diff --git a/VERSION b/VERSION
index 28dff43..2e9116b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.35
+1.0.36
diff --git a/cmd/edgeguard-api/main.go b/cmd/edgeguard-api/main.go
index 5bf6965..aedc6bf 100644
--- a/cmd/edgeguard-api/main.go
+++ b/cmd/edgeguard-api/main.go
@@ -43,7 +43,7 @@ import (
 wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
 )
-var version = "1.0.35"
+var version = "1.0.36"
 func main() {
 addr := os.Getenv("EDGEGUARD_API_ADDR")
diff --git a/cmd/edgeguard-ctl/main.go b/cmd/edgeguard-ctl/main.go
index 6f9ec9b..38bff6d 100644
--- a/cmd/edgeguard-ctl/main.go
+++ b/cmd/edgeguard-ctl/main.go
@@ -9,7 +9,7 @@ import (
 "os"
 )
-var version = "1.0.35"
+var version = "1.0.36"
 const usage = `edgeguard-ctl — EdgeGuard CLI
diff --git a/cmd/edgeguard-scheduler/main.go b/cmd/edgeguard-scheduler/main.go
index 29b270d..7a1f570 100644
--- a/cmd/edgeguard-scheduler/main.go
+++ b/cmd/edgeguard-scheduler/main.go
@@ -21,7 +21,7 @@ import (
 "git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
 )
-var version = "1.0.35"
+var version = "1.0.36"
 const (
 // renewTickInterval — how often we re-evaluate expiring certs.
diff --git a/internal/configgen/configgen.go b/internal/configgen/configgen.go
index 1dcd35b..409f966 100644
--- a/internal/configgen/configgen.go
+++ b/internal/configgen/configgen.go
@@ -87,6 +87,18 @@ func ReloadService(name string) error {
 return nil
 }
+// RestartService runs `sudo -n systemctl restart .service`.
+// Use over ReloadService when the daemon needs to re-read more than
+// just rules — e.g. unbound rebinds listen-sockets only on startup,
+// so a settings.listen_addresses change requires restart.
+func RestartService(name string) error {
+ cmd := exec.Command("sudo", "-n", "/usr/bin/systemctl", "restart", name+".service")
+ if out, err := cmd.CombinedOutput(); err != nil {
+ return fmt.Errorf("sudo systemctl restart %s.service: %w (output: %s)", name, err, strings.TrimSpace(string(out)))
+ }
+ return nil
+}
+
 // EtcEdgeguard is the on-target config root. Templated path used by
 // all renderers — never let renderers hard-code their own.
 const EtcEdgeguard = "/etc/edgeguard"
diff --git a/internal/unbound/unbound.go b/internal/unbound/unbound.go
index 8dee80a..c06ea36 100644
--- a/internal/unbound/unbound.go
+++ b/internal/unbound/unbound.go
@@ -131,7 +131,13 @@ func (g *Generator) Render(ctx context.Context) error {
 if g.SkipReload {
 return nil
 }
- return configgen.ReloadService("unbound")
+ // Restart statt reload: unbound bindet Listen-Sockets nur beim
+ // Startup. Bei Settings-Änderungen (listen_addresses-Wechsel)
+ // greift ein bloßes 'systemctl reload' nicht — die neuen IPs
+ // werden erst nach echtem Restart gebound. Trade-off: ~200ms
+ // Downtime des Resolvers, dafür konsistentes Verhalten für jede
+ // Mutation.
+ return configgen.RestartService("unbound")
 }
 func splitCSV(s string) []string {
diff --git a/management-ui/package.json b/management-ui/package.json
index b784721..d7f22a5 100644
--- a/management-ui/package.json
+++ b/management-ui/package.json
@@ -1,7 +1,7 @@
 {
 "name": "edgeguard-management-ui",
 "private": true,
- "version": "1.0.35",
+ "version": "1.0.36",
 "type": "module",
 "scripts": {
 "dev": "vite",
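Review bot: In the new `RestartService` in internal/configgen/configgen.go, `name` is concatenated straight into the unit argument, so the sudoers rule is the only thing limiting which unit this exported helper can restart as root. `exec.Command` avoids a shell, but a value beginning with `-` would still be parsed by systemctl as an option rather than a unit name. I would reject anything outside a conservative pattern before building the command, e.g. `if !validUnitName.MatchString(name) { return fmt.Errorf("invalid service name %q", name) }` with a new package-level `validUnitName = regexp.MustCompile("^[A-Za-z0-9][A-Za-z0-9_.@-]*$")`. The doc comment should also say that sudoers currently permits this only for unbound, and `ReloadService`, whose body lies outside the hunk, probably deserves the same guard.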
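Review bot: Because `Render` in internal/unbound/unbound.go now ends in `configgen.RestartService("unbound")`, a rendered config that unbound refuses to load leaves the box without a resolver after any mutation. Whether `Render` validates the file earlier is not visible, since the function starts outside this hunk; if it does not, run `unbound-checkconf` on the rendered file and return its error before the restart. The new comment block is German while the other comments in this commit are English; an opening line such as `// Restart, not reload: unbound binds its listen sockets only at startup.` would keep the file consistent.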
diff --git a/management-ui/src/components/Layout/Sidebar.tsx b/management-ui/src/components/Layout/Sidebar.tsx
index 621b7ea..d2797fd 100644
--- a/management-ui/src/components/Layout/Sidebar.tsx
+++ b/management-ui/src/components/Layout/Sidebar.tsx
@@ -73,7 +73,7 @@ const NAV: NavSection[] = [
 },
 ]
-const VERSION = '1.0.35'
+const VERSION = '1.0.36'
 export default function Sidebar({ isOpen, onClose }: SidebarProps) {
 const { t } = useTranslation()
diff --git a/packaging/debian/edgeguard-api/DEBIAN/postinst b/packaging/debian/edgeguard-api/DEBIAN/postinst
index 545cfc6..7830777 100755
--- a/packaging/debian/edgeguard-api/DEBIAN/postinst
+++ b/packaging/debian/edgeguard-api/DEBIAN/postinst
@@ -58,6 +58,8 @@ edgeguard ALL=(root) NOPASSWD: /usr/bin/systemctl reload squid.service
 edgeguard ALL=(root) NOPASSWD: /bin/systemctl reload squid.service
 edgeguard ALL=(root) NOPASSWD: /usr/bin/systemctl reload unbound.service
 edgeguard ALL=(root) NOPASSWD: /bin/systemctl reload unbound.service
+edgeguard ALL=(root) NOPASSWD: /usr/bin/systemctl restart unbound.service
+edgeguard ALL=(root) NOPASSWD: /bin/systemctl restart unbound.service
 SUDOERS
 # ── Distro-Conf-Includes für die per-Service Renderer ─────────
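Review bot: The two new `restart unbound.service` rules in postinst sit inside a sudoers heredoc whose opening and install step are outside this hunk, so it is not visible whether the generated file is syntax-checked. If postinst does not already do so, validate it with `visudo -cf <generated-sudoers-file>` before moving it into place, since a malformed drop-in can break sudo for every rule on the box. The rules themselves are pinned to an exact command and unit, which is the right shape. A comment line above them, e.g. `# restart (not reload): unbound rebinds listen sockets only on startup`, would record why this unit alone gets restart rights.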