From 30ae54d906f9debe76171bc8aa1ae162cb1109f3 Mon Sep 17 00:00:00 2001 
From: Piotr Mankowski Date: Fri, 6 Dec 2024 23:16:19 +0000 Subject: [PATCH 1/3] Updated with reverse proxy --- .env.local | 8 ++ .../config/grafana.json | 50 ------- .../config/jempi.json | 49 ------- .../config/openhim.json | 50 ------- .../config/realm.json | 23 ---- .../config/superset.json | 46 ------- .../docker-compose-postgres.cluster.yml | 75 ----------- .../docker-compose-postgres.dev.yml | 8 -- .../docker-compose-postgres.yml | 40 ------ .../docker-compose.dev.yml | 8 -- .../docker-compose.yml | 67 ---------- .../package-metadata.json | 45 ------- .../identity-access-manager-keycloak/swarm.sh | 126 ------------------ config.yaml | 1 + .../docker-compose.yml | 9 +- packages/database-mysql/package-metadata.json | 1 + .../package-metadata.json | 10 +- .../config/nginx-temp-insecure.conf | 37 +++++ .../config/nginx-temp-secure.conf | 77 +++++++++++ .../http-isanteplus-insecure.conf | 11 ++ .../http-openhim-insecure.conf | 40 ++++++ .../stream-openhim-insecure.conf | 7 + .../http-isanteplus-secure.conf | 31 +++++ .../http-openhim-secure.conf | 117 ++++++++++++++++ .../reverse-proxy-nginx/package-metadata.json | 21 +++ 25 files changed, 361 insertions(+), 596 deletions(-) delete mode 100644 __unused__/identity-access-manager-keycloak/config/grafana.json delete mode 100644 __unused__/identity-access-manager-keycloak/config/jempi.json delete mode 100644 __unused__/identity-access-manager-keycloak/config/openhim.json delete mode 100644 __unused__/identity-access-manager-keycloak/config/realm.json delete mode 100644 __unused__/identity-access-manager-keycloak/config/superset.json delete mode 100644 __unused__/identity-access-manager-keycloak/docker-compose-postgres.cluster.yml delete mode 100644 __unused__/identity-access-manager-keycloak/docker-compose-postgres.dev.yml delete mode 100644 __unused__/identity-access-manager-keycloak/docker-compose-postgres.yml delete mode 100644 __unused__/identity-access-manager-keycloak/docker-compose.dev.yml delete mode 100644 
__unused__/identity-access-manager-keycloak/docker-compose.yml delete mode 100644 __unused__/identity-access-manager-keycloak/package-metadata.json delete mode 100644 __unused__/identity-access-manager-keycloak/swarm.sh create mode 100644 packages/reverse-proxy-nginx/config/nginx-temp-insecure.conf create mode 100644 packages/reverse-proxy-nginx/config/nginx-temp-secure.conf create mode 100644 packages/reverse-proxy-nginx/package-conf-insecure/http-isanteplus-insecure.conf create mode 100644 packages/reverse-proxy-nginx/package-conf-insecure/http-openhim-insecure.conf create mode 100644 packages/reverse-proxy-nginx/package-conf-insecure/stream-openhim-insecure.conf create mode 100644 packages/reverse-proxy-nginx/package-conf-secure/http-isanteplus-secure.conf create mode 100644 packages/reverse-proxy-nginx/package-conf-secure/http-openhim-secure.conf create mode 100644 packages/reverse-proxy-nginx/package-metadata.json diff --git a/.env.local b/.env.local index 345d4f5..de1a3bb 100644 --- a/.env.local +++ b/.env.local @@ -18,6 +18,14 @@ OPENHIM_MONGO_ATNAURL=mongodb://mongo-1:27017/openhim # iSantePlus and MySQL MYSQL_ROOT_PASSWORD=change_for_prod! +MYSQL_USE_LOCAL=false OMRS_CONFIG_CONNECTION_USERNAME_1=openmrs OMRS_CONFIG_CONNECTION_PASSWORD_1=change_for_prod! OMRS_CONFIG_CONNECTION_URL_1=jdbc:mysql://mysql:3306/openmrs?autoReconnect=true + +# Reverse Proxy +DOMAIN_NAME=localhost +SUBDOMAINS= +STAGING=true +INSECURE=true +INSECURE_PORTS=5001:5001-80:80-8080:8080-5601:5601-5488:5488-3000:3000-9200:9200-8089:8089-9001:9001-3033:3033-50000:50000 diff --git a/__unused__/identity-access-manager-keycloak/config/grafana.json b/__unused__/identity-access-manager-keycloak/config/grafana.json deleted file mode 100644 index 29d83bf..0000000 --- a/__unused__/identity-access-manager-keycloak/config/grafana.json +++ /dev/null 
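Review bot: The new `# Reverse Proxy` block in `.env.local` ships `INSECURE=true` with an `INSECURE_PORTS` list of eleven mappings, and the new `packages/reverse-proxy-nginx/package-metadata.json` later in this patch repeats the same values as the package defaults. How `INSECURE_PORTS` is consumed is not visible here, but if each pair is published on the host, the list presumably exposes internal services without TLS (9200 and 5601 are the conventional Elasticsearch and Kibana ports) on any deployment that forgets to override it. I would make the package default `"INSECURE": "false"` and keep the permissive values only in `.env.local`. A comment above the block would also help, for example `# Dev only: INSECURE=true publishes every INSECURE_PORTS pair over plain HTTP`. `SUBDOMAINS=` is left empty, so it is worth documenting which value the secure templates expect.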
@@ -1,50 +0,0 @@ -{ - "clientId": "${KC_GRAFANA_CLIENT_ID}", - "name": "grafana", - "description": "", - "rootUrl": "${KC_GRAFANA_ROOT_URL}", - "adminUrl": "${KC_GRAFANA_ROOT_URL}", - "baseUrl": "${KC_GRAFANA_ROOT_URL}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "${KC_GRAFANA_CLIENT_SECRET}", - "redirectUris": ["${KC_GRAFANA_ROOT_URL}/login/generic_oauth"], - "webOrigins": ["${KC_GRAFANA_ROOT_URL}"], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "post.logout.redirect.uris": "${KC_GRAFANA_ROOT_URL}/login", - "client.secret.creation.time": "1672390081", - "backchannel.logout.session.required": "true", - "oauth2.device.authorization.grant.enabled": "false", - "display.on.consent.screen": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "frontchannel.logout.url": "${KC_GRAFANA_ROOT_URL}/logout" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": ["web-origins", "acr", "roles", "profile", "email"], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } -} diff --git a/__unused__/identity-access-manager-keycloak/config/jempi.json b/__unused__/identity-access-manager-keycloak/config/jempi.json deleted file mode 100644 index 3a2dc1c..0000000 --- a/__unused__/identity-access-manager-keycloak/config/jempi.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "clientId": "${KC_JEMPI_CLIENT_ID}", - "name": "JeMPI", - "description": "", - "rootUrl": "${KC_JEMPI_ROOT_URL}", - "adminUrl": "${KC_JEMPI_ROOT_URL}", - "baseUrl": "${KC_JEMPI_ROOT_URL}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "${KC_JEMPI_CLIENT_SECRET}", - "redirectUris": ["${KC_JEMPI_ROOT_URL}/login"], - "webOrigins": ["${KC_JEMPI_ROOT_URL}"], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1674028783", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "${KC_JEMPI_ROOT_URL}", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": ["web-origins", "acr", "roles", "profile", "email"], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } -} diff --git a/__unused__/identity-access-manager-keycloak/config/openhim.json b/__unused__/identity-access-manager-keycloak/config/openhim.json deleted file mode 100644 index 6d830b5..0000000 --- a/__unused__/identity-access-manager-keycloak/config/openhim.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "clientId": "${KC_OPENHIM_CLIENT_ID}", - "name": "OpenHIM", - "description": "", - "rootUrl": "${KC_OPENHIM_ROOT_URL}", - "adminUrl": "${KC_OPENHIM_ROOT_URL}", - "baseUrl": "${KC_OPENHIM_ROOT_URL}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "${KC_OPENHIM_CLIENT_SECRET}", - "redirectUris": ["${KC_OPENHIM_ROOT_URL}"], - "webOrigins": ["${KC_OPENHIM_ROOT_URL}"], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1674028783", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "${KC_OPENHIM_ROOT_URL}", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "frontchannel.logout.url": "${KC_OPENHIM_ROOT_URL}/#!/logout" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": ["web-origins", "acr", "roles", "profile", "email"], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } -} diff --git a/__unused__/identity-access-manager-keycloak/config/realm.json b/__unused__/identity-access-manager-keycloak/config/realm.json deleted file mode 100644 index 4a2fa7a..0000000 --- a/__unused__/identity-access-manager-keycloak/config/realm.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "id": "${KC_REALM_NAME}", - "realm": "${KC_REALM_NAME}", - "displayNameHtml": "
Keycloak
", - "enabled": true, - "clients": [], - "users": [ - { - "email": "test@jembi.org", - "username": "test", - "enabled": true, - "credentials": [ - { - "temporary": false, - "type": "password", - "value": "dev_password_only" - } - ], - "realmRoles": ["default-roles-${KC_REALM_NAME}"], - "clientRoles": {} - } - ] -} diff --git a/__unused__/identity-access-manager-keycloak/config/superset.json b/__unused__/identity-access-manager-keycloak/config/superset.json deleted file mode 100644 index 4043250..0000000 --- a/__unused__/identity-access-manager-keycloak/config/superset.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "clientId": "${KC_SUPERSET_CLIENT_ID}", - "name": "superset", - "description": "", - "rootUrl": "${KC_SUPERSET_ROOT_URL}", - "adminUrl": "${KC_SUPERSET_ROOT_URL}", - "baseUrl": "${KC_SUPERSET_ROOT_URL}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "${KC_SUPERSET_CLIENT_SECRET}", - "redirectUris": ["${KC_SUPERSET_ROOT_URL}/oidc_callback"], - "webOrigins": ["${KC_SUPERSET_ROOT_URL}"], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1674028783", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "${KC_SUPERSET_ROOT_URL}/login/", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "frontchannel.logout.url": "${KC_SUPERSET_ROOT_URL}/backchannel-logout/" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": ["web-origins", "acr", "roles", "profile", "email"], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { "view": true, "configure": true, "manage": true } -} diff --git a/__unused__/identity-access-manager-keycloak/docker-compose-postgres.cluster.yml b/__unused__/identity-access-manager-keycloak/docker-compose-postgres.cluster.yml deleted file mode 100644 index a6ec706..0000000 --- a/__unused__/identity-access-manager-keycloak/docker-compose-postgres.cluster.yml +++ /dev/null 
@@ -1,75 +0,0 @@ -version: '3.9' - -services: - keycloak-postgres-1: - environment: - REPMGR_PARTNER_NODES: ${KC_REPMGR_PARTNER_NODES} - deploy: - placement: - constraints: - - "node.labels.name==node-1" - - keycloak-postgres-2: - image: bitnami/postgresql-repmgr:14 - environment: - POSTGRESQL_PASSWORD: ${KC_POSTGRESQL_PASSWORD} - POSTGRESQL_USERNAME: ${KC_POSTGRESQL_USERNAME} - POSTGRESQL_DATABASE: ${KC_POSTGRESQL_DATABASE} - REPMGR_NODE_NETWORK_NAME: keycloak-postgres-2 - REPMGR_PASSWORD: ${KC_REPMGR_PASSWORD} - REPMGR_RECONNECT_INTERVAL: 3 - REPMGR_NODE_NAME: keycloak-postgres-2 - REPMGR_PRIMARY_HOST: ${KC_REPMGR_PRIMARY_HOST} - REPMGR_PARTNER_NODES: ${KC_REPMGR_PARTNER_NODES} - volumes: - - 'keycloak-postgres-2-data:/bitnami/postgresql' - deploy: - placement: - constraints: - - "node.labels.name==node-2" - replicas: 1 - resources: - limits: - cpus: ${KC_POSTGRES_CPU_LIMIT} - memory: ${KC_POSTGRES_MEMORY_LIMIT} - reservations: - cpus: ${KC_POSTGRES_CPU_RESERVE} - memory: ${KC_POSTGRES_MEMORY_RESERVE} - networks: - default: - keycloak_backup_net: {} - - - keycloak-postgres-3: - image: bitnami/postgresql-repmgr:14 - environment: - POSTGRESQL_PASSWORD: ${KC_POSTGRESQL_PASSWORD} - POSTGRESQL_USERNAME: ${KC_POSTGRESQL_USERNAME} - POSTGRESQL_DATABASE: ${KC_POSTGRESQL_DATABASE} - REPMGR_NODE_NETWORK_NAME: keycloak-postgres-3 - REPMGR_PASSWORD: ${KC_REPMGR_PASSWORD} - REPMGR_RECONNECT_INTERVAL: 3 - REPMGR_NODE_NAME: keycloak-postgres-3 - REPMGR_PRIMARY_HOST: ${KC_REPMGR_PRIMARY_HOST} - REPMGR_PARTNER_NODES: ${KC_REPMGR_PARTNER_NODES} - volumes: - - 'keycloak-postgres-3-data:/bitnami/postgresql' - deploy: - placement: - constraints: - - "node.labels.name==node-3" - replicas: 1 - resources: - limits: - cpus: ${KC_POSTGRES_CPU_LIMIT} - memory: ${KC_POSTGRES_MEMORY_LIMIT} - reservations: - cpus: ${KC_POSTGRES_CPU_RESERVE} - memory: ${KC_POSTGRES_MEMORY_RESERVE} - networks: - default: - keycloak_backup_net: {} - -volumes: - keycloak-postgres-2-data: - 
keycloak-postgres-3-data: diff --git a/__unused__/identity-access-manager-keycloak/docker-compose-postgres.dev.yml b/__unused__/identity-access-manager-keycloak/docker-compose-postgres.dev.yml deleted file mode 100644 index 79e221a..0000000 --- a/__unused__/identity-access-manager-keycloak/docker-compose-postgres.dev.yml +++ /dev/null @@ -1,8 +0,0 @@ -version: '3.9' - -services: - keycloak-postgres-1: - ports: - - target: 5432 - published: 5434 - mode: host diff --git a/__unused__/identity-access-manager-keycloak/docker-compose-postgres.yml b/__unused__/identity-access-manager-keycloak/docker-compose-postgres.yml deleted file mode 100644 index 4a8f227..0000000 --- a/__unused__/identity-access-manager-keycloak/docker-compose-postgres.yml +++ /dev/null @@ -1,40 +0,0 @@ -version: "3.9" - -services: - keycloak-postgres-1: - image: bitnami/postgresql-repmgr:14 - environment: - POSTGRESQL_PASSWORD: ${KC_POSTGRESQL_PASSWORD} - POSTGRESQL_USERNAME: ${KC_POSTGRESQL_USERNAME} - POSTGRESQL_DATABASE: ${KC_POSTGRESQL_DATABASE} - POSTGRESQL_POSTGRES_PASSWORD: ${KC_POSTGRESQL_PASSWORD} - REPMGR_NODE_NETWORK_NAME: keycloak-postgres-1 - REPMGR_PASSWORD: ${KC_REPMGR_PASSWORD} - REPMGR_RECONNECT_INTERVAL: 3 - REPMGR_NODE_NAME: keycloak-postgres-1 - REPMGR_PRIMARY_HOST: ${KC_REPMGR_PRIMARY_HOST} - REPMGR_PARTNER_NODES: ${KC_REPMGR_PARTNER_NODES} - volumes: - - "keycloak-postgres-1-data:/bitnami/postgresql" - deploy: - replicas: 1 - resources: - limits: - cpus: ${KC_POSTGRES_CPU_LIMIT} - memory: ${KC_POSTGRES_MEMORY_LIMIT} - reservations: - cpus: ${KC_POSTGRES_CPU_RESERVE} - memory: ${KC_POSTGRES_MEMORY_RESERVE} - networks: - default: - keycloak_backup_net: {} - -volumes: - keycloak-postgres-1-data: - -networks: - default: - keycloak_backup_net: - name: keycloak_backup - driver: overlay - attachable: true 
diff --git a/__unused__/identity-access-manager-keycloak/docker-compose.dev.yml b/__unused__/identity-access-manager-keycloak/docker-compose.dev.yml deleted file mode 100644 index 1505f15..0000000 --- a/__unused__/identity-access-manager-keycloak/docker-compose.dev.yml +++ /dev/null @@ -1,8 +0,0 @@ -version: '3.9' - -services: - identity-access-manager-keycloak: - ports: - - target: 8080 - published: 9088 - mode: host diff --git a/__unused__/identity-access-manager-keycloak/docker-compose.yml b/__unused__/identity-access-manager-keycloak/docker-compose.yml deleted file mode 100644 index fc5e4c2..0000000 --- a/__unused__/identity-access-manager-keycloak/docker-compose.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -version: '3.9' - -services: - identity-access-manager-keycloak: - image: keycloak/keycloak:20.0 - command: - [ - "start", - "--proxy=edge", - "--hostname-url=${KC_FRONTEND_URL}", - "--import-realm" - ] - hostname: identity-access-manager-keycloak - healthcheck: - test: curl --fail http://localhost:8080/health/ready || exit 1 - interval: 10s - timeout: 5s - retries: 5 - start_period: 30s - configs: - - target: /opt/keycloak/data/import/realm.json - source: realm.json - environment: - KC_DB: postgres - KC_DB_USERNAME: ${KC_POSTGRESQL_USERNAME} - KC_DB_PASSWORD: ${KC_POSTGRESQL_PASSWORD} - KC_DB_URL: "jdbc:postgresql://${KC_POSTGRES_REPLICA_SET}/${KC_POSTGRESQL_DATABASE}?targetServerType=primary" - KC_METRICS_ENABLED: "true" - KC_HEALTH_ENABLED: "true" - KC_REALM_NAME: ${KC_REALM_NAME} - KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} - KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} - KC_GRAFANA_CLIENT_ID: ${KC_GRAFANA_CLIENT_ID} - KC_GRAFANA_CLIENT_SECRET: ${KC_GRAFANA_CLIENT_SECRET} - KC_GRAFANA_ROOT_URL: ${KC_GRAFANA_ROOT_URL} - KC_JEMPI_CLIENT_ID: ${KC_JEMPI_CLIENT_ID} - KC_JEMPI_CLIENT_SECRET: ${KC_JEMPI_CLIENT_SECRET} - KC_JEMPI_ROOT_URL: ${KC_JEMPI_ROOT_URL} - KC_SUPERSET_CLIENT_ID: ${KC_SUPERSET_CLIENT_ID} - KC_SUPERSET_CLIENT_SECRET: ${KC_SUPERSET_CLIENT_SECRET} - KC_SUPERSET_ROOT_URL: ${KC_SUPERSET_ROOT_URL} - KC_OPENHIM_CLIENT_ID: ${KC_OPENHIM_CLIENT_ID} - KC_OPENHIM_CLIENT_SECRET: ${KC_OPENHIM_CLIENT_SECRET} - KC_OPENHIM_ROOT_URL: ${KC_OPENHIM_ROOT_URL} - deploy: - placement: - max_replicas_per_node: 1 - networks: - reverse-proxy: - public: - default: - -configs: - realm.json: - file: ./config/realm.json - name: realm.json-${realm_json_DIGEST:?err} - labels: - name: keycloak - -networks: - reverse-proxy: - name: reverse-proxy_public - external: true - public: - name: keycloak_public - external: true - default: 
diff --git a/__unused__/identity-access-manager-keycloak/package-metadata.json b/__unused__/identity-access-manager-keycloak/package-metadata.json deleted file mode 100644 index 928ca89..0000000 --- a/__unused__/identity-access-manager-keycloak/package-metadata.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "id": "identity-access-manager-keycloak", - "name": "Identity Access Manager Keycloak", - "description": "An identity and access management solution", - "type": "infrastructure", - "version": "0.0.1", - "dependencies": [], - "environmentVariables": { - "KEYCLOAK_ADMIN": "admin", - "KEYCLOAK_ADMIN_PASSWORD": "dev_password_only", - "KC_FRONTEND_URL": "http://localhost:9088", - "KC_REALM_NAME": "platform-realm", - "KC_REPMGR_PRIMARY_HOST": "keycloak-postgres-1", - "KC_REPMGR_PARTNER_NODES": "keycloak-postgres-1", - "KC_REPMGR_PASSWORD": "instant101", - "KC_POSTGRES_REPLICA_SET": "keycloak-postgres-1:5432", - "KC_POSTGRES_CPU_LIMIT": "0", - "KC_POSTGRES_CPU_RESERVE": "0.05", - "KC_POSTGRES_MEMORY_LIMIT": "3G", - "KC_POSTGRES_MEMORY_RESERVE": "500M", - "KC_POSTGRESQL_PASSWORD": "instant101", - "KC_POSTGRESQL_USERNAME": "admin", - "KC_POSTGRESQL_DATABASE": "keycloak", - "KC_GRAFANA_SSO_ENABLED": "false", - "KC_GRAFANA_CLIENT_ID": "grafana-oauth", - "KC_GRAFANA_CLIENT_SECRET": "CV14QfwnpYFj1IH5dK5lScPNCYAIYP1c", - "KC_GRAFANA_ROOT_URL": "http://localhost:3000", - "KC_GRAFANA_CLIENT_ROLES": "admin,editor,viewer", - "KC_JEMPI_SSO_ENABLED": "false", - "KC_JEMPI_CLIENT_ID": "jempi-oauth", - "KC_JEMPI_CLIENT_SECRET": "Tbe3llP5OJIlqUjz7K1wPp8YDAdCOEMn", - "KC_JEMPI_ROOT_URL": "http://localhost:3033", - "KC_JEMPI_CLIENT_ROLES": "admin", - "KC_SUPERSET_SSO_ENABLED": "false", - "KC_SUPERSET_CLIENT_ID": "superset-oauth", - "KC_SUPERSET_CLIENT_SECRET": "g0J7oLbX69dL3CS8HVjRYlhRYVsPoDbQ", - "KC_SUPERSET_ROOT_URL": "http://localhost:8089", - "KC_SUPERSET_CLIENT_ROLES": "admin", - "KC_OPENHIM_SSO_ENABLED": "false", - "KC_OPENHIM_CLIENT_ID": "openhim-oauth", - "KC_OPENHIM_CLIENT_SECRET": "tZKfEbWf0Ka5HBNZwFrdSyQH2xT1sNMR", - "KC_OPENHIM_ROOT_URL": "http://localhost:9000", - "KC_OPENHIM_CLIENT_ROLES": "admin" - } -} 
diff --git a/__unused__/identity-access-manager-keycloak/swarm.sh b/__unused__/identity-access-manager-keycloak/swarm.sh deleted file mode 100644 index df472e8..0000000 --- a/__unused__/identity-access-manager-keycloak/swarm.sh +++ /dev/null 
@@ -1,126 +0,0 @@ -#!/bin/bash - -declare ACTION="" -declare MODE="" -declare COMPOSE_FILE_PATH="" -declare UTILS_PATH="" -declare STACK="keycloak" - -function init_vars() { - ACTION=$1 - MODE=$2 - - COMPOSE_FILE_PATH=$( - cd "$(dirname "${BASH_SOURCE[0]}")" || exit - pwd -P - ) - - UTILS_PATH="${COMPOSE_FILE_PATH}/../utils" - - readonly ACTION - readonly MODE - readonly COMPOSE_FILE_PATH - readonly UTILS_PATH -} - -# shellcheck disable=SC1091 -function import_sources() { - source "${UTILS_PATH}/docker-utils.sh" - source "${UTILS_PATH}/config-utils.sh" - source "${UTILS_PATH}/log.sh" -} - -function append_client_config() { - local -r CONFIG_NAME="${1:?$(missing_param "append_client_config" "CONFIG_NAME")}" - local -r CLIENT_ID_ENV_NAME="${2:?$(missing_param "append_client_config" "CLIENT_ID_ENV_NAME")}" - local -r CLIENT_ROLES_ENV_NAME="${3:?$(missing_param "append_client_config" "CLIENT_ROLES_ENV_NAME")}" - - # Comma separate env var and quote the values - IFS=',' read -r -a client_roles_array <<<"$CLIENT_ROLES_ENV_NAME" - client_roles_quoted=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${client_roles_array[@]}") - # Append clients configs - yq ".clients += [load(\"${COMPOSE_FILE_PATH}/config/$CONFIG_NAME.json\")]" "${COMPOSE_FILE_PATH}/config/realm.json" >tmp.json - # Append clients roles - jq ".users[0].clientRoles += {\"$CLIENT_ID_ENV_NAME\": ${client_roles_quoted[*]}}" tmp.json >"${COMPOSE_FILE_PATH}/config/realm.json" - rm -f tmp.json -} - -function append_config_sso_enabled() { - if [[ "${KC_GRAFANA_SSO_ENABLED}" == "true" ]]; then - append_client_config "grafana" "$KC_GRAFANA_CLIENT_ID" "$KC_GRAFANA_CLIENT_ROLES" - fi - if [[ "${KC_SUPERSET_SSO_ENABLED}" == "true" ]]; then - append_client_config "superset" "$KC_SUPERSET_CLIENT_ID" "$KC_SUPERSET_CLIENT_ROLES" - fi - if [[ "${KC_JEMPI_SSO_ENABLED}" == "true" ]]; then - append_client_config "jempi" "$KC_JEMPI_CLIENT_ID" "$KC_JEMPI_CLIENT_ROLES" - fi - if [[ "${KC_OPENHIM_SSO_ENABLED}" == 
"true" ]]; then - append_client_config "openhim" "$KC_OPENHIM_CLIENT_ID" "$KC_OPENHIM_CLIENT_ROLES" - fi -} - -function initialize_package() { - local postgres_cluster_compose_filename="" - local postgres_dev_compose_filename="" - local keycloak_dev_compose_filename="" - - if [ "${MODE}" == "dev" ]; then - log info "Running package in DEV mode" - postgres_dev_compose_filename="docker-compose-postgres.dev.yml" - keycloak_dev_compose_filename="docker-compose.dev.yml" - else - log info "Running package in PROD mode" - fi - - if [ "${CLUSTERED_MODE}" == "true" ]; then - postgres_cluster_compose_filename="docker-compose-postgres.cluster.yml" - fi - - append_config_sso_enabled - - ( - docker::deploy_service $STACK "${COMPOSE_FILE_PATH}" "docker-compose-postgres.yml" "$postgres_cluster_compose_filename" "$postgres_dev_compose_filename" - docker::deploy_service $STACK "${COMPOSE_FILE_PATH}" "docker-compose.yml" "$keycloak_dev_compose_filename" - ) || - { - log error "Failed to deploy package" - exit 1 - } -} - -function destroy_package() { - docker::stack_destroy $STACK - - if [[ "${CLUSTERED_MODE}" == "true" ]]; then - log warn "Volumes are only deleted on the host on which the command is run. Postgres volumes on other nodes are not deleted" - fi - - docker::prune_configs "keycloak" -} - -main() { - init_vars "$@" - import_sources - - if [[ "${ACTION}" == "init" ]] || [[ "${ACTION}" == "up" ]]; then - if [[ "${CLUSTERED_MODE}" == "true" ]]; then - log info "Running package in Cluster node mode" - else - log info "Running package in Single node mode" - fi - - initialize_package - elif [[ "${ACTION}" == "down" ]]; then - log info "Scaling down package" - - docker::scale_services $STACK 0 - elif [[ "${ACTION}" == "destroy" ]]; then - log info "Destroying package" - destroy_package - else - log error "Valid options are: init, up, down, or destroy" - fi -} - -main "$@" diff --git a/config.yaml b/config.yaml index 7337325..1ff5f30 100644 --- a/config.yaml +++ b/config.yaml 
@@ -7,4 +7,5 @@ packages: - database-mysql - emr-isanteplus - data-pipeline-isanteplus + - reverse-proxy-nginx diff --git a/packages/data-pipeline-isanteplus/docker-compose.yml b/packages/data-pipeline-isanteplus/docker-compose.yml index dc27a6a..35a7b41 100644 --- a/packages/data-pipeline-isanteplus/docker-compose.yml +++ b/packages/data-pipeline-isanteplus/docker-compose.yml @@ -22,8 +22,7 @@ services: source: config.json networks: - - openhim - - shr + - isanteplus-local configs: config.json: @@ -35,10 +34,12 @@ networks: openhim: name: openhim_public external: true - shr: - name: shr + isanteplus-local: + name: isanteplus-local external: true +`` + diff --git a/packages/database-mysql/package-metadata.json b/packages/database-mysql/package-metadata.json index e629406..c454f28 100644 --- a/packages/database-mysql/package-metadata.json +++ b/packages/database-mysql/package-metadata.json @@ -8,6 +8,7 @@ "environmentVariables": { "MYSQL_IMAGE": "isanteplus-mysql:5.7.44", "MYSQL_ROOT_PASSWORD": "change_for_prod!", + "MYSQL_USE_LOCAL": "false", "OMRS_CONFIG_CONNECTION_USERNAME_1": "openmrs", "OMRS_CONFIG_CONNECTION_PASSWORD_1": "change_for_prod!", "OPENMRS_DB_COUNT": "1", diff --git a/packages/interoperability-layer-openhim/package-metadata.json b/packages/interoperability-layer-openhim/package-metadata.json index 797bf5c..d893f26 100644 --- a/packages/interoperability-layer-openhim/package-metadata.json +++ b/packages/interoperability-layer-openhim/package-metadata.json @@ -18,7 +18,7 @@ "OPENHIM_CORE_MAX_REPLICAS_PER_NODE": "1", "OPENHIM_CONSOLE_INSTANCES": "1", "OPENHIM_CONSOLE_MAX_REPLICAS_PER_NODE": "1", - "OPENHIM_CORE_MEDIATOR_HOSTNAME": "openhimcomms.sedish.live", + "OPENHIM_CORE_MEDIATOR_HOSTNAME": "localhost", "OPENHIM_MEDIATOR_API_PORT": "443", "OPENHIM_CPU_LIMIT": "0", "OPENHIM_CPU_RESERVE": "0.05", 
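Review bot: The second hunk of `packages/data-pipeline-isanteplus/docker-compose.yml` adds a line containing only two backticks after `external: true`. A backtick is a reserved indicator in YAML, so the compose file will most likely fail to parse; the line looks like editor residue and should be dropped. The first hunk switches the service from `openhim` and `shr` to `isanteplus-local`, but the top-level `openhim` network declaration is kept as context. If no other service in the file joins it (the service list starts outside the hunk), it should be removed so the stack does not depend on an external network it never uses.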
@@ -41,10 +41,10 @@ "KC_OPENHIM_SSO_ENABLED": true, "KC_OPENHIM_CLIENT_ID": "openhim-oauth", "KC_OPENHIM_CLIENT_SECRET": "tZKfEbWf0Ka5HBNZwFrdSyQH2xT1sNMR", - "KC_OPENHIM_ROOT_URL": "https://openhimconsole.sedish.live", + "KC_OPENHIM_ROOT_URL": "http://localhost", "KC_API_URL": "http://identity-access-manager-keycloak:8080", - "OPENHIM_CONSOLE_BASE_URL": "https://openhimconsole.sedish.live", - "OPENHIM_API_HOST": "openhimcore.sedish.live", - "OPENHIM_API_PORT": "443" + "OPENHIM_CONSOLE_BASE_URL": "http://localhost", + "OPENHIM_API_HOST": "localhost", + "OPENHIM_API_PORT": "8090" } } diff --git a/packages/reverse-proxy-nginx/config/nginx-temp-insecure.conf b/packages/reverse-proxy-nginx/config/nginx-temp-insecure.conf new file mode 100644 index 0000000..795448b --- /dev/null +++ b/packages/reverse-proxy-nginx/config/nginx-temp-insecure.conf @@ -0,0 +1,37 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 1024; +} + +# Platform Reverse Proxy +http { + #Custom Headers + add_header Strict-Transport-Security max-age=15768000; + + #Compression + gzip on; + gzip_proxied any; + gzip_types application/json application/fhir+json; + gzip_vary on; + + #http context Proxy config + proxy_headers_hash_max_size 512; + proxy_headers_hash_bucket_size 128; + proxy_set_header Host $host:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + include /etc/nginx/conf.d/http-*.conf; + include /etc/nginx/conf.d/package-conf-insecure/http-*.conf; +} + +stream { + include /etc/nginx/conf.d/stream-*.conf; + include /etc/nginx/conf.d/package-conf-insecure/stream-*.conf; +} 
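Review bot: The new OpenHIM defaults in this hunk (`"KC_OPENHIM_ROOT_URL": "http://localhost"`, `"OPENHIM_CONSOLE_BASE_URL": "http://localhost"`, `"OPENHIM_API_PORT": "8090"`) only fit the insecure proxy mode, while the context line `"KC_OPENHIM_SSO_ENABLED": true` leaves SSO switched on. With these values the OIDC redirect and logout URLs are plain HTTP. In secure mode the API is served on 443 under `openhimcomms.*`, so 8090 would be wrong there. JSON cannot carry comments, so I would document in the package README that these four values must be overridden together with `INSECURE=false`, and consider `"KC_OPENHIM_SSO_ENABLED": false` as the default until an identity provider package is part of `config.yaml`.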
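Review bot: `nginx-temp-insecure.conf` sets `X-Forwarded-For` twice in the `http` block, first to `$remote_addr` and then to `$proxy_add_x_forwarded_for`. nginx does not de-duplicate `proxy_set_header`, so upstreams will likely receive two headers and may pick the wrong client address for logging or access decisions; keep only `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. The same pair appears in `nginx-temp-secure.conf`. This template also sends `Strict-Transport-Security` although it only serves plain HTTP, where browsers ignore the header. It omits the `server_tokens off;` that the secure template has, so I would add that line here too.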
diff --git a/packages/reverse-proxy-nginx/config/nginx-temp-secure.conf b/packages/reverse-proxy-nginx/config/nginx-temp-secure.conf
new file mode 100644
index 0000000..5b15eb4
--- /dev/null
+++ b/packages/reverse-proxy-nginx/config/nginx-temp-secure.conf
@@ -0,0 +1,77 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+# Platform Reverse Proxy
+http {
+ server_names_hash_bucket_size 64;
+
+ #Custom Headers
+ add_header Strict-Transport-Security max-age=15768000;
+
+ #Compression
+ gzip on;
+ gzip_proxied any;
+ gzip_types application/json application/fhir+json;
+ gzip_vary on;
+
+ #SSL
+ ssl_certificate /run/secrets/fullchain.pem;
+ ssl_certificate_key /run/secrets/privkey.pem;
+
+ #http context Proxy config
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_read_timeout 99999;
+ proxy_connect_timeout 99999;
+ proxy_send_timeout 99999;
+
+ # Prevent serving nginx version on error pages
+ server_tokens off;
+
+ server {
+ listen 80;
+ server_name domain_name;
+
+ # Why are these repeated every block?
+ location /.well-known/acme-challenge/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_certbot certbot;
+ proxy_pass http://$upstream_certbot$request_uri;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ server {
+ listen 443;
+ server_name domain_name;
+
+ location /.well-known/acme-challenge/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_certbot certbot;
+ proxy_pass https://$upstream_certbot$request_uri;
+ }
+ }
+
+ include /etc/nginx/conf.d/http-*.conf;
+ include /etc/nginx/conf.d/package-conf-secure/http-*.conf;
+}
+
+stream {
+ include /etc/nginx/conf.d/stream-*.conf;
+}
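Review bot: The second `server_name domain_name` block declares `listen 443;` without the `ssl` parameter, unlike every 443 listener in the package-conf-secure files. Whether that socket speaks TLS then depends on another block enabling it, so it should be explicit: `listen 443 ssl;`. The same block proxies the ACME challenge with `proxy_pass https://$upstream_certbot$request_uri;` while all other challenge locations use `http://`, which looks like a copy slip and would break renewal if certbot serves plain HTTP. The three `proxy_*_timeout 99999;` lines let a stalled client or upstream hold a worker connection for more than a day, so values in the range of minutes with per-location overrides would limit resource exhaustion. The in-file question "Why are these repeated every block?" could be resolved by declaring `resolver 127.0.0.11 valid=30s;` once in the `http` block.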
diff --git a/packages/reverse-proxy-nginx/package-conf-insecure/http-isanteplus-insecure.conf b/packages/reverse-proxy-nginx/package-conf-insecure/http-isanteplus-insecure.conf
new file mode 100644
index 0000000..db918d4
--- /dev/null
+++ b/packages/reverse-proxy-nginx/package-conf-insecure/http-isanteplus-insecure.conf
@@ -0,0 +1,11 @@
+# iSantePlus
+server {
+ listen 8080;
+ client_max_body_size 10M;
+
+ location / {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_isanteplus isanteplus;
+ proxy_pass http://$upstream_isanteplus:8080;
+ }
+}
diff --git a/packages/reverse-proxy-nginx/package-conf-insecure/http-openhim-insecure.conf b/packages/reverse-proxy-nginx/package-conf-insecure/http-openhim-insecure.conf
new file mode 100644
index 0000000..eff8694
--- /dev/null
+++ b/packages/reverse-proxy-nginx/package-conf-insecure/http-openhim-insecure.conf
@@ -0,0 +1,40 @@
+# OpenHIM Core HTTP server config
+server {
+ listen 5001;
+ client_max_body_size 10M;
+
+ location / {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_openhim_core openhim-core;
+ proxy_pass http://$upstream_openhim_core:5001;
+ }
+}
+
+# OpenHIM Console
+server {
+ listen 80;
+
+ location /fhir-ig-importer {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_fhir_ig_importer_ui fhir-ig-importer-ui;
+ proxy_pass http://$upstream_fhir_ig_importer_ui:8080/jembi-fhir-ig-importer.js;
+ }
+
+ location /kafka-mapper-consumer-ui {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_kafka_consumer_mapper_ui kafka-mapper-consumer-ui;
+ proxy_pass http://$upstream_kafka_consumer_mapper_ui:80/jembi-kafka-mapper-consumer-ui.js;
+ }
+
+ location /reprocess-mediator-ui {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_reprocess_mediator_ui reprocess-mediator-ui;
+ proxy_pass http://$upstream_reprocess_mediator_ui:80/jembi-reprocessor-mediator-microfrontend.js;
+ }
+
+ location / {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_openhim_console openhim-console;
+ proxy_pass http://$upstream_openhim_console:80;
+ }
+}
diff --git a/packages/reverse-proxy-nginx/package-conf-insecure/stream-openhim-insecure.conf b/packages/reverse-proxy-nginx/package-conf-insecure/stream-openhim-insecure.conf
new file mode 100644
index 0000000..00b7a70
--- /dev/null
+++ b/packages/reverse-proxy-nginx/package-conf-insecure/stream-openhim-insecure.conf
@@ -0,0 +1,7 @@
+# use a stream so don't terminate ssl here
+server {
+ listen 8090;
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_openhim_core openhim-core;
+ proxy_pass $upstream_openhim_core:8080;
+}
diff --git a/packages/reverse-proxy-nginx/package-conf-secure/http-isanteplus-secure.conf b/packages/reverse-proxy-nginx/package-conf-secure/http-isanteplus-secure.conf
new file mode 100644
index 0000000..9c485ef
--- /dev/null
+++ b/packages/reverse-proxy-nginx/package-conf-secure/http-isanteplus-secure.conf
@@ -0,0 +1,31 @@
+server {
+ listen 80;
+ server_name isanteplus.*;
+
+ location /.well-known/acme-challenge/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_certbot certbot;
+ proxy_pass http://$upstream_certbot$request_uri;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name isanteplus.*;
+
+ location /.well-known/acme-challenge/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_certbot certbot;
+ proxy_pass http://$upstream_certbot$request_uri;
+ }
+
+ location / {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_isanteplus isanteplus;
+ proxy_pass http://$upstream_isanteplus:8080;
+ }
+}
diff --git a/packages/reverse-proxy-nginx/package-conf-secure/http-openhim-secure.conf b/packages/reverse-proxy-nginx/package-conf-secure/http-openhim-secure.conf
new file mode 100644
index 0000000..342bc8f
--- /dev/null
+++ b/packages/reverse-proxy-nginx/package-conf-secure/http-openhim-secure.conf
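Review bot: `stream-openhim-insecure.conf` listens on 8090, and this patch also makes `"OPENHIM_API_PORT": "8090"` the OpenHIM default, but neither `INSECURE_PORTS` value added in this patch (`.env.local`, `package-metadata.json`) contains an `8090:8090` pair. If that list drives the published ports, which is not visible here, the console would point at an API port that is never exposed. Either add the pair or state in the header comment that 8090 is reachable only on the overlay network. The comment could also be made precise, for example `# TCP passthrough: TLS is terminated by openhim-core:8080, not by nginx`.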
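Review bot: The 443 server in `http-isanteplus-secure.conf` has no `client_max_body_size`, while the insecure variant of the same service sets `client_max_body_size 10M;`. nginx then falls back to its 1m default, so uploads that work in insecure mode would be rejected with 413 once TLS is enabled; add the same line to the `listen 443 ssl` block. The `openhimcomms.*` 443 block in `http-openhim-secure.conf` has the same omission. Separately, `server_name isanteplus.*;` matches any host name that starts with that label, and `return 301 https://$host$request_uri;` echoes the client-supplied host, so binding the name to the configured domain would be tighter if the template step allows it.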
@@ -0,0 +1,117 @@
+# OpenHIM Core API server config
+server {
+ listen 80;
+ server_name openhimcomms.*;
+
+ location /.well-known/acme-challenge/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_certbot certbot;
+ proxy_pass http://$upstream_certbot$request_uri;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name openhimcomms.*;
+
+ location /.well-known/acme-challenge/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_certbot certbot;
+ proxy_pass http://$upstream_certbot$request_uri;
+ }
+
+ location / {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_openhim_core openhim-core;
+ proxy_pass https://$upstream_openhim_core:8080;
+ }
+}
+
+# OpenHIM Core HTTP server config
+server {
+ listen 80;
+ server_name openhimcore.*;
+
+ location /.well-known/acme-challenge/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_certbot certbot;
+ proxy_pass http://$upstream_certbot$request_uri;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name openhimcore.*;
+ client_max_body_size 10M;
+
+ location /.well-known/acme-challenge/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_certbot certbot;
+ proxy_pass http://$upstream_certbot$request_uri;
+ }
+
+ location / {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_openhim_core openhim-core;
+ proxy_pass https://$upstream_openhim_core:5000;
+ }
+}
+
+# OpenHIM Console
+server {
+ listen 80;
+ server_name openhimconsole.*;
+
+ location /.well-known/acme-challenge/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_certbot certbot;
+ proxy_pass http://$upstream_certbot$request_uri;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name openhimconsole.*;
+
+ location /fhir-ig-importer {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_fhir_ig_importer_ui fhir-ig-importer-ui;
+ proxy_pass http://$upstream_fhir_ig_importer_ui:8080/jembi-fhir-ig-importer.js;
+ }
+
+ location /kafka-mapper-consumer-ui {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_kafka_consumer_mapper_ui kafka-mapper-consumer-ui;
+ proxy_pass http://$upstream_kafka_consumer_mapper_ui:80/jembi-kafka-mapper-consumer-ui.js;
+ }
+
+ location /reprocess-mediator-ui {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_reprocess_mediator_ui reprocess-mediator-ui;
+ proxy_pass http://$upstream_reprocess_mediator_ui:80/jembi-reprocessor-mediator-microfrontend.js;
+ }
+
+ location /.well-known/acme-challenge/ {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_certbot certbot;
+ proxy_pass http://$upstream_certbot$request_uri;
+ }
+
+ location / {
+ resolver 127.0.0.11 valid=30s;
+ set $upstream_openhim_console openhim-console;
+ proxy_pass http://$upstream_openhim_console:80;
+ }
+}
diff --git a/packages/reverse-proxy-nginx/package-metadata.json b/packages/reverse-proxy-nginx/package-metadata.json
new file mode 100644
index 0000000..fe25f00
--- /dev/null
+++ b/packages/reverse-proxy-nginx/package-metadata.json
@@ -0,0 +1,21 @@
+{
+ "id": "reverse-proxy-nginx",
+ "name": "Nginx Reverse Proxy package",
+ "description": "nginx reverse proxy",
+ "type": "use-case",
+ "version": "0.0.1",
+ "dependencies": [],
+ "environmentVariables": {
+ "REVERSE_PROXY_INSTANCES": "1",
+ "NGINX_CPU_LIMIT": "0",
+ "NGINX_CPU_RESERVE": "0.05",
+ "NGINX_MEMORY_LIMIT": "3G",
+ "NGINX_MEMORY_RESERVE": "500M",
+ "DOMAIN_NAME": "localhost",
+ "SUBDOMAINS": "",
+ "RENEWAL_EMAIL": "dummy@jembi.org",
+ "STAGING": "true",
+ "INSECURE": "true",
+ "INSECURE_PORTS": "5001:5001-80:80-8080:8080-5601:5601-5488:5488-3000:3000-9200:9200-8089:8089-9001:9001-3033:3033-50000:50000"
+ }
+}
From c915f0b7cd3787a7c8e53f6db34011ad76c12070 Mon Sep 17 00:00:00 2001
From: Piotr Mankowski
Date: Fri, 6 Dec 2024 23:20:04 +0000
Subject: [PATCH 2/3] Action fix
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
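Review bot: The two `proxy_pass https://$upstream_openhim_core:...` locations in http-openhim-secure.conf (ports 8080 and 5000) re-encrypt to openhim-core without checking its certificate, because nginx's `proxy_ssl_verify` is off by default; the hop is encrypted but the upstream is not authenticated. I would add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path-to-internal-CA.pem>;` and `proxy_ssl_name openhim-core;` to both blocks, assuming openhim-core presents a certificate issued for that name. Terminating TLS here also means openhim-core no longer sees the caller's client certificate, whereas the insecure variant passes TLS through on 8090; if any channel depends on mutual TLS, that difference needs a comment or a passthrough listener here too.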
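Review bot: The `INSECURE_PORTS` default in package-metadata.json publishes eleven ports, but the insecure conf files added in this patch only listen on 80, 5001, 8080 and 8090, and 8090 is missing from the list. Unless nginx-temp-insecure.conf (not part of this hunk) defines the remaining listeners, ports such as 9200, 5601, 3000 and 50000 are opened on the host for nothing, and if it does define them they expose backend services over cleartext. I would trim the default to what is actually proxied, e.g. `"INSECURE_PORTS": "5001:5001-80:80-8080:8080-8090:8090"`. Since `"INSECURE": "true"` and `"STAGING": "true"` are the shipped defaults, the package description should state that any non-local deployment must override both.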
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c5faaca..b3dd57e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -32,7 +32,7 @@ jobs: run: ./get-cli.sh linux latest - name: Boot up HIE - run: ./instant project init --env-file .env.hie + run: ./instant project init --env-file .env.local - name: Display container status run: docker service ls From 84ad25c03c30abc45a62e6a58af57b3930294346 Mon Sep 17 00:00:00 2001 From: Piotr Mankowski Date: Fri, 6 Dec 2024 23:46:48 +0000 Subject: [PATCH 3/3] Updates and fixes --- config.yaml | 2 +- .../docker-compose.yml | 2 -- .../reverse-proxy-nginx/docker-compose.yml | 22 +++++++++++++++++++ 3 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 packages/reverse-proxy-nginx/docker-compose.yml diff --git a/config.yaml b/config.yaml index 1ff5f30..eff3508 100644 --- a/config.yaml +++ b/config.yaml @@ -6,6 +6,6 @@ packages: - interoperability-layer-openhim - database-mysql - emr-isanteplus - - data-pipeline-isanteplus + # - data-pipeline-isanteplus - reverse-proxy-nginx diff --git a/packages/data-pipeline-isanteplus/docker-compose.yml b/packages/data-pipeline-isanteplus/docker-compose.yml index 35a7b41..7911fa1 100644 --- a/packages/data-pipeline-isanteplus/docker-compose.yml +++ b/packages/data-pipeline-isanteplus/docker-compose.yml @@ -38,8 +38,6 @@ networks: name: isanteplus-local external: true -`` - diff --git a/packages/reverse-proxy-nginx/docker-compose.yml b/packages/reverse-proxy-nginx/docker-compose.yml new file mode 100644 index 0000000..13a0371 --- /dev/null +++ b/packages/reverse-proxy-nginx/docker-compose.yml 
@@ -0,0 +1,22 @@
+services:
+ # Proxies requests to internal services
+ reverse-proxy-nginx:
+ image: nginx:stable
+ networks:
+ public:
+ deploy:
+ replicas: ${REVERSE_PROXY_INSTANCES}
+ placement:
+ max_replicas_per_node: 1
+ resources:
+ limits:
+ cpus: ${NGINX_CPU_LIMIT}
+ memory: ${NGINX_MEMORY_LIMIT}
+ reservations:
+ cpus: ${NGINX_CPU_RESERVE}
+ memory: ${NGINX_MEMORY_RESERVE}
+
+networks:
+ public:
+ name: reverse-proxy_public
+ external: true
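Review bot: `image: nginx:stable` in the new docker-compose.yml is a floating tag, so each node can pull a different nginx build and an upstream image change reaches the internet-facing proxy without review. Pin it to a release and digest, `image: nginx:<pinned-version>@sha256:<digest>`, and bump it deliberately. The service also declares no `ports:`, `configs:` or volumes, so the published ports and the conf files from this patch are presumably attached by a deploy script outside this hunk; a comment such as `# ports and configs are added at deploy time according to INSECURE` would say where to look. Quoting the substituted values (`cpus: "${NGINX_CPU_LIMIT}"`) guards against an empty expansion being parsed as null.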