honeyDueAPI/deploy-k3s/config.yaml.example
Trey t 9ea058347f
Fix Apple Sign In: update bundle IDs from old com.tt.honeyDue.* to com.myhoneydue.*
The iOS app was renamed (MyCrib → Casera → honeyDue) and the bundle ID
was updated to com.myhoneydue.honeyDue (release) / .dev (debug), but
APPLE_CLIENT_ID and APNS_TOPIC across env templates and k3s configs
still pointed at the old com.tt.honeyDue.honeyDueDev value. This made
verifyAudience reject every Apple identity token (aud claim mismatch).

Updated:
- deploy/prod.env.example: bundle ID + comment that empty client_id
  rejects all tokens with DEBUG=false
- .env.example: add Sign in with Apple block (was missing entirely)
- deploy-k3s{,-dev}/config.yaml.example: apple_auth.client_id default
- deploy-k3s-dev/scripts/00-init.sh: same
- docker-compose.dev.yml: APNS_TOPIC fallback
- docs/deployment/10-secrets-config.md: doc reference

The live deploy/prod.env and local .env are .gitignored — they were
edited in place and need to ship via deploy_prod.sh to take effect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 23:58:44 -05:00

# config.yaml — single source of truth for honeyDue K3s deployment
# Copy to config.yaml, fill in all empty values, then run scripts in order.
# This file is gitignored — never commit it with real values.

# --- Hetzner Cloud ---
cluster:
  hcloud_token: ""        # Hetzner API token (Read/Write)
  ssh_public_key: ~/.ssh/id_ed25519.pub
  ssh_private_key: ~/.ssh/id_ed25519
  k3s_version: v1.31.4+k3s1
  location: fsn1          # Hetzner datacenter
  instance_type: cx33     # 4 vCPU, 16GB RAM
  # Filled by 01-provision-cluster.sh, or manually after creating servers
  nodes:
    - name: honeydue-master1
      ip: ""
      roles: [master, redis]  # 'redis' = pin Redis PVC here
    - name: honeydue-master2
      ip: ""
      roles: [master]
    - name: honeydue-master3
      ip: ""
      roles: [master]
  # Hetzner Load Balancer IP (created in console after provisioning)
  load_balancer_ip: ""

# --- Domains ---
domains:
  api: api.myhoneydue.com
  admin: admin.myhoneydue.com
  base: myhoneydue.com

# --- Container Registry (GHCR) ---
registry:
  server: ghcr.io
  namespace: ""   # GitHub username or org
  username: ""    # GitHub username
  token: ""       # PAT with read:packages, write:packages

# --- Database (Neon PostgreSQL) ---
database:
  host: ""        # e.g. ep-xxx.us-east-2.aws.neon.tech
  port: 5432
  user: ""
  name: honeydue
  sslmode: require
  max_open_conns: 25
  max_idle_conns: 10
  max_lifetime: "600s"

# --- Email (Fastmail) ---
email:
  host: smtp.fastmail.com
  port: 587
  user: ""        # Fastmail email address
  from: "honeyDue <noreply@myhoneydue.com>"
  use_tls: true

# --- Push Notifications ---
push:
  apns_key_id: ""
  apns_team_id: ""
  apns_topic: com.myhoneydue.honeyDue
  apns_production: true
  apns_use_sandbox: false

# --- B2 Object Storage ---
storage:
  b2_key_id: ""
  b2_app_key: ""
  b2_bucket: ""
  b2_endpoint: ""   # e.g. s3.us-west-004.backblazeb2.com
  max_file_size: 10485760
  allowed_types: "image/jpeg,image/png,image/gif,image/webp,application/pdf"

# --- Worker Schedules (UTC hours) ---
worker:
  task_reminder_hour: 14
  overdue_reminder_hour: 15
  daily_digest_hour: 3

# --- Feature Flags ---
features:
  push_enabled: true
  email_enabled: true
  webhooks_enabled: true
  onboarding_emails_enabled: true
  pdf_reports_enabled: true
  worker_enabled: true

# --- Redis ---
redis:
  password: ""    # Set a strong password; leave empty for no auth (NOT recommended for production)

# --- Admin Panel ---
admin:
  basic_auth_user: ""       # HTTP basic auth username for admin panel
  basic_auth_password: ""   # HTTP basic auth password for admin panel

# --- Apple Auth / IAP (optional, leave empty if unused) ---
# client_id MUST equal the iOS Release bundle ID — Apple identity tokens
# are rejected if the `aud` claim doesn't match.
apple_auth:
  client_id: "com.myhoneydue.honeyDue"
  team_id: ""
  iap_key_id: ""
  iap_issuer_id: ""
  iap_bundle_id: ""
  iap_key_path: ""
  iap_sandbox: false

# --- Google Auth / IAP (optional, leave empty if unused) ---
google_auth:
  client_id: ""
  android_client_id: ""
  ios_client_id: ""
  iap_package_name: ""
  iap_service_account_path: ""
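The `aud` check that the commit message and the `apple_auth.client_id` comment describe, as an added example in Go. This is not honeyDueAPI's own `verifyAudience`; the function signatures, the handling of both string and array `aud` values, and the choice to reject on an empty client ID are assumptions, and the DEBUG relaxation mentioned in the commit is not modeled.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var errAudMismatch = errors.New("apple auth: aud claim does not match APPLE_CLIENT_ID")

// verifyAudience accepts a token only if some aud value equals clientID, the iOS
// Release bundle ID (com.myhoneydue.honeyDue). The JWT spec lets aud be a string
// or an array, so both are handled; an empty clientID rejects every token.
func verifyAudience(aud interface{}, clientID string) error {
	if clientID == "" {
		return errors.New("apple auth: APPLE_CLIENT_ID is empty, every token is rejected")
	}
	switch v := aud.(type) {
	case string:
		if v == clientID {
			return nil
		}
	case []interface{}:
		for _, a := range v {
			if s, ok := a.(string); ok && s == clientID {
				return nil
			}
		}
	}
	return errAudMismatch
}

// checkTokenAudience decodes a compact JWT's payload and runs the audience check.
// It does NOT verify the signature: validate against Apple's signing keys first.
func checkTokenAudience(token, clientID string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("apple auth: malformed compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return err
	}
	return verifyAudience(claims["aud"], clientID)
}
```

With the old `com.tt.honeyDue.honeyDueDev` value still configured, every token minted for the renamed app fails this check, which is exactly the symptom the commit fixes.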