Initial commit

infra/configs/authentik/bootstrap.yaml

@@ -0,0 +1,334 @@
+# FILE: blueprints/ai-tax-agent-bootstrap.yaml
+# Authentik Bootstrap (v2025.x): users, groups, scope mappings, OIDC providers, applications
+
+version: 1
+
+metadata:
+  name: AI Tax Agent — Bootstrap + OIDC Providers
+
+entries:
+  # --- Groups first (so the admin user can reference them) -------------------
+  - model: authentik_core.group
+    state: present
+    identifiers:
+      name: "Administrators"
+    attrs:
+      is_superuser: true
+
+  - model: authentik_core.group
+    state: present
+    identifiers:
+      name: "Tax Reviewers"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    state: present
+    identifiers:
+      name: "Accountants"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    state: present
+    identifiers:
+      name: "Clients"
+    attrs:
+      is_superuser: false
+
+  # --- Admin user ------------------------------------------------------------
+  - model: authentik_core.user
+    state: present
+    identifiers:
+      username: admin
+    attrs:
+      name: "System Administrator"
+      email: admin@local.lan
+      is_active: true
+      is_staff: true
+      is_superuser: true
+      groups:
+        - !Find [authentik_core.group, [name, "Administrators"]]
+
+  # --- Scope mappings (find existing ones and get stable IDs) -----------------
+  - id: scope_openid
+    model: authentik_providers_oauth2.scopemapping
+    identifiers:
+      scope_name: openid
+
+  - id: scope_profile
+    model: authentik_providers_oauth2.scopemapping
+    identifiers:
+      scope_name: profile
+
+  - id: scope_email
+    model: authentik_providers_oauth2.scopemapping
+    identifiers:
+      scope_name: email
+
+  - id: scope_groups
+    model: authentik_providers_oauth2.scopemapping
+    identifiers:
+      scope_name: groups
+
+  - id: scope_offline
+    model: authentik_providers_oauth2.scopemapping
+    identifiers:
+      scope_name: offline_access
+
+  # Helper finders
+  - id: default_signing_key
+    model: authentik_crypto.certificatekeypair
+    state: present
+    identifiers:
+      name: "authentik Self-signed Certificate"
+
+  - id: default_authz_flow
+    model: authentik_flows.flow
+    state: present
+    identifiers:
+      slug: "default-authentication-flow"
+
+  - id: default_inval_flow
+    model: authentik_flows.flow
+    state: present
+    identifiers:
+      slug: "default-invalidation-flow"
+
+  # ========= OIDC Providers + Applications ==================================
+
+  # --- AI Tax Agent API ------------------------------------------------------
+  - model: authentik_providers_oauth2.oauth2provider
+    state: present
+    identifiers:
+      name: "AI Tax Agent API"
+    attrs:
+      client_id: "ai-tax-agent-api"
+      client_secret: !Env [AUTHENTIK_API_CLIENT_SECRET, "changeme-api-secret"]
+      authorization_grant_type: "authorization-code"
+      client_type: "confidential"
+      issuer_mode: "per_provider"
+      sub_mode: "hashed_user_id"
+      include_claims_in_id_token: true
+      signing_key: !KeyOf default_signing_key
+      redirect_uris:
+        - matching_mode: strict
+          url: "https://api.local.lan/auth/callback"
+        - matching_mode: strict
+          url: "https://review.local.lan/auth/callback"
+      scope_mappings:
+        - !KeyOf scope_openid
+        - !KeyOf scope_profile
+        - !KeyOf scope_email
+        - !KeyOf scope_groups
+        - !KeyOf scope_offline
+      authorization_flow: !KeyOf default_authz_flow
+      invalidation_flow: !KeyOf default_inval_flow
+
+  - model: authentik_core.application
+    state: present
+    identifiers:
+      slug: "ai-tax-agent-api"
+    attrs:
+      name: "AI Tax Agent API"
+      provider:
+        !Find [
+          authentik_providers_oauth2.oauth2provider,
+          [name, "AI Tax Agent API"],
+        ]
+      meta_launch_url: "https://api.local.lan"
+      meta_description: "AI Tax Agent API Services"
+      meta_publisher: "AI Tax Agent"
+      policy_engine_mode: "any"
+
+  # --- MinIO -----------------------------------------------------------------
+  - model: authentik_providers_oauth2.oauth2provider
+    state: present
+    identifiers:
+      name: "MinIO"
+    attrs:
+      client_id: "minio"
+      client_secret:
+        !Env [AUTHENTIK_MINIO_CLIENT_SECRET, "changeme-minio-secret"]
+      authorization_grant_type: "authorization-code"
+      client_type: "confidential"
+      issuer_mode: "per_provider"
+      sub_mode: "hashed_user_id"
+      include_claims_in_id_token: true
+      signing_key: !KeyOf default_signing_key
+      redirect_uris:
+        - matching_mode: strict
+          url: "https://minio.local.lan/oauth_callback"
+      scope_mappings:
+        - !KeyOf scope_openid
+        - !KeyOf scope_profile
+        - !KeyOf scope_email
+        - !KeyOf scope_groups
+        - !KeyOf scope_offline
+      authorization_flow: !KeyOf default_authz_flow
+      invalidation_flow: !KeyOf default_inval_flow
+
+  - model: authentik_core.application
+    state: present
+    identifiers:
+      slug: "minio"
+    attrs:
+      name: "MinIO"
+      provider:
