Mastodon vapid init.

2026-01-04 23:56:37 +00:00
parent 963929475c
commit b6d88e79ac
3 changed files with 71 additions and 2 deletions
--- a/mastodon/vapid-init-job.yaml
+++ b/mastodon/vapid-init-job.yaml
@@ -0,0 +1,68 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: mastodon-vapid-init
+  namespace: {{ .namespace }}
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      labels:
+        component: vapid-init
+    spec:
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 991
+        runAsGroup: 991
+        fsGroup: 991
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: vapid-init
+        image: {{ .image }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: [ALL]
+          readOnlyRootFilesystem: false
+        command:
+        - sh
+        - -c
+        - |
+          set -e
+
+          # Check if VAPID keys already exist in the secret
+          if [ -n "$VAPID_PRIVATE_KEY" ] && [ "$VAPID_PRIVATE_KEY" != "null" ] && \
+             [ -n "$VAPID_PUBLIC_KEY" ] && [ "$VAPID_PUBLIC_KEY" != "null" ]; then
+            echo "VAPID keys already exist in secret, skipping generation"
+            exit 0
+          fi
+
+          echo "Generating VAPID keys..."
+          bundle exec rake mastodon:webpush:generate_vapid_key > /tmp/vapid_output.txt
+
+          echo "VAPID keys generated:"
+          cat /tmp/vapid_output.txt
+
+          echo ""
+          echo "NOTE: These keys must be manually added to secrets.yaml:"
+          echo "  apps.mastodon.vapidPrivateKey: <VAPID_PRIVATE_KEY from above>"
+          echo "  apps.mastodon.vapidPublicKey: <VAPID_PUBLIC_KEY from above>"
+        env:
+        - name: VAPID_PRIVATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: mastodon-secrets
+              key: vapidPrivateKey
+              optional: true
+        - name: VAPID_PUBLIC_KEY
+          valueFrom:
+            secretKeyRef:
+              name: mastodon-secrets
+              key: vapidPublicKey
+              optional: true
+        - name: RAILS_ENV
+          value: production
+        - name: LOCAL_DOMAIN
+          value: "{{ .domain }}"