21 Commits

Author SHA1 Message Date
f
3efbfec419 chore: publish 1.2.2+1.10.1 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2025-02-03 09:42:30 -03:00
f
93e5604fcb fix: GHSA-6w39-x2c6-6mpf
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-6w39-x2c6-6mpf
2025-02-03 09:34:32 -03:00
917766023b Update .drone.yml
Some checks failed
continuous-integration/drone/push Build is failing
2025-01-08 10:09:12 -08:00
6feab6a99e Merge pull request 'envvars' (#16) from fauno/hedgedoc:envvars into main
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #16
2024-10-27 06:22:01 +00:00
f
ca5a95bea6 fix: load secret from file into env var
Some checks failed
continuous-integration/drone/pr Build is failing
2024-10-26 11:01:18 -03:00
f
6a036c4c82 fix: set session secret
Some checks failed
continuous-integration/drone/pr Build is failing
2024-10-25 17:47:27 -03:00
f
d19f286c11 fix: require authentication for free urls 2024-10-25 17:46:47 -03:00
635eee710b chore: publish 1.2.1+1.10.0 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2024-10-25 21:04:02 +02:00
49f06173e9 fix drone runner
All checks were successful
continuous-integration/drone/push Build is passing
2024-10-24 13:31:31 +02:00
9194256835 update backupbot label
Some checks failed
continuous-integration/drone/push Build is failing
2024-10-24 13:22:27 +02:00
081f2139fa chore: publish 1.2.0+1.10.0 release
All checks were successful
continuous-integration/drone/push Build is passing
2024-10-01 13:12:13 +02:00
6f15d5f2c7 chore: publish 1.1.0+1.9.9 release
All checks were successful
continuous-integration/drone/push Build is passing
2024-07-16 17:32:26 +02:00
8bc03406a1 Remove legacy backup configuration
by @wolcen
2024-07-16 17:31:57 +02:00
bc8996f558 Correct README re: configuring users
by @wolcen
2024-07-16 17:31:20 +02:00
fcf5bade21 Add basic health check for db container
by @wolcen
2024-07-16 17:29:45 +02:00
3fc480b82b Remove unnecessary mode assignment for config.json @wolcen 2024-07-16 17:29:45 +02:00
f71534e396 fix indentation for backupbot labels 2024-07-16 17:29:45 +02:00
5e815e63a5 Merge pull request 'fix: use new uploads path' (#12) from fix-uploads-volume into main
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #12
2024-07-16 14:52:03 +00:00
ec98bab9d5 Merge pull request 'Pass -p also in entrypoint' (#14) from entrypoint-fix into main
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #14
2024-07-16 14:49:28 +00:00
65ec56ac08 add alakazam integration file alaconnect.yml
All checks were successful
continuous-integration/drone/push Build is passing
2024-05-13 17:41:59 +02:00
c727320a31 fix: use new uploads path
Some checks failed
continuous-integration/drone/pr Build is failing
2024-04-23 09:21:38 +02:00
10 changed files with 90 additions and 28 deletions

View File

@ -19,6 +19,7 @@ steps:
LETS_ENCRYPT_ENV: production
SECRET_DB_PASSWORD_VERSION: v1
ENTRYPOINT_CONF_VERSION: v1
PG_BACKUP_VERSION: v1
trigger:
branch:
- main
@ -34,7 +35,7 @@ steps:
from_secret: drone_abra-bot_token
fork: true
repositories:
- coop-cloud/auto-recipes-catalogue-json
- toolshed/auto-recipes-catalogue-json
trigger:
event: tag

View File

@ -1,6 +1,7 @@
TYPE=hedgedoc
TIMEOUT=300
ENABLE_AUTO_UPDATE=true
ENABLE_BACKUPS=true
DOMAIN=hedgedoc.example.com
## Domain aliases
@ -8,6 +9,7 @@ DOMAIN=hedgedoc.example.com
LETS_ENCRYPT_ENV=production
SECRET_DB_PASSWORD_VERSION=v1
SECRET_SESSION_SECRET_VERSION=v1
COMPOSE_FILE="compose.yml"
@ -33,6 +35,7 @@ COMPOSE_FILE="compose.yml"
# CMD_ALLOW_ANONYMOUS_EDITS=false
# CMD_ALLOW_EMAIL_REGISTER=true
# CMD_ALLOW_FREEURL=false
# CMD_REQUIRE_FREEURL_AUTHENTICATION=true
# CMD_ALLOW_GRAVATAR=true
# CMD_ALLOW_ORIGIN=localhost
# CMD_COOKIE_POLICY=lax

View File

@ -25,10 +25,10 @@
5. `abra app deploy YOURAPPDOMAIN`
6. Create initial user:
```
abra app YOURAPPDOMAIN run app bash
. /docker-entrypoint2.sh -e
abra app run YOURAPPDOMAIN app bash
. /docker-entrypoint.sh -e
bin/manage_users
[hedegedoc]: https://github.com/hedgedoc/hedgedoc
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
[compose-traefik]: https://git.autonomic.zone/coop-cloud/traefik
[compose-traefik]: https://git.autonomic.zone/coop-cloud/traefik

13
abra.sh
View File

@ -1,13 +1,2 @@
export ENTRYPOINT_CONF_VERSION=v9
abra_backup_app() {
_abra_backup_dir "app:/home/hackmd/app/public/uploads/"
}
abra_backup_db() {
_abra_backup_postgres "db" "codimd" "codimd" "db_password"
}
abra_backup() {
abra_backup_app && abra_backup_db
}
export PG_BACKUP_VERSION=v1

15
alaconnect.yml Normal file
View File

@ -0,0 +1,15 @@
authentik:
env:
CMD_OAUTH2_USER_PROFILE_URL: https://authentik.example.com/application/o/userinfo/
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: name
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: email
CMD_OAUTH2_TOKEN_URL: https://authentik.example.com/application/o/token/
CMD_OAUTH2_AUTHORIZATION_URL: https://authentik.example.com/application/o/authorize/
CMD_OAUTH2_CLIENT_ID: hedgedoc
CMD_OAUTH2_PROVIDERNAME: Authentik
uncomment:
- compose.oauth.yml
- SECRET_OAUTH_KEY_VERSION
shared_secrets:
hedgedoc_secret: oauth_key

View File

@ -1,7 +1,7 @@
version: "3.8"
services:
app:
image: quay.io/hedgedoc/hedgedoc:1.9.9
image: quay.io/hedgedoc/hedgedoc:1.10.1
environment:
- CMD_USECDN=false
- CMD_URL_ADDPORT=false
@ -16,6 +16,7 @@ services:
- CMD_ALLOW_ANONYMOUS_EDITS
- CMD_ALLOW_EMAIL_REGISTER
- CMD_ALLOW_FREEURL
- CMD_REQUIRE_FREEURL_AUTHENTICATION
- CMD_ALLOW_GRAVATAR
- CMD_ALLOW_ORIGIN
- CMD_COOKIE_POLICY
@ -26,6 +27,7 @@ services:
- CMD_DEFAULT_PERMISSION
- CMD_EMAIL
- CMD_SESSION_LIFE
- CMD_SESSION_SECRET_FILE=/run/secrets/session_secret
- DOCUMENT_MAX_LENGTH
depends_on:
- db
@ -33,9 +35,10 @@ services:
- proxy
- internal
volumes:
- codimd_uploads:/home/hackmd/app/public/uploads
- codimd_uploads:/hedgedoc/public/uploads
secrets:
- db_password
- session_secret
entrypoint: /docker-entrypoint.sh
configs:
- source: entrypoint_conf
@ -43,7 +46,6 @@ services:
mode: 0555
- source: config_json
target: /files/config.json
mode: 0555
deploy:
restart_policy:
condition: on-failure
@ -58,7 +60,7 @@ services:
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
- "coop-cloud.${STACK_NAME}.version=1.0.1+1.9.9"
- "coop-cloud.${STACK_NAME}.version=1.2.2+1.10.1"
healthcheck:
test: "nodejs -e \"http.get('http://localhost:3000', (res) => { console.log('status: ', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });\""
interval: 30s
@ -66,7 +68,7 @@ services:
retries: 10
start_period: 1m
db:
image: postgres:16.1-alpine
image: postgres:16.4-alpine
environment:
- POSTGRES_USER=codimd
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
@ -79,12 +81,21 @@ services:
- internal
deploy:
labels:
backupbot.backup: "true"
backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
backupbot.backup.post-hook: "rm -f /var/lib/postgresql/data/backup.sql"
backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
backupbot.restore: "true"
backupbot.restore.post-hook: "sh -c 'psql -U $${POSTGRES_USER} -d $${POSTGRES_DB} < /var/lib/postgresql/data/backup.sql && rm -f /var/lib/postgresql/data/backup.sql'"
backupbot.backup: "${ENABLE_BACKUPS:-true}"
backupbot.backup.pre-hook: "/pg_backup.sh backup"
backupbot.backup.volumes.postgres.path: "backup.sql"
backupbot.restore.post-hook: '/pg_backup.sh restore'
healthcheck:
test: "pg_isready"
interval: 30s
timeout: 10s
retries: 5
start_period: 1m
configs:
- source: pg_backup
target: /pg_backup.sh
mode: 0555
volumes:
postgres:
codimd_uploads:
@ -92,6 +103,9 @@ secrets:
db_password:
external: true
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
session_secret:
external: true
name: ${STACK_NAME}_session_secret_${SECRET_SESSION_SECRET_VERSION}
networks:
proxy:
external: true
@ -105,3 +119,6 @@ configs:
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang
pg_backup:
name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
file: pg_backup.sh

View File

@ -24,6 +24,7 @@ file_env() {
load_vars() {
file_env "CMD_DB_PASSWORD"
file_env "CMD_OAUTH2_CLIENT_SECRET"
file_env "CMD_SESSION_SECRET"
}
main() {
@ -39,7 +40,7 @@ main
export CMD_DB_URL=postgres://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME
# 3wc: `source /docker-entrypoint2.sh -e` to load CMD_DB_URL for CLI scripts
# 3wc: `source /docker-entrypoint.sh -e` to load CMD_DB_URL for CLI scripts
if [ ! "${1-}" == "-e" ]; then
# 3wc: upstream ENTRYPOINT
# https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile

34
pg_backup.sh Normal file
View File

@ -0,0 +1,34 @@
#!/bin/bash
set -e
BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
function backup {
export PGPASSWORD=$(cat /run/secrets/db_password)
pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
}
function restore {
cd /var/lib/postgresql/data/
restore_config(){
# Restore allowed connections
cat pg_hba.conf.bak > pg_hba.conf
su postgres -c 'pg_ctl reload'
}
# Don't allow any other connections than local
cp pg_hba.conf pg_hba.conf.bak
echo "local all all trust" > pg_hba.conf
su postgres -c 'pg_ctl reload'
trap restore_config EXIT INT TERM
# Recreate Database
psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);"
createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
trap - EXIT INT TERM
restore_config
}
$@

1
release/1.2.0+1.10.0 Normal file
View File

@ -0,0 +1 @@
Fixes security issue: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p

1
release/1.2.2+1.10.1 Normal file
View File

@ -0,0 +1 @@
Upgrade to fix GHSA-6w39-x2c6-6mpf