369 lines
14 KiB
Go
369 lines
14 KiB
Go
// Command edgeguard-api serves the management REST API, by default on
// 127.0.0.1:9443 (override with EDGEGUARD_API_ADDR). In production
// HAProxy terminates TLS in front of it; in development a plain curl can
// talk to it directly. This process itself only speaks plain HTTP.
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"log"
|
|
"log/slog"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/jackc/pgx/v5/pgxpool"
|
|
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/cluster"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/database"
|
|
firewallrender "git.netcell-it.de/projekte/edgeguard-native/internal/firewall"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/haproxy"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/handlers"
|
|
chronyrender "git.netcell-it.de/projekte/edgeguard-native/internal/chrony"
|
|
squidrender "git.netcell-it.de/projekte/edgeguard-native/internal/squid"
|
|
unboundrender "git.netcell-it.de/projekte/edgeguard-native/internal/unbound"
|
|
wgrender "git.netcell-it.de/projekte/edgeguard-native/internal/wireguard"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/handlers/response"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/acme"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/audit"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/backends"
|
|
dnssvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/dns"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/domains"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/firewall"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/forwardproxy"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/ipaddresses"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/networkifs"
|
|
ntpsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/ntp"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/routingrules"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/secrets"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/session"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/setup"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
|
|
wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
|
|
)
|
|
|
|
var version = "1.0.46"
|
|
|
|
func main() {
|
|
addr := os.Getenv("EDGEGUARD_API_ADDR")
|
|
if addr == "" {
|
|
addr = "127.0.0.1:9443"
|
|
}
|
|
|
|
dataDir := os.Getenv("EDGEGUARD_DATA_DIR")
|
|
if dataDir == "" {
|
|
dataDir = setup.DefaultDir
|
|
}
|
|
setupStore := setup.NewStore(dataDir)
|
|
|
|
signer, err := session.NewSignerFromPath("")
|
|
if err != nil {
|
|
// /var/lib/edgeguard not writable in dev → fall back to a
|
|
// process-local secret so `go run` works without sudo. Tokens
|
|
// won't survive a restart, which is fine for an unprivileged
|
|
// developer machine.
|
|
slog.Warn("session signer: persisted secret unavailable, using ephemeral",
|
|
"error", err)
|
|
signer = session.NewSigner(randomEphemeralSecret(), nil, 0)
|
|
}
|
|
|
|
gin.SetMode(gin.ReleaseMode)
|
|
r := gin.New()
|
|
r.Use(handlers.Recover())
|
|
|
|
// Health endpoints are mounted *before* SetupGate so they answer
|
|
// 200 even on a virgin box. UI uses /api/v1/system/health for the
|
|
// post-upgrade version-flip poll.
|
|
r.GET("/healthz", func(c *gin.Context) {
|
|
response.OK(c, gin.H{"status": "ok", "version": version})
|
|
})
|
|
r.GET("/api/health", func(c *gin.Context) {
|
|
response.OK(c, gin.H{"status": "ok", "version": version})
|
|
})
|
|
|
|
// ACME HTTP-01 webroot — HAProxy proxies these through pre-setup
|
|
// so certbot can issue the first cert. Webroot location matches
|
|
// certbot's default; override via EDGEGUARD_ACME_WEBROOT for
|
|
// dev/tests.
|
|
acmeWebroot := os.Getenv("EDGEGUARD_ACME_WEBROOT")
|
|
handlers.NewACMEHandler(acmeWebroot).Register(r)
|
|
|
|
v1 := r.Group("/api/v1")
|
|
v1.Use(handlers.SetupGate(setupStore))
|
|
|
|
requireAuth := handlers.RequireAuth(signer)
|
|
|
|
handlers.NewSetupHandler(setupStore).Register(v1)
|
|
handlers.NewSystemHandler(version).Register(v1)
|
|
handlers.NewAuthHandler(setupStore, signer).Register(v1, requireAuth)
|
|
|
|
// Open the DB pool best-effort. Without a reachable PG, CRUD
|
|
// handlers stay unregistered and only Auth/Setup/System answer —
|
|
// good enough for `go run` on a developer machine that has no
|
|
// postgres-16 yet.
|
|
pool, err := openDBBestEffort()
|
|
if err != nil {
|
|
slog.Warn("DB pool unavailable, CRUD endpoints disabled",
|
|
"error", err)
|
|
} else {
|
|
slog.Info("DB pool open, registering CRUD handlers")
|
|
|
|
nodeID, nodeErr := cluster.EnsureNodeID("")
|
|
if nodeErr != nil {
|
|
slog.Warn("node-id not persisted, using ephemeral",
|
|
"id", nodeID, "error", nodeErr)
|
|
}
|
|
clusterStore := cluster.NewStore(pool)
|
|
|
|
// Self-register in ha_nodes — only if setup is complete
|
|
// (we want the operator-defined FQDN, not the OS hostname,
|
|
// to land in api_url). Failures are logged but non-fatal.
