Client/Server mode: sending configuration profile to a remote server #377
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #377 +/- ##
==========================================
- Coverage 72.24% 70.24% -2.00%
==========================================
Files 127 139 +12
Lines 12925 13432 +507
==========================================
+ Hits 9337 9434 +97
- Misses 3160 3567 +407
- Partials 428 431 +3
008609a to 27b0dba
I got a fully working proof of concept for the SSH mode 🎉
What do you think @jkellerer?
SSH mode should be secure enough:
Obviously it still needs more work and also unit tests. We'll see for the other modes later (with the security concerns)
a340c97 to 73896c4
Will check it. Was a bit busy these days :)
73896c4 to 5d698ec
5d698ec to 7809348
7809348 to b7c7296
Work in progress
Proof of concept on how to send a configuration profile to a remote server (along with necessary files like exclude list, restic password, etc.)
Suggestion of connection type:
- SSH: secure connection (would be the default)
- HTTP: basic HTTP connection to be used within a VPN (do we want to provide that?)
- mTLS: secure connection with client/server certificates

SSH connection doesn't need to have a resticprofile server waiting for connections. The two other types would need to.
New commands:
- `send`: connects to a remote via SSH and pushes the specified configuration
- `serve`: serves configuration files (

New flag:
- `-r` / `--remote`: download configuration files from the endpoint then run using the downloaded configuration (only). Can be used with `-w` / `--wait` to inspect the mounted FS.

Other security consideration
Ideally we want the remote clients to never save the configuration that was pushed to them. They run the backup and forget everything about it.
We should investigate how to ask the kernel not to swap the file contents <- doesn't seem to be possible in Go

Configuration
New entries in the configuration could look like:
Implementation details:
- os/fs but it forbids using any rooted path, which sounds like it would be a massive refactoring.
- go-fuse library to create a filesystem in memory from a tar stream (not sure how it's going to work on Windows yet)

Demo of working SSH mode (logs from both the initiator and the remote)
More information
Discussion here: #69
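
The following Go example is added here and is not code from this PR or from resticprofile. It shows the receiving side of the idea in the description: the pushed tar stream is unpacked into an in-memory `fs.FS` (the standard library's `fstest.MapFS` standing in for the go-fuse mount) so nothing is written to disk, and it shows the rooted-path restriction of the standard `fs.FS` interface that the description mentions. `PackProfile`, `LoadProfile`, the file names and the 1 MiB per-file cap are assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"testing/fstest"
)

// PackProfile builds the tar stream the sending side would push (hypothetical helper).
func PackProfile(files map[string][]byte) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, data := range files {
		hdr := &tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o600, Size: int64(len(data))}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		_, _ = tw.Write(data) // bytes.Buffer cannot fail; a short write is reported by Close
	}
	err := tw.Close() // write the trailer before taking the bytes
	return buf.Bytes(), err
}

// LoadProfile reads the stream into an in-memory fs.FS; nothing touches the disk.
func LoadProfile(r io.Reader) (fstest.MapFS, error) {
	mem, tr := fstest.MapFS{}, tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg || !fs.ValidPath(hdr.Name) || hdr.Size > 1<<20 {
			return nil, fmt.Errorf("rejected tar entry %q", hdr.Name) // rooted, "..", link, device or > 1 MiB (assumed cap)
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		mem[hdr.Name] = &fstest.MapFile{Data: data, Mode: 0o600}
	}
	return mem, nil
}

func main() { // constructed sample input
	stream, _ := PackProfile(map[string][]byte{"profiles.yaml": []byte("constructed: sample\n")})
	mem, err := LoadProfile(bytes.NewReader(stream))
	fmt.Println(len(mem), err)
}
```

Code that opens files through the returned `fs.FS` has to use unrooted names such as `profiles.yaml`; a rooted name like `/profiles.yaml` is not a valid `io/fs` path and the open fails.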