Skip to content

Commit 5ab0bc6

Browse files
committed
Initial Fluxheim project baseline
1 parent ce1f4db commit 5ab0bc6

57 files changed

Lines changed: 21224 additions & 64 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.cargo/audit.toml

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
[advisories]
2+
ignore = [
3+
# Transitive through pingora-core -> prometheus 0.13.4 -> protobuf 2.28.0.
4+
# Fluxheim does not parse protobuf input. Remove this when Pingora moves to
5+
# prometheus >=0.14 or otherwise drops vulnerable protobuf 2.x.
6+
"RUSTSEC-2024-0437",
7+
]
8+
9+
[database]
10+
path = "/tmp/fluxheim-cargo-audit-advisory-db"
11+
url = "https://github.com/RustSec/advisory-db.git"
12+
fetch = true
13+
stale = false
14+
15+
[yanked]
16+
enabled = false
17+
update_index = false

.containerignore

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
.git
2+
.cargo
3+
target
4+
docs
5+
examples/public
6+
*.log
7+
*.tmp
8+
tmp

.github/CONTRIBUTING.md

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,95 @@
1+
# Contributing To Fluxheim
2+
3+
Fluxheim is a fun Rust/Pingora project, but it is still security-sensitive
4+
infrastructure. Contributions are welcome when they keep the project small,
5+
clear, tested, and honest about what is stable.
6+
7+
## License
8+
9+
Fluxheim is licensed under the European Union Public Licence 1.2. By
10+
contributing, you agree that your contribution is provided under the same
11+
license.
12+
13+
## Development Setup
14+
15+
Use the pinned Rust toolchain from `rust-toolchain.toml`.
16+
17+
```bash
18+
cargo build
19+
cargo test
20+
```
21+
22+
Useful reduced builds:
23+
24+
```bash
25+
cargo build --no-default-features --features proxy
26+
cargo build --no-default-features --features web
27+
cargo build --no-default-features --features proxy,load-balancer
28+
```
29+
30+
## Checks
31+
32+
Before opening a pull request, run:
33+
34+
```bash
35+
scripts/checks.sh
36+
```
37+
38+
For release-sensitive changes, run:
39+
40+
```bash
41+
scripts/release_checks.sh
42+
```
43+
44+
Run the rootless Podman smoke when changing the container image or deployment
45+
files:
46+
47+
```bash
48+
FLUXHEIM_RELEASE_PODMAN=1 scripts/release_checks.sh
49+
```
50+
51+
## Security-Sensitive Changes
52+
53+
Treat these areas as high risk:
54+
55+
- request parsing and body limits;
56+
- TLS and certificate handling;
57+
- proxy routing and upstream selection;
58+
- cache keys, cache admission, and purge endpoints;
59+
- admin API, snapshots, and rollback;
60+
- logging, metrics, and privacy mode;
61+
- dependency updates.
62+
63+
Do not post exploitable security details in public issues. Follow
64+
[SECURITY.md](../SECURITY.md).
65+
66+
## Dependency Policy
67+
68+
Fluxheim uses `deny.toml`, `cargo-deny`, and `cargo-audit`.
69+
70+
When adding or updating crates:
71+
72+
- use crates.io releases unless there is a strong reason not to;
73+
- avoid git dependencies;
74+
- check maintenance status and license;
75+
- keep `Cargo.lock` updated;
76+
- run `cargo deny check` and `cargo audit`.
77+
78+
## Design Guidelines
79+
80+
- Prefer existing local patterns over new abstractions.
81+
- Keep modules feature-gated when they change the threat model.
82+
- Keep default builds focused on stable core behavior.
83+
- Do not make legacy or experimental protocols part of normal request paths.
84+
- Document stable, beta, experimental, and research features honestly.
85+
86+
## Pull Requests
87+
88+
Good pull requests are small enough to review and include:
89+
90+
- a clear summary;
91+
- tests for behavior changes;
92+
- docs or examples when user-facing behavior changes;
93+
- security notes for risky areas.
94+
95+
Large features should start with a roadmap or design-doc update before code.

.github/ISSUE_TEMPLATE.md

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
# Issue
2+
3+
Thanks for helping improve Fluxheim. If this is a security issue, do not open a
4+
public issue. Follow [SECURITY.md](../SECURITY.md) instead.
5+
6+
## What happened?
7+
8+
Describe the bug, missing behavior, or confusing documentation.
9+
10+
## What did you expect?
11+
12+
Describe the behavior you expected.
13+
14+
## How can we reproduce it?
15+
16+
Steps, config snippets, commands, or a small example are useful.
17+
18+
```toml
19+
# relevant Fluxheim config, if any
20+
```
21+
22+
```bash
23+
# relevant command, if any
24+
```
25+
26+
## Version and build
27+
28+
- Fluxheim version or commit:
29+
- Rust version:
30+
- Operating system:
31+
- Local binary or container:
32+
- Enabled features:
33+
34+
## Logs or output
35+
36+
Paste only relevant output. Remove tokens, private keys, cookies, IPs, domains,
37+
or other secrets before posting.
38+
39+
```text
40+
41+
```
42+
43+
## Extra context
44+
45+
Anything else that helps explain the issue.

.github/PULL_REQUEST_TEMPLATE.md

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
# Pull Request
2+
3+
## Summary
4+
5+
Describe what changed and why.
6+
7+
## Type
8+
9+
- [ ] Bug fix
10+
- [ ] Feature
11+
- [ ] Documentation
12+
- [ ] Refactor
13+
- [ ] Dependency update
14+
- [ ] Security hardening
15+
16+
## Checklist
17+
18+
- [ ] I kept the change scoped to Fluxheim's existing architecture.
19+
- [ ] I updated docs, examples, or roadmap entries when behavior changed.
20+
- [ ] I added or updated tests for behavior changes.
21+
- [ ] I ran `cargo fmt --all --check`.
22+
- [ ] I ran `cargo clippy --all-targets -- -D warnings`.
23+
- [ ] I ran `cargo test`.
24+
- [ ] I ran relevant feature builds or tests.
25+
- [ ] I checked dependency/license impact when adding or updating crates.
26+
- [ ] I did not commit secrets, private keys, tokens, local runtime data, or
27+
generated artifacts.
28+
29+
## Security Notes
30+
31+
Describe any security-sensitive impact. Mention request parsing, TLS, cache,
32+
proxy routing, admin endpoints, logging, metrics, or dependency changes if they
33+
are touched.
34+
35+
## Follow-Up
36+
37+
List any known remaining work or intentionally deferred tasks.

.github/dependabot.yml

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
version: 2
2+
3+
updates:
4+
- package-ecosystem: cargo
5+
directory: /
6+
schedule:
7+
interval: weekly
8+
day: monday
9+
time: "06:00"
10+
timezone: Europe/Stockholm
11+
open-pull-requests-limit: 5
12+
labels:
13+
- dependencies
14+
- rust
15+
commit-message:
16+
prefix: "chore"
17+
include: scope
18+
groups:
19+
rust-patch:
20+
update-types:
21+
- patch
22+
rust-minor:
23+
update-types:
24+
- minor
25+
26+
- package-ecosystem: github-actions
27+
directory: /
28+
schedule:
29+
interval: weekly
30+
day: monday
31+
time: "06:15"
32+
timezone: Europe/Stockholm
33+
open-pull-requests-limit: 5
34+
labels:
35+
- dependencies
36+
- github-actions
37+
commit-message:
38+
prefix: "chore"
39+
include: scope

.github/workflows/ci.yml

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
name: Rust CI
2+
3+
on:
4+
push:
5+
branches:
6+
- main
7+
pull_request:
8+
branches:
9+
- main
10+
11+
permissions:
12+
contents: read
13+
14+
env:
15+
CARGO_TERM_COLOR: always
16+
RUST_BACKTRACE: 1
17+
18+
jobs:
19+
checks:
20+
name: Format, lint, test, and audit
21+
runs-on: ubuntu-latest
22+
timeout-minutes: 45
23+
24+
steps:
25+
- name: Checkout repository
26+
uses: actions/checkout@v6
27+
28+
- name: Install Rust toolchain
29+
run: rustup show
30+
31+
- name: Cache Rust build output
32+
uses: Swatinem/rust-cache@v2
33+
with:
34+
cache-on-failure: true
35+
36+
- name: Install security tools
37+
uses: taiki-e/install-action@v2
38+
with:
39+
tool: cargo-deny,cargo-audit
40+
41+
- name: Check formatting
42+
run: cargo fmt --all --check
43+
44+
- name: Run clippy
45+
run: cargo clippy --all-targets -- -D warnings
46+
47+
- name: Run default tests
48+
run: cargo test
49+
50+
- name: Run feature build tests
51+
run: |
52+
cargo test --no-default-features --features proxy,load-balancer
53+
cargo test --no-default-features --features proxy,cache
54+
cargo test --no-default-features --features cache
55+
cargo test --no-default-features --features web
56+
cargo check --no-default-features --features proxy,tls-rustls
57+
58+
- name: Validate example configs
59+
run: |
60+
cargo run --quiet -- --check-config --config examples/fluxheim.toml
61+
cargo run --quiet -- --check-config --config examples/admin.toml
62+
cargo run --quiet -- --check-config --config examples/vhosts.toml
63+
cargo run --quiet -- --check-config --config examples/conf.d
64+
65+
- name: Check dependency policy
66+
run: cargo deny check
67+
68+
- name: Check RustSec advisories
69+
run: cargo audit

.gitignore

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,51 @@
1+
# Rust build output
12
/target/
3+
4+
# Local tool/runtime state
5+
/.agents/
6+
/.codex/
7+
README.internal.md
8+
9+
# Logs and diagnostics
210
*.log
11+
logs/
12+
*.pid
13+
14+
# Local environment and secrets
15+
.env
16+
.env.*
17+
!.env.example
18+
*.secret
19+
*.token
20+
*.key
21+
*.pem
22+
*.p12
23+
*.pfx
24+
*.der
25+
26+
# Fluxheim runtime data
27+
cache/
28+
acme/
29+
snapshots/
30+
runtime/
31+
data/
32+
tmp/
33+
temp/
34+
35+
# Container/local generated artifacts
36+
*.tar
37+
*.tar.gz
38+
*.tgz
39+
*.zip
40+
*.zst
41+
*.img
42+
*.qcow2
43+
44+
# Editor and OS noise
45+
.DS_Store
46+
Thumbs.db
47+
*~
48+
*.swp
49+
*.swo
50+
.idea/
51+
.vscode/

0 commit comments

Comments
 (0)