ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
fd0c5d011b58428aa3886c251dde4660a5244f70
dezky/infrastructure/production/fleet/apps/secrets.example.yaml
T
Ronni Baslund b155e34fe6
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 20s
Details
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 24s
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 26s
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
Details
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
Details
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 9s
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 18s
Details
ci / test (push) Successful in 34s
Details
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 6s
Details
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 6s
Details
ci / deploy (push) Successful in 41s
Details
fix(infra): runtime OIDC overrides for prod portal/operator login 
CI builds the Nuxt images with no env, so nuxt.config bakes empty OIDC
client creds and .local Authentik URLs into runtimeConfig — sign-in
dead-ended on the app's own /auth/login. Nitro env overrides only apply
when the var name matches the runtimeConfig path
(oidc.providers.oidc.* -> NUXT_OIDC_PROVIDERS_OIDC_*), so production
secrets need that second set of names; the plain NUXT_OIDC_* ones only
work in dev. Also pin NUXT_OIDC_TOKEN_KEY/AUTH_SESSION_SECRET so sessions
survive pod restarts. Live secrets patched on the cluster accordingly.
2026-06-10 13:24:29 +02:00

115 lines
6.5 KiB
YAML
Raw Blame History

# ─────────────────────────────────────────────────────────────────────────
# Secret TEMPLATE — DO NOT COMMIT REAL VALUES.
#
# These are placeholders. In production, manage the real Secrets out-of-band
# (sealed-secrets / SOPS / Rancher secret store), NOT in git. Copy this file,
# fill in real values, and apply it separately — or render SealedSecrets from
# it. The Deployments reference these Secrets by name via envFrom.
#
# Generate strong values with: openssl rand -hex 32
# ─────────────────────────────────────────────────────────────────────────
apiVersion: v1
kind: Secret
metadata:
name: platform-api-secrets
namespace: dezky-apps
type: Opaque
stringData:
# Mongo connection string for the in-cluster MongoDB (data tier namespace).
MONGODB_URI: "mongodb://USER:PASSWORD@mongo.dezky-data.svc.cluster.local:27017/dezky?authSource=admin"
# AES key used to encrypt stored scheduling credentials (e.g. CalDAV creds).
SCHEDULING_CREDENTIAL_KEY: "REPLACE_WITH_openssl_rand_hex_32"
# MUST equal the host's STALWART_ADMIN_PASSWORD (config.env on the AX41).
STALWART_ADMIN_PASSWORD: "REPLACE_WITH_SAME_AS_HOST"
# MUST equal the host's STALWART_WEBHOOK_SECRET (audit webhook HMAC).
STALWART_WEBHOOK_SECRET: "REPLACE_WITH_SAME_AS_HOST"
# Authentik admin API token (tenant/user provisioning). The Helm bootstrap
# token works: dezky-auth/authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN.
AUTHENTIK_API_TOKEN: "REPLACE_WITH_authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN"
# Tamper-evidence signing key for the audit hash chain. Rotating it closes
# the current segment — back it up alongside SCHEDULING_CREDENTIAL_KEY.
AUDIT_SIGNING_KEY: "REPLACE_WITH_openssl_rand_hex_32"
# Hetzner Object Storage IAM pair for audit cold storage. Not provisioned
# yet — keep the placeholders until the bucket exists (ARCHIVE_ENABLED is
# false in platform-api-config.yaml; the client only fails when used).
AUDIT_COLD_ACCESS_KEY: "not-configured"
AUDIT_COLD_SECRET_KEY: "not-configured"
# OCIS service-user password (files tier — not deployed in prod yet).
OCIS_SVC_PASSWORD: "not-configured"
---
apiVersion: v1
kind: Secret
metadata:
name: portal-secrets
namespace: dezky-apps
type: Opaque
stringData:
# Authentik OIDC client provisioned for the portal.
NUXT_OIDC_CLIENT_ID: "REPLACE"
NUXT_OIDC_CLIENT_SECRET: "REPLACE"
NUXT_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
# Public base URL of Authentik (used for login redirects + full sign-out).
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
# ── Runtime overrides for the BAKED OIDC provider config ────────────────
# The prod image is built in CI with no env, so nuxt.config bakes EMPTY
# client creds and .local URLs into runtimeConfig. Nitro only overrides
# runtimeConfig keys whose env name matches the config path —
# oidc.providers.oidc.* → NUXT_OIDC_PROVIDERS_OIDC_*. The plain
# NUXT_OIDC_* names above only work in dev (nuxt.config evaluated at
# runtime); production needs BOTH sets.
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "REPLACE_same_as_NUXT_OIDC_CLIENT_ID"
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-portal/end-session/"
NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-portal/.well-known/openid-configuration"
# Refresh-token encryption + auth-session secret — without them sessions
# die on every pod restart (random keys are generated per boot).
NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
---
apiVersion: v1
kind: Secret
metadata:
name: booking-secrets
namespace: dezky-apps
type: Opaque
stringData:
# Cloudflare Turnstile site key for the public booking form (public value,
# env-injected so it can rotate without a rebuild).
NUXT_PUBLIC_TURNSTILE_SITE_KEY: "REPLACE"
---
apiVersion: v1
kind: Secret
metadata:
name: operator-secrets
namespace: dezky-apps
type: Opaque
stringData:
# Authentik OIDC client provisioned for the operator (dezky-operator).
# NUXT_OIDC_CLIENT_SECRET MUST equal authentik-secret.OPERATOR_OIDC_CLIENT_SECRET.
NUXT_OIDC_CLIENT_ID: "dezky-operator"
NUXT_OIDC_CLIENT_SECRET: "REPLACE_WITH_authentik-secret.OPERATOR_OIDC_CLIENT_SECRET"
NUXT_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
# Public base URL of Authentik (used for login redirects + full sign-out).
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
# Runtime overrides for the baked OIDC provider config — see the portal
# section above for why production needs the NUXT_OIDC_PROVIDERS_OIDC_*
# names in addition to the plain ones.
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "dezky-operator"
NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-operator/end-session/"
NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-operator/.well-known/openid-configuration"
NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
Reference in New Issue View Git Blame Copy Permalink