4b6a088e38
- fips::service::active_unit() picks whichever fips unit is running
(archipelago-fips.service vs upstream fips.service) so
handle_fips_restart and handle_fips_reconnect don't silently no-op
on hosts where the archipelago-managed unit was never created.
- peer_connectivity_summary(anchor_candidates) replaces the old
identity-cache check. anchor_connected is now true when at least
one authenticated peer's npub matches the public anchor OR any
entry in seed-anchors.json, which matches what the user actually
cares about ("am I in the mesh?") rather than what the card used
to claim ("is this one specific public anchor reachable?").
- FipsStatus::query takes data_dir now (so it can read seed-anchors)
rather than identity_dir. All call-sites updated.
- handle_fips_reconnect re-pushes seed anchors after restart so the
new daemon gets dialed without waiting for the 5-min apply loop.
- FipsNetworkCard label drops "(fips.v0l.io)" — misleading now that
multiple anchors may be configured.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
197 lines
8.0 KiB
Rust
197 lines
8.0 KiB
Rust
//! FIPS (Free Internetworking Peering System) daemon integration.
|
||
//!
|
||
//! github.com/jmcorgan/fips — a spanning-tree mesh routing protocol that
|
||
//! uses Nostr secp256k1 keys as native node identity. Archipelago ships
|
||
//! the daemon as an apt package, feeds it the seed-derived key from
|
||
//! `/data/identity/fips_key`, and supervises it via
|
||
//! `archipelago-fips.service`.
|
||
//!
|
||
//! This module is the in-process bridge:
|
||
//! - [`service`]: systemctl status / start / stop / restart / unmask.
|
||
//! - [`config`]: materialise `/etc/fips/fips.yaml` + install the key.
|
||
//! - [`update`]: query GitHub (tracking `main`) for a newer build,
|
||
//! verify SHA256, install via dpkg, restart.
|
||
//!
|
||
//! Privileged operations shell out via `sudo systemctl …` and `sudo dpkg …`
|
||
//! (mirroring the vpn/update patterns already in the codebase); the
|
||
//! sudoers rule shipped in the ISO whitelists exactly those commands for
|
||
//! the `archipelago` service user.
|
||
//!
|
||
//! FIPS is dark on the wire until onboarding writes the key. Before that,
|
||
//! `FipsStatus::installed` reports the package state and `service_active`
|
||
//! returns false; the transport router keeps routing via Tor.
|
||
|
||
// Consumers land in the next phase (RPC endpoints + onboarding hookup);
|
||
// the module is deliberately API-ready ahead of those call-sites.
|
||
#![allow(dead_code)]
|
||
|
||
pub mod anchors;
|
||
pub mod config;
|
||
pub mod dial;
|
||
pub mod iface;
|
||
pub mod service;
|
||
pub mod update;
|
||
|
||
use serde::{Deserialize, Serialize};
|
||
use std::path::{Path, PathBuf};
|
||
|
||
/// Systemd unit name supervised by archipelago.
|
||
pub const SERVICE_UNIT: &str = "archipelago-fips.service";
|
||
|
||
/// Path the FIPS daemon reads its config from (Debian package default).
|
||
pub const DAEMON_CONFIG_PATH: &str = "/etc/fips/fips.yaml";
|
||
|
||
/// Path the FIPS daemon reads its private key from.
|
||
pub const DAEMON_KEY_PATH: &str = "/etc/fips/fips.key";
|
||
|
||
/// Path the FIPS daemon reads its public key from.
|
||
pub const DAEMON_PUB_PATH: &str = "/etc/fips/fips.pub";
|
||
|
||
/// Upstream repository the updater tracks (branch `main`).
|
||
pub const UPSTREAM_REPO: &str = "jmcorgan/fips";
|
||
|
||
/// Default UDP port the daemon listens on.
|
||
pub const DEFAULT_UDP_PORT: u16 = 8668;
|
||
|
||
/// Upstream systemd unit shipped by the `fips` debian package. Archipelago
|
||
/// prefers its own supervision (`archipelago-fips.service`) but respects an
|
||
/// already-running upstream unit so legacy/dev nodes — where no seed-derived
|
||
/// key exists — still report FIPS as active in the UI.
|
||
pub const UPSTREAM_SERVICE_UNIT: &str = "fips.service";
|
||
|
||
/// Aggregated runtime status of the FIPS subsystem, surfaced to the dashboard.
|
||
#[derive(Debug, Clone, Serialize, Deserialize)]
|
||
pub struct FipsStatus {
|
||
/// Whether the `fips` debian package is installed on the host.
|
||
pub installed: bool,
|
||
/// Installed daemon version string reported by `fipsctl --version`,
|
||
/// or None if not installed / not queryable.
|
||
pub version: Option<String>,
|
||
/// `systemctl is-active archipelago-fips.service` result: "active",
|
||
/// "inactive", "failed", "masked", "unknown".
|
||
pub service_state: String,
|
||
/// State of the upstream `fips.service` (shipped by the debian package).
|
||
pub upstream_service_state: String,
|
||
/// True if either the archipelago-managed or upstream unit is active.
|
||
pub service_active: bool,
|
||
/// Whether the seed-derived FIPS key has been materialised on disk.
|
||
/// The archipelago-managed service cannot start meaningfully until
|
||
/// this is true; legacy nodes may still report FIPS active via the
|
||
/// upstream unit without this file.
