deploy(prod): swap NetBird-Traefik labels for off-stack proxy + internal Caddy
The stack no longer talks to any specific external proxy. Removed traefik.* labels and the shared `traefik` external network from kong + app, and dropped TRAEFIK_NETWORK / TRAEFIK_ENTRYPOINT / TRAEFIK_CERTRESOLVER from the .env template and the deploy-script bootstrap. Internal edge is a `caddy:2-alpine` container on the `colectivo` network, publishing host port 3000. `infra/Caddyfile.erosi` does the path split: /rest|/auth|/realtime|/storage|/graphql|/pg -> kong:8000, everything else -> app:3000. Global block sets `auto_https off` + `admin off` so :3000 is the only listener. Whatever proxy fronts the host (NetBird's Traefik, nginx, anything) just terminates TLS for erosi.limonia.net and forwards plain HTTP to ambrosio:3000. Off-stack and out of this repo. Docs (CLAUDE.md + docs/deployment.md) updated to describe the two-layer edge. Includes the gotcha that bind-mounted file edits (Caddyfile) need `docker compose restart caddy` since `up -d` won't recreate the container on file-only changes. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -9,13 +9,14 @@
|
||||
# 1. rsyncs repo → ambrosio:/opt/colectivo/
|
||||
# 2. if .env doesn't exist on server, generates secrets and writes it with
|
||||
# placeholder values the operator must fill in (external Keycloak URL,
|
||||
# Keycloak client secret, Traefik network name)
|
||||
# Keycloak client secret)
|
||||
# 3. docker compose build + up -d
|
||||
# 4. applies DB migrations
|
||||
#
|
||||
# TLS + routing is handled by Traefik (deployed by NetBird's self-hosted
|
||||
# installer on ambrosio). This script never touches /etc/caddy/* or any host
|
||||
# reverse-proxy config — it only manages the Docker stack.
|
||||
# Internal edge is a Caddy container listening on host port 3000 — the
|
||||
# external proxy (TLS terminator, off-stack) forwards plain HTTP to
|
||||
# ambrosio:3000. This script never touches the host reverse-proxy config —
|
||||
# it only manages the Docker stack.
|
||||
#
|
||||
# Subsequent runs: rsync + rebuild app + rolling restart.
|
||||
|
||||
@@ -77,13 +78,6 @@ PUBLIC_KEYCLOAK_REALM=colectivo
|
||||
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
|
||||
KEYCLOAK_CLIENT_SECRET=FILL_IN_CLIENT_SECRET
|
||||
|
||||
# Traefik (deployed by NetBird's self-hosted installer on ambrosio).
|
||||
# FILL_IN the network name the installer asked you for; defaults for
|
||||
# entrypoint + certresolver match NetBird's typical setup.
|
||||
TRAEFIK_NETWORK=FILL_IN_TRAEFIK_NETWORK
|
||||
TRAEFIK_ENTRYPOINT=websecure
|
||||
TRAEFIK_CERTRESOLVER=letsencrypt
|
||||
|
||||
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
|
||||
|
||||
SUPABASE_JWT_SECRET=$SUPABASE_JWT_SECRET
|
||||
@@ -95,17 +89,16 @@ REALTIME_SECRET_KEY_BASE=$REALTIME_SECRET_KEY_BASE
|
||||
EOF
|
||||
chmod 600 .env
|
||||
echo "--- Wrote .env (mode 600)."
|
||||
echo " Fill in: PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK"
|
||||
echo " Fill in: PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET"
|
||||
echo " then re-run this script."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Every deploy: fail fast if the operator didn't finish the .env.
|
||||
if grep -q '^PUBLIC_KEYCLOAK_URL=FILL_IN_' .env \
|
||||
|| grep -q '^KEYCLOAK_CLIENT_SECRET=FILL_IN_' .env \
|
||||
|| grep -q '^TRAEFIK_NETWORK=FILL_IN_' .env; then
|
||||
|| grep -q '^KEYCLOAK_CLIENT_SECRET=FILL_IN_' .env; then
|
||||
echo "ERROR: /opt/colectivo/.env still contains FILL_IN_ placeholders." >&2
|
||||
echo " Fill in PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK and retry." >&2
|
||||
echo " Fill in PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET and retry." >&2
|
||||
exit 1
|
||||
fi
|
||||
REMOTE
|
||||
|
||||
Reference in New Issue
Block a user