Enable AR Encryption (#29831)
parent
a390299744
commit
828299e71c
|
@ -0,0 +1,4 @@
|
||||||
|
# Required by ActiveRecord encryption feature
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=fkSxKD2bF396kdQbrP1EJ7WbU7ZgNokR
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=r0hvVmzBVsjxC7AMlwhOzmtc36ZCOS1E
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=PhdFyyfy5xJ7WVd2lWBpcPScRQHzRTNr
|
|
@ -3,3 +3,8 @@ NODE_ENV=production
|
||||||
# Federation
|
# Federation
|
||||||
LOCAL_DOMAIN=cb6e6126.ngrok.io
|
LOCAL_DOMAIN=cb6e6126.ngrok.io
|
||||||
LOCAL_HTTPS=true
|
LOCAL_HTTPS=true
|
||||||
|
|
||||||
|
# Required by ActiveRecord encryption feature
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=fkSxKD2bF396kdQbrP1EJ7WbU7ZgNokR
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=r0hvVmzBVsjxC7AMlwhOzmtc36ZCOS1E
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=PhdFyyfy5xJ7WVd2lWBpcPScRQHzRTNr
|
||||||
|
|
|
@ -28,6 +28,9 @@ jobs:
|
||||||
env:
|
env:
|
||||||
RAILS_ENV: ${{ matrix.mode }}
|
RAILS_ENV: ${{ matrix.mode }}
|
||||||
BUNDLE_WITH: ${{ matrix.mode }}
|
BUNDLE_WITH: ${{ matrix.mode }}
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: precompile_placeholder
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: precompile_placeholder
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: precompile_placeholder
|
||||||
OTP_SECRET: precompile_placeholder
|
OTP_SECRET: precompile_placeholder
|
||||||
SECRET_KEY_BASE: precompile_placeholder
|
SECRET_KEY_BASE: precompile_placeholder
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,6 @@
|
||||||
/public/packs-test
|
/public/packs-test
|
||||||
.env
|
.env
|
||||||
.env.production
|
.env.production
|
||||||
.env.development
|
|
||||||
/node_modules/
|
/node_modules/
|
||||||
/build/
|
/build/
|
||||||
|
|
||||||
|
|
|
@ -205,7 +205,12 @@ ARG TARGETPLATFORM
|
||||||
|
|
||||||
RUN \
|
RUN \
|
||||||
# Use Ruby on Rails to create Mastodon assets
|
# Use Ruby on Rails to create Mastodon assets
|
||||||
OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder bundle exec rails assets:precompile; \
|
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \
|
||||||
|
OTP_SECRET=precompile_placeholder \
|
||||||
|
SECRET_KEY_BASE=precompile_placeholder \
|
||||||
|
bundle exec rails assets:precompile; \
|
||||||
# Cleanup temporary files
|
# Cleanup temporary files
|
||||||
rm -fr /opt/mastodon/tmp;
|
rm -fr /opt/mastodon/tmp;
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
%w(
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
|
||||||
|
).each do |key|
|
||||||
|
ENV.fetch(key) do
|
||||||
|
raise <<~MESSAGE
|
||||||
|
|
||||||
|
The ActiveRecord encryption feature requires that these variables are set:
|
||||||
|
|
||||||
|
- ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
|
||||||
|
- ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
||||||
|
- ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
|
||||||
|
|
||||||
|
Run `bin/rails db:encryption:init` to generate values and then assign the environment variables.
|
||||||
|
MESSAGE
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
Rails.application.configure do
|
||||||
|
config.active_record.encryption.deterministic_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY')
|
||||||
|
config.active_record.encryption.key_derivation_salt = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT')
|
||||||
|
config.active_record.encryption.primary_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY')
|
||||||
|
end
|
|
@ -36,6 +36,15 @@ namespace :mastodon do
|
||||||
env[key] = SecureRandom.hex(64)
|
env[key] = SecureRandom.hex(64)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Required by ActiveRecord encryption feature
|
||||||
|
%w(
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
||||||
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
|
||||||
|
).each do |key|
|
||||||
|
env[key] = SecureRandom.alphanumeric(32)
|
||||||
|
end
|
||||||
|
|
||||||
vapid_key = Webpush.generate_key
|
vapid_key = Webpush.generate_key
|
||||||
|
|
||||||
env['VAPID_PRIVATE_KEY'] = vapid_key.private_key
|
env['VAPID_PRIVATE_KEY'] = vapid_key.private_key
|
||||||
|
|
Loading…
Reference in New Issue