make pg upgrade more safe

Reviewed-on: coop-cloud/outline#11

.drone.yml

@@ -0,0 +1,43 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: outline
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: outline.swarm-test.autonomic.zone
+      STACK_NAME: outline
+      LETS_ENCRYPT_ENV: production
+      APP_ENTRYPOINT_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_SECRET_KEY_VERSION: v1  # length=64
+      SECRET_UTILS_SECRET_VERSION: v1  # length=64
+      SECRET_AWS_SECRET_KEY_VERSION: v1
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -8,8 +8,7 @@ DOMAIN=outline.example.com
 #EXTRA_DOMAINS=', `www.outline.example.com`'
 LETS_ENCRYPT_ENV=production
 
-# https://git.coopcloud.tech/coop-cloud-chaos-patchs/outline
+COMPOSE_FILE="compose.yml"
-#COMPOSE_FILE="compose.yml:compose.patch.yml"
 
 # –––––––––––––––– REQUIRED ––––––––––––––––
 
@@ -17,7 +16,6 @@ SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SECRET_KEY_VERSION=v1  # length=64
 SECRET_UTILS_SECRET_VERSION=v1  # length=64
 SECRET_AWS_SECRET_KEY_VERSION=v1
-SECRET_OIDC_CLIENT_SECRET_VERSION=v1
 
 AWS_ACCESS_KEY_ID=
 AWS_REGION=
@@ -27,14 +25,6 @@ AWS_S3_UPLOAD_MAX_SIZE=26214400
 AWS_S3_FORCE_PATH_STYLE=true
 AWS_S3_ACL=private
 
-OIDC_CLIENT_ID=
-OIDC_AUTH_URI=
-OIDC_TOKEN_URI=
-OIDC_USERINFO_URI=
-OIDC_USERNAME_CLAIM=preferred_username
-OIDC_DISPLAY_NAME="My Cool OpenId Connect Provider"
-OIDC_SCOPES="openid profile email"
-
 # –––––––––––––––– OPTIONAL ––––––––––––––––
 
 TEAM_LOGO=
@@ -77,3 +67,19 @@ ALLOWED_DOMAINS=
 #SMTP_REPLY_EMAIL=
 #SMTP_TLS_CIPHERS=
 #SMTP_SECURE=true
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
+#OIDC_ENABLED=1
+#OIDC_CLIENT_ID=
+#OIDC_AUTH_URI=
+#OIDC_TOKEN_URI=
+#OIDC_USERINFO_URI=
+#OIDC_USERNAME_CLAIM=preferred_username
+#OIDC_DISPLAY_NAME="My Cool OpenId Connect Provider"
+#OIDC_SCOPES="openid profile email"
+#SECRET_OIDC_CLIENT_SECRET_VERSION=v1
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.google.yml"
+#GOOGLE_ENABLED=1
+#GOOGLE_CLIENT_ID=
+#SECRET_GOOGLE_CLIENT_SECRET_VERSION=v1

README.md

@@ -5,13 +5,13 @@ Wiki and knowledge base for growing teams
 <!-- metadata -->
 
 * **Category**: Apps
-* **Status**:
+* **Status**: 1, alpha
 * **Image**: [outlinewiki/outline](https://hub.docker.com/r/outlinewiki/outline)
-* **Healthcheck**:
+* **Healthcheck**: No
-* **Backups**:
+* **Backups**: No
-* **Email**:
+* **Email**: No
-* **Tests**:
+* **Tests**: No
-* **SSO**:
+* **SSO**: 3 (OAuth)
 
 <!-- endmetadata -->
 
@@ -34,16 +34,31 @@ Wiki and knowledge base for growing teams
 ### Post-deploy migration
 
 ```
-abra app run YOURAPPNAME app sh
+abra app cmd YOURAPPNAME app migrate
-export DATABASE_PASSWORD=$(cat /run/secrets/db_password)
-export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_postgres:5432/outline"
-yarn db:migrate --env=production-ssl-disabled
 ```
 
+_As of 2022-03-30, this requires `abra` RC version, run `abra upgrade --rc`._
+
 ### Setting up your `.env` config
 
 Avoid the use of quotes (`"..."`) as much as possible, the NodeJS scripts flip out for some reason on some vars.
 
