From d1339d955b0ac2b375c676cc41134fc67500f04a Mon Sep 17 00:00:00 2001
From: Spbd1 <148923621+Spbd1@users.noreply.github.com>
Date: Mon, 11 May 2026 15:37:27 +0000
Subject: [PATCH] Prepare Docker Compose VPS deployment
---
 .dockerignore | 4 ++++
 Dockerfile | 13 +++++++++++--
 docker-compose.yml | 15 +++++++++++----
 3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index 39d17f6..1c69f37 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -11,3 +11,7 @@ npm-debug.log*
 Dockerfile
 .dockerignore
 README.md
+.docker/
+docker-data/
+docker-compose.override.yml
+*.tar
diff --git a/Dockerfile b/Dockerfile
index 3ba82a6..9aa22f5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
-FROM node:20-alpine
+FROM node:22-alpine
 WORKDIR /app
-ENV NODE_ENV=production
+
 ENV NEXT_TELEMETRY_DISABLED=1
 COPY package*.json ./
@@ -11,8 +11,17 @@ COPY prisma ./prisma
 RUN npm run db:generate
 COPY . .
+
+ARG NEXT_PUBLIC_ENABLE_SERVER_SUBMISSION=false
+ENV NEXT_PUBLIC_ENABLE_SERVER_SUBMISSION=${NEXT_PUBLIC_ENABLE_SERVER_SUBMISSION}
+
 RUN npm run build
+ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+ENV HOSTNAME=0.0.0.0
+ENV PORT=3000
+
 EXPOSE 3000
 CMD ["npm", "run", "start"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 5ef5320..0c1a222 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
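Review bot: `FROM node:22-alpine` is a floating tag, so every rebuild on the VPS can pull a different base image without any change in this repository. Pinning it to a digest, `FROM node:22-alpine@sha256:<digest-of-the-reviewed-image>`, keeps the build reproducible and makes base-image updates arrive as reviewed commits. The removal of `ENV NODE_ENV=production` ahead of the install step (which is outside this hunk) presumably exists so build-time dependencies get installed. A one-line comment such as `# NODE_ENV is set after the build so build-time dependencies are installed` would keep a later cleanup from moving it back.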
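Review bot: No `USER` instruction appears before `CMD ["npm", "run", "start"]` in the lines visible here, so the server listening on `0.0.0.0:3000` would run as root inside the container. The official Node images ship an unprivileged `node` account, so adding `USER node` after `RUN npm run build` would drop that privilege; any path the app writes at runtime would then need `COPY --chown=node:node` or a targeted chown. Because `NODE_ENV=production` is now set only after the build, whatever dev dependencies the install step (outside this hunk) pulled in stay in the runtime image. A `RUN npm prune --omit=dev` after the build, or a multi-stage build, would trim them, provided nothing at runtime needs them. `ENV NEXT_TELEMETRY_DISABLED=1` is also now declared twice, since the context line near the top of the file already sets it.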
@@ -1,24 +1,31 @@
 services:
 app:
- build: .
+ build:
+ context: .
+ args:
+ # Public browser flag is embedded during `next build`; set it before building on the VPS.
+ NEXT_PUBLIC_ENABLE_SERVER_SUBMISSION: ${NEXT_PUBLIC_ENABLE_SERVER_SUBMISSION:-true}
 env_file:
 - path: .env
 required: false
 environment:
 NODE_ENV: production
 NEXT_TELEMETRY_DISABLED: "1"
- APP_BASE_URL: ${APP_BASE_URL:-http://localhost:3000}
+ APP_BASE_URL: ${APP_BASE_URL:-http://127.0.0.1:3000}
 DATABASE_URL: postgresql://${POSTGRES_USER:-hcg}:${POSTGRES_PASSWORD:-hcg_password_change_me}@postgres:5432/${POSTGRES_DB:-hidden_cost_game}?schema=public
 ENABLE_SERVER_SUBMISSION: ${ENABLE_SERVER_SUBMISSION:-true}
 NEXT_PUBLIC_ENABLE_SERVER_SUBMISSION: ${NEXT_PUBLIC_ENABLE_SERVER_SUBMISSION:-true}
 ADMIN_EXPORT_TOKEN: ${ADMIN_EXPORT_TOKEN:-change-me-before-production}
- ADMIN_DASHBOARD_PASSWORD: ${ADMIN_DASHBOARD_PASSWORD:-change-me-before-production}
 SUBMISSION_RATE_LIMIT_WINDOW_MS: ${SUBMISSION_RATE_LIMIT_WINDOW_MS:-60000}
 SUBMISSION_RATE_LIMIT_MAX: ${SUBMISSION_RATE_LIMIT_MAX:-20}
 MAX_SUBMISSION_BODY_BYTES: ${MAX_SUBMISSION_BODY_BYTES:-250000}
+ GOOGLE_SHEETS_WEBHOOK_URL: ${GOOGLE_SHEETS_WEBHOOK_URL:-}
+ GOOGLE_SHEETS_WEBHOOK_SECRET: ${GOOGLE_SHEETS_WEBHOOK_SECRET:-}
 CONSENT_VERSION: ${CONSENT_VERSION:-pilot-consent-v1}
 SCHEMA_VERSION: ${SCHEMA_VERSION:-research-export-v1}
 ports:
+ # VPS: app is reachable only on the host at http://127.0.0.1:3000.
+ # Public access should go through Caddy/Nginx with HTTPS termination.
 - "127.0.0.1:3000:3000"
 depends_on:
 postgres:
@@ -39,7 +46,7 @@ services:
 timeout: 5s
 retries: 5
 restart: unless-stopped
- # Intentionally no ports: entry. Keep Postgres private to the Docker network in production.
+ # VPS: intentionally no `ports:` entry. Postgres stays private inside the Docker network.
 volumes:
 postgres_data:
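Review bot: The fallbacks on the unchanged lines of the first hunk, `${ADMIN_EXPORT_TOKEN:-change-me-before-production}` and `${POSTGRES_PASSWORD:-hcg_password_change_me}` inside `DATABASE_URL`, let a VPS started without a complete `.env` come up with credentials that are published in the repository. For a deployment file the required-variable form is safer: `ADMIN_EXPORT_TOKEN: ${ADMIN_EXPORT_TOKEN:?set ADMIN_EXPORT_TOKEN in .env}` makes `docker compose up` fail instead of silently using the placeholder. The same applies to `POSTGRES_PASSWORD`, both here and in the postgres service definition, which is outside this hunk. The new `APP_BASE_URL` default of `http://127.0.0.1:3000` is probably only right for access from the host itself. Behind the HTTPS proxy that the added comment describes it likely needs the public origin, so a comment such as `# set APP_BASE_URL to the public https:// origin when running behind the reverse proxy` would help.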