mirror of
http://172.20.10.11:3000/gitadmin/INSIGHT-MVP.git
synced 2026-06-25 00:36:39 +02:00
Docker Infrastructure:
- docker-compose.yml with Traefik 3, PostgreSQL 16, PgBouncer, Redis 7, step-ca
- docker-compose.observability.yml with Prometheus, Grafana, Loki, Tempo, Promtail
- Traefik dynamic config (TLS, security headers, CORS, compression)
- PostgreSQL init script (uuid-ossp, pgcrypto, pg_trgm extensions)
- Grafana auto-provisioned datasources (Prometheus, Loki, Tempo)
NestJS Core-Service:
- Auth module: Login (email/password), TOTP 2FA, JWT RS256, token refresh/revocation
- Users module: CRUD, bcrypt cost 12, pagination, role-based access
- Tenants module: CRUD, member management, slug validation
- Prisma schemas: core (Users, AuthProviders, Tenants, Modules, AuditLog)
tenant (Contacts, Activities - CRM reference for Sprint 2)
- TenantPrismaService: Dynamic per-tenant DB connections with caching
- RedisService: Token blocklist, refresh token families, generic cache
- Global JwtAuthGuard with @Public() decorator, RolesGuard, GlobalExceptionFilter
- Health endpoint with DB + Redis status checks
- Swagger API documentation (dev only)
- Multi-stage Dockerfile (dev + production)
React Frontend:
- Vite 6 + React 18 + TypeScript strict
- AuthContext with silent refresh (access token in memory, NOT localStorage)
- Login page with TOTP 2FA support
- App shell with sidebar navigation
- Admin pages: Users + Tenants management tables
- API client with automatic token refresh interceptor
- Multi-stage Dockerfile (dev + nginx production)
CI/CD Pipelines:
- ci.yml: Lint, type-check, test, build on all branches
- deploy.yml: Docker build, push to Forgejo registry, SSH deploy
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
52 lines
1.4 KiB
YAML
# ============================================================
# Traefik - Global middlewares
# ============================================================

http:
  middlewares:
    # Security headers for all responses
    security-headers:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        # Note: in Traefik, customFrameOptionsValue overrides frameDeny, so the
        # X-Frame-Options header actually sent is SAMEORIGIN, not DENY.
        customFrameOptionsValue: "SAMEORIGIN"
        referrerPolicy: "strict-origin-when-cross-origin"
        # 'unsafe-inline' in script-src weakens the CSP against injected
        # scripts; replace it with nonces or hashes once the frontend allows.
        contentSecurityPolicy: >-
          default-src 'self';
          script-src 'self' 'unsafe-inline';
          style-src 'self' 'unsafe-inline';
          img-src 'self' data: blob:;
          font-src 'self';
          connect-src 'self' wss://insight-dev.xinion.lan;
          frame-ancestors 'self';

    # CORS for the API
    cors-api:
      headers:
        accessControlAllowMethods:
          - GET
          - POST
          - PUT
          - PATCH
          - DELETE
          - OPTIONS
        accessControlAllowHeaders:
          - Content-Type
          - Authorization
          - X-Tenant-ID
          - X-Request-ID
        # Explicit origin list (no wildcard), which is required when
        # accessControlAllowCredentials is true.
        accessControlAllowOriginList:
          - "https://insight-dev.xinion.lan"
        accessControlMaxAge: 86400
        accessControlAllowCredentials: true
        addVaryHeader: true

    # Compression
    gzip-compress:
      compress:
        excludedContentTypes:
          - text/event-stream
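As an added post-deploy check (example code, not part of the INSIGHT-MVP repository): it parses a captured response header block and flags what a reviewer of the `security-headers` middleware above would question, such as `'unsafe-inline'` in script-src and the X-Frame-Options value that results from customFrameOptionsValue overriding frameDeny. The sample capture is constructed from what this middleware is configured to emit, not taken from a live host.

```python
import re

# Constructed sample (not a real capture) of a response that passed through the
# `security-headers` middleware. X-Frame-Options comes back as SAMEORIGIN
# because Traefik's customFrameOptionsValue overrides frameDeny.
SAMPLE_HEADERS = """\
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self' wss://insight-dev.xinion.lan; frame-ancestors 'self';
"""

def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values, skipping the status line."""
    return {name.strip().lower(): value.strip() for name, value in
            (line.split(":", 1) for line in raw.splitlines()[1:] if ":" in line)}

def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into directive -> source list."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:  # a trailing ';' yields an empty directive, skip it
            policy[parts[0].lower()] = parts[1:]
    return policy

def audit(raw: str) -> list:
    """Return findings for a captured header block; empty means all checks passed."""
    h = parse_headers(raw)
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:  # one year, as stsSeconds sets
        findings.append("HSTS missing or max-age below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))  # CSP fallback rule
        if "'unsafe-inline'" in scripts:
            findings.append("script-src allows 'unsafe-inline'")
        if "frame-ancestors" not in csp:
            findings.append("CSP has no frame-ancestors directive")
    return findings
```

Feed it the output of `curl -sI https://<host>/` to compare the deployed headers with the intended middleware settings.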