Files
collective-lists/docs/deployment.md
Oier Bravo Urtasun dee9ee8014 docs(deploy): runbook + fixes from the limonia.net cutover
Document what we learned doing the real NetBird+Traefik migration:

- Keycloak realm/client names are operator-chosen; the realm-export.json's
  literal "colectivo-web" / "colectivo" values are illustrative, not required.
- Legacy Keycloak /auth/ base path: PUBLIC_KEYCLOAK_URL must include the
  suffix when the deployment serves realms under /auth/realms/... (hit this
  on auth.fosil.eu). Verify with the discovery URL returning 200.
- NetBird's installer deploys Traefik with idleTimeout=0 (unlimited) by
  default — verify instead of prescribing 3600s.
- Runbook: --no-cache fixes the intermittent vite SSR "transforming..."
  hang that surfaces as a PostHog shutdown timeout.
- Runbook: any PUBLIC_* change needs an app rebuild (build args); secret
  changes only need `docker compose restart auth`.
- Runbook: TRUNCATE recipe for wiping all app + auth data while keeping
  schema + migration tracking intact.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 01:58:00 +02:00

67 lines
6.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Deployment
## Production stack — ambrosio (OVH VPS)
Live URL: **https://erosi.limonia.net** (app + Supabase API, single-domain). Keycloak is external — its URL is set via `PUBLIC_KEYCLOAK_URL` in `/opt/colectivo/.env`. OVH VPS, Ubuntu 24, Docker 29.
- `infra/docker-compose.erosi.yml` — full stack (db, auth, rest, realtime, storage, imgproxy, kong, app). `studio`, `meta`, and the bundled `keycloak` service are intentionally absent. `kong` and `app` attach to two Docker networks: `colectivo` (internal, for DB and inter-service traffic) and `traefik` (external, named via `${TRAEFIK_NETWORK}` — the Traefik instance that NetBird's self-hosted installer deployed).
- **Reverse proxy**: Traefik owns ports 80 + 443 on ambrosio. It discovers our services via `traefik.*` labels (Docker provider): `erosi-kong` (priority 100) catches `/rest/v1`, `/auth/v1`, `/realtime/v1`, `/storage/v1`, `/graphql/v1`, `/pg` on `erosi.limonia.net``kong:8000`; `erosi-app` (priority 1) catches everything else on the same host → `app:3000`. TLS via Traefik's certresolver (`${TRAEFIK_CERTRESOLVER}`, defaults to `letsencrypt`). No container binds a host port.
- `infra/scripts/deploy-erosi.sh` — idempotent redeploy: rsync → on first run generate secrets + write `/opt/colectivo/.env` with placeholders the operator fills in (`PUBLIC_KEYCLOAK_URL`, `KEYCLOAK_CLIENT_SECRET`, `TRAEFIK_NETWORK`) → subsequent runs fail fast if any placeholder is unfilled → docker compose build + up → apply pending migrations. Never touches `/etc/caddy/*`, never runs `sudo`.
- `keycloak/realm-export.erosi.json`**not imported** by this stack (no bundled Keycloak). Kept as reference for what the external Keycloak client must have — realm name, client id, and client secret are operator-chosen and wired in via `.env` (`PUBLIC_KEYCLOAK_REALM`, `PUBLIC_KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET`), so the file's literal `colectivo-web` / `colectivo` values are illustrative, not required. What the client must actually have: `redirectUris: ["https://erosi.limonia.net/*", "https://erosi.limonia.net/auth/v1/callback"]`, `webOrigins: ["https://erosi.limonia.net"]`, confidential, `openid` as a default client scope with `include.in.token.scope=true`.
- `.env.erosi.example` — committed template. The real `/opt/colectivo/.env` on ambrosio is 600 and stays on the server.
## Pre-deploy prerequisites
1. **External Keycloak** reachable from ambrosio's Docker network (outbound HTTPS). Realm + confidential client configured as described above; `.env` gets `PUBLIC_KEYCLOAK_URL`, `PUBLIC_KEYCLOAK_REALM`, `PUBLIC_KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET`. **If the Keycloak deployment uses the legacy `/auth/` base path** (Keycloak ≤ 16 default; some distributions still carry it — `auth.fosil.eu` is one) then `PUBLIC_KEYCLOAK_URL` must include it, e.g. `https://auth.example.com/auth`. Verify by opening `${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}/.well-known/openid-configuration` — it should return 200 JSON; 404 means the base path is wrong.
2. **Users in the external Keycloak must match existing `auth.users` UUIDs** (`auth.users.id = keycloak sub`) or the stack starts fresh with no prior users. Re-registering produces new sub UUIDs; either re-seed `auth.users` + `auth.identities` or wipe and start over.
3. **Traefik idle timeout on the HTTPS entrypoint** — NetBird's installer sets `--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=0` (unlimited) by default, which is what Realtime WebSockets need. Verify with `docker inspect netbird-traefik --format '{{range .Args}}{{.}}{{"\n"}}{{end}}' | grep idleTimeout`. If it's not `0` or `≥3600s`, bump it — otherwise active shopping sessions disconnect.
4. **DNS** for `erosi.limonia.net` → ambrosio (A/AAAA).
5. **Host Caddy disabled**: `sudo systemctl stop caddy && sudo systemctl disable caddy`. Without `disable`, the unit comes back on reboot and races Traefik for 80/443. Remove any `# BEGIN colectivo-erosi … # END` block from `/etc/caddy/Caddyfile` for tidiness.
## Prod-specific fixes
Had to be made for the stack to boot cleanly on a fresh volume:
- `infra/db-init/00-role-passwords.sh` — rewrote as idempotent bootstrap (see the "supabase/postgres doesn't bootstrap Supabase roles" gotcha in `CLAUDE.md`): creates all Supabase service roles if absent, enables `pg_cron` + `pgcrypto` + `uuid-ossp`, creates `auth` / `storage` / `graphql_public` / `_realtime` / `realtime` schemas + empty `supabase_realtime` publication, sets `supabase_auth_admin` search_path to `auth`. The old `00-role-passwords.sql` (ALTER-only) has been removed.
- `apps/web/vite.config.ts` — PWA strategy switched `injectManifest``generateSW` (see the "injectManifest hardcoded filename" gotcha in `CLAUDE.md`).
## Runbook
### App build hang / PostHog timeout
The `app` image's final build stage (`pnpm --filter @colectivo/web build` → vite SSR) occasionally stalls during `transforming...` and ~9 minutes later dies with `UnhandledPromiseRejection: "Timeout while shutting down PostHog"`. Intermittent; reproducible across rebuilds with the same layer cache.
Fix: rebuild with `--no-cache` once:
```sh
ssh ambrosio 'cd /opt/colectivo && docker compose --env-file .env -f infra/docker-compose.erosi.yml build --no-cache app'
```
Subsequent normal builds succeed. Run inside `tmux` if you're on a flaky SSH link — the no-cache build takes 515 minutes and losing the connection kills BuildKit.
### Changing `PUBLIC_*` env values (URL, realm, client id)
Any change to `PUBLIC_APP_URL`, `PUBLIC_SUPABASE_URL`, `PUBLIC_KEYCLOAK_URL`, `PUBLIC_KEYCLOAK_REALM`, `PUBLIC_KEYCLOAK_CLIENT_ID` requires an **app rebuild** (those values are baked into the client bundle at build time via `docker-compose.erosi.yml` build args). After editing `.env`:
```sh
ssh ambrosio 'cd /opt/colectivo && docker compose --env-file .env -f infra/docker-compose.erosi.yml build app && docker compose --env-file .env -f infra/docker-compose.erosi.yml up -d'
```
`KEYCLOAK_CLIENT_SECRET` is runtime-only (GoTrue reads it) — for that one a `docker compose restart auth` is enough.
### Wipe all app + auth data (keep schema, keep migrations)
When switching Keycloak realms or starting fresh:
```sql
BEGIN;
TRUNCATE TABLE public.notes, public.tasks, public.task_lists,
public.shopping_items, public.shopping_lists, public.item_frequency,
public.collective_invitations, public.collective_members, public.collectives,
public.users
RESTART IDENTITY CASCADE;
TRUNCATE TABLE auth.refresh_tokens, auth.sessions, auth.identities, auth.users
RESTART IDENTITY CASCADE;
COMMIT;
```
CASCADE also empties `auth.mfa_factors`, `auth.mfa_amr_claims`, `auth.mfa_challenges`, `auth.one_time_tokens` — expected. Never touch `auth.schema_migrations` or `public._applied_migrations` (they track what DDL has been applied).
## Not yet configured on ambrosio
- SMTP (Resend)
- Automated backups — script exists at `infra/scripts/backup.sh`, not scheduled
- Lighthouse run against prod URL
- Final production icons