UW-THINKlab · infrared0 · Sep 12, 2025 · Sep 14, 2025 · Sep 14, 2025 · Sep 15, 2025
@@ -27,7 +27,7 @@ jobs:
         uses: subosito/flutter-action@v2
         with:
           channel: stable
-          flutter-version: '3.24.5'
+          flutter-version: '3.41.2'
 
       - run: flutter pub get
 
@@ -37,4 +37,3 @@ jobs:
       # Run Flutter tests
       - name: Run Unit tests
         run: flutter test ./test/unit_tests
-
@@ -18,7 +18,7 @@ jobs:
       - name: configure aws credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
         with:
-          role-to-assume: arn:aws:iam::871683513797:role/supportsphere-laurelhurst-github-scaling-role
+          role-to-assume: arn:aws:iam::503561456208:role/supportsphere-laurelhurst-github-scaling-role
           role-session-name: github-workflow-run
           aws-region: ${{ env.AWS_REGION }}
       - name: Run the server

@@ -9,13 +9,13 @@ permissions:
 on:
   push:
     branches:
-      - main
+      - messages
   workflow_dispatch:
-    
+
 
 jobs:
   call-run-server:
-    uses: UW-THINKlab/resilience/.github/workflows/run-dev-server.yml@main
+    uses: UW-THINKlab/resilience/.github/workflows/run-dev-server.yml@messages
   build-and-publish:
     runs-on: ubuntu-latest
     # This workflow accesses secrets and checks out a PR, so only run if labelled
@@ -34,16 +34,15 @@ jobs:
       uses: subosito/flutter-action@v2
       with:
         channel: stable
-        flutter-version: '3.24.5'
+        flutter-version: '3.41.2'
     - run: flutter pub get
     # original values are in deployment/values.cloud.yaml
     - run: |
         flutter build web \
         --release \
         --base-href "/resilience/" \
-        --web-renderer html \
         --dart-define=SUPABASE_ANON_KEY=${{ secrets.CLOUD_DB_JWT_ANON_KEY}} \
-        --dart-define=SUPABASE_URL=${{ secrets.CLOUD_DB_URL}} 
+        --dart-define=SUPABASE_URL=${{ secrets.CLOUD_DB_URL}}
 
     - name: Upload Pages HTML
       uses: actions/upload-pages-artifact@v3

@@ -7,7 +7,7 @@ on:
 
 jobs:
   call-run-server:
-    uses: UW-THINKlab/resilience/.github/workflows/run-dev-server.yml@main
+    uses: UW-THINKlab/resilience/.github/workflows/run-dev-server.yml@messages
   add-preview:
     runs-on: ubuntu-latest
     # This workflow accesses secrets and checks out a PR, so only run if labelled
@@ -26,10 +26,10 @@ jobs:
       uses: subosito/flutter-action@v2
       with:
         channel: stable
-        flutter-version: '3.24.5'
+        flutter-version: '3.41.2'
     - run: flutter pub get
     # original values are in deployment/values.cloud.yaml
-    - run: flutter build web --web-renderer html --dart-define=SUPABASE_ANON_KEY=${{ secrets.CLOUD_DB_JWT_ANON_KEY}} --dart-define=SUPABASE_URL=${{ secrets.CLOUD_DB_URL}} 
+    - run: flutter build web --dart-define=SUPABASE_ANON_KEY=${{ secrets.CLOUD_DB_JWT_ANON_KEY}} --dart-define=SUPABASE_URL=${{ secrets.CLOUD_DB_URL}}
 
     - name: Deploy Website Preview
       if: always()

@@ -1,5 +1,4 @@
 # configuration file for SOPS/encryption
 creation_rules:
   - path_regex: values\.cloud\.yaml$
-    pgp: 'AD28C8D8C60268C5F329509B31FEC69867EB2B81'
-    kms: 'arn:aws:kms:us-west-2:871683513797:key/9531919a-aae2-4ad9-bd2a-4f30eb8250c3,arn:aws:kms:us-east-1:871683513797:key/0fc8c451-67d6-4b6f-8ad2-d8537d375937'
+    kms: 'arn:aws:kms:us-west-2:503561456208:key/8f487e8c-d6c5-4ed4-9ace-c5011baead84,arn:aws:kms:us-east-1:503561456208:key/4ce4551c-4b42-4e0a-ac14-961f385c9517'
@@ -27,12 +27,12 @@ provider "aws" {
 
 # s3 tf state bucket
 
-resource "aws_s3_bucket" "tf_state" {
+data "aws_s3_bucket" "tf_state" {
   bucket = "${var.account_resource_prefix}-${var.account_id}-opentofu-state"
 }
 
 resource "aws_s3_bucket_versioning" "this" {
-  bucket = aws_s3_bucket.tf_state.bucket
+  bucket = data.aws_s3_bucket.tf_state.bucket
 
   versioning_configuration {
     status = "Enabled"
@@ -41,7 +41,7 @@ resource "aws_s3_bucket_versioning" "this" {
 }
 
 resource "aws_s3_bucket_public_access_block" "example" {
-  bucket = aws_s3_bucket.tf_state.bucket
+  bucket = data.aws_s3_bucket.tf_state.bucket
 
   block_public_acls       = true
   block_public_policy     = true
@@ -103,8 +103,8 @@ resource "aws_iam_policy" "tf_state_access" {
           "s3:ListBucket",
         ],
         Resource = [
-          "${aws_s3_bucket.tf_state.arn}/*",
-          aws_s3_bucket.tf_state.arn,
+          "${data.aws_s3_bucket.tf_state.arn}/*",
+          data.aws_s3_bucket.tf_state.arn,
         ],
       },
     ],
@@ -130,6 +130,7 @@ resource "aws_iam_role_policy" "kms_key_access" {
           "kms:UpdateKeyDescription",
           "kms:CreateKey",
           "kms:CreateAlias",
+          "kms:UpdateAlias"
         ],
         Resource = "*",
       },
@@ -196,4 +197,4 @@ resource "aws_iam_group_policy_attachment" "readonly" {
 resource "aws_iam_group_policy_attachment" "tf_state_access" {
   group      = aws_iam_group.this.name
   policy_arn = aws_iam_policy.tf_state_access.arn
-}
+}
@@ -2,5 +2,5 @@ account_resource_prefix = "supportsphere"
 account_additional_tags = {
   "Project" = "Support Sphere"
 }
-account_id     = "871683513797"
+account_id     = "503561456208"
 ops_group_name = "ssec-eng"
@@ -28,7 +28,7 @@ locals {
 provider "aws" {
   region = "us-west-2"
   assume_role {
-    role_arn     = "arn:aws:iam::871683513797:role/supportsphere-deploy"
+    role_arn     = "arn:aws:iam::${var.account_id}:role/supportsphere-deploy"
     session_name = "${local.resource_prefix}-infra-deployment"
     external_id  = "${local.resource_prefix}-infra-deployment"
   }

@@ -64,7 +64,8 @@ resource "aws_iam_role" "instance" {
             "ec2:StartInstances",
             "ec2:StopInstances",
             "ec2:AssociateAddress",
-            "ec2:DisassociateAddress"
+            "ec2:DisassociateAddress",
+            "kms:Decrypt"
           ],
           Resource = "*",
           Condition = {
@@ -189,18 +190,18 @@ resource "aws_autoscaling_group" "this" {
   }
 }
 
-// Autoscaling action to shutdown the server every weekday at 1AM UTC (6PM PDT/5PM PST)
-resource "aws_autoscaling_schedule" "scale_down" {
-  # only create this resource in non-prod environments
-  count = var.stage != "prod" ? 1 : 0
-
-  scheduled_action_name  = "${var.resource_prefix}-asg-shutdown-after-working-hours"
-  min_size               = 0
-  desired_capacity       = 0
-  max_size               = 1
-  recurrence             = "0 1 * * MON-FRI"
-  autoscaling_group_name = aws_autoscaling_group.this.name
-}
+//// Autoscaling action to shutdown the server every weekday at 1AM UTC (6PM PDT/5PM PST)
+//resource "aws_autoscaling_schedule" "scale_down" {
+//  # only create this resource in non-prod environments
+//  count = var.stage != "prod" ? 1 : 0
+//
+//  scheduled_action_name  = "${var.resource_prefix}-asg-shutdown-after-working-hours"
+//  min_size               = 0
+//  desired_capacity       = 0
+//  max_size               = 1
+//  recurrence             = "0 1 * * MON-FRI"
+//  autoscaling_group_name = aws_autoscaling_group.this.name
+//}
 
 // ALB and target group
 resource "aws_lb" "this" {
@@ -249,6 +250,6 @@ resource "aws_autoscaling_attachment" "this" {
 }
 
 resource "aws_acm_certificate" "this" {
-  domain_name       = "laurelhurst.supportsphere.nikiofti.me"
+  domain_name       = "laurelhurst.supportsphere.acmerocket.com"
   validation_method = "DNS"
-}
+}
@@ -11,33 +11,17 @@ users:
     groups: docker
 
 packages:
-  - git
-  - curl
-  - wget
   - python-pip
   - postgresql-client
   - awscli
-  - ca-certificates
   - gnupg-agent
-  - software-properties-common
   - apt-transport-https
   - cargo
   - libpq-dev
   - jq
+  - docker.io
 
 runcmd:
-  # docker installation borrowed from https://gist.github.com/vtrifonov-esfiddle/068dd818b5f929709b688c805c507e65
-  # install docker following the guide: https://docs.docker.com/install/linux/docker-ce/ubuntu/
-  - echo "Installing Docker"
-  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-  - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
-  - sudo apt-get -y update
-  - sudo apt-get -y install docker-ce docker-ce-cli containerd.io
-  - sudo systemctl enable docker
-  # install docker-compose following the guide: https://docs.docker.com/compose/install/
-  - sudo curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-  - sudo chmod +x /usr/local/bin/docker-compose
-
   # install pixi
   - echo "Installing Pixi"
   - export PIXI_HOME=/opt/pixi
@@ -52,6 +36,13 @@ runcmd:
   - cd /opt
   - git clone https://github.com/${github_organization}/${github_repo}.git
   - cd ${github_repo}
+  # FIXME current dev branch
+  - git checkout messages
+
+  # tool pathing for root
+  - echo "export PATH=\$PATH:$PWD/.pixi/envs/backend/bin" >> /root/.bashrc
+  - echo "export KUBECONFIG=$PWD/.kube/config" >> /root/.bashrc
+
 
   # install backend tools
   - echo "Setting up backend infra"
@@ -71,4 +62,4 @@ runcmd:
   - pixi run -e backend cleanup-decrypted-supabase-cloud-values
 
   # Done! :)
-  - echo "Done!"
+  - echo "Done!"
@@ -0,0 +1,16 @@
+# Supabase Docker
+
+This is a minimal Docker Compose setup for self-hosting Supabase. Follow the steps [here](https://supabase.com/docs/guides/hosting/docker) to get started.
+
+
+## tl;dr
+1. Install [Docker](https://docs.docker.com/engine/install/), or your preferred container manager.
+2. Install [Supabase CLI](https://supabase.com/docs/guides/local-development/cli/getting-started).
+3. `supabase start` to start supabase.
+4. `pixi run db-init` to load the database.
+
+
+## Local Development
+
+
+## Cloud Deployment
@@ -0,0 +1,48 @@
+create table profiles (
+  id uuid references auth.users not null,
+  updated_at timestamp with time zone,
+  username text unique,
+  avatar_url text,
+  website text,
+
+  primary key (id),
+  unique(username),
+  constraint username_length check (char_length(username) >= 3)
+);
+
+alter table profiles enable row level security;
+
+create policy "Public profiles are viewable by the owner."
+  on profiles for select
+  using ( auth.uid() = id );
+
+create policy "Users can insert their own profile."
+  on profiles for insert
+  with check ( auth.uid() = id );
+
+create policy "Users can update own profile."
+  on profiles for update
+  using ( auth.uid() = id );
+
+-- Set up Realtime
+begin;
+  drop publication if exists supabase_realtime;
+  create publication supabase_realtime;
+commit;
+alter publication supabase_realtime add table profiles;
+
+-- Set up Storage
+insert into storage.buckets (id, name)
+values ('avatars', 'avatars');
+
+create policy "Avatar images are publicly accessible."
+  on storage.objects for select
+  using ( bucket_id = 'avatars' );
+
+create policy "Anyone can upload an avatar."
+  on storage.objects for insert
+  with check ( bucket_id = 'avatars' );
+
+create policy "Anyone can update an avatar."
+  on storage.objects for update
+  with check ( bucket_id = 'avatars' );
@@ -0,0 +1,34 @@
+version: "3.8"
+
+services:
+  studio:
+    build:
+      context: ..
+      dockerfile: apps/studio/Dockerfile
+      target: dev
+    ports:
+      - 8082:8082
+  mail:
+    container_name: supabase-mail
+    image: inbucket/inbucket:3.0.3
+    ports:
+      - '2500:2500' # SMTP
+      - '9000:9000' # web interface
+      - '1100:1100' # POP3
+  auth:
+    environment:
+      - GOTRUE_SMTP_USER=
+      - GOTRUE_SMTP_PASS=
+  meta:
+    ports:
+      - 5555:8080
+  db:
+    restart: 'no'
+    volumes:
+      # Always use a fresh database when developing
+      - /var/lib/postgresql/data
+      # Seed data should be inserted last (alphabetical order)
+      - ./dev/data.sql:/docker-entrypoint-initdb.d/seed.sql
+  storage:
+    volumes:
+      - /var/lib/storage