811157b4ce
Self-hosted deployments already terminate TLS at Caddy/Traefik/nginx; making the server do TLS too means double cert config, dual ACME plumbing, and an untested code path. Drop RM_TLS_CERT/RM_TLS_KEY, remove TLSEnabled() and the ListenAndServeTLS branch. Replace the cookie's "Secure if TLS-in-process" check with a new RM_COOKIE_SECURE flag (default true). Local HTTP-only testing sets RM_COOKIE_SECURE=false; production is always behind a TLS proxy and the cookie stays Secure. Default port :8443 → :8080. docker-compose binds 127.0.0.1 only and populates RM_TRUSTED_PROXY. spec.md §4.1/§10.1 rewritten with a Caddyfile snippet and a hard "do not expose RM_LISTEN publicly" warning. enrollResponse keeps cert_pin_sha256 in the shape but the server can't introspect a cert it doesn't terminate — operator pastes the proxy's hash into -cert-pin at install time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
22 lines
777 B
YAML
# Reference deployment for the restic-manager control plane.
# Mirrors spec.md §10.1. Adjust image tag and RM_BASE_URL for your env.
#
# The server speaks plain HTTP. Front it with a TLS-terminating
# reverse proxy (Caddy/Traefik/nginx). RM_TRUSTED_PROXY must contain
# the proxy's IP/CIDR so X-Forwarded-* headers are honoured.

services:
  restic-manager:
    image: ghcr.io/dcglab/restic-manager:latest
    restart: unless-stopped
    # Bind to localhost only — the proxy is what the public reaches.
    ports:
      - "127.0.0.1:8080:8080"
    volumes:
      - ./data:/data
    environment:
      - RM_DATA_DIR=/data
      - RM_LISTEN=:8080
      - RM_BASE_URL=https://restic.lab.example
      - RM_SECRET_KEY_FILE=/data/secret.key
      - RM_TRUSTED_PROXY=172.16.0.0/12
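The two settings this commit introduces or relies on, RM_TRUSTED_PROXY and RM_COOKIE_SECURE, only protect the deployment if the server applies them the right way round: X-Forwarded-For and X-Forwarded-Proto are believed only when the TCP peer is inside the configured proxy network, and the cookie's Secure flag follows the flag rather than whether this process terminated TLS. The Go program below is an added illustration of that logic, not code from the restic-manager repository; the type ProxyConfig, the functions ParseTrustedProxy, LoadProxyConfig, ClientIP, IsHTTPS and SessionCookie, and the cookie name rm_session are all assumed names, and the addresses are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"strconv"
	"strings"
)

// ProxyConfig is a hypothetical holder for the two environment settings
// RM_TRUSTED_PROXY (proxy IPs/CIDRs) and RM_COOKIE_SECURE (default true).
type ProxyConfig struct {
	TrustedNets  []*net.IPNet
	CookieSecure bool
}

// ParseTrustedProxy accepts a comma-separated list of IPs or CIDRs.
// A bare IP is widened to a single-host CIDR so Contains() works uniformly.
func ParseTrustedProxy(spec string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if !strings.Contains(item, "/") {
			if strings.Contains(item, ":") {
				item += "/128"
			} else {
				item += "/32"
			}
		}
		_, n, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("RM_TRUSTED_PROXY: %w", err)
		}
		nets = append(nets, n)
	}
	if len(nets) == 0 {
		return nil, errors.New("RM_TRUSTED_PROXY: no proxy networks given")
	}
	return nets, nil
}

// LoadProxyConfig builds a ProxyConfig from the raw env values. An unset
// RM_COOKIE_SECURE means true, matching the default described in the commit.
func LoadProxyConfig(trustedProxy, cookieSecure string) (ProxyConfig, error) {
	nets, err := ParseTrustedProxy(trustedProxy)
	if err != nil {
		return ProxyConfig{}, err
	}
	secure := true
	if cookieSecure != "" {
		if secure, err = strconv.ParseBool(cookieSecure); err != nil {
			return ProxyConfig{}, fmt.Errorf("RM_COOKIE_SECURE: %w", err)
		}
	}
	return ProxyConfig{TrustedNets: nets, CookieSecure: secure}, nil
}

// IsTrusted reports whether addr (host or host:port) lies in a trusted network.
func (c ProxyConfig) IsTrusted(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		host = addr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range c.TrustedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the originating client. Forwarded headers are consulted
// only when the TCP peer is a trusted proxy; then the rightmost
// X-Forwarded-For entry that is not itself a trusted proxy is the client.
func (c ProxyConfig) ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if !c.IsTrusted(r.RemoteAddr) {
		return host // direct or untrusted peer: header is attacker-controlled
	}
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(parts) - 1; i >= 0; i-- {
		p := strings.TrimSpace(parts[i])
		if p == "" {
			continue
		}
		if net.ParseIP(p) == nil {
			break // malformed entry: stop walking the chain
		}
		if !c.IsTrusted(p) {
			return p
		}
	}
	return host
}

// IsHTTPS trusts X-Forwarded-Proto only from a trusted proxy.
func (c ProxyConfig) IsHTTPS(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	return c.IsTrusted(r.RemoteAddr) &&
		strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// SessionCookie sets Secure from RM_COOKIE_SECURE, not from in-process TLS.
func (c ProxyConfig) SessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name: "rm_session", Value: value, Path: "/",
		HttpOnly: true, Secure: c.CookieSecure, SameSite: http.SameSiteLaxMode,
	}
}

func main() {
	cfg, err := LoadProxyConfig(os.Getenv("RM_TRUSTED_PROXY"), os.Getenv("RM_COOKIE_SECURE"))
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	fmt.Printf("cookie Secure=%v, trusted nets=%v\n", cfg.CookieSecure, cfg.TrustedNets)
}
```

Run it with RM_TRUSTED_PROXY=172.16.0.0/12 set, as in the compose file, to see the parsed networks; the request-level helpers are what a handler would call before logging a client address or deciding whether a request arrived over HTTPS at the proxy.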