Generate active record encryption keys

conf/.env.production.sample

@@ -71,6 +71,10 @@ DB_PORT=5432
 SECRET_KEY_BASE=__SECRET_KEY_BASE__
 OTP_SECRET=__OTP_SECRET__
 
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=__ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY__
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=__ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY__
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=__ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT__
+
 # Web Push
 # --------
 # Generate with `rake mastodon:webpush:generate_vapid_key` (first is the private key, second is the public one)

scripts/install

@@ -50,6 +50,15 @@ ynh_app_setting_set --app="$app" --key=secret_key_base --value="$secret_key_base
 otp_secret=$(ynh_string_random --length=128)
 ynh_app_setting_set --app="$app" --key=otp_secret --value="$otp_secret"
 
+active_record_encryption_primary_key=$(ynh_string_random --length=32)
+ynh_app_setting_set --app="$app" --key=active_record_encryption_primary_key --value="$active_record_encryption_primary_key"
+
+active_record_encryption_deterministic_key=$(ynh_string_random --length=32)
+ynh_app_setting_set --app="$app" --key=active_record_encryption_deterministic_key --value="$active_record_encryption_deterministic_key"
+
+active_record_encryption_key_derivation_salt=$(ynh_string_random --length=32)
+ynh_app_setting_set --app="$app" --key=active_record_encryption_key_derivation_salt --value="$active_record_encryption_key_derivation_salt"
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
@@ -132,7 +141,6 @@ pushd "$install_dir/live"
 	# This export might be removed in yunohost 12
 	COREPACK_ENABLE_DOWNLOAD_PROMPT=0 yarn install
 	echo "SAFETY_ASSURED=1">> "$config"
-	ynh_exec_warn_less ynh_exec_as "$app" RAILS_ENV=production COREPACK_ENABLE_DOWNLOAD_PROMPT=0 "$ynh_ruby_load_path" "$ld_preload" bin/bundle exec rails db:encryption:init --quiet
 	ynh_exec_warn_less ynh_exec_as "$app" RAILS_ENV=production COREPACK_ENABLE_DOWNLOAD_PROMPT=0 "$ynh_ruby_load_path" "$ld_preload" bin/bundle exec rails db:migrate --quiet
 	ynh_exec_warn_less ynh_exec_as "$app" RAILS_ENV=production COREPACK_ENABLE_DOWNLOAD_PROMPT=0 "$ynh_ruby_load_path" "$ld_preload" bin/bundle exec rails assets:precompile --quiet
 	# Generate vapid keys

scripts/upgrade

@@ -41,7 +41,18 @@ fi
 ynh_remove_extra_repo
 
 if ynh_compare_current_package_version --comparison lt --version 2024.05.01~ynh1; then
-	ynh_exec_warn_less ynh_exec_as "$app" RAILS_ENV=production COREPACK_ENABLE_DOWNLOAD_PROMPT=0 "$ynh_ruby_load_path" "$ld_preload" bin/bundle exec rails db:encryption:init
+	active_record_encryption_primary_key=$(ynh_string_random --length=32)
+	ynh_app_setting_set --app="$app" --key=active_record_encryption_primary_key --value="$active_record_encryption_primary_key"
+	
+	active_record_encryption_deterministic_key=$(ynh_string_random --length=32)
+	ynh_app_setting_set --app="$app" --key=active_record_encryption_deterministic_key --value="$active_record_encryption_deterministic_key"
+	
+	active_record_encryption_key_derivation_salt=$(ynh_string_random --length=32)
+	ynh_app_setting_set --app="$app" --key=active_record_encryption_key_derivation_salt --value="$active_record_encryption_key_derivation_salt"
+
+	ynh_add_config --template=".env.production.sample" --destination="$config"
+	chmod 400 "$config"
+	chown "$app:$app" "$config"
 fi
 
 #=================================================