31 Commits

Author SHA1 Message Date
f
3efbfec419 chore: publish 1.2.2+1.10.1 release
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/tag Build is passing
2025-02-03 09:42:30 -03:00
f
93e5604fcb fix: GHSA-6w39-x2c6-6mpf
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-6w39-x2c6-6mpf
2025-02-03 09:34:32 -03:00
917766023b Update .drone.yml
Some checks failed
continuous-integration/drone/push Build is failing
2025-01-08 10:09:12 -08:00
6feab6a99e Merge pull request 'envvars' (#16) from fauno/hedgedoc:envvars into main
Some checks failed
continuous-integration/drone/push Build is failing
Reviewed-on: #16
2024-10-27 06:22:01 +00:00
f
ca5a95bea6 fix: load secret from file into env var
Some checks failed
continuous-integration/drone/pr Build is failing
2024-10-26 11:01:18 -03:00
f
6a036c4c82 fix: set session secret
Some checks failed
continuous-integration/drone/pr Build is failing
2024-10-25 17:47:27 -03:00
f
d19f286c11 fix: require authentication for free urls 2024-10-25 17:46:47 -03:00
635eee710b chore: publish 1.2.1+1.10.0 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2024-10-25 21:04:02 +02:00
49f06173e9 fix drone runner
All checks were successful
continuous-integration/drone/push Build is passing
2024-10-24 13:31:31 +02:00
9194256835 update backupbot label
Some checks failed
continuous-integration/drone/push Build is failing
2024-10-24 13:22:27 +02:00
081f2139fa chore: publish 1.2.0+1.10.0 release
All checks were successful
continuous-integration/drone/push Build is passing
2024-10-01 13:12:13 +02:00
6f15d5f2c7 chore: publish 1.1.0+1.9.9 release
All checks were successful
continuous-integration/drone/push Build is passing
2024-07-16 17:32:26 +02:00
8bc03406a1 Remove legacy backup configuration
by @wolcen
2024-07-16 17:31:57 +02:00
bc8996f558 Correct README re: configuring users
by @wolcen
2024-07-16 17:31:20 +02:00
fcf5bade21 Add basic health check for db container
by @wolcen
2024-07-16 17:29:45 +02:00
3fc480b82b Remove unnecessary mode assignment for config.json @wolcen 2024-07-16 17:29:45 +02:00
f71534e396 fix indentation for backupbot labels 2024-07-16 17:29:45 +02:00
5e815e63a5 Merge pull request 'fix: use new uploads path' (#12) from fix-uploads-volume into main
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #12
2024-07-16 14:52:03 +00:00
ec98bab9d5 Merge pull request 'Pass -p also in entrypoint' (#14) from entrypoint-fix into main
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #14
2024-07-16 14:49:28 +00:00
65ec56ac08 add alakazam integration file alaconnect.yml
All checks were successful
continuous-integration/drone/push Build is passing
2024-05-13 17:41:59 +02:00
1ed15423c3 fix: pass "-p" and use new lines
Some checks failed
continuous-integration/drone/pr Build is failing
Closes #13
2024-04-28 17:57:38 +02:00
0443ffc984 chore: remove tabs 2024-04-28 17:55:55 +02:00
c727320a31 fix: use new uploads path
Some checks failed
continuous-integration/drone/pr Build is failing
2024-04-23 09:21:38 +02:00
e8f1186965 chore: publish 1.0.1+1.9.9 release
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing
2024-04-17 17:14:23 +02:00
66c5160812 fix backupbot label 2024-04-17 17:07:53 +02:00
c656afb176 chore: publish 1.0.0+1.9.9 release
All checks were successful
continuous-integration/drone/push Build is passing
2023-12-13 07:49:46 -08:00
97f2d94079 chore: publish 0.6.0+1.9.9 release
All checks were successful
continuous-integration/drone/push Build is passing
2023-10-26 11:14:40 -07:00
4846a09169 add timeout label
All checks were successful
continuous-integration/drone/push Build is passing
2023-10-19 22:50:23 +02:00
210a37cd0c fix permissions for real
All checks were successful
continuous-integration/drone/push Build is passing
2023-10-13 17:10:41 +02:00
3wc
914ef6b026 Spooky permissions fix?
All checks were successful
continuous-integration/drone/push Build is passing
See https://github.com/hedgedoc/container/issues/463
2023-10-02 19:11:13 +01:00
5f205c149f Merge pull request 'update outdated readme + add restore hook' (#10) from mayel-patch-1 into main
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #10
2023-07-29 11:37:09 +00:00
11 changed files with 129 additions and 53 deletions

View File

@ -19,6 +19,7 @@ steps:
LETS_ENCRYPT_ENV: production
SECRET_DB_PASSWORD_VERSION: v1
ENTRYPOINT_CONF_VERSION: v1
PG_BACKUP_VERSION: v1
trigger:
branch:
- main
@ -34,7 +35,7 @@ steps:
from_secret: drone_abra-bot_token
fork: true
repositories:
- coop-cloud/auto-recipes-catalogue-json
- toolshed/auto-recipes-catalogue-json
trigger:
event: tag

View File

@ -1,4 +1,7 @@
TYPE=hedgedoc
TIMEOUT=300
ENABLE_AUTO_UPDATE=true
ENABLE_BACKUPS=true
DOMAIN=hedgedoc.example.com
## Domain aliases
@ -6,6 +9,7 @@ DOMAIN=hedgedoc.example.com
LETS_ENCRYPT_ENV=production
SECRET_DB_PASSWORD_VERSION=v1
SECRET_SESSION_SECRET_VERSION=v1
COMPOSE_FILE="compose.yml"
@ -31,6 +35,7 @@ COMPOSE_FILE="compose.yml"
# CMD_ALLOW_ANONYMOUS_EDITS=false
# CMD_ALLOW_EMAIL_REGISTER=true
# CMD_ALLOW_FREEURL=false
# CMD_REQUIRE_FREEURL_AUTHENTICATION=true
# CMD_ALLOW_GRAVATAR=true
# CMD_ALLOW_ORIGIN=localhost
# CMD_COOKIE_POLICY=lax

View File

@ -25,10 +25,10 @@
5. `abra app deploy YOURAPPDOMAIN`
6. Create initial user:
```
abra app YOURAPPDOMAIN run app bash
. /docker-entrypoint2.sh -e
abra app run YOURAPPDOMAIN app bash
. /docker-entrypoint.sh -e
bin/manage_users
[hedegedoc]: https://github.com/hedgedoc/hedgedoc
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
[compose-traefik]: https://git.autonomic.zone/coop-cloud/traefik
[compose-traefik]: https://git.autonomic.zone/coop-cloud/traefik

15
abra.sh
View File

@ -1,13 +1,2 @@
export ENTRYPOINT_CONF_VERSION=v6
abra_backup_app() {
_abra_backup_dir "app:/home/hackmd/app/public/uploads/"
}
abra_backup_db() {
_abra_backup_postgres "db" "codimd" "codimd" "db_password"
}
abra_backup() {
abra_backup_app && abra_backup_db
}
export ENTRYPOINT_CONF_VERSION=v9
export PG_BACKUP_VERSION=v1

15
alaconnect.yml Normal file
View File

@ -0,0 +1,15 @@
authentik:
env:
CMD_OAUTH2_USER_PROFILE_URL: https://authentik.example.com/application/o/userinfo/
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: name
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: email
CMD_OAUTH2_TOKEN_URL: https://authentik.example.com/application/o/token/
CMD_OAUTH2_AUTHORIZATION_URL: https://authentik.example.com/application/o/authorize/
CMD_OAUTH2_CLIENT_ID: hedgedoc
CMD_OAUTH2_PROVIDERNAME: Authentik
uncomment:
- compose.oauth.yml
- SECRET_OAUTH_KEY_VERSION
shared_secrets:
hedgedoc_secret: oauth_key

View File

@ -1,7 +1,7 @@
version: "3.8"
services:
app:
image: quay.io/hedgedoc/hedgedoc:1.9.8
image: quay.io/hedgedoc/hedgedoc:1.10.1
environment:
- CMD_USECDN=false
- CMD_URL_ADDPORT=false
@ -16,6 +16,7 @@ services:
- CMD_ALLOW_ANONYMOUS_EDITS
- CMD_ALLOW_EMAIL_REGISTER
- CMD_ALLOW_FREEURL
- CMD_REQUIRE_FREEURL_AUTHENTICATION
- CMD_ALLOW_GRAVATAR
- CMD_ALLOW_ORIGIN
- CMD_COOKIE_POLICY
@ -26,6 +27,7 @@ services:
- CMD_DEFAULT_PERMISSION
- CMD_EMAIL
- CMD_SESSION_LIFE
- CMD_SESSION_SECRET_FILE=/run/secrets/session_secret
- DOCUMENT_MAX_LENGTH
depends_on:
- db
@ -33,9 +35,10 @@ services:
- proxy
- internal
volumes:
- codimd_uploads:/home/hackmd/app/public/uploads
- codimd_uploads:/hedgedoc/public/uploads
secrets:
- db_password
- session_secret
entrypoint: /docker-entrypoint.sh
configs:
- source: entrypoint_conf
@ -43,7 +46,6 @@ services:
mode: 0555
- source: config_json
target: /files/config.json
mode: 0555
deploy:
restart_policy:
condition: on-failure
@ -57,7 +59,8 @@ services:
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
- coop-cloud.${STACK_NAME}.version=0.5.1+1.9.8
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
- "coop-cloud.${STACK_NAME}.version=1.2.2+1.10.1"
healthcheck:
test: "nodejs -e \"http.get('http://localhost:3000', (res) => { console.log('status: ', res.statusCode); if (res.statusCode == 200) { process.exit(0); } else { process.exit(1); } });\""
interval: 30s
@ -65,7 +68,7 @@ services:
retries: 10
start_period: 1m
db:
image: postgres:11.20-alpine
image: postgres:16.4-alpine
environment:
- POSTGRES_USER=codimd
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
@ -78,12 +81,21 @@ services:
- internal
deploy:
labels:
backupbot.backup: "true"
backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
backupbot.backup.post-hook: "rm -rf /tmp/backup"
backupbot.backup.path: "/tmp/backup/"
backupbot.restore: "true"
