Merge branch 'beta' into stable

fix #6154 

cp to canary

.cargo/config.toml

@@ -1,21 +1,2 @@
 [target.x86_64-pc-windows-msvc]
 rustflags = ["-C", "target-feature=+crt-static"]
-[target.aarch64-pc-windows-msvc]
-rustflags = ["-C", "target-feature=+crt-static"]
-[target.'cfg(target_os = "linux")']
-rustflags = ["-C", "link-args=-Wl,--warn-unresolved-symbols"]
-[target.'cfg(target_os = "macos")']
-rustflags = [
-  "-C",
-  "link-args=-Wl,-undefined,dynamic_lookup,-no_fixup_chains",
-  "-C",
-  "link-args=-all_load",
-  "-C",
-  "link-args=-weak_framework ScreenCaptureKit",
-]
-# https://sourceware.org/bugzilla/show_bug.cgi?id=21032
-# https://sourceware.org/bugzilla/show_bug.cgi?id=21031
-# https://github.com/rust-lang/rust/issues/134820
-# pthread_key_create() destructors and segfault after a DSO unloading
-[target.'cfg(all(target_env = "gnu", not(target_os = "windows")))']
-rustflags = ["-C", "link-args=-Wl,-z,nodelete"]

.devcontainer/Dockerfile

@@ -0,0 +1,9 @@
+FROM mcr.microsoft.com/devcontainers/base:bookworm
+
+# Install Homebrew For Linux
+RUN /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" && \
+    eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" && \
+    echo "eval \"\$($(brew --prefix)/bin/brew shellenv)\"" >> /home/vscode/.zshrc && \
+    echo "eval \"\$($(brew --prefix)/bin/brew shellenv)\"" >> /home/vscode/.bashrc && \
+    # Install Graphite
+    brew install withgraphite/tap/graphite && gt --version

.devcontainer/build.sh

@@ -1,11 +1,18 @@
 #!/bin/bash
 # This is a script used by the devcontainer to build the project
 
+#Enable yarn
+corepack enable
+corepack prepare yarn@stable --activate
+
 # install dependencies
 yarn install
 
 # Build Server Dependencies
-yarn affine @affine/server-native build
+yarn workspace @affine/storage build
 
 # Create database
-yarn affine @affine/server prisma migrate reset -f
+yarn workspace @affine/server prisma db push
+
+# Create user username: affine, password: affine
+echo "INSERT INTO \"users\"(\"id\",\"name\",\"email\",\"email_verified\",\"created_at\",\"password\") VALUES('99f3ad04-7c9b-441e-a6db-79f73aa64db9','affine','affine@affine.pro','2024-02-26 15:54:16.974','2024-02-26 15:54:16.974+00','\$argon2id\$v=19\$m=19456,t=2,p=1\$esDS3QCHRH0Kmeh87YPm5Q\$9S+jf+xzw2Hicj6nkWltvaaaXX3dQIxAFwCfFa9o38A');" | yarn workspace @affine/server prisma db execute --stdin

.devcontainer/devcontainer.json

@@ -1,16 +1,12 @@
 // For format details, see https://aka.ms/devcontainer.json.
 {
-  "name": "AFFiNE Dev Container",
+  "name": "Debian",
   "dockerComposeFile": "docker-compose.yml",
   "service": "app",
   "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
-  "containerEnv": {
-    "COREPACK_ENABLE_DOWNLOAD_PROMPT": "0"
-  },
   "features": {
     "ghcr.io/devcontainers/features/node:1": {
-      "version": "lts",
-      "installYarnUsingApt": false
+      "version": "18"
     },
     "ghcr.io/devcontainers/features/rust:1": {}
   },
@@ -20,10 +16,11 @@
       "extensions": [
         "ms-playwright.playwright",
         "esbenp.prettier-vscode",
-        "dbaeumer.vscode-eslint"
+        "streetsidesoftware.code-spell-checker"
       ]
     }
   },
   "updateContentCommand": "bash ./.devcontainer/build.sh",
-  "postCreateCommand": "bash ./.devcontainer/setup-user.sh"
+  "postCreateCommand": "bash ./.devcontainer/setup-user.sh",
+  "postStartCommand": ["yarn dev", "yarn workspace @affine/server dev"]
 }

.devcontainer/docker-compose.yml

@@ -2,20 +2,18 @@ version: '3.8'
 
 services:
   app:
-    security_opt:
-      - no-new-privileges:true
-    image: mcr.microsoft.com/devcontainers/base:bookworm
+    build:
+      context: .
+      dockerfile: Dockerfile
     volumes:
       - ../..:/workspaces:cached
     command: sleep infinity
     network_mode: service:db
     environment:
       DATABASE_URL: postgresql://affine:affine@db:5432/affine
-      REDIS_SERVER_HOST: redis
-      AFFINE_INDEXER_SEARCH_ENDPOINT: http://indexer:9308
 
   db:
-    image: pgvector/pgvector:pg16
+    image: postgres:latest
     restart: unless-stopped
     volumes:
       - postgres-data:/var/lib/postgresql/data
@@ -23,22 +21,6 @@ services:
       POSTGRES_PASSWORD: affine
       POSTGRES_USER: affine
       POSTGRES_DB: affine
-  redis:
-    image: redis
-
-  indexer:
-    image: manticoresearch/manticore:${MANTICORE_VERSION:-10.1.0}
-    ulimits:
-      nproc: 65535
-      nofile:
-        soft: 65535
-        hard: 65535
-      memlock:
-        soft: -1
-        hard: -1
-    volumes:
-      - manticoresearch_data:/var/lib/manticore
 
 volumes:
   postgres-data:
-  manticoresearch_data:

.devcontainer/setup-user.sh

@@ -1,9 +1,9 @@
 set -e
 
-npm install -g @withgraphite/graphite-cli@stable
-
 if [ -v GRAPHITE_TOKEN ];then
     gt auth --token $GRAPHITE_TOKEN
 fi
 
+git fetch origin canary:canary --depth=1
+git branch canary -t origin/canary
 gt init --trunk canary

.docker/dev/.env.example

@@ -1,15 +0,0 @@
-# postgres major version
-DB_VERSION=16
-# database credentials
-DB_PASSWORD=affine
-DB_USERNAME=affine
-DB_DATABASE_NAME=affine
-
-# elasticsearch env
-# ELASTIC_VERSION=9.0.1
-# enable for arm64, e.g.: macOS M1+
-# ELASTIC_VERSION_ARM64=-arm64
-# ELASTIC_PLATFORM=linux/arm64
-
-# manticoresearch
-MANTICORE_VERSION=10.1.0

.docker/dev/.gitignore

@@ -1,6 +0,0 @@
-postgres
-.env
-compose.yml
-certs/*
-!certs/.gitkeep
-nginx/conf.d/*

.docker/dev/README.md

@@ -1,21 +0,0 @@
-# Dev containers
-
-## Develop with domain
-
-> MacOs only, OrbStack only
-
-### 1. Generate and install Root CA
-
-```bash
-# the root ca file will be located at `./.docker/dev/certs/ca`
-yarn affine cert --install
-```
-
-### 2. Generate domain certs
-
-```bash
-# certificates will be located at `./.docker/dev/certs/${domain}`
-yarn affine cert --domain affine.localhost
-```
-
-### 3. Enable nginx service in compose.yml

.docker/dev/compose.yml.example

@@ -1,99 +0,0 @@
-name: affine_dev_services
-services:
-  postgres:
-    env_file:
-      - .env
-    image: pgvector/pgvector:pg${DB_VERSION:-16}
-    ports:
-      - 5432:5432
-    environment:
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      POSTGRES_USER: ${DB_USERNAME}
-      POSTGRES_DB: ${DB_DATABASE_NAME}
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-
-  redis:
-    image: redis:latest
-    ports:
-      - 6379:6379
-
-  # https://mailpit.axllent.org/docs/install/docker/
-  mailpit:
-    image: axllent/mailpit:latest
-    ports:
-      - 1025:1025
-      - 8025:8025
-    environment:
-      MP_MAX_MESSAGES: 5000
-      MP_DATABASE: /data/mailpit.db
-      MP_SMTP_AUTH_ACCEPT_ANY: 1
-      MP_SMTP_AUTH_ALLOW_INSECURE: 1
-    volumes:
-      - mailpit_data:/data
-
-  # https://manual.manticoresearch.com/Starting_the_server/Docker
-  manticoresearch:
-    image: manticoresearch/manticore:${MANTICORE_VERSION:-10.1.0}
-    ports:
-      - 9308:9308
-    ulimits:
-      nproc: 65535
-      nofile:
-        soft: 65535
-        hard: 65535
-      memlock:
-        soft: -1
-        hard: -1
-    volumes:
-      - manticoresearch_data:/var/lib/manticore
-  
-  # elasticsearch:
-  #   image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION:-9.0.1}${ELASTIC_VERSION_ARM64}
-  #   platform: ${ELASTIC_PLATFORM}
-  #   labels:
-  #     co.elastic.logs/module: elasticsearch
-  #   volumes:
-  #     - elasticsearch_data:/usr/share/elasticsearch/data
-  #   ports:
-  #     - ${ES_PORT:-9200}:9200
-  #   environment:
-  #     - node.name=es01
-  #     - cluster.name=affine-dev
-  #     - discovery.type=single-node
-  #     - bootstrap.memory_lock=true
-  #     - xpack.security.enabled=false
-  #     - xpack.security.http.ssl.enabled=false
-  #     - xpack.security.transport.ssl.enabled=false
-  #     - xpack.license.self_generated.type=basic
-  #   mem_limit: ${ES_MEM_LIMIT:-1073741824}
-  #   ulimits:
-  #     memlock:
-  #       soft: -1
-  #       hard: -1
-  #   healthcheck:
-  #     test:
-  #       [
-  #         "CMD-SHELL",
-  #         "curl -s http://localhost:9200 | grep -q 'affine-dev'",
-  #       ]
-  #     interval: 10s
-  #     timeout: 10s
-  #     retries: 120
-
-  # nginx:
-  #   image: nginx:alpine
-  #   volumes:
-  #     - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-  #     - ./nginx/conf.d:/etc/nginx/conf.d:ro
-  #     - ./certs:/etc/nginx/certs:ro
-  #   network_mode: host
-
-networks:
-  dev:
-
-volumes:
-  postgres_data:
-  manticoresearch_data:
-  mailpit_data:
-  elasticsearch_data:

.docker/dev/nginx/nginx.conf

@@ -1,28 +0,0 @@
-user nginx;
-worker_processes auto;
-
-error_log   /var/log/nginx/error.log;
-pid         /var/run/nginx.pid;
-
-events {
-  worker_connections  1024;
-}
-
-http {
-  include mime.types;
-  default_type  application/octet-stream;
-
-  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                    '$status $body_bytes_sent "$http_referer" '
-                    '"$http_user_agent" "$http_x_forwarded_for"';
-  access_log  /var/log/nginx/access.log  main;
-
-  sendfile on;
-  keepalive_timeout  65;
-  types_hash_max_size 2048;
-  client_max_body_size 512M;
-  server_names_hash_bucket_size 128;
-  ssi on;
-  gzip  on;
-  include "/etc/nginx/conf.d/*";
-}

.docker/dev/templates/nginx.conf

@@ -1,27 +0,0 @@
-server {
-  listen 80;
-  server_name DEV_DOMAIN;
-  
-  location / {
-    return 301 https://$host$request_uri;
-  }
-}
-
-server {
-  listen 443 ssl;
-  http2 on;
-  ssl_certificate /etc/nginx/certs/$host/crt;
-  ssl_certificate_key /etc/nginx/certs/$host/key;
-  server_name DEV_DOMAIN;
-
-  location / {
-    proxy_pass http://localhost:8080;
-    proxy_set_header   Host              $host;
-    proxy_set_header   X-Real-IP         $remote_addr;
-    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
-    proxy_set_header   X-Forwarded-Proto $scheme;
-    proxy_set_header   Upgrade           $http_upgrade;
-    proxy_set_header   Connection        "upgrade";
-    resolver 127.0.0.1;
-  }
-}

.docker/dev/templates/openssl.conf

@@ -1,25 +0,0 @@
-[req]
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-
-[req_distinguished_name]
-countryName = Country Name (2 letter code)
-countryName_default = US
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = MN
-localityName = Locality Name (eg, city)
-localityName_default = Minneapolis
-organizationalUnitName	= Organizational Unit Name (eg, section)
-organizationalUnitName_default	= Domain Control Validated
-commonName = Internet Widgits Ltd
-commonName_max	= 64
-
-[ v3_req ]
-# Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = DEV_DOMAIN
-DNS.2 = *.DEV_DOMAIN

