deploy code

deploy/.env.authentik.example

@@ -0,0 +1,20 @@
+# Authentik — Ubuntu server (.env for docker-compose.authentik.yml)
+
+# Docker host public IP (no trailing slash)
+AUTHENTIK_HOST=http://172.237.44.156:9000
+
+# Host ports
+COMPOSE_PORT_HTTP=9000
+COMPOSE_PORT_HTTPS=9443
+
+# Database
+PG_DB=authentik
+PG_USER=authentik
+PG_PASS=CHANGE_ME_run_openssl_rand_base64_36
+
+# Required secret (generate once)
+AUTHENTIK_SECRET_KEY=CHANGE_ME_run_openssl_rand_base64_60
+
+# Optional image pin
+# AUTHENTIK_IMAGE=ghcr.io/goauthentik/server
+# AUTHENTIK_TAG=2026.2.3

deploy/.env.example

@@ -0,0 +1,27 @@
+# --- Server (Docker host IP) ---
+SERVER_HOST=172.237.44.156
+
+# Authentik HTTP port exposed on the host
+COMPOSE_PORT_HTTP=9000
+COMPOSE_PORT_HTTPS=9443
+
+# Public URL Authentik uses for OAuth (no trailing slash)
+AUTHENTIK_HOST=http://172.237.44.156:9000
+
+# --- Authentik secrets (generate on first setup) ---
+PG_PASS=change-me-generate-with-openssl
+AUTHENTIK_SECRET_KEY=change-me-generate-with-openssl
+
+# --- OIDC app (after creating provider in Authentik UI) ---
+OIDC_APP_SLUG=oidc-demo
+OIDC_CLIENT_ID=your-client-id
+
+# --- This project's containers ---
+PUBLIC_WEB_URL=http://172.237.44.156
+PUBLIC_API_URL=http://172.237.44.156
+
+AUTHENTIK_URL=http://172.237.44.156:9000
+OIDC_ISSUER=
+OIDC_AUDIENCE=your-client-id
+
+CORS_ORIGIN=http://172.237.44.156

deploy/.gitignore

@@ -0,0 +1,2 @@
+.env
+authentik.compose.yml

deploy/README.md

@@ -0,0 +1,118 @@
+# Deploy on Ubuntu Server
+
+Docker setup for **Authentik** (OIDC) + **React frontend** + **Node API**.
+
+Docker host IP: `172.237.44.156`
+
+## Architecture
+
+```
+Browser
+   ├─► :80   web (React + nginx)
+   ├─► :3001 api (optional direct access)
+   └─► :9000 Authentik (login / OIDC)
+```
+
+## 1. Install Docker on Ubuntu
+
+Copy the project to the server, then:
+
+```bash
+cd deploy
+chmod +x install-ubuntu.sh start-authentik.sh
+sudo ./install-ubuntu.sh
+sudo usermod -aG docker $USER
+# Log out and SSH back in so docker runs without sudo
+```
+
+## 2. Configure environment
+
+```bash
+cd deploy
+cp .env.example .env
+nano .env
+```
+
+Set at minimum:
+
+| Variable | Example |
+|----------|---------|
+| `SERVER_HOST` | `172.237.44.156` |
+| `AUTHENTIK_HOST` | `http://172.237.44.156:9000` |
+| `PUBLIC_WEB_URL` | `http://172.237.44.156` |
+| `PUBLIC_API_URL` | `http://172.237.44.156` |
+| `OIDC_CLIENT_ID` | from Authentik provider (after step 4) |
+
+## 3. Start Authentik
+
+```bash
+chmod +x start-authentik.sh
+./start-authentik.sh
+```
+
+Or manually:
+
+```bash
+cp .env.authentik.example .env
+nano .env   # set AUTHENTIK_HOST=http://YOUR_SERVER_IP:9000
+mkdir -p data certs custom-templates
+docker compose -f docker-compose.authentik.yml --env-file .env up -d
+```
+
+Open `http://YOUR_SERVER_IP:9000` and create the admin account.
+
+**Ubuntu firewall** (if UFW is enabled):
+
+```bash
+sudo ufw allow 9000/tcp
+sudo ufw allow 80/tcp
+sudo ufw allow 3001/tcp
+```
+
+**Azure / cloud:** open inbound ports 80, 9000 (and 3001 if needed) in the network security group.
+
+## 4. Create OAuth app in Authentik
+
+1. **Providers** → **OAuth2/OpenID Provider**
+   - Client type: **Public**
+   - Redirect URIs: `http://YOUR_SERVER_IP` (and `http://YOUR_SERVER_IP/`)
+   - Scopes: `openid`, `profile`, `email`
+2. **Applications** → slug `oidc-demo`, link provider
+3. Copy **Client ID** → `OIDC_CLIENT_ID` in `deploy/.env`
+
+## 5. Build and start the demo app
+
+```bash
+docker compose --env-file .env up -d --build
+```
+
+Verify:
+
+```bash
+curl http://localhost/health          # via nginx → api
+curl http://localhost:3001/health     # api direct
+curl http://localhost:9000/if/flow/initial-setup/  # authentik (after setup)
+```
+
+Open **http://YOUR_SERVER_IP** in a browser and sign in.
+
+## Useful commands
+
+```bash
+# Logs
+docker compose --env-file .env logs -f
+docker compose -f docker-compose.authentik.yml --env-file .env logs -f
+
+# Stop
+docker compose --env-file .env down
+docker compose -f docker-compose.authentik.yml --env-file .env down
+
+# Rebuild frontend after .env URL changes
+docker compose --env-file .env up -d --build web
+```
+
+## Production notes
+
+- Put **HTTPS** in front (Caddy, nginx, or Traefik) and set `AUTHENTIK_HOST` / `PUBLIC_WEB_URL` to `https://…`
+- Set Authentik redirect URIs to your HTTPS frontend URL
+- Do not commit `deploy/.env` (secrets)

