2c465c01d2
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 18s
CI / ui (pull_request) Successful in 1m4s
CI / conformance (pull_request) Successful in 9s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m39s
A browser has no signed VK Mini App launch params, so linking VK on the web uses
VK ID's raw OAuth 2.1 flow (PKCE, no @vkid/sdk): the SPA redirects to VK's hosted
login and returns with an authorization code, which the gateway exchanges
server-side (confidential, under the VK "Web" app's protected key) for the trusted
vk user id — then the existing link/merge machinery attaches or merges it.
- fbs LinkVKRequest{code, device_id, code_verifier}; codec + TS bindings.
- backend link.Service ConfirmVK/MergeVK/attachVK (KindVK, mirror Telegram),
handleLinkVK[Merge], routes /user/link/vk[/merge], backendclient LinkVK[Merge].
- gateway internal/vkid confidential code exchange (id.vk.com/oauth2/auth);
transcode link.vk.confirm/merge (registered only when configured) + config
GATEWAY_VK_ID_{APP_ID,CLIENT_SECRET,REDIRECT_URL} + main wiring.
- UI lib/vkid (PKCE authorize redirect + callback), Profile "Link VK" control,
boot callback handling; a merge re-authorizes for a fresh code (VK codes are
single-use). Web-only (a redirect strands a Mini App webview).
- Deploy: VITE_VK_APP_ID + VITE_VK_ID_REDIRECT_URL build args + gateway env,
ci.yaml/prod-deploy TEST_/PROD_ vars, compose/Dockerfile/.env.example/README.
- Tests: vkid exchange unit (string/number user_id, id_token fallback, errors),
transcode link.vk, backend ConfirmVK/MergeVK inttest, codec encodeLinkVK.
- Docs: ARCHITECTURE §4, FUNCTIONAL(+ru), gateway README.
106 lines
7.0 KiB
Bash
106 lines
7.0 KiB
Bash
# Environment for deploy/docker-compose.yml. The CI deploy job (ci.yaml) maps the
|
|
# Gitea TEST_-prefixed secrets/variables onto these unprefixed names; the prod
|
|
# deploy maps the PROD_-prefixed set the same way. Copy to deploy/.env for a local run.
|
|
#
|
|
# Full reference (required vs optional, defaults, secret-vs-variable): deploy/README.md.
|
|
|
|
# --- Postgres ---------------------------------------------------------------
|
|
POSTGRES_DB=scrabble
|
|
POSTGRES_USER=scrabble
|
|
POSTGRES_PASSWORD=change-me # required
|
|
|
|
# --- Dictionary -------------------------------------------------------------
|
|
# scrabble-dictionary release tag baked into the image as the SEED dictionary for a
|
|
# FRESH volume (image build-arg; also labels the resident seed version). After first
|
|
# boot the dawg-data volume preserves versions uploaded through the admin console and
|
|
# the active version lives in the DB. On a live volume a changed value is ignored (the
|
|
# recorded .seed_version marker wins — the seed-drift guard); change a running
|
|
# contour's dictionary through /_gm/dictionary (ARCHITECTURE.md §5).
|
|
DICT_VERSION=v1.3.0
|
|
|
|
# --- Logging ----------------------------------------------------------------
|
|
LOG_LEVEL=info
|
|
|
|
# --- Finished-game export ----------------------------------------------------
|
|
# HMAC key signing the public export download URLs (/dl/*). Required; generate a
|
|
# real contour value with `openssl rand -base64 32` (Gitea TEST_/PROD_EXPORT_SIGN_KEY).
|
|
EXPORT_SIGN_KEY=dev-export-sign-key
|
|
|
|
# --- Transactional email (Selectel relay) -----------------------------------
|
|
# Confirm-code email via the shared Selectel relay (one relay for every contour;
|
|
# limit 100 msgs / 5 min). Empty SMTP_RELAY_HOST makes the backend log codes instead
|
|
# of sending (dev). Port 465 = implicit TLS, else STARTTLS; no client cert is needed.
|
|
# TLS is implicit on port 465 and STARTTLS otherwise, unless SMTP_RELAY_TLS forces it
|
|
# (ssl|starttls) — required for Selectel's non-standard ports (1127 = SSL, 1126 =
|
|
# STARTTLS). FROM must use the prod domain (Selectel only accepts the verified sender
|
|
# domain), so it is the same on every contour; a display name is fine
|
|
# (`"Игра Эрудит" <no-reply@erudit-game.ru>`). PUBLIC_BASE_URL is the canonical https
|
|
# origin for links in the email — the contour's own public URL. Gitea
|
|
# TEST_/PROD_SMTP_RELAY_* + TEST_/PROD_PUBLIC_BASE_URL.
|
|
SMTP_RELAY_HOST=
|
|
SMTP_RELAY_PORT=465
|
|
SMTP_RELAY_TLS= # empty = auto by port; ssl | starttls to force
|
|
SMTP_RELAY_USER= # secret
|
|
SMTP_RELAY_PASS= # secret
|
|
SMTP_RELAY_FROM=no-reply@erudit-game.ru
|
|
PUBLIC_BASE_URL= # required when SMTP_RELAY_HOST is set (e.g. https://erudit-game.ru)
|
|
|
|
# Operator alerts (email). The backend emails the admin on new feedback / word complaints
|
|
# (coalesced), and Grafana emails infra alerts. Distinct senders; recipients may be several
|
|
# comma-separated addresses. Grafana reuses SMTP_RELAY_HOST/USER/PASS but dials the STARTTLS
|
|
# port (it can't do the backend's implicit TLS), GRAFANA_SMTP_PORT. All empty = off.
|
|
SMTP_RELAY_ADMIN_FROM= # backend admin-alert From (e.g. alerts@erudit-game.ru)
|
|
ADMIN_EMAIL= # backend admin-alert recipient(s), comma-separated
|
|
SMTP_RELAY_SERVICE_FROM= # Grafana alert From; the deploy derives a bare address for Grafana (it rejects "Name" <addr>)
|
|
SERVICE_EMAIL= # Grafana alert recipient(s), comma-separated
|
|
GRAFANA_SMTP_PORT= # Grafana STARTTLS port on SMTP_RELAY_HOST (Selectel: 1126)
|
|
GF_SMTP_ENABLED=false # set true to enable Grafana alert emails
|
|
|
|
# --- Edge / caddy -----------------------------------------------------------
|
|
# Test: ":80" (the host caddy terminates TLS and forwards to scrabble:80 on the
|
|
# external `edge` network). Prod: a domain so caddy does its own ACME.
|
|
CADDY_SITE_ADDRESS=:80
|
|
GM_BASICAUTH_USER=gm
|
|
GM_BASICAUTH_HASH= # required; `caddy hash-password` bcrypt hash
|
|
|
|
# --- UI build args (baked into the gateway image) ---------------------------
|
|
VITE_TELEGRAM_BOT_ID=
|
|
VITE_TELEGRAM_LINK= # friend-invite Mini App link (full URL, e.g. https://t.me/<bot>/<app>)
|
|
VITE_TELEGRAM_GAME_CHANNEL_NAME= # landing "Play in Telegram" link, the bot's game channel
|
|
VITE_VK_APP_LINK= # landing "Play on VK" link (full URL, https://vk.com/app<id>)
|
|
VITE_VK_APP_ID= # VK ID "Web" app id (client_id) for VK web-login linking; also the gateway's GATEWAY_VK_ID_APP_ID
|
|
VITE_VK_ID_REDIRECT_URL= # VK ID trusted redirect URL (e.g. https://erudit-game.ru/app/); also the gateway's exchange redirect_uri
|
|
VITE_GATEWAY_URL=
|
|
|
|
# --- Grafana ----------------------------------------------------------------
|
|
GRAFANA_ROOT_URL=/_gm/grafana/ # set the full https URL behind a real domain
|
|
GRAFANA_ADMIN_PASSWORD=admin
|
|
|
|
# --- Telegram validator + bot -----------------------------------------------
|
|
# The token is shared: the validator uses it as the HMAC secret, the bot for the
|
|
# Bot API. The bot-link wiring (validator/relay/mTLS addresses) is hard-wired in
|
|
# docker-compose.yml; the mTLS material is NOT here — run `deploy/gen-certs.sh`
|
|
# (writes deploy/certs/, gitignored) before `docker compose up`.
|
|
AWG_CONF= # required; AmneziaWG sidecar config (the bot's Telegram egress)
|
|
TELEGRAM_BOT_TOKEN= # required
|
|
TELEGRAM_GAME_CHANNEL_ID=
|
|
TELEGRAM_CHAT_ID= # moderated discussion chat (channel's linked group); empty disables gating
|
|
TELEGRAM_SUPPORT_CHAT_ID= # private forum supergroup for the support relay (topic per user); empty disables it
|
|
TELEGRAM_PROMO_BOT_TOKEN= # optional standalone promo bot token; empty disables it
|
|
TELEGRAM_BOT_USERNAME= # main bot @username without the @ (promo message); required when the promo token is set
|
|
TELEGRAM_BOT_LINK= # main bot Mini App link for the promo button (reuse VITE_TELEGRAM_LINK); required when the promo token is set
|
|
TELEGRAM_PROMO_START_PARAM= # promo button startapp payload — a variant-seed deep link (default verudit_ru-scrabble_en) adding English Scrabble for new users; empty forwards the user's /start payload
|
|
TELEGRAM_MINIAPP_URL= # required
|
|
TELEGRAM_TEST_ENV=false
|
|
TELEGRAM_API_BASE_URL=
|
|
|
|
# --- VK Mini App ------------------------------------------------------------
|
|
# The VK app's "protected key" (client_secret): the gateway verifies the Mini App
|
|
# launch-parameter signature in-process under it (a pure offline HMAC, no VK API call).
|
|
# Empty disables the VK auth path (auth.vk). Set from the Gitea TEST_/PROD_ secret.
|
|
GATEWAY_VK_APP_SECRET=
|
|
# VK ID web login (browser VK-identity linking) — a SEPARATE VK "Web" app: the gateway runs
|
|
# the confidential OAuth 2.1 code exchange under this protected key. The app id + redirect URL
|
|
# come from VITE_VK_APP_ID / VITE_VK_ID_REDIRECT_URL above. All three empty disables link.vk.*.
|
|
GATEWAY_VK_ID_CLIENT_SECRET=
|