mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-05-12 22:28:31 +00:00
71217dfae4
Implements complete HTTP mode installation workflow for external PVE hosts.
New installer features:
- `--http-mode` flag: Enable HTTP server mode for remote temperature monitoring
- `--http-addr <addr>` flag: Configure listen address (default :8443)
- Auto-generates self-signed TLS certificates (4096-bit RSA, 10-year validity)
- Registers with Pulse API and receives authentication token
- Configures systemd service with proper security hardening
Installation workflow (HTTP mode):
1. Validate --pulse-server parameter is provided
2. Generate TLS certificate with SAN (hostname + IPs)
3. Call Pulse API POST /api/temperature-proxy/register
4. Receive and store auth token securely (mode 600)
5. Append HTTP config to config.yaml
6. Update systemd service with TLS paths
7. Start service
TLS certificate generation:
- Uses openssl req with RSA 4096-bit keys
- 10-year validity period
- SubjectAltName includes hostname + all IPs
- Files stored in /etc/pulse-sensor-proxy/tls/
- Permissions: 640 root:pulse-sensor-proxy
- Logs SHA256 fingerprint for audit
API registration:
- Calls POST /api/temperature-proxy/register
- Payload: {"hostname": "...", "proxy_url": "https://..."}
- Response: {"token": "...", "pve_instance": "..."}
- Aborts installation on registration failure (fail-fast)
- Token stored in config.yaml
Systemd service updates:
- Adds ReadOnlyPaths=/etc/pulse-sensor-proxy/tls for HTTP mode
- RestrictAddressFamilies already includes AF_INET/AF_INET6
- Maintains all existing security hardening
Error handling:
- Validates required parameters before starting
- Aborts on TLS generation failure
- Aborts on API registration failure
- Provides actionable troubleshooting guidance
- Logs clear error messages
Security:
- Tokens stored with mode 600, owned by service user
- TLS keys protected with mode 640
- Service runs as unprivileged pulse-sensor-proxy user
- Full systemd hardening maintained
Usage example:
curl -fsSL https://pulse-server/download/install-sensor-proxy.sh | \
bash -s -- --http-mode --pulse-server https://pulse.example.com:7655
Related to #571
|
||
|---|---|---|
| .. | ||
| dev | ||
| lib | ||
| systemd | ||
| tests | ||
| .go-version | ||
| backup-claude-md.sh | ||
| build-release.sh | ||
| bundle.manifest | ||
| bundle.sh | ||
| clean-mock-alerts.sh | ||
| cleanup.sh | ||
| codex-router.sh | ||
| create-sensor-user.sh | ||
| docker-build.sh | ||
| generate-release-notes.sh | ||
| harden-sensor-proxy.sh | ||
| hot-dev.sh | ||
| install-container-agent.sh | ||
| install-docker-agent-v2.sh | ||
| install-docker-agent.sh | ||
| install-docker.sh | ||
| install-go-toolchain.sh | ||
| install-host-agent.ps1 | ||
| install-host-agent.sh | ||
| install-sensor-proxy.sh | ||
| package-helm-chart.sh | ||
| pulse-auto-update.sh | ||
| pulse-proxy-rotate-keys.sh | ||
| pulse-sensor-cleanup.sh | ||
| pulse-sensor-proxy.service | ||
| run-tests-mock.sh | ||
| secure-sensor-files.sh | ||
| setup-log-forwarding.sh | ||
| sync-production-config.sh | ||
| test-vm-disk.sh | ||
| toggle-mock.sh | ||
| trigger-release.sh | ||
| uninstall-host-agent.ps1 | ||
| uninstall-host-agent.sh | ||
| validate-published-release.sh | ||
| validate-release.sh | ||