48b9ccf152
## Env var encryption at rest (AES-256-GCM) - server/src/crypto.rs: new module — encrypt/decrypt with AES-256-GCM Key = SHA-256(HIY_SECRET_KEY); non-prefixed values pass through transparently for zero-downtime migration - Cargo.toml: aes-gcm = "0.10" - routes/envvars.rs: encrypt on SET; list returns masked values (••••) - routes/databases.rs: pg_password and DATABASE_URL stored encrypted - routes/ui.rs: decrypt pg_password when rendering DB card - builder.rs: decrypt env vars when writing the .env file for containers - .env.example: add HIY_SECRET_KEY entry ## Per-app resource limits - apps table: memory_limit (default 512m) + cpu_limit (default 0.5) added via idempotent ALTER TABLE in db.rs migration - models.rs: App, CreateApp, UpdateApp gain memory_limit + cpu_limit - routes/apps.rs: persist limits on create, update via PUT - builder.rs: pass MEMORY_LIMIT + CPU_LIMIT to build script - builder/build.sh: use $MEMORY_LIMIT / $CPU_LIMIT in podman run (replaces hardcoded --cpus="0.5"; --memory now also set) ## Monitoring (opt-in compose profile) - infra/docker-compose.yml: gatus + netdata under `monitoring` profile Enable: podman compose --profile monitoring up -d Gatus on :8080, Netdata on :19999 - infra/gatus.yml: Gatus config checking HIY /api/status every minute ## Backup cron job - infra/backup.sh: dumps SQLite, copies env files + git repos into a dated .tar.gz; optional rclone upload; 30-day local retention Suggested cron: 0 3 * * * /path/to/infra/backup.sh https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH |
||
|---|---|---|
| .. | ||
| src | ||
| templates | ||
| Cargo.toml | ||