GW_MC/YANPM
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: GW_MC:7db23b01df8247b8181f3c160d263d5b346aa3f1
Branches Tags
GW_MC:master GW_MC:feature/upstream-service GW_MC:feature/agent-client GW_MC:feature/agent GW_MC:feature/frontend-login GW_MC:documentation
...
compare: GW_MC:feature/agent
Branches Tags
GW_MC:master GW_MC:feature/upstream-service GW_MC:feature/agent-client GW_MC:feature/agent GW_MC:feature/frontend-login GW_MC:documentation

5 Commits
7db23b01df ... feature/ag

Author SHA1 Message Date
GW_MC
0eafd6a264 feat: upgrade actions/cache to v4 and clean up imports in main.rs
All checks were successful
Test / test-frontend (pull_request) Successful in 23s
Details
Test / lint-frontend (pull_request) Successful in 26s
Details
Verify / verify-openapi-spec (pull_request) Successful in 4s
Details
Test / frontend-build (pull_request) Successful in 29s
Details
Test / test (pull_request) Successful in 55s
Details
Verify / verify-generated-code (pull_request) Successful in 1m10s
Details
Verify / verify-frontend-api-client (pull_request) Successful in 7s
Details
Test / lint (pull_request) Successful in 1m10s
Details
2025-12-22 18:26:19 +08:00
GW_MC
c14af00c08 feat: update dependencies and refactor command line argument handling for yanpm-agent
Some checks failed
Test / test-frontend (pull_request) Successful in 23s
Details
Test / lint-frontend (pull_request) Successful in 27s
Details
Verify / verify-openapi-spec (pull_request) Successful in 4s
Details
Test / frontend-build (pull_request) Successful in 30s
Details
Verify / verify-frontend-api-client (pull_request) Has been cancelled
Details
Verify / verify-generated-code (pull_request) Has been cancelled
Details
Test / test (pull_request) Has been cancelled
Details
Test / lint (pull_request) Has been cancelled
Details
2025-12-22 18:16:26 +08:00
GW_MC
dce8203322 feat: add comprehensive documentation for yanpm-agent, including API reference, configuration, deployment, usage examples, and troubleshooting 2025-12-22 17:56:18 +08:00
GW_MC
5cffb0a519 feat: add nginx reload and validation wrappers with sudo permissions 2025-12-22 17:18:36 +08:00
GW_MC
6e85bda13f Refactor container definitions 2025-12-22 14:32:57 +08:00
29 changed files with 749 additions and 175 deletions
Expand all files Collapse all files

6
.github/actions/setup-rust/action.yml vendored
View File

@@ -22,7 +22,7 @@ runs:
fetch-depth: 0
- name: Cache cargo registry
uses: actions/cache@v3
uses: actions/cache@v4
with:
path: ~/.cargo/registry
key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
@@ -30,7 +30,7 @@ runs:
${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
- name: Cache cargo index
uses: actions/cache@v3
uses: actions/cache@v4
with:
path: ~/.cargo/index
key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
@@ -51,7 +51,7 @@ runs:
${{ runner.os }}-rustup-
- name: Cache cargo build (target)
uses: actions/cache@v3
uses: actions/cache@v4
with:
path: target
key: ${{ runner.os }}-cargo-build-${{ hashFiles('**/Cargo.lock') }}

2
apps/agent/Cargo.toml
View File

@@ -11,5 +11,5 @@ tracing-subscriber = { version = "0.3.20", features = ["smallvec", "fmt", "ansi"
serde_json = { version = "1.0.145", features = ["std"] }
serde = { version = "1.0.228", features = ["std", "derive"] }
tokio-cron-scheduler = { version = "0.15.1", features = ["signal"] }
clap = { version = "4", features = ["derive"] }
clap = { version = "4", features = ["derive", "env"] }
nix = { version = "0.30.1", features = ["user", "fs"] }

19
apps/agent/doc/README.md Normal file
View File

@@ -0,0 +1,19 @@
# yanpm-agent Documentation
This directory contains in-depth documentation for the yanpm agent daemon (the binary built from `apps/agent`). The agent exposes a unix-socket HTTP API for writing nginx configuration fragments, validating them, and reloading nginx safely.
Docs included:
- `architecture.md` — Detailed explanation of the program flow and components.
- `configuration.md` — CLI flags, environment variables, defaults, and permission handling.
- `usage.md` — How to run the agent, curl examples, and systemd/docker hints.
- `api.md` — HTTP API endpoints, request and response schemas, examples.
- `deployment.md` — Deployment considerations, permissions, and systemd socket/unit examples.
- `troubleshooting.md` — Common errors and solutions.
For implementation details, see the source in `apps/agent/src` (notably `main.rs`, `routes.rs`, and the `commands/` submodule).
Integration notes
- The agent is intended to run as a companion agent for the API service in `apps/api`. The API service calls the agent over the unix-domain socket to write nginx fragments, validate them, and trigger reloads.
- A production Docker image is provided by `apps/agent/Dockerfile`. That Dockerfile packages nginx + the `yanpm-agent` binary and s6-overlay service scripts so a single container can run nginx and the agent alongside each other.

68
apps/agent/doc/api.md Normal file
View File

@@ -0,0 +1,68 @@
# HTTP API Reference
Base: HTTP over a unix-domain socket. Example using curl: `curl --unix-socket /path/to/socket -X POST http://localhost/<path>`
1) GET /status
- Response: 200 OK
- Body: JSON `{ "ok": true }`
2) POST /validate
- Request JSON:
```json
{
"config_name": "example",
"timestamp": 1234567890
}
```
- Behavior: validates the fragment file named by `config_name` and `timestamp` under the agent's internal subdirectory inside the configured nginx config directory. Delegates to `ValidateCommand::validate`.
- Success: 200 OK, body is `[rc, output]` tuple serialized as JSON (actual shape is `(i32, String)` returned from the command; examine responses for exact formatting).
- Error cases:
- 400 Bad Request: invalid or malformed JSON
- 500 Internal Server Error: validation error or missing fragment file
- Request JSON:
```json
{
"config_name": "example",
"timestamp": 1234567890
}
```
- Behavior: validates the fragment file named by `config_name` and `timestamp` under the agent's internal subdirectory inside the configured nginx config directory. Delegates to `ValidateCommand::validate`.
- Success: 200 OK, body is a JSON array `[rc, output]` where `rc` is the integer return code and `output` is the combined stdout/stderr string from the validation command (the command returns an `(i32, String)` tuple).
- Error cases:
- 400 Bad Request: invalid or malformed JSON
- 500 Internal Server Error: validation error or missing fragment file
3) POST /validate_and_reload
- Request JSON same as `/validate`.
- Behavior: runs validation and, on success, attempts to reload nginx. Returns an object with `rc` and `ro` (return code and combined stdout/stderr output).
- Success: 200 OK with body: `{ "rc": <int>, "ro": "<output>" }`
- Errors: 400 for malformed JSON, 500 if the validate-and-reload command fails (body presents error text).
4) POST /write_config
- Request JSON:
```json
{
"config_name": "example",
"timestamp": 1234567890,
"content": "server { ... }"
}
```
- Behavior: writes the provided `content` into an agent-managed fragment file named from `config_name` and `timestamp` in the internal subdirectory under `nginx_config_dir`.
- Success: 200 OK with empty body
- Error: 400 for malformed JSON, 500 if writing the file fails
Notes
- The agent expects callers to choose a `config_name` and `timestamp` that together form a unique filename. The concrete filename encoding is performed by `commands::run::to_file_name` in source.
- On validation failures the returned output often contains the full `nginx -t` output; inspect `ro` or the returned JSON error messages.

