9ea058347f
The iOS app was renamed (MyCrib → Casera → honeyDue) and the bundle ID
was updated to com.myhoneydue.honeyDue (release) / .dev (debug), but
APPLE_CLIENT_ID and APNS_TOPIC across env templates and k3s configs
still pointed at the old com.tt.honeyDue.honeyDueDev value. This made
verifyAudience reject every Apple identity token (aud claim mismatch).
Updated:
- deploy/prod.env.example: bundle ID + comment that empty client_id
rejects all tokens with DEBUG=false
- .env.example: add Sign in with Apple block (was missing entirely)
- deploy-k3s{,-dev}/config.yaml.example: apple_auth.client_id default
- deploy-k3s-dev/scripts/00-init.sh: same
- docker-compose.dev.yml: APNS_TOPIC fallback
- docs/deployment/10-secrets-config.md: doc reference
The live deploy/prod.env and local .env are .gitignored — they were
edited in place and need to ship via deploy_prod.sh to take effect.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
# config.yaml — single source of truth for honeyDue K3s DEV deployment
# Copy to config.yaml, fill in all empty values, then run scripts in order.
# This file is gitignored — never commit it with real values.
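# --- Server ---
# Host that the deployment scripts presumably reach over SSH — confirm.
# NOTE(review): the template defaults to logging in as root. Where the host
# offers a sudo-capable deploy account, prefer it and keep direct root SSH
# login disabled — confirm the scripts work without root first.
server:
  host: ""  # Server IP or SSH config alias
  user: root  # SSH user
  # Path to the private key for the SSH login; only the path belongs here,
  # never the key material.
  # NOTE(review): the leading ~ must be expanded by the consumer — confirm.
  ssh_key: ~/.ssh/id_ed25519
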
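# --- Domains ---
# Public hostnames of the dev environment.
# NOTE(review): with tls.mode=letsencrypt these names presumably have to
# resolve to the server before a certificate can be issued — confirm.
domains:
  api: devapi.myhoneydue.com
  admin: devadmin.myhoneydue.com
  base: dev.myhoneydue.com
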
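# --- Container Registry (GHCR) ---
# The token below is a credential stored in this file: keep the filled-in
# config.yaml readable by the operator only, and rotate the PAT if the file
# is ever copied or shared.
# NOTE(review): write:packages is only needed where images are pushed. If the
# cluster only pulls, a separate read:packages token for the pull secret
# limits what a leaked token can do — confirm which scripts push.
registry:
  server: ghcr.io
  namespace: ""  # GitHub username or org
  username: ""  # GitHub username
  token: ""  # PAT with read:packages, write:packages
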
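# --- Database (in-cluster PostgreSQL) ---
# Database name, role and connection-pool limits. The password is kept out
# of this file on purpose (see the comment inside the section).
database:
  name: honeydue_dev
  user: honeydue
  # password goes in secrets/postgres_password.txt
  max_open_conns: 10
  max_idle_conns: 5
  # Quoted so the value stays a string; the "s" suffix suggests a duration in
  # seconds — confirm the format the server parses.
  max_lifetime: "600s"
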
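# --- Email (Fastmail) ---
# SMTP submission settings.
# NOTE(review): no SMTP password key appears in this section; presumably it
# is supplied through a secrets/ file like the database password — confirm.
email:
  host: smtp.fastmail.com
  port: 587  # mail submission port
  user: ""  # Fastmail email address
  from: "honeyDue DEV <noreply@myhoneydue.com>"
  # Keep true so the SMTP login is not sent over an unencrypted connection.
  use_tls: true
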
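# --- Push Notifications ---
# apns_topic is the bundle ID of the app build that receives the pushes; for
# this dev backend that is the Debug build (".dev" suffix). A topic that does
# not match the installed app's bundle ID means pushes are not delivered.
push:
  apns_key_id: ""
  apns_team_id: ""
  apns_topic: com.myhoneydue.honeyDue.dev
  # NOTE(review): apns_production and apns_use_sandbox look like two switches
  # for the same choice; keep them opposite and confirm which one the server
  # actually reads.
  apns_production: false
  apns_use_sandbox: true  # Sandbox for dev
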
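# --- Object Storage (in-cluster MinIO — S3-compatible, replaces B2) ---
# NOTE(review): these are the MinIO root credentials. If the application uses
# them directly, a separate access key scoped to the bucket would be a
# tighter default — confirm how the app authenticates.
storage:
  minio_root_user: honeydue  # MinIO access key
  # minio_root_password goes in secrets/minio_root_password.txt
  bucket: honeydue-dev
  max_file_size: 10485760  # 10 * 1024 * 1024; presumably bytes — confirm
  # Comma-separated allow-list of upload MIME types.
  # NOTE(review): confirm the server checks the detected content type of the
  # uploaded bytes, not only the type the client declares.
  allowed_types: "image/jpeg,image/png,image/gif,image/webp,application/pdf"
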
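# --- Worker Schedules (UTC hours) ---
# Hour of the day, in UTC per the section title, at which each job runs.
# Presumably valid values are 0-23 — confirm against the worker.
worker:
  task_reminder_hour: 14
  overdue_reminder_hour: 15
  daily_digest_hour: 3
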
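# --- Feature Flags ---
# Boolean switches, written as lowercase true/false so that every YAML parser
# reads them as booleans.
features:
  push_enabled: true
  email_enabled: false  # Disabled for dev by default
  webhooks_enabled: false
  onboarding_emails_enabled: false
  pdf_reports_enabled: true
  worker_enabled: true
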
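# --- Redis ---
# NOTE(review): unlike the PostgreSQL and MinIO passwords, which go in
# secrets/*.txt, this password is stored in config.yaml itself, so the
# filled-in file must be handled as a secret. An empty value presumably
# leaves Redis without authentication — confirm the scripts refuse to deploy
# while it is empty.
redis:
  password: ""  # Set a strong password
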
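# --- Admin Panel ---
# HTTP basic auth sends these credentials with every request, only
# base64-encoded, so the admin host must be served over TLS exclusively (see
# the tls section). Use a generated password that is not reused elsewhere;
# it is stored in this file in clear text.
admin:
  basic_auth_user: ""  # HTTP basic auth username
  basic_auth_password: ""  # HTTP basic auth password
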
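# --- TLS ---
# Selects how the certificate for the public hostnames is obtained.
tls:
  mode: letsencrypt  # "letsencrypt" or "cloudflare"
  letsencrypt_email: ""  # Required if mode=letsencrypt
  # If mode=cloudflare, create secrets/cloudflare-origin.crt and .key
  # The .key file is the certificate's private key: keep it out of version
  # control and readable by the operator only.
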
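# --- Apple Auth / IAP (optional) ---
# client_id MUST equal the iOS Debug bundle ID for the dev backend.
# The backend compares it with the aud claim of every Apple identity token,
# so a stale or mistyped value makes each Sign in with Apple attempt fail.
# NOTE(review): do not blank it to work around a mismatch; confirm that an
# empty client_id rejects tokens in every build mode rather than skipping the
# audience check.
apple_auth:
  client_id: "com.myhoneydue.honeyDue.dev"
  team_id: ""
  iap_key_id: ""
  iap_issuer_id: ""
  iap_bundle_id: ""
  # Presumably the path to the App Store private key file — confirm. Store
  # only the path here and keep the key file outside the repository.
  iap_key_path: ""
  iap_sandbox: true
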
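# --- Google Auth / IAP (optional) ---
# NOTE(review): the client IDs are presumably the accepted audiences for
# Google ID tokens, checked the same way as apple_auth.client_id — confirm,
# and confirm that empty values reject tokens rather than disabling the check.
google_auth:
  client_id: ""
  android_client_id: ""
  ios_client_id: ""
  iap_package_name: ""
  # Presumably the path to a service-account key file — confirm. That file is
  # a credential: keep it outside the repository, readable by the operator
  # only.
  iap_service_account_path: ""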