add redis password and increase version. does not work yet

.drone.yml

@@ -22,7 +22,6 @@ steps:
       SECRET_SECRET_COOKIE_TOKEN_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_SMTP_PASSWORD_VERSION: v1
-      SECRET_OAUTH_APP_SECRET_VERSION: v1
 trigger:
   branch:
     - main

.env.sample

@@ -41,6 +41,7 @@ USE_RACK_ATTACK=1
 SECRET_DEVISE_SECRET_VERSION=v1 #length=64
 SECRET_SECRET_COOKIE_TOKEN_VERSION=v1 #length=64
 SECRET_DB_PASSWORD_VERSION=v1
+SECRET_REDIS_PASSWORD_VERSION=v1
 
 # Send catch up email (missed yesterday) weekly
 # EMAIL_CATCH_UP_WEEKLY=1
@@ -90,17 +91,3 @@ SECRET_DB_PASSWORD_VERSION=v1
 # THEME_ACCENT_COLOR=rgb(0,188,212)
 # THEME_TEXT_ON_PRIMARY_COLOR=rgb(255,255,255)
 # THEME_TEXT_ON_ACCENT_COLOR=rgb(255,255,255)
-
-# env variables needed to enable OAuth2 authentication  
-# COMPOSE_FILE="$COMPOSE_FILE:compose.oauth.yml"
-# OAUTH_ENABLED=1
-# OAUTH_AUTH_URL=
-# OAUTH_TOKEN_URL=
-# OAUTH_PROFILE_URL=
-# OAUTH_SCOPE=
-# OAUTH_APP_KEY=
-# OAUTH_ATTR_UID=
-# OAUTH_ATTR_NAME=
-# OAUTH_ATTR_EMAIL=
-# OAUTH_LOGIN_PROVIDER_NAME=
-# SECRET_OAUTH_APP_SECRET_VERSION=v1

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -1,16 +0,0 @@
----
-name: "Loomio pull request template"
-about: "Loomio pull request template"
----
-
-<!-- 
-Thank you for doing recipe maintenance work!
-Please mark all checklist items which are relevant for your changes.
-Please remove the checklist items which are not relevant for your changes.
-Feel free to remove this comment.
--->
-
-* [ ] I have deployed and tested my changes
-* [ ] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
-* [ ] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
-* [ ] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)

MAINTENANCE.md

@@ -1,32 +0,0 @@
-# Loomio Recipe Maintenance
-
-All contributions should be made via a pull request. This is to ensure a
-certain quality and consistency, that others can rely on.
-
-## Maintainer Responsibilities
-
-A recipe maintainer has the following responsibilities:
-
-- Respond to pull requests / issues within a week
-- Make image security updates within a day
-- Make image patch / minor updates within a week
-- Make image major updates within a month
-
-In order to fullfill these responsibilities a recipe maintainer:
-
-- Has to watch the repository (to get notifications)
-- Needs to make sure renovate is configured properly
-
-## Pull Requests
-
-A pull request can be merged if it is approved by at least one maintainer. For
-pull requests opened by a maintainer they need to be approved by another
-maintainer. Even though it is okay to merge a pull request with one approval, it
-is always better if all maintainers looked at the pull request and approved it.
-
-## Become a maintainer
-
-Everyone can apply to be a recipe maintainer:
-1. Watch the repository to always get updates
-2. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.
-3. Once the pull request gets merged you will be added to the [loomio maintainers team](https://git.coopcloud.tech/org/coop-cloud/teams/loomio-maintainers).

README.md

@@ -3,7 +3,6 @@
 "Loomio is a collaborative decision-making tool that makes it easy for anyone to participate in decisions which affect them. To find out more, visit Loomio.org."
 
 <!-- metadata -->
-* **Maintainer**: [@jmakdah2](https://git.coopcloud.tech/jmakdah2)[@moosemower](https://git.coopcloud.tech/moosemower)
 * **Category**: Apps
 * **Status**: 3, work-in-progress
 * **Image**: [`loomio/*`](https://hub.docker.com/r/loomio), 4, upstream
@@ -22,23 +21,8 @@
 * `abra app deploy <app-name>`
 * Open the configured domain in your browser to create your user account (only works in case mail is configured correctly)
 * Give yourself admin rights by running `abra app cmd <app-name> app make_last_user_admin`
-* Deploy [swarm-cronjob](https://recipes.coopcloud.tech/swarm-cronjob) on your server if it is not running yet. This is needed for loomios cron container to be started to do hourly chores.
 
