From dfa48a0a4786a83a591bfbd9bd1ca01f4f1ffd29 Mon Sep 17 00:00:00 2001
From: Cassowary
Date: Tue, 3 Oct 2023 17:20:39 -0700
Subject: [PATCH 1/4] Fix multiple issues and work around abra bug.

---
 abra.sh | 20 ++++++++++----------
 compose.yml | 2 ++
 entrypoint.sh.tmpl | 5 +++--
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/abra.sh b/abra.sh
index 7faf109..8d62c3f 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,27 +1,27 @@
 #!/bin/bash
-export ENTRYPOINT_CONF_VERSION=v6
+export ENTRYPOINT_CONF_VERSION=v7
 assets() {
- export OTP_SECRET=$(cat /run/secrets/otp_secret)
- export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
- export DB_PASS=$(cat /run/secrets/db_password)
+ set -x OTP_SECRET $(cat /run/secrets/otp_secret)
+ set -x SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
+ set -x DB_PASS $(cat /run/secrets/db_password)
 RAILS_ENV=production bundle exec rails assets:precompile
 }
 setup() {
- export OTP_SECRET=$(cat /run/secrets/otp_secret)
- export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
- export DB_PASS=$(cat /run/secrets/db_password)
+ set -x OTP_SECRET $(cat /run/secrets/otp_secret)
+ set -x SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
+ set -x DB_PASS $(cat /run/secrets/db_password)
 RAILS_ENV=production bundle exec rake db:setup
 }
 admin() {
- export OTP_SECRET=$(cat /run/secrets/otp_secret)
- export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
- export DB_PASS=$(cat /run/secrets/db_password)
+ set -x OTP_SECRET $(cat /run/secrets/otp_secret)
+ set -x SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
+ set -x DB_PASS $(cat /run/secrets/db_password)
 RAILS_ENV=production bin/tootctl accounts create "$1" --email "$2" --confirmed --role admin
 }
diff --git a/compose.yml b/compose.yml
index 7fcaf91..b2d0030 100644
--- a/compose.yml
+++ b/compose.yml
@@ -45,6 +45,7 @@ services:
 - DB_NAME
 - DB_PORT
 - DB_USER
+ - DB_PASS_FILE=/run/secrets/db_password
 - DEFAULT_LOCALE
 - EMAIL_DOMAIN_ALLOWLIST
 - EMAIL_DOMAIN_DENYLIST
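Review bot: `set -x OTP_SECRET $(cat /run/secrets/otp_secret)` in assets(), setup() and admin() does not assign OTP_SECRET: in bash, `set` with options treats the remaining words as the new positional parameters, so OTP_SECRET, SECRET_KEY_BASE and DB_PASS stay unset while `-x` switches on xtrace, which writes every following command to stderr together with the expanded secret values. In admin() the last `set` line also replaces `$1` and `$2`, so `bin/tootctl accounts create "$1" --email "$2"` receives `DB_PASS` and the database password instead of the username and email. Patch 2/4 (the `set -a` rewrite) has the same problem with allexport in place of xtrace. The subject line mentions an abra bug but the hunk does not say what the `export` form tripped over; the assignment form, quoted, `export OTP_SECRET="$(cat /run/secrets/otp_secret)"`, or reading the secrets through the file_env helper the entrypoint already has, would keep the variables set.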
@@ -67,6 +68,7 @@ services:
 - MAX_SESSION_ACTIVATIONS
 - MAX_TOOT_CHARS
 - OAUTH_REDIRECT_AT_SIGN_IN
+ - OTP_SECRET_FILE=/run/secrets/otp_secret
 - OIDC_AUTH_ENDPOINT
 - OIDC_CLIENT_AUTH_METHOD
 - OIDC_CLIENT_ID
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 57b8ff0..4f218e2 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -23,11 +23,12 @@ file_env() {
 unset "$fileVar"
 }
-export DB_PASS=$(cat /run/secrets/db_password)
-
 # for sidekiq service bundle exec env var threading
 file_env "OTP_SECRET"
 file_env "SECRET_KEY_BASE"
+file_env "DB_PASS"
+file_env "SMTP_PASSWORD"
+file_env "VAPID_PRIVATE_KEY"
 {{ if eq (env "OIDC_ENABLED") "true" }}
 file_env "OIDC_CLIENT_SECRET"

From 673667e2bfaab427478e2732b31bb5365dc39254 Mon Sep 17 00:00:00 2001
From: Cassowary
Date: Tue, 10 Oct 2023 13:02:20 -0700
Subject: [PATCH 2/4] Fix abra.sh to use the correct set -a

---
 abra.sh | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 abra.sh

diff --git a/abra.sh b/abra.sh
old mode 100644
new mode 100755
index 8d62c3f..1f5abb8
--- a/abra.sh
+++ b/abra.sh
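Review bot: `file_env "SMTP_PASSWORD"` and `file_env "VAPID_PRIVATE_KEY"` only take effect if the container environment carries SMTP_PASSWORD_FILE and VAPID_PRIVATE_KEY_FILE, and the compose.yml hunks of this commit add only DB_PASS_FILE and OTP_SECRET_FILE; if the other two are not already listed elsewhere in compose.yml (not visible here), file_env falls back to its default and the services come up with empty SMTP and VAPID secrets instead of failing. Conversely, if DB_PASS is still passed through from .env next to the new DB_PASS_FILE, file_env's exclusivity check aborts the entrypoint. A non-empty check after the calls would turn both cases into a clear failure, e.g. `for v in OTP_SECRET SECRET_KEY_BASE DB_PASS SMTP_PASSWORD VAPID_PRIVATE_KEY; do [ -n "${!v:-}" ] || { echo >&2 "error: $v is not set"; exit 1; }; done`. file_env's definition starts above this hunk; its default and exclusivity behaviour is inferred from the copy patch 3/4 adds to abra.sh, so confirm it matches.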
@@ -3,25 +3,25 @@ export ENTRYPOINT_CONF_VERSION=v7
 assets() {
- set -x OTP_SECRET $(cat /run/secrets/otp_secret)
- set -x SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
- set -x DB_PASS $(cat /run/secrets/db_password)
+ set -a OTP_SECRET $(cat /run/secrets/otp_secret)
+ set -a SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
+ set -a DB_PASS $(cat /run/secrets/db_password)
 RAILS_ENV=production bundle exec rails assets:precompile
 }
 setup() {
- set -x OTP_SECRET $(cat /run/secrets/otp_secret)
- set -x SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
- set -x DB_PASS $(cat /run/secrets/db_password)
+ set -a OTP_SECRET $(cat /run/secrets/otp_secret)
+ set -a SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
+ set -a DB_PASS $(cat /run/secrets/db_password)
 RAILS_ENV=production bundle exec rake db:setup
 }
 admin() {
- set -x OTP_SECRET $(cat /run/secrets/otp_secret)
- set -x SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
- set -x DB_PASS $(cat /run/secrets/db_password)
+ set -a OTP_SECRET $(cat /run/secrets/otp_secret)
+ set -a SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
+ set -a DB_PASS $(cat /run/secrets/db_password)
 RAILS_ENV=production bin/tootctl accounts create "$1" --email "$2" --confirmed --role admin
 }

From d52a8ad9108d4aeb9288327b10198b1ef1a01b1d Mon Sep 17 00:00:00 2001
From: Cassowary
Date: Tue, 10 Oct 2023 14:18:47 -0700
Subject: [PATCH 3/4] Major Improvements to abra.sh

---
 abra.sh | 143 ++++++++++++++++++++++++++++++++++----------------------
 1 file changed, 87 insertions(+), 56 deletions(-)

diff --git a/abra.sh b/abra.sh
index 1f5abb8..73f914d 100755
--- a/abra.sh
+++ b/abra.sh
@@ -2,69 +2,100 @@
 export ENTRYPOINT_CONF_VERSION=v7
-assets() {
- set -a OTP_SECRET $(cat /run/secrets/otp_secret)
- set -a SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
- set -a DB_PASS $(cat /run/secrets/db_password)
- RAILS_ENV=production bundle exec rails assets:precompile
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ declare -x -g "$var"="$val"
+ unset "$fileVar"
 }
-setup() {
- set -a OTP_SECRET $(cat /run/secrets/otp_secret)
- set -a SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
- set -a DB_PASS $(cat /run/secrets/db_password)
+environment() {
+ # for sidekiq service bundle exec env var threading
+ file_env "OTP_SECRET"
+ file_env "SECRET_KEY_BASE"
+ file_env "DB_PASS"
+ file_env "SMTP_PASSWORD"
+ file_env "VAPID_PRIVATE_KEY"
- RAILS_ENV=production bundle exec rake db:setup
+ declare -x RAILS_ENV=production
 }
-admin() {
- set -a OTP_SECRET $(cat /run/secrets/otp_secret)
- set -a SECRET_KEY_BASE $(cat /run/secrets/secret_key_base)
- set -a DB_PASS $(cat /run/secrets/db_password)
- RAILS_ENV=production bin/tootctl accounts create "$1" --email "$2" --confirmed --role admin
+setup_assets() {
+ environment
+ bundle exec rails assets:precompile
 }
-secrets() {
- docker context use default > /dev/null 2>&1
-
- echo "Generating secrets for new Hometown deployment..."
- echo ""
-
- SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
- abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
- echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
- echo ""
-
- OTP_SECRET=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
- abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
- echo "OTP_SECRET = $OTP_SECRET"
- echo ""
-
- docker run \
- -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
- -e OTP_SECRET="$OTP_SECRET" \
- --rm tootsuite/mastodon:v3.4.0 \
- bundle exec rake mastodon:webpush:generate_vapid_key \
- > /tmp/key.txt
-
- VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
- VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
- rm -rf /tmp/key.txt
-
- echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
- echo "!IMPORTANT! you MUST insert this VAPID_PUBLIC_KEY into your app .env config !IMPORTANT!"
- echo ""
-
- abra app secret insert "$APP_NAME" vapid_private_key v1 "$VAPID_PRIVATE_KEY"
- echo "VAPID_PRIVATE_KEY = $VAPID_PRIVATE_KEY"
- echo ""
-
- abra app secret generate "$APP_NAME" db_password v1
- echo ""
-
- echo "don't forget to insert your smtp_password! your deployment won't work without it"
- echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
- echo ""
+setup_db() {
+ environment
+ bundle exec rake db:setup
+}
+
+setup_admin() {
+ environment
+ accounts create "$1" --email "$2" --confirmed --role admin
+}
+
+shell() {
+ environment
+ bash $@
+}
+
+generate_secrets() {
+ ## Run this 'local' to generate secrets
+ docker context use default > /dev/null 2>&1
+
+ echo "Generating secrets for new Hometown deployment..."
+ echo ""
+
+ SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
+ abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
+ echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
+ echo ""
+
+ OTP_SECRET=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
+ abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
+ echo "OTP_SECRET = $OTP_SECRET"
+ echo ""
+
+ docker run \
+ -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
+ -e OTP_SECRET="$OTP_SECRET" \
+ --rm tootsuite/mastodon:v3.4.0 \
+ bundle exec rake mastodon:webpush:generate_vapid_key \
+ > /tmp/key.txt
+
+ VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
+ VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
+ rm -rf /tmp/key.txt
+
+ echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
+ echo "!IMPORTANT! you MUST insert this VAPID_PUBLIC_KEY into your app .env config !IMPORTANT!"
+ echo ""
+
+ abra app secret insert "$APP_NAME" vapid_private_key v1 "$VAPID_PRIVATE_KEY"
+ echo "VAPID_PRIVATE_KEY = $VAPID_PRIVATE_KEY"
+ echo ""
+
+ abra app secret generate "$APP_NAME" db_password v1
+ echo ""
+
+ echo "don't forget to insert your smtp_password! your deployment won't work without it"
+ echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
+ echo ""
 }

From 8921575d11fc7c8da92a1dd7f8545d937b27d731 Mon Sep 17 00:00:00 2001
From: Cassowary
Date: Tue, 10 Oct 2023 14:37:02 -0700
Subject: [PATCH 4/4] More improvements to abra.sh

---
 abra.sh | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/abra.sh b/abra.sh
index 73f914d..cb535e0 100755
--- a/abra.sh
+++ b/abra.sh
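Review bot: setup_admin() runs `accounts create "$1" --email "$2" --confirmed --role admin` without the `bin/tootctl` prefix the removed admin() used, so unless an `accounts` executable exists on PATH inside the container this fails with command-not-found; it should read `bin/tootctl accounts create "$1" --email "$2" --confirmed --role admin`. shell() passes `bash $@` unquoted, so arguments containing spaces or glob characters are re-split before reaching bash; use `bash "$@"`. In generate_secrets() (moved code, otherwise unchanged) the VAPID key pair is written to the fixed, predictable path /tmp/key.txt and every generated secret is echoed to stdout, where it ends up in terminal scrollback and any log that captures the command; a `mktemp` file and printing only VAPID_PUBLIC_KEY would narrow that exposure. Patch 4/4 keeps the same setup_admin and shell lines.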
@@ -35,40 +35,32 @@ environment() {
 declare -x RAILS_ENV=production
 }
-
-setup_assets() {
- environment
- bundle exec rails assets:precompile
-}
-
-setup_db() {
- environment
- bundle exec rake db:setup
-}
-
 setup_admin() {
+ ## Create an admin user
 environment
 accounts create "$1" --email "$2" --confirmed --role admin
 }
 shell() {
+ ## Run a shell with proper environment
 environment
 bash $@
 }
 generate_secrets() {
- ## Run this 'local' to generate secrets
+ ## Run `abra app cmd -l generate_secrets` to use Docker to generate secrets you'll need to deploy
+ ## your new instance (and create the secrets on target app).
 docker context use default > /dev/null 2>&1
 echo "Generating secrets for new Hometown deployment..."
 echo ""
- SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
+ SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
 abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
 echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
 echo ""
- OTP_SECRET=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
+ OTP_SECRET=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
 abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
 echo "OTP_SECRET = $OTP_SECRET"
 echo ""
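Review bot: The new `## Create an admin user` comment on setup_admin() does not say what the two positional parameters are, and the function never checks that it received them, so a bare `setup_admin` call runs the create command with empty username and email; suggest `## Create an admin user: setup_admin USERNAME EMAIL` plus a guard such as `[ $# -eq 2 ] || { echo >&2 "usage: setup_admin USERNAME EMAIL"; exit 1; }` before `environment`. The new comment on generate_secrets() could also state that it runs on the operator's machine rather than in the container (it calls `docker context use default` and `abra app secret insert`) and that the generated values are printed to the terminal. The `accounts create` and `bash $@` lines in this hunk are context carried over from patch 3/4, where they are discussed.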