Restore backup_volumes and fix secrets declarations in MySQL DB containers

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/729f8a52-a9df-49b9-b95f-20103c416d52

community-containers/bahmni-lite/bahmni-lite.json

@@ -75,6 +75,11 @@
                     "source": "nextcloud_aio_bahmni_configuration_checksums",
                     "destination": "/openmrs/data/configuration_checksums",
                     "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_openmrs_logs",
+                    "destination": "/openmrs/data/logs",
+                    "writeable": true
                 }
             ],
             "backup_volumes": [
@@ -83,7 +88,8 @@
                 "nextcloud_aio_bahmni_clinical_forms",
                 "nextcloud_aio_bahmni_lab_results",
                 "nextcloud_aio_bahmni_uploaded_files",
-                "nextcloud_aio_bahmni_configuration_checksums"
+                "nextcloud_aio_bahmni_configuration_checksums",
+                "nextcloud_aio_bahmni_openmrs_logs"
             ],
             "depends_on": [
                 "nextcloud-aio-bahmni-openmrsdb",
@@ -210,6 +216,7 @@
                 "MYSQL_PASSWORD=%BAHMNI_REPORTS_DB_PASSWORD%"
             ],
             "secrets": [
+                "BAHMNI_MYSQL_ROOT_PASSWORD",
                 "BAHMNI_REPORTS_DB_PASSWORD"
             ],
             "volumes": [
@@ -317,6 +324,7 @@
                 "MYSQL_PASSWORD=%BAHMNI_CRATER_DB_PASSWORD%"
             ],
             "secrets": [
+                "BAHMNI_MYSQL_ROOT_PASSWORD",
                 "BAHMNI_CRATER_DB_PASSWORD"
             ],
             "volumes": [
@@ -407,6 +415,7 @@
                 "MYSQL_PASSWORD=%BAHMNI_CRATER_ATOMFEED_DB_PASSWORD%"
             ],
             "secrets": [
+                "BAHMNI_MYSQL_ROOT_PASSWORD",
                 "BAHMNI_CRATER_ATOMFEED_DB_PASSWORD"
             ],
             "volumes": [

community-containers/bahmni-lite/readme.md

@@ -16,7 +16,7 @@ Bahmni Lite includes the following services:
 - **Crater Atomfeed** + **Crater Atomfeed DB** – OpenMRS ↔ Crater sync service
 
 ### Notes
-- You need to configure a reverse proxy in order to use this container bundle, since Bahmni needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy or follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md. You need to point the reverse proxy at `nextcloud-aio-bahmni-openmrs:8080` for the core Bahmni/OpenMRS application.
+- You need to configure a reverse proxy in order to use this container bundle, since Bahmni needs a dedicated (sub)domain! The easiest way is to install the [Caddy community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy), which auto-configures `bahmni.your-nc-domain.com` for you — just point a CNAME record for `bahmni.your-nc-domain.com` at your server before enabling Caddy. Caddy will automatically route all Bahmni paths (`/openmrs/`, `/bahmni/`, `/bahmni-new/`, `/bahmni-lab/`, `/implementer-interface/`, `/document_images/`, `/uploaded_results/`, `/uploaded-files/`, `/appointments/`, `/reports/`) to the correct backend containers. Alternatively, you can follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md and configure your own reverse proxy manually using the path-to-container mapping documented below.
 - The core Bahmni EMR is accessible at `/openmrs/` on the OpenMRS container (`nextcloud-aio-bahmni-openmrs`, port `8080`). After starting, visit `http://<your-domain>/openmrs/` and log in with the default credentials: username `admin`, password `Admin123`. **⚠️ Change the default OpenMRS admin password immediately after first login.** The Bahmni database image ships with this well-known default — leaving it in place is a serious security risk. Note: after changing the OpenMRS admin password, you must also update `OPENMRS_ATOMFEED_PASSWORD` in the `nextcloud-aio-bahmni-crater-atomfeed` container to match the new password, otherwise the Crater billing sync will stop working.
 - For the full Bahmni UI experience (Bahmni Web, Bahmni Apps Frontend etc.), a reverse proxy must be set up to route the following paths to the correct containers:
   - `/openmrs/` → `nextcloud-aio-bahmni-openmrs:8080`
@@ -29,6 +29,7 @@ Bahmni Lite includes the following services:
   - `/reports/` → `nextcloud-aio-bahmni-reports:8080`
 - The Crater billing system can be reached at `nextcloud-aio-bahmni-crater-nginx:80`. The Crater admin email is `admin@bahmni.org` and the password is shown next to the container in the AIO interface.
 - All Bahmni data (patient images, documents, clinical forms, databases) will be automatically included in AIOs backup solution!
+- The [Fail2ban community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban) auto-configures brute-force protection for Bahmni/OpenMRS login attempts when both containers are enabled.
 - This container bundle requires significant system resources. A minimum of **4 GB RAM** and **2 CPU cores** is recommended; **8 GB RAM** is preferred for production use.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack.
 

community-containers/caddy/readme.md

@@ -1,5 +1,5 @@
 ## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed.
+This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed. It also covers [Bahmni Lite](https://github.com/nextcloud/all-in-one/tree/main/community-containers/bahmni-lite) by listening on `bahmni.$NC_DOMAIN`, if installed.
 
 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
@@ -15,6 +15,7 @@ This container bundles caddy and auto-configures it for you. It also covers [vau
 - If you want to use this with [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for seerr.
 - If you want to use this with [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter), make sure that you point `metrics.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter.
 - If you want to use this with [local AI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai), make sure that you point `ai.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for local AI.
+- If you want to use this with [Bahmni Lite](https://github.com/nextcloud/all-in-one/tree/main/community-containers/bahmni-lite), make sure that you point `bahmni.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for Bahmni Lite.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
 - You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

community-containers/fail2ban/fail2ban.json

@@ -35,6 +35,11 @@
                     "source": "nextcloud_aio_jellyseerr",
                     "destination": "/jellyseerr",
                     "writeable": false
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_openmrs_logs",
+                    "destination": "/bahmni-openmrs",
+                    "writeable": false
                 }
             ]
         }

community-containers/fail2ban/readme.md

@@ -1,5 +1,5 @@
 ## Fail2ban
-This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, if installed.
+This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/bahmni-lite, if installed.
 
 ### Notes
 - If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.