What do you do if you want a private social media experience for you and friends or family? Facebook has Groups, and lesser-known apps like Band exist that can also fill that niche, but you’re still handing over all your content to a 3rd party. For some, that’s untenable, and completely understandable. Furthermore, I wouldn’t have anything of interest to write if the answer was “Make a Group. Now set it to Private. Invite people.”
I looked at various open-source forum offerings, and eventually settled on Discourse. It’s modern-ish, is Docker-native, isn’t written in PHP, and has plugins for days. Administering it definitely still has a hacky feel, but I assume if you’re reading this blog you have the ability to handle it.
I’ll defer to their own guide for the actual install, and simply add in steps necessary to set it up how I did, which is:
- Self-hosting base Docker image on own server behind an nginx reverse proxy
- Uploads and backups directed to an encrypted S3 bucket with no public access
- Optional: Add a CDN via Cloudfront
- DNS handled by Cloudflare
- TLS handled by Let’s Encrypt
- Mail provider via Mailjet
You’re free to switch things out as you see fit. I chose S3 because it’s natively supported, and I’m already familiar with AWS. I chose Cloudflare because I already use it, and it works quite well. I chose Mailjet because they offer a free tier with no expiry and no credit card needed for signup.
Domain name
You’ll need a domain name. Buy one from wherever you want. If you want to have resolution handled by Cloudflare, like I’m doing, make an account with them and switch the nameservers over.
Mail server
You need a mail server to set up Discourse. They have huge warnings about this in the setup guide. You’ll also need to set up a SPF and DKIM record. I’ll defer to Mailjet for that; note that you may also need a separate TXT record to verify your domain; your mail server will inform you if it’s needed.
Nginx setup
I host multiple Docker apps on my server and my RPi 4, and access them via nginx running on the server. If you don’t need this, you can skip this, and just run the normal setup method described in Discourse’s install guide. Otherwise, read on.
- Install Nginx by whatever means you’d like, natively or within Docker. If native, set it up as a service.
- In
/etc/nginx/nginx.conf
, add the following within either the http{} block (affects all sites) or a specific server{} block: client_max_body_size 16M;
# I selected 16 MB here, but you can go with whatever you think is a reasonable maximum size for uploads
- In
/etc/nginx/sites-available/$YOUR\_SITE\_URL.conf
:
# Note that I'm not using a socket here, as Discourse recommends.
# This is because I already have everything else using ports, so consistency.
# If you want to use a socket, it would look like this:
# proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
server {
server_name $YOUR_URL;
location / {
proxy_pass http://$YOUR_SERVER_IP:$YOUR_PORT;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
}
}
ln -s /etc/nginx/sites-available/$YOUR_SITE_URL.conf /etc/nginx/sites-enabled/$YOUR_SITE_URL.conf
sudo systemctl reload nginx
Let’s Encrypt setup
I’m using Certbot to handle my certificates.
- Install certbot by whatever means you’d like.
sudo certbot --nginx
- Follow any instructions given, and test that it worked.
DNS records
As mentioned, you’ll need an SPF and DKIM record, and potentially a TXT record to verify your domain for the mail server. Set them up with your DNS provider as given by your mail provider, and don’t forget that it can take some time (for me, ~5-10 minutes with Mailjet and Cloudflare) for the changes to be seen.
Discourse setup
Since you’re running an nginx reverse proxy, you can’t use their setup script, which assumes port 80 is open.
cp /var/run/discourse/samples.yml /var/discourse/containers/$DESIRED_DOCKER_CONTAINER_NAME.yml
- Open this new file in the editor of your choice.
- Comment out
templates/web.ssl.template.yml
andtemplates/web.letsencrypt.ssl.template.yml
undertemplates
. - If you wanted to use sockets instead of ports, add
templates/web.socketed.template.yml
, and comment out the entireexpose
section. - Comment out
443
underexpose
, and replace the mapping to80
to the port you chose earlier, e.g.- "8888:80"
- Add your site’s URL to
DISCOURSE_HOSTNAME
. - Add one or more emails to
DISCOURSE_DEVELOPER_EMAILS
- these will be site admins. - Add SMTP information to
DISCOURSE_SMTP_*
- For Mailjet, the API ID and Key are the Username and Password in this file, respectively.
