Cleanup Blaze Config

.github/workflows/ci.yml

@@ -56,9 +56,10 @@ jobs:
         sed -i -r -e 's#^(VALIDATION_ENABLED)=.*$#\1="false"#' \
             data-node/fhir-validator/.env
         sed -i -r -e 's#^(OPENID_PROVIDER_URL)=.*$#\1="https://auth.localhost:444/realms/blaze"#' \
-                  -e 's#^(KC_HOSTNAME)=.*$#\1="https://auth.localhost:444/"#' \
+            data-node/fhir-server/.backend-env
+        sed -i -r -e 's#^(KC_HOSTNAME)=.*$#\1="https://auth.localhost:444/"#' \
                   -e 's#^(KC_HTTP_RELATIVE_PATH)=.*$#\1=/#' \
-            data-node/fhir-server/.env
+            data-node/fhir-server/.keycloak-env
         sed -i -r -e 's#^(FHIR_SERVER_HOSTNAME)=.*$#\1="fhir.localhost"#' \
                   -e 's#^(FLARE_HOSTNAME)=.*$#\1="flare.localhost"#' \
                   -e 's#^(KEYCLOAK_HOSTNAME)=.*$#\1="auth.localhost"#' \

data-node/fhir-server/.backend-env.default

@@ -0,0 +1,57 @@
+# --- Backend Configuration ---
+
+# --- Base Configuration ---
+# Base URL for the FHIR server
+# Default: http://fhir-server:8080
+BASE_URL="http://fhir-server:8080"
+
+# Logging level (trace, debug, info, warn, error)
+# Default: info
+LOG_LEVEL="debug"
+
+# --- JVM Performance Tuning ---
+# Java tool options for memory allocation
+# Default: system dependent
+JAVA_TOOL_OPTIONS="-Xmx4g"
+
+# --- Database Configuration ---
+# Database block cache size in MB
+# Default: 128
+DB_BLOCK_CACHE_SIZE="1024"
+
+# Database resource cache ratio (number of resources)
+# Default: 0.25
+# DB_RESOURCE_CACHE_SIZE_RATIO="0.25"
+
+# CQL expression cache size
+# Default: disabled
+CQL_EXPR_CACHE_SIZE="128"
+
+# --- Server Configuration ---
+# Local port binding for FHIR server
+# Default: 127.0.0.1:8081
+PORT_FHIR_SERVER_LOCALHOST="127.0.0.1:8081"
+
+# Enforce referential integrity in FHIR resources
+# Default: true
+# ENFORCE_REFERENTIAL_INTEGRITY="true"
+
+# External terminology service URL
+# Default: disabled
+EXTERN_TERMINOLOGY_SERVICE_URL="http://terminology-server:8080/fhir"
+
+# Enable admin API endpoints
+# Default: false
+ENABLE_ADMIN_API="true"
+
+# --- FHIR Server Authentication Configuration ---
+# OpenID Connect provider URL
+# Default: disabled
+OPENID_PROVIDER_URL="https://auth.localhost:444/realms/blaze"
+
+# Local OpenID client trust store path
+# Default: ../auth/trust-store.p12
+# LOCAL_OPENID_CLIENT_TRUST_STORE="../auth/trust-store.p12"
+
+# Trust store password
+OPENID_CLIENT_TRUST_STORE_PASS="insecure"

data-node/fhir-server/.frontend-env.default

@@ -0,0 +1,34 @@
+# --- Frontend Configuration ---
+
+# The base URL of the frontend as accessed by the browser.
+ORIGIN="https://fhir.localhost:444"
+
+# Backend base URL for internal communication
+BACKEND_BASE_URL="http://fhir-server:8080"
+
+# The client ID of the OAuth client used to communicate with the auth
+# provider.
+AUTH_CLIENT_ID="account"
+
+# The client secret of the OAuth client used to communicate with the
+# auth provider.
+AUTH_CLIENT_SECRET="insecure"
+
+# Authentication issuer URL
+AUTH_ISSUER="https://auth.localhost:444/realms/blaze"
+
+# A secret random string that is used to encrypt the session cookie.
+#
+# This should be a minimum of 32 characters, random string. On UNIX
+# systems you can use `openssl rand -hex 32` to generate one.
+AUTH_SECRET="6a0ca3f8e38a939c7c44caf61eb7e9c0055fde920b58929439789bc70c7073f6"
+
+# HTTP header for protocol forwarding
+PROTOCOL_HEADER="X-Forwarded-Proto"
+
+# HTTP header for host forwarding
+HOST_HEADER="X-Forwarded-Host"
+
+# Path to CA certificate
+# Default: ../auth/cert.pem
+# CA_CERT="../auth/cert.pem"

data-node/fhir-server/.keycloak-env.default

@@ -0,0 +1,70 @@
+# --- Keycloak Configuration ---
+
+# Enable Keycloak authentication
+# Default: true
+KEYCLOAK_ENABLED="true"
+
+# --- Keycloak Configuration ---
+# Keycloak database name
+# Default: keycloakdb
+KC_DB_URL_DB="keycloakdb"
+
+# Keycloak database username
+# Default: keycloakdbuser
+KC_DB_USERNAME="keycloakdbuser"
+
+# Keycloak database password
+# Default: keycloakdbpw
+KC_DB_PASSWORD="keycloakdbpw"
+
+# Keycloak bootstrap admin username
+# Default: admin
+KC_BOOTSTRAP_ADMIN_USERNAME="admin"
+
+# Keycloak bootstrap admin password
+# Default: admin
+KC_BOOTSTRAP_ADMIN_PASSWORD="admin"
+
+# Keycloak HTTP relative path
+# Default: /
+KC_HTTP_RELATIVE_PATH="/"
+
+# Keycloak hostname (public URL)
+# Default: https://auth.localhost:444
+KC_HOSTNAME="https://auth.localhost:444"
+
+# Keycloak admin console hostname
+# Default: https://auth.localhost:444
+KC_HOSTNAME_ADMIN="https://auth.localhost:444"
+
+# Keycloak logging level
+# Default: info
+KC_LOG_LEVEL="info"
+
+# Enable Keycloak health endpoints
+# Default: true
+KC_HEALTH_ENABLED="true"
+
+# Enable Keycloak metrics endpoints
+# Default: true
+KC_METRICS_ENABLED="true"
+
+# Keycloak proxy headers mode
+# Default: xforwarded
+KC_PROXY_HEADERS="xforwarded"
+
+# Enable Keycloak HTTP (non-HTTPS) mode
+# Default: true
+KC_HTTP_ENABLED="true"
+
+# Keycloak client ID
+# Default: account
+KEYCLOAK_CLIENT_ID="account"
+
+# Keycloak client secret
+# Default: insecure
+KEYCLOAK_CLIENT_SECRET="insecure"
+
+# Keycloak client host URL
+# Default: https://fhir.localhost:444
+KEYCLOAK_CLIENT_HOST_URL="https://fhir.localhost:444"

data-node/fhir-server/docker-compose.yml

@@ -1,14 +1,17 @@
 services:
   fhir-server:
-    image: samply/blaze:1.6.0
+    image: "samply/blaze:1.6.0@sha256:76b8d0947a8463921e4cd5db291b14d58c221d4ca474a582eea3f16294ef8b3d"
     healthcheck:
-      test: ["CMD-SHELL", "curl --fail -s http://localhost:8080/health"]
+      test: [ "CMD", "wget", "--spider", "http://localhost:8080/health" ]
       interval: 5s
       timeout: 5s
       retries: 3
       start_period: 60s
+    environment:
+      DB_SEARCH_PARAM_BUNDLE: "/app/custom-search-parameters.json"
+      OPENID_CLIENT_TRUST_STORE: "/app/trust-store.p12"
     env_file:
-      - .env
+      - .backend-env
     ports:
     - ${PORT_FHIR_SERVER_LOCALHOST:-127.0.0.1:8081}:8080
     extra_hosts:
@@ -17,17 +20,19 @@ services:
     volumes:
     - "./custom-search-parameters.json:/app/custom-search-parameters.json:ro"
     - "blaze-data:/app/data"
-    - "${LOCAL_OPENID_CLIENT_TRUST_STORE:-../auth/trust-store.p12}:/app/trust-store.p12"
+    - "${LOCAL_OPENID_CLIENT_TRUST_STORE:-../auth/trust-store.p12}:/app/trust-store.p12:ro"
 
   fhir-server-frontend:
-    image: samply/blaze-frontend:1.6.0
+    image: "samply/blaze-frontend:1.6.0@sha256:c9a455b168c1f15c087f859939e721f0ae81b47aa897bd3796a85be6bf3c5012"
     healthcheck:
       test: ["CMD-SHELL", "wget --spider http://127.0.0.1:3000/fhir/"]
       interval: 5s
       timeout: 5s
       retries: 3
+    environment:
+      NODE_EXTRA_CA_CERTS: "/app/cert.pem"
     env_file:
-      - .env
+      - .frontend-env
     ports:
     - ${PORT_FHIR_SERVER_FRONTEND_LOCALHOST:-127.0.0.1:8300}:3000
     extra_hosts: