Skip to content

Commit 8db9638

Browse files
committed
Prepare Fluxheim 1.0.0 release
1 parent 0f32de4 commit 8db9638

7 files changed

Lines changed: 99 additions & 24 deletions

File tree

CHANGELOG.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,10 @@ behavior when the change improves security or project direction.
99

1010
## Unreleased
1111

12+
## 1.0.0 - Gateway Foundation
13+
14+
Released: 2026-05-08
15+
1216
### Added
1317

1418
- `1.0` gateway migration fixtures and smoke coverage for representative

Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "fluxheim"
3-
version = "0.5.0"
3+
version = "1.0.0"
44
edition = "2024"
55
rust-version = "1.95"
66
license = "EUPL-1.2"

README.md

Lines changed: 14 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -225,24 +225,23 @@ scripts/validate-features.sh proxy,web,tls-rustls,load-balancer
225225

226226
</details>
227227

228-
## Next Target: 1.0 Gateway Core
228+
## Current Stable: 1.0 Gateway Core
229229

230-
Fluxheim will not treat every planned feature as part of `1.0`. The `1.0`
231-
target is the first release intended to migrate representative real multi-site
230+
Fluxheim does not treat every planned feature as part of `1.0`. The `1.0`
231+
release is the first release intended to migrate representative real multi-site
232232
gateway configs.
233233

234-
Already landed after `0.5.0`: route-level exact/prefix/fallback matching,
235-
route actions for proxy/static/redirects, route prefix stripping, per-route
236-
body limits, upstream connect/read/send timeout knobs, websocket-safe upgrade
237-
smoke coverage for `/chat/`-style routes, and custom upstream error pages,
238-
secure static aliases with optional directory listing, cleartext ACME challenge
239-
exceptions, safe dynamic request-header templates for common proxy migrations,
240-
SNI certificate selection for the default rustls TLS backend and
241-
callback-capable TLS backends, and native systemd deployment files for manually
242-
compiled binaries. Direct proxy upstream DNS names
243-
are resolved per request and resolution failures return upstream errors instead
244-
of panicking the worker, which covers local Podman service names for the non-LB
245-
gateway path.
234+
Included in `1.0`: route-level exact/prefix/fallback matching, route actions
235+
for proxy/static/redirects, route prefix stripping, per-route body limits,
236+
upstream connect/read/send timeout knobs, websocket-safe upgrade smoke coverage
237+
for `/chat/`-style routes, custom upstream error pages, secure static aliases
238+
with optional directory listing, cleartext ACME challenge exceptions, safe
239+
dynamic request-header templates for common proxy migrations, SNI certificate
240+
selection for the default rustls TLS backend and callback-capable TLS backends,
241+
and native systemd deployment files for manually compiled binaries. Direct proxy
242+
upstream DNS names are resolved per request and resolution failures return
243+
upstream errors instead of panicking the worker, which covers local Podman
244+
service names for the non-LB gateway path.
246245

247246
After `1.0`, the planned release ladder continues with TLS policy hardening,
248247
operations tooling, load balancing, cache improvements, certificate automation,

RELEASE_NOTES_1.0.0.md

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
# Fluxheim 1.0.0 Release Notes
2+
3+
## Release Metadata
4+
5+
- Version: `1.0.0`
6+
- Release date: 2026-05-08
7+
- Git tag: `v1.0.0`
8+
- Release type: stable gateway foundation
9+
10+
## Summary
11+
12+
Fluxheim `1.0.0` is the first stable gateway foundation release. It is intended
13+
for production testing of static sites, vhosts, redirects, TLS/SNI, HTTP/2,
14+
secure defaults, systemd/RPM deployment, and external ACME challenge forwarding.
15+
16+
## Highlights
17+
18+
- Static site serving with secure path validation, index files, ETags, range
19+
requests, and optional directory listing.
20+
- Vhost routing with default-vhost fallback, wildcard host matching, route
21+
exact/prefix/fallback matching, redirects, static route actions, and proxy
22+
route actions.
23+
- HTTP to HTTPS redirects and canonical host redirects that preserve safe request
24+
URIs.
25+
- TLS with rustls by default, static vhost certificates, SNI selection, and
26+
default-vhost fallback certificate support.
27+
- External ACME HTTP-01 challenge forwarding helper for
28+
`/.well-known/acme-challenge/`.
29+
- Dynamic request header templates for common proxy migrations.
30+
- Native systemd/RPM packaging, packaged default config/site, and server
31+
preparation helper.
32+
- CodeQL, cargo audit/deny, SBOM generation, reproducible-build checks, panic
33+
policy hardening, zeroized admin token handling, and constant-time admin token
34+
verification.
35+
36+
## Validated Scope
37+
38+
- Native RPM/systemd deployment.
39+
- Static web roots and config preflight.
40+
- HTTP/80 and TLS/443 listeners.
41+
- HTTP/2 via ALPN.
42+
- Multi-certificate SNI with rustls.
43+
- External certbot/Actalis challenge forwarding.
44+
- Basic proxy migration headers and route/vhost proxying.
45+
46+
## Known Limits
47+
48+
- Native ACME certificate issuance/storage is still future work; use an external
49+
ACME client plus deploy hook for this release.
50+
- HTTP/3/QUIC is post-1.0 work.
51+
- Advanced gateway modules such as compression policy, identity-aware auth,
52+
trusted proxy providers, secure links, WAF, and WASM are roadmap items.
53+
- Vhost TLS certificate changes require the normal process restart/reload
54+
workflow; automatic renewal reload is not first-class yet.
55+
56+
## Checksums And Signatures
57+
58+
Record during the release:
59+
60+
- Commit: to be filled after the release-prep commit
61+
- Local gate: GitHub CI green before tag; local release metadata checks passed
62+
- CodeQL/code scanning: no open release-blocking alerts before tag
63+
- Source archive checksums: to be filled
64+
- Binary checksums: to be filled
65+
- SBOM checksums: to be filled
66+
- Reproducible build: to be filled
67+
- Container digests: to be filled
68+
- Tag signature: to be filled

docs/release-runbook.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ Use this from a clean `main` checkout. Set the release variables once, then
77
reuse them through the commands below:
88

99
```bash
10-
RELEASE_VERSION=0.5.0
10+
RELEASE_VERSION=1.0.0
1111
TAG="v${RELEASE_VERSION}"
1212
TITLE="Fluxheim ${RELEASE_VERSION}"
1313
RELEASE_NOTES="RELEASE_NOTES_${RELEASE_VERSION}.md"

packaging/rpm/fluxheim.spec

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -7,15 +7,15 @@
77
%{!?_unitdir:%global _unitdir %{_prefix}/lib/systemd/system}
88

99
Name: fluxheim
10-
Version: 0.5.0
10+
Version: 1.0.0
1111
Release: 1%{?dist}
1212
Summary: Modular Pingora-based reverse proxy and static web server
1313
License: EUPL-1.2
1414
URL: https://github.com/valkyoth/fluxheim
1515
Source0: https://github.com/valkyoth/fluxheim/archive/refs/tags/v%{version}/%{name}-%{version}.tar.gz
1616
# Create with:
1717
# cargo vendor vendor > /tmp/fluxheim-cargo-config.toml
18-
# tar -czf fluxheim-0.5.0-vendor.tar.gz vendor
18+
# tar -czf fluxheim-1.0.0-vendor.tar.gz vendor
1919
Source1: %{name}-%{version}-vendor.tar.gz
2020
Source2: fluxheim.tmpfiles
2121
Source3: fluxheim.service
@@ -43,9 +43,10 @@ Requires(pre): shadow-utils
4343
Requires: ca-certificates
4444

4545
%description
46-
Fluxheim is a modular Rust edge server built on Pingora. The 0.5.x release line
47-
is a basic-sites preview for static website hosting, static TLS certificates,
48-
vhost routing, secure header policy, and simple whole-vhost reverse proxying.
46+
Fluxheim is a modular Rust edge server built on Pingora. The 1.0 release is the
47+
gateway foundation for static website hosting, vhost routing, HTTP to HTTPS
48+
redirects, static TLS certificates with SNI, secure header policy, route-level
49+
proxy/static/redirect behavior, and native systemd deployment.
4950

5051
This spec builds from vendored Cargo dependencies and uses Cargo offline mode.
5152
It intentionally does not download crates during the RPM build.
@@ -118,7 +119,7 @@ fi
118119

119120
%files
120121
%license LICENSE
121-
%doc README.md CHANGELOG.md ROADMAP.md RELEASE_NOTES_0.5.0.md docs examples
122+
%doc README.md CHANGELOG.md ROADMAP.md RELEASE_NOTES_1.0.0.md docs examples
122123
%{_bindir}/fluxheim
123124
%{_tmpfilesdir}/fluxheim.conf
124125
%{_sysusersdir}/fluxheim.conf
@@ -135,5 +136,8 @@ fi
135136
%config(noreplace) %attr(0644,fluxheim,fluxheim) /srv/fluxheim/index.html
136137

137138
%changelog
139+
* Fri May 08 2026 Fluxheim Maintainers <1921261+eldryoth@users.noreply.github.com> - 1.0.0-1
140+
- Stable gateway foundation release with vhosts, TLS/SNI, redirects, static sites, routes, and systemd/RPM packaging.
141+
138142
* Wed May 06 2026 Fluxheim Maintainers <1921261+eldryoth@users.noreply.github.com> - 0.5.0-1
139143
- Initial RPM packaging spec for the basic-sites preview.

0 commit comments

Comments
 (0)