# rSpace Deployment Guide

## Architecture

```
spaces.yml                      # Single source of truth for all spaces
    |
    v
generate.sh                     # Reads config, produces per-space compose files
    |
    v
generated/                      # Per-space docker-compose files (gitignored)
  docker-compose.space-*.yml
  tunnel-hostnames.yml          # Cloudflare tunnel entries
  dns-commands.sh               # DNS CNAME setup commands
```

Each "space" is a community Postiz instance with its own domain, database, Redis, and Temporal stack — all defined by a single block in `spaces.yml`.

## Prerequisites

- `yq` v4+ ([install](https://github.com/mikefarah/yq#install))
- Docker + Docker Compose
- Access to Netcup RS 8000 (`ssh netcup`)
- Cloudflare dashboard access (for DNS)

## Adding a New Space

### 1. Define the space

Edit `spaces.yml` and add a block:

```yaml
spaces:
  mycofi:
    primary_domain: socials.mycofi.earth
    fallback_domain: mycofi.rsocials.online
    email_from: noreply@mycofi.earth
    services:
      - postiz
```

Override any defaults if needed:

```yaml
  mycofi:
    primary_domain: socials.mycofi.earth
    fallback_domain: mycofi.rsocials.online
    email_from: noreply@mycofi.earth
    postiz:
      disable_registration: true
      email_from_name: MycoFi Socials
    services:
      - postiz
```

### 2. Generate compose files

```bash
./generate.sh          # All spaces
./generate.sh mycofi   # Single space
```

Output: `generated/docker-compose.space-mycofi.yml`

### 3. Create secrets

**Option A: .env file (simple)**

Create `generated/.env` (or a per-space file). Run this in a shell: Compose does not expand `$(...)` inside a `.env` file, so the random values have to be generated before they are written.

```bash
# The unquoted heredoc lets the shell expand $(...) so the file holds real random values
cat > generated/.env <<EOF
JWT_SECRET=$(openssl rand -hex 32)
POSTGRES_PASSWORD=$(openssl rand -hex 16)
EMAIL_PASS=your-mailcow-password
EOF
```

**Option B: Infisical (recommended for production)**

```bash
# Install CLI: https://infisical.com/docs/cli/overview
infisical secrets set JWT_SECRET="$(openssl rand -hex 32)" \
  --projectId --env prod
```

### 4. Deploy

```bash
# Simple deploy
cd generated/
docker compose -f docker-compose.space-mycofi.yml up -d

# With Infisical
infisical run --projectId --env prod -- \
  infisical run --projectId --env prod -- \
  docker compose -f docker-compose.space-mycofi.yml up -d
```

### 5. Configure DNS + Tunnel

Add entries from `generated/tunnel-hostnames.yml` to `/root/cloudflared/config.yml` on Netcup:

```yaml
- hostname: socials.mycofi.earth
  service: http://localhost:80
- hostname: mycofi.rsocials.online
  service: http://localhost:80
```

Restart the tunnel:

```bash
ssh netcup "docker restart cloudflared"
```

Add Cloudflare DNS CNAMEs (in the dashboard for each domain zone):

| Type | Name | Target | Proxy |
|------|------|--------|-------|
| CNAME | `socials` | `a838e9dc-...cfargotunnel.com` | Proxied |

### 6. Verify

- `https://socials.mycofi.earth` -> Postiz login
- `https://mycofi.rsocials.online` -> 301 redirect to primary domain

## File Reference

| File | Purpose |
|------|---------|
| `spaces.yml` | Master config — all spaces, domains, defaults |
| `docker-compose.template.yml` | Postiz stack template with `{{PLACEHOLDER}}` vars |
| `generate.sh` | Reads config, fills template, outputs compose files |
| `generated/` | Build artifacts (gitignored) |
| `postiz/docker-compose.yml` | Legacy manual compose (kept for reference) |
| `infisical/docker-compose.yml` | Infisical secret manager deployment |
| `infisical/.env.example` | Required env vars for Infisical |

## Infisical Setup

### Deploy Infisical on Netcup

```bash
scp -r infisical/ netcup:/opt/infisical/
ssh netcup
cd /opt/infisical
# Generate secrets (required variables are listed in .env.example)
cat > .env < EOF
docker compose up -d
```

### Add DNS + Tunnel

1. Add `secrets.jeffemmett.com` CNAME in Cloudflare
2. Add hostname to tunnel config:
   ```yaml
   - hostname: secrets.jeffemmett.com
     service: http://localhost:80
   ```
3. `docker restart cloudflared`
4. Visit `https://secrets.jeffemmett.com` to complete setup

### Infisical Project Structure

```
Organization: rSpace
  Project: shared -> SMTP creds, AI keys, Cloudflare tokens
  Project: space- -> Per-space: JWT_SECRET, POSTGRES_PASSWORD, social API keys
  Project: rspace-online -> Landing page: GEMINI_API_KEY, RUNPOD keys
```

## Defaults

All defaults are in `spaces.yml` under `defaults.postiz:`. Per-space overrides go under `spaces..postiz:`.

| Setting | Default |
|---------|---------|
| Image | `ghcr.io/gitroomhq/postiz-app:latest` |
| Port | 5000 |
| PostgreSQL | `postgres:17-alpine` |
| Redis | `redis:7.2` |
| Temporal | `temporalio/auto-setup:1.28.1` |
| Email host | `mailcowdockerized-postfix-mailcow-1` |
| Email port | 587 |
| Storage | local |
| Registration | enabled |
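
A pre-deploy check for the `.env` file created in step 3 ("Create secrets"), as an added example that is not part of the rSpace repo. The function names and the script name are hypothetical; the variable names and expected lengths are taken from the `openssl` commands in this guide.

```bash
#!/bin/sh
# Added example (not from the rSpace repo): lint a space's .env before deploy.
# Variable names are the guide's; the length rules assume its openssl commands.

# Print KEY's value from FILE without sourcing it (last assignment wins).
env_value() {
  sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Succeed only if VALUE is exactly N lowercase hex characters.
is_hex() {
  [ "${#1}" -eq "$2" ] || return 1
  case $1 in *[!0-9a-f]*) return 1 ;; esac
}

# Print one FAIL line per finding; status 0 = clean, 1 = findings, 2 = no file.
check_space_env() (
  file=$1
  bad=0
  fail() { echo "FAIL: $file: $*" >&2; bad=1; }

  [ -f "$file" ] || { echo "FAIL: $file: not found" >&2; exit 2; }

  # Compose does not run command substitution in .env files, so a pasted
  # "$(openssl ...)" would itself become the secret: a publicly known constant.
  if grep -Fq '$(' "$file"; then
    fail 'contains an unexpanded $(...) command substitution'
  fi
  is_hex "$(env_value JWT_SECRET "$file")" 64 ||
    fail "JWT_SECRET is not 64 hex chars (openssl rand -hex 32)"
  is_hex "$(env_value POSTGRES_PASSWORD "$file")" 32 ||
    fail "POSTGRES_PASSWORD is not 32 hex chars (openssl rand -hex 16)"
  case $(env_value EMAIL_PASS "$file") in
    '' | your-mailcow-password) fail "EMAIL_PASS is empty or still the placeholder" ;;
  esac
  # The file holds live credentials: no read bit for group or others.
  if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
    fail "readable by group/others; run: chmod 600 $file"
  fi
  exit "$bad"
)

# Stand-alone use: sh check-env.sh generated/.env   (script name is hypothetical)
if [ "$#" -gt 0 ]; then check_space_env "$1"; fi
```

A non-zero exit status can gate the `docker compose ... up -d` call in step 4.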