Suffix

Joining the Fediverse with honk

Self-hosting a Fediverse server with honk.

One of the main advantages of Mastodon (and, by extension, the Fediverse) over Twitter is its decentralized nature. You can pick up and move if your instance no longer suits you. Unlike Twitter, you can still interact with your Fediverse friends on other instances. While the decentralized nature offers more freedom and flexibility, you still depend on someone else’s goodwill to keep the server up and running. As techies we can do better: why not host our own?

Mastodon might be the most popular social media Fediverse platform but it’s not the only one: Pleroma, Misskey, GoToSocial, and honk all use ActivityPub under the hood to talk to each other. Honk might be one of the simplest alternatives to self-host: a single binary is all that’s needed.

Installing honk

First download the latest honk source code and extract the tarball.

wget https://humungus.tedunangst.com/r/honk/d/honk-0.9.8.tgz
tar -xf honk-0.9.8.tgz
sudo mv honk-0.9.8 /etc/honk

Building honk

To build honk we need a recent Go compiler. The version in the Ubuntu 20.04.5 LTS repository is too old, so we are using the snap package. We also need the gcc compiler and the SQLite development library. With those installed, we can build honk from within its directory.

sudo snap install go --classic
sudo apt install gcc libsqlite3-dev
cd /etc/honk
make

Configuring honk

Configure honk by setting a username and password, the listenaddr, and servername. I set 127.0.0.1:31337 as the listen address and my FQDN as server name.

./honk init

From here running honk is as simple as starting the binary.

./honk

Reverse proxy

Honk does not handle encryption itself and expects a TLS frontend. We can use any webserver we like. For Apache we configure a reverse TLS proxy. Replace SERVERNAME with the FQDN used in the honk config above. The certificate is managed by certbot.

ServerTokens Prod
ServerSignature Off
TraceEnable off
LogLevel alert

<VirtualHost *:80>
  ServerName SERVERNAME
</VirtualHost>

<VirtualHost *:443>
  ServerName SERVERNAME
  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/SERVERNAME/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/SERVERNAME/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:31337/
  ProxyPassReverse / http://127.0.0.1:31337/
</VirtualHost>
↑ Apache reverse proxy config in /etc/apache2/sites-available/SERVERNAME.conf.

Link the config and reload Apache.

sudo ln -s /etc/apache2/sites-available/SERVERNAME.conf /etc/apache2/sites-enabled/
sudo systemctl reload apache2

Surviving restarts

Starting the honk server manually is nice the first time but we want the system to automatically start the process after a server restart. First create a new system user so we don’t run the honk process as root.

sudo useradd --system honk
sudo chown -R honk:honk /etc/honk

Next add a new systemd service configuration (I stole the sandboxing part from the GoToSocial example).

[Unit]
Description=Honk Server

[Service]
WorkingDirectory=/etc/honk
ExecStart=/etc/honk/honk
Restart=on-failure

User=honk
Group=honk

# Harden security
CapabilityBoundingSet=CAP_SETUID
DevicePolicy=closed
LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ReadWritePaths=/etc/honk
RestrictAddressFamilies=AF_UNIX AF_INET
RestrictNamespaces=yes
RestrictRealtime=yes

[Install]
WantedBy=default.target
↑ Create a /etc/systemd/system/honk.service config file.

All that’s left now is to enable and start the honk service.

sudo systemctl enable --now honk

Check the logs to make sure everything runs smoothly.

journalctl -u honk -f
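
Since honk speaks plain HTTP and leaves TLS to the Apache frontend, it is also worth confirming that port 31337 is bound to loopback only. The check below is an added example, not part of the original setup or of honk itself; the function name listener_exposure and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify where a TCP port is listening, given the output
# of `ss -Hltn` on stdin. On the server: ss -Hltn | listener_exposure 31337
# Exit status: 0 = loopback only, 1 = reachable from other hosts,
#              2 = nothing is listening on that port.
# listener_exposure is a hypothetical helper name, not a honk command.

listener_exposure() {
    port="$1"
    awk -v port="$port" '
        {
            local_addr = $4                  # "Local Address:Port" column
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next       # port follows the last colon
            found = 1
            host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", host)            # drop an interface suffix such as %lo
            if (host ~ /^127\./ || host == "[::1]") next
            exposed = 1                      # 0.0.0.0, *, [::] or a routable address
            print "exposed: " local_addr
        }
        END {
            if (!found)  { print "not listening on port " port; exit 2 }
            if (exposed) exit 1
            print "loopback only"
        }'
}

# Constructed sample of `ss -Hltn` output (not captured from a real host).
sample='LISTEN 0 4096 127.0.0.1:31337 0.0.0.0:*
LISTEN 0 511   0.0.0.0:443     0.0.0.0:*'
printf '%s\n' "$sample" | listener_exposure 31337   # prints "loopback only"
```
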

Find me at @cimm@fedi.suffix.be and share your new fancy Fediverse instance!