Ronni Baslund
901cc69ba3
Idle sessions died and left a broken page: when the access token expired, nuxt-oidc-auth's automatic refresh had no refresh token to use — neither Authentik provider carried the offline_access scope mapping (and the operator never requested the scope), so the module cleared the session and every /api call 401'd until a manual F5 happened to re-auth through Authentik's still-alive SSO session. Fix 1: offline_access end to end — scope mapping attached to both live providers (and blueprints, prod + dev), operator now requests the scope. Sessions renew server-side for up to 30 days of activity (Redis store + pinned token key from earlier make the refresh tokens durable). Fix 2: client plugin in both apps — a 401 from /api sends the browser through /auth/oidc/login instead of leaving dead buttons; invisible when Authentik's session is alive, a clean sign-in screen when it isn't. Loop-guarded. Full sign-out behavior unchanged.
dezky production — fleet (k3s app tier)
Pipeline verified end-to-end 2026-06-10: push to main → build → deploy.
k3s manifests for the dezky application tier that runs in-cluster on the
Hetzner AX41 node (see ../host/README.md for the host layer). This layer
deploys the first-party apps:
| App | Image | Public host | Internal Service |
|---|---|---|---|
| platform-api | git.lastcloud.io/ronnibaslund/dezky/platform-api |
api.dezky.eu |
platform-api.dezky-apps:3001 |
| portal | git.lastcloud.io/ronnibaslund/dezky/portal |
app.dezky.eu |
portal.dezky-apps:3000 |
| booking | git.lastcloud.io/ronnibaslund/dezky/booking |
booking.dezky.eu |
booking.dezky-apps:3000 |
| operator | git.lastcloud.io/ronnibaslund/dezky/operator |
operator.dezky.eu |
operator.dezky-apps:3000 |
All of them live in the dezky-apps namespace. The data tier (Postgres/Mongo/
Redis), Authentik and OCIS are added by other parts of the fleet layer and live
in their own namespaces; these manifests reference them by cluster DNS only.
Files
apps/
├── kustomization.yaml # bundles the non-secret resources
├── namespace.yaml # dezky-apps namespace
├── redirect-middleware.yaml # per-router HTTP→HTTPS redirect (ACME-safe)
├── platform-api.yaml # Deployment + Service + Ingress (api.dezky.eu)
├── platform-api-config.yaml # non-secret ConfigMap (Stalwart URL, toggles)
├── portal.yaml # Deployment + Service + Ingress (app.dezky.eu)
├── booking.yaml # Deployment + Service + Ingress (booking.dezky.eu)
├── operator.yaml # Deployment + Service + Ingress (operator.dezky.eu)
└── secrets.example.yaml # SECRET TEMPLATE — never commit real values
ci/
├── gitea-runner.yaml # in-cluster Gitea Actions runner (+ dind)
└── ci-deployer.yaml # ServiceAccount/RBAC the CI deploy job uses
Prerequisites (other fleet layers)
These manifests assume the cluster already has:
- Traefik ingress controller (ships with k3s) —
ingressClassName: traefik. - cert-manager with a
ClusterIssuernamedletsencrypt-prod(HTTP-01). The Ingresses request TLS certs via thecert-manager.io/cluster-issuerannotation; cert-manager fills the named*-tlsSecrets. - MongoDB reachable at
mongo.dezky-data.svc.cluster.local:27017. - Authentik reachable publicly at
https://auth.dezky.euwith OIDC clients provisioned for the portal. - Stalwart on the host, reachable from the pod CIDR at its node-internal IP
on
:8080(JMAP management). Update the placeholder IP inplatform-api-config.yaml.
DNS
Point these A/AAAA records at the AX41 public IP:
api.dezky.eu → <AX41 IP>
app.dezky.eu → <AX41 IP>
booking.dezky.eu → <AX41 IP>
Deploy
Push to main = release. CI (.gitea/workflows/ci.yml, runner in-cluster —
see ci/gitea-runner.yaml) typechecks + tests, builds each app image tagged
:latest and the commit SHA, pushes to the Gitea registry, then the deploy job
pins the kustomization to that SHA (kustomize edit set image), runs
kubectl apply -k apps/ and waits for the rollouts. No GitOps controller, no
bot commits — the pipeline that built the image deploys it.
One-time bootstrap for the deploy job's cluster access:
# 1) ServiceAccount + RBAC (admin scoped to dezky-apps).
kubectl apply -f ci/ci-deployer.yaml
# 2) Mint a kubeconfig from its token and store it as the Gitea repo secret
# KUBECONFIG_B64 (repo Settings → Actions → Secrets). API server address is
# the in-cluster service IP — the runner's jobs run inside the cluster.
TOKEN=$(kubectl -n dezky-apps get secret ci-deployer-token -o jsonpath='{.data.token}' | base64 -d)
CA=$(kubectl -n dezky-apps get secret ci-deployer-token -o jsonpath='{.data.ca\.crt}')
cat <<EOF | base64 | pbcopy # paste into the KUBECONFIG_B64 secret
apiVersion: v1
kind: Config
clusters:
- name: dezky
cluster:
server: https://10.43.0.1:443
certificate-authority-data: $CA
users:
- name: ci-deployer
user:
token: $TOKEN
contexts:
- name: dezky
context: {cluster: dezky, user: ci-deployer, namespace: dezky-apps}
current-context: dezky
EOF
Manual / break-glass deploy (first boot, runner down, secrets changed):
# Real Secrets are applied out-of-band (NOT from git) and the Deployments
# won't start without them. Copy the template, fill in values, apply.
cp apps/secrets.example.yaml /tmp/dezky-secrets.yaml
$EDITOR /tmp/dezky-secrets.yaml # fill every REPLACE / PASSWORD
kubectl apply -f /tmp/dezky-secrets.yaml
rm /tmp/dezky-secrets.yaml
kubectl apply -k apps/
kubectl -n dezky-apps rollout status deploy/platform-api
kubectl -n dezky-apps get ingress,certificate
Required env / secrets
Non-secret config lives in platform-api-config.yaml (ConfigMap) and inline
env: in each Deployment. Secrets are defined in secrets.example.yaml and
must be supplied at deploy time:
platform-api (platform-api-secrets)
| Key | Purpose | How to get it |
|---|---|---|
MONGODB_URI |
Portal/app database connection | From the in-cluster Mongo credentials |
SCHEDULING_CREDENTIAL_KEY |
AES key encrypting stored scheduling creds | openssl rand -hex 32 — back up |
STALWART_ADMIN_PASSWORD |
JMAP management auth | Same value as the host config.env |
STALWART_WEBHOOK_SECRET |
Audit webhook HMAC | Same value as the host config.env |
AUTHENTIK_API_TOKEN |
Authentik admin API (provisioning) | dezky-auth/authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN |
AUDIT_SIGNING_KEY |
Audit hash-chain signing key | openssl rand -hex 32 — back up |
AUDIT_COLD_ACCESS_KEY / AUDIT_COLD_SECRET_KEY |
Hetzner Object Storage IAM | placeholder until the bucket exists |
OCIS_SVC_PASSWORD |
OCIS service user (files tier) | placeholder until OCIS is deployed |
Non-secret runtime config (Authentik issuer/audience/JWKS, Stalwart URL, OCIS
URL, cold-storage endpoint, feature toggles) lives in
platform-api-config.yaml. PORT and DEZKY_ENV are set inline.
portal (portal-secrets)
| Key | Purpose |
|---|---|
NUXT_OIDC_CLIENT_ID / NUXT_OIDC_CLIENT_SECRET |
Authentik OIDC client |
NUXT_OIDC_REDIRECT_URI |
https://app.dezky.eu/auth/callback |
NUXT_OIDC_SESSION_SECRET |
Session encryption (openssl rand -hex 32) |
NUXT_PUBLIC_AUTH_URL |
Public Authentik URL (login + full sign-out) |
PLATFORM_API_INTERNAL_URL / NUXT_API_BASE / NUXT_PUBLIC_PORTAL_URL are set
inline in portal.yaml.
booking (booking-secrets)
| Key | Purpose |
|---|---|
NUXT_PUBLIC_TURNSTILE_SITE_KEY |
Cloudflare Turnstile site key (public, env-injected) |
PLATFORM_API_INTERNAL_URL / NUXT_PUBLIC_SITE_URL are set inline in
booking.yaml.
Never commit real secret values.
secrets.example.yamlis a template and is deliberately excluded fromkustomization.yaml. Manage real secrets via sealed-secrets / SOPS / the Rancher secret store.