# Dev-Production SSL Stack

This stack mirrors the local dev environment, but adds HTTPS via Caddy.

## Files

- `docker-compose.devprod.yml`
- `docker-compose.devprod.nossl.yml`
- `.env.devprod.example`
- `deploy/Caddyfile.devprod`

## Setup

1. Copy the env file and edit it:

   ```bash
   cp .env.devprod.example .env.devprod
   ```

   Or run the helper script:

   ```bash
   ./start-devprod.sh
   ```

   The script can also set the Nextcloud trusted domain for you. If you skip it, run:

   ```bash
   make trust-domain-devprod-nossl domain=cloud.example.com
   ```

   The helper scripts also ensure:

   - `BROKER_INTERNAL_API_TOKEN` is present (auto-generated if missing)
   - `BROKER_CORS_ALLOWED_ORIGINS` defaults to `NEXTCLOUD_PUBLIC_URL` when empty

2. Set the domains:

   ```
   NEXTCLOUD_DOMAIN=cloud.example.com
   BROKER_DOMAIN=qortalbroker.example.com
   ```

3. Start the stack:

   ```bash
   make up-devprod
   ```

4. Install the OIDC app (if needed):

   ```bash
   make install-oidc-devprod
   ```

5. Configure the `user_oidc` provider (example):

   ```bash
   make occ-devprod cmd="user_oidc:provider qortal -c nextcloud-local -s dev-secret -d https://qortalbroker.example.com/.well-known/openid-configuration --scope='openid profile email' --mapping-uid=sub --mapping-display-name=name --mapping-email=email"
   ```

6. Rebuild/recreate after env changes:

   ```bash
   ./recreate-devprod.sh
   ```

   This script now also disables/enables the `qortal_integration` app to refresh assets.

## Notes

- For **public domains**, leave `CADDY_TLS` empty so Caddy uses Let's Encrypt.
- For **local testing**, set:

  ```
  CADDY_TLS=tls internal
  ```

- To avoid port conflicts (e.g. a local Caddy already listening on 443), override:

  ```
  CADDY_HTTP_PORT=8081
  CADDY_HTTPS_PORT=8443
  ```

- For local TLS, you must trust the Caddy local CA cert.
- If you have an external proxy handling TLS, use the **no-SSL** stack:

  ```
  make up-devprod-nossl
  ```

  Then proxy to:

  - Nextcloud: `http://127.0.0.1:${DEVPROD_HTTP_PORT}`
  - Broker: `http://127.0.0.1:${DEVPROD_BROKER_PORT}`
  - Optional Qortal node API/gateway: `http://127.0.0.1:${QORTAL_NODE_API_HOST_PORT}` and the internal gateway on `8080`, via the template configs in `deploy/templates/proxy/`

  Make sure your proxy sets `X-Forwarded-Proto: https` to avoid redirect loops.

## External Auth container (optional)

To run the External Auth container alongside the stack, set the profile:

```bash
COMPOSE_PROFILES=external-auth make up-devprod-nossl
```

Then set:

```
QORTAL_EXTERNAL_AUTH_BASE_URL=http://external_auth:3191
```

When using the no-SSL stack, update:

```
PUBLIC_HTTPS_PORT=443
```

- If `app:install user_oidc` fails with a permissions error, run:

  ```bash
  make fix-apps-perms-devprod
  ```

- If you created `.env.devprod` before we added the optional OIDC env keys, add:

  ```
  OIDC_LOGIN_LOGO_URL=
  OIDC_PRIVATE_KEY_PEM=
  OIDC_KEY_ID=
  ```

## Trusted domain helper

If you see "untrusted domain" errors in Nextcloud, run:

```bash
make trust-domain-devprod-nossl
```

- The broker should be reachable by both Nextcloud and the user's browser.
- If `user_oidc` refuses HTTP, ensure `NEXTCLOUD_TRUSTED_DOMAINS` includes your domain.
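The env-file guarantees described in Setup step 1 (token auto-generation, CORS origin defaulting) and the note about adding the optional OIDC keys to an older `.env.devprod`, written out as an added example. This is not the project's `start-devprod.sh`; it assumes a plain `KEY=VALUE` file with one assignment per line and no quoting.

```shell
#!/bin/sh
# Added example, not the project's start-devprod.sh: stand-in for the env file
# guarantees described above. Assumes a plain KEY=VALUE file, one per line.

# Print the value of KEY ($2) in FILE ($1); empty if absent or unset.
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Set KEY=VALUE in FILE ($1 $2 $3): replace the existing line or append one.
env_set() {
  if grep -q "^$2=" "$1"; then
    tmp="$1.tmp.$$"
    sed "s|^$2=.*|$2=$3|" "$1" > "$tmp" && mv "$tmp" "$1"
  else
    printf '%s=%s\n' "$2" "$3" >> "$1"
  fi
}

# 256-bit token as 64 hex chars from the OS entropy source.
random_token() {
  if command -v openssl >/dev/null 2>&1; then openssl rand -hex 32
  else od -An -N32 -tx1 /dev/urandom | tr -d ' \n'; fi
}

# BROKER_INTERNAL_API_TOKEN: generate one if missing or empty, never overwrite.
ensure_broker_token() {
  [ -n "$(env_get "$1" BROKER_INTERNAL_API_TOKEN)" ] ||
    env_set "$1" BROKER_INTERNAL_API_TOKEN "$(random_token)"
}

# BROKER_CORS_ALLOWED_ORIGINS: default to NEXTCLOUD_PUBLIC_URL when empty, so
# only the browser-facing Nextcloud origin may call the broker by default.
ensure_cors_origins() {
  [ -n "$(env_get "$1" BROKER_CORS_ALLOWED_ORIGINS)" ] ||
    env_set "$1" BROKER_CORS_ALLOWED_ORIGINS "$(env_get "$1" NEXTCLOUD_PUBLIC_URL)"
}

# Add the optional OIDC keys (empty) to an older .env.devprod that lacks them.
ensure_oidc_keys() {
  for k in OIDC_LOGIN_LOGO_URL OIDC_PRIVATE_KEY_PEM OIDC_KEY_ID; do
    grep -q "^$k=" "$1" || printf '%s=\n' "$k" >> "$1"
  done
}
```

Run the three `ensure_*` functions against `.env.devprod`; they are idempotent, so a second run leaves an existing token and origin list untouched.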