testing: bootstrap UI, agent reliability, NS-01..04 + alert username
CI / Test (rest) (pull_request) Successful in 29s
CI / Lint (pull_request) Successful in 32s
CI / Build (windows/amd64) (pull_request) Successful in 22s
CI / Test (store) (pull_request) Successful in 1m22s
CI / Test (server-http) (pull_request) Successful in 1m30s
CI / Build (linux/amd64) (pull_request) Successful in 22s
CI / Build (linux/arm64) (pull_request) Successful in 41s
CI / Test (rest) (pull_request) Successful in 29s
CI / Lint (pull_request) Successful in 32s
CI / Build (windows/amd64) (pull_request) Successful in 22s
CI / Test (store) (pull_request) Successful in 1m22s
CI / Test (server-http) (pull_request) Successful in 1m30s
CI / Build (linux/amd64) (pull_request) Successful in 22s
CI / Build (linux/arm64) (pull_request) Successful in 41s
Smoothes the rough edges that came up exercising a live deployment.
First-run bootstrap UI: /bootstrap renders a username + password form
that uses the in-memory token directly (operator no longer copies it
out of the log); /login redirects there while bootstrap is available.
Agent reliability: failJob synthetic envelopes so command.run early
returns no longer hang the server-side job; runtime probe of restic
restore --help drives --no-ownership instead of version sniffing
(0.18.x had it removed). Server unit re-shaped: ProtectSystem=full
plus ReadWritePaths=/etc/restic-manager, no ProtectHome — restore
can now write anywhere a user might want.
Restore wizard: default target is /root/rm-restore/<job-id>/ with
clearer help text. Re-init confirm input uses .field (was .input,
which doesn't exist — text was invisible).
NS-01 host delete: store DeleteHost, admin-band /hosts/{id}/delete
with hostname-confirm danger zone, audit, FK cascade, live WS close.
NS-02 enrollment-token recovery: outstanding-tokens panel on
/hosts/new, regenerate (preserves attachments) and revoke handlers
+ audit, store-level ListOutstandingEnrollmentTokens and
DeleteEnrollmentToken.
NS-03 repo init / probe surface: migration 0020 adds
hosts.repo_status + repo_status_error; WS handler projects every
init job's outcome onto the host row (idempotent already-initialised
collapses to ready); creds-save resets status and dispatches a fresh
probe; /hosts/{id}/repo/probe retry endpoint with banner.
NS-04 dashboard live + sort + filter: query-string filter
(q/status/repo_status/tag/sort/dir), 5s htmx live poll mirroring the
alerts pattern with a localStorage live toggle, sortable column
headers, filter row + clear.
Alerts page: ack'd-by line resolves user_id ULID to username.
Compose.yaml ignored — host-specific.
This commit is contained in:
@@ -49,12 +49,10 @@ detect_arch() {
|
||||
ensure_dirs() {
|
||||
install -d -m 0700 -o root -g root "$RM_CONFIG_DIR"
|
||||
install -d -m 0700 -o root -g root "$RM_STATE_DIR"
|
||||
# Default new-directory restore target: $HOME/rm-restore. Pre-create
|
||||
# so the systemd unit's ReadWritePaths bind-mount applies cleanly
|
||||
# (paths that don't exist when systemd starts get a soft-fail
|
||||
# because of the '-' prefix, but the agent then can't mkdir into
|
||||
# the read-only /root). Mode 0700 + root-owned matches the threat
|
||||
# model — files restored here are operator-readable as root.
|
||||
# Default new-directory restore target: $HOME/rm-restore. With the
|
||||
# current unit (ProtectSystem=full, no ReadWritePaths pin) the agent
|
||||
# can mkdir anywhere on real filesystems, so this is just a courtesy
|
||||
# pre-create so the wizard's default lands in a tidy spot.
|
||||
install -d -m 0700 -o root -g root /root/rm-restore
|
||||
}
|
||||
|
||||
|
||||
@@ -33,17 +33,26 @@ CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN
|
||||
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN
|
||||
|
||||
# Hardening — blocks privilege escalation even from root, and
|
||||
# confines writes / network / kernel access to what restic actually
|
||||
# needs. Filesystem reads stay open: that's the whole job.
|
||||
# confines kernel / namespace / privilege surface. Filesystem reads
|
||||
# stay open (that's the whole job) and restore writes are
|
||||
# unrestricted: a backup tool whose entire purpose is "put files
|
||||
# back where they belong" can't have ProtectHome=read-only or
|
||||
# ProtectSystem=strict without breaking on the first cross-user
|
||||
# restore. ProtectSystem=full keeps /usr, /boot, /efi read-only so a
|
||||
# compromised agent can't swap out /usr/bin/restic or drop a kernel
|
||||
# module, while leaving /home, /root, /var, /opt, /srv, /tmp etc.
|
||||
# writable for arbitrary restore targets. The agent is treated as a
|
||||
# high-trust component (it runs operator hooks as root and holds
|
||||
# repo credentials); the residual hardening is about kernel + privesc
|
||||
# protection, not write confinement.
|
||||
NoNewPrivileges=true
|
||||
ProtectSystem=strict
|
||||
# /etc/restic-manager: agent.yaml + secrets.enc.
|
||||
# /var/lib/restic-manager: agent state (currently unused but reserved).
|
||||
# /root/rm-restore: default target for new-directory restores
|
||||
# ($HOME/rm-restore/<job-id>/ resolves here for User=root).
|
||||
# ReadWritePaths overrides ProtectHome=read-only on this subdir only.
|
||||
ReadWritePaths=/etc/restic-manager /var/lib/restic-manager -/root/rm-restore
|
||||
ProtectHome=read-only
|
||||
ProtectSystem=full
|
||||
# ProtectSystem=full mounts /usr, /boot, /efi *and* /etc read-only.
|
||||
# The agent rewrites /etc/restic-manager/agent.yaml on enrolment and
|
||||
# whenever a new SecretsKey is minted, so we need a targeted
|
||||
# write-exemption for that dir. No exemption for the rest of /etc:
|
||||
# the agent has no business editing /etc/passwd, /etc/sudoers, etc.
|
||||
ReadWritePaths=/etc/restic-manager
|
||||
ProtectHostname=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
|
||||
Reference in New Issue
Block a user