-### Multiple users logging in & generic oauth
+### Deleting a user (e.g. to fix SSO weirdness)
 
-`COMPOSE_FILE="compose.yml:compose.patch.yml"`
+`abra app cmd YOURAPPNAME db delete_user <username-to-delete> <username-to-replace>`
+
+Where `<username-to-delete>` is the username of the user to be removed, and
+`<username-to-replace>` is the username of another user, to assign documents and
+revisions to (instead of deleting them).
+
+_As of 2022-03-30, this requires `abra` RC version, run `abra upgrade --rc`._
+
+## Single Sign On with Keycloak
+
+`abra app config YOURAPPNAME`, then uncomment everything in the `OIDC_` section.
+
+Create a new client in Keycloak:
+
+- **Valid Redirect URIs**: `https://YOURAPPDOMAIN/auth/oidc.callback`
+
+`abra app deploy YOURAPPDOMAIN`

abra.sh

@@ -1 +1,83 @@
-export APP_ENTRYPOINT_VERSION=v2
+export APP_ENTRYPOINT_VERSION=v6
+export DB_ENTRYPOINT_VERSION=v1
+
+migrate() {
+	export DATABASE_PASSWORD=$(cat /run/secrets/db_password)
+	export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_db:5432/outline"
+	yarn db:migrate --env=production-ssl-disabled
+}
+
+delete_user_by_id() {
+	if [ -z "$1" ] || [ -z "$2" ]; then
+		echo "Usage: ... delete_user_by_id <userid-to-delete> <userid-to-replace>"
+		exit 1
+	fi
+
+	USERID_REPLACE="$2"
+	USERID_REMOVE="$1"
+
+	psql -U outline outline <<- SQL
+	UPDATE documents SET "userId" = '$USERID_REPLACE' WHERE "userId" = '$USERID_REMOVE';
+	UPDATE groups SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE pins SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE group_users SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE collections SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE collection_users SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE collection_groups SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE documents SET "lastModifiedById" = '$USERID_REPLACE' WHERE "lastModifiedById" = '$USERID_REMOVE';
+	UPDATE documents SET "createdById" = '$USERID_REPLACE' WHERE "createdById" = '$USERID_REMOVE';
+	UPDATE revisions SET "userId" = '$USERID_REPLACE' WHERE "userId" = '$USERID_REMOVE';
+	UPDATE attachments SET "userId" = '$USERID_REPLACE' WHERE "userId" = '$USERID_REMOVE';
+	UPDATE backlinks SET "userId" = '$USERID_REPLACE' WHERE "userId" = '$USERID_REMOVE';
+	UPDATE file_operations SET "userId" = '$USERID_REPLACE' WHERE "userId" = '$USERID_REMOVE';
+	UPDATE users SET "suspendedById" = '$USERID_REPLACE' WHERE "suspendedById" = '$USERID_REMOVE';
+	DELETE FROM search_queries WHERE "userId" = '$USERID_REMOVE';
+	DELETE FROM shares WHERE "userId" = '$USERID_REMOVE';
+	DELETE FROM notification_settings WHERE "userId" = '$USERID_REMOVE';
+	DELETE FROM events WHERE "actorId" = '$USERID_REMOVE';
+	DELETE FROM events WHERE "userId" = '$USERID_REMOVE';
+	DELETE FROM users WHERE "id" = '$USERID_REMOVE';
+	SQL
+}
+
+delete_user() {
+	if [ -z "$1" ] || [ -z "$2" ]; then
+		echo "Usage: ... delete_user <userid-to-delete> <userid-to-replace>"
+		exit 1
+	fi
+
+	USERID_REMOVE=$(echo "SELECT id FROM users WHERE username = '$1'" | psql -t -A -U outline outline)
+	USERID_REPLACE=$(echo "SELECT id FROM users WHERE username = '$2'" | psql -t -A -U outline outline)
+
+	if [ -z "$USERID_REMOVE" ]; then
+		echo "Can't find ID of '$1'"
+		exit 1
+	fi
+
+	if [ -z "$USERID_REPLACE" ]; then
+		echo "Can't find ID of '$2'"
+		exit 1
+	fi
+	
+	delete_user_by_id "$USERID_REMOVE" "$USERID_REPLACE"
+}
+
+delete_duplicate_users() {
+	if [ -z "$1" ]; then
+		echo "Usage: ... delete_duplicate_users <username>"
+		exit 1
+	fi
+
+	USERIDS=$(echo "SELECT id FROM users WHERE username = '$1' ORDER BY users.\"createdAt\" DESC" | psql -t -A -U outline outline)
+
+	if [ ! "$(echo "$USERIDS" | wc -l)" -gt 1 ]; then
+		echo "Only one user exists, bailing"
+		exit 1
+	fi
+
+	USERID_NEW=$(echo "$USERIDS" | head -n1)
+
+	for USERID_OLD in $(echo "$USERIDS" | tail -n+2); do
+		delete_user_by_id "$USERID_OLD" "$USERID_NEW"
+	done
+}

