Add example environment configuration and Docker Compose setup
CI / Go Tests (push) Failing after 9s
CI / Build (push) Successful in 9s
Format / gofmt (push) Successful in 7s
Release Artifacts / Validate release tag (push) Successful in 1s
Release Artifacts / Build and release executables (push) Failing after 8s
Release Artifacts / Build and release Docker image (push) Has been skipped

- Introduced a new `.env.example` file to provide a template for environment variables used by the Scratchbox server.
- Added a `docker-compose.example.yml` file to facilitate easy deployment of the Scratchbox service with Docker.
- Updated `docker-entrypoint.sh` to enforce environment variable settings for server configuration.
- Removed the generation of a config key file from the workflow, simplifying the configuration process.
- Adjusted the README.md to reflect changes in configuration management and usage instructions.
This commit is contained in:
2026-06-01 04:36:53 -05:00
parent f74e028227
commit bc9077660b
10 changed files with 672 additions and 112 deletions
+105 -20
View File
@@ -9,13 +9,10 @@ Scratch content is gzip-compressed and AES-encrypted on disk transparently; API/
1. Generate defaults directly:
- `go run ./cmd/scratchbox generate-config > config.yaml`
2. Generate an encryption key file next to the config:
- `go run ./cmd/scratchbox generate-key > config.key`
- or: `openssl rand -base64 32 > config.key`
3. Adjust settings for your environment.
4. Start the server:
2. Adjust settings for your environment.
3. Start the server:
- `go run ./cmd/scratchbox server --config config.yaml`
5. Open:
4. Open:
- `http://127.0.0.1:8080/`
Without `--config`, built-in defaults are used.
@@ -34,19 +31,109 @@ Optionally set a custom image name/tag:
- `make docker DOCKER_IMAGE=scratchbox:latest`
Run with persistent data and config directories:
Run with persistent data and env-based config:
- `mkdir -p ./docker-data ./docker-config`
- `docker run --rm -p 8080:8080 -v "$(pwd)/docker-data:/data" -v "$(pwd)/docker-config:/config" scratchbox:dev`
- `mkdir -p ./docker-data`
- `cp .env.example .env`
- `docker run --rm -p 8080:8080 --env-file .env -v "$(pwd)/docker-data:/data" scratchbox:dev`
- Without `.env`, the image still starts with default config and uses `SCRATCHBOX_STORAGE_DATA_DIR=/data`.
- The image always forces `SCRATCHBOX_STORAGE_DATA_DIR=/data`.
- The image always forces `SCRATCHBOX_SERVER_LISTEN_ADDR=:8080`.
- The image always forces `SCRATCHBOX_SERVER_ACCESS_LOG_FILE_PATH` to empty (stdout-only access logs).
Use the included Compose example:
- `cp docker-compose.example.yml docker-compose.yml`
- `cp .env.example .env`
- `mkdir -p ./docker-data`
- `docker compose up -d`
Inside the container, the default command is:
- `scratchbox server --config /config/config.yaml`
- `scratchbox server --env`
- The image forces `SCRATCHBOX_STORAGE_DATA_DIR=/data`.
- The image forces `SCRATCHBOX_SERVER_LISTEN_ADDR=:8080`.
- The image forces `SCRATCHBOX_SERVER_ACCESS_LOG_FILE_PATH` to empty.
Create config files with the image (writes to mounted `./docker-config`):
To run with a YAML config instead, pass `--config` explicitly (mutually exclusive with `--env`):
- `docker run --rm -v "$(pwd)/docker-config:/config" scratchbox:dev generate-config > ./docker-config/config.yaml`
- `docker run --rm -v "$(pwd)/docker-config:/config" scratchbox:dev generate-key > ./docker-config/config.key`
- `docker run --rm -p 8080:8080 -v "$(pwd)/docker-data:/data" -v "$(pwd)/docker-config:/config" scratchbox:dev server --config /config/config.yaml`
Storage encryption key behavior:
- The key file is always stored at `storage.data_dir/metadata.key` (next to `metadata`).
- Scratchbox only auto-generates this key when `storage.data_dir` has no existing files.
- If the key is missing and files already exist in `storage.data_dir`, startup fails to prevent corruption.
- On subsequent startups, Scratchbox reuses the same key file from that data directory.
- Keep `storage.data_dir` persistent; losing or replacing `metadata.key` makes existing scratches unreadable.
