# FIPS Deployment

kindexr can run on a FIPS-networked host so that peers reach it over a private overlay without exposing the Torznab port to the public internet. Three deployment modes are defined; operators choose the one that matches their network topology.

---

## Prerequisites

1. FIPS daemon installed and running on the operator host.
2. A node identity established (`fips id` or equivalent — consult your FIPS daemon docs).
3. kindexr Phase 0/1 installed and passing its smoke tests (`/health` returns `db_ok: true`).

---

## Mode A — kindexr bound to a FIPS address (recommended)

Sonarr/Radarr on a peer host resolve `kindexr.fips` over the overlay and connect directly to kindexr's HTTP port. No public port is opened.

### Step by step

1. Find your FIPS address (example: `fd00::1:2:3:4`). Add it to `server.listen` in `/etc/kindexr/config.yaml`:

   ```yaml
   server:
     listen: "[fd00::1:2:3:4]:9117"
     base_url: "http://kindexr.fips:9117"
   ```

2. Register the hostname with the FIPS daemon:

   ```
   # /etc/fips/hosts (or equivalent for your FIPS implementation)
   kindexr.fips fd00::1:2:3:4
   ```

3. Restart kindexr:

   ```
   systemctl restart kindexr
   ```

4. On the **peer host**, confirm resolution and reachability:

   ```
   curl http://kindexr.fips:9117/health
   ```

5. Generate an API key for the peer:

   ```
   kindexr-cli apikey create --label sonarr-peer
   ```

   The key is printed to stdout. Copy it.

6. In Sonarr (or Radarr/Prowlarr), add a Torznab indexer:
   - URL: `http://kindexr.fips:9117`
   - API Key: the key generated in step 5
   - Click **Test** — it should return green.

---

## Mode B — private relay paths via FIPS WSS endpoints

Use FIPS-resolvable relay URLs so both the relay subscription traffic and the publisher outbox travel over the overlay rather than the public internet.

Example `config.yaml` snippet:

```yaml
relays:
  - "wss://relay.fips:7777"
  - "wss://relay2.fips:7777"
publisher:
  enabled: false   # set true when Phase 4 is in use
  outbox:
    - "wss://outbox.fips:7778"
```

Replace the hostnames with whatever your FIPS daemon resolves. The kindexr process itself does not need to bind a FIPS address in Mode B — only the relay connections use the overlay.

---

## Mode C — direct fips Rust crate integration (deferred)

Direct integration via a `fips` Rust crate would let kindexr register as a FIPS service and resolve peers programmatically, without relying on the system resolver. This is deferred until the FIPS Rust crate stabilizes past 0.x.

When it lands:

- Add `fips = "x.y"` to `Cargo.toml`.
- Wire `fips::Node` into `src/main.rs` alongside the axum server.
- Bind the Torznab listener to the FIPS-assigned address automatically.
- Expose the FIPS node ID in `/health` for peer discovery.

No code changes are needed in Phases 0–5 for Mode C; it will be a Phase 6 task.
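
A check to run before the Mode A restart step, given here as an added example that is not part of kindexr: it reads the `listen` value from the config text and rejects wildcard, loopback and non-overlay binds, which would either expose the Torznab port or make it unreachable to peers. The overlay prefix `fd00::/8` (inferred from the example address in Mode A), the function names and the sample configs are assumptions.

```python
import ipaddress
import re

# Assumption: overlay prefix inferred from the page's example fd00::1:2:3:4.
# Set this to the prefix your FIPS daemon actually assigns.
OVERLAY_NET = ipaddress.ip_network("fd00::/8")

# Constructed sample configs, not taken from a real deployment.
GOOD = 'server:\n  listen: "[fd00::1:2:3:4]:9117"\n'
WILDCARD_V4 = 'server:\n  listen: "0.0.0.0:9117"\n'
WILDCARD_V6 = 'server:\n  listen: "[::]:9117"\n'
PUBLIC_V4 = 'server:\n  listen: "203.0.113.10:9117"\n'


def split_host_port(listen):
    """Split '[v6]:port' or 'v4:port' into (host, port)."""
    m = (re.fullmatch(r"\[([^\]]+)\]:(\d+)", listen)
         or re.fullmatch(r"([^:\[\]]+):(\d+)", listen))
    if not m:
        raise ValueError(f"unrecognised listen value {listen!r}")
    return m.group(1), int(m.group(2))


def audit_listen(config_text):
    """Return (ok, reason) for the listen value in kindexr config text."""
    # A regex is enough for this one key and avoids a YAML dependency.
    m = re.search(r'^\s*listen:\s*"?([^"\s#]+)', config_text, re.MULTILINE)
    if not m:
        return False, "no listen key found"
    try:
        host, port = split_host_port(m.group(1))
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False, f"{m.group(1)!r} is not a literal address and port"
    if addr.is_unspecified:
        return False, "wildcard bind exposes the port on every interface"
    if addr.is_loopback:
        return False, "loopback bind is unreachable from overlay peers"
    if addr not in OVERLAY_NET:
        return False, f"{addr} is outside the overlay prefix {OVERLAY_NET}"
    return True, f"bound to overlay address {addr}, port {port}"


if __name__ == "__main__":
    for name in ("GOOD", "WILDCARD_V4", "WILDCARD_V6", "PUBLIC_V4"):
        print(name, audit_listen(globals()[name]))
```
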