Auf ins Fediverse mit Firefish

Das Fediverse¹ dürfte den meisten unter dem Schlagwort Mastodon² bekannt sein. Und Mastodon ist zweifellos die bekannteste Anwendung dieses föderierten Netzwerks. Doch es gibt auch (kompatible) Alternativen. Eine davon ist CalckeyFirefish³.

Firefish (früher Calckey) ist ein Fork von Misskey⁴, der sich insbesondere dadurch auszeichnet, dass er die Umzugs einen Mastodon-Accounts hin zu Firefish (oder umgekehrt) ermöglicht. Außerdem ist Firefish etwas weniger - naja, sagen wir mal - "verspielt" als Misskey. Gegenüber Mastodon empfinden viele die Oberfläche als moderner. Bei einigen Funktionen muss man erst einmal ein klein wenig hineinfinden, leider ist die Dokumentation sehr dürftig, aber nach und nach erschließt sich eigentlich alles.

Die Inbetriebnahme mittels Docker (docker-compose) ist denkbar einfach:

version: "3"

services:
  web:
    image: registry.joinfirefish.org/firefish/firefish
    container_name: firefish_web
    restart: unless-stopped
    depends_on:
      - db
      - redis
    ports:
      - "3000:3000"
    networks:
      - calcnet
    environment:
      NODE_ENV: production
    volumes:
      - /docker/firefish/files:/firefish/files
      - /docker/firefish/config:/firefish/.config:ro
    logging:
        driver: "json-file"
        options:
            max-size: "768k"
            max-file: "1"

  redis:
    restart: unless-stopped
    image: docker.io/redis:7.0-alpine
    container_name: firefish_redis
    networks:
      - calcnet
    volumes:
      - /docker/firefish/redis:/data
    logging:
        driver: "json-file"
        options:
            max-size: "768k"
            max-file: "1"

  db:
    restart: unless-stopped
    image: docker.io/postgres:12.2-alpine
    container_name: firefish_db
    networks:
      - calcnet
    env_file:
      - docker.env
    volumes:
      - /docker/firefish/db:/var/lib/postgresql/data
    logging:
        driver: "json-file"
        options:
            max-size: "768k"
            max-file: "1"

  sonic:
    restart: unless-stopped
    image: docker.io/valeriansaliou/sonic:v1.4.0
    networks:
      - calcnet
    volumes:
      - /docker/firefish/sonic:/var/lib/sonic/store
      - /docker/firefish/sonic/config.cfg:/etc/sonic.cfg

networks:
  calcnet

Die Abschnitte:

    logging:
        driver: "json-file"
        options:
            max-size: "768k"
            max-file: "1"

habe ich aufgenommen, weil Firefish sehr viele Logdaten erzeugt. Leider lässt sich dieses Verhalten auch nicht wirklich konfigurieren. Daher beschränke ich die Logfilegröße einfach auf 768k und eine einzige Logdatei. Wer zusätzlich seine Datenträger schonen möchte, kann auch einfach driver: "none" anstelle von driver: "json-file" nutzen. Es werden dann gar keine Logdaten erzeugt.

Die Datei docker.env enthält folgende Angaben:

POSTGRES_PASSWORD=meinsuperdupergeheimesdatenbankpasswort
POSTGRES_USER=firefish
POSTGRES_DB=firefish

Vor dem ersten Start sollten wir noch eine Konfigurationsdatei /docker/firefish/config/default.yml erzeugen:

#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# firefish configuration
#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

# After starting your server, please don't change the URL! Doing so will break federation.

#   ┌─────┐
#───┘ URL └─────────────────────────────────────────────────────

# Final accessible URL seen by a user.
url: https://social.example.org/

#   ┌───────────────────────┐
#───┘ Port and TLS settings └───────────────────────────────────

#
# Calckey requires a reverse proxy to support HTTPS connections.
#
#                 +----- https://example.com/ ------------+
#   +------+      |+-------------+      +----------------+|
#   | User | ---> || Proxy (443) | ---> | Calckey (3000) ||
#   +------+      |+-------------+      +----------------+|
#                 +---------------------------------------+
#
#   You need to set up a reverse proxy. (e.g. nginx, caddy)
#   An encrypted connection with HTTPS is highly recommended
#   because tokens may be transferred in GET requests.

# The port that your Calckey server should listen on.
port: 3000

#   ┌──────────────────────────┐
#───┘ PostgreSQL configuration └────────────────────────────────

db:
  host: localhost
  port: 5432
  #ssl: false
  # Database name
  db: calckey

  # Auth
  user: calckey
  pass: meinsuperdupergeheimesdatenbankpasswort

  # Whether disable Caching queries
  #disableCache: true

  # Extra Connection options
  #extra:
  #  ssl:
  #   host: localhost
  #   rejectUnauthorized: false

#   ┌─────────────────────┐
#───┘ Redis configuration └─────────────────────────────────────

redis:
  host: localhost
  port: 6379
  #tls:
  #  host: localhost
  #  rejectUnauthorized: false
  #family: 0  # 0=Both, 4=IPv4, 6=IPv6
  #pass: example-pass
  #prefix: example-prefix
  #db: 1
  #user: default

#   ┌─────────────────────────────┐
#───┘ Cache server configuration └─────────────────────────────────────

# A Redis-compatible server (DragonflyDB, Keydb, Redis) for caching
# If left blank, it will use the Redis server from above

#cacheServer:
  #host: localhost
  #port: 6379
  #family: 0  # 0=Both, 4=IPv4, 6=IPv6
  #pass: example-pass
  #prefix: example-prefix
  #db: 1

# Please configure either MeiliSearch *or* Sonic.
# If both MeiliSearch and Sonic configurations are present, MeiliSearch will take precedence.

#   ┌───────────────────────────┐
#───┘ MeiliSearch configuration └─────────────────────────────────────
#meilisearch:
#  host: meilisearch
#  port: 7700
#  ssl: false
#  apiKey:

#   ┌─────────────────────┐
#───┘ Sonic configuration └─────────────────────────────────────

#sonic:
#  host: localhost
#  port: 1491
#  auth: SecretPassword
#  collection: notes
#  bucket: default

#   ┌───────────────┐
#───┘ ID generation └───────────────────────────────────────────

# No need to uncomment in most cases, but you may want to change
# these settings if you plan to run a large and/or distributed server.

# cuid:
#   # Min 16, Max 24
#   length: 16
#
#   # Set this to a unique string across workers (e.g., machine's hostname)
#   # if your workers are running in multiple hosts.
#   fingerprint: my-fingerprint

#   ┌─────────────────────┐
#───┘ Other configuration └─────────────────────────────────────

# Maximum length of a post (default 3000, max 100000)
#maxNoteLength: 3000

# Maximum length of an image caption (default 1500, max 8192)
#maxCaptionLength: 1500

# Reserved usernames that only the administrator can register with
reservedUsernames: [
  'root',
  'admin',
  'administrator',
  'me',
  'system'
]

# Whether disable HSTS
#disableHsts: true

# Number of worker processes
#clusterLimit: 1

# Worker only mode
#onlyQueueProcessor: 1

# Job concurrency per worker
# deliverJobConcurrency: 128
# inboxJobConcurrency: 16

# Job rate limiter
# deliverJobPerSec: 128
# inboxJobPerSec: 16

# Job attempts
# deliverJobMaxAttempts: 12
# inboxJobMaxAttempts: 8

# IP address family used for outgoing request (ipv4, ipv6 or dual)
#outgoingAddressFamily: ipv4

# Syslog option
#syslog:
#  host: localhost
#  port: 514

# Proxy for HTTP/HTTPS
#proxy: http://127.0.0.1:3128

#proxyBypassHosts: [
#  'web.kaiteki.app',
#  'example.com',
#  '192.0.2.8'
#]

# Proxy for SMTP/SMTPS
#proxySmtp: http://127.0.0.1:3128   # use HTTP/1.1 CONNECT
#proxySmtp: socks4://127.0.0.1:1080 # use SOCKS4
#proxySmtp: socks5://127.0.0.1:1080 # use SOCKS5

# Media Proxy
#mediaProxy: https://example.com/proxy

# Proxy remote files (default: false)
#proxyRemoteFiles: true

#allowedPrivateNetworks: [
#  '127.0.0.1/32'
#]

# TWA
#twa:
#  nameSpace: android_app
#  packageName: tld.domain.twa
#  sha256CertFingerprints: ['AB:CD:EF']

# Upload or download file size limits (bytes)
#maxFileSize: 262144000

#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Congrats, you've reached the end of the config file needed for most deployments!
# Enjoy your Calckey server!
#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Managed hosting settings
# >>> NORMAL SELF-HOSTERS, STAY AWAY! <<<
# >>> YOU DON'T NEED THIS! <<<
# Each category is optional, but if each item in each category is mandatory!
# If you mess this up, that's on you, you've been warned...
#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

#maxUserSignups: 100
#isManagedHosting: true
#deepl:
#  managed: true
#  authKey: ''
#  isPro: false
#
#email:
#  managed: true
#  address: 'example@email.com'
#  host: 'email.com'
#  port: 587
#  user: 'example@email.com'
#  pass: ''
#  useImplicitSslTls: false
#
#objectStorage:
#  managed: true
#  baseUrl: ''
#  bucket: ''
#  prefix: ''
#  endpoint: ''
#  region: ''
#  accessKey: ''
#  secretKey: ''
#  useSsl: true
#  connnectOverProxy: false
#  setPublicReadOnUpload: true
#  s3ForcePathStyle: true

# !!!!!!!!!!
# >>>>>> AGAIN, NORMAL SELF-HOSTERS, STAY AWAY! <<<<<<
# >>>>>> YOU DON'T NEED THIS, ABOVE SETTINGS ARE FOR MANAGED HOSTING ONLY! <<<<<<
# !!!!!!!!!!

# Seriously. Do NOT fill out the above settings if you're self-hosting.
# They're much better off being set from the control panel.

Fehlt noch eine Proxy-Konfiguration, ich nehme hierzu nginx:

server {
    listen 80;
    listen [::]:80;

    listen 443 ssl;
    listen [::]:443;

    server_name social.example.org;

    ssl_certificate /var/lib/dehydrated/certs/social.example.org/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/social.example.org/privkey.pem;
    ssl_trusted_certificate /var/lib/dehydrated/certs/social.example.org/fullchain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_dhparam /etc/ssl/dhparams.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    gzip off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.1;

    location / {
        if ($ssl_protocol = "") {
            rewrite ^   https://$server_name$request_uri? permanent;
        }
        proxy_pass http://127.0.0.1:8100/;

        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # For WebSocket
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Cache settings
        proxy_cache cache1;
        proxy_cache_lock on;
        proxy_cache_use_stale updating;
        add_header X-Cache $upstream_cache_status;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:8100/api/;

        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # For WebSocket
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

Nach einem reload der Nginx-Konfiguration und einem docker-compose up steht unsere Calckey-Instanz nach einer kurzen Wartezeit zur Verfügung und die Reise ins Fediverse kann beginnen.