chore: initial scaffold with running local stack and portal auth
Brings up Dezky's local development environment end-to-end: Infrastructure (docker-compose): - Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54) - Postgres + Mongo + Redis with healthchecks and init script for per-service users - Authentik 2025.10 (server + worker) as OIDC IdP - Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server) - OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes where the server reads - Collabora office, plus the portal + provisioning service stubs - Docker network aliases on Traefik so containers resolve auth.dezky.local etc. through the network (not host /etc/hosts) - Docker socket mount parameterized for macOS Docker Desktop symlink path Authentik provisioning (done via API after stack boot): - ocis-provider (public client) + OCIS Files application - dezky-portal provider (confidential) + Dezky Portal application - Admin API token bound to akadmin manually since 2025.10's AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row Portal (apps/portal): - Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset - Global auth middleware; login at /auth/oidc/login redirects to Authentik - Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark, Auth* sub-components, design tokens as CSS custom properties - Pages: auth/login, auth/expired, auth/disabled, index (post-login landing) - mkcert root CA mounted into the portal so Node fetch trusts Authentik's self-signed cert (NODE_EXTRA_CA_CERTS) — dev only Docs: - AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted alternative - NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and dev-mode caveats Dev-mode shortcuts that need to be revisited before prod: - skipAccessTokenParsing on the OIDC config - NODE_EXTRA_CA_CERTS mkcert mount - Bootstrap password still the generated value in .env - Authentik admin token (dezky-bootstrap-token) is non-expiring
This commit is contained in:
Ronni Baslund
@@ -0,0 +1,83 @@
|
||||
// Nuxt 3 configuration for Dezky portal
|
||||
// https://nuxt.com/docs/api/configuration/nuxt-config
|
||||
|
||||
export default defineNuxtConfig({
|
||||
compatibilityDate: '2026-01-01',
|
||||
devtools: { enabled: true },
|
||||
|
||||
modules: ['nuxt-oidc-auth'],
|
||||
|
||||
css: ['~/assets/styles/tokens.css', '~/assets/styles/base.css'],
|
||||
|
||||
app: {
|
||||
head: {
|
||||
link: [
|
||||
{ rel: 'preconnect', href: 'https://fonts.googleapis.com' },
|
||||
{ rel: 'preconnect', href: 'https://fonts.gstatic.com', crossorigin: '' },
|
||||
{
|
||||
rel: 'stylesheet',
|
||||
href: 'https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Inter+Tight:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600;700&display=swap',
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
|
||||
runtimeConfig: {
|
||||
mongodbUri: process.env.MONGODB_URI,
|
||||
apiBase: process.env.NUXT_API_BASE,
|
||||
public: {
|
||||
authUrl: process.env.NUXT_PUBLIC_AUTH_URL,
|
||||
portalUrl: process.env.NUXT_PUBLIC_PORTAL_URL,
|
||||
},
|
||||
},
|
||||
|
||||
oidc: {
|
||||
defaultProvider: 'oidc',
|
||||
session: {
|
||||
expirationCheck: true,
|
||||
automaticRefresh: true,
|
||||
},
|
||||
middleware: {
|
||||
globalMiddlewareEnabled: true,
|
||||
customLoginPage: true,
|
||||
},
|
||||
providers: {
|
||||
// Generic OIDC against our Authentik instance (provider preset key MUST be one of
|
||||
// apple, auth0, cognito, entra, github, keycloak, logto, microsoft, oidc, paypal, zitadel).
|
||||
oidc: {
|
||||
clientId: process.env.NUXT_OIDC_CLIENT_ID || '',
|
||||
clientSecret: process.env.NUXT_OIDC_CLIENT_SECRET || '',
|
||||
redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || '',
|
||||
authorizationUrl: 'https://auth.dezky.local/application/o/authorize/',
|
||||
tokenUrl: 'https://auth.dezky.local/application/o/token/',
|
||||
userInfoUrl: 'https://auth.dezky.local/application/o/userinfo/',
|
||||
logoutUrl: 'https://auth.dezky.local/application/o/dezky-portal/end-session/',
|
||||
// Discovery URL — used by id_token validation to fetch JWKS + issuer
|
||||
openIdConfiguration:
|
||||
'https://auth.dezky.local/application/o/dezky-portal/.well-known/openid-configuration',
|
||||
scope: ['openid', 'profile', 'email'],
|
||||
userNameClaim: 'preferred_username',
|
||||
responseType: 'code',
|
||||
grantType: 'authorization_code',
|
||||
pkce: true,
|
||||
// Authentik's access tokens aren't always parseable as JWT — skip strict parsing
|
||||
skipAccessTokenParsing: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
vite: {
|
||||
server: {
|
||||
hmr: {
|
||||
protocol: 'wss',
|
||||
clientPort: 443,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
nitro: {
|
||||
routeRules: {
|
||||
'/api/**': { cors: true },
|
||||
},
|
||||
},
|
||||
})
|
||||
Reference in New Issue
Block a user