deploy(prod): swap host Caddy for NetBird-Traefik labels + external Keycloak
Ambrosio's TLS is now handled by the Traefik that NetBird's self-hosted installer deploys. kong + app attach to that Traefik network and expose themselves via Docker-provider labels (erosi-kong priority 100 for Supabase API paths, erosi-app priority 1 for everything else on erosi.limonia.net). No container publishes host ports; host Caddy is out of the deploy path permanently. Keycloak is no longer bundled — PUBLIC_KEYCLOAK_URL points at an external IdP. The deploy script writes .env with FILL_IN_* placeholders for PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, and TRAEFIK_NETWORK, and fails fast until they are filled. New domain: erosi.limonia.net. realm-export.erosi.json is retained as reference for the external Keycloak operator; it is no longer imported by this stack. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,46 +0,0 @@
|
||||
# Caddyfile snippet for ambrosio host Caddy.
|
||||
# Install path: /etc/caddy/Caddyfile (append these blocks).
|
||||
# Reload: sudo systemctl reload caddy
|
||||
#
|
||||
# Docker services bind to 127.0.0.1 only; this file is the public entrypoint.
|
||||
# TLS certificates are issued automatically by Caddy via Let's Encrypt.
|
||||
|
||||
# ── App + Supabase (single domain) ──────────────────────────────────────────
|
||||
erosi.oier.ovh {
|
||||
encode zstd gzip
|
||||
|
||||
# Supabase API paths → Kong gateway.
|
||||
# Realtime MUST come before /auth, /rest, /storage to match its WS upgrade path first.
|
||||
@supabase path /auth/v1/* /rest/v1/* /storage/v1/* /realtime/v1/* /graphql/v1/* /pg/*
|
||||
handle @supabase {
|
||||
# Realtime WebSockets require a long read timeout; PostgREST benefits from
|
||||
# flush_interval for streaming responses. Caddy handles WS upgrades natively.
|
||||
reverse_proxy 127.0.0.1:8000 {
|
||||
transport http {
|
||||
read_timeout 3600s
|
||||
}
|
||||
header_up X-Real-IP {remote_host}
|
||||
}
|
||||
}
|
||||
|
||||
# Everything else → SvelteKit Node server.
|
||||
handle {
|
||||
reverse_proxy 127.0.0.1:3000 {
|
||||
header_up X-Real-IP {remote_host}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# ── Keycloak ────────────────────────────────────────────────────────────────
|
||||
auth.oier.ovh {
|
||||
encode zstd gzip
|
||||
|
||||
# Keycloak 24 with KC_PROXY=edge uses the X-Forwarded-* headers that Caddy
|
||||
# already sets automatically on every reverse_proxy (Proto, For, Host).
|
||||
# Only X-Forwarded-Port is not default, so we add it explicitly — without
|
||||
# it Keycloak builds redirect URIs with the internal port (8080).
|
||||
reverse_proxy 127.0.0.1:8090 {
|
||||
header_up X-Real-IP {remote_host}
|
||||
header_up X-Forwarded-Port {server_port}
|
||||
}
|
||||
}
|
||||
@@ -1,11 +1,13 @@
|
||||
name: colectivo-erosi
|
||||
|
||||
# Production stack for ambrosio (OVH VPS).
|
||||
# Domains: erosi.oier.ovh (app + Supabase API) | auth.oier.ovh (Keycloak)
|
||||
# Production stack for ambrosio.
|
||||
# Domain: erosi.limonia.net (app + Supabase API, single-domain).
|
||||
# Keycloak: external — URL set via PUBLIC_KEYCLOAK_URL in .env.
|
||||
#
|
||||
# TLS + reverse proxy is handled by the HOST Caddy (systemd service on ambrosio,
|
||||
# config at /etc/caddy/Caddyfile) — NOT by a container. All services here bind
|
||||
# to 127.0.0.1 so only Caddy can reach them.
|
||||
# TLS + reverse proxy is handled by Traefik (deployed by NetBird's self-hosted
|
||||
# installer on ambrosio). `kong` and `app` attach to Traefik's Docker network
|
||||
# (name in ${TRAEFIK_NETWORK}) and expose themselves via traefik.* labels.
|
||||
# No container binds a host port.
|
||||
#
|
||||
# Bring up: docker compose -f infra/docker-compose.erosi.yml --env-file .env up -d --build
|
||||
# Logs: docker compose -f infra/docker-compose.erosi.yml logs -f
|
||||
@@ -54,8 +56,7 @@ services:
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_SECRET: ${KEYCLOAK_CLIENT_SECRET}
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_SCOPES: "openid profile email"
|
||||
# Public Keycloak base URL (browser sees this). The `/realms/colectivo`
|
||||
# suffix is appended by GoTrue.
|
||||
# Browser-facing Keycloak issuer URL. GoTrue appends /.well-known to it.
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI: ${PUBLIC_SUPABASE_URL}/auth/v1/callback
|
||||
GOTRUE_MAILER_AUTOCONFIRM: "true"
|
||||
@@ -142,13 +143,11 @@ services:
|
||||
- storage-data:/var/lib/storage:ro
|
||||
networks: [colectivo]
|
||||
|
||||
# ── Kong (API Gateway) — bound to localhost only; host Caddy proxies it ────
|
||||
# ── Kong (API Gateway) — exposed on the Traefik network via labels ────────
|
||||
kong:
|
||||
image: kong:2.8.1
|
||||
restart: always
|
||||
entrypoint: ["/bin/bash", "/home/kong/kong-start.sh"]
|
||||
ports:
|
||||
- "127.0.0.1:8000:8000"
|
||||
depends_on:
|
||||
db: { condition: service_healthy }
|
||||
environment:
|
||||
@@ -163,39 +162,15 @@ services:
|
||||
volumes:
|
||||
- ./kong.yml:/home/kong/temp.yml:ro
|
||||
- ./kong-start.sh:/home/kong/kong-start.sh:ro
|
||||
networks: [colectivo]
|
||||
|
||||
# ── Keycloak 24 ────────────────────────────────────────────────────────────
|
||||
# Bound to localhost only; host Caddy proxies auth.oier.ovh → 127.0.0.1:8090.
|
||||
# KC_PROXY=edge expects X-Forwarded-* from Caddy.
|
||||
keycloak:
|
||||
image: quay.io/keycloak/keycloak:24.0.5
|
||||
restart: always
|
||||
ports:
|
||||
- "127.0.0.1:8090:8080"
|
||||
# Plain `start` (no --optimized) so Quarkus re-builds with the Postgres
|
||||
# driver on first boot. --optimized skips the build phase and falls back
|
||||
# to H2, producing "URL format error ... jdbc:h2" on startup.
|
||||
command: start --import-realm
|
||||
depends_on:
|
||||
db: { condition: service_healthy }
|
||||
environment:
|
||||
KC_DB: postgres
|
||||
KC_DB_URL: jdbc:postgresql://db:5432/keycloak
|
||||
KC_DB_USERNAME: keycloak
|
||||
KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
|
||||
KC_HOSTNAME: ${KEYCLOAK_HOSTNAME}
|
||||
KC_HOSTNAME_STRICT: "true"
|
||||
KC_HOSTNAME_STRICT_HTTPS: "true"
|
||||
KC_PROXY: edge
|
||||
KC_HTTP_ENABLED: "true"
|
||||
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
|
||||
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
|
||||
KC_FEATURES: token-exchange
|
||||
volumes:
|
||||
- keycloak-data:/opt/keycloak/data
|
||||
- ../keycloak/realm-export.erosi.json:/opt/keycloak/data/import/realm-export.json:ro
|
||||
networks: [colectivo]
|
||||
networks: [colectivo, traefik]
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.docker.network=${TRAEFIK_NETWORK}"
|
||||
- "traefik.http.routers.erosi-kong.rule=Host(`erosi.limonia.net`) && (PathPrefix(`/rest/v1`) || PathPrefix(`/auth/v1`) || PathPrefix(`/realtime/v1`) || PathPrefix(`/storage/v1`) || PathPrefix(`/graphql/v1`) || PathPrefix(`/pg`))"
|
||||
- "traefik.http.routers.erosi-kong.entrypoints=${TRAEFIK_ENTRYPOINT}"
|
||||
- "traefik.http.routers.erosi-kong.tls.certresolver=${TRAEFIK_CERTRESOLVER}"
|
||||
- "traefik.http.routers.erosi-kong.priority=100"
|
||||
- "traefik.http.services.erosi-kong.loadbalancer.server.port=8000"
