chore: publish 1.2.0+0.24.6 release

Reviewed-on: #3
Reviewed-by: simon <simon@noreply.git.coopcloud.tech>

.drone.yml

@@ -17,7 +17,9 @@ steps:
       DOMAIN: authentik.swarm-test.autonomic.zone
       STACK_NAME: authentik
       LETS_ENCRYPT_ENV: production
-      CONFIG_YML_VERSION: v1
+      CONFIG_YML_VERSION: v9
+      HEALTHCHECK_VERSION: v1
+      PG_BACKUP_VERSION: v2
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_JWT_SECRET_VERSION: v1
 
@@ -36,8 +38,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag
-

.env.sample

@@ -1,22 +1,32 @@
 TYPE=vikunja
 TIMEOUT=300
 ENABLE_AUTO_UPDATE=true
+ENABLE_BACKUPS=true
 
 DOMAIN=vikunja.example.com
 
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.vikunja.example.com`'
+#REDIRECT_DOMAIN=www.vikunja.example.com
 
 LETS_ENCRYPT_ENV=production
 
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_JWT_SECRET_VERSION=v1
 
-LOG_LEVEL=INFO
+VIKUNJA_LOG_LEVEL=INFO
+VIKUNJA_LOG_DATABASELEVEL=INFO
+VIKUNJA_LOG_DATABASE=stdout
+VIKUNJA_LOG_EVENTS=stdout
+VIKUNJA_LOG_MAIL=stdout
 
 COMPOSE_FILE=compose.yml
 
 #VIKUNJA_RATELIMIT_NOAUTHLIMIT=10
+VIKUNJA_DEFAULTSETTINGS_DISCOVERABLE_BY_NAME=true
+VIKUNJA_DEFAULTSETTINGS_DISCOVERABLE_BY_EMAIL=true
+VIKUNJA_SERVICE_ENABLEREGISTRATION=false
+VIKUNJA_AUTH_LOCAL_ENABLED=false
 
 # SSO OAUTH
 # e.g. see https://goauthentik.io/integrations/services/vikunja/
@@ -30,9 +40,9 @@ COMPOSE_FILE=compose.yml
 
 # E-MAIL
 # COMPOSE_FILE="${COMPOSE_FILE}:compose.smtp.yml"
-# SMTP_ENABLED=true
+# VIKUNJA_MAILER_ENABLED=true
-# SMTP_HOST=mail.example.com
+# VIKUNJA_MAILER_HOST=mail.example.com
-# SMTP_AUTHTYPE=plain # possible: plain, login, cram-md5
+# VIKUNJA_MAILER_AUTHTYPE=plain # possible: plain, login, cram-md5
-# SMTP_USER=user
+# VIKUNJA_MAILER_USERNAME=user
-# SMTP_FROM_EMAIL=user@example.com
+# VIKUNJA_MAILER_FROMEMAIL=user@example.com
 # SECRET_SMTP_PASSWORD_VERSION=v1

README.md

@@ -23,3 +23,28 @@ Organize everything, on all platforms
 * `abra app deploy <app-name>`
 
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
+
+
+## Healthcheck
+
+Vikunja uses a docker [scratch](https://hub.docker.com/_/scratch/) image, that is completely empty, therefore it is necessary to copy a statically build healthcheck binary into the container to perform the healthcheck.
+
+To verify the binary in this recipe run this code:
+
+```
+# Set the source date epoch for reproducibility
+export SOURCE_DATE_EPOCH=1640995200
+export DOCKER_BUILDKIT=1
+
+# Build the Docker image
+docker build --build-arg SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} -t healthcheck -f healthcheck_Dockerfile .
+
+# Create container, extract binary and remove the container
+docker create --name healthcheck_builder healthcheck
+docker cp healthcheck_builder:/app/healthcheck .
+docker rm healthcheck_builder
+
+# Check if the build is reproducible by calculating hash
+sha256sum healthcheck
+```
+The sha256 checksum should be **c7c12a0eb019edd275c3f5a9302c70b2112941a8c0b9d9128d26c66a81a263c6**

abra.sh

@@ -1 +1,3 @@
-export CONFIG_YML_VERSION=v7
+export CONFIG_YML_VERSION=v9
+export HEALTHCHECK_VERSION=v1
+export PG_BACKUP_VERSION=v2

