From 64b237743f2cc5814b4c3be23cd0815044a877b6 Mon Sep 17 00:00:00 2001
From: Cassowary
Date: Thu, 4 Jul 2024 18:12:36 -0700
Subject: [PATCH] Update secrets collection for latest mastodon

---
 .env.sample | 3 +++
 abra.sh | 4 +++-
 compose.yml | 22 +++++++++++++++++++---
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/.env.sample b/.env.sample
index 684aac2..ce9aeb5 100644
--- a/.env.sample
+++ b/.env.sample
@@ -77,6 +77,9 @@ SECRET_OTP_SECRET_VERSION=v1
 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SMTP_PASSWORD_VERSION=v1
+SECRET_ACTIVE_REC_DET_KEY_VERSION=v1
+SECRET_ACTIVE_REC_SALT_VERSION=v1
+SECRET_ACTIVE_REC_PRIM_KEY_VERSION=v1
 
 # Web Push
 # ========
diff --git a/abra.sh b/abra.sh
index 19d8e43..bf1505f 100755
--- a/abra.sh
+++ b/abra.sh
@@ -68,7 +68,7 @@ generate_secrets() {
 docker run \
 -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
 -e OTP_SECRET="$OTP_SECRET" \
- --rm tootsuite/mastodon:v3.4.0 \
+ --rm tootsuite/mastodon:latest \
 bundle exec rake mastodon:webpush:generate_vapid_key \
 > /tmp/key.txt
 
@@ -90,4 +90,6 @@ generate_secrets() {
 echo "don't forget to insert your smtp_password! your deployment won't work without it"
 echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
 echo ""
+
+ echo "FIXME need to generate the ACTIVE_RECORD keys too with bin/rails db:encryption:init"
 }
diff --git a/compose.yml b/compose.yml
index 0283f93..89690c7 100644
--- a/compose.yml
+++ b/compose.yml
@@ -24,8 +24,8 @@ services:
 - source: entrypoint_sh
 target: /usr/local/bin/entrypoint.sh
 mode: 0555
- entrypoint: &entrypoint /usr/local/bin/entrypoint.sh
- # entrypoint: &entrypoint ['tail', '-f', '/dev/null']
+ # entrypoint: &entrypoint /usr/local/bin/entrypoint.sh
+ entrypoint: &entrypoint ['tail', '-f', '/dev/null']
 volumes: &appVolume
 - app:/opt/mastodon/public/system
 #healthcheck:
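Review bot: The new `--rm tootsuite/mastodon:latest \` line makes secret generation depend on whichever image is tagged `latest` at the moment the operator runs it, so the rake task is neither reproducible nor verifiable and can silently change behaviour between two installs. Pin it to a fixed version tag, ideally the same release the stack deploys, e.g. `--rm tootsuite/mastodon:<pinned-version> \` (placeholder), or reference the image by digest if the tooling supports it. The generate_secrets() function starts and ends outside this hunk.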
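Review bot: The added `echo "FIXME need to generate the ACTIVE_RECORD keys too with bin/rails db:encryption:init"` leaves generate_secrets() producing none of the three secrets that compose.yml in this same commit declares as `external: true`, so a fresh deploy will fail at stack creation until they are inserted by hand, and the message does not name the secrets or the insert command that the smtp_password lines just above demonstrate. At minimum mirror that hint for each name: `echo "run \"abra app secret insert $APP_NAME active_rec_prim_key v1 YOURKEY\""`, and likewise for active_rec_det_key and active_rec_salt. Better still, generate them here the way the VAPID key is generated earlier in the function (a `docker run` of the pinned image running `bin/rails db:encryption:init` and parsing its output), because these keys encrypt stored data and losing or inconsistently regenerating them makes existing ciphertext unreadable. The function body begins outside this hunk.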
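Review bot: The swap on the two `entrypoint:` lines leaves the app service running `tail -f /dev/null` instead of `/usr/local/bin/entrypoint.sh`, which reads like a local debugging toggle unrelated to the commit subject; with it the container stays up but no Mastodon process starts, and whatever secret-file handling entrypoint.sh performs never runs, so the new `_FILE` variables added later in this file are never consumed. Restore `entrypoint: &entrypoint /usr/local/bin/entrypoint.sh` and either drop the tail line or keep it commented out as before. The enclosing `services:` mapping continues outside this hunk.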
@@ -38,7 +38,10 @@ services:
 - secret_key_base
 - smtp_password
 - vapid_private_key
- environment: &env
+ - active_rec_det_key
+ - active_rec_salt
+ - active_rec_prim_key
+ environment: &env
 - ALLOW_ACCESS_TO_HIDDEN_SERVICE
 - ALTERNATE_DOMAINS
 - AUTHORIZED_FETCH
@@ -161,6 +164,10 @@ services:
 - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
 - VAPID_PUBLIC_KEY
 - WEB_DOMAIN
+ - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_FILE=/run/secrets/active_rec_det_key
+ - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_FILE=/run/secrets/active_rec_salt
+ - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_FILE=/run/secrets/active_rec_key
+
 streaming:
 image: yakumosaki/glitch-soc:latest
 command: node ./streaming
@@ -249,6 +256,15 @@ secrets:
 smtp_password:
 name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
 external: true
+ active_rec_det_key:
+ name: ${STACK_NAME}_active_rec_det_key_${SECRET_ACTIVE_REC_DET_KEY_VERSION}
+ external: true
+ active_rec_salt:
+ name: ${STACK_NAME}_active_rec_salt_${SECRET_ACTIVE_REC_SALT_VERSION}
+ external: true
+ active_rec_prim_key:
+ name: ${STACK_NAME}_active_rec_prim_key_${SECRET_ACTIVE_REC_PRIM_KEY_VERSION}
+ external: true
 
 volumes:
 app:
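Review bot: `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_FILE=/run/secrets/active_rec_key` points at a secret that is never defined — the service's `secrets:` list and the top-level `secrets:` block in this commit both name it `active_rec_prim_key`, so the mounted path will be `/run/secrets/active_rec_prim_key` and the primary key will be missing at runtime while the other two keys are present. Change the line to `- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_FILE=/run/secrets/active_rec_prim_key`. The `_FILE` suffix is presumably resolved by the custom entrypoint.sh mounted from the `entrypoint_sh` config rather than by Rails itself; if that script unwraps an explicit list of variables, these three need adding there too, otherwise the application sees only a path string. The enclosing `environment:` list continues outside this hunk.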