- Turborepo + pnpm workspaces with apps/web and packages/types - SvelteKit app: Tailwind, Paraglide i18n (en/es), keycloak-js, Supabase client, auth/collective stores, PWA service worker skeleton, all route placeholders - packages/types: domain types (User, Collective, ShoppingList, etc.) and database.ts placeholder for generated types - Justfile with dev, db-*, kc-*, build, backup, restore, deploy recipes - infra/docker-compose.dev.yml: Postgres 15, GoTrue, PostgREST, Realtime v2.83, Storage, Kong (port 8001), Studio, Keycloak 24 - infra/docker-compose.prod.yml, kong.yml, db-init scripts, backup/deploy scripts - keycloak/realm-export.json with colectivo realm and 5 dev test users - supabase/config.toml and seed.sql with sample collective and items - GitHub Actions: ci.yml (lint+typecheck+build) and deploy.yml (GHCR + SSH) - .env.example documenting all required variables - Fixed docker-compose issues: Studio image tag, Kong port conflict (8001), internal role passwords init script, Realtime METRICS_JWT_SECRET/APP_NAME Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
71 lines
3.5 KiB
Plaintext
71 lines
3.5 KiB
Plaintext
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Colectivo — environment variables
|
|
# Copy to .env and fill in real values. Never commit .env to version control.
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
# ── Supabase ──────────────────────────────────────────────────────────────────
|
|
|
|
# URL of the self-hosted Supabase instance (Kong gateway)
|
|
PUBLIC_SUPABASE_URL=http://localhost:8001
|
|
|
|
# Supabase anon key (public, safe to expose in the browser)
|
|
# Generated during `supabase start` or set manually in supabase/config.toml
|
|
PUBLIC_SUPABASE_ANON_KEY=
|
|
|
|
# Supabase service role key (private — never expose in the browser)
|
|
# Used only in Edge Functions or server-side scripts
|
|
SUPABASE_SERVICE_ROLE_KEY=
|
|
|
|
# JWT secret — MUST be set to the Keycloak RS256 public key (PEM format, one line)
|
|
# Supabase uses this to validate Keycloak-issued JWTs for RLS
|
|
# Rotate simultaneously with Keycloak signing key rotation
|
|
SUPABASE_JWT_SECRET=
|
|
|
|
# ── Keycloak ──────────────────────────────────────────────────────────────────
|
|
|
|
# Public URL of the Keycloak server (used by the browser for OIDC redirects)
|
|
PUBLIC_KEYCLOAK_URL=http://localhost:8080
|
|
|
|
# Keycloak realm name
|
|
PUBLIC_KEYCLOAK_REALM=colectivo
|
|
|
|
# Keycloak client ID (public PKCE client — no secret)
|
|
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
|
|
|
|
# Keycloak admin credentials (used by infra scripts only — never in app code)
|
|
KEYCLOAK_ADMIN=admin
|
|
KEYCLOAK_ADMIN_PASSWORD=
|
|
|
|
# ── Email (Resend) ────────────────────────────────────────────────────────────
|
|
|
|
# Resend API key — used by Edge Functions to send invitation emails
|
|
RESEND_API_KEY=
|
|
|
|
# From address for outgoing emails
|
|
RESEND_FROM_EMAIL=noreply@yourdomain.com
|
|
|
|
# ── Backup (Backblaze B2) ─────────────────────────────────────────────────────
|
|
|
|
B2_BUCKET_NAME=colectivo-backups
|
|
B2_APPLICATION_KEY_ID=
|
|
B2_APPLICATION_KEY=
|
|
|
|
# ── App ───────────────────────────────────────────────────────────────────────
|
|
|
|
# Publicly accessible origin of the app (no trailing slash)
|
|
# Used in Edge Functions to build invitation URLs
|
|
PUBLIC_APP_URL=http://localhost:5173
|
|
|
|
# ── Docker / Infra ────────────────────────────────────────────────────────────
|
|
|
|
# Postgres superuser password (used by Supabase internally)
|
|
POSTGRES_PASSWORD=
|
|
|
|
# Supabase dashboard username/password (Studio)
|
|
DASHBOARD_USERNAME=supabase
|
|
DASHBOARD_PASSWORD=
|
|
|
|
# Production SSH target for deploy script
|
|
DEPLOY_HOST=user@your-vps-ip
|
|
DEPLOY_PATH=/opt/colectivo
|