@aschrijver
Last active April 27, 2021 08:35
Go-Fed apcore example: installation experience

Go-Fed

general

  • Move all repos from the master to the main default branch.

apcore example

Prerequisites:

  • Set up Postgres 13
  • Recommended: Install pgadmin4

Installing and executing:

  • In the README it is unclear how to set up HTTPS for localhost (where to place the generated keys).
  • Had to copy 'example' from bin to the apcore/example folder.
  • Created the self-signed certificate in this dir.
    • Can use a config file here, to avoid all the cmd-line questions

Various remarks:

  • Backspace in the terminal during configure gives an annoying 'bump' sound. Same with arrow movement.
  • On command-line option selection, only the result, not the question, is displayed after a choice has been made.
  • The cursor character █ covers the first char of default values in configure, making them unreadable.
  • When the text doesn't fit on the terminal line and you keep typing, the entire line is repeated twice for each character entered:
✔ Please enter an account contact information (username, webfinger address, email address, etc) for the organization's contact for this server. This may be made avialable to the public:example_account_cont
✔ Please enter an account contact information (username, webfinger address, email address, etc) for the organization's contact for this server. This may be made avialable to the public:example_account_cont
✔ Please enter an account contact information (username, webfinger address, email address, etc) for the organization's contact for this server. This may be made avialable to the public:example_account_cont
✔ Please enter an account contact information (username, webfinger address, email address, etc) for the organization's contact for this server. This may be made avialable to the public:example_account_cont
✔ Please enter an account contact information (username, webfinger address, email address, etc) for the organization's contact for this server. This may be made avialable to the public:example_account_cont
✔ Please enter an account contact information (username, webfinger address, email address, etc) for the organization's contact for this server. This may be made avialable to the public:example_account_contact

example configure

  • The /templates subdir needs to be available in the folder where the example executable resides.
    • Otherwise: panic: html/template: pattern matches no files: `templates/*.tmpl`

Example configure command-line output:

22:07 $ ./example configure
INFO : 2021/01/08 22:07:35.717756 app.go:88: Templates found:
INFO : 2021/01/08 22:07:35.717824 app.go:90: header.tmpl
INFO : 2021/01/08 22:07:35.717836 app.go:90: inline_css.tmpl
INFO : 2021/01/08 22:07:35.717843 app.go:90: list_users.tmpl
INFO : 2021/01/08 22:07:35.717850 app.go:90: 
INFO : 2021/01/08 22:07:35.717857 app.go:90: auth.tmpl
INFO : 2021/01/08 22:07:35.717865 app.go:90: not_found.tmpl
INFO : 2021/01/08 22:07:35.717872 app.go:90: note.tmpl
INFO : 2021/01/08 22:07:35.717880 app.go:90: list_notes.tmpl
INFO : 2021/01/08 22:07:35.717889 app.go:90: nav.tmpl
INFO : 2021/01/08 22:07:35.717900 app.go:90: create_note.tmpl
INFO : 2021/01/08 22:07:35.717917 app.go:90: home.tmpl
INFO : 2021/01/08 22:07:35.717925 app.go:90: inbox.tmpl
INFO : 2021/01/08 22:07:35.717932 app.go:90: internal_error.tmpl
INFO : 2021/01/08 22:07:35.717939 app.go:90: login.tmpl
INFO : 2021/01/08 22:07:35.717945 app.go:90: not_allowed.tmpl
INFO : 2021/01/08 22:07:35.717951 app.go:90: outbox.tmpl
INFO : 2021/01/08 22:07:35.717959 app.go:90: user.tmpl
INFO : 2021/01/08 22:07:35.717965 app.go:90: bad_request.tmpl
INFO : 2021/01/08 22:07:35.717971 app.go:90: followers.tmpl
INFO : 2021/01/08 22:07:35.717977 app.go:90: following.tmpl
INFO : 2021/01/08 22:07:35.717982 app.go:90: footer.tmpl
               ______________________________________________________
       \__/   / Welcome to the configuration guided flow!  Here we   \
\------(oo)  / will visit common configuration choices. While not    |
 ||    (__) <  every option is asked in the guided flow, you can     |
 ||w--||     | always open the resulting configuration file to       |
             | change options. You can also change your answers to   |
             | this flow. Note that in order to take advantage of    |
             | changed configuration values, the application will    |
             | need to be restarted.  Let's go!                      |
             \-------------------------------------------------------/

✔ postgres
✔ Enter the host for this server (ignored in debug mode):example.com
✔ Enter the path to the file containing the certificate used in HTTPS connections:./cert.pem
✔ Enter the path to the file containing the private key for the certificate used in HTTPS connections:./key.pem
✔ Enter the directory for serving static content (WARNING: Everything in it will be served)?:static
✔ Do you already have a file containing a cookie authentication private key? [y/N]N█
✔ Enter the new file name for the cookie authentication private key:█ookie_authn.key
✔ Do you already have a file containing a cookie encryption private key? [y/N]N
✔ Do you want to use a cookie encryption private key? [y/N]y
✔ Enter the new file name for the cookie encryption private key:cookie_enc.key
✔ Session name used to find cookies:█y_apcore_session_name
✔ Enter the deadline (in seconds) for reading & writing HTTP & HTTPS requests. A value of zero means connections do not timeout:60
✔ Please enter an IANA Time Zone for the server, "UTC", or "Local":Local
✔ Please enter the steady-state rate limit for outbound ActivityPub QPS:2
✔ Please enter the burst limit for outbound ActivityPub QPS:5
✔ Enter the maximum lifetime (in seconds) for database connections. A value of zero means connections do not timeout:60
✔ Enter the maximum number of database connections allowed. A value of zero means infinite are permitted.:0
Prompting for Postgres database configuration options...
✔ Enter the postgres user name:gofeduser
✔ Enter the postgres database port:5432█
Enter the postgres database password: *********
✔ disable
✔ Enter the postgres database name:gofed
✔ Enter the postgres schema name:public
INFO : 2021/01/08 22:10:52.462357 cmdline.go:285: Calling application to get default config options
INFO : 2021/01/08 22:10:52.462396 config.go:156: Saving config file: config.ini
INFO : 2021/01/08 22:10:52.463390 cmdline.go:301: Successfully wrote configuration file to config.ini

example init-db

  • Needed to create 'gofeduser', and had to give it the login privilege.
  • Created the 'gofed' db with gofeduser as owner with the 'Log in' privilege and at least the 'Create' privilege on the db (I then granted full privileges to gofeduser, so I don't know exactly what else may be required).
    • Otherwise (error shown twice): run.go:93: error running init-db: failed to connect to `host=localhost user=gofeduser database=gofed`: server error (FATAL: role "gofeduser" is not permitted to log in (SQLSTATE 28000))
  • Had to manually execute on gofed db: CREATE EXTENSION IF NOT EXISTS "pgcrypto";
    • Otherwise (error shown twice): run.go:93: error running init-db: ERROR: function gen_random_uuid() does not exist (SQLSTATE 42883)

Example init-db command-line output:

23:06 $ ./example init-db
INFO : 2021/01/08 23:16:31.179154 app.go:88: Templates found:
INFO : 2021/01/08 23:16:31.180465 app.go:90: note.tmpl
INFO : 2021/01/08 23:16:31.180474 app.go:90: following.tmpl
INFO : 2021/01/08 23:16:31.180482 app.go:90: inline_css.tmpl
INFO : 2021/01/08 23:16:31.180489 app.go:90: internal_error.tmpl
INFO : 2021/01/08 23:16:31.180498 app.go:90: list_notes.tmpl
INFO : 2021/01/08 23:16:31.180505 app.go:90: nav.tmpl
INFO : 2021/01/08 23:16:31.180512 app.go:90: not_allowed.tmpl
INFO : 2021/01/08 23:16:31.180519 app.go:90: 
INFO : 2021/01/08 23:16:31.180525 app.go:90: header.tmpl
INFO : 2021/01/08 23:16:31.180532 app.go:90: inbox.tmpl
INFO : 2021/01/08 23:16:31.180542 app.go:90: login.tmpl
INFO : 2021/01/08 23:16:31.180552 app.go:90: outbox.tmpl
INFO : 2021/01/08 23:16:31.180562 app.go:90: user.tmpl
INFO : 2021/01/08 23:16:31.180587 app.go:90: bad_request.tmpl
INFO : 2021/01/08 23:16:31.180597 app.go:90: followers.tmpl
INFO : 2021/01/08 23:16:31.180608 app.go:90: home.tmpl
INFO : 2021/01/08 23:16:31.180621 app.go:90: list_users.tmpl
INFO : 2021/01/08 23:16:31.180630 app.go:90: auth.tmpl
INFO : 2021/01/08 23:16:31.180640 app.go:90: create_note.tmpl
INFO : 2021/01/08 23:16:31.180649 app.go:90: footer.tmpl
INFO : 2021/01/08 23:16:31.180658 app.go:90: not_found.tmpl
               ______________________________________________________
       \__/   / We're connecting to the database using the specs in  \
\------(oo)  / the config file, creating tables, seeding initial     |
 ||    (__) <  data, and then closing all connections.               |
 ||w--||     \-------------------------------------------------------/

INFO : 2021/01/08 23:16:31.181139 config.go:123: Loading config file: config.ini
INFO : 2021/01/08 23:16:31.181839 db.go:84: Postgres database configuration
INFO : 2021/01/08 23:16:31.181868 db.go:46: Calling sql.Open...
INFO : 2021/01/08 23:16:31.182496 db.go:51: Calling sql.Open complete
INFO : 2021/01/08 23:16:31.182511 db.go:65: Database connections configured successfully
INFO : 2021/01/08 23:16:31.182522 db.go:66: NOTE: No underlying database connections may have happened yet!
               ______________________________________________________
       \__/   /                                                      \
\------(oo)  / Next up is seeeeding the database with basic          |
 ||    (__) < information to get your server Moooooving~.            |
 ||w--||     \-------------------------------------------------------/

INFO : 2021/01/08 23:16:31.484494 config.go:123: Loading config file: config.ini
INFO : 2021/01/08 23:16:31.484893 db.go:84: Postgres database configuration
INFO : 2021/01/08 23:16:31.484914 db.go:46: Calling sql.Open...
INFO : 2021/01/08 23:16:31.484939 db.go:51: Calling sql.Open complete
INFO : 2021/01/08 23:16:31.484947 db.go:65: Database connections configured successfully
INFO : 2021/01/08 23:16:31.484957 db.go:66: NOTE: No underlying database connections may have happened yet!
               ______________________________________________________
       \__/   / We're now going to prompt for optional information   \
\------(oo)  / about your server and the organization running it, in |
 ||    (__) <  order to complete the server profile.                 |
 ||w--||     \-------------------------------------------------------/

INFO : 2021/01/08 23:16:31.574260 config.go:123: Loading config file: config.ini
INFO : 2021/01/08 23:16:31.574550 db.go:84: Postgres database configuration
INFO : 2021/01/08 23:16:31.574567 db.go:46: Calling sql.Open...
INFO : 2021/01/08 23:16:31.574581 db.go:51: Calling sql.Open complete
INFO : 2021/01/08 23:16:31.574595 db.go:65: Database connections configured successfully
INFO : 2021/01/08 23:16:31.574608 db.go:66: NOTE: No underlying database connections may have happened yet!
✔ Please enter the name of the organization this server belongs to. This may be made available to the public:example_org
✔ Please enter the name of the organization's contact for this server. This may be made avialable to the public:example_contact
✔ Please enter an account contact information (username, webfinger address, email address, etc) for the organization's contact for this server. This may be made avialable to the public:example_account_contact
✔ Please enter this server's name, which may be publicly shared:example_org_server
✔ Are registrations on this server open to the general public? [y/N]N█
  • Loading templates appears to occur in random order (a bit confusing).

example init-admin

Example init-admin command-line output:

$ ./example init-admin
INFO : 2021/01/09 08:24:05.429410 app.go:88: Templates found:
INFO : 2021/01/09 08:24:05.430731 app.go:90: header.tmpl
INFO : 2021/01/09 08:24:05.430743 app.go:90: login.tmpl
INFO : 2021/01/09 08:24:05.430753 app.go:90: not_found.tmpl
INFO : 2021/01/09 08:24:05.430762 app.go:90: 
INFO : 2021/01/09 08:24:05.430772 app.go:90: create_note.tmpl
INFO : 2021/01/09 08:24:05.430783 app.go:90: footer.tmpl
INFO : 2021/01/09 08:24:05.430795 app.go:90: nav.tmpl
INFO : 2021/01/09 08:24:05.430807 app.go:90: outbox.tmpl
INFO : 2021/01/09 08:24:05.430819 app.go:90: followers.tmpl
INFO : 2021/01/09 08:24:05.430829 app.go:90: inline_css.tmpl
INFO : 2021/01/09 08:24:05.430838 app.go:90: list_notes.tmpl
INFO : 2021/01/09 08:24:05.430848 app.go:90: bad_request.tmpl
INFO : 2021/01/09 08:24:05.430859 app.go:90: home.tmpl
INFO : 2021/01/09 08:24:05.430868 app.go:90: note.tmpl
INFO : 2021/01/09 08:24:05.430877 app.go:90: internal_error.tmpl
INFO : 2021/01/09 08:24:05.430898 app.go:90: list_users.tmpl
INFO : 2021/01/09 08:24:05.430907 app.go:90: not_allowed.tmpl
INFO : 2021/01/09 08:24:05.430916 app.go:90: user.tmpl
INFO : 2021/01/09 08:24:05.430925 app.go:90: auth.tmpl
INFO : 2021/01/09 08:24:05.430934 app.go:90: following.tmpl
INFO : 2021/01/09 08:24:05.430942 app.go:90: inbox.tmpl
               ______________________________________________________
       \__/   /                                                      \
\------(oo)  / Moo~, let's create an administrative account!         |
 ||    (__) <                                                        |
 ||w--||     \-------------------------------------------------------/

INFO : 2021/01/09 08:24:05.431404 config.go:123: Loading config file: config.ini
INFO : 2021/01/09 08:24:05.431950 db.go:84: Postgres database configuration
INFO : 2021/01/09 08:24:05.431975 db.go:46: Calling sql.Open...
INFO : 2021/01/09 08:24:05.432564 db.go:51: Calling sql.Open complete
INFO : 2021/01/09 08:24:05.432578 db.go:65: Database connections configured successfully
INFO : 2021/01/09 08:24:05.432588 db.go:66: NOTE: No underlying database connections may have happened yet!
✔ Enter the new admin account's username:gofedadmin█
✔ Enter the new admin account's email address (will NOT be verified):gofedadmin@example.com█
Enter the new admin account's password: *********
               ______________________________________________________
       \__/   /                                                      \
\------(oo)  / New admin account successfully created! Moo~          |
 ||    (__) <                                                        |
 ||w--||     \-------------------------------------------------------/

example serve

Example serve command-line output:

$ ./example serve
INFO : 2021/01/09 08:30:37.691362 app.go:88: Templates found:
INFO : 2021/01/09 08:30:37.691459 app.go:90: inbox.tmpl
INFO : 2021/01/09 08:30:37.691472 app.go:90: user.tmpl
INFO : 2021/01/09 08:30:37.691483 app.go:90: footer.tmpl
INFO : 2021/01/09 08:30:37.691493 app.go:90: home.tmpl
INFO : 2021/01/09 08:30:37.691505 app.go:90: list_notes.tmpl
INFO : 2021/01/09 08:30:37.691516 app.go:90: login.tmpl
INFO : 2021/01/09 08:30:37.691527 app.go:90: nav.tmpl
INFO : 2021/01/09 08:30:37.691539 app.go:90: 
INFO : 2021/01/09 08:30:37.691550 app.go:90: bad_request.tmpl
INFO : 2021/01/09 08:30:37.691557 app.go:90: followers.tmpl
INFO : 2021/01/09 08:30:37.691564 app.go:90: inline_css.tmpl
INFO : 2021/01/09 08:30:37.691571 app.go:90: not_allowed.tmpl
INFO : 2021/01/09 08:30:37.691581 app.go:90: outbox.tmpl
INFO : 2021/01/09 08:30:37.691591 app.go:90: auth.tmpl
INFO : 2021/01/09 08:30:37.691598 app.go:90: create_note.tmpl
INFO : 2021/01/09 08:30:37.691618 app.go:90: following.tmpl
INFO : 2021/01/09 08:30:37.691625 app.go:90: not_found.tmpl
INFO : 2021/01/09 08:30:37.691632 app.go:90: note.tmpl
INFO : 2021/01/09 08:30:37.691639 app.go:90: header.tmpl
INFO : 2021/01/09 08:30:37.691650 app.go:90: internal_error.tmpl
INFO : 2021/01/09 08:30:37.691657 app.go:90: list_users.tmpl
INFO : 2021/01/09 08:30:37.691679 config.go:123: Loading config file: config.ini
INFO : 2021/01/09 08:30:37.692001 db.go:84: Postgres database configuration
INFO : 2021/01/09 08:30:37.692019 db.go:46: Calling sql.Open...
INFO : 2021/01/09 08:30:37.692066 db.go:51: Calling sql.Open complete
INFO : 2021/01/09 08:30:37.692077 db.go:65: Database connections configured successfully
INFO : 2021/01/09 08:30:37.692100 db.go:66: NOTE: No underlying database connections may have happened yet!
INFO : 2021/01/09 08:30:37.736351 sessions.go:42: Cookie encryption key file detected
INFO : 2021/01/09 08:30:37.736673 handler.go:77: Serving static directory: static
INFO : 2021/01/09 08:30:37.738980 db.go:71: Opening connection to database by pinging, which will create a connection...
INFO : 2021/01/09 08:30:37.739208 db.go:79: Successfully pinged database with latency: 174.606µs
INFO : 2021/01/09 08:30:37.739234 server.go:139: Preparing models
INFO : 2021/01/09 08:30:37.739252 server.go:145: Starting internal systems
INFO : 2021/01/09 08:30:37.739329 server.go:149: Starting application
INFO : 2021/01/09 08:30:37.739364 server.go:171: Launching https server
INFO : 2021/01/09 08:30:37.739428 server.go:163: Starting http redirection server
ERROR: 2021/01/09 08:30:37.741953 server.go:176: Error shutting down https server: listen tcp :443: bind: permission denied
ERROR: 2021/01/09 08:30:37.741953 server.go:176: Error shutting down https server: listen tcp :443: bind: permission denied

Trying to fix: I did a go clean, made a new folder, and ran configure + init-db a second time:

  • Since I got an error in example serve dealing with SSL (see below), this time I specified the full path for key + certificate.
  • I did not clean or delete/recreate the database.
  • Error in init-db (shown twice): run.go:93: error running init-db: user does not have a unique preferredUsername
    • Entirely dropping the db and recreating it fixed this problem.
  • End result: same error on serve: server.go:176: Error shutting down https server: listen tcp :443: bind: permission denied

The resulting config.ini:
; HTTP server configuration
[server]
; (required) Host with TLD for this instance (basically, the fully qualified domain or subdomain); ignored in debug mode
sr_host = example.com
; (required) Path to the certificate file used to establish TLS connections for HTTPS
sr_cert_file = /home/myself/Documents/go-fed/apcore-example/cert.pem
; (required) Path to the private key file used to establish TLS connections for HTTPS
sr_key_file = /home/myself/Documents/go-fed/apcore-example/key.pem
; (required) Path to private key file used for cookie authentication
sr_cookie_auth_key_file = cookie_authn.key
; Path to private key file used for cookie encryption
sr_cookie_encryption_key_file = cookie_enc.key
; (default: 86400 seconds) Number of seconds a cookie is valid; 0 indicates no Max-Age (browser-dependent, usually session-only); negative value is invalid
sr_cookie_max_age = 86400
; (required) Cookie session name to use for the application
sr_cookie_session_name = my_apcore_session_name
; Timeout in seconds for incoming HTTPS requests; a zero or unset value does not timeout
sr_https_read_timeout_seconds = 60
; Timeout in seconds for outgoing HTTPS responses; a zero or unset value does not timeout
sr_https_write_timeout_seconds = 60
; Timeout in seconds for outgoing HTTP requests; a zero or unset value does not timeout
sr_http_client_timeout_seconds = 0
; Timeout in seconds for incoming HTTP requests, which will be redirected to HTTPS; a zero or unset value does not timeout
sr_redirect_read_timeout_seconds = 60
; Timeout in seconds for outgoing HTTP redirect-to-HTTPS responses; a zero or unset value does not timeout
sr_redirect_write_timeout_seconds = 60
; (required) Root directory for serving static content, such as ECMAScript, CSS, favicon; !!!Warning: Everything in this directory will be served and accessible!!!
sr_static_root_directory = static
; (default: 32) The size of salts to use with passwords when hashing, anything smaller than 16 will be treated as 16
sr_salt_size = 32
; (default: 10) The hashing cost to use with the bcrypt hashing algorithm, between 4 and 31; the higher the cost, the slower the hash comparisons for passwords will take for attackers and regular users alike
sr_bcrypt_strength = 10
; (default: 1024) The size of the RSA private key for a user; values less than 1024 are forbidden
sr_rsa_private_key_size = 1024
; OAuth 2 configuration
[oauth]
; (default: 3600 seconds) Duration in seconds until an access token expires; zero or negative values are invalid.
oauth_access_token_expiry = 3600
; (default: 7200 seconds) Duration in seconds until a refresh token expires; zero or negative values are invalid.
oauth_refresh_token_expiry = 7200
; Database configuration
[database]
; (required) Only "postgres" supported
db_database_kind = postgres
; (default: indefinite) Maximum lifetime of a connection in seconds; a value of zero or unset value means indefinite
db_conn_max_lifetime_seconds = 60
; (default: infinite) Maximum number of open connections to the database; a value of zero or unset value means infinite
db_max_open_conns = 0
; (default: 2) Maximum number of idle connections in the connection pool to the database; a value of zero maintains no idle connections; a value greater than max_open_conns is reduced to be equal to max_open_conns
db_max_idle_conns = 2
; (default: 10) The default collection page size when fetching a page of an ActivityStreams collection
db_default_collection_page_size = 10
; (default: 200) The maximum collection page size allowed when fetching a page of an ActivityStreams collection
db_max_collection_page_size = 200
; Only needed if database_kind is postgres, and values are based on the github.com/jackc/pgx driver
[db_postgres]
; (required) Database name
pg_db_name = gofed
; (required) User to connect as (any password will be prompted)
pg_user = gofeduser
; (default: localhost) The Postgres host to connect to
pg_host = localhost
; (default: 5432) The port to connect to
pg_port = 5432
; The database password to use to connect
password = gofed123oohmy!
; (default: require) SSL mode to use when connecting (options are: "disable", "require", "verify-ca", "verify-full")
pg_ssl_mode = disable
; An application_name to fall back to if one is not provided
pg_fallback_application_name =
; (default: indefinite) Maximum wait when connecting to a database, zero or unset means indefinite
pg_connect_timeout = 0
; PEM-encoded certificate file location
pg_ssl_cert =
; PEM-encoded private key file location
pg_ssl_key =
; PEM-encoded root certificate file location
pg_ssl_root_cert =
; Postgres schema prefix to use
pg_schema = public
; ActivityPub configuration
[activitypub]
; (default: UTC) Timezone for ActivityPub related operations: unset and "UTC" are UTC, "Local" is local server time, otherwise use IANA Time Zone database values
ap_clock_timezone = UTC
; (default: 2) Per-host outbound rate limit for delivery of federated messages under steady state conditions; a negative value or value of zero is invalid
ap_outbound_rate_limit_qps = 2
; (default: 5) Per-host outbound burst tolerance for delivery of federated messages; a negative value or value of zero is invalid
ap_outbound_rate_limit_burst = 5
; (default: 60) The time period to await before periodically removing cached per-host rate-limiters that are no longer in use, controlling how frequently pruning occurs; a negative value or value of zero is invalid
ap_outbound_rate_limit_prune_period_seconds = 60
; (default: 30) The age of an unused per-host rate-limiter must be to be pruned and removed from the cache when the pruning occurs, controlling how long cached rate-limiters are kept when unused; a negative value is invalid
ap_outbound_rate_limit_prune_age_seconds = 30
; (default: 50) The maximum recursion depth to use when determining whether to do inbox forwarding, which if triggered ensures older thread participants are able to receive messages; zero means no limit (only used if the application has S2S enabled); a negative value is invalid
ap_max_inbox_forwarding_recursion_depth = 50
; (default: 50) The maximum depth to search for peers to deliver due to inbox forwarding, which ensures messages received by this server are propagated to them and no "ghost reply" problems occur; zero means no limit (only used if the application has S2S enabled); a negative value is invalid
ap_max_delivery_recursion_depth = 50
; (default: 25) The number of retryable deliveries to request from the database at a time; a negative value or zero value is invalid
ap_retry_page_size = 25
; (default: 10) The maximum number of times the app will attempt to deliver an Activity to a federated peer and fail before permanently giving up and abandoning any further attempts to deliver it; a negative value or zero value is invalid
ap_retry_abandon_limit = 10
; (default: 300) The time period to await between making periodic attempts to re-deliver Activities to federated peers that have never been successfully delivered; a 300-second retry sleep period with an abandon limit of 10 results in an exponential backoff of 10 delivery attempts across roughly 3 days; a negative value or zero value is invalid
ap_retry_sleep_period_seconds = 300
; HTTP Signatures configuration
[ap_http_signatures]
; (default: "rsa-sha256,rsa-sha512") Comma-separated list of algorithms used by the go-fed/httpsig library to sign outgoing HTTP signatures; the first algorithm in this list will be the one used to verify other peers' HTTP signatures
http_sig_algorithms = rsa-sha256,rsa-sha512
; (default: "SHA-256") RFC 3230 algorithm for use in signing header Digests
http_sig_digest_algorithm = SHA-256
; (default: "(request-target),Date") Comma-separated list of HTTP headers to sign in GET requests; must contain "(request-target)" and "Date"
http_sig_get_headers = (request-target),Date
; (default: "(request-target),Date,Digest") Comma-separated list of HTTP headers to sign in POST requests; must contain "(request-target)", "Date", and "Digest"
http_sig_post_headers = (request-target),Date,Digest
; NodeInfo configuration
[nodeinfo]
; (default: true) Whether to share basic server and software information at a somewhat-Fediverse-understood endpoint for public use; NodeInfo is upstream of the NodeInfo2 fork and in general admins will either wish to enable or disable both
ni_enable_nodeinfo = true
; (default: true) Whether to share basic server, organization, and software information at a somewhat-Fediverse-understood endpoint for public use; NodeInfo2 is a fork of NodeInfo and in general admins will either wish to enable or disable both
ni_enable_nodeinfo2 = true
; (default: true) Whether to share anonymized statistics about user counts, counts of user activity over various periods of time, local post counts, and local comment counts to the public; for sufficiently small instances the statistics are always shared with noise introduced; if none of the NodeInfos are enabled then this option does nothing
ni_enable_anon_stats_sharing = true
; (default: 86400) The number of seconds before the anonymized node statistics are refreshed and updated; in the meantime the existing values will be cached and served for this period of time
ni_anon_stats_cache_invalidated_seconds = 86400
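Two settings in the generated config.ini above deserve a second look before the instance is reachable from anywhere but localhost. The fragment below is an added example, not from the gist or from apcore: the key names are the ones apcore wrote into config.ini, while the values and the root-certificate path are suggestions.

```ini
; Added example: the two settings to change in the config.ini above before exposing
; the instance beyond localhost. Key names are apcore's; values/paths are suggestions.
[server]
; 1024-bit RSA is below current minimums (NIST disallows it for new signatures);
; 2048 is the usual floor for actor keys used in HTTP Signatures. Assumed to apply
; only to user keys generated after the change.
sr_rsa_private_key_size = 2048

[db_postgres]
; "disable" is acceptable only while Postgres listens on loopback. Off-box, verify the
; server certificate against a root you control (the path is an assumption).
pg_ssl_mode = verify-full
pg_ssl_root_cert = /etc/ssl/certs/postgres-root.pem
```

config.ini itself carries the database password in clear (`password =`) and the paths to the cookie authentication and encryption keys, so the file and the two .key files belong at mode 0600, owned by the service user, and outside version control.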
@aschrijver

As discussed with @cjslep on Matrix:

@aschrijver

Might add a 'Troubleshooting' section to docs, based on configuration errors encountered above (saves Ducking for answers).

@aschrijver

aschrijver commented Jan 10, 2021

@aschrijver

aschrijver commented Jan 13, 2021

With regard to generating the OpenSSL certificates for localhost (needed to run the example), I had to do one extra step to generate a random number (otherwise you'll get an error, and searching for that might lead to unneeded work, namely upgrading OpenSSL):

openssl rand -out ~/.rnd -hex 256

Running ./example serve still yielded listen tcp :443: bind: permission denied though. As per @cjslep's suggestion I changed server.go#L53 to be :1234, which also didn't do the job.

I turned the port setting back to the original (:http). Then I created a root random number with sudo openssl rand -out /root/.rnd -hex 256 and tried sudo ./example serve, but that yielded tls: failed to parse private key.

Also tried to give root access for port binding to the example with: sudo setcap 'cap_net_bind_service=+ep' ./example. Same result.

Digging further, I did openssl rsa -in key.pem -out key.unencrypted.pem -passin pass:MY_PWD, and finally this removal of the password and use of an unencrypted key made it possible to run the example 😄

I can run https://localhost now, but have to skip through the Firefox certificate warning screen, which logs as:

  • TLS handshake error from 127.0.0.1:53518: remote error: tls: bad certificate

The example landing page looks like this:

[screenshot: apcore-example-landingpage]
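The certificate steps in this thread (the README gap on where the localhost keys go, the `tls: failed to parse private key` from `sudo ./example serve`, and the `openssl rsa ... -passin` fix) all come down to one thing: Go's crypto/tls only loads unencrypted PEM keys. The program below is an added example, not code from the gist or from go-fed/apcore. It generates a cert.pem/key.pem pair for localhost with proper subject alternative names, writes them next to the example binary (the `./cert.pem` and `./key.pem` answered in the configure flow), and shows a pre-flight check that names the encrypted-key case instead of the generic error serve reports. It assumes an ECDSA P-256 key (the page does not state which key type was generated), the file names from the configure flow, and that `hosts` is non-empty; `EncryptKeyPEM` exists only to reproduce the failure.

```go
// Added example (not from the gist or go-fed/apcore): make cert.pem/key.pem for a localhost dev box.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// GenerateSelfSigned returns a PEM self-signed certificate and an unencrypted PKCS#8 key.
// Each host becomes a DNS or IP SAN (browsers match SANs, not the CN); hosts[0] is the CN.
func GenerateSelfSigned(hosts []string, validDays int) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: hosts[0]},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().AddDate(0, 0, validDays),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a P-256 key
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}

// IsEncryptedPEM reports whether a key is passphrase-protected, in the legacy OpenSSL
// form (DEK-Info header) or PKCS#8 form ("ENCRYPTED PRIVATE KEY"). crypto/tls decrypts neither.
func IsEncryptedPEM(keyPEM []byte) bool {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return false
	}
	_, legacy := block.Headers["DEK-Info"]
	return legacy || block.Type == "ENCRYPTED PRIVATE KEY"
}

// EncryptKeyPEM reproduces the legacy form `openssl req` writes without -nodes, only to
// demonstrate the failure. x509.EncryptPEMBlock is deprecated (RFC 1423, no integrity check).
func EncryptKeyPEM(keyPEM, password []byte) ([]byte, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, errors.New("no PEM data in key")
	}
	enc, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, password, x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(enc), nil
}

// CheckKeyPair is the pre-flight check configure could run on sr_cert_file / sr_key_file:
// crypto/tls still does the loading, but the encrypted-key case gets named instead of
// surfacing only serve's "tls: failed to parse private key".
func CheckKeyPair(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil && IsEncryptedPEM(keyPEM) {
		return fmt.Errorf("%w: key is passphrase-protected; strip it (openssl pkey -in key.pem -out key.unencrypted.pem) or regenerate with -nodes", err)
	}
	return err
}

func main() {
	certPEM, keyPEM, err := GenerateSelfSigned([]string{"localhost", "127.0.0.1"}, 365)
	if err == nil {
		err = os.WriteFile("cert.pem", certPEM, 0o644) // ./cert.pem, as answered in configure
	}
	if err == nil {
		err = os.WriteFile("key.pem", keyPEM, 0o600) // owner-only: the key is a secret
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

Run it with `go run` in the directory that holds `example` and the two files appear where the configure answers expect them. Firefox will still warn, because the certificate is self-signed and not in the browser's trust store; that is what the `remote error: tls: bad certificate` handshake line in the log records (the browser rejecting the server's certificate), not a problem with the key. Keeping the key on the dev box and out of version control also avoids the situation of a CA-issued private key that becomes public: such a key is treated as compromised, and the certificate is subject to revocation.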

@ohir

ohir commented Jan 27, 2021

There is probably another way to set up a test environment that is easier for less experienced users.
[TODO for you - @aschrijver]

  1. [you] set up a testgofed 60 IN A 165.227.177.240 record in your go-fed.org SOA (where 165.227.177.240 is your server IP address). Important: make sure to set a TTL obeying your registrar/NS service rules. Some insist on more than 60 seconds.
  2. Check if testgofed.go-fed.org resolves properly.
  3. Make it ready for auto cert provisioning. Simplest way is to use Caddy's LetsEncrypt/ZeroSSL 'on-demand' feature
  4. Make sure config is valid for it. Esp. read this for test acme point.
  5. Up the site, connect to it, wait a minute. If all went well, you now have the testgofed.go-fed.org private key and issued certificate written here. Take both to your dev box.
  6. Down the testgofed site. You may use it in the future for the certificate renewal.
  7. Now you make testgofed to point to localhost: testgofed 60 IN A 127.0.0.1. Reload SOA. Wait TTL + minute.
  8. Check if testgofed.go-fed.org resolves properly to 127.0.0.1 - if it does, do restore TTL to more friendly values (eg 3600). Remember that you will need to wait that long when you will need to renew expired cert.

Now you have a private key and accompanying certificate from a globally recognized CA.
Check both into the example suite. Now these are public and can be used by everyone - not for security, but for convenience.
Now example site can be served off the localhost under testgofed.go-fed.org.

Alternative: talk to the Caddy/ZeroSSL team and ask for a testgofed certificate with a much longer expiry time - it will save you the hassle of renewing and committing every three months or so.

Hope this helps :)

Note: I did not test the above right now for localhost, but I have used this technique for locally aliased IP addresses many times in the past.

@aschrijver

Ooh, this is very interesting @ohir thanks a bunch for typing this. I'll CC @cjslep with this information.

@cjslep

cjslep commented Apr 26, 2021

Thanks for including me. There's a lot to unpack here. Based on the various writeups you created in the apcore repo directly (ty!), I've tried to break things down into more focused & narrow topics, which I hope already covers a good deal of the notes here. It's still on my TODO list to double check that, go through this feedback, and update the repo issues accordingly.

@aschrijver

Yes, most of the insights gleaned here should already be incorporated in the issue trackers :)
