From 139a1e468f52995d9e9081087b4c58e16bc1768a Mon Sep 17 00:00:00 2001
From: Amras
Date: Wed, 17 Jun 2026 13:20:24 +0000
Subject: [PATCH 1/2] Upgrade to upstream v4.5.6+1.2.0 Applies the changes defined in https://github.com/hometown-fork/hometown/releases/tag/v4.5.6%2Bhometown-1.2.0 (with one exception: I ignored the optional fasp Sidekiq queue) There was a long gap in upstream releases, and the hometown fork skipped over 4.3.x and 4.4.x so there are a lot of changes here. NB: this isn't the current up-to-date version of hometown, but the later releases suggest doing the 1.2.0 upgrade before moving on. So I'm giving Coop-Cloud operators that option
---
 .env.sample | 5 +++--
 abra.sh | 2 +-
 compose.yml | 25 +++++++++++++++++++------
 entrypoint.sh.tmpl | 3 +++
 release/3.0.0+v4.5.6-hometown-1.2.0 | 20 ++++++++++++++++++++
 5 files changed, 46 insertions(+), 9 deletions(-)
 create mode 100644 release/3.0.0+v4.5.6-hometown-1.2.0
diff --git a/.env.sample b/.env.sample
index f15049e..cdd9f64 100644
--- a/.env.sample
+++ b/.env.sample
@@ -54,11 +54,9 @@ DB_PORT=5432
 REDIS_HOST=redis
 REDIS_PORT=6379
 # REDIS_URL=
-# REDIS_NAMESPACE=
 # CACHE_REDIS_HOST=
 # CACHE_REDIS_PORT=
 # CACHE_REDIS_URL=
-# CACHE_REDIS_NAMESPACE=
 # ElasticSearch
 # --------------------------------------
@@ -79,6 +77,9 @@ SECRET_VAPID_PRIVATE_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SMTP_PASSWORD_VERSION=v1
 SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1
+SECRET_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_VERSION=v1
+SECRET_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_VERSION=v1
+SECRET_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_VERSION=v1
 # Web Push
 # ========
diff --git a/abra.sh b/abra.sh
index a070e6d..bbcc8a3 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-export ENTRYPOINT_CONF_VERSION=v8
+export ENTRYPOINT_CONF_VERSION=v9
 file_env() {
 local var="$1"
diff --git a/compose.yml b/compose.yml
index 079bdf6..fdf949c 100644
--- a/compose.yml
+++ b/compose.yml
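Review bot: The three `SECRET_ACTIVE_RECORD_ENCRYPTION_*_VERSION` lines added in the `@@ -79,6 +77,9 @@` hunk of .env.sample carry no comment telling operators that these are not ordinary rotatable secrets. The version value is interpolated into the secret name in compose.yml, so bumping it points the app at a different secret, and data already encrypted under the old key material would presumably stop decrypting unless the previous keys are kept available. A one-line comment above them would cover it: `# Active Record encryption keys: generate once and keep these versions fixed; changing them can make existing encrypted data unreadable`. The surrounding block of the file continues outside the hunk.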
@@ -3,7 +3,7 @@ version: "3.8"
 services:
 app:
- image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.2.17-hometown-1.1.2
+ image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.5.6-hometown-1.2.0
 command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rake db:migrate; bundle exec rails s -p 3000"
 networks: &bothNetworks
 - proxy
@@ -19,7 +19,7 @@ services:
 - "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
 - "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
- - "coop-cloud.${STACK_NAME}.version=2.0.2+v4.2.17-hometown-1.1.2"
+ - "coop-cloud.${STACK_NAME}.version=3.0.0+v4.5.6-hometown-1.2.0"
 configs: &configs
 - source: entrypoint_sh
 target: /usr/local/bin/entrypoint.sh
@@ -33,12 +33,17 @@ services:
 - secret_key_base
 - smtp_password
 - vapid_private_key
+ - enc_det_key
+ - enc_salt
+ - enc_pri_key
 environment: &env
+ - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_FILE=/run/secrets/enc_det_key
+ - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_FILE=/run/secrets/enc_salt
+ - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_FILE=/run/secrets/enc_pri_key
 - ALLOW_ACCESS_TO_HIDDEN_SERVICE
 - ALTERNATE_DOMAINS
 - AUTHORIZED_FETCH
 - CACHE_REDIS_HOST
- - CACHE_REDIS_NAMESPACE
 - CACHE_REDIS_PORT
 - CACHE_REDIS_URL
 - DB_HOST
@@ -97,7 +102,6 @@ services:
 - RAILS_ENV
 - RAILS_SERVE_STATIC_FILES
 - REDIS_HOST
- - REDIS_NAMESPACE
 - REDIS_PORT
 - REDIS_URL
 - SAML_ACS_URL
@@ -143,7 +147,7 @@ services:
 - WEB_DOMAIN
 streaming:
- image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.2.17-hometown-1.1.2
+ image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.5.6-hometown-1.2.0-streaming
 command: node ./streaming
 configs: *configs
 entrypoint: *entrypoint
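Review bot: The `enc_det_key`, `enc_salt` and `enc_pri_key` entries added in the `@@ -33,12 +33,17 @@` hunk go into what looks like the shared secrets list (its `secrets:` header is above the hunk), so every service that reuses it receives the Active Record encryption keys, not only the Rails web process. Other hunks on this page show `secrets: *secrets` under both `sidekiq` and `streaming`; sidekiq presumably needs the keys, but the Node streaming server most likely never touches Active Record encrypted columns. Giving `streaming` its own explicit `secrets:` list, limited to what it actually reads, would keep a compromise of that service from exposing the database encryption keys. Whether sidekiq's `environment` inherits the three new `_FILE` variables is not visible here and is worth confirming.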
@@ -164,7 +168,7 @@ services:
 volumes: *appVolume # used to make sure this volume is created
 sidekiq:
- image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.2.17-hometown-1.1.2
+ image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.5.6-hometown-1.2.0
 secrets: *secrets
 command: bundle exec sidekiq
 configs: *configs
@@ -222,6 +226,15 @@ secrets:
 smtp_password:
 name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
 external: true
+ enc_det_key:
+ name: ${STACK_NAME}_enc_det_key_${SECRET_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_VERSION}
+ external: true
+ enc_salt:
+ name: ${STACK_NAME}_enc_salt_${SECRET_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_VERSION}
+ external: true
+ enc_pri_key:
+ name: ${STACK_NAME}_enc_pri_key_${SECRET_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_VERSION}
+ external: true
 volumes:
 app:
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index fb0b345..ce9814c 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -30,6 +30,9 @@ file_env "SECRET_KEY_BASE"
 file_env "SMTP_PASSWORD"
 file_env "VAPID_PRIVATE_KEY"
 file_env "AWS_SECRET_ACCESS_KEY"
+file_env "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
+file_env "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
+file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
 {{ if eq (env "OIDC_ENABLED") "true" }}
 file_env "OIDC_CLIENT_SECRET"
diff --git a/release/3.0.0+v4.5.6-hometown-1.2.0 b/release/3.0.0+v4.5.6-hometown-1.2.0
new file mode 100644
index 0000000..59c62ce
--- /dev/null
+++ b/release/3.0.0+v4.5.6-hometown-1.2.0
@@ -0,0 +1,20 @@
+!!! It is recommended to update to this version before moving on to later updates !!!
+
+- Redis Namespaces are no longer supported! If you use REDIS_NAMESPACE or CACHE_REDIS_NAMESPACE in your config, you'll have to remove it.
+
+- Three new secrets have been introduced:
+ * Add the keys to your env:
+SECRET_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_VERSION=v1
+SECRET_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_VERSION=v1
+SECRET_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_VERSION=v1
+ * Create the keys, e.g. with `abra app secret generate -a your.app.domain`
+
+- As with every mastodon upgrade, you'll need to migrate databases by running:
+```
+abra app run your.app.domain app bash -c "SKIP_POST_DEPLOYMENT_MIGRATIONS=true rails db:migrate"
+abra app undeploy your.app.domain
+abra app deploy your.app.domain
+abra app run your.app.domain app rails db:migrate
+```
+
+See the full release notes for details: https://github.com/hometown-fork/hometown/releases/tag/v4.5.6%2Bhometown-1.2.0
-- 2.49.0
From 00d71c3fb66f4820b8e3b4d75da6aa178f55d53d Mon Sep 17 00:00:00 2001
From: Amras
Date: Wed, 17 Jun 2026 14:29:54 +0000
Subject: [PATCH 2/2] Upgrade to 4.5.11+1.2.1 Notable change is that the streaming and main images have different entrypoints in the Dockerfiles. I broke up our entrypoint.sh to respect that. Unclear if this affected 1.2.0, but in my tests the streaming container deployed without issue in 1.2.0.
---
 compose.yml | 35 ++++++++++++++-----
 ...point.sh.tmpl => entrypoint.common.sh.tmpl | 1 -
 entrypoint.main.sh.tmpl | 6 ++++
 entrypoint.streaming.sh.tmpl | 6 ++++
 release/3.0.1+v4.5.11-hometown-1.2.1 | 1 +
 5 files changed, 39 insertions(+), 10 deletions(-)
 rename entrypoint.sh.tmpl => entrypoint.common.sh.tmpl (97%)
 create mode 100644 entrypoint.main.sh.tmpl
 create mode 100644 entrypoint.streaming.sh.tmpl
 create mode 100644 release/3.0.1+v4.5.11-hometown-1.2.1
diff --git a/compose.yml b/compose.yml
index fdf949c..32127a5 100644
--- a/compose.yml
+++ b/compose.yml
@@ -3,7 +3,7 @@ version: "3.8"
 services:
 app:
- image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.5.6-hometown-1.2.0
+ image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.5.11-hometown-1.2.1
 command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rake db:migrate; bundle exec rails s -p 3000"
 networks: &bothNetworks
 - proxy
@@ -19,9 +19,12 @@ services:
 - "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
 - "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
- - "coop-cloud.${STACK_NAME}.version=3.0.0+v4.5.6-hometown-1.2.0"
+ - "coop-cloud.${STACK_NAME}.version=3.0.1+v4.5.11-hometown-1.2.1"
 configs: &configs
- - source: entrypoint_sh
+ - source: entrypoint_common_sh
+ target: /usr/local/bin/entrypoint.common.sh
+ mode: 0555
+ - source: entrypoint_main_sh
 target: /usr/local/bin/entrypoint.sh
 mode: 0555
 entrypoint: &entrypoint /usr/local/bin/entrypoint.sh
@@ -147,9 +150,15 @@ services:
 - WEB_DOMAIN
 streaming:
- image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.5.6-hometown-1.2.0-streaming
+ image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.5.11-hometown-1.2.1-streaming
 command: node ./streaming
- configs: *configs
+ configs:
+ - source: entrypoint_common_sh
+ target: /usr/local/bin/entrypoint.common.sh
+ mode: 0555
+ - source: entrypoint_streaming_sh
+ target: /usr/local/bin/entrypoint.sh
+ mode: 0555
 entrypoint: *entrypoint
 secrets: *secrets
 networks: *bothNetworks
@@ -168,7 +177,7 @@ services:
 volumes: *appVolume # used to make sure this volume is created
 sidekiq:
- image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.5.6-hometown-1.2.0
+ image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.5.11-hometown-1.2.1
 secrets: *secrets
 command: bundle exec sidekiq
 configs: *configs
@@ -248,7 +257,15 @@ networks: internal: true configs: - entrypoint_sh: - name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION} - file: entrypoint.sh.tmpl + entrypoint_common_sh: + name: ${STACK_NAME}_ep_common_conf_${ENTRYPOINT_CONF_VERSION} + file: entrypoint.common.sh.tmpl + template_driver: golang + entrypoint_main_sh: + name: ${STACK_NAME}_ep_main_conf_${ENTRYPOINT_CONF_VERSION} + file: entrypoint.main.sh.tmpl + template_driver: golang + entrypoint_streaming_sh: + name: ${STACK_NAME}_ep_streaming_conf_${ENTRYPOINT_CONF_VERSION} + file: entrypoint.streaming.sh.tmpl template_driver: golang diff --git a/entrypoint.sh.tmpl b/entrypoint.common.sh.tmpl similarity index 97% rename from entrypoint.sh.tmpl rename to entrypoint.common.sh.tmpl index ce9814c..32e5849 100644 --- a/entrypoint.sh.tmpl +++ b/entrypoint.common.sh.tmpl @@ -38,4 +38,3 @@ file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY" file_env "OIDC_CLIENT_SECRET" {{ end }} -/usr/bin/tini -s -- "$@" diff --git a/entrypoint.main.sh.tmpl b/entrypoint.main.sh.tmpl new file mode 100644 index 0000000..c5efd38 --- /dev/null +++ b/entrypoint.main.sh.tmpl @@ -0,0 +1,6 @@ +#!/bin/bash + +source entrypoint.common.sh + +/usr/bin/tini -s -- "$@" + diff --git a/entrypoint.streaming.sh.tmpl b/entrypoint.streaming.sh.tmpl new file mode 100644 index 0000000..bd7573b --- /dev/null +++ b/entrypoint.streaming.sh.tmpl @@ -0,0 +1,6 @@ +#!/bin/bash + +source entrypoint.common.sh + +node ./streaming/index.js + diff --git a/release/3.0.1+v4.5.11-hometown-1.2.1 b/release/3.0.1+v4.5.11-hometown-1.2.1 new file mode 100644 index 0000000..bb4d3c1 --- /dev/null +++ b/release/3.0.1+v4.5.11-hometown-1.2.1 @@ -0,0 +1 @@ +No migration necessary, but backing up the database is recommended. -- 2.49.0