From 6a933fdeeb9dff3f4575de03763d5006a71917ba Mon Sep 17 00:00:00 2001
From: brooke
Date: Tue, 4 Mar 2025 02:29:13 -0500
Subject: [PATCH] init
---
 .env.sample | 43 ++++++++++++++++++++--
 README.md | 6 ++--
 abra.sh | 2 ++
 compose.ldap.yml | 16 +++++++++
 compose.yml | 88 ++++++++++++++++++++++++++++++++++++++++------
 entrypoint.sh.tmpl | 32 +++++++++++++++++
 6 files changed, 171 insertions(+), 16 deletions(-)
 create mode 100644 abra.sh
 create mode 100644 compose.ldap.yml
 create mode 100644 entrypoint.sh.tmpl
diff --git a/.env.sample b/.env.sample
index 60b83b9..9bea43e 100644
--- a/.env.sample
+++ b/.env.sample
@@ -2,7 +2,44 @@ TYPE=liberaforms DOMAIN=liberaforms.example.com -## Domain aliases -#EXTRA_DOMAINS=', `www.liberaforms.example.com`' - LETS_ENCRYPT_ENV=production + +SECRET_SECRET_KEY_VERSION = v1 +SECRET_DB_PASSWORD_VERSION = v1 +SECRET_CRYPTO_KEY_VERSION= v1 + +ADMIN_USER = 'you@example.com' +DEFAULT_LANGUAGE = 'en' # Options: en, eu, es, ca, cs, de, fr, gl, ru, ta +E2EE_MODE=ENABLED_BY_DEFAULT # Options: AVAILABLE, DISABLED, REQUIRED, ENABLED_BY_DEFAULT +TOKEN_EXPIRATION = 604800 # Maximum valid age (in seconds) for password resets, invitations, etc. + +DEFAULT_TIMEZONE="America/New_York" +ENABLE_RSS_FEED=True + +ENABLE_PROMETHEUS_METRICS=False +#GUNICORN_WORKERS= # defaults to 6 + +#ALERT_MAILS = ["your_email_address", "another_email_address"] # Optional. Recieve Internal Server 500 errors. Good for debugging. + +############### +### Uploads ### +############### + +ENABLE_UPLOADS=True +ENABLE_REMOTE_STORAGE=False +TOTAL_UPLOADS_LIMIT="1 GB" # site-wide limit +DEFAULT_USER_UPLOADS_LIMIT="50 MB" +MAX_MEDIA_SIZE=512000 # In Bytes +MAX_ATTACHMENT_SIZE=1572864 # In Bytes + +############### +#### LDAP ##### +############### + +#LDAP_SERVER: ldap://localhost +#LDAP_BIND_ACCOUNT="cn=nobody,dc=example,dc=com" +#LDAP_USER_DN_LIST=["uid=%uid,ou=users,o=company,dc=example,dc=com"] +#LDAP_SEARCH_BASE_DN="o=company,dc=example,dc=com" +#LDAP_FILTER="(&(objectclass=inetOrgPerson)(|(uid=%uid)(mail=%uid)))" +#LDAP_MAIL_ATTRIB=mail +#LDAP_RECOVER_PASSWD_URL=https://example.com/recover-your-ldap-password
\ No newline at end of file
diff --git a/README.md b/README.md
index 1fa74a1..0b716c5 100644
--- a/README.md
+++ b/README.md
@@ -7,11 +7,11 @@ * **Category**: Apps * **Status**: 0 * **Image**: [`liberaforms`](https://hub.docker.com/r/liberaforms), 4, upstream -* **Healthcheck**: No +* **Healthcheck**: Yes * **Backups**: No -* **Email**: No +* **Email**: 1 * **Tests**: No -* **SSO**: No +* **SSO**: 3
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..48a3187
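Review bot: The new sample mixes assignment forms that are unlikely to all parse the same way: `SECRET_SECRET_KEY_VERSION = v1` and `ADMIN_USER = 'you@example.com'` put spaces around `=`, `SECRET_CRYPTO_KEY_VERSION= v1` leaves a leading space in the value, and the LDAP block uses `#LDAP_SERVER: ldap://localhost` with a colon instead of `=`. Depending on how abra and the shell read `.env`, the spaced forms are either rejected or yield keys/values with stray whitespace that then flow into `${ADMIN_USER}` and the versioned secret names in compose.yml, so every line should be normalised to `KEY=value` (e.g. `SECRET_CRYPTO_KEY_VERSION=v1`, `ADMIN_USER=you@example.com`). Most of the added settings (`DEFAULT_LANGUAGE`, `E2EE_MODE`, `TOKEN_EXPIRATION`, the upload limits, the LDAP values) are not referenced by the `environment:` block compose.yml gains in this commit, so unless abra forwards them by some other route they have no effect; either wire them through or say so in a comment. Minor: `Recieve` → `Receive` in the `ALERT_MAILS` comment.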
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1,2 @@
+export ENTRYPOINT_VERSION=v2
+export INIT_VERSION=v1
\ No newline at end of file
diff --git a/compose.ldap.yml b/compose.ldap.yml
new file mode 100644
index 0000000..817607f
--- /dev/null
+++ b/compose.ldap.yml
@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+ app:
+ secrets:
+ - ldap_password
+ environment:
+ ENABLE_LDAP: "True"
+ LDAP_ANONYMOUS_BIND: "False"
+ LDAP_BIND_PASSWORD_FILE: /run/secrets/ldap_password
+
+secrets:
+ ldap_password:
+ external: true
+ name: ${STACK_NAME}_ldap_password_${SECRET_DB_PASSWORD_VERSION}
\ No newline at end of file
diff --git a/compose.yml b/compose.yml
index a2c3805..225b48a 100644
--- a/compose.yml
+++ b/compose.yml
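Review bot: The LDAP bind secret is named `${STACK_NAME}_ldap_password_${SECRET_DB_PASSWORD_VERSION}`, i.e. it is versioned by the database password's variable, so bumping `SECRET_DB_PASSWORD_VERSION` to rotate the DB password silently changes which `ldap_password` secret the stack looks up, and the LDAP password cannot be rotated on its own at all. Give it its own variable, `name: ${STACK_NAME}_ldap_password_${SECRET_LDAP_PASSWORD_VERSION}`, and add a matching `SECRET_LDAP_PASSWORD_VERSION=v1` line to the LDAP section of `.env.sample`. `LDAP_BIND_PASSWORD_FILE: /run/secrets/ldap_password` does line up with the `file_env "LDAP_BIND_PASSWORD"` call in entrypoint.sh.tmpl, so the path itself is consistent.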
@@ -3,30 +3,98 @@ version: "3.8" services: app: - image: nginx:1.20.0 + image: fung.uy/mycosystems/liberaforms:v4.0.0 + configs: + - source: entrypoint + mode: 0555 + target: /custom-entrypoint.sh + - source: init + mode: 0555 + target: /init.sh + entrypoint: /custom-entrypoint.sh + environment: + ENABLE_LDAP: "False" + FLASK_DEBUG: "False" + FLASK_CONFIG: production + DB_HOST: db + DB_USER: liberaforms + DB_PASSWORD_FILE: /run/secrets/db_password + DB_NAME: liberaforms + BASE_URL: https://${DOMAIN} + ROOT_USER: ${ADMIN_USER} + TMP_DIR: /tmp + SECRET_KEY_FILE: /run/secrets/secret_key + CRYPTO_KEY_FILE: /run/secrets/crypto_key + SESSION_TYPE: "filesystem" + LOG_LEVEL: INFO + LOG_DIR: /app/logs + GUNICORN_WORKERS: ${GUNICORN_WORKERS:-6} + volumes: + - uploads:/app/uploads + - log:/app/logs + secrets: + - db_password + - secret_key + - crypto_key networks: - proxy + - internal deploy: restart_policy: condition: on-failure labels: - "traefik.enable=true" - - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=5000" - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - ## Redirect from EXTRA_DOMAINS to DOMAIN - #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - "coop-cloud.${STACK_NAME}.version=" + + db: + image: postgres:17-alpine healthcheck: - test: ["CMD", "curl", "-f", "http://localhost"] - interval: 30s - timeout: 10s + test: ["CMD", "pg_isready", "-q", "-d", "postgres", "-U", "${POSTGRES_ROOT_USER}"] + timeout: 45s + interval: 10s retries: 10 - start_period: 1m + environment: + POSTGRES_USER: liberaforms + POSTGRES_DB: liberaforms + 
POSTGRES_PASSWORD_FILE: /run/secrets/db_password + volumes: + - db:/var/lib/postgresql/data + secrets: + - db_password + networks: + - internal + +secrets: + db_password: + external: true + name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} + secret_key: + external: true + name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION} + crypto_key: + external: true + name: ${STACK_NAME}_crypto_key_${SECRET_CRYPTO_KEY_VERSION} + +volumes: + uploads: + log: + db: networks: + internal: proxy: external: true + +configs: + entrypoint: + name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION} + file: entrypoint.sh.tmpl + template_driver: golang + init: + name: ${STACK_NAME}_init_${INIT_VERSION} + file: init.sh.tmpl + template_driver: golang
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..10ec38a
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "DB_PASSWORD"
+file_env "CRYPTO_KEY"
+file_env "SECRET_KEY"
+file_env "LDAP_BIND_PASSWORD"
+
+/usr/bin/supervisord -n
\ No newline at end of file
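Review bot: The `init` config at the end of the hunk points at `file: init.sh.tmpl`, but the diffstat shows only `abra.sh`, `compose.ldap.yml` and `entrypoint.sh.tmpl` being created, so `docker stack deploy` will fail to read that config unless the file already exists outside this commit; either add `init.sh.tmpl` here or drop the `init` config and its `/init.sh` mount (nothing in `entrypoint.sh.tmpl` invokes `/init.sh`). The `db` healthcheck interpolates `${POSTGRES_ROOT_USER}`, which `.env.sample` never defines, so `pg_isready` is run with an empty `-U` argument; since `POSTGRES_USER` and `POSTGRES_DB` are hard-coded to `liberaforms`, `test: ["CMD", "pg_isready", "-q", "-d", "liberaforms", "-U", "liberaforms"]` checks the database that is actually created. Also note that the `app` service ends up with no healthcheck at all (the old curl check is removed and only `db` gains one), which does not match the README's new `Healthcheck: Yes` entry.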
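Review bot: The final `/usr/bin/supervisord -n` is run as a child of the bash entrypoint instead of replacing it, so bash stays PID 1, does not forward SIGTERM, and `docker stop` or a service update waits out the kill timeout before supervisord and the app are killed; make the last line `exec /usr/bin/supervisord -n`. `file_env` exports each resolved secret into the environment that supervisord and every child inherit, which is the usual docker-library pattern but means the values are readable from `/proc/<pid>/environ` by anything running as the same user inside the container; if LiberaForms can consume the `*_FILE` paths directly that exposure can be avoided, otherwise a comment at the top of the script noting the trade-off would help the next maintainer. `file_env "LDAP_BIND_PASSWORD"` with neither variable set exports an empty `LDAP_BIND_PASSWORD`, which is harmless while `ENABLE_LDAP` is `"False"` but may let a misconfigured LDAP deployment attempt an empty-password bind rather than fail early; consider guarding that call with `[ "${ENABLE_LDAP:-False}" = "True" ]`.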