Rebase to 3.20, enable active record encryption (#87)

Dockerfile

@@ -1,16 +1,15 @@
 # syntax=docker/dockerfile:1
 
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.18
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.20
 
 ARG BUILD_DATE
 ARG VERSION
 ARG MASTODON_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="TheSpad"
+LABEL maintainer="thespad"
 
 ENV RAILS_ENV="production" \
     NODE_ENV="production" \
-    NODE_OPTIONS="--openssl-legacy-provider" \
     PATH="${PATH}:/app/www/bin" \
     S6_STAGE2_HOOK="/init-hook"
 
@@ -33,9 +32,10 @@ RUN \
     libpq-dev \
     libxml2-dev \
     libxslt-dev \
+    linux-headers \
+    npm \
     openssl-dev \
     ruby-dev \
-    yarn \
     yaml-dev && \
   echo "**** install mastodon ****" && \
   mkdir -p /app/www && \
@@ -50,19 +50,24 @@ RUN \
     /tmp/mastodon.tar.gz -C \
     /app/www/ --strip-components=1 && \
   cd /app/www && \
-  # https://github.com/mastodon/mastodon/pull/24702
-  sed -En "s/.*\brequire\('([^']+)'\).*/\"\1\"/p" streaming/index.js > streaming-requires.txt && \
-  jq --slurpfile requires streaming-requires.txt \
-    '{ dependencies: .dependencies | with_entries(select([.key] | inside($requires))) }' \
-    package.json > streaming/package.json && \
   bundle config set --local deployment 'true' && \
   bundle config set --local without 'development test exclude' && \
   bundle config set silence_root_warning true && \
   bundle install -j"$(nproc)" --no-cache && \
-  yarn install --production --frozen-lockfile --check-files && \
-	cd streaming && \
-	yarn install --production --check-files && \
-  OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder rails assets:precompile && \
+  npm install -g corepack && \
+  corepack enable && \
+  yarn workspaces focus --production @mastodon/mastodon && \
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \
+  OTP_SECRET=precompile_placeholder \
+  SECRET_KEY_BASE=precompile_placeholder \
+  bundle exec rails assets:precompile && \
+  bundle exec bootsnap precompile --gemfile app/ lib/ && \
+  rm -rf /app/www/node_modules && \
+  cd streaming && \
+  yarn workspaces focus --production @mastodon/streaming && \
+  printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
   echo "**** cleanup ****" && \
   yarn cache clean && \
   apk del --purge \
@@ -71,7 +76,6 @@ RUN \
   rm -r \
     /app/www/app/javascript/fonts \
     /app/www/app/javascript/icons \
-    /app/www/app/javascript/packs \
     /app/www/app/javascript/styles && \
   rm -rf \
     # Remove vendored sources for building native extensions.
@@ -98,18 +102,7 @@ RUN \
     -o -name '*LICENSE*' \
     -o -name 'Rakefile' \
     -o -name '.*' \) \
-		-type f -delete && \
-  # Remove source maps, TS files, docs, tests and other useless files.
-	find /app/www/streaming/node_modules \( -name '.*' \
-    -o -name '*.map' \
-    -o -name '*.md' \
-    -o -name '*.ts' \
-    -o -name 'LICENSE*' \
-    -o -name 'Makefile' \
-    -o -name 'README*' \) \
-		-type f -delete && \
-	rm -rf /app/www/streaming/node_modules/*/test && \
-  rm -rf /app/www/node_modules
+    -type f -delete
 
 COPY root/ /
 

Dockerfile.aarch64

@@ -1,23 +1,23 @@
 # syntax=docker/dockerfile:1
 
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.18
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.20
 
 ARG BUILD_DATE
 ARG VERSION
 ARG MASTODON_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="TheSpad"
+LABEL maintainer="thespad"
 
 ENV RAILS_ENV="production" \
     NODE_ENV="production" \
-    NODE_OPTIONS="--openssl-legacy-provider" \
     PATH="${PATH}:/app/www/bin" \
     S6_STAGE2_HOOK="/init-hook"
 
 RUN \
   apk add --no-cache \
     ffmpeg \
     file \
+    gcompat \
     imagemagick \
     libpq \
     libidn \
@@ -28,17 +28,17 @@ RUN \
     yaml && \
   apk add --no-cache --virtual=build-dependencies \
     build-base \
-    gcompat \
     icu-dev \
     libidn-dev \
     libpq-dev \
     libxml2-dev \
     libxslt-dev \
+    linux-headers \
+    npm \
     openssl-dev \
     python3-dev \
     ruby-dev \
-    yaml-dev \
-    yarn && \
+    yaml-dev && \
   echo "**** install mastodon ****" && \
   mkdir -p /app/www && \
   if [ -z ${MASTODON_VERSION+x} ]; then \
@@ -52,20 +52,24 @@ RUN \
     /tmp/mastodon.tar.gz -C \
     /app/www/ --strip-components=1 && \
   cd /app/www && \
-  # https://github.com/mastodon/mastodon/pull/24702
-  sed -En "s/.*\brequire\('([^']+)'\).*/\"\1\"/p" streaming/index.js > streaming-requires.txt && \
-  jq --slurpfile requires streaming-requires.txt \
-    '{ dependencies: .dependencies | with_entries(select([.key] | inside($requires))) }' \
-    package.json > streaming/package.json && \
   bundle config set --local deployment 'true' && \
   bundle config set --local without 'development test exclude' && \
   bundle config set silence_root_warning true && \
-  bundle config set force_ruby_platform true && \
   bundle install -j"$(nproc)" --no-cache && \
-  yarn install --production --frozen-lockfile --check-files && \
-	cd streaming && \
-	yarn install --production --check-files && \
-  OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder rails assets:precompile && \
+  npm install -g corepack && \
+  corepack enable && \
+  yarn workspaces focus --production @mastodon/mastodon && \
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \
+  OTP_SECRET=precompile_placeholder \
+  SECRET_KEY_BASE=precompile_placeholder \
+  bundle exec rails assets:precompile && \
+  bundle exec bootsnap precompile --gemfile app/ lib/ && \
+  rm -rf /app/www/node_modules && \
+  cd streaming && \
+  yarn workspaces focus --production @mastodon/streaming && \
+  printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
   echo "**** cleanup ****" && \
   yarn cache clean && \
   apk del --purge \
@@ -74,7 +78,6 @@ RUN \
   rm -r \
     /app/www/app/javascript/fonts \
     /app/www/app/javascript/icons \
-    /app/www/app/javascript/packs \
     /app/www/app/javascript/styles && \
   rm -rf \
     # Remove vendored sources for building native extensions.
@@ -101,18 +104,7 @@ RUN \
     -o -name '*LICENSE*' \
     -o -name 'Rakefile' \
     -o -name '.*' \) \
-		-type f -delete && \
-  # Remove source maps, TS files, docs, tests and other useless files.
-	find /app/www/streaming/node_modules \( -name '.*' \
-    -o -name '*.map' \
-    -o -name '*.md' \
-    -o -name '*.ts' \
-    -o -name 'LICENSE*' \
-    -o -name 'Makefile' \
-    -o -name 'README*' \) \
-		-type f -delete && \
-	rm -rf /app/www/streaming/node_modules/*/test && \
-  rm -rf /app/www/node_modules
+    -type f -delete
 
 COPY root/ /
 

Jenkinsfile

@@ -35,8 +35,8 @@ pipeline {
     CI_WEB='false'
     CI_PORT='80'
     CI_SSL='false'
-    CI_DELAY='120'
-    CI_DOCKERENV='TZ=US/Pacific'
+    CI_DELAY='60'
+    CI_DOCKERENV=''
     CI_AUTH=''
     CI_WEBPATH=''
   }

README.md

@@ -70,9 +70,11 @@ This image provides various versions that are available via tags. Please read th
 
 We provide aliases for the common commands that execute in the correct context so that environment variables from secrets are available to them:
 
-* To generate keys for `SECRET_KEY_BASE` & `OTP_SECRET` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon generate-secret` once for each.
+* To generate keys for `SECRET_KEY_BASE` & `OTP_SECRET` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-secret` once for each.
 
-* To generate keys for `VAPID_PRIVATE_KEY` & `VAPID_PUBLIC_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon generate-vapid`
+* To generate keys for `VAPID_PRIVATE_KEY` & `VAPID_PUBLIC_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-vapid`
+
+* To generate keys for `ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`, `ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`, & `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-active-record`
 
 Both of the secret generation aliases above can be run without any other setup having been carried out.
 
@@ -127,6 +129,9 @@ services:
       - DB_PASS=mastodon
       - DB_PORT=5432
       - ES_ENABLED=false
+      - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=
+      - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
+      - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
       - SECRET_KEY_BASE=
       - OTP_SECRET=
       - VAPID_PRIVATE_KEY=
@@ -153,7 +158,7 @@ services:
       - DB_POOL=5 #optional
       - NO_CHOWN= #optional
     volumes:
-      - /path/to/appdata/config:/config
+      - /path/to/mastodon/config:/config
     ports:
       - 80:80
       - 443:443
@@ -177,6 +182,9 @@ docker run -d \
   -e DB_PASS=mastodon \
   -e DB_PORT=5432 \
   -e ES_ENABLED=false \
+  -e ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY= \
+  -e ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= \
+  -e ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT= \
   -e SECRET_KEY_BASE= \
   -e OTP_SECRET= \
   -e VAPID_PRIVATE_KEY= \
@@ -204,7 +212,7 @@ docker run -d \
   -e NO_CHOWN= `#optional` \
   -p 80:80 \
   -p 443:443 \
-  -v /path/to/appdata/config:/config \
+  -v /path/to/mastodon/config:/config \
   --restart unless-stopped \
   lscr.io/linuxserver/mastodon:latest
 ```
@@ -227,8 +235,11 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e DB_USER=mastodon` | Postgres username |
 | `-e DB_NAME=mastodon` | Postgres db name |
 | `-e DB_PASS=mastodon` | Postgres password |
-| `-e DB_PORT=5432` | Portgres port |
+| `-e DB_PORT=5432` | Postgres port |
 | `-e ES_ENABLED=false` | Enable or disable Elasticsearch (requires a separate ES instance) |
+| `-e ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=` | Primary key for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files). |
+| `-e ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=` | Deterministic key for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files). |
+| `-e ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=` | Derivation salt for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files). |
 | `-e SECRET_KEY_BASE=` | Browser session secret. Changing it will break all active browser sessions. |
 | `-e OTP_SECRET=` | MFA secret. Changing it after initial setup will break two-factor authentication. |
 | `-e VAPID_PRIVATE_KEY=` | Push notification private key. Changing it after initial setup will break push notifications. |
@@ -418,6 +429,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **08.10.24:** - Rebase to Alpine 3.20, enable [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files). Existing users should update their nginx confs to avoid http2 deprecation warnings.
 * **21.09.23:** - Rebase to Alpine 3.18, migrate to s6v3.
 * **25.05.23:** - Adjust apk flags.
 * **09.02.23:** - Add Glitch branch.

jenkins-vars.yml

@@ -6,7 +6,6 @@ external_type: github_stable
 release_type: stable
 release_tag: latest
 ls_branch: main
-build_armhf: false
 repo_vars:
   - EXT_GIT_BRANCH = 'main'
   - EXT_USER = 'mastodon'
@@ -24,8 +23,7 @@ repo_vars:
   - CI_WEB='false'
   - CI_PORT='80'
   - CI_SSL='false'
-  - CI_DELAY='120'
-  - CI_DOCKERENV='TZ=US/Pacific'
+  - CI_DELAY='60'
+  - CI_DOCKERENV=''
   - CI_AUTH=''
   - CI_WEBPATH=''
-

readme-vars.yml

@@ -27,16 +27,18 @@ param_container_name: "{{ project_name }}"
 
 param_usage_include_env: true
 param_env_vars:
-  - { env_var: "TZ", env_value: "America/New_York", desc: "Specify a timezone to use EG America/New_York"}
   - { env_var: "LOCAL_DOMAIN", env_value: "example.com", desc: "This is the unique identifier of your server in the network. It cannot be safely changed later."}
   - { env_var: "REDIS_HOST", env_value: "redis", desc: "Redis server hostname"}
   - { env_var: "REDIS_PORT", env_value: "6379", desc: "Redis port"}
   - { env_var: "DB_HOST", env_value: "db", desc: "Postgres database hostname"}
   - { env_var: "DB_USER", env_value: "mastodon", desc: "Postgres username"}
   - { env_var: "DB_NAME", env_value: "mastodon", desc: "Postgres db name"}
   - { env_var: "DB_PASS", env_value: "mastodon", desc: "Postgres password"}
-  - { env_var: "DB_PORT", env_value: "5432", desc: "Portgres port"}
+  - { env_var: "DB_PORT", env_value: "5432", desc: "Postgres port"}
   - { env_var: "ES_ENABLED", env_value: "false", desc: "Enable or disable Elasticsearch (requires a separate ES instance)"}
+  - { env_var: "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY", env_value: "", desc: "Primary key for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files)."}
+  - { env_var: "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY", env_value: "", desc: "Deterministic key for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files)."}
+  - { env_var: "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT", env_value: "", desc: "Derivation salt for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files)."}
   - { env_var: "SECRET_KEY_BASE", env_value: "", desc: "Browser session secret. Changing it will break all active browser sessions."}
   - { env_var: "OTP_SECRET", env_value: "", desc: "MFA secret. Changing it after initial setup will break two-factor authentication."}
   - { env_var: "VAPID_PRIVATE_KEY", env_value: "", desc: "Push notification private key. Changing it after initial setup will break push notifications."}
@@ -73,16 +75,18 @@ param_ports:
 
 param_usage_include_vols: true
 param_volumes:
-  - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Contains all relevant configuration files." }
+  - { vol_path: "/config", vol_host_path: "/path/to/{{ project_name }}/config", desc: "Contains all relevant configuration files." }
 
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
   We provide aliases for the common commands that execute in the correct context so that environment variables from secrets are available to them:
 
-  * To generate keys for `SECRET_KEY_BASE` & `OTP_SECRET` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon generate-secret` once for each.
+  * To generate keys for `SECRET_KEY_BASE` & `OTP_SECRET` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-secret` once for each.
 
-  * To generate keys for `VAPID_PRIVATE_KEY` & `VAPID_PUBLIC_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon generate-vapid`
+  * To generate keys for `VAPID_PRIVATE_KEY` & `VAPID_PUBLIC_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-vapid`
+
+  * To generate keys for `ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`, `ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`, & `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-active-record`
 
   Both of the secret generation aliases above can be run without any other setup having been carried out.
 
@@ -114,6 +118,7 @@ app_setup_block: |
 
 # changelog
 changelogs:
+  - { date: "08.10.24:", desc: "Rebase to Alpine 3.20, enable [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files). Existing users should update their nginx confs to avoid http2 deprecation warnings." }
   - { date: "21.09.23:", desc: "Rebase to Alpine 3.18, migrate to s6v3." }
   - { date: "25.05.23:", desc: "Adjust apk flags." }
   - { date: "09.02.23:", desc: "Add Glitch branch." }

root/defaults/nginx/site-confs/default.conf.sample

@@ -1,4 +1,4 @@
-## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-mastodon/commits/main/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2024/08/26 - Changelog: https://github.com/linuxserver/docker-mastodon/commits/main/root/defaults/nginx/site-confs/default.conf.sample
 
 map $http_upgrade $connection_upgrade {
     default upgrade;
@@ -18,9 +18,8 @@ proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
-
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
 
     server_name _;
 

root/etc/s6-overlay/s6-rc.d/init-adduser/run

@@ -29,8 +29,13 @@ GID/UID
 echo "
 User UID:    $(id -u abc)
 User GID:    $(id -g abc)
+───────────────────────────────────────"
+if [[ -f /build_version ]]; then
+    cat /build_version
+    echo '
 ───────────────────────────────────────
-"
+    '
+fi
 
 lsiown abc:abc /app
 lsiown abc:abc /config

root/generate-active-record

@@ -0,0 +1,6 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+cd /app/www || exit 1
+
+rake db:encryption:init