Fixup compose.postal.yml

- includes plugins

.drone.yml

@@ -10,7 +10,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,25 +1,46 @@
 TYPE=karrot
 
+# For more information about these options
+# see https://docs.karrot.world/self-host/settings
+
 DOMAIN=karrot.example.com
 
-SECRET_DB_PASSWORD_VERSION=v1
-SECRET_SECRET_KEY_VERSION=v1
-SECRET_SMTP_PASSWORD_VERSION=v1
-
-# account id for maxmind (for GeoIP)
-#MAXMIND_ACCOUNT_ID=
-SECRET_MAXMIND_LICENSE_KEY_VERSION=v1
+COMPOSE_FILE="compose.yml"
 
 SITE_NAME=karrot dev
 SITE_LOGO=https://user-images.githubusercontent.com/31616/36565633-517373a4-1821-11e8-9948-5bf6887c667e.png
 
 FILE_UPLOAD_MAX_SIZE=10m
 
-# postal,smtp,console
+# Useful to set this, it's a comma separated list of email address.
+# Anyone that registers with one of these emails addresses is considered an instance admin
+# and will have access to the instance admin UI within Karrot
+#ADMIN_EMAILS=
+
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_SECRET_KEY_VERSION=v1
+SECRET_SMTP_PASSWORD_VERSION=v1
+SECRET_MAXMIND_LICENSE_KEY_VERSION=v1
+SECRET_VAPID_PRIVATE_KEY_VERSION=v1
+SECRET_LIVEKIT_API_SECRET_VERSION=v1
+SECRET_POSTAL_API_KEY_VERSION=v1
+
+# Email
+#------------------------------------------------------
+
+# Note: you can also configure this in the admin UI
+# Can be: postal, smtp, or console
+
 EMAIL_BACKEND=console
 
-# only set these when using EMAIL_BACKEND=smtp
+# SMTP
+#-----------------------
+
+# when EMAIL_BACKEND=smtp
 # SMTP USER and EMAIL_FROM are usually the same
+# make sure to set the smtp_password secret
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 #EMAIL_FROM=
 #SMTP_USER=
 #SMTP_HOST=
@@ -27,25 +48,61 @@ EMAIL_BACKEND=console
 #SMTP_USE_TLS=true
 #SMTP_PORT=587
 
-# only set these when using EMAIL_BACKEND=postal
-#POSTAL_API_KEY=
-#POSTAL_API_URL=
-#POSTAL_WEBHOOK_KEY=
+# Postal
+#-----------------------
 
-# only if you have configured incoming emails
+# when EMAIL_BACKEND=postal
+# make sure to set the postal_api_key secret
+
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.postal.yml"
+#POSTAL_API_URL=
+
+# Postal incoming email
+#-----------------------
+
+# If you are using postal for incoming email, set these.
+# You can use smtp for outgoing and postal for incoming if you wish!
+
+#POSTAL_WEBHOOK_KEY=
 #EMAIL_REPLY_DOMAIN=
 
-# For web push set this, and the vapid private key secret
+# MaxMind GeoIP (optional)
+#------------------------------------------------------
+
+# account id for maxmind (for GeoIP)
+# uncomment if using maxmind account
+# make sure to set the maxmind_license_key secret
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.geoip.yml"
+#MAXMIND_ACCOUNT_ID=
+
+# Web Push (Vapid) (optional)
+#------------------------------------------------------
+
+# Note: you can also configure this in the instance admin UI
 # You need to generate a valid vapid keypair
+# You can generate one by running:
+# docker run --rm codeberg.org/karrot/generate-vapid-keypair
+# make sure to set the vapid_private_key secret
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.vapid.yml"
 #VAPID_PUBLIC_KEY=
 #VAPID_ADMIN_EMAIL=
-#SECRET_VAPID_PRIVATE_KEY_VERSION=v1
 
-# for video calls
+# Video calls (optional)
+#------------------------------------------------------
+
+# Note: you can also configure this in the admin UI
+# make sure to set the livekit_api_secret secret
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.livekit.yml"
 #MEET_LIVEKIT_ENDPOINT=
 #MEET_LIVEKIT_API_KEY=
-#SECRET_LIVEKIT_API_SECRET_VERSION=v1
+
+# You probably don't need to touch these
+#------------------------------------------------------
 
 SITE_URL=https://${DOMAIN}
 LETS_ENCRYPT_ENV=production
-CSRF_TRUSTED_ORIGINS=${SITE_URL}
+CSRF_TRUSTED_ORIGINS=${SITE_URL}

README.md

@@ -6,9 +6,9 @@ Karrot is a free and open-source tool for grassroots initiatives and groups of p
 
 * **Category**: Utilities
 * **Status**: 3, stable
-* **Image**: [`karrot-backend`](https://hub.docker.com/r/vlafvlaf/karrot_backend),4,upstream
+* **Image**: [`karrot-frontend`](https://codeberg.org/karrot/-/packages/container/karrot-backend)/[`karrot-frontend`](https://codeberg.org/karrot/-/packages/container/karrot-backend),4,upstream
 * **Healthcheck**: Yes
-* **Backups**: No
+* **Backups**: Yes
 * **Email**: Yes
 * **Tests**: No
 * **SSO**:  No
@@ -22,6 +22,8 @@ Karrot is a free and open-source tool for grassroots initiatives and groups of p
 3. `abra app config <karrot app name>`
 4. `abra app deploy <karrot app name>`
 
+See [Karrot Self-hosting docs](https://docs.karrot.world/self-host/coop-cloud/getting-started) for more information.
+
 ## Configuration options
 
 `MAXMIND_ACCOUNT_ID` and `MAXMIND_ACCOUNT_KEY` are API credentials from maxmind.com. You need an account there to get GeoIP data for Karrot.

abra.sh

@@ -1,3 +1,17 @@
-export NGINX_CONFIG_VERSION=v23
-export GEOIP_CONFIG_VERSION=v1
-export ENTRYPOINT_VERSION=v3
+fix-permissions() {
+  if [ "$(whoami)" != "root" ]; then
+    echo "error: you must be root to fix permissions"
+    echo "Try adding '--user root'"
+    exit 1
+  fi
+  
+  echo "Fixing permissions"
+  
+  echo "Making karrot the owner of uploads"
+  chown -R karrot:karrot /app/uploads
+
+  echo "Making karrot the owner of plugins"
+  chown -R karrot:karrot /app/plugins
+
+  echo "Done"
+}

compose.geoip.yml

@@ -0,0 +1,30 @@
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - "geoip_data:/var/lib/GeoIP"
+
+  worker:
+    volumes:
+      - "geoip_data:/var/lib/GeoIP"
+
+  geoip:
+    image: "ghcr.io/maxmind/geoipupdate:v6"
+    volumes:
+      - "geoip_data:/usr/share/GeoIP"
+    secrets:
+      - maxmind_license_key
+    environment:
+      - "GEOIPUPDATE_EDITION_IDS=GeoLite2-City GeoLite2-Country"
+      - "GEOIPUPDATE_ACCOUNT_ID=${MAXMIND_ACCOUNT_ID:-}"
+      - "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/maxmind_license_key"
+      - "GEOIPUPDATE_FREQUENCY=72"
+
+secrets:
+  maxmind_license_key:
+    external: true
+    name: ${STACK_NAME}_maxmind_license_key_${SECRET_MAXMIND_LICENSE_KEY_VERSION}
+
+volumes:
+  geoip_data:

compose.livekit.yml

@@ -0,0 +1,23 @@
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - livekit_api_secret
+    environment:
+      - MEET_LIVEKIT_ENDPOINT
+      - MEET_LIVEKIT_API_KEY
+      - MEET_LIVEKIT_API_SECRET_FILE=/run/secrets/livekit_api_secret
+
+  worker:
+    secrets:
+      - livekit_api_secret
+    environment:
+      - MEET_LIVEKIT_ENDPOINT
+      - MEET_LIVEKIT_API_KEY
+      - MEET_LIVEKIT_API_SECRET_FILE=/run/secrets/livekit_api_secret
+
+secrets:
+  livekit_api_secret:
+    external: true
+    name: ${STACK_NAME}_livekit_api_secret_${SECRET_LIVEKIT_API_SECRET_VERSION}

compose.postal.yml

@@ -0,0 +1,21 @@
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - postal_api_key
+    environment:
+      - POSTAL_API_KEY_FILE=/run/secrets/postal_api_key
+      - POSTAL_API_URL
+
+  worker:
+    secrets:
+      - postal_api_key
+    environment:
+      - POSTAL_API_KEY_FILE=/run/secrets/postal_api_key
+      - POSTAL_API_URL
+
+secrets:
+  postal_api_key:
+    external: true
+    name: ${STACK_NAME}_postal_api_key_${SECRET_POSTAL_API_KEY_VERSION}

compose.smtp.yml

@@ -0,0 +1,29 @@
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - smtp_password
+    environment:
+      - SMTP_HOST
+      - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+      - SMTP_PORT
+      - SMTP_USE_SSL
+      - SMTP_USE_TLS
+      - SMTP_USER
+
+  worker:
+    secrets:
+      - smtp_password
+    environment:
+      - SMTP_HOST
+      - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+      - SMTP_PORT
+      - SMTP_USE_SSL
+      - SMTP_USE_TLS
+      - SMTP_USER
+
+secrets:
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}

compose.vapid.yml

@@ -0,0 +1,23 @@
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - vapid_private_key
+    environment:
+      - VAPID_ADMIN_EMAIL
+      - VAPID_PUBLIC_KEY
+      - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
+
+  worker:
+    secrets:
+      - vapid_private_key
+    environment:
+      - VAPID_ADMIN_EMAIL
+      - VAPID_PUBLIC_KEY
+      - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
+
+secrets:
+  vapid_private_key:
+    external: true
+    name: ${STACK_NAME}_vapid_private_key_${SECRET_VAPID_PRIVATE_KEY_VERSION}

compose.yml

@@ -2,15 +2,16 @@ version: "3.8"
 
 services:
   web:
-    image: "ghcr.io/karrot-dev/karrot-docker-images:13.0.0-frontend"
-    configs:
-      - source: nginx_config
-        target: /etc/nginx/conf.d/default.conf
+    image: "codeberg.org/karrot/karrot-frontend:v17.2.1"
     depends_on:
       - app
     environment:
       - DOMAIN
       - FILE_UPLOAD_MAX_SIZE
+      - FILE_UPLOAD_DIR=/app/uploads/
+      - CSP_CONNECT_SRC=${CSP_CONNECT_SRC:-}
+      - LISTEN=80
+      - BACKEND=app:8000
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost/"]
       interval: 15s
@@ -21,7 +22,7 @@ services:
       - internal
       - proxy
     volumes:
-      - "app_data:/app/uploads"
+      - "app_data:/app/uploads/"
     deploy:
       update_config:
         failure_action: rollback
@@ -34,31 +35,20 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
 
   app:
-    image: "ghcr.io/karrot-dev/karrot-docker-images:13.0.0-backend"
+    image: "codeberg.org/karrot/karrot-backend:v17.2.1"
     networks:
       - internal
     depends_on:
       - db
       - redis
-    configs:
-      - source: geoip_conf
-        target: /etc/GeoIP.conf
-        mode: 0555
-      - source: entrypoint
-        target: /custom-entrypoint.sh
-        mode: 0555
-    entrypoint: /custom-entrypoint.sh
     secrets:
       - db_password
       - secret_key
-      - maxmind_license_key
-      - smtp_password
-      - vapid_private_key
     volumes:
-      - "shiv_data:/root/.shiv"
-      - "geoip_data:/var/lib/GeoIP"
-      - "app_data:/app/uploads"
+      - "app_data:/app/uploads/"
+      - "plugins_data:/app/plugins/"
     environment:
+      - ADMIN_EMAILS
       - CSRF_TRUSTED_ORIGINS
       - DATABASE_CONN_MAX_AGE
       - DATABASE_HOST=db
@@ -69,18 +59,19 @@ services:
       - EMAIL_BACKEND
       - EMAIL_FROM
       - EMAIL_REPLY_DOMAIN
-      - FILE_UPLOAD_DIR=/app/uploads
+      - FILE_UPLOAD_DIR=/app/uploads/
+      - FILE_UPLOAD_USE_ACCEL_REDIRECT=true
       - FILE_UPLOAD_MAX_SIZE
       - FORUM_BANNER_TOPIC_ID
       - FORUM_DISCUSSIONS_FEED
       - LISTEN_HOST=0.0.0.0
       - LISTEN_SERVER=uvicorn
-      - MAXMIND_ACCOUNT_ID
       - MODE=prod
-      - POSTAL_API_KEY
-      - POSTAL_API_URL
+      # Keep POSTAL_WEBHOOK_KEY in main compose file
+      # as you can use it without the other postal vars
       - POSTAL_WEBHOOK_KEY
       - PROXY_DISCOURSE_URL
+      - PLUGIN_DIR=/app/plugins/
       - REDIS_DB=0
       - REDIS_HOST=redis
       - REDIS_PORT=6379
@@ -88,52 +79,35 @@ services:
       - SITE_LOGO
       - SITE_NAME
       - SITE_URL
-      - SMTP_HOST
-      - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
-      - SMTP_PORT
-      - SMTP_USE_SSL
-      - SMTP_USE_TLS
-      - SMTP_USER
-      - VAPID_ADMIN_EMAIL
-      - VAPID_PUBLIC_KEY
-      - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
-      - MEET_LIVEKIT_ENDPOINT
-      - MEET_LIVEKIT_API_KEY
-      - MEET_LIVEKIT_API_SECRET_FILE=/run/secrets/livekit_api_secret
+      - MIGRATE=yes
+    command: server
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8000/api/config/"]
+      test: ["CMD", "curl", "-f", "http://localhost:8000/api/healthcheck/"]
       interval: 10s
       timeout: 3s
       retries: 3 
-      start_period: 45s
+      # sometimes migrations can take their time..
+      start_period: 600s
     deploy:
       labels:
-        - "coop-cloud.${STACK_NAME}.version=0.1.8+13.0.0"
+        - "coop-cloud.${STACK_NAME}.version=3.2.1+17.2.1"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/app/uploads"
 
   worker:
-    image: "ghcr.io/karrot-dev/karrot-docker-images:13.0.0-backend"
+    image: "codeberg.org/karrot/karrot-backend:v17.2.1"
     depends_on:
-      # shiv + geoip data gets loaded on the first run of the app
-      # so to ensure it's available in the worker too, we need to wait
       - app
-    volumes:
-      - "shiv_data:/root/.shiv"
-      - "geoip_data:/var/lib/GeoIP"
-    configs:
-      - source: entrypoint
-        target: /custom-entrypoint.sh
-        mode: 0555
-    entrypoint: /custom-entrypoint.sh
     networks:
       - internal
     secrets:
       - db_password
       - secret_key
-      - smtp_password
-      - vapid_private_key
+    volumes:
+      - "app_data:/app/uploads/"
+      - "plugins_data:/app/plugins/"
     environment:
+      - ADMIN_EMAILS
       - DATABASE_CONN_MAX_AGE
       - DATABASE_HOST=db
       - DATABASE_NAME=karrot
@@ -143,13 +117,13 @@ services:
       - EMAIL_BACKEND
       - EMAIL_FROM
       - EMAIL_REPLY_DOMAIN
-      - IS_WORKER=1
       - LISTEN_HOST=0.0.0.0
       - LISTEN_SERVER=uvicorn
       - MODE=prod
-      - POSTAL_API_KEY
-      - POSTAL_API_URL
+      # Keep POSTAL_WEBHOOK_KEY in main compose file
+      # as you can use it without the other postal vars
       - POSTAL_WEBHOOK_KEY
+      - PLUGIN_DIR=/app/plugins/
       - REDIS_DB=0
       - REDIS_HOST=redis
       - REDIS_PORT=6379
@@ -157,18 +131,7 @@ services:
       - SITE_LOGO
       - SITE_NAME
       - SITE_URL
-      - SMTP_HOST
-      - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
-      - SMTP_PORT
-      - SMTP_USE_SSL
-      - SMTP_USE_TLS
-      - SMTP_USER
-      - VAPID_ADMIN_EMAIL
-      - VAPID_PUBLIC_KEY
-      - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
-      - MEET_LIVEKIT_ENDPOINT
-      - MEET_LIVEKIT_API_KEY
-      - MEET_LIVEKIT_API_SECRET_FILE=/run/secrets/livekit_api_secret
+    command: worker
 
   redis:
     image: "redis:6-alpine"
@@ -206,20 +169,6 @@ services:
         backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/postgres-backup.sql"
         backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/postgres-backup.sql"
         backupbot.backup.path: "/var/lib/postgresql/data/"
- 
-
-configs:
-  nginx_config:
-    name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
-    file: nginx.conf.tmpl
-    template_driver: golang
-  geoip_conf:
-    name: ${STACK_NAME}_geoip_conf_${GEOIP_CONFIG_VERSION}
-    file: geoip.conf.tmpl
-    template_driver: golang
-  entrypoint:
-    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
-    file: entrypoint.sh
 
 secrets:
   db_password:
@@ -228,23 +177,10 @@ secrets:
   secret_key:
     external: true
     name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  maxmind_license_key:
-    external: true
-    name: ${STACK_NAME}_maxmind_license_key_${SECRET_MAXMIND_LICENSE_KEY_VERSION}
-  smtp_password:
-    external: true
-    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
-  vapid_private_key:
-    external: true
-    name: ${STACK_NAME}_vapid_private_key_${SECRET_VAPID_PRIVATE_KEY_VERSION}
-  livekit_api_secret:
-    external: true
-    name: ${STACK_NAME}_livekit_api_secret_${SECRET_LIVEKIT_API_SECRET_VERSION}
 
 volumes:
-  shiv_data:
-  geoip_data:
   app_data:
+  plugins_data:
   postgres_data:
   redis_data:
 

entrypoint.sh

@@ -1,32 +0,0 @@
-#!/bin/bash
-
-set -e
-
-file_env() {
-  local var="$1"
-  local fileVar="${var}_FILE"
-  local def="${2:-}"
-
-  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-    exit 1
-  fi
-
-  local val="$def"
-
-  if [ "${!var:-}" ]; then
-    val="${!var}"
-  elif [ "${!fileVar:-}" ]; then
-    val="$(< "${!fileVar}")"
-  fi
-
-  export "$var"="$val"
-  unset "$fileVar"
-}
-
-file_env DATABASE_PASSWORD
-file_env SECRET_KEY
-file_env SMTP_PASSWORD
-file_env VAPID_PRIVATE_KEY
-
-/docker-entrypoint.sh

geoip.conf.tmpl

@@ -1,3 +0,0 @@
-EditionIDs GeoLite2-City GeoLite2-Country
-AccountID {{ env "MAXMIND_ACCOUNT_ID" }}
-LicenseKey {{ secret "maxmind_license_key" }}

release/1.0.0+14.0.1

@@ -0,0 +1,32 @@
+Major upgrade because this switches to new set of docker images with new python version.
+
+Full release info available here: https://codeberg.org/karrot/karrot/releases/tag/v14.0.1
+
+## Fix to uploaded file permissions
+
+We now run the container as non-root user which means the file permissions need updating.
+
+After you deployment you can fix that by running:
+
+```
+abra app cmd --user root <domain> app fix-permissions
+```
+
+(Note: we need `--user root` there, as we need to be `root` in the container to change the permissions)
+
+## geoip changes
+
+Now the geoip update server is run using an additional compose file config, so if you are using geoip with a maxmind account, modify your config to include:
+
+```
+COMPOSE_FILE="compose.yml"
+COMPOSE_FILE="$COMPOSE_FILE:compose.geoip.yml"
+MAXMIND_ACCOUNT_ID=youraccountid
+SECRET_MAXMIND_LICENSE_KEY_VERSION=v1
+```
+
+And ensure you have the `maxmind_license_key` secret set, which you can do with:
+
+```
+abra app secret insert <domain> maxmind_license_key v1 <key>
+```