chore: publish 0.4.0+11 release

Reviewed-on: #1

.env.sample

@@ -6,11 +6,46 @@ TYPE=directus
 
 DOMAIN=directus.example.com
 
+#IMAGE_VERSION=11.13.1
+
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.directus.example.com`'
 
 LETS_ENCRYPT_ENV=production
 
+COMPOSE_FILE="compose.yml"
+
 ENABLE_BACKUPS=true
 
-ADMIN_EMAIL=mail@example.com
+ADMIN_EMAIL=mail@example.com
+
+# if you don't use smtp, sendmail is used
+# COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+# SECRET_SMTP_PASSWORD_VERSION=v1
+# EMAIL_FROM=noreply@example.com
+# EMAIL_SMTP_USER=
+# EMAIL_SMTP_HOST=mailhost.com
+# EMAIL_SMTP_PORT=465
+# EMAIL_SMTP_SECURE=true
+
+
+## SSO (via OpenId)
+ 
+# Details about env-vars, the once below are necessary, others can be used as well: 
+# https://directus.io/docs/configuration/auth-sso#openid-connect
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
+#SECRET_OIDC_SECRET_VERSION=v1
+
+#AUTH_DISABLE_DEFAULT="false"
+#AUTH_SSO_LABEL="Single-Sign On"
+#AUTH_SSO_CLIENT_ID="<your-client-id>"
+#AUTH_SSO_ISSUER_URL="<your-.wellknown-issuer-url"
+#AUTH_SSO_ALLOW_PUBLIC_REGISTRATION="true"
+#AUTH_SSO_DEFAULT_ROLE_ID="<UUID-of-a-user-role>"
+#AUTH_SSO_SYNC_USER_INFO="true"
+#AUTH_SSO_SCOPE="openid profile email"
+
+# https://directus.io/docs/configuration/auth-sso
+# if you need more/other provider(s), consult docs on how to override compose.yml:
+# https://docs.coopcloud.tech/operators/handbook/#how-can-i-modifyoverride-the-composeyml-file

README.md

@@ -17,7 +17,9 @@
 
 ## Quick start
 
-* `abra app new directus --secrets`
+* `abra app new directus`
+* `abra app secret insert <app-name> smtp_password v1 <your-smtp-password>`
+* `abra app secret generate <app-name> --all`
 * `abra app config <app-name>`
 * `abra app deploy <app-name>`
 

abra.sh

@@ -1,4 +1,63 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
-export DIRECTUS_ENTRYPOINT_VERSION=v1
-export PG_BACKUP_VERSION=v1
+export DIRECTUS_ENTRYPOINT_VERSION=v4
+export PG_BACKUP_VERSION=v1
+
+# essentially a wrapper for directus-template-cli apply:
+# https://github.com/directus-labs/directus-template-cli
+apply_community_template () {
+    echo "This will apply one of the community templates to your directus installation."
+    echo "Checkout existing templates here: https://github.com/directus-labs/directus-templates"
+    echo "\"CMS\" is proably what you want, there exist others, e.g. \"Simple CRM\", for others checkout github-repo and look in the package.json for \"templateName\""
+    
+    
+    echo -n "Enter template name (e.g. \"CMS\"): "
+    read template
+
+    if [ -z "$template" ]; then
+        echo "You need to define a template" >&2
+        return 1
+    fi
+
+    echo "\n will try to apply template \"$template\". "
+    read -p "Proceed? (y/n): " proceed 
+
+
+    if [ "$proceed" != "y" ]; then
+        echo "Aborting."
+        return 1
+    fi
+
+    npx --yes directus-template-cli@latest apply -p \
+        --directusUrl=https://$DOMAIN \
+        --userEmail=$ADMIN_EMAIL \
+        --userPassword=$(cat /var/run/secrets/admin_password) \
+        --templateLocation="$template" \
+        --templateType="community"
+
+    return 0
+}
+
+# run locally!
+# essentially a wrapper for directus-template-cli extract:
+# https://github.com/directus-labs/directus-template-cli
+extract_template (){
+    TEMPLATE_LOCATION="./directus-template"
+    TEMPLATE_NAME="directus-template"
+
+    echo "script extracts your current directus settings (includes data!) and saves it with the template name \"$TEMPLATE_NAME\" to the folder \"$TEMPLATE_LOCATION\""
+
+    ADMIN_PASSWORD=$(abra app run -t $DOMAIN app -- cat /var/run/secrets/admin_password)
+    npx --yes directus-template-cli@latest extract -p \
+        --directusUrl=https://$DOMAIN \
+        --userEmail=$ADMIN_EMAIL \
+        --userPassword=$ADMIN_PASSWORD \
+        --templateLocation="$TEMPLATE_LOCATION" \
+        --templateName="$TEMPLATE_NAME"
+        
+    ADMIN_PASSWORD=""
+    TEMPLATE_LOCATION=""
+    TEMPLATE_NAME=""
+    return 0
+}
+

compose.oidc.yml

@@ -0,0 +1,31 @@
+---
+services:
+  app:
+    environment:
+      AUTH_PROVIDERS: "sso"
+      AUTH_DISABLE_DEFAULT: "${AUTH_DISABLE_DEFAULT:-false}"
+      AUTH_SSO_DRIVER: "openid"
+      AUTH_SSO_CLIENT_ID: ${AUTH_SSO_CLIENT_ID}
+      AUTH_SSO_CLIENT_SECRET_FILE: /run/secrets/oidc_secret
+      AUTH_SSO_ISSUER_URL: ${AUTH_SSO_ISSUER_URL}
+      AUTH_SSO_SCOPE: ${AUTH_SSO_SCOPE:-"openid profile email"}
+      AUTH_SSO_IDENTIFIER_KEY: ${AUTH_SSO_IDENTIFIER_KEY}
+      AUTH_SSO_ALLOW_PUBLIC_REGISTRATION: ${AUTH_SSO_ALLOW_PUBLIC_REGISTRATION:-false}
+      AUTH_SSO_REQUIRE_VERIFIED_EMAIL: ${AUTH_SSO_REQUIRE_VERIFIED_EMAIL:-false}
+      AUTH_SSO_DEFAULT_ROLE_ID: ${AUTH_SSO_DEFAULT_ROLE_ID}
+      AUTH_SSO_SYNC_USER_INFO: ${AUTH_SSO_SYNC_USER_INFO:-true}
+      AUTH_SSO_ROLE_MAPPING: ${AUTH_SSO_ROLE_MAPPING:-{}}"
+      AUTH_SSO_GROUP_CLAIM_NAME: ${AUTH_SSO_GROUP_CLAIM_NAME:-groups}
+      AUTH_SSO_ICON: ${AUTH_SSO_ICON:-account_circle}
+      AUTH_SSO_LABEL: ${AUTH_SSO_LABEL:-"Single Sign On"}
+      AUTH_SSO_PARAMS: ${AUTH_SSO_PARAMS:-{}}
+      AUTH_SSO_REDIRECT_ALLOW_LIST: ${AUTH_SSO_REDIRECT_ALLOW_LIST}
+
+    secrets:
+      - oidc_secret
+      
+secrets:
+  oidc_secret:
+    name: ${STACK_NAME}_oidc_secret_${SECRET_OIDC_SECRET_VERSION}
+    external: true
+

compose.smtp.yml

@@ -0,0 +1,20 @@
+---
+services:
+  app:
+    environment:
+      EMAIL_TRANSPORT: "smtp"
+      EMAIL_FROM: ${EMAIL_FROM}
+      EMAIL_SMTP_USER: ${EMAIL_SMTP_USER}
+      EMAIL_SMTP_HOST: ${EMAIL_SMTP_HOST}
+      EMAIL_SMTP_PORT: ${EMAIL_SMTP_PORT:-465}
+      EMAIL_SMTP_SECURE: ${EMAIL_SMTP_SECURE:-true}
+      EMAIL_SMTP_PASSWORD_FILE: /run/secrets/smtp_password
+
+    secrets:
+      - smtp_password
+
+secrets:
+  smtp_password:
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
+    external: true
+

compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   app:
-    image: directus/directus:11.10.2
+    image: directus/directus:${IMAGE_VERSION:-11}
 
     environment:
       DB_CLIENT: pg
@@ -12,6 +12,8 @@ services:
       DB_PASSWORD_FILE: /run/secrets/db_password
       SECRET_FILE: /run/secrets/signing_secret
 
+      DB_POOL__MIN: 0
+
       CACHE_ENABLED: "true"
       CACHE_AUTO_PURGE: "true"
       CACHE_STORE: "redis"
@@ -56,19 +58,18 @@ services:
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         ## Redirect from EXTRA_DOMAINS to DOMAIN
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         ## Redirect HTTP to HTTPS
-        # - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
-        # - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
-        ## When you're ready for release, run "abra recipe sync <name>" to set this
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+11.10.2"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
+        - "coop-cloud.${STACK_NAME}.version=0.4.0+11"
 
     healthcheck:
       test: ["CMD-SHELL", "wget -qO- http://0.0.0.0:8055/server/health | grep -q '\"status\":\"ok\"'"]
-      timeout: 10s
+      timeout: 30s
       retries: 10
       start_interval: 5s
-      start_period: 1m
+      start_period: 90s
   
   db:
     image: postgis/postgis:13-master

entrypoint.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+load_secret() {
+    env_var="$1"
+    secret_file="$2"
+
+    if [ -f "$secret_file" ]; then
+        value=$(cat "$secret_file")
+        if [ -z "$value" ]; then
+            echo >&2 "error: $secret_file is empty"
+            exit 1
+        fi
+        export "$env_var"="$value"
+    else
+        echo >&2 "info: $secret_file does not exist, if you don't use the secret it shouldn't be a problem"
+    fi
+}
+
+load_secret "DB_PASSWORD" "/run/secrets/db_password"
+load_secret "ADMIN_PASSWORD" "/run/secrets/admin_password"
+load_secret "SIGNING_SECRET" "/run/secrets/signing_secret"
+load_secret "EMAIL_SMTP_PASSWORD" "/run/secrets/smtp_password"
+load_secret "OIDC_SECRET" "/run/secrets/oidc_secret"
+
+# upstream has no entrypoint https://github.com/directus/directus/blob/main/Dockerfile
+node cli.js bootstrap && pm2-runtime start ecosystem.config.cjs

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

release/0.3.0+11

@@ -0,0 +1 @@
+added sso and smtp, two secrets are now optional

release/0.3.1+11

@@ -0,0 +1 @@
+added example env for sso

release/0.4.0+11

@@ -0,0 +1 @@
+compare release notes of 0.3.0 – some recipe upgrading issues