From 8b2f211eee53e15d59883ffcf18c37dce15799ca Mon Sep 17 00:00:00 2001 From: stevensting Date: Thu, 25 Jun 2026 11:35:18 +0200 Subject: [PATCH 01/15] move some env var defaults to compose --- .env.sample | 15 ++------------- compose.yml | 16 +++++++++------- 2 files changed, 11 insertions(+), 20 deletions(-) diff --git a/.env.sample b/.env.sample index 8a07293..fb1ec06 100644 --- a/.env.sample +++ b/.env.sample @@ -1,5 +1,7 @@ TYPE=bonfire +LETS_ENCRYPT_ENV=production + # choose what flavour of Bonfire to run FLAVOUR=social APP_VERSION=latest @@ -172,16 +174,3 @@ SECRET_SECRET_KEY_BASE_VERSION=v1 # length=128 SECRET_SIGNING_SALT_VERSION=v1 # length=128 SECRET_ENCRYPTION_SALT_VERSION=v1 # length=128 -# ==================================== -# You should not have to edit any of the following ones: -APP_NAME=Bonfire -LANG=en_US.UTF-8 -SEEDS_USER=root -ERLANG_COOKIE=bonfire_cookie -REPLACE_OS_VARS=true -LIVEVIEW_ENABLED=true -ACME_AGREE=true -SHOW_DEBUG_IN_DEV=true -LETS_ENCRYPT_ENV=production -HOSTNAME=$DOMAIN -#PLUG_SERVER=bandit diff --git a/compose.yml b/compose.yml index b33910b..11bba39 100644 --- a/compose.yml +++ b/compose.yml @@ -18,17 +18,19 @@ services: - PUBLIC_PORT=443 - MIX_ENV=prod - - HOSTNAME + - HOSTNAME=${DOMAIN} - INSTANCE_DESCRIPTION - DISABLE_DB_AUTOMIGRATION - UPLOAD_LIMIT - INVITE_KEY - - LANG - - SEEDS_USER - - ERLANG_COOKIE - - REPLACE_OS_VARS - - LIVEVIEW_ENABLED - - APP_NAME + - LANG=${LANG:-en_US.UTF-8} + - SEEDS_USER=${SEEDS_USER:-root} + - ERLANG_COOKIE=${ERLANG_COOKIE:-bonfire_cookie} + - REPLACE_OS_VARS=${REPLACE_OS_VARS:-true} + - LIVEVIEW_ENABLED=${LIVEVIEW_ENABLED:-true} + - ACME_AGREE=${ACME_AGREE:-true} + - SHOW_DEBUG_IN_DEV=${SHOW_DEBUG_IN_DEV:-true} + - APP_NAME={APP_NAME:-Bonfire} - PLUG_SERVER - WITH_LV_NATIVE - WITH_IMAGE_VIX -- 2.52.0 From f1e87ae7ca195147e72057925cec19ebbe9ebf48 Mon Sep 17 00:00:00 2001 From: stevensting Date: Thu, 25 Jun 2026 11:47:06 +0200 Subject: [PATCH 02/15] remove unused env vars --- compose.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/compose.yml b/compose.yml index 11bba39..140e82c 100644 --- a/compose.yml +++ b/compose.yml @@ -28,8 +28,6 @@ services: - ERLANG_COOKIE=${ERLANG_COOKIE:-bonfire_cookie} - REPLACE_OS_VARS=${REPLACE_OS_VARS:-true} - LIVEVIEW_ENABLED=${LIVEVIEW_ENABLED:-true} - - ACME_AGREE=${ACME_AGREE:-true} - - SHOW_DEBUG_IN_DEV=${SHOW_DEBUG_IN_DEV:-true} - APP_NAME={APP_NAME:-Bonfire} - PLUG_SERVER - WITH_LV_NATIVE -- 2.52.0 From bac96b0b82883cbed5cb548113f7854cc27a9fec Mon Sep 17 00:00:00 2001 From: stevensting Date: Thu, 25 Jun 2026 12:48:05 +0200 Subject: [PATCH 03/15] move db to own compose file and fix version --- .env.sample | 38 ++++++++++++++----------- compose.postgres.yml | 68 ++++++++++++++++++++++++++++++++++++++++++++ compose.yml | 51 --------------------------------- 3 files changed, 89 insertions(+), 68 deletions(-) create mode 100644 compose.postgres.yml diff --git a/.env.sample b/.env.sample index fb1ec06..5565df2 100644 --- a/.env.sample +++ b/.env.sample @@ -6,17 +6,33 @@ LETS_ENCRYPT_ENV=production FLAVOUR=social APP_VERSION=latest +# enter your instance's domain name +DOMAIN=bonfire.example.com +# DO NOT CHANGE DOMAIN AFTER DEPLOYMENT! WILL BREAK FEDERATION!! +## Domain aliases +#EXTRA_DOMAINS=', `www.bonfire.example.com`' + +# enable abra backups +ENABLE_BACKUPS=true + +COMPOSE_FILE="compose.yml" + +# ==================================== +# Database config +COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml" +SECRET_POSTGRES_PASSWORD_VERSION=v1 + # choose what extra services you want to run -COMPOSE_FILE="compose.yml:compose.meilisearch.yml" +COMPOSE_FILE="$COMPOSE_FILE:compose.meilisearch.yml" # To use Sonic instead of Meilisearch as the search backend: -# COMPOSE_FILE="compose.yml:compose.sonic.yml" +# COMPOSE_FILE="$COMPOSE_FILE:compose.sonic.yml" # Enable `compose.mail.yml` to set secrets for sending emails (remember to also include your chosen search backend's compose file): -# COMPOSE_FILE="compose.yml:compose.mail.yml" +# COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml" # Enable `compose.postgres.tune.yml` for Postgres tuning (can only be enabled *after* your instance already is deployed and working) (and remember to also include your chosen search backend and mailer's compose files) -# COMPOSE_FILE="compose.yml:compose.postgres.tune.yml" +# COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.tune.yml" APP_VERSION_FLAVOUR=${APP_VERSION}-${FLAVOUR} # Different flavours/forks or architectures may require different builds of bonfire: @@ -30,7 +46,7 @@ APP_DOCKER_IMAGE=bonfirenetworks/bonfire:${APP_VERSION_FLAVOUR}-amd64 DB_DOCKER_VERSION=17-3.5 # note that different flavours or architectures may require different postgres builds: # For ARM or x86: -DB_DOCKER_IMAGE=ghcr.io/baosystems/postgis:${DB_DOCKER_VERSION} +DB_DOCKER_IMAGE=ghcr.io/baosystems/postgis # for x86: # DB_DOCKER_IMAGE=postgis/postgis:${DB_DOCKER_VERSION}-alpine # multiarch (but doesn't have required Postgis extension) @@ -38,17 +54,6 @@ DB_DOCKER_IMAGE=ghcr.io/baosystems/postgis:${DB_DOCKER_VERSION} # TODO: maybe to use for Upgrading to a new Postgres version? (NOTE: does not work with postgis data) # DB_DOCKER_IMAGE=pgautoupgrade/pgautoupgrade:16-alpine - -# enter your instance's domain name -DOMAIN=bonfire.example.com -# DO NOT CHANGE DOMAIN AFTER DEPLOYMENT! WILL BREAK FEDERATION!! -## Domain aliases -#EXTRA_DOMAINS=', `www.bonfire.example.com`' - -# enable abra backups -ENABLE_BACKUPS=true - - # uncomment in order to NOT automatically change the database schema when you upgrade the app # DISABLE_DB_AUTOMIGRATION=true @@ -164,7 +169,6 @@ LIVE_DASHBOARD_LOGGER=false # ==================================== # these secrets will be autogenerated/managed by abra and docker" -SECRET_POSTGRES_PASSWORD_VERSION=v1 SECRET_MEILI_MASTER_KEY_VERSION=v1 SECRET_SONIC_PASSWORD_VERSION=v1 SECRET_SEEDS_PW_VERSION=v1 diff --git a/compose.postgres.yml b/compose.postgres.yml new file mode 100644 index 0000000..a7315f0 --- /dev/null +++ b/compose.postgres.yml @@ -0,0 +1,68 @@ +version: '3.8' + +x-postgres-env: &postgres-env + POSTGRES_DB: bonfire_db + POSTGRES_USER: postgres + POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password + +services: + app: + environment: + <<: *postgres-env + POSTGRES_HOST: ${STACK_NAME}_db + secrets: + - postgres_password + + db: + image: ${DB_DOCKER_IMAGE:-ghcr.io/baosystems/postgis}:${DB_DOCKER_VERSION:-17-3.5} + command: > + postgres + -c max_connections=200 + -c shared_buffers=${DB_MEMORY_LIMIT}MB + # -c shared_preload_libraries='pg_stat_statements' + # -c statement_timeout=1800000 + # -c pg_stat_statements.track=all + #entrypoint: ['tail', '-f', '/dev/null'] # uncomment when the Postgres DB is corrupted and won't start + volumes: + - db-data:/var/lib/postgresql/data + - type: tmpfs + target: /dev/shm + tmpfs: + size: 1000000000 + # about 1 GB in bytes + tmpfs: + - /tmp:size=${DB_MEMORY_LIMIT}M^ + networks: + - internal + environment: + <<: *postgres-env + secrets: + - postgres_password + healthcheck: + test: ["CMD-SHELL", "pg_isready", "-U", "postgres"] + interval: 10s + timeout: 5s + retries: 5 + deploy: + labels: + backupbot.backup: ${ENABLE_BACKUPS:-true} + backupbot.backup.pre-hook: "/pg_backup.sh backup" + backupbot.backup.volumes.db-data.path: "backup.sql" + backupbot.restore.post-hook: '/pg_backup.sh restore' + configs: + - source: pg_backup + target: /pg_backup.sh + mode: 0555 + +volumes: + db-data: + +configs: + pg_backup: + name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION} + file: pg_backup.sh + +secrets: + postgres_password: + external: true + name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION:-v1} \ No newline at end of file diff --git a/compose.yml b/compose.yml index 140e82c..51d0f1f 100644 --- a/compose.yml +++ b/compose.yml @@ -12,9 +12,6 @@ services: depends_on: - db environment: - - POSTGRES_HOST=${STACK_NAME}_db - - POSTGRES_USER=postgres - - POSTGRES_DB=bonfire_db - PUBLIC_PORT=443 - MIX_ENV=prod @@ -115,7 +112,6 @@ services: - IFRAME_ALLOWED_ORIGINS secrets: - - postgres_password - secret_key_base - signing_salt - encryption_salt @@ -157,47 +153,6 @@ services: # retries: 10 # start_period: 1m - db: - image: ${DB_DOCKER_IMAGE} - environment: - # - POSTGRES_PASSWORD - - POSTGRES_USER=postgres - - POSTGRES_DB=bonfire_db - - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password - secrets: - - postgres_password - volumes: - - db-data:/var/lib/postgresql/data - - type: tmpfs - target: /dev/shm - tmpfs: - size: 1000000000 - # about 1 GB in bytes ^ - networks: - - internal - # shm_size: ${DB_MEMORY_LIMIT} # unsupported by docker swarm - tmpfs: - - /tmp:size=${DB_MEMORY_LIMIT}M - command: > - postgres - -c max_connections=200 - -c shared_buffers=${DB_MEMORY_LIMIT}MB - # -c shared_preload_libraries='pg_stat_statements' - # -c statement_timeout=1800000 - # -c pg_stat_statements.track=all - #entrypoint: ['tail', '-f', '/dev/null'] # uncomment when the Postgres DB is corrupted and won't start - deploy: - labels: - backupbot.backup: ${ENABLE_BACKUPS:-true} - # backupbot.backup.volumes.db-data: false - backupbot.backup.volumes.db-data.path: "backup.sql" - backupbot.backup.pre-hook: "/pg_backup.sh backup" - backupbot.restore.post-hook: '/pg_backup.sh restore' - configs: - - source: pg_backup - target: /pg_backup.sh - mode: 0555 - volumes: db-data: upload-data: @@ -213,14 +168,8 @@ configs: name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION:-v3} file: entrypoint.sh.tmpl template_driver: golang - pg_backup: - name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION:-v4} - file: pg_backup.sh secrets: - postgres_password: - external: true - name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION:-v1} secret_key_base: external: true name: ${STACK_NAME}_secret_key_base_${SECRET_SECRET_KEY_BASE_VERSION:-v1} -- 2.52.0 From 8436baf85b528c4223065e758acaa381f58c4b54 Mon Sep 17 00:00:00 2001 From: stevensting Date: Thu, 25 Jun 2026 13:22:31 +0200 Subject: [PATCH 04/15] add healthcheck --- compose.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/compose.yml b/compose.yml index 51d0f1f..15739b0 100644 --- a/compose.yml +++ b/compose.yml @@ -146,12 +146,12 @@ services: #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - # healthcheck: - # test: ["CMD", "curl", "-f", "http://localhost"] - # interval: 30s - # timeout: 10s - # retries: 10 - # start_period: 1m + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:4000"] + interval: 30s + timeout: 10s + retries: 10 + start_period: 15s volumes: db-data: -- 2.52.0 From 04a045ed33e6f2fa3ec209d5873d92a195a8e377 Mon Sep 17 00:00:00 2001 From: stevensting Date: Fri, 26 Jun 2026 10:56:12 +0200 Subject: [PATCH 05/15] fex versions of app and db, restructure .env.sample --- .env.sample | 69 +++++++++++++++++++++++++---------------------------- compose.yml | 4 ++-- 2 files changed, 34 insertions(+), 39 deletions(-) diff --git a/.env.sample b/.env.sample index 5565df2..19e83e1 100644 --- a/.env.sample +++ b/.env.sample @@ -2,9 +2,12 @@ TYPE=bonfire LETS_ENCRYPT_ENV=production -# choose what flavour of Bonfire to run -FLAVOUR=social -APP_VERSION=latest +# choose what flavour of Bonfire to run. default: social +#APP_FLAVOUR=social +# uncomment to run specific version e.g. v1.0.4 or latest release branch. available: latest, latest-beta, latest-alpha +#APP_VERSION=latest +# choose specific build. default: amd64, available: aarch64 +#APP_PLATFORM=aarch64 # enter your instance's domain name DOMAIN=bonfire.example.com @@ -18,10 +21,34 @@ ENABLE_BACKUPS=true COMPOSE_FILE="compose.yml" # ==================================== -# Database config +# DATABASE CONFIG COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml" SECRET_POSTGRES_PASSWORD_VERSION=v1 +# upper limit for how much RAM you want the DB to use, in megabytes (the same amount of swap will also be allocated to the DB container) +DB_MEMORY_LIMIT=5000 + +# set to true *after* your initial deployment to enable concurrent index creation for faster migrations in future upgrades +DB_MIGRATE_INDEXES_CONCURRENTLY=false + +# for manual selection of DB version and docker image uncomment +#DB_DOCKER_VERSION=17-3.5 +# note that different flavours or architectures may require different postgres builds: +# For ARM or x86: +#DB_DOCKER_IMAGE=ghcr.io/baosystems/postgis +# for x86: +#DB_DOCKER_IMAGE=postgis/postgis +#DB_DOCKER_VERSION=17-3.5-alpine + +# uncomment in order to NOT automatically change the database schema when you upgrade the app +# DISABLE_DB_AUTOMIGRATION=true + +# Enable `compose.postgres.tune.yml` for Postgres tuning (can only be enabled *after* your instance already is deployed and working) (and remember to also include your chosen search backend and mailer's compose files) +# COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.tune.yml" + +# ==================================== +# SEARCH SERVICE + # choose what extra services you want to run COMPOSE_FILE="$COMPOSE_FILE:compose.meilisearch.yml" @@ -31,41 +58,9 @@ COMPOSE_FILE="$COMPOSE_FILE:compose.meilisearch.yml" # Enable `compose.mail.yml` to set secrets for sending emails (remember to also include your chosen search backend's compose file): # COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml" -# Enable `compose.postgres.tune.yml` for Postgres tuning (can only be enabled *after* your instance already is deployed and working) (and remember to also include your chosen search backend and mailer's compose files) -# COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.tune.yml" - -APP_VERSION_FLAVOUR=${APP_VERSION}-${FLAVOUR} -# Different flavours/forks or architectures may require different builds of bonfire: -# for ARM (manual build): -# APP_DOCKER_IMAGE=bonfirenetworks/bonfire:${APP_VERSION_FLAVOUR}-aarch64 -# for x86 (built by CI): -APP_DOCKER_IMAGE=bonfirenetworks/bonfire:${APP_VERSION_FLAVOUR}-amd64 -# multi-arch image (built by CI, but currently not working): -#APP_DOCKER_IMAGE=bonfirenetworks/bonfire:${APP_VERSION_FLAVOUR} - -DB_DOCKER_VERSION=17-3.5 -# note that different flavours or architectures may require different postgres builds: -# For ARM or x86: -DB_DOCKER_IMAGE=ghcr.io/baosystems/postgis -# for x86: -# DB_DOCKER_IMAGE=postgis/postgis:${DB_DOCKER_VERSION}-alpine -# multiarch (but doesn't have required Postgis extension) -#DB_DOCKER_IMAGE=postgres:${DB_DOCKER_VERSION}-alpine -# TODO: maybe to use for Upgrading to a new Postgres version? (NOTE: does not work with postgis data) -# DB_DOCKER_IMAGE=pgautoupgrade/pgautoupgrade:16-alpine - -# uncomment in order to NOT automatically change the database schema when you upgrade the app -# DISABLE_DB_AUTOMIGRATION=true - # max file upload size - default is 20 meg UPLOAD_LIMIT=20000000 -# upper limit for how much RAM you want the DB to use, in megabytes (the same amount of swap will also be allocated to the DB container) -DB_MEMORY_LIMIT=5000 - -# set to true *after* your initial deployment to enable concurrent index creation for faster migrations in future upgrades -DB_MIGRATE_INDEXES_CONCURRENTLY=false - # how much info to include in logs (from less to more: emergency, alert, critical, error, warning, notice, info, debug) LOG_LEVEL=info @@ -77,7 +72,7 @@ LOG_LEVEL=info # change ALL the values: # what service to use for sending out emails (eg. smtp, mailgun, none) NOTE: you should also set the corresponding keys below for the relevant service you choose, and uncomment the COMPOSE_FILE line for the relevant service if needed -MAIL_BACKEND=none +#MAIL_BACKEND=none #COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml" #SECRET_MAIL_PASSWORD_VERSION=v1 diff --git a/compose.yml b/compose.yml index 15739b0..35846fb 100644 --- a/compose.yml +++ b/compose.yml @@ -3,7 +3,7 @@ version: "3.8" services: app: - image: ${APP_DOCKER_IMAGE} + image: bonfirenetworks/bonfire:${APP_VERSION:-1.0.4}-${APP_FLAVOUR:-social}-${APP_PLATFORM:-amd64} logging: driver: "json-file" options: @@ -36,7 +36,7 @@ services: - DB_STATEMENT_TIMEOUT - DB_MIGRATE_INDEXES_CONCURRENTLY - - MAIL_BACKEND + - MAIL_BACKEND=${MAIL_BACKEND:-none} - MAIL_DOMAIN - MAIL_FROM - MAIL_KEY -- 2.52.0 From 35d67a6823fc8aa0f6f40a97f71127e8b72f6193 Mon Sep 17 00:00:00 2001 From: stevensting Date: Fri, 26 Jun 2026 12:31:09 +0200 Subject: [PATCH 06/15] restructure env file --- .env.sample | 69 +++++++++++++++++++++++++---------------------------- compose.yml | 8 +++---- 2 files changed, 37 insertions(+), 40 deletions(-) diff --git a/.env.sample b/.env.sample index 19e83e1..cd98409 100644 --- a/.env.sample +++ b/.env.sample @@ -47,40 +47,28 @@ DB_MIGRATE_INDEXES_CONCURRENTLY=false # COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.tune.yml" # ==================================== -# SEARCH SERVICE +# SEARCH BACKEND -# choose what extra services you want to run -COMPOSE_FILE="$COMPOSE_FILE:compose.meilisearch.yml" +# recommended search backend sonic +COMPOSE_FILE="$COMPOSE_FILE:compose.sonic.yml" +SECRET_SONIC_PASSWORD_VERSION=v1 -# To use Sonic instead of Meilisearch as the search backend: -# COMPOSE_FILE="$COMPOSE_FILE:compose.sonic.yml" +# alternative search service +#COMPOSE_FILE="$COMPOSE_FILE:compose.meilisearch.yml" +#SECRET_MEILI_MASTER_KEY_VERSION=v1 + +# ==================================== +# MAIL # Enable `compose.mail.yml` to set secrets for sending emails (remember to also include your chosen search backend's compose file): # COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml" - -# max file upload size - default is 20 meg -UPLOAD_LIMIT=20000000 - -# how much info to include in logs (from less to more: emergency, alert, critical, error, warning, notice, info, debug) -LOG_LEVEL=info - -# ==================================== -# SECRETS - -# please make sure you change everything to your own secrets! -# and do not check your env file into any public git repo -# change ALL the values: +# SECRET_MAIL_KEY_VERSION=v1 # what service to use for sending out emails (eg. smtp, mailgun, none) NOTE: you should also set the corresponding keys below for the relevant service you choose, and uncomment the COMPOSE_FILE line for the relevant service if needed #MAIL_BACKEND=none -#COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml" -#SECRET_MAIL_PASSWORD_VERSION=v1 - # signup to an email service and edit with relevant info, see: https://docs.bonfirenetworks.org/Bonfire.Mailer.html # MAIL_DOMAIN=mgo.example.com -# MAIL_KEY=xyz -# NOTE: please add `compose.mail.yml` to COMPOSE_FILE above and use the abra secret instead of env for secrets ^ # MAIL_FROM=admin@example.com # MAIL_PROJECT_ID= # MAIL_PRIVATE_KEY= @@ -96,6 +84,12 @@ LOG_LEVEL=info # MAIL_RETRIES= # MAIL_ARGS= +# ==================================== +# UPLOADS + +# max file upload size - default is 20 meg +UPLOAD_LIMIT=20000000 + # Store uploads in S3-compatible service: # UPLOADS_S3_BUCKET= # UPLOADS_S3_ACCESS_KEY_ID= @@ -109,15 +103,12 @@ LOG_LEVEL=info # AWS_ROLE_ARN= # AWS_WEB_IDENTITY_TOKEN_FILE= -# GHOST Integration -#GHOST_URL=https://example.ghost.io -#GHOST_CONTENT_API_KEY= -#GHOST_ADMIN_API_KEY= -#IFRAME_ALLOWED_ORIGINS=https://example.com +# ==================================== +# SSO # Enable using Bonfire as an SSO provider for external apps to sign in with? # ENABLE_SSO_PROVIDER=false -OAUTH_ISSUER=https://${DOMAIN} +#OAUTH_ISSUER=https://${DOMAIN} # OpenID Connect: connect as a client to the OpenID Connect provider with callback url https://yourinstance.tld/oauth/client/openid_1 # OPENID_1_DISCOVERY= @@ -146,6 +137,15 @@ OAUTH_ISSUER=https://${DOMAIN} # GITHUB_APP_CLIENT_ID= # GITHUB_CLIENT_SECRET= +# ==================================== +# MISC + +# GHOST Integration +#GHOST_URL=https://example.ghost.io +#GHOST_CONTENT_API_KEY= +#GHOST_ADMIN_API_KEY= +#IFRAME_ALLOWED_ORIGINS=https://example.com + # More Bonfire extensions configs: # WEB_PUSH_SUBJECT=mailto:admin@example.com # WEB_PUSH_PUBLIC_KEY=xyz @@ -154,21 +154,18 @@ OAUTH_ISSUER=https://${DOMAIN} # GITHUB_TOKEN=xyz # AKISMET_API_KEY= -WITH_LV_NATIVE=0 -WITH_IMAGE_VIX=1 -WITH_AI=0 -LIVE_DASHBOARD_LOGGER=false +# how much info to include in logs (from less to more: emergency, alert, critical, error, warning, notice, info, debug) +LOG_LEVEL=info # error reporting: # SENTRY_DSN= # ==================================== +# SECRETS # these secrets will be autogenerated/managed by abra and docker" -SECRET_MEILI_MASTER_KEY_VERSION=v1 -SECRET_SONIC_PASSWORD_VERSION=v1 + SECRET_SEEDS_PW_VERSION=v1 SECRET_LIVEBOOK_PASSWORD_VERSION=v1 -SECRET_MAIL_KEY_VERSION=v1 SECRET_SECRET_KEY_BASE_VERSION=v1 # length=128 SECRET_SIGNING_SALT_VERSION=v1 # length=128 SECRET_ENCRYPTION_SALT_VERSION=v1 # length=128 diff --git a/compose.yml b/compose.yml index 35846fb..9208e99 100644 --- a/compose.yml +++ b/compose.yml @@ -27,10 +27,10 @@ services: - LIVEVIEW_ENABLED=${LIVEVIEW_ENABLED:-true} - APP_NAME={APP_NAME:-Bonfire} - PLUG_SERVER - - WITH_LV_NATIVE - - WITH_IMAGE_VIX - - WITH_AI - - LIVE_DASHBOARD_LOGGER + - WITH_LV_NATIVE=${WITH_LV_NATIVE:-0} + - WITH_IMAGE_VIX=${WITH_IMAGE_VIX:-1} + - WITH_AI=${WITH_AI:-0} + - LIVE_DASHBOARD_LOGGER=${LIVE_DASHBOARD_LOGGER:-false} - DB_SLOW_QUERY_MS - DB_STATEMENT_TIMEOUT -- 2.52.0 From 22c5d3b3e288a87716b286f12e5c1d8b0dfa0f85 Mon Sep 17 00:00:00 2001 From: stevensting Date: Mon, 29 Jun 2026 13:02:16 +0200 Subject: [PATCH 07/15] improve separation of compose files --- .env.sample | 5 +++-- compose.mail.yml | 21 +++++++++++++++++---- compose.meilisearch.yml | 7 +++++++ compose.yml | 32 -------------------------------- 4 files changed, 27 insertions(+), 38 deletions(-) diff --git a/.env.sample b/.env.sample index cd98409..926f94c 100644 --- a/.env.sample +++ b/.env.sample @@ -22,11 +22,12 @@ COMPOSE_FILE="compose.yml" # ==================================== # DATABASE CONFIG + COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml" SECRET_POSTGRES_PASSWORD_VERSION=v1 -# upper limit for how much RAM you want the DB to use, in megabytes (the same amount of swap will also be allocated to the DB container) -DB_MEMORY_LIMIT=5000 +# upper limit for how much RAM you want the DB to use, in megabytes (the same amount of swap will also be allocated to the DB container) As a rule of thumb use 25% of system RAM. +DB_MEMORY_LIMIT=1024 # set to true *after* your initial deployment to enable concurrent index creation for faster migrations in future upgrades DB_MIGRATE_INDEXES_CONCURRENTLY=false diff --git a/compose.mail.yml b/compose.mail.yml index 85b1958..7457d9a 100644 --- a/compose.mail.yml +++ b/compose.mail.yml @@ -2,14 +2,27 @@ version: "3.8" services: app: + environment: + - MAIL_BACKEND=${MAIL_BACKEND:-none} + - MAIL_DOMAIN + - MAIL_FROM + - MAIL_KEY_FILE=/run/secrets/mail_key + - MAIL_PROJECT_ID + - MAIL_PRIVATE_KEY + - MAIL_BASE_URI + - MAIL_REGION + - MAIL_SERVER + - MAIL_USER + - MAIL_PORT + - MAIL_TLS + - MAIL_SSL + - MAIL_SMTP_AUTH + - MAIL_RETRIES + - MAIL_ARGS secrets: - - mail_password - mail_key secrets: - mail_password: - external: true - name: ${STACK_NAME}_mail_password_${SECRET_MAIL_PASSWORD_VERSION:-v1} mail_key: external: true name: ${STACK_NAME}_mail_key_${SECRET_MAIL_KEY_VERSION:-v1} diff --git a/compose.meilisearch.yml b/compose.meilisearch.yml index a2625e2..63fc327 100644 --- a/compose.meilisearch.yml +++ b/compose.meilisearch.yml @@ -7,6 +7,8 @@ services: - search environment: - SEARCH_MEILI_INSTANCE=http://${STACK_NAME}_search:7700 + secrets: + - meili_master_key search: image: getmeili/meilisearch:v1.14 # WIP: upgrade from v1.11 to 1.14 @@ -42,3 +44,8 @@ configs: meili_backup: name: ${STACK_NAME}_meili_backup_${MEILI_BACKUP_VERSION:-v4} file: meili_backup.sh + +secrets: + meili_master_key: + external: true + name: ${STACK_NAME}_meili_master_key_${SECRET_MEILI_MASTER_KEY_VERSION:-v1} \ No newline at end of file diff --git a/compose.yml b/compose.yml index 9208e99..56a3d12 100644 --- a/compose.yml +++ b/compose.yml @@ -36,24 +36,6 @@ services: - DB_STATEMENT_TIMEOUT - DB_MIGRATE_INDEXES_CONCURRENTLY - - MAIL_BACKEND=${MAIL_BACKEND:-none} - - MAIL_DOMAIN - - MAIL_FROM - - MAIL_KEY - - MAIL_PROJECT_ID - - MAIL_PRIVATE_KEY - - MAIL_BASE_URI - - MAIL_REGION - - MAIL_SERVER - - MAIL_USER - - MAIL_PASSWORD - - MAIL_PORT - - MAIL_TLS - - MAIL_SSL - - MAIL_SMTP_AUTH - - MAIL_RETRIES - - MAIL_ARGS - - SENTRY_DSN - OTEL_ENABLED - OTEL_SERVICE_NAME @@ -115,12 +97,10 @@ services: - secret_key_base - signing_salt - encryption_salt - - meili_master_key - seeds_pw - livebook_password volumes: - upload-data:/opt/app/data/uploads - # - backup-data:/opt/app/data/backup networks: - proxy - internal @@ -134,18 +114,11 @@ services: condition: on-failure labels: - "backupbot.backup=${ENABLE_BACKUPS:-true}" - #- backupbot.backup.volumes.upload-data: "true" - #- backupbot.backup.volumes.upload-data.path: "/opt/app/data/uploads" - "traefik.enable=true" - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=4000" - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - #- "traefik.http.routers.${STACK_NAME}.middlewares=error-pages-middleware" - #- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" - #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" healthcheck: test: ["CMD", "curl", "-f", "http://localhost:4000"] interval: 30s @@ -154,9 +127,7 @@ services: start_period: 15s volumes: - db-data: upload-data: - # backup-data: networks: proxy: @@ -179,9 +150,6 @@ secrets: encryption_salt: external: true name: ${STACK_NAME}_encryption_salt_${SECRET_ENCRYPTION_SALT_VERSION:-v1} - meili_master_key: - external: true - name: ${STACK_NAME}_meili_master_key_${SECRET_MEILI_MASTER_KEY_VERSION:-v1} seeds_pw: external: true name: ${STACK_NAME}_seeds_pw_${SECRET_SEEDS_PW_VERSION:-v1} -- 2.52.0 From b002674215529ae2932e050adebee5413581e43c Mon Sep 17 00:00:00 2001 From: stevensting Date: Mon, 29 Jun 2026 14:29:53 +0200 Subject: [PATCH 08/15] move S3 to dedicated compose file and use docker secrets --- .env.sample | 23 ++++++++++++----------- compose.s3.yml | 36 ++++++++++++++++++++++++++++++++++++ compose.yml | 12 ------------ 3 files changed, 48 insertions(+), 23 deletions(-) create mode 100644 compose.s3.yml diff --git a/.env.sample b/.env.sample index 926f94c..bc3f5f0 100644 --- a/.env.sample +++ b/.env.sample @@ -92,17 +92,18 @@ SECRET_SONIC_PASSWORD_VERSION=v1 UPLOAD_LIMIT=20000000 # Store uploads in S3-compatible service: -# UPLOADS_S3_BUCKET= -# UPLOADS_S3_ACCESS_KEY_ID= -# UPLOADS_S3_SECRET_ACCESS_KEY= -# TODO: please use the abra secret instead of env for secrets ^ -# UPLOADS_S3_REGION=fr-par -# UPLOADS_S3_HOST=s3.fr-par.scw.cloud -# UPLOADS_S3_SCHEME=https:// -# UPLOADS_S3_URL= -# UPLOADS_S3_DEFAULT_URL= -# AWS_ROLE_ARN= -# AWS_WEB_IDENTITY_TOKEN_FILE= +# COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml" +#SECRET_UPLOADS_S3_ACCESS_KEY_ID_VERSION=v1 +#SECRET_UPLOADS_S3_SECRET_ACCESS_KEY_VERSION=v1 +#SECRET_AWS_WEB_IDENTITY_TOKEN_VERSION=v1 +#UPLOADS_S3_BUCKET= +#UPLOADS_S3_REGION=fr-par +#UPLOADS_S3_HOST=s3.fr-par.scw.cloud +#UPLOADS_S3_SCHEME=https:// +#UPLOADS_S3_URL= +#UPLOADS_S3_DEFAULT_URL= +#AWS_ROLE_ARN= +#AWS_WEB_IDENTITY_TOKEN_FILE= # ==================================== # SSO diff --git a/compose.s3.yml b/compose.s3.yml new file mode 100644 index 0000000..b33a033 --- /dev/null +++ b/compose.s3.yml @@ -0,0 +1,36 @@ +version: "3.8" + +services: + app: + environment: + - UPLOADS_S3_BUCKET + - UPLOADS_S3_ACCESS_KEY_ID_FILE=/run/secrets/uploads_s3_access_key_id + - UPLOADS_S3_SECRET_ACCESS_KEY_FILE=/run/secrets/uploads_s3_secret_access_key + - UPLOADS_S3_REGION + - UPLOADS_S3_HOST + - UPLOADS_S3_SCHEME + - UPLOADS_S3_URL + - UPLOADS_S3_DEFAULT_URL + - UPLOADS_S3_URL_EXPIRATION_TTL + - AWS_ROLE_ARN + - AWS_WEB_IDENTITY_TOKEN_FILE=/run/secrets/aws_web_identity_token + + secrets: + - mail_key + - uploads_s3_access_key_id + - uploads_s3_secret_access_key + - aws_web_identity_token + +secrets: + mail_key: + external: true + name: ${STACK_NAME}_mail_key_${SECRET_MAIL_KEY_VERSION:-v1} + uploads_s3_access_key_id: + external: true + name: ${STACK_NAME}_uploads_s3_access_key_id_${SECRET_UPLOADS_S3_ACCESS_KEY_ID_VERSION:-v1} + uploads_s3_secret_access_key: + external: true + name: ${STACK_NAME}_uploads_s3_secret_access_key_${SECRET_UPLOADS_S3_SECRET_ACCESS_KEY_VERSION:-v1} + aws_web_identity_token: + external: true + name: ${STACK_NAME}_aws_web_identity_token_${SECRET_AWS_WEB_IDENTITY_TOKEN_VERSION:-v1} diff --git a/compose.yml b/compose.yml index 56a3d12..fcba7ca 100644 --- a/compose.yml +++ b/compose.yml @@ -51,18 +51,6 @@ services: - GEOLOCATE_OPENCAGEDATA - GITHUB_TOKEN - - UPLOADS_S3_BUCKET - - UPLOADS_S3_ACCESS_KEY_ID - - UPLOADS_S3_SECRET_ACCESS_KEY - - UPLOADS_S3_REGION - - UPLOADS_S3_HOST - - UPLOADS_S3_SCHEME - - UPLOADS_S3_URL - - UPLOADS_S3_DEFAULT_URL - - UPLOADS_S3_URL_EXPIRATION_TTL - - AWS_ROLE_ARN - - AWS_WEB_IDENTITY_TOKEN_FILE - - ENABLE_SSO_PROVIDER - OAUTH_ISSUER -- 2.52.0 From a513bc6fa221a078eb72050da2c84af2cad116f9 Mon Sep 17 00:00:00 2001 From: stevensting Date: Mon, 29 Jun 2026 14:31:29 +0200 Subject: [PATCH 09/15] small fix --- .env.sample | 1 - 1 file changed, 1 deletion(-) diff --git a/.env.sample b/.env.sample index bc3f5f0..3952c72 100644 --- a/.env.sample +++ b/.env.sample @@ -103,7 +103,6 @@ UPLOAD_LIMIT=20000000 #UPLOADS_S3_URL= #UPLOADS_S3_DEFAULT_URL= #AWS_ROLE_ARN= -#AWS_WEB_IDENTITY_TOKEN_FILE= # ==================================== # SSO -- 2.52.0 From 8ffe84e15e7488aab7e2c1e96742f1be94934a9e Mon Sep 17 00:00:00 2001 From: stevensting Date: Mon, 29 Jun 2026 15:19:45 +0200 Subject: [PATCH 10/15] pass docker secrets by file names --- .env.sample | 4 +++- abra.sh | 2 +- compose.mail.privatekey.yml | 13 +++++++++++++ compose.mail.yml | 1 - compose.yml | 8 +++++++- entrypoint.sh.tmpl | 20 +++----------------- 6 files changed, 27 insertions(+), 21 deletions(-) create mode 100644 compose.mail.privatekey.yml diff --git a/.env.sample b/.env.sample index 3952c72..3ae6370 100644 --- a/.env.sample +++ b/.env.sample @@ -64,6 +64,9 @@ SECRET_SONIC_PASSWORD_VERSION=v1 # Enable `compose.mail.yml` to set secrets for sending emails (remember to also include your chosen search backend's compose file): # COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml" # SECRET_MAIL_KEY_VERSION=v1 +# private key only necessary for some mail provider +# COMPOSE_FILE="$COMPOSE_FILE:compose.mail.privatekey.yml" +# SECRET_MAIL_PRIVATE_KEY_VERSION=v1 # what service to use for sending out emails (eg. smtp, mailgun, none) NOTE: you should also set the corresponding keys below for the relevant service you choose, and uncomment the COMPOSE_FILE line for the relevant service if needed #MAIL_BACKEND=none @@ -72,7 +75,6 @@ SECRET_SONIC_PASSWORD_VERSION=v1 # MAIL_DOMAIN=mgo.example.com # MAIL_FROM=admin@example.com # MAIL_PROJECT_ID= -# MAIL_PRIVATE_KEY= # MAIL_BASE_URI= # MAIL_REGION= # MAIL_SESSION_TOKEN= diff --git a/abra.sh b/abra.sh index 684fa0c..faa2159 100644 --- a/abra.sh +++ b/abra.sh @@ -1,4 +1,4 @@ -export APP_ENTRYPOINT_VERSION=v3 +export APP_ENTRYPOINT_VERSION=v4 export PG_BACKUP_VERSION=v6 export MEILI_BACKUP_VERSION=v4 export SONIC_CFG_VERSION=v1 diff --git a/compose.mail.privatekey.yml b/compose.mail.privatekey.yml new file mode 100644 index 0000000..6b8da57 --- /dev/null +++ b/compose.mail.privatekey.yml @@ -0,0 +1,13 @@ +version: "3.8" + +services: + app: + environment: + - MAIL_PRIVATE_KEY_FILE=/run/secrets/mail_private_key + secrets: + - mail_private_key + +secrets: + mail_private_key: + external: true + name: ${STACK_NAME}_mail_private_key_${SECRET_MAIL_PRIVATE_KEY_VERSION:-v1} diff --git a/compose.mail.yml b/compose.mail.yml index 7457d9a..f0b27e6 100644 --- a/compose.mail.yml +++ b/compose.mail.yml @@ -8,7 +8,6 @@ services: - MAIL_FROM - MAIL_KEY_FILE=/run/secrets/mail_key - MAIL_PROJECT_ID - - MAIL_PRIVATE_KEY - MAIL_BASE_URI - MAIL_REGION - MAIL_SERVER diff --git a/compose.yml b/compose.yml index fcba7ca..5d48784 100644 --- a/compose.yml +++ b/compose.yml @@ -80,7 +80,13 @@ services: - GHOST_CONTENT_API_KEY - GHOST_ADMIN_API_KEY - IFRAME_ALLOWED_ORIGINS - + + - SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base + - SIGNING_SALT_FILE=/run/secrets/signing_salt + - ENCRYPTION_SALT_FILE=/run/secrets/encryption_salt + - SEEDS_PW_FILE=/run/secrets/seeds_pw + - LIVEBOOK_PASSWORD_FILE=/run/secrets/livebook_password + secrets: - secret_key_base - signing_salt diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl index 94bc0c2..023dda2 100644 --- a/entrypoint.sh.tmpl +++ b/entrypoint.sh.tmpl @@ -1,22 +1,8 @@ #!/bin/sh -# put secrets from files into env -export MEILI_MASTER_KEY=$(cat /run/secrets/meili_master_key) -export POSTGRES_PASSWORD=$(cat /run/secrets/postgres_password) -export SECRET_KEY_BASE=$(cat /run/secrets/secret_key_base) -export SIGNING_SALT=$(cat /run/secrets/signing_salt) -export ENCRYPTION_SALT=$(cat /run/secrets/encryption_salt) -export SEEDS_PW=$(cat /run/secrets/seeds_pw) -export LIVEBOOK_PASSWORD=$(cat /run/secrets/livebook_password) - -# Only read the secret when the MAIL_PASSWORD was not set to remain backwards compatible -if [ -f /run/secrets/mail_password ] && [ -z "${MAIL_PASSWORD}" ]; then - export MAIL_PASSWORD=$(cat /run/secrets/mail_password) -fi - -# Only read the secret when the MAIL_KEY was not set to remain backwards compatible -if [ -f /run/secrets/mail_key ] && [ -z "${MAIL_KEY}" ]; then - export MAIL_KEY=$(cat /run/secrets/mail_key) +# meilisearch does not support MEILI_MASTER_KEY_FILE, so we export it here for the search service +if [ -f /run/secrets/meili_master_key ]; then + export MEILI_MASTER_KEY=$(cat /run/secrets/meili_master_key) fi echo "....Secrets have been loaded, now run $@...." -- 2.52.0 From 521e4124fe82e51fb16fe4e76e7b20b143c634bb Mon Sep 17 00:00:00 2001 From: stevensting Date: Mon, 29 Jun 2026 19:07:58 +0200 Subject: [PATCH 11/15] use all docker secrets directly with file access --- .env.sample | 34 +++++++++++++++++++++------------- compose.auth.github.yml | 14 ++++++++++++++ compose.auth.oauth.yml | 19 +++++++++++++++++++ compose.auth.openid.yml | 19 +++++++++++++++++++ compose.auth.orcid.yml | 14 ++++++++++++++ compose.ghost.yml | 20 ++++++++++++++++++++ compose.webpush.yml | 15 +++++++++++++++ compose.yml | 31 ------------------------------- 8 files changed, 122 insertions(+), 44 deletions(-) create mode 100644 compose.auth.github.yml create mode 100644 compose.auth.oauth.yml create mode 100644 compose.auth.openid.yml create mode 100644 compose.auth.orcid.yml create mode 100644 compose.ghost.yml create mode 100644 compose.webpush.yml diff --git a/.env.sample b/.env.sample index 3ae6370..fb2c5c3 100644 --- a/.env.sample +++ b/.env.sample @@ -52,7 +52,8 @@ DB_MIGRATE_INDEXES_CONCURRENTLY=false # recommended search backend sonic COMPOSE_FILE="$COMPOSE_FILE:compose.sonic.yml" -SECRET_SONIC_PASSWORD_VERSION=v1 +# docker secret cannot be used due to distroless image, threfore add secret here +SONIC_PASSWORD= # alternative search service #COMPOSE_FILE="$COMPOSE_FILE:compose.meilisearch.yml" @@ -94,7 +95,7 @@ SECRET_SONIC_PASSWORD_VERSION=v1 UPLOAD_LIMIT=20000000 # Store uploads in S3-compatible service: -# COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml" +#COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml" #SECRET_UPLOADS_S3_ACCESS_KEY_ID_VERSION=v1 #SECRET_UPLOADS_S3_SECRET_ACCESS_KEY_VERSION=v1 #SECRET_AWS_WEB_IDENTITY_TOKEN_VERSION=v1 @@ -114,45 +115,52 @@ UPLOAD_LIMIT=20000000 #OAUTH_ISSUER=https://${DOMAIN} # OpenID Connect: connect as a client to the OpenID Connect provider with callback url https://yourinstance.tld/oauth/client/openid_1 +#COMPOSE_FILE="$COMPOSE_FILE:compose.auth.openid.yml" +#SECRET_OPENID_CLIENT_SECRET_VERSION=v1 # OPENID_1_DISCOVERY= # OPENID_1_DISPLAY_NAME= # OPENID_1_CLIENT_ID= -# OPENID_1_CLIENT_SECRET= # OPENID_1_SCOPE= # OPENID_1_RESPONSE_TYPE=code # OPENID_1_ENABLE_SIGNUP=false # ^ can be code, token or id_token # orcid.org SSO: connect as a client to the orcid.org OpenID Connect provider with callback url https://yourinstance.tld/oauth/client/orcid +#COMPOSE_FILE="$COMPOSE_FILE:compose.auth.orcid.yml" +#SECRET_ORCID_CLIENT_SECRET_VERSION=v1 # ORCID_CLIENT_ID= -# ORCID_CLIENT_SECRET= # OAuth2 provider: connect as a client to the OAuth2 provider with callback url https://yourinstance.tld/oauth/client/oauth_1 +#COMPOSE_FILE="$COMPOSE_FILE:compose.auth.oauth.yml" +# SECRET_OAUTH_CLIENT_SECRET_VERSION=v1 # OAUTH_1_DISPLAY_NAME= # OAUTH_1_CLIENT_ID= -# OAUTH_1_CLIENT_SECRET= # OAUTH_1_AUTHORIZE_URI= # OAUTH_1_ACCESS_TOKEN_URI= # OAUTH_1_USER_INFO_URI= # OAUTH_1_ENABLE_SIGNUP=false # github.com SSO: connect as a client to the github.com OAuth2 provider with callback url https://yourinstance.tld/oauth/client/github +#COMPOSE_FILE="$COMPOSE_FILE:compose.auth.github.yml" +# SECRET_GITHUB_CLIENT_SECRET_VERSION=v1 # GITHUB_APP_CLIENT_ID= -# GITHUB_CLIENT_SECRET= # ==================================== -# MISC +# GHOST INTEGRATION -# GHOST Integration +#COMPOSE_FILE="$COMPOSE_FILE:compose.ghost.yml" +#SECRET_GHOST_CONTENT_API_KEY_VERSION=v1 +#SECRET_GHOST_ADMIN_API_KEY_VERSION=v1 #GHOST_URL=https://example.ghost.io -#GHOST_CONTENT_API_KEY= -#GHOST_ADMIN_API_KEY= #IFRAME_ALLOWED_ORIGINS=https://example.com -# More Bonfire extensions configs: +# ==================================== +# BONFIRE EXTENSIONS + +#COMPOSE_FILE="$COMPOSE_FILE:compose.webpush.yml" +# SECRET_WEBPUSH_PRIVATE_KEY_VERSION=v1 # WEB_PUSH_SUBJECT=mailto:admin@example.com # WEB_PUSH_PUBLIC_KEY=xyz -# WEB_PUSH_PRIVATE_KEY=abc # GEOLOCATE_OPENCAGEDATA= # GITHUB_TOKEN=xyz # AKISMET_API_KEY= @@ -165,7 +173,7 @@ LOG_LEVEL=info # ==================================== # SECRETS -# these secrets will be autogenerated/managed by abra and docker" +# these secrets will be autogenerated/managed by abra and docker SECRET_SEEDS_PW_VERSION=v1 SECRET_LIVEBOOK_PASSWORD_VERSION=v1 diff --git a/compose.auth.github.yml b/compose.auth.github.yml new file mode 100644 index 0000000..b437b11 --- /dev/null +++ b/compose.auth.github.yml @@ -0,0 +1,14 @@ +version: "3.8" + +services: + app: + environment: + - GITHUB_APP_CLIENT_ID + - GITHUB_CLIENT_SECRET_FILE=/run/secrets/github_client_secret + secrets: + - github_client_secret + +secrets: + oauth_client_secret: + external: true + name: ${STACK_NAME}_github_client_secret_${SECRET_GITHUB_CLIENT_SECRET_VERSION:-v1} diff --git a/compose.auth.oauth.yml b/compose.auth.oauth.yml new file mode 100644 index 0000000..0cfb65b --- /dev/null +++ b/compose.auth.oauth.yml @@ -0,0 +1,19 @@ +version: "3.8" + +services: + app: + environment: + - OAUTH_1_DISPLAY_NAME + - OAUTH_1_CLIENT_ID + - OAUTH_1_CLIENT_SECRET_FILE=/run/secrets/oauth_client_secret + - OAUTH_1_AUTHORIZE_URI + - OAUTH_1_ACCESS_TOKEN_URI + - OAUTH_1_USER_INFO_URI + - OAUTH_1_ENABLE_SIGNUP + secrets: + - oauth_client_secret + +secrets: + oauth_client_secret: + external: true + name: ${STACK_NAME}_oauth_client_secret_${SECRET_OAUTH_CLIENT_SECRET_VERSION:-v1} diff --git a/compose.auth.openid.yml b/compose.auth.openid.yml new file mode 100644 index 0000000..67b0846 --- /dev/null +++ b/compose.auth.openid.yml @@ -0,0 +1,19 @@ +version: "3.8" + +services: + app: + environment: + - OPENID_1_DISPLAY_NAME + - OPENID_1_DISCOVERY + - OPENID_1_CLIENT_ID + - OPENID_1_CLIENT_SECRET_FILE=/run/secrets/openid_client_secret + - OPENID_1_SCOPE + - OPENID_1_RESPONSE_TYPE + - OPENID_1_ENABLE_SIGNUP + secrets: + - openid_client_secret + +secrets: + openid_client_secret: + external: true + name: ${STACK_NAME}_openid_client_secret_${SECRET_OPENID_CLIENT_SECRET_VERSION:-v1} diff --git a/compose.auth.orcid.yml b/compose.auth.orcid.yml new file mode 100644 index 0000000..45c2bbb --- /dev/null +++ b/compose.auth.orcid.yml @@ -0,0 +1,14 @@ +version: "3.8" + +services: + app: + environment: + - ORCID_CLIENT_ID + - ORCID_CLIENT_SECRET_FILE=/run/secrets/orchid_client_secret + secrets: + - orchid_client_secret + +secrets: + orchid_client_secret: + external: true + name: ${STACK_NAME}_orchid_client_secret_${SECRET_ORCID_CLIENT_SECRET_VERSION:-v1} diff --git a/compose.ghost.yml b/compose.ghost.yml new file mode 100644 index 0000000..7599f92 --- /dev/null +++ b/compose.ghost.yml @@ -0,0 +1,20 @@ +version: "3.8" + +services: + app: + environment: + - GHOST_URL + - GHOST_CONTENT_API_KEY_FILE=/run/secrets/ghost_content_api_key + - GHOST_ADMIN_API_KEY_FILE=/run/secrets/ghost_admin_api_key + - IFRAME_ALLOWED_ORIGINS + secrets: + - ghost_content_api_key + - ghost_admin_api_key + +secrets: + ghost_content_api_key: + external: true + name: ${STACK_NAME}_ghost_content_api_key_${SECRET_GHOST_CONTENT_API_KEY_VERSION:-v1} + ghost_admin_api_key: + external: true + name: ${STACK_NAME}_ghost_admin_api_key_${SECRET_GHOST_ADMIN_API_KEY_VERSION:-v1} \ No newline at end of file diff --git a/compose.webpush.yml b/compose.webpush.yml new file mode 100644 index 0000000..30da25f --- /dev/null +++ b/compose.webpush.yml @@ -0,0 +1,15 @@ +version: "3.8" + +services: + app: + environment: + - WEB_PUSH_SUBJECT + - WEB_PUSH_PUBLIC_KEY + - WEB_PUSH_PRIVATE_KEY_FILE=/run/secrets/webpush_private_key + secrets: + - webpush_private_key + +secrets: + webpush_private_key: + external: true + name: ${STACK_NAME}_webpush_private_key_${SECRET_WEBPUSH_PRIVATE_KEY_VERSION:-v1} diff --git a/compose.yml b/compose.yml index 5d48784..8ad90da 100644 --- a/compose.yml +++ b/compose.yml @@ -42,10 +42,6 @@ services: - OTEL_HONEYCOMB_API_KEY - OTEL_LIGHTSTEP_API_KEY - - WEB_PUSH_SUBJECT - - WEB_PUSH_PUBLIC_KEY - - WEB_PUSH_PRIVATE_KEY - - AKISMET_API_KEY - MAPBOX_API_KEY - GEOLOCATE_OPENCAGEDATA @@ -53,33 +49,6 @@ services: - ENABLE_SSO_PROVIDER - OAUTH_ISSUER - - - OPENID_1_DISPLAY_NAME - - OPENID_1_DISCOVERY - - OPENID_1_CLIENT_ID - - OPENID_1_CLIENT_SECRET - - OPENID_1_SCOPE - - OPENID_1_RESPONSE_TYPE - - OPENID_1_ENABLE_SIGNUP - - - OAUTH_1_DISPLAY_NAME - - OAUTH_1_CLIENT_ID - - OAUTH_1_CLIENT_SECRET - - OAUTH_1_AUTHORIZE_URI - - OAUTH_1_ACCESS_TOKEN_URI - - OAUTH_1_USER_INFO_URI - - OAUTH_1_ENABLE_SIGNUP - - - GITHUB_APP_CLIENT_ID - - GITHUB_CLIENT_SECRET - - - ORCID_CLIENT_ID - - ORCID_CLIENT_SECRET - - - GHOST_URL - - GHOST_CONTENT_API_KEY - - GHOST_ADMIN_API_KEY - - IFRAME_ALLOWED_ORIGINS - SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base - SIGNING_SALT_FILE=/run/secrets/signing_salt -- 2.52.0 From 1e9f29cdc4a9d07ecd30204eb4cc5c2fcf701b94 Mon Sep 17 00:00:00 2001 From: stevensting <156+stevensting@noreply.git.coopcloud.tech> Date: Tue, 7 Jul 2026 08:09:09 +0000 Subject: [PATCH 12/15] fix review findings --- .env.sample | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/.env.sample b/.env.sample index fb2c5c3..2ebc440 100644 --- a/.env.sample +++ b/.env.sample @@ -4,7 +4,7 @@ LETS_ENCRYPT_ENV=production # choose what flavour of Bonfire to run. default: social #APP_FLAVOUR=social -# uncomment to run specific version e.g. v1.0.4 or latest release branch. available: latest, latest-beta, latest-alpha +# uncomment to run specific version e.g. 1.0.4 or latest release branch. available: latest, latest-rc, latest-beta, latest-alpha #APP_VERSION=latest # choose specific build. default: amd64, available: aarch64 #APP_PLATFORM=aarch64 @@ -51,9 +51,9 @@ DB_MIGRATE_INDEXES_CONCURRENTLY=false # SEARCH BACKEND # recommended search backend sonic -COMPOSE_FILE="$COMPOSE_FILE:compose.sonic.yml" +#COMPOSE_FILE="$COMPOSE_FILE:compose.sonic.yml" # docker secret cannot be used due to distroless image, threfore add secret here -SONIC_PASSWORD= +#SONIC_PASSWORD= # alternative search service #COMPOSE_FILE="$COMPOSE_FILE:compose.meilisearch.yml" @@ -62,7 +62,6 @@ SONIC_PASSWORD= # ==================================== # MAIL -# Enable `compose.mail.yml` to set secrets for sending emails (remember to also include your chosen search backend's compose file): # COMPOSE_FILE="$COMPOSE_FILE:compose.mail.yml" # SECRET_MAIL_KEY_VERSION=v1 # private key only necessary for some mail provider @@ -114,7 +113,7 @@ UPLOAD_LIMIT=20000000 # ENABLE_SSO_PROVIDER=false #OAUTH_ISSUER=https://${DOMAIN} -# OpenID Connect: connect as a client to the OpenID Connect provider with callback url https://yourinstance.tld/oauth/client/openid_1 +# OpenID Connect: connect as a client to the OpenID Connect provider with callback url https://yourinstance.tld/openid/client/openid_1 #COMPOSE_FILE="$COMPOSE_FILE:compose.auth.openid.yml" #SECRET_OPENID_CLIENT_SECRET_VERSION=v1 # OPENID_1_DISCOVERY= @@ -125,7 +124,7 @@ UPLOAD_LIMIT=20000000 # OPENID_1_ENABLE_SIGNUP=false # ^ can be code, token or id_token -# orcid.org SSO: connect as a client to the orcid.org OpenID Connect provider with callback url https://yourinstance.tld/oauth/client/orcid +# orcid.org SSO: connect as a client to the orcid.org OpenID Connect provider with callback url https://yourinstance.tld/openid/client/orcid #COMPOSE_FILE="$COMPOSE_FILE:compose.auth.orcid.yml" #SECRET_ORCID_CLIENT_SECRET_VERSION=v1 # ORCID_CLIENT_ID= @@ -145,6 +144,13 @@ UPLOAD_LIMIT=20000000 # SECRET_GITHUB_CLIENT_SECRET_VERSION=v1 # GITHUB_APP_CLIENT_ID= +# Zenodo SSO: connect as a client to the Zenodo OAuth2 provider with callback url https://yourinstance.tld/oauth/client/zenodo +# ZENODO_CLIENT_ID= +# ZENODO_CLIENT_SECRET= +# ZENODO_GRANT_TYPE= +# ZENODO_SCOPE= +# ZENODO_ENV= + # ==================================== # GHOST INTEGRATION @@ -152,10 +158,9 @@ UPLOAD_LIMIT=20000000 #SECRET_GHOST_CONTENT_API_KEY_VERSION=v1 #SECRET_GHOST_ADMIN_API_KEY_VERSION=v1 #GHOST_URL=https://example.ghost.io -#IFRAME_ALLOWED_ORIGINS=https://example.com # ==================================== -# BONFIRE EXTENSIONS +# BONFIRE EXTENSIONS AND MISC #COMPOSE_FILE="$COMPOSE_FILE:compose.webpush.yml" # SECRET_WEBPUSH_PRIVATE_KEY_VERSION=v1 @@ -165,6 +170,8 @@ UPLOAD_LIMIT=20000000 # GITHUB_TOKEN=xyz # AKISMET_API_KEY= +#IFRAME_ALLOWED_ORIGINS=https://example.com + # how much info to include in logs (from less to more: emergency, alert, critical, error, warning, notice, info, debug) LOG_LEVEL=info -- 2.52.0 From c6606ce82816fc0f94236a69f9e601bb064452f6 Mon Sep 17 00:00:00 2001 From: stevensting Date: Tue, 7 Jul 2026 11:50:43 +0200 Subject: [PATCH 13/15] fix more review findings --- .env.sample | 28 ++++++++++++++++++++++++---- compose.akismet.yml | 14 ++++++++++++++ compose.ghost.yml | 8 ++++++-- compose.github.yml | 14 ++++++++++++++ compose.mapbox.yml | 14 ++++++++++++++ compose.otel.yml | 21 +++++++++++++++++++++ compose.postgres.yml | 6 +++--- compose.s3.tokenfile.yml | 14 ++++++++++++++ compose.s3.yml | 5 ----- compose.yml | 21 +++++++++++---------- 10 files changed, 121 insertions(+), 24 deletions(-) create mode 100644 compose.akismet.yml create mode 100644 compose.github.yml create mode 100644 compose.mapbox.yml create mode 100644 compose.otel.yml create mode 100644 compose.s3.tokenfile.yml diff --git a/.env.sample b/.env.sample index 2ebc440..226d9f6 100644 --- a/.env.sample +++ b/.env.sample @@ -29,6 +29,8 @@ SECRET_POSTGRES_PASSWORD_VERSION=v1 # upper limit for how much RAM you want the DB to use, in megabytes (the same amount of swap will also be allocated to the DB container) As a rule of thumb use 25% of system RAM. DB_MEMORY_LIMIT=1024 +#DB_MAX_CONNECTIONS=200 + # set to true *after* your initial deployment to enable concurrent index creation for faster migrations in future upgrades DB_MIGRATE_INDEXES_CONCURRENTLY=false @@ -97,7 +99,6 @@ UPLOAD_LIMIT=20000000 #COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml" #SECRET_UPLOADS_S3_ACCESS_KEY_ID_VERSION=v1 #SECRET_UPLOADS_S3_SECRET_ACCESS_KEY_VERSION=v1 -#SECRET_AWS_WEB_IDENTITY_TOKEN_VERSION=v1 #UPLOADS_S3_BUCKET= #UPLOADS_S3_REGION=fr-par #UPLOADS_S3_HOST=s3.fr-par.scw.cloud @@ -105,6 +106,9 @@ UPLOAD_LIMIT=20000000 #UPLOADS_S3_URL= #UPLOADS_S3_DEFAULT_URL= #AWS_ROLE_ARN= +# Optionally use AWS identity token file +#COMPOSE_FILE="$COMPOSE_FILE:compose.s3.tokenfile.yml" +#SECRET_AWS_WEB_IDENTITY_TOKEN_VERSION=v1 # ==================================== # SSO @@ -157,8 +161,16 @@ UPLOAD_LIMIT=20000000 #COMPOSE_FILE="$COMPOSE_FILE:compose.ghost.yml" #SECRET_GHOST_CONTENT_API_KEY_VERSION=v1 #SECRET_GHOST_ADMIN_API_KEY_VERSION=v1 +#SECRET_GHOST_WEBHOOK_SECRET_VERSION=v1 #GHOST_URL=https://example.ghost.io +# ==================================== +# OPEN TELEMETRY + +#COMPOSE_FILE="$COMPOSE_FILE:compose.otel.yml" +#SECRET_HONEYCOMB_API_KEY_VERSION=v1 +#SECRET_LIGHTSTEP_API_KEY_VERSION=v1 + # ==================================== # BONFIRE EXTENSIONS AND MISC @@ -166,10 +178,17 @@ UPLOAD_LIMIT=20000000 # SECRET_WEBPUSH_PRIVATE_KEY_VERSION=v1 # WEB_PUSH_SUBJECT=mailto:admin@example.com # WEB_PUSH_PUBLIC_KEY=xyz -# GEOLOCATE_OPENCAGEDATA= -# GITHUB_TOKEN=xyz -# AKISMET_API_KEY= +#COMPOSE_FILE="$COMPOSE_FILE:compose.github.yml" +#SECRET_GITHUB_TOKEN_VERSION=v1 + +#COMPOSE_FILE="$COMPOSE_FILE:compose.akismet.yml" +#SECRET_AKISMET_API_KEY_VERSION=v1 + +#COMPOSE_FILE="$COMPOSE_FILE:compose.mapbox.yml" +#SECRET_MAPBOX_API_KEY_VERSION=v1 + +# GEOLOCATE_OPENCAGEDATA= #IFRAME_ALLOWED_ORIGINS=https://example.com # how much info to include in logs (from less to more: emergency, alert, critical, error, warning, notice, info, debug) @@ -187,4 +206,5 @@ SECRET_LIVEBOOK_PASSWORD_VERSION=v1 SECRET_SECRET_KEY_BASE_VERSION=v1 # length=128 SECRET_SIGNING_SALT_VERSION=v1 # length=128 SECRET_ENCRYPTION_SALT_VERSION=v1 # length=128 +SECRET_RELEASE_COOKIE_VERSION=v1 diff --git a/compose.akismet.yml b/compose.akismet.yml new file mode 100644 index 0000000..1c75517 --- /dev/null +++ b/compose.akismet.yml @@ -0,0 +1,14 @@ +version: "3.8" + +services: + app: + environment: + - AKISMET_API_KEY_FILE=/run/secrets/akismet_api_key + + secrets: + - akismet_api_key + +secrets: + akismet_api_key: + external: true + name: ${STACK_NAME}_akismet_api_key_${SECRET_AKISMET_API_KEY_VERSION:-v1} \ No newline at end of file diff --git a/compose.ghost.yml b/compose.ghost.yml index 7599f92..23029b4 100644 --- a/compose.ghost.yml +++ b/compose.ghost.yml @@ -6,10 +6,11 @@ services: - GHOST_URL - GHOST_CONTENT_API_KEY_FILE=/run/secrets/ghost_content_api_key - GHOST_ADMIN_API_KEY_FILE=/run/secrets/ghost_admin_api_key - - IFRAME_ALLOWED_ORIGINS + - GHOST_WEBHOOK_SECRET_FILE=/run/secrets/ghost_webhook_secret secrets: - ghost_content_api_key - ghost_admin_api_key + - ghost_webhook_secret secrets: ghost_content_api_key: @@ -17,4 +18,7 @@ secrets: name: ${STACK_NAME}_ghost_content_api_key_${SECRET_GHOST_CONTENT_API_KEY_VERSION:-v1} ghost_admin_api_key: external: true - name: ${STACK_NAME}_ghost_admin_api_key_${SECRET_GHOST_ADMIN_API_KEY_VERSION:-v1} \ No newline at end of file + name: ${STACK_NAME}_ghost_admin_api_key_${SECRET_GHOST_ADMIN_API_KEY_VERSION:-v1} + ghost_webhook_secret: + external: true + name: ${STACK_NAME}_ghost_webhook_secret_${SECRET_GHOST_WEBHOOK_SECRET_VERSION:-v1} \ No newline at end of file diff --git a/compose.github.yml b/compose.github.yml new file mode 100644 index 0000000..e9fcc03 --- /dev/null +++ b/compose.github.yml @@ -0,0 +1,14 @@ +version: "3.8" + +services: + app: + environment: + - GITHUB_TOKEN_FILE=/run/secrets/github_token + + secrets: + - github_token + +secrets: + github_token: + external: true + name: ${STACK_NAME}_github_token_${SECRET_GITHUB_TOKEN_VERSION:-v1} \ No newline at end of file diff --git a/compose.mapbox.yml b/compose.mapbox.yml new file mode 100644 index 0000000..333a2c9 --- /dev/null +++ b/compose.mapbox.yml @@ -0,0 +1,14 @@ +version: "3.8" + +services: + app: + environment: + - MAPBOX_API_KEY_FILE=/run/secrets/mapbox_api_key + + secrets: + - mapbox_api_key + +secrets: + mapbox_api_key: + external: true + name: ${STACK_NAME}_mapbox_api_key_${SECRET_MAPBOX_API_KEY_VERSION:-v1} \ No newline at end of file diff --git a/compose.otel.yml b/compose.otel.yml new file mode 100644 index 0000000..f16ab5c --- /dev/null +++ b/compose.otel.yml @@ -0,0 +1,21 @@ +version: "3.8" + +services: + app: + environment: + - OTEL_ENABLED + - OTEL_SERVICE_NAME + - OTEL_HONEYCOMB_API_KEY_FILE=/run/secrets/honeycomb_api_key + - OTEL_LIGHTSTEP_API_KEY_FILE=/run/secrets/lightstep_api_key + + secrets: + - honeycomb_api_key + - lightstep_api_key + +secrets: + honeycomb_api_key: + external: true + name: ${STACK_NAME}_honeycomb_api_key_${SECRET_HONEYCOMB_API_KEY_VERSION:-v1} + lightstep_api_key: + external: true + name: ${STACK_NAME}_lightstep_api_key_${SECRET_LIGHTSTEP_API_KEY_VERSION:-v1} \ No newline at end of file diff --git a/compose.postgres.yml b/compose.postgres.yml index a7315f0..a3fb3fd 100644 --- a/compose.postgres.yml +++ b/compose.postgres.yml @@ -17,8 +17,8 @@ services: image: ${DB_DOCKER_IMAGE:-ghcr.io/baosystems/postgis}:${DB_DOCKER_VERSION:-17-3.5} command: > postgres - -c max_connections=200 - -c shared_buffers=${DB_MEMORY_LIMIT}MB + -c max_connections=${DB_MAX_CONNECTIONS:-200} + -c shared_buffers=${DB_MEMORY_LIMIT:-1024}MB # -c shared_preload_libraries='pg_stat_statements' # -c statement_timeout=1800000 # -c pg_stat_statements.track=all @@ -31,7 +31,7 @@ services: size: 1000000000 # about 1 GB in bytes tmpfs: - - /tmp:size=${DB_MEMORY_LIMIT}M^ + - /tmp:size=${DB_MEMORY_LIMIT:-1024}M^ networks: - internal environment: diff --git a/compose.s3.tokenfile.yml b/compose.s3.tokenfile.yml new file mode 100644 index 0000000..344c42d --- /dev/null +++ b/compose.s3.tokenfile.yml @@ -0,0 +1,14 @@ +version: "3.8" + +services: + app: + environment: + - AWS_WEB_IDENTITY_TOKEN_FILE=/run/secrets/aws_web_identity_token + + secrets: + - aws_web_identity_token + +secrets: + aws_web_identity_token: + external: true + name: ${STACK_NAME}_aws_web_identity_token_${SECRET_AWS_WEB_IDENTITY_TOKEN_VERSION:-v1} diff --git a/compose.s3.yml b/compose.s3.yml index b33a033..f335d65 100644 --- a/compose.s3.yml +++ b/compose.s3.yml @@ -13,13 +13,11 @@ services: - UPLOADS_S3_DEFAULT_URL - UPLOADS_S3_URL_EXPIRATION_TTL - AWS_ROLE_ARN - - AWS_WEB_IDENTITY_TOKEN_FILE=/run/secrets/aws_web_identity_token secrets: - mail_key - uploads_s3_access_key_id - uploads_s3_secret_access_key - - aws_web_identity_token secrets: mail_key: @@ -31,6 +29,3 @@ secrets: uploads_s3_secret_access_key: external: true name: ${STACK_NAME}_uploads_s3_secret_access_key_${SECRET_UPLOADS_S3_SECRET_ACCESS_KEY_VERSION:-v1} - aws_web_identity_token: - external: true - name: ${STACK_NAME}_aws_web_identity_token_${SECRET_AWS_WEB_IDENTITY_TOKEN_VERSION:-v1} diff --git a/compose.yml b/compose.yml index 8ad90da..a96fc9a 100644 --- a/compose.yml +++ b/compose.yml @@ -3,7 +3,7 @@ version: "3.8" services: app: - image: bonfirenetworks/bonfire:${APP_VERSION:-1.0.4}-${APP_FLAVOUR:-social}-${APP_PLATFORM:-amd64} + image: ${CONTAINER_REGISTRY:-bonfirenetworks/bonfire}:${APP_VERSION:-1.0.4}-${APP_FLAVOUR:-social}-${APP_PLATFORM:-amd64} logging: driver: "json-file" options: @@ -22,7 +22,6 @@ services: - INVITE_KEY - LANG=${LANG:-en_US.UTF-8} - SEEDS_USER=${SEEDS_USER:-root} - - ERLANG_COOKIE=${ERLANG_COOKIE:-bonfire_cookie} - REPLACE_OS_VARS=${REPLACE_OS_VARS:-true} - LIVEVIEW_ENABLED=${LIVEVIEW_ENABLED:-true} - APP_NAME={APP_NAME:-Bonfire} @@ -31,21 +30,18 @@ services: - WITH_IMAGE_VIX=${WITH_IMAGE_VIX:-1} - WITH_AI=${WITH_AI:-0} - LIVE_DASHBOARD_LOGGER=${LIVE_DASHBOARD_LOGGER:-false} + - IFRAME_ALLOWED_ORIGINS + - RELEASE_DISTRIBUTION + - RELEASE_NODE + - RELEASE_MODE - DB_SLOW_QUERY_MS - DB_STATEMENT_TIMEOUT - DB_MIGRATE_INDEXES_CONCURRENTLY - SENTRY_DSN - - OTEL_ENABLED - - OTEL_SERVICE_NAME - - OTEL_HONEYCOMB_API_KEY - - OTEL_LIGHTSTEP_API_KEY - - - AKISMET_API_KEY - - MAPBOX_API_KEY + - GEOLOCATE_OPENCAGEDATA - - GITHUB_TOKEN - ENABLE_SSO_PROVIDER - OAUTH_ISSUER @@ -55,6 +51,7 @@ services: - ENCRYPTION_SALT_FILE=/run/secrets/encryption_salt - SEEDS_PW_FILE=/run/secrets/seeds_pw - LIVEBOOK_PASSWORD_FILE=/run/secrets/livebook_password + - RELEASE_COOKIE_FILE=/run/secrets/release_cookie secrets: - secret_key_base @@ -62,6 +59,7 @@ services: - encryption_salt - seeds_pw - livebook_password + - release_cookie volumes: - upload-data:/opt/app/data/uploads networks: @@ -119,3 +117,6 @@ secrets: livebook_password: external: true name: ${STACK_NAME}_livebook_password_${SECRET_LIVEBOOK_PASSWORD_VERSION:-v1} + release_cookie: + external: true + name: ${STACK_NAME}_release_cookie_${SECRET_RELEASE_COOKIE_VERSION:-v1} \ No newline at end of file -- 2.52.0 From df168764122faa5fcff622e5d979eb23db5fcc72 Mon Sep 17 00:00:00 2001 From: stevensting Date: Tue, 7 Jul 2026 13:20:46 +0200 Subject: [PATCH 14/15] small fix for env var --- compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compose.yml b/compose.yml index df9b768..c49a740 100644 --- a/compose.yml +++ b/compose.yml @@ -24,7 +24,7 @@ services: - SEEDS_USER=${SEEDS_USER:-root} - REPLACE_OS_VARS=${REPLACE_OS_VARS:-true} - LIVEVIEW_ENABLED=${LIVEVIEW_ENABLED:-true} - - APP_NAME={APP_NAME:-Bonfire} + - APP_NAME=${APP_NAME:-Bonfire} - PLUG_SERVER - WITH_LV_NATIVE=${WITH_LV_NATIVE:-0} - WITH_IMAGE_VIX=${WITH_IMAGE_VIX:-1} -- 2.52.0 From b0ba41f277af3221503b1b2fdf7a9fe6c8248792 Mon Sep 17 00:00:00 2001 From: stevensting Date: Tue, 7 Jul 2026 16:57:27 +0200 Subject: [PATCH 15/15] small fixes, set bonfire version to 1.0.5 --- .env.sample | 4 ++-- compose.postgres.yml | 2 +- compose.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.env.sample b/.env.sample index 98cf016..ee477f3 100644 --- a/.env.sample +++ b/.env.sample @@ -46,8 +46,8 @@ DB_MIGRATE_INDEXES_CONCURRENTLY=false # uncomment in order to NOT automatically change the database schema when you upgrade the app # DISABLE_DB_AUTOMIGRATION=true -# Enable `compose.postgres.tune.yml` for Postgres tuning (can only be enabled *after* your instance already is deployed and working) (and remember to also include your chosen search backend and mailer's compose files) -# COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.tune.yml" +# Enable `compose.postgres.tune.yml` for Postgres tuning (can only be enabled *after* your instance already is deployed and working) +# COMPOSE_FILE="$COMPOSE_FILE:postgres/compose.postgres.tune.yml" # ==================================== ## BASIC_AUTH diff --git a/compose.postgres.yml b/compose.postgres.yml index 3db8c08..b1e8e67 100644 --- a/compose.postgres.yml +++ b/compose.postgres.yml @@ -64,7 +64,7 @@ services: secrets: - postgres_password healthcheck: - test: ["CMD-SHELL", "pg_isready", "-U", "postgres"] + test: ["CMD-SHELL", "pg_isready -h localhost -U $$POSTGRES_USER"] interval: 10s timeout: 5s retries: 5 diff --git a/compose.yml b/compose.yml index c49a740..4f0cdd6 100644 --- a/compose.yml +++ b/compose.yml @@ -3,7 +3,7 @@ version: "3.8" services: app: - image: ${CONTAINER_REGISTRY:-bonfirenetworks/bonfire}:${APP_VERSION:-1.0.4}-${APP_FLAVOUR:-social}-${APP_PLATFORM:-amd64} + image: ${CONTAINER_REGISTRY:-bonfirenetworks/bonfire}:${APP_VERSION:-1.0.5}-${APP_FLAVOUR:-social}-${APP_PLATFORM:-amd64} logging: driver: "json-file" options: -- 2.52.0