backupbot.restore.post-hook: "sh -c 'psql -U $${POSTGRES_USER} -d $${POSTGRES_DB} < ./backup.sql && rm -f ./backup.sql'"
backupbot.backup: "${ENABLE_BACKUPS:-true}"
backupbot.backup.pre-hook: "/pg_backup.sh backup"
backupbot.backup.volumes.postgres.path: "backup.sql"
backupbot.restore.post-hook: '/pg_backup.sh restore'
healthcheck:
test: "pg_isready"
interval: 30s
timeout: 10s
retries: 5
start_period: 1m
configs:
- source: pg_backup
target: /pg_backup.sh
mode: 0555
volumes:
postgres:
codimd_uploads:
@ -91,6 +103,9 @@ secrets:
db_password:
external: true
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
session_secret:
external: true
name: ${STACK_NAME}_session_secret_${SECRET_SESSION_SECRET_VERSION}
networks:
proxy:
external: true
@ -104,3 +119,6 @@ configs:
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang
pg_backup:
name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
file: pg_backup.sh

View File

@ -1,46 +1,51 @@
#!/usr/bin/env bash
file_env() {
# 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
# https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
local var="$1"
local fileVar="${var}_FILE"
local def="${2:-}"
# 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
# https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
local var="$1"
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
exit 1
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
export "$var"="$val"
unset "$fileVar"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
exit 1
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
export "$var"="$val"
unset "$fileVar"
}
load_vars() {
file_env "CMD_DB_PASSWORD"
file_env "CMD_OAUTH2_CLIENT_SECRET"
file_env "CMD_DB_PASSWORD"
file_env "CMD_OAUTH2_CLIENT_SECRET"
file_env "CMD_SESSION_SECRET"
}
main() {
set -eu
set -eu
load_vars
load_vars
mkdir -p "/hedgedoc/.npm" && \
chown -R 10000:65534 "/hedgedoc/.npm" && \
chmod "u+rwx" "/hedgedoc/.npm"
}
main
export CMD_DB_URL=postgres://$CMD_DB_USER:$CMD_DB_PASSWORD@$CMD_DB_HOST:5432/$CMD_DB_NAME
# 3wc: `source /docker-entrypoint2.sh -e` to load CMD_DB_URL for CLI scripts
# 3wc: `source /docker-entrypoint.sh -e` to load CMD_DB_URL for CLI scripts
if [ ! "${1-}" == "-e" ]; then
# 3wc: upstream ENTRYPOINT
# https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile
/usr/local/bin/docker-entrypoint.sh npm start
# 3wc: upstream ENTRYPOINT
# https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile
mkdir -p "/hedgedoc/.npm" && chown -R 10000:65534 "/hedgedoc/.npm"
/usr/local/bin/docker-entrypoint.sh npm start
fi
set +eu

34
pg_backup.sh Normal file
View File

@ -0,0 +1,34 @@
#!/bin/bash
set -e
BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
function backup {
export PGPASSWORD=$(cat /run/secrets/db_password)
pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
}
function restore {
cd /var/lib/postgresql/data/
restore_config(){
# Restore allowed connections
cat pg_hba.conf.bak > pg_hba.conf
su postgres -c 'pg_ctl reload'
}
# Don't allow any other connections than local
cp pg_hba.conf pg_hba.conf.bak
echo "local all all trust" > pg_hba.conf
su postgres -c 'pg_ctl reload'
trap restore_config EXIT INT TERM
# Recreate Database
psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);"
createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
trap - EXIT INT TERM
restore_config
}
$@

7
release/1.0.0+1.9 Normal file
View File

@ -0,0 +1,7 @@
WARNING WARNING WARNING 🚨
This release includes a major Postgres database upgrade, but does not yet include tools to automatically upgrade from older Postgres releases.
PLEASE DO NOT UPGRADE EXISTING INSTANCES TO THIS VERSION.
This should be fixed soon.

1
release/1.2.0+1.10.0 Normal file
View File

@ -0,0 +1 @@
Fixes security issue: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p

1
release/1.2.2+1.10.1 Normal file
View File

@ -0,0 +1 @@
Upgrade to fix GHSA-6w39-x2c6-6mpf