deploy(prod): swap host Caddy for NetBird-Traefik labels + external Keycloak

Ambrosio's TLS is now handled by the Traefik that NetBird's self-hosted
installer deploys. kong + app attach to that Traefik network and expose
themselves via Docker-provider labels (erosi-kong priority 100 for
Supabase API paths, erosi-app priority 1 for everything else on
erosi.limonia.net). No container publishes host ports; host Caddy is
out of the deploy path permanently.

Keycloak is no longer bundled — PUBLIC_KEYCLOAK_URL points at an
external IdP. The deploy script writes .env with FILL_IN_* placeholders
for PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, and TRAEFIK_NETWORK,
and fails fast until they are filled.

New domain: erosi.limonia.net. realm-export.erosi.json is retained
as reference for the external Keycloak operator; it is no longer
imported by this stack.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-23 23:49:10 +02:00
parent 0e4ada0083
commit 33b32cae4a
7 changed files with 117 additions and 183 deletions

View File

@@ -7,11 +7,15 @@
#
# First run:
# 1. rsyncs repo → ambrosio:/opt/colectivo/
# 2. if .env doesn't exist on server, generates secrets and writes it
# 3. patches realm-export.erosi.json with the generated Keycloak client secret
# 4. docker compose build + up -d
# 5. applies DB migrations
# 6. installs the Caddyfile snippet into host Caddy and reloads
# 2. if .env doesn't exist on server, generates secrets and writes it with
# placeholder values the operator must fill in (external Keycloak URL,
# Keycloak client secret, Traefik network name)
# 3. docker compose build + up -d
# 4. applies DB migrations
#
# TLS + routing is handled by Traefik (deployed by NetBird's self-hosted
# installer on ambrosio). This script never touches /etc/caddy/* or any host
# reverse-proxy config — it only manages the Docker stack.
#
# Subsequent runs: rsync + rebuild app + rolling restart.
@@ -43,7 +47,7 @@ rsync -az --delete \
--exclude 'playwright-report' \
"$REPO_ROOT/" "$DEPLOY_HOST:$DEPLOY_PATH/"
# ── 3. Bootstrap secrets on first run ─────────────────────────────────────
# ── 3. Bootstrap secrets on first run; sanity-check placeholders every run
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
set -euo pipefail
cd /opt/colectivo
@@ -57,21 +61,28 @@ if [ ! -f .env ]; then
PUBLIC_SUPABASE_ANON_KEY=$(echo "$JWT_OUT" | awk -F= '/^PUBLIC_SUPABASE_ANON_KEY=/{print substr($0, index($0,$2))}')
SUPABASE_SERVICE_ROLE_KEY=$(echo "$JWT_OUT" | awk -F= '/^SUPABASE_SERVICE_ROLE_KEY=/{print substr($0, index($0,$2))}')
# Other passwords + keys
# Postgres + Realtime secrets
POSTGRES_PASSWORD=$(openssl rand -hex 24)
KEYCLOAK_ADMIN_PASSWORD=$(openssl rand -hex 24)
KEYCLOAK_CLIENT_SECRET=$(openssl rand -hex 24)
REALTIME_ENC_KEY=$(openssl rand -hex 8) # 16 chars
REALTIME_SECRET_KEY_BASE=$(openssl rand -hex 48) # 96 chars
cat > .env <<EOF
# Generated on $(date -u +%Y-%m-%dT%H:%M:%SZ). Keep this file mode 600.
PUBLIC_APP_URL=https://erosi.oier.ovh
PUBLIC_SUPABASE_URL=https://erosi.oier.ovh
PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh
PUBLIC_APP_URL=https://erosi.limonia.net
PUBLIC_SUPABASE_URL=https://erosi.limonia.net
# External Keycloak — FILL THESE IN before the stack will boot usefully.
PUBLIC_KEYCLOAK_URL=FILL_IN_KEYCLOAK_URL
PUBLIC_KEYCLOAK_REALM=colectivo
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
KEYCLOAK_HOSTNAME=auth.oier.ovh
KEYCLOAK_CLIENT_SECRET=FILL_IN_CLIENT_SECRET
# Traefik (deployed by NetBird's self-hosted installer on ambrosio).
# FILL_IN the network name the installer asked you for; defaults for
# entrypoint + certresolver match NetBird's typical setup.
TRAEFIK_NETWORK=FILL_IN_TRAEFIK_NETWORK
TRAEFIK_ENTRYPOINT=websecure
TRAEFIK_CERTRESOLVER=letsencrypt
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
@@ -79,21 +90,24 @@ SUPABASE_JWT_SECRET=$SUPABASE_JWT_SECRET
PUBLIC_SUPABASE_ANON_KEY=$PUBLIC_SUPABASE_ANON_KEY
SUPABASE_SERVICE_ROLE_KEY=$SUPABASE_SERVICE_ROLE_KEY
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
KEYCLOAK_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET
REALTIME_ENC_KEY=$REALTIME_ENC_KEY
REALTIME_SECRET_KEY_BASE=$REALTIME_SECRET_KEY_BASE
EOF
chmod 600 .env
echo "--- Wrote .env (mode 600). Keycloak admin password stored there."
echo "--- Wrote .env (mode 600)."
echo " Fill in: PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK"
echo " then re-run this script."
exit 0
fi
# Always substitute the client secret placeholder in the realm JSON.
# Keycloak only imports the realm if it doesn't exist yet — on first boot only.
source .env
sed -i "s|__KEYCLOAK_CLIENT_SECRET__|$KEYCLOAK_CLIENT_SECRET|g" keycloak/realm-export.erosi.json
# Every deploy: fail fast if the operator didn't finish the .env.
if grep -q '^PUBLIC_KEYCLOAK_URL=FILL_IN_' .env \
|| grep -q '^KEYCLOAK_CLIENT_SECRET=FILL_IN_' .env \
|| grep -q '^TRAEFIK_NETWORK=FILL_IN_' .env; then
echo "ERROR: /opt/colectivo/.env still contains FILL_IN_ placeholders." >&2
echo " Fill in PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK and retry." >&2
exit 1
fi
REMOTE
# ── 4. Build + bring up the stack ─────────────────────────────────────────
@@ -146,39 +160,8 @@ for f in supabase/migrations/*.sql; do
echo "FAIL"; exit 1
fi
done
echo "--- Keycloak may need an extra minute to import the realm on first boot"
REMOTE
# ── 5. Install Caddyfile snippet into host Caddy (idempotent) ─────────────
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
set -euo pipefail
cd /opt/colectivo
MARKER_START="# BEGIN colectivo-erosi"
MARKER_END="# END colectivo-erosi"
# Strip any previous version of our block from /etc/caddy/Caddyfile, then append fresh.
sudo awk -v start="$MARKER_START" -v end="$MARKER_END" '
$0 ~ start {skip=1}
!skip {print}
$0 ~ end {skip=0}
' /etc/caddy/Caddyfile > /tmp/Caddyfile.new
{
echo ""
echo "$MARKER_START"
cat infra/caddy/erosi.Caddyfile
echo "$MARKER_END"
} >> /tmp/Caddyfile.new
sudo mv /tmp/Caddyfile.new /etc/caddy/Caddyfile
sudo caddy validate --config /etc/caddy/Caddyfile
sudo systemctl reload caddy
echo "--- Caddy reloaded"
REMOTE
echo "==> Deploy complete."
echo " App: https://erosi.oier.ovh"
echo " Keycloak: https://auth.oier.ovh"
echo " Admin pw: ssh $DEPLOY_HOST 'grep KEYCLOAK_ADMIN_PASSWORD $DEPLOY_PATH/.env'"
echo " App: https://erosi.limonia.net"
echo " Keycloak: external — see PUBLIC_KEYCLOAK_URL in $DEPLOY_PATH/.env"