build: replace custom nginx / certbot config with BunkerWeb (#1695)

* build: start replace of proxy img with bunkerweb

* build: add working bunkerweb development config

* build: auto start pyxform with depends_on

* build: include build justfile (removed from gitignore)

* build: add odk ssl cert to backend img hardcoded

* build: configurable bunkerweb via env vars + odkcentral https proxy

* build: update internal odkcentral https://proxy --> https://odkcentral:8443

* build: remove nginx proxy containers configs / builds

* ci: remove proxy build workflow

* docs: remove refs to building proxy images

* build: remove script using nginx proxy containers

* build: remove dyanmic var names from proxy (not possible)

* build: disable security for proxy in local development

* build: start config for docker compose development proxy

* build: add OPTIONS http type to ALLOWED_METHODS

* build: comment headers overwrite until merge possible / fixed

* build: add electric sync service to bunkerweb setup

* build: add bunkerweb config for mapper frontend

* docs: add madr document about choosing bunkerweb waf

* build: setup bunkerweb config for dev server compose file

* build: update bunkerweb config --> 1.6.0

* build: dev compose config specify BUNKERWEB_INSTANCES

.env.example

@@ -1,5 +1,5 @@
 ### ODK Central ###
-ODK_CENTRAL_URL=${ODK_CENTRAL_URL:-"https://proxy"}
+ODK_CENTRAL_URL=${ODK_CENTRAL_URL:-"https://odkcentral:8443"}
 ODK_CENTRAL_USER=${ODK_CENTRAL_USER:-"[email protected]"}
 ODK_CENTRAL_PASSWD=${ODK_CENTRAL_PASSWD:-"Password1234"}
 CENTRAL_WEBHOOK_API_KEY=${CENTRAL_WEBHOOK_API_KEY}

.github/labeler.yml

@@ -14,7 +14,6 @@ devops:
   - changed-files:
       - any-glob-to-any-file:
           - .github/**
-          - nginx/**
           - scripts/**
           - docker-*.yml
           - ./**/Dockerfile

.github/workflows/build_and_deploy.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   backend-test:
-    uses: hotosm/gh-workflows/.github/workflows/test_compose.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/test_compose.yml@3.1.1
     with:
       image_name: ghcr.io/${{ github.repository }}/backend
       build_context: src/backend
@@ -30,20 +30,20 @@ jobs:
     secrets: inherit
 
   frontend-unit-test:
-    uses: hotosm/gh-workflows/.github/workflows/test_pnpm.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/test_pnpm.yml@3.1.1
     with:
       working_dir: src/frontend
 
   backend-build:
-    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@3.1.1
     needs: [backend-test]
     with:
       context: src/backend
       build_target: prod
       image_name: ghcr.io/${{ github.repository }}/backend
 
   frontend-build:
-    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@3.1.1
     needs: [frontend-unit-test]
     with:
       context: src
@@ -153,7 +153,7 @@ jobs:
     needs:
       - smoke-test-backend
       - smoke-test-frontend
-    uses: hotosm/gh-workflows/.github/workflows/remote_deploy_compose.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/remote_deploy_compose.yml@3.1.1
     with:
       environment: ${{ github.ref_name }}
       docker_compose_file: "deploy/compose.${{ github.ref_name }}.yaml"

.github/workflows/build_ci_img.yml

@@ -16,7 +16,7 @@ on:
 
 jobs:
   backend-ci-build:
-    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@3.1.1
     with:
       context: src/backend
       build_target: ci

.github/workflows/build_odk_imgs.yml

@@ -13,7 +13,7 @@ on:
 
 jobs:
   build-odkcentral:
-    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@3.1.1
     with:
       context: odkcentral/api
       image_tags: |
@@ -24,7 +24,7 @@ jobs:
       multi_arch: true
 
   build-odkcentral-ui:
-    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@3.1.1
     with:
       context: odkcentral/ui
       image_tags: |

.github/workflows/docs.yml

@@ -12,19 +12,19 @@ on:
 
 jobs:
   build_doxygen:
-    uses: hotosm/gh-workflows/.github/workflows/doxygen_build.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/doxygen_build.yml@3.1.1
     with:
       output_path: docs/apidocs
 
   build_openapi_json:
-    uses: hotosm/gh-workflows/.github/workflows/openapi_build.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/openapi_build.yml@3.1.1
     with:
       image: ghcr.io/${{ github.repository }}/backend:ci-${{ github.ref_name }}
       example_env_file_path: ".env.example"
       output_path: docs/openapi.json
 
   publish_docs:
-    uses: hotosm/gh-workflows/.github/workflows/mkdocs_build.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/mkdocs_build.yml@3.1.1
     needs:
       - build_doxygen
       - build_openapi_json

.github/workflows/pr_test_backend.yml

@@ -14,7 +14,7 @@ on:
 
 jobs:
   pytest:
-    uses: hotosm/gh-workflows/.github/workflows/test_compose.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/test_compose.yml@3.1.1
     with:
       image_name: ghcr.io/${{ github.repository }}/backend
       build_context: src/backend

.github/workflows/pr_test_frontend.yml

@@ -14,12 +14,12 @@ on:
 
 jobs:
   unit-tests:
-    uses: hotosm/gh-workflows/.github/workflows/test_pnpm.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/test_pnpm.yml@3.1.1
     with:
       working_dir: src/frontend
 
   e2e-tests:
-    uses: hotosm/gh-workflows/.github/workflows/test_compose.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/test_compose.yml@3.1.1
     with:
       playwright: true
       cache_image: false

.github/workflows/tag_build.yml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   backend-build:
-    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@3.1.1
     with:
       context: src/backend
       build_target: prod

.github/workflows/wiki.yml

@@ -10,6 +10,6 @@ on:
 
 jobs:
   publish-docs-to-wiki:
-    uses: hotosm/gh-workflows/.github/workflows/wiki.yml@2.0.9
+    uses: hotosm/gh-workflows/.github/workflows/wiki.yml@3.1.1
     with:
       homepage_path: "wiki_redirect.md"

README.md

@@ -18,7 +18,7 @@
 <!-- prettier-ignore-start -->
 <div align="center">
 
-| **CI/CD** | | [![Build and Deploy](https://github.com/hotosm/fmtm/actions/workflows/build_and_deploy.yml/badge.svg?branch=main)](https://github.com/hotosm/fmtm/actions/workflows/build_and_deploy.yml?query=branch%3Amain) [![Build CI Img](https://github.com/hotosm/fmtm/actions/workflows/build_ci_img.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/build_ci_img.yml) [![Build ODK Images](https://github.com/hotosm/fmtm/actions/workflows/build_odk_imgs.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/build_odk_imgs.yml) <br> [![🔧 Build Proxy Images](https://github.com/hotosm/fmtm/actions/workflows/build_proxy_imgs.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/build_proxy_imgs.yml) [![Publish Docs](https://github.com/hotosm/fmtm/actions/workflows/docs.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/docs.yml) [![pre-commit.ci](https://results.pre-commit.ci/badge/github/hotosm/fmtm/development.svg)](https://results.pre-commit.ci/latest/github/hotosm/fmtm/development) |
+| **CI/CD** | | [![Build and Deploy](https://github.com/hotosm/fmtm/actions/workflows/build_and_deploy.yml/badge.svg?branch=main)](https://github.com/hotosm/fmtm/actions/workflows/build_and_deploy.yml?query=branch%3Amain) [![Build CI Img](https://github.com/hotosm/fmtm/actions/workflows/build_ci_img.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/build_ci_img.yml) [![Build ODK Images](https://github.com/hotosm/fmtm/actions/workflows/build_odk_imgs.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/build_odk_imgs.yml) <br> [![Publish Docs](https://github.com/hotosm/fmtm/actions/workflows/docs.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/docs.yml) [![pre-commit.ci](https://results.pre-commit.ci/badge/github/hotosm/fmtm/development.svg)](https://results.pre-commit.ci/latest/github/hotosm/fmtm/development) |
 | :--- | :--- | :--- |
 | **Tech Stack** | | ![FastAPI](https://img.shields.io/badge/FastAPI-005571?style=for-the-badge&logo=fastapi) ![React](https://img.shields.io/badge/react-%2320232a.svg?style=for-the-badge&logo=react&logoColor=%2361DAFB) ![Svelte](https://img.shields.io/badge/Svelte-4A4A55?style=for-the-badge&logo=svelte) ![Postgres](https://img.shields.io/badge/postgres-%23316192.svg?style=for-the-badge&logo=postgresql&logoColor=white) ![Kubernetes](https://img.shields.io/badge/kubernetes-%23326ce5.svg?style=for-the-badge&logo=kubernetes&logoColor=white) ![Docker](https://img.shields.io/badge/docker-%230db7ed.svg?style=for-the-badge&logo=docker&logoColor=white) |
 | **Code Style** | | [![Backend Style](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/format.json&labelColor=202235)](https://github.com/astral-sh/ruff) [![Frontend Style](https://img.shields.io/badge/code%20style-prettier-F7B93E?logo=Prettier)](https://github.com/prettier/prettier) [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://pre-commit.com) |

compose.yaml

@@ -18,6 +18,7 @@
 name: fmtm
 
 volumes:
+  nginx-configs:
   fmtm_data:
   fmtm_db_data:
   fmtm_logs:
@@ -29,16 +30,20 @@ volumes:
 networks:
   fmtm-net:
     name: fmtm-${GIT_BRANCH:-local}
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.20.30.0/24
 
 services:
   proxy:
-    image: "ghcr.io/hotosm/fmtm/proxy:debug"
-    build:
-      context: nginx
-      target: debug
-      args:
-        NGINX_TAG: "${NGINX_TAG:-1.27.0}"
+    # Extend proxy-configs so environment var config is duplicated
+    extends:
+      service: proxy-config
+    image: "ghcr.io/bunkerity/bunkerweb:${BUNKERWEB_TAG:-1.6.0}"
     depends_on:
+      proxy-config:
+        condition: service_started
       api:
         condition: service_started
       ui:
@@ -56,13 +61,67 @@ services:
       electric:
         condition: service_started
     volumes:
-      - central_frontend:/usr/share/nginx/html/central
+      - nginx-configs:/etc/nginx
+      - central_frontend:/var/www/html/odk.fmtm.localhost:ro
     ports:
-      - ${FMTM_DEV_PORT:-7050}:80
+      - ${FMTM_DEV_PORT:-7050}:8080
     networks:
-      - fmtm-net
+      fmtm-net:
+        ipv4_address: 10.20.30.50
     restart: "unless-stopped"
 
+  # This is needed by bunkerweb, but we don't use it
+  proxy-config:
+    image: "ghcr.io/bunkerity/bunkerweb-scheduler:${BUNKERWEB_TAG:-1.6.0}"
+    environment:
+      # General
+      BUNKERWEB_INSTANCES: proxy:5000
+      LOG_LEVEL: notice
+      API_WHITELIST_IP: 127.0.0.0/8 10.20.30.0/24
+      MULTISITE: yes
+      USE_REVERSE_PROXY: yes
+      REVERSE_PROXY_INTERCEPT_ERRORS: no
+      ALLOWED_METHODS: OPTIONS|HEAD|GET|POST|PATCH|PUT|DELETE
+      USE_REAL_IP: yes
+      SERVE_FILES: yes
+      USE_BACKUP: no
+      USE_METRICS: no
+      # USE_ANTIBOT: yes
+      USE_BAD_BEHAVIOR: no
+      USE_LIMIT_REQ: no
+      USE_MODSECURITY: no
+      USE_BROTLI: yes
+      # Reverse proxy configs
+      SERVER_NAME: fmtm.localhost mapper.fmtm.localhost api.fmtm.localhost s3.fmtm.localhost sync.fmtm.localhost odk.fmtm.localhost odkcentral
+      fmtm.localhost_REVERSE_PROXY_HOST: http://ui:7051
+      fmtm.localhost_MAX_CLIENT_SIZE: 1G
+      mapper.fmtm.localhost_REVERSE_PROXY_HOST: http://ui-mapper:7055
+      mapper.fmtm.localhost_MAX_CLIENT_SIZE: 1G
+      api.fmtm.localhost_REVERSE_PROXY_HOST: http://api:8000
+      api.fmtm.localhost_MAX_CLIENT_SIZE: 1G
+      s3.fmtm.localhost_REVERSE_PROXY_HOST: http://s3:9000
+      s3.fmtm.localhost_MAX_CLIENT_SIZE: 10G
+      sync.fmtm.localhost_REVERSE_PROXY_HOST: http://electric:3000
+      sync.fmtm.localhost_MAX_CLIENT_SIZE: 1G
+      odk.fmtm.localhost_REVERSE_PROXY_HOST: http://central:8383
+      odk.fmtm.localhost_REVERSE_PROXY_URL: ~ ^/v\d
+      # buffer requests, but not responses, so streaming out works
+      odk.fmtm.localhost_REVERSE_PROXY_BUFFERING: no
+      odk.fmtm.localhost_MAX_CLIENT_SIZE: 500m
+      # Service for local development only to facilitate https odkcentral
+      odkcentral_REVERSE_PROXY_HOST: http://central:8383
+      odkcentral_REVERSE_PROXY_URL: ~ ^/v\d
+      odkcentral_REVERSE_PROXY_BUFFERING: no
+      # Custom cert only for local development
+      odkcentral_USE_CUSTOM_SSL: yes
+      odkcentral_AUTO_REDIRECT_HTTP_TO_HTTPS: no
+      odkcentral_CUSTOM_SSL_CERT_DATA: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI5RENDQVhtZ0F3SUJBZ0lVWXFyb0dWRVdsK204eU9OY2pUU2pCWThkckN3d0NnWUlLb1pJemowRUF3SXcKRlRFVE1CRUdBMVVFQXd3S2IyUnJZMlZ1ZEhKaGJEQWdGdzB5TkRBM01qTXhNakF6TVRWYUdBOHlNVEkwTURZeQpPVEV5TURNeE5Wb3dGVEVUTUJFR0ExVUVBd3dLYjJSclkyVnVkSEpoYkRCMk1CQUdCeXFHU000OUFnRUdCU3VCCkJBQWlBMklBQktSZmpOQVFzWUI0ekNXckdETHdKNEVIRDRTNW5rL1Z3aG00TmYwN203c0RTai9RTzlYK0JnNjIKeWlMbWVzT1ZMRExHRklpZXZ2aHIrZkxNY0YwUDQwN0FWKytER1o5bXZ6VmNwMVdZMlE5NllpTVVuelM3MWx0RQo4K3BXbFBmanRLT0JoekNCaERBZEJnTlZIUTRFRmdRVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dId1lEClZSMGpCQmd3Rm9BVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QXgKQmdOVkhSRUVLakFvZ2dwdlpHdGpaVzUwY21Gc2doUXFMbTlrYXk1bWJYUnRMbXh2WTJGc2FHOXpkSWNFQ2hRZQpNakFLQmdncWhrak9QUVFEQWdOcEFEQm1BakVBb2xuOGRubmlQN0dKSEJPQW4rTHVCV0ZhaUY1NHFZRmpTYyt1Clpia1cwY1pyNWw2VnZ6WVlBdGdWbUtOdTB5WWRBakVBMWlvT2JRTERYdDV3S1JPWjV5VUtmbys2T21IbTV1NWkKQU5LUHd2MExqc2ZIYk5hbzJMWnduK0VxTjNtdUpPNXEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+      odkcentral_CUSTOM_SSL_KEY_DATA: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JRzJBZ0VBTUJBR0J5cUdTTTQ5QWdFR0JTdUJCQUFpQklHZU1JR2JBZ0VCQkRCc21pQjBmUU5hR1VobEdpWnMKNks1YVo1K1hUOVM1cFdlWkhZc05SVXRlK2FRZ1hIK0pTSmpwRnFqRnNLN21abldoWkFOaUFBU2tYNHpRRUxHQQplTXdscXhneThDZUJCdytFdVo1UDFjSVp1RFg5TzV1N0Ewby8wRHZWL2dZT3Rzb2k1bnJEbFN3eXhoU0lucjc0CmEvbnl6SEJkRCtOT3dGZnZneG1mWnI4MVhLZFZtTmtQZW1JakZKODB1OVpiUlBQcVZwVDM0N1E9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+    networks:
+      - fmtm-net
+    restart: "no"
+    entrypoint: timeout 120 ./entrypoint.sh
+
   api:
     image: "ghcr.io/hotosm/fmtm/backend:${TAG_OVERRIDE:-debug}"
     build:
@@ -101,6 +160,8 @@ services:
     #   - "5678-5679:5678" # Debugger port
     networks:
       - fmtm-net
+    extra_hosts:
+      odkcentral: 10.20.30.50
     restart: "unless-stopped"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8000/__lbheartbeat__"]
@@ -173,8 +234,10 @@ services:
         condition: service_healthy
       s3:
         condition: service_healthy
+      pyxform:
+        condition: service_started
     environment:
-      - DOMAIN=${CENTRAL_DOMAIN_OVERRIDE:-odk.${FMTM_DOMAIN}:${FMTM_DEV_PORT:-7050}}
+      - DOMAIN=${FMTM_ODK_DOMAIN:-odk.fmtm.localhost}:${FMTM_DEV_PORT:-7050}
       - SSL_TYPE=upstream
       - SYSADMIN_EMAIL=${ODK_CENTRAL_USER}
       - SYSADMIN_PASSWD=${ODK_CENTRAL_PASSWD}

contrib/just/build/Justfile

@@ -40,3 +40,24 @@ alias:
   else
       echo "'dc' alias already exists in ~/.bashrc."
   fi
+
+# Generate certs for local ODK Central https
+[no-cd]
+gen-odk-cert:
+    #!/usr/bin/env sh
+    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -days 36500 \
+    -nodes -keyout odkcentral.key -out odkcentral.crt -subj "/CN=odkcentral" \
+    -addext "subjectAltName=DNS:odkcentral,DNS:*.odk.fmtm.localhost,IP:10.20.30.50"
+
+    CERT_BASE64=$(cat odkcentral.crt | base64 -w0)
+    KEY_BASE64=$(cat odkcentral.key | base64 -w0)
+
+    echo
+    echo "Cert base64:"
+    echo
+    echo ${CERT_BASE64}
+    echo
+    echo "Key base64:"
+    echo
+    echo ${KEY_BASE64}
+    echo