generated from coop-cloud/example
Compare commits
48 Commits
0.2.1+v4.1
...
add/s3
| Author | SHA1 | Date | |
|---|---|---|---|
0004866d6b
|
|||
| 849d8ba9a7 | |||
| 7846559007 | |||
| 53ea5afb5b | |||
| f24aa11ddc | |||
| d9de83eb06 | |||
| f0d07bcd71 | |||
| 3bb4274ae4 | |||
| 683fb2d24d | |||
| 38cffa745a | |||
| 3a5d28394f | |||
| 2a36d928d9 | |||
| 23a71ea65b | |||
| a6749ed224 | |||
| 3b51e3c602 | |||
| 99a3c12d2d | |||
| 408d3d7d70 | |||
| 3d27b65c84 | |||
| e1d47b1b88 | |||
| 5f6028ef17 | |||
| 1c98e0d790 | |||
| d7086e8b4a | |||
| 3ac2b9a2a3 | |||
| 69b6d7f664 | |||
| 66aa71c4e1 | |||
| 0a0273306e | |||
| 52a0626ec8 | |||
| c05f3c615a | |||
| c2df07e146 | |||
| f40559dcf0 | |||
| ba632b7d61 | |||
| d79abf04ad | |||
| 72f3ac9af4 | |||
| 6b6fc44d33 | |||
| b23d6f874e | |||
| f2c781b20c | |||
| bc57af62d4 | |||
| 1547cddb7c | |||
| 7bb4a5d2e4 | |||
| adc02f9cac | |||
| 4b8a571128 | |||
| c498ba28cb | |||
| a919e1553b | |||
| 74109d293b | |||
| 8b860ead6c | |||
| a61097df85 | |||
| 95f295ed5c | |||
| f70ec17004 |
@ -38,7 +38,7 @@ steps:
|
||||
from_secret: drone_abra-bot_token
|
||||
fork: true
|
||||
repositories:
|
||||
- coop-cloud/auto-recipes-catalogue-json
|
||||
- toolshed/auto-recipes-catalogue-json
|
||||
|
||||
trigger:
|
||||
event: tag
|
||||
|
||||
25
.env.sample
25
.env.sample
@ -15,6 +15,10 @@ LETS_ENCRYPT_ENV=production
|
||||
|
||||
COMPOSE_FILE="compose.yml"
|
||||
|
||||
# Set the maximum length for toots (posts). Longer posts from other servers will still be displayed, this limit only applies to users on this instance.
|
||||
#MAX_CHARS=500
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.character-limit.yml"
|
||||
|
||||
# Federation
|
||||
# ----------
|
||||
# DO NOT CHANGE DOMAIN VARIABLES AFTER DEPLOYMENT! WILL BREAK FEDERATION!!
|
||||
@ -79,6 +83,10 @@ SECRET_OTP_SECRET_VERSION=v1
|
||||
SECRET_VAPID_PRIVATE_KEY_VERSION=v1
|
||||
SECRET_DB_PASSWORD_VERSION=v1
|
||||
SECRET_SMTP_PASSWORD_VERSION=v1
|
||||
SECRET_ARE_DETERMINISTIC_KEY_VERSION=v1
|
||||
SECRET_ARE_KEY_DERIVATION_SALT_VERSION=v1
|
||||
SECRET_ARE_PRIMARY_KEY_VERSION=v1
|
||||
SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1
|
||||
|
||||
# Web Push
|
||||
# ========
|
||||
@ -119,10 +127,9 @@ DEFAULT_LOCALE=en
|
||||
|
||||
# S3 and AWS
|
||||
# ----------
|
||||
# S3_ENABLED=
|
||||
# S3_BUCKET=
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
|
||||
# AWS_ACCESS_KEY_ID=
|
||||
# AWS_SECRET_ACCESS_KEY=
|
||||
# S3_BUCKET=
|
||||
# S3_REGION=
|
||||
# S3_PROTOCOL=
|
||||
# S3_HOSTNAME=
|
||||
@ -131,6 +138,15 @@ DEFAULT_LOCALE=en
|
||||
# S3_OVERRIDE_PATH_STYLE=
|
||||
# S3_OPEN_TIMEOUT=
|
||||
# S3_READ_TIMEOUT=
|
||||
# S3_RETRY_LIMIT=
|
||||
# S3_FORCE_SINGLE_REQUEST=
|
||||
# S3_ENABLE_CHECKSUM_MODE=
|
||||
# S3_STORAGE_CLASS=
|
||||
# S3_MULTIPART_THRESHOLD=
|
||||
# S3_PERMISSION=
|
||||
# S3_BATCH_DELETE_LIMIT=
|
||||
# S3_BATCH_DELETE_RETRY=
|
||||
# S3_ALIAS_HOST=
|
||||
|
||||
# External Authentication
|
||||
# =======================
|
||||
@ -187,4 +203,5 @@ DEFAULT_LOCALE=en
|
||||
# OIDC_REDIRECT_URI=https://mastodon.company/auth/auth/openid_connect/callback
|
||||
# OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
|
||||
# OMNIAUTH_ONLY=true
|
||||
# ONE_CLICK_SSO_LOGIN
|
||||
# ONE_CLICK_SSO_LOGIN=true
|
||||
# SECRET_OIDC_CLIENT_SECRET_VERSION=v1
|
||||
|
||||
@ -3,8 +3,10 @@
|
||||
> Your self-hosted, globally interconnected microblogging community
|
||||
|
||||
<!-- metadata -->
|
||||
* **Maintainers**: `@3wordchant` (Matrix: `@3wc:autonomic.zone`), `Benjamin` (Matrix: `@benjaminlj:matrix.org`)
|
||||
* **Status**: `stable`
|
||||
* **Category**: Apps
|
||||
* **Status**: 1
|
||||
* **Features**: 1
|
||||
* **Image**: [`tootsuite/mastodon`](https://hub.docker.com/r/tootsuite/mastodon)
|
||||
* **Healthcheck**: No
|
||||
* **Backups**: No
|
||||
@ -22,10 +24,10 @@ the [`abra.sh`](./abra.sh) for more.
|
||||
|
||||
1. `abra app new mastodon`
|
||||
1. `abra app cmd --local <domain> secrets`
|
||||
1. `abra app cmd --local <domain> secrets_activerecord`
|
||||
1. `abra app secret insert <domain> smtp_password v1 <password>`
|
||||
1. `abra app config <domain>` (uncomment SMTP details)
|
||||
1. `abra app deploy <domain>`
|
||||
1. `abra app cmd <domain> streaming setup`
|
||||
|
||||
Then, on your host (outside of the containers), you'll need to fix permissions
|
||||
for the volume (see [#10](https://git.coopcloud.tech/coop-cloud/mastodon/issues/10)):
|
||||
@ -37,7 +39,7 @@ chown -R 991:991 /var/lib/docker/volumes/<domain>_app/_data
|
||||
And finally, within the `app` container, create an admin account:
|
||||
|
||||
```
|
||||
abra app cmd <domain> admin -- <username> <email>
|
||||
abra app cmd <domain> app admin -- <username> <email>
|
||||
```
|
||||
|
||||
## Tips & tricks
|
||||
|
||||
117
abra.sh
117
abra.sh
@ -1,27 +1,69 @@
|
||||
export ENTRYPOINT_CONF_VERSION=v3
|
||||
export ENTRYPOINT_CONF_VERSION=v6
|
||||
export ENTRYPOINT_STREAMING_CONF_VERSION=v1
|
||||
|
||||
grep=grep
|
||||
if ! $grep -P --version 2>/dev/null 1>/dev/null
|
||||
then
|
||||
echo "$grep doesn't have -P option, trying ggrep"
|
||||
grep=ggrep
|
||||
if ! $grep -P --version 2>/dev/null 1>/dev/null
|
||||
then
|
||||
echo "If you're on a mac try running \`brew install grep\`"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
file_env() {
|
||||
local var="$1"
|
||||
local fileVar="${var}_FILE"
|
||||
local def="${2:-}"
|
||||
|
||||
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
|
||||
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
local val="$def"
|
||||
if [ "${!var:-}" ]; then
|
||||
val="${!var}"
|
||||
elif [ "${!fileVar:-}" ]; then
|
||||
val="$(< "${!fileVar}")"
|
||||
fi
|
||||
|
||||
declare -x -g "$var"="$val"
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
environment() {
|
||||
# for sidekiq service bundle exec env var threading
|
||||
file_env "DB_PASS"
|
||||
file_env "OTP_SECRET"
|
||||
file_env "SECRET_KEY_BASE"
|
||||
file_env "VAPID_PRIVATE_KEY"
|
||||
file_env "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
|
||||
file_env "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
|
||||
file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
|
||||
|
||||
declare -x RAILS_ENV=production
|
||||
}
|
||||
|
||||
assets() {
|
||||
export OTP_SECRET=$(cat /run/secrets/otp_secret)
|
||||
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
|
||||
export DB_PASS=$(cat /run/secrets/db_password)
|
||||
environment
|
||||
|
||||
RAILS_ENV=production bundle exec rails assets:precompile
|
||||
bundle exec rails assets:precompile
|
||||
}
|
||||
|
||||
admin() {
|
||||
export OTP_SECRET=$(cat /run/secrets/otp_secret)
|
||||
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
|
||||
export DB_PASS=$(cat /run/secrets/db_password)
|
||||
environment
|
||||
|
||||
RAILS_ENV=production bin/tootctl accounts create "$1" --email "$2" --confirmed --role Owner
|
||||
bin/tootctl accounts create "$1" --email "$2" --confirmed --role Owner
