From 13f6768bcdb8e0e2793339a645b4c9950d3cf021 Mon Sep 17 00:00:00 2001
From: Andreas Wittig
Date: Wed, 9 Oct 2024 14:29:50 +0200
Subject: [PATCH] Fixing deployment
---
 .github/workflows/deploy.yml | 5 ++++-
 README.md | 6 ++++++
 mastodon.yaml | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index bb0dc36..cbf3686 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -36,5 +36,8 @@ jobs:
 VAPID_PRIVATE_KEY=$(aws ssm get-parameter --name /mastodon/prod/vapid_private_key --with-decryption --query Parameter.Value --output text)
 VAPID_PUBLIC_KEY=$(aws ssm get-parameter --name /mastodon/prod/vapid_public_key --with-decryption --query Parameter.Value --output text)
 ALERTING_HTTPS_ENDPOINT=$(aws ssm get-parameter --name /mastodon/prod/alerting_https_endpoint --with-decryption --query Parameter.Value --output text)
+ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=$(aws ssm get-parameter --name /mastodon/prod/active_record_encryption_deterministic_key --with-decryption --query Parameter.Value --output text)
+ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=$(aws ssm get-parameter --name /mastodon/prod/active_record_encryption_key_derivation_salt --with-decryption --query Parameter.Value --output text)
+ ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=$(aws ssm get-parameter --name /mastodon/prod/active_record_encryption_primary_key --with-decryption --query Parameter.Value --output text)
 aws cloudformation package --template-file mastodon.yaml --s3-bucket cloudformation-widdix-mastodon --output-template-file packaged.yml
- aws cloudformation deploy --template-file packaged.yml --stack-name cloudonaut-mastodon --capabilities CAPABILITY_IAM --parameter-overrides "DomainName=${DOMAIN_NAME}" "SecretKeyBase=${SECRET_KEY_BASE}" "OtpSecret=${OTP_SECRET}" "VapidPrivateKey=${VAPID_PRIVATE_KEY}" "VapidPublicKey=${VAPID_PUBLIC_KEY}" "AlertingHttpsEndpoint=${ALERTING_HTTPS_ENDPOINT}" "Spot=true" "DatabaseAllocatedStorage=10" "ContainerInsights=disabled" "DatabaseBackupRetentionPeriod=7"
+ aws cloudformation deploy --template-file packaged.yml --stack-name cloudonaut-mastodon --capabilities CAPABILITY_IAM --parameter-overrides "DomainName=${DOMAIN_NAME}" "SecretKeyBase=${SECRET_KEY_BASE}" "OtpSecret=${OTP_SECRET}" "VapidPrivateKey=${VAPID_PRIVATE_KEY}" "VapidPublicKey=${VAPID_PUBLIC_KEY}" "AlertingHttpsEndpoint=${ALERTING_HTTPS_ENDPOINT}" 
"ActiveRecordEncryptionDeterministicKey=${ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY}" "ActiveRecordEncryptionKeyDerivationSalt=ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT" "ActiveRecordEncryptionPrimaryKey=ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY" "Spot=true" "DatabaseAllocatedStorage=10" "ContainerInsights=disabled" "DatabaseBackupRetentionPeriod=7"
diff --git a/README.md b/README.md
index 8caa3ed..9705a1b 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,12 @@ c528b5cbb0236e4b0c2fe38a6d7ed1edc5fa12608c67a45690e225f005bad8bfbabfa99f7b83cb9c
 $ bundle exec rake mastodon:webpush:generate_vapid_key
 VAPID_PRIVATE_KEY=am3vlPBGQGv7Rl3xOKXSv7lRYyWfZITItb88FXX9IOs=
 VAPID_PUBLIC_KEY=BMGkIr1PaK4v7Kut7q7eoHtWxu9gEBQ5BeV28xOIR9c9VIvDWvOViTn1SV5G2LIEFGWo0f1dQka-UynR58WMn2Y=
+
+# Generate ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY, ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT, and ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+$ bundle exec rake db:encryption:init
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=V2FgMcCXJDCBythgGzWvhIDqiA8TUr2k
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=otljXH8L0xL1sPwyfOTHGCk5r6uohkCM
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=JnC6I2X2iTVfiu2KNRThvc3fSJnJhCOH
 ```
 ### Configure the domain name
diff --git a/mastodon.yaml b/mastodon.yaml
index ef5dfa9..adc5f86 100644
--- a/mastodon.yaml
+++ b/mastodon.yaml
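Review bot: Two of the three new overrides on the added `aws cloudformation deploy` line in `.github/workflows/deploy.yml` pass literal text instead of the fetched secret: `"ActiveRecordEncryptionKeyDerivationSalt=ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"` and `"ActiveRecordEncryptionPrimaryKey=ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"` lack the `${...}` expansion that the deterministic-key override has. As written, the stack receives the variable names themselves as salt and primary key, which are publicly known strings, and the two SSM values read a few lines earlier go unused. They should read `"ActiveRecordEncryptionKeyDerivationSalt=${ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT}"` and `"ActiveRecordEncryptionPrimaryKey=${ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY}"`. Data already encrypted under the literal values would presumably need re-encrypting once the real keys are in place. The run step begins before this hunk.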
@@ -21,6 +21,18 @@ Parameters:
 Description: 'Mastodon config VAPID_PUBLIC_KEY (README explains how to gennerate the key)'
 Type: String
 NoEcho: true
+ ActiveRecordEncryptionDeterministicKey:
+ Description: 'Mastodon config ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY (README explains how to gennerate the key)'
+ Type: String
+ NoEcho: true
+ ActiveRecordEncryptionKeyDerivationSalt:
+ Description: 'Mastodon config ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT (README explains how to gennerate the key)'
+ Type: String
+ NoEcho: true
+ ActiveRecordEncryptionPrimaryKey:
+ Description: 'Mastodon config ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY (README explains how to gennerate the key)'
+ Type: String
+ NoEcho: true
 Spot:
 Description: 'Reduce costs and decrease availability by running on Fargate Spot?'
 Type: String
@@ -208,6 +220,12 @@ Resources:
 AppEnvironment21Value: !GetAtt 'CloudFront.Outputs.DistributionDomainName'
 AppEnvironment22Key: 'S3_PERMISSION'
 AppEnvironment22Value: 'private'
+ AppEnvironment23Key: 'ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'
+ AppEnvironment23Value: !Ref ActiveRecordEncryptionDeterministicKey
+ AppEnvironment24Key: 'ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'
+ AppEnvironment24Value: !Ref ActiveRecordEncryptionKeyDerivationSalt
+ AppEnvironment25Key: 'ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'
+ AppEnvironment25Value: !Ref ActiveRecordEncryptionPrimaryKey
 Cpu: '0.5'
 Memory: '1'
 DesiredCount: '1'
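Review bot: The three new `NoEcho` parameters in the Parameters hunk (@@ -21,6 +21,18) accept any string, so an empty or placeholder value would be deployed as an encryption key without complaint. If the values always have the shape shown in the README sample (32 alphanumeric characters, to be confirmed), a constraint such as `AllowedPattern: '^[A-Za-z0-9]{32}$'` on each parameter would reject such input at deploy time. The new `Description` strings also repeat the misspelling "gennerate", and the one for `ActiveRecordEncryptionKeyDerivationSalt` calls the value a key; `(README explains how to generate the salt)` would be more accurate. The Parameters section starts before and continues after the hunk.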
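Review bot: In the Resources hunk (@@ -208,6 +220,12) the three secrets are handed to the nested stack as ordinary `AppEnvironment23Value` to `AppEnvironment25Value` entries, and the same six lines recur in the hunks at -283, -356 and -429. If that module renders them as container environment variables (its template is not part of this diff), the values are readable in the task definition by anyone allowed to describe it, because `NoEcho` on the parent parameters does not mask values copied into resource properties. Should the module offer a secrets-style input that references the SSM parameter by name, that would keep the plaintext out of the template and task definition. Otherwise a comment above `AppEnvironment23Key`, for example `# Secret value: ends up as a plain environment entry, restrict who may read the task definition`, would at least record the exposure.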
@@ -283,6 +301,12 @@ Resources:
 AppEnvironment21Value: !GetAtt 'CloudFront.Outputs.DistributionDomainName'
 AppEnvironment22Key: 'S3_PERMISSION'
 AppEnvironment22Value: 'private'
+ AppEnvironment23Key: 'ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'
+ AppEnvironment23Value: !Ref ActiveRecordEncryptionDeterministicKey
+ AppEnvironment24Key: 'ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'
+ AppEnvironment24Value: !Ref ActiveRecordEncryptionKeyDerivationSalt
+ AppEnvironment25Key: 'ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'
+ AppEnvironment25Value: !Ref ActiveRecordEncryptionPrimaryKey
 Cpu: '0.25'
 Memory: '0.5'
 DesiredCount: '1'
@@ -356,6 +380,12 @@ Resources:
 AppEnvironment21Value: !GetAtt 'CloudFront.Outputs.DistributionDomainName'
 AppEnvironment22Key: 'S3_PERMISSION'
 AppEnvironment22Value: 'private'
+ AppEnvironment23Key: 'ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'
+ AppEnvironment23Value: !Ref ActiveRecordEncryptionDeterministicKey
+ AppEnvironment24Key: 'ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'
+ AppEnvironment24Value: !Ref ActiveRecordEncryptionKeyDerivationSalt
+ AppEnvironment25Key: 'ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'
+ AppEnvironment25Value: !Ref ActiveRecordEncryptionPrimaryKey
 Cpu: '0.25'
 Memory: '1'
 DesiredCount: '1'
@@ -429,6 +459,12 @@ Resources:
 AppEnvironment21Value: !GetAtt 'CloudFront.Outputs.DistributionDomainName'
 AppEnvironment22Key: 'S3_PERMISSION'
 AppEnvironment22Value: 'private'
+ AppEnvironment23Key: 'ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'
+ AppEnvironment23Value: !Ref ActiveRecordEncryptionDeterministicKey
+ AppEnvironment24Key: 'ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'
+ AppEnvironment24Value: !Ref ActiveRecordEncryptionKeyDerivationSalt
+ AppEnvironment25Key: 'ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'
+ AppEnvironment25Value: !Ref ActiveRecordEncryptionPrimaryKey
 Cpu: '1'
 Memory: '2'
 LogsRetentionInDays: '14'