Ronni Baslund
adfd9baafe
Brings up Dezky's local development environment end-to-end: Infrastructure (docker-compose): - Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54) - Postgres + Mongo + Redis with healthchecks and init script for per-service users - Authentik 2025.10 (server + worker) as OIDC IdP - Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server) - OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes where the server reads - Collabora office, plus the portal + provisioning service stubs - Docker network aliases on Traefik so containers resolve auth.dezky.local etc. through the network (not host /etc/hosts) - Docker socket mount parameterized for macOS Docker Desktop symlink path Authentik provisioning (done via API after stack boot): - ocis-provider (public client) + OCIS Files application - dezky-portal provider (confidential) + Dezky Portal application - Admin API token bound to akadmin manually since 2025.10's AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row Portal (apps/portal): - Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset - Global auth middleware; login at /auth/oidc/login redirects to Authentik - Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark, Auth* sub-components, design tokens as CSS custom properties - Pages: auth/login, auth/expired, auth/disabled, index (post-login landing) - mkcert root CA mounted into the portal so Node fetch trusts Authentik's self-signed cert (NODE_EXTRA_CA_CERTS) — dev only Docs: - AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted alternative - NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and dev-mode caveats Dev-mode shortcuts that need to be revisited before prod: - skipAccessTokenParsing on the OIDC config - NODE_EXTRA_CA_CERTS mkcert mount - Bootstrap password still the generated value in .env - Authentik admin token (dezky-bootstrap-token) is non-expiring
92 lines
5.2 KiB
TOML
92 lines
5.2 KiB
TOML
# Stalwart Mail Server — Local Development Configuration
|
|
#
|
|
# This is a minimal config for local dev. Production config will have:
|
|
# - Real TLS certs (Let's Encrypt)
|
|
# - DKIM signing with real keys
|
|
# - SPF/DMARC enforcement
|
|
# - Rspamd integration
|
|
# - Hetzner Object Storage for blob storage
|
|
#
|
|
# Reference: https://stalw.art/docs
|
|
|
|
[server]
|
|
hostname = "mail.dezky.local"
|
|
|
|
[server.listener]
|
|
"smtp" = { bind = "[::]:25", protocol = "smtp" }
|
|
"submission" = { bind = "[::]:587", protocol = "smtp", tls.implicit = false }
|
|
"submissions" = { bind = "[::]:465", protocol = "smtp", tls.implicit = true }
|
|
"imap" = { bind = "[::]:143", protocol = "imap", tls.implicit = false }
|
|
"imaps" = { bind = "[::]:993", protocol = "imap", tls.implicit = true }
|
|
"sieve" = { bind = "[::]:4190", protocol = "managesieve" }
|
|
"http" = { bind = "[::]:8080", protocol = "http" }
|
|
|
|
# ─────────────────────────────────────────────────────────────────
|
|
# Storage — RocksDB embedded for local dev (single-binary simplicity)
|
|
# Production will use PostgreSQL backend
|
|
# ─────────────────────────────────────────────────────────────────
|
|
[store."rocksdb"]
|
|
type = "rocksdb"
|
|
path = "/opt/stalwart/data"
|
|
compression = "lz4"
|
|
|
|
[storage]
|
|
data = "rocksdb"
|
|
fts = "rocksdb"
|
|
blob = "rocksdb"
|
|
lookup = "rocksdb"
|
|
directory = "internal"
|
|
|
|
# ─────────────────────────────────────────────────────────────────
|
|
# Directory — internal user store for local dev
|
|
# Production will wire OIDC to Authentik
|
|
# ─────────────────────────────────────────────────────────────────
|
|
[directory."internal"]
|
|
type = "internal"
|
|
store = "rocksdb"
|
|
|
|
# ─────────────────────────────────────────────────────────────────
|
|
# TLS — Self-signed in dev, Traefik terminates the public-facing HTTPS
|
|
# ─────────────────────────────────────────────────────────────────
|
|
[certificate."default"]
|
|
cert = "%{file:/opt/stalwart/etc/tls/cert.pem}%"
|
|
private-key = "%{file:/opt/stalwart/etc/tls/key.pem}%"
|
|
default = true
|
|
|
|
# ─────────────────────────────────────────────────────────────────
|
|
# Authentication for local development
|
|
# ─────────────────────────────────────────────────────────────────
|
|
[authentication]
|
|
fallback-admin.user = "admin"
|
|
fallback-admin.secret = "$env{STALWART_ADMIN_PASSWORD}"
|
|
|
|
# ─────────────────────────────────────────────────────────────────
|
|
# Resolver — use the Docker DNS for local dev
|
|
# ─────────────────────────────────────────────────────────────────
|
|
[resolver]
|
|
type = "system"
|
|
preserve-intermediates = true
|
|
concurrency = 2
|
|
|
|
# ─────────────────────────────────────────────────────────────────
|
|
# Logging
|
|
# ─────────────────────────────────────────────────────────────────
|
|
[tracer."stdout"]
|
|
type = "stdout"
|
|
level = "info"
|
|
ansi = false
|
|
enable = true
|
|
|
|
# ─────────────────────────────────────────────────────────────────
|
|
# Spam filtering — disabled in dev (no Rspamd configured)
|
|
# Production: integrate Rspamd via milter
|
|
# ─────────────────────────────────────────────────────────────────
|
|
[spam-filter]
|
|
enable = false
|
|
|
|
# ─────────────────────────────────────────────────────────────────
|
|
# Local development hint:
|
|
# After first boot, create your first mailbox by visiting
|
|
# https://mail.dezky.local and using admin credentials.
|
|
# ─────────────────────────────────────────────────────────────────
|