forked from indymedia/epicyon
				
			
		
			
				
	
	
		
			170 lines
		
	
	
		
			6.2 KiB
		
	
	
	
		
			Plaintext
		
	
	
			
		
		
	
	
			170 lines
		
	
	
		
			6.2 KiB
		
	
	
	
		
			Plaintext
		
	
	
| # How to install Epicyon
 | |
| 
 | |
| You will need python version 3.7 or later.
 | |
| 
 | |
| On a Debian based system:
 | |
| 
 | |
|     sudo apt install -y tor python3-socks imagemagick python3-numpy python3-setuptools python3-crypto python3-cryptodome python3-dateutil python3-pil.imagetk python3-idna python3-requests python3-flake8 libimage-exiftool-perl certbot nginx
 | |
| 
 | |
| The following instructions install Epicyon to the /opt directory. It's not essential that it be installed there, and it could be in any other preferred directory.
 | |
| 
 | |
| Clone the repo, or if you downloaded the tarball then extract it into the /opt directory.
 | |
| 
 | |
|     cd /opt
 | |
|     git clone https://gitlab.com/bashrc2/epicyon
 | |
| 
 | |
| Create a user for the server to run as:
 | |
| 
 | |
|     sudo su
 | |
|     adduser --system --home=/opt/epicyon --group epicyon
 | |
|     chown -R epicyon:epicyon /opt/epicyon
 | |
| 
 | |
| Create a daemon:
 | |
| 
 | |
|     nano /etc/systemd/system/epicyon.service
 | |
| 
 | |
| Paste the following:
 | |
| 
 | |
|     [Unit]
 | |
|     Description=epicyon
 | |
|     After=syslog.target
 | |
|     After=network.target
 | |
| 
 | |
|     [Service]
 | |
|     Type=simple
 | |
|     User=epicyon
 | |
|     Group=epicyon
 | |
|     WorkingDirectory=/opt/epicyon
 | |
|     ExecStart=/usr/bin/python3 /opt/epicyon/epicyon.py --port 443 --proxy 7156 --domain YOUR_DOMAIN --registration open --debug
 | |
|     Environment=USER=epicyon
 | |
|     Environment=PYTHONUNBUFFERED=true
 | |
|     Restart=always
 | |
|     StandardError=syslog
 | |
|     CPUQuota=80%
 | |
| 
 | |
|     [Install]
 | |
|     WantedBy=multi-user.target
 | |
| 
 | |
| Activate the daemon:
 | |
| 
 | |
|     systemctl enable epicyon
 | |
|     systemctl start epicyon
 | |
| 
 | |
| Create a web server configuration:
 | |
| 
 | |
|     nano /etc/nginx/sites-available/YOUR_DOMAIN
 | |
| 
 | |
| And paste the following:
 | |
| 
 | |
|     proxy_cache_path /var/www/cache levels=1:2 keys_zone=my_cache:10m max_size=10g
 | |
|                      inactive=60m use_temp_path=off;
 | |
|     server {
 | |
|         listen 80;
 | |
|         listen [::]:80;
 | |
|         server_name YOUR_DOMAIN;
 | |
|         access_log /dev/null;
 | |
|         error_log /dev/null;
 | |
|         client_max_body_size 31m;
 | |
|         client_body_buffer_size 128k;
 | |
| 
 | |
|         limit_conn conn_limit_per_ip 10;
 | |
|         limit_req zone=req_limit_per_ip burst=10 nodelay;
 | |
| 
 | |
|         index index.html;
 | |
|         rewrite ^ https://$server_name$request_uri? permanent;
 | |
|     }
 | |
| 
 | |
|     server {
 | |
|         listen 443 ssl;
 | |
|         server_name YOUR_DOMAIN;
 | |
| 
 | |
|         ssl_stapling off;
 | |
|         ssl_stapling_verify off;
 | |
|         ssl on;
 | |
|         ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;
 | |
|         ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;
 | |
|         #ssl_dhparam /etc/ssl/certs/YOUR_DOMAIN.dhparam;
 | |
| 
 | |
|         ssl_session_cache builtin:1000 shared:SSL:10m;
 | |
|         ssl_session_timeout 60m;
 | |
|         ssl_prefer_server_ciphers on;
 | |
|         ssl_protocols TLSv1.2 TLSv1.3;
 | |
|         ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 | |
|         add_header X-Frame-Options DENY;
 | |
|         add_header X-Content-Type-Options nosniff;
 | |
|         add_header X-XSS-Protection "1; mode=block";
 | |
|         add_header X-Download-Options noopen;
 | |
|         add_header X-Permitted-Cross-Domain-Policies none;
 | |
| 
 | |
|         add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 | |
|         add_header Strict-Transport-Security max-age=15768000;
 | |
| 
 | |
|         access_log /dev/null;
 | |
|         error_log /dev/null;
 | |
| 
 | |
|         index index.html;
 | |
| 
 | |
|         location / {
 | |
|             proxy_http_version 1.1;
 | |
|             client_max_body_size 31M;
 | |
|             proxy_set_header Upgrade $http_upgrade;
 | |
|             proxy_set_header Connection "upgrade";
 | |
|             proxy_set_header Host $http_host;
 | |
|             proxy_set_header X-Real-IP $remote_addr;
 | |
|             proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
 | |
|             proxy_set_header X-Forward-Proto http;
 | |
|             proxy_set_header X-Nginx-Proxy true;
 | |
|      	    expires epoch;
 | |
|             proxy_no_cache 1;
 | |
|             proxy_temp_file_write_size 64k;
 | |
|             proxy_connect_timeout 10080s;
 | |
|             proxy_send_timeout 10080;
 | |
|             proxy_read_timeout 10080;
 | |
|             proxy_buffer_size 64k;
 | |
|             proxy_buffers 16 32k;
 | |
|             proxy_busy_buffers_size 64k;
 | |
|             proxy_redirect off;
 | |
|             proxy_request_buffering on;
 | |
|             proxy_buffering on;
 | |
| 	    proxy_cache my_cache;
 | |
| 	    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
 | |
| 	    location ~ ^/(icons|images|media|emoji)/(.*)/(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {
 | |
| 	    	expires 7d;
 | |
|                 proxy_pass http://localhost:7156;
 | |
|             }
 | |
|             location ~ ^/icons/(.*)/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {
 | |
|                 expires epoch;
 | |
|                 proxy_no_cache 1;
 | |
|                 proxy_pass http://localhost:7156;
 | |
|             }
 | |
|             location ~ ^/icons/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {
 | |
|                 expires epoch;
 | |
|                 proxy_no_cache 1;
 | |
|                 proxy_pass http://localhost:7156;
 | |
|             }
 | |
|             location ~ ^/users/(.*)/(image|banner).png {
 | |
|                 expires epoch;
 | |
|                 proxy_no_cache 1;
 | |
|                 proxy_pass http://localhost:7156;
 | |
|             }
 | |
|             proxy_pass http://localhost:7156;
 | |
|         }
 | |
|     }
 | |
| 
 | |
| Enable the site:
 | |
| 
 | |
|     ln -s /etc/nginx/sites-available/YOUR_DOMAIN /etc/nginx/sites-enabled/
 | |
|     mkdir /var/www/cache
 | |
| 
 | |
| Forward port 443 from your internet router to your server. If you have dynamic DNS make sure its configured. Add a TLS certificate:
 | |
| 
 | |
|     certbot certonly -n --server https://acme-v01.api.letsencrypt.org/directory --standalone -d YOUR_DOMAIN --renew-by-default --agree-tos --email YOUR_EMAIL
 | |
| 
 | |
| Restart your web server:
 | |
| 
 | |
|     systemctl restart nginx
 | |
| 
 | |
| If you are using the Caddy web server then see caddy.example.conf
 | |
| 
 | |
| Now you can navigate to your domain and register an account. The first account becomes the administrator.
 |