2.0.2

* Use docker-compose
 * Make it work with podman too
 * Run as root inside the container, no need for chorus user

Cargo.lock

@@ -220,7 +220,7 @@ checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
 
 [[package]]
 name = "chorus"
-version = "2.0.1"
+version = "2.0.2"
 dependencies = [
  "base64 0.22.1",
  "bitcoin_hashes 0.19.0",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "chorus"
-version = "2.0.1"
+version = "2.0.2"
 description = "A personal relay for nostr"
 authors = ["Mike Dilger <mike@mikedilger.com>"]
 license = "MIT"
@@ -24,8 +24,8 @@ log = "0.4"
 mime-sniffer = "0.1"
 mime2ext = "0.1"
 negentropy = "0.5"
-pocket-types = { git = "https://github.com/mikedilger/pocket", ref = "43d35015f7caf1db48eb846a1d6916a5716048da" }
-pocket-db = { git = "https://github.com/mikedilger/pocket", ref = "43d35015f7caf1db48eb846a1d6916a5716048da" }
+pocket-types = { git = "https://github.com/mikedilger/pocket", ref = "329334f20948c796c6016b673b92551ac4855ad7" }
+pocket-db = { git = "https://github.com/mikedilger/pocket", ref = "329334f20948c796c6016b673b92551ac4855ad7" }
 parking_lot = "0.12"
 rustls-pki-types = "1.11"
 rustls-pemfile = "2.2"

docker/.env

@@ -0,0 +1 @@
+PODMAN_USERNS=keep-id

docker/Dockerfile

@@ -0,0 +1,35 @@
+FROM rust:alpine as builder
+RUN apk add --no-cache git
+WORKDIR /root
+RUN git clone https://github.com/mikedilger/chorus
+WORKDIR /root/chorus
+RUN git checkout latest
+RUN cargo build --release
+RUN strip ./target/release/* || true
+
+FROM alpine:latest
+
+# Install system packages
+# RUN apk add --no-cache curl gcc musl-dev openssl-dev pkgconfig git make cmake
+
+# Setup chorus user and directories
+RUN mkdir -p /opt/chorus/etc /opt/chorus/src/chorus /opt/chorus/var /opt/chorus/sbin /opt/chorus/lib && \
+    mkdir -p /opt/chorus/var/chorus /opt/chorus/var/www && \
+    mkdir -p /opt/chorus/lib/systemd/system
+
+COPY --from=builder /root/chorus/target/release/chorus /opt/chorus/sbin/chorus
+COPY --from=builder /root/chorus/target/release/chorus_cmd /opt/chorus/sbin/chorus_cmd
+COPY --from=builder /root/chorus/target/release/chorus_compress /opt/chorus/sbin/chorus_compress
+COPY --from=builder /root/chorus/target/release/chorus_dump /opt/chorus/sbin/chorus_dump
+COPY --from=builder /root/chorus/target/release/chorus_dump_approvals /opt/chorus/sbin/chorus_dump_approvals
+COPY --from=builder /root/chorus/target/release/chorus_moderate /opt/chorus/sbin/chorus_moderate
+
+RUN chmod 0700 /opt/chorus/sbin/*
+
+VOLUME /opt/chorus/etc
+VOLUME /opt/chorus/var
+
+WORKDIR /opt/chorus
+ENV RUST_BACKTRACE=1
+ENV RUST_LOG=info
+ENTRYPOINT ["/opt/chorus/sbin/chorus", "/opt/chorus/etc/chorus.toml"]

docker/README.md

@@ -0,0 +1,6 @@
+# Docker install of Chorus
+
+You need to `cp chorus.toml.in chorus.toml` and then edit this file
+to set up your configuration
+
+Then you can build the container: `docker build .`

docker/docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+  chorus:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    container_name: chorus
+    restart: unless-stopped
+    volumes:
+      - ./etc:/opt/chorus/etc
+      - ./var:/opt/chorus/var
+    ports:
+      - 443:1444

