690419:1831 feat: update CI/CD to use SSH key authentication #05

specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/app/.env.example

@@ -5,14 +5,94 @@
 # วิธีใช้ (บน QNAP):
 #   cp /share/np-dms/.env.master  /share/np-dms/app/.env
 #   chmod 600 /share/np-dms/app/.env
-
 # --- ใช้โดย docker-compose-app.yml ---
-DB_PASSWORD=
-REDIS_PASSWORD=
+# File: .env (Unified for QNAP / Gitea Runner)
+# Change Log: 2026-04-19
+
+# ---------------------------------------------------------
+# 1. Backend Service Configuration
+# ---------------------------------------------------------
+TZ=Asia/Bangkok
+NODE_ENV=production
+PORT=3000
+
+# --- Database (MariaDB) ---
+DB_HOST=mariadb
+DB_PORT=3306
+DB_DATABASE=lcbp3
+DB_USERNAME=center
+DB_PASSWORD=Center#2025
+
+# --- Redis (Cache & Queue) ---
+REDIS_HOST=cache
+REDIS_PORT=6379
+REDIS_PASSWORD=redis3ac466bf9b6
+
+# --- Search (Elasticsearch) ---
+ELASTICSEARCH_HOST=search
+ELASTICSEARCH_PORT=9200
 ELASTICSEARCH_USERNAME=elastic
-ELASTICSEARCH_PASSWORD=
-JWT_SECRET=
-JWT_REFRESH_SECRET=
-AUTH_SECRET=
+ELASTICSEARCH_PASSWORD=elasticed0bbde94
+
+# --- Security (JWT) ---
+JWT_SECRET=jwtsecret65adde8c76c6a0847d9649b2b67a06db1504693e6c912e51499b76e
+JWT_EXPIRATION=24h
+JWT_REFRESH_SECRET=jwtrefreshf6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
+
+# --- Numbering Logic ---
+NUMBERING_LOCK_TIMEOUT=5000
+NUMBERING_RESERVATION_TTL=300
+
+# --- File Storage ---
+UPLOAD_TEMP_DIR=/share/np-dms-as/data/uploads/temp
+UPLOAD_PERMANENT_DIR=/share/np-dms-as/data/uploads/permanent
+MAX_FILE_SIZE=52428800
+
+# ---------------------------------------------------------
+# 2. Frontend Service Configuration
+# ---------------------------------------------------------
+# หมายเหตุ: ค่าเหล่านี้จะถูกใช้ตอน Docker Build (ตาม deploy.sh)
+NEXT_PUBLIC_API_URL=https://backend.np-dms.work/api
+AUTH_URL=https://lcbp3.np-dms.work
+
+# --- NextAuth ---
+# ค่านี้ต้องตรงกับ JWT_SECRET หรือตั้งแยกตามความปลอดภัย
+AUTH_SECRET=jwtsecret65adde8c76c6a0847d9649b2b67a06db1504693e6c912e51499b76e
+AUTH_TRUST_HOST=true
+
+# --- Shared Context ---
+INTERNAL_API_URL=http://backend:3000/api
+HOSTNAME=0.0.0.0
+
+# --- Docker Image ---
 BACKEND_IMAGE_TAG=latest
 FRONTEND_IMAGE_TAG=latest
+
+# ClamAV
+CLAMAV_HOST=localhost
+CLAMAV_PORT=3310
+
+# ========================================
+# ADR-022 RAG — Retrieval-Augmented Generation
+# ========================================
+
+# Qdrant vector store (local docker-compose or QNAP)
+QDRANT_URL=http://localhost:6333
+
+# Ollama (Admin Desktop Desk-5439 — ADR-018 AI boundary)
+OLLAMA_EMBED_MODEL=nomic-embed-text
+OLLAMA_RAG_MODEL=gemma3:12b
+OLLAMA_URL=http://192.168.20.200:11434
+
+# Thai preprocessing microservice (PyThaiNLP — Admin Desktop)
+THAI_PREPROCESS_URL=http://192.168.20.200:8765
+
+# Typhoon API (cloud LLM — PUBLIC/INTERNAL only, never CONFIDENTIAL)
+TYPHOON_API_KEY=your-typhoon-api-key-here
+TYPHOON_API_URL=https://api.opentyphoon.ai/v1
+
+# RAG query config
+RAG_TOPK=20
+RAG_FINAL_K=5
+RAG_TIMEOUT_MS=5000
+RAG_QUERY_CACHE_TTL=300

specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/n8n/.env.example

@@ -1,3 +1,3 @@
 # Per-stack .env.example — n8n + postgres + tika + docker-socket-proxy
-N8N_DB_PASSWORD=
-N8N_ENCRYPTION_KEY=
+N8N_DB_PASSWORD=Np721220$
+N8N_ENCRYPTION_KEY=9AAIB7Da9DW1qAhJE5/Bz4SnbQjeAngI

specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/n8n/docker-compose.yml

@@ -15,6 +15,7 @@ x-logging: &default_logging
     options:
       max-size: '10m'
       max-file: '5'
+name: lcbp3-n8n
 services:
   n8n-db:
     <<: [*restart_policy, *default_logging]
@@ -112,7 +113,9 @@ services:
 
   n8n:
     <<: [*restart_policy, *default_logging]
-    image: n8nio/n8n:1.66.0
+    build:
+      context: ./n8n-custom
+      dockerfile: Dockerfile
     container_name: n8n
     depends_on:
       n8n-db:
@@ -163,6 +166,8 @@ services:
       EXECUTIONS_DATA_PRUNE: 'true'
       EXECUTIONS_DATA_MAX_AGE: 168
       # EXECUTIONS_DATA_PRUNE_TIMEOUT: 60
+      # Storage Migration (fix deprecation warning)
+      N8N_MIGRATE_FS_STORAGE_PATH: 'true'
 
     ports:
       - '5678:5678'

specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/n8n/n8n-custom/Dockerfile

@@ -1,4 +1,4 @@
-FROM n8nio/n8n:latest-debian
+FROM n8nio/n8n:2.16.1
 
 USER root
 
@@ -6,6 +6,6 @@ USER root
 RUN echo "deb http://archive.debian.org/debian buster main" > /etc/apt/sources.list && \
     echo "deb http://archive.debian.org/debian-security buster/updates main" >> /etc/apt/sources.list && \
     apt-get update -y && \
-    apt-get install -y poppler-utils
+    apt-get install -y poppler-utils python3 python3-pip
 
 USER node

specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/service/.env.example

@@ -1,4 +1,12 @@
 # Per-stack .env.example — services (cache, search)
 # Source: ../../.env.template
-REDIS_PASSWORD=
-ELASTICSEARCH_PASSWORD=
+# --- Redis (Cache & Queue) ---
+REDIS_HOST=cache
+REDIS_PORT=6379
+REDIS_PASSWORD=redis3ac466bf9b6
+
+# --- Search (Elasticsearch) ---
+ELASTICSEARCH_HOST=search
+ELASTICSEARCH_PORT=9200
+ELASTICSEARCH_USERNAME=elastic
+ELASTICSEARCH_PASSWORD=elasticed0bbde94

specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/service/docker-compose.yml

@@ -23,6 +23,7 @@ networks:
   lcbp3:
     external: true
 
+name: lcbp3-services
 services:
   # ----------------------------------------------------------------
   # 1. Redis (Caching + Distributed Lock + BullMQ queues)
@@ -30,13 +31,13 @@ services:
   # ----------------------------------------------------------------
   cache:
     <<: [*restart_policy, *default_logging]
-    image: redis:7-alpine
+    image: redis:7-alpine # ใช้ Alpine image เพื่อให้มีขน
     container_name: cache
     deploy:
       resources:
         limits:
           cpus: '1.0'
-          memory: 2G
+          memory: 2G # Redis เป็น in-memory, ให้ memory เพียงพอต่อการ
         reservations:
           cpus: '0.25'
           memory: 512M
@@ -80,12 +81,12 @@ services:
   # ----------------------------------------------------------------
   search:
     <<: [*restart_policy, *default_logging]
-    image: elasticsearch:8.11.1
+    image: elasticsearch:8.11.1 # แนะนำให้ระบุเวอร์ชันชัดเจน
     container_name: search
     deploy:
       resources:
         limits:
-          cpus: '2.0'
+          cpus: '2.0' # Elasticsearch ใช้ CPU และ Memory ค่อนข้างห
           memory: 4G
         reservations:
           cpus: '0.5'
@@ -100,7 +101,7 @@ services:
       # NOTE: หากเปิด xpack.security ต้องตั้ง ELASTIC_PASSWORD และอัปเดต backend client config
       # ค่าเริ่มต้น keep ปิดไว้เพราะ network เข้าถึงได้เฉพาะภายใน lcbp3 (ไม่มี host port)
       xpack.security.enabled: 'false'
-      # --- Performance ---
+      # --- Performance กำหนด Heap size (1GB) ให้เหมาะสมกับ memory limit (4G ---
       ES_JAVA_OPTS: '-Xms1g -Xmx1g'
     ulimits:
       memlock: