2.13.1

[ElderEvil]

Summary by CodeRabbit

• New Features

  • Added a TrueNAS deployment example configuration.

• Improvements

  • Improved public file URL resolution for storage access.
  • Added HTTPS support and optional access/secret key configuration for storage endpoints.

• Documentation

  • Added an example environment file with sample values for TrueNAS deployment and storage settings.

[coderabbitai]

📝 Walkthrough

Walkthrough

Resolve RustFS public vs internal endpoints in the adapter, update example environment templates with HTTPS and access credentials, and add a new TrueNAS example env file containing comprehensive RustFS and service settings.

Changes

RustFS Configuration & URL Resolution

Layer / File(s)	Summary
Configuration backend/.env.example, docs/examples/.env.truenas.example	Updated RustFS host to s3-api.evillab.dev, enabled RUSTFS_USE_HTTPS=True, and added RUSTFS_ACCESS_KEY / RUSTFS_SECRET_KEY; new TrueNAS example env file added with RustFS and other service placeholders.
Endpoint Docstring backend/app/services/storage/rustfs_adapter.py	Added docstring to _get_endpoint_url() describing its role as the internal S3 endpoint resolver.
Public URL Resolution backend/app/services/storage/rustfs_adapter.py	Introduced private _get_public_base_url() that prefers RUSTFS_PUBLIC_URL and falls back to internal endpoint; updated public_url to use this helper.
Examples / Compose docs/examples/docker-compose.truenas.yml	Example docker-compose shows RustFS env context (no semantic service changes).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I nibble paths and hop through configs bright,
Public URLs by day, internal by night,
Secrets tucked in lines so neat,
Buckets found and endpoints meet —
A rabbit's fix, concise and light. 🐇✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title '2.13.1' appears to be a version number rather than a descriptive summary of the changes made in the pull request.	Use a descriptive title that summarizes the main changes, such as 'Update RustFS configuration and add TrueNAS example environment setup' instead of just the version number.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 2.13.1

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

backend/app/services/storage/rustfs_adapter.py (1)

63-68: 💤 Low value

_get_public_base_url — logic is correct; consider using settings.RUSTFS_PUBLIC_URL directly.

getattr(settings, "RUSTFS_PUBLIC_URL", "") will actually return None (not "") because the attribute is defined in Settings as str | None = None — the getattr fallback only applies when the attribute is absent entirely. The if public_url: check is falsy for both None and "", so the behaviour is correct, but the intent would be clearer using the typed attribute directly:

♻️ Optional refactor

 def _get_public_base_url(self) -> str:
     """Public-facing URL for generating file URLs. Falls back to internal endpoint."""
-    public_url = getattr(settings, "RUSTFS_PUBLIC_URL", "")
-    if public_url:
-        return public_url.rstrip("/")
+    if settings.RUSTFS_PUBLIC_URL:
+        return settings.RUSTFS_PUBLIC_URL.rstrip("/")
     return self._get_endpoint_url()

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/app/services/storage/rustfs_adapter.py` around lines 63 - 68, The use
of getattr(settings, "RUSTFS_PUBLIC_URL", "") in _get_public_base_url is
misleading because Settings defines RUSTFS_PUBLIC_URL as str | None; replace the
getattr call with direct access to settings.RUSTFS_PUBLIC_URL, check its
truthiness (if settings.RUSTFS_PUBLIC_URL) and return
settings.RUSTFS_PUBLIC_URL.rstrip("/") when present, otherwise return
self._get_endpoint_url(); keep the function name _get_public_base_url and
preserve the fallback behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/examples/.env.truenas.example`:
- Line 51: The env variable assignment for EMAIL_FROM_NAME is unquoted
("EMAIL_FROM_NAME=Fallout Shelter") which splits into two tokens when sourced;
update the assignment to include quotes around the value
(EMAIL_FROM_NAME="Fallout Shelter") so the full name is preserved—look for the
EMAIL_FROM_NAME entry in the example env file and mirror the quoting used in
backend/.env.example.
- Around line 30-32: Replace the real personal identifiers in the example env
with generic placeholders: change FIRST_SUPERUSER_USERNAME and
FIRST_SUPERUSER_EMAIL to non-personal values (e.g.,
FIRST_SUPERUSER_USERNAME=example_admin and
FIRST_SUPERUSER_EMAIL=example@example.com) and keep FIRST_SUPERUSER_PASSWORD as
a clear placeholder like CHANGE-ME-strong-password; update the .env example so
it contains no real PII and commit the sanitized example to the repo.
- Around line 57-64: Replace the hard-coded RUSTFS_SECRET_KEY value with a
non-sensitive placeholder (e.g., RUSTFS_SECRET_KEY=CHANGE-ME) and add a clear
comment above the RustFS block warning "Shared dev credentials — do NOT use in
production; rotate immediately if these are real." Also ensure RUSTFS_ACCESS_KEY
and RUSTFS_DEFAULT_BUCKET are likewise marked as placeholders and, if the
current secret is an actual shared credential, rotate it immediately and remove
any real credentials from this template (references: RUSTFS_SECRET_KEY,
RUSTFS_ACCESS_KEY, RUSTFS_DEFAULT_BUCKET).

