computer-playbook/roles/web-app-mastodon/templates/env.j2

# Configuration file for mastodon
# @see https://docs.joinmastodon.org/admin/config
# @see https://github.com/mastodon/mastodon/blob/main/.env.production.sample


LOCAL_DOMAIN={{ domains | get_domain(application_id) }}
ALTERNATE_DOMAINS="{{ domains['web-app-mastodon'][1:] | join(',') }}"
SINGLE_USER_MODE={{ applications | get_app_conf(application_id, 'single_user_mode') }}
ALLOWED_PRIVATE_ADDRESSES="{{ MASTODON_ALLOWED_PRIVATE_ADDRESSES }}"

RAILS_ENV={{ ENVIRONMENT }}

# Debug
{% if MODE_DEBUG | bool %}
RAILS_LOG_LEVEL=debug
DEBUG=*
{% endif %}

# Credentials

# Secrets
# -------
# Make sure to use `bundle exec rails secret` to generate secrets
# -------
SECRET_KEY_BASE=    {{ applications | get_app_conf(application_id, 'credentials.secret_key_base') }}
OTP_SECRET=         {{ applications | get_app_conf(application_id, 'credentials.otp_secret') }}

# Web Push
# --------
# Generate with `bundle exec rails mastodon:webpush:generate_vapid_key`
# --------
VAPID_PRIVATE_KEY=  {{ applications | get_app_conf(application_id, 'credentials.vapid_private_key') }}
VAPID_PUBLIC_KEY=   {{ applications | get_app_conf(application_id, 'credentials.vapid_public_key') }}

# Encryption secrets
# ------------------
# Must be available (and set to same values) for all server processes
# These are private/secret values, do not share outside hosting environment
# Use `bin/rails db:encryption:init` to generate fresh secrets
# Do NOT change these secrets once in use, as this would cause data loss and other issues
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=     {{ applications | get_app_conf(application_id, 'credentials.active_record_encryption_deterministic_key') }}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=   {{ applications | get_app_conf(application_id, 'credentials.active_record_encryption_key_derivation_salt') }}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=           {{ applications | get_app_conf(application_id, 'credentials.active_record_encryption_primary_key') }}

DB_HOST={{ database_host }}
DB_PORT={{ database_port }}
DB_NAME={{ database_name }}
DB_USER={{ database_username }}
DB_PASS={{ database_password }}
DB_POOL="{{ POSTGRES_ALLOWED_AVG_CONNECTIONS }}"
RAILS_MAX_THREADS="{{ POSTGRES_ALLOWED_AVG_CONNECTIONS }}"

REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

SMTP_SERVER={{ SYSTEM_EMAIL.HOST }}
SMTP_PORT={{ SYSTEM_EMAIL.PORT }}
SMTP_LOGIN={{ users['no-reply'].email }}
SMTP_PASSWORD={{ users['no-reply'].mailu_token }}
SMTP_AUTH_METHOD=plain
SMTP_OPENSSL_VERIFY_MODE=none
SMTP_ENABLE_STARTTLS=auto
SMTP_FROM_ADDRESS=Mastodon <{{ users['no-reply'].email }}>

{% if applications | get_app_conf(application_id, 'features.oidc', False) %}
################################### 
# OpenID Connect settings
###################################
# @see https://github.com/mastodon/mastodon/pull/16221
# @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso

OIDC_ENABLED={{ applications | get_app_conf(application_id, 'features.oidc', False) | string | lower }}
OIDC_DISPLAY_NAME="{{ OIDC.BUTTON_TEXT }}"
OIDC_ISSUER={{ OIDC.CLIENT.ISSUER_URL }}
OIDC_DISCOVERY=true
OIDC_SCOPE="openid,profile,email"
# @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
OIDC_UID_FIELD={{ OIDC.ATTRIBUTES.USERNAME }}
OIDC_CLIENT_ID={{ OIDC.CLIENT.ID }}
OIDC_REDIRECT_URI={{ domains | get_url(application_id, WEB_PROTOCOL) }}/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
OIDC_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
# uncomment to only use OIDC for login / registration buttons
OMNIAUTH_ONLY=true
ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true
ONE_CLICK_SSO_LOGIN=true
{% endif %}