more bugfix namespace problm and pangeapilot files

.env.example

@@ -10,6 +10,58 @@
 # specially useful if you want to deploy in a specific domain
 #MUSICIAN_API_BASE_URL='https://orchestra.example.org'
 #MUSICIAN_ALLOWED_HOSTS='musician.example.org'
+
+# DEVICEHUB
+####
+
+# Please fill in these three variables
+DEVICEHUB_API_DLT='http://$FIXME_IP_API_DLT'
+DEVICEHUB_API_DLT_TOKEN=$FIXME_TOKEN
+DEVICEHUB_API_RESOLVER='http://$FIXME_IP_API_RESOLVER'
+# you might change or register ID_FEDERATED if you change DEVICEHUB_HOST
+DEVICEHUB_ID_FEDERATED='DH12'
+# TODO this should be guessed by DEVICEHUB_HOST, and avoid hardcode of ID_FEDERATED
+DEVICEHUB_SERVER_ID_FEDERATED='DH12'
+DEVICEHUB_CLIENT_ID_FEDERATED='DH20'
+
+# Database Variables
+DEVICEHUB_DB_USER='dhub'
+DEVICEHUB_DB_PASSWORD='ereuse'
+DEVICEHUB_DB_HOST='localhost'
+DEVICEHUB_DB_DATABASE='dpp'
+DEVICEHUB_SCHEMA='dbtest'
+DEVICEHUB_DB_SCHEMA='dbtest'
+
+#DEVICEHUB_SERVER_ID_DEVICEHUB_HOST='http://devicehub-server-id.example.com'
+DEVICEHUB_SERVER_ID_DEVICEHUB_HOST='http://localhost:5000'
+#DEVICEHUB_CLIENT_ID_DEVICEHUB_HOST='http://devicehub-client-id.example.com'
+DEVICEHUB_CLIENT_ID_DEVICEHUB_HOST='http://localhost:5001'
+DEVICEHUB_SERVER_ID_SERVICE='server_id'
+DEVICEHUB_CLIENT_ID_SERVICE='client_id'
+DEVICEHUB_HOST='localhost'
+
+DEVICEHUB_EMAIL_DEMO='user@example.com'
+DEVICEHUB_SERVER_ID_EMAIL_DEMO='user5000@example.com'
+DEVICEHUB_CLIENT_ID_EMAIL_DEMO='user5001@example.com'
+DEVICEHUB_PASSWORD_DEMO='1234'
+
+DEVICEHUB_JWT_PASS='uncomment-it-and-fill-this'
+DEVICEHUB_SECRET_KEY='uncomment-it-and-fill-this'
+
+# important to import snapshots (step 15)
+#   rel path starts with ./
+DEVICEHUB_SNAPSHOTS_PATH='./examples/snapshots'
+#   full path starts with /
+#DEVICEHUB_SNAPSHOTS_PATH='/tmp/dhub_docker/snapshots'
+DEVICEHUB_IMPORT_SNAPSHOTS='n'
+
+# If you have a URL_MANUALS implementation, please change this url
+DEVICEHUB_URL_MANUALS='http://localhost:4000'
+
+# on devicehub without dpp case, uncomment for a production deployment.
+#   That is, use of gunicorn instead of a debug python server
+#DEVICEHUB_DEPLOYMENT='PROD'
+
 # IDHUB
 ####
 
@@ -17,6 +69,7 @@ IDHUB_TIME_ZONE='Europe/Madrid'
 #IDHUB_SECRET_KEY='uncomment-it-and-fill-this'
 # enable dev flags when DEVELOPMENT deployment
 IDHUB_DEPLOYMENT='DEVELOPMENT'
+#IDHUB_DEPLOYMENT='PROD'
 # adapt to your domain in a production/reverse proxy env
 IDHUB_CSRF_TRUSTED_ORIGINS='https://idhub.example.org'
 
@@ -34,3 +87,27 @@ IDHUB_EMAIL_BACKEND="django.core.mail.backends.smtp.EmailBackend"
 IDHUB_USER='admin'
 IDHUB_PASSWD='admin'
 IDHUB_EMAIL='admin@example.org'
+
+# AUTHENTIK aka goauthentik
+####
+
+AUTHENTIK_PG_PASS=goauthentik
+AUTHENTIK_PG_USER=goauthentik
+AUTHENTIK_PG_DB=goauthentik
+AUTHENTIK_SECRET_KEY=fixme_EMeeeT-$DEzm{4%=qo2L8!A=b3H-8HV>ycCs2vP+C
+
+# SMTP Host Emails are sent to
+AUTHENTIK_EMAIL__HOST='smtp.pangea.org'
+AUTHENTIK_EMAIL__PORT=587
+# Optionally authenticate (don't add quotation marks to your password)
+AUTHENTIK_EMAIL__USERNAME='fixme_H6v<MIBmni23=uuc@y'
+AUTHENTIK_EMAIL__PASSWORD=fixme_T?Q|19r{P<e_cGq29E
+AUTHENTIK_EMAIL__USE_TLS=true
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM='noreply@example.org'
+
+AUTHENTIK_BOOTSTRAP_EMAIL='admin@example.org'
+AUTHENTIK_BOOTSTRAP_TOKEN='fixme_!dN94KJ%Uz%f?+NES'
+AUTHENTIK_BOOTSTRAP_PASSWORD='fixme_<1|-@4-yDsat@p>XES'

.gitignore

@@ -7,5 +7,5 @@ django-orchestra
 django-musician
 IdHub
 
-idhub1__pilot-xo9b/
-idhub2__pilot-xo9b/
+idhub1__*
+idhub2__*

Makefile

@@ -9,6 +9,7 @@ project := dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral
 orchestra_branch := `git -C django-orchestra branch --show-current`
 orchestra_commit := `git -C django-orchestra log -1 --format=%h`
 orchestra_tag := ${orchestra_branch}__${orchestra_commit}
+orchestra_tag := latest
 orchestra_image := ${project}/orchestra:${orchestra_tag}
 
 ####
@@ -18,8 +19,21 @@ orchestra_image := ${project}/orchestra:${orchestra_tag}
 musician_branch := `git -C django-musician branch --show-current`
 musician_commit := `git -C django-musician log -1 --format=%h`
 musician_tag := ${musician_branch}__${musician_commit}
+musician_tag := latest
 musician_image := ${project}/musician:${musician_tag}
 
+####
+# devicehub image tag
+####
+
+# TODO
+
+devicehub_branch := `git -C devicehub-teal branch --show-current`
+devicehub_commit := `git -C devicehub-teal log -1 --format=%h`
+devicehub_tag := ${devicehub_branch}__${devicehub_commit}
+devicehub_tag := latest
+devicehub_image := ${project}/devicehub:${devicehub_tag}
+
 ####
 # idhub image tag
 ####
@@ -27,15 +41,16 @@ musician_image := ${project}/musician:${musician_tag}
 idhub_branch := `git -C IdHub branch --show-current`
 idhub_commit := `git -C IdHub log -1 --format=%h`
 idhub_tag := ${idhub_branch}__${idhub_commit}
+idhub_tag := latest
 idhub_image := ${project}/idhub:${idhub_tag}
 
 .PHONY: idhub_build
 idhub_build:
-	docker build -f docker/idhub.Dockerfile -t ${idhub_image} -t ${project}/idhub:latest .
+	docker build -f docker/idhub.Dockerfile -t ${idhub_image} -t ${project}/idhub:${idhub_branch}__latest .
 
 docker_build:
 	docker build -f docker/orchestra.Dockerfile -t ${orchestra_image}  -t ${project}/orchestra:latest .
-	#docker build -f docker/musician.Dockerfile -t ${musician_image}  -t ${project}/musician:latest .
+	docker build -f docker/musician.Dockerfile -t ${musician_image}  -t ${project}/musician:latest .
 	$(MAKE) idhub_build
 	@printf "\n##########################\n"
 	@printf "\nimage: ${orchestra_image}\n"

docker-compose__pilot-lafede.yml

@@ -2,7 +2,6 @@ version: "3.9"
 services:
 
   idhub1:
-    container_name: idhub1
     init: true
     image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
     environment:

docker-compose__pilot-pangea.yml

@@ -0,0 +1,159 @@
+version: "3.9"
+services:
+
+  orchestra:
+    init: true
+    image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/orchestra:latest
+    environment:
+      - SECRET_KEY=${ORCHESTRA_SECRET_KEY:-publicsecretisnotsecureVtmKBfxpVV47PpBCF2Nzz2H6qnbd}
+    ports:
+      - "9080:9080"
+    # TODO configure volumes
+    #volumes:
+    #  - .:/home
+
+  musician:
+    init: true
+    image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/musician:latest
+    ports:
+      - "8080:8080"
+    environment:
+      - SECRET_KEY=${MUSICIAN_SECRET_KEY:-publicsecretisnotsecureVtmKBfxpVV47PpBCF2Nzz2H6qnbd}
+      - API_BASE_URL=${MUSICIAN_API_BASE_URL:-http://nginx-orchestra-api:3000}
+      - ALLOWED_HOSTS=${MUSICIAN_ALLOWED_HOSTS:-*}
+    # TODO configure volumes
+    #volumes:
+    #  - .:/home
+
+  # WARNING: this containers is hardcoded and is only useful in localhost deployments
+  #   and as a reference for reachable deployments
+  nginx-orchestra-api:
+    image: nginx
+    ports:
+      - 3000:3000
+    volumes:
+      # src https://hub.docker.com/_/nginx
+      # src https://github.com/docker-library/docs/tree/master/nginx#complex-configuration
+      - ./docker/nginx-orchestra-api.nginx.conf:/etc/nginx/nginx.conf:ro
+
+  idhub:
+    init: true
+    image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
+    environment:
+      - DEPLOYMENT=${IDHUB_DEPLOYMENT}
+      - SECRET_KEY=${IDHUB_SECRET_KEY:-publicsecretisnotsecureVtmKBfxpVV47PpBCF2Nzz2H6qnbd}
+      - ALLOWED_HOSTS=${IDHUB_ALLOWED_HOSTS:-*}
+      - STATIC_ROOT=${IDHUB_STATIC_ROOT:-/static/}
+      - MEDIA_ROOT=${IDHUB_MEDIA_ROOT:-/media/}
+      - PORT=${IDHUB_PORT:-9001}
+      - DJANGO_SUPERUSER_USERNAME=${IDHUB_USER}
+      - DJANGO_SUPERUSER_PASSWORD=${IDHUB_PASSWD}
+      - DJANGO_SUPERUSER_EMAIL=${IDHUB_EMAIL}
+      - CSRF_TRUSTED_ORIGINS=https://idhub1-xo9b.demo.pangea.org
+      - DEFAULT_FROM_EMAIL=${IDHUB_DEFAULT_FROM_EMAIL}
+      - EMAIL_HOST=${IDHUB_EMAIL_HOST}
+      - EMAIL_HOST_USER=${IDHUB_EMAIL_HOST_USER}
+      - EMAIL_HOST_PASSWORD=${IDHUB_EMAIL_HOST_PASSWORD}
+      - EMAIL_PORT=${IDHUB_EMAIL_PORT}
+      - EMAIL_USE_TLS=${IDHUB_EMAIL_USE_TLS}
+      - EMAIL_BACKEND=${IDHUB_EMAIL_BACKEND}
+      - RESPONSE_URI=https://idhub1-xo9b.demo.pangea.org/oidc4vp/
+      - ALLOW_CODE_URI=https://idhub1-xo9b.demo.pangea.org/oidc4vp/allow_code
+      - SUPPORTED_CREDENTIALS=['MembershipCard']
+    ports:
+      - 9021:9001
+
+  # from https://goauthentik.io/docs/installation/docker-compose
+  #   https://goauthentik.io/docker-compose.yml
+  ga_postgresql:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - ga_database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: ${AUTHENTIK_PG_PASS:?database password required}
+      POSTGRES_USER: ${AUTHENTIK_PG_USER:-authentik}
+      POSTGRES_DB: ${AUTHENTIK_PG_DB:-authentik}
+    env_file:
+      - .env
+  ga_redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - ga_redis:/data
+  ga_server:
+    image: ${AUTHENTIK_AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_AUTHENTIK_TAG:-2023.10.5}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: ga_redis
+      AUTHENTIK_POSTGRESQL__HOST: ga_postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
+      AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST}
+      AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT}
+      AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME}
+      AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD}
+      AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS}
+      AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL}
+      AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT}
+      AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM}
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+    env_file:
+      - .env
+    ports:
+      - "${COMPOSE_PORT_HTTP:-9000}:9000"
+      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+    depends_on:
+      - ga_postgresql
+      - ga_redis
+  ga_worker:
+    image: ${AUTHENTIK_AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_AUTHENTIK_TAG:-2023.10.5}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: ga_redis
+      AUTHENTIK_POSTGRESQL__HOST: ga_postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+    env_file:
+      - .env
+    depends_on:
+      - ga_postgresql
+      - ga_redis
+
+volumes:
+  shared:
+  ga_database:
+    driver: local
+  ga_redis:
+    driver: local

docker-compose__pilot-setem.yml

@@ -2,7 +2,6 @@ version: "3.9"
 services:
 
   idhub1:
-    container_name: idhub1
     init: true
     image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
     environment:
@@ -33,7 +32,6 @@ services:
       - sharedsecret:/sharedsecret:rw
 
   idhub2:
-    container_name: idhub2
     init: true
     image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
     environment:

docker-compose__pilot-xo9b.yml

@@ -2,7 +2,6 @@ version: "3.9"
 services:
 
   idhub1:
-    container_name: idhub1
     init: true
     image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
     environment:
@@ -33,7 +32,6 @@ services:
       - sharedsecret:/sharedsecret:rw
 
   idhub2:
-    container_name: idhub2
     init: true
     image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
     environment: