History

Codex 0e462012da SECURITY - PLATFORM: add staging hardening baseline		2026-05-12 12:57:56 +03:00
..
authentik	UI - МЕЖПРОЕКТНАЯ КОММУНИКАЦИЯ: очистка loader Authentik	2026-05-12 09:33:09 +03:00
reverse-proxy	SECURITY - PLATFORM: add staging hardening baseline	2026-05-12 12:57:56 +03:00
scripts	SECURITY - PLATFORM: add staging hardening baseline	2026-05-12 12:57:56 +03:00
.env.example	SECURITY - PLATFORM: internal token and staging plan	2026-05-12 12:49:58 +03:00
.env.staging.example	SECURITY - PLATFORM: add staging hardening baseline	2026-05-12 12:57:56 +03:00
README.md	АРХ - NODEDC PLATFORM: bootstrap Authentik applications	2026-05-04 11:07:09 +03:00
docker-compose.dev.yml	АРХ - NODEDC PLATFORM: запуск локального proxy/Authentik стенда	2026-05-04 10:31:59 +03:00
docker-compose.staging.example.yml	SECURITY - PLATFORM: add staging hardening baseline	2026-05-12 12:57:56 +03:00

README.md

NODE.DC Platform Infra

Эта папка предназначена для локального и staging infra слоя:

Authentik;
reverse proxy;
локальные домены;
shared env examples;
будущие docker compose файлы.

Первый local dev слой проксирует текущие локальные приложения без физического переноса репозиториев:

auth.local.nodedc -> authentik-server:9000;
launcher.local.nodedc -> host.docker.internal:5173;
task.local.nodedc -> host.docker.internal:8090.

Authentik построен по актуальной официальной Docker Compose схеме 2026.2: PostgreSQL 16, server и worker. Redis для Authentik в этой версии официального compose не используется.

Reverse proxy использует PLATFORM_PROXY_IMAGE=nodedc/plane-proxy:ru, потому что этот локальный образ уже содержит Caddy и не требует отдельного pull с Docker Hub. На чистой машине можно заменить значение на caddy:2-alpine.

Expected files

infra/
  .env.example
  scripts/init-dev-env.sh
  docker-compose.dev.yml
  docker-compose.staging.yml
  reverse-proxy/
  authentik/

Local start

Add local domains to /etc/hosts:

127.0.0.1 auth.local.nodedc
127.0.0.1 launcher.local.nodedc
127.0.0.1 task.local.nodedc

This requires admin rights on macOS.

Generate local secrets:

./infra/scripts/init-dev-env.sh

Start infra:

docker compose --env-file infra/.env -f infra/docker-compose.dev.yml up -d

Check services:

docker compose --env-file infra/.env -f infra/docker-compose.dev.yml ps
curl -I -H 'Host: auth.local.nodedc' http://127.0.0.1/
curl -I -H 'Host: launcher.local.nodedc' http://127.0.0.1/
curl -I -H 'Host: task.local.nodedc' http://127.0.0.1/

Generated Authentik bootstrap credentials are stored only in infra/.env.

Bootstrap local Authentik groups and OIDC applications:

NODEDC_BOOTSTRAP_ADMIN_EMAIL=dcctouch@gmail.com infra/scripts/bootstrap-authentik-dev.sh

The script is idempotent. It creates NODE.DC groups, Launcher and Task Manager OAuth2 providers, application tiles, group access bindings and local OIDC client secrets in infra/.env.

Current local status

This stack was verified locally with PLATFORM_PROXY_IMAGE=nodedc/plane-proxy:ru:

auth.local.nodedc returns 302 to the Authentik authentication flow through Caddy;
launcher.local.nodedc returns 200 from the current Vite launcher through Caddy;
task.local.nodedc returns 200 from the current Plane runtime through Caddy;
Authentik server, Authentik worker and PostgreSQL report healthy in Docker Compose.
Authentik login via auth.local.nodedc has been verified manually with the local admin user.

Browser testing still requires /etc/hosts entries on the host machine.

Troubleshooting

If Docker Hub pulls hang on caddy:2-alpine, keep PLATFORM_PROXY_IMAGE=nodedc/plane-proxy:ru on this workstation. If the local Plane proxy image is unavailable on a clean machine, set:

PLATFORM_PROXY_IMAGE=caddy:2-alpine

Current decision

Текущий Plane runtime не переносится в compose платформы до backup и отдельного шага миграции.