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: vikunja/vikunja:0.24.0
+    image: vikunja/vikunja:0.24.6
     environment:
       - DOMAIN
       - LOG_LEVEL
@@ -15,10 +15,27 @@ services:
       - VIKUNJA_DATABASE_USER=vikunja
       - VIKUNJA_DATABASE_DATABASE=vikunja
       - VIKUNJA_SERVICE_JWTSECRET_FILE=/run/secrets/jwt_secret
-      - VIKUNJA_REDIS_ENABLED=0
+      - VIKUNJA_REDIS_ENABLED=1
-      # - VIKUNJA_REDIS_HOST='${STACK_NAME}_redis:6379'
+      - VIKUNJA_REDIS_HOST=redis:6379
       - VIKUNJA_CACHE_ENABLED=1
-      - VIKUNJA_CACHE_TYPE=memory
+      - VIKUNJA_CACHE_TYPE=redis
+      - VIKUNJA_SERVICE_ENABLEREGISTRATION=false
+      - VIKUNJA_SERVICE_JWTTTL=604800
+      - VIKUNJA_MAILER_ENABLED
+      - VIKUNJA_MAILER_HOST
+      - VIKUNJA_MAILER_AUTHTYPE
+      - VIKUNJA_MAILER_USERNAME
+      - VIKUNJA_MAILER_PASSWORD_FILE=/run/secrets/smtp_password
+      - VIKUNJA_MAILER_FROMEMAIL
+      - VIKUNJA_LOG_LEVEL
+      - VIKUNJA_LOG_DATABASE
+      - VIKUNJA_LOG_DATABASELEVEL
+      - VIKUNJA_LOG_EVENTS
+      - VIKUNJA_LOG_MAIL
+      - VIKUNJA_KEYVALUE_TYPE=redis
+      - VIKUNJA_AUTH_LOCAL_ENABLED
+      - VIKUNJA_DEFAULTSETTINGS_DISCOVERABLE_BY_NAME
+      - VIKUNJA_DEFAULTSETTINGS_DISCOVERABLE_BY_EMAIL
     volumes: 
       - files:/app/vikunja/files
     networks:
@@ -30,30 +47,33 @@ services:
     configs:
       - source: config_yml
         target: /etc/vikunja/config.yml
+      - source: healthcheck
+        target: /healthcheck
+        mode: 555
     deploy:
       labels:
         - "traefik.enable=true"
-        # - "traefik.docker.network=web"
+        - "traefik.docker.network=proxy"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=3456"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.regex=^https://${REDIRECT_DOMAIN:-example.com}(.*)"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}$${1}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=1.0.0+0.24.0"
+        - "coop-cloud.${STACK_NAME}.version=1.2.0+0.24.6"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
     healthcheck:
-      test: [ "CMD", "curl", "-f", "http://localhost" ]
+      test: [ "CMD", "/healthcheck"]
       interval: 30s
       timeout: 10s
       retries: 10
       start_period: 1m
 
-  # redis:
+  redis:
-  #   image: redis
+    image: redis:8.2.2-alpine
-  #   networks:
+    networks:
-  #     - internal
+      - internal
-  #   ports:
-  #     - "6379:6379"
-
 
   db:
     image: postgres:13
@@ -72,10 +92,14 @@ services:
       - db_password
     deploy:
       labels:
-        backupbot.backup: "true"
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
-        backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-        backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
+        backupbot.backup.volumes.db.path: "backup.sql"
-        backupbot.backup.path: "/var/lib/postgresql/data/backup.sql"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
 
 volumes:
   files:
@@ -93,6 +117,12 @@ configs:
     name: ${STACK_NAME}_config_yml_${CONFIG_YML_VERSION}
     file: config.yml.tmpl
     template_driver: golang
+  healthcheck:
+    name: ${STACK_NAME}_healthcheck_${HEALTHCHECK_VERSION}
+    file: healthcheck
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh
 
 secrets:
   db_password:

