init

docker-compose.yml

@@ -0,0 +1,145 @@
+version: '3.8'
+
+x-app-common: &odc_app
+  build: .
+  environment:
+    APACHE_DOCUMENT_ROOT: "public/"
+    PHP_EXTENSION_XDEBUG: "1"
+    PHP_INI_MEMORY_LIMIT: "1G"
+    PHP_EXTENSION_LDAP: 1
+    PHP_EXTENSION_INTL: 1
+    MAILER_DSN: ${MAILER_DSN}
+
+
+services:
+  traefik-odc:
+    image: "traefik:v2.5"
+
+    command:
+      #- "--log.level=DEBUG"
+      - "--api.insecure=false"
+      - "--providers.docker=true"
+      #- "--api.dashboard=true"
+
+      - "--providers.docker.exposedbydefault=false"
+
+      - "--entrypoints.unsecure.address=:80"
+      - "--entrypoints.web.address=:443"
+      # Global HTTP -> HTTPS
+      - "--entrypoints.unsecure.http.redirections.entryPoint.to=web"
+      - "--entrypoints.unsecure.http.redirections.entryPoint.scheme=https"
+      # SSL configuration
+      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
+      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=unsecure"
+      - "--certificatesresolvers.letsencrypt.acme.email=${registerEmailAdress}"
+      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
+
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=unsecure"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+      - "traefik.http.routers.traefik-odc.rule=Host(`traefik.${PUBLIC_URL}`)"
+      - "traefik.http.routers.traefik-odc.entrypoints=web"
+      - "traefik.http.routers.traefik-odc.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik-odc.service=api@internal"
+      - "traefik.http.routers.traefik-odc.middlewares=traefik-auth"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/" # test:test
+
+
+
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      -  ./data/letsencrypt:/letsencrypt
+      - ./tools/traefik/config.yml:/etc/traefik/dynamic_conf/conf.yml:ro
+
+  #Here is the ODC app
+  app-odc:
+    image: git.h2-invent.com/datenschutzcenter/application:3.0.4
+    depends_on:
+      db-odc:
+        condition: service_healthy
+    restart: unless-stopped
+
+    environment:
+      DATABASE_URL: mysql://odc:${ODC_DB_PW}@${RANDOMTAG}db-odc:3306/odc
+      OAUTH_KEYCLOAK_CLIENT_ID: opendatenschutzcenter
+      OAUTH_KEYCLOAK_CLIENT_SECRET: ${OAUTH_KEYCLOAK_CLIENT_SECRET}
+      OAUTH_KEYCLOAK_SERVER: ${HTTP_METHOD}://${PUBLIC_URL}/keycloak
+      OAUTH_KEYCLOAK_REALM: opendatenschutzcenter
+      MAILER_DSN: ${MAILER_DSN}
+      laF_version: ${GIT_VERSION}
+      registerEmailAdress: ${registerEmailAdress}
+      DEFAULT_EMAIL: ${registerEmailAdress}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.app-odc.tls=true"
+      - "traefik.http.routers.app-odc.rule=Host(`${PUBLIC_URL}`)"
+      - "traefik.http.routers.app-odc.entrypoints=web"
+      - "traefik.http.services.app-odc.loadbalancer.server.port=8080"
+      - "traefik.http.routers.app-odc.tls.certresolver=letsencrypt"
+      - "traefik.http.services.app-odc.loadbalancer.sticky=true"
+      - "traefik.http.services.app-odc.loadbalancer.sticky.cookie.name=odc"
+      - "traefik.http.services.app-odc.loadbalancer.sticky.cookie.secure=true"
+    volumes:
+      - datenschutzcenter_uploads:/var/www/html/public/uploads:rw
+      - datenschutzcenter_secret_storage:/var/www/html/secretStorage:rw
+      - datenschutzcenter_data:/var/www/html/data:rw
+
+  db-odc:
+    image: mariadb:latest
+    hostname: ${RANDOMTAG}db-odc
+    healthcheck:
+      test: [ "CMD", "mariadb-admin" ,"ping", "-h", "localhost","-ptest" ]
+      timeout: 20s
+      retries: 10
+    restart: unless-stopped
+    environment:
+      MARIADB_ROOT_PASSWORD: test
+    volumes:
+      - mariadb:/var/lib/mysql
+      - ./mysql-initdb:/docker-entrypoint-initdb.d
+
+  keycloak-odc:
+    image: quay.io/keycloak/keycloak:22.0.3
+    depends_on:
+      app-odc:
+        condition: service_healthy
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PW}
+      KC_DB: mariadb
+      KC_DB_PASSWORD: ${KEYCLOAK_PW}
+      KC_DB_URL: jdbc:mariadb://${RANDOMTAG}db-odc:3306/keycloak
+      KC_DB_USERNAME: keycloak
+      KC_HOSTNAME_URL: ${HTTP_METHOD}://${PUBLIC_URL}/keycloak
+      KC_HOSTNAME_PATH: ${HTTP_METHOD}://${PUBLIC_URL}/keycloak
+      KC_HOSTNAME_ADMIN_URL: ${HTTP_METHOD}://${PUBLIC_URL}/keycloak
+      KC_HTTP_RELATIVE_PATH: /keycloak
+      KC_PROXY: passthrough
+
+    command:
+      - start-dev
+      - --import-realm
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.keycloak-odc.tls=true"
+      - "traefik.http.routers.keycloak-odc.rule=Host(`${PUBLIC_URL}`) && PathPrefix(`/keycloak`)"
+      - "traefik.http.routers.keycloak-odc.entrypoints=web"
+      - "traefik.http.services.keycloak-odc.loadbalancer.server.port=8080"
+      - "traefik.http.routers.keycloak-odc.tls.certresolver=letsencrypt"
+
+    volumes:
+      - ./keycloak/:/opt/keycloak/data/import
+
+
+volumes:
+  mariadb:
+  datenschutzcenter_uploads:
+  datenschutzcenter_data:
+  datenschutzcenter_secret_storage:

mysql-initdb/init-userdb.sql

@@ -0,0 +1,7 @@
+CREATE USER 'odc'@'%' IDENTIFIED BY '<open-datenschutzcenter-pw>';
+CREATE DATABASE odc;
+GRANT ALL PRIVILEGES ON odc.* TO 'odc'@'%';
+CREATE USER 'keycloak'@'%' IDENTIFIED BY '<keycloak-pw>';
+CREATE DATABASE keycloak;
+GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak'@'%';
+FLUSH PRIVILEGES;

setup.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+echo Welcome to the Docker Installer:
+
+FILE=env.local
+if [ -f "$FILE" ]; then
+    source $FILE
+else
+    touch $FILE
+    KEYCLOAK_PW=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+    ODC_DB_PW=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+    KEYCLOAK_ADMIN_PW=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+    NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+    echo "KEYCLOAK_PW=$KEYCLOAK_PW" >> $FILE
+    echo "KEYCLOAK_ADMIN_PW=$KEYCLOAK_ADMIN_PW" >> $FILE
+    echo "NEW_UUID=$NEW_UUID" >> $FILE
+    echo "ODC_DB_PW=$ODC_DB_PW" >> $FILE
+    source $FILE
+fi
+  ENVIRONMENT=${ENVIRONMENT:=prod}
+  read -p "Enter the environment dev/prod[$ENVIRONMENT]: " input
+  ENVIRONMENT=${input:=$ENVIRONMENT}
+  sed -i '/APP_ENV/d' $FILE
+  echo "APP_ENV=$ENVIRONMENT" >> $FILE
+
+  HTTP_METHOD=${HTTP_METHOD:=https}
+  read -p "Enter http/https for testing on local environment ALWAYS use http [$HTTP_METHOD]: " input
+  HTTP_METHOD=${input:=$HTTP_METHOD}
+  sed -i '/HTTP_METHOD/d' $FILE
+  echo "HTTP_METHOD=$HTTP_METHOD" >> $FILE
+
+  PUBLIC_URL=${PUBLIC_URL:=dev.domain.de}
+  read -p "Enter the url you want to enter the open-datenschutzcenter without http://, https:// or ports [$PUBLIC_URL]: " input
+  PUBLIC_URL=${input:=$PUBLIC_URL}
+  sed -i '/PUBLIC_URL/d' $FILE
+  echo "PUBLIC_URL=$PUBLIC_URL" >> $FILE
+
+
+echo ------------------------------------------------------------
+echo ----------------- Build the Keycloak -----------------------
+echo ------------------------------------------------------------
+
+sed -i "s|<clientsecret>|$NEW_UUID|g" keycloak/realm-export.json
+sed -i "s|<clientUrl>|$HTTP_METHOD://$PUBLIC_URL|g" keycloak/realm-export.json
+
+echo ------------------------------------------------------------
+echo ----------------- Build Mysql Init DB ----------------------
+echo ------------------------------------------------------------
+
+sed -i "s|<open-datenschutzcenter-pw>|$ODC_DB_PW|g" mysql-initdb/init-userdb.sql
+sed -i "s|<keycloak-pw>|$KEYCLOAK_PW|g" mysql-initdb/init-userdb.sql