120 lines
5.2 KiB
YAML
120 lines
5.2 KiB
YAML
---
|
|
services:
|
|
# КуСфера instance configured for multi-tenancy using keycloak as identity provider
|
|
# The graph service is setup to consume users via the CS3 API.
|
|
qsfera:
|
|
image: ${OC_DOCKER_IMAGE:-qsfera/qsfera-rolling}:${OC_DOCKER_TAG:-latest}
|
|
# changelog: https://github.com/qsfera/server/tree/main/changelog
|
|
# release notes: https://docs.qsfera.eu/qsfera_release_notes.html
|
|
networks:
|
|
qsfera-net:
|
|
entrypoint:
|
|
- /bin/sh
|
|
# run qsfera init to initialize a configuration file with random secrets
|
|
# it will fail on subsequent runs, because the config file already exists
|
|
# therefore we ignore the error and then start the qsfera server
|
|
command: ["-c", "qsfera init || true; qsfera server"]
|
|
environment:
|
|
OC_MULTI_TENANT_ENABLED: "true"
|
|
# enable services that are not started automatically
|
|
OC_URL: https://${OC_DOMAIN:-cloud.qsfera.test}
|
|
OC_LOG_LEVEL: ${LOG_LEVEL:-info}
|
|
OC_LOG_COLOR: "${LOG_PRETTY:-false}"
|
|
OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
|
|
OC_EXCLUDE_RUN_SERVICES: idm,idp
|
|
PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
|
|
OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.qsfera.test}/realms/qsfera
|
|
PROXY_OIDC_REWRITE_WELLKNOWN: "true"
|
|
WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
|
|
PROXY_USER_OIDC_CLAIM: "uuid"
|
|
PROXY_USER_CS3_CLAIM: "userid"
|
|
WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.qsfera.test}/realms/qsfera/account"
|
|
# admin and demo accounts must be created in Keycloak
|
|
OC_ADMIN_USER_ID: ""
|
|
SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
|
|
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
|
|
GRAPH_USERNAME_MATCH: "none"
|
|
GROUPS_DRIVER: "null"
|
|
# This is needed to set the correct CSP rules for КуСфера
|
|
IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.qsfera.test}
|
|
# do not use SSL between the reverse proxy and КуСфера
|
|
PROXY_TLS: "false"
|
|
# INSECURE: needed if КуСфера / reverse proxy is using self generated certificates
|
|
OC_INSECURE: "${INSECURE:-false}"
|
|
# basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
|
|
PROXY_ENABLE_BASIC_AUTH: "false"
|
|
GRAPH_IDENTITY_BACKEND: "cs3"
|
|
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/qsfera/csp.yaml
|
|
OC_LDAP_URI: ldaps://ldap-server:1636
|
|
OC_LDAP_INSECURE: "true"
|
|
OC_LDAP_BIND_DN: "cn=admin,dc=qsfera,dc=eu"
|
|
OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
|
|
OC_LDAP_USER_BASE_DN: "ou=users,dc=qsfera,dc=eu"
|
|
OC_LDAP_USER_SCHEMA_TENANT_ID: "qsferaMemberOfSchool"
|
|
PROXY_LOG_LEVEL: "debug"
|
|
volumes:
|
|
- ./config/qsfera/csp.yaml:/etc/qsfera/csp.yaml
|
|
# configure the .env file to use own paths instead of docker internal volumes
|
|
- ${OC_CONFIG_DIR:-qsfera-config}:/etc/qsfera
|
|
- ${OC_DATA_DIR:-qsfera-data}:/var/lib/qsfera
|
|
logging:
|
|
driver: ${LOG_DRIVER:-local}
|
|
restart: always
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.qsfera.entrypoints=https"
|
|
- "traefik.http.routers.qsfera.rule=Host(`${OC_DOMAIN:-cloud.qsfera.test}`)"
|
|
- "traefik.http.routers.qsfera.service=qsfera"
|
|
- "traefik.http.services.qsfera.loadbalancer.server.port=9200"
|
|
- "traefik.http.routers.qsfera.${TRAEFIK_SERVICES_TLS_CONFIG}"
|
|
# Stand-alone instance of the 'graph' service to serve the provisioning API
|
|
provsioning:
|
|
image: ${OC_DOCKER_IMAGE:-qsfera/qsfera-rolling}:${OC_DOCKER_TAG:-latest}
|
|
networks:
|
|
qsfera-net:
|
|
entrypoint:
|
|
- /bin/sh
|
|
# run qsfera init to initialize a configuration file with random secrets
|
|
# it will fail on subsequent runs, because the config file already exists
|
|
# therefore we ignore the error and then start the qsfera server
|
|
command: ["-c", "qsfera init || true; qsfera graph server"]
|
|
environment:
|
|
OC_LOG_LEVEL: "debug"
|
|
OC_LOG_COLOR: "${LOG_PRETTY:-false}"
|
|
OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
|
|
# This just runs the standalone graph service we don't need access to the registry
|
|
MICRO_REGISTRY: "memory"
|
|
# INSECURE: needed if КуСфера / reverse proxy is using self generated certificates
|
|
OC_INSECURE: "${INSECURE:-false}"
|
|
GRAPH_HTTP_ADDR: "0.0.0.0:9120"
|
|
GRAPH_HTTP_API_TOKEN: "${PROVISIONING_API_TOKEN:-changeme}"
|
|
# disable listening for events
|
|
GRAPH_EVENTS_ENDPOINT: ""
|
|
GRAPH_STORE_NODES: ""
|
|
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
|
|
GRAPH_USERNAME_MATCH: "none"
|
|
GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED: "true"
|
|
GRAPH_LDAP_SCHOOL_BASE_DN: "ou=tenants,dc=qsfera,dc=eu"
|
|
OC_LDAP_URI: ldaps://ldap-server:1636
|
|
OC_LDAP_INSECURE: "true"
|
|
OC_LDAP_BIND_DN: "cn=admin,dc=qsfera,dc=eu"
|
|
OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
|
|
OC_LDAP_USER_BASE_DN: "ou=users,dc=qsfera,dc=eu"
|
|
OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
|
|
volumes:
|
|
# configure the .env file to use own paths instead of docker internal volumes
|
|
- ${PROVISIONING_CONFIG_DIR:-provisioning-config}:/etc/qsfera
|
|
logging:
|
|
driver: ${LOG_DRIVER:-local}
|
|
restart: always
|
|
ports:
|
|
- "9120:9120"
|
|
|
|
volumes:
|
|
qsfera-config:
|
|
qsfera-data:
|
|
provisioning-config:
|
|
|
|
networks:
|
|
qsfera-net:
|