Merge pull request 'Migrate Mastodon S3 from AWS to Garage' (#458) from feature/22-mastodon_s3 into master

Reviewed-on: #458

data_bags/credentials/mastodon.json

@@ -1,57 +1,80 @@
 {
   "id": "mastodon",
   "paperclip_secret": {
-    "encrypted_data": "4IAa8NMwj25MksFkh79r/Gf0ev2bKP9g5Gbz0MZLK8JxekM9+qRSes1bZK1q\nuV+/W/KxQW22GgRCNu6heimGUTnaIM2T5oneCwikDWJPMO11ngiAKkzeJWI9\nxhecxAfCyKEZWdwTIB8U9mjDV9GhppmwjLsMdC5nzcAzGzpFfjMZVVsIhmEg\nWuPIz7GPWqn/+G8pG2Q1DR7ZFJZSVYV+ig==\n",
-    "iv": "TQl3HBj/eakZ9nrMygW9pg==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "orOIbqFANPCkd4sUTCyyoh4z1o6SBudgH4wKJudTo9dANaHGhWcBUFKrhZi1\nMJTBQx/d0hiDI1P2XN3h+hROCg3JJ8OClUSJH9CfN5GlbWvXh0Nhq7hqy8L3\nLAPL+uigiXI6ObrnKQoD8LeJIB46233uwaCA/7zB6gah0ExJ2DXGH6qq9JSS\nqmTFiy+hT+VHGrUo\n",
+    "iv": "U4E4NLYLkP0/tTTs\n",
+    "auth_tag": "WKQ+pDPZp7B791lhC5j3iQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "secret_key_base": {
-    "encrypted_data": "hH1860J8V4LFNE2OCG8pIVJd8l3hFZ56n0xONXUd98IAmVodM1Eip5nvyQmp\ntfkzAXfKMR4hUz5Y399Gp67BCh4TLum2oTqcLBF+RFP/52ZcVLESQh+ielC0\nxfUXE5Usf1YVL/gxwbmzp2l7Gr87YIAWCcGySbbb6hK+MVyr8degIHBveF0R\nNeUfRLe0B9Y/ZZGExRej+ULiiEn+c5Fubg==\n",
-    "iv": "+GOTOBWPb72QWX1G1Oaf3g==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "vweClhdY8SqQkK+p0OYUL2B6Fsz5eQDpEYWCtd/eRJfwwYAObbLcMWRC6MwE\neQVMw59bOqYc3RBuv/+WPLtENazA1bYCXBXQr1J6xqjJAz0Mo6KbRyxy5n78\nv8q6RSiao1VVIUXohtFlQgWeV6x5sz34bJxjlHinKvKsgiGXiuVBxYUUfzWQ\nuzrGug09cpZBqfpc\n",
+    "iv": "Z0/csEBH5/X1+MR+\n",
+    "auth_tag": "fTvBN6eovi3JVEK0ZX97Nw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "otp_secret": {
-    "encrypted_data": "UZDcQYsfYJxhuaSDEFKdnC9BIryoJPWo95bbVqFcCDCQxO13iGuN5ZiZ4aUp\nRLMrT/pmnirID9qUQfSRgALR9KUTGonPwF03tO8xCvUCLCS7Y9l9fbIG9xUa\nY3c0b6xfwNLVP1fpax3iNfQSGuJMwTShZO8pCOeDxlhe67KawOw2obNeuTUG\n0wTKdxhywNntoLHnXKNqANZebKtqkcCV6A==\n",
-    "iv": "lMApicoykymve7hcnxx1DQ==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "o1ts1bUgPIzFQXjJ2MpBMLntWkyPxDaJAaU1K3WzmNMXnw5MVlkKKCEFVccd\nPss/MwDuBkbNPhri3ZkH48m9SiayWETVYvw5GZzcVsw4TeMu915O44lfl9tX\nW3XHU+DBps1BVH9535R4X9M1aFW4W4XfwHtS5wcrZqtVhNhS3NSgE4JpN/Dz\nFdcFAOhflnt8fIAN\n",
+    "iv": "QLsxmIlX1NpxMyHz\n",
+    "auth_tag": "j1h/PvIoqshTBN5c5IaAsA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "aws_access_key_id": {
-    "encrypted_data": "t2B+oZZcz+EzKFO+BLSzq3oWyGRHQkxiG3NOBWs3bYctgX3Lq24xFZsne9i/\nQmLl\n",
-    "iv": "TU4RGm3Rl8f/wbEkwmlEvQ==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "YQHUx0GugKu0AtlbGLRGocFEhTGAghWA0DUs1Nxs4Hd3bTIp4lyM\n",
+    "iv": "54zt2tkQhHtpY7sO\n",
+    "auth_tag": "ofBJx3QDsjHe66ga3nji8g==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "aws_secret_access_key": {
