Let’s face it – Twitter has been quite a dumpster fire lately. And even if you’re all for Elon Musk taking over and ‘shaking things up’ at Twitter, the fact remains that most of the staff is gone. Especially in the areas of content moderation and security – which is a big issue. They’re making many changes very quickly with little staff. Something is going to fall through the cracks security-wise, and that leaves its users at risk.
Mastodon is a Twitter alternative – it’s open source, and decentralized meaning that there’s no central algorithm controlling what you see and serving up ads at the expense of your privacy. You can join an existing server that interests you and suits your preferences, or start your own server and community!
This tutorial is going to cover the creation of your own Mastodon server following all best practices to give you a great head start on your own server, and to make your life easier!
If this tutorial does make your life easier, you’re welcome to buy me a beer! Cheers!
You can run Mastodon on your own server hardware, however, that would require opening up firewall ports and allowing outside users into your secure network areas, so in this tutorial, we’re going to set up a VPS (Virtual Private Server) on Digital Ocean. Their documentation is excellent, and they have a One-click installation for firing up your own Mastodon server!
If you haven’t yet signed up for Digital Ocean, but will be signing up to take advantage of this tutorial, please consider using our Digital Ocean Referral Link! Signing up using my referral link gets you $200.00 in Digital Ocean credit over your first 2 months of service.
What You Need to Get Started with Mastodon
A Digital Ocean account – as stated above, we’re using DO for this setup – their one-click Mastodon server install makes this a no-brainer!
An SMTP server – Mastodon needs to send email for sign-up verifications, password resets, and security notifications. In this tutorial, we’re going to be using SendGrid (no referral code), but any SMTP server will work – SendGrid just makes it super easy.
A domain name – Your Mastodon server is going to need a URL on the Internet! Also known as an FQDN (Fully Qualified Domain Name). In this tutorial, we’re going to be using crosstalk.tech as our Mastodon server domain name, but you’ll have to choose your own. If you don’t have a domain provider (or if you’re on GoDaddy and have decided to come to your senses), then please consider signing up with NameCheap – they’re who I personally use for domain hosting, and I love the service. They have a $6.98/year domain deal going on HERE.
Once you have all of this ready to go, it’s time to create our server!
Add your Domain to Digital Ocean
In this tutorial, I’m going to let Digital Ocean be the nameserver for my Mastodon domain name (crosstalk.tech). You may be saying to yourself – “well, I like my own DNS hosting provider, so I can skip this step.” Technically yes – you can – BUT – skipping this step will make your life more difficult. We’re going to be setting up attached object storage for our server and multiple Let’s Encrypt certificates. Letting DO manage your DNS means that the tight integration we’re doing here is going to be much more seamless.
You have been warned! Using your own DNS will invalidate many of the steps below, so I highly recommend at least reading through the guide completely before you decide to use your own DNS hosting provider.
Log into Digital Ocean and select ‘Networking’ from the left-hand menu (under Manage).
Select the ‘Domains’ tab and then add your domain name (in my case, it’s crosstalk.tech – substitute your own domain name) – then click ‘Add Domain.’
Next, you’ll need to log into your existing domain registrar and change the DNS for your domain name to the name server (NS) records indicated by Digital Ocean.
In the screenshot above, we can see that the name servers Digital Ocean gave me are ns1, ns2, and ns3.digitalocean.com. This is basically telling us that these are the name servers that will now manage all of the other DNS records (A records, CNAME records, MX records, etc.) for the domain ‘crosstalk.tech.’ But I have not yet actually configured crosstalk.tech to use these name servers.
To make that change, I will log into NameCheap – this process should be very similar to most domain registrars. In the case of NameCheap, we need to click on ‘Domain List’ in the left hand menu, and then click ‘Manage’ next to the domain we want to make changes to (crosstalk.tech in my case).
NOTE: If NameCheap isn’t your domain hosting provider, your actual domain hosting provider should have a similar way to change your domain name’s nameservers.
In the ‘Nameservers’ section, drop down the box and choose ‘Custom DNS.’ Then add the 3 nameservers from Digital Ocean as in my screenshot above. Then click the green check mark to save those settings.
Mastodon One-click Installation on Digital Ocean
Next, we need to create a droplet for Mastodon. Luckily, Digital Ocean makes this super easy with their one-click install.
From the Digital Ocean dashboard, click the green ‘Create’ button in the upper right hand corner and choose ‘Droplets.’
In the top section, choose ‘Marketplace’ and then start typing ‘Mastodon’ in the search box – you should see the Mastodon selection pop up – select it.
You should then have Mastodon 4.0.2 selected (it’s v4.0.2 as of the writing of this tutorial – that version is subject to change).
Next, choose your server tier – for this tutorial, we’re gonna choose a Basic (Shared CPU) plan with Premium AMD processor – $14.00/mo. tier.
Next, pick a data center location close to you – in my case, I’m going to choose San Francisco 3.
Next, choose to use either an SSH public/private key pair, or a root password for authentication. An SSH key pair is going to be more secure, so we will use that method (you will need a separate Linux server to create the key – I used a Raspberry Pi to do mine) – let’s assume that we don’t yet have a key. Click ‘New SSH Key.’ You will see this pop-up (note the SSH Key creation instructions on the right – thanks Digital Ocean!):
Log into a different Linux server (if you don’t have one, your best bet is to simply choose ‘password’ as the authentication mechanism above). Run this command:
When asked where to save the key, just take the default (press ENTER) – this will place the key in the .ssh directory under your home directory (~/.ssh). When asked to enter a passphrase, just press ENTER twice for no passphrase.
Once the key has been created, we need to copy the public side of the key to Digital Ocean – run this command to see the contents of the ~/.ssh/id_rsa.pub file:
Copy the contents of that file and then paste them into the Digital Ocean ‘SSH key content’ section. Give the key a name and then click ‘Add SSH key.’
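Before pasting, it is worth confirming that what is on your clipboard really is the one-line public key and not the private key or a wrapped copy (a common mix-up when shuttling files between machines). The script below is an added example for this tutorial, not code from the original page or from Digital Ocean: it checks the key type, the base64 blob, and that the type name embedded in the blob matches the label. The sample key material it builds is constructed for the demo and is not a usable key.

```shell
#!/bin/sh
# Added example: validate an OpenSSH public-key line before pasting it into
# Digital Ocean's 'SSH key content' box. Not part of the original tutorial.

# Return 0 if $1 is a single "<type> <base64> [comment]" public-key line,
# otherwise print the reason and return 1.
is_openssh_pubkey() {
  line="$1"
  nl="$(printf '\nx')"; nl="${nl%x}"   # a literal newline for the pattern below

  case "$line" in
    *BEGIN*PRIVATE*KEY*)
      echo "this is a PRIVATE key; paste the contents of the .pub file instead"; return 1 ;;
    *"$nl"*)
      echo "key must be a single line (no wrapping or line breaks)"; return 1 ;;
  esac

  set -f; set -- $line; set +f          # split into type / base64 / comment
  [ $# -ge 2 ] && [ $# -le 3 ] || { echo "expected '<type> <base64> [comment]'"; return 1; }
  ktype="$1" b64="$2"

  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unknown key type: $ktype"; return 1 ;;
  esac

  # The blob must decode, and its first length-prefixed field must repeat the type name.
  printf '%s' "$b64" | base64 -d >/dev/null 2>&1 || { echo "key blob is not valid base64"; return 1; }
  embedded="$(printf '%s' "$b64" | base64 -d 2>/dev/null | tail -c +5 | head -c ${#ktype})"
  [ "$embedded" = "$ktype" ] || { echo "type '$ktype' does not match the encoded key"; return 1; }
  return 0
}

# Constructed sample: structurally a valid ssh-ed25519 public key (the 32 key
# bytes are all zero), enough to exercise the checks above. Not a real key.
sample_pubkey() {
  blob="$({ printf '\000\000\000\013ssh-ed25519\000\000\000\040'; head -c 32 /dev/zero; } | base64 | tr -d '\n')"
  printf 'ssh-ed25519 %s demo@example' "$blob"
}

# Typical use on the machine where you ran ssh-keygen:
#   is_openssh_pubkey "$(cat ~/.ssh/id_rsa.pub)" && echo "safe to paste"
```

If the check complains about a PRIVATE key, you copied the wrong half of the pair; only the .pub side ever goes to Digital Ocean.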
Back in the Droplet creation screen now, scroll down and choose ‘Enable backups’ – this is strongly recommended, and will create a weekly backup of your server in case something bad happens. Also a good idea to enable Monitoring.
Finally, set the hostname of the Droplet to your domain FQDN – in my case, it’s crosstalk.tech.
Click the green ‘Create Droplet’ button at the very bottom, and our Mastodon server will be created with the settings that we set! This will take a minute or two.
Associate your FQDN with the new Mastodon Droplet
Next, we need to create an A-record for our Mastodon Droplet.
Since we’re super smart, and allowing Digital Ocean to manage our DNS in this tutorial, we don’t need to find or copy the Droplet’s IP address – simply go back to Networking in the left hand menu and then click on Domains and then your domain name. Under the ‘Create new record’ section, choose A (for DNS A-record) and then enter an @ symbol as the hostname.
For the ‘Will direct to’ section, select the Mastodon Droplet that we just created (it should be at the top). Finally click ‘Create Record.’
SSH Into Mastodon
Next, we’ll need to SSH into our Mastodon droplet in order to go through the initial setup wizard. If you picked root password authentication when you created the droplet above, you can simply SSH to the droplet’s IP address (or FQDN), and then log in as ‘root’ with the password you picked above.
NOTE: It’s always DNS. Sometimes the A-record you just created for your Mastodon server takes a while to propagate out to the Internet. If you try to connect using your server’s FQDN and it doesn’t work, you may have to use the IP address instead until the DNS name is actually resolving.
Since we picked SSH public/private key authentication for our server, we’ll need to do one extra step which is to import our private key for use with our SSH client. In this tutorial, I’m going to be doing this with PuTTY since it’s what I’m used to – but you can also use private key authentication for SSH with Windows CMD/PowerShell and macOS Terminal.
First, in Linux where you created the public/private keypair, you’ll need to copy the contents of the private key to your clipboard – run this command:
Copy all of the contents of that file and then save them into a text file on your Windows desktop (these instructions will be different on different OS’s – so adjust accordingly).
When you download and install PuTTY, you also get PuTTYgen, which converts text-based private keys into .PPK files that we can use with PuTTY. So first launch PuTTYgen and click ‘Load.’ Browse to the private key text file you just saved, and then select it.
Once the private key has been loaded into PuTTYgen, click ‘Save private key’ and save the .PPK file somewhere safe where it isn’t going to get lost.
Now it’s time to open up PuTTY and connect to our Mastodon instance. With PuTTY open, enter the Host Name (or IP address) of your server at the top. Then on the left hand side, expand ‘SSH’ under Connection, and then expand ‘Auth.’ Click on the ‘Auth’ menu item and then click ‘Browse’ and select the .PPK file that you just created.
In the left-hand menu, click back onto ‘Session’ at the top of the menu list. We don’t want to connect just yet – we want to save these settings so that it’s easier the NEXT time we connect – so enter a friendly name such as ‘Mastodon server’ in the ‘Saved Sessions’ box, and then click ‘Save.’
After you’ve clicked ‘Save,’ your Mastodon server will now be in the Saved Sessions list – when you want to reconnect in the future, just click on the Mastodon server, then click ‘Load.’ It will already have your PPK file in the configuration settings.
Finally, click ‘Open’ to connect to the Mastodon server. Click ‘Accept’ if prompted, and then enter username ‘root’ when asked. It’s time to start the Mastodon installation wizard!
Mastodon Initial Setup Wizard
Finally we’re configuring Mastodon! For Domain Name, enter in your FQDN – in my case, it’s crosstalk.tech.
OK – next step is an open question. “Do you want to store user-uploaded files on the cloud? (y/N)” Let’s talk about this one for a moment. Being that Mastodon is a Twitter alternative, people are going to be sending out messages with pics, links, videos, etc. attached to them. That content needs to be stored somewhere – the easiest and cheapest thing to do is to just store that content on the Digital Ocean droplet that we created – on the $14.00 tier, we have 50GB worth of storage space (minus the overhead of the OS and installed software). BUT – there’s a very serious caveat here…if that space fills up, it’s going to be much more difficult to expand/upgrade later.
To give you some idea of the amount of space required for our Mastodon server, I set this server up about a week ago, and have barely promoted it – I have ~200ish followers as of the writing of this note, and the server has around 30 users who have signed up. It’s pretty low usage compared to some of the big popular Mastodon servers, and it has generated 2.3GB worth of data (12,241 items).
The alternative is to use scalable object storage. Using object storage for our files is faster and scales automatically if we ‘run out of space,’ but it is more expensive. For this tutorial, we’re going to say YES and then set up our object storage.
Digital Ocean Spaces pricing is $5.00 base per month for the first 250GB worth of storage, and then $0.02/GB/month for any usage above 250GB.
When prompted for Provider, choose DigitalOcean Spaces.
Next, it’s going to ask for the Space name – we need to pause here, switch over to Digital Ocean, and create the storage Space first.
Back in the Digital Ocean dashboard, click on ‘Spaces’ under ‘Manage’ in the left-hand menu. Then click ‘Create a Space.’ (Or choose the green ‘Create’ button in the upper right and choose Spaces).
First, choose a data center geographically close to you (I’m picking the same one I used for my Mastodon Droplet – San Francisco 3).
Under CDN (Content Delivery Network), click ‘Enable CDN,’ and then click ‘Use a custom subdomain’ followed by ‘+ Add a new subdomain certificate.’
When the ‘Add custom subdomain’ window pops up, make sure the ‘Use Let’s Encrypt’ tab is selected, and then choose your domain from the drop-down box.
Remember at the beginning of this tutorial where I told you some of these steps would be much more difficult if you’re hosting your own DNS? This is one of those instances – if you decided to use your own DNS, you’re on your own for this part.
Next choose ‘Select specific subdomains’ and then add a new one – it’s hard to see in the screenshot below, but I am creating ‘files.crosstalk.tech.’
Once all of that info has been input, click on ‘Generate Certificate and Use Subdomain.’ It should take less than a minute to generate the cert, and you’ll get a green pop-up in the upper right of the Digital Ocean GUI once it’s ready to use.
Scroll down under Finalize and Create and input a name for your Space – I’m going to use the subdomain files.crosstalk.tech for mine. Finally, click the green ‘Create a Space’ button at the bottom.
Now back to the Mastodon installation wizard. For Space Name, enter the subdomain you just created for your Digital Ocean Space – in my case, it’s files.crosstalk.tech.
For region, you’ll need to input the code for the region that you selected when you created your Digital Ocean Space – I used San Francisco 3, so my code is ‘sfo3.’ If you click on Spaces in the Digital Ocean dashboard, you should be able to see this code in the Spaces URL:
For the space endpoint, it’s going to be the last part of the URL for your Digital Ocean Space – in my case, it’s sfo3.digitaloceanspaces.com.
So far so good…
Next we’re asked about our Space access key – we don’t have one yet, so let’s get it created!
Go back to the Digital Ocean dashboard and click on API towards the bottom of the left-hand menu. Under ‘Spaces access keys,’ click ‘Generate New Key.’
Name it something friendly like ‘Mastodon,’ and then click the check mark to save it – you will now be shown your Key and Secret.
First copy the ‘Key’ (the one on top) and go back to the Mastodon installation wizard and paste it in. SHIFT+INS (or right-click) to paste into PuTTY.
Next, you’ll be asked for your secret key – this is the 2nd key that was generated in the Spaces API section – copy/paste it into that next field.
When asked if you want to access the uploaded files from your own domain, just press ENTER to take the default (Y).
The Domain for Uploaded files should be your Spaces domain – in my case, it’s files.crosstalk.tech (the one that you created the Let’s Encrypt certificate for).
SMTP Server Setup
Next we need to input our SMTP server information. For this tutorial, I’m using SendGrid for sending emails. Creating an account on SendGrid is free, and you can send up to 100 emails per day with the free plan. The next plan up allows you to send 50k emails/month for $19.95.
This tutorial assumes that you already have a SendGrid account, and that it’s already set up – if you haven’t yet set up your SendGrid account, go to the SendGrid Dashboard, click on your username in the top left hand corner, and then choose ‘Setup Guide.’ This will walk you through the initial setup of your sender identity first.
Once that is done, click on the ‘Send your first email’ section and click the ‘Start’ button underneath ‘Integrate using our Web API or SMTP Relay.’
Choose SMTP Relay for the next step.
Next, give your API key a friendly name like Mastodon, and then click ‘Create Key.’
You should now have all of the information you need to finish the SMTP setup of your Mastodon server.
Here is the info you should use if you’re using SendGrid for SMTP:
SMTP Server: smtp.sendgrid.net
SMTP Port: 587
SMTP Username: apikey
SMTP Password: (the Password in yellow above)
SMTP authentication: plain (take the default by pressing ENTER)
SMTP OpenSSL verify mode: peer
E-mail address to send e-mails “from”: (whatever you want, but this should be a valid email to send from).
*** NOTE: Let’s sidetrack for a moment here. By default, the email that Mastodon wants to send ‘From’ is notifications@yourdomain – this is a great email to use since it’s a clear indication that the email is coming from your own Mastodon server. HOWEVER – SendGrid doesn’t just let you send emails from unverified sources, so before you can actually USE this email (and before you can finish the Mastodon server setup), you need to verify that you own the domain you’re trying to send from (in my case, it’s the crosstalk.tech domain).
To verify the domain in SendGrid, click on Settings –> Sender Authentication. Then click ‘Authenticate Your Domain.’ This is going to ask you a few questions – first, which DNS host do you use? In our case, we’re using Digital Ocean, which isn’t in their list – so choose ‘Other’ and then type in Digital Ocean for ‘Which DNS Host?’
For ‘Would you also like to brand the links for this domain? Select Yes and then click ‘Next.’
Then you’re asked which domain you need to authenticate – in my case, it’s crosstalk.tech. Click Next.
Once you click Next, you’re given a list of CNAME records that you need to create in the Digital Ocean DNS settings – these will be used to verify that you actually own, and can make changes to, that domain.
Now we need to go back to Digital Ocean, click on Networking –> Domains –> click your domain.
Then click on the CNAME tab and add all of these records as CNAME records so that they match what is in the table that SendGrid gave you.
Once all of those CNAME records have been added – wait about 1 minute, and then go back to SendGrid and click ‘Verify.’ It should have no issue verifying those CNAME records if everything was done correctly.
If any of the CNAME records do not verify, double-check that they were entered correctly, and then wait another minute before clicking ‘Verify’ again. Sometimes it takes a little bit for the DNS records to propagate.
Back to the Mastodon installation wizard – next you are asked if you want to send a test e-mail – choose Y and then enter an email address to send the test email to.
If all goes well, you should see a message saying that the server is Booting up Mastodon…
Next, the installation wizard will ask us for a username to administer Mastodon – by default, it’s ‘admin,’ but that’s boring. Keep in mind that this username is going to be your first Mastodon user – so if you want this to be YOUR account, make it exactly what you want.
For example, Mastodon usernames are @username@server – if I pick ‘chris’ as my username, I’m going to be @chris@crosstalk.tech.
It will then ask you for an email address to use. When you enter in your email address, a long password is generated – make sure you copy down that password!
The next step is asking for another email address – this is for the EFF Let’s Encrypt notices. They also ask you if you would like to be on their mailing list – the EFF is a great organization that does some incredibly good work – I recommend getting their newsletter so that you can keep up with the latest!
Let’s Encrypt then does its thing, and setup is complete!
Open up your Mastodon server GUI in a web browser! Mine is https://crosstalk.tech. If it isn’t resolving just yet – give it some time! Stupid DNS and stupid propagation.
PRO TIP: If you screwed up any of the information during the Mastodon initial setup wizard, don’t despair! There’s a configuration file for that. You can go edit the /home/mastodon/live/.env.production file and change up any of the answers you gave during the wizard.
Then you simply need to restart the Mastodon services as detailed below.
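Because the wizard’s answers all end up as plain KEY=value lines in that file, a quick sanity check after editing (and before restarting the services) catches the usual slips: a wrong SMTP port, certificate verification accidentally turned off, or object storage enabled without its keys. The script below is an added example for this tutorial, not code from the original page or from the Mastodon project. The variable names are the ones Mastodon’s .env.production uses for SMTP and S3-compatible storage; every value in the sample file is constructed to mirror the answers given in this tutorial.

```shell
#!/bin/sh
# Added example: sanity-check the Mastodon settings the setup wizard writes
# into /home/mastodon/live/.env.production. Not part of the one-click image.

# Read KEY from a dotenv-style file, stripping surrounding double quotes.
env_get() {
  # $1 = file, $2 = key
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Return 0 if the file holds the settings this tutorial expects,
# printing one line per problem otherwise.
check_env() {
  file="$1"
  problems=0

  # Mail relay: STARTTLS on 587 with certificate verification turned on.
  [ "$(env_get "$file" SMTP_PORT)" = "587" ] \
    || { echo "SMTP_PORT should be 587"; problems=$((problems + 1)); }
  [ "$(env_get "$file" SMTP_OPENSSL_VERIFY_MODE)" = "peer" ] \
    || { echo "SMTP_OPENSSL_VERIFY_MODE should be peer"; problems=$((problems + 1)); }
  [ -n "$(env_get "$file" SMTP_PASSWORD)" ] \
    || { echo "SMTP_PASSWORD is empty"; problems=$((problems + 1)); }

  # Object storage: when S3_ENABLED is true the bucket, region and keys must exist.
  if [ "$(env_get "$file" S3_ENABLED)" = "true" ]; then
    for key in S3_BUCKET S3_REGION S3_ENDPOINT AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
      [ -n "$(env_get "$file" "$key")" ] \
        || { echo "$key is required when S3_ENABLED=true"; problems=$((problems + 1)); }
    done
  fi

  # The uploads host (files.<domain>) must not be the instance's own domain.
  if [ "$(env_get "$file" S3_ALIAS_HOST)" = "$(env_get "$file" LOCAL_DOMAIN)" ]; then
    echo "S3_ALIAS_HOST must differ from LOCAL_DOMAIN"; problems=$((problems + 1))
  fi

  [ "$problems" -eq 0 ]
}

# Constructed sample that mirrors the wizard answers used in this tutorial.
# Key and secret values are placeholders, not real credentials.
make_sample_env() {
  cat > "$1" <<'EOF'
LOCAL_DOMAIN=crosstalk.tech
S3_ENABLED=true
S3_BUCKET=files.crosstalk.tech
S3_REGION=sfo3
S3_ENDPOINT=https://sfo3.digitaloceanspaces.com
S3_ALIAS_HOST=files.crosstalk.tech
AWS_ACCESS_KEY_ID=EXAMPLE_SPACES_KEY
AWS_SECRET_ACCESS_KEY=EXAMPLE_SPACES_SECRET
SMTP_SERVER=smtp.sendgrid.net
SMTP_PORT=587
SMTP_LOGIN=apikey
SMTP_PASSWORD=EXAMPLE_SENDGRID_API_KEY
SMTP_AUTH_METHOD=plain
SMTP_OPENSSL_VERIFY_MODE=peer
SMTP_FROM_ADDRESS=notifications@crosstalk.tech
EOF
}

# On the server, as the mastodon user:
#   check_env /home/mastodon/live/.env.production && echo "looks good"
```

Run it before the restart so that a typo surfaces as a clear message rather than as a silent failure to send sign-up emails later.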
My friend Jay over at LearnLinuxTV did his own comprehensive Mastodon install. Where we did a Digital Ocean one-click install, Jay’s tutorial covers a full manual install of Mastodon, which really helps you better understand the nuts and bolts of this installation if you want. One of the items he recommends towards the end of the video is to install the unattended-upgrades package. Our Digital Ocean one-click install includes unattended-upgrades by default, however there are a couple of configuration items we should address as recommended by Jay.
First is to allow the server to automatically reboot when needed (this is triggered by an installation package creating a file called /var/run/reboot-required). Edit the unattended-upgrades configuration file by typing:
sudo nano -w /etc/apt/apt.conf.d/50unattended-upgrades
Now scroll down until you find the line that says // Automatically reboot *WITHOUT CONFIRMATION* if….
You’ll want to uncomment the 3rd line in that section and change the value to “true” as shown in this screenshot:
You’ll also want to uncomment the 3rd line in the next section which will allow the server to reboot even if there are logged in users.
Finally, scroll down to the ‘If automatic reboot is enabled and needed,….’ section and uncomment the last line – this sets the time to reboot the server if a reboot is needed. You can choose to reboot ‘now’ or set a time such as 2am as in the screenshot below.
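The three edits above can also be applied from the command line, which is handy if you run more than one server or rebuild this one from a backup. The script below is an added example for this tutorial, not code from the original page or from LearnLinuxTV: it uncomments and sets the three reboot options in place, leaves every explanatory comment intact, and can be re-run without changing anything further. The option names are the ones the stock 50unattended-upgrades file ships; the 02:00 reboot time matches the example in the text, and the sample file is a constructed copy of the relevant stanzas.

```shell
#!/bin/sh
# Added example: enable automatic reboots in
# /etc/apt/apt.conf.d/50unattended-upgrades without hand-editing the file.
# Not part of the one-click image.

# Uncomment (if needed) and set one option: set_option FILE NAME VALUE
# Matches the line whether or not it still carries the leading // comment.
set_option() {
  file="$1" name="$2" value="$3"
  sed 's|^[[:space:]]*\(//\)*[[:space:]]*Unattended-Upgrade::'"$name"' "[^"]*";|Unattended-Upgrade::'"$name"' "'"$value"'";|' \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The three settings this tutorial asks you to change.
enable_auto_reboot() {
  set_option "$1" Automatic-Reboot true
  set_option "$1" Automatic-Reboot-WithUsers true
  set_option "$1" Automatic-Reboot-Time "02:00"
}

# Print the effective (uncommented) value of one option, for verification.
get_option() {
  sed -n 's|^[[:space:]]*Unattended-Upgrade::'"$2"' "\([^"]*\)";.*|\1|p' "$1" | tail -n 1
}

# Constructed copy of the relevant stanzas from the stock file, for trying this out.
make_sample_config() {
  cat > "$1" <<'EOF'
// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
}

# On the real server (as root, after backing the file up):
#   enable_auto_reboot /etc/apt/apt.conf.d/50unattended-upgrades
#   apt-config dump | grep Automatic-Reboot   # shows the values apt actually sees
```

The apt-config check at the end is the one to trust: it reports what apt parsed, so a stray quote or semicolon shows up there rather than at 2am.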
Another useful tip that Jay over at LearnLinuxTV recommends is to install CrowdSec which is an open source IPS (Intrusion Prevention System). Since this is a public-facing server, we should be vigilant about detecting and rejecting any nefarious attempts to compromise our server.
Type the following into the command line to install the CrowdSec repository:
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
This script should only take 20-30 seconds or so to run. Once the repo has been installed, we can then install CrowdSec:
sudo apt install crowdsec
This will watch the server for intrusion attempts, and will log anything it finds. We should also install the CrowdSec Bouncer which will actually take action against detected attackers.
sudo apt install crowdsec-firewall-bouncer-iptables
You can double-check that these services are running after installation by running:
service crowdsec status
service crowdsec-firewall-bouncer status
You should see a green ‘active (running)’ in the output of both of those commands.
Restarting Mastodon Services
If you ever find a need to restart Mastodon services, you’re reminded how to do so every time you log in via SSH:
Here are those commands listed out for easy copy/paste:
sudo systemctl restart mastodon-web
sudo systemctl restart mastodon-streaming
sudo systemctl restart mastodon-sidekiq
So…uhhh…what now? First Steps After Installation
Let’s talk about first steps after installation and some general server setup stuff. Most of this is going to be entirely up to you how much or how little you want to configure. To configure the general settings, log into Mastodon, and then click on ‘Edit profile’ underneath your username.
Most of the left-hand menu settings are for your Mastodon user – to get to the server settings, click on ‘Administration.’ In the Administration dashboard, you will see some general server statistics about users and topics. Click on ‘Site Settings’ to set up some of the basics.
NOTE: It’s possible that you won’t see the ‘Administration’ menu item when you first log in – I’ve had this happen one time, and it just means that your ‘admin’ user (the one you created towards the end of the Mastodon installation wizard) doesn’t have ‘Owner’ permissions on your server. To fix this, we need to use the CLI to add those permissions – BUT – the CLI tools for Mastodon also don’t seem to work out of the box with the Digital Ocean one-click installation. Here’s how to fix all of that – log into SSH and run the following commands:
apt install ruby ruby-bundler
sudo su mastodon
RAILS_ENV=production /home/mastodon/live/bin/tootctl accounts modify admin --role Owner
Change ‘admin’ in that last command to the user that you want to give Owner permissions. Once you’ve successfully run this command, you should now see the ‘Administration’ menu item in the Mastodon GUI when you click ‘Edit profile.’
Under Site Settings, there are tabs across the top for Branding/About/Registrations/etc. Go through each of these tabs and set up the general information and rules for your server. You can also set your server thumbnail which shows up when users first get to your Mastodon URL.
The ‘About’ tab allows you to write some more in-depth descriptions about your server. Note that these fields can take HTML tags – I had to add a bunch of line breaks in order for the description to show up properly.
The Appearance tab allows you to choose your Mastodon site theme (Light/Dark) and also allows for another thumbnail picture to be uploaded.
Administration –> Server rules are a special set of rules that are displayed on your About page. These are separated on purpose to be very clear. One of the nice things about running your own Mastodon server is that you can set your own rules for who can join and how users can behave. My rules are pretty clear cut, but may change over time as needed.
One annoying thing about these server rules – they are displayed in the order that you write them. I don’t see any way to drag and drop them around, or insert a rule in-between 3 and 4 for instance. You’d basically have to delete and re-create to shuffle them around. These are displayed prominently on the About screen:
Those are the important and most basic rules to set. You can also check out Sidekiq and PgHero for some detailed stats about the server and database performance.
Thanks so much for using this Mastodon Easy Server Setup tutorial! At this point you’re all done, and should have a fully functional Mastodon server. I will update this tutorial with any corrections or changes to the installation instructions when I can.
If you would like to support Crosstalk Solutions, you can BUY ME A BEER HERE! Or check out some of the cool stuff we have in our Crosstalk merch store!