add service dependencies and extend deployment timeout

[ci skip]

.drone.yml

@@ -0,0 +1,44 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: outline
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: outline.swarm-test.autonomic.zone
+      STACK_NAME: outline
+      LETS_ENCRYPT_ENV: production
+      APP_ENTRYPOINT_VERSION: v1
+      DB_ENTRYPOINT_VERSION: v1
+      PG_BACKUP_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_SECRET_KEY_VERSION: v1  # length=64
+      SECRET_UTILS_SECRET_VERSION: v1  # length=64
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,3 +1,5 @@
+# adapted from https://github.com/outline/outline/blob/main/.env.sample
+
 TYPE=outline
 
 DOMAIN=outline.example.com
@@ -6,101 +8,24 @@ DOMAIN=outline.example.com
 #EXTRA_DOMAINS=', `www.outline.example.com`'
 LETS_ENCRYPT_ENV=production
 
+ENABLE_BACKUPS=true
+
+COMPOSE_FILE="compose.yml"
+
 # –––––––––––––––– REQUIRED ––––––––––––––––
 
-# Generate a hex-encoded 32-byte random key. You should use `openssl rand -hex 32`
-# in your terminal to generate a random value.
-SECRET_KEY=generate_a_new_key
-
-# Generate a unique random key. The format is not important but you could still use
-# `openssl rand -hex 32` in your terminal to produce this.
-UTILS_SECRET=generate_a_new_key
-
-# For production point these at your databases, in development the default
-# should work out of the box.
-# Uncomment this to disable SSL for connecting to Postgres
-# PGSSLMODE=disable
-
-# URL should point to the fully qualified, publicly accessible URL. If using a
-# proxy the port in URL and PORT may be different.
-
-# See [documentation](docs/SERVICES.md) on running a separate collaboration
-# server, for normal operation this does not need to be set.
-COLLABORATION_URL=
-
-# To support uploading of images for avatars and document attachments an
-# s3-compatible storage must be provided. AWS S3 is recommended for redundency
-# however if you want to keep all file storage local an alternative such as
-# minio (https://github.com/minio/minio) can be used.
-
-# A more detailed guide on setting up S3 is available here:
-# => https://wiki.generaloutline.com/share/125de1cc-9ff6-424b-8415-0d58c809a40f
-#
-AWS_ACCESS_KEY_ID=get_a_key_from_aws
-AWS_SECRET_ACCESS_KEY=get_the_secret_of_above_key
-AWS_REGION=xx-xxxx-x
-AWS_S3_UPLOAD_BUCKET_URL=http://s3:4569
-AWS_S3_UPLOAD_BUCKET_NAME=bucket_name_here
-AWS_S3_UPLOAD_MAX_SIZE=26214400
-AWS_S3_FORCE_PATH_STYLE=true
-AWS_S3_ACL=private
-
-# –––––––––––––– AUTHENTICATION ––––––––––––––
-
-# Third party signin credentials, at least ONE OF EITHER Google, Slack,
-# or Microsoft is required for a working installation or you'll have no sign-in
-# options.
-
-# To configure Slack auth, you'll need to create an Application at
-# => https://api.slack.com/apps
-#
-# When configuring the Client ID, add a redirect URL under "OAuth & Permissions":
-# https://<URL>/auth/slack.callback
-SLACK_KEY=get_a_key_from_slack
-SLACK_SECRET=get_the_secret_of_above_key
-
-# To configure Google auth, you'll need to create an OAuth Client ID at
-# => https://console.cloud.google.com/apis/credentials
-#
-# When configuring the Client ID, add an Authorized redirect URI:
-# https://<URL>/auth/google.callback
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
-
-# To configure Microsoft/Azure auth, you'll need to create an OAuth Client. See
-# the guide for details on setting up your Azure App:
-# => https://wiki.generaloutline.com/share/dfa77e56-d4d2-4b51-8ff8-84ea6608faa4
-AZURE_CLIENT_ID=
-AZURE_CLIENT_SECRET=
-AZURE_RESOURCE_APP_ID=
-
-# To configure generic OIDC auth, you'll need some kind of identity provider.
-# See documentation for whichever IdP you use to acquire the following info:
-# Redirect URI is https://<URL>/auth/oidc.callback
-OIDC_CLIENT_ID=
-OIDC_CLIENT_SECRET=
-OIDC_AUTH_URI=
-OIDC_TOKEN_URI=
-OIDC_USERINFO_URI=
-
-# Specify which claims to derive user information from
-# Supports any valid JSON path with the JWT payload
-OIDC_USERNAME_CLAIM=preferred_username
-
-# Display name for OIDC authentication
-OIDC_DISPLAY_NAME="OpenID Connect"
-
-# Space separated auth scopes.
-OIDC_SCOPES="openid profile email"
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_SECRET_KEY_VERSION=v1  # length=64
+SECRET_UTILS_SECRET_VERSION=v1  # length=64
 
+# Set to s3 to use AWS S3 bucket
+FILE_STORAGE=local
 
 # –––––––––––––––– OPTIONAL ––––––––––––––––
 
-# If using a Cloudfront/Cloudflare distribution or similar it can be set below.
-# This will cause paths to javascript, stylesheets, and images to be updated to
-# the hostname defined in CDN_URL. In your CDN configuration the origin server
-# should be set to the same as URL.
-CDN_URL=
+TEAM_LOGO=
+
+DEFAULT_LANGUAGE=en_US
 
 # Auto-redirect to https in production. The default is true but you may set to
 # false if you can be sure that SSL is terminated at an external loadbalancer.
@@ -116,7 +41,7 @@ WEB_CONCURRENCY=1
 
 # Override the maxium size of document imports, could be required if you have
 # especially large Word documents with embedded imagery
-MAXIMUM_IMPORT_SIZE=5120000
+FILE_STORAGE_IMPORT_MAX_SIZE=5120000
 
 # You can remove this line if your reverse proxy already logs incoming http
 # requests and this ends up being duplicative
@@ -126,34 +51,46 @@ DEBUG=http
 # set, all domains are allowed by default when using Google OAuth to signin
 ALLOWED_DOMAINS=
 
-# For a complete Slack integration with search and posting to channels the
-# following configs are also needed, some more details
-# => https://wiki.generaloutline.com/share/be25efd1-b3ef-4450-b8e5-c4a4fc11e02a
-#
-SLACK_VERIFICATION_TOKEN=your_token
-SLACK_APP_ID=A0XXXXXXX
-SLACK_MESSAGE_ACTIONS=true
-
-# Optionally enable google analytics to track pageviews in the knowledge base
-GOOGLE_ANALYTICS_ID=
-
-# Optionally enable Sentry (sentry.io) to track errors and performance
-SENTRY_DSN=
-
 # To support sending outgoing transactional emails such as "document updated" or
 # "you've been invited" you'll need to provide authentication for an SMTP server
-SMTP_HOST=
-SMTP_PORT=
-SMTP_USERNAME=
-SMTP_PASSWORD=
-SMTP_FROM_EMAIL=
-SMTP_REPLY_EMAIL=
-SMTP_TLS_CIPHERS=
-SMTP_SECURE=true
+# By default, this enables email login. You can disable this in the settings
+# for configuration details see https://docs.getoutline.com/s/hosting/doc/smtp-cqCJyZGMIB
+#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+#SMTP_ENABLED=1
+#SMTP_HOST=
+#SMTP_PORT=
+#SMTP_USERNAME=
+#SMTP_FROM_EMAIL=
+#SMTP_REPLY_EMAIL=
+#SMTP_TLS_CIPHERS=
+#SMTP_SECURE=true
+#SECRET_SMTP_PASSWORD_VERSION=v1
 
-# Custom logo that displays on the authentication screen, scaled to height: 60px
-# TEAM_LOGO=https://example.com/images/logo.png
+#COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
+#OIDC_ENABLED=1
+#OIDC_CLIENT_ID=
+#OIDC_AUTH_URI=
+#OIDC_TOKEN_URI=
+#OIDC_USERINFO_URI=
+#OIDC_USERNAME_CLAIM=preferred_username
+#OIDC_DISPLAY_NAME="My Cool OpenId Connect Provider"
+#OIDC_SCOPES="openid profile email"
+#SECRET_OIDC_CLIENT_SECRET_VERSION=v1
 
