diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3458d35c..bec15267 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,64 @@ +## [14.0.0-beta.6](https://github.com/maevsi/stack/compare/14.0.0-beta.5...14.0.0-beta.6) (2025-05-15) + +### Bug Fixes + +* **deps:** update ghcr.io/maevsi/vibetype docker tag to v10.20.1 ([778cf65](https://github.com/maevsi/stack/commit/778cf651a68085e03e7a2c0850a29b16ff403037)) +* **deps:** update ghcr.io/maevsi/vibetype docker tag to v10.20.2 ([fb444d4](https://github.com/maevsi/stack/commit/fb444d430fe105650f7e3c1dbb368bf920a7820d)) +* **deps:** update ghcr.io/maevsi/vibetype to v10.21.0 ([737f1cd](https://github.com/maevsi/stack/commit/737f1cd67bf52e3f485275d4e04e5e38711db7a9)) + +## [14.0.0-beta.5](https://github.com/maevsi/stack/compare/14.0.0-beta.4...14.0.0-beta.5) (2025-05-13) + +### ⚠ BREAKING CHANGES + +* **postgres:** drop database and role creation entrypoint + +### Features + +* **postgres:** drop database and role creation entrypoint ([96c9d88](https://github.com/maevsi/stack/commit/96c9d885fd9080e40574ebfee9df60b849ce6128)) + +## [14.0.0-beta.4](https://github.com/maevsi/stack/compare/14.0.0-beta.3...14.0.0-beta.4) (2025-05-12) + +### Bug Fixes + +* revert "feat(vibetype): upgrade to v11.0.0-beta.1" ([c7fc2e0](https://github.com/maevsi/stack/commit/c7fc2e0c198a785b984dc67d804970801c719acd)) + +## [14.0.0-beta.3](https://github.com/maevsi/stack/compare/14.0.0-beta.2...14.0.0-beta.3) (2025-05-12) + +### ⚠ BREAKING CHANGES + +* **debezium-postgres-connector:** whitelist tables +* **tusd:** adapt new vibetype api for uploads + +### Features + +* **debezium-postgres-connector:** whitelist tables ([e31e93d](https://github.com/maevsi/stack/commit/e31e93db09c74a9c42ca06328257385c6836fd9a)) +* **tusd:** adapt new vibetype api for uploads ([2ac49d1](https://github.com/maevsi/stack/commit/2ac49d1be6704c115c7dc5d782dc10ca84b5ff5f)) +* **vibetype:** exclude internal api path from traefik routing ([bc90f8f](https://github.com/maevsi/stack/commit/bc90f8f9eedf95d5eb6dcd4ad362dbfd10f47a24)) + +## 
[14.0.0-beta.2](https://github.com/maevsi/stack/compare/14.0.0-beta.1...14.0.0-beta.2) (2025-05-12) + +### Features + +* **vibetype:** upgrade to v11.0.0-beta.1 ([601660a](https://github.com/maevsi/stack/commit/601660a4c9b52d829c938f5b9fb84b8df662f673)) + +### Bug Fixes + +* **deps:** update ghcr.io/maevsi/vibetype docker tag to v10.19.0 ([4a04e9e](https://github.com/maevsi/stack/commit/4a04e9e01d006777b06cb96a2d2c598d5730fc3a)) +* **reccoom:** disable routing for production ([97a949b](https://github.com/maevsi/stack/commit/97a949bcfbbd2a7a28f0e7d6ec937cb5d0637981)) +* **traefik:** specify router entrypoints ([eeab9f7](https://github.com/maevsi/stack/commit/eeab9f7320e141bd4eaacbc08a1927996920e77d)) +* **vibetype:** account for nuxt content's websocket ([96b63f4](https://github.com/maevsi/stack/commit/96b63f49a3fbeb7d151195e058d4e4ac3ae4f961)) +* **vibetype:** upgrade to v11.0.0-beta.2 ([2dba24a](https://github.com/maevsi/stack/commit/2dba24a3a1d4cd6e77cc7c3c78c57ab98ee9b4dd)) + +## [14.0.0-beta.1](https://github.com/maevsi/stack/compare/13.3.0...14.0.0-beta.1) (2025-05-08) + +### ⚠ BREAKING CHANGES + +* **vibetype-beta:** disable + +### Features + +* **vibetype-beta:** disable ([f46055e](https://github.com/maevsi/stack/commit/f46055e588a14c7750acd754b0a9326925d5d0da)) + ## [13.4.9](https://github.com/maevsi/stack/compare/13.4.8...13.4.9) (2025-05-14) ### Bug Fixes diff --git a/README.md b/README.md index 5d844ab3..df5cc270 100644 --- a/README.md +++ b/README.md @@ -250,10 +250,6 @@ This project is deployed in accordance to the [DargStack template](https://githu You can access the main project's frontend at [localhost](https://localhost/). - - ### `vibetype_beta` ![production](https://img.shields.io/badge/-production-informational.svg?style=flat-square) - - You can access the main project frontend's beta version at [beta.localhost](https://beta.localhost/). - ## volumes diff --git a/package.json b/package.json index 581be158..ce93116d 100644 --- a/package.json 
+++ b/package.json @@ -1,7 +1,7 @@ { "name": "@maevsi/stack", "private": true, - "version": "13.4.9", + "version": "14.0.0-beta.6", "description": "Dargstack configuration for Vibetype.", "repository": "https://github.com/maevsi/stack.git", "author": "Jonas Thelemann ", diff --git a/src/development/stack.yml b/src/development/stack.yml index b2585700..88842d2d 100644 --- a/src/development/stack.yml +++ b/src/development/stack.yml @@ -260,7 +260,7 @@ services: deploy: labels: - traefik.enable=true - - traefik.http.middlewares.postgraphile_auth.forwardauth.address=http://vibetype:3000/api/auth-proxy + - traefik.http.middlewares.postgraphile_auth.forwardauth.address=http://vibetype:3000/api/service/traefik/authentication - traefik.http.middlewares.postgraphile_auth.forwardauth.forwardBody=true - traefik.http.middlewares.postgraphile_cors.headers.accessControlAllowHeaders=authorization,baggage,content-type,sentry-trace,x-turnstile-key - traefik.http.middlewares.postgraphile_cors.headers.accessControlAllowOriginList=* @@ -292,7 +292,6 @@ services: # You can access the database via `adminer`. command: -c vibetype.jwt_expiry_duration='1 month' -c wal_level=logical environment: - POSTGRES_ADDITIONAL_DBS: grafana POSTGRES_DB_FILE: /run/secrets/postgres_db POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password POSTGRES_USER_FILE: /run/secrets/postgres_user @@ -302,8 +301,6 @@ services: secrets: - postgres_db - postgres_password - - postgres_role_service_grafana_password - - postgres_role_service_grafana_username - postgres_user # sysctls: # # Prevent Docker Swarm from killing connections (https://github.com/moby/moby/issues/31208) 
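Review bot: The new forwardauth address `http://vibetype:3000/api/service/traefik/authentication` on the `postgraphile_auth` middleware sits outside the `/api/internal` prefix that this same commit excludes from the `vibetype` routers, so the endpoint stays reachable through Traefik from outside as well as from the middleware. If the handler is meant to be called only by Traefik, placing it under `/api/internal` (as was done for the tusd hook) would keep it off the public routers. If it has to stay public, a comment such as `# forwardauth target for postgraphile; also reachable via the public vibetype routers` would record that decision. Whether public reachability matters depends on the handler, which is not visible here, and the enclosing `deploy.labels` list starts and ends outside the hunk.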
@@ -312,7 +309,6 @@ services: # - net.ipv4.tcp_keepalive_probes=10 volumes: - postgres_data:/var/lib/postgresql/data/ - - ../production/configurations/postgres/docker-entrypoint-initdb.d/additional-databases.sh:/docker-entrypoint-initdb.d/additional-databases.sh:ro prometheus: # You can access the metrics monitoring at [prometheus.localhost](https://prometheus.localhost/). deploy: @@ -388,6 +384,8 @@ services: # You cannot access the database migrations directly. image: maevsi/sqitch:dev secrets: + - postgres_role_service_grafana_password + - postgres_role_service_grafana_username - postgres_role_service_postgraphile_password - postgres_role_service_postgraphile_username - postgres_role_service_vibetype_password @@ -445,7 +443,7 @@ services: - ./configurations/traefik/dynamic.yml:/dynamic.yml:ro #DARGSTACK-REMOVE tusd: # You can access the upload service at [tusd.localhost](https://tusd.localhost/). - command: -behind-proxy --hooks-enabled-events pre-create,pre-finish,post-terminate --hooks-http http://vibetype:3000/api/tusd -max-size ${TUSD_MAX_SIZE} -s3-bucket ${TUSD_BUCKET} -s3-endpoint ${TUSD_ENDPOINT} + command: -behind-proxy --hooks-enabled-events pre-create,pre-finish,pre-terminate --hooks-http http://vibetype:3000/api/internal/service/tusd -max-size ${TUSD_MAX_SIZE} -s3-bucket ${TUSD_BUCKET} -s3-endpoint ${TUSD_ENDPOINT} deploy: labels: - traefik.enable=true 
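Review bot: Adding `postgres_role_service_grafana_password` and `postgres_role_service_grafana_username` to the `sqitch` service suggests that role creation has moved from the removed postgres init script into the migrations, and the two mechanisms run at different times. Init scripts only run on an empty data directory, while migrations also run against existing databases, where the `grafana` role and database presumably already exist, so the migration needs to be idempotent for them. The migration itself is outside this diff, so this is something to confirm rather than a confirmed defect. A short comment above the secrets list, e.g. `# sqitch creates the service roles, so it needs every role's credentials`, would also explain why the migration container holds credentials for services it does not otherwise talk to.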
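Review bot: Replacing `post-terminate` with `pre-terminate` in the `tusd` command turns the hook from a notification into a blocking call that runs before the object is removed, so the handler at `/api/internal/service/tusd` now decides whether a termination proceeds. If that handler deletes its own upload record at this point, a failed S3 delete afterwards would leave storage and database out of step; if the handler supports it, keeping the post hook as well (`pre-create,pre-finish,pre-terminate,post-terminate`) lets cleanup happen only after the deletion succeeded. The hook URL carries no credential in this command, so the handler appears to rely on network placement and the new Traefik exclusion alone. The handler is not part of this diff, so both points should be confirmed against it.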
@@ -476,15 +474,15 @@ services: - traefik.http.middlewares.vibetype_redirectregex.redirectregex.replacement=https://${STACK_DOMAIN}/$${2} - traefik.http.routers.vibetype.entryPoints=web - traefik.http.routers.vibetype.middlewares=redirectscheme #DARGSTACK-REMOVE - - traefik.http.routers.vibetype.rule=Host(`${STACK_DOMAIN}`) || Host(`www.${STACK_DOMAIN}`) + - traefik.http.routers.vibetype.rule=(Host(`${STACK_DOMAIN}`) || Host(`www.${STACK_DOMAIN}`)) && !PathPrefix(`/api/internal`) - traefik.http.routers.vibetype.service=vibetype #DARGSTACK-REMOVE - traefik.http.routers.vibetype_content_secure.entryPoints=nuxt-content-websocket #DARGSTACK-REMOVE - - traefik.http.routers.vibetype_content_secure.rule=Host(`${STACK_DOMAIN}`) || Host(`www.${STACK_DOMAIN}`) #DARGSTACK-REMOVE + - traefik.http.routers.vibetype_content_secure.rule=(Host(`${STACK_DOMAIN}`) || Host(`www.${STACK_DOMAIN}`)) && !PathPrefix(`/api/internal`) #DARGSTACK-REMOVE - traefik.http.routers.vibetype_content_secure.service=vibetype_content #DARGSTACK-REMOVE - traefik.http.routers.vibetype_content_secure.tls.options=mintls13@file #DARGSTACK-REMOVE - traefik.http.routers.vibetype_secure.entryPoints=web-secure - traefik.http.routers.vibetype_secure.middlewares=vibetype_cors,vibetype_redirectregex - - traefik.http.routers.vibetype_secure.rule=Host(`${STACK_DOMAIN}`) || Host(`www.${STACK_DOMAIN}`) + - traefik.http.routers.vibetype_secure.rule=(Host(`${STACK_DOMAIN}`) || Host(`www.${STACK_DOMAIN}`)) && !PathPrefix(`/api/internal`) - traefik.http.routers.vibetype_secure.service=vibetype #DARGSTACK-REMOVE - traefik.http.routers.vibetype_secure.tls.options=mintls13@file #DARGSTACK-REMOVE - traefik.http.services.vibetype.loadbalancer.server.port=3000 diff --git a/src/production/configurations/debezium-postgres-connector/entrypoint.sh b/src/production/configurations/debezium-postgres-connector/entrypoint.sh index f79af59c..5130d89f 100755 --- a/src/production/configurations/debezium-postgres-connector/entrypoint.sh 
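Review bot: The `/api/internal` exclusion added to the `vibetype`, `vibetype_content_secure` and `vibetype_secure` rules is the only access control for the internal API visible here, and it depends on Traefik and the Nuxt server agreeing on what counts as that path. A proxy-side prefix match compares the path as Traefik sees it, so any difference in how the application treats letter case, percent-encoding or repeated slashes needs to be ruled out, and every future router that targets the `vibetype` service has to repeat the clause. A check inside the internal handlers themselves, for example requiring a shared secret from the calling service, would make the boundary hold even if a rule is missed. The three rules would also benefit from a one-line comment such as `# /api/internal is service-to-service only and must never be routed from outside`. The label list starts and ends outside the hunk.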
+++ b/src/production/configurations/debezium-postgres-connector/entrypoint.sh @@ -33,10 +33,9 @@ elif [ "$HTTP_STATUS" -eq 404 ]; then "database.dbname": "'"$POSTGRES_DB"'", "database.hostname": "postgres", "database.password": "'"$POSTGRES_PASSWORD"'", - "database.port": "5432", - "database.server.name": "postgres", "database.user": "'"$POSTGRES_USER"'", "plugin.name": "pgoutput", + "table.include.list": "vibetype.upload,vibetype_private.notification", "topic.prefix" : "vibetype" } }' diff --git a/src/production/configurations/postgres/docker-entrypoint-initdb.d/PERMISSIONS.md b/src/production/configurations/postgres/docker-entrypoint-initdb.d/PERMISSIONS.md deleted file mode 100644 index 9dc91f46..00000000 --- a/src/production/configurations/postgres/docker-entrypoint-initdb.d/PERMISSIONS.md +++ /dev/null @@ -1 +0,0 @@ -Ensure this directory (!) and all files within it have permission 755. \ No newline at end of file diff --git a/src/production/configurations/postgres/docker-entrypoint-initdb.d/additional-databases.sh b/src/production/configurations/postgres/docker-entrypoint-initdb.d/additional-databases.sh deleted file mode 100755 index b4ca2e33..00000000 --- a/src/production/configurations/postgres/docker-entrypoint-initdb.d/additional-databases.sh +++ /dev/null 
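Review bot: The new `"table.include.list"` entry filters events inside the connector, but with `"plugin.name": "pgoutput"` the publication that Debezium creates by default covers all tables, so changes from every table are still sent over the replication connection. Adding `"publication.autocreate.mode": "filtered",` next to it limits the publication itself to `vibetype.upload` and `vibetype_private.notification`. The payload is only sent in the `elif [ "$HTTP_STATUS" -eq 404 ]` branch shown here, so connectors that are already registered would keep their old, unfiltered configuration unless the other branch, which is outside the hunk, updates them.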
@@ -1,41 +0,0 @@ -#!/bin/sh - -set -eu - -postgres_user="$(cat /run/secrets/postgres_user)" - -create_database_and_role() { - db_name="$1" - password_file="/run/secrets/postgres_role_service_${db_name}_password" - username_file="/run/secrets/postgres_role_service_${db_name}_username" - - if [ ! -f "$password_file" ]; then - echo "[WARN] Password file for '$db_name' not found, skipping creation" >&2 - return - fi - - if [ ! -f "$username_file" ]; then - echo "[WARN] Username file for '$db_name' not found, skipping creation" >&2 - return - fi - - db_password="$(tr -d '\n' < "$password_file")" - db_username="$(tr -d '\n' < "$username_file")" - - echo "[INFO] Creating user and database: '$db_name'" - - psql -v ON_ERROR_STOP=1 --username "$postgres_user" --dbname "postgres" <<-EOSQL - CREATE ROLE "$db_username" WITH LOGIN PASSWORD '$db_password'; - CREATE DATABASE "$db_name" OWNER "$db_username"; -EOSQL -} - -if [ -n "${POSTGRES_ADDITIONAL_DBS:-}" ]; then - echo "[INFO] Additional database creation requested: $POSTGRES_ADDITIONAL_DBS" - - for db in $POSTGRES_ADDITIONAL_DBS; do - create_database_and_role "$db" - done - - echo "[INFO] Multiple databases and roles created" -fi diff --git a/src/production/production.yml b/src/production/production.yml index fbebf9ce..aa39ee2d 100644 --- a/src/production/production.yml +++ b/src/production/production.yml @@ -82,7 +82,7 @@ services: image: ghcr.io/maevsi/reccoom:0.1.0 volumes: (( prune )) sqitch: - image: ghcr.io/maevsi/sqitch:7.0.1 + image: ghcr.io/maevsi/sqitch:8.0.0 volumes: (( prune )) traefik: command: 
@@ -128,50 +128,50 @@ services: - (( append )) - traefik.http.routers.vibetype.middlewares=vibetype_cors,vibetype_redirectregex - traefik.http.routers.vibetype_secure.tls.certresolver=default - image: ghcr.io/maevsi/vibetype:10.21.0 + image: ghcr.io/maevsi/vibetype:11.0.0 user: (( prune )) - vibetype_beta: - # You can access the main project frontend's beta version at [beta.localhost](https://beta.localhost/). - deploy: - labels: - - traefik.enable=true - - traefik.http.routers.vibetype_beta.entryPoints=web - - traefik.http.routers.vibetype_beta.middlewares=vibetype_cors,vibetype_redirectregex - - traefik.http.routers.vibetype_beta.rule=Host(`beta.${STACK_DOMAIN}`) - - traefik.http.routers.vibetype_beta_secure.entryPoints=web-secure - - traefik.http.routers.vibetype_beta_secure.middlewares=vibetype_cors,vibetype_redirectregex - - traefik.http.routers.vibetype_beta_secure.rule=Host(`beta.${STACK_DOMAIN}`) - - traefik.http.services.vibetype_beta.loadbalancer.server.port=3000 - - traefik.http.routers.vibetype_beta_secure.tls.certresolver=default - environment: - AWS_REGION: ${VIBETYPE_AWS_REGION} - NUXT_PUBLIC_GTAG_ID: ${VIBETYPE_NUXT_PUBLIC_GTAG_ID} - NUXT_PUBLIC_I18N_BASE_URL: https://${STACK_DOMAIN} - NUXT_PUBLIC_SITE_URL: https://${STACK_DOMAIN} - NUXT_PUBLIC_TURNSTILE_SITE_KEY: ${VIBETYPE_NUXT_PUBLIC_TURNSTILE_SITE_KEY} - NUXT_PUBLIC_VIBETYPE_EMAIL_LIMIT24H: ${VIBETYPE_NUXT_PUBLIC_VIBETYPE_EMAIL_LIMIT24H} - NUXT_PUBLIC_VIO_ENVIRONMENT: beta - PGHOST: ${VIBETYPE_PGHOST} - image: ghcr.io/maevsi/vibetype:10.21.0 - secrets: - - source: vibetype_api-notification-secret - target: /run/environment-variables/NUXT_PRIVATE_API_NOTIFICATION_SECRET - - source: vibetype_aws-credentials - target: /home/node/.aws/credentials # TODO: switch to user `node` - - source: vibetype_firebase-service-account-credentials - target: /run/environment-variables/FIREBASE_SERVICE_ACCOUNT_CREDENTIALS - - source: vibetype_openai-api-key - target: 
/run/environment-variables/NUXT_PRIVATE_OPENAI_API_KEY - - source: vibetype_turnstile-key - target: /run/environment-variables/NUXT_TURNSTILE_SECRET_KEY - - source: postgres_db - target: /run/environment-variables/PGDATABASE - - source: postgres_role_service_vibetype_password - target: /run/environment-variables/PGPASSWORD - - source: postgres_role_service_vibetype_username - target: /run/environment-variables/PGUSER - volumes: - - ./configurations/postgraphile/jwtRS256.key.pub:/run/environment-variables/NUXT_PUBLIC_VIO_AUTH_JWT_PUBLIC_KEY:ro + # vibetype_beta: + # # You can access the main project frontend's beta version at [beta.localhost](https://beta.localhost/). + # deploy: + # labels: + # - traefik.enable=true + # - traefik.http.routers.vibetype_beta.entryPoints=web + # - traefik.http.routers.vibetype_beta.middlewares=vibetype_cors,vibetype_redirectregex + # - traefik.http.routers.vibetype_beta.rule=Host(`beta.${STACK_DOMAIN}`) + # - traefik.http.routers.vibetype_beta_secure.entryPoints=web-secure + # - traefik.http.routers.vibetype_beta_secure.middlewares=vibetype_cors,vibetype_redirectregex + # - traefik.http.routers.vibetype_beta_secure.rule=Host(`beta.${STACK_DOMAIN}`) + # - traefik.http.services.vibetype_beta.loadbalancer.server.port=3000 + # - traefik.http.routers.vibetype_beta_secure.tls.certresolver=default + # environment: + # AWS_REGION: ${VIBETYPE_AWS_REGION} + # NUXT_PUBLIC_GTAG_ID: ${VIBETYPE_NUXT_PUBLIC_GTAG_ID} + # NUXT_PUBLIC_I18N_BASE_URL: https://${STACK_DOMAIN} + # NUXT_PUBLIC_SITE_URL: https://${STACK_DOMAIN} + # NUXT_PUBLIC_TURNSTILE_SITE_KEY: ${VIBETYPE_NUXT_PUBLIC_TURNSTILE_SITE_KEY} + # NUXT_PUBLIC_VIBETYPE_EMAIL_LIMIT24H: ${VIBETYPE_NUXT_PUBLIC_VIBETYPE_EMAIL_LIMIT24H} + # NUXT_PUBLIC_VIO_ENVIRONMENT: beta + # PGHOST: ${VIBETYPE_PGHOST} + # image: ghcr.io/maevsi/vibetype:11.0.0 + # secrets: + # - source: vibetype_api-notification-secret + # target: /run/environment-variables/NUXT_PRIVATE_API_NOTIFICATION_SECRET + # - source: 
vibetype_aws-credentials + # target: /home/node/.aws/credentials # TODO: switch to user `node` + # - source: vibetype_firebase-service-account-credentials + # target: /run/environment-variables/FIREBASE_SERVICE_ACCOUNT_CREDENTIALS + # - source: vibetype_openai-api-key + # target: /run/environment-variables/NUXT_PRIVATE_OPENAI_API_KEY + # - source: vibetype_turnstile-key + # target: /run/environment-variables/NUXT_TURNSTILE_SECRET_KEY + # - source: postgres_db + # target: /run/environment-variables/PGDATABASE + # - source: postgres_role_service_vibetype_password + # target: /run/environment-variables/PGPASSWORD + # - source: postgres_role_service_vibetype_username + # target: /run/environment-variables/PGUSER + # volumes: + # - ./configurations/postgraphile/jwtRS256.key.pub:/run/environment-variables/NUXT_PUBLIC_VIO_AUTH_JWT_PUBLIC_KEY:ro version: "3.7" volumes: acme_data:
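Review bot: The `vibetype_beta` service is commented out rather than removed, which leaves roughly forty lines of dead configuration that will drift from the live service. Its two router rules for `beta.${STACK_DOMAIN}` do not carry the `/api/internal` exclusion that this commit adds to the main `vibetype` routers in the development stack, so uncommenting the block later would route the internal API on the beta host. Deleting the block is the cleaner option, since the history preserves it. If it has to stay, a leading comment such as `# disabled since 14.0.0-beta.1; add the /api/internal exclusion to both rules before re-enabling` would carry the caveat.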