add varnish

.env.sample

@@ -39,6 +39,8 @@ DOMAIN=bonfire.example.com
 # enable abra backups
 ENABLE_BACKUPS=true
 
+# what service to use for sending out emails (eg. smtp, mailgun, none) NOTE: you should also set the corresponding keys in secrets.env
+MAIL_BACKEND=none
 
 # uncomment in order to NOT automatically change the database schema when you upgrade the app
 # DISABLE_DB_AUTOMIGRATION=true
@@ -62,11 +64,6 @@ LOG_LEVEL=info
 # and do not check your env file into any public git repo 
 # change ALL the values:
 
-# what service to use for sending out emails (eg. smtp, mailgun, none) NOTE: you should also set the corresponding keys in secrets.env
-MAIL_BACKEND=none
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml"
-#SECRET_MAIL_PASSWORD_VERSION=v1
 
 # signup to an email service and edit with relevant info, see: https://docs.bonfirenetworks.org/Bonfire.Mailer.html
 # MAIL_DOMAIN=mgo.example.com
@@ -79,6 +76,7 @@ MAIL_BACKEND=none
 # MAIL_SESSION_TOKEN=
 # MAIL_SERVER=
 # MAIL_USER=
+# MAIL_PASSWORD=
 # MAIL_PORT=
 # MAIL_SSL=true
 # MAIL_TLS=if_available

abra.sh

@@ -1,4 +1,32 @@
-export APP_ENTRYPOINT_VERSION=v2
+export APP_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v4
 export MEILI_BACKUP_VERSION=v4
+export NGINX_CONF_VERSION=eaaa
+export VARNISH_CONFIG_VERSION=baac
 
+# Bonfire.Common.Cache.HTTPPurge.bust_http_urls("/post_comments/01KHRMPNKXH659SPB55EY7R1K9")
+
+# varnishlog -g raw
+
+# defmodule Bonfire.UI.Common.Cache.HTTPPurge.Varnish do
+#   @moduledoc """
+#   HTTP cache purge adapter for Varnish.
+
+#   Configured via `VARNISH_URL` env var (default: `http://localhost:80`),
+#   which is resolved at startup in `Bonfire.Common.RuntimeConfig`.
+
+#   Tag-based purging (`bust_tags/1`) requires the `xkey` vmod and is not
+#   implemented here — extend if your Varnish setup supports it.
+#   """
+
+#   @behaviour Bonfire.Common.Cache.HTTPPurge
+#   use Untangle
+
+#   def bust_urls(urls) when is_list(urls) do
+#     Enum.each(urls, &purge_one/1)
+#     :ok
+#   end
+
+#   def bust_tags(_tags), do: :ok
+
+#   defp purge_one(path) do

compose.mail.yml

@@ -1,11 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    secrets:
-      - mail_password
-
-secrets:
-  mail_password:
-    external: true
-    name: ${STACK_NAME}_mail_password_${SECRET_MAIL_PASSWORD_VERSION}

compose.yml

@@ -2,6 +2,35 @@
 version: "3.8"
 
 services:
+  varnish:
+    image: varnish:stable
+    environment:
+      - STACK_NAME
+      - VARNISH_SIZE=2G
+    networks:
+    - proxy
+    - internal
+    command: "-p default_keep=300 -p thread_pool_min=50 -p thread_pool_max=1000 -p thread_pools=2 -p listen_depth=2048 -p http_resp_hdr_len=65536"
+    configs:
+     - source: varnish_config
+       target: /etc/varnish/default.vcl
+
+    ulimits:
+      nofile:
+        soft: 65536
+        hard: 65536
+
+    deploy:
+      restart_policy:
+        condition: on-failure
+      labels:
+       - "backupbot.backup=false"
+       - "traefik.enable=true"
+       - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+       - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+       - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+       - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+
   app:
     image: ${APP_DOCKER_IMAGE}
     logging:
@@ -17,6 +46,8 @@ services:
       - POSTGRES_DB=bonfire_db
       - PUBLIC_PORT=443
       - MIX_ENV=prod
+      # - VARNISH_URL=http://${STACK_NAME}_varnish:80
+      - VARNISH_URL=https://${DOMAIN}
       
       - HOSTNAME
       - INSTANCE_DESCRIPTION
@@ -108,7 +139,7 @@ services:
 
       - ORCID_CLIENT_ID
       - ORCID_CLIENT_SECRET
-      
+
     secrets:
       - postgres_password
       - secret_key_base
@@ -121,7 +152,6 @@ services:
       - upload-data:/opt/app/data/uploads
       # - backup-data:/opt/app/data/backup
     networks:
-      - proxy
       - internal
     entrypoint: ["/docker-entrypoint.sh", "./bin/bonfire", "start"]
     configs:
@@ -135,16 +165,6 @@ services:
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
         #- backupbot.backup.volumes.upload-data: "true"
         #- backupbot.backup.volumes.upload-data.path: "/opt/app/data/uploads"
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=4000"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=error-pages-middleware"
-        #- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
     # healthcheck:
     #   test: ["CMD", "curl", "-f", "http://localhost"]
     #   interval: 30s
@@ -181,8 +201,7 @@ services:
     # -c statement_timeout=1800000
     # -c pg_stat_statements.track=all
     #entrypoint: ['tail', '-f', '/dev/null'] # uncomment when the Postgres DB is corrupted and won't start
-    deploy:
-      labels:
+    labels:
         backupbot.backup: ${ENABLE_BACKUPS:-true}
         # backupbot.backup.volumes.db-data: false
         backupbot.backup.volumes.db-data.path: "backup.sql"
@@ -211,6 +230,14 @@ configs:
   pg_backup:
     name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
     file: pg_backup.sh
+  # nginx_conf:
+  #   name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
+  #   file: nginx.conf.tmpl
+  #   template_driver: golang
+  varnish_config:
+    name: ${STACK_NAME}_varnish_config_${VARNISH_CONFIG_VERSION}
+    file: default.vcl.tmpl
+    template_driver: golang
 
 secrets:
   postgres_password:

default.vcl.tmpl

@@ -0,0 +1,23 @@
+vcl 4.1;
+
+backend default {
+    .host = "{{ env "STACK_NAME" }}_app";
+    .port = "4000";
+}
+
+sub vcl_recv {
+	if (req.method == "PURGE" || req.method == "purge") {
+        return (purge);
+	}
+
+    if (req.http.upgrade ~ "(?i)websocket") {
+        return (pipe);
+    }
+}
+
+sub vcl_pipe {
+    if (req.http.upgrade) {
+        set bereq.http.upgrade = req.http.upgrade;
+        set bereq.http.connection = req.http.connection;
+    }
+}

entrypoint.sh.tmpl

@@ -9,12 +9,7 @@ export ENCRYPTION_SALT=$(cat /run/secrets/encryption_salt)
 export SEEDS_PW=$(cat /run/secrets/seeds_pw)
 export LIVEBOOK_PASSWORD=$(cat /run/secrets/livebook_password)
 
-# Only read the secret when the MAIL_PASSWORD was not set to remain backwards compatible
-if [[ -z ${MAIL_PASSWORD} ]]; then
-    export MAIL_PASSWORD=$(cat /run/secrets/mail_password)
-fi
-
 echo "....Secrets have been loaded, now run $@...."
 
 # This will exec the CMD from your Dockerfile
-exec "$@"
+exec "$@"

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ]
-}