Document how to disable SSL connections to the database (#6241)

* Document how to disable SSL connections to the database * Include a Docker Compose example * Add a note explaining why CI cache solutions are not suitable for Tuist caching needs
tuist · Apr 30, 2024 · baa4afb · baa4afb
1 parent d2af8da
commit baa4afb
Show file tree

Hide file tree

Showing 2 changed files with 95 additions and 14 deletions.
diff --git a/docs/docs/cloud/on-premise.md b/docs/docs/cloud/on-premise.md
@@ -65,10 +65,11 @@ As an on-premise user, you'll receive a license key that you'll need to expose a
 | Environment variable | Description | Required | Default | Example |
 | --- | --- | --- | --- | --- |
 | `DATABASE_URL` | The URL to access the Postgres database. Note that the URL should contain the authentication information | Yes | | `postgres://username:password@cloud.us-east-2.aws.test.com/production` |
+| `TUIST_USE_SSL_FOR_DATABASE` | When true, it uses [SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security) to connect to the database | No | `1` | `1` |
 | `TUIST_APP_URL` | The base URL to access the instance from the Internet | Yes | | https://cloud.tuist.io |
 | `TUIST_SECRET_KEY_BASE` | The key to use to encrypt information (e.g. sessions in a cookie) | Yes | | | `c5786d9f869239cbddeca645575349a570ffebb332b64400c37256e1c9cb7ec831345d03dc0188edd129d09580d8cbf3ceaf17768e2048c037d9c31da5dcacfa` |
-| `TUIST_SECRET_KEY_PASSWORD` | <!-- TODO -->  | No | `$TUIST_SECRET_KEY_BASE` | |
-| `TUIST_SECRET_KEY_TOKENS` | <!-- TODO --> | No | `$TUIST_SECRET_KEY_BASE` | |        
+| `TUIST_SECRET_KEY_PASSWORD` | Pepper to generate hashed passwords | No | `$TUIST_SECRET_KEY_BASE` | |
+| `TUIST_SECRET_KEY_TOKENS` | Secret key to generate random tokens | No | `$TUIST_SECRET_KEY_BASE` | |        
 | `TUIST_USE_IPV6` | When `1` it configures the app to use IPv6 addresses | No | `0` | `1`|
 
