Dispatcharr/docker/entrypoint.celery.sh
None b30a24e2fb feat: add TLS connection support for Redis and PostgreSQL (#950)
- Add 10 env vars for Redis/PostgreSQL TLS (REDIS_SSL, REDIS_SSL_VERIFY, REDIS_SSL_CA_CERT, REDIS_SSL_CERT, REDIS_SSL_KEY, POSTGRES_SSL, POSTGRES_SSL_MODE, POSTGRES_SSL_CA_CERT, POSTGRES_SSL_CERT, POSTGRES_SSL_KEY)
- Propagate SSL params to all Redis connection points: RedisClient, stream view, PubSub, client manager, Celery broker/result backend, Django Channels, and pre-Django startup scripts
- Add Celery SSL config via URL query string params (required by Kombu's internal URL parsing)
- Add PostgreSQL sslmode and certificate options to DATABASES config
- Add startup validation: cert file existence, URL scheme conflict detection, TLS status logging
- Add TLS error hints to Redis connection failure messages
- Add Connection Security panel in System Settings (modular mode only) showing encryption, verification, and mTLS status
- Add PG client key permission fix in web and celery entrypoints for Docker Desktop compatibility (0777 to 0600)
- Add TLS env var passthrough in entrypoint for su - login shells
- Document TLS env vars in modular docker-compose.yml
- Change env_mode from dev/prod to actual DISPATCHARR_ENV value for modular mode detection
2026-03-21 17:24:09 -05:00

83 lines
3.2 KiB
Bash

#!/bin/bash
set -e
cd /app
source /dispatcharrpy/bin/activate
# Function to echo with timestamp
echo_with_timestamp() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1"
}
# Wait for Django secret key (generated by the web container on startup)
JWT_TIMEOUT=120
JWT_WAITED=0
echo 'Waiting for Django secret key...'
while [ ! -f /data/jwt ]; do
if [ $JWT_WAITED -ge $JWT_TIMEOUT ]; then
echo "❌ ERROR: Timed out waiting for /data/jwt after ${JWT_TIMEOUT}s."
echo " Is the web container running? Does it have the /data volume mounted?"
exit 1
fi
sleep 1
JWT_WAITED=$((JWT_WAITED + 1))
done
export DJANGO_SECRET_KEY="$(tr -d '\r\n' < /data/jwt)"
# --- NumPy version switching for legacy hardware ---
if [ "$USE_LEGACY_NUMPY" = "true" ]; then
# Check if NumPy was compiled with baseline support
if "$VIRTUAL_ENV/bin/python" -c "import numpy; numpy.show_config()" 2>&1 | grep -qi "baseline" || [ $? -ne 0 ]; then
echo_with_timestamp "🔧 Switching to legacy NumPy (no CPU baseline)..."
uv pip install --python "$VIRTUAL_ENV/bin/python" --no-cache --force-reinstall --no-deps /opt/numpy-*.whl
echo_with_timestamp "✅ Legacy NumPy installed"
else
echo_with_timestamp "✅ Legacy NumPy (no baseline) already installed, skipping reinstallation"
fi
fi
# Fix TLS client key permissions for PostgreSQL (same issue as web entrypoint).
# libpq requires 0600 but Docker Desktop mounts files as 0777.
if [ -n "${POSTGRES_SSL_KEY:-}" ] && [ -f "$POSTGRES_SSL_KEY" ]; then
_key_perms=$(stat -c '%a' "$POSTGRES_SSL_KEY" 2>/dev/null)
if [ "$_key_perms" != "600" ] && [ "$_key_perms" != "640" ]; then
_fixed_key="/data/.pg-client-celery.key"
cp "$POSTGRES_SSL_KEY" "$_fixed_key"
chmod 600 "$_fixed_key"
# Match ownership to the user running Celery if running as root
if [ "$(id -u)" = "0" ] && [ -n "${PUID:-}" ]; then
chown "${PUID}:${PGID:-$PUID}" "$_fixed_key"
fi
export POSTGRES_SSL_KEY="$_fixed_key"
echo "Fixed PostgreSQL client key permissions (${_key_perms} → 600)"
fi
fi
# Wait for migrations to complete
# Uses 'migrate --check' which exits 0 only when all migrations are applied,
# and exits 1 on unapplied migrations OR connection errors (safe either way)
MIG_TIMEOUT=300
MIG_WAITED=0
echo 'Waiting for migrations to complete...'
until python manage.py migrate --check >/dev/null 2>&1; do
if [ $MIG_WAITED -ge $MIG_TIMEOUT ]; then
echo "❌ ERROR: Timed out waiting for migrations after ${MIG_TIMEOUT}s."
echo " Check web container logs for migration errors."
exit 1
fi
echo_with_timestamp 'Migrations not ready yet, waiting...'
sleep 2
MIG_WAITED=$((MIG_WAITED + 2))
done
# Start Celery
echo 'Migrations complete, starting Celery...'
celery -A dispatcharr beat -l info &
# Default to nice level 5 (lower priority) - safe for unprivileged containers
# Negative values require SYS_NICE capability
NICE_LEVEL="${CELERY_NICE_LEVEL:-5}"
if [ "$NICE_LEVEL" -lt 0 ] 2>/dev/null; then
echo "Warning: CELERY_NICE_LEVEL=$NICE_LEVEL is negative, requires SYS_NICE capability"
fi
nice -n "$NICE_LEVEL" celery -A dispatcharr worker -l info --autoscale=6,1