sander/Hostityourself
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Hostityourself/infra/gatus.yml
Claude 48b9ccf152
feat: M4 Hardening — encryption, resource limits, monitoring, backups 
## Env var encryption at rest (AES-256-GCM)
- server/src/crypto.rs: new module — encrypt/decrypt with AES-256-GCM
  Key = SHA-256(HIY_SECRET_KEY); non-prefixed values pass through
  transparently for zero-downtime migration
- Cargo.toml: aes-gcm = "0.10"
- routes/envvars.rs: encrypt on SET; list returns masked values (••••)
- routes/databases.rs: pg_password and DATABASE_URL stored encrypted
- routes/ui.rs: decrypt pg_password when rendering DB card
- builder.rs: decrypt env vars when writing the .env file for containers
- .env.example: add HIY_SECRET_KEY entry

## Per-app resource limits
- apps table: memory_limit (default 512m) + cpu_limit (default 0.5)
  added via idempotent ALTER TABLE in db.rs migration
- models.rs: App, CreateApp, UpdateApp gain memory_limit + cpu_limit
- routes/apps.rs: persist limits on create, update via PUT
- builder.rs: pass MEMORY_LIMIT + CPU_LIMIT to build script
- builder/build.sh: use $MEMORY_LIMIT / $CPU_LIMIT in podman run
  (replaces hardcoded --cpus="0.5"; --memory now also set)

## Monitoring (opt-in compose profile)
- infra/docker-compose.yml: gatus + netdata under `monitoring` profile
  Enable: podman compose --profile monitoring up -d
  Gatus on :8080, Netdata on :19999
- infra/gatus.yml: Gatus config checking HIY /api/status every minute

## Backup cron job
- infra/backup.sh: dumps SQLite, copies env files + git repos into a
  dated .tar.gz; optional rclone upload; 30-day local retention
  Suggested cron: 0 3 * * * /path/to/infra/backup.sh

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
2026-03-24 15:06:42 +00:00

39 lines
927 B
YAML
Raw Blame History

# Gatus uptime / health check configuration for HIY.
# Docs: https://github.com/TwiN/gatus
web:
port: 8080
# In-memory storage — no persistence needed for uptime checks.
storage:
type: memory
# Alert via email when an endpoint is down (optional — remove if not needed).
# alerting:
# email:
# from: gatus@yourdomain.com
# username: gatus@yourdomain.com
# password: ${EMAIL_PASSWORD}
# host: smtp.yourdomain.com
# port: 587
# to: you@yourdomain.com
endpoints:
- name: HIY Dashboard
url: http://server:3000/api/status
interval: 1m
conditions:
- "[STATUS] == 200"
alerts:
- type: email
description: HIY dashboard is unreachable
send-on-resolved: true
# Add an entry per deployed app:
#
# - name: my-app
# url: http://my-app:3001/health
# interval: 1m
# conditions:
# - "[STATUS] == 200"
# - "[RESPONSE_TIME] < 500"
Reference in a new issue View git blame Copy permalink