By protecting the /me with basic authentication to not expose the API key to the world (via reverse proxy), you natively limit the publish but keep the get accessible from your cargo.
Here is the code of my dockerfile to generate the container for testing:
FROM rust:1-slim-buster as build
WORKDIR /app
ADD . /app/
RUN apt-get update && apt-get install -y libssl-dev pkg-config git
RUN cargo build --release
RUN find /app -iname estuary
FROM rust:1-slim-buster
# Estuary relies on being able to run `git` on the command-line.
# It additionally uses the `git2` crate which indirectly depends on `libssl`.
RUN apt-get update && apt-get install -y \
git \
pkg-config libssl-dev \
&& rm -rf /var/lib/apt/lists/*
COPY --from=build /app/target/release/estuary /usr/bin/
# Use a volume to store our service data
VOLUME ["/var/lib/estuary"]
# Configure the service.
#
# These env vars will get the files Estuary needs to write into our volume and
# enable some basic logging HOWEVER you'll still need to configure the
# **base url** based on the public host/port you want to use.
ENV ESTUARY_INDEX_DIR="/var/lib/estuary/index" \
ESTUARY_CRATE_DIR="/var/lib/estuary/crates" \
RUST_LOG="actix_web=INFO,estuary=INFO"
EXPOSE 7878
# When running the container, don't forget you'll need to specify the base url
# either via a flag or environment variable.
ENTRYPOINT ["estuary"]
Hi,
By protecting the /me with basic authentication to not expose the API key to the world (via reverse proxy), you natively limit the publish but keep the get accessible from your cargo.
Here is the code of my dockerfile to generate the container for testing: