From 3fd47049265efab970c6a3aaa4312b188cbbb327 Mon Sep 17 00:00:00 2001
From: Adam
Date: Tue, 8 Oct 2024 18:01:00 +0100
Subject: [PATCH] Rebase to 3.20, enable active record encryption (#87)

---
 Dockerfile | 45 +++++++----------
 Dockerfile.aarch64 | 50 ++++++++-----------
 Jenkinsfile | 4 +-
 README.md | 22 ++++++--
 jenkins-vars.yml | 6 +--
 readme-vars.yml | 15 ++++--
 .../nginx/site-confs/default.conf.sample | 7 ++-
 root/etc/s6-overlay/s6-rc.d/init-adduser/run | 7 ++-
 root/generate-active-record | 6 +++
 9 files changed, 86 insertions(+), 76 deletions(-)
 create mode 100755 root/generate-active-record

diff --git a/Dockerfile b/Dockerfile
index f6ec76e..3b83954 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,16 +1,15 @@
 # syntax=docker/dockerfile:1

-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.18
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.20

 ARG BUILD_DATE
 ARG VERSION
 ARG MASTODON_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="TheSpad"
+LABEL maintainer="thespad"

 ENV RAILS_ENV="production" \
 NODE_ENV="production" \
- NODE_OPTIONS="--openssl-legacy-provider" \
 PATH="${PATH}:/app/www/bin" \
 S6_STAGE2_HOOK="/init-hook"

@@ -33,9 +32,10 @@ RUN \
 libpq-dev \
 libxml2-dev \
 libxslt-dev \
+ linux-headers \
+ npm \
 openssl-dev \
 ruby-dev \
- yarn \
 yaml-dev && \
 echo "**** install mastodon ****" && \
 mkdir -p /app/www && \
@@ -50,19 +50,24 @@ RUN \
 /tmp/mastodon.tar.gz -C \
 /app/www/ --strip-components=1 && \
 cd /app/www && \
- # https://github.com/mastodon/mastodon/pull/24702
- sed -En "s/.*\brequire\('([^']+)'\).*/\"\1\"/p" streaming/index.js > streaming-requires.txt && \
- jq --slurpfile requires streaming-requires.txt \
- '{ dependencies: .dependencies | with_entries(select([.key] | inside($requires))) }' \
- package.json > streaming/package.json && \
 bundle config set --local deployment 'true' && \
 bundle config set --local without 'development test exclude' && \
 bundle config set silence_root_warning true && \
 bundle install -j"$(nproc)" --no-cache && \
- yarn install --production --frozen-lockfile --check-files && \
- cd streaming && \
- yarn install --production --check-files && \
- OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder rails assets:precompile && \
+ npm install -g corepack && \
+ corepack enable && \
+ yarn workspaces focus --production @mastodon/mastodon && \
+ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \
+ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \
+ ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \
+ OTP_SECRET=precompile_placeholder \
+ SECRET_KEY_BASE=precompile_placeholder \
+ bundle exec rails assets:precompile && \
+ bundle exec bootsnap precompile --gemfile app/ lib/ && \
+ rm -rf /app/www/node_modules && \
+ cd streaming && \
+ yarn workspaces focus --production @mastodon/streaming && \
+ printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
 echo "**** cleanup ****" && \
 yarn cache clean && \
 apk del --purge \
@@ -71,7 +76,6 @@ RUN \
 rm -r \
 /app/www/app/javascript/fonts \
 /app/www/app/javascript/icons \
- /app/www/app/javascript/packs \
 /app/www/app/javascript/styles && \
 rm -rf \
 # Remove vendored sources for building native extensions.
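Review bot: `npm install -g corepack` at the top of the new yarn block installs whichever corepack version npm resolves at build time, and corepack then downloads the Yarn release named by the project's packageManager field, so neither tool is pinned or checksummed by this Dockerfile; pin at least the first link, `npm install -g corepack@<version>` (placeholder for the version you qualify). Separately, `npm` is later removed as part of the build-dependencies virtual package, but the globally installed corepack tree, the `yarn`/`pnpm` shims created by `corepack enable`, and the Yarn tarball cached under corepack's cache directory (COREPACK_HOME) are not apk-owned, so they presumably survive into the runtime image unless the cleanup that continues past this hunk removes them — worth a `corepack disable && npm uninstall -g corepack` plus a cache purge in the same RUN, before `apk del`. The placeholder secrets exported on the `bundle exec rails assets:precompile` line are scoped to that single command and do not persist, which is fine. The same block is duplicated in Dockerfile.aarch64's `@@ -52,20 +52,24 @@` hunk. The RUN instruction starts and ends outside this hunk.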
@@ -98,18 +102,7 @@ RUN \
 -o -name '*LICENSE*' \
 -o -name 'Rakefile' \
 -o -name '.*' \) \
- -type f -delete && \
- # Remove source maps, TS files, docs, tests and other useless files.
- find /app/www/streaming/node_modules \( -name '.*' \
- -o -name '*.map' \
- -o -name '*.md' \
- -o -name '*.ts' \
- -o -name 'LICENSE*' \
- -o -name 'Makefile' \
- -o -name 'README*' \) \
- -type f -delete && \
- rm -rf /app/www/streaming/node_modules/*/test && \
- rm -rf /app/www/node_modules
+ -type f -delete

 COPY root/ /

diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index d9a8dac..998617f 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -1,16 +1,15 @@
 # syntax=docker/dockerfile:1

-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.18
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.20

 ARG BUILD_DATE
 ARG VERSION
 ARG MASTODON_VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="TheSpad"
+LABEL maintainer="thespad"

 ENV RAILS_ENV="production" \
 NODE_ENV="production" \
- NODE_OPTIONS="--openssl-legacy-provider" \
 PATH="${PATH}:/app/www/bin" \
 S6_STAGE2_HOOK="/init-hook"

@@ -18,6 +17,7 @@ RUN \
 apk add --no-cache \
 ffmpeg \
 file \
+ gcompat \
 imagemagick \
 libpq \
 libidn \
@@ -28,17 +28,17 @@ RUN \
 yaml && \
 apk add --no-cache --virtual=build-dependencies \
 build-base \
- gcompat \
 icu-dev \
 libidn-dev \
 libpq-dev \
 libxml2-dev \
 libxslt-dev \
+ linux-headers \
+ npm \
 openssl-dev \
 python3-dev \
 ruby-dev \
- yaml-dev \
- yarn && \
+ yaml-dev && \
 echo "**** install mastodon ****" && \
 mkdir -p /app/www && \
 if [ -z ${MASTODON_VERSION+x} ]; then \
@@ -52,20 +52,24 @@ RUN \
 /tmp/mastodon.tar.gz -C \
 /app/www/ --strip-components=1 && \
 cd /app/www && \
- # https://github.com/mastodon/mastodon/pull/24702
- sed -En "s/.*\brequire\('([^']+)'\).*/\"\1\"/p" streaming/index.js > streaming-requires.txt && \
- jq --slurpfile requires streaming-requires.txt \
- '{ dependencies: .dependencies | with_entries(select([.key] | inside($requires))) }' \
- package.json > streaming/package.json && \
 bundle config set --local deployment 'true' && \
 bundle config set --local without 'development test exclude' && \
 bundle config set silence_root_warning true && \
- bundle config set force_ruby_platform true && \
 bundle install -j"$(nproc)" --no-cache && \
- yarn install --production --frozen-lockfile --check-files && \
- cd streaming && \
- yarn install --production --check-files && \
- OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder rails assets:precompile && \
+ npm install -g corepack && \
+ corepack enable && \
+ yarn workspaces focus --production @mastodon/mastodon && \
+ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \
+ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \
+ ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \
+ OTP_SECRET=precompile_placeholder \
+ SECRET_KEY_BASE=precompile_placeholder \
+ bundle exec rails assets:precompile && \
+ bundle exec bootsnap precompile --gemfile app/ lib/ && \
+ rm -rf /app/www/node_modules && \
+ cd streaming && \
+ yarn workspaces focus --production @mastodon/streaming && \
+ printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
 echo "**** cleanup ****" && \
 yarn cache clean && \
 apk del --purge \
@@ -74,7 +78,6 @@ RUN \
 rm -r \
 /app/www/app/javascript/fonts \
 /app/www/app/javascript/icons \
- /app/www/app/javascript/packs \
 /app/www/app/javascript/styles && \
 rm -rf \
 # Remove vendored sources for building native extensions.
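Review bot: dropping `bundle config set force_ruby_platform true` on the aarch64 build, together with `gcompat` moving into the runtime package set in the earlier `@@ -18,6 +17,7 @@` hunk, means Bundler may now install precompiled native gems that carry their own copies of libraries such as libxml2/libxslt instead of linking against the apk-provided ones; if that is what happens, those embedded libraries are no longer patched by rebasing the Alpine image, and the later step that deletes vendored sources for native extensions no longer describes what is actually linked. That looks intentional given the gcompat move, but it changes how this image picks up library CVE fixes, so record the decision next to the `bundle install` line, e.g. `# precompiled (glibc) gems are allowed on arm64; gcompat stays in the runtime image for them`. The corresponding Dockerfile hunk for x86_64 does not show this option, so the two files now behave alike. The RUN instruction starts and ends outside this hunk.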
@@ -101,18 +104,7 @@ RUN \
 -o -name '*LICENSE*' \
 -o -name 'Rakefile' \
 -o -name '.*' \) \
- -type f -delete && \
- # Remove source maps, TS files, docs, tests and other useless files.
- find /app/www/streaming/node_modules \( -name '.*' \
- -o -name '*.map' \
- -o -name '*.md' \
- -o -name '*.ts' \
- -o -name 'LICENSE*' \
- -o -name 'Makefile' \
- -o -name 'README*' \) \
- -type f -delete && \
- rm -rf /app/www/streaming/node_modules/*/test && \
- rm -rf /app/www/node_modules
+ -type f -delete

 COPY root/ /

diff --git a/Jenkinsfile b/Jenkinsfile
index 4933816..0fa7ed1 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -35,8 +35,8 @@ pipeline {
 CI_WEB='false'
 CI_PORT='80'
 CI_SSL='false'
- CI_DELAY='120'
- CI_DOCKERENV='TZ=US/Pacific'
+ CI_DELAY='60'
+ CI_DOCKERENV=''
 CI_AUTH=''
 CI_WEBPATH=''
 }
diff --git a/README.md b/README.md
index b65300a..b57702f 100644
--- a/README.md
+++ b/README.md
@@ -70,9 +70,11 @@ This image provides various versions that are available via tags. Please read th
 We provide aliases for the common commands that execute in the correct context so that environment variables from secrets are available to them:

-* To generate keys for `SECRET_KEY_BASE` & `OTP_SECRET` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon generate-secret` once for each.
+* To generate keys for `SECRET_KEY_BASE` & `OTP_SECRET` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-secret` once for each.

-* To generate keys for `VAPID_PRIVATE_KEY` & `VAPID_PUBLIC_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon generate-vapid`
+* To generate keys for `VAPID_PRIVATE_KEY` & `VAPID_PUBLIC_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-vapid`
+
+* To generate keys for `ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`, `ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`, & `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-active-record`

 Both of the secret generation aliases above can be run without any other setup having been carried out.
@@ -127,6 +129,9 @@ services:
 - DB_PASS=mastodon
 - DB_PORT=5432
 - ES_ENABLED=false
+ - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=
+ - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
+ - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=
 - SECRET_KEY_BASE=
 - OTP_SECRET=
 - VAPID_PRIVATE_KEY=
@@ -153,7 +158,7 @@ services:
 - DB_POOL=5 #optional
 - NO_CHOWN= #optional
 volumes:
- - /path/to/appdata/config:/config
+ - /path/to/mastodon/config:/config
 ports:
 - 80:80
 - 443:443
@@ -177,6 +182,9 @@ docker run -d \
 -e DB_PASS=mastodon \
 -e DB_PORT=5432 \
 -e ES_ENABLED=false \
+ -e ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY= \
+ -e ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= \
+ -e ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT= \
 -e SECRET_KEY_BASE= \
 -e OTP_SECRET= \
 -e VAPID_PRIVATE_KEY= \
@@ -204,7 +212,7 @@ docker run -d \
 -e NO_CHOWN= `#optional` \
 -p 80:80 \
 -p 443:443 \
- -v /path/to/appdata/config:/config \
+ -v /path/to/mastodon/config:/config \
 --restart unless-stopped \
 lscr.io/linuxserver/mastodon:latest
 ```
@@ -227,8 +235,11 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e DB_USER=mastodon` | Postgres username |
 | `-e DB_NAME=mastodon` | Postgres db name |
 | `-e DB_PASS=mastodon` | Postgres password |
-| `-e DB_PORT=5432` | Portgres port |
+| `-e DB_PORT=5432` | Postgres port |
 | `-e ES_ENABLED=false` | Enable or disable Elasticsearch (requires a separate ES instance) |
+| `-e ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=` | Primary key for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files). |
+| `-e ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=` | Deterministic key for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files). |
+| `-e ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=` | Derivation salt for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files). |
 | `-e SECRET_KEY_BASE=` | Browser session secret. Changing it will break all active browser sessions. |
 | `-e OTP_SECRET=` | MFA secret. Changing it after initial setup will break two-factor authentication. |
 | `-e VAPID_PRIVATE_KEY=` | Push notification private key. Changing it after initial setup will break push notifications. |
@@ -418,6 +429,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions

+* **08.10.24:** - Rebase to Alpine 3.20, enable [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files). Existing users should update their nginx confs to avoid http2 deprecation warnings.
 * **21.09.23:** - Rebase to Alpine 3.18, migrate to s6v3.
 * **25.05.23:** - Adjust apk flags.
 * **09.02.23:** - Add Glitch branch.
diff --git a/jenkins-vars.yml b/jenkins-vars.yml
index 12f664c..6b8b25a 100644
--- a/jenkins-vars.yml
+++ b/jenkins-vars.yml
@@ -6,7 +6,6 @@ external_type: github_stable
 release_type: stable
 release_tag: latest
 ls_branch: main
-build_armhf: false
 repo_vars:
 - EXT_GIT_BRANCH = 'main'
 - EXT_USER = 'mastodon'
@@ -24,8 +23,7 @@ repo_vars:
 - CI_WEB='false'
 - CI_PORT='80'
 - CI_SSL='false'
- - CI_DELAY='120'
- - CI_DOCKERENV='TZ=US/Pacific'
+ - CI_DELAY='60'
+ - CI_DOCKERENV=''
 - CI_AUTH=''
 - CI_WEBPATH=''
-
\ No newline at end of file
diff --git a/readme-vars.yml b/readme-vars.yml
index 027e981..b2915aa 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -27,7 +27,6 @@ param_container_name: "{{ project_name }}"

 param_usage_include_env: true
 param_env_vars:
- - { env_var: "TZ", env_value: "America/New_York", desc: "Specify a timezone to use EG America/New_York"}
 - { env_var: "LOCAL_DOMAIN", env_value: "example.com", desc: "This is the unique identifier of your server in the network. It cannot be safely changed later."}
 - { env_var: "REDIS_HOST", env_value: "redis", desc: "Redis server hostname"}
 - { env_var: "REDIS_PORT", env_value: "6379", desc: "Redis port"}
@@ -35,8 +34,11 @@ param_env_vars:
 - { env_var: "DB_USER", env_value: "mastodon", desc: "Postgres username"}
 - { env_var: "DB_NAME", env_value: "mastodon", desc: "Postgres db name"}
 - { env_var: "DB_PASS", env_value: "mastodon", desc: "Postgres password"}
- - { env_var: "DB_PORT", env_value: "5432", desc: "Portgres port"}
+ - { env_var: "DB_PORT", env_value: "5432", desc: "Postgres port"}
 - { env_var: "ES_ENABLED", env_value: "false", desc: "Enable or disable Elasticsearch (requires a separate ES instance)"}
+ - { env_var: "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY", env_value: "", desc: "Primary key for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files)."}
+ - { env_var: "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY", env_value: "", desc: "Deterministic key for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files)."}
+ - { env_var: "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT", env_value: "", desc: "Derivation salt for [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files)."}
 - { env_var: "SECRET_KEY_BASE", env_value: "", desc: "Browser session secret. Changing it will break all active browser sessions."}
 - { env_var: "OTP_SECRET", env_value: "", desc: "MFA secret. Changing it after initial setup will break two-factor authentication."}
 - { env_var: "VAPID_PRIVATE_KEY", env_value: "", desc: "Push notification private key. Changing it after initial setup will break push notifications."}
@@ -73,16 +75,18 @@ param_ports:

 param_usage_include_vols: true
 param_volumes:
- - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Contains all relevant configuration files." }
+ - { vol_path: "/config", vol_host_path: "/path/to/{{ project_name }}/config", desc: "Contains all relevant configuration files." }

 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
 We provide aliases for the common commands that execute in the correct context so that environment variables from secrets are available to them:

- * To generate keys for `SECRET_KEY_BASE` & `OTP_SECRET` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon generate-secret` once for each.
+ * To generate keys for `SECRET_KEY_BASE` & `OTP_SECRET` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-secret` once for each.

- * To generate keys for `VAPID_PRIVATE_KEY` & `VAPID_PUBLIC_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon generate-vapid`
+ * To generate keys for `VAPID_PRIVATE_KEY` & `VAPID_PUBLIC_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-vapid`
+
+ * To generate keys for `ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`, `ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`, & `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` run `docker run --rm -it --entrypoint /bin/bash lscr.io/linuxserver/mastodon:latest generate-active-record`

 Both of the secret generation aliases above can be run without any other setup having been carried out.
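Review bot: the new `generate-active-record` bullet leaves the following context line stale, since it still reads `Both of the secret generation aliases above can be run without any other setup having been carried out.` while there are now three aliases; change it to `All of the secret generation aliases above can be run without any other setup having been carried out.` The same sentence appears in the README.md `@@ -70,9 +70,11 @@` hunk, though README.md is presumably rendered from this file. It would also help operators to say that the command only prints the three values and that they must be supplied as the matching `ACTIVE_RECORD_ENCRYPTION_*` environment variables, because the underlying `rake db:encryption:init` task (see root/generate-active-record) prints them in Rails-credentials form rather than as environment variable names, if I recall its output correctly.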
@@ -114,6 +118,7 @@ app_setup_block: |
 # changelog
 changelogs:
+ - { date: "08.10.24:", desc: "Rebase to Alpine 3.20, enable [Active Record Encryption](https://github.com/mastodon/mastodon/pull/29831/files). Existing users should update their nginx confs to avoid http2 deprecation warnings." }
 - { date: "21.09.23:", desc: "Rebase to Alpine 3.18, migrate to s6v3." }
 - { date: "25.05.23:", desc: "Adjust apk flags." }
 - { date: "09.02.23:", desc: "Add Glitch branch." }
diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
index 68f7935..4a58758 100644
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,4 +1,4 @@
-## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-mastodon/commits/main/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2024/08/26 - Changelog: https://github.com/linuxserver/docker-mastodon/commits/main/root/defaults/nginx/site-confs/default.conf.sample

 map $http_upgrade $connection_upgrade {
 default upgrade;
@@ -18,9 +18,8 @@ proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
-
- listen 443 ssl http2 default_server;
- listen [::]:443 ssl http2 default_server;
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;

 server_name _;
diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/run b/root/etc/s6-overlay/s6-rc.d/init-adduser/run
index 565f89d..db02434 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-adduser/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-adduser/run
@@ -29,8 +29,13 @@ GID/UID
 echo "
 User UID: $(id -u abc)
 User GID: $(id -g abc)
+───────────────────────────────────────"
+if [[ -f /build_version ]]; then
+ cat /build_version
+ echo '
 ───────────────────────────────────────
-"
+ '
+fi
 lsiown abc:abc /app
 lsiown abc:abc /config
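Review bot: removing `http2` from the two `listen 443 ssl` directives silences the deprecation warning but also turns HTTP/2 off for the TLS listener, unless an `http2 on;` directive exists elsewhere in the `server` block outside this hunk. The nginx 1.25.1+ deprecation replaces the listen parameter with the server-level directive, so the intended change is to keep HTTP/2 by adding `http2 on;` after `listen [::]:443 ssl default_server;`. Because the changelog tells existing users to update their confs to match this sample, a sample that quietly downgrades them to HTTP/1.1 would propagate that regression. A comment such as `# HTTP/2 is enabled with the http2 directive (nginx >= 1.25.1); the listen parameter is deprecated` would make the intent clear to anyone diffing their conf against it.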
diff --git a/root/generate-active-record b/root/generate-active-record
new file mode 100755
index 0000000..8e47941
--- /dev/null
+++ b/root/generate-active-record
@@ -0,0 +1,6 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+cd /app/www || exit 1
+
+rake db:encryption:init
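Review bot: the bare `rake` call on the last line is inconsistent with the Dockerfile in this same commit, which now runs Rails through `bundle exec`; since the image's `PATH` appends `/app/www/bin` rather than prepending it, a system-installed rake could shadow the bundled one, so `bundle exec rake db:encryption:init` is the safer and consistent form. The script also has no header comment explaining what it emits, which matters for a secret-generation helper; add something like `# Prints a freshly generated ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY / _DETERMINISTIC_KEY / _KEY_DERIVATION_SALT set. Nothing is persisted: copy the values into the container environment.` If the task's output uses Rails-credentials key names (primary_key, deterministic_key, key_derivation_salt) rather than these environment variable names, as I recall it does, the comment should state which maps to which so operators do not swap the deterministic and primary keys.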