This repository has been archived by the owner on Mar 25, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
docker-compose.yml
75 lines (74 loc) · 3.55 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
version: "3"
volumes:
onto:
driver: local
pgdata:
driver: local
services:
db:
image: postgres-ontoserver
container_name: ontoserver-db
build:
context: ./postgres
volumes:
- pgdata:/var/lib/postgresql/data
environment:
- POSTGRES_HOST_AUTH_METHOD=trust
ontoserver:
image: aehrc/ontoserver:latest
container_name: ontoserver-onto
depends_on:
- db
environment:
# TLS is handled by nginx
- ONTOSERVER_INSECURE=true
# what is the FHIR base url of your Ontoserver? Used to generate links and is featured in the conformance statement
- conformance.fhir.base=https://athena.local/fhir # <== CHANGE THIS SETTING
# enables the OAuth sub-system, required
- ontoserver.security.enabled=true
# is read-only access to FHIR allowed? if false, only /fhir/metadata is allowed without authentication
- ontoserver.security.readOnly.fhir=false # change?
- ontoserver.security.readOnly.api=false # change?
- ontoserver.security.readOnly.synd=false # change?
# can also be Basic, but the documentation does not state how Basic credentials are verified
- conformance.security.kinds=SMART-on-FHIR
# this is the text that displays in the conformance statement
- conformance.security.description=This server uses OpenID Connect to
authorize requests. Read-Only FHIR requests are NOT allowed.
# this is featured in the machine-readable ConformanceStatement and should point to the "authorize" url of your keycloak installation
- conformance.security.authorize=https://athena.local/auth/realms/ontoserver/protocol/openid-connect/auth #<== CHANGE THIS SETTING
# dito, point to your token endpoit
- conformance.security.token=https://athena.local/auth/realms/ontoserver/protocol/openid-connect/token # <== CHANGE THIS SETTING
# keycloak does not really support symmetric signing keys for JWTs using HS256 (rather, the key can not be extracted),
# so that RS256 asymmetric crypto is used for key signing. The public key for RS256 can be obtained in the 'Realm Settings'
# section for the chosen Realm, and then go to "Keys" and copy the Public Key via the button in the RS256 row.
# Replace the public key in the line below, keeping the markers intact (with 5 leading and trailing dashes!).
- ontoserver.security.token.secret=-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApeS3BVDSzwmrKZqcQoTR8bZoaTcyFovmgDsRYclvbnJ10Jw7gM6epUenDyXuW3x0EZjkvA12SsvcPp1mLnY1qaLMb/4gLAWUgbjUif9wcWzQHe4SqzWMKHZAalszGkB9x045kYdFfLdVMAh1UQsB9CZFUEeKtR4GD85bllZQAG/NsDlCjNH119RS+qQUwB2eQiVcVDgkVCovbzB8olbdFw11s8/I1r/ZGGvEhxthHfqvX1o7JbXfqHu7lgQu+FE9f820ySXBQwJOnDR4MOsGJl2eT8t2cH4aqUxH/qO/a9oMl/3eu0ezkUq+L5cgYRJ4frvDlVoIZ4284aJSAPwdpwIDAQAB
-----END PUBLIC KEY----- # CHANGE THIS SETTING
- JAVA_OPTS=-Xmx4G # 2G mimimum, 8G optimum
keycloak:
image: ontoserver-keycloak
container_name: ontoserver-keycloak
build:
context: ./keycloak
depends_on:
- db
environment:
- KEYCLOAK_USER_FILE=/opt/secrets/username.secret #<== CREATE THIS FILE
- KEYCLOAK_PASSWORD_FILE=/opt/secrets/password.secret #<== CREATE THIS FILE
- DB_VENDOR=postgres
- DB_ADDR=db
- DB_DATABASE=keycloak
- PROXY_ADDRESS_FORWARDING=true # essential for operating behind proxy!
nginx:
image: ontoserver-nginx
container_name: ontoserver-nginx
build:
context: ./nginx
ports:
- "80:80"
- "443:443"
depends_on:
- ontoserver
- keycloak