.docker/selfhost/.env.example

@@ -1,23 +0,0 @@
-# select a revision to deploy, available values: stable, beta, canary
-AFFINE_REVISION=stable
-
-# set the port for the server container it will expose the server on
-PORT=3010
-
-# set the host for the server for outgoing links
-# AFFINE_SERVER_HTTPS=true
-# AFFINE_SERVER_HOST=affine.yourdomain.com
-# or 
-# AFFINE_SERVER_EXTERNAL_URL=https://affine.yourdomain.com
-
-# position of the database data to persist
-DB_DATA_LOCATION=~/.affine/self-host/postgres/pgdata
-# position of the upload data(images, files, etc.) to persist
-UPLOAD_LOCATION=~/.affine/self-host/storage
-# position of the configuration files to persist
-CONFIG_LOCATION=~/.affine/self-host/config
-
-# database credentials
-DB_USERNAME=affine
-DB_PASSWORD=
-DB_DATABASE=affine

.docker/selfhost/.gitignore

@@ -1 +0,0 @@
-.env

.docker/selfhost/compose.yml

@@ -1,76 +0,0 @@
-name: affine
-services:
-  affine:
-    image: ghcr.io/toeverything/affine:${AFFINE_REVISION:-stable}
-    container_name: affine_server
-    ports:
-      - '${PORT:-3010}:3010'
-    depends_on:
-      redis:
-        condition: service_healthy
-      postgres:
-        condition: service_healthy
-      affine_migration:
-        condition: service_completed_successfully
-    volumes:
-      # custom configurations
-      - ${UPLOAD_LOCATION}:/root/.affine/storage
-      - ${CONFIG_LOCATION}:/root/.affine/config
-    env_file:
-      - .env
-    environment:
-      - REDIS_SERVER_HOST=redis
-      - DATABASE_URL=postgresql://${DB_USERNAME}:${DB_PASSWORD}@postgres:5432/${DB_DATABASE:-affine}
-      - AFFINE_INDEXER_ENABLED=false
-    restart: unless-stopped
-
-  affine_migration:
-    image: ghcr.io/toeverything/affine:${AFFINE_REVISION:-stable}
-    container_name: affine_migration_job
-    volumes:
-      # custom configurations
-      - ${UPLOAD_LOCATION}:/root/.affine/storage
-      - ${CONFIG_LOCATION}:/root/.affine/config
-    command: ['sh', '-c', 'node ./scripts/self-host-predeploy.js']
-    env_file:
-      - .env
-    environment:
-      - REDIS_SERVER_HOST=redis
-      - DATABASE_URL=postgresql://${DB_USERNAME}:${DB_PASSWORD}@postgres:5432/${DB_DATABASE:-affine}
-      - AFFINE_INDEXER_ENABLED=false
-    depends_on:
-      postgres:
-        condition: service_healthy
-      redis:
-        condition: service_healthy
-
-  redis:
-    image: redis
-    container_name: affine_redis
-    healthcheck:
-      test: ['CMD', 'redis-cli', '--raw', 'incr', 'ping']
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    restart: unless-stopped
-
-  postgres:
-    image: pgvector/pgvector:pg16
-    container_name: affine_postgres
-    volumes:
-      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
-    environment:
-      POSTGRES_USER: ${DB_USERNAME}
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
-      POSTGRES_DB: ${DB_DATABASE:-affine}
-      POSTGRES_INITDB_ARGS: '--data-checksums'
-      # you better set a password for you database
-      # or you may add 'POSTGRES_HOST_AUTH_METHOD=trust' to ignore postgres security policy
-      POSTGRES_HOST_AUTH_METHOD: trust
-    healthcheck:
-      test:
-        ['CMD', 'pg_isready', '-U', "${DB_USERNAME}", '-d', "${DB_DATABASE:-affine}"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    restart: unless-stopped

.docker/selfhost/config.example.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://github.com/toeverything/affine/releases/latest/download/config.schema.json",
-  "server": {
-    "name": "AFFiNE Self Hosted Server"
-  }
-}

.dockerignore

@@ -1,26 +0,0 @@
-.git
-.github/**/*.md
-.gitignore
-
-# Local dependency/build artifacts
-/node_modules
-/target
-
-# Yarn v4 artifacts (not needed for image packaging)
-/.yarn/cache
-/.yarn/unplugged
-/.yarn/install-state.gz
-/.pnp.*
-
-# Test artifacts
-/test-results
-/playwright-report
-/coverage
-/.coverage
-
-# OS noise
-.DS_Store
-
-# Sourcemaps (keep server sourcemap for backend stacktraces)
-**/*.map
-!packages/backend/server/dist/main.js.map

.editorconfig

@@ -1,8 +1,6 @@
 # Editor configuration, see http://editorconfig.org
 root = true
 
-[*.rs]
-max_line_length = 120
 [*]
 charset = utf-8
 indent_style = space

.env.template

@@ -0,0 +1,14 @@
+ENABLE_PLUGIN=
+ENABLE_TEST_PROPERTIES=
+ENABLE_BC_PROVIDER=
+CHANGELOG_URL=
+ENABLE_PRELOADING=
+ENABLE_NEW_SETTING_MODAL=
+ENABLE_SQLITE_PROVIDER=
+ENABLE_NEW_SETTING_UNSTABLE_API=
+ENABLE_NOTIFICATION_CENTER=
+ENABLE_CLOUD=
+ENABLE_MOVE_DATABASE=
+SHOULD_REPORT_TRACE=
+TRACE_REPORT_ENDPOINT=
+CAPTCHA_SITE_KEY=

.eslintignore

@@ -0,0 +1,15 @@
+node_modules
+dist
+.next
+out
+storybook-static
+affine-out
+_next
+lib
+.eslintrc.js
+e2e-dist-*
+static
+web-static
+public
+packages/frontend/i18n/src/i18n-generated.ts
+packages/frontend/templates/edgeless-templates.gen.ts

.eslintrc.js

@@ -0,0 +1,289 @@
+const { resolve } = require('node:path');
+
+const createPattern = packageName => [
+  {
+    group: ['**/dist', '**/dist/**'],
+    message: 'Do not import from dist',
+    allowTypeImports: false,
+  },
+  {
+    group: ['**/src', '**/src/**'],
+    message: 'Do not import from src',
+    allowTypeImports: false,
+  },
+  {
+    group: [`@affine/${packageName}`],
+    message: 'Do not import package itself',
+    allowTypeImports: false,
+  },
+  {
+    group: [`@toeverything/${packageName}`],
+    message: 'Do not import package itself',
+    allowTypeImports: false,
+  },
+  {
+    group: ['@blocksuite/store'],
+    message: "Import from '@blocksuite/global/utils'",
+    importNames: ['assertExists', 'assertEquals'],
+  },
+  {
+    group: ['react-router-dom'],
+    message: 'Use `useNavigateHelper` instead',
+    importNames: ['useNavigate'],
+  },
+  {
+    group: ['yjs'],
+    message: 'Do not use this API because it has a bug',
+    importNames: ['mergeUpdates'],
+  },
+  {
+    group: ['@affine/env/constant'],
+    message:
+      'Do not import from @affine/env/constant. Use `environment.isDesktop` instead',
+    importNames: ['isDesktop'],
+  },
+];
+
+const allPackages = [
+  'packages/backend/server',
+  'packages/frontend/component',
+  'packages/frontend/core',
+  'packages/frontend/electron',
+  'packages/frontend/graphql',
+  'packages/frontend/i18n',
+  'packages/frontend/native',
+  'packages/frontend/templates',
+  'packages/frontend/workspace-impl',
+  'packages/common/debug',
+  'packages/common/env',
+  'packages/common/infra',
+  'packages/common/theme',
+  'packages/common/y-indexeddb',
+  'tools/cli',
+  'tests/storybook',
+];
+
+/**
+ * @type {import('eslint').Linter.Config}
+ */
+const config = {
+  root: true,
+  settings: {
+    react: {
+      version: 'detect',
+    },
+    next: {
+      rootDir: 'packages/frontend/core',
+    },
+  },
+  extends: [
+    'eslint:recommended',
+    'plugin:react-hooks/recommended',
+    'plugin:react/recommended',
+    'plugin:react/jsx-runtime',
+    'plugin:@typescript-eslint/recommended',
+    'prettier',
+  ],
+  parser: '@typescript-eslint/parser',
+  parserOptions: {
+    ecmaFeatures: {
+      globalReturn: false,
+      impliedStrict: true,
+      jsx: true,
+    },
+    ecmaVersion: 'latest',
+    sourceType: 'module',
+    project: resolve(__dirname, './tsconfig.eslint.json'),
+  },
+  plugins: [
+    'react',
+    '@typescript-eslint',
+    'simple-import-sort',
+    'sonarjs',
+    'i',
+    'unused-imports',
+    'unicorn',
+  ],
+  rules: {
+    'array-callback-return': 'error',
+    'no-undef': 'off',
+    'no-empty': 'off',
+    'no-func-assign': 'off',
+    'no-cond-assign': 'off',
+    'no-constant-binary-expression': 'error',
+    'no-constructor-return': 'error',
+    'no-self-compare': 'error',
+    eqeqeq: ['error', 'always', { null: 'ignore' }],
+    'react/prop-types': 'off',
+    'react/jsx-no-useless-fragment': 'error',
+    '@typescript-eslint/consistent-type-imports': 'error',
+    '@typescript-eslint/no-non-null-assertion': 'error',
+    '@typescript-eslint/no-explicit-any': 'off',
+    '@typescript-eslint/no-empty-function': 'off',
+    '@typescript-eslint/await-thenable': 'error',
+    '@typescript-eslint/require-array-sort-compare': 'error',
+    '@typescript-eslint/unified-signatures': 'error',
+    '@typescript-eslint/prefer-for-of': 'error',
+    '@typescript-eslint/no-unused-vars': [
+      'error',
+      {
+        varsIgnorePattern: '^_',
+        argsIgnorePattern: '^_',
+        caughtErrorsIgnorePattern: '^_',
+      },
+    ],
+    'unused-imports/no-unused-imports': 'error',
+    'simple-import-sort/imports': 'error',
+    'simple-import-sort/exports': 'error',
+    '@typescript-eslint/ban-ts-comment': [
+      'error',
+      {
+        'ts-expect-error': 'allow-with-description',
+        'ts-ignore': true,
+        'ts-nocheck': true,
+        'ts-check': false,
+      },
+    ],
+    '@typescript-eslint/no-restricted-imports': [
+      'error',
+      {
+        patterns: [
+          {
+            group: ['**/dist'],
+            message: "Don't import from dist",
+            allowTypeImports: false,
+          },
+          {
+            group: ['**/src'],
+            message: "Don't import from src",
+            allowTypeImports: false,
+          },
+          {
+            group: ['@blocksuite/store'],
+            message: "Import from '@blocksuite/global/utils'",
+            importNames: ['assertExists', 'assertEquals'],
+          },
+          {
+            group: ['react-router-dom'],
+            message: 'Use `useNavigateHelper` instead',
+            importNames: ['useNavigate'],
+          },
+          {
+            group: ['yjs'],
+            message: 'Do not use this API because it has a bug',
+            importNames: ['mergeUpdates'],
+          },
+        ],
+      },
+    ],
+    'unicorn/filename-case': [
+      'error',
+      {
+        case: 'kebabCase',
+        ignore: ['^\\[[a-zA-Z0-9-_]+\\]\\.tsx$'],
+      },
+    ],
+    'unicorn/no-unnecessary-await': 'error',
+    'unicorn/no-useless-fallback-in-spread': 'error',
+    'unicorn/prefer-dom-node-dataset': 'error',
+    'unicorn/prefer-dom-node-append': 'error',
+    'unicorn/prefer-dom-node-remove': 'error',
+    'unicorn/prefer-array-some': 'error',
+    'unicorn/prefer-date-now': 'error',
+    'unicorn/prefer-blob-reading-methods': 'error',
+    'unicorn/no-typeof-undefined': 'error',
+    'unicorn/no-useless-promise-resolve-reject': 'error',
+    'unicorn/no-new-array': 'error',
+    'unicorn/new-for-builtins': 'error',
+    'unicorn/prefer-node-protocol': 'error',
+    'sonarjs/no-all-duplicated-branches': 'error',
+    'sonarjs/no-element-overwrite': 'error',
+    'sonarjs/no-empty-collection': 'error',
+    'sonarjs/no-extra-arguments': 'error',
+    'sonarjs/no-identical-conditions': 'error',
+    'sonarjs/no-identical-expressions': 'error',
+    'sonarjs/no-ignored-return': 'error',
+    'sonarjs/no-one-iteration-loop': 'error',
+    'sonarjs/no-use-of-empty-return-value': 'error',
+    'sonarjs/non-existent-operator': 'error',
+    'sonarjs/no-collapsible-if': 'error',
+    'sonarjs/no-same-line-conditional': 'error',
+    'sonarjs/no-duplicated-branches': 'error',
+    'sonarjs/no-collection-size-mischeck': 'error',
+    'sonarjs/no-useless-catch': 'error',
+    'sonarjs/no-identical-functions': 'error',
+  },
+  overrides: [
+    {
+      files: 'packages/backend/server/**/*.ts',
+      rules: {
+        '@typescript-eslint/consistent-type-imports': 0,
+      },
+    },
+    {
+      files: '*.cjs',
+      rules: {
+        '@typescript-eslint/no-var-requires': 0,
+      },
+    },
+    ...allPackages.map(pkg => ({
+      files: [`${pkg}/src/**/*.ts`, `${pkg}/src/**/*.tsx`],
+      parserOptions: {
+        project: resolve(__dirname, './tsconfig.eslint.json'),
+      },
+      rules: {
+        '@typescript-eslint/no-restricted-imports': [
+          'error',
+          {
+            patterns: createPattern(pkg),
+          },
+        ],
+        '@typescript-eslint/no-floating-promises': [
+          'error',
+          {
+            ignoreVoid: false,
+            ignoreIIFE: false,
+          },
+        ],
+        '@typescript-eslint/no-misused-promises': ['error'],
+        '@typescript-eslint/prefer-readonly': 'error',
+        'i/no-extraneous-dependencies': ['error'],
+        'react-hooks/exhaustive-deps': [
+          'warn',
+          {
+            additionalHooks: 'useAsyncCallback',
+          },
+        ],
+      },
+    })),
+    {
+      files: [
+        '**/__tests__/**/*',
+        '**/*.stories.tsx',
+        '**/*.spec.ts',
+        '**/tests/**/*',
+        'scripts/**/*',
+        '**/benchmark/**/*',
+        '**/__debug__/**/*',
+        '**/e2e/**/*',
+      ],
+      rules: {
+        '@typescript-eslint/no-non-null-assertion': 0,
+        '@typescript-eslint/ban-ts-comment': [
+          'error',
+          {
+            'ts-expect-error': false,
+            'ts-ignore': true,
+            'ts-nocheck': true,
+            'ts-check': false,
+          },
+        ],
+        '@typescript-eslint/no-floating-promises': 0,
+        '@typescript-eslint/no-misused-promises': 0,
+        '@typescript-eslint/no-restricted-imports': 0,
+      },
+    },
+  ],
+};
+
+module.exports = config;

.github/CODEOWNERS

@@ -1,2 +0,0 @@
-/blocksuite/ @toeverything/blocksuite-core
-/packages/frontend/core/src/blocksuite @toeverything/blocksuite-core

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -1,6 +1,6 @@
 name: Bug Report
 description: File a bug report
-title: '[Bug]: '
+title: "\u200b"
 labels: ['bug']
 body:
   - type: markdown
@@ -18,26 +18,20 @@ body:
     validations:
       required: true
   - type: dropdown
-    id: distribution
+    id: version
     attributes:
       label: Distribution version
-      description: What distribution of AFFiNE are you using?
+      description: What version of AFFiNE are you using?
       options:
         - macOS x64 (Intel)
         - macOS ARM 64 (Apple Silicon)
         - Windows x64
         - Linux
-        - Web (https://app.affine.pro)
-        - Beta Web (https://insider.affine.pro)
-        - Canary Web (https://affine.fail)
+        - Web (app.affine.pro)
+        - Web (affine.fail)
+        - Web (insider.affine.pro)
     validations:
       required: true
-  - type: input
-    id: version
-    attributes:
-      label: App Version
-      description: What version of AFFiNE are you using?
-      placeholder: (You can find AFFiNE version in [About AFFiNE] setting panel)
   - type: dropdown
     id: browsers
     attributes:
@@ -57,11 +51,6 @@ body:
         If you are self-hosting, please check the box and provide information about your setup.
       options:
         - label: 'Yes'
-  - type: input
-    id: selfhost-version
-    attributes:
-      label: Self-hosting Version
-      description: What version of AFFiNE are you selfhosting?
   - type: textarea
     id: logs
     attributes:
@@ -74,11 +63,3 @@ body:
       description: |
         Links? References? Anything that will give us more context about the issue you are encountering!
         Tip: You can attach images here
-  - type: checkboxes
-    attributes:
-      label: Is your content generated by AI?
-      description: >
-        (Required) Please confirm that the content you submit was not generated by AI or only minimally edited by AI.
-        If an administrator believes the post contains a large amount of AI-generated content, they may directly close the question.
-      options:
-        - label: I confirm that the content I submitted was **not** generated by AI / **merely contained minimal** AI edits.

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml

@@ -1,6 +1,6 @@
 name: Feature Request
 description: Suggest a feature or improvement
-title: '[Feature Request]: '
+title: "\u200b"
 labels: ['feat', 'story']
 body:
   - type: markdown
@@ -34,11 +34,3 @@ body:
         See the AFFiNE [Contributing Guide](https://github.com/toeverything/affine/blob/canary/CONTRIBUTING.md) to get started.
       options:
         - label: Yes I'd like to help by submitting a PR!
-  - type: checkboxes
-    attributes:
-      label: Is your content generated by AI?
-      description: >
-        (Required) Please confirm that the content you submit was not generated by AI or only minimally edited by AI.
-        If an administrator believes the post contains a large amount of AI-generated content, they may directly close the question.
-      options:
-        - label: I confirm that the content I submitted was **not** generated by AI / **merely contained minimal** AI edits.

.github/actions/build-rust/action.yml

@@ -7,10 +7,9 @@ inputs:
   package:
     description: 'Package to build'
     required: true
-  no-build:
-    description: 'Whether to skip building'
+  nx_token:
+    description: 'Nx Cloud access token'
     required: false
-    default: 'false'
 
 runs:
   using: 'composite'
@@ -18,78 +17,39 @@ runs:
     - name: Print rustup toolchain version
       shell: bash
       id: rustup-version
-      working-directory: ${{ env.DEV_DRIVE_WORKSPACE || github.workspace }}
       run: |
         export RUST_TOOLCHAIN_VERSION="$(grep 'channel' rust-toolchain.toml | head -1 | awk -F '"' '{print $2}')"
         echo "Rust toolchain version: $RUST_TOOLCHAIN_VERSION"
         echo "RUST_TOOLCHAIN_VERSION=$RUST_TOOLCHAIN_VERSION" >> "$GITHUB_OUTPUT"
     - name: Setup Rust
       uses: dtolnay/rust-toolchain@stable
-      if: ${{ runner.os != 'Windows' }}
       with:
         toolchain: '${{ steps.rustup-version.outputs.RUST_TOOLCHAIN_VERSION }}'
         targets: ${{ inputs.target }}
       env:
         CARGO_INCREMENTAL: '1'
 
-    - name: Setup Rust
-      uses: dtolnay/rust-toolchain@stable
-      if: ${{ runner.os == 'Windows' }}
-      with:
-        toolchain: '${{ steps.rustup-version.outputs.RUST_TOOLCHAIN_VERSION }}'
-        targets: ${{ inputs.target }}
-      env:
-        CARGO_INCREMENTAL: '1'
-        CARGO_HOME: ${{ env.DEV_DRIVE }}/.cargo
-        RUSTUP_HOME: ${{ env.DEV_DRIVE }}/.rustup
-
     - name: Set CC
-      if: ${{ contains(inputs.target, 'linux') && inputs.no-build != 'true' }}
-      working-directory: ${{ env.DEV_DRIVE_WORKSPACE || github.workspace }}
+      if: ${{ contains(inputs.target, 'linux') && inputs.package != '@affine/native' }}
       shell: bash
-      # https://github.com/tree-sitter/tree-sitter/issues/4186
-      # pass -D_BSD_SOURCE to clang to fix the tree-sitter build issue
       run: |
-        echo "CC=clang -D_BSD_SOURCE" >> "$GITHUB_ENV"
-        echo "TARGET_CC=clang -D_BSD_SOURCE" >> "$GITHUB_ENV"
+        echo "CC=clang" >> "$GITHUB_ENV"
+        echo "TARGET_CC=clang" >> "$GITHUB_ENV"
 
     - name: Cache cargo
-      uses: Swatinem/rust-cache@v2
-      if: ${{ runner.os == 'Windows' }}
+      uses: actions/cache@v4
       with:
-        workspaces: ${{ env.DEV_DRIVE_WORKSPACE }}
-        save-if: ${{ github.ref_name == 'canary' }}
-        shared-key: ${{ inputs.target }}-${{ inputs.package }}
-      env:
-        CARGO_HOME: ${{ env.DEV_DRIVE }}/.cargo
-        RUSTUP_HOME: ${{ env.DEV_DRIVE }}/.rustup
-
-    - name: Cache cargo
-      uses: Swatinem/rust-cache@v2
-      if: ${{ runner.os != 'Windows' }}
-      with:
-        save-if: ${{ github.ref_name == 'canary' }}
-        shared-key: ${{ inputs.target }}-${{ inputs.package }}
-
+        path: |
+          ~/.cargo/registry/index/
+          ~/.cargo/registry/cache/
+          ~/.cargo/git/db/
+          ~/.napi-rs
+          target/${{ inputs.target }}
+        key: stable-${{ inputs.target }}-cargo-cache
     - name: Build
       shell: bash
-      if: ${{ runner.os != 'Windows' && inputs.no-build != 'true' }}
       run: |
-        if [[ "${{ inputs.target }}" == "x86_64-unknown-linux-gnu" ]]; then
-          yarn workspace ${{ inputs.package }} build --target ${{ inputs.target }}
-        else
-          yarn workspace ${{ inputs.package }} build --target ${{ inputs.target }} --use-napi-cross
-        fi
+        yarn workspace ${{ inputs.package }} nx build ${{ inputs.package }} -- --target ${{ inputs.target }} --use-napi-cross
       env:
+        NX_CLOUD_ACCESS_TOKEN: ${{ inputs.nx_token }}
         DEBUG: 'napi:*'
-
-    - name: Build
-      working-directory: ${{ env.DEV_DRIVE_WORKSPACE || github.workspace }}
-      shell: bash
-      if: ${{ runner.os == 'Windows' && inputs.no-build != 'true' }}
-      run: |
-        yarn workspace ${{ inputs.package }} build --target ${{ inputs.target }}
-      env:
-        DEBUG: 'napi:*'
-        CARGO_HOME: ${{ env.DEV_DRIVE }}/.cargo
-        RUSTUP_HOME: ${{ env.DEV_DRIVE }}/.rustup

.github/actions/cluster-auth/action.yml

@@ -1,36 +0,0 @@
-name: 'Auth to Cluster'
-description: 'Auth to the GCP Cluster'
-inputs:
-  gcp-project-number:
-    description: 'GCP project number'
-    required: true
-  gcp-project-id:
-    description: 'GCP project id'
-    required: true
-  service-account:
-    description: 'Service account'
-  cluster-name:
-    description: 'Cluster name'
-  cluster-location:
-    description: 'Cluster location'
-
-runs:
-  using: 'composite'
-  steps:
-    - id: auth
-      uses: google-github-actions/auth@v2
-      with:
-        workload_identity_provider: 'projects/${{ inputs.gcp-project-number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions-helm-deploy'
-        service_account: '${{ inputs.service-account }}'
-        token_format: 'access_token'
-        project_id: '${{ inputs.gcp-project-id }}'
-
-    - name: 'Setup gcloud cli'
-      uses: 'google-github-actions/setup-gcloud@v2'
-      with:
-        install_components: 'gke-gcloud-auth-plugin'
-
-    - id: get-gke-credentials
-      shell: bash
-      run: |
-        gcloud container clusters get-credentials ${{ inputs.cluster-name }} --region ${{ inputs.cluster-location }} --project ${{ inputs.gcp-project-id }}

