Update to 0.2.6+v4.5.0

- Upgrade app images to v4.5.0
- Switch from postgres:16 to pgautoupgrade/pgautoupgrade:18-debian for automatic major version upgrades
- Fix PGDATA relative path (add leading /)
- Fix pg_backup.sh restore path to match PGDATA

.env.sample

@@ -46,10 +46,11 @@ DJANGO_EMAIL_FROM=mail@example.com
 ##############################################################################
 # NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README
 OIDC_REALM=yourkeycloakrealm
-OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/certs
-OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/auth
-OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/token
-OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/userinfo
+AUTH_DOMAIN=yourkeycloakdomain
+OIDC_OP_JWKS_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/certs
+OIDC_OP_AUTHORIZATION_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/auth
+OIDC_OP_TOKEN_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/token
+OIDC_OP_USER_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/userinfo
 OIDC_RP_CLIENT_ID=yourkeycloakclientid
 OIDC_RP_SIGN_ALGO=RS256
 OIDC_RP_SCOPES="openid email"

README.md

@@ -17,15 +17,66 @@
 
 ## Quick start
 
-* Deploy Single Sign On (see [Authentication](#authentication) below)
 * `abra app new lasuite-docs --secrets`
 * `abra app config <app-name>`
 * `abra app deploy <app-name>`
 * `abra app cmd <app-name> backend migrate`
 * `abra app restart <app-name> minio-bootstrap` (Note: this will appear to fail, but probably worked! Check `abra app logs <app-name> minio-bootstrap`)
 
-For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
+You should then be able to visit the landing page of your app, but not yet to login. To login, you need to deploy and integrate single sign on (described below in the "Configure Authentication" section). 
 
-## Authentication
 
-Docs **requires** an OpenID Connect (OIDC) single sign-on provider; we recommend [Authentik](https://git.coopcloud.tech/coop-cloud/authentik) or [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), both of which are installable using Co-op Cloud.
+## Configure Authentication
+
+lasuite-docs **requires** an OpenID Connect (OIDC) single sign-on provider; deployment has been tested with [Keycloak](https://git.coopcloud.tech/coop-cloud/keycloak), which we recommend, or you could also try [Authentik](https://git.coopcloud.tech/coop-cloud/authentik), both of which are installable using Co-op Cloud.
+
+Instructions for integrating keycloak with docs after deploying it, are below. 
+
+* In keycloak, create a realm (save the name of this realm, you will need it later)
+* Within that realm, create a client
+    * during client creation, ensure:
+        - Standard flow: True
+        - Direct access grants: True
+        - Authorization: True
+        - Client authentication: True
+        - PKCE method: none
+* Within the client tab, for your client, click on "Credentials". Click on the the copy button to copy "Client Secret" so you can insert this into your coop cloud deployment in the next step. 
+* `abra app secret insert <app-name> oidc_rpcs v2 <yoursecret>`
+* `abra app config <app-name>` # set SECRET_OIDC_RPCS_VERSION=v2
+
+* Now create a user for this client within keycloak. Within the Users tab, click "Add User". Any username and password works. Save this info.
+
+You then additionally need to modify the config of docs to point to your keycloak deployment.
+
+* `abra app config <app-name>`
+```
+OIDC_REALM=<the realm you configured in keycloak>
+AUTH_DOMAIN=<the domain of your keycloak instance>
+OIDC_RP_CLIENT_ID=<yourkeycloakclientid>
+```
+
+then redeploy docs:
+`abra app deploy <app-name> --force`
+
+at this point, when you go to your docs url, you shoud then be able to click "login" and login with the username and password for the user you created in keycloak.
+
+you can make additional users in keycloak for this "client" and they will all be able to login to docs and collaborate. 
+
+## Configure E-Mail
+
+Using `abra app config <app-name>` you need to set the following for your smtp server:
+
+```
+DJANGO_EMAIL_HOST="yourmailserver.com"
+DJANGO_EMAIL_PORT=1025
+DJANGO_EMAIL_FROM=noreply@example.com
+```
+
+You then need to insert the password for your smtp server as a secret:
+
+* `abra app secret insert <app-name> email_pass v2 <youremailpass>`
+* `abra app config <app-name>` # set SECRET_EMAIL_PASS_VERSION=v2
+
+Then redeploy the app, and automated e-mail sending should work:
+
+`abra app deploy <app-name> --force`

compose.yml

@@ -1,4 +1,5 @@
----
+
+
 
 # NOTE: based on https://github.com/suitenumerique/docs/pull/855/ and https://github.com/suitenumerique/docs/pull/583/
 
@@ -83,14 +84,14 @@ x-minio-env: &minio-env
 
 services:
   app:
-    image: lasuite/impress-frontend:v4.0.0
+    image: lasuite/impress-frontend:v4.5.0
     networks:
       - backend
     deploy:
       labels:
         - "traefik.enable=false"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=0.2.4+v4.0.0"
+        - "coop-cloud.${STACK_NAME}.version=0.2.6+v4.5.0"
     user: "${DOCKER_USER:-1000}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8080"]
@@ -100,7 +101,7 @@ services:
       start_period: 10s
 
   backend:
-    image: lasuite/impress-backend:v4.0.0
+    image: lasuite/impress-backend:v4.5.0
     networks:
       - backend 
     environment:
@@ -130,7 +131,7 @@ services:
       - email_pass
 
   celery:
-    image: lasuite/impress-backend:v4.0.0
+    image: lasuite/impress-backend:v4.5.0
     networks:
       - backend
     user: "${DOCKER_USER:-1000}"
@@ -154,7 +155,7 @@ services:
 
 
   y-provider:
-    image: lasuite/impress-y-provider:v4.0.0
+    image: lasuite/impress-y-provider:v4.5.0
     networks:
       - backend 
     environment: *yprovider-env
@@ -167,7 +168,7 @@ services:
       - y_api_key
 
   db:
-    image: postgres:16
+    image: pgautoupgrade/pgautoupgrade:18-debian
     networks:
       - backend 
     healthcheck:
@@ -177,7 +178,7 @@ services:
       retries: 300
     environment:
       <<: *postgres-env
-      PGDATA: var/lib/postgresql/data/pgdata
+      PGDATA: /var/lib/postgresql/data/pgdata
     volumes:
       - postgres:/var/lib/postgresql/data/pgdata
     deploy:

pg_backup.sh

@@ -10,7 +10,7 @@ function backup {
 }
 
 function restore {
-    cd /var/lib/postgresql/data/
+    cd /var/lib/postgresql/data/pgdata/
     restore_config(){
         # Restore allowed connections
         cat pg_hba.conf.bak > pg_hba.conf

release/0.2.5+v4.4.0

@@ -0,0 +1,8 @@
+after upgrading to this version, its necessary to run the data migration again, via:
+
+`abra app cmd <app-name> backend migrate`
+
+this release updates to a new version that fixes a security vulnerability,
+in addition to adding new features
+
+

release/0.2.6+v4.5.0

@@ -0,0 +1,4 @@
+upgraded to v4.5.0, and also switched from postgres:16 to pgautoupgrade/pgautoupgrade:18-bookworm
+for automatic major version upgrades
+
+no actions by operator should be necessary