Self-contained compose for a single-VPS deploy behind the host's Caddy. App + Supabase API share erosi.oier.ovh; Keycloak on auth.oier.ovh. - infra/docker-compose.erosi.yml — full stack bound to 127.0.0.1 only (db, auth, rest, realtime, storage, imgproxy, kong, meta, keycloak, app) - infra/caddy/erosi.Caddyfile — host-Caddy snippet with TLS + path routing (/auth /rest /storage /realtime /graphql → kong, rest → app) - infra/scripts/deploy-erosi.sh — rsync + first-run secret generation + build + migrations + Caddy snippet install - keycloak/realm-export.erosi.json — prod redirect URIs, registration on, client secret as __KEYCLOAK_CLIENT_SECRET__ placeholder (deploy sub'd) - .env.erosi.example — env template with placeholders Supporting fixes to make the deploy work on a clean Supabase-postgres volume: - infra/db-init/00-role-passwords.sh — rewrote as idempotent bootstrap: CREATE the Supabase service roles if missing, set passwords on pre-existing ones, enable pg_cron/pgcrypto/uuid-ossp, create auth/storage/graphql_public/ _realtime/realtime schemas, create empty supabase_realtime publication, set per-role search_path (auth→auth, storage→storage). Old version only ALTERed passwords and relied on the roles already existing — worked for a grandfathered dev volume, failed on a fresh prod init. - infra/db-init/00-role-passwords.sql — removed (folded into .sh). - apps/web/vite.config.ts — PWA strategy generateSW (was injectManifest). The plugin's injectManifest hardcodes the SW source filename to service-worker.js and ignores the filename: 'sw.ts' override, making the production build fail. generateSW's auto-generated precache-only SW is functionally equivalent to our 5-line src/sw.ts. Tested end-to-end on ambrosio: all 9 containers up, 11 migrations applied, https://erosi.oier.ovh returns 200, Keycloak OIDC discovery serves the correct issuer, /auth/v1/settings lists Keycloak as the sole external provider.
47 lines
1.8 KiB
Caddyfile
47 lines
1.8 KiB
Caddyfile
# Caddyfile snippet for ambrosio host Caddy.
|
|
# Install path: /etc/caddy/Caddyfile (append these blocks).
|
|
# Reload: sudo systemctl reload caddy
|
|
#
|
|
# Docker services bind to 127.0.0.1 only; this file is the public entrypoint.
|
|
# TLS certificates are issued automatically by Caddy via Let's Encrypt.
|
|
|
|
# ── App + Supabase (single domain) ──────────────────────────────────────────
|
|
erosi.oier.ovh {
|
|
encode zstd gzip
|
|
|
|
# Supabase API paths → Kong gateway.
|
|
# Realtime MUST come before /auth, /rest, /storage to match its WS upgrade path first.
|
|
@supabase path /auth/v1/* /rest/v1/* /storage/v1/* /realtime/v1/* /graphql/v1/* /pg/*
|
|
handle @supabase {
|
|
# Realtime WebSockets require a long read timeout; PostgREST benefits from
|
|
# flush_interval for streaming responses. Caddy handles WS upgrades natively.
|
|
reverse_proxy 127.0.0.1:8000 {
|
|
transport http {
|
|
read_timeout 3600s
|
|
}
|
|
header_up X-Real-IP {remote_host}
|
|
}
|
|
}
|
|
|
|
# Everything else → SvelteKit Node server.
|
|
handle {
|
|
reverse_proxy 127.0.0.1:3000 {
|
|
header_up X-Real-IP {remote_host}
|
|
}
|
|
}
|
|
}
|
|
|
|
# ── Keycloak ────────────────────────────────────────────────────────────────
|
|
auth.oier.ovh {
|
|
encode zstd gzip
|
|
|
|
# Keycloak 24 with KC_PROXY=edge uses the X-Forwarded-* headers that Caddy
|
|
# already sets automatically on every reverse_proxy (Proto, For, Host).
|
|
# Only X-Forwarded-Port is not default, so we add it explicitly — without
|
|
# it Keycloak builds redirect URIs with the internal port (8080).
|
|
reverse_proxy 127.0.0.1:8090 {
|
|
header_up X-Real-IP {remote_host}
|
|
header_up X-Forwarded-Port {server_port}
|
|
}
|
|
}
|