feat: docker-compose prod setup

2025-10-30 16:21:41 +01:00 · 2025-10-30 16:21:41 +01:00 · 56fb0c26e9
commit 56fb0c26e9
parent cdc91aec57
7 changed files with 156 additions and 21 deletions
--- a/config/prod.exs
+++ b/config/prod.exs
@ -16,5 +16,16 @@ config :swoosh, local: false
 # Do not print debug messages in production
 config :logger, level: :info

+# AshAuthentication production configuration
+# These must be set at compile-time (not in runtime.exs) because
+# Application.compile_env!/3 is used in lib/accounts/user.ex
+config :mv, :session_identifier, :jti
+
+config :mv, :require_token_presence_for_authentication, true
+
+# Token signing secret - using a placeholder that MUST be overridden
+# at runtime via environment variable in config/runtime.exs
+config :mv, :token_signing_secret, "REPLACE_ME_AT_RUNTIME"
+
 # Runtime production configuration, including reading
 # of environment variables, is done on config/runtime.exs.
--- a/config/runtime.exs
+++ b/config/runtime.exs
@ -53,12 +53,23 @@ if config_env() == :prod do

  config :mv, :dns_cluster_query, System.get_env("DNS_CLUSTER_QUERY")

-  config :mv, :rauthy, redirect_uri: "http://localhost:4000/auth/user/rauthy/callback"
+  # Rauthy OIDC configuration
+  config :mv, :rauthy,
+    client_id: System.get_env("OIDC_CLIENT_ID") || "mv",
+    base_url: System.get_env("OIDC_BASE_URL") || "http://localhost:8080/auth/v1",
+    client_secret: System.get_env("OIDC_CLIENT_SECRET"),
+    redirect_uri: System.get_env("OIDC_REDIRECT_URI") || "http://#{host}:#{port}/auth/user/rauthy/callback"

-  # AshAuthentication production configuration
-  config :mv, :session_identifier, :jti
+  # Token signing secret from environment variable
+  # This overrides the placeholder value set in prod.exs
+  token_signing_secret =
+    System.get_env("TOKEN_SIGNING_SECRET") ||
+      raise """
+      environment variable TOKEN_SIGNING_SECRET is missing.
+      You can generate one by calling: mix phx.gen.secret
+      """

-  config :mv, :require_token_presence_for_authentication, true
+  config :mv, :token_signing_secret, token_signing_secret

  config :mv, MvWeb.Endpoint,
    url: [host: host, port: 443, scheme: "https"],
@ -70,7 +81,13 @@ if config_env() == :prod do
      ip: {0, 0, 0, 0, 0, 0, 0, 0},
      port: port
    ],
-    secret_key_base: secret_key_base
+    secret_key_base: secret_key_base,
+    # Allow connections from localhost and 127.0.0.1
+    check_origin: [
+      "//#{host}",
+      "//localhost:#{port}",
+      "//127.0.0.1:#{port}"
+    ]

  # ## SSL Support
  #