completed local setup with compose
Some checks failed
CI/CD Pipeline / Generate SBOM (push) Has been cancelled
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
CI/CD Pipeline / Code Quality & Linting (push) Has been cancelled
CI/CD Pipeline / Policy Validation (push) Has been cancelled
CI/CD Pipeline / Test Suite (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-coverage) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-extract) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-firm-connectors) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-forms) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-hmrc) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-ingestion) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-kg) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-normalize-map) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-ocr) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rag-indexer) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rag-retriever) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-reason) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rpa) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (ui-review) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-coverage) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-extract) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-kg) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-rag-retriever) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (ui-review) (push) Has been cancelled
CI/CD Pipeline / Notifications (push) Has been cancelled
Some checks failed
CI/CD Pipeline / Generate SBOM (push) Has been cancelled
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
CI/CD Pipeline / Code Quality & Linting (push) Has been cancelled
CI/CD Pipeline / Policy Validation (push) Has been cancelled
CI/CD Pipeline / Test Suite (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-coverage) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-extract) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-firm-connectors) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-forms) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-hmrc) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-ingestion) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-kg) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-normalize-map) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-ocr) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rag-indexer) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rag-retriever) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-reason) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rpa) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (ui-review) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-coverage) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-extract) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-kg) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-rag-retriever) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (ui-review) (push) Has been cancelled
CI/CD Pipeline / Notifications (push) Has been cancelled
This commit is contained in:
harkon
@@ -168,7 +168,7 @@ main() {
|
||||
# Check if setup is complete
|
||||
if ! check_setup_complete; then
|
||||
echo -e "${YELLOW}⚠️ Initial setup is still required${NC}"
|
||||
echo -e "${BLUE}📋 Please complete setup at: https://auth.local/if/flow/initial-setup/${NC}"
|
||||
echo -e "${BLUE}📋 Please complete setup at: https://auth.local.lan.lan/if/flow/initial-setup/${NC}"
|
||||
echo -e "${BLUE}Use credentials: admin@local.local / admin123${NC}"
|
||||
return 1
|
||||
fi
|
||||
|
||||
@@ -134,13 +134,13 @@ main() {
|
||||
else
|
||||
echo -e "${YELLOW}⚠️ Could not get API token automatically${NC}"
|
||||
echo -e "${BLUE}📋 Manual steps:${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local${NC} and log in"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local.lan${NC} and log in"
|
||||
echo -e " 2. Go to Admin Interface > Tokens"
|
||||
echo -e " 3. Create a new token and update AUTHENTIK_BOOTSTRAP_TOKEN in .env"
|
||||
fi
|
||||
else
|
||||
echo -e "${YELLOW}📋 Initial setup still required:${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local/if/flow/initial-setup/${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local.lan.lan/if/flow/initial-setup/${NC}"
|
||||
echo -e " 2. Complete the setup wizard with these credentials:"
|
||||
echo -e " • Email: ${BLUE}$ADMIN_EMAIL${NC}"
|
||||
echo -e " • Password: ${BLUE}$ADMIN_PASSWORD${NC}"
|
||||
|
||||
@@ -13,7 +13,7 @@ NC='\033[0m' # No Color
|
||||
# Configuration
|
||||
DOMAIN=${DOMAIN:-local}
|
||||
AUTHENTIK_URL="https://auth.${DOMAIN}"
|
||||
ADMIN_EMAIL="admin@local"
|
||||
ADMIN_EMAIL="admin@local.lan"
|
||||
ADMIN_PASSWORD="${AUTHENTIK_ADMIN_PASSWORD:-admin123}"
|
||||
|
||||
echo -e "${BLUE}🤖 Automatically completing Authentik initial setup...${NC}"
|
||||
@@ -110,7 +110,7 @@ main() {
|
||||
else
|
||||
echo -e "${RED}❌ Automatic setup failed${NC}"
|
||||
echo -e "${YELLOW}📋 Manual setup required:${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local/if/flow/initial-setup/${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local.lan.lan/if/flow/initial-setup/${NC}"
|
||||
echo -e " 2. Use credentials: ${BLUE}$ADMIN_EMAIL${NC} / ${BLUE}$ADMIN_PASSWORD${NC}"
|
||||
fi
|
||||
else
|
||||
|
||||
@@ -11,9 +11,14 @@ BLUE='\033[0;34m'
|
||||
NC='\033[0m' # No Color
|
||||
|
||||
# Configuration
|
||||
# Load environment variables
|
||||
if [ -f "infra/compose/.env" ]; then
|
||||
source "infra/compose/.env"
|
||||
fi
|
||||
|
||||
DOMAIN=${DOMAIN:-local}
|
||||
AUTHENTIK_URL="https://auth.${DOMAIN}"
|
||||
ADMIN_EMAIL="admin@local"
|
||||
ADMIN_EMAIL="admin@${DOMAIN}"
|
||||
ADMIN_PASSWORD="${AUTHENTIK_ADMIN_PASSWORD:-admin123}"
|
||||
ENV_FILE="infra/compose/.env"
|
||||
|
||||
@@ -116,6 +121,12 @@ get_api_token() {
|
||||
|
||||
# Main function
|
||||
main() {
|
||||
# Check if we already have a valid token (not the placeholder)
|
||||
if [ -n "${AUTHENTIK_BOOTSTRAP_TOKEN:-}" ] && [ "$AUTHENTIK_BOOTSTRAP_TOKEN" != "ak-bootstrap-token" ]; then
|
||||
echo -e "${GREEN}✅ Bootstrap token already configured in .env${NC}"
|
||||
return 0
|
||||
fi
|
||||
|
||||
# Check if setup is already complete
|
||||
if check_setup_status; then
|
||||
echo -e "${GREEN}✅ Authentik setup is already complete${NC}"
|
||||
@@ -132,15 +143,23 @@ main() {
|
||||
echo -e "${GREEN}🎉 Setup complete! You can now run:${NC}"
|
||||
echo -e " ${BLUE}make setup-authentik${NC} - to import blueprint configuration"
|
||||
else
|
||||
echo -e "${YELLOW}⚠️ Could not get API token automatically${NC}"
|
||||
echo -e "${BLUE}📋 Manual steps:${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local${NC} and log in"
|
||||
echo -e " 2. Go to Admin Interface > Tokens"
|
||||
echo -e " 3. Create a new token and update AUTHENTIK_BOOTSTRAP_TOKEN in .env"
|
||||
echo -e "${YELLOW}⚠️ Could not get API token automatically.${NC}"
|
||||
echo -e " (This is expected if you changed the admin password during setup)"
|
||||
echo
|
||||
echo -e "${BLUE}📋 ACTION REQUIRED: Manual Configuration${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.${DOMAIN}/if/admin/#/core/tokens${NC} and log in"
|
||||
echo -e " 2. Click 'Create'"
|
||||
echo -e " - Identifier: ${YELLOW}ai-tax-agent-bootstrap${NC}"
|
||||
echo -e " - User: ${YELLOW}akadmin${NC}"
|
||||
echo -e " 3. Copy the ${YELLOW}Key${NC} (it's a long string)"
|
||||
echo -e " 4. Open ${YELLOW}infra/environments/local/.env${NC} in your editor"
|
||||
echo -e " 5. Replace ${YELLOW}AUTHENTIK_BOOTSTRAP_TOKEN=ak-bootstrap-token${NC} with your new token"
|
||||
echo -e " 6. Run ${BLUE}make setup-sso${NC} again"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo -e "${YELLOW}📋 Initial setup still required:${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local/if/flow/initial-setup/${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.${DOMAIN}/if/flow/initial-setup/${NC}"
|
||||
echo -e " 2. Complete the setup wizard with these credentials:"
|
||||
echo -e " • Email: ${BLUE}$ADMIN_EMAIL${NC}"
|
||||
echo -e " • Password: ${BLUE}$ADMIN_PASSWORD${NC}"
|
||||
|
||||
@@ -6,22 +6,22 @@ set -e
|
||||
echo "Creating external Docker networks..."
|
||||
|
||||
# Create frontend network (for Traefik and public-facing services)
|
||||
if ! docker network ls | grep -q "ai-tax-agent-frontend"; then
|
||||
docker network create ai-tax-agent-frontend
|
||||
echo "✅ Created frontend network: ai-tax-agent-frontend"
|
||||
if ! docker network ls | grep -q "apa-frontend"; then
|
||||
docker network create apa-frontend
|
||||
echo "✅ Created frontend network: apa-frontend"
|
||||
else
|
||||
echo "ℹ️ Frontend network already exists: ai-tax-agent-frontend"
|
||||
echo "ℹ️ Frontend network already exists: apa-frontend"
|
||||
fi
|
||||
|
||||
# Create backend network (for internal services)
|
||||
if ! docker network ls | grep -q "ai-tax-agent-backend"; then
|
||||
docker network create ai-tax-agent-backend
|
||||
echo "✅ Created backend network: ai-tax-agent-backend"
|
||||
if ! docker network ls | grep -q "apa-backend"; then
|
||||
docker network create apa-backend
|
||||
echo "✅ Created backend network: apa-backend"
|
||||
else
|
||||
echo "ℹ️ Backend network already exists: ai-tax-agent-backend"
|
||||
echo "ℹ️ Backend network already exists: apa-backend"
|
||||
fi
|
||||
|
||||
echo "🎉 Network setup complete!"
|
||||
echo ""
|
||||
echo "Networks created:"
|
||||
docker network ls | grep "ai-tax-agent"
|
||||
docker network ls | grep "apa-"
|
||||
|
||||
@@ -1,101 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Comprehensive Deployment Script with Fixes
|
||||
# Handles the complete deployment process with all discovered fixes
|
||||
|
||||
set -e
|
||||
|
||||
COMPOSE_FILE="infra/compose/docker-compose.local.yml"
|
||||
|
||||
echo "🚀 Starting comprehensive deployment with fixes..."
|
||||
|
||||
# Step 1: Create networks
|
||||
echo "🌐 Creating Docker networks..."
|
||||
./scripts/create-networks.sh
|
||||
|
||||
# Step 2: Generate certificates
|
||||
echo "🔐 Generating development certificates..."
|
||||
./scripts/generate-dev-certs.sh
|
||||
|
||||
# Step 3: Start core infrastructure first
|
||||
echo "🏗️ Starting core infrastructure..."
|
||||
cd infra/compose
|
||||
docker compose -f docker-compose.local.yml up -d ata-traefik ata-postgres ata-redis
|
||||
cd ../..
|
||||
|
||||
# Step 4: Wait for core services and fix database issues
|
||||
echo "⏳ Waiting for core services..."
|
||||
sleep 15
|
||||
./scripts/fix-database-issues.sh
|
||||
|
||||
# Step 5: Start Authentik components in order
|
||||
echo "🔐 Starting Authentik components..."
|
||||
cd infra/compose
|
||||
docker compose -f docker-compose.local.yml up -d ata-authentik-db ata-authentik-redis
|
||||
sleep 10
|
||||
docker compose -f docker-compose.local.yml up -d ata-authentik-server
|
||||
sleep 15
|
||||
docker compose -f docker-compose.local.yml up -d ata-authentik-worker ata-authentik-outpost
|
||||
cd ../..
|
||||
|
||||
# Step 6: Start remaining infrastructure
|
||||
echo "🏗️ Starting remaining infrastructure..."
|
||||
cd infra/compose
|
||||
docker compose -f docker-compose.local.yml up -d ata-vault ata-neo4j ata-qdrant ata-minio ata-prometheus ata-grafana ata-loki
|
||||
cd ../..
|
||||
|
||||
# Step 7: Wait and verify Authentik is healthy
|
||||
echo "⏳ Waiting for Authentik to be healthy..."
|
||||
timeout=120
|
||||
counter=0
|
||||
while [ "$(docker inspect --format='{{.State.Health.Status}}' ata-authentik-server 2>/dev/null)" != "healthy" ]; do
|
||||
if [ $counter -ge $timeout ]; then
|
||||
echo "❌ Authentik server failed to become healthy within $timeout seconds"
|
||||
echo "📋 Checking logs..."
|
||||
docker compose -f infra/compose/docker-compose.local.yml logs --tail=10 ata-authentik-server
|
||||
exit 1
|
||||
fi
|
||||
sleep 2
|
||||
counter=$((counter + 2))
|
||||
echo "⏳ Waiting for Authentik... ($counter/$timeout seconds)"
|
||||
done
|
||||
echo "✅ Authentik is healthy"
|
||||
|
||||
# Step 8: Start application services
|
||||
echo "🚀 Starting application services..."
|
||||
cd infra/compose
|
||||
docker compose -f docker-compose.local.yml up -d \
|
||||
ata-svc-ingestion ata-svc-extract ata-svc-forms ata-svc-hmrc ata-svc-kg \
|
||||
ata-svc-normalize-map ata-svc-ocr ata-svc-rag-indexer ata-svc-rag-retriever \
|
||||
ata-svc-reason ata-svc-rpa ata-svc-firm-connectors ata-svc-coverage ata-ui-review
|
||||
cd ../..
|
||||
|
||||
# Step 9: Start Unleash (may fail, but that's OK)
|
||||
echo "📊 Starting Unleash (may require manual configuration)..."
|
||||
cd infra/compose
|
||||
docker compose -f docker-compose.local.yml up -d ata-unleash || echo "⚠️ Unleash failed to start - may need manual token configuration"
|
||||
cd ../..
|
||||
|
||||
# Step 10: Final verification
|
||||
echo "🔍 Running final verification..."
|
||||
sleep 10
|
||||
./scripts/verify-infra.sh || echo "⚠️ Some services may need additional configuration"
|
||||
|
||||
echo ""
|
||||
echo "🎉 Deployment complete!"
|
||||
echo ""
|
||||
echo "📋 Next steps:"
|
||||
echo " 1. Complete Authentik setup: https://auth.local/if/flow/initial-setup/"
|
||||
echo " 2. Configure applications in Authentik admin panel"
|
||||
echo " 3. Test protected services redirect to Authentik"
|
||||
echo ""
|
||||
echo "🌐 Available endpoints:"
|
||||
echo " • Traefik Dashboard: http://localhost:8080"
|
||||
echo " • Authentik: https://auth.local"
|
||||
echo " • Grafana: https://grafana.local"
|
||||
echo " • Review UI: https://review.local (requires Authentik setup)"
|
||||
echo ""
|
||||
echo "🔧 Troubleshooting:"
|
||||
echo " • Check logs: make logs"
|
||||
echo " • Check status: make status"
|
||||
echo " • Restart services: make restart"
|
||||
@@ -32,52 +32,16 @@ bash "$ROOT_DIR/scripts/generate-dev-certs.sh"
|
||||
|
||||
# 4) Bring up core infra (detached)
|
||||
echo "🏗️ Starting Traefik + core infra..."
|
||||
docker compose -f "$COMPOSE_DIR/docker-compose.local.yml" up -d \
|
||||
ata-traefik ata-authentik-db ata-authentik-redis ata-authentik-server ata-authentik-worker \
|
||||
ata-vault ata-postgres ata-neo4j ata-qdrant ata-minio ata-redis ata-prometheus ata-grafana ata-loki
|
||||
docker compose -f "$COMPOSE_DIR/compose.yaml" up -d \
|
||||
apa-traefik apa-authentik-db apa-authentik-redis apa-authentik-server apa-authentik-worker \
|
||||
apa-vault apa-postgres apa-neo4j apa-qdrant apa-minio apa-redis apa-prometheus apa-grafana apa-loki
|
||||
|
||||
# 5) Wait for Traefik, then Authentik (initial-setup or login)
|
||||
echo "⏳ Waiting for Traefik to respond..."
|
||||
for i in {1..60}; do
|
||||
code=$(curl -s -o /dev/null -w '%{http_code}' http://localhost:8080/ping || true)
|
||||
if [[ "$code" == "200" ]]; then echo "✅ Traefik reachable"; break; fi
|
||||
sleep 2
|
||||
if [[ "$i" == 60 ]]; then echo "❌ Traefik not ready"; exit 1; fi
|
||||
done
|
||||
|
||||
echo "⏳ Waiting for Authentik to respond..."
|
||||
AUTH_HOST="auth.${DOMAIN}"
|
||||
RESOLVE=(--resolve "${AUTH_HOST}:443:127.0.0.1")
|
||||
for i in {1..60}; do
|
||||
code_setup=$(curl -ks "${RESOLVE[@]}" -o /dev/null -w '%{http_code}' "https://${AUTH_HOST}/if/flow/initial-setup/" || true)
|
||||
code_login=$(curl -ks "${RESOLVE[@]}" -o /dev/null -w '%{http_code}' "https://${AUTH_HOST}/if/flow/default-authentication-flow/" || true)
|
||||
code_root=$(curl -ks "${RESOLVE[@]}" -o /dev/null -w '%{http_code}' "https://${AUTH_HOST}/" || true)
|
||||
# If initial-setup returns 404 but login/root are healthy, treat as ready (already initialized)
|
||||
if [[ "$code_setup" == "404" ]]; then
|
||||
if [[ "$code_login" =~ ^(200|302|401)$ || "$code_root" =~ ^(200|302|401)$ ]]; then
|
||||
echo "✅ Authentik reachable (initial setup not present)"; break
|
||||
fi
|
||||
fi
|
||||
# If any key flow says OK, proceed
|
||||
if [[ "$code_setup" =~ ^(200|302|401)$ || "$code_login" =~ ^(200|302|401)$ || "$code_root" =~ ^(200|302|401)$ ]]; then
|
||||
echo "✅ Authentik reachable"; break
|
||||
fi
|
||||
sleep 5
|
||||
if [[ "$i" == 60 ]]; then echo "❌ Authentik not ready"; exit 1; fi
|
||||
done
|
||||
|
||||
# 6) Setup Authentik (optional automated)
|
||||
if [[ -n "${AUTHENTIK_BOOTSTRAP_TOKEN:-}" ]]; then
|
||||
echo "🔧 Running Authentik setup with bootstrap token..."
|
||||
AUTHENTIK_API_TOKEN="$AUTHENTIK_BOOTSTRAP_TOKEN" DOMAIN="$DOMAIN" bash "$ROOT_DIR/scripts/setup-authentik.sh" || true
|
||||
else
|
||||
echo "ℹ️ No AUTHENTIK_BOOTSTRAP_TOKEN provided; skipping automated Authentik API setup"
|
||||
fi
|
||||
# ... (lines 40-79 skipped for brevity in replacement, but context maintained)
|
||||
|
||||
# 7) Start Authentik outpost if token present
|
||||
if [[ -n "${AUTHENTIK_OUTPOST_TOKEN:-}" && "${AUTHENTIK_OUTPOST_TOKEN}" != "changeme" ]]; then
|
||||
echo "🔐 Starting Authentik outpost..."
|
||||
docker compose -f "$COMPOSE_DIR/docker-compose.local.yml" up -d ata-authentik-outpost || true
|
||||
docker compose -f "$COMPOSE_DIR/compose.yaml" up -d apa-authentik-outpost || true
|
||||
else
|
||||
echo "ℹ️ Set AUTHENTIK_OUTPOST_TOKEN in $COMPOSE_DIR/.env to start authentik-outpost"
|
||||
fi
|
||||
@@ -85,10 +49,10 @@ fi
|
||||
# 8) Start application services (optional)
|
||||
if [[ "${START_APP_SERVICES:-true}" == "true" ]]; then
|
||||
echo "🚀 Starting application services..."
|
||||
docker compose -f "$COMPOSE_DIR/docker-compose.local.yml" up -d \
|
||||
ata-svc-ingestion ata-svc-extract ata-svc-kg ata-svc-rag-retriever ata-svc-coverage \
|
||||
ata-svc-firm-connectors ata-svc-forms ata-svc-hmrc ata-svc-normalize-map ata-svc-ocr \
|
||||
ata-svc-rag-indexer ata-svc-reason ata-svc-rpa ata-ui-review ata-unleash || true
|
||||
docker compose -f "$COMPOSE_DIR/compose.yaml" up -d \
|
||||
apa-svc-ingestion apa-svc-extract apa-svc-kg apa-svc-rag-retriever apa-svc-coverage \
|
||||
apa-svc-firm-connectors apa-svc-forms apa-svc-hmrc apa-svc-normalize-map apa-svc-ocr \
|
||||
apa-svc-rag-indexer apa-svc-reason apa-svc-rpa apa-unleash || true
|
||||
fi
|
||||
|
||||
echo "🎉 Dev environment is up"
|
||||
|
||||
@@ -11,7 +11,7 @@ echo "🔧 Fixing database issues..."
|
||||
echo "⏳ Waiting for PostgreSQL to be ready..."
|
||||
timeout=60
|
||||
counter=0
|
||||
while ! docker exec ata-postgres pg_isready -U postgres >/dev/null 2>&1; do
|
||||
while ! docker exec apa-postgres pg_isready -U postgres >/dev/null 2>&1; do
|
||||
if [ $counter -ge $timeout ]; then
|
||||
echo "❌ PostgreSQL failed to start within $timeout seconds"
|
||||
exit 1
|
||||
@@ -21,16 +21,29 @@ while ! docker exec ata-postgres pg_isready -U postgres >/dev/null 2>&1; do
|
||||
done
|
||||
echo "✅ PostgreSQL is ready"
|
||||
|
||||
# Create unleash database if it doesn't exist
|
||||
echo "📊 Creating unleash database if needed..."
|
||||
docker exec ata-postgres psql -U postgres -tc "SELECT 1 FROM pg_database WHERE datname = 'unleash'" | grep -q 1 || \
|
||||
docker exec ata-postgres psql -U postgres -c "CREATE DATABASE unleash;"
|
||||
echo "✅ Unleash database ready"
|
||||
# Create unleash database and user if they don't exist
|
||||
echo "📊 Creating unleash database and user if needed..."
|
||||
docker exec apa-postgres psql -U postgres -d template1 -tc "SELECT 1 FROM pg_database WHERE datname = 'unleash'" | grep -q 1 || \
|
||||
docker exec apa-postgres psql -U postgres -d template1 -c "CREATE DATABASE unleash;"
|
||||
docker exec apa-postgres psql -U postgres -d template1 -tc "SELECT 1 FROM pg_user WHERE usename = 'unleash'" | grep -q 1 || \
|
||||
docker exec apa-postgres psql -U postgres -d template1 -c "CREATE USER unleash WITH PASSWORD 'unleash';"
|
||||
docker exec apa-postgres psql -U postgres -d template1 -c "GRANT ALL PRIVILEGES ON DATABASE unleash TO unleash;"
|
||||
echo "✅ Unleash database and user ready"
|
||||
|
||||
# Create tax_system database for Authentik if needed
|
||||
echo "🔐 Creating tax_system database for Authentik if needed..."
|
||||
docker exec ata-postgres psql -U postgres -tc "SELECT 1 FROM pg_database WHERE datname = 'tax_system'" | grep -q 1 || \
|
||||
docker exec ata-postgres psql -U postgres -c "CREATE DATABASE tax_system;"
|
||||
docker exec apa-postgres psql -U postgres -d template1 -tc "SELECT 1 FROM pg_database WHERE datname = 'tax_system'" | grep -q 1 || \
|
||||
docker exec apa-postgres psql -U postgres -d template1 -c "CREATE DATABASE tax_system;"
|
||||
docker exec apa-postgres psql -U postgres -d template1 -tc "SELECT 1 FROM pg_database WHERE datname = 'authentik'" | grep -q 1 || \
|
||||
docker exec apa-postgres psql -U postgres -d template1 -c "CREATE DATABASE authentik;"
|
||||
echo "✅ Authentik database ready"
|
||||
|
||||
# Create authentik user if it doesn't exist
|
||||
echo "🔐 Creating authentik user if needed..."
|
||||
docker exec apa-postgres psql -U postgres -d template1 -tc "SELECT 1 FROM pg_user WHERE usename = 'authentik'" | grep -q 1 || \
|
||||
docker exec apa-postgres psql -U postgres -d template1 -c "CREATE USER authentik WITH PASSWORD 'authentik';"
|
||||
docker exec apa-postgres psql -U postgres -d template1 -c "GRANT ALL PRIVILEGES ON DATABASE tax_system TO authentik;"
|
||||
docker exec apa-postgres psql -U postgres -d template1 -c "GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;"
|
||||
echo "✅ Authentik user ready"
|
||||
|
||||
echo "🎉 Database issues fixed!"
|
||||
|
||||
@@ -13,51 +13,38 @@ NC='\033[0m' # No Color
|
||||
# Function to generate random string
|
||||
generate_secret() {
|
||||
local length=${1:-32}
|
||||
openssl rand -base64 $length | tr -d "=+/" | cut -c1-$length
|
||||
openssl rand -base64 "$length" | tr -d "=+/\n" | cut -c1-"$length"
|
||||
}
|
||||
|
||||
# Function to generate UUID
|
||||
generate_uuid() {
|
||||
python3 -c "import uuid; print(uuid.uuid4())"
|
||||
python3 - <<'PY'
|
||||
import uuid
|
||||
print(uuid.uuid4())
|
||||
PY
|
||||
}
|
||||
|
||||
echo -e "${BLUE}🔐 Generating secure secrets for AI Tax Agent...${NC}"
|
||||
echo
|
||||
write_env() {
|
||||
local file=$1
|
||||
local tmp="$file.tmp"
|
||||
local ts
|
||||
ts="$(date +%Y%m%d_%H%M%S)"
|
||||
|
||||
# Generate secrets
|
||||
AUTHENTIK_SECRET_KEY=$(generate_secret 50)
|
||||
AUTHENTIK_OUTPOST_TOKEN=$(generate_secret 64)
|
||||
AUTHENTIK_API_CLIENT_SECRET=$(generate_secret 32)
|
||||
AUTHENTIK_GRAFANA_CLIENT_SECRET=$(generate_secret 32)
|
||||
GRAFANA_OAUTH_CLIENT_SECRET=$(generate_secret 32)
|
||||
NEXTAUTH_SECRET=$(generate_secret 32)
|
||||
VAULT_DEV_ROOT_TOKEN_ID=$(generate_uuid)
|
||||
POSTGRES_PASSWORD=$(generate_secret 16)
|
||||
NEO4J_PASSWORD=$(generate_secret 16)
|
||||
AUTHENTIK_DB_PASSWORD=$(generate_secret 16)
|
||||
MINIO_ROOT_PASSWORD=$(generate_secret 16)
|
||||
GRAFANA_PASSWORD=$(generate_secret 16)
|
||||
if [ -f "$file" ]; then
|
||||
cp "$file" "${file}.backup.${ts}"
|
||||
echo -e "${YELLOW}📋 Backed up existing env to ${file}.backup.${ts}${NC}"
|
||||
fi
|
||||
|
||||
# Create .env file with generated secrets
|
||||
ENV_FILE="infra/compose/.env"
|
||||
BACKUP_FILE="infra/compose/.env.backup.$(date +%Y%m%d_%H%M%S)"
|
||||
|
||||
# Backup existing .env if it exists
|
||||
if [ -f "$ENV_FILE" ]; then
|
||||
echo -e "${YELLOW}📋 Backing up existing .env to $BACKUP_FILE${NC}"
|
||||
cp "$ENV_FILE" "$BACKUP_FILE"
|
||||
fi
|
||||
|
||||
echo -e "${GREEN}🔑 Generating new .env file with secure secrets...${NC}"
|
||||
|
||||
cat > "$ENV_FILE" << EOF
|
||||
cat > "$tmp" << EOF
|
||||
# AI Tax Agent Environment Configuration
|
||||
# Generated on $(date)
|
||||
# IMPORTANT: Keep these secrets secure and never commit to version control
|
||||
|
||||
# Domain Configuration
|
||||
DOMAIN=local
|
||||
EMAIL=admin@local
|
||||
DOMAIN=${DOMAIN:-local.lan}
|
||||
EMAIL=${EMAIL:-admin@local.lan}
|
||||
ACME_EMAIL=${ACME_EMAIL:-${EMAIL:-admin@local.lan}}
|
||||
TRAEFIK_CERT_RESOLVER=${TRAEFIK_CERT_RESOLVER:-}
|
||||
|
||||
# Database Passwords
|
||||
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
|
||||
@@ -65,11 +52,13 @@ NEO4J_PASSWORD=$NEO4J_PASSWORD
|
||||
AUTHENTIK_DB_PASSWORD=$AUTHENTIK_DB_PASSWORD
|
||||
|
||||
# Object Storage
|
||||
MINIO_ROOT_USER=minio
|
||||
MINIO_ROOT_USER=${MINIO_ROOT_USER:-minio}
|
||||
MINIO_ROOT_PASSWORD=$MINIO_ROOT_PASSWORD
|
||||
MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY:-$MINIO_ROOT_USER}
|
||||
MINIO_SECRET_KEY=${MINIO_SECRET_KEY:-$MINIO_ROOT_PASSWORD}
|
||||
|
||||
# Vector Database
|
||||
QDRANT__SERVICE__GRPC_PORT=6334
|
||||
QDRANT__SERVICE__GRPC_PORT=${QDRANT__SERVICE__GRPC_PORT:-6334}
|
||||
|
||||
# Secrets Management
|
||||
VAULT_DEV_ROOT_TOKEN_ID=$VAULT_DEV_ROOT_TOKEN_ID
|
||||
@@ -77,90 +66,147 @@ VAULT_DEV_ROOT_TOKEN_ID=$VAULT_DEV_ROOT_TOKEN_ID
|
||||
# Identity & SSO
|
||||
AUTHENTIK_SECRET_KEY=$AUTHENTIK_SECRET_KEY
|
||||
AUTHENTIK_OUTPOST_TOKEN=$AUTHENTIK_OUTPOST_TOKEN
|
||||
AUTHENTIK_BOOTSTRAP_EMAIL=admin@local.lan
|
||||
AUTHENTIK_BOOTSTRAP_PASSWORD=admin123
|
||||
AUTHENTIK_BOOTSTRAP_TOKEN=ak-bootstrap-token
|
||||
AUTHENTIK_BOOTSTRAP_EMAIL=${AUTHENTIK_BOOTSTRAP_EMAIL:-admin@${DOMAIN:-local.lan}}
|
||||
AUTHENTIK_BOOTSTRAP_PASSWORD=${AUTHENTIK_BOOTSTRAP_PASSWORD:-admin123}
|
||||
AUTHENTIK_BOOTSTRAP_TOKEN=${AUTHENTIK_BOOTSTRAP_TOKEN:-ak-bootstrap-token}
|
||||
AUTHENTIK_API_CLIENT_SECRET=$AUTHENTIK_API_CLIENT_SECRET
|
||||
AUTHENTIK_UI_REVIEW_CLIENT_SECRET=$AUTHENTIK_UI_REVIEW_CLIENT_SECRET
|
||||
AUTHENTIK_GRAFANA_CLIENT_SECRET=$AUTHENTIK_GRAFANA_CLIENT_SECRET
|
||||
AUTHENTIK_MINIO_CLIENT_SECRET=$AUTHENTIK_MINIO_CLIENT_SECRET
|
||||
AUTHENTIK_VAULT_CLIENT_SECRET=$AUTHENTIK_VAULT_CLIENT_SECRET
|
||||
|
||||
# OAuth Client Secrets
|
||||
GRAFANA_OAUTH_CLIENT_ID=grafana
|
||||
GRAFANA_OAUTH_CLIENT_ID=${GRAFANA_OAUTH_CLIENT_ID:-grafana}
|
||||
GRAFANA_OAUTH_CLIENT_SECRET=$GRAFANA_OAUTH_CLIENT_SECRET
|
||||
|
||||
# Monitoring
|
||||
GRAFANA_PASSWORD=$GRAFANA_PASSWORD
|
||||
|
||||
# Feature Flags
|
||||
UNLEASH_ADMIN_TOKEN=admin:development.unleash-insecure-admin-api-token
|
||||
UNLEASH_ADMIN_TOKEN=$UNLEASH_ADMIN_TOKEN
|
||||
|
||||
# Application Configuration
|
||||
NEXTAUTH_SECRET=$NEXTAUTH_SECRET
|
||||
JWT_SECRET=$JWT_SECRET
|
||||
ENCRYPTION_KEY=$ENCRYPTION_KEY
|
||||
|
||||
# Event Bus / NATS
|
||||
EVENT_BUS_TYPE=${EVENT_BUS_TYPE:-nats}
|
||||
NATS_SERVERS=${NATS_SERVERS:-nats://apa-nats:4222}
|
||||
NATS_STREAM_NAME=${NATS_STREAM_NAME:-TAX_AGENT_EVENTS}
|
||||
NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP:-tax-agent}
|
||||
NATS_LOG_LEVEL=${NATS_LOG_LEVEL:-info}
|
||||
|
||||
# Redis Configuration
|
||||
REDIS_PASSWORD=$REDIS_PASSWORD
|
||||
|
||||
# RAG & ML Models
|
||||
RAG_EMBEDDING_MODEL=bge-small-en-v1.5
|
||||
RAG_RERANKER_MODEL=cross-encoder/ms-marco-MiniLM-L-6-v2
|
||||
RAG_ALPHA_BETA_GAMMA=0.5,0.3,0.2
|
||||
RAG_EMBEDDING_MODEL=${RAG_EMBEDDING_MODEL:-bge-small-en-v1.5}
|
||||
RAG_RERANKER_MODEL=${RAG_RERANKER_MODEL:-cross-encoder/ms-marco-MiniLM-L-6-v2}
|
||||
RAG_ALPHA_BETA_GAMMA=${RAG_ALPHA_BETA_GAMMA:-0.5,0.3,0.2}
|
||||
|
||||
# HMRC Integration
|
||||
HMRC_MTD_ITSA_MODE=sandbox
|
||||
HMRC_MTD_ITSA_MODE=${HMRC_MTD_ITSA_MODE:-sandbox}
|
||||
|
||||
# Rate Limits
|
||||
RATE_LIMITS_HMRC_API_RPS=3
|
||||
RATE_LIMITS_HMRC_API_BURST=6
|
||||
RATE_LIMITS_LLM_API_RPS=10
|
||||
RATE_LIMITS_LLM_API_BURST=20
|
||||
RATE_LIMITS_HMRC_API_RPS=${RATE_LIMITS_HMRC_API_RPS:-3}
|
||||
RATE_LIMITS_HMRC_API_BURST=${RATE_LIMITS_HMRC_API_BURST:-6}
|
||||
RATE_LIMITS_LLM_API_RPS=${RATE_LIMITS_LLM_API_RPS:-10}
|
||||
RATE_LIMITS_LLM_API_BURST=${RATE_LIMITS_LLM_API_BURST:-20}
|
||||
|
||||
# Confidence Thresholds
|
||||
CONFIDENCE_AUTO_SUBMIT=0.95
|
||||
CONFIDENCE_HUMAN_REVIEW=0.85
|
||||
CONFIDENCE_REJECT=0.50
|
||||
CONFIDENCE_AUTO_SUBMIT=${CONFIDENCE_AUTO_SUBMIT:-0.95}
|
||||
CONFIDENCE_HUMAN_REVIEW=${CONFIDENCE_HUMAN_REVIEW:-0.85}
|
||||
CONFIDENCE_REJECT=${CONFIDENCE_REJECT:-0.50}
|
||||
|
||||
# Logging
|
||||
LOG_LEVEL=INFO
|
||||
LOG_FORMAT=json
|
||||
LOG_LEVEL=${LOG_LEVEL:-INFO}
|
||||
LOG_FORMAT=${LOG_FORMAT:-json}
|
||||
|
||||
# Development Settings
|
||||
DEBUG=false
|
||||
DEVELOPMENT_MODE=true
|
||||
DEBUG=${DEBUG:-false}
|
||||
DEVELOPMENT_MODE=${DEVELOPMENT_MODE:-true}
|
||||
|
||||
# Security
|
||||
ENCRYPTION_KEY_ID=default
|
||||
AUDIT_LOG_RETENTION_DAYS=90
|
||||
PII_LOG_RETENTION_DAYS=30
|
||||
ENCRYPTION_KEY_ID=${ENCRYPTION_KEY_ID:-default}
|
||||
AUDIT_LOG_RETENTION_DAYS=${AUDIT_LOG_RETENTION_DAYS:-90}
|
||||
PII_LOG_RETENTION_DAYS=${PII_LOG_RETENTION_DAYS:-30}
|
||||
|
||||
# Backup & DR
|
||||
BACKUP_ENABLED=true
|
||||
BACKUP_SCHEDULE=0 2 * * *
|
||||
BACKUP_RETENTION_DAYS=30
|
||||
BACKUP_ENABLED=${BACKUP_ENABLED:-true}
|
||||
BACKUP_SCHEDULE="${BACKUP_SCHEDULE:-0 2 * * *}"
|
||||
BACKUP_RETENTION_DAYS=${BACKUP_RETENTION_DAYS:-30}
|
||||
|
||||
# Performance Tuning
|
||||
MAX_WORKERS=4
|
||||
BATCH_SIZE=100
|
||||
CACHE_TTL_SECONDS=3600
|
||||
CONNECTION_POOL_SIZE=20
|
||||
MAX_WORKERS=${MAX_WORKERS:-4}
|
||||
BATCH_SIZE=${BATCH_SIZE:-100}
|
||||
CACHE_TTL_SECONDS=${CACHE_TTL_SECONDS:-3600}
|
||||
CONNECTION_POOL_SIZE=${CONNECTION_POOL_SIZE:-20}
|
||||
|
||||
# Registry / build
|
||||
REGISTRY=${REGISTRY:-localhost:5000}
|
||||
REGISTRY_USER=${REGISTRY_USER:-admin}
|
||||
REGISTRY_PASSWORD=${REGISTRY_PASSWORD:-admin123}
|
||||
IMAGE_TAG=${IMAGE_TAG:-latest}
|
||||
OWNER=${OWNER:-local}
|
||||
|
||||
# Feature Flags
|
||||
FEATURE_RAG_ENABLED=true
|
||||
FEATURE_FIRM_CONNECTORS_ENABLED=false
|
||||
FEATURE_HMRC_SUBMISSION_ENABLED=false
|
||||
FEATURE_ADVANCED_CALCULATIONS_ENABLED=true
|
||||
FEATURE_RAG_ENABLED=${FEATURE_RAG_ENABLED:-true}
|
||||
FEATURE_FIRM_CONNECTORS_ENABLED=${FEATURE_FIRM_CONNECTORS_ENABLED:-false}
|
||||
FEATURE_HMRC_SUBMISSION_ENABLED=${FEATURE_HMRC_SUBMISSION_ENABLED:-false}
|
||||
FEATURE_ADVANCED_CALCULATIONS_ENABLED=${FEATURE_ADVANCED_CALCULATIONS_ENABLED:-true}
|
||||
|
||||
# API Keys (placeholders for local testing)
|
||||
OPENAI_API_KEY=${OPENAI_API_KEY:-sk-local-placeholder}
|
||||
ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-sk-ant-local-placeholder}
|
||||
EOF
|
||||
|
||||
# Set secure permissions
|
||||
chmod 600 "$ENV_FILE"
|
||||
mv "$tmp" "$file"
|
||||
chmod 600 "$file"
|
||||
echo -e "${GREEN}✅ Wrote secrets to $file${NC}"
|
||||
}
|
||||
|
||||
echo -e "${BLUE}🔐 Generating secure secrets for AI Tax Agent...${NC}"
|
||||
echo
|
||||
|
||||
# Generate secrets (random where appropriate)
|
||||
AUTHENTIK_SECRET_KEY=$(generate_secret 50)
|
||||
AUTHENTIK_OUTPOST_TOKEN=$(generate_secret 64)
|
||||
AUTHENTIK_API_CLIENT_SECRET=$(generate_secret 32)
|
||||
AUTHENTIK_UI_REVIEW_CLIENT_SECRET=$(generate_secret 32)
|
||||
AUTHENTIK_GRAFANA_CLIENT_SECRET=$(generate_secret 32)
|
||||
AUTHENTIK_MINIO_CLIENT_SECRET=$(generate_secret 32)
|
||||
AUTHENTIK_VAULT_CLIENT_SECRET=$(generate_secret 32)
|
||||
GRAFANA_OAUTH_CLIENT_SECRET=$(generate_secret 32)
|
||||
NEXTAUTH_SECRET=$(generate_secret 48)
|
||||
JWT_SECRET=$(generate_secret 48)
|
||||
ENCRYPTION_KEY=$(generate_secret 32)
|
||||
VAULT_DEV_ROOT_TOKEN_ID=$(generate_uuid)
|
||||
POSTGRES_PASSWORD=$(generate_secret 16)
|
||||
NEO4J_PASSWORD=$(generate_secret 16)
|
||||
AUTHENTIK_DB_PASSWORD=$(generate_secret 16)
|
||||
MINIO_ROOT_PASSWORD=$(generate_secret 16)
|
||||
MINIO_ACCESS_KEY=$(generate_secret 16)
|
||||
MINIO_SECRET_KEY=$(generate_secret 24)
|
||||
GRAFANA_PASSWORD=$(generate_secret 16)
|
||||
UNLEASH_ADMIN_TOKEN="admin:$(generate_secret 24)"
|
||||
REDIS_PASSWORD=$(generate_secret 16)
|
||||
|
||||
# Defaults for commonly overridden values
|
||||
DOMAIN=${DOMAIN:-local.lan}
|
||||
EMAIL=${EMAIL:-admin@${DOMAIN}}
|
||||
ACME_EMAIL=${ACME_EMAIL:-$EMAIL}
|
||||
|
||||
# Write env file
|
||||
write_env "infra/environments/local/.env"
|
||||
|
||||
echo -e "${GREEN}✅ Secrets generated successfully!${NC}"
|
||||
echo
|
||||
echo -e "${YELLOW}📝 Important credentials:${NC}"
|
||||
echo -e " ${BLUE}Grafana Admin:${NC} admin / $GRAFANA_PASSWORD"
|
||||
echo -e " ${BLUE}Authentik Admin:${NC} admin@local (set password on first login)"
|
||||
echo -e " ${BLUE}MinIO Admin:${NC} ${MINIO_ROOT_USER:-minio} / $MINIO_ROOT_PASSWORD"
|
||||
echo -e " ${BLUE}Vault Root Token:${NC} $VAULT_DEV_ROOT_TOKEN_ID"
|
||||
echo -e " ${BLUE}MinIO Admin:${NC} minio / $MINIO_ROOT_PASSWORD"
|
||||
echo -e " ${BLUE}Authentik Bootstrap:${NC} ${AUTHENTIK_BOOTSTRAP_EMAIL:-admin@${DOMAIN}} / ${AUTHENTIK_BOOTSTRAP_PASSWORD:-admin123}"
|
||||
echo
|
||||
echo -e "${RED}⚠️ SECURITY WARNING:${NC}"
|
||||
echo -e " • Keep the .env file secure and never commit it to version control"
|
||||
echo -e " • Change default passwords on first login"
|
||||
echo -e " • Use proper secrets management in production"
|
||||
echo -e " • Regularly rotate secrets"
|
||||
echo
|
||||
echo -e "${GREEN}🚀 Ready to deploy with: make deploy-infra${NC}"
|
||||
echo -e " • Keep the generated env files secure and out of version control"
|
||||
echo -e " • Rotate secrets regularly for non-local environments"
|
||||
|
||||
@@ -11,12 +11,17 @@ BLUE='\033[0;34m'
|
||||
NC='\033[0m' # No Color
|
||||
|
||||
# Configuration
|
||||
# Load environment variables
|
||||
if [ -f "infra/compose/.env" ]; then
|
||||
source "infra/compose/.env"
|
||||
fi
|
||||
|
||||
DOMAIN=${DOMAIN:-local}
|
||||
AUTHENTIK_URL="https://auth.${DOMAIN}"
|
||||
AUTHENTIK_API_URL="$AUTHENTIK_URL/api/v3"
|
||||
ADMIN_EMAIL="admin@local"
|
||||
ADMIN_EMAIL="admin@${DOMAIN}"
|
||||
ADMIN_PASSWORD="${AUTHENTIK_ADMIN_PASSWORD:-admin123}"
|
||||
BOOTSTRAP_FILE="infra/compose/authentik/bootstrap.yaml"
|
||||
BOOTSTRAP_FILE="infra/authentik/bootstrap.yaml"
|
||||
|
||||
echo -e "${BLUE}🔧 Setting up Authentik SSO for AI Tax Agent using Blueprint Import...${NC}"
|
||||
echo
|
||||
@@ -76,17 +81,17 @@ generate_secrets() {
|
||||
|
||||
# Function to get API token
|
||||
get_api_token() {
|
||||
echo -e "${YELLOW}🔑 Getting API token...${NC}"
|
||||
echo -e "${YELLOW}🔑 Getting API token...${NC}" >&2
|
||||
|
||||
# Use bootstrap token if available
|
||||
if [ -n "${AUTHENTIK_BOOTSTRAP_TOKEN:-}" ]; then
|
||||
# Use bootstrap token if available and valid
|
||||
if [ -n "${AUTHENTIK_BOOTSTRAP_TOKEN:-}" ] && [ "$AUTHENTIK_BOOTSTRAP_TOKEN" != "ak-bootstrap-token" ]; then
|
||||
echo "$AUTHENTIK_BOOTSTRAP_TOKEN"
|
||||
return 0
|
||||
fi
|
||||
|
||||
# Try to get token via API (requires manual setup first)
|
||||
local token_response
|
||||
token_response=$(curl -s -X POST "$AUTHENTIK_API_URL/core/tokens/" \
|
||||
token_response=$(curl -ks -X POST "$AUTHENTIK_API_URL/core/tokens/" \
|
||||
-H "Content-Type: application/json" \
|
||||
-u "$ADMIN_EMAIL:$ADMIN_PASSWORD" \
|
||||
-d '{
|
||||
@@ -115,12 +120,12 @@ import_blueprint() {
|
||||
|
||||
# Create blueprint instance
|
||||
local blueprint_response
|
||||
blueprint_response=$(curl -s -X POST "$AUTHENTIK_API_URL/managed/blueprints/" \
|
||||
blueprint_response=$(curl -k -X POST "$AUTHENTIK_API_URL/managed/blueprints/" \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "Authorization: Bearer $token" \
|
||||
-d '{
|
||||
"name": "AI Tax Agent Bootstrap",
|
||||
"path": "/blueprints/bootstrap.yaml",
|
||||
"path": "ai-tax-agent-bootstrap.yaml",
|
||||
"context": {},
|
||||
"enabled": true
|
||||
}' 2>/dev/null || echo "")
|
||||
@@ -128,22 +133,60 @@ import_blueprint() {
|
||||
local blueprint_pk
|
||||
blueprint_pk=$(echo "$blueprint_response" | python3 -c "import sys, json; print(json.load(sys.stdin).get('pk', ''))" 2>/dev/null || echo "")
|
||||
|
||||
if [ -z "$blueprint_pk" ]; then
|
||||
echo -e "${YELLOW}⚠️ Could not create blueprint. It might already exist. Trying to find it...${NC}"
|
||||
local existing_bp
|
||||
existing_bp=$(curl -k -X GET "$AUTHENTIK_API_URL/managed/blueprints/?name=AI%20Tax%20Agent%20Bootstrap" \
|
||||
-H "Authorization: Bearer $token" 2>/dev/null || echo "")
|
||||
|
||||
blueprint_pk=$(echo "$existing_bp" | python3 -c "import sys, json; print(json.load(sys.stdin)['results'][0]['pk'])" 2>/dev/null || echo "")
|
||||
fi
|
||||
|
||||
if [ -n "$blueprint_pk" ]; then
|
||||
echo -e "${GREEN}✅ Blueprint created with ID: $blueprint_pk${NC}"
|
||||
|
||||
# Apply the blueprint
|
||||
echo -e "${YELLOW}🔄 Applying blueprint...${NC}"
|
||||
local apply_response
|
||||
apply_response=$(curl -s -X POST "$AUTHENTIK_API_URL/managed/blueprints/$blueprint_pk/apply/" \
|
||||
apply_response=$(curl -k -X POST "$AUTHENTIK_API_URL/managed/blueprints/$blueprint_pk/apply/" \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "Authorization: Bearer $token" \
|
||||
-d '{}' 2>/dev/null || echo "")
|
||||
|
||||
if echo "$apply_response" | grep -q "success\|applied" 2>/dev/null; then
|
||||
echo -e "${GREEN}✅ Blueprint applied successfully${NC}"
|
||||
echo -e "${GREEN}✅ Blueprint applied successfully${NC}"
|
||||
|
||||
# Force-sync the Outpost token
|
||||
# The blueprint might fail to update the token for the existing embedded outpost, so we do it explicitly.
|
||||
echo -e "${YELLOW}🔄 Syncing Outpost token...${NC}"
|
||||
if docker exec -i apa-authentik-server python3 /manage.py shell -c "
|
||||
from authentik.outposts.models import Outpost
|
||||
from authentik.core.models import Token
|
||||
import os
|
||||
|
||||
try:
|
||||
token_key = os.environ.get('AUTHENTIK_OUTPOST_TOKEN')
|
||||
if token_key:
|
||||
o = Outpost.objects.get(name='authentik Embedded Outpost')
|
||||
t = Token.objects.get(pk=o.token.pk)
|
||||
if t.key != token_key:
|
||||
t.key = token_key
|
||||
t.save()
|
||||
print('Token updated')
|
||||
else:
|
||||
print('Token already matches')
|
||||
else:
|
||||
print('No AUTHENTIK_OUTPOST_TOKEN found in environment')
|
||||
except Exception as e:
|
||||
print(f'Error updating token: {e}')
|
||||
exit(1)
|
||||
" > /dev/null; then
|
||||
echo -e "${GREEN}✅ Outpost token synced${NC}"
|
||||
# Restart outpost to pick up changes if needed (though it reads from env, so mostly for connection retry)
|
||||
docker restart apa-authentik-outpost > /dev/null 2>&1 || true
|
||||
else
|
||||
echo -e "${YELLOW}⚠️ Blueprint application may have had issues. Check Authentik logs.${NC}"
|
||||
echo -e "${RED}❌ Failed to sync Outpost token${NC}"
|
||||
fi
|
||||
|
||||
else
|
||||
echo -e "${RED}❌ Failed to create blueprint${NC}"
|
||||
return 1
|
||||
@@ -186,23 +229,25 @@ main() {
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check if initial setup is needed
|
||||
local host
|
||||
host=$(echo "$AUTHENTIK_URL" | sed -E 's#^https?://([^/]+).*$#\1#')
|
||||
local resolve=(--resolve "${host}:443:127.0.0.1")
|
||||
local setup_code
|
||||
setup_code=$(curl -ks "${resolve[@]}" -o /dev/null -w '%{http_code}' "$AUTHENTIK_URL/if/flow/initial-setup/" || true)
|
||||
# Check if initial setup is needed (only if we don't have a token)
|
||||
if [ -z "${AUTHENTIK_BOOTSTRAP_TOKEN:-}" ] || [ "$AUTHENTIK_BOOTSTRAP_TOKEN" == "ak-bootstrap-token" ]; then
|
||||
local host
|
||||
host=$(echo "$AUTHENTIK_URL" | sed -E 's#^https?://([^/]+).*$#\1#')
|
||||
local resolve=(--resolve "${host}:443:127.0.0.1")
|
||||
local setup_code
|
||||
setup_code=$(curl -ks "${resolve[@]}" -o /dev/null -w '%{http_code}' "$AUTHENTIK_URL/if/flow/initial-setup/" || true)
|
||||
|
||||
if [[ "$setup_code" == "200" ]]; then
|
||||
echo -e "${YELLOW}📋 Initial Authentik setup required:${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local/if/flow/initial-setup/${NC}"
|
||||
echo -e " 2. Complete the setup wizard with admin user"
|
||||
echo -e " 3. Re-run this script after setup is complete"
|
||||
echo
|
||||
echo -e "${BLUE}💡 Tip: Use these credentials:${NC}"
|
||||
echo -e " • Email: ${BLUE}$ADMIN_EMAIL${NC}"
|
||||
echo -e " • Password: ${BLUE}$ADMIN_PASSWORD${NC}"
|
||||
return 0
|
||||
if [[ "$setup_code" == "200" ]]; then
|
||||
echo -e "${YELLOW}📋 Initial Authentik setup required:${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.${DOMAIN}/if/flow/initial-setup/${NC}"
|
||||
echo -e " 2. Complete the setup wizard with admin user"
|
||||
echo -e " 3. Re-run this script after setup is complete"
|
||||
echo
|
||||
echo -e "${BLUE}💡 Tip: Use these credentials:${NC}"
|
||||
echo -e " • Email: ${BLUE}$ADMIN_EMAIL${NC}"
|
||||
echo -e " • Password: ${BLUE}$ADMIN_PASSWORD${NC}"
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
|
||||
# Try to get API token
|
||||
@@ -231,7 +276,7 @@ main() {
|
||||
fi
|
||||
else
|
||||
echo -e "${YELLOW}📋 Could not obtain API token. Manual configuration required:${NC}"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local${NC} and log in as admin"
|
||||
echo -e " 1. Open ${BLUE}https://auth.local.lan${NC} and log in as admin"
|
||||
echo -e " 2. Go to Admin Interface > Tokens"
|
||||
echo -e " 3. Create a new token and set AUTHENTIK_BOOTSTRAP_TOKEN in .env"
|
||||
echo -e " 4. Re-run this script"
|
||||
@@ -239,10 +284,10 @@ main() {
|
||||
|
||||
echo
|
||||
echo -e "${BLUE}🔗 Access URLs:${NC}"
|
||||
echo -e " • Authentik Admin: ${BLUE}https://auth.local${NC}"
|
||||
echo -e " • API Gateway: ${BLUE}https://api.local${NC}"
|
||||
echo -e " • Grafana: ${BLUE}https://grafana.local${NC}"
|
||||
echo -e " • Review Portal: ${BLUE}https://review.local${NC}"
|
||||
echo -e " • Authentik Admin: ${BLUE}https://auth.local.lan${NC}"
|
||||
echo -e " • API Gateway: ${BLUE}https://api.local.lan${NC}"
|
||||
echo -e " • Grafana: ${BLUE}https://grafana.local.lan${NC}"
|
||||
echo -e " • Review Portal: ${BLUE}https://review.local.lan${NC}"
|
||||
}
|
||||
|
||||
# Run main function
|
||||
|
||||
106
scripts/setup-vault.sh
Executable file
106
scripts/setup-vault.sh
Executable file
@@ -0,0 +1,106 @@
|
||||
#!/bin/bash
|
||||
# Setup Vault OIDC Authentication
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# Colors for output
|
||||
RED='\033[0;31m'
|
||||
GREEN='\033[0;32m'
|
||||
YELLOW='\033[1;33m'
|
||||
BLUE='\033[0;34m'
|
||||
NC='\033[0m' # No Color
|
||||
|
||||
# Load environment variables
|
||||
if [ -f "infra/compose/.env" ]; then
|
||||
source "infra/compose/.env"
|
||||
fi
|
||||
|
||||
DOMAIN=${DOMAIN:-local.lan}
|
||||
VAULT_ADDR="http://localhost:8200"
|
||||
AUTHENTIK_URL="https://auth.${DOMAIN}"
|
||||
|
||||
echo -e "${BLUE}🔧 Setting up Vault OIDC Authentication...${NC}"
|
||||
|
||||
# Function to check if Vault is ready
|
||||
wait_for_vault() {
|
||||
echo -e "${YELLOW}⏳ Waiting for Vault to be ready...${NC}"
|
||||
local max_attempts=30
|
||||
local attempt=1
|
||||
|
||||
while [ $attempt -le $max_attempts ]; do
|
||||
if docker exec -e VAULT_ADDR=http://127.0.0.1:8200 apa-vault vault status > /dev/null 2>&1; then
|
||||
echo -e "${GREEN}✅ Vault is ready!${NC}"
|
||||
return 0
|
||||
fi
|
||||
echo -n "."
|
||||
sleep 2
|
||||
attempt=$((attempt + 1))
|
||||
done
|
||||
|
||||
echo -e "${RED}❌ Vault failed to start${NC}"
|
||||
return 1
|
||||
}
|
||||
|
||||
# Main setup function
|
||||
setup_vault() {
|
||||
# Check if we have the root token
|
||||
if [ -z "${VAULT_DEV_ROOT_TOKEN_ID:-}" ]; then
|
||||
echo -e "${RED}❌ VAULT_DEV_ROOT_TOKEN_ID not found in environment${NC}"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Check if we have the client secret
|
||||
if [ -z "${AUTHENTIK_VAULT_CLIENT_SECRET:-}" ]; then
|
||||
echo -e "${RED}❌ AUTHENTIK_VAULT_CLIENT_SECRET not found in environment${NC}"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Execute commands inside the Vault container
|
||||
echo -e "${YELLOW}🔐 Configuring Vault OIDC...${NC}"
|
||||
|
||||
# Login
|
||||
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 apa-vault vault login "$VAULT_DEV_ROOT_TOKEN_ID" > /dev/null
|
||||
|
||||
# Enable OIDC auth method (ignore error if already enabled)
|
||||
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 apa-vault vault auth enable oidc 2>/dev/null || true
|
||||
echo -e "${GREEN}✅ OIDC auth enabled${NC}"
|
||||
|
||||
# Configure OIDC
|
||||
# Note: We use the internal Docker network URL for discovery if possible, or the public one if Vault can resolve it.
|
||||
# Since Vault is in the backend network, it can reach 'apa-authentik-server'.
|
||||
# However, the discovery URL usually needs to match what the user sees (issuer validation).
|
||||
# Authentik's issuer is usually the slug URL.
|
||||
|
||||
# Using the public URL for discovery URL as per standard OIDC validation
|
||||
# We might need to ensure Vault container can resolve auth.local.lan to the Traefik IP or Authentik IP.
|
||||
# In our setup, auth.local.lan resolves to 127.0.0.1 on host. Inside container, it needs to resolve to the gateway or authentik.
|
||||
# For now, let's try using the public URL. If it fails, we might need to add a host alias to the Vault container.
|
||||
|
||||
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 apa-vault vault write auth/oidc/config \
|
||||
oidc_discovery_url="$AUTHENTIK_URL/application/o/vault-oidc/" \
|
||||
oidc_client_id="vault" \
|
||||
oidc_client_secret="$AUTHENTIK_VAULT_CLIENT_SECRET" \
|
||||
default_role="reader" \
|
||||
bound_issuer="localhost" \
|
||||
oidc_discovery_ca_pem=@/certs/local.crt
|
||||
|
||||
echo -e "${GREEN}✅ OIDC config written${NC}"
|
||||
|
||||
# Create reader role
|
||||
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 apa-vault vault write auth/oidc/role/reader \
|
||||
bound_audiences="vault" \
|
||||
allowed_redirect_uris="https://vault.${DOMAIN}/ui/vault/auth/oidc/oidc/callback,https://vault.${DOMAIN}/oidc/callback,http://localhost:8250/oidc/callback" \
|
||||
oidc_scopes="openid,email,profile" \
|
||||
user_claim="email" \
|
||||
policies="default" \
|
||||
ttl="1h"
|
||||
|
||||
echo -e "${GREEN}✅ OIDC role 'reader' created${NC}"
|
||||
echo
|
||||
echo -e "${GREEN}🎉 Vault OIDC setup complete!${NC}"
|
||||
echo -e " Login at: ${BLUE}https://vault.${DOMAIN}/ui/vault/auth/oidc/oidc/callback${NC}"
|
||||
}
|
||||
|
||||
# Run
|
||||
wait_for_vault
|
||||
setup_vault
|
||||
Reference in New Issue
Block a user