From 44fae6db11f7f7b1234270ee69ced2f58c4fcaa8 Mon Sep 17 00:00:00 2001
From: knoflook <knoflook@disroot.org>
Date: Thu, 11 Sep 2025 13:37:59 +0200
Subject: [PATCH] spell fixes and disable email password secret

---
 .env.sample | 21 +++++++++++++--------
 compose.yml | 27 +++++++++++++++------------
 2 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/.env.sample b/.env.sample
index 2409bbd..c0529b5 100644
--- a/.env.sample
+++ b/.env.sample
@@ -13,7 +13,7 @@ LETS_ENCRYPT_ENV=production
 SECRET_MINIO_ROOT_PASSWORD_VERSION=v1
 SECRET_COLLABORATION_SERVER_SECRET_VERSION=v1
 SECRET_POSTGRES_PASSWORD_VERSION=v1
-SECRET_AWS_S3_SECRET_KEY_VERSION=v1
+SECRET_AWS_S3_SECRET_ACCESS_KEY_VERSION=v1
 SECRET_OIDC_RP_CLIENT_SECRET_VERSION=v1
 SECRET_DJANGO_SECRET_KEY_VERSION=v1
 SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION=v1
@@ -35,18 +35,23 @@ DJANGO_EMAIL_PORT=1025
 # SINGLE SIGN ON
 ##############################################################################
 # NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README
-OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/certs
-OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/auth
-OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/token
-OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/userinfo
-OIDC_RP_CLIENT_ID=impress
+## Set those according to your needs
+OIDC_RP_CLIENT_ID=docs
+REALM_NAME=
+SSO_DOMAIN=
+
+## These can probably be left as-is
+OIDC_OP_JWKS_ENDPOINT=https://${SSO_DOMAIN}/realms/${REALM_NAME}/protocol/openid-connect/certs
+OIDC_OP_AUTHORIZATION_ENDPOINT=https://${SSO_DOMAIN}/realms/${REALM_NAME}/protocol/openid-connect/auth
+OIDC_OP_TOKEN_ENDPOINT=https://${SSO_DOMAIN}/realms/${REALM_NAME}/protocol/openid-connect/token
+OIDC_OP_USER_ENDPOINT=https://${SSO_DOMAIN}/realms/${REALM_NAME}/protocol/openid-connect/userinfo
 OIDC_RP_SIGN_ALGO=RS256
 OIDC_RP_SCOPES="openid email"
 LOGIN_REDIRECT_URL=https://${DOMAIN}
 LOGIN_REDIRECT_URL_FAILURE=https://${DOMAIN}
 LOGOUT_REDIRECT_URL=https://${DOMAIN}
-OIDC_REDIRECT_ALLOWED_HOSTS='["https://auth.${DOMAIN}", "https://${DOMAIN}"]'
-OIDC_AUTH_REQUEST_EXTRA_PARAMS="{'acr_values'='eidas1'}"
+OIDC_REDIRECT_ALLOWED_HOSTS='["https://id.docs.coop", "https://${DOMAIN}"]'
+#OIDC_AUTH_REQUEST_EXTRA_PARAMS="{'acr_values'='eidas1'}"
 
 ##############################################################################
 # LOGGING
diff --git a/compose.yml b/compose.yml
index e8304f3..d06861d 100644
--- a/compose.yml
+++ b/compose.yml
@@ -21,7 +21,8 @@ x-common-env: &common-env
   DJANGO_EMAIL_LOGO_IMG:
   DJANGO_EMAIL_PORT:
   DJANGO_EMAIL_HOST_USER:
-  DJANGO_EMAIL_HOST_PASSWORD_FILE: /run/secrets/django_email_host_password
+  DJANGO_EMAIL_HOST_PASSWORD_FILE:
+    # /run/secrets/django_email_host_password
   # Backend url
   IMPRESS_BASE_URL: "https://${DOMAIN}"
   # Media
@@ -100,11 +101,11 @@ services:
     secrets:
       - collaboration_server_secret
       - postgres_password
-      - aws_s3_secret_key
+      - aws_s3_secret_access_key
       - oidc_rp_client_secret
       - django_secret_key
       - django_superuser_password
-      - django_email_host_password
+      #- django_email_host_password
     healthcheck:
       test: ["CMD", "python", "manage.py", "check"]
       interval: 15s
@@ -123,10 +124,10 @@ services:
       - collaboration_server_secret
       - django_superuser_password
       - postgres_password
-      - aws_s3_secret_key
+      - aws_s3_secret_access_key
       - oidc_rp_client_secret
       - django_secret_key
-      - django_email_host_password
+      #- django_email_host_password
       
   y-provider:
     image: lasuite/impress-y-provider:v3.6.0
@@ -151,6 +152,8 @@ services:
       PGDATA: var/lib/postgresql/data/pgdata
     volumes:
       - postgres:/var/lib/postgresql/data/pgdata
+    secrets:
+      - postgres_password
     deploy:
       labels:
         backupbot.backup: "${ENABLE_BACKUPS:-true}"
@@ -169,7 +172,7 @@ services:
 
   minio-bootstrap:
     # NOTE: Not started by default, only run with a manual `abra app restart` / `docker service scale`
-    image: minio/mc:RELEASE.2025-09-07T16-13-09Z
+    image: minio/mc:RELEASE.2025-08-13T08-35-41Z
     environment: 
       - MINIO_ROOT_USER=minio
       - MINIO_ROOT_PASSWORD_FILE=/run/secrets/minio_root_password
@@ -184,7 +187,7 @@ services:
         condition: none
 
   minio:
-    image: minio/minio:RELEASE.RELEASE.2025-09-07T16-13-09Z
+    image: minio/minio:RELEASE.2025-09-07T16-13-09Z
     environment:
       - MINIO_ROOT_USER=minio
       - MINIO_ROOT_PASSWORD_FILE=/run/secrets/minio_root_password
@@ -272,8 +275,8 @@ secrets:
   postgres_password:
     name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
     external: true 
-  aws_s3_secret_key:
-    name: ${STACK_NAME}_aws_s3_secret_key_${SECRET_AWS_S3_SECRET_KEY_VERSION}
+  aws_s3_secret_access_key:
+    name: ${STACK_NAME}_aws_s3_secret_access_key_${SECRET_AWS_S3_SECRET_ACCESS_KEY_VERSION}
     external: true 
   oidc_rp_client_secret:
     name: ${STACK_NAME}_oidc_rp_client_secret_${SECRET_OIDC_RP_CLIENT_SECRET_VERSION}
@@ -284,6 +287,6 @@ secrets:
   django_superuser_password:
     name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION}
     external: true 
-  django_email_host_password:
-    name: ${STACK_NAME}_django_email_host_passsword_${SECRET_DJANGO_EMAIL_HOST_PASSWORD_VERSION}
-    external: true 
+#  django_email_host_password:
+#    name: ${STACK_NAME}_django_email_host_passsword_${SECRET_DJANGO_EMAIL_HOST_PASSWORD_VERSION}
+#    external: true