From ad7d20021d541638e96f74ff5ba32ea5430465fb Mon Sep 17 00:00:00 2001
From: kawa
Date: Wed, 10 Jun 2026 11:51:35 +0200
Subject: [PATCH] Add prebuilt docker-compose, .env.example, and prebuilt install docs

---
 .env.example | 16 ++++++++++++++
 .gitignore | 4 ++++
 README.md | 16 +++++++++++++-
 docker-compose.prebuilt.yml | 42 +++++++++++++++++++++++++++++++++++++
 4 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 .env.example
 create mode 100644 docker-compose.prebuilt.yml

diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..be804f7
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,16 @@
+# Copy to `.env` beside docker-compose.prebuilt.yml and fill in real values.
+# IMPORTANT: do NOT wrap values in quotes — the compose `environment:` list form
+# embeds the literal quotes, producing a malformed Authority that fails OIDC
+# metadata discovery (IDX20803).
+
+# Image tag to run (default: latest)
+SPTB_TAG=latest
+
+# OIDC app sign-in (required in Production). Authority is derived from TenantId.
+Oidc__TenantId=00000000-0000-0000-0000-000000000000
+Oidc__ClientId=00000000-0000-0000-0000-000000000000
+Oidc__ClientSecret=your-client-secret
+
+# Optional: seed the first admin while the user store is empty (local form login).
+# Bootstrap__AdminEmail=admin@example.com
+# Bootstrap__AdminPassword=change-me
diff --git a/.gitignore b/.gitignore
index 2e3422b..131c964 100644
--- a/.gitignore
+++ b/.gitignore
@@ -65,3 +65,7 @@ data/exports/
 data/templates/
 data/audit.jsonl
 data/appcerts/
+
+# Local secrets
+.env
+!.env.example
diff --git a/README.md b/README.md
index 639ded6..b741006 100644
--- a/README.md
+++ b/README.md
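Review bot: Once filled in, `.env` holds the OIDC client secret and, if the Bootstrap lines are uncommented, an admin password in plaintext beside the compose file, and nothing in the example says to protect the file or to retire the bootstrap credentials after first use; since the compose file forwards every `Bootstrap__*` value on each `up`, a forgotten `Bootstrap__AdminPassword=change-me` stays in the container environment indefinitely even though the seed only runs while the user store is empty. I would add at the top `# Keep this file private (chmod 600 .env) — it contains the client secret.` and above the Bootstrap block `# Remove both Bootstrap__ lines once the first admin exists; they are passed to the container on every start.` Whether Compose strips surrounding quotes from `.env` values appears to depend on the Compose version, so the no-quotes warning is worth keeping but could name the version it was observed with.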
@@ -47,7 +47,21 @@ These are separate and registered on **different** Entra apps. Don't conflate th
 Persistent state (profiles, settings, templates, logs, exports, certs) lives in `DataFolder`.
-## Installation — Docker
+## Installation — Docker (prebuilt image)
+
+Pulls the published image from the Gitea registry — no local build needed.
+
+```bash
+cp .env.example .env # then edit .env with your OIDC values
+docker compose -f docker-compose.prebuilt.yml pull
+docker compose -f docker-compose.prebuilt.yml up -d
+```
+
+The compose file reads config from `.env` (see [`.env.example`](.env.example)). Pin a
+version with `SPTB_TAG`, e.g. `SPTB_TAG=v1.2.0` in `.env`. Don't quote values — the
+list form embeds literal quotes and breaks OIDC discovery.
+
+## Installation — Docker (build locally)
 ```bash
 docker compose up -d --build
diff --git a/docker-compose.prebuilt.yml b/docker-compose.prebuilt.yml
new file mode 100644
index 0000000..4c9cd5a
--- /dev/null
+++ b/docker-compose.prebuilt.yml
@@ -0,0 +1,42 @@
+# Runs the prebuilt image from the Gitea registry (no local build).
+# docker compose -f docker-compose.prebuilt.yml pull
+# docker compose -f docker-compose.prebuilt.yml up -d
+#
+# Pin a version by overriding the tag: SPTB_TAG=v1.2.0 docker compose ...
+# Set the OIDC secrets via a .env file next to this compose file (see below).
+services:
+  sptb-web:
+    image: git.azuze.fr/kawa/sptb-web:${SPTB_TAG:-latest}
+    container_name: sptb-web
+    ports:
+      - "8080:8080"
+    volumes:
+      - sptb-data:/data
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Production
+      - DataFolder=/data
+      # OIDC config — overrides the placeholder values baked into appsettings.json.
+      # Authority is derived from TenantId in code; do NOT set an Authority key.
+      # Put real values in a .env file beside this compose file (NO quotes around
+      # values — the list form embeds literal quotes and breaks discovery):
+      # Oidc__TenantId=
+      # Oidc__ClientId=
+      # Oidc__ClientSecret=
+      - Oidc__TenantId=${Oidc__TenantId:-}
+      - Oidc__ClientId=${Oidc__ClientId:-}
+      - Oidc__ClientSecret=${Oidc__ClientSecret:-}
+      # Optional: seed first admin while the user store is empty (local form login).
+      - Bootstrap__AdminEmail=${Bootstrap__AdminEmail:-}
+      - Bootstrap__AdminPassword=${Bootstrap__AdminPassword:-}
+    restart: unless-stopped
+    healthcheck:
+      # /account/login is anonymous and returns 200; -f fails on >=400.
+      test: ["CMD", "curl", "-fsS", "http://localhost:8080/account/login"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+volumes:
+  sptb-data:
+    driver: local
--
2.52.0
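Review bot: `Oidc__ClientSecret` and `Bootstrap__AdminPassword` are injected through `environment:`, so they are readable by anyone who can run `docker inspect sptb-web` and by every process in the container, which is the weakest place to keep a production client secret; if the application can read file-based configuration (ASP.NET's key-per-file provider or a `*__FILE` convention), a compose `secrets:` entry mounted under `/run/secrets` would keep them out of the inspect output, but that needs confirming against the app code, which is not in this diff. The default `${SPTB_TAG:-latest}` pulls a mutable tag from an external registry with no digest, so a production pin should look like `image: git.azuze.fr/kawa/sptb-web:v1.2.0@sha256:<digest>` rather than a tag alone. `"8080:8080"` publishes plain HTTP on every host interface while `ASPNETCORE_ENVIRONMENT=Production` suggests a TLS-terminating proxy in front, so `- "127.0.0.1:8080:8080"` is the safer default. The health check also assumes `curl` is present in the image, which cannot be verified from this diff.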