Enables the auth providers and transactional email flows the self-hosted
Supabase was missing compared to the cloud instance:
- GoTrue now accepts Google and Apple OAuth (web flow); Apple client-secret
JWT is signed fresh on every activation from the SOPS-stored .p8 so
there's no 6-month rotation ritual.
- SMTP points at mail.cloonar.com:587 with SASL auth via a new `supabase`
LDAP account; a `noreply@fueltide.io` mailAlias lets that account send
as the fueltide.io address.
- rspamd on mail.cloonar.com gets a per-domain DKIM key for fueltide.io
(selector `default`) so outbound mail is signed.
- MAILER_AUTOCONFIRM is off so signup confirmation + password reset
actually go through email.
- SITE_URL + URI_ALLOW_LIST point at app.fueltide.io / stage so links in
emails and OAuth redirects land in the right app.
FUELTIDE_AUTH_SETUP.md documents the manual steps (LDAP entries, SOPS
additions, DNS records, Google/Apple console setup) that must be completed
before merging.
Implement AVIF image content negotiation with WebP fallback for
cloonar.dev website. Browser will receive AVIF if supported and
available, otherwise WebP, falling back to original JPEG/PNG.
- Add AVIF-first content negotiation in image location block
- Maintain existing WebP fallback logic
- Include .avif in long-term cache headers (365d)
- Add Vary: Accept header for proper CDN/browser caching
AVIF files should be placed at /avif/$request_uri.avif to be served.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
