# Deployment guide
## Target layout (example)
| Service | Host | Port |
|---------|------|------|
| Nextcloud | `https://cloud.example.com` | 443 |
| Node-RED | same VM, `192.168.1.26` | 1880 |
Node-RED must be reachable from users' browsers (for the iframe) and from itself (for API calls to Nextcloud).
## 1. Deploy Node-RED (Docker)
On the Ubuntu VM:
```bash
cd /home/ncadmin/nextcloud-node-red # or your clone path
git pull # get latest nodes + entrypoint
docker compose build --no-cache
docker compose up -d
```
Or without Compose:
```bash
docker build --no-cache -t nextcloud-node-red:latest .
docker rm -f nextcloud-node-red 2>/dev/null || true
docker run -d \
  --name nextcloud-node-red \
  --network host \
  -v node-red-data:/data \
  --restart unless-stopped \
  nextcloud-node-red:latest
```
Verify:
```bash
docker logs -n 30 nextcloud-node-red
# Expect: [entrypoint] Installing nextcloud nodes...
# User directory : /data
curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:1880/
# Expect: 200
```
### Nextcloud URL in config nodes
Inside Node-RED, set **Nextcloud URL** to something the **container** can resolve:
| Scenario | URL |
|----------|-----|
| Nextcloud on same VM, host networking | `https://127.0.0.1` or `https://cloud.example.com` |
| Nextcloud on another host | `https://192.168.1.x` or public hostname |
Test from inside the container (`--no-check-certificate` skips TLS verification, so this confirms reachability only):
```bash
docker exec nextcloud-node-red wget -qO- --no-check-certificate \
https://cloud.example.com/status.php
```
## 2. Deploy Nextcloud app
```bash
sudo cp -r nodered-embed /var/www/nextcloud/apps/
sudo chown -R www-data:www-data /var/www/nextcloud/apps/nodered-embed
sudo -u www-data php /var/www/nextcloud/occ app:enable nodered_embed
```
Configure in **Settings → Administration → Node-RED Embed**:
- **Node-RED URL:** `http://192.168.1.26:1880` (use the address clients use; not `127.0.0.1` unless only local admins use it)
## 3. Reverse proxy (optional)
If Node-RED is behind nginx/Apache with TLS:
- Ensure the proxy does **not** send `X-Frame-Options: DENY` (blocks iframe embed).
- Point Nextcloud admin URL to the public HTTPS URL, e.g. `https://nodered.example.com`.
If Nextcloud is behind a proxy, CSP host extraction uses the hostname from `nodered_url` — use the same hostname users load in the iframe.
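A header check for the proxy advice above, as an added example that is not part of the project: removing `X-Frame-Options` with nothing in its place lets any site frame Node-RED, whereas a `Content-Security-Policy: frame-ancestors` header naming the Nextcloud origin allows the embed and nothing else. The function name, verdict labels and sample headers are constructed for illustration.

```bash
#!/bin/sh
# Added example (not part of the project): classify the framing policy that
# Node-RED, or the proxy in front of it, sends. Headers arrive on stdin;
# $1 is the origin allowed to embed, i.e. the Nextcloud URL users load.
# Prints one of: blocked | restricted | open
frame_policy_verdict() (
  set -f   # keep a literal '*' source from being glob-expanded below
  allowed=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')   # curl -I emits CRLF
  verdict=""

  # Per the CSP specification, frame-ancestors takes precedence over
  # X-Frame-Options. Only the first matching CSP header is inspected here.
  if printf '%s\n' "$headers" | grep -q '^content-security-policy:.*frame-ancestors'; then
    fa=$(printf '%s\n' "$headers" |
      sed -n 's/^content-security-policy:.*frame-ancestors\([^;]*\).*/\1/p' | head -n 1)
    for tok in $fa; do
      case "$tok" in
        '*') echo open; return ;;            # any site may frame Node-RED
        "$allowed") verdict=restricted ;;    # only listed origins may frame it
      esac
    done
    echo "${verdict:-blocked}"               # 'none', 'self' or other origins only
    return
  fi

  xfo=$(printf '%s\n' "$headers" | sed -n 's/^x-frame-options:[[:space:]]*//p' | head -n 1)
  case "$xfo" in
    # SAMEORIGIN blocks the embed too: Nextcloud and Node-RED are different origins
    deny*|sameorigin*) echo blocked ;;
    *) echo open ;;                          # no framing restriction at all
  esac
)

# Constructed sample responses (hostnames are this guide's example values).
check() { printf '%-26s %s\n' "$1" "$(printf '%b' "$2" | frame_policy_verdict https://cloud.example.com)"; }
check "proxy sends XFO DENY" 'X-Frame-Options: DENY\r\n'
check "header simply removed" 'Server: nginx\r\n'
check "frame-ancestors set" 'Content-Security-Policy: frame-ancestors https://cloud.example.com\r\n'
```

Against a live deployment, pipe real headers in: `curl -sI https://nodered.example.com/ | frame_policy_verdict https://cloud.example.com`. A verdict of `open` means the embed works but so does framing from any other site.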
## 4. Firewall
Allow **1880/tcp** (or your mapped port) from Nextcloud users' networks if they open the embed from LAN/VPN.
## 5. Updating custom nodes
After changing files under `nodes/nextcloud-ocs/`:
```bash
docker builder prune -af # optional, avoids stale COPY cache
docker build --no-cache -t nextcloud-node-red:latest .
docker restart nextcloud-node-red
```
Confirm version:
```bash
docker exec nextcloud-node-red cat \
  /data/node_modules/node-red-contrib-nextcloud-ocs/package.json | grep version
```
### When to delete the volume
Delete `node-red-data` only if:
- Palette shows wrong/old nodes after rebuild, or
- Entrypoint copy failed with permission errors from old root-owned files
**Warning:** this removes all flows and credentials.
```bash
docker rm -f nextcloud-node-red
docker volume rm node-red-data
docker compose up -d
```
## 6. Backup
Back up the Docker volume:
```bash
# Quote the bind-mount source so a working directory with spaces still mounts
docker run --rm -v node-red-data:/data -v "$(pwd)":/backup alpine \
  tar czf /backup/node-red-data-backup.tar.gz -C /data .
```
Restore by extracting into a new volume before first start.
## 7. Production checklist
- [ ] Set `credentialSecret` in Node-RED settings (`/data/settings.js`)
- [ ] Use app passwords with minimal needed scopes
- [ ] TLS on Nextcloud; consider TLS on Node-RED if exposed beyond LAN
- [ ] Restrict who can access Node-RED (firewall / VPN / admin-only NC group)
- [ ] Enable Nextcloud app only for trusted admins if flows can access sensitive data