-    "encrypted_data": "ffOTmy9aiHIc9GIjuTlGkgUL4QnujC2cdeAkXpTEi+VBiYjVybrruDalXg3p\nuDZmSqnWB0sfQgNpp9sCOUqUiQ==\n",
-    "iv": "OnSjyXonCFrq9gGfW/t1TA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "FAz6xZ+wsCz/KFA+DK6f4V04rxJt+9U/yXUGF9tvce0VqB3scH+T0KDDn1/n\nZ/0G0Tbxt2urRPbPUdI=\n",
+    "iv": "iapSpeM6lfDMIfNk\n",
+    "auth_tag": "HlkwUnNeJlOUrZ3ieN5xAQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "smtp_user_name": {
-    "encrypted_data": "D9UXRNnvBQOICQ2nFjh+CLAazmeA/avlSuQwikDmYU0VoApXbfmPiUBLIvIF\nUtSy\n",
-    "iv": "nnM8YaTSWUzuVpBJOVn0rA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "ivB09/mCRrUaz9X4NFRBiqytjgy/vxN5Nha7gopFq5eSu9v4K9MkaLRqHh1I\nYw==\n",
+    "iv": "a8WKhRKsUjqBtfmn\n",
+    "auth_tag": "ib5WJNNaO7bRIspdACmOLw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "smtp_password": {
-    "encrypted_data": "edFmMcnLHVEL/hpVslJj6L85WPeC7Wu3/ijTWH93pRZGCchgmcolJCK4S6//\npDz5qKG+KZX7sZLRe5PrAvnwaA==\n",
-    "iv": "1Nffd1NayckQDa83+LNv8w==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "FxPz2e7fUNqcAu+DDJKlqn8rcSBLmnzigTFf5moZlQ1zz4YVl6pqHisa22Qz\nbfUx9rjU\n",
+    "iv": "GvRlNDV/b1WawtOP\n",
+    "auth_tag": "kyRCGfSJQelIwThDT4iQQQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "vapid_private_key": {
-    "encrypted_data": "VD+4vZxL1Z3FzQRyPVmowGb0qi6+zz7YCsQPTYUIbW693CKpxOtIkt+f6aXj\n95ENI4CsK4bftUC6nMwL+PK4Yw==\n",
-    "iv": "FE9FzilV00euQiuNxgUgvA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "DlbEAhd+SkSJoOSuwGhd5bdFlJADnT0w4u0+6m8AJoWJjoSCGAnzzmdHWT/k\nVUDkwiBCkqmEPK0oTvxnl/a8\n",
+    "iv": "6e0Gay7GVrQad1rI\n",
+    "auth_tag": "jjVundJ/ITxP/oYgEgzElg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "vapid_public_key": {
-    "encrypted_data": "2Cg2XN5PCSw/O0WhwAU3KlALWh8NBThdgaeW0faIexgetFozEhLOkwiYqdNa\nK/fTYoW2fQNJLJ/jJ6CcGrgwI3V9qy6u6lJnXQDO51vdz09wXWCZKZTue7NE\n0qGUNrq4Atq9mRTNjQ8eUTImlRO+yg==\n",
-    "iv": "7GeDps0go/IJ7HspQUBAdg==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "+m37w/eWYqdEjsEYQw27FvQC+37ucruOFjZAjo0OgCwA0SoVz4VHX2eSA2AK\njX4CnM91cY4e/WG/ZHKlOMN1PftyQn2bdGaw35nXDanep8z0ROa01JEEi5DE\nUFRKvBmPInTeR6xvemuj7GM=\n",
+    "iv": "loYbGrAsWGLUZ+BK\n",
+    "auth_tag": "lAfpEEVQq+n7MLLm/kpmIA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_key_id": {
+    "encrypted_data": "4B8OQ0iVCCna4FvC+EuS5prEUWaHRm1+tzXGmFoCQ4WZfhUA1HwT3x651e/R\n",
+    "iv": "1/zGwcQPQQQCiXIs\n",
+    "auth_tag": "siK9ph1q3/VVEycy91wkqQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_secret_key": {
+    "encrypted_data": "BSAc8dE/rQUiVvTGV6Ee/ZUDpq4HZlpoaCZ+lbQAbcnxui4ib0OTLPFwhVJ9\n4OQWahtSzkqxMc6MKWpadLT1a3oTnvnae9b3u40X5b2P3VyZYCM=\n",
+    "iv": "bqw8GTqLMTs5vD5n\n",
+    "auth_tag": "+e48L1lYVNda7VE3uLOAHA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   }
 }

environments/production.json

@@ -21,6 +21,10 @@
       }
     },
     "kosmos-mastodon": {
+      "s3_endpoint": "http://localhost:3900",
+      "s3_region": "garage",
+      "s3_bucket": "kosmos-social",
+      "s3_alias_host": "s3.kosmos.social",
       "alternate_domains": [
         "mastodon.w7nooprauv6yrnhzh2ajpcnj3doinked2aaztlwfyt6u6pva2qdxqhid.onion"
       ]

nodes/mastodon-3.json

@@ -14,6 +14,7 @@
     "ipaddress": "192.168.122.161",
     "roles": [
       "kvm_guest",
+      "garage_gateway",
       "mastodon",
       "postgresql_client"
     ],
@@ -21,6 +22,9 @@
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
       "kosmos_postgresql::hostsfile",
       "kosmos-mastodon",
       "kosmos-mastodon::default",
@@ -39,6 +43,8 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
+      "firewall::default",
+      "chef-sugar::default",
       "kosmos-nodejs::default",
       "nodejs::nodejs_from_package",
       "nodejs::repo",
@@ -55,8 +61,6 @@
       "redisio::disable_os_default",
       "redisio::configure",
       "redisio::enable",
-      "firewall::default",
-      "chef-sugar::default",
       "nodejs::npm",
       "nodejs::install",
       "backup::default",
@@ -81,6 +85,7 @@
   "run_list": [
     "recipe[kosmos-base]",
     "role[kvm_guest]",
+    "role[garage_gateway]",
     "role[mastodon]"
   ]
 }

site-cookbooks/kosmos-mastodon/attributes/default.rb

@@ -8,8 +8,15 @@ node.default["kosmos-mastodon"]["server_name"]       = "kosmos.social"
 node.default["kosmos-mastodon"]["alternate_domains"] = []
 node.default["kosmos-mastodon"]["redis_url"]         = "redis://localhost:6379/0"
 node.default["kosmos-mastodon"]["sidekiq_threads"]   = 25
+
 node.default["kosmos-mastodon"]["onion_address"]     = nil
+
 # Allocate this amount of RAM to the Java heap for Elasticsearch
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
 
+node.default["kosmos-mastodon"]["s3_endpoint"]   = nil
+node.default["kosmos-mastodon"]["s3_region"]     = nil
+node.default["kosmos-mastodon"]["s3_bucket"]     = nil
+node.default["kosmos-mastodon"]["s3_alias_host"] = nil
+
 node.override["redisio"]["version"] = "6.2.6"

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -166,10 +166,12 @@ application mastodon_path do
               smtp_login: mastodon_credentials['smtp_user_name'],
               smtp_password: mastodon_credentials['smtp_password'],
               smtp_from_address: "mail@#{node['kosmos-mastodon']['server_name']}",
-              s3_bucket: "kosmos-social",
-              aws_access_key_id: mastodon_credentials['aws_access_key_id'],
-              aws_secret_access_key: mastodon_credentials['aws_secret_access_key'],
-              s3_region: "eu-west-1",
+              s3_endpoint: node["kosmos-mastodon"]["s3_endpoint"],
+              s3_region: node["kosmos-mastodon"]["s3_region"],
+              s3_bucket: node["kosmos-mastodon"]["s3_bucket"],
+              s3_alias_host: node["kosmos-mastodon"]["s3_alias_host"],
+              aws_access_key_id: mastodon_credentials['s3_key_id'],
+              aws_secret_access_key: mastodon_credentials['s3_secret_key'],
               vapid_private_key: mastodon_credentials['vapid_private_key'],
               vapid_public_key: mastodon_credentials['vapid_public_key'],
               db_pass: postgresql_data_bag_item['mastodon_user_password'],

site-cookbooks/kosmos-mastodon/templates/default/env.production.erb

@@ -35,12 +35,16 @@ SMTP_FROM_ADDRESS=<%= @smtp_from_address %>
 # Serve static files (to nginx proxy)
 RAILS_SERVE_STATIC_FILES=true
 
+<% if @s3_endpoint %>
 # S3 (optional)
 S3_ENABLED=true
+S3_ENDPOINT=<%= @s3_endpoint %>
+S3_REGION=<%= @s3_region %>
 S3_BUCKET=<%= @s3_bucket %>
+S3_ALIAS_HOST=<%= @s3_alias_host %>
 AWS_ACCESS_KEY_ID=<%= @aws_access_key_id %>
 AWS_SECRET_ACCESS_KEY=<%= @aws_secret_access_key %>
-S3_REGION=<%= @s3_region %>
+<% end %>
 
 # Optional alias for S3 if you want to use Cloudfront or Cloudflare in front
 # S3_CLOUDFRONT_HOST=