From 75bb1478fbb1c9cb6f25635023ea270f07259766 Mon Sep 17 00:00:00 2001
From: Ellie Huxtable
Date: Thu, 22 Jan 2026 16:12:12 -0800
Subject: chore(deps)!: update tls deps, remove built-in tls server support (#3091)

Update reqwest from 0.12 to 0.13 and remove the built-in TLS termination from atuin-server. Users should use a reverse proxy (nginx, caddy, traefik) for TLS/HTTPS support instead.
This removes:
- axum-server and rustls dependencies
- The [tls] configuration section
- The launch_with_tls function
Also updates metrics-exporter-prometheus from 0.17 to 0.18. The reverse proxy approach is standard and provides better flexibility for certificate management. I'd rather keep our server stack as minimal as possible.
## Checks
- [ ] I am happy for maintainers to push small adjustments to this PR, to speed up the review cycle
- [ ] I have checked that there are no existing pull requests for the same thing
---
 crates/atuin-server/src/lib.rs | 61 +++++++-----------------------------------
 1 file changed, 9 insertions(+), 52 deletions(-)

(limited to 'crates/atuin-server/src/lib.rs')

diff --git a/crates/atuin-server/src/lib.rs b/crates/atuin-server/src/lib.rs
index f1d616f2..fcf5dde6 100644
--- a/crates/atuin-server/src/lib.rs
+++ b/crates/atuin-server/src/lib.rs
@@ -5,9 +5,7 @@ use std::net::SocketAddr;
 use atuin_server_database::Database;
 use axum::{Router, serve};
-use axum_server::Handle;
-use axum_server::tls_rustls::RustlsConfig;
-use eyre::{Context, Result, eyre};
+use eyre::{Context, Result};
 
 mod handlers;
 mod metrics;
@@ -46,18 +44,14 @@ async fn shutdown_signal() {
 }
 
 pub async fn launch(settings: Settings, addr: SocketAddr) -> Result<()> {
-    if settings.tls.enable {
-        launch_with_tls::(settings, addr, shutdown_signal()).await
-    } else {
-        launch_with_tcp_listener::(
-            settings,
-            TcpListener::bind(addr)
-                .await
-                .context("could not connect to socket")?,
-            shutdown_signal(),
-        )
-        .await
-    }
+    launch_with_tcp_listener::(
+        settings,
+        TcpListener::bind(addr)
+            .await
+            .context("could not connect to socket")?,
+        shutdown_signal(),
+    )
+    .await
 }
 
 pub async fn launch_with_tcp_listener(
@@ -74,43 +68,6 @@ pub async fn launch_with_tcp_listener(
     Ok(())
 }
 
-async fn launch_with_tls(
-    settings: Settings,
-    addr: SocketAddr,
-    shutdown: impl Future,
-) -> Result<()> {
-    let crypto_provider = rustls::crypto::ring::default_provider().install_default();
-    if crypto_provider.is_err() {
-        return Err(eyre!("Failed to install default crypto provider"));
-    }
-    let rustls_config = RustlsConfig::from_pem_file(
-        settings.tls.cert_path.clone(),
-        settings.tls.pkey_path.clone(),
-    )
-    .await;
-    if rustls_config.is_err() {
-        return Err(eyre!("Failed to load TLS key and/or certificate"));
-    }
-    let rustls_config = rustls_config.unwrap();
-
-    let r = make_router::(settings).await?;
-
-    let handle = Handle::new();
-
-    let server = axum_server::bind_rustls(addr, rustls_config)
-        .handle(handle.clone())
-        .serve(r.into_make_service());
-
-    tokio::select! {
-        _ = server => {}
-        _ = shutdown => {
-            handle.graceful_shutdown(None);
-        }
-    }
-
-    Ok(())
-}
-
 // The separate listener means it's much easier to ensure metrics are not accidentally exposed to
 // the public.
 pub async fn launch_metrics_server(host: String, port: u16) -> Result<()> {
-- 
cgit v1.3.1
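Review bot: The new body of `launch` binds a plaintext `TcpListener` on `addr` unconditionally, and nothing in this hunk signals to an operator whose existing config still sets `enable = true` under the old `[tls]` section that the setting is now ignored; whether the settings loader rejects that stale key or silently drops it is not visible here, since `Settings` is defined outside this file. The failure mode to guard against is a quiet downgrade at upgrade time, where a deployment that previously terminated TLS itself starts serving in cleartext with no log line or startup error, so a startup check in the settings loader that fails with a pointer to the reverse-proxy documentation when the legacy `[tls]` key is present would be worth adding alongside this commit. At minimum, `launch` should document the new contract, e.g. `/// Serves plain HTTP on `addr`; TLS termination is expected from a reverse proxy placed in front of the server.` Separately, the turbofish in `launch_with_tcp_listener::(` appears to have lost its type argument in rendering; if the source really reads that way it will not compile, though this looks like an extraction artifact rather than a defect in the commit.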