# Easy Onion Federation (Tor)
Tor can free people from the need for a domain name, in addition to helping protect their privacy. As Akkoma's goal is to empower people and let as many as possible host an instance with as few resources as possible, the ability to host an instance on a small, cheap computer like a Raspberry Pi along with Tor would be a great way to achieve that.
In addition, federating with such instances will also help further that goal.

This is a guide to show you how it can be easily done.

This guide assumes you already have Akkoma working, and that it's running on the default port 4000.
This guide also assumes you're using Nginx as the reverse proxy.

To install Tor on Debian / Ubuntu:
```
apt -yq install tor
```

**WARNING:** Onion instances not using a Tor version supporting V3 addresses will not be able to federate with you.

Create the hidden service for your Akkoma instance in `/etc/tor/torrc`, with an HTTP tunnel:
```
HiddenServiceDir /var/lib/tor/akkoma_hidden_service/
HiddenServicePort 80 127.0.0.1:8099
HiddenServiceVersion 3  # Remove if Tor version is below 0.3 ( tor --version )
HTTPTunnelPort 9080
```
Restart Tor to generate an address:
```
systemctl restart tor@default.service
```
Get the address:
```
cat /var/lib/tor/akkoma_hidden_service/hostname
```

# Federation

Next, edit your Akkoma config.
If running in prod, navigate to your Akkoma directory, edit `config/prod.secret.exs`
and append this line:
```
config :pleroma, :http, proxy_url: "http://localhost:9080"
```
In your Akkoma directory, assuming you're running prod,
run the following:
```
su akkoma
MIX_ENV=prod mix deps.get
MIX_ENV=prod mix ecto.migrate
exit
```
Restart Akkoma (if using systemd):
```
systemctl restart akkoma
```

# Tor Instance Access

Make your instance accessible using Tor.

## Tor-only Instance
If creating a Tor-only instance, open `config/prod.secret.exs` and under `config :pleroma, Akkoma.Web.Endpoint,` change the `https` and `port: 443` settings to the following:
```
url: [host: "onionaddress", scheme: "http", port: 80],
```
In addition to that, replace the existing Nginx config's contents with the example below.

## Existing Instance (Clearnet Instance)
If not a Tor-only instance,
add the Nginx config below to your existing config at `/etc/nginx/sites-enabled/akkoma.nginx`.

---
For both cases, disable CSP in Akkoma's config (STS is disabled by default) so you can define those headers yourself, separately from the clearnet site (if your instance is also on the clearnet). The example Nginx config below sets several security headers but no `Content-Security-Policy` or `Strict-Transport-Security`.
Copy the following into `config/prod.secret.exs` in your Akkoma folder (`/home/akkoma/akkoma/`):
```
config :pleroma, :http_security,
  enabled: false
```

Use this as the Nginx config:
```
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
# The above already exists in a clearnet instance's config.
# If not, add it.

server {
    listen 127.0.0.1:8099;
    server_name youronionaddress;

    # Logging is discarded; comment out these two lines to enable logs
    access_log /dev/null;
    error_log /dev/null;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    client_max_body_size 16m;

    location / {

        add_header X-XSS-Protection "0";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy same-origin;
        add_header X-Download-Options noopen;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_pass http://localhost:4000;

        client_max_body_size 16m;
    }

    location /proxy {
        proxy_cache akkoma_media_cache;
        proxy_cache_lock on;
        proxy_ignore_client_abort on;
        proxy_pass http://localhost:4000;
    }
}
```
Reload Nginx:
```
systemctl reload nginx
```

You should now be able to both access your instance using Tor and federate with other Tor instances!

---

### Possible Issues

* In Debian, make sure your hidden service folder `/var/lib/tor/akkoma_hidden_service/` and its contents have debian-tor as both owner and group, by checking with
```
ls -la /var/lib/tor/
```
If they don't, run:
```
chown -R debian-tor:debian-tor /var/lib/tor/akkoma_hidden_service/
```
* Make sure *only* the owner has *only* read and write permissions.
If not, run:
```
chmod -R 600 /var/lib/tor/akkoma_hidden_service/
```
* If you have trouble logging in to the Mastodon Frontend when using Tor, use the Tor Browser Bundle.
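
The ownership and permission checks above, together with the V3-address warning near the top, can be run as a single audit. The shell function below is an added example, not part of the Akkoma documentation; it assumes GNU `find` and `stat` (as shipped on Debian / Ubuntu), and the name `audit_hidden_service` is hypothetical.

```shell
# Added example: audit a Tor hidden-service directory after setup.
# audit_hidden_service DIR [OWNER] [GROUP]
# Prints one line per finding and returns 1 if there is any, else 0.
audit_hidden_service() {
    dir=${1%/}; owner=${2:-debian-tor}; group=${3:-debian-tor}
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }

    # Owner, group and octal mode of the directory and everything below it.
    # A mode is acceptable only if the group and other digits are both 0.
    findings=$(find "$dir" -exec stat -c '%U:%G %a %n' {} + |
        awk -v want="$owner:$group" '
            $1 != want        { print "wrong owner/group " $1 ": " $3 }
            $2 !~ /(^0$|00$)/ { print "group/other access, mode " $2 ": " $3 }')

    # A v3 address is 56 base32 characters; its final byte is the version
    # (3), so the last character is always "d". 16 characters means v2.
    host=$(cat "$dir/hostname" 2>/dev/null || true)
    if printf '%s\n' "$host" | grep -Eq '^[a-z2-7]{55}d\.onion$'; then
        :
    elif printf '%s\n' "$host" | grep -Eq '^[a-z2-7]{16}\.onion$'; then
        findings="$findings
v2 address, not v3: $host"
    else
        findings="$findings
hostname file missing or not an onion address"
    fi

    # Drop the empty line left behind when the first check found nothing.
    findings=$(printf '%s\n' "$findings" | sed '/^$/d')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root with `audit_hidden_service /var/lib/tor/akkoma_hidden_service`; the owner and group default to `debian-tor`.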