docker/etc/.gitignore

@@ -0,0 +1 @@
+/chorus.toml

docker/etc/chorus.toml.in

@@ -0,0 +1,354 @@
+# This is a config file for the Chorus nostr relay
+# Refer to https://github.com/mikedilger/chorus
+
+# This is the directory where chorus stores data.
+#
+# Default is "/tmp".
+#
+# If deployed according to docs/DEPLOYING.md, is "/opt/chorus/var/chorus".
+#
+data_directory = "/opt/chorus/var/chorus"
+
+
+# This is the IP address that chorus listens on. If deployed directly on the
+# Internet, this should be an Internet globally accessible IP address.
+# If proxied or if testing locally, this can be a localhost address.
+#
+# Default is "127.0.0.1".
+#
+ip_address = "0.0.0.0"
+
+
+# This is the port that chorus listens on. If deployed directly on the Internet,
+# this should probably be 443 which is the expected default port for the
+# "wss://" protocol.
+#
+# Default is 443.
+#
+port = 443
+
+
+# This is the DNS hostname of your relay.
+# This is used for verifying AUTH events, which specify your relay host name.
+#
+hostname = "localhost"
+
+
+# If chorus is behind a proxy like nginx, set this to true. In this case chorus will look for and
+# trust the `X-Real-Ip` HTTP request header to get the real IP of the client. This header MUST exist
+# or the connection will not be served.
+#
+# Default is false.
+#
+chorus_is_behind_a_proxy = true
+
+
+# If chorus is behing a proxy, it can't compute it's Internet-visible URL. So set it here.
+# This is used currently by web management and blossom and maybe more in the future.
+#
+# Default is not set.
+#
+# base_url =
+
+# If true, chorus will handle TLS, running over HTTPS. If false, chorus run over HTTP.
+#
+# If you are proxying via nginx, normally you will set this to false and allow nginx to handle TLS.
+#
+use_tls = false
+
+
+# This is the path to your TLS certificate chain file.
+#
+# If use_tls is false, this value is irrelevant.
+#
+# Default is "./tls/fullchain.pem".
+#
+# If deployed according to docs/DEPLOYING.md using the direct method, this is set to
+# "/opt/chorus/etc/tls/fullchain.pem" and the systemd service copies letsencrypt TLS
+# certificates into this position on start.
+#
+certchain_pem_path = "/use/an/nginx/proxy"
+
+
+# This is the path to yoru TLS private key file.
+#
+# If use_tls is false, this value is irrelevant.
+#
+# Default is "./tls/privkey.pem".
+#
+# If deployed according to docs/DEPLOYING.md using the direct method, this is set to
+# "/opt/chorus/etc/tls/privkey.pem" and the systemd service copies letsencrypt TLS
+# certificates into this position on start.
+#
+key_pem_path = "/use/an/nginx/proxy"
+
+
+# This is a name for your relay, displayed in the NIP-11 response.
+#
+# Default is "Chorus Default"
+#
+# name = "Chorus Default"
+
+
+# This is a description for your relay, displayed in the NIP-11 response.
+#
+# Default is "A default config of the Chorus relay"
+#
+# description = "A default config of the Chorus relay"
+
+
+# This is a banner URL pointing to an image representing your relay, displayed in the NIP-11
+# response.
+#
+# Default is not set
+#
+# banner_url =
+
+
+# This is an icon URL pointing to an image representing your relay, displayed in the NIP-11
+# response.
+#
+# Default is not set
+#
+# icon_url =
+
+
+# This is an optional privacy policy as a blob of text (not a URL, not HTML).
+#
+# Default is not set
+#
+# privacy_policy = ""
+
+
+# This is an optional terms of service document as a blob of text (not a URL, not HTML).
+#
+# Default is not set
+#
+# terms_of_service = ""
+
+
+# This is an optional contact for your relay, displayed in the NIP-11 response.
+#
+# Default is not set
+#
+# contact =
+
+
+# This is an optional public key (hex format) for your relay, displayed in the NIP-11 response.
+#
+# Default is not set
+#
+# contact_public_key_hex =
+
+
+# If open_relay is true, the relay behaves as an open public relay.
+#
+# Default is false.
+#
+# open_relay = false
+
+
+# These are the public keys (hex format) of your relay's administrators. This does NOT
+# automatically make them a relay user, but it will eventually allow them to add/remove users
+# and moderators.
+#
+# Default is []
+#
+admin_hex_keys = []
+
+
+# This is a boolean indicating whether or not chorus verifies incoming events.
+#
+# This setting only skips verification of events that are submitted by AUTHed and
+# authorized users. Chorus always verifies incoming AUTH events, and any event that
+# is not submitted by an AUTHed and authorized relay user.
+#
+# Default is true.
+#
+verify_events = true
+
+
+# This is a boolean indicating whether or not scraping is allowed. Scraping is any filter
+# where all of the following are true:
+#
+# - `ids` is missing or empty
+# - `authors` is missing or empty
+# - There are no `#X` tag filters
+#
+# Filter that fail to match these conditions will be rejected if allow_scraping is false.
+#
+# If allow_scraping is true, be aware that filters that don't match any of these conditions
+# (and are not bound by since/until/limit) have no indexes to speed up their query, so they
