OneLab Kubernetes GitOps (Argo CD)

- Helm charts: onelab app + observability (Loki/Promtail/Grafana) - Values under gitops/values/ with public-safe placeholders - Argo CD Application (spec.sources, 2.6+) Made-with: Cursor
2026-03-20 12:27:45 +01:00
commit 68f9745c06
44 changed files with 2466 additions and 0 deletions
--- a/gitops/charts/onelab/files/advanced.conf
+++ b/gitops/charts/onelab/files/advanced.conf
@@ -0,0 +1,5 @@
+[
+ {rabbit, [
+  {tcp_listeners, []}
+  ]}
+].
--- a/gitops/charts/onelab/files/configurations.gotmpl
+++ b/gitops/charts/onelab/files/configurations.gotmpl
@@ -0,0 +1,133 @@
+---
+onelab:
+  domain: {{ .Values.onelab.domain | quote }}
+  logs:
+    path: "/logs"
+    level: info
+  assets:
+    purge: 1d
+  shared:
+    inputs:
+      path: "./data/shared/inputs"
+      archive_path: "./data/shared/archived"
+  security:
+    cors: '*'
+    auth:
+      token:
+        expiration: 5m
+        key: {{ .Values.onelab.secrets.authTokenKey | quote }}
+      password:
+        expiration: 90d
+        min_length: 8
+        prevent_reuse: 5
+      allow_list: []
+      block_list: []
+      authentifier: "email"
+    ratelimit:
+      ip:
+        max: 1000
+        duration: 1d
+      auth:
+        max: 5
+        duration: 5m
+        delay_after: 2
+        delay_ms: 1000
+    devices:
+        cors: '*'
+    monitoring:
+        token: {{ .Values.onelab.secrets.monitoringToken | quote }}
+  params:
+    session:
+      idle: 45m
+      remember_me: true
+    lab:
+      creation_policy: many
+{{- if .Values.onelab.compliance.enabled }}
+    compliance:
+      require_electronic_signature: {{ .Values.onelab.compliance.requireElectronicSignature }}
+      execution_operator_restriction_policy: {{ .Values.onelab.compliance.executionOperatorRestrictionPolicy | quote }}
+      execution_admin_expert_restriction_policy: {{ .Values.onelab.compliance.executionAdminExpertRestrictionPolicy | quote }}
+      prevent_csv_import: {{ .Values.onelab.compliance.preventCsvImport }}
+      prevent_manual_metadata_edit: {{ .Values.onelab.compliance.preventManualMetadataEdit }}
+      device_restart: {{ .Values.onelab.compliance.deviceRestart }}
+{{- end }}
+    signup: false
+{{- if .Values.onelab.intercom.appid }}
+    intercom:
+      appid: {{ .Values.onelab.intercom.appid | quote }}
+      secret: {{ .Values.onelab.intercom.secret | quote }}
+{{- end }}
+  mailer:
+    noreply: {{ .Values.onelab.mailer.noreply | quote }}
+    queue:
+      scheduling: 15
+      maxsize: 50
+    error:
+      maxtries: 3
+      timeout: 60
+  ldap:
+    enabled: {{ if or .Values.onelab.ldap.enabled .Values.features.ldapWorker }}true{{ else }}false{{ end }}
+{{- if or .Values.onelab.ldap.enabled .Values.features.ldapWorker }}
+    {{- if .Values.onelab.ldap.timeout }}
+    timeout: {{ .Values.onelab.ldap.timeout | int }}
+    {{- end }}
+    {{- if .Values.onelab.ldap.encryption }}
+    encryption: {{ .Values.onelab.ldap.encryption | quote }}
+    {{- end }}
+    {{- if .Values.onelab.ldap.policy }}
+    policy: {{ .Values.onelab.ldap.policy | quote }}
+    {{- end }}
+    {{- if kindIs "bool" .Values.onelab.ldap.verifyCertificates }}
+    verify_certificates: {{ .Values.onelab.ldap.verifyCertificates }}
+    {{- end }}
+    {{- if or .Values.onelab.ldap.tlsCaPath .Values.onelab.ldap.tlsCertPath .Values.onelab.ldap.tlsKeyPath .Values.onelab.ldap.tlsCiphers .Values.onelab.ldap.tlsSslVersion }}
+    tls:
+      {{- if .Values.onelab.ldap.tlsCaPath }}
+      ca: {{ .Values.onelab.ldap.tlsCaPath | quote }}
+      {{- end }}
+      {{- if .Values.onelab.ldap.tlsCertPath }}
+      cert: {{ .Values.onelab.ldap.tlsCertPath | quote }}
+      {{- end }}
+      {{- if .Values.onelab.ldap.tlsKeyPath }}
+      key: {{ .Values.onelab.ldap.tlsKeyPath | quote }}
+      {{- end }}
+      {{- if .Values.onelab.ldap.tlsCiphers }}
+      ciphers: {{ .Values.onelab.ldap.tlsCiphers | quote }}
+      {{- end }}
+      {{- if .Values.onelab.ldap.tlsSslVersion }}
+      ssl_version: {{ .Values.onelab.ldap.tlsSslVersion | quote }}
+      {{- end }}
+    {{- end }}
+{{- end }}
+  services:
+    db:
+      host: db
+      database: postgres
+      username: postgres
+      password: {{ .Values.postgresql.auth.password | quote }}
+      schema: onelab
+    redis:
+      host: redis
+      port: "6379"
+    rabbit:
+      url: rabbitmq
+      port: 5671
+      token: {{ .Values.onelab.secrets.rabbitToken | quote }}
+    api:
+      replicas: {{ .Values.replicas.api }}
+    apidevice:
+      replicas: {{ .Values.replicas.apidevice }}
+    apirabbit:
+      replicas: {{ .Values.replicas.apirabbit }}
+    devices:
+      replicas: {{ .Values.replicas.devices }}
+    experiments:
+      replicas: {{ .Values.replicas.experiments }}
+    images:
+      replicas: {{ .Values.replicas.images }}
+    manual:
+      replicas: {{ .Values.replicas.manual }}
+    website:
+      ssr: {{ .Values.website.ssr }}
+    ws:
+      replicas: {{ .Values.replicas.ws }}
--- a/gitops/charts/onelab/files/enable_plugins
+++ b/gitops/charts/onelab/files/enable_plugins
@@ -0,0 +1 @@
+[rabbitmq_auth_backend_http, rabbitmq_auth_backend_cache, rabbitmq_management, rabbitmq_event_exchange].
--- a/gitops/charts/onelab/files/error-404.html
+++ b/gitops/charts/onelab/files/error-404.html
@@ -0,0 +1,98 @@
+<!doctype html>
+<html lang="en">
+
+<head>
+  <meta charset="utf-8">
+  <title>OneLab - Page Not Found</title>
+  <meta name="description" content="The page you are looking for does not exist or has been moved.">
+  <meta name="robots" content="noindex, nofollow">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <link href="https://fonts.googleapis.com/css?family=Open+Sans&display=swap" rel="stylesheet">
+  <style>
+    body {
+      font-family: "Open Sans", sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
+    }
+
+    .page {
+      position: absolute;
+      top: 0;
+      bottom: 0;
+      left: 0;
+      right: 0;
+      text-align: center;
+      padding: 128px;
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+    }
+
+    .content {
+      width: 360px;
+      max-width: 90%;
+    }
+
+    .main {
+      font-size: 32px;
+      font-weight: 600;
+      margin-top: 64px;
+      font-stretch: normal;
+      font-style: normal;
+      line-height: normal;
+      letter-spacing: normal;
+      text-align: center;
+      color: #4a4a4a;
+    }
+
+    .code {
+      margin-top: 8px;
+      font-size: 13px;
+      letter-spacing: 2px;
+      color: #888;
+      text-transform: uppercase;
+    }
+
+    .sub {
+      margin-top: 24px;
+      font-size: 15px;
+      line-height: 1.47;
+      color: #4a4a4a;
+    }
+
+    a.login-btn {
+      display: inline-block;
+      margin-top: 32px;
+      padding: 12px 28px;
+      border-radius: 1000px;
+      background: #6cb644;
+      color: #fff;
+      text-decoration: none;
+      font-weight: 600;
+      box-shadow: 0 2px 4px rgba(0, 0, 0, .15);
+      font-size: 15px;
+    }
+
+    a.login-btn:hover,
+    a.login-btn:focus {
+      background: #3a8611;
+    }
+  </style>
+</head>
+
+<body>
+  <div class="page" role="main" aria-labelledby="title">
+    <div class="content">
+      <div class="img">
+        <img
+          src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAALsAAAAvCAQAAAARbnO0AAAABGdBTUEAALGPC/xhBQAAC7VJREFUeNrtW3l0FdUdHgIkCAiyb1ZEkH1TREQRBVzqgrIVkCMFpbREPEKAIgoRxIWlilatuIRzEMUcN5YgtYYeEFRA+b47bxKeiX0algAqYFDZpDVMzyx3Zt7+XhJSqLn3n7yZO3f57u/+7vdboii/suLrIgYZlZ3O2Ait2EuvoVQVb+Eb0M2adWb6xxSWQqemXpDUZ3oKrxJzkMUc/pPZfJZ3a00rHxz1RjxtVD58bsEeSOMpq3/OTHyxF2A+vren5VSexiZxXeXCjkx79KJzC3bUxi9W/2JOohMazyOhkHvA/7toUgV7Av0/bva+x988gcb+VL4UHXK7FvuurII9gSv1Mt5eeH4i+rwasz3wHuZLYrjvSq0rBjCDH3kk/qjvsirYK24qizx6fGGgXsjba/mFA/0BXBQTrsZqT7bz100A2Mais9Y1v5lerSJh9zf0dUGf/GYxxl0ZCru/oeiRdwlqVxianTiw+Lz4APThaXsqJ8UdEe/nesh1Nmad58sx+Nqo3KAoHMzNLLHblFLDQ9EoFLsji/ud/r7Da2rP8sMeqIdMao54/ISPOVJP4TP2DJ8Ih31XLTGBW/GD/fsXbhXTEoArThFzzFUF0Dje7myTks5R0dpodQhnSTc5Q0yynxzi1giX8H70Ce1nVy0uczbZy5VeDDYwkoUdQ3gwwgwCKLD/eiUM9q9xOML9dUC9tTygF5+H/9gjxqa+am9nkitiXhTtZYdYHwZ7NPZzRL3Y20deA3wWtfV6L/DJwS4mGSZKzJmEwx6tZSkeKDvsu2rh33ZPs2LL+hNS4oIhiiBRWXbLU/Ke9sLO0/RhJefyBXzsebrKc3FXx4fO881iNDuhLQcjy5H+BWWDHQMkV4bOEm7gEj7O91DgPVWRYWcpduJtzOez2Iif3JWIEeXQ7DPNcQv8DWM3s9UDP4/b4c1yYuKWUNi5w6tQ1FtxSC5Mu9BZ8ANO68lB5+16y7JjKTomD3sgDcUOkFmo7+n3aqgxYf/Ey8tEE77lvPmhoFE5WFhb9AukxWu0x57Y3+J1l9fAmdYfQmAv0lNCjv1Yp+0YqfX4nf3kqbA5PGTPYVnysPN+RxgmhRHj6pIKhMPOVeEcSs4DOhedafL4sz3UIwns47+DDV8H9i/DLQFnOxfb4wyW3D+cqqG+rZsPSSiSgF2e1g8izvjNUNhj8XY9xbFS9sRxo1yv3umuA/041DWQeBWHuSyOvcQI9+yIHvid6eNyfDAL44JeU2pLZsSDXVH4j2AJxnPSyaB1CK/40t7QzsnBXni+1OuRLehw2MN5exCc10h5Vy+Na3IVWhYOlpoj7LLA5WKLxYmW5rtHzF8H8y4x8ZpmEQ3RWaHfHujNBHSWPM6jE4BdOhvetr9eE9f5YCz2xuRgR0fJunfVKr+0m0TZ5kQcGJVMt/EqW9HEUUxTvd8jU1H0GjjpPfPSrsFShe/ZLw6G6uewJdzngNMzAdhfsPt91/69JRHYpeWQKOyir/3d7ihzTlLa3btODI+KQwuHI40xFKQ8b/yT4duSQGOGobSkMcZ5JgbSSHxawThHhkfE8cP7QpeYFOw5dtu93Bq9ikHJwc5OFSvtgTRpnYgbYow6zwCeG1DTHGOGKeGfWBYu0o0eCFsBjTNZWr6lgMQInDDQEi2Vgkbmn6ZNF8uX4iGLi8oCO160235Yka6wQD3nUPepCGnH5c4qYwb9fK3YyWVCaOHr4uoKranWVa/u+p7QzTUE8xqwu7VZCh5zhspxm4eAfp0TNSlxDYFkYBfDHbPs0or0QDp27/sVIe2OJ/ZAZBddBRatDvY62jU3knUlRssTAR33RTgBCcBeeL5zoeSHO8kwJNgXkgSBnOoIzT0R3q6NytuzI2zSGKev58tByW8W98bygXp9gj86Ax5khssz9Wq8ius8l96rERVPArB7jRF8hm5B3v6JPMVSPFQW2IvPwzeO33OJ14OodZAkNqK061zHdkH9LHS8Tics+lcm0C0G9308V4sF4A085vVVEFiNlcjFt0E8Y1WwnzA52P2p/NTjDVnJybiJQznbdddyfCjsLOHD0apWxx7pt673hfv4FmdzKl/mFscpFd0nc4qbsRRTOJvZHheDyUnKVvx1HdtmXmKhqC7SZIlC7U5zXqi+Sw52RfE39wRMIngJPZdUZnyy6R5kZoQ7k8vqgUzEcIxpUkrxnZJ4oGCBV+aDpr0tUu5AsrCbLDei2cSD4l7vpiYHu6KIu5xwhbcWoTAq7HsjrZXHxIRyhjnGmsx9U1LRKtFEPIhN3uOJYmS5gY3ywm75M7CGRz0KbTOm5DWIwmQShF0xiPBCBlz1AYFxeo1YBNLfUMzxqhbswVMJXYVxKUr+b8oaI2kr+opB7B477UCvodUxaqRQmD/VehfZBepPRUfRX/Rnu8hSgZrW17FqJIqnXaj2xgCtjSTCgTSrrT/VNYiCn/jrsjtuE/0tr0lVOUeLnsJRYprWpgqJSi2WEuNRrUMVFpVWAvUcTjW/Co3KUzHVHUZ1XxUalVg41MwkXeNe4lWlkiQ+NK8u/l7Ni5vNpOgpvvZn9aXW7Zw74DgeH1K1J44nf4Q4kj7kcVE013IFHvNR3PF/CLthciTbr3opDovOqMkPwtMqfrWwq735OrZzlRiOExbs6MM3uA0r2Uux0i+mYBO34U31TiOygnfsBd6Mt7Gd2RzMtYalymViBJZjO9dxaAgUt2ON6U6YEO7JRm3Mx0Z8iBnGSeBU/tn+5losN0J1HMhsbsNyJ6ugJjOwHhvFo8aYYpo7FlbnN+N4gke4lmvZXVFwEZbyU67isLPv7h3FI5iu9lZv5bvQDdjFcO7GEFwk7sDXor+icDI3oI+vi/g9Bxt+bJw0Fzkd33Aie6l3YiN04xrhPpAj2UtM4jGjpdfXgyI0zm/GHer1YY6InXxG66B1xWvGdhY0wlcYZ8bnvzHyCMQEfCluEa05EntEDzPauR3rcZOxKXzZME/kNikKS7U2ojUy+YXoK/qiPjriW6SrF6vXYHt5MhvPQPGnsgS3eZWMnoJv0c9eyGB8oihcwuddD4gFu785jhvypFj/82TDrl5jw/xoqAsMT6GIO2Qan+f5LJknqaeg0IiI+rrgkLgFOw3XqVYHP0op53jmmJknuU4SU81w2L1KBuudjJ6W+CF51XgmFUxPlgTrdrZjKV/nCqPiHRzXq+U3Qy6K+boYa0zdgh23UXP6CId9eLB+xXL6OJc+w8OHtt44EnP4uTUWV3CXxUHEHdCx3FJ2OOG8zeE+ReFHMr1PGuPRYWcJ18mvcdwb0fqfF197nPDEuY/72ouW+EUMUq+W1ZItf3NxF1ZT86dasIu+KI4OO4ZAeKDphx+NWJC4CzvRllu9iobZfMkdy9fKorE8ys8NvY5uPMZr5VvjLOB9/jFIRS5z0wjDYN+HdLfvhP6fqPI8ZigwUmkUywn6s6HboXK2LbWtvTFBPQWHzdS5k6aOLZRSK3rEhl0M4m5ra8VonpJZkfa7sfjK8rbr1Yx7xLDzcEBrY8ipmVdVhHRHQFqYmSf/skLg/rpGDgJncou8JSzYMURm8vAVrLaFpq5FDs4m0ng592M1ZnAxAzxtwK725H7mMINLjKvVlL43kC5GI4uaXkNeqVpXFBB4FeuNTCqTc0SB3Z/KLcgV9zIDecjCV8HeOa7gPvEoZvEjrgqkaV35nbjCAAoqppsn5RDf4lQ8x91W8hL+imI+gUz6jXilvyH3IRfTuchIKzRhb8FjeBHp2oV5DSC4gzPxGAqkIJ1NwNfnRC7iVF8rPmxlDeQ14EQs4HgrToLaHIZM/oUTDVVR0EguIZDGgbyHA3k7d5kAZsi4CjoGh4H16hyG+cww5FNcFxrDEYM4VzyIAZb0y+xDXysxxxhPa4p0LODdbshFXMGZnCvDjOoFvJ+Leb/WFI9Y50D0EE9iljGKXkOMFk9y8lml18tXRGsriR/dUFjlb6s8vn8PdqIIe6HKfzOoKomW/wIUYeDeIwVFgwAAAABJRU5ErkJggg=="
+          alt="OneLab logo">
+      </div>
+      <div class="main" id="title">Page not found</div>
+      <div class="code">Error 404</div>
+      <div class="sub">The page you requested doesn’t exist, was removed, or is temporarily unavailable. You can return
+        to the application by logging in again.</div>
+      <a href="/login" class="login-btn" aria-label="Go to login page">Go to Home page</a>
+    </div>
+  </div>
+</body>
+
+</html>
--- a/gitops/charts/onelab/files/nginx.conf.tpl
+++ b/gitops/charts/onelab/files/nginx.conf.tpl
@@ -0,0 +1,337 @@
+
+worker_processes 4;
+
+events { worker_connections 1024; }
+
+http {
+  include /etc/nginx/mime.types;
+  
+  client_max_body_size 2m;
+
+  # don't send the nginx version number in error pages and Server header
+  server_tokens off;
+
+  sendfile on;
+
+  upstream website {
+    server website:4000;
+  }
+
+  upstream main {
+    server main:80;
+  }
+
+  upstream api {
+    server api:3000;
+  }
+
+  upstream api-device {
+    server api-device:3000;
+  }
+
+  upstream api-rabbit {
+    server api-rabbit:3000;
+  }
+
+  upstream designer {
+    server designer:80;
+  }
+
+  upstream runner {
+    server runner:80;
+  }
+
+  upstream static {
+    server static:80;
+  }
+
+  upstream websocket-worker {
+    server websocket-worker:3030;
+  }
+
