Docker: Config volume & State preparation when using docker-compose

NOTE: The docker setup is still WIP, production deployment is
discouraged until you see the container image uploaded to the project's Package
Registry on Codeberg

Dockerfile

@@ -80,6 +80,11 @@ RUN ls -lh /build/artifacts
 
 FROM debian:bookworm
 
+# Linux UID (user id) for the vervis user, change with [--build-arg UID=1234]
+ARG UID="991"
+# Linux GID (group id) for the vervis user, change with [--build-arg GID=1234]
+ARG GID="991"
+
 RUN apt-get -yq update && apt-get -yq install \
     ca-certificates \
     curl \
@@ -103,22 +108,32 @@ ENV \
     LC_ALL=en_US.UTF-8 \
     TZ=Etc/UTC
 
-RUN groupadd vervis && useradd -l -g vervis -m -d /app vervis
+RUN groupadd -g "${GID}" vervis && \
+    useradd -l -u "${UID}" -g vervis -m -d /app vervis
 
 WORKDIR /app
 
 EXPOSE 3000
 EXPOSE 5022
 
-RUN mkdir /app/static /app/log
+RUN mkdir /app/static /app/log /app/config
 COPY --from=builder /build/artifacts/* /app/
 
+## The next 3 lines, which prepare the state dir and SSH key, aren't needed
+## when using docker-compose, because it prepares and sets its own ./state
+## volume.
+##
+## Probably this applies to COPYing config as well, and the VOLUME lines.
+##
+## But we keep these lines in case someone uses this Dockerfile without
+## docker-compose.
 RUN mkdir /app/state /app/state/repos /app/state/deliveries && \
-    chown vervis:vervis /app/state /app/static /app/log
+    ssh-keygen -t rsa -m PEM -f /app/state/ssh-host-key && \
-# COPY settings-sample-prod.yaml /app/settings.yml
+    chown vervis:vervis /app/state && \
-RUN ssh-keygen -t rsa -m PEM -f /app/state/ssh-host-key
+    chown vervis:vervis /app/static /app/log
+COPY config /app/config
 
-VOLUME /app/settings.yml
+VOLUME /app/config
 VOLUME /app/state
 
 RUN ls /app

INSTALL.md

@@ -3,11 +3,13 @@
 I'll update this file properly soon, but for now, instructions for deployment
 using docker:
 
-1. Create and edit `settings.yml` based on `settings-sample-prod.yml`
+1. In `create-db.sql`, update the `vervis` DB user's password
-2. Check out `create-db.sql`, update it if you want to tweak the DB config
+2. Create and edit `config/settings.yml` based on
-3. In `docker-compose.yml`, in particular update the database superuser
+   `config/settings-sample-prod.yml`, remember to set the same DB password here
-   password
+3. In `docker-compose.yml`, update the database superuser password (it's the
-4. Ready for launch! `docker compose up`
+   password for the `postgres` superuser, not `vervis`)
+4. Create initial state: `./prepare-state.sh`
+5. Ready for launch! `docker-compose up -d`
 
 ---
 
@@ -21,7 +23,7 @@ steps below.
 UPDATE: There is a binary build you can use instead of building from source. It
 can be found [here](https://box.angeley.es/nextcloud/s/oWHmQDtWTAfPR4Z). If you
 use it, verify the download using `sha256sum` and `gpg`, make sure the settings
-in your `settings.yml` (see below) match the downloaded file paths, and run the
+in your `config/settings.yml` (see below) match the downloaded file paths, and run the
 web app using `./bin/vervis` and not `stack run`. This may be confusing;
 hopefully I'll make a nicer binary release soon :)
 
@@ -126,18 +128,14 @@ Update the settings to specify correct database connection details and other
 settings.
 
     # Pick the right settings-sample-* file
-    $ cp settings-sample-dev.yaml settings.yml
+    $ cp config/settings-sample-dev.yaml config/settings.yml
-    $ vim settings.yml
+    $ vim config/settings.yml
 
 Create a directory that will keep all the VCS repositories hosted by Vervis.
-Its name should match the `repo-dir` setting in `config/settings.yml`. For
-example, if you're keeping the default name:
 
     $ mkdir state/repos
 
-Create a directory that will keep remote delivery state. Its name should match
+Create a directory that will keep remote delivery state.
-the `delivery-state-dir` setting in `config/settings.yml`. For example, if
-you're keeping the default name:
 
     $ mkdir state/delivery-states
 
@@ -177,7 +175,7 @@ generating the rest, run this:
 
 Run.
 
-    $ stack run -- settings.yml
+    $ stack run -- config/settings.yml
 
 By default, Vervis is configured with User Registration disabled.  This is to
 prevent any automatic spambot registration for bots that may be monitoring the

docker-compose.yml

@@ -19,7 +19,7 @@ services:
     #build: .
     image: codeberg.org/forgefed/vervis:v0.1
     restart: always
-    command: ./vervis settings.yml > log/vervis.log 2>&1
+    command: ./vervis config/settings.yml > log/vervis.log 2>&1
     networks:
       - external_network
       - internal_network
@@ -34,7 +34,7 @@ services:
       - db
     volumes:
       - ./state:/app/state
-      - ./settings.yml:/app/settings.yml
+      - ./config:/app/config
 
 networks:
   external_network:

prepare-state.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+mkdir state state/repos state/deliveries
+ssh-keygen -t rsa -m PEM -N '' -f state/ssh-host-key
+sudo chown -R 991:991 state

src/Vervis/Application.hs

@@ -466,7 +466,7 @@ getAppSettings = do
     path <- do
         as <- getArgs
         case as of
-            [] -> pure "settings.yml"
+            [] -> pure "config/settings.yml"
             [p] -> pure p
             _ -> throwIO $ userError "Expected 1 argument, the settings filename"
     loadYamlSettings [path] [] useEnv
@@ -560,10 +560,6 @@ fillPermitRecords = do
 -- | The @main@ function for an executable running this site.
 appMain :: IO ()
 appMain = do
-    -- Remove in 2025
-    moveFileIfExists "config/settings.yml" "state/settings.yml"
-    moveFileIfExists "state/settings.yml" "settings.yml"
-
     -- Get the settings from all relevant sources
     settings <- getAppSettings