Merge pull request 'remove old setup script' (#17) from benjaminlyng/mastodon:chore/remove_old_setup_script into main

Reviewed-on: #17
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>

.drone.yml

@@ -38,7 +38,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -15,6 +15,10 @@ LETS_ENCRYPT_ENV=production
 
 COMPOSE_FILE="compose.yml"
 
+# Set the maximum length for toots (posts). Longer posts from other servers will still be displayed, this limit only applies to users on this instance.
+#MAX_CHARS=500
+#COMPOSE_FILE="$COMPOSE_FILE:compose.character-limit.yml"
+
 # Federation
 # ----------
 # DO NOT CHANGE DOMAIN VARIABLES AFTER DEPLOYMENT! WILL BREAK FEDERATION!!
@@ -79,6 +83,9 @@ SECRET_OTP_SECRET_VERSION=v1
 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SMTP_PASSWORD_VERSION=v1
+SECRET_ARE_DETERMINISTIC_KEY_VERSION=v1
+SECRET_ARE_KEY_DERIVATION_SALT_VERSION=v1
+SECRET_ARE_PRIMARY_KEY_VERSION=v1
 
 # Web Push
 # ========
@@ -187,4 +194,5 @@ DEFAULT_LOCALE=en
 # OIDC_REDIRECT_URI=https://mastodon.company/auth/auth/openid_connect/callback
 # OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
 # OMNIAUTH_ONLY=true
-# ONE_CLICK_SSO_LOGIN
+# ONE_CLICK_SSO_LOGIN=true
+# SECRET_OIDC_CLIENT_SECRET_VERSION=v1

README.md

@@ -22,10 +22,10 @@ the [`abra.sh`](./abra.sh) for more.
 
 1. `abra app new mastodon`
 1. `abra app cmd --local <domain> secrets`
+1. `abra app cmd --local <domain> secrets_activerecord`
 1. `abra app secret insert <domain> smtp_password v1 <password>`
 1. `abra app config <domain>` (uncomment SMTP details)
 1. `abra app deploy <domain>`
-1. `abra app cmd <domain> streaming setup`
 
 Then, on your host (outside of the containers), you'll need to fix permissions
 for the volume (see [#10](https://git.coopcloud.tech/coop-cloud/mastodon/issues/10)):
@@ -37,7 +37,7 @@ chown -R 991:991 /var/lib/docker/volumes/<domain>_app/_data
 And finally, within the `app` container, create an admin account:
 
 ```
-abra app cmd <domain> admin -- <username> <email>
+abra app cmd <domain> app admin -- <username> <email>
 ```
 
 ## Tips & tricks

abra.sh

@@ -1,27 +1,69 @@
-export ENTRYPOINT_CONF_VERSION=v3
+export ENTRYPOINT_CONF_VERSION=v6
+export ENTRYPOINT_STREAMING_CONF_VERSION=v1
+
+grep=grep
+if ! $grep -P --version 2>/dev/null 1>/dev/null
+then
+    echo "$grep doesn't have -P option, trying ggrep"
+    grep=ggrep
+    if ! $grep -P --version 2>/dev/null 1>/dev/null
+    then
+      echo "If you're on a mac try running \`brew install grep\`"
+      exit 1
+    fi
+fi
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  declare -x -g "$var"="$val"
+  unset "$fileVar"
+}
+
+environment() {
+    # for sidekiq service bundle exec env var threading
+    file_env "DB_PASS"
+    file_env "OTP_SECRET"
+    file_env "SECRET_KEY_BASE"
+    file_env "VAPID_PRIVATE_KEY"
+    file_env "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
+    file_env "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
+    file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
+
+    declare -x RAILS_ENV=production
+}
 
 assets() {
-  export OTP_SECRET=$(cat /run/secrets/otp_secret)
-  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
-  export DB_PASS=$(cat /run/secrets/db_password)
+  environment
 
-  RAILS_ENV=production bundle exec rails assets:precompile
+  bundle exec rails assets:precompile
 }
 
 admin() {
-  export OTP_SECRET=$(cat /run/secrets/otp_secret)
-  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
-  export DB_PASS=$(cat /run/secrets/db_password)
+  environment
 
-  RAILS_ENV=production bin/tootctl accounts create "$1" --email "$2" --confirmed --role Owner
+  bin/tootctl accounts create "$1" --email "$2" --confirmed --role Owner
+  bin/tootctl accounts approve "$1"
 }
 
-setup() {
-  export OTP_SECRET=$(cat /run/secrets/otp_secret)
-  export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
-  export DB_PASS=$(cat /run/secrets/db_password)
-
-  RAILS_ENV=production bundle exec rake db:setup
+shell() {
+    ## Run a shell with proper environment
+    environment
+    bash $@
 }
 
 secrets() {
@@ -29,17 +71,17 @@ secrets() {
 
   docker context use default > /dev/null 2>&1
 
-  MASTO_VERSION="v4.1.0"
+  MASTO_VERSION="v4.3.8"
 
   echo "Generating secrets for a new Mastodon deployment..."
   echo ""
 
-  SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:$MASTO_VERSION bundle exec rake secret)
+  SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:$MASTO_VERSION bundle exec rails secret)
   abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
   echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
   echo ""
 
-  OTP_SECRET=$(docker run --rm tootsuite/mastodon:$MASTO_VERSION bundle exec rake secret)
+  OTP_SECRET=$(docker run --rm tootsuite/mastodon:$MASTO_VERSION bundle exec rails secret)
   abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
   echo "OTP_SECRET = $OTP_SECRET"
   echo ""
@@ -51,8 +93,8 @@ secrets() {
     bundle exec rake mastodon:webpush:generate_vapid_key \
     > /tmp/key.txt
 
-  VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
-  VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
+  VAPID_PRIVATE_KEY=$($grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
+  VAPID_PUBLIC_KEY=$($grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
   rm -rf /tmp/key.txt
 
   echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
@@ -70,3 +112,38 @@ secrets() {
   echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
   echo ""
 }
+
+secrets_activerecord() {
+  set -e
+
+  docker context use default > /dev/null 2>&1
+
+  MASTO_VERSION="v4.3.8"
+
+  echo "Generating activerecord secrets for an updated deployment"
+  echo ""
+
+  docker run \
+    -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
+    -e OTP_SECRET="$OTP_SECRET" \
+    --rm tootsuite/mastodon:$MASTO_VERSION \
+    bundle exec rake db:encryption:init \
+    > /tmp/activerecord.txt
+
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=$($grep ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY /tmp/activerecord.txt | cut -d'=' -f2)
+  abra app secret insert "$APP_NAME" are_deterministic_key v1 "$ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
+  echo "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY = $ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
+  echo ""
+
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=$($grep ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT /tmp/activerecord.txt | cut -d'=' -f2)
+  abra app secret insert "$APP_NAME" are_key_derivation_salt v1 "$ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
+  echo "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT = $ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
+  echo ""
+
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=$($grep ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY /tmp/activerecord.txt | cut -d'=' -f2)
+  abra app secret insert "$APP_NAME" are_primary_key v1 "$ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
+  echo "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY = $ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
+  echo ""
+
+  rm -rf /tmp/activerecord.txt
+}

compose.character-limit.yml

@@ -0,0 +1,12 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+    - MAX_CHARS
+    # NOTE: See [0] for background on why this is necessary
+    # [0]: See https://github.com/mastodon/mastodon/pull/30091
+    user: root
+    command: >
+      /bin/sh -c 'set -x && ls && sed -i -e "s/500/$MAX_CHARS/g" app/javascript/mastodon/features/compose/components/compose_form.jsx && sed -i -e "s/500/$MAX_CHARS/g" app/validators/status_length_validator.rb && RAILS_ENV=production && rm -f /mastodon/tmp/pids/server.pid && su -c "bundle exec rails s -p 3000"'

compose.oidc.yml

@@ -12,8 +12,15 @@ services:
       - OIDC_SCOPE
       - OIDC_UID_FIELD
       - OIDC_CLIENT_ID
-      - OIDC_CLIENT_SECRET
       - OIDC_REDIRECT_URI
       - OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED
       - OMNIAUTH_ONLY
       - ONE_CLICK_SSO_LOGIN
+      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
+    secrets:
+      - oidc_client_secret
+
+secrets:
+  oidc_client_secret:
+    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
+    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: tootsuite/mastodon:v4.1.0
+    image: tootsuite/mastodon:v4.3.8
     command: |
       bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
     networks: &bothNetworks
@@ -20,11 +20,14 @@ services:
         - "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.2.1+v4.1.0"
+        - "coop-cloud.${STACK_NAME}.version=1.1.0+v4.3.8"
     configs: &configs
       - source: entrypoint_sh
         target: /usr/local/bin/entrypoint.sh
         mode: 0555
+      - source: entrypoint_streaming_sh
+        target: /usr/local/bin/entrypoint_streaming.sh
+        mode: 0555
     entrypoint: &entrypoint /usr/local/bin/entrypoint.sh
     volumes: &appVolume
       - app:/opt/mastodon/public/system
@@ -34,7 +37,13 @@ services:
       - secret_key_base
       - smtp_password
       - vapid_private_key
+      - are_deterministic_key
+      - are_key_derivation_salt
+      - are_primary_key
     environment: &env
+      - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_FILE=/run/secrets/are_deterministic_key
+      - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_FILE=/run/secrets/are_key_derivation_salt
+      - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_FILE=/run/secrets/are_primary_key
       - ALLOW_ACCESS_TO_HIDDEN_SERVICE
       - ALTERNATE_DOMAINS
       - AUTHORIZED_FETCH
@@ -46,6 +55,7 @@ services:
       - DB_NAME
       - DB_PORT
       - DB_USER
+      - DB_PASS_FILE=/run/secrets/db_password
       - DEFAULT_LOCALE
       - EMAIL_DOMAIN_ALLOWLIST
       - EMAIL_DOMAIN_DENYLIST
@@ -119,10 +129,10 @@ services:
       - WEB_DOMAIN
 
   streaming:
-    image: tootsuite/mastodon:v4.1.0
-    command: node ./streaming
+    image: tootsuite/mastodon-streaming:v4.3.8
+    command: node ./streaming/index.js
     configs: *configs
-    entrypoint: *entrypoint
+    entrypoint: /usr/local/bin/entrypoint_streaming.sh
     secrets: *secrets
     networks: *bothNetworks
     deploy:
@@ -140,7 +150,7 @@ services:
     volumes: *appVolume
 
   sidekiq:
-    image: tootsuite/mastodon:v4.1.0
+    image: tootsuite/mastodon:v4.3.8
     secrets: *secrets
     command: bundle exec sidekiq
     configs: *configs
@@ -154,7 +164,7 @@ services:
     environment: *env
 
   db:
-    image: postgres:15.2-alpine
+    image: postgres:15.12-alpine
     networks: &internalNetwork
       - internal
     volumes:
@@ -206,6 +216,15 @@ secrets:
   smtp_password:
     name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
     external: true
+  are_deterministic_key:
+    name: ${STACK_NAME}_are_deterministic_key_${SECRET_ARE_DETERMINISTIC_KEY_VERSION}
+    external: true
+  are_key_derivation_salt:
+    name: ${STACK_NAME}_are_key_derivation_salt_${SECRET_ARE_KEY_DERIVATION_SALT_VERSION}
+    external: true
+  are_primary_key:
+    name: ${STACK_NAME}_are_primary_key_${SECRET_ARE_PRIMARY_KEY_VERSION}
+    external: true
 
 volumes:
   app:
@@ -223,3 +242,7 @@ configs:
     name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
     file: entrypoint.sh.tmpl
     template_driver: golang
+  entrypoint_streaming_sh:
+    name: ${STACK_NAME}_entrypoint_streaming_conf_${ENTRYPOINT_STREAMING_CONF_VERSION}
+    file: entrypoint-streaming.sh.tmpl
+    template_driver: golang

entrypoint-streaming.sh.tmpl

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  declare -x -g "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "DB_PASS"
+file_env "OTP_SECRET"
+file_env "SECRET_KEY_BASE"
+file_env "VAPID_PRIVATE_KEY"
+file_env "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
+file_env "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
+file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
+
+/usr/local/bin/docker-entrypoint.sh "$@"

entrypoint.sh.tmpl

@@ -2,11 +2,44 @@
 
 set -eu
 
-export DB_PASS=$(cat /run/secrets/db_password)
-export OTP_SECRET=$(cat $OTP_SECRET_FILE)
-export SECRET_KEY_BASE=$(cat $SECRET_KEY_BASE_FILE)
-export VAPID_PRIVATE_KEY=$(cat $VAPID_PRIVATE_KEY_FILE)
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
 
-sed -i '/- admin$/d' /opt/mastodon/config/settings.yml
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  declare -x -g "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "DB_PASS"
+file_env "SMTP_PASSWORD"
+file_env "OTP_SECRET"
+file_env "SECRET_KEY_BASE"
+file_env "VAPID_PRIVATE_KEY"
+file_env "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
+file_env "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
+file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
+
+{{ if eq (env "OIDC_ENABLED") "true" }}
+file_env "OIDC_CLIENT_SECRET"
+{{ end }}
+
+
+# NOTE: this was working in mastodon 4.2 but breaks in 4.3
+# sed -i '/- admin$/d' /opt/mastodon/config/settings.yml
+
+RAILS_ENV=production bundle exec rake db:migrate
 
 /usr/bin/tini -s -- "$@"

release/1.0.0+v4.3.1

@@ -0,0 +1,11 @@
+WARNING❗ This release requires adding new secrets, and will not deploy successfully without them.
+
+Run `abra app cmd --local <domain> secrets_activerecord` to generate and store these secrets.
+
+You will also need to add this to your config (`abra app config <domain>`):
+
+```
+SECRET_ARE_DETERMINISTIC_KEY_VERSION=v1
+SECRET_ARE_KEY_DERIVATION_SALT_VERSION=v1
+SECRET_ARE_PRIMARY_KEY_VERSION=v1
+```

release/1.1.0+v4.3.8

@@ -0,0 +1 @@
+MAX_CHARS now supported; see ~/.abra/recipes/.env.sample