8 changed files with 0 additions and 500 deletions
--- a/.env
+++ b/.env
@ -1,18 +0,0 @@
 ALFRESCO_DIR=~/alfresco
 ALFRESCO_LICENSE_DIR=~/alfresco/license
 PROXY_PROTOCOL=http
 PROXY_HOST=localhost
 PROXY_PORT=8080
 IDENTITY_SERVICE_PROTOCOL=http
 IDENTITY_SERVICE_HOST=auth.example.org
 IDENTITY_SERVICE_PORT=8080
 ACS_TAG=7.4.1.1
 ATE_AIO_TAG=4.0.0
 AAMQ_TAG=latest
 POSTGRES_TAG=13
 ASIE_TAG=2.0.8.2
 APS_TAG=2.4.1
 AIS_TAG=1.8.0.1
 ACS_SHARE_TAG=7.4.1.2
--- a/README.md
+++ b/README.md
@ -3,10 +3,3 @@
 This Git Repository intends to represent environments in Docker Compose.  All environments are effectively a derivative of other environments.  The original environment is the environment represented by the `base` branch.  All derivative environments are represented by other branches.  Those branches are named in the format `{core}.{parent}`.
 ## Licensing
 This version of Alfresco requires licensing.
 ### APS
 APS requires a license file for it to work.  For licensing to work, you must place your license file in the following directory relative to the user home directory that runs the Docker Compose command: `alfresco/license/aps`.  The filename must be `activiti.lic`.  You can use symbolic linking if desired.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,148 +1,3 @@
 # Originally sourced from https://github.com/Alfresco/acs-deployment/blob/4.0.3/docker-compose/docker-compose.yml
 #
 version: "3"
 services:
    platform:
        image: alfresco/alfresco-content-repository-community:${ACS_TAG}
        environment:
            JAVA_TOOL_OPTIONS: "
                -Dencryption.keystore.type=JCEKS
                -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
                -Dencryption.keyAlgorithm=DESede
                -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore
                -Dmetadata-keystore.password=mp6yc0UD9e
                -Dmetadata-keystore.aliases=metadata
                -Dmetadata-keystore.metadata.password=oKIWzVdEdA
                -Dmetadata-keystore.metadata.algorithm=DESede
                "
            JAVA_OPTS: "
                -Xms512m -Xmx1g
                -Ddb.driver=org.postgresql.Driver
                -Ddb.username=alfresco
                -Ddb.password=alfresco
                -Ddb.url=jdbc:postgresql://postgres-acs:5432/alfresco
                -Dindex.subsystem.name=solr6
                -Dsolr.host=search
                -Dsolr.secureComms=secret
                -Dsolr.sharedSecret=alfresco-secret
                -Dalfresco.host=${PROXY_HOST}
                -Dalfresco.port=${PROXY_PORT}
                -Dalfresco.protocol=${PROXY_PROTOCOL}
                -Daos.baseUrlOverwrite=${PROXY_PROTOCOL}://${PROXY_HOST}:${PROXY_PORT}/alfresco/aos
                -Dmessaging.broker.url=\"failover:(nio://activemq:61616)?timeout=3000&jms.useCompression=true\"
                -Ddeployment.method=DOCKER_COMPOSE
                -DlocalTransform.core-aio.url=http://transform-core-aio:8090/
                -Dalfresco-pdf-renderer.url=http://transform-core-aio:8090/
                -Djodconverter.url=http://transform-core-aio:8090/
                -Dimg.url=http://transform-core-aio:8090/
                -Dtika.url=http://transform-core-aio:8090/
                -Dtransform.misc.url=http://transform-core-aio:8090/
                -Dcsrf.filter.enabled=false
                -Dcors.enabled=true
                -Dcors.allowed.origins=http://localhost:4200,http://localhost:8080,${PROXY_PROTOCOL}://${PROXY_HOST}
                -Dtransform.service.enabled=false
                -Dlocal.transform.service.enabled=true
                -Dauthentication.chain=aims:identity-service,builtin:alfrescoNtlm
                -Didentity-service.authentication.defaultAdministratorUserNames=admin.1
                -Didentity-service.auth-server-url=http://identity:8080/auth
                -Dsystem.content.eagerOrphanCleanup=true
                -Dsystem.content.orphanProtectDays=0
                -Djodconverter.enabled=false
                "
        depends_on:
            postgres-acs:
                condition: service_started
            activemq:
                condition: service_started
            identity:
                condition: service_healthy
    transform-core-aio:
        image: alfresco/alfresco-transform-core-aio:${ATE_AIO_TAG}
    postgres-acs:
        image: postgres:${POSTGRES_TAG}
        environment:
            POSTGRES_PASSWORD: alfresco
            POSTGRES_USER: alfresco
            POSTGRES_DB: alfresco
        command: postgres -c max_connections=300 -c log_min_messages=LOG
    search:
        image: alfresco/alfresco-search-services:${ASIE_TAG}
        environment:
            SOLR_ALFRESCO_HOST: platform
            SOLR_SOLR_HOST: search
            SOLR_CREATE_ALFRESCO_DEFAULTS: alfresco,archive
            ALFRESCO_SECURE_COMMS: secret
            JAVA_TOOL_OPTIONS: "
                -Dalfresco.secureComms.secret=alfresco-secret
                "
        healthcheck:
            test: "curl -fsS http://localhost:8983/solr"
    activemq:
        image: alfresco/alfresco-activemq:${AAMQ_TAG}
        environment:
            ACTIVEMQ_OPTS_MEMORY: -Xms64m -Xmx256m
            ACTIVEMQ_ADMIN_LOGIN: alfresco
            ACTIVEMQ_ADMIN_PASSWORD: alfresco
    activiti-app:
        image: quay.io/alfresco/alfresco-process-services:${APS_TAG}
        environment:
            ACTIVITI_DATASOURCE_USERNAME: alfresco
            ACTIVITI_DATASOURCE_PASSWORD: alfresco
            ACTIVITI_DATASOURCE_DRIVER: org.postgresql.Driver
            ACTIVITI_HIBERNATE_DIALECT: org.hibernate.dialect.PostgreSQLDialect
            ACTIVITI_DATASOURCE_URL: 'jdbc:postgresql://postgres-aps:5432/activiti?characterEncoding=UTF-8'
            IDENTITY_SERVICE_ENABLED: "true"
            IDENTITY_SERVICE_AUTH: http://identity:8080/auth
            IDENTITY_SERVICE_CONTENT_SSO_REDIRECT_URI: ${PROXY_PROTOCOL}://${PROXY_HOST}:${PROXY_PORT}/activiti-app/app/rest/integration/sso/confirm-auth-request
            JAVA_OPTS: "-Xms128m -Xmx256m"
        depends_on:
            - postgres-aps
        volumes:
            - "$ALFRESCO_LICENSE_DIR/aps:/home/alfresco/.activiti/enterprise-license:ro"
    postgres-aps:
        image: postgres:${POSTGRES_TAG}
        environment:
            POSTGRES_DB: activiti
            POSTGRES_USER: alfresco
            POSTGRES_PASSWORD: alfresco
        command: postgres -c max_connections=300 -c log_min_messages=LOG
    identity:
        image: alfresco/alfresco-identity-service:${AIS_TAG}
        user: jboss
        environment:
            KEYCLOAK_USER: admin
            KEYCLOAK_PASSWORD: admin
            KEYCLOAK_FRONTEND_URL: ${IDENTITY_SERVICE_PROTOCOL}://${IDENTITY_SERVICE_HOST}:${IDENTITY_SERVICE_PORT}/auth
            KEYCLOAK_IMPORT: /tmp/keycloak-alfresco-realm.json
            KEYCLOAK_STATISTICS: enabled
        networks:
            default:
                aliases:
                    - "${IDENTITY_SERVICE_HOST}"
        healthcheck:
            test: ["CMD", "curl", "-f", "http://localhost:8080/auth/realms/alfresco"]
            interval: 10s
            timeout: 10s
            # Really long startup times on Windows
            retries: 18
        volumes:
            - ./keycloak-alfresco-realm.json:/tmp/keycloak-alfresco-realm.json:ro
    proxy:
        build: ./nginx-ingress
        image: local/nginx-ingress:acs-aps-aims
        ports:
            - 8080:8080
        depends_on:
            - platform
            - activiti-app
            - identity
--- a/keycloak-alfresco-realm.json
+++ b/keycloak-alfresco-realm.json
@ -1,62 +0,0 @@
 {
  "realm": "alfresco",
  "enabled": true,
  "sslRequired": "external",
  "registrationAllowed": false,
  "roles": {
    "realm": [ {
      "name": "user",
      "description": "User privileges"
    }, {
      "name": "admin",
      "description": "Administrator privileges"
    } ]
  },
  "clients": [
    {
      "clientId": "alfresco",
      "name": "Alfresco Products",
      "enabled": true,
      "alwaysDisplayInConsole": false,
      "redirectUris": [ "*" ],
      "standardFlowEnabled": true,
      "implicitFlowEnabled": true,
      "directAccessGrantsEnabled": false,
      "publicClient": true,
      "protocol": "openid-connect",
      "attributes": {
        "login_theme": "alfresco"
      }
    },
    {
      "clientId": "acs-share",
      "name": "ACS Share",
      "enabled": true,
      "alwaysDisplayInConsole": false,
      "redirectUris": [ "*" ],
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "publicClient": true,
      "protocol": "openid-connect",
      "attributes": {
        "login_theme": "alfresco"
      }
    }
  ],
  "requiredCredentials": [ "password" ],
  "users": [
    {
      "username": "admin",
      "email": "admin@app.activiti.com",
      "enabled": true,
      "credentials" : [
        {
          "type" : "password",
          "value" : "admin"
        }
      ],
      "realmRoles": [ "user", "admin" ]
    }
  ]
 }
--- a/nginx-ingress/Dockerfile
+++ b/nginx-ingress/Dockerfile
@ -1,8 +0,0 @@
 FROM nginx:stable-alpine
 COPY nginx.conf /etc/nginx/nginx.conf
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 ENTRYPOINT [ "/entrypoint.sh" ]
--- a/nginx-ingress/entrypoint.sh
+++ b/nginx-ingress/entrypoint.sh
@ -1,19 +0,0 @@
 #!/bin/sh
 if [[ $ACS_PLATFORM_URL ]]; then
  sed -i s%http:\/\/platform:8080%"$ACS_PLATFORM_URL"%g /etc/nginx/nginx.conf
 fi
 if [[ $APS_APP_URL ]]; then
  sed -i s%http:\/\/activiti-app:8080%"$APS_APP_URL"%g /etc/nginx/nginx.conf
 fi
 if [[ $AIMS_URL ]]; then
  sed -i s%http:\/\/identity:8080%"$AIMS_URL"%g /etc/nginx/nginx.conf
 fi
 if [[ $ACCESS_LOG ]]; then
  sed -i s%\#ENV_ACCESS_LOG%"access_log $ACCESS_LOG;"%g /etc/nginx/nginx.conf
 fi
 nginx -g "daemon off;"
--- a/nginx-ingress/nginx.conf
+++ b/nginx-ingress/nginx.conf
@ -1,66 +0,0 @@
 worker_processes  1;
 events {
    worker_connections  1024;
 }
 http {
    server {
        listen *:8080;
        client_max_body_size 0;
        set  $allowOriginSite *;
        proxy_pass_request_headers on;
        proxy_pass_header Set-Cookie;
        # External settings, do not remove
        #ENV_ACCESS_LOG
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
 #        proxy_buffering off;
        proxy_buffer_size	64k;
        proxy_buffers		4 256k;
        proxy_busy_buffers_size	256k;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass_header Set-Cookie;
        # Protect access to SOLR APIs
        location ~ ^(/.*/service/api/solr/.*)$ {return 403;}
        location ~ ^(/.*/s/api/solr/.*)$ {return 403;}
        location ~ ^(/.*/wcservice/api/solr/.*)$ {return 403;}
        location ~ ^(/.*/wcs/api/solr/.*)$ {return 403;}
        location ~ ^(/.*/proxy/alfresco/api/solr/.*)$ {return 403 ;}
        location ~ ^(/.*/-default-/proxy/alfresco/api/.*)$ {return 403;}
        # Protect access to Prometheus endpoint
        location ~ ^(/.*/s/prometheus)$ {return 403;}
        location / {
            proxy_pass http://platform:8080;
        }
        location /alfresco/ {
            proxy_pass http://platform:8080;
        }
        location /activiti-app/ {
            proxy_pass http://activiti-app:8080;
            # If using external proxy / load balancer (for initial redirect if no trailing slash)
            absolute_redirect off;
        }
        location /auth/ {
            proxy_pass http://identity:8080;
            # If using external proxy / load balancer (for initial redirect if no trailing slash)
            absolute_redirect off;
        }
    }
 }
--- a/server.xml
+++ b/server.xml
@ -1,175 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
 -->
 <!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
 <Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" logArgs="false" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!-- APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">
    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               Server=" "
               connectionTimeout="20000"
               redirectPort="8443"
               proxyName="alfresco.inteligr8.com" proxyPort="443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               proxyHost="alfresco.inteligr8.com" proxyPort="443" />
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->
    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->
    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->
      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->
        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
 	<Valve className="org.apache.catalina.valves.RemoteIpValve" />
      </Host>
    </Engine>
  </Service>
 </Server>