+        !Find [authentik_providers_oauth2.oauth2provider, [name, "MinIO"]]
+      meta_launch_url: "https://minio.local.lan"
+      meta_description: "Object storage console"
+      meta_publisher: "AI Tax Agent"
+      policy_engine_mode: "any"
+
+  # --- UI Review (Proxy Provider for ForwardAuth) ---------------------------
+  - model: authentik_providers_proxy.proxyprovider
+    state: present
+    identifiers:
+      name: "UI Review Proxy"
+    attrs:
+      external_host: "https://review.${DOMAIN:-local}"
+      internal_host: "http://ui-review:3030"
+      authorization_flow: !KeyOf default_authz_flow
+      invalidation_flow: !KeyOf default_inval_flow
+      mode: "forward_single"
+      cookie_domain: "${DOMAIN:-local}"
+
+  - model: authentik_core.application
+    state: present
+    identifiers:
+      slug: "ui-review"
+    attrs:
+      name: "UI Review"
+      provider:
+        !Find [
+          authentik_providers_proxy.proxyprovider,
+          [name, "UI Review Proxy"],
+        ]
+      meta_launch_url: "https://review.${DOMAIN:-local}"
+      meta_description: "Tax Agent Platform - Review UI"
+      meta_publisher: "AI Tax Agent"
+      policy_engine_mode: "any"
+
+  # --- Vault -----------------------------------------------------------------
+  - model: authentik_providers_oauth2.oauth2provider
+    state: present
+    identifiers:
+      name: "Vault"
+    attrs:
+      client_id: "vault"
+      client_secret:
+        !Env [AUTHENTIK_VAULT_CLIENT_SECRET, "changeme-vault-secret"]
+      authorization_grant_type: "authorization-code"
+      client_type: "confidential"
+      issuer_mode: "per_provider"
+      sub_mode: "hashed_user_id"
+      include_claims_in_id_token: true
+      signing_key: !KeyOf default_signing_key
+      redirect_uris:
+        - matching_mode: strict
+          url: "https://vault.local.lan/ui/vault/auth/oidc/oidc/callback"
+        - matching_mode: strict
+          url: "https://vault.local.lan/oidc/callback"
+        - matching_mode: strict
+          url: "http://localhost:8250/oidc/callback"
+      scope_mappings:
+        - !KeyOf scope_openid
+        - !KeyOf scope_profile
+        - !KeyOf scope_email
+        - !KeyOf scope_groups
+        - !KeyOf scope_offline
+      authorization_flow: !KeyOf default_authz_flow
+      invalidation_flow: !KeyOf default_inval_flow
+
+  - model: authentik_core.application
+    state: present
+    identifiers:
+      slug: "vault"
+    attrs:
+      name: "Vault"
+      provider:
+        !Find [authentik_providers_oauth2.oauth2provider, [name, "Vault"]]
+      meta_launch_url: "https://vault.local.lan"
+      meta_description: "Secrets management (Vault)"
+      meta_publisher: "AI Tax Agent"
+      policy_engine_mode: "any"
+
+  # --- Grafana SSO Configuration -------------------------------------------
+
+  # Custom Role Mapping for Grafana
+  - model: authentik_providers_oauth2.scopemapping
+    state: present
+    identifiers:
+      name: "Grafana Role Mapping"
+    attrs:
+      name: "Grafana Role Mapping"
+      description: "Maps Authentik groups to Grafana roles"
+      scope_name: "role"
+      expression: |
+        # Map Authentik groups to Grafana roles
+        user_groups = [group.name for group in request.user.ak_groups.all()]
+
+        # Admin role mapping
+        if "authentik Admins" in user_groups or "Administrators" in user_groups:
+            return "Admin"
+
+        # Editor role mapping
+        if "Tax Reviewers" in user_groups or "Accountants" in user_groups:
+            return "Editor"
+
+        # Default to Viewer role
+        return "Viewer"
+
+  # Grafana OAuth2 Provider
+  - model: authentik_providers_oauth2.oauth2provider
+    state: present
+    identifiers:
+      name: "Grafana"
+    attrs:
+      client_id: "grafana"
+      client_secret: "${AUTHENTIK_GRAFANA_CLIENT_SECRET:-changeme-grafana-secret}"
+      client_type: "confidential"
+      redirect_uris: "https://grafana.${DOMAIN:-local.lan}/login/generic_oauth"
+      sub_mode: "hashed_user_id"
+      include_claims_in_id_token: true
+      issuer_mode: "per_provider"
+      signing_key:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, "authentik Self-signed Certificate"],
+        ]
+      property_mappings:
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [scope_name, "openid"],
+          ]
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [scope_name, "profile"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [scope_name, "groups"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "Grafana Role Mapping"],
+          ]
+      authorization_flow: !KeyOf default_authz_flow
+      invalidation_flow: !KeyOf default_inval_flow
+
+  # Grafana Application
+  - model: authentik_core.application
+    state: present
+    identifiers:
+      slug: "grafana"
+    attrs:
+      name: "Grafana"
+      provider:
+        !Find [authentik_providers_oauth2.oauth2provider, [name, "Grafana"]]
+      meta_launch_url: "https://grafana.${DOMAIN:-local.lan}"
+      meta_description: "Grafana monitoring and observability platform"
+      meta_publisher: "Grafana Labs"
+      policy_engine_mode: "any"

infra/configs/loki/loki-config.yml

@@ -0,0 +1,61 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+
+common:
+  path_prefix: /loki
+  storage:
+    filesystem:
+      chunks_directory: /loki/chunks
+      rules_directory: /loki/rules
+  replication_factor: 1
+  ring:
+    instance_addr: 127.0.0.1
+    kvstore:
+      store: inmemory
+
+query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: boltdb-shipper
+      object_store: filesystem
+      schema: v11
+      index:
+        prefix: index_
+        period: 24h
+
+ruler:
+  alertmanager_url: http://localhost:9093
+
+# Retention configuration
+limits_config:
+  retention_period: 744h  # 31 days
+  enforce_metric_name: false
+  reject_old_samples: true
+  reject_old_samples_max_age: 168h
+  ingestion_rate_mb: 10
+  ingestion_burst_size_mb: 20
+
+# Compactor for retention
+compactor:
+  working_directory: /loki/compactor
+  shared_store: filesystem
+  compaction_interval: 10m
+  retention_enabled: true
+  retention_delete_delay: 2h
+  retention_delete_worker_count: 150
+
+# Table manager for retention
+table_manager:
+  retention_deletes_enabled: true
+  retention_period: 744h
+

infra/configs/promtail/promtail-config.yml

@@ -0,0 +1,49 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+
+scrape_configs:
+  # Docker container logs
+  - job_name: docker
+    docker_sd_configs:
+      - host: unix:///var/run/docker.sock
+        refresh_interval: 5s
+        filters:
+          - name: label
+            values: ["logging=promtail"]
+    relabel_configs:
+      - source_labels: ['__meta_docker_container_name']
+        regex: '/(.*)'
+        target_label: 'container'
+      - source_labels: ['__meta_docker_container_log_stream']
+        target_label: 'logstream'
+      - source_labels: ['__meta_docker_container_label_com_docker_compose_project']
+        target_label: 'project'
+      - source_labels: ['__meta_docker_container_label_com_docker_compose_service']
+        target_label: 'service'
+
+  # System logs (optional)
+  - job_name: system
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: varlogs
+          __path__: /var/log/*log
+
+  # Application-specific logs
+  - job_name: ai-tax-agent
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: ai-tax-agent
+          environment: production
+          __path__: /var/log/ai-tax-agent/*.log
+

