Merge remote-tracking branch 'origin/main'

2025-11-12 16:04:35 +01:00
parent 2d71d66992 106d05bedb
commit 0d9012c6ef
11 changed files with 279 additions and 71 deletions
--- a/apache/conf/gfa-status.conf
+++ b/apache/conf/gfa-status.conf
@@ -0,0 +1,31 @@
+<VirtualHost *:80>
+    ServerName gfa-status-test.psi.ch
+    DocumentRoot /var/www/gfa-status/web
+
+    ErrorLog /proc/self/fd/2
+    CustomLog /proc/self/fd/1 combined
+
+    Header set Access-Control-Allow-Origin "*"
+
+    # PHP configuration
+    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
+        SetHandler application/x-httpd-php
+    </FilesMatch>
+
+    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@gfa-status.web.psi.ch"
+    php_admin_value upload_tmp_dir /var/www/clients/client45/web70/tmp
+    php_admin_value session.save_path /var/www/clients/client45/web70/tmp
+    php_admin_value open_basedir /var/www/clients/client45/web70/web:/var/www/clients/client45/web70/private:/var/www/clients/client45/web70/tmp:/var/www/gfa-status.web.psi.ch/web:/tmp:/usr/share/php:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/var/www/error/
+
+    <Directory /var/www/gfa-status.web.psi.ch/web>
+        Options +FollowSymLinks +Includes
+        AllowOverride All
+        Require all granted
+
+        # SSI support
+        AddType text/html .shtml
+        AddOutputFilter INCLUDES .shtml
+    </Directory>
+
+</VirtualHost>
+
--- a/apache/conf/rfmwtools.conf
+++ b/apache/conf/rfmwtools.conf
@@ -0,0 +1,29 @@
+<VirtualHost *:80>
+    ServerName rfmwtools-test.psi.ch
+
+    # Document root for static files
+    DocumentRoot /var/www/rfmwtools
+
+    # CGI scripts
+    ScriptAlias /cgi-bin/ /var/www/rfmwtools/cgi-bin/
+
+    <Directory "/var/www/rfmwtools/cgi-bin">
+        Options +ExecCGI +FollowSymLinks +Indexes
+        AddHandler cgi-script .sh .cgi
+        Require all granted
+
+        SetEnv SCRIPT_WORKDIR /var/www/rfmwtools/cgi-bin
+        DirectoryIndex rfmwtools.html
+    </Directory>
+
+    <Directory "/var/www/rfmwtools">
+        Options Indexes FollowSymLinks
+        AllowOverride None
+        Require all granted
+        DirectoryIndex rfmwtools.html
+    </Directory>
+
+    ErrorLog /proc/self/fd/2
+    CustomLog /proc/self/fd/1 combined
+</VirtualHost>
+
--- a/conf.d/00-default.conf
+++ b/conf.d/00-default.conf
@@ -0,0 +1,20 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    return 404;
+
+}
+
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    server_name _;
+
+    ssl_certificate /etc/nginx/certs/default.psi.ch.crt;
+    ssl_certificate_key /etc/nginx/private/default.psi.ch.key;
+
+    return 404;
+}
+
--- a/conf.d/fluid-eos-test.conf
+++ b/conf.d/fluid-eos-test.conf
@@ -0,0 +1,37 @@
+# Churakov Sergey - ISPD migration
+server {
+    listen 80;
+    server_name fluid-eos-test.psi.ch;
+
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name fluid-eos-test.psi.ch;
+
+    root /opt/webcontent/fluid-eos;
+    index index.html;
+
+    ssl_certificate     /etc/nginx/certs/fluid-eos-test.psi.ch.crt;
+    ssl_certificate_key /etc/nginx/private/fluid-eos-test.psi.ch.key;
+
+    access_log /var/log/nginx/fluid-eos-test.access.log;
+    error_log  /var/log/nginx/fluid-eos-test.error.log;
+
+    location / {
+        autoindex on;
+        autoindex_exact_size off;
+        autoindex_localtime on;
+
+        try_files $uri $uri/ =404;
+    }
+    location ^~ /EOS/ {
+	autoindex on;
+        autoindex_exact_size off;
+        autoindex_localtime on;
+
+	try_files $uri $uri/ =404;
+    }
+}
+
--- a/conf.d/gfa-status-test.conf
+++ b/conf.d/gfa-status-test.conf
@@ -12,7 +12,7 @@ server {
    ssl_certificate_key /etc/nginx/private/gfa-status-test.psi.ch.key;

    location / {
-        proxy_pass http://gfa-status-test:80;
+        proxy_pass http://apache_app:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/conf.d/opticswiki.conf
+++ b/conf.d/opticswiki.conf
@@ -0,0 +1,24 @@
+# opticswiki conf for nginx
+# cloned from gfa-status-test.conf
+
+server {
+    listen 80;
+    server_name opticswiki.psi.ch;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name opticswiki.psi.ch;
+
+    ssl_certificate /etc/nginx/certs/opticswiki.psi.ch.crt;
+    ssl_certificate_key /etc/nginx/private/opticswiki.psi.ch.key;
+
+    location / {
+        proxy_pass http://opticswiki:80;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
--- a/conf.d/panda-maintenance.conf
+++ b/conf.d/panda-maintenance.conf
@@ -0,0 +1,29 @@
+server {
+    listen 80;
+    server_name panda-maintenance.psi.ch;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name panda-maintenance.psi.ch;
+
+    ssl_certificate /etc/nginx/certs/panda-maintenance.psi.ch.crt;
+    ssl_certificate_key /etc/nginx/private/panda-maintenance.psi.ch.key;
+
+
+    rewrite ^/$ /cmdbuild/ permanent;
+    location / {
+        return 404;
+    }
+
+    location /cmdbuild {
+        proxy_pass http://panda-maintenance-app:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        # https://forum.cmdbuild.org/t/cmdbuild-behind-nginx-reverse-proxy/5070/3
+        add_header Content-Security-Policy upgrade-insecure-requests always;
+    }
+}
--- a/conf.d/woodpecker-test.conf
+++ b/conf.d/woodpecker-test.conf
@@ -1,18 +1,18 @@
 server {
    listen 80;
-    server_name woodpecker-test.psi.ch;
+    server_name rfmwtools-test.psi.ch;
    return 301 https://$host$request_uri;
 }

 server {
    listen 443 ssl;
-    server_name woodpecker-test.psi.ch;
+    server_name rfmwtools-test.psi.ch;

-    ssl_certificate /etc/nginx/certs/woodpecker-test.psi.ch.crt;
-    ssl_certificate_key /etc/nginx/private/woodpecker-test.psi.ch.key;
+    ssl_certificate /etc/nginx/certs/rfmwtools-test.psi.ch.crt;
+    ssl_certificate_key /etc/nginx/private/rfmwtools-test.psi.ch.key;

    location / {
-        proxy_pass http://woodpecker_server:8000;
+        proxy_pass http://apache_app:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/conf.d/swiss-ecargo.conf
+++ b/conf.d/swiss-ecargo.conf
@@ -1,18 +1,18 @@
 server {
    listen 80;
-    server_name carculator-api-test.psi.ch;
+    server_name swiss-ecargo-api-test.psi.ch;
    return 301 https://$host$request_uri;
 }

 server {
    listen 443 ssl;
-    server_name carculator-api-test.psi.ch;
+    server_name swiss-ecargo-api-test.psi.ch;

-    ssl_certificate /etc/nginx/certs/carculator-api-test.psi.ch.crt;
-    ssl_certificate_key /etc/nginx/private/carculator-api-test.psi.ch.key;
+    ssl_certificate /etc/nginx/certs/swiss-ecargo-api-test.psi.ch.crt;
+    ssl_certificate_key /etc/nginx/private/swiss-ecargo-api-test.psi.ch.key;

    location / {
-        proxy_pass http://carculator:8000;
+        proxy_pass http://swiss-ecargo:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -11,16 +11,33 @@ services:
      - "80:80"
      - "443:443"
    volumes:
+      - /etc/letsencrypt/live:/etc/letsencrypt/live:ro
+      - /etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
      - /etc/pki/tls/certs:/etc/nginx/certs:ro
      - /etc/pki/tls/private:/etc/nginx/private:ro
      - /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - /etc/nginx/conf.d:/etc/nginx/conf.d:ro
      - /opt/webcontent/sinqstatus-test:/opt/webcontent/sinqstatus-test:ro
+      - /opt/webcontent/fluid-eos:/opt/webcontent/fluid-eos:ro
      - /opt/webcontent/it-strategy-dashboard/frontend/:/opt/webcontent/it-strategy-dashboard/:ro
    networks:
      - public
      - backend
- 
+
+  # rfwtools
+  # gfa-status-test
+  apache:
+    image: gitea.psi.ch/images/php-apache:latest
+    container_name: apache_app
+    restart: always
+    volumes:
+      - /opt/webcontent/rfmwtools:/var/www/rfmwtools:ro
+      - /opt/webcontent/gfa-status:/var/www/gfa-status:ro
+      - ./apache/conf/rfmwtools.conf:/etc/apache2/sites-enabled/rfmwtools.conf:ro
+      - ./apache/conf/gfa-status.conf:/etc/apache2/sites-enabled/gfa-status.conf:ro
+    networks:
+      - backend
+
  # linux-eng@psi.ch
  # Test app
  excalidraw:
@@ -36,19 +53,19 @@ services:
  pif-elog:
    image: gitea.psi.ch/images/elog:3.1.5
    container_name: pif-elog
-    restart: always    
+    restart: always
    volumes:
      - /opt/logbooks/pif:/usr/local/elog/logbooks
      - /opt/webcontent/pif/elog.cfg:/usr/local/elog/elogd.cfg
    networks:
-      - backend  
+      - backend

  # Krieger Jonas Andreas <jonas.krieger@psi.ch>, Raselli Andrea-Raeto <andrea.raselli@psi.ch>
  # Elog as a Service PoC mit musr-elog.psi.ch? linux-eng@psi.ch
  lmu-elog:
    image: gitea.psi.ch/images/elog:3.1.5
    container_name: lmu-elog
-    restart: always    
+    restart: always
    volumes:
      - /opt/logbooks/LMU:/usr/local/elog/logbooks
      - /opt/webcontent/LMU/elog.cfg:/usr/local/elog/elogd.cfg
@@ -62,23 +79,23 @@ services:
    image: gitea.psi.ch/images/mcda-calculator:1.0.3
    container_name: mcda-calculator
    restart: always
-    networks: 
+    networks:
      - backend

  # Romain Sacchi <romain.sacchi@psi.ch>
-  # Also installed on docker-dmz
-  # PSI Service
-  carculator:
-    image: gitea.psi.ch/sacchi_r/carculator:0.1.0
-    container_name: carculator
+  swiss-ecargo:
+    image: gitea.psi.ch/sacchi_r/swiss-ecargo:0.1.2
+    container_name: swiss-ecargo
    restart: always
+    environment:
+      - HOSTED_API_KEY=${ecargo_api_key}
    networks:
      - backend

  # Augustin Sven <sven.augustin@psi.ch>
  # POC for SiwssFel
  hedgedoc_app:
-    image: quay.io/hedgedoc/hedgedoc:1.10.1
+    image: quay.io/hedgedoc/hedgedoc:1.10.3
    container_name: hedgedoc
    environment:
      - CMD_DB_URL=postgres://${hedgedoc_user}:${hedgedoc_password}@hedgedoc_db:5432/hedgedoc
@@ -100,7 +117,7 @@ services:
      - /opt/webcontent/sf-hedgedoc/uploads:/hedgedoc/public/uploads
    restart: always
    depends_on:
-      - hedgedoc_db 
+      - hedgedoc_db
    networks:
      - backend
      - hedgedoc_backend
@@ -119,54 +136,23 @@ services:
    networks:
      - hedgedoc_backend

-  # Andreas Luedeke <andreas.luedeke@psi.ch>
-  # POC not running yet
-  gfa-status-test:
-    image: php:8.2-apache
-    container_name: gfa-status-test
-    volumes: 
-      - /opt/webcontent/gfa-status/web:/var/www/html
+  # Flechsig Uwe <uwe.flechsig@psi.ch>
+  # opticswiki (test setup)
+  # I assume gitea.psi.ch/images is the local image repository filled docker push
+  # /opt/webcontent/opticswiki must be filled once (before starting the container)
+  #   gitea.psi.ch/optics/opticswiki/ =>  make initvolumes
+  opticswiki:
+    image: gitea.psi.ch/images/opticswiki:1
+    container_name: opticswiki
    restart: always
+    volumes:
+      - /opt/webcontent/opticswiki/data:/usr/local/apache2/Foswiki-2.1.9/data
+      - /opt/webcontent/opticswiki/pub:/usr/local/apache2/Foswiki-2.1.9/pub
+      - /opt/webcontent/opticswiki/working:/usr/local/apache2/Foswiki-2.1.9/working
+      - /opt/webcontent/opticswiki/lib:/usr/local/apache2/Foswiki-2.1.9/lib
    networks:
      - backend
-
-  # Sven Augustin -Hax0rL0rd
-  # CI/CD Aaddition to Gitea (Jenkins for poor people)
-  woodpecker-server:
-    image: woodpeckerci/woodpecker-server:next
-    container_name: woodpecker_server
-    ports:
-      - 8000:8000
-    volumes:
-      - /opt/webcontent/woodpecker/server:/var/lib/woodpecker/
-    environment:
-      - WOODPECKER_OPEN=true
-      - WOODPECKER_HOST=https://woodpecker-test.psi.ch
-      - WOODPECKER_AGENT_SECRET={{ WOODPECKER_AGENT_SECRET }}
-      - WOODPECKER_GITEA=true
-      - WOODPECKER_GITEA_URL=https://gitea-test.psi.ch
-      - WOODPECKER_GITEA_CLIENT={{ WOODPECKER_GITEA_CLIENT }}
-      - WOODPECKER_GITEA_SECRET={{ WOODPECKER_GITEA_SECRET }}
-    networks:
-      - backend
-      - woodpecker_backend
-
-  woodpecker-agent:
-    image: woodpeckerci/woodpecker-agent:next
-    container_name: woodpecker_agent
-    command: agent
-    restart: always
-    depends_on:
-      - woodpecker-server
-    volumes:
-      - /opt/webcontent/woodpecker/agent/woodpecker:/etc/woodpecker
-      - /var/run/docker.sock:/var/run/docker.sock
-    environment:
-      - WOODPECKER_SERVER=woodpecker-server:9000
-      - WOODPECKER_AGENT_SECRET={{ WOODPECKER_AGENT_SECRET }}
-    networks:
-      - woodpecker_backend
-
+ 
  # Angelo Sozzi INC0150655 angelo.sozzi@psi.ch
  # POC Software - might be installed on docker-dmz
  n8n:
@@ -202,7 +188,7 @@ services:
      - it_strategy_dashboard_backend

  it-strategy-dashboard-backend:
-    image: gitea.psi.ch/9501/it-strategy-dashboard-backend:2.0
+    image: gitea.psi.ch/9501/it-strategy-dashboard-backend:2.0.1
    container_name: it-strategy-dashboard-backend
    restart: always
    environment:
@@ -242,10 +228,63 @@ services:
      timeout: 5s
      retries: 5

+# Christoph Hug <christoph.hug@psi.ch>, Simon Suter <simon.suter@psi.ch>
+# Panda-Maintenance (OpenMaint)
+  panda-maintenance-db:
+    image: postgis/postgis:17-3.5-alpine
+    container_name: panda-maintenance-db
+    volumes:
+      - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW}
+    restart: always
+    mem_limit: 4000m
+    mem_reservation: 2000m
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 80s
+    networks:
+      - panda_maintenance_backend
+  panda-maintenance-app:
+    image: itmicus/cmdbuild:om-2.4-4.1.0
+    container_name: panda-maintenance-app
+    links:
+      - panda-maintenance-db
+    depends_on:
+      panda-maintenance-db:
+        condition: service_healthy
+    restart: always
+    volumes:
+      - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW}
+      - POSTGRES_PORT=5432
+      - POSTGRES_HOST=panda-maintenance-db
+      - POSTGRES_DB=openmaint
+      - CMDBUILD_DUMP=empty.dump.xz
+      - JAVA_OPTS=-Xmx6000m -Xms3000m
+    mem_limit: 6000m
+    mem_reservation: 3500m
+    healthcheck:
+      test: [ "CMD", "curl", "-f", "-L", "http://localhost:8080/cmdbuild/ui" ]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 120s
+    networks:
+      - backend
+      - panda_maintenance_backend
+
+
 networks:
  public:
  backend:
  hedgedoc_backend:
-  woodpecker_backend:
  it_strategy_dashboard_backend:
+  panda_maintenance_backend:

--- a/nginx.conf
+++ b/nginx.conf
@@ -12,7 +12,6 @@ http {
    default_type  application/octet-stream;

    add_header X-Content-Type-Options nosniff;
-    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # HSTS
    add_header Referrer-Policy no-referrer-when-downgrade;  # Referrer policy