add systemd service unit and rate limit headers

Systemd deployment: - examples/flaskpaste.service with security hardening - examples/flaskpaste.env with all config options - README deployment section updated Rate limit headers (X-RateLimit-*): - Limit, Remaining, Reset on 201 and 429 responses - Per-IP tracking with auth multiplier - api.md documented
2025-12-24 17:51:14 +01:00
parent cb6eebee59
commit cf458347ef
7 changed files with 265 additions and 22 deletions
--- a/examples/flaskpaste.env
+++ b/examples/flaskpaste.env
@@ -0,0 +1,48 @@
+# FlaskPaste environment configuration
+# Install: sudo mkdir -p /etc/flaskpaste && sudo cp flaskpaste.env /etc/flaskpaste/env
+# Permissions: sudo chmod 600 /etc/flaskpaste/env
+
+# Flask environment
+FLASK_ENV=production
+
+# Database path
+FLASKPASTE_DB=/opt/flaskpaste/data/pastes.db
+
+# Paste limits
+FLASKPASTE_MAX_ANON=3145728
+FLASKPASTE_MAX_AUTH=52428800
+
+# Expiry (tiered by authentication level)
+FLASKPASTE_EXPIRY_ANON=86400
+FLASKPASTE_EXPIRY_UNTRUSTED=604800
+FLASKPASTE_EXPIRY_TRUSTED=2592000
+
+# Proof-of-work (set to 0 to disable)
+FLASKPASTE_POW_DIFFICULTY=20
+FLASKPASTE_POW_TTL=300
+
+# Anti-flood
+FLASKPASTE_ANTIFLOOD=1
+FLASKPASTE_ANTIFLOOD_THRESHOLD=5
+FLASKPASTE_ANTIFLOOD_MAX=28
+
+# Rate limiting
+FLASKPASTE_RATE_LIMIT=1
+FLASKPASTE_RATE_WINDOW=60
+FLASKPASTE_RATE_MAX=10
+FLASKPASTE_RATE_AUTH_MULT=5
+
+# Content deduplication
+FLASKPASTE_DEDUP_WINDOW=3600
+FLASKPASTE_DEDUP_MAX=3
+
+# URL prefix (for reverse proxy path-based routing)
+# FLASKPASTE_URL_PREFIX=/paste
+
+# Proxy trust (set shared secret for header validation)
+# FLASKPASTE_PROXY_SECRET=your-secret-here
+
+# PKI (uncomment to enable certificate authority)
+# FLASKPASTE_PKI_ENABLED=1
+# FLASKPASTE_PKI_CA_PASSWORD=change-this-secure-password
+# FLASKPASTE_PKI_CERT_DAYS=365