Update to 0.2.6+v4.5.0

- Upgrade app images to v4.5.0
- Switch from postgres:16 to pgautoupgrade/pgautoupgrade:18-debian for automatic major version upgrades
- Fix PGDATA relative path (add leading /)
- Fix pg_backup.sh restore path to match PGDATA

.env.sample

@@ -8,12 +8,27 @@ DOMAIN=lasuite-docs.example.com
 LETS_ENCRYPT_ENV=production
 
 ##############################################################################
-# BASIC SETTINGS 
+# SECRETS
 ##############################################################################
-# FIXME: Move to Docker secret
-DJANGO_SECRET_KEY=ThisIsAnExampleKeyForDevPurposeOnly
-# FIXME: Move to docker secret
-DJANGO_SUPERUSER_PASSWORD=admin
+# abbreviations are to fit abra 12 char secret recommendation
+# DJANGO_SECRET_KEY
+SECRET_DJANGO_SK_VERSION=v1
+# ODIC_RP_CLIENT_SECRET
+SECRET_OIDC_RPCS_VERSION=v1
+# DJANGO_SUPERUSER_PASSWORD
+SECRET_DJANGO_SP_VERSION=v1
+# MINIO_ROOT_PASSWORD
+SECRET_MINIO_RP_VERSION=v1
+# MINIO_ROOT_USER
+SECRET_MINIO_RU_VERSION=v1
+# COLLABORATION_SERVER_SECRET
+SECRET_COLLAB_SS_VERSION=v1
+# POSTGRES_PASSWORD
+SECRET_POSTGRES_P_VERSION=v1
+# Y_PROVIDER_API_KEY
+SECRET_Y_API_KEY_VERSION=v1
+# DJANGO_HOST_EMAIL_PASSWORD
+SECRET_EMAIL_PASS_VERSION=v1
 
 ##############################################################################
 # EMAIL
@@ -22,18 +37,21 @@ DJANGO_EMAIL_BRAND_NAME="La Suite Numérique"
 DJANGO_EMAIL_HOST="mail.example.com"
 DJANGO_EMAIL_LOGO_IMG="http://$DOMAIN/assets/logo-suite-numerique.png"
 DJANGO_EMAIL_PORT=1025
+DJANGO_EMAIL_USE_SSL=True
+DJANGO_EMAIL_USE_TLS=False
+DJANGO_EMAIL_FROM=mail@example.com
 
 ##############################################################################
 # SINGLE SIGN ON
 ##############################################################################
 # NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README
-OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/certs
-OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/auth
-OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/token
-OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/userinfo
-OIDC_RP_CLIENT_ID=impress
-# FIXME: Move to docker secret
-OIDC_RP_CLIENT_SECRET=example
+OIDC_REALM=yourkeycloakrealm
+AUTH_DOMAIN=yourkeycloakdomain
+OIDC_OP_JWKS_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/certs
+OIDC_OP_AUTHORIZATION_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/auth
+OIDC_OP_TOKEN_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/token
+OIDC_OP_USER_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/userinfo
+OIDC_RP_CLIENT_ID=yourkeycloakclientid
 OIDC_RP_SIGN_ALGO=RS256
 OIDC_RP_SCOPES="openid email"
 LOGIN_REDIRECT_URL=https://${DOMAIN}

README.md

@@ -17,15 +17,66 @@
 
 ## Quick start
 
-* Deploy Single Sign On (see [Authentication](#authentication) below)
 * `abra app new lasuite-docs --secrets`
 * `abra app config <app-name>`
 * `abra app deploy <app-name>`
 * `abra app cmd <app-name> backend migrate`
 * `abra app restart <app-name> minio-bootstrap` (Note: this will appear to fail, but probably worked! Check `abra app logs <app-name> minio-bootstrap`)
 
-For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
+You should then be able to visit the landing page of your app, but not yet to login. To login, you need to deploy and integrate single sign on (described below in the "Configure Authentication" section). 
 
-## Authentication
 
-Docs **requires** an OpenID Connect (OIDC) single sign-on provider; we recommend [Authentik](https://git.coopcloud.tech/coop-cloud/authentik) or [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), both of which are installable using Co-op Cloud.
+## Configure Authentication
+
+lasuite-docs **requires** an OpenID Connect (OIDC) single sign-on provider; deployment has been tested with [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), which we recommend, or you could also try [Authentik](https://git.coopcloud.tech/coop-cloud/authentik), both of which are installable using Co-op Cloud.
+
+Instructions for integrating keycloak with docs after deploying it, are below. 
+
+* In keycloak, create a realm (save the name of this realm, you will need it later)
+* Within that realm, create a client
+    * during client creation, ensure:
+        - Standard flow: True
+        - Direct access grants: True
+        - Authorization: True
+        - Client authentication: True
+        - PKCE method: none
+* Within the client tab, for your client, click on "Credentials". Click on the the copy button to copy "Client Secret" so you can insert this into your coop cloud deployment in the next step. 
+* `abra app secret insert <app-name> oidc_rpcs v2 <yoursecret>`
+* `abra app config <app-name>` # set SECRET_OIDC_RPCS_VERSION=v2
+
+* Now create a user for this client within keycloak. Within the Users tab, click "Add User". Any username and password works. Save this info.
+
+You then additionally need to modify the config of docs to point to your keycloak deployment.
+
+* `abra app config <app-name>`
+```
+OIDC_REALM=<the realm you configured in keycloak>
+AUTH_DOMAIN=<the domain of your keycloak instance>
+OIDC_RP_CLIENT_ID=<yourkeycloakclientid>
+```
+
+then redeploy docs:
+`abra app deploy <app-name> --force`
+
+at this point, when you go to your docs url, you shoud then be able to click "login" and login with the username and password for the user you created in keycloak.
+
+you can make additional users in keycloak for this "client" and they will all be able to login to docs and collaborate. 
+
+## Configure E-Mail
+
+Using `abra app config <app-name>` you need to set the following for your smtp server:
+
+```
+DJANGO_EMAIL_HOST="yourmailserver.com"
+DJANGO_EMAIL_PORT=1025
+DJANGO_EMAIL_FROM=noreply@example.com
+```
+
+You then need to insert the password for your smtp server as a secret:
+
+* `abra app secret insert <app-name> email_pass v2 <youremailpass>`
+* `abra app config <app-name>` # set SECRET_EMAIL_PASS_VERSION=v2
+
+Then redeploy the app, and automated e-mail sending should work:
+
+`abra app deploy <app-name> --force`

abra-entrypoint.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+[ -f /run/secrets/postgres_p ] && export DB_PASSWORD="$(cat /run/secrets/postgres_p)"
+[ -f /run/secrets/django_sk ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_sk)"
+[ -f /run/secrets/minio_rp ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_rp)"
+[ -f /run/secrets/minio_ru ] && export AWS_S3_ACCESS_KEY_ID="$(cat /run/secrets/minio_ru)"
+[ -f /run/secrets/django_sp ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_sp)"
+[ -f /run/secrets/oidc_rpcs ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rpcs)"
+[ -f /run/secrets/collab_ss ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collab_ss)"
+[ -f /run/secrets/y_api_key ] && export Y_PROVIDER_API_KEY="$(cat /run/secrets/y_api_key)"
+[ -f /run/secrets/email_pass ] && export DJANGO_EMAIL_HOST_PASSWORD="$(cat /run/secrets/email_pass)"
+
+# if not in "env" mode, then execute the original entrypoint and command
+if [ ! "$1" = "-e" ]; then
+  exec "$@"
+fi

abra.sh

@@ -1,12 +1,15 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
-export NGINX_CONF_VERSION=v2
+export ABRA_ENTRYPOINT_VERSION=v5
+export NGINX_CONF_VERSION=v3
 export PG_BACKUP_VERSION=v3
 
-# environment() {
-#   # TODO: Add file_env here
-# }
+environment() {
+  # this exports all the secrets as environment variables
+  source /abra-entrypoint.sh -e
+}
 
 migrate() {
+  environment
   python manage.py migrate --noinput
 }

compose.yml

@@ -1,13 +1,14 @@
----
+
+
 
 # NOTE: based on https://github.com/suitenumerique/docs/pull/855/ and https://github.com/suitenumerique/docs/pull/583/
 
 x-common-env: &common-env
   DJANGO_CONFIGURATION: Production
   DJANGO_ALLOWED_HOSTS: "*"
-  DJANGO_SECRET_KEY:
+  # DJANGO_SECRET_KEY supplied via secrets
   DJANGO_SETTINGS_MODULE: impress.settings
-  DJANGO_SUPERUSER_PASSWORD:
+  # DJANGO_SUPERUSER_PASSWORD supplied via secrets
   # Logging
   # Set to DEBUG level for dev only
   LOGGING_LEVEL_HANDLERS_CONSOLE:
@@ -21,15 +22,17 @@ x-common-env: &common-env
   DJANGO_EMAIL_LOGO_IMG:
   DJANGO_EMAIL_PORT:
   DJANGO_EMAIL_HOST_USER:
-  DJANGO_EMAIL_HOST_PASSWORD:
+  # DJANGO_EMAIL_HOST_PASSWORD supplied via secret
+  DJANGO_EMAIL_USE_SSL:
+  DJANGO_EMAIL_USE_TLS:
+  DJANGO_EMAIL_FROM:
   # Backend url
   IMPRESS_BASE_URL: "https://${DOMAIN}"
   # Media
   STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
   AWS_S3_ENDPOINT_URL: http://minio:9000
-  AWS_S3_ACCESS_KEY_ID: user
-  # FIXME: Move to docker secret
-  AWS_S3_SECRET_ACCESS_KEY: password
+  # AWS_S3_ACCESS_KEY_ID supplied via secret (this is same MINIO_ROOT_USER)
+  # AWS_S3_SECRET_ACCESS_KEY supplied via secret (this is same as MINIO_ROOT_PASSWORD)
   MEDIA_BASE_URL: https://${DOMAIN}
   AWS_STORAGE_BUCKET_NAME: docs-media-storage
   # OIDC - settings from .env, see .env.sample
@@ -38,7 +41,7 @@ x-common-env: &common-env
   OIDC_OP_TOKEN_ENDPOINT:
   OIDC_OP_USER_ENDPOINT:
   OIDC_RP_CLIENT_ID:
-  OIDC_RP_CLIENT_SECRET:
+  # OIDC_RP_CLIENT_SECRET supplied via secrets
   OIDC_RP_SIGN_ALGO:
   OIDC_RP_SCOPES:
   LOGIN_REDIRECT_URL:
@@ -46,7 +49,7 @@ x-common-env: &common-env
   LOGOUT_REDIRECT_URL:
   OIDC_REDIRECT_ALLOWED_HOSTS:
   OIDC_AUTH_REQUEST_EXTRA_PARAMS:
-  # AI
+  # AI (Fixme: remove?)
   AI_FEATURE_ENABLED: "false"
   AI_BASE_URL: https://openaiendpoint.com
   AI_API_KEY: password
@@ -58,40 +61,38 @@ x-postgres-env: &postgres-env
   # Postgresql db container configuration
   POSTGRES_DB: docs
   POSTGRES_USER: docs
-  # FIXME: Move to docker secret
-  POSTGRES_PASSWORD: password
+  POSTGRES_PASSWORD_FILE: /run/secrets/postgres_p
   # App database configuration
   DB_HOST: db
   DB_NAME: docs
   DB_USER: docs
-  # FIXME: Move to docker secret
-  DB_PASSWORD: password
   DB_PORT: 5432
+  # DB_PASSWORD supplied via secrets (this is same as POSTGRES_PASSWORD)
 
 x-yprovider-env: &yprovider-env
   COLLABORATION_LOGGING: "true"
-  Y_PROVIDER_API_KEY: foobar
+  # Y_PROVIDER_API_KEY supplied via secrets
   COLLABORATION_API_URL: http://y-provider:4444/api/
   COLLABORATION_SERVER_ORIGIN: https://${DOMAIN}
-  COLLABORATION_SERVER_SECRET: my-secret
+  # COLLABORATION_SERVER_SECRET supplied via secrets
   COLLABORATION_BACKEND_BASE_URL: https://${DOMAIN}
   COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/
 
 x-minio-env: &minio-env
-  MINIO_ROOT_USER: user
-  # FIXME: Move to docker secret
-  MINIO_ROOT_PASSWORD: password
+  MINIO_ROOT_USER_FILE: /run/secrets/minio_ru
+  MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp
 
 services:
   app:
-    image: lasuite/impress-frontend:v3.4.2
+    image: lasuite/impress-frontend:v4.5.0
     networks:
-      - backend 
+      - backend
     deploy:
       labels:
         - "traefik.enable=false"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=0.2.1+v3.4.2"
+        - "coop-cloud.${STACK_NAME}.version=0.2.6+v4.5.0"
+    user: "${DOCKER_USER:-1000}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8080"]
       interval: 15s
@@ -100,35 +101,74 @@ services:
       start_period: 10s
 
   backend:
-    image: lasuite/impress-backend:v3.4.2
+    image: lasuite/impress-backend:v4.5.0
     networks:
       - backend 
     environment:
       <<: [*common-env, *postgres-env, *yprovider-env]
     healthcheck:
-      test: ["CMD", "python", "manage.py", "check"]
+      test: ["CMD", "/abra-entrypoint.sh", "python", "manage.py", "check"]
       interval: 15s
       timeout: 30s
       retries: 20
       start_period: 10s
+    user: "${DOCKER_USER:-1000}"
+    command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"]
+    entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"]
+    configs:
+      - source: abra_entrypoint
+        target: /abra-entrypoint.sh
+        mode: 0555
+    secrets:
+      - django_sk
+      - django_sp
+      - oidc_rpcs
+      - collab_ss
+      - minio_rp
+      - minio_ru
+      - postgres_p
+      - y_api_key
+      - email_pass
 
   celery:
-    image: lasuite/impress-backend:v3.4.2
+    image: lasuite/impress-backend:v4.5.0
     networks:
-      - backend 
+      - backend
+    user: "${DOCKER_USER:-1000}"
     command: ["celery", "-A", "impress.celery_app", "worker", "-l", "INFO"]
     environment:
       <<: [*common-env, *postgres-env, *yprovider-env]
+    entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"]
+    configs:
+      - source: abra_entrypoint
+        target: /abra-entrypoint.sh
+        mode: 0555
+    secrets:
+      - django_sk
+      - django_sp
+      - oidc_rpcs
+      - collab_ss
+      - minio_rp
+      - postgres_p
+      - y_api_key
+      - email_pass
+
 
   y-provider:
-    image: lasuite/impress-y-provider:v3.4.2
+    image: lasuite/impress-y-provider:v4.5.0
     networks:
       - backend 
     environment: *yprovider-env
+    user: "${DOCKER_USER:-1000}"
+    entrypoint: >
+      sh -c "export Y_PROVIDER_API_KEY=\"$$(cat /run/secrets/y_api_key)\" && exec /usr/local/bin/entrypoint \"$$@\"" --
+    command: ["yarn", "start"]
     # NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403
+    secrets:
+      - y_api_key
 
   db:
-    image: postgres:16
+    image: pgautoupgrade/pgautoupgrade:18-debian
     networks:
       - backend 
     healthcheck:
@@ -138,7 +178,7 @@ services:
       retries: 300
     environment:
       <<: *postgres-env
-      PGDATA: var/lib/postgresql/data/pgdata
+      PGDATA: /var/lib/postgresql/data/pgdata
     volumes:
       - postgres:/var/lib/postgresql/data/pgdata
     deploy:
@@ -151,6 +191,8 @@ services:
         - source: pg_backup
           target: /pg_backup.sh
           mode: 0555
+    secrets:
+      - postgres_p
 
   redis:
     image: redis:8
@@ -162,18 +204,23 @@ services:
     image: minio/mc:RELEASE.2025-05-21T01-59-54Z
     environment: *minio-env
     networks:
-      - backend 
+      - backend
     entrypoint: >
       sh -c "
-      /usr/bin/mc alias set docs http://minio:9000 $${MINIO_ROOT_USER} $${MINIO_ROOT_PASSWORD} && \
-      /usr/bin/mc mb --ignore-existing docs/docs-media-storage && \
-      /usr/bin/mc version enable docs/docs-media-storage && \
-      exit 0;"
+      MINIO_ROOT_USER=\"\$$(cat /run/secrets/minio_ru)\" &&   
+      MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" &&   
+      /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" &&
+      /usr/bin/mc mb --ignore-existing docs/docs-media-storage &&
+      /usr/bin/mc version enable docs/docs-media-storage &&
+      exit 0"
     deploy:
       mode: replicated
       replicas: 0
       restart_policy:
         condition: none
+    secrets:
+      - minio_rp
+      - minio_ru
 
   minio:
     image: minio/minio:RELEASE.2025-05-24T17-08-30Z
@@ -183,15 +230,23 @@ services:
       interval: 1s
       timeout: 20s
       retries: 300
-    entrypoint: ""
     networks:
-      - backend 
+      - backend
     command: minio server /data
+    entrypoint: ["/usr/bin/docker-entrypoint.sh"]
     volumes:
       - minio:/data
     deploy:
       labels:
         backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        entrypoint: /abra-entrypoint.sh
+    configs:
+      - source: abra_entrypoint
+        target: /abra-entrypoint.sh
+        mode: 0555
+    secrets:
+      - minio_rp
+      - minio_ru
 
   web:
     image: nginx:1.29
@@ -201,6 +256,11 @@ services:
     networks:
       proxy:
       backend:
+    depends_on:
+      - backend
+      - app
+    environment:
+      - STACK_NAME
     deploy:
       labels:
         - "traefik.enable=true"
@@ -223,7 +283,40 @@ volumes:
 configs:
   nginx_conf:
     name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
-    file: nginx.conf
+    file: nginx.conf.tmpl
+    template_driver: golang
   pg_backup:
     name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
     file: pg_backup.sh
+  abra_entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ABRA_ENTRYPOINT_VERSION}
+    file: abra-entrypoint.sh
+
+secrets:
+  django_sk:
+    external: true
+    name: ${STACK_NAME}_django_sk_${SECRET_DJANGO_SK_VERSION}
+  oidc_rpcs:
+    external: true
+    name: ${STACK_NAME}_oidc_rpcs_${SECRET_OIDC_RPCS_VERSION}
+  django_sp:
+    external: true
+    name: ${STACK_NAME}_django_sp_${SECRET_DJANGO_SP_VERSION}
+  postgres_p:
+    external: true
+    name: ${STACK_NAME}_postgres_p_${SECRET_POSTGRES_P_VERSION}
+  collab_ss:
+    external: true
+    name: ${STACK_NAME}_collab_ss_${SECRET_COLLAB_SS_VERSION}
+  minio_rp:
+    external: true
+    name: ${STACK_NAME}_minio_rp_${SECRET_MINIO_RP_VERSION}
+  minio_ru:
+    external: true
+    name: ${STACK_NAME}_minio_ru_${SECRET_MINIO_RP_VERSION}
+  y_api_key:
+    external: true
+    name: ${STACK_NAME}_y_api_key_${SECRET_Y_API_KEY_VERSION}
+  email_pass:
+    external: true
+    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}

nginx.conf.tmpl

@@ -1,9 +1,9 @@
 upstream docs_backend {
-    server backend:8000 fail_timeout=0;
+    server {{ env "STACK_NAME" }}_backend:8000 fail_timeout=0;
 }
 
 upstream docs_frontend {
-    server app:8080 fail_timeout=0;
+    server {{ env "STACK_NAME" }}_app:8080 fail_timeout=0;
 }
 
 server {

pg_backup.sh

@@ -5,13 +5,12 @@ set -e
 BACKUP_FILE='/var/lib/postgresql/data/pgdata/backup.sql'
 
 function backup {
-  # export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
-  export PGPASSWORD="$POSTGRES_PASSWORD"
+  export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
   pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
 }
 
 function restore {
-    cd /var/lib/postgresql/data/
+    cd /var/lib/postgresql/data/pgdata/
     restore_config(){
         # Restore allowed connections
         cat pg_hba.conf.bak > pg_hba.conf

release/0.2.5+v4.4.0

@@ -0,0 +1,8 @@
+after upgrading to this version, its necessary to run the data migration again, via:
+
+`abra app cmd <app-name> backend migrate`
+
+this release updates to a new version that fixes a security vulnerability,
+in addition to adding new features
+
+

release/0.2.6+v4.5.0

@@ -0,0 +1,4 @@
+upgraded to v4.5.0, and also switched from postgres:16 to pgautoupgrade/pgautoupgrade:18-bookworm
+for automatic major version upgrades
+
+no actions by operator should be necessary