Document what we learned doing the real NetBird+Traefik migration: - Keycloak realm/client names are operator-chosen; the realm-export.json's literal "colectivo-web" / "colectivo" values are illustrative, not required. - Legacy Keycloak /auth/ base path: PUBLIC_KEYCLOAK_URL must include the suffix when the deployment serves realms under /auth/realms/... (hit this on auth.fosil.eu). Verify with the discovery URL returning 200. - NetBird's installer deploys Traefik with idleTimeout=0 (unlimited) by default — verify instead of prescribing 3600s. - Runbook: --no-cache fixes the intermittent vite SSR "transforming..." hang that surfaces as a PostHog shutdown timeout. - Runbook: any PUBLIC_* change needs an app rebuild (build args); secret changes only need `docker compose restart auth`. - Runbook: TRUNCATE recipe for wiping all app + auth data while keeping schema + migration tracking intact. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
45 lines
2.6 KiB
Plaintext
45 lines
2.6 KiB
Plaintext
# Production env for ambrosio — copy to .env on the server and fill in secrets.
|
|
# Generate JWT triplet: bash infra/scripts/rotate-jwt.sh
|
|
|
|
# ── App + Supabase API (single domain, routed by Traefik on ambrosio) ──────
|
|
PUBLIC_APP_URL=https://erosi.limonia.net
|
|
PUBLIC_SUPABASE_URL=https://erosi.limonia.net
|
|
|
|
# ── External Keycloak ──────────────────────────────────────────────────────
|
|
# The client must be confidential, with `openid` as a default client scope
|
|
# (GoTrue v2.158.1 doesn't send `openid` in the OAuth scope param — Keycloak
|
|
# must inject it), redirectUris including https://erosi.limonia.net/* and
|
|
# https://erosi.limonia.net/auth/v1/callback, and webOrigins https://erosi.limonia.net.
|
|
#
|
|
# NOTE: if your Keycloak uses the legacy `/auth/` base path (Keycloak ≤ 16 and
|
|
# some later distributions), PUBLIC_KEYCLOAK_URL must include it — e.g.
|
|
# https://auth.example.com/auth. Verify before deploying: a GET on
|
|
# ${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}/.well-known/openid-configuration
|
|
# must return 200 JSON. 404 = wrong base path.
|
|
PUBLIC_KEYCLOAK_URL=https://your-keycloak.example.com
|
|
PUBLIC_KEYCLOAK_REALM=your-realm
|
|
PUBLIC_KEYCLOAK_CLIENT_ID=your-client-id
|
|
KEYCLOAK_CLIENT_SECRET=CHANGEME-paste-from-external-keycloak
|
|
|
|
# ── Traefik (deployed by NetBird's self-hosted installer on ambrosio) ──────
|
|
# Copy these three values from what you answered during the NetBird install.
|
|
# The Docker network name is mandatory (Traefik auto-discovers our kong+app
|
|
# via labels only when we join the same network).
|
|
TRAEFIK_NETWORK=netbird
|
|
TRAEFIK_ENTRYPOINT=websecure
|
|
TRAEFIK_CERTRESOLVER=letsencrypt
|
|
|
|
# ── Postgres (single password for all internal roles) ───────────────────────
|
|
POSTGRES_PASSWORD=CHANGEME-strong-random-password
|
|
|
|
# ── Supabase JWT triplet (regenerate every 90 days) ─────────────────────────
|
|
# Produce all three with: bash infra/scripts/rotate-jwt.sh
|
|
SUPABASE_JWT_SECRET=CHANGEME-openssl-rand-base64-48
|
|
PUBLIC_SUPABASE_ANON_KEY=CHANGEME-sign-with-above
|
|
SUPABASE_SERVICE_ROLE_KEY=CHANGEME-sign-with-above
|
|
|
|
# ── Realtime encryption ─────────────────────────────────────────────────────
|
|
# DB_ENC_KEY: exactly 16 characters. SECRET_KEY_BASE: ≥ 64 characters.
|
|
REALTIME_ENC_KEY=CHANGEME16charkey
|
|
REALTIME_SECRET_KEY_BASE=CHANGEME-openssl-rand-base64-64-at-minimum-so-phoenix-is-happy
|