34
apps/agent/doc/architecture.md Normal file
View File

@@ -0,0 +1,34 @@
# Architecture and Runtime Flow
Overview
- The agent is an async HTTP server (axum) listening on a Unix domain socket and exposes a small JSON API to manage nginx configuration fragments.
- Core lifecycle is implemented in `apps/agent/src/main.rs`:
- parse CLI args and environment variables
- ensure the socket path and directory exist and have permissive but secure defaults
- bind a `tokio::net::UnixListener` to the socket
- create an `NginxService` (shared state) and an in-process cron `JobScheduler`
- mount axum routes (`/status`, `/validate`, `/validate_and_reload`, `/write_config`) and serve HTTP over the Unix socket
Key components
- `main.rs` — Bootstrapping, argument handling, socket setup and permission handling, scheduler start, and axum server startup.
- `routes.rs` — axum handlers for the HTTP API. It deserializes JSON payloads and delegates to `NginxService` methods. Handlers return appropriate HTTP status codes and JSON on error or success.
- `commands/` — Implementation of lower-level actions (writing fragment files, running `nginx -t`, validating, reloads). The `validate.rs` command contains sophisticated behavior to handle permission-limited environments by:
- creating wrapper nginx configs that include a single fragment
- trying `nginx -t` directly, attempting a privileged wrapper via `sudo` if available, and finally passing a writable PID override via `-g pid ...;` to avoid permission failures
Concurrency and state
- A single shared `NginxService` instance is stored in axum `State` and cloned into handlers; it holds the scheduler and the configured nginx config directory path.
- The JobScheduler is created with `tokio_cron_scheduler::JobScheduler` and started before serving requests.
Error handling and best-effort behavior
- Socket permission changes, GID changes, and directory creations are best-effort and log warnings on failure rather than failing hard.
- Most command failures are converted into JSON errors with appropriate HTTP status codes so callers can inspect command output.
Integration and packaging
- The agent is intended to run as a companion to the API server in `apps/api`. The API calls the agent over the unix socket to write fragments, validate them, and trigger reloads.
- `apps/agent/Dockerfile` builds a runtime image that includes `nginx` and the `yanpm-agent` binary (the Dockerfile uses s6-overlay to run multiple services). This image is suitable for deployments that prefer nginx and the agent colocated in a single container.

27
apps/agent/doc/configuration.md Normal file
View File

@@ -0,0 +1,27 @@
# Configuration and Environment
CLI flags and environment variables
- `--sock` / `YANPM_AGENT_SOCK` (default: `./yanpm-agent.sock`)
- Path to the Unix socket file the agent will bind to.
- If the socket directory does not exist the agent attempts to create it and set mode `0770`.
- `--nginx-config-dir` / `YANPM_NGINX_CONFIG_DIR` (default: `/etc/nginx/conf.d`)
- Directory where nginx fragments are written. The agent writes fragments into a subdirectory named by the agent (internal use).
- `--sock-perm` / `YANPM_AGENT_SOCK_PERM` (default: `660`)
- A 3-digit octal permission string applied to the socket file (best-effort). The program validates this is a 3-digit octal string.
- If the final digit is greater than `0` a warning is logged because that allows "others" access.
- `--sock-gid` / `YANPM_AGENT_SOCK_GID` (default: current user's primary group)
- GID to set on the socket file (best-effort).
Validation rules and behavior
- `sock_perm` must be exactly 3 octal digits (characters 0-7). The agent rejects invalid values at startup.
- When an existing path exists at the socket location the agent verifies it is a unix socket; if so it removes it before binding. If the path exists and is not a socket, startup fails.
- Setting permissions (`set_permissions`) and changing GID (`chown`) are attempted but non-fatal: failures are logged as warnings and the agent continues.
Notes about nginx config directory
- The agent writes fragments into a subdirectory (internal) of the configured `nginx_config_dir`. Ensure nginx is configured to include that subdirectory so fragments are picked up, or use `write_config` then trigger a reload.

