Ronni Baslund
22b2583f0b
O.0 prep from OPERATOR-PLAN.md. Mechanical refactor before adding partner management and operator-specific endpoints. The service now owns more than just provisioning orchestration (it'll soon own partners, tenant lifecycle actions, multi-audience JWT validation), so the name 'platform-api' reflects its scope better. What changed: - Directory: services/provisioning/ -> services/platform-api/ - Package: @dezky/provisioning -> @dezky/platform-api - Docker: container_name dezky-provisioning -> dezky-platform-api; compose service key 'provisioning' -> 'platform-api'; volume provisioning_node_modules -> platform_api_node_modules - Portal: PROVISIONING_INTERNAL_URL env var -> PLATFORM_API_INTERNAL_URL, default URL http://provisioning:3001 -> http://platform-api:3001 in all three proxy routes (me.get.ts, tenants/index.post.ts, tenants/[slug]/ reconcile.post.ts), plus NUXT_API_BASE updated - Health endpoint service identifier and main.ts log lines updated to 'dezky-platform-api' - Docs swept: README, CLAUDE.md, SERVICES.md, AUTHENTIK-SETUP.md, NEXT-STEPS.md, TROUBLESHOOTING.md, OPERATOR-PLAN.md, traefik/dynamic.yml What deliberately stays: - Internal module names ProvisioningService / ProvisioningModule (those describe an orchestration sub-concern, not the service's purpose) - Tenant.provisioningStatus / provisioningErrors field names (state per integration, not service name) - File services/platform-api/src/tenants/provisioning.service.ts - 'Hetzner provisioning' references in production-prep docs (infrastructure provisioning, unrelated) Verified end-to-end after rename: /api/me returns 200 with profile + 2 tenants + subscription, /api/tenants/dezky/reconcile returns 200 with Authentik integration still ok. OPERATOR-PLAN.md O.0 checkboxes ticked.
52 lines
1.4 KiB
YAML
52 lines
1.4 KiB
YAML
# Traefik dynamic configuration — TLS certificates and middleware
|
|
#
|
|
# Uses the wildcard mkcert certificate for all *.dezky.local hostnames.
|
|
# This file is watched and reloaded automatically by Traefik.
|
|
|
|
tls:
|
|
certificates:
|
|
- certFile: /certs/dezky.local.pem
|
|
keyFile: /certs/dezky.local-key.pem
|
|
stores:
|
|
- default
|
|
|
|
stores:
|
|
default:
|
|
defaultCertificate:
|
|
certFile: /certs/dezky.local.pem
|
|
keyFile: /certs/dezky.local-key.pem
|
|
|
|
http:
|
|
middlewares:
|
|
# Strong security headers for all services
|
|
secure-headers:
|
|
headers:
|
|
frameDeny: false # OCIS/Collabora need iframes
|
|
sslRedirect: true
|
|
browserXssFilter: true
|
|
contentTypeNosniff: true
|
|
forceSTSHeader: true
|
|
stsIncludeSubdomains: true
|
|
stsPreload: true
|
|
stsSeconds: 15552000
|
|
customFrameOptionsValue: "SAMEORIGIN"
|
|
|
|
# CORS for API calls between portal and platform-api
|
|
cors:
|
|
headers:
|
|
accessControlAllowMethods:
|
|
- "GET"
|
|
- "POST"
|
|
- "PUT"
|
|
- "PATCH"
|
|
- "DELETE"
|
|
- "OPTIONS"
|
|
accessControlAllowOriginListRegex:
|
|
- "^https://([a-z0-9-]+\\.)?dezky\\.local$"
|
|
accessControlAllowHeaders:
|
|
- "Content-Type"
|
|
- "Authorization"
|
|
- "X-Requested-With"
|
|
accessControlMaxAge: 86400
|
|
addVaryHeader: true
|