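# =============================================================================
# STELLA OPS - CRYPTOPRO CSP OVERLAY (Russia)
# =============================================================================
# CryptoPro CSP licensed provider overlay for compliance-russia.yml.
# Adds real CryptoPro CSP service for certified GOST R 34.10-2012 operations.
#
# IMPORTANT: Requires EULA acceptance before use.
#
# Usage (MUST be combined with stella-ops AND compliance-russia):
#   CRYPTOPRO_ACCEPT_EULA=1 docker compose \
#     -f docker-compose.stella-ops.yml \
#     -f docker-compose.compliance-russia.yml \
#     -f docker-compose.cryptopro.yml up -d
#
# For development/testing without CryptoPro license, use crypto-sim.yml instead:
#   docker compose \
#     -f docker-compose.stella-ops.yml \
#     -f docker-compose.compliance-russia.yml \
#     -f docker-compose.crypto-sim.yml up -d
#
# Requirements:
#   - CryptoPro CSP license files in opt/cryptopro/downloads/
#   - CRYPTOPRO_ACCEPT_EULA=1 environment variable
#   - CryptoPro container images with GOST engine
#
# GOST Algorithms Provided:
#   - GOST R 34.10-2012: Digital signature (256/512-bit)
#   - GOST R 34.11-2012: Hash function (Streebog, 256/512-bit)
#   - GOST R 34.12-2015: Block cipher (Kuznyechik, Magma)
#
# Security notes:
#   - cryptopro-csp holds the signing key containers (cryptopro-keys volume)
#     and serves signing requests over plain HTTP on the shared `stellaops`
#     network. Every container attached to that network can reach it, so keep
#     membership of that network limited to the services listed below.
#   - The service port is also published on the host (CRYPTOPRO_PORT, default
#     18080) on all interfaces. The in-cluster consumers use the compose
#     network, so if host access is only needed for local debugging, restrict
#     the mapping to 127.0.0.1 in a local override file.
# =============================================================================
---
# Labels applied to the CryptoPro CSP service container (see `labels:` below).
x-cryptopro-labels: &cryptopro-labels
  com.stellaops.component: "cryptopro-csp"
  com.stellaops.crypto.provider: "cryptopro"
  com.stellaops.crypto.profile: "russia"
  com.stellaops.crypto.certified: "true"

# Environment merged into every service that must sign/verify via CryptoPro.
# The URL is the compose-network address of the cryptopro-csp service.
x-cryptopro-env: &cryptopro-env
  STELLAOPS_CRYPTO_PROVIDERS: "cryptopro.gost"
  STELLAOPS_CRYPTO_CRYPTOPRO_URL: "http://cryptopro-csp:8080"
  STELLAOPS_CRYPTO_CRYPTOPRO_ENABLED: "true"

networks:
  # Created by the base stella-ops compose file; this overlay only joins it.
  stellaops:
    external: true
    name: stellaops

services:
  # ---------------------------------------------------------------------------
  # CryptoPro CSP - Certified GOST cryptography provider
  # ---------------------------------------------------------------------------
  cryptopro-csp:
    build:
      context: ../..
      dockerfile: devops/services/cryptopro/linux-csp-service/Dockerfile
      args:
        # Defaults to "0": the build is expected to refuse to install the CSP
        # until the operator explicitly accepts the EULA.
        CRYPTOPRO_ACCEPT_EULA: "${CRYPTOPRO_ACCEPT_EULA:-0}"
    image: registry.stella-ops.org/stellaops/cryptopro-csp:2025.10.0
    container_name: stellaops-cryptopro-csp
    restart: unless-stopped
    environment:
      ASPNETCORE_URLS: "http://0.0.0.0:8080"
      CRYPTOPRO_ACCEPT_EULA: "${CRYPTOPRO_ACCEPT_EULA:-0}"
      # GOST algorithm configuration
      CRYPTOPRO_GOST_SIGNATURE_ALGORITHM: "GOST R 34.10-2012"
      CRYPTOPRO_GOST_HASH_ALGORITHM: "GOST R 34.11-2012"
      # Container and key store settings
      CRYPTOPRO_CONTAINER_NAME: "${CRYPTOPRO_CONTAINER_NAME:-stellaops-signing}"
      CRYPTOPRO_USE_MACHINE_STORE: "${CRYPTOPRO_USE_MACHINE_STORE:-true}"
      # NOTE(review): 80 appears to select the GOST R 34.10-2012 256-bit
      # provider in CryptoPro's provider-type numbering — confirm against the
      # CSP documentation before changing it.
      CRYPTOPRO_PROVIDER_TYPE: "${CRYPTOPRO_PROVIDER_TYPE:-80}"
    volumes:
      # License files and provider configuration are read-only inside the
      # container; only the key store below is writable.
      - ../../opt/cryptopro/downloads:/opt/cryptopro/downloads:ro
      - ../../etc/cryptopro:/app/etc/cryptopro:ro
      # Optional: Mount key containers. This volume holds the private signing
      # key material; back it up and restrict host access accordingly.
      - cryptopro-keys:/var/opt/cprocsp/keys
    ports:
      # Published on all host interfaces by default (see Security notes above).
      - "${CRYPTOPRO_PORT:-18080}:8080"
    networks:
      - stellaops
    healthcheck:
      # NOTE(review): assumes curl is present in the image — confirm against
      # the Dockerfile; a missing binary makes the service permanently unhealthy.
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    labels: *cryptopro-labels

  # ---------------------------------------------------------------------------
  # Override services to use CryptoPro
  #
  # Each override uses the long-form depends_on with `service_healthy` so the
  # consumer waits for the healthcheck above to pass instead of only for the
  # cryptopro-csp container to start; the short list form would let consumers
  # come up while the CSP is still initialising its key store.
  # ---------------------------------------------------------------------------

  # Authority - Use CryptoPro for GOST signatures
  authority:
    environment:
      <<: *cryptopro-env
    depends_on:
      cryptopro-csp:
        condition: service_healthy
    labels:
      com.stellaops.crypto.provider: "cryptopro"

  # Signer - Use CryptoPro for GOST signatures
  signer:
    environment:
      <<: *cryptopro-env
    depends_on:
      cryptopro-csp:
        condition: service_healthy
    labels:
      com.stellaops.crypto.provider: "cryptopro"

  # Attestor - Use CryptoPro for GOST signatures
  attestor:
    environment:
      <<: *cryptopro-env
    depends_on:
      cryptopro-csp:
        condition: service_healthy
    labels:
      com.stellaops.crypto.provider: "cryptopro"

  # Scanner Web - Use CryptoPro for verification
  scanner-web:
    environment:
      <<: *cryptopro-env
    depends_on:
      cryptopro-csp:
        condition: service_healthy
    labels:
      com.stellaops.crypto.provider: "cryptopro"

  # Scanner Worker - Use CryptoPro for verification
  scanner-worker:
    environment:
      <<: *cryptopro-env
    depends_on:
      cryptopro-csp:
        condition: service_healthy
    labels:
      com.stellaops.crypto.provider: "cryptopro"

  # Excititor - Use CryptoPro for VEX signing
  excititor:
    environment:
      <<: *cryptopro-env
    depends_on:
      cryptopro-csp:
        condition: service_healthy
    labels:
      com.stellaops.crypto.provider: "cryptopro"

volumes:
  # Persistent key store for the CryptoPro CSP (private signing keys).
  cryptopro-keys:
    name: stellaops-cryptopro-keys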