telebit/cmd/mgmt/README.md

209 lines
4.6 KiB
Markdown
Raw Normal View History

2020-11-13 09:43:17 +00:00
# Telebit Mgmt
2020-11-12 13:30:52 +00:00
2020-11-13 11:26:25 +00:00
| [Telebit Client](../../) | [Telebit Relay](../telebit) | **Telebit Mgmt** |
2020-11-12 13:30:52 +00:00
2020-11-13 11:26:25 +00:00
Device Management, Authorization, and ACME Relay Server.
# Usage
2020-11-12 13:30:52 +00:00
2020-11-13 11:26:25 +00:00
This does not need to be on a public port for client devices,
but it must be directly accessible by the telebit relay.
2020-11-12 13:30:52 +00:00
2020-11-13 11:26:25 +00:00
It must also run on port 80 if HTTP-01 challenges are being relayed.
2020-11-12 13:30:52 +00:00
2020-11-13 11:26:25 +00:00
This should be https-enabled unless on localhost behind the telebit relay.
2020-11-12 13:30:52 +00:00
2020-11-13 11:26:25 +00:00
```bash
./telebit-mgmt
2020-11-12 13:30:52 +00:00
```
2020-11-13 11:26:25 +00:00
```bash
# allow access to privileged ports
sudo setcap 'cap_net_bind_service=+ep' ./telebit-mgmt
```
Command-line flags or `.env` may be used.
2020-11-13 09:43:17 +00:00
```bash
2020-11-13 11:26:25 +00:00
# --secret
export SECRET=XxX-mgmt-secret-XxX
# --domain
export DOMAIN=devices.example.com
# --tunnel-domain
export TUNNEL_DOMAIN=tunnel.example.com
# --db-url
export DB_URL=postgres://postgres:postgres@localhost:5432/postgres
# --port
export PORT=6468
2020-11-13 09:43:17 +00:00
```
2020-11-13 11:26:25 +00:00
See `./telebit --help` for all options. \
See [`examples/mgmt.env`][mgmt-env] for detail explanations.
[mgmt-env]: /../../examples/mgmt.env
## System Services
You can use `serviceman` to run `postgres`, `telebit`, and `telebit-mgmt` as system services
```bash
curl -fsS https://webinstall.dev/serviceman | bash
2020-11-13 09:43:17 +00:00
```
2020-11-13 11:26:25 +00:00
See the Cheat Sheet at https://webinstall.dev/serviceman
You can, of course, configure systemd (or whatever) by hand if you prefer.
## Install Postgres
Install postgres and start it as a service on MacOS and Linux:
2020-11-12 13:30:52 +00:00
```bash
2020-11-13 11:26:25 +00:00
curl -sS https://webinstall.dev/postgres | bash
```
2020-11-12 13:30:52 +00:00
2020-11-13 11:26:25 +00:00
```bash
sudo env PATH="$PATH" \
serviceman add --system --username $(whoami) --name postgres -- \
postgres -D "$HOME/.local/share/postgres/var" -p 5432
2020-11-12 13:30:52 +00:00
```
2020-11-13 09:43:17 +00:00
2020-11-13 11:26:25 +00:00
See the Cheat Sheet at https://webinstall.dev/postgres
2020-11-13 09:43:17 +00:00
2020-11-13 11:26:25 +00:00
## Create Admin Token
The admin token can be used to interact with the server.
2020-11-13 09:43:17 +00:00
2020-11-13 11:26:25 +00:00
```bash
VENDOR_ID="example.com"
MGMT_SECRET=XxX-mgmt-secret-XxX
ADMIN_TOKEN=$(go run cmd/signjwt/*.go \
2020-11-13 11:26:25 +00:00
--debug \
--expires-in 15m \
--vendor-id $VENDOR_ID \
--secret $MGMT_SECRET \
--machine-ppid $MGMT_SECRET
)
2020-11-13 09:43:17 +00:00
```
2020-11-13 11:26:25 +00:00
## Register New Device
This will return a new shared secret that can be used to register a new client device.
2020-11-13 09:43:17 +00:00
```bash
2020-11-13 11:26:25 +00:00
my_subdomain="foobar"
my_mgmt_host=https://mgmt.example.com
curl -X POST $my_mgmt_host/api/devices \
-H "Authorization: Bearer ${ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{ "slug": "'$my_subdomain'" }'
2020-11-13 09:43:17 +00:00
```
2020-11-13 11:26:25 +00:00
# API
```bash
my_subdomain="ruby"
curl -X DELETE http://mgmt.example.com:6468/api/subscribers/ruby" -H "Authorization: Bearer ${TOKEN}"
```
2020-11-13 09:43:17 +00:00
2020-11-13 11:26:25 +00:00
```json
{ "success": true }
```
2020-11-13 09:43:17 +00:00
Create a token with the same `SECRET` used with the `mgmt` server,
and add a device by its `subdomain`.
To build `signjwt`:
```bash
go build -mod=vendor -ldflags "-s -w" -o signjwt cmd/signjwt/*.go
```
To generate an `admin` token:
```bash
VENDOR_ID="test-id"
SECRET="xxxxxxxxxxx"
TOKEN=$(./signjwt \
--expires-in 15m \
--vendor-id $VENDOR_ID \
--secret $SECRET \
--machine-ppid $SECRET
)
```
Authorize a device:
```bash
my_subdomain="xxxx"
2020-11-13 11:26:25 +00:00
my_mgmt_host=http://mgmt.example.com:6468
2020-11-13 09:43:17 +00:00
curl -X POST $my_mgmt_host/api/devices \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-d '{ "slug": "'$my_subdomain'" }'
```
```json
{ "shared_key": "ZZZZZZZZ" }
```
Show data of a single device
```bash
my_subdomain="xxxx"
2020-11-13 11:26:25 +00:00
curl -L http://mgmt.example.com:6468/api/devices/${my_subdomain} -H "Authorization: Bearer ${TOKEN}"
2020-11-13 09:43:17 +00:00
```
```json
{ "subdomain": "sub1", "updated_at": "2020-05-20T12:00:01Z" }
```
Get a list of connected devices:
```bash
2020-11-13 11:26:25 +00:00
curl -L http://mgmt.example.com:6468/api/devices -H "Authorization: Bearer ${TOKEN}"
2020-11-13 09:43:17 +00:00
```
```json
[{ "subdomain": "sub1", "updated_at": "2020-05-20T12:00:01Z" }]
```
Get a list of disconnected devices:
```bash
2020-11-13 11:26:25 +00:00
curl -L http://mgmt.example.com:6468/api/devices?inactive=true -H "Authorization: Bearer ${TOKEN}"
2020-11-13 09:43:17 +00:00
```
Deauthorize a device:
```bash
my_subdomain="xxxx"
2020-11-13 11:26:25 +00:00
curl -L -X DELETE http://mgmt.example.com:6468/api/devices/${my_subdomain} -H "Authorization: Bearer ${TOKEN}"
```
# Build
You can build with `go build`:
```bash
go build -mod vendor -race -o telebit-mgmt cmd/mgmt/*.go
2020-11-13 11:26:25 +00:00
```
Or with `goreleaser`:
```bash
goreleaser --rm-dist --skip-publish --snapshot
```
Or cross-compile:
```bash
go generate ./...
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod vendor -o telebit-mgmt-linux ./cmd/mgmt/*.go
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -mod vendor -o telebit-mgmt-macos ./cmd/mgmt/*.go
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod vendor -o telebit-mgmt-windows-debug.exe ./cmd/mgmt/*.go
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod vendor -ldflags "-H windowsgui" -o telebit-mgmt-windows.exe ./cmd/mgmt/*.go
2020-11-13 09:43:17 +00:00
```