forked from indymedia/epicyon
170 lines
6.2 KiB
Plaintext
170 lines
6.2 KiB
Plaintext
# How to install Epicyon
|
|
|
|
You will need python version 3.7 or later.
|
|
|
|
On a Debian based system:
|
|
|
|
sudo apt install -y tor python3-socks imagemagick python3-numpy python3-setuptools python3-crypto python3-cryptodome python3-dateutil python3-pil.imagetk python3-idna python3-requests python3-flake8 libimage-exiftool-perl certbot nginx
|
|
|
|
The following instructions install Epicyon to the /opt directory. It's not essential that it be installed there, and it could be in any other preferred directory.
|
|
|
|
Clone the repo, or if you downloaded the tarball then extract it into the /opt directory.
|
|
|
|
cd /opt
|
|
git clone https://gitlab.com/bashrc2/epicyon
|
|
|
|
Create a user for the server to run as:
|
|
|
|
sudo su
|
|
adduser --system --home=/opt/epicyon --group epicyon
|
|
chown -R epicyon:epicyon /opt/epicyon
|
|
|
|
Create a daemon:
|
|
|
|
nano /etc/systemd/system/epicyon.service
|
|
|
|
Paste the following:
|
|
|
|
[Unit]
|
|
Description=epicyon
|
|
After=syslog.target
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=epicyon
|
|
Group=epicyon
|
|
WorkingDirectory=/opt/epicyon
|
|
ExecStart=/usr/bin/python3 /opt/epicyon/epicyon.py --port 443 --proxy 7156 --domain YOUR_DOMAIN --registration open --debug
|
|
Environment=USER=epicyon
|
|
Environment=PYTHONUNBUFFERED=true
|
|
Restart=always
|
|
StandardError=syslog
|
|
CPUQuota=80%
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|
|
Activate the daemon:
|
|
|
|
systemctl enable epicyon
|
|
systemctl start epicyon
|
|
|
|
Create a web server configuration:
|
|
|
|
nano /etc/nginx/sites-available/YOUR_DOMAIN
|
|
|
|
And paste the following:
|
|
|
|
proxy_cache_path /var/www/cache levels=1:2 keys_zone=my_cache:10m max_size=10g
|
|
inactive=60m use_temp_path=off;
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name YOUR_DOMAIN;
|
|
access_log /dev/null;
|
|
error_log /dev/null;
|
|
client_max_body_size 31m;
|
|
client_body_buffer_size 128k;
|
|
|
|
limit_conn conn_limit_per_ip 10;
|
|
limit_req zone=req_limit_per_ip burst=10 nodelay;
|
|
|
|
index index.html;
|
|
rewrite ^ https://$server_name$request_uri? permanent;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
server_name YOUR_DOMAIN;
|
|
|
|
ssl_stapling off;
|
|
ssl_stapling_verify off;
|
|
ssl on;
|
|
ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;
|
|
#ssl_dhparam /etc/ssl/certs/YOUR_DOMAIN.dhparam;
|
|
|
|
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
ssl_session_timeout 60m;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Download-Options noopen;
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
|
|
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
|
|
add_header Strict-Transport-Security max-age=15768000;
|
|
|
|
access_log /dev/null;
|
|
error_log /dev/null;
|
|
|
|
index index.html;
|
|
|
|
location / {
|
|
proxy_http_version 1.1;
|
|
client_max_body_size 31M;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forward-Proto http;
|
|
proxy_set_header X-Nginx-Proxy true;
|
|
expires epoch;
|
|
proxy_no_cache 1;
|
|
proxy_temp_file_write_size 64k;
|
|
proxy_connect_timeout 10080s;
|
|
proxy_send_timeout 10080;
|
|
proxy_read_timeout 10080;
|
|
proxy_buffer_size 64k;
|
|
proxy_buffers 16 32k;
|
|
proxy_busy_buffers_size 64k;
|
|
proxy_redirect off;
|
|
proxy_request_buffering on;
|
|
proxy_buffering on;
|
|
proxy_cache my_cache;
|
|
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
|
|
location ~ ^/(icons|images|media|emoji)/(.*)/(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {
|
|
expires 7d;
|
|
proxy_pass http://localhost:7156;
|
|
}
|
|
location ~ ^/icons/(.*)/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {
|
|
expires epoch;
|
|
proxy_no_cache 1;
|
|
proxy_pass http://localhost:7156;
|
|
}
|
|
location ~ ^/icons/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {
|
|
expires epoch;
|
|
proxy_no_cache 1;
|
|
proxy_pass http://localhost:7156;
|
|
}
|
|
location ~ ^/users/(.*)/(image|banner).png {
|
|
expires epoch;
|
|
proxy_no_cache 1;
|
|
proxy_pass http://localhost:7156;
|
|
}
|
|
proxy_pass http://localhost:7156;
|
|
}
|
|
}
|
|
|
|
Enable the site:
|
|
|
|
ln -s /etc/nginx/sites-available/YOUR_DOMAIN /etc/nginx/sites-enabled/
|
|
mkdir /var/www/cache
|
|
|
|
Forward port 443 from your internet router to your server. If you have dynamic DNS make sure its configured. Add a TLS certificate:
|
|
|
|
certbot certonly -n --server https://acme-v01.api.letsencrypt.org/directory --standalone -d YOUR_DOMAIN --renew-by-default --agree-tos --email YOUR_EMAIL
|
|
|
|
Restart your web server:
|
|
|
|
systemctl restart nginx
|
|
|
|
If you are using the Caddy web server then see caddy.example.conf
|
|
|
|
Now you can navigate to your domain and register an account. The first account becomes the administrator.
|