11 changed files with 236 additions and 245 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -3,13 +3,10 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
  - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
    settings:
      host: swarm-test.autonomic.zone
      stack: mastodon
-      generate_secrets: true
-      networks:
-       - proxy
      purge: true
      deploy_key:
        from_secret: drone_ssh_swarm_test
@ -17,28 +14,16 @@ steps:
      DOMAIN: mastodon.swarm-test.autonomic.zone
      STACK_NAME: mastodon
      LETS_ENCRYPT_ENV: production
-      ENTRYPOINT_CONF_VERSION: v1
-      SECRET_SECRET_KEY_BASE_VERSION: v1
-      SECRET_OTP_SECRET_VERSION: v1
-      SECRET_VAPID_PRIVATE_KEY_VERSION: v1
-      SECRET_DB_PASSWORD_VERSION: v1
-      SECRET_SMTP_PASSWORD_VERSION: v1
 trigger:
  branch:
    - main
 ---
 kind: pipeline
-name: generate recipe catalogue
+name: recipe release
 steps:
  - name: release a new version
-    image: plugins/downstream
+    image: thecoopcloud/drone-abra:latest
    settings:
-      server: https://build.coopcloud.tech
-      token:
-        from_secret: drone_abra-bot_token
-      fork: true
-      repositories:
-        - coop-cloud/auto-recipes-catalogue-json
-
-trigger:
-  event: tag
+      command: recipe hometown release
+      deploy_key:
+        from_secret: abra_bot_deploy_key
--- a/.env.sample
+++ b/.env.sample
@ -1,6 +1,6 @@
 TYPE=hometown

-DOMAIN=hometown.example.com
+DOMAIN=mastodon.swarm-test.autonomic.zone
 # Enables WEB_DOMAIN if set (FOR FUTURE USE)
 # USER_DOMAIN=

@ -30,7 +30,6 @@ LOCAL_DOMAIN=$DOMAIN

 # ALTERNATE_DOMAINS=$EXTRA_DOMAINS
 AUTHORIZED_FETCH=false
-DISALLOW_UNAUTHENTICATED_API_ACCESS=false
 LIMITED_FEDERATION_MODE=false

 # Deployment
@ -62,7 +61,7 @@ REDIS_PORT=6379

 # ElasticSearch
 # --------------------------------------
-#COMPOSE_FILE="$COMPOSE_FILE:compose.elasticsearch.yml"
+ES_ENABLED=true
 ES_HOST=es
 ES_PORT=9200

@ -73,12 +72,11 @@ ES_PORT=9200

 # Secrets
 # =======
-SECRET_SECRET_KEY_BASE_VERSION=v1
+SECRET_KEY_BASE_VERSION=v1
 SECRET_OTP_SECRET_VERSION=v1
 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SMTP_PASSWORD_VERSION=v1
-SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1

 # Web Push
 # ========
@ -92,7 +90,6 @@ SINGLE_USER_MODE=false
 DEFAULT_LOCALE=en
 # MAX_SESSION_ACTIVATIONS=
 # USER_ACTIVE_DAYS=
-# MAX_TOOT_CHARS=500

 # Sending mail
 # ============
@ -120,7 +117,7 @@ DEFAULT_LOCALE=en

 # S3 and AWS
 # ----------
-#COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
+# S3_ENABLED=
 # S3_BUCKET=
 # AWS_ACCESS_KEY_ID=
 # AWS_SECRET_ACCESS_KEY=
@ -202,3 +199,8 @@ DEFAULT_LOCALE=en
 # OIDC_END_SESSION_ENDPOINT=
 # OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=
 # SECRET_OIDC_CLIENT_SECRET_VERSION=v1
+
+# Hidden services (Not Supported)
+# ===============================
+# http_proxy=  # yes, this should be lowercase
+# ALLOW_ACCESS_TO_HIDDEN_SERVICE=
--- a/README.md
+++ b/README.md
@ -1,35 +1,87 @@
 # Hometown

-> A supported fork of Mastodon that provides local posting and a wider range of content types.
+A supported fork of Mastodon that provides local posting and a wider range of content types.

