style: final polish of comments and headers across all files

Author: webees

Dockerfile

@@ -14,7 +14,9 @@ ENV WORKDIR=/app \
     TZ="Asia/Shanghai" \
     OVERMIND_PROCFILE=/Procfile \
     OVERMIND_CAN_DIE=crontab \
+    # Gotify settings
     GOTIFY_SERVER_PORT=8080 \
+    # Trust Caddy proxy (localhost) to correctly parse X-Forwarded-For
     GOTIFY_SERVER_TRUSTEDPROXIES='["127.0.0.1"]'
 
 WORKDIR $WORKDIR
@@ -51,17 +53,17 @@ RUN apt update && apt install -y --no-install-recommends \
     tmux \
     msmtp \
     bsd-mailx \
-    # Binary tools
+    # Download binary tools
     && curl -fsSL "$SUPERCRONIC_URL" -o /usr/local/bin/supercronic \
     && curl -fsSL "$OVERMIND_URL" | gunzip -c - > /usr/local/bin/overmind \
     && chmod +x /usr/local/bin/supercronic /usr/local/bin/overmind /restic.sh \
-    # Mail symlinks
+    # Symlink msmtp for mail commands
     && ln -sf /usr/bin/msmtp /usr/bin/sendmail \
     && ln -sf /usr/bin/msmtp /usr/sbin/sendmail \
     # Cleanup
     && apt -y autoremove \
     && rm -rf /var/lib/apt/lists/*
 
-# Clear base image entrypoint
+# Clear base image entrypoint to allow Overmind to manage processes
 ENTRYPOINT []
 CMD ["overmind", "start"]

config/Caddyfile

@@ -8,6 +8,7 @@
 	admin off
 	persist_config off
 
+	# Trust Fly.io private networking for accurate IP parsing
 	servers {
 		trusted_proxies static private_ranges
 	}
@@ -21,13 +22,13 @@
 
 # ── Site Block ────────────────────────────────────────────────────────────────
 :80 {
-	# Explicitly handle health checks
+	# Always allow health checks bypass for Fly.io monitoring
 	handle /health {
 		respond "OK" 200
 	}
 
-	# Domain Whitelist Enforcement
-	# If CADDY_DOMAINS is set, block everything else
+	# Domain Access Control
+	# Block requests if CADDY_DOMAINS is set and host doesn't match
 	@outside_domain {
 		expression `{env.CADDY_DOMAINS} != ""`
 		not host {$CADDY_DOMAINS}
@@ -36,23 +37,30 @@
 		respond "Access Denied: Domain not allowed" 403
 	}
 
-	# Main application handling
+	# Main Reverse Proxy Logic
 	handle {
 		encode zstd gzip
 
+		# Harden security posture
 		header {
+			# Infrastructure protection
 			Strict-Transport-Security "max-age=31536000;"
 			X-Content-Type-Options "nosniff"
 			X-Frame-Options "DENY"
 			X-XSS-Protection "1; mode=block"
+
+			# Privacy & Anti-tracking
 			Referrer-Policy "strict-origin-when-cross-origin"
 			Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
 			X-Robots-Tag "noindex, nofollow"
+
+			# Hide sensitive headers
 			-Server
 			-X-Powered-By
 			-Last-Modified
 		}
 
+		# Proxy to the application backend
 		reverse_proxy localhost:8080 {
 			header_up X-Real-IP {http.request.header.Fly-Client-IP}
 			header_up X-Forwarded-For {http.request.header.Fly-Client-IP}

config/Procfile

@@ -1,3 +1,8 @@
+# ╔═══════════════════════════════════════════════════════════════════════════╗
+# ║ Overmind Process Configuration                                            ║
+# ╚═══════════════════════════════════════════════════════════════════════════╝
+
+# Application services
 gotify: cd /app && ./gotify-app
 caddy: caddy run --config /Caddyfile
 crontab: supercronic /crontab

config/crontab

@@ -1,2 +1,6 @@
-# Restic backup
+# ╔═══════════════════════════════════════════════════════════════════════════╗
+# ║ Supercronic Crontab                                                       ║
+# ╚═══════════════════════════════════════════════════════════════════════════╝
+
+# Restic backup schedule
 @hourly /restic.sh backup

scripts/restic.sh

@@ -15,23 +15,26 @@ LOG_DIR="/var/log/restic"
 LOG="$LOG_DIR/$(date +%Y%m%d_%H%M%S).log"
 mkdir -p "$LOG_DIR"
 
-# ANSI colors
+# ANSI colors for terminal output
 R="\x1b[31;01m" G="\x1b[32;01m" Y="\x1b[33;01m" B="\x1b[34;01m" X="\x1b[0m"
 
 # ┌───────────────────────────────────────────────────────────────────────────┐
 # │ Utilities                                                                 │
 # └───────────────────────────────────────────────────────────────────────────┘
 
+# Log output to both stdout and a log file
 log() { "$@" 2>&1 | tee -a "$LOG"; }
 
+# Send email notification on failure or test
 mail() {
     [ -z "${SMTP_TO:-}" ] && return
-    # Strip ANSI codes, add UTF-8 header
+    # Strip ANSI colors and add UTF-8 content-type
     sed 's/\x1b\[[0-9;]*m//g' "$LOG" | command mail \
         -a "Content-Type: text/plain; charset=UTF-8" \
         -s "[$APP_NAME] $1" "$SMTP_TO"
 }
 
+# Run a command and log its status
 run() {
     log echo -en "${B}$2${X} "
     local out
@@ -42,10 +45,11 @@ run() {
     fi
     log echo -e "${R}✗${X}"
     log echo "$out"
-    mail "$2"
+    mail "Task Failed: $2"
     exit 2
 }
 
+# Initialize msmtp configuration for email sending
 initMail() {
     [ -z "${SMTP_TO:-}" ] && return
     [ -z "${SMTP_HOST:-}" ] && return
@@ -69,43 +73,49 @@ EOF
 # │ Commands                                                                  │
 # └───────────────────────────────────────────────────────────────────────────┘
 
+# Perform full backup, check, and prune
 cmdBackup() {
-    # Sync time to avoid R2/S3 signature mismatch
+    # Sync time to ensure S3/R2 requests are valid
     ntpdate -u pool.ntp.org 2>/dev/null || log echo -e "${Y}NTP sync skipped${X}"
 
+    # Unlock repository in case of previous interrupted runs
     restic unlock 2>/dev/null || true
 
+    # Initialize repository if it doesn't exist
     if ! restic cat config >/dev/null 2>&1; then
-        log echo -e "${Y}Repo not initialized${X}"
+        log echo -e "${Y}Repository not initialized, initializing now...${X}"
         run "restic init" "Repo init"
     fi
 
+    # Execute restic operations
     run "restic backup --verbose '$DATA'" "Restic backup"
     run "restic check" "Restic check"
     run "restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 3 --keep-yearly 3 --prune" "Snapshot prune"
 
+    # Cleanup old logs (older than 10 hours)
     find "$LOG_DIR" -name "*.log" -type f -mmin +600 -delete
 
-    log echo -e "${G}Backup complete ✨${X}"
+    log echo -e "${G}Backup process complete ✨${X}"
 }
 
+# Restore data from a specific snapshot ID
 cmdRestore() {
-    [ -z "${1:-}" ] && { echo "Usage: $0 restore <id>"; exit 1; }
+    [ -z "${1:-}" ] && { echo "Usage: $0 restore <snapshot-id>"; exit 1; }
     run "restic restore '$1' --target /" "Restore $1"
 }
 
 # ┌───────────────────────────────────────────────────────────────────────────┐
-# │ Main                                                                      │
+# │ Execution Entry Point                                                     │
 # └───────────────────────────────────────────────────────────────────────────┘
 
-[ -z "${RESTIC_PASSWORD:-}" ] && { echo "Missing RESTIC_PASSWORD"; exit 1; }
+[ -z "${RESTIC_PASSWORD:-}" ] && { echo "Error: RESTIC_PASSWORD not set"; exit 1; }
 
 initMail
 
 case "${1:-}" in
     backup)    cmdBackup ;;
     restore)   cmdRestore "${2:-}" ;;
     snapshots) restic snapshots ;;
-    mail-test) echo "Test email from $APP_NAME" | command mail -s "[$APP_NAME] Mail Test" "$SMTP_TO" && echo "Mail sent to $SMTP_TO" ;;
+    mail-test) echo "This is a test email from the $APP_NAME backup system." | command mail -s "[$APP_NAME] Mail Test" "$SMTP_TO" && echo "Test email sent to $SMTP_TO" ;;
     *)         echo "Usage: $0 {backup|restore <id>|snapshots|mail-test}"; exit 1 ;;
 esac