Draft incorporating firewall - audit only mode #1

Closed
yume wants to merge 6 commits from nyuukyou into master
7 changed files with 2028 additions and 1 deletions


@ -11,5 +11,8 @@
"editor.codeActionsOnSave": { "editor.codeActionsOnSave": {
"source.fixAll": "explicit" "source.fixAll": "explicit"
}, },
"editor.formatOnSave": false "editor.formatOnSave": false,
"rust-analyzer.linkedProjects": [
"yume-mods/nyuukyou/Cargo.toml",
]
} }


@ -1,4 +1,20 @@
services: services:
nyuukyou:
build: yume-mods/nyuukyou
restart: always
links:
- web
depends_on:
web:
condition: service_healthy
networks:
- internal_network
- external_network
ports:
- "3001:3001"
volumes:
- ./nyuukyou:/store
web: web:
build: . build: .
restart: always restart: always
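Review bot: The bind mount `./nyuukyou:/store` on the new nyuukyou service will carry the ownership of whoever creates the host directory, while the image built by this PR drops to uid 1000 before the audit logger opens `/store/log/audit/incoming`; if the host path is root-owned the service will most likely fail on its first audit write, so pre-create the directory with matching ownership or use a named volume instead. `links:` is a legacy Compose key superseded by `depends_on` plus the shared `internal_network`, so the `links: - web` entry can be dropped. `"3001:3001"` publishes the firewall on every host interface; if only a local reverse proxy should reach it, `"127.0.0.1:3001:3001"` narrows that exposure.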

1
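--- a/yume-mods/nyuukyou/.gitignore
+++ b/yume-mods/nyuukyou/.gitignore
@@ -0,0 +1 @@
+target/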

1900
yume-mods/nyuukyou/Cargo.lock generated Normal file



@ -0,0 +1,12 @@
[package]
name = "nyuukyou"
version = "0.1.0"
edition = "2021"
[dependencies]
axum = "0.7"
clap = { version = "4.5.20", features = ["derive"] }
env_logger = "0.11.5"
fedivet = { git = "https://forge.yumechi.jp/yume/fedivet", tag = "testing-audit" }
serde = { version = "1.0.210", features = ["derive"] }
tokio = { version = "1" }
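Review bot: The `fedivet` dependency is pinned to the git tag `testing-audit`, and a tag can be moved or re-created upstream, so the build is not reproducible and a rewritten tag would be pulled in silently on the next resolve; pin an immutable commit instead with `rev = "<commit-sha>"` (Cargo.lock records the resolved hash, but a lockfile is easily regenerated away). `tokio = { version = "1" }` enables no features, so `#[tokio::main]` in main.rs presumably compiles only because fedivet enables the runtime and macro features transitively; declaring `features = ["rt-multi-thread", "macros"]` here makes that dependency explicit rather than accidental.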


@ -0,0 +1,30 @@
FROM debian:stable-slim AS builder
RUN apt-get update && apt-get install -yqq --no-install-recommends \
build-essential \
curl \
ca-certificates \
pkg-config \
libssl-dev \
git
RUN curl -sSL https://sh.rustup.rs | bash -s -- -y --default-toolchain nightly
COPY . /src
RUN cd /src && bash -c '. $HOME/.cargo/env; cargo build --release' && \
mkdir -p /target/usr/local/bin && cp /src/target/release/nyuukyou /target/usr/local/bin/nyuukyou
FROM debian:stable-slim
COPY --from=builder /target/ /
RUN apt-get update && \
apt-get install -yqq --no-install-recommends openssl curl ca-certificates && \
useradd -m -u 1000 -r nyuukyou && \
rm -rf /var/lib/apt/lists/*
USER nyuukyou
ENTRYPOINT [ "/usr/local/bin/nyuukyou" ]
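Review bot: The builder stage installs an unpinned `nightly` toolchain by piping `https://sh.rustup.rs` straight into bash, so each rebuild compiles with whatever nightly is current that day and executes a downloaded script with no integrity check; pin a dated toolchain (`--default-toolchain nightly-YYYY-MM-DD`, or a `rust-toolchain.toml` next to Cargo.toml) and fetch `rustup-init` as a file whose published checksum is verified before it runs. The runtime stage creates the user with `useradd -m -u 1000 -r nyuukyou`, but nothing creates `/store`, which main.rs uses as the audit directory; unless a volume with matching ownership is always mounted, add `RUN mkdir -p /store && chown nyuukyou:nyuukyou /store` before `USER nyuukyou` so the unprivileged process can write there. `curl` in the final image is only needed if a healthcheck depends on it; otherwise leaving it out shrinks the runtime attack surface.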


@ -0,0 +1,65 @@
use std::path::PathBuf;
use std::sync::Arc;
use axum::response::IntoResponse;
use clap::Parser;
use fedivet::evaluate::chain::audit::AuditOptions;
use fedivet::evaluate::Evaluator;
use fedivet::model::error::MisskeyError;
use fedivet::serve;
use fedivet::BaseAppState;
use fedivet::HasAppState;
use serde::Serialize;
#[derive(Parser)]
pub struct Args {
#[clap(short, long, default_value = "127.0.0.1:3001")]
pub listen: String,
#[clap(short, long, default_value = "http://web:3000")]
pub backend: String,
#[clap(long)]
pub tls_cert: Option<String>,
#[clap(long)]
pub tls_key: Option<String>,
}
#[allow(clippy::unused_async)]
async fn build_state<E: IntoResponse + Clone + Serialize + Send + Sync + 'static>(
base: Arc<BaseAppState<E>>,
_args: &Args,
) -> impl HasAppState<E> + Evaluator<E> {
base
.extract_meta()
.audited(AuditOptions::new(PathBuf::from("/store/log/audit/incoming")))
}
#[tokio::main]
async fn main() {
if std::env::var("RUST_LOG").is_err() {
std::env::set_var("RUST_LOG", "info");
}
env_logger::init();
let args = Args::parse();
let state = build_state::<MisskeyError>(
Arc::new(
BaseAppState::new(args.backend.parse().expect("Invalid backend URL")).with_empty_ctx(),
),
&args,
)
.await;
serve::run(
state.clone(),
serve::start(
state,
&args.listen,
args.tls_cert.as_deref(),
args.tls_key.as_deref(),
)
.await,
)
.await;
}
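Review bot: `std::env::set_var("RUST_LOG", "info")` inside `main` runs after `#[tokio::main]` has already spawned the runtime's worker threads, and mutating the process environment while other threads may be reading it is the case the std docs describe as unsound on Unix; replace the whole `if std::env::var("RUST_LOG").is_err()` block and the following `env_logger::init()` with `env_logger::Builder::from_env(env_logger::Env::default().default_filter_or("info")).init();`, which applies the same default without touching the environment. The audit directory `/store/log/audit/incoming` is hard-coded in `build_state` while `_args` is accepted and ignored; adding `#[clap(long, default_value = "/store/log/audit/incoming")] pub audit_dir: PathBuf,` to `Args` and passing `AuditOptions::new(args.audit_dir.clone())` lets a deployment relocate the audit log without a rebuild. `build_state` also deserves a doc comment stating that it wraps the base state in fedivet's audit evaluator and that the returned evaluator only records incoming traffic (the "audit only" mode named in the PR title), so the next reader does not assume it blocks anything.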