|
||||
|
||||
# ── App (SvelteKit Node server) — built on the host from the repo ──────────
|
||||
# Build args bake the PUBLIC_* values into the client bundle (SvelteKit reqs).
|
||||
@@ -212,8 +187,6 @@ services:
|
||||
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
|
||||
PUBLIC_APP_URL: ${PUBLIC_APP_URL}
|
||||
restart: always
|
||||
ports:
|
||||
- "127.0.0.1:3000:3000"
|
||||
environment:
|
||||
PUBLIC_SUPABASE_URL: ${PUBLIC_SUPABASE_URL}
|
||||
PUBLIC_SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||
@@ -222,13 +195,23 @@ services:
|
||||
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
|
||||
PUBLIC_APP_URL: ${PUBLIC_APP_URL}
|
||||
NODE_ENV: production
|
||||
networks: [colectivo]
|
||||
networks: [colectivo, traefik]
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.docker.network=${TRAEFIK_NETWORK}"
|
||||
- "traefik.http.routers.erosi-app.rule=Host(`erosi.limonia.net`)"
|
||||
- "traefik.http.routers.erosi-app.entrypoints=${TRAEFIK_ENTRYPOINT}"
|
||||
- "traefik.http.routers.erosi-app.tls.certresolver=${TRAEFIK_CERTRESOLVER}"
|
||||
- "traefik.http.routers.erosi-app.priority=1"
|
||||
- "traefik.http.services.erosi-app.loadbalancer.server.port=3000"
|
||||
|
||||
networks:
|
||||
colectivo:
|
||||
driver: bridge
|
||||
traefik:
|
||||
name: ${TRAEFIK_NETWORK}
|
||||
external: true
|
||||
|
||||
volumes:
|
||||
db-data:
|
||||
storage-data:
|
||||
keycloak-data:
|
||||
|
||||
@@ -7,11 +7,15 @@
|
||||
#
|
||||
# First run:
|
||||
# 1. rsyncs repo → ambrosio:/opt/colectivo/
|
||||
# 2. if .env doesn't exist on server, generates secrets and writes it
|
||||
# 3. patches realm-export.erosi.json with the generated Keycloak client secret
|
||||
# 4. docker compose build + up -d
|
||||
# 5. applies DB migrations
|
||||
# 6. installs the Caddyfile snippet into host Caddy and reloads
|
||||
# 2. if .env doesn't exist on server, generates secrets and writes it with
|
||||
# placeholder values the operator must fill in (external Keycloak URL,
|
||||
# Keycloak client secret, Traefik network name)
|
||||
# 3. docker compose build + up -d
|
||||
# 4. applies DB migrations
|
||||
#
|
||||
# TLS + routing is handled by Traefik (deployed by NetBird's self-hosted
|
||||
# installer on ambrosio). This script never touches /etc/caddy/* or any host
|
||||
# reverse-proxy config — it only manages the Docker stack.
|
||||
#
|
||||
# Subsequent runs: rsync + rebuild app + rolling restart.
|
||||
|
||||
@@ -43,7 +47,7 @@ rsync -az --delete \
|
||||
--exclude 'playwright-report' \
|
||||
"$REPO_ROOT/" "$DEPLOY_HOST:$DEPLOY_PATH/"
|
||||
|
||||
# ── 3. Bootstrap secrets on first run ──────────────────────────────────────
|
||||
# ── 3. Bootstrap secrets on first run; sanity-check placeholders every run ─
|
||||
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
|
||||
set -euo pipefail
|
||||
cd /opt/colectivo
|
||||
@@ -57,21 +61,28 @@ if [ ! -f .env ]; then
|
||||
PUBLIC_SUPABASE_ANON_KEY=$(echo "$JWT_OUT" | awk -F= '/^PUBLIC_SUPABASE_ANON_KEY=/{print substr($0, index($0,$2))}')
|
||||
SUPABASE_SERVICE_ROLE_KEY=$(echo "$JWT_OUT" | awk -F= '/^SUPABASE_SERVICE_ROLE_KEY=/{print substr($0, index($0,$2))}')
|
||||
|
||||
# Other passwords + keys
|
||||
# Postgres + Realtime secrets
|
||||
POSTGRES_PASSWORD=$(openssl rand -hex 24)
|
||||
KEYCLOAK_ADMIN_PASSWORD=$(openssl rand -hex 24)
|
||||
KEYCLOAK_CLIENT_SECRET=$(openssl rand -hex 24)
|
||||
REALTIME_ENC_KEY=$(openssl rand -hex 8) # 16 chars
|
||||
REALTIME_SECRET_KEY_BASE=$(openssl rand -hex 48) # 96 chars
|
||||
|
||||
cat > .env <<EOF
|
||||
# Generated on $(date -u +%Y-%m-%dT%H:%M:%SZ). Keep this file mode 600.
|
||||
PUBLIC_APP_URL=https://erosi.oier.ovh
|
||||
PUBLIC_SUPABASE_URL=https://erosi.oier.ovh
|
||||
PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh
|
||||
PUBLIC_APP_URL=https://erosi.limonia.net
|
||||
PUBLIC_SUPABASE_URL=https://erosi.limonia.net
|
||||
|
||||
# External Keycloak — FILL THESE IN before the stack will boot usefully.
|
||||
PUBLIC_KEYCLOAK_URL=FILL_IN_KEYCLOAK_URL
|
||||
PUBLIC_KEYCLOAK_REALM=colectivo
|
||||
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
|
||||
KEYCLOAK_HOSTNAME=auth.oier.ovh
|
||||
KEYCLOAK_CLIENT_SECRET=FILL_IN_CLIENT_SECRET
|
||||
|
||||
# Traefik (deployed by NetBird's self-hosted installer on ambrosio).
|
||||
# FILL_IN the network name the installer asked you for; defaults for
|
||||
# entrypoint + certresolver match NetBird's typical setup.
|
||||
TRAEFIK_NETWORK=FILL_IN_TRAEFIK_NETWORK
|
||||
TRAEFIK_ENTRYPOINT=websecure
|
||||
TRAEFIK_CERTRESOLVER=letsencrypt
|
||||
|
||||
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
|
||||
|
||||
@@ -79,21 +90,24 @@ SUPABASE_JWT_SECRET=$SUPABASE_JWT_SECRET
|
||||
PUBLIC_SUPABASE_ANON_KEY=$PUBLIC_SUPABASE_ANON_KEY
|
||||
SUPABASE_SERVICE_ROLE_KEY=$SUPABASE_SERVICE_ROLE_KEY
|
||||
|
||||
KEYCLOAK_ADMIN=admin
|
||||
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
|
||||
KEYCLOAK_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET
|
||||
|
||||
REALTIME_ENC_KEY=$REALTIME_ENC_KEY
|
||||
REALTIME_SECRET_KEY_BASE=$REALTIME_SECRET_KEY_BASE
|
||||
EOF
|
||||
chmod 600 .env
|
||||
echo "--- Wrote .env (mode 600). Keycloak admin password stored there."
|
||||
echo "--- Wrote .env (mode 600)."
|
||||
echo " Fill in: PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK"
|
||||
echo " then re-run this script."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Always substitute the client secret placeholder in the realm JSON.
|
||||
# Keycloak only imports the realm if it doesn't exist yet — on first boot only.
|
||||
source .env
|
||||
sed -i "s|__KEYCLOAK_CLIENT_SECRET__|$KEYCLOAK_CLIENT_SECRET|g" keycloak/realm-export.erosi.json
|
||||
# Every deploy: fail fast if the operator didn't finish the .env.
|
||||
if grep -q '^PUBLIC_KEYCLOAK_URL=FILL_IN_' .env \
|
||||
|| grep -q '^KEYCLOAK_CLIENT_SECRET=FILL_IN_' .env \
|
||||
|| grep -q '^TRAEFIK_NETWORK=FILL_IN_' .env; then
|
||||
echo "ERROR: /opt/colectivo/.env still contains FILL_IN_ placeholders." >&2
|
||||
echo " Fill in PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK and retry." >&2
|
||||
exit 1
|
||||
fi
|
||||
REMOTE
|
||||
|
||||
# ── 4. Build + bring up the stack ─────────────────────────────────────────
|
||||
@@ -146,39 +160,8 @@ for f in supabase/migrations/*.sql; do
|
||||
echo "FAIL"; exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
echo "--- Keycloak may need an extra minute to import the realm on first boot"
|
||||
REMOTE
|
||||
|
||||
# ── 5. Install Caddyfile snippet into host Caddy (idempotent) ─────────────
|
||||
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
|
||||
set -euo pipefail
|
||||
cd /opt/colectivo
|
||||
|
||||
MARKER_START="# BEGIN colectivo-erosi"
|
||||
MARKER_END="# END colectivo-erosi"
|
||||
|
||||
# Strip any previous version of our block from /etc/caddy/Caddyfile, then append fresh.
|
||||
sudo awk -v start="$MARKER_START" -v end="$MARKER_END" '
|
||||
$0 ~ start {skip=1}
|
||||
!skip {print}
|
||||
$0 ~ end {skip=0}
|
||||
' /etc/caddy/Caddyfile > /tmp/Caddyfile.new
|
||||
|
||||
{
|
||||
echo ""
|
||||
echo "$MARKER_START"
|
||||
cat infra/caddy/erosi.Caddyfile
|
||||
echo "$MARKER_END"
|
||||
} >> /tmp/Caddyfile.new
|
||||
|
||||
sudo mv /tmp/Caddyfile.new /etc/caddy/Caddyfile
|
||||
sudo caddy validate --config /etc/caddy/Caddyfile
|
||||
sudo systemctl reload caddy
|
||||
echo "--- Caddy reloaded"
|
||||
REMOTE
|
||||
|
||||
echo "==> Deploy complete."
|
||||
echo " App: https://erosi.oier.ovh"
|
||||
echo " Keycloak: https://auth.oier.ovh"
|
||||
echo " Admin pw: ssh $DEPLOY_HOST 'grep KEYCLOAK_ADMIN_PASSWORD $DEPLOY_PATH/.env'"
|
||||
echo " App: https://erosi.limonia.net"
|
||||
echo " Keycloak: external — see PUBLIC_KEYCLOAK_URL in $DEPLOY_PATH/.env"
|
||||
|
||||
Reference in New Issue
Block a user