fix web healthcheck

.env.sample

@@ -1,16 +1,29 @@
 TYPE=karrot
 
 DOMAIN=karrot.example.com
-LETS_ENCRYPT_ENV=production
-
-# account id for maxmind (for GeoIP)
-MAXMIND_ACCOUNT_ID=
-# License key for maxmind 
-MAXMIND_LICENSE_KEY=
-
-# if I set this it fails with:
-# TypeError: SelectorEventLoop required, instead got: <uvloop.Loop running=False closed=False debug=False>
-#LISTEN_CONCURRENCY=4
-
 
 SECRET_DB_PASSWORD_VERSION=v1
+SECRET_SECRET_KEY_VERSION=v1
+SECRET_SMTP_PASSWORD_VERSION=v1
+
+# account id for maxmind (for GeoIP)
+#MAXMIND_ACCOUNT_ID=
+#SECRET_MAXMIND_LICENSE_KEY_VERSION=v1
+
+SITE_NAME=karrot dev
+SITE_LOGO=https://user-images.githubusercontent.com/31616/36565633-517373a4-1821-11e8-9948-5bf6887c667e.png
+
+# postal,smtp,console
+EMAIL_BACKEND=console
+# only set those when using SMTP
+# SMTP USER and EMAIL_FROM are usually the same
+#EMAIL_FROM=
+#SMTP_USER=
+#SMTP_HOST=
+#SMTP_USE_SSL=
+#SMTP_USE_TLS=true
+#SMTP_PORT=587
+
+SITE_URL=https://${DOMAIN}
+LETS_ENCRYPT_ENV=production
+

README.md

@@ -0,0 +1,29 @@
+# karrot
+
+Karrot is a free and open-source tool for grassroots initiatives and groups of people that want to coordinate face-to-face activities on a local, autonomous and voluntary basis.
+
+<!-- metadata -->
+
+* **Category**: Utilities
+* **Status**: 3, stable
+* **Image**: [`karrot-backend`](https://hub.docker.com/r/vlafvlaf/karrot_backend),4,upstream
+* **Healthcheck**: Yes
+* **Backups**: No
+* **Email**: Yes
+* **Tests**: No
+* **SSO**:  No
+
+<!-- endmetadata -->
+
+## Basic usage
+
+1. Set up Docker Swarm and [`abra`]
+2. `abra app new karrot`
+3. `abra app config <karrot app name>`
+4. `abra app deploy <karrot app name>`
+
+## Configuration options
+
+`MAXMIND_ACCOUNT_ID` and `MAXMIND_ACCOUNT_KEY` are API credentials from maxmind.com. You need an account there to get GeoIP data for Karrot.
+
+[`abra`]: https://git.coopcloud.tech/coop-cloud/abra

abra.sh

@@ -1,2 +1,3 @@
 export NGINX_CONFIG_VERSION=v1
-export POSTGRES_ENTRYPOINT_VERSION=v1
+export GEOIP_CONFIG_VERSION=v1
+export ENTRYPOINT_VERSION=v1

backend/Dockerfile

@@ -1,13 +0,0 @@
-FROM python:3.7-buster
-
-WORKDIR /app
-
-RUN apt-get update && \
-    apt-get install -y gdal-bin
-
-COPY ./karrot-backend.pyz /app/karrot-backend.pyz
-
-RUN sed -i -e's/ main/ main contrib non-free/g' /etc/apt/sources.list && \
-    apt-get update && \
-    apt-get install -y libmaxminddb0 libmaxminddb-dev geoipupdate
-

compose.yml

@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   web:
-    image: "vlafvlaf/karrot_frontend:0.0.3"
+    image: "ghcr.io/karrot-dev/karrot-docker-images:0.1.1-frontend"
     configs:
       - source: nginx_config
         target: /etc/nginx/conf.d/default.conf
@@ -11,10 +11,11 @@ services:
     environment:
       - DOMAIN
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost/"]
-      interval: 30s
+      test: ["CMD", "curl", "-f", "http://localhost/api/config/"]
+      interval: 15s
       timeout: 3s
-      retries: 30
+      retries: 2
+      start_period: 45s
     networks:
       - internal
       - proxy
@@ -30,52 +31,67 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.0.1+testing"
 
   app:
-    image: "vlafvlaf/karrot_backend:test"
+    image: "ghcr.io/karrot-dev/karrot-docker-images:0.1.2-backend"
     networks:
       - internal
     depends_on:
       - db
       - redis
+    configs:
+      - source: geoip_conf
+        target: /etc/GeoIP.conf
+        mode: 0555
+      - source: entrypoint
+        target: /custom-entrypoint.sh
+        mode: 0555
+    entrypoint: /custom-entrypoint.sh
+    secrets:
+      - db_password
+      - secret_key
+      - maxmind_license_key
+      - smtp_password
     volumes:
       - "shiv_data:/root/.shiv"
       - "geoip_data:/var/lib/GeoIP"
       - "app_data:/app/uploads"
     environment:
       - MAXMIND_ACCOUNT_ID
-      - MAXMIND_LICENSE_KEY
-      - SITE_URL=http://localhost:8000
+      - EMAIL_BACKEND
+      - EMAIL_FROM
+      - SMTP_USER
+      - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+      - SMTP_HOST
+      - SMTP_USE_SSL
+      - SMTP_USE_TLS
+      - SMTP_PORT
+      - SITE_URL
+      - SITE_NAME
+      - SITE_LOGO
       - LISTEN_HOST=0.0.0.0
       - LISTEN_SERVER=uvicorn
-      - SECRET_KEY=foobar
+      - SECRET_KEY_FILE=/run/secrets/secret_key
       - DATABASE_HOST=db
       - DATABASE_PORT=5432
       - DATABASE_NAME=karrot
       - DATABASE_USER=karrot
-      - DATABASE_PASSWORD=karrot
+      - DATABASE_PASSWORD_FILE=/run/secrets/db_password
       - REDIS_HOST=redis
       - REDIS_PORT=6379
       - REDIS_DB=0
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8000/api/"]
-      interval: 30s
+      test: ["CMD", "curl", "-f", "http://localhost:8000/api/config/"]
+      interval: 10s
       timeout: 3s
-      retries: 90
-    command: >
-      sh -c "
-      echo 'EditionIDs GeoLite2-City GeoLite2-Country' > /etc/GeoIP.conf &&
-      echo AccountID $${MAXMIND_ACCOUNT_ID} >> /etc/GeoIP.conf &&
-      echo LicenseKey $${MAXMIND_LICENSE_KEY} >> /etc/GeoIP.conf &&
-      echo 'Updating geoip data, first time could be slow...' &&
-      geoipupdate &&
-      pip install tzdata &&
-      python karrot-backend.pyz migrate &&
-      python karrot-backend.pyz server
-      "
+      retries: 3 
+      start_period: 45s
+    deploy:
+      labels:
+        - "coop-cloud.${STACK_NAME}.version=0.1.2+0.1.2"
+
   worker:
-    image: "vlafvlaf/karrot_backend:test"
+    image: "ghcr.io/karrot-dev/karrot-docker-images:0.1.2-backend"
     depends_on:
       # shiv + geoip data gets loaded on the first run of the app
       # so to ensure it's available in the worker too, we need to wait
@@ -83,25 +99,37 @@ services:
     volumes:
       - "shiv_data:/root/.shiv"
       - "geoip_data:/var/lib/GeoIP"
+    configs:
+      - source: entrypoint
+        target: /custom-entrypoint.sh
+        mode: 0555
+    entrypoint: /custom-entrypoint.sh
     networks:
       - internal
+    secrets:
+      - db_password
+      - secret_key
+      - smtp_password
     environment:
-      - SITE_URL=http://localhost:8000
+      - SITE_URL
+      - SMTP_USER
+      - SMTP_HOST
+      - SMTP_USE_SSL
+      - SMTP_USE_TLS
+      - SMTP_PORT
+      - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+      - IS_WORKER=1
       - LISTEN_HOST=0.0.0.0
       - LISTEN_SERVER=uvicorn
-      - SECRET_KEY=foobar
+      - SECRET_KEY_FILE=/run/secrets/secret_key
       - DATABASE_HOST=db
       - DATABASE_PORT=5432
       - DATABASE_NAME=karrot
       - DATABASE_USER=karrot
-      - DATABASE_PASSWORD=karrot
+      - DATABASE_PASSWORD_FILE=/run/secrets/db_password
       - REDIS_HOST=redis
       - REDIS_PORT=6379
       - REDIS_DB=0
-    command: 
-      sh -c "
-      pip install tzdata &&
-      python karrot-backend.pyz worker"
   
   redis:
     image: "redis:6-alpine"
@@ -123,33 +151,44 @@ services:
       interval: 10s
       timeout: 3s
       retries: 30
-    configs:
-      - source: postgres_extensions
-        target: /docker-entrypoint-initdb.d/extensions.sql
-        mode: 0555
+    secrets:
+      - db_password
     volumes:
       - "postgres_data:/var/lib/postgresql/data"
     networks:
       - internal
     environment:
-      - POSTGRES_PASSWORD=karrot
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
       - POSTGRES_USER=karrot
       - POSTGRES_DB=karrot
  
 
-secrets:
-  db_password:
-    external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-
 configs:
   nginx_config:
     name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
     file: nginx.conf.tmpl
     template_driver: golang
-  postgres_extensions:
-    name: ${STACK_NAME}_postgres_extensions_${POSTGRES_ENTRYPOINT_VERSION}
-    file: pg_extensions.sql
+  geoip_conf:
+    name: ${STACK_NAME}_geoip_conf_${GEOIP_CONFIG_VERSION}
+    file: geoip.conf.tmpl
+    template_driver: golang
+  entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh
+
+secrets:
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  secret_key:
+    external: true
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+  maxmind_license_key:
+    external: true
+    name: ${STACK_NAME}_maxmind_license_key_${SECRET_MAXMIND_LICENSE_KEY_VERSION}
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
 
 volumes:
   shiv_data:
@@ -157,6 +196,7 @@ volumes:
   app_data:
   postgres_data:
   redis_data:
+
 networks:
   proxy:
     external: true

entrypoint.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env DATABASE_PASSWORD
+file_env SECRET_KEY
+file_env SMTP_PASSWORD
+
+/docker-entrypoint.sh

frontend/Dockerfile

@@ -1,4 +0,0 @@
-FROM nginx:1.20.1-alpine
-
-RUN curl https://download.karrot.world/karrot-frontend-production.zip -o karrot-frontend.zip && \
-    unzip -o karrot-frontend.zip -d /usr/share/nginx/html

frontend/nginx.conf

@@ -1,64 +0,0 @@
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    '' close;
-}
-
-server { 
-    listen 80;
-    server_name web;
-
-    root /usr/share/nginx/html;
-
-    location / {
-        try_files $uri /index.html;
-        if_modified_since off;
-        expires off;
-        etag off;
-        # TODO: csp headers
-    }
-
-    location /css {
-      expires max;
-    }
-
-    location /js {
-      expires max;
-    }
-
-    location /img {
-      expires max;
-    }
-
-    location /fonts {
-      expires max;
-    }
-
-    # /app/uploads
-
-    location /media/ {
-        alias /app/uploads/;
-        expires max;
-    }
-    
-    location /community_proxy/ {
-        proxy_pass https://community.foodsaving.world/;
-    }
-
-    location ^\/(api(\-auth)?|docs|silk)\/ {
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        # this port is whatever port 80 is mapped to outside the container
-        proxy_set_header Host $host:8080;
-        proxy_pass http://app:8000;
-        proxy_redirect off;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-        proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
-        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
-        proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
-        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
-    }
-
-}

geoip.conf.tmpl

@@ -0,0 +1,3 @@
+EditionIDs GeoLite2-City GeoLite2-Country
+AccountID {{ env "MAXMIND_ACCOUNT_ID" }}
+LicenseKey {{ secret "maxmind_license_key" }}