feat(deploy): ambrosio production stack (erosi.oier.ovh)
Self-contained compose for a single-VPS deploy behind the host's Caddy. App + Supabase API share erosi.oier.ovh; Keycloak on auth.oier.ovh. - infra/docker-compose.erosi.yml — full stack bound to 127.0.0.1 only (db, auth, rest, realtime, storage, imgproxy, kong, meta, keycloak, app) - infra/caddy/erosi.Caddyfile — host-Caddy snippet with TLS + path routing (/auth /rest /storage /realtime /graphql → kong, rest → app) - infra/scripts/deploy-erosi.sh — rsync + first-run secret generation + build + migrations + Caddy snippet install - keycloak/realm-export.erosi.json — prod redirect URIs, registration on, client secret as __KEYCLOAK_CLIENT_SECRET__ placeholder (deploy sub'd) - .env.erosi.example — env template with placeholders Supporting fixes to make the deploy work on a clean Supabase-postgres volume: - infra/db-init/00-role-passwords.sh — rewrote as idempotent bootstrap: CREATE the Supabase service roles if missing, set passwords on pre-existing ones, enable pg_cron/pgcrypto/uuid-ossp, create auth/storage/graphql_public/ _realtime/realtime schemas, create empty supabase_realtime publication, set per-role search_path (auth→auth, storage→storage). Old version only ALTERed passwords and relied on the roles already existing — worked for a grandfathered dev volume, failed on a fresh prod init. - infra/db-init/00-role-passwords.sql — removed (folded into .sh). - apps/web/vite.config.ts — PWA strategy generateSW (was injectManifest). The plugin's injectManifest hardcodes the SW source filename to service-worker.js and ignores the filename: 'sw.ts' override, making the production build fail. generateSW's auto-generated precache-only SW is functionally equivalent to our 5-line src/sw.ts. Tested end-to-end on ambrosio: all 9 containers up, 11 migrations applied, https://erosi.oier.ovh returns 200, Keycloak OIDC discovery serves the correct issuer, /auth/v1/settings lists Keycloak as the sole external provider.
This commit is contained in:
32
.env.erosi.example
Normal file
32
.env.erosi.example
Normal file
@@ -0,0 +1,32 @@
|
|||||||
|
# Production env for ambrosio — copy to .env on the server and fill in secrets.
|
||||||
|
# Generate JWT triplet: bash infra/scripts/rotate-jwt.sh
|
||||||
|
|
||||||
|
# ── Domains (change if you migrate to new hostnames) ────────────────────────
|
||||||
|
PUBLIC_APP_URL=https://erosi.oier.ovh
|
||||||
|
PUBLIC_SUPABASE_URL=https://erosi.oier.ovh
|
||||||
|
PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh
|
||||||
|
PUBLIC_KEYCLOAK_REALM=colectivo
|
||||||
|
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
|
||||||
|
|
||||||
|
# Keycloak sees this as its canonical hostname (KC_HOSTNAME).
|
||||||
|
KEYCLOAK_HOSTNAME=auth.oier.ovh
|
||||||
|
|
||||||
|
# ── Postgres (single password for all internal roles) ───────────────────────
|
||||||
|
POSTGRES_PASSWORD=CHANGEME-strong-random-password
|
||||||
|
|
||||||
|
# ── Supabase JWT triplet (regenerate every 90 days) ─────────────────────────
|
||||||
|
# Produce all three with: bash infra/scripts/rotate-jwt.sh
|
||||||
|
SUPABASE_JWT_SECRET=CHANGEME-openssl-rand-base64-48
|
||||||
|
PUBLIC_SUPABASE_ANON_KEY=CHANGEME-sign-with-above
|
||||||
|
SUPABASE_SERVICE_ROLE_KEY=CHANGEME-sign-with-above
|
||||||
|
|
||||||
|
# ── Keycloak admin + client secret ──────────────────────────────────────────
|
||||||
|
KEYCLOAK_ADMIN=admin
|
||||||
|
KEYCLOAK_ADMIN_PASSWORD=CHANGEME-strong-random-password
|
||||||
|
# Must match the `secret` field of the colectivo-web client in realm-export.erosi.json.
|
||||||
|
KEYCLOAK_CLIENT_SECRET=CHANGEME-client-secret-32-chars
|
||||||
|
|
||||||
|
# ── Realtime encryption ─────────────────────────────────────────────────────
|
||||||
|
# DB_ENC_KEY: exactly 16 characters. SECRET_KEY_BASE: ≥ 64 characters.
|
||||||
|
REALTIME_ENC_KEY=CHANGEME16charkey
|
||||||
|
REALTIME_SECRET_KEY_BASE=CHANGEME-openssl-rand-base64-64-at-minimum-so-phoenix-is-happy
|
||||||
@@ -11,14 +11,14 @@ export default defineConfig({
|
|||||||
}),
|
}),
|
||||||
sveltekit(),
|
sveltekit(),
|
||||||
SvelteKitPWA({
|
SvelteKitPWA({
|
||||||
// Fase 6.1: custom SW at src/sw.ts (NOT src/service-worker.ts — SvelteKit
|
// `generateSW` strategy: the plugin auto-generates a Workbox SW that
|
||||||
// intercepts that filename and blocks Workbox imports; see gotcha #10
|
// precaches the built shell. Equivalent behavior to our previous
|
||||||
// in CLAUDE.md). Minimal strategy: precache the built shell, no runtime
|
// `src/sw.ts` (a 5-line precacheAndRoute wrapper) without the
|
||||||
// caching of Supabase. The $lib/sync pending_ops queue already handles
|
// injectManifest path, which in @vite-pwa/sveltekit 0.6.8 hardcodes
|
||||||
// offline writes; SyncBanner surfaces offline state to the user.
|
// the SW source filename to `service-worker.js` and breaks on any
|
||||||
strategies: 'injectManifest',
|
// custom filename. The $lib/sync pending_ops queue handles offline
|
||||||
srcDir: 'src',
|
// writes; SyncBanner surfaces offline state to the user.
|
||||||
filename: 'sw.ts',
|
strategies: 'generateSW',
|
||||||
scope: '/',
|
scope: '/',
|
||||||
base: '/',
|
base: '/',
|
||||||
manifest: {
|
manifest: {
|
||||||
@@ -37,8 +37,10 @@ export default defineConfig({
|
|||||||
{ src: '/icons/icon-512-maskable.png', sizes: '512x512', type: 'image/png', purpose: 'maskable' }
|
{ src: '/icons/icon-512-maskable.png', sizes: '512x512', type: 'image/png', purpose: 'maskable' }
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
injectManifest: {
|
workbox: {
|
||||||
globPatterns: ['client/**/*.{js,css,ico,png,svg,webp,woff,woff2}']
|
globPatterns: ['client/**/*.{js,css,ico,png,svg,webp,woff,woff2}'],
|
||||||
|
// Supabase paths: never cache — always hit the network.
|
||||||
|
navigateFallbackDenylist: [/^\/auth\//, /^\/rest\//, /^\/realtime\//, /^\/storage\//]
|
||||||
},
|
},
|
||||||
devOptions: {
|
devOptions: {
|
||||||
enabled: true,
|
enabled: true,
|
||||||
|
|||||||
46
infra/caddy/erosi.Caddyfile
Normal file
46
infra/caddy/erosi.Caddyfile
Normal file
@@ -0,0 +1,46 @@
|
|||||||
|
# Caddyfile snippet for ambrosio host Caddy.
|
||||||
|
# Install path: /etc/caddy/Caddyfile (append these blocks).
|
||||||
|
# Reload: sudo systemctl reload caddy
|
||||||
|
#
|
||||||
|
# Docker services bind to 127.0.0.1 only; this file is the public entrypoint.
|
||||||
|
# TLS certificates are issued automatically by Caddy via Let's Encrypt.
|
||||||
|
|
||||||
|
# ── App + Supabase (single domain) ──────────────────────────────────────────
|
||||||
|
erosi.oier.ovh {
|
||||||
|
encode zstd gzip
|
||||||
|
|
||||||
|
# Supabase API paths → Kong gateway.
|
||||||
|
# Realtime MUST come before /auth, /rest, /storage to match its WS upgrade path first.
|
||||||
|
@supabase path /auth/v1/* /rest/v1/* /storage/v1/* /realtime/v1/* /graphql/v1/* /pg/*
|
||||||
|
handle @supabase {
|
||||||
|
# Realtime WebSockets require a long read timeout; PostgREST benefits from
|
||||||
|
# flush_interval for streaming responses. Caddy handles WS upgrades natively.
|
||||||
|
reverse_proxy 127.0.0.1:8000 {
|
||||||
|
transport http {
|
||||||
|
read_timeout 3600s
|
||||||
|
}
|
||||||
|
header_up X-Real-IP {remote_host}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Everything else → SvelteKit Node server.
|
||||||
|
handle {
|
||||||
|
reverse_proxy 127.0.0.1:3000 {
|
||||||
|
header_up X-Real-IP {remote_host}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── Keycloak ────────────────────────────────────────────────────────────────
|
||||||
|
auth.oier.ovh {
|
||||||
|
encode zstd gzip
|
||||||
|
|
||||||
|
# Keycloak 24 with KC_PROXY=edge uses the X-Forwarded-* headers that Caddy
|
||||||
|
# already sets automatically on every reverse_proxy (Proto, For, Host).
|
||||||
|
# Only X-Forwarded-Port is not default, so we add it explicitly — without
|
||||||
|
# it Keycloak builds redirect URIs with the internal port (8080).
|
||||||
|
reverse_proxy 127.0.0.1:8090 {
|
||||||
|
header_up X-Real-IP {remote_host}
|
||||||
|
header_up X-Forwarded-Port {server_port}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -1,32 +1,159 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# Runs once on first container start (docker-entrypoint-initdb.d).
|
# Runs once on first container start (docker-entrypoint-initdb.d).
|
||||||
# Sets Supabase internal role passwords to POSTGRES_PASSWORD and creates
|
# Two cases:
|
||||||
# required schemas with correct grants.
|
# 1. Fresh volume (e.g. prod on ambrosio): the supabase/postgres image's
|
||||||
|
# initdb only creates the `postgres` role. Create all Supabase internal
|
||||||
|
# roles here, then set their passwords.
|
||||||
|
# 2. Pre-existing volume carried over from an older build that already has
|
||||||
|
# the roles (e.g. long-lived dev): only ALTER their passwords.
|
||||||
|
#
|
||||||
|
# Idempotent: safe on both paths.
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
PASS="${POSTGRES_PASSWORD:-postgres}"
|
PASS="${POSTGRES_PASSWORD:-postgres}"
|
||||||
|
|
||||||
psql -v ON_ERROR_STOP=1 --username supabase_admin --dbname postgres <<-EOSQL
|
# Connect as `postgres` (always exists post-initdb) on the Unix socket (trusted).
|
||||||
-- Set passwords for all Supabase internal roles.
|
psql -v ON_ERROR_STOP=1 --username postgres --dbname postgres <<-EOSQL
|
||||||
-- The supabase/postgres image creates them with hardcoded defaults;
|
-- ── Role bootstrap (idempotent) ───────────────────────────────────────
|
||||||
-- this overrides them so services connect with POSTGRES_PASSWORD.
|
-- Template for most service roles: NOLOGIN OR LOGIN depending on use.
|
||||||
ALTER ROLE authenticator WITH PASSWORD '${PASS}';
|
|
||||||
ALTER ROLE supabase_auth_admin WITH PASSWORD '${PASS}';
|
DO \$\$ BEGIN
|
||||||
ALTER ROLE supabase_replication_admin WITH PASSWORD '${PASS}';
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'supabase_admin') THEN
|
||||||
ALTER ROLE supabase_storage_admin WITH PASSWORD '${PASS}';
|
CREATE ROLE supabase_admin SUPERUSER CREATEDB CREATEROLE REPLICATION BYPASSRLS LOGIN PASSWORD '${PASS}';
|
||||||
ALTER ROLE pgbouncer WITH PASSWORD '${PASS}';
|
ELSE
|
||||||
|
ALTER ROLE supabase_admin WITH PASSWORD '${PASS}';
|
||||||
|
END IF;
|
||||||
|
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'anon') THEN
|
||||||
|
CREATE ROLE anon NOLOGIN NOINHERIT;
|
||||||
|
END IF;
|
||||||
|
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated') THEN
|
||||||
|
CREATE ROLE authenticated NOLOGIN NOINHERIT;
|
||||||
|
END IF;
|
||||||
|
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'service_role') THEN
|
||||||
|
CREATE ROLE service_role NOLOGIN NOINHERIT BYPASSRLS;
|
||||||
|
END IF;
|
||||||
|
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticator') THEN
|
||||||
|
CREATE ROLE authenticator LOGIN NOINHERIT PASSWORD '${PASS}';
|
||||||
|
ELSE
|
||||||
|
ALTER ROLE authenticator WITH PASSWORD '${PASS}';
|
||||||
|
END IF;
|
||||||
|
-- authenticator must be able to SET ROLE to anon/authenticated/service_role.
|
||||||
|
GRANT anon, authenticated, service_role TO authenticator;
|
||||||
|
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'supabase_auth_admin') THEN
|
||||||
|
CREATE ROLE supabase_auth_admin LOGIN NOINHERIT CREATEROLE PASSWORD '${PASS}';
|
||||||
|
ELSE
|
||||||
|
ALTER ROLE supabase_auth_admin WITH PASSWORD '${PASS}';
|
||||||
|
END IF;
|
||||||
|
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'supabase_storage_admin') THEN
|
||||||
|
CREATE ROLE supabase_storage_admin LOGIN NOINHERIT CREATEROLE PASSWORD '${PASS}';
|
||||||
|
ELSE
|
||||||
|
ALTER ROLE supabase_storage_admin WITH PASSWORD '${PASS}';
|
||||||
|
END IF;
|
||||||
|
GRANT authenticator TO supabase_storage_admin;
|
||||||
|
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'supabase_replication_admin') THEN
|
||||||
|
CREATE ROLE supabase_replication_admin LOGIN REPLICATION PASSWORD '${PASS}';
|
||||||
|
ELSE
|
||||||
|
ALTER ROLE supabase_replication_admin WITH PASSWORD '${PASS}';
|
||||||
|
END IF;
|
||||||
|
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'supabase_realtime_admin') THEN
|
||||||
|
CREATE ROLE supabase_realtime_admin NOLOGIN NOINHERIT;
|
||||||
|
END IF;
|
||||||
|
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'pgbouncer') THEN
|
||||||
|
CREATE ROLE pgbouncer LOGIN PASSWORD '${PASS}';
|
||||||
|
ELSE
|
||||||
|
ALTER ROLE pgbouncer WITH PASSWORD '${PASS}';
|
||||||
|
END IF;
|
||||||
|
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'dashboard_user') THEN
|
||||||
|
CREATE ROLE dashboard_user CREATEROLE CREATEDB REPLICATION;
|
||||||
|
END IF;
|
||||||
|
END \$\$;
|
||||||
|
|
||||||
|
-- Grant postgres membership in service roles so seed inserts work.
|
||||||
|
GRANT anon, authenticated, service_role, supabase_auth_admin, supabase_storage_admin, supabase_realtime_admin TO postgres;
|
||||||
|
|
||||||
|
-- Per-role search_path + timeouts (match dev to avoid migration drift).
|
||||||
|
-- GoTrue's migrations issue unqualified CREATE TYPE / CREATE TABLE expecting
|
||||||
|
-- these to land in the `auth` schema — with no default here they end up in
|
||||||
|
-- `public` and later migrations that reference `auth.factor_type` blow up.
|
||||||
|
ALTER ROLE supabase_auth_admin SET search_path TO auth;
|
||||||
|
ALTER ROLE supabase_auth_admin SET idle_in_transaction_session_timeout TO 60000;
|
||||||
|
ALTER ROLE supabase_storage_admin SET search_path TO storage;
|
||||||
|
ALTER ROLE anon SET statement_timeout TO '3s';
|
||||||
|
ALTER ROLE authenticated SET statement_timeout TO '8s';
|
||||||
|
ALTER ROLE authenticator SET statement_timeout TO '8s';
|
||||||
|
ALTER ROLE authenticator SET lock_timeout TO '8s';
|
||||||
|
|
||||||
|
-- ── Extensions the migrations assume are enabled ─────────────────────
|
||||||
|
-- Migration 005 invokes cron.schedule(...); dev has pg_cron auto-enabled
|
||||||
|
-- via the image's supa-init scripts, prod does not.
