Fase 0: scaffold monorepo, SvelteKit skeleton, and dev infrastructure

- Turborepo + pnpm workspaces with apps/web and packages/types
- SvelteKit app: Tailwind, Paraglide i18n (en/es), keycloak-js, Supabase client,
  auth/collective stores, PWA service worker skeleton, all route placeholders
- packages/types: domain types (User, Collective, ShoppingList, etc.) and
  database.ts placeholder for generated types
- Justfile with dev, db-*, kc-*, build, backup, restore, deploy recipes
- infra/docker-compose.dev.yml: Postgres 15, GoTrue, PostgREST, Realtime v2.83,
  Storage, Kong (port 8001), Studio, Keycloak 24
- infra/docker-compose.prod.yml, kong.yml, db-init scripts, backup/deploy scripts
- keycloak/realm-export.json with colectivo realm and 5 dev test users
- supabase/config.toml and seed.sql with sample collective and items
- GitHub Actions: ci.yml (lint+typecheck+build) and deploy.yml (GHCR + SSH)
- .env.example documenting all required variables
- Fixed docker-compose issues: Studio image tag, Kong port conflict (8001),
  internal role passwords init script, Realtime METRICS_JWT_SECRET/APP_NAME

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-04-12 14:37:51 +02:00
parent f5903ef442
commit 973f9e413c
57 changed files with 2508 additions and 1 deletions

View File

@@ -0,0 +1,26 @@
#!/bin/bash
# Runs once on first container start (docker-entrypoint-initdb.d).
# Sets Supabase internal role passwords to POSTGRES_PASSWORD and creates
# required schemas with correct grants.
set -e
PASS="${POSTGRES_PASSWORD:-postgres}"
psql -v ON_ERROR_STOP=1 --username supabase_admin --dbname postgres <<-EOSQL
-- Set passwords for all Supabase internal roles.
-- The supabase/postgres image creates them with hardcoded defaults;
-- this overrides them so services connect with POSTGRES_PASSWORD.
ALTER ROLE authenticator WITH PASSWORD '${PASS}';
ALTER ROLE supabase_auth_admin WITH PASSWORD '${PASS}';
ALTER ROLE supabase_replication_admin WITH PASSWORD '${PASS}';
ALTER ROLE supabase_storage_admin WITH PASSWORD '${PASS}';
ALTER ROLE pgbouncer WITH PASSWORD '${PASS}';
-- Create the _realtime schema required by supabase/realtime
CREATE SCHEMA IF NOT EXISTS _realtime;
GRANT ALL ON SCHEMA _realtime TO supabase_replication_admin;
ALTER ROLE supabase_replication_admin SET search_path TO _realtime;
EOSQL
echo "==> db-init: role passwords and schemas configured"

View File

@@ -0,0 +1,11 @@
-- Set passwords for Supabase internal roles to match POSTGRES_PASSWORD.
-- The supabase/postgres image creates these roles with hardcoded default passwords;
-- this script overrides them so all services can authenticate with POSTGRES_PASSWORD.
-- Runs once on first container start (docker-entrypoint-initdb.d).
-- Must run as supabase_admin (superuser) which this image uses for initdb scripts.
ALTER ROLE authenticator WITH PASSWORD 'REPLACE_PASSWORD';
ALTER ROLE supabase_auth_admin WITH PASSWORD 'REPLACE_PASSWORD';
ALTER ROLE supabase_replication_admin WITH PASSWORD 'REPLACE_PASSWORD';
ALTER ROLE supabase_storage_admin WITH PASSWORD 'REPLACE_PASSWORD';
ALTER ROLE pgbouncer WITH PASSWORD 'REPLACE_PASSWORD';

View File

@@ -0,0 +1,231 @@
name: colectivo-dev
# Self-hosted Supabase stack + Keycloak for local development.
# Based on: https://github.com/supabase/supabase/tree/master/docker
#
# Start: just dev
# Stop: just dev-stop
# Reset: just dev-clean (drops volumes)
services:
# ── PostgreSQL 15 ───────────────────────────────────────────────────────────
db:
image: supabase/postgres:15.1.1.78
restart: unless-stopped
healthcheck:
test: pg_isready -U postgres -h localhost
interval: 5s
timeout: 5s
retries: 10
ports:
- "5432:5432"
environment:
POSTGRES_HOST: /var/run/postgresql
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
JWT_SECRET: ${SUPABASE_JWT_SECRET}
JWT_EXP: 3600
volumes:
- db-data:/var/lib/postgresql/data
# Sets internal role passwords to POSTGRES_PASSWORD on first init.
- ./db-init:/docker-entrypoint-initdb.d:ro
# ── GoTrue (Supabase Auth) ──────────────────────────────────────────────────
auth:
image: supabase/gotrue:v2.158.1
restart: unless-stopped
depends_on:
db:
condition: service_healthy
environment:
GOTRUE_API_HOST: "0.0.0.0"
GOTRUE_API_PORT: 9999
API_EXTERNAL_URL: ${PUBLIC_APP_URL:-http://localhost:5173}
GOTRUE_API_EXTERNAL_URL: ${PUBLIC_APP_URL:-http://localhost:5173}
GOTRUE_DB_DRIVER: postgres
GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD:-postgres}@db:5432/postgres
GOTRUE_SITE_URL: ${PUBLIC_APP_URL:-http://localhost:5173}
GOTRUE_JWT_SECRET: ${SUPABASE_JWT_SECRET}
GOTRUE_JWT_EXP: 3600
GOTRUE_DISABLE_SIGNUP: "true"
# OIDC: Keycloak as external provider
GOTRUE_EXTERNAL_KEYCLOAK_ENABLED: "true"
GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID:-colectivo-web}
GOTRUE_EXTERNAL_KEYCLOAK_SECRET: ""
GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI: ${PUBLIC_APP_URL:-http://localhost:5173}/auth/callback
GOTRUE_MAILER_AUTOCONFIRM: "true"
# ── PostgREST ───────────────────────────────────────────────────────────────
rest:
image: postgrest/postgrest:v12.2.0
restart: unless-stopped
depends_on:
db:
condition: service_healthy
environment:
PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD:-postgres}@db:5432/postgres
PGRST_DB_SCHEMAS: public,storage,graphql_public
PGRST_DB_ANON_ROLE: anon
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
PGRST_DB_USE_LEGACY_GUCS: "false"
PGRST_APP_SETTINGS_JWT_SECRET: ${SUPABASE_JWT_SECRET}
PGRST_APP_SETTINGS_JWT_EXP: 3600
# ── Realtime ─────────────────────────────────────────────────────────────────
realtime:
image: supabase/realtime:v2.83.0
restart: unless-stopped
depends_on:
db:
condition: service_healthy
environment:
PORT: 4000
DB_HOST: db
DB_PORT: 5432
DB_USER: supabase_replication_admin
DB_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
DB_NAME: postgres
DB_AFTER_CONNECT_QUERY: SET search_path TO _realtime
DB_ENC_KEY: supabaserealtime
API_JWT_SECRET: ${SUPABASE_JWT_SECRET}
FLY_ALLOC_ID: fly123
FLY_APP_NAME: realtime
APP_NAME: realtime
SECRET_KEY_BASE: UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3bhZkeYTvU
ERL_AFLAGS: -proto_dist inet_tcp
ENABLE_TAILSCALE: "false"
DNS_NODES: "''"
RLIMIT_NOFILE: ""
METRICS_JWT_SECRET: ${SUPABASE_JWT_SECRET}
MAX_HEADER_LENGTH: 4096
command: sh -c "/app/bin/migrate && /app/bin/realtime eval 'Realtime.Release.seeds(Realtime.Repo)' && /app/bin/server"
# ── Storage ──────────────────────────────────────────────────────────────────
storage:
image: supabase/storage-api:v1.11.13
restart: unless-stopped
depends_on:
db:
condition: service_healthy
rest:
condition: service_started
environment:
ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
POSTGREST_URL: http://rest:3000
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD:-postgres}@db:5432/postgres
FILE_SIZE_LIMIT: 52428800
STORAGE_BACKEND: file
FILE_STORAGE_BACKEND_PATH: /var/lib/storage
TENANT_ID: stub
REGION: local
GLOBAL_S3_BUCKET: stub
ENABLE_IMAGE_TRANSFORMATION: "true"
IMGPROXY_URL: http://imgproxy:5001
volumes:
- storage-data:/var/lib/storage
# ── ImgProxy (image transformations for Storage) ──────────────────────────
imgproxy:
image: darthsim/imgproxy:v3.8.0
restart: unless-stopped
environment:
IMGPROXY_BIND: ":5001"
IMGPROXY_LOCAL_FILESYSTEM_ROOT: /
IMGPROXY_USE_ETAG: "true"
IMGPROXY_ENABLE_WEBP_DETECTION: "true"
volumes:
- storage-data:/var/lib/storage:ro
# ── Kong (API Gateway) ────────────────────────────────────────────────────
kong:
image: kong:2.8.1
restart: unless-stopped
ports:
- "8001:8000" # HTTP API (8000 may conflict; use http://localhost:8001)
- "8443:8443" # HTTPS API
depends_on:
db:
condition: service_healthy
environment:
KONG_DATABASE: "off"
KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml
KONG_DNS_ORDER: LAST,A,CNAME
KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth
KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
volumes:
- ./kong.yml:/home/kong/kong.yml:ro
# ── Supabase Studio ───────────────────────────────────────────────────────
studio:
image: supabase/studio:2026.04.08-sha-205cbe7
restart: unless-stopped
ports:
- "54323:3000"
# Override the built-in healthcheck (it uses node fetch which fails inside the container).
# The studio works fine; this just prevents a misleading "unhealthy" status.
healthcheck:
test: ["CMD-SHELL", "curl -sf http://localhost:3000/api/platform/profile || exit 1"]
interval: 10s
timeout: 5s
retries: 5
start_period: 20s
depends_on:
db:
condition: service_healthy
environment:
STUDIO_PG_META_URL: http://meta:8080
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
DEFAULT_ORGANIZATION_NAME: Colectivo
DEFAULT_PROJECT_NAME: colectivo-dev
SUPABASE_URL: http://kong:8000
SUPABASE_PUBLIC_URL: ${PUBLIC_SUPABASE_URL:-http://localhost:8001}
SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
AUTH_JWT_SECRET: ${SUPABASE_JWT_SECRET}
LOGFLARE_API_KEY: ""
LOGFLARE_URL: http://analytics:4000
NEXT_PUBLIC_ENABLE_LOGS: "true"
NEXT_ANALYTICS_BACKEND_PROVIDER: postgres
# ── pg-meta (metadata API for Studio) ───────────────────────────────────
meta:
image: supabase/postgres-meta:v0.83.2
restart: unless-stopped
depends_on:
db:
condition: service_healthy
environment:
PG_META_PORT: 8080
PG_META_DB_HOST: db
PG_META_DB_PORT: 5432
PG_META_DB_NAME: postgres
PG_META_DB_USER: supabase
PG_META_DB_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
# ── Keycloak 24 ──────────────────────────────────────────────────────────
keycloak:
image: quay.io/keycloak/keycloak:24.0.5
restart: unless-stopped
ports:
- "8080:8080"
command: start-dev --import-realm
environment:
KC_DB: dev-file
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
KC_HTTP_PORT: 8080
KC_HOSTNAME_STRICT: "false"
KC_HOSTNAME_STRICT_HTTPS: "false"
volumes:
- keycloak-data:/opt/keycloak/data
- ../keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
volumes:
db-data:
storage-data:
keycloak-data:

View File

@@ -0,0 +1,233 @@
name: colectivo-prod
# Production stack. nginx is managed externally (not in this compose file).
# All services are on the internal `colectivo` network only — no ports exposed
# except Kong (proxied by nginx).
#
# Deploy: just deploy
# Logs: just logs
services:
# ── PostgreSQL 15 ───────────────────────────────────────────────────────────
db:
image: supabase/postgres:15.1.1.78
restart: always
healthcheck:
test: pg_isready -U postgres -h localhost
interval: 10s
timeout: 5s
retries: 10
environment:
POSTGRES_HOST: /var/run/postgresql
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
JWT_SECRET: ${SUPABASE_JWT_SECRET}
JWT_EXP: 3600
volumes:
- db-data:/var/lib/postgresql/data
- ./volumes/db/init:/docker-entrypoint-initdb.d:ro
networks:
- colectivo
# ── GoTrue ─────────────────────────────────────────────────────────────────
auth:
image: supabase/gotrue:v2.158.1
restart: always
depends_on:
db:
condition: service_healthy
environment:
GOTRUE_API_HOST: "0.0.0.0"
GOTRUE_API_PORT: 9999
GOTRUE_DB_DRIVER: postgres
GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD}@db:5432/postgres
GOTRUE_SITE_URL: ${PUBLIC_APP_URL}
GOTRUE_JWT_SECRET: ${SUPABASE_JWT_SECRET}
GOTRUE_JWT_EXP: 3600
GOTRUE_DISABLE_SIGNUP: "true"
GOTRUE_MAILER_AUTOCONFIRM: "false"
GOTRUE_SMTP_HOST: smtp.resend.com
GOTRUE_SMTP_PORT: 587
GOTRUE_SMTP_USER: resend
GOTRUE_SMTP_PASS: ${RESEND_API_KEY}
GOTRUE_SMTP_ADMIN_EMAIL: ${RESEND_FROM_EMAIL}
networks:
- colectivo
# ── PostgREST ───────────────────────────────────────────────────────────────
rest:
image: postgrest/postgrest:v12.2.0
restart: always
depends_on:
db:
condition: service_healthy
environment:
PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@db:5432/postgres
PGRST_DB_SCHEMAS: public,storage,graphql_public
PGRST_DB_ANON_ROLE: anon
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
PGRST_DB_USE_LEGACY_GUCS: "false"
PGRST_APP_SETTINGS_JWT_SECRET: ${SUPABASE_JWT_SECRET}
PGRST_APP_SETTINGS_JWT_EXP: 3600
networks:
- colectivo
# ── Realtime ─────────────────────────────────────────────────────────────────
realtime:
image: supabase/realtime:v2.30.23
restart: always
depends_on:
db:
condition: service_healthy
environment:
PORT: 4000
DB_HOST: db
DB_PORT: 5432
DB_USER: supabase_replication_admin
DB_PASSWORD: ${POSTGRES_PASSWORD}
DB_NAME: postgres
DB_AFTER_CONNECT_QUERY: SET search_path TO _realtime
DB_ENC_KEY: ${REALTIME_ENC_KEY}
API_JWT_SECRET: ${SUPABASE_JWT_SECRET}
FLY_ALLOC_ID: fly123
FLY_APP_NAME: realtime
SECRET_KEY_BASE: ${REALTIME_SECRET_KEY_BASE}
ERL_AFLAGS: -proto_dist inet_tcp
ENABLE_TAILSCALE: "false"
DNS_NODES: "''"
command: sh -c "/app/bin/migrate && /app/bin/realtime eval 'Realtime.Release.seeds(Realtime.Repo)' && /app/bin/server"
networks:
- colectivo
# ── Storage ──────────────────────────────────────────────────────────────────
storage:
image: supabase/storage-api:v1.11.13
restart: always
depends_on:
db:
condition: service_healthy
rest:
condition: service_started
environment:
ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
POSTGREST_URL: http://rest:3000
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD}@db:5432/postgres
FILE_SIZE_LIMIT: 52428800
STORAGE_BACKEND: file
FILE_STORAGE_BACKEND_PATH: /var/lib/storage
TENANT_ID: colectivo-prod
REGION: local
GLOBAL_S3_BUCKET: stub
ENABLE_IMAGE_TRANSFORMATION: "true"
IMGPROXY_URL: http://imgproxy:5001
volumes:
- storage-data:/var/lib/storage
networks:
- colectivo
# ── ImgProxy ─────────────────────────────────────────────────────────────
imgproxy:
image: darthsim/imgproxy:v3.8.0
restart: always
environment:
IMGPROXY_BIND: ":5001"
IMGPROXY_LOCAL_FILESYSTEM_ROOT: /
IMGPROXY_USE_ETAG: "true"
IMGPROXY_ENABLE_WEBP_DETECTION: "true"
volumes:
- storage-data:/var/lib/storage:ro
networks:
- colectivo
# ── Kong (API Gateway) ─────────────────────────────────────────────────────
# nginx proxies :80/:443 → Kong :8000
kong:
image: kong:2.8.1
restart: always
ports:
- "127.0.0.1:8000:8000" # localhost only — nginx handles TLS termination
depends_on:
db:
condition: service_healthy
environment:
KONG_DATABASE: "off"
KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml
KONG_DNS_ORDER: LAST,A,CNAME
KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth
KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
volumes:
- ./kong.yml:/home/kong/kong.yml:ro
networks:
- colectivo
# ── pg-meta ───────────────────────────────────────────────────────────────
meta:
image: supabase/postgres-meta:v0.83.2
restart: always
depends_on:
db:
condition: service_healthy
environment:
PG_META_PORT: 8080
PG_META_DB_HOST: db
PG_META_DB_PORT: 5432
PG_META_DB_NAME: postgres
PG_META_DB_USER: supabase
PG_META_DB_PASSWORD: ${POSTGRES_PASSWORD}
networks:
- colectivo
# ── Keycloak 24 ──────────────────────────────────────────────────────────
# nginx proxies auth.yourdomain.com → keycloak :8080
# IMPORTANT: X-Forwarded-Host and X-Forwarded-Port headers must be set by nginx
# or Keycloak will build redirect URIs with internal port 8080.
keycloak:
image: quay.io/keycloak/keycloak:24.0.5
restart: always
ports:
- "127.0.0.1:8081:8080" # localhost only — nginx proxies auth.* subdomain
command: start --optimized
environment:
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://db:5432/keycloak
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
KC_HOSTNAME: ${KEYCLOAK_HOSTNAME}
KC_HOSTNAME_STRICT: "true"
KC_PROXY: edge
KC_HTTP_ENABLED: "true"
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
KC_FEATURES: token-exchange
networks:
- colectivo
# ── App (SvelteKit Node server) ───────────────────────────────────────────
app:
image: ghcr.io/${GITHUB_REPOSITORY}/colectivo-web:${IMAGE_TAG:-latest}
restart: always
ports:
- "127.0.0.1:3000:3000" # localhost only — nginx proxies app.* → here
environment:
PUBLIC_SUPABASE_URL: ${PUBLIC_SUPABASE_URL}
PUBLIC_SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
PUBLIC_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL}
PUBLIC_KEYCLOAK_REALM: ${PUBLIC_KEYCLOAK_REALM}
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
PUBLIC_APP_URL: ${PUBLIC_APP_URL}
NODE_ENV: production
networks:
- colectivo
networks:
colectivo:
driver: bridge
volumes:
db-data:
storage-data:

