Add missing file_env entries

It gets enabled by include compose.s3.yml

.env.sample

@@ -61,7 +61,7 @@ REDIS_PORT=6379
 
 # ElasticSearch
 # --------------------------------------
-ES_ENABLED=true
+#COMPOSE_FILE="$COMPOSE_FILE:compose.elasticsearch.yml"
 ES_HOST=es
 ES_PORT=9200
 
@@ -77,6 +77,7 @@ SECRET_OTP_SECRET_VERSION=v1
 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SMTP_PASSWORD_VERSION=v1
+SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1
 
 # Web Push
 # ========
@@ -118,7 +119,7 @@ DEFAULT_LOCALE=en
 
 # S3 and AWS
 # ----------
-# S3_ENABLED=
+#COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
 # S3_BUCKET=
 # AWS_ACCESS_KEY_ID=
 # AWS_SECRET_ACCESS_KEY=

abra.sh

@@ -1,93 +1,70 @@
 #!/bin/bash
 
-export ENTRYPOINT_CONF_VERSION=v7
+export ENTRYPOINT_CONF_VERSION=v6
 
+assets() {
+  export OTP_SECRET=$(cat /run/secrets/otp_secret)
+  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
+  export DB_PASS=$(cat /run/secrets/db_password)
 
-file_env() {
-  local var="$1"
-  local fileVar="${var}_FILE"
-  local def="${2:-}"
-
-  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-    exit 1
-  fi
-
-  local val="$def"
-  if [ "${!var:-}" ]; then
-    val="${!var}"
-  elif [ "${!fileVar:-}" ]; then
-    val="$(< "${!fileVar}")"
-  fi
-
-  declare -x -g "$var"="$val"
-  unset "$fileVar"
+  RAILS_ENV=production bundle exec rails assets:precompile
 }
 
-environment() {
-    # for sidekiq service bundle exec env var threading
-    file_env "OTP_SECRET"
-    file_env "SECRET_KEY_BASE"
-    file_env "DB_PASS"
-    file_env "SMTP_PASSWORD"
-    file_env "VAPID_PRIVATE_KEY"
+setup() {
+  export OTP_SECRET=$(cat /run/secrets/otp_secret)
+  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
+  export DB_PASS=$(cat /run/secrets/db_password)
 
-    declare -x RAILS_ENV=production
+  RAILS_ENV=production bundle exec rake db:setup
 }
 
-setup_admin() {
-    ## Create an admin user
-    environment
-    accounts create "$1" --email "$2" --confirmed --role admin
+admin() {
+  export OTP_SECRET=$(cat /run/secrets/otp_secret)
+  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
+  export DB_PASS=$(cat /run/secrets/db_password)
+
+  RAILS_ENV=production bin/tootctl accounts create "$1" --email "$2" --confirmed --role admin
 }
 
-shell() {
-    ## Run a shell with proper environment
-    environment
-    bash $@
-}
-
-generate_secrets() {
-    ## Run `abra app cmd -l <yourdomain> generate_secrets` to use Docker to generate secrets you'll need to deploy
-    ## your new instance (and create the secrets on target app).
-    docker context use default > /dev/null 2>&1
-
-    echo "Generating secrets for new Hometown deployment..."
-    echo ""
-
-    SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
-    abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
-    echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
-    echo ""
-
-    OTP_SECRET=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
-    abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
-    echo "OTP_SECRET = $OTP_SECRET"
-    echo ""
-
-    docker run \
-           -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
-           -e OTP_SECRET="$OTP_SECRET" \
-           --rm tootsuite/mastodon:v3.4.0 \
-           bundle exec rake mastodon:webpush:generate_vapid_key \
-           > /tmp/key.txt
-
-    VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
-    VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
-    rm -rf /tmp/key.txt
-
-    echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
-    echo "!IMPORTANT! you MUST insert this VAPID_PUBLIC_KEY into your app .env config !IMPORTANT!"
-    echo ""
-
-    abra app secret insert "$APP_NAME" vapid_private_key v1 "$VAPID_PRIVATE_KEY"
-    echo "VAPID_PRIVATE_KEY = $VAPID_PRIVATE_KEY"
-    echo ""
-
-    abra app secret generate "$APP_NAME" db_password v1
-    echo ""
-
-    echo "don't forget to insert your smtp_password! your deployment won't work without it"
-    echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
-    echo ""
+secrets() {
+  docker context use default > /dev/null 2>&1
+
+  echo "Generating secrets for new Hometown deployment..."
+  echo ""
+
+  SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
+  abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
+  echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
+  echo ""
+
+  OTP_SECRET=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
+  abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
+  echo "OTP_SECRET = $OTP_SECRET"
+  echo ""
+
+  docker run \
+    -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
+    -e OTP_SECRET="$OTP_SECRET" \
+    --rm tootsuite/mastodon:v3.4.0 \
+    bundle exec rake mastodon:webpush:generate_vapid_key \
+    > /tmp/key.txt
+
+  VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
+  VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
+  rm -rf /tmp/key.txt
+
+  echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
+  echo "!IMPORTANT! you MUST insert this VAPID_PUBLIC_KEY into your app .env config !IMPORTANT!"
+  echo ""
+
+  abra app secret insert "$APP_NAME" vapid_private_key v1 "$VAPID_PRIVATE_KEY"
+  echo "VAPID_PRIVATE_KEY = $VAPID_PRIVATE_KEY"
+  echo ""
+
+  abra app secret generate "$APP_NAME" db_password v1
+  echo ""
+
+  echo "don't forget to insert your smtp_password! your deployment won't work without it"
+  echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
+  echo ""
 }

compose.elasticsearch.yml

@@ -0,0 +1,15 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment: &es-env
+      - ES_ENABLED=true
+      - ES_HOST
+      - ES_PORT
+
+  streaming:
+    environment: *es-env
+
+  sidekiq:
+    environment: *es-env

compose.s3.yml

@@ -0,0 +1,33 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment: &s3-env
+      - S3_ENABLED=true
+      - AWS_ACCESS_KEY_ID
+      - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key
+      - S3_BUCKET
+      - S3_REGION
+      - S3_PROTOCOL
+      - S3_HOSTNAME
+      - S3_ENDPOINT
+      - S3_SIGNATURE_VERSION
+      - S3_OVERRIDE_PATH_STYLE
+      - S3_OPEN_TIMEOUT
+      - S3_READ_TIMEOUT
+    secrets: &s3-secrets
+      - aws_secret_access_key
+
+  streaming:
+    environment: *s3-env
+    secrets: *s3-secrets
+
+  sidekiq:
+    environment: *s3-env
+    secrets: *s3-secrets
+
+secrets:
+  aws_secret_access_key:
+    name: ${STACK_NAME}_aws_secret_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
+    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v3.5.10-hometown-1.0.8
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.6-hometown-1.1.1
     command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
     networks: &bothNetworks
       - proxy
@@ -19,7 +19,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.2.3+v3.5.10-hometown-1.0.8"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+v4.0.6-hometown-1.1.1"
     configs: &configs
       - source: entrypoint_sh
         target: /usr/local/bin/entrypoint.sh
@@ -45,13 +45,9 @@ services:
       - DB_NAME
       - DB_PORT
       - DB_USER
-      - DB_PASS_FILE=/run/secrets/db_password
       - DEFAULT_LOCALE
       - EMAIL_DOMAIN_ALLOWLIST
       - EMAIL_DOMAIN_DENYLIST
-      - ES_ENABLED
-      - ES_HOST
-      - ES_PORT
       - LDAP_BASE
       - LDAP_BIND_DN
       - LDAP_ENABLED
@@ -68,7 +64,6 @@ services:
       - MAX_SESSION_ACTIVATIONS
       - MAX_TOOT_CHARS
       - OAUTH_REDIRECT_AT_SIGN_IN
-      - OTP_SECRET_FILE=/run/secrets/otp_secret
       - OIDC_AUTH_ENDPOINT
       - OIDC_CLIENT_AUTH_METHOD
       - OIDC_CLIENT_ID
@@ -122,7 +117,6 @@ services:
       - SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
       - SAML_SECURITY_WANT_ASSERTION_SIGNED
       - SAML_UID_ATTRIBUTE
-      - SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
       - SINGLE_USER_MODE
       - SMTP_AUTH_METHOD
       - SMTP_CA_FILE
@@ -145,7 +139,7 @@ services:
       - WEB_DOMAIN
 
   streaming:
-    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v3.5.10-hometown-1.0.8
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.6-hometown-1.1.1
     command: node ./streaming
     configs: *configs
     entrypoint: *entrypoint
@@ -166,7 +160,7 @@ services:
     volumes: *appVolume # used to make sure this volume is created
 
   sidekiq:
-    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v3.5.10-hometown-1.0.8
+    image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.6-hometown-1.1.1
     secrets: *secrets
     command: bundle exec sidekiq
     configs: *configs

entrypoint.sh.tmpl

@@ -23,12 +23,14 @@ file_env() {
   unset "$fileVar"
 }
 
+export DB_PASS=$(cat /run/secrets/db_password)
+
 # for sidekiq service bundle exec env var threading
 file_env "OTP_SECRET"
 file_env "SECRET_KEY_BASE"
-file_env "DB_PASS"
 file_env "SMTP_PASSWORD"
 file_env "VAPID_PRIVATE_KEY"
+file_env "AWS_SECRET_ACCESS_KEY"
 
 {{ if eq (env "OIDC_ENABLED") "true" }}
 file_env "OIDC_CLIENT_SECRET"

release/1.0.0+v4.0.6-hometown-1.1.1

@@ -0,0 +1,11 @@
+Mastodon 4 requires running pre- and post-deployment migrations, something like
+
+```
+abra app run your.app.domain app bash -c "SKIP_POST_DEPLOYMENT_MIGRATIONS=true rails db:migrate"
+abra app restart your.app.domain app
+abra app restart your.app.domain streaming
+abra app restart your.app.domain sidekiq
+abra app run your.app.domain app rails db:migrate
+```
+
+See the full release notes for details: https://github.com/mastodon/mastodon/releases/tag/v4.0.0