move deployment docs to separate file, link account docs at end of deployment

retr0.id / millipds

fork atom

A from-scratch atproto PDS implementation in Python (mirrors https://github.com/DavidBuchanan314/millipds)

fork atom

retr0.id 1 year ago d400b12b 36010f9c

+119 -111

2 changed files

expand all

README.md

docs

DEPLOY.md

+1 -111

README.md

··· 28 28 29 29 ### Production deployment on Ubuntu (and similar systems) [WIP] 30 30 31 - ```sh 32 - # create group for service socket access 33 - sudo addgroup millipds-sock 34 - 35 - # create unprivileged user 36 - sudo adduser --system --shell /bin/false --home /opt/millipds millipds 37 - 38 - # add the user to the group (leaving its primary group as the default) 39 - sudo usermod -aG millipds-sock millipds 40 - 41 - # start a shell session under the new user 42 - sudo -u millipds -s 43 - 44 - # all commands below this point are run as the millipds user 45 - 46 - # create a virtualenv (maybe this will prove unnecessary, but it probably doesn't hurt) 47 - python3 -m venv ~/.venv 48 - 49 - # activate the virtualenv (this must be re-run every time you want to use it) 50 - source ~/.venv/bin/activate 51 - 52 - # all commands below this point are run inside the virtualenv 53 - 54 - # upgrade pip (maybe optional, again, probably doesn't hurt) 55 - python3 -m pip install --upgrade pip 56 - 57 - # install millipds 58 - python3 -m pip install --upgrade millipds@git+https://github.com/DavidBuchanan314/millipds 59 - ``` 60 - 61 - Upgrading: 62 - 63 - ```sh 64 - sudo -u millipds -s 65 - source ~/.venv/bin/activate 66 - python3 -m pip install --upgrade --force-reinstall --no-cache-dir millipds@git+https://github.com/DavidBuchanan314/millipds 67 - exit 68 - sudo systemctl restart millipds 69 - ``` 70 - 71 - Create a systemd service 72 - 73 - ``` 74 - [Unit] 75 - Description=millipds 76 - After=network.target 77 - 78 - [Service] 79 - Type=simple 80 - Restart=on-failure 81 - User=millipds 82 - WorkingDirectory=/opt/millipds 83 - ExecStart=/opt/millipds/.venv/bin/millipds run --sock_path=/run/millipds/millipds.sock 84 - RuntimeDirectory=millipds 85 - 86 - [Install] 87 - WantedBy=multi-user.target 88 - ``` 89 - 90 - TODO: put this file in the repo so it can be copied into place more easily. 91 - 92 - Put this in `/etc/systemd/system/millipds.service` 93 - 94 - Create a new nginx config: 95 - ``` 96 - upstream millipds { 97 - server unix:/run/millipds/millipds.sock fail_timeout=0; 98 - } 99 - 100 - server { 101 - listen 80; 102 - server_name millipds.test; # CHANGEME! 103 - 104 - location / { 105 - proxy_pass http://millipds; 106 - proxy_http_version 1.1; 107 - proxy_set_header Connection "upgrade"; 108 - proxy_set_header Upgrade $http_upgrade; 109 - proxy_set_header X-Forwarded-For $remote_addr; 110 - proxy_read_timeout 1d; 111 - proxy_redirect off; 112 - proxy_buffering off; 113 - access_log off; 114 - } 115 - } 116 - ``` 117 - TODO: is fail_timeout=0 sensible? 118 - 119 - Put this in `/etc/nginx/sites-enabled/millipds` 120 - 121 - Note: For a prod setup, you'll need to enable SSL. That's outside the scope of this guide, but one way is "once you have the service accessible via HTTP, use certbot" 122 - 123 - Add the user that nginx runs under (`www-data`) to the `millipds-sock` group: 124 - 125 - ```sh 126 - sudo adduser www-data millipds-sock 127 - ``` 128 - 129 - Start the service: 130 - 131 - ```sh 132 - sudo systemctl start millipds # make it start now 133 - sudo systemctl enable millipds # make it start on every boot 134 - systemctl status millipds # check that it's running 135 - sudo systemctl reload nginx # get nginx to see your new config 136 - ``` 137 - 138 - Useful command for watching the logs: 139 - ```sh 140 - sudo journalctl -u millipds.service -f 141 - ``` 31 + See [./docs/DEPLOY.md](./docs/DEPLOY.md)

