add Jenkinsfile

.gitignore

@@ -4,7 +4,3 @@ apps/proxy
 apps/administration/*
 apps/tools/app/*
 env/secrets.env
-infra/core/traefik/data/acme.json
-infra/**/.env
-infra/**/*.env.local
-infra/secrets/*

.gitmodules

@@ -3,10 +3,4 @@
 	url = https://gitea.mindboost.team/Mindboost/mindboost-backend.git
 [submodule "apps/frontend/src"]
 	path = apps/frontend/src
-	url = https://gitea.mindboost.team/Mindboost/mindboost-webapp.git
-[submodule "apps/tools/invoiceninja/dockerfiles"]
-	path = apps/tools/invoiceninja/dockerfiles
-	url = https://github.com/invoiceninja/dockerfiles.git
-[submodule "apps/security/Eduroam Analyzer/asn-updater"]
-	path = apps/security/Eduroam Analyzer/asn-updater
-	url = https://gitea.mindboost.team/mindboost/education-flagger.git
+	url = https://gitea.mindboost.team/Mindboost/mindboost-webapp.git

Jenkinsfile

@@ -22,13 +22,5 @@ pipeline {
                 build job: 'frontend-pipeline', wait: true
             }
         }
-
-        stage('Deploy Infrastructure') {
-            steps {
-                sshagent(['jenkins-ssh-key']) {
-                    sh "ssh user@server 'cd /opt/myapp && git pull origin main && docker compose up -d'"
-                }
-            }
-        }
     }
 }

Makefile

@@ -1,42 +0,0 @@
-SHELL := /bin/bash
-
-# Environment selection
-ENV ?= development
-COMMON_ENV := infra/env/$(ENV)/common.env
-
-# Helper to pass env files if present
-define with_env
-$(foreach f,$(1),$(if $(wildcard $(f)),--env-file $(f),))
-endef
-
-.PHONY: bootstrap proxy-up proxy-down proxy-logs app-up app-down app-logs ps
-
-bootstrap:
-	@bash scripts/infra/bootstrap.sh
-
-proxy-up:
-	@docker compose -f infra/core/traefik/docker-compose.yml $(call with_env,$(COMMON_ENV) infra/apps/traefik/.env) up -d
-
-proxy-down:
-	@docker compose -f infra/core/traefik/docker-compose.yml $(call with_env,$(COMMON_ENV) infra/apps/traefik/.env) down
-
-proxy-logs:
-	@docker compose -f infra/core/traefik/docker-compose.yml $(call with_env,$(COMMON_ENV) infra/apps/traefik/.env) logs -f
-
-# Usage: make app-up APP=nextcloud
-APP ?=
-app-up:
-	@test -n "$(APP)" || (echo "APP not set. Example: make app-up APP=nextcloud" && exit 1)
-	@docker compose -f infra/apps/$(APP)/docker-compose.yml $(call with_env,$(COMMON_ENV) infra/apps/$(APP)/.env) up -d
-
-app-down:
-	@test -n "$(APP)" || (echo "APP not set. Example: make app-down APP=nextcloud" && exit 1)
-	@docker compose -f infra/apps/$(APP)/docker-compose.yml $(call with_env,$(COMMON_ENV) infra/apps/$(APP)/.env) down
-
-app-logs:
-	@test -n "$(APP)" || (echo "APP not set. Example: make app-logs APP=nextcloud" && exit 1)
-	@docker compose -f infra/apps/$(APP)/docker-compose.yml $(call with_env,$(COMMON_ENV) infra/apps/$(APP)/.env) logs -f
-
-ps:
-	@docker ps --format 'table {{.Names}}\t{{.Image}}\t{{.Status}}\t{{.Networks}}'
-

README.md

@@ -2,30 +2,6 @@
 
 All the software used and hosted by mindboost organized in containers.
 
-## New Infra (v2) Overview
-
-This repo now includes a modular, best‑practice infrastructure under `infra/` to make replication and selective deployment easy. It is centered on Traefik as the reverse proxy with automatic TLS via Let's Encrypt, environment layering, and pick‑what‑you‑need application stacks.
-
-- Core: `infra/core/traefik` — Traefik with HTTPS (ACME), dashboard, and sane defaults
-- Apps: `infra/apps/<service>` — self‑contained stacks (e.g., `nextcloud`)
-- Env: `infra/env/<environment>/common.env` — environment defaults (dev/prod)
-- Secrets: `infra/secrets/` — local secret storage (ignored by git)
-- Make targets: top‑level `Makefile` to bootstrap, start proxy, and start apps
-
-Quickstart
-
-- Copy `infra/env/development/common.env` and adjust domains and ACME email.
-- Create the shared proxy network and ACME storage: `make bootstrap`
-- Start Traefik: `make proxy-up`
-- Start a service, e.g. Nextcloud: `make app-up APP=nextcloud`
-
-Notes
-
-- Traefik dashboard is exposed at `TRAEFIK_DASHBOARD_DOMAIN` with optional basic auth.
-- Services connect to an external `proxy` network for routing, plus their own internal network.
-- Each app has its own `.env.example`; copy to `.env` and adjust.
-- The legacy `apps/` structure remains as-is; new infra is additive and can coexist.
-
 ## Project Structure
 
 ./apps/
@@ -211,4 +187,4 @@ These scripts can be run from the command line to perform various tasks related
 To use a script, navigate to the scripts directory and run:
 
 ```bash
-./script-name.sh
+./script-name.sh

apps/backend/docker-compose.overwrite.yml

@@ -43,6 +43,6 @@ services:
 volumes:
   backend_redis_data:
     driver: local
-    name: "${INFRASTRUCTURE_LABEL:-default}_backend_redis_data"
+    name: "${INFRASTRUCTURE_LABEL}_backend_redis_data"
 
 

apps/develop/adminer/docker-compose.overwrite.yml

@@ -1,8 +0,0 @@
-services:
-  adminer:
-          profiles: ["all", "database", "backend", "adminer", "app"]
-          image: adminer
-          container_name: ${INFRASTRUCTURE_LABEL:-default}-adminer-${ENVIRONMENT:-development}
-          restart: always
-          ports:
-              - ${ADMINER_PORT:-0}:8080

apps/develop/adminer/docker-compose.yml

@@ -1,20 +0,0 @@
-services:
-  adminer:
-          profiles: ["all", "database", "backend", "adminer", "app"]
-          image: adminer
-          container_name: ${INFRASTRUCTURE_LABEL:-default}-adminer-${ENVIRONMENT:-development}
-          restart: always
-          ports:
-              - ${ADMINER_PORT:-0}:8080
-          networks:
-              - database
-              - proxy
-          labels:
-              - "traefik.enable=${TRAEFIK_ENABLE:-false}"
-              - "traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_adminer.entrypoints=${TRAEFIK_ENTRYPOINT:-websecure}"
-              - "traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_adminer.rule=Host(`${ADMINER_DOMAIN:-adminer.local}`)"
-              - "traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_adminer.tls=true"
-              - "traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_adminer.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-http_resolver}"
-              - 'traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_adminer.service=adminer'
-              - "traefik.http.adminer.cloud.loadbalancer.server.port=8080"
-              - "traefik.docker.network=${TRAEFIK_NETWORK:-default}"

apps/develop/docker-compose.yml

@@ -1,9 +0,0 @@
-### Develop (./apps/develop/docker-compose.yml)
-# - [ ] Create services for Gitea, Jenkins, and Adminer
-# - [ ] Configure volumes for persistent storage of Git repositories, Jenkins data, and Adminer settings
-# - [ ] Set up environment variables using the new structure (../../env/${ENVIRONMENT:-development}/develop.env)
-# - [ ] Configure networking to allow these services to communicate with each other and the necessary application services
-# - [ ] Set up access controls and security measures for development tools
-
-include:
-  - ./gitea/docker-compose.yml

apps/develop/gitea/docker-compose.yml

@@ -1,44 +0,0 @@
-services:
-  gitea:
-    image: gitea/gitea:latest
-    container_name: ${INFRASTRUCTURE_LABEL:-mindboost}-gitea
-    profiles: ["all", "gitea","develop"]
-    restart: always
-    volumes:
-      - ${GITEA_VOLUME_PATH}:/data
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-    depends_on:
-      - gitea_db
-    labels:
-      - "traefik.enable=${TRAEFIK_ENABLE:-false}"
-      - "traefik.http.routers.gitea.entrypoints=${TRAEFIK_ENTRYPOINT}"
-      - "traefik.http.routers.gitea.rule=(Host(`${GITEA_DOMAIN})`)"
-      - "traefik.http.routers.gitea.tls=true"
-      - "traefik.http.routers.gitea.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
-      - "traefik.http.routers.gitea.service=gitea"
-      - 'traefik.http.services.gitea.loadbalancer.gitea.port=3000'
-      - "traefik.http.routers.gitea.tls.domains[0].main=`${GITEA_TLS_DOMAIN_MAIN}`"
-
-      # SSH routing, can't route based on host so anything to port 222 will come to this container
-      - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
-      - "traefik.tcp.routers.gitea-ssh.entrypoints=ssh"
-      - "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc"
-      - "traefik.tcp.services.gitea-ssh-svc.loadbalancer.gitea.port=22"
-
-  gitea_db:
-    image: mysql:latest
-    container_name: ${INFRASTRUCTURE_LABEL:-mindboost}-gitea_db
-    profiles: ["all", "gitea","develop"]
-    restart: always
-    environment:
-      - MYSQL_ROOT_PASSWORD=${GITEA_MYSQL_ROOT_PASSWORD}
-      - MYSQL_DATABASE=${GITEA_MYSQL_DATABASE}
-      - MYSQL_USER=${GITEA_MYSQL_USER}
-      - MYSQL_PASSWORD=${GITEA_MYSQL_PASSWORD}
-    volumes:
-      - ${GITEA_DATABASE_VOLUME_PATH}:/var/lib/mysql
-
-networks: 
-  gitea:
-    

apps/develop/jenkins/docker-compose.yml

@@ -1,40 +0,0 @@
-### Jenkins (./apps/frontend/docker-compose.yml)
-services:
-  jenkins:
-    image: jenkins/jenkins:lts
-    container_name: jenkins
-    ports:
-      - "50000:50000" # Jenkins Agent Port
-    volumes:
-      - ../../../volumes/develop/jenkins:/var/jenkins_home
-      - ./plugins.yml:/usr/share/jenkins/ref/plugins.yml
-    depends_on:
-      - jenkins-plugins
-    environment:
-      - JAVA_OPTS=-Djenkins.install.runSetupWizard=false
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.jenkins.rule=Host(`j.haslach2025.de`)"
-      - "traefik.http.routers.jenkins.entrypoints=websecure"
-      - "traefik.http.routers.jenkins.tls=true"
-      - "traefik.http.routers.jenkins.tls.certresolver=http_resolver"
-      - "traefik.http.services.jenkins.loadbalancer.server.port=8080" # interner Port von Jenkins
-      - "traefik.docker.network=proxy"
-
-  jenkins-plugins:
-    image: jenkins/jenkins:lts-jdk17
-    command: >
-      jenkins-plugin-cli -f /usr/share/jenkins/ref/plugins.yml --available-updates --output txt > /usr/share/jenkins/ref/plugins.yml
-    volumes:
-      - ./plugins.yml:/usr/share/jenkins/ref/plugins.yml
-    restart: "no"
-
-volumes:
-  jenkins_home:
-    driver: local
-
-networks:
-  proxy:
-    external: true

apps/docker-compose.all.yml

@@ -1,50 +0,0 @@
-##
-##      ONE SCRIPT TO RULE THEM ALL
-##
-##      Dieses Compose-File startet alle verfügbaren Services, abhängig von dem angegebenen ENVIRONMENT.
-
-##      Um diese Konfiguration zu verwenden, kannst du folgende Befehle nutzen:
-##      Um alle Services zu starten:
-##      docker compose -f docker-compose.all.yml --env-file ../env/.env.all --profile all up -d
-
-##      Um nur bestimmte Services zu starten (z.B. frontend und backend):
-##      docker compose -f docker-compose.all.yml --env-file ../env/.env.all --profile frontend --profile backend up -d
-
-##      
-##      Stellen Sie sicher, dass die .env.all Datei im angegebenen Verzeichnis existiert und den ENVIRONMENT Wert enthält.
-## 
-
-configs:
-  all:
-    file: ../env/.env.all
-include:
-  - path: ./proxy/docker-compose.yml
-    env_file: 
-      - ../env/.env.all
-      - ../env/${ENVIRONMENT:-development}/.env.proxy
-  - path: ./frontend/docker-compose.yml
-    env_file: 
-      - ../env/.env.all
-      - ../env/${ENVIRONMENT:-development}/.env.frontend
-  - path: ./backend/docker-compose.yml
-  - path: ./database/docker-compose.yml
-  - path: ./website/docker-compose.yml
-    env_file: 
-      - ../env/.env.all
-      - ../env/${ENVIRONMENT:-development}/.env.website
-      - ../env/${ENVIRONMENT:-development}/.env.proxy
-  - path: ./administration/docker-compose.yml
-    env_file: 
-      - ../env/.env.all
-      - ../env/${ENVIRONMENT:-development}/.env.administration
-      - ../env/${ENVIRONMENT:-development}/.env.proxy
-  - path: ./develop/docker-compose.yml
-    env_file: 
-      - ../env/.env.all
-      - ../env/${ENVIRONMENT:-development}/.env.develop
-      - ../env/${ENVIRONMENT:-development}/.env.proxy
-  - path: ./tools/docker-compose.yml
-    env_file: 
-      - ../env/.env.all
-      - ../env/${ENVIRONMENT:-development}/.env.tools
-      - ../env/${ENVIRONMENT:-development}/.env.proxy

apps/security/Eduroam Analyzer/.env.example

@@ -1,11 +0,0 @@
-# MaxMind (create a free GeoLite2 license key in your MaxMind account)
-MAXMIND_LICENSE_KEY=your_maxmind_license_key
-
-# PeeringDB (optional; reduces rate limits)
-PDB_API_KEY=your_peeringdb_api_key
-
-# existing Traefik/proxy network name (must already exist)
-PROXY_NETWORK=proxy
-
-# update interval in seconds (30 days)
-UPDATE_INTERVAL_SECONDS=2592000

apps/security/Eduroam Analyzer/.gitignore

@@ -1 +0,0 @@
-.env

apps/security/Eduroam Analyzer/Dockerfile

@@ -1,16 +0,0 @@
-FROM golang:1.22-alpine AS build
-WORKDIR /src
-COPY go.mod ./
-RUN go mod download
-COPY main.go ./
-RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/asn-header-service
-
-FROM alpine:3.20
-RUN adduser -D -H -u 10001 app
-USER 10001
-WORKDIR /app
-COPY --from=build /out/asn-header-service /app/asn-header-service
-EXPOSE 8080
-ENV ADDR=:8080
-ENTRYPOINT ["/app/asn-header-service"]
-

apps/security/Eduroam Analyzer/README.md

@@ -1,89 +0,0 @@
-# NREN / ASN Detection Service
-
-Dieses Projekt stellt einen **minimalen Microservice** bereit, um **Hochschul- und Forschungsnetzwerke (NRENs)** anhand der **Autonomous System Number (ASN)** zu erkennen.
-
-Der Zweck ist es, **Anfragen aus Hochschulnetzen (z. B. eduroam)** zu identifizieren, um **Research-bezogene Services kostenlos oder bevorzugt bereitzustellen**.
-
-Das System dient ausschließlich der **Netzwerk-Klassifikation** und **ersetzt keine Authentifizierung**.
-
----
-
-## Ziel
-
-- Erkennen, ob eine Anfrage aus einem **Hochschul- oder Forschungsnetz** stammt
-- Bereitstellung eines **Header-Hinweises** für nachgelagerte Services
-- Grundlage für Entscheidungen wie:
-  - kostenfreie Research-Features
-  - angepasste UI-Hinweise
-  - alternative Rate-Limits
-
----
-
-## Funktionsweise (Kurzfassung)
-
-```
-Client
-  → Traefik
-    → ForwardAuth
-      → ASN Detection Service
-        → Header wird ergänzt
-```
-
-1. Die Client-IP wird ermittelt
-2. Die zugehörige ASN wird lokal nachgeschlagen
-3. Die ASN wird mit einer NREN-ASN-Liste verglichen
-4. Das Ergebnis wird als HTTP-Header zurückgegeben
-
----
-
-## Datenquellen
-
-- **GeoLite2 ASN (MaxMind)**
-  - kostenlos
-  - lokal
-  - monatliche Aktualisierung
-
-- **NREN-ASN-Liste**
-  - abgeleitet aus PeeringDB
-  - Kategorie: `Research and Education`
-  - monatliche Aktualisierung
-
----
-
-## Bereitgestellte Header
-
-| Header | Beschreibung |
-|------|-------------|
-| `X-ASN` | ASN der Client-IP |
-| `X-ASN-ORG` | Organisation (optional) |
-| `X-NREN` | `1` wenn ASN zu einem Hochschul-/Forschungsnetz gehört, sonst `0` |
-
----
-
-## Integration
-
-Der Service wird als **Traefik ForwardAuth Middleware** eingebunden.  
-Die Header werden über `authResponseHeaders` an die eigentliche Anwendung weitergereicht.
-
-Der Service ist **nicht öffentlich exponiert** und kommuniziert ausschließlich über das interne Docker-Netzwerk.
-
----
-
-## Update-Strategie
-
-- monatliche Aktualisierung der ASN-Daten
-- keine externen Requests während der Anfrageverarbeitung
-
----
-
-## Einschränkungen
-
-- Die Erkennung ist **heuristisch**
-- Es gibt **keine Garantie**, dass jede Anfrage aus einem Hochschulnetz erkannt wird
-- Die Information darf **nicht als Authentifizierungsmerkmal** verwendet werden
-
----
-
-## Zusammenfassung
-
-Dieses Projekt ermöglicht eine **performante, datenschutzfreundliche Erkennung von Hochschulnetzen**, um **Research-Angebote kontextabhängig bereitzustellen**, ohne Nutzer zu identifizieren oder externe Dienste zur Laufzeit zu kontaktieren.

apps/security/Eduroam Analyzer/README_technical.md

@@ -1,89 +0,0 @@
-# NREN / ASN Detection Service
-
-Dieses Projekt stellt einen **minimalen Microservice** bereit, um **Hochschul- und Forschungsnetzwerke (NRENs)** anhand der **Autonomous System Number (ASN)** zu erkennen.
-
-Der Zweck ist es, **Anfragen aus Hochschulnetzen (z. B. eduroam)** zu identifizieren, um **Research-bezogene Services kostenlos oder bevorzugt bereitzustellen**.
-
-Das System dient ausschließlich der **Netzwerk-Klassifikation** und **ersetzt keine Authentifizierung**.
