fix: [plausible] smpt server config + init first install

fix: [outline] remove default OIDC_DISPLAY_NAME
new: [plausible] add charm
2025-09-16 10:14:34 +02:00 · 2025-08-18 12:25:18 +02:00 · 2025-05-27 15:47:29 +02:00 · 2025-05-07 10:59:08 +02:00 · 2024-12-05 17:57:43 +01:00 · 2024-11-26 16:16:39 +01:00
22 changed files with 619 additions and 1 deletions
--- a/clickhouse/README.org
+++ b/clickhouse/README.org
@@ -0,0 +1,7 @@
 # -*- ispell-local-dictionary: "english" -*-
 * Info
 This charm is provided to work with plausible charm
 * Usage
--- a/clickhouse/hooks/init
+++ b/clickhouse/hooks/init
@@ -0,0 +1,21 @@
 #!/bin/bash
 ## Init is run on host
 ## For now it is run every time the script is launched, but
 ## it should be launched only once after build.
 ## Accessible variables are:
 ## - SERVICE_NAME        Name of current service
 ## - DOCKER_BASE_IMAGE   Base image from which this service might be built if any
 ## - SERVICE_DATASTORE           Location on host of the DATASTORE of this service
 ## - SERVICE_CONFIGSTORE         Location on host of the CONFIGSTORE of this service
 set -e
 init-config-add "
 $SERVICE_NAME:
  environment:
    CLICKHOUSE_SKIP_USER_SETUP: 1
  healthcheck:
    test: [ \"CMD-SHELL\", \"wget --no-verbose --tries=1 -O - http://127.0.0.1:8123/ping || exit 1\" ]
 "
--- a/clickhouse/metadata.yml
+++ b/clickhouse/metadata.yml
@@ -0,0 +1,21 @@
 docker-image: docker.0k.io/clickhouse:24.12-alpine
 #docker-image: clickhouse/clickhouse-server:24.12-alpine
 data-resources:
  - /var/lib/clickhouse
  - /var/log/clickhouse-server
 charm-resources:
  - /etc/clickhouse-server/config.d/logs.xml
  - /etc/clickhouse-server/config.d/ipv4-only.xml
  - /etc/clickhouse-server/config.d/low-resources.xml
 provides:
  event-db:
 uses:
  log-rotate:
    constraint: recommended
    auto: pair
    solves:
      disk-leak: "/var/log/clickhouse-server"
--- a/clickhouse/resources/etc/clickhouse-server/config.d/ipv4-only.xml
+++ b/clickhouse/resources/etc/clickhouse-server/config.d/ipv4-only.xml
@@ -0,0 +1,3 @@
 <clickhouse>
    <listen_host>0.0.0.0</listen_host>
 </clickhouse>
--- a/clickhouse/resources/etc/clickhouse-server/config.d/logs.xml
+++ b/clickhouse/resources/etc/clickhouse-server/config.d/logs.xml
@@ -0,0 +1,28 @@
 <clickhouse>
    <logger>
        <level>warning</level>
        <console>true</console>
    </logger>
    <query_log replace="1">
        <database>system</database>
        <table>query_log</table>
        <flush_interval_milliseconds>7500</flush_interval_milliseconds>
        <engine>
            ENGINE = MergeTree
            PARTITION BY event_date
            ORDER BY (event_time)
            TTL event_date + interval 30 day
            SETTINGS ttl_only_drop_parts=1
        </engine>
    </query_log>
    <!-- Stops unnecessary logging -->
    <metric_log remove="remove" />
    <asynchronous_metric_log remove="remove" />
    <query_thread_log remove="remove" />
    <text_log remove="remove" />
    <trace_log remove="remove" />
    <session_log remove="remove" />
    <part_log remove="remove" />
 </clickhouse>
--- a/clickhouse/resources/etc/clickhouse-server/config.d/low-resources.xml
+++ b/clickhouse/resources/etc/clickhouse-server/config.d/low-resources.xml
@@ -0,0 +1,23 @@
 <!-- https://clickhouse.com/docs/en/operations/tips#using-less-than-16gb-of-ram -->
 <clickhouse>
    <!--
    https://clickhouse.com/docs/en/operations/server-configuration-parameters/settings#mark_cache_size -->
    <mark_cache_size>524288000</mark_cache_size>
    <profile>
        <default>
