add healthcheck

Reviewed-on: #12

.env.sample

@@ -1,15 +1,38 @@
 TYPE=bonfire
 
+LETS_ENCRYPT_ENV=production
+
 # choose what flavour of Bonfire to run
 FLAVOUR=social
 APP_VERSION=latest
 
+# enter your instance's domain name
+DOMAIN=bonfire.example.com
+# DO NOT CHANGE DOMAIN AFTER DEPLOYMENT! WILL BREAK FEDERATION!!
+## Domain aliases
+#EXTRA_DOMAINS=', `www.bonfire.example.com`'
+
+# enable abra backups
+ENABLE_BACKUPS=true
+
+COMPOSE_FILE="compose.yml"
+
+# ====================================
+# Database config
+COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
+SECRET_POSTGRES_PASSWORD_VERSION=v1
+
 # choose what extra services you want to run
-COMPOSE_FILE="compose.yml:compose.meilisearch.yml"
-# Enable `compose.mail.yml` to set secrets for sending emails:
-# COMPOSE_FILE="compose.yml:compose.mail.yml"
-# Enable `compose.postgres.tune.yml` for Postgres tuning (recommended, but only once your instance already is deployed and working):
-# COMPOSE_FILE="compose.yml:postgres/compose.postgres.tune.yml"
+COMPOSE_FILE="$COMPOSE_FILE:compose.meilisearch.yml"
+
+# To use Sonic instead of Meilisearch as the search backend:
+# COMPOSE_FILE="$COMPOSE_FILE:compose.sonic.yml"
+
+# Enable `compose.mail.yml` to set secrets for sending emails (remember to also include your chosen search backend's compose file):
+# COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml"
+
+# Enable `compose.postgres.tune.yml` for Postgres tuning (can only be enabled *after* your instance already is deployed and working)  (and remember to also include your chosen search backend and mailer's compose files)
+# COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.tune.yml"
 
 APP_VERSION_FLAVOUR=${APP_VERSION}-${FLAVOUR}
 # Different flavours/forks or architectures may require different builds of bonfire:
@@ -23,7 +46,7 @@ APP_DOCKER_IMAGE=bonfirenetworks/bonfire:${APP_VERSION_FLAVOUR}-amd64
 DB_DOCKER_VERSION=17-3.5
 # note that different flavours or architectures may require different postgres builds:
 # For ARM or x86:
-DB_DOCKER_IMAGE=ghcr.io/baosystems/postgis:${DB_DOCKER_VERSION}
+DB_DOCKER_IMAGE=ghcr.io/baosystems/postgis
 # for x86:
 # DB_DOCKER_IMAGE=postgis/postgis:${DB_DOCKER_VERSION}-alpine
 # multiarch (but doesn't have required Postgis extension)
@@ -31,17 +54,6 @@ DB_DOCKER_IMAGE=ghcr.io/baosystems/postgis:${DB_DOCKER_VERSION}
 # TODO: maybe to use for Upgrading to a new Postgres version? (NOTE: does not work with postgis data)
 # DB_DOCKER_IMAGE=pgautoupgrade/pgautoupgrade:16-alpine
 
-
-# enter your instance's domain name
-DOMAIN=bonfire.example.com
-# DO NOT CHANGE DOMAIN AFTER DEPLOYMENT! WILL BREAK FEDERATION!!
-## Domain aliases
-#EXTRA_DOMAINS=', `www.bonfire.example.com`'
-
-# enable abra backups
-ENABLE_BACKUPS=true
-
-
 # uncomment in order to NOT automatically change the database schema when you upgrade the app
 # DISABLE_DB_AUTOMIGRATION=true
 
@@ -102,6 +114,12 @@ MAIL_BACKEND=none
 # AWS_ROLE_ARN=
 # AWS_WEB_IDENTITY_TOKEN_FILE=
 
+# GHOST Integration
+#GHOST_URL=https://example.ghost.io
+#GHOST_CONTENT_API_KEY=
+#GHOST_ADMIN_API_KEY=
+#IFRAME_ALLOWED_ORIGINS=https://example.com
+
 # Enable using Bonfire as an SSO provider for external apps to sign in with?
 # ENABLE_SSO_PROVIDER=false
 OAUTH_ISSUER=https://${DOMAIN}
@@ -144,14 +162,15 @@ OAUTH_ISSUER=https://${DOMAIN}
 WITH_LV_NATIVE=0
 WITH_IMAGE_VIX=1
 WITH_AI=0
+LIVE_DASHBOARD_LOGGER=false
 
 # error reporting:
 # SENTRY_DSN=
 
 # ====================================
 # these secrets will be autogenerated/managed by abra and docker"
-SECRET_POSTGRES_PASSWORD_VERSION=v1
 SECRET_MEILI_MASTER_KEY_VERSION=v1
+SECRET_SONIC_PASSWORD_VERSION=v1
 SECRET_SEEDS_PW_VERSION=v1
 SECRET_LIVEBOOK_PASSWORD_VERSION=v1
 SECRET_MAIL_KEY_VERSION=v1
@@ -159,16 +178,3 @@ SECRET_SECRET_KEY_BASE_VERSION=v1 # length=128
 SECRET_SIGNING_SALT_VERSION=v1 # length=128
 SECRET_ENCRYPTION_SALT_VERSION=v1 # length=128
 
-# ====================================
-# You should not have to edit any of the following ones:
-APP_NAME=Bonfire
-LANG=en_US.UTF-8
-SEEDS_USER=root
-ERLANG_COOKIE=bonfire_cookie
-REPLACE_OS_VARS=true
-LIVEVIEW_ENABLED=true
-ACME_AGREE=true
-SHOW_DEBUG_IN_DEV=true
-LETS_ENCRYPT_ENV=production
-HOSTNAME=$DOMAIN
-#PLUG_SERVER=bandit

README.md

@@ -25,6 +25,12 @@ A [coop-cloud](https://coopcloud.tech) recipe for deploying [Bonfire](https://bo
 ## Upgrades 
 `abra app deploy --force your-server.domain.name`
 
+NOTE: we recommend switching to the new `sonic` search backend (instead of the deprecated `meilisearch`):
+1. comment the `COMPOSE_FILE` line that contains `compose.meilisearch.yml` in the `.env` file for your bonfire instancem and replace with a line like `COMPOSE_FILE="compose.yml:compose.sonic.yml"`
+2. add `SONIC_PASSWORD=a-super-secret-password` to the same file (make sure to change the password after pasting!)
+3. redeploy with `abra app deploy --force your-server.domain.name`
+
+
 [`abra`]: https://docs.coopcloud.tech/abra/
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
 

abra.sh

@@ -1,4 +1,5 @@
-export APP_ENTRYPOINT_VERSION=v2
-export PG_BACKUP_VERSION=v4
+export APP_ENTRYPOINT_VERSION=v3
+export PG_BACKUP_VERSION=v6
 export MEILI_BACKUP_VERSION=v4
-
+export SONIC_CFG_VERSION=v1
+export SONIC_ENTRYPOINT_VERSION=v1

compose.mail.yml

@@ -9,7 +9,7 @@ services:
 secrets:
   mail_password:
     external: true
-    name: ${STACK_NAME}_mail_password_${SECRET_MAIL_PASSWORD_VERSION}
+    name: ${STACK_NAME}_mail_password_${SECRET_MAIL_PASSWORD_VERSION:-v1}
   mail_key:
     external: true
-    name: ${STACK_NAME}_mail_key_${SECRET_MAIL_KEY_VERSION}
+    name: ${STACK_NAME}_mail_key_${SECRET_MAIL_KEY_VERSION:-v1}

compose.meilisearch.yml

@@ -40,5 +40,5 @@ volumes:
    
 configs:
   meili_backup:
-    name: ${STACK_NAME}_meili_backup_${MEILI_BACKUP_VERSION}
+    name: ${STACK_NAME}_meili_backup_${MEILI_BACKUP_VERSION:-v4}
     file: meili_backup.sh

compose.postgres.yml

@@ -0,0 +1,68 @@
+version: '3.8'
+
+x-postgres-env: &postgres-env
+  POSTGRES_DB: bonfire_db
+  POSTGRES_USER: postgres
+  POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+
+services:
+  app:
+    environment:
+      <<: *postgres-env
+      POSTGRES_HOST: ${STACK_NAME}_db
+    secrets:
+      - postgres_password
+
+  db:
+    image: ${DB_DOCKER_IMAGE:-ghcr.io/baosystems/postgis}:${DB_DOCKER_VERSION:-17-3.5}
+    command: >
+      postgres
+      -c max_connections=200
+      -c shared_buffers=${DB_MEMORY_LIMIT}MB
+    # -c shared_preload_libraries='pg_stat_statements'
+    # -c statement_timeout=1800000
+    # -c pg_stat_statements.track=all
+    #entrypoint: ['tail', '-f', '/dev/null'] # uncomment when the Postgres DB is corrupted and won't start
+    volumes:
+      - db-data:/var/lib/postgresql/data
+      - type: tmpfs
+        target: /dev/shm
+        tmpfs:
+           size: 1000000000
+           # about 1 GB in bytes 
+    tmpfs:
+      - /tmp:size=${DB_MEMORY_LIMIT}M^
+    networks:
+      - internal
+    environment:
+      <<: *postgres-env
+    secrets:
+      - postgres_password
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready", "-U", "postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    deploy:
+      labels:
+        backupbot.backup: ${ENABLE_BACKUPS:-true}
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.db-data.path: "backup.sql"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
+
+volumes:
+   db-data:
+
+configs:
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh
+
+secrets:
+  postgres_password:
+    external: true
+    name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION:-v1}

compose.sonic.yml

@@ -0,0 +1,49 @@
+---
+version: "3.8"
+
+services:
+  app:
+    depends_on:
+      - search
+    environment:
+      - SEARCH_ADAPTER=sonic
+      - SONIC_HOST=${STACK_NAME}_search
+      - SONIC_PORT=1491
+      - SONIC_PASSWORD
+      # - SONIC_PASSWORD_FILE=/run/secrets/sonic_password
+    # secrets:
+    #   - sonic_password
+      
+  search:
+    image: valeriansaliou/sonic:v1.5.1
+    # secrets:
+    #   - sonic_password
+    volumes:
+      - "sonic-data:/var/lib/sonic/store"
+    networks:
+      - internal
+    # NOTE: latest versions of Sonic (v1.5.1+) don't have a shell, so we can't have a custom entrypoint script that does pre-startup configuration, so we just need to store the PW in env for now
+    # entrypoint: ["/docker-entrypoint.sh"]
+    configs:
+      - source: sonic_cfg
+        target: /etc/sonic.cfg
+        mode: 0444
+      # - source: sonic_entrypoint
+      #   target: /docker-entrypoint.sh
+      #   mode: 0555
+        
+volumes:
+  sonic-data:
+   
+configs:
+  sonic_cfg:
+    name: ${STACK_NAME}_sonic_cfg_${SONIC_CFG_VERSION:-v1}
+    file: sonic.cfg
+  # sonic_entrypoint:
+  #   name: ${STACK_NAME}_sonic_entrypoint_${SONIC_ENTRYPOINT_VERSION:-v1}
+  #   file: sonic_entrypoint.sh
+
+# secrets:
+#   sonic_password:
+#     external: true
+#     name: ${STACK_NAME}_sonic_password_${SECRET_SONIC_PASSWORD_VERSION:-v1}

compose.yml

@@ -12,27 +12,25 @@ services:
     depends_on:
       - db
     environment:
-      - POSTGRES_HOST=${STACK_NAME}_db
-      - POSTGRES_USER=postgres
-      - POSTGRES_DB=bonfire_db
       - PUBLIC_PORT=443
       - MIX_ENV=prod
       
