Installing Honk on Debian 11
I like Mastodon, and I like to self-host everything I can, but Mastodon itself is a bit heavier than I want something I'm self-hosting to be. Thankfully, there are a few great lightweight single-user alternatives that I'm more than happy to run myself. I chose Honk because it's purple.
Basic setup
Honk is basically simple: it's a Go app that runs as a single binary and sits behind a reverse proxy. We'll run it as its own user, so let's create then become that user:
# useradd -m --system honk
# su - honk
It requires a newer version of Go than Debian 11 ships, so fetch that from https://go.dev/dl/ and unpack it. We also need libsqlite3-dev, so get that too (as root):
$ wget https://go.dev/dl/go1.20.6.linux-amd64.tar.gz
$ tar xf go*
# apt -y install libsqlite3-dev
Go comes precompiled for our convenience, so we can go ahead and fetch and build Honk.
$ wget https://humungus.tedunangst.com/r/honk/d/honk-0.9.91.tgz
$ tar xf honk*
$ cd honk-0.9.91
$ PATH=~/go/bin/:$PATH make
Now that we've built the monolithic binary, we can configure it with:
$ ./honk init
This asks a few questions to get it set up. Choose a free port, say 127.0.0.1:4567, for it to listen on and a hostname you like (I chose micro.maddie.sh). You'll also set the name and password for the only user here. Make sure you've got DNS set up for the domain name you choose.
Reverse proxy
We can now run it with a simple ./honk. However, we still need to set up an SSL reverse proxy (including fetching the certs). I use Apache httpd, so set up a barebones VHost and ask Certbot for a certificate. As root:
# cat > /etc/apache2/sites-available/micro.maddie.sh.conf << EOF
<VirtualHost *:80>
ServerName micro.maddie.sh
</VirtualHost>
EOF
# a2ensite micro.maddie.sh
# systemctl reload apache2
# certbot -d micro.maddie.sh -i apache
This will create /etc/apache2/sites-available/micro.maddie.sh-le-ssl.conf, where we can put the reverse proxy config. Add the following lines to that file below the ServerName directive:
ProxyPreserveHost on
ProxyPass / http://127.0.0.1:4567/
ProxyPassReverse / http://127.0.0.1:4567/
Then systemctl reload apache2 and everything should be good!
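Both proxy directives have to name the exact address Honk listens on; a mistyped port would publish whatever else happens to listen on that loopback port. The script below is an added example, not part of the original post, that checks this before a reload. The function names and the sample vhost are constructed, and it assumes the two-argument ProxyPass form used here.

```shell
#!/bin/sh
# Added example, not from the original post. The vhost text below is constructed.

# proxy_backends FILE: print the unique host:port targets of every ProxyPass
# and ProxyPassReverse directive in FILE, one per line.
proxy_backends() {
    awk '
        /^[ \t]*#/ { next }                                # skip comment lines
        { d = tolower($1) }                                # directives are case-insensitive
        (d == "proxypass" || d == "proxypassreverse") && $3 != "!" {
            url = $3
            sub(/^[A-Za-z][A-Za-z0-9+.-]*:\/\//, "", url)  # strip the scheme
            sub(/\/.*$/, "", url)                          # strip the path
            print url
        }' "$1" | sort -u
}

# check_proxy FILE LISTEN: return 0 only if FILE contains proxy directives and
# all of them target LISTEN, the address entered during "./honk init".
# Returns 1 on a mismatch and 2 if no proxy directive was found.
check_proxy() {
    backends=$(proxy_backends "$1")
    [ -n "$backends" ] || { echo "no proxy directives in $1" >&2; return 2; }
    [ "$backends" = "$2" ] && return 0
    echo "proxy targets other than $2:" >&2
    printf '%s\n' "$backends" | grep -vxF -- "$2" >&2 || true
    return 1
}

# Demo: a constructed vhost whose two directives disagree on the port.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<VirtualHost *:443>
ServerName micro.example.org
ProxyPreserveHost on
ProxyPass / http://127.0.0.1:4576/
ProxyPassReverse / http://127.0.0.1:4567/
</VirtualHost>
EOF
if check_proxy "$demo" 127.0.0.1:4567; then
    echo "proxy config OK"
else
    echo "proxy config needs fixing"
fi
rm -f "$demo"
```

To use it on the real file, call check_proxy with the path of the -le-ssl.conf file Certbot created and the listen address you gave Honk.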
Systemd service
We want to run Honk as a service that restarts on every boot, so let's set up a Systemd unit file.
# cat > /etc/systemd/system/honk.service << EOF
[Unit]
Description=Honk, a Fediverse server
After=syslog.target network.target
[Service]
Type=simple
StandardOutput=syslog
StandardError=syslog
User=honk
Group=honk
WorkingDirectory=/home/honk/honk-0.9.91
ExecStart=/home/honk/honk-0.9.91/honk
Restart=always
CapabilityBoundingSet=CAP_SETUID
DevicePolicy=closed
LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ReadWritePaths=/home/honk
RestrictAddressFamilies=AF_UNIX AF_INET
RestrictNamespaces=yes
RestrictRealtime=yes
[Install]
WantedBy=multi-user.target
EOF
This adds in a few security enhancements, and lets us operate Honk with systemctl. Let's start the service and enable it at boot time, and we're done!
# systemctl daemon-reload
# systemctl enable --now honk