diff --git a/apache/conf/gfa-status.conf b/apache/conf/gfa-status.conf
new file mode 100644
index 0000000..23bf340
--- /dev/null
+++ b/apache/conf/gfa-status.conf
@@ -0,0 +1,31 @@
+
+ ServerName gfa-status-test.psi.ch
+ DocumentRoot /var/www/gfa-status/web
+
+ ErrorLog /proc/self/fd/2
+ CustomLog /proc/self/fd/1 combined
+
+ Header set Access-Control-Allow-Origin "*"
+
+ # PHP configuration
+
+ SetHandler application/x-httpd-php
+
+
+ php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@gfa-status.web.psi.ch"
+ php_admin_value upload_tmp_dir /var/www/clients/client45/web70/tmp
+ php_admin_value session.save_path /var/www/clients/client45/web70/tmp
+ php_admin_value open_basedir /var/www/clients/client45/web70/web:/var/www/clients/client45/web70/private:/var/www/clients/client45/web70/tmp:/var/www/gfa-status.web.psi.ch/web:/tmp:/usr/share/php:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/var/www/error/
+
+
+ Options +FollowSymLinks +Includes
+ AllowOverride All
+ Require all granted
+
+ # SSI support
+ AddType text/html .shtml
+ AddOutputFilter INCLUDES .shtml
+
+
+
+
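Review bot: The `open_basedir` list does not contain the `DocumentRoot` set at the top of this file (`/var/www/gfa-status/web`), yet it still allows `/tmp`, the phpMyAdmin directories and the `/var/www/clients/client45/web70/...` paths that look carried over from the previous hosting. PHP checks the requested script against this list too, so the pages would presumably be refused as written. Narrowing it to what this container serves, e.g. `php_admin_value open_basedir /var/www/gfa-status/web:/tmp`, also takes the unrelated paths out of PHP's reach, and `upload_tmp_dir` and `session.save_path` need a writable directory that exists in the container. `Options +Includes` permits `#exec` in SSI pages, whereas `+IncludesNOEXEC` keeps `.shtml` includes working without it. `Header set Access-Control-Allow-Origin "*"` lets any origin read these responses and should carry a comment saying why; the enclosing container tags are not visible in this hunk, so the scope of each directive should be confirmed.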
diff --git a/apache/conf/rfmwtools.conf b/apache/conf/rfmwtools.conf
new file mode 100644
index 0000000..e86abfd
--- /dev/null
+++ b/apache/conf/rfmwtools.conf
@@ -0,0 +1,29 @@
+
+ ServerName rfmwtools-test.psi.ch
+
+ # Document root for static files
+ DocumentRoot /var/www/rfmwtools
+
+ # CGI scripts
+ ScriptAlias /cgi-bin/ /var/www/rfmwtools/cgi-bin/
+
+
+ Options +ExecCGI +FollowSymLinks +Indexes
+ AddHandler cgi-script .sh .cgi
+ Require all granted
+
+ SetEnv SCRIPT_WORKDIR /var/www/rfmwtools/cgi-bin
+ DirectoryIndex rfmwtools.html
+
+
+
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+ DirectoryIndex rfmwtools.html
+
+
+ ErrorLog /proc/self/fd/2
+ CustomLog /proc/self/fd/1 combined
+
+
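Review bot: `+Indexes` is enabled in the same block as `+ExecCGI` and `AddHandler cgi-script .sh .cgi`, so any directory without `rfmwtools.html` is listed, which would show visitors the script names in the CGI tree. `Options +ExecCGI +FollowSymLinks` here, and `Options FollowSymLinks` in the second block, would keep the site working without listings. `AddHandler` matches an extension anywhere in a file name, so a file such as `notes.sh.txt` (constructed example) would also be run as CGI; a `FilesMatch "\.(sh|cgi)$"` section with `SetHandler cgi-script` is stricter. The container tags are not visible in this hunk, so which directory each block covers should be confirmed.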
diff --git a/conf.d/00-default.conf b/conf.d/00-default.conf
new file mode 100644
index 0000000..4cd2df5
--- /dev/null
+++ b/conf.d/00-default.conf
@@ -0,0 +1,20 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ return 404;
+
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ server_name _;
+
+ ssl_certificate /etc/nginx/certs/default.psi.ch.crt;
+ ssl_certificate_key /etc/nginx/private/default.psi.ch.key;
+
+ return 404;
+}
+
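Review bot: The catch-all on 443 still completes a TLS handshake with the `default.psi.ch` certificate before answering 404, so a client asking for an unknown name is shown that certificate. If the nginx image is 1.19.4 or newer, `ssl_reject_handshake on;` in this server block refuses the handshake instead and makes the `ssl_certificate` pair unnecessary. A one-line comment such as `# catch-all: requests for unknown host names get no site` above each block would tell the next editor why these servers exist.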
diff --git a/conf.d/fluid-eos-test.conf b/conf.d/fluid-eos-test.conf
new file mode 100644
index 0000000..e0e1a21
--- /dev/null
+++ b/conf.d/fluid-eos-test.conf
@@ -0,0 +1,37 @@
+# Churakov Sergey - ISPD migration
+server {
+ listen 80;
+ server_name fluid-eos-test.psi.ch;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name fluid-eos-test.psi.ch;
+
+ root /opt/webcontent/fluid-eos;
+ index index.html;
+
+ ssl_certificate /etc/nginx/certs/fluid-eos-test.psi.ch.crt;
+ ssl_certificate_key /etc/nginx/private/fluid-eos-test.psi.ch.key;
+
+ access_log /var/log/nginx/fluid-eos-test.access.log;
+ error_log /var/log/nginx/fluid-eos-test.error.log;
+
+ location / {
+ autoindex on;
+ autoindex_exact_size off;
+ autoindex_localtime on;
+
+ try_files $uri $uri/ =404;
+ }
+ location ^~ /EOS/ {
+ autoindex on;
+ autoindex_exact_size off;
+ autoindex_localtime on;
+
+ try_files $uri $uri/ =404;
+ }
+}
+
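Review bot: `autoindex on` in `location /` makes every directory under `/opt/webcontent/fluid-eos` browsable, and the `location ^~ /EOS/` block repeats the same four directives, so it currently adds nothing. If only `/EOS/` is meant to be a file listing, remove the three `autoindex*` lines from `location /`; if the whole tree is meant to be listed, drop the `/EOS/` block and say so in a comment. With listings on, anything copied into that host directory becomes discoverable, which is worth stating in the header comment.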
diff --git a/conf.d/gfa-status-test.conf b/conf.d/gfa-status-test.conf
index b7fec56..6c991a0 100644
--- a/conf.d/gfa-status-test.conf
+++ b/conf.d/gfa-status-test.conf
@@ -12,7 +12,7 @@ server {
ssl_certificate_key /etc/nginx/private/gfa-status-test.psi.ch.key;
location / {
- proxy_pass http://gfa-status-test:80;
+ proxy_pass http://apache_app:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/conf.d/opticswiki.conf b/conf.d/opticswiki.conf
new file mode 100644
index 0000000..0090bac
--- /dev/null
+++ b/conf.d/opticswiki.conf
@@ -0,0 +1,24 @@
+# opticswiki conf for nginx
+# cloned from gfa-status-test.conf
+
+server {
+ listen 80;
+ server_name opticswiki.psi.ch;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name opticswiki.psi.ch;
+
+ ssl_certificate /etc/nginx/certs/opticswiki.psi.ch.crt;
+ ssl_certificate_key /etc/nginx/private/opticswiki.psi.ch.key;
+
+ location / {
+ proxy_pass http://opticswiki:80;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/conf.d/panda-maintenance.conf b/conf.d/panda-maintenance.conf
new file mode 100644
index 0000000..f34d885
--- /dev/null
+++ b/conf.d/panda-maintenance.conf
@@ -0,0 +1,29 @@
+server {
+ listen 80;
+ server_name panda-maintenance.psi.ch;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name panda-maintenance.psi.ch;
+
+ ssl_certificate /etc/nginx/certs/panda-maintenance.psi.ch.crt;
+ ssl_certificate_key /etc/nginx/private/panda-maintenance.psi.ch.key;
+
+
+ rewrite ^/$ /cmdbuild/ permanent;
+ location / {
+ return 404;
+ }
+
+ location /cmdbuild {
+ proxy_pass http://panda-maintenance-app:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ # https://forum.cmdbuild.org/t/cmdbuild-behind-nginx-reverse-proxy/5070/3
+ add_header Content-Security-Policy upgrade-insecure-requests always;
+ }
+}
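Review bot: The `add_header Content-Security-Policy upgrade-insecure-requests always;` line inside `location /cmdbuild` switches off inheritance of the `add_header` lines set at `http` level in nginx.conf, because nginx inherits them only into a level that defines none of its own. Responses from `/cmdbuild` therefore lose `X-Content-Type-Options`, `Strict-Transport-Security` and `Referrer-Policy`. Repeat those headers in this location, or keep them in one snippet file that both places pull in with `include`. `location /cmdbuild` is a plain prefix match and also catches paths that merely start with that string; `location /cmdbuild/` is tighter and fits the existing `rewrite ^/$ /cmdbuild/ permanent;`.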
diff --git a/conf.d/woodpecker-test.conf b/conf.d/rfmwtools.conf
similarity index 55%
rename from conf.d/woodpecker-test.conf
rename to conf.d/rfmwtools.conf
index df81b84..5331c38 100644
--- a/conf.d/woodpecker-test.conf
+++ b/conf.d/rfmwtools.conf
@@ -1,18 +1,18 @@
server {
listen 80;
- server_name woodpecker-test.psi.ch;
+ server_name rfmwtools-test.psi.ch;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
- server_name woodpecker-test.psi.ch;
+ server_name rfmwtools-test.psi.ch;
- ssl_certificate /etc/nginx/certs/woodpecker-test.psi.ch.crt;
- ssl_certificate_key /etc/nginx/private/woodpecker-test.psi.ch.key;
+ ssl_certificate /etc/nginx/certs/rfmwtools-test.psi.ch.crt;
+ ssl_certificate_key /etc/nginx/private/rfmwtools-test.psi.ch.key;
location / {
- proxy_pass http://woodpecker_server:8000;
+ proxy_pass http://apache_app:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/conf.d/carculator.conf b/conf.d/swiss-ecargo.conf
similarity index 53%
rename from conf.d/carculator.conf
rename to conf.d/swiss-ecargo.conf
index 47cab13..00e3ef9 100644
--- a/conf.d/carculator.conf
+++ b/conf.d/swiss-ecargo.conf
@@ -1,18 +1,18 @@
server {
listen 80;
- server_name carculator-api-test.psi.ch;
+ server_name swiss-ecargo-api-test.psi.ch;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
- server_name carculator-api-test.psi.ch;
+ server_name swiss-ecargo-api-test.psi.ch;
- ssl_certificate /etc/nginx/certs/carculator-api-test.psi.ch.crt;
- ssl_certificate_key /etc/nginx/private/carculator-api-test.psi.ch.key;
+ ssl_certificate /etc/nginx/certs/swiss-ecargo-api-test.psi.ch.crt;
+ ssl_certificate_key /etc/nginx/private/swiss-ecargo-api-test.psi.ch.key;
location / {
- proxy_pass http://carculator:8000;
+ proxy_pass http://swiss-ecargo:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/docker-compose.yaml b/docker-compose.yaml
index f894c18..5b482d3 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -11,16 +11,33 @@ services:
- "80:80"
- "443:443"
volumes:
+ - /etc/letsencrypt/live:/etc/letsencrypt/live:ro
+ - /etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- /etc/pki/tls/certs:/etc/nginx/certs:ro
- /etc/pki/tls/private:/etc/nginx/private:ro
- /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- /etc/nginx/conf.d:/etc/nginx/conf.d:ro
- /opt/webcontent/sinqstatus-test:/opt/webcontent/sinqstatus-test:ro
+ - /opt/webcontent/fluid-eos:/opt/webcontent/fluid-eos:ro
- /opt/webcontent/it-strategy-dashboard/frontend/:/opt/webcontent/it-strategy-dashboard/:ro
networks:
- public
- backend
-
+
+ # rfwtools
+ # gfa-status-test
+ apache:
+ image: gitea.psi.ch/images/php-apache:latest
+ container_name: apache_app
+ restart: always
+ volumes:
+ - /opt/webcontent/rfmwtools:/var/www/rfmwtools:ro
+ - /opt/webcontent/gfa-status:/var/www/gfa-status:ro
+ - ./apache/conf/rfmwtools.conf:/etc/apache2/sites-enabled/rfmwtools.conf:ro
+ - ./apache/conf/gfa-status.conf:/etc/apache2/sites-enabled/gfa-status.conf:ro
+ networks:
+ - backend
+
# linux-eng@psi.ch
# Test app
excalidraw:
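Review bot: The new `apache` service uses `image: gitea.psi.ch/images/php-apache:latest`, while the other images visible in this diff are pinned to a version, so whatever is pushed under `latest` is what runs after the next pull and there is no record of which build served the two sites. Pin a version tag or digest, in the form `image: gitea.psi.ch/images/php-apache:<version>`. The two `/etc/letsencrypt` mounts hand the nginx container the private keys stored there, and no vhost in this diff references them, so a comment naming the sites that need them would help. The comment `# rfwtools` should read `# rfmwtools` to match the paths below it.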
@@ -36,19 +53,19 @@ services:
pif-elog:
image: gitea.psi.ch/images/elog:3.1.5
container_name: pif-elog
- restart: always
+ restart: always
volumes:
- /opt/logbooks/pif:/usr/local/elog/logbooks
- /opt/webcontent/pif/elog.cfg:/usr/local/elog/elogd.cfg
networks:
- - backend
+ - backend
# Krieger Jonas Andreas , Raselli Andrea-Raeto
# Elog as a Service PoC mit musr-elog.psi.ch? linux-eng@psi.ch
lmu-elog:
image: gitea.psi.ch/images/elog:3.1.5
container_name: lmu-elog
- restart: always
+ restart: always
volumes:
- /opt/logbooks/LMU:/usr/local/elog/logbooks
- /opt/webcontent/LMU/elog.cfg:/usr/local/elog/elogd.cfg
@@ -62,23 +79,23 @@ services:
image: gitea.psi.ch/images/mcda-calculator:1.0.3
container_name: mcda-calculator
restart: always
- networks:
+ networks:
- backend
# Romain Sacchi
- # Also installed on docker-dmz
- # PSI Service
- carculator:
- image: gitea.psi.ch/sacchi_r/carculator:0.1.0
- container_name: carculator
+ swiss-ecargo:
+ image: gitea.psi.ch/sacchi_r/swiss-ecargo:0.1.2
+ container_name: swiss-ecargo
restart: always
+ environment:
+ - HOSTED_API_KEY=${ecargo_api_key}
networks:
- backend
# Augustin Sven
# POC for SiwssFel
hedgedoc_app:
- image: quay.io/hedgedoc/hedgedoc:1.10.1
+ image: quay.io/hedgedoc/hedgedoc:1.10.3
container_name: hedgedoc
environment:
- CMD_DB_URL=postgres://${hedgedoc_user}:${hedgedoc_password}@hedgedoc_db:5432/hedgedoc
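Review bot: `HOSTED_API_KEY=${ecargo_api_key}` is substituted as an empty string when the variable is missing from the environment or `.env`, and Compose only prints a warning, so the API could start with an empty key. `- HOSTED_API_KEY=${ecargo_api_key:?ecargo_api_key is not set}` makes `docker compose up` fail instead; the same applies to `${PANDA_MAINTENANCE_DB_PW}` in the panda-maintenance hunk further down. The removed comments (`Also installed on docker-dmz`, `PSI Service`) were the only record of where else this service runs, so keep them if they still hold for swiss-ecargo.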
@@ -100,7 +117,7 @@ services:
- /opt/webcontent/sf-hedgedoc/uploads:/hedgedoc/public/uploads
restart: always
depends_on:
- - hedgedoc_db
+ - hedgedoc_db
networks:
- backend
- hedgedoc_backend
@@ -119,54 +136,23 @@ services:
networks:
- hedgedoc_backend
- # Andreas Luedeke
- # POC not running yet
- gfa-status-test:
- image: php:8.2-apache
- container_name: gfa-status-test
- volumes:
- - /opt/webcontent/gfa-status/web:/var/www/html
+ # Flechsig Uwe
+ # opticswiki (test setup)
+ # I assume gitea.psi.ch/images is the local image repository filled docker push
+ # /opt/webcontent/opticswiki must be filled once (before starting the container)
+ # gitea.psi.ch/optics/opticswiki/ => make initvolumes
+ opticswiki:
+ image: gitea.psi.ch/images/opticswiki:1
+ container_name: opticswiki
restart: always
+ volumes:
+ - /opt/webcontent/opticswiki/data:/usr/local/apache2/Foswiki-2.1.9/data
+ - /opt/webcontent/opticswiki/pub:/usr/local/apache2/Foswiki-2.1.9/pub
+ - /opt/webcontent/opticswiki/working:/usr/local/apache2/Foswiki-2.1.9/working
+ - /opt/webcontent/opticswiki/lib:/usr/local/apache2/Foswiki-2.1.9/lib
networks:
- backend
-
- # Sven Augustin -Hax0rL0rd
- # CI/CD Aaddition to Gitea (Jenkins for poor people)
- woodpecker-server:
- image: woodpeckerci/woodpecker-server:next
- container_name: woodpecker_server
- ports:
- - 8000:8000
- volumes:
- - /opt/webcontent/woodpecker/server:/var/lib/woodpecker/
- environment:
- - WOODPECKER_OPEN=true
- - WOODPECKER_HOST=https://woodpecker-test.psi.ch
- - WOODPECKER_AGENT_SECRET={{ WOODPECKER_AGENT_SECRET }}
- - WOODPECKER_GITEA=true
- - WOODPECKER_GITEA_URL=https://gitea-test.psi.ch
- - WOODPECKER_GITEA_CLIENT={{ WOODPECKER_GITEA_CLIENT }}
- - WOODPECKER_GITEA_SECRET={{ WOODPECKER_GITEA_SECRET }}
- networks:
- - backend
- - woodpecker_backend
-
- woodpecker-agent:
- image: woodpeckerci/woodpecker-agent:next
- container_name: woodpecker_agent
- command: agent
- restart: always
- depends_on:
- - woodpecker-server
- volumes:
- - /opt/webcontent/woodpecker/agent/woodpecker:/etc/woodpecker
- - /var/run/docker.sock:/var/run/docker.sock
- environment:
- - WOODPECKER_SERVER=woodpecker-server:9000
- - WOODPECKER_AGENT_SECRET={{ WOODPECKER_AGENT_SECRET }}
- networks:
- - woodpecker_backend
-
+
# Angelo Sozzi INC0150655 angelo.sozzi@psi.ch
# POC Software - might be installed on docker-dmz
n8n:
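Review bot: All four opticswiki volumes are mounted read-write, including `.../Foswiki-2.1.9/lib`, which by its name holds the wiki's code rather than its content; a writable code directory lets a flaw in the web application change what runs on later requests. If Foswiki does not need to write there in normal operation, mount it as `- /opt/webcontent/opticswiki/lib:/usr/local/apache2/Foswiki-2.1.9/lib:ro`. The tag `opticswiki:1` reads like a moving tag, so a full version would make redeploys repeatable. The header comment `I assume gitea.psi.ch/images is the local image repository filled docker push` states a guess and should be confirmed, then reworded as a fact or removed.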
@@ -202,7 +188,7 @@ services:
- it_strategy_dashboard_backend
it-strategy-dashboard-backend:
- image: gitea.psi.ch/9501/it-strategy-dashboard-backend:2.0
+ image: gitea.psi.ch/9501/it-strategy-dashboard-backend:2.0.1
container_name: it-strategy-dashboard-backend
restart: always
environment:
@@ -242,10 +228,63 @@ services:
timeout: 5s
retries: 5
+# Christoph Hug , Simon Suter
+# Panda-Maintenance (OpenMaint)
+ panda-maintenance-db:
+ image: postgis/postgis:17-3.5-alpine
+ container_name: panda-maintenance-db
+ volumes:
+ - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw
+ environment:
+ - POSTGRES_USER=postgres
+ - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW}
+ restart: always
+ mem_limit: 4000m
+ mem_reservation: 2000m
+ healthcheck:
+ test: [ "CMD-SHELL", "pg_isready -U postgres" ]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 80s
+ networks:
+ - panda_maintenance_backend
+ panda-maintenance-app:
+ image: itmicus/cmdbuild:om-2.4-4.1.0
+ container_name: panda-maintenance-app
+ links:
+ - panda-maintenance-db
+ depends_on:
+ panda-maintenance-db:
+ condition: service_healthy
+ restart: always
+ volumes:
+ - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro
+ environment:
+ - POSTGRES_USER=postgres
+ - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW}
+ - POSTGRES_PORT=5432
+ - POSTGRES_HOST=panda-maintenance-db
+ - POSTGRES_DB=openmaint
+ - CMDBUILD_DUMP=empty.dump.xz
+ - JAVA_OPTS=-Xmx6000m -Xms3000m
+ mem_limit: 6000m
+ mem_reservation: 3500m
+ healthcheck:
+ test: [ "CMD", "curl", "-f", "-L", "http://localhost:8080/cmdbuild/ui" ]
+ interval: 30s
+ timeout: 10s
+ retries: 5
+ start_period: 120s
+ networks:
+ - backend
+ - panda_maintenance_backend
+
+
networks:
public:
backend:
hedgedoc_backend:
- woodpecker_backend:
it_strategy_dashboard_backend:
+ panda_maintenance_backend:
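Review bot: `JAVA_OPTS=-Xmx6000m` lets the heap alone grow to the container's `mem_limit: 6000m`, so the JVM's non-heap memory can push the process over the limit and get it killed before the heap is full. Either lower the heap, e.g. `- JAVA_OPTS=-Xmx4500m -Xms3000m`, or raise `mem_limit`. The application also connects as the `postgres` superuser; if the cmdbuild image does not need superuser rights after the first start, a dedicated role owning only `openmaint` limits what a compromised app can do in the database. `links:` is a legacy option and looks redundant here, since both services already share `panda_maintenance_backend`.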
diff --git a/nginx.conf b/nginx.conf
index 022ad56..6516663 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -12,7 +12,6 @@ http {
default_type application/octet-stream;
add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # HSTS
add_header Referrer-Policy no-referrer-when-downgrade; # Referrer policy
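Review bot: Dropping `add_header X-Frame-Options DENY;` at `http` level removes framing protection from every vhost behind this proxy, not only the one that presumably needs to be embedded. `add_header X-Frame-Options SAMEORIGIN;` here, or `add_header Content-Security-Policy "frame-ancestors 'self'";`, keeps the other sites covered. The site that must be framed can then be relaxed in its own `server` block, bearing in mind that a block with its own `add_header` has to repeat the inherited ones. The `http` block continues outside this hunk.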