|
||||
bin/tootctl accounts approve "$1"
|
||||
}
|
||||
|
||||
setup() {
|
||||
export OTP_SECRET=$(cat /run/secrets/otp_secret)
|
||||
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
|
||||
export DB_PASS=$(cat /run/secrets/db_password)
|
||||
|
||||
RAILS_ENV=production bundle exec rake db:setup
|
||||
shell() {
|
||||
## Run a shell with proper environment
|
||||
environment
|
||||
bash $@
|
||||
}
|
||||
|
||||
secrets() {
|
||||
@ -29,17 +71,17 @@ secrets() {
|
||||
|
||||
docker context use default > /dev/null 2>&1
|
||||
|
||||
MASTO_VERSION="v4.1.0"
|
||||
MASTO_VERSION="v4.3.8"
|
||||
|
||||
echo "Generating secrets for a new Mastodon deployment..."
|
||||
echo ""
|
||||
|
||||
SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:$MASTO_VERSION bundle exec rake secret)
|
||||
SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:$MASTO_VERSION bundle exec rails secret)
|
||||
abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
|
||||
echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
|
||||
echo ""
|
||||
|
||||
OTP_SECRET=$(docker run --rm tootsuite/mastodon:$MASTO_VERSION bundle exec rake secret)
|
||||
OTP_SECRET=$(docker run --rm tootsuite/mastodon:$MASTO_VERSION bundle exec rails secret)
|
||||
abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
|
||||
echo "OTP_SECRET = $OTP_SECRET"
|
||||
echo ""
|
||||
@ -51,8 +93,8 @@ secrets() {
|
||||
bundle exec rake mastodon:webpush:generate_vapid_key \
|
||||
> /tmp/key.txt
|
||||
|
||||
VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
|
||||
VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
|
||||
VAPID_PRIVATE_KEY=$($grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
|
||||
VAPID_PUBLIC_KEY=$($grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
|
||||
rm -rf /tmp/key.txt
|
||||
|
||||
echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
|
||||
@ -70,3 +112,38 @@ secrets() {
|
||||
echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
|
||||
echo ""
|
||||
}
|
||||
|
||||
secrets_activerecord() {
|
||||
set -e
|
||||
|
||||
docker context use default > /dev/null 2>&1
|
||||
|
||||
MASTO_VERSION="v4.3.8"
|
||||
|
||||
echo "Generating activerecord secrets for an updated deployment"
|
||||
echo ""
|
||||
|
||||
docker run \
|
||||
-e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
|
||||
-e OTP_SECRET="$OTP_SECRET" \
|
||||
--rm tootsuite/mastodon:$MASTO_VERSION \
|
||||
bundle exec rake db:encryption:init \
|
||||
> /tmp/activerecord.txt
|
||||
|
||||
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=$($grep ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY /tmp/activerecord.txt | cut -d'=' -f2)
|
||||
abra app secret insert "$APP_NAME" are_deterministic_key v1 "$ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
|
||||
echo "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY = $ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
|
||||
echo ""
|
||||
|
||||
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=$($grep ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT /tmp/activerecord.txt | cut -d'=' -f2)
|
||||
abra app secret insert "$APP_NAME" are_key_derivation_salt v1 "$ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
|
||||
echo "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT = $ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
|
||||
echo ""
|
||||
|
||||
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=$($grep ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY /tmp/activerecord.txt | cut -d'=' -f2)
|
||||
abra app secret insert "$APP_NAME" are_primary_key v1 "$ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
|
||||
echo "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY = $ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
|
||||
echo ""
|
||||
|
||||
rm -rf /tmp/activerecord.txt
|
||||
}
|
||||
|
||||
12
compose.character-limit.yml
Normal file
12
compose.character-limit.yml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- MAX_CHARS
|
||||
# NOTE: See [0] for background on why this is necessary
|
||||
# [0]: See https://github.com/mastodon/mastodon/pull/30091
|
||||
user: root
|
||||
command: >
|
||||
/bin/sh -c 'set -x && ls && sed -i -e "s/500/$MAX_CHARS/g" app/javascript/mastodon/features/compose/components/compose_form.jsx && sed -i -e "s/500/$MAX_CHARS/g" app/validators/status_length_validator.rb && rm -f /mastodon/tmp/pids/server.pid && su -c "RAILS_ENV=production bundle exec rails s -p 3000"'
|
||||
@ -12,8 +12,15 @@ services:
|
||||
- OIDC_SCOPE
|
||||
- OIDC_UID_FIELD
|
||||
- OIDC_CLIENT_ID
|
||||
- OIDC_CLIENT_SECRET
|
||||
- OIDC_REDIRECT_URI
|
||||
- OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED
|
||||
- OMNIAUTH_ONLY
|
||||
- ONE_CLICK_SSO_LOGIN
|
||||
- OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
|
||||
secrets:
|
||||
- oidc_client_secret
|
||||
|
||||
secrets:
|
||||
oidc_client_secret:
|
||||
name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
|
||||
external: true
|
||||
|
||||
42
compose.s3.yml
Normal file
42
compose.s3.yml
Normal file
@ -0,0 +1,42 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment: &s3-env
|
||||
- S3_ENABLED=true
|
||||
- AWS_ACCESS_KEY_ID
|
||||
- AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key
|
||||
- S3_BUCKET
|
||||
- S3_REGION
|
||||
- S3_PROTOCOL
|
||||
- S3_HOSTNAME
|
||||
- S3_ENDPOINT
|
||||
- S3_SIGNATURE_VERSION
|
||||
- S3_OVERRIDE_PATH_STYLE
|
||||
- S3_OPEN_TIMEOUT
|
||||
- S3_READ_TIMEOUT
|
||||
- S3_RETRY_LIMIT
|
||||
- S3_FORCE_SINGLE_REQUEST
|
||||
- S3_ENABLE_CHECKSUM_MODE
|
||||
- S3_STORAGE_CLASS
|
||||
- S3_MULTIPART_THRESHOLD
|
||||
- S3_PERMISSION
|
||||
- S3_BATCH_DELETE_LIMIT
|
||||
- S3_BATCH_DELETE_RETRY
|
||||
- S3_ALIAS_HOST
|
||||
secrets: &s3-secrets
|
||||
- aws_secret_access_key
|
||||
|
||||
streaming:
|
||||
environment: *s3-env
|
||||
secrets: *s3-secrets
|
||||
|
||||
sidekiq:
|
||||
environment: *s3-env
|
||||
secrets: *s3-secrets
|
||||
|
||||
secrets:
|
||||
aws_secret_access_key:
|
||||
name: ${STACK_NAME}_aws_secret_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
|
||||
external: true
|
||||
42
compose.yml
42
compose.yml
@ -3,7 +3,7 @@ version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
image: tootsuite/mastodon:v4.1.0
|
||||
image: tootsuite/mastodon:v4.5.3
|
||||
command: |
|
||||
bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
|
||||
networks: &bothNetworks
|
||||
@ -20,11 +20,14 @@ services:
|
||||
- "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
|
||||
- "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "coop-cloud.${STACK_NAME}.version=0.2.1+v4.1.0"
|
||||
- "coop-cloud.${STACK_NAME}.version=2.1.3+v4.5.3"
|
||||
configs: &configs
|
||||
- source: entrypoint_sh
|
||||
target: /usr/local/bin/entrypoint.sh
|
||||
mode: 0555
|
||||
- source: entrypoint_streaming_sh
|
||||
target: /usr/local/bin/entrypoint_streaming.sh
|
||||
mode: 0555
|
||||
entrypoint: &entrypoint /usr/local/bin/entrypoint.sh
