Update Gramps to file-backed Gramps Web stack with celery and valkey

DEPLOYMENT.md

@@ -17,7 +17,6 @@ Create these Docker secret files (all ignored by git):
 - `secrets/nextcloud_smtp_password.txt`
 - `secrets/nextcloud_redis_password.txt`
 - `secrets/passbolt_db_password.txt`
-- `secrets/gramps_db_password.txt`
 - `secrets/influxdb_init_password.txt`
 - `secrets/prometheus_kuma_basic_auth_password.txt`
 
@@ -31,7 +30,7 @@ chmod 600 secrets/*.txt
 
 These values were previously hardcoded and must be rotated in upstream systems immediately:
 
-- Database credentials (Nextcloud, Passbolt, Gramps, InfluxDB).
+- Database credentials (Nextcloud, Passbolt, InfluxDB).
 - Nextcloud SMTP app password.
 - Authelia reset JWT secret, session secret, storage encryption key.
 - Traefik CrowdSec LAPI key.

SECURITY_SECRETS_INVENTORY.md

@@ -14,12 +14,9 @@ This inventory is aligned with `secrets/.env.secrets.example` and documents only
 | `PASSBOLT_DB_NAME` | `apps/passbolt/docker-compose.yml` | Passbolt database name. |
 | `PASSBOLT_DB_USER` | `apps/passbolt/docker-compose.yml` | Passbolt database username. |
 | `PASSBOLT_GPG_SERVER_KEY_FINGERPRINT` | `apps/passbolt/docker-compose.yml` | Passbolt server GPG key fingerprint. |
-| `GRAMPS_DB_NAME` | `apps/gramps/docker-compose.yml` | Gramps database name. |
-| `GRAMPS_DB_USER` | `apps/gramps/docker-compose.yml` | Gramps database username. |
-| `GRAMPS_DB_PASSWORD` | `apps/gramps/docker-compose.yml` | Gramps database password. |
-| `GRAMPS_INITIAL_ADMIN` | `apps/gramps/docker-compose.yml` | Gramps initial admin username/email (deployment-specific). |
-| `GRAMPS_INITIAL_ADMIN_PASSWORD` | `apps/gramps/docker-compose.yml` | Gramps initial admin password. |
-| `GRAMPS_DB_URI` | `apps/gramps/docker-compose.yml` | Derived connection string in the example file. |
+| `GRAMPSWEB_SECRET_KEY` | `apps/gramps/docker-compose.yml` | Secret key used by Gramps Web for session/security signing. |
+| `GRAMPSWEB_EMAIL_HOST_USER` | `apps/gramps/docker-compose.yml` | SMTP username for Gramps outbound email. |
+| `GRAMPSWEB_EMAIL_HOST_PASSWORD` | `apps/gramps/docker-compose.yml` | SMTP password for Gramps outbound email. |
 | `GOTIFY_DEFAULTUSER_NAME` | `monitoring/gotify/docker-compose.yml` | Gotify default username. |
 | `GOTIFY_DEFAULTUSER_PASS` | `monitoring/gotify/docker-compose.yml` | Gotify default user password. |
 | `INFLUXDB_INIT_USERNAME` | `monitoring/prometheus/docker-compose.yml` | InfluxDB initial username. |

apps/gramps/docker-compose.yml

@@ -1,58 +1,47 @@
 services:
-  gramps-db:
-    profiles: ["apps","all","gramps"]
-    image: postgres:13
-    container_name: gramps-db
-    restart: always
-    env_file:
-      - ${SECRETS_ENV_FILE}
-    environment:
-      POSTGRES_USER: ${GRAMPS_DB_USER}
-      POSTGRES_PASSWORD_FILE: /run/secrets/gramps_db_password
-      POSTGRES_DB: ${GRAMPS_DB_NAME}
-    secrets:
-      - gramps_db_password
-    volumes:
-      - ${PROJECT_ROOT}/apps/gramps/db:/var/lib/postgresql
-    networks:
-      - gramps
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -h gramps-db -p 5432 -U $$POSTGRES_USER -d $$POSTGRES_DB"]
-      interval: 10s
-      timeout: 5s
-      retries: 12
-      start_period: 30s
-
   grampsweb:
     profiles: ["apps","all","gramps"]
     image: ghcr.io/gramps-project/grampsweb:latest
     container_name: gramps-web
     depends_on:
-      - gramps-db
+      - gramps-redis
+      - grampsweb_celery
     restart: always
     env_file:
       - ${SECRETS_ENV_FILE}
     environment:
-      DB_URI: ${GRAMPS_DB_URI}
-      GRAMPSWEB_LOGLEVEL: ${GRAMPSWEB_LOGLEVEL}
-      # default admin user created on first run:
-      INITIAL_ADMIN: ${GRAMPS_INITIAL_ADMIN}
-      INITIAL_ADMIN_PASSWORD: ${GRAMPS_INITIAL_ADMIN_PASSWORD}
-      # optional: storage paths inside container
-      GRAMPSWEB_MEDIAPATH: ${GRAMPSWEB_MEDIAPATH}
-      GRAMPSWEB_TREE: "${GRAMPSWEB_TREE}"
+      TZ: ${TZ}
+      GRAMPSWEB_TREE: ${GRAMPSWEB_TREE}
+      GRAMPSWEB_BASE_URL: ${GRAMPSWEB_BASE_URL}
+      GRAMPSWEB_SECRET_KEY: ${GRAMPSWEB_SECRET_KEY}
+      GRAMPSWEB_REGISTRATION_DISABLED: ${GRAMPSWEB_REGISTRATION_DISABLED}
+      GRAMPSWEB_EMAIL_HOST: ${GRAMPSWEB_EMAIL_HOST}
+      GRAMPSWEB_EMAIL_PORT: ${GRAMPSWEB_EMAIL_PORT}
+      GRAMPSWEB_EMAIL_HOST_USER: ${GRAMPSWEB_EMAIL_HOST_USER}
+      GRAMPSWEB_EMAIL_HOST_PASSWORD: ${GRAMPSWEB_EMAIL_HOST_PASSWORD}
+      GRAMPSWEB_EMAIL_USE_SSL: ${GRAMPSWEB_EMAIL_USE_SSL}
+      GRAMPSWEB_EMAIL_USE_STARTTLS: ${GRAMPSWEB_EMAIL_USE_STARTTLS}
+      GRAMPSWEB_DEFAULT_FROM_EMAIL: ${GRAMPSWEB_DEFAULT_FROM_EMAIL}
+      GRAMPSWEB_CELERY_CONFIG__broker_url: redis://gramps-redis:6379/0
+      GRAMPSWEB_CELERY_CONFIG__result_backend: redis://gramps-redis:6379/0
+      GRAMPSWEB_RATELIMIT_STORAGE_URI: redis://gramps-redis:6379/1
     volumes:
       - ${PROJECT_ROOT}/apps/gramps/data/users:/app/users
-      - ${PROJECT_ROOT}/apps/gramps/data/media:/app/media
+      - ${PROJECT_ROOT}/apps/gramps/data/index:/app/indexdir
+      - ${PROJECT_ROOT}/apps/gramps/data/thumbnail_cache:/app/thumbnail_cache
       - ${PROJECT_ROOT}/apps/gramps/data/cache:/app/cache
+      - ${PROJECT_ROOT}/apps/gramps/data/secret:/app/secret
+      - ${PROJECT_ROOT}/apps/gramps/data/db:/root/.gramps/grampsdb
+      - ${PROJECT_ROOT}/apps/gramps/data/media:/app/media
+      - ${PROJECT_ROOT}/apps/gramps/data/tmp:/tmp
     labels:
-       - "traefik.http.routers.gramps.rule=Host(`familytree.lan.ddnsgeek.com`)"
-       - "traefik.enable=true"
-       - "traefik.http.routers.gramps.entrypoints=websecure"
-       - "traefik.http.routers.gramps.tls.certresolver=myresolver"
-       - "io.portainer.accesscontrol.public"
-       - "traefik.http.services.gramps.loadbalancer.server.port=5000"
-       - "traefik.docker.network=core_traefik"
+      - "traefik.http.routers.gramps.rule=Host(`familytree.lan.ddnsgeek.com`)"
+      - "traefik.enable=true"
+      - "traefik.http.routers.gramps.entrypoints=websecure"
+      - "traefik.http.routers.gramps.tls.certresolver=myresolver"
+      - "io.portainer.accesscontrol.public"
+      - "traefik.http.services.gramps.loadbalancer.server.port=5000"
+      - "traefik.docker.network=core_traefik"
     networks:
       - traefik
       - gramps
@@ -65,9 +54,51 @@ services:
       retries: 6
       start_period: 60s
 
+  grampsweb_celery:
+    profiles: ["apps","all","gramps"]
+    image: ghcr.io/gramps-project/grampsweb:latest
+    container_name: gramps-web-celery
+    command: celery -A gramps_webapi.celery worker --loglevel=INFO --concurrency=2
+    depends_on:
+      - gramps-redis
+    restart: always
+    env_file:
+      - ${SECRETS_ENV_FILE}
+    environment:
+      TZ: ${TZ}
+      GRAMPSWEB_TREE: ${GRAMPSWEB_TREE}
+      GRAMPSWEB_BASE_URL: ${GRAMPSWEB_BASE_URL}
+      GRAMPSWEB_SECRET_KEY: ${GRAMPSWEB_SECRET_KEY}
+      GRAMPSWEB_REGISTRATION_DISABLED: ${GRAMPSWEB_REGISTRATION_DISABLED}
+      GRAMPSWEB_EMAIL_HOST: ${GRAMPSWEB_EMAIL_HOST}
+      GRAMPSWEB_EMAIL_PORT: ${GRAMPSWEB_EMAIL_PORT}
+      GRAMPSWEB_EMAIL_HOST_USER: ${GRAMPSWEB_EMAIL_HOST_USER}
+      GRAMPSWEB_EMAIL_HOST_PASSWORD: ${GRAMPSWEB_EMAIL_HOST_PASSWORD}
+      GRAMPSWEB_EMAIL_USE_SSL: ${GRAMPSWEB_EMAIL_USE_SSL}
+      GRAMPSWEB_EMAIL_USE_STARTTLS: ${GRAMPSWEB_EMAIL_USE_STARTTLS}
+      GRAMPSWEB_DEFAULT_FROM_EMAIL: ${GRAMPSWEB_DEFAULT_FROM_EMAIL}
+      GRAMPSWEB_CELERY_CONFIG__broker_url: redis://gramps-redis:6379/0
+      GRAMPSWEB_CELERY_CONFIG__result_backend: redis://gramps-redis:6379/0
+      GRAMPSWEB_RATELIMIT_STORAGE_URI: redis://gramps-redis:6379/1
+    volumes:
+      - ${PROJECT_ROOT}/apps/gramps/data/users:/app/users
+      - ${PROJECT_ROOT}/apps/gramps/data/index:/app/indexdir
+      - ${PROJECT_ROOT}/apps/gramps/data/thumbnail_cache:/app/thumbnail_cache
+      - ${PROJECT_ROOT}/apps/gramps/data/cache:/app/cache
+      - ${PROJECT_ROOT}/apps/gramps/data/secret:/app/secret
+      - ${PROJECT_ROOT}/apps/gramps/data/db:/root/.gramps/grampsdb
+      - ${PROJECT_ROOT}/apps/gramps/data/media:/app/media
+      - ${PROJECT_ROOT}/apps/gramps/data/tmp:/tmp
+    networks:
+      - gramps
+
+  gramps-redis:
+    profiles: ["apps","all","gramps"]
+    image: valkey/valkey:8-alpine
+    container_name: gramps-redis
+    restart: always
+    networks:
+      - gramps
+
 networks:
   gramps:
-
-secrets:
-  gramps_db_password:
-    file: ${PROJECT_ROOT}/secrets/gramps_db_password.txt

default-environment.env

@@ -39,9 +39,14 @@ PASSBOLT_APP_FULL_BASE_URL=https://passbolt.lan.ddnsgeek.com
 PASSBOLT_DATASOURCES_DEFAULT_HOST=passbolt-db
 
 # Gramps
-GRAMPSWEB_LOGLEVEL=INFO
-GRAMPSWEB_MEDIAPATH=/app/media
 GRAMPSWEB_TREE=main
+GRAMPSWEB_BASE_URL=https://familytree.lan.ddnsgeek.com
+GRAMPSWEB_REGISTRATION_DISABLED=true
+GRAMPSWEB_EMAIL_HOST=smtp.gmail.com
+GRAMPSWEB_EMAIL_PORT=587
+GRAMPSWEB_EMAIL_USE_SSL=false
+GRAMPSWEB_EMAIL_USE_STARTTLS=true
+GRAMPSWEB_DEFAULT_FROM_EMAIL=familytree@lan.ddnsgeek.com
 
 # Prometheus stack
 INFLUXDB_INIT_MODE=setup

secrets/.env.secrets.example

@@ -12,12 +12,9 @@ PASSBOLT_DB_NAME=CHANGE_ME
 PASSBOLT_DB_USER=CHANGE_ME
 PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=CHANGE_ME
 
-GRAMPS_DB_NAME=CHANGE_ME
-GRAMPS_DB_USER=CHANGE_ME
-GRAMPS_DB_PASSWORD=CHANGE_ME
-GRAMPS_INITIAL_ADMIN=CHANGE_ME
-GRAMPS_INITIAL_ADMIN_PASSWORD=CHANGE_ME
-GRAMPS_DB_URI=postgresql://${GRAMPS_DB_USER}:${GRAMPS_DB_PASSWORD}@db:5432/${GRAMPS_DB_NAME}
+GRAMPSWEB_SECRET_KEY=CHANGE_ME
+GRAMPSWEB_EMAIL_HOST_USER=CHANGE_ME
+GRAMPSWEB_EMAIL_HOST_PASSWORD=CHANGE_ME
 
 GOTIFY_DEFAULTUSER_NAME=CHANGE_ME
 GOTIFY_DEFAULTUSER_PASS=CHANGE_ME