chore: publish 1.2.0+1.10.0 release

by @wolcen

README.md

@@ -25,10 +25,10 @@
 5. `abra app deploy YOURAPPDOMAIN`
 6. Create initial user:
 	```
-	abra app YOURAPPDOMAIN run app bash
+	abra app run YOURAPPDOMAIN app bash
-	. /docker-entrypoint2.sh -e
+	. /docker-entrypoint.sh -e
 	bin/manage_users
 
 [hedegedoc]: https://github.com/hedgedoc/hedgedoc
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[compose-traefik]: https://git.autonomic.zone/coop-cloud/traefik
+[compose-traefik]: https://git.autonomic.zone/coop-cloud/traefik

abra.sh

@@ -1,13 +1 @@
-export ENTRYPOINT_CONF_VERSION=v8
+export ENTRYPOINT_CONF_VERSION=v9
-
-abra_backup_app() {
-  _abra_backup_dir "app:/home/hackmd/app/public/uploads/"
-}
-
-abra_backup_db() {
-  _abra_backup_postgres "db" "codimd" "codimd" "db_password"
-}
-
-abra_backup() {
-  abra_backup_app && abra_backup_db
-}

alaconnect.yml

@@ -0,0 +1,15 @@
+authentik:
+    env:
+        CMD_OAUTH2_USER_PROFILE_URL: https://authentik.example.com/application/o/userinfo/
+        CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: preferred_username
+        CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: name
+        CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: email
+        CMD_OAUTH2_TOKEN_URL: https://authentik.example.com/application/o/token/
+        CMD_OAUTH2_AUTHORIZATION_URL: https://authentik.example.com/application/o/authorize/
+        CMD_OAUTH2_CLIENT_ID: hedgedoc
+        CMD_OAUTH2_PROVIDERNAME: Authentik
+    uncomment: 
+        - compose.oauth.yml
+        - SECRET_OAUTH_KEY_VERSION
+    shared_secrets:
+        hedgedoc_secret: oauth_key

compose.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   app:
-    image: quay.io/hedgedoc/hedgedoc:1.9.9
+    image: quay.io/hedgedoc/hedgedoc:1.10.0
     environment:
       - CMD_USECDN=false
       - CMD_URL_ADDPORT=false
@@ -43,7 +43,6 @@ services:
         mode: 0555
       - source: config_json
         target: /files/config.json
-        mode: 0555
     deploy:
       restart_policy:
         condition: on-failure
@@ -58,7 +57,7 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=1.0.1+1.9.9"
+        - "coop-cloud.${STACK_NAME}.version=1.2.0+1.10.0"
     healthcheck:
       test: "nodejs -e \"http.get('http://localhost:3000', (res) => { console.log('status: ', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });\""
       interval: 30s
@@ -66,7 +65,7 @@ services:
       retries: 10
       start_period: 1m
   db:
-    image: postgres:16.1-alpine
+    image: postgres:16.4-alpine
     environment:
       - POSTGRES_USER=codimd
       - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
@@ -79,12 +78,19 @@ services:
       - internal
     deploy:
       labels:
-          backupbot.backup: "true"
+        backupbot.backup: "true"
-          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.post-hook: "rm -f /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.post-hook: "rm -f /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
+        backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
-          backupbot.restore: "true"
+        backupbot.restore: "true"
-          backupbot.restore.post-hook: "sh -c 'psql -U $${POSTGRES_USER} -d $${POSTGRES_DB} < /var/lib/postgresql/data/backup.sql && rm -f /var/lib/postgresql/data/backup.sql'"
+        backupbot.restore.post-hook: "sh -c 'psql -U $${POSTGRES_USER} -d $${POSTGRES_DB} < /var/lib/postgresql/data/backup.sql && rm -f /var/lib/postgresql/data/backup.sql'"
+    healthcheck:
+      test: "pg_isready"
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 1m
+
 volumes:
   postgres:
   codimd_uploads:

entrypoint.sh.tmpl

@@ -1,48 +1,50 @@
 #!/usr/bin/env bash
 
 file_env() {
-	# 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+  # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
-	# 	https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+  #   https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
-	local var="$1"
+  local var="$1"
-	local fileVar="${var}_FILE"
+  local fileVar="${var}_FILE"
-	local def="${2:-}"
+  local def="${2:-}"
 
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-		exit 1
+    exit 1
-	fi
+  fi
-	local val="$def"
+  local val="$def"
-	if [ "${!var:-}" ]; then
+  if [ "${!var:-}" ]; then
-		val="${!var}"
+    val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
+  elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
+    val="$(< "${!fileVar}")"
-	fi
+  fi
-	export "$var"="$val"
+  export "$var"="$val"
-	unset "$fileVar"
+  unset "$fileVar"
 }
 
 load_vars() {
-	file_env "CMD_DB_PASSWORD"
+  file_env "CMD_DB_PASSWORD"
-	file_env "CMD_OAUTH2_CLIENT_SECRET"
+  file_env "CMD_OAUTH2_CLIENT_SECRET"
 }
 
 main() {
-	set -eu
+  set -eu
 
-	load_vars
+  load_vars
-  mkdir "/hedgedoc/.npm" && chown -R 10000:65534 "/hedgedoc/.npm" && chmod "u+rwx" "/hedgedoc/.npm"
+  mkdir -p "/hedgedoc/.npm" && \
+    chown -R 10000:65534 "/hedgedoc/.npm" && \
+    chmod "u+rwx" "/hedgedoc/.npm"
 }
 
 main
 
 export CMD_DB_URL=postgres://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME
 
-# 3wc: `source /docker-entrypoint2.sh -e` to load CMD_DB_URL for CLI scripts
+# 3wc: `source /docker-entrypoint.sh -e` to load CMD_DB_URL for CLI scripts
 if [ ! "${1-}" == "-e" ]; then
-	# 3wc: upstream ENTRYPOINT
+  # 3wc: upstream ENTRYPOINT
-	# https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile
+  # https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile
-	 mkdir -p "/hedgedoc/.npm" && chown -R 10000:65534 "/hedgedoc/.npm"
+   mkdir -p "/hedgedoc/.npm" && chown -R 10000:65534 "/hedgedoc/.npm"
-	/usr/local/bin/docker-entrypoint.sh npm start
+  /usr/local/bin/docker-entrypoint.sh npm start
 fi
 
 set +eu

release/1.2.0+1.10.0

@@ -0,0 +1 @@
+Fixes security issue: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p