AI-CMS/render.yaml at main · OpenGraph-AI/AI-CMS · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# Render Blueprint — one-click deploy of the full stack.
#
# 1. Push this repo to GitHub.
# 2. In Render: New → Blueprint → connect the repo. Render reads this file
#    and provisions both services in one go.
# 3. Set every `sync: false` secret in the Render dashboard when prompted.
#    `BACKEND_URL` on the frontend is auto-wired from the backend service
#    (see `fromService` below).
# 4. The backend's pre-deploy command runs the SQL migration on every push
#    so new tables/columns appear before the new code starts.
#
# Both services share the same git repo; Render rebuilds whichever one has
# changes touching its rootDir / Dockerfile.

services:
  # ----- FastAPI backend (Python + Docker) -----
  - type: web
    name: 1ai-x-cms-api
    runtime: docker
    plan: starter
    dockerfilePath: ./Dockerfile
    healthCheckPath: /health
    # Idempotent — schema_migrations table tracks applied filenames so this
    # is safe to run on every deploy.
    preDeployCommand: python -m backend.migrate
    envVars:
      # ---- Secrets pinned in the Render dashboard (kept out of git) ----
      - key: OPENAI_API_KEY
        sync: false
      - key: OPENROUTER_API_KEY  # primary image + video provider
        sync: false
      - key: AI_GATEWAY_API_KEY  # Vercel AI Gateway — image fallback only
        sync: false
      - key: SUPABASE_URL
        sync: false
      - key: SUPABASE_SERVICE_ROLE_KEY
        sync: false
      - key: SUPABASE_ASSETS_BUCKET
        sync: false
      # Used by `python -m backend.migrate` (pre-deploy hook) only.
      # Supabase session-pooler URL; percent-encode any `@` in the password
      # as `%40`.
      - key: DATABASE_URL
        sync: false
      # Comma-separated CORS allow-list — set to the frontend's Render URL
      # once it's been provisioned (Render generates URLs after first deploy
      # so we can't auto-populate this with fromService).
      - key: FRONTEND_ORIGINS
        sync: false

      # --- Single-user admin gate ---
      # Defaults are admin / 1601admin. Override in the dashboard if needed.
      - key: AUTH_USERNAME
        sync: false
      - key: AUTH_PASSWORD
        sync: false
      # Sign the session cookie. Pin a long random value (Render's
      # `generateValue: true` does this automatically and never re-rolls).
      - key: AUTH_SESSION_SECRET
        generateValue: true
      # Production runs behind HTTPS, so the session cookie must be flagged
      # Secure. Static value, safe to commit.
      - key: AUTH_COOKIE_HTTPS_ONLY
        value: "1"

      # ---- Defaults (safe to commit) ----
      - key: OPENAI_INTENT_MODEL
        value: gpt-4.1
      - key: OPENAI_PLANNER_MODEL
        value: gpt-4.1
      - key: OPENAI_VISION_MODEL
        value: gpt-4o
      # Render persists this directory across requests (not across deploys);
      # Supabase Storage is the durable path for finished artefacts.
      - key: STORAGE_DIR
        value: /app/storage

  # ----- Next.js frontend (Node + standard `next start`) -----
  - type: web
    name: 1ai-x-cms-web
    runtime: node
    plan: starter
    rootDir: frontend
    buildCommand: npm install && npm run build
    startCommand: npm start
    healthCheckPath: /
    envVars:
      # Auto-resolved by Render from the backend service's public hostname,
      # so the user doesn't have to paste it manually after first deploy.
      - key: BACKEND_URL
        fromService:
          type: web
          name: 1ai-x-cms-api
          property: host
      - key: NODE_ENV
        value: production