Use this page as a quick checklist before exposing NodeTool beyond your laptop. It links to the canonical guides for config, auth, and proxy settings.
Applies Everywhere
- Require TLS termination at the proxy or ingress; use real certificates and redirect HTTP to HTTPS. See Proxy Reference.
- Do not run with `AUTH_PROVIDER=none` or `local` outside isolated dev; use `static` or `supabase` and rotate `WORKER_AUTH_TOKEN` regularly. See Authentication.
- Keep secrets out of Git: load provider keys and tokens from env vars or a secrets manager; never commit `.env` files with secrets.
- Restrict Docker access: run the proxy with a dedicated network (`docker_network`) and avoid exposing the Docker socket beyond the host.
- Limit blast radius: run workers with `mem_limit`/`cpus` and read-only mounts where possible. See Docker Resource Management.
Development (Local)
- Bind services to `127.0.0.1` and avoid publishing container ports to the LAN.
- Use temporary tokens for demos; clear `~/.config/nodetool/deployment.yaml` when finished.
- Disable Terminal WebSocket if unused (`NODETOOL_ENABLE_TERMINAL_WS=`) to reduce exposed surfaces.
Staging
- Gate access behind VPN or IP allowlists; do not rely on obscurity.
- Use distinct Supabase projects and tokens from production; rotate service-role keys when people leave.
- Enable TLS end-to-end, including internal hops if traversing untrusted networks.
- Back up the workspace volume and databases on a schedule; restrict who can read the backups.
Production
- Enforce `AUTH_PROVIDER=supabase` (or `static` with long, rotated tokens for service-to-service traffic only).
- Use dedicated proxy and worker identities; keep `proxy.yaml` free of embedded secrets and distribute bearer tokens via your secrets manager.
- Set `idle_timeout` and per-service resource caps to prevent runaway workloads on multi-tenant hosts.
- Centralize logging and monitor for auth failures, 429s, and container restarts; alert on unusual spikes.
- Keep images patched: rebuild regularly, track base image CVEs, and prune unused images.
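
The environment-variable and Git items above can be checked automatically before a deploy. The script below is an added example, not part of NodeTool: it uses only the variable names and provider values from this checklist. It assumes a 32-character minimum token length and that any non-empty `NODETOOL_ENABLE_TERMINAL_WS` leaves the terminal enabled; the function names are this example's own.

```python
import os
import subprocess
import sys

DEV_ONLY = {"none", "local"}         # checklist: isolated dev only
NETWORK_OK = {"static", "supabase"}  # checklist: use these when exposed
MIN_TOKEN_LEN = 32                   # assumption of this example, not a NodeTool rule


def check_env(env):
    """Return a list of findings; an empty list means the checked items pass."""
    findings = []
    provider = env.get("AUTH_PROVIDER", "").strip().lower()
    if provider in DEV_ONLY:
        findings.append(f"AUTH_PROVIDER={provider} is for isolated dev only")
    elif provider not in NETWORK_OK:
        findings.append(f"AUTH_PROVIDER={provider or '<unset>'}: set static or supabase explicitly")
    if provider == "static" and len(env.get("WORKER_AUTH_TOKEN", "")) < MIN_TOKEN_LEN:
        findings.append(f"WORKER_AUTH_TOKEN is missing or shorter than {MIN_TOKEN_LEN} characters")
    # Assumption: any non-empty value leaves the terminal WebSocket enabled.
    if env.get("NODETOOL_ENABLE_TERMINAL_WS", ""):
        findings.append("NODETOOL_ENABLE_TERMINAL_WS is set; leave it empty if the terminal is unused")
    return findings


def tracked_env_files(tracked_paths):
    """Return Git-tracked paths whose file name is .env or .env.<suffix>."""
    hits = []
    for path in tracked_paths:
        name = path.rsplit("/", 1)[-1]
        if name == ".env" or name.startswith(".env."):
            hits.append(path)
    return hits


def main():
    findings = check_env(os.environ)
    try:
        out = subprocess.run(["git", "ls-files"], capture_output=True, text=True, check=True).stdout
        findings += [f"{p} is tracked by Git; confirm it holds no secrets"
                     for p in tracked_env_files(out.splitlines())]
    except (OSError, subprocess.CalledProcessError):
        pass  # not a Git checkout, or git is not installed: skip this check
    for finding in findings:
        print("FAIL:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the repository root in the same environment the service will start in; a non-zero exit status can gate a CI or deploy step.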