Fase 0: scaffold monorepo, SvelteKit skeleton, and dev infrastructure

- Turborepo + pnpm workspaces with apps/web and packages/types
- SvelteKit app: Tailwind, Paraglide i18n (en/es), keycloak-js, Supabase client,
  auth/collective stores, PWA service worker skeleton, all route placeholders
- packages/types: domain types (User, Collective, ShoppingList, etc.) and
  database.ts placeholder for generated types
- Justfile with dev, db-*, kc-*, build, backup, restore, deploy recipes
- infra/docker-compose.dev.yml: Postgres 15, GoTrue, PostgREST, Realtime v2.83,
  Storage, Kong (port 8001), Studio, Keycloak 24
- infra/docker-compose.prod.yml, kong.yml, db-init scripts, backup/deploy scripts
- keycloak/realm-export.json with colectivo realm and 5 dev test users
- supabase/config.toml and seed.sql with sample collective and items
- GitHub Actions: ci.yml (lint+typecheck+build) and deploy.yml (GHCR + SSH)
- .env.example documenting all required variables
- Fixed docker-compose issues: Studio image tag, Kong port conflict (8001),
  internal role passwords init script, Realtime METRICS_JWT_SECRET/APP_NAME

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-04-12 14:37:51 +02:00
parent f5903ef442
commit 973f9e413c
57 changed files with 2508 additions and 1 deletions

70
.env.example Normal file
View File

@@ -0,0 +1,70 @@
# ─────────────────────────────────────────────────────────────────────────────
# Colectivo — environment variables
# Copy to .env and fill in real values. Never commit .env to version control.
# ─────────────────────────────────────────────────────────────────────────────
# ── Supabase ──────────────────────────────────────────────────────────────────
# URL of the self-hosted Supabase instance (Kong gateway)
PUBLIC_SUPABASE_URL=http://localhost:8001
# Supabase anon key (public, safe to expose in the browser)
# Generated during `supabase start` or set manually in supabase/config.toml
PUBLIC_SUPABASE_ANON_KEY=
# Supabase service role key (private — never expose in the browser)
# Used only in Edge Functions or server-side scripts
SUPABASE_SERVICE_ROLE_KEY=
# JWT secret — MUST be set to the Keycloak RS256 public key (PEM format, one line)
# Supabase uses this to validate Keycloak-issued JWTs for RLS
# Rotate simultaneously with Keycloak signing key rotation
SUPABASE_JWT_SECRET=
# ── Keycloak ──────────────────────────────────────────────────────────────────
# Public URL of the Keycloak server (used by the browser for OIDC redirects)
PUBLIC_KEYCLOAK_URL=http://localhost:8080
# Keycloak realm name
PUBLIC_KEYCLOAK_REALM=colectivo
# Keycloak client ID (public PKCE client — no secret)
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
# Keycloak admin credentials (used by infra scripts only — never in app code)
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=
# ── Email (Resend) ────────────────────────────────────────────────────────────
# Resend API key — used by Edge Functions to send invitation emails
RESEND_API_KEY=
# From address for outgoing emails
RESEND_FROM_EMAIL=noreply@yourdomain.com
# ── Backup (Backblaze B2) ─────────────────────────────────────────────────────
B2_BUCKET_NAME=colectivo-backups
B2_APPLICATION_KEY_ID=
B2_APPLICATION_KEY=
# ── App ───────────────────────────────────────────────────────────────────────
# Publicly accessible origin of the app (no trailing slash)
# Used in Edge Functions to build invitation URLs
PUBLIC_APP_URL=http://localhost:5173
# ── Docker / Infra ────────────────────────────────────────────────────────────
# Postgres superuser password (used by Supabase internally)
POSTGRES_PASSWORD=
# Supabase dashboard username/password (Studio)
DASHBOARD_USERNAME=supabase
DASHBOARD_PASSWORD=
# Production SSH target for deploy script
DEPLOY_HOST=user@your-vps-ip
DEPLOY_PATH=/opt/colectivo