Every `just deploy` now takes a pg_dumpall to /opt/colectivo/backups/predeploy-<ts>-<sha>.sql.gz BEFORE rebuilding the app or applying migrations, aborts the deploy if the dump is < 1 KiB, and (on success) appends `<iso-ts> \t <sha> \t <backup-file>` to /opt/colectivo/.deploys.log on ambrosio. Keeps the newest 10 backups (prunes older predeploy-* files). New `infra/scripts/rollback-erosi.sh` reads .deploys.log and pairs a code rollback with a DB restore atomically: just rollback-list # show recent deploys just rollback # roll back to N-1 just rollback-to <sha> # roll back to a specific deploy just rollback-code # roll back code only, keep current DB Rollback safety: - 5-second abort window. - Verifies the target SHA exists locally + the backup is still on prod (warns if it's been pruned past the 10-deploy window). - Uses a temporary git worktree so the user's working tree isn't disturbed. - Stops app/auth/rest/realtime/storage before the gunzip|psql restore. - Rebuilds the app image at the rolled-back SHA with the same GIT_SHA build-arg path the deploy uses (so __APP_COMMIT__ in the bundle matches the running code). - Does NOT write a new .deploys.log entry — rollback is intentionally not a deploy event; the next `just deploy` is from current HEAD. - Storage volume (/var/lib/storage user uploads) is NOT rolled back. Justfile `deploy` recipe repointed from the stale `deploy.sh` (which referenced GHCR pull) to `deploy-erosi.sh` (the active prod path). New project-scoped skill: `.claude/skills/deploy/SKILL.md` documents the flow + safety boundaries for Claude-assisted invocations. `.gitignore` keeps `.claude/settings.local.json` ignored but tracks `.claude/skills/`. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
12 KiB
Deployment
Production stack — ambrosio (OVH VPS)
Live URL: https://erosi.limonia.net (app + Supabase API, single-domain). Keycloak is external — its URL is set via PUBLIC_KEYCLOAK_URL in /opt/colectivo/.env. OVH VPS, Ubuntu 24, Docker 29.
infra/docker-compose.erosi.yml— full stack (db, auth, rest, realtime, storage, imgproxy, kong, app, caddy).studio,meta, and the bundledkeycloakservice are intentionally absent. All services live on a single internal Docker network (colectivo); nothing on the stack is bound to a public network or labeled for an external reverse proxy.- Internal edge — Caddy on
:3000:infra/Caddyfile.erosidoes the path split —/rest/v1,/auth/v1,/realtime/v1,/storage/v1,/graphql/v1,/pg→kong:8000; everything else →app:3000. WebSockets pass through (Caddy'sreverse_proxyhandles upgrade headers). Plain HTTP, no TLS. The container publishes host port 3000 (ports: ["3000:3000"]). Global block setsauto_https off+admin off, so the only listening socket is:3000— no ACME, no admin API. - External reverse proxy + TLS are owned outside this repo (originally NetBird's self-hosted Traefik on ambrosio). Whatever proxy fronts the host terminates TLS for
erosi.limonia.netand forwards plain HTTP toambrosio:3000. Repo has no labels, no Traefik network attachment, no cert config — only the bind on:3000. infra/scripts/deploy-erosi.sh— idempotent redeploy: rsync → on first run generate secrets + write/opt/colectivo/.envwith placeholders the operator fills in (PUBLIC_KEYCLOAK_URL,KEYCLOAK_CLIENT_SECRET) → subsequent runs fail fast if any placeholder is unfilled → docker compose build + up → apply pending migrations. Never touches/etc/caddy/*, never runssudo. Note: bind-mounted files (e.g.Caddyfile.erosi) requiredocker compose restart caddyafter editing — the script'sup -donly recreates services whose compose definition changed.keycloak/realm-export.erosi.json— not imported by this stack (no bundled Keycloak). Kept as reference for what the external Keycloak client must have — realm name, client id, and client secret are operator-chosen and wired in via.env(PUBLIC_KEYCLOAK_REALM,PUBLIC_KEYCLOAK_CLIENT_ID,KEYCLOAK_CLIENT_SECRET), so the file's literalcolectivo-web/colectivovalues are illustrative, not required. What the client must actually have:redirectUris: ["https://erosi.limonia.net/*", "https://erosi.limonia.net/auth/v1/callback"],webOrigins: ["https://erosi.limonia.net"], confidential,openidas a default client scope withinclude.in.token.scope=true..env.erosi.example— committed template. The real/opt/colectivo/.envon ambrosio is 600 and stays on the server.
Pre-deploy prerequisites
- External Keycloak reachable from ambrosio's Docker network (outbound HTTPS). Realm + confidential client configured as described above;
.envgetsPUBLIC_KEYCLOAK_URL,PUBLIC_KEYCLOAK_REALM,PUBLIC_KEYCLOAK_CLIENT_ID,KEYCLOAK_CLIENT_SECRET. If the Keycloak deployment uses the legacy/auth/base path (Keycloak ≤ 16 default; some distributions still carry it —auth.fosil.euis one) thenPUBLIC_KEYCLOAK_URLmust include it, e.g.https://auth.example.com/auth. Verify by opening${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}/.well-known/openid-configuration— it should return 200 JSON; 404 means the base path is wrong. - Users in the external Keycloak must match existing
auth.usersUUIDs (auth.users.id = keycloak sub) or the stack starts fresh with no prior users. Re-registering produces new sub UUIDs; either re-seedauth.users+auth.identitiesor wipe and start over. - External proxy idle timeout — Realtime WebSockets stay open for the entire shopping session, so whatever fronts the host must allow long-lived idle connections. NetBird's installer sets
--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=0(unlimited) by default; if the external proxy is something else, configure ≥3600s on the relevant entrypoint. Symptom of a too-short timeout: client reconnects continuously mid-session. - External proxy upstream — forward
erosi.limonia.net(HTTPS, terminate TLS there) toambrosio:3000(plain HTTP). One upstream is enough; Caddy inside the stack does the kong-vs-app path split. - DNS for
erosi.limonia.net→ ambrosio (A/AAAA). - Host Caddy disabled:
sudo systemctl stop caddy && sudo systemctl disable caddy. Withoutdisable, the unit comes back on reboot and races the external proxy for 80/443. Remove any# BEGIN colectivo-erosi … # ENDblock from/etc/caddy/Caddyfilefor tidiness. (The internal Caddy inside the stack runs in a container on:3000and is unrelated to this host unit.)
Prod-specific fixes
Had to be made for the stack to boot cleanly on a fresh volume:
infra/db-init/00-role-passwords.sh— rewrote as idempotent bootstrap (see the "supabase/postgres doesn't bootstrap Supabase roles" gotcha inCLAUDE.md): creates all Supabase service roles if absent, enablespg_cron+pgcrypto+uuid-ossp, createsauth/storage/graphql_public/_realtime/realtimeschemas + emptysupabase_realtimepublication, setssupabase_auth_adminsearch_path toauth. The old00-role-passwords.sql(ALTER-only) has been removed.apps/web/vite.config.ts— PWA strategy switchedinjectManifest→generateSW(see the "injectManifest hardcoded filename" gotcha inCLAUDE.md).
Runbook
App build hang / PostHog timeout
The app image's final build stage (pnpm --filter @colectivo/web build → vite SSR) occasionally stalls during transforming... and ~9 minutes later dies with UnhandledPromiseRejection: "Timeout while shutting down PostHog". Intermittent; reproducible across rebuilds with the same layer cache.
Fix: rebuild with --no-cache once:
ssh ambrosio 'cd /opt/colectivo && docker compose --env-file .env -f infra/docker-compose.erosi.yml build --no-cache app'
Subsequent normal builds succeed. Run inside tmux if you're on a flaky SSH link — the no-cache build takes 5–15 minutes and losing the connection kills BuildKit.
Changing PUBLIC_* env values (URL, realm, client id)
Any change to PUBLIC_APP_URL, PUBLIC_SUPABASE_URL, PUBLIC_KEYCLOAK_URL, PUBLIC_KEYCLOAK_REALM, PUBLIC_KEYCLOAK_CLIENT_ID requires an app rebuild (those values are baked into the client bundle at build time via docker-compose.erosi.yml build args). After editing .env:
ssh ambrosio 'cd /opt/colectivo && docker compose --env-file .env -f infra/docker-compose.erosi.yml build app && docker compose --env-file .env -f infra/docker-compose.erosi.yml up -d'
KEYCLOAK_CLIENT_SECRET is runtime-only (GoTrue reads it) — for that one a docker compose restart auth is enough.
Rollback (code + DB)
Every just deploy pairs a code-rsync with a pg_dumpall taken just before the build, and logs the pair to /opt/colectivo/.deploys.log on ambrosio. Rollback uses that log to restore both atomically.
just rollback-list # show recent deploys (timestamp / sha / backup)
just rollback # roll back code + DB to N-1
just rollback-to <git-sha> # roll back to a specific deploy
just rollback-code # roll back code only, leave DB at current state
Safety:
- 5-second abort window before anything destructive runs.
- Verifies the target SHA exists in the local git repo (fetch first if you're rolling back to an old commit).
- Verifies the matching backup is still on ambrosio (older than 10 deploys = pruned).
- Stops
app/auth/rest/realtime/storagebefore thegunzip | psqlrestore so they don't observe inconsistent state. - Materialises the target commit into a temp
git worktree; your working tree is untouched. - Does not write to
.deploys.log— rollback is intentionally not a deploy event. The nextjust deploywill be from your current HEAD. - The storage volume (user uploads at
/var/lib/storage) is not rolled back. Treated as append-only.
When to use --code-only: regression is UI/JS only and the DB schema is forward-compatible. Skips the destructive restore but still rebuilds + redeploys the older app image.
Wipe all app + auth data (keep schema, keep migrations)
When switching Keycloak realms or starting fresh:
BEGIN;
TRUNCATE TABLE public.notes, public.tasks, public.task_lists,
public.shopping_items, public.shopping_lists, public.item_frequency,
public.collective_invitations, public.collective_members, public.collectives,
public.users
RESTART IDENTITY CASCADE;
TRUNCATE TABLE auth.refresh_tokens, auth.sessions, auth.identities, auth.users
RESTART IDENTITY CASCADE;
COMMIT;
CASCADE also empties auth.mfa_factors, auth.mfa_amr_claims, auth.mfa_challenges, auth.one_time_tokens — expected. Never touch auth.schema_migrations or public._applied_migrations (they track what DDL has been applied).
Server administration (Fase 13)
The instance has a global server_admin role separate from the per-collective admin role. Server admins can list/soft-delete/restore/hard-delete any collective, remove members, set server-level section visibility defaults, and read the append-only audit log at /admin/audit.
Promoting the first admin
Set SERVER_ADMIN_EMAIL in .env to the operator's email BEFORE first deploy. infra/db-init/10-server-admin-seed.sh runs once on first volume init and inserts the matching user into public.server_admins.
Gotcha: docker-entrypoint-initdb.d fires before any user has signed in via Keycloak, so public.users is empty and the script will log WARNING: no public.users row matches email <...>, skipping. To actually bootstrap:
- Bring up the stack normally (
docker compose --env-file .env -f infra/docker-compose.erosi.yml up -d). - Sign in once via Keycloak using
SERVER_ADMIN_EMAILto populatepublic.users. - Re-run the bootstrap script manually:
The
docker compose -f infra/docker-compose.erosi.yml exec -T db \ bash /docker-entrypoint-initdb.d/10-server-admin-seed.sh </dev/null</dev/nullredirect is mandatory per the heredoc-stdin gotcha (the surrounding bash heredoc on the SSH side would otherwise be drained).
After this server_admins is non-empty and the script is a no-op forever.
Promoting subsequent admins
Use /admin/admins → "Promote user" with the target's email. Or directly in SQL:
INSERT INTO public.server_admins (user_id, granted_by)
SELECT id, '<your-user-id>'::uuid FROM public.users WHERE email = '<target>'
ON CONFLICT (user_id) DO NOTHING;
Last-admin guard
revoke_server_admin() refuses to remove the only remaining admin (P0003 'last_admin'). If you really need to demote the last admin (e.g. handover), promote the replacement FIRST.
Audit log
Every privileged RPC writes to public.admin_actions. Read it from /admin/audit or with:
SELECT created_at, actor_id, action, target_type, target_id, payload
FROM public.admin_actions ORDER BY created_at DESC LIMIT 100;
The log is append-only via RLS — there are no INSERT/UPDATE/DELETE policies, only the SECURITY DEFINER RPCs can write. A postgres superuser shell can still delete rows; the threat model is "malicious admin via the product UI", not "operator with DB access".
Not yet configured on ambrosio
- SMTP (Resend)
- Automated backups — script exists at
infra/scripts/backup.sh, not scheduled - Lighthouse run against prod URL
- Final production icons