Document what we learned doing the real NetBird+Traefik migration: - Keycloak realm/client names are operator-chosen; the realm-export.json's literal "colectivo-web" / "colectivo" values are illustrative, not required. - Legacy Keycloak /auth/ base path: PUBLIC_KEYCLOAK_URL must include the suffix when the deployment serves realms under /auth/realms/... (hit this on auth.fosil.eu). Verify with the discovery URL returning 200. - NetBird's installer deploys Traefik with idleTimeout=0 (unlimited) by default — verify instead of prescribing 3600s. - Runbook: --no-cache fixes the intermittent vite SSR "transforming..." hang that surfaces as a PostHog shutdown timeout. - Runbook: any PUBLIC_* change needs an app rebuild (build args); secret changes only need `docker compose restart auth`. - Runbook: TRUNCATE recipe for wiping all app + auth data while keeping schema + migration tracking intact. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
6.9 KiB
Deployment
Production stack — ambrosio (OVH VPS)
Live URL: https://erosi.limonia.net (app + Supabase API, single-domain). Keycloak is external — its URL is set via PUBLIC_KEYCLOAK_URL in /opt/colectivo/.env. OVH VPS, Ubuntu 24, Docker 29.
infra/docker-compose.erosi.yml— full stack (db, auth, rest, realtime, storage, imgproxy, kong, app).studio,meta, and the bundledkeycloakservice are intentionally absent.kongandappattach to two Docker networks:colectivo(internal, for DB and inter-service traffic) andtraefik(external, named via${TRAEFIK_NETWORK}— the Traefik instance that NetBird's self-hosted installer deployed).- Reverse proxy: Traefik owns ports 80 + 443 on ambrosio. It discovers our services via
traefik.*labels (Docker provider):erosi-kong(priority 100) catches/rest/v1,/auth/v1,/realtime/v1,/storage/v1,/graphql/v1,/pgonerosi.limonia.net→kong:8000;erosi-app(priority 1) catches everything else on the same host →app:3000. TLS via Traefik's certresolver (${TRAEFIK_CERTRESOLVER}, defaults toletsencrypt). No container binds a host port. infra/scripts/deploy-erosi.sh— idempotent redeploy: rsync → on first run generate secrets + write/opt/colectivo/.envwith placeholders the operator fills in (PUBLIC_KEYCLOAK_URL,KEYCLOAK_CLIENT_SECRET,TRAEFIK_NETWORK) → subsequent runs fail fast if any placeholder is unfilled → docker compose build + up → apply pending migrations. Never touches/etc/caddy/*, never runssudo.keycloak/realm-export.erosi.json— not imported by this stack (no bundled Keycloak). Kept as reference for what the external Keycloak client must have — realm name, client id, and client secret are operator-chosen and wired in via.env(PUBLIC_KEYCLOAK_REALM,PUBLIC_KEYCLOAK_CLIENT_ID,KEYCLOAK_CLIENT_SECRET), so the file's literalcolectivo-web/colectivovalues are illustrative, not required. What the client must actually have:redirectUris: ["https://erosi.limonia.net/*", "https://erosi.limonia.net/auth/v1/callback"],webOrigins: ["https://erosi.limonia.net"], confidential,openidas a default client scope withinclude.in.token.scope=true..env.erosi.example— committed template. The real/opt/colectivo/.envon ambrosio is 600 and stays on the server.
Pre-deploy prerequisites
- External Keycloak reachable from ambrosio's Docker network (outbound HTTPS). Realm + confidential client configured as described above;
.envgetsPUBLIC_KEYCLOAK_URL,PUBLIC_KEYCLOAK_REALM,PUBLIC_KEYCLOAK_CLIENT_ID,KEYCLOAK_CLIENT_SECRET. If the Keycloak deployment uses the legacy/auth/base path (Keycloak ≤ 16 default; some distributions still carry it —auth.fosil.euis one) thenPUBLIC_KEYCLOAK_URLmust include it, e.g.https://auth.example.com/auth. Verify by opening${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}/.well-known/openid-configuration— it should return 200 JSON; 404 means the base path is wrong. - Users in the external Keycloak must match existing
auth.usersUUIDs (auth.users.id = keycloak sub) or the stack starts fresh with no prior users. Re-registering produces new sub UUIDs; either re-seedauth.users+auth.identitiesor wipe and start over. - Traefik idle timeout on the HTTPS entrypoint — NetBird's installer sets
--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=0(unlimited) by default, which is what Realtime WebSockets need. Verify withdocker inspect netbird-traefik --format '{{range .Args}}{{.}}{{"\n"}}{{end}}' | grep idleTimeout. If it's not0or≥3600s, bump it — otherwise active shopping sessions disconnect. - DNS for
erosi.limonia.net→ ambrosio (A/AAAA). - Host Caddy disabled:
sudo systemctl stop caddy && sudo systemctl disable caddy. Withoutdisable, the unit comes back on reboot and races Traefik for 80/443. Remove any# BEGIN colectivo-erosi … # ENDblock from/etc/caddy/Caddyfilefor tidiness.
Prod-specific fixes
Had to be made for the stack to boot cleanly on a fresh volume:
infra/db-init/00-role-passwords.sh— rewrote as idempotent bootstrap (see the "supabase/postgres doesn't bootstrap Supabase roles" gotcha inCLAUDE.md): creates all Supabase service roles if absent, enablespg_cron+pgcrypto+uuid-ossp, createsauth/storage/graphql_public/_realtime/realtimeschemas + emptysupabase_realtimepublication, setssupabase_auth_adminsearch_path toauth. The old00-role-passwords.sql(ALTER-only) has been removed.apps/web/vite.config.ts— PWA strategy switchedinjectManifest→generateSW(see the "injectManifest hardcoded filename" gotcha inCLAUDE.md).
Runbook
App build hang / PostHog timeout
The app image's final build stage (pnpm --filter @colectivo/web build → vite SSR) occasionally stalls during transforming... and ~9 minutes later dies with UnhandledPromiseRejection: "Timeout while shutting down PostHog". Intermittent; reproducible across rebuilds with the same layer cache.
Fix: rebuild with --no-cache once:
ssh ambrosio 'cd /opt/colectivo && docker compose --env-file .env -f infra/docker-compose.erosi.yml build --no-cache app'
Subsequent normal builds succeed. Run inside tmux if you're on a flaky SSH link — the no-cache build takes 5–15 minutes and losing the connection kills BuildKit.
Changing PUBLIC_* env values (URL, realm, client id)
Any change to PUBLIC_APP_URL, PUBLIC_SUPABASE_URL, PUBLIC_KEYCLOAK_URL, PUBLIC_KEYCLOAK_REALM, PUBLIC_KEYCLOAK_CLIENT_ID requires an app rebuild (those values are baked into the client bundle at build time via docker-compose.erosi.yml build args). After editing .env:
ssh ambrosio 'cd /opt/colectivo && docker compose --env-file .env -f infra/docker-compose.erosi.yml build app && docker compose --env-file .env -f infra/docker-compose.erosi.yml up -d'
KEYCLOAK_CLIENT_SECRET is runtime-only (GoTrue reads it) — for that one a docker compose restart auth is enough.
Wipe all app + auth data (keep schema, keep migrations)
When switching Keycloak realms or starting fresh:
BEGIN;
TRUNCATE TABLE public.notes, public.tasks, public.task_lists,
public.shopping_items, public.shopping_lists, public.item_frequency,
public.collective_invitations, public.collective_members, public.collectives,
public.users
RESTART IDENTITY CASCADE;
TRUNCATE TABLE auth.refresh_tokens, auth.sessions, auth.identities, auth.users
RESTART IDENTITY CASCADE;
COMMIT;
CASCADE also empties auth.mfa_factors, auth.mfa_amr_claims, auth.mfa_challenges, auth.one_time_tokens — expected. Never touch auth.schema_migrations or public._applied_migrations (they track what DDL has been applied).
Not yet configured on ambrosio
- SMTP (Resend)
- Automated backups — script exists at
infra/scripts/backup.sh, not scheduled - Lighthouse run against prod URL
- Final production icons