steve
02e4ef7544
Smoothes the rough edges that came up exercising a live deployment.
First-run bootstrap UI: /bootstrap renders a username + password form
that uses the in-memory token directly (operator no longer copies it
out of the log); /login redirects there while bootstrap is available.
Agent reliability: failJob synthetic envelopes so command.run early
returns no longer hang the server-side job; runtime probe of restic
restore --help drives --no-ownership instead of version sniffing
(0.18.x had it removed). Server unit re-shaped: ProtectSystem=full
plus ReadWritePaths=/etc/restic-manager, no ProtectHome — restore
can now write anywhere a user might want.
Restore wizard: default target is /root/rm-restore/<job-id>/ with
clearer help text. Re-init confirm input uses .field (was .input,
which doesn't exist — text was invisible).
NS-01 host delete: store DeleteHost, admin-band /hosts/{id}/delete
with hostname-confirm danger zone, audit, FK cascade, live WS close.
NS-02 enrollment-token recovery: outstanding-tokens panel on
/hosts/new, regenerate (preserves attachments) and revoke handlers
+ audit, store-level ListOutstandingEnrollmentTokens and
DeleteEnrollmentToken.
NS-03 repo init / probe surface: migration 0020 adds
hosts.repo_status + repo_status_error; WS handler projects every
init job's outcome onto the host row (idempotent already-initialised
collapses to ready); creds-save resets status and dispatches a fresh
probe; /hosts/{id}/repo/probe retry endpoint with banner.
NS-04 dashboard live + sort + filter: query-string filter
(q/status/repo_status/tag/sort/dir), 5s htmx live poll mirroring the
alerts pattern with a localStorage live toggle, sortable column
headers, filter row + clear.
Alerts page: ack'd-by line resolves user_id ULID to username.
Compose.yaml ignored — host-specific.
104 lines
3.2 KiB
Go
104 lines
3.2 KiB
Go
// ui_host_delete.go — admin-band danger-zone host deletion (NS-01).
|
|
//
|
|
// Removes the host row from the store; FK cascades wipe schedules,
|
|
// jobs, snapshots metadata, source groups, alerts, host_credentials,
|
|
// host_repo_maintenance, host_repo_stats, and the schedule junction.
|
|
// Also closes the host's active WS connection so the agent's bearer
|
|
// stops being usable in the same tick (the bearer hash lives on the
|
|
// hosts row itself, so DeleteHost already revokes it for any future
|
|
// auth attempt — closing the live socket is the courtesy that drops
|
|
// the in-flight session).
|
|
//
|
|
// Audit-logged with action="host.deleted" so the trail records who
|
|
// performed the deletion and against which host.
|
|
package http
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"log/slog"
|
|
stdhttp "net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/oklog/ulid/v2"
|
|
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
|
|
)
|
|
|
|
func (s *Server) handleUIHostDelete(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
|
u := s.requireUIUser(w, r)
|
|
if u == nil {
|
|
return
|
|
}
|
|
host, ok := s.loadHostForUI(w, r)
|
|
if !ok {
|
|
return
|
|
}
|
|
if err := r.ParseForm(); err != nil {
|
|
stdhttp.Error(w, "bad request", stdhttp.StatusBadRequest)
|
|
return
|
|
}
|
|
confirm := strings.TrimSpace(r.PostForm.Get("confirm_hostname"))
|
|
if confirm != host.Name {
|
|
// Mismatch — bounce back to host detail with a flash via the
|
|
// query string. The detail page doesn't render an error banner
|
|
// today; rather than thread a new field through the page model
|
|
// for one site, we rely on the JS confirm() the form already
|
|
// shows, plus a 303 back to the host page so the operator can
|
|
// see they're still there. Surfacing as a 400 with a tidy
|
|
// message keeps the audit trail clean.
|
|
stdhttp.Error(w,
|
|
"hostname confirmation did not match — go back and re-type",
|
|
stdhttp.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Drop any live WS session before pulling the row so the agent
|
|
// gets a clean close rather than discovering the rug-pull on the
|
|
// next read. A nil Conn just means the agent was already offline.
|
|
if s.deps.Hub != nil {
|
|
if c := s.deps.Hub.Conn(host.ID); c != nil {
|
|
_ = c.Close()
|
|
}
|
|
}
|
|
|
|
if err := s.deps.Store.DeleteHost(r.Context(), host.ID); err != nil {
|
|
if errors.Is(err, store.ErrNotFound) {
|
|
// Race: someone else deleted it between loadHostForUI and
|
|
// here. Treat as success.
|
|
stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther)
|
|
return
|
|
}
|
|
slog.Error("ui host delete: store", "host_id", host.ID, "err", err)
|
|
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
uid := u.ID
|
|
hostID := host.ID
|
|
// Stash the host name in the audit payload so an operator reading
|
|
// the trail later sees *which* host was removed even though the
|
|
// row no longer exists.
|
|
payload, _ := json.Marshal(struct {
|
|
Name string `json:"name"`
|
|
}{Name: host.Name})
|
|
_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
|
|
ID: ulid.Make().String(),
|
|
UserID: &uid,
|
|
Actor: "user",
|
|
Action: "host.deleted",
|
|
TargetKind: ptr("host"),
|
|
TargetID: &hostID,
|
|
TS: time.Now().UTC(),
|
|
Payload: payload,
|
|
})
|
|
|
|
if wantsHTML(r) {
|
|
w.Header().Set("HX-Redirect", "/")
|
|
w.WriteHeader(stdhttp.StatusNoContent)
|
|
return
|
|
}
|
|
stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther)
|
|
}
|