- [x] Implement GORM V2 metadata store with SQLite, PostgreSQL, and MySQL support - [x] Add database migration system using gormigrate for schema versioning - [x] Create migration CLI tool with support for migrate, rollback, and status commands - [x] Add Docker support for migration container (Dockerfile.migrate) - [x] Implement automatic partition management for PostgreSQL time-series tables - [x] Add background aggregation worker for download statistics - [x] Support connection pooling configuration (max_open_conns, max_idle_conns, conn_max_lifetime) - [x] Add blocking mechanism based on vulnerability thresholds in stats and handlers - [x] Update Helm charts with migration init containers and multi-database configuration - [x] Replace deprecated SQLite store with optimized GORM implementation - [x] Add comprehensive integration tests for MySQL and PostgreSQL - [x] Update frontend to display blocked packages and storage utilization - [x] Add goreleaser configuration for migrate binary and container image - [x] Update configuration examples with database backend options and recommendations
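---
# GoHoarder Configuration Example
#
# Port Configuration:
# - Backend server port is configured below (server.port)
# - Frontend dev server uses frontend/.env (VITE_PORT and VITE_BACKEND_URL)
# - When running `make run`, both will start with their configured ports
# - The frontend automatically proxies /api and /ws requests to the backend
#
# Secrets: every credential in this file (storage.s3.secret_access_key,
# storage.smb.password, metadata.postgresql.password, metadata.mysql.password,
# security.scanners.ghsa.token) is a plain string. Keep them empty in any copy
# that is committed to version control and inject the real values at deploy
# time (Kubernetes Secret, secret manager, etc.).
#
# NOTE(review): this example was reconstructed from a rendering that had lost
# its indentation. The nesting of every section below follows the key order
# and comments of the original; in particular the placement of the
# connection-pool keys under `metadata` and of `rate_limit`,
# `circuit_breaker` and `retry` at top level should be confirmed against the
# loader's config struct before this file is used verbatim.

server:
  # "0.0.0.0" binds every interface. With tls.enabled false below, API keys
  # and package contents cross the network in cleartext — keep the service
  # behind a TLS-terminating proxy, or enable TLS here, before exposing it
  # beyond localhost.
  host: "0.0.0.0"
  port: 8080  # Backend API server port
  read_timeout: "5m"
  write_timeout: "5m"
  idle_timeout: "2m"
  tls:
    enabled: false
    cert_file: ""
    key_file: ""

storage:
  backend: "filesystem"  # filesystem, s3, smb, nfs
  path: "/var/cache/gohoarder"

  filesystem:
    base_path: "/var/cache/gohoarder"

  s3:
    endpoint: "s3.amazonaws.com"
    region: "us-east-1"
    bucket: "gohoarder-cache"
    access_key_id: ""
    secret_access_key: ""  # Secret — leave empty here, inject at deploy time
    use_ssl: true  # Keep true: plaintext S3 exposes both the cache and these credentials

  smb:
    host: ""
    share: ""
    username: ""
    password: ""  # Secret — leave empty here, inject at deploy time
    domain: ""

metadata:
  # Backend: sqlite, postgresql, mysql, mariadb, file
  #
  # Choose based on your deployment:
  # - sqlite: Single instance, local storage (NOT for network filesystems like SMB/NFS!)
  # - postgresql: Production, multiple replicas, works with any storage including SMB/NFS
  # - mysql: Production alternative to PostgreSQL
  # - file: Simple file-based metadata (limited features)
  #
  # IMPORTANT: SQLite + SMB/NFS = Database locked errors!
  # For network storage (SMB, NFS), use PostgreSQL or MySQL.
  backend: "sqlite"
  connection: "file:gohoarder.db?cache=shared&mode=rwc"  # Legacy, not used with GORM

  # SQLite configuration (for local storage only)
  # Use with local storage classes (local-path, hostPath, or RWX like longhorn)
  # DO NOT use with SMB/NFS network storage!
  sqlite:
    path: "gohoarder.db"
    wal_mode: true  # Set to false for network filesystems if you must use SQLite

  # PostgreSQL configuration (recommended for production)
  # Works with any storage including SMB/NFS
  # Supports multiple replicas and high availability
  postgresql:
    host: "localhost"
    port: 5432
    database: "gohoarder"
    user: "gohoarder"
    password: ""  # Secret — leave empty here, inject at deploy time
    # "disable" is only acceptable for a loopback/local database. For any
    # remote host use "verify-full" (encrypts AND checks the server
    # certificate and hostname). "require" encrypts but does not authenticate
    # the server, so it still permits an in-path attacker; "verify-ca" checks
    # the certificate chain but not the hostname.
    ssl_mode: "disable"  # disable, require, verify-ca, verify-full

  # MySQL/MariaDB configuration (alternative to PostgreSQL)
  # Works with any storage including SMB/NFS
  # NOTE(review): no TLS option is shown for MySQL in this example, unlike
  # postgresql.ssl_mode. Confirm how the driver negotiates TLS before pointing
  # this at a remote host; otherwise credentials and metadata go in cleartext.
  mysql:
    host: "localhost"
    port: 3306
    database: "gohoarder"
    user: "gohoarder"
    password: ""  # Secret — leave empty here, inject at deploy time
    charset: "utf8mb4"
    parse_time: true

  # GORM connection pool settings (applies to all database backends)
  max_open_conns: 25  # Maximum number of open connections to the database
  max_idle_conns: 5  # Maximum number of idle connections in the pool
  # Plain integer in SECONDS (1 hour) — unlike the "5m"-style duration strings
  # used elsewhere in this file; do not write "1h" here.
  conn_max_lifetime: 3600
  # "info" is the most verbose level (statement-level logging); keep it out of
  # production so database traffic does not end up in application logs.
  log_level: "warn"  # GORM log level: silent, error, warn, info

cache:
  default_ttl: "168h"  # 7 days
  cleanup_interval: "1h"
  max_size_bytes: 536870912000  # 500GB
  per_project_quota: 53687091200  # 50GB
  ttl_overrides:
    npm: "168h"
    pip: "168h"
    go: "168h"

security:
  # Master switch for vulnerability scanning/blocking. With false, the
  # block_on_severity / block_thresholds / scanners settings below have no
  # effect and packages are served unscanned. Set to true in production and
  # enable at least one scanner for each ecosystem you proxy.
  enabled: false
  # Two blocking controls exist: the single severity cut-off here and the
  # per-severity counts in block_thresholds. NOTE(review): which one wins when
  # they disagree (e.g. "high" here vs high: -1 below) cannot be determined
  # from this file — confirm against the handler before relying on either.
  block_on_severity: "high"  # none, low, medium, high, critical
  scan_on_download: true  # Scan packages on first download
  rescan_interval: "24h"  # How often to re-scan packages (e.g., 24h, 168h for weekly)
  # false means the local scanner databases (Trivy/Grype) are only as fresh
  # as their last manual update; a stale database silently misses new
  # advisories. Either set this to true or refresh them on a schedule.
  update_db_on_startup: false
  # Bypass list: entries here skip the security checks entirely. Pin each
  # entry to an exact version ("registry/name@version", never a bare name)
  # and review changes to this list as carefully as a code change.
  allowed_packages: []
  # Global suppressions. Record the justification for each ID next to it.
  ignored_cves: []  # CVE IDs to ignore globally (e.g., "CVE-2021-23337")

  block_thresholds:
    critical: 0  # Max critical vulns (0 = block any)
    high: -1  # Max high vulns (-1 = unlimited)
    medium: -1  # Max medium vulns
    low: -1  # Max low vulns

  scanners:
    # Trivy - Comprehensive vulnerability scanner from Aqua Security
    # Supports: containers, OS packages, language packages
    trivy:
      enabled: false
      timeout: "5m"
      cache_db: "/var/lib/trivy"

    # OSV - Google's Open Source Vulnerabilities database
    # Supports: npm, PyPI, Go, Maven, NuGet, etc.
    # Online scanner: package names/versions are sent to api_url. Keep the
    # https:// scheme so results cannot be tampered with in transit.
    osv:
      enabled: false
      api_url: "https://api.osv.dev"
      timeout: "30s"

    # Grype - Multi-ecosystem vulnerability scanner from Anchore
    # Supports: all package types, containers, SBOMs
    grype:
      enabled: false
      timeout: "5m"

    # govulncheck - Official Go vulnerability scanner from the Go team
    # Supports: Go modules only
    govulncheck:
      enabled: false
      timeout: "5m"

    # npm-audit - npm's built-in vulnerability scanner
    # Supports: npm packages only
    npm_audit:
      enabled: false
      timeout: "2m"

    # pip-audit - Python package vulnerability scanner
    # Supports: PyPI packages only
    pip_audit:
      enabled: false
      timeout: "2m"

    # GitHub Advisory Database - GitHub's security advisory database
    # Supports: npm, pip, go, maven, nuget, cargo, pub
    # Optional: Set token for higher API rate limits (60 req/hour unauthenticated, 5000 req/hour authenticated)
    # The token only needs read access to public advisories — use a
    # fine-grained token with no repository or org scopes.
    ghsa:
      enabled: false
      timeout: "30s"
      token: ""  # Secret — optional GitHub personal access token (ghp_...); inject at deploy time

    # Static Analysis - Basic static analysis and package validation
    # NOTE(review): whether this runs when security.enabled is false is not
    # determinable from this file — confirm before relying on it as the
    # baseline check.
    static:
      enabled: true
      max_package_size: 2147483648  # 2GB
      check_checksums: true  # Keep true: rejects packages whose checksum does not match the registry's
      block_suspicious: false  # false = findings are reported but the package is still served
      allowed_licenses: []  # Presumably no restriction when empty — confirm against the scanner

auth:
  # Keep true: with auth disabled the registry (and the cache it has stored)
  # is readable by anyone who can reach server.port.
  enabled: true
  # "0" = keys never expire, so a leaked key stays valid until it is revoked
  # by hand. Prefer a finite lifetime (e.g. "8760h" for 1 year) and rotate.
  key_expiration: "0"  # Never expire (0), or duration like "8760h" for 1 year
  bcrypt_cost: 10  # Work factor for hashing API keys; 10 is the usual floor, raise if CPU budget allows
  audit_log: true  # Keep true: this is the record you will need during an incident

network:
  connect_timeout: "10s"
  read_timeout: "5m"
  write_timeout: "5m"
  max_idle_conns: 100
  max_conns_per_host: 10

rate_limit:
  per_api_key: 1000
  # Per-IP limiting is only meaningful if the server sees the real client
  # address. NOTE(review): behind a reverse proxy every request shares the
  # proxy's IP unless forwarded-address headers are honoured — not
  # determinable from this file; confirm the proxy setup.
  per_ip: 100
  burst_size: 50

circuit_breaker:
  threshold: 5
  timeout: "30s"
  reset_interval: "60s"

retry:
  max_attempts: 3
  initial_backoff: "1s"
  max_backoff: "30s"

logging:
  level: "info"  # debug, info, warn, error
  format: "json"  # json, pretty

handlers:
  go:
    enabled: true
    upstream_proxy: "https://proxy.golang.org"
    checksum_db: "https://sum.golang.org"
    # Keep true: the checksum database is what detects a module that was
    # altered at or in front of the upstream proxy.
    verify_checksums: true

  npm:
    enabled: true
    upstream_registry: "https://registry.npmjs.org"

  pypi:
    enabled: true
    upstream_url: "https://pypi.org"
    simple_api_url: "https://pypi.org/simple"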