GoToSocial on OpenBSD, a Fediverse adventure

    

In early 2019, I got fed up with Twitter ads, recommendations, etc. So I started looking for alternatives and read about Mastodon. As I was especially looking for OpenBSD news, tricks, etc., I finally landed on bsd.network. It turned out to be a really nice place to hang out; and not BSD-centric at all. People there are great. And the MastoAdmins are kind and caring people.

A couple of years later, I decided that I would host my own instance on the Fediverse. And the journey began.

There was no particular reason to host my own instance. And as one says: just because you can does not mean you should. But this is how I learn things.

So I created a bunch of accounts on various Fediverse instances running Mastodon, Friendica, PixelFed, Misskey, GNU social and Pleroma. I also installed Honk and GoToSocial. Then I started testing how they all worked together. And I finally decided to go with GoToSocial.

If you care about why I didn’t choose any of the other tested options, here’s my compliance checklist:

Install and run GoToSocial

GTS is available as a package in OpenBSD. As of now, I'm using OpenBSD 7.2 and GoToSocial 0.5.2, available in the HEAD ports tree. I compiled this package in a full 7.2 environment. This is not the recommended way to do it, but I don't want to run -CURRENT on my server. After reading the installation guide, you may proceed.

# pkg_add gotosocial
# cp /usr/local/share/examples/gotosocial/gotosocial.yaml /etc/gotosocial.yaml
# vi /etc/gotosocial.yaml
(...)
host: "piou.foolbazar.eu"
account-domain: ""
protocol: "https"
bind-address: "127.0.0.1"
port: 8080
trusted-proxies:
  - "127.0.0.1/32"
db-type: "sqlite"
db-address: "/var/gotosocial/sqlite.db"
(...)

# rcctl enable gotosocial
# rcctl start gotosocial

Note that GTS listens on localhost only. The service will be exposed via a reverse proxy. The trusted-proxies entry must match the address that proxy connects from (here 127.0.0.1), and nothing broader: it is how GTS decides whose X-Forwarded-For header to believe when working out the real client address.
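The following Go program is an added illustration of that trusted-proxy rule; it is not GoToSocial's own code, and the addresses in it are constructed examples. It resolves the client address from the TCP peer address and the X-Forwarded-For header (which the relayd(8) configuration later in this post appends to every request) by walking the header from the right and skipping every hop that is a trusted proxy, and contrasts that with the naive "take the leftmost entry" mistake that lets any client choose its own address for anything keyed on client IP, such as rate limiting or log review:

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// TrustedProxies plays the role of the trusted-proxies list in gotosocial.yaml:
// only a peer inside one of these prefixes may vouch for a client address.
type TrustedProxies []netip.Prefix

// ParseTrustedProxies turns CIDR strings such as "127.0.0.1/32" into prefixes.
func ParseTrustedProxies(cidrs []string) (TrustedProxies, error) {
	tp := make(TrustedProxies, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		tp = append(tp, p)
	}
	return tp, nil
}

// Contains reports whether ip belongs to a trusted proxy prefix.
func (tp TrustedProxies) Contains(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:127.0.0.1 like 127.0.0.1
	for _, p := range tp {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP derives the real client address from the TCP peer (remoteAddr as
// "host:port") and the X-Forwarded-For header value. Rules:
//   - if the peer is not a trusted proxy, the header is attacker-controlled
//     and is ignored;
//   - otherwise walk the header from the right, skipping trusted hops, and
//     return the first address that is not one of ours. Because relayd(8)
//     appends $REMOTE_ADDR, that rightmost untrusted entry is the client.
func ClientIP(tp TrustedProxies, remoteAddr, xff string) (string, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return "", err
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return "", err
	}
	if !tp.Contains(peer) || strings.TrimSpace(xff) == "" {
		return peer.String(), nil
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			// Garbage in the header: do not guess, fall back to the peer.
			return peer.String(), nil
		}
		if i == 0 || !tp.Contains(a) {
			return a.String(), nil
		}
	}
	return peer.String(), nil
}

// NaiveClientIP is the mistake this example exists to show: trusting the
// leftmost entry, which the client itself can set before the proxy appends.
func NaiveClientIP(remoteAddr, xff string) string {
	if strings.TrimSpace(xff) != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, _ := net.SplitHostPort(remoteAddr)
	return host
}

func main() {
	tp, err := ParseTrustedProxies([]string{"127.0.0.1/32"})
	if err != nil {
		panic(err)
	}
	// Constructed scenario: a client at 198.51.100.7 sends a forged
	// X-Forwarded-For; relayd(8) appends the true peer address after it.
	const peer, xff = "127.0.0.1:51234", "203.0.113.9, 198.51.100.7"
	ip, _ := ClientIP(tp, peer, xff)
	fmt.Println("trusted-proxy rule:", ip)                       // 198.51.100.7
	fmt.Println("naive leftmost:    ", NaiveClientIP(peer, xff)) // 203.0.113.9
}
```

The same rule is why the trusted-proxies list should stay narrow: every prefix you add there is a source whose forwarded addresses are taken at face value.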

The domain name is an important notion in ActivityPub. As with e-mail, it is how you're reachable. But it is less flexible than e-mail: users (actors) are identified by their ID, an https URL under your domain, together with a cryptographic key pair whose public half remote instances fetch and keep in order to verify the requests your server signs. What to remember is: back up your instance and user identity data. And do not simply replace a working installation with an empty one using the same FQDN: remote instances still know the old actors and their keys, and federation with them breaks in confusing ways.
GoToSocial has a nice feature that allows some kind of masquerading: you can set your account to @me@somewhere.home while running the service on a server called vps.somewhere.home (this is what the account-domain setting in gotosocial.yaml is for). The magic is done via /.well-known/ URLs served under somewhere.home, which is also why it can only be done once per domain. So I decided not to use it and to configure a specific (sub)domain.

Administrative tasks are done in the console. There's no GUI for those tasks (yet); and I LOVE IT!
I created an Admin user and a normal user.

# doas -u _gotosocial gotosocial --config-path /etc/gotosocial.yaml      \
  admin account create --username <adminUID> --email <adminEMAIL>        \
  --password '<adminPASSWD>'
# doas -u _gotosocial gotosocial --config-path /etc/gotosocial.yaml      \
  admin account confirm --username <adminUID>
# doas -u _gotosocial gotosocial --config-path /etc/gotosocial.yaml      \
  admin account promote --username <adminUID>

# doas -u _gotosocial gotosocial --config-path /etc/gotosocial.yaml      \
  admin account create --username <myUID> --email <myEMAIL>              \
  --password '<myPASSWD>'
# doas -u _gotosocial gotosocial --config-path /etc/gotosocial.yaml      \
  admin account confirm --username <myUID>

Keep in mind that <UID> is how you'll appear in the Fediverse: people will talk to @UID@DOMAINNAME. The <EMAIL> is used as the username for authentication, in apps or when configuring your profile from the Web GUI. The <PASSWD> is… well… your password. Passing it on the command line as above leaves it in your shell history and, since doas(1) logs every command it runs to syslog unless nolog is set in doas.conf(5), in /var/log/secure as well; clear the history afterwards and treat that password as exposed to anyone who can read those logs.

Expose GoToSocial to the Fediverse

I'm not exposing GTS directly to the Internet. I use the stock relayd(8) and httpd(8) to deal with TLS certificates, HTTP headers and publication.

I used /etc/examples/httpd.conf to set up the HTTP to HTTPS redirection and Let's Encrypt TLS certificate management.

Then I modified my /etc/relayd.conf to expose GoToSocial.

# cat /etc/relayd.conf
# ext_addr, the public address of the host, is defined earlier in the full file
localhost="127.0.0.1"
# httpd(8) listens here for the HTTP to HTTPS redirect and ACME challenges
table <localhost> { $localhost }
table <piou> { $localhost }

http protocol www {
	block
	pass request quick header "Host" value "piou.foolbazar.eu" forward to <localhost>
}
relay www {
	listen on $ext_addr port 80
	protocol www
	forward to <localhost> port http
}

http protocol wwwtls {
	tls keypair foolbazar.eu
	http websockets

	match request header append "X-Forwarded-For"                         \
	    value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By"                          \
	    value "$SERVER_ADDR:$SERVER_PORT"
	match request tagged "piou" header set "X-Forwarded-Proto"            \
	    value "https"
	match response tagged "piou" header set "Content-Security-Policy"     \
	    value "default-src 'self'; script-src 'self'; connect-src 'self'; \
	    img-src 'self'; style-src 'self'; base-uri 'self';                \
	    form-action 'self'"
	# An empty allowlist, (), is how Permissions-Policy denies a feature outright
	match response header set "Permissions-Policy"                        \
	    value "accelerometer=(), camera=(),                               \
	    geolocation=(), gyroscope=(), magnetometer=(),                    \
	    microphone=(), payment=(), usb=()"
	match response header set "Referrer-Policy" value "strict-origin"
	match response header set "Strict-Transport-Security"                 \
	    value "max-age=31536000; includeSubDomains"
	match response header set "X-Content-Type-Options" value "nosniff"
	match response header set "X-Frame-Options" value "SAMEORIGIN"
	# Obsolete: current browsers ignore X-XSS-Protection; the CSP above does the work
	match response header set "X-XSS-Protection" value "1; mode=block"
	match response header remove "Server"

	block
	match request header "Host" value "piou.foolbazar.eu" tag "piou"
	pass request quick tagged "piou" forward to <piou>
}
relay wwwtls {
	listen on $ext_addr port 443 tls
	protocol wwwtls
	forward to <piou> port 8080
}

The reason for the tags is that I have several services exposed by relayd(8) and apply different configurations depending on the service. I extracted the parts needed for GTS here.

Once this is done, reload relayd(8) and you're ready to explore the Fediverse.
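Before calling the proxy done, it is worth checking that the headers the relayd(8) rules are meant to set actually reach clients. The Go program below is an added example, not code from the original post or from GoToSocial: it parses a raw HTTP response and reports missing or weak security headers (Server present, HSTS shorter than a year, no CSP default-src, wildcard or unsafe-inline sources, missing nosniff or framing protection). The response it runs on is a constructed sample mirroring the configuration above, not a capture from the real instance; replace it with the output of `curl -si https://your.host/` to audit a live deployment.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// SampleResponse is a constructed response mirroring what the relayd(8)
// rules above should produce. It is not a capture from a live instance.
const SampleResponse = "HTTP/1.1 200 OK\r\n" +
	"Content-Type: text/html; charset=utf-8\r\n" +
	"Content-Security-Policy: default-src 'self'; script-src 'self'; connect-src 'self'; " +
	"img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'\r\n" +
	"Referrer-Policy: strict-origin\r\n" +
	"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n" +
	"X-Content-Type-Options: nosniff\r\n" +
	"X-Frame-Options: SAMEORIGIN\r\n" +
	"Content-Length: 0\r\n\r\n"

// ParseResponse reads a raw HTTP/1.x response and returns its headers.
func ParseResponse(raw string) (http.Header, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return resp.Header, nil
}

// parseCSP splits "a b c; d e" into {"a": [b c], "d": [e]} with lowercase names.
func parseCSP(csp string) map[string][]string {
	dirs := map[string][]string{}
	for _, part := range strings.Split(csp, ";") {
		fields := strings.Fields(part)
		if len(fields) == 0 {
			continue
		}
		dirs[strings.ToLower(fields[0])] = fields[1:]
	}
	return dirs
}

// hstsMaxAge extracts max-age from a Strict-Transport-Security value (-1 if absent).
func hstsMaxAge(v string) int {
	for _, d := range strings.Split(v, ";") {
		d = strings.TrimSpace(strings.ToLower(d))
		if strings.HasPrefix(d, "max-age=") {
			if n, err := strconv.Atoi(strings.TrimPrefix(d, "max-age=")); err == nil {
				return n
			}
		}
	}
	return -1
}

// AuditHeaders returns one finding per missing or weak security header.
// An empty result means the response matches what the relayd(8) rules intend.
func AuditHeaders(h http.Header) []string {
	var findings []string
	if h.Get("Server") != "" {
		findings = append(findings, "Server header present (relayd should remove it)")
	}
	if hsts := h.Get("Strict-Transport-Security"); hsts == "" {
		findings = append(findings, "Strict-Transport-Security missing")
	} else if age := hstsMaxAge(hsts); age < 31536000 {
		findings = append(findings, fmt.Sprintf("HSTS max-age %d is below one year", age))
	}
	csp := h.Get("Content-Security-Policy")
	if csp == "" {
		findings = append(findings, "Content-Security-Policy missing")
	} else {
		dirs := parseCSP(csp)
		if _, ok := dirs["default-src"]; !ok {
			findings = append(findings, "CSP has no default-src fallback")
		}
		for _, name := range []string{"default-src", "script-src"} {
			for _, src := range dirs[name] {
				switch {
				case src == "*", src == "'unsafe-inline'", src == "'unsafe-eval'", strings.HasPrefix(src, "data:"):
					findings = append(findings, fmt.Sprintf("CSP %s allows %s", name, src))
				}
			}
		}
	}
	if !strings.EqualFold(h.Get("X-Content-Type-Options"), "nosniff") {
		findings = append(findings, "X-Content-Type-Options is not nosniff")
	}
	if h.Get("X-Frame-Options") == "" && !strings.Contains(strings.ToLower(csp), "frame-ancestors") {
		findings = append(findings, "no X-Frame-Options and no CSP frame-ancestors")
	}
	return findings
}

func main() {
	h, err := ParseResponse(SampleResponse)
	if err != nil {
		panic(err)
	}
	findings := AuditHeaders(h)
	if len(findings) == 0 {
		fmt.Println("all expected security headers present")
	}
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
}
```

The thresholds are the ones the relayd.conf above aims for, so a clean run means the proxy is doing what the configuration says; a finding points at a rule that did not apply to that response.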

Online configuration

There are a few URLs that can be used to check and/or modify data.

Connecting Web and/or App client

As stated by the instance summary, GoToSocial does not provide a Web client, whereas Mastodon ships with one. Here, you have to either install a compatible Web client or connect to the instance using an app.

I installed and ran Pinafore on my OpenBSD instance. I just followed the installation directions and started the daemon in a tmux session. The client is exposed via relayd(8). Everything works like a charm and you get a Mastodon-like user experience.

I tried several applications. Some work, some don't. The official Mastodon client works. So do Twidere X and Metatext. The CLI and TUI client named toot does not work; neither do feed2toot and ephemetoot. As far as I could understand, this is because urn:ietf:wg:oauth:2.0:oob is not yet well supported. But I was told on gotosocial-help that this should be solved in the next release.

Migrating from Mastodon

DON'T DO IT. Like REALLY!
Do not do it unless you know what will fail and accept not to go whining in the benevolent developers' ears ;-)

Quoting GTS:

GoToSocial is still ALPHA SOFTWARE. It is already deployable and useable, and it federates cleanly with many other Fediverse servers (not yet all). However, many things are not yet implemented, and there are plenty of bugs! We foresee entering beta somewhere in 2023.

Quoting GoToSocial Help:

several people now have tried to hackily drop-in replace mastodon or pleroma with gts and it is very likely to cause issues. in future we’ll present a properly tested means of migrating, but for now you do such things at your own risk ;)

As I am an idiot, I tried it anyway.

The first thing I did was to configure a "redirect". From the Mastodon Web interface, go to Account / Account settings / Move to a different account. Then click the Alternatively, you can only put up a redirect on your profile link. Enter the new account reference and your current password. Finally click "Set Redirect".
From now on, the Mastodon account carries a note saying This account is marked as moved to @me@mydomain, and may thus not accept new follows. From an account that was already following my redirected account, nothing really happened. If you look up that redirected account, you get the notice that it is redirected. From an account that was not already following my redirected account, it is impossible to follow it; you have to follow the target account instead.

The second step would be to actually move the account, which, according to the doc, should move all your followers to the new account. As of now, there was no automatic migration of the followers to the new account; people had to follow the new account manually.
Using the "Move to a different account" feature did not work. I think the reason lies here:

The new account must first be configured to back-reference this one

and as far as I could understand, GTS does not implement aliases yet. So trying to proceed with the migration ends up with

Something isn’t quite right yet! Please review the error below

DO NOT TRY TO MIGRATE YOUR MASTODON ACCOUNT TO GOTOSOCIAL
Just create a new one, tell your followers and take the opportunity to clean your following / followers lists ;-)

So what?

All in all, I don’t regret setting up my own Fediverse instance using GoToSocial. And I think I will keep using my account with GTS.

There are a few things I used on Mastodon that I noticed do not work yet with GoToSocial:

Keep and eye on the roadmap to see what happens and what to expect from GoToSocial. Things will change with time.

When you run your own instance and you're the only user on it, the Local and Federated Timelines get a bit less interesting than they were on a populated instance.
The Home Timeline is a mix of your activity and the activity of the people you follow: you get their posts, their favourites, their retoots and various replies.
The Local Timeline is basically the list of toots you, the only user, made. Hence, not very interesting. Unless you don't know what you toot :)
The Federated Timeline may be populated differently depending on the software. From what I understood and identified, the Federated Timeline on GoToSocial, when you are the only user on the instance, will contain the following things:

I thought the Federated Timeline would contain all the public posts from the instances hosting the people/accounts I follow. But it's not the case. Discovering new people/accounts will require another method.

Now, happy tooting! And if you wish to, I’m tootable as @joel@piou.foolbazar.eu.