From d69c74e5376fc9192d7dc6fe436ae0546e51e03c Mon Sep 17 00:00:00 2001
From: beatz174-bit
Date: Tue, 14 Apr 2026 14:34:31 +1000
Subject: [PATCH] Add healthchecks for Gramps celery and valkey services

---
 DEPLOYMENT.md | 3 +-
 SECURITY_SECRETS_INVENTORY.md | 9 +--
 apps/gramps/docker-compose.yml | 137 ++++++++++++++++++++++-----------
 default-environment.env | 9 ++-
 secrets/.env.secrets.example | 9 +--
 5 files changed, 106 insertions(+), 61 deletions(-)

diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
index 7f2e1e0..f4b90d8 100644
--- a/DEPLOYMENT.md
+++ b/DEPLOYMENT.md
@@ -17,7 +17,6 @@ Create these Docker secret files (all ignored by git):
 - `secrets/nextcloud_smtp_password.txt`
 - `secrets/nextcloud_redis_password.txt`
 - `secrets/passbolt_db_password.txt`
-- `secrets/gramps_db_password.txt`
 - `secrets/influxdb_init_password.txt`
 - `secrets/prometheus_kuma_basic_auth_password.txt`
@@ -31,7 +30,7 @@ chmod 600 secrets/*.txt
 These values were previously hardcoded and must be rotated in upstream systems immediately:
-- Database credentials (Nextcloud, Passbolt, Gramps, InfluxDB).
+- Database credentials (Nextcloud, Passbolt, InfluxDB).
 - Nextcloud SMTP app password.
 - Authelia reset JWT secret, session secret, storage encryption key.
 - Traefik CrowdSec LAPI key.
diff --git a/SECURITY_SECRETS_INVENTORY.md b/SECURITY_SECRETS_INVENTORY.md
index 9d5d47e..39b1ccd 100644
--- a/SECURITY_SECRETS_INVENTORY.md
+++ b/SECURITY_SECRETS_INVENTORY.md
@@ -14,12 +14,9 @@ This inventory is aligned with `secrets/.env.secrets.example` and documents only
 | `PASSBOLT_DB_NAME` | `apps/passbolt/docker-compose.yml` | Passbolt database name. |
 | `PASSBOLT_DB_USER` | `apps/passbolt/docker-compose.yml` | Passbolt database username. |
 | `PASSBOLT_GPG_SERVER_KEY_FINGERPRINT` | `apps/passbolt/docker-compose.yml` | Passbolt server GPG key fingerprint. |
-| `GRAMPS_DB_NAME` | `apps/gramps/docker-compose.yml` | Gramps database name. |
-| `GRAMPS_DB_USER` | `apps/gramps/docker-compose.yml` | Gramps database username. |
-| `GRAMPS_DB_PASSWORD` | `apps/gramps/docker-compose.yml` | Gramps database password. |
-| `GRAMPS_INITIAL_ADMIN` | `apps/gramps/docker-compose.yml` | Gramps initial admin username/email (deployment-specific). |
-| `GRAMPS_INITIAL_ADMIN_PASSWORD` | `apps/gramps/docker-compose.yml` | Gramps initial admin password. |
-| `GRAMPS_DB_URI` | `apps/gramps/docker-compose.yml` | Derived connection string in the example file. |
+| `GRAMPSWEB_SECRET_KEY` | `apps/gramps/docker-compose.yml` | Secret key used by Gramps Web for session/security signing. |
+| `GRAMPSWEB_EMAIL_HOST_USER` | `apps/gramps/docker-compose.yml` | SMTP username for Gramps outbound email. |
+| `GRAMPSWEB_EMAIL_HOST_PASSWORD` | `apps/gramps/docker-compose.yml` | SMTP password for Gramps outbound email. |
 | `GOTIFY_DEFAULTUSER_NAME` | `monitoring/gotify/docker-compose.yml` | Gotify default username. |
 | `GOTIFY_DEFAULTUSER_PASS` | `monitoring/gotify/docker-compose.yml` | Gotify default user password. |
 | `INFLUXDB_INIT_USERNAME` | `monitoring/prometheus/docker-compose.yml` | InfluxDB initial username. |
diff --git a/apps/gramps/docker-compose.yml b/apps/gramps/docker-compose.yml
index 8064fac..409bed8 100644
--- a/apps/gramps/docker-compose.yml
+++ b/apps/gramps/docker-compose.yml
@@ -1,58 +1,47 @@ services: - gramps-db: - profiles: ["apps","all","gramps"] - image: postgres:13 - container_name: gramps-db - restart: always - env_file: - - ${SECRETS_ENV_FILE} - environment: - POSTGRES_USER: ${GRAMPS_DB_USER} - POSTGRES_PASSWORD_FILE: /run/secrets/gramps_db_password - POSTGRES_DB: ${GRAMPS_DB_NAME} - secrets: - - gramps_db_password - volumes: - - ${PROJECT_ROOT}/apps/gramps/db:/var/lib/postgresql - networks: - - gramps - healthcheck: - test: ["CMD-SHELL", "pg_isready -h gramps-db -p 5432 -U $$POSTGRES_USER -d $$POSTGRES_DB"] - interval: 10s - timeout: 5s - retries: 12 - start_period: 30s - grampsweb: profiles: ["apps","all","gramps"] image: ghcr.io/gramps-project/grampsweb:latest container_name: gramps-web depends_on: - - gramps-db + - gramps-redis + - grampsweb_celery restart: always env_file: - ${SECRETS_ENV_FILE} environment: - DB_URI: ${GRAMPS_DB_URI} - GRAMPSWEB_LOGLEVEL: ${GRAMPSWEB_LOGLEVEL} - # default admin user created on first run: - INITIAL_ADMIN: ${GRAMPS_INITIAL_ADMIN} - INITIAL_ADMIN_PASSWORD: ${GRAMPS_INITIAL_ADMIN_PASSWORD} - # optional: storage paths inside container - GRAMPSWEB_MEDIAPATH: ${GRAMPSWEB_MEDIAPATH} - GRAMPSWEB_TREE: "${GRAMPSWEB_TREE}" + TZ: ${TZ} + GRAMPSWEB_TREE: ${GRAMPSWEB_TREE} + GRAMPSWEB_BASE_URL: ${GRAMPSWEB_BASE_URL} + GRAMPSWEB_SECRET_KEY: ${GRAMPSWEB_SECRET_KEY} + GRAMPSWEB_REGISTRATION_DISABLED: ${GRAMPSWEB_REGISTRATION_DISABLED} + GRAMPSWEB_EMAIL_HOST: ${GRAMPSWEB_EMAIL_HOST} + GRAMPSWEB_EMAIL_PORT: ${GRAMPSWEB_EMAIL_PORT} + GRAMPSWEB_EMAIL_HOST_USER: ${GRAMPSWEB_EMAIL_HOST_USER} + GRAMPSWEB_EMAIL_HOST_PASSWORD: ${GRAMPSWEB_EMAIL_HOST_PASSWORD} + GRAMPSWEB_EMAIL_USE_SSL: ${GRAMPSWEB_EMAIL_USE_SSL} + GRAMPSWEB_EMAIL_USE_STARTTLS: ${GRAMPSWEB_EMAIL_USE_STARTTLS} + GRAMPSWEB_DEFAULT_FROM_EMAIL: ${GRAMPSWEB_DEFAULT_FROM_EMAIL} + GRAMPSWEB_CELERY_CONFIG__broker_url: redis://gramps-redis:6379/0 + GRAMPSWEB_CELERY_CONFIG__result_backend: redis://gramps-redis:6379/0 + GRAMPSWEB_RATELIMIT_STORAGE_URI: 
redis://gramps-redis:6379/1 volumes: - ${PROJECT_ROOT}/apps/gramps/data/users:/app/users - - ${PROJECT_ROOT}/apps/gramps/data/media:/app/media + - ${PROJECT_ROOT}/apps/gramps/data/index:/app/indexdir + - ${PROJECT_ROOT}/apps/gramps/data/thumbnail_cache:/app/thumbnail_cache - ${PROJECT_ROOT}/apps/gramps/data/cache:/app/cache + - ${PROJECT_ROOT}/apps/gramps/data/secret:/app/secret + - ${PROJECT_ROOT}/apps/gramps/data/db:/root/.gramps/grampsdb + - ${PROJECT_ROOT}/apps/gramps/data/media:/app/media + - ${PROJECT_ROOT}/apps/gramps/data/tmp:/tmp labels: - - "traefik.http.routers.gramps.rule=Host(`familytree.lan.ddnsgeek.com`)" - - "traefik.enable=true" - - "traefik.http.routers.gramps.entrypoints=websecure" - - "traefik.http.routers.gramps.tls.certresolver=myresolver" - - "io.portainer.accesscontrol.public" - - "traefik.http.services.gramps.loadbalancer.server.port=5000" - - "traefik.docker.network=core_traefik" + - "traefik.http.routers.gramps.rule=Host(`familytree.lan.ddnsgeek.com`)" + - "traefik.enable=true" + - "traefik.http.routers.gramps.entrypoints=websecure" + - "traefik.http.routers.gramps.tls.certresolver=myresolver" + - "io.portainer.accesscontrol.public" + - "traefik.http.services.gramps.loadbalancer.server.port=5000" + - "traefik.docker.network=core_traefik" networks: - traefik - gramps 
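Review bot: The `depends_on` for grampsweb stays in the short list form (`- gramps-redis`, `- grampsweb_celery`), so the healthchecks this commit adds never gate its start-up; compose only waits for those containers to be created, and the web process can come up before valkey is answering on 6379. Switching to the long form with `condition: service_healthy` for gramps-redis (and `service_started` for the worker, whose check is process-based) is what makes the new healthchecks order start-up. Separately, `GRAMPSWEB_SECRET_KEY` and `GRAMPSWEB_EMAIL_HOST_PASSWORD` are supplied through `env_file: ${SECRETS_ENV_FILE}` and then re-declared under `environment:` with `${...}` interpolation, which compose resolves from its own process environment rather than from the container's env_file; if those names live only in the secrets file, the `environment:` entries resolve to empty strings and take precedence over env_file, so this presumably relies on the secrets file also being passed as compose's `--env-file` — worth confirming. The grampsweb_celery service in the next hunk repeats the same pattern.

```yaml
  grampsweb:
    # … unchanged: profiles, image, container_name …
    depends_on:
      gramps-redis:
        condition: service_healthy
      grampsweb_celery:
        condition: service_started
    # … unchanged: restart, env_file, environment, volumes, labels, networks …
```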
@@ -65,9 +54,67 @@ services: retries: 6 start_period: 60s + grampsweb_celery: + profiles: ["apps","all","gramps"] + image: ghcr.io/gramps-project/grampsweb:latest + container_name: gramps-web-celery + command: celery -A gramps_webapi.celery worker --loglevel=INFO --concurrency=2 + depends_on: + - gramps-redis + restart: always + env_file: + - ${SECRETS_ENV_FILE} + environment: + TZ: ${TZ} + GRAMPSWEB_TREE: ${GRAMPSWEB_TREE} + GRAMPSWEB_BASE_URL: ${GRAMPSWEB_BASE_URL} + GRAMPSWEB_SECRET_KEY: ${GRAMPSWEB_SECRET_KEY} + GRAMPSWEB_REGISTRATION_DISABLED: ${GRAMPSWEB_REGISTRATION_DISABLED} + GRAMPSWEB_EMAIL_HOST: ${GRAMPSWEB_EMAIL_HOST} + GRAMPSWEB_EMAIL_PORT: ${GRAMPSWEB_EMAIL_PORT} + GRAMPSWEB_EMAIL_HOST_USER: ${GRAMPSWEB_EMAIL_HOST_USER} + GRAMPSWEB_EMAIL_HOST_PASSWORD: ${GRAMPSWEB_EMAIL_HOST_PASSWORD} + GRAMPSWEB_EMAIL_USE_SSL: ${GRAMPSWEB_EMAIL_USE_SSL} + GRAMPSWEB_EMAIL_USE_STARTTLS: ${GRAMPSWEB_EMAIL_USE_STARTTLS} + GRAMPSWEB_DEFAULT_FROM_EMAIL: ${GRAMPSWEB_DEFAULT_FROM_EMAIL} + GRAMPSWEB_CELERY_CONFIG__broker_url: redis://gramps-redis:6379/0 + GRAMPSWEB_CELERY_CONFIG__result_backend: redis://gramps-redis:6379/0 + GRAMPSWEB_RATELIMIT_STORAGE_URI: redis://gramps-redis:6379/1 + volumes: + - ${PROJECT_ROOT}/apps/gramps/data/users:/app/users + - ${PROJECT_ROOT}/apps/gramps/data/index:/app/indexdir + - ${PROJECT_ROOT}/apps/gramps/data/thumbnail_cache:/app/thumbnail_cache + - ${PROJECT_ROOT}/apps/gramps/data/cache:/app/cache + - ${PROJECT_ROOT}/apps/gramps/data/secret:/app/secret + - ${PROJECT_ROOT}/apps/gramps/data/db:/root/.gramps/grampsdb + - ${PROJECT_ROOT}/apps/gramps/data/media:/app/media + - ${PROJECT_ROOT}/apps/gramps/data/tmp:/tmp + networks: + - gramps + healthcheck: + test: + - CMD-SHELL + - pgrep -f "celery.*gramps_webapi.celery.*worker" >/dev/null + interval: 30s + timeout: 5s + retries: 6 + start_period: 60s + + gramps-redis: + profiles: ["apps","all","gramps"] + image: valkey/valkey:8-alpine + container_name: gramps-redis + restart: always + networks: + - 
gramps + healthcheck: + test: + - CMD-SHELL + - valkey-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG + interval: 10s + timeout: 5s + retries: 6 + start_period: 10s + networks: gramps: - -secrets: - gramps_db_password: - file: ${PROJECT_ROOT}/secrets/gramps_db_password.txt diff --git a/default-environment.env b/default-environment.env index 2deaee5..c267f49 100644 --- a/default-environment.env +++ b/default-environment.env @@ -39,9 +39,14 @@ PASSBOLT_APP_FULL_BASE_URL=https://passbolt.lan.ddnsgeek.com PASSBOLT_DATASOURCES_DEFAULT_HOST=passbolt-db # Gramps -GRAMPSWEB_LOGLEVEL=INFO -GRAMPSWEB_MEDIAPATH=/app/media GRAMPSWEB_TREE=main +GRAMPSWEB_BASE_URL=https://familytree.lan.ddnsgeek.com +GRAMPSWEB_REGISTRATION_DISABLED=true +GRAMPSWEB_EMAIL_HOST=smtp.gmail.com +GRAMPSWEB_EMAIL_PORT=587 +GRAMPSWEB_EMAIL_USE_SSL=false +GRAMPSWEB_EMAIL_USE_STARTTLS=true +GRAMPSWEB_DEFAULT_FROM_EMAIL=familytree@lan.ddnsgeek.com # Prometheus stack INFLUXDB_INIT_MODE=setup diff --git a/secrets/.env.secrets.example b/secrets/.env.secrets.example index eff0093..f923ea2 100644 --- a/secrets/.env.secrets.example +++ b/secrets/.env.secrets.example @@ -12,12 +12,9 @@ PASSBOLT_DB_NAME=CHANGE_ME PASSBOLT_DB_USER=CHANGE_ME PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=CHANGE_ME -GRAMPS_DB_NAME=CHANGE_ME -GRAMPS_DB_USER=CHANGE_ME -GRAMPS_DB_PASSWORD=CHANGE_ME -GRAMPS_INITIAL_ADMIN=CHANGE_ME -GRAMPS_INITIAL_ADMIN_PASSWORD=CHANGE_ME -GRAMPS_DB_URI=postgresql://${GRAMPS_DB_USER}:${GRAMPS_DB_PASSWORD}@db:5432/${GRAMPS_DB_NAME} +GRAMPSWEB_SECRET_KEY=CHANGE_ME +GRAMPSWEB_EMAIL_HOST_USER=CHANGE_ME +GRAMPSWEB_EMAIL_HOST_PASSWORD=CHANGE_ME GOTIFY_DEFAULTUSER_NAME=CHANGE_ME GOTIFY_DEFAULTUSER_PASS=CHANGE_ME
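Review bot: The celery healthcheck `pgrep -f "celery.*gramps_webapi.celery.*worker"` can match the `sh -c` wrapper that CMD-SHELL uses to run the check, because that shell's command line contains the pattern text and `.*` matches the literal `.*`; pgrep excludes only its own PID, not its parent, so the worker may be reported healthy when no worker process exists. The usual fix is to bracket the first character so the pattern no longer matches its own text: `- pgrep -f "[c]elery.*gramps_webapi.celery.*worker" >/dev/null`. Whether the wrapper shell is still resident when pgrep runs depends on the image's `/bin/sh` (some shells exec a single command directly), so treat the self-match as likely rather than certain. Even with the fix this is a liveness check on the process only and will not notice a worker that has lost its broker connection; `celery -A gramps_webapi.celery inspect ping` would, at the cost of a heavier check.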