Files
collective-lists/.env.erosi.example
Oier Bravo Urtasun 74e919aa71 feat(deploy): ambrosio production stack (erosi.oier.ovh)
Self-contained compose for a single-VPS deploy behind the host's Caddy.
App + Supabase API share erosi.oier.ovh; Keycloak on auth.oier.ovh.

- infra/docker-compose.erosi.yml — full stack bound to 127.0.0.1 only
  (db, auth, rest, realtime, storage, imgproxy, kong, meta, keycloak, app)
- infra/caddy/erosi.Caddyfile — host-Caddy snippet with TLS + path routing
  (/auth /rest /storage /realtime /graphql → kong, rest → app)
- infra/scripts/deploy-erosi.sh — rsync + first-run secret generation +
  build + migrations + Caddy snippet install
- keycloak/realm-export.erosi.json — prod redirect URIs, registration on,
  client secret as __KEYCLOAK_CLIENT_SECRET__ placeholder (deploy sub'd)
- .env.erosi.example — env template with placeholders

Supporting fixes to make the deploy work on a clean Supabase-postgres volume:

- infra/db-init/00-role-passwords.sh — rewrote as idempotent bootstrap:
  CREATE the Supabase service roles if missing, set passwords on pre-existing
  ones, enable pg_cron/pgcrypto/uuid-ossp, create auth/storage/graphql_public/
  _realtime/realtime schemas, create empty supabase_realtime publication,
  set per-role search_path (auth→auth, storage→storage). Old version only
  ALTERed passwords and relied on the roles already existing — worked for a
  grandfathered dev volume, failed on a fresh prod init.

- infra/db-init/00-role-passwords.sql — removed (folded into .sh).

- apps/web/vite.config.ts — PWA strategy generateSW (was injectManifest).
  The plugin's injectManifest hardcodes the SW source filename to
  service-worker.js and ignores the filename: 'sw.ts' override, making the
  production build fail. generateSW's auto-generated precache-only SW is
  functionally equivalent to our 5-line src/sw.ts.

Tested end-to-end on ambrosio: all 9 containers up, 11 migrations applied,
https://erosi.oier.ovh returns 200, Keycloak OIDC discovery serves the
correct issuer, /auth/v1/settings lists Keycloak as the sole external
provider.
2026-04-14 19:41:33 +02:00

33 lines
1.8 KiB
Plaintext

# Production env for ambrosio — copy to .env on the server and fill in secrets.
# Generate JWT triplet: bash infra/scripts/rotate-jwt.sh
# ── Domains (change if you migrate to new hostnames) ────────────────────────
PUBLIC_APP_URL=https://erosi.oier.ovh
PUBLIC_SUPABASE_URL=https://erosi.oier.ovh
PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh
PUBLIC_KEYCLOAK_REALM=colectivo
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
# Keycloak sees this as its canonical hostname (KC_HOSTNAME).
KEYCLOAK_HOSTNAME=auth.oier.ovh
# ── Postgres (single password for all internal roles) ───────────────────────
POSTGRES_PASSWORD=CHANGEME-strong-random-password
# ── Supabase JWT triplet (regenerate every 90 days) ─────────────────────────
# Produce all three with: bash infra/scripts/rotate-jwt.sh
SUPABASE_JWT_SECRET=CHANGEME-openssl-rand-base64-48
PUBLIC_SUPABASE_ANON_KEY=CHANGEME-sign-with-above
SUPABASE_SERVICE_ROLE_KEY=CHANGEME-sign-with-above
# ── Keycloak admin + client secret ──────────────────────────────────────────
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=CHANGEME-strong-random-password
# Must match the `secret` field of the colectivo-web client in realm-export.erosi.json.
KEYCLOAK_CLIENT_SECRET=CHANGEME-client-secret-32-chars
# ── Realtime encryption ─────────────────────────────────────────────────────
# DB_ENC_KEY: exactly 16 characters. SECRET_KEY_BASE: ≥ 64 characters.
REALTIME_ENC_KEY=CHANGEME16charkey
REALTIME_SECRET_KEY_BASE=CHANGEME-openssl-rand-base64-64-at-minimum-so-phoenix-is-happy