From d91b216b4c7804b495ed456a594d6edcbcebe787 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Fri, 21 Jul 2023 11:50:44 +0200 Subject: [PATCH] mastodon: 4.1.2 -> 4.1.4, update docs with how to upgrade caddy and elasticsearch containers --- mastodon/README.md | 41 ++++++++++++++++++++++++++++++++++++- mastodon/docker-compose.yml | 33 ++++++++++++++--------------- 2 files changed, 57 insertions(+), 17 deletions(-) diff --git a/mastodon/README.md b/mastodon/README.md index 6c8bb07..cc2deb2 100644 --- a/mastodon/README.md +++ b/mastodon/README.md @@ -1,7 +1,7 @@ # pub.solar mastodon https://mastodon.pub.solar -### Upgrading +### Upgrading Mastodon This section assumes you edited `docker-compose.yml` and bumped the mastodon docker image version tag ``` 
@@ -53,6 +53,45 @@ docker rm \ blue-mastodon_sidekiq_($current_container_index - 1) ``` +### Upgrading Caddy +``` +mkdir -p certificates/acme-v02.api.letsencrypt.org-directory +docker cp --archive blue-mastodon_caddy_2:/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/files.pub.solar ./certificates/acme-v02.api.letsencrypt.org-directory/ +docker cp --archive blue-mastodon_caddy_2:/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mastodon.pub.solar ./certificates/acme-v02.api.letsencrypt.org-directory/ + +docker-compose --project-name blue-mastodon up \ + --scale caddy=2 \ + --no-recreate \ + --no-start + +docker cp --archive ./backups/certificates blue-mastodon_caddy_3:/data/caddy/certificates +docker start blue-mastodon_caddy_3 + +# Stop old caddy container +docker stop blue-mastodon_caddy_2 + +# Verify everything works fine, then remove the old caddy container +docker rm blue-mastodon_caddy_2 +``` + +### Upgrading Elasticsearch +Look for new releases on https://www.elastic.co/guide/en/elasticsearch/reference/7.17/es-release-notes.html +and edit the docker image tag accordingly. +``` +docker-compose --project-name blue-mastodon up \ + --scale elasticsearch=2 \ + --no-recreate \ + +# Stop old elasticsearch container +docker stop blue-mastodon_elasticsearch_2 + +docker exec -it blue-mastodon_web_15 bash +tootctl search deploy + +# Verify everything works fine, then remove the old caddy container +docker rm blue-mastodon_elasticsearch_2 +``` + Todos: - implement automatic backups, they are only done manually during upgrades at the moment - switch proxy from nginx-dehydrated to caddy - done diff --git a/mastodon/docker-compose.yml b/mastodon/docker-compose.yml index 12dc68c..24e3bb4 100644 --- a/mastodon/docker-compose.yml +++ b/mastodon/docker-compose.yml @@ -28,7 +28,7 @@ services: # - triton.cns.services=mastodon-proxy caddy: - image: caddy:2.5.1 + image: caddy:2.6.4 mem_limit: 256m restart: always environment: 
@@ -44,12 +44,16 @@ services: labels: - triton.cns.services=mastodon-proxy entrypoint: /bin/sh - command: >- - -c 'echo " + command: + - -c + - >- + echo " { email admins@pub.solar + servers { + protocols h1 h2 + } } - $$SITE_DOMAIN { @streaming { path /api/v1/streaming/* @@ -77,23 +81,21 @@ services: handle_errors { rewrite 500.html } - encode zstd gzip - header { Strict-Transport-Security "max-age=31536000" + # clickjacking protection + X-Frame-Options DENY } header /sw.js Cache-Control "public, max-age=0" header @cache_control Cache-Control "public, max-age=31536000, immutable" } - files.pub.solar { handle { rewrite * /s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon{uri}?download reverse_proxy { # backends / upstreams to https://link.tardigradeshare.io - # header manipulation # proxy to an HTTPS endpoint header_up Host {upstream_hostport} @@ -101,7 +103,6 @@ services: header_up Connection "" header_up Authorization "" # remove these header from the backends response - header_down -content-disposition header_down -Set-Cookie header_down -Access-Control-Allow-Origin header_down -Access-Control-Allow-Methods @@ -115,14 +116,14 @@ services: # add these header to the backends response # cache client side for 7 days header_down Cache-Control "public, max-age=604800" + header_down Access-Control-Allow-Origin "*" + header_down X-Content-Type-Options "nosniff" } } handle_errors { rewrite 500.html } - } - " | caddy run --adapter caddyfile --config -' - + }" | caddy run --adapter caddyfile --config - # using SmartOS native zone mastodon-redis, lx-brand redis crashes regularly, # upstream bug: https://github.com/redis/redis/issues/8861 @@ -135,7 +136,7 @@ services: # - triton.cns.services=mastodon-redis web: - image: tootsuite/mastodon:v4.1.2 + image: tootsuite/mastodon:v4.1.4 mem_limit: 1g restart: always env_file: .env.production 
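Review bot: The new `servers { protocols h1 h2 }` global option switches HTTP/3 off for every site this proxy serves, and nothing in the hunk records why. A one-line comment above it, for example `# HTTP/3 disabled: <reason>`, would stop a later Caddy upgrade from re-enabling it by accident, or from leaving it off after the reason has gone. The `command:` value that holds this Caddyfile continues past the end of the hunk.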
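Review bot: `X-Frame-Options DENY` is added to the unmatched `header { … }` block of the `$$SITE_DOMAIN` site, so it is sent on every response, presumably including Mastodon's embeddable post pages that other sites are meant to load in an iframe. If embeds should keep working, scope the header with a named matcher, something like `@no_embed not path */embed` followed by `header @no_embed X-Frame-Options DENY`. The header is also the legacy control; whether the application already sends a `Content-Security-Policy` with `frame-ancestors` is not visible here and is worth confirming before adding a second policy at the proxy. The site block starts and ends outside this hunk.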
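Review bot: The two added `header_down` lines wrap their values in double quotes, but the whole Caddyfile is passed through the shell's `echo "…"`, so as shown those inner quotes close and reopen the shell string instead of reaching Caddy, and the `*` is left as an unquoted glob character for `sh`. Both values are single tokens and need no quoting in a Caddyfile, so `header_down Access-Control-Allow-Origin *` and `header_down X-Content-Type-Options nosniff` keep them inside the shell string. The same quoting affects the existing multi-word values such as `"public, max-age=604800"`, which probably reach Caddy as two separate tokens, so check the adapted config. The wildcard origin also deserves a comment stating that this endpoint serves only public media without credentials, which the stripped `Set-Cookie` and emptied `Authorization` suggest is the intent.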
@@ -148,7 +149,7 @@ services: - triton.cns.services=mastodon-web streaming: - image: tootsuite/mastodon:v4.1.2 + image: tootsuite/mastodon:v4.1.4 mem_limit: 1g restart: always env_file: .env.production @@ -161,7 +162,7 @@ services: - triton.cns.services=mastodon-streaming sidekiq: - image: tootsuite/mastodon:v4.1.2 + image: tootsuite/mastodon:v4.1.4 mem_limit: 1g restart: always env_file: .env.production @@ -171,7 +172,7 @@ services: - triton.cns.services=mastodon-sidekiq elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.17.9 + image: docker.elastic.co/elasticsearch/elasticsearch:7.17.11 mem_limit: 512m restart: always environment: