Fix mastodon redis to be valkey, generate active record encyption env…

… vars for mastodon (#323)

* switch to valkey instead of redis

* fix restic password for mastodon

* update mastodon doc example

* now we generate active record encyption keys for the database for mastodon

* update mastodon_rake to be mastodon_secrets to accomadate the new generated secrets

docs/k8s_apps/mastodon.md

@@ -3,7 +3,7 @@
 We are mostly stable for running Mastodon on Kubernetes. Check out our [Mastodon Argo CD ApplicationSet](https://github.com/small-hack/argocd-apps/tree/main/mastodon/small-hack):
 
 <a href="../../assets/images/screenshots/mastodon_screenshot.png">
-<img src="../../assets/images/screenshots/mastodon_screenshot.png" alt="screenshot of the mastodon applicationset in Argo CD's web interface using the tree mode view. the main mastodon app has 6 child apps: mastodon-redis, mastodon-app-set with child mastodon-web-app, mastodon-external-secrets-appset with child mastodon-external-secrets, mastodon-postgres-app-set with child mastodon-postgres-cluster, mastodon-s3-provider-app-set with child mastodon-seaweedfs, and mastodon-s3-pvc-appset with child mastodon-s3-pvc.">
+<img src="../../assets/images/screenshots/mastodon_screenshot.png" alt="screenshot of the mastodon applicationset in Argo CD's web interface using the tree mode view. the main mastodon app has 6 child apps: mastodon-valkey, mastodon-app-set with child mastodon-web-app, mastodon-external-secrets-appset with child mastodon-external-secrets, mastodon-postgres-app-set with child mastodon-postgres-cluster, mastodon-s3-provider-app-set with child mastodon-seaweedfs, and mastodon-s3-pvc-appset with child mastodon-s3-pvc.">
 </a>
 
 This is the networking view in Argo CD:
@@ -53,7 +53,7 @@ apps:
     description: |
        [link=https://joinmastodon.org/]Mastodon[/link] is an open source self hosted social media network.
 
-       smol-k8s-lab supports initializing mastodon, by setting up your hostname, SMTP credentials, redis credentials, postgresql credentials, and an admin user credentials. We pass all credentials as secrets in the namespace and optionally save them to Bitwarden.
+       smol-k8s-lab supports initializing mastodon, by setting up your hostname, SMTP credentials, valkey credentials, postgresql credentials, and an admin user credentials. We pass all credentials as secrets in the namespace and optionally save them to Bitwarden.
 
        smol-k8s-lab also creates a local s3 endpoint and as well as S3 bucket and credentials if you enable set mastodon.argo.secret_keys.s3_provider to "minio" or "seaweedfs". Both seaweedfs and minio require you to specify a remote s3 endpoint, bucket, region, and accessID/secretKey so that we can make sure you have remote backups.
 
@@ -102,9 +102,9 @@ apps:
         access_key_id:
           value_from:
             env: MASTODON_S3_BACKUP_ACCESS_ID
-        restic_repo_password:
-          value_from:
-            env: MASTODON_RESTIC_REPO_PASSWORD
+      restic_repo_password:
+        value_from:
+          env: MASTODON_RESTIC_REPO_PASSWORD
     argo:
       # secrets keys to make available to Argo CD ApplicationSets
       secret_keys:
@@ -119,6 +119,10 @@ apps:
         # local s3 endpoint for postgresql backups, backed up constantly
         s3_endpoint: ""
         s3_region: eu-west-1
+        # size of valkey pvc storage settings
+        valkey_storage: 3Gi
+        valkey_storage_class: local-path
+        valkey_access_mode: ReadWriteOnce
       # git repo to install the Argo CD app from
       repo: https://github.com/small-hack/argocd-apps
       # path in the argo repo to point to. Trailing slash very important!

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name          = "smol_k8s_lab"
-version       = "5.17.1"
+version       = "5.17.2"
 description   = "CLI and TUI to quickly install slimmer Kubernetes distros and then manage apps declaratively using Argo CD"
 authors       = ["Jesse Hitch <jessebot@linux.com>",
                  "Max Roby <emax@cloudydev.net>"]

smol_k8s_lab/config/default_config.yaml

@@ -784,7 +784,7 @@ apps:
     description: |
        [link=https://joinmastodon.org/]Mastodon[/link] is an open source self hosted social media network.
 
-       smol-k8s-lab supports initializing mastodon, by setting up your hostname, SMTP credentials, redis credentials, postgresql credentials, and an admin user credentials. We pass all credentials as secrets in the namespace and optionally save them to Bitwarden.
+       smol-k8s-lab supports initializing mastodon, by setting up your hostname, SMTP credentials, valkey credentials, postgresql credentials, and an admin user credentials. We pass all credentials as secrets in the namespace and optionally save them to Bitwarden.
 
        smol-k8s-lab also creates a local s3 endpoint and as well as S3 bucket and credentials if you enable set mastodon.argo.secret_keys.s3_provider to "minio" or "seaweedfs". Both seaweedfs and minio require you to specify a remote s3 endpoint, bucket, region, and accessID/secretKey so that we can make sure you have remote backups.
 
@@ -834,9 +834,9 @@ apps:
         access_key_id:
           value_from:
             env: MASTODON_S3_BACKUP_ACCESS_ID
-        restic_repo_password:
-          value_from:
-            env: MASTODON_RESTIC_REPO_PASSWORD
+      restic_repo_password:
+        value_from:
+          env: MASTODON_RESTIC_REPO_PASSWORD
     argo:
       # secrets keys to make available to Argo CD ApplicationSets
       secret_keys:
@@ -851,6 +851,10 @@ apps:
         # local s3 endpoint for postgresql backups, backed up constantly
         s3_endpoint: ""
         s3_region: eu-west-1
+        # size of valkey pvc storage
+        valkey_storage: 3Gi
+        valkey_storage_class: local-path
+        valkey_access_mode: ReadWriteOnce
       # git repo to install the Argo CD app from
       repo: https://github.com/small-hack/argocd-apps
       # path in the argo repo to point to. Trailing slash very important!
@@ -1195,7 +1199,7 @@ apps:
     description: |
       [link=https://nextcloud.com/]Nextcloud Hub[/link] is the industry-leading, fully open-source, on-premises content collaboration platform. Teams access, share and edit their documents, chat and participate in video calls and manage their mail and calendar and projects across mobile, desktop and web interfaces
 
-      smol-k8s-lab supports initialization by setting up your admin username, password, and SMTP username and password, as well as your redis and postgresql credentials.
+      smol-k8s-lab supports initialization by setting up your admin username, password, and SMTP username and password, as well as your redis (or valkey) and postgresql credentials.
 
       To avoid providing sensitive values everytime you run smol-k8s-lab, consider exporting the following environment variables before running smol-k8s-lab:
         - NEXTCLOUD_SMTP_PASSWORD

smol_k8s_lab/k8s_apps/social/mastodon.py

@@ -1,7 +1,7 @@
 # internal libraries
 from smol_k8s_lab.bitwarden.bw_cli import BwCLI, create_custom_field
 from smol_k8s_lab.k8s_apps.operators.minio import create_minio_alias, BetterMinio
-from smol_k8s_lab.k8s_apps.social.mastodon_rake import generate_rake_secrets
+from smol_k8s_lab.k8s_apps.social.mastodon_secrets import generate_mastodon_secrets
 from smol_k8s_lab.k8s_tools.argocd_util import ArgoCD
 from smol_k8s_lab.k8s_tools.restores import restore_seaweedfs, restore_cnpg_cluster
 from smol_k8s_lab.utils.passwords import create_password
@@ -81,7 +81,7 @@ def configure_mastodon(argocd: ArgoCD,
             mail_pass = extract_secret(init_values.get('smtp_password'))
 
             # main mastodon rake secrets
-            rake_secrets = generate_rake_secrets()
+            rake_secrets = generate_mastodon_secrets()
 
             # configure s3 credentials
             s3_access_id = 'mastodon'
@@ -125,10 +125,10 @@ def configure_mastodon(argocd: ArgoCD,
                     {"password": mastodon_pgsql_password,
                      'postrgesPassword': mastodon_pgsql_password})
 
-            # redis creds k8s secret
-            mastodon_redis_password = create_password()
-            argocd.k8s.create_secret('mastodon-redis-credentials', 'mastodon',
-                                     {"password": mastodon_redis_password})
+            # valkey creds k8s secret
+            mastodon_valkey_password = create_password()
+            argocd.k8s.create_secret('mastodon-valkey-credentials', 'mastodon',
+                                     {"password": mastodon_valkey_password})
 
             # mastodon rake secrets
             argocd.k8s.create_secret('mastodon-server-secrets', 'mastodon',
@@ -226,8 +226,8 @@ def refresh_bweso(argocd: ArgoCD,
             f"mastodon-elasticsearch-credentials-{mastodon_hostname}", False
             )[0]['id']
 
-    redis_id = bitwarden.get_item(
-            f"mastodon-redis-credentials-{mastodon_hostname}", False
+    valkey_id = bitwarden.get_item(
+            f"mastodon-valkey-credentials-{mastodon_hostname}", False
             )[0]['id']
 
     smtp_id = bitwarden.get_item(
@@ -258,7 +258,7 @@ def refresh_bweso(argocd: ArgoCD,
     argocd.update_appset_secret(
             {'mastodon_smtp_credentials_bitwarden_id': smtp_id,
              'mastodon_postgres_credentials_bitwarden_id': db_id,
-             'mastodon_redis_bitwarden_id': redis_id,
+             'mastodon_valkey_bitwarden_id': valkey_id,
              'mastodon_s3_admin_credentials_bitwarden_id': s3_admin_id,
              'mastodon_s3_postgres_credentials_bitwarden_id': s3_db_id,
              'mastodon_s3_mastodon_credentials_bitwarden_id': s3_id,
@@ -353,13 +353,13 @@ def setup_bitwarden_items(argocd: ArgoCD,
             fields=[postrges_pass_obj]
             )
 
-    # Redis credentials
-    mastodon_redis_password = bitwarden.generate()
-    redis_id = bitwarden.create_login(
-            name='mastodon-redis-credentials',
+    # valkey credentials
+    mastodon_valkey_password = bitwarden.generate()
+    valkey_id = bitwarden.create_login(
+            name='mastodon-valkey-credentials',
             item_url=mastodon_hostname,
             user='mastodon',
-            password=mastodon_redis_password
+            password=mastodon_valkey_password
             )
 
     # SMTP credentials
@@ -400,6 +400,18 @@ def setup_bitwarden_items(argocd: ArgoCD,
             "VAPID_PRIVATE_KEY",
             rake_secrets['VAPID_PRIVATE_KEY']
             )
+    active_record_encryption_deterministic_obj = create_custom_field(
+            "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY",
+            rake_secrets['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY']
+            )
+    active_record_encryption_derivation_obj = create_custom_field(
+            "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT",
+            rake_secrets['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT']
+            )
+    active_record_encryption_primary_obj = create_custom_field(
+            "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY",
+            rake_secrets['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY']
+            )
 
     secrets_id = bitwarden.create_login(
             name='mastodon-server-secrets',
@@ -410,7 +422,10 @@ def setup_bitwarden_items(argocd: ArgoCD,
                 secret_key_base_obj,
                 otp_secret_obj,
                 vapid_priv_key_obj,
-                vapid_pub_key_obj
+                vapid_pub_key_obj,
+                active_record_encryption_primary_obj,
+                active_record_encryption_derivation_obj,
+                active_record_encryption_deterministic_obj
                 ]
             )
 
@@ -419,7 +434,7 @@ def setup_bitwarden_items(argocd: ArgoCD,
     argocd.update_appset_secret(
             {'mastodon_smtp_credentials_bitwarden_id': smtp_id,
              'mastodon_postgres_credentials_bitwarden_id': db_id,
-             'mastodon_redis_bitwarden_id': redis_id,
+             'mastodon_valkey_bitwarden_id': valkey_id,
              'mastodon_s3_admin_credentials_bitwarden_id': s3_admin_id,
              'mastodon_s3_postgres_credentials_bitwarden_id': s3_db_id,
              'mastodon_s3_mastodon_credentials_bitwarden_id': s3_id,

smol_k8s_lab/k8s_apps/social/mastodon_rake.py → smol_k8s_lab/k8s_apps/social/mastodon_secrets.py

@@ -1,11 +1,11 @@
 #!/usr/bin/env python
-""" 
+"""
 This is just for generating mastodon rake secrets and testing on the cli
 """
 from smol_k8s_lab.utils.run.subproc import subproc
 
 
-def generate_rake_secrets() -> None:
+def generate_mastodon_secrets() -> None:
     """
     These are required for mastodon:
         https://docs.joinmastodon.org/admin/config/#secrets
@@ -21,11 +21,20 @@ def generate_rake_secrets() -> None:
 
     VAPID_PUBLIC_KEY  Generate with rake mastodon:webpush:generate_vapid_key.
                       Changing it will break push notifications.
+
+    these are all generated with rails db:encryption:init
+    ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+    ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
+    ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
     """
     final_dict = {"SECRET_KEY_BASE": "",
                   "OTP_SECRET": "",
                   "VAPID_PRIVATE_KEY": "",
-                  "VAPID_PUBLIC_KEY": ""}
+                  "VAPID_PUBLIC_KEY": "",
+                  "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY": "",
+                  "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT": "",
+                  "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY": ""
+                  }
 
     # we use docker to generate all of these
     base_cmd = "docker run docker.io/tootsuite/mastodon:latest rake"
@@ -42,6 +51,13 @@ def generate_rake_secrets() -> None:
     final_dict['VAPID_PRIVATE_KEY'] = vapid_keys[0].split("=")[1]
     final_dict['VAPID_PUBLIC_KEY'] = vapid_keys[1].split("=")[1]
 
+    db_crypt_cmd = "docker run docker.io/tootsuite/mastodon:latest rails db:encryption:init"
+    crypt_env = subproc([db_crypt_cmd]).split('\n')
+    print(crypt_env)
+    final_dict['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'] = crypt_env[2].split("=")[1]
+    final_dict['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'] = crypt_env[3].split("=")[1]
+    final_dict['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'] = crypt_env[4].split("=")[1]
+
     return final_dict
 
 if __name__ == '__main__':