├── .env ├── .gitattributes ├── .github └── workflows │ ├── pre-release.yml │ └── release.yml ├── .gitignore ├── Documents └── Database.md ├── Jenkinsfile ├── Jenkinsfile_pgdump-only ├── Jenkinsfile_pushContainer ├── LICENSE ├── Netzlink Logo Weiss-Rot.png ├── README.md ├── Rscript └── Dockerfile ├── apache2 ├── Dockerfile ├── certs │ ├── sormas-docker-test.com.crt │ └── sormas-docker-test.com.key ├── httpd-ssl.conf ├── httpd.conf ├── index.html ├── mod_auth_openidc.so └── vhost.conf.sh ├── apache2nginx.sh ├── build_lbds.Jenkinsfile ├── build_polling_github.Jenkinsfile ├── central ├── .env ├── .env_etcd ├── .env_keycloak ├── .gitignore ├── backup │ ├── .gitignore │ ├── Dockerfile │ ├── README.md │ ├── entrypoint.sh │ ├── main.sh │ └── tests │ │ ├── backup-multiple.sh │ │ ├── backup.sh │ │ ├── check.sh │ │ ├── docker-compose.yml │ │ ├── start.sh │ │ └── testers │ │ ├── etcd │ │ ├── Dockerfile │ │ └── res │ │ │ ├── entrypoint.sh │ │ │ ├── etcd-secured.yml │ │ │ ├── etcd.yml │ │ │ └── setup.sh │ │ └── postgres │ │ ├── Dockerfile │ │ └── res │ │ ├── entrypoint.sh │ │ ├── first.sql │ │ └── second.sql ├── docker-compose-build.yml ├── docker-compose.yml ├── etcd │ ├── Dockerfile │ ├── etcd.yml │ ├── fixtures │ │ ├── import.txt │ │ └── server-descriptors.txt │ ├── setup_and_run.sh │ └── tls-setup │ │ ├── Makefile │ │ ├── README.md │ │ ├── certs │ │ ├── ca │ │ │ ├── ca-key.pem │ │ │ ├── ca.csr │ │ │ └── ca.pem │ │ ├── etcd │ │ │ ├── etcd-key.pem │ │ │ ├── etcd.csr │ │ │ └── etcd.pem │ │ └── peer-etcd │ │ │ ├── peer-etcd-key.pem │ │ │ ├── peer-etcd.csr │ │ │ └── peer-etcd.pem │ │ └── config │ │ ├── ca-config.json │ │ ├── ca-csr.json │ │ └── req-csr.json └── keycloak │ └── import │ └── realm-s2s.json.example ├── database_update.sql ├── docker-compose-angular.yml ├── docker-compose-build.yml ├── docker-compose-external-db.yml ├── docker-compose-keycloak.yml ├── docker-compose-ldbs.yml ├── docker-compose-s2s.yml ├── docker-compose-sb-keycloak.yml ├── docker-compose-sb.yml ├── 
docker-compose.yml ├── docker-compose_nginx.yml ├── keycloak-postgres ├── Dockerfile ├── README.md └── psql.conf ├── keycloak ├── Dockerfile ├── README.md ├── start-keycloak.sh └── update-realm.sh ├── lbds ├── Dockerfile ├── Jenkinsfile └── entrypoint.sh ├── letsencrypt ├── Dockerfile ├── certs │ └── sormas-docker-test.com │ │ ├── fullchain.pem │ │ └── privkey.pem ├── package_versions.txt └── root │ ├── app │ ├── duckdns-txt │ └── le-renew.sh │ ├── defaults │ ├── default │ ├── dns-conf │ │ ├── aliyun.ini │ │ ├── cloudflare.ini │ │ ├── cloudxns.ini │ │ ├── cpanel.ini │ │ ├── digitalocean.ini │ │ ├── dnsimple.ini │ │ ├── dnsmadeeasy.ini │ │ ├── domeneshop.ini │ │ ├── gandi.ini │ │ ├── google.json │ │ ├── inwx.ini │ │ ├── linode.ini │ │ ├── luadns.ini │ │ ├── nsone.ini │ │ ├── ovh.ini │ │ ├── rfc2136.ini │ │ ├── route53.ini │ │ └── transip.ini │ ├── fail2ban │ │ ├── fail2ban.local │ │ └── filter.d │ │ │ └── nginx-badbots.conf │ ├── jail.local │ ├── ldap.conf │ ├── nginx.conf │ ├── proxy.conf │ ├── ssl.conf │ └── vhost.conf.sh │ └── etc │ ├── cont-init.d │ ├── 50-config │ └── 60-renew │ ├── crontabs │ └── root │ ├── logrotate.d │ ├── fail2ban │ └── lerotate │ └── services.d │ └── fail2ban │ └── run ├── logo.png ├── payara └── Dockerfile ├── pg_debug ├── Dockerfile └── debug.sh ├── pg_dump ├── Dockerfile ├── entrypoint.sh ├── pg_dump └── prescripts.d │ └── 00-migrate-dumps.sh ├── postgres ├── Dockerfile ├── README.md ├── alter_system.py ├── docker-entrypoint.sh ├── psql.conf ├── setup_sormas.sh ├── tuning_parameters.conf └── update_sormas.sh ├── services-base.yml ├── setup_dev.sh └── sormas ├── Dockerfile ├── Dockerfile_DE ├── additional_wars └── docker-copy-dummy.txt ├── admin.json ├── docker-entrypoint.sh ├── entrypoint └── start-server.sh ├── glowroot-0.13.6-dist.zip └── setup-server.sh /.env: -------------------------------------------------------------------------------- 1 | SORMAS_POSTGRES_PASSWORD=password 2 | SORMAS_POSTGRES_USER=sormas_user 3 | 4 | 
SORMAS_DOCKER_VERSION=2.47.0-rc2
SORMAS_VERSION=1.86.0
# only needed for CI build systems
SORMAS_DEMIS_VERSION=1.27.0

# NOTE(review): this file is the checked-in defaults template and is also
# "source"d by the Jenkinsfiles; the "password" / "changeit" / "changeme"
# values below are placeholders, not deployment secrets.
SORMAS_SERVER_URL=sormas-docker-test.com
SORMAS_URL=https://github.com/hzi-braunschweig/SORMAS-Project/releases/download/

SORMAS_DISTRICT_EXTERNAL_ID=''

# Keycloak database and admin account: placeholder credentials.
KEYCLOAK_DB_HOST=keycloak-postgres
KEYCLOAK_DB_USER=keycloak
KEYCLOAK_DB_PASSWORD=password
KEYCLOAK_ADMIN_USER=admin
KEYCLOAK_ADMIN_PASSWORD=password

# OIDC client secrets for the three SORMAS clients: placeholder values.
KEYCLOAK_SORMAS_UI_SECRET=changeit
KEYCLOAK_SORMAS_REST_SECRET=changeit
KEYCLOAK_SORMAS_BACKEND_SECRET=changeit

DB_HOST=postgres
DOMAIN_NAME=sormas
DB_NAME=sormas
DB_JDBC_MAXPOOLSIZE=512
DB_JDBC_IDLE_TIMEOUT=300
LOCALE=de-DE
COUNTRY_NAME=germany
EPIDPREFIX=DEU
# Mail relay is a private (10.x) address; SMTP auth, STARTTLS and SSL are all
# disabled below, so this only works against a trusted internal relay.
MAIL_HOST=10.210.4.13
SMTP_PORT=25
SMTP_USER=
SMTP_PASSWORD=
SMTP_STARTTLS=false
SMTP_SSL=false
SMTP_ASYNC_SENDING=false
SMTP_AUTH_ENABLED=false
EMAIL_NOTIFICATION_ENABLED=false
LOG_SENDER_ADDRESS=noreply@sormas.netzlink.com
LOG_RECIPIENT_ADDRESS=
LOG_SUBJECT="SORMAS [TEST]: %logger{20} - %m"
SEPARATOR=\;
EMAIL_SENDER_ADDRESS=noreply@sormas-docker-test.com
EMAIL_SENDER_NAME=SORMAS
LATITUDE=52.2109803
LONGITUDE=10.5314925
MAP_ZOOM=10
MAIL_FROM="root@localhost"
SORMAS_PATH=/srv/dockerdata/sormas
# Container resource limits (memory / CPU) for the compose services.
APPSERVER_JVM_MAX=4096M
APPSERVER_MEM=4300M
APPSERVER_MEM_RESERVED=1500M
WEBSERVER_MEM=1000M
WEBSERVER_MEM_RESERVED=200M
WEBSERVER_CPUS=2.0
KEYCLOAK_CPUS=2.0
KEYCLOAK_MEM=1024M
KEYCLOAK_MEM_RESERVED=512M
DB_MEM=5000M
DB_MEM_RESERVED=1000M
DB_CPUS=4.0
# ALLOWED_FILE_EXTENSIONS=".pdf,.txt,.doc,.docx,.odt,.xls,.xlsx,.ods,.ppt,.pptx,.odp,.jpg,.jpeg,.png,.gif,.msg"

HTTP_TIMEOUT=3600

KEYCLOAK_DB_MEM=2000M
KEYCLOAK_DB_MEM_RESERVED=1000M
KEYCLOAK_DB_CPUS=2.0

DB_DUMP_MEM=500M
DB_DUMP_MEM_RESERVED=100M
DB_DUMP_CPUS=1.0
TZ=Europe/Berlin
DISABLE_CERTBOT=true
LETSENCRYPT_MAIL=
GEO_UUID=
DEVMODE=false
JSON_LOGGING=false
PROMETHEUS_SERVERS=127.0.0.1
NAMESIMILARITYTHRESHOLD=0.4D
CREATE_DEFAULT_ENTITIES=false
# NOTE(review): the Jenkinsfiles delete this line (sed '/^GEO_TEMPLATE/d')
# before running "source ./.env" — presumably because the unquoted '&' and the
# ${street}-style URL placeholders do not survive shell sourcing; confirm.
GEO_TEMPLATE=https://sg.geodatenzentrum.de/gdz_geokodierung_bund__${GEO_UUID}/geosearch.json?query=${street}+${houseNumber},${postalCode}+${city}&filter=typ:haus&count1
GEO_LONG_TEMPLATE=$.features[0].geometry.coordinates[0]
GEO_LAT_TEMPLATE=$.features[0].geometry.coordinates[1]
DC_EXCLUDE_ARCHIVED_PERSON_ENTRIES=false
MAP_USECOUNTRYCENTER=true
FEATURE_AUTOMATICCASECLASSIFICATION=false

CUSTOMBRANDING_ENABLED=false
CUSTOMBRANDING_NAME=SORMAS
CUSTOMBRANDING_LOGO_PATH=none
CUSTOMBRANDING_USE_LOGINSIDEBAR=true
CUSTOMBRANDING_LOGINBACKGROUND_PATH=

# SORMAS Central
#SORMAS_CENTRAL_ENABLED=1
CENTRAL_OIDC_URL=localhost:8080
CENTRAL_ETCD_HOST=localhost:2379
CENTRAL_ETCD_CA_PATH=/opt/sormas/central/etcd/ca.pem
CENTRAL_LOCATION_SYNC=false

# SORMAS2SORMAS
#SORMAS2SORMAS_ENABLED=1
SORMAS2SORMAS_PATH=/opt/sormas/sormas2sormas/
SORMAS2SORMAS_KEYALIAS= # seems to be unused
SORMAS2SORMAS_ID=HZITEST
# Keystore / truststore passwords below are placeholders ("password").
SORMAS2SORMAS_KEYSTORENAME=sormas-docker-test.com.s2s.keystore.p12
SORMAS2SORMAS_KEYPASSWORD=password
SORMAS2SORMAS_ROOTCAALIAS=S2SCA
SORMAS2SORMAS_TRUSTSTORENAME=sormas-docker-test.com.truststore.p12
SORMAS2SORMAS_TRUSTSTOREPASSWORD=password

SORMAS2SORMAS_OIDC_REALM=s2s
SORMAS2SORMAS_OIDC_CLIENTID=HZITEST
SORMAS2SORMAS_OIDC_CLIENTSECRET=changeme

SORMAS2SORMAS_ETCD_CLIENTNAME=s2s-client
SORMAS2SORMAS_ETCD_CLIENTPASSWORD=password
SORMAS2SORMAS_ETCD_KEYPREFIX=s2s

# "changeit" is the well-known default password of the Java cacerts store.
CACERTS_PASS=changeit
KEYSTORE_PASS=changeit

SORMAS_ORG_ID=HZI_TEST
SORMAS_ORG_NAME="HZI Braunschweig"

129 | LBDS_CONTEXT_PATH=/changeit 130 | LBDS_JAR_FILE_VERSION=1.14.5 131 | LBDS_POSTGRES_USER=changeit 132 | LBDS_POSTGRES_PASSWORD=changeit 133 | CROWDCODE_NEXUS_USER=crowdcode_nexus_user 134 | CROWDCODE_NEXUS_PASSWORD=crowdcode_nexus_password 135 | LINKMOBILITY_USER=changeit 136 | LINKMOBILITY_PASSWORD=changeit 137 | 138 | AS_ADMIN_NEWPASSWORD=N3wAsAdm!nPW 139 | 140 | BACKUP_FILES="documents custom" 141 | 142 | SORMAS_ANGULAR_KEYCLOAK_REALM=SORMAS 143 | SORMAS_ANGULAR_KEYCLOAK_CLIENT_ID=sormas-angular 144 | 145 | GLOWROOT_ENABLED=false 146 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # These files are text and should be normalized (convert crlf => lf) 2 | # See https://help.github.com/articles/dealing-with-line-endings/ 3 | # And especially https://adaptivepatchwork.com/2012/03/01/mind-the-end-of-your-line/ 4 | 5 | ## GITATTRIBUTES FOR WEB PROJECTS 6 | # 7 | # These settings are for any web project. 8 | # 9 | # Details per file setting: 10 | # text These files should be normalized (i.e. convert CRLF to LF). 11 | # binary These files are binary and should be left untouched. 12 | # 13 | # Note that binary is a macro for -text -diff. 14 | ###################################################################### 15 | 16 | ## AUTO-DETECT 17 | ## Handle line endings automatically for files detected as 18 | ## text and leave all files detected as binary untouched. 19 | ## This will handle all files NOT defined below. 
20 | * text=auto 21 | 22 | ## SOURCE CODE 23 | *.bat text eol=crlf 24 | *.coffee text 25 | *.css text 26 | gradlew text eol=lf 27 | *.htm text 28 | *.html text 29 | *.inc text 30 | *.ini text 31 | *.js text 32 | *.json text 33 | *.jsx text 34 | *.less text 35 | *.pom text 36 | *.od text 37 | *.onlydata text 38 | *.php text 39 | *.pl text 40 | *.py text eol=lf 41 | *.rb text 42 | *.sass text 43 | *.scm text 44 | *.scss text 45 | *.sh text eol=lf 46 | *.sql text 47 | *.styl text 48 | *.tag text 49 | *.ts text 50 | *.tsx text 51 | *.xml text 52 | *.xhtml text 53 | 54 | ## DOCKER 55 | *.dockerignore text 56 | Dockerfile text eol=lf 57 | 58 | ## DOCUMENTATION 59 | *.markdown text 60 | *.md text 61 | *.mdwn text 62 | *.mdown text 63 | *.mkd text 64 | *.mkdn text 65 | *.mdtxt text 66 | *.mdtext text 67 | *.txt text 68 | AUTHORS text 69 | CHANGELOG text 70 | CHANGES text 71 | CONTRIBUTING text 72 | COPYING text 73 | copyright text 74 | *COPYRIGHT* text 75 | INSTALL text 76 | license text 77 | LICENSE text 78 | NEWS text 79 | readme text 80 | *README* text 81 | TODO text 82 | 83 | ## TEMPLATES 84 | *.dot text 85 | *.ejs text 86 | *.haml text 87 | *.handlebars text 88 | *.hbs text 89 | *.hbt text 90 | *.jade text 91 | *.latte text 92 | *.mustache text 93 | *.njk text 94 | *.phtml text 95 | *.tmpl text 96 | *.tpl text 97 | *.twig text 98 | 99 | ## LINTERS 100 | .csslintrc text 101 | .eslintrc text 102 | .htmlhintrc text 103 | .jscsrc text 104 | .jshintrc text 105 | .jshintignore text 106 | .stylelintrc text 107 | 108 | ## CONFIGS 109 | *.bowerrc text 110 | *.cnf text 111 | *.conf text 112 | *.config text 113 | .browserslistrc text 114 | .editorconfig text 115 | .gitattributes text 116 | .gitconfig text 117 | .htaccess text 118 | *.npmignore text 119 | *.yaml text 120 | *.yml text 121 | browserslist text 122 | Makefile text 123 | makefile text 124 | 125 | ## HEROKU 126 | Procfile text 127 | .slugignore text 128 | 129 | ## GRAPHICS 130 | *.ai binary 131 | *.bmp binary 132 | 
*.eps binary 133 | *.gif binary 134 | *.ico binary 135 | *.jng binary 136 | *.jp2 binary 137 | *.jpg binary 138 | *.jpeg binary 139 | *.jpx binary 140 | *.jxr binary 141 | *.pdf binary 142 | *.png binary 143 | *.psb binary 144 | *.psd binary 145 | *.svg text 146 | *.svgz binary 147 | *.tif binary 148 | *.tiff binary 149 | *.wbmp binary 150 | *.webp binary 151 | 152 | ## AUDIO 153 | *.kar binary 154 | *.m4a binary 155 | *.mid binary 156 | *.midi binary 157 | *.mp3 binary 158 | *.ogg binary 159 | *.ra binary 160 | 161 | ## VIDEO 162 | *.3gpp binary 163 | *.3gp binary 164 | *.as binary 165 | *.asf binary 166 | *.asx binary 167 | *.fla binary 168 | *.flv binary 169 | *.m4v binary 170 | *.mng binary 171 | *.mov binary 172 | *.mp4 binary 173 | *.mpeg binary 174 | *.mpg binary 175 | *.ogv binary 176 | *.swc binary 177 | *.swf binary 178 | *.webm binary 179 | 180 | ## ARCHIVES 181 | *.7z binary 182 | *.gz binary 183 | *.jar binary 184 | *.rar binary 185 | *.tar binary 186 | *.zip binary 187 | 188 | ## FONTS 189 | *.ttf binary 190 | *.eot binary 191 | *.otf binary 192 | *.woff binary 193 | *.woff2 binary 194 | 195 | ## EXECUTABLES 196 | *.exe binary 197 | *.pyc binary -------------------------------------------------------------------------------- /.github/workflows/pre-release.yml: -------------------------------------------------------------------------------- 1 | name: Create pre-release 2 | 3 | on: 4 | push: 5 | branches: 6 | - "integration" 7 | 8 | jobs: 9 | pre-release: 10 | name: "Pre Release" 11 | runs-on: "ubuntu-latest" 12 | 13 | steps: 14 | - name: Checkout 15 | uses: actions/checkout@v2 16 | - name: Get versions 17 | run: | 18 | echo "SORMAS_DOCKER_VERSION=$(cat .env | grep SORMAS_DOCKER_VERSION | cut -d '=' -f2)" >> $GITHUB_ENV 19 | echo "SORMAS_VERSION=$(cat .env | grep SORMAS_VERSION | cut -d '=' -f2)" >> $GITHUB_ENV 20 | - name: Release 21 | uses: softprops/action-gh-release@v0.1.14 22 | #if: startsWith(github.ref, 'refs/tags/') 23 | with: 24 | prerelease: 
true 25 | tag_name: v${{ env.SORMAS_DOCKER_VERSION }} 26 | target_commitish: integration 27 | body: | 28 | ## Versions 29 | SORMAS VERSION: ${{ env.SORMAS_VERSION }} 30 | 31 | ## Application release notes 32 | https://github.com/sormas-foundation/SORMAS-Project/releases/tag/v${{ env.SORMAS_VERSION }} 33 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Create release 2 | 3 | on: 4 | push: 5 | branches: 6 | - "master" 7 | 8 | jobs: 9 | release: 10 | name: "Release" 11 | runs-on: "ubuntu-latest" 12 | 13 | steps: 14 | - name: Checkout 15 | uses: actions/checkout@v2 16 | - name: Get versions 17 | run: | 18 | echo "SORMAS_DOCKER_VERSION=$(cat .env | grep SORMAS_DOCKER_VERSION | cut -d '=' -f2)" >> $GITHUB_ENV 19 | echo "SORMAS_VERSION=$(cat .env | grep SORMAS_VERSION | cut -d '=' -f2)" >> $GITHUB_ENV 20 | - name: Release 21 | uses: softprops/action-gh-release@v0.1.14 22 | #if: startsWith(github.ref, 'refs/tags/') 23 | with: 24 | prerelease: false 25 | tag_name: v${{ env.SORMAS_DOCKER_VERSION }} 26 | target_commitish: master 27 | body: | 28 | ## Versions 29 | SORMAS VERSION: ${{ env.SORMAS_VERSION }} 30 | 31 | ## Application release notes 32 | https://github.com/sormas-foundation/SORMAS-Project/releases/tag/v${{ env.SORMAS_VERSION }} 33 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /.project 2 | .idea 3 | /.pydevproject 4 | /ATT04797.env 5 | /docker-compose-fr.yml 6 | -------------------------------------------------------------------------------- /Documents/Database.md: -------------------------------------------------------------------------------- 1 |

2 | 3 | SORMAS - Surveillance, Outbreak Response Management and Analysis System 8 | 9 |

10 | 11 | # Database 12 | 13 | Sormas uses postgres as its database backend. 14 | 15 | ## Configuration 16 | 17 | ### Default configuration 18 | 19 | Database-related values are set in the `.env` file: 20 | 21 | * Database server: `DB_HOST`: postgres 22 | * Sormas Database: `DB_NAME`: sormas 23 | * Sormas Database User: `SORMAS_POSTGRES_USER`: sormas_user 24 | * Sormas Database Password: `SORMAS_POSTGRES_PASSWORD`: password 25 | 26 | ### Parameters for containers 27 | 28 | Several parameters are configured in `docker-compose.yml`: 29 | 30 | #### Database 31 | 32 | The `postgres` container is set up with the `SORMAS_POSTGRES_PASSWORD` from the `.env` file. The `sormas` DB is created and initialized. The `sormas` user is created. 33 | 34 | Additionally, the `postgres` container listens on localhost port 5432; the port is bound to `127.0.0.1` only, so it is not reachable from other hosts. This can be used to access the `sormas` database, e.g. for creating local DB dumps. 35 | 36 | Database files for `sormas` are held on the host in a local folder. 37 | 38 | ```yaml 39 | services: 40 | postgres: 41 | environment: 42 | - POSTGRES_PASSWORD=${SORMAS_POSTGRES_PASSWORD} 43 | - DB_NAME=sormas 44 | - SORMAS_POSTGRES_PASSWORD=${SORMAS_POSTGRES_PASSWORD} 45 | - SORMAS_POSTGRES_USER=${SORMAS_POSTGRES_USER} 46 | ports: 47 | - "127.0.0.1:5432:5432" 48 | volumes: 49 | - ${SORMAS_PATH}/psqldata:/var/lib/postgresql/data 50 | ``` 51 | 52 | #### pg_dump container 53 | 54 | In the default installation a pg_dump container is started. This container dumps all databases on the database server (except `postgres` and the template databases) on a regular basis to a folder on the host (`/backup`). 55 | 56 | ```yaml 57 | services: 58 | pg_dump: 59 | environment: 60 | - DB_HOST=${DB_HOST} 61 | - PGPASSWORD=${SORMAS_POSTGRES_PASSWORD} 62 | - POSTGRES_USER=${SORMAS_POSTGRES_USER} 63 | - MIN=15,45 # Twice the hour on 15 and 45 (use crontab notation) 64 | - HOUR= # Keep empty for every hour. 
Use crontab notation otherwise 65 | volumes: 66 | - /backup:/var/opt/db_dumps 67 | ``` 68 | 69 | #### sormas 70 | 71 | The `sormas` container uses the postgres connection information from the `.env` file. 72 | 73 | ```yaml 74 | services: 75 | sormas: 76 | environment: 77 | - SORMAS_POSTGRES_USER=${SORMAS_POSTGRES_USER} 78 | - SORMAS_POSTGRES_PASSWORD=${SORMAS_POSTGRES_PASSWORD} 79 | - DB_HOST=${DB_HOST} 80 | - DB_NAME=${DB_NAME} 81 | 82 | ``` 83 | ### partner 84 | 85 | 

86 | 87 | 91 | 92 |

93 | 94 | -------------------------------------------------------------------------------- /Jenkinsfile: -------------------------------------------------------------------------------- 1 | node { 2 | 3 | def SORMAS_VERSION='' 4 | def SORMAS_VERSION_NIGHTLY='' 5 | 6 | 7 | stage('checkout') { 8 | git branch: '${BRANCH}', url: 'https://github.com/sormas-foundation/SORMAS-Docker.git' 9 | } 10 | 11 | stage('set variables') { 12 | echo 'Setting variables' 13 | SORMAS_VERSION_NIGHTLY= sh ( 14 | script: 'curl -s https://raw.githubusercontent.com/sormas-foundation/SORMAS-Project/development/sormas-base/pom.xml | grep SNAPSHOT | sed s/\\// | sed s/\\<\\\\/version\\>// | sed \'s/[[:space:]]//g\'', 15 | returnStdout: true 16 | ).trim() 17 | if (params.BUILD_NIGHTLY != null && params.BUILD_NIGHTLY) { 18 | echo 'Build NIGHTLY' 19 | SORMAS_VERSION = SORMAS_VERSION_NIGHTLY 20 | sh """ 21 | sed -i 's,SORMAS_URL=.*\$,SORMAS_URL=http://10.160.41.100/,' ./.env 22 | sed -i 's,SORMAS_VERSION=.*\$,SORMAS_VERSION=${SORMAS_VERSION},' ./.env 23 | """ 24 | } 25 | 26 | else { 27 | if (params.VERSION_TO_BUILD != null) { 28 | echo 'Build Version specified in parameters: ${params.VERSION_TO_BUILD}' 29 | SORMAS_VERSION = params.VERSION_TO_BUILD 30 | } 31 | else { 32 | echo 'Build Version from .env' 33 | SORMAS_VERSION = sh ( 34 | script: "source ./.env &> /dev/null && echo \$SORMAS_VERSION", 35 | returnStdout: true 36 | ).trim() 37 | } 38 | } 39 | if (params.SORMAS_DOCKER_VERSION != null) { 40 | echo 'Set SORMAS_DOCKER_VERSION to ${SORMAS_DOCKER_VERSION}' 41 | sh """ 42 | sed -i 's,SORMAS_DOCKER_VERSION=.#*\$,SORMAS_DOCKER_VERSION=${SORMAS_DOCKER_VERSION},' ./.env 43 | """ 44 | } 45 | 46 | sh """ 47 | sed -i "/^GEO_TEMPLATE/d " ./.env 48 | cat ./.env 49 | """ 50 | 51 | 52 | echo "${SORMAS_VERSION}" 53 | } 54 | 55 | stage('Build SORMAS') { 56 | echo 'Building SORMAS' 57 | sh """ 58 | source ./.env 59 | sudo docker build --build-arg SORMAS_URL=\$SORMAS_URL --build-arg 
SORMAS_VERSION=\$SORMAS_VERSION --pull --no-cache -t sormas-application:${SORMAS_DOCKER_VERSION} sormas/
        sudo docker build --build-arg SORMAS_URL=\$SORMAS_URL --build-arg SORMAS_VERSION=\$SORMAS_VERSION --pull --no-cache -t sormas-postgres:${SORMAS_DOCKER_VERSION} postgres/
        sudo docker build --build-arg SORMAS_URL=\$SORMAS_URL --build-arg SORMAS_VERSION=\$SORMAS_VERSION --pull --no-cache -t sormas-apache2:${SORMAS_DOCKER_VERSION} apache2/
        sudo docker build --build-arg SORMAS_URL=\$SORMAS_URL --build-arg SORMAS_VERSION=\$SORMAS_VERSION --pull --no-cache -t sormas-pg-dump:${SORMAS_DOCKER_VERSION} pg_dump/
        """
    }


    // Tag the four images built in 'Build SORMAS' and push them, first to the
    // Netzlink registry and then to docker.io, under the same SORMAS_DOCKER_VERSION tag.
    stage('DEPLOY SORMAS') {
        echo 'Deploying locally....'
        withCredentials([ usernamePassword(credentialsId: 'registry.netzlink.com', usernameVariable: 'MY_SECRET_USER_NLI', passwordVariable: 'MY_SECRET_USER_PASSWORD_NLI' )]) {
            // NOTE(review): $MY_SECRET_USER_NLI and $MY_SECRET_USER_PASSWORD_NLI are expanded by
            // Groovy inside the """ GString below (the inner single quotes do not prevent that),
            // so the secret is written into the script text Jenkins hands to the agent — the
            // pattern Jenkins reports as insecure credential interpolation. A single-quoted
            // script would let the shell read the variables from its environment instead, and
            // `docker login --password-stdin` would keep the password out of the process list.
            sh """
            sudo docker login -u '$MY_SECRET_USER_NLI' -p '$MY_SECRET_USER_PASSWORD_NLI' registry.netzlink.com
            sudo docker tag sormas-application:${SORMAS_DOCKER_VERSION} registry.netzlink.com/hzibraunschweig/sormas-application:${SORMAS_DOCKER_VERSION}
            sudo docker push registry.netzlink.com/hzibraunschweig/sormas-application:${SORMAS_DOCKER_VERSION}
            sudo docker tag sormas-postgres:${SORMAS_DOCKER_VERSION} registry.netzlink.com/hzibraunschweig/sormas-postgres:${SORMAS_DOCKER_VERSION}
            sudo docker push registry.netzlink.com/hzibraunschweig/sormas-postgres:${SORMAS_DOCKER_VERSION}
            sudo docker tag sormas-apache2:${SORMAS_DOCKER_VERSION} registry.netzlink.com/hzibraunschweig/sormas-apache2:${SORMAS_DOCKER_VERSION}
            sudo docker push registry.netzlink.com/hzibraunschweig/sormas-apache2:${SORMAS_DOCKER_VERSION}
            sudo docker tag sormas-pg-dump:${SORMAS_DOCKER_VERSION} registry.netzlink.com/hzibraunschweig/sormas-pg-dump:${SORMAS_DOCKER_VERSION}
            sudo docker push registry.netzlink.com/hzibraunschweig/sormas-pg-dump:${SORMAS_DOCKER_VERSION}
            """
        }

        echo 'Deploying to docker.io....'
        // Same interpolation caveat as above. The 'dockerhub' credential is bound to the
        // *_NLI variable names here, which is confusing but functionally harmless.
        withCredentials([ usernamePassword(credentialsId: 'dockerhub', usernameVariable: 'MY_SECRET_USER_NLI', passwordVariable: 'MY_SECRET_USER_PASSWORD_NLI' )]) {
            sh """
            sudo docker login -u '$MY_SECRET_USER_NLI' -p '$MY_SECRET_USER_PASSWORD_NLI' docker.io
            sudo docker tag sormas-application:${SORMAS_DOCKER_VERSION} docker.io/hzibraunschweig/sormas-application:${SORMAS_DOCKER_VERSION}
            sudo docker push docker.io/hzibraunschweig/sormas-application:${SORMAS_DOCKER_VERSION}
            sudo docker tag sormas-postgres:${SORMAS_DOCKER_VERSION} docker.io/hzibraunschweig/sormas-postgres:${SORMAS_DOCKER_VERSION}
            sudo docker push docker.io/hzibraunschweig/sormas-postgres:${SORMAS_DOCKER_VERSION}
            sudo docker tag sormas-apache2:${SORMAS_DOCKER_VERSION} docker.io/hzibraunschweig/sormas-apache2:${SORMAS_DOCKER_VERSION}
            sudo docker push docker.io/hzibraunschweig/sormas-apache2:${SORMAS_DOCKER_VERSION}
            sudo docker tag sormas-pg-dump:${SORMAS_DOCKER_VERSION} docker.io/hzibraunschweig/sormas-pg-dump:${SORMAS_DOCKER_VERSION}
            sudo docker push docker.io/hzibraunschweig/sormas-pg-dump:${SORMAS_DOCKER_VERSION}
            """
        }
    }


    // Build the LBDS image from lbds/, passing the Nexus credentials as build args.
    stage('Build LBDS') {
        echo 'Building....'
        withCredentials([ usernamePassword(credentialsId: 'crowdcodeNexus', usernameVariable: 'CROWDCODE_NEXUS_USER', passwordVariable: 'CROWDCODE_NEXUS_PASSWORD' )]) {
            // NOTE(review): CROWDCODE_NEXUS_PASSWORD is handed to the build as a --build-arg
            // (and, as in the stages above, interpolated by Groovy into the script text).
            // Build args are retained in the image metadata shown by `docker history`, so the
            // pushed lbds image may carry the Nexus password — confirm against lbds/Dockerfile;
            // a BuildKit `--secret` mount would keep it out of the image.
            // ${LBDS_JAR_FILE_VERSION} is likewise resolved by Groovy before the shell runs, so it
            // presumably comes from a job parameter/env var rather than from "source ./.env" — confirm.
            sh """
            source ./.env
            cd lbds
            sudo docker build --pull --no-cache --build-arg LBDS_JAR_FILE_VERSION=${LBDS_JAR_FILE_VERSION} --build-arg CROWDCODE_NEXUS_USER=${CROWDCODE_NEXUS_USER} --build-arg CROWDCODE_NEXUS_PASSWORD="${CROWDCODE_NEXUS_PASSWORD}" -t hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} .
            """
        }
    }


    // Push the lbds image to the Netzlink registry (the stage body continues past this block).
    stage('Deploy LBDS') {
        echo 'Deploying....'
114 | withCredentials([ usernamePassword(credentialsId: 'registry.netzlink.com', usernameVariable: 'MY_SECRET_USER_NLI', passwordVariable: 'MY_SECRET_USER_PASSWORD_NLI' )]) { 115 | sh """ 116 | sudo docker login -u '$MY_SECRET_USER_NLI' -p '$MY_SECRET_USER_PASSWORD_NLI' registry.netzlink.com 117 | sudo docker tag hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} registry.netzlink.com/hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} 118 | sudo docker push registry.netzlink.com/hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} 119 | sudo docker tag hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} registry.netzlink.com/hzibraunschweig/lbds:${SORMAS_DOCKER_VERSION} 120 | sudo docker push registry.netzlink.com/hzibraunschweig/lbds:${SORMAS_DOCKER_VERSION} 121 | echo 'Finished' 122 | """ 123 | } 124 | } 125 | } -------------------------------------------------------------------------------- /Jenkinsfile_pgdump-only: -------------------------------------------------------------------------------- 1 | node { 2 | 3 | def SORMAS_VERSION='' 4 | 5 | stage('checkout') { 6 | git branch: '${BRANCH}', url: 'https://github.com/sormas-foundation/SORMAS-Docker.git' 7 | } 8 | 9 | stage('set variables') { 10 | echo 'Setting variables' 11 | sh "sed -i 's,SORMAS_URL=.*\$,SORMAS_URL=http://10.160.41.100/,' ./.env" 12 | sh "sed -i 's,SORMAS_DOCKER_VERSION=.*\$,SORMAS_DOCKER_VERSION=DEVOPS,' ./.env" 13 | sh "sed -i '/^GEO_TEMPLATE/d ' ./.env" 14 | SORMAS_VERSION= sh ( 15 | script: 'curl -s https://raw.githubusercontent.com/sormas-foundation/SORMAS-Project/development/sormas-base/pom.xml | grep SNAPSHOT | sed s/\\// | sed s/\\<\\\\/version\\>// | sed \'s/[[:space:]]//g\'', 16 | returnStdout: true 17 | ).trim() 18 | echo "${SORMAS_VERSION}" 19 | echo "${SORMAS_DOCKER_VERSION}" 20 | } 21 | 22 | stage('Build PGDUMP') { 23 | echo 'Building PGDUMP' 24 | sh "cat ./.env" 25 | sh "sudo buildah bud --build-arg SORMAS_URL='http://10.160.41.100/' --build-arg SORMAS_VERSION=${SORMAS_VERSION} --pull-always --no-cache 
-t sormas-pg-dump:${SORMAS_DOCKER_VERSION} pg_dump/" 26 | } 27 | 28 | stage('Deploy PGDUMP registry') { 29 | echo 'Deploying PGDUMP registry' 30 | withCredentials([ usernamePassword(credentialsId: 'registry.netzlink.com', usernameVariable: 'MY_SECRET_USER_NLI', passwordVariable: 'MY_SECRET_USER_PASSWORD_NLI' )]) { 31 | sh """ 32 | sudo buildah login -u '$MY_SECRET_USER_NLI' -p '$MY_SECRET_USER_PASSWORD_NLI' registry.netzlink.com 33 | sudo buildah push -f v2s2 sormas-pg-dump:${SORMAS_DOCKER_VERSION} registry.netzlink.com/hzibraunschweig/sormas-pg-dump:${SORMAS_DOCKER_VERSION} 34 | """ 35 | } 36 | } 37 | 38 | stage('Deploy PGDUMP to docker.io') { 39 | echo 'Deploying PGDUMP to docker.io' 40 | withCredentials([ usernamePassword(credentialsId: 'dockerhub', usernameVariable: 'MY_SECRET_USER', passwordVariable: 'MY_SECRET_USER_PASSWORD' )]) { 41 | sh """ 42 | sudo buildah login -u '$MY_SECRET_USER' -p '$MY_SECRET_USER_PASSWORD' docker.io 43 | sudo buildah push -f v2s2 sormas-pg-dump:${SORMAS_DOCKER_VERSION} hzibraunschweig/sormas-pg-dump:${SORMAS_DOCKER_VERSION} 44 | """ 45 | } 46 | } 47 | 48 | 49 | 50 | } 51 | -------------------------------------------------------------------------------- /Jenkinsfile_pushContainer: -------------------------------------------------------------------------------- 1 | node { 2 | 3 | stage('checkout') { 4 | git branch: '${BRANCH}', url: 'https://github.com/sormas-foundation/SORMAS-Docker.git' 5 | } 6 | 7 | 8 | 9 | stage('DEPLOY to Netzlink Registry') { 10 | if (env.DEPLOY_LOCAL.toBoolean()) { 11 | echo 'Deploying locally....' 
withCredentials([ usernamePassword(credentialsId: 'registry.netzlink.com', usernameVariable: 'MY_SECRET_USER_NLI', passwordVariable: 'MY_SECRET_USER_PASSWORD_NLI' )]) {
    // NOTE(review): $MY_SECRET_USER_NLI / $MY_SECRET_USER_PASSWORD_NLI are resolved by Groovy
    // inside the """ GString below before the shell runs, so the secret lands in the script
    // text itself (Jenkins warns about this as insecure credential interpolation). The same
    // applies to $SORMAS_DOCKER_VERSION, which therefore does NOT come from the "source ./.env"
    // line but from whatever Groovy/env binding of that name exists — presumably a job
    // parameter; confirm. Because the expanded values are also unquoted in the shell, a
    // password containing whitespace or shell metacharacters would break the login; a
    // single-quoted script plus `buildah login --password-stdin` would address both points.
    sh """
    sed -i "/^GEO_TEMPLATE/d " ./.env
    source ./.env
    sudo buildah login -u $MY_SECRET_USER_NLI -p $MY_SECRET_USER_PASSWORD_NLI registry.netzlink.com

    sudo buildah push -f v2s2 sormas-application registry.netzlink.com/hzibraunschweig/sormas-application:$SORMAS_DOCKER_VERSION
    sudo buildah push -f v2s2 sormas-application registry.netzlink.com/hzibraunschweig/sormas-application:latest

    sudo buildah push -f v2s2 sormas-postgres registry.netzlink.com/hzibraunschweig/sormas-postgres:$SORMAS_DOCKER_VERSION
    sudo buildah push -f v2s2 sormas-postgres registry.netzlink.com/hzibraunschweig/sormas-postgres:latest

    sudo buildah push -f v2s2 sormas-apache2 registry.netzlink.com/hzibraunschweig/sormas-apache2:$SORMAS_DOCKER_VERSION
    sudo buildah push -f v2s2 sormas-apache2 registry.netzlink.com/hzibraunschweig/sormas-apache2:latest

    sudo buildah push -f v2s2 sormas-pg-dump registry.netzlink.com/hzibraunschweig/sormas-pg-dump:$SORMAS_DOCKER_VERSION
    sudo buildah push -f v2s2 sormas-pg-dump registry.netzlink.com/hzibraunschweig/sormas-pg-dump:latest

    #sudo buildah push -f v2s2 sormas-letsencrypt registry.netzlink.com/hzibraunschweig/sormas-letsencrypt:$SORMAS_DOCKER_VERSION
    #sudo buildah push -f v2s2 sormas-letsencrypt registry.netzlink.com/hzibraunschweig/sormas-letsencrypt:latest

    sudo buildah push -f v2s2 sormas-keycloak registry.netzlink.com/hzibraunschweig/sormas-keycloak:$SORMAS_DOCKER_VERSION
    sudo buildah push -f v2s2 sormas-keycloak registry.netzlink.com/hzibraunschweig/sormas-keycloak:latest

    sudo buildah push -f v2s2 sormas-keycloak-postgres registry.netzlink.com/hzibraunschweig/keycloak-postgres:$SORMAS_DOCKER_VERSION
    sudo buildah push -f v2s2 sormas-keycloak-postgres registry.netzlink.com/hzibraunschweig/keycloak-postgres:latest

    #sudo buildah push -f v2s2 central-keycloak registry.netzlink.com/hzibraunschweig/central-keycloak:$SORMAS_DOCKER_VERSION
    #sudo buildah push -f v2s2 central-keycloak registry.netzlink.com/hzibraunschweig/central-keycloak:latest

    #sudo buildah push -f v2s2 central-redis registry.netzlink.com/hzibraunschweig/central-redis:$SORMAS_DOCKER_VERSION
    #sudo buildah push -f v2s2 central-redis registry.netzlink.com/hzibraunschweig/central-redis:latest
    """
}
}
}

// Re-pull only the sormas-apache2 image from the Netzlink registry and mirror it to
// docker.io; the other images are not pushed to docker.io by this stage.
stage('DEPLOY to docker.io') {

    echo 'Deploying to docker.io....'
    withCredentials([ usernamePassword(credentialsId: 'dockerhub', usernameVariable: 'MY_SECRET_USER_DOCKER', passwordVariable: 'MY_SECRET_USER_PASSWORD_DOCKER' )]) {
        withCredentials([ usernamePassword(credentialsId: 'registry.netzlink.com', usernameVariable: 'MY_SECRET_USER_NLI', passwordVariable: 'MY_SECRET_USER_PASSWORD_NLI' )]) {
            // NOTE(review): same Groovy-interpolation and unquoted-expansion caveats as in the
            // stage above, for both credential pairs.
            sh """
            sudo buildah rmi --prune
            sudo buildah login -u $MY_SECRET_USER_NLI -p $MY_SECRET_USER_PASSWORD_NLI registry.netzlink.com

            sudo buildah pull registry.netzlink.com/hzibraunschweig/sormas-apache2:$SORMAS_DOCKER_VERSION
            sudo buildah logout
            sudo buildah login -u $MY_SECRET_USER_DOCKER -p $MY_SECRET_USER_PASSWORD_DOCKER docker.io
            sudo buildah push -f v2s2 hzibraunschweig/sormas-apache2:$SORMAS_DOCKER_VERSION hzibraunschweig/sormas-apache2:$SORMAS_DOCKER_VERSION

            sudo buildah logout
            """
        }
    }
}
// Quay deployment stage; its body continues past this block.
stage('DEPLOY to quay') {
    echo 'Deploying to quay....'
70 | withCredentials([ usernamePassword(credentialsId: 'quay_registry', usernameVariable: 'MY_SECRET_USER_QUAY', passwordVariable: 'MY_SECRET_USER_PASSWORD_QUAY' )]) { 71 | withCredentials([ usernamePassword(credentialsId: 'registry.netzlink.com', usernameVariable: 'MY_SECRET_USER_NLI', passwordVariable: 'MY_SECRET_USER_PASSWORD_NLI' )]) { 72 | sh """ 73 | 74 | """ 75 | } 76 | } 77 | } 78 | 79 | } -------------------------------------------------------------------------------- /Netzlink Logo Weiss-Rot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SORMAS-Foundation/SORMAS-Docker/2c74a8ac64848e67970edfa554ccd490edbedaa2/Netzlink Logo Weiss-Rot.png -------------------------------------------------------------------------------- /Rscript/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM hzibraunschweig/sormas-payara:5.2022.5 2 | ENV DEBIAN_FRONTEND=noninteractive 3 | 4 | RUN apt update \ 5 | && apt install -y gpg-agent 6 | 7 | RUN apt update -qq \ 8 | && apt install -y --no-install-recommends software-properties-common dirmngr \ 9 | && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E298A3A825C0D65DFD57CBB651716619E084DAB9 \ 10 | && wget -qO- https://cloud.r-project.org/bin/linux/ubuntu/marutter_pubkey.asc | tee -a /etc/apt/trusted.gpg.d/cran_ubuntu_key.asc \ 11 | && add-apt-repository "deb https://cloud.r-project.org/bin/linux/ubuntu $(lsb_release -cs)-cran40/" \ 12 | && apt-get update \ 13 | && apt-get upgrade -y \ 14 | && apt-get -y install r-base libpq-dev gcc build-essential gfortran libblas-dev liblapack-dev libxml2-dev libglpk-dev --no-install-recommends\ 15 | && apt-get clean 16 | 17 | RUN R -e "install.packages('epicontacts', version='1.1.0', repos='http://cran.rstudio.com/')" 18 | RUN R -e "install.packages('outbreaks', version='1.5.0', repos='http://cran.rstudio.com/')" 19 | RUN R -e "install.packages('RPostgreSQL', 
version='0.6-2', repos='http://cran.rstudio.com/')" 20 | RUN R -e "install.packages('GGally', version='1.5.0', repos='http://cran.rstudio.com/')" 21 | RUN R -e "install.packages('network', version='1.16.0', repos='http://cran.rstudio.com/')" 22 | RUN R -e "install.packages('sna', version='2.5', repos='http://cran.rstudio.com/')" 23 | RUN R -e "install.packages('visNetwork', version='2.0.9', repos='http://cran.rstudio.com/')" 24 | RUN R -e "install.packages('dplyr', version='0.8.5', repos='http://cran.rstudio.com/')" 25 | -------------------------------------------------------------------------------- /apache2/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM httpd:2.4-alpine as build 2 | ARG SORMAS_SERVER_URL 3 | 4 | ARG SORMAS_VERSION=1.82.0 5 | ARG MOD_AUTH_OPENIDC_VERSION=2.4.11.3 6 | 7 | ENV SORMAS_VERSION=$SORMAS_VERSION 8 | ARG SORMAS_URL=https://github.com/sormas-foundation/SORMAS-Project/releases/download/ 9 | 10 | 11 | 12 | 13 | 14 | RUN apk update --no-cache && \ 15 | apk upgrade --no-cache 16 | 17 | RUN apk add --no-cache tzdata openssl curl bash build-base libcrypto3 18 | 19 | RUN apk add --no-cache git apache2-dev openssl-dev curl-dev jansson-dev pcre-dev pkgconf wget autoconf automake libtool make g++ 20 | 21 | RUN apk update --no-cache 22 | 23 | RUN mkdir -p /usr/src/cjose && cd /usr/src/cjose 24 | RUN cd /usr/src/cjose && \ 25 | git clone https://github.com/cisco/cjose.git && \ 26 | cd cjose && \ 27 | ./configure CFLAGS="-Wno-error=deprecated-declarations" && make && make install && mkdir -p /tmp && ls -la && cp lib/* /tmp && ls -la /tmp 28 | 29 | 30 | RUN mkdir -p /usr/src/apache2 && cd /usr/src/apache2 31 | RUN cd /usr/src/apache2 && wget https://github.com/zmartzone/mod_auth_openidc/archive/refs/tags/v${MOD_AUTH_OPENIDC_VERSION}.tar.gz && tar xzvf v${MOD_AUTH_OPENIDC_VERSION}.tar.gz && cd mod_auth_openidc-${MOD_AUTH_OPENIDC_VERSION}/ 32 | RUN cd 
/usr/src/apache2/mod_auth_openidc-${MOD_AUTH_OPENIDC_VERSION}/ && ls -la && ./autogen.sh && ./configure && make && make install && mkdir -p /tmp && cp .libs/mod_auth_openidc.so /tmp 33 | 34 | 35 | 36 | 37 | FROM httpd:2.4-alpine 38 | ARG SORMAS_SERVER_URL 39 | ARG SORMAS_VERSION=1.82.0 40 | 41 | 42 | ENV SORMAS_VERSION=$SORMAS_VERSION 43 | ARG SORMAS_URL=https://github.com/sormas-foundation/SORMAS-Project/releases/download/ 44 | 45 | RUN apk update --no-cache && \ 46 | apk upgrade --no-cache && \ 47 | apk add --no-cache --upgrade tzdata jansson pcre hiredis bash curl binutils 48 | RUN mkdir -p /var/log/apache2/ \ 49 | && mkdir /usr/local/apache2/conf.d/ \ 50 | && chown -R www-data:www-data /var/log/apache2/ 51 | 52 | 53 | COPY --from=build /tmp/libcjose.so.0.0.0 . 54 | COPY --from=build /tmp/libcjose.lai . 55 | COPY --from=build /tmp/libcjose.a . 56 | RUN /usr/bin/install -c libcjose.so.0.0.0 /usr/local/lib/libcjose.so.0.0.0 && \ 57 | (cd /usr/local/lib && { ln -s -f libcjose.so.0.0.0 libcjose.so.0 || { rm -f libcjose.so.0 && ln -s libcjose.so.0.0.0 libcjose.so.0; }; }) && \ 58 | (cd /usr/local/lib && { ln -s -f libcjose.so.0.0.0 libcjose.so || { rm -f libcjose.so && ln -s libcjose.so.0.0.0 libcjose.so; }; }) && \ 59 | /usr/bin/install -c libcjose.lai /usr/local/lib/libcjose.la && \ 60 | /usr/bin/install -c libcjose.a /usr/local/lib/libcjose.a && \ 61 | chmod 644 /usr/local/lib/libcjose.a && \ 62 | ranlib /usr/local/lib/libcjose.a && \ 63 | PATH="/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/sbin" ldconfig -n /usr/local/lib 64 | 65 | COPY --from=build /tmp/mod_auth_openidc.so . 
66 | RUN /usr/bin/install -c -d /usr/lib/apache2 && \ 67 | /usr/bin/install -c -p -m 755 ./mod_auth_openidc.so /usr/lib/apache2/mod_auth_openidc.so 68 | 69 | 70 | COPY ./vhost.conf.sh /tmp/vhost.conf.sh 71 | COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf 72 | COPY ./httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf 73 | RUN chmod +x /tmp/vhost.conf.sh 74 | 75 | RUN ls -la /tmp 76 | 77 | RUN mkdir -p /var/www/sormas/downloads && \ 78 | DEPLOY_PATH=$(mktemp -d) && \ 79 | cd ${DEPLOY_PATH} && \ 80 | wget ${SORMAS_URL}v${SORMAS_VERSION}/sormas_${SORMAS_VERSION}.zip -O sormas.zip && \ 81 | unzip sormas.zip deploy/android/* && \ 82 | mv deploy/android/* /var/www/sormas/downloads/ && \ 83 | cd - && \ 84 | rm -rf ${DEPLOY_PATH} 85 | 86 | 87 | ENTRYPOINT ["/tmp/vhost.conf.sh"] 88 | CMD ["/usr/local/apache2/bin/httpd","-D","FOREGROUND"] 89 | -------------------------------------------------------------------------------- /apache2/certs/sormas-docker-test.com.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIGBzCCA++gAwIBAgIUPpYp/KdUWY5F4GAdCbH9FC567xwwDQYJKoZIhvcNAQEL 3 | BQAwgZIxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBTYXhvbnkxEjAQBgNV 4 | BAcMCUJydW5zd2ljazEqMCgGA1UECgwhTmV0emxpbmsgSW5mb3JtYXRpb25zdGVj 5 | aG5payBHbWJIMQswCQYDVQQLDAJJVDEfMB0GA1UEAwwWc29ybWFzLWRvY2tlci10 6 | ZXN0LmNvbTAeFw0yMTA2MDgwNzQ4NTlaFw0zMTA2MDYwNzQ4NTlaMIGSMQswCQYD 7 | VQQGEwJERTEVMBMGA1UECAwMTG93ZXIgU2F4b255MRIwEAYDVQQHDAlCcnVuc3dp 8 | Y2sxKjAoBgNVBAoMIU5ldHpsaW5rIEluZm9ybWF0aW9uc3RlY2huaWsgR21iSDEL 9 | MAkGA1UECwwCSVQxHzAdBgNVBAMMFnNvcm1hcy1kb2NrZXItdGVzdC5jb20wggIi 10 | MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDCvfdZGi2PAd/igpjGB5cNJVnH 11 | e0cPOoIgrPVZw6KHg6I+2M0WtZ2da6lLNglyUCZ854VchMVN+6HSuj3ux9o8B2di 12 | ms3gwDoP8IVsGNUPrMOuVdaZ0LAFM4ZMRhwUo37EkZUTyEdwVPbSDFHf+D1W3IOG 13 | jrxlRLY/ae0zavtEMRz8dyQM+VCdbY5LMz6zQ3xdbWy00z4WenjYNxQqucRh6U4i 14 | tOt8kTOTZMvFviH3//VaJu8FLnDcou0CRthRkpTEcqygd0if0Qo32cGNxHr0TpKo 
15 | R1u/gzv2Ug70zT78UhPppI/oeXjOsc5E+jP5JVl506Cd70nlHHByuzh+LcdHrRSD 16 | BeE4iI7PYGgF4OnGDcHnxGtzK0loteiwDSjfxHsI5crFZxuNrKbJCUjm4Z1f5gAM 17 | u8bi9uyv/pJR8/VsujqRH1lRY+9Xx7PlW+i66pV1+lM8LhCeJorMBPWgyTDE0f36 18 | IljuCMLlk1BeCPUnqhW6P9Yd34CR8wdpe58M0840RHgh/LS1ulHCJeJ1+x6THHT8 19 | XTJiJQ8vRpjkA6p2zYn+//+aCrL3tP7cUs/CjHm5tFrzGNP6MCdUZtnyiySVbnvA 20 | xBs2gwbCGyTO7Z5qhRl7xjhvyEONsO+AKQpofh0TW/+gb3ANucAKc5xMaha3MdhX 21 | UsuOD20R1H4l8zgPlQIDAQABo1MwUTAdBgNVHQ4EFgQUFYzjnGb9svG5+tWaYknR 22 | 2D1CoMowHwYDVR0jBBgwFoAUFYzjnGb9svG5+tWaYknR2D1CoMowDwYDVR0TAQH/ 23 | BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAWd7JV66LajiPvBnLJqG676GD1M9X 24 | BB1H4oIvLKbXwgajaCk1s81EeHuvvQR7dilMrFOSciiYvhwU/ROTpKBNzolI8+fn 25 | CV42OA0Gd7g+6jnprBSLD6pOHVKxj1ZJ6kgYTFi82M7qWLeeOWwXRMhyW7QEUXHR 26 | r7DcA6tXhCBJhOmwgqyLbxf6EoJxY7d7aeFrXqgnrKJBswS9PJvXH7gmnLhNCKuX 27 | qfsqoZdwIijMUh8Ee7E1p23k20f84OlMn4HCOb4jZDfGJxe1V//nInzXL8OZ9aWU 28 | bsmWs+W58Cd1xmy2ehSRGNRic5zQEsvCnR8wUYk8HeLM9y8b0zj5ekNybUuR6Dev 29 | nsn5EYFRj/+1knUFJzbQvFDk2a6adsJL8SVazi6bLiY2P18xXCFV3AqCombn/M5v 30 | CiTHEkSgY91n0KCIj+pNZpTIDFTuVrSMzAJci9Q37vF0YGpv+/Lhnwm2+DwyW9ze 31 | vgOwyByUkDgWC8E5yQPcPK6vARhS0gaY9izb1tnd5oF1yDG1KLfrBhb1t/R1t1Up 32 | 7vK4vonLB4YSgG6Ua6SN2rCmZOsHtmqZQ8JT8VsjVmxFQMD+c9rXh0H/g/YvG/yD 33 | LTpJTBpxEOlp5U2nxlU/f3ooVk1Cu8uXSTFBmz80rQpcw/6ElwHclTcsIAqLb7KU 34 | MObWw4WjwBy8dBs= 35 | -----END CERTIFICATE----- -------------------------------------------------------------------------------- /apache2/certs/sormas-docker-test.com.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDCvfdZGi2PAd/i 3 | gpjGB5cNJVnHe0cPOoIgrPVZw6KHg6I+2M0WtZ2da6lLNglyUCZ854VchMVN+6HS 4 | uj3ux9o8B2dims3gwDoP8IVsGNUPrMOuVdaZ0LAFM4ZMRhwUo37EkZUTyEdwVPbS 5 | DFHf+D1W3IOGjrxlRLY/ae0zavtEMRz8dyQM+VCdbY5LMz6zQ3xdbWy00z4WenjY 6 | NxQqucRh6U4itOt8kTOTZMvFviH3//VaJu8FLnDcou0CRthRkpTEcqygd0if0Qo3 7 | 
2cGNxHr0TpKoR1u/gzv2Ug70zT78UhPppI/oeXjOsc5E+jP5JVl506Cd70nlHHBy 8 | uzh+LcdHrRSDBeE4iI7PYGgF4OnGDcHnxGtzK0loteiwDSjfxHsI5crFZxuNrKbJ 9 | CUjm4Z1f5gAMu8bi9uyv/pJR8/VsujqRH1lRY+9Xx7PlW+i66pV1+lM8LhCeJorM 10 | BPWgyTDE0f36IljuCMLlk1BeCPUnqhW6P9Yd34CR8wdpe58M0840RHgh/LS1ulHC 11 | JeJ1+x6THHT8XTJiJQ8vRpjkA6p2zYn+//+aCrL3tP7cUs/CjHm5tFrzGNP6MCdU 12 | ZtnyiySVbnvAxBs2gwbCGyTO7Z5qhRl7xjhvyEONsO+AKQpofh0TW/+gb3ANucAK 13 | c5xMaha3MdhXUsuOD20R1H4l8zgPlQIDAQABAoICADSJKwFOnpvF1bA1qyFBSu6w 14 | 9Ndr2m+xSQmnn0joDiCg0lRCCJHnzO167eDsYwADv15S1xduegvfpnhC5hJUt/sZ 15 | xDpFqOTI9uD18giHanMgGGofnhVAxzuf+sr43vpyYPCGlcEQdrVHNo7T5AKX5XRZ 16 | aOIT/58SOlhBK0yDv+VVmoxBV+hoGededtSyrmeN/S73JixiEI3f3Fn4AejE1MXV 17 | Os8CH8UrJs7Mkmx2LpPI6Ve4ySKMtMXQ7j9+/TyEXr3gcdGYXG9A5ZDLnfuw1bqy 18 | t73OAmJX9QUuffpspGFNgzG0w13j50NblFnnZb4A5XKINPxmYXj9gxhwiX0AvJGQ 19 | P1zMJwOeuuPLQuUNUBuaucT5lVoZpkF1olvwOunWjymJQ/vBaqASlgtnIp7zCGAQ 20 | oOszy1kh7+5233ubCxZs0V9jOH+pQd/c2EYwimkhJnP8pazrBvRwIOo7+3GsYzhm 21 | M1M13hl+DQvoc5f2BTXD53ADBxBNIfovn4+Dcqcje8EmOD/KwGZDBabxmA0sfLfc 22 | yOLsy7zr0Bq/YdLn22v9VhOFPwpFlS0CK1pUTxREHHwQD42bLk66alS9wpKGsHgm 23 | SJofPY2L9xQX1HCGXwN1LvEyiIHfzQhRndN4cmpzC2vcfYwZISZS6g9+rFM9ILQC 24 | nzvLlIOjPXYHx65DP3ABAoIBAQD7TpF71bBK90fHCx4+Z43RZ6lEJtVmwR0rFbLh 25 | C475NUkjIRILoGF4R2n7sjwfza8t+7bgIvKvLopnoLHyuEUxeygxAs8+/0vbkmP9 26 | 3pr2814B9MKmJZsXE/g8Rlv3E2562Sj6FmADwVA6Rfu7JkKL3ktz5h7E4rjIcGOQ 27 | 1B3nmYowzjJMNWSxFBa69HM+qVG+lstD63NxnOe7iDJtQ1ibtt3LiDxqzTq3+hdg 28 | aZvfQd7kQFhbjNsiKJd0HwPpbueMEioOhN+bLZ7eB3XAvIVxgd9aJC4EPU4X0O5O 29 | fYuCm2/cqrTZBL3G/M3KM8FSxcS5Z0X7FBQwlIeLtK1BJJHVAoIBAQDGYPnxx6eq 30 | RMkS5R/tumMrmBsBn9ezYiPA+wu69VJk+UuR0Mfl7g+/wHjPS/rVoRQ1VqPdKtFG 31 | dAFZlHTC0lTT7cy3USNdNlfuGR8ChQD4vG4brN+wZ6kReMMl95XLF/B/v6u5gDB6 32 | mhzMMJqxeBQEE+4Q37sppHX8k8rL8twRdp/axH3k2lmO+eBdvSUwnYDwgcILZV9q 33 | vmfA3P9KNMn4VvCe/9Qsw2m2AVhL67PzouK9Ztvqg3HeI5YkM9yondVnJqEFZ1sr 34 | bhpzbz1zFhxiykFaVNSG4NTQ3Sn5C8dbkPHrnnfirgrZvHvISBTM5EaFIwQ2WeQY 35 | 
v53mlxxUvqbBAoIBAHnYAyOWXK5MLGnuExDQpmr0JpZbebYjRWAhWiRQtVZQppA4 36 | tYYbkYZ+oX0eUpZc5GWYGHedmiqjlwldWUnEXA/8lWUF5rO1lfL0jDSHXH0FS/wI 37 | zuM9cm+DCCU5O9eUfUlkxsBSXuUTMjG+wqlfiH5GHjEoTpzJDCxqiWur3H/w6pZ1 38 | Mt/ON26/vbGRWdr0vyR3+j+JBeT83UIIa+Kb93cv92N6P0jNDn4q7HCbY66gQlBK 39 | fkyNA6YRJjVv4Daqxesc13VIqR2UxeUCmu4CuXRqMn+C8SivDJDxhMlbh2ugr2C/ 40 | B4X9DYJQCfrSkxXtu07lKoHsn0laikmLJUFjWK0CggEAZ+LBAWyc0P3UjqCOZ+AD 41 | rwCoo+EhBD+Qma7eJbnyvA4RFPtQs4hHlxMkMOqJIPaJrqUAiwGxNkPpsQ+dVajv 42 | 40vUuOs0qcuboIRnSNp998Q1pSiSu76NOykSiP9u4jxXJY8qTqpiuNGb4xJQ8D8B 43 | vGDzesKvMM9/OhXrTYKQ3FRSwi3D/+SYodcZN/2lTCAvNcO96lnb7fpoOweAaUvb 44 | uMFOoPU4F3j+EuIBa0CzrBLQyn7jC5xqNPpN1geStnpxFuOTz1Cg3c167JiEhZA+ 45 | rT1dnABwi3GSAQ7QvCr+62SsS8dg4MRjykJ6UBfvTJz+kRoVSqEoYg12kxrvKzHs 46 | AQKCAQBgaRHmwrIKUmSWML7lg77adc9+yqUJe/GeX01wcM/8OMOlR5XPkLVqw+ps 47 | J8FkvMG9bI+HpdqUXWOUR14Tes57z/3BXPDFoqSoU/zr7osk58tCRB0RP4OuFQ+f 48 | cDIxI1ub0sEQa6FkAVbf5c16K3Zx/Cd3qqW0x24nhCUdtcuu7F4Sn12/rF7jRZJl 49 | He5NdlLJFkCJWJrjP6sExpcMF5J+HcTmCM7SSQ2yfPuJmcDwuHw5UE6OMpfG32qb 50 | T5GnakNMSY0crUiAESWqu/kZjK2XsONYA2VTDKOIMjHUD8Id4HT0dz/D5Qo0QPMI 51 | hNQr6Ih8gvp55qD6mYZ3eYxOvP+x 52 | -----END PRIVATE KEY----- -------------------------------------------------------------------------------- /apache2/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | SORMAS HZI 4 | SORMAS HZI -------------------------------------------------------------------------------- /apache2/mod_auth_openidc.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SORMAS-Foundation/SORMAS-Docker/2c74a8ac64848e67970edfa554ccd490edbedaa2/apache2/mod_auth_openidc.so -------------------------------------------------------------------------------- /apache2/vhost.conf.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat << EOF > 
/usr/local/apache2/conf.d/000_${SORMAS_SERVER_URL}.conf 4 | 5 | ServerName ${SORMAS_SERVER_URL} 6 | 7 | RewriteEngine On 8 | RewriteCond %{HTTPS} !=on 9 | RewriteRule ^/(.*) https://${SORMAS_SERVER_URL}/$REQUEST_URI [R,L] 10 | 11 | 12 | Redirect 301 /$REQUEST_URI https://${SORMAS_SERVER_URL}/$REQUEST_URI 13 | 14 | 15 | EOF 16 | 17 | cat << EOF > /usr/local/apache2/conf.d/001_ssl_${SORMAS_SERVER_URL}.conf 18 | Listen 443 19 | 20 | ServerName ${SORMAS_SERVER_URL} 21 | # RedirectMatch: All locations not listed here will be redirected to sormas-ui 22 | # APACHE_REDIRECT_EXCLUDE Example Usage: "|test|test2" will add /test and /test2 to that list 23 | # IMPORTANT: it needs to start with "|" 24 | RedirectMatch "^(/(?!downloads|keycloak|metrics${APACHE_REDIRECT_EXCLUDE}).*)" https://${SORMAS_SERVER_URL}/sormas-ui\$1 25 | 26 | ErrorLog /var/log/apache2/error.log 27 | LogLevel warn 28 | LogFormat "%h %l %u %t \"%r\" %>s %b _%D_ \"%{User}i\" \"%{Connection}i\" \"%{Referer}i\" \"%{User-agent}i\"" combined_ext 29 | CustomLog /var/log/apache2/access.log combined_ext 30 | 31 | SSLEngine on 32 | SSLCertificateFile /usr/local/apache2/certs/${SORMAS_SERVER_URL}.crt 33 | SSLCertificateKeyFile /usr/local/apache2/certs/${SORMAS_SERVER_URL}.key 34 | #SSLCertificateChainFile /etc/ssl/certs/${SORMAS_SEVER_URL}.ca-bundle 35 | 36 | # disable weak ciphers and old TLS/SSL 37 | SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 38 | SSLCipherSuite TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305 39 | SSLHonorCipherOrder on 40 | #SSLCompression off 41 | 42 | ProxyRequests Off 43 | ProxyPreserveHost On 44 | ProxyPass /sormas-ui http://sormas:6080/sormas-ui connectiontimeout=5 timeout=${HTTP_TIMEOUT} 45 | ProxyPassReverse /sormas-ui http://sormas:6080/sormas-ui 46 | ProxyPass /sormas-rest http://sormas:6080/sormas-rest connectiontimeout=5 timeout=${HTTP_TIMEOUT} 47 | ProxyPassReverse 
/sormas-rest http://sormas:6080/sormas-rest 48 | ProxyPass /keycloak http://keycloak:8080/keycloak connectiontimeout=5 timeout=${HTTP_TIMEOUT} 49 | ProxyPassReverse /keycloak http://keycloak:8080/keycloak 50 | ProxyPass /sormas-angular http://sormas-angular:80/ connectiontimeout=5 timeout=${HTTP_TIMEOUT} 51 | ProxyPassReverse /sormas-angular/ http://sormas-angular:80/ 52 | 53 | ProxyPass http://sormas:6080/metrics connectiontimeout=5 timeout=${HTTP_TIMEOUT} 54 | ProxyPassReverse http://sormas:6080/metrics 55 | Order deny,allow 56 | Deny from all 57 | Allow from ${PROMETHEUS_SERVERS} 58 | 59 | 60 | RequestHeader set X-Forwarded-Proto https 61 | 62 | Options -Indexes 63 | AliasMatch "/downloads/sormas-(.*)" "/var/www/sormas/downloads/sormas-\$1" 64 | 65 | Alias "/downloads" "/var/www/sormas/downloads/" 66 | 67 | 68 | Require all granted 69 | Options +Indexes 70 | 71 | 72 | 73 | AddOutputFilterByType DEFLATE text/plain text/html text/xml 74 | AddOutputFilterByType DEFLATE text/css text/javascript 75 | AddOutputFilterByType DEFLATE application/json 76 | AddOutputFilterByType DEFLATE application/xml application/xhtml+xml 77 | AddOutputFilterByType DEFLATE application/javascript application/x-javascript 78 | DeflateCompressionLevel 1 79 | 80 | # Includes all files with the .conf ending in the conf.d/001_ssl_includes/ Directory 81 | # IMPORTANT: if you include a location you need to add it to the APACHE_REDIRECT_EXCLUDE variable 82 | IncludeOptional conf.d/001_ssl_includes/*.conf 83 | 84 | EOF 85 | exec $@ 86 | -------------------------------------------------------------------------------- /apache2nginx.sh: -------------------------------------------------------------------------------- 1 | #! 
/bin/#!/usr/bin/env bash 2 | 3 | source ./.env 4 | mkdir -p ./letsencrypt/certs/${SORMAS_SERVER_URL} 5 | cp ./apache2/certs/${SORMAS_SERVER_URL}.crt ./letsencrypt/certs/${SORMAS_SERVER_URL}/fullchain.pem 6 | cp ./apache2/certs/${SORMAS_SERVER_URL}.key ./letsencrypt/certs/${SORMAS_SERVER_URL}/privkey.pem 7 | -------------------------------------------------------------------------------- /build_lbds.Jenkinsfile: -------------------------------------------------------------------------------- 1 | node { 2 | 3 | def SORMAS_VERSION='' 4 | def SORMAS_VERSION_NIGHTLY='' 5 | 6 | 7 | stage('checkout') { 8 | git branch: '${BRANCH}', url: 'https://github.com/sormas-foundation/SORMAS-Docker.git' 9 | } 10 | 11 | 12 | 13 | stage('Build LBDS') { 14 | echo 'Building....' 15 | withCredentials([ usernamePassword(credentialsId: 'crowdcodeNexus', usernameVariable: 'CROWDCODE_NEXUS_USER', passwordVariable: 'CROWDCODE_NEXUS_PASSWORD' )]) { 16 | sh """ 17 | source ./.env 18 | cd lbds 19 | sudo docker build --pull --no-cache --build-arg LBDS_JAR_FILE_VERSION=${LBDS_JAR_FILE_VERSION} --build-arg CROWDCODE_NEXUS_USER=${CROWDCODE_NEXUS_USER} --build-arg CROWDCODE_NEXUS_PASSWORD="${CROWDCODE_NEXUS_PASSWORD}" -t hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} . 20 | """ 21 | } 22 | } 23 | 24 | 25 | stage('Deploy LBDS to registry') { 26 | echo 'Deploying....' 
27 | withCredentials([ usernamePassword(credentialsId: 'registry.netzlink.com', usernameVariable: 'MY_SECRET_USER_NLI', passwordVariable: 'MY_SECRET_USER_PASSWORD_NLI' )]) { 28 | sh """ 29 | sudo docker login -u '$MY_SECRET_USER_NLI' -p '$MY_SECRET_USER_PASSWORD_NLI' registry.netzlink.com 30 | sudo docker tag hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} registry.netzlink.com/hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} 31 | sudo docker push registry.netzlink.com/hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} 32 | sudo docker tag hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} registry.netzlink.com/hzibraunschweig/lbds:${SORMAS_DOCKER_VERSION} 33 | sudo docker push registry.netzlink.com/hzibraunschweig/lbds:${SORMAS_DOCKER_VERSION} 34 | echo 'Finished' 35 | """ 36 | } 37 | } 38 | } -------------------------------------------------------------------------------- /build_polling_github.Jenkinsfile: -------------------------------------------------------------------------------- 1 | node { 2 | 3 | stage('checkout') { 4 | git branch: '${BRANCH}', url: 'https://github.com/sormas-foundation/SORMAS-Docker.git' 5 | } 6 | 7 | stage('set variables') { 8 | sh "sed -i '/^GEO_TEMPLATE/d ' ./.env" 9 | } 10 | 11 | stage('Build') { 12 | sh """ 13 | source ./.env 14 | sudo docker system prune -f 15 | sudo docker build --pull --no-cache -t sormas-application:latest sormas/ 16 | sudo docker build --no-cache -t sormas-postgres:latest postgres/ 17 | sudo docker build --pull --no-cache -t sormas-apache2:latest apache2/ 18 | sudo docker build --pull --no-cache -t sormas-pg-dump:latest pg_dump/ 19 | sudo docker build --pull --no-cache -t sormas-keycloak:latest keycloak/ 20 | sudo docker build --pull --no-cache -t sormas-keycloak-postgres:latest keycloak-postgres/ 21 | sudo docker build --pull --no-cache -t sormas-pg-debug:latest pg_debug/ 22 | """ 23 | } 24 | } -------------------------------------------------------------------------------- /central/.env: 
-------------------------------------------------------------------------------- 1 | DOCKER_REGISTRY=docker.io 2 | CENTRAL_DOCKER_VERSION=0.1 3 | CENTRAL_ETCD_VERSION=v3.5.0 4 | CENTRAL_KEYCLOAK_VERSION=12.0.4 5 | -------------------------------------------------------------------------------- /central/.env_etcd: -------------------------------------------------------------------------------- 1 | ROOT_PWD=password 2 | S2S_CLIENT_PWD=password 3 | -------------------------------------------------------------------------------- /central/.env_keycloak: -------------------------------------------------------------------------------- 1 | KEYCLOAK_USER=admin 2 | KEYCLOAK_PASSWORD=admin 3 | -------------------------------------------------------------------------------- /central/.gitignore: -------------------------------------------------------------------------------- 1 | keycloak/data -------------------------------------------------------------------------------- /central/backup/.gitignore: -------------------------------------------------------------------------------- 1 | volumes 2 | -------------------------------------------------------------------------------- /central/backup/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.15.0 as builder 2 | ADD https://github.com/etcd-io/etcd/releases/download/v3.5.2/etcd-v3.5.2-linux-amd64.tar.gz /etcd-v3.5.2-linux-amd64.tar.gz 3 | RUN tar xzvf /etcd-v3.5.2-linux-amd64.tar.gz 4 | 5 | ###################################################################################################################################################### 6 | 7 | FROM alpine:3.15.0 8 | 9 | # Packages installation from repository 10 | RUN apk add docker-cli postgresql-client zstd tree 11 | 12 | # etcdctl installation 13 | COPY --from=builder etcd-v3.5.2-linux-amd64 /etcd 14 | RUN ln -s /etcd/etcdctl /usr/bin/etcdctl 15 | 16 | # Scripts 17 | COPY main.sh /main.sh 18 | 19 | # Entrypoint and 
command configuration 20 | COPY entrypoint.sh /entrypoint.sh 21 | ENTRYPOINT ["/entrypoint.sh"] 22 | CMD [ "/usr/sbin/crond", "-f" ] 23 | 24 | VOLUME "/backup" 25 | -------------------------------------------------------------------------------- /central/backup/README.md: -------------------------------------------------------------------------------- 1 | # S2S central backup 2 | 3 | This image is created to provide S2S central backup functionality. 4 | 5 | ## Main responsibility 6 | 7 | Main responsibility of this images are: 8 | * backup of postgres database 9 | * backup of ETCD cluster 10 | * removal of old backups 11 | 12 | ## Image features 13 | 14 | There are two noteworthy features of docker image: cron configuration and volume for backups storing. 15 | 16 | ### Cron 17 | 18 | Backup is triggered via internal cron job. It's default configuration can be described via this snippet: 19 | 20 | ``` 21 | # min hour day month weekday command 22 | ${MIN} ${HOUR} * * * /main.sh >> /log 2>&1 23 | ``` 24 | 25 | where MIN is selected randomly in range of "1-20,31-59" and HOUR is "0,4,7,8,9,10,11,12,13,14,15,16,17,18,20". 26 | 27 | To change this configuration, use environment variables MIN and HOUR, e.g. 28 | 29 | MIN=1,4 30 | 31 | HOUR=* 32 | 33 | ### Volume 34 | 35 | By default docker image has one anonymous volume mounted at internal directory **/backup**. 36 | 37 | ## Postgres backups 38 | 39 | Postgres backups are done for every container labeled **backup.type=postgres** (see [example](tests/docker-compose.yml)). 40 | 41 | Postgres container needs these environment variables to be defined: 42 | * POSTGRES_USER 43 | * POSTGRES_PASSWORD 44 | 45 | Backups are done for all databases visible for POSTGRES_USER in postgres instance besides default ones: 46 | * postgres 47 | * template0 48 | * template1 49 | 50 | ## ETCD backup 51 | 52 | ETCD backups are done for every container labeled **backup.type=etcd** (see [example](tests/docker-compose.yml)). 
53 | 54 | Postgres container needs these labels to be defined: 55 | * backup.user - etcd user with right to read everything 56 | * backup.password - if user is defined, this label has to be also defined 57 | * backup.encrypted - indicates, that https has to be used (certificate is not validated) 58 | 59 | ## Removal of old backups 60 | 61 | As disk space is not unlimited, removal of old backups is introduced. When quantity of backups for each database or etcd cluster is reached, oldest backup is removed. This threshold can be configured via environment variable **MAX_DUMPS**. If this variable is not defined, it is taking value of 60. With default cron configuration it will provide around 2 days worth of backups. 62 | 63 | ## Tests 64 | 65 | In directory you can find scripts and additional resources which supports manual testing of this image. 66 | 67 | ### docker-compose.yml 68 | 69 | This manifest contains example of deployment. 70 | 71 | ### start.sh 72 | 73 | Helper script used to start local deployment used for testing. Noteworthy is that **main.sh** script is mounted as volume. This enables to changing backup behavior "on the fly". 74 | 75 | ### check.sh 76 | 77 | This script is showing current contents of test databases and etcd clusters. 78 | 79 | ### backup.sh 80 | 81 | This script removes all backups, trigger backup mechanism once and shows content of **/backup** directory in tree format. 82 | 83 | ### backup-multiple.sh 84 | 85 | This script removes all backups, trigger backup mechanism couple of times and shows content of **/backup** directory in tree format. 86 | -------------------------------------------------------------------------------- /central/backup/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This section provides MIN in range of "1-20,31-59", e.g. 
MIN=5,35 4 | RAND=$(( $RANDOM % 19 + 1 )) 5 | MIN=${MIN:-${RAND},$(( ${RAND} + 30 ))} 6 | HOUR=${HOUR:-0,4,7,8,9,10,11,12,13,14,15,16,17,18,20} 7 | 8 | cat<> /log 2>&1 11 | EOF 12 | 13 | # see: https://github.com/dubiousjim/dcron/issues/13 14 | # ignore using `exec` for `dcron` to get another pid instead of `1` 15 | "$@" 16 | # sleep infinity 17 | -------------------------------------------------------------------------------- /central/backup/main.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | GetContainerLabel() { 4 | CONTAINER_ID=$1 5 | LABEL=$2 6 | docker inspect --format="{{index .Config.Labels \"$LABEL\"}}" $CONTAINER_ID 7 | } 8 | 9 | GetComposeService() { 10 | CONTAINER_ID=$1 11 | docker inspect --format='{{index .Config.Labels "com.docker.compose.service"}}' $CONTAINER_ID 12 | } 13 | 14 | GetContainerEnv() { 15 | CONTAINER_ID=$1 16 | ENV=$2 17 | docker inspect --format='{{range .Config.Env}}{{println .}}{{end}}' $CONTAINER_ID | grep $ENV | sed 's/^.*=//' 18 | } 19 | 20 | GetBackupLabeledContainers() { 21 | TYPE=$1 22 | docker container ls --filter "label=backup.type=$TYPE" --format='{{json .ID}}' | tr -d '"' 23 | } 24 | 25 | GetDatabasesToBackup() { 26 | psql -l -t | cut -d '|' -f 1 | tr -d '[[:blank:]]' | grep -v -E "postgres|template0|template1" | sed '/^$/d' 27 | } 28 | 29 | CleanOldDumps() { 30 | DUMP_DIR=$1 31 | DUMPS_TO_REMOVE=$(ls $DUMP_DIR | head -n -$MAX_DUMPS) 32 | for DUMP in $DUMPS_TO_REMOVE; do 33 | echo "Removing old dump \"$DUMP\"" 34 | rm $DUMP_DIR/$DUMP 35 | done 36 | } 37 | 38 | DumpDatabase() { 39 | SERVICE=$1 40 | DATABASE=$2 41 | mkdir -p /backup/postgres/$SERVICE/$DATABASE 42 | pg_dump $DATABASE | zstd > /backup/postgres/$SERVICE/$DATABASE/$SERVICE.$DATABASE.$DATE.zst 43 | } 44 | 45 | CleanDatabaseDumps() { 46 | SERVICE=$1 47 | DATABASE=$2 48 | CleanOldDumps /backup/postgres/$SERVICE/$DATABASE 49 | } 50 | 51 | DumpETCD() { 52 | SERVICE=$1 53 | ETCD_FLAGS=$2 54 | mkdir -p 
/backup/etcd/$SERVICE 55 | 56 | TMP_BACKUP=$(mktemp -u) 57 | etcdctl snapshot save $TMP_BACKUP $ETCD_FLAGS &>/dev/null 58 | zstd -q --rm $TMP_BACKUP -o /backup/etcd/$SERVICE/$SERVICE.etcd.$DATE.zst 59 | } 60 | 61 | CleanETCDDumps() { 62 | SERVICE=$1 63 | CleanOldDumps /backup/etcd/$SERVICE 64 | } 65 | 66 | ###################################################################################################################################################### 67 | ### Main 68 | ###################################################################################################################################################### 69 | 70 | export DATE=$(date +%F-%T) 71 | MAX_DUMPS=${MAX_DUMPS:-60} # Should backups around two days worth of backups with default settings 72 | 73 | ################################################## 74 | ### Postgres backups 75 | ################################################## 76 | 77 | for CONTAINER_ID in $(GetBackupLabeledContainers postgres); do 78 | SERVICE=$(GetComposeService $CONTAINER_ID) 79 | POSTGRES_USER=$(GetContainerEnv $CONTAINER_ID POSTGRES_USER) 80 | POSTGRES_PASSWORD=$(GetContainerEnv $CONTAINER_ID POSTGRES_PASSWORD) 81 | 82 | export PGUSER=$POSTGRES_USER 83 | export PGPASSWORD=$POSTGRES_PASSWORD 84 | export PGHOST=$CONTAINER_ID 85 | 86 | for DATABASE in $(GetDatabasesToBackup); do 87 | DumpDatabase $SERVICE $DATABASE 88 | CleanDatabaseDumps $SERVICE $DATABASE 89 | done 90 | done 91 | 92 | ################################################## 93 | ### ETCD backups 94 | ################################################## 95 | 96 | for CONTAINER_ID in $(GetBackupLabeledContainers etcd); do 97 | SERVICE=$(GetComposeService $CONTAINER_ID) 98 | ETCD_USER=$(GetContainerLabel $CONTAINER_ID backup.user) 99 | ETCD_PASSWORD=$(GetContainerLabel $CONTAINER_ID backup.password) 100 | ETCD_ENCRYPTED=$(GetContainerLabel $CONTAINER_ID backup.encrypted) 101 | 102 | ETCD_FLAGS="" 103 | if [ "$ETCD_USER" != "" ] && [ "$ETCD_PASSWORD" != "" ]; then 
104 | ETCD_FLAGS="--user=$ETCD_USER --password=$ETCD_PASSWORD" 105 | fi 106 | 107 | if [ "$ETCD_ENCRYPTED" == "true" ]; then 108 | ETCD_FLAGS="$ETCD_FLAGS --endpoints=https://$SERVICE:2379 --insecure-transport=false --insecure-skip-tls-verify" 109 | else 110 | ETCD_FLAGS="$ETCD_FLAGS --endpoints=http://$SERVICE:2379" 111 | fi 112 | 113 | DumpETCD $SERVICE "$ETCD_FLAGS" 114 | CleanETCDDumps $SERVICE 115 | done 116 | -------------------------------------------------------------------------------- /central/backup/tests/backup-multiple.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ITERATION=${1:-30} 4 | 5 | set -x 6 | PS4="\n>>>>>> " 7 | 8 | docker-compose exec backup sh -c "rm -fr /backup/*" 9 | for i in $(seq 1 $ITERATION); do 10 | echo ">>>>>> $i/$ITERATION" 11 | docker-compose exec backup /main.sh 12 | done 13 | docker-compose exec backup tree -C /backup 14 | docker-compose exec backup date 15 | -------------------------------------------------------------------------------- /central/backup/tests/backup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x 4 | PS4="\n>>>>>> " 5 | 6 | docker-compose exec backup sh -c "rm -fr /backup/*" 7 | docker-compose exec backup /main.sh 8 | docker-compose exec backup tree -C /backup 9 | docker-compose exec backup date 10 | -------------------------------------------------------------------------------- /central/backup/tests/check.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x 4 | PS4="\n>>>>>> " 5 | 6 | docker-compose exec postgres_first psql -U first_user first_default_database -c '\dt;' 7 | docker-compose exec postgres_first psql -U first_user first_database_created_by_init -c 'SELECT * FROM Persons;' 8 | 9 | docker-compose exec postgres_second psql -U second_user second_default_database -c '\dt;' 10 | docker-compose exec 
postgres_second psql -U second_user second_database_created_by_init -c 'SELECT * FROM Persons;' 11 | 12 | docker-compose exec etcd_plain etcdctl get / --prefix 13 | docker-compose exec etcd_auth etcdctl get / --prefix --user=root --password=second_password 14 | #https://github.com/etcd-io/etcd/issues/11693#issuecomment-825653253 15 | docker-compose exec etcd_secured etcdctl --insecure-transport=false --insecure-skip-tls-verify get / --prefix --user=root --password=secured_password 16 | -------------------------------------------------------------------------------- /central/backup/tests/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '2.3' 2 | 3 | services: 4 | postgres_first: 5 | labels: 6 | - backup.type=postgres 7 | build: 8 | context: testers/postgres 9 | command: first 10 | environment: 11 | - POSTGRES_PASSWORD=dbsecret_for_first_database 12 | - POSTGRES_USER=first_user 13 | - POSTGRES_DB=first_default_database 14 | volumes: 15 | - ./volumes/postgres_1:/var/lib/postgresql/data 16 | 17 | postgres_second: 18 | labels: 19 | - backup.type=postgres 20 | build: 21 | context: testers/postgres 22 | command: second 23 | environment: 24 | - POSTGRES_PASSWORD=dbsecret_for_second_database 25 | - POSTGRES_USER=second_user 26 | - POSTGRES_DB=second_default_database 27 | volumes: 28 | - ./volumes/postgres_2:/var/lib/postgresql/data 29 | 30 | etcd_plain: 31 | labels: 32 | - backup.type=etcd 33 | build: 34 | context: testers/etcd 35 | command: plain 36 | 37 | etcd_auth: 38 | labels: 39 | - backup.type=etcd 40 | - backup.user=root 41 | - backup.password=second_password 42 | build: 43 | context: testers/etcd 44 | command: auth 45 | 46 | etcd_secured: 47 | labels: 48 | - backup.type=etcd 49 | - backup.user=root 50 | - backup.password=secured_password 51 | - backup.encrypted=true 52 | build: 53 | context: testers/etcd 54 | command: secured 55 | 56 | backup: 57 | build: 58 | context: .. 
59 | environment: 60 | - MAX_DUMPS=3 61 | volumes: 62 | - /var/run/docker.sock:/var/run/docker.sock 63 | - ./volumes/backup:/backup 64 | - ./local-test.sh:/local-test.sh 65 | - ../main.sh:/main.sh 66 | -------------------------------------------------------------------------------- /central/backup/tests/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | docker-compose down && sudo rm -fr volumes/ && docker-compose up --build --remove-orphans 4 | -------------------------------------------------------------------------------- /central/backup/tests/testers/etcd/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM quay.io/coreos/etcd:v3.5.0 2 | 3 | RUN apt update && apt install -y bash openssl 4 | 5 | COPY res /res 6 | RUN chmod a+x /res/*.sh 7 | ENTRYPOINT ["/res/entrypoint.sh"] 8 | CMD [] 9 | -------------------------------------------------------------------------------- /central/backup/tests/testers/etcd/res/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -x 3 | CMD=$1 4 | 5 | case $CMD in 6 | plain|auth) 7 | /res/setup.sh $CMD & 8 | /usr/local/bin/etcd --config-file /res/etcd.yml 9 | ;; 10 | 11 | secured) 12 | mkdir /certs 13 | cd /certs 14 | openssl req \ 15 | -nodes \ 16 | -newkey rsa:2048 \ 17 | -keyout server.key \ 18 | -x509 \ 19 | -days 365 \ 20 | -out server.crt \ 21 | -subj "/CN=etcd_secured" \ 22 | -addext "subjectAltName = DNS:etcd_secured" 23 | openssl x509 -in server.crt -text -noout 24 | cd / 25 | 26 | /res/setup.sh $CMD & 27 | /usr/local/bin/etcd --config-file /res/etcd-secured.yml 28 | ;; 29 | 30 | *) 31 | echo "CMD \"$CMD\" is not know" 32 | exit -1 33 | ;; 34 | esac 35 | -------------------------------------------------------------------------------- /central/backup/tests/testers/etcd/res/etcd-secured.yml: 
-------------------------------------------------------------------------------- 1 | advertise-client-urls: https://0.0.0.0:2379 2 | listen-client-urls: https://0.0.0.0:2379 3 | initial-cluster-state: new 4 | client-transport-security: 5 | cert-file: /certs/server.crt 6 | key-file: /certs/server.key 7 | -------------------------------------------------------------------------------- /central/backup/tests/testers/etcd/res/etcd.yml: -------------------------------------------------------------------------------- 1 | advertise-client-urls: http://0.0.0.0:2379 2 | listen-client-urls: http://0.0.0.0:2379 3 | initial-cluster-state: new 4 | -------------------------------------------------------------------------------- /central/backup/tests/testers/etcd/res/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -x 3 | CMD=$1 4 | sleep 5 5 | 6 | case $CMD in 7 | plain) 8 | etcdctl put /a/b Poland 9 | etcdctl put /a/b/c China 10 | etcdctl put /a/c Germany 11 | etcdctl get / --prefix 12 | ;; 13 | 14 | auth) 15 | etcdctl user add root --new-user-password=second_password 16 | etcdctl put /x/y Atlantic 17 | etcdctl put /x/y/z Baltic 18 | etcdctl put /x/z Narnia 19 | etcdctl get / --prefix 20 | etcdctl auth enable 21 | etcdctl get / --prefix --user=root --password=second_password 22 | ;; 23 | 24 | secured) 25 | etcdctl --endpoints=https://etcd_secured:2379 --cacert=/certs/server.crt user add root --new-user-password=secured_password 26 | etcdctl --endpoints=https://etcd_secured:2379 --cacert=/certs/server.crt put /1/2 Rivest 27 | etcdctl --endpoints=https://etcd_secured:2379 --cacert=/certs/server.crt put /1/2/3 Shamir 28 | etcdctl --endpoints=https://etcd_secured:2379 --cacert=/certs/server.crt put /1/3 Adleman 29 | etcdctl --endpoints=https://etcd_secured:2379 --cacert=/certs/server.crt get / --prefix 30 | etcdctl --endpoints=https://etcd_secured:2379 --cacert=/certs/server.crt auth enable 31 | etcdctl 
--endpoints=https://etcd_secured:2379 --cacert=/certs/server.crt get / --prefix --user=root --password=secured_password 32 | ;; 33 | *) 34 | echo "CMD \"$CMD\" is not know" 35 | exit 1 36 | ;; 37 | esac 38 | -------------------------------------------------------------------------------- /central/backup/tests/testers/postgres/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM postgres:13.4 2 | 3 | COPY res /res 4 | RUN chmod a+x /res/*.sh 5 | ENTRYPOINT [ "/res/entrypoint.sh" ] 6 | CMD [] 7 | -------------------------------------------------------------------------------- /central/backup/tests/testers/postgres/res/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | INIT_TYPE=$1 4 | 5 | case $INIT_TYPE in 6 | first) 7 | cp /res/first.sql /docker-entrypoint-initdb.d/ 8 | ;; 9 | second) 10 | cp /res/second.sql /docker-entrypoint-initdb.d/ 11 | ;; 12 | esac 13 | 14 | /usr/local/bin/docker-entrypoint.sh postgres 15 | -------------------------------------------------------------------------------- /central/backup/tests/testers/postgres/res/first.sql: -------------------------------------------------------------------------------- 1 | CREATE DATABASE first_database_created_by_init; 2 | \c first_database_created_by_init; 3 | 4 | CREATE SEQUENCE seq_person; 5 | CREATE TABLE Persons ( 6 | LastName varchar(255), 7 | FirstName varchar(255), 8 | id integer NOT NULL DEFAULT nextval('seq_person') 9 | ); 10 | 11 | INSERT INTO Persons VALUES ('First', 'User'); 12 | INSERT INTO Persons VALUES ('Second', 'User'); 13 | -------------------------------------------------------------------------------- /central/backup/tests/testers/postgres/res/second.sql: -------------------------------------------------------------------------------- 1 | CREATE DATABASE second_database_created_by_init; 2 | \c second_database_created_by_init; 3 | 4 | CREATE SEQUENCE seq_person; 5 
| CREATE TABLE Persons ( 6 | LastName varchar(255), 7 | FirstName varchar(255), 8 | id integer NOT NULL DEFAULT nextval('seq_person') 9 | ); 10 | 11 | INSERT INTO Persons VALUES ('Third', 'User'); 12 | INSERT INTO Persons VALUES ('Fourth', 'User'); 13 | -------------------------------------------------------------------------------- /central/docker-compose-build.yml: -------------------------------------------------------------------------------- 1 | services: 2 | etcd: 3 | build: etcd 4 | image: ${DOCKER_REGISTRY}/hzibraunschweig/central-etcd:${CENTRAL_DOCKER_VERSION} 5 | 6 | backup: 7 | build: backup 8 | image: ${DOCKER_REGISTRY}/hzibraunschweig/central-backup:${CENTRAL_DOCKER_VERSION} 9 | -------------------------------------------------------------------------------- /central/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | 5 | keycloak: 6 | image: quay.io/keycloak/keycloak:${CENTRAL_KEYCLOAK_VERSION} 7 | env_file: 8 | - .env_keycloak 9 | volumes: 10 | - ./keycloak/data:/opt/jboss/keycloak/standalone/data/ 11 | ports: 12 | - 8080:8080 13 | 14 | etcd: 15 | image: quay.io/coreos/etcd:${CENTRAL_ETCD_VERSION} 16 | env_file: 17 | - .env_etcd 18 | volumes: 19 | - ./etcd/fixtures:/srv/fixtures 20 | - ./etcd/tls-setup/certs/:/srv/certs/ 21 | - ./etcd/etcd.yml:/etc/etcd/etcd.yml:ro 22 | ports: 23 | - "4001:4001" 24 | - "2379:2379" 25 | - "2380:2380" 26 | 27 | -------------------------------------------------------------------------------- /central/etcd/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM quay.io/coreos/etcd:v3.5.0 2 | 3 | RUN apt update && apt upgrade -y 4 | RUN apt install bash procps -y 5 | 6 | RUN mkdir /srv/fixtures/ 7 | COPY setup_and_run.sh /srv 8 | 9 | RUN mkdir /srv/certs/ 10 | CMD /srv/setup_and_run.sh -------------------------------------------------------------------------------- /central/etcd/etcd.yml: 
-------------------------------------------------------------------------------- 1 | data-dir: /var/run/etcd/ 2 | name: etcd 3 | log-level: debug 4 | listen-client-urls: https://0.0.0.0:2379 5 | advertise-client-urls: https://etcd:2379 6 | client-transport-security: 7 | cert-file: /srv/certs/etcd/etcd.pem 8 | key-file: /srv/certs/etcd/etcd-key.pem 9 | -------------------------------------------------------------------------------- /central/etcd/fixtures/import.txt: -------------------------------------------------------------------------------- 1 | /s2s/2.sormas.id.sormas_a {"id":"2.sormas.id.sormas_a","name":"sormas_a_org_name","hostName":"sormas_a:6080"} 2 | /s2s/2.sormas.id.sormas_b {"id":"2.sormas.id.sormas_b","name":"sormas_b_org_name","hostName":"sormas_b:6080"} 3 | -------------------------------------------------------------------------------- /central/etcd/fixtures/server-descriptors.txt: -------------------------------------------------------------------------------- 1 | /s2s/2.sormas.id.sormas_a {"id":"2.sormas.id.sormas_a","name":"sormas_a_org_name","hostName":"sormas_a:6080"} 2 | /s2s/2.sormas.id.sormas_b {"id":"2.sormas.id.sormas_b","name":"sormas_b_org_name","hostName":"sormas_b:6080"} 3 | -------------------------------------------------------------------------------- /central/etcd/setup_and_run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # fork to background 4 | /usr/local/bin/etcd --config-file /etc/etcd/etcd.yml & 5 | 6 | 7 | echo "starting import" 8 | sleep 3 9 | 10 | if [ ! -f /srv/fixtures/import.txt ]; then 11 | echo "File not found!" 
12 | fi 13 | 14 | 15 | # see https://mywiki.wooledge.org/BashFAQ/089 16 | while read -r line <&3; do 17 | key=$(echo "${line}" | cut -d' ' -f1) 18 | value=$(echo "${line}" | cut -d' ' -f2) 19 | echo "Inserting ${key} : ${value}" 20 | etcdctl --cacert=/srv/certs/ca/ca.pem --endpoints=https://localhost:2379 put "$key" "$value" || exit 0 21 | done 3 2 | 3 | SORMAS - Surveillance, Outbreak Response Management and Analysis System 8 | 9 |

10 | 11 | # Container Postgres 12 | 13 | The postgres container is built from the image `postgres:10-alpine`. It uses a prepared `/etc/postgresql/postgresql.conf` file with the parameter: 14 | 15 | ```shell 16 | max_prepared_transactions = 110 # zero disables the feature 17 | ``` 18 | 19 | This is needed to successfully deploy Keycloak for SORMAS. 20 | 21 | 

22 | 23 | netzlink-Logo_weißrot 29 | 30 |

31 | 32 | -------------------------------------------------------------------------------- /keycloak/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG KEYCLOAK_VERSION=21.1.2 2 | 3 | # 1. Get config data from SORMAS release archive 4 | FROM redhat/ubi8-minimal:latest as config-source 5 | USER root 6 | RUN microdnf update && microdnf install -y wget unzip 7 | 8 | ARG SORMAS_URL=https://github.com/sormas-foundation/SORMAS-Project/releases/download/ 9 | ARG SORMAS_VERSION=1.82.0 10 | 11 | RUN cd /tmp && \ 12 | wget ${SORMAS_URL}v${SORMAS_VERSION}/sormas_${SORMAS_VERSION}.zip -O sormas.zip && \ 13 | unzip sormas.zip 14 | 15 | # 2. Configure keycloak 16 | # when updating keycloak version check https://www.keycloak.org/docs/latest/upgrading/index.html#migration-changes 17 | # also make sure to update the keycloak dependency in SORMAS-Project 18 | ARG KEYCLOAK_VERSION 19 | FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION} as kc-builder 20 | WORKDIR /opt/keycloak 21 | 22 | USER root 23 | COPY --from=config-source /tmp/deploy/keycloak /tmp/deploy/keycloak 24 | RUN chown -R -c keycloak /tmp/deploy/keycloak 25 | USER keycloak 26 | 27 | RUN mv /tmp/deploy/keycloak/themes/* themes/ 28 | 29 | RUN mkdir "data/import" && \ 30 | mv /tmp/deploy/keycloak/SORMAS.json data/import/ && \ 31 | mv /tmp/deploy/keycloak/*.jar providers/ 32 | 33 | # Optimize startup by building once 34 | # https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup 35 | # --http-relative-path to register the reverse proxy path 36 | # Addtional settings are done when starting the keycloak in /start-keycloak.sh 37 | RUN bin/kc.sh build --db postgres --spi-password-hashing-sormas-sha256-enabled=true \ 38 | --http-relative-path=/keycloak --health-enabled=true --metrics-enabled=true 39 | 40 | # 3. 
Runtime container 41 | ARG KEYCLOAK_VERSION 42 | FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION} 43 | 44 | USER root 45 | COPY start-keycloak.sh /start-keycloak.sh 46 | COPY update-realm.sh /update-realm.sh 47 | COPY --from=kc-builder /opt/keycloak/ /opt/keycloak/ 48 | RUN chown keycloak /start-keycloak.sh \ 49 | && chown keycloak /update-realm.sh \ 50 | && chmod ug+x /start-keycloak.sh \ 51 | && chmod ug+x /update-realm.sh 52 | USER keycloak 53 | WORKDIR /opt/keycloak 54 | 55 | ENTRYPOINT ["/start-keycloak.sh"] -------------------------------------------------------------------------------- /keycloak/README.md: -------------------------------------------------------------------------------- 1 |

2 | 3 | SORMAS - Surveillance, Outbreak Response Management and Analysis System 8 | 9 |

10 | 11 | # Container Keycloak 12 | 13 | The Keycloak container is built from `jboss/keycloak:16.1.0`. 14 | 15 | It loads a predefined `SORMAS` Realm, `sormas` theme and a custom SPI `sormas-keycloak-service-provider`. 16 | 17 | ## SORMAS Realm 18 | 19 | It comes predefined with 4 clients and 1 role. 20 | 21 | Clients: 22 | * `sormas-app` - client used by the mobile app to perform the OAuth2 Flow 23 | * `sormas-rest` - client used by the backend to validate access through the REST API 24 | * supports Basic and Bearer authentication 25 | * requires `REST_USER` role to pre-validate the access to the API 26 | * `sormas-ui` - client used by the Sormas UI to authenticate the user through OpenID 27 | * `sormas-backend` - client used by the backend to handle user creation and password resets 28 | 29 | Role: `REST_USER` 30 | 31 | ## Customization 32 | 33 | The container comes with a custom SORMAS theme which provides custom styles for the following screens: 34 | * Login 35 | * Set Password 36 | * Reset Password 37 | 38 | Besides the custom styles, there are some custom translation messages. 39 | 40 | ## Deploy 41 | 42 | ### Environment variables 43 | 44 | The deployment can be customized through the following environment variables. The `*_PASSWORD` and `*_SECRET` variables are credentials and should be supplied from a secret store rather than committed to the repository. 45 | ``` 46 | KEYCLOAK_DB_HOST 47 | KEYCLOAK_DB_NAME 48 | KEYCLOAK_DB_USER 49 | KEYCLOAK_DB_PASSWORD 50 | KEYCLOAK_DB_VENDOR 51 | 52 | KEYCLOAK_ADMIN_USER 53 | KEYCLOAK_ADMIN_PASSWORD 54 | 55 | KEYCLOAK_CPUS 56 | KEYCLOAK_MEM 57 | KEYCLOAK_MEM_RESERVED 58 | 59 | KEYCLOAK_SORMAS_UI_SECRET 60 | KEYCLOAK_SORMAS_REST_SECRET 61 | KEYCLOAK_SORMAS_BACKEND_SECRET 62 | 63 | SORMAS_SERVER_URL 64 | ``` 65 | 66 | In case Keycloak is enabled as an Authentication provider, the following environment variables are needed for the SORMAS app: 67 | ``` 68 | CACERTS_PASS 69 | KEYSTORE_PASS 70 | ``` 71 | 72 | 73 | ### Manual configurations 74 | 75 | Besides the deployment variables, some manual configuration is required as well. 
76 | 77 | After deployment, the following configurations have to be done from the Keycloak Admin Console: 78 | 1. Enable internationalization for `sormas-ui` and select the available locales and default locale. 79 | 2. Update email SMTP settings for the SORMAS realm 80 | 81 | ### Keycloak Configuration Upgrade 82 | 83 | Keycloak configuration changes are usually part of the [SORMAS.json](https://github.com/sormas-foundation/SORMAS-Project/blob/development/sormas-base/setup/keycloak/SORMAS.json) file. 84 | 85 | The SORMAS Keycloak image automatically adds any new realm resources by running the [update-realm.sh](update-realm.sh) script at startup. 86 | This only imports new resources and doesn't remove/update existing resources. 87 | 88 | Any update or deletion has to be done manually using the Keycloak Admin console. 89 | 90 | -------------------------------------------------------------------------------- /keycloak/start-keycloak.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | /update-realm.sh & 5 | 6 | # --import-realm imports all realm JSON files provided in data/import https://www.keycloak.org/server/containers#_importing_a_realm_on_startup 7 | # --hostname-strict-https b/c of keycloak/keycloak#11922 8 | # --http-enabled / --proxy for HTTP between reverse proxy and the container 9 | /opt/keycloak/bin/kc.sh start --optimized --import-realm \ 10 | --hostname-strict-https=false --http-enabled=true --proxy=edge \ 11 | --log-level=INFO,org.keycloak.events:DEBUG -------------------------------------------------------------------------------- /keycloak/update-realm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | KCADM="/opt/keycloak/bin/kcadm.sh" 4 | 5 | until $(${KCADM} config credentials --server http://localhost:8080/keycloak \ 6 | --user ${KEYCLOAK_ADMIN} --password ${KEYCLOAK_ADMIN_PASSWORD} --realm master &> /dev/null); 7 | do 8 | 
sleep 5s 9 | done 10 | 11 | ${KCADM} create partialImport -r SORMAS -s ifResourceExists=SKIP -o -f /opt/keycloak/data/import/SORMAS.json -------------------------------------------------------------------------------- /lbds/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM openjdk:13 2 | 3 | LABEL maintainer="development@crowdcode.io" \ 4 | description="Document Import Service" 5 | 6 | ARG LBDS_JAR_FILE_VERSION=1.14.5 7 | ARG CROWDCODE_NEXUS_USER=unknown 8 | ARG CROWDCODE_NEXUS_PASSWORD=unknown 9 | 10 | ENV LBDS_JAR_FILE_VERSION=$LBDS_JAR_FILE_VERSION 11 | ENV BACKENDPATH=unknown 12 | 13 | # Add a service user to run our application so that it doesn't need to run as root 14 | RUN useradd -ms /bin/bash serviceuser 15 | WORKDIR /home/serviceuser 16 | ADD entrypoint.sh entrypoint.sh 17 | 18 | RUN chmod 755 entrypoint.sh && chown serviceuser entrypoint.sh \ 19 | && mkdir -p /home/serviceuser/var/log/payload && chown -R serviceuser /home/serviceuser/var \ 20 | && mkdir /config && chmod 755 /config 21 | 22 | RUN yum -y update \ 23 | && yum -y install wget \ 24 | && yum clean all 25 | 26 | RUN echo "${CROWDCODE_NEXUS_USER}" && echo "${CROWDCODE_NEXUS_PASSWORD}" 27 | 28 | RUN BACKENDPATH=`echo ${LBDS_JAR_FILE_VERSION} | sed "s#-.*#-SNAPSHOT#"` \ 29 | && wget -v -O service-application.jar \ 30 | --user="${CROWDCODE_NEXUS_USER}" \ 31 | --password="${CROWDCODE_NEXUS_PASSWORD}" \ 32 | "https://repo.crowdcode.io/repository/hzi-maven-group/org/hzi/sormas/lbds/lbds-backend/${BACKENDPATH}/lbds-backend-${LBDS_JAR_FILE_VERSION}.jar" 33 | 34 | ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \ 35 | JAVA_OPTS="-Xmx512M" 36 | 37 | USER serviceuser 38 | 39 | EXPOSE 8080 40 | 41 | ENTRYPOINT ["./entrypoint.sh"] -------------------------------------------------------------------------------- /lbds/Jenkinsfile: -------------------------------------------------------------------------------- 1 | node { 2 | 3 | 4 | stage('checkout') { 5 | git branch: 
'${BRANCH}', url: 'https://github.com/sormas-foundation/SORMAS-Docker.git' 6 | } 7 | 8 | stage('Build') { 9 | echo 'Building....' 10 | withCredentials([ usernamePassword(credentialsId: 'crowdcodeNexus', usernameVariable: 'CROWDCODE_NEXUS_USER', passwordVariable: 'CROWDCODE_NEXUS_PASSWORD' )]) { 11 | sh """ 12 | cd lbds 13 | sudo buildah bud --pull-always --no-cache --build-arg LBDS_JAR_FILE_VERSION=${LBDS_JAR_FILE_VERSION} --build-arg CROWDCODE_NEXUS_USER=${CROWDCODE_NEXUS_USER} --build-arg CROWDCODE_NEXUS_PASSWORD="${CROWDCODE_NEXUS_PASSWORD}" -t hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} . 14 | """ 15 | } 16 | } 17 | 18 | 19 | stage('Deploy') { 20 | echo 'Deploying....' 21 | withCredentials([ usernamePassword(credentialsId: 'registry.netzlink.com', usernameVariable: 'MY_SECRET_USER_NLI', passwordVariable: 'MY_SECRET_USER_PASSWORD_NLI' )]) { 22 | sh """ 23 | echo "${MY_SECRET_USER_NLI}" 24 | echo "'${MY_SECRET_USER_NLI}'" 25 | 26 | sudo buildah login -u '$MY_SECRET_USER_NLI' -p '$MY_SECRET_USER_PASSWORD_NLI' registry.netzlink.com 27 | sudo buildah push -f v2s2 hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} registry.netzlink.com/hzibraunschweig/lbds:${LBDS_JAR_FILE_VERSION} 28 | echo 'Finished' 29 | """ 30 | } 31 | } 32 | } -------------------------------------------------------------------------------- /lbds/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec java ${JAVA_OPTS} -Djava.security.egd=file:/dev/./urandom -jar "./service-application.jar" "$@" 3 | -------------------------------------------------------------------------------- /letsencrypt/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM lsiobase/nginx:3.11 2 | 3 | # set version label 4 | 5 | ARG CERTBOT_VERSION=1.3.0 6 | ARG SORMAS_URL=https://github.com/sormas-foundation/SORMAS-Project/releases/download/ 7 | 8 | ARG SORMAS_VERSION=1.82.0 9 | 10 | 11 | ENV 
SORMAS_VERSION=$SORMAS_VERSION 12 | LABEL maintainer="aptalca" 13 | 14 | # environment settings 15 | ENV DHLEVEL=2048 ONLY_SUBDOMAINS=false AWS_CONFIG_FILE=/config/dns-conf/route53.ini 16 | ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 17 | 18 | RUN \ 19 | echo "**** install build packages ****" && \ 20 | apk add --no-cache --virtual=build-dependencies \ 21 | g++ \ 22 | gcc \ 23 | libffi-dev \ 24 | openssl-dev \ 25 | python3-dev && \ 26 | echo "**** install runtime packages ****" && \ 27 | apk add --no-cache --upgrade \ 28 | curl \ 29 | fail2ban \ 30 | gnupg \ 31 | memcached \ 32 | nginx \ 33 | nginx-mod-http-echo \ 34 | nginx-mod-http-fancyindex \ 35 | nginx-mod-http-geoip2 \ 36 | nginx-mod-http-headers-more \ 37 | nginx-mod-http-image-filter \ 38 | nginx-mod-http-lua \ 39 | nginx-mod-http-lua-upstream \ 40 | nginx-mod-http-nchan \ 41 | nginx-mod-http-perl \ 42 | nginx-mod-http-redis2 \ 43 | nginx-mod-http-set-misc \ 44 | nginx-mod-http-upload-progress \ 45 | nginx-mod-http-xslt-filter \ 46 | nginx-mod-mail \ 47 | nginx-mod-rtmp \ 48 | nginx-mod-stream \ 49 | nginx-mod-stream-geoip2 \ 50 | nginx-vim \ 51 | php7-bcmath \ 52 | php7-bz2 \ 53 | php7-ctype \ 54 | php7-curl \ 55 | php7-dom \ 56 | php7-exif \ 57 | php7-ftp \ 58 | php7-gd \ 59 | php7-iconv \ 60 | php7-imap \ 61 | php7-intl \ 62 | php7-ldap \ 63 | php7-mcrypt \ 64 | php7-memcached \ 65 | php7-mysqli \ 66 | php7-mysqlnd \ 67 | php7-opcache \ 68 | php7-pdo_mysql \ 69 | php7-pdo_odbc \ 70 | php7-pdo_pgsql \ 71 | php7-pdo_sqlite \ 72 | php7-pear \ 73 | php7-pecl-apcu \ 74 | php7-pecl-imagick \ 75 | php7-pecl-redis \ 76 | php7-pgsql \ 77 | php7-phar \ 78 | php7-posix \ 79 | php7-soap \ 80 | php7-sockets \ 81 | php7-sodium \ 82 | php7-sqlite3 \ 83 | php7-tokenizer \ 84 | php7-xml \ 85 | php7-xmlreader \ 86 | php7-xmlrpc \ 87 | php7-zip \ 88 | py3-cryptography \ 89 | py3-future \ 90 | py3-pip && \ 91 | echo "**** install certbot plugins ****" && \ 92 | if [ -z ${CERTBOT_VERSION+x} ]; then \ 93 | CERTBOT="certbot"; \ 94 | 
else \ 95 | CERTBOT="certbot==${CERTBOT_VERSION}"; \ 96 | fi && \ 97 | python3 -m pip install -U pip && \ 98 | pip3 install -U \ 99 | pip && \ 100 | pip3 install -U \ 101 | ${CERTBOT} \ 102 | certbot-dns-aliyun \ 103 | certbot-dns-cloudflare \ 104 | certbot-dns-cloudxns \ 105 | certbot-dns-cpanel \ 106 | certbot-dns-digitalocean \ 107 | certbot-dns-dnsimple \ 108 | certbot-dns-dnsmadeeasy \ 109 | certbot-dns-domeneshop \ 110 | certbot-dns-google \ 111 | certbot-dns-inwx \ 112 | certbot-dns-linode \ 113 | certbot-dns-luadns \ 114 | certbot-dns-nsone \ 115 | certbot-dns-ovh \ 116 | certbot-dns-rfc2136 \ 117 | certbot-dns-route53 \ 118 | certbot-dns-transip \ 119 | certbot-plugin-gandi \ 120 | cryptography \ 121 | requests && \ 122 | echo "**** remove unnecessary fail2ban filters ****" && \ 123 | rm \ 124 | /etc/fail2ban/jail.d/alpine-ssh.conf && \ 125 | echo "**** copy fail2ban default action and filter to /default ****" && \ 126 | mkdir -p /defaults/fail2ban && mkdir -p /defaults/proxy-confs && \ 127 | mv /etc/fail2ban/action.d /defaults/fail2ban/ && \ 128 | mv /etc/fail2ban/filter.d /defaults/fail2ban/ && \ 129 | echo "**** configure nginx ****" && \ 130 | rm -f /etc/nginx/conf.d/default.conf && \ 131 | echo "**** download sormas apk ****" && \ 132 | mkdir -p /defaults/www/sormas/downloads && \ 133 | DEPLOY_PATH=$(mktemp -d) && \ 134 | cd ${DEPLOY_PATH} && \ 135 | wget ${SORMAS_URL}v${SORMAS_VERSION}/sormas_${SORMAS_VERSION}.zip -O sormas.zip && \ 136 | unzip sormas.zip deploy/android/* && \ 137 | mv deploy/android/* /defaults/www/sormas/downloads/ && \ 138 | cd - && \ 139 | rm -rf ${DEPLOY_PATH} && \ 140 | echo "**** cleanup ****" && \ 141 | apk del --purge \ 142 | build-dependencies && \ 143 | for cleanfiles in *.pyc *.pyo; \ 144 | do \ 145 | find /usr/lib/python3.* -iname "${cleanfiles}" -exec rm -f '{}' + \ 146 | ; done && \ 147 | rm -rf \ 148 | /tmp/* \ 149 | /root/.cache 150 | 151 | # add local files 152 | COPY root/ / 153 | 
-------------------------------------------------------------------------------- /letsencrypt/certs/sormas-docker-test.com/fullchain.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDxTCCAq2gAwIBAgIJAJEkYdo7iIACMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV 3 | BAYTAkRFMRUwEwYDVQQIDAxMb3dlciBTYXhvbnkxEjAQBgNVBAcMCUJydW5zd2lj 4 | azERMA8GA1UECgwITmV0emxpbmsxCzAJBgNVBAsMAklUMR8wHQYDVQQDDBZzb3Jt 5 | YXMtZG9ja2VyLXRlc3QuY29tMB4XDTIwMDIyNjEzMzgwMloXDTIxMDIyNTEzMzgw 6 | MloweTELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTESMBAGA1UE 7 | BwwJQnJ1bnN3aWNrMREwDwYDVQQKDAhOZXR6bGluazELMAkGA1UECwwCSVQxHzAd 8 | BgNVBAMMFnNvcm1hcy1kb2NrZXItdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUA 9 | A4IBDwAwggEKAoIBAQC3PWt7ir3iHU/OA8d4tMzNpYJkyZ1qMfS6Bdclp6WbtD2/ 10 | iUh4QR7d99bMLJgw3oBb/5DspoD6FKqntxUsocLg9RmwfmyuLTHYVgYsitehWpcY 11 | cDHYm0wZnxNH1MEFhaO9uZoW00FbNlDc3LhEYcoO055yxaO6cqcWJwcaC4cLexUc 12 | /xYLbuhP5mVmg/lamGukf+hEwmy6Cdy8JBZfv7ty/wPPEfyR4TvWo6SLmAp19dQy 13 | 7sK2E1JHwlb5zX/8Z/CZ0FyBGXoHghnuUdLRUQGJFUThkujwXDWcrk9wDzxg0Jaj 14 | vmZeA4Caqg0giO/GQZcwtfrgQxGdqxWdZkHdGiLRAgMBAAGjUDBOMB0GA1UdDgQW 15 | BBS1Jz40ffjNkL0rBUmOjBFlbfR+QjAfBgNVHSMEGDAWgBS1Jz40ffjNkL0rBUmO 16 | jBFlbfR+QjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBVlcRN/OkW 17 | YXkHJ7y6Cc1zufqEcIo1QOLlBShBqyal157yTpuZ1wb59S81D4VLWcNXeI/A+1K7 18 | YNfnprm5FgTx05fmj/Sfb27+lxuPzC23feZQ2dqg2BzkVYrSgkDxQelw97k6lUKO 19 | DVUaqqvT5NMXg4eMVYSr7refTPrhKtgzE2Ip9GsNHxVfjYb8njy+dCooDHZ8295D 20 | +HWeCYf6t9oY1R9QrrK3kcADW4D3ZelfM7Jw9VBJsZ6WcERg3tD3918HafLMnCy1 21 | eDGCICmVh+LSKYrDaTlVfzDflkOxJq/XD4/1wReC7LU99CaZEVY69am42A/O5ZBP 22 | SOYGzn8mgKDa 23 | -----END CERTIFICATE----- -------------------------------------------------------------------------------- /letsencrypt/certs/sormas-docker-test.com/privkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | 
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC3PWt7ir3iHU/O 3 | A8d4tMzNpYJkyZ1qMfS6Bdclp6WbtD2/iUh4QR7d99bMLJgw3oBb/5DspoD6FKqn 4 | txUsocLg9RmwfmyuLTHYVgYsitehWpcYcDHYm0wZnxNH1MEFhaO9uZoW00FbNlDc 5 | 3LhEYcoO055yxaO6cqcWJwcaC4cLexUc/xYLbuhP5mVmg/lamGukf+hEwmy6Cdy8 6 | JBZfv7ty/wPPEfyR4TvWo6SLmAp19dQy7sK2E1JHwlb5zX/8Z/CZ0FyBGXoHghnu 7 | UdLRUQGJFUThkujwXDWcrk9wDzxg0JajvmZeA4Caqg0giO/GQZcwtfrgQxGdqxWd 8 | ZkHdGiLRAgMBAAECggEADXRJDA0n3A5i6bGFV+uOjhr09AmJsV5xpacAIReqJUCa 9 | uBGQbKP7bDjiYKN1mUD9E8Q0E+w11CboUOA0gc5uzK2ycS8XM8LFwiiu015ubr6E 10 | EZtLTag5cjgn5kJM2ebyGuAh3EMurU/TqCPcs8iqWWRYYfz5BJuegRXkg5kNFV6Y 11 | YpgZ9DwM0H30z66qxkRptlKcLniM9kurRSNTcwSKQCRBRA5Kgd+4KuR1m8tuNQnB 12 | L30iRcZk2facBdY9KSBruh6DbYnocc367d0BQkoruuhppQfPKlWdZUtqpqKEdwSh 13 | oDX76+Hj/2nXxi2y9TOp1royUiScxrgDE/u07H5GsQKBgQDco/6E9q7wvyKpd3jX 14 | sKow7330nI2hUKxfWoqUT0HjVVfuPibCaLRwIAcUttIgACe1t18IVZh+IE+eiPR/ 15 | PDGJMVyCQdR+JtjNbQvk7M/pdJRZqO+/5kRV+aPtMHcsi5lEHZsjjiA0CIPTy76f 16 | bolGmWlGkGnMYUdBRxiv4aau/wKBgQDUmwZIf3gye4zDFPMqw7kHs7azHukRRZS8 17 | HV13gzErEnQmXGFoivH0OCyaCDc7gzay86u5XvRpTw7PnMb32NA2wRJOpY5Lewat 18 | +e9dppwDKw2NFhYQBxKRYk5FMsOFbil0vXyhaMuvPcg1f+kcDVAX29HcueFqFgs1 19 | X/GXgSH+LwKBgA0YptjZk5Syo6oPb1rOH6v76ywDxtxWX4ThaOxYr/6AaFG52q8b 20 | a+pj3Ee8ekhv+ettUPS7r+t8m307f9e1iPMtvOH2alh6kc/Psy8JZ2XiB5Qy1Ng9 21 | IL1Brhs8DzbTqmtCnpzDqOGtx7VgmJX6B6frHzaTB9SbyZD0WWDHMg+dAoGAeARb 22 | c6mhrL3aJHY7HzUFyrdEt7EHWNyyrc7V6JWCuBHex5j21BE7rOXZJ8rjgxD7W+H6 23 | Wtajmp8qeUDDgT4/q+kp8IO85Bc7GhMxcOiQwakYKUECi2GytaeND7ssbLJXbLNb 24 | G7MQ6Igz8R+X9GH/iLhqq/OysDRpd2QF+cTH77kCgYBBQvcB0ClTP16V1gnYLbGy 25 | oEk4T8YBXERbpnCoEfImWVK56dKzwGQ3wQm4++u3I6niYBbW1Hcw2BzkHNWqBReK 26 | Qi0Y4fhzjqWsBSqEZPD9K1bzqOVYuoBzDnlwgZonSx9VG+LPVqOx9BPy/0q+H68w 27 | IM8ZhZYBmEKNi3Nm9FNObQ== 28 | -----END PRIVATE KEY----- -------------------------------------------------------------------------------- /letsencrypt/package_versions.txt: -------------------------------------------------------------------------------- 1 | 
alpine-baselayout-3.2.0-r3 2 | alpine-keys-2.1-r2 3 | apache2-utils-2.4.41-r0 4 | apk-tools-2.10.5-r0 5 | apr-1.7.0-r0 6 | apr-util-1.6.1-r6 7 | argon2-libs-20190702-r1 8 | bash-5.0.11-r1 9 | busybox-1.31.1-r9 10 | c-client-2007f-r11 11 | ca-certificates-20191127-r1 12 | ca-certificates-cacert-20191127-r1 13 | coreutils-8.31-r0 14 | curl-7.67.0-r0 15 | db-5.3.28-r1 16 | expat-2.2.9-r1 17 | fail2ban-0.10.4-r2 18 | fontconfig-2.13.1-r2 19 | freetype-2.10.1-r0 20 | gdbm-1.13-r1 21 | git-2.24.1-r0 22 | git-perl-2.24.1-r0 23 | glib-2.62.6-r0 24 | gmp-6.1.2-r1 25 | gnupg-2.2.19-r0 26 | gnutls-3.6.10-r1 27 | icu-libs-64.2-r1 28 | imagemagick-libs-7.0.9.7-r0 29 | ip6tables-1.8.3-r2 30 | iptables-1.8.3-r2 31 | lcms2-2.9-r1 32 | libacl-2.2.53-r0 33 | libassuan-2.5.3-r0 34 | libattr-2.4.48-r0 35 | libblkid-2.34-r1 36 | libbsd-0.10.0-r0 37 | libbz2-1.0.8-r1 38 | libc-utils-0.7.2-r0 39 | libcap-2.27-r0 40 | libcrypto1.1-1.1.1d-r3 41 | libcurl-7.67.0-r0 42 | libedit-20191211.3.1-r0 43 | libevent-2.1.11-r0 44 | libffi-3.2.1-r6 45 | libgcc-9.2.0-r4 46 | libgcrypt-1.8.5-r0 47 | libgd-2.2.5-r2 48 | libgpg-error-1.36-r2 49 | libice-1.0.10-r0 50 | libintl-0.20.1-r2 51 | libjpeg-turbo-2.0.4-r0 52 | libksba-1.3.5-r0 53 | libldap-2.4.48-r1 54 | libltdl-2.4.6-r7 55 | libmagic-5.37-r1 56 | libmaxminddb-1.4.2-r0 57 | libmcrypt-2.5.8-r7 58 | libmemcached-libs-1.0.18-r4 59 | libmnl-1.0.4-r0 60 | libmount-2.34-r1 61 | libnftnl-libs-1.1.5-r0 62 | libpng-1.6.37-r1 63 | libpq-12.2-r0 64 | libressl3.0-libcrypto-3.0.2-r0 65 | libressl3.0-libssl-3.0.2-r0 66 | libsasl-2.1.27-r5 67 | libseccomp-2.4.2-r2 68 | libsecret-0.19.1-r0 69 | libsm-1.2.3-r0 70 | libsodium-1.0.18-r0 71 | libssl1.1-1.1.1d-r3 72 | libstdc++-9.2.0-r4 73 | libtasn1-4.15.0-r0 74 | libtls-standalone-2.9.1-r0 75 | libunistring-0.9.10-r0 76 | libuuid-2.34-r1 77 | libwebp-1.0.3-r0 78 | libx11-1.6.9-r0 79 | libxau-1.0.9-r0 80 | libxcb-1.13.1-r0 81 | libxdmcp-1.1.3-r0 82 | libxext-1.3.4-r0 83 | libxml2-2.9.10-r2 84 | libxpm-3.5.13-r0 85 | 
libxslt-1.1.34-r0 86 | libxt-1.2.0-r0 87 | libzip-1.5.2-r0 88 | linux-pam-1.3.1-r1 89 | logrotate-3.15.1-r0 90 | luajit-2.1.0_beta3-r6 91 | memcached-1.5.20-r0 92 | musl-1.1.24-r2 93 | musl-utils-1.1.24-r2 94 | nano-4.6-r0 95 | ncurses-libs-6.1_p20200118-r2 96 | ncurses-terminfo-base-6.1_p20200118-r2 97 | nettle-3.5.1-r0 98 | nghttp2-libs-1.40.0-r0 99 | nginx-1.16.1-r6 100 | nginx-mod-devel-kit-1.16.1-r6 101 | nginx-mod-http-echo-1.16.1-r6 102 | nginx-mod-http-fancyindex-1.16.1-r6 103 | nginx-mod-http-geoip2-1.16.1-r6 104 | nginx-mod-http-headers-more-1.16.1-r6 105 | nginx-mod-http-image-filter-1.16.1-r6 106 | nginx-mod-http-lua-1.16.1-r6 107 | nginx-mod-http-lua-upstream-1.16.1-r6 108 | nginx-mod-http-nchan-1.16.1-r6 109 | nginx-mod-http-perl-1.16.1-r6 110 | nginx-mod-http-redis2-1.16.1-r6 111 | nginx-mod-http-set-misc-1.16.1-r6 112 | nginx-mod-http-upload-progress-1.16.1-r6 113 | nginx-mod-http-xslt-filter-1.16.1-r6 114 | nginx-mod-mail-1.16.1-r6 115 | nginx-mod-rtmp-1.16.1-r6 116 | nginx-mod-stream-1.16.1-r6 117 | nginx-mod-stream-geoip2-1.16.1-r6 118 | nginx-vim-1.16.1-r6 119 | npth-1.6-r0 120 | openssl-1.1.1d-r3 121 | p11-kit-0.23.18.1-r0 122 | pcre-8.43-r0 123 | pcre2-10.34-r1 124 | perl-5.30.1-r0 125 | perl-error-0.17028-r0 126 | perl-git-2.24.1-r0 127 | php7-7.3.16-r0 128 | php7-bcmath-7.3.16-r0 129 | php7-bz2-7.3.16-r0 130 | php7-common-7.3.16-r0 131 | php7-ctype-7.3.16-r0 132 | php7-curl-7.3.16-r0 133 | php7-dom-7.3.16-r0 134 | php7-exif-7.3.16-r0 135 | php7-fileinfo-7.3.16-r0 136 | php7-fpm-7.3.16-r0 137 | php7-ftp-7.3.16-r0 138 | php7-gd-7.3.16-r0 139 | php7-iconv-7.3.16-r0 140 | php7-imap-7.3.16-r0 141 | php7-intl-7.3.16-r0 142 | php7-json-7.3.16-r0 143 | php7-ldap-7.3.16-r0 144 | php7-mbstring-7.3.16-r0 145 | php7-mysqli-7.3.16-r0 146 | php7-mysqlnd-7.3.16-r0 147 | php7-opcache-7.3.16-r0 148 | php7-openssl-7.3.16-r0 149 | php7-pdo-7.3.16-r0 150 | php7-pdo_mysql-7.3.16-r0 151 | php7-pdo_odbc-7.3.16-r0 152 | php7-pdo_pgsql-7.3.16-r0 153 | 
php7-pdo_sqlite-7.3.16-r0 154 | php7-pear-7.3.16-r0 155 | php7-pecl-apcu-5.1.18-r0 156 | php7-pecl-igbinary-3.0.1-r1 157 | php7-pecl-imagick-3.4.4-r2 158 | php7-pecl-mcrypt-1.0.3-r0 159 | php7-pecl-memcached-3.1.5-r0 160 | php7-pecl-redis-5.1.1-r0 161 | php7-pgsql-7.3.16-r0 162 | php7-phar-7.3.16-r0 163 | php7-posix-7.3.16-r0 164 | php7-session-7.3.16-r0 165 | php7-simplexml-7.3.16-r0 166 | php7-soap-7.3.16-r0 167 | php7-sockets-7.3.16-r0 168 | php7-sodium-7.3.16-r0 169 | php7-sqlite3-7.3.16-r0 170 | php7-tokenizer-7.3.16-r0 171 | php7-xml-7.3.16-r0 172 | php7-xmlreader-7.3.16-r0 173 | php7-xmlrpc-7.3.16-r0 174 | php7-xmlwriter-7.3.16-r0 175 | php7-zip-7.3.16-r0 176 | pinentry-1.1.0-r2 177 | popt-1.16-r7 178 | py3-asn1crypto-1.2.0-r1 179 | py3-cffi-1.13.2-r0 180 | py3-cparser-2.19-r4 181 | py3-cryptography-2.8-r1 182 | py3-future-0.18.2-r0 183 | py3-idna-2.8-r3 184 | py3-six-1.13.0-r0 185 | python3-3.8.2-r0 186 | readline-8.0.1-r0 187 | scanelf-1.2.4-r0 188 | shadow-4.7-r1 189 | sqlite-libs-3.30.1-r1 190 | ssl_client-1.31.1-r9 191 | tzdata-2019c-r0 192 | unixodbc-2.3.7-r2 193 | xz-5.2.4-r0 194 | xz-libs-5.2.4-r0 195 | zlib-1.2.11-r3 196 | -------------------------------------------------------------------------------- /letsencrypt/root/app/duckdns-txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . 
/config/donoteditthisfile.conf 4 | 5 | curl https://www.duckdns.org/update?domains=${CERTBOT_DOMAIN}\&token=${ORIGDUCKDNSTOKEN}\&txt=${CERTBOT_VALIDATION} 6 | 7 | echo "sleeping 60" 8 | sleep 60 9 | -------------------------------------------------------------------------------- /letsencrypt/root/app/le-renew.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | echo "<------------------------------------------------->" 4 | echo 5 | echo "<------------------------------------------------->" 6 | echo "cronjob running on "$(date) 7 | if [ "${DISABLE_CERTBOT}" = true ];then 8 | echo "Certbot disabled" 9 | exit 0 10 | fi 11 | 12 | . /config/donoteditthisfile.conf 13 | 14 | 15 | echo "Running certbot renew" 16 | if [ "$ORIGVALIDATION" = "dns" ] || [ "$ORIGVALIDATION" = "duckdns" ]; then 17 | echo "Running dns validation" 18 | certbot -n renew \ 19 | --post-hook "if ps aux | grep [n]ginx: > /dev/null; then s6-svc -h /var/run/s6/services/nginx; fi; \ 20 | cd /config/keys/letsencrypt && \ 21 | openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && \ 22 | sleep 1 && \ 23 | cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem" 24 | else 25 | echo "Running http validation" 26 | certbot -n renew \ 27 | --pre-hook "if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi" \ 28 | --post-hook "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; \ 29 | cd /config/keys/letsencrypt && \ 30 | openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && \ 31 | sleep 1 && \ 32 | cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem" 33 | fi -------------------------------------------------------------------------------- /letsencrypt/root/defaults/default: 
-------------------------------------------------------------------------------- 1 | ## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default 2 | 3 | # redirect all traffic to https 4 | server { 5 | listen 80 default_server; 6 | listen [::]:80 default_server; 7 | server_name _; 8 | return 301 https://$host$request_uri; 9 | } 10 | 11 | # main server block 12 | server { 13 | listen 443 ssl http2 default_server; 14 | listen [::]:443 ssl http2 default_server; 15 | 16 | root /config/www; 17 | index index.html index.htm index.php; 18 | 19 | server_name _; 20 | 21 | # enable subfolder method reverse proxy confs 22 | include /config/nginx/proxy-confs/*.subfolder.conf; 23 | 24 | # all ssl related config moved to ssl.conf 25 | include /config/nginx/ssl.conf; 26 | 27 | # enable for ldap auth 28 | #include /config/nginx/ldap.conf; 29 | 30 | client_max_body_size 0; 31 | 32 | location / { 33 | try_files $uri $uri/ /index.html /index.php?$args =404; 34 | } 35 | 36 | location ~ \.php$ { 37 | fastcgi_split_path_info ^(.+\.php)(/.+)$; 38 | fastcgi_pass 127.0.0.1:9000; 39 | fastcgi_index index.php; 40 | include /etc/nginx/fastcgi_params; 41 | } 42 | 43 | # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp" 44 | # notice this is within the same server block as the base 45 | # don't forget to generate the .htpasswd file as described on docker hub 46 | # location ^~ /cp { 47 | # auth_basic "Restricted"; 48 | # auth_basic_user_file /config/nginx/.htpasswd; 49 | # include /config/nginx/proxy.conf; 50 | # proxy_pass http://192.168.1.50:5050/cp; 51 | # } 52 | 53 | } 54 | 55 | # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above 56 | # notice this is a new server block, you need a new server block for each subdomain 57 | #server { 58 | # listen 443 ssl http2; 59 | # listen [::]:443 ssl http2; 60 | # 61 | # root 
/config/www; 62 | # index index.html index.htm index.php; 63 | # 64 | # server_name cp.*; 65 | # 66 | # include /config/nginx/ssl.conf; 67 | # 68 | # client_max_body_size 0; 69 | # 70 | # location / { 71 | # auth_basic "Restricted"; 72 | # auth_basic_user_file /config/nginx/.htpasswd; 73 | # include /config/nginx/proxy.conf; 74 | # proxy_pass http://192.168.1.50:5050; 75 | # } 76 | #} 77 | 78 | # sample reverse proxy config for "heimdall" via subdomain, with ldap authentication 79 | # ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info 80 | # notice this is a new server block, you need a new server block for each subdomain 81 | #server { 82 | # listen 443 ssl http2; 83 | # listen [::]:443 ssl http2; 84 | # 85 | # root /config/www; 86 | # index index.html index.htm index.php; 87 | # 88 | # server_name heimdall.*; 89 | # 90 | # include /config/nginx/ssl.conf; 91 | # 92 | # include /config/nginx/ldap.conf; 93 | # 94 | # client_max_body_size 0; 95 | # 96 | # location / { 97 | # # the next two lines will enable ldap auth along with the included ldap.conf in the server block 98 | # auth_request /auth; 99 | # error_page 401 =200 /login; 100 | # 101 | # include /config/nginx/proxy.conf; 102 | # resolver 127.0.0.11 valid=30s; 103 | # set $upstream_app heimdall; 104 | # set $upstream_port 443; 105 | # set $upstream_proto https; 106 | # proxy_pass $upstream_proto://$upstream_app:$upstream_port; 107 | # } 108 | #} 109 | 110 | # enable vhost config 111 | include /config/nginx/proxy-confs/vhost.conf; 112 | # enable proxy cache for auth 113 | proxy_cache_path cache/ keys_zone=auth_cache:10m; 114 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/aliyun.ini: -------------------------------------------------------------------------------- 1 | # Obtain Aliyun RAM AccessKey 2 | # https://ram.console.aliyun.com/ 3 | # And ensure your RAM account has 
AliyunDNSFullAccess permission. 4 | 5 | certbot_dns_aliyun:dns_aliyun_access_key = 12345678 6 | certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef 7 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/cloudflare.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20 2 | # Replace with your values 3 | dns_cloudflare_email = cloudflare@example.com 4 | dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567 5 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/cloudxns.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudxns/certbot_dns_cloudxns/__init__.py#L20 2 | # Replace with your values 3 | dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef 4 | dns_cloudxns_secret_key = 1122334455667788 5 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/cpanel.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/badjware/certbot-dns-cpanel#credentials 2 | # Replace with your values 3 | # include the scheme and the port number (usually 2083 for https) 4 | certbot_dns_cpanel:cpanel_url = https://cpanel.example.com:2083 5 | certbot_dns_cpanel:cpanel_username = username 6 | certbot_dns_cpanel:cpanel_password = 1234567890abcdef -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/digitalocean.ini: -------------------------------------------------------------------------------- 1 | # Instructions: 
https://github.com/certbot/certbot/blob/master/certbot-dns-digitalocean/certbot_dns_digitalocean/__init__.py#L21 2 | # Replace with your value 3 | dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff 4 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/dnsimple.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-dnsimple/certbot_dns_dnsimple/__init__.py#L20 2 | # Replace with your value 3 | dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw 4 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/dnsmadeeasy.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-dnsmadeeasy/certbot_dns_dnsmadeeasy/__init__.py#L20 2 | # Replace with your values 3 | dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a 4 | dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55 5 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/domeneshop.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/domeneshop/certbot-dns-domeneshop#credentials 2 | # Replace with your values 3 | certbot_dns_domeneshop:dns_domeneshop_client_token=1234567890abcdef 4 | certbot_dns_domeneshop:dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/gandi.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/obynio/certbot-plugin-gandi#usage 2 | # 
Replace with your value 3 | certbot_plugin_gandi:dns_api_key=APIKEY 4 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/google.json: -------------------------------------------------------------------------------- 1 | { 2 | "instructions": "https://github.com/certbot/certbot/blob/master/certbot-dns-google/certbot_dns_google/__init__.py", 3 | "_comment": "Replace with your values", 4 | "type": "service_account", 5 | "rest": "..." 6 | } -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/inwx.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/oGGy990/certbot-dns-inwx 2 | # Replace with your values 3 | certbot_dns_inwx:dns_inwx_url = https://api.domrobot.com/xmlrpc/ 4 | certbot_dns_inwx:dns_inwx_username = your_username 5 | certbot_dns_inwx:dns_inwx_password = your_password 6 | certbot_dns_inwx:dns_inwx_shared_secret = your_shared_secret optional 7 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/linode.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-linode/certbot_dns_linode/__init__.py#L25 2 | # Replace with your values 3 | dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64 4 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/luadns.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-luadns/certbot_dns_luadns/__init__.py#L20 2 | # Replace with your values 3 | dns_luadns_email = user@example.com 4 | dns_luadns_token = 0123456789abcdef0123456789abcdef 5 | 
-------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/nsone.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-nsone/certbot_dns_nsone/__init__.py#L20 2 | # Replace with your value 3 | dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw 4 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/ovh.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-ovh/certbot_dns_ovh/__init__.py#L20 2 | # Replace with your values 3 | dns_ovh_endpoint = ovh-eu 4 | dns_ovh_application_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw 5 | dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw 6 | dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw 7 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/rfc2136.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py#L20 2 | # Replace with your values 3 | # Target DNS server 4 | dns_rfc2136_server = 192.0.2.1 5 | # TSIG key name 6 | dns_rfc2136_name = keyname. 
7 | # TSIG key secret 8 | dns_rfc2136_secret = 4q4wM/2I180UXoMyN4INVhJNi8V9BCV+jMw2mXgZw/CSuxUT8C7NKKFs \ 9 | AmKd7ak51vWKgSl12ib86oQRPkpDjg== 10 | # TSIG key algorithm 11 | dns_rfc2136_algorithm = HMAC-SHA512 12 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/route53.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-route53/certbot_dns_route53/__init__.py#L18 2 | # Replace with your values 3 | [default] 4 | aws_access_key_id=AKIAIOSFODNN7EXAMPLE 5 | aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 6 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/dns-conf/transip.ini: -------------------------------------------------------------------------------- 1 | # Instructions: https://readthedocs.org/projects/certbot-dns-transip/ 2 | # Convert the key to an RSA key (openssl rsa -in transip.key -out transip-rsa.key) 3 | # Place .key-file in the same directory as this file. Location "/config/dns-conf" is from within the container 4 | 5 | certbot_dns_transip:dns_transip_username = 6 | certbot_dns_transip:dns_transip_key_file = /config/dns-conf/transip-rsa.key -------------------------------------------------------------------------------- /letsencrypt/root/defaults/fail2ban/fail2ban.local: -------------------------------------------------------------------------------- 1 | [Definition] 2 | 3 | logtarget = /config/log/fail2ban/fail2ban.log 4 | dbfile = /config/fail2ban/fail2ban.sqlite3 5 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/fail2ban/filter.d/nginx-badbots.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Regexp to catch known spambots and software alike. 
Please verify 4 | # that it is your intent to block IPs which were driven by 5 | # above mentioned bots. 6 | 7 | 8 | [Definition] 9 | 10 | badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider 11 | badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, 
\+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 12 | 13 | failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ 14 | 15 | ignoreregex = 16 | 17 | # DEV Notes: 18 | # List of bad bots fetched from http://www.user-agents.org 19 | # Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. 20 | # 21 | # Author: Yaroslav Halchenko 22 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/jail.local: -------------------------------------------------------------------------------- 1 | # This is the custom version of the jail.conf for fail2ban 2 | # Feel free to modify this and add additional filters 3 | # Then you can drop the new filter conf files into the fail2ban-filters 4 | # folder and restart the container 5 | 6 | [DEFAULT] 7 | 8 | # "bantime" is the number of seconds that a host is banned. 9 | bantime = 600 10 | 11 | # A host is banned if it has generated "maxretry" during the last "findtime" 12 | # seconds. 13 | findtime = 600 14 | 15 | # "maxretry" is the number of failures before a host get banned. 
16 | maxretry = 5 17 | 18 | 19 | [ssh] 20 | 21 | enabled = false 22 | 23 | 24 | [nginx-http-auth] 25 | 26 | enabled = true 27 | filter = nginx-http-auth 28 | port = http,https 29 | logpath = /config/log/nginx/error.log 30 | 31 | 32 | [nginx-badbots] 33 | 34 | enabled = true 35 | port = http,https 36 | filter = nginx-badbots 37 | logpath = /config/log/nginx/access.log 38 | maxretry = 2 39 | 40 | 41 | [nginx-botsearch] 42 | 43 | enabled = true 44 | port = http,https 45 | filter = nginx-botsearch 46 | logpath = /config/log/nginx/access.log 47 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/ldap.conf: -------------------------------------------------------------------------------- 1 | ## Version 2020/03/13 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ldap.conf 2 | ## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth 3 | ## see the heimdall example in the default site config for info on enabling ldap auth 4 | ## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth 5 | 6 | location /login { 7 | resolver 127.0.0.11 valid=30s; 8 | set $upstream_auth_app ldap-auth; 9 | set $upstream_auth_port 9000; 10 | set $upstream_auth_proto http; 11 | proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port; 12 | proxy_set_header X-Target $request_uri; 13 | } 14 | 15 | location = /auth { 16 | resolver 127.0.0.11 valid=30s; 17 | set $upstream_auth_app ldap-auth; 18 | set $upstream_auth_port 8888; 19 | set $upstream_auth_proto http; 20 | proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port; 21 | 22 | proxy_pass_request_body off; 23 | proxy_set_header Content-Length ""; 24 | 25 | #Before enabling the caching options below, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom of your default site config 26 |
#proxy_cache auth_cache; 27 | #proxy_cache_valid 200 10m; 28 | #proxy_cache_key "$http_authorization$cookie_nginxauth"; 29 | 30 | # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon 31 | # communicates with a LDAP server, passing in the following 32 | # parameters to specify which user account to authenticate. To 33 | # eliminate the need to modify the Python code, this file contains 34 | # 'proxy_set_header' directives that set the values of the 35 | # parameters. Set or change them as instructed in the comments. 36 | # 37 | # Parameter Proxy header 38 | # ----------- ---------------- 39 | # url X-Ldap-URL 40 | # starttls X-Ldap-Starttls 41 | # basedn X-Ldap-BaseDN 42 | # binddn X-Ldap-BindDN 43 | # bindpasswd X-Ldap-BindPass 44 | # cookiename X-CookieName 45 | # realm X-Ldap-Realm 46 | # template X-Ldap-Template 47 | 48 | # (Required) Set the URL and port for connecting to the LDAP server, 49 | # by replacing 'example.com'. 50 | # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work. 51 | proxy_set_header X-Ldap-URL "ldap://example.com"; 52 | 53 | # (Optional) Establish a TLS-enabled LDAP session after binding to the 54 | # LDAP server. 55 | # This is the 'proper' way to establish encrypted TLS connections, see 56 | # http://www.openldap.org/faq/data/cache/185.html 57 | #proxy_set_header X-Ldap-Starttls "true"; 58 | 59 | # (Required) Set the Base DN, by replacing the value enclosed in 60 | # double quotes. 61 | proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local"; 62 | 63 | # (Required) Set the Bind DN, by replacing the value enclosed in 64 | # double quotes. 65 | proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local"; 66 | 67 | # (Required) Set the Bind password, by replacing 'secret'. 68 | proxy_set_header X-Ldap-BindPass "secret"; 69 | 70 | # (Required) The following directives set the cookie name and pass 71 | # it, respectively. They are required for cookie-based 72 | # authentication. 
Comment them out if using HTTP basic 73 | # authentication. 74 | proxy_set_header X-CookieName "nginxauth"; 75 | proxy_set_header Cookie nginxauth=$cookie_nginxauth; 76 | 77 | # (Required if using Microsoft Active Directory as the LDAP server) 78 | # Set the LDAP template by uncommenting the following directive. 79 | #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)"; 80 | 81 | # (Optional if using OpenLDAP as the LDAP server) Set the LDAP 82 | # template by uncommenting the following directive and replacing 83 | # '(cn=%(username)s)' which is the default set in 84 | # nginx-ldap-auth-daemon.py. 85 | #proxy_set_header X-Ldap-Template "(cn=%(username)s)"; 86 | 87 | # (Optional) Set the realm name, by uncommenting the following 88 | # directive and replacing 'Restricted' which is the default set 89 | # in nginx-ldap-auth-daemon.py. 90 | #proxy_set_header X-Ldap-Realm "Restricted"; 91 | } 92 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/nginx.conf: -------------------------------------------------------------------------------- 1 | ## Version 2019/12/19 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf 2 | 3 | user abc; 4 | worker_processes 4; 5 | pid /run/nginx.pid; 6 | include /etc/nginx/modules/*.conf; 7 | 8 | events { 9 | worker_connections 768; 10 | # multi_accept on; 11 | } 12 | 13 | http { 14 | 15 | ## 16 | # Basic Settings 17 | ## 18 | 19 | sendfile on; 20 | tcp_nopush on; 21 | tcp_nodelay on; 22 | keepalive_timeout 65; 23 | types_hash_max_size 2048; 24 | variables_hash_max_size 2048; 25 | large_client_header_buffers 4 16k; 26 | 27 | # server_tokens off; 28 | 29 | # server_names_hash_bucket_size 64; 30 | # server_name_in_redirect off; 31 | 32 | client_max_body_size 0; 33 | 34 | include /etc/nginx/mime.types; 35 | default_type application/octet-stream; 36 | 37 | ## 38 | # Logging Settings 39 | ## 40 | 41 | access_log 
/config/log/nginx/access.log; 42 | error_log /config/log/nginx/error.log; 43 | 44 | ## 45 | # Gzip Settings 46 | ## 47 | 48 | gzip on; 49 | gzip_disable "msie6"; 50 | 51 | # gzip_vary on; 52 | # gzip_proxied any; 53 | # gzip_comp_level 6; 54 | # gzip_buffers 16 8k; 55 | # gzip_http_version 1.1; 56 | # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; 57 | 58 | ## 59 | # nginx-naxsi config 60 | ## 61 | # Uncomment it if you installed nginx-naxsi 62 | ## 63 | 64 | #include /etc/nginx/naxsi_core.rules; 65 | 66 | ## 67 | # nginx-passenger config 68 | ## 69 | # Uncomment it if you installed nginx-passenger 70 | ## 71 | 72 | #passenger_root /usr; 73 | #passenger_ruby /usr/bin/ruby; 74 | 75 | ## 76 | # Virtual Host Configs 77 | ## 78 | include /etc/nginx/conf.d/*.conf; 79 | include /config/nginx/site-confs/*; 80 | lua_load_resty_core off; 81 | 82 | } 83 | 84 | 85 | #mail { 86 | # # See sample authentication script at: 87 | # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript 88 | # 89 | # # auth_http localhost/auth.php; 90 | # # pop3_capabilities "TOP" "USER"; 91 | # # imap_capabilities "IMAP4rev1" "UIDPLUS"; 92 | # 93 | # server { 94 | # listen localhost:110; 95 | # protocol pop3; 96 | # proxy on; 97 | # } 98 | # 99 | # server { 100 | # listen localhost:143; 101 | # protocol imap; 102 | # proxy on; 103 | # } 104 | #} 105 | daemon off; 106 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/proxy.conf: -------------------------------------------------------------------------------- 1 | ## Version 2019/10/23 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/proxy.conf 2 | 3 | client_body_buffer_size 128k; 4 | 5 | #Timeout if the real server is dead 6 | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; 7 | 8 | # Advanced Proxy Config 9 | send_timeout 1h; 10 
| proxy_read_timeout 1h; 11 | proxy_send_timeout 1h; 12 | proxy_connect_timeout 1h; 13 | 14 | # TLS 1.3 early data 15 | proxy_set_header Early-Data $ssl_early_data; 16 | 17 | # Basic Proxy Config 18 | proxy_set_header Host $host; 19 | proxy_set_header X-Real-IP $remote_addr; 20 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 21 | proxy_set_header X-Forwarded-Proto https; 22 | proxy_set_header X-Forwarded-Host $host; 23 | proxy_set_header X-Forwarded-Ssl on; 24 | proxy_redirect http:// $scheme://; 25 | proxy_http_version 1.1; 26 | proxy_set_header Connection ""; 27 | #proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps 28 | proxy_cache_bypass $cookie_session; 29 | proxy_no_cache $cookie_session; 30 | proxy_buffers 32 4k; 31 | proxy_headers_hash_bucket_size 128; 32 | proxy_headers_hash_max_size 1024; 33 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/ssl.conf: -------------------------------------------------------------------------------- 1 | ## Version 2020/01/07 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf 2 | 3 | # session settings 4 | ssl_session_timeout 1d; 5 | ssl_session_cache shared:SSL:50m; 6 | ssl_session_tickets off; 7 | 8 | # Diffie-Hellman parameter for DHE cipher suites 9 | ssl_dhparam /config/nginx/dhparams.pem; 10 | 11 | # ssl certs 12 | ssl_certificate /config/keys/letsencrypt/fullchain.pem; 13 | ssl_certificate_key /config/keys/letsencrypt/privkey.pem; 14 | 15 | # protocols 16 | # using generated 2020-01-07, https://ssl-config.mozilla.org/#server=nginx&server-version=1.16.1-r4&config=intermediate&openssl-version=1.1.1d-r3 17 | ssl_protocols TLSv1.2 TLSv1.3; 18 | ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; 19 | ssl_prefer_server_ciphers off; 20 | 21 | # HSTS, remove # from the line below to enable HSTS 22 | #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; 23 | 24 | # OCSP Stapling 25 | ssl_stapling on; 26 | ssl_stapling_verify on; 27 | resolver 127.0.0.11 valid=30s; # Docker DNS Server 28 | 29 | # Enable TLS 1.3 early data 30 | ssl_early_data on; 31 | 32 | # Optional additional headers 33 | #add_header Content-Security-Policy "upgrade-insecure-requests"; 34 | #add_header X-Frame-Options "SAMEORIGIN" always; 35 | #add_header X-XSS-Protection "1; mode=block" always; 36 | #add_header X-Content-Type-Options "nosniff" always; 37 | #add_header X-UA-Compatible "IE=Edge" always; 38 | #add_header Cache-Control "no-transform" always; 39 | #add_header Referrer-Policy "same-origin" always; 40 | -------------------------------------------------------------------------------- /letsencrypt/root/defaults/vhost.conf.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat << EOF > /config/nginx/proxy-confs/vhost.conf 4 | server { 5 | listen 80; 6 | server_name ${URL}; 7 | return 301 https://\$host\$request_uri; 8 | } 9 | 10 | server { 11 | listen 80; 12 | listen 443 ssl; 13 | server_name *.${URL}; 14 | return 301 https://${URL}\$request_uri; 15 | } 16 | 17 | server { 18 | listen 443 ssl; 19 | server_name ${URL}; 20 | 21 | ssl_certificate /etc/letsencrypt/live/${URL}/fullchain.pem; 22 | ssl_certificate_key /etc/letsencrypt/live/${URL}/privkey.pem; 23 | 24 | ssl_protocols TLSv1.2 TLSv1.3; 25 | ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; 26 | ssl_prefer_server_ciphers off; 27 | 28 | proxy_hide_header X-Powered-By; 29 | proxy_cookie_domain ~(?P([-0-9a-z]+\.)?[-0-9a-z]+\.[a-z]+)$ "\$secure_domain; secure"; 30 | 31 | add_header Public-Key-Pins 'pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=^C max-age=60;'; 32 | add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; 33 | add_header X-XSS-Protection "1; mode=block"; 34 | add_header Referrer-Policy no-referrer; 35 | add_header X-Content-Type-Options nosniff; 36 | 37 | access_log /config/log/nginx/access.log; 38 | error_log /config/log/nginx/error.log crit; 39 | 40 | location ~ "^(/(?!(downloads|sormas-ui|sormas-rest|metrics)).*)" { 41 | rewrite ^(.*)$ https://${URL}/sormas-ui\\\$1 redirect; 42 | } 43 | 44 | location /sormas-ui { 45 | proxy_pass http://sormas:6080/sormas-ui; 46 | proxy_read_timeout ${HTTP_TIMEOUT}s; 47 | proxy_set_header X-Forwarded-Host \$host:\$server_port; 48 | proxy_set_header X-Forwarded-Server \$host; 49 | proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; 50 | } 51 | 52 | location /sormas-rest { 53 | proxy_pass http://sormas:6080/sormas-rest; 54 | proxy_read_timeout ${HTTP_TIMEOUT}s; 55 | proxy_set_header X-Forwarded-Host \$host:\$server_port; 56 | proxy_set_header X-Forwarded-Server \$host; 57 | proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; 58 | } 59 | 60 | location /metrics { 61 | $(for server in ${PROMETHEUS_SERVERS} 62 | do 63 | echo "allow $server;" 64 | done) 65 | deny all; 66 | proxy_pass http://sormas:6080/metrics; 67 | proxy_read_timeout ${HTTP_TIMEOUT}s; 68 | proxy_set_header X-Forwarded-Host \$host:\$server_port; 69 | 
proxy_set_header X-Forwarded-Server \$host; 70 | proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; 71 | } 72 | 73 | location /downloads { 74 | root /config/www/sormas/; 75 | autoindex on; 76 | } 77 | } 78 | EOF -------------------------------------------------------------------------------- /letsencrypt/root/etc/cont-init.d/60-renew: -------------------------------------------------------------------------------- 1 | #!/usr/bin/with-contenv bash 2 | 3 | # Check if the cert is expired or expires within a day, if so, renew 4 | if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then 5 | echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)." 6 | else 7 | echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes." 8 | /app/le-renew.sh 9 | sleep 1 10 | fi -------------------------------------------------------------------------------- /letsencrypt/root/etc/crontabs/root: -------------------------------------------------------------------------------- 1 | # do daily/weekly/monthly maintenance 2 | # min hour day month weekday command 3 | */15 * * * * run-parts /etc/periodic/15min 4 | 0 * * * * run-parts /etc/periodic/hourly 5 | 0 2 * * * run-parts /etc/periodic/daily 6 | 0 3 * * 6 run-parts /etc/periodic/weekly 7 | 0 5 1 * * run-parts /etc/periodic/monthly 8 | # renew letsencrypt certs 9 | 8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1 10 | -------------------------------------------------------------------------------- /letsencrypt/root/etc/logrotate.d/fail2ban: -------------------------------------------------------------------------------- 1 | /config/log/fail2ban/fail2ban.log { 2 | weekly 3 | rotate 7 4 | missingok 5 | compress 6 | delaycompress 7 | nodateext 8 | postrotate 9 | /usr/bin/fail2ban-client flushlogs 1>/dev/null || true 10 | endscript 11 | su 
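abc abc
}
--------------------------------------------------------------------------------
/letsencrypt/root/etc/logrotate.d/lerotate:
--------------------------------------------------------------------------------
/config/log/letsencrypt/*.log {
  weekly
  rotate 52
  compress
  delaycompress
  nodateext
  missingok
  notifempty
  sharedscripts
  su abc abc
}
--------------------------------------------------------------------------------
/letsencrypt/root/etc/services.d/fail2ban/run:
--------------------------------------------------------------------------------
#!/usr/bin/with-contenv bash

exec \
	fail2ban-client -x -f start
--------------------------------------------------------------------------------
/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SORMAS-Foundation/SORMAS-Docker/2c74a8ac64848e67970edfa554ccd490edbedaa2/logo.png
--------------------------------------------------------------------------------
/payara/Dockerfile:
--------------------------------------------------------------------------------
FROM azul/zulu-openjdk:11
ENV DEBIAN_FRONTEND=noninteractive
# ca-certificates is only a Recommends of wget and is therefore skipped by
# --no-install-recommends; install it explicitly so the download below can
# verify the Maven repository's TLS certificate instead of disabling the check.
RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get -y install ca-certificates wget unzip postgresql vim curl --no-install-recommends \
    && apt-get clean

# Optional integrity pin for the Payara archive:
#   docker build --build-arg PAYARA_SHA256=<expected sha256 of payara-5.2022.5.zip> .
# Empty by default so existing builds keep working; when set, a checksum
# mismatch fails the build before the archive is unpacked.
ARG PAYARA_SHA256=""
RUN wget -O /tmp/payara-5.2022.5.zip "https://search.maven.org/remotecontent?filepath=fish/payara/distributions/payara/5.2022.5/payara-5.2022.5.zip" \
    && if [ -n "$PAYARA_SHA256" ]; then echo "$PAYARA_SHA256  /tmp/payara-5.2022.5.zip" | sha256sum -c -; fi \
    && unzip -q -o /tmp/payara-5.2022.5.zip -d /opt/ \
    && rm -R /opt/payara5/glassfish/domains \
    && rm /tmp/payara-5.2022.5.zip
--------------------------------------------------------------------------------
/pg_debug/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:bullseye

RUN apt update && \
    apt upgrade -y && \
    apt install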
-y \ 6 | pgstat \ 7 | pgtop \ 8 | pg-activity 9 | 10 | CMD [ "sleep", "infinity" ] 11 | -------------------------------------------------------------------------------- /pg_debug/debug.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | eval $(head ../.env) 3 | docker run \ 4 | --network sormas-docker_default \ 5 | -it registry.netzlink.com/hzibraunschweig/pg_debug:${SORMAS_VERSION} \ 6 | bash 7 | -------------------------------------------------------------------------------- /pg_dump/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.17 2 | 3 | RUN apk update --no-cache && \ 4 | apk upgrade --no-cache && \ 5 | apk add --no-cache --upgrade postgresql14-client tar dcron tzdata zstd 6 | 7 | COPY pg_dump /root 8 | COPY entrypoint.sh /entrypoint.sh 9 | COPY prescripts.d /prescripts.d 10 | 11 | ENTRYPOINT ["/entrypoint.sh" ] 12 | CMD [ "/usr/sbin/crond", "-f" ] 13 | -------------------------------------------------------------------------------- /pg_dump/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | 5 | #################################################################################################### 6 | ### Crontab settings 7 | #################################################################################################### 8 | 9 | # see man 5 crontab 10 | # 11 | # examples for minutes and hours: 12 | # 0,2,4,6,8,10,12,14,16,18,20,22 13 | # */2 14 | # two times the hour at 15 and 45 min 15 | # MIN="15,45" 16 | # HOUR= 17 | # 18 | # every two hours at 17 min 19 | # MIN="17" 20 | # HOUR="*/2" 21 | 22 | RAND=$(( $RANDOM % 19 + 1 )) 23 | 24 | MIN=${MIN:-${RAND},$(( ${RAND} + 30 ))} 25 | HOUR=${HOUR:-0,4,7,8,9,10,11,12,13,14,15,16,17,18,20} 26 | 27 | cat<> /var/opt/db_dumps/logs/pg_dump.log 2>&1 30 | EOF 31 | 32 | 
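####################################################################################################
### Run prescripts
####################################################################################################

for file in $(ls /prescripts.d/); do
    echo "Running /prescripts.d/$file"
    /prescripts.d/$file
done

echo "Prescripts done"

####################################################################################################
### Run cmd
####################################################################################################

# see: https://github.com/dubiousjim/dcron/issues/13
# ignore using `exec` for `dcron` to get another pid instead of `1`
# exec "$@"
"$@"
--------------------------------------------------------------------------------
/pg_dump/pg_dump:
--------------------------------------------------------------------------------
#!/bin/sh

# Dump every non-template database (and, when BACKUP_FILES is set, the document
# directory) zstd-compressed into ${DUMP_PATH}, rotating old dumps unless an
# explicit common name was given.
#
# Usage: pg_dump [COMMON_NAME] [COMPRESSION_LEVEL]
#   COMMON_NAME        alias used in the created file names; when given, no
#                      backup removal/rotation happens
#   COMPRESSION_LEVEL  zstd level, default 3
# Environment: DB_HOST, POSTGRES_USER, BACKUP_FILES, BACKUP_PATH

# Without pipefail the status of "pg_dump | zstd" is zstd's alone, so a failed
# pg_dump was reported as "completed" and the rotation below then deleted good
# older dumps. busybox ash (the image's /bin/sh) supports this option.
set -o pipefail

# if parameter 1 is set use it as common alias to created file names - no backup removal/rotation in that case
if [ -n "$1" ]; then
    COMMON=$1
    DELETE=f
else
    COMMON=$( date +%F-%T )
    DELETE=t
fi

# default compression is set to 3
COMPRESSION_LEVEL=${2:-3}
DUMP_PATH=/var/opt/db_dumps
BAK_EXT=.zst
GZ_EXT=.gz
# Get a list of all databases and skip postgres and template databases
DBS=$(psql -h "${DB_HOST}" -U "${POSTGRES_USER}" -l -t --field-separator=': ' -A -x | grep Name | awk '{ print $2 }' | grep -v -E 'postgres|template')
if [ $? -ne 0 ];then
    echo "Backup process step during DBS listing failed!!"
    exit 100;
fi

# DBS is intentionally unquoted: one database name per word.
for d in ${DBS};do
    BAK="${DUMP_PATH}/db/$d.${COMMON}.sql"
    if [ -f "${BAK}${BAK_EXT}" ];then
        echo "Backup of ${d} skipped. File ${BAK}${BAK_EXT} already exists!!"
        continue
    fi
    if pg_dump -h "${DB_HOST}" -U "${POSTGRES_USER}" "${d}" | zstd -"${COMPRESSION_LEVEL}" -T0 >"${BAK}${BAK_EXT}"; then
        echo "Backup using compression_level ($COMPRESSION_LEVEL) of ${BAK}${BAK_EXT} completed."
        if [ "${DELETE}" = "t" ];then
            echo "Deleting old dumps for ${d}"
            # keep 1 day => delete all but the last 10 dumps - with .gz or .zst extention
            echo "$(ls -rt "${DUMP_PATH}/db/${d}."*"${BAK_EXT}" "${DUMP_PATH}/db/${d}."*"${GZ_EXT}" 2>/dev/null | head -n -10)"
            ls -rt "${DUMP_PATH}/db/${d}."*"${BAK_EXT}" "${DUMP_PATH}/db/${d}."*"${GZ_EXT}" 2>/dev/null | head -n -10 | xargs -r rm
        fi
    else
        # never leave a partial dump behind that a later run would treat as a good one
        rm -f "${BAK}${BAK_EXT}"
        echo "Backup of ${BAK}${BAK_EXT} failed!!"
        exit 1;
    fi
done

# remove double quotations from variable
BACKUP_FILES=$( echo $BACKUP_FILES | tr -d '"' )
# Start Filebackup
if [ -n "${BACKUP_FILES}" ]; then
    FILE_BACKUP_TARGET=${DUMP_PATH}/documents/files.${COMMON}${BAK_EXT}
    echo "Backup of ${BACKUP_FILES} in ${BACKUP_PATH}"
    # BACKUP_FILES is intentionally unquoted: a space-separated list of paths.
    # The -I command is double-quoted so COMPRESSION_LEVEL is expanded by this
    # script; in single quotes the literal text "-${COMPRESSION_LEVEL}" was
    # handed to tar, so the requested level never reached zstd.
    cd "${BACKUP_PATH}" && \
    tar cf "${FILE_BACKUP_TARGET}" -I "zstd -T0 -${COMPRESSION_LEVEL}" ${BACKUP_FILES}
    if [ $? -ge 1 ]; then
        echo "Backup of ${BACKUP_FILES} in ${BACKUP_PATH} failed"
        rm -f "${FILE_BACKUP_TARGET}"
        exit 42;
    fi
    if [ "${DELETE}" = "t" ];then
        echo "Deleting old file backups"
        # delete all BUT the last 1 ONLY (documents) file - with .zst extention
        echo "$(ls -rt "${DUMP_PATH}/documents/files."*"${BAK_EXT}" 2>/dev/null | head -n -1)"
        ls -rt "${DUMP_PATH}/documents/files."*"${BAK_EXT}" 2>/dev/null | head -n -1 | xargs -r rm
    fi
fi

exit 0;
--------------------------------------------------------------------------------
/pg_dump/prescripts.d/00-migrate-dumps.sh:
--------------------------------------------------------------------------------
#!/bin/sh

set -e

function MigrateDumps() {
    [ ! -d $1 ] && { mkdir $1; echo "Created $1"; } || { echo "$1 already created. Skipping migration... "; return; }
    for file in $(ls $2); do
        mv $file $1/
        echo "Moved $file to $1/$file"
    done
}

MigrateDumps /var/opt/db_dumps/db "/var/opt/db_dumps/*.sql.zst"
MigrateDumps /var/opt/db_dumps/documents "/var/opt/db_dumps/files.*.zst"
MigrateDumps /var/opt/db_dumps/logs "/var/opt/db_dumps/pg_dump.log"
--------------------------------------------------------------------------------
/postgres/Dockerfile:
--------------------------------------------------------------------------------
FROM postgres:14.10-alpine

RUN apk update --no-cache && \
    apk upgrade --no-cache && \
    # this line below keeping fixed musl lib version is unnecessary under docker 20.10.3+ but musl-dev has to be normally included in apk add, then
    # apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/v3.13/main/ 'musl<1.2.2-r3' 'musl-dev<1.2.2-r3' && \
    apk add --no-cache openssl curl tzdata py-pip python3-dev postgresql-dev postgresql-contrib make gcc py3-psutil musl-dev


COPY psql.conf /etc/postgresql/postgresql.conf
COPY alter_system.py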
/usr/local/bin/ 12 | COPY tuning_parameters.conf /etc/postgresql/ 13 | COPY setup_sormas.sh /docker-entrypoint-initdb.d/ 14 | COPY update_sormas.sh /docker-entrypoint-updatedb.d/ 15 | COPY docker-entrypoint.sh /usr/local/bin/ 16 | -------------------------------------------------------------------------------- /postgres/README.md: -------------------------------------------------------------------------------- 1 |

2 | 3 | SORMAS - Surveillance, Outbreak Response Management and Analysis System 8 | 9 |

10 | 11 | # Container Postgres 12 | 13 | The postgres container is built from image `postgres:10-alpine`. It uses a prepared `/etc/postgresql/postgresql.conf` file with the parameter: 14 | 15 | ```shell 16 | max_prepared_transactions = 110 # zero disables the feature 17 | ``` 18 | 19 | This is needed to successfully deploy sormas. 20 | 21 | During initial setup `/docker-entrypoint-initdb.d/setup_sormas.sh` is executed. It creates and configures the sormas user and databases. 22 | 23 | ```sql 24 | CREATE USER ${SORMAS_POSTGRES_USER} WITH PASSWORD '${SORMAS_POSTGRES_PASSWORD}' CREATEDB; 25 | CREATE DATABASE ${DB_NAME} WITH OWNER = '${SORMAS_POSTGRES_USER}' ENCODING = 'UTF8'; 26 | \c ${DB_NAME} 27 | CREATE OR REPLACE PROCEDURAL LANGUAGE plpgsql; 28 | ALTER PROCEDURAL LANGUAGE plpgsql OWNER TO ${SORMAS_POSTGRES_USER}; 29 | CREATE EXTENSION pg_trgm; 30 | CREATE EXTENSION pgcrypto; 31 | GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO ${SORMAS_POSTGRES_USER}; 32 | ``` 33 | 34 |

35 | 36 | netzlink-Logo_weißrot 42 | 43 |

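
# Environment variables

These configurations of postgres can be passed to container via environment variables. For more information about them, please refer to postgres documentation.
* SUPERUSER_RESERVED_CONNECTIONS
* EFFECTIVE_IO_CONCURRENCY
* RANDOM_PAGE_COST
* BGWRITER_DELAY
* BGWRITER_LRU_MAXPAGES
* BGWRITER_LRU_MULTIPLIER
* BGWRITER_FLUSH_AFTER
* IDLE_IN_TRANSACTION_SESSION_TIMEOUT
--------------------------------------------------------------------------------
/postgres/alter_system.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
"""
ALTER SYSTEM writes the given parameter setting to the postgresql.auto.conf file,
which is read in addition to postgresql.conf

Usage::

    alter_system.py -i postgresql.conf -t tuning_parameters.conf -o postgresql.auto.conf

The tuning file holds ``name = formula`` lines (e.g. ``shared_buffers = mem / 4``).
Each formula is evaluated against the container's memory limit ``mem`` (bytes)
and CPU limit ``cpu``, the unit constants ``kB``/``MB``/``GB``/``TB`` and any
parameter of the input config it names (e.g. ``max_connections``). Results are
written as ``name = 'value'`` lines with byte amounts rendered with a unit.
Formulas go through a small whitelisting evaluator, not exec()/eval().
"""
import ast
import operator
import optparse
import os
import re
import sys

import psutil

kB = 1024
MB = 1048576
GB = 1073741824
TB = 1099511627776

# (multiplier, suffix) from the largest unit down; shared by humanize()/human_to_int().
_UNITS = ((TB, "TB"), (GB, "GB"), (MB, "MB"), (kB, "kB"))

# Parameters written as plain counts instead of humanized byte amounts.
_PLAIN_COUNTS = frozenset(["max_connections"])

# Pool size assumed when DB_JDBC_MAXPOOLSIZE is unset/invalid, and the minimum applied to it.
_DEFAULT_POOL_SIZE = 128

# Everything a tuning formula may contain. Unknown constructs are rejected with
# ValueError rather than passed to exec(), so the tuning file can only express
# arithmetic over the known names.
_SAFE_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_SAFE_UNARYOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_SAFE_FUNCS = {"min": min, "max": max, "int": int, "round": round, "abs": abs}
_TRAILING_COMMENT = re.compile(r'#.*$')


def read_options(program_args):
    """Parse ``program_args`` (the full argv, program name included).

    Returns ``(options, args, parser)``; ``options`` carries ``input_config``,
    ``output_config`` and ``tuning_config``, each ``None`` when not given.
    """
    parser = optparse.OptionParser(usage="usage: %prog [options]",
                                   version="0.0.1b",
                                   conflict_handler="resolve")
    parser.add_option('-i', '--input-config', dest="input_config", default=None,
                      help="Input configuration file")
    parser.add_option('-o', '--output-config', dest="output_config", default=None,
                      help="Output configuration file")
    parser.add_option('-t', '--tuning-parameters', dest="tuning_config", default=None,
                      help="Tuning parameter configuration file")
    options, args = parser.parse_args(program_args)
    return options, args, parser


def humanize(value):
    """Render a byte amount with a postgres unit suffix.

    The largest of TB/GB/MB that divides ``value`` exactly is used; otherwise
    the amount is given in kB (truncated), so ``2 * GB`` -> ``'2GB'`` and
    ``1536 * MB`` -> ``'1536MB'``. Earlier versions truncated to the largest
    unit that fit at all, turning 1.5GB into ``'1GB'`` and silently shrinking
    the computed setting. A value below 1kB is returned as a plain number and
    a non-numeric string (``'on'``) unchanged. Every tuning value except those
    in ``_PLAIN_COUNTS`` passes through here, so a plain count that is a
    multiple of 1024 is rendered with a unit as well.
    """
    if isinstance(value, str) and not value.isdigit():
        return value
    amount = int(value)
    for multiplier, suffix in _UNITS[:-1]:
        if amount >= multiplier and amount % multiplier == 0:
            return str(amount // multiplier) + suffix
    if amount >= kB:
        # never emit raw bytes for a memory setting: postgres reads a unitless
        # value in the parameter's own base unit (kB or 8kB blocks), not bytes
        return str(amount // kB) + "kB"
    return str(amount)


def human_to_int(value):
    """Inverse of :func:`humanize`: ``'2GB'`` -> ``2 * GB``, ``'100'`` -> ``100``.

    ``value`` must be a str; a suffix without digits raises ValueError. Used
    to resolve input-config parameters referenced from tuning formulas.
    """
    for multiplier, suffix in _UNITS:
        if suffix in value:
            return multiplier * int(value.strip(suffix))
    return int(value)


def _read_cgroup(path):
    """Return the stripped text of ``path``, or None when it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().rstrip()
    except OSError:
        return None


def get_mem():
    """Return the memory available to this container in bytes.

    The cgroup limit (v2 ``memory.max``, else v1 ``memory.limit_in_bytes``) is
    capped at the host total reported by psutil; no cgroup file, ``max`` (v2)
    or ``-1`` (v1) means the host total.
    """
    sysmem = psutil.virtual_memory().total
    limit = _read_cgroup("/sys/fs/cgroup/memory.max")
    if limit is None:
        limit = _read_cgroup("/sys/fs/cgroup/memory/memory.limit_in_bytes")
    if limit is None or limit in ("max", "-1"):
        return sysmem
    return min(int(limit), sysmem)


def get_cpu():
    """Return the CPU count available to this container.

    Reads the cgroup quota (v2 ``cpu.max`` as ``"<quota> <period>"``, else v1
    ``cpu.cfs_quota_us``/``cpu.cfs_period_us``). No quota (``max`` in v2,
    ``-1`` in v1, or no cgroup file) yields ``psutil.cpu_count()``; otherwise
    the result is ``quota // period + 1`` exactly as the original computed it,
    which reports 3 for a quota of exactly two CPUs. TODO(review): confirm the
    "+ 1" is intended rather than a ceiling.
    """
    v2 = _read_cgroup("/sys/fs/cgroup/cpu.max")
    if v2 is not None:
        cpu_quota, cpu_period = v2.split()
    else:
        cpu_quota = _read_cgroup("/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us")
        cpu_period = _read_cgroup("/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us")
        if cpu_quota is None or cpu_period is None:
            cpu_quota = "max"
    if cpu_quota in ("max", "-1"):
        return psutil.cpu_count()
    return int(cpu_quota) // int(cpu_period) + 1


def _parse_assignments(filename):
    """Yield ``(name, value)`` for every ``name = value`` line of ``filename``.

    Lines without ``=``, and lines whose first ``=`` sits inside a ``#``
    comment, are skipped; a trailing ``# comment`` is stripped from the value.
    Quotes are kept verbatim and a ``#`` inside a quoted value still counts as
    a comment start, as the original line-based parser did.
    """
    with open(filename) as fh:
        for line in fh:
            line = line.rstrip('\n')
            comment_index = line.find('#')
            equal_index = line.find('=')
            if equal_index < 0 or 0 <= comment_index < equal_index:
                continue
            name, value = line.split('=', 1)
            yield name.strip(), _TRAILING_COMMENT.sub('', value).strip()


def read_config_file(filename):
    """Parse a postgresql.conf-style file into ``{name: value}`` (last assignment wins)."""
    return dict(_parse_assignments(filename))


def _eval_formula(formula, names, config, param):
    """Evaluate the tuning ``formula`` of parameter ``param`` without exec().

    Accepted: numeric and string literals, the operators in ``_SAFE_BINOPS``
    and ``_SAFE_UNARYOPS``, positional calls to ``_SAFE_FUNCS``, and names.
    A name resolves to the input ``config`` first (converted with
    :func:`human_to_int`), then to ``names`` (``mem``, ``cpu``, unit
    constants). Anything else raises ValueError naming the parameter, so a bad
    tuning line fails loudly at startup. This replaces the former exec()
    approach, which also relied on exec() writing new variables into the
    function's ``locals()`` -- behaviour newer Python versions no longer
    provide (PEP 667).
    """
    try:
        tree = ast.parse(formula, mode='eval')
    except SyntaxError as err:
        raise ValueError("cannot parse formula for %s: %r" % (param, formula)) from err

    def evaluate(node):
        if isinstance(node, ast.Expression):
            return evaluate(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in config:
                return human_to_int(config[node.id])
            if node.id in names:
                return names[node.id]
            raise ValueError("unknown name %r in formula for %s" % (node.id, param))
        if isinstance(node, ast.BinOp) and type(node.op) in _SAFE_BINOPS:
            return _SAFE_BINOPS[type(node.op)](evaluate(node.left), evaluate(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _SAFE_UNARYOPS:
            return _SAFE_UNARYOPS[type(node.op)](evaluate(node.operand))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in _SAFE_FUNCS and not node.keywords):
            return _SAFE_FUNCS[node.func.id](*[evaluate(arg) for arg in node.args])
        raise ValueError("unsupported construct %s in formula for %s"
                         % (type(node).__name__, param))

    return evaluate(tree)


def _cap(values, name, limit):
    """Clamp ``values[name]`` to ``limit`` when it is present and numeric."""
    if isinstance(values.get(name), (int, float)) and values[name] > limit:
        values[name] = limit


def get_tuning_values(config, filename):
    """Compute the settings described by the tuning-parameter file ``filename``.

    Args:
        config: ``{name: value}`` from :func:`read_config_file`; formulas may
            refer to its keys.
        filename: tuning file with ``name = formula`` lines.

    Returns:
        ``{name: value}`` with ``value`` an int where the formula result
        converts, otherwise the raw result (e.g. a quoted ``'on'``).
        ``maintenance_work_mem`` is capped at 2GB and ``wal_buffers`` at 16MB.
        ``max_connections`` is always ``2 * pool + 14`` with ``pool`` taken
        from ``DB_JDBC_MAXPOOLSIZE`` and raised to at least 128 (also the
        default when the variable is unset or not an integer).

    Raises:
        ValueError: a formula uses an unsupported construct or unknown name.
    """
    names = {"kB": kB, "MB": MB, "GB": GB, "TB": TB, "mem": get_mem(), "cpu": get_cpu()}
    values = {}
    for name, formula in _parse_assignments(filename):
        result = _eval_formula(formula, names, config, name)
        try:
            values[name] = int(result)
        except (TypeError, ValueError):
            values[name] = result  # non-numeric result, e.g. a quoted string
    _cap(values, "maintenance_work_mem", 2 * GB)
    _cap(values, "wal_buffers", 16 * MB)
    # set max_connections depending on JDBC_MAXPOOLSIZE
    try:
        pool_size = int(os.environ.get('DB_JDBC_MAXPOOLSIZE', ''))
    except ValueError:
        pool_size = _DEFAULT_POOL_SIZE
    values['max_connections'] = max(pool_size, _DEFAULT_POOL_SIZE) * 2 + 14
    return values


def alter_system(filename, config, values):
    """Write ``values`` as ``name = 'value'`` lines to ``filename`` (overwriting it).

    Values are passed through :func:`humanize` except those in
    ``_PLAIN_COUNTS``, which are written as plain numbers. ``config`` is kept
    for interface compatibility and is not used.
    """
    with open(filename, 'w') as auto:
        for name, value in values.items():
            rendered = str(value) if name in _PLAIN_COUNTS else humanize(value)
            auto.write(name + " = '" + rendered + "'\n")


def main(program_args):
    """Entry point: read the config, evaluate the tuning file, write the output.

    Returns 0 on success; missing ``-i``/``-t``/``-o`` ends with the usage
    error exit of optparse instead of a TypeError from ``open(None)``.
    """
    options, args, parser = read_options(program_args)
    if not (options.input_config and options.tuning_config and options.output_config):
        parser.error("-i, -t and -o are all required")
    config = read_config_file(options.input_config)
    values = get_tuning_values(config, options.tuning_config)
    alter_system(options.output_config, config, values)
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
--------------------------------------------------------------------------------
/postgres/setup_sormas.sh:
--------------------------------------------------------------------------------
#!/bin/bash
set -e

# Set up the database
echo "Starting database setup..."

psql -v ON_ERROR_STOP=1 --username "postgres" <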