deploy(prod): swap host Caddy for NetBird-Traefik labels + external Keycloak

Ambrosio's TLS is now handled by the Traefik that NetBird's self-hosted
installer deploys. kong + app attach to that Traefik network and expose
themselves via Docker-provider labels (erosi-kong priority 100 for
Supabase API paths, erosi-app priority 1 for everything else on
erosi.limonia.net). No container publishes host ports; host Caddy is
out of the deploy path permanently.

Keycloak is no longer bundled — PUBLIC_KEYCLOAK_URL points at an
external IdP. The deploy script writes .env with FILL_IN_* placeholders
for PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, and TRAEFIK_NETWORK,
and fails fast until they are filled.

New domain: erosi.limonia.net. realm-export.erosi.json is retained
as reference for the external Keycloak operator; it is no longer
imported by this stack.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-23 23:49:10 +02:00
parent 0e4ada0083
commit 33b32cae4a
7 changed files with 117 additions and 183 deletions

View File

@@ -1,46 +0,0 @@
# Caddyfile snippet for ambrosio host Caddy.
# Install path: /etc/caddy/Caddyfile (append these blocks).
# Reload: sudo systemctl reload caddy
#
# Docker services bind to 127.0.0.1 only; this file is the public entrypoint.
# TLS certificates are issued automatically by Caddy via Let's Encrypt.
# ── App + Supabase (single domain) ──────────────────────────────────────────
erosi.oier.ovh {
encode zstd gzip
# Supabase API paths → Kong gateway.
# Realtime MUST come before /auth, /rest, /storage to match its WS upgrade path first.
@supabase path /auth/v1/* /rest/v1/* /storage/v1/* /realtime/v1/* /graphql/v1/* /pg/*
handle @supabase {
# Realtime WebSockets require a long read timeout; PostgREST benefits from
# flush_interval for streaming responses. Caddy handles WS upgrades natively.
reverse_proxy 127.0.0.1:8000 {
transport http {
read_timeout 3600s
}
header_up X-Real-IP {remote_host}
}
}
# Everything else → SvelteKit Node server.
handle {
reverse_proxy 127.0.0.1:3000 {
header_up X-Real-IP {remote_host}
}
}
}
# ── Keycloak ────────────────────────────────────────────────────────────────
auth.oier.ovh {
encode zstd gzip
# Keycloak 24 with KC_PROXY=edge uses the X-Forwarded-* headers that Caddy
# already sets automatically on every reverse_proxy (Proto, For, Host).
# Only X-Forwarded-Port is not default, so we add it explicitly — without
# it Keycloak builds redirect URIs with the internal port (8080).
reverse_proxy 127.0.0.1:8090 {
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Port {server_port}
}
}

View File

@@ -1,11 +1,13 @@
name: colectivo-erosi
# Production stack for ambrosio (OVH VPS).
# Domains: erosi.oier.ovh (app + Supabase API) | auth.oier.ovh (Keycloak)
# Production stack for ambrosio.
# Domain: erosi.limonia.net (app + Supabase API, single-domain).
# Keycloak: external — URL set via PUBLIC_KEYCLOAK_URL in .env.
#
# TLS + reverse proxy is handled by the HOST Caddy (systemd service on ambrosio,
# config at /etc/caddy/Caddyfile) — NOT by a container. All services here bind
# to 127.0.0.1 so only Caddy can reach them.
# TLS + reverse proxy is handled by Traefik (deployed by NetBird's self-hosted
# installer on ambrosio). `kong` and `app` attach to Traefik's Docker network
# (name in ${TRAEFIK_NETWORK}) and expose themselves via traefik.* labels.
# No container binds a host port.
#
# Bring up: docker compose -f infra/docker-compose.erosi.yml --env-file .env up -d --build
# Logs: docker compose -f infra/docker-compose.erosi.yml logs -f
@@ -54,8 +56,7 @@ services:
GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
GOTRUE_EXTERNAL_KEYCLOAK_SECRET: ${KEYCLOAK_CLIENT_SECRET}
GOTRUE_EXTERNAL_KEYCLOAK_SCOPES: "openid profile email"
# Public Keycloak base URL (browser sees this). The `/realms/colectivo`
# suffix is appended by GoTrue.
# Browser-facing Keycloak issuer URL. GoTrue appends /.well-known to it.
GOTRUE_EXTERNAL_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}
GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI: ${PUBLIC_SUPABASE_URL}/auth/v1/callback
GOTRUE_MAILER_AUTOCONFIRM: "true"
@@ -142,13 +143,11 @@ services:
- storage-data:/var/lib/storage:ro
networks: [colectivo]
# ── Kong (API Gateway) — bound to localhost only; host Caddy proxies it ────
# ── Kong (API Gateway) — exposed on the Traefik network via labels ────────
kong:
image: kong:2.8.1
restart: always
entrypoint: ["/bin/bash", "/home/kong/kong-start.sh"]
ports:
- "127.0.0.1:8000:8000"
depends_on:
db: { condition: service_healthy }
environment:
@@ -163,39 +162,15 @@ services:
volumes:
- ./kong.yml:/home/kong/temp.yml:ro
- ./kong-start.sh:/home/kong/kong-start.sh:ro
networks: [colectivo]
# ── Keycloak 24 ────────────────────────────────────────────────────────────
# Bound to localhost only; host Caddy proxies auth.oier.ovh → 127.0.0.1:8090.
# KC_PROXY=edge expects X-Forwarded-* from Caddy.
keycloak:
image: quay.io/keycloak/keycloak:24.0.5
restart: always
ports:
- "127.0.0.1:8090:8080"
# Plain `start` (no --optimized) so Quarkus re-builds with the Postgres
# driver on first boot. --optimized skips the build phase and falls back
# to H2, producing "URL format error ... jdbc:h2" on startup.
command: start --import-realm
depends_on:
db: { condition: service_healthy }
environment:
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://db:5432/keycloak
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
KC_HOSTNAME: ${KEYCLOAK_HOSTNAME}
KC_HOSTNAME_STRICT: "true"
KC_HOSTNAME_STRICT_HTTPS: "true"
KC_PROXY: edge
KC_HTTP_ENABLED: "true"
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
KC_FEATURES: token-exchange
volumes:
- keycloak-data:/opt/keycloak/data
- ../keycloak/realm-export.erosi.json:/opt/keycloak/data/import/realm-export.json:ro
networks: [colectivo]
networks: [colectivo, traefik]
labels:
- "traefik.enable=true"
- "traefik.docker.network=${TRAEFIK_NETWORK}"
- "traefik.http.routers.erosi-kong.rule=Host(`erosi.limonia.net`) && (PathPrefix(`/rest/v1`) || PathPrefix(`/auth/v1`) || PathPrefix(`/realtime/v1`) || PathPrefix(`/storage/v1`) || PathPrefix(`/graphql/v1`) || PathPrefix(`/pg`))"
- "traefik.http.routers.erosi-kong.entrypoints=${TRAEFIK_ENTRYPOINT}"
- "traefik.http.routers.erosi-kong.tls.certresolver=${TRAEFIK_CERTRESOLVER}"
- "traefik.http.routers.erosi-kong.priority=100"
- "traefik.http.services.erosi-kong.loadbalancer.server.port=8000"
# ── App (SvelteKit Node server) — built on the host from the repo ──────────
# Build args bake the PUBLIC_* values into the client bundle (SvelteKit reqs).
@@ -212,8 +187,6 @@ services:
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
PUBLIC_APP_URL: ${PUBLIC_APP_URL}
restart: always
ports:
- "127.0.0.1:3000:3000"
environment:
PUBLIC_SUPABASE_URL: ${PUBLIC_SUPABASE_URL}
PUBLIC_SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
@@ -222,13 +195,23 @@ services:
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
PUBLIC_APP_URL: ${PUBLIC_APP_URL}
NODE_ENV: production
networks: [colectivo]
networks: [colectivo, traefik]
labels:
- "traefik.enable=true"
- "traefik.docker.network=${TRAEFIK_NETWORK}"
- "traefik.http.routers.erosi-app.rule=Host(`erosi.limonia.net`)"
- "traefik.http.routers.erosi-app.entrypoints=${TRAEFIK_ENTRYPOINT}"
- "traefik.http.routers.erosi-app.tls.certresolver=${TRAEFIK_CERTRESOLVER}"
- "traefik.http.routers.erosi-app.priority=1"
- "traefik.http.services.erosi-app.loadbalancer.server.port=3000"
networks:
colectivo:
driver: bridge
traefik:
name: ${TRAEFIK_NETWORK}
external: true
volumes:
db-data:
storage-data:
keycloak-data:

View File

@@ -7,11 +7,15 @@
#
# First run:
# 1. rsyncs repo → ambrosio:/opt/colectivo/
# 2. if .env doesn't exist on server, generates secrets and writes it
# 3. patches realm-export.erosi.json with the generated Keycloak client secret
# 4. docker compose build + up -d
# 5. applies DB migrations
# 6. installs the Caddyfile snippet into host Caddy and reloads
# 2. if .env doesn't exist on server, generates secrets and writes it with
# placeholder values the operator must fill in (external Keycloak URL,
# Keycloak client secret, Traefik network name)
# 3. docker compose build + up -d
# 4. applies DB migrations
#
# TLS + routing is handled by Traefik (deployed by NetBird's self-hosted
# installer on ambrosio). This script never touches /etc/caddy/* or any host
# reverse-proxy config — it only manages the Docker stack.
#
# Subsequent runs: rsync + rebuild app + rolling restart.
@@ -43,7 +47,7 @@ rsync -az --delete \
--exclude 'playwright-report' \
"$REPO_ROOT/" "$DEPLOY_HOST:$DEPLOY_PATH/"
# ── 3. Bootstrap secrets on first run ─────────────────────────────────────
# ── 3. Bootstrap secrets on first run; sanity-check placeholders every run
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
set -euo pipefail
cd /opt/colectivo
@@ -57,21 +61,28 @@ if [ ! -f .env ]; then
PUBLIC_SUPABASE_ANON_KEY=$(echo "$JWT_OUT" | awk -F= '/^PUBLIC_SUPABASE_ANON_KEY=/{print substr($0, index($0,$2))}')
SUPABASE_SERVICE_ROLE_KEY=$(echo "$JWT_OUT" | awk -F= '/^SUPABASE_SERVICE_ROLE_KEY=/{print substr($0, index($0,$2))}')
# Other passwords + keys
# Postgres + Realtime secrets
POSTGRES_PASSWORD=$(openssl rand -hex 24)
KEYCLOAK_ADMIN_PASSWORD=$(openssl rand -hex 24)
KEYCLOAK_CLIENT_SECRET=$(openssl rand -hex 24)
REALTIME_ENC_KEY=$(openssl rand -hex 8) # 16 chars
REALTIME_SECRET_KEY_BASE=$(openssl rand -hex 48) # 96 chars
cat > .env <<EOF
# Generated on $(date -u +%Y-%m-%dT%H:%M:%SZ). Keep this file mode 600.
PUBLIC_APP_URL=https://erosi.oier.ovh
PUBLIC_SUPABASE_URL=https://erosi.oier.ovh
PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh
PUBLIC_APP_URL=https://erosi.limonia.net
PUBLIC_SUPABASE_URL=https://erosi.limonia.net
# External Keycloak — FILL THESE IN before the stack will boot usefully.
PUBLIC_KEYCLOAK_URL=FILL_IN_KEYCLOAK_URL
PUBLIC_KEYCLOAK_REALM=colectivo
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
KEYCLOAK_HOSTNAME=auth.oier.ovh
KEYCLOAK_CLIENT_SECRET=FILL_IN_CLIENT_SECRET
# Traefik (deployed by NetBird's self-hosted installer on ambrosio).
# FILL_IN the network name the installer asked you for; defaults for
# entrypoint + certresolver match NetBird's typical setup.
TRAEFIK_NETWORK=FILL_IN_TRAEFIK_NETWORK
TRAEFIK_ENTRYPOINT=websecure
TRAEFIK_CERTRESOLVER=letsencrypt
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
@@ -79,21 +90,24 @@ SUPABASE_JWT_SECRET=$SUPABASE_JWT_SECRET
PUBLIC_SUPABASE_ANON_KEY=$PUBLIC_SUPABASE_ANON_KEY
SUPABASE_SERVICE_ROLE_KEY=$SUPABASE_SERVICE_ROLE_KEY
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
KEYCLOAK_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET
REALTIME_ENC_KEY=$REALTIME_ENC_KEY
REALTIME_SECRET_KEY_BASE=$REALTIME_SECRET_KEY_BASE
EOF
chmod 600 .env
echo "--- Wrote .env (mode 600). Keycloak admin password stored there."
echo "--- Wrote .env (mode 600)."
echo " Fill in: PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK"
echo " then re-run this script."
exit 0
fi
# Always substitute the client secret placeholder in the realm JSON.
# Keycloak only imports the realm if it doesn't exist yet — on first boot only.
source .env
sed -i "s|__KEYCLOAK_CLIENT_SECRET__|$KEYCLOAK_CLIENT_SECRET|g" keycloak/realm-export.erosi.json
# Every deploy: fail fast if the operator didn't finish the .env.
if grep -q '^PUBLIC_KEYCLOAK_URL=FILL_IN_' .env \
|| grep -q '^KEYCLOAK_CLIENT_SECRET=FILL_IN_' .env \
|| grep -q '^TRAEFIK_NETWORK=FILL_IN_' .env; then
echo "ERROR: /opt/colectivo/.env still contains FILL_IN_ placeholders." >&2
echo " Fill in PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK and retry." >&2
exit 1
fi
REMOTE
# ── 4. Build + bring up the stack ─────────────────────────────────────────
@@ -146,39 +160,8 @@ for f in supabase/migrations/*.sql; do
echo "FAIL"; exit 1
fi
done
echo "--- Keycloak may need an extra minute to import the realm on first boot"
REMOTE
# ── 5. Install Caddyfile snippet into host Caddy (idempotent) ─────────────
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
set -euo pipefail
cd /opt/colectivo
MARKER_START="# BEGIN colectivo-erosi"
MARKER_END="# END colectivo-erosi"
# Strip any previous version of our block from /etc/caddy/Caddyfile, then append fresh.
sudo awk -v start="$MARKER_START" -v end="$MARKER_END" '
$0 ~ start {skip=1}
!skip {print}
$0 ~ end {skip=0}
' /etc/caddy/Caddyfile > /tmp/Caddyfile.new
{
echo ""
echo "$MARKER_START"
cat infra/caddy/erosi.Caddyfile
echo "$MARKER_END"
} >> /tmp/Caddyfile.new
sudo mv /tmp/Caddyfile.new /etc/caddy/Caddyfile
sudo caddy validate --config /etc/caddy/Caddyfile
sudo systemctl reload caddy
echo "--- Caddy reloaded"
REMOTE
echo "==> Deploy complete."
echo " App: https://erosi.oier.ovh"
echo " Keycloak: https://auth.oier.ovh"
echo " Admin pw: ssh $DEPLOY_HOST 'grep KEYCLOAK_ADMIN_PASSWORD $DEPLOY_PATH/.env'"
echo " App: https://erosi.limonia.net"
echo " Keycloak: external — see PUBLIC_KEYCLOAK_URL in $DEPLOY_PATH/.env"