chore: Upgrade debian image to 5.6.1 (HEXA-1552)

.env.dist

@@ -5,6 +5,9 @@
 DEBUG_LOGGING=false
 DEBUG_TOOLBAR=false
 
+# Allow self-registration (users can sign up without an invitation)
+ALLOW_SELF_REGISTRATION=false
+
 # Encryption settings
 SECRET_KEY='${SECRET_KEY}'
 ENCRYPTION_KEY='${ENCRYPTION_KEY}'
@@ -28,7 +31,7 @@ DATABASE_PASSWORD=hexa-app
 # Initial Django admin user
 DJANGO_SUPERUSER_USERNAME=root@openhexa.org
 DJANGO_SUPERUSER_EMAIL=root@openhexa.org
-DJANGO_SUPERUSER_PASSWORD=root
+DJANGO_SUPERUSER_PASSWORD=${DJANGO_SUPERUSER_PASSWORD}
 
 # Networking
 ############
@@ -125,9 +128,10 @@ WORKSPACE_BUCKET_PREFIX=hexa-test-
 
 # Storage backend to use for workspace files.
 # Options:
-#   - "fs" (local filesystem)
-#   - "gcp" (Google Cloud Storage)
+#   - "fs"    (local filesystem)
+#   - "gcp"   (Google Cloud Storage)
 #   - "azure" (Azure Blob Storage)
+#   - "s3"    (Amazon S3 or S3-compatible, e.g. MinIO)
 # Default: fs
 STORAGE_BACKEND=fs
 
@@ -140,16 +144,19 @@ WORKSPACE_STORAGE_LOCATION=$WORKSPACE_STORAGE_LOCATION
 # Generate with: base64 -w 0 service-account-key.json
 WORKSPACE_STORAGE_BACKEND_GCS_SERVICE_ACCOUNT_KEY=
 
-# # openssl rand -hex 16
-# WORKSPACE_STORAGE_ENGINE_AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
-# # openssl rand -base64 42
-# WORKSPACE_STORAGE_ENGINE_AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
-## AWS: To run it in AWS mode or in LocalHosting mode set the variable to s3
-WORKSPACE_STORAGE_BACKEND_AWS_ENDPOINT_URL=
-WORKSPACE_STORAGE_BACKEND_AWS_PUBLIC_ENDPOINT_URL=
-WORKSPACE_STORAGE_BACKEND_AWS_SECRET_ACCESS_KEY=
+## S3 (STORAGE_BACKEND=s3): Amazon S3 or S3-compatible storage (e.g. MinIO)
 WORKSPACE_STORAGE_BACKEND_AWS_ACCESS_KEY_ID=
+WORKSPACE_STORAGE_BACKEND_AWS_SECRET_ACCESS_KEY=
+# Region where buckets will be created (default: eu-central-1)
 WORKSPACE_STORAGE_BACKEND_AWS_BUCKET_REGION=
+# Internal endpoint for server-side API calls, set for MinIO or custom S3 (e.g. http://minio:9000)
+WORKSPACE_STORAGE_BACKEND_AWS_ENDPOINT_URL=
+# Public endpoint used in presigned URLs returned to clients: set when internal and public hosts differ
+# Falls back to WORKSPACE_STORAGE_BACKEND_AWS_ENDPOINT_URL when not set
+WORKSPACE_STORAGE_BACKEND_AWS_PUBLIC_ENDPOINT_URL=
+# Optional IAM role ARN to assume when generating short-lived notebook credentials via STS.
+# Falls back to static access key/secret when not set (required for MinIO or simple setups).
+WORKSPACE_STORAGE_BACKEND_AWS_ROLE_ARN=
 
 WORKSPACE_BUCKET_REGION=
 
@@ -163,3 +170,61 @@ WORKSPACE_BUCKET_REGION=
 
 # Bucket to store datasets for all workspaces
 WORKSPACE_DATASETS_BUCKET=hexa-datasets
+# Maximum number of files snapshotted per dataset version (used for previews)
+WORKSPACE_DATASETS_FILE_SNAPSHOT_SIZE=50
+
+# Static Webapps
+################
+
+# Optional parent domain to serve static webapps from a subdomain (e.g.
+# `app1.webapps.example.com`). Requires wildcard DNS pointing at this host.
+# Leave empty to completely disable webapps.
+# Example:
+# WEBAPPS_DOMAIN=webapps.example.com
+WEBAPPS_DOMAIN=
+
+# Comma-separated list of custom domains attached to public webapps. Each
+# domain must be set on the Webapp via Django admin AND listed here so Django
+# accepts the Host header. Example:
+# ADDITIONAL_ALLOWED_HOSTS=carte-sanitaire.gouv.ne,dashboard.example.org
+ADDITIONAL_ALLOWED_HOSTS=
+
+# Git server (Forgejo)
+######################
+# Backs OpenHEXA static webapps. Runs as a sibling container `forgejo`.
+# The admin password is auto-generated by setup.sh on first install.
+
+GIT_SERVER_ADMIN_USERNAME=openhexa-admin
+GIT_SERVER_ADMIN_PASSWORD=${GIT_SERVER_ADMIN_PASSWORD}
+
+# Absolute path to the directory where Forgejo persists its data
+# (SQLite metadata DB, git repositories, attachments, app.ini, ...).
+FORGEJO_STORAGE_LOCATION=$FORGEJO_STORAGE_LOCATION
+
+# AI Assistant
+##############
+
+# Monthly cap on AI assistant requests per workspace.
+ASSISTANT_MONTHLY_LIMIT=200
+
+# Optional Pydantic Logfire integration for AI agent observability.
+# When `true`, requires LOGFIRE_TOKEN to be set.
+LOGFIRE_SEND_TO_LOGFIRE=false
+# LOGFIRE_TOKEN=
+
+# OAuth2
+########
+
+OAUTH2_ACCESS_TOKEN_EXPIRE_SECONDS=3600
+# Comma-separated list of hosts allowed as OAuth2 redirect URIs.
+OAUTH2_ALLOWED_REDIRECT_URI_HOSTS=
+
+# JWT Workspace Tokens (optional)
+#################################
+# Required only for the `issueWorkspaceToken` GraphQL mutation. Generate a key
+# with: openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
+# OPENHEXA_JWT_PRIVATE_KEY=
+# OPENHEXA_JWT_KID=
+# OPENHEXA_JWT_ISSUER=https://app.openhexa.org
+# OPENHEXA_JWT_AUDIENCE=openhexa-clients
+# OPENHEXA_JWT_TTL=3600

.github/workflows/build_debian_package.yml

@@ -140,7 +140,11 @@ jobs:
         run: docker build -t openhexa/smoke-tests .
 
       - name: Run smoke tests
-        run: docker run -t --net=host -v "$(pwd)/test-results:/code/test-results" openhexa/smoke-tests http://localhost:3000/ root@openhexa.org root
+        run: |
+          SUPERUSER_PASSWORD=$(sudo grep -E '^DJANGO_SUPERUSER_PASSWORD=' /etc/openhexa/env.conf | cut -d= -f2-)
+          docker run -t --net=host \
+            -v "$(pwd)/test-results:/code/test-results" \
+            openhexa/smoke-tests http://localhost:3000/ root@openhexa.org "$SUPERUSER_PASSWORD"
 
       - name: Keep test results
         uses: actions/upload-artifact@v7

.gitignore

@@ -5,7 +5,9 @@ test-results/
 .secrets
 openhexa.nginx
 workspaces/
+forgejo_data/
 backup.conf*
 backup/
 workspaces-*
-.artifacts/
+forgejo_data-*
+.artifacts/