chore: publish 2.1.0+6.5.0-34 release

.drone.yml

@@ -32,7 +32,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,13 +1,38 @@
 TYPE=zammad
 
 DOMAIN=zammad.example.com
+TIMEOUT=600
+ENABLE_BACKUPS=true
 
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.zammad.example.com`'
 
 LETS_ENCRYPT_ENV=production
+COMPOSE_FILE="compose.yml"
 
 SECRET_DB_PASSWORD_VERSION=v1
+SECRET_SMTP_PASSWORD_VERSION=v1
+SECRET_ADMIN_PASSWORD_VERSION=v1
 
 #RAILS_TRUSTED_PROXIES=['127.0.0.1', '::1', 'your-traefik_app']
-X_FRAME_OPTIONS_ALLOW_FROM=none
+## Initialization ##
+PRODUCT_NAME="Support"
+ORGANIZATION="Test Org"
+# TIMEZONE="Europe/Berlin"
+LOCALE="de-de"
+
+ADMIN_EMAIL=admin@example.com
+SMTP_HOST=mail.example.com
+SMTP_LOGIN=user@example.com
+SMTP_PORT=465
+
+## SAML SSO ##
+#SSO_PROVIDER_DOMAIN=authentik.example.com
+#IDP_SSO_TARGET_URL=https://authentik.example.com/application/saml/zammad/sso/binding/init/
+#IDP_SLO_SERVICE_URL=https://zammad.example.com/auth/saml/slo
+
+
+## Zammad internal backups
+# COMPOSE_FILE="$COMPOSE_FILE:compose.backup.yml"
+# BACKUP_TIME=03:00"
+# HOLD_DAYS=10

README.md

@@ -1,17 +1,17 @@
 # zammad
 
-> One line description of the recipe
+Zammad is a free helpdesk or issue tracking system. 
 
 <!-- metadata -->
 
 * **Category**: Apps
 * **Status**: 0
 * **Image**: [`zammad`](https://hub.docker.com/r/zammad), 4, upstream
-* **Healthcheck**: No
+* **Healthcheck**: Yes
 * **Backups**: No
-* **Email**: No
+* **Email**: Yes
 * **Tests**: No
-* **SSO**: No
+* **SSO**: Yes
 
 <!-- endmetadata -->
 
@@ -21,6 +21,28 @@ if using elasticsearch, set on your host: `vm.max_map_count=262144`  in `/etc/sy
 
 * `abra app new zammad --secrets`
 * `abra app config <app-name>`
+* `abra app secret insert <app-name> smtp_password v1 <password>`
+* `abra app secret generate -a <app-name>`
 * `abra app deploy <app-name>`
 
+Either use the web wizard for the initial setup or run: `abra app cmd <app-name> zammad-railsserver init`
+
+## Authentik SSO
+
+* `abra app config <app-name>`
+```
+SSO_PROVIDER_DOMAIN=authentik.example.com
+IDP_SSO_TARGET_URL=https://authentik.example.com/application/saml/zammad/sso/binding/init/
+IDP_SLO_SERVICE_URL=https://authentik.example.com/application/saml/zammad/slo/binding/redirect/
+```
+Run:
+`abra app cmd --local <app_name> enable_authentik_sso`
+
+## Useful Commands
+
+Show changed settings: `abra app cmd <app_name> zammad-railsserver get_setting_changes`
+
+Open rails console: `abra app cmd <app_name> zammad-railsserver console`
+
+
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).

abra.sh

@@ -1 +1,53 @@
-export ENTRYPOINT_VERSION=v1
+export ENTRYPOINT_VERSION=v2
+export AUTO_WIZARD_VERSION=v2
+export PG_BACKUP_VERSION=v2
+
+get_setting_changes() {
+    /custom-entrypoint.sh "rails r 'puts JSON.pretty_generate(JSON.parse(Setting.all.select{ |setting| setting.state_current != setting.state_initial }.map { |setting| {name: setting.name, value: setting.state_current[\""value\""]} } .to_json))'"
+}
+
+console() {
+    /custom-entrypoint.sh "rails c"
+}
+
+
+rails_run() {
+    COMMAND="rails r \"$@\""
+    /custom-entrypoint.sh "$COMMAND"
+}
+
+init() {
+    cp -f /opt/zammad/contrib/auto_wizard.json /tmp/auto_wizard.json
+    /custom-entrypoint.sh "rails zammad:setup:auto_wizard[/tmp/auto_wizard.json]"
+}
+
+enable_authentik_sso() {
+    ADMIN_UID=$(abra app cmd -T $SSO_PROVIDER_DOMAIN worker get_user_uid akadmin)
+    CERT=$(abra app cmd -T $SSO_PROVIDER_DOMAIN worker get_certificate zammad)
+    COMMAND="
+    (u = User.find_by(login: 'admin')) && (u.login='$ADMIN_UID') && u.save!;
+    Setting.set('auth_saml', true);
+    Setting.set('auth_third_party_auto_link_at_inital_login', true);
+    Setting.set('auth_saml_credentials', {
+        'display_name'=>'$ORGANIZATION',
+        'idp_sso_target_url'=>'$IDP_SSO_TARGET_URL',
+        'idp_slo_service_url'=>'$IDP_SLO_SERVICE_URL',
+        'idp_cert'=>'$CERT',
+        'idp_cert_fingerprint'=>'',
+        'name_identifier_format'=>'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'})
+    "
+    abra app cmd -T $DOMAIN zammad-railsserver rails_run "$(printf "%q " $COMMAND )"
+}
+
+set_logo() {
+    LOGO_PATH="$1"
+    abra app cp "$APP_NAME" "$LOGO_PATH" zammad-railsserver:/tmp/
+    filename="$(basename "$LOGO_PATH")"
+    COMMAND="
+    logo_path = '/tmp/$filename';
+    logo_content = File.open(logo_path, 'rb') { |file| file.read };
+    logo_timestamp = Service::SystemAssets::ProductLogo.store(logo_content);
+    Setting.set('product_logo', logo_timestamp);
+    "
+    abra app cmd -T $DOMAIN zammad-railsserver rails_run "$(printf "%q " $COMMAND )"
+}

alaconnect.yml

@@ -0,0 +1,8 @@
+authentik:
+    uncomment:
+        - SSO_PROVIDER_DOMAIN
+        - IDP_SSO_TARGET_URL
+        - IDP_SLO_SERVICE_URL
+    initial-hooks:
+        - local enable_authentik_sso
+

auto_wizard.json.tmpl

@@ -0,0 +1,65 @@
+{
+    "Users": [
+        {
+            "login": "admin",
+            "firstname": "Admin",
+            "lastname": "Agent",
+            "password": "{{ secret "admin_password" }}",
+            "email": "{{ env "ADMIN_EMAIL" }}"
+        }
+    ],
+    "Channels": [
+        {
+            "id": 1,
+            "area": "Email::Notification",
+            "options": {
+                "outbound": {
+                    "adapter": "smtp",
+                    "options": {
+                        "host": "{{ env "SMTP_HOST" }}",
+                        "user": "{{ env "SMTP_LOGIN" }}",
+                        "password": "{{ secret "smtp_password" }}",
+                        "port": "{{ env "SMTP_PORT" }}",
+                        "ssl": true,
+                        "domain": "{{ env "DOMAIN" }}",
+                        "enable_starttls_auto": true,
+                        "openssl_verify_mode": "none"
+                    }
+                }
+            },
+            "active": true,
+            "preferences": {
+                "online_service_disable": true
+            }
+        }
+    ],
+    "Settings": [
+        {
+            "name": "fqdn",
+            "value": "{{ env "DOMAIN" }}"
+        },
+        {
+            "name": "product_name",
+            "value": "{{ env "PRODUCT_NAME" }}"
+        },
+        {
+            "name": "organization",
+            "value": "{{ env "ORGANIZATION" }}"
+        },
+        {
+            "name": "timezone_default",
+            "value": "{{ env "TZ" }}"
+        },
+        {
+            "name": "locale_default",
+            "value": "{{ env "LOCALE" }}"
+        },
+        {
+            "name": "http_type",
+            "value": "https"
+        }
+    ],
+    "TextModuleLocale": {
+        "Locale": "{{ env "LOCALE" }}"
+    }
+}

compose.backup.yml

@@ -0,0 +1,36 @@
+version: "3.8"
+services:
+  zammad-backup:
+    image: ghcr.io/zammad/zammad:6.5.0-34
+    command: ["zammad-backup"]
+    volumes:
+      - zammad-backup:/var/tmp/zammad
+      - zammad-storage:/opt/zammad/storage:ro
+    user: 0:0
+    deploy:
+      labels:
+        backupbot.backup.volumes.zammad-backup: "false"
+      restart_policy:
+        condition: on-failure
+    environment:
+      POSTGRESQL_DB: zammad_production
+      POSTGRESQL_HOST: zammad-postgresql
+      POSTGRESQL_USER: zammad
+      POSTGRESQL_PASS_FILE: /run/secrets/db_password
+      POSTGRESQL_PORT: 5432
+      # Backup settings
+      BACKUP_DIR: "/var/tmp/zammad"
+      BACKUP_TIME: "${BACKUP_TIME:-03:00}"
+      #BACKUP_SLEEP: 86400
+      HOLD_DAYS: 10
+      DOMAIN:
+    entrypoint: /custom-entrypoint.sh
+    configs:
+        - source: entrypoint
+          target: /custom-entrypoint.sh
+          mode: 0555
+    secrets:
+      - db_password
+
+volumes:
+  zammad-backup:

compose.yml

@@ -13,11 +13,6 @@ x-shared:
       POSTGRESQL_OPTIONS: ?pool=50
       POSTGRESQL_DB_CREATE:
       REDIS_URL: redis://zammad-redis:6379
-      # Backup settings
-      BACKUP_DIR: "/var/tmp/zammad"
-      BACKUP_TIME: "${BACKUP_TIME:-03:00}"
-      #BACKUP_SLEEP: 86400
-      HOLD_DAYS: 10
       TZ: "${TZ:-Europe/Berlin}"
       # Allow passing in these variables via .env:
       AUTOWIZARD_JSON:
@@ -37,66 +32,80 @@ x-shared:
       ZAMMAD_SESSION_JOBS:
       ZAMMAD_PROCESS_SCHEDULED:
       ZAMMAD_PROCESS_DELAYED_JOBS_WORKERS:
-    image: ghcr.io/zammad/zammad:6.3.1-95
-    restart: on-failure
+      PRODUCT_NAME:
+      ORGANIZATION:
+      LOCALE:
+      ADMIN_EMAIL:
+      SMTP_HOST:
+      SMTP_LOGIN:
+      SMTP_PORT:
+      DOMAIN:
+      SSO_PROVIDER_DOMAIN:
+      IDP_SSO_TARGET_URL:
+      IDP_SLO_SERVICE_URL:
+    image: ghcr.io/zammad/zammad:6.5.0-34
+    deploy:
+      restart_policy:
+        condition: on-failure
     volumes:
       - zammad-storage:/opt/zammad/storage
-      #old: - zammad-data:/opt/zammad
     depends_on:
       - zammad-memcached
       - zammad-postgresql
       - zammad-redis
     entrypoint: /custom-entrypoint.sh
     configs:
-        - source: entrypoint
-          target: /custom-entrypoint.sh
-          mode: 0555
+      - source: entrypoint
+        target: /custom-entrypoint.sh
+        mode: 0555
+      - source: auto_wizard
+        target: /opt/zammad/contrib/auto_wizard.json
     secrets:
       - db_password
+      - smtp_password
+      - admin_password
 
 services:
-  zammad-backup:
-    <<: *zammad-service
-    command: ["zammad-backup"]
-    volumes:
-      - zammad-backup:/var/tmp/zammad
-      - zammad-storage:/opt/zammad/storage:ro
-      #old: - zammad-data:/opt/zammad
-    user: 0:0
-    deploy:
-      labels:
-        - "backupbot.backup=true"
-        - "backupbot.backup.path=/var/tmp/zammad"
-
   zammad-elasticsearch:
-    image: bitnami/elasticsearch:8.14.3
-    restart: on-failure
-    volumes:
-      - elasticsearch-data:/bitnami/elasticsearch/data
-    environment:
-      - discovery.type=single-node
+    image: bitnami/elasticsearch:8.18.0
     deploy:
+      restart_policy:
+        condition: on-failure
       resources:
         limits:
           memory: 4G
         reservations:
           memory: 2G
-  
+    volumes:
+      - elasticsearch-data:/bitnami/elasticsearch/data
+    environment:
+      - discovery.type=single-node
+    healthcheck:
+      test: "/opt/bitnami/scripts/elasticsearch/healthcheck.sh"
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 5m
+
   zammad-init:
     <<: *zammad-service
     command: ["zammad-init"]
     depends_on:
       - zammad-postgresql
-    restart: on-failure
     user: 0:0
-    #deploy:
-    #  restart_policy:
-    #    condition: on-failure
 
   zammad-memcached:
     command: memcached -m 256M
-    image: memcached:1.6.29-alpine
-    restart: on-failure
+    image: memcached:1.6.38-alpine
+    healthcheck:
+      test: 'echo "version" | nc -vn -w 1 127.0.0.1 11211'
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 5m
+    deploy:
+      restart_policy:
+        condition: on-failure
 
   app:
     <<: *zammad-service
@@ -118,13 +127,17 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
-        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
-        - "coop-cloud.${STACK_NAME}.version=1.0.0+6.3.1-95"
+        - "coop-cloud.${STACK_NAME}.version=2.1.0+6.5.0-34"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 5m
 
   zammad-postgresql:
     image: postgres:15.7-alpine
@@ -132,38 +145,80 @@ services:
       POSTGRES_DB: zammad_production
       POSTGRES_USER: zammad
       POSTGRES_PASSWORD_FILE: /run/secrets/db_password
-    restart: on-failure
+    deploy:
+      restart_policy:
+        condition: on-failure
+      labels:
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.postgresql-data.path: "backup.sql"
+        backupbot.restore.post-hook: "/pg_backup.sh restore"
+        backupbot.backup.volumes.elasticsearch-data: "false"
+        backupbot.backup.volumes.redis-data: "false"
     volumes:
       - postgresql-data:/var/lib/postgresql/data
+    configs:
+      - source: pg_backup
+        target: /pg_backup.sh
+        mode: 0555
     secrets:
       - db_password
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "zammad"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 2m
 
   zammad-railsserver:
     <<: *zammad-service
     command: ["zammad-railsserver"]
-
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 5m
 
   zammad-redis:
-    image: redis:7.2.5-alpine
-    restart: on-failure
+    image: redis:7.4.3-alpine
+    deploy:
+      restart_policy:
+        condition: on-failure
     volumes:
       - redis-data:/data
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
 
   zammad-scheduler:
     <<: *zammad-service
     command: ["zammad-scheduler"]
+    healthcheck:
+      test: 'grep -a "background-worker.rb" -r /proc/[0-9]*/cmdline'
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 5m
 
   zammad-websocket:
     <<: *zammad-service
     command: ["zammad-websocket"]
+    healthcheck:
+      test: 'ruby -rsocket -e "s = TCPSocket.new(''localhost'', 6042); s.close"'
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 5m
 
 volumes:
   elasticsearch-data:
   postgresql-data:
   redis-data:
-  zammad-backup:
   zammad-storage:
- #zammad-data:
 
 networks:
   default:
@@ -174,8 +229,21 @@ configs:
   entrypoint:
     name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
     file: entrypoint.sh
+  auto_wizard:
+    name: ${STACK_NAME}_auto_wizard_${AUTO_WIZARD_VERSION}
+    file: auto_wizard.json.tmpl
+    template_driver: golang
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh
 
 secrets:
   db_password:
     external: true
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
+  admin_password:
+    external: true
+    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}

entrypoint.sh

@@ -26,10 +26,5 @@ file_env() {
 
 file_env "POSTGRESQL_PASS"
 
-if [ "$1" == "zammad-backup" ];
-then
-    bash -c "/usr/local/bin/backup.sh $@"
-else
-    # https://github.com/zammad/zammad-docker-compose/blob/master/containers/zammad/docker-entrypoint.sh
-    bash -c "/docker-entrypoint.sh $@"
-fi
+# https://github.com/zammad/zammad/blob/develop/contrib/docker/docker-entrypoint.sh
+bash -c "/docker-entrypoint.sh $@"

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@