Skip to content

docs: Add documentation for FlatRun Agent#152

Open
Lantum-Brendan wants to merge 8 commits into
flatrun:mainfrom
Lantum-Brendan:docs/create-docs
Open

docs: Add documentation for FlatRun Agent#152
Lantum-Brendan wants to merge 8 commits into
flatrun:mainfrom
Lantum-Brendan:docs/create-docs

Conversation

@Lantum-Brendan

Copy link
Copy Markdown

Add docs.json manifest and 5 markdown files covering overview, installation, configuration, API reference, and security.

Add docs.json manifest and 5 markdown files covering overview,
installation, configuration, API reference, and security.
@sourceant

sourceant Bot commented Jun 25, 2026

Copy link
Copy Markdown

Code Review Summary

This PR adds comprehensive documentation for the FlatRun Agent, including installation guides, configuration references, and a full OpenAPI 3.2 specification.

🚀 Key Improvements

  • Added a systemd service unit following best practices for non-root execution.
  • Provided a full OpenAPI definition for all API endpoints.
  • Consolidated overview, security, and plugin architecture into dedicated files.

💡 Minor Suggestions

  • Improve parameter syntax consistency between API reference markdown and OpenAPI YAML.
  • Update example paths to align with the recommended production directory /opt/flatrun.

@sourceant sourceant Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. See the overview comment for a summary.

Comment thread docs/configuration.md Outdated
enabled: true
api_keys:
- "your-secure-api-key-here"
jwt_secret: "generate-a-secure-random-string-here"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hardcoding a specific instruction to generate a secret is better than using a placeholder string which might be accidentally left in production configurations.

Suggested change
jwt_secret: "generate-a-secure-random-string-here"
jwt_secret: "REPLACE_WITH_SECURE_RANDOM_STRING"

@nfebe nfebe left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of manually documenting all endpoints... we could introduce the openapi standard

@sourceant sourceant Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. See the overview comment for a summary.

Comment thread docs.json Outdated
{ "title": "Installation", "path": "docs/installation.md" },
{ "title": "Configuration", "path": "docs/configuration.md" },
{ "title": "API Reference", "path": "docs/api-reference.md" },
{ "title": "Plugin Architecture", "path": "docs/PLUGIN_ARCHITECTURE.md" },

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consistency: All other documentation files use kebab-case (e.g., api-reference.md). It is recommended to rename PLUGIN_ARCHITECTURE.md to plugin-architecture.md for consistency and better URL readability in some static site generators.

Suggested change
{ "title": "Plugin Architecture", "path": "docs/PLUGIN_ARCHITECTURE.md" },
{ "title": "Plugin Architecture", "path": "docs/plugin-architecture.md" },

Comment thread docs/installation.md Outdated

[Service]
Type=simple
User=root

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Best Practice: Running the agent as root is generally discouraged unless strictly necessary. Since the agent primarily needs access to the Docker socket, it is safer to create a dedicated system user and add them to the docker group.

Suggested change
User=root
User=flatrun
Group=docker

Comment thread docs/installation.md
[Service]
Type=simple
User=root
WorkingDirectory=/opt/flatrun

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The installation guide should include a step to create the /opt/flatrun directory, otherwise the service will fail to start due to a missing WorkingDirectory.

Suggested change
WorkingDirectory=/opt/flatrun
WorkingDirectory=/opt/flatrun
# Ensure you run: sudo mkdir -p /opt/flatrun && sudo chown flatrun:flatrun /opt/flatrun

@sourceant sourceant Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. See the overview comment for a summary.

Comment thread docs/installation.md
Type=simple
User=root
WorkingDirectory=/opt/flatrun
ExecStart=/usr/local/bin/flatrun-agent --config /opt/flatrun/config.yml

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The systemd service unit points to a config file in /opt/flatrun/config.yml, but the guide doesn't explicitly mention copying the config file to this directory. Users following this guide step-by-step will encounter a failure on startup.

Suggested change
ExecStart=/usr/local/bin/flatrun-agent --config /opt/flatrun/config.yml
ExecStart=/usr/local/bin/flatrun-agent --config /opt/flatrun/config.yml
# Note: Ensure you copy your config.yml to /opt/flatrun/ before starting.

@sourceant sourceant Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. See the overview comment for a summary.

@@ -0,0 +1,14057 @@
openapi: 3.2.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The OpenAPI version 3.2.0 is not yet a standard officially supported by most tooling (3.0.x and 3.1.0 are standard). Using 3.1.0 is recommended for better compatibility with Swagger UI/Redoc.

Suggested change
openapi: 3.2.0
openapi: 3.1.0

Comment thread docs/configuration.md
### Reference

```yaml
deployments_path: /home/user/deployments

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The example path /home/user/deployments is a user-specific path. For a system-wide agent, it's better to suggest a path like /var/lib/flatrun/deployments to match standard Linux directory hierarchies.

Suggested change
deployments_path: /home/user/deployments
deployments_path: /var/lib/flatrun/deployments

@sourceant sourceant Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. See the overview comment for a summary.

Comment thread docs/configuration.md

nginx:
container_name: nginx
config_path: /deployments/nginx/conf.d

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The configuration example uses /deployments/nginx/conf.d as a path, while the deployments_path at the top of the file suggests /home/user/deployments. This might confuse users about where the nginx configuration should reside relative to the deployments root.

Suggested change
config_path: /deployments/nginx/conf.d
config_path: /var/lib/flatrun/nginx/conf.d

Comment thread docs/installation.md
```ini
[Unit]
Description=FlatRun Agent
After=network.target docker.service

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding After=docker.service is good, but for better robustness, BindsTo=docker.service or PartOf=docker.service ensures the agent stops if the Docker daemon crashes or is stopped, which is critical since the agent depends entirely on it.

Suggested change
After=network.target docker.service
After=network.target docker.service
BindsTo=docker.service

@sourceant sourceant Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. See the overview comment for a summary.

Comment thread docs/configuration.md

nginx:
container_name: nginx
config_path: /deployments/nginx/conf.d

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consistency issue: The config_path refers to /deployments/... but the global deployments_path (line 12) is defined as /home/user/deployments. Using relative paths or consistent absolute paths is recommended to prevent confusion.

Suggested change
config_path: /deployments/nginx/conf.d
config_path: /home/user/deployments/nginx/conf.d

Comment thread docs/installation.md
[Unit]
Description=FlatRun Agent
After=network.target docker.service
Requires=docker.service

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding Requires=docker.service ensures the service fails if Docker isn't available, but BindsTo=docker.service is even stronger, ensuring that if Docker is stopped or restarted, the FlatRun Agent follows suit.

Suggested change
Requires=docker.service
Requires=docker.service
BindsTo=docker.service

Comment thread docs/security.md
@@ -0,0 +1,23 @@
## Security

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The security section is currently a list of troubleshooting tips and basics. Consider adding a specific section about Docker socket security, as providing access to /var/run/docker.sock is equivalent to giving root access to the host.

Suggested change
## Security
- Use strong, unique API keys.
- Generate a secure JWT secret: `openssl rand -base64 32`.
- Run behind a reverse proxy (nginx) with HTTPS in production.
- **Restrict Docker socket access**: Ensure only the `docker` group and the `flatrun` user can access the socket. Avoid exposing the socket over TCP.
- Keep the agent updated.

@sourceant sourceant Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. No specific code suggestions were generated. See the overview comment for a summary.

@sourceant sourceant Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. See the overview comment for a summary.

Comment thread docs/configuration.md
enabled: true
api_keys:
- "your-secure-api-key-here"
jwt_secret: "REPLACE_WITH_SECURE_RANDOM_STRING" # generate via: openssl rand -base64 32

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security risk: While the comment suggests generating a secret, providing a placeholder in a documentation snippet often leads to users leaving it as-is. It is safer to use a prompt that clearly indicates action is required.

Suggested change
jwt_secret: "REPLACE_WITH_SECURE_RANDOM_STRING" # generate via: openssl rand -base64 32
+ jwt_secret: "GENERATED_VIA_OPENSSL_RAND" # generate via: openssl rand -base64 32

@Lantum-Brendan Lantum-Brendan requested a review from nfebe July 1, 2026 11:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants