refactor: Standardize Umami analytics environment variables to non-public names with fallbacks to NEXT_PUBLIC_ prefixed versions.

2026-02-06 22:35:49 +01:00
parent 259d712105
commit e179e8162c
15 changed files with 243 additions and 245 deletions
--- a/docs/ENV_MIGRATION.md
+++ b/docs/ENV_MIGRATION.md
@@ -7,29 +7,31 @@ This guide helps you migrate from the old fragile environment variable setup to
 ### Before (Fragile & Overkill)

 ❌ **Problems:**
+
 - Environment variables passed individually via SSH (12+ vars)
 - Duplicate definitions in Dockerfile, docker-compose.yml, and deploy.yml
- Build args included runtime-only variables (SENTRY_DSN, MAIL_*, REDIS_*)
+- Build args included runtime-only variables (SENTRY*DSN, MAIL*_, REDIS\__)
 - No single source of truth
 - Difficult to maintain and error-prone

 ```yaml
 # Old deploy.yml - FRAGILE!
 ssh root@alpha.mintel.me \
-  "MAIL_FROM='${{ secrets.MAIL_FROM }}' \
-   MAIL_HOST='${{ secrets.MAIL_HOST }}' \
-   MAIL_PASSWORD='${{ secrets.MAIL_PASSWORD }}' \
-   MAIL_PORT='${{ secrets.MAIL_PORT }}' \
-   MAIL_RECIPIENTS='${{ secrets.MAIL_RECIPIENTS }}' \
-   MAIL_USERNAME='${{ secrets.MAIL_USERNAME }}' \
-   NEXT_PUBLIC_BASE_URL='${{ secrets.NEXT_PUBLIC_BASE_URL }}' \
-   ... (12+ variables) \
-   /home/deploy/deploy.sh"
+"MAIL_FROM='${{ secrets.MAIL_FROM }}' \
+MAIL_HOST='${{ secrets.MAIL_HOST }}' \
+MAIL_PASSWORD='${{ secrets.MAIL_PASSWORD }}' \
+MAIL_PORT='${{ secrets.MAIL_PORT }}' \
+MAIL_RECIPIENTS='${{ secrets.MAIL_RECIPIENTS }}' \
+MAIL_USERNAME='${{ secrets.MAIL_USERNAME }}' \
+NEXT_PUBLIC_BASE_URL='${{ secrets.NEXT_PUBLIC_BASE_URL }}' \
+... (12+ variables) \
+/home/deploy/deploy.sh"
 ```

 ### After (Clean & Robust)

 ✅ **Benefits:**
+
 - Single `.env` file on server contains all runtime variables
 - Only `NEXT_PUBLIC_*` variables passed as build args (3 vars)
 - Clear separation: build-time vs runtime
@@ -46,6 +48,7 @@ ssh root@alpha.mintel.me "/home/deploy/deploy.sh"
 ### Step 1: Update Gitea Secrets

 **Remove these secrets** (no longer needed in CI/CD):
+
 - ❌ `MAIL_FROM`
 - ❌ `MAIL_HOST`
 - ❌ `MAIL_PASSWORD`
@@ -58,9 +61,11 @@ ssh root@alpha.mintel.me "/home/deploy/deploy.sh"
 - ❌ `SENTRY_DSN` (from build args)

 **Keep these secrets** (still needed for build):
+
 - ✅ `NEXT_PUBLIC_BASE_URL`
- ✅ `NEXT_PUBLIC_UMAMI_WEBSITE_ID`
- ✅ `NEXT_PUBLIC_UMAMI_SCRIPT_URL`
+- ✅ `NEXT_PUBLIC_BASE_URL`
+- ✅ `UMAMI_WEBSITE_ID`
+- ✅ `UMAMI_API_ENDPOINT`
 - ✅ `REGISTRY_USER`
 - ✅ `REGISTRY_PASS`
 - ✅ `ALPHA_SSH_KEY`
@@ -81,8 +86,8 @@ NODE_ENV=production
 NEXT_PUBLIC_BASE_URL=https://klz-cables.com

 # Analytics
-NEXT_PUBLIC_UMAMI_WEBSITE_ID=your-actual-id
-NEXT_PUBLIC_UMAMI_SCRIPT_URL=https://analytics.infra.mintel.me/script.js
+UMAMI_WEBSITE_ID=your-actual-id
+UMAMI_API_ENDPOINT=https://analytics.infra.mintel.me

 # Error Tracking
 SENTRY_DSN=your-actual-dsn
@@ -168,6 +173,7 @@ git push origin main
 ```

 The CI/CD workflow will:
+
 1. Build with only `NEXT_PUBLIC_*` build args
 2. Push to registry
 3. SSH to server and run deploy.sh
@@ -197,21 +203,22 @@ curl -I https://klz-cables.com

 ## Comparison Table

-| Aspect | Before | After |
-|--------|--------|-------|
-| **Gitea Secrets** | 15+ secrets | 8 secrets |
-| **Build Args** | 4 vars (including runtime-only) | 3 vars (NEXT_PUBLIC_* only) |
-| **Runtime Vars** | Passed via SSH command | Loaded from .env file |
-| **Maintenance** | Update in 3 places | Update in 1 place |
-| **Security** | Secrets in CI logs | Secrets only on server |
-| **Clarity** | Confusing duplication | Clear separation |
-| **Robustness** | Fragile SSH command | Robust file-based config |
+| Aspect            | Before                          | After                        |
+| ----------------- | ------------------------------- | ---------------------------- |
+| **Gitea Secrets** | 15+ secrets                     | 8 secrets                    |
+| **Build Args**    | 4 vars (including runtime-only) | 3 vars (NEXT*PUBLIC*\* only) |
+| **Runtime Vars**  | Passed via SSH command          | Loaded from .env file        |
+| **Maintenance**   | Update in 3 places              | Update in 1 place            |
+| **Security**      | Secrets in CI logs              | Secrets only on server       |
+| **Clarity**       | Confusing duplication           | Clear separation             |
+| **Robustness**    | Fragile SSH command             | Robust file-based config     |

 ## Rollback Plan

 If you need to rollback to the old system:

 1. Revert the changes in git:
+
   ```bash
   git revert HEAD
   git push origin main
@@ -229,7 +236,8 @@ A: `NEXT_PUBLIC_*` variables are special in Next.js - they're embedded into the

 **Q: Can I update environment variables without rebuilding?**

-A: Yes, for runtime-only variables (MAIL_*, REDIS_*, SENTRY_DSN, etc.). Just edit the `.env` file on the server and restart containers:
+A: Yes, for runtime-only variables (MAIL*\*, REDIS*\*, SENTRY_DSN, etc.). Just edit the `.env` file on the server and restart containers:
+
 ```bash
 nano /home/deploy/sites/klz-cables.com/.env
 docker-compose down && docker-compose up -d
@@ -240,6 +248,7 @@ For `NEXT_PUBLIC_*` variables, you need to rebuild the Docker image since they'r
 **Q: Where should I store the .env file backup?**

 A: Keep a secure backup outside the server:
+
 ```bash
 # Download from server
 scp root@alpha.mintel.me:/home/deploy/sites/klz-cables.com/.env \
@@ -250,7 +259,8 @@ scp root@alpha.mintel.me:/home/deploy/sites/klz-cables.com/.env \

 **Q: What if I accidentally commit .env to git?**

-A: 
+A:
+
 1. Remove it immediately: `git rm .env && git commit -m "Remove .env"`
 2. Rotate all credentials in the file
 3. Update the `.gitignore` to ensure it doesn't happen again (already done)
@@ -267,6 +277,7 @@ If you encounter issues during migration:
 ## Summary

 The new system is:
+
 - ✅ **Simpler**: One .env file instead of scattered variables
 - ✅ **Cleaner**: Clear separation of build vs runtime
 - ✅ **Robust**: File-based config instead of fragile SSH commands