-
----
-
-## Ziel
-
-- Erkennen, ob eine Anfrage aus einem **Hochschul- oder Forschungsnetz** stammt
-- Bereitstellung eines **Header-Hinweises** für nachgelagerte Services
-- Grundlage für Entscheidungen wie:
-  - kostenfreie Research-Features
-  - angepasste UI-Hinweise
-  - alternative Rate-Limits
-
----
-
-## Funktionsweise (Kurzfassung)
-
-```
-Client
-  → Traefik
-    → ForwardAuth
-      → ASN Detection Service
-        → Header wird ergänzt
-```
-
-1. Die Client-IP wird ermittelt
-2. Die zugehörige ASN wird lokal nachgeschlagen
-3. Die ASN wird mit einer NREN-ASN-Liste verglichen
-4. Das Ergebnis wird als HTTP-Header zurückgegeben
-
----
-
-## Datenquellen
-
-- **GeoLite2 ASN (MaxMind)**
-  - kostenlos
-  - lokal
-  - monatliche Aktualisierung
-
-- **NREN-ASN-Liste**
-  - abgeleitet aus PeeringDB
-  - Kategorie: `Research and Education`
-  - monatliche Aktualisierung
-
----
-
-## Bereitgestellte Header
-
-| Header | Beschreibung |
-|------|-------------|
-| `X-ASN` | ASN der Client-IP |
-| `X-ASN-ORG` | Organisation (optional) |
-| `X-NREN` | `1` wenn ASN zu einem Hochschul-/Forschungsnetz gehört, sonst `0` |
-
----
-
-## Integration
-
-Der Service wird als **Traefik ForwardAuth Middleware** eingebunden.  
-Die Header werden über `authResponseHeaders` an die eigentliche Anwendung weitergereicht.
-
-Der Service ist **nicht öffentlich exponiert** und kommuniziert ausschließlich über das interne Docker-Netzwerk.
-
----
-
-## Update-Strategie
-
-- monatliche Aktualisierung der ASN-Daten
-- keine externen Requests während der Anfrageverarbeitung
-
----
-
-## Einschränkungen
-
-- Die Erkennung ist **heuristisch**
-- Es gibt **keine Garantie**, dass jede Anfrage aus einem Hochschulnetz erkannt wird
-- Die Information darf **nicht als Authentifizierungsmerkmal** verwendet werden
-
----
-
-## Zusammenfassung
-
-Dieses Projekt ermöglicht eine **performante, datenschutzfreundliche Erkennung von Hochschulnetzen**, um **Research-Angebote kontextabhängig bereitzustellen**, ohne Nutzer zu identifizieren oder externe Dienste zur Laufzeit zu kontaktieren.

apps/security/Eduroam Analyzer/docker-compose.yml

@@ -1,36 +0,0 @@
-services:
-  asn-header:
-    build: .
-    container_name: asn-header
-    restart: unless-stopped
-    env_file: .env
-    environment:
-      MMDB_PATH: /data/GeoLite2-ASN.mmdb
-      ASN_LIST_PATH: /data/nren_asns.txt
-      ADDR: ":8080"
-    volumes:
-      - asn_data:/data:ro
-    networks:
-      - proxy
-
-  asn-updater:
-    build: ./asn-updater
-    container_name: asn-updater
-    restart: unless-stopped
-    env_file: .env
-    environment:
-      OUT_DIR: /data
-      PDB_INFO_TYPE: "Research and Education"
-      INTERVAL_SECONDS: "${UPDATE_INTERVAL_SECONDS}"
-    volumes:
-      - asn_data:/data
-    networks:
-      - proxy
-
-networks:
-  proxy:
-    external: true
-    name: ${PROXY_NETWORK}
-
-volumes:
-  asn_data:

apps/security/Eduroam Analyzer/go.mod

@@ -1,6 +0,0 @@
-module asn-header-service
-
-go 1.22
-
-require github.com/oschwald/maxminddb-golang v1.13.1
-

apps/security/Eduroam Analyzer/main.go

@@ -1,158 +0,0 @@
-package main
-
-import (
-	"bufio"
-	"log"
-	"net"
-	"net/http"
-	"os"
-	"strconv"
-	"strings"
-	"sync/atomic"
-	"time"
-
-	"github.com/oschwald/maxminddb-golang"
-)
-
-type asnRecord struct {
-	ASN uint   `maxminddb:"autonomous_system_number"`
-	Org string `maxminddb:"autonomous_system_organization"`
-}
-
-type server struct {
-	db         *maxminddb.Reader
-	nrenASNs   map[uint]struct{}
-	ready      atomic.Bool
-	versionTag string
-}
-
-func loadASNSet(path string) (map[uint]struct{}, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	set := make(map[uint]struct{}, 4096)
-	sc := bufio.NewScanner(f)
-	for sc.Scan() {
-		line := strings.TrimSpace(sc.Text())
-		if line == "" || strings.HasPrefix(line, "#") {
-			continue
-		}
-		v, err := strconv.ParseUint(line, 10, 32)
-		if err != nil {
-			continue
-		}
-		set[uint(v)] = struct{}{}
-	}
-	return set, sc.Err()
-}
-
-func firstForwardedFor(r *http.Request) string {
-	xff := r.Header.Get("X-Forwarded-For")
-	if xff == "" {
-		return ""
-	}
-	parts := strings.Split(xff, ",")
-	if len(parts) == 0 {
-		return ""
-	}
-	return strings.TrimSpace(parts[0])
-}
-
-func remoteIP(r *http.Request) string {
-	// Prefer XFF (because Traefik is proxy)
-	ip := firstForwardedFor(r)
-	if ip != "" {
-		return ip
-	}
-	host, _, err := net.SplitHostPort(r.RemoteAddr)
-	if err == nil {
-		return host
-	}
-	return r.RemoteAddr
-}
-
-func (s *server) authHandler(w http.ResponseWriter, r *http.Request) {
-	if !s.ready.Load() {
-		w.WriteHeader(http.StatusServiceUnavailable)
-		return
-	}
-
-	ipStr := remoteIP(r)
-	parsed := net.ParseIP(ipStr)
-	if parsed == nil {
-		// Always 200: we enrich, not block
-		w.Header().Set("X-NREN", "0")
-		w.WriteHeader(http.StatusOK)
-		return
-	}
-
-	var rec asnRecord
-	if err := s.db.Lookup(parsed, &rec); err != nil || rec.ASN == 0 {
-		w.Header().Set("X-NREN", "0")
-		w.WriteHeader(http.StatusOK)
-		return
-	}
-
-	w.Header().Set("X-ASN", strconv.FormatUint(uint64(rec.ASN), 10))
-	if rec.Org != "" {
-		// optional: keep it short; some org strings can be long
-		w.Header().Set("X-ASN-ORG", rec.Org)
-	}
-
-	_, ok := s.nrenASNs[rec.ASN]
-	if ok {
-		w.Header().Set("X-NREN", "1")
-	} else {
-		w.Header().Set("X-NREN", "0")
-	}
-
-	w.Header().Set("Cache-Control", "no-store")
-	w.Header().Set("X-Service", s.versionTag)
-	w.WriteHeader(http.StatusOK)
-}
-
-func main() {
-	mmdbPath := getenv("MMDB_PATH", "/data/GeoLite2-ASN.mmdb")
-	asnListPath := getenv("ASN_LIST_PATH", "/data/nren_asns.txt")
-	addr := getenv("ADDR", ":8080")
-	version := getenv("VERSION_TAG", "asn-header-service")
-
-	db, err := maxminddb.Open(mmdbPath)
-	if err != nil {
-		log.Fatalf("failed to open mmdb: %v", err)
-	}
-	defer db.Close()
-
-	set, err := loadASNSet(asnListPath)
-	if err != nil {
-		log.Fatalf("failed to load asn list: %v", err)
-	}
-
-	s := &server{db: db, nrenASNs: set, versionTag: version}
-	s.ready.Store(true)
-
-	mux := http.NewServeMux()
-	mux.HandleFunc("/auth", s.authHandler)
-	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
-
-	srv := &http.Server{
-		Addr:              addr,
-		Handler:           mux,
-		ReadHeaderTimeout: 2 * time.Second,
-	}
-
-	log.Printf("listening on %s (asn_count=%d)", addr, len(set))
-	log.Fatal(srv.ListenAndServe())
-}
-
-func getenv(k, def string) string {
-	v := strings.TrimSpace(os.Getenv(k))
-	if v == "" {
-		return def
-	}
-	return v
-}
-

apps/security/docker-compose.linuxserver.yml

@@ -1,30 +0,0 @@
-services:
-  wireguard:
-    image: linuxserver/wireguard
-    container_name: wireguard
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-    environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=Europe/Berlin
-      - SERVERURL=${SERVER_IP:?"❌ ERROR = SERVERURL is not set. Run set-server-ip.sh first."}
-      - SERVERPORT=51820
-      - PEERS=3 # Number of VPN clients to generate
-      - PEERDNS=auto
-      - INTERNAL_SUBNET=22.22.22.0
-    volumes:
-      - ../../volumes/security/wireguard/config:/config
-      - /lib/modules:/lib/modules
-    ports:
-      - "51820:51820/udp"
-    sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-    restart: unless-stopped
-    networks:
-      - wireguard_network
-
-networks:
-  wireguard_network:
-    driver: bridge

apps/security/docker-compose.yml

@@ -1,50 +0,0 @@
-volumes:
-  etc_wireguard:
-
-services:
-  wg-easy:
-    environment:
-      # Change Language:
-      # (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi, ja, si)
-      - LANG=${WG_LANG:-de}
-      # ⚠️ Required:
-      # Change this to your host's public address
-      - WG_HOST=${SERVER_IP:-localhost}
-
-      # Optional:
-      # - PASSWORD_HASH=$$2y$$10$$hBCoykrB95WSzuV4fafBzOHWKu9sbyVa34GJr8VV5R/pIelfEMYyG # (needs double $$, hash of 'foobar123'; see "How_to_generate_an_bcrypt_hash.md" for generate the hash)
-      # - PORT=51821
-      # - WG_PORT=51820
-      # - WG_CONFIG_PORT=92820
-      - WG_DEFAULT_ADDRESS=${WG_DEFAULT_ADDRESS:-22.22.22.0}
-      # - WG_DEFAULT_DNS=1.1.1.1
-      # - WG_MTU=1420
-      # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
-      # - WG_PERSISTENT_KEEPALIVE=25
-      # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
-      # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
-      # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
-      # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
-      # - UI_TRAFFIC_STATS=true
-      # - UI_CHART_TYPE=0 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
-      # - WG_ENABLE_ONE_TIME_LINKS=true
-      # - UI_ENABLE_SORT_CLIENTS=true
-      # - WG_ENABLE_EXPIRES_TIME=true
-      # - ENABLE_PROMETHEUS_METRICS=false
-      # - PROMETHEUS_METRICS_PASSWORD=$$2a$$12$$vkvKpeEAHD78gasyawIod.1leBMKg8sBwKW.pQyNsq78bXV3INf2G # (needs double $$, hash of 'prometheus_password'; see "How_to_generate_an_bcrypt_hash.md" for generate the hash)
-
-    image: ghcr.io/wg-easy/wg-easy
-    container_name: wg-easy
-    volumes:
-      - ../../volumes/wireguardeasy/:/etc/wireguard
-    ports:
-      - "51820:51820/udp"
-      - "51821:51821/tcp"
-    restart: unless-stopped
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-      # - NET_RAW # ⚠️ Uncomment if using Podman
-    sysctls:
-      - net.ipv4.ip_forward=1
-      - net.ipv4.conf.all.src_valid_mark=1

apps/security/set-server-ip.sh

@@ -1,2 +0,0 @@
-#!/bin/bash
-export SERVER_IP=$(curl -s https://api.ipify.org)

apps/tools/docker-compose.yml

@@ -1,11 +0,0 @@
-### Tools (./apps/tools/docker-compose.yml)
-# - [ ] Create services for Nextcloud, LimeSurvey, and LinkStack
-# - [ ] Configure volumes for persistent storage of files, survey data, and link management data
-# - [ ] Set up environment variables using the new structure (../../env/${ENVIRONMENT:-development}/tools.env)
-# - [ ] Configure networking to expose these services to the internet via the proxy
-# - [ ] Set up regular backup jobs for critical data in these services
-
-include: 
-  - path: ./nextcloud/docker-compose.yml
-  - path: ./limesurvey/docker-compose.yml
-  - path: ./invoiceninja/dockerfiles/debian/docker-compose.yml

apps/tools/nextcloud/docker-compose.yml

@@ -1,59 +0,0 @@
-services:
-  nextcloud-db:
-    image: mariadb:10.6
-    container_name: ${INFRASTRUCTURE_LABEL:-default}-nextcloud-db-${ENVIRONMENT:-development}
-    profiles: ["all", "tools", "nextcloud"]
-    command: --transaction-isolation=READ-COMMITTED --innodb_read_only_compressed=OFF
-    restart: unless-stopped
-    volumes:
-      - /etc/localtime:/etc/localtime:ro
-      - /etc/timezone:/etc/timezone:ro
-      - ../../volumes/tools/${INFRASTRUCTURE_LABEL:-default}_cloud/database:/var/lib/mysql
-    environment:
-      - MYSQL_ROOT_PASSWORD=headpiece-constant1-denim-mindboost #SQL root Passwort eingeben
-      - MYSQL_PASSWORD=idealist9-frayed-murkiness-mindboost #SQL Benutzer Passwort eingeben
-      - MYSQL_DATABASE=nextcloud-mindboost #Datenbank Name
-      - MYSQL_USER=mindboostcloud #SQL Nutzername
-      - MYSQL_INITDB_SKIP_TZINFO=1
-      - MARIADB_AUTO_UPGRADE=1
-  nextcloud-redis:
-    image: redis:alpine
-    container_name: ${INFRASTRUCTURE_LABEL:-default}-nextcloud-redis-${ENVIRONMENT:-development} 
-    profiles: ["all", "tools", "nextcloud"]
-    hostname: nextcloud-redis
-    restart: unless-stopped
-    command: redis-server --requirepass redis-mindboost-passwort # Redis Passwort eingeben
-  cloud:
-    image: nextcloud
-    container_name: ${INFRASTRUCTURE_LABEL:-default}-nextcloud-app-${ENVIRONMENT:-development} 
-    profiles: ["all", "tools", "nextcloud"]
-    restart: unless-stopped
-    depends_on:
-      - nextcloud-db
-      - nextcloud-redis
-    environment:
-        TRUSTED_PROXIES: 172.16.255.254/16
-        OVERWRITEPROTOCOL: https
-        OVERWRITECLIURL: https://${CLOUD_DOMAIN:-cloud}
-        OVERWRITEHOST: ${CLOUD_DOMAIN:-cloud}
-        REDIS_HOST: nextcloud-redis
-        REDIS_HOST_PASSWORD: redis-mindboost-passwort # Redis Passwort von oben wieder eingeben
-    volumes:
-      - ../../volumes/tools/${INFRASTRUCTURE_LABEL:-default}_cloudapp/:/var/www/html/data
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_cloud.entrypoints=websecure"
-      - "traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_cloud.rule=Host(`${CLOUD_DOMAIN}`)"
-      - "traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_cloud.tls=true"
-      - "traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_cloud.tls.certresolver=http_resolver"
-      - 'traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_cloud.service=cloud'
-      - "traefik.http.services.cloud.loadbalancer.server.port=80"
-      - "traefik.docker.network=${TRAEFIK_NETWORK:-default}"
-      - "traefik.http.routers.${INFRASTRUCTURE_LABEL:-default}_cloud.middlewares=nextcloud-dav,default@file"
-      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
-      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"
-    networks:
-      - ${TRAEFIK_NETWORK}
-networks:
-  nextcloud:
-    name: ${INFRASTRUCTURE_LABEL:-default}_nextcloud

apps/website/docker-compose.yml

@@ -1,29 +0,0 @@
-services:
-  kirbycms:
-    build:
-      context: ./kirby
-      dockerfile: Dockerfile
-    image: kirbycms
-    container_name: ${INFRASTRUCTURE_LABEL:-default}-kirbycms-${ENVIRONMENT:-development}
-    profiles: ["website","kirbycms","all"]
-    volumes:
-      - kirbycms_data:/var/www/html:rw # Persistente Daten
-    restart: unless-stopped
-    ports:
-      - 0:80
-    networks:
-      - ${TRAEFIK_NETWORK:-default}
-    labels:
-      - "traefik.enable=${TRAEFIK_ENABLE:-false}"
-      - "traefik.docker.network=${TRAEFIK_NETWORK:-default}"
-      - "traefik.http.routers.kirbycms.service=kirbycms"
-      - "traefik.http.routers.kirbycms.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-default}"
-      - "traefik.http.routers.kirbycms.tls.domains[0].main=`${WEBSITE_DOMAIN:-kirby.local}`"
-      - "traefik.http.routers.kirbycms.rule=Host(`${WEBSITE_DOMAIN:-kirby.local}`)"
-      - "traefik.http.routers.kirbycms.entrypoints=${TRAEFIK_ENTRYPOINT:-default}"
-      - "traefik.http.routers.kirbycms.tls=true"
-      - "traefik.http.services.kirbycms.loadbalancer.server.port=80"
-volumes:
-  kirbycms_data:
-    driver: local
-

apps/website/kirby/Dockerfile

@@ -1,49 +0,0 @@
-# Use latest offical ubuntu image
-FROM ubuntu:latest
-
-# Set timezone
-ENV TZ=Europe/Berlin
-
-# Set geographic area using above variable
-# This is necessary, otherwise building the image doesn't work
-RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
-
-# Remove annoying messages during package installation
-ARG DEBIAN_FRONTEND=noninteractive
-
-# Install packages: web server & PHP plus extensions
-RUN apt-get update && apt-get install -y \
-  apache2 \
-  apache2-utils \
-  ca-certificates \
-  php \
-  libapache2-mod-php \
-  php-curl \
-  php-dom \
-  php-gd \
-  php-intl \
-  php-json \
-  php-mbstring \
-  php-xml \
-  php-zip && \
-  apt-get clean && rm -rf /var/lib/apt/lists/*
-
-# Copy virtual host configuration from current path onto existing 000-default.conf
-COPY default.conf /etc/apache2/sites-available/000-default.conf
-
-# Remove default content (existing index.html)
-RUN rm /var/www/html/*
-
-# Activate Apache modules headers & rewrite
-RUN a2enmod headers rewrite
-
-# Ensure Group Ownership for www-data every member of kirbygroup should edit files
-RUN groupadd -g 1003 kirbygroup && usermod -aG kirbygroup www-data
-RUN chown -R www-data:kirbygroup /var/www/html
-RUN chmod -R g+rw /var/www/html && find /var/www/html -type d -exec chmod g+xs {} \;
-
-# Tell container to listen to port 80 at runtime
-EXPOSE 80
-
-# Start Apache web server
-CMD [ "/usr/sbin/apache2ctl", "-DFOREGROUND" ]

apps/website/kirby/default.conf

@@ -1,9 +0,0 @@
-<VirtualHost *:80>
-    ServerName localhost
-    # Set the document root
-    DocumentRoot "/var/www/html"
-  <Directory "/var/www/html">
-    # Allow overriding the default configuration via `.htaccess`
-    AllowOverride All
-  </Directory>
-</VirtualHost>

apps/website/kirby/entrypoint.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-set -e -u
-
-[[ $USERID ]] && usermod --uid "${USERID}" www-data
-
-exec "$@"

apps/website/kirby/id.env

@@ -1 +0,0 @@
-USERID=${USERID:-0}

dev-fpm.docker-compose.yml

@@ -1,114 +0,0 @@
-version: "3.8"
-
-services:
-  mariadb_webapp_dev:
-    image: docker.io/bitnami/mariadb:11.1
-    container_name: ${DEV_COMPOSE_PREFIX:-dev}-mariadb
-    hostname: ${DEV_DB_HOST:-mariadb-webapp-dev}
-    environment:
-      MARIADB_USER: ${MARIADB_USER}
-      MARIADB_DATABASE: ${MARIADB_DATABASE}
-      MARIADB_PASSWORD: ${MARIADB_PASSWORD}
-      MARIADB_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD}
-    networks:
-      - dev_backend
-    volumes:
-      - mindboost_mariadb_data_dev:/var/lib/mysql
-
-  laravel-redis-dev:
-    image: redis:alpine
-    container_name: ${DEV_COMPOSE_PREFIX:-dev}-redis
-    hostname: ${DEV_REDIS_HOST:-laravel-redis-dev}
-    command: redis-server --appendonly yes --requirepass ${REDIS_PASSWORD}
-    networks:
-      - dev_backend
-    restart: unless-stopped
-    volumes:
-      - ./data/redis-dev:/data
-
-  laravel_backend_dev:
-    image: ${BACKEND_IMAGE}
-    container_name: ${DEV_COMPOSE_PREFIX:-dev}-backend
-    environment:
-      APP_ENV: ${APP_ENV:-production}
-      APP_NAME: ${APP_NAME:-Mindboost Backend Dev}
-      APP_URL: https://${DEV_BACKEND_DOMAIN}
-      FRONTEND_URL: https://${DEV_FRONTEND_DOMAIN}
-      DB_CONNECTION: mysql
-      DB_HOST: ${DEV_DB_HOST:-mariadb-webapp-dev}
-      DB_PORT: ${DB_PORT:-3306}
-      DB_DATABASE: ${MARIADB_DATABASE}
-      DB_USERNAME: ${MARIADB_USER}
-      DB_PASSWORD: ${MARIADB_PASSWORD}
-      REDIS_HOST: ${DEV_REDIS_HOST:-laravel-redis-dev}
-      REDIS_PASSWORD: ${REDIS_PASSWORD}
-      REDIS_PORT: ${REDIS_PORT:-6379}
-      CACHE_DRIVER: redis
-      QUEUE_CONNECTION: redis
-      SESSION_DRIVER: redis
-    volumes:
-      - ${BACKEND_CODE_PATH:-./apps/backend/src}:/app
-      - ${BACKEND_PUBLIC_PATH:-./apps/backend/src/public}:/var/www/public
-      - ${BACKEND_ENV_FILE:-./env/development/.env.backend}:/var/www/.env
-      - ./logs/backend-dev:/var/www/storage/logs
-    depends_on:
-      - mariadb_webapp_dev
-      - laravel-redis-dev
-    networks:
-      - dev_backend
-
-  laravel-nginx-dev:
-    image: nginx:alpine
-    container_name: ${DEV_COMPOSE_PREFIX:-dev}-nginx
-    volumes:
-      - ./nginx:/etc/nginx/conf.d:ro
-      - ${BACKEND_PUBLIC_PATH:-./apps/backend/src/public}:/var/www/public:ro
-    depends_on:
-      - laravel_backend_dev
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dev_backend_http.entrypoints=web"
-      - "traefik.http.routers.dev_backend_http.rule=Host(`${DEV_BACKEND_DOMAIN}`)"
-      - "traefik.http.routers.dev_backend_http.middlewares=traefik-https-redirect"
-      - "traefik.http.routers.dev_backend_https.entrypoints=websecure"
-      - "traefik.http.routers.dev_backend_https.rule=Host(`${DEV_BACKEND_DOMAIN}`)"
-      - "traefik.http.routers.dev_backend_https.tls=true"
-      - "traefik.http.routers.dev_backend_https.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
-      - "traefik.http.routers.dev_backend_https.service=dev_backend_service"
-      - "traefik.http.services.dev_backend_service.loadbalancer.server.port=80"
-      - "traefik.docker.network=${TRAEFIK_NETWORK}"
-    networks:
-      - dev_backend
-      - proxy
-
-  nuxt_frontend_dev:
-    image: ${NUXT_IMAGE}
-    container_name: ${DEV_COMPOSE_PREFIX:-dev}-frontend
-    environment:
-      VUE_APP_BACKEND_HOST_ADDRESS: https://${DEV_BACKEND_DOMAIN}
-      NUXT_PUBLIC_BACKEND_URL: https://${DEV_BACKEND_DOMAIN}
-    networks:
-      - dev_backend
-      - proxy
-    depends_on:
-      - laravel_backend_dev
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dev_frontend_http.entrypoints=web"
-      - "traefik.http.routers.dev_frontend_http.rule=Host(`${DEV_FRONTEND_DOMAIN}`)"
-      - "traefik.http.routers.dev_frontend_http.middlewares=traefik-https-redirect"
-      - "traefik.http.routers.dev_frontend_https.entrypoints=websecure"
-      - "traefik.http.routers.dev_frontend_https.rule=Host(`${DEV_FRONTEND_DOMAIN}`)"
-      - "traefik.http.routers.dev_frontend_https.tls=true"
-      - "traefik.http.routers.dev_frontend_https.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
-      - "traefik.http.services.dev_frontend_https.loadbalancer.server.port=${VUE_INTERNAL_PORT}"
-      - "traefik.docker.network=${TRAEFIK_NETWORK}"
-
-networks:
-  dev_backend:
-    driver: bridge
-  proxy:
-    external: true
-
-volumes:
-  mindboost_mariadb_data_dev:

docs/infra.md

@@ -1,29 +0,0 @@
-Infrastructure v2
-
-Goals
-
-- Modular stacks you can pick individually (Nextcloud, etc.)
-- Unified reverse proxy (Traefik) with automatic TLS
-- Clear env layering and git‑ignored secrets
-- Simple Make targets for a smooth DX
-
-Layout
-
-- infra/core/traefik: Traefik compose + static/dynamic config
-- infra/apps/<service>: Self‑contained compose stacks and .env.example
-- infra/env/<env>/common.env: Shared environment defaults per environment
-- infra/secrets: Local secret files (ignored)
-- scripts/infra/bootstrap.sh: Creates proxy network and ACME storage
-
-Usage
-
-1. cp infra/env/development/common.env infra/env/development/common.env (adjust values)
-2. make bootstrap
-3. make proxy-up
-4. make app-up APP=nextcloud
-
-Security
-
-- Do not commit real secrets. Place them in local `.env` files or secret managers.
-- Optionally protect Traefik dashboard with basic auth via `TRAEFIK_BASIC_AUTH_USERS`.
-

env/.env.all

@@ -1,39 +0,0 @@
-##
-##  Einstellung die für das gesamte Projekt gelten. Also der Name und der Admin
-##  Das Environment muss "production","staging" oder "development" heißen
-
-INFRASTRUCTURE_LABEL=mindboost
-ENVIRONMENT=development
-
-ADMIN_USER=${INFRASTRUCTURE_LABEL:-default}_${ENVIRONMENT:-development}
-ADMIN_PASSWORD_HASH='$2y$05$U7noO29Ru/4VB5x8TpZo3.b4VjH6AAnhufJJUG2Vs7qHCM2Cd8yIK' # for development = admin
-
-SERVER_IP=127.0.0.1
-
-
-#################################################################################################
-#                                      🔧 ENVIRONMENT VARIABLES 🔧                               #
-#################################################################################################
-#
-# This file contains **default (fallback) values** for environment variables.
-# These values ensure that services run with sane defaults if no other configuration is provided.
-#
-# 📌 **ENVIRONMENT VARIABLE PRIORITY ORDER (Lowest to Highest)**
-#  1️⃣ **Fallback Values in the File** (Used only if no other source provides a value)
-#  2️⃣ **Global Defaults in `.env.all`** (Shared settings across all services)
-#  3️⃣ **Service-Specific `.env` Files** (Overrides per service group, e.g., `.env.backend`, `.env.proxy`)
-#  4️⃣ **Preloaded Shell Environment** (`export VAR=value` before running `docker compose`)
-#  5️⃣ **CLI Overrides** (`docker compose --env-file` or `-e VAR=value` → Highest Priority)
-#
-# 🔄 **Overwriting Behavior**
-# - Variables defined in **`.env.all`** override values in this file.
-# - Variables defined in **`.env.<service>`** (e.g., `.env.backend`) override `.env.all`.
-# - Variables explicitly **exported in the shell** take priority over all `.env` files.
-# - Variables passed via **CLI (`--env-file` or `-e VAR=value`)** have the **highest priority**.
-#
-# 🚀 **Key Takeaways**
-# ✅ Use `.env.all` for common values across environments.
-# ✅ Use `.env.<service>` for service-specific configurations.
-# ✅ If needed, manually override variables in the shell or CLI.
-#
-#################################################################################################

env/README.md

@@ -1,50 +0,0 @@
-# 🔧 Environment Configuration Guide
-
-## 🌍 Overview
-This project uses **environment variables** to manage configuration across different environments (development, staging, production, etc.). These variables are loaded from `.env` files and can be overridden at multiple levels.
-
----
-
-## 📌 **Environment Variable Priority (Lowest to Highest)**
-
-| 🔢 Priority | 📄 Source | 🔍 Description |
-|------------|-----------------------------|------------------------------------------------|
-| 1️⃣ **Fallback Values** | hardcoded defaults | Used only if no other configuration is provided |
-| 2️⃣ **Global Defaults** | `.env.all` | Shared settings for all services |
-| 3️⃣ **Service-Specific Overrides** | `.env.backend`, `.env.proxy`, etc. | Overrides `.env.all` with service-specific values |
-| 4️⃣ **Shell Environment Variables** | `export VAR=value` before running | Takes precedence over `.env` files |
-| 5️⃣ **CLI Overrides** | `docker compose --env-file` or `-e VAR=value` | **Highest priority** (for temporary overrides) |
-
----
-
-## 🔄 **Overwriting Behavior**
-- 🏗 **Variables defined in `.env.all`** override fallback values.
-- 🏗 **Variables defined in `.env.<service>`** (e.g., `.env.backend`) override `.env.all`.
-- 🔧 **Manually exported environment variables** in the shell take priority over `.env` files.
-- 🚀 **Variables passed via CLI (`--env-file` or `-e VAR=value`)** override everything.
-
----
-
-## 🚀 **Best Practices**
-✔️ **Use `.env.all` for global configurations** (e.g., `ENVIRONMENT=development`, `INFRASTRUCTURE_LABEL=myinfra`).  
-✔️ **Use `.env.<service>` for service-specific configurations** (e.g., `.env.backend` for Laravel, `.env.database` for MariaDB).  
-✔️ **If needed, manually override variables in the shell** using `export VAR=value`.  
-✔️ **Use CLI `--env-file` for temporary overrides** in testing/debugging scenarios.  
-
----
-
-## 🏗 **Example File Structure**
-```sh
-/env/
-  ├── .env.all                  # Global default variables
-  ├── development/
-  │   ├── .env.backend          # Backend service config for development
-  │   ├── .env.database         # Database config for development
-  │   ├── .env.proxy            # Proxy config for development
-  ├── staging/
-  │   ├── .env.backend          # Backend service config for staging
-  │   ├── .env.database         # Database config for staging
-  ├── production/
-  │   ├── .env.backend          # Backend service config for production
-  │   ├── .env.database         # Database config for production
-

env/development/.env.administration

@@ -1,7 +0,0 @@
-# ----------------------------------
-# Portainer
-# ----------------------------------
-
-PORTAINER_IMAGE=portainer/portainer-ce:latest
-PORTAINER_DATA_PATH=../../../volumes/administration/portainer/data
-

env/development/.env.backend

@@ -1,31 +0,0 @@
-
-
-# ----------------------------------
-# Redis
-# ----------------------------------
-REDIS_PASSWORD=laravel-redis-passwort
-REDIS_PORT=6379
-SERVER_IP=${SERVER_IP:-localhost}
-
-# ----------------------------------
-# Laravel Backend
-# ----------------------------------
-BACKEND_NETWORK=backend
-APP_ENV=${ENVIRONMENT-local}
-APP_NAME="mindboost backend - Compose Deployment"
-APP_URL=https://backend.local
-LARAVEL_PORT=8000
-LARAVEL_VITE_PORT=5173
-JWT_SECRET=zMtO8sgsnc4UixWSsYWE1pK9EdpNLzxNSoIPlUpTe6dDlarM3bu4cwM80tH3jA0F
-
-# ----------------------------------
-# Datenbank Zugriff - ! MUSS MIT .env.database übereinstimmen
-# ----------------------------------
-DB_HOST=database
-DB_PORT=3306
-DB_PASSWORD=1stronges-mindboostdb-passwort
-DB_USERNAME=${INFRASTRUCTURE_LABEL:-default}_${ENVIRONMENT:-development}
-DB_DATABASE=${INFRASTRUCTURE_LABEL:-default}_${ENVIRONMENT:-development}
-
-
-

env/development/.env.database

@@ -1,9 +0,0 @@
-# ----------------------------------
-# Datenbank (MariaDB)
-# ----------------------------------
-MARIADB_USER=${INFRASTRUCTURE_LABEL:-default}_${ENVIRONMENT:-development}
-MARIADB_DATABASE=${INFRASTRUCTURE_LABEL:-default}_${ENVIRONMENT:-development}
-MARIADB_ROOT_PASSWORD_FILE=/run/secrets/mariadb_root
-MARIADB_PASSWORD=1stronges-mindboostdb-passwort
-MARIADB_PORT=3306
-MARIADB_HOST=database

env/development/.env.develop

@@ -1,25 +0,0 @@
-# ----------------------------------
-# GITEA
-# ----------------------------------
-
-USER_UID=1000
-USER_GID=1000
-
-GITEA_VOLUME_PATH=../../../volumes/develop/gitea/gitea
-GITEA_DATABASE_VOLUME_PATH=../../../volumes/develop/gitea/gitea_db
-
-GITEA_MYSQL_ROOT_PASSWORD=very-difficult-passwort-gitea
-GITEA_MYSQL_USER=gitea
-GITEA_MYSQL_PASSWORD=very-difficult-gitea
-GITEA_MYSQL_DATABASE=gitea
-GITEA_MYSQL_ALLOW_EMPTY_PASSWORD=true
-
-# ----------------------------------
-# GITEA DB
-# ----------------------------------
-
-DB_HOST=gitea_db:3306
-DB_NAME=gitea
-DB_PASSWD=very-difficult-gitea
-DB_TYPE=mysql
-DB_USER=gitea

env/development/.env.frontend

@@ -1,4 +0,0 @@
-# ----------------------------------
-# VUE APP
-# ----------------------------------
-BACKEND_URL="backend.local"

env/development/.env.proxy

@@ -1,51 +0,0 @@
-# ----------------------------------
-# TRAEFIK
-# ----------------------------------
-
-TRAEFIK_ENABLE=true
-TRAEFIK_NETWORK=proxy
-TRAEFIK_BASIC_AUTH_USERS=${ADMIN_USER}:${ADMIN_PASSWORD_HASH}
-TRAEFIK_CERT_RESOLVER=
-
-##              Domains when TRAEFIK is ENABLED
-
-PORTAINER_DOMAIN=portainer.local
-FRONTEND_DOMAIN=frontend.local
-FRONTEND_DOMAIN_2=app.frontend.local
-BACKEND_DOMAIN=backend.local
-WEBSITE_DOMAIN=web.local
-ADMINER_DOMAIN=adminer.local
-GITEA_DOMAIN=gitea.local
-LIMESURVEY_DOMAIN=survey.local
-LINKSTACK_DOMAIN=linkstack.local
-TRAEFIK_DOMAIN=traefik.local
-CLOUD_DOMAIN=cloud.local
-KILLBILL_DOMAIN=killbill.local
-
-###              TLS for Domains
-
-PORTAINER_TLS_DOMAIN_MAIN=${PORTAINER_DOMAIN}
-FRONTEND_TLS_DOMAIN_MAIN=${FRONTEND_DOMAIN}
-FRONTEND_TLS_DOMAIN_SANS=${FRONTEND_DOMAIN_2}
-BACKEND_TLS_DOMAIN_MAIN=${BACKEND_DOMAIN}
-WEBSITE_TLS_DOMAIN_MAIN=${WEBSITE_DOMAIN}
-GITEA_TLS_DOMAIN_MAIN=${GITEA_DOMAIN}
-LIMESURVEY_TLS_DOMAIN_MAIN=${LIMESURVEY_DOMAIN}
-LINKSTACK_TLS_DOMAIN_MAIN=${LINKSTACK_DOMAIN}
-TRAEFIK_TLS_DOMAIN_MAIN=${TRAEFIK_DOMAIN}
-CLOUD_TLS_DOMAIN_MAIN=${CLOUD_DOMAIN}
-KILLBILL_TLS_DOMAIN_MAIN=${KILLBILL_DOMAIN}
-
-
-##                      MIDDLEWARES
-
-TRAEFIK_HTTPS_REDIRECT_MIDDLEWARE=${INFRASTRUCTURE_LABEL:-default}-https-redirect
-TRAEFIK_BASIC_AUTH_MIDDLEWARE=${INFRASTRUCTURE_LABEL:-default}-basic-auth
-
-
-##                      ENTRYPOINTS
-
-TRAEFIK_ENTRYPOINT=websecure
-TRAEFIK_ENTRYPOINT_HTTP=web
-
-

env/development/.env.tools

@@ -1,29 +0,0 @@
-# ----------------------------------
-#  NEXTCLOUD DB
-# ----------------------------------
-
-MYSQL_ROOT_PASSWORD=headpiece-constant1-denim-mindboost #SQL root Passwort eingeben
-MYSQL_PASSWORD=idealist9-frayed-murkiness-mindboost #SQL Benutzer Passwort eingeben
-MYSQL_DATABASE=nextcloud-mindboost #Datenbank Name
-MYSQL_USER=mindboostcloud #SQL Nutzername
-MYSQL_INITDB_SKIP_TZINFO=1
-MARIADB_AUTO_UPGRADE=1
-
-# ----------------------------------
-#  NEXTCLOUD CLOUD
-# ----------------------------------
-
-TRUSTED_PROXIES=172.16.255.254/16
-OVERWRITEPROTOCOL=https
-OVERWRITECLIURL=https://${CLOUD_DOMAIN:-cloud}
-OVERWRITEHOST=${CLOUD_DOMAIN:-cloud}
-REDIS_HOST=nextcloud-redis
-REDIS_HOST_PASSWORD=redis-mindboost-passwort
-
-# ----------------------------------
-#  KILLBILL PAYMENT
-# ----------------------------------
-
-KILLBILL_DAO_URL=jdbc:mysql://db:3306/killbill
-KILLBILL_DAO_USER=${ADMIN_USER:-root}
-KILLBILL_DAO_PASSWORD=${ADMIN_PASSWORD_HASH}

env/development/.env.website

@@ -1,5 +0,0 @@
-# ----------------------------------
-#  KIRBY CMS
-# ----------------------------------
-
-USER_ID=0

env/development/portainer/backend.env

@@ -1,31 +0,0 @@
-
-
-# ----------------------------------
-# Redis
-# ----------------------------------
-REDIS_PASSWORD=laravel-redis-passwort
-REDIS_PORT=6379
-SERVER_IP=${SERVER_IP:-localhost}
-
-# ----------------------------------
-# Laravel Backend
-# ----------------------------------
-BACKEND_NETWORK=backend
-APP_ENV=${ENVIRONMENT-local}
-APP_NAME="mindboost backend - Compose Deployment"
-APP_URL=https://backend.local
-LARAVEL_PORT=8000
-LARAVEL_VITE_PORT=5173
-JWT_SECRET=zMtO8sgsnc4UixWSsYWE1pK9EdpNLzxNSoIPlUpTe6dDlarM3bu4cwM80tH3jA0F
-
-# ----------------------------------
-# Datenbank Zugriff - ! MUSS MIT .env.database übereinstimmen
-# ----------------------------------
-DB_HOST=database
-DB_PORT=3306
-DB_PASSWORD=1stronges-mindboostdb-passwort
-DB_USERNAME=${INFRASTRUCTURE_LABEL:-default}_${ENVIRONMENT:-development}
-DB_DATABASE=${INFRASTRUCTURE_LABEL:-default}_${ENVIRONMENT:-development}
-
-
-

env/production/.env.backend

@@ -1 +0,0 @@
-${REDIS_PASSWORD}

env/production/.env.database

@@ -1,7 +0,0 @@
-# ----------------------------------
-# Datenbank (MariaDB)
-# ----------------------------------
-MARIADB_USER=${INFRASTRUCTURE_LABEL:-default}_${ENVIRONMENT:-development}
-MARIADB_DATABASE=${INFRASTRUCTURE_LABEL:-default}_${ENVIRONMENT:-development}
-MARIADB_PASSWORD=1stronges-mindboostdb-passwort
-MARIADB_ROOT_PASSWORD=1stronges-passwort-fuer-diedb

env/production/.env.develop

@@ -1 +0,0 @@
-ADMINER_PORT=8000

env/production/.env.portainer

@@ -1,3 +0,0 @@
-PORTAINER_IMAGE=portainer/portainer-ce:latest
-PORTAINER_DATA_PATH=/opt/containers/portainer/data
-PORTAINER_DOMAIN=portainer.yourdomain.com

env/production/.env.proxy

@@ -1,32 +0,0 @@
-TRAEFIK_HTTPS_REDIRECT_MIDDLEWARE=${INFRASTRUCTURE_LABEL:-default}-https-redirect
-TRAEFIK_BASIC_AUTH_MIDDLEWARE=${INFRASTRUCTURE_LABEL:-default}-basic-auth
-TRAEFIK_BASIC_AUTH_USERS=${ADMIN_USER}:${ADMIN_PASSWORD_HASH}
-
-# Service Crowdsec
-SERVICES_CROWDSEC_CONTAINER_NAME=crowdsec
-SERVICES_CROWDSEC_HOSTNAME=crowdsec
-SERVICES_CROWDSEC_IMAGE=crowdsecurity/crowdsec
-SERVICES_CROWDSEC_IMAGE_VERSION=latest
-SERVICES_CROWDSEC_NETWORKS_CROWDSEC_IPV4=172.31.254.254
-
-# Service Traefik
-SERVICES_TRAEFIK_CONTAINER_NAME=${INFRASTRUCTURE_LABEL:-default}-traefik
-SERVICES_TRAEFIK_HOSTNAME=${INFRASTRUCTURE_LABEL:-default}-traefik
-SERVICES_TRAEFIK_IMAGE=traefik
-SERVICES_TRAEFIK_IMAGE_VERSION=2.11
-SERVICES_TRAEFIK_LABELS_TRAEFIK_HOST=`traefik.haslach2025.de`
-SERVICES_TRAEFIK_NETWORKS_CROWDSEC_IPV4=172.31.254.253
-SERVICES_TRAEFIK_NETWORKS_PROXY_IPV4=172.30.255.254
-
-# Service Traefik Crowdsec Bouncer
-SERVICES_TRAEFIK_CROWDSEC_BOUNCER_CONTAINER_NAME=traefik_crowdsec_bouncer
-SERVICES_TRAEFIK_CROWDSEC_BOUNCER_HOSTNAME=traefik-crowdsec-bouncer
-SERVICES_TRAEFIK_CROWDSEC_BOUNCER_IMAGE=fbonalair/traefik-crowdsec-bouncer
-SERVICES_TRAEFIK_CROWDSEC_BOUNCER_IMAGE_VERSION=latest
-SERVICES_TRAEFIK_CROWDSEC_BOUNCER_NETWORKS_CROWDSEC_IPV4=172.31.254.252
-
-# Netzwerkeinstellungen
-NETWORKS_PROXY_NAME=proxy
-NETWORKS_PROXY_SUBNET_IPV4=172.30.0.0/16
-NETWORKS_CROWDSEC_NAME=crowdsec
-NETWORKS_CROWDSEC_SUBNET_IPV4=172.31.0.0/16

env/staging/.env.administration

@@ -1,6 +0,0 @@
-
-
-# ----------------------------------
-# Portainer
-# ----------------------------------
-

env/staging/.env.backend

@@ -1,15 +0,0 @@
-
-
-# ----------------------------------
-# Redis
-# ----------------------------------
-
-
-# ----------------------------------
-# Laravel Backend
-# ----------------------------------
-
-
-# ----------------------------------
-# Adminer
-# ----------------------------------

env/staging/.env.database

@@ -1,3 +0,0 @@
-# ----------------------------------
-# Datenbank (MariaDB)
-# ----------------------------------

env/staging/.env.develop

@@ -1,9 +0,0 @@
-# ----------------------------------
-# GITEA
-# ----------------------------------
-
-
-
-# ----------------------------------
-# GITEA DB
-# ----------------------------------

env/staging/.env.frontend

@@ -1,3 +0,0 @@
-# ----------------------------------
-# VUE APP
-# ----------------------------------

env/staging/.env.proxy

@@ -1,4 +0,0 @@
-# ----------------------------------
-# TRAEFIK
-# ----------------------------------
-

env/staging/.env.tools

@@ -1,9 +0,0 @@
-# ----------------------------------
-#  NEXTCLOUD DB
-# ----------------------------------
-
-
-
-# ----------------------------------
-#  NEXTCLOUD CLOUD
-# ----------------------------------

env/staging/.env.website

@@ -1,4 +0,0 @@
-# ----------------------------------
-#  KIRBY CMS
-# ----------------------------------
-

infra/apps/nextcloud/.env.example

@@ -1,14 +0,0 @@
-# Nextcloud stack configuration
-
-NEXTCLOUD_DOMAIN=cloud.example.com
-
-# Database
-NEXTCLOUD_DB_NAME=nextcloud
-NEXTCLOUD_DB_USER=nextcloud
-NEXTCLOUD_DB_PASSWORD=changeMe
-NEXTCLOUD_DB_ROOT_PASSWORD=changeMeRoot
-
-# PHP tuning
-NEXTCLOUD_PHP_MEMORY_LIMIT=512M
-NEXTCLOUD_PHP_UPLOAD_LIMIT=1024M
-

infra/apps/nextcloud/README.md

@@ -1,13 +0,0 @@
-Nextcloud Stack
-
-Env vars required (copy .env.example to .env and adjust):
-
-- NEXTCLOUD_DOMAIN: public domain for Nextcloud
-- NEXTCLOUD_DB_NAME, NEXTCLOUD_DB_USER, NEXTCLOUD_DB_PASSWORD, NEXTCLOUD_DB_ROOT_PASSWORD
-- Optional: NEXTCLOUD_PHP_MEMORY_LIMIT, NEXTCLOUD_PHP_UPLOAD_LIMIT
-
-Usage
-
-- Ensure the Traefik proxy stack is up and the external `${TRAEFIK_NETWORK}` network exists.
-- Run: `docker compose --env-file ../../env/${ENV}/common.env --env-file ./.env -f docker-compose.yml up -d`
-

infra/apps/nextcloud/docker-compose.yml

@@ -1,70 +0,0 @@
-services:
-  nextcloud:
-    image: nextcloud:28-apache
-    container_name: ${INFRASTRUCTURE_LABEL:-stack}-nextcloud
-    restart: unless-stopped
-    depends_on:
-      - db
-      - redis
-    environment:
-      - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_DOMAIN}
-      - OVERWRITEHOST=${NEXTCLOUD_DOMAIN}
-      - OVERWRITEPROTOCOL=https
-      - OVERWRITECLIURL=https://${NEXTCLOUD_DOMAIN}
-      - REDIS_HOST=redis
-      - MYSQL_HOST=db
-      - MYSQL_DATABASE=${NEXTCLOUD_DB_NAME:-nextcloud}
-      - MYSQL_USER=${NEXTCLOUD_DB_USER:-nextcloud}
-      - MYSQL_PASSWORD=${NEXTCLOUD_DB_PASSWORD}
-      - PHP_MEMORY_LIMIT=${NEXTCLOUD_PHP_MEMORY_LIMIT:-512M}
-      - PHP_UPLOAD_LIMIT=${NEXTCLOUD_PHP_UPLOAD_LIMIT:-1024M}
-    volumes:
-      - nextcloud_data:/var/www/html
-    networks:
-      - nextcloud
-      - proxy
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.nextcloud.rule=Host(`${NEXTCLOUD_DOMAIN}`)
-      - traefik.http.routers.nextcloud.entrypoints=websecure
-      - traefik.http.routers.nextcloud.tls=true
-      - traefik.http.routers.nextcloud.tls.certresolver=letsencrypt
-      - traefik.http.services.nextcloud.loadbalancer.server.port=80
-      - traefik.http.routers.nextcloud.middlewares=security-headers@file
-      - traefik.docker.network=${TRAEFIK_NETWORK:-proxy}
-
-  db:
-    image: mariadb:11
-    container_name: ${INFRASTRUCTURE_LABEL:-stack}-nextcloud-db
-    restart: unless-stopped
-    environment:
-      - MYSQL_ROOT_PASSWORD=${NEXTCLOUD_DB_ROOT_PASSWORD}
-      - MYSQL_DATABASE=${NEXTCLOUD_DB_NAME:-nextcloud}
-      - MYSQL_USER=${NEXTCLOUD_DB_USER:-nextcloud}
-      - MYSQL_PASSWORD=${NEXTCLOUD_DB_PASSWORD}
-    volumes:
-      - db_data:/var/lib/mysql
-    networks:
-      - nextcloud
-
-  redis:
-    image: redis:7-alpine
-    container_name: ${INFRASTRUCTURE_LABEL:-stack}-nextcloud-redis
-    restart: unless-stopped
-    command: redis-server --appendonly yes
-    volumes:
-      - redis_data:/data
-    networks:
-      - nextcloud
-
-volumes:
-  nextcloud_data:
-  db_data:
-  redis_data:
-
-networks:
-  proxy:
-    external: true
-  nextcloud:
-    name: ${INFRASTRUCTURE_LABEL:-stack}-nextcloud
-

infra/core/traefik/docker-compose.yml

@@ -1,47 +0,0 @@
-services:
-  traefik:
-    image: traefik:v2.11
-    container_name: ${INFRASTRUCTURE_LABEL:-stack}-traefik
-    restart: unless-stopped
-    command: 
-      - --providers.file.directory=/etc/traefik/dynamic
-      - --providers.file.watch=true
-      - --providers.docker=true
-      - --providers.docker.exposedbydefault=false
-      - --providers.docker.network=${TRAEFIK_NETWORK:-proxy}
-      - --entrypoints.web.address=:80
-      - --entrypoints.websecure.address=:443
-      - --certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}
-      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
-      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
-      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
-      - --api.dashboard=true
-      - --log.level=${TRAEFIK_LOG_LEVEL:-INFO}
-      - --accesslog=true
-    ports:
-      - ${TRAEFIK_HTTP_PORT:-80}:80
-      - ${TRAEFIK_HTTPS_PORT:-443}:443
-    environment:
-      - TZ=${TZ:-UTC}
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./traefik.yml:/etc/traefik/traefik.yml:ro
-      - ./dynamic:/etc/traefik/dynamic:ro
-      - ./data:/letsencrypt
-    networks:
-      - proxy
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DASHBOARD_DOMAIN}`)
-      - traefik.http.routers.traefik.entrypoints=websecure
-      - traefik.http.routers.traefik.tls=true
-      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
-      - traefik.http.routers.traefik.service=api@internal
-      - traefik.docker.network=${TRAEFIK_NETWORK:-proxy}
-      # Optional: protect dashboard with basic auth if TRAEFIK_BASIC_AUTH_USERS is set
-      - traefik.http.routers.traefik.middlewares=dashboard-basicauth@file
-
-networks:
-  proxy:
-    external: true
-

infra/core/traefik/dynamic/middlewares.yml

@@ -1,25 +0,0 @@
-http:
-  middlewares:
-    redirect-to-https:
-      redirectScheme:
-        scheme: https
-        permanent: true
-
-    security-headers:
-      headers:
-        frameDeny: true
-        contentTypeNosniff: true
-        browserXssFilter: true
-        referrerPolicy: no-referrer-when-downgrade
-        stsSeconds: 31536000
-        stsIncludeSubdomains: true
-        stsPreload: true
-
-    dashboard-basicauth:
-      basicAuth:
-        users:
-          # Provide users via env TRAEFIK_BASIC_AUTH_USERS, format: user:hashedpassword
-          # Example to generate: htpasswd -nbB admin 'yourpassword'
-          # If env is empty, you can comment this middleware out from labels
-          - ${TRAEFIK_BASIC_AUTH_USERS:-}
-

infra/core/traefik/dynamic/tls.yml

@@ -1,6 +0,0 @@
-tls:
-  options:
-    default:
-      minVersion: VersionTLS12
-      sniStrict: true
-

infra/core/traefik/traefik.yml

@@ -1,30 +0,0 @@
-api:
-  dashboard: true
-
-providers:
-  docker:
-    exposedByDefault: false
-    network: ${TRAEFIK_NETWORK:-proxy}
-  file:
-    directory: /etc/traefik/dynamic
-    watch: true
-
-entryPoints:
-  web:
-    address: ":80"
-  websecure:
-    address: ":443"
-
-log:
-  level: ${TRAEFIK_LOG_LEVEL:-INFO}
-
-accessLog: {}
-
-certificatesResolvers:
-  letsencrypt:
-    acme:
-      email: ${ACME_EMAIL}
-      storage: /letsencrypt/acme.json
-      httpChallenge:
-        entryPoint: web
-

infra/env/common.env.example

@@ -1,14 +0,0 @@
-# Global/defaults
-INFRASTRUCTURE_LABEL=mindboost
-TZ=UTC
-
-# Traefik / proxy
-TRAEFIK_NETWORK=proxy
-TRAEFIK_HTTP_PORT=80
-TRAEFIK_HTTPS_PORT=443
-TRAEFIK_LOG_LEVEL=INFO
-ACME_EMAIL=you@example.com
-TRAEFIK_DASHBOARD_DOMAIN=traefik.example.com
-# Optional basic auth users for dashboard (format: user:hashed)
-#TRAEFIK_BASIC_AUTH_USERS=admin:$2y$05$...
-

infra/env/development/common.env

@@ -1,11 +0,0 @@
-# Development defaults (copy to production and adjust as needed)
-INFRASTRUCTURE_LABEL=dev
-TZ=UTC
-
-TRAEFIK_NETWORK=proxy
-TRAEFIK_HTTP_PORT=80
-TRAEFIK_HTTPS_PORT=443
-TRAEFIK_LOG_LEVEL=INFO
-ACME_EMAIL=dev@example.com
-TRAEFIK_DASHBOARD_DOMAIN=traefik.local
-

nginx/dev-backend.conf

@@ -1,27 +0,0 @@
-server {
-    listen 80;
-    server_name _;
-
-    root /var/www/public;
-    index index.php index.html;
-
-    add_header X-Content-Type-Options nosniff;
-    add_header X-Frame-Options SAMEORIGIN;
-    add_header X-XSS-Protection "1; mode=block";
-
-    location / {
-        try_files $uri $uri/ /index.php?$query_string;
-    }
-
-    location ~ \.php$ {
-        include fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
-        fastcgi_pass laravel_backend_dev:9000;
-        fastcgi_index index.php;
-    }
-
-    location ~ /\.(?!well-known).* {
-        deny all;
-    }
-}

scripts/infra/bootstrap.sh

@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Create external proxy network if it doesn't exist and prepare Traefik state
-
-NETWORK_NAME=${TRAEFIK_NETWORK:-proxy}
-ACME_FILE="infra/core/traefik/data/acme.json"
-
-echo "[bootstrap] Ensuring external network '${NETWORK_NAME}' exists..."
-if ! docker network ls --format '{{.Name}}' | grep -qx "${NETWORK_NAME}"; then
-  docker network create "${NETWORK_NAME}"
-  echo "[bootstrap] Created network '${NETWORK_NAME}'."
-else
-  echo "[bootstrap] Network '${NETWORK_NAME}' already exists."
-fi
-
-echo "[bootstrap] Ensuring ACME storage exists with correct permissions..."
-mkdir -p "$(dirname "${ACME_FILE}")"
-touch "${ACME_FILE}"
-chmod 600 "${ACME_FILE}"
-echo "[bootstrap] ACME storage ready at ${ACME_FILE}."
-
-echo "[bootstrap] Done."
-