feat(deploy): ambrosio production stack (erosi.oier.ovh)
Self-contained compose for a single-VPS deploy behind the host's Caddy. App + Supabase API share erosi.oier.ovh; Keycloak on auth.oier.ovh. - infra/docker-compose.erosi.yml — full stack bound to 127.0.0.1 only (db, auth, rest, realtime, storage, imgproxy, kong, meta, keycloak, app) - infra/caddy/erosi.Caddyfile — host-Caddy snippet with TLS + path routing (/auth /rest /storage /realtime /graphql → kong, rest → app) - infra/scripts/deploy-erosi.sh — rsync + first-run secret generation + build + migrations + Caddy snippet install - keycloak/realm-export.erosi.json — prod redirect URIs, registration on, client secret as __KEYCLOAK_CLIENT_SECRET__ placeholder (deploy sub'd) - .env.erosi.example — env template with placeholders Supporting fixes to make the deploy work on a clean Supabase-postgres volume: - infra/db-init/00-role-passwords.sh — rewrote as idempotent bootstrap: CREATE the Supabase service roles if missing, set passwords on pre-existing ones, enable pg_cron/pgcrypto/uuid-ossp, create auth/storage/graphql_public/ _realtime/realtime schemas, create empty supabase_realtime publication, set per-role search_path (auth→auth, storage→storage). Old version only ALTERed passwords and relied on the roles already existing — worked for a grandfathered dev volume, failed on a fresh prod init. - infra/db-init/00-role-passwords.sql — removed (folded into .sh). - apps/web/vite.config.ts — PWA strategy generateSW (was injectManifest). The plugin's injectManifest hardcodes the SW source filename to service-worker.js and ignores the filename: 'sw.ts' override, making the production build fail. generateSW's auto-generated precache-only SW is functionally equivalent to our 5-line src/sw.ts. Tested end-to-end on ambrosio: all 9 containers up, 11 migrations applied, https://erosi.oier.ovh returns 200, Keycloak OIDC discovery serves the correct issuer, /auth/v1/settings lists Keycloak as the sole external provider.
This commit is contained in:
234
infra/docker-compose.erosi.yml
Normal file
234
infra/docker-compose.erosi.yml
Normal file
@@ -0,0 +1,234 @@
|
||||
name: colectivo-erosi
|
||||
|
||||
# Production stack for ambrosio (OVH VPS).
|
||||
# Domains: erosi.oier.ovh (app + Supabase API) | auth.oier.ovh (Keycloak)
|
||||
#
|
||||
# TLS + reverse proxy is handled by the HOST Caddy (systemd service on ambrosio,
|
||||
# config at /etc/caddy/Caddyfile) — NOT by a container. All services here bind
|
||||
# to 127.0.0.1 so only Caddy can reach them.
|
||||
#
|
||||
# Bring up: docker compose -f infra/docker-compose.erosi.yml --env-file .env up -d --build
|
||||
# Logs: docker compose -f infra/docker-compose.erosi.yml logs -f
|
||||
# Tear down: docker compose -f infra/docker-compose.erosi.yml down
|
||||
|
||||
services:
|
||||
|
||||
# ── PostgreSQL 15 (Supabase image — internal roles preconfigured) ──────────
|
||||
db:
|
||||
image: supabase/postgres:15.1.1.78
|
||||
restart: always
|
||||
healthcheck:
|
||||
test: pg_isready -U postgres -h localhost
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 10
|
||||
environment:
|
||||
POSTGRES_HOST: /var/run/postgresql
|
||||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
|
||||
JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
JWT_EXP: 3600
|
||||
volumes:
|
||||
- db-data:/var/lib/postgresql/data
|
||||
- ./db-init:/docker-entrypoint-initdb.d:ro
|
||||
networks: [colectivo]
|
||||
|
||||
# ── GoTrue (Supabase Auth) ─────────────────────────────────────────────────
|
||||
auth:
|
||||
image: supabase/gotrue:v2.158.1
|
||||
restart: always
|
||||
depends_on:
|
||||
db: { condition: service_healthy }
|
||||
environment:
|
||||
GOTRUE_API_HOST: "0.0.0.0"
|
||||
GOTRUE_API_PORT: 9999
|
||||
API_EXTERNAL_URL: ${PUBLIC_APP_URL}
|
||||
GOTRUE_API_EXTERNAL_URL: ${PUBLIC_APP_URL}
|
||||
GOTRUE_DB_DRIVER: postgres
|
||||
GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD}@db:5432/postgres
|
||||
GOTRUE_SITE_URL: ${PUBLIC_APP_URL}
|
||||
GOTRUE_URI_ALLOW_LIST: "${PUBLIC_APP_URL}/auth/callback,${PUBLIC_APP_URL}/*"
|
||||
GOTRUE_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
GOTRUE_JWT_EXP: 3600
|
||||
GOTRUE_DISABLE_SIGNUP: "false"
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_ENABLED: "true"
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_SECRET: ${KEYCLOAK_CLIENT_SECRET}
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_SCOPES: "openid profile email"
|
||||
# Public Keycloak base URL (browser sees this). The `/realms/colectivo`
|
||||
# suffix is appended by GoTrue.
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}
|
||||
GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI: ${PUBLIC_SUPABASE_URL}/auth/v1/callback
|
||||
GOTRUE_MAILER_AUTOCONFIRM: "true"
|
||||
networks: [colectivo]
|
||||
|
||||
# ── PostgREST ──────────────────────────────────────────────────────────────
|
||||
rest:
|
||||
image: postgrest/postgrest:v12.2.0
|
||||
restart: always
|
||||
depends_on:
|
||||
db: { condition: service_healthy }
|
||||
environment:
|
||||
PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@db:5432/postgres
|
||||
PGRST_DB_SCHEMAS: public,storage,graphql_public
|
||||
PGRST_DB_ANON_ROLE: anon
|
||||
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
PGRST_DB_USE_LEGACY_GUCS: "false"
|
||||
PGRST_APP_SETTINGS_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
PGRST_APP_SETTINGS_JWT_EXP: 3600
|
||||
networks: [colectivo]
|
||||
|
||||
# ── Realtime (pinned to v2.76.5 — see CLAUDE.md note on handle_out/3) ──────
|
||||
realtime:
|
||||
image: supabase/realtime:v2.76.5
|
||||
restart: always
|
||||
depends_on:
|
||||
db: { condition: service_healthy }
|
||||
environment:
|
||||
PORT: 4000
|
||||
DB_HOST: db
|
||||
DB_PORT: 5432
|
||||
DB_USER: supabase_admin
|
||||
DB_PASSWORD: ${POSTGRES_PASSWORD}
|
||||
DB_NAME: postgres
|
||||
DB_AFTER_CONNECT_QUERY: SET search_path TO _realtime
|
||||
DB_ENC_KEY: ${REALTIME_ENC_KEY}
|
||||
API_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
SELF_HOST_TENANT_NAME: realtime
|
||||
SEED_SELF_HOST: "true"
|
||||
RUN_JANITOR: "true"
|
||||
APP_NAME: realtime
|
||||
SECRET_KEY_BASE: ${REALTIME_SECRET_KEY_BASE}
|
||||
ERL_AFLAGS: -proto_dist inet_tcp
|
||||
DNS_NODES: "''"
|
||||
RLIMIT_NOFILE: "10000"
|
||||
METRICS_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
networks: [colectivo]
|
||||
|
||||
# ── Storage ────────────────────────────────────────────────────────────────
|
||||
storage:
|
||||
image: supabase/storage-api:v1.11.13
|
||||
restart: always
|
||||
depends_on:
|
||||
db: { condition: service_healthy }
|
||||
rest: { condition: service_started }
|
||||
environment:
|
||||
ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||
SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
|
||||
POSTGREST_URL: http://rest:3000
|
||||
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD}@db:5432/postgres
|
||||
FILE_SIZE_LIMIT: 52428800
|
||||
STORAGE_BACKEND: file
|
||||
FILE_STORAGE_BACKEND_PATH: /var/lib/storage
|
||||
TENANT_ID: colectivo-erosi
|
||||
REGION: local
|
||||
GLOBAL_S3_BUCKET: stub
|
||||
ENABLE_IMAGE_TRANSFORMATION: "true"
|
||||
IMGPROXY_URL: http://imgproxy:5001
|
||||
volumes:
|
||||
- storage-data:/var/lib/storage
|
||||
networks: [colectivo]
|
||||
|
||||
# ── ImgProxy ───────────────────────────────────────────────────────────────
|
||||
imgproxy:
|
||||
image: darthsim/imgproxy:v3.8.0
|
||||
restart: always
|
||||
environment:
|
||||
IMGPROXY_BIND: ":5001"
|
||||
IMGPROXY_LOCAL_FILESYSTEM_ROOT: /
|
||||
IMGPROXY_USE_ETAG: "true"
|
||||
IMGPROXY_ENABLE_WEBP_DETECTION: "true"
|
||||
volumes:
|
||||
- storage-data:/var/lib/storage:ro
|
||||
networks: [colectivo]
|
||||
|
||||
# ── Kong (API Gateway) — bound to localhost only; host Caddy proxies it ────
|
||||
kong:
|
||||
image: kong:2.8.1
|
||||
restart: always
|
||||
entrypoint: ["/bin/bash", "/home/kong/kong-start.sh"]
|
||||
ports:
|
||||
- "127.0.0.1:8000:8000"
|
||||
depends_on:
|
||||
db: { condition: service_healthy }
|
||||
environment:
|
||||
KONG_DATABASE: "off"
|
||||
KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml
|
||||
KONG_DNS_ORDER: LAST,A,CNAME
|
||||
KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth,rate-limiting
|
||||
KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
|
||||
KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
|
||||
SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||
SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
|
||||
volumes:
|
||||
- ./kong.yml:/home/kong/temp.yml:ro
|
||||
- ./kong-start.sh:/home/kong/kong-start.sh:ro
|
||||
networks: [colectivo]
|
||||
|
||||
# ── Keycloak 24 ────────────────────────────────────────────────────────────
|
||||
# Bound to localhost only; host Caddy proxies auth.oier.ovh → 127.0.0.1:8090.
|
||||
# KC_PROXY=edge expects X-Forwarded-* from Caddy.
|
||||
keycloak:
|
||||
image: quay.io/keycloak/keycloak:24.0.5
|
||||
restart: always
|
||||
ports:
|
||||
- "127.0.0.1:8090:8080"
|
||||
# Plain `start` (no --optimized) so Quarkus re-builds with the Postgres
|
||||
# driver on first boot. --optimized skips the build phase and falls back
|
||||
# to H2, producing "URL format error ... jdbc:h2" on startup.
|
||||
command: start --import-realm
|
||||
depends_on:
|
||||
db: { condition: service_healthy }
|
||||
environment:
|
||||
KC_DB: postgres
|
||||
KC_DB_URL: jdbc:postgresql://db:5432/keycloak
|
||||
KC_DB_USERNAME: keycloak
|
||||
KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
|
||||
KC_HOSTNAME: ${KEYCLOAK_HOSTNAME}
|
||||
KC_HOSTNAME_STRICT: "true"
|
||||
KC_HOSTNAME_STRICT_HTTPS: "true"
|
||||
KC_PROXY: edge
|
||||
KC_HTTP_ENABLED: "true"
|
||||
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
|
||||
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
|
||||
KC_FEATURES: token-exchange
|
||||
volumes:
|
||||
- keycloak-data:/opt/keycloak/data
|
||||
- ../keycloak/realm-export.erosi.json:/opt/keycloak/data/import/realm-export.json:ro
|
||||
networks: [colectivo]
|
||||
|
||||
# ── App (SvelteKit Node server) — built on the host from the repo ──────────
|
||||
# Build args bake the PUBLIC_* values into the client bundle (SvelteKit reqs).
|
||||
app:
|
||||
image: colectivo-web:erosi
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: apps/web/Dockerfile
|
||||
args:
|
||||
PUBLIC_SUPABASE_URL: ${PUBLIC_SUPABASE_URL}
|
||||
PUBLIC_SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||
PUBLIC_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL}
|
||||
PUBLIC_KEYCLOAK_REALM: ${PUBLIC_KEYCLOAK_REALM}
|
||||
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
|
||||
PUBLIC_APP_URL: ${PUBLIC_APP_URL}
|
||||
restart: always
|
||||
ports:
|
||||
- "127.0.0.1:3000:3000"
|
||||
environment:
|
||||
PUBLIC_SUPABASE_URL: ${PUBLIC_SUPABASE_URL}
|
||||
PUBLIC_SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||
PUBLIC_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL}
|
||||
PUBLIC_KEYCLOAK_REALM: ${PUBLIC_KEYCLOAK_REALM}
|
||||
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
|
||||
PUBLIC_APP_URL: ${PUBLIC_APP_URL}
|
||||
NODE_ENV: production
|
||||
networks: [colectivo]
|
||||
|
||||
networks:
|
||||
colectivo:
|
||||
driver: bridge
|
||||
|
||||
volumes:
|
||||
db-data:
|
||||
storage-data:
|
||||
keycloak-data:
|
||||
Reference in New Issue
Block a user