authoryalh76 <yalh@yahoo.com>2024-12-28 01:29:20 +0100
committeryalh76 <yalh@yahoo.com>2024-12-28 01:29:20 +0100
commit3b0275ba5b773feca70ed92db8c8f240e93107ce (patch)
treed6acc5265aa00f77a56a18143d373e9d27a93f72 /scripts
parentf42e0062f5ed2fc63443111c811fbfb2f3ad0700 (diff)
downloadmastodon_ynh-3b0275ba5b773feca70ed92db8c8f240e93107ce.tar.gz
mastodon_ynh-3b0275ba5b773feca70ed92db8c8f240e93107ce.tar.bz2
mastodon_ynh-3b0275ba5b773feca70ed92db8c8f240e93107ce.zip
Implement yarn 4.5, new active_record_encryption and mastodon default services
Diffstat (limited to 'scripts')
-rw-r--r--scripts/_common.sh2
-rw-r--r--scripts/install53
-rw-r--r--scripts/upgrade26
3 files changed, 54 insertions, 27 deletions
diff --git a/scripts/_common.sh b/scripts/_common.sh
index a2ba0b8..d354663 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -5,7 +5,7 @@
#=================================================
memory_needed="2560"
-ruby_version=3.2.3
+ruby_version=3.3.5
nodejs_version=20
# Workaround for Mastodon on Bullseye
diff --git a/scripts/install b/scripts/install
index 1385a30..dfcbb27 100644
--- a/scripts/install
+++ b/scripts/install
@@ -69,22 +69,19 @@ ynh_app_setting_set --app="$app" --key=secret_key_base --value="$secret_key_base
otp_secret=$(ynh_string_random --length=128)
ynh_app_setting_set --app="$app" --key=otp_secret --value="$otp_secret"
-# We need rake to build vapid keys, we generate them later once the app is installed
+# We need bundle exec rails to build vapid keys, we generate them later once the app is installed
vapid_private_key=""
vapid_public_key=""
+# We need `bin/rails db:encryption:init` to generate fresh secrets, we generate them later once the app is installed
+active_record_encryption_deterministic_key=""
+active_record_encryption_key_derivation_salt=""
+active_record_encryption_primary_key=""
+
ynh_add_config --template=".env.production.sample" --destination="$config"
chmod 400 "$config"
chown $app:$app "$config"
-ynh_replace_string --match_string="registrations_mode: 'open'" --replace_string="registrations_mode: 'none'" --target_file="$install_dir/live/config/settings.yml"
-ynh_replace_string --match_string="min_invite_role: 'admin'" --replace_string="min_invite_role: 'none'" --target_file="$install_dir/live/config/settings.yml"
-
-ynh_store_file_checksum --file="$install_dir/live/config/settings.yml"
-
-chmod 400 "$install_dir/live/config/settings.yml"
-chown $app:$app "$install_dir/live/config/settings.yml"
-
#=================================================
# BUILD APP
#=================================================
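Review bot: With the two `ynh_replace_string` calls removed, nothing in this hunk overrides `registrations_mode` or `min_invite_role` any more, and the deleted match strings show the shipped default was `'open'` when they were written. If the current upstream default is still open registration, a fresh install would be publicly joinable until the admin changes it. Please confirm the intended default and record it in a comment next to the config step, for example `# registrations are left at Mastodon's default; admins restrict them in the web UI`. The commit message does not say why the override was dropped.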
@@ -97,31 +94,45 @@ pushd "$install_dir/live"
ynh_gem install bundler --no-document
ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle config deployment 'true'
ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle config without 'development test'
- ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle config set force_ruby_platform true
+ ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle config set force_ruby_platform true --quiet
ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle install -j$(getconf _NPROCESSORS_ONLN)
- # Building assets
ynh_use_nodejs
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --pure-lockfile --production --network-timeout 600000
+ env $ynh_node_load_PATH corepack enable
+ echo Y | ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH yarn workspaces focus --production
+ ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH yarn install --immutable
echo "SAFETY_ASSURED=1">> $config
- ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:migrate --quiet
- ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile --quiet
# Generate vapid keys
- ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rake mastodon:webpush:generate_vapid_key > key.txt
- # Create the first admin user
- ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/tootctl accounts create "$admin" --email="$admin_mail" --confirmed --role=Owner > /dev/null
+ ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails mastodon:webpush:generate_vapid_key > vapid_key.txt
+ # Generate active record encryption
+ ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:encryption:init > active_record_encryption.txt
popd
-# Re-generate config with vapid keys
-vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "$install_dir/live/key.txt")
+# Re-generate config with vapid keys and active record encryption
+vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "$install_dir/live/vapid_key.txt")
ynh_app_setting_set --app="$app" --key=vapid_private_key --value="$vapid_private_key"
-vapid_public_key=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "$install_dir/live/key.txt")
+vapid_public_key=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "$install_dir/live/vapid_key.txt")
ynh_app_setting_set --app="$app" --key=vapid_public_key --value="$vapid_public_key"
-ynh_secure_remove --file="$install_dir/live/key.txt"
+ynh_secure_remove --file="$install_dir/live/vapid_key.txt"
+active_record_encryption_deterministic_key=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=\K.+" "$install_dir/live/active_record_encryption.txt")
+ynh_app_setting_set --app="$app" --key=active_record_encryption_deterministic_key --value="$active_record_encryption_deterministic_key"
+active_record_encryption_key_derivation_salt=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=\K.+" "$install_dir/live/active_record_encryption.txt")
+ynh_app_setting_set --app="$app" --key=active_record_encryption_key_derivation_salt --value="$active_record_encryption_key_derivation_salt"
+active_record_encryption_primary_key=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=\K.+" "$install_dir/live/active_record_encryption.txt")
+ynh_app_setting_set --app="$app" --key=active_record_encryption_primary_key --value="$active_record_encryption_primary_key"
+ynh_secure_remove --file="$install_dir/live/active_record_encryption.txt"
ynh_delete_file_checksum --file="$config"
ynh_add_config --template=".env.production.sample" --destination="$config"
chmod 400 "$config"
chown $app:$app "$config"
+pushd "$install_dir/live"
+ ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:migrate --quiet
+ ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile --quiet
+ # Create the first admin user
+ ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/tootctl accounts create "$admin" --email="$admin_mail" --confirmed --role=Owner > /dev/null
+ ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/tootctl accounts approve "$admin" > /dev/null
+popd
+
#=================================================
# SYSTEM CONFIGURATION
#=================================================
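Review bot: The generated secrets are written to `vapid_key.txt` and `active_record_encryption.txt` inside `$install_dir/live` by a plain `>` redirection, so the files are created by the calling shell under its default umask and stay on disk until the later `ynh_secure_remove`, including when the script aborts in between. Creating them under a restrictive umask, or in a `mktemp` file outside the app tree, would narrow that window. The `grep -oP` results are also stored and rendered into `$config` unchecked, so a failed or reformatted `db:encryption:init` output could yield empty keys; whether the script already aborts on a non-matching grep depends on shell options not visible here. A guard after each extraction, such as `[ -n "$active_record_encryption_primary_key" ] || ynh_die --message="db:encryption:init produced no primary key"`, would fail early. The same pattern recurs in the `scripts/upgrade` hunk at `@@ -163,6 +163,21 @@`.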
diff --git a/scripts/upgrade b/scripts/upgrade
index c889e65..10e37c9 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -124,9 +124,9 @@ pushd "$install_dir/live"
ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle config set force_ruby_platform true --quiet
ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle install -j$(getconf _NPROCESSORS_ONLN)
ynh_use_nodejs
- ynh_exec_as $app $ynh_node_load_PATH yarn install --pure-lockfile --production --network-timeout 600000
- ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:clean
- ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile
+ env $ynh_node_load_PATH corepack enable
+ echo Y | ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH yarn workspaces focus --production
+ ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH yarn install --immutable
popd
chown "$app:www-data" "$install_dir"
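Review bot: `echo Y |` feeds an affirmative answer to whatever prompt the `yarn workspaces focus` invocation shows first, which here is presumably Corepack's confirmation before it downloads the package manager. Setting `COREPACK_ENABLE_DOWNLOAD_PROMPT=0` in the `env` arguments makes that consent explicit and scoped to Corepack alone, e.g. `ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH COREPACK_ENABLE_DOWNLOAD_PROMPT=0 yarn workspaces focus --production`. `corepack enable` is also the only command in this block not wrapped in `ynh_exec_as $app`, so it runs with the script's own privileges; a comment saying why would help. The same three lines appear in the `scripts/install` hunk at `@@ -97,31 +94,45 @@`. The enclosing `pushd` block begins before this hunk.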
@@ -163,6 +163,21 @@ ynh_use_logrotate --non-append
#=================================================
ynh_script_progression --message="Updating a config file..." --weight=1
+if ynh_compare_current_package_version --comparison lt --version "4.3.2~ynh1"; then
+ pushd "$install_dir/live"
+ ynh_use_ruby
+ # Generate active record encryption
+ ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:encryption:init > active_record_encryption.txt
+ active_record_encryption_deterministic_key=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=\K.+" "$install_dir/live/active_record_encryption.txt")
+ ynh_app_setting_set --app="$app" --key=active_record_encryption_deterministic_key --value="$active_record_encryption_deterministic_key"
+ active_record_encryption_key_derivation_salt=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=\K.+" "$install_dir/live/active_record_encryption.txt")
+ ynh_app_setting_set --app="$app" --key=active_record_encryption_key_derivation_salt --value="$active_record_encryption_key_derivation_salt"
+ active_record_encryption_primary_key=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=\K.+" "$install_dir/live/active_record_encryption.txt")
+ ynh_app_setting_set --app="$app" --key=active_record_encryption_primary_key --value="$active_record_encryption_primary_key"
+ ynh_secure_remove --file="$install_dir/live/active_record_encryption.txt"
+ popd
+fi
+
language="$(echo $language | head -c 2)"
ynh_add_config --template=".env.production.sample" --destination="$config"
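Review bot: The key generation is gated only on the package version (`lt "4.3.2~ynh1"`), not on whether keys are already stored, so any path that runs this block again for an instance that already has keys would replace them in the app settings. Data encrypted under the previous Active Record encryption keys can no longer be read after such a replacement, so an additional guard on the stored setting would be safer, e.g. `if [ -z "$(ynh_app_setting_get --app="$app" --key=active_record_encryption_primary_key)" ]; then`. A short comment stating that these keys must not be regenerated once set would also help the next maintainer.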
@@ -177,8 +192,9 @@ ynh_script_progression --message="Applying migrations..." --weight=1
pushd "$install_dir/live"
ynh_use_ruby
- ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:migrate
- ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/tootctl cache clear
+ ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:migrate --quiet
+ ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:clean --quiet
+ ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile --quiet
popd
#=================================================