This is what you need to run your own Loomio server.
It will run all Loomio services on a single host via docker and docker compose, complete with an SSL certificate via letsencrypt.
If you just want a local install of Loomio for development, see Setting up a Loomio development environment.
-
Root access to a server, on a public IP address, running Ubuntu with at least 1GB RAM (2GB recommended).
-
A domain name
-
An SMTP server
For this example, the hostname will be loomio.example.com and the IP address is 192.0.2.1
To allow people to access the site via your hostname you need an A record:
A loomio.example.com, 192.0.2.1
Loomio supports "Reply by email" and to enable this you need an MX record so mail servers know where to direct these emails.
MX loomio.example.com, loomio.example.com, priority 0
Additionally, create two CNAME records that point to loomio.example.com.
CNAME channels.loomio.example.com, loomio.example.com
CNAME hocuspocus.loomio.example.com, loomio.example.com
To login to the server, open a terminal window and type:
ssh -A root@loomio.example.comThese steps to install docker are copied from docs.docker.com
apt-get update
apt-get install -y ca-certificates curl gnupg
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
"$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-pluginThis is the place where all the configuration for your Loomio services will live. In this step you make a copy of this repo, so that you can modify the settings to work for your particular setup.
As root on your server, clone this repo:
git clone https://github.com/loomio/loomio-deploy.git
cd loomio-deployThe commands below assume your working directory is this repo, on your server.
There are some simple scripts within this repo to help you configure your server.
This script will create and mount a 4GB swapfile. If you have less than 2GB RAM on your server then this step is required.
./scripts/create_swapfileBy default, docker-compose.yml includes an nginx proxy container that automatically handles fetching an SSL certificate via LetsEncrypt.org. If you don't need SSL termination, or you're running Loomio from behind a proxy, you can safely remove the nginx services from the docker-compose.yml file. The loomio app container will happily speak plain HTTP on port 3000 (by default). Configuring reverse proxies and other advanced configurations are outside the scope of this documentation, but at minimum it's suggested to preserve the HTTP host header and to set X-FORWARDED-PROTO if terminating SSL upstream.
This script creates env files configured for you. It also creates directories on the host to hold user data.
When you run this, remember to change loomio.example.com to your hostname, and give your contact email address, so you can recover your SSL keys later if required.
./scripts/create_env loomio.example.com you@contact.emailNow have a look inside the files:
cat .envThe default environment file isn't configured for OAuth2 authentication out of the box. In order to enable it, there are several environment variables that need to be set to appropriate values:
OAUTH_AUTH_URLis used to specify the auth endpoint, for examplehttps://sso.yourdomain.com/realms/YourRealm/protocol/openid-connect/auth.OAUTH_TOKEN_URLis used to specify the token endpoint, for examplehttps://sso.yourdomain.com/realms/YourRealm/protocol/openid-connect/token.OAUTH_PROFILE_URLis used to fetch the user's profile data, for examplehttps://sso.yourdomain.com/realms/YourRealm/protocol/openid-connect/userinfo.OAUTH_SCOPEis the list of scopes passed in the auth request, for exampleopenid email profile.OAUTH_APP_KEYis what OIDC refers to as the Client ID. For example,loomio.OAUTH_APP_SECRETis what OIDC refers to as the Client Secret. It's a long string of letters and numbers and other characters.OAUTH_ATTR_UIDspecifies which user profile field is used for Loomio's internal unique identifier for this user. For example,email.OAUTH_ATTR_NAMEspecifies which user profile field is used for Loomio's displayed name, for examplename.OAUTH_ATTR_EMAILspecifies which user profile field is used for the Loomio account email address, for exampleemail.OAUTH_LOGIN_PROVIDER_NAMEis the label used for the SSO login button. The user will see this value when they're prompted to log in using SSO. For example,Your Domain SSO.
For the ATTR variables, if you're not sure what your OAuth provider is returning, you can attempt a login and check the Loomio logs to see the response.
If you do not wish to allow users to create non-SSO accounts, you should also use FEATURES_DISABLE_EMAIL_LOGIN=1 to disable non-SSO logins.
