# Server-only dev pieces (NOT in git) Two files required by the dev environment live **only on the server** because they sit under gitignored paths (Supabase `volumes/` and the secret-bearing `frps.toml`), matching the production gitignore policy. They are documented here so the dev setup is fully reproducible from the repo. --- ## 1. Shared on-demand-TLS authorizer (prod `check-subdomain` edge function) Path on server (gitignored, prod stack): `/docker/supabase/volumes/functions/check-subdomain/index.ts` The shared Caddy uses a single global `on_demand_tls { ask ... }` endpoint, so this prod function authorizes dev hostnames too. It was extended **additively** — the prod allow-list logic is byte-for-byte unchanged. The added block, placed at the top of the request handler: ```ts // Dev environment (served by the same shared Caddy). const DEV_RESERVED = new Set([ "app-dev.linumiq.net", "api-dev.linumiq.net", ]); const DEV_SUFFIX = ".dev.linumiq.net"; const DEV_AUTHORIZER = "http://supabase-dev-edge-functions:9000/check-subdomain"; // ...inside Deno.serve handler, before the prod reserved/label checks: // Dev reserved hosts served by the shared Caddy. if (DEV_RESERVED.has(domain)) { return new Response("ok: dev reserved", { status: 200 }); } // Dev tunnel subdomains: delegate to the dev authorizer, which validates the // label against the dev tunnels table. Fail closed if it is unreachable. if (domain.endsWith(DEV_SUFFIX)) { try { const r = await fetch( `${DEV_AUTHORIZER}?domain=${encodeURIComponent(domain)}`, ); const body = await r.text(); return new Response(body, { status: r.status }); } catch (_e) { return deny("dev authorizer unreachable"); } } ``` The dev authorizer it delegates to is the **unmodified** prod logic running in the dev stack (`/docker/dev/supabase/volumes/functions/check-subdomain/index.ts`, identical to prod's original, with `TUNNEL_BASE_DOMAIN=dev.linumiq.net`). To reach the dev authorizer, the prod `functions` container is also attached to the `dev_edge` network (see `caddy`/supabase compose). After editing, restart: `cd /docker/supabase && docker compose restart functions`. --- ## 2. Dev frps config (`/docker/dev/frps/frps.toml`) Gitignored because it carries the dev frps dashboard password. A sanitized template is tracked at `frps/frps.toml.example`; copy it and set the password. --- ## 3. Dev secrets All dev secrets are generated fresh and independent of prod. They live in the gitignored `*/.env` / `.env.production` files under `/docker/dev/` and in `/docker/dev/.dev-secrets.env`. Never commit them.