restructure env file

.env.sample

@@ -1,41 +1,13 @@
 TYPE=bonfire
 
-# choose what flavour of Bonfire to run
-FLAVOUR=social
-APP_VERSION=latest
-
-# choose what extra services you want to run
-COMPOSE_FILE="compose.yml:compose.meilisearch.yml"
-
-# To use Sonic instead of Meilisearch as the search backend:
-# COMPOSE_FILE="compose.yml:compose.sonic.yml"
-
-# Enable `compose.mail.yml` to set secrets for sending emails (remember to also include your chosen search backend's compose file):
-# COMPOSE_FILE="compose.yml:compose.mail.yml"
-
-# Enable `compose.postgres.tune.yml` for Postgres tuning (can only be enabled *after* your instance already is deployed and working)  (and remember to also include your chosen search backend and mailer's compose files)
-# COMPOSE_FILE="compose.yml:compose.postgres.tune.yml"
-
-APP_VERSION_FLAVOUR=${APP_VERSION}-${FLAVOUR}
-# Different flavours/forks or architectures may require different builds of bonfire:
-# for ARM (manual build):
-# APP_DOCKER_IMAGE=bonfirenetworks/bonfire:${APP_VERSION_FLAVOUR}-aarch64
-# for x86 (built by CI):
-APP_DOCKER_IMAGE=bonfirenetworks/bonfire:${APP_VERSION_FLAVOUR}-amd64
-# multi-arch image (built by CI, but currently not working): 
-#APP_DOCKER_IMAGE=bonfirenetworks/bonfire:${APP_VERSION_FLAVOUR}
-
-DB_DOCKER_VERSION=17-3.5
-# note that different flavours or architectures may require different postgres builds:
-# For ARM or x86:
-DB_DOCKER_IMAGE=ghcr.io/baosystems/postgis:${DB_DOCKER_VERSION}
-# for x86:
-# DB_DOCKER_IMAGE=postgis/postgis:${DB_DOCKER_VERSION}-alpine
-# multiarch (but doesn't have required Postgis extension)
-#DB_DOCKER_IMAGE=postgres:${DB_DOCKER_VERSION}-alpine
-# TODO: maybe to use for Upgrading to a new Postgres version? (NOTE: does not work with postgis data)
-# DB_DOCKER_IMAGE=pgautoupgrade/pgautoupgrade:16-alpine
+LETS_ENCRYPT_ENV=production
 
+# choose what flavour of Bonfire to run. default: social
+#APP_FLAVOUR=social
+# uncomment to run specific version e.g. v1.0.4 or latest release branch. available: latest, latest-beta, latest-alpha
+#APP_VERSION=latest
+# choose specific build. default: amd64, available: aarch64
+#APP_PLATFORM=aarch64
 
 # enter your instance's domain name
 DOMAIN=bonfire.example.com
@@ -46,12 +18,12 @@ DOMAIN=bonfire.example.com
 # enable abra backups
 ENABLE_BACKUPS=true
 
+COMPOSE_FILE="compose.yml"
 
-# uncomment in order to NOT automatically change the database schema when you upgrade the app
-# DISABLE_DB_AUTOMIGRATION=true
-
-# max file upload size - default is 20 meg
-UPLOAD_LIMIT=20000000
+# ====================================
+# DATABASE CONFIG
+COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
+SECRET_POSTGRES_PASSWORD_VERSION=v1
 
 # upper limit for how much RAM you want the DB to use, in megabytes (the same amount of swap will also be allocated to the DB container)
 DB_MEMORY_LIMIT=5000
@@ -59,26 +31,44 @@ DB_MEMORY_LIMIT=5000
 # set to true *after* your initial deployment to enable concurrent index creation for faster migrations in future upgrades
 DB_MIGRATE_INDEXES_CONCURRENTLY=false
 
-# how much info to include in logs (from less to more: emergency, alert, critical, error, warning, notice, info, debug)
-LOG_LEVEL=info
+# for manual selection of DB version and docker image uncomment
+#DB_DOCKER_VERSION=17-3.5
+# note that different flavours or architectures may require different postgres builds:
+# For ARM or x86:
+#DB_DOCKER_IMAGE=ghcr.io/baosystems/postgis
+# for x86:
+#DB_DOCKER_IMAGE=postgis/postgis
+#DB_DOCKER_VERSION=17-3.5-alpine
+
+# uncomment in order to NOT automatically change the database schema when you upgrade the app
+# DISABLE_DB_AUTOMIGRATION=true
+
+# Enable `compose.postgres.tune.yml` for Postgres tuning (can only be enabled *after* your instance already is deployed and working)  (and remember to also include your chosen search backend and mailer's compose files)
+# COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.tune.yml"
 
 # ====================================
-# SECRETS
+# SEARCH BACKEND
 
-# please make sure you change everything to your own secrets!
-# and do not check your env file into any public git repo 
-# change ALL the values:
+# recommended search backend sonic
+COMPOSE_FILE="$COMPOSE_FILE:compose.sonic.yml"
+SECRET_SONIC_PASSWORD_VERSION=v1
+
+# alternative search service
+#COMPOSE_FILE="$COMPOSE_FILE:compose.meilisearch.yml"
+#SECRET_MEILI_MASTER_KEY_VERSION=v1
+
+# ====================================
+# MAIL
+
+# Enable `compose.mail.yml` to set secrets for sending emails (remember to also include your chosen search backend's compose file):
+# COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml"
+# SECRET_MAIL_KEY_VERSION=v1
 
 # what service to use for sending out emails (eg. smtp, mailgun, none) NOTE: you should also set the corresponding keys below for the relevant service you choose, and uncomment the COMPOSE_FILE line for the relevant service if needed
-MAIL_BACKEND=none
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml"
-#SECRET_MAIL_PASSWORD_VERSION=v1
+#MAIL_BACKEND=none
 
 # signup to an email service and edit with relevant info, see: https://docs.bonfirenetworks.org/Bonfire.Mailer.html
 # MAIL_DOMAIN=mgo.example.com
-# MAIL_KEY=xyz
-# NOTE: please add `compose.mail.yml` to COMPOSE_FILE above and use the abra secret instead of env for secrets ^
 # MAIL_FROM=admin@example.com
 # MAIL_PROJECT_ID=
 # MAIL_PRIVATE_KEY=
@@ -94,6 +84,12 @@ MAIL_BACKEND=none
 # MAIL_RETRIES=
 # MAIL_ARGS=
 
+# ====================================
+# UPLOADS
+
+# max file upload size - default is 20 meg
+UPLOAD_LIMIT=20000000
+
 # Store uploads in S3-compatible service:
 # UPLOADS_S3_BUCKET=
 # UPLOADS_S3_ACCESS_KEY_ID=
@@ -107,15 +103,12 @@ MAIL_BACKEND=none
 # AWS_ROLE_ARN=
 # AWS_WEB_IDENTITY_TOKEN_FILE=
 
-# GHOST Integration
-#GHOST_URL=https://example.ghost.io
-#GHOST_CONTENT_API_KEY=
-#GHOST_ADMIN_API_KEY=
-#IFRAME_ALLOWED_ORIGINS=https://example.com
+# ====================================
+# SSO
 
 # Enable using Bonfire as an SSO provider for external apps to sign in with?
 # ENABLE_SSO_PROVIDER=false
-OAUTH_ISSUER=https://${DOMAIN}
+#OAUTH_ISSUER=https://${DOMAIN}
 
 # OpenID Connect: connect as a client to the OpenID Connect provider with callback url https://yourinstance.tld/oauth/client/openid_1
 # OPENID_1_DISCOVERY=
@@ -144,6 +137,15 @@ OAUTH_ISSUER=https://${DOMAIN}
 # GITHUB_APP_CLIENT_ID=
 # GITHUB_CLIENT_SECRET=
 
+# ====================================
+# MISC
+
+# GHOST Integration
+#GHOST_URL=https://example.ghost.io
+#GHOST_CONTENT_API_KEY=
+#GHOST_ADMIN_API_KEY=
+#IFRAME_ALLOWED_ORIGINS=https://example.com
+
 # More Bonfire extensions configs:
 # WEB_PUSH_SUBJECT=mailto:admin@example.com
 # WEB_PUSH_PUBLIC_KEY=xyz
@@ -152,36 +154,19 @@ OAUTH_ISSUER=https://${DOMAIN}
 # GITHUB_TOKEN=xyz
 # AKISMET_API_KEY=
 
-WITH_LV_NATIVE=0
-WITH_IMAGE_VIX=1
-WITH_AI=0
-LIVE_DASHBOARD_LOGGER=false
+# how much info to include in logs (from less to more: emergency, alert, critical, error, warning, notice, info, debug)
+LOG_LEVEL=info
 
 # error reporting:
 # SENTRY_DSN=
 
 # ====================================
+# SECRETS
 # these secrets will be autogenerated/managed by abra and docker"
-SECRET_POSTGRES_PASSWORD_VERSION=v1
-SECRET_MEILI_MASTER_KEY_VERSION=v1
-SECRET_SONIC_PASSWORD_VERSION=v1
+
 SECRET_SEEDS_PW_VERSION=v1
 SECRET_LIVEBOOK_PASSWORD_VERSION=v1
-SECRET_MAIL_KEY_VERSION=v1
 SECRET_SECRET_KEY_BASE_VERSION=v1 # length=128
 SECRET_SIGNING_SALT_VERSION=v1 # length=128
 SECRET_ENCRYPTION_SALT_VERSION=v1 # length=128
 
-# ====================================
-# You should not have to edit any of the following ones:
-APP_NAME=Bonfire
-LANG=en_US.UTF-8
-SEEDS_USER=root
-ERLANG_COOKIE=bonfire_cookie
-REPLACE_OS_VARS=true
-LIVEVIEW_ENABLED=true
-ACME_AGREE=true
-SHOW_DEBUG_IN_DEV=true
-LETS_ENCRYPT_ENV=production
-HOSTNAME=$DOMAIN
-#PLUG_SERVER=bandit

compose.postgres.yml

@@ -0,0 +1,68 @@
+version: '3.8'
+
+x-postgres-env: &postgres-env
+  POSTGRES_DB: bonfire_db
+  POSTGRES_USER: postgres
+  POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+
+services:
+  app:
+    environment:
+      <<: *postgres-env
+      POSTGRES_HOST: ${STACK_NAME}_db
+    secrets:
+      - postgres_password
+
+  db:
+    image: ${DB_DOCKER_IMAGE:-ghcr.io/baosystems/postgis}:${DB_DOCKER_VERSION:-17-3.5}
+    command: >
+      postgres
+      -c max_connections=200
+      -c shared_buffers=${DB_MEMORY_LIMIT}MB
+    # -c shared_preload_libraries='pg_stat_statements'
+    # -c statement_timeout=1800000
+    # -c pg_stat_statements.track=all
+    #entrypoint: ['tail', '-f', '/dev/null'] # uncomment when the Postgres DB is corrupted and won't start
+    volumes:
+      - db-data:/var/lib/postgresql/data
+      - type: tmpfs
+        target: /dev/shm
+        tmpfs:
+           size: 1000000000
+           # about 1 GB in bytes 
+    tmpfs:
+      - /tmp:size=${DB_MEMORY_LIMIT}M^
+    networks:
+      - internal
+    environment:
+      <<: *postgres-env
+    secrets:
+      - postgres_password
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready", "-U", "postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    deploy:
+      labels:
+        backupbot.backup: ${ENABLE_BACKUPS:-true}
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.db-data.path: "backup.sql"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
+
+volumes:
+   db-data:
+
+configs:
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh
+
+secrets:
+  postgres_password:
+    external: true
+    name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION:-v1}

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: ${APP_DOCKER_IMAGE}
+    image: bonfirenetworks/bonfire:${APP_VERSION:-1.0.4}-${APP_FLAVOUR:-social}-${APP_PLATFORM:-amd64}
     logging:
       driver: "json-file"
       options:
@@ -12,34 +12,31 @@ services:
     depends_on:
       - db
     environment:
-      - POSTGRES_HOST=${STACK_NAME}_db
-      - POSTGRES_USER=postgres
-      - POSTGRES_DB=bonfire_db
       - PUBLIC_PORT=443
       - MIX_ENV=prod
       
