authorJenniferplusplus <contact@jenniferplusplus.com>2023-11-12 18:30:50 -0600
committerJenniferplusplus <contact@jenniferplusplus.com>2023-11-12 18:30:50 -0600
commitcfe4c2ad0919de9fee748402879e30934e3e98c8 (patch)
treefe6a398594f032ff59ff29eca38ee56987eac110
parent553dd1c1f29d6b89ee247d042a9ef66bd5442a0b (diff)
mastodon and docker networking configured
-rw-r--r--docker-compose.yml4
-rw-r--r--mastodon.Dockerfile9
-rw-r--r--mastodon.castle.yml117
-rw-r--r--readme.md15
4 files changed, 139 insertions, 6 deletions
diff --git a/docker-compose.yml b/docker-compose.yml
index 2c8f43f..e13ac95 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,7 +19,9 @@ services:
- root-ca.castle
proxy:
- image: traefik-trust-root-ca
+ labels:
+ - traefik.enable=false
+ image: traefik-trust-sandcastle-ca
build:
dockerfile: proxy.Dockerfile
volumes:
diff --git a/mastodon.Dockerfile b/mastodon.Dockerfile
new file mode 100644
index 0000000..14909e6
--- /dev/null
+++ b/mastodon.Dockerfile
@@ -0,0 +1,9 @@
+FROM docker.io/bitnami/mastodon:4
+
+USER root
+
+COPY volumes/root-ca/certs/root_ca.crt /usr/local/share/ca-certificates/root_ca.crt
+
+RUN cat /usr/local/share/ca-certificates/root_ca.crt >> /etc/ssl/certs/ca-certificates.crt
+
+USER 1001
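Review bot: The RUN line appends the root CA straight onto /etc/ssl/certs/ca-certificates.crt rather than regenerating the bundle, so the COPY into /usr/local/share/ca-certificates/ on the line above is never consumed, and the trust is lost if anything later rebuilds that bundle. If the base image ships the ca-certificates package, `RUN update-ca-certificates` in place of the cat line does both in one step; if it does not, the append is acceptable but deserves a comment saying why the manual concatenation is used. This only covers OpenSSL-based clients (the Ruby web and Sidekiq processes); Node reads its own CA store, so a streaming process built from this image would additionally need `NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/root_ca.crt`. The USER switch back to 1001 is correct and should stay last.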
diff --git a/mastodon.castle.yml b/mastodon.castle.yml
new file mode 100644
index 0000000..4b1cc92
--- /dev/null
+++ b/mastodon.castle.yml
@@ -0,0 +1,117 @@
+
+services:
+ mastodon:
+ labels:
+ - traefik.http.routers.mastodon.rule=Host(`mastodon.castle`)
+ - traefik.http.routers.mastodon.tls=true
+ - traefik.http.routers.mastodon.tls.certresolver=smallstep
+ - traefik.port=3000
+ depends_on:
+ - mastodon_db
+ - mastodon_es
+ - mastodon_redis
+ image: mastodon-trust-sandcastle-ca
+ build:
+ dockerfile: mastodon.Dockerfile
+ volumes:
+ - 'mastodon_data:/bitnami/mastodon'
+ ports:
+ - '3080:3000'
+ networks:
+ - mastodon
+ - fediverse
+ - default
+ environment:
+ - MASTODON_DATABASE_HOST=mastodon_db
+ - MASTODON_REDIS_HOST=mastodon_redis
+ - MASTODON_ELASTICSEARCH_HOST=mastodon_es
+ - ALLOW_EMPTY_PASSWORD=yes
+ - MASTODON_MODE=web
+ - MASTODON_DATABASE_PASSWORD=bitnami1
+ - MASTODON_ELASTICSEARCH_PASSWORD=bitnami123
+ - LOCAL_DOMAIN=mastodon.castle
+ - WEB_DOMAIN=mastodon.castle
+
+ mastodon-streaming:
+ depends_on:
+ - mastodon
+ image: docker.io/bitnami/mastodon:4
+ networks:
+ - mastodon
+ environment:
+ - ALLOW_EMPTY_PASSWORD=yes
+ - MASTODON_MODE=streaming
+ - MASTODON_DATABASE_PASSWORD=bitnami1
+ - MASTODON_ELASTICSEARCH_PASSWORD=bitnami123
+ - MASTODON_REDIS_HOST=mastodon_redis
+ mastodon-sidekiq:
+ depends_on:
+ - mastodon
+ image: docker.io/bitnami/mastodon:4
+ volumes:
+ - 'mastodon_data:/bitnami/mastodon'
+ networks:
+ - mastodon
+ environment:
+ - ALLOW_EMPTY_PASSWORD=yes
+ - MASTODON_MODE=sidekiq
+ - MASTODON_DATABASE_PASSWORD=bitnami1
+ - MASTODON_ELASTICSEARCH_PASSWORD=bitnami123
+ - MASTODON_REDIS_HOST=mastodon_redis
+ - MASTODON_DATABASE_HOST=mastodon_db
+ mastodon_db:
+ image: docker.io/bitnami/postgresql:16
+ networks:
+ - mastodon
+ volumes:
+ - 'mastodon_db_data:/bitnami/postgresql'
+ environment:
+ - POSTGRESQL_DATABASE=bitnami_mastodon
+ - POSTGRESQL_USERNAME=bn_mastodon
+ - POSTGRESQL_PASSWORD=bitnami1
+ mastodon_redis:
+ image: docker.io/bitnami/redis:7.0
+ volumes:
+ - 'redis_data:/bitnami/redis'
+ networks:
+ - mastodon
+ environment:
+ - ALLOW_EMPTY_PASSWORD=yes
+ mastodon_es:
+ image: docker.io/bitnami/elasticsearch:8
+ networks:
+ - mastodon
+ volumes:
+ - 'elasticsearch_data:/bitnami/elasticsearch/data'
+ environment:
+ - ELASTICSEARCH_ENABLE_SECURITY=true
+ - ELASTICSEARCH_SKIP_TRANSPORT_TLS=true
+ - ELASTICSEARCH_ENABLE_REST_TLS=false
+ - ELASTICSEARCH_PASSWORD=bitnami123
+
+ # Configure docker's internal DNS
+ # Traefik will provide SSL termination and proxy back to mastodon
+ proxy:
+ networks:
+ default:
+ aliases:
+ - mastodon.castle
+ fediverse:
+ aliases:
+ - mastodon.castle
+
+volumes:
+ mastodon_db_data:
+ driver: local
+ minio_data:
+ driver: local
+ redis_data:
+ driver: local
+ elasticsearch_data:
+ driver: local
+ mastodon_data:
+ driver: local
+
+networks:
+ mastodon:
+ internal: true \ No newline at end of file
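Review bot: Only the `mastodon` web service is built from the CA-trusting image; `mastodon-sidekiq` and `mastodon-streaming` still use `docker.io/bitnami/mastodon:4`, and Sidekiq is the process that performs outbound federation deliveries, so signed requests to the other `*.castle` instances would fail TLS verification against the Smallstep CA. Using `image: mastodon-trust-sandcastle-ca` with the same `build:` stanza for both services closes that gap. The streaming service also sets no `MASTODON_DATABASE_HOST`, so it will resolve whatever the image default is rather than `mastodon_db`; add `- MASTODON_DATABASE_HOST=mastodon_db` to its environment, matching the sidekiq block. Separately, `traefik.port=3000` is a Traefik v1 label; if the proxy in docker-compose.yml is Traefik v2 or later the port is declared as `traefik.http.services.mastodon.loadbalancer.server.port=3000`, and without it the only reachable path is the plain-HTTP `3080:3000` host mapping. The `bitnami1`/`bitnami123` passwords are repeated inline across five services; since the setup step already generates secrets, sourcing them from an env file via `${MASTODON_DATABASE_PASSWORD}` would keep them in one place and out of the committed overlay.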
diff --git a/readme.md b/readme.md
index 40e0d8b..62ad49e 100644
--- a/readme.md
+++ b/readme.md
@@ -7,13 +7,13 @@
The Letterbook Sandcastles project offers an integration and federation test sandbox for developers of fediverse software. The goal is to make it easy to set up local instances of most fediverse servers, which can all federate with each other, with minimal necessary configuration. This includes your own software, running on your local machine.
# How it Works
-This is accomplished by running them all in a docker compose project, along with some supporting infrastructure.
+This is accomplished by running them all in a docker compose project, along with some supporting infrastructure to provision and use SSL certificates.
## Smallstep Certificate Authority
-This provides a root certificate authority which can issue SSL certificates to all of the other servers managed by the project. These servers are preconfigured to trust this CA, and the certificates will be renewed or re-issued as needed.
+This provides a root certificate authority which can issue SSL certificates to all of the other servers managed by the project. These servers are preconfigured to trust this CA, and the certificates will be provisioned as needed.
## Traefik Reverse Proxy
-Traefik serves as a reverse proxy, handling *all* of the federated traffick between services. It does this so that it can also manage their SSL certificates and connections. Traefik will automatically provision these certificates.
+Traefik serves as a reverse proxy, handling *all* of the federated traffick between services. It does this so that it can also manage their SSL certificates and connections. Traefik will automatically request or renew the certificates from Smallstep.
# Getting Started
@@ -41,12 +41,16 @@ This will configure the internal Smallstep CA, and will generate a number of sec
### 3. Run everything
This will re-build the service images with built-in trust for your new internal root CA. This allows all of the services to federate with each other with no additional modifications. The re-build is only necessary once, or whenever a service is updated. You can run only the services you want by specifying their overlay files as extra `-f` args to `docker compose up`
```shell
-docker compose up -d -f docker-compose.yml -f mastodon.castle.yml # etc
+# add other *.castle.yml as needed
+docker compose -f docker-compose.yml -f mastodon.castle.yml \
+ up -d
```
If you need to rebuild these images because you regenerated the root CA secrets, you can do so by adding the `--build` and `--force-recreate` flags to the compose command.
```shell
-docker-compose up --build --force-recreate -f docker-compose.yml -f mastodon.castle.yml # etc
+# add other *.castle.yml as needed
+docker compose -f docker-compose.yml -f mastodon.castle.yml \
+ up --build --force-recreate -d
```
At this point, you have a functioning sandbox full of fedi services that can all federate with each other. To make this maximally useful to you for local development of your own fedi service, continue on to the following optional steps.
@@ -59,6 +63,7 @@ Each of the castles provided by this project is configured to serve from it's ow
# /etc/hosts
127.0.0.1 root-ca.castle
127.0.0.1 dashboard.castle
+127.0.0.1 host.castle
127.0.0.1 mastodon.castle
127.0.0.1 letterbook.castle
#etc