The default environment file isn't configured for SAML authentication out of the box. In order to enable it, there are several environment variables that need to be set to appropriate values:
SAML_IDP_METADATA_URLis used to specify the metadata endpoint, for examplehttps://sso.yourdomain.com/realms/YourRealm/protocol/saml/descriptor. This setting is ignored ifSAML_IDP_METADATAis set.SAML_IDP_METADATAis used to directly specify the SAML configuration rather than fetching it from a URL. Useful if you don't want to hammer your SAML provider for this data, but not recommended for general use.SAML_ISSUERis occasionally useful if you need to override the issuer value.SAML_LOGIN_PROVIDER_NAMEis the label used for the SSO login button. The user will see this value when they're prompted to log in using SSO. For example,Your Domain SSO.
Attribute mapping is not supported for SAML.
If you do not wish to allow users to create non-SSO accounts, you should also use FEATURES_DISABLE_EMAIL_LOGIN=1 to disable non-SSO logins.
You need to bring your own SMTP server for Loomio to send emails.
If you already have an SMTP server, that's great, put the settings into the env file.
For everyone else here are some options to consider:
-
Look at the (sometimes free) services offered by SendGrid, SparkPost, Mailgun, Mailjet.
-
Setup your own SMTP server with something like Haraka
Edit the .env file and enter the right SMTP settings for your setup.
You might also need to add an SPF DNS record to indicate that the SMTP can send mail for your domain.
This command initializes a new database for your Loomio instance to use.
docker compose up -d db
docker compose run app rake db:setup
Doing this tells the server what regular tasks it needs to run. These tasks include:
- Noticing which proposals are closing in 24 hours and notifying users.
- Closing proposals and notifying users they have closed.
- Sending "Yesterday on Loomio", a digest of activity users have not already read. This is sent to users at 6am in their local timezone.
Run crontab -e and append the following line:
0 * * * * /usr/bin/docker exec loomio-worker bundle exec rake loomio:hourly_tasks > ~/rake.log 2>&1
This command starts the database, application, reply-by-email, and live-update services all at once.
docker compose up -d
Give it a minute to start, then visit your URL while crossing your fingers!
If you visit the url with your browser and the rails server is not yet running, but nginx is, you'll see a "503 bad gateway" error message.
You'll want to see the logs as it all starts, run the following command:
docker compose logs -f
visit your hostname in your browser.
Once you have signed in (and confirmed your email), grant yourself admin rights
docker compose run app rails c
User.last.update(is_admin: true)
you can now access the admin interface at https://loomio.example.com/admin
To see system error messages as they happen run docker compose logs -f and make a request against the server.
If you want to be notified of system errors you could setup Sentry and add it to the env.
Confirm env settings are correct.
After you change your env files you need to restart the system:
docker compose down
docker compose up -dTo update Loomio to the latest stable version just run the update script.
./scripts/updateTo login to your running rails app console:
docker compose run app rails cA PostgreSQL shell to inspect the database:
docker exec -ti loomio-db su - postgres -c 'psql loomio_production'The default docker-compose.yml includes automatic backups with prodrigestivill/docker-postgres-backup-local, however, you'll need to run mkdir -p pgdumps && chown -R 999:999 pgdumps to set the correct permissions for this to work.
You can test that the automatic backup permissions are correct with this command:
docker run --rm -v "$PWD:/backups" -u "$(id -u):$(id -g)" --network=loomio-deploy_main -e POSTGRES_HOST=db -e POSTGRES_DB=loomio_production -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=password prodrigestivill/postgres-backup-local /backup.sh
However, sometimes you just want to make or restore an SQL snapshot directly.
Dump SQL
docker exec -ti loomio-db su - postgres -c 'pg_dump -c loomio_production' > loomio_production.sql
Restore SQL
cat loomio_production.sql | docker exec -i loomio-db su - postgres -c 'psql loomio_production'
Please upgrade through the following versions. You need to edit .env and change LOOMIO_CONTAINER_TAG to each version, then run ./scripts/update. When the migrations have completed, apply the next tag and repeat.
- v2.4.2
- v2.8.8
- v2.11.13
- v2.15.4
- v2.17.1