Update secrets collection for latest mastodon

2024-07-04 18:12:36 -07:00 · 2024-07-04 18:12:36 -07:00 · 64b237743f
commit 64b237743f
parent cf744e2266
3 changed files with 25 additions and 4 deletions
--- a/.env.sample
+++ b/.env.sample
@ -77,6 +77,9 @@ SECRET_OTP_SECRET_VERSION=v1
 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SMTP_PASSWORD_VERSION=v1
+SECRET_ACTIVE_REC_DET_KEY_VERSION=v1
+SECRET_ACTIVE_REC_SALT_VERSION=v1
+SECRET_ACTIVE_REC_PRIM_KEY_VERSION=v1

 # Web Push
 # ========
--- a/abra.sh
+++ b/abra.sh
@ -68,7 +68,7 @@ generate_secrets() {
    docker run \
           -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
           -e OTP_SECRET="$OTP_SECRET" \
-           --rm tootsuite/mastodon:v3.4.0 \
+           --rm tootsuite/mastodon:latest \
           bundle exec rake mastodon:webpush:generate_vapid_key \
           > /tmp/key.txt

@ -90,4 +90,6 @@ generate_secrets() {
    echo "don't forget to insert your smtp_password! your deployment won't work without it"
    echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
    echo ""
+
+    echo "FIXME need to generate the ACTIVE_RECORD keys too with bin/rails db:encryption:init"
 }
--- a/compose.yml
+++ b/compose.yml
@ -24,8 +24,8 @@ services:
      - source: entrypoint_sh
        target: /usr/local/bin/entrypoint.sh
        mode: 0555
-    entrypoint: &entrypoint /usr/local/bin/entrypoint.sh
-    # entrypoint: &entrypoint ['tail', '-f', '/dev/null']
+    # entrypoint: &entrypoint /usr/local/bin/entrypoint.sh
+    entrypoint: &entrypoint ['tail', '-f', '/dev/null']
    volumes: &appVolume
      - app:/opt/mastodon/public/system
    #healthcheck:
@ -38,6 +38,9 @@ services:
      - secret_key_base
      - smtp_password
      - vapid_private_key
+      - active_rec_det_key
+      - active_rec_salt
+      - active_rec_prim_key
      environment: &env
      - ALLOW_ACCESS_TO_HIDDEN_SERVICE
      - ALTERNATE_DOMAINS
@ -161,6 +164,10 @@ services:
      - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
      - VAPID_PUBLIC_KEY
      - WEB_DOMAIN
+      - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_FILE=/run/secrets/active_rec_det_key
+      - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_FILE=/run/secrets/active_rec_salt
+      - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_FILE=/run/secrets/active_rec_key
+
  streaming:
    image: yakumosaki/glitch-soc:latest
    command: node ./streaming
@ -249,6 +256,15 @@ secrets:
  smtp_password:
    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
    external: true
+  active_rec_det_key:
+   name: ${STACK_NAME}_active_rec_det_key_${SECRET_ACTIVE_REC_DET_KEY_VERSION}
+   external: true
+  active_rec_salt:
+    name: ${STACK_NAME}_active_rec_salt_${SECRET_ACTIVE_REC_SALT_VERSION}
+    external: true
+  active_rec_prim_key:
+    name: ${STACK_NAME}_active_rec_prim_key_${SECRET_ACTIVE_REC_PRIM_KEY_VERSION}
+    external: true

 volumes:
  app: