deploy(prod): swap NetBird-Traefik labels for off-stack proxy + internal Caddy

The stack no longer talks to any specific external proxy. Removed traefik.*
labels and the shared `traefik` external network from kong + app, and dropped
TRAEFIK_NETWORK / TRAEFIK_ENTRYPOINT / TRAEFIK_CERTRESOLVER from the .env
template and the deploy-script bootstrap.

Internal edge is a `caddy:2-alpine` container on the `colectivo` network,
publishing host port 3000. `infra/Caddyfile.erosi` does the path split:
/rest|/auth|/realtime|/storage|/graphql|/pg -> kong:8000, everything else
-> app:3000. Global block sets `auto_https off` + `admin off` so :3000 is
the only listener.

Whatever proxy fronts the host (NetBird's Traefik, nginx, anything) just
terminates TLS for erosi.limonia.net and forwards plain HTTP to
ambrosio:3000. Off-stack and out of this repo.

Docs (CLAUDE.md + docs/deployment.md) updated to describe the two-layer
edge. Includes the gotcha that bind-mounted file edits (Caddyfile) need
`docker compose restart caddy` since `up -d` won't recreate the container
on file-only changes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
2026-05-17 22:26:06 +02:00
parent dee9ee8014
commit d4a781ddcf
6 changed files with 58 additions and 59 deletions

View File

@@ -21,13 +21,11 @@ PUBLIC_KEYCLOAK_REALM=your-realm
PUBLIC_KEYCLOAK_CLIENT_ID=your-client-id PUBLIC_KEYCLOAK_CLIENT_ID=your-client-id
KEYCLOAK_CLIENT_SECRET=CHANGEME-paste-from-external-keycloak KEYCLOAK_CLIENT_SECRET=CHANGEME-paste-from-external-keycloak
# ── Traefik (deployed by NetBird's self-hosted installer on ambrosio) ────── # ── Reverse proxy ──────────────────────────────────────────────────────────
# Copy these three values from what you answered during the NetBird install. # TLS + outermost routing live outside this repo. The stack exposes a single
# The Docker network name is mandatory (Traefik auto-discovers our kong+app # host port (3000) where an internal Caddy fans out kong (Supabase API) vs
# via labels only when we join the same network). # app (SvelteKit). Configure whatever external proxy you use to terminate
TRAEFIK_NETWORK=netbird # HTTPS for PUBLIC_APP_URL and forward plain HTTP to ambrosio:3000.
TRAEFIK_ENTRYPOINT=websecure
TRAEFIK_CERTRESOLVER=letsencrypt
# ── Postgres (single password for all internal roles) ─────────────────────── # ── Postgres (single password for all internal roles) ───────────────────────
POSTGRES_PASSWORD=CHANGEME-strong-random-password POSTGRES_PASSWORD=CHANGEME-strong-random-password

View File

@@ -4,7 +4,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
## Project Status ## Project Status
**Fase 05 complete. Fase 6 complete (deploy readiness: PWA injectManifest SW + manifest + iOS meta tags + placeholder icons + Kong rate-limit on invitations + dev JWT rotation + prod env template + rls-audit.sh + Justfile lighthouse/rls-audit/test-rate-limit). Production stack deployed to ambrosio (OVH VPS) at https://erosi.limonia.net (app + Supabase, external Keycloak); TLS via Traefik (deployed by NetBird's self-hosted installer, Docker-provider with label-based routing); PWA strategy switched to generateSW to unblock the prod build (see the "injectManifest hardcoded filename" gotcha below). Fase 7 complete: 12 new Playwright tests fill the collective-flow UI gap (O-01..O-03 onboarding, I-01..I-05 invitation acceptance, MC-02..MC-05 admin-manage) — writing them surfaced + fixed three latent bugs in the product code (atomic `create_collective()` RPC, pendingInvitationToken restore after login, manage page not reloading on late $currentCollective hydration). Plus migration 013 (auth.users role/aud default trigger) — found after the first real self-registration on prod via Keycloak→GoTrue left the user with empty `role`/`aud` columns, breaking every REST call with `role "" does not exist`. Post-fase-7 prod auth hardening (2026-04-20..21, see `docs/history/fase-8-auth-logout.md`): migration 014 extends the role/aud guard to UPDATE (GoTrue's pop-ORM resends role='' right after the INSERT and clobbered the INSERT trigger's backfill); `logout()` now does RP-initiated Keycloak end-session + lands on a new public `/logged-out` route, which both actually ends the Keycloak SSO cookie (so the next login re-prompts) and closes a PKCE-verifier race that produced "PKCE code verifier not found in storage" on prod. 259 tests green: 45 pgTAP + 140 Vitest integration + 15 Vitest unit + 59 Playwright + 1 Vitest rate-limit (gated, run via `just test-rate-limit`). 3 skipped in `just test-all` (2 Realtime presence — upstream `handle_out/3` bug; 1 rate-limit — gated). Push notifications + CI Docker + final production icons deliberately out of scope. ✅** **Fase 05 complete. Fase 6 complete (deploy readiness: PWA injectManifest SW + manifest + iOS meta tags + placeholder icons + Kong rate-limit on invitations + dev JWT rotation + prod env template + rls-audit.sh + Justfile lighthouse/rls-audit/test-rate-limit). Production stack deployed to ambrosio (OVH VPS) at https://erosi.limonia.net (app + Supabase, external Keycloak); edge proxy now off-stack — internal Caddy fans kong/app on host port 3000, whatever external proxy fronts the host terminates TLS and forwards plain HTTP to ambrosio:3000 (originally NetBird's self-hosted Traefik, now proxy-agnostic); PWA strategy switched to generateSW to unblock the prod build (see the "injectManifest hardcoded filename" gotcha below). Fase 7 complete: 12 new Playwright tests fill the collective-flow UI gap (O-01..O-03 onboarding, I-01..I-05 invitation acceptance, MC-02..MC-05 admin-manage) — writing them surfaced + fixed three latent bugs in the product code (atomic `create_collective()` RPC, pendingInvitationToken restore after login, manage page not reloading on late $currentCollective hydration). Plus migration 013 (auth.users role/aud default trigger) — found after the first real self-registration on prod via Keycloak→GoTrue left the user with empty `role`/`aud` columns, breaking every REST call with `role "" does not exist`. Post-fase-7 prod auth hardening (2026-04-20..21, see `docs/history/fase-8-auth-logout.md`): migration 014 extends the role/aud guard to UPDATE (GoTrue's pop-ORM resends role='' right after the INSERT and clobbered the INSERT trigger's backfill); `logout()` now does RP-initiated Keycloak end-session + lands on a new public `/logged-out` route, which both actually ends the Keycloak SSO cookie (so the next login re-prompts) and closes a PKCE-verifier race that produced "PKCE code verifier not found in storage" on prod. 259 tests green: 45 pgTAP + 140 Vitest integration + 15 Vitest unit + 59 Playwright + 1 Vitest rate-limit (gated, run via `just test-rate-limit`). 3 skipped in `just test-all` (2 Realtime presence — upstream `handle_out/3` bug; 1 rate-limit — gated). Push notifications + CI Docker + final production icons deliberately out of scope. ✅**
## Documentation Map ## Documentation Map
@@ -165,10 +165,11 @@ Defined in `keycloak/realm-export.json` and `supabase/seed.sql`. All use passwor
- Push notifications require iOS 16.4+ and the PWA must be installed to the home screen. - Push notifications require iOS 16.4+ and the PWA must be installed to the home screen.
- Test the shopping session mode on a real iPhone during development, not only in DevTools. - Test the shopping session mode on a real iPhone during development, not only in DevTools.
**Traefik (prod) — WebSocket for Realtime:** **Edge proxy (prod):**
- Traefik routes `Host(erosi.limonia.net) && PathPrefix(/rest/v1, /auth/v1, /realtime/v1, ...)` to Kong via Docker-provider labels (priority 100); everything else on the same host falls through to the SvelteKit app (priority 1). Routing lives on the `kong` and `app` services' `labels:` block in `infra/docker-compose.erosi.yml` — no Traefik config files. NetBird's self-hosted installer (≥ v0.65) deploys Traefik with `--providers.docker=true` + `--providers.docker.exposedByDefault=false`, so our labeled services are auto-discovered on the `netbird_netbird` Docker network. - Two layers. Internal: a Caddy container on the `colectivo` Docker network listens on `:3000` (host port `3000:3000`) and does the path split — `/rest/v1`, `/auth/v1`, `/realtime/v1`, `/storage/v1`, `/graphql/v1`, `/pg``kong:8000`; everything else → `app:3000`. Config in `infra/Caddyfile.erosi`, mounted into `caddy:2-alpine`. Plain HTTP, no TLS, no Host matching. Global block sets `auto_https off` + `admin off` so the only socket is `:3000`.
- The HTTPS entrypoint needs `respondingTimeouts.idleTimeout` set to either `0` (unlimited, NetBird's default) or `≥3600s`. At the default ~180s, Realtime WebSockets drop mid-shopping-session and the client reconnects continuously. Verify with `docker inspect netbird-traefik --format '{{range .Args}}{{.}}{{"\n"}}{{end}}' | grep idleTimeout`. - External: TLS termination + outermost routing live outside this repo (originally NetBird's self-hosted Traefik on ambrosio, but the stack is proxy-agnostic now). Whatever fronts the host terminates `https://erosi.limonia.net` and forwards plain HTTP to `ambrosio:3000`. One upstream is enough — Caddy fans out internally.
- Traefik auto-sets `X-Forwarded-{Proto,Host,Port,For}` when `tls.certresolver` is configured on the router, so no extra middleware is needed for the app. - External proxy must allow long-lived idle WebSockets for Realtime (≥3600s, or unlimited). NetBird's default is `0` (unlimited). Symptom of too-short: client reconnects continuously mid-shopping-session.
- Bind-mounted files (Caddyfile, etc.) require `docker compose restart caddy` after editing. The deploy script's `up -d` only recreates services whose compose definition changed — a Caddyfile-only edit will silently keep the old config loaded.
- CSP `connect-src` must include both `https://erosi.limonia.net` and `wss://erosi.limonia.net`. - CSP `connect-src` must include both `https://erosi.limonia.net` and `wss://erosi.limonia.net`.
**External Keycloak:** **External Keycloak:**

View File

@@ -4,9 +4,10 @@
Live URL: **https://erosi.limonia.net** (app + Supabase API, single-domain). Keycloak is external — its URL is set via `PUBLIC_KEYCLOAK_URL` in `/opt/colectivo/.env`. OVH VPS, Ubuntu 24, Docker 29. Live URL: **https://erosi.limonia.net** (app + Supabase API, single-domain). Keycloak is external — its URL is set via `PUBLIC_KEYCLOAK_URL` in `/opt/colectivo/.env`. OVH VPS, Ubuntu 24, Docker 29.
- `infra/docker-compose.erosi.yml` — full stack (db, auth, rest, realtime, storage, imgproxy, kong, app). `studio`, `meta`, and the bundled `keycloak` service are intentionally absent. `kong` and `app` attach to two Docker networks: `colectivo` (internal, for DB and inter-service traffic) and `traefik` (external, named via `${TRAEFIK_NETWORK}` — the Traefik instance that NetBird's self-hosted installer deployed). - `infra/docker-compose.erosi.yml` — full stack (db, auth, rest, realtime, storage, imgproxy, kong, app, caddy). `studio`, `meta`, and the bundled `keycloak` service are intentionally absent. All services live on a single internal Docker network (`colectivo`); nothing on the stack is bound to a public network or labeled for an external reverse proxy.
- **Reverse proxy**: Traefik owns ports 80 + 443 on ambrosio. It discovers our services via `traefik.*` labels (Docker provider): `erosi-kong` (priority 100) catches `/rest/v1`, `/auth/v1`, `/realtime/v1`, `/storage/v1`, `/graphql/v1`, `/pg` on `erosi.limonia.net``kong:8000`; `erosi-app` (priority 1) catches everything else on the same host → `app:3000`. TLS via Traefik's certresolver (`${TRAEFIK_CERTRESOLVER}`, defaults to `letsencrypt`). No container binds a host port. - **Internal edge — Caddy on `:3000`**: `infra/Caddyfile.erosi` does the path split — `/rest/v1`, `/auth/v1`, `/realtime/v1`, `/storage/v1`, `/graphql/v1`, `/pg``kong:8000`; everything else → `app:3000`. WebSockets pass through (Caddy's `reverse_proxy` handles upgrade headers). Plain HTTP, no TLS. The container publishes host port 3000 (`ports: ["3000:3000"]`). Global block sets `auto_https off` + `admin off`, so the only listening socket is `:3000` — no ACME, no admin API.
- `infra/scripts/deploy-erosi.sh` — idempotent redeploy: rsync → on first run generate secrets + write `/opt/colectivo/.env` with placeholders the operator fills in (`PUBLIC_KEYCLOAK_URL`, `KEYCLOAK_CLIENT_SECRET`, `TRAEFIK_NETWORK`) → subsequent runs fail fast if any placeholder is unfilled → docker compose build + up → apply pending migrations. Never touches `/etc/caddy/*`, never runs `sudo`. - **External reverse proxy + TLS** are owned outside this repo (originally NetBird's self-hosted Traefik on ambrosio). Whatever proxy fronts the host terminates TLS for `erosi.limonia.net` and forwards plain HTTP to `ambrosio:3000`. Repo has no labels, no Traefik network attachment, no cert config — only the bind on `:3000`.
- `infra/scripts/deploy-erosi.sh` — idempotent redeploy: rsync → on first run generate secrets + write `/opt/colectivo/.env` with placeholders the operator fills in (`PUBLIC_KEYCLOAK_URL`, `KEYCLOAK_CLIENT_SECRET`) → subsequent runs fail fast if any placeholder is unfilled → docker compose build + up → apply pending migrations. Never touches `/etc/caddy/*`, never runs `sudo`. Note: bind-mounted files (e.g. `Caddyfile.erosi`) require `docker compose restart caddy` after editing — the script's `up -d` only recreates services whose compose definition changed.
- `keycloak/realm-export.erosi.json`**not imported** by this stack (no bundled Keycloak). Kept as reference for what the external Keycloak client must have — realm name, client id, and client secret are operator-chosen and wired in via `.env` (`PUBLIC_KEYCLOAK_REALM`, `PUBLIC_KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET`), so the file's literal `colectivo-web` / `colectivo` values are illustrative, not required. What the client must actually have: `redirectUris: ["https://erosi.limonia.net/*", "https://erosi.limonia.net/auth/v1/callback"]`, `webOrigins: ["https://erosi.limonia.net"]`, confidential, `openid` as a default client scope with `include.in.token.scope=true`. - `keycloak/realm-export.erosi.json`**not imported** by this stack (no bundled Keycloak). Kept as reference for what the external Keycloak client must have — realm name, client id, and client secret are operator-chosen and wired in via `.env` (`PUBLIC_KEYCLOAK_REALM`, `PUBLIC_KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET`), so the file's literal `colectivo-web` / `colectivo` values are illustrative, not required. What the client must actually have: `redirectUris: ["https://erosi.limonia.net/*", "https://erosi.limonia.net/auth/v1/callback"]`, `webOrigins: ["https://erosi.limonia.net"]`, confidential, `openid` as a default client scope with `include.in.token.scope=true`.
- `.env.erosi.example` — committed template. The real `/opt/colectivo/.env` on ambrosio is 600 and stays on the server. - `.env.erosi.example` — committed template. The real `/opt/colectivo/.env` on ambrosio is 600 and stays on the server.
@@ -14,9 +15,10 @@ Live URL: **https://erosi.limonia.net** (app + Supabase API, single-domain). Key
1. **External Keycloak** reachable from ambrosio's Docker network (outbound HTTPS). Realm + confidential client configured as described above; `.env` gets `PUBLIC_KEYCLOAK_URL`, `PUBLIC_KEYCLOAK_REALM`, `PUBLIC_KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET`. **If the Keycloak deployment uses the legacy `/auth/` base path** (Keycloak ≤ 16 default; some distributions still carry it — `auth.fosil.eu` is one) then `PUBLIC_KEYCLOAK_URL` must include it, e.g. `https://auth.example.com/auth`. Verify by opening `${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}/.well-known/openid-configuration` — it should return 200 JSON; 404 means the base path is wrong. 1. **External Keycloak** reachable from ambrosio's Docker network (outbound HTTPS). Realm + confidential client configured as described above; `.env` gets `PUBLIC_KEYCLOAK_URL`, `PUBLIC_KEYCLOAK_REALM`, `PUBLIC_KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET`. **If the Keycloak deployment uses the legacy `/auth/` base path** (Keycloak ≤ 16 default; some distributions still carry it — `auth.fosil.eu` is one) then `PUBLIC_KEYCLOAK_URL` must include it, e.g. `https://auth.example.com/auth`. Verify by opening `${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}/.well-known/openid-configuration` — it should return 200 JSON; 404 means the base path is wrong.
2. **Users in the external Keycloak must match existing `auth.users` UUIDs** (`auth.users.id = keycloak sub`) or the stack starts fresh with no prior users. Re-registering produces new sub UUIDs; either re-seed `auth.users` + `auth.identities` or wipe and start over. 2. **Users in the external Keycloak must match existing `auth.users` UUIDs** (`auth.users.id = keycloak sub`) or the stack starts fresh with no prior users. Re-registering produces new sub UUIDs; either re-seed `auth.users` + `auth.identities` or wipe and start over.
3. **Traefik idle timeout on the HTTPS entrypoint** — NetBird's installer sets `--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=0` (unlimited) by default, which is what Realtime WebSockets need. Verify with `docker inspect netbird-traefik --format '{{range .Args}}{{.}}{{"\n"}}{{end}}' | grep idleTimeout`. If it's not `0` or `≥3600s`, bump it — otherwise active shopping sessions disconnect. 3. **External proxy idle timeout** — Realtime WebSockets stay open for the entire shopping session, so whatever fronts the host must allow long-lived idle connections. NetBird's installer sets `--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=0` (unlimited) by default; if the external proxy is something else, configure ≥3600s on the relevant entrypoint. Symptom of a too-short timeout: client reconnects continuously mid-session.
4. **DNS** for `erosi.limonia.net` → ambrosio (A/AAAA). 4. **External proxy upstream** forward `erosi.limonia.net` (HTTPS, terminate TLS there) to `ambrosio:3000` (plain HTTP). One upstream is enough; Caddy inside the stack does the kong-vs-app path split.
5. **Host Caddy disabled**: `sudo systemctl stop caddy && sudo systemctl disable caddy`. Without `disable`, the unit comes back on reboot and races Traefik for 80/443. Remove any `# BEGIN colectivo-erosi … # END` block from `/etc/caddy/Caddyfile` for tidiness. 5. **DNS** for `erosi.limonia.net` → ambrosio (A/AAAA).
6. **Host Caddy disabled**: `sudo systemctl stop caddy && sudo systemctl disable caddy`. Without `disable`, the unit comes back on reboot and races the external proxy for 80/443. Remove any `# BEGIN colectivo-erosi … # END` block from `/etc/caddy/Caddyfile` for tidiness. (The internal Caddy inside the stack runs in a container on `:3000` and is unrelated to this host unit.)
## Prod-specific fixes ## Prod-specific fixes

11
infra/Caddyfile.erosi Normal file
View File

@@ -0,0 +1,11 @@
{
auto_https off
admin off
}
:3000 {
@api path /rest/v1/* /auth/v1/* /realtime/v1/* /storage/v1/* /graphql/v1/* /pg/*
reverse_proxy @api kong:8000
reverse_proxy app:3000
}

View File

@@ -1,13 +1,13 @@
name: colectivo-erosi name: colectivo-erosi
# Production stack for ambrosio. # Production stack for ambrosio.
# Domain: erosi.limonia.net (app + Supabase API, single-domain).
# Keycloak: external — URL set via PUBLIC_KEYCLOAK_URL in .env. # Keycloak: external — URL set via PUBLIC_KEYCLOAK_URL in .env.
# #
# TLS + reverse proxy is handled by Traefik (deployed by NetBird's self-hosted # Reverse proxy + TLS are owned externally and not described here. The stack
# installer on ambrosio). `kong` and `app` attach to Traefik's Docker network # exposes nothing publicly — `kong` (8000) and `app` (3000) listen on the
# (name in ${TRAEFIK_NETWORK}) and expose themselves via traefik.* labels. # internal `colectivo` Docker network only. Whatever proxy fronts the host is
# No container binds a host port. # responsible for reaching them (e.g. via the Docker network or by mapping
# host ports).
# #
# Bring up: docker compose -f infra/docker-compose.erosi.yml --env-file .env up -d --build # Bring up: docker compose -f infra/docker-compose.erosi.yml --env-file .env up -d --build
# Logs: docker compose -f infra/docker-compose.erosi.yml logs -f # Logs: docker compose -f infra/docker-compose.erosi.yml logs -f
@@ -162,15 +162,7 @@ services:
volumes: volumes:
- ./kong.yml:/home/kong/temp.yml:ro - ./kong.yml:/home/kong/temp.yml:ro
- ./kong-start.sh:/home/kong/kong-start.sh:ro - ./kong-start.sh:/home/kong/kong-start.sh:ro
networks: [colectivo, traefik] networks: [colectivo]
labels:
- "traefik.enable=true"
- "traefik.docker.network=${TRAEFIK_NETWORK}"
- "traefik.http.routers.erosi-kong.rule=Host(`erosi.limonia.net`) && (PathPrefix(`/rest/v1`) || PathPrefix(`/auth/v1`) || PathPrefix(`/realtime/v1`) || PathPrefix(`/storage/v1`) || PathPrefix(`/graphql/v1`) || PathPrefix(`/pg`))"
- "traefik.http.routers.erosi-kong.entrypoints=${TRAEFIK_ENTRYPOINT}"
- "traefik.http.routers.erosi-kong.tls.certresolver=${TRAEFIK_CERTRESOLVER}"
- "traefik.http.routers.erosi-kong.priority=100"
- "traefik.http.services.erosi-kong.loadbalancer.server.port=8000"
# ── App (SvelteKit Node server) — built on the host from the repo ────────── # ── App (SvelteKit Node server) — built on the host from the repo ──────────
# Build args bake the PUBLIC_* values into the client bundle (SvelteKit reqs). # Build args bake the PUBLIC_* values into the client bundle (SvelteKit reqs).
@@ -195,22 +187,24 @@ services:
PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID} PUBLIC_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID}
PUBLIC_APP_URL: ${PUBLIC_APP_URL} PUBLIC_APP_URL: ${PUBLIC_APP_URL}
NODE_ENV: production NODE_ENV: production
networks: [colectivo, traefik] networks: [colectivo]
labels:
- "traefik.enable=true" # ── Internal edge: path-split kong vs app on a single port ────────────────
- "traefik.docker.network=${TRAEFIK_NETWORK}" # Plain HTTP. TLS + outermost routing live on whatever external proxy
- "traefik.http.routers.erosi-app.rule=Host(`erosi.limonia.net`)" # fronts the host; that proxy only needs to know about port 3000.
- "traefik.http.routers.erosi-app.entrypoints=${TRAEFIK_ENTRYPOINT}" caddy:
- "traefik.http.routers.erosi-app.tls.certresolver=${TRAEFIK_CERTRESOLVER}" image: caddy:2-alpine
- "traefik.http.routers.erosi-app.priority=1" restart: always
- "traefik.http.services.erosi-app.loadbalancer.server.port=3000" depends_on: [kong, app]
volumes:
- ./Caddyfile.erosi:/etc/caddy/Caddyfile:ro
ports:
- "3000:3000"
networks: [colectivo]
networks: networks:
colectivo: colectivo:
driver: bridge driver: bridge
traefik:
name: ${TRAEFIK_NETWORK}
external: true
volumes: volumes:
db-data: db-data:

View File

@@ -9,13 +9,14 @@
# 1. rsyncs repo → ambrosio:/opt/colectivo/ # 1. rsyncs repo → ambrosio:/opt/colectivo/
# 2. if .env doesn't exist on server, generates secrets and writes it with # 2. if .env doesn't exist on server, generates secrets and writes it with
# placeholder values the operator must fill in (external Keycloak URL, # placeholder values the operator must fill in (external Keycloak URL,
# Keycloak client secret, Traefik network name) # Keycloak client secret)
# 3. docker compose build + up -d # 3. docker compose build + up -d
# 4. applies DB migrations # 4. applies DB migrations
# #
# TLS + routing is handled by Traefik (deployed by NetBird's self-hosted # Internal edge is a Caddy container listening on host port 3000 — the
# installer on ambrosio). This script never touches /etc/caddy/* or any host # external proxy (TLS terminator, off-stack) forwards plain HTTP to
# reverse-proxy config — it only manages the Docker stack. # ambrosio:3000. This script never touches the host reverse-proxy config —
# it only manages the Docker stack.
# #
# Subsequent runs: rsync + rebuild app + rolling restart. # Subsequent runs: rsync + rebuild app + rolling restart.
@@ -77,13 +78,6 @@ PUBLIC_KEYCLOAK_REALM=colectivo
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
KEYCLOAK_CLIENT_SECRET=FILL_IN_CLIENT_SECRET KEYCLOAK_CLIENT_SECRET=FILL_IN_CLIENT_SECRET
# Traefik (deployed by NetBird's self-hosted installer on ambrosio).
# FILL_IN the network name the installer asked you for; defaults for
# entrypoint + certresolver match NetBird's typical setup.
TRAEFIK_NETWORK=FILL_IN_TRAEFIK_NETWORK
TRAEFIK_ENTRYPOINT=websecure
TRAEFIK_CERTRESOLVER=letsencrypt
POSTGRES_PASSWORD=$POSTGRES_PASSWORD POSTGRES_PASSWORD=$POSTGRES_PASSWORD
SUPABASE_JWT_SECRET=$SUPABASE_JWT_SECRET SUPABASE_JWT_SECRET=$SUPABASE_JWT_SECRET
@@ -95,17 +89,16 @@ REALTIME_SECRET_KEY_BASE=$REALTIME_SECRET_KEY_BASE
EOF EOF
chmod 600 .env chmod 600 .env
echo "--- Wrote .env (mode 600)." echo "--- Wrote .env (mode 600)."
echo " Fill in: PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK" echo " Fill in: PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET"
echo " then re-run this script." echo " then re-run this script."
exit 0 exit 0
fi fi
# Every deploy: fail fast if the operator didn't finish the .env. # Every deploy: fail fast if the operator didn't finish the .env.
if grep -q '^PUBLIC_KEYCLOAK_URL=FILL_IN_' .env \ if grep -q '^PUBLIC_KEYCLOAK_URL=FILL_IN_' .env \
|| grep -q '^KEYCLOAK_CLIENT_SECRET=FILL_IN_' .env \ || grep -q '^KEYCLOAK_CLIENT_SECRET=FILL_IN_' .env; then
|| grep -q '^TRAEFIK_NETWORK=FILL_IN_' .env; then
echo "ERROR: /opt/colectivo/.env still contains FILL_IN_ placeholders." >&2 echo "ERROR: /opt/colectivo/.env still contains FILL_IN_ placeholders." >&2
echo " Fill in PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, TRAEFIK_NETWORK and retry." >&2 echo " Fill in PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET and retry." >&2
exit 1 exit 1
fi fi
REMOTE REMOTE