arcodange-org/factory
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
9b545e6f8f1a2c1ba0c32e9a51a2d5d5b1d3447f
factory/vibe/guidebooks/cms
History

README.md

vibe > Guidebooks > CMS

CMS

Status: Active Last Updated: 2026-06-23 Upstream: lab-ecosystem 03 · cms Downstream: Site (Nuxt) · Cloudflare · Zoho email Related: tools CrowdSec · secrets-and-vault concept · tofu CI flow · safe-env ADR

This guidebook maps the cms repo — the one app in the lab whose primary audience is the open Internet. It serves the public site arcodange.fr and owns the OpenTofu that wires its Cloudflare edge, its Cloudflared tunnel into the cluster, its Turnstile CAPTCHA, and its Zoho email.

Two faces of one repo

The cms repo holds two distinct concerns that share a domain but live in different directories.

Face Where What it is
The SITE repo root (app/, content/, chart/) A Nuxt 4 application (Nuxt Content + Nuxt Studio) built to static output and deployed two ways: to Cloudflare Pages (public arcodange.fr / www) and into k3s via a Helm chart (ArgoCD app cms) reachable through the Cloudflared tunnel (e.g. cms-rec.arcodange.fr, www.arcodange.lab)
The IaC cloudflare/ OpenTofu managing the arcodange.fr zone (registered at OVH, DNS delegated to Cloudflare), Cloudflare Pages, the Cloudflared Zero-Trust tunnel into internal Traefik, a Turnstile CAPTCHA feeding CrowdSec, and Zoho email

The site is what visitors see; the IaC is how they reach it and how mail flows. Both deploy from the same Gitea repo through Gitea Actions.

Public request + email flow

%%{init: {'theme': 'base'}}%%
flowchart LR
    classDef edge fill:#d97706,stroke:#b45309,color:#fff
    classDef proc fill:#059669,stroke:#047857,color:#fff
    classDef store fill:#7c3aed,stroke:#6d28d9,color:#fff

    USER(["Visitor"]):::edge
    CFDNS["Cloudflare DNS<br>arcodange.fr zone"]:::edge
    PAGES["Cloudflare Pages<br>(static Nuxt build)"]:::proc
    TUN["Cloudflared tunnel"]:::edge
    TRAEFIK["internal Traefik"]:::proc
    CS["CrowdSec bouncer<br>(Turnstile-backed)"]:::proc
    CMS["cms pod (Nuxt)<br>cms-rec.arcodange.fr"]:::proc
    MAIL(["Sender"]):::edge
    ZOHO["Zoho<br>MX / SPF / DKIM / DMARC / BIMI"]:::store

    USER --> CFDNS
    CFDNS -- "arcodange.fr / www" --> PAGES
    CFDNS -- "*.arcodange.fr" --> TUN
    TUN --> TRAEFIK --> CS --> CMS
    MAIL -- "MX lookup arcodange.fr" --> ZOHO
  1. A visitor resolves a hostname under arcodange.fr through Cloudflare DNS (the zone OpenTofu manages).
  2. The apex and www records (proxied CNAMEs) land on Cloudflare Pages, which serves the static Nuxt build directly from the edge.
  3. Wildcard *.arcodange.fr hostnames route through the Cloudflared Zero-Trust tunnel — no home-LAN ports are opened — onto internal Traefik, which passes the request through the CrowdSec bouncer (its CAPTCHA challenge backed by Turnstile) to the in-cluster cms Nuxt pod (e.g. cms-rec.arcodange.fr).
  4. Separately, email to arcodange.fr follows the MX record to Zoho, with SPF/DKIM/DMARC/BIMI authenticating and presenting the mail.

Index

Page What it maps Status
Site (Nuxt) The Nuxt 4 app: Nuxt Content + Studio, static build, the dual deploy to Cloudflare Pages and to k3s via the Helm chart / ArgoCD app cms Active
Cloudflare The cloudflare/ OpenTofu: zone (OVH-registered, CF-delegated), Pages, the Cloudflared tunnel into Traefik, and the Turnstile CAPTCHA for CrowdSec Active
Zoho email Zoho mail IaC: domain verification, MX/SPF/DKIM/DMARC/BIMI records, and the public aliases Active

Maintenance rule

Important

If any component documented in this guidebook is altered, update the page describing it in the same change. A reference map that drifts from the real cms repo sends readers and agents down dead paths. The PR that changes a component is the PR that updates its CMS guidebook page.

Cross-references

  • lab-ecosystem 03 · cms — the whole-lab view of where cms sits among factory + tools.
  • tools CrowdSec — the Traefik bouncer the Turnstile challenge feeds for public-edge decisioning.
  • secrets-and-vault concept — where the Cloudflared tunnel token, Turnstile secret, and Cloudflare/Zoho/OVH credentials live in Vault.
  • tofu CI flow — the OpenTofu apply pipeline pattern the cloudflare/ IaC follows in Gitea Actions.
  • safe-env ADR — why public-facing surfaces like this one are isolated from a safe prod-like environment.
  • Repo: arcodange-org/cms.
Reference in New Issue View Git Blame Copy Permalink