📝(self-hosted) add documentation for self-hosting on docker compose

It describes the minimalist LaSuite Meet instance, with the simple feature of having a room conference.
2025-07-25 16:55:19 +02:00
parent 36ba0f9c8e
commit e4c2b42e4a
14 changed files with 680 additions and 4 deletions
--- a/docker/files/production/default.conf.template
+++ b/docker/files/production/default.conf.template
@@ -0,0 +1,50 @@
 upstream meet_backend {
    server ${BACKEND_HOST}:8000 fail_timeout=0;
 }
 upstream meet_frontend {
    server ${FRONTEND_HOST}:8080 fail_timeout=0;
 }
 server {
    listen 8083;
    server_name localhost;
    charset utf-8;
    # Disables server version feedback on pages and in headers
    server_tokens off;
    proxy_ssl_server_name on;
    location @proxy_to_meet_backend {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_pass http://meet_backend;
    }
    location @proxy_to_meet_frontend {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_pass http://meet_frontend;
    }
    location / {
        try_files $uri @proxy_to_meet_frontend;
    }
    location /api {
        try_files $uri @proxy_to_meet_backend;
    }
    location /admin {
        try_files $uri @proxy_to_meet_backend;
    }
    location /static {
        try_files $uri @proxy_to_meet_backend;
    }
 }
--- a/docs/examples/compose/compose.yaml
+++ b/docs/examples/compose/compose.yaml
@@ -0,0 +1,88 @@
 services:
  postgresql:
    image: postgres:16
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 1s
      timeout: 2s
      retries: 300
    env_file:
    - env.d/postgresql
    - env.d/common
    volumes:
    - ./data/databases/backend:/var/lib/postgresql/data/pgdata
  redis:
    image: redis:5
  backend:
    image: lasuite/meet-backend:latest
    user: ${DOCKER_USER:-1000}
    restart: always
    env_file:
    - env.d/common
    - env.d/backend
    - env.d/postgresql
    healthcheck:
      test: ["CMD", "python", "manage.py", "check"]
      interval: 15s
      timeout: 30s
      retries: 20
      start_period: 10s
    depends_on:
      postgresql:
        condition: service_healthy
        restart: true
      redis:
        condition: service_started
      livekit:
        condition: service_started
  frontend:
    image: lasuite/meet-frontend:latest
    user: "${DOCKER_USER:-1000}"
    entrypoint:
    - /docker-entrypoint.sh
    command: ["nginx", "-g", "daemon off;"]
    env_file:
    - env.d/common
    # Uncomment and set your values if using our nginx proxy example
    # environment:
    # - VIRTUAL_HOST=${MEET_HOST} # used by nginx proxy 
    # - VIRTUAL_PORT=8083 # used by nginx proxy
    # - LETSENCRYPT_HOST=${MEET_HOST} # used by lets encrypt to generate TLS certificate
    depends_on:
      backend:
        condition: service_healthy
    volumes:
    - ./default.conf.template:/etc/nginx/templates/docs.conf.template
 # Uncomment if using our nginx proxy example
 #    networks:
 #    - proxy-tier
 #    - default
  livekit:
    image: livekit/livekit-server:latest
    command: --config /config.yaml
    ports:
    - 7881:7881/tcp
    - 7882:7882/udp
    volumes:
      - ./livekit-server.yaml:/config.yaml
    # Uncomment and set your values if using our nginx proxy example
    # environment:
    # - VIRTUAL_HOST=${LIVEKIT_HOST} # used by nginx proxy 
    # - VIRTUAL_PORT=7880 # used by nginx proxy
    # - LETSENCRYPT_HOST=${LIVEKIT_HOST} # used by lets encrypt to generate TLS certificate
    depends_on:
      redis:
        condition: service_started
 # Uncomment if using our nginx proxy example
 #    networks:
 #    - proxy-tier
 #    - default
 # Uncomment if using our nginx proxy example
 #networks:
 #  proxy-tier:
 #    external: true
--- a/docs/examples/compose/keycloak/README.md
+++ b/docs/examples/compose/keycloak/README.md
@@ -0,0 +1,92 @@
 # Deploy and Configure Keycloak for Meet
 ## Installation
 > [!CAUTION]
 > We provide those instructions as an example, for production environments, you should follow the [official documentation](https://www.keycloak.org/documentation).
 ### Step 1: Prepare your working environment:
 ```bash
 mkdir keycloak/env.d && cd keycloak
 curl -o compose.yaml https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/docs/examples/compose/keycloak/compose.yaml
 curl -o env.d/kc_postgresql https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/env.d/production.dist/kc_postgresql
 curl -o env.d/keycloak https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/env.d/production.dist/keycloak
 ```
 ### Step 2:. Update `env.d/` files
 The following variables need to be updated with your own values, others can be left as is:
 ```env
 POSTGRES_PASSWORD=<generate postgres password>
 KC_HOSTNAME=https://id.yourdomain.tld # Change with your own URL
 KC_BOOTSTRAP_ADMIN_PASSWORD=<generate your password>
 ```
 ### Step 3: Expose keycloak instance on https
 > [!NOTE]
 > You can skip this section if you already have your own setup.
 To access your Keycloak instance on the public network, it needs to be exposed on a domain with SSL termination. You can use our [example with nginx proxy and Let's Encrypt companion](../nginx-proxy/README.md) for automated creation/renewal of certificates using [acme.sh](http://acme.sh).
 If following our example, uncomment the environment and network sections in compose file and update it with your values.
 ```yaml
 version: '3'
 services:
  keycloak:
   ...
    # Uncomment and set your values if using our nginx proxy example
    # environment:
    # - VIRTUAL_HOST=id.yourdomain.tld # used by nginx proxy 
    # - VIRTUAL_PORT=8080 # used by nginx proxy
    # - LETSENCRYPT_HOST=id.yourdomain.tld # used by lets encrypt to generate TLS certificate
   ...
 # Uncomment if using our nginx proxy example
 #    networks:
 #    - proxy-tier
 #    - default
 # Uncomment if using our nginx proxy example
 #networks:
 #  proxy-tier:
 #    external: true
 ```
 ### Step 4: Start the service
 ```bash
 `docker compose up -d`
 ```
 Your keycloak instance is now available on https://doc.yourdomain.tld
 > [!CAUTION]
 > Version of the images are set to latest, you should pin it to the desired version to avoid unwanted upgrades when pulling latest image. You can find available versions on [Keycloak registry](https://quay.io/repository/keycloak/keycloak?tab=tags).
 ```
 ## Creating an OIDC Client for Meet Application
 ### Step 1: Create a New Realm
 1. Log in to the Keycloak administration console.
 2. Navigate to the realm tab and click on the "Create realm" button.
 3. Enter the name of the realm  - `meet`.
 4. Click "Create".
 #### Step 2: Create a New Client
 1. Navigate to the "Clients" tab.
 2. Click on the "Create client" button.
 3. Enter the client ID - e.g. `meet`.
 4. Enable "Client authentication" option.
 6. Set the "Valid redirect URIs" to the URL of your meet application suffixed with `/*` - e.g., "https://meet.example.com/*".
 1. Set the "Web Origins" to the URL of your meet application - e.g. `https://meet.example.com`.
 1. Click "Save".
 #### Step 3: Get Client Credentials
 1. Go to the "Credentials" tab.
 2. Copy the client ID (`meet` in this example) and the client secret.
--- a/docs/examples/compose/keycloak/compose.yaml
+++ b/docs/examples/compose/keycloak/compose.yaml
@@ -0,0 +1,36 @@
 services:
  postgresql:
    image: postgres:16
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 1s
      timeout: 2s
      retries: 300
    env_file:
    - env.d/kc_postgresql
    volumes:
    - ./data/keycloak:/var/lib/postgresql/data/pgdata
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    command: ["start"]
    env_file:
    - env.d/kc_postgresql
    - env.d/keycloak
    # Uncomment and set your values if using our nginx proxy example
    # environment:
    # - VIRTUAL_HOST=id.yourdomain.tld # used by nginx proxy 
    # - VIRTUAL_PORT=8080 # used by nginx proxy
    # - LETSENCRYPT_HOST=id.yourdomain.tld # used by lets encrypt to generate TLS certificate
    depends_on:
      postgresql:
        condition: service_healthy
        restart: true
 # Uncomment if using our nginx proxy example
 #    networks:
 #    - proxy-tier
 #    - default
 #
 #networks:
 #  proxy-tier:
 #    external: true
--- a/docs/examples/compose/nginx-proxy/README.md
+++ b/docs/examples/compose/nginx-proxy/README.md
@@ -0,0 +1,39 @@
 # Nginx proxy with automatic SSL certificates
 > [!CAUTION]
 > We provide those instructions as an example, for extended development or production environments, you should follow the [official documentation](https://github.com/nginx-proxy/acme-companion/tree/main/docs).
 Nginx-proxy sets up a container running nginx and docker-gen. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.
 Acme-companion is a lightweight companion container for nginx-proxy. It handles the automated creation, renewal and use of SSL certificates for proxied Docker containers through the ACME protocol.
 ## Installation
 ### Step 1: Prepare your working environment:
 ```bash
 mkdir nginx-proxy && cd nginx-proxy
 curl -o compose.yaml https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/docs/examples/compose/nginx-proxy/compose.yaml
 ```
 ### Step 2: Edit `DEFAULT_EMAIL` in the compose file.
 Albeit optional, it is recommended to provide a valid default email address through the `DEFAULT_EMAIL` environment variable, so that Let's Encrypt can warn you about expiring certificates and allow you to recover your account.
 ### Step 3: Create docker network
 Containers need share the same network for auto-discovery.
 ```bash
 docker network create proxy-tier
 ```
 ### Step 4: Start service
 ```bash
 docker compose up -d
 ```
 ## Usage
 Once both nginx-proxy and acme-companion containers are up and running, start any container you want proxied with environment variables `VIRTUAL_HOST` and `LETSENCRYPT_HOST` both set to the domain(s) your proxied container is going to use.
--- a/docs/examples/compose/nginx-proxy/compose.yaml
+++ b/docs/examples/compose/nginx-proxy/compose.yaml
@@ -0,0 +1,36 @@
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    ports:
    - "80:80"
    - "443:443"
    volumes:
    - html:/usr/share/nginx/html
    - certs:/etc/nginx/certs:ro
    - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
    - proxy-tier
  acme-companion:
    image: nginxproxy/acme-companion
    container_name: nginx-proxy-acme
    environment:
    - DEFAULT_EMAIL=mail@yourdomain.tld
    volumes_from:
    - nginx-proxy
    volumes:
    - certs:/etc/nginx/certs:rw
    - acme:/etc/acme.sh
    - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
    - proxy-tier
 networks:
  proxy-tier:
    external: true
 volumes:
  html:
  certs:
  acme:
--- a/docs/examples/livekit/server.yaml
+++ b/docs/examples/livekit/server.yaml
@@ -0,0 +1,22 @@
 port: 7880
 redis:
  address: redis:6379
 keys:
  meet: <your livekit secret key>
 # WebRTC configuration
 rtc:
  # # when set, LiveKit will attempt to use a UDP mux so all UDP traffic goes through
  # # listed port(s). To maximize system performance, we recommend using a range of ports
  # # greater or equal to the number of vCPUs on the machine.
  # # port_range_start & end must not be set for this config to take effect
  udp_port: 7882
  # when set, LiveKit enable WebRTC ICE over TCP when UDP isn't available
  # this port *cannot* be behind load balancer or TLS, and must be exposed on the node
  # WebRTC transports are encrypted and do not require additional encryption
  # only 80/443 on public IP are allowed if less than 1024
  tcp_port: 7881
  # use_external_ip should be set to true for most cloud environments where
  # the host has a public IP address, but is not exposed to the process.
  # LiveKit will attempt to use STUN to discover the true IP, and advertise
  # that IP with its clients
  use_external_ip: true
--- a/docs/installation/README.md
+++ b/docs/installation/README.md
@@ -6,12 +6,9 @@ Here are a bunch of resources to help you install the project.
