chore: publish 1.0.1+v4.7.0 release

Reviewed-on: #3

.drone.yml

@@ -6,17 +6,55 @@ steps:
     image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
-      stack: example_com  # UPDATE ME
+      stack: liberaforms
       generate_secrets: true
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
       networks:
         - proxy
+        - internal
+      compose: "compose.yml"
     environment:
-      DOMAIN: example.swarm-test.autonomic.zone # UPDATE ME
-      STACK_NAME: example_com  # UPDATE ME
+      DOMAIN: liberaforms.swarm-test.autonomic.zone
+      STACK_NAME: liberaforms
       LETS_ENCRYPT_ENV: production
+      ENABLE_LDAP: False
+      FLASK_DEBUG: False
+      FLASK_CONFIG: production
+      DB_HOST: db
+      DB_USER: liberaforms
+      DB_PASSWORD_FILE: /run/secrets/db_password
+      DB_NAME: liberaforms
+      BASE_URL: https://${DOMAIN}
+      ROOT_USER: ${ADMIN_USER}
+      TMP_DIR: /tmp
+      SECRET_KEY_FILE: /run/secrets/secret_key
+      CRYPTO_KEY_FILE: /run/secrets/crypto_key
+      SESSION_TYPE: filesystem
+      LOG_LEVEL: INFO
+      LOG_DIR: /app/logs
+      GUNICORN_WORKERS: ${GUNICORN_WORKERS:-3}
+      SECRET_SECRET_KEY_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_CRYPTO_KEY_VERSION: v1
+      ENTRYPOINT_VERSION: v2
+      NGINX_CONFIG_VERSION: v1
+      PG_BACKUP_VERSION: v1
+      TYPE: liberaforms
+      ADMIN_USER: you@example.com
+      DEFAULT_LANGUAGE: en
+      E2EE_MODE: ENABLED_BY_DEFAULT
+      TOKEN_EXPIRATION: 604800
+      DEFAULT_TIMEZONE: America/New_York
+      ENABLE_RSS_FEED: True
+      ENABLE_PROMETHEUS_METRICS: False
+      ENABLE_UPLOADS: True
+      ENABLE_REMOTE_STORAGE: False
+      TOTAL_UPLOADS_LIMIT: 1 GB
+      DEFAULT_USER_UPLOADS_LIMIT: 50 MB
+      MAX_MEDIA_SIZE: 512000
+      MAX_ATTACHMENT_SIZE: 1572864
 trigger:
   branch:
     - main
@@ -32,7 +70,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,42 +1,38 @@
 TYPE=liberaforms
-
 DOMAIN=liberaforms.example.com
-
 LETS_ENCRYPT_ENV=production
 
-SECRET_SECRET_KEY_VERSION = v1
-SECRET_DB_PASSWORD_VERSION = v1
-SECRET_CRYPTO_KEY_VERSION= v1
-
-ADMIN_USER = 'you@example.com'
-DEFAULT_LANGUAGE = 'en' # Options: en, eu, es, ca, cs, de, fr, gl, ru, ta
-E2EE_MODE=ENABLED_BY_DEFAULT # Options: AVAILABLE, DISABLED, REQUIRED, ENABLED_BY_DEFAULT
-TOKEN_EXPIRATION = 604800 # Maximum valid age (in seconds) for password resets, invitations, etc.
+# Secrets
+SECRET_SECRET_KEY_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
+CRYPTO_KEY_VERSION=v1 # This secret is managed in the entrypoint, not as a docker secret
 
+# Administration
+ADMIN_USER='you@example.com'
+DEFAULT_LANGUAGE='en'
 DEFAULT_TIMEZONE="America/New_York"
 ENABLE_RSS_FEED=True
 
-ENABLE_PROMETHEUS_METRICS=False
-#GUNICORN_WORKERS= # Advanced option based on the specs of your server, defaults to 3
-
-#ALERT_MAILS = ["your_email_address", "another_email_address"] # Optional. Recieve Internal Server 500 errors. Good for debugging.
-
-###############
-### Uploads ###
-###############
+# Security
+E2EE_MODE=ENABLED_BY_DEFAULT
+TOKEN_EXPIRATION=604800  # 7 days in seconds
 
+# File Uploads
 ENABLE_UPLOADS=True
-ENABLE_REMOTE_STORAGE=False
-TOTAL_UPLOADS_LIMIT="1 GB" # site-wide limit
+TOTAL_UPLOADS_LIMIT="1 GB"
 DEFAULT_USER_UPLOADS_LIMIT="50 MB"
-MAX_MEDIA_SIZE=512000 # In Bytes
-MAX_ATTACHMENT_SIZE=1572864 # In Bytes
+MAX_MEDIA_SIZE=512000      # 500 KB
+MAX_ATTACHMENT_SIZE=1572864  # 1.5 MB
 
-###############
-#### LDAP #####
-###############
+# Performance and Monitoring
+ENABLE_PROMETHEUS_METRICS=False
+#GUNICORN_WORKERS=        # Default: 3 
 
-#LDAP_SERVER: ldap://localhost
+# Email notifications
+#ALERT_MAILS=["your_email_address", "another_email_address"]
+
+# LDAP
+#LDAP_SERVER=ldap://localhost
 #LDAP_BIND_ACCOUNT="cn=nobody,dc=example,dc=com"
 #LDAP_USER_DN_LIST=["uid=%uid,ou=users,o=company,dc=example,dc=com"]
 #LDAP_SEARCH_BASE_DN="o=company,dc=example,dc=com"

README.md

@@ -4,22 +4,32 @@
 
 <!-- metadata -->
 
-* **Category**: Apps
-* **Status**: wip
-* **Image**: [`liberaforms`](https://fung.uy/mycosystems/-/packages/container/liberaforms/), 1
-* **Healthcheck**: Yes
-* **Backups**: No
-* **Email**: 1
-* **Tests**: No
-* **SSO**: 3
+- **Category**: Apps
+- **Status**: 2
+- **Image**: [`liberaforms`](https://fung.uy/mycosystems/-/packages/container/liberaforms/), 1
+- **Healthcheck**: Yes
+- **Backups**: Yes
+- **Email**: 1
+- **Tests**: Yes
+- **SSO**: 3
 
 <!-- endmetadata -->
 
 ## Quick start
 
-* `abra app new liberaforms --secrets`
-* `abra app config <domain-name>`
-* `abra app deploy <domain-name>`
-* Create tables `abra app cmd <domain-name> app setup_db` more info in [liberaforms docs](https://gitlab.com/liberaforms/liberaforms/-/blob/main/docs/docker.md?ref_type=heads#create-the-database)
+- `abra app new liberaforms --secrets`
+- Set an admin email address 
+    - `abra app config <domain-name>`
+- Deploy 
+    > note, the deployment will need to be interuppted to run **Create tables**
+    - `abra app deploy <domain-name>`
+    - *Note: The deploy may hang, if so, perform the next step in another terminal and wait for the deploy to complete.*
+- Create tables 
+    - `abra app cmd <domain-name> app setup_db` 
+> more info in [liberaforms docs](https://codeberg.org/LiberaForms/server/src/branch/main/docs/docker.md#create-the-database)
+
+## Admin account setup
+
+Once liberaforms is deployed, go to the login screen by clicking the text in the top right. Next, click "forgot password" now you can fill in the email you set as your admin email and you will be prompted to set a password.
 
 For more, see [`docs.liberaforms.org`](https://docs.liberaforms.org/).

abra.sh

@@ -1,7 +1,8 @@
 #!/bin/bash
 
 export ENTRYPOINT_VERSION=v2
-export NGINX_CONFIG_VERSION=v1
+export NGINX_CONFIG_VERSION=v2
+export PG_BACKUP_VERSION=v1
 
 file_env() {
     local var="$1"
@@ -39,4 +40,4 @@ setup_db() {
     fi
 
     echo "Database setup complete. <3"
-}
+}

compose.yml

@@ -4,42 +4,19 @@ version: "3.8"
 services:
 
   app:
-    image: nginx:stable
-    networks:
-      - internal
-      - proxy
-    volumes:
-      - uploads:/liberaforms/uploads:ro
-      - static:/liberaforms/static:ro
-    configs:
-      - source: nginx_conf
-        mode: 555
-        target: /etc/nginx/conf.d/default.conf
-    deploy:
-      restart_policy:
-        condition: on-failure
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=wip"
-    healthcheck:
-      test: [ "CMD", "curl", "-f", "http://localhost" ]
-      interval: 30s
-      timeout: 10s
-      retries: 10
-      start_period: 1m
-
-  forms:
-    image: fung.uy/mycosystems/liberaforms:v4.0.0
+    image: fung.uy/mycosystems/liberaforms:v4.7.0
     configs:
       - source: entrypoint
         mode: 555
         target: /custom-entrypoint.sh
     entrypoint: /custom-entrypoint.sh
     command: "/usr/bin/supervisord -n"
+    healthcheck:
+      test: ["CMD", "python", "-c", "import requests; print(requests.get('http://localhost:5000/').status_code)"]
+      timeout: 45s
+      interval: 10s
+      retries: 10
+      start_period: 1m
     environment:
       - ENABLE_LDAP=False
       - FLASK_DEBUG=False
@@ -49,10 +26,10 @@ services:
       - DB_PASSWORD_FILE=/run/secrets/db_password
       - DB_NAME=liberaforms
       - BASE_URL=https://${DOMAIN}
+      - SERVER_NAME=${DOMAIN}
       - ROOT_USER=${ADMIN_USER}
       - TMP_DIR=/tmp
       - SECRET_KEY_FILE=/run/secrets/secret_key
-      - CRYPTO_KEY_FILE=/run/secrets/crypto_key
       - SESSION_TYPE=filesystem
       - LOG_LEVEL=INFO
       - LOG_DIR=/app/logs
@@ -64,7 +41,7 @@ services:
       - ENABLE_UPLOADS
       - TOTAL_UPLOADS_LIMIT
       - DEFAULT_USER_UPLOADS_LIMIT
-      - ENABLE_REMOTE_STORAGE
+      - ENABLE_REMOTE_STORAGE=False
       - MAX_MEDIA_SIZE
       - MAX_ATTACHMENT_SIZE
       - ENABLE_PROMETHEUS_METRICS
@@ -79,19 +56,63 @@ services:
       - LDAP_MAIL_ATTRIB
       - LDAP_RECOVER_PASSWD_URL
       - E2EE_MODE
+      - CRYPTO_KEY_VERSION
+    deploy:
+      labels:
+        - "coop-cloud.${STACK_NAME}.version=1.0.1+v4.7.0"
+        - "backupbot.backup=true"
+        - "backupbot.backup.volumes.uploads=true"
+        - "backupbot.backup.volumes.log=false"
+        - "backupbot.backup.volumes.static=false"
     volumes:
       - uploads:/app/uploads
       - log:/app/logs
       - static:/app/liberaforms/static
+      - cryptokey:/cryptokey
     secrets:
       - db_password
       - secret_key
-      - crypto_key
+    networks:
+      internal:
+        aliases:
+          - "${STACK_NAME}-app"
+
+  proxy:
+    image: nginx:stable
     networks:
       - internal
+      - proxy
+    volumes:
+      - uploads:/liberaforms/uploads:ro
+      - static:/liberaforms/static:ro
+    environment:
+      - STACK_NAME
+    configs:
+      - source: nginx_conf
+        mode: 555
+        target: /etc/nginx/conf.d/default.conf
+    deploy:
+      restart_policy:
+        condition: on-failure
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+    healthcheck:
+      test: [ "CMD", "curl", "-f", "http://localhost" ]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
 
   db:
     image: postgres:17
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
     healthcheck:
       test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "liberaforms" ]
       timeout: 45s
@@ -101,6 +122,11 @@ services:
       POSTGRES_USER: liberaforms
       POSTGRES_DB: liberaforms
       POSTGRES_PASSWORD_FILE: /run/secrets/db_password
+    deploy:
+      labels:
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.db.path: "backup.sql"
+        backupbot.restore.post-hook: "/pg_backup.sh restore"
     volumes:
       - db:/var/lib/postgresql/data
     secrets:
@@ -115,15 +141,13 @@ secrets:
   secret_key:
     external: true
     name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  crypto_key:
-    external: true
-    name: ${STACK_NAME}_crypto_key_${SECRET_CRYPTO_KEY_VERSION}
 
 volumes:
   uploads:
   static:
   log:
   db:
+  cryptokey:
 
 
 networks:
@@ -139,3 +163,7 @@ configs:
   nginx_conf:
     name: ${STACK_NAME}_nginx_conf_${NGINX_CONFIG_VERSION}
     file: nginx.conf
+    template_driver: golang
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh

entrypoint.sh.tmpl

@@ -25,8 +25,12 @@ file_env() {
 }
 
 file_env "DB_PASSWORD"
-file_env "CRYPTO_KEY"
 file_env "SECRET_KEY"
 file_env "LDAP_BIND_PASSWORD"
 
+if [ ! -f "/cryptokey/$CRYPTO_KEY_VERSION" ]; then
+   flask cryptokey create > /cryptokey/$CRYPTO_KEY_VERSION
+fi
+export CRYPTO_KEY=`cat /cryptokey/$CRYPTO_KEY_VERSION`
+
 /usr/bin/supervisord -n

nginx.conf

@@ -2,12 +2,16 @@ server {
     listen         80;
     server_name    localhost;
     
+    resolver 127.0.0.11 valid=10s;
+
     client_max_body_size 2m;
     
     add_header Referrer-Policy "origin-when-cross-origin";
     add_header X-Content-Type-Options nosniff;
 
     location / {
+        set $upstream_app http://{{ env "STACK_NAME" }}-app:5000;
+        
         location /static/ {
             alias  /liberaforms/static/;
         }
@@ -23,7 +27,7 @@ server {
         location /metrics {
             return 404;
         }
-        proxy_pass          http://forms:5000;
+        proxy_pass          $upstream_app;
         proxy_set_header    Host    $host;
         proxy_set_header    X-Forwarded-For $remote_addr;
         proxy_set_header    X-Real-IP   $remote_addr;

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

release/0.1.1+4.0.0

@@ -0,0 +1 @@
+add ci testing and activate drone ci pipeline

release/0.4.2+4.0.0

@@ -0,0 +1 @@
+This release adds a proper healthcheck to the Liberaforms service and Backupbot labels for liberaforms uploads and Postgres.

release/0.4.3+4.0.0

@@ -0,0 +1 @@
+minor patch, no breaking changes expected.

release/0.4.3+4.5.1

@@ -0,0 +1 @@
+bump liberaforms container to 4.5.1

release/0.4.3+4.6.1

@@ -0,0 +1 @@
+bump liberaforms container to 4.6.1

release/0.5.0+4.6.1

@@ -0,0 +1 @@
+add key generation steps to support file uploads in forms.

release/1.0.0+v4.7.0

@@ -0,0 +1 @@
+Some release testing has been conducted but this latest version changes the compose layout, please take a backup before proceeding.

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}