Update to 2022-01-30 19:00

roles/penpot/templates/config.js.j2

@@ -0,0 +1,12 @@
+var penpotPublicURI = "{{ penpot_public_url }}";
+var penpotDemoWarning = false;
+var penpotAllowDemoUsers = false;
+{% if penpot_oidc_auth %}
+var penpotOIDCClientID = "{{ penpot_oidc_client_id }}";
+{% endif %}
+{% if penpot_ldap_auth %}
+var penpotLoginWithLDAP = true;
+{% endif %}
+var penpotRegistrationEnabled = {{ penpot_allow_user_registration | ternary('true', 'false') }};
+var penpotAnalyticsEnabled = false;
+var penpotFlags = "{{ penpot_allow_user_registration | ternary('enable-registration', '') }}";

roles/penpot/templates/env.j2

@@ -0,0 +1,78 @@
+
+PENPOT_HTTP_SERVER_PORT={{ penpot_ports['backend'] }}
+PENPOT_SREPL_PORT={{ penpot_ports['srepl'] }}
+
+# Should be set to the public domain where penpot is going to be served.
+PENPOT_PUBLIC_URI={{ penpot_public_url }}
+
+# Standard database connection parameters (only postgresql is supported):
+PENPOT_DATABASE_URI=postgresql://{{ penpot_db_server }}:{{ penpot_db_port }}/{{ penpot_db_name }}
+PENPOT_DATABASE_USERNAME={{ penpot_db_user }}
+PENPOT_DATABASE_PASSWORD={{ penpot_db_pass }}
+
+# Redis is used for the websockets notifications.
+PENPOT_REDIS_URI={{ penpot_redis_url }}
+
+# By default, files uploaded by users are stored in local filesystem. But it
+# can be configured to store in AWS S3 or completely in de the database.
+# Storing in the database makes the backups more easy but will make access to
+# media less performant.
+ASSETS_STORAGE_BACKEND=assets-fs
+PENPOT_STORAGE_ASSETS_FS_DIRECTORY={{ penpot_root_dir }}/data/assets
+
+# Telemetry. When enabled, a periodical process will send anonymous data about
+# this instance. Telemetry data will enable us to learn on how the application
+# is used, based on real scenarios. If you want to help us, please leave it
+# enabled.
+PENPOT_TELEMETRY_ENABLED=false
+
+# Email sending configuration. By default, emails are printed in the console,
+# but for production usage is recommended to setup a real SMTP provider. Emails
+# are used to confirm user registrations.
+PENPOT_SMTP_ENABLED=true
+PENPOT_SMTP_DEFAULT_FROM={{ penpot_email_from }}
+PENPOT_SMTP_DEFAULT_REPLY_TO={{ penpot_email_from }}
+PENPOT_SMTP_HOST={{ penpot_smtp_server }}
+PENPOT_SMTP_PORT={{ penpot_smtp_port }}
+{% if penpot_smtp_user is defined and penpot_smtp_pass is defined %}
+PENPOT_SMTP_USERNAME={{ penpot_smtp_user }}
+PENPOT_SMTP_PASSWORD={{ penpot_smtp_pass }}
+{% endif %}
+PENPOT_SMTP_TLS={{ penpot_smtp_tls | ternary('true','false') }}
+PENPOT_SMTP_SSL={{ penpot_smtp_ssl | ternary('true','false') }}
+
+# Feature flags. Right now they are only affect frontend, but in
+# future release they will affect to both backend and frontend.
+PENPOT_FLAGS="{{ penpot_allow_user_registration | ternary('enable-registration', '') }}"
+
+# Comma separated list of allowed domains to register. Empty to allow all.
+PENPOT_REGISTRATION_DOMAIN_WHITELIST="{{ penpot_user_registration_allowed_domains | join(',') }}"
+
+## Authentication providers
+{% if penpot_oidc_auth %}
+PENPOT_OIDC_BASE_URI={{ penpot_oidc_base_url }}
+PENPOT_OIDC_USER_URL={{ penpot_oidc_user_url }}
+PENPOT_OIDC_AUTH_URL={{ penpot_oidc_auth_url }}
+PENPOT_OIDC_TOKEN_URL={{ penpot_oidc_token_url }}
+PENPOT_OIDC_SCOPE={{ penpot_oidc_scope }}
+PENPOT_OIDC_CLIENT_ID={{ penpot_oidc_client_id }}
+PENPOT_OIDC_CLIENT_SECRET={{ penpot_oidc_client_secret }}
+{% endif %}
+
+{% if penpot_ldap_auth %}
+# LDAP
+PENPOT_LDAP_HOST={{ penpot_ldap_server }}
+PENPOT_LDAP_PORT={{ penpot_ldap_port }}
+PENPOT_LDAP_SSL={{ penpot_ldap_ssl | ternary('true', 'false') }}
+PENPOT_LDAP_STARTTLS={{ penpot_ldap_tls | ternary('true', 'false') }}
+PENPOT_LDAP_BASE_DN={{ penpot_ldap_base_dn }}
+{% if penpot_ldap_bind_dn is defined and penpot_ldap_bind_pass is defined %}
+PENPOT_LDAP_BIND_DN={{ penpot_ldap_bind_dn }}
+PENPOT_LDAP_BIND_PASSWORD={{ penpot_ldap_bind_pass }}
+{% endif %}
+PENPOT_LDAP_ATTRS_USERNAME={{ penpot_ldap_attr_username }}
+PENPOT_LDAP_ATTRS_EMAIL={{ penpot_ldap_attr_email }}
+PENPOT_LDAP_ATTRS_FULLNAME={{ penpot_ldap_attr_fullname }}
+PENPOT_LDAP_ATTRS_PHOTO={{ penpot_ldap_attr_photo }}
+PENPOT_LOGIN_WITH_LDAP=true
+{% endif %}

roles/penpot/templates/nginx.conf.j2

@@ -0,0 +1,76 @@
+server {
+    listen 443 ssl http2;
+    server_name {{ penpot_public_url | urlsplit('hostname') }};
+
+    client_max_body_size 50M;
+    charset utf-8;
+
+    proxy_http_version 1.1;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    etag off;
+    root {{ penpot_root_dir }}/frontend;
+
+    location ~* \.(js|css).*$ {
+        add_header Cache-Control "max-age=86400" always; # 24 hours
+    }
+
+    location ~* \.(html).*$ {
+        add_header Cache-Control "no-cache, max-age=0" always;
+    }
+
+    location /api {
+        proxy_pass http://localhost:{{ penpot_ports['backend'] }}/api;
+    }
+
+    location /dbg {
+        proxy_pass http://localhost:{{ penpot_ports['backend'] }}/dbg;
+    }
+
+    location /export {
+        proxy_pass http://localhost:{{ penpot_ports['exporter'] }};
+    }
+
+    location /ws/notifications {
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_pass http://localhost:{{ penpot_ports['backend'] }}/ws/notifications;
+    }
+
+    location @handle_redirect {
+        set $redirect_uri "$upstream_http_location";
+        set $redirect_host "$upstream_http_x_host";
+        set $redirect_cache_control "$upstream_http_cache_control";
+
+        proxy_buffering off;
+
+        proxy_set_header Host "$redirect_host";
+        proxy_hide_header etag;
+        proxy_hide_header x-amz-id-2;
+        proxy_hide_header x-amz-request-id;
+        proxy_hide_header x-amz-meta-server-side-encryption;
+        proxy_hide_header x-amz-server-side-encryption;
+        proxy_pass $redirect_uri;
+
+        add_header x-internal-redirect "$redirect_uri";
+        add_header x-cache-control "$redirect_cache_control";
+        add_header cache-control "$redirect_cache_control";
+    }
+
+    location /assets {
+        proxy_pass http://localhost:{{ penpot_ports['backend'] }}/assets;
+        recursive_error_pages on;
+        proxy_intercept_errors on;
+        error_page 301 302 307 = @handle_redirect;
+    }
+
+    location /internal/assets {
+        internal;
+        alias {{ penpot_root_dir }}/data/assets;
+        add_header x-internal-redirect "$upstream_http_x_accel_redirect";
+    }
+}

roles/penpot/templates/penpot-exporter.service.j2

@@ -0,0 +1,32 @@
+[Unit]
+Description=Penpot exporter
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User={{ penpot_user }}
+WorkingDirectory={{ penpot_root_dir }}/exporter
+Environment=PENPOT_HTTP_SERVER_PORT={{ penpot_ports['exporter'] }}
+ExecStart=/bin/node {{ penpot_root_dir }}/exporter/app.js
+PrivateTmp=yes
+NoNewPrivileges=true
+Restart=on-failure
+MemoryLimit=512M
+SyslogIdentifier=penpot-exporter
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectSystem=full
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictRealtime=true
+RestrictNamespaces=true
+ReadWritePaths=/run {{ penpot_root_dir }}/data
+LockPersonality=true
+
+[Install]
+WantedBy=multi-user.target

roles/penpot/templates/penpot-server.service.j2

@@ -0,0 +1,33 @@
+[Unit]
+Description=Penpot server
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User={{ penpot_user }}
+WorkingDirectory={{ penpot_root_dir }}/backend
+EnvironmentFile={{ penpot_root_dir }}/etc/env
+ExecStart={{ penpot_root_dir }}/backend/run.sh
+SuccessExitStatus=143
+PrivateTmp=yes
+NoNewPrivileges=true
+Restart=on-failure
+MemoryLimit=2048M
+SyslogIdentifier=penpot-server
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectSystem=full
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictRealtime=true
+RestrictNamespaces=true
+ReadWritePaths=/run {{ penpot_root_dir }}/data
+LockPersonality=true
+
+[Install]
+WantedBy=multi-user.target

roles/penpot/templates/post-backup.j2

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eo pipefail
+
+rm -f {{ penpot_root_dir }}/backup/{{ penpot_db_name }}.sql.zst

roles/penpot/templates/pre-backup.j2

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -eo pipefail
+
+PGPASSWORD='{{ penpot_db_pass }}' /usr/pgsql-14/bin/pg_dump \
+  --clean \
+  --create \
+  --username={{ penpot_db_user | quote }} \
+  --host={{ penpot_db_server | quote }} \
+  --port={{ penpot_db_port }} \
+  {{ penpot_db_name | quote }} | \
+  zstd -c > {{ penpot_root_dir }}/backup/{{ penpot_db_name | quote }}.sql.zst