rename AI env vars for v5.x (AI_API_KEY -> OPENAI_SDK_API_KEY, AI_BASE_URL -> OPENAI_SDK_BASE_URL)

Reviewed-on: https://git.coopcloud.tech/coop-cloud/lasuite-docs/pulls/14

.env.sample

@@ -46,10 +46,11 @@ DJANGO_EMAIL_FROM=mail@example.com
 ##############################################################################
 # NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README
 OIDC_REALM=yourkeycloakrealm
-OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/certs
-OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/auth
-OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/token
-OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/userinfo
+AUTH_DOMAIN=yourkeycloakdomain
+OIDC_OP_JWKS_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/certs
+OIDC_OP_AUTHORIZATION_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/auth
+OIDC_OP_TOKEN_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/token
+OIDC_OP_USER_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/userinfo
 OIDC_RP_CLIENT_ID=yourkeycloakclientid
 OIDC_RP_SIGN_ALGO=RS256
 OIDC_RP_SCOPES="openid email"
@@ -65,3 +66,9 @@ OIDC_AUTH_REQUEST_EXTRA_PARAMS='{"acr_values": "eidas1"}'
 LOGGING_LEVEL_HANDLERS_CONSOLE=INFO
 LOGGING_LEVEL_LOGGERS_ROOT=INFO
 LOGGING_LEVEL_LOGGERS_APP=INFO
+
+##############################################################################
+# MIGRATIONS
+##############################################################################
+# Set to false to disable automatic migrations on backend startup
+# AUTO_MIGRATIONS=true

README.md

@@ -17,15 +17,66 @@
 
 ## Quick start
 
-* Deploy Single Sign On (see [Authentication](#authentication) below)
 * `abra app new lasuite-docs --secrets`
 * `abra app config <app-name>`
 * `abra app deploy <app-name>`
-* `abra app cmd <app-name> backend migrate`
-* `abra app restart <app-name> minio-bootstrap` (Note: this will appear to fail, but probably worked! Check `abra app logs <app-name> minio-bootstrap`)
 
-For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
+You should then be able to visit the landing page of your app, but not yet to login. To login, you need to deploy and integrate single sign on (described below in the "Configure Authentication" section).
 
-## Authentication
+* Migrations run automatically on backend startup. To trigger manually: `abra app cmd <app-name> backend migrate`
+* Minio buckets are created automatically on first deploy. To manually trigger: `abra app cmd <app-name> minio minio_initialize`
 
-Docs **requires** an OpenID Connect (OIDC) single sign-on provider; we recommend [Authentik](https://git.coopcloud.tech/coop-cloud/authentik) or [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), both of which are installable using Co-op Cloud.
+## Configure Authentication
+
+lasuite-docs **requires** an OpenID Connect (OIDC) single sign-on provider; deployment has been tested with [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), which we recommend, or you could also try [Authentik](https://git.coopcloud.tech/coop-cloud/authentik), both of which are installable using Co-op Cloud.
+
+Instructions for integrating keycloak with docs after deploying it, are below. 
+
+* In keycloak, create a realm (save the name of this realm, you will need it later)
+* Within that realm, create a client
+    * during client creation, ensure:
+        - Standard flow: True
+        - Direct access grants: True
+        - Authorization: True
+        - Client authentication: True
+        - PKCE method: none
+* Within the client tab, for your client, click on "Credentials". Click on the the copy button to copy "Client Secret" so you can insert this into your coop cloud deployment in the next step. 
+* `abra app secret insert <app-name> oidc_rpcs v2 <yoursecret>`
+* `abra app config <app-name>` # set SECRET_OIDC_RPCS_VERSION=v2
+
+* Now create a user for this client within keycloak. Within the Users tab, click "Add User". Any username and password works. Save this info.
+
+You then additionally need to modify the config of docs to point to your keycloak deployment.
+
+* `abra app config <app-name>`
+```
+OIDC_REALM=<the realm you configured in keycloak>
+AUTH_DOMAIN=<the domain of your keycloak instance>
+OIDC_RP_CLIENT_ID=<yourkeycloakclientid>
+```
+
+then redeploy docs:
+`abra app deploy <app-name> --force`
+
+at this point, when you go to your docs url, you shoud then be able to click "login" and login with the username and password for the user you created in keycloak.
+
+you can make additional users in keycloak for this "client" and they will all be able to login to docs and collaborate. 
+
+## Configure E-Mail
+
+Using `abra app config <app-name>` you need to set the following for your smtp server:
+
+```
+DJANGO_EMAIL_HOST="yourmailserver.com"
+DJANGO_EMAIL_PORT=1025
+DJANGO_EMAIL_FROM=noreply@example.com
+```
+
+You then need to insert the password for your smtp server as a secret:
+
+* `abra app secret insert <app-name> email_pass v2 <youremailpass>`
+* `abra app config <app-name>` # set SECRET_EMAIL_PASS_VERSION=v2
+
+Then redeploy the app, and automated e-mail sending should work:
+
+`abra app deploy <app-name> --force`

abra.sh

@@ -1,8 +1,10 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
-export ABRA_ENTRYPOINT_VERSION=v4
+export ABRA_ENTRYPOINT_VERSION=v5
 export NGINX_CONF_VERSION=v3
 export PG_BACKUP_VERSION=v3
+export MINIO_INITIALIZE_VERSION=v1
+export MIGRATE_VERSION=v1
 
 environment() {
   # this exports all the secrets as environment variables
@@ -10,6 +12,9 @@ environment() {
 }
 
 migrate() {
-  environment
-  python manage.py migrate --noinput
+  /migrate.sh
+}
+
+minio_initialize() {
+  /minio-initialize.sh
 }

compose.yml

@@ -1,4 +1,5 @@
----
+
+
 
 # NOTE: based on https://github.com/suitenumerique/docs/pull/855/ and https://github.com/suitenumerique/docs/pull/583/
 
@@ -48,10 +49,10 @@ x-common-env: &common-env
   LOGOUT_REDIRECT_URL:
   OIDC_REDIRECT_ALLOWED_HOSTS:
   OIDC_AUTH_REQUEST_EXTRA_PARAMS:
-  # AI (Fixme: remove?)
+  # AI
   AI_FEATURE_ENABLED: "false"
-  AI_BASE_URL: https://openaiendpoint.com
-  AI_API_KEY: password
+  OPENAI_SDK_BASE_URL: https://openaiendpoint.com
+  OPENAI_SDK_API_KEY: password
   AI_MODEL: llama
   # Collaboration
   COLLABORATION_API_URL: https://$DOMAIN/collaboration/api/
@@ -83,14 +84,15 @@ x-minio-env: &minio-env
 
 services:
   app:
-    image: lasuite/impress-frontend:v3.4.2
+    image: lasuite/impress-frontend:v5.1.0
     networks:
       - backend
     deploy:
       labels:
         - "traefik.enable=false"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=0.2.1+v3.4.2"
+        - "coop-cloud.${STACK_NAME}.version=0.3.0+v5.1.0"
+    user: "${DOCKER_USER:-1000}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8080"]
       interval: 15s
@@ -99,23 +101,29 @@ services:
       start_period: 10s
 
   backend:
-    image: lasuite/impress-backend:v3.4.2
+    image: lasuite/impress-backend:v5.1.0
     networks:
-      - backend 
+      - backend
     environment:
       <<: [*common-env, *postgres-env, *yprovider-env]
+      AUTO_MIGRATIONS: "${AUTO_MIGRATIONS:-true}"
     healthcheck:
       test: ["CMD", "/abra-entrypoint.sh", "python", "manage.py", "check"]
       interval: 15s
       timeout: 30s
       retries: 20
       start_period: 10s
+    user: "${DOCKER_USER:-1000}"
     command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"]
-    entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"]
+    entrypoint: >
+      sh -c "if [ \"$$AUTO_MIGRATIONS\" = \"true\" ]; then /migrate.sh; fi && exec /abra-entrypoint.sh /usr/local/bin/entrypoint \"$$@\"" --
     configs:
       - source: abra_entrypoint
         target: /abra-entrypoint.sh
         mode: 0555
+      - source: migrate
+        target: /migrate.sh
+        mode: 0555
     secrets:
       - django_sk
       - django_sp
@@ -128,9 +136,16 @@ services:
       - email_pass
 
   celery:
-    image: lasuite/impress-backend:v3.4.2
+    image: lasuite/impress-backend:v5.1.0
     networks:
-      - backend 
+      - backend
+    healthcheck:
+      test: ["CMD", "celery", "-A", "impress.celery_app", "inspect", "ping", "--timeout", "5"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    user: "${DOCKER_USER:-1000}"
     command: ["celery", "-A", "impress.celery_app", "worker", "-l", "INFO"]
     environment:
       <<: [*common-env, *postgres-env, *yprovider-env]
@@ -151,19 +166,26 @@ services:
 
 
   y-provider:
-    image: lasuite/impress-y-provider:v3.4.2
+    image: lasuite/impress-y-provider:v5.1.0
     networks:
-      - backend 
+      - backend
+    healthcheck:
+      # y-provider returns 403 on unauthenticated requests; wget exit 4 = network error (server down), anything else = server is responding
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:4444/ 2>/dev/null; test $$? -ne 4"]
+      interval: 15s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
     environment: *yprovider-env
+    user: "${DOCKER_USER:-1000}"
     entrypoint: >
       sh -c "export Y_PROVIDER_API_KEY=\"$$(cat /run/secrets/y_api_key)\" && exec /usr/local/bin/entrypoint \"$$@\"" --
     command: ["yarn", "start"]
-    # NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403
     secrets:
       - y_api_key
 
   db:
-    image: postgres:16
+    image: pgautoupgrade/pgautoupgrade:18-debian
     networks:
       - backend 
     healthcheck:
@@ -173,7 +195,7 @@ services:
       retries: 300
     environment:
       <<: *postgres-env
-      PGDATA: var/lib/postgresql/data/pgdata
+      PGDATA: /var/lib/postgresql/data/pgdata
     volumes:
       - postgres:/var/lib/postgresql/data/pgdata
     deploy:
@@ -190,32 +212,14 @@ services:
       - postgres_p
 
   redis:
-    image: redis:8
-    networks:
-      - backend 
-
-  minio-bootstrap:
-    # NOTE: Not started by default, only run with a manual `abra app restart` / `docker service scale`
-    image: minio/mc:RELEASE.2025-05-21T01-59-54Z
-    environment: *minio-env
+    image: redis:8.2.6
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 15s
+      timeout: 5s
+      retries: 3
     networks:
       - backend
-    entrypoint: >
-      sh -c "
-      MINIO_ROOT_USER=\"\$$(cat /run/secrets/minio_ru)\" &&   
-      MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" &&   
-      /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" &&
-      /usr/bin/mc mb --ignore-existing docs/docs-media-storage &&
-      /usr/bin/mc version enable docs/docs-media-storage &&
-      exit 0"
-    deploy:
-      mode: replicated
-      replicas: 0
-      restart_policy:
-        condition: none
-    secrets:
-      - minio_rp
-      - minio_ru
 
   minio:
     image: minio/minio:RELEASE.2025-05-24T17-08-30Z
@@ -226,9 +230,10 @@ services:
       timeout: 20s
       retries: 300
     networks:
-      - backend 
+      - backend
     command: minio server /data
-    entrypoint: ["/usr/bin/docker-entrypoint.sh"]
+    entrypoint: >
+      sh -c "/minio-initialize.sh & exec /usr/bin/docker-entrypoint.sh \"$$@\"" --
     volumes:
       - minio:/data
     deploy:
@@ -239,12 +244,21 @@ services:
       - source: abra_entrypoint
         target: /abra-entrypoint.sh
         mode: 0555
+      - source: minio_initialize
+        target: /minio-initialize.sh
+        mode: 0555
     secrets:
       - minio_rp
       - minio_ru
 
   web:
-    image: nginx:1.29
+    image: nginx:1.30.0
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8083"]
+      interval: 15s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
     configs:
       - source: nginx_conf
         target: /etc/nginx/conf.d/default.conf
@@ -286,6 +300,12 @@ configs:
   abra_entrypoint:
     name: ${STACK_NAME}_entrypoint_${ABRA_ENTRYPOINT_VERSION}
     file: abra-entrypoint.sh
+  minio_initialize:
+    name: ${STACK_NAME}_minio_initialize_${MINIO_INITIALIZE_VERSION}
+    file: minio-initialize.sh
+  migrate:
+    name: ${STACK_NAME}_migrate_${MIGRATE_VERSION}
+    file: migrate.sh
 
 secrets:
   django_sk:

migrate.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+
+# Load secrets into environment
+source /abra-entrypoint.sh -e
+
+# Wait for database to be ready (up to 30 seconds)
+i=0
+while ! python manage.py check --database default 2>/dev/null; do
+  i=$((i+1))
+  if [ "$i" -ge 30 ]; then
+    echo "migrate: timed out waiting for database" >&2
+    exit 1
+  fi
+  sleep 1
+done
+
+# Idempotent: skip if no pending migrations
+if python manage.py migrate --check > /dev/null 2>&1; then
+  echo "migrate: no pending migrations, skipping"
+  exit 0
+fi
+
+echo "migrate: applying pending migrations..."
+python manage.py migrate --noinput
+echo "migrate: done"

minio-initialize.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+# Wait for minio to be ready (up to 60 seconds)
+i=0
+while ! mc ready local 2>/dev/null; do
+  i=$((i+1))
+  if [ "$i" -ge 60 ]; then
+    echo "minio-initialize: timed out waiting for minio to be ready" >&2
+    exit 1
+  fi
+  sleep 1
+done
+
+MINIO_ROOT_USER="$(cat /run/secrets/minio_ru)"
+MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_rp)"
+
+mc alias set docs http://localhost:9000 "${MINIO_ROOT_USER}" "${MINIO_ROOT_PASSWORD}"
+
+# Idempotent: skip if bucket already exists
+if mc ls docs/docs-media-storage > /dev/null 2>&1; then
+  echo "minio-initialize: bucket 'docs-media-storage' already exists, skipping"
+  exit 0
+fi
+
+echo "minio-initialize: creating bucket 'docs-media-storage'..."
+mc mb docs/docs-media-storage
+mc version enable docs/docs-media-storage
+echo "minio-initialize: done"

pg_backup.sh

@@ -10,7 +10,7 @@ function backup {
 }
 
 function restore {
-    cd /var/lib/postgresql/data/
+    cd /var/lib/postgresql/data/pgdata/
     restore_config(){
         # Restore allowed connections
         cat pg_hba.conf.bak > pg_hba.conf

release/0.2.5+v4.4.0

@@ -0,0 +1,8 @@
+after upgrading to this version, its necessary to run the data migration again, via:
+
+`abra app cmd <app-name> backend migrate`
+
+this release updates to a new version that fixes a security vulnerability,
+in addition to adding new features
+
+

release/0.2.6+v4.5.0

@@ -0,0 +1,4 @@
+upgraded to v4.5.0, and also switched from postgres:16 to pgautoupgrade/pgautoupgrade:18-bookworm
+for automatic major version upgrades
+
+no actions by operator should be necessary