From 4e0d25b944fd9632e2555c4f6ae01b4728262dfb Mon Sep 17 00:00:00 2001
From: ertopogo
Date: Sun, 22 Feb 2026 19:31:53 +0100
Subject: Application:ajout de lucien-sens bon, vikunja, homeassistant
---
micro/applications/der_topogo.mmd | 101 ++++++++++++++++++++++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 micro/applications/der_topogo.mmd
(limited to 'micro/applications/der_topogo.mmd')
diff --git a/micro/applications/der_topogo.mmd b/micro/applications/der_topogo.mmd
new file mode 100644
index 0000000..edace84
--- /dev/null
+++ b/micro/applications/der_topogo.mmd
@@ -0,0 +1,101 @@
+%% Source projet : E:\Dev\Web-Works\Der-topogo
+%% Auth active : Payload CMS natif (email/password, RBAC admin/editor/viewer)
+%% Auth planifiee : Auth.js v5 + Keycloak OIDC (client dertopogo)
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
+flowchart TB
+ subgraph huitral_docker ["huitral 192.168.99.22 - Docker"]
+ direction TB
+
+ subgraph dt_app ["der-topogo - Next.js 16 + Payload CMS v3"]
+ direction TB
+ nextjs["Next.js standalone
Port: 3000
App Router + TypeScript"]
+ payload["Payload CMS v3
Admin: /admin
REST API + GraphQL"]
+ middleware["Middleware Next.js
CSP headers
connect-src: kc.arauco.online"]
+ end
+ end
+
+ subgraph pg_ext ["PostgreSQL externe"]
+ pg["PostgreSQL
@payloadcms/db-postgres"]
+ end
+
+ subgraph auth_payload ["AuthN Active - Payload CMS natif"]
+ direction TB
+ pay_login["1. Login /admin
email + password"]
+ pay_session["2. Session Payload
PAYLOAD_SECRET"]
+ pay_access["3. Acces admin
Controle par collection"]
+ pay_login --> pay_session --> pay_access
+ end
+
+ subgraph rbac_payload ["AuthZ - RBAC Payload"]
+ direction TB
+ role_admin["admin
CRUD toutes collections
gestion utilisateurs"]
+ role_editor["editor
Lecture + ecriture articles
upload media"]
+ role_viewer["viewer
Lecture seule"]
+ end
+
+ subgraph auth_oidc_planned ["AuthN Planifiee - Auth.js v5 + Keycloak"]
+ direction TB
+ oidc_step1["1. Login SSO
Auth.js provider Keycloak"]
+ oidc_step2["2. Redirect OIDC
kc.arauco.online
/realms/chiruca"]
+ oidc_step3["3. Callback
/api/auth/callback/keycloak"]
+ oidc_step4["4. Session Auth.js
AUTH_SECRET"]
+ oidc_step1 -.-> oidc_step2 -.-> oidc_step3 -.-> oidc_step4
+ end
+
+ subgraph keycloak_ext ["Keycloak - npagnun .35"]
+ direction TB
+ kc["Realm chiruca
Client: dertopogo
Type: confidential"]
+ google["-> Google IdP"]
+ kc --> google
+ end
+
+ subgraph caddy_ext ["Caddy - araucaria .50"]
+ direction TB
+ caddy_pub["dt.arauco.online
HTTPS -> :3000
HSTS, X-Frame-Options: DENY
X-Content-Type-Options: nosniff"]
+ caddy_lan["dt.huitral.ruka.lan
HTTPS auto-signe -> :3000"]
+ end
+
+ subgraph security ["Headers securite"]
+ direction LR
+ csp["CSP
connect-src: kc.arauco.online
Exclu pour /admin"]
+ sec_headers["HSTS 2 ans
X-Frame-Options: DENY
Referrer-Policy: strict-origin
Permissions-Policy: restrict"]
+ end
+
+ subgraph users ["Utilisateurs"]
+ direction TB
+ visitor["Visiteur public
Pages sans auth"]
+ cms_admin["Admin CMS
Payload /admin"]
+ sso_user["Utilisateur SSO
Auth.js + Keycloak"]
+ end
+
+ caddy_pub -->|"HTTP"| nextjs
+ caddy_lan -->|"HTTP"| nextjs
+ nextjs --> payload
+ payload -->|"JDBC"| pg
+
+ auth_payload -.->|"Flux actif"| payload
+ auth_oidc_planned -.->|"Flux planifie"| kc
+
+ visitor --> caddy_pub
+ cms_admin --> caddy_pub
+ sso_user -.->|"Planifie"| caddy_pub
+
+ classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef secStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef userStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+ classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
+ classDef plannedStyle fill:#2a2a2a,stroke:#666,stroke-dasharray: 5 5,color:#999
+
+ class nextjs,payload,middleware svcStyle
+ class pg storStyle
+ class pay_login,pay_session,pay_access flowStyle
+ class role_admin,role_editor,role_viewer secStyle
+ class oidc_step1,oidc_step2,oidc_step3,oidc_step4 plannedStyle
+ class kc,google iamStyle
+ class caddy_pub,caddy_lan netStyle
+ class csp,sec_headers secStyle
+ class visitor,cms_admin userStyle
+ class sso_user plannedStyle
-- cgit v1.2.3
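Review bot: The `csp` node records `Exclu pour /admin` while the `cms_admin --> caddy_pub` edge routes the Payload admin login through the public vhost dt.arauco.online, so the diagram shows the most privileged surface as the one without a Content-Security-Policy and gives neither a reason nor a compensating control. A comment beside the node would close that gap, for example `%% CSP excluded for /admin: <reason>; compensating controls: <to fill in>`. The `caddy_pub -->|"HTTP"| nextjs` and `caddy_lan -->|"HTTP"| nextjs` edges appear to cross hosts (araucaria .50 to huitral 192.168.99.22), so that hop should be marked as cleartext on the LAN or annotated with how it is protected. Separately, the `payload -->|"JDBC"| pg` label looks wrong for a Node adapter such as @payloadcms/db-postgres; something like `payload -->|"PostgreSQL (TLS ?)"| pg` would be more accurate and would also record whether the link to the external database is encrypted.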