projekte/edgeguard-native
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e379162a7f5851b789b8555e8aafa57d5e2ac2a0
edgeguard-native/cmd/edgeguard-scheduler/main.go
Debian e379162a7f fix(firewall+nat): NAT funktioniert end-to-end + Edge-Sysctl-Profil 
Mehrere zusammenhängende Fehler beim Import der NAT-Rules von der
alten EdgeGuard-Box gefunden + behoben:

1. nft-Template: NAT-Rules landeten als Comment (gleicher
   Whitespace-Trimmer-Bug wie bei den Operator-Rules vor zwei
   commits). Fix: Body auf eigener Zeile via {{""}}-Padding.

2. nft-Syntax-Reihenfolge: emittierte 'tcp ip daddr X dport Y' →
   parser-Fehler. Korrekt ist L3-match (ip saddr/daddr) zuerst,
   dann L4 (tcp/udp dport). Reihenfolge in der dnat-Zeile
   getauscht.

3. eth0 als Iface-Row hinzugefügt (Type ethernet, role wan) damit
   der zone→iface-Lookup für 'wan' tatsächlich auf das Linux-Iface
   trifft. Vorher war nur 'WAN'-bridge in der DB, das im Kernel
   nicht existiert → iifname-match griff nicht.

4. forward-chain: ct status dnat accept (DNAT-Pakete dürfen
   forwarden) + Auto-Forward pro SNAT/masquerade-Rule für die
   Origin-Pakete (return geht via established,related).

5. postrouting_nat: ct status dnat masquerade als Hairpin-Catch-All
   — sonst antwortet das DNAT-Ziel via seinem default-GW (oft
   nicht zur EdgeGuard-Box) → SYN_SENT + UNREPLIED. Trade-off:
   Backend sieht Box-IP statt client-IP.

6. Sysctl-Profil /etc/sysctl.d/99-edgeguard.conf bei jedem Install:
   - Forwarding (ip_forward + ipv6 forwarding) — Voraussetzung für
     ALLES NAT/DNAT/Masquerade.
   - Conntrack-Buckets + max=524288 (Edge-Box trackt viele
     parallele Sessions).
   - HAProxy-Tuning (somaxconn 64k, rmem/wmem 16M, keepalive,
     tcp_tw_reuse, ip_local_port_range).
   - BBR + fq als modernes Congestion-Control + Queueing.
   - Anti-DoS: tcp_syncookies, log_martians, kptr_restrict.

Verified end-to-end:
  $ nc -v 89.163.205.100 2030
  SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.16

Version 1.0.25.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 00:10:42 +02:00

86 lines
2.5 KiB
Go
Raw Blame History

// edgeguard-scheduler runs background jobs that don't belong on the
// API request path:
//
// - ACME cert renewal (every 6h, re-issues anything < 30d to expiry)
//
// Future jobs (cluster heartbeat, backup, audit-log retention)
// hang off the same Tick loop. Stays single-process — no leader
// election yet (Phase 3).
package main
import (
"context"
"log/slog"
"os"
"time"
"git.netcell-it.de/projekte/edgeguard-native/internal/database"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/acme"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/certrenewer"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/setup"
"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
)
var version = "1.0.25"
const (
// renewTickInterval — how often we re-evaluate expiring certs.
// 6h is enough: LE renewal window is 30 days; missing one tick
// makes no difference. Hourly would log too much.
renewTickInterval = 6 * time.Hour
// certDir matches handlers.NewTLSCertsHandler default — HAProxy
// reads from this directory.
certDir = "/etc/edgeguard/tls"
)
func main() {
slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelInfo})))
slog.Info("edgeguard-scheduler starting", "version", version)
ctx := context.Background()
pool, err := database.Open(ctx, database.ConnStringFromEnv())
if err != nil {
slog.Error("scheduler: DB open failed — sleeping forever", "error", err)
select {}
}
defer pool.Close()
tlsRepo := tlscerts.New(pool)
setupStore := setup.NewStore(setup.DefaultDir)
st, _ := setupStore.Load()
var renewer *certrenewer.Service
if st != nil && st.ACMEEmail != "" {
issuer := acme.New(st.ACMEEmail)
renewer = certrenewer.New(tlsRepo, issuer, certDir, 30*24*time.Hour)
slog.Info("scheduler: ACME renewer enabled",
"email", st.ACMEEmail, "tick", renewTickInterval, "threshold", "30d")
} else {
slog.Warn("scheduler: setup.acme_email empty — ACME renewal disabled until setup wizard ran")
}
if renewer != nil {
runRenewer(ctx, renewer)
}
tick := time.NewTicker(renewTickInterval)
defer tick.Stop()
for range tick.C {
if renewer != nil {
runRenewer(ctx, renewer)
}
}
}
func runRenewer(ctx context.Context, r *certrenewer.Service) {
res, err := r.Run(ctx)
if err != nil {
slog.Error("scheduler: renewer run failed", "error", err)
return
}
slog.Info("scheduler: renewer pass complete",
"checked", res.Checked, "renewed", res.Renewed,
"failed", res.Failed, "skipped", res.Skipped)
}
Reference in New Issue View Git Blame Copy Permalink