Merge pull request #383 from getodk/next

Release v2023.2

.circleci/config.yml

@@ -7,23 +7,28 @@ jobs:
     steps:
       - checkout
 
+      - run: sudo apt install shellcheck
+      - run: cat <(git grep -El '^#!.*sh\b') <(git ls-files | grep -E '.sh$') | sort -u | grep -v '/wait-for-it.sh$' | xargs shellcheck --exclude=SC2016
+
       - run: git submodule update -i
 
       - run: |
           echo 'SSL_TYPE=selfsign
           DOMAIN=local
           [email protected]' > .env
 
-      - run: docker-compose build
+      - run: touch ./files/allow-postgres14-upgrade
+
+      - run: docker compose build
 
       - run:
           # we allow a long retry period for the first check because the first-run
           # nginx setup could take several minutes due to key generation.
           name: Verify frontend and backend load
           command: |
             set -x
-            docker-compose up -d
-            CONTAINER_NAME=$(docker inspect -f '{{.Name}}' $(docker-compose ps -q nginx) | cut -c2-)
+            docker compose up -d
+            CONTAINER_NAME=$(docker inspect -f '{{.Name}}' $(docker compose ps -q nginx) | cut -c2-)
             docker run --network container:$CONTAINER_NAME \
               appropriate/curl -4 --insecure --retry 30 --retry-delay 10 --retry-connrefused https://localhost/ \
               | tee /dev/tty \
@@ -32,3 +37,4 @@ jobs:
               appropriate/curl -4 --insecure --retry 20 --retry-delay 2 --retry-connrefused https://localhost/v1/projects \
               | tee /dev/tty \
               | grep -q '\[\]'
+            docker compose exec -T service pm2 list | grep -c "online" | grep -q 4 || exit 1

.env.template

@@ -10,3 +10,26 @@ SSL_TYPE=letsencrypt
 # Do not change if using SSL_TYPE=letsencrypt
 HTTP_PORT=80
 HTTPS_PORT=443
+
+# Optional: configure Node
+# SERVICE_NODE_OPTIONS=
+
+# Optional: connect to a custom database server
+# DB_HOST=
+# DB_USER=
+# DB_PASSWORD=
+# DB_NAME=
+
+# Optional: configure a custom mail server
+# EMAIL_FROM=
+# EMAIL_HOST=
+# EMAIL_PORT=
+# EMAIL_SECURE=
+# EMAIL_IGNORE_TLS=
+# EMAIL_USER=
+# EMAIL_PASSWORD=
+
+# Optional: configure error reporting
+# SENTRY_ORG_SUBDOMAIN=
+# SENTRY_KEY=
+# SENTRY_PROJECT=

.gitignore

@@ -3,3 +3,9 @@
 *.swo
 /.env
 /version.txt
+
+/files/allow-postgres14-upgrade
+/files/postgres14/upgrade/*
+!/files/postgres14/upgrade/check-available-space
+
+/files/local/customssl/*.pem

docker-compose.yml

@@ -1,16 +1,33 @@
 version: "3"
 services:
-  postgres:
-    image: "postgres:9.6"
+  postgres14:
+    build:
+      context: .
+      dockerfile: postgres14.dockerfile
     volumes:
-      - /var/lib/postgresql/data
+      - postgres14:/var/lib/odk/postgresql/14
     environment:
       POSTGRES_USER: odk
       POSTGRES_PASSWORD: odk
       POSTGRES_DATABASE: odk
     restart: always
+  postgres:
+    # This service upgrades from postgres 9.6 to 14.
+    # The legacy name must be maintained to allow access to the anonymous volume.
+    build:
+      context: .
+      dockerfile: postgres-upgrade.dockerfile
+    volumes:
+      - /var/lib/postgresql/data
+      - postgres14:/var/lib/postgresql/14
+      - ./files/postgres14/upgrade:/postgres14-upgrade
+    environment:
+      PGUSER: odk
+      POSTGRES_INITDB_ARGS: -U odk
+      POSTGRES_PASSWORD: odk
+      POSTGRES_DATABASE: odk
   mail:
-    image: "itsissa/namshi-smtp:4.92-8.deb10u6"
+    image: "ixdotai/smtp:v0.2.0"
     volumes:
       - ./files/dkim/config:/etc/exim4/_docker_additional_macros:ro
       - ./files/dkim/rsa.private:/etc/exim4/domain.key:ro
@@ -23,7 +40,7 @@ services:
       dockerfile: service.dockerfile
     depends_on:
       - secrets
-      - postgres
+      - postgres14
       - mail
       - pyxform
       - enketo
@@ -32,9 +49,25 @@ services:
       - /data/transfer:/data/transfer
     environment:
       - DOMAIN=${DOMAIN}
-      - HTTPS_PORT=${HTTPS_PORT:-443}
       - SYSADMIN_EMAIL=${SYSADMIN_EMAIL}
-    command: [ "./wait-for-it.sh", "postgres:5432", "--", "./start-odk.sh" ]
+      - HTTPS_PORT=${HTTPS_PORT:-443}
+      - NODE_OPTIONS=${SERVICE_NODE_OPTIONS:-''}
+      - DB_HOST=${DB_HOST:-postgres14}
+      - DB_USER=${DB_USER:-odk}
+      - DB_PASSWORD=${DB_PASSWORD:-odk}
+      - DB_NAME=${DB_NAME:-odk}
+      - DB_SSL=${DB_SSL:-null}
+      - EMAIL_FROM=${EMAIL_FROM:-no-reply@${DOMAIN}}
+      - EMAIL_HOST=${EMAIL_HOST:-mail}
+      - EMAIL_PORT=${EMAIL_PORT:-25}
+      - EMAIL_SECURE=${EMAIL_SECURE:-false}
+      - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
+      - EMAIL_USER=${EMAIL_USER:-''}
+      - EMAIL_PASSWORD=${EMAIL_PASSWORD:-''}
+      - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
+      - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
+      - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
+    command: [ "./wait-for-it.sh", "${DB_HOST:-postgres14}:5432", "--", "./start-odk.sh" ]
     restart: always
     logging:
       driver: local
@@ -46,9 +79,12 @@ services:
       - service
       - enketo
     environment:
-      - SSL_TYPE=${SSL_TYPE:-letsencrypt}
       - DOMAIN=${DOMAIN}
       - CERTBOT_EMAIL=${SYSADMIN_EMAIL}
+      - SSL_TYPE=${SSL_TYPE:-letsencrypt}
+      - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
+      - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
+      - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
     ports:
       - "${HTTP_PORT:-80}:80"
       - "${HTTPS_PORT:-443}:443"
@@ -85,7 +121,7 @@ services:
       - SUPPORT_EMAIL=${SYSADMIN_EMAIL}
       - HTTPS_PORT=${HTTPS_PORT:-443}
   enketo_redis_main:
-    image: redis:5
+    image: redis:7.0.8
     volumes:
       - ./files/enketo/redis-enketo-main.conf:/usr/local/etc/redis/redis.conf:ro
       - enketo_redis_main:/data
@@ -94,7 +130,7 @@ services:
       - /usr/local/etc/redis/redis.conf
     restart: always
   enketo_redis_cache:
-    image: redis:5
+    image: redis:7.0.8
     volumes:
       - ./files/enketo/redis-enketo-cache.conf:/usr/local/etc/redis/redis.conf:ro
       - enketo_redis_cache:/data
@@ -103,7 +139,8 @@ services:
       - /usr/local/etc/redis/redis.conf
     restart: always
 volumes:
+  secrets:
   transfer:
+  postgres14:
   enketo_redis_main:
   enketo_redis_cache:
-  secrets:

enketo.dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/enketo/enketo-express:5.0.2
+FROM ghcr.io/enketo/enketo-express:6.0.0
 
 ENV ENKETO_SRC_DIR=/srv/src/enketo_express
 WORKDIR ${ENKETO_SRC_DIR}
@@ -14,7 +14,8 @@ COPY files/enketo/config.json.template ${ENKETO_SRC_DIR}/config/config.json.temp
 COPY files/enketo/config.json.template ${ENKETO_SRC_DIR}/config/config.json
 COPY files/enketo/start-enketo.sh ${ENKETO_SRC_DIR}/start-enketo.sh
 
-RUN apt-get update; apt-get install gettext-base
+RUN apt-get update && \
+    apt-get install gettext-base
 
 EXPOSE 8005
 

files/enketo/config.json.template

@@ -8,7 +8,7 @@
         "api key": "${API_KEY}",
         "authentication": {
             "type": "cookie",
-            "url": "https://${DOMAIN}:${HTTPS_PORT}/#/login?next={RETURNURL}"
+            "url": "${BASE_URL}/#/login?next={RETURNURL}"
         },
         "name": "ODK Central",
         "server url": "${DOMAIN}"

files/enketo/start-enketo.sh

@@ -2,8 +2,14 @@
 
 CONFIG_PATH=${ENKETO_SRC_DIR}/config/config.json
 echo "generating enketo configuration.."
-/bin/bash -c "SECRET=$(cat /etc/secrets/enketo-secret) LESS_SECRET=$(cat /etc/secrets/enketo-less-secret) API_KEY=$(cat /etc/secrets/enketo-api-key) envsubst '\$DOMAIN\$HTTPS_PORT:\$SECRET:\$LESS_SECRET:\$API_KEY:\$SUPPORT_EMAIL' < ${CONFIG_PATH}.template > $CONFIG_PATH"
+
+BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
+SECRET=$(cat /etc/secrets/enketo-secret) \
+LESS_SECRET=$(cat /etc/secrets/enketo-less-secret) \
+API_KEY=$(cat /etc/secrets/enketo-api-key) \
+envsubst '$DOMAIN $BASE_URL $SECRET $LESS_SECRET $API_KEY $SUPPORT_EMAIL' \
+    < "$CONFIG_PATH.template" \
+    > "$CONFIG_PATH"
 
 echo "starting pm2/enketo.."
 pm2 start --no-daemon app.js -n enketo
-