DashCA

commit f61e85d9a78995ebed2c6c2c49bb62046e8ad9bd Author: Sami Date: Thu Mar 5 02:26:12 2026 -0800 Initial commit: DashCaddy v1.0 Full codebase including API server (32 modules + routes), dashboard frontend, DashCA certificate distribution, installer script, and deployment skills. diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e5cf659 --- /dev/null +++ b/.gitignore @@ -0,0 +1,54 @@ +# Dependencies +node_modules/ + +# Runtime state/config files (generated, not source) +dashcaddy-api/credentials.json +dashcaddy-api/alert-config.json +dashcaddy-api/audit-log.json +dashcaddy-api/audit-log.json.lock +dashcaddy-api/backup-config.json +dashcaddy-api/backup-history.json +dashcaddy-api/container-stats.json +dashcaddy-api/health-config.json +dashcaddy-api/health-history.json +dashcaddy-api/update-config.json +dashcaddy-api/update-history.json +dashcaddy-api/dashcaddy-errors.log + +# Build output +dashcaddy-installer/build-output/ +dashcaddy-installer/dist/ +status/dist/ + +# Vendor / third-party +status/vendor/ + +# Backup files +*.backup.html +*.backup.*.html +*.recovered +backups/ + +# IDE / editor +.claude/ +.kiro/ +.vscode/ + +# Session-specific docs (not project docs) +DEPLOYMENT-SUCCESS.md +FINAL-DEPLOYMENT-REPORT.md +TEST-RESULTS.md +TESTING-GUIDE.md +DashCA-Plan.md +vhdx-cleanup-instructions.md + +# Utility scripts (local only) +check-e.ps1 +disk-scan.ps1 +disk-scan2.ps1 +fix-wsl-and-mount.ps1 +import-services.js + +# OS files +Thumbs.db +.DS_Store diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..cf49bc5 --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1,230 @@ +# DashCaddy Project Guidelines for AI Assistants + +## HARD RULE: Docker Storage on E: Drive + +**ALL Docker container data, volumes, bind mounts, and app configs MUST use `E:/dockerdata/` via bind mounts or CIFS volumes. No exceptions.** + +- E: is a network share (`\\Sami-pc\e_share`) shared across all home network computers +- The ONLY thing allowed on C: is the Docker Desktop WSL engine VHD (`C:/dockerdata/DockerDesktopWSL/`) — this is the absolute bare minimum WSL2 requires (local NTFS). WSL2 cannot create VHDs on network shares. +- Keep C: Docker usage under 5GB +- When deploying new containers, always use `E:/dockerdata//` for bind mount paths +- For CIFS volumes in docker-compose, use `//Sami-pc/e_share/dockerdata/...` as the device path + +## CRITICAL: Production vs Development Paths + +### Production Files (LIVE - what actually runs) +``` +C:/caddy/ +├── Caddyfile # Active Caddy configuration +├── services.json # Services shown on dashboard +├── dns-credentials.json # DNS API credentials +├── config.json # DashCaddy configuration +└── sites/ + └── status/ # Dashboard frontend files + └── assets/ # Logos, fonts, icons +``` + +### Development Files (for editing/testing) +``` +e:/CaddyCerts/sites/ +├── caddy-api/ +│ ├── server.js # API server source code +│ ├── app-templates.js # Docker app templates (52+ apps) +│ ├── services.json # DEV ONLY - not used in production! +│ └── ... +└── status/ + └── index.html # Dashboard UI source +``` + +## Docker Container Mount Points + +The `caddy-api` container mounts production files: + +| Container Path | Host Path (Production) | +|----------------|------------------------| +| `/app/services.json` | `C:/caddy/services.json` | +| `/app/dns-credentials.json` | `C:/caddy/dns-credentials.json` | +| `/caddyfile` | `C:/caddy/Caddyfile` | +| `/app/assets` | `C:/caddy/sites/status/assets` | + +## When Making Changes + +### To add/remove services from dashboard: +Edit `C:/caddy/services.json` (NOT e:/CaddyCerts/sites/caddy-api/services.json) + +### To modify Caddy reverse proxy rules: +Edit `C:/caddy/Caddyfile`, then reload via: +```bash +curl -X POST http://localhost:2019/load -H "Content-Type: text/caddyfile" --data-binary @"C:/caddy/Caddyfile" +``` + +### To modify API server code: +Edit `e:/CaddyCerts/sites/caddy-api/server.js`, then: +1. Copy to production: `C:/caddy/sites/caddy-api/` +2. Restart container: `docker restart caddy-api` + +### To modify app templates: +Edit `e:/CaddyCerts/sites/caddy-api/app-templates.js` +(Templates are loaded at runtime, changes require container restart) + +### To modify dashboard UI: +Edit `e:/CaddyCerts/sites/status/index.html` +Copy to `C:/caddy/sites/status/` for production + +### To modify DashCA (CA certificate distribution): +Edit files in `e:/CaddyCerts/sites/ca/`, then: +1. Regenerate certificate formats: `cd e:/CaddyCerts/sites/ca/scripts && bash generate-all.sh` +2. Copy to production: `cp -r e:/CaddyCerts/sites/ca/* C:/caddy/sites/ca/` +3. Reload Caddy if Caddyfile changes were made + +## DashCA - Certificate Authority Distribution + +**Purpose**: Provides a one-click installation page for the root CA certificate, allowing users to easily trust *.sami domains on any device. + +**Access**: https://ca.sami (or https://ca.yourdomain for other installations) + +### File Locations + +**Development (for editing):** +``` +e:/CaddyCerts/sites/ca/ +├── index.html # Landing page +├── root.crt, root.der # Certificate formats +├── root.mobileconfig # Apple profile +├── intermediate.crt # Intermediate CA +├── cert-info.json # Certificate metadata +├── scripts/ +│ ├── install.ps1 # Windows installer +│ ├── install.sh # Linux/macOS installer +│ ├── generate-cert-info.js # Extract cert metadata +│ ├── generate-mobileconfig.js # Generate Apple profile +│ └── generate-all.sh # Regenerate all formats +└── assets/ # Icons, logos +``` + +**Production (served by Caddy):** +``` +C:/caddy/sites/ca/ +├── index.html +├── root.crt, root.der +├── root.mobileconfig +├── install.ps1, install.sh +└── assets/ +``` + +### Certificate Source + +Caddy's built-in PKI generates certificates at: +- **Root CA**: `C:/caddy/certs/pki/authorities/local/root.crt` +- **Intermediate CA**: `C:/caddy/certs/pki/authorities/local/intermediate.crt` + +**Certificate Info:** +- **CN**: Sami Home Network Root CA +- **Algorithm**: ECDSA P-256 with SHA-256 +- **Valid Until**: Dec 22, 2034 (~10 years) +- **Fingerprint**: `08:98:A5:63:F5:A1:A2:58:5F:02:D7:A8:A2:54:87:E6:BC:33:96:21:29:0E` + +### Deployment + +DashCA is a **static site** (not Docker-based), deployed via the app selector: +1. Navigate to App Selector in dashboard +2. Find "DashCA" in Security category +3. Click Deploy +4. System automatically: + - Creates `C:/caddy/sites/ca/` directory + - Copies files from development directory + - Generates certificate formats (DER, mobileconfig) + - Adds ca.sami block to Caddyfile + - Reloads Caddy configuration + - Registers service in `services.json` + +### Updating Certificates + +When Caddy's CA certificate is renewed (every ~10 years): + +```bash +# 1. Regenerate all certificate formats +cd e:/CaddyCerts/sites/ca/scripts +bash generate-all.sh + +# 2. Update fingerprint in installation scripts +# Edit install.ps1 - update $ExpectedFingerprint +# Edit install.sh - update EXPECTED_FP + +# 3. Copy to production +cp -r e:/CaddyCerts/sites/ca/* C:/caddy/sites/ca/ + +# 4. Notify users via dashboard or email +``` + +### API Endpoints + +- **GET /api/ca/info** - Returns certificate metadata (name, fingerprint, expiration, etc.) +- **GET /api/health/ca** - Returns CA expiration health status + - `healthy`: >90 days remaining + - `warning`: 30-90 days remaining + - `critical`: <30 days remaining + +### Caddyfile Configuration + +DashCA's Caddyfile block (auto-generated on deployment): +- **Root**: `C:/caddy/sites/ca` +- **TLS**: Internal (uses Caddy's local CA) +- **MIME Types**: Proper headers for .crt, .der, .mobileconfig, .ps1, .sh files +- **SPA Fallback**: Rewrites non-file requests to /index.html +- **Cache Control**: Certificates cached for 24h, HTML not cached + +### Supported Platforms + +- **Windows**: PowerShell installer (installs to LocalMachine\Root store) +- **macOS**: .mobileconfig profile or command-line installer +- **Linux**: Shell installer (Debian, RedHat, Arch) +- **iOS**: .mobileconfig profile (requires manual trust in Settings) +- **Android**: Direct .crt download (installs as user certificate) + +### Landing Page Features + +- Automatic OS detection +- QR code for mobile access +- Certificate info display (loaded from `/api/ca/info`) +- Platform-specific installation instructions +- Copy-to-clipboard for fingerprint and commands +- Download links for all certificate formats + +### Troubleshooting + +**Issue**: Certificate fingerprint mismatch during installation +**Cause**: CA certificate was renewed +**Solution**: Regenerate certificates and update fingerprints in install scripts + +**Issue**: *.sami sites still show warnings after CA install +**Cause**: Browser may have cached the untrusted state +**Solution**: Clear browser cache, restart browser, or visit site in incognito mode + +**Issue**: iOS doesn't trust certificate after profile install +**Cause**: iOS requires manual trust enablement +**Solution**: Settings → General → About → Certificate Trust Settings → Enable trust + +## Key Services + +| Service | Port | Description | +|---------|------|-------------| +| Caddy (HTTPS) | 443 | Reverse proxy | +| Caddy Admin | 2019 | Caddy API (note: NOT 2021) | +| DashCaddy API | 3001 | Dashboard backend | +| DNS2 (Primary) | 100.74.102.61:5380 | Technitium DNS | +| DNS1 (Secondary) | 192.168.254.204:5380 | Technitium DNS | + +## Common Mistakes to Avoid + +1. **Wrong services.json**: The API container reads from `C:/caddy/services.json`, not the development copy +2. **Caddy admin port**: It's 2019, not 2021 (check with `netstat` if unsure) +3. **DNS server**: DNS2 (100.74.102.61) is PRIMARY, DNS1 is secondary +4. **Caddyfile not reloaded**: After editing, must POST to /load endpoint or restart Caddy + +## Project Info + +- **Name**: DashCaddy +- **Version**: 1.0 +- **Purpose**: Unified management for Docker + Caddy + DNS +- **Local TLD**: .sami diff --git a/README.md b/README.md new file mode 100644 index 0000000..5f61b25 --- /dev/null +++ b/README.md @@ -0,0 +1,370 @@ +# DashCaddy + +**Self-hosted dashboard for managing Docker apps with automatic SSL, DNS, and reverse proxy configuration.** + +![Version](https://img.shields.io/badge/version-1.0.0-blue) +![License](https://img.shields.io/badge/license-MIT-green) + +## What is DashCaddy? + +DashCaddy is an all-in-one solution for self-hosting Docker applications. It combines: +- 🎨 **Beautiful Dashboard** - Monitor all your services in one place +- 🐳 **Docker Management** - Deploy 50+ pre-configured apps with one click +- 🔒 **Automatic SSL** - Internal CA with automatic certificate generation +- 🌐 **DNS Integration** - Automatic DNS record creation (Technitium DNS) +- 🔄 **Reverse Proxy** - Caddy configuration managed automatically +- 🔐 **Tailscale Support** - Secure remote access built-in + +## Features + +### Authentication & Security +- Built-in TOTP two-factor authentication +- Fine-grained access control per service +- Secure session management +- Group-based permissions + +### Dashboard +- Real-time service health monitoring +- Response time tracking +- Status indicators with visual feedback +- Weather widget +- Multiple themes (dark/light/blue) +- Import/export configuration + +### App Deployment +- 50+ pre-configured app templates +- One-click deployment +- Automatic DNS + SSL + reverse proxy setup +- Container health checking +- Deployment status tracking +- SSL certificate generation monitoring + +### Service Management +- Add/edit/delete services +- Restart containers +- View logs +- Update configurations +- Silent deletions (no annoying popups) + +### Developer Tools +- Error log viewer +- API endpoints for automation +- Import/export for testing +- Comprehensive error logging + +## Quick Start + +### Prerequisites +- Docker & Docker Compose +- Caddy web server +- Technitium DNS (optional, for automatic DNS) +- Node.js 18+ (for API server) + +### Installation + +1. **Clone the repository** +```bash +git clone https://github.com/yourusername/dashcaddy.git +cd dashcaddy +``` + +2. **Install dependencies** +```bash +cd caddy-api +npm install +``` + +3. **Configure environment** +```bash +cp .env.example .env +# Edit .env with your settings +``` + +4. **Start the API server** +```bash +npm start +``` + +5. **Configure Caddy** +Add to your Caddyfile: +``` +status.yourdomain.com { + root * /path/to/dashcaddy/status + file_server + reverse_proxy /api/* localhost:3001 +} +``` + +6. **Access the dashboard** +Open `https://status.yourdomain.com` in your browser + +## Configuration + +### Environment Variables + +Create a `.env` file in the `caddy-api` directory: + +```env +# Caddy Configuration +CADDYFILE_PATH=/path/to/Caddyfile +CADDY_ADMIN_URL=http://localhost:2019 + +# DNS Configuration (optional) +DNS_SERVER=192.168.1.1 +DNS_TOKEN=your-dns-token + +# File Paths +SERVICES_FILE=/path/to/services.json +ERROR_LOG_FILE=/path/to/dashcaddy-errors.log +``` + +### DNS Integration + +DashCaddy works with Technitium DNS for automatic DNS record creation: + +1. Install Technitium DNS +2. Create an API token with DNS management permissions +3. Configure DNS credentials in dashboard (🔑 Tokens button) + +### Tailscale Integration + +For secure remote access: + +1. Install Tailscale on your server +2. Services can be restricted to Tailscale-only access +3. Configure in deployment settings + +## Usage + +### Deploying an App + +1. Click **"App Selector"** button +2. Choose an app from the template library +3. Configure: + - Subdomain (e.g., `jellyfin` → `jellyfin.yourdomain.com`) + - Port (auto-suggested) + - IP address (defaults to localhost) + - Tailscale-only access (optional) +4. Click **"Deploy"** +5. Wait for SSL certificate generation (30-60 seconds) +6. Access your app! + +### Managing Services + +- **View Status**: Cards show real-time health and response times +- **Open Service**: Click "Open" button +- **Restart**: Click restart button (for Docker containers) +- **Delete**: Click delete button (removes everything: container, DNS, Caddy config) +- **Edit**: Click settings button to modify configuration + +### Viewing Error Logs + +1. Click **"📋 Logs"** button in toolbar +2. View all errors with timestamps and context +3. Refresh to see latest errors +4. Clear logs when resolved + +### Backup & Restore + +**Export Configuration:** +1. Click **"📤 Export"** button +2. JSON file downloads with all your services +3. Save safely + +**Import Configuration:** +1. Click **"📥 Import"** button +2. Select your backup JSON file +3. Confirm import +4. Dashboard reloads with restored configuration + +**Note**: API tokens are not exported for security. Reconfigure after import. + +## App Templates + +DashCaddy includes 50+ pre-configured templates: + +### Media & Entertainment +- Plex, Jellyfin, Emby +- Navidrome, Airsonic +- Tautulli, Overseerr + +### Downloads +- Sonarr, Radarr, Lidarr, Readarr +- Prowlarr, Bazarr +- qBittorrent, Transmission +- SABnzbd, NZBGet + +### Productivity +- Nextcloud +- Paperless-ngx +- BookStack, Outline +- Standard Notes + +### Management +- Portainer +- Homepage, Homarr +- Uptime Kuma +- Grafana + +### Security & Authentication +- Vaultwarden (Password Manager) + +### Development +- Gitea +- VS Code Server +- Jenkins, Drone CI + +### And many more! + +## API Endpoints + +### Services +- `GET /api/services` - List all services +- `POST /api/services` - Add service +- `PUT /api/services` - Bulk import services +- `DELETE /api/services/:id` - Remove service + +### App Deployment +- `GET /api/apps/templates` - List app templates +- `POST /api/apps/deploy` - Deploy new app +- `DELETE /api/apps/:id` - Remove deployed app + +### Error Logs +- `GET /api/error-logs` - Get error logs +- `DELETE /api/error-logs` - Clear error logs + +### DNS Management +- `POST /api/dns/record` - Create DNS record +- `DELETE /api/dns/record` - Delete DNS record + +### Caddy Management +- `GET /api/caddy/config` - Get Caddyfile content +- `POST /api/caddy/reload` - Reload Caddy configuration + +## Troubleshooting + +### SSL Certificate Errors + +**Problem**: "Secure Connection Failed" when accessing new service + +**Solution**: +- Wait 30-60 seconds for certificate generation +- Check dashboard notification for SSL status +- Manually reload Caddy: `caddy reload --config /path/to/Caddyfile` +- Check error logs in dashboard + +### DNS Not Resolving + +**Problem**: Service URL doesn't resolve + +**Solution**: +- Verify DNS server is running +- Check DNS credentials in 🔑 Tokens menu +- Manually add DNS record in Technitium DNS +- Flush DNS cache: `ipconfig /flushdns` (Windows) or `sudo systemd-resolve --flush-caches` (Linux) + +### Container Won't Start + +**Problem**: Deployment succeeds but service is offline + +**Solution**: +- Check Docker logs: `docker logs [container-id]` +- Verify port isn't already in use +- Check container resource limits +- View error logs in dashboard + +### Import/Export Issues + +**Problem**: Import fails or data is incomplete + +**Solution**: +- Validate JSON format +- Check file has `version` and `services` fields +- Reconfigure API tokens after import +- Check error logs for details + +## Development + +### Project Structure + +``` +dashcaddy/ +├── status/ # Dashboard frontend +│ ├── index.html # Main dashboard +│ └── assets/ # Logos, icons, fonts +├── caddy-api/ # API backend +│ ├── server.js # Express server +│ ├── app-templates.js # App template definitions +│ └── package.json # Dependencies +├── dashcaddy-installer/ # Electron installer (WIP) +└── docs/ # Documentation +``` + +### Adding Custom App Templates + +Edit `caddy-api/app-templates.js`: + +```javascript +"myapp": { + name: "My App", + description: "Description of my app", + icon: "🚀", + logo: "https://cdn.example.com/logo.png", + category: "Productivity", + docker: { + image: "myapp/myapp:latest", + ports: ["{{PORT}}:8080"], + volumes: ["/opt/myapp:/data"], + environment: { + "APP_ENV": "production" + } + }, + subdomain: "myapp", + defaultPort: 8080, + healthCheck: "/health" +} +``` + +### Contributing + +Contributions are welcome! Please: +1. Fork the repository +2. Create a feature branch +3. Make your changes +4. Test thoroughly +5. Submit a pull request + +## Roadmap + +- [ ] Service groups/categories +- [ ] Container log viewer +- [ ] DNS management UI +- [ ] Backup automation +- [ ] Multi-user support +- [ ] Mobile app +- [ ] Analytics dashboard +- [ ] Template marketplace + +## License + +MIT License - see LICENSE file for details + +## Credits + +- **Dashboard Icons**: [walkxcode/dashboard-icons](https://github.com/walkxcode/dashboard-icons) (MIT License) +- **Caddy**: [caddyserver.com](https://caddyserver.com/) +- **Technitium DNS**: [technitium.com/dns](https://technitium.com/dns/) + +## Support + +- **Issues**: [GitHub Issues](https://github.com/yourusername/dashcaddy/issues) +- **Discussions**: [GitHub Discussions](https://github.com/yourusername/dashcaddy/discussions) +- **Documentation**: [Wiki](https://github.com/yourusername/dashcaddy/wiki) + +## Acknowledgments + +Built with ❤️ for the self-hosting community. + +--- + +**DashCaddy** - Making self-hosting beautiful and effortless. diff --git a/WHAT-IS-DASHCADDY.md b/WHAT-IS-DASHCADDY.md new file mode 100644 index 0000000..c8b220c --- /dev/null +++ b/WHAT-IS-DASHCADDY.md @@ -0,0 +1,242 @@ +# What is DashCaddy? + +DashCaddy is a self-hosted web dashboard that unifies Docker container management, Caddy reverse proxy configuration, DNS automation, and SSL certificate provisioning into a single interface. It is designed for homelabbers and self-hosters who want to deploy and manage services without manually editing config files, writing Docker Compose YAML, or configuring DNS records by hand. + +You open one page, click "Deploy", pick an app, and DashCaddy handles everything: pulls the Docker image, starts the container, creates a DNS record, adds a reverse proxy block with automatic HTTPS, and registers the service on your dashboard — all in about 30 seconds. + +## The Stack + +| Layer | Technology | Role | +|-------|-----------|------| +| Frontend | Vanilla JS SPA (~12,000 lines across 33 modules) | Dashboard UI, modals, wizards | +| Backend | Node.js / Express (~20,000 lines across 22 modules + 20 route files) | API server with 125+ endpoints | +| Reverse Proxy | Caddy | HTTPS termination, internal CA, automatic certificates | +| DNS | Technitium DNS Server | Automatic A-record creation for `*.sami` domains | +| Containers | Docker (via dockerode) | Application lifecycle management | +| Auth | TOTP (RFC 6238) + JWT | Two-factor authentication for dashboard access | +| Encryption | AES-256-GCM | Credential storage with OS keychain fallback | + +The API server runs inside a Docker container (`caddy-api`) on port 3001. Caddy sits in front of everything on port 443, terminating TLS with certificates signed by its own root CA. + +## What It Does + +### One-Click App Deployment + +55 pre-configured templates across 16 categories (Media, Downloads, Productivity, Development, Monitoring, DNS, Security, and more). Each template defines the Docker image, default port, environment variables, volume mounts, health check endpoint, and setup instructions. Deploying an app: + +1. Pulls the Docker image +2. Creates the container with the right env vars, ports, and volumes +3. Creates a DNS A-record on Technitium (e.g., `plex.sami`) +4. Adds a reverse proxy block to the Caddyfile with TLS +5. Reloads Caddy +6. Registers the service on the dashboard with health monitoring + +### Dashboard + +Real-time service cards showing status (up/slow/down), response time, uptime percentage, and container ID. Each card has controls to open the service, restart the container, view logs, edit settings, manage auto-login credentials, or delete the service. + +Special top-row cards for DNS servers, internet connectivity, TOTP auth status, and the certificate authority. + +### Smart Arr Connect + +A four-phase wizard that auto-detects Plex, Radarr, Sonarr, Overseerr/Jellyseerr, and Prowlarr, fetches their API keys, and wires them together automatically — connecting Overseerr to Plex, configuring Prowlarr with indexers for Radarr/Sonarr, etc. + +### Auto-Login SSO + +Per-service credential storage that authenticates users into services transparently via Caddy's `forward_auth` directive. Supports cookie-based auth, JWT-based auth (Open WebUI, Plex), IP-based auth (router), and Emby/Jellyfin token auth with separate device IDs to avoid token invalidation. + +### DashCA (Certificate Authority Distribution) + +A static site at `ca.sami` that auto-detects the visitor's OS and provides one-click installation of the root CA certificate. Supports Windows (PowerShell), macOS (.mobileconfig), Linux (shell script), iOS (profile), and Android (direct .crt download). + +### Monitoring and Operations + +- **Health Checker**: Periodic HTTP probes with configurable endpoints per service +- **Resource Monitor**: Per-container CPU, memory, disk I/O, and network stats +- **Update Manager**: Checks Docker Hub for newer image versions, one-click updates +- **Backup/Restore**: Export/import full dashboard configuration as JSON +- **Audit Logger**: Tracks all administrative actions +- **Error Log Viewer**: Aggregated error logs with severity filtering +- **Metrics**: Request counts, response times, error rates, business events (deploys, deletions, DNS records created) +- **Notifications**: Configurable alerts for health check failures and resource thresholds + +### Security + +- TOTP two-factor authentication with QR code setup +- CSRF token protection on all mutating endpoints +- Helmet security headers +- Rate limiting (general, strict, TOTP tiers) +- Input validation and sanitization (via `validator` library) +- AES-256-GCM credential encryption with OS keychain integration +- Docker security scanning +- API key management +- Non-root container execution with health checks + +### Other Features + +- Three themes (dark, light, blue) +- Keyboard shortcuts +- Customizable logo with position control +- Weather widget +- Setup wizard with three modes (Simple, Homelab, Public Server) +- Guided onboarding tour (Driver.js) +- Tailscale integration for access control +- Media folder browser for configuring volume mounts +- Interactive API documentation (OpenAPI/Swagger) + +--- + +## Architecture Diagram + +``` + Browser (index.html) + │ + ▼ + Caddy :443 ─── TLS (internal CA) ───┐ + │ │ + ├── /api/* → caddy-api :3001 │ + ├── *.sami → reverse proxy │ + │ to Docker containers │ + └── ca.sami → static DashCA site │ + │ + caddy-api container │ + ├── Express (server.js) │ + │ ├── 20 route modules │ + │ ├── State Manager (lock) │ + │ ├── Credential Manager │ + │ ├── Health Checker │ + │ ├── Resource Monitor │ + │ └── Metrics Collector │ + │ │ + ├──→ Docker Engine (dockerode) │ + ├──→ Caddy Admin API :2019 │ + ├──→ Technitium DNS :5380 │ + └──→ services.json (file-locked) │ +``` + +## Current State + +**Version**: 0.95 (1.0 = public release) + +The project is fully functional and in daily use. All core features work. The codebase has a test suite (17 test files under `__tests__/`) covering validators, crypto, health checks, state management, API endpoints, and integration scenarios. + +--- + +## Obstacles to v1.0 Release + +### 1. Windows-Only — No Cross-Platform Support + +DashCaddy was built on and for Windows. The entire deployment model assumes: +- `C:/caddy/` as the production path +- Windows-style path handling throughout (`C:\caddy\Caddyfile`, `host.docker.internal`) +- Docker Desktop for Windows +- Windows Task Scheduler for backups +- PowerShell for CA certificate installation + +A Linux or macOS user cannot run this without significant path rewiring. For a public release, either the documentation must clearly state "Windows only" or the path handling needs to be abstracted with platform-aware defaults. + +### 2. Hardcoded Infrastructure Assumptions + +The codebase has assumptions baked in that only apply to the author's setup: + +- **`.sami` TLD**: The local domain suffix is referenced throughout (Caddyfile templates, DNS record creation, documentation). A public user would need their own TLD — this needs to be a first-run configuration option, not a find-and-replace exercise. +- **Technitium DNS**: DNS automation assumes Technitium's REST API. Users running Pi-hole, CoreDNS, or no local DNS server have no path. The DNS layer needs to be pluggable or clearly documented as a hard requirement. +- **Docker Desktop**: Container operations assume Docker Desktop's `host.docker.internal` hostname. Native Docker on Linux uses `localhost` differently. +- **Caddy internal CA**: The TLS model assumes Caddy's built-in PKI. Users wanting Let's Encrypt or other CAs need a different onboarding flow (partially addressed by the "Public Server" setup wizard mode). + +### 3. Single-Page HTML Monolith + +The frontend is a ~12,000-line single HTML + 33 JS files architecture with no build step, no bundler, no framework, and no component system. While this means zero build tooling to configure, it creates obstacles: + +- No minification or tree-shaking — the full payload is served on every load +- No code splitting — all 33 modules load upfront +- IIFEs communicate through `window` globals — fragile, hard to test +- No TypeScript — no compile-time safety on a 12k-line frontend +- CSS is embedded in the HTML — no style extraction or scoping + +This works fine for a personal tool but makes contribution and maintenance harder at scale. + +### 4. No Automated Test Coverage for the Frontend + +The backend has 17 test files with unit and integration tests. The frontend has zero tests. The dashboard UI is the primary interface users interact with, and it has no test safety net — no unit tests, no E2E tests, no screenshot regression tests. + +### 5. No CI/CD Pipeline + +There is no GitHub Actions workflow, no pre-commit hooks, no automated linting, and no automated test runs. The deployment process is manual: + +1. Edit files in `e:/CaddyCerts/sites/dashcaddy-api/` +2. Copy JS files to `C:/caddy/sites/dashcaddy-api/` +3. Run `docker restart caddy-api` + +A public project needs at minimum: automated tests on push, a linter, and a documented release process. + +### 6. No Installation or Setup Documentation + +There is no README explaining how to install DashCaddy from scratch. The `CLAUDE.md` is an internal reference for AI assistants. A new user would need: + +- Prerequisites (Docker Desktop, Caddy, Technitium, Node.js) +- Step-by-step installation guide +- First-run configuration walkthrough +- Troubleshooting guide +- Architecture overview + +### 7. Single-User Only + +There is no concept of user accounts, roles, or permissions. TOTP protects access but there's one global session. For a household with multiple users, there's no way to give someone read-only access or restrict who can deploy/delete containers. + +### 8. No Container Orchestration Beyond Single-Host + +DashCaddy manages containers on one Docker host. There's no support for: +- Docker Compose stacks (multi-container apps like Nextcloud + MariaDB + Redis) +- Docker Swarm or Kubernetes +- Remote Docker hosts +- Container networking (custom networks, inter-container communication) + +Apps that need multiple containers (databases, caches, sidecars) must be set up manually. + +### 9. Credential and Secret Management Gaps + +While credentials are encrypted with AES-256-GCM, the encryption key management has limitations: +- The master key derivation and storage strategy isn't documented for end users +- Key rotation exists but there's no scheduled rotation or policy +- Backup exports include encrypted credentials but the key management for restoring on a different machine isn't clear +- No integration with external secret managers (Vault, 1Password, etc.) + +### 10. Incomplete Template Coverage + +55 templates is a strong start, but several popular self-hosted apps are missing, and the template system has constraints: +- No user-contributed templates or template marketplace +- No template versioning — if an image tag changes, templates need manual updates +- No Docker Compose support — templates are single-container only +- Environment variable templating is basic (`{{PORT}}`, `{{SUBDOMAIN}}`) with no conditional logic + +### 11. No Persistent Logging or Metrics Storage + +Metrics (request counts, response times, business events) are in-memory only — they reset on container restart. There's no time-series database, no Prometheus endpoint, no Grafana integration. For a monitoring-focused dashboard, losing all metrics on restart is a significant gap. + +### 12. The Development/Production File Split + +The two-directory development model (`e:/CaddyCerts/sites/` for editing, `C:/caddy/` for production) works for the author but would confuse contributors and can't work as-is for other users. A public release needs a single canonical source of truth with a proper build/deploy pipeline. + +--- + +## What's Strong + +Despite these obstacles, DashCaddy has substantial strengths that position it well for release: + +- **Feature-complete for its core use case**: Deploy apps, manage reverse proxy, automate DNS — it all works +- **Security-first design**: TOTP, CSRF, rate limiting, encryption, input validation, non-root containers +- **Polished UI**: Themes, keyboard shortcuts, onboarding tour, skeleton loaders, responsive design +- **Smart Arr Connect**: A genuinely useful automation that saves significant manual configuration +- **Auto-Login SSO**: Handles the messy reality of diverse auth mechanisms (cookies, JWT, IP-based, localStorage) +- **55 app templates**: Broad coverage of the self-hosting ecosystem +- **Thread-safe state management**: Proper file locking prevents corruption under concurrent access +- **In-memory metrics and monitoring**: Even without persistence, the real-time view is useful +- **Test suite exists**: 17 backend test files covering critical paths +- **Modular route architecture**: 20 route files keep the 125+ endpoints organized and maintainable + +## Summary + +DashCaddy is a mature, feature-rich self-hosting dashboard that solves a real problem — the tedium of manually configuring Docker + reverse proxy + DNS for every new service. It's daily-driver stable for a single Windows user with Caddy and Technitium DNS. + +The gap between "works great