 La Suite Meet maintainers use only the Kubernetes deployment method in production, so advanced support is available exclusively for this setup. Please follow the instructions provided [here](/docs/installation/kubernetes.md).
 ## Docker Compose
-We understand that not everyone has a Kubernetes cluster available.
+We understand that not everyone has a Kubernetes cluster available, please follow the instructions provided [here](/docs/installation/compose.md) to set up a docker compose instance.
 We also provide [Docker images](https://hub.docker.com/u/lasuite?page=1&search=meet) that can be deployed using Compose.
 > [!WARNING]  
 > Under construction: A PR is in progress to support deploying La Suite Meet via Docker Compose.
 ## Other ways to install La Suite Meet
 Community members have contributed alternative ways to install La Suite Meet 🙏. While maintainers may not provide direct support, we help keep these instructions up to date, and you can reach out to contributors or the community for assistance.
--- a/docs/installation/compose.md
+++ b/docs/installation/compose.md
@@ -0,0 +1,227 @@
 # Installation with docker compose
 We provide a sample configuration for running Meet using Docker Compose. Please note that this configuration is experimental, and the official way to deploy Meet in production is to use [k8s](../installation/k8s.md)
 ## Requirements
 All services are required to run the minimalist instance of LaSuite Meet. Click the links for ready-to-use configuration examples:
 | Service           | Purpose | Example Config                                           |
 |-------------------|---------|----------------------------------------------------------|
 | **PostgreSQL**    | Main database | [compose.yaml](../examples/compose/compose.yaml)         |
 | **Redis**         | Cache & sessions | [compose.yaml](../examples/compose/compose.yaml)         |
 | **Livekit**       | Real-time communication | [compose.yaml](../examples/compose/compose.yaml)         |
 | **OIDC Provider** | User authentication | [Keycloak setup](../examples/compose/keycloak/README.md) |
 | **SMTP Service**  | Email notifications | -                                                        |
 > [!NOTE] Some advanced features, as Recording and transcription, require additional services (MinIO, email). See `/features` folder for details.
 ## Software Requirements
 Ensure you have Docker Compose(v2) installed on your host server. Follow the official guidelines for a reliable setup:
 Docker Compose is included with Docker Engine:
 - **Docker Engine:** We suggest adhering to the instructions provided by Docker
  for [installing Docker Engine](https://docs.docker.com/engine/install/).
 For older versions of Docker Engine that do not include Docker Compose:
 - **Docker Compose:** Install it as per the [official documentation](https://docs.docker.com/compose/install/).
 > [!NOTE]
 > `docker-compose` may not be supported. You are advised to use `docker compose` instead.
 ## Step 1: Prepare your working environment:
 ```bash
 mkdir -p meet/env.d && cd meet
 curl -o compose.yaml https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/docs/examples/compose/compose.yaml
 curl -o .env https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/env.d/production.dist/hosts
 curl -o env.d/common https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/env.d/production.dist/common
 curl -o env.d/postgresql https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/env.d/production.dist/postgresql
 curl -o livekit-server.yaml https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/docs/examples/livekit/server.yaml
 curl -o default.conf.template https://raw.githubusercontent.com/suitenumerique/meet/refs/heads/main/docker/files/production/default.conf.template
 ```
 ## Step 2: Configuration
 Meet configuration is achieved through environment variables. We provide a [detailed description of all variables](../env.md).
 In this example, we assume the following services:
 - OIDC provider on https://id.yourdomain.tld
 - Livekit server on https://livekit.yourdomain.tld
 - Meet server on https://meet.yourdomain.tld
 **Set your own values in `.env`**
 ### OIDC
 Authentication in Meet is managed through Open ID Connect protocol. A functional Identity Provider implementing this protocol is required.
 For guidance, refer to our [Keycloak deployment example](../examples/compose/keycloak/README.md).
 If using Keycloak as your Identity Provider, in `env.d/common` set `OIDC_RP_CLIENT_ID` and `OIDC_RP_CLIENT_SECRET` variables with those of the OIDC client created for Meet. By default we have set `meet` as the realm name, if you have named your realm differently, update the value `REALM_NAME` in `.env`
 For others OIDC providers, update the variables in `env.d/common`.
 ### Postgresql
 Meet uses PostgreSQL as its database. Although an external PostgreSQL can be used, our example provides a deployment method.
 If you are using the example provided, you need to generate a secure key for `DB_PASSWORD` and set it in `env.d/postgresql`. 
 If you are using an external service or not using our default values, you should update the variables in `env.d/postgresql`
 ### Redis
 Meet uses Redis for caching and inter-service communication. While an external Redis can be used, our example provides a deployment method.
 If you are using an external service, you need to set `REDIS_URL` environment variable in `env.d/common`.
 ### Livekit
 [LiveKit](https://github.com/livekit/livekit) server is used as the WebRTC SFU (Selective Forwarding Unit) allowing multi-user conferencing. For more information, head to [livekit documentation](https://docs.livekit.io/home/self-hosting/).
 Generate a secure key for `LIVEKIT_API_SECRET` in `env.d/common`.
 We provide a minimal recommanded config for production environment in `livekit-server.yaml`. Set the previously generated API secret key in the config file.
 To view other customization options, see [config-sample.yaml](https://github.com/livekit/livekit/blob/master/config-sample.yaml)
 > [!NOTE]
 > In this example, we configured multiplexing on a single UDP port. For better performances, you can configure a range of UDP ports. 
 ### Meet
 The Meet backend is built on the Django Framework.
 Generate a [secure key](https://docs.djangoproject.com/en/5.2/ref/settings/#secret-key.) for `DJANGO_SECRET_KEY` in `env.d/common`. 
 ### Mail
 The following environment variables are required in `env.d/common` for the mail service to send invitations :
 ```env
 DJANGO_EMAIL_HOST=<smtp host> 
 DJANGO_EMAIL_HOST_USER=<smtp user> 
 DJANGO_EMAIL_HOST_PASSWORD=<smtp password>
 DJANGO_EMAIL_PORT=<smtp port> 
 DJANGO_EMAIL_FROM=<your email address>
 #DJANGO_EMAIL_USE_TLS=true # A flag to enable or disable TLS for email sending.
 #DJANGO_EMAIL_USE_SSL=true # A flag to enable or disable SSL for email sending.
 DJANGO_EMAIL_BRAND_NAME=<brand name used in email templates> # e.g. "La Suite Numérique"
 DJANGO_EMAIL_LOGO_IMG=<logo image to use in email templates.> # e.g. "https://meet.yourdomain.tld/assets/logo-suite-numerique.png" 
 ```
 ## Step 3: Configure your firewall
 If you are using a firewall as it is usually recommended in a production environment you will need to allow the webservice traffic on ports 80 and 443 but also to allow UDP traffic for the WebRTC service.
 The following ports will need to be opened:
 - 80/tcp - for TLS issuance
 - 443/tcp - for listening on HTTPS and TURN/TLS packets
 - 7881/tcp - WebRTC ICE over TCP
 - 7882/udp - for WebRTC multiplexing over UDP
 If you are using ufw, enter the follwoing:
 ```
 ufw allow 80/tcp
 ufw allow 443/tcp
 ufw allow 443/udp
 ufw allow 7881/tcp
 ufw allow 7882/udp
 ufw enable
 ``` 
 ## Step 4: Reverse proxy and SSL/TLS
 > [!WARNING]
 > In a production environment, configure SSL/TLS termination to run your instance on https.
 If you have your own certificates and proxy setup, you can skip this part.
 You can follow our [nginx proxy example](../examples/compose/nginx-proxy/README.md) with automatic generation and renewal of certificate with Let's Encrypt. 
 You will need to uncomment the environment and network sections in compose file and update it with your values.
 ```yaml
  frontend:
    ...
    # Uncomment and set your values if using our nginx proxy example
    # environment:
    # - VIRTUAL_HOST=${MEET_HOST} # used by nginx proxy 
    # - VIRTUAL_PORT=8083 # used by nginx proxy
    # - LETSENCRYPT_HOST=${MEET_HOST} # used by lets encrypt to generate TLS certificate
    ...
 # Uncomment if using our nginx proxy example
 #    networks:
 #    - proxy-tier
 #    - default
 ...
    # environment:
    # - VIRTUAL_HOST=${LIVEKIT_HOST} # used by nginx proxy 
    # - VIRTUAL_PORT=7880 # used by nginx proxy
    # - LETSENCRYPT_HOST=${LIVEKIT_HOST} # used by lets encrypt to generate TLS certificate
 # Uncomment if using our nginx proxy example
 #    networks:
 #    - proxy-tier
 #    - default
 #networks:
 #  proxy-tier:
 #    external: true
 ```
 ## Step 5: Start Meet
 You are ready to start your Meet application !
 ```bash
 docker compose up -d
 ```
 > [!NOTE]
 > Version of the images are set to latest, you should pin it to the desired version to avoid unwanted upgrades when pulling latest image.
 ## Step 6: Run the database migration and create Django admin user
 ```bash
 docker compose run --rm backend python manage.py migrate
 docker compose run --rm backend python manage.py createsuperuser --email <admin email> --password <admin password>
 ```
 Replace `<admin email>` with the email of your admin user and generate a secure password. 
 Your Meet instance is now available on the domain you defined, https://meet.yourdomain.tld.
 THe admin interface is available on https://meet.yourdomain.tld/admin with the admin user you just created.
 ## How to upgrade your Meet application
 Before running an upgrade you must check the [Upgrade document](../../UPGRADE.md) for specific procedures that might be needed.
 You can also check the [Changelog](../../CHANGELOG.md) for brief summary of the changes.
 ### Step 1: Edit the images tag with the desired version
 ### Step 2: Pull the images
 ```bash
 docker compose pull
 ```
 ### Step 3: Restart your containers
 ```bash
 docker compose restart
 ```
 ### Step 4: Run the database migration
 Your database schema may need to be updated, run:
 ```bash
 docker compose run --rm backend python manage.py migrate
 ```
--- a/env.d/production.dist/common
+++ b/env.d/production.dist/common
@@ -0,0 +1,50 @@
 # Django
 DJANGO_ALLOWED_HOSTS=${MEET_HOST}
 DJANGO_SECRET_KEY=<generate a secret key>
 DJANGO_SETTINGS_MODULE=meet.settings
 DJANGO_CONFIGURATION=Production
 # Python
 PYTHONPATH=/app
 # Meet settings
 # Mail
 DJANGO_EMAIL_HOST=<smtp host> 
 DJANGO_EMAIL_HOST_USER=<smtp user> 
 DJANGO_EMAIL_HOST_PASSWORD=<smtp password>
 DJANGO_EMAIL_PORT=<smtp port> 
 DJANGO_EMAIL_FROM=<your email address>
 #DJANGO_EMAIL_USE_TLS=true # A flag to enable or disable TLS for email sending.
 #DJANGO_EMAIL_USE_SSL=true # A flag to enable or disable SSL for email sending.
 DJANGO_EMAIL_BRAND_NAME="La Suite Numérique" 
 DJANGO_EMAIL_LOGO_IMG="https://${meet_HOST}/assets/logo-suite-numerique.png"
 # Backend url
 MEET_BASE_URL="https://${MEET_HOST}"
 # OIDC
 OIDC_OP_JWKS_ENDPOINT=https://${KEYCLOAK_HOST}/realms/${REALM_NAME}/protocol/openid-connect/certs
 OIDC_OP_AUTHORIZATION_ENDPOINT=https://${KEYCLOAK_HOST}/realms/${REALM_NAME}/protocol/openid-connect/auth
 OIDC_OP_TOKEN_ENDPOINT=https://${KEYCLOAK_HOST}/realms/${REALM_NAME}/protocol/openid-connect/token
 OIDC_OP_USER_ENDPOINT=https://${KEYCLOAK_HOST}/realms/${REALM_NAME}/protocol/openid-connect/userinfo
 OIDC_OP_LOGOUT_ENDPOINT=https://${KEYCLOAK_HOST}/realms/${REALM_NAME}/protocol/openid-connect/logout
 OIDC_RP_CLIENT_ID=<client_id>
 OIDC_RP_CLIENT_SECRET=<client secret>
 OIDC_RP_SIGN_ALGO=RS256
 OIDC_RP_SCOPES="openid email"
 LOGIN_REDIRECT_URL=https://${MEET_HOST}
 LOGIN_REDIRECT_URL_FAILURE=https://${MEET_HOST}
 LOGOUT_REDIRECT_URL=https://${MEET_HOST}
 OIDC_REDIRECT_ALLOWED_HOSTS=["https://${MEET_HOST}"]
 # Livekit Token settings
 LIVEKIT_API_SECRET=<generate a secret key>
 LIVEKIT_API_KEY=meet
 LIVEKIT_API_URL=https://${LIVEKIT_HOST}
 ALLOW_UNREGISTERED_ROOMS=False
--- a/env.d/production.dist/hosts
+++ b/env.d/production.dist/hosts
@@ -0,0 +1,7 @@
 MEET_HOST=meet.domain.tld
 KEYCLOAK_HOST=id.domain.tld
 LIVEKIT_HOST=livekit.domain.tld
 BACKEND_INTERNAL_HOST=backend
 FRONTEND_INTERNAL_HOST=frontend
 LIVEKIT_INTERNAL_HOST=livekit
 REALM_NAME=meet
--- a/env.d/production.dist/kc_postgresql
+++ b/env.d/production.dist/kc_postgresql
@@ -0,0 +1,13 @@
 # Postgresql db container configuration
 POSTGRES_DB=keycloak
 POSTGRES_USER=keycloak
 POSTGRES_PASSWORD=<generate postgres password>
 PGDATA=/var/lib/postgresql/data/pgdata
 # Keycloak postgresql configuration
 KC_DB=postgres
 KC_DB_SCHEMA=public
 KC_DB_URL_HOST=postgresql
 KC_DB_NAME=${POSTGRES_DB}
 KC_DB_USER=${POSTGRES_USER}
 KC_DB_PASSWORD=${POSTGRES_PASSWORD}
--- a/env.d/production.dist/keycloak
+++ b/env.d/production.dist/keycloak
@@ -0,0 +1,8 @@
 # Keycloak admin user
 KC_BOOTSTRAP_ADMIN_USERNAME=admin
 KC_BOOTSTRAP_ADMIN_PASSWORD=<generate your password>
 # Keycloak configuration
 KC_HOSTNAME=https://id.yourdomain.tld # Change with your own URL
 KC_PROXY_HEADERS=xforwarded # in this example we are running behind an nginx proxy
 KC_HTTP_ENABLED=true # in this example we are running behind an nginx proxy
--- a/env.d/production.dist/postgresql
+++ b/env.d/production.dist/postgresql
@@ -0,0 +1,11 @@
 # App database configuration
 DB_HOST=postgresql
 DB_NAME=meet
 DB_USER=meet
 DB_PASSWORD=<generate a secure password>
 DB_PORT=5432
 # Postgresql db container configuration
 POSTGRES_DB=meet
 POSTGRES_USER=meet
 POSTGRES_PASSWORD=${DB_PASSWORD}