-
Notifications
You must be signed in to change notification settings - Fork 4
/
docker-compose.yaml
278 lines (251 loc) · 11.6 KB
/
docker-compose.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
---
version: "3.7"
services:
confidentialbackend:
# TODO replace with confidential-client fork when need arises
image: ghcr.io/uwcirg/helloworld-confidential-client-sof:${CONFIDENTIALBACKEND_IMAGE_TAG:-latest}
env_file:
confidentialbackend.env
environment:
REQUEST_CACHE_URL: redis://redis:6379/1
SESSION_REDIS: redis://redis:6379/0
# client ID regisered with SoF host (Keycloak)
SOF_CLIENT_ID: confidentialbackend_openid_client
PREFERRED_URL_SCHEME: https
# ultimate destination after SoF launch and backend auth
LAUNCH_DEST: 'https://screener.${BASE_DOMAIN:-localtest.me}/launch.html'
# do not pass launch/patient as Epic will infer standalone launch
SOF_CLIENT_SCOPES: "patient/*.read launch openid profile roles"
SOF_ACCESS_TOKEN_URL: 'https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR/protocol/openid-connect/token'
SOF_AUTHORIZE_URL: 'https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR/protocol/openid-connect/auth'
LOGSERVER_URL: "https://logs.${BASE_DOMAIN:-localtest.me}"
labels:
- "traefik.enable=true"
- "traefik.http.routers.confidentialbackend-${COMPOSE_PROJECT_NAME}.rule=Host(`confidentialbackend.${BASE_DOMAIN:-localtest.me}`)"
- "traefik.http.routers.confidentialbackend-${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
- "traefik.http.routers.confidentialbackend-${COMPOSE_PROJECT_NAME}.tls=true"
- "traefik.http.routers.confidentialbackend-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
networks:
- ingress
- internal
depends_on:
- redis
db:
image: postgres:${POSTGRES_IMAGE_TAG:-12}
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
volumes:
- "db-data:/var/lib/postgresql/data"
# mount db creation script in place for bootstrap
- "./config/db:/docker-entrypoint-initdb.d"
networks:
- internal
femr:
image: ghcr.io/uwcirg/cosri-patientsearch:${FEMR_IMAGE_TAG:-develop}
env_file:
femr.env
environment:
APPLICATION_TITLE: "DCW"
MORE_MENU: ""
NEED_PATIENT_BANNER: "true"
OIDC_AUTHORIZE_URL: "https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR/protocol/openid-connect/auth"
OIDC_CLIENT_ID: femr_openid_client
OIDC_ISSUER: "https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR"
OIDC_REDIRECT_URIS: "https://keycloak.${BASE_DOMAIN:-localtest.me}/oidc_callback"
OIDC_USERINFO_URI: "https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR/protocol/openid-connect/userinfo"
OIDC_TOKEN_URI: "https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR/protocol/openid-connect/token"
OIDC_TOKEN_INTROSPECTION_URI: "https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR/protocol/openid-connect/token/introspect"
# TODO change to INTERNAL_FHIR_API
MAP_API: 'https://fhirwall.${BASE_DOMAIN:-localtest.me}/fhir/'
# FHIR URL passed to SoF client
SOF_HOST_FHIR_URL: 'https://fhirwall.${BASE_DOMAIN:-localtest.me}/fhir'
SOF_CLIENTS: '[{"id":"SCREENER", "label":"New Assessment", "launch_url":"https://confidentialbackend.${BASE_DOMAIN:-localtest.me}/auth/launch", "required_roles": ["clinician"]}, {"id":"SUMMARY", "label":"View Report", "launch_url":"https://summary.${BASE_DOMAIN:-localtest.me}/launch.html", "required_roles": ["clinician"]}]'
LOGSERVER_URL: "https://logs.${BASE_DOMAIN:-localtest.me}"
REDIS_URL: redis://redis:6379/1
depends_on:
- fhirwall
- keycloak
- logs
- redis
- confidentialbackend
- screener
labels:
- "traefik.enable=true"
- "traefik.http.routers.femr-${COMPOSE_PROJECT_NAME}.rule=Host(`femr.${BASE_DOMAIN:-localtest.me}`)"
