Don't include geoip volume in main compose.yml

Since we run karrot as karrot user now, the uploads need to be
owned by that user.

.env.sample

@@ -1,5 +1,8 @@
 TYPE=karrot
 
+# For more information about these options
+# see https://docs.karrot.world/self-host/options
+
 DOMAIN=karrot.example.com
 
 COMPOSE_FILE="compose.yml"
@@ -42,6 +45,8 @@ EMAIL_BACKEND=console
 
 # For web push set this, and the vapid private key secret
 # You need to generate a valid vapid keypair
+# You can generate one by running:
+# docker run --rm codeberg.org/karrot/generate-vapid-keypair
 #VAPID_PUBLIC_KEY=
 #VAPID_ADMIN_EMAIL=
 #SECRET_VAPID_PRIVATE_KEY_VERSION=v1
@@ -51,6 +56,7 @@ EMAIL_BACKEND=console
 #MEET_LIVEKIT_API_KEY=
 #SECRET_LIVEKIT_API_SECRET_VERSION=v1
 
+# You probably don't need to touch these
 SITE_URL=https://${DOMAIN}
 LETS_ENCRYPT_ENV=production
 CSRF_TRUSTED_ORIGINS=${SITE_URL}

abra.sh

@@ -1,2 +1,16 @@
-export NGINX_CONFIG_VERSION=v23
-export GEOIP_CONFIG_VERSION=v1
+fix-permissions() {
+  if [ "$(whoami)" != "root" ]; then
+    echo "error: you must be root to fix permissions"
+    echo "Try adding '--user root'"
+    exit 1
+  fi
+  if [ ! -d /app/uploads ]; then
+    echo "error: no uploads dir!"
+    echo "Make sure to run it on the 'app' service"
+    exit 1
+  fi
+  echo "Fixing upload permissions"
+  echo "Making karrot the owner of uploads"
+  chown -R karrot:karrot /app/uploads
+  echo "Done"
+}

compose.geoip.yml

@@ -4,7 +4,6 @@ services:
   app:
     volumes:
       - "geoip_data:/var/lib/GeoIP"
-      - "app_data:/app/uploads"
 
   worker:
     volumes:
@@ -17,10 +16,10 @@ services:
     secrets:
       - maxmind_license_key
     environment:
-      - GEOIPUPDATE_EDITION_IDS=GeoLite2-City GeoLite2-Country
-      - GEOIPUPDATE_ACCOUNT_ID=${MAXMIND_ACCOUNT_ID:-}
-      - GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/maxmind_license_key
-      - GEOIPUPDATE_FREQUENCY=72
+      - "GEOIPUPDATE_EDITION_IDS=GeoLite2-City GeoLite2-Country"
+      - "GEOIPUPDATE_ACCOUNT_ID=${MAXMIND_ACCOUNT_ID:-}"
+      - "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/maxmind_license_key"
+      - "GEOIPUPDATE_FREQUENCY=72"
 
 secrets:
   maxmind_license_key:

compose.yml

@@ -48,7 +48,6 @@ services:
       - vapid_private_key
       - livekit_api_secret
     volumes:
-      - "geoip_data:/var/lib/GeoIP"
       - "app_data:/app/uploads/"
     environment:
       - CSRF_TRUSTED_ORIGINS
@@ -102,7 +101,7 @@ services:
       start_period: 45s
     deploy:
       labels:
-        - "coop-cloud.${STACK_NAME}.version=0.1.10+13.0.0"
+        - "coop-cloud.${STACK_NAME}.version=1.0.0+14.0.1"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/app/uploads"
 
@@ -110,8 +109,6 @@ services:
     image: "codeberg.org/karrot/karrot-backend:v14.0.1"
     depends_on:
       - app
-    volumes:
-      - "geoip_data:/var/lib/GeoIP"
     networks:
       - internal
     secrets:
@@ -212,7 +209,6 @@ secrets:
     name: ${STACK_NAME}_livekit_api_secret_${SECRET_LIVEKIT_API_SECRET_VERSION}
 
 volumes:
-  geoip_data:
   app_data:
   postgres_data:
   redis_data:

release/1.0.0+14.0.1

@@ -0,0 +1,32 @@
+Major upgrade because this switches to new set of docker images with new python version.
+
+Full release info available here: https://codeberg.org/karrot/karrot/releases/tag/v14.0.1
+
+## Fix to uploaded file permissions
+
+We now run the container as non-root user which means the file permissions need updating.
+
+After you deployment you can fix that by running:
+
+```
+abra app cmd <domain> app fix-permissions --user root
+```
+
+(Note: we need `--user root` there, as we need to be `root` in the container to change the permissions)
+
+## geoip changes
+
+Now the geoip update server is run using an additional compose file config, so if you are using geoip with a maxmind account, modify your config to include:
+
+```
+COMPOSE_FILE="compose.yml"
+COMPOSE_FILE="$COMPOSE_FILE:compose.geoip.yml"
+MAXMIND_ACCOUNT_ID=youraccountid
+SECRET_MAXMIND_LICENSE_KEY_VERSION=v1
+```
+
+And ensure you have the `maxmind_license_key` secret set, which you can do with:
+
+```
+abra app secret insert <domain> maxmind_license_key v1 <key>
+```