completed local setup with compose

2025-11-26 13:17:17 +00:00
parent 8fe5e62fee
commit fdba81809f
87 changed files with 5610 additions and 3376 deletions
--- a/infra/compose/traefik/traefik-dynamic.local.yml
+++ b/infra/compose/traefik/traefik-dynamic.local.yml
@@ -0,0 +1,89 @@
+http:
+  middlewares:
+    authentik-forwardauth:
+      forwardAuth:
+        address: "http://apa-authentik-outpost:9000/outpost.goauthentik.io/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version
+
+    # Large upload middleware for Gitea registry
+    gitea-large-upload:
+      buffering:
+        maxRequestBodyBytes: 5368709120 # 5GB
+        memRequestBodyBytes: 104857600 # 100MB
+        maxResponseBodyBytes: 5368709120 # 5GB
+        memResponseBodyBytes: 104857600 # 100MB
+        retryExpression: "IsNetworkError() && Attempts() < 3"
+
+    # Rate limiting for public APIs
+    rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50
+        period: 1s
+
+    # Security headers
+    security-headers:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+
+    # CORS headers
+    api-cors:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - POST
+          - PUT
+          - DELETE
+          - OPTIONS
+        accessControlAllowOriginList:
+          - "https://app.harkon.co.uk"
+        accessControlAllowHeaders:
+          - "Content-Type"
+          - "Authorization"
+        accessControlMaxAge: 100
+        addVaryHeader: true
+
+    # Strip API prefixes
+    strip-api-prefixes:
+      stripPrefix:
+        prefixes:
+          - "/rag-indexer"
+          - "/firm-connectors"
+          - "/normalize-map"
+          - "/ingestion"
+          - "/extract"
+          - "/forms"
+          - "/hmrc"
+          - "/ocr"
+          - "/reason"
+          - "/rpa"
+          - "/coverage"
+          - "/kg"
+          - "/rag"
+
+tls:
+  certificates:
+    - certFile: /var/traefik/certs/local.crt
+      keyFile: /var/traefik/certs/local.key
+  options:
+    default:
+      minVersion: VersionTLS12
+      sniStrict: false
--- a/infra/compose/traefik/traefik.local.yml
+++ b/infra/compose/traefik/traefik.local.yml
@@ -0,0 +1,35 @@
+# Traefik static configuration for local development (self-signed TLS)
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        options: default
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+    network: "apa-frontend"
+  file:
+    filename: "/etc/traefik/traefik-dynamic.yml"
+    watch: true
+
+api:
+  dashboard: true
+  insecure: true
+
+serversTransport:
+  insecureSkipVerify: true
+
+log:
+  level: INFO
+
+accessLog: {}