-      - HOSTNAME
+      - HOSTNAME=${DOMAIN}
       - INSTANCE_DESCRIPTION
       - DISABLE_DB_AUTOMIGRATION
       - UPLOAD_LIMIT
       - INVITE_KEY
-      - LANG
-      - SEEDS_USER
-      - ERLANG_COOKIE
-      - REPLACE_OS_VARS
-      - LIVEVIEW_ENABLED
-      - APP_NAME
+      - LANG=${LANG:-en_US.UTF-8}
+      - SEEDS_USER=${SEEDS_USER:-root}
+      - ERLANG_COOKIE=${ERLANG_COOKIE:-bonfire_cookie}
+      - REPLACE_OS_VARS=${REPLACE_OS_VARS:-true}
+      - LIVEVIEW_ENABLED=${LIVEVIEW_ENABLED:-true}
+      - APP_NAME={APP_NAME:-Bonfire}
       - PLUG_SERVER
       - WITH_LV_NATIVE
       - WITH_IMAGE_VIX
       - WITH_AI
+      - LIVE_DASHBOARD_LOGGER
       
       - DB_SLOW_QUERY_MS
       - DB_STATEMENT_TIMEOUT
@@ -107,9 +105,13 @@ services:
 
       - ORCID_CLIENT_ID
       - ORCID_CLIENT_SECRET
+
+      - GHOST_URL
+      - GHOST_CONTENT_API_KEY
+      - GHOST_ADMIN_API_KEY
+      - IFRAME_ALLOWED_ORIGINS
       
     secrets:
-      - postgres_password
       - secret_key_base
       - signing_salt
       - encryption_salt
@@ -144,52 +146,12 @@ services:
         #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-    # healthcheck:
-    #   test: ["CMD", "curl", "-f", "http://localhost"]
-    #   interval: 30s
-    #   timeout: 10s
-    #   retries: 10
-    #   start_period: 1m
-
-  db:
-    image: ${DB_DOCKER_IMAGE}
-    environment:
-      # - POSTGRES_PASSWORD
-      - POSTGRES_USER=postgres
-      - POSTGRES_DB=bonfire_db
-      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
-    secrets:
-      - postgres_password
-    volumes:
-      - db-data:/var/lib/postgresql/data
-      - type: tmpfs
-        target: /dev/shm
-        tmpfs:
-           size: 1000000000
-           # about 1 GB in bytes ^
-    networks:
-      - internal
-    # shm_size: ${DB_MEMORY_LIMIT} # unsupported by docker swarm
-    tmpfs:
-      - /tmp:size=${DB_MEMORY_LIMIT}M
-    command: >
-      postgres
-      -c max_connections=200
-      -c shared_buffers=${DB_MEMORY_LIMIT}MB
-    # -c shared_preload_libraries='pg_stat_statements'
-    # -c statement_timeout=1800000
-    # -c pg_stat_statements.track=all
-    #entrypoint: ['tail', '-f', '/dev/null'] # uncomment when the Postgres DB is corrupted and won't start
-    labels:
-        backupbot.backup: ${ENABLE_BACKUPS:-true}
-        # backupbot.backup.volumes.db-data: false
-        backupbot.backup.volumes.db-data.path: "backup.sql"
-        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
-    configs:
-        - source: pg_backup
-          target: /pg_backup.sh
-          mode: 0555
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:4000"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 15s
 
 volumes:
   db-data:
@@ -203,32 +165,26 @@ networks:
 
 configs:
   app_entrypoint:
-    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION:-v3}
     file: entrypoint.sh.tmpl
     template_driver: golang
-  pg_backup:
-    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
-    file: pg_backup.sh
 
