Major overhaul of server architecture and security posture:

- Streaming: Unified all I/O through PIPESIZE (8192-byte) buffers. POST bodies stream via MpscReader through the save pipeline. GET content streams from disk via decompression to client. Removed save_item_with_reader, get_item_content_info, ChannelReader. 413 responses keep partial items (nonfatal by design).
- Security: XSS protection in all HTML pages via html_escape crate. Security headers middleware (nosniff, frame deny, referrer policy). CORS tightened to explicit headers. Input validation for tags (256 chars), metadata (128/4096), pagination (10k cap). Config file reads use from_utf8_lossy. Generic error messages in HTML. Diff endpoint has 10 MB per-item cap. max_body_size config option.
- Panics eliminated: Path unwraps → proper error propagation. Mutex unwraps → map_err (registries) / expect with message (local).
- MCP removed: Deleted all MCP code, rmcp dependency, mcp feature.
- Docs: Updated README, DESIGN, AGENTS to reflect all changes.
68 lines
1.8 KiB
Docker
# Build stage
FROM rust:1.88-slim AS builder

RUN apt-get update && apt-get install -y --no-install-recommends \
    cmake \
    curl \
    make \
    gcc \
    musl-tools \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*

RUN rustup target add x86_64-unknown-linux-musl

WORKDIR /app

# Copy manifests and fetch dependencies (cached layer)
COPY Cargo.toml Cargo.lock ./
RUN mkdir src && echo 'fn main() {}' > src/main.rs && echo '' > src/lib.rs
RUN cargo fetch --target x86_64-unknown-linux-musl

# Copy real source and build static binary
# magic feature excluded (requires shared libmagic; fallback uses `file` command)
COPY src/ src/
RUN cargo build --release --target x86_64-unknown-linux-musl \
    --no-default-features --features lz4,gzip,server,swagger,client,tls \
    && strip target/x86_64-unknown-linux-musl/release/keep

# Runtime stage - scratch since binary is fully static
FROM scratch

COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/keep /keep
COPY --from=builder /etc/ssl/certs/ /etc/ssl/certs/

EXPOSE 21080

# General options
# ENV KEEP_CONFIG=/config/config.yml
# Mount a volume for persistent storage: -v keep-data:/data
ENV KEEP_DIR=/data
ENV KEEP_LIST_FORMAT="id,time,size,tags,meta:hostname"

# Item options
# ENV KEEP_COMPRESSION=lz4
# ENV KEEP_META_PLUGINS=""
# ENV KEEP_FILTERS=""

# Server options
ENV KEEP_SERVER_ADDRESS=0.0.0.0
ENV KEEP_SERVER_PORT=21080
# ENV KEEP_SERVER_USERNAME="keep"
# ENV KEEP_SERVER_PASSWORD=""
# ENV KEEP_SERVER_PASSWORD_HASH=""
# ENV KEEP_SERVER_JWT_SECRET=""
# ENV KEEP_SERVER_JWT_SECRET_FILE=/config/jwt_secret

# TLS options
# ENV KEEP_SERVER_CERT=/certs/cert.pem
# ENV KEEP_SERVER_KEY=/certs/key.pem

# Client options
# ENV KEEP_CLIENT_URL=""
# ENV KEEP_CLIENT_USERNAME="keep"
# ENV KEEP_CLIENT_PASSWORD=""
# ENV KEEP_CLIENT_JWT=""

ENTRYPOINT ["/keep"]
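A pre-deployment check for the ENV defaults in this Dockerfile, as an added example that is not part of the repository: it flags a server bound to all interfaces with no credential or TLS variable set, and secrets written into `ENV`, which Docker stores in the image configuration. The function names and sample text are constructed; the page does not say how the server behaves when no credential is set, so the check reports only the configuration state.

```python
import re

# Constructed sample: the server-related ENV lines of the Dockerfile above,
# with the commented-out ones left commented as they are on the page.
SAMPLE = '''\
ENV KEEP_DIR=/data
ENV KEEP_SERVER_ADDRESS=0.0.0.0
ENV KEEP_SERVER_PORT=21080
# ENV KEEP_SERVER_PASSWORD_HASH=""
# ENV KEEP_SERVER_JWT_SECRET_FILE=/config/jwt_secret
# ENV KEEP_SERVER_CERT=/certs/cert.pem
'''

# Handles only the single `ENV NAME=value` form this Dockerfile uses.
ENV_RE = re.compile(r'^\s*ENV\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
AUTH_VARS = ("KEEP_SERVER_PASSWORD", "KEEP_SERVER_PASSWORD_HASH",
             "KEEP_SERVER_JWT_SECRET", "KEEP_SERVER_JWT_SECRET_FILE")
INLINE_SECRETS = ("KEEP_SERVER_PASSWORD", "KEEP_SERVER_JWT_SECRET",
                  "KEEP_CLIENT_PASSWORD", "KEEP_CLIENT_JWT")

def active_env(text):
    """Return {name: value} for uncommented ENV lines; later lines win."""
    env = {}
    for line in text.splitlines():
        m = ENV_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"')
    return env

def audit(env):
    """Return a list of findings for the effective ENV settings."""
    findings = []
    wide = env.get("KEEP_SERVER_ADDRESS") in ("0.0.0.0", "::")
    has_auth = any(env.get(name) for name in AUTH_VARS)
    has_tls = bool(env.get("KEEP_SERVER_CERT") and env.get("KEEP_SERVER_KEY"))
    if wide and not has_auth:
        findings.append("listens on all interfaces with no credential variable set")
    if wide and not has_tls:
        findings.append("listens on all interfaces without KEEP_SERVER_CERT and KEEP_SERVER_KEY")
    for name in INLINE_SECRETS:
        if env.get(name):  # an ENV value is readable from the image config
            findings.append(f"{name} is set in ENV; supply it at run time instead")
    return findings

if __name__ == "__main__":
    for finding in audit(active_env(SAMPLE)):
        print("WARN:", finding)
```
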