coop-cloud/mastodon
coop-cloud/mastodon
2
0
Fork 1
generated from coop-cloud/example
Code Issues 3 Pull Requests Projects Releases Wiki Activity

OIDC secret storage, separate streaming entrypoint

Browse Source
This commit is contained in:
3wc 2024-11-21 22:44:45 -05:00
parent f70ec17004
commit 95f295ed5c
7 changed files with 205 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.env.sample
View File

@ -79,6 +79,9 @@ SECRET_OTP_SECRET_VERSION=v1
SECRET_VAPID_PRIVATE_KEY_VERSION=v1 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
SECRET_DB_PASSWORD_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1
SECRET_SMTP_PASSWORD_VERSION=v1 SECRET_SMTP_PASSWORD_VERSION=v1
SECRET_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_VERSION=v1
SECRET_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_VERSION=v1
SECRET_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_VERSION=v1
# Web Push # Web Push
# ======== # ========
@ -187,4 +190,5 @@ DEFAULT_LOCALE=en
# OIDC_REDIRECT_URI=https://mastodon.company/auth/auth/openid_connect/callback # OIDC_REDIRECT_URI=https://mastodon.company/auth/auth/openid_connect/callback
# OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true # OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
# OMNIAUTH_ONLY=true # OMNIAUTH_ONLY=true
# ONE_CLICK_SSO_LOGIN # ONE_CLICK_SSO_LOGIN=true
# SECRET_OIDC_CLIENT_SECRET_VERSION=v1

96
abra.sh
View File

@ -1,25 +1,60 @@
export ENTRYPOINT_CONF_VERSION=v3 export ENTRYPOINT_CONF_VERSION=v5
export ENTRYPOINT_STREAMING_CONF_VERSION=v1
file_env() {
local var="$1"
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
exit 1
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
declare -x -g "$var"="$val"
unset "$fileVar"
}
environment() {
# for sidekiq service bundle exec env var threading
file_env "DB_PASS"
file_env "OTP_SECRET"
file_env "SECRET_KEY_BASE"
file_env "VAPID_PRIVATE_KEY"
file_env "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
file_env "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
declare -x RAILS_ENV=production
}
assets() { assets() {
export OTP_SECRET=$(cat /run/secrets/otp_secret) environment
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
export DB_PASS=$(cat /run/secrets/db_password)
RAILS_ENV=production bundle exec rails assets:precompile bundle exec rails assets:precompile
} }
admin() { admin() {
export OTP_SECRET=$(cat /run/secrets/otp_secret) environment
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
export DB_PASS=$(cat /run/secrets/db_password)
RAILS_ENV=production bin/tootctl accounts create "$1" --email "$2" --confirmed --role Owner bin/tootctl accounts create "$1" --email "$2" --confirmed --role Owner
}
shell() {
## Run a shell with proper environment
environment
bash $@
} }
setup() { setup() {
export OTP_SECRET=$(cat /run/secrets/otp_secret) environment
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
export DB_PASS=$(cat /run/secrets/db_password)
RAILS_ENV=production bundle exec rake db:setup RAILS_ENV=production bundle exec rake db:setup
} }
@ -29,7 +64,7 @@ secrets() {
docker context use default > /dev/null 2>&1 docker context use default > /dev/null 2>&1
MASTO_VERSION="v4.1.0" MASTO_VERSION="v4.3.1"
echo "Generating secrets for a new Mastodon deployment..." echo "Generating secrets for a new Mastodon deployment..."
echo "" echo ""
@ -70,3 +105,38 @@ secrets() {
echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\"" echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
echo "" echo ""
} }
secrets_activerecord() {
set -e
docker context use default > /dev/null 2>&1
MASTO_VERSION="v4.3.1"
echo "Generating activerecord secrets for an updated deployment"
echo ""
docker run \
-e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
-e OTP_SECRET="$OTP_SECRET" \
--rm tootsuite/mastodon:$MASTO_VERSION \
bundle exec rake db:encryption:init \
> /tmp/activerecord.txt
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=$(grep ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY /tmp/activerecord.txt | cut -d'=' -f2)
abra app secret insert "$APP_NAME" active_record_encryption_deterministic_key v1 "$ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
echo "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY = $ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
echo ""
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=$(grep ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT /tmp/activerecord.txt | cut -d'=' -f2)
abra app secret insert "$APP_NAME" active_record_encryption_key_derivation_salt v1 "$ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
echo "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT = $ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
echo ""
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=$(grep ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY /tmp/activerecord.txt | cut -d'=' -f2)
abra app secret insert "$APP_NAME" active_record_encryption_primary_key v1 "$ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
echo "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY = $ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
echo ""
rm -rf /tmp/activerecord.txt
}

9
compose.oidc.yml
View File

@ -12,8 +12,15 @@ services:
- OIDC_SCOPE - OIDC_SCOPE
- OIDC_UID_FIELD - OIDC_UID_FIELD
- OIDC_CLIENT_ID - OIDC_CLIENT_ID
- OIDC_CLIENT_SECRET
- OIDC_REDIRECT_URI - OIDC_REDIRECT_URI
- OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED - OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED
- OMNIAUTH_ONLY - OMNIAUTH_ONLY
- ONE_CLICK_SSO_LOGIN - ONE_CLICK_SSO_LOGIN
- OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
secrets:
- oidc_client_secret
secrets:
oidc_client_secret:
name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
external: true

33
compose.yml
View File

@ -3,7 +3,7 @@ version: "3.8"
services: services:
app: app:
image: tootsuite/mastodon:v4.2.13 image: tootsuite/mastodon:v4.3.1
command: | command: |
bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks: &bothNetworks networks: &bothNetworks
@ -25,6 +25,9 @@ services:
- source: entrypoint_sh - source: entrypoint_sh
target: /usr/local/bin/entrypoint.sh target: /usr/local/bin/entrypoint.sh
mode: 0555 mode: 0555
- source: entrypoint_streaming_sh
target: /usr/local/bin/entrypoint_streaming.sh
mode: 0555
entrypoint: &entrypoint /usr/local/bin/entrypoint.sh entrypoint: &entrypoint /usr/local/bin/entrypoint.sh
volumes: &appVolume volumes: &appVolume
- app:/opt/mastodon/public/system - app:/opt/mastodon/public/system
@ -34,7 +37,13 @@ services:
- secret_key_base - secret_key_base
- smtp_password - smtp_password
- vapid_private_key - vapid_private_key
- active_record_encryption_deterministic_key
- active_record_encryption_key_derivation_salt
- active_record_encryption_primary_key
environment: &env environment: &env
- ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_FILE=/run/secrets/active_record_encryption_deterministic_key
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_FILE=/run/secrets/active_record_encryption_key_derivation_salt
- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_FILE=/run/secrets/active_record_encryption_primary_key
- ALLOW_ACCESS_TO_HIDDEN_SERVICE - ALLOW_ACCESS_TO_HIDDEN_SERVICE
- ALTERNATE_DOMAINS - ALTERNATE_DOMAINS
- AUTHORIZED_FETCH - AUTHORIZED_FETCH
@ -46,6 +55,7 @@ services:
- DB_NAME - DB_NAME
- DB_PORT - DB_PORT
- DB_USER - DB_USER
- DB_PASS_FILE=/run/secrets/db_password
- DEFAULT_LOCALE - DEFAULT_LOCALE
- EMAIL_DOMAIN_ALLOWLIST - EMAIL_DOMAIN_ALLOWLIST
- EMAIL_DOMAIN_DENYLIST - EMAIL_DOMAIN_DENYLIST
@ -119,10 +129,10 @@ services:
- WEB_DOMAIN - WEB_DOMAIN
streaming: streaming:
image: tootsuite/mastodon:v4.2.13 image: tootsuite/mastodon-streaming:v4.3.1
command: node ./streaming command: node ./streaming/index.js
configs: *configs configs: *configs
entrypoint: *entrypoint entrypoint: /usr/local/bin/entrypoint_streaming.sh
secrets: *secrets secrets: *secrets
networks: *bothNetworks networks: *bothNetworks
deploy: deploy:
@ -140,7 +150,7 @@ services:
volumes: *appVolume volumes: *appVolume
sidekiq: sidekiq:
image: tootsuite/mastodon:v4.2.13 image: tootsuite/mastodon:v4.3.1
secrets: *secrets secrets: *secrets
command: bundle exec sidekiq command: bundle exec sidekiq
configs: *configs configs: *configs
@ -206,6 +216,15 @@ secrets:
smtp_password: smtp_password:
name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION} name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
external: true external: true
active_record_encryption_deterministic_key:
name: ${STACK_NAME}_active_record_encryption_deterministic_key_${SECRET_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_VERSION}
external: true
active_record_encryption_key_derivation_salt:
name: ${STACK_NAME}_active_record_encryption_key_derivation_salt_${SECRET_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_VERSION}
external: true
active_record_encryption_primary_key:
name: ${STACK_NAME}_active_record_encryption_primary_key_${SECRET_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_VERSION}
external: true
volumes: volumes:
app: app:
@ -223,3 +242,7 @@ configs:
name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION} name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
file: entrypoint.sh.tmpl file: entrypoint.sh.tmpl
template_driver: golang template_driver: golang
entrypoint_streaming_sh:
name: ${STACK_NAME}_entrypoint_streaming_conf_${ENTRYPOINT_STREAMING_CONF_VERSION}
file: entrypoint-streaming.sh.tmpl
template_driver: golang

