mastodon: 4.2.13 -> 4.3.0

Changelog:
https://github.com/mastodon/mastodon/releases/tag/v4.3.0

nixos/modules/services/web-apps/mastodon.nix

@@ -12,9 +12,12 @@ let
  RAILS_ENV = "production";
  NODE_ENV = "production";
 
+ BOOTSNAP_CACHE_DIR="/var/cache/mastodon/precompile";
  LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
 
- # mastodon-web concurrency.
+ MASTODON_USE_LIBVIPS = "true";
+
+ # Concurrency mastodon-web
  WEB_CONCURRENCY = toString cfg.webProcesses;
  MAX_THREADS = toString cfg.webThreads;
 
@@ -51,6 +54,9 @@ let
  Group = cfg.group;
  # Working directory
  WorkingDirectory = cfg.package;
+ # Cache directory and mode
+ CacheDirectory = "mastodon";
+ CacheDirectoryMode = "0750";
  # State directory and mode
  StateDirectory = "mastodon";
  StateDirectoryMode = "0750";
@@ -324,12 +330,57 @@ in {
  type = lib.types.str;
  };
 
+ activeRecordEncryptionDeterministicKeyFile = lib.mkOption {
+ description = ''
+ This key must be set to enable the Active Record Encryption feature within
+ Rails that Mastodon uses to encrypt and decrypt some database attributes.
+ A new Active Record keys can be generated by running:
+
+ `nix build -f '<nixpkgs>' mastodon; cd result; bin/rails db:encryption:init`
+
+ If this file does not exist, it will be created with a new Active Record
+ keys.
+ '';
+ default = "/var/lib/mastodon/secrets/active-record-encryption-deterministic-key";
+ type = lib.types.str;
+ };
+
+ activeRecordEncryptionKeyDerivationSaltFile = lib.mkOption {
+ description = ''
+ This key must be set to enable the Active Record Encryption feature within
+ Rails that Mastodon uses to encrypt and decrypt some database attributes.
+ A new Active Record keys can be generated by running:
+
+ `nix build -f '<nixpkgs>' mastodon; cd result; bin/rails db:encryption:init`
+
+ If this file does not exist, it will be created with a new Active Record
+ keys.
+ '';
+ default = "/var/lib/mastodon/secrets/active-record-encryption-key-derivation-salt";
+ type = lib.types.str;
+ };
+
+ activeRecordEncryptionPrimaryKeyFile = lib.mkOption {
+ description = ''
+ This key must be set to enable the Active Record Encryption feature within
+ Rails that Mastodon uses to encrypt and decrypt some database attributes.
+ A new Active Record keys can be generated by running:
+
+ `nix build -f '<nixpkgs>' mastodon; cd result; bin/rails db:encryption:init`
+
+ If this file does not exist, it will be created with a new Active Record
+ keys.
+ '';
+ default = "/var/lib/mastodon/secrets/active-record-encryption-primary-key";
+ type = lib.types.str;
+ };
+
  secretKeyBaseFile = lib.mkOption {
  description = ''
  Path to file containing the secret key base.
  A new secret key base can be generated by running:
 
- `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret`
+ `nix build -f '<nixpkgs>' mastodon; cd result; bin/bundle exec rails secret`
 
  If this file does not exist, it will be created with a new secret key base.
  '';
@@ -342,7 +393,7 @@ in {
  Path to file containing the OTP secret.
  A new OTP secret can be generated by running:
 
- `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret`
+ `nix build -f '<nixpkgs>' mastodon; cd result; bin/bundle exec rails secret`
 
  If this file does not exist, it will be created with a new OTP secret.
  '';
@@ -708,13 +759,28 @@ in {
  script = ''
  umask 077
 
+ if ! test -d /var/cache/mastodon/precompile; then
+ ${cfg.package}/bin/bundle exec bootsnap precompile --gemfile ${cfg.package}/app ${cfg.package}/lib
+ fi
+ if ! test -f ${cfg.activeRecordEncryptionDeterministicKeyFile}; then
+ mkdir -p $(dirname ${cfg.activeRecordEncryptionDeterministicKeyFile})
+ bin/rails db:encryption:init | grep --only-matching "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=[^ ]\+" | sed 's/^ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=//' > ${cfg.activeRecordEncryptionDeterministicKeyFile}
+ fi
+ if ! test -f ${cfg.activeRecordEncryptionKeyDerivationSaltFile}; then
+ mkdir -p $(dirname ${cfg.activeRecordEncryptionKeyDerivationSaltFile})
+ bin/rails db:encryption:init | grep --only-matching "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=[^ ]\+" | sed 's/^ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=//' > ${cfg.activeRecordEncryptionKeyDerivationSaltFile}
+ fi
+ if ! test -f ${cfg.activeRecordEncryptionPrimaryKeyFile}; then
+ mkdir -p $(dirname ${cfg.activeRecordEncryptionPrimaryKeyFile})
+ bin/rails db:encryption:init | grep --only-matching "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=[^ ]\+" | sed 's/^ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=//' > ${cfg.activeRecordEncryptionPrimaryKeyFile}
+ fi
  if ! test -f ${cfg.secretKeyBaseFile}; then
  mkdir -p $(dirname ${cfg.secretKeyBaseFile})
- bin/rake secret > ${cfg.secretKeyBaseFile}
+ bin/bundle exec rails secret > ${cfg.secretKeyBaseFile}
  fi
  if ! test -f ${cfg.otpSecretFile}; then
  mkdir -p $(dirname ${cfg.otpSecretFile})
- bin/rake secret > ${cfg.otpSecretFile}
+ bin/bundle exec rails secret > ${cfg.otpSecretFile}
  fi
  if ! test -f ${cfg.vapidPrivateKeyFile}; then
  mkdir -p $(dirname ${cfg.vapidPrivateKeyFile}) $(dirname ${cfg.vapidPublicKeyFile})
@@ -724,6 +790,9 @@ in {
  fi
 
  cat > /var/lib/mastodon/.secrets_env <<EOF
+ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY="$(cat ${cfg.activeRecordEncryptionDeterministicKeyFile})"
+ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT="$(cat ${cfg.activeRecordEncryptionKeyDerivationSaltFile})"
+ ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY="$(cat ${cfg.activeRecordEncryptionPrimaryKeyFile})"
  SECRET_KEY_BASE="$(cat ${cfg.secretKeyBaseFile})"
  OTP_SECRET="$(cat ${cfg.otpSecretFile})"
  VAPID_PRIVATE_KEY="$(cat ${cfg.vapidPrivateKeyFile})"
@@ -816,7 +885,7 @@ in {
  # System Call Filtering
  SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ];
  } // cfgService;
- path = with pkgs; [ ffmpeg-headless file imagemagick ];
+ path = with pkgs; [ ffmpeg-headless file ];
  };
 
  systemd.services.mastodon-media-auto-remove = lib.mkIf cfg.mediaAutoRemove.enable {
@@ -903,7 +972,7 @@ in {
  inherit (cfg) group;
  };
  })
- (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package pkgs.imagemagick ])
+ (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package ])
  (lib.mkIf (cfg.redis.createLocally && cfg.redis.enableUnixSocket) {${config.services.mastodon.user}.extraGroups = [ "redis-mastodon" ];})
  ];
 

pkgs/servers/mastodon/default.nix

@@ -1,7 +1,6 @@
 { lib, stdenv, nodejs-slim, bundlerEnv, nixosTests
-, yarn, callPackage, ruby, writeShellScript
-, fetchYarnDeps, fixup-yarn-lock
-, brotli
+, yarn-berry, callPackage, ruby, writeShellScript
+, brotli, python3
 
  # Allow building a fork or custom version of Mastodon:
 , pname ? "mastodon"
@@ -28,12 +27,12 @@ stdenv.mkDerivation rec {
  pname = "${pname}-modules";
  inherit src version;
 
- yarnOfflineCache = fetchYarnDeps {
- yarnLock = "${src}/yarn.lock";
+ yarnOfflineCache = callPackage ./yarn.nix {
+ inherit src;
  hash = yarnHash;
  };
 
- nativeBuildInputs = [ fixup-yarn-lock nodejs-slim yarn mastodonGems mastodonGems.wrappedRuby brotli ];
+ nativeBuildInputs = [ nodejs-slim yarn-berry mastodonGems mastodonGems.wrappedRuby brotli python3 ];
 
  RAILS_ENV = "production";
  NODE_ENV = "production";
@@ -42,19 +41,21 @@ stdenv.mkDerivation rec {
  runHook preBuild
 
  export HOME=$PWD
- fixup-yarn-lock ~/yarn.lock
- yarn config --offline set yarn-offline-mirror $yarnOfflineCache
- yarn install --offline --frozen-lockfile --ignore-engines --ignore-scripts --no-progress
+ export YARN_ENABLE_TELEMETRY=0
+ export npm_config_nodedir=${nodejs-slim}
+ export SECRET_KEY_BASE_DUMMY=1
+
+ mkdir -p ~/.yarn/berry
+ ln -s $yarnOfflineCache ~/.yarn/berry/cache
+
+ yarn install --immutable --immutable-cache
 
  patchShebangs ~/bin
  patchShebangs ~/node_modules
 
- # skip running yarn install
- rm -rf ~/bin/yarn
+ bundle exec rails assets:precompile
 
- OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder \
- rails assets:precompile
- yarn cache clean --offline
+ yarn cache clean --all
  rm -rf ~/node_modules/.cache
 
  # Create missing static gzip and brotli files
@@ -133,7 +134,8 @@ stdenv.mkDerivation rec {
  runHook preInstall
 
  mkdir -p $out
- cp -r * $out/
+ mv .{env*,ruby*} $out/
+ mv * $out/
  ln -s ${run-streaming} $out/run-streaming.sh
 
  runHook postInstall