# Docker Deployment
## Quick Start
### Server (Production)
```bash
# Copy and configure environment
cp .env.example .env
nano .env
# Set these values in .env (file contents, not shell commands)
DOMAIN=tunnel.example.com
AUTH_TOKEN=your-secret-token
TLS_CERT=1
TLS_KEY=1
# Place certificates
mkdir -p certs
cp /path/to/fullchain.pem certs/
cp /path/to/privkey.pem certs/
# Uncomment volume mount in docker-compose.yml
# - ./certs:/app/data/certs:ro
# Start server
docker compose up -d
# View logs
docker compose logs -f
```
### Client (Development/Testing)
```bash
# Copy and configure client environment
cp .env.example .env.client
nano .env.client
# Set these values in .env.client (file contents, not shell commands)
SERVER_ADDR=tunnel.example.com:443
AUTH_TOKEN=your-secret-token
TUNNEL_TYPE=http
LOCAL_PORT=3000
# Start client
docker compose -f docker-compose.client.yml --env-file .env.client up -d
# View logs
docker compose -f docker-compose.client.yml logs -f
```
## Configuration
### Environment Variables
Create `.env` from `.env.example`:
```bash
DOMAIN=tunnel.example.com
AUTH_TOKEN=your-secret-token
```
### TLS Certificates
**Option 1: Auto TLS (Let's Encrypt)**
```bash
# Enable in .env
AUTO_TLS=1
# Ensure port 80 is accessible for ACME challenges
```
**Option 2: Manual Certificates**
```bash
# Place certificates in ./certs/
mkdir -p certs
cp fullchain.pem certs/cert.pem
cp privkey.pem certs/key.pem
# Uncomment in docker-compose.yml
# - ./certs:/app/data/certs:ro
# Enable in .env
TLS_CERT=1
TLS_KEY=1
```
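A preflight check for the `.env` file and manual private key described above, to run before `docker compose up -d`. This is an added example, not part of the drip project; the function names, the 32-character minimum token length, and treating any group/other permission bit as a finding are assumptions.

```bash
#!/bin/sh
# Added example, not part of drip. Assumptions: the 32-character minimum token
# length and the function names are illustrative choices, not project rules.

# env_value FILE KEY: print KEY's value (last assignment wins, quotes stripped).
env_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
    sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

# loose_perms FILE: succeed if group or other hold any permission bit.
loose_perms() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" != "------" ]
}

# preflight ENV_FILE KEY_FILE: print one line per finding; the exit status is
# the number of findings. The body is a subshell, so variables stay local.
preflight() (
  env_file=$1 key_file=$2 findings=0
  [ -f "$env_file" ] || { echo "FAIL: $env_file not found"; exit 1; }
  token=$(env_value "$env_file" AUTH_TOKEN)
  if [ -z "$token" ] || [ "$token" = "your-secret-token" ]; then
    echo "FAIL: AUTH_TOKEN is empty or still the placeholder"
    findings=$((findings + 1))
  elif [ "${#token}" -lt 32 ]; then
    echo "FAIL: AUTH_TOKEN is shorter than 32 characters"
    findings=$((findings + 1))
  fi
  if loose_perms "$env_file"; then
    echo "FAIL: $env_file is accessible to group/other (chmod 600)"
    findings=$((findings + 1))
  fi
  # The key file only matters when manual certificates are enabled.
  if [ "$(env_value "$env_file" TLS_KEY)" = "1" ]; then
    if [ ! -f "$key_file" ]; then
      echo "FAIL: TLS_KEY=1 but $key_file is missing"
      findings=$((findings + 1))
    elif loose_perms "$key_file"; then
      echo "FAIL: $key_file is accessible to group/other"
      findings=$((findings + 1))
    fi
  fi
  exit "$findings"
)

# Usage: sh preflight.sh .env certs/key.pem
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

If the container runs as a non-root user, the key's owner must match that UID for an owner-only key to stay readable through the read-only mount.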
## Data Persistence
All data is stored in Docker volumes:
- `drip-data`: Server data and certificates at `/app/data`
- `client-data`: Client configuration at `/app/data`
### Backup
```bash
# Backup server data (the archive includes the certificates stored in drip-data; store it securely)
docker run --rm -v drip-data:/data -v "$(pwd)":/backup alpine tar czf /backup/drip-backup.tar.gz -C /data .
# Restore
docker run --rm -v drip-data:/data -v "$(pwd)":/backup alpine tar xzf /backup/drip-backup.tar.gz -C /data
```
## Port Mapping
| Container Port | Host Port | Purpose |
|---------------|-----------|---------|
| 80 | 80 | HTTP (ACME challenges) |
| 443 | 443 | HTTPS (main service) |
| 8080 | 8080 | HTTP (no TLS) |
| 20000-20100 | 20000-20100 | TCP tunnels |
## Management
### Server
```bash
# Start
docker compose up -d
# Stop
docker compose down
# Restart
docker compose restart
# View logs
docker compose logs -f
# Shell access
docker compose exec server sh
# Update
docker compose pull
docker compose up -d
```
### Client
```bash
# Start
docker compose -f docker-compose.client.yml up -d
# Stop
docker compose -f docker-compose.client.yml down
# View logs
docker compose -f docker-compose.client.yml logs -f
# Different tunnel types
TUNNEL_TYPE=http LOCAL_PORT=3000 docker compose -f docker-compose.client.yml up -d
TUNNEL_TYPE=https LOCAL_PORT=8443 docker compose -f docker-compose.client.yml up -d
TUNNEL_TYPE=tcp LOCAL_PORT=5432 docker compose -f docker-compose.client.yml up -d
```
## Production Deployment
### With Reverse Proxy
If using Nginx/Traefik in front:
```yaml
services:
  server:
    ports:
      - "127.0.0.1:8080:8080"  # Only expose to localhost
    command: >
      server
      --domain tunnel.example.com
      --port 8080
      --token ${AUTH_TOKEN}
```
### Resource Limits
Adjust in `docker-compose.yml`:
```yaml
deploy:
  resources:
    limits:
      cpus: '2'
      memory: 512M
```
## Troubleshooting
**Certificate errors**
```bash
# Check certificate files
docker compose exec server ls -la /app/data/certs
# Check server logs
docker compose logs server | grep -i tls
```
**Connection issues**
```bash
# Verify port accessibility
curl -I https://tunnel.example.com
# Check server status
docker compose exec server /app/drip server --help
```
**Reset everything**
```bash
# Stop and remove everything (-v also deletes the drip-data volume, including server data and certificates)
docker compose down -v
# Start fresh
docker compose up -d
```