Add TLS example config

config/TLS-example/README.md

@@ -0,0 +1,116 @@
+# TLS example
+
+This folder contains example files that can be used as a base when deploying a more `production like` setup.
+
+**Note** this is not usable as is, manual intervention is required.
+
+## Configuration example
+
+### config.yaml file
+
+In the `config.yaml` the following entries must be set:
+
+```yaml
+archive:
+    s3url:
+    accesskey:
+    secretkey:
+
+inbox:
+    s3url:
+    accesskey:
+    secretkey:
+
+c4gh:
+    passphrase:
+
+elixir:
+    id:
+    secret:
+    redirectUrl:
+
+session:
+    domain:
+
+s3inbox:
+```
+
+The `config.yaml` contains comments to help setting the correct value
+
+### env file
+
+The following entries in the env file needs to be set:
+
+- `C4GH_KEYPATH`: path to the crypt4gh private key.
+- `rabbitmq_MQ_PASSWORD`: admin password to the RabbitMQ server
+- `rabbitmq_MQ_USER`: username for the RabbitMQ admin
+- `postgres_POSTGRES_PASSWORD`: password for the `postgres` user
+
+After which the file needs to be renamed with a dot prefix (`.env`)
+
+#### service credentials
+
+These credentials can be created manually in Postgres/RabbitMQ, or with the use of the `make_credentials` script once the RabbitMQ and Postgres containers are running. The usernames should be the same as the `container_name` in the docker-compose file
+
+##### RabbitMQ
+
+- finalize_BROKER_PASSWORD
+- ingest_BROKER_PASSWORD
+- mapper_BROKER_PASSWORD
+- verify_BROKER_PASSWORD
+- inbox_BROKER_PASSWORD
+
+##### Postgres
+
+- download_DB_PASSWORD
+- finalize_DB_PASSWORD
+- ingest_DB_PASSWORD
+- mapper_DB_PASSWORD
+- verify_DB_PASSWORD
+- inbox_DB_PASSWORD
+
+### iss.json file
+
+In the `iss.json` file a block for the publicly available endpoint for REMS should to be added.
+
+### certificates
+
+All containers except `auth` needs certificates with DNS entries matching the `container_name` in the docker-compose file.  
+These certificate files should adhere to the [cert-manager](https://cert-manager.io/) naming convention (tls.crt, tls.key, ca.crt).
+
+The following containers also needs external certificates generated by a public CA like [Let's Encrypt](https://letsencrypt.org/):
+
+- Auth
+- Download
+- S3inbox
+
+These certificate files should adhere to Let's Encrypts naming schema (fullchain.pem, privkey.pem).
+
+All certificates for a service should be placed in a folder with the same name as the `container_name` and be placed next to the docker-compose file.  
+Permissions for the private key needs to be set at `0400` and the owner set as shown below:
+
+- rabbitmq - `100:101`
+- postgres - `70:70`
+- all others - `65534:65534`
+
+If automatic certificate rotation is done through cron it is easier to set the owner to root and group based on the service with the permissions to `0640` for all files in each folder.
+
+- rabbitmq - `0:101`
+- postgres - `0:70`
+- all others - `0:65534`
+
+## Bootstrapping
+
+First The RabbitMQ and Postgres servers needs to be started.
+
+```cmd
+docker compose up -d postgres rabbitmq
+```
+
+When they are running with status `healthy` credentials for the services can be created, either manually or by executing the `make_credentials` script.
+
+Once the credentials have been created the rest of the services can be started.
+
+```cmd
+docker compose up -d
+```

config/TLS-example/config.yaml

@@ -0,0 +1,105 @@
+app: # this is for download
+  host: "0.0.0.0"
+  port: "8443"
+  servercert: "/certificates/fullchain.pem"
+  serverkey: "/certificates/privkey.pem"
+
+archive:
+  type: "s3"
+  url: ""
+#  port: only needed if port is not 80 or 443
+  accesskey: ""
+  secretkey: ""
+  bucket: "archive"
+  chunksize: 32
+
+broker:
+  host: "rabbitmq"
+  port: 5671 # This is the default SSL port
+  # user: "" # dont set, this should be unique for each service
+  # password: "" # dont set, this should be unique for each service
+  vhost: "sda"
+  # queue: "" # dont set, this is unique for each service
+  exchange: "sda"
+  # routingKey: "" # dont set, this is unique for each service
+  routingError: "error"
+  ssl: "true"
+  cacert: /certificates/ca.crt # if certificates are signed by an private PKI
+  # verifyPeer: "false" 
+# If verifyPeer is true clientKey and clientCert needs to be set
+  # clientCert: /certificates/tls.crt
+  # clientKey: /certificates/tls.key
+
+c4gh:
+  passphrase: ""
+  filepath: "/c4gh/gdi.sec.pem"
+
+db:
+  host: "postgres"
+  port: 5432
+  # user: "" # dont set, this should be unique for each service
+  # password: "" # dont set, this should be unique for each service
+  database: "sda"
+  sslmode: "verify-ca"
+  cacert: /certificates/ca.crt # if certificates are signed by an private PKI
+  clientCert: /certificates/tls.crt
+  clientKey: /certificates/tls.key
+
+
+elixir: # used by the auth service
+  id: "" # LS AAI client ID
+  secret: "" # LS AAI client secret
+  provider: "https://login.elixir-czech.org/oidc/"
+  jwkpath: "jwks"
+  redirectUrl: "" # public url to the auth endpoint
+
+inbox:
+  type: "s3"
+  url: ""
+#  port: only needed if port is not 80 or 443
+  accesskey: ""
+  secretkey: ""
+  bucket: "inbox"
+  chunksize: 32
+
+log:
+  level: "info"
+  format: "json"
+
+oidc:
+  configuration:
+    url: "https://login.elixir-czech.org/oidc/.well-known/openid-configuration"
+  trusted:
+    iss: "/iss.json"
+
+schema:
+  type: isolated
+
+server:
+  jwtpubkeyurl: "https://login.elixir-czech.org/oidc/jwks"
+  cert: "/certificates/fullchain.pem"
+  key: "/certificates/privkey.pem"
+
+session:
+  # session key expiration time in seconds
+  # default value = -1 for disabled state
+  # a positive integer enables sessions
+  # a negative integer disables sessions
+  expiration: 28800
+  # domain name must be set to the hostname (FQDN) of the service
+  domain: ""
+  # session cookie Secure value, if true, TLS must be active
+  # default value = true
+  secure: true
+  # session cookie HttpOnly value, if true, TLS must be active
+  # default value = true
+  httponly: true
+  # name of session cookie
+  # default value = sda_session_key
+  name: "sda_session_key"
+
+# these are used by the auth container
+s3inbox: "" # public URL to the s3inbox
+resignjwt: "false"
+infoText: "About GDI"
+infoUrl: "https://gdi.onemilliongenomes.eu/" # or this can be a national site where information about the available datasets can be found.