Can't log in from a fresh LXC deploy, and the service is LAN-only by
design. Rip out the whole bcrypt-password / signed-cookie session
layer: internal/auth, login templates, gen-admin-password binary +
Makefile targets, auth config block, login/logout routes and the
RequireSession middleware wrap. Agent bearer-token auth on
/api/v1/runs/{id}/* is untouched.
Operators who want a password can front the service with a reverse
proxy — noted in README and docs/operations.md.
+10
-19
@@ -7,9 +7,9 @@
# 2. Creates the `vetting` system user with /var/lib/vetting homedir.
# 3. Copies the pre-built `vetting` binary into /usr/local/bin.
# 4. Drops the systemd unit and example config into /etc/vetting.
# 5. Reminds the operator to edit the config and set a bcrypt
# password before enabling the service — we don't auto-start
# because a placeholder password would just refuse to boot.
# 5. Reminds the operator to edit the config before enabling
# the service — we don't auto-start because the default bind
# is loopback-only and needs at least a tweak to be useful.
#
# What it deliberately does NOT do:
# - Build the orchestrator (this script assumes you ran
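Review bot: the rewritten step 5 comment (`# 5. Reminds the operator to edit the config before enabling`) says the loopback default "needs at least a tweak to be useful", but it no longer says what that tweak implies: once `server.bind` leaves 127.0.0.1 the UI is reachable by every host on the segment with no login, because this commit removes the password layer. Suggest stating that here, e.g. "the default bind is loopback-only; widening it exposes an unauthenticated UI, so put a reverse proxy in front if the LAN is not fully trusted", so the reason for not auto-starting matches the new threat model rather than the old placeholder-password one.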
@@ -95,20 +95,6 @@ install -d -m 0755 "${CONFIG_DIR}"
echo "==> installing binary"
install -m 0755 "${BINARY}" /usr/local/bin/vetting
# Install the bcrypt password generator too if we can find it — the
# operator needs it to fill in auth.admin_password_bcrypt.
GEN_PW=""
for cand in \
"${REPO_ROOT}/bin/gen-admin-password-linux-amd64" \
"${REPO_ROOT}/bin/gen-admin-password" \
"${SCRIPT_DIR}/gen-admin-password"; do
if [[ -x "${cand}" ]]; then GEN_PW="${cand}"; break; fi
done
if [[ -n "${GEN_PW}" ]]; then
echo "==> installing gen-admin-password"
install -m 0755 "${GEN_PW}" /usr/local/bin/gen-admin-password
fi
echo "==> installing config and systemd unit"
# vetting.production.yaml uses absolute /var/lib/vetting + /var/log/vetting
# paths that match the systemd unit's ReadWritePaths. vetting.example.yaml
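Review bot: dropping the gen-admin-password install block leaves no cleanup for hosts that already ran an earlier install.sh: a stale /usr/local/bin/gen-admin-password stays behind on upgrade and keeps advertising a workflow (`auth.admin_password_bcrypt`) that the service no longer reads. Suggest a `rm -f /usr/local/bin/gen-admin-password` next to the `install -m 0755 "${BINARY}" /usr/local/bin/vetting` line, or at least a line in the upgrade docs, so an operator does not assume a previously generated hash is still being enforced.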
@@ -140,8 +126,9 @@ vetting is installed but not yet enabled.
Next steps:
1. Edit ${CONFIG_DIR}/vetting.yaml and set:
- auth.admin_password_bcrypt (run: gen-admin-password 'YOURPW')
- auth.session_secret_hex (run: openssl rand -hex 32)
- server.bind (127.0.0.1:8080 by default; switch to
0.0.0.0:8080 once you're ready to expose
it on the LAN)
- server.public_url (the URL you'll browse to)
- pxe.* if you want PXE boot support
- notifiers + routes (optional)
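Review bot: in the updated Next steps the `server.bind` bullet still reads "switch to 0.0.0.0:8080 once you're ready to expose it on the LAN" with nothing beside it saying what exposure now means; the unauthenticated-UI warning only appears further down, after the journalctl step. Since this is the one setting that decides whether the UI can be reached without a login, suggest putting the warning on this bullet (or moving the reverse-proxy sentence up next to it) so an operator working down the list sees it before changing the bind.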
@@ -150,4 +137,8 @@ Next steps:
3. Watch the logs:
journalctl -fu vetting
The UI has no built-in auth — it trusts the LAN. If you need a
password, front the service with a reverse proxy (Caddy/nginx
basic-auth) instead.
EOF
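Review bot: the new paragraph (`The UI has no built-in auth`) recommends Caddy/nginx basic-auth, but as written it omits two conditions a practitioner needs: basic-auth only protects anything if the proxy terminates TLS (otherwise the credentials cross the LAN in the clear), and it only protects anything if the proxy is the sole path to the listener, which means keeping `server.bind` on 127.0.0.1 for a same-host proxy rather than the 0.0.0.0 the earlier step suggests, since otherwise port 8080 is reachable directly and the proxy is bypassed. Suggest adding both qualifiers, e.g. "front the service with a reverse proxy (Caddy/nginx basic-auth over TLS) and leave server.bind on 127.0.0.1 so the proxy is the only way in."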
@@ -65,9 +65,9 @@ fi
echo "==> installing templ ${TEMPL_VERSION}"
GOBIN=/usr/local/bin go install "github.com/a-h/templ/cmd/templ@${TEMPL_VERSION}"
echo "==> building orchestrator + gen-admin-password"
echo "==> building orchestrator (make orchestrator-linux)"
cd "${SRC_DIR}"
make orchestrator-linux gen-admin-password-linux
make orchestrator-linux
echo "==> running deploy/install.sh"
bash deploy/install.sh --binary "bin/vetting-linux-amd64"
@@ -28,15 +28,6 @@ janitor:
# Interval between cleanup sweeps. 0 defaults to 60.
interval_minutes: 60
auth:
# bcrypt hash of your admin password.
# Generate via: ./bin/gen-admin-password "your-password"
admin_password_bcrypt: "$2a$10$REPLACE_ME_WITH_A_REAL_BCRYPT_HASH_0123456789abcdefABCDEFxx"
# Random 32-byte hex string used to sign session cookies.
# Generate via: openssl rand -hex 32 (or use PowerShell equivalent)
session_secret_hex: "0000000000000000000000000000000000000000000000000000000000000000"
session_ttl_hours: 24
dispatcher:
max_concurrent_runs: 3
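Review bot: removing the `auth:` block here changes what happens to existing installs whose vetting.yaml still carries `admin_password_bcrypt`, `session_secret_hex` and `session_ttl_hours`: if the config loader rejects unknown keys, the service fails to start after the upgrade; if it ignores them, the old hash and a now-meaningless signing secret linger in a file operators may never revisit. Neither outcome is visible from this hunk, so please say in the commit message or docs/operations.md which it is, and for the lenient case tell operators to delete the stale block. The all-zero `session_secret_hex` placeholder going away is a welcome side effect either way.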
@@ -28,15 +28,6 @@ janitor:
# Interval between cleanup sweeps. 0 defaults to 60.
interval_minutes: 60
auth:
# bcrypt hash of your admin password.
# Generate via: gen-admin-password 'your-password'
admin_password_bcrypt: "$2a$10$REPLACE_ME_WITH_A_REAL_BCRYPT_HASH_0123456789abcdefABCDEFxx"
# Random 32-byte hex string used to sign session cookies.
# Generate via: openssl rand -hex 32
session_secret_hex: "0000000000000000000000000000000000000000000000000000000000000000"
session_ttl_hours: 24
dispatcher:
max_concurrent_runs: 3
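Review bot: with the `auth:` block gone there is no longer any line in this config that records that the UI is unauthenticated, and this appears to be the copy an operator edits on the host (its hint used the installed `gen-admin-password 'your-password'` rather than the repo's `./bin/` build). Suggest replacing the removed block with a short comment rather than nothing, e.g. "# There is no built-in login; the UI trusts whatever can reach server.bind. Front it with a reverse proxy if that is not acceptable.", so the fact survives in the place an operator reads when they go looking for auth settings.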