# LiteCharmsSecurity

An enterprise-grade Identity and Access Management (IAM) solution built on top of **Skoruba Duende IdentityServer**. This repository houses the entire security architecture for the Lite Charms ecosystem, providing Single Sign-On (SSO), OAuth 2.0 and OpenID Connect (OIDC) capabilities.

---

## 🌐 Infrastructure Architecture

This solution is intended for self-hosted production deployment behind a reverse proxy that terminates TLS at the edge.

* **Identity Provider (STS):** `sts.security.khongisa.co.za` (Port `8083`)
* **Management Console (Admin UI):** `admin.security.khongisa.co.za` (Port `8081`)
* **Management Backend (Admin API):** `api.security.khongisa.co.za` (Port `8082`)

### Deployment Stack

* **Reverse Proxy / Edge Router:** Pangolin (terminates TLS for all external traffic). Because TLS ends at the proxy, the applications behind it must honour the proxy's forwarded headers (`X-Forwarded-Proto`, `X-Forwarded-Host`) so that issuer and redirect URLs are generated with the public `https` scheme rather than the internal plain-HTTP one.
* **Container Orchestrator:** Dockhand VM (GitOps: deployments are pulled automatically from Gitea).
* **Database Layer:** Dedicated PostgreSQL instance running in an isolated Proxmox LXC container (`192.168.1.170`).

---

## 🛠️ Environment Variables Configuration

Do not check production secrets into Git. Define the following environment variables in the **Dockhand UI** before launching or updating the stack:

| Variable | Description | Example / Default |
| :--- | :--- | :--- |
| `DB_PASSWORD` | Password for the PostgreSQL database in the LXC container. | *[Secure Sensitive Value]* |
| `SMTP_PASSWORD` | Password for the mail account used to send outbound (outbox) notifications. | *[Secure Sensitive Value]* |
| `SMTP_HOST` | Outbound mail relay hostname. | `mail.litecharms.co.za` |
| `SMTP_LOGIN` | Mail account from which security notifications are sent. | `security@litecharms.co.za` |
| `APPLY_MIGRATIONS` | Run Entity Framework database migrations automatically on startup. | `true` (first run only) |
| `APPLY_SEED` | Seed baseline system roles, client configurations and default admin users on startup. | `true` (first run only) |

Both `APPLY_*` flags are for initial provisioning only: after the first successful start, set them back to `false` so that routine redeployments do not run migrations or re-seed data, and change the password of any seeded default admin user before the STS is reachable from the outside.

---

## 🚀 Deployment Instructions via Dockhand

### 1. First-Time Setup (Initialization Mode)

When deploying this stack for the very first time against a blank database, make sure both flags are explicitly enabled in the Dockhand dashboard:

```env
APPLY_MIGRATIONS=true
APPLY_SEED=true