Second attempt at using secret in elabftw

deploy

@@ -81,9 +81,9 @@ def deploy_stack(username: str, password: str, stack_name: Optional[str] = "stac
     stacks = portainer.StacksApi(client)
     # Then, deploy the substacks using the API
     print("Deploying substacks via portainer API")
-    portainer_deploy_stack("networks", stacks, endpoint_id)
+    # portainer_deploy_stack("networks", stacks, endpoint_id)
-    portainer_deploy_stack("volumes", stacks, endpoint_id)
+    # portainer_deploy_stack("volumes", stacks, endpoint_id)
-    portainer_deploy_stack("backend", stacks, endpoint_id)
+    # portainer_deploy_stack("backend", stacks, endpoint_id)
     portainer_deploy_stack("frontend", stacks, endpoint_id)
     print("Stack deployed!")
 

elab_db.yaml

@@ -0,0 +1,191 @@
+version: "3.8"
+
+services:
+  mysql:
+    image: mysql:8.0
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: on-failure
+    healthcheck:
+      test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"]
+      timeout: 20s
+      retries: 10
+    cap_drop:
+      - AUDIT_WRITE
+      - MKNOD
+      - SYS_CHROOT
+      - SETFCAP
+      - NET_RAW
+    cap_add:
+      - SYS_NICE
+    # secrets:
+    #   - elabftw_sql_key
+    environment:
+      MYSQL_DATABASE: "elabftw"
+      MYSQL_USER: "elabftw"
+      MYSQL_PASSWORD: "test" # MYSQL_PASSWORD_FILE: /run/secrets/elabftw_sql_key
+      MYSQL_ROOT_PASSWORD: "test" # MYSQL_RANDOM_ROOT_PASSWORD: 1
+      MYSQL_HOST: "172.252.0.3"
+      MYSQL_ROOT_HOST: "172.252.0.3" # Must allow root access from any host or won't work on swarm
+      TZ: "Europe/Paris"
+    volumes:
+      - elabftw_sql:/var/lib/mysql
+    networks:
+      test_net:
+        ipv4_address: "172.252.0.2"
+      # - i-form_research_server_stack
+
+
+networks:
+  test_net:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.252.0.0/16
+
+# This defines the NFS volumes for persistence
+#! This requires nodes to be IP whitelisted in the NAS
+volumes:
+  traefik:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/traefik"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  letsencrypt:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/letsencrypt"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  web:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/web"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  grafana:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/grafana"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_db:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/postgres_db"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_secrets:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/secrets"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_solr_data:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/solr-data"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_triggers:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/triggers"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_solr:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/solr"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_minio:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/minio-data"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_config:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/config"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_schema:
+    driver: local
+    driver_opts:
+      type: nfs
+      o: addr=192.168.1.237,nolock,soft,rw
+      device: ":volume1/dataverse/config/schema.xml"
+  # /opt/payara/appserver/glassfish/domains/domain1/config <- login config is here in container
+  dataverse_init:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/init.d"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_data:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/data"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_docroot:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/docroot"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  neo4j:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/neo4j"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  senaite:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/senaite"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  elabftw_uploads:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/elabftw/uploads"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  elabftw_var:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/elabftw/var"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  elabftw_etc:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/elabftw/etc"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  elabftw_sql:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/elabftw/sql"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+
+# secrets:
+#   elabftw_sql_key:
+#     external: true
+#   elabftw_secret_key:
+#     external: true
+#   dataverse_postgres_key:
+#     external: true

elab_web.yaml

@@ -0,0 +1,189 @@
+services:
+  elabftw:
+    image: elabftw/elabimg:latest
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: on-failure
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+      - FOWNER
+      - DAC_OVERRIDE
+    # secrets:
+    #   - elabftw_sql_key
+    #   - elabftw_secret_key
+    environment:
+      SECRET_KEY: def00000c729ff8686c923b5fd05bf1318920d8945ac75d2c5d8430e4cd6ac96620356faab74f9d601d74d7e5f9bb2dbafb4a12e66f4f250de172a126706a0f785aa1959 # /run/secrets/elabftw_secret_key
+      DB_HOST: "172.252.0.2"
+      DB_PORT: "3306"
+      DB_NAME: "elabftw"
+      DB_USER: "elabftw"
+      DB_PASSWORD: "test" # "/run/secrets/elabftw_sql_key"
+      # - DB_PASSWORD=$$DB_PASSWORD
+      # DB_CERT_PATH: "/mysql-cert/cert.pem"
+      PHP_TIMEZONE: "Europe/Paris"
+      TZ: "Europe/Paris"
+      SERVER_NAME: "I-Form eLabFTW"
+      SITE_URL: "127.0.0.1:443" # "elab.i-form.ie"
+      # DISABLE_HTTPS: 1
+      ENABLE_LETSENCRYPT: 0
+    ports:
+      # - "3148:443"
+      - "443:443"
+    volumes:
+      - elabftw_uploads:/elabftw/uploads
+      - elabftw_var:/var/elabftw
+      - elabftw_etc:/etc/elabftw
+      # if you have enabled letsencrypt, uncomment the line below
+      # path to the folder with TLS certificate + private key
+      # host:container
+      #- /etc/letsencrypt:/ssl
+    networks:
+      i-form_research_server_stack_test_net:
+        ipv4_address: "172.252.0.3"
+      # - i-form_research_server_stack
+
+networks:
+  i-form_research_server_stack_test_net:
+    external: true
+
+# This defines the NFS volumes for persistence
+#! This requires nodes to be IP whitelisted in the NAS
+volumes:
+  traefik:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/traefik"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  letsencrypt:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/letsencrypt"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  web:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/web"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  grafana:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/grafana"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_db:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/postgres_db"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_secrets:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/secrets"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_solr_data:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/solr-data"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_triggers:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/triggers"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_solr:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/solr"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_minio:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/minio-data"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_config:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/config"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_schema:
+    driver: local
+    driver_opts:
+      type: nfs
+      o: addr=192.168.1.237,nolock,soft,rw
+      device: ":volume1/dataverse/config/schema.xml"
+  # /opt/payara/appserver/glassfish/domains/domain1/config <- login config is here in container
+  dataverse_init:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/init.d"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_data:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/data"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  dataverse_docroot:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/dataverse/docroot"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  neo4j:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/neo4j"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  senaite:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/senaite"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  elabftw_uploads:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/elabftw/uploads"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  elabftw_var:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/elabftw/var"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  elabftw_etc:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/elabftw/etc"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"
+  elabftw_sql:
+    driver: local
+    driver_opts:
+      type: nfs
+      device: ":volume1/elabftw/sql"
+      o: "addr=192.168.1.237,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14,nfsvers=4"

elabftw-compose.yaml

@@ -0,0 +1,457 @@
+# docker-elabftw configuration file
+# use : "docker-compose up -d" to start containers
+# this config file contains all the possible configuration options, shown with default values
+# https://hub.docker.com/r/elabftw/elabimg/
+# https://www.elabftw.net
+version: "3"
+
+# our first container is nginx + php-fpm + elabftw
+services:
+  web:
+    # the latest tag points to the latest stable version
+    # use the next tag to use alpha/beta version
+    # use a specific version to pin the image
+    # example: elabftw/elabimg:4.0.5
+    # default value: elabftw/elabimg:latest
+    image: elabftw/elabimg:latest
+    # this ensures the container will be restarted after a reboot of the server
+    # default value: always
+    restart: always
+    # comment this out if you use several containers with redis, as you can't have several containers with the same name
+    # default value: elabftw
+    container_name: elabftw
+    # make sure we wait for mysql to be available before starting
+    # comment this out if you're not using a mysql container
+    # note: the mysql container needs an healthcheck block for this to work
+    depends_on:
+      - mysql
+
+    # limit number of processes
+    # this option is commented out because it is not in v3 of compose files, only v2
+    # even though it works as expected in a v3 file with recent docker-compose
+    #pids_limit: 42
+
+    # add a security flag to prevent a process gaining new privileges
+    security_opt:
+      - no-new-privileges:true
+
+    # restrict capabilities of the root user to the strict minimum
+    # see CIS Docker Benchmark v1.5 5.3
+    # see ANSSI-FT-082 23/09/2020 R8
+    # WARNING: for Centos7/8, comment out these lines (cap_drop and cap_add)
+    # If you get this error in the logs:
+    # nginx: [emerg] bind() to 0.0.0.0:443 failed (13: Permission denied)
+    # comment out these lines!
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+      - FOWNER
+      - DAC_OVERRIDE
+
+    # environment variables passed to the container to configure options at run time (when container is started)
+    # commented variables are optional
+    environment:
+      #######################
+      # MYSQL CONFIGURATION #
+      #######################
+      # name of the MySQL server (by default "mysql" the name of the mysql container in default elabftw Docker configuration)
+      # you can put here the IP address of an existing MySQL server if you already have one running
+      # default value: mysql
+      - DB_HOST=mysql
+
+      # port on which the MySQL server is listening
+      # you probably don't need to modify this value
+      # default value: 3306
+      - DB_PORT=3306
+
+      # name of the MySQL database
+      # you probably don't need to modify this value
+      # default value: elabftw
+      - DB_NAME=elabftw
+
+      # MySQL user with write access to the previously named database
+      # you probably don't need to modify this value
+      # default value: elabftw
+      - DB_USER=elabftw
+
+      # MySQL password; a random password has been generated for you but feel free to change it if needed
+      # default value: generated randomly if you get the config from get.elabftw.net
+      #- DB_PASSWORD=secr3t
+
+      # Mysql Cert path: you only need this if you connect to a mysql server with tls
+      # Use a volume that points to /mysql-cert in the container
+      # optional
+      #- DB_CERT_PATH=/mysql-cert/cert.pem
+
+      #####################
+      # PHP CONFIGURATION #
+      #####################
+      # the timezone in which the server is
+      # better if changed (see list of available values: http://php.net/manual/en/timezones.php
+      - PHP_TIMEZONE=Europe/Paris
+      # again
+      - TZ=Europe/Paris
+
+      # optional: set the limit of simultaneous request that will be served
+      # see http://php.net/manual/en/install.fpm.configuration.php
+      # default value: 50
+      #- PHP_MAX_CHILDREN=50
+
+      # optional: adjust the max execution time of PHP scripts. Allows for bigger ZIP exports.
+      # default value: 120
+      #- PHP_MAX_EXECUTION_TIME=120
+
+      # optional: adjust the amount of memory available to PHP, increase it if you run into issues
+      # example value: 512M
+      # default value: 256M
+      #- MAX_PHP_MEMORY=256M
+
+      # optional: set a password to get access to /php-status, which will display various metrics about the php-fpm processes
+      # also works for /nginx-status, for metrics about nginx process
+      # if this is not set, a random password will be generated but never displayed, effectively disabling access to this endpoint
+      # the enpdoint can be accessed with the "elabftw" user, and the password you set below
+      # example value: my-cool-password
+      # default value: not set
+      #- STATUS_PASSWORD=
+
+      #########################
+      # ELABFTW CONFIGURATION #
+      #########################
+      # The secret key is used for encrypting the SMTP and Timestamping passwords
+      # A random one has been generated for you, if you wish to change it you can
+      # get another secret key from https://get.elabftw.net/?key
+      # if you don't want to get it from an external source you can also do that:
+      # docker run --rm -t --entrypoint '/bin/sh' elabftw/elabimg -c "php -d memory_limit=10M -d open_basedir='' bin/console tools:genkey"
+      # Note: the value MUST be generated as shown in the methods above.
+      # default value: generated randomly if you get the config from get.elabftw.net
+      # - SECRET_KEY=
+
+      # The canonical URL to the website, including port if not standard
+      # Use the user-facing URL here.
+      # example value: https://elab.uni-delta.fr
+      # example value: https://elab.uni-delta.fr:3148
+      - SITE_URL=http://127.0.0.1:443
+
+      # optional: adjust maximum size of uploaded files
+      # default value: 100M
+      #- MAX_UPLOAD_SIZE=100M
+
+      # optional: s3 storage credentials
+      #- ELAB_AWS_ACCESS_KEY=
+      #- ELAB_AWS_SECRET_KEY=
+
+      #######################
+      # NGINX CONFIGURATION #
+      #######################
+      # change to your server name in nginx config
+      # default value: localhost
+      # example value: elab.uni.edu
+      - SERVER_NAME=localhost
+
+      # optional: disable https, use this to have an http server listening on port 443
+      # useful if the SSL stack is handled by haproxy or something alike
+      # default value: false
+      - DISABLE_HTTPS=false
+
+      # set to true to use letsencrypt or other certificates
+      # note: does nothing if DISABLE_HTTPS is set to true
+      # default value: false
+      - ENABLE_LETSENCRYPT=false
+
+      # optional: enable ipv6 (make sure you have an AAAA dns record!)
+      # default value: false
+      #- ENABLE_IPV6=false
+
+      # optional: adjust the user/group that will own the uploaded files (and run the webserver)
+      # useful if your files are stored on an NFS mount point where the files ownership are imposed by the NFS server
+      # default value: nginx
+      # example value: nobody
+      #- ELABFTW_USER=nginx
+      # default value: nginx
+      # example value: nobody
+      #- ELABFTW_GROUP=nginx
+      # default value: 101
+      # example value: 65534
+      #- ELABFTW_USERID=101
+      # default value: 101
+      # example value: 65534
+      #- ELABFTW_GROUPID=101
+
+      # optional: enable if you want nginx to be configured with set_real_ip_from directives
+      # default value: false
+      #- SET_REAL_IP=false
+      # the IP address/addresses. Separate them with a , AND A SPACE. Several set_real_ip_from lines will be added to the nginx config. One for each.
+      # this does nothing if SET_REAL_IP is set to false
+      #- SET_REAL_IP_FROM=192.168.31.48, 192.168.0.42, 10.10.13.37
+
+      # optional: adjust the number of worker processes nginx will spawn
+      # default value: auto
+      # if auto doesn't work for you, use the number of cores available on the server (or less)
+      #- NGINX_WORK_PROC=auto
+
+      # optional: allow javascript code to call the API from an external service
+      # this will add a response header Access-Control-Allow-Origin with content of the env var as value
+      # mdn doc: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+      # default: header not set (empty value)
+      # example value: app.example.org
+      # example value: *
+      #- ALLOW_ORIGIN=
+
+      # optional: define methods allowed to javascript code calling the API from an external service
+      # this will add a response header Access-Control-Allow-Methods with content of the env var as value
+      # mdn doc: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
+      # default: header not set (empty value)
+      # example value: GET, POST, PATCH
+      #- ALLOW_METHODS=
+
+      # optional: define headers allowed to javascript code calling the API from an external service
+      # this will add a response header Access-Control-Allow-Headers with content of the env var as value
+      # mdn doc: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
+      # default: header not set (empty value)
+      # example value: Content-Type, Authorization
+      #- ALLOW_HEADERS=
+
+      # optional: modify the keepalive_timeout value
+      # nginx doc: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
+      # default: 10s
+      # example value: 5s
+      #- KEEPALIVE_TIMEOUT=10s
+
+      #######################
+      # REDIS CONFIGURATION #
+      #######################
+      # optional: use a redis server to store the PHP sessions
+      # default value: false
+      #- USE_REDIS=false
+      # optional: set an IP or hostname for the redis server
+      # default value: redis
+      #- REDIS_HOST=redis
+      # optional: set a custom port for redis
+      # default value: 6379
+      #- REDIS_PORT=6379
+      # optional: set a username for redis
+      # default value: <empty>
+      #- REDIS_USERNAME=
+      # optional: set a password for redis
+      # default value: <empty>
+      #- REDIS_PASSWORD=
+
+      ######################
+      # LDAP CONFIGURATION #
+      ######################
+      # optional: configure ldap certificate verification behavior: will create /etc/openldap/ldap.conf with TLS_REQCERT config line
+      # default value: false
+      # possible values: never, allow, try
+      #- LDAP_TLS_REQCERT=false
+
+      #################
+      # MISCELLANEOUS #
+      #################
+      # optional: be less verbose during init
+      # default value: false
+      #- SILENT_INIT=false
+
+      # optional: automatically install the database structure on container start
+      # default value: false
+      #- AUTO_DB_INIT=false
+
+      # optional: automatically update the database structure on container start
+      # default value: false
+      #- AUTO_DB_UPDATE=false
+
+      #######
+      # DEV #
+      #######
+      # set to true for development
+      # default value: false
+      #- DEV_MODE=false
+
+    ports:
+      # Important note about exposing ports: due to the way Docker deals with the host firewall, it is recommended to use '127.0.0.1:1234:443'
+      # if you only want to expose the service locally (on port 1234 in this example). See https://github.com/moby/moby/issues/22054
+      # Another option is to use the "expose" directive instead of "ports" and let your reverse proxy figure things out.
+      #
+      # if you want elabftw to run on a different port, change the first number
+      # host:container
+      - "443:443"
+      # if you are aiming for running multiple instances of this container you can put a range like so:
+      # - "3100-3200:443"
+      # use redis for session storage if that is the case, or configure your load balancer with sticky sessions
+    volumes:
+      # this is where you will keep the uploaded files persistently
+      # for Windows users it might look like this
+      # - D:\Users\Nico\elab-data\web:/elabftw/uploads
+      # host:container
+      - /var/elabftw/web:/elabftw/uploads
+      #
+      # TLS configuration
+      #
+      # Note: if your certificate is not from letsencrypt, make sure to have those two files:
+      #
+      #       /etc/letsencrypt/live/SERVER_NAME/fullchain.pem
+      #       /etc/letsencrypt/live/SERVER_NAME/privkey.pem
+      #
+      # in the folder /etc/letsencrypt (or any folder you like as long as you adapt the line below
+      # replace SERVER_NAME with the value of SERVER_NAME of course.
+      #
+      # if you have enabled letsencrypt, uncomment the line below
+      # path to the folder with TLS certificate + private key
+      # host:container
+      #- /etc/letsencrypt:/ssl
+      #
+      # MYSQL cert path
+      #- /path/to/cert/folder:/mysql-cert
+
+    networks:
+      - elabftw-net
+
+  # the mysql database image
+  # Note: if you already have a MySQL server running, you don't need to use this image, as you can use the already existing one
+  # In this case, add the IP address of the server in DB_HOST and comment out or remove this block
+  mysql:
+    image: mysql:8.0
+    restart: always
+    # fix issue with "The server requested authentication method unknown to the client [caching_sha2_password]"
+    # now commented out because no longer necessary
+    #command: --default-authentication-plugin=mysql_native_password
+    container_name: mysql
+    # add an healthcheck block so the web container knows when it is ready to accept connections
+    # use double $ here so env vars are correctly found
+    healthcheck:
+      test: "/usr/bin/mysql --user=$$MYSQL_USER --password=$$MYSQL_PASSWORD --execute 'SHOW DATABASES;'"
+      interval: 5s
+      timeout: 5s
+      retries: 20
+    # drop some capabilities
+    cap_drop:
+      - AUDIT_WRITE
+      - MKNOD
+      - SYS_CHROOT
+      - SETFCAP
+      - NET_RAW
+    cap_add:
+      - SYS_NICE
+    environment:
+      # need to change
+      #- MYSQL_ROOT_PASSWORD=secr3t
+      # no need to change
+      - MYSQL_DATABASE=elabftw
+      # no need to change
+      - MYSQL_USER=elabftw
+      # need to change IMPORTANT: this should be the same password as DB_PASSWORD from the elabftw container
+      #- MYSQL_PASSWORD=secr3t
+      # need to change, this is your timezone, see PHP_TIMEZONE from the elabftw container
+      - TZ=Europe/Paris
+      # Update this if you want to run the server on a different port than 3306.
+      # - MYSQL_TCP_PORT=3306
+
+    volumes:
+      # this is where you will keep the database persistently
+      # for Windows users it might look like this
+      # - D:\Users\Nico\elab-data\mysql:/var/lib/mysql
+      # host:container
+      - /var/elabftw/mysql:/var/lib/mysql
+      # The mysql container exposes 3306/33060. Though it does not make an operational difference,
+      # make sure to document your usage here.
+    expose:
+      - "3306"
+    networks:
+      - elabftw-net
+
+  # example of a redis container
+  # uncomment if you want to spawn a redis container to manage sessions
+  #redis:
+  #  image: redis:6.0-alpine
+  #  restart: always
+  #  container_name: redis
+  #  networks:
+  #    - elabftw-net
+
+  # example of a keeex container (experimental!)
+  #keeex:
+  #  image: repo.keeex.me/fkeeex_daemon:latest
+  #  container_name: keeex
+  #  restart: always
+  #  environment:
+  #    - FKEEEX_CONFIG_USER=user@example.org
+  #    - FKEEEX_CONFIG_PASSWORD=
+  #    # Set a random passphrase here. You can generate one with "openssl rand -base64 32".
+  #    - FKEEEX_CONFIG_PASSPHRASE=
+  #  expose:
+  #    - 8080
+  #  networks:
+  #    - elabftw-net
+
+  ###############################################################
+  # EVERYTHING BELOW THIS LINE IS FOR DEVELOPMENT PURPOSES ONLY #
+  # Except for the networks lines, so don't delete them!         #
+  ###############################################################
+
+  # PHPMYADMIN
+  # uncomment this part if you want to have phpmyadmin running too
+  #phpmyadmin:
+  #    image: phpmyadmin/phpmyadmin
+  #    container_name: phpmyadmin
+  #    environment:
+  #        - PMA_PORT=3307
+  #    links:
+  #        - mysql:db
+  #    ports:
+  #        - "8080:80"
+  #    networks:
+  #        - elabftw-net
+
+  # SWAGGER UI
+  # swagger allows you to consult the documentation generated by apidoc/v2/openapi.yaml
+  # running a local container is perfect to see the changes right after a change
+  #
+  #swagger:
+  #  image: swaggerapi/swagger-ui:v5.0.0
+  #  restart: always
+  #  container_name: swagger-elab-local
+  #  ports:
+  #    - "8085:8080"
+  #  volumes:
+  #    - /path/to/local/elabftw/apidoc/v2:/usr/share/nginx/html/swagger:ro
+  #  environment:
+  #    - API_URL=swagger/openapi.yaml
+  #  networks:
+  #      - elabftw-net
+
+  # LDAP
+  # example for ldap server + admin interface
+  # uncomment if you want to work on LDAP authentication
+  #ldap:
+  #    image: osixia/openldap:1.4.0
+  #    container_name: ldap
+  #    restart: always
+  #    hostname: example.org
+  #    environment:
+  #      - LDAP_TLS_VERIFY_CLIENT=try
+  #      - LDAP_OPENLDAP_UID=1000
+  #      - LDAP_OPENLDAP_GID=1000
+  #    ports:
+  #      - "389:389"
+  #      - "636:636"
+  #    volumes:
+  #      - /var/elabftw/ldap-data/ldap:/var/lib/ldap
+  #      - /var/elabftw/ldap-data/slapd.d:/etc/ldap/slapd.d
+  #    networks:
+  #        - elabftw-net
+  #ldapadmin:
+  #    image: osixia/phpldapadmin:0.9.0
+  #    container_name: ldapadmin
+  #    environment:
+  #      - PHPLDAPADMIN_LDAP_HOSTS=ldap
+  #    restart: always
+  #    ports:
+  #      - "6443:443"
+  #    networks:
+  #        - elabftw-net
+
+# the internal elabftw network
+networks:
+  elabftw-net:

frontend.yaml

@@ -72,7 +72,7 @@ services:
       - elabftw_sql_key
       - elabftw_secret_key
     environment:
-      SECRET_KEY: "${cat /run/secrets/elabftw_secret_key}"
+      SECRET_KEY: "$${cat /run/secrets/elabftw_secret_key}"
       DB_HOST: "172.252.0.7"
       DB_PORT: "3306"
       DB_NAME: "elabftw"

ip_map.txt

@@ -0,0 +1,14 @@
+coredns: 172.252.0.2
+traefik: 172.252.0.3
+rsync: 172.252.0.4
+portainer-agent: 172.252.0.5
+dataverse_db: 172.252.0.6
+mysql: 172.252.0.7  <- needs to be changed once elabftw is set
+nginx: 172.252.0.8
+solr: 172.252.0.9
+minio: 172.252.0.10
+dataverse: 172.252.0.11
+grafana: 172.252.0.12
+neodash: 172.252.0.13
+senaite: 172.252.0.14
+elabftw: 172.252.0.15