Ambrosio's TLS is now handled by the Traefik that NetBird's self-hosted installer deploys. kong + app attach to that Traefik network and expose themselves via Docker-provider labels (erosi-kong priority 100 for Supabase API paths, erosi-app priority 1 for everything else on erosi.limonia.net). No container publishes host ports; host Caddy is out of the deploy path permanently. Keycloak is no longer bundled — PUBLIC_KEYCLOAK_URL points at an external IdP. The deploy script writes .env with FILL_IN_* placeholders for PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET, and TRAEFIK_NETWORK, and fails fast until they are filled. New domain: erosi.limonia.net. realm-export.erosi.json is retained as reference for the external Keycloak operator; it is no longer imported by this stack. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
4.1 KiB
4.1 KiB
Deployment
Production stack — ambrosio (OVH VPS)
Live URL: https://erosi.limonia.net (app + Supabase API, single-domain). Keycloak is external — its URL is set via PUBLIC_KEYCLOAK_URL in /opt/colectivo/.env. OVH VPS, Ubuntu 24, Docker 29.
infra/docker-compose.erosi.yml— full stack (db, auth, rest, realtime, storage, imgproxy, kong, app).studio,meta, and the bundledkeycloakservice are intentionally absent.kongandappattach to two Docker networks:colectivo(internal, for DB and inter-service traffic) andtraefik(external, named via${TRAEFIK_NETWORK}— the Traefik instance that NetBird's self-hosted installer deployed).- Reverse proxy: Traefik owns ports 80 + 443 on ambrosio. It discovers our services via
traefik.*labels (Docker provider):erosi-kong(priority 100) catches/rest/v1,/auth/v1,/realtime/v1,/storage/v1,/graphql/v1,/pgonerosi.limonia.net→kong:8000;erosi-app(priority 1) catches everything else on the same host →app:3000. TLS via Traefik's certresolver (${TRAEFIK_CERTRESOLVER}, defaults toletsencrypt). No container binds a host port. infra/scripts/deploy-erosi.sh— idempotent redeploy: rsync → on first run generate secrets + write/opt/colectivo/.envwith placeholders the operator fills in (PUBLIC_KEYCLOAK_URL,KEYCLOAK_CLIENT_SECRET,TRAEFIK_NETWORK) → subsequent runs fail fast if any placeholder is unfilled → docker compose build + up → apply pending migrations. Never touches/etc/caddy/*, never runssudo.keycloak/realm-export.erosi.json— not imported by this stack (no bundled Keycloak). Kept as reference for what the external Keycloak'scolectivo-webclient must have:redirectUris: ["https://erosi.limonia.net/*", "https://erosi.limonia.net/auth/v1/callback"],webOrigins: ["https://erosi.limonia.net"], confidential client,openidas a default client scope withinclude.in.token.scope=true..env.erosi.example— committed template. The real/opt/colectivo/.envon ambrosio is 600 and stays on the server.
Pre-deploy prerequisites
- External Keycloak reachable from ambrosio's Docker network (outbound HTTPS). Realm +
colectivo-webclient configured as described above; operator pastes the client secret into.envasKEYCLOAK_CLIENT_SECRET. - Users in the external Keycloak must match existing
auth.usersUUIDs (auth.users.id = keycloak sub) or the stack starts fresh with no prior users. Re-registering produces new sub UUIDs; either re-seedauth.users+auth.identitiesor wipe and start over. - NetBird's Traefik long-idle-timeout on the HTTPS entrypoint — required for Realtime WebSockets. Add to the Traefik container's args:
Default is ~180s; active shopping sessions disconnect without this. One-time change outside this repo.
--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=3600s - DNS for
erosi.limonia.net→ ambrosio (A/AAAA). - Host Caddy disabled. The previous deploy used a systemd Caddy as TLS terminator; it must be stopped and
systemctl disable caddyso it doesn't race Traefik for 80/443 on reboot. Remove any# BEGIN colectivo-erosi … # END colectivo-erosiblock from/etc/caddy/Caddyfilefor tidiness.
Prod-specific fixes
Had to be made for the stack to boot cleanly on a fresh volume:
infra/db-init/00-role-passwords.sh— rewrote as idempotent bootstrap (see the "supabase/postgres doesn't bootstrap Supabase roles" gotcha inCLAUDE.md): creates all Supabase service roles if absent, enablespg_cron+pgcrypto+uuid-ossp, createsauth/storage/graphql_public/_realtime/realtimeschemas + emptysupabase_realtimepublication, setssupabase_auth_adminsearch_path toauth. The old00-role-passwords.sql(ALTER-only) has been removed.apps/web/vite.config.ts— PWA strategy switchedinjectManifest→generateSW(see the "injectManifest hardcoded filename" gotcha inCLAUDE.md).
Not yet configured on ambrosio
- SMTP (Resend)
- Automated backups — script exists at
infra/scripts/backup.sh, not scheduled - Lighthouse run against prod URL
- Final production icons