diff --git a/backend/src/app/setup/keys.clj b/backend/src/app/setup/keys.clj index 3ee5153e7..bdc5ce45e 100644 --- a/backend/src/app/setup/keys.clj +++ b/backend/src/app/setup/keys.clj @@ -11,7 +11,6 @@ [app.common.spec :as us] [buddy.core.kdf :as bk])) - (defn derive "Derive a key from secret-key" [secret-key & {:keys [salt size] :or {size 32}}] diff --git a/docker/images/Dockerfile.backend b/docker/images/Dockerfile.backend index d5c727d18..c34ec98c5 100644 --- a/docker/images/Dockerfile.backend +++ b/docker/images/Dockerfile.backend @@ -78,6 +78,8 @@ RUN set -ex; \ ; \ echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \ locale-gen; \ + mkdir -p /opt/penpot/assets; \ + chown -R penpot:penpot /opt/penpot; \ rm -rf /var/lib/apt/lists/*; COPY --chown=penpot:penpot ./bundle-backend/ /opt/penpot/backend/ diff --git a/docker/images/build.sh b/docker/images/build.sh index 7f4caf20d..6957c12e6 100755 --- a/docker/images/build.sh +++ b/docker/images/build.sh @@ -18,8 +18,6 @@ done if [ "$PENPOT_BUILD_PUSH" = "true" ]; then OPTIONS="--push $OPTIONS" -else - OPTIONS="--load $OPTIONS" fi docker buildx inspect penpot > /dev/null 2>&1; @@ -34,4 +32,4 @@ else fi unset IFS; -docker buildx build --platform ${PLATFORM// /,} $OPTIONS -f Dockerfile.$IMAGE .; +docker buildx build --platform ${PLATFORM// /,} $OPTIONS -f Dockerfile.$IMAGE "$@" .; diff --git a/docker/images/docker-compose.yaml b/docker/images/docker-compose.yaml index 15882f60c..2e224c720 100644 --- a/docker/images/docker-compose.yaml +++ b/docker/images/docker-compose.yaml @@ -11,9 +11,8 @@ volumes: # penpot_minio: services: - ## Traefik service declaration example. Consider using it if you are - ## going to expose penpot to the internet or different host than - ## `localhost`. + ## Traefik service declaration example. Consider using it if you are going to expose + ## penpot to the internet or different host than `localhost`. # traefik: # image: traefik:v2.9 
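Review bot: The added `chown -R penpot:penpot /opt/penpot` in the Dockerfile.backend hunk hands the service account ownership of the whole install prefix, while the only directory that needs it here is the one created on the line before; narrowing it to `chown penpot:penpot /opt/penpot/assets` keeps the code tree out of the service user's write set (the `COPY --chown` that follows already owns `backend/`). A build-time chown also only fixes ownership inside the image layer: a named volume that already exists, or a bind mount, keeps whatever ownership it had when mounted over `/opt/penpot/assets`, so a backend presumably running as `penpot` may still be unable to write there after the move from `/opt/data`. A comment such as `# ownership of a pre-existing volume or bind mount is not changed by this chown` next to the line would spare the next operator that surprise. The RUN command begins outside the hunk.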
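Review bot: Dropping the `else OPTIONS="--load $OPTIONS"` branch in the first build.sh hunk means a non-push build no longer asks buildx to import its result into the local image store, so unless the caller now supplies `--load` through the `"$@"` added in the second hunk, the image is likely to remain only in the builder's cache (with the docker-container driver at least). That new contract is not recorded anywhere in the script; a comment above the invocation, `# extra buildx flags (e.g. --load) are taken from the script arguments and forwarded after $OPTIONS`, would make it explicit. `$OPTIONS` is left unquoted intentionally for word splitting, but `Dockerfile.$IMAGE` would be safer written as `"Dockerfile.$IMAGE"`.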
@@ -41,7 +40,7 @@ services: - 9001:80 volumes: - - penpot_assets:/opt/data + - penpot_assets:/opt/penpot/assets depends_on: - penpot-backend @@ -53,16 +52,15 @@ services: labels: - "traefik.enable=true" - ## HTTP: example of labels for the case if you are going to - ## expose penpot to the internet using only HTTP (without HTTPS) - ## with traefik + ## HTTP: example of labels for the case if you are going to expose penpot to the + ## internet using only HTTP (without HTTPS) with traefik # - "traefik.http.routers.penpot-http.entrypoints=web" # - "traefik.http.routers.penpot-http.rule=Host(``)" # - "traefik.http.services.penpot-http.loadbalancer.server.port=80" - ## HTTPS: example of labels for the case if you are going to - ## expose penpot to the internet using with HTTPS using traefik + ## HTTPS: example of labels for the case if you are going to expose penpot to the + ## internet using with HTTPS using traefik # - "traefik.http.middlewares.http-redirect.redirectscheme.scheme=https" # - "traefik.http.middlewares.http-redirect.redirectscheme.permanent=true" 
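Review bot: The frontend mount `penpot_assets:/opt/penpot/assets` in this hunk is one of four places that must agree on the same path — the backend mount in the `-75` hunk, `PENPOT_STORAGE_ASSETS_FS_DIRECTORY=/opt/penpot/assets` in the `-111` hunk, and `alias /opt/penpot/assets;` in files/nginx.conf — because nginx serves the backend's `X-Accel-Redirect` targets from the shared volume. Nothing ties the four together, so a later edit to one of them would presumably surface only as 404s on asset downloads. A comment on this line, `## must match PENPOT_STORAGE_ASSETS_FS_DIRECTORY in the backend service and the alias in files/nginx.conf`, would document the coupling.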
@@ -75,32 +73,31 @@ services: # - "traefik.http.routers.penpot-https.tls=true" # - "traefik.http.routers.penpot-https.tls.certresolver=letsencrypt" - ## Configuration envronment variables for frontend the - ## container. In this case this container only needs the - ## `PENPOT_FLAGS`. This environment variable is shared with other - ## services but not all flags are relevant to all services. - ## - ## Relevant flags for frontend: - ## - demo-users - ## - login-with-github - ## - login-with-gitlab - ## - login-with-google - ## - login-with-ldap - ## - login-with-oidc - ## - login-with-password - ## - registration - ## - webhooks - ## - ## You can read more about all available flags on: - ## https://help.penpot.app/technical-guide/configuration/#advanced-configuration + ## Configuration envronment variables for frontend the container. In this case this + ## container only needs the `PENPOT_FLAGS`. This environment variable is shared with + ## other services but not all flags are relevant to all services. environment: + ## Relevant flags for frontend: + ## - demo-users + ## - login-with-github + ## - login-with-gitlab + ## - login-with-google + ## - login-with-ldap + ## - login-with-oidc + ## - login-with-password + ## - registration + ## - webhooks + ## + ## You can read more about all available flags on: + ## https://help.penpot.app/technical-guide/configuration/#advanced-configuration + - PENPOT_FLAGS=enable-registration enable-login-with-password penpot-backend: image: "penpotapp/backend:latest" volumes: - - penpot_assets:/opt/data + - penpot_assets:/opt/penpot/assets depends_on: - penpot-postgres 
@@ -111,58 +108,79 @@ services: ## Configuration envronment variables for backend the ## container. - ## - ## Relevant flags for backend: - ## - demo-users - ## - email-verification - ## - log-emails - ## - log-invitation-tokens - ## - login-with-github - ## - login-with-gitlab - ## - login-with-google - ## - login-with-ldap - ## - login-with-oidc - ## - login-with-password - ## - registration - ## - secure-session-cookies - ## - smtp - ## - smtp-debug - ## - telemetry - ## - webhooks - ## - ## You can read more about all available flags and other - ## environment variables for the backend here: - ## https://help.penpot.app/technical-guide/configuration/#advanced-configuration environment: - - PENPOT_FLAGS=enable-registration enable-login disable-email-verification enable-smtp - ## Public URI. If you are going to expose this instance to the - ## internet, or use it under different domain than 'localhost' - ## consider using traefik and set the - ## `disable-secure-session-cookies` if you are not going to - ## serve penpot under HTTPS. + ## Relevant flags for backend: + ## - demo-users + ## - email-verification + ## - log-emails + ## - log-invitation-tokens + ## - login-with-github + ## - login-with-gitlab + ## - login-with-google + ## - login-with-ldap + ## - login-with-oidc + ## - login-with-password + ## - registration + ## - secure-session-cookies + ## - smtp + ## - smtp-debug + ## - telemetry + ## - webhooks + ## - prepl-server + ## + ## You can read more about all available flags and other + ## environment variables for the backend here: + ## https://help.penpot.app/technical-guide/configuration/#advanced-configuration + + - PENPOT_FLAGS=enable-registration enable-login disable-email-verification enable-smtp enable-prepl-server + + ## Penpot SECRET KEY. It serves as a master key from which other keys for subsystems + ## (eg http sessions) are derived. + ## + ## Leave it comment if it is ok for you to have to login again after each backend + ## restart. 
+ ## + ## If you going to uncomment this, we recommend use here a trully randomly generated + ## 512 bits base64 encoded string. You can generate one with: + ## + ## python3 -c "import secrets; print(secrets.token_urlsafe(64))" + + # - PENPOT_SECRET_KEY=my-insecure-key + + ## The PREPL host. Mainly used for external programatic access to penpot backend + ## (example: admin). By default it listen on `localhost` but if you are going to use + ## the `admin`, you will need to uncomment this and set the host to `0.0.0.0`. + + # - PENPOT_PREPL_HOST=0.0.0.0 + + ## Public URI. If you are going to expose this instance to the internet and use it + ## under different domain than 'localhost', you will need to adjust it to the final + ## domain. + ## + ## Consider using traefik and set the 'disable-secure-session-cookies' if you are + ## not going to serve penpot under HTTPS. - PENPOT_PUBLIC_URI=http://localhost:9001 - ## Database connection parameters. Don't touch them unless you - ## are using custom postgresql connection parameters + ## Database connection parameters. Don't touch them unless you are using custom + ## postgresql connection parameters. - PENPOT_DATABASE_URI=postgresql://penpot-postgres/penpot - PENPOT_DATABASE_USERNAME=penpot - PENPOT_DATABASE_PASSWORD=penpot - ## Redis is used for the websockets notifications. Don't touch - ## unless the redis container has different parameters or - ## different name. + ## Redis is used for the websockets notifications. Don't touch unless the redis + ## container has different parameters or different name. - PENPOT_REDIS_URI=redis://penpot-redis/0 - ## Default configuration for assets storage: using filesystem - ## based with all files stored in a docker volume. + ## Default configuration for assets storage: using filesystem based with all files + ## stored in a docker volume. 
- PENPOT_ASSETS_STORAGE_BACKEND=assets-fs - - PENPOT_STORAGE_ASSETS_FS_DIRECTORY=/opt/data/assets + - PENPOT_STORAGE_ASSETS_FS_DIRECTORY=/opt/penpot/assets ## Also can be configured to to use a S3 compatible storage ## service like MiniIO. Look below for minio service setup. @@ -173,19 +191,18 @@ services: # - PENPOT_STORAGE_ASSETS_S3_ENDPOINT=http://penpot-minio:9000 # - PENPOT_STORAGE_ASSETS_S3_BUCKET= - ## Telemetry. When enabled, a periodical process will send - ## anonymous data about this instance. Telemetry data will - ## enable us to learn on how the application is used, based on - ## real scenarios. If you want to help us, please leave it - ## enabled. You can audit what data we send with the code - ## available on github + ## Telemetry. When enabled, a periodical process will send anonymous data about this + ## instance. Telemetry data will enable us to learn on how the application is used, + ## based on real scenarios. If you want to help us, please leave it enabled. You can + ## audit what data we send with the code available on github + - PENPOT_TELEMETRY_ENABLED=true - ## Example SMTP/Email configuration. By default, emails are sent - ## to the mailcatch service, but for production usage is - ## recommended to setup a real SMTP provider. Emails are used to - ## confirm user registrations & invitations. Look below how - ## mailcatch service is configured. + ## Example SMTP/Email configuration. By default, emails are sent to the mailcatch + ## service, but for production usage is recommended to setup a real SMTP + ## provider. Emails are used to confirm user registrations & invitations. Look below + ## how mailcatch service is configured. + - PENPOT_SMTP_DEFAULT_FROM=no-reply@example.com - PENPOT_SMTP_DEFAULT_REPLY_TO=no-reply@example.com - PENPOT_SMTP_HOST=penpot-mailcatch 
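Review bot: `enable-prepl-server` is now switched on in the example `PENPOT_FLAGS`, and the comment above `# - PENPOT_PREPL_HOST=0.0.0.0` tells operators to bind it to all interfaces without saying what that exposes: the prepl gives programmatic access to the running backend, so it must stay reachable only from containers on the compose network and never be published with a `ports:` mapping (the admin example later in this diff reaches it as `tcp://penpot-backend:6063/`, so 6063 is presumably that listener). I would add `## Never publish the prepl port with a ports: mapping; only other containers on the penpot network should be able to reach it.` under the `PENPOT_PREPL_HOST` comment. In the same block, the commented `PENPOT_SECRET_KEY=my-insecure-key` is the kind of placeholder that gets uncommented verbatim; a value like `<paste-the-output-of-the-command-above>` cannot be. The new comment text also has "trully", "Leave it comment" and "If you going", which should read "truly", "Leave it commented" and "If you are going".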
@@ -231,10 +248,9 @@ services: networks: - penpot - ## A mailcatch service, used as temporal SMTP server. You can access - ## via HTTP to the port 1080 for read all emails the penpot platform - ## has sent. Should be only used as a temporal solution meanwhile - ## you don't have a real SMTP provider configured. + ## A mailcatch service, used as temporal SMTP server. You can access via HTTP to the + ## port 1080 for read all emails the penpot platform has sent. Should be only used as a + ## temporal solution meanwhile you don't have a real SMTP provider configured. penpot-mailcatch: image: sj26/mailcatcher:latest 
@@ -244,9 +260,42 @@ services: ports: - "1080:1080" - ## Example configuration of MiniIO (S3 compatible object storage - ## service); If you don't have preference, then just use filesystem, - ## this is here just for the completeness. + ## An optional admin application for pentpot. It allows manage users, teams and inspect + ## some parts of the database. You can read more about it on: + ## https://github.com/penpot/penpot-admin + ## + ## If you are going to use admin, ensure to have `enable-prepl-server` in backend flags + ## and uncomment the `PENPOT_PREPL_HOST` environment variable. + ## + ## Status: EXPERIMENTAL + + # penpot-admin: + # image: "penpotapp/admin:latest" + # networks: + # - penpot + # + # depends_on: + # - penpot-postgres + # - penpot-backend + # + # environment: + # ## Adjust to the same value as on backend + # - PENPOT_PUBLIC_URI=http://localhost:9001 + # + # ## Do not touch it, this is an internal routes + # - PENPOT_API_URI=http://penpot-frontend/ + # - PENPOT_PREPL_URI=tcp://penpot-backend:6063/ + # - PENPOT_DEBUG="false" + # + # ## Adjust to the same values as on backend + # - PENPOT_DATABASE_HOST=penpot-postgres + # - PENPOT_DATABASE_NAME=penpot + # - PENPOT_DATABASE_USERNAME=penpot + # - PENPOT_DATABASE_PASSWORD=penpot + # - PENPOT_REDIS_URI=redis://penpot-redis/0 + + ## Example configuration of MiniIO (S3 compatible object storage service); If you don't + ## have preference, then just use filesystem, this is here just for the completeness. # minio: # image: "minio/minio:latest" diff --git a/docker/images/files/nginx.conf b/docker/images/files/nginx.conf index 2d2317135..cc089b770 100644 --- a/docker/images/files/nginx.conf +++ b/docker/images/files/nginx.conf @@ -90,11 +90,10 @@ http { location /internal/assets { internal; - alias /opt/data/assets; + alias /opt/penpot/assets; add_header x-internal-redirect "$upstream_http_x_accel_redirect"; } - location /api/export { proxy_pass http://penpot-exporter:6061; } 
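Review bot: `- PENPOT_DEBUG="false"` in the new penpot-admin example is a plain YAML scalar, so in the list form of `environment:` the quotes are not YAML syntax but part of the value — the container would presumably receive the seven characters `"false"`, which a boolean parser is unlikely to accept; `- PENPOT_DEBUG=false` is the form every other entry in the block uses. The example also hands the admin the database credentials and the backend prepl URI, so its header comment could state that the service must stay unpublished and be reached only through the nginx `/admin` route. "pentpot" and "this is an internal routes" in the same comment block should read "penpot" and "these are internal routes".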
@@ -104,7 +103,7 @@ http { } location /admin { - proxy_pass http://penpot-admin:6063/admin; + proxy_pass http://penpot-admin:6065/admin; } location /ws/notifications {
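Review bot: The port on `proxy_pass http://penpot-admin:6065/admin;` now differs from the `6063` that the compose admin example uses for `PENPOT_PREPL_URI`, and nothing on either side says which port belongs to which service; a comment such as `# 6065 is penpot-admin's HTTP port; 6063 is the backend prepl and must not be proxied here` would keep the two from being swapped back. Separately, a static upstream hostname in `proxy_pass` is resolved when nginx loads its configuration, so with the admin service commented out in docker-compose.yaml the frontend container would, I believe, refuse to start with "host not found in upstream" unless this block is templated or the name resolves anyway — this predates the change but is worth confirming while the line is being touched. The enclosing `http` block continues outside the hunk.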