deploy/docker-compose.authentik.yml

@@ -0,0 +1,82 @@
+# Authentik on Ubuntu — official stack (PostgreSQL + server + worker)
+# Usage:
+#   cp .env.authentik.example .env
+#   nano .env
+#   mkdir -p data certs custom-templates
+#   docker compose -f docker-compose.authentik.yml --env-file .env up -d
+
+name: authentik
+
+services:
+  postgresql:
+    image: docker.io/library/postgres:16-alpine
+    restart: unless-stopped
+    env_file:
+      - .env
+    environment:
+      POSTGRES_DB: ${PG_DB:-authentik}
+      POSTGRES_PASSWORD: ${PG_PASS:?set PG_PASS in .env}
+      POSTGRES_USER: ${PG_USER:-authentik}
+    healthcheck:
+      test:
+        - CMD-SHELL
+        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
+      interval: 30s
+      retries: 5
+      start_period: 20s
+      timeout: 5s
+    volumes:
+      - database:/var/lib/postgresql/data
+
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.3}
+    restart: unless-stopped
+    command: server
+    shm_size: 512mb
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    env_file:
+      - .env
+    environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?set AUTHENTIK_SECRET_KEY in .env}
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      # Public URL for OAuth redirects (set in .env, e.g. http://YOUR_UBUNTU_IP:9000)
+      AUTHENTIK_HOST: ${AUTHENTIK_HOST:?set AUTHENTIK_HOST in .env}
+    ports:
+      - ${COMPOSE_PORT_HTTP:-9000}:9000
+      - ${COMPOSE_PORT_HTTPS:-9443}:9443
+    volumes:
+      - ./data:/data
+      - ./custom-templates:/templates
+
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.3}
+    restart: unless-stopped
+    command: worker
+    user: root
+    shm_size: 512mb
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    env_file:
+      - .env
+    environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?set AUTHENTIK_SECRET_KEY in .env}
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      AUTHENTIK_HOST: ${AUTHENTIK_HOST}
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data:/data
+      - ./certs:/certs
+      - ./custom-templates:/templates
+
+volumes:
+  database:
+    driver: local

deploy/docker-compose.yml

@@ -0,0 +1,44 @@
+# OIDC demo app (API + React). Run Authentik separately or via docker-compose.authentik.yml
+name: oidc-auth-app
+
+services:
+  api:
+    build:
+      context: ../backend
+      dockerfile: Dockerfile
+    restart: unless-stopped
+    environment:
+      PORT: 3001
+      CORS_ORIGIN: ${CORS_ORIGIN:-http://localhost}
+      AUTHENTIK_URL: ${AUTHENTIK_URL}
+      OIDC_APP_SLUG: ${OIDC_APP_SLUG:-oidc-demo}
+      OIDC_ISSUER: ${OIDC_ISSUER:-}
+      OIDC_AUDIENCE: ${OIDC_AUDIENCE}
+    ports:
+      - "${API_PORT:-3001}:3001"
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "node -e \"fetch('http://127.0.0.1:3001/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))\"",
+        ]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+
+  web:
+    build:
+      context: ../frontend
+      dockerfile: Dockerfile
+      args:
+        VITE_AUTHENTIK_URL: ${AUTHENTIK_HOST}
+        VITE_OIDC_APP_SLUG: ${OIDC_APP_SLUG:-oidc-demo}
+        VITE_OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
+        VITE_API_URL: ${PUBLIC_API_URL}
+    restart: unless-stopped
+    ports:
+      - "${WEB_PORT:-80}:80"
+    depends_on:
+      api:
+        condition: service_healthy

deploy/install-ubuntu.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+# Install Docker Engine + Compose plugin on Ubuntu 22.04/24.04
+set -euo pipefail
+
+if [[ "${EUID:-}" -ne 0 ]]; then
+  echo "Run as root: sudo ./install-ubuntu.sh"
+  exit 1
+fi
+
+apt-get update
+apt-get install -y ca-certificates curl gnupg
+
+install -m 0755 -d /etc/apt/keyrings
+if [[ ! -f /etc/apt/keyrings/docker.gpg ]]; then
+  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+  chmod a+r /etc/apt/keyrings/docker.gpg
+fi
+
+ARCH="$(dpkg --print-architecture)"
+CODENAME="$(. /etc/os-release && echo "${VERSION_CODENAME:-$UBUNTU_CODENAME}")"
+
+echo "deb [arch=${ARCH} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu ${CODENAME} stable" \
+  > /etc/apt/sources.list.d/docker.list
+
+apt-get update
+apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+systemctl enable docker
+systemctl start docker
+
+echo ""
+echo "Docker installed:"
+docker --version
+docker compose version
+echo ""
+echo "Next (as your user, not root):"
+echo "  sudo usermod -aG docker \$USER"
+echo "  # log out and back in, then:"
+echo "  cd deploy && cp .env.example .env && nano .env"
+echo "  ./setup-authentik.sh"
+echo "  docker compose -f docker-compose.authentik.yml --env-file .env up -d"
+echo "  docker compose --env-file .env up -d --build"

deploy/start-authentik.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Start Authentik on Ubuntu
+set -euo pipefail
+cd "$(dirname "$0")"
+
+if ! command -v docker >/dev/null 2>&1; then
+  echo "Docker not found. Run: sudo ./install-ubuntu.sh"
+  exit 1
+fi
+
+if [[ ! -f .env ]]; then
+  echo "Creating .env from .env.authentik.example"
+  cp .env.authentik.example .env
+  PG_PASS="$(openssl rand -base64 36 | tr -d '\n')"
+  AUTHENTIK_SECRET_KEY="$(openssl rand -base64 60 | tr -d '\n')"
+  sed -i.bak "s|^PG_PASS=.*|PG_PASS=${PG_PASS}|" .env
+  sed -i.bak "s|^AUTHENTIK_SECRET_KEY=.*|AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}|" .env
+  rm -f .env.bak
+  echo "Generated secrets in .env — edit AUTHENTIK_HOST to your server IP."
+fi
+
+mkdir -p data certs custom-templates
+
+docker compose -f docker-compose.authentik.yml --env-file .env up -d
+
+# shellcheck disable=SC1091
+source .env 2>/dev/null || true
+echo ""
+echo "Authentik starting. Open: ${AUTHENTIK_HOST:-http://YOUR_IP:9000}"
+echo "Logs: docker compose -f docker-compose.authentik.yml --env-file .env logs -f"