OPC # 0001: Extract OPC into standalone repo

2026-04-25 17:26:42 -04:00
commit 42383bdc03
170 changed files with 21365 additions and 0 deletions
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIUS0kgcdXIrlOk/K6g2bfLDRycqk8wDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOKi5jbGFyaXR5LnRlc3QwHhcNMjYwNDI0MjIwMDUzWhcN
+MjgwNzI3MjIwMDUzWjAZMRcwFQYDVQQDDA4qLmNsYXJpdHkudGVzdDCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWAJ62tsrnMaMnF3NR2Yfv1LKS9IRfm
+sTtTWba7D8fcs9JXGlEn+vMa10AjV91yaSQoQdwLCOwkF58CmLBs0K+vvPoLgvcZ
+BQxVrBj0t1YlTwLcez8vEgb2tHKGo914T/YLh+clF8oig9tIIiTNbngUGabpWUym
+vPllDQ8nB0m4IkHbMAhgdDUG9X5Vc/lWHW6gxhRiUQt7HLqWJ2lLleQR5qEqRQx+
+RmtseS11jhzwDYf1VVzQ2AE2tUaq82p0cZAF8uFZnESuv1Hcu+1KBfjCaGXJ/485
+gg1q01sYhAkX0LAK/CqRBOd7zp9cDm3NX0tLBj4Gek6h0kFGkmRtAmcCAwEAAaNb
+MFkwHQYDVR0OBBYEFJNI82Atz7k2pa2IZECO9aG30dnHMA8GA1UdEwEB/wQFMAMB
+Af8wJwYDVR0RBCAwHoIOKi5jbGFyaXR5LnRlc3SCDGNsYXJpdHkudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAO5MyjFXcOZeEwPJRel8Mvg1HRwu97tL/BB9Hb13JWzdx
+FBBqwOdRrG8IB7byXLjH1ng4xMM+WI9yeZ29bV/PcrZwermGNzU+ob1SrvJYh0hb
+sX0zeXKjKDGMsdlyZAERnvGOxlPzNtYRpeSD7h3qKtuzJiReCNdGzSh+2bLfxEIb
+wTJJNgnXRA4GGK5zghmzOEpq/w8sqpB4hLz9OK8a33QOKp79LrfyT1B9uZq4uHZ8
+SvTX89KZOGmUQraF/6QvL3CcMutwzf4unKxyaStflrcGjCn/eEe8Ea3IWL1EwU8K
+9JvyDvWgv7oib7FA2BZGbYvT+wsFjiFBzTcWUX132g==
+-----END CERTIFICATE-----
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFgCetrbK5zGjJ
+xdzUdmH79SykvSEX5rE7U1m2uw/H3LPSVxpRJ/rzGtdAI1fdcmkkKEHcCwjsJBef
+ApiwbNCvr7z6C4L3GQUMVawY9LdWJU8C3Hs/LxIG9rRyhqPdeE/2C4fnJRfKIoPb
+SCIkzW54FBmm6VlMprz5ZQ0PJwdJuCJB2zAIYHQ1BvV+VXP5Vh1uoMYUYlELexy6
+lidpS5XkEeahKkUMfkZrbHktdY4c8A2H9VVc0NgBNrVGqvNqdHGQBfLhWZxErr9R
+3LvtSgX4wmhlyf+POYINatNbGIQJF9CwCvwqkQTne86fXA5tzV9LSwY+BnpOodJB
+RpJkbQJnAgMBAAECggEAGc9MICXNb/t3DDtHxxorZuZc7bBrpTh4G9UiKb+badZ9
+R3UrksSDRobQ72hPALkFZXy/Upa8lUOINLb9pjyqLvNr4k9jz4/c+YYupdpBJUhd
+4XVXw+OOWwudfEP9ISGqbXCHU50k1T0adysfjyirkZSq34WqLlqx4nOit8K1cJwc
+5+jvApwOPz6zf9kFJYjybbUSPO8bFLVTpjs3hgUzaCMkYMn6R/5bR5SMeqCbZILB
+fkGm+KaeS3cIY7PhDhSoiWJUR5/ZsaoT5s1IM5aGTe62XVY5eoMixYEibx/e68XC
+eL3eWO304QU6AgMKHFhtTKFpnJHlyV/gu084/xWC7QKBgQD9lrkRgDDMXfuDtFRr
+LiQ3QFEmmj0m2ekHIpdZDY3rJ0bbQzTw4cqWs437qMKcTczK70mfxp/IjPoky+8i
+bSlm/pR+U/YwsgK0dxGLzHbIQYYQdI4BjBsysNOvxnKUxRciAMpIW5ULGKYUkCde
+dhH5c2Rmve0yq6MYJ8DCOTXCwwKBgQDHYOd50Tjw5i+a5wcHEsfY+r/Vsu1u1BrS
+/sdpJ+dKxx50TQO4F7tnrugwJ9cvxPDGQApDHFbIwn70zQuDNvYLD2CTtwHoJHx/
+wuP3p0Rw3DmhKI9CN0oXclqNV3PZ54PZ2M5HEl0zkpoIse4YtWc0uyO6RKVHHtPr
+jGjTKeZ/jQKBgAc7XinGmx2o7HxUDzhDR5sfxXCxY18RRdkDPoe2oD59j0K/hun7
+tnhXxIvRw0ML4PREoLfixTnF83hLLJWxwUWDqx5zLIk0+mjFIIX5HcYWQEmF2Wrn
+4PqwGklgAnKFsGQy25H2sqhvWoUpm0XRXi/b/5gCgJo6VNtiftfLI+JbAoGAC496
+3H1dJ9qw9/JdXfOg0tv3M5TkX4C87W8IcPh3WMai5Wtxw8Lcgu6JWAF3YLWyoEwm
+TC3gelOMuPUKrdkJ+yoxF1+NJMC410+dmEaCmWirjsSjSdua2DExPvDLLt9VrdP8
+YfKWpN7jP43RmG0sRspzD+HbE3yeHRJPIa9URiECgYEAyxOOXDCQSPifgIRZe5hr
+u+WsMukUypizXq36/ydCfMD7HcPOgO6bNkNsh6WlaaNrFQwR2O96V0BvrSAI242a
+bTEyUx7fTwoZmn/8O6/WIwkyYolixNYbClcAIopbOXxJ9bJ1KqS47mHv1RrQ8FqN
+OpJWMvrAktqNT5tjDeIj6mc=
+-----END PRIVATE KEY-----
@@ -0,0 +1,2 @@
+# Placeholder so the conf.d directory is tracked by git and exists at container mount time.
+# The provisioning worker writes per-tenant .conf files here at runtime.
@@ -0,0 +1,19 @@
+# Auto-generated by ControlPlane.Worker — do not edit manually.
+# Tenant: fdev-app-clarity-01000000
+server {
+    listen 443 ssl;
+    server_name fdev-app-clarity-01000000.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        # Docker DNS resolves the container name on the managed network
+        set $upstream http://fdev-app-clarity-01000000:8080;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,19 @@
+# Auto-generated by ControlPlane.Worker — do not edit manually.
+# Tenant: fdev-app-clarity-02000000
+server {
+    listen 443 ssl;
+    server_name fdev-app-clarity-02000000.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        # Docker DNS resolves the container name on the managed network
+        set $upstream http://fdev-app-clarity-02000000:8080;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,19 @@
+# Auto-generated by ControlPlane.Worker — do not edit manually.
+# Tenant: fdev-app-clarity-03000000
+server {
+    listen 443 ssl;
+    server_name fdev-app-clarity-03000000.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        # Docker DNS resolves the container name on the managed network
+        set $upstream http://fdev-app-clarity-03000000:8080;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,19 @@
+# Auto-generated by ControlPlane.Worker — do not edit manually.
+# Tenant: fdev-app-clarity-04000000
+server {
+    listen 443 ssl;
+    server_name fdev-app-clarity-04000000.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        # Docker DNS resolves the container name on the managed network
+        set $upstream http://fdev-app-clarity-04000000:8080;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,21 @@
+server {
+    listen 443 ssl;
+    server_name opc.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    # Git over HTTP needs larger body and longer timeouts
+    client_max_body_size 100m;
+    proxy_read_timeout   300s;
+    proxy_send_timeout   300s;
+
+    location / {
+        set $upstream http://gitea:3000;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,16 @@
+server {
+    listen 443 ssl;
+    server_name keycloak.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        set $upstream http://keycloak:8080;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,27 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    # Use Docker's embedded DNS resolver so container names resolve dynamically.
+    # This is critical — without it nginx resolves upstream names at startup only
+    # and won't pick up newly provisioned tenant containers.
+    resolver 127.0.0.11 valid=5s ipv6=off;
+
+    # Shared log format
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent"';
+
+    access_log /var/log/nginx/access.log main;
+    error_log  /var/log/nginx/error.log warn;
+
+    # Redirect all HTTP → HTTPS
+    server {
+        listen 80 default_server;
+        return 301 https://$host$request_uri;
+    }
+
+    # Pick up per-tenant server blocks dropped by the provisioning worker
+    include /etc/nginx/conf.d/*.conf;
+}