Fix elasticsearch filename

It gets enabled by include compose.s3.yml

.drone.yml

@@ -3,10 +3,13 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: mastodon
+      generate_secrets: true
+      networks:
+       - proxy
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
@@ -14,16 +17,28 @@ steps:
       DOMAIN: mastodon.swarm-test.autonomic.zone
       STACK_NAME: mastodon
       LETS_ENCRYPT_ENV: production
+      ENTRYPOINT_CONF_VERSION: v1
+      SECRET_SECRET_KEY_BASE_VERSION: v1
+      SECRET_OTP_SECRET_VERSION: v1
+      SECRET_VAPID_PRIVATE_KEY_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_SMTP_PASSWORD_VERSION: v1
 trigger:
   branch:
     - main
 ---
 kind: pipeline
-name: recipe release
+name: generate recipe catalogue
 steps:
   - name: release a new version
-    image: thecoopcloud/drone-abra:latest
+    image: plugins/downstream
     settings:
-      command: recipe hometown release
-      deploy_key:
-        from_secret: abra_bot_deploy_key
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -201,8 +201,3 @@ DEFAULT_LOCALE=en
 # OIDC_END_SESSION_ENDPOINT=
 # OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=
 # SECRET_OIDC_CLIENT_SECRET_VERSION=v1
-
-# Hidden services (Not Supported)
-# ===============================
-# http_proxy=  # yes, this should be lowercase
-# ALLOW_ACCESS_TO_HIDDEN_SERVICE=

README.md

@@ -1,77 +1,35 @@
 # Hometown
 
-A supported fork of Mastodon that provides local posting and a wider range of content types.
+> A supported fork of Mastodon that provides local posting and a wider range of content types.
 
-This repository is a copy of [coop-cloud/mastodon](https://git.autonomic.zone/coop-cloud/mastodon) but with a fresh README and some Hometown specific configuration. It seems like a good idea to keep the deployment separate since the apps may diverge in their deployment or configuration instructions at some point despite best wishes to remain as mainline Mastodon as possible.
+The configuration aims to stay as close as possible to [coop-cloud/mastodon](https://git.autonomic.zone/coop-cloud/mastodon).
+At some point, ideally, we could merge them. We don't have enough folks running
+both Mastodon & Hometown to understand if that is a good idea right now. To be
+discussed.
 
 <!-- metadata -->
 
 * **Category**: Apps
-* **Status**:
+* **Status**: 1
 * **Image**: [`decentral1se/hometown`](https://hub.docker.com/r/decentral1se/hometown)
-* **Healthcheck**:
-* **Backups**:
-* **Email**:
-* **Tests**:
-* **SSO**:
+* **Healthcheck**: No
+* **Backups**: No
+* **Email**: Yes
+* **Tests**: No
+* **SSO**: Yes
 
 <!-- endmetadata -->
 
 ## Basic usage
 
-1. Set up Docker Swarm and [`abra`]
-1. Deploy [`coop-cloud/traefik`]
-1. `abra app new mastodon`
-1. Follow the [secrets setup docs](#secrets-setup)
-1. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to your Docker swarm box
-1. `abra app YOURAPPDOMAIN deploy` to deploy the app
+See the [`coop-cloud/mastodon` `README.md`](https://git.coopcloud.tech/coop-cloud/mastodon#quick-start).
 
-You'll need to run a `docker exec -it <streaming-service-id> /bin/bash` and do the following:
-
-```
-export OTP_SECRET=$(cat /run/secrets/otp_secret)
-export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
-export DB_PASS=$(cat /run/secrets/db_password)
-bundle exec rake db:setup
-```
-
-Then, on your host (outside of the containers), you'll need to fix permissions for the volume (see [#2](https://git.autonomic.zone/coop-cloud/hometown/issues/2)):
-
-```
-chown -R 991:991 /var/lib/docker/volumes/<service-name>_app/_data
-```
-
-And finally, within the `app` container, create an admin account:
-
-```
-export OTP_SECRET=$(cat /run/secrets/otp_secret)
-export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
-export DB_PASS=$(cat /run/secrets/db_password)
-tootctl accounts create <username> --email <email> --confirmed --role admin
-```
-
-[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
-[`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
-
-## Secrets setup
-
-Mastodon expects secrets generated by specific tools. Uou can run these commands via the scripts interface with `abra`.
-
-`abra app cmd <domain> secrets --local`
+Watch out in case the Mastodon recipe latest is not the same as the Hometown
+latest version! You can switch back to a compatible tag on the Mastodon recipe
+to compare docs, config etc. just to be sure.
 
 ## Tips & Tricks
 
-### Auto-complete is not working?
+See the [`coop-cloud/mastodon` `README.md`](https://git.coopcloud.tech/coop-cloud/mastodon#admin-tips-tricks).
 
-Check the sidekiq logs (`/sidekiq/retries`), is a bunch of stuff failing? What is the error?
-
-If it looks anything like `blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];` then it might mean that your elastic search service has put itself into "read-only" state. This could be due to running close to no free disk space one time. ES doesn't undo this state, even when you have more free disk space once more, so you need to handle this manually:
-
-```
-abra app run <domain> es bash
-curl -XPUT -H "Content-Type: application/json" http://localhost:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}'
-```
-
-Then head back to the sidekiq retries panel and retry one job. You should see
-the ticket of retries go down by one if if passed. Then you can "retry all" and
-they should get scheduled & run.
+Please only gather tips & tricks that are specific to Hometown here.

abra.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-export ENTRYPOINT_CONF_VERSION=v5
+export ENTRYPOINT_CONF_VERSION=v6
 
 assets() {
   export OTP_SECRET=$(cat /run/secrets/otp_secret)
@@ -10,12 +10,12 @@ assets() {
   RAILS_ENV=production bundle exec rails assets:precompile
 }
 
-migrate() {
+setup() {
   export OTP_SECRET=$(cat /run/secrets/otp_secret)
   export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
   export DB_PASS=$(cat /run/secrets/db_password)
 
-  bundle exec rake db:setup
+  RAILS_ENV=production bundle exec rake db:setup
 }
 
 admin() {
@@ -23,7 +23,7 @@ admin() {
   export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
   export DB_PASS=$(cat /run/secrets/db_password)
 
-  tootctl accounts create "$1" --email "$2" --confirmed --role admin
+  RAILS_ENV=production bin/tootctl accounts create "$1" --email "$2" --confirmed --role admin
 }
 
 secrets() {

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: decentral1se/hometown:v1.0.6_3.5.2
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.6-hometown-1.1.1
     command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
     networks: &bothNetworks
       - proxy
@@ -19,7 +19,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.1+v1.0.5_3.4.6"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+v4.0.6-hometown-1.1.1"
     configs: &configs
       - source: entrypoint_sh
         target: /usr/local/bin/entrypoint.sh
@@ -43,7 +43,6 @@ services:
       - CACHE_REDIS_URL
       - DB_HOST
       - DB_NAME
-      - DB_PASS_FILE=/run/secrets/db_password
       - DB_PORT
       - DB_USER
       - DEFAULT_LOCALE
@@ -63,10 +62,12 @@ services:
       - LIMITED_FEDERATION_MODE
       - LOCAL_DOMAIN
       - MAX_SESSION_ACTIVATIONS
+      - MAX_TOOT_CHARS
       - OAUTH_REDIRECT_AT_SIGN_IN
       - OIDC_AUTH_ENDPOINT
       - OIDC_CLIENT_AUTH_METHOD
       - OIDC_CLIENT_ID
+      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
       - OIDC_DISCOVERY
       - OIDC_DISPLAY
       - OIDC_DISPLAY_NAME
@@ -85,11 +86,9 @@ services:
       - OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED
       - OIDC_SEND_NONCE
       - OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT
-      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
       - OIDC_TOKEN_ENDPOINT
       - OIDC_UID_FIELD
       - OIDC_USER_INFO_ENDPOINT
-      - OTP_SECRET_FILE=/run/secrets/otp_secret
       - PAPERCLIP_ROOT_PATH
       - PAPERCLIP_ROOT_URL
       - RAILS_ENV
@@ -118,7 +117,6 @@ services:
       - SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
       - SAML_SECURITY_WANT_ASSERTION_SIGNED
       - SAML_UID_ATTRIBUTE
-      - SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
       - SINGLE_USER_MODE
       - SMTP_AUTH_METHOD
       - SMTP_CA_FILE
@@ -139,8 +137,41 @@ services:
       - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
       - VAPID_PUBLIC_KEY
       - WEB_DOMAIN
-      - MAX_TOOT_CHARS
-      - http_proxy # yes, this should be lowercase
+
+  streaming:
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.6-hometown-1.1.1
+    command: node ./streaming
+    configs: *configs
+    entrypoint: *entrypoint
+    secrets: *secrets
+    networks: *bothNetworks
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
+        - "traefik.http.services.${STACK_NAME}_streaming.loadbalancer.server.port=4000"
+        - "traefik.http.routers.${STACK_NAME}_streaming.rule=(Host(`${DOMAIN}`) && PathPrefix(`/api/v1/streaming`))"
+        - "traefik.http.routers.${STACK_NAME}_streaming.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}_streaming.tls.certresolver=${LETS_ENCRYPT_ENV}"
+    environment: *env
+    volumes: *appVolume # used to make sure this volume is created
+
+  sidekiq:
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.6-hometown-1.1.1
+    secrets: *secrets
+    command: bundle exec sidekiq
+    configs: *configs
+    entrypoint: *entrypoint
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+    networks: *bothNetworks
+    volumes: *appVolume
+    environment: *env
 
   db:
     image: postgres:14.5-alpine
@@ -179,41 +210,6 @@ services:
         soft: -1
         hard: -1
 
-  streaming:
-    image: decentral1se/hometown:v1.0.6_3.5.2
-    command: node ./streaming
-    configs: *configs
-    entrypoint: *entrypoint
-    secrets: *secrets
-    networks: *bothNetworks
-    deploy:
-      update_config:
-        failure_action: rollback
-        order: start-first
-      labels:
-        - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
-        - "traefik.http.services.${STACK_NAME}_streaming.loadbalancer.server.port=4000"
-        - "traefik.http.routers.${STACK_NAME}_streaming.rule=(Host(`${DOMAIN}`) && PathPrefix(`/api/v1/streaming`))"
-        - "traefik.http.routers.${STACK_NAME}_streaming.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}_streaming.tls.certresolver=${LETS_ENCRYPT_ENV}"
-    environment: *env
-    volumes: *appVolume # used to make sure this volume is created
-
-  sidekiq:
-    image: decentral1se/hometown:v1.0.6_3.5.2
-    secrets: *secrets
-    command: bundle exec sidekiq
-    configs: *configs
-    entrypoint: *entrypoint
-    deploy:
-      update_config:
-        failure_action: rollback
-        order: start-first
-    networks: *bothNetworks
-    volumes: *appVolume
-    environment: *env
-
 secrets:
   secret_key_base:
     name: ${STACK_NAME}_secret_key_base_${SECRET_SECRET_KEY_BASE_VERSION}

entrypoint.sh.tmpl

@@ -23,15 +23,15 @@ file_env() {
   unset "$fileVar"
 }
 
-file_env "DB_PASS"
+export DB_PASS=$(cat /run/secrets/db_password)
+
+# for sidekiq service bundle exec env var threading
 file_env "OTP_SECRET"
 file_env "SECRET_KEY_BASE"
-file_env "SMTP_PASSWORD"
-file_env "VAPID_PRIVATE_KEY"
 file_env "AWS_SECRET_ACCESS_KEY"
 
 {{ if eq (env "OIDC_ENABLED") "true" }}
 file_env "OIDC_CLIENT_SECRET"
 {{ end }}
 
-/usr/bin/tini -- "$@"
+/usr/bin/tini -s -- "$@"

release/1.0.0+v4.0.6-hometown-1.1.1

@@ -0,0 +1,11 @@
+Mastodon 4 requires running pre- and post-deployment migrations, something like
+
+```
+abra app run your.app.domain app bash -c "SKIP_POST_DEPLOYMENT_MIGRATIONS=true rails db:migrate"
+abra app restart your.app.domain app
+abra app restart your.app.domain streaming
+abra app restart your.app.domain sidekiq
+abra app run your.app.domain app rails db:migrate
+```
+
+See the full release notes for details: https://github.com/mastodon/mastodon/releases/tag/v4.0.0