devops folders consolidate

devops/compose/docker-compose.sm-remote.yml

@@ -0,0 +1,153 @@
+# =============================================================================
+# STELLA OPS - SM REMOTE OVERLAY (China)
+# =============================================================================
+# SM Remote service overlay for compliance-china.yml.
+# Provides SM2/SM3/SM4 (ShangMi) cryptographic operations via software provider
+# or integration with OSCCA-certified hardware security modules.
+#
+# Usage (MUST be combined with stella-ops AND compliance-china):
+#   docker compose \
+#     -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-china.yml \
+#     -f docker-compose.sm-remote.yml up -d
+#
+# For development/testing without SM hardware, use crypto-sim.yml instead:
+#   docker compose \
+#     -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-china.yml \
+#     -f docker-compose.crypto-sim.yml up -d
+#
+# SM Algorithms Provided:
+# - SM2: Public key cryptography (ECDSA-like, 256-bit curve) - GM/T 0003-2012
+# - SM3: Cryptographic hash function (256-bit output) - GM/T 0004-2012
+# - SM4: Block cipher (128-bit key/block, AES-like) - GM/T 0002-2012
+# - SM9: Identity-based cryptography - GM/T 0044-2016
+#
+# Providers:
+# - cn.sm.soft: Software-only implementation using BouncyCastle
+# - cn.sm.remote.http: Remote HSM integration via HTTP API
+#
+# OSCCA Compliance:
+# - All cryptographic operations use SM algorithms exclusively
+# - Hardware Security Modules should be OSCCA-certified
+# - Certificates comply with GM/T 0015 (Certificate Profile)
+#
+# =============================================================================
+
+x-sm-remote-labels: &sm-remote-labels
+  com.stellaops.component: "sm-remote"
+  com.stellaops.crypto.provider: "sm"
+  com.stellaops.crypto.profile: "china"
+  com.stellaops.crypto.jurisdiction: "china"
+
+x-sm-remote-env: &sm-remote-env
+  STELLAOPS_CRYPTO_PROVIDERS: "cn.sm.soft,cn.sm.remote.http"
+  STELLAOPS_CRYPTO_SM_REMOTE_URL: "http://sm-remote:56080"
+  STELLAOPS_CRYPTO_SM_ENABLED: "true"
+  SM_SOFT_ALLOWED: "1"
+
+networks:
+  stellaops:
+    external: true
+    name: stellaops
+
+services:
+  # ---------------------------------------------------------------------------
+  # SM Remote Service - ShangMi cryptography provider
+  # ---------------------------------------------------------------------------
+  sm-remote:
+    build:
+      context: ../..
+      dockerfile: devops/services/sm-remote/Dockerfile
+    image: registry.stella-ops.org/stellaops/sm-remote:2025.10.0
+    container_name: stellaops-sm-remote
+    restart: unless-stopped
+    environment:
+      ASPNETCORE_URLS: "http://0.0.0.0:56080"
+      ASPNETCORE_ENVIRONMENT: "Production"
+      # Enable software-only SM2 provider (for testing/development)
+      SM_SOFT_ALLOWED: "${SM_SOFT_ALLOWED:-1}"
+      # Optional: Remote HSM configuration (for production with OSCCA-certified HSM)
+      SM_REMOTE_HSM_URL: "${SM_REMOTE_HSM_URL:-}"
+      SM_REMOTE_HSM_API_KEY: "${SM_REMOTE_HSM_API_KEY:-}"
+      SM_REMOTE_HSM_TIMEOUT: "${SM_REMOTE_HSM_TIMEOUT:-30000}"
+      # Optional: Client certificate authentication for HSM
+      SM_REMOTE_CLIENT_CERT_PATH: "${SM_REMOTE_CLIENT_CERT_PATH:-}"
+      SM_REMOTE_CLIENT_CERT_PASSWORD: "${SM_REMOTE_CLIENT_CERT_PASSWORD:-}"
+    volumes:
+      - ../../etc/sm-remote:/app/etc/sm-remote:ro
+      # Optional: Mount SM key containers
+      - sm-remote-keys:/var/lib/stellaops/sm-keys
+    ports:
+      - "${SM_REMOTE_PORT:-56080}:56080"
+    networks:
+      - stellaops
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:56080/status"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+    labels: *sm-remote-labels
+
+  # ---------------------------------------------------------------------------
+  # Override services to use SM Remote
+  # ---------------------------------------------------------------------------
+
+  # Authority - Use SM Remote for SM2 signatures
+  authority:
+    environment:
+      <<: *sm-remote-env
+    depends_on:
+      - sm-remote
+    labels:
+      com.stellaops.crypto.provider: "sm"
+
+  # Signer - Use SM Remote for SM2 signatures
+  signer:
+    environment:
+      <<: *sm-remote-env
+    depends_on:
+      - sm-remote
+    labels:
+      com.stellaops.crypto.provider: "sm"
+
+  # Attestor - Use SM Remote for SM2 signatures
+  attestor:
+    environment:
+      <<: *sm-remote-env
+    depends_on:
+      - sm-remote
+    labels:
+      com.stellaops.crypto.provider: "sm"
+
+  # Scanner Web - Use SM Remote for verification
+  scanner-web:
+    environment:
+      <<: *sm-remote-env
+    depends_on:
+      - sm-remote
+    labels:
+      com.stellaops.crypto.provider: "sm"
+
+  # Scanner Worker - Use SM Remote for verification
+  scanner-worker:
+    environment:
+      <<: *sm-remote-env
+    depends_on:
+      - sm-remote
+    labels:
+      com.stellaops.crypto.provider: "sm"
+
+  # Excititor - Use SM Remote for VEX signing
+  excititor:
+    environment:
+      <<: *sm-remote-env
+    depends_on:
+      - sm-remote
+    labels:
+      com.stellaops.crypto.provider: "sm"
+
+volumes:
+  sm-remote-keys:
+    name: stellaops-sm-remote-keys