Fixing deployment

widdix · Oct 9, 2024 · 13f6768 · 13f6768
1 parent 7d6afa6
commit 13f6768
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -36,5 +36,8 @@ jobs:
         VAPID_PRIVATE_KEY=$(aws ssm get-parameter --name /mastodon/prod/vapid_private_key --with-decryption --query Parameter.Value --output text)
         VAPID_PUBLIC_KEY=$(aws ssm get-parameter --name /mastodon/prod/vapid_public_key --with-decryption --query Parameter.Value --output text)
         ALERTING_HTTPS_ENDPOINT=$(aws ssm get-parameter --name /mastodon/prod/alerting_https_endpoint --with-decryption --query Parameter.Value --output text)
+        ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=$(aws ssm get-parameter --name /mastodon/prod/active_record_encryption_deterministic_key --with-decryption --query Parameter.Value --output text)
+        ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=$(aws ssm get-parameter --name /mastodon/prod/active_record_encryption_key_derivation_salt --with-decryption --query Parameter.Value --output text)
+        ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=$(aws ssm get-parameter --name /mastodon/prod/active_record_encryption_primary_key --with-decryption --query Parameter.Value --output text)
         aws cloudformation package --template-file mastodon.yaml --s3-bucket cloudformation-widdix-mastodon --output-template-file packaged.yml
-        aws cloudformation deploy --template-file packaged.yml --stack-name cloudonaut-mastodon --capabilities CAPABILITY_IAM --parameter-overrides "DomainName=${DOMAIN_NAME}" "SecretKeyBase=${SECRET_KEY_BASE}" "OtpSecret=${OTP_SECRET}" "VapidPrivateKey=${VAPID_PRIVATE_KEY}" "VapidPublicKey=${VAPID_PUBLIC_KEY}" "AlertingHttpsEndpoint=${ALERTING_HTTPS_ENDPOINT}" "Spot=true" "DatabaseAllocatedStorage=10" "ContainerInsights=disabled" "DatabaseBackupRetentionPeriod=7"
+        aws cloudformation deploy --template-file packaged.yml --stack-name cloudonaut-mastodon --capabilities CAPABILITY_IAM --parameter-overrides "DomainName=${DOMAIN_NAME}" "SecretKeyBase=${SECRET_KEY_BASE}" "OtpSecret=${OTP_SECRET}" "VapidPrivateKey=${VAPID_PRIVATE_KEY}" "VapidPublicKey=${VAPID_PUBLIC_KEY}" "AlertingHttpsEndpoint=${ALERTING_HTTPS_ENDPOINT}" "ActiveRecordEncryptionDeterministicKey=${ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY}" "ActiveRecordEncryptionKeyDerivationSalt=ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT" "ActiveRecordEncryptionPrimaryKey=ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY" "Spot=true" "DatabaseAllocatedStorage=10" "ContainerInsights=disabled" "DatabaseBackupRetentionPeriod=7"
diff --git a/README.md b/README.md
@@ -52,6 +52,12 @@ c528b5cbb0236e4b0c2fe38a6d7ed1edc5fa12608c67a45690e225f005bad8bfbabfa99f7b83cb9c
 $ bundle exec rake mastodon:webpush:generate_vapid_key
 VAPID_PRIVATE_KEY=am3vlPBGQGv7Rl3xOKXSv7lRYyWfZITItb88FXX9IOs=
 VAPID_PUBLIC_KEY=BMGkIr1PaK4v7Kut7q7eoHtWxu9gEBQ5BeV28xOIR9c9VIvDWvOViTn1SV5G2LIEFGWo0f1dQka-UynR58WMn2Y=
+
+# Generate ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY, ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT, and ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+$ bundle exec rake db:encryption:init
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=V2FgMcCXJDCBythgGzWvhIDqiA8TUr2k
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=otljXH8L0xL1sPwyfOTHGCk5r6uohkCM
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=JnC6I2X2iTVfiu2KNRThvc3fSJnJhCOH
 ```
 
 ### Configure the domain name

diff --git a/mastodon.yaml b/mastodon.yaml
@@ -21,6 +21,18 @@ Parameters:
     Description: 'Mastodon config VAPID_PUBLIC_KEY (README explains how to gennerate the key)'
     Type: String
     NoEcho: true
+  ActiveRecordEncryptionDeterministicKey:
+    Description: 'Mastodon config ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY (README explains how to gennerate the key)'
+    Type: String
+    NoEcho: true
+  ActiveRecordEncryptionKeyDerivationSalt:
+    Description: 'Mastodon config ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT (README explains how to gennerate the key)'
+    Type: String
+    NoEcho: true
+  ActiveRecordEncryptionPrimaryKey:
+    Description: 'Mastodon config ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY (README explains how to gennerate the key)'
+    Type: String
+    NoEcho: true
   Spot:
     Description: 'Reduce costs and decrease availability by running on Fargate Spot?'
     Type: String
@@ -208,6 +220,12 @@ Resources:
         AppEnvironment21Value: !GetAtt 'CloudFront.Outputs.DistributionDomainName'
         AppEnvironment22Key: 'S3_PERMISSION'
         AppEnvironment22Value: 'private'
+        AppEnvironment23Key: 'ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'
+        AppEnvironment23Value: !Ref ActiveRecordEncryptionDeterministicKey
+        AppEnvironment24Key: 'ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'
+        AppEnvironment24Value: !Ref ActiveRecordEncryptionKeyDerivationSalt
+        AppEnvironment25Key: 'ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'
+        AppEnvironment25Value: !Ref ActiveRecordEncryptionPrimaryKey
         Cpu: '0.5'
         Memory: '1'
         DesiredCount: '1'
@@ -283,6 +301,12 @@ Resources:
         AppEnvironment21Value: !GetAtt 'CloudFront.Outputs.DistributionDomainName'
         AppEnvironment22Key: 'S3_PERMISSION'
         AppEnvironment22Value: 'private'
+        AppEnvironment23Key: 'ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'
+        AppEnvironment23Value: !Ref ActiveRecordEncryptionDeterministicKey
+        AppEnvironment24Key: 'ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'
+        AppEnvironment24Value: !Ref ActiveRecordEncryptionKeyDerivationSalt
+        AppEnvironment25Key: 'ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'
+        AppEnvironment25Value: !Ref ActiveRecordEncryptionPrimaryKey
         Cpu: '0.25'
         Memory: '0.5'
         DesiredCount: '1'
@@ -356,6 +380,12 @@ Resources:
         AppEnvironment21Value: !GetAtt 'CloudFront.Outputs.DistributionDomainName'
         AppEnvironment22Key: 'S3_PERMISSION'
         AppEnvironment22Value: 'private'
+        AppEnvironment23Key: 'ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'
+        AppEnvironment23Value: !Ref ActiveRecordEncryptionDeterministicKey
+        AppEnvironment24Key: 'ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'
+        AppEnvironment24Value: !Ref ActiveRecordEncryptionKeyDerivationSalt
+        AppEnvironment25Key: 'ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'
+        AppEnvironment25Value: !Ref ActiveRecordEncryptionPrimaryKey
         Cpu: '0.25'
         Memory: '1'
         DesiredCount: '1'
@@ -429,6 +459,12 @@ Resources:
         AppEnvironment21Value: !GetAtt 'CloudFront.Outputs.DistributionDomainName'
         AppEnvironment22Key: 'S3_PERMISSION'
         AppEnvironment22Value: 'private'
+        AppEnvironment23Key: 'ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'
+        AppEnvironment23Value: !Ref ActiveRecordEncryptionDeterministicKey
+        AppEnvironment24Key: 'ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'
+        AppEnvironment24Value: !Ref ActiveRecordEncryptionKeyDerivationSalt
+        AppEnvironment25Key: 'ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'
+        AppEnvironment25Value: !Ref ActiveRecordEncryptionPrimaryKey
         Cpu: '1'
         Memory: '2'
         LogsRetentionInDays: '14'