Add better prod setup

This commit is contained in:
Joey Yakimowich-Payne 2026-01-15 08:40:40 -07:00
commit c25cbf5101
No known key found for this signature in database
GPG key ID: 6BFE655FA5ABD1E1
2 changed files with 300 additions and 9 deletions


@ -2,7 +2,35 @@
This guide provides instructions for deploying Kaboot to a production environment with Caddy reverse proxy and automatic HTTPS.
## Quick Start (Caddy + Automated Authentik Setup)
## Quick Start (Automated Setup)
The easiest way to deploy Kaboot is using the automated setup script:
```bash
# Run the production setup script with your domains
./scripts/setup-prod.sh --domain kaboot.example.com --auth-domain auth.example.com
# Or run interactively (will prompt for domains)
./scripts/setup-prod.sh
```
This script automatically:
- Generates all required secrets (database passwords, API tokens, etc.)
- Creates the production `.env` file
- Creates the `Caddyfile` with your domains
- Creates the Authentik production blueprint
- Removes the development blueprint
- Builds the frontend with production URLs
After running the script, start the stack:
```bash
docker compose -f docker-compose.prod.yml -f docker-compose.caddy.yml up -d
```
## Manual Setup
If you prefer to configure manually, follow these steps:
```bash
# 1. Generate secrets
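Review bot: The Quick Start does not say what `setup-prod.sh` does when a `.env` or `Caddyfile` already exists. Since the script generates the database passwords and writes the production `.env`, re-running it on a host whose Postgres volume was already initialised with the previous password would leave the stack unable to connect; state whether the script refuses to overwrite existing files or prompts before doing so, or document that it is meant to be run once per deployment. It would also help to say what permissions the script sets on `.env` (e.g. `chmod 600 .env`), since that file now holds every secret for the deployment.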
@ -59,16 +87,22 @@ In production, the stack consists of:
## Environment Variables
Create a production `.env` file. Do not commit this file to version control.
The `setup-prod.sh` script generates the `.env` file automatically. If you need to create it manually, here's the required configuration:
### Backend & Authentik Configuration
```env
# Database Passwords (Generated by setup.sh)
# Database (generate with: openssl rand -base64 36)
PG_PASS=your_strong_postgres_password
PG_USER=authentik
PG_DB=authentik
# Authentik Secrets (generate with: openssl rand -base64 60)
AUTHENTIK_SECRET_KEY=your_strong_authentik_secret
# Bootstrap credentials (Generated by setup.sh)
# Bootstrap credentials - used for initial Authentik setup
# AUTHENTIK_BOOTSTRAP_PASSWORD: Admin password (generate with: openssl rand -base64 24)
# AUTHENTIK_BOOTSTRAP_TOKEN: API token (generate with: openssl rand -hex 32)
AUTHENTIK_BOOTSTRAP_PASSWORD=your_admin_password
AUTHENTIK_BOOTSTRAP_TOKEN=your_api_token
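Review bot: The comment block above `AUTHENTIK_BOOTSTRAP_PASSWORD` / `AUTHENTIK_BOOTSTRAP_TOKEN` says the values are used for initial Authentik setup but not what to do with them afterwards. The token is an admin API token and it stays in `.env` after the first start; add a sentence telling the operator to delete or rotate both values once setup is complete and to change the admin password on first login, so the bootstrap credentials do not remain valid for the lifetime of the deployment.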
@ -78,15 +112,18 @@ OIDC_JWKS_URI=https://auth.example.com/application/o/kaboot/jwks/
# Security
CORS_ORIGIN=https://kaboot.example.com
NODE_ENV=production
LOG_REQUESTS=true
```
### Frontend Configuration
The frontend requires environment variables at build time:
The frontend requires environment variables at **build time** (not runtime):
- `VITE_API_URL`: `https://kaboot.example.com/api`
- `VITE_OIDC_AUTHORITY`: `https://auth.example.com/application/o/kaboot/`
The `setup-prod.sh` script sets these automatically when building.
## Docker Compose Files
The project includes pre-configured compose files:
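Review bot: The new wording `at **build time** (not runtime)` should spell out the consequence: changing `VITE_API_URL` or `VITE_OIDC_AUTHORITY` later requires rebuilding the frontend, and `CORS_ORIGIN` a few lines up must be the origin the built frontend is actually served from; if the frontend and API are ever split onto different hosts, both values have to be updated together. Also, `LOG_REQUESTS=true` sits under `# Security` with no explanation of what is logged; say whether request logs include headers or query strings so operators know whether tokens can end up in log output.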
@ -236,9 +273,19 @@ server {
## Authentik Configuration for Production
### Option A: Automated Setup with Blueprint (Recommended)
### Option A: Automated Setup (Recommended)
Use the production blueprint for automated configuration:
The `setup-prod.sh` script handles all Authentik configuration automatically:
```bash
./scripts/setup-prod.sh --domain your-app.com --auth-domain auth.your-app.com
```
This creates the production blueprint with your domains and removes the development blueprint.
### Option B: Manual Blueprint Setup
If configuring manually:
```bash
# 1. Copy and configure the production blueprint
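Review bot: Option A says the script `removes the development blueprint`, but the ordering matters and is not stated. Authentik applies blueprints on startup, so the development blueprint has to be gone before the first `up` of the production stack; deleting the file after it has already been applied does not remove the objects it created. Add that `setup-prod.sh` must run before the stack is ever started with the production compose files. Minor: the example in this hunk uses `your-app.com` / `auth.your-app.com` while the rest of the guide uses `kaboot.example.com` / `auth.example.com`; keep one pair.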
@ -257,7 +304,7 @@ rm authentik/blueprints/kaboot-setup.yaml
docker compose -f docker-compose.prod.yml up -d
```
### Option B: Manual Configuration
### Option C: Manual UI Configuration
1. **Update Redirect URIs**: In the Authentik Admin interface, go to **Applications** > **Providers** > **Kaboot OAuth2**. Update the **Redirect URIs** to use your production domain:
- `https://kaboot.example.com/callback`
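Review bot: The start command in Option B, `docker compose -f docker-compose.prod.yml up -d`, omits `docker-compose.caddy.yml`, which the Quick Start includes in `docker compose -f docker-compose.prod.yml -f docker-compose.caddy.yml up -d`. If the Caddy override is what provides HTTPS, the manual blueprint path as written starts the stack without the reverse proxy; either add the second `-f` here or note that the Caddy file is optional and when it should be included.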
@ -291,7 +338,7 @@ docker exec kaboot-postgresql pg_dump -U authentik authentik > authentik_backup_
## Security Checklist
- [ ] Run `./scripts/setup.sh` to generate strong secrets (don't use defaults).
- [ ] Run `./scripts/setup-prod.sh` to generate strong secrets (don't use defaults).
- [ ] Ensure `NODE_ENV` is set to `production`.
- [ ] Use HTTPS for all connections (Caddy handles this automatically).
- [ ] Set `CORS_ORIGIN` to your specific frontend domain (e.g., `https://kaboot.example.com`).
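Review bot: The checklist fixes the script name but still misses the two secrets-handling steps the rest of this diff introduces: restricting `.env` to the deploying user (e.g. `chmod 600 .env`) and removing or rotating `AUTHENTIK_BOOTSTRAP_PASSWORD` / `AUTHENTIK_BOOTSTRAP_TOKEN` once the initial Authentik setup is done. Both belong here as checkbox items next to `Run ./scripts/setup-prod.sh`.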