-# The default interface language. See translate.getoutline.com for a list of
-# available language codes and their rough percentage translated.
-DEFAULT_LANGUAGE=en_US
+#COMPOSE_FILE="$COMPOSE_FILE:compose.google.yml"
+#GOOGLE_ENABLED=1
+#GOOGLE_CLIENT_ID=
+#SECRET_GOOGLE_CLIENT_SECRET_VERSION=v1
+
+COMPOSE_FILE="$COMPOSE_FILE:compose.local.yml"
+FILE_STORAGE_UPLOAD_MAX_SIZE=26214400
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.aws.yml"
+#AWS_ACCESS_KEY_ID=
+#AWS_REGION=
+#AWS_S3_UPLOAD_BUCKET_URL=
+#AWS_S3_UPLOAD_BUCKET_NAME=
+#AWS_S3_UPLOAD_MAX_SIZE=26214400
+#AWS_S3_FORCE_PATH_STYLE=true
+#AWS_S3_ACL=private
+#SECRET_AWS_SECRET_KEY_VERSION=v1

README.md

@@ -5,13 +5,13 @@ Wiki and knowledge base for growing teams
 <!-- metadata -->
 
 * **Category**: Apps
-* **Status**:
-* **Image**: [outlinewiki/outline](https://hub.docker.com/r/outlinewiki/outline)
-* **Healthcheck**:
-* **Backups**:
-* **Email**:
-* **Tests**:
-* **SSO**:
+* **Status**: 3, beta
+* **Image**: [outlinewiki/outline](https://hub.docker.com/r/outlinewiki/outline), 4, upstream
+* **Healthcheck**: No
+* **Backups**: Yes
+* **Email**: Yes
+* **Tests**: 2
+* **SSO**: 3 (OAuth)
 
 <!-- endmetadata -->
 
@@ -19,13 +19,64 @@ Wiki and knowledge base for growing teams
 
 1. Set up Docker Swarm and [`abra`]
 2. Deploy [`coop-cloud/traefik`]
-3. `abra app new ${REPO_NAME} --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`)
+3. `abra app new ${REPO_NAME}`
+   - **WARNING**: Choose "n" when `abra` asks if you'd like to generate secrets
 4. `abra app config YOURAPPNAME` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app deploy YOURAPPNAME`
-6. Build the database with `abra app run YOURAPPNAME app yarn db:migrate --env=production-ssl-disabled` 
-7. Open the configured domain in your browser to finish set-up
+5. Insert secrets:
+    - `abra app secret insert YOURAPPNAME secret_key v1 $(openssl rand -hex 32)` #12
+    - `abra app secret generate -a YOURAPPNAME`
+6. `abra app deploy YOURAPPNAME`
+8. Open the configured domain in your browser to finish set-up
 
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
+
+## Tips & Tricks
+
+### Create an initial admin user
+
+```
+abra app cmd YOURAPPNAME app create_email_user test@example.com
+```
+
+### Setting up your `.env` config
+
+Avoid the use of quotes (`"..."`) as much as possible, the NodeJS scripts flip out for some reason on some vars.
+
+### Deleting a user (e.g. to fix SSO weirdness)
+
+`abra app cmd YOURAPPNAME db delete_user <username-to-delete> <username-to-replace>`
+
+Where `<username-to-delete>` is the username of the user to be removed, and
+`<username-to-replace>` is the username of another user, to assign documents and
+revisions to (instead of deleting them).
+
+### Migrate from S3 to local storage
+
+- `abra app config <domain>`, add
+  - `COMPOSE_FILE="$COMPOSE_FILE:compose.local.yml"`
+  - `FILE_STORAGE_UPLOAD_MAX_SIZE=26214400`
+- `abra app deploy <domain> -f`
+  - compose.aws.yml should still be deployed!
+- `abra app undeploy <domain>`
+- on the docker host, find mountpoint of newly created volume via `docker volume ls` and `docker volume inspect`
+  - volume name is smth like `<domain>_storage-data`
+- take note which linux user owns `<storage_mountpoint>` (likely `1001`)
+- use s3cmd/rclone/... to sync your bucket to `<storage_mountpoint>`
+- `chown -R <storage_user>:<storage_user> <storage_mountpoint>`
+- `abra app config <domain>`, switch storage backend
+  - remove `AWS_*` vars, `SECRET_AWS_SECRET_KEY_VERSION` and `COMPOSE_FILE="$COMPOSE_FILE:compose.aws.yml"`
+  - set `FILE_STORAGE=local`
+- `abra app deploy <domain> -f`
+- enjoy getting rid of S3 🥳
+
+## Single Sign On with Keycloak
+
+`abra app config YOURAPPNAME`, then uncomment everything in the `OIDC_` section.
+
+Create a new client in Keycloak:
+
+- **Valid Redirect URIs**: `https://YOURAPPDOMAIN/auth/oidc.callback`
+
+`abra app deploy YOURAPPDOMAIN`

abra.sh

@@ -0,0 +1,100 @@
+export APP_ENTRYPOINT_VERSION=v9
+export DB_ENTRYPOINT_VERSION=v2
+export PG_BACKUP_VERSION=v1
+
+create_email_user() {
+	if [ -z "$1" ]; then
+		echo "Usage: ... create_email_user <email_address>"
+		exit 1
+	fi
+	export DATABASE_PASSWORD=$(cat /run/secrets/db_password)
+	export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_db:5432/outline"
+	export UTILS_SECRET=$(cat /run/secrets/utils_secret)
+	export SECRET_KEY=$(cat /run/secrets/secret_key)
+	node build/server/scripts/seed.js "$1"
+}
+
+migrate() {
+	export DATABASE_PASSWORD=$(cat /run/secrets/db_password)
+	export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_db:5432/outline"
+	yarn db:migrate --env=production-ssl-disabled
+}
+
+generate_secret() {
+    abra app secret insert $DOMAIN secret_key v1 $(openssl rand -hex 32)
+}
+
+delete_user_by_id() {
+	if [ -z "$1" ] || [ -z "$2" ]; then
+		echo "Usage: ... delete_user_by_id <userid-to-delete> <userid-to-replace>"
+		exit 1
+	fi
+
+	USERID_REPLACE="$2"
+	USERID_REMOVE="$1"
+
+	psql -U outline outline <<- SQL
+	UPDATE documents SET "userId" = '$USERID_REPLACE' WHERE "userId" = '$USERID_REMOVE';
+	UPDATE groups SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE pins SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE group_users SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE collections SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE collection_users SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE collection_groups SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE documents SET "lastModifiedById" = '$USERID_REPLACE' WHERE "lastModifiedById" = '$USERID_REMOVE';
+	UPDATE documents SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE revisions SET "userId" = '$USERID_REPLACE' WHERE "userId" = '$USERID_REMOVE';
+	UPDATE attachments SET "userId" = '$USERID_REPLACE' WHERE "userId" = '$USERID_REMOVE';
+	UPDATE backlinks SET "userId" = '$USERID_REPLACE' WHERE "userId" = '$USERID_REMOVE';
+	UPDATE file_operations SET "userId" = '$USERID_REPLACE' WHERE "userId" = '$USERID_REMOVE';
+	UPDATE users SET "suspendedById" = '$USERID_REPLACE' WHERE "suspendedById" = '$USERID_REMOVE';
+	DELETE FROM search_queries WHERE "userId" = '$USERID_REMOVE';
+	DELETE FROM shares WHERE "userId" = '$USERID_REMOVE';
+	DELETE FROM notification_settings WHERE "userId" = '$USERID_REMOVE';
+	DELETE FROM events WHERE "actorId" = '$USERID_REMOVE';
+	DELETE FROM events WHERE "userId" = '$USERID_REMOVE';
+	DELETE FROM users WHERE "id" = '$USERID_REMOVE';
+	SQL
+}
+
+delete_user() {
+	if [ -z "$1" ] || [ -z "$2" ]; then
+		echo "Usage: ... delete_user <userid-to-delete> <userid-to-replace>"
+		exit 1
+	fi
+
+	USERID_REMOVE=$(echo "SELECT id FROM users WHERE username = '$1'" | psql -t -A -U outline outline)
+	USERID_REPLACE=$(echo "SELECT id FROM users WHERE username = '$2'" | psql -t -A -U outline outline)
+
+	if [ -z "$USERID_REMOVE" ]; then
+		echo "Can't find ID of '$1'"
+		exit 1
+	fi
+
+	if [ -z "$USERID_REPLACE" ]; then
+		echo "Can't find ID of '$2'"
+		exit 1
+	fi
+	
+	delete_user_by_id "$USERID_REMOVE" "$USERID_REPLACE"
+}
+
+delete_duplicate_users() {
+	if [ -z "$1" ]; then
+		echo "Usage: ... delete_duplicate_users <username>"
+		exit 1
+	fi
+
+	USERIDS=$(echo "SELECT id FROM users WHERE username = '$1' ORDER BY users.\"createdAt\" DESC" | psql -t -A -U outline outline)
+
+	if [ ! "$(echo "$USERIDS" | wc -l)" -gt 1 ]; then
+		echo "Only one user exists, bailing"
+		exit 1
+	fi
+
+	USERID_NEW=$(echo "$USERIDS" | head -n1)
+
+	for USERID_OLD in $(echo "$USERIDS" | tail -n+2); do
+		delete_user_by_id "$USERID_OLD" "$USERID_NEW"
+	done
+}