config.yml.tmpl

@@ -1,131 +1,23 @@
+# https://kolaente.dev/vikunja/vikunja/src/commit/eee7b060b65fb9b35c0bca0e4f69b66b56a8fe0f/config.yml.sample
+# https://vikunja.io/docs/config-options
+
 service:
-  # This token is used to verify issued JWT tokens.
-  # Default is a random token which will be generated at each startup of Vikunja.
-  # (This means all already issued tokens will be invalid once you restart Vikunja)
   JWTSecret: {{ secret "jwt_secret" }}
-  # The public facing URL where your users can reach Vikunja. Used in emails and for the communication between api and frontend.
-  publicurl: "https://{{ env "DOMAIN" }}"
-  
 database:
-  # Database type to use. Supported values are mysql, postgres and sqlite. Vikunja is able to run with MySQL 8.0+, Mariadb 10.2+, PostgreSQL 12+, and sqlite.
-  type: "postgres"
-  # Database user which is used to connect to the database.
-  user: "vikunja"
-  # Database password
   password: "{{ secret "db_password" }}"
-  # Database host
+{{ if eq (env "VIKUNJA_MAILER_ENABLED") "true" }}
-  host: "localhost"
-  # Database to use
-  database: "vikunja"
-  # When using sqlite, this is the path where to store the data
-  path: "./vikunja.db"
-  # Sets the max open connections to the database. Only used when using mysql and postgres.
-  maxopenconnections: 100
-  # Sets the maximum number of idle connections to the db.
-  maxidleconnections: 50
-  # The maximum lifetime of a single db connection in milliseconds.
-  maxconnectionlifetime: 10000
-  # Secure connection mode. Only used with postgres.
-  # (see https://pkg.go.dev/github.com/lib/pq?tab=doc#hdr-Connection_String_Parameters)
-  sslmode: disable
-  # The path to the client cert. Only used with postgres.
-  sslcert: ""
-  # The path to the client key. Only used with postgres.
-  sslkey: ""
-  # The path to the ca cert. Only used with postgres.
-  sslrootcert: ""
-  # Enable SSL/TLS for mysql connections. Options: false, true, skip-verify, preferred
-  tls: false
-
-{{ if eq (env "SMTP_ENABLED") "true" }}
 mailer:
-  # Whether to enable the mailer or not. If it is disabled, all users are enabled right away and password reset is not possible.
-  enabled: {{ env "SMTP_ENABLED" }}
-  # SMTP Host
-  host: {{ env "SMTP_HOST" }}
-  # SMTP Host port.
-  # **NOTE:** If you're unable to send mail and the only error you see in the logs is an `EOF`, try setting the port to `25`.
-  port: 587
-  # SMTP Auth Type. Can be either `plain`, `login` or `cram-md5`.
-  authtype: {{ env "SMTP_AUTHTYPE" }}
-  # SMTP username
-  username: {{ env "SMTP_USER" }}
-  # SMTP password
   password: {{ secret "smtp_password" }}
-  # Whether to skip verification of the tls certificate on the server
-  skiptlsverify: false
-  # The default from address when sending emails
-  fromemail: {{ env "SMTP_FROM_EMAIL" }}
-  # The length of the mail queue.
-  queuelength: 100
-  # The timeout in seconds after which the current open connection to the mailserver will be closed.
-  queuetimeout: 30
-  # By default, Vikunja will try to connect with starttls, use this option to force it to use ssl.
-  forcessl: false
 {{ end }}
-
-log:
-  # A folder where all the logfiles should go.
-  path: <rootpath>logs
-  # Whether to show any logging at all or none
-  enabled: true
-  # Where the normal log should go. Possible values are stdout, stderr, file or off to disable standard logging.
-  standard: "stdout"
-  # Change the log level. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
-  level: {{ env "LOG_LEVEL" }}
-  # Whether or not to log database queries. Useful for debugging. Possible values are stdout, stderr, file or off to disable database logging.
-  database: "stdout"
-  # The log level for database log messages. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
-  databaselevel: "INFO"
-  # Whether to log http requests or not. Possible values are stdout, stderr, file or off to disable http logging.
-  http: "stdout"
-  # Echo has its own logging which usually is unnecessary, which is why it is disabled by default. Possible values are stdout, stderr, file or off to disable standard logging.
-  echo: "off"
-  # Whether or not to log events. Useful for debugging. Possible values are stdout, stderr, file or off to disable events logging.
-  events: "stdout"
-  # The log level for event log messages. Possible values (case-insensitive) are ERROR, INFO, DEBUG.
-  eventslevel: "info"
-  # Whether or not to log mail log messages. This will not log mail contents. Possible values are stdout, stderr, file or off to disable mail-related logging.
-  mail: "stdout"
-  # The log level for mail log messages. Possible values (case-insensitive) are ERROR, WARNING, INFO, DEBUG.
-  maillevel: "info"
-
-auth:
-  # Local authentication will let users log in and register (if enabled) through the db.
-  # This is the default auth mechanism and does not require any additional configuration.
-  local:
-    # Enable or disable local authentication
-    enabled: false
-  # OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
-  # The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
-  # **Note:** Some openid providers (like Gitlab) only make the email of the user available through OpenID if they have set it to be publicly visible.
-  # If the email is not public in those cases, authenticating will fail.
-  # +**Note 2:** The frontend expects the third party to redirect the user <frontend-url>/auth/openid/<auth key> after authentication. Please make sure to configure the redirect url in your third party auth service accordingly if you're using the default Vikunja frontend.    
-  # The frontend will automatically provide the API with the redirect url, composed from the current url where it's hosted.
-  # If you want to use the desktop client with OpenID, make sure to allow redirects to `127.0.0.1`.
-  # Take a look at the [default config file](https://kolaente.dev/vikunja/vikunja/src/branch/main/config.yml.sample) for more information about how to configure openid authentication.
 {{ if eq (env "OAUTH_ENABLED") "true" }}
+auth:
   openid:
-    # Enable or disable OpenID Connect authentication
     enabled: {{ env "OAUTH_ENABLED" }}
-    # The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
-    # frontend, you don't need to change this value.
-    redirecturl: https://{{ env "DOMAIN" }}/auth/openid/
-    # A list of enabled providers
     providers:
-      # The name of the provider as it will appear in the frontend.
       - name: {{ env "OAUTH_NAME" }}
-        # The auth url to send users to if they want to authenticate using OpenID Connect.
         authurl: {{ env "OAUTH_URL" }}
-        # The oidc logouturl that users will be redirected to on logout.
-        # Leave empty or delete key, if you do not want to be redirected.
         logouturl: {{ env "OAUTH_LOGOUT_URL" }}
-        # The client ID used to authenticate Vikunja at the OpenID Connect provider.
         clientid: {{ env "OAUTH_CLIENT_ID" }}
-        # The client secret used to authenticate Vikunja at the OpenID Connect provider.
         clientsecret: {{ secret "oauth_secret" }}
-        # The scope necessary to use oidc.
-        # If you want to use the Feature to create and assign to Vikunja teams via oidc, you have to add the custom "vikunja_scope" and check [openid.md](https://vikunja.io/docs/openid/).
-        # e.g. scope: openid email profile vikunja_scope
         scope: openid email profile
 {{ end }}

debug_Dockerfile

@@ -0,0 +1,16 @@
+FROM vikunja/vikunja:0.24.2 AS vikunja-scratch
+
+FROM alpine
+
+RUN apk add --upgrade --no-cache vim bash curl
+
+WORKDIR /app/vikunja
+CMD [ "/app/vikunja/vikunja" ]
+EXPOSE 3456
+USER 1000
+
+ENV VIKUNJA_SERVICE_ROOTPATH=/app/vikunja/
+ENV VIKUNJA_DATABASE_PATH=/db/vikunja.db
+
+COPY --from=vikunja-scratch /app/vikunja /app/vikunja
+COPY --from=vikunja-scratch /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

healthcheck.c

@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+
+int main() {
+    int sockfd;
+    struct sockaddr_in server_addr;
+    char request[] = "HEAD / HTTP/1.1\r\nHost: localhost\r\n\r\n";
+    char response[1024];
+    int received_bytes;
+
+    sockfd = socket(AF_INET, SOCK_STREAM, 0);
+    if (sockfd < 0) {
+        perror("socket");
+        return 1;
+    }
+
+    server_addr.sin_family = AF_INET;
+    server_addr.sin_port = htons(3456);
+    server_addr.sin_addr.s_addr = inet_addr("127.0.0.1");
+
+    if (connect(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
+        perror("connect");
+        close(sockfd);
+        return 1;
+    }
+
+    send(sockfd, request, strlen(request), 0);
+
+    received_bytes = recv(sockfd, response, sizeof(response) - 1, 0);
+    if (received_bytes < 0) {
+        perror("recv");
+        close(sockfd);
+        return 1;
+    }
+
+    // Null-terminieren der empfangenen Bytes
+    response[received_bytes] = '\0';
+
+    // Statuscode extrahieren (erste Zeile enthält den Statuscode)
+    char *status_line = strtok(response, "\r\n");
+    printf("Response: %s\n", status_line);
+
+    close(sockfd);
+    return 0;
+}

healthcheck_Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine:latest
+
+ENV SOURCE_DATE_EPOCH=1640995200
+
+RUN apk add --no-cache gcc musl-dev
+
+WORKDIR /app
+
+COPY healthcheck.c /app
+
+RUN gcc -o healthcheck healthcheck.c -static
+
+CMD ["./healthcheck"]

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

release/1.0.0+0.24.2

@@ -0,0 +1 @@
+API and frontend are merged. Undeploy and deploy for an upgrade. Do a backup before upgrading.