From 7c32f8a87889c8fdb8637243fd540061ea1a8539 Mon Sep 17 00:00:00 2001 From: Sam Anthony Date: Sat, 7 Mar 2026 11:45:19 -0500 Subject: doc: simplify architecture, some notes Got rid of client-side 9p, which was just silly bloat. Using HTTP exclusively on the client side now, with htmx. Combined auth and api servers into monolithic buthd, which translates http/9p between client and backend 9p servers. Added some implementation and security notes, and part of shopfs. --- doc/sec.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 doc/sec.md (limited to 'doc/sec.md') diff --git a/doc/sec.md b/doc/sec.md new file mode 100644 index 0000000..93bca91 --- /dev/null +++ b/doc/sec.md @@ -0,0 +1,13 @@ + +# Security + +## Notes + +Buthd should not have filesystem permission. It just translates HTTP/9P. Gets everything it needs from the 9P file servers. + +Concentrate TLS in relayd(8). Backend servers should not have to manage certificates, or even have access to them. They should not even have filesystem permission if possible. Buthd and httpd serve plain HTTP over Unix domain sockets or a secure VPN, e.g. Tailscale. + +Run all processes in chroot. This should be handled by the rc.d init script, not by the program, to avoid having to start as root before dropping privileges. Just start as unprivileged user in chroot to begin with. + +[[auth#Implementation notes]] + -- cgit v1.2.3
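Review bot: the first note ("Buthd should not have filesystem permission") states a goal without saying what enforces it; the third note's chroot is the only mechanism the file mentions, so either say that the chroot is what limits buthd, or name the in-program mechanism if one is intended, otherwise the requirement is not checkable. In the same file, "handled by the rc.d init script, not by the program, to avoid having to start as root" still needs a root step: the rc script itself must be root to call chroot before switching to the unprivileged user, so the sentence should say that the root step moves to the init script rather than disappearing. The second note's "plain HTTP over Unix domain sockets or a secure VPN, e.g. Tailscale" makes the VPN the confidentiality boundary for backend traffic; worth stating explicitly that backend servers then trust every peer on that VPN, since that is the threat-model consequence of concentrating TLS in relayd(8). Minor: the file opens with an empty line before "# Security", and "Gets everything it needs from the 9P file servers." is a fragment; suggest "It gets everything it needs from the 9P file servers."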