34
entrypoint-streaming.sh.tmpl Normal file
View File

@ -0,0 +1,34 @@
#!/bin/bash
set -eu
file_env() {
local var="$1"
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
exit 1
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
declare -x -g "$var"="$val"
unset "$fileVar"
}
file_env "DB_PASS"
file_env "OTP_SECRET"
file_env "SECRET_KEY_BASE"
file_env "VAPID_PRIVATE_KEY"
file_env "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
file_env "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
/usr/local/bin/docker-entrypoint.sh "$@"

41
entrypoint.sh.tmpl
View File

@ -2,11 +2,42 @@
set -eu set -eu
export DB_PASS=$(cat /run/secrets/db_password) file_env() {
export OTP_SECRET=$(cat $OTP_SECRET_FILE) local var="$1"
export SECRET_KEY_BASE=$(cat $SECRET_KEY_BASE_FILE) local fileVar="${var}_FILE"
export VAPID_PRIVATE_KEY=$(cat $VAPID_PRIVATE_KEY_FILE) local def="${2:-}"
sed -i '/- admin$/d' /opt/mastodon/config/settings.yml if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
exit 1
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
declare -x -g "$var"="$val"
unset "$fileVar"
}
file_env "DB_PASS"
file_env "SMTP_PASSWORD"
file_env "OTP_SECRET"
file_env "SECRET_KEY_BASE"
file_env "VAPID_PRIVATE_KEY"
file_env "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
file_env "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
{{ if eq (env "OIDC_ENABLED") "true" }}
file_env "OIDC_CLIENT_SECRET"
{{ end }}
# NOTE: this was working in mastodon 4.2 but breaks in 4.3
# sed -i '/- admin$/d' /opt/mastodon/config/settings.yml
/usr/bin/tini -s -- "$@" /usr/bin/tini -s -- "$@"

11
release/next Normal file
View File

@ -0,0 +1,11 @@
WARNING❗ This release requires adding new secrets, and will not deploy successfully without them.
Run `abra app cmd --local <domain> secrets_activerecord` to generate and store these secrets.
You will also need to add this to your config (`abra app config <domain>`):
```
SECRET_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_VERSION=v1
SECRET_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_VERSION=v1
SECRET_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_VERSION=v1
```