- Yes, these are stored in plaintext. If you want to integrate Vault or something into this, please write it up, I’d be thrilled to see it.
sudo ./launcher bootstrap $DESIRED_DOCKER_CONTAINER_NAME
- This will take a fair amount of time, and when it’s done, you should have a Docker container running - if everything else is set up correctly, you should be able to hit the URL from your browser.
- You must verify that HTTPS is working at this point. It is likely that you’ll get an Info warning, saying that you have a valid certificate, but that some elements are being delivered insecurely. This will be rectified later. If instead it’s completely insecure, something is wrong, and it needs to be fixed before continuing.
- Follow the instructions on your Discourse instance to verify an admin email. If you’ve not yet set up your DNS records for mail, this will probably fail, and you’ll get an email from your mail provider nagging you to fix the problem.
S3 setup
- Create an S3 bucket, with all public access blocked, and encryption at rest.
- According to forum posts, you should be able to skip this step if the IAM is set up correctly, as Discourse will create the necessary buckets. YMMV.
- Create an IAM policy. The example is here, if you’d like to copy it.
- It could be better organized to be fair, as the backup doesn’t actually need all of those permissions. Since these were limited in scope and closed to the public, I didn’t care to further limit them, but you may.
- Lifecycling can be done from within Discourse, hence the inclusion of
PutLifecycleConfiguration
- if you’d rather handle that from S3, you can remove it. - Similarly, if you manually created the buckets, you can remove
CreateBucket
.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*",
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:PutLifecycleConfiguration",
"s3:CreateBucket",
"s3:PutBucketCORS"
],
"Resource": [
"arn:aws:s3:::$BACKUP_BUCKET_NAME",
"arn:aws:s3:::$BACKUP_BUCKET_NAME/*",
"arn:aws:s3:::$UPLOAD_BUCKET_NAME",
"arn:aws:s3:::$UPLOAD_BUCKET_NAME/*"
]
}
]
}
- Create an IAM user, and assign this policy to them. Copy the Access ID and Secret Key, and put them somewhere safe, ideally something like Lastpass or 1Pass. You’ll need them for Discourse.
Discourse configuration
- In Settings –> Login:
- Select
login required
andmust approve users
. - You could additionally add an
invite code
. - If you plan on setting up OAuth via Google, Facebook, et. al., this is where you’ll configure them.
- In Settings –> Security:
- Select
force https
. - In Settings –> Files:
- Change
max image size kb
andmax attachment size kb
to match the value you selected for nginx. - Enter your S3 credentials and upload bucket name into their respective fields, and select the proper region for your bucket.
- If you were using Cloudfront, I assume you’ve set it up, including an OAI, and granted it permission in the S3 Bucket Policy.
- You’d then enter its endpoint into
s3 cdn url
. - If you have issues with this, you can contact me, as I did get it working - I just decided it wasn’t necessary for my use case.
- Select
enable s3 uploads
. - Select
prevent anons from downloading files
, andsecure media
. - In Settings –> Backups:
- Enter your S3 bucket name into
s3 backup bucket
. - Change
backup location
tos3
. - Change
maximum backups
if you’d like Discourse to handle lifecycling for you. - Enable
automatic backups enabled
unless you’d rather manually run backups. - Select
include thumbnails in backups
if desired - it makes for a faster restore should it be needed. - Change
backup frequency
andbackup time of day
to whatever makes sense for you - I’m using daily (1
), and05:00
UTC.
Testing it out
- In Backups (not Settings –> Backups), generate a backup, and verify that you have a tarball in the s3 bucket.
- Create a new topic, and try both text and image posts.
- For an image, if you have S3 permissions issues, it won’t upload at all, and you’ll get an
Access Denied
error. - You should be able to view the image from within Discourse, and only from within Discourse - even viewing the file directly from the S3 bucket should fail.
- Try manually accessing a URL to an image from within Discourse in an Incognito window. If you include the signed part after the path, it should work. If you don’t, it should fail.