authorertopogo <erwin.t.pombett@gmail.com>2026-02-21 20:49:01 +0100
committerertopogo <erwin.t.pombett@gmail.com>2026-02-21 20:49:01 +0100
commit5063ccc088f75f5f56cae32d8cf1987c69816200 (patch)
treee2bfd2e9ab4600cf4647980161c1ae2ac1b08a4d
parentb713be161431729305701f80b3b6f53d2f07f62a (diff)
Ajouter 4 schemas Chiruca : Caddy reverse proxy, auth OIDC, Home Assistant, Vikunjamain
Co-authored-by: Cursor <cursoragent@cursor.com>
-rw-r--r--micro/applications/homeassistant.mmd96
-rw-r--r--micro/applications/vikunja.mmd88
-rw-r--r--micro/iam/chiruca_auth.mmd99
-rw-r--r--micro/reseau/caddy_reverse_proxy.mmd74
4 files changed, 357 insertions, 0 deletions
diff --git a/micro/applications/homeassistant.mmd b/micro/applications/homeassistant.mmd
new file mode 100644
index 0000000..a73084b
--- /dev/null
+++ b/micro/applications/homeassistant.mmd
@@ -0,0 +1,96 @@
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
+flowchart TB
+ subgraph ha_host ["huitral 192.168.99.22 - network_mode: host"]
+ direction TB
+
+ subgraph ha_container ["Home Assistant - Docker"]
+ direction TB
+ ha_core["HA Core<br/>ghcr.io/home-assistant/<br/>home-assistant:stable<br/>Port: 8123"]
+ ha_ws["WebSocket<br/>connexions longues"]
+ end
+
+ subgraph ha_config ["Configuration"]
+ direction LR
+ config_dir["/opt/homeassistant/config<br/>-> /config"]
+ config_yaml["configuration.yaml<br/>internal_url: ha.arauco.online<br/>external_url: ha.arauco.online"]
+ secrets["secrets.yaml"]
+ config_dir --- config_yaml
+ config_dir --- secrets
+ end
+
+ subgraph ha_proxy ["Reverse Proxy"]
+ trusted["trusted_proxies<br/>192.168.99.0/24<br/>use_x_forwarded_for: true"]
+ end
+
+ subgraph ha_integrations ["Integrations"]
+ direction TB
+
+ subgraph hacs_int ["HACS"]
+ direction LR
+ oidc_comp["hass-oidc-auth<br/>Composant OIDC"]
+ vikunja_int["Vikunja Todo<br/>Listes de taches"]
+ end
+
+ subgraph cameras ["Cameras"]
+ direction LR
+ onvif["ONVIF<br/>Decouverte auto + PTZ"]
+ rtsp["RTSP / MJPEG<br/>Flux video"]
+ end
+
+ subgraph local_todo ["Todo local"]
+ ha_todo["HA Shopping List<br/>Listes locales"]
+ end
+ end
+ end
+
+ subgraph oidc_auth ["Authentification OIDC"]
+ direction TB
+ auth_flow["auth_oidc:<br/>client_id: homeassistant<br/>discovery_url: kc.arauco.online<br/>/realms/chiruca/.well-known/<br/>openid-configuration"]
+ login_btn["Bouton SSO<br/>OpenID Connect"]
+ welcome["/auth/oidc/welcome<br/>Code unique 5 min"]
+ auth_flow --> login_btn --> welcome
+ end
+
+ subgraph keycloak_ext ["Keycloak npagnun .35"]
+ kc["Realm chiruca<br/>Client: homeassistant<br/>Redirect: ha.arauco.online<br/>/auth/oidc/callback"]
+ google["-> Google IdP"]
+ kc --> google
+ end
+
+ subgraph caddy_ext ["Caddy araucaria .50"]
+ caddy["ha.arauco.online<br/>HTTPS -> :8123<br/>WebSocket: read_timeout 0"]
+ end
+
+ subgraph vikunja_ext ["Vikunja huitral .22"]
+ vk["vk.arauco.online<br/>:3456<br/>API REST"]
+ end
+
+ subgraph users_ext ["Utilisateurs"]
+ direction TB
+ persons["Personnes HA<br/>paul, anne, toshiro..."]
+ notify["Notifications mobiles<br/>notify.mobile_app_*"]
+ end
+
+ caddy -->|"HTTP + WS"| ha_core
+ oidc_comp -->|"OIDC"| kc
+ vikunja_int -->|"API"| vk
+ ha_core --> ha_integrations
+ users_ext --> ha_core
+ persons -.-> notify
+
+ classDef haStyle fill:#1e4a4a,stroke:#4a9a9a,color:#a8e0e0
+ classDef configStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef secStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef userStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+
+ class ha_core,ha_ws haStyle
+ class config_dir,config_yaml,secrets configStyle
+ class trusted,auth_flow,login_btn,welcome secStyle
+ class oidc_comp,vikunja_int,onvif,rtsp,ha_todo svcStyle
+ class kc,google iamStyle
+ class caddy netStyle
+ class vk svcStyle
+ class persons,notify userStyle
diff --git a/micro/applications/vikunja.mmd b/micro/applications/vikunja.mmd
new file mode 100644
index 0000000..19195b7
--- /dev/null
+++ b/micro/applications/vikunja.mmd
@@ -0,0 +1,88 @@
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
+flowchart LR
+ subgraph vikunja_stack ["huitral 192.168.99.22 - Docker Compose"]
+ direction TB
+
+ subgraph vikunja_app ["vikunja"]
+ direction TB
+ vk_core["vikunja/vikunja<br/>Port: 3456<br/>VIKUNJA_SERVICE_PUBLICURL:<br/>https://vk.arauco.online"]
+ vk_cli["CLI: /app/vikunja/vikunja<br/>user list | create | delete<br/>dump | restore | doctor"]
+ end
+
+ subgraph vikunja_db ["vikunja-db"]
+ pg["postgres:16<br/>:5432 interne<br/>DB: vikunja<br/>User: vikunja"]
+ pg_vol["/opt/vikunja/db<br/>-> /var/lib/postgresql/data"]
+ end
+
+ subgraph vikunja_files ["Stockage"]
+ files_vol["/opt/vikunja/files"]
+ end
+
+ vk_core -->|"JDBC"| pg
+ end
+
+ subgraph oidc_conf ["OIDC Configuration"]
+ direction TB
+ oidc["VIKUNJA_AUTH_OPENIDCONNECT_*<br/>enabled: true<br/>redirecturl: vk.arauco.online<br/>/auth/openid/keycloak"]
+ oidc_auto["Auto-creation compte<br/>au 1er login OIDC"]
+ end
+
+ subgraph keycloak_ext ["Keycloak npagnun .35"]
+ direction TB
+ kc["Realm chiruca<br/>Client: vikunja<br/>Roles: admin | editor | viewer"]
+ google["-> Google IdP<br/>Identity Brokering"]
+ kc --> google
+ end
+
+ subgraph caddy_ext ["Caddy araucaria .50"]
+ caddy["vk.arauco.online<br/>HTTPS -> :3456"]
+ end
+
+ subgraph ha_ext ["Home Assistant huitral .22"]
+ direction TB
+ ha_hacs["HACS Integration<br/>Vikunja Todo"]
+ ha_todo["Listes todo par utilisateur<br/>paul, anne, toshiro..."]
+ ha_notify["Automations<br/>Notifications mobiles<br/>notify.mobile_app_*"]
+ ha_hacs --> ha_todo
+ ha_todo --> ha_notify
+ end
+
+ subgraph sync ["Synchronisation"]
+ direction TB
+ caldav["CalDAV<br/>vk.arauco.online/dav/<br/>principals/USER/"]
+ ics["ICS<br/>vk.arauco.online<br/>/api/v1/projects/ID"]
+ davx5["DAVx5<br/>Sync mobile"]
+ caldav --> davx5
+ end
+
+ subgraph user_model ["Modele utilisateurs"]
+ direction TB
+ kc_user["Keycloak<br/>paul@gmail.com"]
+ vk_user["Vikunja<br/>paul (auto OIDC)"]
+ ha_user["HA<br/>paul (compte separe)"]
+ kc_user -->|"OIDC"| vk_user
+ kc_user -.->|"OIDC HACS"| ha_user
+ end
+
+ caddy -->|"HTTP"| vk_core
+ oidc --> kc
+ ha_hacs -->|"API REST"| vk_core
+ vk_core --> sync
+
+ classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef haStyle fill:#1e4a4a,stroke:#4a9a9a,color:#a8e0e0
+ classDef syncStyle fill:#3a3a1e,stroke:#9a9a4a,color:#e0e0a8
+ classDef userStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+ classDef configStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+
+ class vk_core,vk_cli svcStyle
+ class pg,pg_vol,files_vol storStyle
+ class oidc,oidc_auto configStyle
+ class kc,google iamStyle
+ class caddy netStyle
+ class ha_hacs,ha_todo,ha_notify haStyle
+ class caldav,ics,davx5 syncStyle
+ class kc_user,vk_user,ha_user userStyle
diff --git a/micro/iam/chiruca_auth.mmd b/micro/iam/chiruca_auth.mmd
new file mode 100644
index 0000000..858a779
--- /dev/null
+++ b/micro/iam/chiruca_auth.mmd
@@ -0,0 +1,99 @@
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 50, 'rankSpacing': 60}}}%%
+flowchart LR
+ subgraph user_side ["Cote Utilisateur"]
+ direction TB
+ user["Navigateur"]
+ jwt["Token JWT Keycloak<br/>dans le header"]
+ user --> jwt
+ end
+
+ subgraph google ["Google (IdP externe)"]
+ direction TB
+ goog_oauth["Google OAuth 2.0<br/>accounts.google.com"]
+ goog_claims["Claims Google<br/>sub, email, name<br/>picture, email_verified"]
+ end
+
+ subgraph keycloak ["Keycloak - npagnun .35<br/>Realm: chiruca"]
+ direction TB
+
+ subgraph endpoints ["Endpoints"]
+ direction LR
+ http_ep[":8080 HTTP"]
+ https_ep[":8443 HTTPS"]
+ health[":9000 Health"]
+ end
+
+ subgraph idp_conf ["Identity Provider"]
+ google_idp["Google IdP<br/>Identity Brokering<br/>First Broker Login"]
+ end
+
+ subgraph clients ["Clients OIDC"]
+ direction LR
+ c_vikunja["vikunja<br/>redirect: vk.arauco.online<br/>scope: openid email profile"]
+ c_ha["homeassistant<br/>redirect: ha.arauco.online<br/>/auth/oidc/callback"]
+ end
+
+ subgraph roles_conf ["Roles"]
+ direction TB
+ realm_roles["Realm roles<br/>admin | user<br/>gestionnaire-taches"]
+ cr_vikunja["Client vikunja<br/>admin | editor | viewer"]
+ cr_ha["Client homeassistant<br/>admin | user"]
+ end
+
+ subgraph groups_conf ["Groupes"]
+ direction TB
+ g_admins["/admins<br/>realm: admin<br/>vk: admin, ha: admin"]
+ g_terrain["/equipe-terrain<br/>realm: user, gest-taches<br/>vk: editor, ha: user"]
+ g_consult["/consultants<br/>realm: user<br/>vk: viewer, ha: user"]
+ end
+
+ subgraph oidc_flow ["Flux OIDC"]
+ direction LR
+ step1["1. /authorize<br/>client_id + scope"]
+ step2["2. Login Keycloak<br/>-> Login with Google"]
+ step3["3. Google auth<br/>+ consent"]
+ step4["4. Code -> Tokens<br/>JWT avec roles locaux"]
+ step1 --> step2 --> step3 --> step4
+ end
+ end
+
+ subgraph db ["Base de donnees"]
+ pg["PostgreSQL 15<br/>:5432 interne<br/>DB: keycloak"]
+ end
+
+ subgraph apps ["Applications Chiruca"]
+ direction TB
+ vikunja["Vikunja<br/>vk.arauco.online"]
+ ha["Home Assistant<br/>ha.arauco.online"]
+ end
+
+ user -->|"Login request"| apps
+ apps -->|"Redirect OIDC"| endpoints
+ step2 -->|"Redirect OAuth2"| goog_oauth
+ goog_oauth -->|"Code + ID Token"| google_idp
+ step4 -->|"JWT access_token<br/>+ refresh_token"| user
+ jwt -->|"Authorization: Bearer"| apps
+
+ keycloak --> pg
+
+ vikunja -->|"Token verify"| keycloak
+ ha -->|"Token verify"| keycloak
+
+ groups_conf -.->|"Heritage roles"| roles_conf
+
+ classDef userStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef appStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef extStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+ classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
+ classDef groupStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+
+ class user,jwt userStyle
+ class goog_oauth,goog_claims extStyle
+ class http_ep,https_ep,health,google_idp,c_vikunja,c_ha iamStyle
+ class realm_roles,cr_vikunja,cr_ha iamStyle
+ class step1,step2,step3,step4 flowStyle
+ class g_admins,g_terrain,g_consult groupStyle
+ class pg storStyle
+ class vikunja,ha appStyle
diff --git a/micro/reseau/caddy_reverse_proxy.mmd b/micro/reseau/caddy_reverse_proxy.mmd
new file mode 100644
index 0000000..3cddb40
--- /dev/null
+++ b/micro/reseau/caddy_reverse_proxy.mmd
@@ -0,0 +1,74 @@
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 50, 'rankSpacing': 60}}}%%
+flowchart LR
+ subgraph internet ["Internet"]
+ direction TB
+ dns_pub["DNS public<br/>*.arauco.online<br/>-> IP publique<br/>DynDNS Namecheap"]
+ client["Navigateur<br/>Utilisateur"]
+ client --> dns_pub
+ end
+
+ subgraph router ["Routeur Swisscom"]
+ gw["Gateway 192.168.99.1"]
+ nat["NAT<br/>:80 -> .50:80<br/>:443 -> .50:443"]
+ end
+
+ subgraph caddy_host ["araucaria 192.168.99.50"]
+ direction TB
+
+ subgraph caddy_svc ["Caddy - natif systemd"]
+ direction TB
+ listen[":80 HTTP<br/>:443 HTTPS"]
+ tls["TLS termination<br/>Let's Encrypt<br/>ACME HTTP-01"]
+ headers["Headers securite<br/>HSTS, X-Content-Type-Options<br/>X-Frame-Options, Referrer-Policy<br/>-Server"]
+ listen --> tls
+ end
+
+ subgraph routing ["Routes reverse proxy"]
+ direction TB
+ r_www["www.arauco.online"]
+ r_kc["kc.arauco.online"]
+ r_ha["ha.arauco.online"]
+ r_vk["vk.arauco.online"]
+ r_pm["pm.arauco.online"]
+ r_redir["arauco.online<br/>-> 301 www.*"]
+ end
+ end
+
+ subgraph npagnun ["npagnun .35"]
+ keycloak["Keycloak<br/>:8080 HTTP"]
+ kc_block["/admin/* bloque<br/>hors LAN 403"]
+ end
+
+ subgraph huitral ["huitral .22"]
+ direction TB
+ dt["der-topogo<br/>:3000"]
+ ha["Home Assistant<br/>:8123"]
+ vk["Vikunja<br/>:3456"]
+ pm["Pachamama<br/>:3030"]
+ ws_note["WebSocket HA<br/>read_timeout 0"]
+ end
+
+ dns_pub --> nat
+ nat --> listen
+
+ r_www -->|"HTTP"| dt
+ r_kc -->|"HTTP"| keycloak
+ r_ha -->|"HTTP + WS"| ha
+ r_vk -->|"HTTP"| vk
+ r_pm -->|"HTTP"| pm
+
+ tls --> routing
+
+ classDef extStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+ classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef secStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef routeStyle fill:#3a3a1e,stroke:#9a9a4a,color:#e0e0a8
+
+ class dns_pub,client,gw,nat extStyle
+ class listen,tls netStyle
+ class headers,kc_block secStyle
+ class r_www,r_kc,r_ha,r_vk,r_pm,r_redir routeStyle
+ class keycloak iamStyle
+ class dt,ha,vk,pm,ws_note svcStyle