compose.google.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - google_client_secret
+    environment:
+      - GOOGLE_CLIENT_ID
+      - GOOGLE_ENABLED
+      - ALLOWED_DOMAINS
+
+secrets:
+  google_client_secret:
+    name: ${STACK_NAME}_google_client_secret_${SECRET_GOOGLE_CLIENT_SECRET_VERSION}
+    external: true

compose.oidc.yml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - oidc_client_secret
+    environment:
+      - OIDC_AUTH_URI
+      - OIDC_CLIENT_ID
+      - OIDC_DISPLAY_NAME
+      - OIDC_ENABLED
+      - OIDC_SCOPES
+      - OIDC_TOKEN_URI
+      - OIDC_USERINFO_URI
+      - OIDC_USERNAME_CLAIM
+
+secrets:
+  oidc_client_secret:
+    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
+    external: true

compose.patch.yml

@@ -1,6 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    image: thecoopcloud/outline-with-patch:latest

compose.yml

@@ -6,19 +6,16 @@ services:
     networks:
       - backend
       - proxy
-    image: outlinewiki/outline:0.62.0
+    image: outlinewiki/outline:0.69.2
     secrets:
       - aws_secret_key
       - db_password
-      - oidc_client_secret
       - secret_key
       - utils_secret
     configs:
       - source: app_entrypoint
         target: /docker-entrypoint.sh
         mode: 0555
-    volumes:
-      - outline_data:/opt/outline
     environment:
       - AWS_ACCESS_KEY_ID
       - AWS_REGION
@@ -31,16 +28,8 @@ services:
       - AWS_SECRET_KEY_FILE=/run/secrets/aws_secret_key
       - DATABASE_PASSWORD_FILE=/run/secrets/db_password
       - FORCE_HTTPS=true
-      - OIDC_AUTH_URI
+      - PGSSLMODE=disable
-      - OIDC_CLIENT_ID
+      - REDIS_URL=redis://${STACK_NAME}_cache:6379
-      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
-      - OIDC_DISPLAY_NAME
-      - OIDC_SCOPES
-      - OIDC_TOKEN_URI
-      - OIDC_USERINFO_URI
-      - OIDC_USERNAME_CLAIM
-      - PGSSLMODE=disable  
-      - REDIS_URL=redis://${STACK_NAME}_redis:6379
       - SECRET_KEY_FILE=/run/secrets/secret_key
       - STACK_NAME
       - TEAM_LOGO
@@ -54,29 +43,40 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.3.0+0.62.0"
+        - "coop-cloud.${STACK_NAME}.version=0.8.0+0.69.2"
         ## Redirect from EXTRA_DOMAINS to DOMAIN
         #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
 
-  redis:
+  cache:
-    image: redis:6.2.6
+    image: redis:7.0.11
     networks:
       - backend
 
-  postgres:
+  db:
-    image: postgres:11
+    image: postgres:15.3
     networks:
       - backend
     secrets:
       - db_password
+    configs:
+      - source: db_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
     environment:
       POSTGRES_DB: outline
       POSTGRES_PASSWORD_FILE: /run/secrets/db_password
       POSTGRES_USER: outline
     volumes:
       - "postgres_data:/var/lib/postgresql/data"
+    entrypoint: /docker-entrypoint.sh
+    deploy:
+      labels:
+        backupbot.backup: "true"
+        backupbot.backup.path: "/tmp/dump.sql.gz"
+        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
+        backupbot.backup.pre-hook: "sh -c 'PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U outline outline | gzip > /tmp/dump.sql.gz'"
 
 secrets:
   secret_key:
@@ -88,9 +88,6 @@ secrets:
   aws_secret_key:
     name: ${STACK_NAME}_aws_secret_key_${SECRET_AWS_SECRET_KEY_VERSION}
     external: true
-  oidc_client_secret:
-    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
-    external: true
   db_password:
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
     external: true
@@ -101,7 +98,6 @@ networks:
   backend:
 
 volumes:
-  outline_data:
   postgres_data:
 
 configs:
@@ -109,3 +105,7 @@ configs:
     name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
     file: entrypoint.sh.tmpl
     template_driver: golang
+  db_entrypoint:
+    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
+    file: entrypoint.postgres.sh.tmpl
+    template_driver: golang

entrypoint.postgres.sh.tmpl

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+
+MIGRATION_MARKER=$PGDATA/migration_in_progress
+OLDDATA=$PGDATA/old_data
+NEWDATA=$PGDATA/new_data
+
+if [ -e $MIGRATION_MARKER ]; then
+  echo "FATAL: previous migration not completed. manual restore necessary"
+  exit 1
+fi
+
+DATA_VERSION=$(cat $PGDATA/PG_VERSION)
+
+if [ -n "$DATA_VERSION" -a "$PG_MAJOR" != "$DATA_VERSION" ]; then
+  echo "postgres data version $DATA_VERSION found, but need $PG_MAJOR. Starting migration"
+  echo "Installing postgres $DATA_VERSION"
+  sed -i "s/$/ $DATA_VERSION/" /etc/apt/sources.list.d/pgdg.list
+  apt-get update && apt-get install -y --no-install-recommends \
+    postgresql-$DATA_VERSION \
+    && rm -rf /var/lib/apt/lists/*
+  echo "shuffling around"
+  gosu postgres mkdir $OLDDATA $NEWDATA
+  chmod 700 $OLDDATA $NEWDATA
+  mv $PGDATA/* $OLDDATA/ || true
+  touch $MIGRATION_MARKER
+  echo "running initdb"
+  # abuse entrypoint script for initdb by making server error out
+  gosu postgres bash -c "export PGDATA=$NEWDATA ; /usr/local/bin/docker-entrypoint.sh --invalid-arg"
+  echo "running pg_upgrade"
+  cd /tmp
+  gosu postgres pg_upgrade --link -b /usr/lib/postgresql/$DATA_VERSION/bin -d $OLDDATA -D $NEWDATA -U $POSTGRES_USER
+  cp $OLDDATA/pg_hba.conf $NEWDATA/
+  mv $NEWDATA/* $PGDATA
+  rm -rf $OLDDATA
+  rmdir $NEWDATA
+  rm $MIGRATION_MARKER
+  echo "migration complete"
+fi
+
+/usr/local/bin/docker-entrypoint.sh postgres

entrypoint.sh.tmpl

@@ -1,10 +1,19 @@
 #!/bin/sh
 
 export AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/aws_secret_key)
+
+{{ if eq (env "OIDC_ENABLED") "1" }}
 export OIDC_CLIENT_SECRET=$(cat /run/secrets/oidc_client_secret)
+{{ end }}
+
+{{ if eq (env "GOOGLE_ENABLED") "1" }}
+export GOOGLE_CLIENT_SECRET=$(cat /run/secrets/google_client_secret)
+{{ end }}
+
 export UTILS_SECRET=$(cat /run/secrets/utils_secret)
 export SECRET_KEY=$(cat /run/secrets/secret_key)
 export DATABASE_PASSWORD=$(cat /run/secrets/db_password)
-export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_postgres:5432/outline"
+export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_db:5432/outline"
 
+/usr/local/bin/yarn db:migrate --env=production-ssl-disabled
 /usr/local/bin/yarn start "$@"

release/0.4.0+0.64.3

@@ -0,0 +1,30 @@
+WARNING: This is a breaking release, you will certainly need to read this & fix
+your config to have a successful deployment! There has been a lot of churn on
+this recipe due to the experimental nature of getting things up and running.
+We're hoping things will stabilise soon. It's a lovely software after all and
+users are enjoying using it.
+
+- Additional login methods have been added e.g. Google (yep...). You now need
+  to make a choice of which authentication you want to make. This can be done by
+  using the usual `$AUTH_ENABLED=1` environment variable condition. See the
+  recipe `.env.sample` for more.
+
+- If you were using the generic OpenID Connect authentication method (e.g.
+  Keycloak, Authentik) then you will now need to use
+  `COMPOSE_FILE=compose.yml:compose.oidc.yml` and provide the `OIDC_*`
+  environment variables in your `.env` file. See the recipe `.env.sample` for
+  more.
+
+- We are no longer using a fork of Outline for the recipe (yay!). If you were
+  using the old patched version, you'll have to deal with some migration issues.
+  See https://git.coopcloud.tech/coop-cloud/outline#deleting-a-user-e-g-to-fix-sso-weirdness
+  for more.
+
+- Furthermore, following https://git.coopcloud.tech/coop-cloud/outline/issues/9, you will
+  need to undeploy your stack and re-deploy as some of the services have been renamed to
+  maintain naming conventions with other recipes.
+
+There has been a lot of changes. Please add to this file if you see more
+weirdness to help the rest of the Co-op Cloud Comrades.
+
+@decentral1se (Autonomic Co-op)