# Compose Stacks

This folder is for the self-contained local stack (self-signed TLS) and Traefik assets. Remote environments use the shared compose files in `infra/base` together with `infra/scripts/deploy.sh`.

## Local development (self-signed TLS)

- Copy envs: `cp infra/compose/env.example infra/compose/.env`, then set passwords/secrets and the dev domain (defaults to `local.lan`).
- Host aliases: add the domain to `/etc/hosts` (e.g. `127.0.0.1 auth.local.lan api.local.lan grafana.local.lan vault.local.lan minio.local.lan`).
- Networks: `./infra/scripts/setup-networks.sh` (creates `apa-frontend` and `apa-backend`, which every stack uses).
- Run: `cd infra/compose && docker compose --env-file .env -f docker-compose.local.yml up -d`.
- Stop: `docker compose --env-file .env -f docker-compose.local.yml down`.
- TLS: Traefik mounts `infra/compose/traefik/certs/local.{crt,key}`. Regenerate if needed with:

  ```sh
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout infra/compose/traefik/certs/local.key \
    -out infra/compose/traefik/certs/local.crt \
    -days 365 -subj "/CN=*.local.lan"
  ```

## Cloud / remote (Let’s Encrypt)

- **Structure**:
  - `infra/environments/production/` contains the unified `compose.yaml` and `compose.override.yaml` (for port binding).
  - `infra/base/` contains the shared service definitions.
  - `infra/scripts/deploy.sh` is the deployment automation script.
- **Configuration**:
  - Create `infra/environments/production/.env` based on `.env.example`.
  - Ensure `DOMAIN` is set (e.g. `app.harkon.co.uk`).
  - Ensure `AUTHENTIK_BOOTSTRAP_EMAIL` matches the blueprint (e.g. `admin@app.harkon.co.uk`).
  - Ensure `AUTHENTIK_BOOTSTRAP_FILE` is set to `./authentik/bootstrap-prod.yaml`.
- **Deployment**:
  1. SSH into the server.
  2. Navigate to the project directory.
  3. Run `./infra/scripts/deploy.sh production all`.
     - This deploys infrastructure, monitoring, and application services.
     - It automatically uses the production compose files and environment variables.
- **Certificates**:
  - Traefik uses DNS-01 via GoDaddy (configured in `infra/environments/production/.env`).
  - Ensure `GODADDY_API_KEY` and `GODADDY_API_SECRET` are set.
  - Certificates are stored in `infra/base/certs/` (mapped to `/var/traefik/certs` in the container).

## Files of note

- `docker-compose.local.yml` – full local stack.
- `traefik/traefik.local.yml` and `traefik/traefik-dynamic.local.yml` – static/dynamic Traefik config for local.
- `traefik/certs/` – self-signed certs used by the local proxy.
- `env.example` – defaults for local `.env`.
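The production `.env` described under **Configuration** and **Certificates** above carries both the Authentik bootstrap settings and the GoDaddy API credentials, so a missing or placeholder value only surfaces once `deploy.sh` has already started services. The following preflight script is an added example, not `infra/scripts/deploy.sh` or any file in this repository: it reads a `KEY=VALUE` env file and fails before deployment if a required variable is absent, still set to an obvious placeholder, or if the file is readable by group/other. The required-variable list and the expected `AUTHENTIK_BOOTSTRAP_FILE` path come from this README; the placeholder word list and the rule that the bootstrap e-mail sits under `DOMAIN` are assumptions drawn from the README's example values.

```shell
#!/bin/sh
# Added pre-deploy check; not part of the project's deploy.sh. Verifies that a
# production .env defines the variables this README requires before
# `./infra/scripts/deploy.sh production all` is run. The placeholder patterns
# and the "bootstrap e-mail under DOMAIN" rule are assumptions made here.

REQUIRED_VARS="DOMAIN AUTHENTIK_BOOTSTRAP_EMAIL AUTHENTIK_BOOTSTRAP_FILE GODADDY_API_KEY GODADDY_API_SECRET"

# env_value FILE KEY: print the value of the last KEY=VALUE line in FILE with
# surrounding single or double quotes stripped; prints nothing if KEY is absent.
env_value() {
  grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 \
    | sed -e 's/^[^=]*=//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check_env FILE: return 0 when FILE passes every check, 1 otherwise.
# Every problem is reported on stderr so the operator sees all of them at once.
check_env() {
  _fail=0
  for _v in $REQUIRED_VARS; do
    _val=$(env_value "$1" "$_v")
    case "$_val" in
      "") echo "missing or empty: $_v" >&2; _fail=1 ;;
      changeme|CHANGEME|*example*|*placeholder*|*PLACEHOLDER*)
        echo "placeholder value left in: $_v" >&2; _fail=1 ;;
    esac
  done

  # The README fixes this path; anything else points deploy.sh at a blueprint
  # it will not load.
  if [ "$(env_value "$1" AUTHENTIK_BOOTSTRAP_FILE)" != "./authentik/bootstrap-prod.yaml" ]; then
    echo "AUTHENTIK_BOOTSTRAP_FILE should be ./authentik/bootstrap-prod.yaml" >&2; _fail=1
  fi

  # Assumption: the bootstrap admin address is an @DOMAIN address, as in the
  # README's example (admin@app.harkon.co.uk for DOMAIN=app.harkon.co.uk).
  _dom=$(env_value "$1" DOMAIN)
  _mail=$(env_value "$1" AUTHENTIK_BOOTSTRAP_EMAIL)
  if [ -n "$_dom" ] && [ -n "$_mail" ]; then
    case "$_mail" in
      *@"$_dom") ;;
      *) echo "AUTHENTIK_BOOTSTRAP_EMAIL ($_mail) is not under DOMAIN ($_dom)" >&2; _fail=1 ;;
    esac
  fi

  # The file holds the GoDaddy API secret: group and other must have no access.
  # Columns 5-10 of `ls -ld` are the group/other permission bits (portable,
  # unlike stat's GNU/BSD-specific flags).
  _mode=$(ls -ld "$1" | cut -c5-10)
  if [ "$_mode" != "------" ]; then
    echo "$1 is accessible by group/other (bits '$_mode'); run chmod 600 on it" >&2; _fail=1
  fi

  return $_fail
}

# Usage: sh preflight.sh infra/environments/production/.env
if [ -n "${1:-}" ]; then
  check_env "$1" && echo "preflight OK: $1"
fi
```

Run it from the project root immediately before `./infra/scripts/deploy.sh production all`; a non-zero exit means at least one problem was printed. The check deliberately reports every failing variable rather than stopping at the first, and it never prints the values themselves, so its output is safe to paste into a ticket.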