# Model Dock Ingress Plan

This document defines the intended public ingress contract for Model Dock.

## Target public hostnames

- `n8n.mrksylvstr.com` -> `127.0.0.1:5678`
- `chat.mrksylvstr.com` -> `127.0.0.1:8080`
- `flow.mrksylvstr.com` -> `127.0.0.1:3001`
- `api.mrksylvstr.com` -> `127.0.0.1:4000`

## Internal service ownership

- `n8n.mrksylvstr.com` routes to the current host-side `n8n`
- `chat.mrksylvstr.com` routes to compose-managed Open WebUI
- `flow.mrksylvstr.com` routes to compose-managed Flowise
- `api.mrksylvstr.com` routes to compose-managed LiteLLM

## Design rules

- Keep app services bound to localhost only
- Do not expose app containers directly to the internet
- Put one reverse proxy in front of all public traffic
- Terminate TLS at the reverse proxy
- Route by hostname, not by path

## Why this shape

- Each app keeps a clean URL and auth boundary
- `n8n` works more reliably on its own subdomain than behind a path prefix
- Internal service moves later do not require public URL changes
- The proxy becomes the single external interface for the stack

## Reverse proxy requirements

- Support TLS certificates for all four hostnames
- Forward `Host`, `X-Forwarded-For`, `X-Forwarded-Proto`, and `X-Real-IP`
- Preserve websocket and streaming support
- Keep upstream targets private on `127.0.0.1`
- Redirect plain HTTP to HTTPS on the public side

## Current local upstreams

- `n8n`: `http://127.0.0.1:5678`
- Open WebUI: `http://127.0.0.1:8080`
- Flowise: `http://127.0.0.1:3001`
- LiteLLM: `http://127.0.0.1:4000`

## Deployment note

- The current stack root is `/home/mark/modeldock`
- The intended long-term root is `/srv/arch1/modeldock`
- This ingress contract should stay the same across that migration

## n8n note

- `n8n` is currently host-side, not compose-managed
- If `n8n` later moves into compose, keep `n8n.mrksylvstr.com` unchanged and just retarget the reverse proxy upstream if needed

## Cutover checklist for public exposure later

1. Choose the reverse proxy implementation: Caddy, Nginx, or Traefik
2. Create DNS records for the four hostnames
3. Install TLS certificates on the proxy
4. Point each hostname at the matching localhost upstream
5. Verify login flows and websocket behavior for `n8n`, Open WebUI, and Flowise
6. Verify API responses for LiteLLM on `api.mrksylvstr.com`
7. Keep direct localhost bindings in place and do not widen container exposure
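
As an added example, not the project's own configuration, the following Caddyfile takes the Caddy option from step 1 and implements the reverse proxy requirements above: hostname-based routing, TLS terminated at the proxy, the forwarded headers the contract lists, websocket and streaming passthrough, and upstreams that stay on `127.0.0.1`. The ACME contact address is a placeholder; DNS records for the four hostnames (step 2) are assumed to already point at the proxy host.

```caddyfile
{
	# Placeholder ACME contact; replace before cutover.
	email ops@example.invalid
}

# Shared upstream settings so every hostname gets identical proxy behaviour.
# Caddy's reverse_proxy already forwards Host, X-Forwarded-For and
# X-Forwarded-Proto, handles websocket upgrades, and obtains certificates
# plus the HTTP to HTTPS redirect automatically for each site block.
(modeldock_proxy) {
	reverse_proxy {args[0]} {
		# X-Real-IP is not set by default, so add it to satisfy the contract.
		header_up X-Real-IP {remote_host}
		# Disable response buffering so LLM token streams reach the client as sent.
		flush_interval -1
	}
}

# Route by hostname only; each upstream stays private on the loopback interface.
n8n.mrksylvstr.com {
	import modeldock_proxy 127.0.0.1:5678
}

chat.mrksylvstr.com {
	import modeldock_proxy 127.0.0.1:8080
}

flow.mrksylvstr.com {
	import modeldock_proxy 127.0.0.1:3001
}

api.mrksylvstr.com {
	import modeldock_proxy 127.0.0.1:4000
}
```

Because no `:80` or `:8080`-style listener is declared and every site is a bare hostname, Caddy never exposes the containers' ports itself, which keeps step 7 intact.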
