fix: [plausible] smpt server config + init first install

clickhouse/README.org

@@ -0,0 +1,7 @@
+# -*- ispell-local-dictionary: "english" -*-
+
+* Info
+
+This charm is provided to work with plausible charm
+
+* Usage

clickhouse/hooks/init

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+## Init is run on host
+## For now it is run every time the script is launched, but
+## it should be launched only once after build.
+
+## Accessible variables are:
+## - SERVICE_NAME        Name of current service
+## - DOCKER_BASE_IMAGE   Base image from which this service might be built if any
+## - SERVICE_DATASTORE           Location on host of the DATASTORE of this service
+## - SERVICE_CONFIGSTORE         Location on host of the CONFIGSTORE of this service
+
+set -e
+
+init-config-add "
+$SERVICE_NAME:
+  environment:
+    CLICKHOUSE_SKIP_USER_SETUP: 1
+  healthcheck:
+    test: [ \"CMD-SHELL\", \"wget --no-verbose --tries=1 -O - http://127.0.0.1:8123/ping || exit 1\" ]
+"

clickhouse/metadata.yml

@@ -0,0 +1,21 @@
+docker-image: docker.0k.io/clickhouse:24.12-alpine
+#docker-image: clickhouse/clickhouse-server:24.12-alpine
+
+data-resources:
+  - /var/lib/clickhouse
+  - /var/log/clickhouse-server
+
+charm-resources:
+  - /etc/clickhouse-server/config.d/logs.xml
+  - /etc/clickhouse-server/config.d/ipv4-only.xml
+  - /etc/clickhouse-server/config.d/low-resources.xml
+
+provides:
+  event-db:
+
+uses:
+  log-rotate:
+    constraint: recommended
+    auto: pair
+    solves:
+      disk-leak: "/var/log/clickhouse-server"

clickhouse/resources/etc/clickhouse-server/config.d/ipv4-only.xml

@@ -0,0 +1,3 @@
+<clickhouse>
+    <listen_host>0.0.0.0</listen_host>
+</clickhouse>

clickhouse/resources/etc/clickhouse-server/config.d/logs.xml

@@ -0,0 +1,28 @@
+<clickhouse>
+    <logger>
+        <level>warning</level>
+        <console>true</console>
+    </logger>
+
+    <query_log replace="1">
+        <database>system</database>
+        <table>query_log</table>
+        <flush_interval_milliseconds>7500</flush_interval_milliseconds>
+        <engine>
+            ENGINE = MergeTree
+            PARTITION BY event_date
+            ORDER BY (event_time)
+            TTL event_date + interval 30 day
+            SETTINGS ttl_only_drop_parts=1
+        </engine>
+    </query_log>
+
+    <!-- Stops unnecessary logging -->
+    <metric_log remove="remove" />
+    <asynchronous_metric_log remove="remove" />
+    <query_thread_log remove="remove" />
+    <text_log remove="remove" />
+    <trace_log remove="remove" />
+    <session_log remove="remove" />
+    <part_log remove="remove" />
+</clickhouse>

clickhouse/resources/etc/clickhouse-server/config.d/low-resources.xml

@@ -0,0 +1,23 @@
+<!-- https://clickhouse.com/docs/en/operations/tips#using-less-than-16gb-of-ram -->
+<clickhouse>
+    <!--
+    https://clickhouse.com/docs/en/operations/server-configuration-parameters/settings#mark_cache_size -->
+    <mark_cache_size>524288000</mark_cache_size>
+
+    <profile>
+        <default>
+            <!-- https://clickhouse.com/docs/en/operations/settings/settings#max_threads -->
+            <max_threads>1</max_threads>
+            <!-- https://clickhouse.com/docs/en/operations/settings/settings#max_block_size -->
+            <max_block_size>8192</max_block_size>
+            <!-- https://clickhouse.com/docs/en/operations/settings/settings#max_download_threads -->
+            <max_download_threads>1</max_download_threads>
+            <!--
+            https://clickhouse.com/docs/en/operations/settings/settings#input_format_parallel_parsing -->
+            <input_format_parallel_parsing>0</input_format_parallel_parsing>
+            <!--
+            https://clickhouse.com/docs/en/operations/settings/settings#output_format_parallel_formatting -->
+            <output_format_parallel_formatting>0</output_format_parallel_formatting>
+        </default>
+    </profile>
+</clickhouse>

