Installing GoToSocial
This page makes the following assumptions:
- You have a running VPS, prepared according to the instructions in Preparing Your VPS.
- You have a domain name that's pointed to your VPS.
If either of these aren't true, please read through the last three pages.
We are now going to download, install, and configure GoToSocial on your system. This is what we've been working towards!
For the ease of simplicity, this guide will go through the simplest possible install of GoToSocial - this means having GoToSocial handle web traffic, using SQLite for your database, and not installing a frontend yourself. Alternate versions of this guide going through more complicated installs may be created in the future - for now, check out the GoToSocial documentation for instructions on how to set these up.
This guide is written based off, and uses a lot of the same commands, as the upstream documentation: GoToSocial Installation - Bare metal
Make some directories for GoToSocial to live in:
sudo mkdir -p /gotosocial/storage/certs
cd /gotosocial
Next, download and extract the Website League GoToSocial fork:
Check the releases page for the latest version. The link below may point to an older release!
sudo wget https://gitlab.com/website-league/gotosocial/-/releases/v0.16.0-wl4/downloads/gotosocial_0.16.0-wl4_linux_amd64.tar.gz
sudo tar -xzf ./gotosocial_0.16.1-wl_linux_amd64.tar.gz
Then, make a copy of the example config.yaml and open it up. It's time to configure your new instance!
sudo cp example/config.yaml ./
sudo nano config.yaml
Configuring GoToSocial
There's going to be a lot of settings! You're probably going to want to look through them all, but below is some of them you're probably going to want to change/adjust from default:
# host: Set this to your domain name.
host: "my-awesome-wobsite.instance"
# Running on allowlist is required for Website League nodes.
instance-federation-mode: "allowlist"
# Make clients that demand mastodon happy
instance-inject-mastodon-version: true
# instance-languages: Set this to you(r users') preferred languages!
# https://en.wikipedia.org/wiki/IETF_language_tag#List_of_common_primary_language_subtags
instance-languages: ["en"]
# If this is a single user instance, you can change this to your user
# and it'll go to your profile when browsing to your instance domain.
landing-page-user: ""
# Enable this if you're making a multi-user node and you're ready to accept registrations.
accounts-registration-open: false
# If you're from Cohost, you probably want this. Not as good as federated CSS crimes,
# but hey, you can at least have custom CSS on your profile!
accounts-allow-custom-css: true
# Adjust that character limit, make it something a little less cramped.
# (50k characters appeared to cause no problems in testing.)
statuses-max-chars: 50000
# Set up GoToSocial to run as the webserver
# and set up SQLite as our database of choice.
port: 443
db-type: "sqlite"
db-address: "sqlite.db"
# This should be correct, but change it if you're using a different directory.
storage-local-base-path: "/gotosocial/storage"
# Set up GoToSocial to get a free SSL cert from Let's Encrypt
letsencrypt-enabled: true
letsencrypt-cert-dir: "/gotosocial/storage/certs"
letsencrypt-email-address: "your@awesome-email.here"
It's probably best to take some time to look through the entire configuration file, though, and see if there's anything you want to change.
Configurations that have different `host` and `account-domain` configuration values can introduce problems with federation later that can be tricky to diagnose, so it's easiest to keep them the exact same. (or leave `account-domain` blank)
Smoke Test
Let's see if it works!
Run the following command:
sudo ./gotosocial --config-path ./config.yaml server start
Your screen should fill with lines, then you should see something like the following near or at the bottom:
timestamp="26/09/2024 04:39:03.389" func=router.(*Router).letsEncryptTLS.func2 level=INFO msg="letsencrypt listening on 0.0.0.0:80"
timestamp="26/09/2024 04:39:03.390" func=router.(*Router).Start.func1 level=INFO msg="listening on 0.0.0.0:443"
Go to your browser, type in your instance domain, and see if it loads!
If it loads, congratulations - you've got yourself a brand new fediverse instance! If not, there's a variety of things you can check. It may need just a moment to get itself an SSL certificate, for one. You may also want to double-check your DNS configuration, as well as the rest of your GoToSocial configuration. Remember - if you need help, there are folks that're willing and able to provide.
Run GoToSocial as a Service
Now that we know it can run, it's time to run it in a way that doesn't require you to be logged in to your console forever. Press Ctrl+C in the console to stop it running for now (it'll be back very soon!)
First, let's create a user like we did earlier, but for GoToSocial, then make it own the /gotosocial folder we made:
sudo useradd -r gotosocial
sudo groupadd gotosocial
sudo usermod -a -G gotosocial gotosocial
sudo chown -R gotosocial:gotosocial /gotosocial
Don't worry about creating a password for it - this is a system account. Nobody should be logging in as this user.
Now, copy the systemd service to the correct folder, and open it up in a text editor:
sudo cp /gotosocial/example/gotosocial.service /etc/systemd/system/
sudo nano /etc/systemd/system/gotosocial.service
If you followed the instructions as given here, you'll only need to uncomment a single line:
# You might need this if you are running as non-root on a privileged port (below 1024)
AmbientCapabilities=CAP_NET_BIND_SERVICE
It should look just like that - no # in front of it.
Making SELinux Happy
If you try to run the service right now:
sudo systemctl enable --now gotosocial.service
you'll notice it fails right away with an odd error.
Sep 26 05:22:34 vultr.guest systemd[1]: Starting GoToSocial Server...
Sep 26 05:22:34 vultr.guest systemd[4941]: gotosocial.service: Failed to locate executable /gotosocial/gotosocial: Permission denied
Sep 26 05:22:34 vultr.guest systemd[4941]: gotosocial.service: Failed at step EXEC spawning /gotosocial/gotosocial: Permission denied
Sep 26 05:22:34 vultr.guest systemd[1]: gotosocial.service: Main process exited, code=exited, status=203/EXEC
Sep 26 05:22:34 vultr.guest systemd[1]: gotosocial.service: Failed with result 'exit-code'.
Sep 26 05:22:34 vultr.guest systemd[1]: Failed to start GoToSocial Server.
This is because the permissions don't quite fit with SELinux, and so SELinux has decided to deny GoToSocial from starting.
SELinux is something that runs in Rocky Linux and other Linux distros like it. Its purpose is to put limits on things like what resources applications are allowed to access. If its permissions aren’t properly set, it can cause issues like the ones we’re seeing here.
We can solve this in one of two ways: the easy way, or the secure way. (You're probably perfectly fine just doing it the easy way, but I prepared the secure way in case you want it!) Follow the instructions according to which path you're comfortable taking:
The Easy Way
We set SELinux into permissive mode - effectively, make it not really matter what SELinux thinks.
sudo setenforce 0
This sets it temporarily into permissive mode, so it takes effect right away. We then edit a line in /etc/selinux/config to make this permanent so it continues to persist after restarts:
# change
SELINUX=enforcing
# to
SELINUX=permissive
You can also set it to "disabled" in this file if you want to completely disable SELinux. Either way, it should not hinder starting GoToSocial anymore. Skip "The Secure Way" and continue onwards to "Creating a User".
The Secure Way
This might be a bit of a headache, but it'll be more secure - we basically import an SELinux policy for GoToSocial, and patch it over time if GoToSocial ever needs new permissions. Doing this has the benefit of not having to disable SELinux.
Use git to clone a fork of this selinux policy modified to work with our setup:
git clone https://git.tenna.zip/tenna/gotosocial-selinux
Compile it and run the included script to re-label some files:
cd gotosocial-selinux
sudo make -f /usr/share/selinux/devel/Makefile load
sudo ./gotosocial-selinux-relabel
sudo systemctl start gotosocial
If it works, great! If SELinux doesn't allow it to do something for some reason, get SELinux to give you a config that would fix that problem:
sudo sepolgen-ifgen
sudo audit2allow -larR
It'll spit out some code - add this to the selinux files where relevant. Re-compile it and restart GoToSocial.
If you're having trouble with this, feel free to ask about it in the Discord. There is, also, of course, the option of just disabling SELinux if worst comes to worst, but it's good to keep it enabled if at all possible!
Creating a User
You're now running GoToSocial as a bonafide service! ...Except you don't have an account. Let's fix that.
Run this command, then enter the password you want and hit Enter again:
read -r THEPASSWORD
Then, run the following commands, replacing your_username_here and your@awesome.email with your username and E-mail (don't replace THEPASSWORD - this will get substituted automatically with the password you just entered):
cd /gotosocial/
sudo -u gotosocial ./gotosocial --config-path ./config.yaml \
admin account create \
--username your_username_here \
--email your@awesome.email \
--password ${THEPASSWORD}
sudo -u gotosocial ./gotosocial --config-path ./config.yaml \
admin account promote --username your_username_here
Finally, restart GoToSocial. You've got your own user now! Now you can use a client like Semaphore to log in and make posts!
...To nobody, yet. You've gotta add the other Website League nodes to your allowlist. This is fairly simple, though!
Managing the Allowlist
As of the writing of this guide, there is currently no automated way to manage the allowlist for the Website League. One is in the works - once it is finished, this guide will be updated to include the installation of such automation. In the interim, this will go over how to manually add nodes to your allowlist.
Go to the following URL, replacing "your-cool.instance" with your instance domain:
https://your-cool.instance/settings
Log in to the account you just made. Then, go to Domain Permissions > Allows. Here, you can then type the name of an instance, then hit Allow, then Allow again.
Alternatively, if you have a list of domains, you can go to Domain Permissions > Import/Export, paste the list, tick the "Domain allows" box, then import.
You're done! If you've made it all the way to the end here - congrats on your new instance, and thanks for reading! Hope it helped. If you have any questions or need any help, there's folks in the Discord who're willing to help, including the author of this guide, Tenna Lotor.