chore(infra): unify prod deploy on .env.macmini + document missing keys
Two pieces of the same cleanup: 1. build-app.sh now passes `--env-file .env.macmini` explicitly via a shared COMPOSE_ARGS array. Without it, docker compose silently fell back to `.env` in the project root — a separate file that happened to hold MANA_AUTH_KEK and other secrets that `.env.macmini` lacked. deploy.sh, restart.sh, and the CD workflow already used the flag; this aligns build-app.sh with the rest. Server-side .env.macmini was reconciled 2026-04-23 with the union of both files, so the duplicate `.env` is no longer needed. 2. .env.macmini.example now documents 7 keys the prod stack actually depends on but that had never been listed: GOOGLE_GEMINI_API_KEY / GOOGLE_GENAI_API_KEY (SDK aliases for Deep-Research + mana-ai), MANA_AI_PRIVATE_KEY_PEM / MANA_AI_PUBLIC_KEY_PEM (Mission-Grant keypair), MANA_AI_DEEP_RESEARCH_ENABLED + PUBLIC_AI_MISSION_GRANTS (feature flags), MANA_CORE_SERVICE_KEY (legacy alias), and the STT/TTS internal shared secrets. Matrix-bot tokens deliberately left undocumented — no Matrix homeserver in the current running stack. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
5c08653b19
commit
f719d1768f
2 changed files with 50 additions and 6 deletions
@ -118,17 +118,52 @@ AZURE_STORAGE_ACCOUNT_KEY=
# ─── Google Gemini ──────────────────────────────────────────
# Used by mana-llm + several Gemini-Vision modules (planta, food).
# GOOGLE_GEMINI_API_KEY and GOOGLE_GENAI_API_KEY are SDK-specific aliases
# consumed by mana-research's Deep-Research provider (@google/genai) and
# mana-ai's planner. In practice all three hold the same value.
GEMINI_API_KEY=
GOOGLE_GEMINI_API_KEY=
GOOGLE_GENAI_API_KEY=
# ─── Mission Grants (AI Workbench) ──────────────────────────
# EdDSA keypair used by mana-ai to unwrap server-side decryption grants.
# Must be Ed25519 in PEM form, base64-encoded. Generate with:
# openssl genpkey -algorithm Ed25519 -out key.pem
# openssl pkey -in key.pem -pubout -out pub.pem
# base64 -w0 key.pem # → MANA_AI_PRIVATE_KEY_PEM
# base64 -w0 pub.pem # → MANA_AI_PUBLIC_KEY_PEM
# Keep the private half server-only; the public half goes into the
# browser so users can wrap grants for specific missions.
MANA_AI_PRIVATE_KEY_PEM=
MANA_AI_PUBLIC_KEY_PEM=
# ─── AI feature flags ───────────────────────────────────────
# MANA_AI_DEEP_RESEARCH_ENABLED gates the async deep-research provider
# in mana-research. PUBLIC_AI_MISSION_GRANTS surfaces the Mission-Grant
# UI in the webapp. Both default off; set to "true" in production.
MANA_AI_DEEP_RESEARCH_ENABLED=false
PUBLIC_AI_MISSION_GRANTS=false
# ─── Service-to-service auth keys ───────────────────────────
# Shared secrets backends use to call each other without going through
# user JWTs. Generate with: openssl rand -base64 32
# MANA_SERVICE_KEY appears in compose with BOTH a default and a no-default
# reference, so it MUST be set to a real value in production.
# MANA_CORE_SERVICE_KEY is a legacy alias consumed by games/arcade +
# mana-ai's internal client; keep it in sync with MANA_SERVICE_KEY until
# the rename is finished.
MANA_SERVICE_KEY=
MANA_CORE_SERVICE_KEY=
MANA_CREDITS_SERVICE_KEY=
MEMORO_SERVICE_KEY=
# ─── STT / TTS internal keys ────────────────────────────────
# Shared secrets between mana-api and the GPU-hosted STT/TTS services
# (see docs/WINDOWS_GPU_SERVER_SETUP.md). Required only if voice
# features are enabled.
STT_INTERNAL_API_KEY=
TTS_INTERNAL_API_KEY=
# ─── Memoro Supabase (legacy) ───────────────────────────────
# Memoro still keeps recording metadata in Supabase. Move to mana_platform
# is tracked in the Memoro CLAUDE.md.
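Review bot: The key-generation recipe in the Mission-Grants block, `base64 -w0 key.pem` and `base64 -w0 pub.pem`, is GNU-coreutils-specific; the deploy host this file is named after (a Mac mini) ships a BSD `base64` that rejects `-w`, so an operator following the comment on the server gets an option error instead of a key. A portable form works on both: `# base64 < key.pem | tr -d '\n'   # → MANA_AI_PRIVATE_KEY_PEM` and the same for pub.pem. Since the private half is what lets mana-ai unwrap grants, the block should also say that key.pem must not stay in the checkout once encoded, e.g. `# Remove key.pem after copying the value; keep only the base64 form in .env.macmini.`. The commit message counts 7 newly documented keys while this hunk lists nine variables; worth correcting so the example stays a reliable inventory.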
@ -14,8 +14,17 @@ set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
COMPOSE_FILE="$PROJECT_ROOT/docker-compose.macmini.yml"
ENV_FILE="$PROJECT_ROOT/.env.macmini"
DOCKER="${DOCKER_CMD:-/usr/local/bin/docker}"
# Explicit --env-file flag keeps this script aligned with deploy.sh /
# restart.sh / the CD workflow (all use .env.macmini). Without it compose
# falls back to .env in the project root — which used to be a separate
# file holding a superset of secrets, and missing that file meant mana-
# auth started with an empty MANA_AUTH_KEK. Server was reconciled
# 2026-04-23; this flag keeps it that way.
COMPOSE_ARGS=(-f "$COMPOSE_FILE" --env-file "$ENV_FILE")
# Minimum free memory (in MB) needed for a Docker build
BUILD_MEM_THRESHOLD_MB=3000
@ -188,7 +197,7 @@ build_services() {
done
echo "=== Building: ${services[*]} ==="
$DOCKER compose -f "$COMPOSE_FILE" build --no-cache "${services[@]}" 2>&1
$DOCKER compose "${COMPOSE_ARGS[@]}" build --no-cache "${services[@]}" 2>&1
echo ""
echo "=== Restarting: ${services[*]} ==="
# Tear down existing containers BEFORE the up cycle. We hit "container
@ -206,13 +215,13 @@ build_services() {
# 3. `up -d --remove-orphans` then creates a clean new container
# and silences the "Found orphan containers" warning we kept
# seeing for the unrelated mana-game-whopixels leftover.
$DOCKER compose -f "$COMPOSE_FILE" rm -fs "${services[@]}" 2>&1 \
$DOCKER compose "${COMPOSE_ARGS[@]}" rm -fs "${services[@]}" 2>&1 \
| grep -v 'No stopped containers' || true
for svc in "${services[@]}"; do
# Map compose service name → container_name from the compose config.
# Falls back to the service name itself if container_name isn't set.
local cname
cname=$($DOCKER compose -f "$COMPOSE_FILE" config 2>/dev/null \
cname=$($DOCKER compose "${COMPOSE_ARGS[@]}" config 2>/dev/null \
| awk -v s="$svc:" '
$0 ~ "^ "s {found=1; next}
found && /^ [a-z]/ {found=0}
@ -228,7 +237,7 @@ build_services() {
echo "$orphans" | xargs -r $DOCKER rm -f 2>/dev/null || true
fi
done
$DOCKER compose -f "$COMPOSE_FILE" up -d --no-deps --remove-orphans "${services[@]}" 2>&1
$DOCKER compose "${COMPOSE_ARGS[@]}" up -d --no-deps --remove-orphans "${services[@]}" 2>&1
}
# --- Main ---
@ -273,7 +282,7 @@ case "$1" in
--all-web)
build_base_images
# Find all web services in compose
WEB_SERVICES=$($DOCKER compose -f "$COMPOSE_FILE" config --services 2>/dev/null | grep '\-web$' || true)
WEB_SERVICES=$($DOCKER compose "${COMPOSE_ARGS[@]}" config --services 2>/dev/null | grep '\-web$' || true)
if [ -n "$WEB_SERVICES" ]; then
build_services $WEB_SERVICES
else
@ -291,7 +300,7 @@ echo "=== Build complete ==="
# Show status of built services
for svc in "$@"; do
if [ "$svc" != "--base" ] && [ "$svc" != "--all-web" ]; then
STATUS=$($DOCKER compose -f "$COMPOSE_FILE" ps --format '{{.Name}}\t{{.Status}}' "$svc" 2>/dev/null || echo "$svc: unknown")
STATUS=$($DOCKER compose "${COMPOSE_ARGS[@]}" ps --format '{{.Name}}\t{{.Status}}' "$svc" 2>/dev/null || echo "$svc: unknown")
echo " $STATUS"
fi
done
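Review bot: Nothing in the new hunk at lines 14–24 verifies that `$ENV_FILE` exists or that the secrets it is meant to supply are non-empty, so the failure mode the new comment describes (mana-auth starting with an empty MANA_AUTH_KEK) can still recur silently if a key is listed in .env.macmini but left blank; compose rejects a missing `--env-file`, but as far as I know it accepts an empty value without complaint. A pre-flight check right after `COMPOSE_ARGS=(…)` would make the build fail early with a clear message: `[ -r "$ENV_FILE" ] || { echo "error: $ENV_FILE not found — copy .env.macmini.example and fill in secrets" >&2; exit 1; }`, and a second line such as `grep -Eq '^MANA_AUTH_KEK=.+' "$ENV_FILE" || { echo "error: MANA_AUTH_KEK is empty in $ENV_FILE" >&2; exit 1; }` catches the blank-KEK case before any container is torn down. The COMPOSE_ARGS substitutions in the later hunks (build, rm, config, up, ps) look correct and need no change; the pre-existing unquoted `$DOCKER` on those lines is unchanged by this commit.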