-The configuration aims to stay as close as possible to [coop-cloud/mastodon](https://git.coopcloud.tech/coop-cloud/mastodon).
-At some point, ideally, we could merge them. We don't have enough folks running
-both Mastodon & Hometown to understand if that is a good idea right now. To be
-discussed.
+This repository is a copy of [coop-cloud/mastodon](https://git.autonomic.zone/coop-cloud/mastodon) but with a fresh README and some Hometown specific configuration. It seems like a good idea to keep the deployment separate since the apps may diverge in their deployment or configuration instructions at some point despite best wishes to remain as mainline Mastodon as possible.

 <!-- metadata -->

-* **Category**: Apps
-* **Status**: 1
-* **Image**: [`hometown`](https://git.coopcloud.tech/coop-cloud-chaos-patchs/docker-hometown), 1, Co-op Cloud custom image
-* **Healthcheck**: No
-* **Backups**: No
-* **Email**: Yes
-* **Tests**: No
-* **SSO**: Yes
+- **Category**:
+- **Status**:
+- **Image**: [`decentral1se/hometown`](https://hub.docker.com/r/decentral1se/hometown)
+- **Healthcheck**:
+- **Backups**:
+- **Email**:
+- **Tests**:
+- **SSO**:

 <!-- endmetadata -->

 ## Basic usage

-See the [`coop-cloud/mastodon` `README.md`](https://git.coopcloud.tech/coop-cloud/mastodon#quick-start).
+1. Set up Docker Swarm and [`abra`]
+1. Deploy [`coop-cloud/traefik`]
+1. `abra app new mastodon`
+1. Follow the [secrets setup docs](#secrets-setup)
+1. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to your Docker swarm box
+1. `abra app YOURAPPDOMAIN deploy` to deploy the app

-Watch out in case the Mastodon recipe latest is not the same as the Hometown
-latest version! You can switch back to a compatible tag on the Mastodon recipe
-to compare docs, config etc. just to be sure.
+You'll need to run a `docker exec -it <streaming-service-id> /bin/bash` and do the following:

-## Tips & Tricks
+```
+export OTP_SECRET=$(cat /run/secrets/otp_secret)
+export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
+export DB_PASS=$(cat /run/secrets/db_password)
+bundle exec rake db:setup
+```

-See the [`coop-cloud/mastodon` `README.md`](https://git.coopcloud.tech/coop-cloud/mastodon#admin-tips-tricks).
+Then, on your host (outside of the containers), you'll need to fix permissions for the volume (see [#2](https://git.autonomic.zone/coop-cloud/hometown/issues/2)):

-Please only gather tips & tricks that are specific to Hometown here.
+```
+chown -R 991:991 /var/lib/docker/volumes/<service-name>_app/_data
+```
+
+And finally, within any app container, create an admin account:
+
+```
+tootctl accounts create <username> --email <email> --confirmed --role admin
+```
+
+[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
+[`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
+
+## Secrets setup
+
+Because Mastodon expects secrets generated by specific tools, we don't support that in `abra` yet. However, you can run these commands yourself using the underlying Docker CLI. You can then load them in as secrets to the swarm using `abra` though and then they will be picked up on the deployment.
+
+First, generate the `SECRET_KEY_BASE` and `OTP_SECRET` and store them in your local shell environment, you'll need them for subsequent commands.
+
+```
+$ SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
+$ OTP_SECRET=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
+$ abra app YOURAPPDOMAIN secret insert secret_key_base v1 $SECRET_KEY_BASE
+$ abra app YOURAPPDOMAIN secret insert otp_secret v1 $OTP_SECRET
+```
+
+Then you need to generate the `VAPID_{PUBLIC/PRIVATE}_KEY` values using the `SECRET_KEY_BASE`/`OTP_SECRET`:
+
+```
+$ docker run \
+  -e SECRET_KEY_BASE=$SECRET_KEY_BASE \
+  -e OTP_SECRET=$OTP_SECRET \
+  --rm tootsuite/mastodon:v3.4.0 \
+  bundle exec rake mastodon:webpush:generate_vapid_key
+```
+
+Once you see the values generated, you can load the `VAPID_PUBLIC_KEY` into your `.env` file and `VAPID_PRIVATE_KEY` into a secret.
+
+```
+$ abra app YOURDOMAIN secret insert vapid_private_key v1 YOURVAPIDPRIVATEKEY
+```
+
+And finally, to end your whirlwind secrets loading adventure, get the `DB_PASS` and `SMTP_PASSWORD` loaded.
+
+```
+$ abra app YOURAPPDOMAIN secret generate db_password v1
+$ abra app YOURDOMAIN secret insert smtp_password v1 YOURSMTPPASSWORD
+```
--- a/abra.sh
+++ b/abra.sh
@ -1,92 +1,62 @@
-#!/bin/bash
+# shellcheck disable=SC2148
+export ENTRYPOINT_CONF_VERSION=v5
+#MASTO_APP_DIR="mastodon/public"

