Ronni Baslund
559348f6bc
Security & audit (admin) - Audit log: real, tenant-scoped — widened GET /tenants/:slug/audit with q/action/outcome/actorEmail/since/before; UI gains search, outcome + time filters, action chips, cursor pagination, and client-side CSV export. - Security policy: new tenant.securityPolicy (mfaMode, session idle/absolute, allowedCountries, ipAllowlist) + PATCH /tenants/:slug/security-policy (membership-gated, audited). Editable, labelled by enforcement status. - MFA: live enrollment overview via GET /tenants/:slug/mfa-status (Authentik countAuthenticators per member). - SSO apps (Dezky as IdP): real Authentik OIDC provider + application CRUD, scoped to the tenant group. New AuthentikClient methods (provider/app/binding + flow/key/scope discovery), TenantSsoApp schema, TenantSsoService (rollback on partial failure; client secret never stored), GET/POST/DELETE /tenants/:slug/sso-apps. Validated end-to-end against live Authentik. - Deferred: shared-flow MFA/geo/session enforcement (global auth-flow blast radius) — to be done as its own reviewed change. Bundled in-progress work that shares the same files (kept together so the tree stays green): - Storage page: StorageService + GET /tenants/:slug/storage (OCIS-backed), storage.get proxy, storage.vue. - Per-tenant roles: User.tenantRoles + MeProfile.tenantRoles plumbing.
66 lines
4.2 KiB
Bash
66 lines
4.2 KiB
Bash
# ─────────────────────────────────────────────────────────────────
|
|
# Dezky Local Development — Environment Variables
|
|
# ─────────────────────────────────────────────────────────────────
|
|
#
|
|
# Copy this file to .env and fill in the values.
|
|
# Generate secure random values with: openssl rand -hex 32
|
|
#
|
|
# DO NOT commit .env to git.
|
|
# ─────────────────────────────────────────────────────────────────
|
|
|
|
# ────────────────────────────────────────
|
|
# Database root passwords
|
|
# ────────────────────────────────────────
|
|
POSTGRES_ROOT_PASSWORD=changeme_use_openssl_rand
|
|
MONGO_ROOT_PASSWORD=changeme_use_openssl_rand
|
|
REDIS_PASSWORD=changeme_use_openssl_rand
|
|
|
|
# ────────────────────────────────────────
|
|
# Per-service DB passwords
|
|
# ────────────────────────────────────────
|
|
AUTHENTIK_DB_PASSWORD=changeme_use_openssl_rand
|
|
OCIS_DB_PASSWORD=changeme_use_openssl_rand
|
|
|
|
# ────────────────────────────────────────
|
|
# Authentik
|
|
# ────────────────────────────────────────
|
|
# AUTHENTIK_SECRET_KEY must be 50+ chars
|
|
AUTHENTIK_SECRET_KEY=changeme_run_openssl_rand_hex_50
|
|
AUTHENTIK_BOOTSTRAP_PASSWORD=admin_change_this_after_first_login
|
|
# AUTHENTIK_BOOTSTRAP_TOKEN is used by the provisioning service to call Authentik API
|
|
AUTHENTIK_BOOTSTRAP_TOKEN=changeme_use_openssl_rand_hex_32
|
|
|
|
# ────────────────────────────────────────
|
|
# Operator OIDC (dezky-operator)
|
|
# ────────────────────────────────────────
|
|
# The operator app differs from the portal: its OAuth provider is provisioned
|
|
# declaratively by the operator-application blueprint, which CONSUMES the secret
|
|
# below (rather than Authentik generating one for you to copy out). You must set
|
|
# a value BEFORE first boot — on a fresh environment the blueprint creates the
|
|
# provider with exactly this secret, and the operator container authenticates
|
|
# with the same value, so the two only agree if it's set here first.
|
|
# Generate with: openssl rand -hex 64
|
|
OPERATOR_OIDC_CLIENT_ID=dezky-operator
|
|
OPERATOR_OIDC_CLIENT_SECRET=changeme_run_openssl_rand_hex_64
|
|
|
|
# ────────────────────────────────────────
|
|
# Stalwart Mail
|
|
# ────────────────────────────────────────
|
|
STALWART_ADMIN_PASSWORD=changeme_use_openssl_rand
|
|
|
|
# ────────────────────────────────────────
|
|
# OCIS
|
|
# ────────────────────────────────────────
|
|
OCIS_ADMIN_PASSWORD=changeme_use_openssl_rand
|
|
# Dedicated OCIS service user (Authentik) used by platform-api to read drive
|
|
# quotas for the Storage page via an OIDC password grant. Must exist in
|
|
# Authentik, have access to the OCIS application, and hold the OCIS admin role
|
|
# (required to list all drives). See docs/NEXT-STEPS.md.
|
|
OCIS_SVC_USERNAME=svc-platform-api
|
|
OCIS_SVC_PASSWORD=changeme_use_openssl_rand
|
|
|
|
# ────────────────────────────────────────
|
|
# Collabora
|
|
# ────────────────────────────────────────
|
|
COLLABORA_ADMIN_PASSWORD=changeme_use_openssl_rand
|