Update to Karrot v17.1.0

- includes plugins

.drone.yml

@@ -10,7 +10,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,18 +1,26 @@
 TYPE=karrot
 
+# For more information about these options
+# see https://docs.karrot.world/self-host/options
+
 DOMAIN=karrot.example.com
 
+COMPOSE_FILE="compose.yml"
+
+SITE_NAME=karrot dev
+SITE_LOGO=https://user-images.githubusercontent.com/31616/36565633-517373a4-1821-11e8-9948-5bf6887c667e.png
+
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SECRET_KEY_VERSION=v1
 SECRET_SMTP_PASSWORD_VERSION=v1
 
 # account id for maxmind (for GeoIP)
+# uncomment if using maxmind account
+# make sure to add the maxmind_license_key secret too
+#COMPOSE_FILE="$COMPOSE_FILE:compose.geoip.yml"
 #MAXMIND_ACCOUNT_ID=
 SECRET_MAXMIND_LICENSE_KEY_VERSION=v1
 
-SITE_NAME=karrot dev
-SITE_LOGO=https://user-images.githubusercontent.com/31616/36565633-517373a4-1821-11e8-9948-5bf6887c667e.png
-
 FILE_UPLOAD_MAX_SIZE=10m
 
 # postal,smtp,console
@@ -37,6 +45,8 @@ EMAIL_BACKEND=console
 
 # For web push set this, and the vapid private key secret
 # You need to generate a valid vapid keypair
+# You can generate one by running:
+# docker run --rm codeberg.org/karrot/generate-vapid-keypair
 #VAPID_PUBLIC_KEY=
 #VAPID_ADMIN_EMAIL=
 #SECRET_VAPID_PRIVATE_KEY_VERSION=v1
@@ -46,6 +56,7 @@ EMAIL_BACKEND=console
 #MEET_LIVEKIT_API_KEY=
 #SECRET_LIVEKIT_API_SECRET_VERSION=v1
 
+# You probably don't need to touch these
 SITE_URL=https://${DOMAIN}
 LETS_ENCRYPT_ENV=production
-CSRF_TRUSTED_ORIGINS=${SITE_URL}
+CSRF_TRUSTED_ORIGINS=${SITE_URL}

README.md

@@ -6,9 +6,9 @@ Karrot is a free and open-source tool for grassroots initiatives and groups of p
 
 * **Category**: Utilities
 * **Status**: 3, stable
-* **Image**: [`karrot-backend`](https://hub.docker.com/r/vlafvlaf/karrot_backend),4,upstream
+* **Image**: [`karrot-frontend`](https://codeberg.org/karrot/-/packages/container/karrot-backend)/[`karrot-frontend`](https://codeberg.org/karrot/-/packages/container/karrot-backend),4,upstream
 * **Healthcheck**: Yes
-* **Backups**: No
+* **Backups**: Yes
 * **Email**: Yes
 * **Tests**: No
 * **SSO**:  No
@@ -22,6 +22,8 @@ Karrot is a free and open-source tool for grassroots initiatives and groups of p
 3. `abra app config <karrot app name>`
 4. `abra app deploy <karrot app name>`
 
+See [Karrot Self-hosting docs](https://docs.karrot.world/self-host/coop-cloud/getting-started) for more information.
+
 ## Configuration options
 
 `MAXMIND_ACCOUNT_ID` and `MAXMIND_ACCOUNT_KEY` are API credentials from maxmind.com. You need an account there to get GeoIP data for Karrot.

abra.sh

@@ -1,3 +1,17 @@
-export NGINX_CONFIG_VERSION=v23
-export GEOIP_CONFIG_VERSION=v1
-export ENTRYPOINT_VERSION=v3
+fix-permissions() {
+  if [ "$(whoami)" != "root" ]; then
+    echo "error: you must be root to fix permissions"
+    echo "Try adding '--user root'"
+    exit 1
+  fi
+  
+  echo "Fixing permissions"
+  
+  echo "Making karrot the owner of uploads"
+  chown -R karrot:karrot /app/uploads
+
+  echo "Making karrot the owner of plugins"
+  chown -R karrot:karrot /app/plugins
+
+  echo "Done"
+}

compose.geoip.yml

@@ -0,0 +1,30 @@
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - "geoip_data:/var/lib/GeoIP"
+
+  worker:
+    volumes:
+      - "geoip_data:/var/lib/GeoIP"
+
+  geoip:
+    image: "ghcr.io/maxmind/geoipupdate:v6"
+    volumes:
+      - "geoip_data:/usr/share/GeoIP"
+    secrets:
+      - maxmind_license_key
+    environment:
+      - "GEOIPUPDATE_EDITION_IDS=GeoLite2-City GeoLite2-Country"
+      - "GEOIPUPDATE_ACCOUNT_ID=${MAXMIND_ACCOUNT_ID:-}"
+      - "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/maxmind_license_key"
+      - "GEOIPUPDATE_FREQUENCY=72"
+
+secrets:
+  maxmind_license_key:
+    external: true
+    name: ${STACK_NAME}_maxmind_license_key_${SECRET_MAXMIND_LICENSE_KEY_VERSION}
+
+volumes:
+  geoip_data:

compose.yml

@@ -2,15 +2,16 @@ version: "3.8"
 
 services:
   web:
-    image: "ghcr.io/karrot-dev/karrot-docker-images:13.0.0-frontend"
-    configs:
-      - source: nginx_config
-        target: /etc/nginx/conf.d/default.conf
+    image: "codeberg.org/karrot/karrot-frontend:v17.1.0"
     depends_on:
       - app
     environment:
       - DOMAIN
       - FILE_UPLOAD_MAX_SIZE
+      - FILE_UPLOAD_DIR=/app/uploads/
+      - CSP_CONNECT_SRC=${CSP_CONNECT_SRC:-}
+      - LISTEN=80
+      - BACKEND=app:8000
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost/"]
       interval: 15s
@@ -21,7 +22,7 @@ services:
       - internal
       - proxy
     volumes:
-      - "app_data:/app/uploads"
+      - "app_data:/app/uploads/"
     deploy:
       update_config:
         failure_action: rollback
@@ -34,31 +35,23 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
 
   app:
-    image: "ghcr.io/karrot-dev/karrot-docker-images:13.0.0-backend"
+    image: "codeberg.org/karrot/karrot-backend:v17.1.0"
     networks:
       - internal
     depends_on:
       - db
       - redis
-    configs:
-      - source: geoip_conf
-        target: /etc/GeoIP.conf
-        mode: 0555
-      - source: entrypoint
-        target: /custom-entrypoint.sh
-        mode: 0555
-    entrypoint: /custom-entrypoint.sh
     secrets:
       - db_password
       - secret_key
-      - maxmind_license_key
       - smtp_password
       - vapid_private_key
+      - livekit_api_secret
     volumes:
-      - "shiv_data:/root/.shiv"
-      - "geoip_data:/var/lib/GeoIP"
-      - "app_data:/app/uploads"
+      - "app_data:/app/uploads/"
+      - "plugins_data:/app/plugins/"
     environment:
+      - ADMIN_EMAILS
       - CSRF_TRUSTED_ORIGINS
       - DATABASE_CONN_MAX_AGE
       - DATABASE_HOST=db
@@ -69,18 +62,19 @@ services:
       - EMAIL_BACKEND
       - EMAIL_FROM
       - EMAIL_REPLY_DOMAIN
-      - FILE_UPLOAD_DIR=/app/uploads
+      - FILE_UPLOAD_DIR=/app/uploads/
+      - FILE_UPLOAD_USE_ACCEL_REDIRECT=true
       - FILE_UPLOAD_MAX_SIZE
       - FORUM_BANNER_TOPIC_ID
       - FORUM_DISCUSSIONS_FEED
       - LISTEN_HOST=0.0.0.0
       - LISTEN_SERVER=uvicorn
-      - MAXMIND_ACCOUNT_ID
       - MODE=prod
       - POSTAL_API_KEY
       - POSTAL_API_URL
       - POSTAL_WEBHOOK_KEY
       - PROXY_DISCOURSE_URL
+      - PLUGIN_DIR=/app/plugins/
       - REDIS_DB=0
       - REDIS_HOST=redis
       - REDIS_PORT=6379
@@ -100,32 +94,24 @@ services:
       - MEET_LIVEKIT_ENDPOINT
       - MEET_LIVEKIT_API_KEY
       - MEET_LIVEKIT_API_SECRET_FILE=/run/secrets/livekit_api_secret
+      - MIGRATE=yes
+    command: server
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8000/api/config/"]
+      test: ["CMD", "curl", "-f", "http://localhost:8000/api/settings/"]
       interval: 10s
       timeout: 3s
       retries: 3 
       start_period: 45s
     deploy:
       labels:
-        - "coop-cloud.${STACK_NAME}.version=0.1.8+13.0.0"
+        - "coop-cloud.${STACK_NAME}.version=3.1.0+17.1.0"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/app/uploads"
 
