feat(agent): per-agent direct-TLS cert client + HTTPS listener wiring
The agent obtains a valid wildcard cert for *.<hash>.agent.unarr.app from the web broker (ACME DNS-01) so the https web player reaches it directly over HTTPS instead of the CloudFlare funnel. - internal/acme: generate EC P-256 key + CSR locally (private key never leaves the machine), fetch the signed chain from the broker, persist it atomically, NeedsIssue renewal check - daemon: generate + persist a stable agent_hash in config.toml; register before requesting the cert (broker ownership check needs the row); arm the HTTPS listener with the cert; 6h renewal poll hot-swaps it (no restart) - report httpsStreamPort + agentHash on register/sync - stream_server: emit Access-Control-Allow-Private-Network on PNA preflight so an https page can reach the agent on loopback / LAN
This commit is contained in:
Deivid Soto
parent
3a8c6ddd30
commit
2fcc0d397f
9 changed files with 423 additions and 19 deletions
|
|
@ -22,6 +22,8 @@ type DaemonConfig struct {
|
|||
Version string
|
||||
DownloadDir string
|
||||
StreamPort int // port for the HTTP stream server
|
||||
HTTPSStreamPort int // TLS stream listener port (per-agent direct-TLS); 0 when off
|
||||
AgentHash string // stable high-entropy hash for *.<hash>.agent.unarr.app
|
||||
StreamSecret string // hex HMAC key for stream tokens (reported so the web can mint HLS tokens)
|
||||
LanIP string // LAN IP (reported in sync for stream URL resolution)
|
||||
TailscaleIP string // Tailscale IP (reported in sync for stream URL resolution)
|
||||
|
|
@ -135,6 +137,8 @@ func (d *Daemon) Register(ctx context.Context) error {
|
|||
Version: d.cfg.Version,
|
||||
DownloadDir: d.cfg.DownloadDir,
|
||||
StreamPort: d.cfg.StreamPort,
|
||||
HTTPSStreamPort: d.cfg.HTTPSStreamPort,
|
||||
AgentHash: d.cfg.AgentHash,
|
||||
StreamSecret: d.cfg.StreamSecret,
|
||||
LanIP: d.cfg.LanIP,
|
||||
TailscaleIP: d.cfg.TailscaleIP,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue