From b0384cf5547663693410ccba9ab38bde839387ea Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Sun, 13 Nov 2022 16:58:00 +0000 Subject: [PATCH] prod: lots of little hacks to get things working on the prod server --- Makefile | 6 +++++- env.production | 4 ++-- grafana.yaml | 5 ++--- hedgedoc.yaml | 9 ++++----- keycloak.yaml | 36 +++++++++--------------------------- keycloak/entrypoint-setup.sh | 15 ++++++++++++++- mastodon.yaml | 26 ++++++++++++++++---------- mastodon/entrypoint.sh | 5 ++++- mastodon/env.production | 2 +- matrix.yaml | 13 ++++++------- mobilizon.yaml | 10 +++++----- nextcloud.yaml | 9 ++++----- nextcloud/setup.sh | 9 ++++++++- nginx.yaml | 8 +++++--- 14 files changed, 85 insertions(+), 72 deletions(-) diff --git a/Makefile b/Makefile index d9ba2b0..8378b8a 100644 --- a/Makefile +++ b/Makefile @@ -41,6 +41,8 @@ mastodon-streaming-shell: $(DOCKER) exec mastodon-streaming bash matrix-shell: $(DOCKER) exec matrix-synapse bash +nextcloud-shell: + $(DOCKER) exec nextcloud bash matrix-logs: $(DOCKER) logs -f matrix-synapse nextcloud-logs: @@ -67,7 +69,7 @@ data/%/secrets: echo >>$@ "export $(GET_MODULE)_SESSION_SECRET=$(call RAND,20)" keycloak-setup: secrets-setup - $(DOCKER) run keycloak-setup + docker exec keycloak /setup.sh certbot: $(DOCKER) \ @@ -88,6 +90,8 @@ certbot: nginx-reload: $(DOCKER) restart nginx +nextcloud-restart: + $(DOCKER) restart nextcloud config: diff --git a/env.production b/env.production index 3330897..6b1e159 100644 --- a/env.production +++ b/env.production @@ -1,6 +1,6 @@ # Fill in with your top-level domain name and desired OAUTH realm name -DOMAIN_NAME=dev.v.st -REALM=hackerspace +DOMAIN_NAME=v.st +REALM=voidstar # Fill in with your SMTP server, if you have one SMTP_SERVER= diff --git a/grafana.yaml b/grafana.yaml index c3312a2..eefab2c 100644 --- a/grafana.yaml +++ b/grafana.yaml 
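Review bot: The rewritten `keycloak-setup` recipe in the second Makefile hunk calls `docker` literally while every other recipe on the page goes through `$(DOCKER)`, so an override such as `make DOCKER=podman` or `DOCKER='sudo docker'` silently bypasses this one target; change it to `$(DOCKER) exec keycloak /setup.sh`. The old `run keycloak-setup` form had the keycloak container brought up for it by the compose `depends_on`; `exec` requires `keycloak` to already be running, and the recipe's only prerequisite is `secrets-setup`, so on a fresh host the exec presumably fails unless something outside this hunk starts the service first. The new `nextcloud-shell` and `nextcloud-restart` targets (first and third hunks) are commands rather than files; whether they are covered by a `.PHONY` declaration is not visible here.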
@@ -36,8 +36,7 @@ services: - ./grafana/nginx.conf:/etc/nginx/templates/grafana.conf.template:ro # add the grafana client secrets to the keycloak-setup volume - keycloak-setup: - env_file: - - data/grafana/secrets + keycloak: volumes: - ./grafana/keycloak.sh:/keycloak-setup/grafana.sh:ro + - ./data/grafana/secrets:/run/secrets/grafana:ro diff --git a/hedgedoc.yaml b/hedgedoc.yaml index 6828dd4..57db592 100644 --- a/hedgedoc.yaml +++ b/hedgedoc.yaml @@ -1,4 +1,4 @@ -version: '3.9' +version: '3' services: hedgedoc-db: image: postgres:13.4-alpine @@ -35,7 +35,7 @@ services: - CMD_OAUTH2_CLIENT_SECRET=${HEDGEDOC_CLIENT_SECRET} - CMD_SESSION_SECRET=${HEDGEDOC_SESSION_SECRET} env_file: - - env.production + - ./env.production volumes: - ./data/hedgedoc/uploads:/hedgedoc/public/uploads # ports: @@ -51,8 +51,7 @@ services: - ./hedgedoc/nginx.conf:/etc/nginx/templates/hedgedoc.conf.template:ro # add the hedgedoc client secrets to the keycloak-setup volume - keycloak-setup: - env_file: - - data/hedgedoc/secrets + keycloak: volumes: - ./hedgedoc/keycloak.sh:/keycloak-setup/hedgedoc.sh:ro + - ./data/hedgedoc/secrets:/run/secrets/hedgedoc:ro diff --git a/keycloak.yaml b/keycloak.yaml index ad6cc6b..29af26b 100644 --- a/keycloak.yaml +++ b/keycloak.yaml @@ -1,4 +1,4 @@ -version: '3.9' +version: '3' services: keycloak-db: image: mysql:5.7 @@ -13,7 +13,7 @@ services: MYSQL_PASSWORD: password keycloak: - image: quay.io/keycloak/keycloak:18.0.0 + image: quay.io/keycloak/keycloak:18.0 restart: always container_name: keycloak entrypoint: /opt/keycloak/bin/kc.sh start --hostname="$${KEYCLOAK_HOSTNAME}.$${DOMAIN_NAME}" --proxy=edge @@ -23,9 +23,6 @@ services: # timeout: 10s # retries: 3 user: "0:0" # otherwise the persistent data directory is not writable - env_file: - - env.production - - data/keycloak/secrets environment: DB_VENDOR: MYSQL DB_ADDR: keycloak-db 
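Review bot: The context comment `# add the grafana client secrets to the keycloak-setup volume` now sits above a `keycloak:` override once the `keycloak-setup` service is gone, so it describes a service that no longer exists; the same stale comment survives in the hedgedoc.yaml hunk at -51 and the mastodon.yaml hunk at -186. Suggested wording: `# mount the grafana setup script and client secrets into the keycloak container`. The secrets file is now bind-mounted read-only at /run/secrets/grafana and, per the entrypoint-setup.sh hunk, sourced as shell, which matches the `export …` lines the Makefile's `data/%/secrets` recipe writes; it also means the long-running keycloak container, rather than a one-shot setup container, now holds every module's client secrets, which deserves a comment where the mounts are declared.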
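Review bot: In the keycloak.yaml hunk at -13 the image changes from the fixed `quay.io/keycloak/keycloak:18.0.0` to the floating `18.0` tag, so the image picked up by a pull on the prod server can change without any change to this repository. If the motivation is that the exact 18.0.0 tag is no longer published, pin to the specific patch version that is available (or to a digest) so deployments stay reproducible; otherwise keep the old pin. Either way a comment such as `# pinned on purpose; bump deliberately` next to the tag records the intent.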
@@ -33,35 +30,20 @@ services: DB_USER: keycloak DB_PASSWORD: password KEYCLOAK_ADMIN: admin - KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} + KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} PROXY_ADDRESS_FORWARDING: 'true' - # KEYCLOAK_ADMIN_PASSWORD is set in env.secrets + env_file: + - ./env.production volumes: - ./data/keycloak/certs:/etc/x509/https - ./data/keycloak/keycloak:/opt/keycloak/data + - ./keycloak/client-create:/bin/client-create:ro + - ./keycloak/entrypoint-setup.sh:/setup.sh:ro + - ./keycloak/mail-setup.sh:/keycloak-setup/mail-setup.sh:ro + - ./data/keycloak/secrets:/run/secrets/keycloak-secrets:ro depends_on: - keycloak-db - # all of the various subdomains can install files in - # /keycloak-setup/ to be executed during the setup phase - # to enable their clients using the client-create tool - keycloak-setup: - image: quay.io/keycloak/keycloak:18.0.0 - container_name: keycloak-setup - profiles: - - setup - depends_on: - - keycloak - restart: never - env_file: - - env.production - - data/keycloak/secrets - entrypoint: /entrypoint.sh - volumes: - - ./keycloak/entrypoint-setup.sh:/entrypoint.sh:ro - - ./keycloak/mail-setup.sh:/keycloak-setup/mail-setup.sh:ro - - ./keycloak/client-create:/bin/client-create:ro - # add the keycloak nginx configuration into the nginx volume nginx: volumes: diff --git a/keycloak/entrypoint-setup.sh b/keycloak/entrypoint-setup.sh index 051bff2..de25aad 100755 --- a/keycloak/entrypoint-setup.sh +++ b/keycloak/entrypoint-setup.sh @@ -1,7 +1,11 @@ -#!/bin/bash +#!/bin/bash -x export PATH=/opt/keycloak/bin:$PATH +for file in /run/secrets/* ; do + . "$file" +done + # perform an authentication as admin so that all other scripts can # use the cached credentials 
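Review bot: The deleted block comment explaining that each module drops a script into `/keycloak-setup/` to have its client created with `client-create` goes away together with the `keycloak-setup` service, but the convention itself survives: the same scripts are now mounted into the `keycloak` service's volumes in this hunk. Keep that explanation as a comment above the new `./keycloak/client-create`, `./keycloak/entrypoint-setup.sh` and `mail-setup.sh` volume lines so the next reader knows why a production container carries setup tooling. A naming point: this file mounts its secrets at `/run/secrets/keycloak-secrets` while grafana, hedgedoc and mastodon use `/run/secrets/<module>`; `/run/secrets/keycloak` would match. The `KEYCLOAK_PASSWORD` → `KEYCLOAK_ADMIN_PASSWORD` rename matches the bootstrap admin variable the Quarkus-based 18.x image documents, so that part of the hunk looks right.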
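Review bot: The shebang becomes `#!/bin/bash -x` in the same hunk that starts sourcing `/run/secrets/*`, and xtrace also echoes the commands executed from a sourced file, so every `export *_CLIENT_SECRET=…` / `*_SESSION_SECRET=…` line written by the Makefile's `data/%/secrets` recipe is printed to stderr whenever `make keycloak-setup` runs, landing in the operator's terminal and in any CI or shell log that captures that output. The kcadm.sh login that follows the hunk (its `--realm master` tail is visible at the start of the next hunk) will be traced the same way if it passes the admin password on its command line — confirm. Suppress tracing around the secret-handling lines, e.g. `set +x` before `for file in /run/secrets/* ; do` and `set -x` after `done`, or drop `-x` from the shebang and enable it only after the credentials have been loaded.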
@@ -13,6 +17,15 @@ kcadm.sh \ --realm master \ || exit 1 +if ! kcadm.sh get realms/$REALM ; then + echo >&2 "***** Creating realm $REALM" + kcadm.sh \ + create realms \ + -s "realm=$REALM" \ + -s enabled=true \ + || exit 1 +fi + for file in /keycloak-setup/* ; do echo >&2 "$file: running setup" $file || exit 1 diff --git a/mastodon.yaml b/mastodon.yaml index 04e4c36..aba46af 100644 --- a/mastodon.yaml +++ b/mastodon.yaml @@ -11,12 +11,14 @@ services: test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"] volumes: - ./data/mastodon/database:/var/lib/postgresql/data + - ../prod.dump:/prod.dump:ro environment: - POSTGRES_USER=mastodon - POSTGRES_PASSWORD=mastodon - #- POSTGRES_DB=mastodon_production + - POSTGRES_DB=mastodon_production env_file: - - mastodon/env.production + - ./env.production + - ./mastodon/env.production mastodon-redis: image: redis:6-alpine @@ -27,7 +29,8 @@ services: healthcheck: test: ['CMD', 'redis-cli', 'ping'] env_file: - - mastodon/env.production + - ./env.production + - ./mastodon/env.production volumes: - ./data/mastodon/redis:/data @@ -41,7 +44,8 @@ services: - "discovery.type=single-node" - "bootstrap.memory_lock=true" env_file: - - mastodon/env.production + - ./env.production + - ./mastodon/env.production # networks: # - internal_network healthcheck: @@ -78,7 +82,8 @@ services: - ./data/mastodon/system:/mastodon/public/system - ./mastodon/entrypoint.sh:/entrypoint.sh:ro env_file: - - mastodon/env.production + - ./env.production + - ./mastodon/env.production environment: - WEB_DOMAIN=$MASTODON_HOSTNAME.$DOMAIN_NAME - LOCAL_DOMAIN=$DOMAIN_NAME @@ -113,7 +118,8 @@ services: - SMTP_PASSWORD=$SMTP_PASSWORD - SMTP_FROM_ADDRESS=mastodon@$DOMAIN_NAME env_file: - - mastodon/env.production + - ./env.production + - ./mastodon/env.production command: node ./streaming # networks: # - external_network 
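Review bot: `kcadm.sh get realms/$REALM` in the new realm-creation check leaves `$REALM` unquoted and unguarded: with REALM unset or empty the request becomes `realms/`, which lists all realms and succeeds, so the script silently skips creation and the module scripts later run against a realm that does not exist. Add `: "${REALM:?REALM must be set}"` before the `if` and write the check as `if ! kcadm.sh get "realms/$REALM" >/dev/null ; then` — the redirect also stops the full realm JSON being dumped to stdout on every run. Note that any non-zero exit from the GET (transport error, expired login) is treated as "realm missing" and followed by a create; whether kcadm distinguishes those cases by exit code is not visible here.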
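Review bot: `- ../prod.dump:/prod.dump:ro` in the mastodon-db service bind-mounts a path outside the repository that exists only on this server; with the short volume syntax Docker creates an empty directory at `../prod.dump` when the host path is missing, so on any other host the container comes up with a directory where a restore expects a file. Either mark it as a one-off (`# one-off restore of the production dump; remove once imported`) or move it to an uncommitted compose override file. The same set of hunks adds `./env.production` to the env_file of mastodon-db, mastodon-redis and mastodon-es (hunks at -11, -27, -41) as well as to the application services; env.production carries at least the SMTP settings seen in its own hunk, and the database, cache and search containers have no use for SMTP or OAuth values, so limiting the addition to web, streaming and sidekiq (hunks at -78, -113, -132) keeps credentials out of containers that do not need them.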
@@ -132,7 +138,8 @@ services: restart: always container_name: mastodon-sidekiq env_file: - - mastodon/env.production + - ./env.production + - ./mastodon/env.production environment: - WEB_DOMAIN=$MASTODON_HOSTNAME.$DOMAIN_NAME - LOCAL_DOMAIN=$DOMAIN_NAME @@ -186,11 +193,10 @@ services: - ./data/mastodon/system/accounts:/mastodon/system/accounts:ro # add the subdomain client secrets to the keycloak-setup volume - keycloak-setup: - env_file: - - data/mastodon/secrets + keycloak: volumes: - ./mastodon/keycloak.sh:/keycloak-setup/mastodon.sh:ro + - ./data/mastodon/secrets:/run/secrets/mastodon:ro #networks: # external_network: diff --git a/mastodon/entrypoint.sh b/mastodon/entrypoint.sh index bae2cb8..cf9b3cc 100755 --- a/mastodon/entrypoint.sh +++ b/mastodon/entrypoint.sh @@ -6,7 +6,10 @@ export MASTODON_DIR=/mastodon/public/system export VAPID_KEY="$MASTODON_DIR/vapid_key" export DB_SETUP="$MASTODON_DIR/db_done" -chown -R mastodon:mastodon "$MASTODON_DIR" +if [ ! -r "$DB_SETUP" ]; then + echo >&2 "*** Setting permissions on $MASTODON_DIR" + chown -R mastodon:mastodon "$MASTODON_DIR" +fi exec su mastodon <&2 "**** installing nextcloud" NEXTCLOUD_UPDATE=1 bash /entrypoint.sh date || exit 1 +echo >&2 "***** Waiting for nextcloud for ${DOMAIN_NAME}" +sleep 10 +occ status + echo >&2 "***** Setting up nextcloud for ${DOMAIN_NAME}" -occ() { su -p www-data -s /bin/sh -c "php /var/www/html/occ $*" ; } + #occ maintenance:install || exit 1 PROVIDER="$(cat <