From 92f754e012f278c622b0775d2662f24209013a1a Mon Sep 17 00:00:00 2001 From: m17hr1l Date: Mon, 25 May 2026 16:42:46 +0200 Subject: [PATCH] stage-28: wire LETSENCRYPT_HOST + LETSENCRYPT_EMAIL on the cockpit service MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the two env vars nginxproxy/acme-companion looks for to issue + auto-renew the TLS cert for psyc.neuronetz.ai. LETSENCRYPT_EMAIL is interpolated from the prod .env (LETSENCRYPT_EMAIL=...) with a sensible fallback so dev / local deploys don't fail on the variable being unset. .env.example documents the var. Requires the proxy stack to (a) have acme-companion alongside nginx-proxy with shared certs/vhost.d/html volumes and (b) publish :443. psyc-side change only — no app code touched. Co-Authored-By: Claude Opus 4.7 --- .env.example | 6 ++++++ docker-compose.yml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/.env.example b/.env.example index 8fa3982..5edf74c 100644 --- a/.env.example +++ b/.env.example @@ -14,6 +14,12 @@ OTX_API_KEY= # (raises throttling from ~5 to ~50 requests / 30s) NVD_API_KEY= +# --- Production-only: Let's Encrypt email for the acme-companion sidecar --- +# Used as the contact address for the TLS cert acme-companion issues for +# psyc.neuronetz.ai. Safe to leave the default in dev (cert isn't issued +# without a reachable acme-companion + public DNS + :443). +# LETSENCRYPT_EMAIL=admin@neuronetz.ai + # --- Internal service URLs — overridden in docker compose; defaults for venv CLI --- # PSYC_MOCK_CERT_URL=http://127.0.0.1:8770 # PSYC_INFERENCE_URL=http://127.0.0.1:8771 diff --git a/docker-compose.yml b/docker-compose.yml index 6a10a7a..9ca670b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -20,6 +20,12 @@ services:
 environment:
 VIRTUAL_HOST: psyc.neuronetz.ai
 VIRTUAL_PORT: "8767"
+ # Triggers nginxproxy/acme-companion (which must be running alongside
+ # nginx-proxy on the host) to issue + auto-renew a Let's Encrypt cert
+ # for psyc.neuronetz.ai. LETSENCRYPT_EMAIL comes from .env so per-env
+ # configurable — falls back to the default if unset.
+ LETSENCRYPT_HOST: psyc.neuronetz.ai
+ LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL:-admin@neuronetz.ai}
 PSYC_MOCK_CERT_URL: http://mock-cert:8770
 PSYC_SOAR_URL: http://mock-cert:8770
 PSYC_INFERENCE_URL: http://inference:8771
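Review bot: `LETSENCRYPT_HOST: psyc.neuronetz.ai` is hard-coded while only the e-mail is read from `.env`, so every environment that runs this file next to an acme-companion will request a certificate for the production name. Where that name does not resolve to the host, those requests fail validation and can count against Let's Encrypt's failed-validation limit for the hostname. Consider making the host overridable too, `LETSENCRYPT_HOST: ${LETSENCRYPT_HOST:-psyc.neuronetz.ai}`, and pointing non-production deploys at the staging CA with acme-companion's `LETSENCRYPT_TEST: "true"`. The `:-admin@neuronetz.ai` fallback also applies silently in production when `.env` lacks the variable, so the added comment should state that production must set `LETSENCRYPT_EMAIL`, e.g. `# Production: set LETSENCRYPT_EMAIL in .env; the fallback is for dev only.` The cockpit service definition starts before this hunk and its `environment:` mapping continues past it.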