shortened secrets, added healthcheck, removed debug log

Reviewed-on: #21

.env.sample

@@ -4,6 +4,8 @@ TYPE=outline
 
 DOMAIN=outline.example.com
 
+#TIMEOUT=
+
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.outline.example.com`'
 LETS_ENCRYPT_ENV=production
@@ -94,3 +96,13 @@ FILE_STORAGE_UPLOAD_MAX_SIZE=26214400
 #AWS_S3_FORCE_PATH_STYLE=true
 #AWS_S3_ACL=private
 #SECRET_AWS_SECRET_KEY_VERSION=v1
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.authentikgroupsync.yml"
+# # details on env here: https://github.com/burritosoftware/Outline-Authentik-Connector/blob/master/.env.example
+# AGS_AUTHENTIK_URL=
+# SECRET_AGS_OUTLINE_TOKEN_VERSION=v1 
+# SECRET_AGS_AUTHENTIK_TOKEN_VERSION=v1
+# SECRET_AGS_WEBHOOK_SECRET_VERSION=v1
+# AGS_AUTO_CREATE_GROUPS=True
+# #AGS_SYNC_GROUP_REGEX=
+# #AGS_DEBUG=True

README.md

@@ -71,12 +71,24 @@ revisions to (instead of deleting them).
 - `abra app deploy <domain> -f`
 - enjoy getting rid of S3 🥳
 
-## Single Sign On with Keycloak
+## Single Sign On with Keycloak/Authentik
-
-`abra app config YOURAPPNAME`, then uncomment everything in the `OIDC_` section.
-
-Create a new client in Keycloak:
 
+- Create an OIDC client in Keycloak (in Authentik this is called a provider and application)
+- Run `abra app config YOURAPPNAME`, then uncomment everything in the `OIDC_` section.
   - **Valid Redirect URIs**: `https://YOURAPPDOMAIN/auth/oidc.callback`
+  - Reference the client/provider info to populate the `_AUTH_URI` `_TOKEN_URI` and `_USERINFO_URI` values
+- Set the OIDC secret using the value from the client/provider `abra app secret insert YOURAPPNAME oidc_client_secret v1 SECRETVALUE`
+- `abra app deploy YOURAPPDOMAIN`
 
-`abra app deploy YOURAPPDOMAIN`
+### Advanced: Group Sync with Authentik
+- As `outline` doesn't support group sync, you can make use of an [extra service, the Outline-Authentik-Connector,](https://github.com/burritosoftware/Outline-Authentik-Connector) to do so.
+- Just uncomment the respective section in your `.env`, and set the necessary envs.
+- Then [follow these instructions](https://github.com/burritosoftware/Outline-Authentik-Connector?tab=readme-ov-file#outline-setup) to create the needed user and tokens
+  - ! for the authentik-token make sure you don't use the token it shows when creating the user (that is a password), create as the user (it will expire) but in the admin interface (path: `https://login..../if/admin/#/core/tokens`). Also setting the needed global permissions was not possible on the user directly, but I had to create a role for this.
+
+- and insert them as secrets:
+```
+abra app secret insert YOURAPPNAME agsoutline v1 SECRETVALUE
+abra app secret insert YOURAPPNAME agsauthentik v1 SECRETVALUE
+abra app secret insert YOURAPPNAME agswebhook v1 SECRETVALUE
+```

abra.sh

@@ -1,6 +1,7 @@
-export APP_ENTRYPOINT_VERSION=v9
+export APP_ENTRYPOINT_VERSION=v11
 export DB_ENTRYPOINT_VERSION=v2
 export PG_BACKUP_VERSION=v1
+export AGS_ENTRYPOINT_VERSION=v1
 
 create_email_user() {
 	if [ -z "$1" ]; then
@@ -98,3 +99,10 @@ delete_duplicate_users() {
 		delete_user_by_id "$USERID_OLD" "$USERID_NEW"
 	done
 }
+
+fix_collation_mismatch() {
+  psql -U ${POSTGRES_USER} -d outline -c "ALTER DATABASE outline REFRESH COLLATION VERSION;"
+  psql -U ${POSTGRES_USER} -d outline -c "REINDEX DATABASE outline;"
+  psql -U ${POSTGRES_USER} -d postgres -c "ALTER DATABASE postgres REFRESH COLLATION VERSION;"
+  psql -U ${POSTGRES_USER} -d postgres -c "REINDEX DATABASE postgres;"
+}

compose.authentikgroupsync.yml

@@ -0,0 +1,62 @@
+---
+version: "3.8"
+
+services:
+  outline-authentik-connector:
+    image: burritosoftware/outline-authentik-connector:1.2
+
+    secrets:
+      - agsoutline
+      - agsauthentik
+      - agswebhook
+      
+    environment:
+      - AUTHENTIK_URL=${AGS_AUTHENTIK_URL}
+      - OUTLINE_URL=https://${DOMAIN}
+      - OUTLINE_TOKEN_FILE=/var/run/secrets/agsoutline
+      - OUTLINE_WEBHOOK_SECRET_FILE=/var/run/secrets/agswebhook
+      - AUTHENTIK_TOKEN_FILE=/var/run/secrets/agsauthentik
+      - AUTO_CREATE_GROUPS=${AGS_AUTO_CREATE_GROUPS:-True}
+      - DEBUG=${AGS_DEBUG:-False}
+      - SYNC_GROUP_REGEX=${AGS_SYNC_GROUP_REGEX:-.*}
+
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.sync-router.rule=Host(`groupsync.${DOMAIN}`)"
+        - "traefik.http.routers.sync-router.entrypoints=web-secure"
+        - "traefik.http.routers.sync-router.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.services.sync-router.loadbalancer.server.port=80"
+
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://0.0.0.0:80/ | grep -q '\"status\":\"running\"' || exit 1"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+
+    networks:
+      - backend
+      - proxy
+
+    configs:
+      - source: ags_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+
+    entrypoint: /docker-entrypoint.sh
+
+secrets:
+  agsoutline:
+    name: ${STACK_NAME}_agsoutline_${SECRET_AGS_OUTLINE_TOKEN_VERSION}
+    external: true
+  agsauthentik:
+    name: ${STACK_NAME}_agsauthentik_${SECRET_AGS_AUTHENTIK_TOKEN_VERSION}
+    external: true
+  agswebhook:
+    name: ${STACK_NAME}_agswebhook_${SECRET_AGS_WEBHOOK_SECRET_VERSION}
+    external: true
+
+configs:
+  ags_entrypoint:
+    name: ${STACK_NAME}_ags_entrypoint_${AGS_ENTRYPOINT_VERSION}
+    file: entrypoint.authentikgroupsync.sh

compose.yml

@@ -6,7 +6,7 @@ services:
     networks:
       - backend
       - proxy
-    image: outlinewiki/outline:0.82.0
+    image: outlinewiki/outline:1.6.0
     secrets:
       - db_password
       - secret_key
@@ -34,23 +34,20 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=2.9.0+0.82.0"
+        - "coop-cloud.${STACK_NAME}.version=2.18.0+1.6.0"
         # Redirect from EXTRA_DOMAINS to DOMAIN
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-80}"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
-    depends_on:
-      - cache
-      - db
 
   cache:
-    image: redis:7.4.2
+    image: redis:8.6.1
     networks:
       - backend
 
   db:
-    image: postgres:17.3
+    image: postgres:17.9
     networks:
       - backend
     secrets:

entrypoint.authentikgroupsync.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+load_secret() {
+    env_var="$1"
+    secret_file="$2"
+
+    if [ -f "$secret_file" ]; then
+        value=$(cat "$secret_file")
+        if [ -z "$value" ]; then
+            echo >&2 "error: $secret_file is empty"
+            exit 1
+        fi
+        export "$env_var"="$value"
+    else
+        echo >&2 "[info] didn't set $env_var because $secret_file does not exist. If you don't use the secret or it is no secret at all you can safely ignore this message."
+    fi
+}
+
+# load every env-var that ends on _FILE
+for var in $(env | grep "_FILE="); do
+    key=$(echo "$var" | sed 's/_FILE=.*//')
+    value=$(echo "$var" | sed 's/.*_FILE=//')
+    load_secret "$key" "$value"
+done
+
+exec uvicorn connect:app --host=0.0.0.0 --port=80

entrypoint.sh.tmpl

@@ -18,10 +18,9 @@ export GOOGLE_CLIENT_SECRET=$(cat /run/secrets/google_client_secret)
 
 export UTILS_SECRET=$(cat /run/secrets/utils_secret)
 export SECRET_KEY=$(cat /run/secrets/secret_key)
-export DATABASE_PASSWORD=$(cat /run/secrets/db_password)
+DATABASE_PASSWORD=$(cat /run/secrets/db_password)
 export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_db:5432/outline"
 
 if [ ! "$1" = "-e" ]; then
-	/usr/local/bin/yarn db:migrate --env=production-ssl-disabled
+  node build/server/index.js
-	/usr/local/bin/yarn start "$@"
 fi

release/2.17.0+1.5.0

@@ -0,0 +1 @@
+y

release/2.9.1+0.82.0

@@ -0,0 +1 @@
+Fixes a problem where deployments were consistently giving a timeout response even though they were successful