Deploy Readeck for production
This document will show how to deploy Readeck on a Linux server with systemd and an Nginx reverse proxy. You'll need root access to create a user and install the service.
Create a user
It's strongly recommended not to run Readeck as the root user, so the first thing we'll do is create a group and a user for the service.
groupadd --system readeck
useradd --system -d /var/lib/readeck -M -s /bin/false -g readeck readeck
mkdir /var/lib/readeck
chown readeck:readeck /var/lib/readeck
This creates a readeck user belonging to the group readeck, as well as a directory /var/lib/readeck.
Install the Readeck binary
This downloads the latest Readeck release and makes it executable by any user on the system.
wget -O /usr/local/bin/readeck https://codeberg.org/readeck/readeck/releases/download/0.13.2/readeck-0.13.2-linux-amd64
chmod a+x /usr/local/bin/readeck
Create a configuration folder
You don't need a configuration file at first but you'll need a configuration folder:
mkdir /etc/readeck
chown readeck:root /etc/readeck
chmod 0750 /etc/readeck
Create a Systemd service
Create a file /etc/systemd/system/readeck.service with the following content:
[Unit]
Description=Readeck - Open Source bookmark manager
After=network.target
[Service]
User=readeck
Group=readeck
ExecStart=/usr/local/bin/readeck serve -config /etc/readeck/config.toml
Restart=on-failure
RestartSec=5
ProtectSystem=full
PrivateTmp=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
Now, you can reload systemd and start readeck:
systemctl daemon-reload
systemctl start readeck
You can check that Readeck is running:
systemctl status readeck
Set up a reverse proxy
Now, Readeck is running but is listening publicly on port 8000 for anyone who wants to connect. You might not want that and would rather put it behind a reverse proxy such as Nginx or Caddy.
Let's first edit the configuration to listen only on localhost. In /etc/readeck/config.toml, edit the following lines:
[server]
host = "127.0.0.1"
port = 8000
allowed_hosts = ["read.example.net"]
use_x_forwarded_for = true
use_x_forwarded_host = true
use_x_forwarded_proto = true
Change the value of allowed_hosts, and port if you'd like to use something else.
Important
Setting a value for allowed_hosts is a good security measure.
If you're using Readeck as a container behind a reverse proxy, you must set the environment variable READECK_USE_X_FORWARDED=1.
We'll assume Nginx is installed and that you followed the necessary steps to have a TLS certificate. Here's a fragment of a virtual host that can serve Readeck:
server {
    # Must match an entry in allowed_hosts in /etc/readeck/config.toml
    server_name read.example.net;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # ... certificate configuration
    location / {
        proxy_pass http://127.0.0.1:8000/;
        # Forward the original client address, host and scheme to Readeck
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_buffering off;
        client_max_body_size 50M;
    }
}
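To confirm that port 8000 is only reachable through the proxy once Readeck has been restarted with the configuration above, the following added example (not part of the Readeck documentation) parses `ss -Hltn` output and reports any non-loopback listener on that port. The function names and the sample socket listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Readeck docs): confirm Readeck's port is only
# bound to loopback, so the only public entry point is the reverse proxy.

# Read `ss -Hltn` lines on stdin and print every local address bound to
# port $1 that is not loopback. No output means loopback-only.
non_loopback_listeners() {
    awk -v port="$1" '
    {
        addr = $4                          # 4th column: Local Address:Port
        n = split(addr, parts, ":")
        if (parts[n] != port) next         # some other service
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        print addr                         # wildcard or routable address
    }'
}

# Live check for the server itself; returns non-zero when exposed.
check_readeck_bind() {
    port="${1:-8000}"
    found="$(ss -Hltn | non_loopback_listeners "$port")"
    [ -z "$found" ] && return 0
    echo "port $port is also bound to: $found" >&2
    return 1
}

# Constructed samples of `ss -Hltn` output (not captured from a real host).
# Before: default settings, as described at the start of this section.
SAMPLE_BEFORE='LISTEN 0 4096 *:8000 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
# After: host = "127.0.0.1" in config.toml, Nginx listening on 443.
SAMPLE_AFTER='LISTEN 0 4096 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*'

echo "before: $(printf '%s\n' "$SAMPLE_BEFORE" | non_loopback_listeners 8000)"
echo "after:  $(printf '%s\n' "$SAMPLE_AFTER" | non_loopback_listeners 8000)"
```

On the server, call check_readeck_bind (optionally with a different port) after restarting the service; it needs the ss utility from iproute2.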