* Automatic Dockerfile update by release process

[skip ci]

Dockerfile

@@ -5,8 +5,8 @@ ARG SRCIMAGE=debian:bullseye-slim
 
 FROM  $SRCIMAGE AS builder
 
-ARG LSMB_VERSION="1.9.0-beta3"
-ARG LSMB_DL_DIR="Beta Releases"
+ARG LSMB_VERSION="1.9.10"
+ARG LSMB_DL_DIR="Releases"
 ARG ARTIFACT_LOCATION="https://download.ledgersmb.org/f/$LSMB_DL_DIR/$LSMB_VERSION/ledgersmb-$LSMB_VERSION.tar.gz"
 
 
@@ -43,8 +43,8 @@ RUN set -x ; \
 FROM  $SRCIMAGE
 LABEL org.opencontainers.image.authors="LedgerSMB project <devel@lists.ledgersmb.org>"
 
-ARG LSMB_VERSION="1.9.0-beta3"
-ARG LSMB_DL_DIR="Beta Releases"
+ARG LSMB_VERSION="1.9.10"
+ARG LSMB_DL_DIR="Releases"
 ARG ARTIFACT_LOCATION="https://download.ledgersmb.org/f/$LSMB_DL_DIR/$LSMB_VERSION/ledgersmb-$LSMB_VERSION.tar.gz"
 
 

README.md

@@ -4,8 +4,8 @@ Dockerfile for LedgerSMB Docker image
 
 # Supported tags
 
-- `1.9`, `1.9.x` - Latest official release from the 1.9 branch
-- `1.8`, `1.8.x`, `latest` - Latest official release from the 1.8 branch
+- `1.9`, `1.9.x`, `latest` - Latest official release from the 1.9 branch
+- `1.8`, `1.8.x` - Latest official release from the 1.8 branch
 - `1.7`, `1.7.x` - Latest official release from 1.7 branch
 - `1.6`, `1.6.33` - Last official release from 1.6 branch 
 - `1.5`, `1.5.30` - Last official release from 1.5 branch
@@ -46,7 +46,7 @@ could require additional setup of a mail service or CUPS printer service.
 This image can be installed either automatically with the Docker compose file
 or manually with docker only.
 
-## Docker-Compose installation and start
+## Docker-Compose: Installation and start
 
 This image provides `docker-compose.yml` which can be used to pull related
 images, install them, establish an internal network for their communications,
@@ -56,15 +56,27 @@ variables, are:
 
 ```plain
  $ docker-compose pull
- $ docker-compose up
+ $ docker-compose up -d
+```
+
+Or use the following to set a different password and/or parallel processing
+capacity (so called 'workers'):
+
+```plain
+ $ docker-compose pull
+ $ POSTGRES_PASSWORD=def \
+   LSMB_WORKERS=10 \
+   docker-compose up -d
 ```
 
 This will set up two containers: (1) a PostgreSQL container with persistent
 storage which is retained between container updates and (2) a LedgerSMB
 container configured to connect to the PostgreSQL container as its database
-server.
+server. Your LedgerSMB installation should now be accessible through
+[http://localhost:5762/](http://localhost:5762/).
 
-The database username and password are:
+The default number of workers is 5. The default database username and password
+are:
 
 ```plain
    username: postgres
@@ -111,9 +123,13 @@ Visit http://localhost:5762/login.pl to log in and get started.
 
 No persistant data is stored in the LedgerSMB container.
 
-All LedgerSMB data is stored in Postgres, so you can stop/destroy/run a
+All LedgerSMB data is stored in PostgreSQL, so you can stop/destroy/run a
 new LedgerSMB container as often as you want.
 
+In case of the Docker Compose setup, all PostgreSQL data is stored on the
+Docker volume with the name ending in `_pgdata`. This volume is not destroyed
+when updating the containers; only explicit removal destroys the data.
+
 # Environment Variables
 
 The LedgerSMB image uses several environment variables. They are all optional.
@@ -164,7 +180,51 @@ The following parameters are now supported to set mail preferences:
 * `LSMB_MAIL_SMTPPASS`
 * `LSMB_MAIL_SMTPAUTHMECH`
 
+# Advanced setup
 
+## Docker Compose with reverse proxy
+
+The `docker-compose-reverseproxy.yml` file shows a docker-compose setup
+which adds an Nginx reverse proxy configuration on top of the base
+`docker-compose.yml` configuration file. If the content of this repository
+is cloned into the current directory (`git clone https://github.com/ledgersmb/ledgersmb-docker.git ; cd ledgersmb-docker`), it can be used as:
+
+```plain
+ $ docker-compose \
+    -f docker-compose.yml \
+    -f docker-compose-reverseproxy.yml \
+       up -d
+```
+
+This setup can be used in combination with an image which runs the
+Certbot certificate renewal process *and* Nginx to do TLS termination. The
+default reverse proxy is mostly an example; it publishes on
+[http://localhost:8080/](http://localhost:8080/).
+
+An example of such an image can be found at
+[https://github.com/jonasalfredsson/docker-nginx-certbot](https://github.com/jonasalfredsson/docker-nginx-certbot),
+which is published on Docker Hub as
+[jonasal/nginx-certbot](https://hub.docker.com/r/jonasal/nginx-certbot).
+
+**Upgrade note** When upgrading this setup, please remove the volume ending
+in `_lsmbdata` before starting the upgraded containers. Without that, the
+webcontent won't be upgraded! E.g.:
+
+```plain
+  $ docker-compose \
+      -f docker-compose.yml \
+      -f docker-compose-reverseproxy.yml \
+        rm -s -f -v && \
+    docker volume rm ledgersmb-docker_lsmbdata && \
+    docker-compose \
+      -f docker-compose.yml \
+      -f docker-compose-reverseproxy.yml \
+        pull && \
+    docker-compose \
+      -f docker-compose.yml \
+      -f docker-compose-reverseproxy.yml \
+        up -d
+```
 
 # Troubleshooting/Developing
 

docker-compose-reverseproxy.yml

@@ -0,0 +1,31 @@
+# Use this docker-compose file as:
+#
+#  docker-compose -f docker-compose.yml -f docker-compose-reverseproxy.yml up -d
+#
+#
+# This command creates one
+# compose 'project' consisting of three containers
+#
+#  1. The PostgreSQL data  container
+#  2. The LedgerSMB application container
+#  3. The Nginx reverse proxy container
+#
+# In addition to publishing LedgerSMB on port 5762 on localhost,
+# this project also publishes Nginx's reverse proxied content on
+# port 8080 on localhost
+
+version: "3.2"
+services:
+  proxy:
+    image: nginx:1-alpine
+    volumes:
+      - "lsmbdata:/srv/ledgersmb"
+      - "./nginx.conf:/etc/nginx/nginx.conf"
+    ports:
+      - "8080:8080"
+  lsmb:
+    volumes:
+      - "lsmbdata:/srv/ledgersmb"
+
+volumes:
+  lsmbdata:

docker-compose.yml

@@ -16,10 +16,10 @@ services:
   # because that allows us to use the default hostname ("postgres")
   # from the LedgerSMB configuration
   postgres:
-    image: postgres:9.6-alpine
+    image: postgres:12-alpine
     environment:
       # Replace the password below for a secure setup
-      POSTGRES_PASSWORD: abc
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-abc}
       PGDATA: /var/lib/postgresql/data/pgdata
     networks:
       - internal
@@ -28,7 +28,7 @@ services:
   lsmb:
     depends_on:
       - postgres
-    image: ledgersmb/ledgersmb:1.9
+    image: ghcr.io/ledgersmb/ledgersmb:1.9
     networks:
       - internal
       - default
@@ -47,17 +47,26 @@ services:
       # improve the performance experience, increase memory and the
       # number of workers
       #
-      LSMB_WORKERS: 2
+      LSMB_WORKERS: ${LSMB_WORKERS:-5}
       #
       #
-      # SSMTP_ROOT:
-      # SSMTP_HOSTNAME:
-      # SSMTP_MAILHUB:
-      # SSMTP_AUTH_USER:
-      # SSMTP_AUTH_PASS:
-      # SSMTP_AUTH_METHOD:
-      # SSMTP_USE_STARTTLS:
-      # SSMTP_FROMLINE_OVERRIDE:
+
+      # LSMB_MAIL_SMTPHOST:
+      # LSMB_MAIL_SMTPPORT:
+      # LSMB_MAIL_SMTPTLS:
+      # LSMB_MAIL_SMTPSENDER_HOSTNAME:
+      # LSMB_MAIL_SMTPUSER:
+      # LSMB_MAIL_SMTPPASS:
+      # LSMB_MAIL_SMTPAUTHMECH:
+      #
+      #
+      # The PROXY_IP environment variable lets you set the IP address
+      # (range) of the reverse proxy used for TLS termination, which forwards
+      # its requests to this container. When this reverse proxy runs on the
+      # Docker host, the default below applies. In case the reverse proxy is
+      # hosted in a separate container, this setting needs to be adjusted.
+      #
+      # PROXY_IP: 172.17.0.1/12
 
 # having the dbdata volume is required to persist our
 # data between PostgreSQL container updates; without

nginx.conf

@@ -0,0 +1,81 @@
+# This is a full (minimal) nginx configuration file
+
+error_log /dev/stderr info;
+pid /tmp/nginx.pid;
+worker_processes 1;
+
+events {
+   worker_connections 1024;
+}
+
+http {
+   client_body_temp_path /tmp/client_body;
+   proxy_temp_path /tmp/proxy_temp;
+   fastcgi_temp_path /tmp/fastcgi_temp;
+   scgi_temp_path /tmp/scgi_temp;
+   uwsgi_temp_path /tmp/uwsgi_temp;
+
+   sendfile on;
+   tcp_nopush on;
+   tcp_nodelay on;
+   keepalive_timeout 65;
+   types_hash_max_size 2048;
+   include /etc/nginx/mime.types;
+   default_type application/octet-stream;
+
+   access_log /dev/stdout;
+   error_log /dev/stderr info;
+
+   gzip off;
+   gzip_static on;
+
+   server {
+      listen 8080 default_server;
+      listen [::]:8080 default_server ipv6only=on;
+
+      root /srv/ledgersmb/UI;
+
+      access_log /dev/stdout;
+      error_log /dev/stderr info;
+
+      # Don't log status polls
+      location /nginx_status {
+               stub_status on;
+               access_log off;
+               allow 127.0.0.1;
+               allow ::1;
+               deny all;
+      }
+
+      # Configuration files don't exist
+      location ^~ \.conf$ {
+         return 404;
+      }
+
+      # 'Hidden' files don't exist
+      location ~ /\. {
+         return 404;
+      }
+
+      location = / {
+         return 301 /login.pl;
+      }
+
+      # JS & CSS
+      location ~* \.(js|css)$ {
+         add_header Pragma "public";
+         add_header Cache-Control "public, must-revalidate, proxy-revalidate"; # Production
+         expires     7d; # Indicate that the resource can be cached for 1 week # Production
+         try_files $uri =404;
+      }
+
+      location / {
+         proxy_set_header        Host $host;
+         proxy_set_header        X-Real-IP $remote_addr;
+         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+         proxy_set_header        X-Forwarded-Proto $scheme;
+         proxy_read_timeout      300;
+         proxy_pass              http://lsmb:5762;
+      }
+   }
+}

start.sh

@@ -85,6 +85,8 @@ ${LSMB_MAIL_SMTPHOST:+smtphost=$LSMB_MAIL_SMTPHOST
 }${LSMB_MAIL_SMTPPASS:+smtppass=$LSMB_MAIL_SMTPPASS
 }${LSMB_MAIL_SMTPAUTHMECH:+smtpauthmech=$LSMB_MAIL_SMTPAUTHMECH
 }
+[proxy]
+ip=${PROXY_IP:-172.17.0.1/12}
 EOF
   export LSMB_CONFIG_FILE='/tmp/ledgersmb.conf'
 fi