From 515f110b2f295d8699125dfc6dddd7e14b3f3b26 Mon Sep 17 00:00:00 2001
From: cellarspoon
Date: Thu, 9 Dec 2021 14:03:46 +0100
Subject: [PATCH] init
---
 .env.sample | 34 +++++++++++++++++++
 README.md | 56 +++++++++++++++++++++++++++++++
 abra.sh | 2 ++
 compose.keycloak.yml | 28 ++++++++++++++++
 compose.yml | 80 ++++++++++++++++++++++++++++++++++++++++++++
 config.ini.tmpl | 72 +++++++++++++++++++++++++++++++++++++++
 entrypoint.sh | 3 ++
 first_deploy.sh | 18 ++++++++++
 8 files changed, 293 insertions(+)
 create mode 100644 .env.sample
 create mode 100644 README.md
 create mode 100644 abra.sh
 create mode 100644 compose.keycloak.yml
 create mode 100644 compose.yml
 create mode 100644 config.ini.tmpl
 create mode 100644 entrypoint.sh
 create mode 100755 first_deploy.sh
diff --git a/.env.sample b/.env.sample
new file mode 100644
index 0000000..56567de
--- /dev/null
+++ b/.env.sample
@@ -0,0 +1,34 @@
+TYPE=writefreely
+
+DOMAIN=writefreely.example.com
+HOST_URL=https://${DOMAIN}
+SITE_NAME=writefreely
+
+FEDERATION=true
+LOCAL_TIMELINE=false
+OPEN_DELETION=false
+OPEN_REGISTRATION=true
+PRIVATE=true
+PUBLIC_STATS=true
+SITE_DESCRIPTION=
+SITE_THEME=write
+
+#This is here so later lines can extend it; you likely don't wanna edit
+COMPOSE_FILE="compose.yml"
+
+## Domain aliases
+#EXTRA_DOMAINS=', `www.writefreely.example.com`'
+LETS_ENCRYPT_ENV=production
+
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
+
+## Set both for keycloak. See README.md for explanation
+#KEYCLOAK_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
+#OAUTH_CLIENT_ID=writefreely
+#OAUTH_HOST=
+#OAUTH_CLIENT_SECRET=
+#OAUTH_LOGIN_BUTTON=
+#CONFIG_OAUTH_WRITEFREELY_VERSION=v1
+#SECRET_OAUTH_CLIENT_SECRET_VERSION=v1
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8793d8b
--- /dev/null
+++ b/README.md
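Review bot: `#OAUTH_CLIENT_SECRET=` in the keycloak block is a dead setting that invites writing the client secret into the plaintext env file: compose.keycloak.yml mounts it as the Docker secret `oauth_client_secret` and config.ini.tmpl reads `{{ secret "oauth_client_secret" }}`, so nothing in this commit consumes an `OAUTH_CLIENT_SECRET` variable. Drop the line, or replace it with a pointer such as `# client secret lives in the Docker secret oauth_client_secret (see SECRET_OAUTH_CLIENT_SECRET_VERSION), not in this file`. Separately, `OPEN_REGISTRATION=true` is an open-by-default choice that every new deployment inherits from this sample; a one-line comment saying it is intentional (or flipping it to `false`) would save operators from discovering it after the fact.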
@@ -0,0 +1,56 @@
+# writefreely
+
+> An open source platform for building a writing space on the web.
+
+
+
+- **Category**: Apps
+- **Status**: 2, beta
+- **Image**: [`writeas/writefreely`](https://hub.docker.com/r/writeas/writefreely), 4, upstream
+- **Healthcheck**: 3
+- **Backups**: 1
+- **Email**: 3
+- **Tests**: No
+- **SSO**: 1
+
+
+
+## Basic usage
+
+1. Set up Docker Swarm and [`abra`]
+2. Deploy [`coop-cloud/traefik`]
+3. `abra app new writefreely --secrets` (optionally with `--pass` if you'd like
+ to save secrets in `pass`)
+4. `abra app YOURAPPDOMAIN config` - be sure to change `DOMAIN` to something that resolves to
+ your Docker swarm box
+5. `abra app YOURAPPDOMAIN deploy`
+6. Open the configured domain in your browser to finish set-up
+
+## Post-install
+
+```
+./first_deploy.sh
+```
+
+## Keycloak setup
+
+Until [this](https://github.com/writefreely/writefreely/issues/516) is fixed, you have to migrate the db yourself.
+
+Get into a db shell with the following:
+
+```
+db_passwd=$(abra app run db cat /run/secrets/db_password)
+abra app run db mysql -u writeas -p"$db_passwd" writefreely
+```
+
+Run the migration:
+
+```
+ALTER TABLE 'oauth_users' MODIFY 'access_token' varchar(2048);
+```
+
+For the **OAUTH_HOST** config, it uses this format: `https://keycloak.domain.here/auth/realms//protocol/openid-connect`.
+
+## Acknowledgements
+
+Thanks to [@knoflook](https://git.coopcloud.tech/knoflook) for packaging work :heart:
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..6ca5c75
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1,2 @@
+export CONFIG_WRITEFREELY_VERSION=v1
+export CONFIG_ENTRYPOINT_VERSION=v1
diff --git a/compose.keycloak.yml b/compose.keycloak.yml
new file mode 100644
index 0000000..a770d0a
--- /dev/null
+++ b/compose.keycloak.yml
@@ -0,0 +1,28 @@ +--- +version: "3.8" + +services: + app: + secrets: + - db_password + - oauth_client_secret + environment: + - FEDERATION + - HOST_URL + - KEYCLOAK_ENABLED + - LOCAL_TIMELINE + - OAUTH_CLIENT_ID + - OAUTH_HOST + - OAUTH_LOGIN_BUTTON + - OPEN_DELETION + - OPEN_REGISTRATION + - PRIVATE + - PUBLIC_STATS + - SITE_DESCRIPTION + - SITE_NAME + - SITE_THEME + +secrets: + oauth_client_secret: + external: true + name: ${STACK_NAME}_oauth_client_secret_${SECRET_OAUTH_CLIENT_SECRET_VERSION}
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..08c8657
--- /dev/null
+++ b/compose.yml
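Review bot: The `environment:` list under `app` repeats every variable compose.yml already passes, although Compose (and, as far as I know, `docker stack deploy` with several `-c` files) merges `environment` entries across files, so only the four keycloak-specific names (`KEYCLOAK_ENABLED`, `OAUTH_CLIENT_ID`, `OAUTH_HOST`, `OAUTH_LOGIN_BUTTON`) need to be listed here; the repeated `db_password` under `secrets:` is the same story. Trimming the override to what it actually adds makes it obvious which settings the keycloak variant introduces and stops the two lists from drifting apart the next time compose.yml gains a variable.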
@@ -0,0 +1,80 @@ +--- +version: "3.8" + +services: + app: + image: "writeas/writefreely:latest" + environment: + - DB_PASSWORD_FILE=/run/secrets/db_password + - FEDERATION + - HOST_URL + - LOCAL_TIMELINE + - OPEN_DELETION + - OPEN_REGISTRATION + - PRIVATE + - PUBLIC_STATS + - SITE_DESCRIPTION + - SITE_NAME + - SITE_THEME + configs: + - source: config_ini + target: /go/config.ini + secrets: + - db_password + volumes: + - "web-keys:/go/keys" + networks: + - internal + - proxy + deploy: + update_config: + failure_action: rollback + order: start-first + labels: + - "traefik.enable=true" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" + - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" + - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" + - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" + - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" + - "coop-cloud.${STACK_NAME}.version=0.1.0+latest" + + db: + image: "mariadb:10.7" + environment: + - MYSQL_DATABASE=writefreely + - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password + - MYSQL_PASSWORD_FILE=/run/secrets/db_password + - MYSQL_USER=writeas + volumes: + - "db:/var/lib/mysql" + networks: + - internal + secrets: + - db_root_password + - db_password + +volumes: + web-keys: + db: + +networks: + proxy: + external: true + internal: + +secrets: + db_root_password: + external: true + name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION} + db_password: + external: true + name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} + +configs: + config_ini: + name: ${STACK_NAME}_config_${CONFIG_WRITEFREELY_VERSION} + file: config.ini.tmpl + template_driver: golang 
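Review bot: `image: "writeas/writefreely:latest"` is unpinned, so what a deployment runs is whatever upstream last pushed to that tag, and two deploys of the same recipe revision can run different code; the `coop-cloud.${STACK_NAME}.version=0.1.0+latest` label a few lines below then also fails to say which upstream build the recipe was packaged against. Pin an upstream release tag (and ideally its digest), e.g. `image: "writeas/writefreely:<PINNED_UPSTREAM_VERSION>"`, and keep the label's `+` suffix in step with it. Separately, the commit adds `entrypoint.sh` and `abra.sh` exports `CONFIG_ENTRYPOINT_VERSION`, but this file declares no config for it and the `app` service sets no `entrypoint`, so that script is never used — either wire it in under `configs:` or drop it. A `healthcheck:` on `app` would also give the `order: start-first` update something to wait on before the old task is removed.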
diff --git a/config.ini.tmpl b/config.ini.tmpl
new file mode 100644
index 0000000..fe206c7
--- /dev/null
+++ b/config.ini.tmpl
@@ -0,0 +1,72 @@
+[server]
+hidden_host =
+port = 8080
+bind = 0.0.0.0
+tls_cert_path =
+tls_key_path =
+autocert = false
+templates_parent_dir =
+static_parent_dir =
+pages_parent_dir =
+keys_parent_dir =
+hash_seed =
+gopher_port = 0
+
+[database]
+type = mysql
+filename =
+username = writeas
+password = {{ secret "db_password" }}
+database = writefreely
+host = db
+port = 3306
+tls = false
+
+[app]
+site_name = {{ env "SITE_NAME" }}
+site_description = {{ env "SITE_DESCRIPTION" }}
+host = {{ env "HOST_URL" }}
+theme = {{ env "SITE_THEME" }}
+editor =
+disable_js = false
+webfonts = true
+landing =
+simple_nav = false
+wf_modesty = false
+chorus = false
+forest = false
+disable_drafts = false
+single_user = false
+open_registration = {{ env "OPEN_REGISTRATION" }}
+open_deletion = {{ env "OPEN_DELETION" }}
+min_username_len = 3
+max_blogs = 10
+federation = {{ env "FEDERATION" }}
+public_stats = {{ env "PUBLIC_STATS" }}
+monetization = false
+notes_only = false
+private = {{ env "PRIVATE" }}
+local_timeline = {{ env "LOCAL_TIMELINE" }}
+user_invites =
+default_visibility =
+update_checks = false
+disable_password_auth = true
+
+{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
+[oauth.generic]
+client_id = {{ env "OAUTH_CLIENT_ID" }}
+client_secret = {{ secret "oauth_client_secret" }}
+host = {{ env "OAUTH_HOST" }}
+display_name = {{ env "OAUTH_LOGIN_BUTTON" }}
+callback_proxy =
+callback_proxy_api =
+token_endpoint = /token
+inspect_endpoint = /userinfo
+auth_endpoint = /auth
+scope = openid profile email
+allow_disconnect = false
+map_user_id = sub
+map_username = preferred_username
+map_display_name =
+map_email = email
+{{ end }}
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..e49b6fd
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/go/cmd/writefreely/writefreely
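Review bot: `disable_password_auth = true` is unconditional while the `[oauth.generic]` section below it is only rendered when `KEYCLOAK_ENABLED` is `"1"`, so a deployment made from the default `.env.sample` (keycloak commented out) has password login switched off and no OAuth provider configured — as far as I can tell from the template alone, nobody can sign in. Tie the two together: `disable_password_auth = {{ if eq (env "KEYCLOAK_ENABLED") "1" }}true{{ else }}false{{ end }}`. `hash_seed =` is also left empty; I am not certain how writefreely treats an empty seed, so a short comment saying whether that is deliberate or should be filled from a secret would help the next person who reads this.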
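Review bot: The server is started as a child of `sh` rather than replacing it, so the shell is PID 1 and the SIGTERM from `docker stop` is delivered to `sh`, which does not forward it; the daemon is then killed after the grace period instead of shutting down cleanly. Use `exec /go/cmd/writefreely/writefreely` on the last line. Note also that nothing in compose.yml references this script, so as committed it is never run.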
diff --git a/first_deploy.sh b/first_deploy.sh
new file mode 100755
index 0000000..39e3732
--- /dev/null
+++ b/first_deploy.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+function show_help () {
+ echo "usage: ./first_deploy.sh [app name]"
+}
+
+if [[ $1 == "" ]]; then
+ show_help
+ exit 1
+fi
+
+app=$1
+
+abra app run $app app /go/cmd/writefreely/writefreely --init-db
+passwd=`abra app run $app db cat /run/secrets/db_password`
+echo 'ALTER TABLE `oauth_users` MODIFY `access_token` varchar(2048)' | abra app run $app db mysql -u writeas -p$passwd writefreely
+
+exit 0
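Review bot: The db password is pulled back to the operator's machine and then passed as `-p$passwd`, which puts it on the `mysql` command line where it is readable from the process list (inside the container, and by privileged users on the host), and the unquoted `$passwd` and `$app` break on whitespace or glob characters. The script also has no `set -e` and ends in `exit 0`, so a failed `--init-db` or a failed migration still reports success. Read the secret inside the db container and hand it to the client through `MYSQL_PWD`, which stays in the environment rather than argv, fail fast, and quote the expansions; this assumes `abra app run` forwards stdin, which the existing pipe already relies on. The README's copy of this migration quotes the identifiers with single quotes, which MySQL reads as string literals — the backtick form used here is the correct one.
```bash
#!/bin/bash
set -euo pipefail
# … unchanged: show_help and the argument check …
app=$1

abra app run "$app" app /go/cmd/writefreely/writefreely --init-db
# Read the secret inside the db container; MYSQL_PWD keeps it out of argv.
echo 'ALTER TABLE `oauth_users` MODIFY `access_token` varchar(2048)' \
  | abra app run "$app" db sh -c 'MYSQL_PWD=$(cat /run/secrets/db_password) exec mysql -u writeas writefreely'
```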