From bde6eb4f1aaf41402cb2aba2616710aec4dbd2a1 Mon Sep 17 00:00:00 2001
From: 3wc <3wc.coopcloud@doesthisthing.work>
Date: Mon, 9 Mar 2026 11:24:06 -0400
Subject: [PATCH] =?UTF-8?q?Working=20=F0=9F=8E=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .env.sample               |  22 ++++++++
 abra-entrypoint.sh.tmpl   |  19 +++++++
 abra.sh                   |   2 +
 compose.smtp-password.yml |  12 +++++
 compose.yml               | 106 +++++++++++++++++++++++++++++++-------
 5 files changed, 142 insertions(+), 19 deletions(-)
 create mode 100644 abra-entrypoint.sh.tmpl
 create mode 100644 compose.smtp-password.yml

diff --git a/.env.sample b/.env.sample
index 1b53f2e..6155e12 100644
--- a/.env.sample
+++ b/.env.sample
@@ -6,3 +6,25 @@ DOMAIN=heyform.example.com
 #EXTRA_DOMAINS=', `www.heyform.example.com`'
 
 LETS_ENCRYPT_ENV=production
+
+COMPOSE_FILE=compose.yml
+
+SECRET_SESSION_KEY_VERSION=v1
+SECRET_FORM_ENC_KEY_VERSION=v1
+
+# APP_DISABLE_REGISTRATION=true
+
+# Email
+#SMTP_FROM
+#SMTP_HOST
+#SMTP_PORT
+#SMTP_USER
+#SMTP_SECURE
+#SMTP_IGNORE_CERT
+
+# NOTE: If your SMTP server requires a password (most do), uncommment both the
+# following lines, and add the password to the server with:
+#  abra app secret insert heyform.example.com smtp_password v1 "YOUR-SECURE-EMAIL-PASSWORD"
+
+#COMPOSE_FILE=$COMPOSE_FILE:compose.smtp-password.yml
+#SECRET_SMTP_PASSWORD_VERSION=v1
diff --git a/abra-entrypoint.sh.tmpl b/abra-entrypoint.sh.tmpl
new file mode 100644
index 0000000..9374d23
--- /dev/null
+++ b/abra-entrypoint.sh.tmpl
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+[ -f "$SESSION_KEY_FILE" ] && export SESSION_KEY="$(cat "${SESSION_KEY_FILE}")"
+[ -f "$FORM_ENCRYPTION_KEY_FILE" ] && export FORM_ENCRYPTION_KEY="$(cat "${FORM_ENCRYPTION_KEY_FILE}")"
+[ -f "$SMTP_PASSWORD_FILE" ] && export SMTP_PASSWORD="$(cat "${SMTP_PASSWORD_FILE}")"
+
+# if not in "env" mode, then execute the original entrypoint and command
+if [ ! "$1" = "-e" ]; then
+  if [ -z "$*" ]; then
+    if [ -f ./dist/main.js ]; then 
+      node --enable-source-maps ./dist/main.js; 
+    elif [ -f ./dist/src/main.js ]; then 
+      node --enable-source-maps ./dist/src/main.js; 
+    else node --enable-source-maps ./dist/packages/server/main.js; 
+    fi
+  else
+    exec "$@"
+  fi
+fi
diff --git a/abra.sh b/abra.sh
index 13b5452..fee9e23 100755
--- a/abra.sh
+++ b/abra.sh
@@ -1,2 +1,4 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
+
+export ABRA_ENTRYPOINT_CONF_VERSION=v1
diff --git a/compose.smtp-password.yml b/compose.smtp-password.yml
new file mode 100644
index 0000000..a42a4ae
--- /dev/null
+++ b/compose.smtp-password.yml
@@ -0,0 +1,12 @@
+--- 
+services:
+  app:
+    environment:
+      SMTP_PASSWORD_FILE: /run/secrets/smtp_password
+    secrets:
+      - smtp_password
+
+secrets:
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
diff --git a/compose.yml b/compose.yml
index 5e77224..eb05c89 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,39 +1,107 @@
 ---
 services:
   app:
-    image: nginx:1.27.5
+    image: heyform/community-edition:v3.0.0-rc.5
+    volumes:
+      - assets:/app/static/upload
+    environment:
+      APP_HOMEPAGE_URL: https://${DOMAIN}
+      SESSION_KEY_FILE: /run/secrets/session_key
+      # NOTE: Beware misaligned names here (to avoid long docker secret name)
+      FORM_ENCRYPTION_KEY_FILE: /run/secrets/form_enc_key
+      MONGO_URI: 'mongodb://mongo:27017/heyform'
+      REDIS_HOST: keydb
+      REDIS_PORT: 6379
+      SMTP_FROM:
+      SMTP_HOST:
+      SMTP_PORT:
+      SMTP_USER:
+      SMTP_SECURE:
+      SMTP_IGNORE_CERT:
+      APP_DISABLE_REGISTRATION:
+      APP_LISTEN_PORT: 9157
+    configs:
+      - source: abra_entrypoint_conf
+        target: /abra-entrypoint.sh
+        mode: 0555
+    secrets:
+      - session_key
+      - form_enc_key
+    entrypoint: [ "/abra-entrypoint.sh" ]
     networks:
       - proxy
+      - internal
     deploy:
       restart_policy:
         condition: on-failure
       labels:
         - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9157"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        ## Edit the following line if you are using one, but not both, "Redirect" sections below
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirectscheme,${STACK_NAME}-redirecthostname"
-        ## Redirect from EXTRA_DOMAINS to DOMAIN
-        # - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.regex=^http[s]?://([^/]*)/(.*)"
-        # - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.replacement=https://${DOMAIN}/$${2}"
-        # - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.permanent=true"
-        ## Redirect HTTP to HTTPS
-        # - "traefik.http.middlewares.${STACK_NAME}-redirectscheme.redirectscheme.scheme=https"
-        # - "traefik.http.middlewares.${STACK_NAME}-redirectscheme.redirectscheme.permanent=true"
+        # Edit the following line if you are using one, but not both, "Redirect" sections below
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirectscheme,${STACK_NAME}-redirecthostname"
+        # Redirect from EXTRA_DOMAINS to DOMAIN
+        - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.regex=^http[s]?://([^/]*)/(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.replacement=https://${DOMAIN}/$${2}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.permanent=true"
+        # Redirect HTTP to HTTPS
+        - "traefik.http.middlewares.${STACK_NAME}-redirectscheme.redirectscheme.scheme=https"
+        - "traefik.http.middlewares.${STACK_NAME}-redirectscheme.redirectscheme.permanent=true"
         ## When you're ready for release, run "abra recipe sync <name>" to set this
         - "coop-cloud.${STACK_NAME}.version="
         ## Enable backups: https://docs.coopcloud.tech/maintainers/handbook/#how-do-i-configure-backuprestore
-        # - "backupbot.backup=true"
-        # - "backupbot.backup.path=/some/path"
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost"]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
+        - "backupbot.backup=true"
+    # healthcheck:
+    #   test: ["CMD", "curl", "-f", "http://localhost"]
+    #   interval: 30s
+    #   timeout: 10s
+    #   retries: 10
+    #   start_period: 1m
+
+  mongo:
+    image: percona/percona-server-mongodb:4.4
+    volumes:
+      - mongodb:/data/db
+    networks:
+      - internal
+    deploy:
+      labels:
+        - "backupbot.backup=true"
+
+  keydb:
+    image: eqalpha/keydb:x86_64_v6.3.3
+    command: keydb-server --appendonly yes --protected-mode no
+    volumes:
+      - keydb:/data
+    networks:
+      - internal
+    deploy:
+      labels:
+        - "backupbot.backup=true"
 
 networks:
   proxy:
     external: true
+  internal:
+
+volumes:
+  assets:
+  mongodb:
+  keydb:
+
+secrets:
+  session_key:
+    external: true
+    name: ${STACK_NAME}_session_key_${SECRET_SESSION_KEY_VERSION}
+
+  form_enc_key:
+    external: true
+    name: ${STACK_NAME}_form_enc_key_${SECRET_FORM_ENC_KEY_VERSION}
+
+configs:
+  abra_entrypoint_conf:
+    name: ${STACK_NAME}_abra_entrypoint_conf_${ABRA_ENTRYPOINT_CONF_VERSION}
+    file: abra-entrypoint.sh.tmpl
+    template_driver: golang