Replaced Disqus with self hosted Commento

by Raghu Rajagopalan

One thing that’s bothered me with this blog is having to have Disqus for comments. Not that I get a lot of comments, but the thing is that Disqus loads a boatload of scripts and content and generally makes things slow. Anyway, in comes Commento - an open source project for self hosted blog comments.

My current setup

Commento itself needs a PostgreSQL db, and anything closer to 'production' strength needs HTTPS, so I’m running a Caddy server in front of Commento. Caddy does automatic HTTPS with Let's Encrypt, including cert renewals, so it’s really just a matter of configuring it once and then leaving it. The other bits mostly have to do with setting it all up to run as services under systemd.

  1. On a Standard A2 instance on Azure

  2. Install postgres, create a database

    $ sudo apt install postgresql
    $ sudo -i -u postgres
    $ psql
    
    # set a password for the postgres role, then create the db
    postgres=# \password
    postgres=# create database commento;
  3. Figure out the IP address of the docker0 bridge

    $ ip addr
    
    ....
    4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
        link/ether 02:42:32:7a:c3:2a brd ff:ff:ff:ff:ff:ff
        inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 (1)
           valid_lft forever preferred_lft forever
        inet6 fe80::42:32ff:fe7a:c32a/64 scope link
           valid_lft forever preferred_lft forever
    ....
    (1) Note the host's address on the bridge - 172.17.0.1 (the subnet is 172.17.0.0/16)
  4. Allow access from docker0 bridge

    $ sudo vim /etc/postgresql/10/main/pg_hba.conf
    
    host    all             all             127.0.0.1/32            md5
    # 172.17.0.0/16 is the network form of 172.17.0.1/16: this admits every container on the
    # bridge, not just the host, so narrow the DATABASE/USER columns if other containers share it
    host    all             all             172.17.0.0/16           md5
    
    # make sure that pgsql actually listens on the docker0 interface
    $ sudo vim /etc/postgresql/10/main/postgresql.conf
    
    listen_addresses = 'localhost,172.17.0.1'
    
    # restart so both files are re-read, then check if you can connect to the db from a docker container
    $ sudo systemctl restart postgresql
    $ docker run -it --rm ubuntu
    # inside the container now
    apt update && apt install -y postgresql-client
    psql -U postgres -h 172.17.0.1
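An audit of the pg_hba.conf rules from this step, as an added example (my code, not part of the original post): it normalises each ADDRESS with Python's ipaddress module, so a line written as 172.17.0.1/16 shows up as what PostgreSQL actually applies, the whole 172.17.0.0/16 bridge subnet, and it flags 'trust' and catch-all rules. The sample file is constructed.

```python
import ipaddress
import re

# Constructed pg_hba.conf excerpt: the two rules from this step plus
# two constructed lines that an audit should flag.
SAMPLE_PG_HBA = """
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
host    all             all             127.0.0.1/32            md5
host    all             all             172.17.0.1/16           md5
host    all             all             0.0.0.0/0               trust
"""

WEAK_METHODS = {"trust", "password"}  # no authentication / cleartext password


def audit_pg_hba(text):
    """Return (line_no, message) findings for the host* rules in a pg_hba.conf."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = re.split(r"\s+", raw.split("#", 1)[0].strip())
        if fields[0] not in ("host", "hostssl", "hostnossl") or len(fields) < 5:
            continue
        _, database, user, address, method = fields[:5]
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            findings.append((line_no, f"non-CIDR ADDRESS {address!r}, check by hand"))
            continue
        # PostgreSQL masks the address, so 172.17.0.1/16 silently means 172.17.0.0/16:
        # the rule admits the whole bridge subnet, not just the host's own IP.
        if str(net) != address:
            findings.append((line_no, f"{address} has host bits set; effective range is {net}"))
        if method in WEAK_METHODS:
            findings.append((line_no, f"method '{method}' on {net} gives access away"))
        if net.prefixlen == 0:
            findings.append((line_no, f"{net} accepts connections from anywhere"))
        elif not net.is_loopback and net.num_addresses > 1 and database == "all":
            findings.append((line_no, f"{net} ({net.num_addresses} addresses, i.e. every "
                                      f"container on that bridge) reaches all databases as "
                                      f"'{user}'; narrow DATABASE/USER to the commento db"))
    return findings
```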
  5. Create OAuth applications for social logins - I did this for Twitter, Google & GitHub

  6. Create configuration file for Commento

    $ cd ~/commento
    $ vim commento.conf
    
    COMMENTO_ORIGIN=https://comments.rraghur.in
    COMMENTO_POSTGRES=postgres://postgres:notmypass@172.17.0.1:5432/commento?sslmode=disable
    COMMENTO_GZIP_STATIC=true
    COMMENTO_GITHUB_KEY=...
  7. Run Commento in a container

    $ docker run -d -p 8080:8080 -v ~/commento:/etc/commento -e COMMENTO_CONFIG_FILE=/etc/commento/commento.conf  registry.gitlab.com/commento/commento
  8. HTTPS - deploy Caddy on the host

    # download caddy and unzip
    # give caddy permission to bind to privileged ports without running it as root
    $ sudo setcap cap_net_bind_service=+ep ./caddy
    
    # create config for caddy (Caddy v1 syntax)
    $ vim Caddyfile
    
    https://comments.rraghur.in:443 {
            tls redacted@email.com
            log stdout
            errors stdout
            proxy / localhost:8080 {
                    transparent
            }
    }
  9. Run everything as a service in systemd

    $ sudo vim /etc/systemd/system/commento.service
    
    [Unit]
    Description=Commento service
    After=docker.service
    Wants=network-online.target docker.socket
    Requires=docker.socket
    
    [Service]
    Restart=always
    # --privileged and the docker.sock mount below are not needed by the plain docker run in step 7;
    # they give the container root-equivalent control of the host, so drop them unless something needs them
    ExecStartPre=/bin/bash -c "/usr/bin/docker container inspect commento 2> /dev/null || /usr/bin/docker run -d --name commento --privileged -p 8080:8080 -v /var/run/docker.sock:/var/run/docker.sock -v /home/raghu/commento:/etc/commento -e COMMENTO_CONFIG_FILE=/etc/commento/commento.conf -e COMMENTO_POSTGRES=postgres://postgres:notmypass@172.17.0.1/commento  registry.gitlab.com/commento/commento"
    ExecStart=/usr/bin/docker start -a commento
    ExecStop=/usr/bin/docker stop -t 10 commento
    
    [Install]
    WantedBy=multi-user.target
    
    $ sudo vim /etc/systemd/system/commento-web.service
    
    [Unit]
    Description=Commento HTTP
    PartOf=commento.service
    After=commento.service
    Requires=commento.service
    
    [Service]
    Restart=always
    ExecStart=/home/raghu/commento/caddy -agree -conf /home/raghu/commento/Caddyfile -http-port 9090
    ExecReload=/bin/kill -USR1 $MAINPID
    KillMode=mixed
    KillSignal=SIGQUIT
    TimeoutStopSec=5s
    
    [Install]
    WantedBy=multi-user.target
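An added check (my code, not the author's or Commento's) that parses the docker run command out of an ExecStartPre= line like the one in the unit above and flags what widens the container's reach into the host: --privileged and the docker.sock mount (neither is used by the plain docker run in step 7), the -p 8080:8080 binding on every interface (Docker inserts its own iptables rules, so UFW does not see that port and clients can reach Commento without going through Caddy's TLS), and a database password inside an environment variable. The sample line is constructed with a placeholder password.

```python
import shlex
from urllib.parse import urlsplit

# Constructed ExecStartPre= line modelled on the unit in step 9;
# the password is a placeholder, not a real credential.
SAMPLE_EXEC_START_PRE = (
    'ExecStartPre=/bin/bash -c "/usr/bin/docker container inspect commento 2> /dev/null || '
    '/usr/bin/docker run -d --name commento --privileged -p 8080:8080 '
    '-v /var/run/docker.sock:/var/run/docker.sock -v /home/raghu/commento:/etc/commento '
    '-e COMMENTO_CONFIG_FILE=/etc/commento/commento.conf '
    '-e COMMENTO_POSTGRES=postgres://postgres:PLACEHOLDER@172.17.0.1/commento '
    'registry.gitlab.com/commento/commento"'
)


def docker_run_args(exec_line):
    """Extract the argv after 'docker run' from an ExecStartPre= line."""
    value = exec_line.split("=", 1)[1]
    outer = shlex.split(value)                     # ['/bin/bash', '-c', '<script>']
    script = outer[2] if len(outer) == 3 and outer[1] == "-c" else value
    argv = shlex.split(script.split("||", 1)[-1])  # the part after 'inspect ... ||'
    return argv[argv.index("run") + 1:] if "run" in argv else []


def audit_docker_run(argv):
    """Return findings for flags that widen the container's reach into the host."""
    findings = []
    for i, tok in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if tok == "--privileged":
            findings.append("--privileged: all capabilities and raw device access on the host")
        elif tok in ("-v", "--volume") and nxt.split(":", 1)[0] == "/var/run/docker.sock":
            findings.append("docker.sock mounted: the container can start a root container on the host")
        elif tok in ("-p", "--publish") and nxt.count(":") == 1:
            # '8080:8080' binds 0.0.0.0; Docker inserts its own iptables rules, so UFW
            # does not see the port and clients can reach Commento without Caddy's TLS.
            findings.append(f"-p {nxt}: published on every interface; use -p 127.0.0.1:{nxt}")
        elif tok in ("-e", "--env"):
            name, _, val = nxt.partition("=")
            if "://" in val and urlsplit(val).password:
                findings.append(f"{name}: database password embedded in an environment variable")
    return findings


def audit_unit_line(exec_line):
    """Convenience wrapper: audit the docker run inside one ExecStartPre= line."""
    return audit_docker_run(docker_run_args(exec_line))
```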
  10. Now commento can be started/stopped with systemctl start commento-web

  11. To run it automatically on boot, enable it in systemd with systemctl enable commento

UPDATE 2019-11 - Docker, UFW, Iptables

So after debugging/troubleshooting the same issue twice now, I’ve finally come to my senses and am actually documenting the damn thing.

Symptom
  • After reboot, pgsql access from docker containers is broken. Ergo, commento web does not start.

What’s happening
  • Connection from containers to host is being firewalled.

  • Hey - but I added a rule in UFW

    • UFW and Docker don’t play well. Blame Docker.

So how do I allow traffic from docker0?
  • sudo iptables -A INPUT -i docker0 -j ACCEPT

  • Test with:

    docker run -it --rm rraghur/psql-client
    > psql -Upostgres -h172.17.0.1
Cool - works well. How do I make it permanent?
  • I’ve added ExecStartPre=/sbin/iptables -A INPUT -i docker0 -j ACCEPT to /etc/systemd/system/commento.service