|
||
pub key_present: bool,
|
||
/// Local FIPS npub (bech32). Prefers the seed-derived key when
|
||
/// present; falls back to the upstream daemon's own key on legacy
|
||
/// nodes where `/etc/fips/fips.pub` is readable.
|
||
pub npub: Option<String>,
|
||
/// Number of currently authenticated FIPS peers, per
|
||
/// `fipsctl show peers`. 0 → isolated / anchor unreachable;
|
||
/// >0 → DHT routing is viable.
|
||
#[serde(default)]
|
||
pub authenticated_peer_count: u32,
|
||
/// True when at least one peer in the identity cache is a known
|
||
/// public anchor (currently `fips.v0l.io`). Anchors bootstrap DHT
|
||
/// routing for general-case deployments, so a red anchor status is
|
||
/// the top UX indicator of "FIPS traffic will probably degrade to
|
||
/// Tor until the anchor is reachable."
|
||
#[serde(default)]
|
||
pub anchor_connected: bool,
|
||
}
|
||
|
||
impl FipsStatus {
|
||
/// Snapshot the current state across package, key, and service.
|
||
///
|
||
/// `data_dir` is the archipelago data-dir (used to load the
|
||
/// operator-configured seed-anchor list so "anchor_connected" means
|
||
/// "at least one authenticated peer matches a public or configured
|
||
/// seed anchor", not just "fips.v0l.io specifically").
|
||
pub async fn query(data_dir: &Path) -> Self {
|
||
let identity_dir = identity_dir_from(data_dir);
|
||
let installed = service::package_installed().await;
|
||
let version = if installed {
|
||
service::daemon_version().await.ok()
|
||
} else {
|
||
None
|
||
};
|
||
let service_state = service::unit_state(SERVICE_UNIT).await;
|
||
let upstream_service_state = service::unit_state(UPSTREAM_SERVICE_UNIT).await;
|
||
let service_active =
|
||
service_state == "active" || upstream_service_state == "active";
|
||
let key_present = crate::identity::fips_key_exists(&identity_dir);
|
||
|
||
// Prefer the seed-derived npub; otherwise read the daemon's own
|
||
// key file at /etc/fips/fips.pub (world-readable per debian pkg).
|
||
let npub = match crate::identity::fips_npub(&identity_dir).await {
|
||
Ok(Some(n)) => Some(n),
|
||
_ => service::read_upstream_npub().await.ok().flatten(),
|
||
};
|
||
|
||
let (authenticated_peer_count, anchor_connected) = if service_active {
|
||
// Build the anchor-candidate list: hardcoded public anchor
|
||
// plus every entry in the operator's seed-anchors.json.
|
||
// The card lights up if any of them is authenticated.
|
||
let mut anchor_npubs = vec![service::PUBLIC_ANCHOR_NPUB.to_string()];
|
||
if let Ok(seed) = anchors::load(data_dir).await {
|
||
anchor_npubs.extend(seed.into_iter().map(|a| a.npub));
|
||
}
|
||
service::peer_connectivity_summary(&anchor_npubs).await
|
||
} else {
|
||
(0, false)
|
||
};
|
||
|
||
Self {
|
||
installed,
|
||
version,
|
||
service_state,
|
||
upstream_service_state,
|
||
service_active,
|
||
key_present,
|
||
npub,
|
||
authenticated_peer_count,
|
||
anchor_connected,
|
||
}
|
||
}
|
||
}
|
||
|
||
/// Compose a data-dir–relative identity directory path.
|
||
/// Mirrors the convention used elsewhere in the codebase so callers don't
|
||
/// have to repeat the `.join("identity")` each time.
|
||
pub fn identity_dir_from(data_dir: &Path) -> PathBuf {
|
||
data_dir.join("identity")
|
||
}
|
||
|
||
#[cfg(test)]
|
||
mod tests {
|
||
use super::*;
|
||
|
||
#[tokio::test]
|
||
async fn test_status_reports_no_key_pre_onboarding() {
|
||
let dir = tempfile::tempdir().unwrap();
|
||
// query() now takes a data_dir (parent) rather than identity_dir,
|
||
// since it also reads seed-anchors.json for the anchor check.
|
||
// No identity/ subdir → no key; no seed-anchors.json → public
|
||
// anchor is the only candidate.
|
||
let status = FipsStatus::query(dir.path()).await;
|
||
assert!(!status.key_present, "no key before onboarding");
|
||
assert!(status.npub.is_none());
|
||
// `installed`, `service_state`, `version` depend on the host and are
|
||
// not asserted here — query() must return cleanly regardless.
|
||
}
|
||
|
||
#[test]
|
||
fn test_identity_dir_from() {
|
||
let data = Path::new("/var/lib/archipelago");
|
||
assert_eq!(
|
||
identity_dir_from(data),
|
||
Path::new("/var/lib/archipelago/identity")
|
||
);
|
||
}
|
||
|
||
#[test]
|
||
fn test_constants_have_expected_shape() {
|
||
assert!(SERVICE_UNIT.ends_with(".service"));
|
||
assert!(DAEMON_CONFIG_PATH.starts_with('/'));
|
||
assert!(DAEMON_KEY_PATH.starts_with('/'));
|
||
assert_eq!(UPSTREAM_REPO, "jmcorgan/fips");
|
||
}
|
||
}
|