git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity
104 Commits 34 Branches 23 Tags
ee33ba5740b2632167c61c81e6dd60a463e146fa
Commit Graph

9 Commits

Author SHA1 Message Date
Echo
ee33ba5740 feat: setup.sh generates CA-signed web cert instead of self-signed
Some checks failed
CI Pipeline / Rust Format Check (push) Failing after 4s
Details
CI Pipeline / Clippy Lints (push) Successful in 46s
Details
CI Pipeline / Rust Unit Tests (push) Successful in 1m1s
Details
CI Pipeline / Security Audit (push) Successful in 4s
Details
CI Pipeline / Frontend Lint & Type Check (push) Failing after 10s
Details
CI Pipeline / Build .deb & Release (push) Has been skipped
Details 
- Generate internal CA (ECDSA P-256, 10-year validity) if not present
- Sign web server cert with internal CA (1-year validity)
- Add SANs for hostname, short hostname, localhost, and host IP
- Add EKU: serverAuth to web cert
- pm-ca will load existing CA on startup
- Simplify host cert section to only show agent deployment files
 2026-05-06 02:08:01 +00:00
Echo
a6b9c054b2 fix: missing fi closing JWT keys if-block in setup.sh
Some checks failed
CI Pipeline / Rust Format Check (push) Failing after 5s
Details
CI Pipeline / Clippy Lints (push) Successful in 52s
Details
CI Pipeline / Rust Unit Tests (push) Successful in 1m3s
Details
CI Pipeline / Security Audit (push) Successful in 3s
Details
CI Pipeline / Frontend Lint & Type Check (push) Successful in 11s
Details
CI Pipeline / Build .deb & Release (push) Has been skipped
Details
2026-04-28 23:29:04 +00:00
Echo
e18739f0ec fix: missing SQL heredoc delimiter in setup.sh
Some checks failed
CI Pipeline / Rust Format Check (push) Failing after 5s
Details
CI Pipeline / Clippy Lints (push) Successful in 45s
Details
CI Pipeline / Rust Unit Tests (push) Successful in 1m2s
Details
CI Pipeline / Security Audit (push) Successful in 3s
Details
CI Pipeline / Frontend Lint & Type Check (push) Successful in 11s
Details
CI Pipeline / Build .deb & Release (push) Has been skipped
Details
2026-04-28 23:24:54 +00:00
Echo
83c97aa2b1 fix: resolve all startup bugs (BUG-6 through BUG-9)
Some checks failed
CI Pipeline / Rust Format Check (push) Failing after 36s
Details
CI Pipeline / Clippy Lints (push) Successful in 45s
Details
CI Pipeline / Rust Unit Tests (push) Successful in 1m1s
Details
CI Pipeline / Security Audit (push) Successful in 4s
Details
CI Pipeline / Frontend Lint & Type Check (push) Successful in 11s
Details
CI Pipeline / Build .deb & Release (push) Has been skipped
Details 
BUG-6: Add TLS support via axum-server + rustls
  - Added axum-server with tls-rustls feature to workspace and pm-web
  - pm-web now serves HTTPS when TLS certs exist, falls back to HTTP with warning
  - setup.sh generates self-signed ECDSA P-256 TLS cert with SANs
  - Config already had web_tls_cert_path/web_tls_key_path fields

BUG-7: Fix audit chain integrity errors
  - Migration 005 now TRUNCATEs audit_log after adding prev_hash column
  - Existing rows had broken hash chains (inserted before prev_hash existed)

BUG-8: Disable WatchdogSec in patch-manager-web.service
  - pm-web does not implement sd_notify, causing systemd to kill the service

BUG-9: Disable WatchdogSec in patch-manager-worker.service
  - Same issue as BUG-8, worker does not implement sd_notify

Previous fixes (BUG-1 through BUG-5) also included:
  - setup.sh: PostgreSQL 15+ schema GRANTs
  - Axum route syntax :param → {param} (19 routes)
  - DbUser struct role: String → UserRole enum mapping
  - UserRole/AuthProvider Display trait implementations
  - Seed admin password hash (Argon2id)
 2026-04-28 23:01:03 +00:00
Echo
001c90f4d8 Fix build-package.sh - handle broken pipe from head command
Some checks failed
CI Pipeline / Rust Format Check (push) Successful in 3s
Details
CI Pipeline / Clippy Lints (push) Successful in 45s
Details
CI Pipeline / Rust Unit Tests (push) Successful in 1m0s
Details
CI Pipeline / Security Audit (push) Successful in 3s
Details
CI Pipeline / Frontend Lint & Type Check (push) Successful in 12s
Details
CI Pipeline / Build .deb & Release (push) Failing after 3m15s
Details
2026-04-27 22:50:44 +00:00
Echo
475bcde7ed ci: Use standalone release script to fix JSON escaping issues
All checks were successful
Build .deb Package / build-and-package (push) Successful in 2m10s
Details 
- Shell/curl JSON escaping caused HTTP 422 errors
- Created scripts/create-release.py for reliable Gitea release creation
- Uses Python urllib for proper JSON handling and multipart upload
- Supports GITEA_TOKEN/GITHUB_TOKEN env vars with fallback
 2026-04-24 12:30:23 +00:00
Echo
4e992afacc feat: Add .deb packaging for Ubuntu 24.04 release 
- debian/control: Package metadata with dependencies
- debian/postinst: Service user, dirs, JWT key gen, config, cron setup
- debian/prerm: Graceful service stop before upgrade
- debian/postrm: Purge cleanup (user, data, config, cron)
- debian/changelog: 1.0.0-1 initial release
- debian/install: File manifest
- scripts/build-package.sh: Full build pipeline (cargo release, frontend, dpkg-deb)
- .gitignore: Exclude *.deb and package-build/
 2026-04-24 00:58:38 +00:00
Echo
297bf1bd83 feat(M11+M12): Email notifications, audit hardening, deployment packaging, backup/DR, integration testing 
M11 - Email Notifications + Audit Logging Hardening:
- Email notifier (lettre crate) with templates for patch failure, job completion, maintenance reminders
- Audit log hash chaining (prev_hash + row_hash) for tamper-evident logging
- Periodic + on-demand audit integrity verification
- Audit logging for all config changes and certificate operations
- Frontend: email settings integration, audit integrity verification action

M12 - Deployment Packaging, Backup/DR, Integration Testing:
- scripts/backup.sh: Nightly pg_dump, CA backup (GPG), config backup (secrets excluded unless encrypted)
- scripts/setup.sh: Enhanced with backup dir, seed migration, backup cron, systemd target install
- systemd units: Restart=always, WatchdogSec, ReadWritePaths, security hardening
- systemd/patch-manager.target: Service target for coordinated lifecycle
- docs/runbooks/restore.md: Full DR runbook with RPO 24h / RTO 4h targets
- scripts/integration-test.sh: 9 test suites covering full API lifecycle
- scripts/performance-test.sh: NFR validation (dashboard <5s, CIDR /22 <10s, API <2s)
- docs/security-review.md: Comprehensive security control verification
- docs/compliance-mapping.md: HIPAA (6 sections) + PCI-DSS v4.0 (9 requirements) mapped
 2026-04-24 00:45:51 +00:00
Echo
da5a94d838 feat(M1): Project scaffolding, DB schema, core infrastructure 
- Initialize Rust workspace with 7 crates (pm-web, pm-worker, pm-core,
  pm-agent-client, pm-auth, pm-ca, pm-reports)
- React + TypeScript + Vite + MUI frontend scaffold
- Full PostgreSQL schema: all 17 tables with indexes and constraints
- pm-core: config (TOML+env), db (SQLx pool + migrations), error
  (unified AppError + JSON envelope), request_id (ULID middleware),
  logging (tracing JSON/pretty)
- pm-web: Axum skeleton, /status/health endpoint, static file serving
- pm-worker: Tokio skeleton, heartbeat writer, schema version check
- Embedded sqlx migrations with advisory lock (single-writer)
- systemd unit files, setup.sh, build-frontend.sh
- config.example.toml with all configuration keys
- docs/runbooks/restore.md
- cargo check passes with zero warnings

Closes M1.
 2026-04-23 15:55:53 +00:00