git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity

fix: resolve all startup bugs (BUG-6 through BUG-9)
Some checks failed
CI Pipeline / Rust Format Check (push) Failing after 36s
Details
CI Pipeline / Clippy Lints (push) Successful in 45s
Details
CI Pipeline / Rust Unit Tests (push) Successful in 1m1s
Details
CI Pipeline / Security Audit (push) Successful in 4s
Details
CI Pipeline / Frontend Lint & Type Check (push) Successful in 11s
Details
CI Pipeline / Build .deb & Release (push) Has been skipped
Details

Browse Source 
BUG-6: Add TLS support via axum-server + rustls
  - Added axum-server with tls-rustls feature to workspace and pm-web
  - pm-web now serves HTTPS when TLS certs exist, falls back to HTTP with warning
  - setup.sh generates self-signed ECDSA P-256 TLS cert with SANs
  - Config already had web_tls_cert_path/web_tls_key_path fields

BUG-7: Fix audit chain integrity errors
  - Migration 005 now TRUNCATEs audit_log after adding prev_hash column
  - Existing rows had broken hash chains (inserted before prev_hash existed)

BUG-8: Disable WatchdogSec in patch-manager-web.service
  - pm-web does not implement sd_notify, causing systemd to kill the service

BUG-9: Disable WatchdogSec in patch-manager-worker.service
  - Same issue as BUG-8, worker does not implement sd_notify

Previous fixes (BUG-1 through BUG-5) also included:
  - setup.sh: PostgreSQL 15+ schema GRANTs
  - Axum route syntax :param → {param} (19 routes)
  - DbUser struct role: String → UserRole enum mapping
  - UserRole/AuthProvider Display trait implementations
  - Seed admin password hash (Argon2id)
This commit is contained in:
Echo
2026-04-28 23:01:03 +00:00
parent 2e4a8768cf
commit 83c97aa2b1
19 changed files with 297 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
scripts/setup.sh Executable file → Normal file
View File

@ -107,6 +107,12 @@ END
SELECT 'CREATE DATABASE ${DB_NAME} OWNER ${DB_USER}'
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${DB_NAME}')\\gexec
# Grant schema permissions (PostgreSQL 15+ requires explicit grants)
sudo -u postgres psql -v ON_ERROR_STOP=1 -d ${DB_NAME} <<SQL
GRANT USAGE ON SCHEMA public TO ${DB_USER};
GRANT CREATE ON SCHEMA public TO ${DB_USER};
GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};
SQL
DB_URL="postgres://${DB_USER}:${DB_PASSWORD}@localhost/${DB_NAME}"
@ -150,6 +156,31 @@ if [[ ! -f "${JWT_SIGNING}" ]]; then
info "JWT keys generated."
else
warn "JWT signing key already exists at ${JWT_SIGNING}, skipping."
# -----------------------------------------------------------------------
# 6b. Generate self-signed TLS certificate for HTTPS
# -----------------------------------------------------------------------
TLS_CERT="${CONFIG_DIR}/tls/web.crt"
TLS_KEY="${CONFIG_DIR}/tls/web.key"
if [[ ! -f "${TLS_CERT}" ]]; then
info "Generating self-signed TLS certificate (valid 365 days)..."
# Generate ECDSA P-256 private key
openssl ecparam -genkey -name prime256v1 -noout -out "${TLS_KEY}"
# Generate self-signed cert with SAN for localhost and the host's FQDN
HOSTNAME_FQDN=$(hostname -f 2>/dev/null || echo "localhost")
HOSTNAME_SHORT=$(hostname -s 2>/dev/null || echo "localhost")
openssl req -new -x509 -key "${TLS_KEY}" -out "${TLS_CERT}" \
-days 365 \
-subj "/CN=${HOSTNAME_FQDN}/O=Linux Patch Manager" \
-addext "subjectAltName=DNS:${HOSTNAME_FQDN},DNS:${HOSTNAME_SHORT},DNS:localhost,IP:127.0.0.1,IP:::1"
chown "${SERVICE_USER}:${SERVICE_GROUP}" "${TLS_CERT}" "${TLS_KEY}"
chmod 644 "${TLS_CERT}"
chmod 600 "${TLS_KEY}"
info "TLS certificate generated for ${HOSTNAME_FQDN}."
warn "Self-signed certificate — replace with CA-signed cert for production!"
else
warn "TLS certificate already exists at ${TLS_CERT}, skipping."
fi
# -----------------------------------------------------------------------