chore(infra): production manifests + CI for scheduling apps
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
This commit is contained in:
Ronni Baslund
@@ -0,0 +1,52 @@
|
||||
# ─────────────────────────────────────────────────────────────────────────
|
||||
# Secret TEMPLATE — DO NOT COMMIT REAL VALUES.
|
||||
#
|
||||
# These are placeholders. In production, manage the real Secrets out-of-band
|
||||
# (sealed-secrets / SOPS / Rancher secret store), NOT in git. Copy this file,
|
||||
# fill in real values, and apply it separately — or render SealedSecrets from
|
||||
# it. The Deployments reference these Secrets by name via envFrom.
|
||||
#
|
||||
# Generate strong values with: openssl rand -hex 32
|
||||
# ─────────────────────────────────────────────────────────────────────────
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: platform-api-secrets
|
||||
namespace: dezky-apps
|
||||
type: Opaque
|
||||
stringData:
|
||||
# Mongo connection string for the in-cluster MongoDB (data tier namespace).
|
||||
MONGODB_URI: "mongodb://USER:PASSWORD@mongo.dezky-data.svc.cluster.local:27017/dezky?authSource=admin"
|
||||
# AES key used to encrypt stored scheduling credentials (e.g. CalDAV creds).
|
||||
SCHEDULING_CREDENTIAL_KEY: "REPLACE_WITH_openssl_rand_hex_32"
|
||||
# MUST equal the host's STALWART_ADMIN_PASSWORD (config.env on the AX41).
|
||||
STALWART_ADMIN_PASSWORD: "REPLACE_WITH_SAME_AS_HOST"
|
||||
# MUST equal the host's STALWART_WEBHOOK_SECRET (audit webhook HMAC).
|
||||
STALWART_WEBHOOK_SECRET: "REPLACE_WITH_SAME_AS_HOST"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: portal-secrets
|
||||
namespace: dezky-apps
|
||||
type: Opaque
|
||||
stringData:
|
||||
# Authentik OIDC client provisioned for the portal.
|
||||
NUXT_OIDC_CLIENT_ID: "REPLACE"
|
||||
NUXT_OIDC_CLIENT_SECRET: "REPLACE"
|
||||
NUXT_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/callback"
|
||||
# Public base URL of Authentik (used for login redirects + full sign-out).
|
||||
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
|
||||
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
|
||||
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: booking-secrets
|
||||
namespace: dezky-apps
|
||||
type: Opaque
|
||||
stringData:
|
||||
# Cloudflare Turnstile site key for the public booking form (public value,
|
||||
# env-injected so it can rotate without a rebuild).
|
||||
NUXT_PUBLIC_TURNSTILE_SITE_KEY: "REPLACE"
|
||||
Reference in New Issue
Block a user