-      - HOSTNAME
+      - HOSTNAME=${DOMAIN}
       - INSTANCE_DESCRIPTION
       - DISABLE_DB_AUTOMIGRATION
       - UPLOAD_LIMIT
       - INVITE_KEY
-      - LANG
-      - SEEDS_USER
-      - ERLANG_COOKIE
-      - REPLACE_OS_VARS
-      - LIVEVIEW_ENABLED
-      - APP_NAME
+      - LANG=${LANG:-en_US.UTF-8}
+      - SEEDS_USER=${SEEDS_USER:-root}
+      - ERLANG_COOKIE=${ERLANG_COOKIE:-bonfire_cookie}
+      - REPLACE_OS_VARS=${REPLACE_OS_VARS:-true}
+      - LIVEVIEW_ENABLED=${LIVEVIEW_ENABLED:-true}
+      - APP_NAME={APP_NAME:-Bonfire}
       - PLUG_SERVER
-      - WITH_LV_NATIVE
-      - WITH_IMAGE_VIX
-      - WITH_AI
-      - LIVE_DASHBOARD_LOGGER
+      - WITH_LV_NATIVE=${WITH_LV_NATIVE:-0}
+      - WITH_IMAGE_VIX=${WITH_IMAGE_VIX:-1}
+      - WITH_AI=${WITH_AI:-0}
+      - LIVE_DASHBOARD_LOGGER=${LIVE_DASHBOARD_LOGGER:-false}
       
       - DB_SLOW_QUERY_MS
       - DB_STATEMENT_TIMEOUT
       - DB_MIGRATE_INDEXES_CONCURRENTLY
 
-      - MAIL_BACKEND
+      - MAIL_BACKEND=${MAIL_BACKEND:-none}
       - MAIL_DOMAIN
       - MAIL_FROM
       - MAIL_KEY
@@ -115,7 +112,6 @@ services:
       - IFRAME_ALLOWED_ORIGINS
       
     secrets:
-      - postgres_password
       - secret_key_base
       - signing_salt
       - encryption_salt
@@ -150,53 +146,12 @@ services:
         #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-    # healthcheck:
-    #   test: ["CMD", "curl", "-f", "http://localhost"]
-    #   interval: 30s
-    #   timeout: 10s
-    #   retries: 10
-    #   start_period: 1m
-
-  db:
-    image: ${DB_DOCKER_IMAGE}
-    environment:
-      # - POSTGRES_PASSWORD
-      - POSTGRES_USER=postgres
-      - POSTGRES_DB=bonfire_db
-      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
-    secrets:
-      - postgres_password
-    volumes:
-      - db-data:/var/lib/postgresql/data
-      - type: tmpfs
-        target: /dev/shm
-        tmpfs:
-           size: 1000000000
-           # about 1 GB in bytes ^
-    networks:
-      - internal
-    # shm_size: ${DB_MEMORY_LIMIT} # unsupported by docker swarm
-    tmpfs:
-      - /tmp:size=${DB_MEMORY_LIMIT}M
-    command: >
-      postgres
-      -c max_connections=200
-      -c shared_buffers=${DB_MEMORY_LIMIT}MB
-    # -c shared_preload_libraries='pg_stat_statements'
-    # -c statement_timeout=1800000
-    # -c pg_stat_statements.track=all
-    #entrypoint: ['tail', '-f', '/dev/null'] # uncomment when the Postgres DB is corrupted and won't start
-    deploy:
-      labels:
-        backupbot.backup: ${ENABLE_BACKUPS:-true}
-        # backupbot.backup.volumes.db-data: false
-        backupbot.backup.volumes.db-data.path: "backup.sql"
-        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
-    configs:
-        - source: pg_backup
-          target: /pg_backup.sh
-          mode: 0555
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:4000"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 15s
 
 volumes:
   db-data:
@@ -213,14 +168,8 @@ configs:
     name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION:-v3}
     file: entrypoint.sh.tmpl
     template_driver: golang
-  pg_backup:
-    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION:-v4}
-    file: pg_backup.sh
 
 secrets:
-  postgres_password:
-    external: true
-    name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION:-v1}
   secret_key_base:
     external: true
     name: ${STACK_NAME}_secret_key_base_${SECRET_SECRET_KEY_BASE_VERSION:-v1}