feat(configgen): Phase 2 Config-Generator + nginx → HAProxy-only Pivot

Architektur-Pivot: nginx fällt komplett weg. HAProxy 2.8+ übernimmt TLS-Termination, L7-Routing per Host-Header und LB. ACME-Webroot und Management-UI werden von edgeguard-api ausgeliefert (Phase 3 implementiert die zugehörigen Handler); HAProxy proxied /.well-known/acme-challenge/* und Management-FQDN-Traffic an 127.0.0.1:9443. Eine Distro-Abhängigkeit weniger, ein Renderer weniger, sauberere Trennung. Renderer (alle mit Embed-Templates + Tests): * internal/configgen/ — atomic write + systemctl reload helpers * internal/haproxy/ — :80 + :443, ACME-ACL, Host-Header-Routing, Stats-Frontend, api_backend Fallback * internal/firewall/ — default-deny input, stateful baseline, SSH-Rate-Limit, :80/:443 accept, Cluster-Peer-Set für mTLS :8443, Custom-Rules aus PG * internal/{squid,wireguard,unbound}/ — Stubs (ErrNotImplemented) Orchestrator + CLI: * internal/services/configorch/ — fester Reihenfolge-Run, Stubs sind soft-skip statt fatal * cmd/edgeguard-ctl render-config [--no-reload] [--only=svc1,svc2] Packaging: * postinst: /etc/edgeguard/nginx raus, /var/lib/edgeguard/acme rein, self-signed _default.pem via openssl req (damit HAProxy startet bevor certbot etwas issuet hat) * control: Depends nginx raus, openssl rein * edgeguard-ui: dependency auf nginx weg, "Served by edgeguard-api gin StaticFS" Live-Smoke: render-config gegen lokale PG schreibt /etc/edgeguard/ haproxy/haproxy.cfg + nftables.d/ruleset.nft korrekt; CRUD-Test aus Phase 2 läuft weiter unverändert. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 10:59:52 +02:00
parent 0a6f81beaa
commit 914538eed1
26 changed files with 1002 additions and 44 deletions
--- a/internal/firewall/firewall_test.go
+++ b/internal/firewall/firewall_test.go
@@ -0,0 +1,78 @@
+package firewall
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+)
+
+func renderView(t *testing.T, v View) string {
+	t.Helper()
+	var buf bytes.Buffer
+	if err := tpl.Execute(&buf, v); err != nil {
+		t.Fatalf("template execute: %v", err)
+	}
+	return buf.String()
+}
+
+func TestRender_BaselineHasMandatorySections(t *testing.T) {
+	out := renderView(t, View{})
+	for _, w := range []string{
+		"flush ruleset",
+		"table inet edgeguard",
+		"set peer_ipv4",
+		"set peer_ipv6",
+		"chain input",
+		"type filter hook input priority 0; policy drop;",
+		"ct state established,related accept",
+		"iif lo accept",
+		"tcp dport 22 ct state new limit rate 10/minute accept",
+		"tcp dport { 80, 443 } accept",
+		"tcp dport 8443 ip  saddr @peer_ipv4 accept",
+		"chain forward",
+		"chain output",
+	} {
+		if !strings.Contains(out, w) {
+			t.Errorf("missing %q in baseline:\n%s", w, out)
+		}
+	}
+}
+
+func TestRender_PeerIPsPopulateSets(t *testing.T) {
+	v := View{
+		PeerIPv4: []string{"10.0.0.11", "10.0.0.12"},
+		PeerIPv6: []string{"fd00::1"},
+	}
+	out := renderView(t, v)
+	for _, w := range []string{
+		"elements = { 10.0.0.11, 10.0.0.12 }",
+		"elements = { fd00::1 }",
+	} {
+		if !strings.Contains(out, w) {
+			t.Errorf("missing %q:\n%s", w, out)
+		}
+	}
+}
+
+func TestRender_CustomRulesLandInChain(t *testing.T) {
+	v := View{
+		CustomRulesInput: []Rule{
+			{MatchExpr: "ip saddr 192.168.0.0/16 tcp dport 9090", Action: "accept", Comment: "monitoring"},
+		},
+		CustomRulesForward: []Rule{
+			{MatchExpr: "iif eth0 oif eth1", Action: "accept", Comment: "lan to wan"},
+		},
+	}
+	out := renderView(t, v)
+	want := []string{
+		"# monitoring",
+		"ip saddr 192.168.0.0/16 tcp dport 9090 accept",
+		"# lan to wan",
+		"iif eth0 oif eth1 accept",
+	}
+	for _, w := range want {
+		if !strings.Contains(out, w) {
+			t.Errorf("missing %q:\n%s", w, out)
+		}
+	}
+}