docs: update readme

feat: dockerfile
feat: bind mist on all interfaces
2026-03-01 12:59:36 +01:00 · 2026-03-01 12:57:30 +01:00 · 2026-03-01 12:57:24 +01:00
3 changed files with 54 additions and 21 deletions
--- a/22
+++ b/22
@@ -0,0 +1,22 @@
+FROM ghcr.io/gleam-lang/gleam:v1.14.0-erlang-alpine
+
+RUN apk add --no-cache elixir git libstdc++ openssl
+
+WORKDIR /app
+
+COPY gleam.toml manifest.toml ./
+COPY src/ ./src/
+
+RUN gleam deps download && gleam build --target erlang
+
+RUN adduser -D -H spasteg && chown -R spasteg:spasteg /app
+
+ENV PORT=3000
+EXPOSE 3000
+
+USER spasteg
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD wget --no-verbose --tries=1 --spider http://localhost:3000/ || exit 1
+
+ENTRYPOINT ["gleam", "run", "--target", "erlang", "--", "--no-halt"]
--- a/README.md
+++ b/README.md
@@ -11,6 +11,14 @@ A secure, self-hostable "burn after reading" paste service with ephemeral storag
 - Fast and reliable
 - Written in Gleam (type-safe)

+## Architecture
+
+- Gleam: Type-safe language built upon the BEAM
+- Web: Wisp framework + Mist HTTP server
+- Frontend: Lustre for HTML rendering
+- Storage: In-memory only (no persistence)
+- Security: AES-256-GCM client-side encryption, CSRF tokens, rate limiting, security headers
+
 ## Configuration

 ### SECRET_KEY_BASE (Required for Production)
@@ -50,6 +58,29 @@ gleam run

 The server starts on `http://localhost:3000`.

+## Docker image+deployment
+
+### Build
+
+```bash
+docker build -t spasteg .
+```
+
+### Run
+
+```bash
+# Generate a secure key
+docker run -p 3000:3000 -e SECRET_KEY_BASE=$(openssl rand -base64 48) spasteg
+```
+
+**With custom port:**
+
+```bash
+docker run -p 8080:3000 -e SECRET_KEY_BASE=$(openssl rand -base64 48) -e PORT=3000 spasteg
+```
+
+The container exposes port 3000 and runs as a non-root user with a health check configured.
+
 ## Usage

 1. Visit `http://localhost:3000`
@@ -60,27 +91,6 @@ The server starts on `http://localhost:3000`.

 Note: the creator cannot see their post with the copied link (except in private browsing) - it would be burned immediately.

-## Architecture
-
- **Gleam**: Type-safe language built upon the BEAM
- **Web**: Wisp framework + Mist HTTP server
- **Frontend**: Lustre for HTML rendering
- **Storage**: In-memory only (no persistence)
- **Security**: AES-256-GCM client-side encryption, CSRF tokens, rate limiting, security headers
-
-## Security Notes
-
- Pastes are client-side encrypted (AES-256-GCM) before being sent to server
- Server never sees the decryption key (stored in URL fragment after `#`)
- Data is stored **encrypted** in server memory only
- Data is **never written to disk**
- All data is lost on server restart
- CSRF protection via double-submit cookie pattern
- Rate limiting: 10 requests per IP (resets on server restart)
- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- 10MB maximum paste size limit
- Intended for ephemeral sharing only — do not store sensitive data
-
 ## License

 This project is licensed under the GNU General Public License v3.0 or later (GPLv3+). See the [LICENSE](LICENSE) file for details.
--- a/src/spasteg.gleam
+++ b/src/spasteg.gleam
@@ -29,6 +29,7 @@ pub fn main() {
      secret_key_base,
    )
    |> mist.new
+    |> mist.bind("0.0.0.0")
    |> mist.port(3000)
    |> mist.start
Author	SHA1	Message	Date
Kharec	53dd416c17	docs: update readme	2026-03-01 12:59:36 +01:00
Kharec	31da68b6c1	feat: dockerfile	2026-03-01 12:57:30 +01:00
Kharec	2ecfda256b	feat: bind mist on all interfaces	2026-03-01 12:57:24 +01:00