From 5e10b304239eb2a0a6459ff826e3d76d3903b133 Mon Sep 17 00:00:00 2001
From: Jeremy Wall
Date: Sat, 21 Jan 2023 11:28:01 -0500
Subject: [PATCH] Add age and update some dependencies
---
 docker-compose.yaml | 283 ++++++++++++++++++++++++++++
 nix/darwin/darwin-configuration.nix | 4 +-
 nix/darwin/flake.lock | 85 +++++++--
 nix/darwin/flake.nix | 7 +-
 4 files changed, 362 insertions(+), 17 deletions(-)
 create mode 100644 docker-compose.yaml
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..975b08d
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,283 @@ +--- +version: "3.5" + +networks: + penpot: + +volumes: + penpot_postgres_v15: + penpot_assets: + # penpot_traefik: + # penpot_minio: + +services: + ## Traefik service declaration example. Consider using it if you are going to expose + ## penpot to the internet or different host than `localhost`. + + # traefik: + # image: traefik:v2.9 + # networks: + # - penpot + # command: + # - "--api.insecure=true" + # - "--entryPoints.web.address=:80" + # - "--providers.docker=true" + # - "--providers.docker.exposedbydefault=false" + # - "--entryPoints.websecure.address=:443" + # - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true" + # - "--certificatesresolvers.letsencrypt.acme.email=" + # - "--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json" + # volumes: + # - "penpot_traefik:/traefik" + # - "/var/run/docker.sock:/var/run/docker.sock" + # ports: + # - "80:80" + # - "443:443" + + penpot-frontend: + image: "penpotapp/frontend:latest" + ports: + - 9001:80 + + volumes: + - penpot_assets:/opt/data/assets + + depends_on: + - penpot-backend + - penpot-exporter + + networks: + - penpot + + labels: + - "traefik.enable=true" + + ## HTTP: example of labels for the case if you are going to expose penpot to the + ## internet using only HTTP (without HTTPS) with traefik + + # - "traefik.http.routers.penpot-http.entrypoints=web" + # - "traefik.http.routers.penpot-http.rule=Host(``)" + # - "traefik.http.services.penpot-http.loadbalancer.server.port=80" + + ## HTTPS: example of labels for the case if you are going to expose penpot to the + ## internet using with HTTPS using traefik + + # - "traefik.http.middlewares.http-redirect.redirectscheme.scheme=https" + # - "traefik.http.middlewares.http-redirect.redirectscheme.permanent=true" + # - "traefik.http.routers.penpot-http.entrypoints=web" + # - "traefik.http.routers.penpot-http.rule=Host(``)" + # - "traefik.http.routers.penpot-http.middlewares=http-redirect" + # - 
"traefik.http.routers.penpot-https.entrypoints=websecure" + # - "traefik.http.routers.penpot-https.rule=Host(``)" + # - "traefik.http.services.penpot-https.loadbalancer.server.port=80" + # - "traefik.http.routers.penpot-https.tls=true" + # - "traefik.http.routers.penpot-https.tls.certresolver=letsencrypt" + + ## Configuration envronment variables for frontend the container. In this case this + ## container only needs the `PENPOT_FLAGS`. This environment variable is shared with + ## other services but not all flags are relevant to all services. + + environment: + ## Relevant flags for frontend: + ## - demo-users + ## - login-with-github + ## - login-with-gitlab + ## - login-with-google + ## - login-with-ldap + ## - login-with-oidc + ## - login-with-password + ## - registration + ## - webhooks + ## + ## You can read more about all available flags on: + ## https://help.penpot.app/technical-guide/configuration/#advanced-configuration + + - PENPOT_FLAGS=enable-registration enable-login-with-password + + penpot-backend: + image: "penpotapp/backend:latest" + volumes: + - penpot_assets:/opt/penpot/assets + + depends_on: + - penpot-postgres + - penpot-redis + + networks: + - penpot + + ## Configuration envronment variables for backend the + ## container. 
+ + environment: + + ## Relevant flags for backend: + ## - demo-users + ## - email-verification + ## - log-emails + ## - log-invitation-tokens + ## - login-with-github + ## - login-with-gitlab + ## - login-with-google + ## - login-with-ldap + ## - login-with-oidc + ## - login-with-password + ## - registration + ## - secure-session-cookies + ## - smtp + ## - smtp-debug + ## - telemetry + ## - webhooks + ## - prepl-server + ## + ## You can read more about all available flags and other + ## environment variables for the backend here: + ## https://help.penpot.app/technical-guide/configuration/#advanced-configuration + + - PENPOT_FLAGS=enable-registration enable-login-with-password disable-email-verification enable-smtp enable-prepl-server + + ## Penpot SECRET KEY. It serves as a master key from which other keys for subsystems + ## (eg http sessions) are derived. + ## + ## Leave it comment if it is ok for you to have to login again after each backend + ## restart. + ## + ## If you going to uncomment this, we recommend use here a trully randomly generated + ## 512 bits base64 encoded string. You can generate one with: + ## + ## python3 -c "import secrets; print(secrets.token_urlsafe(64))" + + # - PENPOT_SECRET_KEY=my-insecure-key + + ## The PREPL host. Mainly used for external programatic access to penpot backend + ## (example: admin). By default it listen on `localhost` but if you are going to use + ## the `admin`, you will need to uncomment this and set the host to `0.0.0.0`. + + # - PENPOT_PREPL_HOST=0.0.0.0 + + ## Public URI. If you are going to expose this instance to the internet and use it + ## under different domain than 'localhost', you will need to adjust it to the final + ## domain. + ## + ## Consider using traefik and set the 'disable-secure-session-cookies' if you are + ## not going to serve penpot under HTTPS. + + - PENPOT_PUBLIC_URI=http://localhost:9001 + + ## Database connection parameters. 
Don't touch them unless you are using custom + ## postgresql connection parameters. + + - PENPOT_DATABASE_URI=postgresql://penpot-postgres/penpot + - PENPOT_DATABASE_USERNAME=penpot + - PENPOT_DATABASE_PASSWORD=penpot + + ## Redis is used for the websockets notifications. Don't touch unless the redis + ## container has different parameters or different name. + + - PENPOT_REDIS_URI=redis://penpot-redis/0 + + ## Default configuration for assets storage: using filesystem based with all files + ## stored in a docker volume. + + - PENPOT_ASSETS_STORAGE_BACKEND=assets-fs + - PENPOT_STORAGE_ASSETS_FS_DIRECTORY=/opt/data/assets + + ## Also can be configured to to use a S3 compatible storage + ## service like MiniIO. Look below for minio service setup. + + # - AWS_ACCESS_KEY_ID= + # - AWS_SECRET_ACCESS_KEY= + # - PENPOT_ASSETS_STORAGE_BACKEND=assets-s3 + # - PENPOT_STORAGE_ASSETS_S3_ENDPOINT=http://penpot-minio:9000 + # - PENPOT_STORAGE_ASSETS_S3_BUCKET= + + ## Telemetry. When enabled, a periodical process will send anonymous data about this + ## instance. Telemetry data will enable us to learn on how the application is used, + ## based on real scenarios. If you want to help us, please leave it enabled. You can + ## audit what data we send with the code available on github + + - PENPOT_TELEMETRY_ENABLED=true + + ## Example SMTP/Email configuration. By default, emails are sent to the mailcatch + ## service, but for production usage is recommended to setup a real SMTP + ## provider. Emails are used to confirm user registrations & invitations. Look below + ## how mailcatch service is configured. 
+ + - PENPOT_SMTP_DEFAULT_FROM=no-reply@example.com + - PENPOT_SMTP_DEFAULT_REPLY_TO=no-reply@example.com + - PENPOT_SMTP_HOST=penpot-mailcatch + - PENPOT_SMTP_PORT=1025 + - PENPOT_SMTP_USERNAME= + - PENPOT_SMTP_PASSWORD= + - PENPOT_SMTP_TLS=false + - PENPOT_SMTP_SSL=false + + penpot-exporter: + image: "penpotapp/exporter:latest" + networks: + - penpot + + environment: + # Don't touch it; this uses internal docker network to + # communicate with the frontend. + - PENPOT_PUBLIC_URI=http://penpot-frontend + + ## Redis is used for the websockets notifications. + - PENPOT_REDIS_URI=redis://penpot-redis/0 + + penpot-postgres: + image: "postgres:15" + restart: always + stop_signal: SIGINT + + volumes: + - penpot_postgres_v15:/var/lib/postgresql/data + + networks: + - penpot + + environment: + - POSTGRES_INITDB_ARGS=--data-checksums + - POSTGRES_DB=penpot + - POSTGRES_USER=penpot + - POSTGRES_PASSWORD=penpot + + penpot-redis: + image: redis:7 + restart: always + networks: + - penpot + + ## A mailcatch service, used as temporal SMTP server. You can access via HTTP to the + ## port 1080 for read all emails the penpot platform has sent. Should be only used as a + ## temporal solution meanwhile you don't have a real SMTP provider configured. + + penpot-mailcatch: + image: sj26/mailcatcher:latest + restart: always + expose: + - '1025' + ports: + - "1080:1080" + networks: + - penpot + + ## Example configuration of MiniIO (S3 compatible object storage service); If you don't + ## have preference, then just use filesystem, this is here just for the completeness. + + # minio: + # image: "minio/minio:latest" + # command: minio server /mnt/data --console-address ":9001" + # + # volumes: + # - "penpot_minio:/mnt/data" + # + # environment: + # - MINIO_ROOT_USER=minioadmin + # - MINIO_ROOT_PASSWORD=minioadmin + # + # ports: + # - 9000:9000 + # - 9001:9001 + + diff --git a/nix/darwin/darwin-configuration.nix b/nix/darwin/darwin-configuration.nix index 3b8e644..775631d 100644 
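Review bot: The backend and postgres services share a hard-coded credential (`PENPOT_DATABASE_PASSWORD=penpot` / `POSTGRES_PASSWORD=penpot`), and the published ports `9001:80` and `"1080:1080"` bind every interface, so with `enable-registration` in `PENPOT_FLAGS` and `PENPOT_SECRET_KEY` left commented out, anyone who can reach the host can create an account and can read every mail the instance sends (including invitation links) through the mailcatcher UI. If this is only meant for local use, restricting the publishes to loopback is a two-line change, `- 127.0.0.1:9001:80` and `- "127.0.0.1:1080:1080"`; otherwise the database password and secret key should be set deliberately before the stack is exposed. The `:latest` tag on all five images also means a later `docker compose pull` silently changes what runs; pinning to a version tag or digest keeps the deployment reproducible, in the spirit of the flake.lock changes in the same commit.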
--- a/nix/darwin/darwin-configuration.nix +++ b/nix/darwin/darwin-configuration.nix @@ -76,7 +76,7 @@ gnumake # TODO find a version of the julia package that will install # on darwin and add it as an overlay - python + python3 emacs git mercurial @@ -92,6 +92,7 @@ htop colima qemu + podman lima rlwrap docker-client @@ -108,6 +109,7 @@ inputs.runwhen inputs.durnitisp inputs.jj + inputs.age # TODO add sonic-pi here if it supports the arch ]; diff --git a/nix/darwin/flake.lock b/nix/darwin/flake.lock index 4b01ea3..66aa297 100644 --- a/nix/darwin/flake.lock +++ b/nix/darwin/flake.lock @@ -1,6 +1,47 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1682101079, + "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=", + "owner": "ryantm", + "repo": "agenix", + "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "darwin_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -134,7 +175,7 @@ }, "jj": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1671036685, @@ -152,7 +193,7 @@ }, "naersk": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1639947939, @@ -170,7 +211,7 @@ }, "naersk_2": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1650101877, 
@@ -187,6 +228,22 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1677676435, + "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1645937171, "narHash": "sha256-n9f9GZBNMe8UMhcgmmaXNObkH01jjgp7INMrUgBgcy4=", @@ -200,7 +257,7 @@ "type": "indirect" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1651634615, "narHash": "sha256-VtvcS61bLh5mIBm9cV3idUHdlfPRFus/NwdJfaj5s8o=", @@ -214,23 +271,22 @@ "type": "indirect" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { - "lastModified": 1669833724, - "narHash": "sha256-/HEZNyGbnQecrgJnfE8d0WC5c1xuPSD2LUpB6YXlg4c=", + "lastModified": 1680977908, + "narHash": "sha256-0Ehcgswo51+dx+QH5sZBqUOZh4JeTgrnxGTACSn8ZkA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4d2b37a84fad1091b9de401eb450aae66f1a741e", + "rev": "54731a8cea6d8b9d4fcb9ca7cbfc75ae1e07a171", "type": "github" }, "original": { "owner": "nixos", - "ref": "22.11", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1650109093, "narHash": "sha256-tqlnKrAdJktRLXTou9le0oTqrYBAFpGscV5RADdpArU=", @@ -244,7 +300,7 @@ "type": "indirect" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1650222748, "narHash": "sha256-AHh/goEfG5hlhIMVgGQwACbuv5Wit2ND9vrcB4QthJs=", @@ -261,10 +317,11 @@ }, "root": { "inputs": { - "darwin": "darwin", + "agenix": "agenix", + "darwin": "darwin_2", "durnitisp": "durnitisp", "jj": "jj", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "runwhen": "runwhen", "rust-overlay": "rust-overlay_2" } 
@@ -274,7 +331,7 @@ "flake-compat": "flake-compat_2", "flake-utils": "flake-utils_2", "naersk": "naersk_2", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "rust-overlay": "rust-overlay" }, "locked": { diff --git a/nix/darwin/flake.nix b/nix/darwin/flake.nix index 7a1895a..3fc98cf 100644 --- a/nix/darwin/flake.nix +++ b/nix/darwin/flake.nix @@ -2,11 +2,12 @@ inputs = { # TODO(jwall): Pinning this to a fixed version of lua on darwin for now. - nixpkgs.url = "github:nixos/nixpkgs?ref=22.11"; + nixpkgs.url = "github:nixos/nixpkgs"; darwin.url = "github:lnl7/nix-darwin"; darwin.inputs.nixpkgs.follows = "nixpkgs"; runwhen.url = "github:zaphar/runwhen?ref=v0.0.5"; durnitisp.url = "github:zaphar/durnitisp"; + agenix.url = "github:ryantm/agenix"; rust-overlay = { url = "github:oxalica/rust-overlay"; inputs.nixpkgs.follows = "nixpkgs"; @@ -14,7 +15,7 @@ jj.url = "github:martinvonz/jj"; }; - outputs = {self, nixpkgs, darwin, runwhen, durnitisp, rust-overlay, jj }: + outputs = {self, nixpkgs, darwin, runwhen, durnitisp, rust-overlay, jj, agenix }: let forSystem = (system: let @@ -24,6 +25,7 @@ inherit system; modules = [ ./darwin-configuration.nix + agenix.nixosModules.default ]; inputs = { runwhen = runwhen.defaultPackage."${system}"; @@ -32,6 +34,7 @@ #TODO(jwall): when the libtexpdf issue is fixed we can stop doing this sile = pkgs.sile.overrideAttrs(oldAttrs: { doCheck = false; meta.broken = false; }); jj = jj.defaultPackage."${system}"; + age = agenix.packages."${system}".default; }; }); in
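Review bot: `nixpkgs.url = "github:nixos/nixpkgs";` with no `ref` follows the repository's default branch, which the flake.lock hunk confirms by locking `nixpkgs_4` to a bare `rev` with no `ref`; that branch is not a Hydra-tested channel, so a later `nix flake update` can land on a commit whose darwin packages are broken or unbuilt. If the intent was to move off 22.11 to a rolling channel, `nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";` tracks the same channel that agenix's own nixpkgs input is locked to in flake.lock. The `# TODO(jwall): Pinning this to a fixed version of lua on darwin for now.` comment directly above is now stale since the pin it describes was removed; drop it or replace it with a line recording why the channel was switched.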
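Review bot: `agenix.nixosModules.default` is added to the module list of what appears to be a `darwinSystem` evaluation (the `modules = [` block and its enclosing call start outside the hunk). agenix also ships a `darwinModules.default` intended for nix-darwin, and I cannot tell from the hunk whether the NixOS module evaluates cleanly under nix-darwin's option tree at the locked revision, so either switch to `agenix.darwinModules.default` or add a comment explaining why the NixOS module is the right one here; a `darwin-rebuild build` before relying on any `age.secrets` entries would settle it.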
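Review bot: `age = agenix.packages."${system}".default;` binds the name `age` (consumed as `inputs.age` in darwin-configuration.nix) to agenix's default package, which to my knowledge is the `agenix` CLI wrapper rather than the `age` encryption tool itself; the wrapper brings its own age binary in through its runtime path, so a plain `age` executable does not necessarily end up on `PATH` by this route. If the standalone tool is what is wanted, `pkgs.age` from nixpkgs is the direct option; if the agenix CLI is what is meant, naming the input `agenix` would keep `darwin-configuration.nix` accurate about what it installs.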