From 5063ccc088f75f5f56cae32d8cf1987c69816200 Mon Sep 17 00:00:00 2001
From: ertopogo
Date: Sat, 21 Feb 2026 20:49:01 +0100
Subject: Ajouter 4 schemas Chiruca : Caddy reverse proxy, auth OIDC, Home Assistant, Vikunja
Co-authored-by: Cursor
---
micro/applications/homeassistant.mmd | 96 ++++++++++++++++++++++++++++++++++
micro/applications/vikunja.mmd | 88 ++++++++++++++++++++++++++++++++
micro/iam/chiruca_auth.mmd | 99 ++++++++++++++++++++++++++++++++++++
micro/reseau/caddy_reverse_proxy.mmd | 74 +++++++++++++++++++++++++++
4 files changed, 357 insertions(+)
create mode 100644 micro/applications/homeassistant.mmd
create mode 100644 micro/applications/vikunja.mmd
create mode 100644 micro/iam/chiruca_auth.mmd
create mode 100644 micro/reseau/caddy_reverse_proxy.mmd
(limited to 'micro')
diff --git a/micro/applications/homeassistant.mmd b/micro/applications/homeassistant.mmd
new file mode 100644
index 0000000..a73084b
--- /dev/null
+++ b/micro/applications/homeassistant.mmd
@@ -0,0 +1,96 @@
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
+flowchart TB
+ subgraph ha_host ["huitral 192.168.99.22 - network_mode: host"]
+ direction TB
+
+ subgraph ha_container ["Home Assistant - Docker"]
+ direction TB
+ ha_core["HA Core
ghcr.io/home-assistant/
home-assistant:stable
Port: 8123"]
+ ha_ws["WebSocket
connexions longues"]
+ end
+
+ subgraph ha_config ["Configuration"]
+ direction LR
+ config_dir["/opt/homeassistant/config
-> /config"]
+ config_yaml["configuration.yaml
internal_url: ha.arauco.online
external_url: ha.arauco.online"]
+ secrets["secrets.yaml"]
+ config_dir --- config_yaml
+ config_dir --- secrets
+ end
+
+ subgraph ha_proxy ["Reverse Proxy"]
+ trusted["trusted_proxies
192.168.99.0/24
use_x_forwarded_for: true"]
+ end
+
+ subgraph ha_integrations ["Integrations"]
+ direction TB
+
+ subgraph hacs_int ["HACS"]
+ direction LR
+ oidc_comp["hass-oidc-auth
Composant OIDC"]
+ vikunja_int["Vikunja Todo
Listes de taches"]
+ end
+
+ subgraph cameras ["Cameras"]
+ direction LR
+ onvif["ONVIF
Decouverte auto + PTZ"]
+ rtsp["RTSP / MJPEG
Flux video"]
+ end
+
+ subgraph local_todo ["Todo local"]
+ ha_todo["HA Shopping List
Listes locales"]
+ end
+ end
+ end
+
+ subgraph oidc_auth ["Authentification OIDC"]
+ direction TB
+ auth_flow["auth_oidc:
client_id: homeassistant
discovery_url: kc.arauco.online
/realms/chiruca/.well-known/
openid-configuration"]
+ login_btn["Bouton SSO
OpenID Connect"]
+ welcome["/auth/oidc/welcome
Code unique 5 min"]
+ auth_flow --> login_btn --> welcome
+ end
+
+ subgraph keycloak_ext ["Keycloak npagnun .35"]
+ kc["Realm chiruca
Client: homeassistant
Redirect: ha.arauco.online
/auth/oidc/callback"]
+ google["-> Google IdP"]
+ kc --> google
+ end
+
+ subgraph caddy_ext ["Caddy araucaria .50"]
+ caddy["ha.arauco.online
HTTPS -> :8123
WebSocket: read_timeout 0"]
+ end
+
+ subgraph vikunja_ext ["Vikunja huitral .22"]
+ vk["vk.arauco.online
:3456
API REST"]
+ end
+
+ subgraph users_ext ["Utilisateurs"]
+ direction TB
+ persons["Personnes HA
paul, anne, toshiro..."]
+ notify["Notifications mobiles
notify.mobile_app_*"]
+ end
+
+ caddy -->|"HTTP + WS"| ha_core
+ oidc_comp -->|"OIDC"| kc
+ vikunja_int -->|"API"| vk
+ ha_core --> ha_integrations
+ users_ext --> ha_core
+ persons -.-> notify
+
+ classDef haStyle fill:#1e4a4a,stroke:#4a9a9a,color:#a8e0e0
+ classDef configStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef secStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef userStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+
+ class ha_core,ha_ws haStyle
+ class config_dir,config_yaml,secrets configStyle
+ class trusted,auth_flow,login_btn,welcome secStyle
+ class oidc_comp,vikunja_int,onvif,rtsp,ha_todo svcStyle
+ class kc,google iamStyle
+ class caddy netStyle
+ class vk svcStyle
+ class persons,notify userStyle
diff --git a/micro/applications/vikunja.mmd b/micro/applications/vikunja.mmd
new file mode 100644
index 0000000..19195b7
--- /dev/null
+++ b/micro/applications/vikunja.mmd
@@ -0,0 +1,88 @@
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
+flowchart LR
+ subgraph vikunja_stack ["huitral 192.168.99.22 - Docker Compose"]
+ direction TB
+
+ subgraph vikunja_app ["vikunja"]
+ direction TB
+ vk_core["vikunja/vikunja
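Review bot: The `trusted` node in subgraph `ha_proxy` documents `trusted_proxies 192.168.99.0/24` together with `use_x_forwarded_for: true`, while the only reverse proxy in the diagram is Caddy on araucaria .50 (subgraph `caddy_ext`). If this reflects the deployed configuration.yaml, an X-Forwarded-For header set by any host on the LAN is accepted by Home Assistant as the client address, so every client-IP-based control in HA keys on a value a LAN host chooses; narrowing the label (and the setting it documents) to `192.168.99.50` records the real trust boundary. Since the host runs with `network_mode: host`, port 8123 is also reachable on the LAN without passing through Caddy, which is worth stating next to the `caddy -->|"HTTP + WS"| ha_core` edge so readers do not assume all HA traffic is TLS-terminated.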
Port: 3456
VIKUNJA_SERVICE_PUBLICURL:
https://vk.arauco.online"]
+ vk_cli["CLI: /app/vikunja/vikunja
user list | create | delete
dump | restore | doctor"]
+ end
+
+ subgraph vikunja_db ["vikunja-db"]
+ pg["postgres:16
:5432 interne
DB: vikunja
User: vikunja"]
+ pg_vol["/opt/vikunja/db
-> /var/lib/postgresql/data"]
+ end
+
+ subgraph vikunja_files ["Stockage"]
+ files_vol["/opt/vikunja/files"]
+ end
+
+ vk_core -->|"JDBC"| pg
+ end
+
+ subgraph oidc_conf ["OIDC Configuration"]
+ direction TB
+ oidc["VIKUNJA_AUTH_OPENIDCONNECT_*
enabled: true
redirecturl: vk.arauco.online
/auth/openid/keycloak"]
+ oidc_auto["Auto-creation compte
au 1er login OIDC"]
+ end
+
+ subgraph keycloak_ext ["Keycloak npagnun .35"]
+ direction TB
+ kc["Realm chiruca
Client: vikunja
Roles: admin | editor | viewer"]
+ google["-> Google IdP
Identity Brokering"]
+ kc --> google
+ end
+
+ subgraph caddy_ext ["Caddy araucaria .50"]
+ caddy["vk.arauco.online
HTTPS -> :3456"]
+ end
+
+ subgraph ha_ext ["Home Assistant huitral .22"]
+ direction TB
+ ha_hacs["HACS Integration
Vikunja Todo"]
+ ha_todo["Listes todo par utilisateur
paul, anne, toshiro..."]
+ ha_notify["Automations
Notifications mobiles
notify.mobile_app_*"]
+ ha_hacs --> ha_todo
+ ha_todo --> ha_notify
+ end
+
+ subgraph sync ["Synchronisation"]
+ direction TB
+ caldav["CalDAV
vk.arauco.online/dav/
principals/USER/"]
+ ics["ICS
vk.arauco.online
/api/v1/projects/ID"]
+ davx5["DAVx5
Sync mobile"]
+ caldav --> davx5
+ end
+
+ subgraph user_model ["Modele utilisateurs"]
+ direction TB
+ kc_user["Keycloak
paul@gmail.com"]
+ vk_user["Vikunja
paul (auto OIDC)"]
+ ha_user["HA
paul (compte separe)"]
+ kc_user -->|"OIDC"| vk_user
+ kc_user -.->|"OIDC HACS"| ha_user
+ end
+
+ caddy -->|"HTTP"| vk_core
+ oidc --> kc
+ ha_hacs -->|"API REST"| vk_core
+ vk_core --> sync
+
+ classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef haStyle fill:#1e4a4a,stroke:#4a9a9a,color:#a8e0e0
+ classDef syncStyle fill:#3a3a1e,stroke:#9a9a4a,color:#e0e0a8
+ classDef userStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+ classDef configStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+
+ class vk_core,vk_cli svcStyle
+ class pg,pg_vol,files_vol storStyle
+ class oidc,oidc_auto configStyle
+ class kc,google iamStyle
+ class caddy netStyle
+ class ha_hacs,ha_todo,ha_notify haStyle
+ class caldav,ics,davx5 syncStyle
+ class kc_user,vk_user,ha_user userStyle
diff --git a/micro/iam/chiruca_auth.mmd b/micro/iam/chiruca_auth.mmd
new file mode 100644
index 0000000..858a779
--- /dev/null
+++ b/micro/iam/chiruca_auth.mmd
@@ -0,0 +1,99 @@
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 50, 'rankSpacing': 60}}}%%
+flowchart LR
+ subgraph user_side ["Cote Utilisateur"]
+ direction TB
+ user["Navigateur"]
+ jwt["Token JWT Keycloak
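Review bot: The `oidc_auto` node records that a Vikunja account is created automatically at the first OIDC login, but neither this diagram nor the `kc`/`google` nodes say what limits which Google identities Keycloak brokers into realm chiruca, so a reader cannot tell whether account creation is effectively open to any Google account or restricted to the people listed in `ha_todo`. A short label under `oidc_auto` stating the actual restriction (or a visible `TODO: confirmer la restriction des identites Google` if it has not been checked) would close that gap; the same question applies to the `google_idp` / `First Broker Login` node in micro/iam/chiruca_auth.mmd and is not repeated there. Separately, the `vk_core -->|"JDBC"| pg` edge label is inaccurate: Vikunja is a Go service and talks plain PostgreSQL wire protocol to the `pg` node, so `vk_core -->|"PostgreSQL :5432"| pg` matches what the `pg` label already says.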
dans le header"]
+ user --> jwt
+ end
+
+ subgraph google ["Google (IdP externe)"]
+ direction TB
+ goog_oauth["Google OAuth 2.0
accounts.google.com"]
+ goog_claims["Claims Google
sub, email, name
picture, email_verified"]
+ end
+
+ subgraph keycloak ["Keycloak - npagnun .35
Realm: chiruca"]
+ direction TB
+
+ subgraph endpoints ["Endpoints"]
+ direction LR
+ http_ep[":8080 HTTP"]
+ https_ep[":8443 HTTPS"]
+ health[":9000 Health"]
+ end
+
+ subgraph idp_conf ["Identity Provider"]
+ google_idp["Google IdP
Identity Brokering
First Broker Login"]
+ end
+
+ subgraph clients ["Clients OIDC"]
+ direction LR
+ c_vikunja["vikunja
redirect: vk.arauco.online
scope: openid email profile"]
+ c_ha["homeassistant
redirect: ha.arauco.online
/auth/oidc/callback"]
+ end
+
+ subgraph roles_conf ["Roles"]
+ direction TB
+ realm_roles["Realm roles
admin | user
gestionnaire-taches"]
+ cr_vikunja["Client vikunja
admin | editor | viewer"]
+ cr_ha["Client homeassistant
admin | user"]
+ end
+
+ subgraph groups_conf ["Groupes"]
+ direction TB
+ g_admins["/admins
realm: admin
vk: admin, ha: admin"]
+ g_terrain["/equipe-terrain
realm: user, gest-taches
vk: editor, ha: user"]
+ g_consult["/consultants
realm: user
vk: viewer, ha: user"]
+ end
+
+ subgraph oidc_flow ["Flux OIDC"]
+ direction LR
+ step1["1. /authorize
client_id + scope"]
+ step2["2. Login Keycloak
-> Login with Google"]
+ step3["3. Google auth
+ consent"]
+ step4["4. Code -> Tokens
JWT avec roles locaux"]
+ step1 --> step2 --> step3 --> step4
+ end
+ end
+
+ subgraph db ["Base de donnees"]
+ pg["PostgreSQL 15
:5432 interne
DB: keycloak"]
+ end
+
+ subgraph apps ["Applications Chiruca"]
+ direction TB
+ vikunja["Vikunja
vk.arauco.online"]
+ ha["Home Assistant
ha.arauco.online"]
+ end
+
+ user -->|"Login request"| apps
+ apps -->|"Redirect OIDC"| endpoints
+ step2 -->|"Redirect OAuth2"| goog_oauth
+ goog_oauth -->|"Code + ID Token"| google_idp
+ step4 -->|"JWT access_token
+ refresh_token"| user
+ jwt -->|"Authorization: Bearer"| apps
+
+ keycloak --> pg
+
+ vikunja -->|"Token verify"| keycloak
+ ha -->|"Token verify"| keycloak
+
+ groups_conf -.->|"Heritage roles"| roles_conf
+
+ classDef userStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef appStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef extStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+ classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
+ classDef groupStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
+
+ class user,jwt userStyle
+ class goog_oauth,goog_claims extStyle
+ class http_ep,https_ep,health,google_idp,c_vikunja,c_ha iamStyle
+ class realm_roles,cr_vikunja,cr_ha iamStyle
+ class step1,step2,step3,step4 flowStyle
+ class g_admins,g_terrain,g_consult groupStyle
+ class pg storStyle
+ class vikunja,ha appStyle
diff --git a/micro/reseau/caddy_reverse_proxy.mmd b/micro/reseau/caddy_reverse_proxy.mmd
new file mode 100644
index 0000000..3cddb40
--- /dev/null
+++ b/micro/reseau/caddy_reverse_proxy.mmd
@@ -0,0 +1,74 @@
+%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 50, 'rankSpacing': 60}}}%%
+flowchart LR
+ subgraph internet ["Internet"]
+ direction TB
+ dns_pub["DNS public
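Review bot: The `jwt -->|"Authorization: Bearer"| apps` edge and the two `Token verify` edges from `vikunja`/`ha` back to `keycloak` depict the Keycloak access token as what the applications receive and validate on each request, which as far as I know matches neither integration: after the code exchange Vikunja issues its own JWT for its API, and hass-oidc-auth gives the browser a one-time code (the `/auth/oidc/welcome` node in homeassistant.mmd) that Home Assistant turns into its own session, so the Keycloak tokens stay between each backend and Keycloak. This matters for the threat model because the boundary for API access is then each application's own session store and signing key rather than Keycloak's, so the diagram currently points reviewers at the wrong place; relabelling the edges as `"Session / token propre a l'app"` toward `user` and `"Code exchange + userinfo"` toward `keycloak`, with a TODO if the real flow has not been confirmed, would fix that. The `endpoints` subgraph also lists `:8443 HTTPS` and `:9000 Health` without saying whether they are bound LAN-only; since caddy_reverse_proxy.mmd only routes `:8080`, one word on exposure per port would tell a reader what is reachable from where.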
*.arauco.online
-> IP publique
DynDNS Namecheap"]
+ client["Navigateur
Utilisateur"]
+ client --> dns_pub
+ end
+
+ subgraph router ["Routeur Swisscom"]
+ gw["Gateway 192.168.99.1"]
+ nat["NAT
:80 -> .50:80
:443 -> .50:443"]
+ end
+
+ subgraph caddy_host ["araucaria 192.168.99.50"]
+ direction TB
+
+ subgraph caddy_svc ["Caddy - natif systemd"]
+ direction TB
+ listen[":80 HTTP
:443 HTTPS"]
+ tls["TLS termination
Let's Encrypt
ACME HTTP-01"]
+ headers["Headers securite
HSTS, X-Content-Type-Options
X-Frame-Options, Referrer-Policy
-Server"]
+ listen --> tls
+ end
+
+ subgraph routing ["Routes reverse proxy"]
+ direction TB
+ r_www["www.arauco.online"]
+ r_kc["kc.arauco.online"]
+ r_ha["ha.arauco.online"]
+ r_vk["vk.arauco.online"]
+ r_pm["pm.arauco.online"]
+ r_redir["arauco.online
-> 301 www.*"]
+ end
+ end
+
+ subgraph npagnun ["npagnun .35"]
+ keycloak["Keycloak
:8080 HTTP"]
+ kc_block["/admin/* bloque
hors LAN 403"]
+ end
+
+ subgraph huitral ["huitral .22"]
+ direction TB
+ dt["der-topogo
:3000"]
+ ha["Home Assistant
:8123"]
+ vk["Vikunja
:3456"]
+ pm["Pachamama
:3030"]
+ ws_note["WebSocket HA
read_timeout 0"]
+ end
+
+ dns_pub --> nat
+ nat --> listen
+
+ r_www -->|"HTTP"| dt
+ r_kc -->|"HTTP"| keycloak
+ r_ha -->|"HTTP + WS"| ha
+ r_vk -->|"HTTP"| vk
+ r_pm -->|"HTTP"| pm
+
+ tls --> routing
+
+ classDef extStyle fill:#2a3a4a,stroke:#6a8aaa,color:#b0d0e8
+ classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
+ classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
+ classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
+ classDef secStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
+ classDef routeStyle fill:#3a3a1e,stroke:#9a9a4a,color:#e0e0a8
+
+ class dns_pub,client,gw,nat extStyle
+ class listen,tls netStyle
+ class headers,kc_block secStyle
+ class r_www,r_kc,r_ha,r_vk,r_pm,r_redir routeStyle
+ class keycloak iamStyle
+ class dt,ha,vk,pm,ws_note svcStyle
-- cgit v1.2.3
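Review bot: The `kc_block` node documents that only `/admin/*` is denied outside the LAN, but the Keycloak administrator accounts live in the master realm, whose login and token endpoints sit under `/realms/master/...` and so remain publicly routed by `r_kc` as drawn; Keycloak's own hardening guidance is to expose only the application realm paths and static resources publicly and to treat the master realm like the admin console, so extending the label to `/admin/* et /realms/master/* bloques hors LAN` (and the Caddy rule it documents) closes that gap if it is not already in place. The `r_kc -->|"HTTP"| keycloak` edge also shows Caddy forwarding plain HTTP to `:8080`; Keycloak only learns it is behind TLS if its proxy-header and hostname settings say so, which the diagram does not mention and which may affect the redirect URIs recorded in chiruca_auth.mmd, so a note on the `keycloak` node such as `proxy headers / hostname: TODO documenter` would help. The same plain-HTTP-on-LAN pattern applies to the four `huitral` edges; stating once that the LAN segment is the trusted transport would make that an explicit assumption rather than an omission.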