Update Grist image version and enhance environment variables in compose.yaml; add README for deployment instructions

.gitignore

@@ -1,2 +1 @@
 .env
-

README

@@ -0,0 +1,44 @@
+# Grist
+
+Wiki Cafe's configuration for a Grist deployment.
+
+
+## Deploying the app with Docker Swarm
+
+Set the environment variables from the .env file during the shell session.
+
+```
+set -a && source .env && set +a
+```
+
+Set the secrets.
+
+```
+printf "SECRET_HERE" | docker secret create SECRET_NAME -
+```
+
+Deploy using the `-c` flag to specify one or multiple compose files.
+
+```
+docker stack deploy grist --detach=true -c compose.yaml
+```
+
+## Miscellaneous notes
+
+- We may want to set `GRIST_TERMS_OF_SERVICE_URL` to a custom URL, such as the Wiki Cafe's terms of service.
+- Coop Cloud seems to use Pyodide as a sandboxing mechanism. We may want to replace gvisor with Pyodide in the future.
+- Not sure what `APP_DOC_URL` is, but we use it and it works
+- As of version 1.1.16 The Docker images now use a non-root user to run Grist.
+- As of version 1.1.17 additional security options for OIDC authentication were added, improving security and enabling compatibility with new providers that have specific requirements. These are enabled by default, according to best practices.
+- We may want to set a maximum size of document history later as it is now configurable via environment variables as of version 1.2.1.
+- There are also `GRIST_SNAPSHOT_TIME_CAP` and `GRIST_SNAPSHOT_KEEP` to look at.
+- There are also `GRIST_ACTION_HISTORY_MAX_BYTES` and `GRIST_ACTION_HISTORY_MAX_ROWS` to look at.
+- Currently, Grist stores attachments in the database, we may want to change this in the future to store them in a separate storage service like MinIO (version 1.4.0). `GRIST_EXTERNAL_ATTACHMENTS_MODE` related.
+- What should `COOKIE_MAX_AGE` be set to? The default is 90 days, but we may want to set it to a shorter time or none.
+- We should probably set `GRIST_SESSION_SECRET`. Not sure.
+- What does `GRIST_SERVERS` do? It is `home,docs,static` by default, but it can also have `app`?
+- Should we set `GRIST_ORG_IN_PATH`? "if true, encode org in path rather than domain" This is what we do, no?
+- `GRIST_LIST_PUBLIC_SITES` is an option that we can use. "if set to true, sites shared with the public will be listed for anonymous users. Defaults to false."
+- `GRIST_IGNORE_SESSION`: if set, Grist will not use a session for authentication? Do we want this?
+- `GRIST_DOMAIN` Maybe needs to be set to the Wiki Cafe's domain?
+- `GRIST_DEFAULT_EMAIL` gives access to `/admin`.

compose.yaml

@@ -1,12 +1,13 @@
 services:
   grist:
-    image: gristlabs/grist:1.1.12
+    image: gristlabs/grist-oss:1.6.0
     networks:
       - proxy
       - internal
     environment:
-      - GRIST_REDIS_URL=redis://${STACK_NAME}_redis:6379
+      - REDIS_URL=redis://${STACK_NAME}_redis:6379
       - GRIST_SUPPORT_ANON
+      - GRIST_ANON_PLAYGROUND
       - GRIST_SESSION_SECRET_FILE=/run/secrets/session_secret
       - GRIST_SANDBOX_FLAVOR
       - APP_HOME_URL=https://${DOMAIN}
@@ -17,11 +18,14 @@ services:
       - GRIST_FORCE_LOGIN
       - GRIST_HIDE_UI_ELEMENTS
       - GRIST_DEFAULT_EMAIL
+      - GRIST_SUPPORT_EMAIL
       - GRIST_OIDC_SP_HOST
       - GRIST_OIDC_IDP_ISSUER
       - GRIST_OIDC_IDP_SCOPES
       - GRIST_OIDC_IDP_CLIENT_ID
       - GRIST_OIDC_IDP_CLIENT_SECRET_FILE=/run/secrets/oidc_idp_client_secret
+      - GRIST_MAX_UPLOAD_ATTACHMENT_MB
+      - GRIST_MAX_UPLOAD_IMPORT_MB
     secrets:
       - session_secret
       - oidc_idp_client_secret
@@ -45,6 +49,7 @@ services:
         - "caddy=${DOMAIN}"
         - "caddy.reverse_proxy={{upstreams 8484}}"
         - "caddy.tls.on_demand="
+        - "backupbot.backup=true"
 
   redis:
     image: redis:7.2-alpine