coop-cloud/hedgedoc
coop-cloud/hedgedoc
1
1
Fork 3
Code Issues 1 Pull Requests 1 Releases Wiki Activity

Compare commits

base: coop-cloud:main
Branches Tags
coop-cloud:main
coop-cloud:fauno-sqlite
coop-cloud:entrypoint-fix
coop-cloud:fix-uploads-volume
coop-cloud:mayel-patch-1
coop-cloud:3.0.2+1.10.3
coop-cloud:3.0.1+1.10.3
coop-cloud:3.0.0+1.10.1
coop-cloud:2.0.0+1.10.1
coop-cloud:1.2.2+1.10.1
coop-cloud:1.2.1+1.10.0
coop-cloud:1.2.0+1.10.0
coop-cloud:1.1.0+1.9.9
coop-cloud:1.0.1+1.9.9
coop-cloud:1.0.0+1.9.9
coop-cloud:0.6.0+1.9.9
coop-cloud:0.5.1+1.9.8
coop-cloud:0.5.0+1.9.6
coop-cloud:0.4.0+1.9.3
coop-cloud:0.3.0+1.9.3
coop-cloud:0.2.0+1.9.3
coop-cloud:0.1.0+1.8.2
..
compare: coop-cloud:entrypoint-fix
Branches Tags
coop-cloud:main
coop-cloud:fauno-sqlite
coop-cloud:entrypoint-fix
coop-cloud:fix-uploads-volume
coop-cloud:mayel-patch-1
coop-cloud:3.0.2+1.10.3
coop-cloud:3.0.1+1.10.3
coop-cloud:3.0.0+1.10.1
coop-cloud:2.0.0+1.10.1
coop-cloud:1.2.2+1.10.1
coop-cloud:1.2.1+1.10.0
coop-cloud:1.2.0+1.10.0
coop-cloud:1.1.0+1.9.9
coop-cloud:1.0.1+1.9.9
coop-cloud:1.0.0+1.9.9
coop-cloud:0.6.0+1.9.9
coop-cloud:0.5.1+1.9.8
coop-cloud:0.5.0+1.9.6
coop-cloud:0.4.0+1.9.3
coop-cloud:0.3.0+1.9.3
coop-cloud:0.2.0+1.9.3
coop-cloud:0.1.0+1.8.2

No commits in common. "main" and "entrypoint-fix" have entirely different histories.
main ... entrypoint

15 changed files with 57 additions and 152 deletions
Show Stats Expand all files Collapse all files

4
.drone.yml
View File

@ -18,9 +18,7 @@ steps:
STACK_NAME: hedgedoc STACK_NAME: hedgedoc
LETS_ENCRYPT_ENV: production LETS_ENCRYPT_ENV: production
SECRET_DB_PASSWORD_VERSION: v1 SECRET_DB_PASSWORD_VERSION: v1
SECRET_SESSION_SECRET_VERSION: v1
ENTRYPOINT_CONF_VERSION: v1 ENTRYPOINT_CONF_VERSION: v1
PG_BACKUP_VERSION: v1
trigger: trigger:
branch: branch:
- main - main
@ -36,7 +34,7 @@ steps:
from_secret: drone_abra-bot_token from_secret: drone_abra-bot_token
fork: true fork: true
repositories: repositories:
- toolshed/auto-recipes-catalogue-json - coop-cloud/auto-recipes-catalogue-json
trigger: trigger:
event: tag event: tag

9
.env.sample
View File

@ -1,22 +1,16 @@
TYPE=hedgedoc TYPE=hedgedoc
TIMEOUT=300 TIMEOUT=300
ENABLE_AUTO_UPDATE=true ENABLE_AUTO_UPDATE=true
ENABLE_BACKUPS=true
DOMAIN=hedgedoc.example.com DOMAIN=hedgedoc.example.com
## Domain aliases ## Domain aliases
#EXTRA_DOMAINS=', `www.hedgedoc.example.com`' #EXTRA_DOMAINS=', `www.hedgedoc.example.com`'
LETS_ENCRYPT_ENV=production LETS_ENCRYPT_ENV=production
SECRET_SESSION_SECRET_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1
COMPOSE_FILE="compose.yml" COMPOSE_FILE="compose.yml"
# PostgreSQL
#COMPOSE_FILE="$COMPOSE_FILE:compose.postgresql.yml"
#SECRET_DB_PASSWORD_VERSION=v1
# OAuth, see https://docs.hedgedoc.org/guides/auth/keycloak/ # OAuth, see https://docs.hedgedoc.org/guides/auth/keycloak/
#COMPOSE_FILE="$COMPOSE_FILE:compose.oauth.yml" #COMPOSE_FILE="$COMPOSE_FILE:compose.oauth.yml"
@ -39,7 +33,6 @@ COMPOSE_FILE="compose.yml"
# CMD_ALLOW_ANONYMOUS_EDITS=false # CMD_ALLOW_ANONYMOUS_EDITS=false
# CMD_ALLOW_EMAIL_REGISTER=true # CMD_ALLOW_EMAIL_REGISTER=true
# CMD_ALLOW_FREEURL=false # CMD_ALLOW_FREEURL=false
# CMD_REQUIRE_FREEURL_AUTHENTICATION=true
# CMD_ALLOW_GRAVATAR=true # CMD_ALLOW_GRAVATAR=true
# CMD_ALLOW_ORIGIN=localhost # CMD_ALLOW_ORIGIN=localhost
# CMD_COOKIE_POLICY=lax # CMD_COOKIE_POLICY=lax

