15 changed files with 57 additions and 152 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -18,9 +18,7 @@ steps:
      STACK_NAME: hedgedoc
      LETS_ENCRYPT_ENV: production
      SECRET_DB_PASSWORD_VERSION: v1
-      SECRET_SESSION_SECRET_VERSION: v1
      ENTRYPOINT_CONF_VERSION: v1
-      PG_BACKUP_VERSION: v1
 trigger:
  branch:
    - main
@ -36,7 +34,7 @@ steps:
        from_secret: drone_abra-bot_token
      fork: true
      repositories:
-        - toolshed/auto-recipes-catalogue-json
+        - coop-cloud/auto-recipes-catalogue-json

 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,22 +1,16 @@
 TYPE=hedgedoc
 TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
-ENABLE_BACKUPS=true

 DOMAIN=hedgedoc.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.hedgedoc.example.com`'
 LETS_ENCRYPT_ENV=production

-SECRET_SESSION_SECRET_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1

 COMPOSE_FILE="compose.yml"

-# PostgreSQL
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.postgresql.yml"
-#SECRET_DB_PASSWORD_VERSION=v1
-
 # OAuth, see https://docs.hedgedoc.org/guides/auth/keycloak/

 #COMPOSE_FILE="$COMPOSE_FILE:compose.oauth.yml"
@ -39,7 +33,6 @@ COMPOSE_FILE="compose.yml"
 # CMD_ALLOW_ANONYMOUS_EDITS=false
 # CMD_ALLOW_EMAIL_REGISTER=true
 # CMD_ALLOW_FREEURL=false
-# CMD_REQUIRE_FREEURL_AUTHENTICATION=true
 # CMD_ALLOW_GRAVATAR=true
 # CMD_ALLOW_ORIGIN=localhost
 # CMD_COOKIE_POLICY=lax
--- a/README.md
+++ b/README.md
@ -25,10 +25,10 @@
 5. `abra app deploy YOURAPPDOMAIN`
 6. Create initial user:
 	```
-	abra app run YOURAPPDOMAIN app bash
-	. /docker-entrypoint.sh -e
+	abra app YOURAPPDOMAIN run app bash
+	. /docker-entrypoint2.sh -e
 	bin/manage_users

 [hedegedoc]: https://github.com/hedgedoc/hedgedoc
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[compose-traefik]: https://git.autonomic.zone/coop-cloud/traefik
+[compose-traefik]: https://git.autonomic.zone/coop-cloud/traefik
--- a/abra.sh
+++ b/abra.sh
@ -1,2 +1,13 @@
-export ENTRYPOINT_CONF_VERSION=v13
-export PG_BACKUP_VERSION=v1
+export ENTRYPOINT_CONF_VERSION=v9
+
+abra_backup_app() {
+  _abra_backup_dir "app:/home/hackmd/app/public/uploads/"
+}
+
+abra_backup_db() {
+  _abra_backup_postgres "db" "codimd" "codimd" "db_password"
+}
+
+abra_backup() {
+  abra_backup_app && abra_backup_db
+}
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -1,15 +0,0 @@
-authentik:
-    env:
-        CMD_OAUTH2_USER_PROFILE_URL: https://authentik.example.com/application/o/userinfo/
-        CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: preferred_username
-        CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: name
-        CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: email
-        CMD_OAUTH2_TOKEN_URL: https://authentik.example.com/application/o/token/
-        CMD_OAUTH2_AUTHORIZATION_URL: https://authentik.example.com/application/o/authorize/
-        CMD_OAUTH2_CLIENT_ID: hedgedoc
-        CMD_OAUTH2_PROVIDERNAME: Authentik
-    uncomment: 
-        - compose.oauth.yml
-        - SECRET_OAUTH_KEY_VERSION
-    shared_secrets:
-        hedgedoc_secret: oauth_key
--- a/compose.postgresql.yml
+++ b/compose.postgresql.yml
@ -1,55 +0,0 @@
-version: "3.8"
-services:
-  app:
-    environment:
-      - CMD_DB_TYPE=postgres
-      - CMD_DB_NAME=codimd
-      - CMD_DB_USER=codimd
-      - CMD_DB_HOST=db
-      - CMD_DB_PASSWORD_FILE=/run/secrets/db_password
-    depends_on:
-      - db
-    networks:
-      - internal
-    secrets:
-      - db_password
-  db:
-    image: pgautoupgrade/pgautoupgrade:16-alpine
-    environment:
-      - POSTGRES_USER=codimd
-      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
-      - POSTGRES_DB=codimd
-    volumes:
-      - "postgres:/var/lib/postgresql/data"
-    secrets:
-      - db_password
-    networks:
-      - internal
-    deploy:
-      labels:
-        backupbot.backup: "${ENABLE_BACKUPS:-true}"
-        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-        backupbot.backup.volumes.postgres.path: "backup.sql"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
-    healthcheck:
-      test: "pg_isready"
-      interval: 30s
-      timeout: 10s
-      retries: 5
-      start_period: 1m
-    configs:
-        - source: pg_backup
-          target: /pg_backup.sh
-          mode: 0555
-volumes:
-  postgres:
-secrets:
-  db_password:
-    external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-networks:
-  internal:
-configs:
-  pg_backup:
-    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
-    file: pg_backup.sh
--- a/compose.yml
+++ b/compose.yml
@ -1,19 +1,21 @@
 version: "3.8"
 services:
  app:
-    image: quay.io/hedgedoc/hedgedoc:1.10.3
+    image: quay.io/hedgedoc/hedgedoc:1.9.9
    environment:
      - CMD_USECDN=false
      - CMD_URL_ADDPORT=false
      - CMD_DOMAIN=$DOMAIN
      - CMD_PROTOCOL_USESSL=true
      - CMD_HSTS_ENABLE=false
-      - CMD_DB_URL=sqlite:/database/db.sqlite3
+      - CMD_DB_NAME=codimd
+      - CMD_DB_USER=codimd
+      - CMD_DB_HOST=db
+      - CMD_DB_PASSWORD_FILE=/run/secrets/db_password
      - CMD_ALLOW_ANONYMOUS
      - CMD_ALLOW_ANONYMOUS_EDITS
      - CMD_ALLOW_EMAIL_REGISTER
      - CMD_ALLOW_FREEURL
-      - CMD_REQUIRE_FREEURL_AUTHENTICATION
      - CMD_ALLOW_GRAVATAR
      - CMD_ALLOW_ORIGIN
      - CMD_COOKIE_POLICY
@ -24,15 +26,16 @@ services:
      - CMD_DEFAULT_PERMISSION
      - CMD_EMAIL
      - CMD_SESSION_LIFE
-      - CMD_SESSION_SECRET_FILE=/run/secrets/session_secret
      - DOCUMENT_MAX_LENGTH
+    depends_on:
+      - db
    networks:
      - proxy
+      - internal
    volumes:
-      - codimd_uploads:/hedgedoc/public/uploads
-      - codimd_database:/database
+      - codimd_uploads:/home/hackmd/app/public/uploads
    secrets:
-      - session_secret
+      - db_password
    entrypoint: /docker-entrypoint.sh
    configs:
      - source: entrypoint_conf
@ -40,6 +43,7 @@ services:
        mode: 0555
      - source: config_json
        target: /files/config.json
+        mode: 0555
    deploy:
      restart_policy:
        condition: on-failure
@ -54,24 +58,44 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=3.0.2+1.10.3"
-        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
+        - "coop-cloud.${STACK_NAME}.version=1.0.1+1.9.9"
    healthcheck:
      test: "nodejs -e \"http.get('http://localhost:3000', (res) => { console.log('status: ', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });\""
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
+  db:
+    image: postgres:16.1-alpine
+    environment:
+      - POSTGRES_USER=codimd
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_DB=codimd
+    volumes:
+      - "postgres:/var/lib/postgresql/data"
+    secrets:
+      - db_password
+    networks:
+      - internal
+    deploy:
+      labels:
+          backupbot.backup: "true"
+          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.post-hook: "rm -f /var/lib/postgresql/data/backup.sql"
+          backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
+          backupbot.restore: "true"
+          backupbot.restore.post-hook: "sh -c 'psql -U $${POSTGRES_USER} -d $${POSTGRES_DB} < /var/lib/postgresql/data/backup.sql && rm -f /var/lib/postgresql/data/backup.sql'"
 volumes:
+  postgres:
  codimd_uploads:
-  codimd_database:
 secrets:
-  session_secret:
+  db_password:
    external: true
-    name: ${STACK_NAME}_session_secret_${SECRET_SESSION_SECRET_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
 networks:
  proxy:
    external: true
+  internal:
 configs:
  config_json:
    name: ${STACK_NAME}_config_${ENTRYPOINT_CONF_VERSION}
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -22,11 +22,8 @@ file_env() {
 }

 load_vars() {
-  if [ -n "${CMD_DB_PASSWORD_FILE:-""}" ] ; then
-    file_env "CMD_DB_PASSWORD"
-  fi
+  file_env "CMD_DB_PASSWORD"
  file_env "CMD_OAUTH2_CLIENT_SECRET"
-  file_env "CMD_SESSION_SECRET"
 }

 main() {
@ -36,17 +33,13 @@ main() {
  mkdir -p "/hedgedoc/.npm" && \
    chown -R 10000:65534 "/hedgedoc/.npm" && \
    chmod "u+rwx" "/hedgedoc/.npm"
-
-  chown -R 10000:65534 /database
 }

 main

-if [ -n "${CMD_DB_PASSWORD:-""}" ] ; then
-  export CMD_DB_URL="${CMD_DB_TYPE}://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME"
-fi
+export CMD_DB_URL=postgres://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME

-# 3wc: `source /docker-entrypoint.sh -e` to load CMD_DB_URL for CLI scripts
+# 3wc: `source /docker-entrypoint2.sh -e` to load CMD_DB_URL for CLI scripts
 if [ ! "${1-}" == "-e" ]; then
  # 3wc: upstream ENTRYPOINT
  # https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile
--- a/pg_backup.sh
+++ b/pg_backup.sh
@ -1,34 +0,0 @@
-#!/bin/bash
-
-set -e
-
-BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
-
-function backup {
-  export PGPASSWORD=$(cat /run/secrets/db_password)
-  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
-}
-
-function restore {
-    cd /var/lib/postgresql/data/
-    restore_config(){
-        # Restore allowed connections
-        cat pg_hba.conf.bak > pg_hba.conf
-        su postgres -c 'pg_ctl reload'
-    }
-    # Don't allow any other connections than local
-    cp pg_hba.conf pg_hba.conf.bak
-    echo "local all all trust" > pg_hba.conf
-    su postgres -c 'pg_ctl reload'
-    trap restore_config EXIT INT TERM
-
-    # Recreate Database
-    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
-    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
-    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
-
-    trap - EXIT INT TERM
-    restore_config
-}
-
-$@
--- a/release/1.2.0+1.10.0
+++ b/release/1.2.0+1.10.0
@ -1 +0,0 @@
-Fixes security issue: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p
--- a/release/1.2.2+1.10.1
+++ b/release/1.2.2+1.10.1
@ -1,5 +0,0 @@
-Upgrade to fix GHSA-6w39-x2c6-6mpf
-
-BREAKING CHANGE!! new secret "session_secret" added, run:
-
-abra app secret generate <app_domain> session_secret v1
--- a/release/1.3.0+1.10.1
+++ b/release/1.3.0+1.10.1
@ -1 +0,0 @@
-This release adds SQLite support by default, if you were using PostgreSQL make sure to update the env file!
--- a/release/3.0.0+1.10.1
+++ b/release/3.0.0+1.10.1
@ -1 +0,0 @@
-This release switches to `pgaautoupgrade` for easier Postgresql upgrades. If you are using Postgres, please take extra care to take a backup before upgrading.
--- a/release/3.0.1+1.10.3
+++ b/release/3.0.1+1.10.3
@ -1 +0,0 @@
-Security upgrade for GHSA-3983-rrqh-mvx5
--- a/release/3.0.2+1.10.3
+++ b/release/3.0.2+1.10.3
@ -1 +0,0 @@
-CRITICAL FIX: since version 3 this recipe uses always sqlite as database. This patch fixes instances running postgres
				`@ -1 +0,0 @@`
				`Fixes security issue: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p`
				`@ -1 +0,0 @@`
				`This release adds SQLite support by default, if you were using PostgreSQL make sure to update the env file!`
				`@ -1 +0,0 @@`
				This release switches to `pgaautoupgrade` for easier Postgresql upgrades. If you are using Postgres, please take extra care to take a backup before upgrading.
				`@ -1 +0,0 @@`
				`CRITICAL FIX: since version 3 this recipe uses always sqlite as database. This patch fixes instances running postgres`