completed local setup with compose

2025-11-26 13:17:17 +00:00
parent 8fe5e62fee
commit fdba81809f
87 changed files with 5610 additions and 3376 deletions
--- a/scripts/generate-secrets.sh
+++ b/scripts/generate-secrets.sh
@@ -13,51 +13,38 @@ NC='\033[0m' # No Color
 # Function to generate random string
 generate_secret() {
    local length=${1:-32}
-    openssl rand -base64 $length | tr -d "=+/" | cut -c1-$length
+    openssl rand -base64 "$length" | tr -d "=+/\n" | cut -c1-"$length"
 }

 # Function to generate UUID
 generate_uuid() {
-    python3 -c "import uuid; print(uuid.uuid4())"
+    python3 - <<'PY'
+import uuid
+print(uuid.uuid4())
+PY
 }

-echo -e "${BLUE}🔐 Generating secure secrets for AI Tax Agent...${NC}"
-echo
+write_env() {
+    local file=$1
+    local tmp="$file.tmp"
+    local ts
+    ts="$(date +%Y%m%d_%H%M%S)"

-# Generate secrets
-AUTHENTIK_SECRET_KEY=$(generate_secret 50)
-AUTHENTIK_OUTPOST_TOKEN=$(generate_secret 64)
-AUTHENTIK_API_CLIENT_SECRET=$(generate_secret 32)
-AUTHENTIK_GRAFANA_CLIENT_SECRET=$(generate_secret 32)
-GRAFANA_OAUTH_CLIENT_SECRET=$(generate_secret 32)
-NEXTAUTH_SECRET=$(generate_secret 32)
-VAULT_DEV_ROOT_TOKEN_ID=$(generate_uuid)
-POSTGRES_PASSWORD=$(generate_secret 16)
-NEO4J_PASSWORD=$(generate_secret 16)
-AUTHENTIK_DB_PASSWORD=$(generate_secret 16)
-MINIO_ROOT_PASSWORD=$(generate_secret 16)
-GRAFANA_PASSWORD=$(generate_secret 16)
+    if [ -f "$file" ]; then
+        cp "$file" "${file}.backup.${ts}"
+        echo -e "${YELLOW}📋 Backed up existing env to ${file}.backup.${ts}${NC}"
+    fi

-# Create .env file with generated secrets
-ENV_FILE="infra/compose/.env"
-BACKUP_FILE="infra/compose/.env.backup.$(date +%Y%m%d_%H%M%S)"
-
-# Backup existing .env if it exists
-if [ -f "$ENV_FILE" ]; then
-    echo -e "${YELLOW}📋 Backing up existing .env to $BACKUP_FILE${NC}"
-    cp "$ENV_FILE" "$BACKUP_FILE"
-fi
-
-echo -e "${GREEN}🔑 Generating new .env file with secure secrets...${NC}"
-
-cat > "$ENV_FILE" << EOF
+    cat > "$tmp" << EOF
 # AI Tax Agent Environment Configuration
 # Generated on $(date)
 # IMPORTANT: Keep these secrets secure and never commit to version control

 # Domain Configuration
-DOMAIN=local
-EMAIL=admin@local
+DOMAIN=${DOMAIN:-local.lan}
+EMAIL=${EMAIL:-admin@local.lan}
+ACME_EMAIL=${ACME_EMAIL:-${EMAIL:-admin@local.lan}}
+TRAEFIK_CERT_RESOLVER=${TRAEFIK_CERT_RESOLVER:-}

 # Database Passwords
 POSTGRES_PASSWORD=$POSTGRES_PASSWORD
@@ -65,11 +52,13 @@ NEO4J_PASSWORD=$NEO4J_PASSWORD
 AUTHENTIK_DB_PASSWORD=$AUTHENTIK_DB_PASSWORD

 # Object Storage
-MINIO_ROOT_USER=minio
+MINIO_ROOT_USER=${MINIO_ROOT_USER:-minio}
 MINIO_ROOT_PASSWORD=$MINIO_ROOT_PASSWORD
+MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY:-$MINIO_ROOT_USER}
+MINIO_SECRET_KEY=${MINIO_SECRET_KEY:-$MINIO_ROOT_PASSWORD}

 # Vector Database
-QDRANT__SERVICE__GRPC_PORT=6334
+QDRANT__SERVICE__GRPC_PORT=${QDRANT__SERVICE__GRPC_PORT:-6334}

 # Secrets Management
 VAULT_DEV_ROOT_TOKEN_ID=$VAULT_DEV_ROOT_TOKEN_ID
@@ -77,90 +66,147 @@ VAULT_DEV_ROOT_TOKEN_ID=$VAULT_DEV_ROOT_TOKEN_ID
 # Identity & SSO
 AUTHENTIK_SECRET_KEY=$AUTHENTIK_SECRET_KEY
 AUTHENTIK_OUTPOST_TOKEN=$AUTHENTIK_OUTPOST_TOKEN
-AUTHENTIK_BOOTSTRAP_EMAIL=admin@local.lan
-AUTHENTIK_BOOTSTRAP_PASSWORD=admin123
-AUTHENTIK_BOOTSTRAP_TOKEN=ak-bootstrap-token
+AUTHENTIK_BOOTSTRAP_EMAIL=${AUTHENTIK_BOOTSTRAP_EMAIL:-admin@${DOMAIN:-local.lan}}
+AUTHENTIK_BOOTSTRAP_PASSWORD=${AUTHENTIK_BOOTSTRAP_PASSWORD:-admin123}
+AUTHENTIK_BOOTSTRAP_TOKEN=${AUTHENTIK_BOOTSTRAP_TOKEN:-ak-bootstrap-token}
 AUTHENTIK_API_CLIENT_SECRET=$AUTHENTIK_API_CLIENT_SECRET
+AUTHENTIK_UI_REVIEW_CLIENT_SECRET=$AUTHENTIK_UI_REVIEW_CLIENT_SECRET
 AUTHENTIK_GRAFANA_CLIENT_SECRET=$AUTHENTIK_GRAFANA_CLIENT_SECRET
+AUTHENTIK_MINIO_CLIENT_SECRET=$AUTHENTIK_MINIO_CLIENT_SECRET
+AUTHENTIK_VAULT_CLIENT_SECRET=$AUTHENTIK_VAULT_CLIENT_SECRET

 # OAuth Client Secrets
-GRAFANA_OAUTH_CLIENT_ID=grafana
+GRAFANA_OAUTH_CLIENT_ID=${GRAFANA_OAUTH_CLIENT_ID:-grafana}
 GRAFANA_OAUTH_CLIENT_SECRET=$GRAFANA_OAUTH_CLIENT_SECRET

 # Monitoring
 GRAFANA_PASSWORD=$GRAFANA_PASSWORD

 # Feature Flags
-UNLEASH_ADMIN_TOKEN=admin:development.unleash-insecure-admin-api-token
+UNLEASH_ADMIN_TOKEN=$UNLEASH_ADMIN_TOKEN

 # Application Configuration
 NEXTAUTH_SECRET=$NEXTAUTH_SECRET
+JWT_SECRET=$JWT_SECRET
+ENCRYPTION_KEY=$ENCRYPTION_KEY
+
+# Event Bus / NATS
+EVENT_BUS_TYPE=${EVENT_BUS_TYPE:-nats}
+NATS_SERVERS=${NATS_SERVERS:-nats://apa-nats:4222}
+NATS_STREAM_NAME=${NATS_STREAM_NAME:-TAX_AGENT_EVENTS}
+NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP:-tax-agent}
+NATS_LOG_LEVEL=${NATS_LOG_LEVEL:-info}
+
+# Redis Configuration
+REDIS_PASSWORD=$REDIS_PASSWORD

 # RAG & ML Models
-RAG_EMBEDDING_MODEL=bge-small-en-v1.5
-RAG_RERANKER_MODEL=cross-encoder/ms-marco-MiniLM-L-6-v2
-RAG_ALPHA_BETA_GAMMA=0.5,0.3,0.2
+RAG_EMBEDDING_MODEL=${RAG_EMBEDDING_MODEL:-bge-small-en-v1.5}
+RAG_RERANKER_MODEL=${RAG_RERANKER_MODEL:-cross-encoder/ms-marco-MiniLM-L-6-v2}
+RAG_ALPHA_BETA_GAMMA=${RAG_ALPHA_BETA_GAMMA:-0.5,0.3,0.2}

 # HMRC Integration
-HMRC_MTD_ITSA_MODE=sandbox
+HMRC_MTD_ITSA_MODE=${HMRC_MTD_ITSA_MODE:-sandbox}

 # Rate Limits
-RATE_LIMITS_HMRC_API_RPS=3
-RATE_LIMITS_HMRC_API_BURST=6
-RATE_LIMITS_LLM_API_RPS=10
-RATE_LIMITS_LLM_API_BURST=20
+RATE_LIMITS_HMRC_API_RPS=${RATE_LIMITS_HMRC_API_RPS:-3}
+RATE_LIMITS_HMRC_API_BURST=${RATE_LIMITS_HMRC_API_BURST:-6}
+RATE_LIMITS_LLM_API_RPS=${RATE_LIMITS_LLM_API_RPS:-10}
+RATE_LIMITS_LLM_API_BURST=${RATE_LIMITS_LLM_API_BURST:-20}

 # Confidence Thresholds
-CONFIDENCE_AUTO_SUBMIT=0.95
-CONFIDENCE_HUMAN_REVIEW=0.85
-CONFIDENCE_REJECT=0.50
+CONFIDENCE_AUTO_SUBMIT=${CONFIDENCE_AUTO_SUBMIT:-0.95}
+CONFIDENCE_HUMAN_REVIEW=${CONFIDENCE_HUMAN_REVIEW:-0.85}
+CONFIDENCE_REJECT=${CONFIDENCE_REJECT:-0.50}

 # Logging
-LOG_LEVEL=INFO
-LOG_FORMAT=json
+LOG_LEVEL=${LOG_LEVEL:-INFO}
+LOG_FORMAT=${LOG_FORMAT:-json}

 # Development Settings
-DEBUG=false
-DEVELOPMENT_MODE=true
+DEBUG=${DEBUG:-false}
+DEVELOPMENT_MODE=${DEVELOPMENT_MODE:-true}

 # Security
-ENCRYPTION_KEY_ID=default
-AUDIT_LOG_RETENTION_DAYS=90
-PII_LOG_RETENTION_DAYS=30
+ENCRYPTION_KEY_ID=${ENCRYPTION_KEY_ID:-default}
+AUDIT_LOG_RETENTION_DAYS=${AUDIT_LOG_RETENTION_DAYS:-90}
+PII_LOG_RETENTION_DAYS=${PII_LOG_RETENTION_DAYS:-30}

 # Backup & DR
-BACKUP_ENABLED=true
-BACKUP_SCHEDULE=0 2 * * *
-BACKUP_RETENTION_DAYS=30
+BACKUP_ENABLED=${BACKUP_ENABLED:-true}
+BACKUP_SCHEDULE="${BACKUP_SCHEDULE:-0 2 * * *}"
+BACKUP_RETENTION_DAYS=${BACKUP_RETENTION_DAYS:-30}

 # Performance Tuning
-MAX_WORKERS=4
-BATCH_SIZE=100
-CACHE_TTL_SECONDS=3600
-CONNECTION_POOL_SIZE=20
+MAX_WORKERS=${MAX_WORKERS:-4}
+BATCH_SIZE=${BATCH_SIZE:-100}
+CACHE_TTL_SECONDS=${CACHE_TTL_SECONDS:-3600}
+CONNECTION_POOL_SIZE=${CONNECTION_POOL_SIZE:-20}
+
+# Registry / build
+REGISTRY=${REGISTRY:-localhost:5000}
+REGISTRY_USER=${REGISTRY_USER:-admin}
+REGISTRY_PASSWORD=${REGISTRY_PASSWORD:-admin123}
+IMAGE_TAG=${IMAGE_TAG:-latest}
+OWNER=${OWNER:-local}

 # Feature Flags
-FEATURE_RAG_ENABLED=true
-FEATURE_FIRM_CONNECTORS_ENABLED=false
-FEATURE_HMRC_SUBMISSION_ENABLED=false
-FEATURE_ADVANCED_CALCULATIONS_ENABLED=true
+FEATURE_RAG_ENABLED=${FEATURE_RAG_ENABLED:-true}
+FEATURE_FIRM_CONNECTORS_ENABLED=${FEATURE_FIRM_CONNECTORS_ENABLED:-false}
+FEATURE_HMRC_SUBMISSION_ENABLED=${FEATURE_HMRC_SUBMISSION_ENABLED:-false}
+FEATURE_ADVANCED_CALCULATIONS_ENABLED=${FEATURE_ADVANCED_CALCULATIONS_ENABLED:-true}
+
+# API Keys (placeholders for local testing)
+OPENAI_API_KEY=${OPENAI_API_KEY:-sk-local-placeholder}
+ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-sk-ant-local-placeholder}
 EOF

-# Set secure permissions
-chmod 600 "$ENV_FILE"
+    mv "$tmp" "$file"
+    chmod 600 "$file"
+    echo -e "${GREEN}✅ Wrote secrets to $file${NC}"
+}
+
+echo -e "${BLUE}🔐 Generating secure secrets for AI Tax Agent...${NC}"
+echo
+
+# Generate secrets (random where appropriate)
+AUTHENTIK_SECRET_KEY=$(generate_secret 50)
+AUTHENTIK_OUTPOST_TOKEN=$(generate_secret 64)
+AUTHENTIK_API_CLIENT_SECRET=$(generate_secret 32)
+AUTHENTIK_UI_REVIEW_CLIENT_SECRET=$(generate_secret 32)
+AUTHENTIK_GRAFANA_CLIENT_SECRET=$(generate_secret 32)
+AUTHENTIK_MINIO_CLIENT_SECRET=$(generate_secret 32)
+AUTHENTIK_VAULT_CLIENT_SECRET=$(generate_secret 32)
+GRAFANA_OAUTH_CLIENT_SECRET=$(generate_secret 32)
+NEXTAUTH_SECRET=$(generate_secret 48)
+JWT_SECRET=$(generate_secret 48)
+ENCRYPTION_KEY=$(generate_secret 32)
+VAULT_DEV_ROOT_TOKEN_ID=$(generate_uuid)
+POSTGRES_PASSWORD=$(generate_secret 16)
+NEO4J_PASSWORD=$(generate_secret 16)
+AUTHENTIK_DB_PASSWORD=$(generate_secret 16)
+MINIO_ROOT_PASSWORD=$(generate_secret 16)
+MINIO_ACCESS_KEY=$(generate_secret 16)
+MINIO_SECRET_KEY=$(generate_secret 24)
+GRAFANA_PASSWORD=$(generate_secret 16)
+UNLEASH_ADMIN_TOKEN="admin:$(generate_secret 24)"
+REDIS_PASSWORD=$(generate_secret 16)
+
+# Defaults for commonly overridden values
+DOMAIN=${DOMAIN:-local.lan}
+EMAIL=${EMAIL:-admin@${DOMAIN}}
+ACME_EMAIL=${ACME_EMAIL:-$EMAIL}
+
+# Write env file
+write_env "infra/environments/local/.env"

-echo -e "${GREEN}✅ Secrets generated successfully!${NC}"
 echo
 echo -e "${YELLOW}📝 Important credentials:${NC}"
 echo -e "  ${BLUE}Grafana Admin:${NC} admin / $GRAFANA_PASSWORD"
-echo -e "  ${BLUE}Authentik Admin:${NC} admin@local (set password on first login)"
+echo -e "  ${BLUE}MinIO Admin:${NC} ${MINIO_ROOT_USER:-minio} / $MINIO_ROOT_PASSWORD"
 echo -e "  ${BLUE}Vault Root Token:${NC} $VAULT_DEV_ROOT_TOKEN_ID"
-echo -e "  ${BLUE}MinIO Admin:${NC} minio / $MINIO_ROOT_PASSWORD"
+echo -e "  ${BLUE}Authentik Bootstrap:${NC} ${AUTHENTIK_BOOTSTRAP_EMAIL:-admin@${DOMAIN}} / ${AUTHENTIK_BOOTSTRAP_PASSWORD:-admin123}"
 echo
 echo -e "${RED}⚠️  SECURITY WARNING:${NC}"
-echo -e "  • Keep the .env file secure and never commit it to version control"
-echo -e "  • Change default passwords on first login"
-echo -e "  • Use proper secrets management in production"
-echo -e "  • Regularly rotate secrets"
-echo
-echo -e "${GREEN}🚀 Ready to deploy with: make deploy-infra${NC}"
+echo -e "  • Keep the generated env files secure and out of version control"
+echo -e "  • Rotate secrets regularly for non-local environments"