Re-add SECRET_SESSION_SECRET_VERSION..

..which I accidentally removed while rebasing

.drone.yml

@@ -3,10 +3,12 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: hedgedoc
+      networks:
+       - proxy
       deploy_key:
         from_secret: drone_ssh_swarm_test
       generate_secrets: true
@@ -17,16 +19,23 @@ steps:
       LETS_ENCRYPT_ENV: production
       SECRET_DB_PASSWORD_VERSION: v1
       ENTRYPOINT_CONF_VERSION: v1
+      PG_BACKUP_VERSION: v1
 trigger:
   branch:
     - main
 ---
 kind: pipeline
-name: recipe release
+name: generate recipe catalogue
 steps:
   - name: release a new version
-    image: thecoopcloud/drone-abra:latest
+    image: plugins/downstream
     settings:
-      command: recipe hedgedoc release
+      server: https://build.coopcloud.tech
-      deploy_key:
+      token:
-        from_secret: abra_bot_deploy_key
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,26 +1,35 @@
-TYPE=codimd
+TYPE=hedgedoc
+TIMEOUT=300
+ENABLE_AUTO_UPDATE=true
+ENABLE_BACKUPS=true
 
-DOMAIN=codimd.example.com
+DOMAIN=hedgedoc.example.com
 ## Domain aliases
-#EXTRA_DOMAINS=', `www.codimd.example.com`'
+#EXTRA_DOMAINS=', `www.hedgedoc.example.com`'
 LETS_ENCRYPT_ENV=production
 
-SECRET_DB_PASSWORD_VERSION=v1
-
 COMPOSE_FILE="compose.yml"
 
-# OAuth, see https://hackmd.io/@codimd/codimd-generic-oauth-2
+SECRET_SESSION_SECRET_VERSION=v1
+
+# PostgreSQL
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.postgresql.yml"
+#SECRET_DB_PASSWORD_VERSION=v1
+
+# OAuth, see https://docs.hedgedoc.org/guides/auth/keycloak/
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.oauth.yml"
 #CMD_OAUTH2_PROVIDERNAME="Keycloak"
-#CMD_OAUTH2_BASEURL="https://keycloak.example.com/realms/realmname/protocol/openid-connect/"
+#CMD_OAUTH2_CLIENT_ID="hedgedoc"
-#CMD_OAUTH2_CLIENT_ID="codimd"
 #CMD_OAUTH2_AUTHORIZATION_URL="https://keycloak.example.com/auth/realms/realmname/protocol/openid-connect/auth"
 #CMD_OAUTH2_TOKEN_URL="https://keycloak.example.com/auth/realms/realmname/protocol/openid-connect/token"
 #CMD_OAUTH2_USER_PROFILE_URL="https://keycloak.example.com/auth/realms/realmname/protocol/openid-connect/userinfo"
 #CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=ocs.data.id
 #CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=ocs.data.display-name
 #CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=ocs.data.email
+#CMD_OAUTH2_PROVIDERNAME=Keycloak
+#CMD_OAUTH2_SCOPE="openid email profile"
 #
 #SECRET_OAUTH_KEY_VERSION=v1
 
@@ -30,6 +39,7 @@ COMPOSE_FILE="compose.yml"
 # CMD_ALLOW_ANONYMOUS_EDITS=false
 # CMD_ALLOW_EMAIL_REGISTER=true
 # CMD_ALLOW_FREEURL=false
+# CMD_REQUIRE_FREEURL_AUTHENTICATION=true
 # CMD_ALLOW_GRAVATAR=true
 # CMD_ALLOW_ORIGIN=localhost
 # CMD_COOKIE_POLICY=lax
@@ -40,3 +50,5 @@ COMPOSE_FILE="compose.yml"
 # CMD_DEFAULT_PERMISSION=editable
 # CMD_EMAIL=true
 # CMD_SESSION_LIFE=1209600000
+# Only present in config.json (no equivalent env var):
+# DOCUMENT_MAX_LENGTH=100000

README.md

@@ -7,9 +7,9 @@
 <!-- metadata -->
 * **Category**: Apps
 * **Status**: 2, beta
-* **Image**: [`quay.io/hedgedoc/hedgedoc:1.8.2`](https://quay.io/hedgedoc/hedgedoc:1.8.2), 4, upstream
+* **Image**: [`quay.io/hedgedoc/hedgedoc`](https://quay.io/hedgedoc/hedgedoc), 4, upstream
 * **Healthcheck**: Yes
-* **Backups**: No
+* **Backups**: Yes
 * **Email**: No
 * **Tests**: 2
 * **SSO**: 3 (OAuth)
@@ -19,17 +19,16 @@
 
 1. Set up Docker Swarm and [`abra`][abra]
 2. Deploy [`coop-cloud/traefik`][compose-traefik]
-3. `abra app new hedegedoc`
+3. `abra app new hedgedoc`
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
+4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
+5. `abra app deploy YOURAPPDOMAIN`
 6. Create initial user:
 	```
-	abra app YOURAPPDOMAIN run app bash
+	abra app run YOURAPPDOMAIN app bash
-	. /docker-entrypoint2.sh -e
+	. /docker-entrypoint.sh -e
 	bin/manage_users
-	```
 
-[hedegedoc]: https://github.com/hackmdio/hedegedoc
+[hedegedoc]: https://github.com/hedgedoc/hedgedoc
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [compose-traefik]: https://git.autonomic.zone/coop-cloud/traefik

abra.sh

@@ -1,13 +1,2 @@
-export ENTRYPOINT_CONF_VERSION=v5
+export ENTRYPOINT_CONF_VERSION=v10
-
+export PG_BACKUP_VERSION=v1
-abra_backup_app() {
-  _abra_backup_dir "app:/home/hackmd/app/public/uploads/"
-}
-
-abra_backup_db() {
-  _abra_backup_postgres "db" "codimd" "codimd" "db_password"
-}
-
-abra_backup() {
-  abra_backup_app && abra_backup_db
-}

alaconnect.yml

@@ -0,0 +1,15 @@
+authentik:
+    env:
+        CMD_OAUTH2_USER_PROFILE_URL: https://authentik.example.com/application/o/userinfo/
+        CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: preferred_username
+        CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: name
+        CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: email
+        CMD_OAUTH2_TOKEN_URL: https://authentik.example.com/application/o/token/
+        CMD_OAUTH2_AUTHORIZATION_URL: https://authentik.example.com/application/o/authorize/
+        CMD_OAUTH2_CLIENT_ID: hedgedoc
+        CMD_OAUTH2_PROVIDERNAME: Authentik
+    uncomment: 
+        - compose.oauth.yml
+        - SECRET_OAUTH_KEY_VERSION
+    shared_secrets:
+        hedgedoc_secret: oauth_key

compose.oauth.yml

@@ -5,7 +5,6 @@ services:
   app:
     environment:
       - CMD_OAUTH2_PROVIDERNAME
-      - CMD_OAUTH2_BASEURL
       - CMD_OAUTH2_CLIENT_ID
       - CMD_OAUTH2_CLIENT_SECRET_FILE=/run/secrets/oauth_key
       - CMD_OAUTH2_AUTHORIZATION_URL
@@ -14,6 +13,7 @@ services:
       - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR
       - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR
       - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR
+      - CMD_OAUTH2_SCOPE
     secrets:
       - oauth_key
 

compose.postgresql.yml

@@ -0,0 +1,55 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - CMD_DB_URL=
+      - CMD_DB_NAME=codimd
+      - CMD_DB_USER=codimd
+      - CMD_DB_HOST=db
+      - CMD_DB_PASSWORD_FILE=/run/secrets/db_password
+    depends_on:
+      - db
+    networks:
+      - internal
+    secrets:
+      - db_password
+  db:
+    image: postgres:16.4-alpine
+    environment:
+      - POSTGRES_USER=codimd
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_DB=codimd
+    volumes:
+      - "postgres:/var/lib/postgresql/data"
+    secrets:
+      - db_password
+    networks:
+      - internal
+    deploy:
+      labels:
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.postgres.path: "backup.sql"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
+    healthcheck:
+      test: "pg_isready"
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 1m
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
+volumes:
+  postgres:
+secrets:
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+networks:
+  internal:
+configs:
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh

compose.yml

@@ -1,21 +1,19 @@
 version: "3.8"
 services:
   app:
-    image: quay.io/hedgedoc/hedgedoc:1.9.3
+    image: quay.io/hedgedoc/hedgedoc:1.10.0
     environment:
       - CMD_USECDN=false
       - CMD_URL_ADDPORT=false
       - CMD_DOMAIN=$DOMAIN
       - CMD_PROTOCOL_USESSL=true
       - CMD_HSTS_ENABLE=false
-      - CMD_DB_NAME=codimd
+      - CMD_DB_URL=sqlite:/database/db.sqlite3
-      - CMD_DB_USER=codimd
-      - CMD_DB_HOST=db
-      - CMD_DB_PASSWORD_FILE=/run/secrets/db_password
       - CMD_ALLOW_ANONYMOUS
       - CMD_ALLOW_ANONYMOUS_EDITS
       - CMD_ALLOW_EMAIL_REGISTER
       - CMD_ALLOW_FREEURL
+      - CMD_REQUIRE_FREEURL_AUTHENTICATION
       - CMD_ALLOW_GRAVATAR
       - CMD_ALLOW_ORIGIN
       - CMD_COOKIE_POLICY
@@ -26,20 +24,22 @@ services:
       - CMD_DEFAULT_PERMISSION
       - CMD_EMAIL
       - CMD_SESSION_LIFE
-    depends_on:
+      - CMD_SESSION_SECRET_FILE=/run/secrets/session_secret
-      - db
+      - DOCUMENT_MAX_LENGTH
     networks:
       - proxy
-      - internal
     volumes:
-      - codimd_uploads:/home/hackmd/app/public/uploads
+      - codimd_uploads:/hedgedoc/public/uploads
+      - codimd_database:/database
     secrets:
-      - db_password
+      - session_secret
     entrypoint: /docker-entrypoint.sh
     configs:
       - source: entrypoint_conf
         target: /docker-entrypoint.sh
         mode: 0555
+      - source: config_json
+        target: /files/config.json
     deploy:
       restart_policy:
         condition: on-failure
@@ -53,37 +53,31 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - coop-cloud.${STACK_NAME}.version=0.2.0+1.9.3
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "coop-cloud.${STACK_NAME}.version=1.2.1+1.10.0"
+        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
     healthcheck:
       test: "nodejs -e \"http.get('http://localhost:3000', (res) => { console.log('status: ', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });\""
       interval: 30s
       timeout: 10s
       retries: 10
       start_period: 1m
-  db:
-    image: postgres:11.15-alpine
-    environment:
-      - POSTGRES_USER=codimd
-      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
-      - POSTGRES_DB=codimd
-    volumes:
-      - "postgres:/var/lib/postgresql/data"
-    secrets:
-      - db_password
-    networks:
-      - internal
 volumes:
-  postgres:
   codimd_uploads:
+  codimd_database:
+  
 secrets:
-  db_password:
+  session_secret:
     external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    name: ${STACK_NAME}_session_secret_${SECRET_SESSION_SECRET_VERSION}
 networks:
   proxy:
     external: true
-  internal:
 configs:
+  config_json:
+    name: ${STACK_NAME}_config_${ENTRYPOINT_CONF_VERSION}
+    file: config.json.tmpl
+    template_driver: golang
   entrypoint_conf:
     name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
     file: entrypoint.sh.tmpl

config.json.tmpl

@@ -0,0 +1,7 @@
+{
+  {{ if (env "DOCUMENT_MAX_LENGTH") }}
+  "production": {
+    "documentMaxLength": {{ env "DOCUMENT_MAX_LENGTH" }}
+    }
+  {{ end }}
+}

entrypoint.sh.tmpl

@@ -1,46 +1,53 @@
 #!/usr/bin/env bash
 
 file_env() {
-	# 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+  # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
-	# 	https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+  #   https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
-	local var="$1"
+  local var="$1"
-	local fileVar="${var}_FILE"
+  local fileVar="${var}_FILE"
-	local def="${2:-}"
+  local def="${2:-}"
 
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-		exit 1
+    exit 1
-	fi
+  fi
-	local val="$def"
+  local val="$def"
-	if [ "${!var:-}" ]; then
+  if [ "${!var:-}" ]; then
-		val="${!var}"
+    val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
+  elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
+    val="$(< "${!fileVar}")"
-	fi
+  fi
-	export "$var"="$val"
+  export "$var"="$val"
-	unset "$fileVar"
+  unset "$fileVar"
 }
 
 load_vars() {
-	file_env "CMD_DB_PASSWORD"
+  file_env "CMD_DB_PASSWORD"
-	file_env "CMD_OAUTH2_CLIENT_SECRET"
+  file_env "CMD_OAUTH2_CLIENT_SECRET"
+  file_env "CMD_SESSION_SECRET"
 }
 
 main() {
-	set -eu
+  set -eu
 
-	load_vars
+  load_vars
+  mkdir -p "/hedgedoc/.npm" && \
+    chown -R 10000:65534 "/hedgedoc/.npm" && \
+    chmod "u+rwx" "/hedgedoc/.npm"
+
+  chown -R 10000:65534 /database
 }
 
 main
 
-export CMD_DB_URL=postgres://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME
+export CMD_DB_URL="${CMD_DB_URL:-postgres://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME}"
 
-# 3wc: `source /docker-entrypoint2.sh -e` to load CMD_DB_URL for CLI scripts
+# 3wc: `source /docker-entrypoint.sh -e` to load CMD_DB_URL for CLI scripts
 if [ ! "${1-}" == "-e" ]; then
-	# 3wc: upstream ENTRYPOINT
+  # 3wc: upstream ENTRYPOINT
-	# https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile
+  # https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile
-	/usr/local/bin/docker-entrypoint.sh npm start
+   mkdir -p "/hedgedoc/.npm" && chown -R 10000:65534 "/hedgedoc/.npm"
+  /usr/local/bin/docker-entrypoint.sh npm start
 fi
 
 set +eu

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

release/1.0.0+1.9

@@ -0,0 +1,7 @@
+WARNING WARNING WARNING 🚨
+
+This release includes a major Postgres database upgrade, but does not yet include tools to automatically upgrade from older Postgres releases.
+
+PLEASE DO NOT UPGRADE EXISTING INSTANCES TO THIS VERSION.
+
+This should be fixed soon.

release/1.2.0+1.10.0

@@ -0,0 +1 @@
+Fixes security issue: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p