feat(configgen): Phase 2 Config-Generator + nginx → HAProxy-only Pivot
Architektur-Pivot: nginx fällt komplett weg. HAProxy 2.8+ übernimmt
TLS-Termination, L7-Routing per Host-Header und LB. ACME-Webroot
und Management-UI werden von edgeguard-api ausgeliefert (Phase 3
implementiert die zugehörigen Handler); HAProxy proxied
/.well-known/acme-challenge/* und Management-FQDN-Traffic an
127.0.0.1:9443. Eine Distro-Abhängigkeit weniger, ein Renderer
weniger, sauberere Trennung.
Renderer (alle mit Embed-Templates + Tests):
* internal/configgen/ — atomic write + systemctl reload helpers
* internal/haproxy/ — :80 + :443, ACME-ACL, Host-Header-Routing,
Stats-Frontend, api_backend Fallback
* internal/firewall/ — default-deny input, stateful baseline,
SSH-Rate-Limit, :80/:443 accept,
Cluster-Peer-Set für mTLS :8443,
Custom-Rules aus PG
* internal/{squid,wireguard,unbound}/ — Stubs (ErrNotImplemented)
Orchestrator + CLI:
* internal/services/configorch/ — fester Reihenfolge-Run, Stubs
sind soft-skip statt fatal
* cmd/edgeguard-ctl render-config [--no-reload] [--only=svc1,svc2]
Packaging:
* postinst: /etc/edgeguard/nginx raus, /var/lib/edgeguard/acme rein,
self-signed _default.pem via openssl req (damit HAProxy startet
bevor certbot etwas issuet hat)
* control: Depends nginx raus, openssl rein
* edgeguard-ui: dependency auf nginx weg, "Served by edgeguard-api
gin StaticFS"
Live-Smoke: render-config gegen lokale PG schreibt /etc/edgeguard/
haproxy/haproxy.cfg + nftables.d/ruleset.nft korrekt; CRUD-Test aus
Phase 2 läuft weiter unverändert.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
90
internal/configgen/configgen.go
Normal file
90
internal/configgen/configgen.go
Normal file
@@ -0,0 +1,90 @@
|
||||
// Package configgen contains shared helpers used by the per-service
|
||||
// renderers in internal/{haproxy,firewall,squid,wireguard,unbound}/.
|
||||
//
|
||||
// Each renderer satisfies the Generator interface: Render reads state
|
||||
// from PG, writes the rendered config to /etc/edgeguard/<svc>/ via
|
||||
// AtomicWrite, then signals the running daemon via systemctl reload
|
||||
// (or its service-specific reload command). Failures are surfaced
|
||||
// to the caller — the orchestrator decides whether one bad renderer
|
||||
// aborts the whole run.
|
||||
package configgen
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
)
|
||||
|
||||
// Generator is the contract every per-service renderer satisfies.
|
||||
//
|
||||
// Name returns a stable identifier ("haproxy", "nftables", …)
|
||||
// used in CLI output and audit logs. Render does the actual write +
|
||||
// reload work; ctx may be cancelled (e.g. orchestrator timeout).
|
||||
type Generator interface {
|
||||
Name() string
|
||||
Render(ctx context.Context) error
|
||||
}
|
||||
|
||||
// ErrNotImplemented is returned by stub renderers (squid, wireguard,
|
||||
// unbound in v1). The orchestrator treats it as a soft skip — logged
|
||||
// but never fatal.
|
||||
var ErrNotImplemented = errors.New("renderer not implemented yet")
|
||||
|
||||
// AtomicWrite writes data to path atomically via a temp file in the
|
||||
// same directory + rename. Both the temp file and the final file are
|
||||
// fsync'd to make the rename durable across an OS crash. Mode is
|
||||
// applied AFTER the rename so the previous file's permissions don't
|
||||
// leak through.
|
||||
func AtomicWrite(path string, data []byte, mode os.FileMode) error {
|
||||
dir := filepath.Dir(path)
|
||||
if err := os.MkdirAll(dir, 0o750); err != nil {
|
||||
return fmt.Errorf("mkdir %s: %w", dir, err)
|
||||
}
|
||||
tmp, err := os.CreateTemp(dir, ".eg-render-*")
|
||||
if err != nil {
|
||||
return fmt.Errorf("tempfile: %w", err)
|
||||
}
|
||||
tmpPath := tmp.Name()
|
||||
defer os.Remove(tmpPath) // no-op if rename succeeded
|
||||
|
||||
if _, err := tmp.Write(data); err != nil {
|
||||
tmp.Close()
|
||||
return fmt.Errorf("write %s: %w", tmpPath, err)
|
||||
}
|
||||
if err := tmp.Sync(); err != nil {
|
||||
tmp.Close()
|
||||
return fmt.Errorf("fsync %s: %w", tmpPath, err)
|
||||
}
|
||||
if err := tmp.Close(); err != nil {
|
||||
return fmt.Errorf("close %s: %w", tmpPath, err)
|
||||
}
|
||||
if err := os.Chmod(tmpPath, mode); err != nil {
|
||||
return fmt.Errorf("chmod %s: %w", tmpPath, err)
|
||||
}
|
||||
if err := os.Rename(tmpPath, path); err != nil {
|
||||
return fmt.Errorf("rename %s → %s: %w", tmpPath, path, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// ReloadService sends `systemctl reload <name>`. Returns the
|
||||
// CombinedOutput on failure so the caller can surface the actual
|
||||
// systemd error to the operator.
|
||||
//
|
||||
// Some services don't support reload (nftables — no daemon); for
|
||||
// those, callers should run the service-specific reload directly
|
||||
// rather than calling this helper.
|
||||
func ReloadService(name string) error {
|
||||
cmd := exec.Command("systemctl", "reload", name)
|
||||
if out, err := cmd.CombinedOutput(); err != nil {
|
||||
return fmt.Errorf("systemctl reload %s: %w (output: %s)", name, err, string(out))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// EtcEdgeguard is the on-target config root. Templated path used by
|
||||
// all renderers — never let renderers hard-code their own.
|
||||
const EtcEdgeguard = "/etc/edgeguard"
|
||||
Reference in New Issue
Block a user