Coldrune runs behind a reverse proxy that terminates TLS, enforces rate limiting, and sets the X-Real-Ip header for the upstream.
Create /etc/systemd/system/coldrune.service:
[Unit]
Description=Coldrune Secret Manager
After=network.target
[Service]
Type=simple
User=coldrune
Group=coldrune
WorkingDirectory=/var/lib/coldrune
EnvironmentFile=/etc/coldrune/.env
ExecStart=/usr/local/bin/coldrune server start
Restart=on-failure
RestartSec=5
# Hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/coldrune
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Set up the user and directories:
# Create system user
sudo useradd --system --shell /usr/sbin/nologin --home /var/lib/coldrune coldrune
sudo mkdir -p /var/lib/coldrune /etc/coldrune
# Place your .env file
sudo cp .env /etc/coldrune/.env
sudo chmod 600 /etc/coldrune/.env
sudo chown coldrune:coldrune /etc/coldrune/.env
# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable coldrune
sudo systemctl start coldrune
# Check status
sudo systemctl status coldrune
sudo journalctl -u coldrune -f
Nginx:
upstream coldrune {
server 127.0.0.1:7100;
}
# Rate limiting zone
limit_req_zone $binary_remote_addr zone=coldrune_api:10m rate=30r/s;
server {
listen 443 ssl http2;
server_name api.coldrune.com;
ssl_certificate /etc/letsencrypt/live/api.coldrune.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.coldrune.com/privkey.pem;
# Pass real client IP
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
location / {
limit_req zone=coldrune_api burst=60 nodelay;
proxy_pass http://coldrune;
}
}
server {
listen 80;
server_name api.coldrune.com;
return 301 https://$host$request_uri;
}
Caddy (Caddyfile):
api.coldrune.com {
reverse_proxy localhost:7100 {
header_up X-Real-Ip {remote_host}
}
}
Caddy handles TLS automatically via Let’s Encrypt.
# Health check
curl https://api.coldrune.com/health
# {"status": "ok"}
# Login
coldrune --server-url https://api.coldrune.com auth login --email admin@example.com
By default, Coldrune creates coldrune.db in the working directory. For production, set an explicit path:
COLDRUNE_DB_PATH=/var/lib/coldrune/coldrune.db
The database file and its WAL/SHM companions are created with 0600 permissions.
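A post-deployment check for the settings above, added here as an example; it is not part of Coldrune or its documentation. It verifies that the .env file, the database file and any WAL/SHM companions that exist carry mode 600 and the expected owner, and that the unit's hardening directives are in the [Service] section, which is where systemd reads them (a directive placed under [Unit] by mistake is silently ignored). The script name coldrune-check.sh and the COLDRUNE_ENV_FILE and COLDRUNE_UNIT variables are assumptions; COLDRUNE_DB_PATH is the variable the page itself uses. Run it as root after `systemctl start coldrune`.

```shell
#!/bin/sh
# Post-deployment checks for a Coldrune install (added example, not Coldrune's own code).
# Paths default to the ones used in the unit file; override with COLDRUNE_ENV_FILE,
# COLDRUNE_DB_PATH and COLDRUNE_UNIT (the last two env names are assumptions).

# file_mode_owner FILE -> prints "<octal mode> <owner name> <uid>", e.g. "600 coldrune 998"
file_mode_owner() {
    stat -c '%a %U %u' "$1" 2>/dev/null || stat -f '%Lp %Su %u' "$1"
}

# check_private_file FILE MODE OWNER -> 0 if FILE exists with exactly MODE and
# OWNER (given as a user name or a numeric uid), 1 otherwise
check_private_file() {
    f=$1; want_mode=$2; want_owner=$3
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    set -- $(file_mode_owner "$f")
    if [ "$1" = "$want_mode" ] && { [ "$2" = "$want_owner" ] || [ "$3" = "$want_owner" ]; }; then
        echo "OK       $f ($1 $2)"; return 0
    fi
    echo "BAD      $f has $1 $2, want $want_mode $want_owner"; return 1
}

# check_unit_hardening UNITFILE -> 0 if every hardening directive from the
# reference unit is present in the [Service] section with the expected value
check_unit_hardening() {
    unit=$1; rc=0
    [ -f "$unit" ] || { echo "MISSING  $unit"; return 1; }
    # Keep only the lines between [Service] and the next section header.
    service_section=$(awk '/^\[Service\]/{svc=1; next} /^\[/{svc=0} svc' "$unit")
    for want in User=coldrune NoNewPrivileges=true ProtectSystem=strict \
                ProtectHome=true PrivateTmp=true; do
        if printf '%s\n' "$service_section" | grep -qxF "$want"; then
            echo "OK       $want"
        else
            echo "BAD      $want not set in [Service] of $unit"; rc=1
        fi
    done
    return $rc
}

# check_db_files DBPATH OWNER -> checks the database file and whichever WAL/SHM
# companions currently exist (SQLite creates them while the server is running)
check_db_files() {
    db=$1; owner=$2; rc=0
    [ -f "$db" ] || { echo "MISSING  $db"; return 1; }
    for f in "$db" "$db-wal" "$db-shm"; do
        [ -e "$f" ] || continue
        check_private_file "$f" 600 "$owner" || rc=1
    done
    return $rc
}

# run_checks -> 0 only if every check passes
run_checks() {
    rc=0
    check_private_file "${COLDRUNE_ENV_FILE:-/etc/coldrune/.env}" 600 coldrune || rc=1
    check_unit_hardening "${COLDRUNE_UNIT:-/etc/systemd/system/coldrune.service}" || rc=1
    check_db_files "${COLDRUNE_DB_PATH:-/var/lib/coldrune/coldrune.db}" coldrune || rc=1
    return $rc
}

# Run only when executed as a script (assumed name), not when sourced for testing.
case "${0##*/}" in coldrune-check.sh) run_checks ;; esac
```

The exit status is non-zero as soon as one check fails, so the script can sit in a CI step or a configuration-management handler; the owner argument accepts a uid as well as a name so it still works on hosts where the service account is resolved through a directory service rather than /etc/passwd.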