Add renovate.json

Reviewed-on: #2
Issue: #1

.env.sample

@@ -7,7 +7,7 @@ LETS_ENCRYPT_ENV=production
 #==============================================================================
 SECRET_SECRET_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
-SECRET_CRYPTO_KEY_VERSION=v1
+CRYPTO_KEY_VERSION=v1 # This secret is managed in the entrypoint, not as a docker secret
 
 #==============================================================================
 # ADMINISTRATION

README.md

@@ -19,14 +19,14 @@
 
 - `abra app new liberaforms`
 - Generate secrets 
-    - `abra app secret g <domain-name> secret_key v1`
-    - `abra app secret g <domain-name> db_password v1`
-- Set an admin email address `abra app config <domain-name>`
-- `abra app deploy <domain-name>`
-- Create tables `abra app cmd <domain-name> forms setup_db` more info in [liberaforms docs](https://codeberg.org/LiberaForms/server/src/branch/main/docs/docker.md#create-the-database)
-- Generate keypair used to sign form entries/uploads `abra app cmd <domain-name> forms gen_key`
-- Insert the key `abra app secret i forms.fung.uy crypto_key v1 <key>`
-- Re-deploy
+    - `abra app secret g <domain-name> --all`
+- Set an admin email address 
+    - `abra app config <domain-name>`
+- Deploy
+    - `abra app deploy <domain-name>`
+- Create tables 
+    - `abra app cmd <domain-name> forms setup_db` 
+> more info in [liberaforms docs](https://codeberg.org/LiberaForms/server/src/branch/main/docs/docker.md#create-the-database)
 
 ## Admin account setup
 

abra.sh

@@ -40,13 +40,4 @@ setup_db() {
     fi
 
     echo "Database setup complete. <3"
-}
-
-gen_key() {
-    file_env "DB_PASSWORD"
-    file_env "CRYPTO_KEY"
-    file_env "SECRET_KEY"
-    file_env "LDAP_BIND_PASSWORD"
-
-    flask cryptokey create
 }

compose.yml

@@ -24,7 +24,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=wip"
+        - "coop-cloud.${STACK_NAME}.version=0.6.0+4.6.1"
     healthcheck:
       test: [ "CMD", "curl", "-f", "http://localhost" ]
       interval: 30s
@@ -59,7 +59,6 @@ services:
       - ROOT_USER=${ADMIN_USER}
       - TMP_DIR=/tmp
       - SECRET_KEY_FILE=/run/secrets/secret_key
-      - CRYPTO_KEY_FILE=/run/secrets/crypto_key
       - SESSION_TYPE=filesystem
       - LOG_LEVEL=INFO
       - LOG_DIR=/app/logs
@@ -86,6 +85,7 @@ services:
       - LDAP_MAIL_ATTRIB
       - LDAP_RECOVER_PASSWD_URL
       - E2EE_MODE
+      - CRYPTO_KEY_VERSION
     deploy:
       labels:
         backupbot.backup: "true"
@@ -96,10 +96,10 @@ services:
       - uploads:/app/uploads
       - log:/app/logs
       - static:/app/liberaforms/static
+      - cryptokey:/cryptokey
     secrets:
       - db_password
       - secret_key
-      - crypto_key
     networks:
       - internal
 
@@ -137,15 +137,13 @@ secrets:
   secret_key:
     external: true
     name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  crypto_key:
-    external: true
-    name: ${STACK_NAME}_crypto_key_${SECRET_CRYPTO_KEY_VERSION}
 
 volumes:
   uploads:
   static:
   log:
   db:
+  cryptokey:
 
 
 networks:
@@ -163,4 +161,4 @@ configs:
     file: nginx.conf
   pg_backup:
     name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
-    file: pg_backup.sh
+    file: pg_backup.sh

entrypoint.sh.tmpl

@@ -25,8 +25,12 @@ file_env() {
 }
 
 file_env "DB_PASSWORD"
-file_env "CRYPTO_KEY"
 file_env "SECRET_KEY"
 file_env "LDAP_BIND_PASSWORD"
 
+if [ ! -f "/cryptokey/$CRYPTO_KEY_VERSION" ]; then
+   flask cryptokey create > /cryptokey/$CRYPTO_KEY_VERSION
+fi
+export CRYPTO_KEY=`cat /cryptokey/$CRYPTO_KEY_VERSION`
+
 /usr/bin/supervisord -n

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}