-export ENTRYPOINT_CONF_VERSION=v8
+sub_rake() {
+  export OTP_SECRET=$(cat /run/secrets/otp_secret)
+  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
+  export DB_PASS=$(cat /run/secrets/db_password)

-file_env() {
-  local var="$1"
-  local fileVar="${var}_FILE"
-  local def="${2:-}"
+  # shellcheck disable=SC2034
+  abra__service_="streaming"

-  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-    exit 1
-  fi
-
-  local val="$def"
-  if [ "${!var:-}" ]; then
-    val="${!var}"
-  elif [ "${!fileVar:-}" ]; then
-    val="$(< "${!fileVar}")"
-  fi
-
-  declare -x -g "$var"="$val"
-  unset "$fileVar"
+  # Using streaming for rake since it is the least likely to flap
+  sub_app_run bundle exec rake "$@"
 }

-environment() {
-    # for sidekiq service bundle exec env var threading
-    file_env "OTP_SECRET"
-    file_env "SECRET_KEY_BASE"
-    file_env "DB_PASS"
-    file_env "SMTP_PASSWORD"
-    file_env "VAPID_PRIVATE_KEY"
+sub_tootctl() {
+  export OTP_SECRET=$(cat /run/secrets/otp_secret)
+  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
+  export DB_PASS=$(cat /run/secrets/db_password)

-    declare -x RAILS_ENV=production
+  # shellcheck disable=SC2034
+  abra__service_="web"
+
+  # Using streaming for rake since it is the least likely to flap
+  sub_app_run bin/tootctl "$@"
 }

-setup_admin() {
-    ## Create an admin user
-    environment
-    accounts create "$1" --email "$2" --confirmed --role admin
+sub_setup() {
+    info "Setting up mastodon database"
+    silence
+
+    sub_rake "db:setup"
+    unsilence
+    success "Mastodon's database is now up! 'web' and 'sidekiq' services should now stop failing."
+
+    echo "Do you want to create an admin user? (Extremely recommended!)"
+    prompt_confirm
+    read -rp "Username: " USERNAME
+    read -rp "Email: " EMAIL
+    warning "Password will be show on screen. Copy this down somewhere! Abra cannot show you this again!"
+    sub_tootctl accounts create $USERNAME --email $EMAIL --confirmed --role admin
+    success "Admin account created!"
+    success "Mastodon should be setup and ready to go!"
 }

-shell() {
-    ## Run a shell with proper environment
-    environment
-    bash $@
-}
+# Not working atm
+# abra_backup_app() {
+#   _abra_backup_dir $MASTO_APP_DIR
+# }

-generate_secrets() {
-    ## Run `abra app cmd -l <yourdomain> generate_secrets` to use Docker to generate secrets you'll need to deploy
-    ## your new instance (and create the secrets on target app).
-    docker context use default > /dev/null 2>&1
+# abra_restore_app() {
+#   # shellcheck disable=SC2034
+#   {
+#   abra__src_="-"
+#   abra__dst_=$MASTO_APP_DIR
+#   }

-    echo "Generating secrets for new Hometown deployment..."
-    echo ""
+#   zcat "$@" | sub_app_cp

-    SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
-    abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
-    echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
-    echo ""
-
-    OTP_SECRET=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
-    abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
-    echo "OTP_SECRET = $OTP_SECRET"
-    echo ""
-
-    docker run \
-           -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
-           -e OTP_SECRET="$OTP_SECRET" \
-           --rm tootsuite/mastodon:v3.4.0 \
-           bundle exec rake mastodon:webpush:generate_vapid_key \
-           > /tmp/key.txt
-
-    VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
-    VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
-    rm -rf /tmp/key.txt
-
-    echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
-    echo "!IMPORTANT! you MUST insert this VAPID_PUBLIC_KEY into your app .env config !IMPORTANT!"
-    echo ""
-
-    abra app secret insert "$APP_NAME" vapid_private_key v1 "$VAPID_PRIVATE_KEY"
-    echo "VAPID_PRIVATE_KEY = $VAPID_PRIVATE_KEY"
-    echo ""
-
-    abra app secret generate "$APP_NAME" db_password v1
-    echo ""
-
-    echo "don't forget to insert your smtp_password! your deployment won't work without it"
-    echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
-    echo ""
-}
+#   success "Restored 'app'"
+# }
--- a/compose.elasticsearch.yml
+++ b/compose.elasticsearch.yml
@ -1,34 +0,0 @@
---
-version: "3.8"
-
-services:
-  es:
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
-    environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - "cluster.name=es-mastodon"
-      - "discovery.type=single-node"
-      - "bootstrap.memory_lock=true"
-    networks:
-      - internal_network
-    volumes:
-      - es:/usr/share/elasticsearch/data
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-
-  app:
-    environment: &es-env
-      - ES_ENABLED=true
-      - ES_HOST
-      - ES_PORT
-
-  streaming:
-    environment: *es-env
-
-  sidekiq:
-    environment: *es-env
-
-volumes:
-  es:
--- a/compose.oidc.yml
+++ b/compose.oidc.yml
@ -2,7 +2,8 @@
 version: "3.8"

 services:
-  app:
+  web:
+    image: decentral1se/hometown:v1.0.5_3.4.0_openid-sso
    secrets:
      - db_password
      - otp_secret
@ -10,8 +11,8 @@ services:
      - smtp_password
      - vapid_private_key
      - oidc_client_secret
-
  streaming:
+    image: decentral1se/hometown:v1.0.5_3.4.0_openid-sso
    secrets:
      - db_password
      - otp_secret
@ -19,8 +20,8 @@ services:
      - smtp_password
      - vapid_private_key
      - oidc_client_secret
-
  sidekiq:
+    image: decentral1se/hometown:v1.0.5_3.4.0_openid-sso
    secrets:
      - db_password
      - otp_secret
--- a/compose.s3.yml
+++ b/compose.s3.yml
@ -1,35 +0,0 @@
---
-version: "3.8"
-
-services:
-  app:
-    environment: &s3-env
-      - S3_ENABLED=true
-      - AWS_ACCESS_KEY_ID
-      - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key
-      - S3_BUCKET
-      - S3_REGION
-      - S3_PROTOCOL
-      - S3_HOSTNAME
-      - S3_ENDPOINT
-      - S3_SIGNATURE_VERSION
-      - S3_OVERRIDE_PATH_STYLE
-      - S3_OPEN_TIMEOUT
-      - S3_READ_TIMEOUT
-      - S3_FORCE_SINGLE_REQUEST
-      - S3_ALIAS_HOST
-    secrets: &s3-secrets
-      - aws_secret_access_key
-
-  streaming:
-    environment: *s3-env
-    secrets: *s3-secrets
-
-  sidekiq:
-    environment: *s3-env
-    secrets: *s3-secrets
-
-secrets:
-  aws_secret_access_key:
-    name: ${STACK_NAME}_aws_secret_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
-    external: true
--- a/compose.yml
+++ b/compose.yml
@ -2,12 +2,66 @@
 version: "3.8"

