Compare commits

..

No commits in common. "main" and "main" have entirely different histories.
main ... main

11 changed files with 236 additions and 245 deletions

View File

@ -3,13 +3,10 @@ kind: pipeline
name: deploy to swarm-test.autonomic.zone name: deploy to swarm-test.autonomic.zone
steps: steps:
- name: deployment - name: deployment
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest image: decentral1se/stack-ssh-deploy:latest
settings: settings:
host: swarm-test.autonomic.zone host: swarm-test.autonomic.zone
stack: mastodon stack: mastodon
generate_secrets: true
networks:
- proxy
purge: true purge: true
deploy_key: deploy_key:
from_secret: drone_ssh_swarm_test from_secret: drone_ssh_swarm_test
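Review bot: both sides run the deploy step from a floating `:latest` tag (`git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest` on the left, `decentral1se/stack-ssh-deploy:latest` on the right) while handing that container the swarm SSH key via `from_secret: drone_ssh_swarm_test`, so whoever can push that tag can run code with the deploy key. Pin the plugin to a release tag or an image digest. The left side additionally sets `generate_secrets: true` next to `purge: true`; a comment saying what the plugin does with existing secrets on a re-run of the purge would save the next person a surprise on `swarm-test.autonomic.zone`.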
@ -17,28 +14,16 @@ steps:
DOMAIN: mastodon.swarm-test.autonomic.zone DOMAIN: mastodon.swarm-test.autonomic.zone
STACK_NAME: mastodon STACK_NAME: mastodon
LETS_ENCRYPT_ENV: production LETS_ENCRYPT_ENV: production
ENTRYPOINT_CONF_VERSION: v1
SECRET_SECRET_KEY_BASE_VERSION: v1
SECRET_OTP_SECRET_VERSION: v1
SECRET_VAPID_PRIVATE_KEY_VERSION: v1
SECRET_DB_PASSWORD_VERSION: v1
SECRET_SMTP_PASSWORD_VERSION: v1
trigger: trigger:
branch: branch:
- main - main
--- ---
kind: pipeline kind: pipeline
name: generate recipe catalogue name: recipe release
steps: steps:
- name: release a new version - name: release a new version
image: plugins/downstream image: thecoopcloud/drone-abra:latest
settings: settings:
server: https://build.coopcloud.tech command: recipe hometown release
token: deploy_key:
from_secret: drone_abra-bot_token from_secret: abra_bot_deploy_key
fork: true
repositories:
- coop-cloud/auto-recipes-catalogue-json
trigger:
event: tag
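Review bot: the right-hand `recipe release` pipeline has no `trigger:` block at all, so as written it runs on every build event the repository receives, each time mounting `abra_bot_deploy_key` into a `thecoopcloud/drone-abra:latest` container; restrict it to `event: tag` as the left-hand `generate recipe catalogue` pipeline does, and pin the image. Note also the variable-name drift visible in this hunk: the left pipeline exports `SECRET_SECRET_KEY_BASE_VERSION`, whereas the right-hand `.env.sample` and `compose.yml` spell it `SECRET_KEY_BASE_VERSION`; the external secret is only resolved when the pipeline, `.env` and `compose.yml` agree on one name.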

View File

@ -1,6 +1,6 @@
TYPE=hometown TYPE=hometown
DOMAIN=hometown.example.com DOMAIN=mastodon.swarm-test.autonomic.zone
# Enables WEB_DOMAIN if set (FOR FUTURE USE) # Enables WEB_DOMAIN if set (FOR FUTURE USE)
# USER_DOMAIN= # USER_DOMAIN=
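Review bot: the right-hand sample ships a real host, `DOMAIN=mastodon.swarm-test.autonomic.zone`, as the default value; a `.env` copied from it and deployed without editing would request a Let's Encrypt certificate and federate under someone else's domain. Keep the `hometown.example.com` placeholder used on the left so a missed edit fails visibly instead of working by accident.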
@ -30,7 +30,6 @@ LOCAL_DOMAIN=$DOMAIN
# ALTERNATE_DOMAINS=$EXTRA_DOMAINS # ALTERNATE_DOMAINS=$EXTRA_DOMAINS
AUTHORIZED_FETCH=false AUTHORIZED_FETCH=false
DISALLOW_UNAUTHENTICATED_API_ACCESS=false
LIMITED_FEDERATION_MODE=false LIMITED_FEDERATION_MODE=false
# Deployment # Deployment
@ -62,7 +61,7 @@ REDIS_PORT=6379
# ElasticSearch # ElasticSearch
# -------------------------------------- # --------------------------------------
#COMPOSE_FILE="$COMPOSE_FILE:compose.elasticsearch.yml" ES_ENABLED=true
ES_HOST=es ES_HOST=es
ES_PORT=9200 ES_PORT=9200
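Review bot: the right side hard-codes `ES_ENABLED=true` in the sample, and because its `compose.yml` always defines the `es` service every deployment gets an Elasticsearch node whether or not search is wanted. The left side makes it opt-in through `COMPOSE_FILE="$COMPOSE_FILE:compose.elasticsearch.yml"`, which is the safer default for a service that has no authentication of its own; keep that shape and leave `ES_HOST`/`ES_PORT` as documentation of the overlay's values.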
@ -73,12 +72,11 @@ ES_PORT=9200
# Secrets # Secrets
# ======= # =======
SECRET_SECRET_KEY_BASE_VERSION=v1 SECRET_KEY_BASE_VERSION=v1
SECRET_OTP_SECRET_VERSION=v1 SECRET_OTP_SECRET_VERSION=v1
SECRET_VAPID_PRIVATE_KEY_VERSION=v1 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
SECRET_DB_PASSWORD_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1
SECRET_SMTP_PASSWORD_VERSION=v1 SECRET_SMTP_PASSWORD_VERSION=v1
SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1
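Review bot: the version variable for the Rails secret is `SECRET_SECRET_KEY_BASE_VERSION` on the left and `SECRET_KEY_BASE_VERSION` on the right, and each side's `compose.yml` interpolates its own spelling into `${STACK_NAME}_secret_key_base_${...}`. The doubled prefix on the left follows the `SECRET_<name>_VERSION` pattern of every other entry here (`SECRET_OTP_SECRET_VERSION`, `SECRET_DB_PASSWORD_VERSION`, ...), which is the pattern abra uses to discover which secrets a recipe needs, so it is the right-hand spelling that should change. Also add a comment beside the new `SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1` saying it is only consumed when `compose.s3.yml` is included, otherwise operators will create a secret that nothing reads.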
# Web Push # Web Push
# ======== # ========
@ -92,7 +90,6 @@ SINGLE_USER_MODE=false
DEFAULT_LOCALE=en DEFAULT_LOCALE=en
# MAX_SESSION_ACTIVATIONS= # MAX_SESSION_ACTIVATIONS=
# USER_ACTIVE_DAYS= # USER_ACTIVE_DAYS=
# MAX_TOOT_CHARS=500
# Sending mail # Sending mail
# ============ # ============
@ -120,7 +117,7 @@ DEFAULT_LOCALE=en
# S3 and AWS # S3 and AWS
# ---------- # ----------
#COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml" # S3_ENABLED=
# S3_BUCKET= # S3_BUCKET=
# AWS_ACCESS_KEY_ID= # AWS_ACCESS_KEY_ID=
# AWS_SECRET_ACCESS_KEY= # AWS_SECRET_ACCESS_KEY=
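Review bot: the left-hand sample still lists `# AWS_SECRET_ACCESS_KEY=` even though its S3 overlay delivers the key as `AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key` and the entrypoint's `file_env` exits with "both $var and $fileVar are set" when a variable and its `_FILE` twin are both present. Uncommenting that line would therefore break startup as soon as the overlay is enabled. Replace it with a comment pointing at `abra app secret insert <app> aws_secret_access_key v1 ...` so the key never lands in `.env`; `AWS_ACCESS_KEY_ID`, which is not secret, can stay.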
@ -202,3 +199,8 @@ DEFAULT_LOCALE=en
# OIDC_END_SESSION_ENDPOINT= # OIDC_END_SESSION_ENDPOINT=
# OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED= # OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=
# SECRET_OIDC_CLIENT_SECRET_VERSION=v1 # SECRET_OIDC_CLIENT_SECRET_VERSION=v1
# Hidden services (Not Supported)
# ===============================
# http_proxy= # yes, this should be lowercase
# ALLOW_ACCESS_TO_HIDDEN_SERVICE=
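Review bot: the heading says hidden services are "Not Supported", yet the right-hand `compose.yml` plumbs `http_proxy` into the shared `*env` anchor used by `web`, `streaming` and `sidekiq`, so setting it proxies all outbound traffic of the three services. Either state what "not supported" means here (no Tor container in the stack; `http_proxy` must point at something the operator runs themselves) or leave both variables out of the sample so nobody sets them expecting an onion service.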

View File

@ -1,35 +1,87 @@
# Hometown # Hometown
> A supported fork of Mastodon that provides local posting and a wider range of content types. A supported fork of Mastodon that provides local posting and a wider range of content types.
The configuration aims to stay as close as possible to [coop-cloud/mastodon](https://git.coopcloud.tech/coop-cloud/mastodon). This repository is a copy of [coop-cloud/mastodon](https://git.autonomic.zone/coop-cloud/mastodon) but with a fresh README and some Hometown specific configuration. It seems like a good idea to keep the deployment separate since the apps may diverge in their deployment or configuration instructions at some point despite best wishes to remain as mainline Mastodon as possible.
At some point, ideally, we could merge them. We don't have enough folks running
both Mastodon & Hometown to understand if that is a good idea right now. To be
discussed.
<!-- metadata --> <!-- metadata -->
* **Category**: Apps - **Category**:
* **Status**: 1 - **Status**:
* **Image**: [`hometown`](https://git.coopcloud.tech/coop-cloud-chaos-patchs/docker-hometown), 1, Co-op Cloud custom image - **Image**: [`decentral1se/hometown`](https://hub.docker.com/r/decentral1se/hometown)
* **Healthcheck**: No - **Healthcheck**:
* **Backups**: No - **Backups**:
* **Email**: Yes - **Email**:
* **Tests**: No - **Tests**:
* **SSO**: Yes - **SSO**:
<!-- endmetadata --> <!-- endmetadata -->
## Basic usage ## Basic usage
See the [`coop-cloud/mastodon` `README.md`](https://git.coopcloud.tech/coop-cloud/mastodon#quick-start). 1. Set up Docker Swarm and [`abra`]
1. Deploy [`coop-cloud/traefik`]
1. `abra app new mastodon`
1. Follow the [secrets setup docs](#secrets-setup)
1. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to your Docker swarm box
1. `abra app YOURAPPDOMAIN deploy` to deploy the app
Watch out in case the Mastodon recipe latest is not the same as the Hometown You'll need to run a `docker exec -it <streaming-service-id> /bin/bash` and do the following:
latest version! You can switch back to a compatible tag on the Mastodon recipe
to compare docs, config etc. just to be sure.
## Tips & Tricks ```
export OTP_SECRET=$(cat /run/secrets/otp_secret)
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
export DB_PASS=$(cat /run/secrets/db_password)
bundle exec rake db:setup
```
See the [`coop-cloud/mastodon` `README.md`](https://git.coopcloud.tech/coop-cloud/mastodon#admin-tips-tricks). Then, on your host (outside of the containers), you'll need to fix permissions for the volume (see [#2](https://git.autonomic.zone/coop-cloud/hometown/issues/2)):
Please only gather tips & tricks that are specific to Hometown here. ```
chown -R 991:991 /var/lib/docker/volumes/<service-name>_app/_data
```
And finally, within any app container, create an admin account:
```
tootctl accounts create <username> --email <email> --confirmed --role admin
```
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
[`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
## Secrets setup
Because Mastodon expects secrets generated by specific tools, we don't support that in `abra` yet. However, you can run these commands yourself using the underlying Docker CLI. You can then load them in as secrets to the swarm using `abra` though and then they will be picked up on the deployment.
First, generate the `SECRET_KEY_BASE` and `OTP_SECRET` and store them in your local shell environment, you'll need them for subsequent commands.
```
$ SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
$ OTP_SECRET=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
$ abra app YOURAPPDOMAIN secret insert secret_key_base v1 $SECRET_KEY_BASE
$ abra app YOURAPPDOMAIN secret insert otp_secret v1 $OTP_SECRET
```
Then you need to generate the `VAPID_{PUBLIC/PRIVATE}_KEY` values using the `SECRET_KEY_BASE`/`OTP_SECRET`:
```
$ docker run \
-e SECRET_KEY_BASE=$SECRET_KEY_BASE \
-e OTP_SECRET=$OTP_SECRET \
--rm tootsuite/mastodon:v3.4.0 \
bundle exec rake mastodon:webpush:generate_vapid_key
```
Once you see the values generated, you can load the `VAPID_PUBLIC_KEY` into your `.env` file and `VAPID_PRIVATE_KEY` into a secret.
```
$ abra app YOURDOMAIN secret insert vapid_private_key v1 YOURVAPIDPRIVATEKEY
```
And finally, to end your whirlwind secrets loading adventure, get the `DB_PASS` and `SMTP_PASSWORD` loaded.
```
$ abra app YOURAPPDOMAIN secret generate db_password v1
$ abra app YOURDOMAIN secret insert smtp_password v1 YOURSMTPPASSWORD
```
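Review bot: the right-hand secrets walkthrough passes every generated secret on the command line (`abra app YOURAPPDOMAIN secret insert secret_key_base v1 $SECRET_KEY_BASE`, and `YOURVAPIDPRIVATEKEY` / `YOURSMTPPASSWORD` typed literally), so the values end up in shell history and are visible in the process list while the command runs; read them from a file or stdin if `abra` supports that, or at least tell readers to prefix the command with a space under `HISTCONTROL=ignorespace`. Smaller points in the same hunk: the placeholder is `YOURAPPDOMAIN` in most commands but `YOURDOMAIN` in the `vapid_private_key` and `smtp_password` lines; `chown -R 991:991 /var/lib/docker/volumes/<service-name>_app/_data` reaches into Docker's private volume directory as root and should be presented as the workaround for #2 rather than a normal step; and the metadata block on the right (`**Category**:`, `**Status**:`, ...) is empty, so the catalogue fields present on the left are lost.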

abra.sh
View File

@ -1,92 +1,62 @@
#!/bin/bash # shellcheck disable=SC2148
export ENTRYPOINT_CONF_VERSION=v5
#MASTO_APP_DIR="mastodon/public"
export ENTRYPOINT_CONF_VERSION=v8 sub_rake() {
export OTP_SECRET=$(cat /run/secrets/otp_secret)
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
export DB_PASS=$(cat /run/secrets/db_password)
file_env() { # shellcheck disable=SC2034
local var="$1" abra__service_="streaming"
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then # Using streaming for rake since it is the least likely to flap
echo >&2 "error: both $var and $fileVar are set (but are exclusive)" sub_app_run bundle exec rake "$@"
exit 1
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
declare -x -g "$var"="$val"
unset "$fileVar"
} }
environment() { sub_tootctl() {
# for sidekiq service bundle exec env var threading export OTP_SECRET=$(cat /run/secrets/otp_secret)
file_env "OTP_SECRET" export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
file_env "SECRET_KEY_BASE" export DB_PASS=$(cat /run/secrets/db_password)
file_env "DB_PASS"
file_env "SMTP_PASSWORD"
file_env "VAPID_PRIVATE_KEY"
declare -x RAILS_ENV=production # shellcheck disable=SC2034
abra__service_="web"
# Using streaming for rake since it is the least likely to flap
sub_app_run bin/tootctl "$@"
} }
setup_admin() { sub_setup() {
## Create an admin user info "Setting up mastodon database"
environment silence
accounts create "$1" --email "$2" --confirmed --role admin
sub_rake "db:setup"
unsilence
success "Mastodon's database is now up! 'web' and 'sidekiq' services should now stop failing."
echo "Do you want to create an admin user? (Extremely recommended!)"
prompt_confirm
read -rp "Username: " USERNAME
read -rp "Email: " EMAIL
warning "Password will be show on screen. Copy this down somewhere! Abra cannot show you this again!"
sub_tootctl accounts create $USERNAME --email $EMAIL --confirmed --role admin
success "Admin account created!"
success "Mastodon should be setup and ready to go!"
} }
shell() { # Not working atm
## Run a shell with proper environment # abra_backup_app() {
environment # _abra_backup_dir $MASTO_APP_DIR
bash $@ # }
}
generate_secrets() { # abra_restore_app() {
## Run `abra app cmd -l <yourdomain> generate_secrets` to use Docker to generate secrets you'll need to deploy # # shellcheck disable=SC2034
## your new instance (and create the secrets on target app). # {
docker context use default > /dev/null 2>&1 # abra__src_="-"
# abra__dst_=$MASTO_APP_DIR
# }
echo "Generating secrets for new Hometown deployment..." # zcat "$@" | sub_app_cp
echo ""
SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret) # success "Restored 'app'"
abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE" # }
echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
echo ""
OTP_SECRET=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
echo "OTP_SECRET = $OTP_SECRET"
echo ""
docker run \
-e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
-e OTP_SECRET="$OTP_SECRET" \
--rm tootsuite/mastodon:v3.4.0 \
bundle exec rake mastodon:webpush:generate_vapid_key \
> /tmp/key.txt
VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
rm -rf /tmp/key.txt
echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
echo "!IMPORTANT! you MUST insert this VAPID_PUBLIC_KEY into your app .env config !IMPORTANT!"
echo ""
abra app secret insert "$APP_NAME" vapid_private_key v1 "$VAPID_PRIVATE_KEY"
echo "VAPID_PRIVATE_KEY = $VAPID_PRIVATE_KEY"
echo ""
abra app secret generate "$APP_NAME" db_password v1
echo ""
echo "don't forget to insert your smtp_password! your deployment won't work without it"
echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
echo ""
}
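Review bot: `generate_secrets` on the left writes the VAPID key pair to a fixed, predictable path (`/tmp/key.txt`) on the operator's machine and then echoes `SECRET_KEY_BASE`, `OTP_SECRET` and `VAPID_PRIVATE_KEY` to the terminal after they have already been inserted; capture the `docker run` output in a variable (or use `mktemp`) and print only `VAPID_PUBLIC_KEY`, which is the one value the operator must copy into `.env`. Two further problems in this hunk: the Rails secrets are generated with `tootsuite/mastodon:v4.2.0` but the VAPID keys with `tootsuite/mastodon:v3.4.0` while the stack runs `hometown:v4.0.15-hometown-1.1.1`, so pick one image for all three; and `setup_admin` calls `accounts create "$1" --email "$2" ...` with no `tootctl`/`bin/tootctl` in front of it, which fails unless something on PATH defines `accounts`. On the right, `sub_setup` passes `$USERNAME` and `$EMAIL` to `sub_tootctl` unquoted.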

View File

@ -1,34 +0,0 @@
---
version: "3.8"
services:
es:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- "cluster.name=es-mastodon"
- "discovery.type=single-node"
- "bootstrap.memory_lock=true"
networks:
- internal_network
volumes:
- es:/usr/share/elasticsearch/data
ulimits:
memlock:
soft: -1
hard: -1
app:
environment: &es-env
- ES_ENABLED=true
- ES_HOST
- ES_PORT
streaming:
environment: *es-env
sidekiq:
environment: *es-env
volumes:
es:
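Review bot: the left-hand `compose.elasticsearch.yml` runs `elasticsearch-oss:7.10.2`, an image with no authentication module, so membership of `internal_network` is the only thing keeping the index private; that is acceptable for an opt-in overlay but deserves a comment in the file. 7.10.2 is also the last OSS release and receives no further fixes, and the right side's in-tree `es` service is on the even older 6.8.16, so whichever history wins should plan the move off these images. A healthcheck is missing here too (the right has one, commented out as "failing somehow").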

View File

@ -2,7 +2,8 @@
version: "3.8" version: "3.8"
services: services:
app: web:
image: decentral1se/hometown:v1.0.5_3.4.0_openid-sso
secrets: secrets:
- db_password - db_password
- otp_secret - otp_secret
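Review bot: the right-hand SSO overlay replaces `image:` on `web`, `streaming` and `sidekiq` with `decentral1se/hometown:v1.0.5_3.4.0_openid-sso`, a different build from the `decentral1se/hometown:v1.0.5_3.4.0` in the base `compose.yml`, so enabling SSO also changes which code runs and the two tags must be cut in lockstep. The left drops the override and relies on the base image carrying OIDC support, which is simpler; either way, the mounted `oidc_client_secret` is only read when `OIDC_ENABLED` is `true` (see the entrypoint template below), so document that `.env` must set it.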
@ -10,8 +11,8 @@ services:
- smtp_password - smtp_password
- vapid_private_key - vapid_private_key
- oidc_client_secret - oidc_client_secret
streaming: streaming:
image: decentral1se/hometown:v1.0.5_3.4.0_openid-sso
secrets: secrets:
- db_password - db_password
- otp_secret - otp_secret
@ -19,8 +20,8 @@ services:
- smtp_password - smtp_password
- vapid_private_key - vapid_private_key
- oidc_client_secret - oidc_client_secret
sidekiq: sidekiq:
image: decentral1se/hometown:v1.0.5_3.4.0_openid-sso
secrets: secrets:
- db_password - db_password
- otp_secret - otp_secret

View File

@ -1,35 +0,0 @@
---
version: "3.8"
services:
app:
environment: &s3-env
- S3_ENABLED=true
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key
- S3_BUCKET
- S3_REGION
- S3_PROTOCOL
- S3_HOSTNAME
- S3_ENDPOINT
- S3_SIGNATURE_VERSION
- S3_OVERRIDE_PATH_STYLE
- S3_OPEN_TIMEOUT
- S3_READ_TIMEOUT
- S3_FORCE_SINGLE_REQUEST
- S3_ALIAS_HOST
secrets: &s3-secrets
- aws_secret_access_key
streaming:
environment: *s3-env
secrets: *s3-secrets
sidekiq:
environment: *s3-env
secrets: *s3-secrets
secrets:
aws_secret_access_key:
name: ${STACK_NAME}_aws_secret_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
external: true
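Review bot: this overlay sets `AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key`, but Mastodon itself reads `AWS_SECRET_ACCESS_KEY` from the environment; the indirection only works because the left-hand entrypoint template adds `file_env "AWS_SECRET_ACCESS_KEY"`, so the two files must ship together and a comment here should say so. The other `S3_*` entries are bare pass-throughs with no defaults and `S3_ENABLED=true` is the only value fixed in the file, so including the overlay without filling `S3_BUCKET` and friends in `.env` starts the services with S3 on and empty settings; consider listing the required ones in a comment at the top.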

View File

@ -2,12 +2,66 @@
version: "3.8" version: "3.8"
services: services:
app: db:
image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.15-hometown-1.1.1 image: postgres:9.6-alpine
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rake db:migrate; bundle exec rails s -p 3000" networks: &internalNetwork
- internal_network
# Note(decentral1se): get this working, failing somehow so far
# healthcheck:
# test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
volumes:
- postgres:/var/lib/postgresql/data
secrets:
- db_password
environment:
- POSTGRES_DB=${DB_NAME}
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- POSTGRES_USER=${DB_USER}
redis:
image: redis:6.2-alpine
networks: *internalNetwork
healthcheck:
test: ["CMD", "redis-cli", "ping"]
volumes:
- redis:/data
es:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.16
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- "cluster.name=es-mastodon"
- "discovery.type=single-node"
- "bootstrap.memory_lock=true"
networks:
- internal_network
# Note(decentral1se): get this working, failing somehow so far
# healthcheck:
# test:
# [
# "CMD-SHELL",
# "curl --silent --fail localhost:9200/_cluster/health || exit 1",
# ]
volumes:
- es:/usr/share/elasticsearch/data
ulimits:
memlock:
soft: -1
hard: -1
web:
image: decentral1se/hometown:v1.0.5_3.4.0
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks: &bothNetworks networks: &bothNetworks
- proxy - proxy
- internal_network - internal_network
# Note(decentral1se): get this working, failing somehow so far
# healthcheck:
# test:
# [
# "CMD-SHELL",
# "wget -q --spider --proxy=off localhost:3000/health || exit 1",
# ]
deploy: deploy:
update_config: update_config:
failure_action: rollback failure_action: rollback
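Review bot: the left-hand `app` command runs `bundle exec rake db:migrate` on every container start with no `SKIP_POST_DEPLOYMENT_MIGRATIONS`, so a deploy of a new image migrates the schema fully while the old `sidekiq` and `streaming` tasks still run against it, and two `app` replicas would race each other; move migrations into an explicit `abra app cmd` step (the release-notes file removed in this compare documents exactly that two-phase procedure) and keep the command to `rails s`. On the right the images are dated: `postgres:9.6-alpine` and `elasticsearch-oss:6.8.16` are both past end of life, against `postgres:14.10-alpine` on the left. The commented `pg_isready -U ${POSTGRES_USER}` healthcheck "failing somehow" fails because `${POSTGRES_USER}` is interpolated at `docker stack deploy` time from `.env`, where only `DB_USER` exists; write `pg_isready -U ${DB_USER}` (or `$$POSTGRES_USER` to resolve inside the container) and it can be re-enabled.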
@ -19,7 +73,19 @@ services:
- "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "coop-cloud.${STACK_NAME}.version=1.1.9+v4.0.15-hometown-1.1.1" # WEB_DOMAIN redirect
#- "traefik.http.routers.${STACK_NAME}_web.rule=(Host(`${DOMAIN}`) || (Host(`${LOCAL_DOMAIN}`) && Path(`/.well-known/webfinger`)))"
# - "traefik.http.middlewares.mastodon-webfinger.redirectregex.regex=^https?://${LOCAL_DOMAIN}/.*" #^(http|https)://${LOCAL_DOMAIN}/.well-known/webfinger"
# # - "traefik.http.middlewares.mastodon-webfinger.redirectregex.permanent=true"
# - "traefik.http.middlewares.mastodon-webfinger.redirectregex.replacement=https://${WEB_DOMAIN}/.well-known/webfinger"
# - "traefik.http.routers.${STACK_NAME}_hack.rule=(Host(`${LOCAL_DOMAIN}`) && Path(`/.well-known/`))"
# - "traefik.http.routers.${STACK_NAME}_hack.entrypoints=websecure"
# - "traefik.http.routers.${STACK_NAME}_hack.middlewares=mastodon-webfinger@docker"
## Redirect from EXTRA_DOMAINS to DOMAIN
#- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
configs: &configs configs: &configs
- source: entrypoint_sh - source: entrypoint_sh
target: /usr/local/bin/entrypoint.sh target: /usr/local/bin/entrypoint.sh
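Review bot: the commented-out WEB_DOMAIN router on the right uses `entrypoints=websecure`, while the live routers in this file use `web-secure`; whoever uncomments it gets a router attached to a nonexistent entrypoint with no error. The commented `redirectregex` also matches every `LOCAL_DOMAIN` URL (`^https?://${LOCAL_DOMAIN}/.*`), not just `/.well-known/webfinger`, which is the stricter pattern left in the trailing comment. Either finish the feature (`USER_DOMAIN`/`WEB_DOMAIN` is still "FOR FUTURE USE" in `.env.sample`) or drop the dead labels instead of carrying them in both `web` and `streaming`. The left's `coop-cloud.${STACK_NAME}.version=1.1.9+v4.0.15-hometown-1.1.1` label duplicates the image tag and will drift unless release tooling writes both.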
@ -43,13 +109,15 @@ services:
- CACHE_REDIS_URL - CACHE_REDIS_URL
- DB_HOST - DB_HOST
- DB_NAME - DB_NAME
- DB_PASS_FILE=/run/secrets/db_password
- DB_PORT - DB_PORT
- DB_USER - DB_USER
- DB_PASS_FILE=/run/secrets/db_password
- DEFAULT_LOCALE - DEFAULT_LOCALE
- DISALLOW_UNAUTHENTICATED_API_ACCESS
- EMAIL_DOMAIN_ALLOWLIST - EMAIL_DOMAIN_ALLOWLIST
- EMAIL_DOMAIN_DENYLIST - EMAIL_DOMAIN_DENYLIST
- ES_ENABLED
- ES_HOST
- ES_PORT
- LDAP_BASE - LDAP_BASE
- LDAP_BIND_DN - LDAP_BIND_DN
- LDAP_ENABLED - LDAP_ENABLED
@ -64,12 +132,10 @@ services:
- LIMITED_FEDERATION_MODE - LIMITED_FEDERATION_MODE
- LOCAL_DOMAIN - LOCAL_DOMAIN
- MAX_SESSION_ACTIVATIONS - MAX_SESSION_ACTIVATIONS
- MAX_TOOT_CHARS
- OAUTH_REDIRECT_AT_SIGN_IN - OAUTH_REDIRECT_AT_SIGN_IN
- OIDC_AUTH_ENDPOINT - OIDC_AUTH_ENDPOINT
- OIDC_CLIENT_AUTH_METHOD - OIDC_CLIENT_AUTH_METHOD
- OIDC_CLIENT_ID - OIDC_CLIENT_ID
- OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
- OIDC_DISCOVERY - OIDC_DISCOVERY
- OIDC_DISPLAY - OIDC_DISPLAY
- OIDC_DISPLAY_NAME - OIDC_DISPLAY_NAME
@ -88,6 +154,7 @@ services:
- OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED - OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED
- OIDC_SEND_NONCE - OIDC_SEND_NONCE
- OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT - OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT
- OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
- OIDC_TOKEN_ENDPOINT - OIDC_TOKEN_ENDPOINT
- OIDC_UID_FIELD - OIDC_UID_FIELD
- OIDC_USER_INFO_ENDPOINT - OIDC_USER_INFO_ENDPOINT
@ -141,14 +208,22 @@ services:
- VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
- VAPID_PUBLIC_KEY - VAPID_PUBLIC_KEY
- WEB_DOMAIN - WEB_DOMAIN
- http_proxy # yes, this should be lowercase
streaming: streaming:
image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.15-hometown-1.1.1 image: decentral1se/hometown:v1.0.5_3.4.0
command: node ./streaming command: node ./streaming
configs: *configs configs: *configs
entrypoint: *entrypoint entrypoint: *entrypoint
secrets: *secrets secrets: *secrets
networks: *bothNetworks networks: *bothNetworks
# Note(decentral1se): get this working, failing somehow so far
# healthcheck:
# test:
# [
# "CMD-SHELL",
# "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1",
# ]
deploy: deploy:
update_config: update_config:
failure_action: rollback failure_action: rollback
@ -160,11 +235,16 @@ services:
- "traefik.http.routers.${STACK_NAME}_streaming.rule=(Host(`${DOMAIN}`) && PathPrefix(`/api/v1/streaming`))" - "traefik.http.routers.${STACK_NAME}_streaming.rule=(Host(`${DOMAIN}`) && PathPrefix(`/api/v1/streaming`))"
- "traefik.http.routers.${STACK_NAME}_streaming.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}_streaming.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}_streaming.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}_streaming.tls.certresolver=${LETS_ENCRYPT_ENV}"
## Redirect from EXTRA_DOMAINS to DOMAIN
#- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
environment: *env environment: *env
volumes: *appVolume # used to make sure this volume is created volumes: *appVolume # used to make sure this volume is created
sidekiq: sidekiq:
image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.15-hometown-1.1.1 image: decentral1se/hometown:v1.0.5_3.4.0
secrets: *secrets secrets: *secrets
command: bundle exec sidekiq command: bundle exec sidekiq
configs: *configs configs: *configs
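Review bot: the commented `EXTRA_DOMAINS` redirect labels here and in the `web` service reference a router named `traefik.http.routers.${STACK_NAME}`, but the routers defined in this file are `${STACK_NAME}_web` and `${STACK_NAME}_streaming`, so uncommenting them attaches a middleware to nothing. `headers.SSLForceHost`/`headers.SSLHost` are also the deprecated Traefik v2 headers options; a `redirectregex` middleware is the supported way to redirect alternate hosts. Remove the block or fix the router name before anyone enables it.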
@ -177,30 +257,9 @@ services:
volumes: *appVolume volumes: *appVolume
environment: *env environment: *env
db:
image: postgres:14.10-alpine
networks: &internalNetwork
- internal_network
volumes:
- postgres:/var/lib/postgresql/data
secrets:
- db_password
environment:
- POSTGRES_DB=${DB_NAME}
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- POSTGRES_USER=${DB_USER}
redis:
image: redis:7.2-alpine
networks: *internalNetwork
healthcheck:
test: ["CMD", "redis-cli", "ping"]
volumes:
- redis:/data
secrets: secrets:
secret_key_base: secret_key_base:
name: ${STACK_NAME}_secret_key_base_${SECRET_SECRET_KEY_BASE_VERSION} name: ${STACK_NAME}_secret_key_base_${SECRET_KEY_BASE_VERSION}
external: true external: true
otp_secret: otp_secret:
name: ${STACK_NAME}_otp_secret_${SECRET_OTP_SECRET_VERSION} name: ${STACK_NAME}_otp_secret_${SECRET_OTP_SECRET_VERSION}
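Review bot: the external secret name for `secret_key_base` is built from `SECRET_SECRET_KEY_BASE_VERSION` on the left and `SECRET_KEY_BASE_VERSION` on the right; whichever spelling survives has to match `.env.sample` and the `.drone.yml` environment exactly, otherwise `docker stack deploy` stops with an unresolved secret name. The left also moves `db` and `redis` to the end of the services block and upgrades them to `postgres:14.10-alpine` / `redis:7.2-alpine`, which is good, but `db` still has no `healthcheck` on either side (only `redis` does), so nothing in the stack signals when Postgres is accepting connections and the app services simply crash-loop until it is.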
@ -219,6 +278,7 @@ volumes:
app: app:
redis: redis:
postgres: postgres:
es:
networks: networks:
proxy: proxy:

View File

@ -23,16 +23,14 @@ file_env() {
unset "$fileVar" unset "$fileVar"
} }
# for sidekiq service bundle exec env var threading
file_env "DB_PASS" file_env "DB_PASS"
file_env "OTP_SECRET" file_env "OTP_SECRET"
file_env "SECRET_KEY_BASE" file_env "SECRET_KEY_BASE"
file_env "SMTP_PASSWORD" file_env "SMTP_PASSWORD"
file_env "VAPID_PRIVATE_KEY" file_env "VAPID_PRIVATE_KEY"
file_env "AWS_SECRET_ACCESS_KEY"
{{ if eq (env "OIDC_ENABLED") "true" }} {{ if eq (env "OIDC_ENABLED") "true" }}
file_env "OIDC_CLIENT_SECRET" file_env "OIDC_CLIENT_SECRET"
{{ end }} {{ end }}
/usr/bin/tini -s -- "$@" /usr/bin/tini -- "$@"
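Review bot: the entrypoint runs `/usr/bin/tini ... "$@"` without `exec`, so the bash script stays PID 1 and tini is only a child process; the left side's `tini -s` (register as subreaper) compensates for that, whereas the right's plain `tini --` warns that it is not PID 1 and orphaned children are never reaped. The cleaner fix on both sides is `exec /usr/bin/tini -- "$@"`, after which `-s` is unnecessary. The new `file_env "AWS_SECRET_ACCESS_KEY"` on the left should carry a comment like the `OIDC_ENABLED` guard does: `file_env` aborts the container if an operator sets `AWS_SECRET_ACCESS_KEY` in `.env` while the S3 overlay also sets `AWS_SECRET_ACCESS_KEY_FILE`.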

View File

@ -1,11 +0,0 @@
Mastodon 4 requires running pre- and post-deployment migrations, something like
```
abra app run your.app.domain app bash -c "SKIP_POST_DEPLOYMENT_MIGRATIONS=true rails db:migrate"
abra app restart your.app.domain app
abra app restart your.app.domain streaming
abra app restart your.app.domain sidekiq
abra app run your.app.domain app rails db:migrate
```
See the full release notes for details: https://github.com/mastodon/mastodon/releases/tag/v4.0.0
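Review bot: the procedure in this left-only file cannot be followed with the left-hand `compose.yml`, whose `app` command runs `bundle exec rake db:migrate` unconditionally on start: the `abra app restart your.app.domain app` in step 2 triggers a full migration, post-deployment migrations included, before `streaming` and `sidekiq` are restarted, which is exactly the ordering these notes exist to avoid. Either drop the migrate-on-boot from the compose command so this sequence is authoritative, or rewrite the notes to say that the restart already migrates and only the `SKIP_POST_DEPLOYMENT_MIGRATIONS=true` run beforehand matters.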


renovate.json Normal file
View File

@ -0,0 +1,3 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json"
}
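Review bot: this config carries only `$schema`, so Renovate runs with stock defaults and no preset; given how many image references this compare touches (`tootsuite/mastodon:v3.4.0` and `v4.2.0` in the scripts, `postgres`, `redis`, `elasticsearch-oss`, and the `:latest` Drone plugins), add at least `"extends": ["config:recommended"]` and consider `"docker": {"pinDigests": true}` so image bumps come as reviewable PRs. Renovate will not touch a `:latest` tag, so the Drone plugin images still need to be pinned by hand first.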