caddyfile.example

.gitignore

@@ -1,6 +1,7 @@
 .DS_Store
 server/.env
 .env
+Caddyfile
 server/exportdanswer
 .vercel
 .env*.local

Caddyfile.example

@@ -5,6 +5,7 @@
 # For environment variable substitution, set:
 #   FRONTEND_DOMAIN=app.example.com
 #   API_DOMAIN=api.example.com
+#   AUTHENTIK_DOMAIN=authentik.example.com  (optional, for authentication)
 # Or edit this file directly with your domains.
 
 {$FRONTEND_DOMAIN:app.example.com} {
@@ -14,3 +15,8 @@
 {$API_DOMAIN:api.example.com} {
 	reverse_proxy server:1250
 }
+
+# Uncomment if using Authentik for authentication (see auth-setup.md)
+# {$AUTHENTIK_DOMAIN:authentik.example.com} {
+# 	reverse_proxy authentik-server-1:9000
+# }

docker-compose.prod.yml

@@ -3,7 +3,7 @@
 #
 # Prerequisites:
 # 1. Copy env.example to .env and configure for both server/ and www/
-# 2. Edit Caddyfile with your domains
+# 2. Copy Caddyfile.example to Caddyfile and edit with your domains
 # 3. Deploy Modal GPU functions (see gpu/modal_deployments/deploy-all.sh)
 
 services:

docs/docs/installation/auth-setup.md

@@ -62,25 +62,22 @@ sudo docker network connect reflector_default authentik-server-1
 
 ### Step 3: Add Authentik to Caddy
 
-Edit your `Caddyfile` to add the Authentik domain:
+Uncomment the Authentik section in your `Caddyfile` and set your domain:
 
+```bash
+nano Caddyfile
 ```
-app.example.com {
-    reverse_proxy web:3000
-}
 
-api.example.com {
+Uncomment and edit:
-    reverse_proxy server:1250
+```
-}
+{$AUTHENTIK_DOMAIN:authentik.example.com} {
-
-authentik.example.com {
     reverse_proxy authentik-server-1:9000
 }
 ```
 
 Reload Caddy:
 ```bash
-sudo docker exec reflector-caddy-1 caddy reload --config /etc/caddy/Caddyfile
+docker compose -f docker-compose.prod.yml exec caddy caddy reload --config /etc/caddy/Caddyfile
 ```
 
 ### Step 4: Create OAuth2 Provider in Authentik

docs/docs/installation/overview.md

@@ -192,19 +192,18 @@ FEATURE_REQUIRE_LOGIN=false
 
 **Location: YOUR SERVER (via SSH)**
 
-Edit Caddyfile with your domains:
-
 ```bash
+cp Caddyfile.example Caddyfile
 nano Caddyfile
 ```
 
-Replace example.com:
+Replace `example.com` with your domains:
 ```
-app.example.com {
+{$FRONTEND_DOMAIN:app.example.com} {
     reverse_proxy web:3000
 }
 
-api.example.com {
+{$API_DOMAIN:api.example.com} {
     reverse_proxy server:1250
 }
 ```
@@ -254,22 +253,25 @@ curl https://api.example.com/health
 
 ---
 
-## Step 8: Optional - Enable Authentication
+## Step 8: Enable Authentication (Required for Live Rooms)
 
-By default, Reflector is open (no login required). To add authentication:
+By default, Reflector is open (no login required). **Authentication is required if you want to use Live Meeting Rooms (Step 9).**
 
 See [Authentication Setup](./auth-setup) for full Authentik OAuth configuration.
 
 Quick summary:
 1. Deploy Authentik on your server
 2. Create OAuth provider in Authentik
-3. Update `server/.env`: `AUTH_BACKEND=jwt`
+3. Extract public key for JWT verification
-4. Update `www/.env`: `FEATURE_REQUIRE_LOGIN=true` + Authentik credentials
+4. Update `server/.env`: `AUTH_BACKEND=jwt` + `AUTH_JWT_AUDIENCE`
-5. Restart services
+5. Update `www/.env`: `FEATURE_REQUIRE_LOGIN=true` + Authentik credentials
+6. Mount JWT keys volume and restart services
 
 ---
 
-## Step 9: Optional - Enable Live Meeting Rooms
+## Step 9: Enable Live Meeting Rooms
+
+**Requires: Step 8 (Authentication)**
 
 Live rooms require Daily.co and AWS S3. Add to `server/.env`: