Three improvements bundled because they all ship as zddc-server v0.0.2:

* /.admin/ debug dashboard with /whoami, /config, /logs sub-routes. Authorization via a top-level `admins:` glob list in <ZDDC_ROOT>/.zddc (root-only — subdir entries deliberately ignored to prevent privilege escalation via subtree write access). Non-admin requests get 404 so the page is invisible. Recent logs surface via a 500-entry slog ring buffer teed off the existing TextHandler. Lets operators debug without kubectl exec.

* Default ZDDC_EMAIL_HEADER changes from `X-Email` to `X-Auth-Request-Email` — the oauth2-proxy / nginx auth-request convention that the TND helm chart already sets explicitly. Operators who set the env var explicitly are unaffected; deployments relying on the previous default need to set ZDDC_EMAIL_HEADER=X-Email or update their proxy.

* dispatch() rejects any URL whose segments contain a dot prefix other than the recognized virtual prefixes (.admin, cfg.IndexPath / .archive). Matches the existing listing-pipeline filter so hidden subtrees on the served PVC (e.g. /srv/.devshell — used by the in-cluster dev-shell for persistent home-dir state) become unreachable via direct HTTP fetch, not just hidden in listings.

Refreshes the X-Email reference in website/index.html accordingly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
33 lines
1.1 KiB
YAML
# podman-compose.yaml — local development environment
# Usage: podman-compose up --build
#
# Requires a directory to serve. Set ZDDC_DATA_DIR to the path of your
# archive root, or mount it manually.
#
# Note: Use :z volume suffix for SELinux-enabled hosts (RHEL, Fedora, CentOS).

services:
  zddc-server:
    build:
      context: .
      dockerfile: Containerfile
    image: zddc-server:dev
    ports:
      - "8443:8443"
    # TLS modes (set via ZDDC_TLS_CERT):
    #   empty (default) — self-signed cert generated in memory at startup
    #   ZDDC_TLS_CERT=none — plain HTTP, no TLS (use when reverse proxy handles TLS)
    #   ZDDC_TLS_CERT=/path — load cert from file (also set ZDDC_TLS_KEY)
    environment:
      ZDDC_ROOT: /data
      ZDDC_ADDR: ":8443"
      ZDDC_LOG_LEVEL: debug
      ZDDC_INDEX_PATH: .archive
      # ZDDC_EMAIL_HEADER defaults to X-Auth-Request-Email — uncomment to override.
      # ZDDC_EMAIL_HEADER: X-Auth-Request-Email
    volumes:
      - type: bind
        source: ${ZDDC_DATA_DIR:-./testdata}
        target: /data
        options: z
    restart: unless-stopped
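The dot-prefix rejection that the commit message describes for dispatch(), sketched in Go as an added example; it is not zddc-server's own code. The names `hiddenSegment` and `virtualPrefixes` are hypothetical, and decoding the path before checking and allowing the virtual prefixes at any depth are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// virtualPrefixes builds the allowlist of dot-prefixed segments that are
// routed deliberately. indexPath stands in for cfg.IndexPath (".archive" in
// the compose file); allowing them at any depth is an assumption.
func virtualPrefixes(indexPath string) map[string]bool {
	return map[string]bool{".admin": true, indexPath: true}
}

// hiddenSegment returns the first path segment that starts with a dot and is
// not an allowed virtual prefix. ok is false when the path must be rejected.
func hiddenSegment(rawPath, indexPath string) (seg string, ok bool) {
	// Decode first so "%2e" and "%2f" cannot smuggle a dot segment past the
	// check; an undecodable path is rejected (fail closed).
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return rawPath, false
	}
	allowed := virtualPrefixes(indexPath)
	for _, s := range strings.Split(decoded, "/") {
		// "." and ".." also start with a dot and are refused here.
		if strings.HasPrefix(s, ".") && !allowed[s] {
			return s, false
		}
	}
	return "", true
}

func main() {
	// Constructed request paths, not taken from real logs.
	for _, p := range []string{
		"/docs/report.pdf",
		"/.admin/whoami",
		"/docs/.archive/index.json",
		"/.devshell/.bash_history",
		"/docs/%2edevshell/notes",
		"/docs/../.zddc",
	} {
		seg, ok := hiddenSegment(p, ".archive")
		fmt.Printf("%-28s allowed=%-5v offending=%q\n", p, ok, seg)
	}
}
```

Running the same check in both the listing pipeline and the request dispatcher keeps "hidden in listings" and "unreachable by direct fetch" from drifting apart.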