More improvements to abra.sh

.env.sample

@@ -61,7 +61,7 @@ REDIS_PORT=6379
 
 # ElasticSearch
 # --------------------------------------
-#COMPOSE_FILE="$COMPOSE_FILE:compose.elasticsearch.yml"
+ES_ENABLED=true
 ES_HOST=es
 ES_PORT=9200
 
@@ -77,7 +77,6 @@ SECRET_OTP_SECRET_VERSION=v1
 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SMTP_PASSWORD_VERSION=v1
-SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1
 
 # Web Push
 # ========
@@ -119,7 +118,7 @@ DEFAULT_LOCALE=en
 
 # S3 and AWS
 # ----------
-#COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
+# S3_ENABLED=
 # S3_BUCKET=
 # AWS_ACCESS_KEY_ID=
 # AWS_SECRET_ACCESS_KEY=

abra.sh

@@ -1,70 +1,93 @@
 #!/bin/bash
 
-export ENTRYPOINT_CONF_VERSION=v6
+export ENTRYPOINT_CONF_VERSION=v7
 
-assets() {
-  export OTP_SECRET=$(cat /run/secrets/otp_secret)
-  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
-  export DB_PASS=$(cat /run/secrets/db_password)
 
-  RAILS_ENV=production bundle exec rails assets:precompile
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  declare -x -g "$var"="$val"
+  unset "$fileVar"
 }
 
-setup() {
-  export OTP_SECRET=$(cat /run/secrets/otp_secret)
-  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
-  export DB_PASS=$(cat /run/secrets/db_password)
+environment() {
+    # for sidekiq service bundle exec env var threading
+    file_env "OTP_SECRET"
+    file_env "SECRET_KEY_BASE"
+    file_env "DB_PASS"
+    file_env "SMTP_PASSWORD"
+    file_env "VAPID_PRIVATE_KEY"
 
-  RAILS_ENV=production bundle exec rake db:setup
+    declare -x RAILS_ENV=production
 }
 
-admin() {
-  export OTP_SECRET=$(cat /run/secrets/otp_secret)
-  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
-  export DB_PASS=$(cat /run/secrets/db_password)
-
-  RAILS_ENV=production bin/tootctl accounts create "$1" --email "$2" --confirmed --role admin
+setup_admin() {
+    ## Create an admin user
+    environment
+    accounts create "$1" --email "$2" --confirmed --role admin
 }
 
-secrets() {
-  docker context use default > /dev/null 2>&1
-
-  echo "Generating secrets for new Hometown deployment..."
-  echo ""
-
-  SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
-  abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
-  echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
-  echo ""
-
-  OTP_SECRET=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
-  abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
-  echo "OTP_SECRET = $OTP_SECRET"
-  echo ""
-
-  docker run \
-    -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
-    -e OTP_SECRET="$OTP_SECRET" \
-    --rm tootsuite/mastodon:v3.4.0 \
-    bundle exec rake mastodon:webpush:generate_vapid_key \
-    > /tmp/key.txt
-
-  VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
-  VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
-  rm -rf /tmp/key.txt
-
-  echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
-  echo "!IMPORTANT! you MUST insert this VAPID_PUBLIC_KEY into your app .env config !IMPORTANT!"
-  echo ""
-
-  abra app secret insert "$APP_NAME" vapid_private_key v1 "$VAPID_PRIVATE_KEY"
-  echo "VAPID_PRIVATE_KEY = $VAPID_PRIVATE_KEY"
-  echo ""
-
-  abra app secret generate "$APP_NAME" db_password v1
-  echo ""
-
-  echo "don't forget to insert your smtp_password! your deployment won't work without it"
-  echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
-  echo ""
+shell() {
+    ## Run a shell with proper environment
+    environment
+    bash $@
+}
+
+generate_secrets() {
+    ## Run `abra app cmd -l <yourdomain> generate_secrets` to use Docker to generate secrets you'll need to deploy
+    ## your new instance (and create the secrets on target app).
+    docker context use default > /dev/null 2>&1
+
+    echo "Generating secrets for new Hometown deployment..."
+    echo ""
+
+    SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
+    abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
+    echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
+    echo ""
+
+    OTP_SECRET=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
+    abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
+    echo "OTP_SECRET = $OTP_SECRET"
+    echo ""
+
+    docker run \
+           -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
+           -e OTP_SECRET="$OTP_SECRET" \
+           --rm tootsuite/mastodon:v3.4.0 \
+           bundle exec rake mastodon:webpush:generate_vapid_key \
+           > /tmp/key.txt
+
+    VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
+    VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
+    rm -rf /tmp/key.txt
+
+    echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
+    echo "!IMPORTANT! you MUST insert this VAPID_PUBLIC_KEY into your app .env config !IMPORTANT!"
+    echo ""
+
+    abra app secret insert "$APP_NAME" vapid_private_key v1 "$VAPID_PRIVATE_KEY"
+    echo "VAPID_PRIVATE_KEY = $VAPID_PRIVATE_KEY"
+    echo ""
+
+    abra app secret generate "$APP_NAME" db_password v1
+    echo ""
+
+    echo "don't forget to insert your smtp_password! your deployment won't work without it"
+    echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
+    echo ""
 }

compose.elasticsearch.yml

@@ -1,15 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    environment: &es-env
-      - ES_ENABLED=true
-      - ES_HOST
-      - ES_PORT
-
-  streaming:
-    environment: *es-env
-
-  sidekiq:
-    environment: *es-env

compose.s3.yml

@@ -1,33 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    environment: &s3-env
-      - S3_ENABLED=true
-      - AWS_ACCESS_KEY_ID
-      - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key
-      - S3_BUCKET
-      - S3_REGION
-      - S3_PROTOCOL
-      - S3_HOSTNAME
-      - S3_ENDPOINT
-      - S3_SIGNATURE_VERSION
-      - S3_OVERRIDE_PATH_STYLE
-      - S3_OPEN_TIMEOUT
-      - S3_READ_TIMEOUT
-    secrets: &s3-secrets
-      - aws_secret_access_key
-
-  streaming:
-    environment: *s3-env
-    secrets: *s3-secrets
-
-  sidekiq:
-    environment: *s3-env
-    secrets: *s3-secrets
-
-secrets:
-  aws_secret_access_key:
-    name: ${STACK_NAME}_aws_secret_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
-    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.6-hometown-1.1.1
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v3.5.10-hometown-1.0.8
     command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
     networks: &bothNetworks
       - proxy
@@ -19,7 +19,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=1.0.0+v4.0.6-hometown-1.1.1"
+        - "coop-cloud.${STACK_NAME}.version=0.2.3+v3.5.10-hometown-1.0.8"
     configs: &configs
       - source: entrypoint_sh
         target: /usr/local/bin/entrypoint.sh
@@ -45,9 +45,13 @@ services:
       - DB_NAME
       - DB_PORT
       - DB_USER
+      - DB_PASS_FILE=/run/secrets/db_password
       - DEFAULT_LOCALE
       - EMAIL_DOMAIN_ALLOWLIST
       - EMAIL_DOMAIN_DENYLIST
+      - ES_ENABLED
+      - ES_HOST
+      - ES_PORT
       - LDAP_BASE
       - LDAP_BIND_DN
       - LDAP_ENABLED
@@ -64,6 +68,7 @@ services:
       - MAX_SESSION_ACTIVATIONS
       - MAX_TOOT_CHARS
       - OAUTH_REDIRECT_AT_SIGN_IN
+      - OTP_SECRET_FILE=/run/secrets/otp_secret
       - OIDC_AUTH_ENDPOINT
       - OIDC_CLIENT_AUTH_METHOD
       - OIDC_CLIENT_ID
@@ -117,6 +122,7 @@ services:
       - SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
       - SAML_SECURITY_WANT_ASSERTION_SIGNED
       - SAML_UID_ATTRIBUTE
+      - SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
       - SINGLE_USER_MODE
       - SMTP_AUTH_METHOD
       - SMTP_CA_FILE
@@ -139,7 +145,7 @@ services:
       - WEB_DOMAIN
 
   streaming:
-    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.6-hometown-1.1.1
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v3.5.10-hometown-1.0.8
     command: node ./streaming
     configs: *configs
     entrypoint: *entrypoint
@@ -160,7 +166,7 @@ services:
     volumes: *appVolume # used to make sure this volume is created
 
   sidekiq:
-    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.6-hometown-1.1.1
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v3.5.10-hometown-1.0.8
     secrets: *secrets
     command: bundle exec sidekiq
     configs: *configs

entrypoint.sh.tmpl

@@ -23,14 +23,12 @@ file_env() {
   unset "$fileVar"
 }
 
-export DB_PASS=$(cat /run/secrets/db_password)
-
 # for sidekiq service bundle exec env var threading
 file_env "OTP_SECRET"
 file_env "SECRET_KEY_BASE"
+file_env "DB_PASS"
 file_env "SMTP_PASSWORD"
 file_env "VAPID_PRIVATE_KEY"
-file_env "AWS_SECRET_ACCESS_KEY"
 
 {{ if eq (env "OIDC_ENABLED") "true" }}
 file_env "OIDC_CLIENT_SECRET"

release/1.0.0+v4.0.6-hometown-1.1.1

@@ -1,11 +0,0 @@
-Mastodon 4 requires running pre- and post-deployment migrations, something like
-
-```
-abra app run your.app.domain app bash -c "SKIP_POST_DEPLOYMENT_MIGRATIONS=true rails db:migrate"
-abra app restart your.app.domain app
-abra app restart your.app.domain streaming
-abra app restart your.app.domain sidekiq
-abra app run your.app.domain app rails db:migrate
-```
-
-See the full release notes for details: https://github.com/mastodon/mastodon/releases/tag/v4.0.0