Deploy Readeck for production

This document will show how to deploy Readeck on a Linux server with systemd and an Nginx reverse proxy. You'll need root access to create a user and install the service.

Create a user

It's strongly recommended not to run Readeck as the root user, so the first thing we'll do is create a group and a user for the service.

groupadd --system readeck
useradd --system -d /var/lib/readeck -M -s /bin/false -g readeck readeck
mkdir /var/lib/readeck
chown readeck:readeck /var/lib/readeck

This creates a readeck user belonging to the group readeck, as well as a directory /var/lib/readeck.

Install the Readeck binary

This downloads the latest Readeck release and makes it executable by any user on the system.

wget -O /usr/local/bin/readeck https://codeberg.org/readeck/readeck/releases/download/0.13.2/readeck-0.13.2-linux-amd64
chmod a+x /usr/local/bin/readeck

Create a configuration folder

You don't need a configuration file at first but you'll need a configuration folder:

mkdir /etc/readeck
chown readeck:root /etc/readeck
chmod 0750 /etc/readeck

Create a Systemd service

Create a file /etc/systemd/system/readeck.service with the following content:

[Unit]
Description=Readeck - Open Source bookmark manager
After=network.target

[Service]
User=readeck
Group=readeck
ExecStart=/usr/local/bin/readeck serve -config /etc/readeck/config.toml
Restart=on-failure
RestartSec=5

ProtectSystem=full
PrivateTmp=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Now, you can reload systemd and start readeck:

systemctl daemon-reload
systemctl start readeck

You can check that Readeck is running:

systemctl status readeck

Set up a reverse proxy

Now, Readeck is running but is listening publicly on port 8000 for anyone who wants to connect. You probably don't want that; instead, put it behind a reverse proxy such as Nginx or Caddy.

Let's first edit the configuration to listen only on localhost. In /etc/readeck/config.toml, edit the following lines:

[server]
host = "127.0.0.1"
port = 8000
allowed_hosts = ["read.example.net"]
use_x_forwarded_for = true
use_x_forwarded_host = true
use_x_forwarded_proto = true

Change the value of allowed_hosts, and port if you'd like to use something else.

Important

Setting a value for allowed_hosts is a good security measure.
If you're using Readeck as a container behind a reverse proxy, you must set the environment variable READECK_USE_X_FORWARDED=1.
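
A quick check for the [server] settings above, as an added example that is not part of the Readeck documentation or project. The function name audit_readeck_config and both sample files are constructed here, and it assumes, as this page states, that Readeck without a loopback host is reachable publicly.

```shell
#!/bin/sh
# Added example (hypothetical helper): audit the [server] table of a Readeck config.toml.
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_readeck_config() {
    awk '
        # Track the current TOML table; only keys under [server] are collected.
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_server = (s == "[server]"); next }
        !in_server || /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            key = $0; sub(/[ \t]*=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*#.*$/, "", val)
            gsub(/"/, "", val); cfg[key] = val
        }
        END {
            # Assumption taken from the page: without a loopback host, Readeck is public.
            host = ("host" in cfg) ? cfg["host"] : "(unset)"
            loopback = (host == "127.0.0.1" || host == "::1" || host == "localhost")
            if (!loopback) { print "host=" host ": not loopback, reachable without the proxy"; bad++ }
            hosts = cfg["allowed_hosts"]; gsub(/[^A-Za-z0-9.:_-]/, "", hosts)
            if (hosts == "") { print "allowed_hosts: empty or unset, no Host allow-list"; bad++ }
            n = split("use_x_forwarded_for use_x_forwarded_host use_x_forwarded_proto", fwd, " ")
            for (i = 1; i <= n; i++)
                if (cfg[fwd[i]] == "true" && !loopback) {
                    print fwd[i] ": header trusted while clients can connect directly"; bad++
                }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample: the [server] table exactly as shown on this page.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hardened.toml" <<'EOF'
[server]
host = "127.0.0.1"
port = 8000
allowed_hosts = ["read.example.net"]
use_x_forwarded_for = true
use_x_forwarded_host = true
use_x_forwarded_proto = true
EOF
# Constructed weak variant: public bind, no allow-list, forwarded header still trusted.
printf '[server]\nhost = "0.0.0.0"\nuse_x_forwarded_for = true\n' > "$demo_dir/weak.toml"
audit_readeck_config "$demo_dir/hardened.toml" && echo "hardened.toml: no findings"
audit_readeck_config "$demo_dir/weak.toml" || echo "weak.toml: findings listed above"
```

On a real host, point the function at /etc/readeck/config.toml after editing it and before restarting the service.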

We'll assume Nginx is installed and that you have completed the steps needed to obtain a TLS certificate. Here's a fragment of a virtual host that can serve Readeck:

server {
    # Must match an entry in allowed_hosts in /etc/readeck/config.toml
    server_name read.example.net;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # ... certificate configuration

    location / {
        proxy_pass http://127.0.0.1:8000/;
        proxy_set_header  X-Real-IP         $remote_addr;
        proxy_set_header  Host              $host;
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
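        proxy_set_header  X-Forwarded-Proto $scheme;
        # use_x_forwarded_host is enabled in config.toml, so overwrite any client-supplied value
        proxy_set_header  X-Forwarded-Host  $host;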
        proxy_redirect off;
        proxy_buffering off;
        client_max_body_size 50M;
    }
}

2024 © Readeck