Claude 48b9ccf152
feat: M4 Hardening — encryption, resource limits, monitoring, backups
## Env var encryption at rest (AES-256-GCM)
- server/src/crypto.rs: new module — encrypt/decrypt with AES-256-GCM
  Key = SHA-256(HIY_SECRET_KEY); non-prefixed values pass through
  transparently for zero-downtime migration
- Cargo.toml: aes-gcm = "0.10"
- routes/envvars.rs: encrypt on SET; list returns masked values (••••)
- routes/databases.rs: pg_password and DATABASE_URL stored encrypted
- routes/ui.rs: decrypt pg_password when rendering DB card
- builder.rs: decrypt env vars when writing the .env file for containers
- .env.example: add HIY_SECRET_KEY entry

## Per-app resource limits
- apps table: memory_limit (default 512m) + cpu_limit (default 0.5)
  added via idempotent ALTER TABLE in db.rs migration
- models.rs: App, CreateApp, UpdateApp gain memory_limit + cpu_limit
- routes/apps.rs: persist limits on create, update via PUT
- builder.rs: pass MEMORY_LIMIT + CPU_LIMIT to build script
- builder/build.sh: use $MEMORY_LIMIT / $CPU_LIMIT in podman run
  (replaces hardcoded --cpus="0.5"; --memory now also set)

## Monitoring (opt-in compose profile)
- infra/docker-compose.yml: gatus + netdata under `monitoring` profile
  Enable: podman compose --profile monitoring up -d
  Gatus on :8080, Netdata on :19999
- infra/gatus.yml: Gatus config checking HIY /api/status every minute

## Backup cron job
- infra/backup.sh: dumps SQLite, copies env files + git repos into a
  dated .tar.gz; optional rclone upload; 30-day local retention
  Suggested cron: 0 3 * * * /path/to/infra/backup.sh

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
2026-03-24 15:06:42 +00:00
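The envelope scheme the commit message describes (key = SHA-256 of HIY_SECRET_KEY, AES-256-GCM, non-prefixed values passed through for a zero-downtime migration), as an added example that is not the project's own crypto.rs; it is written in Go with the standard library rather than the project's Rust, and the "enc:" prefix and the nonce-first layout are assumptions since the commit does not state them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"io"
	"strings"
)

// Marker for encrypted values; an assumed name, the commit does not state its prefix.
const encPrefix = "enc:"
// newGCM mirrors Key = SHA-256(HIY_SECRET_KEY): the hash is exactly the 32 bytes AES-256 needs.
func newGCM(secret string) cipher.AEAD {
	key := sha256.Sum256([]byte(secret))
	block, _ := aes.NewCipher(key[:]) // cannot fail: key length is valid by construction
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt seals one env value as prefix + base64(nonce || ciphertext || tag).
func Encrypt(secret, plaintext string) (string, error) {
	gcm := newGCM(secret)
	nonce := make([]byte, gcm.NonceSize()) // fresh random 12-byte nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return encPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt passes legacy non-prefixed values through unchanged (zero-downtime migration); prefixed ones must authenticate.
func Decrypt(secret, stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return stored, nil
	}
	gcm := newGCM(secret)
	raw, err := base64.StdEncoding.DecodeString(stored[len(encPrefix):])
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed encrypted value")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("decrypt failed: wrong key or tampered value")
	}
	return string(pt), nil
}
```

The passthrough branch is what makes the rollout safe for existing rows, but it also means a value that was never encrypted is indistinguishable from one an attacker wrote in plaintext; once all rows are rewritten, the branch should be removed.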
| Path | Last commit | Date |
| --- | --- | --- |
| builder | feat: M4 Hardening — encryption, resource limits, monitoring, backups | 2026-03-24 15:06:42 +00:00 |
| docs | feat: M4 Hardening — encryption, resource limits, monitoring, backups | 2026-03-24 15:06:42 +00:00 |
| infra | feat: M4 Hardening — encryption, resource limits, monitoring, backups | 2026-03-24 15:06:42 +00:00 |
| proxy | chore: gitignore generated proxy/caddy.json | 2026-03-22 18:18:08 +00:00 |
| scripts | feat: git push deploy (roadmap step 2) | 2026-03-23 08:54:55 +00:00 |
| server | feat: M4 Hardening — encryption, resource limits, monitoring, backups | 2026-03-24 15:06:42 +00:00 |
| .dockerignore | Add .dockerignore to drop build context from ~1.8 GB to a few KB | 2026-03-22 10:13:53 +00:00 |
| .env.example | Add session-based auth to dashboard and API | 2026-03-20 13:45:16 +00:00 |
| .gitattributes | Add .gitattributes: force LF line endings for shell scripts | 2026-03-19 09:40:26 +00:00 |
| .gitignore | chore: gitignore generated proxy/caddy.json | 2026-03-22 18:18:08 +00:00 |
| Cargo.lock | feat: M4 Hardening — encryption, resource limits, monitoring, backups | 2026-03-24 15:06:42 +00:00 |
| Cargo.toml | M1: Rust control plane, builder, dashboard, and infra | 2026-03-19 08:25:59 +00:00 |
| README.md | readme | 2026-03-24 15:48:16 +01:00 |

Be in control of YOUR apps and YOUR data

Features

  • Deploy ANY containerized app in seconds
  • Built-in security
  • Built-in Postgres
  • Uses Podman for app isolation
  • Runs on your own hardware (Linux VM or host)
  • Integrates with git via GitHub webhooks, or add your own git remote
    • automatic redeployment after git push
  • Built-in SSL, automatically provisioned using Let's Encrypt