init

deploy/.env.example

@@ -0,0 +1,29 @@
+# Copy to .env (compose picks it up automatically). All values are overridable
+# at deploy time; defaults in compose.yaml are sensible for lab use.
+
+# ─── Web exposure ────────────────────────────────────────────────────────────
+WEB_PORT=8080
+CORS_ALLOW_ORIGIN=http://localhost:8080
+
+# ─── Auth (LAB ONLY) ─────────────────────────────────────────────────────────
+# When DEV_AUTH=1 the backend accepts a `dev_subject` in the login body
+# instead of requiring the reverse-proxy header. Switch to 0 once mTLS
+# termination is wired in front of nginx.
+DEV_AUTH=1
+
+# ─── Scheduler ───────────────────────────────────────────────────────────────
+# 6-field cron: sec min hour day month weekday
+CRON_SCHEDULE=0 0 3 * * *
+DAYS_WINDOW=30
+
+# ─── Storage ─────────────────────────────────────────────────────────────────
+DATABASE_URL=sqlite:///data/smgw.db?mode=rwc
+
+# ─── Sub-CA (TR-03129-4) ─────────────────────────────────────────────────────
+SUB_CA_ENDPOINT=https://test-ca.local/soap
+
+# ─── HSM (SoftHSMv2 inside container) ────────────────────────────────────────
+HSM_MODULE=/usr/lib/softhsm/libsofthsm2.so
+
+# ─── Logging ─────────────────────────────────────────────────────────────────
+RUST_LOG=info,smgw_pki_automator=debug

deploy/compose.yaml

@@ -0,0 +1,50 @@
+name: smgw-pki
+
+services:
+  backend:
+    image: smgw-pki-automator:dev
+    build:
+      context: ../backend
+      dockerfile: Dockerfile
+    container_name: smgw-pki-automator
+    environment:
+      RUST_LOG: ${RUST_LOG:-info,smgw_pki_automator=debug}
+      BIND_ADDR: 0.0.0.0:8443
+      CRON_SCHEDULE: ${CRON_SCHEDULE:-0 0 3 * * *}
+      DAYS_WINDOW: ${DAYS_WINDOW:-30}
+      DATABASE_URL: ${DATABASE_URL:-sqlite:///data/smgw.db?mode=rwc}
+      CORS_ALLOW_ORIGIN: ${CORS_ALLOW_ORIGIN:-http://localhost:8080}
+      DEV_AUTH: ${DEV_AUTH:-1}
+      SUB_CA_ENDPOINT: ${SUB_CA_ENDPOINT:-https://test-ca.local/soap}
+      HSM_MODULE: ${HSM_MODULE:-/usr/lib/softhsm/libsofthsm2.so}
+    volumes:
+      - backend_data:/data
+      - softhsm_tokens:/var/lib/softhsm/tokens
+    expose:
+      - "8443"
+    healthcheck:
+      test: ["CMD", "curl", "-fsS", "http://localhost:8443/health"]
+      interval: 5s
+      timeout: 3s
+      retries: 10
+      start_period: 10s
+
+  frontend:
+    image: smgw-pki-console:dev
+    build:
+      context: ../frontend
+      dockerfile: Dockerfile
+    container_name: smgw-pki-console
+    depends_on:
+      backend:
+        condition: service_healthy
+    ports:
+      - "${WEB_PORT:-8080}:80"
+    volumes:
+      # nginx.conf lives next to compose.yaml so ops can iterate without
+      # rebuilding the frontend image. Reload via `just nginx-reload`.
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+
+volumes:
+  backend_data:
+  softhsm_tokens:

deploy/nginx.conf

@@ -0,0 +1,44 @@
+server {
+    listen 80;
+    server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # SPA: route everything that isn't a real file back to index.html so
+    # TanStack Router handles deep links.
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # API → Rust backend. The compose network name `backend` resolves to the
+    # smgw-pki-automator service.
+    location /api/ {
+        proxy_pass http://backend:8443/api/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # mTLS terminating proxy in front of nginx is expected to set this
+        # header. In dev (DEV_AUTH=1) the backend accepts a body field instead.
+        proxy_set_header X-Forwarded-Cert-Subject $http_x_forwarded_cert_subject;
+
+        proxy_buffering off;
+        proxy_read_timeout 300s;
+    }
+
+    # PKI callback path (TR-03129-4). Kept separate so it can be moved behind
+    # a different listener that requires a Sub-CA client certificate.
+    location /pki/ {
+        proxy_pass http://backend:8443/pki/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+
+    # Long-cache hashed assets.
+    location ~* \.(js|css|woff2?|svg|png|webp|avif)$ {
+        expires 7d;
+        access_log off;
+        try_files $uri =404;
+    }
+}