Merge pull request #14 from gamerg21/code-formatting-updates

Enhanced Docker Build/Image Update & HTTPS

Author: gamerg21

DEPLOYMENT.md

@@ -102,6 +102,57 @@ docker-compose -f docker-compose.prod.yml logs -f app
 
 Access the application at `http://localhost:3000` (or your configured port).
 
+## HTTPS Configuration
+
+Safari on iPhones requires HTTPS for barcode scanning. You have two options:
+
+### Option 1: Auto-generated Self-signed Certificates (Quick Setup)
+
+1. **Enable HTTPS in your `.env` file:**
+   ```env
+   ENABLE_HTTPS=true
+   NEXTAUTH_URL=https://localhost:3000
+   ```
+
+2. **Restart containers:**
+   ```bash
+   docker-compose -f docker-compose.prod.yml up -d
+   ```
+
+The app will automatically generate self-signed certificates. Browsers will show a security warning, but Safari barcode scanning will work.
+
+### Option 2: Custom Certificates
+
+1. **Create a `certs` directory and add your certificates:**
+   ```bash
+   mkdir -p certs
+   # Copy your cert.pem and key.pem files here
+   ```
+
+2. **Enable HTTPS in `.env`:**
+   ```env
+   ENABLE_HTTPS=true
+   SSL_CERT_PATH=/app/certs/cert.pem
+   SSL_KEY_PATH=/app/certs/key.pem
+   NEXTAUTH_URL=https://yourdomain.com
+   ```
+
+3. **Certificates are automatically mounted** via the volume in `docker-compose.prod.yml`
+
+### Option 3: nginx Reverse Proxy (Recommended for Production)
+
+For production deployments, use nginx (or Traefik/Caddy) to handle SSL termination:
+
+1. **Keep HTTPS disabled in the app:**
+   ```env
+   ENABLE_HTTPS=false
+   NEXTAUTH_URL=https://yourdomain.com
+   ```
+
+2. **Configure nginx with SSL** (see [DOCKER.md](./DOCKER.md) for full example)
+
+This approach allows you to use Let's Encrypt certificates and is the recommended setup for production.
+
 ## Updating to Latest Version
 
 To update to the latest version:
@@ -196,12 +247,15 @@ Then update `DATABASE_URL` accordingly and restart.
 
 ## Production Deployment Tips
 
-1. **Use a reverse proxy** (nginx, Traefik, Caddy) for HTTPS
-2. **Set strong passwords** for database and NextAuth secret
-3. **Configure SMTP** for email authentication
-4. **Use environment-specific tags** (e.g., `v1.0.0` instead of `latest`)
-5. **Set up regular backups** of your database
-6. **Monitor logs** for errors and performance issues
+1. **Use a reverse proxy** (nginx, Traefik, Caddy) for HTTPS with Let's Encrypt certificates
+   - Keep `ENABLE_HTTPS=false` in the app and let the proxy handle SSL
+2. **For self-hosted instances**, enable `ENABLE_HTTPS=true` for auto-generated self-signed certs
+   - Safari will show a warning but barcode scanning will work
+3. **Set strong passwords** for database and NextAuth secret
+4. **Configure SMTP** for email authentication
+5. **Use environment-specific tags** (e.g., `v1.0.0` instead of `latest`)
+6. **Set up regular backups** of your database
+7. **Monitor logs** for errors and performance issues
 
 ## Support
 

DOCKER.md

@@ -83,6 +83,47 @@ docker-compose ps
 
 The application will be available at `http://localhost:3000` (or your configured port).
 
+### 4.5. Enable HTTPS (Optional)
+
+Safari on iPhones requires HTTPS for barcode scanning. You can enable HTTPS in two ways:
+
+#### Option A: Auto-generated Self-signed Certificates (Easiest)
+
+1. **Set `ENABLE_HTTPS=true` in your `.env` file:**
+   ```env
+   ENABLE_HTTPS=true
+   NEXTAUTH_URL=https://localhost:3000
+   ```
+
+2. **Restart containers:**
+   ```bash
+   docker-compose up -d
+   ```
+
+The app will automatically generate self-signed certificates on first startup. Browsers will show a security warning, but you can proceed and Safari barcode scanning will work.
+
+#### Option B: Custom Certificates
+
+1. **Generate or obtain your SSL certificates** and place them in a `certs` directory:
+   ```bash
+   mkdir -p certs
+   # Copy your cert.pem and key.pem files here
+   # Or use the provided script:
+   ./scripts/generate-self-signed-cert.sh
+   ```
+
+2. **Enable HTTPS in `.env`:**
+   ```env
+   ENABLE_HTTPS=true
+   SSL_CERT_PATH=/app/certs/cert.pem
+   SSL_KEY_PATH=/app/certs/key.pem
+   NEXTAUTH_URL=https://yourdomain.com
+   ```
+
+3. **The certificates will be automatically mounted** via the volume in `docker-compose.yml`
+
+**Note:** For production with proper SSL certificates, consider using a reverse proxy (nginx, Traefik, Caddy) with `ENABLE_HTTPS=false` and let the proxy handle SSL termination.
+
 ### 4. Run Database Migrations
 
 Migrations run automatically on container startup. If you need to run them manually:
@@ -105,14 +146,31 @@ docker-compose exec postgres psql -U postgres -d souschef -c "UPDATE \"User\" SE
 
 ### Using a Reverse Proxy
 
-For production, use a reverse proxy (nginx, Traefik, Caddy) in front of the application:
+For production, use a reverse proxy (nginx, Traefik, Caddy) in front of the application. This is the recommended approach for production deployments.
+
+**Important:** When using a reverse proxy, keep `ENABLE_HTTPS=false` in your `.env` file and let the proxy handle SSL termination.
 
-#### Example nginx configuration:
+#### Example nginx configuration with SSL:
 
 ```nginx
 server {
     listen 80;
     server_name souschef.yourdomain.com;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name souschef.yourdomain.com;
+
+    # SSL certificates (use Let's Encrypt for production)
+    ssl_certificate /etc/letsencrypt/live/souschef.yourdomain.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/souschef.yourdomain.com/privkey.pem;
+    
+    # SSL configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
 
     location / {
         proxy_pass http://localhost:3000;
@@ -133,6 +191,7 @@ server {
 In your `.env` file, set:
 
 ```env
+ENABLE_HTTPS=false  # Let nginx handle SSL
 NEXTAUTH_URL=https://souschef.yourdomain.com
 ```
 
@@ -346,6 +405,10 @@ sudo chown -R 999:999 ./postgres_data
 | `NEXTAUTH_SECRET` | Yes | Secret for NextAuth.js | - |
 | `NEXTAUTH_URL` | Yes | Public URL of your application | `http://localhost:3000` |
 | `APP_PORT` | No | Application port (host) | `3000` |
+| `ENABLE_HTTPS` | No | Enable HTTPS mode (auto-generates self-signed certs if not provided) | `false` |
+| `SSL_CERT_PATH` | No | Path to SSL certificate file | `/app/certs/cert.pem` |
+| `SSL_KEY_PATH` | No | Path to SSL private key file | `/app/certs/key.pem` |
+| `HOSTNAME` | No | Hostname to bind to | `0.0.0.0` |
 | `SMTP_HOST` | No | SMTP server hostname | - |
 | `SMTP_PORT` | No | SMTP server port | `587` |
 | `SMTP_USER` | No | SMTP username | - |

Dockerfile

@@ -47,20 +47,44 @@ RUN adduser --system --uid 1001 nextjs
 # Copy necessary files from standalone build
 # Note: standalone build includes the minimal server, but we need to ensure
 # Prisma files are available for migrations
+# Copy the entire standalone directory to preserve all Next.js internal structure
 COPY --from=builder /app/.next/standalone ./
 COPY --from=builder /app/.next/static ./.next/static
 COPY --from=builder /app/public ./public
 
+# Copy the .next/server directory which contains compiled webpack files
+# that Next.js needs even in standalone mode
+COPY --from=builder /app/.next/server ./.next/server
+
+# Since we're using a custom server.js, we need all node_modules
+# Standalone mode doesn't include everything needed for custom servers
+# Copy all node_modules from builder to ensure all dependencies are available
+COPY --from=builder /app/node_modules ./node_modules
+
 # Copy Prisma files (needed for migrations and client)
 # These are needed even though standalone might include them, to ensure migrations work
 COPY --from=builder /app/src/generated ./src/generated
 COPY --from=builder /app/prisma ./prisma
 COPY --from=builder /app/prisma.config.js ./prisma.config.js
 COPY --from=builder /app/package.json ./package.json
 
+# Ensure Next.js module is properly available
+# Standalone build should include next, but we ensure it's accessible
+# The standalone build's node_modules should already have next, but we verify it's there
+
+# Copy our custom server.js to override the one from standalone build
+# This enables our HTTPS/HTTP flexible server functionality
+COPY --from=builder /app/server.js ./server.js
+
 # Install Prisma CLI globally for migrations (lightweight)
 RUN npm install -g prisma@^7.2.0
 
+# Install OpenSSL for certificate generation (needed for auto-generated self-signed certs)
+RUN apk add --no-cache openssl
+
+# Create certificates directory for auto-generated or mounted certificates
+RUN mkdir -p /app/certs && chmod 755 /app/certs
+
 # Set correct permissions
 RUN chown -R nextjs:nodejs /app
 

HTTPS_SETUP.md

@@ -100,8 +100,90 @@ If port 3000 is busy, you can change it in `server.js`:
 const port = 3001; // or any available port
 ```
 
+## Option 3: Docker/Production HTTPS Setup
+
+For Docker deployments, HTTPS can be enabled with automatic self-signed certificate generation:
+
+### Quick Setup (Auto-generated Certificates)
+
+1. **Enable HTTPS in your `.env` file:**
+   ```env
+   ENABLE_HTTPS=true
+   NEXTAUTH_URL=https://localhost:3000
+   ```
+
+2. **Start your containers:**
+   ```bash
+   docker-compose up -d
+   ```
+
+That's it! The app will automatically generate self-signed certificates on first startup. Safari will show a security warning, but you can proceed and barcode scanning will work.
+
+### Using Custom Certificates
+
+If you want to provide your own certificates:
+
+1. **Generate certificates** (optional - you can use the provided script):
+   ```bash
+   # Using the provided script
+   ./scripts/generate-self-signed-cert.sh
+   
+   # Or manually with OpenSSL
+   mkdir -p certs
+   openssl req -x509 -newkey rsa:2048 -keyout certs/key.pem -out certs/cert.pem -days 365 -nodes
+   ```
+
+2. **Mount certificates in docker-compose.yml** (already configured):
+   ```yaml
+   volumes:
+     - ./certs:/app/certs:rw
+   ```
+
+3. **Set environment variables** (optional - defaults work):
+   ```env
+   ENABLE_HTTPS=true
+   SSL_CERT_PATH=/app/certs/cert.pem
+   SSL_KEY_PATH=/app/certs/key.pem
+   ```
+
+### Using nginx Proxy (HTTP Backend)
+
+If you're using nginx or another reverse proxy for SSL termination:
+
+1. **Keep HTTPS disabled in the app:**
+   ```env
+   ENABLE_HTTPS=false
+   NEXTAUTH_URL=https://yourdomain.com
+   ```
+
+2. **Configure nginx to handle SSL** and proxy to the HTTP backend:
+   ```nginx
+   server {
+       listen 443 ssl;
+       server_name yourdomain.com;
+       
+       ssl_certificate /path/to/cert.pem;
+       ssl_certificate_key /path/to/key.pem;
+       
+       location / {
+           proxy_pass http://localhost:3000;
+           proxy_http_version 1.1;
+           proxy_set_header Upgrade $http_upgrade;
+           proxy_set_header Connection 'upgrade';
+           proxy_set_header Host $host;
+           proxy_set_header X-Real-IP $remote_addr;
+           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+           proxy_set_header X-Forwarded-Proto $scheme;
+           proxy_cache_bypass $http_upgrade;
+       }
+   }
+   ```
+
 ## Which Option Should I Use?
 
 - **Tunnel (Option 1)**: Best for quick testing, works immediately, no setup
 - **Local HTTPS (Option 2)**: Best for ongoing development, faster (no external service), requires one-time setup
+- **Docker Auto-generated (Option 3)**: Best for Docker deployments, works out-of-the-box, self-signed certs
+- **Docker Custom Certificates (Option 3)**: Best for production Docker deployments with your own certificates
+- **nginx Proxy (Option 3)**: Best for production with proper SSL certificates (Let's Encrypt, etc.)
 

docker-compose.prod.yml

@@ -1,3 +1,27 @@
+# ============================================================================
+# Docker Compose Configuration for Production Deployment (Pre-built Images)
+# ============================================================================
+# This file is for END USERS who want to deploy Sous Chef using pre-built
+# Docker images from Docker Hub. It pulls the image instead of building it.
+#
+# Use this if you:
+#   - Just want to run Sous Chef without building from source
+#   - Want faster deployments and updates
+#   - Are deploying to production or self-hosting
+#
+# Usage:
+#   docker-compose -f docker-compose.prod.yml up -d
+#
+# The image is configured as: gamerg21/sous-chef:latest
+# To use a different image, update the 'image' field in the 'app' service below.
+#
+# For developers who want to build from source code:
+#   See docker-compose.yml instead (builds locally using Dockerfile)
+#
+# Documentation:
+#   See DEPLOYMENT.md for detailed deployment instructions
+# ============================================================================
+
 services:
   # PostgreSQL Database
   postgres:
@@ -36,6 +60,14 @@ services:
       NEXTAUTH_URL: ${NEXTAUTH_URL:-http://localhost:3000}
       NEXTAUTH_SECRET: ${NEXTAUTH_SECRET}
 
+      # HTTPS Configuration (Optional)
+      # Set ENABLE_HTTPS=true to enable HTTPS mode
+      # If certificates are not provided, self-signed certs will be auto-generated
+      ENABLE_HTTPS: ${ENABLE_HTTPS:-true}
+      SSL_CERT_PATH: ${SSL_CERT_PATH:-/app/certs/cert.pem}
+      SSL_KEY_PATH: ${SSL_KEY_PATH:-/app/certs/key.pem}
+      HOSTNAME: ${HOSTNAME:-0.0.0.0}
+      
       # SMTP (Optional - for email authentication)
       SMTP_HOST: ${SMTP_HOST:-}
       SMTP_PORT: ${SMTP_PORT:-587}
@@ -47,6 +79,10 @@ services:
       NODE_ENV: production
     ports:
       - "${APP_PORT:-3000}:3000"
+    volumes:
+      # Optional: Mount custom certificates directory
+      # If not mounted and ENABLE_HTTPS=true, self-signed certs will be auto-generated
+      - ./certs:/app/certs:rw
     depends_on:
       postgres:
         condition: service_healthy