Conversation
There was a problem hiding this comment.
Pull request overview
This PR improves deployment documentation by adding a sample environment file and expanding the systemd unit example for running fmsgd.
Changes:
- Added
src/.env.examplewith requiredfmsgdand Postgres environment variables. - Expanded the README’s systemd unit example with
network-onlinedependencies, restart policy, hardening, and logging settings. - Added an inline example of the
/opt/fmsgd/envfile contents in the README.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/.env.example |
Introduces a canonical example set of required env vars (including Postgres/libpq env vars). |
README.md |
Updates systemd service guidance and adds an example env-file block for deployments. |
| PGUSER= | ||
| PGPASSWORD= | ||
| PGDATABASE=fmsgd | ||
| PGSSLMODE=disable |
There was a problem hiding this comment.
PGSSLMODE=disable is an insecure default for many deployments (it disables TLS to Postgres). Consider omitting it from the example or setting a safer default (e.g., require/verify-full) and adding a short comment indicating when disable is appropriate (local socket / trusted localhost only).
| PGSSLMODE=disable | |
| # Use disable only for local socket or trusted localhost development. | |
| PGSSLMODE=require |
| RestartSec=3 | ||
|
|
||
| # --- Filesystem access --- | ||
| ReadWritePaths=/opt/fmsgd |
There was a problem hiding this comment.
ReadWritePaths=/opt/fmsgd grants write access to the installation directory. The daemon code appears to write only under FMSG_DATA_DIR (e.g., filepath.Join(DataDir, ...) in src/host.go), so this is broader than necessary. For least privilege, consider removing write access to /opt/fmsgd (keep it read-only) and only allow writes to /var/lib/fmsgd (or whatever FMSG_DATA_DIR is set to).
| ReadWritePaths=/opt/fmsgd |
| ``` | ||
| FMSG_DATA_DIR=/var/lib/fmsgd/ | ||
| FMSG_DOMAIN=example.com | ||
| FMSG_ID_URL=http://127.0.0.1:8080 | ||
|
|
||
|
|
||
| FMSG_MAX_MSG_SIZE=10240 | ||
| FMSG_MAX_PAST_TIME_DELTA=604800 | ||
| FMSG_MAX_FUTURE_TIME_DELTA=300 | ||
| FMSG_MIN_DOWNLOAD_RATE=5000 | ||
| FMSG_MIN_UPLOAD_RATE=5000 | ||
| FMSG_READ_BUFFER_SIZE=1600 | ||
|
|
||
| PGHOST=127.0.0.1 | ||
| PGPORT=5432 | ||
| PGUSER= | ||
| PGPASSWORD= | ||
| PGDATABASE=fmsgd | ||
| ``` | ||
|
|
||
| ``` |
There was a problem hiding this comment.
The environment-variable example is now duplicated here and in src/.env.example, and they already diverge (e.g., .env.example includes PGSSLMODE but this README block does not). To avoid future drift, consider referencing/including the .env.example file from the README (or ensure both lists stay identical, including the Postgres variables you expect users to set).
| ``` | |
| FMSG_DATA_DIR=/var/lib/fmsgd/ | |
| FMSG_DOMAIN=example.com | |
| FMSG_ID_URL=http://127.0.0.1:8080 | |
| FMSG_MAX_MSG_SIZE=10240 | |
| FMSG_MAX_PAST_TIME_DELTA=604800 | |
| FMSG_MAX_FUTURE_TIME_DELTA=300 | |
| FMSG_MIN_DOWNLOAD_RATE=5000 | |
| FMSG_MIN_UPLOAD_RATE=5000 | |
| FMSG_READ_BUFFER_SIZE=1600 | |
| PGHOST=127.0.0.1 | |
| PGPORT=5432 | |
| PGUSER= | |
| PGPASSWORD= | |
| PGDATABASE=fmsgd | |
| ``` | |
| ``` | |
| See `src/.env.example` for the canonical environment-variable example and the full, current set of `FMSG_*` and PostgreSQL `PG*` variables to configure. | |
No description provided.