# LemonSec Setup Guide

Complete setup instructions for the different deployment methods.

## Table of Contents

1. [Portainer Git Deployment](#portainer-git-deployment-recommended) (Recommended)
2. [Docker Compose Manual](#docker-compose-manual)
3. [TrueNAS Nextcloud Specifics](#truenas-nextcloud-setup)
4. [Migration from NPM](#migration-from-nginx-proxy-manager)

---

## Portainer Git Deployment (Recommended)

Best for Proxmox users who already have Portainer installed.

### Prerequisites

- Portainer running on a Proxmox VM
- Git repository at `https://git.lemonlink.eu/impulsivefps/LemonSec`
- Cloudflare account
- TrueNAS Scale with Nextcloud

### Quick Steps

1. **Push code to Git** (make sure `.env` and `secrets/` are listed in `.gitignore` first, so no credentials end up in the repository):

   ```bash
   cd LemonSec
   git init
   git remote add origin https://git.lemonlink.eu/impulsivefps/LemonSec.git
   git add .
   git commit -m "Initial commit"
   git push -u origin main
   ```

2. **Generate secrets**:

   ```bash
   openssl rand -hex 32   # run 3 times, once per secret
   ```

   Save the three outputs for the `AUTHELIA_*` variables below. Use a different value for each of the three.

3. **Deploy in Portainer**:
   - Stacks → Add Stack → Repository
   - URL: `https://git.lemonlink.eu/impulsivefps/LemonSec`
   - Add the environment variables listed below
   - Deploy

### Required Environment Variables

| Variable | Description | Example |
|----------|-------------|---------|
| `CF_API_EMAIL` | Cloudflare account email | `you@example.com` |
| `CF_API_KEY` | Cloudflare Global API Key | `global-api-key` |
| `TRUENAS_IP` | TrueNAS VM IP | `192.168.1.100` |
| `TRUENAS_NEXTCLOUD_PORT` | Nextcloud port on TrueNAS | `9001` |
| `AUTHELIA_JWT_SECRET` | Random hex string | output of `openssl rand -hex 32` |
| `AUTHELIA_SESSION_SECRET` | Random hex string | output of `openssl rand -hex 32` |
| `AUTHELIA_STORAGE_KEY` | Random hex string | output of `openssl rand -hex 32` |

The Global API Key gives full access to the whole Cloudflare account, so treat it like a root password. Traefik's Cloudflare certificate resolver also accepts a scoped token (`CF_DNS_API_TOKEN` with DNS edit rights on the zone) if you adapt the stack to use it.

**Full detailed guide**: [PORTAINER-DEPLOY.md](PORTAINER-DEPLOY.md)

---

## Docker Compose Manual

For systems without Portainer, or for development.

### Prerequisites

- Docker 20.10+
- Docker Compose 2.0+
- Git

### Steps

1. **Clone the repository**:

   ```bash
   git clone https://git.lemonlink.eu/impulsivefps/LemonSec.git
   cd LemonSec
   ```

2. **Configure the environment**:

   ```bash
   cp .env.example .env
   nano .env
   ```

3. **Generate secrets** (the files are mounted into Authelia; keep them readable by your user only):

   ```bash
   mkdir -p secrets
   (umask 077
    openssl rand -hex 32 > secrets/authelia_jwt_secret.txt
    openssl rand -hex 32 > secrets/authelia_session_secret.txt
    openssl rand -hex 32 > secrets/authelia_storage_key.txt)
   ```

4. **Deploy**:

   ```bash
   docker compose up -d   # `docker-compose up -d` with the standalone binary
   ```

5. **Set up CrowdSec**:

   ```bash
   docker compose exec crowdsec cscli bouncers add traefik-bouncer
   # Copy the printed API key into .env, then recreate the stack so Traefik picks it up
   ```

---

## TrueNAS Nextcloud Setup

If your Nextcloud runs on TrueNAS Scale (a separate VM).

### Architecture

```
Internet → Cloudflare → Traefik (Proxmox) → TrueNAS (Nextcloud)
```

### Configuration

1. **Get TrueNAS info**:
   - TrueNAS IP: `192.168.1.100`
   - Nextcloud port: check Apps → Nextcloud (e.g., `9001`)

2. **Set environment variables**:

   ```
   TRUENAS_IP=192.168.1.100
   TRUENAS_NEXTCLOUD_PORT=9001
   ```

3. **Configure TrueNAS Nextcloud**: in TrueNAS → Apps → Nextcloud → Edit, add:

   ```
   NEXTCLOUD_TRUSTED_DOMAINS=cloud.lemonlink.eu
   OVERWRITEPROTOCOL=https
   OVERWRITEHOST=cloud.lemonlink.eu
   TRUSTED_PROXIES=192.168.1.50   # IP of the Proxmox VM that runs Traefik
   ```

   `TRUSTED_PROXIES` should list only the Traefik host: Nextcloud takes the client address from `X-Forwarded-For` for anything in that list, and its brute-force protection and logs depend on that address being the real client.

4. **DNS**: Cloudflare → DNS:
   - A record: `cloud` → YOUR_PUBLIC_IP (orange cloud, i.e. proxied through Cloudflare)

5. **Test**: visit `https://cloud.lemonlink.eu`

**Detailed guide**: [SETUP-TRUENAS-NEXTCLOUD.md](SETUP-TRUENAS-NEXTCLOUD.md)

---

## Migration from Nginx Proxy Manager

If you are currently using NPM and want to migrate to LemonSec.

### Strategy

1. **Parallel running** (recommended):
   - Deploy LemonSec alongside NPM
   - Migrate services one by one
   - Test thoroughly
   - Only then remove NPM

2. **Direct migration**:
   - Export the NPM config
   - Convert it to Traefik format
   - Deploy and verify

### Migration Mapping

| NPM | Traefik |
|-----|---------|
| Proxy Hosts | Routers (labels on the service's containers, or a file-provider config) |
| SSL Certificates | Automatic via a certresolver |
| Access Lists | Authelia forward-auth middleware |
| Custom Locations | Path rules on routers |
| Redirection Hosts | Redirect middleware |

**Full migration guide**: [MIGRATE-FROM-NPM.md](MIGRATE-FROM-NPM.md)

---

## Post-Deployment Checklist

- [ ] Nextcloud accessible at `https://cloud.lemonlink.eu`
- [ ] TLS certificate valid (padlock in the browser, no warnings)
- [ ] Family can log in with their Nextcloud credentials
- [ ] Mobile apps sync successfully
- [ ] CrowdSec showing decisions (`docker exec crowdsec cscli decisions list`)
- [ ] Authelia accessible at `https://auth.lemonlink.eu`
- [ ] Backups configured

## Troubleshooting

### "CF_API_EMAIL not set"

→ Check the environment variables in the Portainer UI

### "502 Bad Gateway" for Nextcloud

→ Verify `TRUENAS_IP` and `TRUENAS_NEXTCLOUD_PORT`
→ Test from the Proxmox VM: `curl -I http://TRUENAS_IP:PORT/status.php` (Nextcloud's own status endpoint)

### "Access through untrusted domain"

→ Add the domain to `NEXTCLOUD_TRUSTED_DOMAINS` in the TrueNAS Nextcloud environment variables

### TLS certificate issues

→ Check the Cloudflare API credentials
→ Verify the DNS records exist in Cloudflare

## Next Steps

1. **Add family to Authelia** (if using SSO)
2. **Enable monitoring** (Prometheus/Grafana)
3. **Add more services** (Vaultwarden, etc.)
4. **Configure backups**
5. **Review security settings**
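The secrets and environment steps of the Docker Compose Manual section, together with the "502 Bad Gateway" test from Troubleshooting, can be run as one pre-flight script before `docker compose up`. The script below is an added example and not code from the LemonSec repository: it assumes the `secrets/` layout from step 3, the variable names from the Portainer table, and Nextcloud's `/status.php` endpoint; the file name `preflight.sh` and the placeholder list are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the LemonSec repository: pre-flight checks for the
# manual Docker Compose path. Assumes the secrets/ layout from step 3 and the
# variable names from the Portainer table; /status.php is Nextcloud's own
# status endpoint. Paths and placeholder values are hypothetical.

SECRETS_DIR="${SECRETS_DIR:-secrets}"
REQUIRED_VARS="CF_API_EMAIL CF_API_KEY TRUENAS_IP TRUENAS_NEXTCLOUD_PORT"
# Example values copied from the variable table; they must never reach production.
PLACEHOLDERS="you@example.com global-api-key changeme"

# 32 random bytes as 64 hex characters, from openssl or /dev/urandom.
random_hex32() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; echo
  fi
}

# Create secrets/<name>.txt with mode 0600. Never overwrite an existing file:
# a regenerated AUTHELIA_STORAGE_KEY makes Authelia's existing database unreadable.
gen_secret() {
  local file="$SECRETS_DIR/$1.txt"
  if [ -e "$file" ]; then
    echo "keep: $file already exists" >&2
    return 0
  fi
  mkdir -p "$SECRETS_DIR"
  ( umask 077 && random_hex32 > "$file" )
}

# Pass only if the file holds exactly 64 lowercase hex characters and is
# readable by its owner alone (the compose file mounts it into Authelia).
check_secret() {
  local file="$SECRETS_DIR/$1.txt" val perms
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  val=$(tr -d '\n' < "$file")
  case "$val" in
    *[!0-9a-f]*) echo "bad: $file is not lowercase hex" >&2; return 1 ;;
  esac
  [ "${#val}" -eq 64 ] || { echo "bad: $file has ${#val} chars, want 64" >&2; return 1; }
  perms=$(ls -ld "$file" | cut -c5-10)   # group and other bits; works on GNU and BSD ls
  [ "$perms" = "------" ] || { echo "bad: $file is group/world readable ($perms)" >&2; return 1; }
}

# Every required variable must be set and must not be a table placeholder;
# the port must be numeric because it is spliced into Traefik's backend URL.
check_env() {
  local rc=0 name value p
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "unset: $name" >&2; rc=1; continue
    fi
    for p in $PLACEHOLDERS; do
      if [ "$value" = "$p" ]; then
        echo "placeholder: $name=$value" >&2; rc=1
      fi
    done
  done
  case "${TRUENAS_NEXTCLOUD_PORT:-}" in
    ''|*[!0-9]*) echo "bad: TRUENAS_NEXTCLOUD_PORT must be numeric" >&2; rc=1 ;;
  esac
  return $rc
}

# The "502 Bad Gateway" check from Troubleshooting: Nextcloud answers status.php
# with JSON when it is reachable from this host. Needs the LAN, so it is only run from main.
check_backend() {
  curl -fsS --max-time 5 "http://${TRUENAS_IP}:${TRUENAS_NEXTCLOUD_PORT}/status.php" >/dev/null
}

main() {
  local rc=0 s
  for s in authelia_jwt_secret authelia_session_secret authelia_storage_key; do
    gen_secret "$s" && check_secret "$s" || rc=1
  done
  check_env || rc=1
  check_backend || { echo "backend unreachable: check TRUENAS_IP/TRUENAS_NEXTCLOUD_PORT" >&2; rc=1; }
  return $rc
}

# Usage: set -a; . ./.env; set +a; ./preflight.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it after `cp .env.example .env` and before the first `docker compose up -d`; a non-zero exit means at least one secret, variable or the TrueNAS backend is not ready, and the reason is printed on stderr.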
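The Migration Mapping table and the TrueNAS Nextcloud Setup section describe what an NPM proxy host, access list, custom location and redirection host become in Traefik. The script below is an added example, not the project's own configuration: it renders a Traefik v2/v3 file-provider dynamic config for the Nextcloud and Authelia hosts from `TRUENAS_IP` and `TRUENAS_NEXTCLOUD_PORT`. It assumes a certresolver named `cloudflare`, an entrypoint named `websecure`, an Authelia container reachable as `authelia:9091` with the `/api/verify` endpoint, and the output path `traefik/dynamic/nextcloud.yml`; none of those names are confirmed by this page.

```bash
#!/usr/bin/env bash
# Added example, not part of the LemonSec repository: renders a Traefik v2/v3
# dynamic-configuration file for the NPM -> Traefik mapping. Assumed names:
# certresolver "cloudflare", entrypoint "websecure", Authelia at authelia:9091.

# Refuse anything that is not a plain hostname, dotted-quad IP or port: the values
# are spliced into Traefik rule strings, so a stray backtick or ")" coming from a
# mis-set environment variable would silently change the routing rule.
valid_host() { case "$1" in ''|*[!a-zA-Z0-9.-]*) return 1 ;; esac; }
valid_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_port() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# render_dynamic_config <nextcloud host> <authelia host> <truenas ip> <nextcloud port>
render_dynamic_config() {
  local cloud="$1" auth="$2" ip="$3" port="$4"
  valid_host "$cloud" && valid_host "$auth" && valid_ipv4 "$ip" && valid_port "$port" || {
    echo "render_dynamic_config: invalid host, IP or port" >&2; return 1; }
  cat <<EOF
http:
  routers:
    # NPM "Proxy Host" for the Authelia portal. No auth middleware on the portal itself.
    authelia:
      rule: "Host(\`${auth}\`)"
      entryPoints: [websecure]
      service: authelia
      tls:
        certResolver: cloudflare        # NPM "SSL Certificate" -> issued automatically
    # NPM "Proxy Host" for Nextcloud on TrueNAS. Nextcloud keeps its own login so the
    # mobile apps from the checklist keep syncing; attach the "authelia" middleware
    # only to routers that replaced an NPM Access List.
    nextcloud:
      rule: "Host(\`${cloud}\`)"
      entryPoints: [websecure]
      service: nextcloud
      middlewares: [secure-headers]
      tls:
        certResolver: cloudflare
    # NPM "Custom Location" -> path rule. Longer rules get higher priority, so this
    # router takes the DAV discovery URLs away from the plain Host router above.
    nextcloud-dav:
      rule: "Host(\`${cloud}\`) && (Path(\`/.well-known/caldav\`) || Path(\`/.well-known/carddav\`))"
      entryPoints: [websecure]
      service: nextcloud
      middlewares: [nextcloud-dav-redirect]
      tls:
        certResolver: cloudflare
  middlewares:
    # NPM "Access List" -> Authelia forward auth.
    authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://${auth}"
        trustForwardHeader: true
        authResponseHeaders: [Remote-User, Remote-Groups, Remote-Name, Remote-Email]
    # NPM "Redirection Host" -> redirect middleware.
    nextcloud-dav-redirect:
      redirectRegex:
        regex: '^https://(.*)/\\.well-known/(?:card|cal)dav'
        replacement: 'https://\${1}/remote.php/dav'
        permanent: true
    secure-headers:
      headers:
        stsSeconds: 15552000
        stsIncludeSubdomains: true
  services:
    authelia:
      loadBalancer:
        servers: [{ url: "http://authelia:9091" }]
    nextcloud:
      loadBalancer:
        servers: [{ url: "http://${ip}:${port}" }]   # plain HTTP on the LAN, as in the architecture diagram
EOF
}

# Usage: ./render-traefik.sh render cloud.lemonlink.eu auth.lemonlink.eu "$TRUENAS_IP" "$TRUENAS_NEXTCLOUD_PORT" > traefik/dynamic/nextcloud.yml
if [ "${1:-}" = "render" ]; then
  render_dynamic_config "$2" "$3" "$4" "$5"
fi
```

Because the backend URL uses plain HTTP, the `TRUSTED_PROXIES` value on the TrueNAS side must be the Traefik host's IP so that Nextcloud honours the forwarded headers this router sends; the `authelia` middleware is defined but deliberately not attached to the Nextcloud router, matching the checklist items about Nextcloud credentials and mobile-app sync.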