Environment variables supported by `scratchbox server --env`:
- `SCRATCHBOX_SERVER_LISTEN_ADDR`
- `SCRATCHBOX_SERVER_READ_HEADER_TIMEOUT`
- `SCRATCHBOX_SERVER_READ_TIMEOUT`
- `SCRATCHBOX_SERVER_WRITE_TIMEOUT`
- `SCRATCHBOX_SERVER_IDLE_TIMEOUT`
- `SCRATCHBOX_SERVER_MAX_HEADER_BYTES`
- `SCRATCHBOX_SERVER_ACCESS_LOG_ENABLED`
- `SCRATCHBOX_SERVER_ACCESS_LOG_FILE_PATH` (forced empty by Docker image)
- `SCRATCHBOX_SERVER_ACCESS_LOG_MAX_SIZE`
- `SCRATCHBOX_SERVER_ACCESS_LOG_MAX_BACKUPS`
- `SCRATCHBOX_LIMITS_MAX_UPLOAD_SIZE`
- `SCRATCHBOX_LIMITS_DEFAULT_TTL`
- `SCRATCHBOX_LIMITS_RAW_CACHE_MAX_SIZE`
- `SCRATCHBOX_LIMITS_RAW_CACHE_MAX_ENTRIES`
- `SCRATCHBOX_STORAGE_DATA_DIR`
- `SCRATCHBOX_STORAGE_CLEANUP_INTERVAL`
- `SCRATCHBOX_SECURITY_ALLOWED_IPS` (comma-separated)
- `SCRATCHBOX_SECURITY_TRUST_PROXY_HEADERS`
- `SCRATCHBOX_SECURITY_TRUSTED_PROXY_IPS` (comma-separated)
- `SCRATCHBOX_SECURITY_RATE_LIMIT_UI_ENABLED`
- `SCRATCHBOX_SECURITY_RATE_LIMIT_UI_REQUESTS_PER_MINUTE`
- `SCRATCHBOX_SECURITY_RATE_LIMIT_UI_BURST`
- `SCRATCHBOX_SECURITY_RATE_LIMIT_API_READ_ENABLED`
- `SCRATCHBOX_SECURITY_RATE_LIMIT_API_READ_REQUESTS_PER_MINUTE`
- `SCRATCHBOX_SECURITY_RATE_LIMIT_API_READ_BURST`
- `SCRATCHBOX_SECURITY_RATE_LIMIT_API_WRITE_ENABLED`
- `SCRATCHBOX_SECURITY_RATE_LIMIT_API_WRITE_REQUESTS_PER_MINUTE`
- `SCRATCHBOX_SECURITY_RATE_LIMIT_API_WRITE_BURST`
Example `.env` for Docker:
```dotenv
# server
SCRATCHBOX_SERVER_LISTEN_ADDR=:8080
SCRATCHBOX_SERVER_READ_HEADER_TIMEOUT=5s
SCRATCHBOX_SERVER_READ_TIMEOUT=30s
SCRATCHBOX_SERVER_WRITE_TIMEOUT=30s
SCRATCHBOX_SERVER_IDLE_TIMEOUT=120s
SCRATCHBOX_SERVER_MAX_HEADER_BYTES=1048576
SCRATCHBOX_SERVER_ACCESS_LOG_ENABLED=true
# limits
SCRATCHBOX_LIMITS_MAX_UPLOAD_SIZE=100MiB
SCRATCHBOX_LIMITS_DEFAULT_TTL=15m
SCRATCHBOX_LIMITS_RAW_CACHE_MAX_SIZE=200MiB
SCRATCHBOX_LIMITS_RAW_CACHE_MAX_ENTRIES=32
# storage
SCRATCHBOX_STORAGE_DATA_DIR=/data
SCRATCHBOX_STORAGE_CLEANUP_INTERVAL=1m
# security
SCRATCHBOX_SECURITY_ALLOWED_IPS=127.0.0.1
SCRATCHBOX_SECURITY_TRUST_PROXY_HEADERS=false
SCRATCHBOX_SECURITY_TRUSTED_PROXY_IPS=
SCRATCHBOX_SECURITY_RATE_LIMIT_UI_ENABLED=false
SCRATCHBOX_SECURITY_RATE_LIMIT_UI_REQUESTS_PER_MINUTE=360
SCRATCHBOX_SECURITY_RATE_LIMIT_UI_BURST=120
SCRATCHBOX_SECURITY_RATE_LIMIT_API_READ_ENABLED=false
SCRATCHBOX_SECURITY_RATE_LIMIT_API_READ_REQUESTS_PER_MINUTE=300
SCRATCHBOX_SECURITY_RATE_LIMIT_API_READ_BURST=100
SCRATCHBOX_SECURITY_RATE_LIMIT_API_WRITE_ENABLED=true
SCRATCHBOX_SECURITY_RATE_LIMIT_API_WRITE_REQUESTS_PER_MINUTE=30
SCRATCHBOX_SECURITY_RATE_LIMIT_API_WRITE_BURST=10
```
## Release Artifacts
@@ -80,7 +167,6 @@ To run from an unpacked artifact:
If you do not have a config file yet, generate one first:
- `go run ./cmd/scratchbox generate-config > config.yaml`
- `go run ./cmd/scratchbox generate-key > config.key`
## Configuration
@@ -142,12 +228,11 @@ All configuration is YAML.
- `cleanup_interval`: background interval for deleting expired content.
- Must be at least `10s`
- Default: `1m`
- `encryption_key_file`: path to a file containing a base64-encoded 32-byte key used for at-rest encryption.
- Relative paths are resolved from the config file directory
- Default: `config.key` (expected alongside `config.yaml`)
- Keep this key stable across restarts
- Changing the key makes existing scratch files unreadable
- `generate-key` emits a fresh random key each run
- Encryption key file is managed automatically at `storage.data_dir/metadata.key`.
- Auto-generated only when `storage.data_dir` has no existing files
- If missing while files exist in `storage.data_dir`, startup fails
- Reused on subsequent startups for the same data directory
- Changing/removing this file makes existing scratch files unreadable
### `security`