enki 57cda1281b rewrite phases 0+1 in Rust; archive Go implementation
Move entire Go tree to archive/go/ preserving history. Add Rust
implementation: axum HTTP server, nostr-sdk relay reader, sqlx/SQLite
storage, Torznab caps+search endpoints, figment config, clap CLI.
Update spec.md tech stack and repo layout to reflect Rust. Add
docs/FIPS.md with Mode A/B/C deployment walkthrough. Add Phase 6
(FIPS deployment) to phase plan.
2026-05-17 02:23:26 -07:00


FIPS Deployment

kindexr can run on a FIPS-networked host so that peers reach it over a private overlay without exposing the Torznab port to the public internet. Three deployment modes are defined; operators choose the one that matches their network topology.


Prerequisites

  1. FIPS daemon installed and running on the operator host.
  2. A node identity established (fips id or equivalent — consult your FIPS daemon docs).
  3. kindexr Phase 0/1 installed and passing its smoke tests (/health returns db_ok: true).

Mode A — bind kindexr to a FIPS address

Sonarr/Radarr on a peer host resolve kindexr.fips over the overlay and connect directly to kindexr's HTTP port. No public port is opened.

Step by step

  1. Find your FIPS address (example: fd00::1:2:3:4). Add it to server.listen in /etc/kindexr/config.yaml:

    server:
      listen: "[fd00::1:2:3:4]:9117"
      base_url: "http://kindexr.fips:9117"
    
  2. Register the hostname with the FIPS daemon:

    # /etc/fips/hosts  (or equivalent for your FIPS implementation)
    kindexr.fips  fd00::1:2:3:4
    
  3. Restart kindexr:

    systemctl restart kindexr
    
  4. On the peer host, confirm resolution and reachability:

    curl http://kindexr.fips:9117/health
    
  5. Generate an API key for the peer:

    kindexr-cli apikey create --label sonarr-peer
    

    The key is printed to stdout. Copy it.

  6. In Sonarr (or Radarr/Prowlarr), add a Torznab indexer:

    • URL: http://kindexr.fips:9117
    • API Key: <key from step 5>
    • Click Test — it should return green.

Mode B — private relay paths via FIPS WSS endpoints

Use FIPS-resolvable relay URLs so both the relay subscription traffic and the publisher outbox travel over the overlay rather than the public internet.

Example config.yaml snippet:

relays:
  - "wss://relay.fips:7777"
  - "wss://relay2.fips:7777"

publisher:
  enabled: false          # set true when Phase 4 is in use
  outbox:
    - "wss://outbox.fips:7778"

Replace the hostnames with whatever your FIPS daemon resolves. The kindexr process itself does not need to bind a FIPS address in Mode B — only the relay connections use the overlay.
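The Mode A listener and base_url settings and the Mode B relay/outbox URLs are the places where a typo silently takes traffic off the overlay. The following linter is an added example, not part of kindexr; it assumes the overlay hands out ULA addresses in fd00::/8 (as in the fd00::1:2:3:4 example) and that overlay hostnames end in ".fips", and it takes the config as an already-loaded dict (e.g. from yaml.safe_load).

```python
# Added example (not kindexr code): flag config settings that would expose the
# Torznab port or relay traffic outside the FIPS overlay.
import ipaddress
from urllib.parse import urlsplit

OVERLAY_NET = ipaddress.ip_network("fd00::/8")  # assumption: FIPS address range
OVERLAY_TLD = ".fips"                           # assumption: overlay name suffix
WILDCARDS = {"", "0.0.0.0", "::", "*"}           # binds that reach every interface

def split_listen(listen):
    """Split "[fd00::1]:9117" or "10.0.0.5:9117" into (host, port)."""
    host, sep, port = listen.rpartition(":")
    if not sep:
        raise ValueError(f"listen address has no port: {listen!r}")
    return host.strip("[]"), int(port)

def _check_wss(url, where):
    """Relay/outbox URLs must be wss:// and must name an overlay host."""
    u, out = urlsplit(url), []
    if u.scheme != "wss":
        out.append(f"{where}: {url} is not wss://")
    if not (u.hostname or "").endswith(OVERLAY_TLD):
        out.append(f"{where}: {url} host is not an overlay name; traffic leaves the overlay")
    return out

def check_config(cfg):
    """Return a list of findings; an empty list means everything stays on the overlay."""
    findings, server = [], cfg.get("server", {})
    host, port = split_listen(server.get("listen", ""))
    if host in WILDCARDS:
        findings.append(f"server.listen binds all interfaces ({host or 'empty'}:{port}); Torznab port is public")
    else:
        try:
            if ipaddress.ip_address(host) not in OVERLAY_NET:
                findings.append(f"server.listen {host} is outside {OVERLAY_NET}")
        except ValueError:
            findings.append(f"server.listen host {host!r} is not an IP literal")
    base_host = urlsplit(server.get("base_url", "")).hostname or ""
    if not base_host.endswith(OVERLAY_TLD):
        findings.append(f"server.base_url host {base_host!r} is not an overlay name")
    for url in cfg.get("relays", []):
        findings.extend(_check_wss(url, "relays"))
    pub = cfg.get("publisher", {})
    if pub.get("enabled"):  # outbox only matters once the publisher is on
        for url in pub.get("outbox", []):
            findings.extend(_check_wss(url, "publisher.outbox"))
    return findings

# Constructed samples: the walkthrough's settings beside a weak variant.
GOOD = {"server": {"listen": "[fd00::1:2:3:4]:9117", "base_url": "http://kindexr.fips:9117"},
        "relays": ["wss://relay.fips:7777", "wss://relay2.fips:7777"],
        "publisher": {"enabled": False, "outbox": ["wss://outbox.fips:7778"]}}
WEAK = {"server": {"listen": "0.0.0.0:9117", "base_url": "http://kindexr.fips:9117"},
        "relays": ["ws://relay.example.net:7777"],  # hypothetical public, cleartext relay
        "publisher": {"enabled": True, "outbox": ["wss://outbox.example.com:7778"]}}
```

Run check_config on the loaded config before step 3 (restart); a non-empty result means the Torznab port or a relay path is reachable off the overlay.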


Mode C — direct fips Rust crate integration (deferred)

Direct integration via a fips Rust crate would let kindexr register as a FIPS service and resolve peers programmatically, without relying on the system resolver.

This is deferred until the FIPS Rust crate stabilizes past 0.x. When it lands:

  • Add fips = "x.y" to Cargo.toml.
  • Wire fips::Node into src/main.rs alongside the axum server.
  • Bind the Torznab listener to the FIPS-assigned address automatically.
  • Expose the FIPS node ID in /health for peer discovery.

No code changes are needed in Phases 0-5 for Mode C; it will be a Phase 6 task.