authorertopogo <erwin.t.pombett@gmail.com>2026-02-22 19:31:53 +0100
committerertopogo <erwin.t.pombett@gmail.com>2026-02-22 19:31:53 +0100
commit4e0d25b944fd9632e2555c4f6ae01b4728262dfb (patch)
tree7a4e5e36850105483ce3cda2b57441aa8c6bd5e2
parent5063ccc088f75f5f56cae32d8cf1987c69816200 (diff)
Application: ajout de lucien-sens-bon, vikunja, homeassistant
-rw-r--r--SCHEMA_CENTRAL.md6
-rw-r--r--micro/applications/der_topogo.mmd101
-rw-r--r--micro/applications/homeassistant.mmd2
-rw-r--r--micro/applications/lucien_sens_bon.mmd97
-rw-r--r--micro/applications/vikunja.mmd2
-rw-r--r--micro/iam/chiruca_auth.mmd6
-rw-r--r--micro/reseau/caddy_reverse_proxy.mmd10
7 files changed, 222 insertions, 2 deletions
diff --git a/SCHEMA_CENTRAL.md b/SCHEMA_CENTRAL.md
index 0325774..72baf95 100644
--- a/SCHEMA_CENTRAL.md
+++ b/SCHEMA_CENTRAL.md
@@ -85,6 +85,7 @@ flowchart TB
| Schema | Fichier | Description |
|--------|---------|-------------|
| Topologie reseau | [topologie_reseau.mmd](micro/reseau/topologie_reseau.mmd) | IPs, interfaces, DNS, routage, acces externe |
+| Caddy Reverse Proxy | [caddy_reverse_proxy.mmd](micro/reseau/caddy_reverse_proxy.mmd) | Reverse proxy Caddy, TLS Let's Encrypt, routes sous-domaines |
### Machines virtuelles
@@ -101,12 +102,17 @@ flowchart TB
| Schema | Fichier | Description |
|--------|---------|-------------|
| Keycloak IAM | [keycloak_iam.mmd](micro/iam/keycloak_iam.mmd) | OIDC, realms, clients, RBAC, flux d'authentification |
+| Auth Chiruca | [chiruca_auth.mmd](micro/iam/chiruca_auth.mmd) | Flux auth realm chiruca, Google IdP, clients OIDC (HA, Vikunja, der-topogo) |
### Applications
| Schema | Fichier | Description |
|--------|---------|-------------|
| Korradi.dev | [korradi_stack.mmd](micro/applications/korradi_stack.mmd) | Stack applicatif: Next.js, Fastify, Widget SDK, Traefik |
+| Home Assistant | [homeassistant.mmd](micro/applications/homeassistant.mmd) | Domotique, OIDC Keycloak, cameras, integrations HACS |
+| Vikunja | [vikunja.mmd](micro/applications/vikunja.mmd) | Gestion taches, OIDC Keycloak, CalDAV, integration HA |
+| Lucien-sens-bon | [lucien_sens_bon.mmd](micro/applications/lucien_sens_bon.mmd) | E-commerce MedusaJS, auth JWT/Cookie native |
+| Der-topogo | [der_topogo.mmd](micro/applications/der_topogo.mmd) | Site consulting, Payload CMS, OIDC Keycloak planifie |
---
diff --git a/micro/applications/der_topogo.mmd b/micro/applications/der_topogo.mmd
new file mode 100644
index 0000000..edace84
--- /dev/null
+++ b/micro/applications/der_topogo.mmd
@@ -0,0 +1,101 @@
+%% Source projet : E:\Dev\Web-Works\Der-topogo
+%% Auth active : Payload CMS natif (email/password, RBAC admin/editor/viewer)
+%% Auth planifiee : Auth.js v5 + Keycloak OIDC (client dertopogo)
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
+flowchart TB
+ subgraph huitral_docker ["huitral 192.168.99.22 - Docker"]
+ direction TB
+
+ subgraph dt_app ["der-topogo - Next.js 16 + Payload CMS v3"]
+ direction TB
+ nextjs["Next.js standalone<br/>Port: 3000<br/>App Router + TypeScript"]
+ payload["Payload CMS v3<br/>Admin: /admin<br/>REST API + GraphQL"]
+ middleware["Middleware Next.js<br/>CSP headers<br/>connect-src: kc.arauco.online"]
+ end
+ end
+
+ subgraph pg_ext ["PostgreSQL externe"]
+ pg["PostgreSQL<br/>@payloadcms/db-postgres"]
+ end
+
+ subgraph auth_payload ["AuthN Active - Payload CMS natif"]
+ direction TB
+ pay_login["1. Login /admin<br/>email + password"]
+ pay_session["2. Session Payload<br/>PAYLOAD_SECRET"]
+ pay_access["3. Acces admin<br/>Controle par collection"]
+ pay_login --> pay_session --> pay_access
+ end
+
+ subgraph rbac_payload ["AuthZ - RBAC Payload"]
+ direction TB
+ role_admin["admin<br/>CRUD toutes collections<br/>gestion utilisateurs"]
+ role_editor["editor<br/>Lecture + ecriture articles<br/>upload media"]
+ role_viewer["viewer<br/>Lecture seule"]
+ end
+
+ subgraph auth_oidc_planned ["AuthN Planifiee - Auth.js v5 + Keycloak"]
+ direction TB
+ oidc_step1["1. Login SSO<br/>Auth.js provider Keycloak"]
+ oidc_step2["2. Redirect OIDC<br/>kc.arauco.online<br/>/realms/chiruca"]
+ oidc_step3["3. Callback<br/>/api/auth/callback/keycloak"]
+ oidc_step4["4. Session Auth.js<br/>AUTH_SECRET"]
+ oidc_step1 -.-> oidc_step2 -.-> oidc_step3 -.-> oidc_step4
+ end
+
+ subgraph keycloak_ext ["Keycloak - npagnun .35"]
+ direction TB
+ kc["Realm chiruca<br/>Client: dertopogo<br/>Type: confidential"]
+ google["-> Google IdP"]
+ kc --> google
+ end
+
+ subgraph caddy_ext ["Caddy - araucaria .50"]
+ direction TB
+ caddy_pub["dt.arauco.online<br/>HTTPS -> :3000<br/>HSTS, X-Frame-Options: DENY<br/>X-Content-Type-Options: nosniff"]
+ caddy_lan["dt.huitral.ruka.lan<br/>HTTPS auto-signe -> :3000"]
+ end
+
+ subgraph security ["Headers securite"]
+ direction LR
+ csp["CSP<br/>connect-src: kc.arauco.online<br/>Exclu pour /admin"]
+ sec_headers["HSTS 2 ans<br/>X-Frame-Options: DENY<br/>Referrer-Policy: strict-origin<br/>Permissions-Policy: restrict"]
+ end
+
+ subgraph users ["Utilisateurs"]
+ direction TB
+ visitor["Visiteur public<br/>Pages sans auth"]
+ cms_admin["Admin CMS<br/>Payload /admin"]
+ sso_user["Utilisateur SSO<br/>Auth.js + Keycloak"]
+ end
+
+ caddy_pub -->|"HTTP"| nextjs
+ caddy_lan -->|"HTTP"| nextjs
+ nextjs --> payload
+ payload -->|"JDBC"| pg
+
+ auth_payload -.->|"Flux actif"| payload
+ auth_oidc_planned -.->|"Flux planifie"| kc
+
+ visitor --> caddy_pub
+ cms_admin --> caddy_pub
+ sso_user -.->|"Planifie"| caddy_pub
+
+ classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef secStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef userStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+ classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
+ classDef plannedStyle fill:#2a2a2a,stroke:#666,stroke-dasharray: 5 5,color:#999
+
+ class nextjs,payload,middleware svcStyle
+ class pg storStyle
+ class pay_login,pay_session,pay_access flowStyle
+ class role_admin,role_editor,role_viewer secStyle
+ class oidc_step1,oidc_step2,oidc_step3,oidc_step4 plannedStyle
+ class kc,google iamStyle
+ class caddy_pub,caddy_lan netStyle
+ class csp,sec_headers secStyle
+ class visitor,cms_admin userStyle
+ class sso_user plannedStyle
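Review bot: The edge `payload -->|"JDBC"| pg` (just after `nextjs --> payload`) names the wrong protocol: the `pg` node itself says the link goes through `@payloadcms/db-postgres`, a Node.js adapter, so a label such as `payload -->|"PostgreSQL wire (node-postgres)"| pg` would match the stack; the same `JDBC` label is used for the MedusaJS backend in `micro/applications/lucien_sens_bon.mmd`. The `csp` node records that CSP is excluded for `/admin` but not why, and `/admin` is the most privileged surface in the diagram; a `%%` comment giving the reason and stating whether the `sec_headers` set (HSTS, X-Frame-Options) still applies on that path would keep this file usable as a security record. `sec_headers` also lists `Permissions-Policy: restrict`, which is not a directive value; naming the actual features denied (or writing `Permissions-Policy: voir Caddyfile`) would be more precise. Unlike lucien_sens_bon.mmd, the external PostgreSQL node carries no port or TLS indication, so whether the database link leaves the host encrypted cannot be read off the diagram.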
diff --git a/micro/applications/homeassistant.mmd b/micro/applications/homeassistant.mmd
index a73084b..577261c 100644
--- a/micro/applications/homeassistant.mmd
+++ b/micro/applications/homeassistant.mmd
@@ -1,3 +1,5 @@
+%% Source projet : E:\Dev\Chiruca
+%% Auth : OIDC Keycloak via HACS (hass-oidc-auth), realm chiruca
%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
flowchart TB
subgraph ha_host ["huitral 192.168.99.22 - network_mode: host"]
diff --git a/micro/applications/lucien_sens_bon.mmd b/micro/applications/lucien_sens_bon.mmd
new file mode 100644
index 0000000..b98da90
--- /dev/null
+++ b/micro/applications/lucien_sens_bon.mmd
@@ -0,0 +1,97 @@
+%% Source projet : E:\Dev\Web-Works\Lucien-sens-bon
+%% Auth : native MedusaJS (JWT + Cookie session) - PAS de Keycloak/OIDC
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
+flowchart TB
+ subgraph huitral_docker ["huitral 192.168.99.22 - Docker Compose"]
+ direction TB
+
+ subgraph lsb_backend ["backend - MedusaJS"]
+ direction TB
+ medusa["medusajs/medusa<br/>Port: 9000<br/>API REST + Admin /app"]
+ admin_ui["Dashboard Admin<br/>/app (Medusa Admin)"]
+ end
+
+ subgraph lsb_storefront ["storefront - Next.js"]
+ direction TB
+ nextjs["node:18-alpine<br/>Port: 8000<br/>Pages: catalogue, panier,<br/>checkout, login, register"]
+ sdk["Medusa JS SDK<br/>medusaClient"]
+ end
+
+ subgraph lsb_redis ["Redis"]
+ redis["redis:alpine<br/>:6379<br/>Cache + Event bus"]
+ end
+ end
+
+ subgraph pg_ext ["PostgreSQL - npagnun .35"]
+ pg["PostgreSQL<br/>:5432<br/>DB: medusa_lsb"]
+ end
+
+ subgraph auth_client ["AuthN Client (storefront)"]
+ direction TB
+ step_c1["1. POST /store/auth<br/>email + password"]
+ step_c2["2. Response<br/>access_token: JWT"]
+ step_c3["3. localStorage<br/>lsb_customer_token"]
+ step_c4["4. Appels API<br/>Authorization: Bearer JWT"]
+ step_c1 --> step_c2 --> step_c3 --> step_c4
+ end
+
+ subgraph auth_admin ["AuthN Admin (dashboard)"]
+ direction TB
+ step_a1["1. POST /admin/auth<br/>email + password"]
+ step_a2["2. Cookie session signe<br/>COOKIE_SECRET"]
+ step_a3["3. JWT admin<br/>JWT_SECRET"]
+ step_a4["4. Acces /app<br/>Cookie + CORS verifie"]
+ step_a1 --> step_a2 --> step_a3 --> step_a4
+ end
+
+ subgraph cors_conf ["CORS"]
+ direction LR
+ admin_cors["ADMIN_CORS<br/>api-lsb.arauco.online<br/>lsb.arauco.online<br/>domaines LAN"]
+ store_cors["STORE_CORS<br/>lsb.arauco.online<br/>domaines LAN"]
+ end
+
+ subgraph caddy_ext ["Caddy - araucaria .50"]
+ direction TB
+ caddy_lsb["lsb.arauco.online<br/>HTTPS -> :8000"]
+ caddy_api["api-lsb.arauco.online<br/>HTTPS -> :9000"]
+ caddy_lan_lsb["lsb.huitral.ruka.lan<br/>HTTP -> :8000"]
+ caddy_lan_api["api-lsb.huitral.ruka.lan<br/>HTTP -> :9000"]
+ end
+
+ subgraph users ["Utilisateurs"]
+ direction TB
+ customer["Client e-commerce<br/>JWT Bearer"]
+ admin["Administrateur<br/>Cookie session"]
+ end
+
+ caddy_lsb -->|"HTTP"| nextjs
+ caddy_api -->|"HTTP"| medusa
+ caddy_lan_lsb -->|"HTTP"| nextjs
+ caddy_lan_api -->|"HTTP"| medusa
+
+ sdk -->|"API REST"| medusa
+ medusa --> redis
+ medusa -->|"JDBC"| pg
+
+ customer --> caddy_lsb
+ admin --> caddy_api
+
+ auth_client -.->|"Flux"| sdk
+ auth_admin -.->|"Flux"| admin_ui
+
+ classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef secStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef userStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+ classDef configStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+ classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
+
+ class medusa,admin_ui,nextjs,sdk svcStyle
+ class redis svcStyle
+ class pg storStyle
+ class caddy_lsb,caddy_api,caddy_lan_lsb,caddy_lan_api netStyle
+ class admin_cors,store_cors configStyle
+ class step_c1,step_c2,step_c3,step_c4 flowStyle
+ class step_a1,step_a2,step_a3,step_a4 flowStyle
+ class customer,admin userStyle
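Review bot: Step `step_c3` documents that the customer JWT is kept in `localStorage` (`lsb_customer_token`), which leaves it readable by any script running on the storefront origin, yet this diagram has no `security` subgraph like the one in der_topogo.mmd, so the CSP and other headers Caddy applies to `lsb.arauco.online` are not recorded next to that exposure; a `%% Headers : voir micro/reseau/caddy_reverse_proxy.mmd` comment, or a headers node, would let a reader check the mitigation. The LAN routes `caddy_lan_lsb` and `caddy_lan_api` are labelled `HTTP -> :8000` and `HTTP -> :9000`, while der_topogo.mmd gives its LAN route as `HTTPS auto-signe`; if the lsb LAN vhosts really serve plain HTTP, the Bearer token and the signed admin cookie cross the LAN unencrypted and a comment should say that is intended, otherwise the labels need correcting. The `cors_conf` nodes list `domaines LAN` without naming them, so they cannot be compared against the four Caddy vhosts in this same file.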
diff --git a/micro/applications/vikunja.mmd b/micro/applications/vikunja.mmd
index 19195b7..a74ddcb 100644
--- a/micro/applications/vikunja.mmd
+++ b/micro/applications/vikunja.mmd
@@ -1,3 +1,5 @@
+%% Source projet : E:\Dev\Chiruca
+%% Auth : OIDC Keycloak natif, realm chiruca, auto-creation compte
%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
flowchart LR
subgraph vikunja_stack ["huitral 192.168.99.22 - Docker Compose"]
diff --git a/micro/iam/chiruca_auth.mmd b/micro/iam/chiruca_auth.mmd
index 858a779..04d3f81 100644
--- a/micro/iam/chiruca_auth.mmd
+++ b/micro/iam/chiruca_auth.mmd
@@ -31,6 +31,7 @@ flowchart LR
direction LR
c_vikunja["vikunja<br/>redirect: vk.arauco.online<br/>scope: openid email profile"]
c_ha["homeassistant<br/>redirect: ha.arauco.online<br/>/auth/oidc/callback"]
+ c_dt["dertopogo (planifie)<br/>redirect: dt.arauco.online<br/>/api/auth/callback/keycloak<br/>Type: confidential"]
end
subgraph roles_conf ["Roles"]
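Review bot: The new `c_dt` node omits the `scope:` line that the sibling `c_vikunja` node carries, so the claims the planned `dertopogo` client will request cannot be read from the diagram; `scope: openid email profile` (or whatever Auth.js is configured to ask for) would make the three client nodes comparable. The `cr_dt` node in the next hunk says `roles a definir`, while der_topogo.mmd already lists the Payload roles admin/editor/viewer; a comment noting that the Keycloak client roles are expected to mirror that set, or that the mapping is still open, would tie the two files together.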
@@ -38,6 +39,7 @@ flowchart LR
realm_roles["Realm roles<br/>admin | user<br/>gestionnaire-taches"]
cr_vikunja["Client vikunja<br/>admin | editor | viewer"]
cr_ha["Client homeassistant<br/>admin | user"]
+ cr_dt["Client dertopogo (planifie)<br/>roles a definir"]
end
subgraph groups_conf ["Groupes"]
@@ -65,6 +67,7 @@ flowchart LR
direction TB
vikunja["Vikunja<br/>vk.arauco.online"]
ha["Home Assistant<br/>ha.arauco.online"]
+ dt["der-topogo (planifie)<br/>dt.arauco.online"]
end
user -->|"Login request"| apps
@@ -78,6 +81,7 @@ flowchart LR
vikunja -->|"Token verify"| keycloak
ha -->|"Token verify"| keycloak
+ dt -.->|"Token verify (planifie)"| keycloak
groups_conf -.->|"Heritage roles"| roles_conf
@@ -88,6 +92,7 @@ flowchart LR
classDef extStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
classDef groupStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+ classDef plannedStyle fill:#2a2a2a,stroke:#666,stroke-dasharray: 5 5,color:#999
class user,jwt userStyle
class goog_oauth,goog_claims extStyle
@@ -97,3 +102,4 @@ flowchart LR
class g_admins,g_terrain,g_consult groupStyle
class pg storStyle
class vikunja,ha appStyle
+ class c_dt,cr_dt,dt plannedStyle
diff --git a/micro/reseau/caddy_reverse_proxy.mmd b/micro/reseau/caddy_reverse_proxy.mmd
index 3cddb40..92ff28f 100644
--- a/micro/reseau/caddy_reverse_proxy.mmd
+++ b/micro/reseau/caddy_reverse_proxy.mmd
@@ -30,6 +30,8 @@ flowchart LR
r_ha["ha.arauco.online"]
r_vk["vk.arauco.online"]
r_pm["pm.arauco.online"]
+ r_lsb["lsb.arauco.online"]
+ r_api_lsb["api-lsb.arauco.online"]
r_redir["arauco.online<br/>-> 301 www.*"]
end
end
@@ -45,6 +47,8 @@ flowchart LR
ha["Home Assistant<br/>:8123"]
vk["Vikunja<br/>:3456"]
pm["Pachamama<br/>:3030"]
+ lsb_sf["Medusa Storefront<br/>:8000"]
+ lsb_be["Medusa Backend<br/>:9000"]
ws_note["WebSocket HA<br/>read_timeout 0"]
end
@@ -56,6 +60,8 @@ flowchart LR
r_ha -->|"HTTP + WS"| ha
r_vk -->|"HTTP"| vk
r_pm -->|"HTTP"| pm
+ r_lsb -->|"HTTP"| lsb_sf
+ r_api_lsb -->|"HTTP"| lsb_be
tls --> routing
@@ -69,6 +75,6 @@ flowchart LR
class dns_pub,client,gw,nat extStyle
class listen,tls netStyle
class headers,kc_block secStyle
- class r_www,r_kc,r_ha,r_vk,r_pm,r_redir routeStyle
+ class r_www,r_kc,r_ha,r_vk,r_pm,r_lsb,r_api_lsb,r_redir routeStyle
class keycloak iamStyle
- class dt,ha,vk,pm,ws_note svcStyle
+ class dt,ha,vk,pm,lsb_sf,lsb_be,ws_note svcStyle