# Deploy on Ubuntu Server

Docker setup for **Authentik** (OIDC) + **React frontend** + **Node API**.

Docker host IP: `172.237.44.156`

## Architecture

```
Browser
├─► :80    web (React + nginx)
├─► :3001  api (optional direct access)
└─► :9000  Authentik (login / OIDC)
```

## 1. Install Docker on Ubuntu

Copy the project to the server, then:

```bash
cd deploy
chmod +x install-ubuntu.sh start-authentik.sh
sudo ./install-ubuntu.sh
sudo usermod -aG docker $USER
# Log out and SSH back in so docker runs without sudo
```

Membership of the `docker` group is equivalent to root on the host (any member can start a container that mounts `/`), so add only the account that deploys this stack.

## 2. Configure environment

```bash
cd deploy
cp .env.example .env
nano .env
```

Set at minimum:

| Variable | Example |
|----------|---------|
| `SERVER_HOST` | `172.237.44.156` |
| `AUTHENTIK_HOST` | `http://172.237.44.156:9000` |
| `PUBLIC_WEB_URL` | `http://172.237.44.156` |
| `PUBLIC_API_URL` | `http://172.237.44.156` |
| `OIDC_CLIENT_ID` | from the Authentik provider (after step 4) |

`PUBLIC_API_URL` points at the nginx container, which proxies to `api` (see the `/health` check in step 5); only set it to `http://…:3001` if you deliberately expose the API directly.

## 3. Start Authentik

```bash
chmod +x start-authentik.sh
./start-authentik.sh
```

Or manually:

```bash
cp .env.authentik.example .env
nano .env   # set AUTHENTIK_HOST=http://YOUR_SERVER_IP:9000
mkdir -p data certs custom-templates
docker compose -f docker-compose.authentik.yml --env-file .env up -d
```

The `cp` above overwrites an existing `.env` in the same directory; if you already created one in step 2, merge the Authentik values into it instead of copying over it.

Open `http://YOUR_SERVER_IP:9000` and create the admin account. Do this right after the first start: until the initial-setup flow has been completed, anyone who can reach port 9000 can complete it and choose the admin password.

**Ubuntu firewall** (if UFW is enabled):

```bash
sudo ufw allow 9000/tcp
sudo ufw allow 80/tcp
sudo ufw allow 3001/tcp   # only if the API must be reachable directly
```

Note that Docker publishes ports through its own iptables rules, which UFW does not filter, so a published port is reachable whether or not UFW allows it. If `3001` should not be exposed, bind it to localhost in the compose file (`127.0.0.1:3001:3001`) or restrict it at the cloud firewall rather than relying on UFW.

**Azure / cloud:** open inbound ports 80 and 9000 (and 3001 only if needed) in the network security group.

## 4. Create OAuth app in Authentik

1. **Providers** → **OAuth2/OpenID Provider**
   - Client type: **Public** (no client secret is issued; the browser app must use the authorization code flow with PKCE)
   - Redirect URIs: `http://YOUR_SERVER_IP` (and `http://YOUR_SERVER_IP/`); the registered entry must match the `redirect_uri` the frontend actually sends, which is why both forms are listed
   - Scopes: `openid`, `profile`, `email`
2. **Applications** → slug `oidc-demo`, link the provider
3. Copy **Client ID** → `OIDC_CLIENT_ID` in `deploy/.env`
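To see what the public client from step 4 actually sends, here is an added example (not part of this project's code) that derives a PKCE verifier/challenge pair and builds the authorization request, then prints the `curl` you would run to redeem the code. The endpoint paths `/application/o/authorize/` and `/application/o/token/` and the placeholder client ID are assumptions; confirm the paths in the provider's discovery document at `$AUTHENTIK_HOST/application/o/oidc-demo/.well-known/openid-configuration`. It needs `openssl`.

```shell
#!/bin/sh
# Added example, not part of the project: derive a PKCE pair and build the
# authorization request for the public client created in step 4.
# Assumptions: Authentik's authorization endpoint is /application/o/authorize/
# and the token endpoint is /application/o/token/ (confirm both in the
# discovery document); openssl is installed.
set -eu

AUTHENTIK_HOST="${AUTHENTIK_HOST:-http://172.237.44.156:9000}"
OIDC_CLIENT_ID="${OIDC_CLIENT_ID:-replace-with-client-id}"   # placeholder, not a real ID
PUBLIC_WEB_URL="${PUBLIC_WEB_URL:-http://172.237.44.156}"

# base64url without padding, as RFC 7636 requires
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# code_verifier: 32 random bytes -> 43 characters (allowed range 43..128)
pkce_verifier() {
  head -c 32 /dev/urandom | b64url
}

# code_challenge (S256) = BASE64URL(SHA256(ASCII(code_verifier)))
pkce_challenge() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# Percent-encode the characters that occur in the values used here
# (URLs and a space-separated scope list); not a general encoder.
urlencode() {
  printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/:/%3A/g' \
    -e 's|/|%2F|g' -e 's/?/%3F/g' -e 's/&/%26/g' -e 's/=/%3D/g' \
    -e 's/#/%23/g' -e 's/+/%2B/g'
}

# Authorization request: $1 challenge, $2 state, $3 redirect_uri.
# redirect_uri must match an entry registered on the provider.
auth_url() {
  printf '%s/application/o/authorize/?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=%s&code_challenge=%s&code_challenge_method=S256' \
    "$AUTHENTIK_HOST" "$(urlencode "$OIDC_CLIENT_ID")" "$(urlencode "$3")" \
    "$(urlencode 'openid profile email')" "$2" "$1"
}

# Code redemption: $1 code, $2 verifier, $3 redirect_uri. No client_secret;
# the verifier is the proof of possession. Printed, not executed.
token_request() {
  printf 'curl -sS -X POST %s/application/o/token/ -d grant_type=authorization_code -d client_id=%s -d code=%s -d redirect_uri=%s -d code_verifier=%s' \
    "$AUTHENTIK_HOST" "$OIDC_CLIENT_ID" "$1" "$3" "$2"
}

verifier=$(pkce_verifier)
challenge=$(pkce_challenge "$verifier")
state=$(head -c 16 /dev/urandom | b64url)

printf 'code_verifier:  %s\n' "$verifier"
printf 'code_challenge: %s\n' "$challenge"
printf 'open: %s\n' "$(auth_url "$challenge" "$state" "$PUBLIC_WEB_URL/")"
printf 'then: %s\n' "$(token_request '<code-from-redirect>' "$verifier" "$PUBLIC_WEB_URL/")"
```

The provider only ever sees the challenge in the authorization request; the verifier stays in the browser until the token request, so an intercepted code is useless without it. Keep `state` per session and reject the callback if it does not match.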
## 5. Build and start the demo app

`deploy/.env` is **not in git** — create it on the server first (skip the `cp` if you already did it in step 2):

```bash
cp .env.example .env
nano .env
chmod +x up-app.sh diagnose.sh
./up-app.sh
```

Or manually:

```bash
docker compose --env-file .env up -d --build
```

If the API container is unhealthy, check logs:

```bash
docker compose --env-file .env logs api
docker compose --env-file .env ps
```

Rebuild after changes: `docker compose --env-file .env up -d --build api`

Verify:

```bash
curl http://localhost/health                        # via nginx → api
curl http://localhost:3001/health                   # api direct
curl http://localhost:9000/if/flow/initial-setup/   # authentik (after setup)
```

Open **http://YOUR_SERVER_IP** in a browser and sign in.

## Useful commands

```bash
# Logs
docker compose --env-file .env logs -f
docker compose -f docker-compose.authentik.yml --env-file .env logs -f

# Stop
docker compose --env-file .env down
docker compose -f docker-compose.authentik.yml --env-file .env down

# Rebuild frontend after .env URL changes
docker compose --env-file .env up -d --build web
```

## Production notes

- Put **HTTPS** in front (Caddy, nginx, or Traefik) and set `AUTHENTIK_HOST` / `PUBLIC_WEB_URL` to `https://…`; the `PUBLIC_*` URLs are compiled into the frontend, so rebuild `web` after changing them (see above)
- Set the Authentik redirect URIs to your HTTPS frontend URL and remove the plain `http://` entries
- Do not commit `deploy/.env` (secrets)
- Once the proxy is in place, stop publishing 9000 and 3001 on the host (or bind them to `127.0.0.1`) so Authentik and the API are reachable only through the proxy
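A pre-flight check for `deploy/.env` before running `./up-app.sh`, added here as an example and not part of the project's scripts: it reads the file with `sed` rather than sourcing it (so a stray command in `.env` cannot execute), verifies the variables from step 2 are set and are `http(s)` URLs, enforces the HTTPS requirement from the production notes when run in `prod` mode (a convention of this script, not of the project), prints the redirect URIs to register, and fails if git tracks the file. The sample `.env` at the bottom is constructed from the table in step 2.

```shell
#!/bin/sh
# Added example, not part of the project: pre-flight check for deploy/.env.
# Assumptions: the variable names from step 2; "prod" mode is this script's
# own convention for the HTTPS requirement in the production notes.
set -eu

# Value of KEY ($2) in FILE ($1): last assignment wins, surrounding quotes
# stripped, empty if absent. Never sources the file.
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
    | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"
}

# check_env FILE [dev|prod]: prints one line per problem, returns 1 if any.
check_env() {
  file=$1; mode=${2:-dev}; rc=0
  for key in SERVER_HOST AUTHENTIK_HOST PUBLIC_WEB_URL PUBLIC_API_URL OIDC_CLIENT_ID; do
    val=$(env_get "$file" "$key")
    if [ -z "$val" ]; then
      echo "FAIL $key is not set"; rc=1; continue
    fi
    case $key in
      AUTHENTIK_HOST|PUBLIC_WEB_URL|PUBLIC_API_URL)
        case $val in
          https://*) ;;
          http://*)
            if [ "$mode" = prod ]; then
              echo "FAIL $key must use https in prod: $val"; rc=1
            fi ;;
          *) echo "FAIL $key is not an http(s) URL: $val"; rc=1 ;;
        esac ;;
    esac
  done
  # The public client needs its redirect URI registered exactly as sent (step 4).
  web=$(env_get "$file" PUBLIC_WEB_URL)
  [ -n "$web" ] && echo "INFO register redirect URIs on the provider: $web and $web/"
  return $rc
}

# .env holds secrets and must stay untracked: fail if git already knows it.
# Not being inside a git repo (or git missing) counts as untracked.
check_untracked() {
  dir=$(dirname "$1"); name=$(basename "$1")
  if git -C "$dir" ls-files --error-unmatch "$name" >/dev/null 2>&1; then
    echo "FAIL $1 is tracked by git"; return 1
  fi
  return 0
}

# Constructed sample matching the table in step 2 (dev values, plain http).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/.env" <<'EOF'
SERVER_HOST=172.237.44.156
AUTHENTIK_HOST=http://172.237.44.156:9000
PUBLIC_WEB_URL=http://172.237.44.156
PUBLIC_API_URL=http://172.237.44.156
OIDC_CLIENT_ID="placeholder-client-id"
EOF

echo "== dev =="
check_env "$tmp/.env" dev && echo "OK"
echo "== prod =="
check_env "$tmp/.env" prod || echo "not production-ready"
check_untracked "$tmp/.env" && echo "untracked OK"
```

Run it against the real file with `sh check-env.sh` after replacing the sample path with `deploy/.env` and `prod` once the HTTPS proxy is in place; the step-2 values pass in `dev` mode and produce three `FAIL` lines in `prod` mode, one per plain-`http` URL.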