914538eed1
Architektur-Pivot: nginx fällt komplett weg. HAProxy 2.8+ übernimmt
TLS-Termination, L7-Routing per Host-Header und LB. ACME-Webroot
und Management-UI werden von edgeguard-api ausgeliefert (Phase 3
implementiert die zugehörigen Handler); HAProxy proxied
/.well-known/acme-challenge/* und Management-FQDN-Traffic an
127.0.0.1:9443. Eine Distro-Abhängigkeit weniger, ein Renderer
weniger, sauberere Trennung.
Renderer (alle mit Embed-Templates + Tests):
* internal/configgen/ — atomic write + systemctl reload helpers
* internal/haproxy/ — :80 + :443, ACME-ACL, Host-Header-Routing,
Stats-Frontend, api_backend Fallback
* internal/firewall/ — default-deny input, stateful baseline,
SSH-Rate-Limit, :80/:443 accept,
Cluster-Peer-Set für mTLS :8443,
Custom-Rules aus PG
* internal/{squid,wireguard,unbound}/ — Stubs (ErrNotImplemented)
Orchestrator + CLI:
* internal/services/configorch/ — fester Reihenfolge-Run, Stubs
sind soft-skip statt fatal
* cmd/edgeguard-ctl render-config [--no-reload] [--only=svc1,svc2]
Packaging:
* postinst: /etc/edgeguard/nginx raus, /var/lib/edgeguard/acme rein,
self-signed _default.pem via openssl req (damit HAProxy startet
bevor certbot etwas issuet hat)
* control: Depends nginx raus, openssl rein
* edgeguard-ui: dependency auf nginx weg, "Served by edgeguard-api
gin StaticFS"
Live-Smoke: render-config gegen lokale PG schreibt /etc/edgeguard/
haproxy/haproxy.cfg + nftables.d/ruleset.nft korrekt; CRUD-Test aus
Phase 2 läuft weiter unverändert.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
137 lines
3.6 KiB
Go
137 lines
3.6 KiB
Go
// Package routingrules implements CRUD against the `routing_rules`
|
|
// table. A rule maps (domain, path_prefix) → backend; higher priority
|
|
// wins, ties broken by id.
|
|
package routingrules
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"github.com/jackc/pgx/v5"
|
|
"github.com/jackc/pgx/v5/pgxpool"
|
|
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/models"
|
|
)
|
|
|
|
var ErrNotFound = errors.New("routing rule not found")
|
|
|
|
type Repo struct {
|
|
Pool *pgxpool.Pool
|
|
}
|
|
|
|
func New(pool *pgxpool.Pool) *Repo { return &Repo{Pool: pool} }
|
|
|
|
const baseSelect = `
|
|
SELECT id, domain_id, path_prefix, backend_id, priority, active,
|
|
created_at, updated_at
|
|
FROM routing_rules
|
|
`
|
|
|
|
// List returns rules ordered by domain_id then priority desc — the
|
|
// shape the config-renderer wants when building HAProxy backends.
|
|
func (r *Repo) List(ctx context.Context) ([]models.RoutingRule, error) {
|
|
rows, err := r.Pool.Query(ctx, baseSelect+
|
|
" ORDER BY domain_id ASC, priority DESC, id ASC")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
out := make([]models.RoutingRule, 0, 16)
|
|
for rows.Next() {
|
|
rr, err := scanRule(rows)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
out = append(out, *rr)
|
|
}
|
|
return out, rows.Err()
|
|
}
|
|
|
|
// ListForDomain narrows List to a single domain — handlers expose this
|
|
// as GET /domains/:id/routing-rules so the UI only fetches what it needs.
|
|
func (r *Repo) ListForDomain(ctx context.Context, domainID int64) ([]models.RoutingRule, error) {
|
|
rows, err := r.Pool.Query(ctx, baseSelect+
|
|
" WHERE domain_id = $1 ORDER BY priority DESC, id ASC", domainID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
out := make([]models.RoutingRule, 0, 4)
|
|
for rows.Next() {
|
|
rr, err := scanRule(rows)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
out = append(out, *rr)
|
|
}
|
|
return out, rows.Err()
|
|
}
|
|
|
|
func (r *Repo) Get(ctx context.Context, id int64) (*models.RoutingRule, error) {
|
|
row := r.Pool.QueryRow(ctx, baseSelect+" WHERE id = $1", id)
|
|
rr, err := scanRule(row)
|
|
if err != nil {
|
|
if errors.Is(err, pgx.ErrNoRows) {
|
|
return nil, ErrNotFound
|
|
}
|
|
return nil, err
|
|
}
|
|
return rr, nil
|
|
}
|
|
|
|
func (r *Repo) Create(ctx context.Context, rr models.RoutingRule) (*models.RoutingRule, error) {
|
|
row := r.Pool.QueryRow(ctx, `
|
|
INSERT INTO routing_rules (domain_id, path_prefix, backend_id, priority, active)
|
|
VALUES ($1, $2, $3, $4, $5)
|
|
RETURNING id, domain_id, path_prefix, backend_id, priority, active,
|
|
created_at, updated_at`,
|
|
rr.DomainID, rr.PathPrefix, rr.BackendID, rr.Priority, rr.Active)
|
|
return scanRule(row)
|
|
}
|
|
|
|
func (r *Repo) Update(ctx context.Context, id int64, rr models.RoutingRule) (*models.RoutingRule, error) {
|
|
row := r.Pool.QueryRow(ctx, `
|
|
UPDATE routing_rules SET
|
|
domain_id = $1,
|
|
path_prefix = $2,
|
|
backend_id = $3,
|
|
priority = $4,
|
|
active = $5,
|
|
updated_at = NOW()
|
|
WHERE id = $6
|
|
RETURNING id, domain_id, path_prefix, backend_id, priority, active,
|
|
created_at, updated_at`,
|
|
rr.DomainID, rr.PathPrefix, rr.BackendID, rr.Priority, rr.Active, id)
|
|
out, err := scanRule(row)
|
|
if err != nil {
|
|
if errors.Is(err, pgx.ErrNoRows) {
|
|
return nil, ErrNotFound
|
|
}
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (r *Repo) Delete(ctx context.Context, id int64) error {
|
|
tag, err := r.Pool.Exec(ctx, `DELETE FROM routing_rules WHERE id = $1`, id)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if tag.RowsAffected() == 0 {
|
|
return ErrNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func scanRule(row interface{ Scan(...any) error }) (*models.RoutingRule, error) {
|
|
var rr models.RoutingRule
|
|
if err := row.Scan(
|
|
&rr.ID, &rr.DomainID, &rr.PathPrefix, &rr.BackendID,
|
|
&rr.Priority, &rr.Active,
|
|
&rr.CreatedAt, &rr.UpdatedAt,
|
|
); err != nil {
|
|
return nil, err
|
|
}
|
|
return &rr, nil
|
|
}
|