Self-contained compose for a single-VPS deploy behind the host's Caddy. App + Supabase API share erosi.oier.ovh; Keycloak on auth.oier.ovh. - infra/docker-compose.erosi.yml — full stack bound to 127.0.0.1 only (db, auth, rest, realtime, storage, imgproxy, kong, meta, keycloak, app) - infra/caddy/erosi.Caddyfile — host-Caddy snippet with TLS + path routing (/auth /rest /storage /realtime /graphql → kong, rest → app) - infra/scripts/deploy-erosi.sh — rsync + first-run secret generation + build + migrations + Caddy snippet install - keycloak/realm-export.erosi.json — prod redirect URIs, registration on, client secret as __KEYCLOAK_CLIENT_SECRET__ placeholder (deploy sub'd) - .env.erosi.example — env template with placeholders Supporting fixes to make the deploy work on a clean Supabase-postgres volume: - infra/db-init/00-role-passwords.sh — rewrote as idempotent bootstrap: CREATE the Supabase service roles if missing, set passwords on pre-existing ones, enable pg_cron/pgcrypto/uuid-ossp, create auth/storage/graphql_public/ _realtime/realtime schemas, create empty supabase_realtime publication, set per-role search_path (auth→auth, storage→storage). Old version only ALTERed passwords and relied on the roles already existing — worked for a grandfathered dev volume, failed on a fresh prod init. - infra/db-init/00-role-passwords.sql — removed (folded into .sh). - apps/web/vite.config.ts — PWA strategy generateSW (was injectManifest). The plugin's injectManifest hardcodes the SW source filename to service-worker.js and ignores the filename: 'sw.ts' override, making the production build fail. generateSW's auto-generated precache-only SW is functionally equivalent to our 5-line src/sw.ts. Tested end-to-end on ambrosio: all 9 containers up, 11 migrations applied, https://erosi.oier.ovh returns 200, Keycloak OIDC discovery serves the correct issuer, /auth/v1/settings lists Keycloak as the sole external provider.
33 lines
1.8 KiB
Plaintext
33 lines
1.8 KiB
Plaintext
# Production env for ambrosio — copy to .env on the server and fill in secrets.
|
|
# Generate JWT triplet: bash infra/scripts/rotate-jwt.sh
|
|
|
|
# ── Domains (change if you migrate to new hostnames) ────────────────────────
|
|
PUBLIC_APP_URL=https://erosi.oier.ovh
|
|
PUBLIC_SUPABASE_URL=https://erosi.oier.ovh
|
|
PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh
|
|
PUBLIC_KEYCLOAK_REALM=colectivo
|
|
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
|
|
|
|
# Keycloak sees this as its canonical hostname (KC_HOSTNAME).
|
|
KEYCLOAK_HOSTNAME=auth.oier.ovh
|
|
|
|
# ── Postgres (single password for all internal roles) ───────────────────────
|
|
POSTGRES_PASSWORD=CHANGEME-strong-random-password
|
|
|
|
# ── Supabase JWT triplet (regenerate every 90 days) ─────────────────────────
|
|
# Produce all three with: bash infra/scripts/rotate-jwt.sh
|
|
SUPABASE_JWT_SECRET=CHANGEME-openssl-rand-base64-48
|
|
PUBLIC_SUPABASE_ANON_KEY=CHANGEME-sign-with-above
|
|
SUPABASE_SERVICE_ROLE_KEY=CHANGEME-sign-with-above
|
|
|
|
# ── Keycloak admin + client secret ──────────────────────────────────────────
|
|
KEYCLOAK_ADMIN=admin
|
|
KEYCLOAK_ADMIN_PASSWORD=CHANGEME-strong-random-password
|
|
# Must match the `secret` field of the colectivo-web client in realm-export.erosi.json.
|
|
KEYCLOAK_CLIENT_SECRET=CHANGEME-client-secret-32-chars
|
|
|
|
# ── Realtime encryption ─────────────────────────────────────────────────────
|
|
# DB_ENC_KEY: exactly 16 characters. SECRET_KEY_BASE: ≥ 64 characters.
|
|
REALTIME_ENC_KEY=CHANGEME16charkey
|
|
REALTIME_SECRET_KEY_BASE=CHANGEME-openssl-rand-base64-64-at-minimum-so-phoenix-is-happy
|