|
||||
volumes: &appVolume
|
||||
- app:/opt/mastodon/public/system
|
||||
@ -34,7 +37,13 @@ services:
|
||||
- secret_key_base
|
||||
- smtp_password
|
||||
- vapid_private_key
|
||||
- are_deterministic_key
|
||||
- are_key_derivation_salt
|
||||
- are_primary_key
|
||||
environment: &env
|
||||
- ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY_FILE=/run/secrets/are_deterministic_key
|
||||
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT_FILE=/run/secrets/are_key_derivation_salt
|
||||
- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_FILE=/run/secrets/are_primary_key
|
||||
- ALLOW_ACCESS_TO_HIDDEN_SERVICE
|
||||
- ALTERNATE_DOMAINS
|
||||
- AUTHORIZED_FETCH
|
||||
@ -46,6 +55,7 @@ services:
|
||||
- DB_NAME
|
||||
- DB_PORT
|
||||
- DB_USER
|
||||
- DB_PASS_FILE=/run/secrets/db_password
|
||||
- DEFAULT_LOCALE
|
||||
- EMAIL_DOMAIN_ALLOWLIST
|
||||
- EMAIL_DOMAIN_DENYLIST
|
||||
@ -119,10 +129,10 @@ services:
|
||||
- WEB_DOMAIN
|
||||
|
||||
streaming:
|
||||
image: tootsuite/mastodon:v4.1.0
|
||||
command: node ./streaming
|
||||
image: tootsuite/mastodon-streaming:v4.5.3
|
||||
command: node ./streaming/index.js
|
||||
configs: *configs
|
||||
entrypoint: *entrypoint
|
||||
entrypoint: /usr/local/bin/entrypoint_streaming.sh
|
||||
secrets: *secrets
|
||||
networks: *bothNetworks
|
||||
deploy:
|
||||
@ -140,7 +150,7 @@ services:
|
||||
volumes: *appVolume
|
||||
|
||||
sidekiq:
|
||||
image: tootsuite/mastodon:v4.1.0
|
||||
image: tootsuite/mastodon:v4.5.3
|
||||
secrets: *secrets
|
||||
command: bundle exec sidekiq
|
||||
configs: *configs
|
||||
@ -154,11 +164,12 @@ services:
|
||||
environment: *env
|
||||
|
||||
db:
|
||||
image: postgres:15.2-alpine
|
||||
image: pgautoupgrade/pgautoupgrade:18-alpine
|
||||
networks: &internalNetwork
|
||||
- internal
|
||||
volumes:
|
||||
- postgres:/var/lib/postgresql/data
|
||||
- postgres:/var/lib/postgresql
|
||||
|
||||
secrets:
|
||||
- db_password
|
||||
environment:
|
||||
@ -167,7 +178,7 @@ services:
|
||||
- POSTGRES_USER=${DB_USER}
|
||||
|
||||
redis:
|
||||
image: redis:7.4-alpine
|
||||
image: redis:8.4-alpine
|
||||
networks: *internalNetwork
|
||||
healthcheck:
|
||||
test: ["CMD", "redis-cli", "ping"]
|
||||
@ -206,6 +217,15 @@ secrets:
|
||||
smtp_password:
|
||||
name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
|
||||
external: true
|
||||
are_deterministic_key:
|
||||
name: ${STACK_NAME}_are_deterministic_key_${SECRET_ARE_DETERMINISTIC_KEY_VERSION}
|
||||
external: true
|
||||
are_key_derivation_salt:
|
||||
name: ${STACK_NAME}_are_key_derivation_salt_${SECRET_ARE_KEY_DERIVATION_SALT_VERSION}
|
||||
external: true
|
||||
are_primary_key:
|
||||
name: ${STACK_NAME}_are_primary_key_${SECRET_ARE_PRIMARY_KEY_VERSION}
|
||||
external: true
|
||||
|
||||
volumes:
|
||||
app:
|
||||
@ -223,3 +243,7 @@ configs:
|
||||
name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
|
||||
file: entrypoint.sh.tmpl
|
||||
template_driver: golang
|
||||
entrypoint_streaming_sh:
|
||||
name: ${STACK_NAME}_entrypoint_streaming_conf_${ENTRYPOINT_STREAMING_CONF_VERSION}
|
||||
file: entrypoint-streaming.sh.tmpl
|
||||
template_driver: golang
|
||||
|
||||
34
entrypoint-streaming.sh.tmpl
Normal file
34
entrypoint-streaming.sh.tmpl
Normal file
@ -0,0 +1,34 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -eu
|
||||
|
||||
file_env() {
|
||||
local var="$1"
|
||||
local fileVar="${var}_FILE"
|
||||
local def="${2:-}"
|
||||
|
||||
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
|
||||
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
local val="$def"
|
||||
if [ "${!var:-}" ]; then
|
||||
val="${!var}"
|
||||
elif [ "${!fileVar:-}" ]; then
|
||||
val="$(< "${!fileVar}")"
|
||||
fi
|
||||
|
||||
declare -x -g "$var"="$val"
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
file_env "DB_PASS"
|
||||
file_env "OTP_SECRET"
|
||||
file_env "SECRET_KEY_BASE"
|
||||
file_env "VAPID_PRIVATE_KEY"
|
||||
file_env "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
|
||||
file_env "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
|
||||
file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
|
||||
|
||||
/usr/local/bin/docker-entrypoint.sh "$@"
|
||||
@ -2,11 +2,44 @@
|
||||
|
||||
set -eu
|
||||
|
||||
export DB_PASS=$(cat /run/secrets/db_password)
|
||||
export OTP_SECRET=$(cat $OTP_SECRET_FILE)
|
||||
export SECRET_KEY_BASE=$(cat $SECRET_KEY_BASE_FILE)
|
||||
export VAPID_PRIVATE_KEY=$(cat $VAPID_PRIVATE_KEY_FILE)
|
||||
file_env() {
|
||||
local var="$1"
|
||||
local fileVar="${var}_FILE"
|
||||
local def="${2:-}"
|
||||
|
||||
sed -i '/- admin$/d' /opt/mastodon/config/settings.yml
|
||||
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
|
||||
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
local val="$def"
|
||||
if [ "${!var:-}" ]; then
|
||||
val="${!var}"
|
||||
elif [ "${!fileVar:-}" ]; then
|
||||
val="$(< "${!fileVar}")"
|
||||
fi
|
||||
|
||||
declare -x -g "$var"="$val"
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
file_env "DB_PASS"
|
||||
file_env "SMTP_PASSWORD"
|
||||
file_env "OTP_SECRET"
|
||||
file_env "SECRET_KEY_BASE"
|
||||
file_env "VAPID_PRIVATE_KEY"
|
||||
file_env "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"
|
||||
file_env "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"
|
||||
file_env "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"
|
||||
|
||||
{{ if eq (env "OIDC_ENABLED") "true" }}
|
||||
file_env "OIDC_CLIENT_SECRET"
|
||||
{{ end }}
|
||||
|
||||
|
||||
# NOTE: this was working in mastodon 4.2 but breaks in 4.3
|
||||
# sed -i '/- admin$/d' /opt/mastodon/config/settings.yml
|
||||
|
||||
RAILS_ENV=production bundle exec rake db:migrate
|
||||
|
||||
/usr/bin/tini -s -- "$@"
|
||||
|
||||
11
release/1.0.0+v4.3.1
Normal file
11
release/1.0.0+v4.3.1
Normal file
@ -0,0 +1,11 @@
|
||||
WARNING❗ This release requires adding new secrets, and will not deploy successfully without them.
|
||||
|
||||
Run `abra app cmd --local <domain> secrets_activerecord` to generate and store these secrets.
|
||||
|
||||
You will also need to add this to your config (`abra app config <domain>`):
|
||||
|
||||
```
|
||||
SECRET_ARE_DETERMINISTIC_KEY_VERSION=v1
|
||||
SECRET_ARE_KEY_DERIVATION_SALT_VERSION=v1
|
||||
SECRET_ARE_PRIMARY_KEY_VERSION=v1
|
||||
```
|
||||
1
release/1.1.0+v4.3.8
Normal file
1
release/1.1.0+v4.3.8
Normal file
@ -0,0 +1 @@
|
||||
MAX_CHARS now supported; see ~/.abra/recipes/.env.sample
|
||||
1
release/2.0.0+v4.4.7
Normal file
1
release/2.0.0+v4.4.7
Normal file
@ -0,0 +1 @@
|
||||
This release includes several Postgres major version upgrades; this should work automatically, but please take extra care to make a database backup before upgrading!
|
||||
6
renovate.json
Normal file
6
renovate.json
Normal file
@ -0,0 +1,6 @@
|
||||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||
"extends": [
|
||||
"config:recommended"
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user