chore: publish 0.3.0+0.62.0 release

See coop-cloud/outline#2.

.env.sample

@@ -1,3 +1,5 @@
+# adapted from https://github.com/outline/outline/blob/main/.env.sample
+
 TYPE=outline
 
 DOMAIN=outline.example.com
@@ -6,101 +8,38 @@ DOMAIN=outline.example.com
 #EXTRA_DOMAINS=', `www.outline.example.com`'
 LETS_ENCRYPT_ENV=production
 
+# https://git.coopcloud.tech/coop-cloud-chaos-patchs/outline
+#COMPOSE_FILE="compose.yml:compose.patch.yml"
+
 # –––––––––––––––– REQUIRED ––––––––––––––––
 
-# Generate a hex-encoded 32-byte random key. You should use `openssl rand -hex 32`
+SECRET_DB_PASSWORD_VERSION=v1
-# in your terminal to generate a random value.
+SECRET_SECRET_KEY_VERSION=v1  # length=64
-SECRET_KEY=generate_a_new_key
+SECRET_UTILS_SECRET_VERSION=v1  # length=64
+SECRET_AWS_SECRET_KEY_VERSION=v1
+SECRET_OIDC_CLIENT_SECRET_VERSION=v1
 
-# Generate a unique random key. The format is not important but you could still use
+AWS_ACCESS_KEY_ID=
-# `openssl rand -hex 32` in your terminal to produce this.
+AWS_REGION=
-UTILS_SECRET=generate_a_new_key
+AWS_S3_UPLOAD_BUCKET_URL=
-
+AWS_S3_UPLOAD_BUCKET_NAME=
-# For production point these at your databases, in development the default
-# should work out of the box.
-# Uncomment this to disable SSL for connecting to Postgres
-# PGSSLMODE=disable
-
-# URL should point to the fully qualified, publicly accessible URL. If using a
-# proxy the port in URL and PORT may be different.
-
-# See [documentation](docs/SERVICES.md) on running a separate collaboration
-# server, for normal operation this does not need to be set.
-COLLABORATION_URL=
-
-# To support uploading of images for avatars and document attachments an
-# s3-compatible storage must be provided. AWS S3 is recommended for redundency
-# however if you want to keep all file storage local an alternative such as
-# minio (https://github.com/minio/minio) can be used.
-
-# A more detailed guide on setting up S3 is available here:
-# => https://wiki.generaloutline.com/share/125de1cc-9ff6-424b-8415-0d58c809a40f
-#
-AWS_ACCESS_KEY_ID=get_a_key_from_aws
-AWS_SECRET_ACCESS_KEY=get_the_secret_of_above_key
-AWS_REGION=xx-xxxx-x
-AWS_S3_UPLOAD_BUCKET_URL=http://s3:4569
-AWS_S3_UPLOAD_BUCKET_NAME=bucket_name_here
 AWS_S3_UPLOAD_MAX_SIZE=26214400
 AWS_S3_FORCE_PATH_STYLE=true
 AWS_S3_ACL=private
 
-# –––––––––––––– AUTHENTICATION ––––––––––––––
-
-# Third party signin credentials, at least ONE OF EITHER Google, Slack,
-# or Microsoft is required for a working installation or you'll have no sign-in
-# options.
-
-# To configure Slack auth, you'll need to create an Application at
-# => https://api.slack.com/apps
-#
-# When configuring the Client ID, add a redirect URL under "OAuth & Permissions":
-# https://<URL>/auth/slack.callback
-SLACK_KEY=get_a_key_from_slack
-SLACK_SECRET=get_the_secret_of_above_key
-
-# To configure Google auth, you'll need to create an OAuth Client ID at
-# => https://console.cloud.google.com/apis/credentials
-#
-# When configuring the Client ID, add an Authorized redirect URI:
-# https://<URL>/auth/google.callback
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
-
-# To configure Microsoft/Azure auth, you'll need to create an OAuth Client. See
-# the guide for details on setting up your Azure App:
-# => https://wiki.generaloutline.com/share/dfa77e56-d4d2-4b51-8ff8-84ea6608faa4
-AZURE_CLIENT_ID=
-AZURE_CLIENT_SECRET=
-AZURE_RESOURCE_APP_ID=
-
-# To configure generic OIDC auth, you'll need some kind of identity provider.
-# See documentation for whichever IdP you use to acquire the following info:
-# Redirect URI is https://<URL>/auth/oidc.callback
 OIDC_CLIENT_ID=
-OIDC_CLIENT_SECRET=
 OIDC_AUTH_URI=
 OIDC_TOKEN_URI=
 OIDC_USERINFO_URI=
-
-# Specify which claims to derive user information from
-# Supports any valid JSON path with the JWT payload
 OIDC_USERNAME_CLAIM=preferred_username
-
+OIDC_DISPLAY_NAME="My Cool OpenId Connect Provider"
-# Display name for OIDC authentication
-OIDC_DISPLAY_NAME="OpenID Connect"
-
-# Space separated auth scopes.
 OIDC_SCOPES="openid profile email"
 
-
 # –––––––––––––––– OPTIONAL ––––––––––––––––
 
-# If using a Cloudfront/Cloudflare distribution or similar it can be set below.
+TEAM_LOGO=
-# This will cause paths to javascript, stylesheets, and images to be updated to
+
-# the hostname defined in CDN_URL. In your CDN configuration the origin server
+DEFAULT_LANGUAGE=en_US
-# should be set to the same as URL.
-CDN_URL=
 
 # Auto-redirect to https in production. The default is true but you may set to
 # false if you can be sure that SSL is terminated at an external loadbalancer.
@@ -126,34 +65,15 @@ DEBUG=http
 # set, all domains are allowed by default when using Google OAuth to signin
 ALLOWED_DOMAINS=
 
-# For a complete Slack integration with search and posting to channels the
+# TODO: setup compose.smtp.yml
-# following configs are also needed, some more details
-# => https://wiki.generaloutline.com/share/be25efd1-b3ef-4450-b8e5-c4a4fc11e02a
-#
-SLACK_VERIFICATION_TOKEN=your_token
-SLACK_APP_ID=A0XXXXXXX
-SLACK_MESSAGE_ACTIONS=true
-
-# Optionally enable google analytics to track pageviews in the knowledge base
-GOOGLE_ANALYTICS_ID=
-
-# Optionally enable Sentry (sentry.io) to track errors and performance
-SENTRY_DSN=
-
 # To support sending outgoing transactional emails such as "document updated" or
 # "you've been invited" you'll need to provide authentication for an SMTP server
-SMTP_HOST=
+#SMTP_ENABLED=1
-SMTP_PORT=
+#SMTP_HOST=
-SMTP_USERNAME=
+#SMTP_PORT=
-SMTP_PASSWORD=
+#SMTP_USERNAME=
-SMTP_FROM_EMAIL=
+#SMTP_PASSWORD=
-SMTP_REPLY_EMAIL=
+#SMTP_FROM_EMAIL=
-SMTP_TLS_CIPHERS=
+#SMTP_REPLY_EMAIL=
-SMTP_SECURE=true
+#SMTP_TLS_CIPHERS=
-
+#SMTP_SECURE=true
-# Custom logo that displays on the authentication screen, scaled to height: 60px
-# TEAM_LOGO=https://example.com/images/logo.png
-
-# The default interface language. See translate.getoutline.com for a list of
-# available language codes and their rough percentage translated.
-DEFAULT_LANGUAGE=en_US

README.md

@@ -24,8 +24,26 @@ Wiki and knowledge base for growing teams
 4. `abra app config YOURAPPNAME` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
 5. `abra app deploy YOURAPPNAME`
-6. Build the database with `abra app run YOURAPPNAME app yarn db:migrate --env=production-ssl-disabled` 
 7. Open the configured domain in your browser to finish set-up
 
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
+
+## Tips & Tricks
+
+### Post-deploy migration
+
+```
+abra app run YOURAPPNAME app sh
+export DATABASE_PASSWORD=$(cat /run/secrets/db_password)
+export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_postgres:5432/outline"
+yarn db:migrate --env=production-ssl-disabled
+```
+
+### Setting up your `.env` config
+
+Avoid the use of quotes (`"..."`) as much as possible, the NodeJS scripts flip out for some reason on some vars.
+
+### Multiple users logging in & generic oauth
+
+`COMPOSE_FILE="compose.yml:compose.patch.yml"`

abra.sh

@@ -0,0 +1 @@
+export APP_ENTRYPOINT_VERSION=v2

compose.patch.yml

@@ -0,0 +1,6 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: thecoopcloud/outline-with-patch:latest

compose.yml

@@ -6,7 +6,17 @@ services:
     networks:
       - backend
       - proxy
-    image: outlinewiki/outline:0.60.3
+    image: outlinewiki/outline:0.62.0
+    secrets:
+      - aws_secret_key
+      - db_password
+      - oidc_client_secret
+      - secret_key
+      - utils_secret
+    configs:
+      - source: app_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
     volumes:
       - outline_data:/opt/outline
     environment:
@@ -17,13 +27,13 @@ services:
       - AWS_S3_UPLOAD_BUCKET_NAME
       - AWS_S3_UPLOAD_BUCKET_URL
       - AWS_S3_UPLOAD_MAX_SIZE
-      - AWS_SECRET_ACCESS_KEY
+      - AWS_SDK_LOAD_CONFIG=0
-      - DATABASE_URL=postgres://user:pass@${STACK_NAME}_postgres:5432/outline
+      - AWS_SECRET_KEY_FILE=/run/secrets/aws_secret_key
-      - DATABASE_URL_TEST=postgres://user:pass@${STACK_NAME}_postgres:5432/outline-test
+      - DATABASE_PASSWORD_FILE=/run/secrets/db_password
       - FORCE_HTTPS=true
       - OIDC_AUTH_URI
       - OIDC_CLIENT_ID
-      - OIDC_CLIENT_SECRET
+      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
       - OIDC_DISPLAY_NAME
       - OIDC_SCOPES
       - OIDC_TOKEN_URI
@@ -31,10 +41,12 @@ services:
       - OIDC_USERNAME_CLAIM
       - PGSSLMODE=disable  
       - REDIS_URL=redis://${STACK_NAME}_redis:6379
-      - SECRET_KEY
+      - SECRET_KEY_FILE=/run/secrets/secret_key
+      - STACK_NAME
       - TEAM_LOGO
       - URL=https://$DOMAIN
-      - UTILS_SECRET
+      - UTILS_SECRET_FILE=/run/secrets/utils_secret
+    entrypoint: /docker-entrypoint.sh
     deploy:
       labels:
         - "traefik.enable=true"
@@ -42,14 +54,14 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+0.60.3"
+        - "coop-cloud.${STACK_NAME}.version=0.3.0+0.62.0"
         ## Redirect from EXTRA_DOMAINS to DOMAIN
         #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
 
   redis:
-    image: redis
+    image: redis:6.2.6
     networks:
       - backend
 
@@ -57,18 +69,43 @@ services:
     image: postgres:11
     networks:
       - backend
+    secrets:
+      - db_password
     environment:
       POSTGRES_DB: outline
-      POSTGRES_PASSWORD: pass
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
-      POSTGRES_USER: user
+      POSTGRES_USER: outline
     volumes:
       - "postgres_data:/var/lib/postgresql/data"
 
+secrets:
+  secret_key:
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+    external: true
+  utils_secret:
+    name: ${STACK_NAME}_utils_secret_${SECRET_UTILS_SECRET_VERSION}
+    external: true
+  aws_secret_key:
+    name: ${STACK_NAME}_aws_secret_key_${SECRET_AWS_SECRET_KEY_VERSION}
+    external: true
+  oidc_client_secret:
+    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
+    external: true
+  db_password:
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    external: true
+
 networks:
   proxy:
     external: true
   backend:
-    
+
 volumes:
   outline_data:
   postgres_data:
+
+configs:
+  app_entrypoint:
+    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang

entrypoint.sh.tmpl

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+export AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/aws_secret_key)
+export OIDC_CLIENT_SECRET=$(cat /run/secrets/oidc_client_secret)
+export UTILS_SECRET=$(cat /run/secrets/utils_secret)
+export SECRET_KEY=$(cat /run/secrets/secret_key)
+export DATABASE_PASSWORD=$(cat /run/secrets/db_password)
+export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_postgres:5432/outline"
+
+/usr/local/bin/yarn start "$@"

release/0.2.0+0.60.3

@@ -0,0 +1,8 @@
+If you're coming from 0.1.0+0.60.3, your upgrade will break! Careful!
+
+Two main points for preparing for the upgrade:
+
+- recipe now uses docker secrets, you need to load them + remove them from your config
+- recipe upgraded outline image, some of the AWS env var names changed
+
+It might be wise to undeploy/deploy for this one.