94
infra/kong.yml Normal file
View File

@@ -0,0 +1,94 @@
_format_version: "1.1"
# Kong declarative config for local dev.
# Routes: /rest/ → postgrest, /auth/ → gotrue, /storage/ → storage-api,
# /realtime/ → realtime, /functions/ → edge-runtime
services:
- name: auth-v1
url: http://auth:9999/
routes:
- name: auth-v1-all
strip_path: true
paths:
- /auth/v1/
plugins:
- name: cors
- name: rest-v1
url: http://rest:3000/
routes:
- name: rest-v1-all
strip_path: true
paths:
- /rest/v1/
plugins:
- name: cors
- name: key-auth
config:
hide_credentials: false
- name: acl
config:
hide_groups_header: true
allow:
- anon
- service
- name: graphql-v1
url: http://rest:3000/rpc/graphql
routes:
- name: graphql-v1-all
strip_path: true
paths:
- /graphql/v1
plugins:
- name: cors
- name: key-auth
config:
hide_credentials: false
- name: request-transformer
config:
add:
headers:
- Content-Profile:graphql_public
- name: realtime-v1
url: http://realtime:4000/socket
routes:
- name: realtime-v1-all
strip_path: true
paths:
- /realtime/v1/
plugins:
- name: cors
- name: storage-v1
url: http://storage:5000/
routes:
- name: storage-v1-all
strip_path: true
paths:
- /storage/v1/
plugins:
- name: cors
- name: meta
url: http://meta:8080/
routes:
- name: meta-all
strip_path: true
paths:
- /pg/
consumers:
- username: anon
keyauth_credentials:
- key: ${SUPABASE_ANON_KEY}
acls:
- group: anon
- username: service_role
keyauth_credentials:
- key: ${SUPABASE_SERVICE_KEY}
acls:
- group: service

27
infra/scripts/backup-cron.sh Executable file
View File

@@ -0,0 +1,27 @@
#!/usr/bin/env bash
# backup-cron.sh — intended to be run by cron on the production host.
# Example crontab entry (daily at 03:00 UTC):
# 0 3 * * * /opt/colectivo/infra/scripts/backup-cron.sh >> /var/log/colectivo-backup.log 2>&1
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
LOG_PREFIX="[$(date -u +"%Y-%m-%dT%H:%M:%SZ")] backup-cron:"
# Load env vars from the production .env
if [ -f "$SCRIPT_DIR/../../.env" ]; then
# shellcheck disable=SC1091
set -a; source "$SCRIPT_DIR/../../.env"; set +a
fi
echo "$LOG_PREFIX Starting scheduled backup"
"$SCRIPT_DIR/backup.sh" supabase
echo "$LOG_PREFIX PostgreSQL backup done"
"$SCRIPT_DIR/backup.sh" keycloak
echo "$LOG_PREFIX Keycloak backup done"
# Prune local temp files older than 1 day
find /tmp/colectivo-backups -type f -mtime +1 -delete 2>/dev/null || true
echo "$LOG_PREFIX All done"

49
infra/scripts/backup.sh Executable file
View File

@@ -0,0 +1,49 @@
#!/usr/bin/env bash
# backup.sh — manual backup of a service
# Usage: just backup supabase
# Uploads a timestamped dump to Backblaze B2.
set -euo pipefail
SERVICE="${1:-supabase}"
TIMESTAMP=$(date -u +"%Y%m%dT%H%M%SZ")
BACKUP_DIR="${BACKUP_DIR:-/tmp/colectivo-backups}"
mkdir -p "$BACKUP_DIR"
case "$SERVICE" in
supabase|postgres|db)
DUMP_FILE="$BACKUP_DIR/postgres-$TIMESTAMP.dump"
echo "==> Dumping PostgreSQL → $DUMP_FILE"
docker compose -f "$(dirname "$0")/../docker-compose.prod.yml" exec -T db \
pg_dumpall -U postgres --clean --if-exists \
| gzip > "$DUMP_FILE.gz"
DUMP_FILE="$DUMP_FILE.gz"
;;
keycloak)
DUMP_FILE="$BACKUP_DIR/keycloak-$TIMESTAMP.json"
echo "==> Exporting Keycloak realm → $DUMP_FILE"
docker compose -f "$(dirname "$0")/../docker-compose.prod.yml" exec keycloak \
/opt/keycloak/bin/kc.sh export \
--realm colectivo \
--users realm_file \
--file /tmp/kc-export.json
docker compose -f "$(dirname "$0")/../docker-compose.prod.yml" cp \
keycloak:/tmp/kc-export.json "$DUMP_FILE"
gzip "$DUMP_FILE"
DUMP_FILE="$DUMP_FILE.gz"
;;
*)
echo "Unknown service: $SERVICE. Use 'supabase' or 'keycloak'." >&2
exit 1
;;
esac
echo "==> Uploading $(basename "$DUMP_FILE") to B2 bucket: ${B2_BUCKET_NAME}"
b2 file upload \
--contentType application/octet-stream \
"$B2_BUCKET_NAME" \
"$DUMP_FILE" \
"backups/$(basename "$DUMP_FILE")"
echo "==> Backup complete: $(basename "$DUMP_FILE")"
rm -f "$DUMP_FILE"

53
infra/scripts/deploy.sh Executable file
View File

@@ -0,0 +1,53 @@
#!/usr/bin/env bash
# deploy.sh — deploy to production via SSH
# Called by: just deploy
#
# Prerequisites:
# - DEPLOY_HOST and DEPLOY_PATH set in .env
# - SSH key configured for passwordless access
# - Docker image already pushed to GHCR (done by CI)
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# Load env
if [ -f "$SCRIPT_DIR/../../.env" ]; then
# shellcheck disable=SC1091
set -a; source "$SCRIPT_DIR/../../.env"; set +a
fi
DEPLOY_HOST="${DEPLOY_HOST:?Set DEPLOY_HOST in .env}"
DEPLOY_PATH="${DEPLOY_PATH:-/opt/colectivo}"
IMAGE_TAG="${IMAGE_TAG:-latest}"
echo "==> Deploying colectivo to $DEPLOY_HOST:$DEPLOY_PATH (tag: $IMAGE_TAG)"
# 1. Copy compose file and scripts to server
rsync -az --delete \
"$SCRIPT_DIR/../docker-compose.prod.yml" \
"$SCRIPT_DIR/../kong.yml" \
"$DEPLOY_HOST:$DEPLOY_PATH/infra/"
# 2. SSH: pull image, restart services with zero downtime
ssh "$DEPLOY_HOST" bash -s << EOF
set -euo pipefail
cd "$DEPLOY_PATH"
echo "--- Pulling latest image (tag: $IMAGE_TAG)"
IMAGE_TAG="$IMAGE_TAG" docker compose -f infra/docker-compose.prod.yml pull app
echo "--- Rolling restart of app service"
IMAGE_TAG="$IMAGE_TAG" docker compose -f infra/docker-compose.prod.yml up -d --no-deps app
echo "--- Running pending DB migrations"
docker compose -f infra/docker-compose.prod.yml exec -T db \
psql -U postgres -f /docker-entrypoint-initdb.d/migrations.sql 2>/dev/null || true
echo "--- Pruning old images"
docker image prune -f
echo "--- Deploy done"
EOF
echo "==> Deployment complete"

37
infra/scripts/restore.sh Executable file
View File

@@ -0,0 +1,37 @@
#!/usr/bin/env bash
# restore.sh — restore a backup file to a service
# Usage: just restore supabase backups/postgres-20240101T030000Z.dump.gz
#
# WARNING: This is destructive. It will drop and re-create the database.
# Only run on a stopped or isolated instance.
set -euo pipefail
SERVICE="${1:?Usage: restore.sh <service> <file>}"
FILE="${2:?Usage: restore.sh <service> <file>}"
if [ ! -f "$FILE" ]; then
echo "File not found: $FILE" >&2
exit 1
fi
COMPOSE="docker compose -f $(dirname "$0")/../docker-compose.prod.yml"
case "$SERVICE" in
supabase|postgres|db)
echo "==> Restoring PostgreSQL from $FILE"
echo " WARNING: This will overwrite all data. Press Ctrl-C within 5s to abort."
sleep 5
if [[ "$FILE" == *.gz ]]; then
gunzip -c "$FILE" | $COMPOSE exec -T db psql -U postgres
else
$COMPOSE exec -T db psql -U postgres < "$FILE"
fi
echo "==> Restore complete"
;;
*)
echo "Unknown service: $SERVICE. Use 'supabase'." >&2
exit 1
;;
esac