alaconnect.yml

@@ -0,0 +1,15 @@
+authentik:
+    env: 
+        OIDC_CLIENT_ID: outline
+        OIDC_AUTH_URI: https://authentik.example.com/application/o/authorize/
+        OIDC_TOKEN_URI: https://authentik.example.com/application/o/token/
+        OIDC_USERINFO_URI: https://authentik.example.com/application/o/userinfo/
+        OIDC_DISPLAY_NAME: "Authentik"
+    uncomment:
+        - compose.oidc.yml
+        - OIDC_ENABLED
+        - OIDC_USERNAME_CLAIM
+        - OIDC_SCOPES
+        - SECRET_OIDC_CLIENT_SECRET_VERSION
+    shared_secrets:
+        outline_secret: oidc_client_secret

compose.aws.yml

@@ -0,0 +1,22 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - aws_secret_key
+    environment:
+      - AWS_ACCESS_KEY_ID
+      - AWS_REGION
+      - AWS_S3_ACL
+      - AWS_S3_FORCE_PATH_STYLE
+      - AWS_S3_UPLOAD_BUCKET_NAME
+      - AWS_S3_UPLOAD_BUCKET_URL
+      - AWS_S3_UPLOAD_MAX_SIZE
+      - AWS_SDK_LOAD_CONFIG=0
+      - AWS_SECRET_KEY_FILE=/run/secrets/aws_secret_key
+
+secrets:
+  aws_secret_key:
+    name: ${STACK_NAME}_aws_secret_key_${SECRET_AWS_SECRET_KEY_VERSION}
+    external: true

compose.google.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - google_client_secret
+    environment:
+      - GOOGLE_CLIENT_ID
+      - GOOGLE_ENABLED
+      - ALLOWED_DOMAINS
+
+secrets:
+  google_client_secret:
+    name: ${STACK_NAME}_google_client_secret_${SECRET_GOOGLE_CLIENT_SECRET_VERSION}
+    external: true

compose.local.yml

@@ -0,0 +1,13 @@
+---
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - storage-data:/var/lib/outline/data
+    environment:
+      - FILE_STORAGE
+      - FILE_STORAGE_UPLOAD_MAX_SIZE
+
+volumes:
+  storage-data:

compose.oidc.yml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - oidc_client_secret
+    environment:
+      - OIDC_AUTH_URI
+      - OIDC_CLIENT_ID
+      - OIDC_DISPLAY_NAME
+      - OIDC_ENABLED
+      - OIDC_SCOPES
+      - OIDC_TOKEN_URI
+      - OIDC_USERINFO_URI
+      - OIDC_USERNAME_CLAIM
+
+secrets:
+  oidc_client_secret:
+    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
+    external: true

compose.smtp.yml

@@ -0,0 +1,18 @@
+version: "3.8"
+services:
+  app:
+    secrets:
+      - smtp_password
+    environment:
+      - SMTP_HOST
+      - SMTP_PORT
+      - SMTP_USERNAME
+      - SMTP_FROM_EMAIL
+      - SMTP_REPLY_EMAIL
+      - SMTP_TLS_CIPHERS
+      - SMTP_SECURE
+
+secrets:
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}

compose.yml

@@ -6,35 +6,27 @@ services:
     networks:
       - backend
       - proxy
-    image: outlinewiki/outline:0.60.3
-    volumes:
-      - outline_data:/opt/outline
+    image: outlinewiki/outline:0.82.0
+    secrets:
+      - db_password
+      - secret_key
+      - utils_secret
+    configs:
+      - source: app_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
     environment:
-      - AWS_ACCESS_KEY_ID
-      - AWS_REGION
-      - AWS_S3_ACL
-      - AWS_S3_FORCE_PATH_STYLE
-      - AWS_S3_UPLOAD_BUCKET_NAME
-      - AWS_S3_UPLOAD_BUCKET_URL
-      - AWS_S3_UPLOAD_MAX_SIZE
-      - AWS_SECRET_ACCESS_KEY
-      - DATABASE_URL=postgres://user:pass@${STACK_NAME}_postgres:5432/outline
-      - DATABASE_URL_TEST=postgres://user:pass@${STACK_NAME}_postgres:5432/outline-test
+      - FILE_STORAGE
+      - DATABASE_PASSWORD_FILE=/run/secrets/db_password
       - FORCE_HTTPS=true
-      - OIDC_AUTH_URI
-      - OIDC_CLIENT_ID
-      - OIDC_CLIENT_SECRET
-      - OIDC_DISPLAY_NAME
-      - OIDC_SCOPES
-      - OIDC_TOKEN_URI
-      - OIDC_USERINFO_URI
-      - OIDC_USERNAME_CLAIM
       - PGSSLMODE=disable
-      - REDIS_URL=redis://${STACK_NAME}_redis:6379
-      - SECRET_KEY
+      - REDIS_URL=redis://${STACK_NAME}_cache:6379
+      - SECRET_KEY_FILE=/run/secrets/secret_key
+      - STACK_NAME
       - TEAM_LOGO
       - URL=https://$DOMAIN
-      - UTILS_SECRET
+      - UTILS_SECRET_FILE=/run/secrets/utils_secret
+    entrypoint: /docker-entrypoint.sh
     deploy:
       labels:
         - "traefik.enable=true"
@@ -42,27 +34,58 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+0.60.3"
-        ## Redirect from EXTRA_DOMAINS to DOMAIN
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "coop-cloud.${STACK_NAME}.version=2.9.0+0.82.0"
+        # Redirect from EXTRA_DOMAINS to DOMAIN
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-80}"
+    depends_on:
+      - cache
+      - db
 
-  redis:
-    image: redis
+  cache:
+    image: redis:7.4.2
     networks:
       - backend
 
-  postgres:
-    image: postgres:11
+  db:
+    image: postgres:17.3
     networks:
       - backend
+    secrets:
+      - db_password
+    configs:
+      - source: db_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+      - source: pg_backup
+        target: /pg_backup.sh
+        mode: 0555
     environment:
       POSTGRES_DB: outline
-      POSTGRES_PASSWORD: pass
-      POSTGRES_USER: user
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
+      POSTGRES_USER: outline
     volumes:
       - "postgres_data:/var/lib/postgresql/data"
+    entrypoint: /docker-entrypoint.sh
+    deploy:
+      labels:
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.postgres_data.path: "backup.sql"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
+
+secrets:
+  secret_key:
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+    external: true
+  utils_secret:
+    name: ${STACK_NAME}_utils_secret_${SECRET_UTILS_SECRET_VERSION}
+    external: true
+  db_password:
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    external: true
 
 networks:
   proxy:
@@ -70,5 +93,17 @@ networks:
   backend:
 
 volumes:
-  outline_data:
   postgres_data:
+
+configs:
+  app_entrypoint:
+    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
+  db_entrypoint:
+    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
+    file: entrypoint.postgres.sh.tmpl
+    template_driver: golang
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh

entrypoint.postgres.sh.tmpl

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -e
+
+MIGRATION_MARKER=$PGDATA/migration_in_progress
+OLDDATA=$PGDATA/old_data
+NEWDATA=$PGDATA/new_data
+
+if [ -e $MIGRATION_MARKER ]; then
+  echo "FATAL: migration was started but did not complete in a previous run. manual recovery necessary"
+  exit 1
+fi
+
+if [ -f $PGDATA/PG_VERSION ]; then
+  DATA_VERSION=$(cat $PGDATA/PG_VERSION)
+
+  if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
+    echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
+    echo "Installing postgres $DATA_VERSION"
+    sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
+    apt-get update && apt-get install -y --no-install-recommends \
+      postgresql-$DATA_VERSION \
+      && rm -rf /var/lib/apt/lists/*
+    echo "shuffling around"
+    gosu postgres mkdir $OLDDATA $NEWDATA
+    chmod 700 $OLDDATA $NEWDATA
+    mv $PGDATA/* $OLDDATA/ || true
+    touch $MIGRATION_MARKER
+    echo "running initdb"
+    # abuse entrypoint script for initdb by making server error out
+    gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg || true"
+    echo "running pg_upgrade"
+    cd /tmp
+    gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
+    cp $OLDDATA/pg_hba.conf $NEWDATA/
+    mv $NEWDATA/* $PGDATA
+    rm -rf $OLDDATA
+    rmdir $NEWDATA
+    rm $MIGRATION_MARKER
+    echo "migration complete"
+  fi
+fi
+
+/usr/local/bin/docker-entrypoint.sh postgres

entrypoint.sh.tmpl

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+{{ if eq (env "FILE_STORAGE")  "s3" }}
+export AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/aws_secret_key)
+{{ end }}
+
+{{ if eq (env "SMTP_ENABLED") "1" }}
+export SMTP_PASSWORD=$(cat /run/secrets/smtp_password)
+{{ end }}
+
+{{ if eq (env "OIDC_ENABLED") "1" }}
+export OIDC_CLIENT_SECRET=$(cat /run/secrets/oidc_client_secret)
+{{ end }}
+
+{{ if eq (env "GOOGLE_ENABLED") "1" }}
+export GOOGLE_CLIENT_SECRET=$(cat /run/secrets/google_client_secret)
+{{ end }}
+
+export UTILS_SECRET=$(cat /run/secrets/utils_secret)
+export SECRET_KEY=$(cat /run/secrets/secret_key)
+export DATABASE_PASSWORD=$(cat /run/secrets/db_password)
+export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_db:5432/outline"
+
+if [ ! "$1" = "-e" ]; then
+	/usr/local/bin/yarn db:migrate --env=production-ssl-disabled
+	/usr/local/bin/yarn start "$@"
+fi

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

release/0.2.0+0.60.3

@@ -0,0 +1,8 @@
+If you're coming from 0.1.0+0.60.3, your upgrade will break! Careful!
+
+Two main points for preparing for the upgrade:
+
+- recipe now uses docker secrets, you need to load them + remove them from your config
+- recipe upgraded outline image, some of the AWS env var names changed
+
+It might be wise to undeploy/deploy for this one.

release/0.4.0+0.64.3

@@ -0,0 +1,30 @@
+WARNING: This is a breaking release, you will certainly need to read this & fix
+your config to have a successful deployment! There has been a lot of churn on
+this recipe due to the experimental nature of getting things up and running.
+We're hoping things will stabilise soon. It's a lovely software after all and
+users are enjoying using it.
+
+- Additional login methods have been added e.g. Google (yep...). You now need
+  to make a choice of which authentication you want to make. This can be done by
+  using the usual `$AUTH_ENABLED=1` environment variable condition. See the
+  recipe `.env.sample` for more.
+
+- If you were using the generic OpenID Connect authentication method (e.g.
+  Keycloak, Authentik) then you will now need to use
+  `COMPOSE_FILE=compose.yml:compose.oidc.yml` and provide the `OIDC_*`
+  environment variables in your `.env` file. See the recipe `.env.sample` for
+  more.
+
+- We are no longer using a fork of Outline for the recipe (yay!). If you were
+  using the old patched version, you'll have to deal with some migration issues.
+  See https://git.coopcloud.tech/coop-cloud/outline#deleting-a-user-e-g-to-fix-sso-weirdness
+  for more.
+
+- Furthermore, following https://git.coopcloud.tech/coop-cloud/outline/issues/9, you will
+  need to undeploy your stack and re-deploy as some of the services have been renamed to
+  maintain naming conventions with other recipes.
+
+There has been a lot of changes. Please add to this file if you see more
+weirdness to help the rest of the Co-op Cloud Comrades.
+
+@decentral1se (Autonomic Co-op)

release/2.0.0+0.74.0

@@ -0,0 +1,4 @@
+Due to the introduction of local storage, you need to adapt your config to continue using S3 storage. Just add the following lines to your config:
+
+FILE_STORAGE=s3
+COMPOSE_FILE="$COMPOSE_FILE:compose.aws.yml"