factory/vibe/guidebooks/lab-ecosystem/03-cms.md

vibe > Guidebooks > Lab ecosystem > 03 · cms

03 · cms

Status: ✅ Active Last Updated: 2026-06-23 Upstream: 01 · factory Related: 02 · tools · secrets-and-vault.md Deeper dive: CMS guidebook

The cms repo is the public-facing site of the lab: a Nuxt static site served at arcodange.fr, plus the OpenTofu that owns its Cloudflare edge and its Zoho email. It is the one app whose primary audience is the open Internet, so it ties together the public-DNS, tunnel, CAPTCHA, and email plumbing.

The Nuxt site

Aspect	Detail
App	Static Nuxt site
Chart	chart/ — Helm chart, deployed as ArgoCD app cms into the cms namespace
Image	Built in CI to the Gitea registry; ArgoCD Image Updater tracks gitea.arcodange.lab/arcodange-org/cms:latest with the digest strategy (see 01 · factory)
Hostname	arcodange.fr (public)

Cloudflare edge (cloudflare/)

OpenTofu (state in cloud object storage) manages the arcodange.fr zone. The domain is registered at OVH (factory's iac/ovh.tf grants the CMS an OVH OAuth2 client to edit nameservers) but its DNS is delegated to Cloudflare. The Cloudflare API token + account ID are pushed into the CMS Gitea repo as action secrets and mirrored into Vault by factory's iac/cloudflare.tf.

Cloudflare object	Purpose
Zone arcodange.fr	Public DNS for the site + email records
Cloudflare Pages option	Static-hosting alternative for the Nuxt build
Cloudflared Zero-Trust tunnel	Exposes internal Traefik to the Internet without opening home-LAN ports
Turnstile CAPTCHA	Bot challenge on forms; wired to CrowdSec for decisioning

The Cloudflared tunnel token and Turnstile secret are stored in Vault (see secrets-and-vault.md); the Turnstile → CrowdSec link is the public-edge guard documented in 02 · tools.

Zoho email (zoho/)

Sets up email for arcodange.fr: org/account lookup via the Zoho API + shell scripts, the full DNS authentication record set, and the public aliases.

DNS record	Role
CNAME (verify)	Domain ownership verification
MX	Mail routing to Zoho
SPF	Authorized senders
DKIM	Outbound signing
DMARC	Alignment + reporting policy
BIMI	Brand logo in inboxes

Seven aliases are provisioned: bonjour, contact, analytics, books, abonnements, helloworld, bureaux.

Public request + email path

%%{init: {'theme': 'base'}}%%
flowchart LR
    classDef edge fill:#d97706,stroke:#b45309,color:#fff
    classDef proc fill:#059669,stroke:#047857,color:#fff
    classDef store fill:#7c3aed,stroke:#6d28d9,color:#fff

    USER(["Visitor"]):::edge
    CF["Cloudflare<br>DNS + Turnstile"]:::edge
    TUN["Cloudflared tunnel"]:::edge
    TRAEFIK["internal Traefik"]:::proc
    CS["CrowdSec bouncer"]:::proc
    CMS["cms pod (Nuxt)<br>arcodange.fr"]:::proc
    MAIL(["Sender"]):::edge
    ZOHO["Zoho<br>MX / SPF / DKIM / DMARC / BIMI"]:::store

    USER --> CF -- "Turnstile challenge" --> TUN --> TRAEFIK --> CS --> CMS
    MAIL -- "MX lookup arcodange.fr" --> ZOHO

1. A visitor resolves arcodange.fr through Cloudflare DNS; form submissions hit a Turnstile challenge.
2. Traffic enters the home LAN through the Cloudflared Zero-Trust tunnel — no home-LAN ports are opened.
3. The tunnel lands on internal Traefik, which routes through the CrowdSec bouncer (fed Turnstile/decision signals) to the cms Nuxt pod.
4. Separately, email to arcodange.fr follows the MX record to Zoho, with SPF/DKIM/DMARC/BIMI authenticating and presenting the mail; the seven aliases land there.

Cross-references

• CMS guidebook — the deeper-dive map of the cms repo: the Nuxt site, the Cloudflare edge, and Zoho email.
• Lab ecosystem hub — the whole-lab map.
• 01 · factory — the ArgoCD app cms, and iac/cloudflare.tf / iac/ovh.tf that grant the CMS its Cloudflare token and OVH nameserver-edit rights.
• 02 · tools — CrowdSec (the Traefik bouncer the Turnstile challenge feeds).
• secrets-and-vault.md — the Cloudflared tunnel token and Turnstile/Cloudflare secrets stored in Vault.
• Repo: arcodange-org/cms.