feat(maevsi)!: upgrade to v7

Several changes to environment variables are made alongside the update.

Author: dargmuesli

README.md

@@ -46,10 +46,18 @@ This project is deployed in accordance to the [DargStack template](https://githu
 
     The job scheduler's SMTP client configuration.
 
+ - ### `maevsi_api-notification-secret`
+    
+    The notification endpoint's secret.
+    
  - ### `maevsi_aws-credentials`
 
     The cloud computing provider's user credentials.
 
+ - ### `maevsi_openai-api-key`
+    
+    The AI provider's API key.
+    
  - ### `maevsi_turnstile-key`
 
     The captcha provider's application key.

src/development/secrets/maevsi/api-notification.secret

@@ -0,0 +1 @@
+maevsi

src/development/secrets/maevsi/api-notification.secret.template

@@ -0,0 +1 @@
+<string>

src/development/stack.env.template

@@ -1,11 +1,11 @@
-GTAG_ID=G-WMQ1JY99XH
+MAEVSI_AWS_REGION=eu-central-1
 MAEVSI_FIREBASE_SERVICE_ACCOUNT_CREDENTIALS=
-MAEVSI_NUXT_PRIVATE_API_NOTIFICATION_SECRET=
-MAEVSI_NUXT_PRIVATE_OPENAI_API_KEY=
+MAEVSI_NUXT_PUBLIC_GTAG_ID=G-WMQ1JY99XH
+MAEVSI_NUXT_PUBLIC_MAEVSI_EMAIL_LIMIT24H=100
+MAEVSI_NUXT_PUBLIC_TURNSTILE_SITE_KEY=1x00000000000000000000AA
+MAEVSI_PGHOST=postgres
 PNPM_STORE_DIR=
-S3_TUSD_BUCKET=maevsi-images
-S3_TUSD_ENDPOINT=http://minio:9000
-S3_TUSD_REGION=eu-central-1
-TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA
-TURNSTILE_SITE_KEY=1x00000000000000000000AA
+TUSD_BUCKET=maevsi-images
+TUSD_ENDPOINT=http://minio:9000
 TUSD_MAX_SIZE=1048576
+TUSD_REGION=eu-central-1