            <!-- https://clickhouse.com/docs/en/operations/settings/settings#max_threads -->
            <max_threads>1</max_threads>
            <!-- https://clickhouse.com/docs/en/operations/settings/settings#max_block_size -->
            <max_block_size>8192</max_block_size>
            <!-- https://clickhouse.com/docs/en/operations/settings/settings#max_download_threads -->
            <max_download_threads>1</max_download_threads>
            <!--
            https://clickhouse.com/docs/en/operations/settings/settings#input_format_parallel_parsing -->
            <input_format_parallel_parsing>0</input_format_parallel_parsing>
            <!--
            https://clickhouse.com/docs/en/operations/settings/settings#output_format_parallel_formatting -->
            <output_format_parallel_formatting>0</output_format_parallel_formatting>
        </default>
    </profile>
 </clickhouse>
--- a/n8n/hooks/web_proxy-relation-joined
+++ b/n8n/hooks/web_proxy-relation-joined
@@ -0,0 +1,17 @@
 #!/bin/bash
 set -e
 DOMAIN=$(relation-get domain) || { 
    echo "Failed to get domain"
    exit 1
 }
 config-add "\
 services:
  $MASTER_BASE_SERVICE_NAME:
    environment:
      N8N_HOST: \"${DOMAIN}\"
      WEBHOOK_URL: \"https:\/\/${DOMAIN}\"
 "
--- a/n8n/metadata.yml
+++ b/n8n/metadata.yml
@@ -1,4 +1,4 @@
-docker-image: docker.n8n.io/n8nio/n8n:1.23.0
+docker-image: docker.0k.io/n8n:1.45.1
 uses:
  postgres-database:
@@ -22,6 +22,15 @@ uses:
      proxy: "Public access"
    default-options:
      target: !var-expand ${MASTER_BASE_SERVICE_NAME}:5678
      apache-custom-rules:
        - !var-expand |
          ## Use RewriteEngine to handle WebSocket connection upgrades    
          RewriteEngine On
          RewriteCond %{HTTP:Upgrade} ^websocket$ [NC]
          RewriteCond %{HTTP:Connection} Upgrade [NC]
          RewriteRule /(.*)\$ ws://${MASTER_BASE_SERVICE_NAME}:5678/\$1 [P,L]
  backup:
    constraint: recommended
    auto: pair
--- a/outline/README.org
+++ b/outline/README.org
@@ -0,0 +1,94 @@
 # -*- ispell-local-dictionary: "english" -*-
 * Info 
 From: https://docs.getoutline.com/s/hosting/doc/docker-7pfeLP5a8t
 * Usage
 Config info: https://github.com/outline/outline/blob/main/.env.sample
 Odoo config: if you configure odoo OIDC connector, the callback url
             should be like this : https://<YOUR_OUTLINE>:443/auth/oidc.callback
 #Requires a =smtp-server= provider to be functional, you can use
 #=smtp-stub= charm to provide information to externally managed =SMTP=.
 #+begin_src yaml
 outline:
  options:
    sender-email: #the sender email (beware the conf of your SMTP server)
    oidc-client-id: #the client id of your OIDC provider
    oidc-client-secret: #the client
    oidc-auth-uri: #the host of your OIDC provider
    oidc-token-uri: #the token uri of your OIDC provider
    oidc-user-info-uri: #the user info uri of your OIDC provider
    oidc-logout-uri: #the login uri of your OIDC provider
 #smtp-stub:
 #  options:
 #    host: smtp.myhost.com
 #    port: 465
 #    connection-security: "ssl/tls"
 #    auth-method: password #IMPORTANT: if not present login password doesn’t work
 #    login: myuser
 #    password: myp4ssw0rd
 ##+end_src
 ** Odoo 14
 We monkey-patch odoo in order to make it work, be sure to use latest version in 14.0 of galicea openIDConnection module
 * Building a new image
 We use the official image with an added patch due to 2 bugs:
 - https://github.com/outline/outline/issues/6859
 - second was not reported yet
 Note that a PR was pushed with a fix on the first bug. But this was not yet tested.
 The fix are on 0.83.0
 ** Fix
 Upon calling "/oidc" url, outline will return "Set-Cookie" header 
 with a "domain:" value that is incorrect (still the inner docker 
 domain: "outline" instead of the outer proxy domain from the frontend.)
 Fortunately we can simply remove the value "domain" from the cookie by 
 commenting only 2 lines in ~build/server/utils/passport.js~.
 The patches will change the "build/" files, so this is a very temporary and brittle fix.
 #+begin_src bash
 IMAGE=docker.0k.io/outline:0.83.0-elabore
 echo 'apt update && apt install patch' | dupd -u "$IMAGE" -- -u 0
 cat <<'EOF1' | dupd -u "$IMAGE" -- -u 0
 patch -p 1 <<'EOF2'
 --- a/build/server/utils/passport.js.orig
 +++ b/build/server/utils/passport.js
@@ -37,7 +37,7 @@
       const state = buildState(host, token, client);
       ctx.cookies.set(this.key, state, {
         expires: (0, _dateFns.addMinutes)(new Date(), 10),
 -        domain: (0, _domains.getCookieDomain)(ctx.hostname, _env.default.isCloudHosted)
 +        //domain: (0, _domains.getCookieDomain)(ctx.hostname, _env.default.isCloudHosted)
       });
       callback(null, token);
     });
@@ -53,7 +53,7 @@
       // Destroy the one-time pad token and ensure it matches
       ctx.cookies.set(this.key, "", {
         expires: (0, _dateFns.subMinutes)(new Date(), 1),
 -        domain: (0, _domains.getCookieDomain)(ctx.hostname, _env.default.isCloudHosted)
 +        //domain: (0, _domains.getCookieDomain)(ctx.hostname, _env.default.isCloudHosted)
       });
       if (!token || token !== providedToken) {
         return callback((0, _errors.OAuthStateMismatchError)(), false, token);
 EOF2
 EOF1
 #+end_src
--- a/outline/hooks/init
+++ b/outline/hooks/init
@@ -0,0 +1,73 @@
 #!/bin/bash
 ## Init is run on host
 ## For now it is run every time the script is launched, but
 ## it should be launched only once after build.
 ## Accessible variables are:
 ## - SERVICE_NAME        Name of current service
 ## - DOCKER_BASE_IMAGE   Base image from which this service might be built if any
 ## - SERVICE_DATASTORE           Location on host of the DATASTORE of this service
 ## - SERVICE_CONFIGSTORE         Location on host of the CONFIGSTORE of this service
 set -e
 PASSWORD_FILE="$SERVICE_DATASTORE"/.compose/password/secret-key
 UTILS_SECRET="$SERVICE_DATASTORE"/.compose/password/utils-secret
 if ! [ -f "$UTILS_SECRET" ]; then
    info "Generating secret password"
    mkdir -p "${UTILS_SECRET%/*}"
    umask 077
    openssl rand -hex 32 > "$UTILS_SECRET"
 else
    info "Using existing utils-secret"
 fi
 if ! [ -f "$PASSWORD_FILE" ]; then
    info "Generating secret password"
    mkdir -p "${PASSWORD_FILE%/*}"
    umask 077
    openssl rand -hex 32 > "$PASSWORD_FILE"
 else
    info "Using existing secret password"
 fi
 secret_password=$(cat "$PASSWORD_FILE")
 utils_secret=$(cat "$UTILS_SECRET")
 sender=$(options-get sender-email) || exit 1
 oidc_client_id=$(options-get oidc-client-id) || exit 1
 oidc_client_secret=$(options-get oidc-client-secret) || exit 1
 oidc_auth_uri=$(options-get oidc-auth-uri) || exit 1
 oidc_token_uri=$(options-get oidc-token-uri) || exit 1
 oidc_user_info_uri=$(options-get oidc-user-info-uri) || exit 1
 oidc_logout_uri=$(options-get oidc-logout-uri) || exit 1
 init-config-add "
 $SERVICE_NAME:
  volumes:
    - $SERVICE_DATASTORE:/var/lib/outline/data
  environment:
    SMTP_FROM_EMAIL: \"$sender\"
    DEFAULT_LANGUAGE: \"fr_FR\"
    SECRET_KEY: \"$secret_password\"
    UTILS_SECRET: \"$utils_secret\"
    OIDC_CLIENT_ID: \"$oidc_client_id\"
    OIDC_CLIENT_SECRET: \"$oidc_client_secret\"
    OIDC_AUTH_URI: \"$oidc_auth_uri\"
    OIDC_TOKEN_URI: \"$oidc_token_uri\"
    OIDC_USERINFO_URI: \"$oidc_user_info_uri\"
    OIDC_LOGOUT_URI: \"$oidc_logout_uri\"
    OIDC_SCOPES: \"openid\"
    OIDC_USERNAME_CLAIM: \"preferred_username\"
    NODE_ENV: \"production\"
    LOG_LEVEL: \"debug\"
    FORCE_HTTPS: \"false\"
    FILE_STORAGE: \"local\"
    #DEVELOPMENT_UNSAFE_INLINE_CSP: \"true\"
    #DEBUG: \"http\"
 "
--- a/outline/hooks/postgres_database-relation-joined
+++ b/outline/hooks/postgres_database-relation-joined
@@ -0,0 +1,18 @@
 #!/bin/bash
 set -e
 PASSWORD="$(relation-get password)"
 USER="$(relation-get user)"
 DBNAME="$(relation-get dbname)"
 config-add "\
 services:
  $MASTER_BASE_SERVICE_NAME:
    environment:
      DATABASE_URL: postgres://$USER:$PASSWORD@$TARGET_SERVICE_NAME:5432/$DBNAME
      PGSSLMODE: disable
 "
 info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access."
--- a/outline/hooks/redis_database-relation-joined
+++ b/outline/hooks/redis_database-relation-joined
@@ -0,0 +1,25 @@
 #!/bin/bash
 set -e
 # USER="$(relation-get user)"
 # DBNAME="$(relation-get dbname)"
 # PASSWORD=$(relation-get password) || {
 #     err "Can't get password for '$SERVICE_NAME' from '$TARGET_SERVICE_NAME'."
 #     exit 1
 # }
 PASSWORD=$(relation-get password) || {
    err "Can't get password for '$SERVICE_NAME' from '$TARGET_SERVICE_NAME'."
    exit 1
 }
 config-add "\
 services:
  $MASTER_BASE_SERVICE_NAME:
    environment:
      REDIS_URL: redis://:$PASSWORD@$TARGET_SERVICE_NAME:6379
 "
 info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access."
--- a/outline/hooks/smtp_server-relation-joined
+++ b/outline/hooks/smtp_server-relation-joined
@@ -0,0 +1,21 @@
 #!/bin/bash
 set -e
 host=$(relation-get host) || exit 1
 port=$(relation-get port) || exit 1
 user=$(relation-get login) || exit 1
 password="$(relation-get password)" || exit 1
 config-add "\
 services:
  $MASTER_BASE_SERVICE_NAME:
    environment:
      SMTP_USERNAME: \"$user\"
      SMTP_PASSWORD: \"${password//\$/\$\$}\"
      SMTP_HOST: \"$host\"
      SMTP_PORT: \"$port\"
      SMTP_FROM_EMAIL: \"$user\"
 "
--- a/outline/hooks/web_proxy-relation-joined
+++ b/outline/hooks/web_proxy-relation-joined
@@ -0,0 +1,48 @@
 #!/bin/bash
 set -e
 URL=$(relation-get url) || { 
    echo "Failed to query for 'url' value"
    exit 1
 }
 DOMAIN_PATH="${URL#*://}"
 if [[ "$DOMAIN_PATH" == *"/"* ]]; then 
    DOMAIN="${DOMAIN_PATH%%/*}"
    UPATH="/${DOMAIN_PATH#*/}"
 else
    DOMAIN="${DOMAIN_PATH}"
    UPATH=""
 fi
 PROTO="${URL%:*}"
 if [[ "$DOMAIN" == *":"* ]]; then
    PORT="${DOMAIN#*:}"
    DOMAIN="${DOMAIN%%:*}"
 else
    case "$PROTO" in
    	http)
    		PORT=80
    		;;
    	https)
    		PORT=443
    		;;
    	*)
 		echo "Unknown portocol '$PROTO' in url '$URL'."
    		exit 1
    		;;
    esac
 fi
 config-add "\
 services:
  $MASTER_BASE_SERVICE_NAME:
    environment:
      URL: \"${PROTO}://${DOMAIN}:${PORT}${UPATH}\"
 "
--- a/outline/metadata.yml
+++ b/outline/metadata.yml
@@ -0,0 +1,49 @@
 docker-image: docker.0k.io/outline:0.83.0-elabore
 uses:
  postgres-database:
    #constraint: required | recommended | optional
    #auto: pair | summon | none ## default: pair
    constraint: required
    auto: summon
    solves:
      database: "main storage"
    default-options:
      extensions:
        - uuid-ossp
        - unaccent
        - pg_trm
  redis-database:
    constraint: required
    auto: summon
    solves:
      database: "short time storage"
  smtp-server:
    constraint: required
    auto: summon
    solves:
      proxy: "Public access"
  web-proxy:
    #constraint: required | recommended | optional
    #auto: pair | summon | none ## default: pair
    constraint: recommended
    auto: pair
    solves:
      proxy: "Public access"
    default-options:
      target: !var-expand ${MASTER_BASE_SERVICE_NAME}:3000
      apache-custom-rules:
        - !var-expand |
          ## Use RewriteEngine to handle WebSocket connection upgrades    
          RewriteEngine On
          RewriteCond %{HTTP:Connection} Upgrade [NC]
          RewriteCond %{HTTP:Upgrade} websocket [NC]
          RewriteRule /(.*)\$ ws://${MASTER_BASE_SERVICE_NAME}:3000/\$1  [P,L]
  backup:
    constraint: recommended
    auto: pair
    solves:
      backup: "Automatic regular backup"
    default-options:
--- a/plausible/README.org
+++ b/plausible/README.org
@@ -0,0 +1,7 @@
 # -*- ispell-local-dictionary: "english" -*-
 * Info 
 From: https://github.com/plausible/community-edition/
 * Usage
--- a/plausible/hooks/event_db-relation-joined
+++ b/plausible/hooks/event_db-relation-joined
@@ -0,0 +1,14 @@
 #!/bin/bash
 set -e
 config-add "\
 services:
  $MASTER_BASE_SERVICE_NAME:
    environment:
      CLICKHOUSE_DATABASE_URL: http://$TARGET_SERVICE_NAME:8123/$TARGET_SERVICE_NAME
 "
 info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access."
--- a/plausible/hooks/init
+++ b/plausible/hooks/init
@@ -0,0 +1,27 @@
 #!/bin/bash
 SECRET_KEY_BASE="$SERVICE_DATASTORE"/secret-key
 SHARE_DIR="$SERVICE_DATASTORE"/var/lib/plausible
 mkdir -p $SHARE_DIR
 uid=$(docker_get_uid "$SERVICE_NAME" "plausible")
 if ! [ -f "$SECRET_KEY_BASE" ]; then
    info "Generating secret key"
    mkdir -p "${SECRET_KEY_BASE%/*}"
    umask 077
    openssl rand -base64 64 > "$SECRET_KEY_BASE"
 else
    info "Using existing secret key"
 fi
 secret_key_base=$(cat "$SECRET_KEY_BASE")
 init-config-add "
 $SERVICE_NAME:
  environment:
    SECRET_KEY_BASE: \"$secret_key_base\"
 "
 chown -v "$uid" "$SHARE_DIR"
--- a/plausible/hooks/postgres_database-relation-joined
+++ b/plausible/hooks/postgres_database-relation-joined
@@ -0,0 +1,17 @@
 #!/bin/bash
 set -e
 PASSWORD="$(relation-get password)"
 USER="$(relation-get user)"
 DBNAME="$(relation-get dbname)"
 config-add "\
 services:
  $MASTER_BASE_SERVICE_NAME:
    environment:
      DATABASE_URL: postgres://$USER:$PASSWORD@$TARGET_SERVICE_NAME:5432/$DBNAME
 "
 info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access."
--- a/plausible/hooks/smtp_server-relation-joined
+++ b/plausible/hooks/smtp_server-relation-joined
@@ -0,0 +1,22 @@
 #!/bin/bash
 set -e
 host=$(relation-get host) || exit 1
 port=$(relation-get port) || exit 1
 user=$(relation-get login) || exit 1
 password="$(relation-get password)" || exit 1
 config-add "\
 services:
  $MASTER_BASE_SERVICE_NAME:
    environment:
      SMTP_USER_NAME: \"$user\"
      SMTP_USER_PWD: \"${password//\$/\$\$}\"
      SMTP_HOST_ADDR: \"$host\"
      SMTP_HOST_PORT: \"$port\"
      SMTP_HOST_SSL_ENABLE: \"true\"
      MAILER_EMAIL: \"$user\"
 "
--- a/plausible/hooks/web_proxy-relation-joined
+++ b/plausible/hooks/web_proxy-relation-joined
@@ -0,0 +1,16 @@
 #!/bin/bash
 set -e
 DOMAIN=$(relation-get domain) || {
    echo "Failed to get domain"
    exit 1
 }
 config-add "\
 services:
  $MASTER_BASE_SERVICE_NAME:
    environment:
      BASE_URL: \"https:\/\/${DOMAIN}\"
 "
--- a/plausible/metadata.yml
+++ b/plausible/metadata.yml
@@ -0,0 +1,58 @@
 docker-image:  docker.0k.io/plausible:3.0.1
 #docker-image:  ghcr.io/plausible/community-edition:v3.0.1
 data-resources:
  - /var/lib/plausible
 docker-compose:
  entrypoint: sh -c "/entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh run"
  #entrypoint: sh -c "/entrypoint.sh run"
 uses:
  event-db:
    #constraint: required | recommended | optional
    #auto: pair | summon | none ## default: pair
    constraint: required
    auto: summon
    solves:
      database: "event db"
  postgres-database:
    #constraint: required | recommended | optional
    #auto: pair | summon | none ## default: pair
    constraint: required
    auto: summon
    solves:
      database: "main storage"
    default-options:
      extensions:
        - citext
  smtp-server:
    constraint: required
    auto: summon
    solves:
      proxy: "Public access"
  web-proxy:
    #constraint: required | recommended | optional
    #auto: pair | summon | none ## default: pair
    constraint: recommended
    auto: pair
    solves:
      proxy: "Public access"
    default-options:
      target: !var-expand ${MASTER_BASE_SERVICE_NAME}:8000
      apache-custom-rules:
        - !var-expand |
          ProxyPreserveHost On
          #Set web sockets
          RewriteEngine On
          RewriteCond %{HTTP:Upgrade} =websocket [NC]
          RewriteCond %{HTTP:Connection} upgrade [NC]
          RewriteRule ^/(live/websocket)$ ws://${MASTER_BASE_SERVICE_NAME}:8000/\$1 [P,L]
  backup:
    constraint: recommended
    auto: pair
    solves:
      backup: "Automatic regular backup"
    default-options:
Author	SHA1	Message	Date
Boris Gallet	c5e45fa28b	fix: [plausible] smpt server config + init first install	2025-09-16 10:14:34 +02:00
Boris Gallet	79dd0a785a	fix: [outline] remove default OIDC_DISPLAY_NAME	2025-08-18 12:25:18 +02:00
default	49e2f398c5	new: [plausible] add charm	2025-05-27 15:47:29 +02:00
Boris Gallet	69002abb5c	chg: [outline] upd to 0.83.0	2025-05-07 10:59:08 +02:00
Boris Gallet	406e01a095	fix: [outline] fix smtp server config	2024-12-05 17:57:43 +01:00
default	f6fd85266f	chg: [outline] upd to 0.81.1	2024-11-26 16:16:39 +01:00
Boris Gallet	0fa527a98e	fix: [n8n] upd 1.45.1 and fix email invitation	2024-06-25 17:24:56 +02:00
default	02755e516c	new: [outline] add new charm	2024-06-04 09:44:47 +02:00