feat: Update to backend version v0.12.0 and use new environment variable configuration (#272)

* refactor: Change secrets file format and update to v0.12.0

This commit was made without the use of generative AI.

Signed-off-by: Jacob Schlecht <dadadah@echoha.us>

* chore: Update livekit to v1.9.13

This commit was made without the use of generative AI.

Signed-off-by: Jacob Schlecht <dadadah@echoha.us>

* docs: Update readme links

This commit was made without the use of generative AI.

Signed-off-by: Jacob Schlecht <dadadah@echoha.us>

* docs: Add a disclaimer on the config when using generate_config

This commit was made without the use of generative AI.

Signed-off-by: Jacob Schlecht <dadadah@echoha.us>

---------

Signed-off-by: Jacob Schlecht <dadadah@echoha.us>

.gitignore

@@ -7,6 +7,7 @@ livekit.yml
 Revolt.toml.old
 livekit.yml.old
 secrets.env
+secrets.env.old
 
 compose.override.yml
 compose.override.yml.old

README.md

@@ -27,8 +27,8 @@ This repository contains configurations and instructions that can be used for de
 ## Table of Contents
 
 - [Deployment](#deployment)
-  - [Secure your server](#secure-your-server)
+  - [Securing your server](#securing-your-server)
-  - [Configure your domain](#configure-your-domain)
+  - [Configuring your domain](#configuring-your-domain)
   - [Install Required Dependencies](#install-required-dependencies)
 - [Configuration](#configuration)
 - [Updating](#updating)

compose.yml

@@ -77,7 +77,8 @@ services:
 
   # API server
   api:
-    image: ghcr.io/stoatchat/api:v0.11.1
+    image: ghcr.io/stoatchat/api:v0.12.0
+    env_file: secrets.env
     depends_on:
       database:
         condition: service_healthy
@@ -93,7 +94,8 @@ services:
 
   # Events service
   events:
-    image: ghcr.io/stoatchat/events:v0.11.1
+    image: ghcr.io/stoatchat/events:v0.12.0
+    env_file: secrets.env
     depends_on:
       database:
         condition: service_healthy
@@ -107,7 +109,8 @@ services:
 
   # File server
   autumn:
-    image: ghcr.io/stoatchat/file-server:v0.11.1
+    image: ghcr.io/stoatchat/file-server:v0.12.0
+    env_file: secrets.env
     depends_on:
       database:
         condition: service_healthy
@@ -121,7 +124,8 @@ services:
 
   # Metadata and image proxy
   january:
-    image: ghcr.io/stoatchat/proxy:v0.11.1
+    image: ghcr.io/stoatchat/proxy:v0.12.0
+    env_file: secrets.env
     volumes:
       - type: bind
         source: ./Revolt.toml
@@ -130,7 +134,8 @@ services:
 
   # Tenor proxy
   gifbox:
-    image: ghcr.io/stoatchat/gifbox:v0.11.1
+    image: ghcr.io/stoatchat/gifbox:v0.12.0
+    env_file: secrets.env
     volumes:
       - type: bind
         source: ./Revolt.toml
@@ -139,7 +144,8 @@ services:
 
   # Regular task daemon
   crond:
-    image: ghcr.io/stoatchat/crond:v0.11.1
+    image: ghcr.io/stoatchat/crond:v0.12.0
+    env_file: secrets.env
     depends_on:
       database:
         condition: service_healthy
@@ -153,7 +159,8 @@ services:
 
   # Push notification daemon
   pushd:
-    image: ghcr.io/stoatchat/pushd:v0.11.1
+    image: ghcr.io/stoatchat/pushd:v0.12.0
+    env_file: secrets.env
     depends_on:
       database:
         condition: service_healthy
@@ -169,7 +176,8 @@ services:
 
    # Voice ingress daemon
   voice-ingress:
-    image: ghcr.io/stoatchat/voice-ingress:v0.11.1
+    image: ghcr.io/stoatchat/voice-ingress:v0.12.0
+    env_file: secrets.env
     restart: always
     depends_on:
       database:
@@ -182,7 +190,7 @@ services:
         target: /Revolt.toml
 
   livekit:
-    image: ghcr.io/stoatchat/livekit-server:v1.9.6
+    image: ghcr.io/stoatchat/livekit-server:v1.9.13
     depends_on:
       redis:
         condition: service_started

generate_config.sh

@@ -71,6 +71,24 @@ fi
 if [ "$SECRETS_FOUND" -eq "0" ]; then
     cp secrets.env.example secrets.env
     loadSecrets
+else
+    echo "Checking if secrets file needs to be updated..."
+    if [ "$PUSHD_VAPID_PRIVATEKEY" != "" ] || [ "$PUSHD_VAPID_PUBLICKEY" != "" ] || [ "$FILES_ENCRYPTION_KEY" != "" ] || [ "$LIVEKIT_WORLDWIDE_SECRET" != "" ] || [ "$LIVEKIT_WORLDWIDE_KEY" != "" ]; then
+        echo "Old secrets found. Your secrets will be rewritten in the new format. If you have any custom secrets not managed by this file, you will need to convert them to the new format."
+        echo "See https://github.com/stoatchat/stoatchat/pull/576"
+        echo "Renaming secrets.env to secrets.env.old"
+        mv secrets.env secrets.env.old
+        echo "Copying old secrets to new format..."
+        cp secrets.env.example secrets.env
+        printf "REVOLT__PUSHD__VAPID__PRIVATE_KEY='%s'\n" $PUSHD_VAPID_PRIVATEKEY >> secrets.env
+        printf "REVOLT__PUSHD__VAPID__PUBLIC_KEY='%s'\n" $PUSHD_VAPID_PUBLICKEY >> secrets.env
+        echo "" >> secrets.env
+        printf "REVOLT__FILES__ENCRYPTION_KEY='%s'\n" $FILES_ENCRYPTION_KEY >> secrets.env
+        echo "" >> secrets.env
+        printf "REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET='%s'\n" $LIVEKIT_WORLDWIDE_SECRET >> secrets.env
+        printf "REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY='%s'\n" $LIVEKIT_WORLDWIDE_KEY >> secrets.env
+        loadSecrets
+    fi
 fi
 
 echo "Configuring Stoat with hostname $DOMAIN"
@@ -103,56 +121,56 @@ fi
 
 # Generate secrets
 echo "Generating secrets..."
-if [ "$PUSHD_VAPID_PRIVATEKEY" = "" ]; then 
+if [ "$REVOLT__PUSHD__VAPID__PRIVATE_KEY" = "" ]; then 
-    if [ "$PUSHD_VAPID_PUBLICKEY" != "" ]; then
+    if [ "$REVOLT__PUSHD__VAPID__PUBLIC_KEY" != "" ]; then
         echo "VAPID public key is defined when private key isn't?"
-        echo "Did you forget to copy the PUSHD_VAPID_PRIVATEKEY secret?"
+        echo "Did you forget to copy the REVOLT__PUSHD__VAPID__PRIVATE_KEY secret?"
-        echo "Try removing PUSHD_VAPID_PUBLICKEY if you do not have a private key."
+        echo "Try removing REVOLT__PUSHD__VAPID__PUBLIC_KEY if you do not have a private key."
         exit 1
     fi
     echo "Generating Pushd VAPID secrets..."
     openssl ecparam -name prime256v1 -genkey -noout -out vapid_private.pem
-    PUSHD_VAPID_PRIVATEKEY=$(base64 -i vapid_private.pem | tr -d '\n' | tr -d '=')
+    REVOLT__PUSHD__VAPID__PRIVATE_KEY=$(base64 -i vapid_private.pem | tr -d '\n' | tr -d '=')
-    PUSHD_VAPID_PUBLICKEY=$(openssl ec -in vapid_private.pem -outform DER|tail --bytes 65|base64|tr '/+' '_-'|tr -d '\n'|tr -d '=')
+    REVOLT__PUSHD__VAPID__PUBLIC_KEY=$(openssl ec -in vapid_private.pem -outform DER|tail --bytes 65|base64|tr '/+' '_-'|tr -d '\n'|tr -d '=')
     rm vapid_private.pem
     echo "" >> secrets.env
-    printf "PUSHD_VAPID_PRIVATEKEY='%s'\n" $PUSHD_VAPID_PRIVATEKEY >> secrets.env
+    printf "REVOLT__PUSHD__VAPID__PRIVATE_KEY='%s'\n" $REVOLT__PUSHD__VAPID__PRIVATE_KEY >> secrets.env
-    printf "PUSHD_VAPID_PUBLICKEY='%s'\n" $PUSHD_VAPID_PUBLICKEY >> secrets.env
+    printf "REVOLT__PUSHD__VAPID__PUBLIC_KEY='%s'\n" $REVOLT__PUSHD__VAPID__PUBLIC_KEY >> secrets.env
-elif [ "$PUSHD_VAPID_PUBLICKEY" = "" ]; then
+elif [ "$REVOLT__PUSHD__VAPID__PUBLIC_KEY" = "" ]; then
     echo "VAPID private key is defined when public key isn't?"
-    echo "Did you forget to copy the PUSHD_VAPID_PUBLICKEY secret?"
+    echo "Did you forget to copy the REVOLT__PUSHD__VAPID__PUBLIC_KEY secret?"
-    echo "Try removing PUSHD_VAPID_PRIVATEKEY if you do not have a public key."
+    echo "Try removing REVOLT__PUSHD__VAPID__PRIVATE_KEY if you do not have a public key."
     exit 1
 else
     echo "Using old Pushd VAPID secrets..."
 fi
 
-if [ "$FILES_ENCRYPTION_KEY" = "" ]; then
+if [ "$REVOLT__FILES__ENCRYPTION_KEY" = "" ]; then
     echo "Generating files encryption secret..."
-    FILES_ENCRYPTION_KEY=$(openssl rand -base64 32)
+    REVOLT__FILES__ENCRYPTION_KEY=$(openssl rand -base64 32)
     echo "" >> secrets.env
-    printf "FILES_ENCRYPTION_KEY='%s'\n" $FILES_ENCRYPTION_KEY >> secrets.env
+    printf "REVOLT__FILES__ENCRYPTION_KEY='%s'\n" $REVOLT__FILES__ENCRYPTION_KEY >> secrets.env
 else
     echo "Using old files encryption secret..."
 fi
 
-if [ "$LIVEKIT_WORLDWIDE_SECRET" = "" ]; then 
+if [ "$REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET" = "" ]; then 
-    if [ "$LIVEKIT_WORLDWIDE_KEY" != "" ]; then
+    if [ "$REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY" != "" ]; then
         echo "Livekit public key is defined when secret isn't?"
-        echo "Did you forget to copy the LIVEKIT_WORLDWIDE_SECRET secret?"
+        echo "Did you forget to copy the REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET secret?"
-        echo "Try removing LIVEKIT_WORLDWIDE_KEY if you do not have a secret."
+        echo "Try removing REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY if you do not have a secret."
         exit 1
     fi
     echo "Generating Livekit secrets..."
-    LIVEKIT_WORLDWIDE_SECRET=$(openssl rand -hex 24)
+    REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET=$(openssl rand -hex 24)
-    LIVEKIT_WORLDWIDE_KEY=$(openssl rand -hex 6)
+    REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY=$(openssl rand -hex 6)
     echo "" >> secrets.env
-    printf "LIVEKIT_WORLDWIDE_SECRET='%s'\n" $LIVEKIT_WORLDWIDE_SECRET >> secrets.env
+    printf "REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET='%s'\n" $REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET >> secrets.env
-    printf "LIVEKIT_WORLDWIDE_KEY='%s'\n" $LIVEKIT_WORLDWIDE_KEY >> secrets.env
+    printf "REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY='%s'\n" $REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY >> secrets.env
-elif [ "$LIVEKIT_WORLDWIDE_KEY" = "" ]; then
+elif [ "$REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY" = "" ]; then
     echo "Livekit secret is defined when public key isn't?"
-    echo "Did you forget to copy the LIVEKIT_WORLDWIDE_KEY secret?"
+    echo "Did you forget to copy the REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY secret?"
-    echo "Try removing LIVEKIT_WORLDWIDE_SECRET if you do not have a public key."
+    echo "Try removing REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET if you do not have a public key."
     exit 1
 else
     echo "Using old Livekit secrets..."
@@ -168,7 +186,11 @@ echo "VITE_PROXY_URL=https://$DOMAIN/january" >> .env.web
 echo "VITE_CFG_ENABLE_VIDEO=$VIDEO_ENABLED" >> .env.web
 
 # hostnames
-echo "[hosts]" > Revolt.toml
+echo "# All secrets are stored in secrets.env" > Revolt.toml
+echo "# Any configuration added to this file will be overwritten by generate_config on run; however," >> Revolt.toml
+echo "# the script will back up your old configuration so you can copy over your old configuration" >> Revolt.toml
+echo "# values if needed." >> Revolt.toml
+echo "[hosts]" >> Revolt.toml
 echo "app = \"https://$DOMAIN\"" >> Revolt.toml
 echo "api = \"https://$DOMAIN/api\"" >> Revolt.toml
 echo "events = \"wss://$DOMAIN/ws\"" >> Revolt.toml
@@ -180,18 +202,6 @@ echo "" >> Revolt.toml
 echo "[hosts.livekit]" >> Revolt.toml
 echo "worldwide = \"wss://$DOMAIN/livekit\"" >> Revolt.toml
 
-# VAPID keys
-echo "" >> Revolt.toml
-echo "[pushd.vapid]" >> Revolt.toml
-
-echo "private_key = \"$PUSHD_VAPID_PRIVATEKEY\"" >> Revolt.toml
-echo "public_key = \"$PUSHD_VAPID_PUBLICKEY\"" >> Revolt.toml
-
-# encryption key for files
-echo "" >> Revolt.toml
-echo "[files]" >> Revolt.toml
-echo "encryption_key = \"$FILES_ENCRYPTION_KEY\"" >> Revolt.toml
-
 # livekit yml
 echo "rtc:" > livekit.yml
 echo "  use_external_ip: true" >> livekit.yml
@@ -206,10 +216,10 @@ echo "turn:" >> livekit.yml
 echo "  enabled: false" >> livekit.yml
 echo "" >> livekit.yml
 echo "keys:" >> livekit.yml
-echo "  $LIVEKIT_WORLDWIDE_KEY: $LIVEKIT_WORLDWIDE_SECRET" >> livekit.yml
+echo "  $REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY: $REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET" >> livekit.yml
 echo "" >> livekit.yml
 echo "webhook:" >> livekit.yml
-echo "  api_key: $LIVEKIT_WORLDWIDE_KEY" >> livekit.yml
+echo "  api_key: $REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY" >> livekit.yml
 echo "  urls:" >> livekit.yml
 echo "  - \"http://voice-ingress:8500/worldwide\"" >> livekit.yml
 
@@ -219,11 +229,8 @@ echo "[api.livekit.nodes.worldwide]" >> Revolt.toml
 echo "url = \"http://livekit:7880\"" >> Revolt.toml
 echo "lat = 0.0" >> Revolt.toml
 echo "lon = 0.0" >> Revolt.toml
-echo "key = \"$LIVEKIT_WORLDWIDE_KEY\"" >> Revolt.toml
-echo "secret = \"$LIVEKIT_WORLDWIDE_SECRET\"" >> Revolt.toml
 
 # Video config
-# We need to address issue https://github.com/stoatchat/stoatchat/issues/588 until we adopt a backend version later than 0.12.0
 # We'll enable 1080p video by default, that should be high enough for most users.
 if [[ -n "$VIDEO_ENABLED" ]]; then
     echo "" >> Revolt.toml

secrets.env.example

@@ -26,20 +26,20 @@ VALID_SECRET_EXAMPLE_2='This is an example secret'
 #
 # Pushd VAPID private key is the value stored in the [pushd.vapid] section of
 # Revolt.toml for the private_key line.
-# PUSHD_VAPID_PRIVATEKEY=
+# REVOLT__PUSHD__VAPID__PRIVATE_KEY=
 #
 # Pushd VAPID public key is the value stored in the [pushd.vapid] section of
 # Revolt.toml for the public_key line.
-# PUSHD_VAPID_PUBLICKEY=
+# REVOLT__PUSHD__VAPID__PUBLIC_KEY=
 #
 # Files encryption key is the value stored in the [files] section of
 # Revolt.toml for the encryption_key line.
-# FILES_ENCRYPTION_KEY=
+# REVOLT__FILES__ENCRYPTION_KEY=
 #
 # Livekit worldwide key is the value stored in the
 # [api.livekit.nodes.worldwide] section of Revolt.toml for the key line.
-# LIVEKIT_WORLDWIDE_KEY=
+# REVOLT__API__LIVEKIT__NODES__WORLDWIDE__KEY=
 #
 # Livekit worldwide secret is the value stored in the
 # [api.livekit.nodes.worldwide] section of Revolt.toml for the secret line.
-# LIVEKIT_WORLDWIDE_SECRET=
+# REVOLT__API__LIVEKIT__NODES__WORLDWIDE__SECRET=