From 6d78d77f9af6322b9e0cbd8f5b1cfbbd39617dce Mon Sep 17 00:00:00 2001
From: thunderysteak
Date: Sun, 24 Nov 2024 21:50:33 +0000
Subject: [PATCH 1/2] Use ffmpeg from native repos instead of rpmfusion

---
 bare/vars/redhat_vars.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bare/vars/redhat_vars.yml b/bare/vars/redhat_vars.yml
index c181d62..5857a92 100644
--- a/bare/vars/redhat_vars.yml
+++ b/bare/vars/redhat_vars.yml
@@ -7,7 +7,7 @@ packages:
 - package: "make"
 - package: "curl"
 # - package: "cron" installed by default
- - package: "ffmpeg"
+ - package: "ffmpeg-free"
 - package: "file"
 - package: "gcc-c++"
 - package: "gcc"

From 10c830a276ef9eeb942af8197abc4e23ab7aac70 Mon Sep 17 00:00:00 2001
From: thunderysteak
Date: Mon, 25 Nov 2024 02:31:02 +0000
Subject: [PATCH 2/2] Utilize Corepack for Yarn, add db encryption support, bump node to v20

---
 .../web/files/mastodon/env.production.j2 | 3 +
 bare/roles/web/tasks/mastodon-postflight.yml | 57 +++++++++++++++----
 bare/roles/web/tasks/nodejs.yml | 28 ++++++---
 3 files changed, 69 insertions(+), 19 deletions(-)

diff --git a/bare/roles/web/files/mastodon/env.production.j2 b/bare/roles/web/files/mastodon/env.production.j2
index ac2e278..ef6613a 100644
--- a/bare/roles/web/files/mastodon/env.production.j2
+++ b/bare/roles/web/files/mastodon/env.production.j2
@@ -4,6 +4,9 @@ SECRET_KEY_BASE={{ secret_key_base.stdout }}
 OTP_SECRET={{ otp_secret.stdout }}
 VAPID_PRIVATE_KEY={{ vapid_private_key.stdout }}
 VAPID_PUBLIC_KEY={{ vapid_public_key.stdout }}
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{ deterministic_key.stdout }}
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{ key_derivation_salt.stdout }}
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{ primary_key.stdout }}
 DB_HOST={{ db_host }}
 DB_PORT={{ mastodon_db_port }}
 DB_NAME={{ mastodon_db }}
diff --git a/bare/roles/web/tasks/mastodon-postflight.yml b/bare/roles/web/tasks/mastodon-postflight.yml
index 296239a..a752d1f 100644
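Review bot: The three new `ACTIVE_RECORD_ENCRYPTION_*` lines render whatever `stdout` the registered tasks captured, so an empty capture (for instance a `cut` offset that no longer matches the generator's output) produces `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=` with no error and the instance comes up with an empty encryption key. Since those registers only run `when: not production_config.stat.exists`, I assume the template task is skipped when the file already exists, as the existing VAPID and OTP lines rely on the same thing; if not, `deterministic_key.stdout` is undefined and the render fails. An assert before the template is rendered, e.g. `assert: { that: "primary_key.stdout | length > 0" }` for each of the three values, would make a broken extraction fail loudly instead of writing empty secrets.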
--- a/bare/roles/web/tasks/mastodon-postflight.yml
+++ b/bare/roles/web/tasks/mastodon-postflight.yml
@@ -8,10 +8,15 @@
 args:
 chdir: "{{ mastodon_home }}/{{ mastodon_path }}"

-- name: Yarn install
- command: yarn install --pure-lockfile
+# yarn's "--pure-lockfile" has been deprecated and now throws errors
+# https://github.com/nodejs/node/issues/52732#issuecomment-2114851722
+# https://github.com/nodejs/snap/issues/26#issuecomment-1459032870
+- name: Yarn install via Corepack
+ command: corepack yarn install
 args:
 chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
+ environment:
+ PATH: "/usr/local/bin/corepack:{{ lookup('env', 'PATH') }}"

 - name: Install systemd sidekiq Service Files
 template:
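Review bot: `corepack yarn install` drops the lockfile protection the removed `--pure-lockfile` provided, so a mismatch between `package.json` and `yarn.lock` is resolved by writing a new lockfile on the host instead of failing the deploy; with Yarn 2+ the equivalent is `command: corepack yarn install --immutable`. The `environment` block also looks off on two counts: `PATH` entries are directories and `/usr/local/bin/corepack` reads like the path of the binary itself, so `/usr/local/bin` is probably what was meant, and `lookup('env', 'PATH')` is evaluated on the control node rather than the managed host, so the remote search path should come from the facts, e.g. `PATH: "/usr/local/bin:{{ ansible_env.PATH }}"`. If the npm global prefix on these hosts is not `/usr/local`, the directory needs to follow it.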
@@ -44,26 +49,49 @@
 - stat: path={{ mastodon_home }}/{{ mastodon_path }}/.env.production
 register: production_config

+# Rake has been replaced with rails
+# https://github.com/mastodon/mastodon/pull/30917
 - name: Generate SECRET_KEY_BASE secret
- shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rake secret"
+ shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails secret"
 args:
 chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
 register: secret_key_base
 when: not production_config.stat.exists

 - name: Generate OTP_SECRET secret
- shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rake secret"
+ shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails secret"
 args:
 chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
 register: otp_secret
 when: not production_config.stat.exists

 - name: "Generate VAPID key pair into {{ mastodon_home }}/{{ mastodon_path }}/vapid.tmp"
- shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rake mastodon:webpush:generate_vapid_key > {{ mastodon_home }}/{{ mastodon_path }}/vapid.tmp | head -1 | cut -c 19-"
+ shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails mastodon:webpush:generate_vapid_key > {{ mastodon_home }}/{{ mastodon_path }}/vapid.tmp"
+ args:
+ chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
+ when: not production_config.stat.exists
+
+- name: "Generate Database encryption keys into {{ mastodon_home }}/{{ mastodon_path }}/db.tmp"
+ shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails db:encryption:init > {{ mastodon_home }}/{{ mastodon_path }}/db.tmp"
 args:
 chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
 when: not production_config.stat.exists

+- name: Get ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY secret
+ shell: "cat {{ mastodon_home }}/{{ mastodon_path }}/db.tmp | head -3 | tail -1 | cut -c 44-"
+ register: deterministic_key
+ when: not production_config.stat.exists
+
+- name: Get ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT secret
+ shell: "cat {{ mastodon_home }}/{{ mastodon_path }}/db.tmp | head -4 | tail -1 | cut -c 46-"
+ register: key_derivation_salt
+ when: not production_config.stat.exists
+
+- name: Get ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY secret
+ shell: "cat {{ mastodon_home }}/{{ mastodon_path }}/db.tmp | tail -1 | cut -c 38-"
+ register: primary_key
+ when: not production_config.stat.exists
+
 - name: Get VAPID_PRIVATE_KEY secret
 shell: "cat {{ mastodon_home }}/{{ mastodon_path }}/vapid.tmp | head -1 | cut -c 19-"
 register: vapid_private_key
@@ -79,6 +107,11 @@
 path: "{{ mastodon_home }}/{{ mastodon_path }}/vapid.tmp"
 state: absent

+- name: Ensure that the file used for Database encryption keys generation is removed.
+ ansible.builtin.file:
+ path: "{{ mastodon_home }}/{{ mastodon_path }}/db.tmp"
+ state: absent
+
 - name: Install Production env file
 template:
 src: files/mastodon/env.production.j2
@@ -140,13 +173,13 @@
 #https://github.com/nodejs/node/issues/40455
 #It's possible that this is a bug with ruby 3.0.3 and gets fixed with Mastodon 4.0.0
-- name: Precompile assets with Legacy OpenSSL provider for RHEL9
- shell: "NODE_OPTIONS=--openssl-legacy-provider RAILS_ENV=production ~/.rbenv/shims/bundle exec rails assets:precompile"
- args:
- chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
- when:
- - ansible_os_family == "RedHat"
- - ansible_facts['distribution_major_version'] == "9"
+#- name: Precompile assets with Legacy OpenSSL provider for RHEL9
+# shell: "NODE_OPTIONS=--openssl-legacy-provider RAILS_ENV=production ~/.rbenv/shims/bundle exec rails assets:precompile"
+# args:
+# chdir: "{{ mastodon_home }}/{{ mastodon_path }}"
+# when:
+# - ansible_os_family == "RedHat"
+# - ansible_facts['distribution_major_version'] == "9"

 - name: Precompile assets
 shell: "RAILS_ENV=production ~/.rbenv/shims/bundle exec rails assets:precompile"
diff --git a/bare/roles/web/tasks/nodejs.yml b/bare/roles/web/tasks/nodejs.yml
index d244f0d..101b1a0 100644
--- a/bare/roles/web/tasks/nodejs.yml
+++ b/bare/roles/web/tasks/nodejs.yml
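Review bot: The three `Get ACTIVE_RECORD_ENCRYPTION_*` tasks register database encryption keys, and registered results are printed in task output and in any callback or log at `-v`, so each of them needs `no_log: true` (the older secret-generating tasks this hunk touches have the same gap). Extracting by line number and column (`head -3 | tail -1 | cut -c 44-`) also means any change in the generator's output layout yields a truncated or empty key without an error; if `db.tmp` holds `NAME=value` lines, as the offsets suggest, selecting by name is sturdier, e.g. `shell: "grep '^ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=' {{ mastodon_home }}/{{ mastodon_path }}/db.tmp | cut -d= -f2-"`, paired with `failed_when: deterministic_key.stdout | length == 0`. The `cat file | head` form can drop the `cat` while at it.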
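Review bot: `db.tmp` holds the three plaintext encryption keys inside the application directory until this removal task runs, and it is removed only if every task between `db:encryption:init` and this one succeeds; a failure in between leaves the keys on disk next to the checkout. Consider creating the file with a restrictive mode (an `umask 077` prefix on the generating `shell`, or `ansible.builtin.tempfile`) and moving this `file: state: absent` into an `always:` section of a `block` around the generate and extract tasks, so cleanup also happens on the failure path. The pre-existing `vapid.tmp` removal just above has the same lifecycle.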
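Review bot: The RHEL9 legacy-OpenSSL precompile task is commented out rather than removed, which leaves seven lines of dead YAML plus the two comment lines above it (`#https://github.com/nodejs/node/issues/40455`, `#It's possible that this is a bug …`) that now describe nothing. If the NodeJS 20 bump in this same commit is what makes the `--openssl-legacy-provider` workaround unnecessary, delete the block (history keeps it) or replace it with a one-line comment such as `# The RHEL9 legacy-OpenSSL precompile workaround was dropped with the move to NodeJS 20`. As written, the unconditional `Precompile assets` task below now runs on RHEL9 too, which I take to be the intent.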
@@ -19,30 +19,44 @@
 - ansible_facts['distribution_major_version'] == "8"
 - is_node10_enabled.stdout | bool

-- name: Enable NodeJS 16 module
+- name: Enable NodeJS 20 module
 become: yes
- shell: "dnf module enable nodejs:16 -y"
+ shell: "dnf module enable nodejs:20 -y"
 ignore_errors: true
 when:
 - ansible_os_family == "RedHat"
 - ansible_facts['distribution_major_version'] == "8"
 - is_node10_enabled.stdout | bool

-- name: Install NodeJS 16 via DNF
+- name: Install NodeJS 20 via DNF
 become: yes
 dnf:
- name: "@nodejs:16"
+ name: "@nodejs:20"
 state: present
 when:
 - ansible_os_family == "RedHat"
 - ansible_facts['distribution_major_version'] == "8"

-#RHEL9 already installs NodeJS 16 by default
+# RHEL9 installs NodeJS 16 by default, higher needed for corepack
 - name: Install NodeJS via DNF
 become: yes
 dnf:
- name: "nodejs"
+ name: "@nodejs:20"
 state: present
 when:
 - ansible_os_family == "RedHat"
- - ansible_facts['distribution_major_version'] == "9"
\ No newline at end of file
+ - ansible_facts['distribution_major_version'] == "9"
+# RHEL Distros do not bundle Corepack with NodeJS as it's Opt-in only
+# https://yarnpkg.com/corepack#installation
+- name: Install Corepack via NPM
+ become: yes
+ npm:
+ name: corepack
+ global: true
+ when:
+ - ansible_os_family == "RedHat"
+
+
+
+- name: Enable NodeJS Corepack for Yarn
+ shell: "corepack enable"
\ No newline at end of file
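Review bot: The new `Enable NodeJS Corepack for Yarn` task has no `become: yes`, although installing corepack two tasks above needed it and `corepack enable` writes shims into the node binary directory, which is normally root-owned on these hosts; it also lacks the `when: ansible_os_family == "RedHat"` guard the install task carries, so on any other family it runs against a corepack that was never installed. I would write it as `become: yes`, `command: corepack enable` with the same `when` list, and give it `changed_when: false` or a `creates:` argument so it is idempotent. `npm: name: corepack` with no `version:` installs whatever the registry serves as latest at run time, so pinning `version:` keeps the Node toolchain reproducible across hosts. The three blank lines before the task and the missing newline at end of file are worth fixing while here.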