From 9d7ab53e50558ffd65cd65bcd79dfe1ebe85e4cd Mon Sep 17 00:00:00 2001
From: Mike Dilger
Date: Sat, 17 Feb 2024 15:27:05 +1300
Subject: [PATCH] Contrib files with instructions for deployment

---
 contrib/README.md | 174 +++++++++++++++++++++++++++++++++
 contrib/chorus-direct.service | 20 ++++
 contrib/chorus-proxied.service | 16 +++
 contrib/chorus.nginx.com | 30 ++++++
 contrib/chorus.ron | 16 +++
 5 files changed, 256 insertions(+)
 create mode 100644 contrib/README.md
 create mode 100644 contrib/chorus-direct.service
 create mode 100644 contrib/chorus-proxied.service
 create mode 100644 contrib/chorus.nginx.com
 create mode 100644 contrib/chorus.ron

diff --git a/contrib/README.md b/contrib/README.md
new file mode 100644
index 0000000..f9c57a0
--- /dev/null
+++ b/contrib/README.md
@@ -0,0 +1,174 @@
+# Deploying Chorus
+
+## Internet-accessible IP Address
+
+Nostr relays need to be deployed on machines with Internet-accessible IP addresses.
+
+Generally these are servers in data centres, but you might be able to make a port available
+to the Internet on a home machine if your ISP doesn't use CGNAT and you know how to
+configure your firewall/router for this. We leave this up to you.
+
+## Deploying the files
+
+As root, you'll want to create a `chorus` user. Here is an example for debian based systems:
+
+
+```sh
+# useradd -r -d /opt/chorus -s /bin/bash chorus
+```
+
+As root, you'll want to make the following directories
+
+```sh
+# mkdir -p /opt/chorus/{etc,src,var,sbin,lib}
+# mkdir -p /opt/chorus/var/{chorus,www}
+# mkdir -p /opt/chorus/lib/systemd/system
+# chown -R chorus /opt/chorus
+```
+
+Now you can clone the chorus source code onto the server.
+
+If you will be building as a different user (e.g. your personal login), you might want to change
+the ownership of this directory to yourself. This is particularly useful if you already have rust
+installed via rustup and don't want to install another rust system under the chorus user.
+
+We continue presuming you will be installing rust under the chorus user.
+
+```sh
+# sudo -iu chorus
+$ cd /opt/chorus/src
+$ git clone https://github.com/mikedilger/chorus
+$ cd chorus
+```
+
+Now we install rust as the chorus user. Beware this uses a fair amount of space for rust package
+downloads that is not shared with any other user on the system.
+
+If you have `rustc` and `cargo` installed at the system level you can use those
+instead and can skip this step. 
This step comes from (https://rustup.rs)[https://rustup.rs]
+
+```sh
+$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+```
+
+If you are coming back here after some time, you may wish to update rust instead:
+
+```sh
+$ rustup update
+```
+
+Now let's continue by building chorus:
+
+```sh
+$ cd /opt/chorus/src/chorus
+$ cargo build --release
+```
+
+Ok now let's install that:
+
+```sh
+$ install --mode=0700 ./target/release/chorus /opt/chorus/sbin/chorus
+```
+
+Now let's create our config file
+
+```sh
+$ cp /opt/chorus/src/chorus/contrib/chorus.ron /opt/chorus/etc/
+```
+
+Go ahead and edit that file to your liking. In particular:
+
+- Change the `ip_address` to your internet-accessible IP address (if you are running directly)
+ or to 127.0.0.1 with a local port like 8080 (if you are proxying behind nginx)
+- Change the port if necessary
+- Change the name, description, and contact (e.g. your email address) as desired
+- Set your public_key_hex (it is an option, so use `Some()`)
+- Set hex keys of users for which this relay will act as a personal relay
+
+
+## Setting up the Service
+
+We describe two options for setting up the service. The first is to run chorus directly.
+The second is to run chorus behind an nginx proxy.
+
+If you want chorus to respond on port 443, and you host other virtual servers on the
+machine, you'll need to run chorus behind an nginx proxy.
+
+But you can run in on a different port (e.g. 444) too. Remember to open up your firewall
+for this if necessary.
+
+
+### Running chorus directly
+
+Copy the systemd service file from the source code to the install location:
+
+```sh
+$ cp /opt/chorus/src/chorus/contrib/chorus-direct.service /opt/chorus/lib/systemd/system/chorus.service
+```
+
+Edit this file to change the `letsencrypt` paths to include your actual domain (replace the
+`chorus.example.com` part). 
+
+NOTE ON TLS CERTIFICATES: We will presume that you manage TLS certificates for your server
+with letsencrypt and certbot, and that certificates can be found (as root) under the
+`/etc/letsencrypt/` directory. Our systemd service file will copy those certificates
+into /opt/chorus/etc/tls each time it starts so it has access to them (it doesn't run as
+root so it needs copies that are owned by chorus that it can access).
+
+Make the directory for certificate copies:
+
+```sh
+$ mkdir -p --mode=0700 /opt/chorus/etc/tls
+```
+
+As root, enable the service and start the service:
+
+```sh
+# systemctl enable /opt/chorus/lib/systemd/system/chorus.service
+# systemctl start chorus.service
+```
+
+### Running behind nginx
+
+Copy the systemd service file from the source code to the install location:
+
+```sh
+$ cp /opt/chorus/src/chorus/contrib/chorus-proxied.service /opt/chorus/lib/systemd/system/chorus.service
+```
+
+Copy the nginx config file to the install location:
+
+```sh
+$ cp /opt/chorus/src/chorus/contrib/chorus.nginx.conf /opt/chorus/etc/chorus.nginx.conf
+```
+
+Change the port on the `proxy_pass` line if you are running chorus on a different port.
+
+As root, enable the service and start the service:
+
+```sh
+# systemctl enable /opt/chorus/lib/systemd/system/chorus.service
+# systemctl start chorus.service
+```
+
+Link the nginx config file
+
+```sh
+# ln -s /opt/chorus/etc/chorus.nginx.conf /etc/nginx/sites-available/chorus.nginx.conf
+# ln -s ../sites-available/chorus.nginx.conf /etc/nginx/sites-enabled/chorus.nginx.conf
+```
+
+Restart nginx
+
+```sh
+# systemctl restart nginx.service
+```
+
+## Monitoring the service
+
+You can watch the logs with a command like this
+
+```sh
+# journalctl -f -u chorus.service
+```
+
diff --git a/contrib/chorus-direct.service b/contrib/chorus-direct.service
new file mode 100644
index 0000000..686e17e
--- /dev/null
+++ b/contrib/chorus-direct.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=chorus
+After=network-online.target
+
+[Service]
+Type=simple
+Environment="RUST_BACKTRACE=1"
+Environment="RUST_LOG=info"
+WorkingDirectory=/opt/chorus
+User=chorus
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+ExecStartPre=+cp -H /etc/letsencrypt/live/chorus.example.com/fullchain.pem /opt/chorus/etc/tls/
+ExecStartPre=+cp -H /etc/letsencrypt/live/chorus.example.com/privkey.pem /opt/chorus/etc/tls/
+ExecStartPre=+chown chorus /opt/chorus/etc/tls/fullchain.pem /opt/chorus/etc/tls/privkey.pem
+ExecStart=/opt/chorus/sbin/chorus /opt/chorus/etc/chorus.ron
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/chorus-proxied.service b/contrib/chorus-proxied.service
new file mode 100644
index 0000000..85904ae
--- /dev/null
+++ b/contrib/chorus-proxied.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=chorus
+After=network-online.target
+
+[Service]
+Type=simple
+Environment="RUST_BACKTRACE=1"
+Environment="RUST_LOG=info"
+WorkingDirectory=/opt/chorus
+User=chorus
+ExecStart=/opt/chorus/sbin/chorus /opt/chorus/etc/chorus.ron
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/chorus.nginx.com b/contrib/chorus.nginx.com
new file mode 100644
index 0000000..231c29e
--- /dev/null
+++ b/contrib/chorus.nginx.com
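Review bot: The `ExecStartPre=+cp -H … privkey.pem` line followed by `chown chorus` never pins the mode of the copied private key: on first start the mode depends on the source file's mode and root's umask, and on every later restart cp truncates the existing destination and keeps whatever mode it already had, so a key that ever became group/world readable stays that way. Replace the cp and chown lines for the key with `ExecStartPre=+install -o chorus -g chorus -m 0600 /etc/letsencrypt/live/chorus.example.com/privkey.pem /opt/chorus/etc/tls/privkey.pem` (and the same with `-m 0644` for fullchain.pem), which sets owner and mode atomically on each start. `After=network-online.target` only orders the unit; it does not pull the target in, so add `Wants=network-online.target` beside it or the relay can start before the interface is up. Since the process is unprivileged and needs only the ambient `CAP_NET_BIND_SERVICE`, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` plus `NoNewPrivileges=true` would make that the only capability it can ever acquire.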
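Review bot: The proxied unit drops to `User=chorus` but applies no filesystem or privilege sandboxing, and because the README's install steps `chown -R chorus /opt/chorus`, that same user owns the binary in `/opt/chorus/sbin` and the config in `/opt/chorus/etc`, so a compromised relay process can rewrite what it will execute on the next `Restart=always`. Under `[Service]` add `NoNewPrivileges=true`, `ProtectSystem=strict` and `ReadWritePaths=/opt/chorus/var/chorus` (the `data_directory` from the companion chorus.ron, which appears to be the only path the relay writes; confirm against the relay's own file usage before enabling strict mode), optionally with `PrivateTmp=true` and `ProtectHome=true`. As in the direct unit, `After=network-online.target` needs a matching `Wants=network-online.target` to actually wait for the network.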
@@ -0,0 +1,30 @@
+server {
+    listen 443 ssl;
+    server_name chorus.example.com;
+    #include snippets/snakeoil.conf;
+    ssl_certificate /etc/letsencrypt/live/chorus.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/chorus.example.com/privkey.pem;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ecdh_curve secp521r1:secp384r1;
+    ssl_ciphers EECDH+AESGCM:EECDH+AES256;
+
+    keepalive_timeout 70;
+
+    location /.well-known/acme-challenge {
+        root /opt/chorus/var/www/;
+        add_header Access-Control-Allow-Origin *;
+        add_header Access-Control-Allow-Headers *;
+        add_header Access-Control-Allow-Methods *;
+    }
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_read_timeout 1d;
+        proxy_send_timeout 1d;
+    }
+}
diff --git a/contrib/chorus.ron b/contrib/chorus.ron
new file mode 100644
index 0000000..1a5ed30
--- /dev/null
+++ b/contrib/chorus.ron
@@ -0,0 +1,16 @@
+FriendlyConfig(
+    data_directory: "/opt/chorus/var/chorus",
+    ip_address: "127.0.0.1",
+    port: 443,
+    use_tls: true,
+    certchain_pem_path: "/opt/chorus/etc/tls/fullchain.pem",
+    key_pem_path: "/opt/chorus/etc/tls/privkey.pem",
+    name: Some("Chorus Default"),
+    description: Some("A default config of the Chorus relay"),
+    contact: None,
+    public_key_hex: None,
+    user_hex_keys: [
+    ],
+    verify_events: true,
+    allow_scraping: false,
+)
\ No newline at end of file
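Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, both deprecated by RFC 8996 and rejected by current clients, while leaving out TLS 1.3; change it to `ssl_protocols TLSv1.2 TLSv1.3;`. The file is committed as `contrib/chorus.nginx.com`, but the README's copy step and the `ln -s` targets refer to `chorus.nginx.conf`, so the documented `cp` fails as written; renaming the file to `.conf` fixes both. `ssl_ecdh_curve secp521r1:secp384r1;` excludes X25519 and P-256, the groups nearly every modern client offers first, so `ssl_ecdh_curve X25519:secp384r1:prime256v1;` is the usual choice. The wildcard `Access-Control-Allow-*` headers on the acme-challenge location are not needed for ACME validation (the CA fetches the token server-side, with no browser CORS check) and can be dropped.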
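Review bot: The shipped defaults combine `ip_address: "127.0.0.1"`, `port: 443` and `use_tls: true`, which matches neither deployment the README describes: direct mode needs the public address, and in proxied mode nginx does `proxy_pass http://127.0.0.1:8080`, i.e. plain HTTP on 8080, so `use_tls` presumably has to be `false` there — yet the README's edit checklist never mentions `use_tls`, and the default `certchain_pem_path`/`key_pem_path` only exist in direct mode. RON accepts `//` comments; add one above `ip_address` such as `// Direct: public IP, port 443, use_tls: true. Behind nginx: 127.0.0.1, port 8080, use_tls: false (nginx terminates TLS).` so the file documents both modes. `verify_events: true` and `allow_scraping: false` are the right conservative defaults and should stay.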