Home

Awesome

Grist Omnibus

This is an experimental way to install Grist on a server quickly with authentication and certificate handling set up out of the box.

So you and your colleagues can log in: Screenshot from 2022-08-16 18-14-16

And use Grist without fuss: Screenshot from 2022-08-16 18-16-38

It bundles:

Here's the minimal configuration you need to provide.

The minimal storage needed is an empty directory mounted at /persist.

So here is a complete docker invocation that would work on a public instance with ports 80 and 443 available:

mkdir -p /tmp/grist-test
docker run \
  -p 80:80 -p 443:443 \
  -e URL=https://cool-beans.example.com \
  -e HTTPS=auto \
  -e TEAM=cool-beans \
  -e EMAIL=owner@example.com \
  -e PASSWORD=topsecret \
  -v /tmp/grist-test:/persist \
  --name grist --rm \
  -it gristlabs/grist-omnibus  # or grist-ee-omnibus for enterprise

And here is an invocation on localhost port 9999 - the only differences are the -p port configuration and the -e URL= environment variable.

mkdir -p /tmp/grist-test
docker run \
  -p 9999:80 \
  -e URL=http://localhost:9999 \
  -e TEAM=cool-beans \
  -e EMAIL=owner@example.com \
  -e PASSWORD=topsecret \
  -v /tmp/grist-test:/persist \
  --name grist --rm \
  -it gristlabs/grist-omnibus  # or grist-ee-omnibus for enterprise

If providing your own certificate (HTTPS=manual), provide a private key and certificate file as /custom/grist.key and custom/grist.crt respectively:

docker run \
  ...
  -e HTTPS=manual \
  -v $(PWD)/key.pem:/custom/grist.key \
  -v $(PWD)/cert.pem:/custom/grist.crt \
  ...

Remember if you are on a public server you don't need to do this, you can set HTTPS=auto and have Traefik + Let's Encrypt do the work for you.

If you run the omnibus behind a separate reverse proxy that terminates SSL, then you should HTTPS=external, and set an additional environment variable TRUSTED_PROXY_IPS to the IP address or IP range of the proxy. This may be a comma-separated list, e.g. 127.0.0.1/32,192.168.1.7. See Traefik's forwarded headers.

You can change dex.yaml (for example, to fill in keys for Google and Microsoft sign-ins, or to remove them) and then either rebuild the image or (easier) make the custom settings available to the omnibus as /custom/dex.yaml:

docker run \
  ...
  -v $PWD/dex.yaml:/custom/dex.yaml \
  ...

You can tell it is being used because Using /custom/dex.yaml will be printed instead of No /custom/dex.yaml.