Remove operator auth — trust the LAN
CI / Lint + build + test (push) Failing after 5m15s

Can't log in from a fresh LXC deploy, and the service is LAN-only by
design. Rip out the whole bcrypt-password / signed-cookie session
layer: internal/auth, login templates, gen-admin-password binary +
Makefile targets, auth config block, login/logout routes and the
RequireSession middleware wrap. Agent bearer-token auth on
/api/v1/runs/{id}/* is untouched.

Operators who want a password can front the service with a reverse
proxy — noted in README and docs/operations.md.
2026-04-17 22:31:49 -04:00
parent 273e7593bc
commit 42da48864f
19 changed files with 52 additions and 492 deletions
+7 -11
@@ -22,20 +22,16 @@ notifications.
## Quick start (local, against QEMU)
```bash
# 1. Build
make all
# 2. Generate an admin password hash and paste it into the config.
./bin/gen-admin-password 'your-password'
# Edit deploy/vetting.example.yaml:
# auth.admin_password_bcrypt = <that hash>
# auth.session_secret_hex = $(openssl rand -hex 32)
# 3. Run
./bin/vetting --config deploy/vetting.example.yaml
# → http://localhost:8080
```
The UI has no built-in auth — bind to loopback or LAN only, or front
the service with a reverse proxy (Caddy/nginx basic-auth) if you
want a password. The agent↔orchestrator channel keeps its own
bearer-token auth and is unaffected.
For a full end-to-end QEMU walk-through (bridge setup, host registration,
PXE boot), see [docs/operations.md § First vetting run](docs/operations.md#first-vetting-run).
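Review bot: The new paragraph after the quick-start block tells operators to "bind to loopback or LAN only" but never names the setting that does this, and the quick start still runs deploy/vetting.example.yaml unedited. With the login layer removed, the bind address is the only access control left on the UI, so name the key in this paragraph (the install section refers to it as server.bind) and state what the example config binds to, preferably loopback, so that following the "→ http://localhost:8080" step cannot leave an unauthenticated UI listening on every interface. If "# 3. Run" stays as shown, the steps now read 1 then 3; renumber it to 2.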
@@ -53,7 +49,7 @@ which lays down the binary, systemd unit, example config, and
`vetting` service user. Then:
```bash
# Edit /etc/vetting/vetting.yaml (bcrypt password, session secret, public URL)
# Edit /etc/vetting/vetting.yaml (server.bind + server.public_url)
sudo systemctl enable --now vetting
journalctl -fu vetting
```
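Review bot: The rewritten comment on /etc/vetting/vetting.yaml only covers a fresh install; nothing in this section tells an operator who is upgrading what to do with a config that still carries the bcrypt password and session secret the old comment asked for. Add a line stating whether a leftover auth block is ignored or rejected at startup, and note that an existing host that relied on the password while server.bind was reachable beyond the trusted LAN becomes an open UI after this change, so server.bind should be reviewed before the service is started on the new binary.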
@@ -80,7 +76,7 @@ live-image/ mkosi config for the PXE-bootable Debian live image
deploy/ systemd unit + install.sh + example config
docs/ operator + developer docs
test/e2e/ build-tag-gated QEMU + PXE full-stack test
tools/ small CLI helpers (e.g. gen-admin-password)
tools/ small CLI helpers
```
## Development