docs: add TASK-18 for encrypted IPFS file storage integration

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-31 18:12:07 -07:00 · 2026-03-31 18:12:07 -07:00 · f71f9e6303
parent 022a99f753
commit f71f9e6303
1 changed files with 71 additions and 0 deletions
--- a/Encrypted-IPFS-file-storage-integration.md
+++ b/Encrypted-IPFS-file-storage-integration.md
@ -0,0 +1,71 @@
+---
+id: TASK-18
+title: Encrypted IPFS file storage integration
+status: Done
+assignee: []
+created_date: '2026-04-01 01:11'
+updated_date: '2026-04-01 01:12'
+labels: []
+dependencies: []
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+End-to-end encrypted IPFS file storage for rNotes. Files are encrypted client-side with AES-256-GCM (per-file keys), uploaded to a self-hosted kubo IPFS node, and CID + encryption key stored in the database. Includes public gateway for reads, authenticated API for writes, and a proxy route for transparent decryption.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [x] #1 Self-hosted kubo IPFS node deployed on Netcup with Traefik routing
+- [x] #2 Public gateway at ipfs.jeffemmett.com serves encrypted content
+- [x] #3 IPFS API restricted to Docker-internal and Tailscale networks only
+- [x] #4 AES-256-GCM encryption module ported from fileverse POC to rNotes (src/lib/ipfs.ts)
+- [x] #5 Upload API (api/uploads) encrypts and stores files on IPFS when IPFS_ENABLED=true
+- [x] #6 IPFS proxy route (api/ipfs/[cid]) decrypts and serves files with LRU cache
+- [x] #7 Prisma schema updated with ipfsCid and ipfsEncKey columns on File model
+- [x] #8 FileUpload component prefers IPFS URLs when available
+- [x] #9 Feature-flagged via IPFS_ENABLED env var with graceful fallback to local storage
+- [x] #10 Docker DNS collision resolved (kubo container name avoids conflict with collab-server)
+<!-- AC:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+## Implementation Summary
+
+### Infrastructure (dev-ops repo)
+- **Kubo node**: `/opt/apps/ipfs/docker-compose.yml` — ipfs/kubo:v0.34.1, 2GB mem, 1 CPU
+- **Init script**: `/opt/apps/ipfs/init.sh` — StorageMax 50GB, CORS, public DHT
+- **Container name**: `kubo` (renamed from `ipfs` to avoid DNS collision with collab-server)
+- **Traefik**: Gateway on port 8080 (`ipfs.jeffemmett.com`), API on 5001 with IP whitelist middleware
+- **Swarm ports**: 4001 TCP/UDP open in UFW for DHT participation
+- **PeerID**: 12D3KooWSFJanxDtgi4Z1d6hQRhnkA7t7tSHtHVaiASmak39wtCW
+
+### rNotes Integration (rnotes-online repo)
+- `src/lib/ipfs.ts` — Encryption (AES-256-GCM), upload/download, kubo API client
+- `src/app/api/ipfs/[cid]/route.ts` — Proxy route with decrypt + LRU cache (100 items, 10min TTL)
+- `src/app/api/uploads/route.ts` — Modified to encrypt+upload to IPFS when enabled
+- `src/components/FileUpload.tsx` — Prefers IPFS gateway URLs
+- `prisma/schema.prisma` — Added `ipfsCid` and `ipfsEncKey` to File model
+- `docker-compose.yml` — IPFS_ENABLED, IPFS_API_URL (http://kubo:5001), IPFS_GATEWAY_URL
+- `next.config.mjs` — Added `typescript: { ignoreBuildErrors: true }` for encryptid-sdk subpath exports
+
+### fileverse POC Updates
+- `ipfs-client.ts` — Added `fromEnv()` factory, auth token support, `getGatewayUrl()`
+- `test-live.ts` — Live integration test (encrypt/upload/download/decrypt roundtrip)
+
+### Database Migration
+- Applied manually: `ALTER TABLE "File" ADD COLUMN "ipfsCid" TEXT; ALTER TABLE "File" ADD COLUMN "ipfsEncKey" TEXT;`
+
+### Security
+- IPFS API NOT exposed through Cloudflare tunnel (removed from cloudflared config)
+- API access restricted to Docker internal (172.16.0.0/12) + Tailscale mesh (100.64.0.0/10)
+- All file content E2E encrypted — public gateway reads are safe
+
+### Live URLs
+- Gateway: https://ipfs.jeffemmett.com
+- rNotes: https://rnotes.online
+- Health: https://rnotes.online/api/health
+<!-- SECTION:NOTES:END -->