4
README.md
View File

@ -25,8 +25,8 @@
5. `abra app deploy YOURAPPDOMAIN` 5. `abra app deploy YOURAPPDOMAIN`
6. Create initial user: 6. Create initial user:
``` ```
abra app run YOURAPPDOMAIN app bash abra app YOURAPPDOMAIN run app bash
. /docker-entrypoint.sh -e . /docker-entrypoint2.sh -e
bin/manage_users bin/manage_users
[hedegedoc]: https://github.com/hedgedoc/hedgedoc [hedegedoc]: https://github.com/hedgedoc/hedgedoc

15
abra.sh
View File

@ -1,2 +1,13 @@
export ENTRYPOINT_CONF_VERSION=v13 export ENTRYPOINT_CONF_VERSION=v9
export PG_BACKUP_VERSION=v1
abra_backup_app() {
_abra_backup_dir "app:/home/hackmd/app/public/uploads/"
}
abra_backup_db() {
_abra_backup_postgres "db" "codimd" "codimd" "db_password"
}
abra_backup() {
abra_backup_app && abra_backup_db
}

15
alaconnect.yml
View File

@ -1,15 +0,0 @@
authentik:
env:
CMD_OAUTH2_USER_PROFILE_URL: https://authentik.example.com/application/o/userinfo/
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: name
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: email
CMD_OAUTH2_TOKEN_URL: https://authentik.example.com/application/o/token/
CMD_OAUTH2_AUTHORIZATION_URL: https://authentik.example.com/application/o/authorize/
CMD_OAUTH2_CLIENT_ID: hedgedoc
CMD_OAUTH2_PROVIDERNAME: Authentik
uncomment:
- compose.oauth.yml
- SECRET_OAUTH_KEY_VERSION
shared_secrets:
hedgedoc_secret: oauth_key

55
compose.postgresql.yml
View File

@ -1,55 +0,0 @@
version: "3.8"
services:
app:
environment:
- CMD_DB_TYPE=postgres
- CMD_DB_NAME=codimd
- CMD_DB_USER=codimd
- CMD_DB_HOST=db
- CMD_DB_PASSWORD_FILE=/run/secrets/db_password
depends_on:
- db
networks:
- internal
secrets:
- db_password
db:
image: pgautoupgrade/pgautoupgrade:16-alpine
environment:
- POSTGRES_USER=codimd
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- POSTGRES_DB=codimd
volumes:
- "postgres:/var/lib/postgresql/data"
secrets:
- db_password
networks:
- internal
deploy:
labels:
backupbot.backup: "${ENABLE_BACKUPS:-true}"
backupbot.backup.pre-hook: "/pg_backup.sh backup"
backupbot.backup.volumes.postgres.path: "backup.sql"
backupbot.restore.post-hook: '/pg_backup.sh restore'
healthcheck:
test: "pg_isready"
interval: 30s
timeout: 10s
retries: 5
start_period: 1m
configs:
- source: pg_backup
target: /pg_backup.sh
mode: 0555
volumes:
postgres:
secrets:
db_password:
external: true
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
networks:
internal:
configs:
pg_backup:
name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
file: pg_backup.sh

50
compose.yml
View File

@ -1,19 +1,21 @@
version: "3.8" version: "3.8"
services: services:
app: app:
image: quay.io/hedgedoc/hedgedoc:1.10.3 image: quay.io/hedgedoc/hedgedoc:1.9.9
environment: environment:
- CMD_USECDN=false - CMD_USECDN=false
- CMD_URL_ADDPORT=false - CMD_URL_ADDPORT=false
- CMD_DOMAIN=$DOMAIN - CMD_DOMAIN=$DOMAIN
- CMD_PROTOCOL_USESSL=true - CMD_PROTOCOL_USESSL=true
- CMD_HSTS_ENABLE=false - CMD_HSTS_ENABLE=false
- CMD_DB_URL=sqlite:/database/db.sqlite3 - CMD_DB_NAME=codimd
- CMD_DB_USER=codimd
- CMD_DB_HOST=db
- CMD_DB_PASSWORD_FILE=/run/secrets/db_password
- CMD_ALLOW_ANONYMOUS - CMD_ALLOW_ANONYMOUS
- CMD_ALLOW_ANONYMOUS_EDITS - CMD_ALLOW_ANONYMOUS_EDITS
- CMD_ALLOW_EMAIL_REGISTER - CMD_ALLOW_EMAIL_REGISTER
- CMD_ALLOW_FREEURL - CMD_ALLOW_FREEURL
- CMD_REQUIRE_FREEURL_AUTHENTICATION
- CMD_ALLOW_GRAVATAR - CMD_ALLOW_GRAVATAR
- CMD_ALLOW_ORIGIN - CMD_ALLOW_ORIGIN
- CMD_COOKIE_POLICY - CMD_COOKIE_POLICY
@ -24,15 +26,16 @@ services:
- CMD_DEFAULT_PERMISSION - CMD_DEFAULT_PERMISSION
- CMD_EMAIL - CMD_EMAIL
- CMD_SESSION_LIFE - CMD_SESSION_LIFE
- CMD_SESSION_SECRET_FILE=/run/secrets/session_secret
- DOCUMENT_MAX_LENGTH - DOCUMENT_MAX_LENGTH
depends_on:
- db
networks: networks:
- proxy - proxy
- internal
volumes: volumes:
- codimd_uploads:/hedgedoc/public/uploads - codimd_uploads:/home/hackmd/app/public/uploads
- codimd_database:/database
secrets: secrets:
- session_secret - db_password
entrypoint: /docker-entrypoint.sh entrypoint: /docker-entrypoint.sh
configs: configs:
- source: entrypoint_conf - source: entrypoint_conf
@ -40,6 +43,7 @@ services:
mode: 0555 mode: 0555
- source: config_json - source: config_json
target: /files/config.json target: /files/config.json
mode: 0555
deploy: deploy:
restart_policy: restart_policy:
condition: on-failure condition: on-failure
@ -54,24 +58,44 @@ services:
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
- "coop-cloud.${STACK_NAME}.version=3.0.2+1.10.3" - "coop-cloud.${STACK_NAME}.version=1.0.1+1.9.9"
- "backupbot.backup=${ENABLE_BACKUPS:-true}"
healthcheck: healthcheck:
test: "nodejs -e \"http.get('http://localhost:3000', (res) => { console.log('status: ', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });\"" test: "nodejs -e \"http.get('http://localhost:3000', (res) => { console.log('status: ', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });\""
interval: 30s interval: 30s
timeout: 10s timeout: 10s
retries: 10 retries: 10
start_period: 1m start_period: 1m
db:
image: postgres:16.1-alpine
environment:
- POSTGRES_USER=codimd
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- POSTGRES_DB=codimd
volumes: volumes:
codimd_uploads: - "postgres:/var/lib/postgresql/data"
codimd_database:
secrets: secrets:
session_secret: - db_password
networks:
- internal
deploy:
labels:
backupbot.backup: "true"
backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
backupbot.backup.post-hook: "rm -f /var/lib/postgresql/data/backup.sql"
backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
backupbot.restore: "true"
backupbot.restore.post-hook: "sh -c 'psql -U $${POSTGRES_USER} -d $${POSTGRES_DB} < /var/lib/postgresql/data/backup.sql && rm -f /var/lib/postgresql/data/backup.sql'"
volumes:
postgres:
codimd_uploads:
secrets:
db_password:
external: true external: true
name: ${STACK_NAME}_session_secret_${SECRET_SESSION_SECRET_VERSION} name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
networks: networks:
proxy: proxy:
external: true external: true
internal:
configs: configs:
config_json: config_json:
name: ${STACK_NAME}_config_${ENTRYPOINT_CONF_VERSION} name: ${STACK_NAME}_config_${ENTRYPOINT_CONF_VERSION}

11
entrypoint.sh.tmpl
View File

@ -22,11 +22,8 @@ file_env() {
} }
load_vars() { load_vars() {
if [ -n "${CMD_DB_PASSWORD_FILE:-""}" ] ; then
file_env "CMD_DB_PASSWORD" file_env "CMD_DB_PASSWORD"
fi
file_env "CMD_OAUTH2_CLIENT_SECRET" file_env "CMD_OAUTH2_CLIENT_SECRET"
file_env "CMD_SESSION_SECRET"
} }
main() { main() {
@ -36,17 +33,13 @@ main() {
mkdir -p "/hedgedoc/.npm" && \ mkdir -p "/hedgedoc/.npm" && \
chown -R 10000:65534 "/hedgedoc/.npm" && \ chown -R 10000:65534 "/hedgedoc/.npm" && \
chmod "u+rwx" "/hedgedoc/.npm" chmod "u+rwx" "/hedgedoc/.npm"
chown -R 10000:65534 /database
} }
main main
if [ -n "${CMD_DB_PASSWORD:-""}" ] ; then export CMD_DB_URL=postgres://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME
export CMD_DB_URL="${CMD_DB_TYPE}://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME"
fi
# 3wc: `source /docker-entrypoint.sh -e` to load CMD_DB_URL for CLI scripts # 3wc: `source /docker-entrypoint2.sh -e` to load CMD_DB_URL for CLI scripts
if [ ! "${1-}" == "-e" ]; then if [ ! "${1-}" == "-e" ]; then
# 3wc: upstream ENTRYPOINT # 3wc: upstream ENTRYPOINT
# https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile # https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile

34
pg_backup.sh
View File

@ -1,34 +0,0 @@
#!/bin/bash
set -e
BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
function backup {
export PGPASSWORD=$(cat /run/secrets/db_password)
pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
}
function restore {
cd /var/lib/postgresql/data/
restore_config(){
# Restore allowed connections
cat pg_hba.conf.bak > pg_hba.conf
su postgres -c 'pg_ctl reload'
}
# Don't allow any other connections than local
cp pg_hba.conf pg_hba.conf.bak
echo "local all all trust" > pg_hba.conf
su postgres -c 'pg_ctl reload'
trap restore_config EXIT INT TERM
# Recreate Database
psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);"
createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
trap - EXIT INT TERM
restore_config
}
$@

1
release/1.2.0+1.10.0
View File

@ -1 +0,0 @@
Fixes security issue: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p

5
release/1.2.2+1.10.1
View File

@ -1,5 +0,0 @@
Upgrade to fix GHSA-6w39-x2c6-6mpf
BREAKING CHANGE!! new secret "session_secret" added, run:
abra app secret generate <app_domain> session_secret v1

1
release/1.3.0+1.10.1
View File

@ -1 +0,0 @@
This release adds SQLite support by default, if you were using PostgreSQL make sure to update the env file!

1
release/3.0.0+1.10.1
View File

@ -1 +0,0 @@
This release switches to `pgaautoupgrade` for easier Postgresql upgrades. If you are using Postgres, please take extra care to take a backup before upgrading.

1
release/3.0.1+1.10.3
View File

@ -1 +0,0 @@
Security upgrade for GHSA-3983-rrqh-mvx5

1
release/3.0.2+1.10.3
View File

@ -1 +0,0 @@
CRITICAL FIX: since version 3 this recipe uses always sqlite as database. This patch fixes instances running postgres