|
||||||
|
CREATE EXTENSION IF NOT EXISTS pg_cron;
|
||||||
|
CREATE EXTENSION IF NOT EXISTS pgcrypto;
|
||||||
|
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
|
||||||
|
|
||||||
|
-- ── Schemas the Supabase services expect ─────────────────────────────
|
||||||
|
CREATE SCHEMA IF NOT EXISTS auth AUTHORIZATION supabase_auth_admin;
|
||||||
|
CREATE SCHEMA IF NOT EXISTS storage AUTHORIZATION supabase_storage_admin;
|
||||||
|
CREATE SCHEMA IF NOT EXISTS graphql_public;
|
||||||
|
|
||||||
-- Create the _realtime schema required by supabase/realtime
|
|
||||||
CREATE SCHEMA IF NOT EXISTS _realtime;
|
CREATE SCHEMA IF NOT EXISTS _realtime;
|
||||||
GRANT ALL ON SCHEMA _realtime TO supabase_replication_admin;
|
GRANT ALL ON SCHEMA _realtime TO supabase_replication_admin;
|
||||||
ALTER ROLE supabase_replication_admin SET search_path TO _realtime;
|
ALTER ROLE supabase_replication_admin SET search_path TO _realtime;
|
||||||
|
|
||||||
-- Pre-create the `realtime` schema. Realtime's per-tenant migrations
|
-- Pre-create the `realtime` schema so Realtime's per-tenant migrations
|
||||||
-- expect it to exist before running (they don't CREATE SCHEMA themselves)
|
-- don't fail on "schema realtime does not exist".
|
||||||
-- and without it every tenant connect fails with "schema realtime does
|
|
||||||
-- not exist" → PoolingReplicationError → no postgres_changes delivery.
|
|
||||||
CREATE SCHEMA IF NOT EXISTS realtime AUTHORIZATION supabase_admin;
|
CREATE SCHEMA IF NOT EXISTS realtime AUTHORIZATION supabase_admin;
|
||||||
|
|
||||||
|
-- Empty publication that migration 007 will ALTER with specific tables.
|
||||||
|
-- (supabase/postgres image ships this pre-created in newer versions;
|
||||||
|
-- on v15.1.1.78 it does not.)
|
||||||
|
CREATE PUBLICATION supabase_realtime;
|
||||||
|
|
||||||
|
-- PostgREST needs USAGE on public for anon + authenticated + service_role.
|
||||||
|
GRANT USAGE ON SCHEMA public TO anon, authenticated, service_role;
|
||||||
|
|
||||||
|
-- Default privileges for future tables in public (RLS policies still apply).
|
||||||
|
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO anon, authenticated, service_role;
|
||||||
|
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO anon, authenticated, service_role;
|
||||||
|
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO anon, authenticated, service_role;
|
||||||
|
|
||||||
|
-- GoTrue runs its own migrations against `public.schema_migrations`. PG 15
|
||||||
|
-- revokes CREATE from public by default, so grant it back to the service roles.
|
||||||
|
GRANT CREATE, USAGE ON SCHEMA public TO supabase_auth_admin, supabase_storage_admin;
|
||||||
|
|
||||||
|
-- Storage migrations call statements that require database-level grants
|
||||||
|
-- (e.g. CREATE EXTENSION, ALTER DEFAULT PRIVILEGES).
|
||||||
|
GRANT ALL ON DATABASE postgres TO supabase_auth_admin, supabase_storage_admin;
|
||||||
|
|
||||||
|
-- ── Keycloak database + role (separate DB, idempotent) ───────────────
|
||||||
|
-- CREATE DATABASE cannot run in a transaction, so run it via \gexec.
|
||||||
|
SELECT 'CREATE DATABASE keycloak'
|
||||||
|
WHERE NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = 'keycloak') \gexec
|
||||||
|
|
||||||
|
DO \$\$ BEGIN
|
||||||
|
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'keycloak') THEN
|
||||||
|
CREATE ROLE keycloak LOGIN PASSWORD '${PASS}';
|
||||||
|
ELSE
|
||||||
|
ALTER ROLE keycloak WITH PASSWORD '${PASS}';
|
||||||
|
END IF;
|
||||||
|
END \$\$;
|
||||||
|
|
||||||
|
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
|
||||||
EOSQL
|
EOSQL
|
||||||
|
|
||||||
echo "==> db-init: role passwords and schemas configured"
|
# Keycloak also needs CREATE on the keycloak database's public schema.
|
||||||
|
psql -v ON_ERROR_STOP=1 --username postgres --dbname keycloak <<-EOSQL
|
||||||
|
GRANT ALL ON SCHEMA public TO keycloak;
|
||||||
|
EOSQL
|
||||||
|
|
||||||
|
echo "==> db-init: roles bootstrapped, passwords set, schemas created"
|
||||||
|
|||||||
@@ -1,11 +0,0 @@
|
|||||||
-- Set passwords for Supabase internal roles to match POSTGRES_PASSWORD.
|
|
||||||
-- The supabase/postgres image creates these roles with hardcoded default passwords;
|
|
||||||
-- this script overrides them so all services can authenticate with POSTGRES_PASSWORD.
|
|
||||||
-- Runs once on first container start (docker-entrypoint-initdb.d).
|
|
||||||
-- Must run as supabase_admin (superuser) which this image uses for initdb scripts.
|
|
||||||
|
|
||||||
ALTER ROLE authenticator WITH PASSWORD 'REPLACE_PASSWORD';
|
|
||||||
ALTER ROLE supabase_auth_admin WITH PASSWORD 'REPLACE_PASSWORD';
|
|
||||||
ALTER ROLE supabase_replication_admin WITH PASSWORD 'REPLACE_PASSWORD';
|
|
||||||
ALTER ROLE supabase_storage_admin WITH PASSWORD 'REPLACE_PASSWORD';
|
|
||||||
ALTER ROLE pgbouncer WITH PASSWORD 'REPLACE_PASSWORD';
