@nicotsx nicotsx commented Jan 2, 2026

Close #218

Summary by CodeRabbit

  • New Features

    • Added an "Advanced Settings" collapsible section with an insecure TLS toggle and CA certificate field in repository creation forms.
    • Collapsible UI improves settings organization and interaction.
  • Behavior Changes

    • TLS/CA settings now apply consistently across repository types and are propagated to backend operations.
  • Dependencies

    • Added a Radix UI collapsible library.

coderabbitai bot commented Jan 2, 2026

Walkthrough

Adds a Collapsible UI component suite; introduces an Advanced TLS settings form and integrates it into repository creation; moves cacert and insecureTls fields from REST-only schema to the base repository schema; globalizes server-side CACERT/insecure TLS handling and simplifies temporary key cleanup usage.

Changes

| Cohort / File(s) | Summary |
|---|---|
| UI Component Suite: app/client/components/ui/collapsible.tsx, package.json | New Collapsible, CollapsibleTrigger, CollapsibleContent components with context-based controlled/uncontrolled behavior; added dependency @radix-ui/react-collapsible. |
| Repository Form Components: app/client/modules/repositories/components/create-repository-form.tsx, app/client/modules/repositories/components/repository-forms/advanced-tls-form.tsx, app/client/modules/repositories/components/repository-forms/index.ts, app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx | Added AdvancedForm component (advanced TLS settings) using Collapsible; integrated AdvancedForm into CreateRepositoryForm; removed insecureTls/cacert fields from RestRepositoryForm; exported AdvancedForm. |
| Configuration Schema: app/schemas/restic.ts | Moved cacert and insecureTls from restRepositoryConfigSchema into the (non-exported) baseRepositoryConfigSchema, making them available to all repository config types. |
| Server-side TLS & Env Handling: app/server/utils/restic.ts, app/server/modules/repositories/repositories.service.ts, app/server/modules/lifecycle/migration.ts | Globalized CACERT and insecure TLS propagation to environment variables post-backend switch; cleanupTemporaryKeys signature changed to accept only env and call sites updated; encryptConfig now seals cacert unconditionally when present. |
| Repository Info Display: app/client/modules/repositories/tabs/info.tsx | Added RepositoryConfig type import and replaced direct repository.config usage with typed config alias; updated UI checks to use config.cacert and config.insecureTls. |

Pre-merge checks

✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: adding support for insecure TLS and CA certificates for self-hosted repositories. |
| Linked Issues check | ✅ Passed | The pull request implements the requested feature from issue #218 by adding --insecure-tls support and CA certificate handling across all repository types, with proper UI controls and backend configuration. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to implementing insecure TLS and CA certificate support. The addition of the Collapsible component is necessary for the Advanced Settings UI, and refactoring of cleanupTemporaryKeys aligns with the global CACERT handling implementation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 582e21a and 8eadac4.

📒 Files selected for processing (1)
  • app/server/modules/lifecycle/migration.ts
🧰 Additional context used
📓 Path-based instructions (3)
**/*.{ts,tsx,js,jsx,json}

📄 CodeRabbit inference engine (AGENTS.md)

Use Biome for code formatting and linting with bunx biome check --write ., format only with bunx biome format --write ., or lint with bunx biome lint .

Files:

  • app/server/modules/lifecycle/migration.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: Use tabs (not spaces) for indentation with a line width of 120 characters
Use double quotes for strings
Do not auto-organize imports - imports organization is disabled in Biome
All imports must include file extensions when targeting Node/Bun, as the project uses "type": "module"

Files:

  • app/server/modules/lifecycle/migration.ts
app/server/modules/**/*.ts

📄 CodeRabbit inference engine (AGENTS.md)

Server follows a modular service-oriented architecture with controller-service-database pattern in each module

Files:

  • app/server/modules/lifecycle/migration.ts
🧠 Learnings (2)
📚 Learning: 2025-12-28T17:31:39.171Z
Learnt from: CR
Repo: nicotsx/zerobyte PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-28T17:31:39.171Z
Learning: Applies to app/server/utils/restic.ts : Update `buildEnv()` in `app/server/utils/restic.ts` to handle credentials and configuration when adding a new repository backend

Applied to files:

  • app/server/modules/lifecycle/migration.ts
📚 Learning: 2025-12-28T17:31:39.171Z
Learnt from: CR
Repo: nicotsx/zerobyte PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-28T17:31:39.171Z
Learning: Applies to app/server/utils/restic.ts : Update `buildRepoUrl()` in `app/server/utils/restic.ts` when adding a new repository backend

Applied to files:

  • app/server/modules/lifecycle/migration.ts
🧬 Code graph analysis (1)
app/server/modules/lifecycle/migration.ts (1)
app/server/utils/restic.ts (1)
  • cleanupTemporaryKeys (877-897)
🔇 Additional comments (1)
app/server/modules/lifecycle/migration.ts (1)

80-80: LGTM! Correctly updated to match the simplified cleanup API.

The call site now matches the refactored cleanupTemporaryKeys(env) signature from app/server/utils/restic.ts. Since env is built from repository.config at line 72, all necessary cleanup paths (including the new RESTIC_CACERT) are already available in the environment. This change aligns with the PR's objective of globalizing TLS/cacert handling through environment variables.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
app/client/components/ui/collapsible.tsx (1)

80-92: The hidden attribute may prevent close animations from being visible.

When open becomes false, the hidden attribute immediately hides the element and {open && children} unmounts children, both before the animate-accordion-up animation can complete. If smooth close animations are desired, consider using CSS-only visibility transitions or delaying the hidden state until the animation completes.

If the current behavior (instant close) is intentional for simplicity, this is fine as-is.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 08e43e1 and 582e21a.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (10)
  • app/client/components/ui/collapsible.tsx
  • app/client/modules/repositories/components/create-repository-form.tsx
  • app/client/modules/repositories/components/repository-forms/advanced-tls-form.tsx
  • app/client/modules/repositories/components/repository-forms/index.ts
  • app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
  • app/client/modules/repositories/tabs/info.tsx
  • app/schemas/restic.ts
  • app/server/modules/repositories/repositories.service.ts
  • app/server/utils/restic.ts
  • package.json
💤 Files with no reviewable changes (1)
  • app/client/modules/repositories/components/repository-forms/rest-repository-form.tsx
🧰 Additional context used
📓 Path-based instructions (7)
**/*.{ts,tsx,js,jsx,json}

📄 CodeRabbit inference engine (AGENTS.md)

Use Biome for code formatting and linting with bunx biome check --write ., format only with bunx biome format --write ., or lint with bunx biome lint .

Files:

  • app/client/modules/repositories/components/create-repository-form.tsx
  • app/client/modules/repositories/components/repository-forms/index.ts
  • package.json
  • app/client/components/ui/collapsible.tsx
  • app/client/modules/repositories/tabs/info.tsx
  • app/schemas/restic.ts
  • app/client/modules/repositories/components/repository-forms/advanced-tls-form.tsx
  • app/server/modules/repositories/repositories.service.ts
  • app/server/utils/restic.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: Use tabs (not spaces) for indentation with a line width of 120 characters
Use double quotes for strings
Do not auto-organize imports - imports organization is disabled in Biome
All imports must include file extensions when targeting Node/Bun, as the project uses "type": "module"

Files:

  • app/client/modules/repositories/components/create-repository-form.tsx
  • app/client/modules/repositories/components/repository-forms/index.ts
  • app/client/components/ui/collapsible.tsx
  • app/client/modules/repositories/tabs/info.tsx
  • app/schemas/restic.ts
  • app/client/modules/repositories/components/repository-forms/advanced-tls-form.tsx
  • app/server/modules/repositories/repositories.service.ts
  • app/server/utils/restic.ts
app/client/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

app/client/**/*.{ts,tsx}: Client uses TanStack Query for server state management
Client uses Radix UI primitives with custom Tailwind styling
Use Server-Sent Events hook (use-server-events.ts) for real-time updates in the client

Files:

  • app/client/modules/repositories/components/create-repository-form.tsx
  • app/client/modules/repositories/components/repository-forms/index.ts
  • app/client/components/ui/collapsible.tsx
  • app/client/modules/repositories/tabs/info.tsx
  • app/client/modules/repositories/components/repository-forms/advanced-tls-form.tsx
app/schemas/**/*.ts

📄 CodeRabbit inference engine (AGENTS.md)

Prefer ArkType over Zod for runtime schema validation

Files:

  • app/schemas/restic.ts
app/server/modules/**/*.ts

📄 CodeRabbit inference engine (AGENTS.md)

Server follows a modular service-oriented architecture with controller-service-database pattern in each module

Files:

  • app/server/modules/repositories/repositories.service.ts
app/server/modules/repositories/**/*.ts

📄 CodeRabbit inference engine (AGENTS.md)

Local repositories are stored in /var/lib/zerobyte/repositories/<repo-name>

Files:

  • app/server/modules/repositories/repositories.service.ts
app/server/utils/restic.ts

📄 CodeRabbit inference engine (AGENTS.md)

app/server/utils/restic.ts: Restic password file must have 0600 permissions and should never be exposed
Update buildRepoUrl() in app/server/utils/restic.ts when adding a new repository backend
Update buildEnv() in app/server/utils/restic.ts to handle credentials and configuration when adding a new repository backend
Restic password file is stored in /var/lib/zerobyte/restic/password and auto-generated on first run
Restic cache is stored in /var/lib/zerobyte/restic/cache

Files:

  • app/server/utils/restic.ts
🧠 Learnings (10)
📚 Learning: 2025-12-28T17:31:39.171Z
Learnt from: CR
Repo: nicotsx/zerobyte PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-28T17:31:39.171Z
Learning: Applies to app/server/modules/repositories/repositories.dto.ts : Add DTO schemas in `app/server/modules/repositories/repositories.dto.ts` when adding a new repository backend

Applied to files:

  • app/client/modules/repositories/components/create-repository-form.tsx
  • app/client/modules/repositories/components/repository-forms/index.ts
  • app/client/modules/repositories/tabs/info.tsx
  • app/schemas/restic.ts
📚 Learning: 2025-12-22T19:49:56.761Z
Learnt from: nicotsx
Repo: nicotsx/zerobyte PR: 197
File: app/client/modules/repositories/components/create-repository-form.tsx:112-112
Timestamp: 2025-12-22T19:49:56.761Z
Learning: During the repository import flow, when users provide a full path to an existing restic repository, do not implement server-side path sanitization for this flow. Rely on Restic to validate the path; the operation will fail if the path does not point to a valid restic repository. This guidance applies to repository import components under app/client/modules/repositories (not just the specified file).

Applied to files:

  • app/client/modules/repositories/components/create-repository-form.tsx
  • app/client/modules/repositories/tabs/info.tsx
  • app/client/modules/repositories/components/repository-forms/advanced-tls-form.tsx
📚 Learning: 2025-12-28T17:31:39.171Z
Learnt from: CR
Repo: nicotsx/zerobyte PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-28T17:31:39.171Z
Learning: Applies to app/client/**/*.{ts,tsx} : Client uses Radix UI primitives with custom Tailwind styling

Applied to files:

  • package.json
📚 Learning: 2025-12-28T17:31:39.171Z
Learnt from: CR
Repo: nicotsx/zerobyte PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-28T17:31:39.171Z
Learning: Applies to app/server/utils/restic.ts : Update `buildRepoUrl()` in `app/server/utils/restic.ts` when adding a new repository backend

Applied to files:

  • app/client/modules/repositories/tabs/info.tsx
  • app/schemas/restic.ts
  • app/server/modules/repositories/repositories.service.ts
  • app/server/utils/restic.ts
📚 Learning: 2025-12-28T17:31:39.171Z
Learnt from: CR
Repo: nicotsx/zerobyte PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-28T17:31:39.171Z
Learning: Applies to app/server/utils/restic.ts : Update `buildEnv()` in `app/server/utils/restic.ts` to handle credentials and configuration when adding a new repository backend

Applied to files:

  • app/client/modules/repositories/tabs/info.tsx
  • app/schemas/restic.ts
  • app/server/modules/repositories/repositories.service.ts
  • app/server/utils/restic.ts
📚 Learning: 2025-12-28T17:31:39.171Z
Learnt from: CR
Repo: nicotsx/zerobyte PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-28T17:31:39.171Z
Learning: Applies to app/schemas/volumes.ts : Add schemas for new volume backends to `app/schemas/volumes.ts` and update `volumeConfigSchema` discriminated union

Applied to files:

  • app/schemas/restic.ts
📚 Learning: 2025-12-28T17:31:39.171Z
Learnt from: CR
Repo: nicotsx/zerobyte PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-28T17:31:39.171Z
Learning: Applies to app/server/utils/restic.ts : Restic password file is stored in `/var/lib/zerobyte/restic/password` and auto-generated on first run

Applied to files:

  • app/server/utils/restic.ts
📚 Learning: 2025-12-28T17:31:39.171Z
Learnt from: CR
Repo: nicotsx/zerobyte PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-28T17:31:39.171Z
Learning: Applies to app/server/utils/restic.ts : Restic password file must have 0600 permissions and should never be exposed

Applied to files:

  • app/server/utils/restic.ts
📚 Learning: 2025-12-28T17:31:39.171Z
Learnt from: CR
Repo: nicotsx/zerobyte PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-28T17:31:39.171Z
Learning: Applies to app/server/utils/restic.ts : Restic cache is stored in `/var/lib/zerobyte/restic/cache`

Applied to files:

  • app/server/utils/restic.ts
📚 Learning: 2025-11-29T15:55:09.080Z
Learnt from: nicotsx
Repo: nicotsx/zerobyte PR: 78
File: app/server/modules/repositories/repositories.service.ts:221-223
Timestamp: 2025-11-29T15:55:09.080Z
Learning: Restic's restore command has built-in path validation that prevents writing outside the specified --target directory. It normalizes and validates paths to reject any attempts to escape the target location, so application-level path sanitization is not required when using restic restore.

Applied to files:

  • app/server/utils/restic.ts
🧬 Code graph analysis (2)
app/client/modules/repositories/tabs/info.tsx (1)
app/schemas/restic.ts (1)
  • RepositoryConfig (97-97)
app/server/modules/repositories/repositories.service.ts (2)
app/server/core/config.ts (1)
  • config (32-32)
app/server/utils/crypto.ts (1)
  • cryptoUtils (186-189)
🔇 Additional comments (11)
package.json (1)

36-36: LGTM!

The addition of @radix-ui/react-collapsible aligns with the project's existing usage of Radix UI primitives for custom Tailwind styling, as per coding guidelines.

app/server/utils/restic.ts (3)

208-217: LGTM!

The global CACERT and insecure TLS handling is correctly implemented:

  • CA certificate is written to a temp file with secure permissions (0600)
  • Uses cryptoUtils.resolveSecret for proper decryption
  • Internal env vars (RESTIC_CACERT, _INSECURE_TLS) correctly propagate to addCommonArgs

877-897: LGTM!

The cleanupTemporaryKeys function correctly:

  • Guards against deleting the default RESTIC_PASS_FILE (line 886)
  • Cleans up the temporary CA certificate file (lines 894-896)
  • Handles all temporary sensitive files consistently

906-912: LGTM!

The addCommonArgs function correctly adds the --insecure-tls and --cacert flags to restic commands when the corresponding environment variables are set.

app/client/modules/repositories/components/repository-forms/index.ts (1)

9-9: LGTM!

The AdvancedForm export follows the existing barrel export pattern.

app/client/modules/repositories/components/create-repository-form.tsx (1)

272-273: LGTM!

The AdvancedForm is correctly rendered after backend-specific forms, making TLS settings available for all repository types. This aligns with the schema changes that moved cacert and insecureTls to the base configuration.

app/server/modules/repositories/repositories.service.ts (1)

37-40: LGTM!

The cacert field is now correctly sealed unconditionally when present, aligning with the schema change that moved TLS settings to the base configuration. This ensures the CA certificate is encrypted for all backends, not just REST.

app/client/modules/repositories/tabs/info.tsx (2)

62-63: LGTM!

The type assertion to RepositoryConfig provides proper type safety for accessing TLS-related fields. This is a reasonable approach given that repository.config likely comes from an API response with a generic type.


121-140: LGTM!

The TLS settings display logic correctly:

  • Shows CA certificate status when configured
  • Uses defensive "insecureTls" in config check for backwards compatibility with existing configs
  • Appropriately uses red/green indicators for TLS validation status

app/schemas/restic.ts (1)

17-22: LGTM!

Moving cacert and insecureTls to baseRepositoryConfigSchema is a clean architectural change that makes TLS settings available to all repository backends through composition. This aligns with the PR objective of supporting insecure TLS and CA certificates for self-hosted repositories across all backends.

app/client/modules/repositories/components/repository-forms/advanced-tls-form.tsx (1)

21-112: Well-implemented interdependent form fields.

The mutual exclusivity logic between insecureTls and cacert is correctly implemented with appropriate disabling and contextual tooltips. The external link has proper security attributes (rel="noopener noreferrer"), and the defensive field.value ?? false handles undefined checkbox values gracefully.

@nicotsx nicotsx merged commit b8fe2a9 into main Jan 2, 2026
6 checks passed
@nicotsx nicotsx deleted the feat/insecure-tls-cacert-all-repos branch January 2, 2026 17:13
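
The server-side flow the review describes (CA certificate written to a 0600 temp file, `RESTIC_CACERT` / `_INSECURE_TLS` markers turned into `--cacert` / `--insecure-tls`, cleanup that spares the default password file), as an added example that is not the project's code. The function bodies, the `TlsConfig` and `Env` types, the use of `RESTIC_PASSWORD_FILE` as the password-file key and the server-side rejection of both settings together are assumptions; the function names are borrowed from the review only for readability.

```typescript
import * as crypto from "node:crypto";
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical shape: only the two TLS fields the PR moved to the base schema.
type TlsConfig = { cacert?: string; insecureTls?: boolean };
type Env = Record<string, string>;

// Shared password file path, as listed in the review's path notes.
const DEFAULT_PASS_FILE = "/var/lib/zerobyte/restic/password";

// Record the TLS choice in env; the CA bundle goes to an owner-only temp file.
function applyTlsEnv(config: TlsConfig, env: Env): Env {
	if (config.insecureTls && config.cacert) {
		// Assumption: the page only describes the form enforcing this;
		// rejecting it here keeps a crafted API request from setting both.
		throw new Error("insecureTls and cacert are mutually exclusive");
	}
	const out: Env = { ...env };
	if (config.cacert) {
		const name = `cacert-${crypto.randomBytes(8).toString("hex")}.pem`;
		const file = path.join(os.tmpdir(), name);
		// "wx" (O_EXCL) refuses a pre-existing path or symlink; 0600 is owner-only.
		fs.writeFileSync(file, config.cacert, { mode: 0o600, flag: "wx" });
		out.RESTIC_CACERT = file;
	}
	if (config.insecureTls) out._INSECURE_TLS = "true";
	return out;
}

// Translate the env markers into restic command-line flags.
function addCommonArgs(args: string[], env: Env): string[] {
	const out = [...args];
	const cacert = env.RESTIC_CACERT;
	if (env._INSECURE_TLS === "true") out.push("--insecure-tls");
	if (cacert) out.push("--cacert", cacert);
	return out;
}

// Delete per-run secret files, never the shared default password file.
function cleanupTemporaryKeys(env: Env): string[] {
	const removed: string[] = [];
	for (const file of [env.RESTIC_PASSWORD_FILE, env.RESTIC_CACERT]) {
		if (!file || file === DEFAULT_PASS_FILE) continue;
		fs.rmSync(file, { force: true });
		removed.push(file);
	}
	return removed;
}
```
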
Development

Successfully merging this pull request may close these issues.

[Feature Request] Allow custom S3 repositories with self-signed certificates