 services:
-  app:
-    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.15-hometown-1.1.1
-    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rake db:migrate; bundle exec rails s -p 3000"
+  db:
+    image: postgres:9.6-alpine
+    networks: &internalNetwork
+      - internal_network
+    # Note(decentral1se): get this working, failing somehow so far
+    # healthcheck:
+    #   test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
+    volumes:
+      - postgres:/var/lib/postgresql/data
+    secrets:
+      - db_password
+    environment:
+      - POSTGRES_DB=${DB_NAME}
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_USER=${DB_USER}
+
+  redis:
+    image: redis:6.2-alpine
+    networks: *internalNetwork
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+    volumes:
+      - redis:/data
+
+  es:
+    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.16
+    environment:
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - "cluster.name=es-mastodon"
+      - "discovery.type=single-node"
+      - "bootstrap.memory_lock=true"
+    networks:
+      - internal_network
+    # Note(decentral1se): get this working, failing somehow so far
+    # healthcheck:
+    #   test:
+    #     [
+    #       "CMD-SHELL",
+    #       "curl --silent --fail localhost:9200/_cluster/health || exit 1",
+    #     ]
+    volumes:
+      - es:/usr/share/elasticsearch/data
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+
+  web:
+    image: decentral1se/hometown:v1.0.5_3.4.0
+    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
    networks: &bothNetworks
      - proxy
      - internal_network
+    # Note(decentral1se): get this working, failing somehow so far
+    # healthcheck:
+    #   test:
+    #     [
+    #       "CMD-SHELL",
+    #       "wget -q --spider --proxy=off localhost:3000/health || exit 1",
+    #     ]
    deploy:
      update_config:
        failure_action: rollback
@ -19,7 +73,19 @@ services:
        - "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=1.1.9+v4.0.15-hometown-1.1.1"
+        # WEB_DOMAIN redirect
+        #- "traefik.http.routers.${STACK_NAME}_web.rule=(Host(`${DOMAIN}`) || (Host(`${LOCAL_DOMAIN}`) && Path(`/.well-known/webfinger`)))"
+        # - "traefik.http.middlewares.mastodon-webfinger.redirectregex.regex=^https?://${LOCAL_DOMAIN}/.*" #^(http|https)://${LOCAL_DOMAIN}/.well-known/webfinger"
+        # # - "traefik.http.middlewares.mastodon-webfinger.redirectregex.permanent=true"
+        # - "traefik.http.middlewares.mastodon-webfinger.redirectregex.replacement=https://${WEB_DOMAIN}/.well-known/webfinger"
+        # - "traefik.http.routers.${STACK_NAME}_hack.rule=(Host(`${LOCAL_DOMAIN}`) && Path(`/.well-known/`))"
+        # - "traefik.http.routers.${STACK_NAME}_hack.entrypoints=websecure"
+        # - "traefik.http.routers.${STACK_NAME}_hack.middlewares=mastodon-webfinger@docker"
+        ## Redirect from EXTRA_DOMAINS to DOMAIN
+        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+
    configs: &configs
      - source: entrypoint_sh
        target: /usr/local/bin/entrypoint.sh
@ -43,13 +109,15 @@ services:
      - CACHE_REDIS_URL
      - DB_HOST
      - DB_NAME
+      - DB_PASS_FILE=/run/secrets/db_password
      - DB_PORT
      - DB_USER
-      - DB_PASS_FILE=/run/secrets/db_password
      - DEFAULT_LOCALE
-      - DISALLOW_UNAUTHENTICATED_API_ACCESS
      - EMAIL_DOMAIN_ALLOWLIST
      - EMAIL_DOMAIN_DENYLIST
+      - ES_ENABLED
+      - ES_HOST
+      - ES_PORT
      - LDAP_BASE
      - LDAP_BIND_DN
      - LDAP_ENABLED
@ -64,12 +132,10 @@ services:
      - LIMITED_FEDERATION_MODE
      - LOCAL_DOMAIN
      - MAX_SESSION_ACTIVATIONS
-      - MAX_TOOT_CHARS
      - OAUTH_REDIRECT_AT_SIGN_IN
      - OIDC_AUTH_ENDPOINT
      - OIDC_CLIENT_AUTH_METHOD
      - OIDC_CLIENT_ID
-      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
      - OIDC_DISCOVERY
      - OIDC_DISPLAY
      - OIDC_DISPLAY_NAME
@ -88,6 +154,7 @@ services:
      - OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED
      - OIDC_SEND_NONCE
      - OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT
+      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
      - OIDC_TOKEN_ENDPOINT
      - OIDC_UID_FIELD
      - OIDC_USER_INFO_ENDPOINT
@ -141,14 +208,22 @@ services:
      - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
      - VAPID_PUBLIC_KEY
      - WEB_DOMAIN
+      - http_proxy # yes, this should be lowercase

