dezky/infrastructure/production/fleet/apps/platform-api-config.yaml
Ronni Baslund a43a172449
feat(domains): reserve the platform namespace + one workspace per domain
dezky.eu doubles as the platform's infrastructure domain AND the company's
own employee mail domain (added to the dezky tenant via the normal Domains
flow). Guard rails in DomainsService.add:
- a domain already used by ANY other workspace is rejected — Stalwart's
  idempotent ensureDomain would otherwise silently share one mail domain
  (and its mailboxes) between tenants
- the PLATFORM_TENANT_DOMAIN apex is claimable only by the dezky tenant;
  everything under it (per-tenant service domains, auth/api/mail/* infra
  hosts) is reserved outright

Set PLATFORM_TENANT_DOMAIN=dezky.eu in the prod ConfigMap (was unset, so
prod service domains would have been {slug}.dezky.local) and align the
seeded dezky tenant's display domain with the environment.
2026-06-10 20:15:46 +02:00
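The two guard rails the commit message describes, modelled as a pure check so they can be exercised without a database. This is an added example, not the repository's DomainsService; the record shape, the `platformTenantId` parameter and the reason strings are assumptions, and the apex is matched per DNS label so `notdezky.eu` is not mistaken for something under `dezky.eu`.

```typescript
// Added example (not the project's code). Models DomainsService.add's guard
// rails from the commit message; names and reason strings are assumed.
type DomainRecord = { domain: string; workspaceId: string };

interface ClaimCheckInput {
  domain: string;               // domain the caller wants to attach
  workspaceId: string;          // workspace making the request
  platformTenantId: string;     // the one tenant allowed to own the apex (assumed id)
  platformTenantDomain: string; // PLATFORM_TENANT_DOMAIN, e.g. "dezky.eu"
  existing: DomainRecord[];     // domains already attached to any workspace
}

type ClaimResult = { ok: true; domain: string } | { ok: false; reason: string };

// Canonical form: lowercase, trimmed, no trailing dot. Without this
// "Dezky.EU." would slip past a naive string comparison of the apex.
function normalizeDomain(d: string): string {
  return d.trim().toLowerCase().replace(/\.$/, "");
}

// Label-aware suffix test: "api.dezky.eu" is under "dezky.eu",
// "notdezky.eu" is not (endsWith on the bare apex would accept it).
function isUnder(domain: string, apex: string): boolean {
  return domain.endsWith("." + apex);
}

function checkDomainClaim(input: ClaimCheckInput): ClaimResult {
  const domain = normalizeDomain(input.domain);
  const apex = normalizeDomain(input.platformTenantDomain);
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) {
    return { ok: false, reason: "invalid domain" };
  }
  // Rail 1: a domain owned by ANY other workspace is rejected, so the
  // idempotent ensureDomain can never share one mail domain between tenants.
  // Re-adding a domain the same workspace already owns stays allowed.
  const owner = input.existing.find((r) => normalizeDomain(r.domain) === domain);
  if (owner && owner.workspaceId !== input.workspaceId) {
    return { ok: false, reason: "domain already used by another workspace" };
  }
  // Rail 2: the apex is claimable only by the platform tenant, and nothing
  // beneath it may be added as a customer domain by anyone.
  if (domain === apex && input.workspaceId !== input.platformTenantId) {
    return { ok: false, reason: "platform apex is reserved" };
  }
  if (isUnder(domain, apex)) {
    return { ok: false, reason: "platform namespace is reserved" };
  }
  return { ok: true, domain };
}
```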


# Non-secret runtime config for platform-api. Cluster-internal service
# addresses and integration toggles. Secrets (Mongo URI, credential key,
# Stalwart password, webhook secret) live in the platform-api-secrets Secret.
apiVersion: v1
kind: ConfigMap
metadata:
  name: platform-api-config
  namespace: dezky-apps
  labels:
    app.kubernetes.io/name: platform-api
data:
  # Stalwart runs on the HOST (not k3s). Pods reach it via the cni0 gateway IP
  # on the JMAP management port; the firewall lets the pod CIDR through.
  STALWART_API_URL: "http://10.42.0.1:8080"
  STALWART_ADMIN_USER: "admin"
  STALWART_PROVISIONING_ENABLED: "true"
  # Base for per-tenant service mail domains ({slug}.dezky.eu) AND the
  # reserved namespace for customer domains: only the dezky tenant may claim
  # the apex; nothing under it can be added as a customer domain.
  PLATFORM_TENANT_DOMAIN: "dezky.eu"
  # JWT validation for portal/operator-issued access tokens. Public Authentik
  # URLs on purpose: the token `iss` claim is the public URL, and the pod can
  # hairpin to it through the node's public IP.
  AUTHENTIK_ISSUER: "https://auth.dezky.eu/application/o/dezky-portal/,https://auth.dezky.eu/application/o/dezky-operator/"
  AUTHENTIK_AUDIENCE: "dezky-portal,dezky-operator"
  AUTHENTIK_JWKS_URI: "https://auth.dezky.eu/application/o/dezky-portal/jwks/"
  AUTHENTIK_API_URL: "https://auth.dezky.eu/api/v3"
  # OCIS is not deployed in production yet. The client is instantiated at boot
  # (so the URL must exist) but only fails when a files feature is actually
  # used. Swap to the real URL when the files tier lands.
  OCIS_API_URL: "https://files.dezky.eu"
  OCIS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
  OCIS_OIDC_CLIENT_ID: "ocis-web"
  OCIS_SVC_USERNAME: "svc-platform-api"
  # Audit cold storage (Hetzner Object Storage) is not provisioned yet —
  # archive stays off; the S3 client boots against the placeholder endpoint.
  AUDIT_COLD_ENDPOINT: "https://fsn1.your-objectstorage.com"
  AUDIT_COLD_REGION: "fsn1"
  AUDIT_COLD_BUCKET: "dezky-audit"
  AUDIT_HOT_RETENTION_DAYS: "90"
  ARCHIVE_ENABLED: "false"
  # Stripe billing dark-launched off in prod until live keys are wired.
  BILLING_STRIPE_ENABLED: "false"
  BOOKING_PUBLIC_URL: "https://booking.dezky.eu"
  MEET_PUBLIC_URL: "https://meet.dezky.eu"
  # Infrastructure health-probe targets (operator → /health/platform). The
  # code defaults are docker-compose hostnames; these are the k3s addresses.
  # "disabled" omits a service from the report until that tier is deployed.
  HEALTH_STALWART_HOSTPORT: "10.42.0.1:8080"
  HEALTH_AUTHENTIK_URL: "http://authentik-server.dezky-auth.svc.cluster.local/-/health/ready/"
  HEALTH_POSTGRES_HOSTPORT: "postgres.dezky-data.svc.cluster.local:5432"
  HEALTH_REDIS_HOSTPORT: "redis.dezky-data.svc.cluster.local:6379"
  HEALTH_TRAEFIK_HOSTPORT: "traefik.kube-system.svc.cluster.local:80"
  HEALTH_OCIS_URL: "disabled"
  HEALTH_COLLABORA_URL: "disabled"