infra/configs/traefik/app-middlewares.yml

@@ -0,0 +1,31 @@
+# Application-specific Traefik middlewares
+# These are loaded by the application infrastructure, not the external Traefik
+
+http:
+  middlewares:
+    # Large upload middleware for Gitea registry
+    gitea-large-upload:
+      buffering:
+        maxRequestBodyBytes: 5368709120   # 5GB
+        memRequestBodyBytes: 104857600    # 100MB
+        maxResponseBodyBytes: 5368709120  # 5GB
+        memResponseBodyBytes: 104857600   # 100MB
+        retryExpression: "IsNetworkError() && Attempts() < 3"
+    
+    # Rate limiting for public APIs
+    api-ratelimit:
+      rateLimit:
+        average: 100
+        burst: 50
+        period: 1s
+    
+    # Security headers
+    security-headers:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000

infra/configs/traefik/certs/local.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHjCCAwagAwIBAgIUbOm5g4Xhb08Lk6DIpVst7+xZHOswDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFbG9jYWwwHhcNMjUwOTI4MTExNTM1WhcNMzUwOTI2MTEx
+NTM1WjAQMQ4wDAYDVQQDDAVsb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAK0370DEo3dScS8uLwBsXkuaAHn9wO2fjxEHLZwHWfFo/16t+EEAi5c3
+zDs7nYQ7LPLndxBfO6xZ5uWKNIVtp6ARzAeRbGgbjXDdK3fOyRdhhKR3aZVOH1D0
+xUjEm/X5jEDv81sufSjk+DIQmh8hQnp3RwdHyhkIZUCTsBXMfnj+zs1UKTdRQBF5
+SUplGsbh6z3xCSI4jiNRb7mNHXqV3Fv6ycwF8YdthSDfueltBP4vT/CDtebkkKPF
+dx7YWEIPPUNqEoHqeI5iYP6gnWJYcr3vU+p2BuTwUICo+njzAf+P/SsjPHbujJob
+dbHUclBHIrIO4BpYZtY1a7E219MbqcECAwEAAaOCAW4wggFqMB0GA1UdDgQWBBQ7
+qHpza0Bb1xI1g7cMBx33JnFQljAfBgNVHSMEGDAWgBQ7qHpza0Bb1xI1g7cMBx33
+JnFQljAPBgNVHRMBAf8EBTADAQH/MIIBFQYDVR0RBIIBDDCCAQiCCWxvY2FsaG9z
+dIcEfwAAAYILKi5sb2NhbC5sYW6CDmF1dGgubG9jYWwubGFughFncmFmYW5hLmxv
+Y2FsLmxhboIQcmV2aWV3LmxvY2FsLmxhboINYXBpLmxvY2FsLmxhboIPdmF1bHQu
+bG9jYWwubGFugg9taW5pby5sb2NhbC5sYW6CE21pbmlvLWFwaS5sb2NhbC5sYW6C
+EHFkcmFudC5sb2NhbC5sYW6CD25lbzRqLmxvY2FsLmxhboIUcHJvbWV0aGV1cy5s
+b2NhbC5sYW6CDmxva2kubG9jYWwubGFughF1bmxlYXNoLmxvY2FsLmxhboIRdHJh
+ZWZpay5sb2NhbC5sYW4wDQYJKoZIhvcNAQELBQADggEBAICf+2MZ7BHbSD/pnvll
+G7Zmk+Bntj2F6RBQVZ2ZsKPWkHeZEYJDRvU0I2uL5tvvDJp4q0hjdluJllchhGgr
+qfu7i+kRnhzme7oyRTFGYp8b3zHBvLyJLmdIALxuNSjIEeh1Fx0lEhKwqOlA4y6T
+jziPmsGv3IonGJM2dURGNcR7DfG6H/Yl12qV8u/tVFTxqWL+hyCE7u8v+ZIcZ+fj
+82X7hXt1HvfP84EhVtfqQMb5xykLtXvPqggSCFXYIj2PanWdwEdE6P5Yr2D1Yz7r
+tzpmpoetrGoMWIeB0yiWgt0qJ/KK7meoCp64mqfBc48p1p/7kj2R/FRH1Jx3gFWy
+dT4=
+-----END CERTIFICATE-----

infra/configs/traefik/certs/local.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCtN+9AxKN3UnEv
+Li8AbF5LmgB5/cDtn48RBy2cB1nxaP9erfhBAIuXN8w7O52EOyzy53cQXzusWebl
+ijSFbaegEcwHkWxoG41w3St3zskXYYSkd2mVTh9Q9MVIxJv1+YxA7/NbLn0o5Pgy
+EJofIUJ6d0cHR8oZCGVAk7AVzH54/s7NVCk3UUAReUlKZRrG4es98QkiOI4jUW+5
+jR16ldxb+snMBfGHbYUg37npbQT+L0/wg7Xm5JCjxXce2FhCDz1DahKB6niOYmD+
+oJ1iWHK971Pqdgbk8FCAqPp48wH/j/0rIzx27oyaG3Wx1HJQRyKyDuAaWGbWNWux
+NtfTG6nBAgMBAAECggEAHvtkNcd2HX+HcxLloUPA0fDnqOo0OcxSQI9yHvhJpB5N
+nterEaVRUmjOhMGy+NXEwmWYLDt8ZuVloSTJJBxq4PyN68SdCTn0YH2Oqs03tpDg
+srIRFn10qHw/VTalVqed6HeCpYp5JHlf00SY7Hx8cX8oGytCAJw50AUad6ut62IM
+sp/QFdtkLhtq9vGzQUqyIP92Y/+GbxhB+eHkuvvFau1KJq7K8qhroFTwQFts9er2
+890Ujmz3bF2RhHixQcpXpsf/DMyylGJTbZDmSFkTDa/c1PzqvKrmL3wP7A3bk1E5
+CP8/a65ykotJEX8RkWqH2XxvRKpdWtCaeuCsmWUQ4QKBgQDTLbC9DWHCUYMWJhyW
+TKAeXx5xFGHIqggN28lIkXFiCVsTZyOuRDN7Q/CbOat/0JthrzyP18L+6ewZt2ZN
+RjdfGdnpUCJx6LR4dtBH8Rc+CjlSnqEgJIkgfIs8b9uEhMI1eQV+BAFQON3BzdpT
+wQ86aGsrdqtpfav7cImVfGcY/QKBgQDR+7OcnEwh8s/1J2niMKjk8agyCGGHWW4M
+g+vIv7lptavgEGOPMBv7QgmeuUjwSszphQXL36m39ZRmI5B+J0/onuQzv04tJeZY
+WZhA+T12a+1VnvUZNZm/qp0I2rW+4m+DmJoLQlvpaaFit/1fPJ6+IzI2VzPeWhw2
+vUQ5QIYhFQKBgFUWZc3mpGsNOMol1QLiIOnb3YImejfF+rTKx9FLeOnNZzrsJb5D
+kJKsDzgcBnPbc5/qYXZ7sv/O9OhvsvKTxh+1ZM3TEe3fm0emZ8l05K6EpBAcBkPT
+NMU4KUnSsBo2+6Fb/9CEgJr4LrG15bA1a5NXG0dJ60r37eHDuEvY8hlpAoGADWv2
+PhNrdlwL2NKtHO0ZTpD3vEL24OzhcOFZx9ohYtVe6BKEGpnrn/LHpKKZO+q8EE0V
+YsOoGH8U/jZVvQqMPAUz9u7Kc25Ru+H2Lmj/+brKT8e6SOM5MZwZL4CzT0Ev+Yxe
+hEu4jkHXM/Uot9arGuIrCngmc5b06LbOTo6GREUCgYArWyPYeETah/GVwU7/TNY5
+5f8lNbWBoXZfpVbWdoUZT6tGWciZsiXSR4x9f+1/LMIuChegSEazrJUDt7TbCkZs
+s4A66pnME37aYP2sMvJF3zSnQWVIyBgGI5xX0XW/WdozKl1mdFfigyWp58uo2dS2
+TxE3dy8rxpUdDCUmvJT/Fw==
+-----END PRIVATE KEY-----