Attempt to fix CI secret generation

[ci skip]

.drone.yml

@@ -0,0 +1,41 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: penpot
+      networks:
+       - proxy
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+    environment:
+      DOMAIN: penpot.swarm-test.autonomic.zone
+      STACK_NAME: penpot
+      LETS_ENCRYPT_ENV: production
+      APP_ENTRYPOINT_CONF_VERSION: v1
+      BACKEND_ENTRYPOINT_CONF_VERSION: v1
+      SECRET_PENPOT_DB_PASSWORD_VERSION: v1
+      SECRET_SMTP_PASSWORD_VERSION: v1
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -5,31 +5,41 @@ DOMAIN=penpot.example.com
 #EXTRA_DOMAINS=', `www.${REPO_NAME_KEBAB}.example.com`'
 LETS_ENCRYPT_ENV=production
 
-# By default files upload by user are stored in local
-# filesystem. But it can be configured to store in AWS S3 or
-# completelly in de the database. Storing in the database makes
-# the backups more easy but will make access to media less
-# performant.
-PENPOT_STORAGE_BACKEND=fs
+# Generate the secret key manually and insert it e.g.
+# dd if=/dev/urandom bs=1 count=64 | base64 -
+SECRET_SECRET_KEY_VERSION=v1 
+SECRET_DB_PASSWORD_VERSION=v1
 
-# Telemetry. When enabled, a periodical process will send
-# annonymous data about this instance. Telemetry data will
-# enable us to learn on how the application is used based on
-# real scenarios. If you want to help us, please leave it
-# enabled. In any case you can see the source code of both
-# client and server in the penpot repository.
-PENPOT_TELEMETRY_ENABLED=false
+## All flags take the format of enable-flag-name or disable-flag-name
+# List of flags:
+# demo-users email-verification log-emails log-invitation-tokens login-with-github login-with-gitlab login-with-google login-with-ldap login-with-oidc login-with-password registration secure-session-cookies smtp smtp-debug telemetry webhooks prepl-server
+PENPOT_FLAGS="enable-registration enable-login-with-password disable-email-verification enable-prepl-server disable-telemetry"
 
-# Email sending configuration. By default emails are printed in
-# console, but for production usage is recommeded to setup a
-# real SMTP provider. Emails are used for confirm user
-# registration.
-PENPOT_SMTP_ENABLED=false
-PENPOT_SMTP_DEFAULT_FROM=penpot@example.com
-PENPOT_SMTP_DEFAULT_REPLY_TO=penpot@example.com
+## If not set, mails will be printed to logs
+#PENPOT_FLAGS="$PENPOT_FLAGS enable-smtp"
+#SECRET_SMTP_PASSWORD_VERSION=v1
+#PENPOT_SMTP_DEFAULT_FROM=penpot@example.com
+#PENPOT_SMTP_DEFAULT_REPLY_TO=penpot@example.com
 #PENPOT_SMTP_HOST=smtp.example.com
 #PENPOT_SMTP_PORT=25
 #PENPOT_SMTP_USERNAME=username
 #PENPOT_SMTP_PASSWORD=password
 #PENPOT_SMTP_TLS=true
 #PENPOT_SMTP_SSL=false
+
+## Store assets in the filesystem
+PENPOT_ASSETS_STORAGE_BACKEND=assets-fs
+PENPOT_ASSETS_FS_DIRECTORY=/opt/data/assets
+## Or store them in an S3 bucket
+#- PENPOT_ASSETS_STORAGE_BACKEND=assets-s3
+#- PENPOT_STORAGE_ASSETS_S3_ENDPOINT=http://penpot-minio:9000
+#- PENPOT_STORAGE_ASSETS_S3_BUCKET=<BUKET_NAME>
+#- AWS_ACCESS_KEY_ID=<KEY_ID>
+#- AWS_SECRET_ACCESS_KEY=<ACCESS_KEY>
+
+# e.g. for Keycloak https://id.example.com/auth/realms/example/
+#PENPOT_FLAGS_FRONTEND="$PENPOT_FLAGS_FRONTEND enable-login-with-oidc"
+#PENPOT_OIDC_BASE_URI=
+#PENPOT_OIDC_CLIENT_ID=
+#PENPOT_OIDC_CLIENT_SECRET=
+#SECRET_OIDC_CLIENT_SECRET_VERSION=v1

.gitignore

@@ -0,0 +1 @@
+/.envrc

README.md

@@ -2,13 +2,13 @@
 
 <!-- metadata -->
 * **Category**: Apps
-* **Status**: ❹💣
+* **Status**: 0, work-in-progress
 * **Image**: [`penpotapp/*`](https://hub.docker.com/r/penpotapp)
 * **Healthcheck**: 
 * **Backups**: 
 * **Email**: 
 * **Tests**: 
-* **SSO**: 
+* **SSO**: 3 (OAuth)
 <!-- endmetadata -->
 
 ## Basic usage
@@ -17,9 +17,9 @@
 2. Deploy [`coop-cloud/traefik`]
 3. `abra app new penpot --secrets` (optionally with `--pass` if you'd like
    to save secrets in `pass`)
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
+4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
+5. `abra app deploy YOURAPPDOMAIN`
 6. Open the configured domain in your browser to finish set-up
 
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra

abra.sh

@@ -0,0 +1,2 @@
+export APP_ENTRYPOINT_CONF_VERSION=v1
+export BACKEND_ENTRYPOINT_CONF_VERSION=v3

compose.oidc.yml

@@ -0,0 +1,19 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - PENPOT_OIDC_CLIENT_ID
+  penpot-backend:
+    environment:
+      - PENPOT_OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
+      - PENPOT_OIDC_CLIENT_ID
+      - PENPOT_OIDC_BASE_URI
+    secrets:
+      - oidc_client_secret
+
+secrets:
+  oidc_client_secret:
+    external: true
+    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}

compose.smtpauth.yml

@@ -0,0 +1,19 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - PENPOT_SMTP_PASSWORD_FILE=/var/run/secrets/smtp_password
+    secrets:
+      - smtp_password
+  penpot-backend:
+    environment:
+      - PENPOT_SMTP_PASSWORD_FILE=/var/run/secrets/smtp_password
+    secrets:
+      - smtp_password
+
+secrets:
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}

compose.yml

@@ -1,98 +1,125 @@
 version: "3.8"
+
 services:
   app:
-    image: "penpotapp/frontend:1.4.0-alpha"
+    image: "penpotapp/frontend:1.19.3"
     networks:
       - proxy
-      - backend
+      - internal
     volumes:
       - penpot_assets:/opt/data
     depends_on:
       - penpot-backend
       - penpot-exporter
+    environment:
+      - PENPOT_FLAGS
+    secrets:
+      - db_password
     deploy:
       restart_policy:
         condition: on-failure
       labels:
         - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        # Redirect from EXTRA_DOMAINS to DOMAIN
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - coop-cloud.${STACK_NAME}.app.version=1.4.0-alpha-5d926f43
+        - "coop-cloud.${STACK_NAME}.version=2.0.1+1.19.3"
+
   penpot-backend:
-    image: "penpotapp/backend:1.4.0-alpha"
+    image: "penpotapp/backend:1.19.3"
     volumes:
       - penpot_assets:/opt/data
     depends_on:
-      - postgres
-      - redis
+      - penpot-postgres
+      - penpot-redis
     environment:
-      - PENPOT_PUBLIC_URI=https://{domain}
-      - PENPOT_DATABASE_URI=postgresql://postgres/penpot
+      - PENPOT_FLAGS
+      - PENPOT_PREPL_HOST=0.0.0.0 # I don't really understand what that is for
+      - PENPOT_PUBLIC_URI=${DOMAIN}
+      - PENPOT_SECRET_KEY_FILE=/run/secrets/secret_key
+      - PENPOT_DATABASE_PASSWORD_FILE=/run/secrets/db_password
+      - PENPOT_DATABASE_URI=postgresql://penpot-postgres/penpot
       - PENPOT_DATABASE_USERNAME=penpot
-      - PENPOT_DATABASE_PASSWORD=penpot
-      - PENPOT_REDIS_URI=redis://redis/0
-      - PENPOT_STORAGE_BACKEND=${PENPOT_STORAGE_BACKEND}
-      - PENPOT_STORAGE_FS_DIRECTORY=/opt/data/assets
-      - PENPOT_TELEMETRY_ENABLED=${PENPOT_TELEMETRY_ENABLED}
-      - PENPOT_SMTP_ENABLED=${PENPOT_SMTP_ENABLED}
-      - PENPOT_SMTP_DEFAULT_FROM=${PENPOT_SMTP_DEFAULT_FROM}
-      - PENPOT_SMTP_DEFAULT_REPLY_TO=${PENPOT_SMTP_DEFAULT_REPLY_TO}
-      - PENPOT_SMTP_HOST=${PENPOT_SMTP_HOST}
-      - PENPOT_SMTP_PORT=${PENPOT_SMTP_PORT}
-      - PENPOT_SMTP_USERNAME=${PENPOT_SMTP_USERNAME}
-      - PENPOT_SMTP_PASSWORD=${PENPOT_SMTP_PASSWORD}
-      - PENPOT_SMTP_TLS=${PENPOT_SMTP_TLS}
-      - PENPOT_SMTP_SSL=${PENPOT_SMTP_SSL}
+      - PENPOT_REDIS_URI=redis://penpot-redis/0
+      - PENPOT_SMTP_DEFAULT_FROM
+      - PENPOT_SMTP_DEFAULT_REPLY_TO
+      - PENPOT_SMTP_HOST
+      - PENPOT_SMTP_PORT
+      - PENPOT_SMTP_USERNAME
+      - PENPOT_SMTP_PASSWORD
+      - PENPOT_SMTP_TLS
+      - PENPOT_SMTP_SSL
+      - PENPOT_ASSETS_STORAGE_BACKEND
+      - PENPOT_ASSETS_FS_DIRECTORY
+      - PENPOT_STORAGE_ASSETS_S3_ENDPOINT
+      - PENPOT_STORAGE_ASSETS_S3_BUCKET
+      - AWS_ACCESS_KEY_ID
+      - AWS_SECRET_ACCESS_KEY
+    secrets:
+      - db_password
+      - secret_key
+    configs:
+      - source: backend_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /docker-entrypoint.sh
     networks:
-      - backend
-      # FIXME 3wc: this is only required for email
-      - proxy
-    deploy:
-      labels:
-        - coop-cloud.${STACK_NAME}.penpot-backend.version=1.4.0-alpha-
+      - internal
+
   penpot-exporter:
-    image: "penpotapp/exporter:1.4.0-alpha"
+    image: "penpotapp/exporter:1.19.3"
     environment:
-      # Don't touch it; this uses internal docker network to
-      # communicate with the frontend.
       - PENPOT_PUBLIC_URI=http://app
+      - PENPOT_REDIS_URI=redis://penpot-redis/0
     networks:
-      - backend
-    deploy:
-      labels:
-        - coop-cloud.${STACK_NAME}.penpot-exporter.version=1.4.0-alpha-617c54da
-  postgres:
-    image: "postgres:13"
+      - internal
+
+  penpot-postgres:
+    image: "postgres:16.2"
     stop_signal: SIGINT
+    secrets:
+      - db_password
     environment:
       - POSTGRES_INITDB_ARGS=--data-checksums
       - POSTGRES_DB=penpot
       - POSTGRES_USER=penpot
-      - POSTGRES_PASSWORD=penpot
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
     volumes:
       - postgres:/var/lib/postgresql/data
     networks:
-      - backend
-    deploy:
-      labels:
-        - coop-cloud.${STACK_NAME}.postgres.version=13-61d5d8ef
-  redis:
-    image: redis:6
+      - internal
+
+  penpot-redis:
+    image: redis:7.2.4
     networks:
-      - backend
-    deploy:
-      labels:
-        - coop-cloud.${STACK_NAME}.redis.version=6-e10f55f9
+      - internal
+
 networks:
+  internal:
   proxy:
     external: true
-  backend:
+
 volumes:
   postgres:
   penpot_assets:
+
+configs:
+  backend_entrypoint:
+    name: ${STACK_NAME}_backend_entrypoint_${BACKEND_ENTRYPOINT_CONF_VERSION}
+    file: entrypoint-backend.sh
+
+secrets:
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  secret_key:
+    external: true
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}

entrypoint-backend.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+file_env() {
+	# 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+	# 	https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+load_vars() {
+	file_env "PENPOT_DATABASE_PASSWORD"
+  file_env "PENPOT_SECRET_KEY"
+	file_env "PENPOT_SMTP_PASSWORD"
+	file_env "PENPOT_LDAP_BIND_PASSWORD"
+	file_env "PENPOT_GOOGLE_CLIENT_SECRET"
+	file_env "PENPOT_GITHUB_CLIENT_SECRET"
+	file_env "PENPOT_GITLAB_CLIENT_SECRET"
+	file_env "PENPOT_OIDC_CLIENT_SECRET"
+}
+
+main() {
+	set -eu
+
+	load_vars
+}
+
+main
+
+# 3wc: upstream ENTRYPOINT
+# https://github.com/penpot/penpot/blob/develop/docker/images/Dockerfile.backend
+./run.sh

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}