
Sekurŝranko, an efficient and memory-safe Threema Safe server implementation in Rust.

Sekurŝranko


An efficient and memory-safe Threema Safe server implementation written in Rust.

This is a private project, not developed nor endorsed by Threema GmbH.

The server spec can be found in the Cryptography Whitepaper.

Features

The following features are implemented:

  • [x] Request config
  • [x] Download backups
  • [x] Upload backups
  • [x] Delete backups
  • [x] Settings configurable by user
  • [x] User agent validation

To be implemented:

  • [ ] Automatic cleanup of expired backups

The following features are out of scope and should be handled by another server component (e.g. Nginx):

  • [ ] Throttling
  • [ ] TLS termination

Docker

There is a Docker image for this project:

docker run \
    -v /sekursranko:/tmp/sekursranko \
    -p 3000:3000 \
    docker.io/dbrgn/sekursranko:master

Config variables can be passed to the Docker image as uppercase env vars, for example:

docker run -e MAX_BACKUP_BYTES=12345 (...)

The image for the master branch is re-built on every push. The images for the latest release and the master branch are also re-built every week.

Note: The UID/GID of the user within the Docker image is fixed to 1337.

Note: I do not offer any guarantees for this published image. It's purely provided for convenience. For critical setups, build the image yourself.

Building

To make a release build:

cargo build --release

You will find the binary at target/release/sekursranko.

Testing

Sekurŝranko is thoroughly covered by unit tests and integration tests.

To run the tests:

cargo test

In case you want to enable logging:

RUST_LOG=sekursranko=trace cargo test

To run linting:

rustup component add clippy
cargo clippy --all-targets --all-features

Running

Simply execute the binary with the -c or --config argument:

./sekursranko --config config.toml

You can find an example config file in this repository at config.example.toml.

Configure logging using the RUST_LOG env var:

RUST_LOG=sekursranko=debug ./sekursranko -c config.toml

Deployment Notes

Sekurŝranko is meant to be run behind a reverse proxy (e.g. Nginx) that does TLS termination. That's why it currently doesn't support TLS directly.

Note that you cannot back up to a server without TLS from the Threema app.
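
A minimal Nginx front end for the setup described above, as an added example that is not part of the project's own documentation: it terminates TLS and throttles requests per client IP before proxying to Sekurŝranko on port 3000 (the port used in the Docker example). The hostname, certificate paths, rate limits and body size limit are assumptions to adapt.

```nginx
# Added example, not from the Sekurŝranko repository.
# These directives belong inside the http { } context of nginx.conf.

# Throttling: shared-memory zone keyed by client IP.
# Zone name, size and rate are constructed values.
limit_req_zone $binary_remote_addr zone=safe_api:10m rate=5r/s;

server {
    # TLS termination happens here; the backend only ever sees plain HTTP.
    listen 443 ssl;
    server_name safe.example.com;                        # placeholder hostname

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Assumed value. Uploads larger than this are rejected by Nginx with 413,
    # so keep it at or above the MAX_BACKUP_BYTES setting of the server.
    client_max_body_size 1m;

    location / {
        # Allow short bursts, answer excess requests with 429.
        limit_req        zone=safe_api burst=10 nodelay;
        limit_req_status 429;

        # Sekurŝranko listening on the loopback interface.
        proxy_pass       http://127.0.0.1:3000;
        proxy_set_header Host $host;
    }
}
```

If Sekurŝranko runs in Docker on the same host, publishing the port as -p 127.0.0.1:3000:3000 instead of -p 3000:3000 keeps the plain-HTTP backend reachable only through the proxy.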

Name

The name of this project is the Esperanto word for "safe". English-speaking people might recognize the "sekur-" prefix (-> secure), and German-speaking people might recognize the "-ŝranko" suffix (-> "Schrank", a cabinet).

License

Licensed under either of

  • Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
  • MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.

Contributing

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.