+  # Restore the real client IP from the upstream reverse proxy
+  # Trust all RFC 1918 private ranges (covers any Docker network config)
+  set_real_ip_from  10.0.0.0/8;
+  set_real_ip_from  172.16.0.0/12;
+  set_real_ip_from  192.168.0.0/16;
+  real_ip_header    X-Real-IP;
+
+  limit_req_zone $binary_remote_addr zone=auth:10m rate=1r/s;
+  limit_req_zone $binary_remote_addr zone=website:10m rate=5r/s;
+  limit_req_zone $binary_remote_addr zone=global:10m rate=10r/s;
+
+  # redirect all http traffic to https
+  server {
+    listen 80 default_server;
+{{- if .Values.revproxy.ipv6Listen }}
+    listen [::]:80 default_server;
+{{- end }}
+    server_name localhost;
+
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 10240;
+    gzip_proxied expired no-cache no-store private auth;
+    gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript;
+    gzip_disable "MSIE [1-6]\.";
+
+    root /data/;
+
+    location ^~ /lab/ {
+      rewrite ^/lab/(.*?) /app/lab/$1 last;
+    }
+
+    location ^~ /assets/ {
+      location ~* \.(?:css|js|woff|woff2|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+
+        try_files $uri $uri/ /error-404.html =404;
+      }
+      expires -1;
+      add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+
+      try_files $uri $uri/ /error-404.html =404;
+    }
+
+    location ^~ /static/ {
+      location ~* \.(?:css|js|woff|woff2|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+
+        proxy_pass  http://static;
+        proxy_redirect  off;
+        proxy_set_header  Host $host;
+        proxy_set_header  X-Real-IP $remote_addr;
+        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Host $server_name;
+      }
+
+      expires -1;
+      add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+
+      proxy_pass  http://static;
+      proxy_redirect  off;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    location ^~ /sitemap.xml {
+      limit_req zone=global burst=10 nodelay;
+
+      proxy_pass  http://api;
+      proxy_redirect  off;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    location ^~ /robots.txt {
+      limit_req zone=global burst=10 nodelay;
+
+      proxy_pass  http://api;
+      proxy_redirect  off;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    location ^~ /api/ {
+      limit_req zone=global burst=10 nodelay;
+
+      proxy_pass  http://api;
+      proxy_redirect  off;
+      proxy_set_header  Cookie $http_cookie;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    location ^~ /api/v1/auth/ {
+      # apply rate limiting
+      limit_req zone=auth burst=5 nodelay;
+  
+      proxy_pass http://api;
+      proxy_redirect  off;
+      proxy_set_header  Cookie $http_cookie;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+    
+    location ^~ /api/v1/firmwares {
+      limit_req zone=global burst=10 nodelay;
+    
+      client_max_body_size 600M;
+
+      proxy_pass  http://api;
+      proxy_redirect  off;
+      proxy_set_header  Cookie $http_cookie;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    location ^~ /api/v1/rmq/ {
+      proxy_pass  http://api-rabbit;
+      proxy_redirect  off;
+      proxy_set_header  Cookie $http_cookie;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    location ^~ /device-api/ {
+      limit_req zone=global burst=10 nodelay;
+      client_max_body_size 600m;
+
+      proxy_pass  http://api-device;
+      proxy_redirect  off;
+      proxy_set_header  Cookie $http_cookie;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    location ^~ /app/designer/ {
+      location ~* \.(?:css|js|woff|woff2|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+
+        proxy_pass  http://designer;
+        proxy_redirect  off;
+        proxy_set_header  Cookie $http_cookie;
+        proxy_set_header  Host $host;
+        proxy_set_header  X-Real-IP $remote_addr;
+        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Host $server_name;
+      }
+
+      expires -1;
+      add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+
+      proxy_pass  http://designer;
+      proxy_redirect  off;
+      proxy_set_header  Cookie $http_cookie;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    location ^~ /app/runner/ {
+      location ~* \.(?:css|js|woff|woff2|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+
+        proxy_pass  http://runner;
+        proxy_redirect  off;
+        proxy_set_header  Cookie $http_cookie;
+        proxy_set_header  Host $host;
+        proxy_set_header  X-Real-IP $remote_addr;
+        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Host $server_name;
+      }
+      
+      expires -1;
+      add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+
+      proxy_pass  http://runner;
+      proxy_redirect  off;
+      proxy_set_header  Cookie $http_cookie;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    location ^~ /ws/ {
+      proxy_pass  http://websocket-worker;
+      proxy_redirect  off;
+      proxy_set_header  Cookie $http_cookie;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+      
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+    }
+    
+    location ^~ /app/ {
+      location ~* \.(?:css|js|woff|woff2|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+
+        proxy_pass  http://main;
+        proxy_redirect  off;
+        proxy_set_header  Cookie $http_cookie;
+        proxy_set_header  Host $host;
+        proxy_set_header  X-Real-IP $remote_addr;
+        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Host $server_name;
+      }
+      
+      expires -1;
+      add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+
+      proxy_pass  http://main;
+      proxy_redirect  off;
+      proxy_set_header  Cookie $http_cookie;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+    
+    # Static assets for website (including /media/ subdirectory)
+     location ~* ^/.+\.(?:css|js|woff|woff2|ttf|eot|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {   
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+
+        proxy_pass  http://website;
+        proxy_redirect  off;
+        proxy_set_header  Cookie $http_cookie;
+        proxy_set_header  Host $host;
+        proxy_set_header  X-Real-IP $remote_addr;
+        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    # Website SSR routes (rate limited)