 secrets:
-  postgres_password:
-    external: true
-    name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
   secret_key_base:
     external: true
-    name: ${STACK_NAME}_secret_key_base_${SECRET_SECRET_KEY_BASE_VERSION}
+    name: ${STACK_NAME}_secret_key_base_${SECRET_SECRET_KEY_BASE_VERSION:-v1}
   signing_salt:
     external: true
-    name: ${STACK_NAME}_signing_salt_${SECRET_SIGNING_SALT_VERSION}
+    name: ${STACK_NAME}_signing_salt_${SECRET_SIGNING_SALT_VERSION:-v1}
   encryption_salt:
     external: true
-    name: ${STACK_NAME}_encryption_salt_${SECRET_ENCRYPTION_SALT_VERSION}
+    name: ${STACK_NAME}_encryption_salt_${SECRET_ENCRYPTION_SALT_VERSION:-v1}
   meili_master_key:
     external: true
-    name: ${STACK_NAME}_meili_master_key_${SECRET_MEILI_MASTER_KEY_VERSION}
+    name: ${STACK_NAME}_meili_master_key_${SECRET_MEILI_MASTER_KEY_VERSION:-v1}
   seeds_pw:
     external: true
-    name: ${STACK_NAME}_seeds_pw_${SECRET_SEEDS_PW_VERSION}
+    name: ${STACK_NAME}_seeds_pw_${SECRET_SEEDS_PW_VERSION:-v1}
   livebook_password:
     external: true
-    name: ${STACK_NAME}_livebook_password_${SECRET_LIVEBOOK_PASSWORD_VERSION}
+    name: ${STACK_NAME}_livebook_password_${SECRET_LIVEBOOK_PASSWORD_VERSION:-v1}

pg_backup.sh

@@ -6,18 +6,17 @@ BACKUP_PATH="/var/lib/postgresql/data"
 LATEST_BACKUP_FILE="${BACKUP_PATH}/backup.sql"
 
 function backup {
-  FILE_WITH_DATE="${BACKUP_PATH}/backup_$(date +%F).sql"
-  
   if [ -f "$POSTGRES_PASSWORD_FILE" ]; then
     export PGPASSWORD=$(cat "$POSTGRES_PASSWORD_FILE")
   fi
-  
-  echo "Creating backup at ${FILE_WITH_DATE}..."
-  pg_dump -U "${POSTGRES_USER:-postgres}" "${POSTGRES_DB:-postgres}" > "${FILE_WITH_DATE}"
-  
-  echo "Copying to ${LATEST_BACKUP_FILE}..."
-  cp -f "${FILE_WITH_DATE}" "${LATEST_BACKUP_FILE}"
-  
+
+  # Keep a single backup.sql (restic handles versioning); write to a temp file and move
+  # atomically so a failed dump never clobbers the last good backup.
+  echo "Creating backup at ${LATEST_BACKUP_FILE}..."
+  rm -f "${LATEST_BACKUP_FILE}.tmp"
+  pg_dump -U "${POSTGRES_USER:-postgres}" "${POSTGRES_DB:-postgres}" > "${LATEST_BACKUP_FILE}.tmp"
+  mv -f "${LATEST_BACKUP_FILE}.tmp" "${LATEST_BACKUP_FILE}"
+
   echo "Backup done. You will find it at ${LATEST_BACKUP_FILE}"
 }
 

sonic.cfg

@@ -0,0 +1,43 @@
+# Sonic configuration
+# https://github.com/valeriansaliou/sonic/blob/master/CONFIGURATION.md
+
+[server]
+  log_level = "error"
+
+[channel]
+  inet = "0.0.0.0:1491"
+  tcp_timeout = 300
+
+  [channel.search]
+    query_limit_default = 10
+    query_limit_maximum = 200
+    suggest_limit_default = 5
+    suggest_limit_maximum = 20
+
+[store.kv]
+  path = "/var/lib/sonic/store/kv/"
+  retain_word_objects = 1000
+
+  [store.kv.pool]
+    inactive_after = 1800
+
+  [store.kv.database]
+    flush_after = 900
+    compress = true
+    parallelism = 2
+    max_files = 100
+    max_compactions = 1
+    max_flushes = 1
+    write_buffer = 16384
+    write_ahead_log = true
+
+[store.fst]
+  path = "/var/lib/sonic/store/fst/"
+
+  [store.fst.pool]
+    inactive_after = 300
+
+  [store.fst.graph]
+    consolidate_after = 180
+    max_size = 2048
+    max_words = 250000

sonic_entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+export SONIC_CHANNEL__AUTH_PASSWORD="$(cat /run/secrets/sonic_password)"
+
+exec sonic -c /etc/sonic.cfg