如何在Debian 10上安装Pleroma

必要条件

• 一台运行 Linux 的机器，你有root访问权限。
• 一个域名

您将以 root 用户身份运行命令。如果您还不是 root 用户，请通过执行 sudo su/su 来提升您的权限。虽然理论上OTP版本可以安装在任何兼容的机器上，但是为了简单起见，本文只关注 X86 平台的 Debian 10 （buster）和 Pleroma - 2.2.1 。

安装依赖

apt install curl unzip libncurses5 postgresql postgresql-contrib nginx 

Postgresql 性能调优（可选）

为了优化性能，你可以使用 pgTune 生成一个合适的配置文件。编辑/etc/postgresql/11.9/main/postgresql.conf 中的相应数值并使用以下命令重启 PostgreSQL 。

systemctl restart postgresql

安装 Pleroma

创建一个 pleroma 用户

adduser --system --shell  /bin/false --home /opt/pleroma pleroma

设置环境变量 FLAVOUR

export FLAVOUR="amd64"

下载安装 Pleroma 所需的文件到/tmp文件夹并解压

su pleroma -s $SHELL -lc "
curl 'https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=$FLAVOUR' -o /tmp/pleroma.zip
unzip /tmp/pleroma.zip -d /tmp/
"

移动文件到 /opt/pleroma 并删除临时文件夹

su pleroma -s $SHELL -lc "
mv /tmp/release/* /opt/pleroma
rmdir /tmp/release
rm /tmp/pleroma.zip
"

创建/uploads文件夹并设置适当的权限

mkdir -p /var/lib/pleroma/uploads

chown -R pleroma /var/lib/pleroma

创建存放配置文件的文件夹并设置适当的权限

mkdir -p /etc/pleroma

chown -R pleroma /etc/pleroma

生成配置文件

su pleroma -s $SHELL -lc "./bin/pleroma_ctl instance gen --output /etc/pleroma/config.exs --output-psql /tmp/setup_db.psql"

开始填表

What domain will your instance use? (e.g pleroma.soykaf.com) []  abc.xyz.com
你的网站的网址是什么？

What is the name of your instance? (e.g. Pleroma/Soykaf) []  abc.xyz.com
你的网站叫什么名字？

What is your admin email address? []  abc@163.com
网站管理员的电子邮箱地址是什么？

What email address do you want to use for sending email notifications? 
[abc@163.com]  
你想要用哪个电子邮件地址来发送邮件通知？

Do you want search engines to index your site? (y/n) [n] 
你希望搜索引擎收录你的网站吗？

Do you want to store the configuration in the database (allows controlling it from admin-fe)? (y/n) [n] y
你希望将配置信息存入数据库吗（开启管理控制台）？

Do you want to strip location (GPS) data from uploaded images? (y/n) [y]
是否要从上传的图像中删除地理位置（GPS）数据

Do you want to anonymize the filenames of uploads? (y/n) [n]
是否对上传的文件名进行匿名化处理？

Do you want to deduplicate uploaded files? (y/n) [n]
是否避免上传重复的文件？

填完表，剩下的全部按回车，保持默认即可

What is the hostname of your database? [localhost]
What is the name of your database? [pleroma]
What is the user used to connect to your database? [pleroma]
What is the password used to connect to your database? [autogenerated] 
Would you like to use RUM indices? [n] n
What port will the app listen to (leave it if you are using the default setup with nginx)? [4000]
What ip will the app listen to (leave it if you are using the default setup with nginx)? [127.0.0.1]
What directory should media uploads go in (when using the local uploader)? [/var/lib/pleroma/uploads]
What directory should custom public files be read from (custom emojis, frontend bundle overrides, robots.txt, etc.)? [/var/lib/pleroma/static]
Do you want to strip location (GPS) data from uploaded images? (y/n) [y]
Do you want to anonymize the filenames of uploads? (y/n) [n]
Do you want to deduplicate uploaded files? (y/n) [n]

如果没有出错的话，你能看见以下内容

What directory should custom public files be read from (custom emojis, frontend bundle overrides, robots.txt, etc.)? [/var/lib/pleroma/static]
Writing config to /etc/pleroma/config.exs.
Writing the postgres script to /tmp/setup_db.psql.
Writing /var/lib/pleroma/static/robots.txt.

 All files successfully written! Refer to the installation instructions for your platform for next steps.
 Please transfer your config to the database after running database migrations. Refer to "Transfering the config to/from the database" section of the docs for more information.

创建 postgres 数据库

su postgres -s $SHELL -lc "psql -f /tmp/setup_db.psql"

创建数据表

su pleroma -s $SHELL -lc "./bin/pleroma_ctl migrate"

设置系统服务

将pleroma.service复制到适当的文件夹中

cp /opt/pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service

启动 pleroma 并设置开机自启动

systemctl start pleroma

systemctl enable pleroma

测试 Pleroma

启动实例以验证一切都按预期工作

su pleroma -s $SHELL -lc "./bin/pleroma daemon"

等待大约20秒并检测实例运行状况，如果它正确地显示了您的网址、网站名称和电子邮件地址，则说明实例已经安装成功

sleep 20 && curl http://localhost:4000/api/v1/instance

暂停实例的运行

su pleroma -s $SHELL -lc "./bin/pleroma stop"

