git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity

feat: add auto-enrollment, cert validation, and crash loop fixes

Browse Source 
- Auto-enrollment on startup when certs are missing/invalid and enrollment.manager_url configured
- Certificate validation (existence, parse, expiry, key match, CA trust)
- --enroll exits after completion (no port conflict with systemd service)
- --renew-certs flag for manual cert renewal
- SO_REUSEADDR on TcpListener::bind (prevents Address already in use)
- Polling token persistence for enrollment resume after restart
- Exit code strategy (0=clean, 1=error, 2=enrollment in progress)
- HTTP 409 (host already exists) handling during enrollment
- Move 'Listening on' log after actual bind
- Increase RestartSec to 10s and add StartLimitBurst=5
- Postinst checks for certs and enrollment URL, prints guidance
- EnrollmentConfig.manager_url changed to Option<String>
- cert_renewal_threshold_days and polling_token config fields
- Updated SPEC.md and DEPLOYMENT_GUIDE.md with new workflow
- RCA document for crash loop root cause analysis
- Version bumped to 1.2.0
This commit is contained in:
git-echo
2026-05-29 10:44:42 -05:00
parent 48ec57581e
commit 1322598581
43 changed files with 1364 additions and 974 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
debian/postinst vendored
View File

@ -29,16 +29,60 @@ if [ "$1" = "configure" ]; then
# Enable the service (but don't start automatically - admin should configure first)
systemctl enable linux-patch-api.service
# Check for TLS certificates and enrollment URL
CERT_DIR="/etc/linux_patch_api/certs"
CA_CERT="$CERT_DIR/ca.pem"
SERVER_CERT="$CERT_DIR/server.pem"
SERVER_KEY="$CERT_DIR/server.key.pem"
CONFIG_FILE="/etc/linux_patch_api/config.yaml"
CERTS_MISSING=false
if [ ! -f "$CA_CERT" ] || [ ! -f "$SERVER_CERT" ] || [ ! -f "$SERVER_KEY" ]; then
CERTS_MISSING=true
fi
if [ "$CERTS_MISSING" = true ]; then
echo ""
echo "⚠ TLS certificates are missing. The service will not start without them."
echo ""
# Check if enrollment.manager_url is configured
if [ -f "$CONFIG_FILE" ]; then
# Check for manager_url in config (handles both old String format and new Option format)
MANAGER_URL=$(grep -E '^\s*manager_url:' "$CONFIG_FILE" 2>/dev/null | sed 's/^\s*manager_url:\s*//' | tr -d '"' | tr -d "'" | xargs)
if [ -n "$MANAGER_URL" ] && [ "$MANAGER_URL" != "" ]; then
echo "✓ Auto-enrollment is configured (manager_url: $MANAGER_URL)"
echo " Auto-enrollment will run on first service start."
echo " The service will automatically request and provision certificates."
else
echo "⚠ No enrollment.manager_url found in config.yaml."
echo ""
echo "To enable automatic certificate enrollment, add the manager URL:"
echo " 1. Edit /etc/linux_patch_api/config.yaml"
echo " 2. Add enrollment.manager_url: https://<your-manager-url>"
echo " 3. Start the service: systemctl start linux-patch-api"
echo ""
echo "Or enroll manually:"
echo " linux-patch-api --enroll https://<your-manager-url>"
echo ""
echo "Or place certificates manually:"
echo " - CA certificate: $CA_CERT"
echo " - Server certificate: $SERVER_CERT"
echo " - Server key: $SERVER_KEY"
fi
else
echo "⚠ Config file not found at $CONFIG_FILE"
echo " Please configure the service before starting."
fi
else
echo ""
echo "✓ TLS certificates found. The service is ready to start."
echo " Start the service: systemctl start linux-patch-api"
fi
echo ""
echo "linux-patch-api installed successfully!"
echo ""
echo "Next steps:"
echo " 1. Configure /etc/linux_patch_api/config.yaml with your settings"
echo " 2. Place TLS certificates in /etc/linux_patch_api/certs/"
echo " 3. Configure IP whitelist in /etc/linux_patch_api/whitelist.yaml"
echo " 4. Start the service: systemctl start linux-patch-api"
echo " 5. Check status: systemctl status linux-patch-api"
echo ""
fi
# Handle upgrade