ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
25d932d3c1af76094f6b6b1c19222b9a983300f0
dezky/infrastructure/production/fleet/apps/secrets.example.yaml
T
Ronni Baslund 91134c94f5
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 19s
Details
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 22s
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 28s
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 23s
Details
ci / test (push) Successful in 31s
Details
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
Details
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 43s
Details
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 5s
Details
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 51s
Details
ci / deploy (push) Failing after 3m42s
Details
feat(auth): Redis-backed OIDC sessions for portal + operator 
nuxt-oidc-auth persists sessions via useStorage('oidc'), whose default
mount is per-pod memory — broken at >1 replica (random 401s) and every
deploy logged all users out. A nitro plugin now mounts 'oidc' on the
dezky-data Redis (db 1, app-prefixed keys, 14d TTL) when SESSION_REDIS_URL
is set; dev keeps the memory driver with no Redis required. Replicas back
to 2 for both apps.
2026-06-10 18:48:16 +02:00

122 lines
6.9 KiB
YAML
Raw Blame History

# ─────────────────────────────────────────────────────────────────────────
# Secret TEMPLATE — DO NOT COMMIT REAL VALUES.
#
# These are placeholders. In production, manage the real Secrets out-of-band
# (sealed-secrets / SOPS / Rancher secret store), NOT in git. Copy this file,
# fill in real values, and apply it separately — or render SealedSecrets from
# it. The Deployments reference these Secrets by name via envFrom.
#
# Generate strong values with: openssl rand -hex 32
# ─────────────────────────────────────────────────────────────────────────
apiVersion: v1
kind: Secret
metadata:
name: platform-api-secrets
namespace: dezky-apps
type: Opaque
stringData:
# Mongo connection string for the in-cluster MongoDB (data tier namespace).
MONGODB_URI: "mongodb://USER:PASSWORD@mongo.dezky-data.svc.cluster.local:27017/dezky?authSource=admin"
# AES key used to encrypt stored scheduling credentials (e.g. CalDAV creds).
SCHEDULING_CREDENTIAL_KEY: "REPLACE_WITH_openssl_rand_hex_32"
# MUST equal the host's STALWART_ADMIN_PASSWORD (config.env on the AX41).
STALWART_ADMIN_PASSWORD: "REPLACE_WITH_SAME_AS_HOST"
# MUST equal the host's STALWART_WEBHOOK_SECRET (audit webhook HMAC).
STALWART_WEBHOOK_SECRET: "REPLACE_WITH_SAME_AS_HOST"
# Authentik admin API token (tenant/user provisioning). The Helm bootstrap
# token works: dezky-auth/authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN.
AUTHENTIK_API_TOKEN: "REPLACE_WITH_authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN"
# Tamper-evidence signing key for the audit hash chain. Rotating it closes
# the current segment — back it up alongside SCHEDULING_CREDENTIAL_KEY.
AUDIT_SIGNING_KEY: "REPLACE_WITH_openssl_rand_hex_32"
# Hetzner Object Storage IAM pair for audit cold storage. Not provisioned
# yet — keep the placeholders until the bucket exists (ARCHIVE_ENABLED is
# false in platform-api-config.yaml; the client only fails when used).
AUDIT_COLD_ACCESS_KEY: "not-configured"
AUDIT_COLD_SECRET_KEY: "not-configured"
# OCIS service-user password (files tier — not deployed in prod yet).
OCIS_SVC_PASSWORD: "not-configured"
---
apiVersion: v1
kind: Secret
metadata:
name: portal-secrets
namespace: dezky-apps
type: Opaque
stringData:
# Authentik OIDC client provisioned for the portal.
NUXT_OIDC_CLIENT_ID: "REPLACE"
NUXT_OIDC_CLIENT_SECRET: "REPLACE"
NUXT_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
# Public base URL of Authentik (used for login redirects + full sign-out).
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
# ── Runtime overrides for the BAKED OIDC provider config ────────────────
# The prod image is built in CI with no env, so nuxt.config bakes EMPTY
# client creds and .local URLs into runtimeConfig. Nitro only overrides
# runtimeConfig keys whose env name matches the config path —
# oidc.providers.oidc.* → NUXT_OIDC_PROVIDERS_OIDC_*. The plain
# NUXT_OIDC_* names above only work in dev (nuxt.config evaluated at
# runtime); production needs BOTH sets.
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "REPLACE_same_as_NUXT_OIDC_CLIENT_ID"
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-portal/end-session/"
NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-portal/.well-known/openid-configuration"
# Refresh-token encryption + auth-session secret — without them sessions
# die on every pod restart (random keys are generated per boot).
NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
# Shared session storage (server/plugins/session-storage.ts) — required for
# >1 replica and for sessions to survive deploys. Password = dezky-data
# redis-secret.REDIS_PASSWORD; db 1 keeps app sessions out of Authentik's
# keyspace.
SESSION_REDIS_URL: "redis://:REDIS_PASSWORD@redis.dezky-data.svc.cluster.local:6379/1"
---
apiVersion: v1
kind: Secret
metadata:
name: booking-secrets
namespace: dezky-apps
type: Opaque
stringData:
# Cloudflare Turnstile site key for the public booking form (public value,
# env-injected so it can rotate without a rebuild).
NUXT_PUBLIC_TURNSTILE_SITE_KEY: "REPLACE"
---
apiVersion: v1
kind: Secret
metadata:
name: operator-secrets
namespace: dezky-apps
type: Opaque
stringData:
# Authentik OIDC client provisioned for the operator (dezky-operator).
# NUXT_OIDC_CLIENT_SECRET MUST equal authentik-secret.OPERATOR_OIDC_CLIENT_SECRET.
NUXT_OIDC_CLIENT_ID: "dezky-operator"
NUXT_OIDC_CLIENT_SECRET: "REPLACE_WITH_authentik-secret.OPERATOR_OIDC_CLIENT_SECRET"
NUXT_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
# Public base URL of Authentik (used for login redirects + full sign-out).
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
# Runtime overrides for the baked OIDC provider config — see the portal
# section above for why production needs the NUXT_OIDC_PROVIDERS_OIDC_*
# names in addition to the plain ones.
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "dezky-operator"
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-operator/end-session/"
NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-operator/.well-known/openid-configuration"
NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
# Shared session storage — see the portal section above.
SESSION_REDIS_URL: "redis://:REDIS_PASSWORD@redis.dezky-data.svc.cluster.local:6379/1"
Reference in New Issue View Git Blame Copy Permalink