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
st, _ := setupStore.Load()
|
|
if st != nil && st.Completed {
|
|
if _, err := cluster.EnsureSelfRegistered(ctx, clusterStore, st.FQDN, "primary"); err != nil {
|
|
slog.Warn("self-register in ha_nodes failed", "error", err)
|
|
}
|
|
}
|
|
cancel()
|
|
|
|
auditRepo := audit.New(pool)
|
|
domainsRepo := domains.New(pool)
|
|
backendsRepo := backends.New(pool)
|
|
routingRepo := routingrules.New(pool)
|
|
ifsRepo := networkifs.New(pool)
|
|
ipsRepo := ipaddresses.New(pool)
|
|
tlsRepo := tlscerts.New(pool)
|
|
fwZones := firewall.NewZonesRepo(pool)
|
|
fwAddrObj := firewall.NewAddressObjectsRepo(pool)
|
|
fwAddrGrp := firewall.NewAddressGroupsRepo(pool)
|
|
fwSvc := firewall.NewServicesRepo(pool)
|
|
fwSvcGrp := firewall.NewServiceGroupsRepo(pool)
|
|
fwRules := firewall.NewRulesRepo(pool)
|
|
fwNAT := firewall.NewNATRulesRepo(pool)
|
|
secretsBox := secrets.New("")
|
|
wgIfaces := wgsvc.NewInterfacesRepo(pool)
|
|
wgPeers := wgsvc.NewPeersRepo(pool)
|
|
fwdProxyRepo := forwardproxy.New(pool)
|
|
dnsRepo := dnssvc.New(pool)
|
|
ntpRepo := ntpsvc.New(pool)
|
|
|
|
// ACME (Let's Encrypt). Email comes from setup.json — the
|
|
// wizard collects acme_email and the issuer registers an
|
|
// account on first /tls-certs/issue call.
|
|
var acmeService handlers.LetsEncryptIssuer
|
|
if st != nil && st.ACMEEmail != "" {
|
|
acmeService = acme.New(st.ACMEEmail)
|
|
}
|
|
|
|
// HAProxy reload — re-rendert haproxy.cfg + sudo systemctl
|
|
// reload haproxy. Wird in Domains/Backends/RoutingRules-Handler
|
|
// injiziert, damit jede Änderung ohne expliziten render-config-
|
|
// Aufruf live geht. Errors werden geloggt, nicht failed
|
|
// (Row schon committed, Operator kann manuell re-triggern).
|
|
haproxyReloader := func(ctx context.Context) error {
|
|
return haproxy.New(pool).Render(ctx)
|
|
}
|
|
|
|
authed := v1.Group("")
|
|
authed.Use(requireAuth)
|
|
handlers.NewDomainsHandler(domainsRepo, routingRepo, auditRepo, nodeID, haproxyReloader).Register(authed)
|
|
handlers.NewBackendsHandler(backendsRepo, auditRepo, nodeID, haproxyReloader).Register(authed)
|
|
handlers.NewRoutingRulesHandler(routingRepo, auditRepo, nodeID, haproxyReloader).Register(authed)
|
|
handlers.NewNetworksHandler(ifsRepo, ipsRepo, fwZones, auditRepo, nodeID).Register(authed)
|
|
handlers.NewIPAddressesHandler(ipsRepo, auditRepo, nodeID).Register(authed)
|
|
handlers.NewClusterHandler(clusterStore, nodeID).Register(authed)
|
|
handlers.NewAuditHandler(auditRepo).Register(authed)
|
|
handlers.NewHAProxyStatsHandler().Register(authed)
|
|
handlers.NewTLSCertsHandler(tlsRepo, auditRepo, nodeID, acmeService).Register(authed)
|
|
// Firewall reload: nach jeder Mutation den Renderer neu fahren
|
|
// (writes ruleset.nft + sudo nft -f). Errors loggen, nicht failen.
|
|
fwReloader := func(ctx context.Context) error {
|
|
return firewallrender.New(pool).Render(ctx)
|
|
}
|
|
handlers.NewFirewallHandler(fwZones, fwAddrObj, fwAddrGrp, fwSvc, fwSvcGrp, fwRules, fwNAT, auditRepo, nodeID, fwReloader, pool).Register(authed)
|
|
|
|
// withFW wraps a service-reloader so that AFTER the service is
|
|
// reloaded, the firewall is also re-rendered. Necessary for
|
|
// services whose state feeds the auto-FW-rule generator (DNS
|
|
// listen-IPs, Squid ACL count, WG listen-port, NTP serve-clients).
|
|
// Service-Reload-Errors propagieren; FW-Errors werden nur
|
|
// geloggt (DB-Row ist commited, FW kann nachgezogen werden).
|
|
withFW := func(svc func(context.Context) error) func(context.Context) error {
|
|
return func(ctx context.Context) error {
|
|
if err := svc(ctx); err != nil {
|
|
return err
|
|
}
|
|
if err := fwReloader(ctx); err != nil {
|
|
slog.Warn("firewall: re-render after service mutation failed", "error", err)
|
|
}
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// WireGuard reload: re-render /etc/edgeguard/wireguard/*.conf
|
|
// + restart wg-quick@<iface>. Same pattern as the haproxy +
|
|
// firewall reloaders. WG braucht FW-Trigger (server-mode
|
|
// listen-port wird Auto-Rule).
|
|
wgReloader := func(ctx context.Context) error {
|
|
return wgrender.New(pool, secretsBox).Render(ctx)
|
|
}
|
|
handlers.NewWireguardHandler(wgIfaces, wgPeers, secretsBox, auditRepo, nodeID, withFW(wgReloader)).Register(authed)
|
|
|
|
// Squid forward-proxy reload — re-render squid.conf + reload
|
|
// squid.service. sudoers im postinst whitelistet das. ACL-Count
|
|
// triggert Auto-FW-Rule für tcp/3128.
|
|
squidReloader := func(ctx context.Context) error {
|
|
return squidrender.New(pool).Render(ctx)
|
|
}
|
|
handlers.NewForwardProxyHandler(fwdProxyRepo, auditRepo, nodeID, withFW(squidReloader)).Register(authed)
|
|
|
|
// Unbound DNS reload — re-render edgeguard.conf + restart
|
|
// unbound. Listen-IPs triggern Auto-FW-Rule für udp/tcp 53.
|
|
unboundReloader := func(ctx context.Context) error {
|
|
return unboundrender.New(pool).Render(ctx)
|
|
}
|
|
handlers.NewDNSHandler(dnsRepo, auditRepo, nodeID, withFW(unboundReloader)).Register(authed)
|
|
|
|
// Chrony NTP reload — re-render edgeguard.conf + restart chrony.
|
|
// Listen-IPs + serve_clients triggern Auto-FW-Rule für udp/123.
|
|
chronyReloader := func(ctx context.Context) error {
|
|
return chronyrender.New(pool).Render(ctx)
|
|
}
|
|
handlers.NewNTPHandler(ntpRepo, auditRepo, nodeID, withFW(chronyReloader)).Register(authed)
|
|
}
|
|
|
|
mountUI(r)
|
|
|
|
log.Printf("edgeguard-api %s listening on %s", version, addr)
|
|
srv := &http.Server{Addr: addr, Handler: r}
|
|
if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
|
|
log.Fatalf("edgeguard-api: %v", err)
|
|
}
|
|
}
|
|
|
|
// mountUI serves the management UI — Vite-built static assets under
|
|
// /usr/share/edgeguard/ui/ — with SPA fallback (any path that isn't
|
|
// /api/* or /healthz and isn't a real file → index.html). When the
|
|
// dist directory is missing (dev box without `bun run build`), a
|
|
// placeholder HTML page is served at /.
|
|
func mountUI(r *gin.Engine) {
|
|
uiDir := os.Getenv("EDGEGUARD_UI_DIR")
|
|
if uiDir == "" {
|
|
uiDir = "/usr/share/edgeguard/ui"
|
|
}
|
|
indexPath := filepath.Join(uiDir, "index.html")
|
|
|
|
if _, err := os.Stat(indexPath); err != nil {
|
|
slog.Warn("UI dist not found, serving placeholder",
|
|
"ui_dir", uiDir, "error", err)
|
|
r.NoRoute(func(c *gin.Context) {
|
|
path := c.Request.URL.Path
|
|
if isAPIPath(path) {
|
|
c.Status(http.StatusNotFound)
|
|
return
|
|
}
|
|
c.Data(http.StatusOK, "text/html; charset=utf-8", []byte(uiPlaceholder))
|
|
})
|
|
return
|
|
}
|
|
|
|
r.NoRoute(func(c *gin.Context) {
|
|
path := c.Request.URL.Path
|
|
if isAPIPath(path) {
|
|
c.Status(http.StatusNotFound)
|
|
return
|
|
}
|
|
// Serve real file when one exists for the requested path.
