feat(deploy): ambrosio production stack (erosi.oier.ovh)

Self-contained compose for a single-VPS deploy behind the host's Caddy.
App + Supabase API share erosi.oier.ovh; Keycloak on auth.oier.ovh.

- infra/docker-compose.erosi.yml — full stack bound to 127.0.0.1 only
  (db, auth, rest, realtime, storage, imgproxy, kong, meta, keycloak, app)
- infra/caddy/erosi.Caddyfile — host-Caddy snippet with TLS + path routing
  (/auth /rest /storage /realtime /graphql → kong, rest → app)
- infra/scripts/deploy-erosi.sh — rsync + first-run secret generation +
  build + migrations + Caddy snippet install
- keycloak/realm-export.erosi.json — prod redirect URIs, registration on,
  client secret as __KEYCLOAK_CLIENT_SECRET__ placeholder (deploy sub'd)
- .env.erosi.example — env template with placeholders

Supporting fixes to make the deploy work on a clean Supabase-postgres volume:

- infra/db-init/00-role-passwords.sh — rewrote as idempotent bootstrap:
  CREATE the Supabase service roles if missing, set passwords on pre-existing
  ones, enable pg_cron/pgcrypto/uuid-ossp, create auth/storage/graphql_public/
  _realtime/realtime schemas, create empty supabase_realtime publication,
  set per-role search_path (auth→auth, storage→storage). Old version only
  ALTERed passwords and relied on the roles already existing — worked for a
  grandfathered dev volume, failed on a fresh prod init.

- infra/db-init/00-role-passwords.sql — removed (folded into .sh).

- apps/web/vite.config.ts — PWA strategy generateSW (was injectManifest).
  The plugin's injectManifest hardcodes the SW source filename to
  service-worker.js and ignores the filename: 'sw.ts' override, making the
  production build fail. generateSW's auto-generated precache-only SW is
  functionally equivalent to our 5-line src/sw.ts.

Tested end-to-end on ambrosio: all 9 containers up, 11 migrations applied,
https://erosi.oier.ovh returns 200, Keycloak OIDC discovery serves the
correct issuer, /auth/v1/settings lists Keycloak as the sole external
provider.
This commit is contained in:
2026-04-14 19:41:33 +02:00
parent 2db5aaac14
commit 74e919aa71
8 changed files with 2494 additions and 38 deletions

175
infra/scripts/deploy-erosi.sh Executable file
View File

@@ -0,0 +1,175 @@
#!/usr/bin/env bash
# Deploy the full stack to ambrosio.
#
# Usage: infra/scripts/deploy-erosi.sh
# Env: DEPLOY_HOST=ambrosio (override if needed)
# DEPLOY_PATH=/opt/colectivo
#
# First run:
# 1. rsyncs repo → ambrosio:/opt/colectivo/
# 2. if .env doesn't exist on server, generates secrets and writes it
# 3. patches realm-export.erosi.json with the generated Keycloak client secret
# 4. docker compose build + up -d
# 5. applies DB migrations
# 6. installs the Caddyfile snippet into host Caddy and reloads
#
# Subsequent runs: rsync + rebuild app + rolling restart.
set -euo pipefail
DEPLOY_HOST="${DEPLOY_HOST:-ambrosio}"
DEPLOY_PATH="${DEPLOY_PATH:-/opt/colectivo}"
REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
echo "==> Deploying to $DEPLOY_HOST:$DEPLOY_PATH"
# ── 1. Ensure target dir exists ────────────────────────────────────────────
ssh "$DEPLOY_HOST" "sudo mkdir -p $DEPLOY_PATH && sudo chown \$(id -u):\$(id -g) $DEPLOY_PATH"
# ── 2. rsync repo (excluding node_modules / build artefacts / local env) ──
rsync -az --delete \
--exclude '.git' \
--exclude 'node_modules' \
--exclude '.svelte-kit' \
--exclude 'apps/web/build' \
--exclude 'apps/web/.vite' \
--exclude '**/*.log' \
--exclude '**/.env' \
--exclude '**/.env.development' \
--exclude '**/.env.local' \
--exclude 'lighthouse-report.html' \
--exclude 'coverage' \
--exclude 'test-results' \
--exclude 'playwright-report' \
"$REPO_ROOT/" "$DEPLOY_HOST:$DEPLOY_PATH/"
# ── 3. Bootstrap secrets on first run ──────────────────────────────────────
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
set -euo pipefail
cd /opt/colectivo
if [ ! -f .env ]; then
echo "--- First deploy: generating secrets"
# JWT triplet (anon + service_role)
JWT_OUT=$(bash infra/scripts/rotate-jwt.sh)
SUPABASE_JWT_SECRET=$(echo "$JWT_OUT" | awk -F= '/^SUPABASE_JWT_SECRET=/{print substr($0, index($0,$2))}')
PUBLIC_SUPABASE_ANON_KEY=$(echo "$JWT_OUT" | awk -F= '/^PUBLIC_SUPABASE_ANON_KEY=/{print substr($0, index($0,$2))}')
SUPABASE_SERVICE_ROLE_KEY=$(echo "$JWT_OUT" | awk -F= '/^SUPABASE_SERVICE_ROLE_KEY=/{print substr($0, index($0,$2))}')
# Other passwords + keys
POSTGRES_PASSWORD=$(openssl rand -hex 24)
KEYCLOAK_ADMIN_PASSWORD=$(openssl rand -hex 24)
KEYCLOAK_CLIENT_SECRET=$(openssl rand -hex 24)
REALTIME_ENC_KEY=$(openssl rand -hex 8) # 16 chars
REALTIME_SECRET_KEY_BASE=$(openssl rand -hex 48) # 96 chars
cat > .env <<EOF
# Generated on $(date -u +%Y-%m-%dT%H:%M:%SZ). Keep this file mode 600.
PUBLIC_APP_URL=https://erosi.oier.ovh
PUBLIC_SUPABASE_URL=https://erosi.oier.ovh
PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh
PUBLIC_KEYCLOAK_REALM=colectivo
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
KEYCLOAK_HOSTNAME=auth.oier.ovh
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
SUPABASE_JWT_SECRET=$SUPABASE_JWT_SECRET
PUBLIC_SUPABASE_ANON_KEY=$PUBLIC_SUPABASE_ANON_KEY
SUPABASE_SERVICE_ROLE_KEY=$SUPABASE_SERVICE_ROLE_KEY
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
KEYCLOAK_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET
REALTIME_ENC_KEY=$REALTIME_ENC_KEY
REALTIME_SECRET_KEY_BASE=$REALTIME_SECRET_KEY_BASE
EOF
chmod 600 .env
echo "--- Wrote .env (mode 600). Keycloak admin password stored there."
fi
# Always substitute the client secret placeholder in the realm JSON.
# Keycloak only imports the realm if it doesn't exist yet — on first boot only.
source .env
sed -i "s|__KEYCLOAK_CLIENT_SECRET__|$KEYCLOAK_CLIENT_SECRET|g" keycloak/realm-export.erosi.json
REMOTE
# ── 4. Build + bring up the stack ─────────────────────────────────────────
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
set -euo pipefail
cd /opt/colectivo
echo "--- Building app image"
docker compose --env-file .env -f infra/docker-compose.erosi.yml build app
echo "--- Bringing stack up (detached)"
docker compose --env-file .env -f infra/docker-compose.erosi.yml up -d
echo "--- Waiting for db to be healthy"
for i in $(seq 1 60); do
if docker compose --env-file .env -f infra/docker-compose.erosi.yml ps db --format json | grep -q '"Health":"healthy"'; then
echo "db healthy"; break
fi
sleep 2
done
echo "--- Applying migrations"
docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
psql -U postgres -d postgres -c "CREATE TABLE IF NOT EXISTS public._applied_migrations (filename TEXT PRIMARY KEY, applied_at TIMESTAMPTZ DEFAULT now());"
for f in supabase/migrations/*.sql; do
fn=$(basename "$f")
already=$(docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
psql -U postgres -d postgres -tAq -c "SELECT count(*) FROM public._applied_migrations WHERE filename='$fn'")
if [ "${already:-0}" -gt 0 ]; then
echo " skip $fn (applied)"
continue
fi
printf " apply %s ... " "$fn"
if docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
psql -U postgres -d postgres -v ON_ERROR_STOP=1 -q < "$f"; then
docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
psql -U postgres -d postgres -c "INSERT INTO public._applied_migrations (filename) VALUES ('$fn') ON CONFLICT DO NOTHING;"
echo "ok"
else
echo "FAIL"; exit 1
fi
done
echo "--- Keycloak may need an extra minute to import the realm on first boot"
REMOTE
# ── 5. Install Caddyfile snippet into host Caddy (idempotent) ─────────────
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
set -euo pipefail
cd /opt/colectivo
MARKER_START="# BEGIN colectivo-erosi"
MARKER_END="# END colectivo-erosi"
# Strip any previous version of our block from /etc/caddy/Caddyfile, then append fresh.
sudo awk -v start="$MARKER_START" -v end="$MARKER_END" '
$0 ~ start {skip=1}
!skip {print}
$0 ~ end {skip=0}
' /etc/caddy/Caddyfile > /tmp/Caddyfile.new
{
echo ""
echo "$MARKER_START"
cat infra/caddy/erosi.Caddyfile
echo "$MARKER_END"
} >> /tmp/Caddyfile.new
sudo mv /tmp/Caddyfile.new /etc/caddy/Caddyfile
sudo caddy validate --config /etc/caddy/Caddyfile
sudo systemctl reload caddy
echo "--- Caddy reloaded"
REMOTE
echo "==> Deploy complete."
echo " App: https://erosi.oier.ovh"
echo " Keycloak: https://auth.oier.ovh"
echo " Admin pw: ssh $DEPLOY_HOST 'grep KEYCLOAK_ADMIN_PASSWORD $DEPLOY_PATH/.env'"