Mastodon setup Linode API Token Permissions?
When I go to set up a new Mastodon instance, I am following the instructions here: https://www.linode.com/docs/products/tools/marketplace/guides/mastodon/
When I get to the step of selecting Mastodon from the App Marketplace, it opens up a form with a number of fields, including one for a Linode API Token. I then go to the API Tokens page for my account profile.
The problem is that the Linode Mastodon documentation does not tell me in detail what kind of token to create (Personal vs Third-Party Access), what permissions are needed for it, and what to set the expiration to. I would presume it is a Personal token, and the expiration should be set to Never, since I don't see any method in the Mastodon setup to automatically renew the token when it expires. If that is the case, then all I would need is the precise permissions it needs. I presume it will at least need the Domains read/write permission, since the setup documentation mentions needing to manage DNS records for Let's Encrypt, but is that all it needs? I try to be security-conscious, so I don't want to give it anything more than what it needs to function. I do plan on adding Object Storage for it, so would I also need to give it R/W for that? Anything else?
I would like to suggest adding this to the Mastodon setup documentation, as I can't imagine other Linode/Mastodon newbies will be able to figure it out easily, either.
✓ Best Answer
Functionally, this API key is only creating your Mastodon server's DNS records during deployment. This means that you could create a single-use key with DNS Read-Write permissions that you delete immediately after deployment if you don't want to create a key with a long expiration or more permissions than necessary.
When it comes to integrating OBJ, you will need a separate Access Key (different than the permissions granted with an API key with OBJ permissions) and will want to be more careful since this key needs to persist as long as you need to grant bucket access. For more information about how to integrate Mastodon and Linode's Object storage, be sure to check out the following guide:
Let's Encrypt/Certbot handles the SSL certificate generation and renewal separately and should automatically renew on its own.