diff --git a/data_bags/credentials/mastodon.json b/data_bags/credentials/mastodon.json
index 3eb3e7b..145f5c1 100644
--- a/data_bags/credentials/mastodon.json
+++ b/data_bags/credentials/mastodon.json
@@ -1,57 +1,80 @@ { "id": "mastodon", "paperclip_secret": { - "encrypted_data": "4IAa8NMwj25MksFkh79r/Gf0ev2bKP9g5Gbz0MZLK8JxekM9+qRSes1bZK1q\nuV+/W/KxQW22GgRCNu6heimGUTnaIM2T5oneCwikDWJPMO11ngiAKkzeJWI9\nxhecxAfCyKEZWdwTIB8U9mjDV9GhppmwjLsMdC5nzcAzGzpFfjMZVVsIhmEg\nWuPIz7GPWqn/+G8pG2Q1DR7ZFJZSVYV+ig==\n", - "iv": "TQl3HBj/eakZ9nrMygW9pg==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "orOIbqFANPCkd4sUTCyyoh4z1o6SBudgH4wKJudTo9dANaHGhWcBUFKrhZi1\nMJTBQx/d0hiDI1P2XN3h+hROCg3JJ8OClUSJH9CfN5GlbWvXh0Nhq7hqy8L3\nLAPL+uigiXI6ObrnKQoD8LeJIB46233uwaCA/7zB6gah0ExJ2DXGH6qq9JSS\nqmTFiy+hT+VHGrUo\n", + "iv": "U4E4NLYLkP0/tTTs\n", + "auth_tag": "WKQ+pDPZp7B791lhC5j3iQ==\n", + "version": 3, + "cipher": "aes-256-gcm" }, "secret_key_base": { - "encrypted_data": "hH1860J8V4LFNE2OCG8pIVJd8l3hFZ56n0xONXUd98IAmVodM1Eip5nvyQmp\ntfkzAXfKMR4hUz5Y399Gp67BCh4TLum2oTqcLBF+RFP/52ZcVLESQh+ielC0\nxfUXE5Usf1YVL/gxwbmzp2l7Gr87YIAWCcGySbbb6hK+MVyr8degIHBveF0R\nNeUfRLe0B9Y/ZZGExRej+ULiiEn+c5Fubg==\n", - "iv": "+GOTOBWPb72QWX1G1Oaf3g==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "vweClhdY8SqQkK+p0OYUL2B6Fsz5eQDpEYWCtd/eRJfwwYAObbLcMWRC6MwE\neQVMw59bOqYc3RBuv/+WPLtENazA1bYCXBXQr1J6xqjJAz0Mo6KbRyxy5n78\nv8q6RSiao1VVIUXohtFlQgWeV6x5sz34bJxjlHinKvKsgiGXiuVBxYUUfzWQ\nuzrGug09cpZBqfpc\n", + "iv": "Z0/csEBH5/X1+MR+\n", + "auth_tag": "fTvBN6eovi3JVEK0ZX97Nw==\n", + "version": 3, + "cipher": "aes-256-gcm" }, "otp_secret": { - "encrypted_data": "UZDcQYsfYJxhuaSDEFKdnC9BIryoJPWo95bbVqFcCDCQxO13iGuN5ZiZ4aUp\nRLMrT/pmnirID9qUQfSRgALR9KUTGonPwF03tO8xCvUCLCS7Y9l9fbIG9xUa\nY3c0b6xfwNLVP1fpax3iNfQSGuJMwTShZO8pCOeDxlhe67KawOw2obNeuTUG\n0wTKdxhywNntoLHnXKNqANZebKtqkcCV6A==\n", - "iv": "lMApicoykymve7hcnxx1DQ==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": 
"o1ts1bUgPIzFQXjJ2MpBMLntWkyPxDaJAaU1K3WzmNMXnw5MVlkKKCEFVccd\nPss/MwDuBkbNPhri3ZkH48m9SiayWETVYvw5GZzcVsw4TeMu915O44lfl9tX\nW3XHU+DBps1BVH9535R4X9M1aFW4W4XfwHtS5wcrZqtVhNhS3NSgE4JpN/Dz\nFdcFAOhflnt8fIAN\n", + "iv": "QLsxmIlX1NpxMyHz\n", + "auth_tag": "j1h/PvIoqshTBN5c5IaAsA==\n", + "version": 3, + "cipher": "aes-256-gcm" }, "aws_access_key_id": { - "encrypted_data": "t2B+oZZcz+EzKFO+BLSzq3oWyGRHQkxiG3NOBWs3bYctgX3Lq24xFZsne9i/\nQmLl\n", - "iv": "TU4RGm3Rl8f/wbEkwmlEvQ==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "YQHUx0GugKu0AtlbGLRGocFEhTGAghWA0DUs1Nxs4Hd3bTIp4lyM\n", + "iv": "54zt2tkQhHtpY7sO\n", + "auth_tag": "ofBJx3QDsjHe66ga3nji8g==\n", + "version": 3, + "cipher": "aes-256-gcm" }, "aws_secret_access_key": { - "encrypted_data": "ffOTmy9aiHIc9GIjuTlGkgUL4QnujC2cdeAkXpTEi+VBiYjVybrruDalXg3p\nuDZmSqnWB0sfQgNpp9sCOUqUiQ==\n", - "iv": "OnSjyXonCFrq9gGfW/t1TA==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "FAz6xZ+wsCz/KFA+DK6f4V04rxJt+9U/yXUGF9tvce0VqB3scH+T0KDDn1/n\nZ/0G0Tbxt2urRPbPUdI=\n", + "iv": "iapSpeM6lfDMIfNk\n", + "auth_tag": "HlkwUnNeJlOUrZ3ieN5xAQ==\n", + "version": 3, + "cipher": "aes-256-gcm" }, "smtp_user_name": { - "encrypted_data": "D9UXRNnvBQOICQ2nFjh+CLAazmeA/avlSuQwikDmYU0VoApXbfmPiUBLIvIF\nUtSy\n", - "iv": "nnM8YaTSWUzuVpBJOVn0rA==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "ivB09/mCRrUaz9X4NFRBiqytjgy/vxN5Nha7gopFq5eSu9v4K9MkaLRqHh1I\nYw==\n", + "iv": "a8WKhRKsUjqBtfmn\n", + "auth_tag": "ib5WJNNaO7bRIspdACmOLw==\n", + "version": 3, + "cipher": "aes-256-gcm" }, "smtp_password": { - "encrypted_data": "edFmMcnLHVEL/hpVslJj6L85WPeC7Wu3/ijTWH93pRZGCchgmcolJCK4S6//\npDz5qKG+KZX7sZLRe5PrAvnwaA==\n", - "iv": "1Nffd1NayckQDa83+LNv8w==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "FxPz2e7fUNqcAu+DDJKlqn8rcSBLmnzigTFf5moZlQ1zz4YVl6pqHisa22Qz\nbfUx9rjU\n", + "iv": "GvRlNDV/b1WawtOP\n", + "auth_tag": "kyRCGfSJQelIwThDT4iQQQ==\n", + "version": 3, + "cipher": "aes-256-gcm" 
}, "vapid_private_key": { - "encrypted_data": "VD+4vZxL1Z3FzQRyPVmowGb0qi6+zz7YCsQPTYUIbW693CKpxOtIkt+f6aXj\n95ENI4CsK4bftUC6nMwL+PK4Yw==\n", - "iv": "FE9FzilV00euQiuNxgUgvA==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "DlbEAhd+SkSJoOSuwGhd5bdFlJADnT0w4u0+6m8AJoWJjoSCGAnzzmdHWT/k\nVUDkwiBCkqmEPK0oTvxnl/a8\n", + "iv": "6e0Gay7GVrQad1rI\n", + "auth_tag": "jjVundJ/ITxP/oYgEgzElg==\n", + "version": 3, + "cipher": "aes-256-gcm" }, "vapid_public_key": { - "encrypted_data": "2Cg2XN5PCSw/O0WhwAU3KlALWh8NBThdgaeW0faIexgetFozEhLOkwiYqdNa\nK/fTYoW2fQNJLJ/jJ6CcGrgwI3V9qy6u6lJnXQDO51vdz09wXWCZKZTue7NE\n0qGUNrq4Atq9mRTNjQ8eUTImlRO+yg==\n", - "iv": "7GeDps0go/IJ7HspQUBAdg==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "+m37w/eWYqdEjsEYQw27FvQC+37ucruOFjZAjo0OgCwA0SoVz4VHX2eSA2AK\njX4CnM91cY4e/WG/ZHKlOMN1PftyQn2bdGaw35nXDanep8z0ROa01JEEi5DE\nUFRKvBmPInTeR6xvemuj7GM=\n", + "iv": "loYbGrAsWGLUZ+BK\n", + "auth_tag": "lAfpEEVQq+n7MLLm/kpmIA==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "s3_key_id": { + "encrypted_data": "4B8OQ0iVCCna4FvC+EuS5prEUWaHRm1+tzXGmFoCQ4WZfhUA1HwT3x651e/R\n", + "iv": "1/zGwcQPQQQCiXIs\n", + "auth_tag": "siK9ph1q3/VVEycy91wkqQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "s3_secret_key": { + "encrypted_data": "BSAc8dE/rQUiVvTGV6Ee/ZUDpq4HZlpoaCZ+lbQAbcnxui4ib0OTLPFwhVJ9\n4OQWahtSzkqxMc6MKWpadLT1a3oTnvnae9b3u40X5b2P3VyZYCM=\n", + "iv": "bqw8GTqLMTs5vD5n\n", + "auth_tag": "+e48L1lYVNda7VE3uLOAHA==\n", + "version": 3, + "cipher": "aes-256-gcm" } } \ No newline at end of file diff --git a/environments/production.json b/environments/production.json index 8c0e97a..16f5811 100644 --- a/environments/production.json +++ b/environments/production.json 
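Review bot: The `aws_access_key_id` and `aws_secret_access_key` items are re-encrypted and kept in this bag, although the recipe hunk later in this commit stops reading them in favour of `s3_key_id` and `s3_secret_key`. If that AWS key pair is no longer needed, it should be deactivated at the provider and both items dropped from the bag, so an unused long-lived credential does not stay decryptable by every holder of the data bag secret. Separately, the version 1 `aes-256-cbc` ciphertexts remain in repository history. Moving to version 3 `aes-256-gcm` adds an `auth_tag` for new values but, assuming the same data bag secret is still in use, does not protect the earlier ones; only rotating the underlying secrets closes that out.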
@@ -21,6 +21,10 @@ } }, "kosmos-mastodon": { + "s3_endpoint": "http://localhost:3900", + "s3_region": "garage", + "s3_bucket": "kosmos-social", + "s3_alias_host": "s3.kosmos.social", "alternate_domains": [ "mastodon.w7nooprauv6yrnhzh2ajpcnj3doinked2aaztlwfyt6u6pva2qdxqhid.onion" ] diff --git a/nodes/mastodon-3.json b/nodes/mastodon-3.json index 18e8250..e25ec48 100644 --- a/nodes/mastodon-3.json +++ b/nodes/mastodon-3.json @@ -14,6 +14,7 @@ "ipaddress": "192.168.122.161", "roles": [ "kvm_guest", + "garage_gateway", "mastodon", "postgresql_client" ], @@ -21,6 +22,9 @@ "kosmos-base", "kosmos-base::default", "kosmos_kvm::guest", + "kosmos_garage", + "kosmos_garage::default", + "kosmos_garage::firewall_rpc", "kosmos_postgresql::hostsfile", "kosmos-mastodon", "kosmos-mastodon::default", @@ -39,6 +43,8 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", + "firewall::default", + "chef-sugar::default", "kosmos-nodejs::default", "nodejs::nodejs_from_package", "nodejs::repo", @@ -55,8 +61,6 @@ "redisio::disable_os_default", "redisio::configure", "redisio::enable", - "firewall::default", - "chef-sugar::default", "nodejs::npm", "nodejs::install", "backup::default", @@ -81,6 +85,7 @@ "run_list": [ "recipe[kosmos-base]", "role[kvm_guest]", + "role[garage_gateway]", "role[mastodon]" ] } \ No newline at end of file diff --git a/site-cookbooks/kosmos-mastodon/attributes/default.rb b/site-cookbooks/kosmos-mastodon/attributes/default.rb index c3a5406..e37c84e 100644 --- a/site-cookbooks/kosmos-mastodon/attributes/default.rb +++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb 
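Review bot: `"s3_endpoint": "http://localhost:3900"` is set for the whole production environment, but it only resolves on a node that also runs the `garage_gateway` role, and this commit shows that pairing only for mastodon-3. Plain HTTP is reasonable on loopback, but the same value would carry signed requests and media in clear text if the gateway were ever moved to another host. Consider moving the endpoint to the role or node that provides the gateway. Since JSON cannot hold a comment, the requirement that it stay a loopback address unless switched to `https://` would need to be documented next to the cookbook default for `s3_endpoint`.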
@@ -8,8 +8,15 @@ node.default["kosmos-mastodon"]["server_name"] = "kosmos.social" node.default["kosmos-mastodon"]["alternate_domains"] = [] node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/0" node.default["kosmos-mastodon"]["sidekiq_threads"] = 25 + node.default["kosmos-mastodon"]["onion_address"] = nil + # Allocate this amount of RAM to the Java heap for Elasticsearch node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m" +node.default["kosmos-mastodon"]["s3_endpoint"] = nil +node.default["kosmos-mastodon"]["s3_region"] = nil +node.default["kosmos-mastodon"]["s3_bucket"] = nil +node.default["kosmos-mastodon"]["s3_alias_host"] = nil + node.override["redisio"]["version"] = "6.2.6" diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb index 2b47544..bc9abbd 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/default.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb @@ -166,10 +166,12 @@ application mastodon_path do smtp_login: mastodon_credentials['smtp_user_name'], smtp_password: mastodon_credentials['smtp_password'], smtp_from_address: "mail@#{node['kosmos-mastodon']['server_name']}", - s3_bucket: "kosmos-social", - aws_access_key_id: mastodon_credentials['aws_access_key_id'], - aws_secret_access_key: mastodon_credentials['aws_secret_access_key'], - s3_region: "eu-west-1", + s3_endpoint: node["kosmos-mastodon"]["s3_endpoint"], + s3_region: node["kosmos-mastodon"]["s3_region"], + s3_bucket: node["kosmos-mastodon"]["s3_bucket"], + s3_alias_host: node["kosmos-mastodon"]["s3_alias_host"], + aws_access_key_id: mastodon_credentials['s3_key_id'], + aws_secret_access_key: mastodon_credentials['s3_secret_key'], vapid_private_key: mastodon_credentials['vapid_private_key'], vapid_public_key: mastodon_credentials['vapid_public_key'], db_pass: postgresql_data_bag_item['mastodon_user_password'], 
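Review bot: The four `s3_*` defaults are added without a comment, unlike the Elasticsearch attribute just above them, and the `nil` default for `s3_endpoint` changes behaviour quietly. The template hunk in this commit emits the S3 block only when `s3_endpoint` is set, so an environment that does not define it no longer gets `S3_ENABLED=true` and presumably falls back to Mastodon's default media storage. I would add a comment above the group, for example `# S3-compatible media storage; leaving s3_endpoint nil omits the S3 block from .env.production`.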
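Review bot: `mastodon_credentials['s3_key_id']` and `mastodon_credentials['s3_secret_key']` are passed through with no presence check, so a data bag that lacks the new items presumably yields `nil` and renders an empty `AWS_ACCESS_KEY_ID=` line instead of failing the Chef run. A guard before the `application` block would surface that early, for example `raise "s3 credentials missing from data bag" if node["kosmos-mastodon"]["s3_endpoint"] && !(mastodon_credentials['s3_key_id'] && mastodon_credentials['s3_secret_key'])`. The `application mastodon_path do` block starts and ends outside this hunk, so the resource that writes `.env.production` is not visible here. Because that file carries these keys in clear text, it is worth confirming that the resource is declared `sensitive true` with a restrictive mode, so the values do not appear in Chef's diff output or logs.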
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb b/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb index 5fb076b..0013fc2 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb @@ -35,12 +35,16 @@ SMTP_FROM_ADDRESS=<%= @smtp_from_address %> # Serve static files (to nginx proxy) RAILS_SERVE_STATIC_FILES=true +<% if @s3_endpoint %> # S3 (optional) S3_ENABLED=true +S3_ENDPOINT=<%= @s3_endpoint %> +S3_REGION=<%= @s3_region %> S3_BUCKET=<%= @s3_bucket %> +S3_ALIAS_HOST=<%= @s3_alias_host %> AWS_ACCESS_KEY_ID=<%= @aws_access_key_id %> AWS_SECRET_ACCESS_KEY=<%= @aws_secret_access_key %> -S3_REGION=<%= @s3_region %> +<% end %> # Optional alias for S3 if you want to use Cloudfront or Cloudflare in front # S3_CLOUDFRONT_HOST=
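Review bot: The new guard `<% if @s3_endpoint %>` tests only one of the six values rendered inside it, so a node that sets `s3_endpoint` but lacks the bucket, region or credentials still gets `S3_ENABLED=true` followed by empty assignments. Failing the Chef run in the recipe when the set is incomplete is preferable to widening the condition here, because a wider `if` would silently turn S3 off. `S3_ALIAS_HOST=<%= @s3_alias_host %>` is also emitted unconditionally inside the block although its attribute default is `nil`; wrapping that line in `<% if @s3_alias_host %>` … `<% end %>` avoids writing an empty alias host. The values are interpolated into the env file unquoted, which is fine for the current attribute values but assumes they never contain whitespace or `#`.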