78 Commits
Author | SHA1 | Date |
---|---|---|
decentral1se | 2ca92dd55f | |
3wc | 080fcd7a2d | |
3wc | 556d73cce8 | |
3wc | f6c2527182 | |
3wc | 953faaca83 | |
knoflook | 547cefbd19 | |
Nick Sellen | 91ed3cf439 | |
Nick Sellen | 6f31be3458 | |
3wc | 4e8ae43423 | |
3wc | 2e46a01082 | |
3wc | 1155b3cc50 | |
3wordchant | 66adadea97 | |
Nick Sellen | e776970066 | |
Nick Sellen | eab512222a | |
knoflook | 9d5e427b80 | |
knoflook | c1ca15ff87 | |
knoflook | f4ad09c3b2 | |
3wordchant | 3fc213854f | |
Sarma | 7cec462a60 | |
Nick Sellen | acee84e403 | |
nicksellen | 307037b36b | |
nicksellen | 86bef2441d | |
Nick Sellen | 2e446c4467 | |
Nick Sellen | 21e07e59ed | |
Nick Sellen | e6f7efaa44 | |
Nick Sellen | 2dc49d51e4 | |
Nick Sellen | 754ab9411c | |
Nick Sellen | fd89ab14ce | |
Nick Sellen | 205a882653 | |
Nick Sellen | 0bed30c1bf | |
3wc | 284984d49c | |
3wc | 1338294417 | |
3wc | 81e413153c | |
decentral1se | 22a3da9e9a | |
decentral1se | 4751c7f8a4 | |
decentral1se | 17ac659f67 | |
knoflook | 8e761a286d | |
decentral1se | 05f3ac602e | |
decentral1se | 3c95b8a5ab | |
decentral1se | 47fa8dfcae | |
decentral1se | c22063ec4b | |
decentral1se | a86a32fa65 | |
decentral1se | a325717dcd | |
3wc | db007e4b64 | |
3wc | a65d9524f9 | |
3wc | 303b6904a5 | |
3wc | 3466e52ef1 | |
3wc | 5ca09219b8 | |
3wc | 91383be9c2 | |
decentral1se | 82bfcbc302 | |
decentral1se | ac7fcecfbc | |
decentral1se | 52c2f59502 | |
decentral1se | cac78ebaa1 | |
decentral1se | a7d7d63c7b | |
decentral1se | e70be2a79e | |
decentral1se | b2c36cf7e1 | |
decentral1se | ffe75dc32d | |
decentral1se | 968052622f | |
decentral1se | bd89836a99 | |
decentral1se | 86ba4157b4 | |
decentral1se | 033b94a8b4 | |
decentral1se | 656eff4c9b | |
decentral1se | 90533c9c7c | |
decentral1se | 351deee2fb | |
knoflook | 09801668a7 | |
knoflook | e498ab3c90 | |
decentral1se | 37aa6c4043 | |
decentral1se | 9879f6cde3 | |
decentral1se | b4b5006c3c | |
decentral1se | bf93039fbc | |
decentral1se | 6670181da6 | |
decentral1se | cb8ba6a567 | |
decentral1se | 56e05c6293 | |
decentral1se | 3f52b70635 | |
decentral1se | aac97a4aee | |
3wc | b6d05062ac | |
3wc | 4ee7d38018 | |
Comrade Renovate Bot | 86b4f05943 |
27
.drone.yml
27
.drone.yml
|
@ -3,10 +3,13 @@ kind: pipeline
|
|||
name: deploy to swarm-test.autonomic.zone
|
||||
steps:
|
||||
- name: deployment
|
||||
image: decentral1se/stack-ssh-deploy:latest
|
||||
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
|
||||
settings:
|
||||
host: swarm-test.autonomic.zone
|
||||
stack: mastodon
|
||||
generate_secrets: true
|
||||
networks:
|
||||
- proxy
|
||||
purge: true
|
||||
deploy_key:
|
||||
from_secret: drone_ssh_swarm_test
|
||||
|
@ -14,16 +17,28 @@ steps:
|
|||
DOMAIN: mastodon.swarm-test.autonomic.zone
|
||||
STACK_NAME: mastodon
|
||||
LETS_ENCRYPT_ENV: production
|
||||
ENTRYPOINT_CONF_VERSION: v1
|
||||
SECRET_SECRET_KEY_BASE_VERSION: v1
|
||||
SECRET_OTP_SECRET_VERSION: v1
|
||||
SECRET_VAPID_PRIVATE_KEY_VERSION: v1
|
||||
SECRET_DB_PASSWORD_VERSION: v1
|
||||
SECRET_SMTP_PASSWORD_VERSION: v1
|
||||
trigger:
|
||||
branch:
|
||||
- main
|
||||
---
|
||||
kind: pipeline
|
||||
name: recipe release
|
||||
name: generate recipe catalogue
|
||||
steps:
|
||||
- name: release a new version
|
||||
image: thecoopcloud/drone-abra:latest
|
||||
image: plugins/downstream
|
||||
settings:
|
||||
command: recipe hometown release
|
||||
deploy_key:
|
||||
from_secret: abra_bot_deploy_key
|
||||
server: https://build.coopcloud.tech
|
||||
token:
|
||||
from_secret: drone_abra-bot_token
|
||||
fork: true
|
||||
repositories:
|
||||
- coop-cloud/auto-recipes-catalogue-json
|
||||
|
||||
trigger:
|
||||
event: tag
|
||||
|
|
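Review bot: The deploy image is still a floating tag after the registry move, `image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest`, and the catalogue step uses an untagged `image: plugins/downstream`; both steps receive credentials via `from_secret` (`deploy_key`, `token`), so whatever is next pushed to those tags runs with deploy access to swarm-test and the downstream build server. Pinning each to a release tag or an `@sha256:` digest keeps the pipeline reproducible and makes image bumps visible in review, e.g. `image: plugins/downstream:<pinned-tag>` (placeholder). Which side the `plugins/downstream` line is on is not marked on this page, but it belongs to the new `generate recipe catalogue` pipeline.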
16
.env.sample
16
.env.sample
|
@ -1,6 +1,6 @@
|
|||
TYPE=hometown
|
||||
|
||||
DOMAIN=mastodon.swarm-test.autonomic.zone
|
||||
DOMAIN=hometown.example.com
|
||||
# Enables WEB_DOMAIN if set (FOR FUTURE USE)
|
||||
# USER_DOMAIN=
|
||||
|
||||
|
@ -30,6 +30,7 @@ LOCAL_DOMAIN=$DOMAIN
|
|||
|
||||
# ALTERNATE_DOMAINS=$EXTRA_DOMAINS
|
||||
AUTHORIZED_FETCH=false
|
||||
DISALLOW_UNAUTHENTICATED_API_ACCESS=false
|
||||
LIMITED_FEDERATION_MODE=false
|
||||
|
||||
# Deployment
|
||||
|
@ -61,7 +62,7 @@ REDIS_PORT=6379
|
|||
|
||||
# ElasticSearch
|
||||
# --------------------------------------
|
||||
ES_ENABLED=true
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.elasticsearch.yml"
|
||||
ES_HOST=es
|
||||
ES_PORT=9200
|
||||
|
||||
|
@ -72,11 +73,12 @@ ES_PORT=9200
|
|||
|
||||
# Secrets
|
||||
# =======
|
||||
SECRET_KEY_BASE_VERSION=v1
|
||||
SECRET_SECRET_KEY_BASE_VERSION=v1
|
||||
SECRET_OTP_SECRET_VERSION=v1
|
||||
SECRET_VAPID_PRIVATE_KEY_VERSION=v1
|
||||
SECRET_DB_PASSWORD_VERSION=v1
|
||||
SECRET_SMTP_PASSWORD_VERSION=v1
|
||||
SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1
|
||||
|
||||
# Web Push
|
||||
# ========
|
||||
|
@ -90,6 +92,7 @@ SINGLE_USER_MODE=false
|
|||
DEFAULT_LOCALE=en
|
||||
# MAX_SESSION_ACTIVATIONS=
|
||||
# USER_ACTIVE_DAYS=
|
||||
# MAX_TOOT_CHARS=500
|
||||
|
||||
# Sending mail
|
||||
# ============
|
||||
|
@ -117,7 +120,7 @@ DEFAULT_LOCALE=en
|
|||
|
||||
# S3 and AWS
|
||||
# ----------
|
||||
# S3_ENABLED=
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
|
||||
# S3_BUCKET=
|
||||
# AWS_ACCESS_KEY_ID=
|
||||
# AWS_SECRET_ACCESS_KEY=
|
||||
|
@ -199,8 +202,3 @@ DEFAULT_LOCALE=en
|
|||
# OIDC_END_SESSION_ENDPOINT=
|
||||
# OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=
|
||||
# SECRET_OIDC_CLIENT_SECRET_VERSION=v1
|
||||
|
||||
# Hidden services (Not Supported)
|
||||
# ===============================
|
||||
# http_proxy= # yes, this should be lowercase
|
||||
# ALLOW_ACCESS_TO_HIDDEN_SERVICE=
|
||||
|
|
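Review bot: `SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1` is added under `# Secrets`, yet the S3 block still carries `# AWS_SECRET_ACCESS_KEY=`, which invites operators to uncomment it and keep the key in plaintext in `.env` even though the S3 compose file reads it from `/run/secrets/aws_secret_access_key`. Replacing that line with a pointer to the secret avoids the two paths diverging: `# AWS_SECRET_ACCESS_KEY is a docker secret: abra app secret insert <app> aws_secret_access_key v1 <key>`. Whether `# AWS_SECRET_ACCESS_KEY=` is context or newly added is not marked on this page.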
92
README.md
92
README.md
|
@ -1,87 +1,35 @@
|
|||
# Hometown
|
||||
|
||||
A supported fork of Mastodon that provides local posting and a wider range of content types.
|
||||
> A supported fork of Mastodon that provides local posting and a wider range of content types.
|
||||
|
||||
This repository is a copy of [coop-cloud/mastodon](https://git.autonomic.zone/coop-cloud/mastodon) but with a fresh README and some Hometown specific configuration. It seems like a good idea to keep the deployment separate since the apps may diverge in their deployment or configuration instructions at some point despite best wishes to remain as mainline Mastodon as possible.
|
||||
The configuration aims to stay as close as possible to [coop-cloud/mastodon](https://git.coopcloud.tech/coop-cloud/mastodon).
|
||||
At some point, ideally, we could merge them. We don't have enough folks running
|
||||
both Mastodon & Hometown to understand if that is a good idea right now. To be
|
||||
discussed.
|
||||
|
||||
<!-- metadata -->
|
||||
|
||||
- **Category**:
|
||||
- **Status**:
|
||||
- **Image**: [`decentral1se/hometown`](https://hub.docker.com/r/decentral1se/hometown)
|
||||
- **Healthcheck**:
|
||||
- **Backups**:
|
||||
- **Email**:
|
||||
- **Tests**:
|
||||
- **SSO**:
|
||||
* **Category**: Apps
|
||||
* **Status**: 1
|
||||
* **Image**: [`hometown`](https://git.coopcloud.tech/coop-cloud-chaos-patchs/docker-hometown), 1, Co-op Cloud custom image
|
||||
* **Healthcheck**: No
|
||||
* **Backups**: No
|
||||
* **Email**: Yes
|
||||
* **Tests**: No
|
||||
* **SSO**: Yes
|
||||
|
||||
<!-- endmetadata -->
|
||||
|
||||
## Basic usage
|
||||
|
||||
1. Set up Docker Swarm and [`abra`]
|
||||
1. Deploy [`coop-cloud/traefik`]
|
||||
1. `abra app new mastodon`
|
||||
1. Follow the [secrets setup docs](#secrets-setup)
|
||||
1. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to your Docker swarm box
|
||||
1. `abra app YOURAPPDOMAIN deploy` to deploy the app
|
||||
See the [`coop-cloud/mastodon` `README.md`](https://git.coopcloud.tech/coop-cloud/mastodon#quick-start).
|
||||
|
||||
You'll need to run a `docker exec -it <streaming-service-id> /bin/bash` and do the following:
|
||||
Watch out in case the Mastodon recipe latest is not the same as the Hometown
|
||||
latest version! You can switch back to a compatible tag on the Mastodon recipe
|
||||
to compare docs, config etc. just to be sure.
|
||||
|
||||
```
|
||||
export OTP_SECRET=$(cat /run/secrets/otp_secret)
|
||||
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
|
||||
export DB_PASS=$(cat /run/secrets/db_password)
|
||||
bundle exec rake db:setup
|
||||
```
|
||||
## Tips & Tricks
|
||||
|
||||
Then, on your host (outside of the containers), you'll need to fix permissions for the volume (see [#2](https://git.autonomic.zone/coop-cloud/hometown/issues/2)):
|
||||
See the [`coop-cloud/mastodon` `README.md`](https://git.coopcloud.tech/coop-cloud/mastodon#admin-tips-tricks).
|
||||
|
||||
```
|
||||
chown -R 991:991 /var/lib/docker/volumes/<service-name>_app/_data
|
||||
```
|
||||
|
||||
And finally, within any app container, create an admin account:
|
||||
|
||||
```
|
||||
tootctl accounts create <username> --email <email> --confirmed --role admin
|
||||
```
|
||||
|
||||
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||
[`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
|
||||
|
||||
## Secrets setup
|
||||
|
||||
Because Mastodon expects secrets generated by specific tools, we don't support that in `abra` yet. However, you can run these commands yourself using the underlying Docker CLI. You can then load them in as secrets to the swarm using `abra` though and then they will be picked up on the deployment.
|
||||
|
||||
First, generate the `SECRET_KEY_BASE` and `OTP_SECRET` and store them in your local shell environment, you'll need them for subsequent commands.
|
||||
|
||||
```
|
||||
$ SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
|
||||
$ OTP_SECRET=$(docker run --rm tootsuite/mastodon:v3.4.0 bundle exec rake secret)
|
||||
$ abra app YOURAPPDOMAIN secret insert secret_key_base v1 $SECRET_KEY_BASE
|
||||
$ abra app YOURAPPDOMAIN secret insert otp_secret v1 $OTP_SECRET
|
||||
```
|
||||
|
||||
Then you need to generate the `VAPID_{PUBLIC/PRIVATE}_KEY` values using the `SECRET_KEY_BASE`/`OTP_SECRET`:
|
||||
|
||||
```
|
||||
$ docker run \
|
||||
-e SECRET_KEY_BASE=$SECRET_KEY_BASE \
|
||||
-e OTP_SECRET=$OTP_SECRET \
|
||||
--rm tootsuite/mastodon:v3.4.0 \
|
||||
bundle exec rake mastodon:webpush:generate_vapid_key
|
||||
```
|
||||
|
||||
Once you see the values generated, you can load the `VAPID_PUBLIC_KEY` into your `.env` file and `VAPID_PRIVATE_KEY` into a secret.
|
||||
|
||||
```
|
||||
$ abra app YOURDOMAIN secret insert vapid_private_key v1 YOURVAPIDPRIVATEKEY
|
||||
```
|
||||
|
||||
And finally, to end your whirlwind secrets loading adventure, get the `DB_PASS` and `SMTP_PASSWORD` loaded.
|
||||
|
||||
```
|
||||
$ abra app YOURAPPDOMAIN secret generate db_password v1
|
||||
$ abra app YOURDOMAIN secret insert smtp_password v1 YOURSMTPPASSWORD
|
||||
```
|
||||
Please only gather tips & tricks that are specific to Hometown here.
|
||||
|
|
128
abra.sh
128
abra.sh
|
@ -1,62 +1,92 @@
|
|||
# shellcheck disable=SC2148
|
||||
export ENTRYPOINT_CONF_VERSION=v5
|
||||
#MASTO_APP_DIR="mastodon/public"
|
||||
#!/bin/bash
|
||||
|
||||
sub_rake() {
|
||||
export OTP_SECRET=$(cat /run/secrets/otp_secret)
|
||||
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
|
||||
export DB_PASS=$(cat /run/secrets/db_password)
|
||||
export ENTRYPOINT_CONF_VERSION=v8
|
||||
|
||||
# shellcheck disable=SC2034
|
||||
abra__service_="streaming"
|
||||
file_env() {
|
||||
local var="$1"
|
||||
local fileVar="${var}_FILE"
|
||||
local def="${2:-}"
|
||||
|
||||
# Using streaming for rake since it is the least likely to flap
|
||||
sub_app_run bundle exec rake "$@"
|
||||
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
|
||||
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
local val="$def"
|
||||
if [ "${!var:-}" ]; then
|
||||
val="${!var}"
|
||||
elif [ "${!fileVar:-}" ]; then
|
||||
val="$(< "${!fileVar}")"
|
||||
fi
|
||||
|
||||
declare -x -g "$var"="$val"
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
sub_tootctl() {
|
||||
export OTP_SECRET=$(cat /run/secrets/otp_secret)
|
||||
export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base)
|
||||
export DB_PASS=$(cat /run/secrets/db_password)
|
||||
environment() {
|
||||
# for sidekiq service bundle exec env var threading
|
||||
file_env "OTP_SECRET"
|
||||
file_env "SECRET_KEY_BASE"
|
||||
file_env "DB_PASS"
|
||||
file_env "SMTP_PASSWORD"
|
||||
file_env "VAPID_PRIVATE_KEY"
|
||||
|
||||
# shellcheck disable=SC2034
|
||||
abra__service_="web"
|
||||
|
||||
# Using streaming for rake since it is the least likely to flap
|
||||
sub_app_run bin/tootctl "$@"
|
||||
declare -x RAILS_ENV=production
|
||||
}
|
||||
|
||||
sub_setup() {
|
||||
info "Setting up mastodon database"
|
||||
silence
|
||||
|
||||
sub_rake "db:setup"
|
||||
unsilence
|
||||
success "Mastodon's database is now up! 'web' and 'sidekiq' services should now stop failing."
|
||||
|
||||
echo "Do you want to create an admin user? (Extremely recommended!)"
|
||||
prompt_confirm
|
||||
read -rp "Username: " USERNAME
|
||||
read -rp "Email: " EMAIL
|
||||
warning "Password will be show on screen. Copy this down somewhere! Abra cannot show you this again!"
|
||||
sub_tootctl accounts create $USERNAME --email $EMAIL --confirmed --role admin
|
||||
success "Admin account created!"
|
||||
success "Mastodon should be setup and ready to go!"
|
||||
setup_admin() {
|
||||
## Create an admin user
|
||||
environment
|
||||
accounts create "$1" --email "$2" --confirmed --role admin
|
||||
}
|
||||
|
||||
# Not working atm
|
||||
# abra_backup_app() {
|
||||
# _abra_backup_dir $MASTO_APP_DIR
|
||||
# }
|
||||
shell() {
|
||||
## Run a shell with proper environment
|
||||
environment
|
||||
bash $@
|
||||
}
|
||||
|
||||
# abra_restore_app() {
|
||||
# # shellcheck disable=SC2034
|
||||
# {
|
||||
# abra__src_="-"
|
||||
# abra__dst_=$MASTO_APP_DIR
|
||||
# }
|
||||
generate_secrets() {
|
||||
## Run `abra app cmd -l <yourdomain> generate_secrets` to use Docker to generate secrets you'll need to deploy
|
||||
## your new instance (and create the secrets on target app).
|
||||
docker context use default > /dev/null 2>&1
|
||||
|
||||
# zcat "$@" | sub_app_cp
|
||||
echo "Generating secrets for new Hometown deployment..."
|
||||
echo ""
|
||||
|
||||
# success "Restored 'app'"
|
||||
# }
|
||||
SECRET_KEY_BASE=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
|
||||
abra app secret insert "$APP_NAME" secret_key_base v1 "$SECRET_KEY_BASE"
|
||||
echo "SECRET_KEY_BASE = $SECRET_KEY_BASE"
|
||||
echo ""
|
||||
|
||||
OTP_SECRET=$(docker run --rm tootsuite/mastodon:v4.2.0 bundle exec rake secret)
|
||||
abra app secret insert "$APP_NAME" otp_secret v1 "$OTP_SECRET"
|
||||
echo "OTP_SECRET = $OTP_SECRET"
|
||||
echo ""
|
||||
|
||||
docker run \
|
||||
-e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
|
||||
-e OTP_SECRET="$OTP_SECRET" \
|
||||
--rm tootsuite/mastodon:v3.4.0 \
|
||||
bundle exec rake mastodon:webpush:generate_vapid_key \
|
||||
> /tmp/key.txt
|
||||
|
||||
VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "/tmp/key.txt")
|
||||
VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "/tmp/key.txt")
|
||||
rm -rf /tmp/key.txt
|
||||
|
||||
echo "VAPID_PUBLIC_KEY = $VAPID_PUBLIC_KEY"
|
||||
echo "!IMPORTANT! you MUST insert this VAPID_PUBLIC_KEY into your app .env config !IMPORTANT!"
|
||||
echo ""
|
||||
|
||||
abra app secret insert "$APP_NAME" vapid_private_key v1 "$VAPID_PRIVATE_KEY"
|
||||
echo "VAPID_PRIVATE_KEY = $VAPID_PRIVATE_KEY"
|
||||
echo ""
|
||||
|
||||
abra app secret generate "$APP_NAME" db_password v1
|
||||
echo ""
|
||||
|
||||
echo "don't forget to insert your smtp_password! your deployment won't work without it"
|
||||
echo "run \"abra app secret insert $APP_NAME smtp_password v1 YOURSMTPPASSWORD\""
|
||||
echo ""
|
||||
}
|
||||
|
|
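Review bot: In `generate_secrets` the VAPID key pair is written to the fixed path `/tmp/key.txt` before being grepped back, so the private key briefly sits in a shared, predictable location on the operator's machine and the redirect will follow any pre-existing file or symlink at that name. Capturing the `docker run` output in a shell variable and grepping it with a here-string removes the temp file and the `rm -rf` entirely. Separately, the VAPID step still runs `tootsuite/mastodon:v3.4.0` while the two `rake secret` calls a few lines above use `v4.2.0`; if the older image is not deliberate, aligning the versions avoids depending on an image that may disappear. The function is fully inside this hunk.
```shell
    vapid_keys=$(docker run \
        -e SECRET_KEY_BASE="$SECRET_KEY_BASE" \
        -e OTP_SECRET="$OTP_SECRET" \
        --rm tootsuite/mastodon:v3.4.0 \
        bundle exec rake mastodon:webpush:generate_vapid_key)

    VAPID_PRIVATE_KEY=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" <<< "$vapid_keys")
    VAPID_PUBLIC_KEY=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" <<< "$vapid_keys")
    # … unchanged: echo of VAPID_PUBLIC_KEY and secret insert calls …
```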
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
es:
|
||||
image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
|
||||
environment:
|
||||
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||
- "cluster.name=es-mastodon"
|
||||
- "discovery.type=single-node"
|
||||
- "bootstrap.memory_lock=true"
|
||||
networks:
|
||||
- internal_network
|
||||
volumes:
|
||||
- es:/usr/share/elasticsearch/data
|
||||
ulimits:
|
||||
memlock:
|
||||
soft: -1
|
||||
hard: -1
|
||||
|
||||
app:
|
||||
environment: &es-env
|
||||
- ES_ENABLED=true
|
||||
- ES_HOST
|
||||
- ES_PORT
|
||||
|
||||
streaming:
|
||||
environment: *es-env
|
||||
|
||||
sidekiq:
|
||||
environment: *es-env
|
||||
|
||||
volumes:
|
||||
es:
|
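Review bot: The new `es` service uses `docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2`, which, as far as I know, ships without the security plugin and therefore accepts unauthenticated requests; the only thing protecting it is that its `networks:` list contains `internal_network` alone. A comment above the `networks:` key would stop a later edit from attaching it to `proxy`: `# elasticsearch-oss has no authentication; keep this service off the proxy network`. The service also has no `healthcheck:`, unlike `redis` in compose.yml, so a failing ES node will not be reported by the stack.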
|
@ -2,8 +2,7 @@
|
|||
version: "3.8"
|
||||
|
||||
services:
|
||||
web:
|
||||
image: decentral1se/hometown:v1.0.5_3.4.0_openid-sso
|
||||
app:
|
||||
secrets:
|
||||
- db_password
|
||||
- otp_secret
|
||||
|
@ -11,8 +10,8 @@ services:
|
|||
- smtp_password
|
||||
- vapid_private_key
|
||||
- oidc_client_secret
|
||||
|
||||
streaming:
|
||||
image: decentral1se/hometown:v1.0.5_3.4.0_openid-sso
|
||||
secrets:
|
||||
- db_password
|
||||
- otp_secret
|
||||
|
@ -20,8 +19,8 @@ services:
|
|||
- smtp_password
|
||||
- vapid_private_key
|
||||
- oidc_client_secret
|
||||
|
||||
sidekiq:
|
||||
image: decentral1se/hometown:v1.0.5_3.4.0_openid-sso
|
||||
secrets:
|
||||
- db_password
|
||||
- otp_secret
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment: &s3-env
|
||||
- S3_ENABLED=true
|
||||
- AWS_ACCESS_KEY_ID
|
||||
- AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key
|
||||
- S3_BUCKET
|
||||
- S3_REGION
|
||||
- S3_PROTOCOL
|
||||
- S3_HOSTNAME
|
||||
- S3_ENDPOINT
|
||||
- S3_SIGNATURE_VERSION
|
||||
- S3_OVERRIDE_PATH_STYLE
|
||||
- S3_OPEN_TIMEOUT
|
||||
- S3_READ_TIMEOUT
|
||||
- S3_FORCE_SINGLE_REQUEST
|
||||
- S3_ALIAS_HOST
|
||||
secrets: &s3-secrets
|
||||
- aws_secret_access_key
|
||||
|
||||
streaming:
|
||||
environment: *s3-env
|
||||
secrets: *s3-secrets
|
||||
|
||||
sidekiq:
|
||||
environment: *s3-env
|
||||
secrets: *s3-secrets
|
||||
|
||||
secrets:
|
||||
aws_secret_access_key:
|
||||
name: ${STACK_NAME}_aws_secret_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
|
||||
external: true
|
124
compose.yml
124
compose.yml
|
@ -2,66 +2,12 @@
|
|||
version: "3.8"
|
||||
|
||||
services:
|
||||
db:
|
||||
image: postgres:9.6-alpine
|
||||
networks: &internalNetwork
|
||||
- internal_network
|
||||
# Note(decentral1se): get this working, failing somehow so far
|
||||
# healthcheck:
|
||||
# test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
|
||||
volumes:
|
||||
- postgres:/var/lib/postgresql/data
|
||||
secrets:
|
||||
- db_password
|
||||
environment:
|
||||
- POSTGRES_DB=${DB_NAME}
|
||||
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
|
||||
- POSTGRES_USER=${DB_USER}
|
||||
|
||||
redis:
|
||||
image: redis:6.2-alpine
|
||||
networks: *internalNetwork
|
||||
healthcheck:
|
||||
test: ["CMD", "redis-cli", "ping"]
|
||||
volumes:
|
||||
- redis:/data
|
||||
|
||||
es:
|
||||
image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.16
|
||||
environment:
|
||||
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||
- "cluster.name=es-mastodon"
|
||||
- "discovery.type=single-node"
|
||||
- "bootstrap.memory_lock=true"
|
||||
networks:
|
||||
- internal_network
|
||||
# Note(decentral1se): get this working, failing somehow so far
|
||||
# healthcheck:
|
||||
# test:
|
||||
# [
|
||||
# "CMD-SHELL",
|
||||
# "curl --silent --fail localhost:9200/_cluster/health || exit 1",
|
||||
# ]
|
||||
volumes:
|
||||
- es:/usr/share/elasticsearch/data
|
||||
ulimits:
|
||||
memlock:
|
||||
soft: -1
|
||||
hard: -1
|
||||
|
||||
web:
|
||||
image: decentral1se/hometown:v1.0.5_3.4.0
|
||||
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
|
||||
app:
|
||||
image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.15-hometown-1.1.1
|
||||
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rake db:migrate; bundle exec rails s -p 3000"
|
||||
networks: &bothNetworks
|
||||
- proxy
|
||||
- internal_network
|
||||
# Note(decentral1se): get this working, failing somehow so far
|
||||
# healthcheck:
|
||||
# test:
|
||||
# [
|
||||
# "CMD-SHELL",
|
||||
# "wget -q --spider --proxy=off localhost:3000/health || exit 1",
|
||||
# ]
|
||||
deploy:
|
||||
update_config:
|
||||
failure_action: rollback
|
||||
|
@ -73,19 +19,7 @@ services:
|
|||
- "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
|
||||
- "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
# WEB_DOMAIN redirect
|
||||
#- "traefik.http.routers.${STACK_NAME}_web.rule=(Host(`${DOMAIN}`) || (Host(`${LOCAL_DOMAIN}`) && Path(`/.well-known/webfinger`)))"
|
||||
# - "traefik.http.middlewares.mastodon-webfinger.redirectregex.regex=^https?://${LOCAL_DOMAIN}/.*" #^(http|https)://${LOCAL_DOMAIN}/.well-known/webfinger"
|
||||
# # - "traefik.http.middlewares.mastodon-webfinger.redirectregex.permanent=true"
|
||||
# - "traefik.http.middlewares.mastodon-webfinger.redirectregex.replacement=https://${WEB_DOMAIN}/.well-known/webfinger"
|
||||
# - "traefik.http.routers.${STACK_NAME}_hack.rule=(Host(`${LOCAL_DOMAIN}`) && Path(`/.well-known/`))"
|
||||
# - "traefik.http.routers.${STACK_NAME}_hack.entrypoints=websecure"
|
||||
# - "traefik.http.routers.${STACK_NAME}_hack.middlewares=mastodon-webfinger@docker"
|
||||
## Redirect from EXTRA_DOMAINS to DOMAIN
|
||||
#- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
|
||||
- "coop-cloud.${STACK_NAME}.version=1.1.9+v4.0.15-hometown-1.1.1"
|
||||
configs: &configs
|
||||
- source: entrypoint_sh
|
||||
target: /usr/local/bin/entrypoint.sh
|
||||
|
@ -109,15 +43,13 @@ services:
|
|||
- CACHE_REDIS_URL
|
||||
- DB_HOST
|
||||
- DB_NAME
|
||||
- DB_PASS_FILE=/run/secrets/db_password
|
||||
- DB_PORT
|
||||
- DB_USER
|
||||
- DB_PASS_FILE=/run/secrets/db_password
|
||||
- DEFAULT_LOCALE
|
||||
- DISALLOW_UNAUTHENTICATED_API_ACCESS
|
||||
- EMAIL_DOMAIN_ALLOWLIST
|
||||
- EMAIL_DOMAIN_DENYLIST
|
||||
- ES_ENABLED
|
||||
- ES_HOST
|
||||
- ES_PORT
|
||||
- LDAP_BASE
|
||||
- LDAP_BIND_DN
|
||||
- LDAP_ENABLED
|
||||
|
@ -132,10 +64,12 @@ services:
|
|||
- LIMITED_FEDERATION_MODE
|
||||
- LOCAL_DOMAIN
|
||||
- MAX_SESSION_ACTIVATIONS
|
||||
- MAX_TOOT_CHARS
|
||||
- OAUTH_REDIRECT_AT_SIGN_IN
|
||||
- OIDC_AUTH_ENDPOINT
|
||||
- OIDC_CLIENT_AUTH_METHOD
|
||||
- OIDC_CLIENT_ID
|
||||
- OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
|
||||
- OIDC_DISCOVERY
|
||||
- OIDC_DISPLAY
|
||||
- OIDC_DISPLAY_NAME
|
||||
|
@ -154,7 +88,6 @@ services:
|
|||
- OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED
|
||||
- OIDC_SEND_NONCE
|
||||
- OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT
|
||||
- OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
|
||||
- OIDC_TOKEN_ENDPOINT
|
||||
- OIDC_UID_FIELD
|
||||
- OIDC_USER_INFO_ENDPOINT
|
||||
|
@ -208,22 +141,14 @@ services:
|
|||
- VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
|
||||
- VAPID_PUBLIC_KEY
|
||||
- WEB_DOMAIN
|
||||
- http_proxy # yes, this should be lowercase
|
||||
|
||||
streaming:
|
||||
image: decentral1se/hometown:v1.0.5_3.4.0
|
||||
image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.15-hometown-1.1.1
|
||||
command: node ./streaming
|
||||
configs: *configs
|
||||
entrypoint: *entrypoint
|
||||
secrets: *secrets
|
||||
networks: *bothNetworks
|
||||
# Note(decentral1se): get this working, failing somehow so far
|
||||
# healthcheck:
|
||||
# test:
|
||||
# [
|
||||
# "CMD-SHELL",
|
||||
# "wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1",
|
||||
# ]
|
||||
deploy:
|
||||
update_config:
|
||||
failure_action: rollback
|
||||
|
@ -235,16 +160,11 @@ services:
|
|||
- "traefik.http.routers.${STACK_NAME}_streaming.rule=(Host(`${DOMAIN}`) && PathPrefix(`/api/v1/streaming`))"
|
||||
- "traefik.http.routers.${STACK_NAME}_streaming.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}_streaming.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
|
||||
## Redirect from EXTRA_DOMAINS to DOMAIN
|
||||
#- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
environment: *env
|
||||
volumes: *appVolume # used to make sure this volume is created
|
||||
|
||||
sidekiq:
|
||||
image: decentral1se/hometown:v1.0.5_3.4.0
|
||||
image: git.coopcloud.tech/coop-cloud-chaos-patchs/hometown:v4.0.15-hometown-1.1.1
|
||||
secrets: *secrets
|
||||
command: bundle exec sidekiq
|
||||
configs: *configs
|
||||
|
@ -257,9 +177,30 @@ services:
|
|||
volumes: *appVolume
|
||||
environment: *env
|
||||
|
||||
db:
|
||||
image: postgres:14.10-alpine
|
||||
networks: &internalNetwork
|
||||
- internal_network
|
||||
volumes:
|
||||
- postgres:/var/lib/postgresql/data
|
||||
secrets:
|
||||
- db_password
|
||||
environment:
|
||||
- POSTGRES_DB=${DB_NAME}
|
||||
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
|
||||
- POSTGRES_USER=${DB_USER}
|
||||
|
||||
redis:
|
||||
image: redis:7.2-alpine
|
||||
networks: *internalNetwork
|
||||
healthcheck:
|
||||
test: ["CMD", "redis-cli", "ping"]
|
||||
volumes:
|
||||
- redis:/data
|
||||
|
||||
secrets:
|
||||
secret_key_base:
|
||||
name: ${STACK_NAME}_secret_key_base_${SECRET_KEY_BASE_VERSION}
|
||||
name: ${STACK_NAME}_secret_key_base_${SECRET_SECRET_KEY_BASE_VERSION}
|
||||
external: true
|
||||
otp_secret:
|
||||
name: ${STACK_NAME}_otp_secret_${SECRET_OTP_SECRET_VERSION}
|
||||
|
@ -278,7 +219,6 @@ volumes:
|
|||
app:
|
||||
redis:
|
||||
postgres:
|
||||
es:
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
|
|
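Review bot: `image: postgres:14.10-alpine` replaces `postgres:9.6-alpine` while `db` keeps the same `postgres:/var/lib/postgresql/data` volume; a PostgreSQL 14 server cannot start on a 9.6 data directory, so any existing deployment will crash-loop on upgrade until the data is dumped and restored or run through pg_upgrade. That step is not mentioned in the new release note in this compare, which only covers the Mastodon 4 migrations; a line there such as `The db service moves from postgres 9.6 to 14; dump and restore the database before deploying` would save operators a broken upgrade. Separately, the `app` command now runs `bundle exec rake db:migrate` on every container start, which presumably conflicts with the two-phase `SKIP_POST_DEPLOYMENT_MIGRATIONS=true` procedure the release note documents, since post-deployment migrations would run before `streaming` and `sidekiq` are restarted.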
|
@ -23,14 +23,16 @@ file_env() {
|
|||
unset "$fileVar"
|
||||
}
|
||||
|
||||
# for sidekiq service bundle exec env var threading
|
||||
file_env "DB_PASS"
|
||||
file_env "OTP_SECRET"
|
||||
file_env "SECRET_KEY_BASE"
|
||||
file_env "SMTP_PASSWORD"
|
||||
file_env "VAPID_PRIVATE_KEY"
|
||||
file_env "AWS_SECRET_ACCESS_KEY"
|
||||
|
||||
{{ if eq (env "OIDC_ENABLED") "true" }}
|
||||
file_env "OIDC_CLIENT_SECRET"
|
||||
{{ end }}
|
||||
|
||||
/usr/bin/tini -- "$@"
|
||||
/usr/bin/tini -s -- "$@"
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
Mastodon 4 requires running pre- and post-deployment migrations, something like
|
||||
|
||||
```
|
||||
abra app run your.app.domain app bash -c "SKIP_POST_DEPLOYMENT_MIGRATIONS=true rails db:migrate"
|
||||
abra app restart your.app.domain app
|
||||
abra app restart your.app.domain streaming
|
||||
abra app restart your.app.domain sidekiq
|
||||
abra app run your.app.domain app rails db:migrate
|
||||
```
|
||||
|
||||
See the full release notes for details: https://github.com/mastodon/mastodon/releases/tag/v4.0.0
|
|
@ -1,3 +0,0 @@
|
|||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json"
|
||||
}
|