From c2693c4648c2cb918fef8f11d6c86f226120bd79 Mon Sep 17 00:00:00 2001
From: Lang <7system7@gmail.com>
Date: Wed, 15 Apr 2026 20:03:48 +0200
Subject: [PATCH] fix: usr: another attempt to fix the email assets #4

---
 .env.dist                           | 9 +++++----
 config/packages/framework.yaml      | 2 ++
 config/packages/prod/framework.yaml | 8 ++++++++
 3 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 config/packages/prod/framework.yaml

diff --git a/.env.dist b/.env.dist
index f397dfb..b6eb804 100644
--- a/.env.dist
+++ b/.env.dist
@@ -9,10 +9,11 @@ APP_NAME=mineseeker
 # APP_PUBLIC_HOSTNAME: The public hostname for your application (used for generating absolute URLs in emails)
 # For production, set this to your domain (e.g., mineseeker.com)
 APP_PUBLIC_HOSTNAME=localhost
-# TRUSTED_PROXIES: IPs/CIDRs of trusted reverse proxies (needed for correct URL scheme detection in emails)
-# For Docker development, this is overridden in compose.override.yaml to "0.0.0.0/0"
-# For production, set to your proxy's IP or Docker network CIDR (e.g., 172.18.0.0/16)
-TRUSTED_PROXIES=127.0.0.1
+# TRUSTED_PROXIES: Only needed for bare-metal dev behind a reverse proxy
+# For Docker development, this is set in compose.override.yaml
+# For production, set in PROD_ENV_FILE Gitea secret (use 172.18.0.0/16 initially)
+#TRUSTED_PROXIES=127.0.0.1,127.0.0.2
+#TRUSTED_HOSTS=localhost,example.com
 ###< symfony/framework-bundle ###
 
 ###> doctrine/doctrine-bundle ###
diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index d087f1d..34cb676 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -10,6 +10,8 @@ framework:
 
   # Trust headers from reverse proxy (Caddy)
   # This ensures absolute_url() uses HTTPS scheme when behind a reverse proxy
+  # Production: TRUSTED_PROXIES from .env (Gitea secret)
+  # Development: TRUSTED_PROXIES from compose.override.yaml
   trusted_proxies: '%env(TRUSTED_PROXIES)%'
   trusted_headers: ['x-forwarded-for', 'x-forwarded-proto', 'x-forwarded-host', 'x-forwarded-port']
 
diff --git a/config/packages/prod/framework.yaml b/config/packages/prod/framework.yaml
new file mode 100644
index 0000000..ca09f57
--- /dev/null
+++ b/config/packages/prod/framework.yaml
@@ -0,0 +1,8 @@
+framework:
+  # In production with FrankenPHP, the reverse proxy (Caddy) is in the same container
+  # Requests come from 127.0.0.1, so we must trust that IP to process X-Forwarded-Proto headers
+  # TRUSTED_PROXIES is set in the .env file (stored in Gitea secrets)
+  # Typical value for Docker: 172.18.0.0/16 (or the specific Docker network CIDR)
+  # This must be provided by the PROD_ENV_FILE secret in Gitea
+  trusted_proxies: '%env(TRUSTED_PROXIES)%'
+  trusted_headers: ['x-forwarded-for', 'x-forwarded-proto', 'x-forwarded-host', 'x-forwarded-port']