diff --git a/config/bffh/bffh.dhall b/config/bffh/bffh.dhall
index 938385a..d16b0a7 100644
--- a/config/bffh/bffh.dhall
+++ b/config/bffh/bffh.dhall
@@ -25,8 +25,8 @@ ],
 -- Configure TLS. BFFH requires a PEM-encoded certificate and the associated key as two separate files
- certfile = "/etc/bffh/cert.pem",
- keyfile = "/etc/bffh/key.pem",
+ certfile = "/etc/letsencrypt/cert.pem",
+ keyfile = "/etc/letsencrypt/key.pem",
 -- BFFH right now requires a running MQTT broker.
 mqtt_url = "tcp://mqtt:1883",
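Review bot: The comment above `certfile` still describes only the file format, while the new `/etc/letsencrypt` paths are, per docker-compose.yaml in this commit, a bind mount of `./config/cert`, where the same commit adds a static cert.pem/key.pem pair rather than anything issued by Let's Encrypt; a reader of this file alone cannot tell that. Suggest adding under the existing comment: `-- /etc/letsencrypt is bind-mounted from ./config/cert by docker-compose.yaml; replace the committed test pair with a real certificate and key before exposing the port.` The enclosing record starts and ends outside the hunk.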
@@ -43,190 +43,252 @@ -- In dhall you can also easily import definitions from other files, e.g. you could write -- roles = ./roles.dhall + + + + + + + + + + + roles = { - -- Role definitions - -- A role definition is of the form - -- rolename = { - -- parents = [], - -- permissions = [], - -- } - -- - -- Role names are case sensitive, so RoleName != rolename. - -- - -- If you want either parents or permissions to be empty its best to completely skip it: - testrole = { - permissions = [ "lab.some.admin" ] - }, - somerole = { - parents = ["testparent"], - -- "Permissions" are formatted as Perm Rules, so you can use the wildcards '*' and '+' - permissions = [ "lab.test.*" ] - }, - -- Roles can inherit from each other. In that case a member of e.g. 'somerole' that inherits from - -- 'testparent' will have all the permissions of 'somerole' AND 'testparent' assigned to them. - -- Right now permissions are stricly additive so you can't take a permission away in a child role that a parent - -- role grants. 
- testparent = { - permissions = [ - "lab.some.write", - "lab.some.read", - "lab.some.disclose" + Admin = { + permissions = [ + "TestEnv.Admin", + "TestEnv.Manage.A", + "TestEnv.Manage.B", + "TestEnv.Manage.C", + "TestEnv.Write.A", + "TestEnv.Write.B", + "TestEnv.Write.C", + "TestEnv.Read.A", + "TestEnv.Read.B", + "TestEnv.Read.C", + "TestEnv.Disclose.A", + "TestEnv.Disclose.B", + "TestEnv.Disclose.C" ] + }, + + ManageA = { + permissions = [ "TestEnv.Manage.A" ] + }, + ManageB = { + permissions = [ "TestEnv.Manage.B" ] + }, + ManageC = { + permissions = [ "TestEnv.Manage.C" ] + }, + + UseA = { + permissions = [ "TestEnv.Write.A" ] + }, + UseB = { + permissions = [ "TestEnv.Write.B" ] + }, + UseC = { + permissions = [ "TestEnv.Write.C" ] + }, + + ReadA = { + permissions = [ "TestEnv.Read.A" ] + }, + ReadB = { + permissions = [ "TestEnv.Read.B" ] + }, + ReadC = { + permissions = [ "TestEnv.Read.C" ] + }, + + DiscloseA = { + permissions = [ "TestEnv.Disclose.A" ] + }, + DiscloseB = { + permissions = [ "TestEnv.Disclose.B" ] + }, + DiscloseC = { + permissions = [ "TestEnv.Disclose.C" ] } }, - -- Configure machines - -- "Machines" (which in future will be more appropiately named "resources") are the main thing bffh is concerned - -- with. - -- You can define an almost limitless amount of machines (well 2^64 - 1, so 18_446_744_073_709_551_615 to be precise) - -- Each of these machines can then have several "actors" and "initiators" assigned machines = { - Testmachine = { - -- A machine comes with two "names". The id above ("Testmachine") and the "name" ("MachineA"). - -- The id is what you'll use in the config format and is strictly limited to alphanumeric characters and '_' - -- and must begin with a letter. Most importantly you CAN NOT use '-' or spaces in an identifier - -- (dhall makes this technically possible but you can break things in subtle ways) - - -- REQUIRED. The "name" of a machine is what will be presented to humans. 
It can contain all unicode - -- including spaces and nonprintable characters. - -- A name SHOULD be short but unique. - name = "MachineA", - - -- OPTIONAL. A description can be assigned to machines. It will also only be shown to humans. Thus it is - -- once again limited only to unicode. If you want to provide your users with important additional - -- information other than the name this is the place to do it. - description = "A test machine", - - -- OPTIONAL. If you have a wiki going into more detail how to use a certain machine or what to keep in - -- mind when using it you can provide a URL here that will be presented to users. - wiki = "https://wiki.example.org/machineA", - - -- OPTIONAL. You can assign categories to machines to allow clients to group/filter machines by them. - category = "Testcategory", - - -- REQUIRED. - -- Each machine MUST have *all* Permission levels assigned to it. - -- Permissions aren't PermRules as used in the 'roles' definitions but must be precise without wildcards. - -- Permission levels aren't additive, so a user having 'manage' permission does not automatically get - -- 'read' or 'write' permission. - - -- (Note, disclose is not fully implemented at the moment) - -- Users lacking 'disclose' will not be informed about this machine in any way and it will be hidden from - -- them in the client. Usually the best idea is to assign 'read' and 'disclose' to the same permission. - disclose = "lab.test.read", - - -- Users lacking 'read' will be shown a machine including name, description, category and wiki but not - -- it's current state. The current user is not disclosed. - read = "lab.test.read", - - -- The 'write' permission allows to 'use' the machine. - write = "lab.test.write", - - -- Manage represents the 'superuser' permission. 
Users with this permission can force set any state and - -- read out the current user - manage = "lab.test.admin" + MachineA1 = { + name = "MachineA1", + description = "Description of MachineA1", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryA", + + disclose = "TestEnv.Disclose.A", + read = "TestEnv.Read.A", + write = "TestEnv.Write.A", + manage = "TestEnv.Manage.A" }, - Another = { - wiki = "test_another", - category = "test", - disclose = "lab.test.read", - manage = "lab.test.admin", - name = "Another", - read = "lab.test.read", - write = "lab.test.write" + MachineA2 = { + name = "MachineA2", + description = "Description of MachineA2", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryA", + + disclose = "TestEnv.Disclose.A", + read = "TestEnv.Read.A", + write = "TestEnv.Write.A", + manage = "TestEnv.Manage.A" + }, + MachineA3 = { + name = "MachineA3", + description = "Description of MachineA3", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryA", + + disclose = "TestEnv.Disclose.A", + read = "TestEnv.Read.A", + write = "TestEnv.Write.A", + manage = "TestEnv.Manage.A" + }, + MachineA4 = { + name = "MachineA4", + description = "Description of MachineA4", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryA", + + disclose = "TestEnv.Disclose.A", + read = "TestEnv.Read.A", + write = "TestEnv.Write.A", + manage = "TestEnv.Manage.A" + }, + MachineA5 = { + name = "MachineA5", + description = "Description of MachineA5", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryA", + + disclose = "TestEnv.Disclose.A", + read = "TestEnv.Read.A", + write = "TestEnv.Write.A", + manage = "TestEnv.Manage.A" + }, + + MachineB1 = { + name = "MachineB1", + description = "Description of MachineB1", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryB", + + disclose = "TestEnv.Disclose.B", + read = "TestEnv.Read.B", + write = "TestEnv.Write.B", + manage = "TestEnv.Manage.B" + }, + 
MachineB2 = { + name = "MachineB2", + description = "Description of MachineB2", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryB", + + disclose = "TestEnv.Disclose.B", + read = "TestEnv.Read.B", + write = "TestEnv.Write.B", + manage = "TestEnv.Manage.B" + }, + MachineB3 = { + name = "MachineB3", + description = "Description of MachineB3", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryB", + + disclose = "TestEnv.Disclose.B", + read = "TestEnv.Read.B", + write = "TestEnv.Write.B", + manage = "TestEnv.Manage.B" + }, + MachineB4 = { + name = "MachineB4", + description = "Description of MachineB4", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryB", + + disclose = "TestEnv.Disclose.B", + read = "TestEnv.Read.B", + write = "TestEnv.Write.B", + manage = "TestEnv.Manage.B" + }, + MachineB5 = { + name = "MachineB5", + description = "Description of MachineB5", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryB", + + disclose = "TestEnv.Disclose.B", + read = "TestEnv.Read.B", + write = "TestEnv.Write.B", + manage = "TestEnv.Manage.B" + }, + + MachineC1 = { + name = "MachineC1", + description = "Description of MachineC1", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryC", + + disclose = "TestEnv.Disclose.C", + read = "TestEnv.Read.C", + write = "TestEnv.Write.C", + manage = "TestEnv.Manage.C" + }, + MachineC2 = { + name = "MachineC2", + description = "Description of MachineC2", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryC", + + disclose = "TestEnv.Disclose.C", + read = "TestEnv.Read.C", + write = "TestEnv.Write.C", + manage = "TestEnv.Manage.C" + }, + MachineC3 = { + name = "MachineC3", + description = "Description of MachineC3", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryC", + + disclose = "TestEnv.Disclose.C", + read = "TestEnv.Read.C", + write = "TestEnv.Write.C", + manage = "TestEnv.Manage.C" + }, + MachineC4 = { + name = 
"MachineC4", + description = "Description of MachineC4", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryC", + + disclose = "TestEnv.Disclose.C", + read = "TestEnv.Read.C", + write = "TestEnv.Write.C", + manage = "TestEnv.Manage.C" + }, + MachineC5 = { + name = "MachineC5", + description = "Description of MachineC5", + wiki = "https://fab-access.readthedocs.io", + category = "CategoryC", + + disclose = "TestEnv.Disclose.C", + read = "TestEnv.Read.C", + write = "TestEnv.Write.C", + manage = "TestEnv.Manage.C" }, - Yetmore = { - description = "Yet more test machines", - disclose = "lab.test.read", - manage = "lab.test.admin", - name = "Yetmore", - read = "lab.test.read", - write = "lab.test.write" - } }, + + actors = {=}, - -- Actor configuration. Actors are how bffh affects change in the real world by e.g. switching a power socket - -- using a shelly - actors = { - -- Actors similarly to machines have an 'id'. This id (here "Shelly1234") is limited to Alphanumeric ASCII - -- and must begin with a letter. - Shelly1234 = { - -- Actors are modular pieces of code that are loaded as required. The "Shelly" module will send - -- activation signals to a shelly switched power socket over MQTT - module = "Shelly", - -- Actors can have arbitrary parameters passed to them, varying by actor module. - params = { - -- For Shelly you can configure the MQTT topic segment it uses. Shellies listen to a specific topic - -- containing their name (which is usually of the form "shelly_" but can be changed). - -- If you do not configure a topic here the actor will use it's 'id' (in this case "Shelly1234"). - topic = "Topic1234" - } - }, + actor_connections = [] : List { machine : Text, actor : Text }, - Bash = { - -- The "Process" module runs a given script or command on state change. - -- bffh invoces the given cmd as `$ ${cmd} ${args} ${id} ${state}` so e.g. 
as - -- `$ ./examples/actor.sh your ad could be here Bash inuse` - module = "Process", - params = { - -- which is configured by the (required) 'cmd' parameter. Paths are relative to PWD of bffh. Systemd - -- and similar process managers may change this PWD so it's usually the most future-proof to use - -- absolute paths. - cmd = "./examples/actor.sh", - -- You can pass static args in here, these will be passed to every invocation of the command by this actor. - -- args passed here are split by whitespace, so these here will be passed as 5 separate arguments - args = "your ad could be here" - } - }, - - DoorControl1 = { - -- This actor calls the actor.py script in examples/ - -- It gets passed it's own name, so you can have several actors - -- from the same script. - -- If you need to pass more arguments to the command you can use the `args` key in - -- `params` as is done with the actor `Bash` - module = "Process", - -- the `args` are passed in front of all other parameters so they are best suited to - -- optional parameters like e.g. the verboseness - params = { cmd = "/usr/local/lib/bffh/adapters/actor.py", args = "-vvv" } - }, - DoorControl2 = { - module = "Process", - params = { cmd = "/usr/local/lib/bffh/adapters/actor.py", } - }, - DoorControl3 = { - -- This is an example for how it looks like if an actor is misconfigured. - -- the actor.py doesn't know anything about DoorControl3 and, if this actor is enabled, - -- will return with an error showing up in the server logs. - module = "Process", - params = { cmd = "/usr/local/lib/bffh/adapters/actor.py", } - }, - - Bash2 = { module = "Process", params = { cmd = "/usr/local/lib/bffh/adapters/actor.sh" , args = "this is a different one" }}, - FailBash = { module = "Process", params = { cmd = "/usr/local/lib/bffh/adapters/fail-actor.sh" }} - }, - - -- Linkng up machines to actors - -- Actors need to be connected to machines to be useful. 
A machine can be connected to multiple actors, but one - -- actor can only be connected to one machine. - actor_connections = [ - { machine = "Testmachine", actor = "Shelly1234" }, - { machine = "Another", actor = "Bash" }, - { machine = "Yetmore", actor = "Bash2" }, - { machine = "Yetmore", actor = "FailBash"} - ], - - -- Initiators are configured almost the same way as Actors, refer to actor documentation for more details - -- The below '{=}' is what you need if you want to define *no* initiators at all and only use the API with apps - -- to let people use machines. initiators = {=}, - -- The "Dummy" initiator will try to use and return a machine as the given user every few seconds. It's good to - -- test your system but will spam your log so is disabled by default. - --initiators = { Initiator = { module = "Dummy", params = { uid = "Testuser" } } }, - -- Linking up machines to initiators. Similar to actors a machine can have several initiators assigned but an - -- initiator can only be assigned to one machine. - -- The below is once again how you have to define *no* initiators. - init_connections = [] : List { machine : Text, initiator : Text } - --init_connections = [{ machine = "Testmachine", initiator = "Initiator" }] + init_connections = [] : List { machine : Text, initiator : Text }, } diff --git a/config/bffh/users.toml b/config/bffh/users.toml index 59b267a..4c4e83d 100644 --- a/config/bffh/users.toml +++ b/config/bffh/users.toml 
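Review bot: Every explanatory comment in the `roles`, `machines`, `actors` and `initiators` sections is deleted — including the notes that permission levels are not additive and that `disclose` and `read` normally share a permission — and nothing replaces them, so the new `TestEnv.<Level>.<Group>` permission scheme and the `<Level><Group>` role naming are now undocumented. Suggest a short comment above `roles = {`, e.g. `-- One role per permission level (Manage/Use/Read/Disclose) and machine group (A/B/C); users combine roles, Admin holds every TestEnv permission.` As a point of style, `Admin` lists all thirteen permissions explicitly where the PermRule wildcard `TestEnv.*` that the removed comments describe would express the same grant in one line, if wildcard semantics are unchanged in v0.3-pre. The new `init_connections = ... ,` line ends with a trailing comma before the closing `}` where the old line had none; whether the dhall parser bundled with this bffh version accepts that cannot be confirmed from the hunk. The top-level record begins before this hunk.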
@@ -1,14 +1,173 @@ -[Testuser] -# These roles have to be defined in 'bffh.dhall'. -# Non-existant roles will not crash the server but print a `WARN` level message in the -# server log in the form "Did not find role somerole/internal while trying to tally". -roles = ["somerole/internal", "testrole/internal"] - -# The password will be hashed using argon2id on load time and is not available in plaintext afterwards. +[Admin1] +roles = ["Admin"] passwd = "secret" - -# You can add whatever random data you want. -# It will get stored in the `kv` field in UserData. -# This is not used for anything at the moment noot = "noot!" -cardkey = "7ab8704a61b5317e1fe4cae9e3e1fd8d" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[Admin2] +roles = ["Admin"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[ManagerA1] +roles = ["ManageA", "UseA", "ReadA", "DiscloseA"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[ManagerA2] +roles = ["ManageA", "UseA", "ReadA", "DiscloseA"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[ManagerB1] +roles = ["ManageB", "UseB", "ReadB", "DiscloseB"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[ManagerB2] +roles = ["ManageB", "UseB", "ReadB", "DiscloseB"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[ManagerC1] +roles = ["ManageC", "UseC", "ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[ManagerC2] +roles = ["ManageC", "UseC", "ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[ManagerABC1] +roles = ["ManageA", "UseA", "ReadA", "DiscloseA", "ManageB", "UseB", "ReadB", "DiscloseB", "ManageC", "UseC", "ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" 
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[ManagerABC2] +roles = ["ManageA", "UseA", "ReadA", "DiscloseA", "ManageB", "UseB", "ReadB", "DiscloseB", "ManageC", "UseC", "ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerA1] +roles = ["UseA", "ReadA", "DiscloseA"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerA2] +roles = ["UseA", "ReadA", "DiscloseA"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerB1] +roles = ["UseB", "ReadB", "DiscloseB"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerB2] +roles = ["UseB", "ReadB", "DiscloseB"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerC1] +roles = ["UseC", "ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerC2] +roles = ["UseC", "ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerABC1] +roles = ["UseA", "ReadA", "DiscloseA", "UseB", "ReadB", "DiscloseB", "UseC", "ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerABC2] +roles = ["UseA", "ReadA", "DiscloseA", "UseB", "ReadB", "DiscloseB", "UseC", "ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[GuestA1] +roles = ["ReadA", "DiscloseA"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[GuestA2] +roles = ["ReadA", "DiscloseA"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[GuestB1] +roles = ["ReadB", "DiscloseB"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[GuestB2] +roles = ["ReadB", "DiscloseB"] +passwd = "secret" +noot = "noot!" 
+cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[GuestC1] +roles = ["ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[GuestC2] +roles = ["ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[GuestABC1] +roles = ["ReadA", "DiscloseA", "ReadB", "DiscloseB", "ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[GuestABC2] +roles = ["ReadA", "DiscloseA", "ReadB", "DiscloseB", "ReadC", "DiscloseC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerQRA] +roles = ["UseA", "ReadA"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerQRB] +roles = ["UseB", "ReadB"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +[MakerQRC] +roles = ["UseC", "ReadC"] +passwd = "secret" +noot = "noot!" +cardkey = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \ No newline at end of file diff --git a/config/cert/cert.pem b/config/cert/cert.pem new file mode 100644 index 0000000..f771f32 --- /dev/null +++ b/config/cert/cert.pem 
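Review bot: All thirty accounts, `[Admin1]` and `[Admin2]` included, share `passwd = "secret"` and the same placeholder `cardkey`, and the comment explaining the `roles` field and that `passwd` is argon2id-hashed on load is removed together with the old `[Testuser]` block; the file also now ends without a trailing newline. Since docker-compose.yaml in this commit runs `bffhd --load=/etc/bffh/users.toml` on every container start and publishes the server port, these credentials are live on any host that brings the stack up unmodified. Suggest restoring a header comment, e.g. `# Demo accounts for the TestEnv roles in bffh.dhall; every passwd below is the placeholder "secret" and must be replaced per deployment.` Whether `cardkey` is interpreted as a credential or only stored as opaque user data cannot be told from this hunk; if it is a credential, the identical value on every user deserves the same treatment.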
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFYzCCA0ugAwIBAgIUD/WP9/ClkcITVEE1ApyenpySXkswDQYJKoZIhvcNAQEL +BQAwQTELMAkGA1UEBhMCREUxDzANBgNVBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVy +bGluMRAwDgYDVQQKDAdSTEtNIFVHMB4XDTIyMDQyMDEzNTk1MFoXDTIzMDQyMDEz +NTk1MFowQTELMAkGA1UEBhMCREUxDzANBgNVBAgMBkJlcmxpbjEPMA0GA1UEBwwG +QmVybGluMRAwDgYDVQQKDAdSTEtNIFVHMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +MIICCgKCAgEAtlDacP0s0CjC5mP7pe2/uAo7nrP2WHztnG9ougbAcmSnmOCNWxYo +3ItGZQ4morGqTndx1yrr7/ZXVmqvvxtbcwQc99u4KFw9DrzCr/5la5SJv/KsBOW4 +mjNNPJY79DKsULuOo6nqZGUFNhk+nbFSjMy684zsIvj6YNeYE4lvPGVtQ+buBlep +FjYwyFgezpbdYnVPNKCCEag3Pgxi2Sxys9vaaUIP/BpMrLXXARk5sFHV5kiQRRZ6 +mw7hQz9Sb7BbQHeH1ejTLUNSTpHZ5fdptVTQRwt2Er5FgLcBPwckGymOCSsg8Bop +N6zFutybVl0vYK0KkslADLo+S8/W81ckKpUYFnk0zw9ET8LlrMnzc9jfV5BMtijz +sKArOC/ALLXz5FiPfpq+vVpqy354YkIy+n4xBKYpp9s3xeBpMLgupL/Tx7yB9Dxs +9Dp0vzDnx6UDHHo+U9OZYTmjy2oFxhM3lN73Hs2L2zgmWYUgksCQYJOUcXtGUW6C +nYLiSDJPqBoFSVGlUVSf9Aq4h23OWyRPD8GKcMQXVdFUEckgf5BRpGkxDigsDaAu +uN0QHCPw3fTg69xmIt0PxWGy+bEFSPZd83CtnklOAXTv7EnHb0HtZ1fDSqvbcGIi +A5LaCitC4Z5IaU7Ub23AY8BcjLnRopPIOVLrLvmznCoy0ntLBht/Z/0CAwEAAaNT +MFEwHQYDVR0OBBYEFOJ3+fyj1u6eou6MOktC5vUG2JPVMB8GA1UdIwQYMBaAFOJ3 ++fyj1u6eou6MOktC5vUG2JPVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggIBAE0eleTJs87FJ9Kuex/8NNZXs+4OjqetPbIJV32+IvIht1c51Bbo0MrS +7RdE4MIj5XyC6vpk+vpb/rnFr8Q655J7Ao/iVhwIW9k8Y4uJL5YvIrJyM9w/JWNa +Jp2f5Jc0xJmKaU7rkegokosg7y7vJGz+l2oeWcBFf6BQ/zcifUFGTah0u0qe2vGR +9dFZ07CAqawFvLsg/xDwmXkhEVWjB9CmwbbH5fgd9fpBL8wGiraaVCiVSwun9jzn +ylBCWF24BoI5UAjHgbPDAqwkbTLJaDPZF52AOT9M6UY9naJ8PflykwIqvAejZvbi +CrfUjqXS2F387VGJ9/xxzM2ZeMjWXT+FjOKJAZBf4r5CjsUvpBQZw/LiHfKzzTos +VauB6qJhIcqUUUpFdKeeyGkExfxsCuHfTk8n2g3kCYZUpgKt55gmFGUMqP8qXSko +6BfGIEtIEHdBdb5++IBIXINMj7mLYimk/iQkGWwQTN3RXCck6yN5lzUNNQ81Ea97 +dj4/UAzf9mztNVmZJMZ/sqVxUciGy+kr6JJi/4pUGIZh5IezHY5bS4dRAN0mQFzz +aYkyZlGrVrvex7zBeyO88erMnFMxFS1el9ms0Izu85NmkryWkg+U7yzJAFqJXDHT +an1Se25jGeyqyA0Y2soZ9GjxkTkOkXuPIYr+LdZPpd8ce0KI5ncg +-----END CERTIFICATE----- 
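Review bot: As far as the base64 decodes, this is a self-signed certificate (issuer and subject both C=DE, ST=Berlin, L=Berlin, O=RLKM UG) with `CA:TRUE` and only subjectKeyIdentifier/authorityKeyIdentifier/basicConstraints extensions — no subjectAltName — and a validity window of 2022-04-20 to 2023-04-20. Without a SAN, hostname verification in current TLS clients fails against it, and past the notAfter date it is rejected outright, so it only works with clients that skip verification. Suggest a `config/cert/README` (or a comment next to `certfile` in bffh.dhall) stating that this is a placeholder pair for local testing and that the commented-out dnsrobocert service in docker-compose.yaml appears to be the intended source of real certificates.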
diff --git a/config/cert/key.pem b/config/cert/key.pem
new file mode 100644
index 0000000..9b64f24
--- /dev/null
+++ b/config/cert/key.pem
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC2UNpw/SzQKMLm +Y/ul7b+4Cjues/ZYfO2cb2i6BsByZKeY4I1bFijci0ZlDiaisapOd3HXKuvv9ldW +aq+/G1tzBBz327goXD0OvMKv/mVrlIm/8qwE5biaM008ljv0MqxQu46jqepkZQU2 +GT6dsVKMzLrzjOwi+Ppg15gTiW88ZW1D5u4GV6kWNjDIWB7Olt1idU80oIIRqDc+ +DGLZLHKz29ppQg/8GkystdcBGTmwUdXmSJBFFnqbDuFDP1JvsFtAd4fV6NMtQ1JO +kdnl92m1VNBHC3YSvkWAtwE/ByQbKY4JKyDwGik3rMW63JtWXS9grQqSyUAMuj5L +z9bzVyQqlRgWeTTPD0RPwuWsyfNz2N9XkEy2KPOwoCs4L8AstfPkWI9+mr69WmrL +fnhiQjL6fjEEpimn2zfF4GkwuC6kv9PHvIH0PGz0OnS/MOfHpQMcej5T05lhOaPL +agXGEzeU3vcezYvbOCZZhSCSwJBgk5Rxe0ZRboKdguJIMk+oGgVJUaVRVJ/0CriH +bc5bJE8PwYpwxBdV0VQRySB/kFGkaTEOKCwNoC643RAcI/Dd9ODr3GYi3Q/FYbL5 +sQVI9l3zcK2eSU4BdO/sScdvQe1nV8NKq9twYiIDktoKK0LhnkhpTtRvbcBjwFyM +udGik8g5Uusu+bOcKjLSe0sGG39n/QIDAQABAoICAAPNs4T0bzUniItkbhlT2LJW ++k/xCrRlZNKk618oKWcpjOqOUryh/Xe+axlMHoe546bv7H7T7SisL73Ei4aV5EZF +wXH1UkX7SKXQT9J6oPSJ3IbV4ftXLI8A/31CWB1b2kbz5sGo15RBHEb451rEWofH +9KWEnN+M6LJRBSHxNdIhfpJSVMhql0M4nbNsTTY7pQI7FswvBg+mvgJMIVrNB9aT +QV79SxaUGOHoiEQEWfUA/BCqFmJumd+2w4HS5h4g5IJ3i+ytRwyUcTjk55IZ44lu +K8szpMK21/3bs4m0VS9A4m70CKOhtBbugpCHrjDy0Dx417Xgv3aUgxyzSRV6Da3R +sskwsGII7lPVNXGNMbtLGZCMc63igNa9UzZrR34Te7g/9gdubg5frKUEn4lkIP7P +FqYZxBXswVeSnzYS0XQ5j88L1BeoJrYoYdoj28HPwL36RP5ouzldgLMYc42/yRpd +sv27OMbzk3jcpjyNkmpPMHze5oyu6chzUXw4WvOl8iQZlO4uWzOXrkRf1upwNoVw +jqnCbU9Hvh+8Rg8QbnW8y0nY6RXTiINogQvRl+Vi8TyU0RSDaUHwou6QIGbFDXAw +3zvGATuNqMYe9zysZnJVYJ/CDE5eH/b5XTCIUoKvFEYm02C0ymSlqYPO59McOPek +lSgAqbRAj9qNXUHFJ+/5AoIBAQDGPxSPNTTfLNjj8wBF+ZJRK5FxZ9qx6GhNlxRI +ziKFH/ozP1mNxZKqLu+ta/IeHsJCuJ3oYzQBCnUcAMmuY8cMW9ocr8iU8dlmjN/u +G5SXZ50JdXhIyfvPAGjnGeRGqkzjmZFHEE7go+AS5o1wMTpFDCffyEvYJKNWFRnu +f+eRdvPYueyGBkKx7QimOzFZPufgYaJNiL2YJY4KlHD7Bmc8pX8ep6bXN6HEfDCF +6PiWfxDPi8ey0VWnEkfAOWRwOfVxyOFd+8sTMQ3W2/CTbzIyP1NJioeR3sZFMiXL +EStG14ihDHedA/zHMwci3aWUW3RVE21gEivp0akAEMaG8hLFAoIBAQDrbbHT/AC8 +K7rswHISXR515P1OROTK7mcLq+ujjoDnVCDg91IivfFlwb52vkOMKEQDNqVLYp6S 
+dkbNt21CJUsjYhhJ5mUXJUrWJpembVT87uplyi5+MYmCx5jIK9UwzFoKXwRVkLhq +tz118/THgduIYTzBeDOnmWdcsw3PIW8CxIfMJAfWQJPVDZRisX2Ox8KRzGR4UqPS +gAOBi9pwf05aLennT+5GlaTsxdotmf3VWTEHZJGnFJHrbU7Vm17wW9Y+SZWx+ocZ +7PhuFA1snB8t2wGaYa7UacqzD5gTC1/SOsUK7RTyL5yPP88AY7gV7PViDWI8lPTP ++Hmf9jWUU3PZAoIBAARyWcW0jdELsnm6c6EeLfgAIC0JBVDEQ8KpxtyzMvcFdpk7 +rIiPi/ChSOL87ttaGUVh2rjhsMLtNx8/rUZqGobecJAAKWGd4yB3vHYczEJxIoaZ +ye7oCOvluHSmkgY7v6nDQgz0ArDrPBVwcm+3yvTNhv9wALOCbt95bbF50PnkTyfn +U7TV4x0WkgEYhszXql/QENHoZUhKX1tBZR9cT2h+1dEcNZPSPaCooHYAecL2aqwd +GIecRm2O7WkUYHpb8nNw7A0tnqp5iTPujwDfl6Kk5PtbThspggz/SPW7Fttp7jie +jPhKpJrbPCe+DP685mkaHHPxNGb0OvQzbCCOwXkCggEAPlZQVMoQQ8Lsfs3CJpyj +eSIF9FiHoDgZ7tw5y5frB9Wd0xOJmwtiRMhVL0nXxt/Oim9IuzpEtJE+1C+ybWZE +i/zoY4Du2X8VXrjfRMEEVOjKBePQBbgGKivBh5cbnw0s9jwMgL+OJSuZyYasFLuM +roLYvH2gZ8tVtBTxHhxDMZ9qOaJ8tL1qp2ouFSfcEBdSrJpLLBTtrcoZo46ta0Y6 +L+SiX44pkGUFQ3BsAdEZhglU0xlM+8mVjZnm2uaF7+zRQLLpQTQN286ERVln6I86 +LkEkHoWo7jOI6XrCkKBdYeQP0oHOHwZ+VOvXWsoMrzmMC8dxcIsce4jWY4Wk0D58 +mQKCAQAhQJm5Rji/lzVY3eu6TvuWMdoyt4DnZjSWCbhWjhZ3Fsv1xpGwNmfxoExb +TbqnwcEZKCyF12vgh8/zXYRwwCF0PKe0rR3GsfgM+bPpcFVuIp1vGRLYO49eYRmm +s372NCQkZMcNpzX+jB1MtLt/Jx/P8lb3eaExoknpZpDzYlhxU8UNEtogMfyvUt/i +9hZtjCRMCkEV4o/C/8/VuchwLWR5fRrJDydTLxavIAhOjfCGKoU4EiIqAZjJnJKk +jHHvxLwbXjSNZe41n872lOmNUweTch3ikRBMqDsXoELyCVXmoupnwIajO1eV2sWq ++cqdvrc3lDTZ3QIesrwgLuCGSQpj +-----END PRIVATE KEY----- diff --git a/docker-compose.yaml b/docker-compose.yaml index 23c73fd..bb8180e 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
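Review bot: This hunk commits an unencrypted PKCS#8 RSA private key (`-----BEGIN PRIVATE KEY-----`, no passphrase) to the repository, and bffh.dhall in the same commit reads it through the `./config/cert` → `/etc/letsencrypt` mount, so the TLS identity of every deployment built from this repo is shared with anyone who can read the history. Once pushed, deleting the file in a later commit does not undo that; the pair needs to be regenerated on the target host and `config/cert/` added to `.gitignore` (the commented-out dnsrobocert service in docker-compose.yaml writes into that directory, which suggests this was the intended flow). If a checked-in pair is wanted for local testing, name it for what it is, e.g. `config/cert/test-key.pem`, and keep it out of the path the compose file mounts.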
@@ -1,18 +1,31 @@
 version: "3.8"
 services:
+ #dnsrobocert:
+ # image: adferrand/dnsrobocert
+ # pull_policy: always
+ # restart: always
+ # volumes:
+ # - "./config/cert:/etc/letsencrypt"
+ # - "./config/dnsrobocert:/etc/dnsrobocert"
+
 bffh:
- image: registry.gitlab.com/fabinfra/fabaccess/bffh:latest
+ image: registry.gitlab.com/fabinfra/fabaccess/bffh:v0.3-pre
 pull_policy: always
 restart: always
 ports:
- - "59661:59661"
+ - "59666:59661"
+ entrypoint: ["sh", "-c", "bffhd -c /etc/bffh/bffh.dhall --load=/etc/bffh/users.toml; bffhd -c /etc/bffh/bffh.dhall"]
+ environment:
+ - "RUST_LOG=debug"
 volumes:
 # generate a sample config.toml by running "docker run registry.gitlab.com/fabinfra/fabaccess/bffh:dev-latest --print-default > examples/config.toml" from the project root. You may have to delete the ipv6 listen section.
 - "./config/bffh:/etc/bffh"
 - "./adapters:/usr/local/lib/bffh/adapters"
+ - "./config/cert:/etc/letsencrypt"
 - data:/var/lib/bffh
 links:
 - mqtt
+
 mqtt:
 image: eclipse-mosquitto:1.6.15
 restart: always
@@ -20,5 +33,7 @@ services:
 - "1883:1883"
 volumes:
 - "./config/mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf"
+
 volumes:
 data:
+
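Review bot: The new `entrypoint` chains the import and the daemon with `;`, so if `bffhd --load` fails (malformed TOML, unknown role) the server still starts on whatever user database is already in the `data` volume and the error only scrolls past in the log; `&&` would surface the failure as a container exit under `restart: always`. Because `--load` runs on every start, any password or role changed at runtime is presumably overwritten from users.toml each time the container comes up, which deserves a comment if intended. `RUST_LOG=debug` is set permanently on the service that handles logins, which is a lot of log volume for a `restart: always` deployment. The `# generate a sample config.toml` comment is now stale, since the config is `bffh.dhall` and the tag is `v0.3-pre`, not `dev-latest`. Suggested line: `entrypoint: ["sh", "-c", "bffhd -c /etc/bffh/bffh.dhall --load=/etc/bffh/users.toml && exec bffhd -c /etc/bffh/bffh.dhall"]`, where `exec` also lets the daemon receive the container's stop signal directly instead of via `sh`.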