3178e25e78
User-Frage: „Werden via haproxy die echten IPs durchgereicht?". Antwort: X-Forwarded-For ja (option forwardfor), aber Apps wie WordPress/Mailcow brauchen zusätzlich X-Forwarded-Proto=https um Redirect-Loops zu vermeiden, und X-Real-IP ist die bequeme single-value-Variante die viele Tools out-of-the-box lesen (ohne die XFF-Chain parsen zu müssen). Beide Frontends (public_https + mgmt_https) emittieren jetzt: http-request set-header X-Forwarded-Proto https http-request set-header X-Real-IP %[src] Was Backends sehen: X-Forwarded-For: <client-ip> (defaults: option forwardfor) X-Forwarded-Proto: https (NEW) X-Real-IP: <client-ip> (NEW, single value) PROXY-Protocol-Toggle pro Backend kommt nicht in diesem Release — der Operator hat „nur Header-Variante" gewählt. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
87 lines
3.0 KiB
Go
87 lines
3.0 KiB
Go
// Command edgeguard-ctl is the admin CLI for setup, migrations and
|
|
// (later) cluster ops. v1 wires migrate + initdb so postinst can
|
|
// initialise a fresh node; cluster-* and promote remain stubs until
|
|
// Phase 3.
|
|
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/setup"
|
|
)
|
|
|
|
var version = "1.0.78"
|
|
|
|
const usage = `edgeguard-ctl — EdgeGuard CLI
|
|
|
|
Usage:
|
|
edgeguard-ctl <command> [args]
|
|
|
|
Commands:
|
|
version Print version and exit
|
|
migrate up Apply pending migrations
|
|
migrate down Roll back the most recent migration (dev only)
|
|
migrate check Validate embedded migrations (no DB connect)
|
|
migrate dump [dir] Write embedded SQL files to dir (default: ./migrations)
|
|
initdb Create PostgreSQL role + database (idempotent)
|
|
render-config Regenerate haproxy / nftables configs from PG (--no-reload, --only=)
|
|
wg-import [--path <dir>] Import existing /etc/wireguard/*.conf files into the DB
|
|
reset-password Generate a one-time token for the /reset-password UI flow
|
|
cluster-join Join an existing cluster (Phase 3, not yet implemented)
|
|
promote Promote this node's PG to primary (Phase 3, not yet implemented)
|
|
dump-config Print effective config (Phase 3, not yet implemented)
|
|
`
|
|
|
|
func main() {
|
|
if len(os.Args) < 2 {
|
|
fmt.Fprint(os.Stderr, usage)
|
|
os.Exit(2)
|
|
}
|
|
switch os.Args[1] {
|
|
case "-h", "--help", "help":
|
|
fmt.Print(usage)
|
|
case "version", "--version":
|
|
fmt.Println(version)
|
|
case "migrate":
|
|
os.Exit(cmdMigrate(os.Args[2:]))
|
|
case "initdb":
|
|
os.Exit(cmdInitDB(os.Args[2:]))
|
|
case "render-config":
|
|
os.Exit(cmdRenderConfig(os.Args[2:]))
|
|
case "wg-import":
|
|
os.Exit(cmdWGImport(os.Args[2:]))
|
|
case "reset-password":
|
|
os.Exit(cmdResetPassword())
|
|
case "cluster-join", "cluster-leave", "promote", "dump-config":
|
|
fmt.Fprintf(os.Stderr, "edgeguard-ctl: %q is a Phase-3 stub — not yet implemented\n", os.Args[1])
|
|
os.Exit(1)
|
|
default:
|
|
fmt.Fprintf(os.Stderr, "edgeguard-ctl: unknown command %q\n", os.Args[1])
|
|
fmt.Fprint(os.Stderr, usage)
|
|
os.Exit(2)
|
|
}
|
|
}
|
|
|
|
// cmdResetPassword generates a single-use reset token and prints it to
|
|
// stdout. Operator pastes it into the /reset-password UI within 30 min.
|
|
// File mode 0600, owned by the edgeguard user — the CLI muss als sudo
|
|
// edgeguard ausgeführt werden (oder als root); fremde User sehen das
|
|
// Token nicht.
|
|
func cmdResetPassword() int {
|
|
store := setup.NewStore(setup.DefaultDir)
|
|
token, err := store.GenerateResetToken()
|
|
if err != nil {
|
|
fmt.Fprintf(os.Stderr, "edgeguard-ctl reset-password: %v\n", err)
|
|
return 1
|
|
}
|
|
fmt.Println("Admin-Password-Reset-Token (gültig 30 Minuten):")
|
|
fmt.Println()
|
|
fmt.Println(" " + token)
|
|
fmt.Println()
|
|
fmt.Println("→ UI öffnen: https://<box-fqdn>/reset-password")
|
|
fmt.Println("→ Token eingeben, neues Passwort setzen (min. 12 Zeichen)")
|
|
fmt.Println("→ Token ist single-use und wird beim erfolgreichen Reset gelöscht.")
|
|
return 0
|
|
}
|