+118

docs/DEPLOY.md

··· 1 + 2 + ### Production deployment on Ubuntu[WIP] 3 + 4 + These specific instructions assume ubuntu+nginx+systemd. If you're on something else, it shouldn't be too hard to adapt. 5 + 6 + ```sh 7 + # create group for service socket access 8 + sudo addgroup millipds-sock 9 + 10 + # create unprivileged user 11 + sudo adduser --system --shell /bin/false --home /opt/millipds millipds 12 + 13 + # add the user to the group (leaving its primary group as the default) 14 + sudo usermod -aG millipds-sock millipds 15 + 16 + # start a shell session under the new user 17 + sudo -u millipds -s 18 + 19 + # all commands below this point are run as the millipds user 20 + 21 + # create a virtualenv (maybe this will prove unnecessary, but it probably doesn't hurt) 22 + python3 -m venv ~/.venv 23 + 24 + # activate the virtualenv (this must be re-run every time you want to use it) 25 + source ~/.venv/bin/activate 26 + 27 + # all commands below this point are run inside the virtualenv 28 + 29 + # upgrade pip (maybe optional, again, probably doesn't hurt) 30 + python3 -m pip install --upgrade pip 31 + 32 + # install millipds 33 + python3 -m pip install --upgrade millipds@git+https://github.com/DavidBuchanan314/millipds 34 + ``` 35 + 36 + Upgrading: 37 + 38 + ```sh 39 + sudo -u millipds -s 40 + source ~/.venv/bin/activate 41 + python3 -m pip install --upgrade --force-reinstall --no-cache-dir millipds@git+https://github.com/DavidBuchanan314/millipds 42 + exit 43 + sudo systemctl restart millipds 44 + ``` 45 + 46 + Create a systemd service 47 + 48 + ``` 49 + [Unit] 50 + Description=millipds 51 + After=network.target 52 + 53 + [Service] 54 + Type=simple 55 + Restart=on-failure 56 + User=millipds 57 + WorkingDirectory=/opt/millipds 58 + ExecStart=/opt/millipds/.venv/bin/millipds run --sock_path=/run/millipds/millipds.sock 59 + RuntimeDirectory=millipds 60 + 61 + [Install] 62 + WantedBy=multi-user.target 63 + ``` 64 + 65 + TODO: put this file in the repo so it can be copied into place more easily. 66 + 67 + Put this in `/etc/systemd/system/millipds.service` 68 + 69 + Create a new nginx config: 70 + ``` 71 + upstream millipds { 72 + server unix:/run/millipds/millipds.sock fail_timeout=0; 73 + } 74 + 75 + server { 76 + listen 80; 77 + server_name millipds.test; # CHANGEME! 78 + 79 + location / { 80 + proxy_pass http://millipds; 81 + proxy_http_version 1.1; 82 + proxy_set_header Connection "upgrade"; 83 + proxy_set_header Upgrade $http_upgrade; 84 + proxy_set_header X-Forwarded-For $remote_addr; 85 + proxy_read_timeout 1d; 86 + proxy_redirect off; 87 + proxy_buffering off; 88 + access_log off; 89 + } 90 + } 91 + ``` 92 + TODO: is fail_timeout=0 sensible? 93 + 94 + Put this in `/etc/nginx/sites-enabled/millipds` 95 + 96 + Note: For a prod setup, you'll need to enable SSL. That's outside the scope of this guide, but one way is "once you have the service accessible via HTTP, use certbot" 97 + 98 + Add the user that nginx runs under (`www-data`) to the `millipds-sock` group: 99 + 100 + ```sh 101 + sudo adduser www-data millipds-sock 102 + ``` 103 + 104 + Start the service: 105 + 106 + ```sh 107 + sudo systemctl start millipds # make it start now 108 + sudo systemctl enable millipds # make it start on every boot 109 + systemctl status millipds # check that it's running 110 + sudo systemctl reload nginx # get nginx to see your new config 111 + ``` 112 + 113 + Useful command for watching the logs: 114 + ```sh 115 + sudo journalctl -u millipds.service -f 116 + ``` 117 + 118 + Once the service is up, see [ACCOUNTS.md](./ACCOUNTS.md) for setting up user accounts.