|
|
||||||
234
infra/docker-compose.erosi.yml
Normal file
234
infra/docker-compose.erosi.yml
Normal file
@@ -0,0 +1,234 @@
|
|||||||
|
name: colectivo-erosi
|
||||||
|
|
||||||
|
# Production stack for ambrosio (OVH VPS).
|
||||||
|
# Domains: erosi.oier.ovh (app + Supabase API) | auth.oier.ovh (Keycloak)
|
||||||
|
#
|
||||||
|
# TLS + reverse proxy is handled by the HOST Caddy (systemd service on ambrosio,
|
||||||
|
# config at /etc/caddy/Caddyfile) — NOT by a container. All services here bind
|
||||||
|
# to 127.0.0.1 so only Caddy can reach them.
|
||||||
|
#
|
||||||
|
# Bring up: docker compose -f infra/docker-compose.erosi.yml --env-file .env up -d --build
|
||||||
|
# Logs: docker compose -f infra/docker-compose.erosi.yml logs -f
|
||||||
|
# Tear down: docker compose -f infra/docker-compose.erosi.yml down
|
||||||
|
|
||||||
|
services:
|
||||||
|
|
||||||
|
# ── PostgreSQL 15 (Supabase image — internal roles preconfigured) ──────────
|
||||||
|
db:
|
||||||
|
image: supabase/postgres:15.1.1.78
|
||||||
|
restart: always
|
||||||
|
healthcheck:
|
||||||
|
test: pg_isready -U postgres -h localhost
|
||||||
|
interval: 10s
|
||||||
|
timeout: 5s
|
||||||
|
retries: 10
|
||||||
|
environment:
|
||||||
|
POSTGRES_HOST: /var/run/postgresql
|
||||||
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
|
||||||
|
JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||||
|
JWT_EXP: 3600
|
||||||
|
volumes:
|
||||||
|
- db-data:/var/lib/postgresql/data
|
||||||
|
- ./db-init:/docker-entrypoint-initdb.d:ro
|
||||||
|
networks: [colectivo]
|
||||||
|
|
||||||
|
# ── GoTrue (Supabase Auth) ─────────────────────────────────────────────────
|
||||||
|
auth:
|
||||||
|
image: supabase/gotrue:v2.158.1
|
||||||
|
restart: always
|
||||||
|
depends_on:
|
||||||
|
db: { condition: service_healthy }
|
||||||
|
environment:
|
||||||
|
GOTRUE_API_HOST: "0.0.0.0"
|
||||||
|
GOTRUE_API_PORT: 9999
|
||||||
|
API_EXTERNAL_URL: ${PUBLIC_APP_URL}
|
||||||
|
GOTRUE_API_EXTERNAL_URL: ${PUBLIC_APP_URL}
|
||||||
|
GOTRUE_DB_DRIVER: postgres
|
||||||
|
GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD}@db:5432/postgres
|
||||||
|
GOTRUE_SITE_URL: ${PUBLIC_APP_URL}
|
||||||
|
GOTRUE_URI_ALLOW_LIST: "${PUBLIC_APP_URL}/auth/callback,${PUBLIC_APP_URL}/*"
|
||||||
|
GOTRUE_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||||
|
GOTRUE_JWT_EXP: 3600
|
||||||
|
GOTRUE_DISABLE_SIGNUP: "false"
|
||||||
|
GOTRUE_EXTERNAL_KEYCLOAK_ENABLED: "true"
|
||||||
|
GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
|
||||||
|
GOTRUE_EXTERNAL_KEYCLOAK_SECRET: ${KEYCLOAK_CLIENT_SECRET}
|
||||||
|
GOTRUE_EXTERNAL_KEYCLOAK_SCOPES: "openid profile email"
|
||||||
|
# Public Keycloak base URL (browser sees this). The `/realms/colectivo`
|
||||||
|
# suffix is appended by GoTrue.
|
||||||
|
GOTRUE_EXTERNAL_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}
|
||||||
|
GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI: ${PUBLIC_SUPABASE_URL}/auth/v1/callback
|
||||||
|
GOTRUE_MAILER_AUTOCONFIRM: "true"
|
||||||
|
networks: [colectivo]
|
||||||
|
|
||||||
|
# ── PostgREST ──────────────────────────────────────────────────────────────
|
||||||
|
rest:
|
||||||
|
image: postgrest/postgrest:v12.2.0
|
||||||
|
restart: always
|
||||||
|
depends_on:
|
||||||
|
db: { condition: service_healthy }
|
||||||
|
environment:
|
||||||
|
PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@db:5432/postgres
|
||||||
|
PGRST_DB_SCHEMAS: public,storage,graphql_public
|
||||||
|
PGRST_DB_ANON_ROLE: anon
|
||||||
|
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||||
|
PGRST_DB_USE_LEGACY_GUCS: "false"
|
||||||
|
PGRST_APP_SETTINGS_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||||
|
PGRST_APP_SETTINGS_JWT_EXP: 3600
|
||||||
|
networks: [colectivo]
|
||||||
|
|
||||||
|
# ── Realtime (pinned to v2.76.5 — see CLAUDE.md note on handle_out/3) ──────
|
||||||
|
realtime:
|
||||||
|
image: supabase/realtime:v2.76.5
|
||||||
|
restart: always
|
||||||
|
depends_on:
|
||||||
|
db: { condition: service_healthy }
|
||||||
|
environment:
|
||||||
|
PORT: 4000
|
||||||
|
DB_HOST: db
|
||||||
|
DB_PORT: 5432
|
||||||
|
DB_USER: supabase_admin
|
||||||
|
DB_PASSWORD: ${POSTGRES_PASSWORD}
|
||||||
|
DB_NAME: postgres
|
||||||
|
DB_AFTER_CONNECT_QUERY: SET search_path TO _realtime
|
||||||
|
DB_ENC_KEY: ${REALTIME_ENC_KEY}
|
||||||
|
API_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||||
|
SELF_HOST_TENANT_NAME: realtime
|
||||||
|
SEED_SELF_HOST: "true"
|
||||||
|
RUN_JANITOR: "true"
|
||||||
|
APP_NAME: realtime
|
||||||
|
SECRET_KEY_BASE: ${REALTIME_SECRET_KEY_BASE}
|
||||||
|
ERL_AFLAGS: -proto_dist inet_tcp
|
||||||
|
DNS_NODES: "''"
|
||||||
|
RLIMIT_NOFILE: "10000"
|
||||||
|
METRICS_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||||
|
networks: [colectivo]
|
||||||
|
|
||||||
|
# ── Storage ────────────────────────────────────────────────────────────────
|
||||||
|
storage:
|
||||||
|
image: supabase/storage-api:v1.11.13
|
||||||
|
restart: always
|
||||||
|
depends_on:
|
||||||
|
db: { condition: service_healthy }
|
||||||
|
rest: { condition: service_started }
|
||||||
|
environment:
|
||||||
|
ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||||
|
SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
|
||||||
|
POSTGREST_URL: http://rest:3000
|
||||||
|
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||||
|
DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD}@db:5432/postgres
|
||||||
|
FILE_SIZE_LIMIT: 52428800
|
||||||
|
STORAGE_BACKEND: file
|
||||||
|
FILE_STORAGE_BACKEND_PATH: /var/lib/storage
|
||||||
|
TENANT_ID: colectivo-erosi
|
||||||
|
REGION: local
|
||||||
|
GLOBAL_S3_BUCKET: stub
|
||||||
|
ENABLE_IMAGE_TRANSFORMATION: "true"
|
||||||
|
IMGPROXY_URL: http://imgproxy:5001
|
||||||
|
volumes:
|
||||||
|
- storage-data:/var/lib/storage
|
||||||
|
networks: [colectivo]
|
||||||
|
|
||||||
|
# ── ImgProxy ───────────────────────────────────────────────────────────────
|
||||||
|
imgproxy:
|
||||||
|
image: darthsim/imgproxy:v3.8.0
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
IMGPROXY_BIND: ":5001"
|
||||||
|
IMGPROXY_LOCAL_FILESYSTEM_ROOT: /
|
||||||
|
IMGPROXY_USE_ETAG: "true"
|
||||||
|
IMGPROXY_ENABLE_WEBP_DETECTION: "true"
|
||||||
|
volumes:
|
||||||
|
- storage-data:/var/lib/storage:ro
|
||||||
|
networks: [colectivo]
|
||||||
|
|
||||||
|
# ── Kong (API Gateway) — bound to localhost only; host Caddy proxies it ────
|
||||||
|
kong:
|
||||||
|
image: kong:2.8.1
|
||||||
|
restart: always
|
||||||
|
entrypoint: ["/bin/bash", "/home/kong/kong-start.sh"]
|
||||||
|
ports:
|
||||||
|
- "127.0.0.1:8000:8000"
|
||||||
|
depends_on:
|
||||||
|
db: { condition: service_healthy }
|
||||||
|
environment:
|
||||||
|
KONG_DATABASE: "off"
|
||||||
|
KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml
|
||||||
|
KONG_DNS_ORDER: LAST,A,CNAME
|
||||||
|
KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth,rate-limiting
|
||||||
|
KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
|
||||||
|
KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
|
||||||
|
SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||||
|
SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
|
||||||
|
volumes:
|
||||||
|
- ./kong.yml:/home/kong/temp.yml:ro
|
||||||
|
- ./kong-start.sh:/home/kong/kong-start.sh:ro
|
||||||
|
networks: [colectivo]
|
||||||
|
|
||||||
|
# ── Keycloak 24 ────────────────────────────────────────────────────────────
|
||||||
|
# Bound to localhost only; host Caddy proxies auth.oier.ovh → 127.0.0.1:8090.
|
||||||
|
# KC_PROXY=edge expects X-Forwarded-* from Caddy.
|
||||||
|
keycloak:
|
||||||
|
image: quay.io/keycloak/keycloak:24.0.5
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "127.0.0.1:8090:8080"
|
||||||
|
# Plain `start` (no --optimized) so Quarkus re-builds with the Postgres
|
||||||
|
# driver on first boot. --optimized skips the build phase and falls back
|
||||||
|
# to H2, producing "URL format error ... jdbc:h2" on startup.
|
||||||
|
command: start --import-realm
|
||||||
|
depends_on:
|
||||||
|
db: { condition: service_healthy }
|
||||||
|
environment:
|
||||||
|
KC_DB: postgres
|
||||||
|
KC_DB_URL: jdbc:postgresql://db:5432/keycloak
|
||||||
|
KC_DB_USERNAME: keycloak
|
||||||
|
KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
|
||||||
|
KC_HOSTNAME: ${KEYCLOAK_HOSTNAME}
|
||||||
|
KC_HOSTNAME_STRICT: "true"
|
||||||
|
KC_HOSTNAME_STRICT_HTTPS: "true"
|
||||||
|
KC_PROXY: edge
|
||||||
|
KC_HTTP_ENABLED: "true"
|
||||||
|
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
|
||||||
|
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
|
||||||
|
KC_FEATURES: token-exchange
|
||||||
|
volumes:
|
||||||
|
- keycloak-data:/opt/keycloak/data
|
||||||
|
- ../keycloak/realm-export.erosi.json:/opt/keycloak/data/import/realm-export.json:ro
|
||||||
|
networks: [colectivo]
|
||||||
|
|
||||||
|
# ── App (SvelteKit Node server) — built on the host from the repo ──────────
|
||||||
|
# Build args bake the PUBLIC_* values into the client bundle (SvelteKit reqs).
|
||||||
|
app:
|
||||||
|
image: colectivo-web:erosi
|
||||||
|
build:
|
||||||
|
context: ..
|
||||||
|
dockerfile: apps/web/Dockerfile
|
||||||
|
args:
|
||||||
|
PUBLIC_SUPABASE_URL: ${PUBLIC_SUPABASE_URL}
|
||||||
|
PUBLIC_SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||||
|
PUBLIC_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL}
|
||||||
|
PUBLIC_KEYCLOAK_REALM: ${PUBLIC_KEYCLOAK_REALM}
|
||||||
|
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
|
||||||
|
PUBLIC_APP_URL: ${PUBLIC_APP_URL}
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "127.0.0.1:3000:3000"
|
||||||
|
environment:
|
||||||
|
PUBLIC_SUPABASE_URL: ${PUBLIC_SUPABASE_URL}
|
||||||
|
PUBLIC_SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||||
|
PUBLIC_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL}
|
||||||
|
PUBLIC_KEYCLOAK_REALM: ${PUBLIC_KEYCLOAK_REALM}
|
||||||
|
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
|
||||||
|
PUBLIC_APP_URL: ${PUBLIC_APP_URL}
|
||||||
|
NODE_ENV: production
|
||||||
|
networks: [colectivo]
|
||||||
|
|
||||||
|
networks:
|
||||||
|
colectivo:
|
||||||
|
driver: bridge
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
db-data:
|
||||||
|
storage-data:
|
||||||
|
keycloak-data:
|
||||||
175
infra/scripts/deploy-erosi.sh
Executable file
175
infra/scripts/deploy-erosi.sh
Executable file
@@ -0,0 +1,175 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
# Deploy the full stack to ambrosio.
|
||||||
|
#
|
||||||
|
# Usage: infra/scripts/deploy-erosi.sh
|
||||||
|
# Env: DEPLOY_HOST=ambrosio (override if needed)
|
||||||
|
# DEPLOY_PATH=/opt/colectivo
|
||||||
|
#
|
||||||
|
# First run:
|
||||||
|
# 1. rsyncs repo → ambrosio:/opt/colectivo/
|
||||||
|
# 2. if .env doesn't exist on server, generates secrets and writes it
|
||||||
|
# 3. patches realm-export.erosi.json with the generated Keycloak client secret
|
||||||
|
# 4. docker compose build + up -d
|
||||||
|
# 5. applies DB migrations
|
||||||
|
# 6. installs the Caddyfile snippet into host Caddy and reloads
|
||||||
|
#
|
||||||
|
# Subsequent runs: rsync + rebuild app + rolling restart.
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
DEPLOY_HOST="${DEPLOY_HOST:-ambrosio}"
|
||||||
|
DEPLOY_PATH="${DEPLOY_PATH:-/opt/colectivo}"
|
||||||
|
REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
|
||||||
|
|
||||||
|
echo "==> Deploying to $DEPLOY_HOST:$DEPLOY_PATH"
|
||||||
|
|
||||||
|
# ── 1. Ensure target dir exists ────────────────────────────────────────────
|
||||||
|
ssh "$DEPLOY_HOST" "sudo mkdir -p $DEPLOY_PATH && sudo chown \$(id -u):\$(id -g) $DEPLOY_PATH"
|
||||||
|
|
||||||
|
# ── 2. rsync repo (excluding node_modules / build artefacts / local env) ──
|
||||||
|
rsync -az --delete \
|
||||||
|
--exclude '.git' \
|
||||||
|
--exclude 'node_modules' \
|
||||||
|
--exclude '.svelte-kit' \
|
||||||
|
--exclude 'apps/web/build' \
|
||||||
|
--exclude 'apps/web/.vite' \
|
||||||
|
--exclude '**/*.log' \
|
||||||
|
--exclude '**/.env' \
|
||||||
|
--exclude '**/.env.development' \
|
||||||
|
--exclude '**/.env.local' \
|
||||||
|
--exclude 'lighthouse-report.html' \
|
||||||
|
--exclude 'coverage' \
|
||||||
|
--exclude 'test-results' \
|
||||||
|
--exclude 'playwright-report' \
|
||||||
|
"$REPO_ROOT/" "$DEPLOY_HOST:$DEPLOY_PATH/"
|
||||||
|
|
||||||
|
# ── 3. Bootstrap secrets on first run ──────────────────────────────────────
|
||||||
|
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
|
||||||
|
set -euo pipefail
|
||||||
|
cd /opt/colectivo
|
||||||
|
|
||||||
|
if [ ! -f .env ]; then
|
||||||
|
echo "--- First deploy: generating secrets"
|
||||||
|
|
||||||
|
# JWT triplet (anon + service_role)
|
||||||
|
JWT_OUT=$(bash infra/scripts/rotate-jwt.sh)
|
||||||
|
SUPABASE_JWT_SECRET=$(echo "$JWT_OUT" | awk -F= '/^SUPABASE_JWT_SECRET=/{print substr($0, index($0,$2))}')
|
||||||
|
PUBLIC_SUPABASE_ANON_KEY=$(echo "$JWT_OUT" | awk -F= '/^PUBLIC_SUPABASE_ANON_KEY=/{print substr($0, index($0,$2))}')
|
||||||
|
SUPABASE_SERVICE_ROLE_KEY=$(echo "$JWT_OUT" | awk -F= '/^SUPABASE_SERVICE_ROLE_KEY=/{print substr($0, index($0,$2))}')
|
||||||
|
|
||||||
|
# Other passwords + keys
|
||||||
|
POSTGRES_PASSWORD=$(openssl rand -hex 24)
|
||||||
|
KEYCLOAK_ADMIN_PASSWORD=$(openssl rand -hex 24)
|
||||||
|
KEYCLOAK_CLIENT_SECRET=$(openssl rand -hex 24)