---

Nitpick comments:
In `@backend/app/services/storage/rustfs_adapter.py`:
- Around line 63-68: The use of getattr(settings, "RUSTFS_PUBLIC_URL", "") in
_get_public_base_url is misleading because Settings defines RUSTFS_PUBLIC_URL as
str | None; replace the getattr call with direct access to
settings.RUSTFS_PUBLIC_URL, check its truthiness (if settings.RUSTFS_PUBLIC_URL)
and return settings.RUSTFS_PUBLIC_URL.rstrip("/") when present, otherwise return
self._get_endpoint_url(); keep the function name _get_public_base_url and
preserve the fallback behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e5883a66-98a4-400d-82f5-0bc95de3db78

📥 Commits

Reviewing files that changed from the base of the PR and between 2de962e and 0ea12b5.

📒 Files selected for processing (4)

• backend/.env.example
• backend/app/services/storage/rustfs_adapter.py
• docs/examples/.env.truenas.example
• docs/examples/docker-compose.truenas.yml

💤 Files with no reviewable changes (1)

• docs/examples/docker-compose.truenas.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

PII exposure — replace real email/username with generic placeholders.

FIRST_SUPERUSER_EMAIL=elder.evil.dev@proton.me is a real personal email address committed to a public repository. Example files are copied by end users as starting points; embedding a real email exposes it to scrapers and violates privacy best practices. The username on line 30 is also a personal identifier.

🛡️ Proposed fix

-FIRST_SUPERUSER_USERNAME=ElderEvil
-FIRST_SUPERUSER_EMAIL=elder.evil.dev@proton.me
+FIRST_SUPERUSER_USERNAME=admin
+FIRST_SUPERUSER_EMAIL=admin@example.com

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	FIRST_SUPERUSER_USERNAME=ElderEvil
	FIRST_SUPERUSER_EMAIL=elder.evil.dev@proton.me
	FIRST_SUPERUSER_PASSWORD=CHANGE-ME-strong-password
	FIRST_SUPERUSER_USERNAME=admin
	FIRST_SUPERUSER_EMAIL=admin@example.com
	FIRST_SUPERUSER_PASSWORD=CHANGE-ME-strong-password

🧰 Tools

🪛 dotenv-linter (4.0.0)

[warning] 31-31: [UnorderedKey] The FIRST_SUPERUSER_EMAIL key should go before the FIRST_SUPERUSER_USERNAME key

(UnorderedKey)

---

[warning] 32-32: [UnorderedKey] The FIRST_SUPERUSER_PASSWORD key should go before the FIRST_SUPERUSER_USERNAME key

(UnorderedKey)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/examples/.env.truenas.example` around lines 30 - 32, Replace the real
personal identifiers in the example env with generic placeholders: change
FIRST_SUPERUSER_USERNAME and FIRST_SUPERUSER_EMAIL to non-personal values (e.g.,
FIRST_SUPERUSER_USERNAME=example_admin and
FIRST_SUPERUSER_EMAIL=example@example.com) and keep FIRST_SUPERUSER_PASSWORD as
a clear placeholder like CHANGE-ME-strong-password; update the .env example so
it contains no real PII and commit the sanitized example to the repo.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

EMAIL_FROM_NAME value with a space must be quoted.

EMAIL_FROM_NAME=Fallout Shelter — sourcing this in a shell will set the variable to Fallout and attempt to execute Shelter as a command. The equivalent line in backend/.env.example (Line 71) correctly uses EMAIL_FROM_NAME="Fallout Shelter".

🛡️ Proposed fix

-EMAIL_FROM_NAME=Fallout Shelter
+EMAIL_FROM_NAME="Fallout Shelter"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	EMAIL_FROM_NAME=Fallout Shelter
	EMAIL_FROM_NAME="Fallout Shelter"

🧰 Tools

🪛 dotenv-linter (4.0.0)

[warning] 51-51: [UnorderedKey] The EMAIL_FROM_NAME key should go before the SMTP_HOST key

(UnorderedKey)

---

[warning] 51-51: [ValueWithoutQuotes] This value needs to be surrounded in quotes

(ValueWithoutQuotes)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/examples/.env.truenas.example` at line 51, The env variable assignment
for EMAIL_FROM_NAME is unquoted ("EMAIL_FROM_NAME=Fallout Shelter") which splits
into two tokens when sourced; update the assignment to include quotes around the
value (EMAIL_FROM_NAME="Fallout Shelter") so the full name is preserved—look for
the EMAIL_FROM_NAME entry in the example env file and mirror the quoting used in
backend/.env.example.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Real-looking RustFS credentials without a "CHANGE-ME" warning in a production-deployment template.

RUSTFS_SECRET_KEY=4P^2F2bwB7&kwhN! is a real-looking credential with no placeholder annotation. Unlike backend/.env.example which carries a "Shared dev credentials — do NOT use in production" comment, this TrueNAS template has no such caveat, creating a risk that users copy it verbatim into production. If this is an actual shared credential, it should be rotated immediately.

🛡️ Proposed fix

-RUSTFS_HOSTNAME=s3-api.evillab.dev
-RUSTFS_PORT=443
-RUSTFS_USE_HTTPS=True
-RUSTFS_ACCESS_KEY=admin
-RUSTFS_SECRET_KEY=4P^2F2bwB7&kwhN!
-RUSTFS_DEFAULT_BUCKET=fallout-shelter
-# Public URL for generating user-facing file links
-RUSTFS_PUBLIC_URL=https://s3.evillab.dev
+RUSTFS_HOSTNAME=s3-api.yourdomain.com
+RUSTFS_PORT=443
+RUSTFS_USE_HTTPS=True
+RUSTFS_ACCESS_KEY=CHANGE-ME-access-key
+RUSTFS_SECRET_KEY=CHANGE-ME-strong-secret
+RUSTFS_DEFAULT_BUCKET=fallout-shelter
+# Public URL for generating user-facing file links
+RUSTFS_PUBLIC_URL=https://s3.yourdomain.com

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	RUSTFS_HOSTNAME=s3-api.evillab.dev
	RUSTFS_PORT=443
	RUSTFS_USE_HTTPS=True
	RUSTFS_ACCESS_KEY=admin
	RUSTFS_SECRET_KEY=4P^2F2bwB7&kwhN!
	RUSTFS_DEFAULT_BUCKET=fallout-shelter
	# Public URL for generating user-facing file links
	RUSTFS_PUBLIC_URL=https://s3.evillab.dev
	RUSTFS_HOSTNAME=s3-api.yourdomain.com
	RUSTFS_PORT=443
	RUSTFS_USE_HTTPS=True
	RUSTFS_ACCESS_KEY=CHANGE-ME-access-key
	RUSTFS_SECRET_KEY=CHANGE-ME-strong-secret
	RUSTFS_DEFAULT_BUCKET=fallout-shelter
	# Public URL for generating user-facing file links
	RUSTFS_PUBLIC_URL=https://s3.yourdomain.com

🧰 Tools

🪛 dotenv-linter (4.0.0)

[warning] 60-60: [UnorderedKey] The RUSTFS_ACCESS_KEY key should go before the RUSTFS_HOSTNAME key

(UnorderedKey)

---

[warning] 61-61: [UnorderedKey] The RUSTFS_SECRET_KEY key should go before the RUSTFS_USE_HTTPS key

(UnorderedKey)

---

[warning] 62-62: [UnorderedKey] The RUSTFS_DEFAULT_BUCKET key should go before the RUSTFS_HOSTNAME key

(UnorderedKey)

---

[warning] 64-64: [UnorderedKey] The RUSTFS_PUBLIC_URL key should go before the RUSTFS_SECRET_KEY key

(UnorderedKey)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/examples/.env.truenas.example` around lines 57 - 64, Replace the
hard-coded RUSTFS_SECRET_KEY value with a non-sensitive placeholder (e.g.,
RUSTFS_SECRET_KEY=CHANGE-ME) and add a clear comment above the RustFS block
warning "Shared dev credentials — do NOT use in production; rotate immediately
if these are real." Also ensure RUSTFS_ACCESS_KEY and RUSTFS_DEFAULT_BUCKET are
likewise marked as placeholders and, if the current secret is an actual shared
credential, rotate it immediately and remove any real credentials from this
template (references: RUSTFS_SECRET_KEY, RUSTFS_ACCESS_KEY,
RUSTFS_DEFAULT_BUCKET).

[coderabbitai]

♻️ Duplicate comments (3)

docs/examples/.env.truenas.example (3)

51-51: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quote EMAIL_FROM_NAME to avoid token-splitting when sourced.

EMAIL_FROM_NAME=Fallout Shelter is parsed incorrectly by shell-style sourcing due to the space.

🛠️ Proposed fix

-EMAIL_FROM_NAME=Fallout Shelter
+EMAIL_FROM_NAME="Fallout Shelter"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/examples/.env.truenas.example` at line 51, The EMAIL_FROM_NAME
environment variable value contains a space and must be quoted to avoid
token-splitting when sourced; update the example to set EMAIL_FROM_NAME to a
quoted string (e.g., wrap the Fallout Shelter value in double quotes) so shells
parse it as a single value and preserve the space.

---

30-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Replace personal admin identifiers with neutral placeholders.

This example file still contains real personal identifiers (ElderEvil, elder.evil.dev@proton.me), which should not be committed in public templates.

🛡️ Proposed fix

-FIRST_SUPERUSER_USERNAME=ElderEvil
-FIRST_SUPERUSER_EMAIL=elder.evil.dev@proton.me
+FIRST_SUPERUSER_USERNAME=example_admin
+FIRST_SUPERUSER_EMAIL=example@example.com

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/examples/.env.truenas.example` around lines 30 - 31, Replace the
personal identifiers in the example env by swapping FIRST_SUPERUSER_USERNAME and
FIRST_SUPERUSER_EMAIL values to neutral placeholders: update
FIRST_SUPERUSER_USERNAME from "ElderEvil" to a generic value (e.g., "admin") and
FIRST_SUPERUSER_EMAIL from "elder.evil.dev@proton.me" to a non-personal example
address (e.g., "admin@example.com") so the template contains no real personal
data.

---

57-64: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid weak default RustFS credentials in deployment template.

RUSTFS_ACCESS_KEY=admin is a weak copy-paste default for a production-oriented template. Use explicit CHANGE-ME placeholders and a warning comment for this block.

🔐 Proposed fix

+# Shared dev credentials — do NOT use in production; rotate immediately if real.
 RUSTFS_HOSTNAME=s3-api.evillab.dev
 RUSTFS_PORT=443
 RUSTFS_USE_HTTPS=True
-RUSTFS_ACCESS_KEY=admin
+RUSTFS_ACCESS_KEY=CHANGE-ME-access-key
 RUSTFS_SECRET_KEY=CHANGE-ME-use-openssl-rand-hex-32
 RUSTFS_DEFAULT_BUCKET=fallout-shelter
 # Public URL for generating user-facing file links
 RUSTFS_PUBLIC_URL=https://s3.evillab.dev

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/examples/.env.truenas.example` around lines 57 - 64, The template
exposes weak default credentials; replace RUSTFS_ACCESS_KEY=admin with an
explicit placeholder (e.g. RUSTFS_ACCESS_KEY=CHANGE-ME) and ensure
RUSTFS_SECRET_KEY remains a clear placeholder (e.g.
RUSTFS_SECRET_KEY=CHANGE-ME-use-openssl-rand-hex-32), and add a short warning
comment above this block instructing operators to set strong, unique credentials
(mentioning using openssl rand -hex 32) before deploying; update
RUSTFS_ACCESS_KEY and RUSTFS_SECRET_KEY in the file and keep the rest of the
RUSTFS_* vars unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@docs/examples/.env.truenas.example`:
- Line 51: The EMAIL_FROM_NAME environment variable value contains a space and
must be quoted to avoid token-splitting when sourced; update the example to set
EMAIL_FROM_NAME to a quoted string (e.g., wrap the Fallout Shelter value in
double quotes) so shells parse it as a single value and preserve the space.
- Around line 30-31: Replace the personal identifiers in the example env by
swapping FIRST_SUPERUSER_USERNAME and FIRST_SUPERUSER_EMAIL values to neutral
placeholders: update FIRST_SUPERUSER_USERNAME from "ElderEvil" to a generic
value (e.g., "admin") and FIRST_SUPERUSER_EMAIL from "elder.evil.dev@proton.me"
to a non-personal example address (e.g., "admin@example.com") so the template
contains no real personal data.
- Around line 57-64: The template exposes weak default credentials; replace
RUSTFS_ACCESS_KEY=admin with an explicit placeholder (e.g.
RUSTFS_ACCESS_KEY=CHANGE-ME) and ensure RUSTFS_SECRET_KEY remains a clear
placeholder (e.g. RUSTFS_SECRET_KEY=CHANGE-ME-use-openssl-rand-hex-32), and add
a short warning comment above this block instructing operators to set strong,
unique credentials (mentioning using openssl rand -hex 32) before deploying;
update RUSTFS_ACCESS_KEY and RUSTFS_SECRET_KEY in the file and keep the rest of
the RUSTFS_* vars unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 57cfc366-06db-40fd-9ca4-6b41adc21512

📥 Commits

Reviewing files that changed from the base of the PR and between 0ea12b5 and cf3da6b.

📒 Files selected for processing (2)

• docs/examples/.env.truenas.example
• docs/examples/docker-compose.truenas.yml

💤 Files with no reviewable changes (1)

• docs/examples/docker-compose.truenas.yml