devops folders consolidate

devops/compose/docker-compose.cryptopro.yml

@@ -0,0 +1,149 @@
+# =============================================================================
+# STELLA OPS - CRYPTOPRO CSP OVERLAY (Russia)
+# =============================================================================
+# CryptoPro CSP licensed provider overlay for compliance-russia.yml.
+# Adds real CryptoPro CSP service for certified GOST R 34.10-2012 operations.
+#
+# IMPORTANT: Requires EULA acceptance before use.
+#
+# Usage (MUST be combined with stella-ops AND compliance-russia):
+#   CRYPTOPRO_ACCEPT_EULA=1 docker compose \
+#     -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-russia.yml \
+#     -f docker-compose.cryptopro.yml up -d
+#
+# For development/testing without CryptoPro license, use crypto-sim.yml instead:
+#   docker compose \
+#     -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-russia.yml \
+#     -f docker-compose.crypto-sim.yml up -d
+#
+# Requirements:
+# - CryptoPro CSP license files in opt/cryptopro/downloads/
+# - CRYPTOPRO_ACCEPT_EULA=1 environment variable
+# - CryptoPro container images with GOST engine
+#
+# GOST Algorithms Provided:
+# - GOST R 34.10-2012: Digital signature (256/512-bit)
+# - GOST R 34.11-2012: Hash function (Streebog, 256/512-bit)
+# - GOST R 34.12-2015: Block cipher (Kuznyechik, Magma)
+#
+# =============================================================================
+
+x-cryptopro-labels: &cryptopro-labels
+  com.stellaops.component: "cryptopro-csp"
+  com.stellaops.crypto.provider: "cryptopro"
+  com.stellaops.crypto.profile: "russia"
+  com.stellaops.crypto.certified: "true"
+
+x-cryptopro-env: &cryptopro-env
+  STELLAOPS_CRYPTO_PROVIDERS: "cryptopro.gost"
+  STELLAOPS_CRYPTO_CRYPTOPRO_URL: "http://cryptopro-csp:8080"
+  STELLAOPS_CRYPTO_CRYPTOPRO_ENABLED: "true"
+
+networks:
+  stellaops:
+    external: true
+    name: stellaops
+
+services:
+  # ---------------------------------------------------------------------------
+  # CryptoPro CSP - Certified GOST cryptography provider
+  # ---------------------------------------------------------------------------
+  cryptopro-csp:
+    build:
+      context: ../..
+      dockerfile: devops/services/cryptopro/linux-csp-service/Dockerfile
+      args:
+        CRYPTOPRO_ACCEPT_EULA: "${CRYPTOPRO_ACCEPT_EULA:-0}"
+    image: registry.stella-ops.org/stellaops/cryptopro-csp:2025.10.0
+    container_name: stellaops-cryptopro-csp
+    restart: unless-stopped
+    environment:
+      ASPNETCORE_URLS: "http://0.0.0.0:8080"
+      CRYPTOPRO_ACCEPT_EULA: "${CRYPTOPRO_ACCEPT_EULA:-0}"
+      # GOST algorithm configuration
+      CRYPTOPRO_GOST_SIGNATURE_ALGORITHM: "GOST R 34.10-2012"
+      CRYPTOPRO_GOST_HASH_ALGORITHM: "GOST R 34.11-2012"
+      # Container and key store settings
+      CRYPTOPRO_CONTAINER_NAME: "${CRYPTOPRO_CONTAINER_NAME:-stellaops-signing}"
+      CRYPTOPRO_USE_MACHINE_STORE: "${CRYPTOPRO_USE_MACHINE_STORE:-true}"
+      CRYPTOPRO_PROVIDER_TYPE: "${CRYPTOPRO_PROVIDER_TYPE:-80}"
+    volumes:
+      - ../../opt/cryptopro/downloads:/opt/cryptopro/downloads:ro
+      - ../../etc/cryptopro:/app/etc/cryptopro:ro
+      # Optional: Mount key containers
+      - cryptopro-keys:/var/opt/cprocsp/keys
+    ports:
+      - "${CRYPTOPRO_PORT:-18080}:8080"
+    networks:
+      - stellaops
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    labels: *cryptopro-labels
+
+  # ---------------------------------------------------------------------------
+  # Override services to use CryptoPro
+  # ---------------------------------------------------------------------------
+
+  # Authority - Use CryptoPro for GOST signatures
+  authority:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+  # Signer - Use CryptoPro for GOST signatures
+  signer:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+  # Attestor - Use CryptoPro for GOST signatures
+  attestor:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+  # Scanner Web - Use CryptoPro for verification
+  scanner-web:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+  # Scanner Worker - Use CryptoPro for verification
+  scanner-worker:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+  # Excititor - Use CryptoPro for VEX signing
+  excititor:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+volumes:
+  cryptopro-keys:
+    name: stellaops-cryptopro-keys