feat: Update to backend version v0.12.0 and use new environment variable configuration (#272)

* refactor: Change secrets file format and update to v0.12.0 This commit was made without the use of generative AI. Signed-off-by: Jacob Schlecht <dadadah@echoha.us> * chore: Update livekit to v1.9.13 This commit was made without the use of generative AI. Signed-off-by: Jacob Schlecht <dadadah@echoha.us> * docs: Update readme links This commit was made without the use of generative AI. Signed-off-by: Jacob Schlecht <dadadah@echoha.us> * docs: Add a disclaimer on the config when using generate_config This commit was made without the use of generative AI. Signed-off-by: Jacob Schlecht <dadadah@echoha.us> --------- Signed-off-by: Jacob Schlecht <dadadah@echoha.us>
2026-04-05 17:01:38 -06:00
parent 00706b6243
commit 19f6885d14
5 changed files with 75 additions and 59 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@ livekit.yml
 Revolt.toml.old
 livekit.yml.old
 secrets.env
+secrets.env.old

 compose.override.yml
 compose.override.yml.old
--- a/README.md
+++ b/README.md
@@ -27,8 +27,8 @@ This repository contains configurations and instructions that can be used for de
 ## Table of Contents

 - [Deployment](#deployment)
-  - [Secure your server](#secure-your-server)
-  - [Configure your domain](#configure-your-domain)
+  - [Securing your server](#securing-your-server)
+  - [Configuring your domain](#configuring-your-domain)
  - [Install Required Dependencies](#install-required-dependencies)
 - [Configuration](#configuration)
 - [Updating](#updating)
--- a/compose.yml
+++ b/compose.yml
@@ -77,7 +77,8 @@ services:

  # API server
  api:
-    image: ghcr.io/stoatchat/api:v0.11.1
+    image: ghcr.io/stoatchat/api:v0.12.0
+    env_file: secrets.env
    depends_on:
      database:
        condition: service_healthy
@@ -93,7 +94,8 @@ services:

  # Events service
  events:
-    image: ghcr.io/stoatchat/events:v0.11.1
+    image: ghcr.io/stoatchat/events:v0.12.0
+    env_file: secrets.env
    depends_on:
      database:
        condition: service_healthy
@@ -107,7 +109,8 @@ services:

  # File server
  autumn:
-    image: ghcr.io/stoatchat/file-server:v0.11.1
+    image: ghcr.io/stoatchat/file-server:v0.12.0
+    env_file: secrets.env
    depends_on:
      database:
        condition: service_healthy
@@ -121,7 +124,8 @@ services:

  # Metadata and image proxy
  january:
-    image: ghcr.io/stoatchat/proxy:v0.11.1
+    image: ghcr.io/stoatchat/proxy:v0.12.0
+    env_file: secrets.env
    volumes:
      - type: bind
        source: ./Revolt.toml
@@ -130,7 +134,8 @@ services:

  # Tenor proxy
  gifbox:
-    image: ghcr.io/stoatchat/gifbox:v0.11.1
+    image: ghcr.io/stoatchat/gifbox:v0.12.0
+    env_file: secrets.env
    volumes:
      - type: bind
        source: ./Revolt.toml
@@ -139,7 +144,8 @@ services:

  # Regular task daemon
  crond:
-    image: ghcr.io/stoatchat/crond:v0.11.1
+    image: ghcr.io/stoatchat/crond:v0.12.0
+    env_file: secrets.env
    depends_on:
      database:
        condition: service_healthy
@@ -153,7 +159,8 @@ services:

  # Push notification daemon
  pushd:
-    image: ghcr.io/stoatchat/pushd:v0.11.1
+    image: ghcr.io/stoatchat/pushd:v0.12.0
+    env_file: secrets.env
    depends_on:
      database:
        condition: service_healthy
@@ -169,7 +176,8 @@ services:

   # Voice ingress daemon
  voice-ingress:
-    image: ghcr.io/stoatchat/voice-ingress:v0.11.1
+    image: ghcr.io/stoatchat/voice-ingress:v0.12.0
+    env_file: secrets.env
    restart: always
    depends_on:
      database:
@@ -182,7 +190,7 @@ services:
        target: /Revolt.toml

  livekit:
-    image: ghcr.io/stoatchat/livekit-server:v1.9.6
+    image: ghcr.io/stoatchat/livekit-server:v1.9.13
    depends_on:
      redis:
        condition: service_started
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -71,6 +71,24 @@ fi
 if [ "$SECRETS_FOUND" -eq "0" ]; then
    cp secrets.env.example secrets.env
    loadSecrets
+else
+    echo "Checking if secrets file needs to be updated..."
+    if [ "$PUSHD_VAPID_PRIVATEKEY" != "" ] || [ "$PUSHD_VAPID_PUBLICKEY" != "" ] || [ "$FILES_ENCRYPTION_KEY" != "" ] || [ "$LIVEKIT_WORLDWIDE_SECRET" != "" ] || [ "$LIVEKIT_WORLDWIDE_KEY" != "" ]; then
+        echo "Old secrets found. Your secrets will be rewritten in the new format. If you have any custom secrets not managed by this file, you will need to convert them to the new format."
+        echo "See https://github.com/stoatchat/stoatchat/pull/576"
+        echo "Renaming secrets.env to secrets.env.old"
+        mv secrets.env secrets.env.old
+        echo "Copying old secrets to new format..."
+        cp secrets.env.example secrets.env
+        printf "REVOLT__PUSHD__VAPID__PRIVATE_KEY='%s'\n" $PUSHD_VAPID_PRIVATEKEY >> secrets.env
+        printf "REVOLT__PUSHD__VAPID__PUBLIC_KEY='%s'\n" $PUSHD_VAPID_PUBLICKEY >> secrets.env
+        echo "" >> secrets.env
+        printf "REVOLT__FILES__ENCRYPTION_KEY='%s'\n" $FILES_ENCRYPTION_KEY >> secrets.env
+        echo "" >> secrets.env
+        printf "REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET='%s'\n" $LIVEKIT_WORLDWIDE_SECRET >> secrets.env
+        printf "REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY='%s'\n" $LIVEKIT_WORLDWIDE_KEY >> secrets.env
+        loadSecrets
+    fi
 fi

 echo "Configuring Stoat with hostname $DOMAIN"
@@ -103,56 +121,56 @@ fi

 # Generate secrets
 echo "Generating secrets..."
-if [ "$PUSHD_VAPID_PRIVATEKEY" = "" ]; then 
-    if [ "$PUSHD_VAPID_PUBLICKEY" != "" ]; then
+if [ "$REVOLT__PUSHD__VAPID__PRIVATE_KEY" = "" ]; then 
+    if [ "$REVOLT__PUSHD__VAPID__PUBLIC_KEY" != "" ]; then
        echo "VAPID public key is defined when private key isn't?"
-        echo "Did you forget to copy the PUSHD_VAPID_PRIVATEKEY secret?"
-        echo "Try removing PUSHD_VAPID_PUBLICKEY if you do not have a private key."
+        echo "Did you forget to copy the REVOLT__PUSHD__VAPID__PRIVATE_KEY secret?"
+        echo "Try removing REVOLT__PUSHD__VAPID__PUBLIC_KEY if you do not have a private key."
        exit 1
    fi
    echo "Generating Pushd VAPID secrets..."
    openssl ecparam -name prime256v1 -genkey -noout -out vapid_private.pem
-    PUSHD_VAPID_PRIVATEKEY=$(base64 -i vapid_private.pem | tr -d '\n' | tr -d '=')
-    PUSHD_VAPID_PUBLICKEY=$(openssl ec -in vapid_private.pem -outform DER|tail --bytes 65|base64|tr '/+' '_-'|tr -d '\n'|tr -d '=')
+    REVOLT__PUSHD__VAPID__PRIVATE_KEY=$(base64 -i vapid_private.pem | tr -d '\n' | tr -d '=')
+    REVOLT__PUSHD__VAPID__PUBLIC_KEY=$(openssl ec -in vapid_private.pem -outform DER|tail --bytes 65|base64|tr '/+' '_-'|tr -d '\n'|tr -d '=')
    rm vapid_private.pem
    echo "" >> secrets.env
-    printf "PUSHD_VAPID_PRIVATEKEY='%s'\n" $PUSHD_VAPID_PRIVATEKEY >> secrets.env
-    printf "PUSHD_VAPID_PUBLICKEY='%s'\n" $PUSHD_VAPID_PUBLICKEY >> secrets.env
-elif [ "$PUSHD_VAPID_PUBLICKEY" = "" ]; then
+    printf "REVOLT__PUSHD__VAPID__PRIVATE_KEY='%s'\n" $REVOLT__PUSHD__VAPID__PRIVATE_KEY >> secrets.env
+    printf "REVOLT__PUSHD__VAPID__PUBLIC_KEY='%s'\n" $REVOLT__PUSHD__VAPID__PUBLIC_KEY >> secrets.env
+elif [ "$REVOLT__PUSHD__VAPID__PUBLIC_KEY" = "" ]; then
    echo "VAPID private key is defined when public key isn't?"
-    echo "Did you forget to copy the PUSHD_VAPID_PUBLICKEY secret?"
-    echo "Try removing PUSHD_VAPID_PRIVATEKEY if you do not have a public key."
+    echo "Did you forget to copy the REVOLT__PUSHD__VAPID__PUBLIC_KEY secret?"
+    echo "Try removing REVOLT__PUSHD__VAPID__PRIVATE_KEY if you do not have a public key."
    exit 1
 else
    echo "Using old Pushd VAPID secrets..."
 fi