   worker:
-    image: "ghcr.io/karrot-dev/karrot-docker-images:13.0.0-backend"
+    image: "codeberg.org/karrot/karrot-backend:v17.1.0"
     depends_on:
-      # shiv + geoip data gets loaded on the first run of the app
-      # so to ensure it's available in the worker too, we need to wait
       - app
-    volumes:
-      - "shiv_data:/root/.shiv"
-      - "geoip_data:/var/lib/GeoIP"
-    configs:
-      - source: entrypoint
-        target: /custom-entrypoint.sh
-        mode: 0555
-    entrypoint: /custom-entrypoint.sh
     networks:
       - internal
     secrets:
@@ -133,7 +119,12 @@ services:
       - secret_key
       - smtp_password
       - vapid_private_key
+      - livekit_api_secret
+    volumes:
+      - "app_data:/app/uploads/"
+      - "plugins_data:/app/plugins/"
     environment:
+      - ADMIN_EMAILS
       - DATABASE_CONN_MAX_AGE
       - DATABASE_HOST=db
       - DATABASE_NAME=karrot
@@ -143,13 +134,13 @@ services:
       - EMAIL_BACKEND
       - EMAIL_FROM
       - EMAIL_REPLY_DOMAIN
-      - IS_WORKER=1
       - LISTEN_HOST=0.0.0.0
       - LISTEN_SERVER=uvicorn
       - MODE=prod
       - POSTAL_API_KEY
       - POSTAL_API_URL
       - POSTAL_WEBHOOK_KEY
+      - PLUGIN_DIR=/app/plugins/
       - REDIS_DB=0
       - REDIS_HOST=redis
       - REDIS_PORT=6379
@@ -169,6 +160,7 @@ services:
       - MEET_LIVEKIT_ENDPOINT
       - MEET_LIVEKIT_API_KEY
       - MEET_LIVEKIT_API_SECRET_FILE=/run/secrets/livekit_api_secret
+    command: worker
 
   redis:
     image: "redis:6-alpine"
@@ -206,20 +198,6 @@ services:
         backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/postgres-backup.sql"
         backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/postgres-backup.sql"
         backupbot.backup.path: "/var/lib/postgresql/data/"
- 
-
-configs:
-  nginx_config:
-    name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
-    file: nginx.conf.tmpl
-    template_driver: golang
-  geoip_conf:
-    name: ${STACK_NAME}_geoip_conf_${GEOIP_CONFIG_VERSION}
-    file: geoip.conf.tmpl
-    template_driver: golang
-  entrypoint:
-    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
-    file: entrypoint.sh
 
 secrets:
   db_password:
@@ -228,9 +206,6 @@ secrets:
   secret_key:
     external: true
     name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  maxmind_license_key:
-    external: true
-    name: ${STACK_NAME}_maxmind_license_key_${SECRET_MAXMIND_LICENSE_KEY_VERSION}
   smtp_password:
     external: true
     name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
@@ -242,9 +217,8 @@ secrets:
     name: ${STACK_NAME}_livekit_api_secret_${SECRET_LIVEKIT_API_SECRET_VERSION}
 
 volumes:
-  shiv_data:
-  geoip_data:
   app_data:
+  plugins_data:
   postgres_data:
   redis_data:
 

entrypoint.sh

@@ -1,32 +0,0 @@
-#!/bin/bash
-
-set -e
-
-file_env() {
-  local var="$1"
-  local fileVar="${var}_FILE"
-  local def="${2:-}"
-
-  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-    exit 1
-  fi
-
-  local val="$def"
-
-  if [ "${!var:-}" ]; then
-    val="${!var}"
-  elif [ "${!fileVar:-}" ]; then
-    val="$(< "${!fileVar}")"
-  fi
-
-  export "$var"="$val"
-  unset "$fileVar"
-}
-
-file_env DATABASE_PASSWORD
-file_env SECRET_KEY
-file_env SMTP_PASSWORD
-file_env VAPID_PRIVATE_KEY
-
-/docker-entrypoint.sh

geoip.conf.tmpl

@@ -1,3 +0,0 @@
-EditionIDs GeoLite2-City GeoLite2-Country
-AccountID {{ env "MAXMIND_ACCOUNT_ID" }}
-LicenseKey {{ secret "maxmind_license_key" }}

release/1.0.0+14.0.1

@@ -0,0 +1,32 @@
+Major upgrade because this switches to new set of docker images with new python version.
+
+Full release info available here: https://codeberg.org/karrot/karrot/releases/tag/v14.0.1
+
+## Fix to uploaded file permissions
+
+We now run the container as non-root user which means the file permissions need updating.
+
+After you deployment you can fix that by running:
+
+```
+abra app cmd --user root <domain> app fix-permissions
+```
+
+(Note: we need `--user root` there, as we need to be `root` in the container to change the permissions)
+
+## geoip changes
+
+Now the geoip update server is run using an additional compose file config, so if you are using geoip with a maxmind account, modify your config to include:
+
+```
+COMPOSE_FILE="compose.yml"
+COMPOSE_FILE="$COMPOSE_FILE:compose.geoip.yml"
+MAXMIND_ACCOUNT_ID=youraccountid
+SECRET_MAXMIND_LICENSE_KEY_VERSION=v1
+```
+
+And ensure you have the `maxmind_license_key` secret set, which you can do with:
+
+```
+abra app secret insert <domain> maxmind_license_key v1 <key>
+```