Michael J Wright Archive Documentation

Fedora + Cloudflare Repository Platform

This repository houses the production infrastructure that powers Michael J Wright’s digital archive. Fedora 6 provides the preservation back-end, Cloudflare delivers the public experience, and the surrounding automation keeps the stack reliable for curators, developers, and partner institutions.

1. System Overview

Layer Purpose Key Services
Content & Metadata Preservation-grade storage for photography, writing, and research artefacts Fedora 6 (Tomcat), PostgreSQL
Delivery Edge Secure public access, API proxying, documentation Cloudflare Worker, Cloudflare Pages, Cloudflare Tunnel
Operations Monitoring, automation, onboarding Grafana, Prometheus, Zero Trust (planned), /docs hub

Authoritative domains

Stakeholder Roles

Role Responsibilities Access Path
Archive Curator Create/curate Fedora resources, maintain metadata quality, manage version history Uses Worker-backed tools or ingestion scripts with curator credentials
Digital Producer Plan releases, coordinate partner feeds, oversee roadmap & checklists References documentation hub and Grafana dashboards
Developer / Integrator Extend APIs, build ingestion tooling, maintain Worker and tunnel Works in this repository, Cloudflare dashboard, and automation scripts
Partner Institution Consume scheduled exports or API endpoints Receives exports, uses Worker endpoints with scoped credentials
Public Audience Explore storytelling front-end, browse curated narratives Visits https://michaeljwright.com.au (separate web project)

2. Quick Start

# Prerequisites: Docker Desktop + Compose, Node 18+, Cloudflare Wrangler CLI

git clone git@github.com:Rob142857/fedoraMJWArtist.git
cd fedoraMJWArtist

npm install                 # installs wrangler + build tooling
cp .env.example .env        # (optional) start from template; this repo may commit .env for VM deployment

# Runtime credentials live in config/runtime.env; Worker secrets are set via Wrangler.

pwsh -ExecutionPolicy Bypass -File .\quickstartdockerandcloudflared.ps1 -ForceRestartTunnel

The PowerShell script ensures Docker Desktop is running, starts the Compose stack, and verifies the Cloudflare Tunnel.

Collection Structure (Ready for Curation)

The repository is initialized with the following collection hierarchy:

/fcrepo/rest/
├── paintings/
│   ├── coastal-studies/
│   ├── desert-series/
│   ├── blue-mountains-landscapes/
│   ├── urban-fragments/
│   └── abstract-compositions/
├── drawings/
│   ├── sketches/
│   ├── prints/
│   └── mixed-media/
├── sculptures/
│   ├── bronze-works/
│   ├── wood-carvings/
│   └── installations/
├── photographs/
│   ├── nature-studies/
│   ├── native-flora/
│   ├── urban-fragments/
│   └── portrait-studies/
├── poems/
│   ├── winter-sonnets/
│   ├── nature-poetry/
│   └── urban-meditations/
└── notebooks/
    ├── outback-journals/
    ├── sketchbooks/
    └── travel-writing/

Access Points:

For Curators: See docs/curators-guide.md for complete workflow documentation.

Deploy Worker & Pages

# Worker (API proxy)
npx wrangler secret put FEDORA_BASIC_AUTH   # paste "Basic base64(user:pass)" (use a dedicated non-admin/service user)
npx wrangler deploy

# Helper (recommended): prompts for username/password and sets the secret without manual base64 copy/paste
npm run secret:fedora:deploy

# Bootstrap (recommended for new setups): generates/rotates a dedicated Fedora service user in config/runtime.env,
# recreates the Fedora container (Tomcat picks up the new user), sets FEDORA_BASIC_AUTH, and deploys.
npm run bootstrap:syndication:creds

# Documentation / frontend
npm run pages:deploy

3. Repository & API Architecture

  1. Collections & Metadata

    • Fedora containers mirror archival structure: Root → Collections → {Projects, Exhibitions, Writings}.
    • Descriptive metadata uses Dublin Core + custom JSON-LD; technical EXIF/IPTC kept as RDF or JSON binaries.
    • Fedora stores low-resolution, watermarked access copies (JPEG/WebP as needed). Full-resolution masters/originals are stored elsewhere and referenced from Fedora metadata.

  2. Ingestion Workflow (Planned)

    • Manifest-driven uploader (CSV/JSON) posts binaries + metadata to Fedora REST.
    • Fedora memento keeps automatic version history.
    • WebAC or Worker enforcement separates curator, read-only, and public access paths.

  3. Syndication APIs

    • Cloudflare Worker emits JSON (metadata + preview asset URLs).
    • Responses are cached with ETags and stored in CDN edge.
    • Search metadata will be mirrored into OpenSearch/Algolia for faceted discovery.

  4. Public Site Integration

    • michaeljwright.com.au consumes Worker endpoints (/api/v1/...).
    • Public experiences use low-res, watermarked previews from the archive; master/original delivery is handled outside Fedora.
    • Editors access a secure Pages admin surface backed by the same API.

  5. Partner Distribution

    • Nightly exports (JSON, CSV, METS) and optional OAI-PMH feed.
    • Webhooks / queues (e.g., Azure Service Bus) notify partners of new resources.

  6. Governance & Operations

    • Rotate Worker secrets quarterly, enforce HTTPS only, audit Cloudflare tunnel logs.
    • Snapshot Fedora binaries + Postgres to offsite storage on a schedule.
    • Prometheus + Grafana dashboards track ingest latency, Worker health, tunnel status.
    • /docs captures metadata standards, runbooks, and onboarding guides.

4. Documentation Hub (/docs)

Run npm run build:docs to regenerate HTML artefacts from Markdown sources:

Markdown Published URL Primary Audience Purpose
docs/project-overview.md /docs/project-overview.html Curators & stakeholders Non-technical story of the archive within the broader project
docs/metadata-schema.md /docs/metadata-schema.html Developers & curators Comprehensive metadata field reference and file technical metadata
README.md /docs/README.html Developers & operators Platform overview, setup, and automation tooling
PRODUCTION_CHECKLIST.md /docs/PRODUCTION_CHECKLIST.html Producers & operations Go-live checklist and handover steps
docs/engagement-plan.md /docs/engagement-plan.html Producers & partners Stakeholder onboarding plan
docs/development-roadmap.md /docs/development-roadmap.html Project team Roadmap, backlog, and status buckets
docs/fedora-upgrade-guide.md /docs/fedora-upgrade-guide.html Operations & developers Fedora backend update runbook
docs/ent365-install-guide.md /docs/ent365-install-guide.html Operations ENT365 host deployment checklist

npm run pages:deploy rebuilds documentation and publishes to Cloudflare Pages (custom domain + branch alias).

Audience tip:

5. Environment & Secrets

Docker runtime credentials

Fedora/Tomcat user credentials for the Docker host are read from:

After updating config/runtime.env, apply it by recreating the Fedora container:

docker compose up -d --force-recreate mjw-fedora

Required entries in config/runtime.env (for syndication reads):

Cloudflare Worker (api.data) required config

Secrets (Cloudflare-side):

Vars (wrangler.toml / Cloudflare-side):

On Ubuntu (in this repo dir), after editing config/runtime.env you can sync FEDORA_BASIC_AUTH to Cloudflare with:

./scripts/sync-worker-fedora-basic-auth-from-runtime-env.sh
npx wrangler deploy --config wrangler.toml

On Ubuntu, a single-command bootstrap that updates the Tomcat service user password in config/runtime.env, recreates the Fedora container, syncs FEDORA_BASIC_AUTH, and deploys is available:

./scripts/bootstrap-syndication-creds.sh

If you intentionally want to rotate the Fedora service password (and then sync + deploy), run:

./scripts/bootstrap-syndication-creds.sh config/runtime.env wrangler.toml --rotate

Important: FEDORA_BASIC_AUTH must match the Fedora service user password currently active in Tomcat. Avoid rotating on one machine while syncing secrets from another.

Variable Location Notes
FEDORA_ADMIN_USERNAME, FEDORA_ADMIN_PASSWORD .env, injected into Tomcat Primary Fedora admin
FEDORA_SECONDARY_USERNAME, FEDORA_SECONDARY_PASSWORD .env Secondary account (can be repurposed for Worker)
FEDORA_BASIC_AUTH Cloudflare Worker secret Base64 user:pass used for Worker-to-Fedora authentication (prefer least-privilege, non-admin credentials)
POSTGRES_* .env Database credentials; rotate with backups

After editing .env, rerun the quickstart script to restart containers and reload Tomcat config.

6. Key Commands

# Verify docker services & tunnel
pwsh -ExecutionPolicy Bypass -File .\quickstartdockerandcloudflared.ps1 -ForceRestartTunnel

# Tail Worker logs
npx wrangler tail

# Deploy Worker + documentation
npx wrangler deploy
npm run pages:preview   # preview on https://main.fedora-frontend.pages.dev
npm run pages:deploy    # publish to https://data.michaeljwright.com.au

# Compose operations
docker compose ps
docker compose logs fcrepo
docker compose down

7. Support & Next Steps

OpenAPI

This repo includes an OpenAPI document describing the Worker endpoints used for integration and syndication:

Live (syndication-only):

It covers:

Syndication quickstart

Syndication is collaboration-only. If you want to consume/archive MJW materials in another site (e.g. a Vite/React frontend), contact AdminRob / project maintainers to set up access.

What partners must provide:

What we issue/configure:

Security note: do not embed partner API keys in a public browser client; proxy requests through a server-side component (e.g., a Cloudflare Worker) so secrets stay private.

Consumer app (MJW-com-au): required secrets

For the Vite/React consumer site (“MJW-com-au”), the only credential required to use the syndication endpoints is:

Recommended (non-secret) config:

Implementation guidance (Pages Functions proxy pattern):

Track progress in docs/development-roadmap.md and update /docs on each sprint.