Finalize deployment for keycloak, rabbitmq, and gotenberg

Alexandros Mandilaras 2024-04-25 17:59:42 +03:00
parent 52799fdd7d
commit f1c1503b1c
13 changed files with 259 additions and 238 deletions


@ -11,7 +11,7 @@ DOCX_APP_TAG=0.0.8
JSON_APP_TAG=0.0.6
ZENODO_APP_TAG=2.0.4
POSTGRES_TAG=16-alpine
ELK_VERSION=8.13.12
ELK_VERSION=8.13.0
KEYCLOAK_TAG=24.0.2
RABBITMQ_TAG=3.13-management
GOTENBERG_TAG=8.4.0


@ -1,23 +1,24 @@
services:
############################## PROXY ########################################
# opendmp.proxy:
# user: ${DEPLOY_USER}:${DEPLOY_GROUP}
# restart: unless-stopped
# cpus: 1
# mem_limit: 256m
# ports:
# - "${PROXY_APP_PORT}:8081"
# - "${PROXY_MS_PORT}:8082"
# env_file:
# - proxy/proxy.env
# volumes:
# - proxy/nginx.conf:/etc/nginx/nginx.conf
# - proxy/ProxyNginx.conf:/etc/nginx/conf.d/default.conf
# - proxy/nginx-selfsigned.crt:/certifcates/cert.crt
# - proxy/nginx-selfsigned.key:/certifcates/key.key
# - logs/proxy:/tmp/logs
# networks:
# - opendmp-proxy-network
opendmp.proxy:
user: ${DEPLOY_USER}:${DEPLOY_GROUP}
restart: unless-stopped
cpus: 1
mem_limit: 256m
ports:
- "${PROXY_APP_PORT}:8081"
- "${PROXY_MS_PORT}:8082"
env_file:
- ./proxy/proxy.env
volumes:
# - ./proxy/template-variables:/etc/nginx/templates/10-variables.conf.template:ro
- ./proxy/nginx.conf:/etc/nginx/nginx.conf
- ./proxy/ProxyNginx.conf:/etc/nginx/conf.d/default.conf
- ./proxy/nginx-selfsigned.crt:/certifcates/cert.crt
- ./proxy/nginx-selfsigned.key:/certifcates/key.key
- ./logs/proxy:/tmp/logs
networks:
- opendmp-proxy-network
############################## OPENDMP APP #################################
# opendmp.backend:
@ -171,11 +172,17 @@ services:
# - "127.0.0.1:${POSTGRES_PORT}:5432" # If you want to make it accessible locally only
- "${POSTGRES_PORT}:5432"
env_file:
- postgres/postgres.env
- ./postgres/postgres.env
volumes:
- ./storage/postgres/data:/var/lib/postgresql/data
networks:
- opendmp-postgres-shared-network
healthcheck:
test: ["CMD-SHELL", "sh -c 'pg_isready -U opendmp-psql -d opendmp'"]
interval: 15s
timeout: 60s
retries: 5
################################# ELK #################################################
# opendmp.elasticsearch:
@ -188,18 +195,18 @@ services:
# env_file:
# - elk/config-elk/elasticsearch/elastic.env
# environment:
# - "ES_JAVA_OPTS=-Xmx512m -Xms512m"
# - ES_JAVA_OPTS=-Xmx512m -Xms512m
# ulimits:
# nproc: 65535
# memlock:
# soft: -1
# hard: -1
# volumes:
# - elk/config-elk/elasticsearch/certificates:/usr/share/elasticsearch/config/certificates
# - elk/config-elk/elasticsearch/config/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
# - elk/config-elk/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
# - elk/data-elk/elasticsearch-data:/usr/share/elasticsearch/data
# - elk/data-elk/elasticsearch-log:/usr/share/elasticsearch/logs
# - ./elk/config-elk/elasticsearch/certificates:/usr/share/elasticsearch/config/certificates
# - ./elk/config-elk/elasticsearch/config/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
# - ./elk/config-elk/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
# - ./elk/data-elk/elasticsearch-data:/usr/share/elasticsearch/data
# - ./elk/data-elk/elasticsearch-log:/usr/share/elasticsearch/logs
# expose:
# - "9200"
# - "9300"
@ -225,9 +232,9 @@ services:
# - xpack.license.self_generated.type=basic
# - xpack.security.enabled=true
# volumes:
# - elk/config-elk/kibana/certificates:/usr/share/kibana/certificates
# - elk/config-elk/kibana/certificates/ca:/usr/share/kibana/certificate_authorities
# - elk/config-elk/kibana/config:/usr/share/kibana/config:ro
# - ./elk/config-elk/kibana/certificates:/usr/share/kibana/certificates
# - ./elk/config-elk/kibana/certificates/ca:/usr/share/kibana/certificate_authorities
# - ./elk/config-elk/kibana/config:/usr/share/kibana/config:ro
# expose:
# - "5601"
# networks:
@ -240,6 +247,7 @@ services:
opendmp.keycloak:
restart: unless-stopped
command: ["start", "--log=console,file", "--log-file=/tmp/logs/keycloak.log", "--import-realm"]
# command: ["start", "--log=console,file", "--log-file=/tmp/logs/keycloak.log"]
cpus: 1
mem_limit: 1024M
security_opt:
@ -249,10 +257,10 @@ services:
environment:
- JAVA_OPTS_APPEND="-Djava.net.preferIPv4Stack=true"
volumes:
- logs/keycloak:/tmp/logs
- keycloak/imports/opendmp-realm.json:/opt/keycloak/data/import/opendmp-realm.json
- keycloak/certs/keycloak-selfsigned.crt:/tmp/keycloak-selfsigned.crt:ro
- keycloak/certs/keycloak-selfsigned.key:/tmp/keycloak-selfsigned.key:ro
- ./logs/keycloak:/tmp/logs
- ./keycloak/imports/opendmp-realm.json:/opt/keycloak/data/import/opendmp-realm.json
- ./keycloak/certs/keycloak-selfsigned.crt:/tmp/keycloak-selfsigned.crt:ro
- ./keycloak/certs/keycloak-selfsigned.key:/tmp/keycloak-selfsigned.key:ro
expose:
- "8443"
networks:
@ -261,34 +269,34 @@ services:
- opendmp-keycloak-shared-network
# ############################## RABBITMQ ###############################################
# opendmp.rabbitmq:
# labels:
# NAME: "rabbitmq"
# cpus: 1
# mem_limit: 512m
# restart: unless-stopped
# expose:
# - "15672"
# - "5672"
# env_file:
# - rabbitmq/rabbitmq.env
# # volumes:
# # - /rabbitmq/rabbitmq.config:/etc/rabbitmq/rabbitmq.config:ro
# networks:
# - opendmp-proxy-network
# - opendmp-rabbitmq-shared-network
opendmp.rabbitmq:
labels:
NAME: "rabbitmq"
cpus: 1
mem_limit: 512m
restart: unless-stopped
ports:
- "0.0.0.0:15672:15672"
- "0.0.0.0:5672:5672"
env_file:
- rabbitmq/rabbitmq.env
volumes:
- /rabbitmq/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf:ro
networks:
- opendmp-proxy-network
- opendmp-rabbitmq-shared-network
# ############################## GOTENBERG ##############################################
# opendmp.gotenberg:
# mem_limit: 2048m
# restart: unless-stopped
# expose:
# - "3000"
# hostname: gotenberg
# env_file:
# - gotenberg/gotenberg.env
# networks:
# - opendmp-gotenberg-shared-network
opendmp.gotenberg:
mem_limit: 2048m
restart: unless-stopped
expose:
- "3000"
hostname: gotenberg
env_file:
- gotenberg/gotenberg.env
networks:
- opendmp-gotenberg-shared-network
networks:
opendmp-elastic-network:
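Review bot: The uncommented opendmp.rabbitmq service (L162-L177) publishes the management UI and the AMQP listener on every host interface with `"0.0.0.0:15672:15672"` and `"0.0.0.0:5672:5672"`, whereas the old commented block only used `expose` and the nginx `/rabbitmq/` location is removed elsewhere in this commit, so the broker becomes reachable directly from outside the compose networks; `"127.0.0.1:15672:15672"` follows the local-only pattern the postgres hunk's own comment shows, or `expose` is enough if only the backends on opendmp-rabbitmq-shared-network need it. The mount `/rabbitmq/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf:ro` is a host-absolute path at the filesystem root, which looks like a typo for `./rabbitmq/rabbitmq.conf` given that this same commit rewrites the proxy, postgres and keycloak mounts to `./`-relative paths. The `env_file` entries `rabbitmq/rabbitmq.env` and `gotenberg/gotenberg.env` have the same inconsistency against `./proxy/proxy.env` and `./postgres/postgres.env`. opendmp-proxy-network is still listed on rabbitmq although nothing in the proxy forwards to it any more; dropping it keeps the broker off the proxy's network.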


@ -1,8 +1,11 @@
services:
############################## PROXY ########################################
# opendmp.proxy:
# container_name: opendmp.proxy
# image: nginx:${PROXY_TAG}
opendmp.proxy:
container_name: opendmp.proxy
image: nginx:${PROXY_TAG}
depends_on:
- opendmp.keycloak
# - opendmp.kibana
# ############################## OPENDMP APP #################################
@ -67,9 +70,11 @@ services:
# container_name: opendmp.elasticsearch
# image: elasticsearch
# build:
# context: /elk/elasticsearch/
# context: ./elk/elasticsearch/
# args:
# ELK_VERSION: $ELK_VERSION
# DEPLOY_USER : $DEPLOY_USER
# DEPLOY_GROUP : $DEPLOY_GROUP
# # opendmp.logstash:
# # container_name: opendmp.logstash
@ -85,9 +90,11 @@ services:
# container_name: opendmp.kibana
# image: kibana
# build:
# context: /elk/kibana/
# context: ./elk/kibana/
# args:
# ELK_VERSION: $ELK_VERSION
# DEPLOY_USER : $DEPLOY_USER
# DEPLOY_GROUP : $DEPLOY_GROUP
# depends_on:
# - opendmp.elasticsearch
@ -105,13 +112,16 @@ services:
opendmp.keycloak:
container_name: opendmp.keycloak
image: quay.io/keycloak/keycloak:${KEYCLOAK_TAG}
depends_on:
opendmp.postgres:
condition: service_healthy
# ############################## RABBITMQ ###############################################
# opendmp.rabbitmq:
# container_name: opendmp.rabbitmq
# image: rabbitmq:${RABBITMQ_TAG}
opendmp.rabbitmq:
container_name: opendmp.rabbitmq
image: rabbitmq:${RABBITMQ_TAG}
# ############################## GOTENBERG ##############################################
# opendmp.gotenberg:
# image: gotenberg/gotenberg:${GOTENBERG_TAG}
# container_name: opendmp.gotenberg
opendmp.gotenberg:
image: gotenberg/gotenberg:${GOTENBERG_TAG}
container_name: opendmp.gotenberg
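Review bot: `condition: service_healthy` on the keycloak → postgres dependency (L245-L247) relies on a healthcheck that is declared in the other compose file touched by this commit, so running this file without that override is expected to fail on a missing healthcheck; a comment such as `# requires the opendmp.postgres healthcheck declared in the override file` next to it makes the coupling visible. The proxy's `depends_on: - opendmp.keycloak` (L213-L214) is the short form and only waits for the container to be created, not for Keycloak to be ready, which is acceptable for nginx but worth stating since the keycloak entry just below uses the long form.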


@ -1,18 +1,23 @@
ARG ELK_VERSION
ARG DEPLOY_USER
ARG DEPLOY_GROUP
# https://github.com/elastic/elasticsearch-docker
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELK_VERSION}
ARG DEPLOY_USER
ARG DEPLOY_GROUP
ENV DEPLOY_USER $DEPLOY_USER
ENV DEPLOY_GROUP $DEPLOY_GROUP
RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-icu && \
/usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-phonetic
USER root
RUN groupmod -g ${DEPLOY_USER} elasticsearch
RUN usermod -u ${DEPLOY_USER} -g ${DEPLOY_USER} elasticsearch
RUN groupmod -g ${DEPLOY_GROUP} elasticsearch
RUN usermod -u ${DEPLOY_USER} -g ${DEPLOY_GROUP} elasticsearch
RUN chown -R elasticsearch /usr/share/elasticsearch
RUN sed -i -e 's/--userspec=1000/--userspec=${DEPLOY_USER}/g' \
-e 's/UID 1000/UID ${DEPLOY_USER}/' \
-e 's/chown -R 1000/chown -R ${DEPLOY_USER}/' /usr/local/bin/docker-entrypoint.sh
RUN sed -i -e 's/--userspec=1000/--userspec=1000/g' \
-e 's/UID 1000/UID 1000/' \
-e 's/chown -R 1000/chown -R 1000/' /usr/local/bin/docker-entrypoint.sh
RUN chown elasticsearch /usr/local/bin/docker-entrypoint.sh
ENV JAVA_HOME /usr/share/elasticsearch/jdk
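Review bot: The rewritten `sed` at L286-L288 replaces `--userspec=1000` with `--userspec=1000`, `UID 1000` with `UID 1000` and `chown -R 1000` with `chown -R 1000`, i.e. a no-op, while the `groupmod`/`usermod` lines just above move the elasticsearch user to `${DEPLOY_USER}`/`${DEPLOY_GROUP}`; if L286-L288 is the new side, as the old-then-new print order suggests, docker-entrypoint.sh keeps chowning and dropping privileges to UID 1000 instead of the deploy user. Double quotes let the build arg expand at build time, `"s/--userspec=1000/--userspec=${DEPLOY_USER}/g"` (and likewise for the other two expressions), which appears to be what the earlier single-quoted version intended. `ENV DEPLOY_USER $DEPLOY_USER` and `ENV DEPLOY_GROUP $DEPLOY_GROUP` (also in the kibana Dockerfile of this commit) use the legacy whitespace form that BuildKit warns about; `ENV DEPLOY_USER=$DEPLOY_USER` is the documented form. Neither `ARG DEPLOY_USER` nor `ARG DEPLOY_GROUP` has a default in either Dockerfile, so a build without `--build-arg` reaches `groupmod -g  elasticsearch` with an empty id and fails with an unhelpful error rather than at the ARG line.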


@ -1,14 +1,21 @@
ARG ELK_VERSION
ARG DEPLOY_USER
ARG DEPLOY_GROUP
# https://github.com/elastic/kibana-docker
FROM docker.elastic.co/kibana/kibana:${ELK_VERSION}
ARG DEPLOY_USER
ARG DEPLOY_GROUP
ENV DEPLOY_USER $DEPLOY_USER
ENV DEPLOY_GROUP $DEPLOY_GROUP
USER root
RUN groupmod -g 1008 kibana
RUN usermod -u 1008 -g 1008 kibana
RUN groupmod -g ${DEPLOY_GROUP} kibana
RUN usermod -u ${DEPLOY_USER} -g ${DEPLOY_GROUP} kibana
RUN chown -R kibana /usr/share/kibana
USER 1008:1008
USER ${DEPLOY_USER}:${DEPLOY_GROUP}
# Add your kibana plugins setup here
# Example: RUN kibana-plugin install <name|url>


@ -5,14 +5,15 @@ KC_DB_URL_HOST=opendmp.postgres
KC_DB_SCHEMA=public
KC_DB_URL_DATABASE=keycloak
KC_DB_PORT=5432
KC_DB_USERNAME=keycloak-admin
KC_DB_PASSWORD=admin
KC_DB_USERNAME=keycloak-psql
KC_DB_PASSWORD=keycloak-admin
#Keycloak related configuration
KEYCLOAK_ADMIN=opendmp-admin
KEYCLOAK_ADMIN=keycloak-admin
KEYCLOAK_ADMIN_PASSWORD=admin
KC_HOSTNAME_URL=https://localhost:8082
KC_HOSTNAME_ADMIN_URL=https://localhost:8082
KC_HOSTNAME_URL=https://localhost:8082/keycloak
KC_HOSTNAME_ADMIN_URL=https://localhost:8082/keycloak
KC_HTTP_RELATIVE_PATH=/keycloak
KC_PROXY_HEADERS=xforwarded
KC_HOSTNAME_STRICT_HTTPS=true
KC_HOSTNAME_STRICT_BACKCHANNEL=true
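Review bot: `KC_DB_PASSWORD=keycloak-admin` at L324, next to the unchanged `KEYCLOAK_ADMIN_PASSWORD=admin`, commits a plaintext credential that is also the admin username chosen on L327; the same pattern is introduced in postgres.env (`POSTGRES_PASSWORD=postgres-admin`) and user_init.sql (`'keycloak-admin'`, `'opendmp-admin'`), and rabbitmq.env keeps `guest`/`guest`. If these are deliberate development defaults, a header comment such as `# Development defaults only; override from an untracked .env or a secret store before any shared deployment` at the top of each of these files makes that explicit, and the password can be interpolated from an untracked `.env` instead of being stored in a committed env_file. `KC_HOSTNAME_URL=https://localhost:8082/keycloak` together with `KC_HTTP_RELATIVE_PATH=/keycloak` and `KC_PROXY_HEADERS=xforwarded` reads consistently with the nginx `/keycloak/` location, but `localhost` pins the frontend URL used in issued tokens and redirects, so it must match the externally reachable host; a one-line comment stating that would save the next deployer a debugging round.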


@ -3,7 +3,6 @@ ARG DEPLOY_USER
ARG DEPLOY_GROUP
FROM postgres:${POSTGRES_TAG}
COPY ./opendmp_init.sql /docker-entrypoint-initdb.d/
COPY ./keycloak_init.sql /docker-entrypoint-initdb.d/
COPY ./user_init.sql /docker-entrypoint-initdb.d/
ENTRYPOINT ["docker-entrypoint.sh"]
EXPOSE 5432


@ -1,12 +1,3 @@
--
-- PostgreSQL database dump
--
-- Dumped from database version 16.2
-- Dumped by pg_dump version 16.2
-- Started on 2024-04-25 13:31:48
SET statement_timeout = 0;
SET lock_timeout = 0;
SET idle_in_transaction_session_timeout = 0;
@ -20,13 +11,13 @@ SET row_security = off;
--
-- TOC entry 4132 (class 1262 OID 49907)
-- Name: opendmp-test; Type: DATABASE; Schema: -; Owner: -
-- Name: opendmp; Type: DATABASE; Schema: -; Owner: -
--
CREATE DATABASE "opendmp-test" WITH TEMPLATE = template0 ENCODING = 'UTF8' LOCALE_PROVIDER = libc LOCALE = 'en_US.utf8';
CREATE DATABASE "opendmp" WITH TEMPLATE = template0 ENCODING = 'UTF8' LOCALE_PROVIDER = libc LOCALE = 'en_US.utf8';
\connect -reuse-previous=on "dbname='opendmp-test'"
\connect -reuse-previous=on "dbname='opendmp'"
SET statement_timeout = 0;
SET lock_timeout = 0;


@ -1,4 +1,3 @@
#################### POSTGRES ########################
POSTGRES_USER=postgres
POSTGRES_PASSWORD=changeme
PGDATA=/var/lib/postgresql/data/
POSTGRES_PASSWORD=postgres-admin


@ -1,4 +1,4 @@
CREATE USER keycloak_psql WITH PASSWORD 'keycloak-admin';
ALTER DATABASE keycloak OWNER TO keycloak_psql;
CREATE USER opendmp_psql WITH PASSWORD 'opendmp-admin';
ALTER DATABASE "opendmp-test" OWNER TO opendmp_psql;
CREATE USER "keycloak-psql" WITH PASSWORD 'keycloak-admin';
CREATE DATABASE keycloak WITH OWNER "keycloak-psql";
CREATE USER "opendmp-psql" WITH PASSWORD 'opendmp-admin';
ALTER DATABASE "opendmp" OWNER TO "opendmp-psql";
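Review bot: `CREATE DATABASE keycloak WITH OWNER "keycloak-psql"` at L391 now takes over the job of the `keycloak_init.sql` that this commit drops from the postgres Dockerfile, and `ALTER DATABASE "opendmp"` on L393 relies on opendmp_init.sql having run first; both only hold because docker-entrypoint-initdb.d executes files in lexical order (`opendmp_init.sql` before `user_init.sql`). A leading comment such as `-- Runs after opendmp_init.sql (lexical initdb.d order): creates the keycloak DB and assigns owners` records that dependency so a later rename does not silently break provisioning. The switch from `keycloak_psql` to the quoted `"keycloak-psql"` means every later SQL reference must quote the hyphenated name, while connection parameters such as the `pg_isready -U opendmp-psql` healthcheck and `KC_DB_USERNAME=keycloak-psql` pass it verbatim and are unaffected.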


@ -6,6 +6,8 @@ server {
}
server {
set $app_host $APP_HOST;
set $app_port $APP_PORT;
listen 8080;
server_name ${APP_HOST}${APP_PORT};
location / {
@ -13,74 +15,88 @@ server {
}
}
# server {
# set $app_host $APP_HOST;
# set $app_port $APP_PORT;
# listen 8081 ssl;
# ssl_certificate /certifcates/cert.crt;
# ssl_certificate_key /certifcates/key.key;
# server_name ${APP_HOST}${APP_PORT};
# proxy_pass_header Server;
# add_header X-XSS-Protection "1; mode=block" always;
# add_header X-Content-Type-Options nosniff;
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# add_header Referrer-Policy 'strict-origin' always;
# add_header Feature-Policy "usb 'none'; xr-spatial-tracking 'none'" always;
# add_header Permissions-Policy "geolocation=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=()" always;
# location / {
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# # Fix the “It appears that your reverse proxy set up is broken" error.
# proxy_pass http://opendmp.frontend:8080;
# proxy_read_timeout 90;
# proxy_redirect http://opendmp.frontend:8080 https://${APP_HOST}${APP_PORT};
# }
# location /api/ {
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# # Fix the “It appears that your reverse proxy set up is broken" error.
# proxy_pass http://opendmp.backend:8080;
# proxy_read_timeout 90;
# proxy_redirect http://opendmp.backend:8080 https://${APP_HOST}${APP_PORT}/api;
# }
# location /api/notification/ {
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# # Fix the “It appears that your reverse proxy set up is broken" error.
# proxy_pass http://opendmp.notification:8080;
# proxy_read_timeout 90;
# proxy_redirect http://opendmp.notification:8080 https://${APP_HOST}${APP_PORT}/api/notification;
# }
# location /api/annotation/ {
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# # Fix the “It appears that your reverse proxy set up is broken" error.
# proxy_pass http://opendmp.annotation:8080;
# proxy_read_timeout 90;
# proxy_redirect http://opendmp.annotation:8080 https://${APP_HOST}${APP_PORT}/api/annotation;
# }
# }
server {
listen 8081 ssl;
ssl_certificate /certifcates/cert.crt;
ssl_certificate_key /certifcates/key.key;
server_name ${APP_HOST}${APP_PORT};
proxy_pass_header Server;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header Referrer-Policy 'strict-origin' always;
add_header Feature-Policy "usb 'none'; xr-spatial-tracking 'none'" always;
add_header Permissions-Policy "geolocation=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=()" always;
set $ms_host $MS_HOST;
set $ms_port $MS_PORT;
listen 8080;
server_name ${MS_HOST}${MS_PORT};
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://opendmp.frontend:8080;
proxy_read_timeout 90;
proxy_redirect http://opendmp.frontend:8080 https://${APP_HOST}${APP_PORT};
}
location /api/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://opendmp.backend:8080;
proxy_read_timeout 90;
proxy_redirect http://opendmp.backend:8080 https://${APP_HOST}${APP_PORT}/api;
}
location /api/notification/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://opendmp.notification:8080;
proxy_read_timeout 90;
proxy_redirect http://opendmp.notification:8080 https://${APP_HOST}${APP_PORT}/api/notification;
}
location /api/annotation/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://opendmp.annotation:8080;
proxy_read_timeout 90;
proxy_redirect http://opendmp.annotation:8080 https://${APP_HOST}${APP_PORT}/api/annotation;
return 301 https://$host$request_uri;
}
}
server {
set $ms_host $MS_HOST;
set $ms_port $MS_PORT;
listen 8082 ssl;
ssl_certificate /certifcates/cert.crt;
ssl_certificate_key /certifcates/key.key;
@ -111,23 +127,6 @@ server {
proxy_redirect http://opendmp.keycloak:8443 https://${MS_HOST}${MS_PORT}/keycloak;
}
location /rabbitmq/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass https://opendmp.rabbitmq:15672;
proxy_read_timeout 90;
proxy_redirect http://opendmp.rabbitmq:15672 https://${MS_HOST}${MS_PORT}/rabbitmq;
}
location /elastic/ {
proxy_set_header Host $host;
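Review bot: The new `set $app_host $APP_HOST;` / `set $app_port $APP_PORT;` lines (L400-L401, and the `$MS_HOST`/`$MS_PORT` counterparts at L475-L476 and L522-L523) reference `$APP_HOST` as an nginx variable, which nginx does not populate from the process environment; unless this file is rendered through the image's envsubst template directory (the `/etc/nginx/templates` mount in the compose hunk is commented out and the file is mounted straight to `/etc/nginx/conf.d/default.conf`), config validation rejects it with an unknown-variable error, and the `${APP_HOST}${APP_PORT}` spellings in `proxy_redirect` have the same problem. In the now-active 8081 server, `add_header X-Content-Type-Options nosniff;` (L470) and the Strict-Transport-Security line (L471) lack the `always` flag carried by the neighbouring headers, so they are omitted on error responses; `add_header X-Content-Type-Options nosniff always;` and `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;` make the set consistent. `proxy_pass_header Server;` (L468) forwards the upstream's Server banner to clients, which is normally suppressed rather than passed through. L475-L478 print a second `listen 8080;` and `server_name ${MS_HOST}${MS_PORT};` between the 8081 server's headers and its locations; if those lines are on the new side inside the same `server {}` block, that block also answers plain HTTP on 8080 for the MS host, which looks like an unintended merge rather than a design choice. The 8082 server block starting at L521 continues outside the hunk.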


@ -0,0 +1,2 @@
deprecated_features.permit.management_metrics_collection = false
proxy_protocol = true
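Review bot: `proxy_protocol = true` makes the AMQP listener require a PROXY-protocol header on every connection and refuse plain ones, but this commit removes the nginx `/rabbitmq/` location and publishes 5672 and 15672 directly from the compose file, so the backends on opendmp-rabbitmq-shared-network and anything using the published port connect without that header and are dropped. Either keep the line and front the broker with a PROXY-protocol-aware TCP proxy (an nginx `stream` block with `proxy_protocol on;`), or remove it while the broker is reached directly; as far as I can tell the management HTTP listener is configured separately and is not covered by this key. Since the file is new, a comment per line would help: `# AMQP listeners expect a PROXY protocol header; only enable behind a stream proxy that sends one` and `# opts out of the deprecated management-plugin metrics collection (confirm against the RabbitMQ version in RABBITMQ_TAG)`.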


@ -1,3 +1,3 @@
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
RABBITMQ_DEFAULT_VHOST=/rabbitmq/
RABBITMQ_DEFAULT_VHOST=/