-## Migration guide
-
-### Upgrading to 4.0.0+v2.25.3 and later
-
-* Before upgrading to `4.0.0+v2.25.3` and later, one successful deployment of `3.0.0+v2.25.3` shall be performed. Doing both at the same time will lead to complications as 3.0.0 runs rails DB migrations and 4.0.0 upgrades the postgres DB version.
-
-### Broken releases
-
-Please do not use these releases, as they are having issues regarding database migrations:
-
-* 1.0.0+v2.25.2
-* 2.0.0+v2.25.3
-* 2.1.0+v2.25.3
-
-### Manual migration steps when upgrading from 0.6.0+v2.25.2 and earlier to 1.0.0+v2.25.2 and later
+## Manuel migration steps when upgrading from 0.6.0+v2.25.2 and earlier to 1.0.0+v2.25.2 and later
 
 * adapt your env file with the new vars, especially SECRET_DB_PASSWORD_VERSION=v1 and SECRET_SMTP_PASSWORD_VERSION=v1
 * insert your smtp password with `abra app secret insert <app-name> smtp_password v1 "<your-password>"`

abra.sh

@@ -1,4 +1,5 @@
-export LOOMIO_ENTRYPOINT_VERSION=v8
+export LOOMIO_ENTRYPOINT_VERSION=v5
+export REDIS_ENTRYPOINT_VERSION=v1
 
 # cannot be integrated into entrypoint.sh as it requires the operator to create a user first
 function make_last_user_admin()
@@ -13,4 +14,4 @@ function set_new_db_password()
     echo "setting new password for db user..."
 	psql -U $POSTGRES_USER -c "ALTER USER $POSTGRES_USER PASSWORD '$(cat /run/secrets/db_password)';"
     echo "done"
-}
+}

compose.oauth.yml

@@ -1,31 +0,0 @@
-version: "3.8"
-
-x-oauth-env: &oauth-env
-  OAUTH_AUTH_URL:
-  OAUTH_TOKEN_URL:
-  OAUTH_PROFILE_URL:
-  OAUTH_SCOPE:
-  OAUTH_APP_KEY:
-  OAUTH_APP_SECRET_FILE: /run/secrets/oauth_app_secret
-  OAUTH_ATTR_UID:
-  OAUTH_ATTR_NAME:
-  OAUTH_ATTR_EMAIL:
-  OAUTH_LOGIN_PROVIDER_NAME:
-  OAUTH_ENABLED: 
-
-services:
-  app:
-    environment: 
-      *oauth-env
-    secrets:
-      - oauth_app_secret
-  worker:
-    environment: 
-      *oauth-env
-    secrets:
-      - oauth_app_secret
-
-secrets:
-  oauth_app_secret:
-    name: ${STACK_NAME}_oauth_app_secret_${SECRET_OAUTH_APP_SECRET_VERSION}
-    external: true

compose.yml

@@ -7,10 +7,12 @@ x-db-env: &db-env
     POSTGRES_USER: postgres
 
 x-redis-env: &redis-env
-  REDIS_URL: redis://redis:6379
+  REDIS_PASSWORD_FILE: /run/secrets/redis_password
+  REDIS_URL: redis://:{REDIS_PASSWORD}@redis:6379
 
 x-environment: &default-env
-  <<: [*db-env, *redis-env]
+  <<: *db-env
+  <<: *redis-env
   CANONICAL_HOST: ${DOMAIN}
   VIRTUAL_HOST: ${DOMAIN}
   CHANNELS_URI: wss://channels.${DOMAIN}
@@ -32,7 +34,7 @@ x-environment: &default-env
 
 services:
   app:
-    image: loomio/loomio:v3.0.20
+    image: loomio/loomio:v2.25.3
     configs:
       - source: entrypoint
         target: /entrypoint.sh
@@ -42,6 +44,7 @@ services:
       - devise_secret
       - secret_cookie_token
       - db_password
+      - redis_password
     volumes:
       - loomio_uploads:/loomio/public/system
       - loomio_storage:/loomio/storage
@@ -70,16 +73,10 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=5.2.0+v3.0.20"
+        - "coop-cloud.${STACK_NAME}.version=2.0.0+v2.25.3"
         - "backupbot.backup:=${ENABLE_BACKUPS:-true}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}"
-        - "traefik.http.middlewares.${STACK_NAME}.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-        - "traefik.http.middlewares.${STACK_NAME}.headers.accesscontrolallowheaders=*"
-        - "traefik.http.middlewares.${STACK_NAME}.headers.accessControlAllowOriginList=https://*.${DOMAIN}"
-        - "traefik.http.middlewares.${STACK_NAME}.headers.accesscontrolmaxage=100"
-        - "traefik.http.middlewares.${STACK_NAME}.headers.addvaryheader=true"
   worker:
-    image: loomio/loomio:v3.0.0
+    image: loomio/loomio:v2.25.3
     configs:
       - source: entrypoint
         target: /entrypoint.sh
@@ -89,6 +86,7 @@ services:
       - devise_secret
       - secret_cookie_token
       - db_password
+      - redis_password
     networks:
       - backend
     environment:
@@ -102,7 +100,6 @@ services:
       - loomio_files:/loomio/public/files
       - loomio_plugins:/loomio/plugins/docker
   db:
-    # loomio version upgrades and postgres version upgrade should not be performed at the same time.
     image: pgautoupgrade/pgautoupgrade:17-debian
     networks:
       - backend
@@ -122,11 +119,19 @@ services:
         backupbot.restore: "true"
         backupbot.restore.post-hook: sh -c 'gzip -d /postgres.dump.gz && pg_restore --clean -U "$$POSTGRES_USER" --dbname="$$POSTGRES_DB" < /postgres.dump && rm -f /postgres.dump'
   redis:
-    image: redis:8.0
+    image: redis:7.4
     networks:
       - backend
+    command: /bin/sh -c "redis-server redis.conf --loglevel debug"
     healthcheck:
       test: ["CMD", "redis-cli", "ping"]
+    secrets:
+      - redis_password
+    configs:
+      - source: entrypoint_redis
+        target: /entrypoint.sh
+        mode: 0555
+    entrypoint: /entrypoint.sh
   #mailin:
   #  image: loomio/mailin-docker:latest
   #  networks:
@@ -139,25 +144,14 @@ services:
     image: loomio/loomio_channel_server
     networks:
       - backend
-      - proxy
     depends_on:
       - redis
+    secrets:
+      - redis_password
     environment:
       <<: *redis-env
-      VIRTUAL_HOST: channels.${DOMAIN}
-      APP_URL: ${DOMAIN}
-    deploy:
-      labels:
-        - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
-        - "traefik.http.routers.channels${STACK_NAME}.rule=Host(`channels.${DOMAIN}`)"
-        - "traefik.http.routers.channels${STACK_NAME}.tls=true"
-        - "traefik.http.routers.channels${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.services.channels${STACK_NAME}.loadbalancer.server.port=5000"
-        - "traefik.http.routers.channels${STACK_NAME}.entrypoints=web-secure"
-
   cron:
-    image: loomio/loomio:v3.0.0
+    image: loomio/loomio:v2.25.3
     configs:
       - source: entrypoint
         target: /entrypoint.sh
@@ -168,6 +162,7 @@ services:
       - devise_secret
       - secret_cookie_token
       - db_password
+      - redis_password
     volumes:
       - loomio_uploads:/loomio/public/system
       - loomio_storage:/loomio/storage
@@ -203,6 +198,9 @@ configs:
   entrypoint:
     name: ${STACK_NAME}_entrypoint_${LOOMIO_ENTRYPOINT_VERSION}
     file: entrypoint.sh
+  entrypoint_redis:
+    name: ${STACK_NAME}_entrypoint_redis_${REDIS_ENTRYPOINT_VERSION}
+    file: entrypoint.redis.sh
 
 secrets:
   devise_secret:
@@ -214,3 +212,6 @@ secrets:
   db_password:
     external: true
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  redis_password:
+    external: true
+    name: ${STACK_NAME}_redis_password_${SECRET_REDIS_PASSWORD_VERSION}

entrypoint.redis.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+
+echo "creating redis.conf..."
+echo "requirepass $(cat /run/secrets/redis_password)" > redis.conf
+echo "redis.conf created"

entrypoint.sh

@@ -25,47 +25,22 @@ file_env "DEVISE_SECRET"
 file_env "SECRET_COOKIE_TOKEN"
 file_env "POSTGRES_PASSWORD"
 file_env "SMTP_PASSWORD"
-
-if [ "$OAUTH_ENABLED" = "1" ]; then
-	file_env "OAUTH_APP_SECRET"
-fi  
-
-export DB_HOST="db"
 export DATABASE_URL="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db/${POSTGRES_DB}"
 
 if [ -n "$1" ]; then
 	echo "Running '$1'"
 	$1
 else
+	if [ ! -f /loomio/storage/migrations_ran ] && [ "${TASK:-}" = "worker" ]; then
+		echo "first deploy, running DB setup..."
+		rake db:setup
+		touch /loomio/storage/migrations_ran
+	fi
+
+	echo "running DB migrations..."
+	rake db:migrate
+	echo "DB migrations finished"
 
 	echo "starting loomio!"
-	if [ "$TASK" = "worker" ]; then
-  		bundle exec sidekiq
-	else
-		sudo apt update -y && sudo apt install -y postgresql-client
-		bundle install
-
-		# running this code instaed of db:prepare in docker_start.sh in loomio container
-		# as postgres container creates empty db, somehow db:prepare cannot cope.
-		# therefore we run db:setup or db:migrate individually
-		if PGPASSWORD=$(cat /run/secrets/db_password) psql -U "$POSTGRES_USER" -h "$DB_HOST" -lqt | cut -d \| -f 1 | grep -wq "$POSTGRES_DB"; then
-			echo "database '$POSTGRES_DB' exists."
-
-			# check if the database contains tables
-			TABLE_COUNT=$(PGPASSWORD=$(cat /run/secrets/db_password) psql -U "$POSTGRES_USER" -h "$DB_HOST" -d "$POSTGRES_DB" -t -c "SELECT count(*) FROM information_schema.tables WHERE table_schema = 'public';")
-
-			if [ "$TABLE_COUNT" -eq 0 ]; then
-				echo "Database '$POSTGRES_DB' is empty, running db:setup."
-				bundle exec rake db:setup
-			else
-				echo "database '$POSTGRES_DB' not empty, running migrations."
-				bundle exec rake db:migrate
-			fi
-		else
-			echo "database '$POSTGRES_DB' does not exist, running db:setup."
-			bundle exec rake db:setup
-		fi
-
-		bundle exec puma -C config/puma.rb
-	fi
+	/loomio/docker_start.sh
 fi

release/1.0.0+v2.25.2

@@ -1,14 +1,9 @@
 In this release the passwords for smtp and postgres DB were moved into docker secrets. Therefore a few manual steps need to be performed (also available in recipe documentation)
 
-* adapt your env file with the new vars, especially `SECRET_DB_PASSWORD_VERSION=v1` and `SECRET_SMTP_PASSWORD_VERSION=v1` (remember, you can use `abra app check <app-name>` to check for any missing variables)
-* insert your existing smtp password with `abra app secret insert <app-name> smtp_password v1 "<your-password>"`
-
-Then, choose whether to keep the existing insecure database password (easy):
-* `abra app secret insert <app-name> db_password v1 password`
-
-Or, switch to a new secure password (harder, better):
-* `abra app secret generate <app-name> db_password v1`
-* `abra app deploy <app-name>`
-* set the new password in DB: `abra app cmd <app-name> db set_new_db_password` (NOTE: if you get "FATA loomio doesn't have a set_new_db_password function" here, run `cd ~/.abra/recipes/loomio && git checkout main`, then re-run the `abra app cmd` command with `-C` at the end)
+* adapt your env file with the new vars, especially SECRET_DB_PASSWORD_VERSION=v1 and SECRET_SMTP_PASSWORD_VERSION=v1
+* insert your smtp password with abra app secret insert <app-name> smtp_password v1 "<your-password>"
+* abra app secret generate <app-name> db_password v1
+* abra app deploy <app-name>
+* set the new password in DB: abra app cmd <app-name> db set_new_db_password
 * redeploy
 

release/2.1.0+v2.25.3

@@ -1 +0,0 @@
-DB initialization issues with wrong migration should be fixed now. (But not really sure why)

release/3.0.0+v2.25.3

@@ -1 +0,0 @@
-ATTENTION: do not skip this relase, otherwise it will lead to database migration complications. This release fixes migration issues of 1.x and 2.x releases.

release/4.0.0+v2.25.3

@@ -1 +0,0 @@
-ATTENTION: Perform a deployment of version 3.0.0+v2.25.3 before upgrading to this version. Otherwise there will be complications with database migrations. This version upgrades the used postgres container to version 17 with auto-upgrade functionality. 

release/5.1.0+v3.0.0

@@ -1 +0,0 @@
-Add support for OAuth2. To use this feature copy and populate the new oauth2 env variables from the .env.sample to your locale .env config and insert the oauth2_app_secret secret into your recipe:

release/5.2.0+v3.0.20

@@ -1 +0,0 @@
-upgrade loomio from version 3.0.0 to 3.0.20

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ]
-}