Merge branch 'production' into main

Author: phildini

VERSION

@@ -1 +1 @@
-0.7.3
+0.7.4

bookwyrm/settings.py

@@ -293,9 +293,15 @@
 AUTH_PASSWORD_VALIDATORS = [
     {
         "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator",
+        'OPTIONS': {
+            'max_similarity': .9,
+        }
     },
     {
         "NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
+        'OPTIONS': {
+            'min_length': 16,
+        }
     },
     {
         "NAME": "django.contrib.auth.password_validation.CommonPasswordValidator",

bookwyrm/views/landing/password.py

@@ -75,6 +75,7 @@ def post(self, request, code):
             return TemplateResponse(request, "landing/password_reset.html", data)
 
         new_password = form.cleaned_data["password"]
+        # deepcode ignore DjangoUnvalidatedPassword: cleaned_data validates the password; would be nice to move validation here eventually
         user.set_password(new_password)
         user.save(broadcast=False, update_fields=["password"])
         login(request, user)

bookwyrm/views/preferences/change_password.py

@@ -30,7 +30,8 @@ def post(self, request):
             data = {"form": form}
             return TemplateResponse(request, "preferences/change_password.html", data)
 
-        new_password = form.cleaned_data["password"]
+        new_password = form.cleaned_data["password"] 
+        # deepcode ignore DjangoUnvalidatedPassword: cleaned_data includes password validation; would be nice to move it here eventually
         request.user.set_password(new_password)
         request.user.save(broadcast=False, update_fields=["password"])
 

contrib/systemd/bookwyrm.service

@@ -6,7 +6,7 @@ After=network.target postgresql.service redis.service
 User=bookwyrm
 Group=bookwyrm
 WorkingDirectory=/opt/bookwyrm
-ExecStart=/opt/bookwyrm/venv/bin/gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:8000
+ExecStart=/opt/bookwyrm/venv/bin/gunicorn bookwyrm.wsgi:application --threads=8 --bind 0.0.0.0:8000
 StandardOutput=journal
 StandardError=inherit
 ProtectSystem=strict

docker-compose.yml

@@ -1,28 +1,54 @@
+version: '3'
+
+x-logging:
+  &default-logging
+  driver: "json-file"
+  options:
+    max-size: "150m"
+    max-file: "2"
+
 services:
   nginx:
     image: nginx:1.25.2
+    logging: *default-logging
     restart: unless-stopped
     ports:
-      - "1333:80"
+      - "80:80"
+      - "443:443"
     depends_on:
       - web
     networks:
       - main
     volumes:
       - ./nginx:/etc/nginx/conf.d
+      - ./certbot/conf:/etc/nginx/ssl
+      - ./certbot/data:/var/www/certbot
       - static_volume:/app/static
       - media_volume:/app/images
+  certbot:
+    image: certbot/certbot:latest
+    command: certonly --webroot --webroot-path=/var/www/certbot --email ${EMAIL} --agree-tos --no-eff-email -d ${DOMAIN} -d www.${DOMAIN}
+    #command: renew --webroot --webroot-path /var/www/certbot
+    logging: *default-logging
+    volumes:
+      - ./certbot/conf:/etc/letsencrypt
+      - ./certbot/logs:/var/log/letsencrypt
+      - ./certbot/data:/var/www/certbot
   db:
-    image: postgres:13
+    build: postgres-docker
     env_file: .env
+    entrypoint: /bookwyrm-entrypoint.sh
+    command: cron postgres
     volumes:
       - pgdata:/var/lib/postgresql/data
+      - backups:/backups
     networks:
       - main
   web:
     build: .
     env_file: .env
-    command: python manage.py runserver 0.0.0.0:8000
+    command: gunicorn bookwyrm.wsgi:application --threads=8 --bind 0.0.0.0:8000
+    logging: *default-logging
     volumes:
       - .:/app
       - static_volume:/app/static
@@ -39,6 +65,7 @@ services:
   redis_activity:
     image: redis:7.2.1
     command: redis-server --requirepass ${REDIS_ACTIVITY_PASSWORD} --appendonly yes --port ${REDIS_ACTIVITY_PORT}
+    logging: *default-logging
     volumes:
       - ./redis.conf:/etc/redis/redis.conf
       - redis_activity_data:/data
@@ -49,6 +76,7 @@ services:
   redis_broker:
     image: redis:7.2.1
     command: redis-server --requirepass ${REDIS_BROKER_PASSWORD} --appendonly yes --port ${REDIS_BROKER_PORT}
+    logging: *default-logging
     volumes:
       - ./redis.conf:/etc/redis/redis.conf
       - redis_broker_data:/data
@@ -62,6 +90,7 @@ services:
     networks:
       - main
     command: celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc
+    logging: *default-logging
     volumes:
       - .:/app
       - static_volume:/app/static
@@ -77,6 +106,7 @@ services:
     networks:
       - main
     command: celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
+    logging: *default-logging
     volumes:
       - .:/app
       - static_volume:/app/static
@@ -88,6 +118,7 @@ services:
   flower:
     build: .
     command: celery -A celerywyrm flower --basic_auth=${FLOWER_USER}:${FLOWER_PASSWORD} --url_prefix=flower
+    logging: *default-logging
     env_file: .env
     volumes:
       - .:/app
@@ -108,6 +139,7 @@ services:
       - tools
 volumes:
   pgdata:
+  backups:
   static_volume:
   media_volume:
   exports_volume:

postgres-docker/Dockerfile

@@ -0,0 +1,20 @@
+FROM postgres:13.0
+
+# crontab
+RUN mkdir /backups
+COPY ./backup.sh /usr/local/bin/bookwyrm-backup.sh
+COPY ./weed.sh /usr/local/bin/bookwyrm-weed.sh
+COPY ./cronfile /etc/cron.d/cronfile
+RUN apt-get update && apt-get -y --no-install-recommends install cron
+RUN chmod 0644 /etc/cron.d/cronfile
+RUN crontab /etc/cron.d/cronfile
+RUN touch /var/log/cron.log
+
+# The postgres image's entrypoint expects the docker command to only contain flags to
+# pass postgres. It runs the entrypoint twice, the second times as the postgres user.
+# We need to start the cron service the first time it runs, when it's still being run
+# as the root user. We're going to add a check that looks at the first argument and
+# if it's 'cron', starts the service and then removes that argument.
+RUN awk '$0 ~ /^\t_main "\$@"$/ { print "\tif [[ $1 == cron ]]; then\n\t\techo \"POSTGRES_DB=${POSTGRES_DB}\" > /backups/.env\n\t\techo \"POSTGRES_USER=${POSTGRES_USER}\" >> /backups/.env\n\t\tservice cron start\n\t\tshift\n\tfi" }{ print }' docker-entrypoint.sh > bookwyrm-entrypoint.sh
+RUN chown postgres /bookwyrm-entrypoint.sh
+RUN chmod u=rwx,go=r /bookwyrm-entrypoint.sh

postgres-docker/backup.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+source /backups/.env
+
+if [ -z "$POSTGRES_DB" ]; then
+    echo "Database not specified, defaulting to bookwyrm"
+fi
+if [ -z "$POSTGRES_USER" ]; then
+    echo "Database user not specified, defaulting to bookwyrm"
+fi
+BACKUP_DB=${POSTGRES_DB:-bookwyrm}
+BACKUP_USER=${POSTGRES_USER:-bookwyrm}
+filename=backup_${BACKUP_DB}_$(date +%F)
+pg_dump -U $BACKUP_USER $BACKUP_DB > /backups/$filename.sql

postgres-docker/cronfile

@@ -0,0 +1,5 @@
+0 0 * * * /usr/local/bin/bookwyrm-backup.sh
+# If uncommented, this script will weed the backups directory. It will keep the 14
+# most-recent backups, then one backup/week for the next four backups, then one
+# backup/month after that.
+# 0 5 * * * /usr/local/bin/bookwyrm-weed.sh -d 14 -w 4 -m -1 /backups

postgres-docker/tests/Dockerfile

@@ -0,0 +1,8 @@
+FROM postgres:latest
+
+RUN apt update && apt install -y shellcheck
+
+COPY ./tests/testing-entrypoint.sh /testing-entrypoint.sh
+RUN chmod u+rx,go=r /testing-entrypoint.sh
+COPY ./weed.sh /weed.sh
+RUN chmod u+rx,go=r /weed.sh

postgres-docker/tests/docker-compose.yaml

@@ -0,0 +1,9 @@
+version: "3"
+
+services:
+  weeding:
+    build:
+      # We need to build from the parent directory so we can access weed.sh
+      context: ..
+      dockerfile: ./tests/Dockerfile
+    entrypoint: /testing-entrypoint.sh