diff --git a/.env.sample b/.env.sample
index 0b7b403..d0815d4 100644
--- a/.env.sample
+++ b/.env.sample
@@ -5,28 +5,21 @@ DOMAIN=penpot.example.com
 #EXTRA_DOMAINS=', `www.${REPO_NAME_KEBAB}.example.com`'
 LETS_ENCRYPT_ENV=production
-# By default files upload by user are stored in local
-# filesystem. But it can be configured to store in AWS S3 or
-# completelly in de the database. Storing in the database makes
-# the backups more easy but will make access to media less
-# performant.
-PENPOT_STORAGE_BACKEND=fs
+# Generate the secret key manually and insert it e.g.
+# dd if=/dev/urandom bs=1 count=64 | base64 -
+SECRET_SECRET_KEY_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
-# Telemetry. When enabled, a periodical process will send
-# annonymous data about this instance. Telemetry data will
-# enable us to learn on how the application is used based on
-# real scenarios. If you want to help us, please leave it
-# enabled. In any case you can see the source code of both
-# client and server in the penpot repository.
-PENPOT_TELEMETRY_ENABLED=false
+## All flags take the format of enable-flag-name or disable-flag-name
+# List of flags:
+# demo-users email-verification log-emails log-invitation-tokens login-with-github login-with-gitlab login-with-google login-with-ldap login-with-oidc login-with-password registration secure-session-cookies smtp smtp-debug telemetry webhooks prepl-server
+PENPOT_FLAGS="enable-registration enable-login-with-password disable-email-verification enable-prepl-server disable-telemetry"
-# Email sending configuration. By default emails are printed in
-# console, but for production usage is recommeded to setup a
-# real SMTP provider. Emails are used for confirm user
-# registration.
-PENPOT_SMTP_ENABLED=false
-PENPOT_SMTP_DEFAULT_FROM=penpot@example.com
-PENPOT_SMTP_DEFAULT_REPLY_TO=penpot@example.com
+## If not set, mails will be printed to logs
+#PENPOT_FLAGS="$PENPOT_FLAGS enable-smtp"
+#SECRET_SMTP_PASSWORD_VERSION=v1
+#PENPOT_SMTP_DEFAULT_FROM=penpot@example.com
+#PENPOT_SMTP_DEFAULT_REPLY_TO=penpot@example.com
 #PENPOT_SMTP_HOST=smtp.example.com
 #PENPOT_SMTP_PORT=25
 #PENPOT_SMTP_USERNAME=username
@@ -34,10 +27,18 @@ PENPOT_SMTP_DEFAULT_REPLY_TO=penpot@example.com
 #PENPOT_SMTP_TLS=true
 #PENPOT_SMTP_SSL=false
-SECRET_DB_PASSWORD_VERSION=v1
-SECRET_SMTP_PASSWORD_VERSION=v1
+## Store assets in the filesystem
+PENPOT_ASSETS_STORAGE_BACKEND=assets-fs
+PENPOT_ASSETS_FS_DIRECTORY=/opt/data/assets
+## Or store them in an S3 bucket
+#- PENPOT_ASSETS_STORAGE_BACKEND=assets-s3
+#- PENPOT_STORAGE_ASSETS_S3_ENDPOINT=http://penpot-minio:9000
+#- PENPOT_STORAGE_ASSETS_S3_BUCKET=
+#- AWS_ACCESS_KEY_ID=
+#- AWS_SECRET_ACCESS_KEY=
 # e.g. for Keycloak https://id.example.com/auth/realms/example/
+#PENPOT_FLAGS_FRONTEND="$PENPOT_FLAGS_FRONTEND enable-login-with-oidc"
 #PENPOT_OIDC_BASE_URI=
 #PENPOT_OIDC_CLIENT_ID=
 #PENPOT_OIDC_CLIENT_SECRET=
diff --git a/compose.yml b/compose.yml
index c3ea271..f43ed05 100644
--- a/compose.yml
+++ b/compose.yml
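Review bot: The default `PENPOT_FLAGS` combines `enable-registration` with `disable-email-verification`, so an instance deployed straight from this sample lets anyone who can reach `${DOMAIN}` create an account with an unverified address, while `LETS_ENCRYPT_ENV=production` in the context suggests the sample targets production. A safer default is `disable-registration`, or `enable-email-verification` together with the SMTP block below filled in, with a comment such as `# Open registration without email verification: restrict before exposing the instance` if the open default is kept on purpose. The `# List of flags:` line packs seventeen flag names onto one very long comment line; one flag per comment line, or grouping them by area (login, smtp, telemetry), would make the list scannable.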
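Review bot: The commented S3 block carries a `#- ` prefix (`#- PENPOT_ASSETS_STORAGE_BACKEND=assets-s3` and the four lines after it), so a user who removes the `#` is left with `- PENPOT_ASSETS_STORAGE_BACKEND=assets-s3`, which is not a valid dotenv assignment; write them as `#PENPOT_ASSETS_STORAGE_BACKEND=assets-s3` like every other commented setting in the file. `#PENPOT_FLAGS_FRONTEND="$PENPOT_FLAGS_FRONTEND enable-login-with-oidc"` names a variable that, as far as the compose.yml hunks in this diff show, no service forwards (the `app` service only passes `PENPOT_FLAGS`), so uncommenting it appears to have no effect; either forward it or document which variable actually enables OIDC login. `AWS_SECRET_ACCESS_KEY=` keeps a credential in the env file rather than in a Docker secret like `db_password`; if that is intentional a comment saying so would help, and the `file_env` pattern in entrypoint-backend.sh is the consistent place to add a `_FILE` variant should the backend honour one (confirm before relying on it).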
@@ -1,92 +1,86 @@ version: "3.8" -x-environment: - &default-env - - PENPOT_PUBLIC_URI=https://{domain} - - PENPOT_DATABASE_URI=postgresql://postgres/penpot - - PENPOT_DATABASE_USERNAME=penpot - - PENPOT_DATABASE_PASSWORD_FILE=/run/secrets/db_password - - PENPOT_REDIS_URI=redis://redis/0 - - PENPOT_STORAGE_BACKEND - - PENPOT_STORAGE_FS_DIRECTORY=/opt/data/assets - - PENPOT_TELEMETRY_ENABLED - - PENPOT_SMTP_ENABLED - - PENPOT_SMTP_DEFAULT_FROM - - PENPOT_SMTP_DEFAULT_REPLY_TO - - PENPOT_SMTP_HOST - - PENPOT_SMTP_PORT - - PENPOT_SMTP_USERNAME - - PENPOT_SMTP_TLS - - PENPOT_SMTP_SSL - services: app: - image: "penpotapp/frontend:1.8.2-alpha" + image: "penpotapp/frontend:1.19.1" networks: - proxy - - backend + - internal volumes: - penpot_assets:/opt/data depends_on: - penpot-backend - penpot-exporter - environment: *default-env - entrypoint: /entrypoint.override.sh + environment: + - PENPOT_FLAGS secrets: - db_password - configs: - - source: app_entrypoint - target: /entrypoint.override.sh - mode: 0555 deploy: restart_policy: condition: on-failure labels: - "traefik.enable=true" + - "traefik.docker.network=proxy" - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - # Redirect from EXTRA_DOMAINS to DOMAIN - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - - coop-cloud.${STACK_NAME}.version=0.2.0+1.8.2-alpha + - "coop-cloud.${STACK_NAME}.version=2.0.0+1.19.1" + penpot-backend: - image: "penpotapp/backend:1.8.2-alpha" + image: "penpotapp/backend:1.19.1" volumes: - penpot_assets:/opt/data depends_on: - - postgres - - redis - environment: *default-env + - 
penpot-postgres + - penpot-redis + environment: + - PENPOT_FLAGS + - PENPOT_PREPL_HOST=0.0.0.0 # I don't really understand what that is for + - PENPOT_PUBLIC_URI=${DOMAIN} + - PENPOT_SECRET_KEY_FILE=/run/secrets/secret_key + - PENPOT_DATABASE_PASSWORD_FILE=/run/secrets/db_password + - PENPOT_DATABASE_URI=postgresql://penpot-postgres/penpot + - PENPOT_DATABASE_USERNAME=penpot + - PENPOT_REDIS_URI=redis://penpot-redis/0 + - PENPOT_SMTP_DEFAULT_FROM + - PENPOT_SMTP_DEFAULT_REPLY_TO + - PENPOT_SMTP_HOST + - PENPOT_SMTP_PORT + - PENPOT_SMTP_USERNAME + - PENPOT_SMTP_PASSWORD + - PENPOT_SMTP_TLS + - PENPOT_SMTP_SSL + - PENPOT_ASSETS_STORAGE_BACKEND + - PENPOT_ASSETS_FS_DIRECTORY + - PENPOT_STORAGE_ASSETS_S3_ENDPOINT + - PENPOT_STORAGE_ASSETS_S3_BUCKET + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY secrets: - db_password + - secret_key configs: - source: backend_entrypoint target: /docker-entrypoint.sh mode: 0555 entrypoint: /docker-entrypoint.sh networks: - - backend - # FIXME 3wc: this is only required for email - - proxy - deploy: - labels: - - coop-cloud.${STACK_NAME}.penpot-backend.version=1.4.0-alpha- + - internal + penpot-exporter: - image: "penpotapp/exporter:1.8.2-alpha" + image: "penpotapp/exporter:1.19.1" environment: - # Don't touch it; this uses internal docker network to - # communicate with the frontend. - PENPOT_PUBLIC_URI=http://app + - PENPOT_REDIS_URI=redis://penpot-redis/0 networks: - - backend - deploy: - labels: - - coop-cloud.${STACK_NAME}.penpot-exporter.version=1.4.0-alpha-617c54da - postgres: - image: "postgres:14" + - internal + + penpot-postgres: + image: "postgres:15.4" stop_signal: SIGINT secrets: - db_password 
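Review bot: `PENPOT_PUBLIC_URI=${DOMAIN}` in the backend environment drops the scheme that the removed line carried (`PENPOT_PUBLIC_URI=https://{domain}`), so the backend is told its public URI is a bare hostname; it should read `- PENPOT_PUBLIC_URI=https://${DOMAIN}`. The backend forwards `PENPOT_SMTP_PASSWORD` from the host environment but lists only `db_password` and `secret_key` under `secrets`, and nothing sets `PENPOT_SMTP_PASSWORD_FILE=/run/secrets/smtp_password` to match the existing `file_env "PENPOT_SMTP_PASSWORD"` call in entrypoint-backend.sh, so the `smtp_password` secret declared in the last hunk of this file is never delivered to the service; add `- smtp_password` to the backend's secrets and the `_FILE` variable to its environment, and note that `.env.sample` leaves `SECRET_SMTP_PASSWORD_VERSION` commented out although that secret's `name:` interpolates it unconditionally. `PENPOT_PREPL_HOST=0.0.0.0 # I don't really understand what that is for` records that the purpose of a listener being bound on all container interfaces is unknown; since the backend is now only attached to the `internal` network, the comment should state what the PREPL is used for and that it is not published, or the setting and the matching `enable-prepl-server` flag in `.env.sample` should stay off until that is known. The service definitions continue past the end of this hunk.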
@@ -98,31 +92,23 @@ services:
 volumes:
 - postgres:/var/lib/postgresql/data
 networks:
- - backend
- deploy:
- labels:
- - coop-cloud.${STACK_NAME}.postgres.version=13-61d5d8ef
- redis:
- image: redis:6
+ - internal
+
+ penpot-redis:
+ image: redis:7.2.1
 networks:
- - backend
- deploy:
- labels:
- - coop-cloud.${STACK_NAME}.redis.version=6-e10f55f9
+ - internal
 networks:
+ internal:
 proxy:
 external: true
- backend:
 volumes:
 postgres:
 penpot_assets:
 configs:
- app_entrypoint:
- name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_CONF_VERSION}
- file: entrypoint-app.sh
 backend_entrypoint:
 name: ${STACK_NAME}_backend_entrypoint_${BACKEND_ENTRYPOINT_CONF_VERSION}
 file: entrypoint-backend.sh
@@ -131,3 +117,9 @@ secrets:
 db_password:
 external: true
 name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+ secret_key:
+ external: true
+ name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+ smtp_password:
+ external: true
+ name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
diff --git a/entrypoint-backend.sh b/entrypoint-backend.sh
index 0c147ee..cdaeb6b 100644
--- a/entrypoint-backend.sh
+++ b/entrypoint-backend.sh
@@ -23,6 +23,7 @@ file_env() {
 load_vars() {
 file_env "PENPOT_DATABASE_PASSWORD"
+ file_env "PENPOT_SECRET_KEY"
 file_env "PENPOT_SMTP_PASSWORD"
 file_env "PENPOT_LDAP_BIND_PASSWORD"
 file_env "PENPOT_GOOGLE_CLIENT_SECRET"