# Turbostarter (Knosia) Production Deployment

**Date:** 2026-02-03 22:00

**Context:** Full production deployment of Turbostarter Next.js monorepo on NUC via Coolify

## Deployment Details

| Property | Value |
|----------|-------|
| **URL** | `https://alezmad-nuc.tail58f5ad.ts.net` |
| **Service UUID** | `v4gogwwc8wkk4888ksscc4k4` |
| **Service Name** | Knosia |
| **Architecture** | Tailscale Funnel (HTTPS) → Traefik (HTTP:80) → web container |
| **FQDN (internal)** | `http://alezmad-nuc.tail58f5ad.ts.net` |
| **Registry Image** | `192.168.1.3:3030/alezmad/turbostarter:latest` |
| **Gitea Repo** | `alezmad/turbostarter` |

## Container Stack

| Container | Image | Status |
|-----------|-------|--------|
| `web-v4gogwwc8wkk4888ksscc4k4` | `localhost:3030/alezmad/turbostarter:latest` | running:healthy |
| `db-v4gogwwc8wkk4888ksscc4k4` | `pgvector/pgvector:pg17` | running:healthy |
| `minio-v4gogwwc8wkk4888ksscc4k4` | `minio/minio:latest` | running:healthy |
| `minio-init-v4gogwwc8wkk4888ksscc4k4` | `minio/mc:latest` | exited (expected) |

## Credentials

| Service | Credential |
|---------|-----------|
| **Database** | `postgres://turbostarter:turbostarter@db:5432/core` |
| **MinIO** | `minioadmin` / `minioadmin` |
| **Better Auth Secret** | `WyfMfoRclem2Bc/Ek3/2nWsiIdHkjIOvAhJXevDAx/E=` |
| **Admin User** | `me+admin@turbostarter.dev` / `Pa$$w0rd` |
| **Regular User** | `me+user@turbostarter.dev` / `Pa$$w0rd` |

## Database Schemas

- 11 auth tables (Better Auth)
- PostgreSQL schemas: `chat`, `pdf`, `image` (Drizzle pgSchema)
- Seeded with 5 users and organization data

## Key Configuration Decisions

1. **HTTPS via Tailscale Funnel** — not Cloudflare (Spanish ISPs block Cloudflare shared IPs during LaLiga)
2. **FQDN set to HTTP internally** — Tailscale terminates TLS, Traefik must not redirect to HTTPS (causes loop)
3. **BETTER_AUTH_TRUSTED_ORIGINS** — runtime env var added to `server.ts` so origins can be configured without rebuilding
4. **NEXT_PUBLIC_URL** — build-time ARG in Dockerfile, baked into static output
5. **CSP `upgrade-insecure-requests`** — kept in place (production security), requires valid HTTPS

## Build Command

```bash
cd /Users/agutierrez/Desktop/turbostarter-export
docker build --platform linux/amd64 \
  --build-arg NEXT_PUBLIC_URL=https://alezmad-nuc.tail58f5ad.ts.net \
  -t 192.168.1.3:3030/alezmad/turbostarter:latest .
docker push 192.168.1.3:3030/alezmad/turbostarter:latest
```

## Code Changes Made

1. **Dockerfile** — simplified to single-stage build, added `NEXT_PUBLIC_URL` build arg
2. **packages/auth/src/server.ts** — added `BETTER_AUTH_TRUSTED_ORIGINS` env var support in trustedOrigins array

## Related

- Coolify service: http://192.168.1.3:8000 (service ID 29)
- Gitea repo: http://192.168.1.3:3030/alezmad/turbostarter
- Tailscale Funnel: `tailscale funnel status` on NUC
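
The `BETTER_AUTH_TRUSTED_ORIGINS` change to `packages/auth/src/server.ts` noted under Code Changes Made feeds a runtime value into the `trustedOrigins` array, so that value is worth validating before it is trusted. The following is an added example, not the project's code: `parseTrustedOrigins` is a hypothetical helper, and the comma-separated format and the accept/reject policy are assumptions.

```typescript
// Added example, not the project's code. parseTrustedOrigins is a hypothetical
// helper; the comma-separated env format and the policy below are assumptions.
interface OriginParseResult {
  origins: string[];  // normalized origins, safe to pass as trustedOrigins
  rejected: string[]; // refused entries with the reason, for startup logging
}

function parseTrustedOrigins(raw: string | undefined, baseUrl: string): OriginParseResult {
  // The public URL is always trusted; new URL() throws on a bad value (fail closed).
  const origins: string[] = [new URL(baseUrl).origin];
  const rejected: string[] = [];

  for (const part of (raw || "").split(",")) {
    const entry = part.trim();
    if (entry === "") continue;

    // Wildcard patterns widen trust to hosts nobody listed; refuse them here.
    if (entry.indexOf("*") !== -1) { rejected.push(entry + " (wildcard)"); continue; }

    let url: URL;
    try { url = new URL(entry); } catch { rejected.push(entry + " (not a URL)"); continue; }

    // Browsers reach the app over HTTPS (Funnel terminates TLS), so the Origin
    // header is https://...; plain http is accepted only for local development.
    const local = url.hostname === "localhost" || url.hostname === "127.0.0.1";
    if (url.protocol !== "https:" && !(url.protocol === "http:" && local)) {
      rejected.push(entry + " (scheme)"); continue;
    }

    // An origin is scheme + host + port only: no path, query, fragment or userinfo.
    if (url.pathname !== "/" || url.search !== "" || url.hash !== "" ||
        url.username !== "" || url.password !== "") {
      rejected.push(entry + " (not a bare origin)"); continue;
    }

    // url.origin lowercases the host and drops default ports, so duplicates collapse.
    if (origins.indexOf(url.origin) === -1) origins.push(url.origin);
  }
  return { origins, rejected };
}

// Constructed sample value, as it might be set in the service environment.
const sample = "https://ALEZMAD-NUC.tail58f5ad.ts.net:443, https://*.ts.net, " +
  "http://192.168.1.3:8000, https://app.example.test/login, http://localhost:3000";
const result = parseTrustedOrigins(sample, "https://alezmad-nuc.tail58f5ad.ts.net");
console.log(result.origins, result.rejected);
```

Spread `origins` into the `trustedOrigins` array and log `rejected` at startup so a mistyped entry is visible rather than silently ignored.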