Fase 0: scaffold monorepo, SvelteKit skeleton, and dev infrastructure
- Turborepo + pnpm workspaces with apps/web and packages/types - SvelteKit app: Tailwind, Paraglide i18n (en/es), keycloak-js, Supabase client, auth/collective stores, PWA service worker skeleton, all route placeholders - packages/types: domain types (User, Collective, ShoppingList, etc.) and database.ts placeholder for generated types - Justfile with dev, db-*, kc-*, build, backup, restore, deploy recipes - infra/docker-compose.dev.yml: Postgres 15, GoTrue, PostgREST, Realtime v2.83, Storage, Kong (port 8001), Studio, Keycloak 24 - infra/docker-compose.prod.yml, kong.yml, db-init scripts, backup/deploy scripts - keycloak/realm-export.json with colectivo realm and 5 dev test users - supabase/config.toml and seed.sql with sample collective and items - GitHub Actions: ci.yml (lint+typecheck+build) and deploy.yml (GHCR + SSH) - .env.example documenting all required variables - Fixed docker-compose issues: Studio image tag, Kong port conflict (8001), internal role passwords init script, Realtime METRICS_JWT_SECRET/APP_NAME Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
233
infra/docker-compose.prod.yml
Normal file
233
infra/docker-compose.prod.yml
Normal file
@@ -0,0 +1,233 @@
|
||||
name: colectivo-prod
|
||||
|
||||
# Production stack. nginx is managed externally (not in this compose file).
|
||||
# All services are on the internal `colectivo` network only — no ports exposed
|
||||
# except Kong (proxied by nginx).
|
||||
#
|
||||
# Deploy: just deploy
|
||||
# Logs: just logs
|
||||
|
||||
services:
|
||||
|
||||
# ── PostgreSQL 15 ───────────────────────────────────────────────────────────
|
||||
db:
|
||||
image: supabase/postgres:15.1.1.78
|
||||
restart: always
|
||||
healthcheck:
|
||||
test: pg_isready -U postgres -h localhost
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 10
|
||||
environment:
|
||||
POSTGRES_HOST: /var/run/postgresql
|
||||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
|
||||
JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
JWT_EXP: 3600
|
||||
volumes:
|
||||
- db-data:/var/lib/postgresql/data
|
||||
- ./volumes/db/init:/docker-entrypoint-initdb.d:ro
|
||||
networks:
|
||||
- colectivo
|
||||
|
||||
# ── GoTrue ─────────────────────────────────────────────────────────────────
|
||||
auth:
|
||||
image: supabase/gotrue:v2.158.1
|
||||
restart: always
|
||||
depends_on:
|
||||
db:
|
||||
condition: service_healthy
|
||||
environment:
|
||||
GOTRUE_API_HOST: "0.0.0.0"
|
||||
GOTRUE_API_PORT: 9999
|
||||
GOTRUE_DB_DRIVER: postgres
|
||||
GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD}@db:5432/postgres
|
||||
GOTRUE_SITE_URL: ${PUBLIC_APP_URL}
|
||||
GOTRUE_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
GOTRUE_JWT_EXP: 3600
|
||||
GOTRUE_DISABLE_SIGNUP: "true"
|
||||
GOTRUE_MAILER_AUTOCONFIRM: "false"
|
||||
GOTRUE_SMTP_HOST: smtp.resend.com
|
||||
GOTRUE_SMTP_PORT: 587
|
||||
GOTRUE_SMTP_USER: resend
|
||||
GOTRUE_SMTP_PASS: ${RESEND_API_KEY}
|
||||
GOTRUE_SMTP_ADMIN_EMAIL: ${RESEND_FROM_EMAIL}
|
||||
networks:
|
||||
- colectivo
|
||||
|
||||
# ── PostgREST ───────────────────────────────────────────────────────────────
|
||||
rest:
|
||||
image: postgrest/postgrest:v12.2.0
|
||||
restart: always
|
||||
depends_on:
|
||||
db:
|
||||
condition: service_healthy
|
||||
environment:
|
||||
PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@db:5432/postgres
|
||||
PGRST_DB_SCHEMAS: public,storage,graphql_public
|
||||
PGRST_DB_ANON_ROLE: anon
|
||||
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
PGRST_DB_USE_LEGACY_GUCS: "false"
|
||||
PGRST_APP_SETTINGS_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
PGRST_APP_SETTINGS_JWT_EXP: 3600
|
||||
networks:
|
||||
- colectivo
|
||||
|
||||
# ── Realtime ─────────────────────────────────────────────────────────────────
|
||||
realtime:
|
||||
image: supabase/realtime:v2.30.23
|
||||
restart: always
|
||||
depends_on:
|
||||
db:
|
||||
condition: service_healthy
|
||||
environment:
|
||||
PORT: 4000
|
||||
DB_HOST: db
|
||||
DB_PORT: 5432
|
||||
DB_USER: supabase_replication_admin
|
||||
DB_PASSWORD: ${POSTGRES_PASSWORD}
|
||||
DB_NAME: postgres
|
||||
DB_AFTER_CONNECT_QUERY: SET search_path TO _realtime
|
||||
DB_ENC_KEY: ${REALTIME_ENC_KEY}
|
||||
API_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
FLY_ALLOC_ID: fly123
|
||||
FLY_APP_NAME: realtime
|
||||
SECRET_KEY_BASE: ${REALTIME_SECRET_KEY_BASE}
|
||||
ERL_AFLAGS: -proto_dist inet_tcp
|
||||
ENABLE_TAILSCALE: "false"
|
||||
DNS_NODES: "''"
|
||||
command: sh -c "/app/bin/migrate && /app/bin/realtime eval 'Realtime.Release.seeds(Realtime.Repo)' && /app/bin/server"
|
||||
networks:
|
||||
- colectivo
|
||||
|
||||
# ── Storage ──────────────────────────────────────────────────────────────────
|
||||
storage:
|
||||
image: supabase/storage-api:v1.11.13
|
||||
restart: always
|
||||
depends_on:
|
||||
db:
|
||||
condition: service_healthy
|
||||
rest:
|
||||
condition: service_started
|
||||
environment:
|
||||
ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||
SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
|
||||
POSTGREST_URL: http://rest:3000
|
||||
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
|
||||
DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD}@db:5432/postgres
|
||||
FILE_SIZE_LIMIT: 52428800
|
||||
STORAGE_BACKEND: file
|
||||
FILE_STORAGE_BACKEND_PATH: /var/lib/storage
|
||||
TENANT_ID: colectivo-prod
|
||||
REGION: local
|
||||
GLOBAL_S3_BUCKET: stub
|
||||
ENABLE_IMAGE_TRANSFORMATION: "true"
|
||||
IMGPROXY_URL: http://imgproxy:5001
|
||||
volumes:
|
||||
- storage-data:/var/lib/storage
|
||||
networks:
|
||||
- colectivo
|
||||
|
||||
# ── ImgProxy ─────────────────────────────────────────────────────────────
|
||||
imgproxy:
|
||||
image: darthsim/imgproxy:v3.8.0
|
||||
restart: always
|
||||
environment:
|
||||
IMGPROXY_BIND: ":5001"
|
||||
IMGPROXY_LOCAL_FILESYSTEM_ROOT: /
|
||||
IMGPROXY_USE_ETAG: "true"
|
||||
IMGPROXY_ENABLE_WEBP_DETECTION: "true"
|
||||
volumes:
|
||||
- storage-data:/var/lib/storage:ro
|
||||
networks:
|
||||
- colectivo
|
||||
|
||||
# ── Kong (API Gateway) ─────────────────────────────────────────────────────
|
||||
# nginx proxies :80/:443 → Kong :8000
|
||||
kong:
|
||||
image: kong:2.8.1
|
||||
restart: always
|
||||
ports:
|
||||
- "127.0.0.1:8000:8000" # localhost only — nginx handles TLS termination
|
||||
depends_on:
|
||||
db:
|
||||
condition: service_healthy
|
||||
environment:
|
||||
KONG_DATABASE: "off"
|
||||
KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml
|
||||
KONG_DNS_ORDER: LAST,A,CNAME
|
||||
KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth
|
||||
KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
|
||||
KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
|
||||
SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||
SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
|
||||
volumes:
|
||||
- ./kong.yml:/home/kong/kong.yml:ro
|
||||
networks:
|
||||
- colectivo
|
||||
|
||||
# ── pg-meta ───────────────────────────────────────────────────────────────
|
||||
meta:
|
||||
image: supabase/postgres-meta:v0.83.2
|
||||
restart: always
|
||||
depends_on:
|
||||
db:
|
||||
condition: service_healthy
|
||||
environment:
|
||||
PG_META_PORT: 8080
|
||||
PG_META_DB_HOST: db
|
||||
PG_META_DB_PORT: 5432
|
||||
PG_META_DB_NAME: postgres
|
||||
PG_META_DB_USER: supabase
|
||||
PG_META_DB_PASSWORD: ${POSTGRES_PASSWORD}
|
||||
networks:
|
||||
- colectivo
|
||||
|
||||
# ── Keycloak 24 ──────────────────────────────────────────────────────────
|
||||
# nginx proxies auth.yourdomain.com → keycloak :8080
|
||||
# IMPORTANT: X-Forwarded-Host and X-Forwarded-Port headers must be set by nginx
|
||||
# or Keycloak will build redirect URIs with internal port 8080.
|
||||
keycloak:
|
||||
image: quay.io/keycloak/keycloak:24.0.5
|
||||
restart: always
|
||||
ports:
|
||||
- "127.0.0.1:8081:8080" # localhost only — nginx proxies auth.* subdomain
|
||||
command: start --optimized
|
||||
environment:
|
||||
KC_DB: postgres
|
||||
KC_DB_URL: jdbc:postgresql://db:5432/keycloak
|
||||
KC_DB_USERNAME: keycloak
|
||||
KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
|
||||
KC_HOSTNAME: ${KEYCLOAK_HOSTNAME}
|
||||
KC_HOSTNAME_STRICT: "true"
|
||||
KC_PROXY: edge
|
||||
KC_HTTP_ENABLED: "true"
|
||||
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
|
||||
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
|
||||
KC_FEATURES: token-exchange
|
||||
networks:
|
||||
- colectivo
|
||||
|
||||
# ── App (SvelteKit Node server) ───────────────────────────────────────────
|
||||
app:
|
||||
image: ghcr.io/${GITHUB_REPOSITORY}/colectivo-web:${IMAGE_TAG:-latest}
|
||||
restart: always
|
||||
ports:
|
||||
- "127.0.0.1:3000:3000" # localhost only — nginx proxies app.* → here
|
||||
environment:
|
||||
PUBLIC_SUPABASE_URL: ${PUBLIC_SUPABASE_URL}
|
||||
PUBLIC_SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY}
|
||||
PUBLIC_KEYCLOAK_URL: ${PUBLIC_KEYCLOAK_URL}
|
||||
PUBLIC_KEYCLOAK_REALM: ${PUBLIC_KEYCLOAK_REALM}
|
||||
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
|
||||
PUBLIC_APP_URL: ${PUBLIC_APP_URL}
|
||||
NODE_ENV: production
|
||||
networks:
|
||||
- colectivo
|
||||
|
||||
networks:
|
||||
colectivo:
|
||||
driver: bridge
|
||||
|
||||
volumes:
|
||||
db-data:
|
||||
storage-data:
|
||||
Reference in New Issue
Block a user