
Allow JAVA_OPTS to be Specified #23



@DiCanio DiCanio commented May 27, 2022

Allows Java options to be specified via environment variables.

For example using a custom trust store can be achieved by specifying the following options:
-Djavax.net.ssl.trustStore=<path-to-trust-store> -Djavax.net.ssl.trustStorePassword=<trust-store-pw>

Allows to specify java options via environment variables.

DiCanio commented May 27, 2022

Example setup for running FLARE in conjunction with a FHIR server behind a reverse proxy using a self signed certificate:

nginx.conf:


user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    ssl_certificate /run/secrets/cert.pem;
    ssl_certificate_key /run/secrets/key.pem;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name fhir-server;

        location /fhir {
            proxy_pass http://fhir-server-backend:8080;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
		    proxy_read_timeout 43200s;
        }
    }
}

docker-compose.yml

version: "3.7"

services:
  fhir-server:
    restart: on-failure
    image: nginx:1.21
    ports:
      - "10443:443"
    secrets:
      - cert.pem
      - key.pem
    volumes:
      - type: bind
        source: ./nginx.conf
        target: /etc/nginx/nginx.conf
        read_only: true
    environment:
      TZ: Europe/Berlin

  fhir-server-backend:
    image: "ghcr.io/num-codex/blaze:0.14"
    environment:
      BASE_URL: "http://fhir-server:8080"
      JAVA_TOOL_OPTIONS: "-Xmx4g"
      LOG_LEVEL: debug
    ports:
      - ${PORT_BLAZE_FHIR:-127.0.0.1:8082}:8080
    volumes:
      - "blaze-data:/app/data"
    depends_on:
      - fhir-server

  flare:
    build:
      dockerfile: server/Dockerfile
      context: .
    ports:
      - "8081:8080"
    environment:
      MAPPINGS_FILE: ${FLARE_ONTOLOGY_FILES_FOLDER:-/opt/flare/ontology}/codex-term-code-mapping.json
      CONCEPT_TREE_FILE: ${FLARE_ONTOLOGY_FILES_FOLDER:-/opt/flare/ontology}/codex-code-tree.json
      FLARE_FHIR_SERVER_URL: https://fhir-server/fhir/
      JAVA_OPTS: "-Djavax.net.ssl.trustStore=/opt/flare/certs/truststore -Djavax.net.ssl.trustStorePassword=changeit"
    volumes:
      - ${FLARE_LOCAL_CONCEPT_TREE_PATH:-./ontology/codex-code-tree.json}:${FLARE_ONTOLOGY_FILES_FOLDER:-/opt/flare/ontology}/codex-code-tree.json
      - ${FLARE_LOCAL_TERM_CODE_MAPPING_PATH:-./ontology/codex-term-code-mapping.json}:${FLARE_ONTOLOGY_FILES_FOLDER:-/opt/flare/ontology}/codex-term-code-mapping.json
      - ./truststore:/opt/flare/certs/truststore
    depends_on:
      - fhir-server-backend

volumes:
  blaze-data:

secrets:
  cert.pem:
    file: ./cert.pem
  key.pem:
    file: ./key.pem

The trust store itself is a PKCS12 file created with Java's keytool. Note that the self-signed certificate's CN must be fhir-server for this setup to work.
