deploy(prod): swap host Caddy for NetBird-Traefik labels + external Keycloak
Ambrosio's TLS is now handled by the Traefik that NetBird's self-hosted installer deploys. kong + app attach to that Traefik network and expose themselves via Docker-provider labels (erosi-kong priority 100 for Supabase API paths, erosi-app priority 1 for everything else on erosi.limonia.net). No container publishes host ports; host Caddy is out of the deploy path permanently. Keycloak is no longer bundled — PUBLIC_KEYCLOAK_URL points at an external IdP. The deploy script writes .env with FILL_IN_* placeholders for PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, and TRAEFIK_NETWORK, and fails fast until they are filled. New domain: erosi.limonia.net. realm-export.erosi.json is retained as reference for the external Keycloak operator; it is no longer imported by this stack. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -7,11 +7,15 @@
|
||||
#
|
||||
# First run:
|
||||
# 1. rsyncs repo → ambrosio:/opt/colectivo/
|
||||
# 2. if .env doesn't exist on server, generates secrets and writes it
|
||||
# 3. patches realm-export.erosi.json with the generated Keycloak client secret
|
||||
# 4. docker compose build + up -d
|
||||
# 5. applies DB migrations
|
||||
# 6. installs the Caddyfile snippet into host Caddy and reloads
|
||||
# 2. if .env doesn't exist on server, generates secrets and writes it with
|
||||
# placeholder values the operator must fill in (external Keycloak URL,
|
||||
# Keycloak client secret, Traefik network name)
|
||||
# 3. docker compose build + up -d
|
||||
# 4. applies DB migrations
|
||||
#
|
||||
# TLS + routing is handled by Traefik (deployed by NetBird's self-hosted
|
||||
# installer on ambrosio). This script never touches /etc/caddy/* or any host
|
||||
# reverse-proxy config — it only manages the Docker stack.
|
||||
#
|
||||
# Subsequent runs: rsync + rebuild app + rolling restart.
|
||||
|
||||
@@ -43,7 +47,7 @@ rsync -az --delete \
|
||||
--exclude 'playwright-report' \
|
||||
"$REPO_ROOT/" "$DEPLOY_HOST:$DEPLOY_PATH/"
|
||||
|
||||
# ── 3. Bootstrap secrets on first run ──────────────────────────────────────
|
||||
# ── 3. Bootstrap secrets on first run; sanity-check placeholders every run ─
|
||||
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
|
||||
set -euo pipefail
|
||||
cd /opt/colectivo
|
||||
@@ -57,21 +61,28 @@ if [ ! -f .env ]; then
|
||||
PUBLIC_SUPABASE_ANON_KEY=$(echo "$JWT_OUT" | awk -F= '/^PUBLIC_SUPABASE_ANON_KEY=/{print substr($0, index($0,$2))}')
|
||||
SUPABASE_SERVICE_ROLE_KEY=$(echo "$JWT_OUT" | awk -F= '/^SUPABASE_SERVICE_ROLE_KEY=/{print substr($0, index($0,$2))}')
|
||||
|
||||
# Other passwords + keys
|
||||
# Postgres + Realtime secrets
|
||||
POSTGRES_PASSWORD=$(openssl rand -hex 24)
|
||||
KEYCLOAK_ADMIN_PASSWORD=$(openssl rand -hex 24)
|
||||
KEYCLOAK_CLIENT_SECRET=$(openssl rand -hex 24)
|
||||
REALTIME_ENC_KEY=$(openssl rand -hex 8) # 16 chars
|
||||
REALTIME_SECRET_KEY_BASE=$(openssl rand -hex 48) # 96 chars
|
||||
|
||||
cat > .env <<EOF
|
||||
# Generated on $(date -u +%Y-%m-%dT%H:%M:%SZ). Keep this file mode 600.
|
||||
PUBLIC_APP_URL=https://erosi.oier.ovh
|
||||
PUBLIC_SUPABASE_URL=https://erosi.oier.ovh
|
||||
PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh
|
||||
PUBLIC_APP_URL=https://erosi.limonia.net
|
||||
PUBLIC_SUPABASE_URL=https://erosi.limonia.net
|
||||
|
||||
# External Keycloak — FILL THESE IN before the stack will boot usefully.
|
||||
PUBLIC_KEYCLOAK_URL=FILL_IN_KEYCLOAK_URL
|
||||
PUBLIC_KEYCLOAK_REALM=colectivo
|
||||
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
|
||||
KEYCLOAK_HOSTNAME=auth.oier.ovh
|
||||
KEYCLOAK_CLIENT_SECRET=FILL_IN_CLIENT_SECRET
|
||||
|
||||
# Traefik (deployed by NetBird's self-hosted installer on ambrosio).
|
||||
# FILL_IN the network name the installer asked you for; defaults for
|
||||
# entrypoint + certresolver match NetBird's typical setup.
|
||||
TRAEFIK_NETWORK=FILL_IN_TRAEFIK_NETWORK
|
||||
TRAEFIK_ENTRYPOINT=websecure
|
||||
TRAEFIK_CERTRESOLVER=letsencrypt
|
||||
|
||||
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
|
||||
|
||||
@@ -79,21 +90,24 @@ SUPABASE_JWT_SECRET=$SUPABASE_JWT_SECRET
|
||||
PUBLIC_SUPABASE_ANON_KEY=$PUBLIC_SUPABASE_ANON_KEY
|
||||
SUPABASE_SERVICE_ROLE_KEY=$SUPABASE_SERVICE_ROLE_KEY
|
||||
|
||||
KEYCLOAK_ADMIN=admin
|
||||
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
|
||||
KEYCLOAK_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET
|
||||
|
||||
REALTIME_ENC_KEY=$REALTIME_ENC_KEY
|
||||
REALTIME_SECRET_KEY_BASE=$REALTIME_SECRET_KEY_BASE
|
||||
EOF
|
||||
chmod 600 .env
|
||||
echo "--- Wrote .env (mode 600). Keycloak admin password stored there."
|
||||
echo "--- Wrote .env (mode 600)."
|
||||
echo " Fill in: PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK"
|
||||
echo " then re-run this script."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Always substitute the client secret placeholder in the realm JSON.
|
||||
# Keycloak only imports the realm if it doesn't exist yet — on first boot only.
|
||||
source .env
|
||||
sed -i "s|__KEYCLOAK_CLIENT_SECRET__|$KEYCLOAK_CLIENT_SECRET|g" keycloak/realm-export.erosi.json
|
||||
# Every deploy: fail fast if the operator didn't finish the .env.
|
||||
if grep -q '^PUBLIC_KEYCLOAK_URL=FILL_IN_' .env \
|
||||
|| grep -q '^KEYCLOAK_CLIENT_SECRET=FILL_IN_' .env \
|
||||
|| grep -q '^TRAEFIK_NETWORK=FILL_IN_' .env; then
|
||||
echo "ERROR: /opt/colectivo/.env still contains FILL_IN_ placeholders." >&2
|
||||
echo " Fill in PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK and retry." >&2
|
||||
exit 1
|
||||
fi
|
||||
REMOTE
|
||||
|
||||
# ── 4. Build + bring up the stack ─────────────────────────────────────────
|
||||
@@ -146,39 +160,8 @@ for f in supabase/migrations/*.sql; do
|
||||
echo "FAIL"; exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
echo "--- Keycloak may need an extra minute to import the realm on first boot"
|
||||
REMOTE
|
||||
|
||||
# ── 5. Install Caddyfile snippet into host Caddy (idempotent) ─────────────
|
||||
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
|
||||
set -euo pipefail
|
||||
cd /opt/colectivo
|
||||
|
||||
MARKER_START="# BEGIN colectivo-erosi"
|
||||
MARKER_END="# END colectivo-erosi"
|
||||
|
||||
# Strip any previous version of our block from /etc/caddy/Caddyfile, then append fresh.
|
||||
sudo awk -v start="$MARKER_START" -v end="$MARKER_END" '
|
||||
$0 ~ start {skip=1}
|
||||
!skip {print}
|
||||
$0 ~ end {skip=0}
|
||||
' /etc/caddy/Caddyfile > /tmp/Caddyfile.new
|
||||
|
||||
{
|
||||
echo ""
|
||||
echo "$MARKER_START"
|
||||
cat infra/caddy/erosi.Caddyfile
|
||||
echo "$MARKER_END"
|
||||
} >> /tmp/Caddyfile.new
|
||||
|
||||
sudo mv /tmp/Caddyfile.new /etc/caddy/Caddyfile
|
||||
sudo caddy validate --config /etc/caddy/Caddyfile
|
||||
sudo systemctl reload caddy
|
||||
echo "--- Caddy reloaded"
|
||||
REMOTE
|
||||
|
||||
echo "==> Deploy complete."
|
||||
echo " App: https://erosi.oier.ovh"
|
||||
echo " Keycloak: https://auth.oier.ovh"
|
||||
echo " Admin pw: ssh $DEPLOY_HOST 'grep KEYCLOAK_ADMIN_PASSWORD $DEPLOY_PATH/.env'"
|
||||
echo " App: https://erosi.limonia.net"
|
||||
echo " Keycloak: external — see PUBLIC_KEYCLOAK_URL in $DEPLOY_PATH/.env"
|
||||
|
||||
Reference in New Issue
Block a user