NODEDC_PLATFORM/infra/README.md

# NODE.DC Platform Infra
This folder holds the local and staging infra layer:
- Authentik;
- reverse proxy;
- local domains;
- shared env examples;
- future docker compose files.
The first local dev layer proxies the current local applications without physically moving their repositories:
- `auth.local.nodedc` -> `authentik-server:9000`;
- `launcher.local.nodedc` -> `host.docker.internal:5173`;
- `task.local.nodedc` -> `host.docker.internal:8090`.
Authentik is built on the current official Docker Compose layout for 2026.2: PostgreSQL 16, server and worker. This version of the official compose does not use Redis for Authentik.
The reverse proxy uses `PLATFORM_PROXY_IMAGE=nodedc/plane-proxy:ru` because this local image already contains Caddy and does not require a separate pull from Docker Hub. On a clean machine the value can be replaced with `caddy:2-alpine`.
## Expected files
```text
infra/
.env.example
scripts/init-dev-env.sh
docker-compose.dev.yml
docker-compose.staging.yml
reverse-proxy/
authentik/
```
## Local start
1. Add local domains to `/etc/hosts`:
```text
127.0.0.1 auth.local.nodedc
127.0.0.1 launcher.local.nodedc
127.0.0.1 task.local.nodedc
```
This requires admin rights on macOS.
2. Generate local secrets:
```bash
./infra/scripts/init-dev-env.sh
```
3. Start infra:
```bash
docker compose --env-file infra/.env -f infra/docker-compose.dev.yml up -d
```
4. Check services:
```bash
docker compose --env-file infra/.env -f infra/docker-compose.dev.yml ps
curl -I -H 'Host: auth.local.nodedc' http://127.0.0.1/
curl -I -H 'Host: launcher.local.nodedc' http://127.0.0.1/
curl -I -H 'Host: task.local.nodedc' http://127.0.0.1/
```
Generated Authentik bootstrap credentials are stored only in `infra/.env`.
5. Bootstrap local Authentik groups and OIDC applications:
```bash
NODEDC_BOOTSTRAP_ADMIN_EMAIL=dcctouch@gmail.com infra/scripts/bootstrap-authentik-dev.sh
```
The script is idempotent. It creates NODE.DC groups, Launcher and Task Manager OAuth2 providers, application tiles, group access bindings and local OIDC client secrets in `infra/.env`.
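The secrets generated in steps 2 and 5 all land in `infra/.env`. As an added example (not one of the repository's scripts), the check below confirms that the file is a regular file with owner-only permissions and, inside a git work tree, is ignored and untracked; the helper name `check_env_file` is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the repository's scripts.
# check_env_file is a hypothetical helper name.

# Print octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if the given path is a regular, non-symlink file with no
# group/other permission bits and, inside a git work tree, is ignored and untracked.
check_env_file() {
  local f="$1" dir base mode rc=0
  if [ -L "$f" ] || [ ! -f "$f" ]; then
    echo "FAIL: $f is missing, a symlink, or not a regular file" >&2
    return 1
  fi
  mode=$(file_mode "$f") || return 1
  case "$mode" in
    *00|0) ;;  # owner-only, e.g. 600 or 400
    *) echo "FAIL: $f has mode $mode; expected 600" >&2; rc=1 ;;
  esac
  dir=$(dirname "$f"); base=$(basename "$f")
  if command -v git >/dev/null 2>&1 &&
     git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    if git -C "$dir" ls-files --error-unmatch -- "$base" >/dev/null 2>&1; then
      echo "FAIL: $f is tracked by git" >&2; rc=1
    elif ! git -C "$dir" check-ignore -q -- "$base"; then
      echo "FAIL: $f is not covered by .gitignore" >&2; rc=1
    fi
  fi
  return "$rc"
}

# Audit the path this README uses, when run from the repository root.
if [ -f infra/.env ]; then
  check_env_file infra/.env && echo "OK: infra/.env"
fi
```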
## Current local status
This stack was verified locally with `PLATFORM_PROXY_IMAGE=nodedc/plane-proxy:ru`:
- `auth.local.nodedc` returns `302` to the Authentik authentication flow through Caddy;
- `launcher.local.nodedc` returns `200` from the current Vite launcher through Caddy;
- `task.local.nodedc` returns `200` from the current Plane runtime through Caddy;
- Authentik server, Authentik worker and PostgreSQL report healthy in Docker Compose;
- Authentik login via `auth.local.nodedc` has been verified manually with the local admin user.
Browser testing still requires `/etc/hosts` entries on the host machine.
## Troubleshooting
If Docker Hub pulls hang on `caddy:2-alpine`, keep `PLATFORM_PROXY_IMAGE=nodedc/plane-proxy:ru` on this workstation. If the local Plane proxy image is unavailable on a clean machine, set:
```bash
PLATFORM_PROXY_IMAGE=caddy:2-alpine
```
## Current decision
The current Plane runtime is not moved into the platform compose until a backup and a separate migration step have been done.