Merge branch 'master' into docker-secrets

Support dualstack listen on nginx

.github/dependabot.yml

@@ -12,3 +12,10 @@ updates:
     versions:
     - ">= 3.11.a"
     - "< 3.12"
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: weekly
+    time: "04:00"
+    timezone: Europe/Paris
+  open-pull-requests-limit: 10

.github/workflows/publish.yml

@@ -13,16 +13,16 @@ jobs:
       contents: read
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -30,23 +30,23 @@ jobs:
           
        # Documentation: https://github.com/docker/setup-qemu-action
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
         
       # Documentation: https://github.com/docker/setup-buildx-action
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             wallabag/wallabag
             ghcr.io/${{ github.repository }}
 
       - name: Build and push Docker images
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true

.github/workflows/test.yml

@@ -21,20 +21,21 @@ jobs:
           - "sqlite"
           - "mariadb"
           - "postgresql"
+          - "postgresql-secret"
 
     steps:
       - name: "Checkout"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 2
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.11
 
       - name: "Build image"
-        run: docker-compose -f tests/docker-compose.${{ matrix.database }}.yml build
+        run: docker compose -f tests/docker-compose.${{ matrix.database }}.yml build
 
       - name: "Install dependencies"
         run: pip install pytest pytest-docker requests
@@ -44,8 +45,8 @@ jobs:
 
       - name: "Get docker logs"
         if: ${{ always() }}
-        run: docker-compose -p "wallabag_${{ matrix.database }}" -f tests/docker-compose.${{ matrix.database }}.yml logs wallabag
+        run: docker compose -p "wallabag_${{ matrix.database }}" -f tests/docker-compose.${{ matrix.database }}.yml logs wallabag
 
       - name: "Cleanup environment"
         if: ${{ always() }}
-        run: docker-compose -p "wallabag_${{ matrix.database }}" -f tests/docker-compose.${{ matrix.database }}.yml down -v
+        run: docker compose -p "wallabag_${{ matrix.database }}" -f tests/docker-compose.${{ matrix.database }}.yml down -v

Dockerfile

@@ -13,7 +13,7 @@ FROM alpine:3.18
 
 COPY --from=builder /go/bin/envsubst /usr/bin/envsubst
 
-ARG WALLABAG_VERSION=2.6.10
+ARG WALLABAG_VERSION=2.6.12
 
 RUN set -ex \
  && apk add --no-cache \
@@ -32,6 +32,7 @@ RUN set -ex \
       php81-iconv \
       php81-json \
       php81-mbstring \
+      php81-opcache \
       php81-openssl \
       php81-pecl-amqp \
       php81-pecl-imagick \
@@ -83,6 +84,8 @@ ENV PATH="${PATH}:/var/www/wallabag/bin"
 # Set console entry path
 WORKDIR /var/www/wallabag
 
+HEALTHCHECK CMD curl --fail --silent --show-error --user-agent healthcheck http://localhost/api/info || exit 1
+
 EXPOSE 80
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["wallabag"]

README.md

@@ -43,6 +43,8 @@ Default login is `wallabag:wallabag`.
 - `-e SYMFONY__ENV__SERVER_NAME=...` (defaults to "Your wallabag instance". Specifies a user-friendly name for the 2FA issuer)
 - `-e PHP_MEMORY_LIMIT=...` (allows you to change the PHP `memory_limit` value. defaults to 128M, and should be a number and unit, eg. 512K, 128M, 2G, or a number of bytes)
 
+To set any of these environment variables from a file (for instance a Docker Secret), append `__FILE` to the name of the environment variable.
+
 ## SQLite
 
 The easiest way to start wallabag is to use the SQLite backend. You can spin that up with
@@ -109,7 +111,6 @@ $ docker exec -t NAME_OR_ID_OF_YOUR_WALLABAG_CONTAINER /var/www/wallabag/bin/con
 An example [docker-compose](https://docs.docker.com/compose/) file can be seen below:
 
 ```
-version: '3'
 services:
   wallabag:
     image: wallabag/wallabag
@@ -132,10 +133,6 @@ services:
       - "80"
     volumes:
       - /opt/wallabag/images:/var/www/wallabag/web/assets/images
-    healthcheck:
-      test: ["CMD", "wget" ,"--no-verbose", "--tries=1", "--spider", "http://localhost/api/info"]
-      interval: 1m
-      timeout: 3s
     depends_on:
       - db
       - redis

root/entrypoint.sh

@@ -2,6 +2,16 @@
 # Exit when any command fails
 set -e
 
+FILE_ENV_VARS="$(env | grep '__FILE=')"
+for env_var in $FILE_ENV_VARS; do
+    var_name="$(echo $env_var | grep -o '.*__FILE=' | sed 's/__FILE=//g')"
+    file_path="$(echo $env_var | grep -o '__FILE=.*' | sed 's/__FILE=//g')"
+    file_content="$(cat $file_path)"
+    [[ ! $? -eq 0 ]] && exit 1 # Exit if last command failed
+    new_var="$(echo $var_name=$file_content)"
+    export $(echo $new_var | xargs)
+done
+
 COMMAND_ARG1="$1"
 COMMAND_ARG2="$2"
 

root/etc/nginx/nginx.conf

@@ -35,8 +35,7 @@ http {
     }
 
     server {
-        listen 80;
+        listen [::]:80 ipv6only=off;
-        listen [::0]:80;
         server_name _;
         root /var/www/wallabag/web;
 

tests/credentials/db_password

@@ -0,0 +1 @@
+wallapass

tests/credentials/env_secret

@@ -0,0 +1 @@
+F00B4R

tests/credentials/postgres_password

@@ -0,0 +1 @@
+my-secret-pw

tests/docker-compose.postgresql-secret.yml

@@ -0,0 +1,31 @@
+version: '2'
+services:
+  wallabag:
+    build:
+      context: ../
+    image: wallabag:postgresql
+    container_name: wallabag
+    environment:
+      - POSTGRES_PASSWORD__FILE=/run/secrets/postgres_password
+      - POSTGRES_USER=my-super-user
+      - SYMFONY__ENV__SECRET__FILE=/run/secrets/env_secret
+      - SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
+      - SYMFONY__ENV__DATABASE_HOST=db
+      - SYMFONY__ENV__DATABASE_PORT=5432
+      - SYMFONY__ENV__DATABASE_NAME=wallabag
+      - SYMFONY__ENV__DATABASE_USER=wallabag
+      - SYMFONY__ENV__DATABASE_PASSWORD__FILE=/run/secrets/db_password
+    ports:
+      - "127.0.0.1:80:80"
+    # Docker Secrets require Swarm Mode, so we use volumes instead to spoof the behaviour
+    volumes:
+      - ./credentials/db_password:/run/secrets/db_password
+      - ./credentials/postgres_password:/run/secrets/postgres_password
+      - ./credentials/env_secret:/run/secrets/env_secret
+  db:
+    image: postgres:10.3
+    environment:
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+      - POSTGRES_USER=my-super-user
+    volumes:
+      - ./credentials/postgres_password:/run/secrets/postgres_password

tests/test_login.py

@@ -28,7 +28,7 @@ def docker_cleanup():
 
 @pytest.fixture(scope="session")
 def docker_compose_command() -> str:
-    return "docker-compose"
+    return "docker compose"
 
 @pytest.fixture(scope="session")
 def docker_compose_file(pytestconfig, database):