src/development/stack.yml

@@ -16,9 +16,15 @@ secrets:
   jobber_msmtprc:
     # The job scheduler's SMTP client configuration.
     file: ./secrets/jobber/msmtprc.secret
+  maevsi_api-notification-secret:
+    # The notification endpoint's secret.
+    file: ./secrets/maevsi/api-notification.secret
   maevsi_aws-credentials:
     # The cloud computing provider's user credentials.
     file: ./secrets/maevsi/aws-credentials.secret
+  maevsi_openai-api-key:
+    # The AI provider's API key.
+    file: ../production/secrets/maevsi/openai-api-key.secret
   maevsi_turnstile-key:
     # The captcha provider's application key.
     file: ./secrets/maevsi/turnstile-key.secret
@@ -184,31 +190,34 @@ services:
       CONSOLA_LEVEL: 4 # debug #DARGSTACK-REMOVE
       FIREBASE_SERVICE_ACCOUNT_CREDENTIALS: ${MAEVSI_FIREBASE_SERVICE_ACCOUNT_CREDENTIALS}
       NUXT_PRIVATE_API_NOTIFICATION_SECRET: ${MAEVSI_NUXT_PRIVATE_API_NOTIFICATION_SECRET}
-      NUXT_PRIVATE_OPENAI_API_KEY: ${MAEVSI_NUXT_PRIVATE_OPENAI_API_KEY}
-      NUXT_PUBLIC_GTAG_ID: ${GTAG_ID}
+      NUXT_PUBLIC_GTAG_ID: ${MAEVSI_NUXT_PUBLIC_GTAG_ID}
       NUXT_PUBLIC_I18N_BASE_URL: https://${STACK_DOMAIN}
-      NUXT_PUBLIC_MAEVSI_EMAIL_LIMIT24H: 15
+      NUXT_PUBLIC_MAEVSI_EMAIL_LIMIT24H: ${MAEVSI_NUXT_PUBLIC_MAEVSI_EMAIL_LIMIT24H}
       NUXT_PUBLIC_SITE_URL: https://${STACK_DOMAIN}
-      NUXT_PUBLIC_TURNSTILE_SITE_KEY: ${TURNSTILE_SITE_KEY}
-      NUXT_TURNSTILE_SECRET_KEY: ${TURNSTILE_SECRET_KEY} # TODO: move to file (https://github.com/nuxt-modules/turnstile/pull/298)
-      POSTGRAPHILE_JWT_PUBLIC_KEY_FILE: /run/config/postgraphile_jwt-public-key
-      POSTGRES_DB_FILE: /run/secrets/postgres_db
-      POSTGRES_ROLE_MAEVSI_TUSD_PASSWORD_FILE: /run/secrets/postgres_role_maevsi-tusd_password
-      POSTGRES_ROLE_MAEVSI_TUSD_USERNAME_FILE: /run/secrets/postgres_role_maevsi-tusd_username
+      NUXT_PUBLIC_TURNSTILE_SITE_KEY: ${MAEVSI_NUXT_PUBLIC_TURNSTILE_SITE_KEY}
+      PGHOST: ${MAEVSI_PGHOST}
     image: maevsi/maevsi:dev
     secrets:
+      - source: maevsi_api-notification-secret
+        target: /run/environment-variables/NUXT_PRIVATE_API_NOTIFICATION_SECRET
       - source: maevsi_aws-credentials
         target: /home/node/.aws/credentials # TODO: switch to user `node`
-      - maevsi_turnstile-key
-      - postgres_db
-      - postgres_role_maevsi-tusd_password
-      - postgres_role_maevsi-tusd_username
+      - source: maevsi_openai-api-key
+        target: /run/environment-variables/NUXT_PRIVATE_OPENAI_API_KEY
+      - source: maevsi_turnstile-key
+        target: /run/environment-variables/NUXT_TURNSTILE_SECRET_KEY
+      - source: postgres_db
+        target: /run/environment-variables/PGDATABASE
+      - source: postgres_role_maevsi-tusd_password
+        target: /run/environment-variables/PGPASSWORD
+      - source: postgres_role_maevsi-tusd_username
+        target: /run/environment-variables/PGUSER
     user: node:node # files created inside a docker container, like node_modules by pnpm, gain correct permissions by setting the user to `node`
     volumes:
       - ${PNPM_STORE_DIR}:/srv/.pnpm-store/ #DARGSTACK-REMOVE
       - ./certificates/:/srv/certificates/ #DARGSTACK-REMOVE
       - ../../../maevsi/:/srv/app/ #DARGSTACK-REMOVE
-      - ./configurations/postgraphile/jwtRS256.key.pub:/run/config/postgraphile_jwt-public-key:ro
+      - ./configurations/postgraphile/jwtRS256.key.pub:/run/environment-variables/NUXT_PUBLIC_VIO_AUTH_JWT_PUBLIC_KEY:ro
   minio: #DARGSTACK-REMOVE
     # You can access the s3 console at [minio.localhost](https://minio.localhost/).
     # You can access the s3 api service at [s3.localhost](https://s3.localhost/) if you want to access via cli from outside the stack.
@@ -436,7 +445,7 @@ services:
       - ./configurations/traefik/dynamic.yml:/dynamic.yml:ro #DARGSTACK-REMOVE
   tusd:
     # You can access the upload service at [tusd.localhost](https://tusd.localhost/).
-    command: -behind-proxy --hooks-enabled-events pre-create,pre-finish,post-terminate --hooks-http http://maevsi:3000/api/tusd -max-size ${TUSD_MAX_SIZE} -s3-bucket ${S3_TUSD_BUCKET} -s3-endpoint ${S3_TUSD_ENDPOINT}
+    command: -behind-proxy --hooks-enabled-events pre-create,pre-finish,post-terminate --hooks-http http://maevsi:3000/api/tusd -max-size ${TUSD_MAX_SIZE} -s3-bucket ${TUSD_BUCKET} -s3-endpoint ${TUSD_ENDPOINT}
     deploy:
       labels:
         - traefik.enable=true
@@ -448,7 +457,7 @@ services:
         - traefik.http.routers.tusd_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
         - traefik.http.services.tusd.loadbalancer.server.port=8080
     environment:
-      AWS_REGION: ${S3_TUSD_REGION}
+      AWS_REGION: ${TUSD_REGION}
     image: tusproject/tusd:v2.6.0
     secrets:
       - source: tusd_aws

src/production/production.yml

@@ -51,7 +51,7 @@ services:
         - (( append ))
         - traefik.http.routers.maevsi.middlewares=maevsi_cors,maevsi_redirectregex
         - traefik.http.routers.maevsi_secure.tls.certresolver=default
-    image: ghcr.io/maevsi/maevsi:6.6.0
+    image: ghcr.io/maevsi/maevsi:7.0.0
     user: (( prune ))
   maevsi_beta:
     # You can access the main project frontend's beta version at [beta.localhost](https://beta.localhost/).
@@ -67,26 +67,33 @@ services:
         - traefik.http.services.maevsi_beta.loadbalancer.server.port=3000
         - traefik.http.routers.maevsi_beta_secure.tls.certresolver=default
     environment:
+      AWS_REGION: ${MAEVSI_AWS_REGION}
       FIREBASE_SERVICE_ACCOUNT_CREDENTIALS: ${MAEVSI_FIREBASE_SERVICE_ACCOUNT_CREDENTIALS}
       NUXT_PRIVATE_API_NOTIFICATION_SECRET: ${MAEVSI_NUXT_PRIVATE_API_NOTIFICATION_SECRET}
-      NUXT_PRIVATE_OPENAI_API_KEY: ${MAEVSI_NUXT_PRIVATE_OPENAI_API_KEY}
-      NUXT_PUBLIC_GTAG_ID: ${GTAG_ID}
-      NUXT_PUBLIC_SITE_URL: https://beta.${STACK_DOMAIN}
-      NUXT_PUBLIC_TURNSTILE_SITE_KEY: ${TURNSTILE_SITE_KEY}
-      NUXT_PUBLIC_VIO_ENVIRONMENT: beta
-      NUXT_TURNSTILE_SECRET_KEY: ${TURNSTILE_SECRET_KEY}
-      POSTGRAPHILE_JWT_PUBLIC_KEY_FILE: /run/config/postgraphile_jwt-public-key
-      POSTGRES_DB_FILE: /run/secrets/postgres_db
-      POSTGRES_ROLE_MAEVSI_TUSD_PASSWORD_FILE: /run/secrets/postgres_role_maevsi-tusd_password
-      POSTGRES_ROLE_MAEVSI_TUSD_USERNAME_FILE: /run/secrets/postgres_role_maevsi-tusd_username
-    image: ghcr.io/maevsi/maevsi:6.6.0
+      NUXT_PUBLIC_GTAG_ID: ${MAEVSI_NUXT_PUBLIC_GTAG_ID}
+      NUXT_PUBLIC_I18N_BASE_URL: https://${STACK_DOMAIN}
+      NUXT_PUBLIC_MAEVSI_EMAIL_LIMIT24H: ${MAEVSI_NUXT_PUBLIC_MAEVSI_EMAIL_LIMIT24H}
+      NUXT_PUBLIC_SITE_URL: https://${STACK_DOMAIN}
+      NUXT_PUBLIC_TURNSTILE_SITE_KEY: ${MAEVSI_NUXT_PUBLIC_TURNSTILE_SITE_KEY}
+      PGHOST: ${MAEVSI_PGHOST}
+    image: ghcr.io/maevsi/maevsi:7.0.0
     secrets:
-      - maevsi_turnstile-key
-      - postgres_db
-      - postgres_role_maevsi-tusd_password
-      - postgres_role_maevsi-tusd_username
+      - source: maevsi_api-notification-secret
+        target: /run/environment-variables/NUXT_PRIVATE_API_NOTIFICATION_SECRET
+      - source: maevsi_aws-credentials
+        target: /home/node/.aws/credentials # TODO: switch to user `node`
+      - source: maevsi_openai-api-key
+        target: /run/environment-variables/NUXT_PRIVATE_OPENAI_API_KEY
+      - source: maevsi_turnstile-key
+        target: /run/environment-variables/NUXT_TURNSTILE_SECRET_KEY
+      - source: postgres_db
+        target: /run/environment-variables/PGDATABASE
+      - source: postgres_role_maevsi-tusd_password
+        target: /run/environment-variables/PGPASSWORD
+      - source: postgres_role_maevsi-tusd_username
+        target: /run/environment-variables/PGUSER
     volumes:
-      - ./configurations/postgraphile/jwtRS256.key.pub:/run/config/postgraphile_jwt-public-key:ro
+      - ./configurations/postgraphile/jwtRS256.key.pub:/run/environment-variables/NUXT_PUBLIC_VIO_AUTH_JWT_PUBLIC_KEY:ro
   # minio: (( prune )) # breaks renovate
   portainer:
     deploy:

src/production/secrets/maevsi/openai-api-key.secret.template

@@ -0,0 +1 @@
+sk-proj-<...>