.github/actions/copilot-test/action.yml

@@ -1,25 +0,0 @@
-name: 'Run Copilot E2E Test'
-description: 'Run Copilot E2E Test'
-inputs:
-  script:
-    description: 'Script to run'
-    default: 'yarn affine @affine-test/affine-cloud-copilot e2e --forbid-only'
-    required: false
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Server Copilot E2E Test
-      shell: bash
-      run: ${{ inputs.script }}
-      env:
-        COPILOT: true
-        DEV_SERVER_URL: http://localhost:8080
-
-    - name: Upload test results
-      if: ${{ failure() }}
-      uses: actions/upload-artifact@v4
-      with:
-        name: test-results-e2e-server-copilot
-        path: ./test-results
-        if-no-files-found: ignore

.github/actions/deploy/action.yml

@@ -1,6 +1,9 @@
 name: 'Deploy to Cluster'
 description: 'Deploy AFFiNE Cloud to cluster'
 inputs:
+  build-type:
+    description: 'Align with App build type, canary|beta|stable|internal'
+    default: 'canary'
   gcp-project-number:
     description: 'GCP project number'
     required: true
@@ -21,15 +24,27 @@ runs:
       shell: bash
       run: |
         echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
-    - name: 'Auth to cluster'
-      uses: './.github/actions/cluster-auth'
+    - uses: azure/setup-helm@v4
+    - id: auth
+      uses: google-github-actions/auth@v2
       with:
-        gcp-project-number: '${{ inputs.gcp-project-number }}'
-        gcp-project-id: '${{ inputs.gcp-project-id }}'
-        service-account: '${{ inputs.service-account }}'
-        cluster-name: '${{ inputs.cluster-name }}'
-        cluster-location: '${{ inputs.cluster-location }}'
+        workload_identity_provider: 'projects/${{ inputs.gcp-project-number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions-helm-deploy'
+        service_account: '${{ inputs.service-account }}'
+        token_format: 'access_token'
+        project_id: '${{ inputs.gcp-project-id }}'
+
+    - name: 'Setup gcloud cli'
+      uses: 'google-github-actions/setup-gcloud@v2'
+      with:
+        install_components: 'gke-gcloud-auth-plugin'
+
+    - id: get-gke-credentials
+      shell: bash
+      run: |
+        gcloud container clusters get-credentials ${{ inputs.cluster-name }} --region ${{ inputs.cluster-location }} --project ${{ inputs.gcp-project-id }}
 
     - name: Deploy
       shell: bash
       run: node ./.github/actions/deploy/deploy.mjs
+      env:
+        BUILD_TYPE: '${{ inputs.build-type }}'

.github/actions/deploy/deploy.mjs

@@ -10,105 +10,74 @@ const {
   DATABASE_USERNAME,
   DATABASE_PASSWORD,
   DATABASE_NAME,
-  GCLOUD_CONNECTION_NAME,
+  R2_ACCOUNT_ID,
+  R2_ACCESS_KEY_ID,
+  R2_SECRET_ACCESS_KEY,
+  ENABLE_CAPTCHA,
+  CAPTCHA_TURNSTILE_SECRET,
+  MAILER_SENDER,
+  MAILER_USER,
+  MAILER_PASSWORD,
+  AFFINE_GOOGLE_CLIENT_ID,
+  AFFINE_GOOGLE_CLIENT_SECRET,
   CLOUD_SQL_IAM_ACCOUNT,
-  APP_IAM_ACCOUNT,
-  REDIS_SERVER_HOST,
-  REDIS_SERVER_PASSWORD,
+  CLOUD_LOGGER_IAM_ACCOUNT,
+  GCLOUD_CONNECTION_NAME,
+  GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT,
+  REDIS_HOST,
+  REDIS_PASSWORD,
+  STRIPE_API_KEY,
+  STRIPE_WEBHOOK_KEY,
   STATIC_IP_NAME,
-  AFFINE_INDEXER_SEARCH_PROVIDER,
-  AFFINE_INDEXER_SEARCH_ENDPOINT,
-  AFFINE_INDEXER_SEARCH_API_KEY,
 } = process.env;
 
+// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
 const buildType = BUILD_TYPE || 'canary';
 
 const isProduction = buildType === 'stable';
 const isBeta = buildType === 'beta';
 const isInternal = buildType === 'internal';
 
-const replicaConfig = {
-  stable: {
-    front: Number(process.env.PRODUCTION_FRONT_REPLICA) || 2,
-    graphql: Number(process.env.PRODUCTION_GRAPHQL_REPLICA) || 2,
-    doc: Number(process.env.PRODUCTION_DOC_REPLICA) || 2,
-  },
-  beta: {
-    front: Number(process.env.BETA_FRONT_REPLICA) || 1,
-    graphql: Number(process.env.BETA_GRAPHQL_REPLICA) || 1,
-    doc: Number(process.env.BETA_DOC_REPLICA) || 1,
-  },
-  canary: { front: 1, graphql: 1, doc: 1 },
-};
-
-const cpuConfig = {
-  beta: { front: '1', graphql: '1', doc: '1' },
-  canary: { front: '500m', graphql: '1', doc: '500m' },
-};
-
-const memoryConfig = {
-  beta: { front: '1Gi', graphql: '1Gi', doc: '1Gi' },
-  canary: { front: '512Mi', graphql: '512Mi', doc: '512Mi' },
-};
-
 const createHelmCommand = ({ isDryRun }) => {
   const flag = isDryRun ? '--dry-run' : '--atomic';
   const imageTag = `${buildType}-${GIT_SHORT_HASH}`;
   const redisAndPostgres =
     isProduction || isBeta || isInternal
       ? [
-          `--set        cloud-sql-proxy.enabled=true`,
-          `--set-string cloud-sql-proxy.database.connectionName="${GCLOUD_CONNECTION_NAME}"`,
-          `--set-string global.database.host=${DATABASE_URL}`,
+          `--set-string global.database.url=${DATABASE_URL}`,
           `--set-string global.database.user=${DATABASE_USERNAME}`,
           `--set-string global.database.password=${DATABASE_PASSWORD}`,
           `--set-string global.database.name=${DATABASE_NAME}`,
-          `--set-string global.redis.host="${REDIS_SERVER_HOST}"`,
-          `--set-string global.redis.password="${REDIS_SERVER_PASSWORD}"`,
+          `--set        global.database.gcloud.enabled=true`,
+          `--set-string global.database.gcloud.connectionName="${GCLOUD_CONNECTION_NAME}"`,
+          `--set-string global.database.gcloud.cloudSqlInternal="${GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT}"`,
+          `--set-string global.redis.host="${REDIS_HOST}"`,
+          `--set-string global.redis.password="${REDIS_PASSWORD}"`,
         ]
       : [];
-  const indexerOptions = [
-    `--set-string global.indexer.provider="${AFFINE_INDEXER_SEARCH_PROVIDER}"`,
-    `--set-string global.indexer.endpoint="${AFFINE_INDEXER_SEARCH_ENDPOINT}"`,
-    `--set-string global.indexer.apiKey="${AFFINE_INDEXER_SEARCH_API_KEY}"`,
-  ];
-  const serviceAnnotations = [
-    `--set-json   front.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-    `--set-json   graphql.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-    `--set-json   doc.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
-  ].concat(
+  const serviceAnnotations =
     isProduction || isBeta || isInternal
       ? [
-          `--set-json   front.services.web.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
-          `--set-json   front.services.sync.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
-          `--set-json   front.services.renderer.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
-          `--set-json   graphql.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
-          `--set-json   cloud-sql-proxy.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }"`,
-          `--set-json   cloud-sql-proxy.nodeSelector="{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }"`,
+          `--set-json   web.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   graphql.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   graphql.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_LOGGER_IAM_ACCOUNT}\\"}\"`,
+          `--set-json   sync.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
+          `--set-json   sync.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_LOGGER_IAM_ACCOUNT}\\"}\"`,
+          `--set-json   cloud-sql-proxy.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
+          `--set-json   cloud-sql-proxy.nodeSelector=\"{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }\"`,
         ]
-      : []
-  );
-
-  const cpu = cpuConfig[buildType];
-  const memory = memoryConfig[buildType];
-  let resources = [];
-  if (cpu) {
-    resources = resources.concat([
-      `--set        front.resources.requests.cpu="${cpu.front}"`,
-      `--set        graphql.resources.requests.cpu="${cpu.graphql}"`,
-      `--set        doc.resources.requests.cpu="${cpu.doc}"`,
-    ]);
-  }
-  if (memory) {
-    resources = resources.concat([
-      `--set        front.resources.requests.memory="${memory.front}"`,
-      `--set        graphql.resources.requests.memory="${memory.graphql}"`,
-      `--set        doc.resources.requests.memory="${memory.doc}"`,
-    ]);
-  }
-
-  const replica = replicaConfig[buildType] || replicaConfig.canary;
-
+      : [];
+  const webReplicaCount = isProduction ? 3 : isBeta ? 2 : 2;
+  const graphqlReplicaCount = isProduction
+    ? Number(process.env.PRODUCTION_GRAPHQL_REPLICA) || 3
+    : isBeta
+      ? Number(process.env.isBeta_GRAPHQL_REPLICA) || 2
+      : 2;
+  const syncReplicaCount = isProduction
+    ? Number(process.env.PRODUCTION_SYNC_REPLICA) || 3
+    : isBeta
+      ? Number(process.env.BETA_SYNC_REPLICA) || 2
+      : 2;
   const namespace = isProduction
     ? 'production'
     : isBeta
@@ -116,37 +85,41 @@ const createHelmCommand = ({ isDryRun }) => {
       : isInternal
         ? 'internal'
         : 'dev';
-
-  const hosts = (DEPLOY_HOST || CANARY_DEPLOY_HOST)
-    .split(',')
-    .map(host => host.trim())
-    .filter(host => host);
-  const primaryHost = hosts[0] || '0.0.0.0';
+  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+  const host = DEPLOY_HOST || CANARY_DEPLOY_HOST;
   const deployCommand = [
     `helm upgrade --install affine .github/helm/affine`,
     `--namespace  ${namespace}`,
-    `--set-string global.deployment.type="affine"`,
-    `--set-string global.deployment.platform="gcp"`,
-    `--set-string global.app.buildType="${buildType}"`,
     `--set        global.ingress.enabled=true`,
-    `--set-json   global.ingress.annotations="{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }"`,
-    ...hosts.map(
-      (host, index) => `--set global.ingress.hosts[${index}]=${host}`
-    ),
+    `--set-json   global.ingress.annotations=\"{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }\"`,
+    `--set-string global.ingress.host="${host}"`,
     `--set-string global.version="${APP_VERSION}"`,
     ...redisAndPostgres,
-    ...indexerOptions,
-    `--set        front.replicaCount=${replica.front}`,
-    `--set-string front.image.tag="${imageTag}"`,
-    `--set-string front.app.host="${primaryHost}"`,
-    `--set        graphql.replicaCount=${replica.graphql}`,
+    `--set        web.replicaCount=${webReplicaCount}`,
+    `--set-string web.image.tag="${imageTag}"`,
+    `--set        graphql.replicaCount=${graphqlReplicaCount}`,
     `--set-string graphql.image.tag="${imageTag}"`,
-    `--set-string graphql.app.host="${primaryHost}"`,
-    `--set-string doc.image.tag="${imageTag}"`,
-    `--set-string doc.app.host="${primaryHost}"`,
-    `--set        doc.replicaCount=${replica.doc}`,
+    `--set        graphql.app.host=${host}`,
+    `--set        graphql.app.captcha.enabled=${ENABLE_CAPTCHA}`,
+    `--set-string graphql.app.captcha.turnstile.secret="${CAPTCHA_TURNSTILE_SECRET}"`,
+    `--set        graphql.app.objectStorage.r2.enabled=true`,
+    `--set-string graphql.app.objectStorage.r2.accountId="${R2_ACCOUNT_ID}"`,
+    `--set-string graphql.app.objectStorage.r2.accessKeyId="${R2_ACCESS_KEY_ID}"`,
+    `--set-string graphql.app.objectStorage.r2.secretAccessKey="${R2_SECRET_ACCESS_KEY}"`,
+    `--set-string graphql.app.mailer.sender="${MAILER_SENDER}"`,
+    `--set-string graphql.app.mailer.user="${MAILER_USER}"`,
+    `--set-string graphql.app.mailer.password="${MAILER_PASSWORD}"`,
+    `--set-string graphql.app.oauth.google.enabled=true`,
+    `--set-string graphql.app.oauth.google.clientId="${AFFINE_GOOGLE_CLIENT_ID}"`,
+    `--set-string graphql.app.oauth.google.clientSecret="${AFFINE_GOOGLE_CLIENT_SECRET}"`,
+    `--set-string graphql.app.payment.stripe.apiKey="${STRIPE_API_KEY}"`,
+    `--set-string graphql.app.payment.stripe.webhookKey="${STRIPE_WEBHOOK_KEY}"`,
+    `--set        graphql.app.experimental.enableJwstCodec=${isInternal}`,
+    `--set        graphql.app.features.earlyAccessPreview=false`,
+    `--set        graphql.app.features.syncClientVersionCheck=true`,
+    `--set        sync.replicaCount=${syncReplicaCount}`,
+    `--set-string sync.image.tag="${imageTag}"`,
     ...serviceAnnotations,
-    ...resources,
     `--timeout 10m`,
     flag,
   ].join(' ');

.github/actions/download-core/action.yml

@@ -0,0 +1,22 @@
+name: 'Download core artifacts'
+description: 'Download core artifacts and extract to dist'
+inputs:
+  path:
+    description: 'Path to extract'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Download tar.gz
+      uses: actions/download-artifact@v4
+      with:
+        name: core
+        path: .
+
+    - name: Extract core artifacts
+      shell: bash
+      run: |
+        mkdir -p ${{ inputs.path }}
+        tar -xvf dist.tar.gz --directory ${{ inputs.path }}
+        rm dist.tar.gz

.github/actions/download-web/action.yml

@@ -1,22 +0,0 @@
-name: 'Download core artifacts'
-description: 'Download core artifacts and extract to dist'
-inputs:
-  path:
-    description: 'Path to extract'
-    required: true
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Download tar.gz
-      uses: actions/download-artifact@v4
-      with:
-        name: web
-        path: .
-
-    - name: Extract core artifacts
-      shell: bash
-      run: |
-        mkdir -p ${{ inputs.path }}
-        tar -xvf dist.tar.gz --directory ${{ inputs.path }}
-        rm dist.tar.gz

.github/actions/prepare-release/action.yml

@@ -1,41 +0,0 @@
-name: Prepare Release
-description: 'Prepare Release'
-outputs:
-  APP_VERSION:
-    description: 'App Version'
-    value: ${{ steps.get-version.outputs.APP_VERSION }}
-  GIT_SHORT_HASH:
-    description: 'Git Short Hash'
-    value: ${{ steps.get-version.outputs.GIT_SHORT_HASH }}
-  BUILD_TYPE:
-    description: 'Build Type'
-    value: ${{ steps.get-version.outputs.BUILD_TYPE }}
-runs:
-  using: 'composite'
-  steps:
-    - name: Get Version
-      id: get-version
-      shell: bash
-      run: |
-        GIT_SHORT_HASH=$(git rev-parse --short HEAD)
-        if [ "${{ github.ref_type }}" == "tag" ]; then
-          APP_VERSION=$(echo "${{ github.ref_name }}" | sed 's/^v//')
-        else
-          APP_VERSION=$(date '+%Y.%-m.%-d-canary.%-H%M')
-        fi
-        if [[ "$APP_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-          BUILD_TYPE=stable
-        elif [[ "$APP_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-beta\.[0-9]+$ ]]; then
-          BUILD_TYPE=beta
-        elif [[ "$APP_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-canary\.[0-9a-f]+$ ]]; then
-          BUILD_TYPE=canary
-        else
-          echo "Error: unsupported version string: $APP_VERSION" >&2
-          exit 1
-        fi
-        echo $APP_VERSION
-        echo $GIT_SHORT_HASH
-        echo $BUILD_TYPE
-        echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_OUTPUT"
-        echo "GIT_SHORT_HASH=$GIT_SHORT_HASH" >> "$GITHUB_OUTPUT"
-        echo "BUILD_TYPE=$BUILD_TYPE" >> "$GITHUB_OUTPUT"

.github/actions/server-test-env/action.yml

@@ -1,30 +0,0 @@
-name: 'Prepare Server Test Environment'
-description: 'Prepare Server Test Environment'
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Initialize database
-      shell: bash
-      run: |
-        psql -h localhost -U postgres -c "CREATE DATABASE affine;"
-        psql -h localhost -U postgres -c "CREATE USER affine WITH PASSWORD 'affine';"
-        psql -h localhost -U postgres -c "ALTER USER affine WITH SUPERUSER;"
-      env:
-        PGPASSWORD: affine
-
-    - name: Run init-db script
-      shell: bash
-      env:
-        NODE_ENV: test
-      run: |
-        yarn affine @affine/server prisma generate
-        yarn affine @affine/server prisma migrate deploy
-        yarn affine @affine/server data-migration run
-
-    - name: Import config
-      shell: bash
-      env:
-        DEFAULT_CONFIG: '{}'
-      run: |
-        printf '%s\n' "${SERVER_CONFIG:-$DEFAULT_CONFIG}" > ./packages/backend/server/config.json

.github/actions/setup-node/action.yml

@@ -13,18 +13,10 @@ inputs:
     description: 'Run the install step for Playwright.'
     required: false
     default: 'false'
-  playwright-platform:
-    description: 'The platform to install Playwright for.'
-    required: false
-    default: 'chromium,webkit'
   electron-install:
     description: 'Download the Electron binary'
     required: false
     default: 'true'
-  corepack-install:
-    description: 'Install CorePack'
-    required: false
-    default: 'false'
   hard-link-nm:
     description: 'set nmMode to hardlinks-local in .yarnrc.yml'
     required: false
@@ -39,19 +31,10 @@ inputs:
   full-cache:
     description: 'Full installation cache'
     required: false
+
 runs:
   using: 'composite'
   steps:
-    - name: Output workspace path
-      id: workspace-path
-      shell: bash
-      run: |
-        if [ -n "${{ env.DEV_DRIVE_WORKSPACE }}" ]; then
-          echo "workspace_path=${{ env.DEV_DRIVE_WORKSPACE }}" >> $GITHUB_OUTPUT
-        else
-          echo "workspace_path=${{ github.workspace }}" >> $GITHUB_OUTPUT
-        fi
-
     - name: Setup Node.js
       uses: actions/setup-node@v4
       with:
@@ -59,37 +42,24 @@ runs:
         registry-url: https://npm.pkg.github.com
         scope: '@toeverything'
 
-    - uses: kenchan0130/actions-system-info@master
-      id: system-info
-
-    - name: Init CorePack
-      if: ${{ inputs.corepack-install == 'true' }}
-      shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
-      run: corepack enable
-
     - name: Set nmMode
       if: ${{ inputs.hard-link-nm == 'false' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn config set nmMode classic
 
     - name: Set nmHoistingLimits
       if: ${{ inputs.nmHoistingLimits }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn config set nmHoistingLimits ${{ inputs.nmHoistingLimits }}
 
     - name: Set enableScripts
       if: ${{ inputs.enableScripts == 'false' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn config set enableScripts false
 
     - name: Set yarn global cache path
       shell: bash
       id: yarn-cache
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: node -e "const p = $(yarn config cacheFolder --json).effective; console.log('yarn_global_cache=' + p)" >> $GITHUB_OUTPUT
 
     - name: Cache non-full yarn cache on Linux
@@ -97,9 +67,9 @@ runs:
       if: ${{ inputs.full-cache != 'true' && runner.os == 'Linux' }}
       with:
         path: |
-          ${{ steps.workspace-path.outputs.workspace_path }}/node_modules
+          node_modules
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-${{ github.job }}-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-${{ github.job }}-${{ runner.os }}
 
     # The network performance on macOS is very poor
     # and the decompression performance on Windows is very terrible
@@ -110,7 +80,7 @@ runs:
       with:
         path: |
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-${{ github.job }}-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-${{ github.job }}-${{ runner.os }}
 
     - name: Cache full yarn cache on Linux
       uses: actions/cache@v4
@@ -119,7 +89,7 @@ runs:
         path: |
           node_modules
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-full-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-full-${{ runner.os }}
 
     - name: Cache full yarn cache on non-Linux
       uses: actions/cache@v4
@@ -127,12 +97,23 @@ runs:
       with:
         path: |
           ${{ steps.yarn-cache.outputs.yarn_global_cache }}
-        key: node_modules-cache-full-${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}
+        key: node_modules-cache-full-${{ runner.os }}
 
     - name: yarn install
       if: ${{ inputs.package-install == 'true' }}
+      continue-on-error: true
+      shell: bash
+      run: yarn ${{ inputs.extra-flags }}
+      env:
+        HUSKY: '0'
+        PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1'
+        ELECTRON_SKIP_BINARY_DOWNLOAD: '1'
+        SENTRYCLI_SKIP_DOWNLOAD: '1'
+        DEBUG: '*'
+
+    - name: yarn install (try again)
+      if: ${{ steps.install.outcome == 'failure' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: yarn ${{ inputs.extra-flags }}
       env:
         HUSKY: '0'
@@ -145,7 +126,6 @@ runs:
       id: playwright-version
       if: ${{ inputs.playwright-install == 'true' }}
       shell: bash
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       run: echo "version=$(yarn why --json @playwright/test | grep -h 'workspace:.' | jq --raw-output '.children[].locator' | sed -e 's/@playwright\/test@.*://' | head -n 1)" >> $GITHUB_OUTPUT
 
       # Attempt to restore the correct Playwright browser binaries based on the
@@ -158,8 +138,8 @@ runs:
       id: playwright-cache
       if: ${{ inputs.playwright-install == 'true' }}
       with:
-        path: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/ms-playwright
-        key: '${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-playwright-${{ steps.playwright-version.outputs.version }}'
+        path: ${{ github.workspace }}/node_modules/.cache/ms-playwright
+        key: '${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }}'
         # As a fallback, if the Playwright version has changed, try use the
         # most recently cached version. There's a good chance that at least one
         # of the browser binary versions haven't been updated, so Playwright can
@@ -169,22 +149,20 @@ runs:
         # date cache, but still let Playwright decide if it needs to download
         # new binaries or not.
         restore-keys: |
-          ${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-playwright-
+          ${{ runner.os }}-playwright-
 
     # If the Playwright browser binaries weren't able to be restored, we tell
     # playwright to install everything for us.
     - name: Install Playwright's dependencies
       shell: bash
       if: inputs.playwright-install == 'true'
-      run: yarn playwright install --with-deps $(echo "${{ inputs.playwright-platform }}" | tr ',' ' ')
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
+      run: yarn playwright install --with-deps chromium
       env:
-        PLAYWRIGHT_BROWSERS_PATH: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/ms-playwright
+        PLAYWRIGHT_BROWSERS_PATH: ${{ github.workspace }}/node_modules/.cache/ms-playwright
 
     - name: Get installed Electron version
       id: electron-version
       if: ${{ inputs.electron-install == 'true' }}
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       shell: bash
       run: |
         echo "version=$(yarn why --json electron | grep -h 'workspace:.' | jq --raw-output '.children[].locator' | sed -e 's/@playwright\/test@.*://' | head -n 1)" >> $GITHUB_OUTPUT
@@ -193,20 +171,14 @@ runs:
       id: electron-cache
       if: ${{ inputs.electron-install == 'true' }}
       with:
-        path: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/electron
-        key: '${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-electron-${{ steps.electron-version.outputs.version }}'
+        path: 'node_modules/.cache/electron'
+        key: '${{ runner.os }}-electron-${{ steps.electron-version.outputs.version }}'
         restore-keys: |
-          ${{ runner.os }}-${{ runner.arch }}-${{ steps.system-info.outputs.name }}-${{ steps.system-info.outputs.release }}-${{ steps.system-info.outputs.version }}-electron-
+          ${{ runner.os }}-electron-
 
     - name: Install Electron binary
       shell: bash
       if: inputs.electron-install == 'true'
       run: node ./node_modules/electron/install.js
-      working-directory: ${{ steps.workspace-path.outputs.workspace_path }}
       env:
-        electron_config_cache: ${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/electron
-
-    - name: Write PLAYWRIGHT_BROWSERS_PATH env
-      shell: bash
-      run: |
-        echo "PLAYWRIGHT_BROWSERS_PATH=${{ steps.workspace-path.outputs.workspace_path }}/node_modules/.cache/ms-playwright" >> $GITHUB_ENV
+        electron_config_cache: ./node_modules/.cache/electron

.github/actions/setup-version/action.yml

@@ -1,18 +1,24 @@
 name: Setup Version
 description: 'Setup Version'
-inputs:
-  app-version:
+outputs:
+  APP_VERSION:
     description: 'App Version'
-    required: true
-  ios-app-version:
-    description: 'iOS App Store Version (Optional, use App version if empty)'
-    required: false
-    type: string
+    value: ${{ steps.version.outputs.APP_VERSION }}
 runs:
   using: 'composite'
   steps:
     - name: 'Write Version'
+      id: version
       shell: bash
-      env:
-        IOS_APP_VERSION: ${{ inputs.ios-app-version }}
-      run: ./scripts/set-version.sh ${{ inputs.app-version }}
+      run: |
+        if [ "${{ github.ref_type }}" == "tag" ]; then
+          APP_VERSION=$(echo "${{ github.ref_name }}" | sed 's/^v//')
+        else
+          PACKAGE_VERSION=$(node -p "require('./package.json').version")
+          TIME_VERSION=$(date +%Y%m%d%H%M)
+          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
+          APP_VERSION=$PACKAGE_VERSION-nightly-$TIME_VERSION-$GIT_SHORT_HASH
+        fi
+        echo $APP_VERSION
+        echo "APP_VERSION=$APP_VERSION" >> "$GITHUB_OUTPUT"
+        ./scripts/set-version.sh $APP_VERSION

.github/deployment/front/Dockerfile

@@ -0,0 +1,11 @@
+FROM openresty/openresty:1.25.3.1-0-buster
+WORKDIR /app
+COPY ./packages/frontend/core/dist ./dist
+COPY ./.github/deployment/front/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
+COPY ./.github/deployment/front/affine.nginx.conf /etc/nginx/conf.d/affine.nginx.conf
+
+RUN mkdir -p /var/log/nginx && \
+  rm /etc/nginx/conf.d/default.conf
+
+EXPOSE 8080
+CMD ["/usr/local/openresty/bin/openresty", "-g", "daemon off;"]

.github/deployment/front/affine.nginx.conf

@@ -0,0 +1,13 @@
+server {
+    listen 8080;
+    root /app/dist;
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    error_page 404 /404.html;
+    location = /404.html {
+        internal;
+    }
+}

.github/deployment/front/nginx.conf

@@ -0,0 +1,14 @@
+worker_processes  4;
+error_log /var/log/nginx/error.log warn;
+pcre_jit on;
+events {
+    worker_connections 1024;
+}
+http {
+    include       mime.types;
+    log_format    main  '$remote_addr [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log    /var/log/nginx/access.log  main;
+    include /etc/nginx/conf.d/*.conf;
+}

.github/deployment/node/Dockerfile

@@ -1,35 +1,11 @@
-# syntax=docker/dockerfile:1.7
-
-FROM node:22-bookworm-slim AS assets
-WORKDIR /app
+FROM node:20-bookworm-slim
 
 COPY ./packages/backend/server /app
-COPY ./packages/frontend/apps/web/dist /app/static
-COPY ./packages/frontend/admin/dist /app/static/admin
-COPY ./packages/frontend/apps/mobile/dist /app/static/mobile
-
-# Keep server sourcemap for stacktraces, but don't ship frontend/node_modules sourcemaps.
-ARG TARGETARCH
-ARG TARGETVARIANT
-# Needed for Prisma engine resolution (and potential engine download during cleanup).
-RUN apt-get update && \
-  apt-get install -y --no-install-recommends openssl ca-certificates && \
-  rm -rf /var/lib/apt/lists/*
-
-RUN AFFINE_DOCKER_CLEAN=1 TARGETARCH="${TARGETARCH}" TARGETVARIANT="${TARGETVARIANT}" node ./scripts/docker-clean.mjs
-
-FROM node:22-bookworm-slim
+COPY ./packages/frontend/core/dist /app/static
 WORKDIR /app
 
-COPY --from=assets /app /app
-
 RUN apt-get update && \
-  apt-get install -y --no-install-recommends openssl libjemalloc2 && \
+  apt-get install -y --no-install-recommends openssl && \
   rm -rf /var/lib/apt/lists/*
 
-# Enable jemalloc by preloading the library
-ENV LD_PRELOAD=libjemalloc.so.2
-
-EXPOSE 3010
-
-CMD ["node", "./dist/main.js"]
+CMD ["node", "--import", "./scripts/register.js", "./dist/index.js"]

.github/deployment/self-host/compose.yaml

@@ -0,0 +1,59 @@
+services:
+  affine:
+    image: ghcr.io/toeverything/affine-graphql:stable
+    container_name: affine_selfhosted
+    command:
+      ['sh', '-c', 'node ./scripts/self-host-predeploy && node ./dist/index.js']
+    ports:
+      - '3010:3010'
+      - '5555:5555'
+    depends_on:
+      redis:
+        condition: service_healthy
+      postgres:
+        condition: service_healthy
+    volumes:
+      # custom configurations
+      - ~/.affine/self-host/config:/root/.affine/config
+      # blob storage
+      - ~/.affine/self-host/storage:/root/.affine/storage
+    logging:
+      driver: 'json-file'
+      options:
+        max-size: '1000m'
+    restart: unless-stopped
+    environment:
+      - NODE_OPTIONS="--import=./scripts/register.js"
+      - AFFINE_CONFIG_PATH=/root/.affine/config
+      - REDIS_SERVER_HOST=redis
+      - DATABASE_URL=postgres://affine:affine@postgres:5432/affine
+      - NODE_ENV=production
+      - AFFINE_ADMIN_EMAIL=${AFFINE_ADMIN_EMAIL}
+      - AFFINE_ADMIN_PASSWORD=${AFFINE_ADMIN_PASSWORD}
+  redis:
+    image: redis
+    container_name: affine_redis
+    restart: unless-stopped
+    volumes:
+      - ~/.affine/self-host/redis:/data
+    healthcheck:
+      test: ['CMD', 'redis-cli', '--raw', 'incr', 'ping']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+  postgres:
+    image: postgres
+    container_name: affine_postgres
+    restart: unless-stopped
+    volumes:
+      - ~/.affine/self-host/postgres:/var/lib/postgresql/data
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U affine']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    environment:
+      POSTGRES_USER: affine
+      POSTGRES_PASSWORD: affine
+      POSTGRES_DB: affine
+      PGDATA: /var/lib/postgresql/data/pgdata

.github/helm/affine/Chart.yaml

@@ -3,4 +3,4 @@ name: affine
 description: AFFiNE cloud chart
 type: application
 version: 0.0.0
-appVersion: "0.26.1"
+appVersion: "0.12.0"

.github/helm/affine/charts/doc/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: doc
-description: AFFiNE doc server
-type: application
-version: 0.0.0
-appVersion: "0.26.1"
-dependencies:
-  - name: gcloud-sql-proxy
-    version: 0.0.0
-    repository: "file://../gcloud-sql-proxy"
-    condition: .global.database.gcloud.enabled

.github/helm/affine/charts/doc/templates/NOTES.txt

@@ -1,16 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "doc.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "doc.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "doc.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "doc.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}

.github/helm/affine/charts/doc/templates/_helpers.tpl

@@ -1,63 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "doc.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "doc.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "doc.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "doc.labels" -}}
-helm.sh/chart: {{ include "doc.chart" . }}
-{{ include "doc.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-monitoring: enabled
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "doc.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "doc.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "doc.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "doc.fullname" .) .Values.global.docService.name }}
-{{- else }}
-{{- default "default" .Values.global.docService.name }}
-{{- end }}
-{{- end }}

.github/helm/affine/charts/doc/templates/deployment.yaml

@@ -1,118 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "doc.fullname" . }}
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "doc.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "doc.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "doc.serviceAccountName" . }}
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-          - name: AFFINE_PRIVATE_KEY
-            valueFrom:
-              secretKeyRef:
-                name: "{{ .Values.global.secret.secretName }}"
-                key: key
-          - name: NODE_ENV
-            value: "{{ .Values.env }}"
-          - name: NODE_OPTIONS
-            value: "--max-old-space-size=4096"
-          - name: NO_COLOR
-            value: "1"
-          - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
-          - name: SERVER_FLAVOR
-            value: "doc"
-          - name: AFFINE_ENV
-            value: "{{ .Release.Namespace }}"
-          - name: DATABASE_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: pg-postgresql
-                key: postgres-password
-          - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          - name: REDIS_SERVER_ENABLED
-            value: "true"
-          - name: REDIS_SERVER_HOST
-            value: "{{ .Values.global.redis.host }}"
-          - name: REDIS_SERVER_PORT
-            value: "{{ .Values.global.redis.port }}"
-          - name: REDIS_SERVER_USER
-            value: "{{ .Values.global.redis.username }}"
-          - name: REDIS_SERVER_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: redis
-                key: redis-password
-          - name: REDIS_SERVER_DATABASE
-            value: "{{ .Values.global.redis.database }}"
-          - name: AFFINE_INDEXER_SEARCH_PROVIDER
-            value: "{{ .Values.global.indexer.provider }}"
-          - name: AFFINE_INDEXER_SEARCH_ENDPOINT
-            value: "{{ .Values.global.indexer.endpoint }}"
-          - name: AFFINE_INDEXER_SEARCH_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: indexer
-                key: indexer-apiKey
-          - name: AFFINE_SERVER_PORT
-            value: "{{ .Values.global.docService.port }}"
-          - name: AFFINE_SERVER_SUB_PATH
-            value: "{{ .Values.app.path }}"
-          - name: AFFINE_SERVER_HOST
-            value: "{{ .Values.app.host }}"
-          - name: AFFINE_SERVER_HTTPS
-            value: "{{ .Values.app.https }}"
-          ports:
-            - name: http
-              containerPort: {{ .Values.global.docService.port }}
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-            timeoutSeconds: {{ .Values.probe.timeoutSeconds }}
-          readinessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-            timeoutSeconds: {{ .Values.probe.timeoutSeconds }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

.github/helm/affine/charts/doc/templates/service.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "doc.fullname" . }}
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.global.docService.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "doc.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/doc/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "doc.serviceAccountName" . }}
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

.github/helm/affine/charts/doc/templates/tests/test-connection.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "doc.fullname" . }}-test-connection"
-  labels:
-    {{- include "doc.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ include "doc.fullname" . }}:{{ .Values.global.docService.port }}']
-  restartPolicy: Never

.github/helm/affine/charts/doc/values.yaml

@@ -1,43 +0,0 @@
-replicaCount: 1
-image:
-  repository: ghcr.io/toeverything/affine
-  pullPolicy: IfNotPresent
-  tag: ''
-
-imagePullSecrets: []
-nameOverride: ''
-fullnameOverride: ''
-# map to NODE_ENV environment variable
-env: 'production'
-app:
-  # AFFINE_SERVER_SUB_PATH
-  path: ''
-  # AFFINE_SERVER_HOST
-  host: '0.0.0.0'
-  https: true
-  copilot:
-    enabled: false
-    secretName: copilot
-    openai:
-      key: ''
-serviceAccount:
-  create: true
-  annotations: {}
-
-podAnnotations: {}
-
-podSecurityContext:
-  fsGroup: 2000
-
-resources:
-  requests:
-    cpu: '1'
-    memory: 4Gi
-
-probe:
-  initialDelaySeconds: 20
-  timeoutSeconds: 5
-
-nodeSelector: {}
-tolerations: []
-affinity: {}

.github/helm/affine/charts/front/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: front
-description: AFFiNE front server
-type: application
-version: 0.0.0
-appVersion: "0.26.1"
-dependencies:
-  - name: gcloud-sql-proxy
-    version: 0.0.0
-    repository: "file://../gcloud-sql-proxy"
-    condition: .global.database.gcloud.enabled

.github/helm/affine/charts/front/templates/NOTES.txt

@@ -1,16 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if contains "NodePort" .Values.services.sync.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ .Values.services.sync.name }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.services.sync.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ .Values.services.sync.name }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ .Values.services.sync.name }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.services.sync.port }}
-{{- else if contains "ClusterIP" .Values.services.sync.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "front.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}

.github/helm/affine/charts/front/templates/_helpers.tpl

@@ -1,63 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "front.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "front.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "front.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "front.labels" -}}
-helm.sh/chart: {{ include "front.chart" . }}
-{{ include "front.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-monitoring: enabled
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "front.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "front.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "front.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "front.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

.github/helm/affine/charts/front/templates/deployment.yaml

@@ -1,120 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "front.fullname" . }}
-  labels:
-    {{- include "front.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "front.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "front.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "front.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-            - name: AFFINE_PRIVATE_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Values.global.secret.secretName }}"
-                  key: key
-            - name: NODE_ENV
-              value: "{{ .Values.env }}"
-            - name: NODE_OPTIONS
-              value: "{{ .Values.nodeOptions }}"
-            - name: NO_COLOR
-              value: "1"
-            - name: DEPLOYMENT_TYPE
-              value: "{{ .Values.global.deployment.type }}"
-            - name: DEPLOYMENT_PLATFORM
-              value: "{{ .Values.global.deployment.platform }}"
-            - name: SERVER_FLAVOR
-              value: "front"
-            - name: AFFINE_ENV
-              value: "{{ .Release.Namespace }}"
-            - name: DATABASE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: pg-postgresql
-                  key: postgres-password
-            - name: DATABASE_URL
-              value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-            - name: REDIS_SERVER_ENABLED
-              value: "true"
-            - name: REDIS_SERVER_HOST
-              value: "{{ .Values.global.redis.host }}"
-            - name: REDIS_SERVER_PORT
-              value: "{{ .Values.global.redis.port }}"
-            - name: REDIS_SERVER_USER
-              value: "{{ .Values.global.redis.username }}"
-            - name: REDIS_SERVER_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: redis
-                  key: redis-password
-            - name: REDIS_SERVER_DATABASE
-              value: "{{ .Values.global.redis.database }}"
-            - name: AFFINE_INDEXER_SEARCH_PROVIDER
-              value: "{{ .Values.global.indexer.provider }}"
-            - name: AFFINE_INDEXER_SEARCH_ENDPOINT
-              value: "{{ .Values.global.indexer.endpoint }}"
-            - name: AFFINE_INDEXER_SEARCH_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: indexer
-                  key: indexer-apiKey
-            - name: AFFINE_SERVER_PORT
-              value: "{{ .Values.app.port }}"
-            - name: AFFINE_SERVER_SUB_PATH
-              value: "{{ .Values.app.path }}"
-            - name: AFFINE_SERVER_HOST
-              value: "{{ .Values.app.host }}"
-            - name: AFFINE_SERVER_HTTPS
-              value: "{{ .Values.app.https }}"
-            - name: DOC_SERVICE_ENDPOINT
-              value: "http://{{ .Values.global.docService.name }}:{{ .Values.global.docService.port }}"
-          ports:
-            - name: http
-              containerPort: {{ .Values.app.port }}
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-          readinessProbe:
-            httpGet:
-              path: /info
-              port: http
-            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

.github/helm/affine/charts/front/templates/service-renderer.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ .Values.services.renderer.name }}
-  labels:
-    {{- include "front.labels" . | nindent 4 }}
-  {{- with .Values.services.renderer.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.services.renderer.type }}
-  ports:
-    - port: {{ .Values.services.renderer.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "front.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/front/templates/service-sync.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ .Values.services.sync.name }}
-  labels:
-    {{- include "front.labels" . | nindent 4 }}
-  {{- with .Values.services.sync.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.services.sync.type }}
-  ports:
-    - port: {{ .Values.services.sync.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "front.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/front/templates/service-web.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ .Values.services.web.name }}
-  labels:
-    {{- include "front.labels" . | nindent 4 }}
-  {{- with .Values.services.web.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.services.web.type }}
-  ports:
-    - port: {{ .Values.services.web.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    {{- include "front.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/front/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "front.serviceAccountName" . }}
-  labels:
-    {{- include "front.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

.github/helm/affine/charts/front/templates/tests/test-connection.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "front.fullname" . }}-test-connection"
-  labels:
-    {{- include "front.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ .Values.services.sync.name }}:{{ .Values.services.sync.port }}']
-  restartPolicy: Never

.github/helm/affine/charts/front/values.yaml

@@ -1,60 +0,0 @@
-replicaCount: 1
-image:
-  repository: ghcr.io/toeverything/affine
-  pullPolicy: IfNotPresent
-  tag: ''
-
-imagePullSecrets: []
-nameOverride: ''
-fullnameOverride: ''
-# map to NODE_ENV environment variable
-env: 'production'
-nodeOptions: '--max-old-space-size=3072'
-app:
-  # AFFINE_SERVER_PORT
-  port: 3010
-  # AFFINE_SERVER_SUB_PATH
-  path: ''
-  # AFFINE_SERVER_HOST
-  host: '0.0.0.0'
-  https: true
-serviceAccount:
-  create: true
-  annotations: {}
-  name: 'affine-front'
-
-podAnnotations: {}
-
-podSecurityContext:
-  fsGroup: 2000
-
-resources:
-  requests:
-    cpu: '2'
-    memory: 4Gi
-
-probe:
-  initialDelaySeconds: 20
-
-services:
-  sync:
-    name: affine-sync
-    type: ClusterIP
-    port: 3010
-    annotations:
-      cloud.google.com/backend-config: '{"default": "affine-api-backendconfig"}'
-  renderer:
-    name: affine-renderer
-    type: ClusterIP
-    port: 3000
-    annotations:
-      cloud.google.com/backend-config: '{"default": "affine-api-backendconfig"}'
-  web:
-    name: affine-web
-    type: ClusterIP
-    port: 8080
-    annotations: {}
-
-nodeSelector: {}
-tolerations: []
-affinity: {}

.github/helm/affine/charts/gcloud-sql-proxy/templates/NOTES.txt

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 1. Get the application URL by running these commands:
 {{- if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gcloud-sql-proxy.fullname" . }})

.github/helm/affine/charts/gcloud-sql-proxy/templates/deployment.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -42,7 +42,7 @@ spec:
             - "0.0.0.0"
             - "--structured-logs"
             - "--auto-iam-authn"
-            - "{{ .Values.database.connectionName }}"
+            - "{{ .Values.global.database.gcloud.connectionName }}"
           env:
             # Enable HTTP healthchecks on port 9801. This enables /liveness,
             # /readiness and /startup health check endpoints. Allow connections
@@ -56,7 +56,7 @@ spec:
               value: 0.0.0.0
           ports:
             - name: cloud-sql-proxy
-              containerPort: {{ .Values.service.port }}
+              containerPort: {{ .Values.global.database.gcloud.proxyPort }}
               protocol: TCP
             - containerPort: 9801
               protocol: TCP

.github/helm/affine/charts/gcloud-sql-proxy/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:

.github/helm/affine/charts/gcloud-sql-proxy/templates/serviceaccount.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount

.github/helm/affine/charts/gcloud-sql-proxy/templates/tests/test-connection.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.enabled -}}
+{{- if .Values.global.database.gcloud.enabled -}}
 apiVersion: v1
 kind: Pod
 metadata:

.github/helm/affine/charts/gcloud-sql-proxy/values.yaml

@@ -1,7 +1,4 @@
-replicaCount: 2
-enabled: false
-database: 
-  connectionName: ""
+replicaCount: 3
 
 image:
   # the tag is defined as chart appVersion.
@@ -33,11 +30,8 @@ service:
 
 resources:
   limits:
-    memory: "1Gi"
-    cpu: "1"
-  requests:
-    memory: "512Mi"
-    cpu: "100m"
+    memory: "4Gi"
+    cpu: "2"
 
 volumes: []
 volumeMounts: []

.github/helm/affine/charts/graphql/Chart.yaml

@@ -3,7 +3,7 @@ name: graphql
 description: AFFiNE GraphQL server
 type: application
 version: 0.0.0
-appVersion: "0.26.1"
+appVersion: "0.12.0"
 dependencies:
   - name: gcloud-sql-proxy
     version: 0.0.0

.github/helm/affine/charts/graphql/templates/_helpers.tpl

@@ -61,3 +61,18 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- define "jwt.key" -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.app.jwt.secretName -}}
+{{- if and $secret $secret.data.private -}}
+{{/*
+   Reusing existing secret data
+*/}}
+key: {{ $secret.data.private }}
+{{- else -}}
+{{/*
+    Generate new data
+*/}}
+key: {{ genPrivateKey "ecdsa" | b64enc }}
+{{- end -}}
+{{- end -}}

.github/helm/affine/charts/graphql/templates/captcha-secret.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.app.captcha.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.captcha.secretName }}"
+type: Opaque
+data:
+  turnstileSecret: {{ .Values.app.captcha.turnstile.secret | b64enc }}
+{{- end }}

.github/helm/affine/charts/graphql/templates/deployment.yaml

@@ -28,32 +28,34 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
-          - name: AFFINE_PRIVATE_KEY
+          - name: AUTH_PRIVATE_KEY
             valueFrom:
               secretKeyRef:
-                name: "{{ .Values.global.secret.secretName }}"
+                name: "{{ .Values.app.jwt.secretName }}"
                 key: key
           - name: NODE_ENV
             value: "{{ .Values.env }}"
           - name: NODE_OPTIONS
-            value: "--max-old-space-size=2048"
+            value: "--max-old-space-size=4096"
           - name: NO_COLOR
             value: "1"
           - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
+            value: "affine"
           - name: SERVER_FLAVOR
             value: "graphql"
           - name: AFFINE_ENV
             value: "{{ .Release.Namespace }}"
+          - name: NEXTAUTH_URL
+            value: "{{ .Values.global.ingress.host }}"
           - name: DATABASE_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: pg-postgresql
                 key: postgres-password
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          - name: REDIS_SERVER_ENABLED
+            value: "true"
           - name: REDIS_SERVER_HOST
             value: "{{ .Values.global.redis.host }}"
           - name: REDIS_SERVER_PORT
@@ -67,15 +69,6 @@ spec:
                 key: redis-password
           - name: REDIS_SERVER_DATABASE
             value: "{{ .Values.global.redis.database }}"
-          - name: AFFINE_INDEXER_SEARCH_PROVIDER
-            value: "{{ .Values.global.indexer.provider }}"
-          - name: AFFINE_INDEXER_SEARCH_ENDPOINT
-            value: "{{ .Values.global.indexer.endpoint }}"
-          - name: AFFINE_INDEXER_SEARCH_API_KEY
-            valueFrom:
-              secretKeyRef:
-                name: indexer
-                key: indexer-apiKey
           - name: AFFINE_SERVER_PORT
             value: "{{ .Values.service.port }}"
           - name: AFFINE_SERVER_SUB_PATH
@@ -84,20 +77,117 @@ spec:
             value: "{{ .Values.app.host }}"
           - name: AFFINE_SERVER_HTTPS
             value: "{{ .Values.app.https }}"
-          - name: DOC_SERVICE_ENDPOINT
-            value: "http://{{ .Values.global.docService.name }}:{{ .Values.global.docService.port }}"
+          - name: ENABLE_R2_OBJECT_STORAGE
+            value: "{{ .Values.app.objectStorage.r2.enabled }}"
+          - name: ENABLE_CAPTCHA
+            value: "{{ .Values.app.captcha.enabled }}"
+          - name: FEATURES_EARLY_ACCESS_PREVIEW
+            value: "{{ .Values.app.features.earlyAccessPreview }}"
+          - name: FEATURES_SYNC_CLIENT_VERSION_CHECK
+            value: "{{ .Values.app.features.syncClientVersionCheck }}"
+          - name: MAILER_HOST
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.mailer.secretName }}"
+                key: host
+          - name: MAILER_PORT
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.mailer.secretName }}"
+                key: port
+          - name: MAILER_USER
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.mailer.secretName }}"
+                key: user
+          - name: MAILER_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.mailer.secretName }}"
+                key: password
+          - name: MAILER_SENDER
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.mailer.secretName }}"
+                key: sender
+          - name: STRIPE_API_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.payment.stripe.secretName }}"
+                key: stripeAPIKey
+          - name: STRIPE_WEBHOOK_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.payment.stripe.secretName }}"
+                key: stripeWebhookKey
+          - name: DOC_MERGE_INTERVAL
+            value: "{{ .Values.app.doc.mergeInterval }}"
+          {{ if .Values.app.experimental.enableJwstCodec }}
+          - name: DOC_MERGE_USE_JWST_CODEC
+            value: "true"
+          {{ end }}
+          {{ if .Values.app.objectStorage.r2.enabled }}
+          - name: R2_OBJECT_STORAGE_ACCOUNT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: accountId
+          - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: accessKeyId
+          - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: secretAccessKey
+          {{ end }}
+          {{ if .Values.app.captcha.enabled }}
+          - name: CAPTCHA_TURNSTILE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.captcha.secretName }}"
+                key: turnstileSecret
+          {{ end }}
+          {{ if .Values.app.oauth.google.enabled }}
+          - name: OAUTH_GOOGLE_ENABLED
+            value: "true"
+          - name: OAUTH_GOOGLE_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.google.secretName }}"
+                key: clientId
+          - name: OAUTH_GOOGLE_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.google.secretName }}"
+                key: clientSecret
+          {{ end }}
+          {{ if .Values.app.oauth.github.enabled }}
+          - name: OAUTH_GITHUB_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.github.secretName }}"
+                key: clientId
+          - name: OAUTH_GITHUB_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.oauth.github.secretName }}"
+                key: clientSecret
+          {{ end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}
               protocol: TCP
           livenessProbe:
             httpGet:
-              path: /info
+              path: /
               port: http
             initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
           readinessProbe:
             httpGet:
-              path: /info
+              path: /
               port: http
             initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
           resources:

.github/helm/affine/charts/graphql/templates/jwt-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.jwt.secretName }}"
+type: Opaque
+data:
+{{- ( include "jwt.key" . ) | indent 2 -}}

.github/helm/affine/charts/graphql/templates/mailer.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.app.mailer.secretName -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.mailer.secretName }}"
+type: Opaque
+data:
+  host: "{{ .Values.app.mailer.host | b64enc }}"
+  port: "{{ .Values.app.mailer.port | b64enc }}"
+  user: "{{ .Values.app.mailer.user | b64enc }}"
+  password: "{{ .Values.app.mailer.password | b64enc }}"
+  sender: "{{ .Values.app.mailer.sender | b64enc }}"
+{{- end }}

.github/helm/affine/charts/graphql/templates/migration.yaml

@@ -22,37 +22,36 @@ spec:
             value: "{{ .Values.env }}"
           - name: AFFINE_ENV
             value: "{{ .Release.Namespace }}"
-          - name: DEPLOYMENT_TYPE
-            value: "{{ .Values.global.deployment.type }}"
-          - name: DEPLOYMENT_PLATFORM
-            value: "{{ .Values.global.deployment.platform }}"
           - name: DATABASE_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: pg-postgresql
                 key: postgres-password
+          {{ if not .Values.global.database.gcloud.enabled }}
           - name: DATABASE_URL
-            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.host }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
-          - name: REDIS_SERVER_HOST
-            value: "{{ .Values.global.redis.host }}"
-          - name: REDIS_SERVER_PORT
-            value: "{{ .Values.global.redis.port }}"
-          - name: REDIS_SERVER_USER
-            value: "{{ .Values.global.redis.username }}"
-          - name: REDIS_SERVER_PASSWORD
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          {{ end }}
+          {{ if .Values.global.database.gcloud.enabled }}
+          - name: DATABASE_URL
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.gcloud.cloudSqlInternal }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          {{ end }}
+          {{ if .Values.app.objectStorage.r2.enabled }}
+          - name: R2_OBJECT_STORAGE_ACCOUNT_ID
             valueFrom:
               secretKeyRef:
-                name: redis
-                key: redis-password
-          - name: AFFINE_INDEXER_SEARCH_PROVIDER
-            value: "{{ .Values.global.indexer.provider }}"
-          - name: AFFINE_INDEXER_SEARCH_ENDPOINT
-            value: "{{ .Values.global.indexer.endpoint }}"
-          - name: AFFINE_INDEXER_SEARCH_API_KEY
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: accountId
+          - name: R2_OBJECT_STORAGE_ACCESS_KEY_ID
             valueFrom:
               secretKeyRef:
-                name: indexer
-                key: indexer-apiKey
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: accessKeyId
+          - name: R2_OBJECT_STORAGE_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.objectStorage.r2.secretName }}"
+                key: secretAccessKey
+          {{ end }}
         resources:
           requests:
             cpu: '100m'

.github/helm/affine/charts/graphql/templates/oauth.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.app.oauth.google.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.google.secretName }}"
+type: Opaque
+data:
+  clientId: "{{ .Values.app.oauth.google.clientId | b64enc }}"
+  clientSecret: "{{ .Values.app.oauth.google.clientSecret | b64enc }}"
+{{- end }}
+---
+{{- if .Values.app.oauth.github.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.oauth.github.secretName }}"
+type: Opaque
+data:
+  clientId: "{{ .Values.app.oauth.github.clientId | b64enc }}"
+  clientSecret: "{{ .Values.app.oauth.github.clientSecret | b64enc }}"
+{{- end }}

.github/helm/affine/charts/graphql/templates/payment.yml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.payment.stripe.secretName }}"
+type: Opaque
+data:
+  stripeAPIKey: "{{ .Values.app.payment.stripe.apiKey | b64enc }}"
+  stripeWebhookKey: "{{ .Values.app.payment.stripe.webhookKey | b64enc }}"

.github/helm/affine/charts/graphql/templates/r2-secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.app.objectStorage.r2.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.objectStorage.r2.secretName }}"
+type: Opaque
+data:
+  accountId: {{ .Values.app.objectStorage.r2.accountId | b64enc }}
+  accessKeyId: {{ .Values.app.objectStorage.r2.accessKeyId | b64enc }}
+  secretAccessKey: {{ .Values.app.objectStorage.r2.secretAccessKey | b64enc }}
+{{- end }}

.github/helm/affine/charts/graphql/templates/secret.yaml

@@ -1,18 +0,0 @@
-{{- $privateKey := default (genPrivateKey "ecdsa") .Values.global.secret.privateKey | b64enc | quote }}
-
-{{- if not .Values.global.secret.privateKey }}
-{{- $existingKey := (lookup "v1" "Secret" .Release.Namespace .Values.global.secret.secretName) }}
-{{- if $existingKey }}
-{{- $privateKey = index $existingKey.data "key" }}
-{{- end -}}
-{{- end -}}
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.global.secret.secretName }}
-  annotations:
-    "helm.sh/resource-policy": "keep"
-type: Opaque
-data:
-  key: {{ $privateKey }}

.github/helm/affine/charts/graphql/templates/service.yaml

@@ -4,10 +4,6 @@ metadata:
   name: {{ include "graphql.fullname" . }}
   labels:
     {{- include "graphql.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
 spec:
   type: {{ .Values.service.type }}
   ports:

.github/helm/affine/charts/graphql/values.yaml

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  repository: ghcr.io/toeverything/affine
+  repository: ghcr.io/toeverything/affine-graphql
   pullPolicy: IfNotPresent
   tag: ''
 
@@ -10,12 +10,58 @@ fullnameOverride: ''
 # map to NODE_ENV environment variable
 env: 'production'
 app:
+  experimental:
+    enableJwstCodec: true
   # AFFINE_SERVER_SUB_PATH
   path: ''
   # AFFINE_SERVER_HOST
   host: '0.0.0.0'
   https: true
-  
+  doc:
+    mergeInterval: "3000"
+  jwt:
+    secretName: jwt-private-key
+    # base64 encoded ecdsa private key
+    privateKey: ''
+  captcha:
+    enable: false
+    secretName: captcha
+    turnstile:
+      secret: ''
+  objectStorage:
+    r2:
+      enabled: false
+      secretName: r2
+      accountId: ''
+      accessKeyId: ''
+      secretAccessKey: ''
+  oauth: 
+    google:
+      enabled: false
+      secretName: oauth-google
+      clientId: ''
+      clientSecret: ''
+    github:
+      enabled: false
+      secretName: oauth-github
+      clientId: ''
+      clientSecret: ''
+  mailer:
+    secretName: 'mailer'
+    host: 'smtp.gmail.com'
+    port: '465'
+    user: ''
+    password: ''
+    sender: 'noreply@toeverything.info'
+  payment:
+    stripe:
+      secretName: 'stripe'
+      apiKey: ''
+      webhookKey: ''
+  features:
+    earlyAccessPreview: false
+    syncClientVersionCheck: false
+
 serviceAccount:
   create: true
   annotations: {}
@@ -28,8 +74,8 @@ podSecurityContext:
 
 resources:
   requests:
-    cpu: '2'
-    memory: 2Gi
+    cpu: '4'
+    memory: 4Gi
 
 probe:
   initialDelaySeconds: 20

.github/helm/affine/charts/sync/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

.github/helm/affine/charts/sync/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: sync
+description: AFFiNE Sync Server
+type: application
+version: 0.0.0
+appVersion: "0.12.0"
+dependencies:
+  - name: gcloud-sql-proxy
+    version: 0.0.0
+    repository: "file://../gcloud-sql-proxy"
+    condition: .global.database.gcloud.enabled

.github/helm/affine/charts/sync/templates/NOTES.txt

@@ -0,0 +1,16 @@
+1. Get the application URL by running these commands:
+{{- if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "sync.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "sync.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "sync.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "sync.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

.github/helm/affine/charts/sync/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sync.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sync.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sync.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "sync.labels" -}}
+helm.sh/chart: {{ include "sync.chart" . }}
+{{ include "sync.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+monitoring: enabled
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "sync.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sync.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "sync.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "sync.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

.github/helm/affine/charts/sync/templates/deployment.yaml

@@ -0,0 +1,98 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "sync.fullname" . }}
+  labels:
+    {{- include "sync.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "sync.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "sync.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "sync.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+          - name: NODE_ENV
+            value: "{{ .Values.env }}"
+          - name: NO_COLOR
+            value: "1"
+          - name: DEPLOYMENT_TYPE
+            value: "affine"
+          - name: SERVER_FLAVOR
+            value: "sync"
+          - name: NEXTAUTH_URL
+            value: "{{ .Values.global.ingress.host }}"
+          - name: AFFINE_ENV
+            value: "{{ .Release.Namespace }}"
+          - name: DATABASE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: pg-postgresql
+                key: postgres-password
+          - name: DATABASE_URL
+            value: postgres://{{ .Values.global.database.user }}:$(DATABASE_PASSWORD)@{{ .Values.global.database.url }}:{{ .Values.global.database.port }}/{{ .Values.global.database.name }}
+          - name: REDIS_SERVER_ENABLED
+            value: "true"
+          - name: REDIS_SERVER_HOST
+            value: "{{ .Values.global.redis.host }}"
+          - name: REDIS_SERVER_PORT
+            value: "{{ .Values.global.redis.port }}"
+          - name: REDIS_SERVER_USER
+            value: "{{ .Values.global.redis.username }}"
+          - name: REDIS_SERVER_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: redis
+                key: redis-password
+          - name: REDIS_SERVER_DATABASE
+            value: "{{ .Values.global.redis.database }}"
+          - name: AFFINE_SERVER_PORT
+            value: "{{ .Values.service.port }}"
+          - name: AFFINE_SERVER_HOST
+            value: "{{ .Values.app.host }}"
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
+          readinessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

.github/helm/affine/charts/sync/templates/service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "sync.fullname" . }}
+  labels:
+    {{- include "sync.labels" . | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "sync.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/sync/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "sync.serviceAccountName" . }}
+  labels:
+    {{- include "sync.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

.github/helm/affine/charts/sync/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "sync.fullname" . }}-test-connection"
+  labels:
+    {{- include "sync.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "sync.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

.github/helm/affine/charts/sync/values.yaml

@@ -0,0 +1,39 @@
+replicaCount: 1
+image:
+  repository: ghcr.io/toeverything/affine-graphql
+  pullPolicy: IfNotPresent
+  tag: ''
+
+imagePullSecrets: []
+nameOverride: ''
+fullnameOverride: ''
+# map to NODE_ENV environment variable
+env: 'production'
+app:
+  # AFFINE_SERVER_HOST
+  host: '0.0.0.0'
+
+serviceAccount:
+  create: true
+  annotations: {}
+  name: 'affine-sync'
+
+podAnnotations: {}
+
+podSecurityContext:
+  fsGroup: 2000
+
+resources:
+  limits:
+    cpu: '4'
+    memory: 8Gi
+  requests:
+    cpu: '2'
+    memory: 4Gi
+
+probe:
+  initialDelaySeconds: 20
+
+nodeSelector: {}
+tolerations: []
+affinity: {}

.github/helm/affine/charts/web/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

.github/helm/affine/charts/web/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: web
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.0
+appVersion: "0.7.0-canary.18"

.github/helm/affine/charts/web/templates/NOTES.txt

@@ -0,0 +1,16 @@
+1. Get the application URL by running these commands:
+{{- if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "web.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "web.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "web.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "web.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

.github/helm/affine/charts/web/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "web.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "web.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "web.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "web.labels" -}}
+helm.sh/chart: {{ include "web.chart" . }}
+{{ include "web.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+monitoring: enabled
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "web.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "web.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "web.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "web.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

.github/helm/affine/charts/web/templates/deployment.yaml

@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "web.fullname" . }}
+  labels:
+    {{- include "web.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "web.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "web.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "web.serviceAccountName" . }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: {{ .Values.probe.initialDelaySeconds }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

.github/helm/affine/charts/web/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "web.fullname" . }}
+  labels:
+    {{- include "web.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "web.selectorLabels" . | nindent 4 }}

.github/helm/affine/charts/web/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "web.serviceAccountName" . }}
+  labels:
+    {{- include "web.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

.github/helm/affine/charts/web/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "web.fullname" . }}-test-connection"
+  labels:
+    {{- include "web.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "web.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never