n8n/hooks/web_proxy-relation-joined

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+DOMAIN=$(relation-get domain) || { 
+    echo "Failed to get domain"
+    exit 1
+}
+
+config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    environment:
+      N8N_HOST: \"${DOMAIN}\"
+      WEBHOOK_URL: \"https:\/\/${DOMAIN}\"
+"
+

n8n/metadata.yml

@@ -1,4 +1,4 @@
-docker-image: docker.n8n.io/n8nio/n8n:1.23.0
+docker-image: docker.0k.io/n8n:1.45.1
 
 uses:
   postgres-database:
@@ -22,6 +22,15 @@ uses:
       proxy: "Public access"
     default-options:
       target: !var-expand ${MASTER_BASE_SERVICE_NAME}:5678
+      apache-custom-rules:
+        - !var-expand |
+          
+          ## Use RewriteEngine to handle WebSocket connection upgrades    
+          RewriteEngine On
+          RewriteCond %{HTTP:Upgrade} ^websocket$ [NC]
+          RewriteCond %{HTTP:Connection} Upgrade [NC]
+          RewriteRule /(.*)\$ ws://${MASTER_BASE_SERVICE_NAME}:5678/\$1 [P,L]
+
   backup:
     constraint: recommended
     auto: pair

outline/README.org

@@ -0,0 +1,94 @@
+# -*- ispell-local-dictionary: "english" -*-
+
+* Info 
+
+From: https://docs.getoutline.com/s/hosting/doc/docker-7pfeLP5a8t
+
+
+* Usage
+
+Config info: https://github.com/outline/outline/blob/main/.env.sample
+
+Odoo config: if you configure odoo OIDC connector, the callback url
+             should be like this : https://<YOUR_OUTLINE>:443/auth/oidc.callback
+
+
+#Requires a =smtp-server= provider to be functional, you can use
+#=smtp-stub= charm to provide information to externally managed =SMTP=.
+
+#+begin_src yaml
+outline:
+  options:
+    sender-email: #the sender email (beware the conf of your SMTP server)
+    oidc-client-id: #the client id of your OIDC provider
+    oidc-client-secret: #the client
+    oidc-auth-uri: #the host of your OIDC provider
+    oidc-token-uri: #the token uri of your OIDC provider
+    oidc-user-info-uri: #the user info uri of your OIDC provider
+    oidc-logout-uri: #the login uri of your OIDC provider
+
+#smtp-stub:
+#  options:
+#    host: smtp.myhost.com
+#    port: 465
+#    connection-security: "ssl/tls"
+#    auth-method: password #IMPORTANT: if not present login password doesn’t work
+#    login: myuser
+#    password: myp4ssw0rd
+##+end_src
+
+** Odoo 14
+
+We monkey-patch odoo in order to make it work, be sure to use latest version in 14.0 of galicea openIDConnection module
+
+* Building a new image
+
+We use the official image with an added patch due to 2 bugs:
+- https://github.com/outline/outline/issues/6859
+- second was not reported yet
+
+Note that a PR was pushed with a fix on the first bug. But this was not yet tested.
+
+The fix are on 0.83.0
+
+** Fix
+
+Upon calling "/oidc" url, outline will return "Set-Cookie" header 
+with a "domain:" value that is incorrect (still the inner docker 
+domain: "outline" instead of the outer proxy domain from the frontend.)
+
+Fortunately we can simply remove the value "domain" from the cookie by 
+commenting only 2 lines in ~build/server/utils/passport.js~.
+
+The patches will change the "build/" files, so this is a very temporary and brittle fix.
+
+
+#+begin_src bash
+IMAGE=docker.0k.io/outline:0.83.0-elabore
+
+echo 'apt update && apt install patch' | dupd -u "$IMAGE" -- -u 0
+cat <<'EOF1' | dupd -u "$IMAGE" -- -u 0
+patch -p 1 <<'EOF2'
+--- a/build/server/utils/passport.js.orig
++++ b/build/server/utils/passport.js
+@@ -37,7 +37,7 @@
+       const state = buildState(host, token, client);
+       ctx.cookies.set(this.key, state, {
+         expires: (0, _dateFns.addMinutes)(new Date(), 10),
+-        domain: (0, _domains.getCookieDomain)(ctx.hostname, _env.default.isCloudHosted)
++        //domain: (0, _domains.getCookieDomain)(ctx.hostname, _env.default.isCloudHosted)
+       });
+       callback(null, token);
+     });
+@@ -53,7 +53,7 @@
+       // Destroy the one-time pad token and ensure it matches
+       ctx.cookies.set(this.key, "", {
+         expires: (0, _dateFns.subMinutes)(new Date(), 1),
+-        domain: (0, _domains.getCookieDomain)(ctx.hostname, _env.default.isCloudHosted)
++        //domain: (0, _domains.getCookieDomain)(ctx.hostname, _env.default.isCloudHosted)
+       });
+       if (!token || token !== providedToken) {
+         return callback((0, _errors.OAuthStateMismatchError)(), false, token);
+EOF2
+EOF1
+#+end_src

outline/hooks/init

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+## Init is run on host
+## For now it is run every time the script is launched, but
+## it should be launched only once after build.
+
+## Accessible variables are:
+## - SERVICE_NAME        Name of current service
+## - DOCKER_BASE_IMAGE   Base image from which this service might be built if any
+## - SERVICE_DATASTORE           Location on host of the DATASTORE of this service
+## - SERVICE_CONFIGSTORE         Location on host of the CONFIGSTORE of this service
+
+
+set -e
+
+PASSWORD_FILE="$SERVICE_DATASTORE"/.compose/password/secret-key
+UTILS_SECRET="$SERVICE_DATASTORE"/.compose/password/utils-secret
+
+if ! [ -f "$UTILS_SECRET" ]; then
+    info "Generating secret password"
+    mkdir -p "${UTILS_SECRET%/*}"
+    umask 077
+    openssl rand -hex 32 > "$UTILS_SECRET"
+else
+    info "Using existing utils-secret"
+fi
+
+if ! [ -f "$PASSWORD_FILE" ]; then
+    info "Generating secret password"
+    mkdir -p "${PASSWORD_FILE%/*}"
+    umask 077
+    openssl rand -hex 32 > "$PASSWORD_FILE"
+else
+    info "Using existing secret password"
+fi
+
+secret_password=$(cat "$PASSWORD_FILE")
+utils_secret=$(cat "$UTILS_SECRET")
+
+sender=$(options-get sender-email) || exit 1
+oidc_client_id=$(options-get oidc-client-id) || exit 1
+oidc_client_secret=$(options-get oidc-client-secret) || exit 1
+oidc_auth_uri=$(options-get oidc-auth-uri) || exit 1
+oidc_token_uri=$(options-get oidc-token-uri) || exit 1
+oidc_user_info_uri=$(options-get oidc-user-info-uri) || exit 1
+oidc_logout_uri=$(options-get oidc-logout-uri) || exit 1
+
+init-config-add "
+$SERVICE_NAME:
+  volumes:
+    - $SERVICE_DATASTORE:/var/lib/outline/data
+  environment:
+    SMTP_FROM_EMAIL: \"$sender\"
+    DEFAULT_LANGUAGE: \"fr_FR\"
+    SECRET_KEY: \"$secret_password\"
+    UTILS_SECRET: \"$utils_secret\"
+    OIDC_CLIENT_ID: \"$oidc_client_id\"
+    OIDC_CLIENT_SECRET: \"$oidc_client_secret\"
+    OIDC_AUTH_URI: \"$oidc_auth_uri\"
+    OIDC_TOKEN_URI: \"$oidc_token_uri\"
+    OIDC_USERINFO_URI: \"$oidc_user_info_uri\"
+    OIDC_LOGOUT_URI: \"$oidc_logout_uri\"
+    OIDC_SCOPES: \"openid\"
+    OIDC_USERNAME_CLAIM: \"preferred_username\"
+    NODE_ENV: \"production\"
+    LOG_LEVEL: \"debug\"
+    FORCE_HTTPS: \"false\"
+    FILE_STORAGE: \"local\"
+    #DEVELOPMENT_UNSAFE_INLINE_CSP: \"true\"
+    #DEBUG: \"http\"
+"
+
+

outline/hooks/postgres_database-relation-joined

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+PASSWORD="$(relation-get password)"
+USER="$(relation-get user)"
+DBNAME="$(relation-get dbname)"
+
+
+config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    environment:
+      DATABASE_URL: postgres://$USER:$PASSWORD@$TARGET_SERVICE_NAME:5432/$DBNAME
+      PGSSLMODE: disable
+"
+
+info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access."

outline/hooks/redis_database-relation-joined

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+
+# USER="$(relation-get user)"
+# DBNAME="$(relation-get dbname)"
+# PASSWORD=$(relation-get password) || {
+#     err "Can't get password for '$SERVICE_NAME' from '$TARGET_SERVICE_NAME'."
+#     exit 1
+# }
+
+PASSWORD=$(relation-get password) || {
+    err "Can't get password for '$SERVICE_NAME' from '$TARGET_SERVICE_NAME'."
+    exit 1
+}
+
+config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    environment:
+      REDIS_URL: redis://:$PASSWORD@$TARGET_SERVICE_NAME:6379
+"
+
+info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access."

outline/hooks/smtp_server-relation-joined

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+host=$(relation-get host) || exit 1
+port=$(relation-get port) || exit 1
+user=$(relation-get login) || exit 1
+password="$(relation-get password)" || exit 1
+
+
+config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    environment:
+      SMTP_USERNAME: \"$user\"
+      SMTP_PASSWORD: \"${password//\$/\$\$}\"
+      SMTP_HOST: \"$host\"
+      SMTP_PORT: \"$port\"
+      SMTP_FROM_EMAIL: \"$user\"
+"
+

outline/hooks/web_proxy-relation-joined

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+URL=$(relation-get url) || { 
+    echo "Failed to query for 'url' value"
+    exit 1
+}
+DOMAIN_PATH="${URL#*://}"
+
+if [[ "$DOMAIN_PATH" == *"/"* ]]; then 
+    DOMAIN="${DOMAIN_PATH%%/*}"
+    UPATH="/${DOMAIN_PATH#*/}"
+else
+    DOMAIN="${DOMAIN_PATH}"
+    UPATH=""
+fi
+
+PROTO="${URL%:*}"
+if [[ "$DOMAIN" == *":"* ]]; then
+    PORT="${DOMAIN#*:}"
+    DOMAIN="${DOMAIN%%:*}"
+else
+
+    case "$PROTO" in
+    	http)
+    		PORT=80
+    		;;
+    	https)
+    		PORT=443
+    		;;
+    	*)
+		echo "Unknown portocol '$PROTO' in url '$URL'."
+    		exit 1
+    		;;
+    esac
+
+fi
+
+
+config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    environment:
+      URL: \"${PROTO}://${DOMAIN}:${PORT}${UPATH}\"
+
+"
+

outline/metadata.yml

@@ -0,0 +1,49 @@
+docker-image: docker.0k.io/outline:0.83.0-elabore
+
+uses:
+  postgres-database:
+    #constraint: required | recommended | optional
+    #auto: pair | summon | none ## default: pair
+    constraint: required
+    auto: summon
+    solves:
+      database: "main storage"
+    default-options:
+      extensions:
+        - uuid-ossp
+        - unaccent
+        - pg_trm
+  redis-database:
+    constraint: required
+    auto: summon
+    solves:
+      database: "short time storage"
+  smtp-server:
+    constraint: required
+    auto: summon
+    solves:
+      proxy: "Public access"
+  web-proxy:
+    #constraint: required | recommended | optional
+    #auto: pair | summon | none ## default: pair
+    constraint: recommended
+    auto: pair
+    solves:
+      proxy: "Public access"
+    default-options:
+      target: !var-expand ${MASTER_BASE_SERVICE_NAME}:3000
+      apache-custom-rules:
+        - !var-expand |
+          
+          ## Use RewriteEngine to handle WebSocket connection upgrades    
+          RewriteEngine On
+          RewriteCond %{HTTP:Connection} Upgrade [NC]
+          RewriteCond %{HTTP:Upgrade} websocket [NC]
+          RewriteRule /(.*)\$ ws://${MASTER_BASE_SERVICE_NAME}:3000/\$1  [P,L]
+ 
+  backup:
+    constraint: recommended
+    auto: pair
+    solves:
+      backup: "Automatic regular backup"
+    default-options:

plausible/README.org

@@ -0,0 +1,7 @@
+# -*- ispell-local-dictionary: "english" -*-
+
+* Info 
+
+From: https://github.com/plausible/community-edition/
+
+* Usage

plausible/hooks/event_db-relation-joined

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+
+
+config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    environment:
+      CLICKHOUSE_DATABASE_URL: http://$TARGET_SERVICE_NAME:8123/$TARGET_SERVICE_NAME
+"
+
+info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access."

plausible/hooks/init

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+SECRET_KEY_BASE="$SERVICE_DATASTORE"/secret-key
+
+SHARE_DIR="$SERVICE_DATASTORE"/var/lib/plausible
+mkdir -p $SHARE_DIR
+
+uid=$(docker_get_uid "$SERVICE_NAME" "plausible")
+
+if ! [ -f "$SECRET_KEY_BASE" ]; then
+    info "Generating secret key"
+    mkdir -p "${SECRET_KEY_BASE%/*}"
+    umask 077
+    openssl rand -base64 64 > "$SECRET_KEY_BASE"
+else
+    info "Using existing secret key"
+fi
+
+secret_key_base=$(cat "$SECRET_KEY_BASE")
+
+init-config-add "
+$SERVICE_NAME:
+  environment:
+    SECRET_KEY_BASE: \"$secret_key_base\"
+"
+
+chown -v "$uid" "$SHARE_DIR"

plausible/hooks/postgres_database-relation-joined

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+PASSWORD="$(relation-get password)"
+USER="$(relation-get user)"
+DBNAME="$(relation-get dbname)"
+
+
+config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    environment:
+      DATABASE_URL: postgres://$USER:$PASSWORD@$TARGET_SERVICE_NAME:5432/$DBNAME
+"
+
+info "Configured $SERVICE_NAME code for $TARGET_SERVICE_NAME access."

plausible/hooks/smtp_server-relation-joined

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+host=$(relation-get host) || exit 1
+port=$(relation-get port) || exit 1
+user=$(relation-get login) || exit 1
+password="$(relation-get password)" || exit 1
+
+
+config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    environment:
+      SMTP_USER_NAME: \"$user\"
+      SMTP_USER_PWD: \"${password//\$/\$\$}\"
+      SMTP_HOST_ADDR: \"$host\"
+      SMTP_HOST_PORT: \"$port\"
+      SMTP_HOST_SSL_ENABLE: \"true\"
+      MAILER_EMAIL: \"$user\"
+"
+

plausible/hooks/web_proxy-relation-joined

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+DOMAIN=$(relation-get domain) || {
+    echo "Failed to get domain"
+    exit 1
+}
+
+config-add "\
+services:
+  $MASTER_BASE_SERVICE_NAME:
+    environment:
+      BASE_URL: \"https:\/\/${DOMAIN}\"
+"
+

plausible/metadata.yml

@@ -0,0 +1,58 @@
+docker-image:  docker.0k.io/plausible:3.0.1
+#docker-image:  ghcr.io/plausible/community-edition:v3.0.1
+
+data-resources:
+  - /var/lib/plausible
+
+docker-compose:
+  entrypoint: sh -c "/entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh run"
+  #entrypoint: sh -c "/entrypoint.sh run"
+uses:
+  event-db:
+    #constraint: required | recommended | optional
+    #auto: pair | summon | none ## default: pair
+    constraint: required
+    auto: summon
+    solves:
+      database: "event db"
+  postgres-database:
+    #constraint: required | recommended | optional
+    #auto: pair | summon | none ## default: pair
+    constraint: required
+    auto: summon
+    solves:
+      database: "main storage"
+    default-options:
+      extensions:
+        - citext
+  smtp-server:
+    constraint: required
+    auto: summon
+    solves:
+      proxy: "Public access"
+  web-proxy:
+    #constraint: required | recommended | optional
+    #auto: pair | summon | none ## default: pair
+    constraint: recommended
+    auto: pair
+    solves:
+      proxy: "Public access"
+    default-options:
+      target: !var-expand ${MASTER_BASE_SERVICE_NAME}:8000
+      apache-custom-rules:
+        - !var-expand |
+          ProxyPreserveHost On
+        
+          #Set web sockets
+          RewriteEngine On
+          RewriteCond %{HTTP:Upgrade} =websocket [NC]
+          RewriteCond %{HTTP:Connection} upgrade [NC]
+          RewriteRule ^/(live/websocket)$ ws://${MASTER_BASE_SERVICE_NAME}:8000/\$1 [P,L]
+
+
+  backup:
+    constraint: recommended
+    auto: pair
+    solves:
+      backup: "Automatic regular backup"
+    default-options: