diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index f2fdf05e..06ffd845 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -1,10 +1,5 @@ name: Docker -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - on: push: branches: [gh-images] @@ -23,6 +18,7 @@ jobs: build_args: [""] flavor: [""] include: + # Build additional OIDC flavor for nginx (tags will be suffixed with -oidc) - image: nginx flavor: | latest=true @@ -52,7 +48,7 @@ jobs: with: images: ${{ env.REGISTRY_WITH_PATH }}/central-${{ matrix.image }} flavor: ${{ matrix.flavor }} - # generate Docker tags based on the following events/attributes + # Generate Docker tags based on the following events/attributes tags: | type=ref,event=branch type=semver,pattern={{version}} diff --git a/docker-compose.nobuild.yml b/docker-compose.nobuild.yml new file mode 100644 index 00000000..f1d25f3a --- /dev/null +++ b/docker-compose.nobuild.yml 
@@ -0,0 +1,143 @@
+version: "3"
+services:
+ postgres14:
+ build:
+ context: .
+ dockerfile: postgres14.dockerfile
+ volumes:
+ - postgres14:/var/lib/odk/postgresql/14
+ environment:
+ POSTGRES_USER: odk
+ POSTGRES_PASSWORD: odk
+ POSTGRES_DATABASE: odk
+ restart: always
+ postgres:
+ # This service upgrades from postgres 9.6 to 14.
+ # The legacy name must be maintained to allow access to the anonymous volume.
+ build:
+ context: .
+ dockerfile: postgres-upgrade.dockerfile
+ volumes:
+ - /var/lib/postgresql/data
+ - postgres14:/var/lib/postgresql/14
+ - ./files/postgres14/upgrade:/postgres14-upgrade
+ environment:
+ PGUSER: odk
+ POSTGRES_INITDB_ARGS: -U odk
+ POSTGRES_PASSWORD: odk
+ POSTGRES_DATABASE: odk
+ mail:
+ image: "ixdotai/smtp:v0.5.1"
+ volumes:
+ - ./files/mail/rsa.private:/etc/exim4/dkim.key.temp:ro
+ environment:
+ - MAILNAME=${DOMAIN}
+ - DKIM_KEY_PATH=/etc/exim4/dkim.key.temp
+ restart: always
+ service:
+ image: ghcr.io/caktus/central-service:latest
+ depends_on:
+ - secrets
+ - postgres14
+ - mail
+ - pyxform
+ - enketo
+ volumes:
+ - secrets:/etc/secrets
+ - /data/transfer:/data/transfer
+ - ./files/service/config.json.template:/usr/share/odk/config.json.template
+ environment:
+ - DOMAIN=${DOMAIN}
+ - SYSADMIN_EMAIL=${SYSADMIN_EMAIL}
+ - HTTPS_PORT=${HTTPS_PORT:-443}
+ - NODE_OPTIONS=${SERVICE_NODE_OPTIONS:-}
+ - DB_HOST=${DB_HOST:-postgres14}
+ - DB_USER=${DB_USER:-odk}
+ - DB_PASSWORD=${DB_PASSWORD:-odk}
+ - DB_NAME=${DB_NAME:-odk}
+ - DB_SSL=${DB_SSL:-null}
+ - EMAIL_FROM=${EMAIL_FROM:-no-reply@$DOMAIN}
+ - EMAIL_HOST=${EMAIL_HOST:-mail}
+ - EMAIL_PORT=${EMAIL_PORT:-25}
+ - EMAIL_SECURE=${EMAIL_SECURE:-false}
+ - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
+ - EMAIL_USER=${EMAIL_USER:-}
+ - EMAIL_PASSWORD=${EMAIL_PASSWORD:-}
+ - OIDC_ENABLED=${OIDC_ENABLED:-false}
+ - OIDC_ISSUER_URL=${OIDC_ISSUER_URL:-}
+ - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-}
+ - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-}
+ - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
+ - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
+ - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
+ command: [ "wait-for-it", "${DB_HOST:-postgres14}:5432", "--", "./start-odk.sh" ]
+ restart: always
+ logging:
+ driver: local
+ nginx:
+ image: ghcr.io/caktus/central-nginx:latest
+ depends_on:
+ - service
+ - enketo
+ environment:
+ - DOMAIN=${DOMAIN}
+ - CERTBOT_EMAIL=${SYSADMIN_EMAIL}
+ - SSL_TYPE=${SSL_TYPE:-letsencrypt}
+ - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
+ - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
+ - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
+ ports:
+ - "${HTTP_PORT:-80}:80"
+ - "${HTTPS_PORT:-443}:443"
+ healthcheck:
+ test: [ "CMD-SHELL", "nc -z localhost 80 || exit 1" ]
+ restart: always
+ logging:
+ driver: local
+ options:
+ max-file: "30"
+ pyxform:
+ image: 'ghcr.io/getodk/pyxform-http:v1.12.2'
+ restart: always
+ secrets:
+ image: ghcr.io/caktus/central-secrets:latest
+ volumes:
+ - secrets:/etc/secrets
+ command: './generate-secrets.sh'
+ enketo:
+ image: ghcr.io/caktus/central-enketo:latest
+ volumes:
+ - secrets:/etc/secrets
+ restart: always
+ depends_on:
+ - secrets
+ - enketo_redis_main
+ - enketo_redis_cache
+ environment:
+ - DOMAIN=${DOMAIN}
+ - SUPPORT_EMAIL=${SYSADMIN_EMAIL}
+ - HTTPS_PORT=${HTTPS_PORT:-443}
+ enketo_redis_main:
+ image: redis:7.2
+ volumes:
+ - ./files/enketo/redis-enketo-main.conf:/usr/local/etc/redis/redis.conf:ro
+ - enketo_redis_main:/data
+ command:
+ - redis-server
+ - /usr/local/etc/redis/redis.conf
+ restart: always
+ enketo_redis_cache:
+ image: redis:7.2
+ volumes:
+ - ./files/enketo/redis-enketo-cache.conf:/usr/local/etc/redis/redis.conf:ro
+ - enketo_redis_cache:/data
+ command:
+ - redis-server
+ - /usr/local/etc/redis/redis.conf
+ restart: always
+volumes:
+ secrets:
+ transfer:
+ postgres14:
+ enketo_redis_main:
+ enketo_redis_cache:
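Review bot: The four `ghcr.io/caktus/central-*` images (`service`, `nginx`, `secrets`, `enketo`) are referenced by the mutable `:latest` tag, so a deployment from this file runs whatever was pushed most recently, including the `secrets` container that runs `./generate-secrets.sh` against the shared `secrets` volume. The publish workflow in this commit already emits `type=semver` tags, so a release tag, ideally with a digest, could be used instead, e.g. `image: ghcr.io/caktus/central-service:<release-tag>@sha256:<digest>` (placeholders); `mail`, `pyxform` and redis are already pinned to versions. Since the workflow builds a separate `-oidc` nginx flavor, setting `OIDC_ENABLED=true` with this file would presumably still pull the plain `central-nginx:latest`, which deserves a comment next to the `nginx` image line. Separately, `postgres14` and `postgres` keep their `build:` blocks, so this "nobuild" file still needs the Dockerfiles in the checkout; a header comment such as `# Pulls prebuilt central-* images; the postgres services are still built locally` would make that clear.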
diff --git a/docker-compose.yml b/docker-compose.yml index fc0b49d1..2b176674 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -35,7 +35,9 @@ services: - DKIM_KEY_PATH=/etc/exim4/dkim.key.temp restart: always service: - image: ghcr.io/caktus/central-service:gh-images + build: + context: . + dockerfile: service.dockerfile depends_on: - secrets - postgres14 @@ -45,7 +47,6 @@ services: volumes: - secrets:/etc/secrets - /data/transfer:/data/transfer - - ./files/service/config.json.template:/usr/share/odk/config.json.template environment: - DOMAIN=${DOMAIN} - SYSADMIN_EMAIL=${SYSADMIN_EMAIL} @@ -75,7 +76,11 @@ services: logging: driver: local nginx: - image: ghcr.io/caktus/central-nginx:gh-images + build: + context: . + args: + - OIDC_ENABLED=${OIDC_ENABLED:-false} + dockerfile: nginx.dockerfile depends_on: - service - enketo @@ -100,14 +105,18 @@ services: image: 'ghcr.io/getodk/pyxform-http:v1.12.2' restart: always secrets: - image: ghcr.io/caktus/central-secrets:gh-images volumes: - secrets:/etc/secrets + build: + context: . + dockerfile: secrets.dockerfile command: './generate-secrets.sh' enketo: - image: ghcr.io/caktus/central-enketo:gh-images volumes: - secrets:/etc/secrets + build: + context: . + dockerfile: enketo.dockerfile restart: always depends_on: - secrets
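Review bot: In the `nginx` hunk (`@@ -75,7 +76,11 @@`), `OIDC_ENABLED` is now passed as a build arg, so its value is fixed when the image is built, while `service` reads the same variable at runtime (as its environment list in docker-compose.nobuild.yml shows). Changing the variable without rebuilding nginx would leave the proxy and the backend out of step on the authentication mode. A comment above `args:` would make this explicit, e.g. `# OIDC_ENABLED is baked into the image; rebuild nginx after changing it`. Build args are also recorded in image metadata, so this mechanism should stay limited to non-secret flags like this one and not be extended to values such as `OIDC_CLIENT_SECRET`.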