deploy(prod): swap host Caddy for NetBird-Traefik labels + external Keycloak
Ambrosio's TLS is now handled by the Traefik that NetBird's self-hosted installer deploys. kong + app attach to that Traefik network and expose themselves via Docker-provider labels (erosi-kong priority 100 for Supabase API paths, erosi-app priority 1 for everything else on erosi.limonia.net). No container publishes host ports; host Caddy is out of the deploy path permanently. Keycloak is no longer bundled — PUBLIC_KEYCLOAK_URL points at an external IdP. The deploy script writes .env with FILL_IN_* placeholders for PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, and TRAEFIK_NETWORK, and fails fast until they are filled. New domain: erosi.limonia.net. realm-export.erosi.json is retained as reference for the external Keycloak operator; it is no longer imported by this stack. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,15 +1,27 @@
|
||||
# Production env for ambrosio — copy to .env on the server and fill in secrets.
|
||||
# Generate JWT triplet: bash infra/scripts/rotate-jwt.sh
|
||||
|
||||
# ── Domains (change if you migrate to new hostnames) ────────────────────────
|
||||
PUBLIC_APP_URL=https://erosi.oier.ovh
|
||||
PUBLIC_SUPABASE_URL=https://erosi.oier.ovh
|
||||
PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh
|
||||
# ── App + Supabase API (single domain, routed by Traefik on ambrosio) ──────
|
||||
PUBLIC_APP_URL=https://erosi.limonia.net
|
||||
PUBLIC_SUPABASE_URL=https://erosi.limonia.net
|
||||
|
||||
# ── External Keycloak ──────────────────────────────────────────────────────
|
||||
# The client must be confidential, with `openid` as a default client scope
|
||||
# (GoTrue v2.158.1 doesn't send `openid` in the OAuth scope param — Keycloak
|
||||
# must inject it), redirectUris including https://erosi.limonia.net/* and
|
||||
# https://erosi.limonia.net/auth/v1/callback, and webOrigins https://erosi.limonia.net.
|
||||
PUBLIC_KEYCLOAK_URL=https://your-keycloak.example.com
|
||||
PUBLIC_KEYCLOAK_REALM=colectivo
|
||||
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
|
||||
KEYCLOAK_CLIENT_SECRET=CHANGEME-paste-from-external-keycloak
|
||||
|
||||
# Keycloak sees this as its canonical hostname (KC_HOSTNAME).
|
||||
KEYCLOAK_HOSTNAME=auth.oier.ovh
|
||||
# ── Traefik (deployed by NetBird's self-hosted installer on ambrosio) ──────
|
||||
# Copy these three values from what you answered during the NetBird install.
|
||||
# The Docker network name is mandatory (Traefik auto-discovers our kong+app
|
||||
# via labels only when we join the same network).
|
||||
TRAEFIK_NETWORK=netbird
|
||||
TRAEFIK_ENTRYPOINT=websecure
|
||||
TRAEFIK_CERTRESOLVER=letsencrypt
|
||||
|
||||
# ── Postgres (single password for all internal roles) ───────────────────────
|
||||
POSTGRES_PASSWORD=CHANGEME-strong-random-password
|
||||
@@ -20,12 +32,6 @@ SUPABASE_JWT_SECRET=CHANGEME-openssl-rand-base64-48
|
||||
PUBLIC_SUPABASE_ANON_KEY=CHANGEME-sign-with-above
|
||||
SUPABASE_SERVICE_ROLE_KEY=CHANGEME-sign-with-above
|
||||
|
||||
# ── Keycloak admin + client secret ──────────────────────────────────────────
|
||||
KEYCLOAK_ADMIN=admin
|
||||
KEYCLOAK_ADMIN_PASSWORD=CHANGEME-strong-random-password
|
||||
# Must match the `secret` field of the colectivo-web client in realm-export.erosi.json.
|
||||
KEYCLOAK_CLIENT_SECRET=CHANGEME-client-secret-32-chars
|
||||
|
||||
# ── Realtime encryption ─────────────────────────────────────────────────────
|
||||
# DB_ENC_KEY: exactly 16 characters. SECRET_KEY_BASE: ≥ 64 characters.
|
||||
REALTIME_ENC_KEY=CHANGEME16charkey
|
||||
|
||||
Reference in New Issue
Block a user