kindexr/docs/FIPS.md
enki 57cda1281b rewrite phases 0+1 in Rust; archive Go implementation
Move entire Go tree to archive/go/ preserving history. Add Rust
implementation: axum HTTP server, nostr-sdk relay reader, sqlx/SQLite
storage, Torznab caps+search endpoints, figment config, clap CLI.
Update spec.md tech stack and repo layout to reflect Rust. Add
docs/FIPS.md with Mode A/B/C deployment walkthrough. Add Phase 6
(FIPS deployment) to phase plan.
2026-05-17 02:23:26 -07:00

# FIPS Deployment
kindexr can run on a FIPS-networked host so that peers reach it over a private overlay
without exposing the Torznab port to the public internet. Three deployment modes are
defined; operators choose the one that matches their network topology.
---
## Prerequisites
1. FIPS daemon installed and running on the operator host.
2. A node identity established (`fips id` or equivalent — consult your FIPS daemon docs).
3. kindexr Phase 0/1 installed and passing its smoke tests (`/health` returns `db_ok: true`).
---
## Mode A — kindexr bound to a FIPS address (recommended)
Sonarr/Radarr on a peer host resolve `kindexr.fips` over the overlay and connect
directly to kindexr's HTTP port. No public port is opened.
### Step by step
1. Find your FIPS address (example: `fd00::1:2:3:4`). Add it to `server.listen` in
`/etc/kindexr/config.yaml`:
```yaml
server:
  listen: "[fd00::1:2:3:4]:9117"
  base_url: "http://kindexr.fips:9117"
```
2. Register the hostname with the FIPS daemon:
```
# /etc/fips/hosts (or equivalent for your FIPS implementation)
kindexr.fips fd00::1:2:3:4
```
3. Restart kindexr:
```
systemctl restart kindexr
```
4. On the **peer host**, confirm resolution and reachability:
```
curl http://kindexr.fips:9117/health
```
5. Generate an API key for the peer:
```
kindexr-cli apikey create --label sonarr-peer
```
The key is printed to stdout. Copy it.
6. In Sonarr (or Radarr/Prowlarr), add a Torznab indexer:
- URL: `http://kindexr.fips:9117`
- API Key: `<key from step 5>`
- Click **Test** — it should return green.
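A pre-flight script for Mode A, added here as an example and not part of the kindexr project: it pulls `server.listen` out of the config, refuses anything that is not a `[ipv6]:port` bind inside the overlay's unique-local range (fc00::/7), since a wildcard such as `[::]:9117` would expose the Torznab port, and checks that `/health` reports `db_ok: true`. It assumes the `listen:` key sits on one line and that `/health` returns JSON; the config path and hostname are the ones from the walkthrough.

```sh
#!/bin/sh
# Added example, not kindexr's own code. Assumptions: `listen:` is on one line
# of config.yaml, and /health returns a JSON body containing "db_ok": true.

# Extract the server.listen value ("[addr]:port") from a config file.
listen_from_config() {
    sed -n 's/^[[:space:]]*listen:[[:space:]]*"*\([^"]*\)"*.*$/\1/p' "$1" | head -n 1
}

# Return 0 only if the listen string is "[ipv6]:port" and the address is in
# fc00::/7 (unique local, i.e. the private overlay). Wildcard binds such as
# "[::]:9117" or "0.0.0.0:9117" would expose the Torznab port, so they fail.
overlay_listen_ok() {
    listen=$1
    case "$listen" in
        \[*\]:*) ;;
        *) echo "listen '$listen' is not of the form [ipv6]:port" >&2; return 1 ;;
    esac
    addr=${listen#\[}
    addr=${addr%%]*}
    first=${addr%%:*}   # leading hextet; must be four hex digits starting fc or fd
    case "$first" in
        [fF][cCdD][0-9a-fA-F][0-9a-fA-F]) return 0 ;;
    esac
    echo "listen address '$addr' is not in fc00::/7" >&2
    return 1
}

# Return 0 if a /health response body reports db_ok: true.
health_ok() {
    printf '%s' "$1" | grep -Eq '"?db_ok"?[[:space:]]*:[[:space:]]*true'
}

# Full check on the kindexr host:  sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    listen=$(listen_from_config /etc/kindexr/config.yaml)
    [ -n "$listen" ] || { echo "no server.listen found in config" >&2; exit 1; }
    overlay_listen_ok "$listen" || exit 1
    health_ok "$(curl -fsS "http://kindexr.fips:9117/health")" \
        || { echo "/health did not report db_ok: true" >&2; exit 1; }
    echo "Mode A pre-flight OK: $listen"
fi
```

Run it from the peer host as well if you want the `/health` check to prove overlay reachability rather than loopback.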
---
## Mode B — private relay paths via FIPS WSS endpoints
Use FIPS-resolvable relay URLs so both the relay subscription traffic and the
publisher outbox travel over the overlay rather than the public internet.
Example `config.yaml` snippet:
```yaml
relays:
  - "wss://relay.fips:7777"
  - "wss://relay2.fips:7777"
publisher:
  enabled: false # set true when Phase 4 is in use
  outbox:
    - "wss://outbox.fips:7778"
```
Replace the hostnames with whatever your FIPS daemon resolves. The kindexr process
itself does not need to bind a FIPS address in Mode B — only the relay connections
use the overlay.
---
## Mode C — direct fips Rust crate integration (deferred)
Direct integration via a `fips` Rust crate would let kindexr register as a FIPS
service and resolve peers programmatically, without relying on the system resolver.
This is deferred until the FIPS Rust crate stabilizes past 0.x. When it lands:
- Add `fips = "x.y"` to `Cargo.toml`.
- Wire `fips::Node` into `src/main.rs` alongside the axum server.
- Bind the Torznab listener to the FIPS-assigned address automatically.
- Expose the FIPS node ID in `/health` for peer discovery.
No code changes are needed in Phases 0-5 for Mode C; it will be a Phase 6 task.