62
apps/agent/doc/deployment.md Normal file
View File

@@ -0,0 +1,62 @@
# Deployment and Permissions
Socket location and permissions
- The agent binds a unix socket at the path given by `--sock` or `YANPM_AGENT_SOCK`. The agent will:
- create the parent directory (best-effort) and attempt to set its permissions to `0770`
- remove an existing socket file if it is a socket, or fail if the path exists and is not a socket
- apply the `sock_perm` (3-digit octal) to the socket file and optionally change its GID to `sock_gid`
Systemd socket/unit example
Create a `yanpm-agent.socket` unit that creates and owns the unix socket, and a `yanpm-agent.service` that runs the agent. Ensure the socket path used by systemd matches `--sock`.
Docker / container notes
- If running the agent inside a container and writing to host nginx config, bind-mount the host nginx config directory into the container at the path provided to `--nginx-config-dir`.
- Consider running the agent as a user with permission to write the nginx config directory or use a shared group and `sock_gid` so clients can access the socket.
- The repository provides a runtime image built by `apps/agent/Dockerfile` which packages `nginx` together with the `yanpm-agent` binary and s6-overlay service scripts. This image runs nginx and the agent in one container which is useful when the agent is acting as the runtime companion for the API (`apps/api`).
Privilege escalation for validation
- In many systems `nginx -t` may fail due to inability to access `/run/nginx.pid` or other privileged files. The agent attempts a best-effort sequence:
1. Run `nginx -t` directly.
2. If that fails with permission errors, try a privileged wrapper (e.g. `/usr/local/sbin/yanpm-nginx-validate` or `yanpm-nginx-validate-file`) via `sudo -n`.
3. If wrapper is unavailable or fails, retry `nginx -t` with a writable PID override via `-g 'pid /tmp/yanpm-validate-<pid>.pid;'`.
Security considerations
- Avoid setting `sock_perm` to allow world access unless explicitly intended.
- Prefer controlling socket group membership via `sock_gid` rather than making the socket world-writable.
s6 init scripts, wrappers and sudoers (runtime)
- Purpose: The image built by `apps/agent/Dockerfile` uses `s6-overlay` as PID 1 (the Dockerfile sets `ENTRYPOINT ["/init"]`). The repository includes `docker/s6/cont-init.d` scripts that run at container startup (one-shot) and `docker/s6/services.d` entries to run long-lived services (nginx and the agent). The cont-init scripts prepare runtime users, permissions, and helper wrappers the agent uses for privileged operations.
- Key cont-init scripts (in the repo):
- `docker/s6/cont-init.d/10-create-app-user` — ensures the `yanpm-agent` user and group exist (honoring `YANPM_AGENT_UID`, `YANPM_AGENT_GID`, and `YANPM_AGENT_SOCK_GID`), adds the user to the `nginx` group, and attempts to chown runtime directories like `/var/run/yanpm` and `/app/yanpm-agent` (logs warnings if chown fails for bind mounts or rootless containers).
- `docker/s6/cont-init.d/20-install-reload-wrapper` — installs three helper wrappers and a sudoers entry so the `yanpm-agent` user can perform narrowly-scoped privileged operations without a password.
- Wrapper scripts installed by `20-install-reload-wrapper`:
- `/usr/local/sbin/yanpm-nginx-reload` — runs `nginx -c /etc/nginx/nginx.conf -s reload` (used for reloading the running nginx master process).
- `/usr/local/sbin/yanpm-nginx-validate` — runs `nginx -c /etc/nginx/nginx.conf -t` (validates the main nginx config).
- `/usr/local/sbin/yanpm-nginx-validate-file` — securely validates a single nginx config file: it resolves the absolute path, ensures the target is a regular file (not a symlink), checks the file is owned by the `yanpm-agent` user, enforces it's not world-writable, then runs `nginx -c <file> -t`. This defends against symlink and race attacks when an unprivileged agent requests privileged validation.
- Sudoers entry:
- The init script writes `/etc/sudoers.d/yanpm-agent` with a rule allowing the configured agent user (default `yanpm-agent`) to run only the three wrappers with `NOPASSWD`. This gives the agent a limited, auditable privilege escalation surface; the agent code attempts to use these wrappers via `sudo -n` before falling back to less privileged strategies.
- Relevant environment variables (settable in the Dockerfile or at runtime):
- `YANPM_AGENT_SOCK` — unix socket path (default set in Dockerfile: `/var/run/yanpm/yanpm-agent.sock`).
- `YANPM_NGINX_CONFIG_DIR` — nginx config dir (default `/etc/nginx/conf.d`).
- `YANPM_AGENT_SOCK_PERM` — socket permissions (octal string, default `660`).
- `YANPM_AGENT_SOCK_GID` — desired GID for the socket (optional).
- `YANPM_AGENT_UID`, `YANPM_AGENT_GID` — runtime UID/GID used to create the `yanpm-agent` user in the container.
- How the agent uses these runtime helpers:
- `ValidateCommand` and `ReloadCommand` in the agent code try `nginx` operations directly; when permission problems occur they attempt the privileged wrappers via `sudo -n /usr/local/sbin/yanpm-nginx-validate` or `...-validate-file` and `...-reload`. The cont-init script's wrappers plus the sudoers entry implement that intended secure upgrade path.
- Notes and recommendations:
- The `validate-file` wrapper performs ownership and permission checks; ensure written fragments are created by the `yanpm-agent` user (the agent writes files as that user when running inside the container due to `10-create-app-user`).
- The cont-init scripts attempt to install `sudo` if missing; in minimal images you may prefer providing `sudo` at build time to avoid runtime installation attempts.
- If you bind-mount host directories (e.g., `/etc/nginx/conf.d`) into the container, ensure ownership and permissions are compatible with the agent user and `YANPM_AGENT_SOCK_GID` so the socket and files are accessible as intended.

27
apps/agent/doc/troubleshooting.md Normal file
View File

@@ -0,0 +1,27 @@
# Troubleshooting
Common issues and how to resolve them
- Socket path exists but is not a socket
- Symptom: startup fails with an error that the socket path exists and is not a socket.
- Fix: remove the file at the socket path or choose a different `--sock` path.
- Permission denied on socket directory or socket
- Symptom: socket creation or permission setting logs warnings; clients cannot connect.
- Fix: ensure the socket directory exists and has correct ownership/group and that `sock_perm` and `sock_gid` are configured appropriately. Consider using `chown`/`chmod` from a privileged context.
- `nginx -t` fails with `/run/nginx.pid: Permission denied`
- Symptom: validation fails; output contains permission denied for `/run/nginx.pid`.
- Fixes (tried by the agent):
1. If available, provide a privileged validation wrapper (e.g. `/usr/local/sbin/yanpm-nginx-validate`) that runs `nginx -t` with appropriate privileges.
2. Ensure the agent-runner has permission to read the main nginx configuration and `/run/nginx.pid` or allow the agent to use a writable PID override.
- Fragment file not found during validation
- Symptom: validate returns 500 with message `Config file not found`.
- Fix: make sure the fragment has been written via `/write_config` to the agent's internal subdirectory under `NGINX_CONFIG_DIR`, using the same `config_name` and `timestamp` as the validate call.
- Wrapper or sudo not available
- Symptom: attempts to run `sudo -n /usr/local/sbin/yanpm-nginx-validate` fail.
- Fix: install a wrapper script that allows unprivileged `sudo -n` validation or configure proper permissions on nginx state files.
If none of the above solves the problem, collect the logs produced by the agent (it uses `tracing`/`tracing_subscriber`) and include the exact command outputs from the validation steps when asking for help.

61
apps/agent/doc/usage.md Normal file
View File

@@ -0,0 +1,61 @@
# Usage and Examples
Running locally (development)
1. Build the agent (from repository root):
```sh
cargo build -p agent
```
2. Run the agent with defaults (socket in current directory):
```sh
./target/debug/yanpm-agent
```
3. Run with explicit socket and nginx config directory:
```sh
./target/debug/yanpm-agent --sock /run/yanpm/yanpm-agent.sock --nginx-config-dir /etc/nginx/conf.d
```
HTTP over unix-socket examples (using `socat` / `curl` helper)
If you want to call the API from the shell, you can use `socat` to convert the unix socket to an HTTP stream, or use tools that support unix sockets directly (e.g. `curl --unix-socket`). Examples below use `curl --unix-socket`.
Validate a fragment by name and timestamp:
```sh
curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/validate \
-H 'Content-Type: application/json' \
-d '{"config_name":"example","timestamp":1234567890}'
```
Validate and reload (returns `rc` and `ro`):
```sh
curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/validate_and_reload \
-H 'Content-Type: application/json' \
-d '{"config_name":"example","timestamp":1234567890}'
```
Write a fragment (create or update):
```sh
curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/write_config \
-H 'Content-Type: application/json' \
-d '{"config_name":"example","timestamp":1234567890,"content":"server { listen 80; server_name example.local; }"}'
```
Status endpoint (health)
```sh
curl --unix-socket ./yanpm-agent.sock http://localhost/status
```
Notes
- Use the `config_name` and `timestamp` fields consistently: `timestamp` is typically a monotonic update ID from the caller ensuring unique file names.
- When running in containers, mount the host nginx config dir if you want the agent to write directly to host nginx configuration.
- The repository includes a runtime Docker image built by `apps/agent/Dockerfile` which bundles `nginx` and the `yanpm-agent` binary (via s6-overlay). Use that image when you want nginx and the agent colocated (the agent is intended as a runtime companion to `apps/api`).

170
apps/agent/docker/s6/cont-init.d/20-install-reload-wrapper Normal file
View File

@@ -0,0 +1,170 @@
#!/bin/sh
set -eu
# This init script installs a minimal nginx reload wrapper and a sudoers
# entry so the `yanpm-agent` user can perform a controlled reload via sudo.
WRAPPER_PATH="/usr/local/sbin/yanpm-nginx-reload"
SUDOERS_PATH="/etc/sudoers.d/yanpm-agent"
AGENT_USER="${YANPM_AGENT_USER:-yanpm-agent}"
# validate wrapper
VALIDATE_PATH="/usr/local/sbin/yanpm-nginx-validate"
# validate file wrapper
VALIDATE_FILE_PATH="/usr/local/sbin/yanpm-nginx-validate-file"
echo "[cont-init.d] install-reload-wrapper: setting up nginx reload helper"
# find nginx binary
NGINX_BIN="$(command -v nginx || true)"
if [ -z "${NGINX_BIN}" ]; then
echo "Warning: nginx binary not found in PATH; wrapper will still be created but may fail at runtime." >&2
NGINX_BIN="/usr/sbin/nginx"
fi
# Create wrapper
mkdir -p /usr/local/sbin /etc/sudoers.d
cat > "${WRAPPER_PATH}" <<- 'EOF'
#!/bin/sh
exec "@NGINX_BIN@" -c /etc/nginx/nginx.conf -s reload
EOF
# Replace placeholder with actual path
sed -i "s|@NGINX_BIN@|${NGINX_BIN}|g" "${WRAPPER_PATH}" || true
chmod 0750 "${WRAPPER_PATH}"
chown root:root "${WRAPPER_PATH}" || true
#
#
#
# Create validate wrapper
cat > "${VALIDATE_PATH}" <<- 'EOF'
#!/bin/sh
exec "@NGINX_BIN@" -c /etc/nginx/nginx.conf -t
EOF
# Replace placeholder with actual path in validate wrapper
sed -i "s|@NGINX_BIN@|${NGINX_BIN}|g" "${VALIDATE_PATH}" || true
chmod 0750 "${VALIDATE_PATH}"
chown root:root "${VALIDATE_PATH}" || true
#
#
#
# Create validate file wrapper (secure)
cat > "${VALIDATE_FILE_PATH}" <<-'EOF'
#!/bin/sh
set -eu
if [ $# -ne 1 ]; then
echo "Usage: $0 <nginx-config-file>" >&2
exit 2
fi
INPUT="$1"
# Resolve absolute path
if command -v readlink >/dev/null 2>&1; then
TARGET="$(readlink -f -- "$INPUT" 2>/dev/null || true)"
elif command -v realpath >/dev/null 2>&1; then
TARGET="$(realpath -- "$INPUT" 2>/dev/null || true)"
else
echo "Error: no path resolver (readlink/realpath) available" >&2
exit 3
fi
if [ -z "$TARGET" ]; then
echo "Error: cannot resolve path: $INPUT" >&2
exit 4
fi
# Must be a regular file and not a symlink
if [ ! -f "$TARGET" ] || [ -L "$TARGET" ]; then
echo "Error: ${TARGET} is not a regular file" >&2
exit 5
fi
# must be created by agent user
AGENT_UID="$(id -u yanpm-agent 2>/dev/null || true)"
if [ -z "$AGENT_UID" ]; then
echo "Error: yanpm-agent user not found" >&2
exit 6
fi
FILE_UID="$(stat -c %u -- "$TARGET" 2>/dev/null || true)"
if [ "$FILE_UID" != "$AGENT_UID" ]; then
echo "Error: ${TARGET} not owned by yanpm-agent user" >&2
exit 7
fi
# Ensure file is not world-writable; allow typical 664 (rw-rw-r--)
if command -v stat >/dev/null 2>&1; then
MODE="$(stat -c %a -- "$TARGET" 2>/dev/null || true)"
if [ -n "$MODE" ]; then
OTHERS=$(( MODE % 10 ))
if [ $(( OTHERS & 2 )) -ne 0 ]; then
echo "Error: ${TARGET} is world-writable" >&2
exit 8
fi
fi
elif command -v find >/dev/null 2>&1; then
if find "$TARGET" -maxdepth 0 -perm /002 -print -quit >/dev/null 2>&1; then
echo "Error: ${TARGET} is world-writable" >&2
exit 8
fi
fi
exec "@NGINX_BIN@" -c "$TARGET" -t
EOF
# Replace placeholder with actual path in validate file wrapper
sed -i "s|@NGINX_BIN@|${NGINX_BIN}|g" "${VALIDATE_FILE_PATH}" || true
chmod 0750 "${VALIDATE_FILE_PATH}"
chown root:root "${VALIDATE_FILE_PATH}" || true
echo "Created wrapper: ${WRAPPER_PATH} (owned by root, mode 750)"
#
#
#
# Ensure sudoers entry exists allowing the agent to run only this wrapper as root
if command -v sudo >/dev/null 2>&1; then
echo "sudo present; creating sudoers entry"
cat > "${SUDOERS_PATH}" <<- EOF
# Allow ${AGENT_USER} to run the nginx reload and validate wrappers without a password
${AGENT_USER} ALL=(root) NOPASSWD: ${WRAPPER_PATH}, ${VALIDATE_PATH}, ${VALIDATE_FILE_PATH}
EOF
chmod 0440 "${SUDOERS_PATH}" || true
echo "Wrote sudoers entry: ${SUDOERS_PATH}"
else
echo "sudo not found; attempting to install"
if command -v apk >/dev/null 2>&1; then
apk add --no-cache sudo || true
elif command -v apt-get >/dev/null 2>&1; then
apt-get update || true
apt-get install -y sudo || true
elif command -v yum >/dev/null 2>&1; then
yum install -y sudo || true
else
echo "No known package manager to install sudo; please ensure sudo is available in the image." >&2
fi
if command -v sudo >/dev/null 2>&1; then
cat > "${SUDOERS_PATH}" <<- EOF
# Allow ${AGENT_USER} to run the nginx reload and validate wrappers without a password
${AGENT_USER} ALL=(root) NOPASSWD: ${WRAPPER_PATH}, ${VALIDATE_PATH}, ${VALIDATE_FILE_PATH}
EOF
chmod 0440 "${SUDOERS_PATH}" || true
echo "Installed sudo and wrote sudoers entry: ${SUDOERS_PATH}"
else
echo "Failed to install sudo; the agent will not be able to reload nginx via sudo." >&2
fi
fi
exit 0

2
apps/agent/justfile Normal file
View File

@@ -0,0 +1,2 @@
build-docker:
docker build -t yanpm/agent:latest .

11
apps/agent/src/commands/reload.rs
View File

@@ -93,6 +93,17 @@ impl ReloadCommand {
}
// reload the running nginx master process (no -c) so it reloads its configured main config
// Prefer the restricted sudo wrapper if available, fall back to direct nginx reload.
// TODO: allow configuring the path to the wrapper
match run_cmd("sudo", &["-n", "/usr/local/sbin/yanpm-nginx-reload"], 10).await {
Ok(res) => Ok(res),
Err(e) => {
error!(
"sudo reload wrapper failed, falling back to direct nginx reload: {}",
e
);
run_cmd("nginx", &["-s", "reload"], 10).await
}
}
}
}

127
apps/agent/src/commands/validate.rs
View File

@@ -1,3 +1,5 @@
use tracing::{info, warn};
use crate::commands::{run::run_cmd, write_config::INTERNAL_CONFIG_FOLDER_NAME};
use std::path::PathBuf;
@@ -17,7 +19,51 @@ impl ValidateCommand {
pub async fn validate_all(
&self,
) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
run_cmd("nginx", &["-t"], 10).await
// Try a normal config test first. If it fails due to pid permission
// errors (common when running unprivileged against /run/nginx.pid),
// retry with a writable pid override so validation can succeed.
match run_cmd("nginx", &["-t"], 10).await {
Ok(res) => Ok(res),
Err(e) => {
info!(
"nginx -t failed: {}. Trying with privileged wrapper or writable pid override.",
e
);
let es = e.to_string();
if es.contains("/run/nginx.pid") && es.contains("Permission denied") {
// Try privileged validate wrapper if available (allows the agent to run
// nginx -t via sudo without modifying the main config).
match run_cmd(
"sudo",
// TODO: allow configuring the path to the wrapper
&["-n", "/usr/local/sbin/yanpm-nginx-validate"],
10,
)
.await
{
Ok(res) => return Ok(res),
Err(e) => {
warn!(
"Privileged validate wrapper failed: {}. Falling back to writable pid override.",
e
);
// Fallback to the existing writable-pid override if sudo wrapper
// isn't available or fails.
let pid_path = format!(
"{}/yanpm-validate-{}.pid",
std::env::temp_dir().display(),
std::process::id()
);
let g_arg = format!("pid {};", pid_path);
let args_vec = ["-t".to_string(), "-g".to_string(), g_arg];
let args_ref: Vec<&str> = args_vec.iter().map(|s| s.as_str()).collect();
return run_cmd("nginx", args_ref.as_slice(), 10).await;
}
}
}
Err(e)
}
}
}
pub async fn validate(
@@ -37,11 +83,84 @@ impl ValidateCommand {
return Err(format!("Config file not found: {}", full_path.display()).into());
}
run_cmd(
"nginx",
&["-t", "-c", full_path.to_str().ok_or("invalid config path")?],
// Create a temporary wrapper nginx config that provides the required
// top-level sections (`events` and `http`) and includes the fragment.
let fragment_path = full_path.to_str().ok_or("invalid config path")?.to_string();
let mut tmp_path = std::env::temp_dir();
let tmp_name = format!("yanpm-validate-{}-{}.conf", timestamp, std::process::id());
tmp_path.push(tmp_name);
let wrapper = format!(
"worker_processes 1;\nevents {{ worker_connections 1024; }}\nhttp {{\n include {};\n}}\n",
fragment_path
);
// Write the temporary wrapper file
tokio::fs::write(&tmp_path, wrapper).await?;
let tmp_path_str = tmp_path
.to_str()
.ok_or("invalid temp config path")?
.to_string();
// Run the test against the wrapper, telling nginx to place its pid
// somewhere writable so the config test doesn't fail with permission
// errors when running as an unprivileged user.
let result = match run_cmd("nginx", &["-t", "-c", &tmp_path_str], 10).await {
Ok(res) => Ok(res),
Err(e) => {
info!(
"nginx -t failed: {}. Trying with privileged wrapper or writable pid override.",
e
);
let es = e.to_string();
if es.contains("/run/nginx.pid") && es.contains("Permission denied") {
// Try privileged validate wrapper if available (allows the agent to run
// nginx -t via sudo without modifying the main config).
match run_cmd(
"sudo",
// TODO: allow configuring the path to the wrapper
&[
"-n",
"/usr/local/sbin/yanpm-nginx-validate-file",
&tmp_path_str,
],
10,
)
.await
{
Ok(res) => return Ok(res),
Err(e) => {
warn!(
"Privileged validate wrapper failed: {}. Falling back to writable pid override.",
e
);
let pid_path = format!(
"{}/yanpm-validate-{}.pid",
std::env::temp_dir().display(),
std::process::id()
);
let g_arg = format!("pid {};", pid_path);
let args_vec = [
"-t".to_string(),
"-c".to_string(),
tmp_path_str.clone(),
"-g".to_string(),
g_arg,
];
let args_ref: Vec<&str> = args_vec.iter().map(|s| s.as_str()).collect();
return run_cmd("nginx", args_ref.as_slice(), 10).await;
}
}
}
Err(e)
}
};
let _ = tokio::fs::remove_file(&tmp_path).await;
result
}
}

4
apps/agent/src/commands/write_config.rs
View File

@@ -2,6 +2,7 @@ use std::os::unix::fs::PermissionsExt;
use std::path::PathBuf;
use std::time::{SystemTime, UNIX_EPOCH};
use tokio::io::AsyncWriteExt;
use tracing::info;
use crate::commands::run::to_file_name;
@@ -26,6 +27,7 @@ impl WriteConfigCommand {
let path = self.nginx_config_dir.clone();
// ensure main config dir exists
tokio::fs::create_dir_all(&path).await?;
info!("Writing config to {:?}", path.join(&filename));
// create YANPM subdir where fragment files live
let yanpm_dir = path.join(INTERNAL_CONFIG_FOLDER_NAME);
@@ -62,7 +64,7 @@ impl WriteConfigCommand {
// set explicit permissions (rw-r-----)
tokio::fs::set_permissions(&final_path, std::fs::Permissions::from_mode(0o640)).await?;
info!("Config written and permissions set for {:?}", final_path);
Ok(())
}
}

91
apps/agent/src/main.rs
View File

@@ -5,7 +5,7 @@ mod routes;
use axum::routing::get;
use axum::{Router, routing::post};
use clap::{Arg, Command};
use clap::Parser;
use std::os::unix::fs::PermissionsExt;
use std::path::PathBuf;
use std::sync::Arc;
@@ -15,10 +15,6 @@ use tracing::{error, info, warn};
use crate::commands::NginxService;
use crate::routes::{status, validate, validate_and_reload, write_config};
const SOCK_ARG: &str = "sock";
const NGINX_CONFIG_DIR_ARG: &str = "nginx_config_dir";
const SOCK_PERM_ARG: &str = "sock_perm";
const SOCK_GID_ARG: &str = "sock_gid";
const SOCK_ENV: &str = "YANPM_AGENT_SOCK";
const SOCK_PERM_ENV: &str = "YANPM_AGENT_SOCK_PERM";
const NGINX_CONFIG_DIR_ENV: &str = "YANPM_NGINX_CONFIG_DIR";
@@ -28,6 +24,27 @@ const NGINX_CONFIG_DIR_DEFAULT: &str = "/etc/nginx/conf.d";
const SOCK_PERM_DEFAULT: &str = "660";
const SOCK_GID_DEFAULT: &str = "";
/// Command line arguments
#[derive(Parser, Debug)]
#[command(author, version, about, long_about = None)]
struct Args {
/// Unix socket path to bind the agent daemon to
#[arg(short = 's', long, default_value_t = String::from(SOCK_DEFAULT), env = SOCK_ENV)]
sock: String,
/// Directory where generated nginx config files will be written
#[arg(short = 'd', long, default_value_t = String::from(NGINX_CONFIG_DIR_DEFAULT), env = NGINX_CONFIG_DIR_ENV)]
nginx_config_dir: String,
/// Permissions to set on the unix socket (in octal), e.g. 660
#[arg(long, default_value_t = String::from(SOCK_PERM_DEFAULT), env = SOCK_PERM_ENV)]
sock_perm: String,
/// GID to set on the unix socket, default: current user's primary group
#[arg(long, default_value_t = String::from(SOCK_GID_DEFAULT), env = SOCK_GID_ENV)]
sock_gid: String,
}
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
let subscriber = tracing_subscriber::fmt()
@@ -40,39 +57,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
tracing::subscriber::set_global_default(subscriber)
.expect("Failed to set global default subscriber");
let args = Command::new("yanpm-agent")
.arg(
Arg::new(SOCK_ARG)
.short('s')
.long("sock")
.value_name("SOCK_PATH")
.help("Unix socket path to bind the agent daemon to")
.required(false),
)
.arg(
Arg::new(NGINX_CONFIG_DIR_ARG)
.short('d')
.long("nginx-config-dir")
.value_name("NGINX_CONFIG_DIR")
.help("Directory where generated nginx config files will be written")
.required(false),
)
.arg(
Arg::new(SOCK_PERM_ARG)
.long("sock-perm")
.value_name("SOCK_PERM")
.help("Permissions to set on the unix socket (in octal), e.g. 660")
.required(false),
)
.arg(
Arg::new(SOCK_GID_ARG)
.long("sock-gid")
.value_name("SOCK_GID")
.help("GID to set on the unix socket, default: current user's primary group")
.required(false),
)
.about("YANPM Agent Daemon")
.get_matches();
let args = Args::parse();
let (sock, nginx_config_dir, sock_perm, sock_gid) = get_args(&args).await?;
@@ -175,32 +160,12 @@ async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
}
async fn get_args(
args: &clap::ArgMatches,
args: &Args,
) -> Result<(String, String, u32, String), Box<dyn std::error::Error + Send + Sync>> {
let sock = args
.get_one::<String>(SOCK_ARG)
.cloned()
.unwrap_or_else(|| std::env::var(SOCK_ENV).unwrap_or_else(|_| SOCK_DEFAULT.to_string()));
let nginx_config_dir = args
.get_one::<String>(NGINX_CONFIG_DIR_ARG)
.cloned()
.unwrap_or_else(|| {
std::env::var(NGINX_CONFIG_DIR_ENV)
.unwrap_or_else(|_| NGINX_CONFIG_DIR_DEFAULT.to_string())
});
let sock_perm = args
.get_one::<String>(SOCK_PERM_ARG)
.cloned()
.unwrap_or_else(|| {
std::env::var(SOCK_PERM_ENV).unwrap_or_else(|_| SOCK_PERM_DEFAULT.to_string())
});
let sock_gid = args
.get_one::<String>(SOCK_GID_ARG)
.cloned()
.unwrap_or_else(|| {
std::env::var(SOCK_GID_ENV).unwrap_or_else(|_| SOCK_GID_DEFAULT.to_string())
});
let sock = args.sock.clone();
let nginx_config_dir = args.nginx_config_dir.clone();
let sock_perm = args.sock_perm.clone();
let sock_gid = args.sock_gid.clone();
if sock_perm.len() != 3 || !sock_perm.chars().all(|c| ('0'..='7').contains(&c)) {
return Err(std::io::Error::new(

4
apps/agent/src/routes.rs
View File

@@ -43,7 +43,7 @@ pub async fn validate(
}
};
let (_code, _output) = match nginx_controller
let resp = match nginx_controller
.validate(&params.config_name, params.timestamp)
.await
{
@@ -54,7 +54,7 @@ pub async fn validate(
}
};
(axum::http::StatusCode::OK,).into_response()
(axum::http::StatusCode::OK, axum::Json(resp)).into_response()
}
#[derive(Deserialize)]

4
apps/cli/src/cmd/db_migrate_and_generate.rs
View File

@@ -1,7 +1,7 @@
use clap::{Arg, Command};
use container::{
use container::containers::{
ConfigInfoType,
db::{DBInfo, sqlite::SQLiteContainer},
types::ConfigInfoType,
};
use migration::{generate_entity, migrate_database};
use shared::db_type::DBType;

40
apps/container/src/containers.rs Normal file
View File

@@ -0,0 +1,40 @@
pub mod agent;
pub mod db;
use std::{pin::Pin, sync::Arc};
use testcontainers::{ContainerAsync, GenericImage, TestcontainersError};
use crate::containers::{
agent::AgentContainerInfo,
db::{ContainerizedDBInfo, PreExistingDBInfo},
};
pub type UnStartedContainer =
Pin<Box<dyn Future<Output = Result<ContainerAsync<GenericImage>, TestcontainersError>> + Send>>;
pub type AgentConfigInfoType = ConfigInfoType<AgentContainerInfo, ()>;
pub type DBConfigInfoType = ConfigInfoType<ContainerizedDBInfo, PreExistingDBInfo>;
pub trait WithContainer {
fn container(&self) -> &Arc<ContainerAsync<GenericImage>>;
}
pub trait WithoutContainer {
fn on_delete(&self);
}
impl WithoutContainer for () {
fn on_delete(&self) {}
}
#[derive(Clone)]
pub enum ConfigInfoType<T, U>
where
T: WithContainer,
U: WithoutContainer,
{
Containerized(T),
PreExisting(U),
}

7
apps/container/src/agent.rs → apps/container/src/containers/agent.rs
View File

@@ -5,10 +5,7 @@ use testcontainers::{
runners::{AsyncBuilder, AsyncRunner},
};
use crate::{
db::UnStartedContainer,
types::{ConfigInfoType, WithContainer},
};
use crate::{WithContainer, containers::UnStartedContainer};
pub const SOCK_NAME: &str = "yanpm-agent.sock";
const SOCK_FOLDER: &str = "/var/run/yanpm";
@@ -25,8 +22,6 @@ pub struct AgentContainerConfig {
pub nginx_config: NginxConfig,
}
pub type AgentConfigInfoType = ConfigInfoType<AgentContainerInfo, ()>;
#[derive(Clone)]
pub struct AgentContainerInfo {
pub container: Arc<ContainerAsync<GenericImage>>,

15
apps/container/src/db.rs → apps/container/src/containers/db.rs
View File

@@ -5,18 +5,15 @@ pub mod sqlite;
use async_trait::async_trait;
use shared::db_type::DBType;
use std::error::Error;
use std::future::Future;
use std::{pin::Pin, sync::Arc};
use std::sync::Arc;
use url::Host;
use testcontainers::{ContainerAsync, GenericImage, TestcontainersError};
use testcontainers::{ContainerAsync, GenericImage};
use crate::{ConfigInfoType, WithContainer, WithoutContainer};
pub type UnStartedContainer =
Pin<Box<dyn Future<Output = Result<ContainerAsync<GenericImage>, TestcontainersError>> + Send>>;
pub type DBConfigInfoType = ConfigInfoType<ContainerizedDBInfo, PreExistingDBInfo>;
use crate::{
WithContainer, WithoutContainer,
containers::{DBConfigInfoType, UnStartedContainer},
};
#[derive(Clone)]
pub struct PreExistingDBInfo {

0
apps/container/src/db/config.rs → apps/container/src/containers/db/config.rs
View File

7
apps/container/src/db/postgresql.rs → apps/container/src/containers/db/postgresql.rs
View File

@@ -9,10 +9,13 @@ use testcontainers::{
use crate::{
ConfigInfoType,
containers::{
UnStartedContainer,
db::{
ContainerizedDBInfo, DBConfigInfoType, DBInfo, UnStartedContainer,
ContainerizedDBInfo, DBConfigInfoType, DBInfo,
config::{DatabaseContainerConfig, OptionalContainerConfig},
},
},
};
pub fn get_default_config() -> DatabaseContainerConfig {
@@ -53,7 +56,7 @@ impl DBInfo<OptionalContainerConfig> for PostgreSQLContainer {
);
ConfigInfoType::Containerized(ContainerizedDBInfo {
db_type: crate::db::DBType::PostgreSQL,
db_type: crate::containers::db::DBType::PostgreSQL,
container: Arc::new(pg_container),
container_name: self.config.container_name.clone(),
database_name: self.config.database_name.clone(),

4
apps/container/src/db/sqlite.rs → apps/container/src/containers/db/sqlite.rs
View File

@@ -4,7 +4,7 @@ use async_trait::async_trait;
use crate::{
ConfigInfoType,
db::{DBConfigInfoType, DBInfo, PreExistingDBInfo, UnStartedContainer},
containers::db::{DBConfigInfoType, DBInfo, PreExistingDBInfo, UnStartedContainer},
util::to_absolute_path,
};
@@ -69,7 +69,7 @@ impl DBInfo<OptionalContainerConfig> for SQLiteContainer {
.expect("Failed to create SQLite database file");
//
ConfigInfoType::PreExisting(PreExistingDBInfo {
db_type: crate::db::DBType::SQLite,
db_type: crate::containers::db::DBType::SQLite,
url: sqlite_url,
on_delete: {
let db_path = self.get_db_absolute_path();

33
apps/container/src/env.rs
View File

@@ -1,7 +1,5 @@
use std::io::Write;
use shared::db_type::DBType;
#[derive(Clone, Copy)]
pub enum EnvFileType {
DotEnv,
@@ -11,25 +9,16 @@ pub enum EnvFileType {
#[derive(Clone)]
pub struct EnvFile {
pub file_type: EnvFileType,
pub db_type: DBType,
pub db_url: String,
//
buffer: serde_json::Value,
}
impl EnvFile {
pub fn new(file_type: EnvFileType, db_type: DBType, db_url: String) -> Self {
let mut env_file = EnvFile {
pub fn new(file_type: EnvFileType) -> Self {
EnvFile {
file_type,
db_type,
db_url,
buffer: serde_json::Value::Object(serde_json::Map::new()),
};
env_file._write_line_buffer("DATABASE__TYPE", &env_file.db_type.to_string());
env_file._write_line_buffer("DATABASE__URL", &env_file.db_url.to_string());
env_file
}
}
pub fn write_line(&mut self, key: &str, value: &str) {
@@ -131,12 +120,10 @@ mod tests {
#[test]
fn test_env_file_write_yaml() {
let mut env_file_nested = EnvFile::new(
EnvFileType::Yaml,
DBType::SQLite,
"mysql://user:pass@localhost/db".to_string(),
);
let mut env_file_nested = EnvFile::new(EnvFileType::Yaml);
env_file_nested.write_line("DATABASE__TYPE", "SQLite");
env_file_nested.write_line("DATABASE__URL", "mysql://user:pass@localhost/db");
let mut output_stream = Vec::new();
env_file_nested.write(&mut output_stream, false);
let output_string = String::from_utf8(output_stream).unwrap();
@@ -150,11 +137,9 @@ DATABASE:
#[test]
fn test_env_file_write_env() {
let mut env_file_nested = EnvFile::new(
EnvFileType::DotEnv,
DBType::PostgreSQL,
"postgres://user:pass@localhost/db".to_string(),
);
let mut env_file_nested = EnvFile::new(EnvFileType::DotEnv);
env_file_nested.write_line("DATABASE__TYPE", "PostgreSQL");
env_file_nested.write_line("DATABASE__URL", "postgres://user:pass@localhost/db");
let mut output_stream = Vec::new();
env_file_nested.write(&mut output_stream, true);
let output_string = String::from_utf8(output_stream).unwrap();

10
apps/container/src/lib.rs
View File

@@ -1,13 +1,11 @@
pub mod agent;
pub mod db;
pub mod containers;
mod env;
pub mod types;
mod util;
use crate::{
agent::AgentConfigInfoType,
db::DBConfigInfoType,
types::{ConfigInfoType, WithContainer, WithoutContainer},
containers::{
AgentConfigInfoType, ConfigInfoType, DBConfigInfoType, WithContainer, WithoutContainer,
},
util::{
await_termination_signal, remove_file_if_exists, stop_container, to_absolute_path,
write_env_files,

32
apps/container/src/main.rs
View File

@@ -1,12 +1,15 @@
use std::sync::Arc;
use clap::Parser;
use container::agent::{AgentConfig, AgentContainerConfig, AgentContainerInfo, NginxConfig};
use container::start_attached;
use container::types::ConfigInfoType;
use container::{Config, agent};
use container::db::DBInfo;
use container::{
Config,
containers::{
ConfigInfoType,
agent::{AgentConfig, AgentContainerConfig, AgentContainerInfo, NginxConfig},
db::DBInfo,
},
start_attached,
};
/// Command line arguments
#[derive(Parser, Debug)]
@@ -17,6 +20,12 @@ struct Args {
db_type: String,
// agent related
/// agent image name
#[arg(long, default_value = "yanpm/agent", env = "AGENT_IMAGE_NAME")]
agent_image: String,
/// agent image tag
#[arg(long, default_value = "latest", env = "AGENT_IMAGE_TAG")]
agent_image_tag: String,
/// force build agent image
#[arg(long, default_value_t = false, env = "AGENT_FORCE_BUILD")]
agent_force_build: bool,
@@ -65,7 +74,7 @@ async fn main() {
println!("Starting container with database type: {}", args.db_type);
let db_config = match args.db_type.to_lowercase().as_str() {
"postgres" | "pg" | "pgsql" => {
use container::db::postgresql::PostgreSQLContainer;
use container::containers::db::postgresql::PostgreSQLContainer;
println!("Using PostgreSQL database");
PostgreSQLContainer::new(None)
.await
@@ -74,7 +83,7 @@ async fn main() {
}
"sqlite" | "sql" => {
println!("Using SQLite database");
use container::db::sqlite::SQLiteContainer;
use container::containers::db::sqlite::SQLiteContainer;
SQLiteContainer::new(None)
.await
.get_db_container_config_info()
@@ -89,7 +98,7 @@ async fn main() {
let agent_container = if let Some(agent_config) = &args.agent_container_config {
println!(
"Agent container will be used with socket path: {} and nginx config dir: {}",
"Agent container will be used with socket folder: {} and nginx config dir: {}",
agent_config.agent_config.sock_folder, agent_config.agent_config.nginx_config_dir
);
Some(agent_config.get_unstarted_container().await)
@@ -168,8 +177,9 @@ async fn parse_args() -> ParsedArgs {
ParsedArgs {
db_type: args.db_type,
agent_container_config: Some(AgentContainerConfig {
image: "yanpm-agent".to_string(),
tag: "latest".to_string(),
// TODO: allow customization of these fields via CLI args
image: args.agent_image,
tag: args.agent_image_tag,
container_name: format!("yanpm-agent-container-{}", time),
dockerfile_path,
force_build: args.agent_force_build,

25
apps/container/src/types.rs
View File

@@ -1,25 +0,0 @@
use std::sync::Arc;
use testcontainers::{ContainerAsync, GenericImage};
pub trait WithContainer {
fn container(&self) -> &Arc<ContainerAsync<GenericImage>>;
}
pub trait WithoutContainer {
fn on_delete(&self);
}
impl WithoutContainer for () {
fn on_delete(&self) {}
}
#[derive(Clone)]
pub enum ConfigInfoType<T, U>
where
T: WithContainer,
U: WithoutContainer,
{
Containerized(T),
PreExisting(U),
}

12
apps/container/src/util.rs
View File

@@ -4,10 +4,11 @@ use tokio::signal::unix::{SignalKind, signal};
use crate::{
API_CONFIG_PATH, DB_CONFIG_PATH,
agent::{AgentConfigInfoType, AgentContainerInfo, SOCK_NAME},
db::DBConfigInfoType,
containers::{
AgentConfigInfoType, ConfigInfoType, DBConfigInfoType, WithContainer, WithoutContainer,
agent::SOCK_NAME,
},
env::{self, EnvFile},
types::{ConfigInfoType, WithContainer, WithoutContainer},
};
// relative to the current working directory
@@ -30,7 +31,10 @@ pub fn write_env_files(db_config: &DBConfigInfoType, agent_config: &Option<Agent
DBConfigInfoType::PreExisting(config) => (config.db_type.clone(), config.url.clone()),
};
let mut api_env = EnvFile::new(env::EnvFileType::Yaml, db_type, db_url);
let mut api_env = EnvFile::new(env::EnvFileType::Yaml);
api_env.write_line("DATABASE__TYPE", db_type.to_string().as_str());
api_env.write_line("DATABASE__URL", db_url.as_str());
let mut db_env = api_env.clone();
db_env.file_type = env::EnvFileType::DotEnv;

8
justfile
View File

@@ -50,10 +50,6 @@ generate-openapi:
# Generate API client for frontend
cd apps/frontend && \
pnpm generate:openapi
# Generate OpenAPI spec for agent
cd apps/agent && \
cargo run -- --generate-openapi --openapi-output ./openapi.yaml
# TODO: Generate API client for agent in api
generate-all: generate-entity generate-openapi
@@ -68,6 +64,10 @@ build-backend:
cd apps/api && \
cargo build --release
build-docker:
cd apps/agent && \
docker build -t yanpm/agent:latest .
build-apps: build-frontend build-backend
act *args: