# /docker — linumiq.net remote access stack

## Networks
Shared external docker network: `edge` (created with `docker network create edge`).

## Shared env
`/docker/.env` — DOMAIN, LE_EMAIL.

## Per-service secrets
`/docker/<svc>/.env`, all `chmod 600`, owned `root:root`. See `/docker/SECRETS.md`
for the inventory.

## Service inventory (Wave A + Wave B)

| Service           | Compose dir                  | Container name           | Listens                          | Image                                |
|-------------------|------------------------------|--------------------------|----------------------------------|--------------------------------------|
| Supabase stack    | /docker/supabase             | supabase-*               | kong :8000, edge :9000 (internal)| supabase/* (pinned per compose)      |
| Caddy             | /docker/caddy                | caddy                    | :80, :443                        | caddy:2.10.2-alpine                  |
| frps              | /docker/frps                 | frps                     | :7000 ctrl, :7080 vhost, :7500 dash | snowdreamtech/frps:0.65.0         |
| Redis             | /docker/redis                | redis                    | :6379 (edge net only)            | redis:7.2-alpine                     |
| stripe-stub       | /docker/stripe-stub          | stripe-stub              | 127.0.0.1:4242                   | stripe-stub:1.0.0 (local build)      |
| bandwidth-worker  | /docker/bandwidth-worker     | bandwidth-worker         | (no inbound)                     | bandwidth-worker:1.0.0 (local build) |

## Start order
1. `cd /docker/redis && docker compose --env-file .env up -d`
2. `cd /docker/supabase && docker compose up -d`
3. `cd /docker/frps && docker compose up -d`
4. `cd /docker/caddy && docker compose up -d`
5. `cd /docker/stripe-stub && docker compose up -d`
6. `cd /docker/bandwidth-worker && docker compose up -d`
7. (later) `cd /docker/web && docker compose up -d`

## Stop order
Reverse of the above. `docker compose down` per directory.

## Edge functions
Mounted from `/docker/supabase/volumes/functions/`. The `main` function is a
router that reads the first URL path segment as the function name.
- Via Kong: `POST http://127.0.0.1:8000/functions/v1/<name>`
- Direct (intra-`edge` network, e.g. frps auth plugin):
  `POST http://supabase-edge-functions:9000/<name>`

After editing a function, `cd /docker/supabase && docker compose restart functions`
(or `up -d functions` if env changed).

## Wave B specifics
- `frps.toml` enables `[[httpPlugins]] name="auth"` pointing at
  `http://supabase-edge-functions:9000/auth-webhook`.
- `supabase-edge-functions` reads `REDIS_URL` from `/docker/supabase/.env`.
- bandwidth-worker polls `http://frps:7500/api/proxy/http` every 60s; deltas go
  to `public.usage_samples` and `public.tunnels.bytes_used` via PostgREST.