  streaming:
-    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.15-hometown-1.1.1
+    image: decentral1se/hometown:v1.0.5_3.4.0
    command: node ./streaming
    configs: *configs
    entrypoint: *entrypoint
    secrets: *secrets
    networks: *bothNetworks
+    # Note(decentral1se): get this working, failing somehow so far
+    # healthcheck:
+    #   test:
+    #     [
+    #       "CMD-SHELL",
+    #       "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1",
+    #     ]
    deploy:
      update_config:
        failure_action: rollback
@ -160,11 +235,16 @@ services:
        - "traefik.http.routers.${STACK_NAME}_streaming.rule=(Host(`${DOMAIN}`) && PathPrefix(`/api/v1/streaming`))"
        - "traefik.http.routers.${STACK_NAME}_streaming.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}_streaming.tls.certresolver=${LETS_ENCRYPT_ENV}"
+
+        ## Redirect from EXTRA_DOMAINS to DOMAIN
+        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
    environment: *env
    volumes: *appVolume # used to make sure this volume is created

  sidekiq:
-    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.15-hometown-1.1.1
+    image: decentral1se/hometown:v1.0.5_3.4.0
    secrets: *secrets
    command: bundle exec sidekiq
    configs: *configs
@ -177,30 +257,9 @@ services:
    volumes: *appVolume
    environment: *env

-  db:
-    image: postgres:14.10-alpine
-    networks: &internalNetwork
-      - internal_network
-    volumes:
-      - postgres:/var/lib/postgresql/data
-    secrets:
-      - db_password
-    environment:
-      - POSTGRES_DB=${DB_NAME}
-      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
-      - POSTGRES_USER=${DB_USER}
-
-  redis:
-    image: redis:7.2-alpine
-    networks: *internalNetwork
-    healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
-    volumes:
-      - redis:/data
-
 secrets:
  secret_key_base:
-    name: ${STACK_NAME}_secret_key_base_${SECRET_SECRET_KEY_BASE_VERSION}
+    name: ${STACK_NAME}_secret_key_base_${SECRET_KEY_BASE_VERSION}
    external: true
  otp_secret:
    name: ${STACK_NAME}_otp_secret_${SECRET_OTP_SECRET_VERSION}
@ -219,6 +278,7 @@ volumes:
  app:
  redis:
  postgres:
+  es:

 networks:
  proxy:
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -23,16 +23,14 @@ file_env() {
  unset "$fileVar"
 }

-# for sidekiq service bundle exec env var threading
 file_env "DB_PASS"
 file_env "OTP_SECRET"
 file_env "SECRET_KEY_BASE"
 file_env "SMTP_PASSWORD"
 file_env "VAPID_PRIVATE_KEY"
-file_env "AWS_SECRET_ACCESS_KEY"

 {{ if eq (env "OIDC_ENABLED") "true" }}
 file_env "OIDC_CLIENT_SECRET"
 {{ end }}

-/usr/bin/tini -s -- "$@"
+/usr/bin/tini -- "$@"
--- a/release/1.0.0+v4.0.6-hometown-1.1.1
+++ b/release/1.0.0+v4.0.6-hometown-1.1.1
@ -1,11 +0,0 @@
-Mastodon 4 requires running pre- and post-deployment migrations, something like
-
-```
-abra app run your.app.domain app bash -c "SKIP_POST_DEPLOYMENT_MIGRATIONS=true rails db:migrate"
-abra app restart your.app.domain app
-abra app restart your.app.domain streaming
-abra app restart your.app.domain sidekiq
-abra app run your.app.domain app rails db:migrate
-```
-
-See the full release notes for details: https://github.com/mastodon/mastodon/releases/tag/v4.0.0
--- a/renovate.json
+++ b/renovate.json
@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}