+# scan through every single event on the relay.
+#
+# See also `allow_scrape_if_limited_to` and `allow_scrape_if_max_seconds`.
+#
+# Default is false.
+#
+allow_scraping = false
+
+
+# This is a u32 count of events indicating a filter `limit` value under which a scrape is
+# allowed, irrespective of the `allow_scraping` setting. Such scrapes are not expensive due
+# to the limit.  The limit must be specified in the filter; it does not do the scrape and
+# then count to see if it was under the limit.
+#
+# See `allow_scraping` to learn the definition of a scrape.
+#
+# The default is 100.
+#
+allow_scrape_if_limited_to = 500
+
+
+# This is a u64 number of seconds indicating a filter time range under which a scrape is
+# allowed, irrespective of the `allow_scraping` setting. Such scrapes are rarely expensive
+# due to the short time period.
+#
+# See `allow_scraping` to learn the definition of a scrape.
+#
+# The default is 7200.
+#
+allow_scrape_if_max_seconds = 14400
+
+
+# Within negentropy synchronization, allow scraping
+#
+# The default is true
+#
+allow_scrape_if_negentropy = true
+
+
+# This is an integer indicating the maximum number of subscriptions a connection can have open
+# at a given time.
+#
+# If you set this too low, clients will be incentivised to resubmit updated subscriptions which
+# will pull down the same events over again, instead of submitting a new subscription that only
+# gets the additional events that the client wants. It may seem intuitive that setting this to
+# a low value like 10 will decrease server load, but it will probably increase server load.
+#
+# It is strongly recommended to not go below 16.
+#
+# Default is 128.
+#
+max_subscriptions = 128
+
+
+# Whether or not to accept and serve all ephemeral events to everybody.
+#
+# Default is true.
+#
+serve_ephemeral = true
+
+# Whether or not to accept and serve kind 10002 Relay List Metadata (NIP-65) events to everybody.
+#
+# Default is true.
+#
+serve_relay_lists = true
+
+# How verbose to log issues with the main server code.
+#
+# Possible values are: Trace, Debug, Info, Warn, Error
+#
+# Default is Info
+#
+server_log_level = "Info"
+
+
+# How verbose to log library issues and other general issues
+#
+# Possible values are: Trace, Debug, Info, Warn, Error
+#
+# Default is Info
+#
+library_log_level = "Info"
+
+
+# How verbose to log issues with client requests
+#
+# Possible values are: Trace, Debug, Info, Warn, Error
+#
+# Default is Info
+#
+client_log_level = "Info"
+
+
+# Whether to block incoming connections based on recent prior behavior
+#
+# Chorus normally blocks IP addresses for a short period preventing quick reconnections,
+# and for a longer period if the previous connection ended in some error condition.
+#
+# By setting this variable to false, it will allow all connections, incluing poorly behaving
+# clients that reconnect over and over in a tight loop.
+#
+# Default is true
+#
+enable_ip_blocking = true
+
+
+# Number of seconds to ban an IP address after disconnection.
+#
+# Enforcing this minimum ban prevents clients from immediately reconnecting which can cause tight loops.
+# Only relevant if enable_ip_blocking is true.
+#
+# Default is 1
+#
+minimum_ban_seconds = 1
+
+
+# Number of seconds beyond which chorus times out a client that has no open subscriptions.
+#
+# Default is 60
+#
+timeout_seconds = 60
+
+
+# Maximum number of websocket connections per IP address
+#
+# Default is 5
+#
+max_connections_per_ip = 5
+
+
+# The maximum rate (excluding bursts) of data that will be transmitted over a websocket connection
+# (both directions, per connection). Beyond this rate (in a sustained way) the connection will be
+# closed.
+#
+# Default is 1024576 bytes per second.
+#
+throttling_bytes_per_second = 1024576
+
+
+# The allowable bursts of data beyond the normal rate.
+#
+# We keep a count of how many bytes they are allowed, and that count starts at this number.
+# As bytes are consumed the count goes down, but we refund throttling_bytes_per_second every
+# second. If that bucket doesn't have enough, the burst won't be allowed and the connection
+# will be closed.
+#
+# Default is 16777216 bytes.
+#
+throttling_burst = 16777216
+
+
+# Blossom server directory
+#
+# Set to a filesystem directory where you want chorus to store files.
+#
+# Blossom allows clients to upload files making them available for the public to download.
+# Our implementation makes all files publicly readable, but only chorus users can upload
+# or delete.  See https://github.com/hzrd149/blossom
+#
+# Default is not set
+#
+# blossom_directory =
+
+
+# Whether to allow negentropy syncing or not
+#
+# If this is enabled, keep in mind that some negentropy syncs are scrapes and if you want to
+# allow those, you should also enable allow_scraping. But this will require scans of the entire
+# database since scrapes have no indexes.
+#
+# Default is false
+#
+enable_negentropy = false

docker/var/.gitignore

@@ -0,0 +1 @@
+