feat!(mastodon): Upgrade to 4.3 beta

BREAKING!

Requires these new secrets to be set:

mastodon_config:
  ar_enc_deterministic_key: undef
  ar_enc_derivation_salt: undef
  ar_enc_primary_key: undef

roles/mastodon/defaults/main.yml

@@ -39,6 +39,9 @@ mastodon_config:
   local_domain: "{{ mastodon_domain }}"
   secret_key_base: undef
   otp_secret: undef
+  ar_enc_deterministic_key: undef
+  ar_enc_derivation_salt: undef
+  ar_enc_primary_key: undef
   vapid_private_key: undef
   vapid_public_key: undef
   smtp_server: localhost
@@ -52,7 +55,7 @@ mastodon_elasticsearch_adjust_sysctl: true
 
 # Container versions
 # renovate: depName=ghcr.io/mastodon/mastodon
-mastodon_version: 4.2.12
+mastodon_version: 4.3.0-beta.1
 # renovate: depName=docker.io/library/postgres
 mastodon_database_version: 15.8
 # renovate: depName=docker.io/library/redis

roles/mastodon/templates/.env.production

@@ -39,16 +39,22 @@ WEB_DOMAIN={{ mastodon_config.web_domain }}
 # ALTERNATE_DOMAINS=example1.com,example2.com
 
 # Application secrets
-# Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
+# Generate each with the `RAILS_ENV=production bundle exec rails secret` task (`docker-compose run --rm web rails secret` if you use docker compose)
 SECRET_KEY_BASE={{ mastodon_config.secret_key_base }}
 OTP_SECRET={{ mastodon_config.otp_secret }}
+# DB encryption secrets
+# Generate them yourself, each 32 alphanumeric or
+# Generate them with `RAILS_ENV=production bundle exec rails db:encryption:init` task (`docker-compose run --rm web rails db:encryption:init` if you use docker compose)
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{ mastodon_config.ar_enc_deterministic_key }}
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{ mastodon_config.ar_enc_derivation_salt }}
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{ mastodon_config.ar_enc_primary_key }}
 
 # VAPID keys (used for push notifications
 # You can generate the keys using the following command (first is the private key, second is the public one)
 # You should only generate this once per instance. If you later decide to change it, all push subscription will
 # be invalidated, requiring the users to access the website again to resubscribe.
 #
-# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
+# Generate with `RAILS_ENV=production bundle exec rails mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rails mastodon:webpush:generate_vapid_key` if you use docker compose)
 #
 # For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
 VAPID_PRIVATE_KEY={{ mastodon_config.vapid_private_key }}

roles/mastodon/templates/default.conf

@@ -48,11 +48,28 @@ server {
     try_files $uri @proxy;
   }
 
-  location /sw.js {
+  location = /sw.js {
     add_header Cache-Control "public, max-age=604800, must-revalidate";
     try_files $uri @proxy;
   }
 
+  location ^~ /api/v1/streaming {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+
+    proxy_pass http://streaming:4000;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    tcp_nodelay on;
+  }
+
   location @proxy {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
@@ -77,22 +94,7 @@ server {
     tcp_nodelay on;
   }
 
-  location /api/v1/streaming {
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto https;
-    proxy_set_header Proxy "";
 
-    proxy_pass http://streaming:4000;
-    proxy_buffering off;
-    proxy_redirect off;
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
 
-    tcp_nodelay on;
+  error_page 404 500 501 502 503 504 /500.html;
-  }
-
-  error_page 500 501 502 503 504 /500.html;
 }

roles/mastodon/templates/docker-compose.yml

@@ -122,18 +122,21 @@ services:
     depends_on:
       - db
       - redis
+{% if mastodon_config.enable_elasticsearch is defined and mastodon_config.enable_elasticsearch %}
+      - es
+{% endif %}
     volumes:
       - {{ mastodon_public_location }}/system:/mastodon/public/system
     networks:
       frontend:
       backend:
     healthcheck:
-      test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
+      test: ['CMD-SHELL',"curl -s --noproxy localhost localhost:3000/health | grep -q 'OK' || exit 1"]
     restart: always
-    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000 -b '0.0.0.0'"
+    command: bundle exec puma -C config/puma.rb
 
   streaming:
-    image: ghcr.io/mastodon/mastodon:{{ mastodon_image_version }}
+    image: ghcr.io/mastodon/mastodon-streaming:{{ mastodon_image_version }}
     mem_limit: 1024mb
     memswap_limit: 1280mb
     env_file: {{ mastodon_install_location }}/.env.production
@@ -141,12 +144,12 @@ services:
       frontend:
       backend:
     healthcheck:
-      test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
+      test: ['CMD-SHELL', "curl -s --noproxy localhost localhost:4000/api/v1/streaming/health | grep -q 'OK' || exit 1"]
     depends_on:
       - db
       - redis
     restart: always
-    command: node ./streaming
+    command: node ./streaming/index.js
 
   sidekiq:
     image: ghcr.io/mastodon/mastodon:{{ mastodon_image_version }}