
Commit 35c52ab

authored
mastodon: 4.2.13 -> 4.3.0 (#337545)
2 parents 15f8bd8 + 36a83a3 commit 35c52ab

7 files changed

+1050
-617
lines changed


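--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -12,9 +12,12 @@ let
 RAILS_ENV = "production";
 NODE_ENV = "production";
 
+BOOTSNAP_CACHE_DIR="/var/cache/mastodon/precompile";
 LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
 
-# mastodon-web concurrency.
+MASTODON_USE_LIBVIPS = "true";
+
+# Concurrency mastodon-web
 WEB_CONCURRENCY = toString cfg.webProcesses;
 MAX_THREADS = toString cfg.webThreads;
 
@@ -24,7 +27,7 @@ let
 DB_NAME = cfg.database.name;
 LOCAL_DOMAIN = cfg.localDomain;
 SMTP_SERVER = cfg.smtp.host;
-SMTP_PORT = toString(cfg.smtp.port);
+SMTP_PORT = toString cfg.smtp.port;
 SMTP_FROM_ADDRESS = cfg.smtp.fromAddress;
 PAPERCLIP_ROOT_PATH = "/var/lib/mastodon/public-system";
 PAPERCLIP_ROOT_URL = "/system";
@@ -33,12 +36,12 @@ let
 TRUSTED_PROXY_IP = cfg.trustedProxy;
 }
 // lib.optionalAttrs (cfg.redis.host != null) { REDIS_HOST = cfg.redis.host; }
-// lib.optionalAttrs (cfg.redis.port != null) { REDIS_PORT = toString(cfg.redis.port); }
+// lib.optionalAttrs (cfg.redis.port != null) { REDIS_PORT = toString cfg.redis.port; }
 // lib.optionalAttrs (cfg.redis.createLocally && cfg.redis.enableUnixSocket) { REDIS_URL = "unix://${config.services.redis.servers.mastodon.unixSocket}"; }
 // lib.optionalAttrs (cfg.database.host != "/run/postgresql" && cfg.database.port != null) { DB_PORT = toString cfg.database.port; }
 // lib.optionalAttrs cfg.smtp.authenticate { SMTP_LOGIN = cfg.smtp.user; }
 // lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_HOST = cfg.elasticsearch.host; }
-// lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_PORT = toString(cfg.elasticsearch.port); }
+// lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_PORT = toString cfg.elasticsearch.port; }
 // lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_PRESET = cfg.elasticsearch.preset; }
 // lib.optionalAttrs (cfg.elasticsearch.user != null) { ES_USER = cfg.elasticsearch.user; }
 // cfg.extraConfig;
@@ -51,6 +54,9 @@ let
 Group = cfg.group;
 # Working directory
 WorkingDirectory = cfg.package;
+# Cache directory and mode
+CacheDirectory = "mastodon";
+CacheDirectoryMode = "0750";
 # State directory and mode
 StateDirectory = "mastodon";
 StateDirectoryMode = "0750";
@@ -127,7 +133,7 @@ let
 description = "Mastodon sidekiq${jobClassLabel}";
 wantedBy = [ "mastodon.target" ];
 environment = env // {
-PORT = toString(cfg.sidekiqPort);
+PORT = toString cfg.sidekiqPort;
 DB_POOL = threads;
 };
 serviceConfig = {
@@ -309,7 +315,7 @@ in {
 Voluntary Application Server Identification. A new keypair can
 be generated by running:
 
-`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys`
+`nix build -f '<nixpkgs>' mastodon; cd result; RAILS_ENV=production bin/rake webpush:generate_keys`
 
 If {option}`mastodon.vapidPrivateKeyFile`does not
 exist, it and this file will be created with a new keypair.
@@ -324,12 +330,57 @@ in {
 type = lib.types.str;
 };
 
+activeRecordEncryptionDeterministicKeyFile = lib.mkOption {
+description = ''
+This key must be set to enable the Active Record Encryption feature within
+Rails that Mastodon uses to encrypt and decrypt some database attributes.
+A new Active Record keys can be generated by running:
+
+`nix build -f '<nixpkgs>' mastodon; cd result; RAILS_ENV=production ./bin/rails db:encryption:init`
+
+If this file does not exist, it will be created with a new Active Record
+keys.
+'';
+default = "/var/lib/mastodon/secrets/active-record-encryption-deterministic-key";
+type = lib.types.str;
+};
+
+activeRecordEncryptionKeyDerivationSaltFile = lib.mkOption {
+description = ''
+This key must be set to enable the Active Record Encryption feature within
+Rails that Mastodon uses to encrypt and decrypt some database attributes.
+A new Active Record keys can be generated by running:
+
+`nix build -f '<nixpkgs>' mastodon; cd result; RAILS_ENV=production ./bin/rails db:encryption:init`
+
+If this file does not exist, it will be created with a new Active Record
+keys.
+'';
+default = "/var/lib/mastodon/secrets/active-record-encryption-key-derivation-salt";
+type = lib.types.str;
+};
+
+activeRecordEncryptionPrimaryKeyFile = lib.mkOption {
+description = ''
+This key must be set to enable the Active Record Encryption feature within
+Rails that Mastodon uses to encrypt and decrypt some database attributes.
+A new Active Record keys can be generated by running:
+
+`nix build -f '<nixpkgs>' mastodon; cd result; RAILS_ENV=production ./bin/rails db:encryption:init`
+
+If this file does not exist, it will be created with a new Active Record
+keys.
+'';
+default = "/var/lib/mastodon/secrets/active-record-encryption-primary-key";
+type = lib.types.str;
+};
+
 secretKeyBaseFile = lib.mkOption {
 description = ''
 Path to file containing the secret key base.
 A new secret key base can be generated by running:
 
-`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret`
+`nix build -f '<nixpkgs>' mastodon; cd result; bin/bundle exec rails secret`
 
 If this file does not exist, it will be created with a new secret key base.
 '';
@@ -342,7 +393,7 @@ in {
 Path to file containing the OTP secret.
 A new OTP secret can be generated by running:
 
-`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret`
+`nix build -f '<nixpkgs>' mastodon; cd result; bin/bundle exec rails secret`
 
 If this file does not exist, it will be created with a new OTP secret.
 '';
@@ -708,13 +759,28 @@ in {
 script = ''
 umask 077
 
+if ! test -d /var/cache/mastodon/precompile; then
+${cfg.package}/bin/bundle exec bootsnap precompile --gemfile ${cfg.package}/app ${cfg.package}/lib
+fi
+if ! test -f ${cfg.activeRecordEncryptionDeterministicKeyFile}; then
+mkdir -p $(dirname ${cfg.activeRecordEncryptionDeterministicKeyFile})
+bin/rails db:encryption:init | grep --only-matching "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=[^ ]\+" | sed 's/^ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=//' > ${cfg.activeRecordEncryptionDeterministicKeyFile}
+fi
+if ! test -f ${cfg.activeRecordEncryptionKeyDerivationSaltFile}; then
+mkdir -p $(dirname ${cfg.activeRecordEncryptionKeyDerivationSaltFile})
+bin/rails db:encryption:init | grep --only-matching "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=[^ ]\+" | sed 's/^ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=//' > ${cfg.activeRecordEncryptionKeyDerivationSaltFile}
+fi
+if ! test -f ${cfg.activeRecordEncryptionPrimaryKeyFile}; then
+mkdir -p $(dirname ${cfg.activeRecordEncryptionPrimaryKeyFile})
+bin/rails db:encryption:init | grep --only-matching "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=[^ ]\+" | sed 's/^ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=//' > ${cfg.activeRecordEncryptionPrimaryKeyFile}
+fi
 if ! test -f ${cfg.secretKeyBaseFile}; then
 mkdir -p $(dirname ${cfg.secretKeyBaseFile})
-bin/rake secret > ${cfg.secretKeyBaseFile}
+bin/bundle exec rails secret > ${cfg.secretKeyBaseFile}
 fi
 if ! test -f ${cfg.otpSecretFile}; then
 mkdir -p $(dirname ${cfg.otpSecretFile})
-bin/rake secret > ${cfg.otpSecretFile}
+bin/bundle exec rails secret > ${cfg.otpSecretFile}
 fi
 if ! test -f ${cfg.vapidPrivateKeyFile}; then
 mkdir -p $(dirname ${cfg.vapidPrivateKeyFile}) $(dirname ${cfg.vapidPublicKeyFile})
@@ -724,6 +790,9 @@ in {
 fi
 
 cat > /var/lib/mastodon/.secrets_env <<EOF
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="$(cat ${cfg.activeRecordEncryptionDeterministicKeyFile})"
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="$(cat ${cfg.activeRecordEncryptionKeyDerivationSaltFile})"
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="$(cat ${cfg.activeRecordEncryptionPrimaryKeyFile})"
 SECRET_KEY_BASE="$(cat ${cfg.secretKeyBaseFile})"
 OTP_SECRET="$(cat ${cfg.otpSecretFile})"
 VAPID_PRIVATE_KEY="$(cat ${cfg.vapidPrivateKeyFile})"
@@ -802,7 +871,7 @@ in {
 description = "Mastodon web";
 environment = env // (if cfg.enableUnixSocket
 then { SOCKET = "/run/mastodon-web/web.socket"; }
-else { PORT = toString(cfg.webPort); }
+else { PORT = toString cfg.webPort; }
 );
 serviceConfig = {
 ExecStart = "${cfg.package}/bin/puma -C config/puma.rb";
@@ -816,7 +885,7 @@ in {
 # System Call Filtering
 SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ];
 } // cfgService;
-path = with pkgs; [ ffmpeg-headless file imagemagick ];
+path = with pkgs; [ ffmpeg-headless file ];
 };
 
 systemd.services.mastodon-media-auto-remove = lib.mkIf cfg.mediaAutoRemove.enable {
@@ -851,7 +920,7 @@ in {
 };
 
 locations."@proxy" = {
-proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}");
+proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString cfg.webPort}");
 proxyWebsockets = true;
 };
 
@@ -903,7 +972,7 @@ in {
 inherit (cfg) group;
 };
 })
-(lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package pkgs.imagemagick ])
+(lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package ])
 (lib.mkIf (cfg.redis.createLocally && cfg.redis.enableUnixSocket) {${config.services.mastodon.user}.extraGroups = [ "redis-mastodon" ];})
 ];
 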
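Review bot: The three new key-generation lines in the activation script (hunk `@@ -708,13 +759,28 @@`) redirect a `bin/rails db:encryption:init | grep | sed` pipeline straight into the key file, so if the rails command fails or prints an unexpected format, grep emits nothing, an empty file is created, and the `test -f` guard then preserves that empty file on every later start — the service would keep exporting empty ACTIVE_RECORD_ENCRYPTION_* values into `/var/lib/mastodon/.secrets_env`. Whether the script runs with `pipefail` is not visible in the hunk, so the guard should at least require a non-empty file, `if ! test -s ${cfg.activeRecordEncryptionDeterministicKeyFile}; then`, and likewise for the salt and primary-key files (the pre-existing `rails secret > …` guards share the weakness). Each of the three invocations presumably yields an independent random key set, and keeping one value from each run is only sound because the three values do not depend on one another; a one-line comment such as `# db:encryption:init prints fresh random values on each run; one value is kept per file` would record that assumption for the next maintainer. In the option descriptions, `A new Active Record keys can be generated` should read `New Active Record keys can be generated`, and the salt option's text calls the salt a key. The enclosing `script` attribute starts and ends outside the hunk.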
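--- a/pkgs/servers/mastodon/default.nix
+++ b/pkgs/servers/mastodon/default.nix
@@ -1,7 +1,6 @@
 { lib, stdenv, nodejs-slim, bundlerEnv, nixosTests
-, yarn, callPackage, ruby, writeShellScript
-, fetchYarnDeps, fixup-yarn-lock
-, brotli
+, yarn-berry, callPackage, ruby, writeShellScript
+, brotli, python3
 
 # Allow building a fork or custom version of Mastodon:
 , pname ? "mastodon"
@@ -28,12 +27,12 @@ stdenv.mkDerivation rec {
 pname = "${pname}-modules";
 inherit src version;
 
-yarnOfflineCache = fetchYarnDeps {
-yarnLock = "${src}/yarn.lock";
+yarnOfflineCache = callPackage ./yarn.nix {
+inherit version src;
 hash = yarnHash;
 };
 
-nativeBuildInputs = [ fixup-yarn-lock nodejs-slim yarn mastodonGems mastodonGems.wrappedRuby brotli ];
+nativeBuildInputs = [ nodejs-slim yarn-berry mastodonGems mastodonGems.wrappedRuby brotli python3 ];
 
 RAILS_ENV = "production";
 NODE_ENV = "production";
@@ -42,29 +41,33 @@ stdenv.mkDerivation rec {
 runHook preBuild
 
 export HOME=$PWD
-fixup-yarn-lock ~/yarn.lock
-yarn config --offline set yarn-offline-mirror $yarnOfflineCache
-yarn install --offline --frozen-lockfile --ignore-engines --ignore-scripts --no-progress
+export YARN_ENABLE_TELEMETRY=0
+export npm_config_nodedir=${nodejs-slim}
+export SECRET_KEY_BASE_DUMMY=1
+
+mkdir -p ~/.yarn/berry
+ln -s $yarnOfflineCache ~/.yarn/berry/cache
+
+yarn install --immutable --immutable-cache
 
 patchShebangs ~/bin
 patchShebangs ~/node_modules
 
-# skip running yarn install
-rm -rf ~/bin/yarn
+bundle exec rails assets:precompile
 
-OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder \
-rails assets:precompile
-yarn cache clean --offline
+yarn cache clean --all
 rm -rf ~/node_modules/.cache
 
+# Remove execute permissions
+find ~/public/assets -type f ! -perm 0555 \
+-exec chmod 0444 {} ';'
+
 # Create missing static gzip and brotli files
-gzip --best --keep ~/public/assets/500.html
+find ~/public/assets -type f -regextype posix-extended -iregex '.*\.(css|html|js|json|svg)' \
+-exec gzip --best --keep --force {} ';' \
+-exec brotli --best --keep {} ';'
 gzip --best --keep ~/public/packs/report.html
-find ~/public/assets -maxdepth 1 -type f -name '.*.json' \
--exec gzip --best --keep --force {} ';'
 brotli --best --keep ~/public/packs/report.html
-find ~/public/assets -type f -regextype posix-extended -iregex '.*\.(css|js|json|html)' \
--exec brotli --best --keep {} ';'
 
 runHook postBuild
 '';
@@ -101,13 +104,14 @@ stdenv.mkDerivation rec {
 done
 
 # Remove execute permissions
-chmod 0444 public/emoji/*.svg
+find public/emoji -type f ! -perm 0555 \
+-exec chmod 0444 {} ';'
 
 # Create missing static gzip and brotli files
-find public -maxdepth 1 -type f -regextype posix-extended -iregex '.*\.(css|js|svg|txt|xml)' \
+find public -maxdepth 1 -type f -regextype posix-extended -iregex '.*\.(js|txt)' \
 -exec gzip --best --keep --force {} ';' \
 -exec brotli --best --keep {} ';'
-find public/emoji -type f -name '.*.svg' \
+find public/emoji -type f -name '*.svg' \
 -exec gzip --best --keep --force {} ';' \
 -exec brotli --best --keep {} ';'
 ln -s assets/500.html.gz public/500.html.gz
@@ -133,7 +137,8 @@ stdenv.mkDerivation rec {
 runHook preInstall
 
 mkdir -p $out
-cp -r * $out/
+mv .{env*,ruby*} $out/
+mv * $out/
 ln -s ${run-streaming} $out/run-streaming.sh
 
 runHook postInstall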
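Review bot: The new `yarn install --immutable --immutable-cache` in the buildPhase hunk drops the `--ignore-scripts` that the removed `yarn install` line carried, so dependency lifecycle scripts from the offline cache now execute inside the build; the `export npm_config_nodedir=${nodejs-slim}` line suggests this is deliberate for native modules, but nothing in the hunk says so. If scripts are required, a comment such as `# Lifecycle scripts stay enabled so native modules are built against nodejs-slim (npm_config_nodedir)` would record the decision; if they are not, `export YARN_ENABLE_SCRIPTS=0` next to `export YARN_ENABLE_TELEMETRY=0` restores the previous behaviour. Separately, `mv .{env*,ruby*} $out/` in the install hunk hands mv the literal pattern when a glob matches nothing, which would fail the install phase for a fork (the `pname ? "mastodon"` parameter invites forks) that ships no such dotfiles; `shopt -s dotglob` before `mv * $out/`, or a comment stating which dotfiles are expected, would make the intent explicit. Both the buildPhase and installPhase strings start outside their hunks.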
