Merge pull request 'Add prebuilt docker-compose, .env.example, and prebuilt install docs' (#4) from fix/prod-auth-http-deploy into main

Reviewed-on: #4
2026-06-10 15:38:44 +02:00
parent 415ec7152f ad7d20021d
commit 0ded1af6bc
4 changed files with 77 additions and 1 deletions
@@ -0,0 +1,16 @@
+# Copy to `.env` beside docker-compose.prebuilt.yml and fill in real values.
+# IMPORTANT: do NOT wrap values in quotes — the compose `environment:` list form
+# embeds the literal quotes, producing a malformed Authority that fails OIDC
+# metadata discovery (IDX20803).
+
+# Image tag to run (default: latest)
+SPTB_TAG=latest
+
+# OIDC app sign-in (required in Production). Authority is derived from TenantId.
+Oidc__TenantId=00000000-0000-0000-0000-000000000000
+Oidc__ClientId=00000000-0000-0000-0000-000000000000
+Oidc__ClientSecret=your-client-secret
+
+# Optional: seed the first admin while the user store is empty (local form login).
+# Bootstrap__AdminEmail=admin@example.com
+# Bootstrap__AdminPassword=change-me
@@ -65,3 +65,7 @@ data/exports/
 data/templates/
 data/audit.jsonl
 data/appcerts/
+
+# Local secrets
+.env
+!.env.example
@@ -47,7 +47,21 @@ These are separate and registered on **different** Entra apps. Don't conflate th

 Persistent state (profiles, settings, templates, logs, exports, certs) lives in `DataFolder`.

-## Installation — Docker
+## Installation — Docker (prebuilt image)
+
+Pulls the published image from the Gitea registry — no local build needed.
+
+```bash
+cp .env.example .env      # then edit .env with your OIDC values
+docker compose -f docker-compose.prebuilt.yml pull
+docker compose -f docker-compose.prebuilt.yml up -d
+```
+
+The compose file reads config from `.env` (see [`.env.example`](.env.example)). Pin a
+version with `SPTB_TAG`, e.g. `SPTB_TAG=v1.2.0` in `.env`. Don't quote values — the
+list form embeds literal quotes and breaks OIDC discovery.
+
+## Installation — Docker (build locally)

 ```bash
 docker compose up -d --build
@@ -0,0 +1,42 @@
+# Runs the prebuilt image from the Gitea registry (no local build).
+#   docker compose -f docker-compose.prebuilt.yml pull
+#   docker compose -f docker-compose.prebuilt.yml up -d
+#
+# Pin a version by overriding the tag:  SPTB_TAG=v1.2.0 docker compose ...
+# Set the OIDC secrets via a .env file next to this compose file (see below).
+services:
+  sptb-web:
+    image: git.azuze.fr/kawa/sptb-web:${SPTB_TAG:-latest}
+    container_name: sptb-web
+    ports:
+      - "8080:8080"
+    volumes:
+      - sptb-data:/data
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Production
+      - DataFolder=/data
+      # OIDC config — overrides the placeholder values baked into appsettings.json.
+      # Authority is derived from TenantId in code; do NOT set an Authority key.
+      # Put real values in a .env file beside this compose file (NO quotes around
+      # values — the list form embeds literal quotes and breaks discovery):
+      #   Oidc__TenantId=<entra-tenant-guid>
+      #   Oidc__ClientId=<app-client-id>
+      #   Oidc__ClientSecret=<app-client-secret>
+      - Oidc__TenantId=${Oidc__TenantId:-}
+      - Oidc__ClientId=${Oidc__ClientId:-}
+      - Oidc__ClientSecret=${Oidc__ClientSecret:-}
+      # Optional: seed first admin while the user store is empty (local form login).
+      - Bootstrap__AdminEmail=${Bootstrap__AdminEmail:-}
+      - Bootstrap__AdminPassword=${Bootstrap__AdminPassword:-}
+    restart: unless-stopped
+    healthcheck:
+      # /account/login is anonymous and returns 200; -f fails on >=400.
+      test: ["CMD", "curl", "-fsS", "http://localhost:8080/account/login"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+volumes:
+  sptb-data:
+    driver: local