feature Keycloak Auth

.env.template

@@ -0,0 +1,207 @@
+# ===================================================================
+# Environment Configuration Template - Meldestelle Project
+# ===================================================================
+# Copy this file to .env and customize the values for your environment
+# Security Note: Never commit .env files containing production secrets!
+# ===================================================================
+
+# ===================================================================
+# Build Configuration
+# ===================================================================
+# Docker image versions
+DOCKER_GRADLE_VERSION=9.0.0
+DOCKER_JAVA_VERSION=21
+DOCKER_KEYCLOAK_VERSION=26.4.0
+DOCKER_PROMETHEUS_VERSION=v2.54.1
+DOCKER_GRAFANA_VERSION=11.3.0
+
+# Application version
+DOCKER_APP_VERSION=1.0.0
+APP_VERSION=1.0.0
+APP_NAME=Meldestelle
+
+# Build metadata
+BUILD_DATE=
+# BUILD_DATE will be auto-generated if not set
+
+# Spring profiles for services
+SPRING_PROFILES_ACTIVE=docker,keycloak
+DOCKER_SPRING_PROFILES_DEFAULT=default
+DOCKER_SPRING_PROFILES_DOCKER=docker
+
+# ===================================================================
+# Infrastructure Services - Port Configuration
+# ===================================================================
+# Database
+POSTGRES_DB=meldestelle
+# Note: Username and password are now managed via Docker secrets
+
+# Redis Cache
+REDIS_PORT=6379
+
+# Keycloak Authentication
+KEYCLOAK_PORT=8180
+KEYCLOAK_LOG_LEVEL=INFO
+
+# Service Discovery
+CONSUL_HOST=consul
+CONSUL_PORT=8500
+CONSUL_ENABLED=true
+
+# Messaging
+ZOOKEEPER_CLIENT_PORT=2181
+KAFKA_PORT=9092
+KAFKA_BROKER_ID=1
+KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR=1
+
+# Monitoring
+PROMETHEUS_PORT=9090
+GRAFANA_PORT=3000
+
+# ===================================================================
+# Application Services - Port Configuration
+# ===================================================================
+# API Gateway
+GATEWAY_HOST=api-gateway
+GATEWAY_PORT=8081
+
+# Microservices
+PING_SERVICE_PORT=8082
+MEMBERS_SERVICE_PORT=8083
+HORSES_SERVICE_PORT=8084
+EVENTS_SERVICE_PORT=8085
+MASTERDATA_SERVICE_PORT=8086
+AUTH_SERVICE_PORT=8087
+MONITORING_SERVER_PORT=8088
+
+# ===================================================================
+# Client Applications - Port Configuration
+# ===================================================================
+# Web Application
+WEB_APP_PORT=4000
+WEB_APP_DOMAIN=localhost
+NODE_ENV=production
+
+# Nginx Configuration
+NGINX_WORKER_PROCESSES=auto
+NGINX_WORKER_CONNECTIONS=1024
+
+# Desktop Application
+DESKTOP_VNC_WEB_PORT=6080
+DESKTOP_VNC_PORT=5901
+DESKTOP_APP_DOMAIN=localhost
+
+# ===================================================================
+# Security Configuration
+# ===================================================================
+# JWT Configuration
+JWT_ISSUER=meldestelle-auth-server
+JWT_AUDIENCE=meldestelle-services
+
+# Note: JWT_SECRET is now managed via Docker secrets
+# Generate with: openssl rand -hex 32
+
+# Keycloak Configuration
+KEYCLOAK_REALM=meldestelle
+KEYCLOAK_CLIENT_ID=api-gateway
+
+# Note: All passwords and secrets are now managed via Docker secrets
+# Run: ./docker/secrets/setup-secrets.sh to generate secure secrets
+
+# ===================================================================
+# Data Storage Configuration
+# ===================================================================
+# Data directory for persistent volumes
+# Default: ./data (relative to project root)
+# Production: /var/lib/meldestelle or dedicated mount point
+DATA_PATH=./data
+
+# Volume configuration
+# These directories will be created under DATA_PATH:
+# - postgres/     (PostgreSQL data)
+# - redis/        (Redis data)
+# - prometheus/   (Prometheus metrics)
+# - grafana/      (Grafana dashboards)
+# - keycloak/     (Keycloak data)
+# - consul/       (Consul data)
+# - monitoring/   (Custom monitoring data)
+# - desktop-app/  (Desktop application data)
+
+# ===================================================================
+# Development and Testing
+# ===================================================================
+# Enable debug mode for Java applications
+DEBUG=false
+
+# Enable Wasm compilation for client applications
+enableWasm=false
+
+# ===================================================================
+# Production Deployment Settings
+# ===================================================================
+# Container resource limits (configured in docker-compose files)
+# These are documented here for reference:
+
+# Infrastructure Services Resource Limits:
+# - postgres: 2 CPU, 2GB RAM (reserved: 0.5 CPU, 512MB RAM)
+# - redis: 1 CPU, 1GB RAM (reserved: 0.25 CPU, 256MB RAM)
+# - keycloak: 2 CPU, 2GB RAM (reserved: 0.5 CPU, 1GB RAM)
+# - consul: 1 CPU, 512MB RAM (reserved: 0.25 CPU, 128MB RAM)
+# - kafka: 2 CPU, 2GB RAM (reserved: 0.5 CPU, 512MB RAM)
+# - zookeeper: 1 CPU, 1GB RAM (reserved: 0.25 CPU, 256MB RAM)
+# - prometheus: 1 CPU, 2GB RAM (reserved: 0.25 CPU, 512MB RAM)
+# - grafana: 1 CPU, 1GB RAM (reserved: 0.25 CPU, 256MB RAM)
+# - api-gateway: 2 CPU, 2GB RAM (reserved: 0.5 CPU, 1GB RAM)
+
+# Microservices Resource Limits:
+# - ping-service: 1 CPU, 1GB RAM (reserved: 0.25 CPU, 256MB RAM)
+# - members-service: 2 CPU, 2GB RAM (reserved: 0.5 CPU, 512MB RAM)
+# - horses-service: 2 CPU, 2GB RAM (reserved: 0.5 CPU, 512MB RAM)
+# - events-service: 2 CPU, 2GB RAM (reserved: 0.5 CPU, 512MB RAM)
+# - masterdata-service: 1.5 CPU, 1.5GB RAM (reserved: 0.5 CPU, 512MB RAM)
+# - auth-server: 1.5 CPU, 1.5GB RAM (reserved: 0.5 CPU, 512MB RAM)
+
+# Client Applications Resource Limits:
+# - web-app: 1 CPU, 512MB RAM (reserved: 0.25 CPU, 128MB RAM)
+# - desktop-app: 2 CPU, 2GB RAM (reserved: 0.5 CPU, 512MB RAM)
+# - monitoring-server: 1 CPU, 1GB RAM (reserved: 0.25 CPU, 256MB RAM)
+
+# ===================================================================
+# Security Notes
+# ===================================================================
+# 1. All passwords and secrets are managed via Docker secrets
+# 2. Run ./docker/secrets/setup-secrets.sh to generate secure credentials
+# 3. Containers run as non-root users where possible
+# 4. Security options: no-new-privileges enabled for all services
+# 5. Networks are isolated with custom subnet (172.20.0.0/16)
+# 6. Volumes have proper permissions and are mounted read-only where appropriate
+# 7. Health checks are configured for all services
+# 8. Resource limits prevent resource exhaustion attacks
+
+# ===================================================================
+# Usage Instructions
+# ===================================================================
+# 1. Copy this file: cp .env.template .env
+# 2. Customize values in .env for your environment
+# 3. Generate secrets: ./docker/secrets/setup-secrets.sh --all
+# 4. Create data directories: mkdir -p ./data/{postgres,redis,prometheus,grafana,keycloak,consul}
+# 5. Deploy infrastructure: docker-compose -f docker-compose.yml.optimized up -d
+# 6. Deploy services: docker-compose -f docker-compose.yml.optimized -f docker-compose.services.yml.optimized up -d
+# 7. Deploy clients: docker-compose -f docker-compose.yml.optimized -f docker-compose.services.yml.optimized -f docker-compose.clients.yml.optimized up -d
+
+# ===================================================================
+# Monitoring and Logging
+# ===================================================================
+# Access URLs (when running with default ports):
+# - Grafana Dashboard: http://localhost:3000 (admin credentials in secrets)
+# - Prometheus Metrics: http://localhost:9090
+# - Consul UI: http://localhost:8500
+# - Keycloak Admin: http://localhost:8180/admin (admin credentials in secrets)
+# - API Gateway: http://localhost:8081
+# - Web Application: http://localhost:4000
+# - Desktop VNC: http://localhost:6080
+
+# Log locations (inside containers):
+# - Application logs: /app/logs/
+# - Nginx logs: /var/log/nginx/
+# - System logs: journalctl -u docker