dezky/.env.example
Ronni Baslund 47eb9502f8 feat(platform): real email domains, mailboxes & member lifecycle
Wire the mail/identity stack to real Stalwart/Authentik/OCIS provisioning,
replacing the mocked Domains and Users pages.

Domains (customer-admin):
- StalwartClient: real JMAP management (v0.16 dropped REST) — create/list/delete
  email domains via x:Domain at the internal http://stalwart:8080 listener;
  DKIM auto-generated; the records to publish are read from the domain's
  dnsZoneFile. Gated by STALWART_PROVISIONING_ENABLED.
- New Domain collection + DomainsModule: add/list/recheck/set-DMARC/remove,
  tenant-membership-gated and audited.
- DnsVerifierService: verifies MX/SPF/DKIM/DMARC/ownership against a public
  resolver (1.1.1.1/8.8.8.8) and diffs them against the expected records.
- Remove is guarded: refuses while accounts/aliases/mailing lists still use the
  domain (via Stalwart referential integrity).
- Domains page + add wizard on real data; sidebar badge counts domains needing
  attention.

Users & groups (customer-admin):
- Create a member provisioned across Authentik SSO, a Stalwart mailbox on the
  tenant's primary domain, and OCIS — returning a one-time password.
- Lifecycle: suspend/resume (Authentik is_active + freeze the mailbox via
  account permissions, original password preserved), force-logout (terminate
  sessions, filtered client-side so it can never end other users' sessions),
  reset password (new one-time password on SSO + mailbox), and remove (tear down
  mailbox + SSO identity + OCIS + doc; mailbox-in-use aware for multi-tenant
  users). Self-suspend / self-force-logout are blocked.

Infra: point platform-api at the internal Stalwart listener; document the new
STALWART_/provisioning vars in .env.example.
2026-06-01 21:19:42 +02:00


# ─────────────────────────────────────────────────────────────────
# Dezky Local Development — Environment Variables
# ─────────────────────────────────────────────────────────────────
#
# Copy this file to .env and fill in the values.
# Generate secure random values with: openssl rand -hex 32
#
# DO NOT commit .env to git.
# ─────────────────────────────────────────────────────────────────
# ────────────────────────────────────────
# Database root passwords
# ────────────────────────────────────────
POSTGRES_ROOT_PASSWORD=changeme_use_openssl_rand
MONGO_ROOT_PASSWORD=changeme_use_openssl_rand
REDIS_PASSWORD=changeme_use_openssl_rand
# ────────────────────────────────────────
# Per-service DB passwords
# ────────────────────────────────────────
AUTHENTIK_DB_PASSWORD=changeme_use_openssl_rand
OCIS_DB_PASSWORD=changeme_use_openssl_rand
# ────────────────────────────────────────
# Authentik
# ────────────────────────────────────────
# AUTHENTIK_SECRET_KEY must be 50+ chars
AUTHENTIK_SECRET_KEY=changeme_run_openssl_rand_hex_50
AUTHENTIK_BOOTSTRAP_PASSWORD=admin_change_this_after_first_login
# AUTHENTIK_BOOTSTRAP_TOKEN is used by the provisioning service to call Authentik API
AUTHENTIK_BOOTSTRAP_TOKEN=changeme_use_openssl_rand_hex_32
# ────────────────────────────────────────
# Operator OIDC (dezky-operator)
# ────────────────────────────────────────
# The operator app differs from the portal: its OAuth provider is provisioned
# declaratively by the operator-application blueprint, which CONSUMES the secret
# below (rather than Authentik generating one for you to copy out). You must set
# a value BEFORE first boot — on a fresh environment the blueprint creates the
# provider with exactly this secret, and the operator container authenticates
# with the same value, so the two only agree if it's set here first.
# Generate with: openssl rand -hex 64
OPERATOR_OIDC_CLIENT_ID=dezky-operator
OPERATOR_OIDC_CLIENT_SECRET=changeme_run_openssl_rand_hex_64
# ────────────────────────────────────────
# Stalwart Mail
# ────────────────────────────────────────
# Fallback admin login (config.toml authentication.fallback-admin). platform-api
# uses admin + this password for Basic auth on the JMAP management API.
STALWART_ADMIN_USER=admin
STALWART_ADMIN_PASSWORD=changeme_use_openssl_rand
# HMAC secret Stalwart signs its audit webhook POSTs with (verified by
# platform-api at /ingest/stalwart/webhook). openssl rand -hex 32
STALWART_WEBHOOK_SECRET=changeme_use_openssl_rand_hex_32
# Set true to let platform-api create/delete domains + DKIM in Stalwart from the
# customer-admin Domains page. Off by default (domain steps record 'skipped').
STALWART_PROVISIONING_ENABLED=false
# ────────────────────────────────────────
# OCIS
# ────────────────────────────────────────
OCIS_ADMIN_PASSWORD=changeme_use_openssl_rand
# Dedicated OCIS service user (Authentik) used by platform-api to read drive
# quotas for the Storage page via an OIDC password grant. Must exist in
# Authentik, have access to the OCIS application, and hold the OCIS admin role
# (required to list all drives). See docs/NEXT-STEPS.md.
OCIS_SVC_USERNAME=svc-platform-api
OCIS_SVC_PASSWORD=changeme_use_openssl_rand
# OCIS account UUID of the service user, used to grant it the OCIS admin role at
# startup (required for libregraph ListAllDrives). Populate after the OCIS
# bootstrap autoprovisions the account (see docs/NEXT-STEPS.md). Leave empty
# until then.
OCIS_ADMIN_USER_ID=
# ────────────────────────────────────────
# Collabora
# ────────────────────────────────────────
COLLABORA_ADMIN_PASSWORD=changeme_use_openssl_rand
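A preflight check of a filled-in .env against the constraints this file states (no secret left at a placeholder, AUTHENTIK_SECRET_KEY 50+ chars, the operator OIDC secret present before the blueprint consumes it at first boot, OCIS_ADMIN_USER_ID allowed to stay empty until the OCIS bootstrap has run). This is an added example, not a script from the Dezky repository; the required-variable list, the placeholder patterns and the two sample files are assumptions drawn from the file above.

```shell
#!/bin/sh
# check_env: refuse to boot with placeholder or too-short secrets in .env.
# Added example (not part of the Dezky repo); the REQUIRED list mirrors the
# secret-bearing variables in .env.example above.

REQUIRED="POSTGRES_ROOT_PASSWORD MONGO_ROOT_PASSWORD REDIS_PASSWORD
AUTHENTIK_DB_PASSWORD OCIS_DB_PASSWORD AUTHENTIK_SECRET_KEY
AUTHENTIK_BOOTSTRAP_PASSWORD AUTHENTIK_BOOTSTRAP_TOKEN OPERATOR_OIDC_CLIENT_SECRET
STALWART_ADMIN_PASSWORD STALWART_WEBHOOK_SECRET OCIS_ADMIN_PASSWORD
OCIS_SVC_PASSWORD COLLABORA_ADMIN_PASSWORD"

# read_var FILE NAME: print NAME's value from FILE (last assignment wins).
read_var() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_env FILE: print one line per problem; exit 0 only if there are none.
check_env() {
  problems=0
  for name in $REQUIRED; do
    value=$(read_var "$1" "$name")
    case "$value" in
      "") echo "$name: missing or empty"; problems=$((problems + 1)) ;;
      *changeme*|*change_this*) echo "$name: still a placeholder"; problems=$((problems + 1)) ;;
    esac
  done
  # AUTHENTIK_SECRET_KEY must be 50+ chars (stated in .env.example).
  key=$(read_var "$1" AUTHENTIK_SECRET_KEY)
  if [ "${#key}" -lt 50 ]; then
    echo "AUTHENTIK_SECRET_KEY: must be 50+ chars (got ${#key})"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Constructed sample files (not real secrets): one fully filled, one half-done.
TMP=$(mktemp -d)
GOOD="$TMP/good.env"; BAD="$TMP/bad.env"
FILL=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
: > "$GOOD"
for name in $REQUIRED; do echo "$name=$FILL" >> "$GOOD"; done
echo "OCIS_ADMIN_USER_ID=" >> "$GOOD"   # legitimately empty before OCIS bootstrap
printf '%s\n' "AUTHENTIK_SECRET_KEY=tooshort" \
  "STALWART_WEBHOOK_SECRET=changeme_use_openssl_rand_hex_32" > "$BAD"

if check_env "$GOOD"; then echo "good.env: ok"; fi
check_env "$BAD" || echo "bad.env: refusing to boot"
```

Run it as `check_env .env` from a compose wrapper before `docker compose up`; a non-zero exit stops the stack from starting with the example's defaults.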