This repository provides a reproducible deployment of the Record Manager ecosystem, integrating UI, backend services, authentication, MediaCMS, and supporting infrastructure.
The deployment is based on:
- 1.1 Authentication Configuration
- 1.2 MediaCMS Configuration
- 1.3 Environment Configuration
- 1.4 Build and Start Services
Before starting the deployment, configure authentication.
Refer to:
Authentication is based on:
- Keycloak realm:
record-manager - OIDC clients for:
record-managermediacmsannotator
The default configuration provides fundamental access.
- Configuration directory:
configs/mediacms
For advanced configuration, refer to:
Important:
- Users must have appropriate roles assigned in Keycloak.
- Without correct role assignment, access will be denied.
Configure environment variables before starting the deployment.
A detailed description is provided in:
.env.example
Create your environment file:
cp .env.example .envThen configure the following (
- Keycloak admin credentials
- Database passwords
- MediaCMS admin credentials
The deployment supports two modes:
- Local development
- Domain-based deployment (
PUBLIC_ORIGINdefined in.env)
A Makefile is provided to simplify running common compose combinations.
make help| Target | Description |
|---|---|
make dev |
Local dev stack (no auth) |
make dev-oauth |
Local dev with Keycloak on host |
make dev-rm |
Local dev with RM images |
make prod |
Production deployment |
make down |
Stop all services |
make logs |
Tail logs |
make ps |
Show running containers |
Use this mode when running the stack locally. The docker-compose.dev.yml override:
- Binds ports on all interfaces (
0.0.0.0) for LAN access - Disables OAuth2 authentication requirement
- Enables verbose logging
- Disables Celery workers
- Exposes GraphDB port directly
The docker-compose.local-oauth.yml override additionally:
- Skips OIDC issuer verification
- Disables secure cookies (need if Keycloak is running on
localhostwithout TLS)
make dev-oauthOr manually:
docker compose \
-f docker-compose.yml \
-f docker-compose.dev.yml \
-f docker-compose.local-oauth.yml \
--env-file .env \
up --build -dUse this mode when PUBLIC_ORIGIN is set to a publicly reachable domain in .env.
The docker-compose.prod.yml override binds ports to 127.0.0.1 only — an external
reverse proxy is expected to forward public traffic to the stack.
make prodOr manually:
docker compose \
-f docker-compose.yml \
-f docker-compose.prod.yml \
--env-file .env \
up --build -dIn the base
docker-compose.yml, exposed ports are not defined. Ports are defined exclusively in environment-specific overrides. Running the base compose without an override leaves no ports published and the services will not be reachable from outside the container network. Port definitions live in the environment-specific compose files:docker-compose.prod.ymlanddocker-compose.dev.yml.
The keycloak-config (Terraform) container is the source of truth for Keycloak configuration. Manual changes made in the Keycloak Admin UI may be overwritten by Terraform configuration during the next application restart.
Client secrets keycloak-secrets are shared at runtime. The following services consume secrets:
- OAuth2 Proxy (Annotator authentication)
- MediaCMS
If a client secret is modified manually in the Keycloak UI it is needed to regenerate and synchronize the secrets. Re-run the keycloak-config container and restart the dependent services:
docker compose down keycloak-config oauth2-proxy mediacms nginx
docker volume rm <project>_keycloak-secrets
docker compose --env-file .env up -d keycloak-config oauth2-proxy mediacms nginxIn order to resolve newly assigned IP addresses after restart, gateway need to be restarted too.
- Roles are defined at the realm level and grouped via Terraform.
- Users must
- be assigned to a group or
- roles must be assigned to users to gain access to services
- Each group contains a predefined set of realm roles.
- 🔗 Annotator User Docs — uploading assets, creating playlists, and accessing the Annotator.