I recently spent some time getting snac2 running on my OpenBSD infrastructure. For those unfamiliar, it is a simple, minimalistic, and remarkably efficient ActivityPub instance written in C. It is a fantastic fit for the OpenBSD philosophy, as it plays nicely with native security features like pledge(2) and unveil(2).
If you are looking for a way to join the fediverse without the heavy resource footprint of larger platforms, this is a solid choice.
1. Get the Port
I have established a personal repository to manage my custom ports. You can find the snac2 port here:
- Repository: https://gitlab.com/oneguynick/openbsd-ports
To begin, clone the repo and move the www/snac2 directory into your local ports tree, typically located at /usr/ports/mystuff/.
2. Initialisation and Directory Setup
The snac binary is quite particular about its base of operations. It will only initialise if the target directory does not exist yet, so we have to coordinate our steps carefully.
- Run the initialisation command:
  doas snac init /var/snac
- Follow the prompts to configure your domain (in my case, treffen.geekyschmidt.com) and network settings.
- Once the directory is created, ensure the ownership is transferred to the service account:
  doas chown -R _snac:_snac /var/snac
- Secure the sector by locking down permissions:
  doas chmod 750 /var/snac
3. Administrative Setup
To make managing the service less of a chore, I recommend adding an entry to your /etc/doas.conf. This allows you to manage the operative without being prompted for a password every time you need to jump to the service account. The rule covers any command run as _snac, and only that target account:
permit nopass <your_user> as _snac
4. Create Your User
With the headquarters established, you can now add your own account to the instance:
doas -u _snac snac adduser /var/snac <username>
- Make sure you document the generated password immediately. It is the only key you will have for that first login.
5. Networking: The Reverse Proxy Pincer
Because snac2 is a standalone daemon and does not natively speak FastCGI, I used a combination of relayd and httpd to manage traffic.
- httpd: Handles the acme-client challenges and standardises the HTTPS redirects on port 80.
- relayd: Acts as the “brain,” handling TLS termination on port 443 and forwarding traffic to the snac service listening on port 8001.
This configuration allows you to maintain clean certificates while keeping the application binary isolated from the public-facing port.
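A minimal sketch of the httpd and relayd split described above, added here as an example and not taken from my running configuration files. The listen address 203.0.113.10 is a placeholder, snac is assumed to be bound to 127.0.0.1 (only the port, 8001, is fixed above), and the certificate paths are assumed to be the ones acme-client is configured to write.

```conf
# /etc/httpd.conf -- port 80 only: ACME challenges plus the HTTPS redirect
server "treffen.geekyschmidt.com" {
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location * {
		block return 301 "https://$HTTP_HOST$REQUEST_URI"
	}
}

# /etc/relayd.conf -- TLS termination on 443, plain HTTP to snac on 8001
ext_addr="203.0.113.10"		# placeholder: this host's public address
table <snac> { 127.0.0.1 }	# assumption: snac listens on loopback only

http protocol "https" {
	# Loads /etc/ssl/treffen.geekyschmidt.com.crt and
	# /etc/ssl/private/treffen.geekyschmidt.com.key (assumed output
	# paths for acme-client).
	tls keypair "treffen.geekyschmidt.com"

	# Replace any client-supplied X-Forwarded-For with the real peer
	# address, so the backend never sees a spoofed value.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
}

relay "fediverse" {
	listen on $ext_addr port 443 tls
	protocol "https"
	forward to <snac> port 8001
}
```

Both daemons can check their configuration before a reload with the -n flag (httpd -n, relayd -n).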
6. Persistence and Final Deployment
The port includes an RC script to ensure the service remains at its post following a system reboot.
- Enable the service:
  doas rcctl enable snac2
- Start the service:
  doas rcctl start snac2
Final Thoughts
This setup provides a highly defensible, low-overhead position in the fediverse. It is a great alternative for anyone who finds the standard ActivityPub implementations a bit too bloated for their liking.
Hopefully, this provides some useful food for thought, or at least a light… snac. <ZING!>