+    location ~ ^/(library(/[^/]+)?|login(/(reset|change))?|signup)?$ {
+      limit_req zone=website burst=10 nodelay;
+
+      expires -1;
+      add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+
+      proxy_pass  http://website;
+      proxy_redirect  off;
+      proxy_set_header  Cookie $http_cookie;
+      proxy_set_header  Host $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  X-Forwarded-Host $server_name;
+    }
+
+    # Catch-all for junk requests
+    location /  {
+      try_files $uri $uri/ /error-404.html =404;
+    }
+  }
+}
--- a/gitops/charts/onelab/files/rabbit-definitions.json
+++ b/gitops/charts/onelab/files/rabbit-definitions.json
@@ -0,0 +1,20 @@
+{
+    "rabbit_version": "3.6.5",
+    "users": [
+    ],
+    "vhosts": [
+        {
+            "name": "devices"
+        },
+        {
+            "name": "internal"
+        }
+    ],
+    "permissions": [
+      ],
+    "parameters": [],
+    "policies": [],
+    "queues": [],
+    "exchanges": [],
+    "bindings": []
+}
--- a/gitops/charts/onelab/files/rabbit.conf
+++ b/gitops/charts/onelab/files/rabbit.conf
@@ -0,0 +1,54 @@
+# Auth server config
+
+auth_backends.1             = cache
+
+auth_cache.cached_backend   = http
+auth_cache.cache_ttl        = 5000
+
+auth_http.user_path         = http://revproxy/api/v1/rmq/user
+auth_http.vhost_path        = http://revproxy/api/v1/rmq/vhost
+auth_http.resource_path     = http://revproxy/api/v1/rmq/resource
+auth_http.topic_path        = http://revproxy/api/v1/rmq/topic
+
+listeners.ssl.default = 5671
+
+# generated with "cat server.crt server.key > server.pem"
+# fullchain
+ssl_options.cacertfile = /etc/rabbitmq/ssl/rabbit.fullchain.pem 
+
+ssl_options.certfile   = /etc/rabbitmq/ssl/rabbit.crt
+ssl_options.keyfile    = /etc/rabbitmq/ssl/rabbit.key
+
+# not very secure
+ssl_options.verify     = verify_peer
+ssl_options.fail_if_no_peer_cert = false
+
+# for TLS version and cipher
+ssl_options.versions.1 = tlsv1.2
+
+# these MUST be disabled if TLSv1.3 is used
+ssl_options.honor_cipher_order   = true
+ssl_options.honor_ecc_order      = true
+
+# These are highly recommended for TLSv1.2 but cannot be used
+# with TLSv1.3. If TLSv1.3 is enabled, these lines MUST be removed.
+ssl_options.client_renegotiation = false
+ssl_options.secure_renegotiate   = true
+
+ssl_options.ciphers.1  = ECDHE-ECDSA-AES256-GCM-SHA384
+ssl_options.ciphers.2  = ECDHE-RSA-AES256-GCM-SHA384
+ssl_options.ciphers.3  = ECDH-ECDSA-AES256-GCM-SHA384
+ssl_options.ciphers.4  = ECDH-RSA-AES256-GCM-SHA384
+ssl_options.ciphers.5  = DHE-RSA-AES256-GCM-SHA384
+ssl_options.ciphers.6  = DHE-DSS-AES256-GCM-SHA384
+ssl_options.ciphers.7  = ECDHE-ECDSA-AES128-GCM-SHA256
+ssl_options.ciphers.8  = ECDHE-RSA-AES128-GCM-SHA256
+ssl_options.ciphers.9  = ECDH-ECDSA-AES128-GCM-SHA256
+ssl_options.ciphers.10 = ECDH-RSA-AES128-GCM-SHA256
+ssl_options.ciphers.11 = DHE-RSA-AES128-GCM-SHA256
+ssl_options.ciphers.12 = DHE-DSS-AES128-GCM-SHA256
+
+management.load_definitions = /opt/definitions.json
+
+# For connection events
+event_exchange.vhost = devices
				`@@ -0,0 +1 @@`
				`[rabbitmq_auth_backend_http, rabbitmq_auth_backend_cache, rabbitmq_management, rabbitmq_event_exchange].`