Fix mastodon redis to be valkey, generate active record encryption env vars for mastodon (#323)

* switch to valkey instead of redis

* fix restic password for mastodon

* update mastodon doc example

* now we generate active record encryption keys for the database for mastodon

* update mastodon_rake to be mastodon_secrets to accommodate the new generated secrets
jessebot authored Oct 22, 2024
1 parent e35a797 commit 5022532
Showing 6 changed files with 129 additions and 90 deletions.
120 changes: 60 additions & 60 deletions docs/assets/images/screenshots/help_text.svg
14 changes: 9 additions & 5 deletions docs/k8s_apps/mastodon.md
Expand Up @@ -3,7 +3,7 @@
We are mostly stable for running Mastodon on Kubernetes. Check out our [Mastodon Argo CD ApplicationSet](https://github.com/small-hack/argocd-apps/tree/main/mastodon/small-hack):

<a href="../../assets/images/screenshots/mastodon_screenshot.png">
<img src="../../assets/images/screenshots/mastodon_screenshot.png" alt="screenshot of the mastodon applicationset in Argo CD's web interface using the tree mode view. the main mastodon app has 6 child apps: mastodon-redis, mastodon-app-set with child mastodon-web-app, mastodon-external-secrets-appset with child mastodon-external-secrets, mastodon-postgres-app-set with child mastodon-postgres-cluster, mastodon-s3-provider-app-set with child mastodon-seaweedfs, and mastodon-s3-pvc-appset with child mastodon-s3-pvc.">
<img src="../../assets/images/screenshots/mastodon_screenshot.png" alt="screenshot of the mastodon applicationset in Argo CD's web interface using the tree mode view. the main mastodon app has 6 child apps: mastodon-valkey, mastodon-app-set with child mastodon-web-app, mastodon-external-secrets-appset with child mastodon-external-secrets, mastodon-postgres-app-set with child mastodon-postgres-cluster, mastodon-s3-provider-app-set with child mastodon-seaweedfs, and mastodon-s3-pvc-appset with child mastodon-s3-pvc.">
</a>

This is the networking view in Argo CD:
Expand Down Expand Up @@ -53,7 +53,7 @@ apps:
description: |
[link=https://joinmastodon.org/]Mastodon[/link] is an open source self hosted social media network.
smol-k8s-lab supports initializing mastodon, by setting up your hostname, SMTP credentials, redis credentials, postgresql credentials, and an admin user credentials. We pass all credentials as secrets in the namespace and optionally save them to Bitwarden.
smol-k8s-lab supports initializing mastodon, by setting up your hostname, SMTP credentials, valkey credentials, postgresql credentials, and an admin user credentials. We pass all credentials as secrets in the namespace and optionally save them to Bitwarden.
smol-k8s-lab also creates a local s3 endpoint and as well as S3 bucket and credentials if you enable set mastodon.argo.secret_keys.s3_provider to "minio" or "seaweedfs". Both seaweedfs and minio require you to specify a remote s3 endpoint, bucket, region, and accessID/secretKey so that we can make sure you have remote backups.
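Review bot: the rewritten description line keeps the grammatical slip "an admin user credentials" from the line it replaces; since the line is being touched anyway, drop the "an". The unchanged context line below it has the same problem in "if you enable set mastodon.argo.secret_keys.s3_provider", which should read "if you set".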
Expand Down Expand Up @@ -102,9 +102,9 @@ apps:
access_key_id:
value_from:
env: MASTODON_S3_BACKUP_ACCESS_ID
restic_repo_password:
value_from:
env: MASTODON_RESTIC_REPO_PASSWORD
restic_repo_password:
value_from:
env: MASTODON_RESTIC_REPO_PASSWORD
argo:
# secrets keys to make available to Argo CD ApplicationSets
secret_keys:
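Review bot: the removed and added `restic_repo_password` blocks are character-for-character identical here, so the fix must be indentation, which this rendering collapses. Please confirm in the raw diff that the new block sits at the same nesting level as `access_key_id` (a sibling key under the backup S3 credentials) and not under its `value_from`, because a mis-nested key is silently ignored by the YAML loader and MASTODON_RESTIC_REPO_PASSWORD would never reach the restic secret.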
Expand All @@ -119,6 +119,10 @@ apps:
# local s3 endpoint for postgresql backups, backed up constantly
s3_endpoint: ""
s3_region: eu-west-1
# size of valkey pvc storage settings
valkey_storage: 3Gi
valkey_storage_class: local-path
valkey_access_mode: ReadWriteOnce
# git repo to install the Argo CD app from
repo: https://github.com/small-hack/argocd-apps
# path in the argo repo to point to. Trailing slash very important!
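Review bot: the comment `# size of valkey pvc storage settings` covers three keys (size, storage class, access mode), which is fine, but the same block in smol_k8s_lab/config/default_config.yaml in this commit carries `# size of valkey pvc storage`; use one wording for both copies so the docs do not drift from the shipped defaults.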
2 changes: 1 addition & 1 deletion pyproject.toml
@@ -1,6 +1,6 @@
[tool.poetry]
name = "smol_k8s_lab"
version = "5.17.1"
version = "5.17.2"
description = "CLI and TUI to quickly install slimmer Kubernetes distros and then manage apps declaratively using Argo CD"
authors = ["Jesse Hitch <[email protected]>",
"Max Roby <[email protected]>"]
14 changes: 9 additions & 5 deletions smol_k8s_lab/config/default_config.yaml
Expand Up @@ -784,7 +784,7 @@ apps:
description: |
[link=https://joinmastodon.org/]Mastodon[/link] is an open source self hosted social media network.
smol-k8s-lab supports initializing mastodon, by setting up your hostname, SMTP credentials, redis credentials, postgresql credentials, and an admin user credentials. We pass all credentials as secrets in the namespace and optionally save them to Bitwarden.
smol-k8s-lab supports initializing mastodon, by setting up your hostname, SMTP credentials, valkey credentials, postgresql credentials, and an admin user credentials. We pass all credentials as secrets in the namespace and optionally save them to Bitwarden.
smol-k8s-lab also creates a local s3 endpoint and as well as S3 bucket and credentials if you enable set mastodon.argo.secret_keys.s3_provider to "minio" or "seaweedfs". Both seaweedfs and minio require you to specify a remote s3 endpoint, bucket, region, and accessID/secretKey so that we can make sure you have remote backups.
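Review bot: this description is a verbatim copy of the one in docs/k8s_apps/mastodon.md, including the "an admin user credentials" slip, and the two were edited in lock-step in this commit; either fix the grammar in both places or generate the docs copy from this file so they cannot diverge.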
Expand Down Expand Up @@ -834,9 +834,9 @@ apps:
access_key_id:
value_from:
env: MASTODON_S3_BACKUP_ACCESS_ID
restic_repo_password:
value_from:
env: MASTODON_RESTIC_REPO_PASSWORD
restic_repo_password:
value_from:
env: MASTODON_RESTIC_REPO_PASSWORD
argo:
# secrets keys to make available to Argo CD ApplicationSets
secret_keys:
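Review bot: as in the docs copy, the removed and added `restic_repo_password` lines are identical once whitespace is collapsed, so this is an indentation-only fix. Verify that the new nesting places `restic_repo_password` beside `access_key_id` rather than under its `value_from`; a misplaced key raises no error, the password simply never gets read from MASTODON_RESTIC_REPO_PASSWORD, and backups would be created with whatever restic falls back to.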
Expand All @@ -851,6 +851,10 @@ apps:
# local s3 endpoint for postgresql backups, backed up constantly
s3_endpoint: ""
s3_region: eu-west-1
# size of valkey pvc storage
valkey_storage: 3Gi
valkey_storage_class: local-path
valkey_access_mode: ReadWriteOnce
# git repo to install the Argo CD app from
repo: https://github.com/small-hack/argocd-apps
# path in the argo repo to point to. Trailing slash very important!
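Review bot: `# size of valkey pvc storage` describes only the first of the three new keys; `valkey_storage_class` and `valkey_access_mode` are not sizes, so reword to match the docs copy ("pvc storage settings"). Separately, `local-path` as the default storage class is fine for the slim distros this tool targets (per the pyproject description) but will leave the valkey PVC pending on a cluster without that provisioner, so the docs should say it is expected to be overridden.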
Expand Down Expand Up @@ -1195,7 +1199,7 @@ apps:
description: |
[link=https://nextcloud.com/]Nextcloud Hub[/link] is the industry-leading, fully open-source, on-premises content collaboration platform. Teams access, share and edit their documents, chat and participate in video calls and manage their mail and calendar and projects across mobile, desktop and web interfaces
smol-k8s-lab supports initialization by setting up your admin username, password, and SMTP username and password, as well as your redis and postgresql credentials.
smol-k8s-lab supports initialization by setting up your admin username, password, and SMTP username and password, as well as your redis (or valkey) and postgresql credentials.
To avoid providing sensitive values everytime you run smol-k8s-lab, consider exporting the following environment variables before running smol-k8s-lab:
- NEXTCLOUD_SMTP_PASSWORD
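Review bot: the changed line now says "redis (or valkey)" for Nextcloud while the Mastodon description in the same file says "valkey" only, which is consistent with only Mastodon being switched in this commit. The unchanged context line below it has "everytime", which should be "every time".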
47 changes: 31 additions & 16 deletions smol_k8s_lab/k8s_apps/social/mastodon.py
@@ -1,7 +1,7 @@
# internal libraries
from smol_k8s_lab.bitwarden.bw_cli import BwCLI, create_custom_field
from smol_k8s_lab.k8s_apps.operators.minio import create_minio_alias, BetterMinio
from smol_k8s_lab.k8s_apps.social.mastodon_rake import generate_rake_secrets
from smol_k8s_lab.k8s_apps.social.mastodon_secrets import generate_mastodon_secrets
from smol_k8s_lab.k8s_tools.argocd_util import ArgoCD
from smol_k8s_lab.k8s_tools.restores import restore_seaweedfs, restore_cnpg_cluster
from smol_k8s_lab.utils.passwords import create_password
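Review bot: the import is switched to `generate_mastodon_secrets` from the renamed `mastodon_secrets` module, but the `if __name__ == '__main__':` block at the bottom of that module is not shown in this diff; make sure it, and any other caller of `generate_rake_secrets`, was updated, since the old name no longer exists after this commit.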
Expand Down Expand Up @@ -81,7 +81,7 @@ def configure_mastodon(argocd: ArgoCD,
mail_pass = extract_secret(init_values.get('smtp_password'))

# main mastodon rake secrets
rake_secrets = generate_rake_secrets()
rake_secrets = generate_mastodon_secrets()

# configure s3 credentials
s3_access_id = 'mastodon'
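Review bot: the call now goes to `generate_mastodon_secrets()` but the result is still stored as `rake_secrets` under the comment `# main mastodon rake secrets`, and three of the values it now returns come from `rails db:encryption:init`, not rake; rename the variable (and the comment, and the `# mastodon rake secrets` comment further down) to `mastodon_secrets` so the next reader is not misled.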
Expand Down Expand Up @@ -125,10 +125,10 @@ def configure_mastodon(argocd: ArgoCD,
{"password": mastodon_pgsql_password,
'postrgesPassword': mastodon_pgsql_password})

# redis creds k8s secret
mastodon_redis_password = create_password()
argocd.k8s.create_secret('mastodon-redis-credentials', 'mastodon',
{"password": mastodon_redis_password})
# valkey creds k8s secret
mastodon_valkey_password = create_password()
argocd.k8s.create_secret('mastodon-valkey-credentials', 'mastodon',
{"password": mastodon_valkey_password})

# mastodon rake secrets
argocd.k8s.create_secret('mastodon-server-secrets', 'mastodon',
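Review bot: the Kubernetes secret is renamed from `mastodon-redis-credentials` to `mastodon-valkey-credentials` but nothing deletes the old one, so an upgraded install keeps a stale secret with a live-looking password in the mastodon namespace; add a best-effort delete of the old name (or a migration note), since forgotten credential objects are exactly what turns up during later triage.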
Expand Down Expand Up @@ -226,8 +226,8 @@ def refresh_bweso(argocd: ArgoCD,
f"mastodon-elasticsearch-credentials-{mastodon_hostname}", False
)[0]['id']

redis_id = bitwarden.get_item(
f"mastodon-redis-credentials-{mastodon_hostname}", False
valkey_id = bitwarden.get_item(
f"mastodon-valkey-credentials-{mastodon_hostname}", False
)[0]['id']

smtp_id = bitwarden.get_item(
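Review bot: `bitwarden.get_item(f"mastodon-valkey-credentials-{mastodon_hostname}", False)[0]['id']` raises an unhelpful IndexError on any vault that still holds the item under its old `mastodon-redis-credentials-` name, which is every install created before this commit; either fall back to the old name or raise a clear error telling the user to rename the vault item.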
Expand Down Expand Up @@ -258,7 +258,7 @@ def refresh_bweso(argocd: ArgoCD,
argocd.update_appset_secret(
{'mastodon_smtp_credentials_bitwarden_id': smtp_id,
'mastodon_postgres_credentials_bitwarden_id': db_id,
'mastodon_redis_bitwarden_id': redis_id,
'mastodon_valkey_bitwarden_id': valkey_id,
'mastodon_s3_admin_credentials_bitwarden_id': s3_admin_id,
'mastodon_s3_postgres_credentials_bitwarden_id': s3_db_id,
'mastodon_s3_mastodon_credentials_bitwarden_id': s3_id,
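Review bot: renaming the key `mastodon_redis_bitwarden_id` to `mastodon_valkey_bitwarden_id` in the dict passed to `update_appset_secret` means the old key is no longer written, but whether it is removed from the existing appset secret or left behind depends on that helper's semantics; confirm which, and state it in the commit message, because a stale `mastodon_redis_bitwarden_id` pointing at an orphaned vault item is easy to miss.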
Expand Down Expand Up @@ -353,13 +353,13 @@ def setup_bitwarden_items(argocd: ArgoCD,
fields=[postrges_pass_obj]
)

# Redis credentials
mastodon_redis_password = bitwarden.generate()
redis_id = bitwarden.create_login(
name='mastodon-redis-credentials',
# valkey credentials
mastodon_valkey_password = bitwarden.generate()
valkey_id = bitwarden.create_login(
name='mastodon-valkey-credentials',
item_url=mastodon_hostname,
user='mastodon',
password=mastodon_redis_password
password=mastodon_valkey_password
)

# SMTP credentials
Expand Down Expand Up @@ -400,6 +400,18 @@ def setup_bitwarden_items(argocd: ArgoCD,
"VAPID_PRIVATE_KEY",
rake_secrets['VAPID_PRIVATE_KEY']
)
active_record_encryption_deterministic_obj = create_custom_field(
"ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY",
rake_secrets['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY']
)
active_record_encryption_derivation_obj = create_custom_field(
"ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT",
rake_secrets['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT']
)
active_record_encryption_primary_obj = create_custom_field(
"ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY",
rake_secrets['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY']
)

secrets_id = bitwarden.create_login(
name='mastodon-server-secrets',
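Review bot: naming: `active_record_encryption_derivation_obj` holds ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT, so `active_record_encryption_key_derivation_salt_obj` (or a consistently shortened scheme for all three) reads better. Also check whether `create_custom_field` creates these as hidden fields; together these three values decrypt every Active Record encrypted column in the Mastodon database, so they should not render in clear in the vault UI any more than the OTP secret does.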
Expand All @@ -410,7 +422,10 @@ def setup_bitwarden_items(argocd: ArgoCD,
secret_key_base_obj,
otp_secret_obj,
vapid_priv_key_obj,
vapid_pub_key_obj
vapid_pub_key_obj,
active_record_encryption_primary_obj,
active_record_encryption_derivation_obj,
active_record_encryption_deterministic_obj
]
)

Expand All @@ -419,7 +434,7 @@ def setup_bitwarden_items(argocd: ArgoCD,
argocd.update_appset_secret(
{'mastodon_smtp_credentials_bitwarden_id': smtp_id,
'mastodon_postgres_credentials_bitwarden_id': db_id,
'mastodon_redis_bitwarden_id': redis_id,
'mastodon_valkey_bitwarden_id': valkey_id,
'mastodon_s3_admin_credentials_bitwarden_id': s3_admin_id,
'mastodon_s3_postgres_credentials_bitwarden_id': s3_db_id,
'mastodon_s3_mastodon_credentials_bitwarden_id': s3_id,
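Review bot: the same rename is applied here as in `refresh_bweso`, and the two dict literals passed to `update_appset_secret` are now identical copies; build the dict in one helper so the next key rename cannot be applied to one call site and forgotten in the other.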
smol_k8s_lab/k8s_apps/social/mastodon_secrets.py (renamed from mastodon_rake.py)
@@ -1,11 +1,11 @@
#!/usr/bin/env python
"""
"""
This is just for generating mastodon rake secrets and testing on the cli
"""
from smol_k8s_lab.utils.run.subproc import subproc


def generate_rake_secrets() -> None:
def generate_mastodon_secrets() -> None:
"""
These are required for mastodon:
https://docs.joinmastodon.org/admin/config/#secrets
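Review bot: `generate_mastodon_secrets` is annotated `-> None` but the function ends with `return final_dict` (visible further down in this file), and the callers in mastodon.py index the result; change the annotation to `-> dict[str, str]`. The module docstring also still says "rake secrets" although three of the keys now come from `rails db:encryption:init`.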
Expand All @@ -21,11 +21,20 @@ def generate_rake_secrets() -> None:
VAPID_PUBLIC_KEY Generate with rake mastodon:webpush:generate_vapid_key.
Changing it will break push notifications.
these are all generated with rails db:encryption:init
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
"""
final_dict = {"SECRET_KEY_BASE": "",
"OTP_SECRET": "",
"VAPID_PRIVATE_KEY": "",
"VAPID_PUBLIC_KEY": ""}
"VAPID_PUBLIC_KEY": "",
"ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY": "",
"ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT": "",
"ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY": ""
}

# we use docker to generate all of these
base_cmd = "docker run docker.io/tootsuite/mastodon:latest rake"
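Review bot: the new docstring line "these are all generated with rails db:encryption:init" is appended directly under the VAPID_PUBLIC_KEY entry without a blank line or capital, so it reads as part of the VAPID description; separate it and format the three keys like the entries above (key, how it is generated, what breaks if it changes). For these keys the consequence is worth spelling out: if ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY is replaced without keeping the previous key, existing encrypted columns can no longer be decrypted.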
Expand All @@ -42,6 +51,13 @@ def generate_rake_secrets() -> None:
final_dict['VAPID_PRIVATE_KEY'] = vapid_keys[0].split("=")[1]
final_dict['VAPID_PUBLIC_KEY'] = vapid_keys[1].split("=")[1]

db_crypt_cmd = "docker run docker.io/tootsuite/mastodon:latest rails db:encryption:init"
crypt_env = subproc([db_crypt_cmd]).split('\n')
print(crypt_env)
final_dict['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'] = crypt_env[2].split("=")[1]
final_dict['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'] = crypt_env[3].split("=")[1]
final_dict['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'] = crypt_env[4].split("=")[1]

return final_dict

if __name__ == '__main__':
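Review bot: `print(crypt_env)` dumps the three freshly generated Active Record encryption keys to stdout, where they end up in terminal scrollback and any CI or TUI log; remove it before merge (the VAPID block above does not print). The parsing is also fragile: `crypt_env[2]`, `[3]` and `[4]` hard-code the line positions of the `rails db:encryption:init` output, so a banner, warning or reordering in a future image silently assigns the wrong value to the wrong key with no error, and `split("=")[1]` truncates any value that itself contains "=". Parse by key name instead, e.g. `for line in crypt_env:` / `key, sep, value = line.strip().partition("=")` / `if sep and key in final_dict: final_dict[key] = value`, and raise if any of the three is still empty afterwards. Finally, `docker run docker.io/tootsuite/mastodon:latest` (same as `base_cmd` above) is unpinned and lacks `--rm`, so each run leaves a stopped container behind and the key material is generated by whatever `latest` resolved to that day; pin a tag or digest.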
