| author | Sam Anthony <sam@samanthony.xyz> | 2026-03-07 11:45:19 -0500 |
|---|---|---|
| committer | Sam Anthony <sam@samanthony.xyz> | 2026-03-07 11:45:19 -0500 |
| commit | 7c32f8a87889c8fdb8637243fd540061ea1a8539 (patch) | |
| tree | fe5b5b42f3cfe74e755cf57419b7f3d3b6dd89bb /doc/sec.md | |
| parent | 36381d86c6a690a7870ce360dad63be333361447 (diff) | |
| download | buth-7c32f8a87889c8fdb8637243fd540061ea1a8539.zip | |
doc: simplify architecture, some notes
Got rid of client-side 9p, which was just silly bloat. Using HTTP
exclusively on the client side now, with htmx.
Combined auth and api servers into monolithic buthd, which translates
http/9p between client and backend 9p servers.
Added some implementation and security notes, and part of shopfs.
Diffstat (limited to 'doc/sec.md')
| -rw-r--r-- | doc/sec.md | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/sec.md b/doc/sec.md new file mode 100644 index 0000000..93bca91 --- /dev/null +++ b/doc/sec.md @@ -0,0 +1,13 @@ + +# Security + +## Notes + +Buthd should not have filesystem permission. It just translates HTTP/9P. Gets everything it needs from the 9P file servers. + +Concentrate TLS in relayd(8). Backend servers should not have to manage certificates, or even have access to them. They should not even have filesystem permission if possible. Buthd and httpd serve plain HTTP over Unix domain sockets or a secure VPN, e.g. Tailscale. + +Run all processes in chroot. This should be handled by the rc.d init script, not by the program, to avoid having to start as root before dropping privileges. Just start as unprivileged user in chroot to begin with. + +[[auth#Implementation notes]] + |
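Review bot: the rationale in the chroot paragraph does not hold as written: chroot(2) itself requires root, so the rc.d script still has to run privileged to set up the jail before switching to the unprivileged user; the real gain is that buthd's own code never executes as root, and the paragraph should say that instead of "to avoid having to start as root". Two other points in the same hunk would make the notes checkable rather than aspirational: "should not have filesystem permission" (used for both buthd and the backend servers) needs a concrete meaning, e.g. no write access and no open descriptors beyond its listening and backend sockets; and the "plain HTTP over Unix domain sockets or a secure VPN, e.g. Tailscale" sentence should state the trust assumption it implies, namely that everything between httpd/buthd and the backend 9P servers is unencrypted inside that boundary, so every host and user on the VPN or socket host is trusted. Finally, "Gets everything it needs from the 9P file servers" leaves open how buthd authenticates to those servers; since the linked [[auth#Implementation notes]] is not in this change, a one-line pointer to the 9P auth mechanism here would close that gap.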