Replaced Disqus with self hosted Commento

· by Raghu Rajagopalan · Read in about 3 min · (600 words) ·

One thing that’s bothered me with this blog is having to have Disqus for comments. Not that I get a lot of comments, but the thing is that Disqus loads a boatload of scripts and content and generally makes things slow. Anyway, in comes Commento - an open source project for self-hosted blog comments.

My current setup

Commento itself requires a PostgreSQL database, and anything closer to 'production' strength requires HTTPS, so I’m running a Caddy server in front of Commento. Caddy does automatic HTTPS with Let’s Encrypt, including cert renewals, so it’s really just configuring it once and then leaving it. The other bits mostly have to do with setting it all up to run as services under systemd.

  1. On a Standard A2 instance on Azure

  2. Install postgres, create a database

    $ sudo apt install postgresql
    $ sudo -i -u postgres
    $ psql
    # set a password, create a db
    postgres=# \password
    postgres=# create database commento;

  3. Figure out the IP address of the docker0 bridge

    $ ip addr
    4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
        link/ether 02:42:32:7a:c3:2a brd ff:ff:ff:ff:ff:ff
        inet brd scope global docker0 (1)
           valid_lft forever preferred_lft forever
        inet6 fe80::42:32ff:fe7a:c32a/64 scope link
           valid_lft forever preferred_lft forever
    (1) Note the subnet -

  4. Allow access from docker0 bridge

    $ sudo vim /etc/postgresql/10/main/pg_hba.conf
    host    all             all               md5
    host    all             all               md5
    # make sure that pgsql actually listens on the docker0 interface
    $ sudo vim /etc/postgresql/10/main/postgresql.conf
    listen_addresses = 'localhost,'
    # check if you can connect to the db from a docker container
    $ docker run -it --rm ubuntu
    # inside the container now
    apt update && apt install postgresql-client
    psql -U postgres -h

  5. Create OAuth applications for social logins - I did for Twitter, Google & GitHub

  6. Create configuration file for Commento

    $ cd ~/commento
    $ vim commento.conf

  7. Run Commento in a container

    $ docker run -d -p 8080:8080 -v ~/commento:/etc/commento -e COMMENTO_CONFIG_FILE=/etc/commento/commento.conf

  8. SSL - deploy caddy on the host

    # download caddy and unzip
    # give caddy perms to bind to privileged ports
    $ sudo setcap cap_net_bind_service=+ep ./caddy
    # create config for caddy
    $ vim Caddyfile
            log stdout
            errors stdout
            proxy / localhost:8080 {

  9. Run everything as a service in systemd

    $ sudo vim /etc/systemd/system/commento.service
    [Unit]
    Description=Commento service
    After=docker.service docker.socket
    [Service]
    ExecStartPre=/bin/bash -c "/usr/bin/docker container inspect commento 2> /dev/null || /usr/bin/docker run -d --name commento --privileged -p 8080:8080 -v /var/run/docker.sock:/var/run/docker.sock -v /home/raghu/commento:/etc/commento -e COMMENTO_CONFIG_FILE=/etc/commento/commento.conf -e COMMENTO_POSTGRES=postgres://postgres:notmypass@"
    ExecStart=/usr/bin/docker start -a commento
    ExecStop=/usr/bin/docker stop -t 10 commento
    $ sudo vim /etc/systemd/system/commento-web.service
    [Unit]
    Description=Commento HTTP
    [Service]
    ExecStart=/home/raghu/commento/caddy -agree -conf /home/raghu/commento/Caddyfile -http-port 9090
    ExecReload=/bin/kill -USR1 $MAINPID

  10. Now commento can be started/stopped with systemctl start commento-web

  11. To run it automatically on boot, enable it in systemd with systemctl enable commento

UPDATE 2019-11 - Docker, UFW, Iptables

So after debugging/troubleshooting the same issue twice now, I’ve finally come to my senses and am actually documenting the damn thing.

  • After reboot, pgsql access from docker containers is broken. Ergo, commento web does not start.

What’s happening

  • Connection from containers to host is being firewalled.

  • Hey - but I added a rule in UFW

    • UFW and Docker don’t play well. Blame Docker.

So how do I allow traffic from docker0?

  • sudo iptables -A INPUT -i docker0 -j ACCEPT

  • Test with:

    docker run -it --rm rraghur/psql-client
    > psql -Upostgres -h172.17.0.1

Cool - works well. How do I make it permanent?

  • I’ve added an ExecStartPre=/sbin/iptables -A INPUT -i docker0 -j ACCEPT into /etc/systemd/system/commento.service
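
An added example, not part of the original post: the rule above accepts every port from docker0, and because `-A` never checks for duplicates, running it from ExecStartPre appends another copy on each service start. The function below scopes the rule to one TCP port and checks with `iptables -C` first. It assumes PostgreSQL on its default port 5432; the function name, the script name in the comment, and the IPTABLES override variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: PostgreSQL listens on its default port 5432; the function name
# and the IPTABLES override variable are hypothetical.

IPTABLES="${IPTABLES:-iptables}"

# allow_docker0_port PORT
# Accept TCP traffic that arrives on docker0 for a single port only.
# Prints "present" if the rule already exists, "added" if it was appended.
allow_docker0_port() {
    port="$1"
    # Reject anything that is not a plain decimal number of at most 5 digits.
    case "$port" in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 2
    fi
    # -C exits 0 only when an identical rule is already in the chain, so a
    # service restart does not stack another copy the way a bare -A would.
    if "$IPTABLES" -C INPUT -i docker0 -p tcp --dport "$port" -j ACCEPT 2>/dev/null; then
        echo "present"
        return 0
    fi
    "$IPTABLES" -A INPUT -i docker0 -p tcp --dport "$port" -j ACCEPT || return 1
    echo "added"
}

# Apply only when asked, e.g. `sudo sh allow-docker0.sh apply` (hypothetical
# script name; needs root).
if [ "${1:-}" = "apply" ]; then
    allow_docker0_port "${2:-5432}"
fi
```

Called from the unit file, this would run as the ExecStartPre= step in place of the bare iptables command.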