chahine/rebreak-monorepo
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
rebreak-monorepo/backend/nitro.config.ts
chahinebrini 0cac3c9d1a feat(calls): Phase 1a — TURN ice-servers endpoint + coturn ops + DM call-button header 
Backend:
- GET /api/calls/ice-servers: ephemeral HMAC TURN credentials (10-min TTL),
  iceTransportPolicy:"relay" (no IP leak), 503 until coturn configured
- nitro runtimeConfig: turnHost/turnSecret/turnRealm (Infisical staging set)

Ops:
- ops/calls/ runbook + turnserver.conf (self-hosted coturn, force-relay,
  use-auth-secret, hardening). coturn provisioned + verified on rebreak-server.

Frontend (DM header redesign):
- removed standalone "i" button; header center (avatar+name+chevron) opens info sheet
- call icon top-right, only when canCall (mutual-follow + callsEnabled);
  shows "coming soon" until the WebRTC client lands

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-04 03:06:33 +02:00

153 lines
8.6 KiB
TypeScript
Raw Blame History

import { defineNitroConfig } from "nitropack/config";
export default defineNitroConfig({
compatibilityDate: "latest",
srcDir: "server",
preset: "node-server",
// Static-Assets explizit: GoTrue lädt Mail-Templates von
// https://api.staging.rebreak.org/templates/*.html → kommt aus public/templates/.
// Default-publicAssets greift nicht zuverlässig wenn srcDir auf "server" zeigt.
publicAssets: [{ baseURL: "/", dir: "../public", maxAge: 60 * 60 }],
// Supabase als external dep — nicht bundlen
externals: {
inline: [/^(?!@supabase\/supabase-js)/],
},
imports: {
dirs: ["db", "db/**", "utils", "utils/**"],
exclude: ["**/node_modules/**"],
},
runtimeConfig: {
// ─── Database / Core ─────────────────────────────────────────────────
databaseUrl:
process.env.DATABASE_URL ?? process.env.NUXT_DATABASE_URL ?? "",
encryptionKey: process.env.ENCRYPTION_KEY ?? "",
// ─── Admin / Cron ────────────────────────────────────────────────────
adminSecret: process.env.ADMIN_SECRET ?? "",
cronSecret: process.env.CRON_SECRET ?? "",
// Shared secret for AdGuard→Backend DoH-handshake (POST /api/devices/protected/handshake).
// Set in Infisical as HANDSHAKE_SECRET before enabling AdGuard webhook.
handshakeSecret: process.env.HANDSHAKE_SECRET ?? "",
// ─── LLM-Provider ────────────────────────────────────────────────────
// Infisical staging hat NUXT_*-prefix für openrouter+groq, andere ohne.
openrouterApiKey:
process.env.OPENROUTER_API_KEY ??
process.env.NUXT_OPENROUTER_API_KEY ??
"",
openaiApiKey:
process.env.OPENAI_API_KEY ?? process.env.NUXT_OPENAI_API_KEY ?? "",
groqApiKey: process.env.GROQ_API_KEY ?? process.env.NUXT_GROQ_API_KEY ?? "",
googleAiApiKey: process.env.GOOGLE_AI_API_KEY ?? "",
geminiApiKey: process.env.GEMINI_API_KEY ?? "",
// ─── TTS-Provider ────────────────────────────────────────────────────
googleApiKey:
process.env.GOOGLE_API_KEY ?? process.env.NUXT_GOOGLE_API_KEY ?? "",
deepgramApiKey:
process.env.DEEPGRAM_API_KEY ?? process.env.NUXT_DEEPGRAM_API_KEY ?? "",
azureTtsKey: process.env.AZURE_TTS_KEY ?? "",
azureTtsRegion: process.env.AZURE_TTS_REGION ?? "",
// NEU im backend/-Layout (existieren in nuxt.config.ts NICHT, aber backend code liest sie)
cartesiaApiKey: process.env.CARTESIA_API_KEY ?? "",
cartesiaVoiceId: process.env.CARTESIA_VOICE_ID ?? "",
elevenlabsApiKey: process.env.ELEVENLABS_API_KEY ?? "",
elevenlabsVoiceId: process.env.ELEVENLABS_VOICE_ID ?? "",
// ─── Supabase (Server-only) ──────────────────────────────────────────
// Im alten Nuxt-Layout via @nuxtjs/supabase auto-injected. In standalone Nitro
// explizit deklarieren, damit auth/middleware nicht 500't.
// server/utils/auth.ts:32 liest `config.public.supabase ?? config.supabase`,
// also beide Pfade müssen existieren.
// Infisical staging-Namen: SUPABASE_KEY (nicht ANON_KEY), SUPABASE_SERVICE_KEY
// (nicht SERVICE_ROLE_KEY). NIE umbenennen ohne Infisical-secret-rotation.
supabaseUrl: process.env.SUPABASE_URL ?? "https://db-staging.rebreak.org",
supabaseAnonKey:
process.env.SUPABASE_KEY ?? process.env.SUPABASE_ANON_KEY ?? "",
supabaseServiceKey:
process.env.SUPABASE_SERVICE_KEY ??
process.env.SUPABASE_SERVICE_ROLE_KEY ??
"",
// ─── Voice-Calls / TURN (coturn, self-hosted) ───────────────────────
// Ephemere TURN-Credentials werden vom Backend per HMAC aus TURN_SECRET
// gemintet (coturn `use-auth-secret`). Host = coturn-Domain, Realm = coturn-
// realm. In Infisical setzen, BEVOR /api/calls/ice-servers genutzt wird:
// TURN_HOST (z.B. turn.rebreak.org)
// TURN_SECRET (shared secret, identisch zu coturn static-auth-secret)
// TURN_REALM (z.B. rebreak.org)
turnHost: process.env.TURN_HOST ?? "",
turnSecret: process.env.TURN_SECRET ?? "",
turnRealm: process.env.TURN_REALM ?? "rebreak.org",
// ─── Stripe ──────────────────────────────────────────────────────────
stripeSecretKey: process.env.STRIPE_SECRET_KEY ?? "",
stripeWebhookSecret: process.env.STRIPE_WEBHOOK_SECRET ?? "",
// ─── Email / External APIs ───────────────────────────────────────────
resendApiKey: process.env.RESEND_API_KEY ?? "",
// ─── Brevo (Mail-Versand) ────────────────────────────────────────────
// Auth-Hook (send-email.post.ts) → Brevo Transactional API.
// BREVO_API_KEY ist Brevo REST API-Key (Format: xkeysib-...),
// separater Key vom SMTP-Key der für GoTrue-Fallback genutzt wird.
brevoApiKey: process.env.BREVO_API_KEY ?? "",
// Send-Email-Hook Webhook-Secret (Standard-Webhooks Format).
// Liste comma-separated: "v1,whsec_<base64>" (multi-secret für Rotation).
// Muss IDENTISCH zu GOTRUE_HOOK_SEND_EMAIL_SECRETS im docker-compose sein.
hookSendEmailSecrets: process.env.HOOK_SEND_EMAIL_SECRETS ?? "",
// Sender-Email-Adresse im From-Header. Sender-Name wird pro Mail-Typ
// dynamisch in templates.ts gesetzt.
mailSenderEmail: process.env.MAIL_SENDER_EMAIL ?? "welcome@rebreak.org",
// ─── AdGuard Home (RebreakMagic DNS-over-HTTPS) ──────────────────────
// Base-URL für AdGuard Home REST API. Default: dns.rebreak.org (Hetzner).
adguardBaseUrl: process.env.ADGUARD_BASE_URL ?? "https://dns.rebreak.org",
// Basic-Auth Credentials für /control/clients/* API-Endpoints.
// User + Password aus AdGuard-Settings → Users → Add User (Admin-Rechte).
adguardUser: process.env.ADGUARD_USER ?? "",
adguardPassword: process.env.ADGUARD_PASSWORD ?? "",
// ─── Microsoft OAuth (PKCE, Public Client) ───────────────────────────────
// Client-ID der Azure-App-Registrierung "Rebreak Mail Access".
// Tenant: 'common' (Multi-Tenant + Personal-Accounts) — hardcoded im Code.
// Kein client_secret: Public Client / PKCE-Flow (keine Client-Secret-Exposure).
// Infisical secret name: MS_OAUTH_CLIENT_ID
msOauthClientId:
process.env.MS_OAUTH_CLIENT_ID ?? "427575e1-0ec5-4468-b4a2-7ae3ce99a154",
// ─── Google OAuth (PKCE, Public Client / iOS Native) ────────────────────
// Client-ID der Google Cloud Console App-Registrierung "Rebreak".
// Typ: iOS-App (Native Client — kein client_secret, PKCE S256).
// Scope: https://mail.google.com/ (IMAP-Vollzugriff für XOAUTH2).
// KRITISCH: prompt=consent + access_type=offline in init.post.ts sind PFLICHT
// damit Google ein refresh_token ausstellt. Ohne das: nur 1h access_token.
// Infisical secret name: GOOGLE_OAUTH_CLIENT_ID
googleOauthClientId:
process.env.GOOGLE_OAUTH_CLIENT_ID ??
"864178840836-i09oblmcel5q4rgggq9dids17mv9560u.apps.googleusercontent.com",
// ─── Bot-User-IDs (DB-User-References für Lyra/Rebreak-Bot-Posts) ────
lyraBotUserId: process.env.LYRA_BOT_USER_ID ?? "",
rebreakBotUserId: process.env.REBREAK_BOT_USER_ID ?? "",
// ─── Public (client-readable) ────────────────────────────────────────
public: {
stripePublishableKey: process.env.STRIPE_PUBLISHABLE_KEY ?? "",
appUrl: process.env.APP_URL ?? "https://staging.rebreak.org",
apiBase: process.env.API_BASE ?? "https://staging.rebreak.org",
// server/utils/auth.ts liest config.public.supabase.{url,key}
// — wenn das fehlt, 500-cascade auf allen authentifizierten Routes
// (Incident 2026-05-06).
supabase: {
url: process.env.SUPABASE_URL ?? "https://db-staging.rebreak.org",
key: process.env.SUPABASE_KEY ?? process.env.SUPABASE_ANON_KEY ?? "",
},
},
},
});
Reference in New Issue View Git Blame Copy Permalink