- "traefik.http.routers.femr-${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
- "traefik.http.routers.femr-${COMPOSE_PROJECT_NAME}.tls=true"
- "traefik.http.routers.femr-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
networks:
- ingress
- internal
fhir:
image: hapiproject/hapi:${FHIR_IMAGE_TAG:-v5.5.1}
environment:
SPRING_CONFIG_LOCATION: file:///opt/application.yaml
spring.datasource.url: jdbc:postgresql://db:5432/hapifhir
spring.datasource.username: postgres
spring.datasource.password: postgres
spring.datasource.driverClassName: org.postgresql.Driver
spring.jpa.hibernate.dialect: org.hibernate.dialect.PostgreSQL94Dialect
# make URLs relative to fEMR for pagination
# TODO remove when fEMR can rewrite URLs
hapi.fhir.server_address: 'https://femr.${BASE_DOMAIN:-localtest.me}/fhir/'
volumes:
- "./config/hapi/application.yaml:/opt/application.yaml:ro"
depends_on:
- db
networks:
internal:
aliases:
- fhir-internal
fhirwall:
image: ghcr.io/uwcirg/jwt-proxy:${PROXY_IMAGE_TAG:-latest}
env_file:
fhirwall.env
environment:
LOGSERVER_URL: "https://logs.${BASE_DOMAIN:-localtest.me}"
OIDC_AUTHORIZE_URL: "https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR/protocol/openid-connect/auth"
OIDC_TOKEN_URI: "https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR/protocol/openid-connect/token"
OIDC_TOKEN_INTROSPECTION_URI: "https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR/protocol/openid-connect/token/introspect"
UPSTREAM_SERVER: "http://fhir-internal:8080"
JWKS_URL: "https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR/protocol/openid-connect/certs"
PATH_WHITELIST: /fhir/metadata,/fhir/.well-known/smart-configuration
labels:
- "traefik.enable=true"
# add CORS middleware, configured to return `Access-Control-Allow-Origin: *`
# NB accessControlAllowOrigin is deprecated, but not noted in docs
# https://github.com/traefik/traefik/issues/8796
- "traefik.http.middlewares.fhirwall-${COMPOSE_PROJECT_NAME}-cors.headers.accessControlAllowOriginList=*"
- "traefik.http.middlewares.fhirwall-${COMPOSE_PROJECT_NAME}-cors.headers.accessControlAllowHeaders=Authorization,Origin,Content-Type,Accept,Cache-Control"
- "traefik.http.routers.fhirwall-${COMPOSE_PROJECT_NAME}.middlewares=fhirwall-${COMPOSE_PROJECT_NAME}-cors"
- "traefik.http.routers.fhirwall-${COMPOSE_PROJECT_NAME}.rule=Host(`fhirwall.${BASE_DOMAIN:-localtest.me}`)"
- "traefik.http.routers.fhirwall-${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
- "traefik.http.routers.fhirwall-${COMPOSE_PROJECT_NAME}.tls=true"
- "traefik.http.routers.fhirwall-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
depends_on:
- fhir
- logs
networks:
- ingress
- internal
keycloak:
image: quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG:-15.0.2}
labels:
- "traefik.enable=true"
- "traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.rule=Host(`keycloak.${BASE_DOMAIN:-localtest.me}`)"
- "traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
- "traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.tls=true"
- "traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
entrypoint:
# override default keycloak docker entrypoint script with our own
- /opt/jboss/tools/docker-entrypoint-override.sh
- /opt/jboss/tools/docker-entrypoint.sh
command:
- "-b"
- "0.0.0.0"
- "-Dkeycloak.migration.action=import"
# TODO use dir migration provider (`keycloak.migration.provider=dir`)
# https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/export-import.adoc
- "-Dkeycloak.migration.provider=singleFile"
- "-Dkeycloak.profile.feature.upload_scripts=enabled"
- "-Dkeycloak.migration.file=/opt/jboss/keycloak/realm-data.json"
- "-Dkeycloak.migration.strategy=IGNORE_EXISTING"
environment:
KEYCLOAK_FRONTEND_URL: "https://keycloak.${BASE_DOMAIN:-localtest.me}/auth"
PROXY_ADDRESS_FORWARDING: "true"
DB_VENDOR: postgres
DB_ADDR: db
DB_PORT: 5432
DB_DATABASE: keycloak
DB_USER: postgres
DB_PASSWORD: postgres
# https://nvd.nist.gov/vuln/detail/CVE-2021-44228
LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"
# environment variables used to configure docker-entrypoint-override.sh
__KEYCLOAK_INPUT_CONFIG: /tmp/realm-data.json
__KEYCLOAK_OUTPUT_CONFIG: /opt/jboss/keycloak/realm-data.json
env_file:
- keycloak.env
volumes:
- "./config/keycloak/docker-entrypoint-override.sh:/opt/jboss/tools/docker-entrypoint-override.sh:ro"
- "./config/keycloak/realm-data.json:/tmp/realm-data.json"
- "./config/keycloak/jboss-logging-config.cli:/opt/jboss/startup-scripts/jboss-logging-config.cli"
- "./config/keycloak/dcw-keycloak-theme:/opt/jboss/keycloak/themes/dcw"
depends_on:
- db
networks:
- ingress
- internal
logs:
image: postgrest/postgrest
labels:
- "traefik.enable=true"
- "traefik.http.routers.logs-${COMPOSE_PROJECT_NAME}.rule=Host(`logs.${BASE_DOMAIN:-localtest.me}`)"
- "traefik.http.routers.logs-${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
- "traefik.http.routers.logs-${COMPOSE_PROJECT_NAME}.tls=true"
- "traefik.http.routers.logs-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
environment:
PGRST_DB_URI: postgres://postgres:postgres@db:5432/app_db
PGRST_DB_SCHEMA: api
PGRST_DB_ANON_ROLE: web_anon
env_file:
- logs.env
depends_on:
- db
networks:
- ingress
- internal
redis:
image: redis
networks:
- internal
screener:
image: ghcr.io/uwcirg/asbi-screening-app:${SCREENER_IMAGE_TAG:-latest}
env_file:
- screener.env
environment:
VUE_APP_PROJECT_ID: 'DCW'
VUE_APP_DASHBOARD_URL: 'https://femr.${BASE_DOMAIN:-localtest.me}'
VUE_APP_CONF_API_URL: 'https://confidentialbackend.${BASE_DOMAIN:-localtest.me}'
VUE_APP_WRITE_BACK_MODE: 'smart'
VUE_APP_ALLOW_SKIPPING_QUESTIONNAIRE: "true"
# TODO remove when FHIR resources are PUT after SoF launch
# FHIR REST endpoint used by upload.py to upload static FHIR resources
FHIR_SERVER: https://fhir.${BASE_DOMAIN:-localtest.me}/fhir
depends_on:
- fhir
labels:
- "traefik.enable=true"
- "traefik.http.routers.screener-${COMPOSE_PROJECT_NAME}.rule=Host(`screener.${BASE_DOMAIN:-localtest.me}`)"
- "traefik.http.routers.screener-${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
- "traefik.http.routers.screener-${COMPOSE_PROJECT_NAME}.tls=true"
- "traefik.http.routers.screener-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
networks:
- ingress
summary:
image: ghcr.io/uwcirg/patient-summary:${SUMMARY_IMAGE_TAG:-latest}
environment:
REACT_APP_CLIENT_ID: 'summary_openid_client'
REACT_APP_DASHBOARD_URL: 'https://femr.${BASE_DOMAIN:-localtest.me}'
REACT_APP_PROJECT_ID: 'DCW'
REACT_APP_QUESTIONNAIRES: minicog,ecog12,cp-ecog,adl_iadl,gad7,gds,c-idas,behav5,slums
depends_on:
- fhir
labels:
- "traefik.enable=true"
- "traefik.http.routers.summary-${COMPOSE_PROJECT_NAME}.rule=Host(`summary.${BASE_DOMAIN:-localtest.me}`)"
- "traefik.http.routers.summary-${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
- "traefik.http.routers.summary-${COMPOSE_PROJECT_NAME}.tls=true"
- "traefik.http.routers.summary-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
networks:
- ingress
volumes:
db-data: {}
networks:
# internal network for backing services
internal:
# ingress network
ingress:
external: true
name: external_web