Ronni Baslund
adfd9baafe
Brings up Dezky's local development environment end-to-end: Infrastructure (docker-compose): - Traefik v3.7 reverse proxy with mkcert TLS (v3.2 couldn't speak Docker API 1.54) - Postgres + Mongo + Redis with healthchecks and init script for per-service users - Authentik 2025.10 (server + worker) as OIDC IdP - Stalwart v0.16 mail server (image renamed from stalwartlabs/mail-server) - OCIS 7.0 with PROXY_TLS=false and OCIS_CONFIG_DIR=/etc/ocis so init writes where the server reads - Collabora office, plus the portal + provisioning service stubs - Docker network aliases on Traefik so containers resolve auth.dezky.local etc. through the network (not host /etc/hosts) - Docker socket mount parameterized for macOS Docker Desktop symlink path Authentik provisioning (done via API after stack boot): - ocis-provider (public client) + OCIS Files application - dezky-portal provider (confidential) + Dezky Portal application - Admin API token bound to akadmin manually since 2025.10's AUTHENTIK_BOOTSTRAP_TOKEN env var doesn't auto-materialize a token row Portal (apps/portal): - Nuxt 3 with nuxt-oidc-auth 1.0.0-beta.11 against generic 'oidc' preset - Global auth middleware; login at /auth/oidc/login redirects to Authentik - Visual implementation of Claude Design 'Auth' canvas: AuthShell, NodeMark, Auth* sub-components, design tokens as CSS custom properties - Pages: auth/login, auth/expired, auth/disabled, index (post-login landing) - mkcert root CA mounted into the portal so Node fetch trusts Authentik's self-signed cert (NODE_EXTRA_CA_CERTS) — dev only Docs: - AUTHENTIK-SETUP.md updated with manual token bind + portal provider scripted alternative - NEXT-STEPS.md: Phase 1 and Phase 2 marked done with file locations and dev-mode caveats Dev-mode shortcuts that need to be revisited before prod: - skipAccessTokenParsing on the OIDC config - NODE_EXTRA_CA_CERTS mkcert mount - Bootstrap password still the generated value in .env - Authentik admin token (dezky-bootstrap-token) is non-expiring
52 lines
1.4 KiB
YAML
52 lines
1.4 KiB
YAML
# Traefik dynamic configuration — TLS certificates and middleware
|
|
#
|
|
# Uses the wildcard mkcert certificate for all *.dezky.local hostnames.
|
|
# This file is watched and reloaded automatically by Traefik.
|
|
|
|
tls:
|
|
certificates:
|
|
- certFile: /certs/dezky.local.pem
|
|
keyFile: /certs/dezky.local-key.pem
|
|
stores:
|
|
- default
|
|
|
|
stores:
|
|
default:
|
|
defaultCertificate:
|
|
certFile: /certs/dezky.local.pem
|
|
keyFile: /certs/dezky.local-key.pem
|
|
|
|
http:
|
|
middlewares:
|
|
# Strong security headers for all services
|
|
secure-headers:
|
|
headers:
|
|
frameDeny: false # OCIS/Collabora need iframes
|
|
sslRedirect: true
|
|
browserXssFilter: true
|
|
contentTypeNosniff: true
|
|
forceSTSHeader: true
|
|
stsIncludeSubdomains: true
|
|
stsPreload: true
|
|
stsSeconds: 15552000
|
|
customFrameOptionsValue: "SAMEORIGIN"
|
|
|
|
# CORS for API calls between portal and provisioning service
|
|
cors:
|
|
headers:
|
|
accessControlAllowMethods:
|
|
- "GET"
|
|
- "POST"
|
|
- "PUT"
|
|
- "PATCH"
|
|
- "DELETE"
|
|
- "OPTIONS"
|
|
accessControlAllowOriginListRegex:
|
|
- "^https://([a-z0-9-]+\\.)?dezky\\.local$"
|
|
accessControlAllowHeaders:
|
|
- "Content-Type"
|
|
- "Authorization"
|
|
- "X-Requested-With"
|
|
accessControlMaxAge: 86400
|
|
addVaryHeader: true
|