From 1ea9f262b668889325d91cf71eb56800fbc03de3 Mon Sep 17 00:00:00 2001 From: 3wc <3wc.coopcloud@doesthisthing.work> Date: Thu, 19 Mar 2026 17:03:38 -0400 Subject: [PATCH] =?UTF-8?q?Working=20=F0=9F=8E=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .env.sample | 31 ++++++++++++++++++ abra-entrypoint.sh.tmpl | 10 ++++++ abra.sh | 1 + compose.oidc.yml | 19 +++++++++++ compose.smtp-password.yml | 11 +++++++ compose.yml | 69 ++++++++++++++++++++++++++++++--------- 6 files changed, 125 insertions(+), 16 deletions(-) create mode 100644 abra-entrypoint.sh.tmpl create mode 100644 compose.oidc.yml create mode 100644 compose.smtp-password.yml diff --git a/.env.sample b/.env.sample index f6a292e..edfef6f 100644 --- a/.env.sample +++ b/.env.sample @@ -6,3 +6,34 @@ DOMAIN=pdfding.example.com #EXTRA_DOMAINS=', `www.pdfding.example.com`' LETS_ENCRYPT_ENV=production + +COMPOSE_FILE=compose.yml + +SECRET_SECRET_KEY_VERSION=v1 + +# Default: FALSE (user signup is enabled) +#DISABLE_USER_SIGNUP=TRUE + +# Email; see https://docs.pdfding.com/configuration/email/ +#EMAIL_BACKEND=SMTP +#EMAIL_ADDRESS=noreply@example.com +#SMTP_HOST=smtp.example.com +#SMTP_PORT=587 +#SMTP_USER=noreply@example.com +# NOTE: The following options are mutually exclusive, you must choose maximum 1 of them +#SMTP_USE_TLS=TRUE +#SMTP_USE_SSL + +# If your SMTP server requires a password: +#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp-password.yml" +#SECRET_SMTP_PASSWORD_VERSION=v1 + +# OIDC single sign-on, see https://docs.pdfding.com/configuration/sso_oidc/ +#COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml" +#OIDC_CLIENT_ID +#OIDC_AUTH_URL=https://auth.example.com/.well-known/openid-configuration +#OIDC_GROUPS_CLAIM +#OIDC_ADMIN_GROUP +#OIDC_EXTRA_SCOPE +#OIDC_ONLY=TRUE +#OIDC_PROVIDER_NAME diff --git a/abra-entrypoint.sh.tmpl b/abra-entrypoint.sh.tmpl new file mode 100644 index 0000000..9f8fef5 --- /dev/null +++ b/abra-entrypoint.sh.tmpl 
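Review bot: The OIDC block at the end of the .env.sample hunk has no `SECRET_OIDC_CLIENT_SECRET_VERSION` entry, yet compose.oidc.yml in this same commit builds the external secret name from `${SECRET_OIDC_CLIENT_SECRET_VERSION}`. An operator who uncomments the OIDC lines as given ends up with that variable empty, so the stack asks for a secret whose name ends in a bare underscore, and the deploy tooling presumably never learns that the secret has to be created. Adding `#SECRET_OIDC_CLIENT_SECRET_VERSION=v1` under the `#COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"` line would mirror what the SMTP block already does with `SECRET_SMTP_PASSWORD_VERSION`.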
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+[ -f "$SECRET_KEY_FILE" ] && export SECRET_KEY="$(cat "${SECRET_KEY_FILE}")"
+[ -f "$SMTP_PASSWORD_FILE" ] && export SMTP_PASSWORD="$(cat "${SMTP_PASSWORD_FILE}")"
+[ -f "$OIDC_CLIENT_SECRET_FILE" ] && export OIDC_CLIENT_SECRET="$(cat "${OIDC_CLIENT_SECRET_FILE}")"
+
+# if not in "env" mode, then execute the original entrypoint and command
+if [ ! "$1" = "-e" ]; then
+ /home/nonroot/bootstrap.sh
+fi
diff --git a/abra.sh b/abra.sh
index 13b5452..8a50694 100755
--- a/abra.sh
+++ b/abra.sh
@@ -1,2 +1,3 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
+export ABRA_ENTRYPOINT_CONF_VERSION=v1
diff --git a/compose.oidc.yml b/compose.oidc.yml
new file mode 100644
index 0000000..e0af2a5
--- /dev/null
+++ b/compose.oidc.yml
@@ -0,0 +1,19 @@
+services:
+ app:
+ environment:
+ - OIDC_ENABLE=TRUE
+ - OIDC_CLIENT_ID
+ - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
+ - OIDC_AUTH_URL
+ - OIDC_GROUPS_CLAIM
+ - OIDC_ADMIN_GROUP
+ - OIDC_EXTRA_SCOPE
+ - OIDC_ONLY
+ - OIDC_PROVIDER_NAME
+ secrets:
+ - oidc_client_secret
+
+secrets:
+ oidc_client_secret:
+ external: true
+ name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
diff --git a/compose.smtp-password.yml b/compose.smtp-password.yml
new file mode 100644
index 0000000..15b2166
--- /dev/null
+++ b/compose.smtp-password.yml
@@ -0,0 +1,11 @@
+services:
+ app:
+ environment:
+ - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+ secrets:
+ - smtp_password
+
+secrets:
+ smtp_password:
+ external: true
+ name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
diff --git a/compose.yml b/compose.yml
index 5e77224..143f707 100644
--- a/compose.yml
+++ b/compose.yml
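Review bot: In abra-entrypoint.sh.tmpl each `[ -f "$…_FILE" ] && export …` line silently skips a missing file, so a container whose `secret_key` secret was not mounted starts with `SECRET_KEY` unset and the outcome is left to whatever the application does without a key. compose.yml always sets `SECRET_KEY_FILE`, so failing fast for that one (`[ -f "$SECRET_KEY_FILE" ] || { echo "secret_key not mounted" >&2; exit 1; }`) would surface the misconfiguration at start-up; the SMTP and OIDC files are optional and can keep the current form. The final branch also runs `/home/nonroot/bootstrap.sh` as a child process and drops the arguments, although the comment above it says it executes the original entrypoint and command; `exec /home/nonroot/bootstrap.sh "$@"` would hand over PID 1 so the orchestrator's stop signal reaches the application and any command is passed through.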
@@ -1,34 +1,56 @@ --- services: app: - image: nginx:1.27.5 + image: mrmn/pdfding:v1.6.3 networks: - proxy + environment: + - HOST_NAME=127.0.0.1,${DOMAIN} + - SECRET_KEY_FILE=/run/secrets/secret_key + - CSRF_COOKIE=TRUE + - SESSION_COOKIE_SECURE=TRUE + - DISABLE_USER_SIGNUP + - EMAIL_BACKEND + - EMAIL_ADDRESS + - SMTP_HOST + - SMTP_PORT + - SMTP_USER + - SMTP_USE_TLS + - SMTP_USE_SSL + volumes: + - sqlite_data:/home/nonroot/pdfding/db + - media:/home/nonroot/pdfding/media + secrets: + - secret_key + configs: + - source: abra_entrypoint_conf + target: /abra-entrypoint.sh + mode: 0555 + entrypoint: [ "/abra-entrypoint.sh" ] deploy: restart_policy: condition: on-failure labels: - "traefik.enable=true" - - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8000" - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - ## Edit the following line if you are using one, but not both, "Redirect" sections below - #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirectscheme,${STACK_NAME}-redirecthostname" - ## Redirect from EXTRA_DOMAINS to DOMAIN - # - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.regex=^http[s]?://([^/]*)/(.*)" - # - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.replacement=https://${DOMAIN}/$${2}" - # - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.permanent=true" - ## Redirect HTTP to HTTPS - # - "traefik.http.middlewares.${STACK_NAME}-redirectscheme.redirectscheme.scheme=https" - # - "traefik.http.middlewares.${STACK_NAME}-redirectscheme.redirectscheme.permanent=true" - ## When you're ready for release, run "abra recipe sync " to set this + - 
"traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirectscheme,${STACK_NAME}-redirecthostname" + # Redirect from EXTRA_DOMAINS to DOMAIN + - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.regex=^http[s]?://([^/]*)/(.*)" + - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.replacement=https://${DOMAIN}/$${2}" + - "traefik.http.middlewares.${STACK_NAME}-redirecthostname.redirectregex.permanent=true" + # Redirect HTTP to HTTPS + - "traefik.http.middlewares.${STACK_NAME}-redirectscheme.redirectscheme.scheme=https" + - "traefik.http.middlewares.${STACK_NAME}-redirectscheme.redirectscheme.permanent=true" + # When you're ready for release, run "abra recipe sync " to set this - "coop-cloud.${STACK_NAME}.version=" - ## Enable backups: https://docs.coopcloud.tech/maintainers/handbook/#how-do-i-configure-backuprestore - # - "backupbot.backup=true" - # - "backupbot.backup.path=/some/path" + # Enable backups: https://docs.coopcloud.tech/maintainers/handbook/#how-do-i-configure-backuprestore + - "backupbot.backup=true" + - "backupbot.backup.path=/home/nonroot/pdfding/" healthcheck: - test: ["CMD", "curl", "-f", "http://localhost"] + test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8000"] interval: 30s timeout: 10s retries: 10 @@ -37,3 +59,18 @@ services: networks: proxy: external: true + +configs: + abra_entrypoint_conf: + name: ${STACK_NAME}_abra_entrypoint_conf_${ABRA_ENTRYPOINT_CONF_VERSION} + file: abra-entrypoint.sh.tmpl + template_driver: golang + +secrets: + secret_key: + external: true + name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION} + +volumes: + sqlite_data: + media:
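Review bot: In the `environment:` list added to the `app` service in compose.yml, `CSRF_COOKIE=TRUE` sits directly above `SESSION_COOKIE_SECURE=TRUE` and looks like a truncated variable name. If the application's setting follows the same pattern (`CSRF_COOKIE_SECURE`; worth confirming against the pdfding configuration docs), the variable as written is ignored and the CSRF cookie is issued without the Secure attribute, even though the router is bound to the `web-secure` entrypoint only. The line would then read `- CSRF_COOKIE_SECURE=TRUE`.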