Dev-Production SSL Stack

This stack mirrors the local dev environment, but adds HTTPS via Caddy.

Files

  • docker-compose.devprod.yml
  • docker-compose.devprod.nossl.yml
  • .env.devprod.example
  • deploy/Caddyfile.devprod

Setup

  1. Copy the example env file and edit it:
cp .env.devprod.example .env.devprod

Or run the helper script:

./start-devprod.sh

The script can also set the Nextcloud trusted domain for you. If you skip it, run:

make trust-domain-devprod-nossl domain=cloud.example.com

The helper scripts also ensure:

  • BROKER_INTERNAL_API_TOKEN is present (auto-generated if missing)
  • BROKER_CORS_ALLOWED_ORIGINS defaults to NEXTCLOUD_PUBLIC_URL when empty
  2. Set the domains:
NEXTCLOUD_DOMAIN=cloud.example.com
BROKER_DOMAIN=qortalbroker.example.com
  3. Start the stack:
make up-devprod
  4. Install the OIDC app (if needed):
make install-oidc-devprod
  5. Configure the user_oidc provider (example):
make occ-devprod cmd="user_oidc:provider qortal -c nextcloud-local -s dev-secret -d https://qortalbroker.example.com/.well-known/openid-configuration --scope='openid profile email' --mapping-uid=sub --mapping-display-name=name --mapping-email=email"
The client ID (-c) and secret (-s) must match what the broker has registered for this client; nextcloud-local and dev-secret are placeholders for local testing, not values to keep on a reachable host.
  6. Rebuild/recreate after env changes:
./recreate-devprod.sh

This script also disables and re-enables the qortal_integration app so that its assets are refreshed.
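
The env preparation that steps 1 and 2 and the helper scripts perform, as an added shell example; this is not the project's start-devprod.sh. It assumes .env.devprod is a plain KEY=VALUE file and, when NEXTCLOUD_PUBLIC_URL is unset, that the public URL is https:// followed by NEXTCLOUD_DOMAIN (the variable names are the README's, that fallback is the example's own):

```sh
#!/bin/sh
# Added example, not the project's start-devprod.sh: prepares .env.devprod as the
# README describes. Assumes a plain KEY=VALUE file and, when NEXTCLOUD_PUBLIC_URL
# is unset, that the public URL is https://$NEXTCLOUD_DOMAIN.
set -eu

# Print the value of KEY in FILE (empty if the key is missing or blank).
env_get() {                                   # env_get FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Set KEY=VALUE in FILE, replacing an existing line or appending one.
env_set() {                                   # env_set FILE KEY VALUE
    if grep -q "^$2=" "$1"; then
        sed -i.bak "s|^$2=.*|$2=$3|" "$1"     # '|' delimiter: values may contain '/'
        rm -f "$1.bak"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# 256-bit random token as 64 hex chars: openssl if available, else /dev/urandom.
gen_token() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Apply the README's guarantees to FILE:
#   - NEXTCLOUD_DOMAIN / BROKER_DOMAIN are set from the arguments when given
#   - BROKER_INTERNAL_API_TOKEN is generated if missing or empty (never overwritten)
#   - BROKER_CORS_ALLOWED_ORIGINS defaults to NEXTCLOUD_PUBLIC_URL when empty
prepare_env() {                               # prepare_env FILE [NC_DOMAIN] [BROKER_DOMAIN]
    file=$1
    [ -z "${2:-}" ] || env_set "$file" NEXTCLOUD_DOMAIN "$2"
    [ -z "${3:-}" ] || env_set "$file" BROKER_DOMAIN "$3"
    if [ -z "$(env_get "$file" BROKER_INTERNAL_API_TOKEN)" ]; then
        env_set "$file" BROKER_INTERNAL_API_TOKEN "$(gen_token)"
    fi
    if [ -z "$(env_get "$file" BROKER_CORS_ALLOWED_ORIGINS)" ]; then
        public_url=$(env_get "$file" NEXTCLOUD_PUBLIC_URL)
        # Assumption: derive the public URL from the domain when the file has none.
        [ -n "$public_url" ] || public_url="https://$(env_get "$file" NEXTCLOUD_DOMAIN)"
        env_set "$file" BROKER_CORS_ALLOWED_ORIGINS "$public_url"
    fi
}

# Usage: ./prepare-env.sh cloud.example.com qortalbroker.example.com
main() {
    [ -f .env.devprod ] || cp .env.devprod.example .env.devprod
    prepare_env .env.devprod "${1:-}" "${2:-}"
}

# Run main only when executed as a script, not when sourced for testing.
if [ "${0##*/}" = "prepare-env.sh" ]; then main "$@"; fi
```

An existing non-empty BROKER_INTERNAL_API_TOKEN is left alone on every run, so re-running after an env change does not rotate the token the broker and Nextcloud already share; the CORS default is a single origin, which is what the broker needs when only NEXTCLOUD_PUBLIC_URL calls it from a browser.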

Notes

  • For public domains, leave CADDY_TLS empty so Caddy uses Let's Encrypt. Caddy's default ACME challenges (HTTP-01 and TLS-ALPN-01) need the public ports 80 and 443 to reach this Caddy, so issuance fails if those ports are remapped or firewalled.
  • For local testing, set:
CADDY_TLS=tls internal
  • To avoid port conflicts (e.g. a local Caddy already on 443), override:
CADDY_HTTP_PORT=8081
CADDY_HTTPS_PORT=8443
  • With tls internal, certificates come from Caddy's own local CA, so your browser and every other client (curl, and the Nextcloud container if it reaches the broker over HTTPS) must trust that CA's root certificate. Trust it on dev machines only.

  • If you have an external proxy handling TLS, use the no-SSL stack:

make up-devprod-nossl

Then proxy to:

  • Nextcloud: http://127.0.0.1:${DEVPROD_HTTP_PORT}
  • Broker: http://127.0.0.1:${DEVPROD_BROKER_PORT}
  • Optional Qortal node API/gateway: http://127.0.0.1:${QORTAL_NODE_API_HOST_PORT}, and the internal gateway on port 8080 via the template configs in deploy/templates/proxy/

Make sure your proxy sets X-Forwarded-Proto: https. Without it the backend sees plain HTTP, redirects to https, the proxy forwards that as HTTP again, and you get a redirect loop. Keep these listeners bound to 127.0.0.1 as shown so that only the proxy can reach them: a client that can hit the backend directly can set the forwarding headers itself and claim whatever scheme or source address it likes.
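
A probe for the no-SSL path, as an added shell example (not part of the project): it sends the backend the same request once without and once with X-Forwarded-Proto: https, the way a misconfigured and a correct proxy would, and reports whether the response would loop. HOST is your NEXTCLOUD_DOMAIN and PORT is DEVPROD_HTTP_PORT (or DEVPROD_BROKER_PORT for the broker); the script and its function names are this example's own:

```sh
#!/bin/sh
# Added example, not part of the project: probe the no-SSL stack the way an
# external TLS-terminating proxy would, and tell a working setup from one that
# will redirect-loop. Run it on the proxy host; HOST is your NEXTCLOUD_DOMAIN and
# PORT is DEVPROD_HTTP_PORT (or DEVPROD_BROKER_PORT for the broker).
set -eu

# A response loops behind a TLS-terminating proxy when the backend answers a
# redirect to https:// on the same host: the proxy forwards the new request as
# plain HTTP again and receives the same redirect. Returns 0 for that case.
# Usage: is_https_loop STATUS LOCATION HOST
is_https_loop() {
    case "$1" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$2" in
        "https://$3"|"https://$3/"*|"https://$3:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# One request to the backend with the given Host header and extra curl args;
# prints "STATUS LOCATION" (LOCATION empty when there is none).
# Usage: probe HOST PORT PATH [curl args...]
probe() {
    host=$1; port=$2; path=$3; shift 3
    hdrs=$(curl -s -o /dev/null -D - -H "Host: $host" "$@" "http://127.0.0.1:$port$path")
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | tr -d '\r' | sed -n 's/^[Ll]ocation: //p' | head -n 1)
    printf '%s %s\n' "$status" "$location"
}

# Usage: ./check-proxy.sh cloud.example.com "$DEVPROD_HTTP_PORT"
main() {
    host=$1; port=$2
    # 1. As a misconfigured proxy would: no forwarding header.
    set -- $(probe "$host" "$port" /)
    [ -n "${1:-}" ] || { echo "no HTTP response from 127.0.0.1:$port"; exit 2; }
    if is_https_loop "$1" "${2:-}" "$host"; then
        echo "backend redirects plain HTTP to https; the proxy must send X-Forwarded-Proto: https"
    fi
    # 2. As a correct proxy would.
    set -- $(probe "$host" "$port" / -H 'X-Forwarded-Proto: https')
    if is_https_loop "${1:-}" "${2:-}" "$host"; then
        echo "still redirecting with X-Forwarded-Proto set: check the backend's proxy settings"
        exit 1
    fi
    echo "OK: no https redirect loop (status ${1:-?}, location ${2:-none})"
}

case "${0##*/}" in check-proxy.sh) main "$@" ;; esac
```

A redirect to a path (e.g. /login) or to a different host is not a loop and is reported as OK; only a redirect back to https:// on the same host is flagged, because that is the request the proxy would immediately downgrade and resend.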

  • If app:install user_oidc fails with a permissions error, run:
make fix-apps-perms-devprod
  • If you created .env.devprod before the optional OIDC env keys were added, add them (they may stay empty):
OIDC_LOGIN_LOGO_URL=
OIDC_PRIVATE_KEY_PEM=
OIDC_KEY_ID=

External Auth container (optional)

To run the External Auth container alongside the stack, enable the compose profile:

COMPOSE_PROFILES=external-auth make up-devprod-nossl

Then set:

QORTAL_EXTERNAL_AUTH_BASE_URL=http://external_auth:3191

When using the no-SSL stack, set PUBLIC_HTTPS_PORT to the port your external proxy serves HTTPS on (normally 443):

PUBLIC_HTTPS_PORT=443

Trusted domain helper

If you see "untrusted domain" errors in Nextcloud, run:

make trust-domain-devprod-nossl

  • The broker must be reachable under BROKER_DOMAIN both from the Nextcloud container (discovery and token requests are server-to-server) and from the user's browser (the authorization redirect); with split DNS, hosts-file entries or a local CA, check both paths.
  • If user_oidc refuses plain HTTP, ensure NEXTCLOUD_TRUSTED_DOMAINS includes your domain.
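
Adding a domain to trusted_domains by hand is easy to get wrong: config:system:set takes an index, and writing to index 0 replaces the entry the stack already relies on (typically localhost or the container name). The following added shell example, which is not the project's make target, computes the next free index from the current list instead. It assumes the README's make occ-devprod cmd=... wrapper and that occ config:system:get trusted_domains prints one domain per line:

```sh
#!/bin/sh
# Added example, not the project's trust-domain make target: add a domain to
# Nextcloud's trusted_domains at the next free index instead of overwriting
# index 0 (usually localhost or the container name). Assumes the README's
# `make occ-devprod cmd=...` wrapper and that `occ config:system:get
# trusted_domains` prints one domain per line.
set -eu

# Run an occ command through the README's make target.
occ() { make -s occ-devprod cmd="$*"; }

# Read the current list on stdin; print the index to use for DOMAIN, or nothing
# if it is already present.
# Usage: occ config:system:get trusted_domains | next_index DOMAIN
next_index() {
    domain=$1
    i=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$line" != "$domain" ] || return 0      # already trusted: print nothing
        i=$((i + 1))
    done
    echo "$i"
}

# Usage: trust_domain cloud.example.com
trust_domain() {
    domain=$1
    idx=$(occ config:system:get trusted_domains | next_index "$domain")
    if [ -z "$idx" ]; then
        echo "$domain is already in trusted_domains"
        return 0
    fi
    occ config:system:set trusted_domains "$idx" --value="$domain"
    echo "trusted_domains[$idx] = $domain"
}

case "${0##*/}" in trust-domain.sh) trust_domain "$1" ;; esac
```

Run it once per public hostname (NEXTCLOUD_DOMAIN, and any alias your proxy answers on); re-running for a domain that is already listed is a no-op rather than a duplicate entry.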