[![built with nix](https://img.shields.io/badge/built%20with-nix-%235277C3?logo=nixos)](https://nixos.org/)

# Poseidon

Oceanbox's comprehensive platform for oceanic data visualization, analysis, and processing.

## Documentation

- **[Nix Build System](nix/README.md)** - Comprehensive guide to the Nix-based build system, packages, containers, and workflows
- **[Scripts](scripts/README.md)** - Available utility scripts for development and deployment

## Bootstrapping Guide

To bootstrap Atlantis for development, build and run it using Tilt. Some setup is required:

### Kubernetes Access

To run our application on the Kubernetes cluster, Tilt needs access.
You need to authenticate with `oidc`, using your Microsoft account.
Authentication configuration must be added to your `~/.kube/config`:

```yaml
---
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
        - oidc-login
        - get-token
        - --oidc-issuer-url=https://login.microsoftonline.com/<...>/v2.0
        - --oidc-client-id=<...>
        - --oidc-client-secret=<...>
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
```

Replace each `<...>` with the value for the correct Entra tenant.

Next, configure the required contexts to use `oidc` (also in your `~/.kube/config`):

```yaml
---
- context:
    cluster: ekman
    namespace: sorcerer
    user: oidc
  name: ekman
- context:
    cluster: oceanbox
    namespace: atlantis
    user: oidc
  name: oceanbox
```

Finally, **you must be granted the necessary privileges in Entra to access the clusters.**
Verify that you have access with `kubectl`:

```shell
kubectl --context oceanbox -n default get pods
```

### Manifests

Required Helm manifests are hosted in a separate repository: .
Clone it into a directory _in the same parent directory as this repository._

You'll have to run `helm dependency update` in the atlantis directory within the manifest repo to download the charts.

### NuGet

To retrieve packages from the private Oceanbox NuGet registry, configure it with credentials in your `~/.nuget/NuGet/NuGet.Config`:

```xml
```

Substitute with your own GitLab username and PAT in the credentials.

Now, we should be able to `restore`:

```shell
dotnet restore Poseidon.slnx
```

For `dotnet-tools` we use Nix, so entering the shell using `nix-shell` or `direnv` is enough.

### Mkcert

To generate certificates correctly, Vite needs the `mkcert` binary in a predefined path in our home directory.
`mkcert` is included in our dev shell, so we can create a symlink to its location in the Nix store:

```fish
which mkcert | xargs -I{} ln -s {} ~/.vite-plugin-mkcert
```

> If this directory does not exist, create it first with `mkdir`.

### Docker Login

In order for Tilt to push the images it builds to the Oceanbox registry, we must use `docker login` to authenticate with it.

First, create a personal access token in your GitLab account. It should have the `read_registry` and `write_registry` scopes set.

```fish
set -x TOKEN glpat-xxxx
```

Then, supply it to `docker login`:

```shell
echo "$TOKEN" | docker login gitlab.com -u --password-stdin
```

When prompted, authenticate with your GitLab username and the PAT you just created.

### Create k8s Namespace

A namespace must be created on the cluster for your Tilt application to live in.

```shell
kubectl create ns "$APP_NAMESPACE" --context oceanbox
```

### Running Tilt

In the project root, run Tilt with the following command:

```shell
tilt up --context oceanbox
```

You should now be able to access the Atlantis client (with HMR) on .

### Trust Root Certificate

> [!note]
> You'll need to run `just run-client` in `src/Atlantis` to generate the certificates in `~/.vite-plugin-mkcert/certs`

In order for your browser to allow you to access the web application, you must add the root certificate generated by `mkcert` to the list of trusted authorities in your browser:

1. In Firefox, navigate to settings and search for _"Certificates"._
2. Click on _"View Certificates",_ then _"Import..."_ in the _"Authorities"_ tab.
3. Select the root certificate: `~/.vite-plugin-mkcert/certs/rootCA.pem`.
   - Make sure to check _"This certificate can identify websites"._

### Add `user` to OpenFGA

Ask [sales](support@oceanbox.io) to add your `azure-ad-user` to OpenFGA.

### CORS for Sorcerer

Add the `url` of your instance to the CORS list of Sorcerer [here](https://gitlab.com/oceanbox/manifests/-/blob/main/values/sorcerer/kustomize/prod/appsettings.json?ref_type=heads#L52).
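
The bootstrapping steps above leave credentials in `~/.kube/config` and `~/.nuget/NuGet/NuGet.Config`, and a symlink into the Nix store for `mkcert`. The following preflight script is an added example, not part of the project's own scripts: it checks that those files are readable only by you and that the `mkcert` link and root certificate are still in place. The function names, the `--check` flag, the `~/.docker/config.json` entry and the exact symlink location are assumptions, noted in the comments.

```shell
#!/usr/bin/env bash
# Added example, not project code. Function names are hypothetical; paths are
# the ones this guide names, plus ~/.docker/config.json, where `docker login`
# keeps credentials when no credential helper is configured.

# 0: FILE exists, no group/other access. 1: too permissive. 2: missing.
private_file() {
  [ -f "$1" ] || return 2
  [ -z "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))" ]
}

# 0 if LINK is a symlink whose target still exists and is executable.
# A link into the nix store dangles once that store path is garbage-collected.
live_exec_link() {
  [ -L "$1" ] && [ -x "$1" ]
}

# Check the setup under HOME_DIR ($1); print findings, return the problem count.
preflight() {
  home=$1
  problems=0
  for f in .kube/config .nuget/NuGet/NuGet.Config .docker/config.json; do
    private_file "$home/$f" && pf=0 || pf=$?
    case $pf in
      0) echo "ok       $f" ;;
      1) echo "too open $f (fix: chmod 600 \"$home/$f\")"; problems=$((problems + 1)) ;;
      *) echo "missing  $f"; problems=$((problems + 1)) ;;
    esac
  done
  # Assumed link location: the guide's `ln -s` run with ~/.vite-plugin-mkcert
  # already existing as a directory, as its note requires.
  if live_exec_link "$home/.vite-plugin-mkcert/mkcert"; then
    echo "ok       mkcert symlink"
  else
    echo "broken   mkcert symlink (re-create it from inside the dev shell)"
    problems=$((problems + 1))
  fi
  if [ -s "$home/.vite-plugin-mkcert/certs/rootCA.pem" ]; then
    echo "ok       rootCA.pem"
  else
    echo "missing  rootCA.pem (run: just run-client in src/Atlantis)"
    problems=$((problems + 1))
  fi
  return "$problems"
}

if [ "${1:-}" = "--check" ]; then preflight "$HOME"; fi
```

Run it with `--check` after completing the setup; the exit status is the number of problems found.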