Files
collective-lists/.env.erosi.example
Oier Bravo Urtasun d4a781ddcf deploy(prod): swap NetBird-Traefik labels for off-stack proxy + internal Caddy
The stack no longer talks to any specific external proxy. Removed traefik.*
labels and the shared `traefik` external network from kong + app, and dropped
TRAEFIK_NETWORK / TRAEFIK_ENTRYPOINT / TRAEFIK_CERTRESOLVER from the .env
template and the deploy-script bootstrap.

Internal edge is a `caddy:2-alpine` container on the `colectivo` network,
publishing host port 3000. `infra/Caddyfile.erosi` does the path split:
/rest|/auth|/realtime|/storage|/graphql|/pg -> kong:8000, everything else
-> app:3000. Global block sets `auto_https off` + `admin off` so :3000 is
the only listener.

Whatever proxy fronts the host (NetBird's Traefik, nginx, anything) just
terminates TLS for erosi.limonia.net and forwards plain HTTP to
ambrosio:3000. Off-stack and out of this repo.

Docs (CLAUDE.md + docs/deployment.md) updated to describe the two-layer
edge. Includes the gotcha that bind-mounted file edits (Caddyfile) need
`docker compose restart caddy` since `up -d` won't recreate the container
on file-only changes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 22:26:06 +02:00

43 lines
2.7 KiB
Plaintext

# Production env for ambrosio — copy to .env on the server and fill in secrets.
# Generate JWT triplet: bash infra/scripts/rotate-jwt.sh
# ── App + Supabase API (single domain, routed by Traefik on ambrosio) ──────
PUBLIC_APP_URL=https://erosi.limonia.net
PUBLIC_SUPABASE_URL=https://erosi.limonia.net
# ── External Keycloak ──────────────────────────────────────────────────────
# The client must be confidential, with `openid` as a default client scope
# (GoTrue v2.158.1 doesn't send `openid` in the OAuth scope param — Keycloak
# must inject it), redirectUris including https://erosi.limonia.net/* and
# https://erosi.limonia.net/auth/v1/callback, and webOrigins https://erosi.limonia.net.
#
# NOTE: if your Keycloak uses the legacy `/auth/` base path (Keycloak ≤ 16 and
# some later distributions), PUBLIC_KEYCLOAK_URL must include it — e.g.
# https://auth.example.com/auth. Verify before deploying: a GET on
# ${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}/.well-known/openid-configuration
# must return 200 JSON. 404 = wrong base path.
PUBLIC_KEYCLOAK_URL=https://your-keycloak.example.com
PUBLIC_KEYCLOAK_REALM=your-realm
PUBLIC_KEYCLOAK_CLIENT_ID=your-client-id
KEYCLOAK_CLIENT_SECRET=CHANGEME-paste-from-external-keycloak
# ── Reverse proxy ──────────────────────────────────────────────────────────
# TLS + outermost routing live outside this repo. The stack exposes a single
# host port (3000) where an internal Caddy fans out kong (Supabase API) vs
# app (SvelteKit). Configure whatever external proxy you use to terminate
# HTTPS for PUBLIC_APP_URL and forward plain HTTP to ambrosio:3000.
# ── Postgres (single password for all internal roles) ───────────────────────
POSTGRES_PASSWORD=CHANGEME-strong-random-password
# ── Supabase JWT triplet (regenerate every 90 days) ─────────────────────────
# Produce all three with: bash infra/scripts/rotate-jwt.sh
SUPABASE_JWT_SECRET=CHANGEME-openssl-rand-base64-48
PUBLIC_SUPABASE_ANON_KEY=CHANGEME-sign-with-above
SUPABASE_SERVICE_ROLE_KEY=CHANGEME-sign-with-above
# ── Realtime encryption ─────────────────────────────────────────────────────
# DB_ENC_KEY: exactly 16 characters. SECRET_KEY_BASE: ≥ 64 characters.
REALTIME_ENC_KEY=CHANGEME16charkey
REALTIME_SECRET_KEY_BASE=CHANGEME-openssl-rand-base64-64-at-minimum-so-phoenix-is-happy