 ### Authentication environment configuration
@@ -225,4 +226,91 @@ kill_timeout = "5s"
   url_prefix = "/"
 ```
 
-Then you can run `fly launch --local-only --no-deploy` to launch the app. On subsequent deploys, instead of running `fly launch --local-only`, you will need to run `fly deploy --local-only`. Fly.io doesn't allow to pull private Docker images, which is why we need to use the `--local-only` flag.
+Then you can run `fly launch --local-only --no-deploy` to launch the app. On subsequent deploys, instead of running `fly launch --local-only`, you will need to run `fly deploy --local-only`. Fly.io doesn't allow to pull private Docker images, which is why we need to use the `--local-only` flag.
+
+### Docker Compose
+
+Below is an example of a `docker-compose.yml` file that you can use as a reference to deploy the service:
+
+```yaml
+version: '3.8'
+services:
+  db:
+    image: postgres:14.1-alpine
+    restart: always
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
+    ports:
+      - '5432:5432'
+    volumes: 
+      - db:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  pgweb:
+    container_name: pgweb  
+    restart: always  
+    image: sosedoff/pgweb
+    ports:
+      - "8081:8081"
+    links:
+      - db:db  
+    environment:
+      PGWEB_DATABASE_URL: postgres://postgres:postgres@db:5432/postgres?sslmode=disable
+    depends_on:
+      - db 
+
+  tuist:
+    image: ghcr.io/tuist/cloud-on-premise:latest
+    container_name: tuist_cloud
+    depends_on:
+      - db
+    ports:
+      - "80:80"
+      - "8080:8080"
+      - "443:443"
+    expose:
+      - "80"
+      - "8080"
+      - "443:443"
+    environment:
+      # Base Tuist Env - https://docs.tuist.io/cloud/on-premise#base-environment-configuration
+      TUIST_USE_SSL_FOR_DATABASE: "0"
+      TUIST_LICENSE:  # ...
+      TUIST_CLOUD_HOSTED: "0"
+      DATABASE_URL: postgres://postgres:postgres@db:5432/postgres?sslmode=disable
+      TUIST_APP_URL: https://localhost:8080
+      TUIST_SECRET_KEY_BASE: # ...
+      WEB_CONCURRENCY: 80
+
+      # Auth - one method
+      # GitHub Auth - https://docs.tuist.io/cloud/on-premise#github
+      TUIST_GITHUB_OAUTH_ID: 
+      TUIST_GITHUB_OAUTH_SECRET: 
+
+      # Okta Auth - https://docs.tuist.io/cloud/on-premise#okta
+      TUIST_OKTA_SITE:
+      TUIST_OKTA_CLIENT_ID:
+      TUIST_OKTA_CLIENT_SECRET:
+      TUIST_OKTA_AUTHORIZE_URL: # Optional
+      TUIST_OKTA_TOKEN_URL: # Optional
+      TUIST_OKTA_USER_INFO_URL: # Optional
+      TUIST_OKTA_EVENT_HOOK_SECRET: # Optional
+
+      # Storage
+      TUIST_S3_ACCESS_KEY_ID: # ...
+      TUIST_S3_SECRET_ACCESS_KEY: # ...
+      TUIST_S3_BUCKET_NAME: # ...
+      TUIST_S3_REGION: # ...
+      TUIST_S3_ENDPOINT: # https://amazonaws.com
+
+      # Other
+
+volumes:
+  db:
+    driver: local
+```
diff --git a/docs/docs/cloud/what-is-cloud.md b/docs/docs/cloud/what-is-cloud.md
@@ -15,17 +15,6 @@ Tuist Cloud, a closed-source paid service, enhances Tuist by adding server-requi
 > [!IMPORTANT] PROJECT ONBOARDING
 > Due to [Xcode's default to convenience](/guide/introduction/cost-of-convenience) your project might contain implicit configurations that can prevent some Tuist Cloud features from working as expected, and therefore require manual adjustments.
 
-## Sustainability
-
-Similar to many other open-source projects, Tuist also necessitated full-time dedicated personnel to adequately meet the demand for support and feature requests. Tuist Cloud plays a crucial role in fulfilling this requirement by enabling the financing of full-time personnel for the project.
-
-Becoming Tuist Cloud user is synonym to supporting the the development of Tuist and many of the open source that makes Tuist and other community open source projects possible. We wished the economics of open source were much different and organizations and government recognized the value of open source and financially supported it, but at the time of write, that's unfortunately not the case, so creating a business is the only option we were left with.
-
-> [!INFO] BUT I WANT TO USE MY CI CACHE...
-> Users often don't understand the need for paying for caching when their CI provider already provides a solution. We understand it, it doesn't make sense logically, but financially, we believe it does, because Tuist has reached a point that needs funding to continue to support its development. Avoiding doing so, like we had to suffer from in the past, puts Tuist and all our efforts at risk.
-
-<!-- > This is a comment we hear often from users. We also had to experience users trying to workaround the CLI measures to ensure exclusivity of the features with Tuist Cloud. -->
-
 ## Features
 
 ### Binary caching across environments
@@ -35,6 +24,10 @@ Tuist Cloud offers a robust storage solution for Tuist, enabling the sharing of
 > [!TIP] RETURN OF INVESTMENT (ROI)
 > To assist organizations in evaluating their return on investment (ROI), we've developed an [**ROI calculator**](https://tuist.io/cloud). For instance, consider an organization with approximately 20 developers. If their clean builds take 10 minutes and they achieve a 70% cache effectiveness, they could potentially reduce development time by 24,000 hours and recover up to $6.4 million a year.
 
+> [!NOTE] CI CACHE
+> CI built-in caches either don't provide hash-based caching or they do, but they don't support the artifact-level hashing granularity that's required for an efficient cache. Therefore, they are not a suitable solution for Tuist's caching requirements.
+
+
 ### Selective testing across environments
 
 Once teams reach a certain scale, they often grapple with optimizing their CI process to maintain quick turnaround times. While **testing everything** continually might work for smaller teams, it becomes impractical on a larger scale. At this juncture, many teams resort to investing in superior hardware, creating custom tools, complicating their CI pipelines, or worse, accepting slower development cycles. But there's a better way.