Can't log in from a fresh LXC deploy, and the service is LAN-only by
design. Rip out the whole bcrypt-password / signed-cookie session
layer: internal/auth, login templates, gen-admin-password binary +
Makefile targets, auth config block, login/logout routes and the
RequireSession middleware wrap. Agent bearer-token auth on
/api/v1/runs/{id}/* is untouched.
Operators who want a password can front the service with a reverse
proxy — noted in README and docs/operations.md.
This commit is contained in:
+10
-19
@@ -7,9 +7,9 @@
|
||||
# 2. Creates the `vetting` system user with /var/lib/vetting homedir.
|
||||
# 3. Copies the pre-built `vetting` binary into /usr/local/bin.
|
||||
# 4. Drops the systemd unit and example config into /etc/vetting.
|
||||
# 5. Reminds the operator to edit the config and set a bcrypt
|
||||
# password before enabling the service — we don't auto-start
|
||||
# because a placeholder password would just refuse to boot.
|
||||
# 5. Reminds the operator to edit the config before enabling
|
||||
# the service — we don't auto-start because the default bind
|
||||
# is loopback-only and needs at least a tweak to be useful.
|
||||
#
|
||||
# What it deliberately does NOT do:
|
||||
# - Build the orchestrator (this script assumes you ran
|
||||
@@ -95,20 +95,6 @@ install -d -m 0755 "${CONFIG_DIR}"
|
||||
echo "==> installing binary"
|
||||
install -m 0755 "${BINARY}" /usr/local/bin/vetting
|
||||
|
||||
# Install the bcrypt password generator too if we can find it — the
|
||||
# operator needs it to fill in auth.admin_password_bcrypt.
|
||||
GEN_PW=""
|
||||
for cand in \
|
||||
"${REPO_ROOT}/bin/gen-admin-password-linux-amd64" \
|
||||
"${REPO_ROOT}/bin/gen-admin-password" \
|
||||
"${SCRIPT_DIR}/gen-admin-password"; do
|
||||
if [[ -x "${cand}" ]]; then GEN_PW="${cand}"; break; fi
|
||||
done
|
||||
if [[ -n "${GEN_PW}" ]]; then
|
||||
echo "==> installing gen-admin-password"
|
||||
install -m 0755 "${GEN_PW}" /usr/local/bin/gen-admin-password
|
||||
fi
|
||||
|
||||
echo "==> installing config and systemd unit"
|
||||
# vetting.production.yaml uses absolute /var/lib/vetting + /var/log/vetting
|
||||
# paths that match the systemd unit's ReadWritePaths. vetting.example.yaml
|
||||
@@ -140,8 +126,9 @@ vetting is installed but not yet enabled.
|
||||
|
||||
Next steps:
|
||||
1. Edit ${CONFIG_DIR}/vetting.yaml and set:
|
||||
- auth.admin_password_bcrypt (run: gen-admin-password 'YOURPW')
|
||||
- auth.session_secret_hex (run: openssl rand -hex 32)
|
||||
- server.bind (127.0.0.1:8080 by default; switch to
|
||||
0.0.0.0:8080 once you're ready to expose
|
||||
it on the LAN)
|
||||
- server.public_url (the URL you'll browse to)
|
||||
- pxe.* if you want PXE boot support
|
||||
- notifiers + routes (optional)
|
||||
@@ -150,4 +137,8 @@ Next steps:
|
||||
3. Watch the logs:
|
||||
journalctl -fu vetting
|
||||
|
||||
The UI has no built-in auth — it trusts the LAN. If you need a
|
||||
password, front the service with a reverse proxy (Caddy/nginx
|
||||
basic-auth) instead.
|
||||
|
||||
EOF
|
||||
|
||||
Reference in New Issue
Block a user