From fcf1e06c66add9b796d06cb73d0cb5308b6a483b Mon Sep 17 00:00:00 2001
From: Claude Agent
Date: Tue, 3 Mar 2026 15:44:53 +0000
Subject: [PATCH] feat(infra): add Dokploy LXC 103 and new IIS web domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add LXC 103 Dokploy infrastructure (v0.28.2) with Traefik
- Deploy pdf-qr-app and qr-generator via Dokploy from GitHub
- Configure IIS VM 201: roa-qr and *.roa.romfast.ro wildcard sites
- Add SSL certificates (Let's Encrypt + wildcard DNS challenge)
- Fix Docker Swarm VIP DNS issue with dnsrr endpoint mode
- Document architecture: IIS → Traefik → Dokploy containers

Co-Authored-By: Claude Sonnet 4.6
---
 proxmox/README.md | 56 ++++-
 proxmox/lxc103-dokploy/README.md | 166 +++++++++++++
 proxmox/lxc103-dokploy/docs/pdf-qr-app.md | 87 +++++++
 proxmox/vm201-windows/README.md | 14 +-
 .../docs/vm201-dokploy-infrastructure.md | 225 ++++++++++++++++++
 .../iis-configs/roa-apps-wildcard.web.config | 41 ++++
 .../iis-configs/roa-qr.web.config | 29 +++
 .../scripts/setup-new-iis-sites.ps1 | 158 ++++++++
 8 files changed, 770 insertions(+), 6 deletions(-)
 create mode 100644 proxmox/lxc103-dokploy/README.md
 create mode 100644 proxmox/lxc103-dokploy/docs/pdf-qr-app.md
 create mode 100644 proxmox/vm201-windows/docs/vm201-dokploy-infrastructure.md
 create mode 100644 proxmox/vm201-windows/iis-configs/roa-apps-wildcard.web.config
 create mode 100644 proxmox/vm201-windows/iis-configs/roa-qr.web.config
 create mode 100644 proxmox/vm201-windows/scripts/setup-new-iis-sites.ps1

diff --git a/proxmox/README.md b/proxmox/README.md
index ea4ad03..bb8edd5 100644
--- a/proxmox/README.md
+++ b/proxmox/README.md
@@ -15,6 +15,11 @@ proxmox/ │ ├── scripts/ │ └── config/ │ +├── lxc103-dokploy/ # LXC 103 - Dokploy + Traefik (Deployment Platform) +│ ├── README.md # Configurare, arhitectură, workflow deploy +│ └── docs/ +│ └── pdf-qr-app.md # Deploy pdf-qr-app pe Dokploy +│ ├── lxc104-flowise/ # LXC 104 - Flowise AI (Chatbot Maria) │ ├── README.md # Infrastructură chatbot, ngrok, troubleshooting │ └── docs/ @@ -50,11 +55,16 @@ proxmox/ │ ├── README.md # Informații generale VM │ ├── docs/ │ │ ├── vm201-certificat-letsencrypt-iis.md +│ │ ├── vm201-dokploy-infrastructure.md # Arhitectură Dokploy + domenii │ │ ├── vm201-troubleshooting-backup-nfs.md │ │ └── vm201-troubleshooting-pana-curent-2026-01-11.md +│ ├── iis-configs/ # web.config pentru site-uri IIS +│ │ ├── roa-qr.web.config # Proxy roa-qr.romfast.ro → LXC 103 +│ │ └── roa-apps-wildcard.web.config # Proxy *.roa.romfast.ro → LXC 103 │ └── scripts/ │ ├── check-ssl-certificates.ps1 -│ └── monitor-ssl-certificates.sh +│ ├── monitor-ssl-certificates.sh +│ └── setup-new-iis-sites.ps1 # Setup site-uri IIS noi (Dokploy) │ ├── lxc110-moltbot/ # LXC 110 - MoltBot (AI Telegram Bot) │ ├── README.md # Configurare, securitate, comenzi 
@@ -96,6 +106,31 @@ ssh root@10.0.20.201 "upsc nutdev1" --- +### LXC 103 - Dokploy + Traefik (Deployment Platform) +**Director:** `lxc103-dokploy/` +**IP:** 10.0.20.167 | **Host:** pvemini + +| Fișier | Descriere | +|--------|-----------| +| `README.md` | Configurare, arhitectură, workflow deploy app-uri | +| `docs/pdf-qr-app.md` | Deploy pdf-qr-app în Dokploy | + +**Rol:** Control plane pentru deployment aplicații publice ROMFAST. +Traefik pe LXC 103 routează toate subdomeniile `*.roa.romfast.ro`. + +**Quick Start:** +```bash +# Status containere Dokploy + Traefik +ssh root@10.0.20.201 "pct exec 103 -- docker ps" + +# Logs Traefik +ssh root@10.0.20.201 "pct exec 103 -- docker logs traefik -f" +``` + +**URL:** https://dokploy.romfast.ro + +--- + ### LXC 104 - Flowise AI (Chatbot Maria) **Director:** `lxc104-flowise/` **IP:** 10.0.20.161 | **Host:** pvemini @@ -270,8 +305,8 @@ echo | openssl s_client -connect roa.romfast.ro:443 -servername roa.romfast.ro 2 ### LXC Containers | VMID | Nume | IP | Serviciu | Documentație | |------|------|-----|----------|--------------| -| 100 | portainer | 10.0.20.170 | Docker Management | `cluster/README.md` | -| 103 | dokploy | 10.0.20.167 | Deployment Platform | `cluster/README.md` | +| 100 | portainer | 10.0.20.170 | Docker Management (Remote Node) | `cluster/README.md` | +| **103** | **dokploy** | **10.0.20.167** | **Dokploy + Traefik (App Deployment)** | **`lxc103-dokploy/`** | | **104** | **flowise** | **10.0.20.161** | **Flowise AI (Chatbot Maria)** | **`lxc104-flowise/`** | | 106 | gitea | 10.0.20.165 | Git Server | `cluster/README.md` | | **108** | **central-oracle** | **10.0.20.121** | **Oracle XE 21c** | **`lxc108-oracle/`** | 
@@ -318,6 +353,14 @@ echo | openssl s_client -connect roa.romfast.ro:443 -servername roa.romfast.ro 2 - **Reînnoiesc certificate SSL** → `vm201-windows/docs/vm201-certificat-letsencrypt-iis.md` - **Rezolv probleme VM locked** → `vm201-windows/docs/vm201-troubleshooting-backup-nfs.md` - **Informații generale** → `vm201-windows/README.md` +- **Configurez site-uri IIS noi (Dokploy)** → `vm201-windows/docs/vm201-dokploy-infrastructure.md` +- **Script setup IIS automat** → `vm201-windows/scripts/setup-new-iis-sites.ps1` + +### Dokploy + Traefik (LXC 103) +- **Deploy aplicație nouă** → `lxc103-dokploy/README.md` → "Workflow: Adăugare App Nouă" +- **Setup server LXC 100** → `lxc103-dokploy/README.md` → "Pasul 2" +- **Deploy pdf-qr-app** → `lxc103-dokploy/docs/pdf-qr-app.md` +- **Arhitectură domenii** → `vm201-windows/docs/vm201-dokploy-infrastructure.md` ### MoltBot AI (LXC 110) - **Configurare și comenzi** → `lxc110-moltbot/README.md` @@ -342,7 +385,10 @@ echo | openssl s_client -connect roa.romfast.ro:443 -servername roa.romfast.ro 2 | Portainer (Oracle) | http://10.0.20.121:9443 | | Portainer Principal | http://10.0.20.170:9443 | | Gitea | http://10.0.20.165:3000 | -| Dokploy | http://10.0.20.167:3000 | +| Dokploy (intern) | http://10.0.20.167:3000 | +| Dokploy (public) | https://dokploy.romfast.ro | +| pdf-qr-app | https://roa-qr.romfast.ro | +| Apps wildcard | https://*.roa.romfast.ro | | Flowise AI (local) | http://10.0.20.161:3000 | | Flowise AI (public) | https://mutual-special-koala.ngrok-free.app | | Chatbot Maria | https://www.romfast.ro/chatbot_maria.html | @@ -361,6 +407,6 @@ echo | openssl s_client -connect roa.romfast.ro:443 -servername roa.romfast.ro 2 --- -**Ultima actualizare:** 2026-01-29 +**Ultima actualizare:** 2026-03-02 **Autor:** Marius Mutu **Proiect:** ROMFASTSQL - Infrastructure Documentation diff --git a/proxmox/lxc103-dokploy/README.md b/proxmox/lxc103-dokploy/README.md new file mode 100644 index 0000000..e007c86 --- /dev/null 
+++ b/proxmox/lxc103-dokploy/README.md 
@@ -0,0 +1,166 @@ +# LXC 103 - Dokploy + Traefik (Control Plane Public) + +## Informații Generale + +- **CTID:** 103 +- **IP:** 10.0.20.167 +- **Rol:** Dokploy Control Plane + Traefik routing public +- **Host Proxmox:** pvemini (10.0.20.201) +- **Status:** Running (onboot: enabled) + +--- + +## Arhitectura + +LXC 103 este nodul central pentru deployment-ul aplicațiilor publice ROMFAST. + +``` +Internet → 188.26.14.103 → VM 201 IIS (SSL termination) + │ + *.roa.romfast.ro, roa-qr, dokploy + │ + LXC 103 :443 (Traefik) + ├── dokploy.romfast.ro → Dokploy UI :3000 + ├── roa-qr.romfast.ro → pdf-qr-app container + ├── app1.roa.romfast.ro → app1 container + └── app2.roa.romfast.ro → app2 container +``` + +### De ce app-urile publice stau pe LXC 103 + +Dokploy instalează Traefik SEPARAT pe fiecare server. Traefik LXC 103 și +Traefik LXC 100 nu comunică între ele. Wildcadul `*.roa.romfast.ro` poate fi +conectat doar la UN singur Traefik — LXC 103. + +**LXC 100** se folosește pentru: +- Backend-uri consumate intern (fără DNS public) +- Job-uri cron, workers, servicii administrative + +--- + +## Servicii Instalate + +| Serviciu | Port | Descriere | +|----------|------|-----------| +| Dokploy UI | 3000 | Management deployment, CI/CD | +| Traefik | 443 | Routing HTTPS pentru toate app-urile publice | +| Traefik Dashboard | 8080 | Monitoring routelor (intern) | + +--- + +## Domenii Gestionate + +| Domeniu | Destinație | +|---------|-----------| +| `dokploy.romfast.ro` | Dokploy UI (port 3000) | +| `roa-qr.romfast.ro` | pdf-qr-app container | +| `*.roa.romfast.ro` | Orice app deployată prin Dokploy | + +--- + +## Setup Inițial + +### Pasul 1 — Oprire nginx existent pe LXC 100 + +> **Executat pe LXC 100** (10.0.20.170) via Portainer terminal sau Proxmox console: + +```bash +docker stop docker-nginx-1 +docker rm docker-nginx-1 + +# Verifică porturile sunt libere +ss -tlnp | grep -E ':80|:443' +``` + +### Pasul 2 — Generare SSH Key în Dokploy + Adăugare LXC 100 + +**În Dokploy UI** 
(https://dokploy.romfast.ro): +1. Settings → SSH Keys → **Create SSH Key** +2. Copiază public key-ul generat + +**Pe LXC 100** (10.0.20.170): +```bash +echo "ssh-ed25519 AAAA...[cheia copiată din Dokploy]" >> /root/.ssh/authorized_keys +chmod 600 /root/.ssh/authorized_keys +``` + +**În Dokploy UI:** +1. Servers → **Add Server** +2. IP: `10.0.20.170`, User: `root` +3. **Test Connection** → **Setup Server** +4. Verificare: pe LXC 100, `docker ps` → trebuie container Traefik + +### Pasul 3 — Deploy pdf-qr-app pe LXC 103 + +**În Dokploy UI:** +1. Services → **Create Service** → Docker Compose +2. **Server:** LXC 103 (local) +3. Docker Compose: conținutul app-ului pdf-qr (vezi `docs/pdf-qr-app.md`) +4. Domain: `roa-qr.romfast.ro` +5. **Deploy** + +--- + +## Workflow: Adăugare App Nouă + +``` +1. Dokploy UI → New Service → docker-compose → domain: numeapp.roa.romfast.ro +2. DNS: adaugă numeapp.roa.romfast.ro A 188.26.14.103 + (dacă e sub *.roa.romfast.ro, wildcard DNS acoperă automat) +3. SSL: Win-ACME pe VM 201 generează cert dacă nu există wildcard +4. Gata — Traefik pe LXC 103 routează automat +``` + +--- + +## Verificare + +```bash +# Traefik funcționează (din LAN) +curl -I https://10.0.20.167/ + +# Dokploy UI accesibil +curl -I https://dokploy.romfast.ro/ + +# pdf-qr-app accesibil +curl -I https://roa-qr.romfast.ro/ + +# Test wildcard (după deploy app cu hostname) +curl -I https://app1.roa.romfast.ro/ + +# LXC 100 Portainer funcționează în continuare +curl -sk https://10.0.20.170:9443/api/status +``` + +--- + +## Configurare Traefik (gestionat automat de Dokploy) + +Traefik pe LXC 103 este configurat și actualizat automat de Dokploy la fiecare +deploy. Nu modificați manual configurația Traefik fără să înțelegeți impactul. + +```bash +# Status containere pe LXC 103 +docker ps + +# Logs Traefik +docker logs traefik -f + +# Verificare routere Traefik +curl http://localhost:8080/api/http/routers | jq . 
+``` + +--- + +## Documentație Asociată + +- **Arhitectură completă IIS:** `../vm201-windows/docs/vm201-dokploy-infrastructure.md` +- **Setup IIS VM 201:** `../vm201-windows/scripts/setup-new-iis-sites.ps1` +- **Web.config IIS proxy:** `../vm201-windows/iis-configs/` +- **LXC 100 (Remote Node):** `../lxc100-portainer/README.md` *(de creat)* + +--- + +**Ultima actualizare:** 2026-03-02 +**Autor:** Marius Mutu +**Proiect:** ROMFASTSQL - LXC 103 Dokploy diff --git a/proxmox/lxc103-dokploy/docs/pdf-qr-app.md b/proxmox/lxc103-dokploy/docs/pdf-qr-app.md new file mode 100644 index 0000000..d97d07b --- /dev/null +++ b/proxmox/lxc103-dokploy/docs/pdf-qr-app.md 
@@ -0,0 +1,87 @@ +# pdf-qr-app — Migrare pe Dokploy LXC 103 + +## Descriere + +Aplicație pentru generare PDF cu coduri QR, migrată de pe VM 201 IIS +pe Dokploy/LXC 103 ca serviciu Docker containerizat. + +- **Domeniu:** `roa-qr.romfast.ro` +- **Server:** LXC 103 (10.0.20.167) +- **Deployment:** Dokploy → Docker Compose + +--- + +## Deploy în Dokploy UI + +### 1. Creare Service + +1. Deschide https://dokploy.romfast.ro +2. **Services** → **Create Service** → **Docker Compose** +3. Name: `pdf-qr-app` +4. Server: **LXC 103 (local)** + +### 2. Docker Compose + +Completează cu docker-compose.yml al app-ului: + +```yaml +version: "3.8" +services: + pdf-qr-app: + image: + restart: unless-stopped + environment: + - NODE_ENV=production + labels: + - "traefik.enable=true" + - "traefik.http.routers.pdf-qr.rule=Host(`roa-qr.romfast.ro`)" + - "traefik.http.routers.pdf-qr.tls=true" + - "traefik.http.services.pdf-qr.loadbalancer.server.port=3000" +``` + +### 3. Domain Configuration + +În Dokploy, secțiunea **Domains**: +- Domain: `roa-qr.romfast.ro` +- HTTPS: enabled +- Certificate: managed by Traefik + +### 4. Deploy + +Click **Deploy** → monitorizează logs + +--- + +## Verificare Post-Deploy + +```bash +# Din LAN (direct Traefik) +curl -I https://10.0.20.167/ -H "Host: roa-qr.romfast.ro" + +# Public (prin IIS proxy) +curl -I https://roa-qr.romfast.ro/ +``` + +--- + +## DNS Necesar + +``` +roa-qr.romfast.ro A 188.26.14.103 +``` + +--- + +## SSL Certificate (Win-ACME pe VM 201) + +```powershell +cd C:\Tools\win-acme + +# Găsește Site ID pentru roa-qr +Import-Module WebAdministration +Get-Website | Select-Object ID, Name + +# Generează certificat +.\wacs.exe --source iis --siteid --accepttos --emailaddress admin@romfast.ro +iisreset +``` diff --git a/proxmox/vm201-windows/README.md b/proxmox/vm201-windows/README.md index 022a9a7..e01cc52 100644 --- a/proxmox/vm201-windows/README.md +++ b/proxmox/vm201-windows/README.md 
@@ -60,8 +60,11 @@ ssh root@10.0.20.201 "qm config 201 | grep -E 'efidisk|virtio'" - roa.romfast.ro - dokploy.romfast.ro - gitea.romfast.ro + - roa-qr.romfast.ro ← **NOU** (proxy → LXC 103 Traefik → pdf-qr-app) + - *.roa.romfast.ro ← **NOU** wildcard (proxy → LXC 103 Traefik → Dokploy apps) **Documentație:** Vezi `vm201-certificat-letsencrypt-iis.md` +**Arhitectură Dokploy:** Vezi `vm201-dokploy-infrastructure.md` #### 3. Monitorizare UPS - **WinNUT Client** - Monitorizare vizuală status UPS în timp real @@ -99,6 +102,8 @@ ssh root@10.0.20.201 "qm config 201 | grep -E 'efidisk|virtio'" - Default Web Site (roa.romfast.ro) - Dokploy (dokploy.romfast.ro) - Gitea (gitea.romfast.ro) + - roa-qr (roa-qr.romfast.ro) → proxy LXC 103 Traefik + - roa-apps (*.roa.romfast.ro) → proxy wildcard LXC 103 Traefik **Configurare SSL:** Vezi `vm201-certificat-letsencrypt-iis.md` @@ -339,12 +344,18 @@ ssh root@10.0.20.201 "qm delsnapshot 201 pre-update-snapshot" ### Documentație VM 201 Specifică - **SSL Certificates IIS:** `docs/vm201-certificat-letsencrypt-iis.md` +- **Arhitectură Dokploy + Domenii:** `docs/vm201-dokploy-infrastructure.md` - **Troubleshooting Incident 2025-10-08:** `docs/vm201-troubleshooting-backup-nfs.md` - **Troubleshooting Pană Curent 2026-01-11:** `docs/vm201-troubleshooting-pana-curent-2026-01-11.md` ### Scripturi VM 201 - **Verificare certificate (Windows):** `scripts/check-ssl-certificates.ps1` - **Monitorizare certificate (Proxmox):** `scripts/monitor-ssl-certificates.sh` +- **Setup site-uri IIS noi (Dokploy):** `scripts/setup-new-iis-sites.ps1` + +### Configurații IIS +- **web.config roa-qr.romfast.ro:** `iis-configs/roa-qr.web.config` +- **web.config *.roa.romfast.ro:** `iis-configs/roa-apps-wildcard.web.config` ### Documentație Infrastructură Generală - **Proxmox Cluster General:** `../cluster/README.md` 
@@ -376,6 +387,7 @@ ssh root@10.0.20.201 "qm delsnapshot 201 pre-update-snapshot" - Dokploy: 10.0.20.167:3000 - Gitea: 10.0.20.165:3000 - Portainer: 10.0.20.170:9443 + - LXC 103 Traefik (*.roa.romfast.ro, roa-qr): 10.0.20.167:443 ### High Availability și Replicare @@ -446,6 +458,6 @@ qm migrate 201 pvemini --online --- -**Ultima actualizare:** 2026-01-11 +**Ultima actualizare:** 2026-03-02 **Autor:** Marius Mutu **Proiect:** ROMFASTSQL - VM 201 Documentation diff --git a/proxmox/vm201-windows/docs/vm201-dokploy-infrastructure.md b/proxmox/vm201-windows/docs/vm201-dokploy-infrastructure.md new file mode 100644 index 0000000..82cf999 --- /dev/null +++ b/proxmox/vm201-windows/docs/vm201-dokploy-infrastructure.md 
@@ -0,0 +1,225 @@ +# VM 201 IIS — Infrastructură Web Dokploy + +## Obiectiv + +Structură clară de domenii pentru toate serviciile ROMFAST, cu Dokploy ca +platformă unificată de deployment. Un singur wildcard DNS (`*.roa.romfast.ro`) +acoperă toate app-urile deployate prin Dokploy. + +--- + +## Structura Completă a Domeniilor + +``` +romfast.ro (DNS → 188.26.14.103 → NAT → VM 201 IIS) +│ +├── roa.romfast.ro ← IIS Default Web Site +│ ├── /contafinupdate ← fișiere locale IIS (rămân neschimbate) +│ ├── /roaupdate ← fișiere locale IIS (rămân neschimbate) +│ └── /* ← proxy → 10.0.20.36 (ROA Windows prod) +│ +├── roa2web.romfast.ro ← IIS Site 2 (existent) +│ └── proxy → 10.0.20.36 +│ +├── roa-qr.romfast.ro ← IIS Site NOU → Traefik LXC 103 +│ └── pdf-qr-app (migrat pe Dokploy/LXC 103) +│ +├── dokploy.romfast.ro ← IIS Site (existent) +│ └── proxy → Traefik LXC 103 → Dokploy UI +│ +├── gitea.romfast.ro ← IIS Site (existent) +│ └── proxy → Gitea LXC 106 +│ +└── *.roa.romfast.ro ← IIS Site NOU (wildcard) → Traefik LXC 103 + ├── app1.roa.romfast.ro ← app deployată în Dokploy pe LXC 103 + ├── app2.roa.romfast.ro ← altă app deployată pe LXC 103 + └── [orice app viitoare] +``` + +--- + +## Arhitectura Serverelor + +``` +VM 201 IIS (10.0.20.122) — SSL termination + routing per domeniu + │ + ├── *.roa.romfast.ro + roa-qr.romfast.ro + dokploy.romfast.ro + │ ↓ proxy HTTPS + │ LXC 103 Traefik (10.0.20.167:443) + │ ├── dokploy.roa.romfast.ro / dokploy.romfast.ro → Dokploy UI + │ ├── roa-qr.romfast.ro → pdf-qr-app container + │ ├── app1.roa.romfast.ro → app1 container + │ ├── app2.roa.romfast.ro → app2 container + │ └── [configurat automat de Dokploy la fiecare deploy] + │ + └── roa.romfast.ro, roa2web.romfast.ro, gitea.romfast.ro + ↓ proxy spre destinații existente (neschimbat) + +LXC 103 (10.0.20.167) — Dokploy Control Plane + Execution Node Public + ├── Dokploy UI (port 3000) — management toate serverele + ├── Traefik (port 443) — routing public pentru TOATE app-urile publice + └── 
SSH management → LXC 100 + +LXC 100 (10.0.20.170) — Remote Execution Node (gestionat din Dokploy) + ├── Traefik propriu (instalat de Dokploy) — pentru servicii interne + ├── App-uri fără DNS public (backend-uri, jobs, servicii interne) + └── Portainer UI (port 9443) — rămâne funcțional +``` + +--- + +## Rezumat Roluri + +| Component | Rol | +|-----------|-----| +| **VM 201 IIS** | SSL termination, routing per domeniu | +| **LXC 103 Traefik** | Routing pentru TOATE app-urile publice (`*.roa.romfast.ro`) | +| **LXC 103 Dokploy** | UI management, CI/CD, deployment pe LXC 103 și LXC 100 | +| **LXC 100** | Compute pentru servicii interne/backend fără DNS public | +| **LXC 100 Traefik** | Routing intern pentru app-urile pe LXC 100 | +| **LXC 100 Portainer** | Vizualizare containere locale (port 9443) | + +--- + +## Implementare Pași + +### Pasul 1 — LXC 100: Oprire nginx existent + +```bash +# Pe LXC 100 (via Portainer terminal sau Proxmox console) +docker stop docker-nginx-1 +docker rm docker-nginx-1 +ss -tlnp | grep -E ':80|:443' # verifică porturile sunt libere +``` + +### Pasul 2 — Dokploy: Generare SSH Key + Adăugare LXC 100 + +**În Dokploy UI** (https://dokploy.romfast.ro): +1. Settings → SSH Keys → **Create SSH Key** → copiază public key + +**Pe LXC 100:** +```bash +echo "ssh-ed25519 AAAA...[cheia copiată]" >> /root/.ssh/authorized_keys +chmod 600 /root/.ssh/authorized_keys +``` + +**În Dokploy UI:** +1. Servers → Add Server → IP: `10.0.20.170`, User: `root` +2. Test Connection → Setup Server +3. Verificare: pe LXC 100, `docker ps` → trebuie container Traefik + +### Pasul 3 — Dokploy: Deploy pdf-qr-app pe LXC 103 + +**În Dokploy UI:** +1. Services → Create Service → Docker Compose +2. **Server: LXC 103 (local)** +3. Docker Compose: conținutul app-ului pdf-qr +4. Domain: `roa-qr.romfast.ro` +5. 
Deploy + +### Pasul 4 — IIS VM 201: Site nou `roa-qr.romfast.ro` + +Rulează scriptul PowerShell (sau manual): + +```powershell +# Rulează scriptul complet +C:\scripts\setup-new-iis-sites.ps1 +``` + +Sau manual: +```powershell +New-Item -Path "C:\inetpub\roa-qr" -ItemType Directory -Force +New-Website -Name "roa-qr" -PhysicalPath "C:\inetpub\roa-qr" ` + -HostHeader "roa-qr.romfast.ro" -Port 80 +New-WebBinding -Name "roa-qr" -Protocol https -Port 443 ` + -HostHeader "roa-qr.romfast.ro" -SslFlags 1 +``` + +Copiază `iis-configs/roa-qr.web.config` → `C:\inetpub\roa-qr\web.config` + +### Pasul 5 — IIS VM 201: Site wildcard `*.roa.romfast.ro` + +```powershell +New-Item -Path "C:\inetpub\roa-apps" -ItemType Directory -Force +New-Website -Name "roa-apps" -PhysicalPath "C:\inetpub\roa-apps" ` + -HostHeader "*.roa.romfast.ro" -Port 80 +New-WebBinding -Name "roa-apps" -Protocol https -Port 443 ` + -HostHeader "*.roa.romfast.ro" -SslFlags 1 +``` + +Copiază `iis-configs/roa-apps-wildcard.web.config` → `C:\inetpub\roa-apps\web.config` + +**Notă:** Wildcard hostname (`*.roa.romfast.ro`) funcționează din IIS 10 cu SNI. + +### Pasul 6 — DNS + SSL + +**DNS** (la provider): +``` +roa-qr.romfast.ro A 188.26.14.103 +*.roa.romfast.ro A 188.26.14.103 ← wildcard +``` + +**SSL Certificate** pe VM 201 — Win-ACME: +```powershell +cd C:\Tools\win-acme + +# Certificate pentru roa-qr.romfast.ro +.\wacs.exe --source iis --siteid --accepttos --emailaddress admin@romfast.ro + +# Certificate wildcard *.roa.romfast.ro (necesită DNS challenge) +# Dacă provider-ul DNS nu suportă API Win-ACME → certificate individuale +.\wacs.exe --source iis --siteid --accepttos --emailaddress admin@romfast.ro +iisreset +``` + +**Notă SSL wildcard:** Certificate wildcard (`*.roa.romfast.ro`) necesită DNS challenge +(nu HTTP-01). Dacă provider-ul DNS nu suportă API Win-ACME, generează certificate +individuale per subdomain când adaugi app-uri noi. + +--- + +## Workflow: Adăugare App Nouă + +``` +1. 
Dokploy UI → New Service → docker-compose → domain: numeapp.roa.romfast.ro +2. DNS: adaugă numeapp.roa.romfast.ro A 188.26.14.103 + (acoperit de wildcard *.roa.romfast.ro dacă e configurat) +3. SSL: Win-ACME pe VM 201 generează cert dacă nu e wildcard +4. Gata — Traefik pe LXC 103 routează automat +``` + +--- + +## Verificare Completă + +```bash +# Traefik LXC 103 funcționează +curl -I https://10.0.20.167/ + +# pdf-qr-app accesibil public +curl -I https://roa-qr.romfast.ro/ + +# Wildcard funcționează (după deploy app) +curl -I https://app1.roa.romfast.ro/ + +# LXC 100 Portainer funcționează +curl -sk https://10.0.20.170:9443/api/status +``` + +--- + +## Fișiere Asociate + +| Fișier | Scop | +|--------|------| +| `../scripts/setup-new-iis-sites.ps1` | Script PowerShell setup IIS automat | +| `../iis-configs/roa-qr.web.config` | web.config proxy pentru roa-qr.romfast.ro | +| `../iis-configs/roa-apps-wildcard.web.config` | web.config proxy wildcard *.roa.romfast.ro | +| `../../lxc103-dokploy/README.md` | Documentație LXC 103 Dokploy | +| `../../lxc103-dokploy/docs/pdf-qr-app.md` | Deploy pdf-qr-app în Dokploy | + +--- + +**Ultima actualizare:** 2026-03-02 +**Autor:** Marius Mutu +**Proiect:** ROMFASTSQL - Infrastructură Web Dokploy diff --git a/proxmox/vm201-windows/iis-configs/roa-apps-wildcard.web.config b/proxmox/vm201-windows/iis-configs/roa-apps-wildcard.web.config new file mode 100644 index 0000000..1f2caf8 --- /dev/null +++ b/proxmox/vm201-windows/iis-configs/roa-apps-wildcard.web.config @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + + + + + + diff --git a/proxmox/vm201-windows/iis-configs/roa-qr.web.config b/proxmox/vm201-windows/iis-configs/roa-qr.web.config new file mode 100644 index 0000000..fd7ccfb --- /dev/null +++ b/proxmox/vm201-windows/iis-configs/roa-qr.web.config @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + + + + + 
diff --git a/proxmox/vm201-windows/scripts/setup-new-iis-sites.ps1 b/proxmox/vm201-windows/scripts/setup-new-iis-sites.ps1
new file mode 100644
index 0000000..92cd005
--- /dev/null
+++ b/proxmox/vm201-windows/scripts/setup-new-iis-sites.ps1
@@ -0,0 +1,158 @@ +# setup-new-iis-sites.ps1 +# Creare site-uri IIS noi pentru infrastructura Dokploy ROMFAST +# +# Site-uri create: +# 1. roa-qr.romfast.ro → proxy la LXC 103 Traefik (pdf-qr-app) +# 2. *.roa.romfast.ro → proxy wildcard la LXC 103 Traefik (toate app-urile Dokploy) +# +# Rulat pe VM 201 (roacentral) ca Administrator +# Prerequisite: IIS URL Rewrite Module instalat +# +# Verificare prerequisite: +# Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/rewrite' -name 'enabled' + +Import-Module WebAdministration + +$LXC103_IP = "10.0.20.167" +$ADMIN_EMAIL = "admin@romfast.ro" + +# ============================================================ +# SITE 1: roa-qr.romfast.ro +# ============================================================ + +$RoaQrName = "roa-qr" +$RoaQrHost = "roa-qr.romfast.ro" +$RoaQrPath = "C:\inetpub\roa-qr" + +Write-Host "Creare site: $RoaQrHost" -ForegroundColor Cyan + +# Creare director +New-Item -Path $RoaQrPath -ItemType Directory -Force | Out-Null + +# Creare site IIS (HTTP) +if (-not (Get-Website -Name $RoaQrName -ErrorAction SilentlyContinue)) { + New-Website -Name $RoaQrName ` + -PhysicalPath $RoaQrPath ` + -HostHeader $RoaQrHost ` + -Port 80 + Write-Host " [OK] Site $RoaQrName creat pe port 80" -ForegroundColor Green +} else { + Write-Host " [INFO] Site $RoaQrName deja existent" -ForegroundColor Yellow +} + +# Adaugă binding HTTPS cu SNI +$existingHttps = Get-WebBinding -Name $RoaQrName -Protocol "https" -ErrorAction SilentlyContinue +if (-not $existingHttps) { + New-WebBinding -Name $RoaQrName ` + -Protocol https ` + -Port 443 ` + -HostHeader $RoaQrHost ` + -SslFlags 1 # SNI enabled + Write-Host " [OK] Binding HTTPS adăugat cu SNI" -ForegroundColor Green +} + +# Creare web.config cu proxy rule +$RoaQrWebConfig = @" + + + + + + + + + + + + + + + + + + +"@ + +Set-Content -Path "$RoaQrPath\web.config" -Value $RoaQrWebConfig -Encoding UTF8 +Write-Host " [OK] web.config creat pentru $RoaQrHost" 
-ForegroundColor Green + +# ============================================================ +# SITE 2: *.roa.romfast.ro (wildcard) +# ============================================================ + +$RoaAppsName = "roa-apps" +$RoaAppsHost = "*.roa.romfast.ro" +$RoaAppsPath = "C:\inetpub\roa-apps" + +Write-Host "`nCreare site wildcard: $RoaAppsHost" -ForegroundColor Cyan + +# Creare director +New-Item -Path $RoaAppsPath -ItemType Directory -Force | Out-Null + +# Creare site IIS (HTTP) +if (-not (Get-Website -Name $RoaAppsName -ErrorAction SilentlyContinue)) { + New-Website -Name $RoaAppsName ` + -PhysicalPath $RoaAppsPath ` + -HostHeader $RoaAppsHost ` + -Port 80 + Write-Host " [OK] Site $RoaAppsName creat pe port 80" -ForegroundColor Green +} else { + Write-Host " [INFO] Site $RoaAppsName deja existent" -ForegroundColor Yellow +} + +# Adaugă binding HTTPS cu SNI (wildcard funcționează din IIS 10 cu SNI) +$existingHttps = Get-WebBinding -Name $RoaAppsName -Protocol "https" -ErrorAction SilentlyContinue +if (-not $existingHttps) { + New-WebBinding -Name $RoaAppsName ` + -Protocol https ` + -Port 443 ` + -HostHeader $RoaAppsHost ` + -SslFlags 1 # SNI enabled - obligatoriu pentru wildcard + Write-Host " [OK] Binding HTTPS wildcard adăugat cu SNI" -ForegroundColor Green +} + +# Creare web.config cu proxy rule (identic cu roa-qr) +$RoaAppsWebConfig = @" + + + + + + + + + + + + + + + + + + +"@ + +Set-Content -Path "$RoaAppsPath\web.config" -Value $RoaAppsWebConfig -Encoding UTF8 +Write-Host " [OK] web.config creat pentru *.roa.romfast.ro" -ForegroundColor Green + +# ============================================================ +# STATUS FINAL +# ============================================================ + +Write-Host "`n=== STATUS SITE-URI IIS ===" -ForegroundColor Cyan +Get-Website | Select-Object ID, Name, State, + @{N='Bindings'; E={($_.Bindings.Collection | ForEach-Object { $_.bindingInformation }) -join ', '}} | + Format-Table -AutoSize + +Write-Host "`n=== PAȘI 
URMĂTORI ===" -ForegroundColor Yellow +Write-Host "1. Generează certificate SSL cu Win-ACME:" +Write-Host " cd C:\Tools\win-acme" +Write-Host " .\wacs.exe --source iis --siteid --accepttos --emailaddress $ADMIN_EMAIL" +Write-Host " NOTĂ: Wildcard *.roa.romfast.ro necesita DNS challenge (nu HTTP-01)" +Write-Host "" +Write-Host "2. Dacă Win-ACME nu suportă DNS challenge pentru wildcard," +Write-Host " generează certificate individuale per subdomain la fiecare app nouă." +Write-Host "" +Write-Host "3. Aplică certificate în IIS Manager (SNI obligatoriu)." +Write-Host "4. iisreset"
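Review bot: The script states its prerequisites in the header comment but never enforces them: there is no `#Requires -RunAsAdministrator`, the `Get-WebConfigurationProperty` check for URL Rewrite is only quoted in a comment, and without `$ErrorActionPreference = 'Stop'` a failed `New-Website` is a non-terminating error, so the `roa-qr` block still prints `[OK]`, goes on to `New-WebBinding`, and writes `web.config` into `$RoaQrPath` for a site that does not exist (the `roa-apps` block has the same shape). I would add the `#Requires` line and a stop-on-error preference at the top and turn the commented prerequisite check into a real guard, as below; whether that property resolves the way the header comment implies should be confirmed on the host. `$LXC103_IP` is assigned but not referenced in any visible line — the here-string bodies appear to have been stripped from this listing, so it is presumably used there; worth confirming the rendered `web.config` actually targets it.
```powershell
#Requires -RunAsAdministrator
# … unchanged: header comments …

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Fail before creating anything if the URL Rewrite module is absent;
# the generated web.config depends on it and the sites would otherwise come up broken.
$rewriteEnabled = Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' `
    -filter 'system.webServer/rewrite' -name 'enabled' -ErrorAction SilentlyContinue
if (-not $rewriteEnabled) {
    throw "IIS URL Rewrite Module is not installed; install it before running this script."
}

# … unchanged: site creation for roa-qr and roa-apps …
```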