Set Up a Mastodon Instance on a Ubuntu Machine + AWS S3 for Media Storage + Hidden Service Mirror

server May 03, 2020

Recently I have made a Mastodon instance as a way to spend some time. I have a underutilized AWS Lightsail instance (1vCPU, 2GB RAM) which I currently run my Discord bot on + other projects so I thought why not just make full use of it?

You can view the instance here. The instance is based on Kitakami Reika from THE iDOLM@STER : Million Live!

As mentioned in the title, I am using my Ubuntu 18.04 server. I use AWS S3 to store the media for the instance, use Mailgun for the email and have a hidden service mirror accessible via Tor just for the sake of it. Docker Compose is used to run the instance. The steps I did are almost similar to Linode's guide, but the difference is that I have to add my AWS S3 credentials instead. How I did it is something like this, note that I might be wrong, since I am recalling it on top of my head:

  1. Make an S3 bucket and set objects to public
  2. Create a new policy in IAM allows object access only to the bucket
  3. Create a new group and attach the policy
  4. Create a new user, add it to the group
  5. Obtain keys, paste in .env.production

As I have mentioned, I have also did a hidden service that can be accessed at reikawebiyedpk4bwqv34kxjtberfucy25scpr44tmkmk32urtbnwdad.onion. What I did is that I installed Tor on the server, enabled HiddenService and then replace the hostname, public and private keys with the one I generated via mkp224o. mkp2240 generates vanity hidden service v3 onion addresses and uses the CPU. Takes a while for it to get the keys for the hash I am using now but it's definitely more identifiable than having some random strings. I don't really have a specific reason to have it though, other than "I can" and "Why not".

The Nginx config is modified slightly so that Nginx serves the onion link on HTTP instead of HTTPS. There is no real reason to serve HTTPS on Tor, and this is stated by Tor Project themselves. The config looks kind of like this:

server{
    listen 80;
    server_name reikawebiyedpk4bwqv34kxjtberfucy25scpr44tmkmk32urtbnwdad.onion;
    ...
}

server{
    listen 80;
    server_name kitakamirei.ca;
    return 301 https://$server_name$request_uri;
}

server{
    listen 443 ssl http2;
    ...
    #All the configs are here
}
Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.