Merge df0f2584ae into 4ea6876b74

feat(models): add basic database structure

6design/design.md

@@ -45,11 +45,11 @@ flowchart LR
     proc_cron[Task planner] --> proc_queue
     proc_queue_worker --> ext_bank[(Bank API)]
     proc_queue_worker --> db
-    client[Client/UI] --> api[API Gateway / Web Server]
-    api --> svc[Web API]
+    client[Client/UI] <--> api[API Gateway / Web Server]
+    api <--> svc[Web API]
     svc --> proc_queue
-    svc --> db[(Database)]
-    svc --> cache[(Cache)]
+    svc <--> db[(Database)]
+    svc <--> cache[(Cache)]
 ```
 
 - Components and responsibilities: What does each box do?

7project/backend/Dockerfile

@@ -5,4 +5,4 @@ COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 COPY . .
 EXPOSE 8000
-CMD alembic upgrade head && uvicorn app.app:app --host 0.0.0.0 --port 8000
+CMD alembic upgrade head && uvicorn app.app:fastApi --host 0.0.0.0 --port 8000

7project/backend/alembic/versions/2025_10_10_1405-7af8f296d089_add_user_oauth.py

@@ -0,0 +1,48 @@
+"""add user oauth
+
+Revision ID: 7af8f296d089
+Revises: 390041bd839e
+Create Date: 2025-10-10 14:05:00.153376
+
+"""
+from typing import Sequence, Union
+
+import fastapi_users_db_sqlalchemy
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '7af8f296d089'
+down_revision: Union[str, Sequence[str], None] = '390041bd839e'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('oauth_account',
+    sa.Column('id', fastapi_users_db_sqlalchemy.generics.GUID(), nullable=False),
+    sa.Column('user_id', fastapi_users_db_sqlalchemy.generics.GUID(), nullable=False),
+    sa.Column('oauth_name', sa.String(length=100), nullable=False),
+    sa.Column('access_token', sa.String(length=1024), nullable=False),
+    sa.Column('expires_at', sa.Integer(), nullable=True),
+    sa.Column('refresh_token', sa.String(length=1024), nullable=True),
+    sa.Column('account_id', sa.String(length=320), nullable=False),
+    sa.Column('account_email', sa.String(length=320), nullable=False),
+    sa.ForeignKeyConstraint(['user_id'], ['user.id'], ondelete='cascade'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_oauth_account_account_id'), 'oauth_account', ['account_id'], unique=False)
+    op.create_index(op.f('ix_oauth_account_oauth_name'), 'oauth_account', ['oauth_name'], unique=False)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(op.f('ix_oauth_account_oauth_name'), table_name='oauth_account')
+    op.drop_index(op.f('ix_oauth_account_account_id'), table_name='oauth_account')
+    op.drop_table('oauth_account')
+    # ### end Alembic commands ###

7project/backend/app/app.py

@@ -1,15 +1,16 @@
 from fastapi import Depends, FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 
+import app.services.user_service
 from app.models.user import User
 
 from app.schemas.user import UserCreate, UserRead, UserUpdate
 from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users
 
-app = FastAPI()
+fastApi = FastAPI()
 
 # CORS for frontend dev server
-app.add_middleware(
+fastApi.add_middleware(
     CORSMiddleware,
     allow_origins=[
         "http://localhost:5173",
@@ -20,37 +21,48 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
-app.include_router(
+fastApi.include_router(
     fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"]
 )
-app.include_router(
+fastApi.include_router(
     fastapi_users.get_register_router(UserRead, UserCreate),
     prefix="/auth",
     tags=["auth"],
 )
-app.include_router(
+fastApi.include_router(
     fastapi_users.get_reset_password_router(),
     prefix="/auth",
     tags=["auth"],
 )
-app.include_router(
+fastApi.include_router(
     fastapi_users.get_verify_router(UserRead),
     prefix="/auth",
     tags=["auth"],
 )
-app.include_router(
+fastApi.include_router(
     fastapi_users.get_users_router(UserRead, UserUpdate),
     prefix="/users",
     tags=["users"],
 )
 
+fastApi.include_router(
+    fastapi_users.get_oauth_router(
+        app.services.user_service.mojeid_oauth_service,
+        auth_backend,
+        "SECRET",
+        associate_by_email=True
+    ),
+    prefix="/auth/mojeid",
+    tags=["auth"],
+)
+
 
 # Liveness/root endpoint
-@app.get("/", include_in_schema=False)
+@fastApi.get("/", include_in_schema=False)
 async def root():
     return {"status": "ok"}
 
 
-@app.get("/authenticated-route")
+@fastApi.get("/authenticated-route")
 async def authenticated_route(user: User = Depends(current_active_verified_user)):
     return {"message": f"Hello {user.email}!"}

7project/backend/app/models/user.py

@@ -1,12 +1,19 @@
+from typing import List
+
 from sqlalchemy import Column, String
 from sqlalchemy.orm import relationship
-from fastapi_users.db import SQLAlchemyBaseUserTableUUID
+from fastapi_users.db import SQLAlchemyBaseUserTableUUID, SQLAlchemyBaseOAuthAccountTableUUID
 from app.core.base import Base
 
 
+class OAuthAccount(SQLAlchemyBaseOAuthAccountTableUUID, Base):
+    pass
+
+
 class User(SQLAlchemyBaseUserTableUUID, Base):
     first_name = Column(String(length=100), nullable=True)
     last_name = Column(String(length=100), nullable=True)
+    oauth_accounts = relationship("OAuthAccount", lazy="joined")
 
     # Relationship
     transactions = relationship("Transaction", back_populates="user")

7project/backend/app/oauth/moje_id.py

@@ -0,0 +1,48 @@
+import json
+from typing import Optional, Literal
+
+from httpx_oauth.clients.openid import OpenID
+from httpx_oauth.oauth2 import OAuth2Token, GetAccessTokenError, T
+
+
+# claims=%7B%22id_token%22%3A%7B%22birthdate%22%3A%7B%22essential%22%3Atrue%7D%2C%22name%22%3A%7B%22essential%22%3Atrue%7D%2C%22given_name%22%3A%7B%22essential%22%3Atrue%7D%2C%22family_name%22%3A%7B%22essential%22%3Atrue%7D%2C%22email%22%3A%7B%22essential%22%3Atrue%7D%2C%22address%22%3A%7B%22essential%22%3Afalse%7D%2C%22mojeid_valid%22%3A%7B%22essential%22%3Atrue%7D%7D%7D
+class MojeIDOAuth(OpenID):
+    def __init__(self, client_id: str, client_secret: str):
+        super().__init__(
+            client_id,
+            client_secret,
+            "https://mojeid.regtest.nic.cz/.well-known/openid-configuration/",
+            "MojeID",
+            base_scopes=["openid", "email", "profile"],
+        )
+
+    async def get_authorization_url(
+            self,
+            redirect_uri: str,
+            state: Optional[str] = None,
+            scope: Optional[list[str]] = None,
+            code_challenge: Optional[str] = None,
+            code_challenge_method: Optional[Literal["plain", "S256"]] = None,
+            extras_params: Optional[T] = None,
+    ) -> str:
+        required_fields = {
+            'id_token': {
+                'name': {'essential': True},
+                'given_name': {'essential': True},
+                'family_name': {'essential': True},
+                'email': {'essential': True},
+                'mojeid_valid': {'essential': True},
+            }}
+
+        if extras_params is None:
+            extras_params = {}
+        extras_params["claims"] = json.dumps(required_fields)
+
+        return await super().get_authorization_url(
+            redirect_uri,
+            state,
+            scope,
+            code_challenge,
+            code_challenge_method,
+            extras_params,
+        )

7project/backend/app/services/db.py

@@ -4,11 +4,13 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from fastapi_users.db import SQLAlchemyUserDatabase
 
 from ..core.db import async_session_maker
-from ..models.user import User
+from ..models.user import User, OAuthAccount
+
 
 async def get_async_session() -> AsyncGenerator[AsyncSession, None]:
     async with async_session_maker() as session:
         yield session
 
+
 async def get_user_db(session: AsyncSession = Depends(get_async_session)):
-    yield SQLAlchemyUserDatabase(session, User)
+    yield SQLAlchemyUserDatabase(session, User, OAuthAccount)

7project/backend/app/services/user_service.py

@@ -12,6 +12,7 @@ from fastapi_users.authentication.strategy.jwt import JWTStrategy
 from fastapi_users.db import SQLAlchemyUserDatabase
 
 from app.models.user import User
+from app.oauth.moje_id import MojeIDOAuth
 from app.services.db import get_user_db
 from app.core.queue import enqueue_email
 
@@ -19,6 +20,11 @@ SECRET = os.getenv("SECRET", "CHANGE_ME_SECRET")
 FRONTEND_URL = os.getenv("FRONTEND_URL", "http://localhost:5173")
 BACKEND_URL = os.getenv("BACKEND_URL", "http://localhost:8000")
 
+mojeid_oauth_service = MojeIDOAuth(
