Add docs

docs/PRODUCTION.md

@@ -16,11 +16,10 @@ The easiest way to deploy Kaboot is using the automated setup script:
 
 This script automatically:
 - Generates all required secrets (database passwords, API tokens, etc.)
-- Creates the production `.env` file
+- Creates the production `.env` file with domain configuration
 - Creates the `Caddyfile` with your domains
 - Creates the Authentik production blueprint
 - Removes the development blueprint
-- Builds the frontend with production URLs
 
 After running the script, start the stack:
 
@@ -67,19 +66,16 @@ cp Caddyfile.example Caddyfile
 # Edit Caddyfile - replace example.com with your domains
 
 # 4. Update .env with production values
+#    - KABOOT_DOMAIN=your-app.com
+#    - AUTH_DOMAIN=auth.your-app.com
 #    - OIDC_ISSUER=https://auth.your-app.com/application/o/kaboot/
 #    - OIDC_JWKS_URI=https://auth.your-app.com/application/o/kaboot/jwks/
 #    - CORS_ORIGIN=https://your-app.com
 
-# 5. Build frontend with production URLs
+# 5. Start the stack (frontend builds automatically in Docker)
-VITE_API_URL=https://your-app.com/api \
+docker compose -f docker-compose.prod.yml -f docker-compose.caddy.yml up -d --build
-VITE_OIDC_AUTHORITY=https://auth.your-app.com/application/o/kaboot/ \
-npm run build
 
-# 6. Start the stack
+# 6. Verify
-docker compose -f docker-compose.prod.yml -f docker-compose.caddy.yml up -d
-
-# 7. Verify
 docker compose -f docker-compose.prod.yml -f docker-compose.caddy.yml ps
 ```
 
@@ -90,6 +86,8 @@ docker compose -f docker-compose.prod.yml -f docker-compose.caddy.yml ps
 -   DNS A records pointing your domains to your server (see below).
 -   A Google Gemini API key (optional, for AI quiz generation).
 
+> **Note**: Node.js is **not** required on the production server. The frontend is built inside a Docker container.
+
 ## DNS Configuration
 
 You need two DNS records pointing to your server's IP address. You can use either:
@@ -159,10 +157,9 @@ Both should return your server's IP address. You can also use [dnschecker.org](h
 ## Architecture Overview
 
 In production, the stack consists of:
--   **Caddy**: Reverse proxy with automatic HTTPS via Let's Encrypt.
+-   **Kaboot Frontend**: Multi-stage Docker build (Node.js builds assets, Caddy serves them). Includes automatic HTTPS via Let's Encrypt.
--   **Authentik**: Identity Provider for OAuth2/OIDC authentication.
 -   **Kaboot Backend**: Express server for quiz logic and SQLite storage.
--   **Kaboot Frontend**: Static assets served via Caddy.
+-   **Authentik**: Identity Provider for OAuth2/OIDC authentication.
 -   **PostgreSQL**: Database for Authentik.
 -   **Redis**: Cache and task queue for Authentik.
 
@@ -199,11 +196,13 @@ LOG_REQUESTS=true
 
 ### Frontend Configuration
 
-The frontend requires environment variables at **build time** (not runtime):
+The frontend is built inside Docker using the `KABOOT_DOMAIN` and `AUTH_DOMAIN` variables from your `.env` file. These are passed as build arguments to the Dockerfile:
--   `VITE_API_URL`: `https://kaboot.example.com/api`
--   `VITE_OIDC_AUTHORITY`: `https://auth.example.com/application/o/kaboot/`
 
-The `setup-prod.sh` script sets these automatically when building.
+-   `VITE_API_URL`: `https://${KABOOT_DOMAIN}`
+-   `VITE_BACKEND_URL`: `https://${KABOOT_DOMAIN}`
+-   `VITE_AUTHENTIK_URL`: `https://${AUTH_DOMAIN}`
+
+The `setup-prod.sh` script sets these domain variables automatically.
 
 ## Docker Compose Files
 
@@ -260,28 +259,21 @@ auth.example.com {
 }
 ```
 
-**Step 2: Build the Frontend**
+**Step 2: Start with Caddy**
-
-```bash
-npm run build
-```
-
-This creates the `dist/` directory with production assets.
-
-**Step 3: Start with Caddy**
 
 Use both compose files together:
 
 ```bash
-docker compose -f docker-compose.prod.yml -f docker-compose.caddy.yml up -d
+docker compose -f docker-compose.prod.yml -f docker-compose.caddy.yml up -d --build
 ```
 
 This will:
+- Build the frontend inside Docker with production URLs baked in
 - Start all Kaboot services (backend, Authentik, PostgreSQL, Redis)
 - Start Caddy as a reverse proxy on ports 80 and 443
 - Automatically obtain SSL certificates from Let's Encrypt
 
-**Step 4: Verify**
+**Step 3: Verify**
 
 Check that all services are running:
 
@@ -289,10 +281,10 @@ Check that all services are running:
 docker compose -f docker-compose.prod.yml -f docker-compose.caddy.yml ps
 ```
 
-View Caddy logs:
+View frontend/Caddy logs:
 
 ```bash
-docker logs kaboot-caddy
+docker logs kaboot-frontend
 ```
 
 Check Authentik blueprint was applied: