# tOS Infrastructure Memory

## Docker Stack

- **Location**: `/home/mehmed/Entwicklung/githubProjekte/tOS/docker/`
- **Compose file**: `docker-compose.yml` (project name: tos)
- **Services**: PostgreSQL 16, Redis 7, Keycloak 24.0
- **Network**: `tos-network` (bridge)
- **Volumes**: `tos-postgres-data`, `tos-redis-data`

## Ports (Default)

| Service    | Port |
|------------|------|
| PostgreSQL | 5432 |
| Redis      | 6379 |
| Keycloak   | 8080 |
| API        | 3001 |
| Frontend   | 3000 |

## Keycloak Configuration

- **Realm**: `tOS`
- **Clients**: `tos-frontend` (public), `tos-backend` (confidential)
- **Roles Hierarchy** (each role includes the roles listed after the arrow):
  - admin -> hr-manager, manager, department_head, team-lead, employee
  - hr-manager -> employee
  - manager -> department_head, employee
  - department_head -> team-lead, employee
  - team-lead -> employee
- **Test Users**: admin, manager, depthead, employee, hrmanager, teamlead
- **Default passwords**: `123` (temporary)

## Environment Variables

- **Root `.env.example`**: Application config (NextAuth, Keycloak, API keys)
- **Docker `.env.example`**: Container config (ports, credentials)
- **Critical Production Secrets**:
  - `ENCRYPTION_KEY` - 32 bytes, used for credential encryption
  - `JWT_SECRET` - API token signing
  - `NEXTAUTH_SECRET` - Session encryption
  - `KEYCLOAK_BACKEND_CLIENT_SECRET` - Client secret of the confidential `tos-backend` client

## Package Scripts

```bash
pnpm docker:up     # Start infrastructure
pnpm docker:down   # Stop infrastructure
pnpm docker:logs   # View logs
pnpm docker:reset  # Destroy volumes and restart
pnpm dev           # Start dev servers
```

## Known Issues / Lessons Learned

- Keycloak 24+ (UBI9 image) ships without curl; use a bash `/dev/tcp` redirect for health checks
- Realm import: the realm file must be placed under `/opt/keycloak/data/import/` and Keycloak must be started with the `--import-realm` flag
- Health check `start_period` should be 90s+ for Keycloak (Java startup time)