fc621cdf81527400bf5ad1eec33baed7a5fe573e
179 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
fc621cdf81 |
fix(mail): drop contacts from the EAS bundle — Stalwart 404s empty addressbook homes
ci / changes (push) Successful in 3s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / tc_website (push) Successful in 20s
ci / tc_portal (push) Successful in 26s
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / build_zpush (push) Successful in 11s
ci / build_portal (push) Successful in 41s
ci / deploy (push) Successful in 39s
BackendCombined login is all-or-nothing, and Stalwart returns 404 for /dav/card/<account>/ when the account's default address book was never created (it doesn't auto-create on the gateway's PROPFIND the way the calendar home worked) — so CardDAV killed every otherwise-successful EAS login. Exchange accounts now bundle mail + calendar; contacts stay on the Apple-profile CardDAV path. Re-enable BackendCardDAV once platform-api provisions a default address book at mailbox creation. Copy/docs aligned: portal hint, SERVICES.md, website FAQ (da+en). |
||
|
|
9bc89bcd5d |
fix(mail): vendor AWL — Z-Push's CalDAV client requires it at login
ci / changes (push) Successful in 4s
ci / tc_portal (push) Has been skipped
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / build_zpush (push) Successful in 17s
ci / deploy (push) Successful in 25s
include/z_caldav.php needs XMLDocument.php from AWL (Andrew's Web Libraries); the Debian z-push packages pull php-awl in automatically but bookworm dropped the package, so vendor it from upstream at r0.65 into /usr/share/awl/inc (already on Z-Push's include_path). Only surfaces on *authenticated* requests: combined login hits IMAP first, so fake-credential smoke tests never reach the CalDAV class. Hardening from the same incident: a build-time class-load smoke test fails the image if any backend dependency is missing, and zend.exception_ignore_args stops uncaught fatals from logging the raw passwords Z-Push passes through Logon(). |
||
|
|
959223c044 |
fix(mail): restore upstream IMAP config constants zpush dropped
ci / changes (push) Successful in 3s
ci / tc_portal (push) Has been skipped
ci / tc_booking (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / build_zpush (push) Successful in 7s
ci / deploy (push) Successful in 26s
The replacement imap.config.php omitted constants the backend references unconditionally — SYSTEM_MIME_TYPES_MAPPING 500'd every authenticated request (backend construction, before login, so the unauthenticated 401 smoke tests never hit it). Define all remaining upstream constants with their defaults so the replacement file can never be narrower than the template it replaces. |
||
|
|
69e81757fd |
docs(mail): correct ActiveSync claims + honest client-compat copy
ci / changes (push) Successful in 4s
ci / tc_booking (push) Successful in 21s
ci / tc_portal (push) Successful in 26s
ci / tc_operator (push) Successful in 23s
ci / tc_platform_api (push) Successful in 22s
ci / test_platform_api (push) Successful in 33s
ci / tc_website (push) Successful in 22s
ci / build_booking (push) Successful in 9s
ci / build_zpush (push) Successful in 1m2s
ci / build_portal (push) Successful in 41s
ci / build_operator (push) Successful in 4s
ci / build_platform_api (push) Successful in 4s
ci / deploy (push) Successful in 43s
Stalwart never had ActiveSync built in — that now comes from the zpush gateway. SERVICES.md gains a zpush section with debug commands; website copy (da+en) states what actually works: IMAP everywhere, CalDAV/CardDAV, Exchange accounts in the phone's built-in apps, CalDAV Synchronizer for Outlook on Windows. |
||
|
|
7dd61e433f |
feat(portal): Exchange account setup hint on the Users page
Mailbox section now explains adding the mailbox as an Exchange account on iPhone/Android (built-in apps, not the Outlook app) and points Windows Outlook users at the CalDAV Synchronizer add-in. Apple profile header comment updated — EAS now exists via the zpush gateway, but the .mobileconfig stays the preferred Apple path. |
||
|
|
58a2c8077d |
feat(mail): Z-Push Exchange ActiveSync gateway for mobile clients
Wraps Stalwart in EAS so iOS/Android native Mail/Calendar 'Exchange' accounts get two-way mail+calendar+contacts sync (BackendCombined: IMAP + CalDAV /dav/cal/%l/ + CardDAV, credentials pass through).
- services/zpush: Z-Push 2.6.4 (AGPLv3, see LICENSE-NOTES.md) on php:8.2-apache-bookworm (trixie dropped libc-client); PHP 8 sysv sprintf fatal sed-patched; autodiscover dispatcher answers mobilesync schema, proxies outlook schema to Stalwart unchanged
- prod: zpush Deployment (replicas:1, Recreate — file sync state), /Microsoft-Server-ActiveSync Ingress on mail.dezky.eu (no redirect, POST-heavy), autodiscover.dezky.eu repointed to the dispatcher, selectorless stalwart-imaps/-smtps Services (host-Stalwart is implicit-TLS only: 993/465, no plain 143/587 — verified on node1)
- CI: build+deploy zpush like the other apps
EAS tops out at 14.1: covers native mobile clients, NOT the Outlook mobile app (needs 16.1) and not new Outlook for Windows (no EAS). |
||
|
|
2e3c0f9188 |
docs(runbook): monitoring update — TCP-25 rationale + blacklist monitors
ci / tc_portal (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / changes (push) Successful in 3s
ci / tc_booking (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / deploy (push) Has been skipped
|
||
|
|
c6b6f8faec |
docs(runbook): HetrixTools monitoring (uptime monitors + node1 agent)
ci / changes (push) Successful in 4s
ci / tc_portal (push) Has been skipped
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / deploy (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_platform_api (push) Has been skipped
|
||
|
|
901cc69ba3 |
fix(auth): silent session renewal + 401 auto-recovery
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Successful in 20s
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / tc_portal (push) Successful in 26s
ci / build_platform_api (push) Has been skipped
ci / build_operator (push) Successful in 31s
ci / build_portal (push) Successful in 39s
ci / deploy (push) Successful in 41s
Idle sessions died and left a broken page: when the access token expired, nuxt-oidc-auth's automatic refresh had no refresh token to use — neither Authentik provider carried the offline_access scope mapping (and the operator never requested the scope), so the module cleared the session and every /api call 401'd until a manual F5 happened to re-auth through Authentik's still-alive SSO session.
Fix 1: offline_access end to end — scope mapping attached to both live providers (and blueprints, prod + dev), operator now requests the scope. Sessions renew server-side for up to 30 days of activity (Redis store + pinned token key from earlier make the refresh tokens durable).
Fix 2: client plugin in both apps — a 401 from /api sends the browser through /auth/oidc/login instead of leaving dead buttons; invisible when Authentik's session is alive, a clean sign-in screen when it isn't. Loop-guarded. Full sign-out behavior unchanged. |
||
|
|
33d6c23733 |
docs(stalwart): neutral SMTP banner in the white-label bootstrap notes
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / changes (push) Successful in 4s
ci / tc_portal (push) Has been skipped
ci / tc_booking (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / deploy (push) Has been skipped
Applied live: x:MtaStageConnect smtpGreeting now 'hostname + ESMTP' (default leaked 'Stalwart ESMTP at your service' to banner scanners). EHLO/IMAP greeting strings are hardcoded upstream — accepted for now. |
||
|
|
9195017904 |
fix(portal): Apple profile mail account labeled with the address
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / tc_portal (push) Successful in 25s
ci / build_portal (push) Successful in 38s
ci / deploy (push) Successful in 40s
Per Ronni: the Mail account shows the full address (ronni@dezky.eu) instead of the bare domain. Calendar/contacts keep the domain labels. |
||
|
|
a45d64d4ed |
fix(portal): Apple profile labels derive from the user's domain
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / tc_portal (push) Successful in 23s
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / build_portal (push) Successful in 45s
ci / deploy (push) Successful in 40s
'dezky mail (…)' in the customer's account list is the same white-label leak as 'Stalwart Calendar' one layer up — partner tenants must see THEIR domain, not the platform brand. Every user-visible label in the .mobileconfig (account descriptions, payload names, organization) now derives from the address's own domain. |
||
|
|
2b9a77c6b9 |
docs(stalwart): white-label groupware defaults in the bootstrap notes
ci / changes (push) Successful in 4s
ci / tc_portal (push) Has been skipped
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / deploy (push) Has been skipped
Stalwart names every account's default calendar 'Stalwart Calendar' and address book 'Stalwart Address Book' — visible in Apple Calendar/Contacts. Set to neutral 'Calendar'/'Contacts' on the live server (x:Calendar + x:AddressBook singletons via management JMAP, existing ronni@dezky.eu collections renamed); recorded as bootstrap step 4 for rebuilds. |
||
|
|
6667d18db0 |
feat(portal): sign Apple profiles — Verified instead of 'unsigned' warning
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / tc_portal (push) Successful in 26s
ci / build_portal (push) Successful in 49s
ci / deploy (push) Successful in 42s
Unsigned .mobileconfig installs trip macOS warnings ('unknown developer')
and an extra System Settings hunt. The route now wraps the profile in
PKCS#7 SignedData (node-forge, SHA-256, full chain embedded) using the
portal's own cert-manager LE certificate mounted read-only into the pod
(PROFILE_SIGN_CERT/KEY). Publicly-trusted chain → Apple shows Verified.
Dev (no env) and any signing failure fall back to unsigned — the
download must never break over the badge. Signature round-trip verified
with openssl smime.
|
||
|
|
77898c5027 |
feat(mail): CalDAV/CardDAV exposed + in the Apple profile
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Successful in 23s
ci / tc_portal (push) Successful in 26s
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / test_platform_api (push) Successful in 33s
ci / build_portal (push) Successful in 43s
ci / build_platform_api (push) Successful in 16s
ci / deploy (push) Successful in 43s
DAV was internal-only (the node's :443 is Traefik's). New mail-dav Ingress routes /.well-known/caldav, /.well-known/carddav and /dav on mail.dezky.eu through to Stalwart — with the HTTPS-redirect middleware (safe for DAV's GET/PROPFIND; kept OFF the autodiscover Ingress whose POSTs don't survive redirects). The _caldavs/_carddavs SRV records are now legitimate, so the Domains page surfaces them, and the Apple .mobileconfig gains CalDAV + CardDAV payloads: one install sets up Mail, Calendar and Contacts on Mac/iPhone. Stalwart's STALWART_PUBLIC_URL is set to https://mail.dezky.eu on the host (discovery documents). |
||
|
|
716d854b3d |
fix(ci): grant ci-deployer Endpoints write (admin role excludes it)
ci / tc_portal (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / deploy (push) Successful in 7s
The deploy failed creating the selectorless stalwart-http Service's Endpoints: since the CVE-2021-25740 hardening the namespaced 'admin' role no longer grants write on legacy Endpoints. Explicit endpoints + endpointslices rules on the ci-deployer role (already applied live); manifest comment touch retriggers the infra apply. |
||
|
|
88ac5e620c |
feat(mail): Outlook/Thunderbird autodiscovery over HTTPS
ci / changes (push) Successful in 4s
ci / tc_portal (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_booking (push) Has been skipped
ci / tc_platform_api (push) Successful in 21s
ci / build_portal (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / test_platform_api (push) Successful in 33s
ci / build_platform_api (push) Successful in 19s
ci / deploy (push) Failing after 9s
Outlook autodiscovers via POST https://autodiscover.<domain>/autodiscover/autodiscover.xml and Thunderbird via autoconfig.<domain>/mail/config-v1.1.xml — Stalwart serves both (verified, answers carry mail.dezky.eu:993/465) but its HTTP listener wasn't reachable from outside (the node's :443 is Traefik's). New exact-path-only Ingress routes JUST those discovery endpoints to host-Stalwart via a selectorless Service + Endpoints on the cni0 gateway; the admin/management surface stays internal, and there's no HTTPS-redirect middleware because Thunderbird probes plain HTTP and Outlook POSTs. Domains page now also lists the autoconfig/autodiscover CNAMEs under the autodiscovery slot (CNAME verified against the mail host; a bare A record warns instead of failing). Customer-domain autodiscovery (per-domain certs + automated Ingress) is a follow-up. |
||
|
|
221179c4db |
feat(portal): Apple Mail profile download on user rows + drawer
ci / changes (push) Successful in 3s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / tc_portal (push) Successful in 25s
ci / build_portal (push) Successful in 41s
ci / deploy (push) Successful in 40s
The .mobileconfig button only lived on the transient credential dialogs (invite/create/reset results) — nowhere to fetch a profile for an existing mailbox. Row kebab menu gains 'Download Apple Mail profile' (mailbox users only) and the user drawer shows the button next to the mailbox address. |
||
|
|
d964efcab7 |
fix(portal): localPart is string | undefined under noUncheckedIndexedAccess
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / changes (push) Successful in 4s
ci / build_portal (push) Successful in 50s
ci / deploy (push) Successful in 39s
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / tc_portal (push) Successful in 26s
split('@')[0] needs a fallback even though the email regex guarantees the
separator — portal typecheck (CI) rejected the mobileconfig route.
|
||
|
|
a5d82903af |
fix(ci): deploy only apps whose build actually succeeded
ci / tc_operator (push) Successful in 22s
ci / tc_website (push) Successful in 19s
ci / build_booking (push) Successful in 41s
ci / deploy (push) Successful in 8s
ci / build_operator (push) Successful in 37s
ci / build_platform_api (push) Successful in 36s
ci / tc_portal (push) Failing after 26s
ci / build_portal (push) Has been skipped
ci / changes (push) Successful in 4s
ci / tc_booking (push) Successful in 22s
ci / tc_platform_api (push) Successful in 22s
ci / test_platform_api (push) Successful in 32s
When an app's typecheck failed, its build job was SKIPPED — which the
deploy condition tolerates (so other apps still ship) — but the deploy
script keyed on the change flags alone and pinned the never-built image
tag, ImagePullBackOff'ing the app (happened to portal on
|
||
|
|
acf0d082e4 |
feat(portal): one-click Apple Mail setup via .mobileconfig
Apple Mail ignores RFC 6186 SRV autodiscovery and 'Microsoft Exchange' needs EWS/EAS that Stalwart doesn't speak — so custom-domain users were stuck typing IMAP/SMTP servers manually. New session-gated portal route generates an Apple configuration profile (IMAP 993 + SMTP 465 on the runtime mail host, username = address, NO password embedded — profiles are plaintext, Apple prompts at install). 'Add to Apple Mail' buttons on the three credential screens (invite result, mailbox created, password reset). CalDAV/CardDAV payloads join when DAV is reachable from outside (the node's :443 belongs to Traefik for now). |
||
|
|
38fb0f586e |
fix(portal): checks map includes the autodiscovery kind
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / tc_portal (push) Successful in 22s
ci / build_portal (push) Successful in 44s
ci / build_platform_api (push) Has been skipped
ci / deploy (push) Successful in 40s
DomainView.checks was a hardcoded five-kind union, so indexing it with the
new autodiscovery RecordKey failed the portal typecheck (CI red on
|
||
|
|
f6bac10ff3 |
feat(domains): surface autodiscovery SRV records (RFC 6186)
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Successful in 20s
ci / tc_portal (push) Failing after 27s
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / test_platform_api (push) Successful in 33s
ci / build_platform_api (push) Successful in 15s
ci / deploy (push) Failing after 3m5s
Mail clients could never autoconfigure: Stalwart's zone file contains the _imaps/_submissions/_pop3s SRV records but classify() dropped everything except mx/spf/dkim/dmarc, so customers never saw them and every client needed manual server entry. New 'autodiscovery' record kind: classified from the zone (only the services actually reachable in prod — the _jmap/_caldavs SRVs target :443 which Traefik owns, deferred to the webmail story), verified via resolveSrv (missing=bad, wrong target=warn), shown as an OPTIONAL slot on the portal Domains page that never gates the domain status or the records-to-fix nag. Also fixed on the live server via management JMAP (x:SystemSettings): hostname was the machine name node1.dezky.eu from the v0.16 auto-bootstrap — MX/SRV targets and the SMTP banner now say mail.dezky.eu, and the LE x:Certificate is set as defaultCertificateId. |
||
|
|
e77a963390 |
feat(infra): real TLS for mail.dezky.eu
ci / changes (push) Successful in 3s
ci / tc_portal (push) Has been skipped
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / deploy (push) Has been skipped
The cert-sync timer waited forever for a mail/mail-tls secret no
Certificate resource ever requested — Stalwart served self-signed certs
since install, so mail clients refused the IMAP handshake ('cannot verify
account name or password' in Apple Mail). Adds the cert-manager
Certificate (HTTP-01 via Traefik on :80) and documents the v0.16 wrinkle:
TLS files aren't read from config anymore; a one-time file-backed
x:Certificate object (created via management JMAP) points at the synced
paths, after which cert-sync renewals keep working unchanged. Verified:
:993 now serves the Let's Encrypt cert, verify rc=0.
|
||
|
|
83214eb379 |
feat(tenants): isPlatformTenant flag replaces PLATFORM_TENANT_SLUG
ci / changes (push) Successful in 4s
ci / tc_portal (push) Has been skipped
ci / tc_booking (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Successful in 22s
ci / tc_operator (push) Successful in 22s
ci / build_portal (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Successful in 30s
ci / test_platform_api (push) Successful in 34s
ci / build_platform_api (push) Successful in 15s
ci / deploy (push) Successful in 42s
Identifying the company tenant by slug in env was fragile — every purge/recreate changed the slug (or id) and the apex guard chased reality through three config flips in one day. The identity now lives ON the tenant document: isPlatformTenant, operator-set from the tenant page (single holder — setting it clears the flag everywhere else), guarded so tenant admins can't set it on themselves through the shared PATCH route. The dezky.eu apex guard reads the flag; PLATFORM_TENANT_SLUG is gone. Dev seed flags its seeded tenant. config-rev 5 rolls platform-api. |
||
|
|
eefe1b3ec3 |
fix(infra): platform tenant is dezky-aps; disable prod seeding
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / tc_portal (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / deploy (push) Successful in 41s
The recreated company tenant got slug dezky-aps (wizard auto-derives from the display name 'Dezky ApS'), so the dezky.eu apex guard 409'd it while the config still said 'dezky'. Also SEED_ENABLED=false in prod — the seeder resurrected a ghost 'dezky' tenant on every platform-api boot, which is how the slug landscape kept shifting. config-rev 4 rolls the pods. |
||
|
|
2bc302c082 |
feat(operator): partner-style tenant provisioning wizard + admin invite
ci / tc_portal (push) Has been skipped
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Successful in 22s
ci / tc_operator (push) Successful in 24s
ci / build_portal (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / test_platform_api (push) Successful in 32s
ci / build_operator (push) Successful in 31s
ci / build_platform_api (push) Successful in 15s
ci / deploy (push) Successful in 41s
The minimal create modal silently dropped adminName/adminEmail — the invite only existed in the partner wizard's server path. Operator now gets the same 5-step wizard UX (organization, domain, first admin, plan with live price catalog, review) composed client-side: POST /tenants creates + provisions, then POST /users/invite-tenant-admin (new, operator-only — lives in UsersModule because UsersModule already imports TenantsModule and the reverse would be circular) runs the same inviteTenantAdmin flow the partner gets, and the result view hands over the single-use recovery link or temp password. Tenant detail page gains an Invite admin action for retries/successors. PLATFORM_TENANT_SLUG back to 'dezky' (the recreated company tenant) + config-rev bump to roll platform-api. |
||
|
|
fb4ff48617 |
feat(tenants): hard-delete (purge) for soft-deleted tenants
ci / tc_portal (push) Has been skipped
ci / build_operator (push) Successful in 30s
ci / test_platform_api (push) Successful in 33s
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Successful in 24s
ci / tc_operator (push) Successful in 24s
ci / build_portal (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_platform_api (push) Successful in 15s
ci / deploy (push) Successful in 40s
Soft-delete kept the slug occupied forever — no way to remove a test tenant and reuse its name, and external resources lingered. DELETE /tenants/:slug/purge (platform-admin only, two-step: refuses anything not already soft-deleted) tears down the Stalwart service + customer domains (never the platform apex — the management admin account lives there) and the Authentik group, then removes domains/subscriptions/invoices/user links/the tenant doc. Audit trail is kept. Operator detail page shows a 'Purge permanently' card once a tenant is soft-deleted. |
||
|
|
25d932d3c1 |
fix(domains): platform tenant slug is configurable (prod: dezky-aps)
ci / changes (push) Successful in 4s
ci / tc_portal (push) Has been skipped
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Successful in 23s
ci / build_portal (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / test_platform_api (push) Successful in 32s
ci / build_platform_api (push) Successful in 18s
ci / deploy (push) Successful in 41s
The company tenant ended up as slug dezky-aps (the seeded 'dezky' tenant was deleted), so the hardcoded apex allowance for slug 'dezky' would have rejected adding dezky.eu to the real tenant. PLATFORM_TENANT_SLUG env (default 'dezky') now names the only tenant allowed to claim the PLATFORM_TENANT_DOMAIN apex. |
||
|
|
f66a343472 |
fix(infra): Stalwart v0.16 management admin is a real account (admin@dezky.eu)
ci / changes (push) Successful in 3s
ci / tc_operator (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / tc_portal (push) Has been skipped
ci / tc_booking (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / deploy (push) Successful in 42s
The v0.16 config migration silently dropped the fallback admin — the live server had ZERO accounts, so every platform-api JMAP call 401'd and tenant mail provisioning was dead. Bootstrapped via recovery mode on node1 (STALWART_RECOVERY_ADMIN): created the dezky.eu domain + an admin account with the Admin role and the existing STALWART_ADMIN_PASSWORD. v0.16 logins use the full address, so STALWART_ADMIN_USER becomes admin@dezky.eu; config-rev annotation bump rolls platform-api so it picks up the new env. install.sh follow-ups now document the recovery-mode bootstrap for rebuilds instead of the defunct fallback-admin promise. |
||
|
|
a43a172449 |
feat(domains): reserve the platform namespace + one workspace per domain
ci / changes (push) Successful in 4s
ci / tc_portal (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / test_platform_api (push) Successful in 34s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Successful in 23s
ci / build_portal (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_platform_api (push) Successful in 18s
ci / deploy (push) Successful in 41s
dezky.eu doubles as the platform's infrastructure domain AND the company's
own employee mail domain (added to the dezky tenant via the normal Domains
flow). Guard rails in DomainsService.add:
- a domain already used by ANY other workspace is rejected — Stalwart's
idempotent ensureDomain would otherwise silently share one mail domain
(and its mailboxes) between tenants
- the PLATFORM_TENANT_DOMAIN apex is claimable only by the dezky tenant;
everything under it (per-tenant service domains, auth/api/mail/* infra
hosts) is reserved outright
Set PLATFORM_TENANT_DOMAIN=dezky.eu in the prod ConfigMap (was unset, so
prod service domains would have been {slug}.dezky.local) and align the
seeded dezky tenant's display domain with the environment.
|
||
|
|
4907d0a856 |
feat(ci): change-gated pipeline — only test/build/deploy what changed
ci / changes (push) Successful in 3s
ci / tc_booking (push) Successful in 22s
ci / tc_portal (push) Successful in 23s
ci / tc_platform_api (push) Successful in 21s
ci / tc_operator (push) Successful in 24s
ci / tc_website (push) Successful in 22s
ci / test_platform_api (push) Successful in 33s
ci / build_booking (push) Successful in 12s
ci / build_portal (push) Successful in 5s
ci / build_operator (push) Successful in 5s
ci / build_platform_api (push) Successful in 4s
ci / deploy (push) Successful in 41s
A 'changes' job diffs the push range (github.event.before..sha; falls back to everything on first/force pushes and when this workflow file itself changes) and gates per-app typecheck/test/build jobs. Deploy is asymmetric on purpose: app-only changes roll just the changed Deployments via kubectl set image; manifest changes (fleet/apps/**) apply the kustomization with every app pinned to its live image (or this push's sha) so an apply never resets unchanged apps to :latest. Docs-only pushes run nothing. |
||
|
|
94270c1f22 |
fix(health): env-driven infrastructure probe targets
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 20s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 22s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 28s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 22s
ci / test (push) Successful in 30s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 23s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 10s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 31s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 15s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 38s
ci / deploy (push) Successful in 42s
The operator infrastructure page probed docker-compose hostnames (stalwart/postgres/redis/traefik…) which don't resolve in k3s — 7 of 9 services showed down. Probe targets now come from HEALTH_* env vars with the compose names as dev defaults; platform-api-config.yaml sets the in-cluster/host addresses. 'disabled' omits a service from the report — used for OCIS/Collabora until the files tier is deployed. |
||
|
|
0840efb759 |
fix(operator,portal): env-driven sign-out URLs + host labels (no more .local in prod)
Operator sign-out hardcoded the dev Authentik end-session URL, so prod logout landed on auth.dezky.local. Mirror the portal's env-driven pattern (NUXT_PUBLIC_AUTH_URL/NUXT_PUBLIC_OPERATOR_URL with .local fallbacks). Expose authUrl/operatorUrl via public runtimeConfig and use them for the Authentik admin links and the cosmetic host labels (sidebar, eyebrows, auth-page hints). Portal: signed-out + webmail copy now derive their hosts from runtime config (new public.mailUrl, NUXT_PUBLIC_MAIL_URL in prod). |
||
|
|
45ed282eed |
fix(auth): unmount the module's build-time oidc mount before Redis mount
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 20s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 22s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 21s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 22s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 21s
ci / test (push) Successful in 31s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 30s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 5s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 38s
ci / deploy (push) Successful in 42s
nuxt-oidc-auth registers its own 'oidc' storage mount at build, so
storage.mount('oidc', …) at runtime threw 'already mounted at oidc:' and
crash-looped the new pods. Unmount the memory mount first.
|
||
|
|
91134c94f5 |
feat(auth): Redis-backed OIDC sessions for portal + operator
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 19s
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 22s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 28s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 23s
ci / test (push) Successful in 31s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 43s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 5s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 51s
ci / deploy (push) Failing after 3m42s
nuxt-oidc-auth persists sessions via useStorage('oidc'), whose default
mount is per-pod memory — broken at >1 replica (random 401s) and every
deploy logged all users out. A nitro plugin now mounts 'oidc' on the
dezky-data Redis (db 1, app-prefixed keys, 14d TTL) when SESSION_REDIS_URL
is set; dev keeps the memory driver with no Redis required. Replicas back
to 2 for both apps.
|
||
|
|
fd0c5d011b |
fix(infra): single replica for portal/operator (per-pod OIDC sessions)
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 22s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 24s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 21s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 26s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 21s
ci / test (push) Successful in 30s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 10s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 9s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 6s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 6s
ci / deploy (push) Successful in 41s
nuxt-oidc-auth stores sessions in per-pod memory. With 2 replicas, any request balanced to the pod that didn't handle the login 401s — in practice roughly half of all operator API calls failed after sign-in. One replica until sessions move to shared storage (nitro storage on the dezky-data Redis), then scale back up. Already scaled live; this pins the manifests so the next deploy doesn't undo it. |
||
|
|
83212d7c23 |
feat(operator): create direct tenants from the operator portal
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 19s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 21s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 18s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 27s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 21s
ci / test (push) Successful in 29s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 5s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 5s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 29s
ci / deploy (push) Successful in 40s
The operator could list and inspect tenants but had no create flow — tenant creation only existed as the partner-portal wizard, which always attaches a partnerId. Platform-api's POST /tenants (platform-admin only, no partner field) was already built for this; add the missing UI: a New tenant modal on the tenants page (slug, name, plan/cycle/currency/seats, optional primary mail domain + first-admin invite) and the server proxy route. Operator-created tenants are direct customers; attach a partner later if needed. |
||
|
|
b155e34fe6 |
fix(infra): runtime OIDC overrides for prod portal/operator login
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 20s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 24s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 26s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 9s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 18s
ci / test (push) Successful in 34s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 6s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 6s
ci / deploy (push) Successful in 41s
CI builds the Nuxt images with no env, so nuxt.config bakes empty OIDC client creds and .local Authentik URLs into runtimeConfig — sign-in dead-ended on the app's own /auth/login. Nitro env overrides only apply when the var name matches the runtimeConfig path (oidc.providers.oidc.* -> NUXT_OIDC_PROVIDERS_OIDC_*), so production secrets need that second set of names; the plain NUXT_OIDC_* ones only work in dev. Also pin NUXT_OIDC_TOKEN_KEY/AUTH_SESSION_SECRET so sessions survive pod restarts. Live secrets patched on the cluster accordingly. |
||
|
|
3b9b06a99b |
docs(runbook): app tier + push-to-deploy CI/CD flow
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 20s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 23s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 20s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 26s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 22s
ci / test (push) Successful in 32s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 9s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 6s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 5s
ci / deploy (push) Successful in 41s
Bring the runbook up to the 2026-06-10 state: app tier + CI/CD in current state, a Deploy flow section (push to main = release, rollback, break-glass, required Gitea secrets), reproduce steps 8-9 (app tier secrets+apply, CI runner + ci-deployer with the runner gotchas), per-router ACME-safe redirect instead of the old global one, platform-api key read-back for Bitwarden, and a pruned TODO list. |
||
|
|
9a58e486e3 |
docs(fleet): note verified push-to-deploy pipeline
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 21s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 23s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 21s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 26s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 23s
ci / test (push) Successful in 31s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 9s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 6s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 5s
ci / deploy (push) Successful in 41s
|
||
|
|
323c46fba1 |
fix(ci): share dind's unix socket with the runner (jobs need a mountable docker host)
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 42s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 45s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 21s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 26s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 20s
ci / test (push) Successful in 32s
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 34s
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 46s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 35s
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 49s
ci / deploy (push) Successful in 45s
gitea/runner can only bind-mount a UNIX-socket docker host into job containers — the old tcp://localhost:2376 + TLS daemon address cannot be mounted, so build jobs still had no docker API. Share dind's /var/run/docker.sock with the runner via a /var/run emptyDir and drop the DOCKER_HOST/TLS env; the runner auto-finds the socket and the bind path resolves inside dind where the socket lives. |
||
|
|
1114be6c93 |
fix(ci): expose the dind docker host to job containers
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 45s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 50s
ci / build (map[dir:apps/operator name:operator]) (push) Failing after 5s
ci / deploy (push) Has been skipped
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 27s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 24s
ci / test (push) Successful in 35s
ci / build (map[dir:apps/booking name:booking]) (push) Failing after 7s
ci / build (map[dir:apps/portal name:portal]) (push) Failing after 5s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Failing after 6s
gitea/runner 1.x no longer auto-mounts the docker daemon into job containers (act_runner 0.2.x did), so 'docker build' in the build jobs failed with 'cannot connect to /var/run/docker.sock'. container.docker_host "" restores find-and-mount. |
||
|
|
3590c356a4 |
fix(ci): registry login via REGISTRY_TOKEN PAT
ci / build (map[dir:apps/booking name:booking]) (push) Failing after 6s
ci / deploy (push) Has been skipped
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 24s
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 24s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 28s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 23s
ci / test (push) Successful in 31s
ci / build (map[dir:apps/operator name:operator]) (push) Failing after 6s
ci / build (map[dir:apps/portal name:portal]) (push) Failing after 6s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Failing after 6s
The per-job GITHUB_TOKEN is no longer accepted by the container registry's /v2/ basic-auth endpoint since the act_runner -> gitea/runner switch (login fails 'unauthorized' before push). Use a personal access token with package read+write scope, provided as the REGISTRY_TOKEN repo secret. |
||
|
|
ec707643d6 |
fix(ci): act_runner 0.2.11 -> gitea/runner 1.0.8
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 45s
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 48s
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 28s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 20s
ci / test (push) Successful in 33s
ci / build (map[dir:apps/booking name:booking]) (push) Failing after 5s
ci / build (map[dir:apps/operator name:operator]) (push) Failing after 6s
ci / build (map[dir:apps/portal name:portal]) (push) Failing after 5s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Failing after 5s
ci / deploy (push) Has been skipped
Gitea 1.26 never marked finished jobs complete with the deprecated act_runner 0.2.11: the runner ran the job, logged 'Job succeeded' and freed its slot, but Gitea kept the job 'Running' forever, so dependent jobs (build -> deploy) were never dispatched. gitea/runner is the successor project; config, env vars and the .runner registration file are unchanged. |
||
|
|
c60937c5cb |
feat(ci): deploy to k3s straight from the pipeline (drop Flux plan)
ci / build (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / build (map[dir:apps/operator name:operator]) (push) Has been cancelled
ci / build (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / build (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / deploy (push) Has been cancelled
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / typecheck (map[dir:apps/operator name:operator]) (push) Has been cancelled
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
Push to main = release: after build, a deploy job pins each app image to the commit SHA (kustomize edit set image), kubectl-applies fleet/apps and waits for the rollouts. The runner already runs in-cluster, so it reaches the API server on the in-cluster service IP with a kubeconfig for the new ci-deployer ServiceAccount (namespace-scoped admin, KUBECONFIG_B64 repo secret). The drafted Flux sync/image-automation layer is removed — a GitOps controller plus bot tag-bump commits is more machinery than a single-node cluster needs. Sortable image tags and $imagepolicy markers go with it. Also: per-router ACME-safe HTTP->HTTPS redirects for the app ingresses, platform-api prod config completed (Authentik JWT/JWKS + admin API, Stalwart via the cni0 gateway IP, OCIS/cold-storage placeholders until those tiers exist) and the secrets template/README updated to match. |
||
|
|
52e0f5e375 |
feat(operator): production build + k3s deployment
- Dockerfile for the operator app (same pattern as portal/booking).
- Env-driven auth/app base URLs in nuxt.config so one build serves dev (.local) and production (.eu).
- Deployment + Service + Ingress on operator.dezky.eu.
- Add operator to the typecheck matrix.
|
||
|
|
d02eb5ec50 |
fix(authentik): pin chart 2026.5.2, grant_types allowlist, portal redirect URI
- Pin the helm-controller chart version (unset = silent latest upgrades) and move the image tag under global.image per the 2026.5 chart layout.
- Authentik 2026.5 enforces a per-provider grant_types allowlist; empty list rejected every authorize request. Allow authorization_code + refresh_token for portal and operator providers.
- Fix the portal redirect URI to the nuxt-oidc-auth callback path.
- Serve the auth ingress on :80 with a per-router HTTPS redirect so the cert-manager HTTP-01 solver keeps working.
|
||
|
|
c814bfdf3b |
feat(ci): build + push app images to the Gitea registry
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 20s
ci / test (push) Failing after 12m29s
ci / typecheck (map[dir:apps/website name:website]) (push) Failing after 12m55s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Failing after 14m6s
ci / typecheck (map[dir:apps/booking name:booking]) (push) Failing after 14m8s
ci / build (map[dir:services/platform-api name:platform-api]) (push) Failing after 14m4s
ci / build (map[dir:apps/portal name:portal]) (push) Failing after 14m54s
ci / build (map[dir:apps/booking name:booking]) (push) Failing after 14m56s
After typecheck + test pass on main, build portal/booking/platform-api images (matrix) via the dind sidecar and push to git.lastcloud.io tagged latest + SHA. Auth uses the runner's job token against the same Gitea instance. |
||
|
|
e3ce011674 |
fix(ci): drop actions/setup-node — use runner image's node (fixes ETXTBSY)
ci / typecheck (map[dir:apps/portal name:portal]) (push) Failing after 10m29s
ci / typecheck (map[dir:apps/booking name:booking]) (push) Failing after 10m50s
ci / test (push) Failing after 13m22s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Failing after 14m11s
ci / typecheck (map[dir:apps/website name:website]) (push) Failing after 14m36s
actions/setup-node writes node into a tool-cache shared across concurrent jobs; with capacity>1 one job execs node while another writes it → "/usr/bin/env: 'node': Text file busy". The catthehacker runner image already ships node 24, and corepack (bundled) reads each app's packageManager — so setup-node is unneeded. Removing it eliminates the shared-cache race. |