# LemonSec - Quick Reference

## 🎯 Your Setup

- **Proxmox VM**: Docker/Portainer + LemonSec stack
- **TrueNAS Scale VM**: Nextcloud app
- **Goal**: Secure family access to Nextcloud via `cloud.lemonlink.eu`
- **Deploy Method**: Portainer Git Repository

## 🚀 Deploy via Portainer (5 min)

### 1. Push to Git

```bash
cd LemonSec
git remote add origin https://git.lemonlink.eu/impulsivefps/LemonSec.git
git add .
git commit -m "Initial deployment"
git push -u origin main
```

### 2. Portainer UI

- **Stacks** → **Add Stack** → **Repository**
- **URL**: `https://git.lemonlink.eu/impulsivefps/LemonSec`
- **Compose Path**: `docker-compose.yml`

### 3. Environment Variables

Copy from `stack.env` and fill in:

| Variable | Value |
|----------|-------|
| `CF_API_EMAIL` | your@email.com |
| `CF_API_KEY` | Cloudflare API key |
| `TRUENAS_IP` | 192.168.1.100 |
| `TRUENAS_NEXTCLOUD_PORT` | 9001 |
| `AUTHELIA_JWT_SECRET` | `openssl rand -hex 32` |
| `AUTHELIA_SESSION_SECRET` | `openssl rand -hex 32` |
| `AUTHELIA_STORAGE_KEY` | `openssl rand -hex 32` |

### 4. Deploy

Click **Deploy the stack**

### 5. Setup CrowdSec

```bash
docker exec crowdsec cscli bouncers add traefik-bouncer
# Copy key, add to Portainer env vars, redeploy
```

### 6. TrueNAS Config

TrueNAS → Apps → Nextcloud → Edit, add env:

```
NEXTCLOUD_TRUSTED_DOMAINS=cloud.lemonlink.eu
OVERWRITEPROTOCOL=https
# Proxmox VM IP
TRUSTED_PROXIES=192.168.1.50
```

### 7. Cloudflare DNS

- A record: `cloud` → YOUR_PUBLIC_IP (orange cloud)

### Done!

Visit: `https://cloud.lemonlink.eu` ✅

**Full guide**: [PORTAINER-DEPLOY.md](PORTAINER-DEPLOY.md)

---

## 📁 Repository Structure

| Path | Purpose |
|------|---------|
| `docker-compose.yml` | Main stack - Traefik, Authelia, CrowdSec, Nextcloud router |
| `stack.env` | Environment variable template for Portainer |
| `traefik/` | Traefik configuration files |
| `authelia/` | Authelia config and user database |
| `crowdsec/` | CrowdSec acquisition config |

## 🔧 Customization

### Add Family to Authelia

Edit `authelia/users_database.yml` → push → Portainer "Pull and redeploy"

### Add More Services

Edit `docker-compose.yml` → add router container → push → redeploy

### Update Stack

1. Edit files locally
2. `git commit -am "Update" && git push`
3. Portainer → Stacks → lemonsec → "Pull and redeploy"

## 📚 Documentation

- **[PORTAINER-DEPLOY.md](PORTAINER-DEPLOY.md)** - Detailed Portainer deployment
- **[SETUP-TRUENAS-NEXTCLOUD.md](SETUP-TRUENAS-NEXTCLOUD.md)** - TrueNAS specific setup
- **[MIGRATE-FROM-NPM.md](MIGRATE-FROM-NPM.md)** - NPM migration guide
- **[docs/CLOUDFLARE.md](docs/CLOUDFLARE.md)** - DNS/SSL configuration

## 🆘 Troubleshooting

| Issue | Solution |
|-------|----------|
| "CF_API_EMAIL not set" | Check env vars in Portainer UI |
| "502 Bad Gateway" | Verify TRUENAS_IP and PORT |
| "Untrusted domain" | Add domain to TrueNAS Nextcloud env |
| SSL errors | Check Cloudflare API credentials |

## ✅ Success Checklist

- [ ] `https://cloud.lemonlink.eu` loads Nextcloud
- [ ] Family can log in with Nextcloud accounts
- [ ] Mobile apps work
- [ ] SSL certificate valid
- [ ] CrowdSec shows decisions
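
A pre-deploy check for the step 3 environment variables, as an added example that is not part of the LemonSec repository. It assumes a filled-in copy of `stack.env` with plain `KEY=value` lines and a TrueNAS VM on a private LAN; `get_var` and `check_stack_env` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: validate the step 3 variables in a filled-in stack.env.
# Assumptions: KEY=value lines, TrueNAS reachable on a private IPv4 range.

get_var() {  # get_var FILE NAME -> value of the last NAME= line
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

check_stack_env() {
  file=$1; rc=0; secrets=""
  for name in CF_API_EMAIL CF_API_KEY TRUENAS_IP TRUENAS_NEXTCLOUD_PORT; do
    [ -n "$(get_var "$file" "$name")" ] || { echo "MISSING $name"; rc=1; }
  done
  # The template value from the table must have been replaced.
  [ "$(get_var "$file" CF_API_EMAIL)" != "your@email.com" ] ||
    { echo "PLACEHOLDER CF_API_EMAIL"; rc=1; }
  # Each secret is the output of `openssl rand -hex 32`: 64 lowercase hex chars.
  # This also catches the command itself pasted in as the value.
  for name in AUTHELIA_JWT_SECRET AUTHELIA_SESSION_SECRET AUTHELIA_STORAGE_KEY; do
    v=$(get_var "$file" "$name")
    case $v in *[!0-9a-f]*) echo "NOT HEX $name"; rc=1 ;; esac
    [ "${#v}" -eq 64 ] || { echo "BAD LENGTH $name"; rc=1; }
    secrets="$secrets$v
"
  done
  # One random value pasted into several variables shows up as a duplicate line.
  [ -z "$(printf '%s' "$secrets" | sort | uniq -d)" ] ||
    { echo "REUSED Authelia secret"; rc=1; }
  # Loose prefix check for RFC 1918 ranges (the backend should not be public).
  case $(get_var "$file" TRUENAS_IP) in
    10.*.*.*|192.168.*.*|172.1[6-9].*.*|172.2[0-9].*.*|172.3[01].*.*) ;;
    *) echo "TRUENAS_IP is not a private IPv4 address"; rc=1 ;;
  esac
  port=$(get_var "$file" TRUENAS_NEXTCLOUD_PORT)
  case $port in
    ''|*[!0-9]*) echo "TRUENAS_NEXTCLOUD_PORT is not a number"; rc=1 ;;
    *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
         { echo "TRUENAS_NEXTCLOUD_PORT out of range"; rc=1; } ;;
  esac
  return "$rc"
}

# Run against a file when one is given: sh check_stack_env.sh stack.env
[ "$#" -eq 0 ] || check_stack_env "$1"
```

The function returns non-zero if any check fails and prints one line per problem, so it can gate the Portainer deploy from a shell or a CI step.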