From b7b6fd7a2e31eff2fdcd122409e40d0e6a4a436b Mon Sep 17 00:00:00 2001
From: Pere Lev
Date: Sat, 19 Oct 2024 14:28:53 +0300
Subject: [PATCH] Docker: Update Dockerfile & Add docker-compose.yml (still tweaking the setup)
---
 .gitignore | 1 +
 Dockerfile | 3 +-
 INSTALL.md | 20 +-
 create-db.sql | 2 +
 docker-compose.yml | 42 ++++
 ...s-default.yaml => settings-sample-dev.yaml | 0
 settings-sample-prod.yaml | 191 ++++++++++++++++++
 src/Vervis/Application.hs | 3 +-
 8 files changed, 257 insertions(+), 5 deletions(-)
 create mode 100644 create-db.sql
 create mode 100644 docker-compose.yml
 rename settings-default.yaml => settings-sample-dev.yaml (100%)
 create mode 100644 settings-sample-prod.yaml
diff --git a/.gitignore b/.gitignore
index c0383d0..3364a91 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@ yesod-devel/
 # vervis
 lib/
 state/
+postgres15/
diff --git a/Dockerfile b/Dockerfile
index 06a5f11..81ef482 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -115,9 +115,10 @@ COPY --from=builder /build/artifacts/* /app/
 RUN mkdir /app/state /app/state/repos /app/state/deliveries && \
 chown vervis:vervis /app/state /app/static /app/log
-COPY settings-default.yaml /app/state/settings.yml
+# COPY settings-sample-prod.yaml /app/settings.yml
 RUN ssh-keygen -t rsa -m PEM -f /app/state/ssh-host-key
+VOLUME /app/settings.yml
 VOLUME /app/state
 RUN ls /app
diff --git a/INSTALL.md b/INSTALL.md
index d53c27c..fbbd897 100644
--- a/INSTALL.md
+++ b/INSTALL.md
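Review bot: `VOLUME /app/settings.yml` declares a file path as a volume mount point while the `COPY` that used to place a settings file there is now commented out, so a container run without an explicit `-v ./settings.yml:/app/settings.yml` gets an empty anonymous volume (a directory) at that path instead of a file, and the settings loader presumably fails on a directory rather than with a clear "settings file missing" error. `VOLUME` is meant for directories; for a single config file it is safer to drop this line and rely on the bind mount that docker-compose.yml in this commit already declares. The pre-existing `RUN ssh-keygen ...` line above still generates the SSH host private key at build time into an image layer, so every image pushed to the registry (the compose file pulls `codeberg.org/forgefed/vervis:v0.1`) carries that key; with `/app/state` bind-mounted it is shadowed at runtime, but a `# TODO: generate the host key at first start, not at build time` marker here would keep it from being forgotten.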
@@ -1,3 +1,16 @@
+# 2024 update - docker setup
+
+I'll update this file properly soon, but for now, instructions for deployment
+using docker:
+
+1. Create and edit `settings.yml` based on `settings-sample-prod.yml`
+2. Check out `create-db.sql`, update it if you want to tweak the DB config
+3. In `docker-compose.yml`, in particular update the database superuser
+ password
+4. Ready for launch! `docker compose up`
+
+---
+
 Vervis is still in early development and the build process gets updates once in a while, but this file tries to keep up and list the latest instructions for running a Vervis instance.
@@ -112,8 +125,9 @@ Generate a new SSH key with a blank password:
 Update the settings to specify correct database connection details and other settings.
- $ cp settings-default.yaml state/settings.yml
- $ vim state/settings.yml
+ # Pick the right settings-sample-* file
+ $ cp settings-sample-dev.yaml settings.yml
+ $ vim settings.yml
 Create a directory that will keep all the VCS repositories hosted by Vervis. Its name should match the `repo-dir` setting in `config/settings.yml`. For
@@ -163,7 +177,7 @@ generating the rest, run this:
 Run.
- $ stack run -- state/settings.yml
+ $ stack run -- settings.yml
 By default, Vervis is configured with User Registration disabled. This is to prevent any automatic spambot registration for bots that may be monitoring the
diff --git a/create-db.sql b/create-db.sql
new file mode 100644
index 0000000..2272bf0
--- /dev/null
+++ b/create-db.sql
@@ -0,0 +1,2 @@
+CREATE USER vervis WITH NOSUPERUSER NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD 'abc123' ;
+CREATE DATABASE vervis_production WITH OWNER vervis ENCODING UTF8 ;
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..1bdc15a
--- /dev/null
+++ b/docker-compose.yml
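Review bot: `ENCRYPTED PASSWORD 'abc123'` hard-codes the application role's password in a file that is committed and mounted into the database container, and INSTALL.md's step 3 only tells the operator to change the superuser password, so this one is easy to leave at the default; it also has to match the `PGPASS` default in settings-sample-prod.yaml, and that coupling is stated nowhere. A header comment such as `-- Runs once, when the empty data directory is first initialised; change the password here AND in settings.yml (PGPASS) before the first 'docker compose up'` would cover both points, since editing this file after the `./postgres15` directory exists has no effect. If the password should come from the environment instead, the postgres image also runs `*.sh` scripts from docker-entrypoint-initdb.d, where the container's environment variables are available to template the statement.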
@@ -0,0 +1,42 @@
+services:
+ db:
+ restart: always
+ image: postgres:15-bookworm
+ shm_size: 128mb
+ networks:
+ - internal_network
+ healthcheck:
+ test: ['CMD', 'pg_isready', '-U', 'postgres']
+ volumes:
+ - ./postgres15:/var/lib/postgresql/data
+ - ./create-db.sql:/docker-entrypoint-initdb.d/create_database.sql
+ environment:
+ POSTGRES_PASSWORD: "pg_superuser_password_xyz12345"
+
+ web:
+ # You can uncomment the following line if you want to not use the prebuilt
+ # image, for example if you have local code changes
+ #build: .
+ image: codeberg.org/forgefed/vervis:v0.1
+ restart: always
+ command: ./vervis settings.yml > log/vervis.log 2>&1
+ networks:
+ - external_network
+ - internal_network
+ healthcheck:
+ # prettier-ignore
+ # test: ['CMD-SHELL',"curl -s --noproxy localhost localhost:3000/health | grep -q 'OK' || exit 1"]
+ test: ['CMD-SHELL',"curl -s --noproxy localhost localhost:3000 | grep -q 'OK' || exit 1"]
+ ports:
+ - '127.0.0.1:3000:3000'
+ - '127.0.0.1:22:5022'
+ depends_on:
+ - db
+ volumes:
+ - ./state:/app/state
+ - ./settings.yml:/app/settings.yml
+
+networks:
+ external_network:
+ internal_network:
+ internal: true
diff --git a/settings-default.yaml b/settings-sample-dev.yaml
similarity index 100%
rename from settings-default.yaml
rename to settings-sample-dev.yaml
diff --git a/settings-sample-prod.yaml b/settings-sample-prod.yaml
new file mode 100644
index 0000000..072dd06
--- /dev/null
+++ b/settings-sample-prod.yaml
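Review bot: `command: ./vervis settings.yml > log/vervis.log 2>&1` is the string form of `command`, which Compose splits into words and hands to the entrypoint without a shell (unless the image's ENTRYPOINT is itself a shell wrapper, which this diff does not show), so `>`, `log/vervis.log` and `2>&1` arrive as extra arguments and getAppSettings in the src/Vervis/Application.hs hunk below throws `Expected 1 argument, the settings filename` for anything but one argument. Either wrap it, `command: ["sh", "-c", "./vervis settings.yml > log/vervis.log 2>&1"]`, or drop the redirection and let `docker compose logs` collect stdout/stderr. Separately, `POSTGRES_PASSWORD: "pg_superuser_password_xyz12345"` places the superuser secret in a file committed next to the code; `POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?set it in .env}"` keeps it out of the repository with no other change. The web healthcheck greps the root page for `OK`, a weaker signal than the commented-out `/health` probe; if that endpoint does not exist yet, a comment saying so would stop the next reader from re-enabling it.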
@@ -0,0 +1,191 @@
+# Values formatted like "_env:ENV_VAR_NAME:default_value" can be overridden by
+# the specified environment variable. See the Yesod wiki, Configuration page.
+
+###############################################################################
+# HTTP server
+###############################################################################
+
+# any IPv4 host
+host: "_env:HOST:*4"
+
+# The port `yesod devel` uses is distinct from this value. Set the
+# `yesod devel` port from the command line.
+http-port: "_env:PORT:3000"
+
+ip-from-header: "_env:IP_FROM_HEADER:false"
+
+# The instance's host (e.g. "mycoolforge.org"). Used for determining which
+# requests are federated and which are for this instance, and for generating
+# URLs. The database relies on this value, and you shouldn't change it once
+# you deploy an instance.
+instance-host: "_env:INSTANCE_HOST:dev.example.org"
+
+# How much time after the last request it takes for the session cookie to
+# expire
+client-session-timeout:
+ amount: 60
+ unit: days
+
+# Maximal accepted time difference between request date and current time, when
+# performing this check during HTTP signature verification
+request-time-limit:
+ amount: 5
+ unit: minutes
+
+# How often to generate a new actor key for HTTP-signing requests
+actor-key-rotation:
+ amount: 1
+ unit: days
+
+# Whether to use personal actor keys, or an instance-wide key
+per-actor-keys: false
+
+###############################################################################
+# Development
+###############################################################################
+
+# Optional values with the following production defaults.
+# In development, they default to the inverse.
+#
+# development: false
+# detailed-logging: false
+# should-log-all: false
+# mutable-static: false
+
+# This setting isn't used anymore (because no more need for SVG fonts)
+# load-font-from-lib-data: false
+
+###############################################################################
+# Database
+###############################################################################
+
+# If you need a numeric value (e.g. 123) to parse as a String, wrap it in
+# single quotes (e.g. "_env:PGPASS:'123'"). See the Yesod wiki, Configuration
+# page.
+
+database:
+ user: "_env:PGUSER:vervis"
+ password: "_env:PGPASS:abc123"
+ host: "_env:PGHOST:db"
+ port: "_env:PGPORT:5432"
+ database: "_env:PGDATABASE:vervis_production"
+ poolsize: "_env:PGPOOLSIZE:10"
+
+max-instance-keys: 2
+max-actor-keys: 2
+
+state-dir: state
+
+###############################################################################
+# Version control repositories
+###############################################################################
+
+diff-context-lines: 5
+post-receive-hook: /app/vervis-post-receive
+post-apply-hook: /app/vervis-post-apply
+
+###############################################################################
+# SSH server
+###############################################################################
+
+ssh-port: 5022
+
+###############################################################################
+# Accounts
+###############################################################################
+
+registration: false
+max-accounts: 3
+
+# Whether to verify users' email addresses by sending them email with a
+# verification link. If not set below, the default is not to verify in
+# development, and to verify otherwise.
+email-verification: true
+
+# Person usernames who are allowed to create Factory actors
+can-create-factories: []
+
+# KeyHashids of local Factory actors who will auto-send a develop-Grant to
+# every newly created account
+#
+# If empty or unset, and there's exactly 1 local factory in DB, it will
+# automatically become the resident
+resident-factories: []
+
+###############################################################################
+# Mail
+###############################################################################
+
+# Optional SMTP server settings for sending email. If not provided, no email
+# will be sent. The login field is optional, provide if you need SMTP
+# authentication.
+
+mail:
+ smtp:
+ login:
+ user: "_env:SMTPUSER:vervis@dev.example.org"
+ password: "_env:SMTPPASS:abcd0123456789"
+ host: "_env:SMTPHOST:smtp.example.org"
+ port: "_env:SMTPPORT:587"
+ sender:
+ name: "_env:SENDERNAME:Vervis"
+ email: "_env:SENDEREMAIL:vervis@dev.example.org"
+ allow-reply: false
+
+###############################################################################
+# Federation
+###############################################################################
+
+# Whether to support federation. This includes:
+#
+# * Accept activities from other servers in the inbox
+# * Accept activities from users in the outbox
+# * Deliver local activities to other servers
+federation: true
+
+# Whether to reject an HTTP signature when we want to insert a new key or usage
+# record but reached the limit setting
+reject-on-max-keys: true
+
+# The duration of time during which a remote actor is unreachable and we
+# periodically retry to deliver them activities. After that period of time, we
+# stop trying to deliver and we remove them from follower lists of local
+# actors.
+#
+# TODO this probably isn't working anymore since the switch to DeliveryTheater
+drop-delivery-after:
+ amount: 25
+ unit: weeks
+
+# Base of the exponential backoff for inbox POST delivery to remote actors,
+# i.e. how much time to wait before the first retry. Afterwards this time
+# interval will be doubled with each retry.
+retry-delivery-base:
+ amount: 5
+ unit: minutes
+
+# How many activities to remember in the debug report list, showing latest
+# activities received in local inboxes and the result of their processing.
+# 'null' means disable the report page entirely.
+#activity-debug-reports: 10
+
+# List of (hosts of) other known federating instances.
+#instances: []
+
+# Maximal length we allow for Grant chains (default: 16)
+max-grant-chain-length: 16
+
+###############################################################################
+# User interface
+###############################################################################
+
+# Default color scheme for syntax highlighing of code blocks inside rendered
+# documents. The available styles are listed in the "Text.Pandoc.Highlighting"
+# module documentation.
+highlight-style: zenburn
+
+# Color scheme to use for UI header, footer, links on pages etc., should help
+# with visually identifying instances that may otherwise look very much alike.
+# Any number is valid; the scheme is chosen via modulo the number of available
+# schemes.
+main-color: 0
diff --git a/src/Vervis/Application.hs b/src/Vervis/Application.hs
index 61544fb..44fd4dc 100644
--- a/src/Vervis/Application.hs
+++ b/src/Vervis/Application.hs
@@ -466,7 +466,7 @@ getAppSettings = do
 path <- do
 as <- getArgs
 case as of
- [] -> pure "state/settings.yml"
+ [] -> pure "settings.yml"
 [p] -> pure p
 _ -> throwIO $ userError "Expected 1 argument, the settings filename"
 loadYamlSettings [path] [] useEnv
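Review bot: The production sample ships working-looking credentials as defaults, `password: "_env:PGPASS:abc123"` and `password: "_env:SMTPPASS:abcd0123456789"`, which an operator following INSTALL.md's "copy and edit" step can easily leave in place; the database one is the same literal used in create-db.sql, so the two have to be changed together and nothing says so. An empty default such as `"_env:PGPASS:"` or an obviously fake placeholder marked `# CHANGE ME` would make a forgotten edit fail at startup instead of running with a password that is public in the repository. `ip-from-header: "_env:IP_FROM_HEADER:false"` is the right value for a directly exposed server, but docker-compose.yml publishes the ports on 127.0.0.1 only, so a reverse proxy is implied; a comment like `# Set to true only when a trusted reverse proxy in front of this container supplies the forwarded-for header` would keep operators from either logging the proxy's address for every client or trusting a header any client can set.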
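Review bot: The no-argument default is now `"settings.yml"`, a path relative to the process's working directory, so where the binary is launched from decides which file is read; a one-line comment on the branch, `[] -> pure "settings.yml"  -- default: settings.yml in the current working directory`, would make that intent explicit. The `_` branch would also be much easier to debug from a container log if it showed what it actually received, `_ -> throwIO $ userError $ "Expected 1 argument, the settings filename, got: " ++ show as`, since a shell-less `command:` in docker-compose.yml is exactly the kind of caller that trips it. getAppSettings starts outside the hunk.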
@@ -562,6 +562,7 @@ appMain :: IO ()
 appMain = do
 -- Remove in 2025
 moveFileIfExists "config/settings.yml" "state/settings.yml"
+ moveFileIfExists "state/settings.yml" "settings.yml"
 -- Get the settings from all relevant sources
 settings <- getAppSettings
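Review bot: `moveFileIfExists "state/settings.yml" "settings.yml"` runs unconditionally at startup, and in the docker-compose.yml layout of this commit `settings.yml` is a bind-mounted file while `state/` is a separate bind mount, so an operator upgrading with a settings file still in `./state` (where the removed Dockerfile line used to put it) makes this call target a mount point; depending on how moveFileIfExists is implemented, which is not in this diff, that may fail with EBUSY/EXDEV and abort startup, or silently replace the operator's freshly edited settings.yml before getAppSettings reads it. Skipping the move when the destination already exists, or at least logging which file was moved, would make this visible. The `-- Remove in 2025` comment should also say it covers both moves, e.g. `-- Remove in 2025: migrate legacy settings.yml locations (config/, then state/) to the working directory`. appMain continues outside the hunk.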