arcodange-org/factory
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b886f068242fdd25c8f46e0f725e6d6c801f087c
factory/vibe/guidebooks/lab-ecosystem/03-cms.md
Gabriel Radureau 7647a68cdc docs(vibe): bootstrap vibe/ knowledge tree + ecosystem AGENTS.md 
Add a root AGENTS.md (ecosystem map of factory/tools/cms + agent operating
rules + the persona cohort & workflow) and a new vibe/ knowledge base for LLM
agents, modeled on tree-docs conventions and the factory house style.

vibe/ folders (each with a README hub + contribution rules):
- ADR/      optimized MADR-lite; canonical home going forward (doc/adr stays historical)
- PRD/      one subfolder per PRD, mandatory STATUS.md, QA strategy for big ones
- investigations/  single INV-NNN-slug.md, or stub + folder w/ notebooks
- guidebooks/      tree-docs maps; lab-ecosystem guidebook of factory+tools+cms
- runbooks/        [AGENT]/[HUMAN] step procedures (EN; doc/runbooks stays FR)
- shareouts/       dated FR handouts (decks/mp4)

Seed content (first ADR + PRD): a safe, production-like environment to rehearse
risky changes and recovery without touching real prod — local-only sandbox
(k3d + arm64 VMs) with a hard prod/sandbox isolation boundary. Includes
INV-001 (prod blast-radius couplings), the ecosystem guidebook, and a FR shareout.

Conventions enforced: no-tombstone rule, breadcrumb spine, bidirectional
cross-links, theme:base mermaid (MCP-validated) + ordered-list-after-diagram.
Built with a Workflow + persona cohort; 24 files, zero dead links.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:52:37 +02:00

4.6 KiB
Raw Blame History

vibe > Guidebooks > Lab ecosystem > 03 · cms

03 · cms

Status: Active Last Updated: 2026-06-23 Upstream: 01 · factory Related: 02 · tools · secrets-and-vault.md

The cms repo is the public-facing site of the lab: a Nuxt static site served at arcodange.fr, plus the OpenTofu that owns its Cloudflare edge and its Zoho email. It is the one app whose primary audience is the open Internet, so it ties together the public-DNS, tunnel, CAPTCHA, and email plumbing.

The Nuxt site

Aspect Detail
App Static Nuxt site
Chart chart/ — Helm chart, deployed as ArgoCD app cms into the cms namespace
Image Built in CI to the Gitea registry; ArgoCD Image Updater tracks gitea.arcodange.lab/arcodange-org/cms:latest with the digest strategy (see 01 · factory)
Hostname arcodange.fr (public)

Cloudflare edge (cloudflare/)

OpenTofu (state in cloud object storage) manages the arcodange.fr zone. The domain is registered at OVH (factory's iac/ovh.tf grants the CMS an OVH OAuth2 client to edit nameservers) but its DNS is delegated to Cloudflare. The Cloudflare API token + account ID are pushed into the CMS Gitea repo as action secrets and mirrored into Vault by factory's iac/cloudflare.tf.

Cloudflare object Purpose
Zone arcodange.fr Public DNS for the site + email records
Cloudflare Pages option Static-hosting alternative for the Nuxt build
Cloudflared Zero-Trust tunnel Exposes internal Traefik to the Internet without opening home-LAN ports
Turnstile CAPTCHA Bot challenge on forms; wired to CrowdSec for decisioning

The Cloudflared tunnel token and Turnstile secret are stored in Vault (see secrets-and-vault.md); the Turnstile → CrowdSec link is the public-edge guard documented in 02 · tools.

Zoho email (zoho/)

Sets up email for arcodange.fr: org/account lookup via the Zoho API + shell scripts, the full DNS authentication record set, and the public aliases.

DNS record Role
CNAME (verify) Domain ownership verification
MX Mail routing to Zoho
SPF Authorized senders
DKIM Outbound signing
DMARC Alignment + reporting policy
BIMI Brand logo in inboxes

Seven aliases are provisioned: bonjour, contact, analytics, books, abonnements, helloworld, bureaux.

Public request + email path

%%{init: {'theme': 'base'}}%%
flowchart LR
    classDef edge fill:#d97706,stroke:#b45309,color:#fff
    classDef proc fill:#059669,stroke:#047857,color:#fff
    classDef store fill:#7c3aed,stroke:#6d28d9,color:#fff

    USER(["Visitor"]):::edge
    CF["Cloudflare<br>DNS + Turnstile"]:::edge
    TUN["Cloudflared tunnel"]:::edge
    TRAEFIK["internal Traefik"]:::proc
    CS["CrowdSec bouncer"]:::proc
    CMS["cms pod (Nuxt)<br>arcodange.fr"]:::proc
    MAIL(["Sender"]):::edge
    ZOHO["Zoho<br>MX / SPF / DKIM / DMARC / BIMI"]:::store

    USER --> CF -- "Turnstile challenge" --> TUN --> TRAEFIK --> CS --> CMS
    MAIL -- "MX lookup arcodange.fr" --> ZOHO
  1. A visitor resolves arcodange.fr through Cloudflare DNS; form submissions hit a Turnstile challenge.
  2. Traffic enters the home LAN through the Cloudflared Zero-Trust tunnel — no home-LAN ports are opened.
  3. The tunnel lands on internal Traefik, which routes through the CrowdSec bouncer (fed Turnstile/decision signals) to the cms Nuxt pod.
  4. Separately, email to arcodange.fr follows the MX record to Zoho, with SPF/DKIM/DMARC/BIMI authenticating and presenting the mail; the seven aliases land there.

Cross-references

  • Lab ecosystem hub — the whole-lab map.
  • 01 · factory — the ArgoCD app cms, and iac/cloudflare.tf / iac/ovh.tf that grant the CMS its Cloudflare token and OVH nameserver-edit rights.
  • 02 · toolsCrowdSec (the Traefik bouncer the Turnstile challenge feeds).
  • secrets-and-vault.md — the Cloudflared tunnel token and Turnstile/Cloudflare secrets stored in Vault.
  • Repo: arcodange-org/cms.
Reference in New Issue View Git Blame Copy Permalink