feat(deployments): add all-in-one Docker Compose stack with OpenLDAP

Add docker-compose.allinone.yaml with five services:
- PostgreSQL 16 with auto-applied migrations
- MinIO for S3-compatible file storage
- OpenLDAP (bitnami/openldap:2.6) with memberOf overlay and
  preconfigured silo-admins/silo-users/silo-viewers groups
- Silo API server built from Dockerfile
- Nginx reverse proxy (optional, via --profile nginx)

Add scripts/setup-docker.sh interactive helper that generates
deployments/.env and deployments/config.docker.yaml with random
credentials. Supports --non-interactive for CI.

Add deployments/ldap/ LDIF init scripts for memberOf overlay and
Silo role groups. Add deployments/nginx/ reverse proxy configs.

deployments/docker-compose.allinone.yaml

@@ -0,0 +1,172 @@
+# Silo All-in-One Stack
+# PostgreSQL + MinIO + OpenLDAP + Silo API + Nginx (optional)
+#
+# Quick start:
+#   ./scripts/setup-docker.sh
+#   docker compose -f deployments/docker-compose.allinone.yaml up -d
+#
+# With nginx reverse proxy:
+#   docker compose -f deployments/docker-compose.allinone.yaml --profile nginx up -d
+#
+# View logs:
+#   docker compose -f deployments/docker-compose.allinone.yaml logs -f
+#
+# Stop:
+#   docker compose -f deployments/docker-compose.allinone.yaml down
+#
+# Stop and delete data:
+#   docker compose -f deployments/docker-compose.allinone.yaml down -v
+
+services:
+  # ---------------------------------------------------------------------------
+  # PostgreSQL 16
+  # ---------------------------------------------------------------------------
+  postgres:
+    image: postgres:16-alpine
+    container_name: silo-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: silo
+      POSTGRES_USER: silo
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?Run ./scripts/setup-docker.sh first}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+      - ../migrations:/docker-entrypoint-initdb.d:ro
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U silo -d silo"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - silo-net
+
+  # ---------------------------------------------------------------------------
+  # MinIO (S3-compatible object storage)
+  # ---------------------------------------------------------------------------
+  minio:
+    image: minio/minio:latest
+    container_name: silo-minio
+    restart: unless-stopped
+    command: server /data --console-address ":9001"
+    environment:
+      MINIO_ROOT_USER: ${MINIO_ACCESS_KEY:?Run ./scripts/setup-docker.sh first}
+      MINIO_ROOT_PASSWORD: ${MINIO_SECRET_KEY:?Run ./scripts/setup-docker.sh first}
+    volumes:
+      - minio_data:/data
+    ports:
+      - "9001:9001"           # MinIO console (remove in hardened setups)
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - silo-net
+
+  # ---------------------------------------------------------------------------
+  # OpenLDAP (user directory for LDAP authentication)
+  # ---------------------------------------------------------------------------
+  openldap:
+    image: bitnami/openldap:2.6
+    container_name: silo-openldap
+    restart: unless-stopped
+    environment:
+      LDAP_ROOT: "dc=silo,dc=local"
+      LDAP_ADMIN_USERNAME: "admin"
+      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:?Run ./scripts/setup-docker.sh first}
+      LDAP_USERS: ${LDAP_USERS:-siloadmin}
+      LDAP_PASSWORDS: ${LDAP_PASSWORDS:?Run ./scripts/setup-docker.sh first}
+      LDAP_GROUP: "silo-users"
+      LDAP_USER_OU: "users"
+      LDAP_GROUP_OU: "groups"
+    volumes:
+      - openldap_data:/bitnami/openldap
+      - ./ldap:/docker-entrypoint-initdb.d:ro
+    ports:
+      - "1389:1389"           # LDAP access for debugging (remove in hardened setups)
+    healthcheck:
+      test: ["CMD-SHELL", "ldapsearch -x -H ldap://localhost:1389 -b dc=silo,dc=local -D cn=admin,dc=silo,dc=local -w $${LDAP_ADMIN_PASSWORD} '(objectClass=organization)' >/dev/null 2>&1"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - silo-net
+
+  # ---------------------------------------------------------------------------
+  # Silo API Server
+  # ---------------------------------------------------------------------------
+  silo:
+    build:
+      context: ..
+      dockerfile: build/package/Dockerfile
+    container_name: silo-api
+    restart: unless-stopped
+    depends_on:
+      postgres:
+        condition: service_healthy
+      minio:
+        condition: service_healthy
+      openldap:
+        condition: service_healthy
+    env_file:
+      - .env
+    environment:
+      # These override values in config.docker.yaml via the Go config loader's
+      # direct env var support (see internal/config/config.go).
+      SILO_DB_HOST: postgres
+      SILO_DB_NAME: silo
+      SILO_DB_USER: silo
+      SILO_DB_PASSWORD: ${POSTGRES_PASSWORD}
+      SILO_MINIO_ENDPOINT: minio:9000
+      SILO_MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY}
+      SILO_MINIO_SECRET_KEY: ${MINIO_SECRET_KEY}
+    ports:
+      - "${SILO_PORT:-8080}:8080"
+    volumes:
+      - ../schemas:/etc/silo/schemas:ro
+      - ./config.docker.yaml:/etc/silo/config.yaml:ro
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:8080/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+    networks:
+      - silo-net
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  # ---------------------------------------------------------------------------
+  # Nginx reverse proxy (optional — enable with --profile nginx)
+  # ---------------------------------------------------------------------------
+  nginx:
+    image: nginx:alpine
+    container_name: silo-nginx
+    restart: unless-stopped
+    profiles:
+      - nginx
+    depends_on:
+      silo:
+        condition: service_healthy
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      # Uncomment to mount TLS certificates:
+      # - /path/to/cert.pem:/etc/nginx/ssl/cert.pem:ro
+      # - /path/to/key.pem:/etc/nginx/ssl/key.pem:ro
+    networks:
+      - silo-net
+
+volumes:
+  postgres_data:
+  minio_data:
+  openldap_data:
+
+networks:
+  silo-net:
+    driver: bridge

deployments/ldap/memberof.ldif

@@ -0,0 +1,36 @@
+# Enable the memberOf overlay for OpenLDAP.
+# When a user is added to a groupOfNames, their entry automatically
+# gets a memberOf attribute pointing to the group DN.
+# This is required for Silo's LDAP role mapping.
+#
+# Loaded automatically by bitnami/openldap from /docker-entrypoint-initdb.d/
+
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: memberof
+
+dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcMemberOf
+olcOverlay: memberof
+olcMemberOfRefInt: TRUE
+olcMemberOfDangling: ignore
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+# Enable refint overlay to maintain referential integrity
+# (removes memberOf when a user is removed from a group)
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: refint
+
+dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+olcOverlay: refint
+olcRefintAttribute: memberOf member

deployments/ldap/silo-groups.ldif

@@ -0,0 +1,34 @@
+# Create Silo role groups for LDAP-based access control.
+# These groups map to Silo roles via auth.ldap.role_mapping in config.yaml.
+#
+# Group hierarchy:
+#   silo-admins  -> admin role  (full access)
+#   silo-users   -> editor role (create/modify items)
+#   silo-viewers  -> viewer role (read-only)
+#
+# The initial LDAP user (set via LDAP_USERS env var) is added to silo-admins.
+# Additional users can be added with ldapadd or ldapmodify.
+#
+# Loaded automatically by bitnami/openldap from /docker-entrypoint-initdb.d/
+# Note: This runs after the default tree is created (users/groups OUs exist).
+
+# Admin group — initial user is a member
+dn: cn=silo-admins,ou=groups,dc=silo,dc=local
+objectClass: groupOfNames
+cn: silo-admins
+description: Silo administrators (full access)
+member: cn=siloadmin,ou=users,dc=silo,dc=local
+
+# Editor group
+dn: cn=silo-users,ou=groups,dc=silo,dc=local
+objectClass: groupOfNames
+cn: silo-users
+description: Silo editors (create and modify items)
+member: cn=placeholder,ou=users,dc=silo,dc=local
+
+# Viewer group
+dn: cn=silo-viewers,ou=groups,dc=silo,dc=local
+objectClass: groupOfNames
+cn: silo-viewers
+description: Silo viewers (read-only access)
+member: cn=placeholder,ou=users,dc=silo,dc=local

deployments/nginx/nginx-nossl.conf

@@ -0,0 +1,44 @@
+# Silo Nginx Reverse Proxy — HTTP only (no TLS)
+#
+# Use this when TLS is terminated by an external load balancer or when
+# running on a trusted internal network without HTTPS.
+
+upstream silo_backend {
+    server silo:8080;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    location / {
+        proxy_pass http://silo_backend;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+
+        # SSE support
+        proxy_set_header Connection "";
+        proxy_buffering off;
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 300s;
+
+        # File uploads (CAD files can be large)
+        client_max_body_size 100M;
+    }
+
+    location /nginx-health {
+        access_log off;
+        return 200 "OK\n";
+        add_header Content-Type text/plain;
+    }
+}

deployments/nginx/nginx.conf

@@ -0,0 +1,103 @@
+# Silo Nginx Reverse Proxy (Docker)
+#
+# HTTP reverse proxy with optional HTTPS. To enable TLS:
+#   1. Uncomment the ssl server block below
+#   2. Mount your certificate and key in docker-compose:
+#        volumes:
+#          - /path/to/cert.pem:/etc/nginx/ssl/cert.pem:ro
+#          - /path/to/key.pem:/etc/nginx/ssl/key.pem:ro
+#   3. Uncomment the HTTP-to-HTTPS redirect in the port 80 block
+
+upstream silo_backend {
+    server silo:8080;
+}
+
+# HTTP server
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    # Uncomment the next line to redirect all HTTP traffic to HTTPS
+    # return 301 https://$host$request_uri;
+
+    location / {
+        proxy_pass http://silo_backend;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+
+        # SSE support
+        proxy_set_header Connection "";
+        proxy_buffering off;
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 300s;
+
+        # File uploads (CAD files can be large)
+        client_max_body_size 100M;
+    }
+
+    # Health check endpoint for monitoring
+    location /nginx-health {
+        access_log off;
+        return 200 "OK\n";
+        add_header Content-Type text/plain;
+    }
+}
+
+# Uncomment for HTTPS (mount certs in docker-compose volumes)
+# server {
+#     listen 443 ssl http2;
+#     listen [::]:443 ssl http2;
+#     server_name _;
+#
+#     ssl_certificate /etc/nginx/ssl/cert.pem;
+#     ssl_certificate_key /etc/nginx/ssl/key.pem;
+#
+#     ssl_protocols TLSv1.2 TLSv1.3;
+#     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+#     ssl_prefer_server_ciphers off;
+#     ssl_session_timeout 1d;
+#     ssl_session_cache shared:SSL:10m;
+#     ssl_session_tickets off;
+#
+#     # Security headers
+#     add_header X-Frame-Options "SAMEORIGIN" always;
+#     add_header X-Content-Type-Options "nosniff" always;
+#     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+#
+#     location / {
+#         proxy_pass http://silo_backend;
+#         proxy_http_version 1.1;
+#
+#         proxy_set_header Host $host;
+#         proxy_set_header X-Real-IP $remote_addr;
+#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#         proxy_set_header X-Forwarded-Proto $scheme;
+#         proxy_set_header X-Forwarded-Host $host;
+#         proxy_set_header X-Forwarded-Port $server_port;
+#
+#         proxy_set_header Connection "";
+#         proxy_buffering off;
+#
+#         proxy_connect_timeout 60s;
+#         proxy_send_timeout 60s;
+#         proxy_read_timeout 300s;
+#
+#         client_max_body_size 100M;
+#     }
+#
+#     location /nginx-health {
+#         access_log off;
+#         return 200 "OK\n";
+#         add_header Content-Type text/plain;
+#     }
+# }