|
|
// filepath.Clean blocks `..` traversal; the join still pins
|
|
// the result inside uiDir even with shenanigans.
|
|
clean := filepath.Clean(path)
|
|
if !strings.HasPrefix(clean, "/") {
|
|
clean = "/" + clean
|
|
}
|
|
full := filepath.Join(uiDir, clean)
|
|
if !strings.HasPrefix(full, uiDir) {
|
|
c.Status(http.StatusForbidden)
|
|
return
|
|
}
|
|
if info, err := os.Stat(full); err == nil && !info.IsDir() {
|
|
c.File(full)
|
|
return
|
|
}
|
|
// SPA fallback — React Router renders the right page.
|
|
c.File(indexPath)
|
|
})
|
|
}
|
|
|
|
// isAPIPath reports whether p belongs to the API rather than the UI:
// the two health endpoints by exact match, plus anything below /api/.
// The NoRoute handlers use it to answer unknown API paths with a 404
// instead of the SPA's index.html.
func isAPIPath(p string) bool {
	switch p {
	case "/healthz", "/api/health":
		return true
	}
	return strings.HasPrefix(p, "/api/")
}
|
|
|
|
// uiPlaceholder is the static HTML page mountUI serves for every
// non-API path when the built UI's index.html is not present. It tells
// the developer how to build the management UI.
const uiPlaceholder = `<!doctype html>
<html lang="en"><head><meta charset="utf-8"><title>EdgeGuard</title></head>
<body style="font-family: -apple-system, sans-serif; max-width: 640px; margin: 4em auto; line-height: 1.5;">
<h1>EdgeGuard</h1>
<p>The management UI has not been built yet. From the project root, run:</p>
<pre style="background:#f4f4f4;padding:12px;border-radius:4px;">cd management-ui && bun install && bun run build</pre>
<p>Then the same URL will serve the React SPA. The REST API is fully functional at
<code>/api/v1/*</code> regardless.</p>
</body></html>`
|
|
|
|
// openDBBestEffort opens the pool with a 3s timeout. Returns the
|
|
// non-nil error so callers can decide whether to register CRUD or
|
|
// degrade gracefully.
|
|
func openDBBestEffort() (*pgxpoolPool, error) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
|
|
defer cancel()
|
|
dsn := database.ConnStringFromEnv()
|
|
return database.Open(ctx, dsn)
|
|
}
|
|
|
|
// pgxpoolPool is a local alias for pgxpool.Pool. It is the pool type
// named in openDBBestEffort's signature; being an alias (not a new
// type), values are interchangeable with *pgxpool.Pool everywhere.
type pgxpoolPool = pgxpool.Pool
|
|
|
|
// nodeIDOrHostname returns an identifier for this node, intended for
// stamping audit_log entries. Sources are tried in order:
//
//  1. the contents of /etc/machine-id with surrounding whitespace
//     removed,
//  2. the OS hostname,
//  3. the literal "unknown".
//
// A source that is unreadable or yields an empty string is skipped, so
// the result is never empty.
func nodeIDOrHostname() string {
	if raw, err := os.ReadFile("/etc/machine-id"); err == nil {
		if id := strings.TrimSpace(string(raw)); id != "" {
			return id
		}
	}
	// An empty hostname with a nil error is possible on misconfigured
	// hosts; treat it like a failure rather than returning "".
	if host, err := os.Hostname(); err == nil && host != "" {
		return host
	}
	return "unknown"
}
|
|
|
|
// stripTrailingNewline removes every trailing '\n' and '\r' byte from
// s, in any order and quantity. Other trailing whitespace and all
// interior line breaks are left alone.
func stripTrailingNewline(s string) string {
	return strings.TrimRight(s, "\r\n")
}
|
|
|
|
// randomEphemeralSecret returns 32 bytes from crypto/rand for use as a
// process-local session signing secret. It is the fallback for dev
// environments where /var/lib/edgeguard isn't writable. Tokens issued
// with this secret die on restart — production reads/writes the
// persistent file via session.NewSignerFromPath.
//
// If the system random source fails the process is terminated. The
// alternative would be to hand back an all-zero (or otherwise
// guessable) key, which would let anyone forge session tokens.
func randomEphemeralSecret() []byte {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		log.Fatalf("edgeguard-api: crypto/rand read failed, refusing to sign sessions with a predictable secret: %v", err)
	}
	return secret
}
|