fix: trusted-proxies, nginx configs, bootstrap ssh/ufw, add zkreml.cz template

2026-03-07 11:45:28 +01:00
parent 9fd66279f4
commit ed0133e943
5 changed files with 62 additions and 25 deletions


@@ -61,7 +61,7 @@ SSHD_CONF="/etc/ssh/sshd_config"
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' "$SSHD_CONF" sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' "$SSHD_CONF"
# Zakaz PasswordAuthentication (pouze klíče) # Zakaz PasswordAuthentication (pouze klíče)
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONF" sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONF"
systemctl reload sshd systemctl reload ssh.service
# === UFW firewall === # === UFW firewall ===
echo "==> Konfigurace UFW firewallu..." echo "==> Konfigurace UFW firewallu..."
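Review bot: The two `sed -i` edits on `$SSHD_CONF` above the reload are never validated, and on distributions whose `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf` (Debian 12, Ubuntu 22.04 and later) a drop-in such as cloud-init's `50-cloud-init.conf` carrying `PasswordAuthentication yes` wins, because sshd keeps the first value it parses — the edit to the main file then changes nothing and password logins stay open. Add `sshd -t` before the reload and assert the effective setting afterwards, e.g. `sshd -T | grep -qi '^passwordauthentication no' || { echo 'PasswordAuthentication is still enabled' >&2; exit 1; }`; writing the hardening into its own drop-in that sorts before `50-*` is the robust fix. The switch to `ssh.service` matches current Debian/Ubuntu unit naming, but on releases where sshd is socket-activated (Ubuntu 24.04) `systemctl reload` of a not-yet-started `ssh.service` may fail, so `systemctl reload-or-restart ssh.service` is the safer verb. The enclosing bootstrap script starts and ends outside the hunk.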


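--- a/<compose file — path not shown on page>
+++ b/<compose file — path not shown on page>
@@ -7,6 +7,8 @@ services:
 restart: unless-stopped
 env_file:
 - .env
+environment:
+- GTS_TRUSTED_PROXIES=127.0.0.1/32,172.18.0.1/16
 ports:
 - "127.0.0.1:8080:8080"
 volumes: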
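Review bot: `GTS_TRUSTED_PROXIES=127.0.0.1/32,172.18.0.1/16` trusts the entire Docker bridge subnet, so any other container that lands on that network could set `X-Forwarded-For` and have GoToSocial accept the forged address as the client IP for rate limiting and logging. Since the port is published only on `127.0.0.1:8080`, the host nginx is the sole proxy and its connections arrive from the bridge gateway, so trusting that single address is sufficient: `- GTS_TRUSTED_PROXIES=127.0.0.1/32,172.18.0.1/32`. The `172.18.0.0/16` range is also just what Docker happened to allocate for this project's network; pinning it with an `ipam` `subnet` under `networks:` keeps the value correct on another host. Worth confirming as well that GoToSocial accepts a prefix with host bits set (`172.18.0.1/16`) rather than requiring the network address `172.18.0.0/16`.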


@@ -1,19 +1,7 @@
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name vase-domena.cz; server_name GTS_HOST;
# Certbot automaticky přidá přesměrování na HTTPS
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name vase-domena.cz;
# SSL Certbot doplní automaticky
# ssl_certificate /etc/letsencrypt/live/vase-domena.cz/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/vase-domena.cz/privkey.pem;
client_max_body_size 40M; client_max_body_size 40M;

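--- /dev/null
+++ b/nginx/zkreml.cz.conf
@@ -0,0 +1,18 @@
+server {
+listen 80;
+listen [::]:80;
+server_name ACCOUNT_DOMAIN;
+# Webfinger a discovery endpointy přesměruj na GoToSocial instanci
+location = /.well-known/webfinger {
+return 301 https://GTS_HOST$request_uri;
+}
+location = /.well-known/nodeinfo {
+return 301 https://GTS_HOST$request_uri;
+}
+location = /.well-known/host-meta {
+return 301 https://GTS_HOST$request_uri;
+}
+}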
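Review bot: The new server block defines only the three `/.well-known/*` redirects and no `location /`, so every other request to `ACCOUNT_DOMAIN` falls through to nginx's default `root` and serves whatever sits in the distribution's default document directory. If the account domain is meant to host a site, it needs its own `root`/`location /` here; if it is only meant to delegate discovery to the GoToSocial host, an explicit `location / { return 404; }` (or a redirect to `https://GTS_HOST`) avoids exposing the default root. A short comment above the block stating which of the two is intended would help the next person editing the template, e.g. `# ACCOUNT_DOMAIN only delegates webfinger/nodeinfo/host-meta; all other paths are intentionally unserved`.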


@@ -80,17 +80,20 @@ fi
CONFIG_FILE="$ROOT_DIR/config/config.yaml" CONFIG_FILE="$ROOT_DIR/config/config.yaml"
NGINX_CONF="$ROOT_DIR/nginx/gotosocial.conf" NGINX_CONF="$ROOT_DIR/nginx/gotosocial.conf"
NGINX_CONF_ZKREML="$ROOT_DIR/nginx/zkreml.cz.conf"
echo "" echo ""
echo "==> Nastavení konfigurace..." echo "==> Nastavení konfigurace..."
# Záloha originálů pro idempotentní opakované spuštění # Záloha originálů pro idempotentní opakované spuštění
[ -f "${CONFIG_FILE}.orig" ] || cp "$CONFIG_FILE" "${CONFIG_FILE}.orig" [ -f "${CONFIG_FILE}.orig" ] || cp "$CONFIG_FILE" "${CONFIG_FILE}.orig"
[ -f "${NGINX_CONF}.orig" ] || cp "$NGINX_CONF" "${NGINX_CONF}.orig" [ -f "${NGINX_CONF}.orig" ] || cp "$NGINX_CONF" "${NGINX_CONF}.orig"
[ -f "${NGINX_CONF_ZKREML}.orig" ] || cp "$NGINX_CONF_ZKREML" "${NGINX_CONF_ZKREML}.orig"
# Vždy pracuj z originálu # Vždy pracuj z originálu
cp "${CONFIG_FILE}.orig" "$CONFIG_FILE" cp "${CONFIG_FILE}.orig" "$CONFIG_FILE"
cp "${NGINX_CONF}.orig" "$NGINX_CONF" cp "${NGINX_CONF}.orig" "$NGINX_CONF"
cp "${NGINX_CONF_ZKREML}.orig" "$NGINX_CONF_ZKREML"
# config.yaml host # config.yaml host
sed -i "s|host: \".*\"|host: \"${GTS_DOMAIN}\"|" "$CONFIG_FILE" sed -i "s|host: \".*\"|host: \"${GTS_DOMAIN}\"|" "$CONFIG_FILE"
@@ -100,14 +103,26 @@ if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
sed -i "s|# account-domain: \".*\"|account-domain: \"${GTS_ACCOUNT_DOMAIN}\"|" "$CONFIG_FILE" sed -i "s|# account-domain: \".*\"|account-domain: \"${GTS_ACCOUNT_DOMAIN}\"|" "$CONFIG_FILE"
fi fi
# nginx server_name a references na doménu # nginx gotosocial.conf dosaď GTS_HOST
sed -i "s|server_name .*;|server_name ${GTS_DOMAIN};|g" "$NGINX_CONF" sed -i "s|GTS_HOST|${GTS_DOMAIN}|g" "$NGINX_CONF"
sed -i "s|vase-domena\.cz|${GTS_DOMAIN}|g" "$NGINX_CONF"
# Nasazení nginx konfigurace # nginx zkreml.cz.conf dosaď ACCOUNT_DOMAIN a GTS_HOST
if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
sed -i "s|ACCOUNT_DOMAIN|${GTS_ACCOUNT_DOMAIN}|g" "$NGINX_CONF_ZKREML"
sed -i "s|GTS_HOST|${GTS_DOMAIN}|g" "$NGINX_CONF_ZKREML"
fi
# === Nasazení nginx konfigurací ===
echo "==> Nasazení Nginx konfigurace..." echo "==> Nasazení Nginx konfigurace..."
cp "$NGINX_CONF" /etc/nginx/sites-available/gotosocial cp "$NGINX_CONF" /etc/nginx/sites-available/gotosocial
ln -sf /etc/nginx/sites-available/gotosocial /etc/nginx/sites-enabled/gotosocial ln -sf /etc/nginx/sites-available/gotosocial /etc/nginx/sites-enabled/gotosocial
if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
cp "$NGINX_CONF_ZKREML" "/etc/nginx/sites-available/${GTS_ACCOUNT_DOMAIN}"
ln -sf "/etc/nginx/sites-available/${GTS_ACCOUNT_DOMAIN}" \
"/etc/nginx/sites-enabled/${GTS_ACCOUNT_DOMAIN}"
fi
nginx -t nginx -t
systemctl reload nginx systemctl reload nginx
@@ -136,14 +151,28 @@ $DC exec gotosocial /gotosocial/gotosocial admin account create \
$DC exec gotosocial /gotosocial/gotosocial admin account promote \ $DC exec gotosocial /gotosocial/gotosocial admin account promote \
--username "$ADMIN_USER" --username "$ADMIN_USER"
# === SSL certifikát === # === SSL certifikáty ===
echo "" echo ""
echo "==> Získání SSL certifikátu přes Certbot..." echo "==> Získání SSL certifikátu pro ${GTS_DOMAIN}..."
certbot --nginx -d "$GTS_DOMAIN" certbot --nginx -d "$GTS_DOMAIN"
if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
echo "==> Získání SSL certifikátu pro ${GTS_ACCOUNT_DOMAIN}..."
certbot --nginx -d "$GTS_ACCOUNT_DOMAIN"
fi
# === Hotovo ===
echo "" echo ""
echo "==> Instalace dokončena!" echo "==> Instalace dokončena!"
echo " GoToSocial je dostupný na https://${GTS_DOMAIN}" echo ""
echo " GoToSocial: https://${GTS_DOMAIN}"
if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
echo " Hlavní doména: https://${GTS_ACCOUNT_DOMAIN}"
echo " Účty budou mít formát @uživatel@${GTS_ACCOUNT_DOMAIN}" echo " Účty budou mít formát @uživatel@${GTS_ACCOUNT_DOMAIN}"
fi fi
echo ""
echo "NEZAPOMENOUT nastavit DNS záznamy:"
echo " ${GTS_DOMAIN} -> IP tohoto serveru"
if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]; then
echo " ${GTS_ACCOUNT_DOMAIN} -> IP tohoto serveru"
fi
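Review bot: The DNS reminder printed at the very end (`NEZAPOMENOUT nastavit DNS záznamy`) comes after `certbot --nginx -d "$GTS_DOMAIN"` and the new `certbot --nginx -d "$GTS_ACCOUNT_DOMAIN"` have already executed, yet HTTP-01 validation needs both names to resolve to this host beforehand — if the records are not in place, certbot fails and, should the script run under `set -e`, the final summary is never reached. Checking resolution before the request, e.g. `getent hosts "$GTS_ACCOUNT_DOMAIN" >/dev/null || { echo "DNS for ${GTS_ACCOUNT_DOMAIN} is not set yet" >&2; exit 1; }`, or printing the DNS notice at the start of the script, gives the operator the right order. In the earlier hunk of this file `GTS_ACCOUNT_DOMAIN` is also used unvalidated as a file name under `/etc/nginx/sites-available` and as a `sed` replacement; a hostname check such as `[[ $GTS_ACCOUNT_DOMAIN =~ ^[A-Za-z0-9.-]+$ ]]` before the `cp`/`sed` lines would keep a mistyped value from producing a stray path or a broken config. As a point of style, the `if [ "$SEPARATE_ACCOUNT_DOMAIN" = true ]` guard now appears five times in this file; a single block or a small helper function would read better.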