按 Ctrl+C 返回

申请数字证书

下面以申请 RSA 证书为例 如何申请 ECC 证书 ？

安装 socat

apt install socat -y

安装 acme.sh

curl https://get.acme.sh | sh

将DNS解析商的 API KEY 加入临时系统变量 如何获取 API key ？

export GD_Key="****"   # 填写GoDaddy的 KEY

export GD_Secret="****" # 填写GoDaddy的 Secret

开始获取通配符证书

~/.acme.sh/acme.sh --issue --dns dns_gd -d xyz.com -d *.xyz.com --dns dns_dg --log # 要把xyz.com替换成你的域名

证书成功签发后，你会看见以下内容

-----END CERTIFICATE-----
[Sun Jul  5 02:35:19 UTC 2020] Your cert is in  /root/.acme.sh/xyz.com/xyz.com.cer
[Sun Jul  5 02:35:19 UTC 2020] Your cert key is in  /root/.acme.sh/xyz.com/xyz.com.key
[Sun Jul  5 02:35:19 UTC 2020] The intermediate CA cert is in  /root/.acme.sh/xyz.com/ca.cer
[Sun Jul  5 02:35:19 UTC 2020] And the full chain certs is there:  /root/.acme.sh/xyz.com/fullchain.cer

签发成功后，请求文件 csr、密钥 key 以及证书 cert 和完整证书链均保存在 /root/.acme.sh/xyz.com/ 下

设置 Nginx

复制 pleroma.nginx 到 Nginx 的配置文件夹

cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/sites-available/pleroma.conf

ln -s /etc/nginx/sites-available/pleroma.conf /etc/nginx/sites-enabled/pleroma.conf

编辑 Nginx 配置文件

nano /etc/nginx/sites-available/pleroma.conf

可参考下方修改

# default nginx site config for Pleroma
#
# Simple installation instructions:
# 1. Install your TLS certificate, possibly using Let's Encrypt.
# 2. Replace 'example.tld' with your instance's domain wherever it appears.
# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
#    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.

proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
                 inactive=720m use_temp_path=off;

server {
    server_name abc.xyz.com; # 把abc.xyz.com替换成pleroma实例的网址

    listen         80;
    listen         [::]:80;

    # security


    # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
    # that the directory exists and that it is accessible by the webserver. If you followed
    # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
    # You may need to load this file with the ssl server block commented out, run certbot
    # to get the certificate, and then uncomment it.
    #
    # location ~ /\.well-known/acme-challenge {
    #     root /var/lib/letsencrypt/;
    # }
    location / {
      return 301 https://abc.xyz.com$request_uri; # 把abc.xyz.com替换成pleroma实例的网址
    }
}

# Enable SSL session caching for improved performance
ssl_session_cache shared:ssl_session_cache:10m;

server {
    server_name social.3cat.icu; # 把abc.xyz.com替换成pleroma实例的网址

    # security


    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_session_timeout 5m;
    
    ssl_trusted_certificate   /root/.acme.sh/xyz.com/ca.cer;  # 把xyz.com替换成你的域名
    ssl_certificate           /root/.acme.sh/xyz.com/fullchain.cer; # 把xyz.com替换成你的域名
    ssl_certificate_key       /root/.acme.sh/xyz.com/xyz.com.key; # 把xyz.com替换成你的域名 

    # Add TLSv1.0 to support older devices
    ssl_protocols TLSv1.2;
    # Uncomment line below if you want to support older devices (Before Android 4.4.2, IE 8, etc.)
    # ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    # In case of an old server with an OpenSSL version of 1.0.2 or below,
    # leave only prime256v1 or comment out the following line.
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # the nginx default is 1m, not enough for large media uploads
    client_max_body_size 16m;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
        # and `localhost.` resolves to [::0] on some systems: see issue #930
        proxy_pass http://127.0.0.1:4000;

        client_max_body_size 16m;
    }

    location ~ ^/(media|proxy) {
        proxy_cache        pleroma_media_cache;
        slice              1m;
        proxy_cache_key    $host$uri$is_args$args$slice_range;
        proxy_set_header   Range $slice_range;
        proxy_http_version 1.1;
        proxy_cache_valid  200 206 301 304 1h;
        proxy_cache_lock   on;
        proxy_ignore_client_abort on;
        proxy_buffering    on;
        chunked_transfer_encoding on;
        proxy_pass         http://127.0.0.1:4000;
    }
}

重启 Nginx

systemctl restart nginx

创建管理员账户

启动 Pleroma 实例

su pleroma -s $SHELL -lc "./bin/pleroma daemon"

处理异常

如果你输入su pleroma -s $SHELL -lc "./bin/pleroma daemon"后，CPU利用率长时间保持在100%，请输入 systemctl stop pleroma 关闭 Pleroma 。当命令执行成功后，输入 reboot 重启服务器。服务器重启后再继续下一步。

创建管理员账户

cd /opt/pleroma/bin

su pleroma -s $SHELL -lc "./bin/pleroma_ctl user new afgp abc@163.com --password sswr1e --admin" 

弹出提示Continue? [Continue?] ，输入 y 。命令中的 afgp 是管理员账户的用户名 ，abc@163.com 是 管理员的电子邮箱地址，sswr1e 是管理员账户的密码。