+    os.getenv("MOJEID_CLIENT_ID", "CHANGE_ME_CLIENT_ID"),
+    os.getenv("MOJEID_CLIENT_SECRET", "CHANGE_ME_CLIENT_SECRET"),
+)
+
 class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
     reset_password_token_secret = SECRET
     verification_token_secret = SECRET

7project/backend/requirements.txt

@@ -11,6 +11,7 @@ asyncmy==0.2.9
 bcrypt==4.3.0
 billiard==4.2.2
 celery==5.5.3
+certifi==2025.10.5
 cffi==2.0.0
 click==8.1.8
 click-didyoumean==0.3.1
@@ -25,7 +26,10 @@ fastapi-users==14.0.1
 fastapi-users-db-sqlalchemy==7.0.0
 greenlet==3.2.4
 h11==0.16.0
+httpcore==1.0.9
 httptools==0.6.4
+httpx==0.28.1
+httpx-oauth==0.16.1
 idna==3.10
 kombu==5.5.4
 makefun==1.16.0

7project/tofu/modules/maxscale/charts/maxscale-helm/templates/config.yaml

@@ -60,6 +60,8 @@ spec:
         scrapeTimeout: 10s
         prometheusRelease: kube-prometheus-stack
         jobLabel: mariadb-monitoring
+    auth:
+      generate: true
 
     tls:
       enabled: true

7project/tofu/modules/maxscale/main.tf

@@ -31,7 +31,7 @@ locals {
 
 resource "kubectl_manifest" "secrets" {
   yaml_body  = local.mariadb_secret_yaml
-   depends_on = [ kubernetes_namespace.mariadb-operator ]
+  depends_on = [kubernetes_namespace.mariadb-operator]
 }
 
 
@@ -41,7 +41,7 @@ resource "helm_release" "mariadb-operator-crds" {
   chart      = "mariadb-operator-crds"
   namespace  = "mariadb-operator"
   version    = "25.8.4"
-    depends_on       = [ kubectl_manifest.secrets ]
+  depends_on = [kubectl_manifest.secrets]
   timeout    = 3600
 }
 
@@ -50,8 +50,9 @@ resource "helm_release" "mariadb-operator" {
   name       = "mariadb-operator"
   repository = "https://helm.mariadb.com/mariadb-operator"
   chart      = "mariadb-operator"
-    depends_on       = [ helm_release.mariadb-operator-crds, kubectl_manifest.secrets ]
+  depends_on = [helm_release.mariadb-operator-crds, kubectl_manifest.secrets]
   namespace  = "mariadb-operator"
+  version    = "25.8.3"
   timeout    = 3600
 }
 
@@ -59,7 +60,7 @@ resource "helm_release" "maxscale_helm" {
   name       = "maxscale-helm"
   chart      = "${path.module}/charts/maxscale-helm"
   version    = "1.0.8"
-  depends_on = [ helm_release.mariadb-operator-crds, kubectl_manifest.secrets ]
+  depends_on = [helm_release.mariadb-operator-crds, kubectl_manifest.secrets]
   timeout    = 3600
 
   set = [

7project/tofu/modules/metrics-server/values.yaml

@@ -0,0 +1,15 @@
+# Values overriding defaults for metrics-server Helm chart
+# Fix TLS and address selection issues when scraping kubelets (common on Talos)
+args:
+  - --kubelet-insecure-tls
+  - --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP
+  - --kubelet-use-node-status-port=true
+
+# Using hostNetwork often helps in restricted CNI/DNS environments
+#hostNetwork: true
+# Required when hostNetwork is true so DNS works as expected
+#dnsPolicy: ClusterFirstWithHostNet
+
+# Enable metrics API service monitor if Prometheus Operator is present (optional)
+# serviceMonitor:
+#   enabled: true

7project/tofu/modules/rabbitmq/main.tf

@@ -16,6 +16,12 @@ terraform {
   }
 }
 
+resource "kubernetes_namespace" "rabbitmq_namespace" {
+  metadata {
+    name = "rabbitmq-system"
+  }
+}
+
 
 resource "helm_release" "rabbitmq_operator" {
   name       = "rabbitmq-cluster-operator"
@@ -25,7 +31,6 @@ resource "helm_release" "rabbitmq_operator" {
   version = "4.4.34"
 
   namespace = "rabbitmq-system"
-  create_namespace = true
 
   # Zde můžete přepsat výchozí hodnoty chartu, pokud by bylo potřeba
   # Například sledovat jen určité namespace, nastavit tolerations atd.
@@ -59,6 +64,7 @@ resource "helm_release" "rabbitmq_operator" {
       value = "true"
     }
   ]
+  depends_on = [kubernetes_namespace.rabbitmq_namespace]
 }
 
 

7project/tofu/modules/rabbitmq/rabbit-cluster.yaml

@@ -2,4 +2,4 @@ apiVersion: rabbitmq.com/v1beta1
 kind: RabbitmqCluster
 metadata:
   name: 'rabbitmq-cluster'
-  namespace: "rabbitmq"
+  namespace: "rabbitmq-system"

7project/tofu/modules/rabbitmq/rabbit-ui.yaml

@@ -2,7 +2,7 @@ apiVersion: networking.cfargotunnel.com/v1alpha1
 kind: TunnelBinding
 metadata:
   name: rabbit-tunnel-binding
-  namespace: rabbitmq
+  namespace: rabbitmq-system
 subjects:
   - name: rabbit-gui
     spec: