f8618b2bbc
The Storage page + endpoint landed earlier but had no working OCIS backend credential. OCIS has no service-account/client-credentials grant and trusts a single issuer, and basic auth resolves no user in our external-IdP setup — so authenticate OcisClient via an OIDC refresh-token bootstrap instead:

- One-time headless login of svc-platform-api against the ocis provider (public client ocis-web, issuer .../o/ocis/) yields a refresh token, persisted in Mongo (ocis_credentials) and rotated on every use.
- OcisClient mints access tokens with the refresh_token grant; the service user holds the OCIS admin role (OCIS_ADMIN_USER_ID) so libregraph ListAllDrives works.
- scripts/bootstrap-ocis.mjs re-runs the bootstrap if the token lapses.
- Dashboard Plan card gains a storage capacity bar beside seats; hidden when storage is unavailable.
- compose + .env.example: OCIS service OIDC env and admin user id.
- docs/NEXT-STEPS: document the mechanism and the dead-end alternatives.
71 lines
4.5 KiB
Bash
# ─────────────────────────────────────────────────────────────────
# Dezky Local Development — Environment Variables
# ─────────────────────────────────────────────────────────────────
#
# Copy this file to .env and fill in the values.
# Generate secure random values with: openssl rand -hex 32
#
# DO NOT commit .env to git.
# ─────────────────────────────────────────────────────────────────

# ────────────────────────────────────────
# Database root passwords
# ────────────────────────────────────────
POSTGRES_ROOT_PASSWORD=changeme_use_openssl_rand
MONGO_ROOT_PASSWORD=changeme_use_openssl_rand
REDIS_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# Per-service DB passwords
# ────────────────────────────────────────
AUTHENTIK_DB_PASSWORD=changeme_use_openssl_rand
OCIS_DB_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# Authentik
# ────────────────────────────────────────
# AUTHENTIK_SECRET_KEY must be 50+ chars
AUTHENTIK_SECRET_KEY=changeme_run_openssl_rand_hex_50
AUTHENTIK_BOOTSTRAP_PASSWORD=admin_change_this_after_first_login
# AUTHENTIK_BOOTSTRAP_TOKEN is used by the provisioning service to call Authentik API
AUTHENTIK_BOOTSTRAP_TOKEN=changeme_use_openssl_rand_hex_32

# ────────────────────────────────────────
# Operator OIDC (dezky-operator)
# ────────────────────────────────────────
# The operator app differs from the portal: its OAuth provider is provisioned
# declaratively by the operator-application blueprint, which CONSUMES the secret
# below (rather than Authentik generating one for you to copy out). You must set
# a value BEFORE first boot — on a fresh environment the blueprint creates the
# provider with exactly this secret, and the operator container authenticates
# with the same value, so the two only agree if it's set here first.
# Generate with: openssl rand -hex 64
OPERATOR_OIDC_CLIENT_ID=dezky-operator
OPERATOR_OIDC_CLIENT_SECRET=changeme_run_openssl_rand_hex_64

# ────────────────────────────────────────
# Stalwart Mail
# ────────────────────────────────────────
STALWART_ADMIN_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# OCIS
# ────────────────────────────────────────
OCIS_ADMIN_PASSWORD=changeme_use_openssl_rand
# Dedicated OCIS service user (Authentik) used by platform-api to read drive
# quotas for the Storage page via an OIDC password grant. Must exist in
# Authentik, have access to the OCIS application, and hold the OCIS admin role
# (required to list all drives). See docs/NEXT-STEPS.md.
OCIS_SVC_USERNAME=svc-platform-api
OCIS_SVC_PASSWORD=changeme_use_openssl_rand
# OCIS account UUID of the service user, used to grant it the OCIS admin role at
# startup (required for libregraph ListAllDrives). Populate after the OCIS
# bootstrap autoprovisions the account (see docs/NEXT-STEPS.md). Leave empty
# until then.
OCIS_ADMIN_USER_ID=

# ────────────────────────────────────────
# Collabora
# ────────────────────────────────────────
COLLABORA_ADMIN_PASSWORD=changeme_use_openssl_rand
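As an added example (not code from this commit or from the Dezky project), the refresh-token mechanism that the commit message and the OCIS section of `.env.example` describe, modelled as a small Node.js token source: it builds the RFC 6749 refresh_token grant request for the public client, caches the access token until shortly before expiry, persists the rotated refresh token on every use (an in-memory store stands in for the `ocis_credentials` Mongo document), serialises concurrent refreshes so one rotated token is never presented twice, and surfaces `invalid_grant` as a distinct "credential lapsed" error that tells the operator to re-run the bootstrap login. `OcisTokenSource`, `CredentialStore`, `CredentialLapsedError`, the token endpoint URL and every token value are assumptions or constructed sample data; in real use the token endpoint comes from the issuer's `.well-known/openid-configuration`.

```javascript
// Added example, not code from this commit: a minimal refresh_token-grant
// token source with rotation, in the shape the commit message describes.
// Hypothetical names: OcisTokenSource, CredentialStore, CredentialLapsedError.

// Stand-in for the Mongo `ocis_credentials` document: the single current
// refresh token of the service user. In-memory so the example runs offline.
class CredentialStore {
  constructor(refreshToken) {
    this.doc = { refreshToken, rotatedAt: 0 };
  }
  load() {
    return this.doc.refreshToken;
  }
  rotate(refreshToken, nowMs) {
    this.doc = { refreshToken, rotatedAt: nowMs };
  }
}

// Thrown when the IdP rejects the stored refresh token: expired, revoked, or
// rotated by an earlier refresh whose new token was never persisted. The only
// recovery is a fresh headless login (the bootstrap script); the service
// cannot self-heal, so callers should alert rather than retry.
class CredentialLapsedError extends Error {
  constructor(detail) {
    super(`OCIS refresh token lapsed (${detail}); re-run the bootstrap login`);
    this.name = "CredentialLapsedError";
  }
}

// RFC 6749 section 6: refresh_token grant for a public client (no client
// secret, so only client_id travels in the form body). tokenEndpoint is
// read from the issuer's discovery document in real use.
function buildRefreshRequest(tokenEndpoint, clientId, refreshToken) {
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    refresh_token: refreshToken,
  });
  return {
    url: tokenEndpoint,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
    body: body.toString(),
  };
}

// Interpret the token response. The rotated refresh token is persisted
// before anything is returned, so a crash after this point cannot leave the
// old, already-spent token in the store. Failures leave the store untouched.
function applyTokenResponse(store, status, body, nowMs) {
  if (status === 400 && body && body.error === "invalid_grant") {
    throw new CredentialLapsedError(body.error_description || "invalid_grant");
  }
  if (status !== 200 || !body || typeof body.access_token !== "string") {
    throw new Error(`unexpected token response: HTTP ${status}`);
  }
  if (typeof body.refresh_token === "string" && body.refresh_token !== store.load()) {
    store.rotate(body.refresh_token, nowMs);
  }
  const expiresIn = Number(body.expires_in) || 0;
  return { accessToken: body.access_token, expiresAtMs: nowMs + expiresIn * 1000 };
}

// Default transport over the global fetch (Node 18+); replaceable for tests.
async function fetchTransport({ url, method, headers, body }) {
  const res = await fetch(url, { method, headers, body });
  return { status: res.status, body: await res.json().catch(() => null) };
}

class OcisTokenSource {
  constructor({ tokenEndpoint, clientId, store, transport = fetchTransport, now = Date.now, skewMs = 30_000 }) {
    Object.assign(this, { tokenEndpoint, clientId, store, transport, now, skewMs });
    this.cached = null;   // { accessToken, expiresAtMs }
    this.inflight = null; // pending refresh shared by concurrent callers
  }

  // Reuse the access token until skewMs before expiry; clock skew against the
  // IdP otherwise shows up as sporadic 401s from OCIS right before expiry.
  cachedValid(nowMs) {
    return this.cached !== null && nowMs + this.skewMs < this.cached.expiresAtMs;
  }

  async getAccessToken() {
    const nowMs = this.now();
    if (this.cachedValid(nowMs)) return this.cached.accessToken;
    // Serialise refreshes: with rotation, two concurrent requests presenting
    // the same refresh token can trip reuse detection on IdPs that implement
    // it and revoke the whole grant, which would force a new bootstrap.
    if (this.inflight === null) {
      this.inflight = (async () => {
        try {
          const req = buildRefreshRequest(this.tokenEndpoint, this.clientId, this.store.load());
          const { status, body } = await this.transport(req);
          this.cached = applyTokenResponse(this.store, status, body, nowMs);
          return this.cached.accessToken;
        } finally {
          this.inflight = null;
        }
      })();
    }
    return this.inflight;
  }
}
```

The split between the pure `buildRefreshRequest` / `applyTokenResponse` pair and the async `OcisTokenSource` is deliberate: the parts that decide whether a token is rotated or a credential has lapsed can be exercised without a network, and the in-flight guard is the one piece of state that protects the rotating token from concurrent callers.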