|
||||||
|
REALTIME_ENC_KEY=$(openssl rand -hex 8) # 16 chars
|
||||||
|
REALTIME_SECRET_KEY_BASE=$(openssl rand -hex 48) # 96 chars
|
||||||
|
|
||||||
|
cat > .env <<EOF
|
||||||
|
# Generated on $(date -u +%Y-%m-%dT%H:%M:%SZ). Keep this file mode 600.
|
||||||
|
PUBLIC_APP_URL=https://erosi.oier.ovh
|
||||||
|
PUBLIC_SUPABASE_URL=https://erosi.oier.ovh
|
||||||
|
PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh
|
||||||
|
PUBLIC_KEYCLOAK_REALM=colectivo
|
||||||
|
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
|
||||||
|
KEYCLOAK_HOSTNAME=auth.oier.ovh
|
||||||
|
|
||||||
|
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
|
||||||
|
|
||||||
|
SUPABASE_JWT_SECRET=$SUPABASE_JWT_SECRET
|
||||||
|
PUBLIC_SUPABASE_ANON_KEY=$PUBLIC_SUPABASE_ANON_KEY
|
||||||
|
SUPABASE_SERVICE_ROLE_KEY=$SUPABASE_SERVICE_ROLE_KEY
|
||||||
|
|
||||||
|
KEYCLOAK_ADMIN=admin
|
||||||
|
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
|
||||||
|
KEYCLOAK_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET
|
||||||
|
|
||||||
|
REALTIME_ENC_KEY=$REALTIME_ENC_KEY
|
||||||
|
REALTIME_SECRET_KEY_BASE=$REALTIME_SECRET_KEY_BASE
|
||||||
|
EOF
|
||||||
|
chmod 600 .env
|
||||||
|
echo "--- Wrote .env (mode 600). Keycloak admin password stored there."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Always substitute the client secret placeholder in the realm JSON.
|
||||||
|
# Keycloak only imports the realm if it doesn't exist yet — on first boot only.
|
||||||
|
source .env
|
||||||
|
sed -i "s|__KEYCLOAK_CLIENT_SECRET__|$KEYCLOAK_CLIENT_SECRET|g" keycloak/realm-export.erosi.json
|
||||||
|
REMOTE
|
||||||
|
|
||||||
|
# ── 4. Build + bring up the stack ─────────────────────────────────────────
|
||||||
|
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
|
||||||
|
set -euo pipefail
|
||||||
|
cd /opt/colectivo
|
||||||
|
|
||||||
|
echo "--- Building app image"
|
||||||
|
docker compose --env-file .env -f infra/docker-compose.erosi.yml build app
|
||||||
|
|
||||||
|
echo "--- Bringing stack up (detached)"
|
||||||
|
docker compose --env-file .env -f infra/docker-compose.erosi.yml up -d
|
||||||
|
|
||||||
|
echo "--- Waiting for db to be healthy"
|
||||||
|
for i in $(seq 1 60); do
|
||||||
|
if docker compose --env-file .env -f infra/docker-compose.erosi.yml ps db --format json | grep -q '"Health":"healthy"'; then
|
||||||
|
echo "db healthy"; break
|
||||||
|
fi
|
||||||
|
sleep 2
|
||||||
|
done
|
||||||
|
|
||||||
|
echo "--- Applying migrations"
|
||||||
|
docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
|
||||||
|
psql -U postgres -d postgres -c "CREATE TABLE IF NOT EXISTS public._applied_migrations (filename TEXT PRIMARY KEY, applied_at TIMESTAMPTZ DEFAULT now());"
|
||||||
|
|
||||||
|
for f in supabase/migrations/*.sql; do
|
||||||
|
fn=$(basename "$f")
|
||||||
|
already=$(docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
|
||||||
|
psql -U postgres -d postgres -tAq -c "SELECT count(*) FROM public._applied_migrations WHERE filename='$fn'")
|
||||||
|
if [ "${already:-0}" -gt 0 ]; then
|
||||||
|
echo " skip $fn (applied)"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
printf " apply %s ... " "$fn"
|
||||||
|
if docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
|
||||||
|
psql -U postgres -d postgres -v ON_ERROR_STOP=1 -q < "$f"; then
|
||||||
|
docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
|
||||||
|
psql -U postgres -d postgres -c "INSERT INTO public._applied_migrations (filename) VALUES ('$fn') ON CONFLICT DO NOTHING;"
|
||||||
|
echo "ok"
|
||||||
|
else
|
||||||
|
echo "FAIL"; exit 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
echo "--- Keycloak may need an extra minute to import the realm on first boot"
|
||||||
|
REMOTE
|
||||||
|
|
||||||
|
# ── 5. Install Caddyfile snippet into host Caddy (idempotent) ─────────────
|
||||||
|
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
|
||||||
|
set -euo pipefail
|
||||||
|
cd /opt/colectivo
|
||||||
|
|
||||||
|
MARKER_START="# BEGIN colectivo-erosi"
|
||||||
|
MARKER_END="# END colectivo-erosi"
|
||||||
|
|
||||||
|
# Strip any previous version of our block from /etc/caddy/Caddyfile, then append fresh.
|
||||||
|
sudo awk -v start="$MARKER_START" -v end="$MARKER_END" '
|
||||||
|
$0 ~ start {skip=1}
|
||||||
|
!skip {print}
|
||||||
|
$0 ~ end {skip=0}
|
||||||
|
' /etc/caddy/Caddyfile > /tmp/Caddyfile.new
|
||||||
|
|
||||||
|
{
|
||||||
|
echo ""
|
||||||
|
echo "$MARKER_START"
|
||||||
|
cat infra/caddy/erosi.Caddyfile
|
||||||
|
echo "$MARKER_END"
|
||||||
|
} >> /tmp/Caddyfile.new
|
||||||
|
|
||||||
|
sudo mv /tmp/Caddyfile.new /etc/caddy/Caddyfile
|
||||||
|
sudo caddy validate --config /etc/caddy/Caddyfile
|
||||||
|
sudo systemctl reload caddy
|
||||||
|
echo "--- Caddy reloaded"
|
||||||
|
REMOTE
|
||||||
|
|
||||||
|
echo "==> Deploy complete."
|
||||||
|
echo " App: https://erosi.oier.ovh"
|
||||||
|
echo " Keycloak: https://auth.oier.ovh"
|
||||||
|
echo " Admin pw: ssh $DEPLOY_HOST 'grep KEYCLOAK_ADMIN_PASSWORD $DEPLOY_PATH/.env'"
|
||||||
1851
keycloak/realm-export.erosi.json
Normal file
1851
keycloak/realm-export.erosi.json
Normal file
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user