-if [ "$FILES_ENCRYPTION_KEY" = "" ]; then
+if [ "$REVOLT__FILES__ENCRYPTION_KEY" = "" ]; then
    echo "Generating files encryption secret..."
-    FILES_ENCRYPTION_KEY=$(openssl rand -base64 32)
+    REVOLT__FILES__ENCRYPTION_KEY=$(openssl rand -base64 32)
    echo "" >> secrets.env
-    printf "FILES_ENCRYPTION_KEY='%s'\n" $FILES_ENCRYPTION_KEY >> secrets.env
+    printf "REVOLT__FILES__ENCRYPTION_KEY='%s'\n" $REVOLT__FILES__ENCRYPTION_KEY >> secrets.env
 else
    echo "Using old files encryption secret..."
 fi

-if [ "$LIVEKIT_WORLDWIDE_SECRET" = "" ]; then 
-    if [ "$LIVEKIT_WORLDWIDE_KEY" != "" ]; then
+if [ "$REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET" = "" ]; then 
+    if [ "$REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY" != "" ]; then
        echo "Livekit public key is defined when secret isn't?"
-        echo "Did you forget to copy the LIVEKIT_WORLDWIDE_SECRET secret?"
-        echo "Try removing LIVEKIT_WORLDWIDE_KEY if you do not have a secret."
+        echo "Did you forget to copy the REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET secret?"
+        echo "Try removing REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY if you do not have a secret."
        exit 1
    fi
    echo "Generating Livekit secrets..."
-    LIVEKIT_WORLDWIDE_SECRET=$(openssl rand -hex 24)
-    LIVEKIT_WORLDWIDE_KEY=$(openssl rand -hex 6)
+    REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET=$(openssl rand -hex 24)
+    REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY=$(openssl rand -hex 6)
    echo "" >> secrets.env
-    printf "LIVEKIT_WORLDWIDE_SECRET='%s'\n" $LIVEKIT_WORLDWIDE_SECRET >> secrets.env
-    printf "LIVEKIT_WORLDWIDE_KEY='%s'\n" $LIVEKIT_WORLDWIDE_KEY >> secrets.env
-elif [ "$LIVEKIT_WORLDWIDE_KEY" = "" ]; then
+    printf "REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET='%s'\n" $REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET >> secrets.env
+    printf "REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY='%s'\n" $REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY >> secrets.env
+elif [ "$REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY" = "" ]; then
    echo "Livekit secret is defined when public key isn't?"
-    echo "Did you forget to copy the LIVEKIT_WORLDWIDE_KEY secret?"
-    echo "Try removing LIVEKIT_WORLDWIDE_SECRET if you do not have a public key."
+    echo "Did you forget to copy the REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY secret?"
+    echo "Try removing REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET if you do not have a public key."
    exit 1
 else
    echo "Using old Livekit secrets..."
@@ -168,7 +186,11 @@ echo "VITE_PROXY_URL=https://$DOMAIN/january" >> .env.web
 echo "VITE_CFG_ENABLE_VIDEO=$VIDEO_ENABLED" >> .env.web

 # hostnames
-echo "[hosts]" > Revolt.toml
+echo "# All secrets are stored in secrets.env" > Revolt.toml
+echo "# Any configuration added to this file will be overwritten by generate_config on run; however," >> Revolt.toml
+echo "# the script will back up your old configuration so you can copy over your old configuration" >> Revolt.toml
+echo "# values if needed." >> Revolt.toml
+echo "[hosts]" >> Revolt.toml
 echo "app = \"https://$DOMAIN\"" >> Revolt.toml
 echo "api = \"https://$DOMAIN/api\"" >> Revolt.toml
 echo "events = \"wss://$DOMAIN/ws\"" >> Revolt.toml
@@ -180,18 +202,6 @@ echo "" >> Revolt.toml
 echo "[hosts.livekit]" >> Revolt.toml
 echo "worldwide = \"wss://$DOMAIN/livekit\"" >> Revolt.toml

-# VAPID keys
-echo "" >> Revolt.toml
-echo "[pushd.vapid]" >> Revolt.toml
-
-echo "private_key = \"$PUSHD_VAPID_PRIVATEKEY\"" >> Revolt.toml
-echo "public_key = \"$PUSHD_VAPID_PUBLICKEY\"" >> Revolt.toml
-
-# encryption key for files
-echo "" >> Revolt.toml
-echo "[files]" >> Revolt.toml
-echo "encryption_key = \"$FILES_ENCRYPTION_KEY\"" >> Revolt.toml
-
 # livekit yml
 echo "rtc:" > livekit.yml
 echo "  use_external_ip: true" >> livekit.yml
@@ -206,10 +216,10 @@ echo "turn:" >> livekit.yml
 echo "  enabled: false" >> livekit.yml
 echo "" >> livekit.yml
 echo "keys:" >> livekit.yml
-echo "  $LIVEKIT_WORLDWIDE_KEY: $LIVEKIT_WORLDWIDE_SECRET" >> livekit.yml
+echo "  $REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY: $REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET" >> livekit.yml
 echo "" >> livekit.yml
 echo "webhook:" >> livekit.yml
-echo "  api_key: $LIVEKIT_WORLDWIDE_KEY" >> livekit.yml
+echo "  api_key: $REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY" >> livekit.yml
 echo "  urls:" >> livekit.yml
 echo "  - \"http://voice-ingress:8500/worldwide\"" >> livekit.yml

@@ -219,11 +229,8 @@ echo "[api.livekit.nodes.worldwide]" >> Revolt.toml
 echo "url = \"http://livekit:7880\"" >> Revolt.toml
 echo "lat = 0.0" >> Revolt.toml
 echo "lon = 0.0" >> Revolt.toml
-echo "key = \"$LIVEKIT_WORLDWIDE_KEY\"" >> Revolt.toml
-echo "secret = \"$LIVEKIT_WORLDWIDE_SECRET\"" >> Revolt.toml

 # Video config
-# We need to address issue https://github.com/stoatchat/stoatchat/issues/588 until we adopt a backend version later than 0.12.0
 # We'll enable 1080p video by default, that should be high enough for most users.
 if [[ -n "$VIDEO_ENABLED" ]]; then
    echo "" >> Revolt.toml
--- a/secrets.env.example
+++ b/secrets.env.example
@@ -26,20 +26,20 @@ VALID_SECRET_EXAMPLE_2='This is an example secret'
 #
 # Pushd VAPID private key is the value stored in the [pushd.vapid] section of
 # Revolt.toml for the private_key line.
-# PUSHD_VAPID_PRIVATEKEY=
+# REVOLT__PUSHD__VAPID__PRIVATE_KEY=
 #
 # Pushd VAPID public key is the value stored in the [pushd.vapid] section of
 # Revolt.toml for the public_key line.
-# PUSHD_VAPID_PUBLICKEY=
+# REVOLT__PUSHD__VAPID__PUBLIC_KEY=
 #
 # Files encryption key is the value stored in the [files] section of
 # Revolt.toml for the encryption_key line.
-# FILES_ENCRYPTION_KEY=
+# REVOLT__FILES__ENCRYPTION_KEY=
 #
 # Livekit worldwide key is the value stored in the
 # [api.livekit.nodes.worldwide] section of Revolt.toml for the key line.
-# LIVEKIT_WORLDWIDE_KEY=
+# REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY=
 #
 # Livekit worldwide secret is the value stored in the
 # [api.livekit.nodes.worldwide] section of Revolt.toml for the secret line.
-# LIVEKIT_WORLDWIDE_SECRET=
+# REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET=