Move secret.exs inside docker volume

fetch http://nl.alpinelinux.org/alpine/latest-stable/community/x86_64/APKINDEX.tar.gz
    ERROR: http://nl.alpinelinux.org/alpine/latest-stable/community: UNTRUSTED signature
    WARNING: Ignoring http://nl.alpinelinux.org/alpine/latest-stable/community: No such file or directory

.dockerignore

@@ -7,5 +7,8 @@ COPYING
 elixir_buildpack.config
 test/
 
+uploads/
+postgres/
+
 # Required to get version
 !.git

Dockerfile

@@ -17,6 +17,9 @@ FROM alpine:3.11
 ARG BUILD_DATE
 ARG VCS_REF
 
+ARG UID=911
+ARG GID=911
+
 LABEL maintainer="ops@pleroma.social" \
     org.opencontainers.image.title="pleroma" \
     org.opencontainers.image.description="Pleroma for Docker" \
@@ -32,9 +35,9 @@ ARG HOME=/opt/pleroma
 ARG DATA=/var/lib/pleroma
 
 RUN echo "http://nl.alpinelinux.org/alpine/latest-stable/community" >> /etc/apk/repositories &&\
-	apk update &&\
+	apk update --allow-untrusted &&\
 	apk add exiftool ffmpeg imagemagick libmagic ncurses postgresql-client &&\
-	adduser --system --shell /bin/false --home ${HOME} pleroma &&\
+	adduser --system --shell /bin/false -u $UID -g $GID --home ${HOME} pleroma &&\
 	mkdir -p ${DATA}/uploads &&\
 	mkdir -p ${DATA}/static &&\
 	chown -R pleroma ${DATA} &&\
@@ -44,10 +47,10 @@ RUN echo "http://nl.alpinelinux.org/alpine/latest-stable/community" >> /etc/apk/
 USER pleroma
 
 COPY --from=build --chown=pleroma:0 /release ${HOME}
+ENV PATH="${HOME}/bin:${PATH}"
 
 COPY ./config/docker.exs /etc/pleroma/config.exs
-COPY ./docker-entrypoint.sh ${HOME}
 
 EXPOSE 4000
 
-ENTRYPOINT ["/opt/pleroma/docker-entrypoint.sh"]
+CMD ["pleroma", "start"]

config/docker.exs

@@ -15,7 +15,7 @@ config :pleroma, :instance,
 config :pleroma, Pleroma.Repo,
   adapter: Ecto.Adapters.Postgres,
   username: System.get_env("DB_USER", "pleroma"),
-  password: System.fetch_env!("DB_PASS"),
+  password: System.get_env("DB_PASS", nil),
   database: System.get_env("DB_NAME", "pleroma"),
   hostname: System.get_env("DB_HOST", "db"),
   pool_size: 10
@@ -26,9 +26,10 @@ config :web_push_encryption, :vapid_details, subject: "mailto:#{System.get_env("
 config :pleroma, :database, rum_enabled: false
 config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
 config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+config :pleroma, configurable_from_database: true
 
 # We can't store the secrets in this file, since this is baked into the docker image
-if not File.exists?("/var/lib/pleroma/secret.exs") do
+if not File.exists?("/var/lib/pleroma/config/secret.exs") do
   secret = :crypto.strong_rand_bytes(64) |> Base.encode64() |> binary_part(0, 64)
   signing_salt = :crypto.strong_rand_bytes(8) |> Base.encode64() |> binary_part(0, 8)
   {web_push_public_key, web_push_private_key} = :crypto.generate_key(:ecdh, :prime256v1)
@@ -52,10 +53,10 @@ if not File.exists?("/var/lib/pleroma/secret.exs") do
       web_push_private_key: Base.url_encode64(web_push_private_key, padding: false)
     )
 
-  File.write("/var/lib/pleroma/secret.exs", secret_file)
+  File.write("/var/lib/pleroma/config/secret.exs", secret_file)
 end
 
-import_config("/var/lib/pleroma/secret.exs")
+import_config("/var/lib/pleroma/config/secret.exs")
 
 # For additional user config
 if File.exists?("/var/lib/pleroma/config.exs"),

docker-compose.yml

@@ -0,0 +1,77 @@
+version: '3'
+services:
+
+  web:
+    build: .
+    image: pleroma/pleroma
+    restart: always
+#    env_file: .env.production
+    networks:
+      - external_network
+      - internal_network
+    healthcheck:
+      test: ["CMD", "curl", "-s", "-f", "--noproxy", "localhost:4000", "localhost:4000/health"]
+    ports:
+      - "127.0.0.1:4000:4000"
+    depends_on:
+      - db
+#      - es
+    volumes:
+      - ./uploads:/var/lib/pleroma/uploads
+      - ./config:/var/lib/pleroma/config
+
+  db:
+    restart: always
+    image: postgres:14-alpine
+#    shm_size: 256mb
+    networks:
+      - internal_network
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "postgres"]
+    volumes:
+      - ./postgres:/var/lib/postgresql/data
+    environment:
+      - "POSTGRES_HOST_AUTH_METHOD=trust"
+
+## https://coffee-and-dreams.uk/tutorials/2021/12/15/integrating-elasticsearch-with-pleroma.html
+## https://git.pleroma.social/pleroma/pleroma/-/issues/1331
+#  es:
+#    restart: always
+#    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+#    environment:
+#      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+#      - "cluster.name=es-pleroma"
+#      - "discovery.type=single-node"
+#      - "bootstrap.memory_lock=true"
+#    networks:
+#      - internal_network
+#    healthcheck:
+#      test: ["CMD", "curl", "-s", "-f", "localhost:9200/_cluster/health"]
+#    volumes:
+#      - ./elasticsearch:/usr/share/elasticsearch/data
+#    ulimits:
+#      memlock:
+#        soft: -1
+#        hard: -1
+
+## Uncomment to enable federation with tor instances along with adding the following ENV variables
+## http_proxy=http://privoxy:8118
+## ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
+#  tor:
+#    image: sirboops/tor
+#    networks:
+#      - external_network
+#      - internal_network
+#
+#  privoxy:
+#    image: sirboops/privoxy
+#    volumes:
+#      - ./priv-config:/opt/config
+#    networks:
+#      - external_network
+#      - internal_network
+
+networks:
+  external_network:
+  internal_network:
+    internal: true

docker-entrypoint.sh

@@ -1,14 +0,0 @@
-#!/bin/ash
-
-set -e
-
-echo "-- Waiting for database..."
-while ! pg_isready -U ${DB_USER:-pleroma} -d postgres://${DB_HOST:-db}:5432/${DB_NAME:-pleroma} -t 1; do
-    sleep 1s
-done
-
-echo "-- Running migrations..."
-$HOME/bin/pleroma_ctl migrate
-
-echo "-- Starting!"
-exec $HOME/bin/pleroma start