Ronni Baslund
c60937c5cb
ci / build (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / build (map[dir:apps/operator name:operator]) (push) Has been cancelled
ci / build (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / build (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / deploy (push) Has been cancelled
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / typecheck (map[dir:apps/operator name:operator]) (push) Has been cancelled
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
Push to main = release: after build, a deploy job pins each app image to the commit SHA (kustomize edit set image), kubectl-applies fleet/apps and waits for the rollouts. The runner already runs in-cluster, so it reaches the API server on the in-cluster service IP with a kubeconfig for the new ci-deployer ServiceAccount (namespace-scoped admin, KUBECONFIG_B64 repo secret). The drafted Flux sync/image-automation layer is removed — a GitOps controller plus bot tag-bump commits is more machinery than a single-node cluster needs. Sortable image tags and $imagepolicy markers go with it. Also: per-router ACME-safe HTTP->HTTPS redirects for the app ingresses, platform-api prod config completed (Authentik JWT/JWKS + admin API, Stalwart via the cni0 gateway IP, OCIS/cold-storage placeholders until those tiers exist) and the secrets template/README updated to match.
83 lines
3.9 KiB
YAML
83 lines
3.9 KiB
YAML
# ─────────────────────────────────────────────────────────────────────────
|
|
# Secret TEMPLATE — DO NOT COMMIT REAL VALUES.
|
|
#
|
|
# These are placeholders. In production, manage the real Secrets out-of-band
|
|
# (sealed-secrets / SOPS / Rancher secret store), NOT in git. Copy this file,
|
|
# fill in real values, and apply it separately — or render SealedSecrets from
|
|
# it. The Deployments reference these Secrets by name via envFrom.
|
|
#
|
|
# Generate strong values with: openssl rand -hex 32
|
|
# ─────────────────────────────────────────────────────────────────────────
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: platform-api-secrets
|
|
namespace: dezky-apps
|
|
type: Opaque
|
|
stringData:
|
|
# Mongo connection string for the in-cluster MongoDB (data tier namespace).
|
|
MONGODB_URI: "mongodb://USER:PASSWORD@mongo.dezky-data.svc.cluster.local:27017/dezky?authSource=admin"
|
|
# AES key used to encrypt stored scheduling credentials (e.g. CalDAV creds).
|
|
SCHEDULING_CREDENTIAL_KEY: "REPLACE_WITH_openssl_rand_hex_32"
|
|
# MUST equal the host's STALWART_ADMIN_PASSWORD (config.env on the AX41).
|
|
STALWART_ADMIN_PASSWORD: "REPLACE_WITH_SAME_AS_HOST"
|
|
# MUST equal the host's STALWART_WEBHOOK_SECRET (audit webhook HMAC).
|
|
STALWART_WEBHOOK_SECRET: "REPLACE_WITH_SAME_AS_HOST"
|
|
# Authentik admin API token (tenant/user provisioning). The Helm bootstrap
|
|
# token works: dezky-auth/authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN.
|
|
AUTHENTIK_API_TOKEN: "REPLACE_WITH_authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN"
|
|
# Tamper-evidence signing key for the audit hash chain. Rotating it closes
|
|
# the current segment — back it up alongside SCHEDULING_CREDENTIAL_KEY.
|
|
AUDIT_SIGNING_KEY: "REPLACE_WITH_openssl_rand_hex_32"
|
|
# Hetzner Object Storage IAM pair for audit cold storage. Not provisioned
|
|
# yet — keep the placeholders until the bucket exists (ARCHIVE_ENABLED is
|
|
# false in platform-api-config.yaml; the client only fails when used).
|
|
AUDIT_COLD_ACCESS_KEY: "not-configured"
|
|
AUDIT_COLD_SECRET_KEY: "not-configured"
|
|
# OCIS service-user password (files tier — not deployed in prod yet).
|
|
OCIS_SVC_PASSWORD: "not-configured"
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: portal-secrets
|
|
namespace: dezky-apps
|
|
type: Opaque
|
|
stringData:
|
|
# Authentik OIDC client provisioned for the portal.
|
|
NUXT_OIDC_CLIENT_ID: "REPLACE"
|
|
NUXT_OIDC_CLIENT_SECRET: "REPLACE"
|
|
NUXT_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
|
|
# Public base URL of Authentik (used for login redirects + full sign-out).
|
|
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
|
|
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
|
|
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: booking-secrets
|
|
namespace: dezky-apps
|
|
type: Opaque
|
|
stringData:
|
|
# Cloudflare Turnstile site key for the public booking form (public value,
|
|
# env-injected so it can rotate without a rebuild).
|
|
NUXT_PUBLIC_TURNSTILE_SITE_KEY: "REPLACE"
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: operator-secrets
|
|
namespace: dezky-apps
|
|
type: Opaque
|
|
stringData:
|
|
# Authentik OIDC client provisioned for the operator (dezky-operator).
|
|
# NUXT_OIDC_CLIENT_SECRET MUST equal authentik-secret.OPERATOR_OIDC_CLIENT_SECRET.
|
|
NUXT_OIDC_CLIENT_ID: "dezky-operator"
|
|
NUXT_OIDC_CLIENT_SECRET: "REPLACE_WITH_authentik-secret.OPERATOR_OIDC_CLIENT_SECRET"
|
|
NUXT_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
|
|
# Public base URL of Authentik (used for login redirects + full sign-out).
|
|
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
|
|
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
|
|
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
|