for me" and "anyone can install this" is the remaining 0.05 to v1.0. The biggest obstacles are cross-platform support, installation documentation, and removing the hardcoded infrastructure assumptions. The frontend architecture and CI/CD are secondary concerns that matter more for long-term maintainability than for a functional v1.0 release. diff --git a/ca/README.md b/ca/README.md new file mode 100644 index 0000000..aa09881 --- /dev/null +++ b/ca/README.md @@ -0,0 +1,281 @@ +# DashCA - Certificate Authority Distribution + +A self-hosted landing page for distributing your root CA certificate with one-click installation across all major platforms. + +## Quick Start + +### Regenerate All Certificate Formats + +```bash +cd scripts +bash generate-all.sh +``` + +This will: +1. Copy root.crt and intermediate.crt from Caddy PKI +2. Generate root.der (DER format for Windows) +3. Generate root.mobileconfig (Apple profile for iOS/macOS) +4. Extract certificate metadata to cert-info.json + +### Deploy to Production + +```bash +# Copy all files to production directory +cp -r e:/CaddyCerts/sites/ca/* C:/caddy/sites/ca/ +``` + +Or deploy via the dashboard app selector (preferred method). + +## File Structure + +``` +ca/ +├── index.html # Landing page with OS detection +├── root.crt # Root CA certificate (PEM format) +├── root.der # Root CA certificate (DER format) +├── root.mobileconfig # Apple configuration profile +├── intermediate.crt # Intermediate CA certificate +├── cert-info.json # Certificate metadata (auto-generated) +├── scripts/ +│ ├── install.ps1 # Windows PowerShell installer +│ ├── install.sh # Linux/macOS shell installer +│ ├── generate-cert-info.js # Extract certificate metadata +│ ├── generate-mobileconfig.js # Generate Apple profile +│ └── generate-all.sh # Wrapper script to regenerate all +└── assets/ + └── (icons, logos, etc.) +``` + +## Certificate Information + +**Source:** Caddy's built-in PKI at `C:/caddy/certs/pki/authorities/local/` + +- **Name:** Sami Home Network Root CA +- **Algorithm:** ECDSA P-256 with SHA-256 +- **Valid Until:** Dec 22, 2034 +- **Fingerprint:** `08:98:A5:63:F5:A1:A2:58:5F:02:D7:A8:A2:54:87:E6:BC:33:96:21:29:0E` + +## Installation Scripts + +### Windows (install.ps1) + +Features: +- Requires Administrator privileges +- Downloads certificate from ca.sami +- Verifies SHA-256 fingerprint +- Installs to LocalMachine\Root store +- Checks for existing installation + +**One-liner:** +```powershell +irm https://ca.sami/install.ps1 | iex +``` + +### Linux/macOS (install.sh) + +Features: +- Requires sudo/root +- Auto-detects OS (Debian, RedHat, Arch, macOS) +- Platform-specific installation commands +- Fingerprint verification with OpenSSL +- Checks for existing installation + +**One-liner:** +```bash +curl -fsSL https://ca.sami/install.sh | sudo bash +``` + +### Apple Devices (root.mobileconfig) + +Features: +- Works on both iOS and macOS +- XML configuration profile format +- Contains base64-encoded certificate +- Unique UUIDs per generation +- User must manually trust after installation (iOS) + +**Installation:** +1. Download root.mobileconfig +2. iOS: Settings prompts automatically +3. macOS: System Settings → Profiles → Install +4. iOS: Enable trust in Certificate Trust Settings + +## Landing Page Features + +The landing page (`index.html`) includes: + +- **OS Detection:** Automatically detects Windows, macOS, Linux, iOS, Android +- **Certificate Info Display:** Shows name, fingerprint, expiration, algorithm +- **QR Code:** For easy mobile access (powered by qrcodejs library) +- **Download Links:** All certificate formats and installation scripts +- **Platform Tabs:** Detailed instructions for each operating system +- **Copy-to-Clipboard:** For fingerprint and command-line scripts +- **DashCaddy Theme:** Dark mode with Sami Grotesk font + +**API Integration:** +- Loads certificate info from `/api/ca/info` endpoint +- Falls back to static info if API unavailable + +## Development Workflow + +1. **Edit Files:** Make changes in `e:/CaddyCerts/sites/ca/` +2. **Test Locally:** Open `index.html` in browser (file:// protocol works) +3. **Regenerate Certificates:** Run `scripts/generate-all.sh` if CA renewed +4. **Deploy:** Copy to production or use dashboard deployment +5. **Verify:** Visit https://ca.sami and test on target platforms + +## Updating After CA Renewal + +When Caddy regenerates its CA certificate (every ~10 years): + +### 1. Regenerate Certificate Formats + +```bash +cd e:/CaddyCerts/sites/ca/scripts +bash generate-all.sh +``` + +### 2. Update Fingerprints in Scripts + +The new fingerprint will be in `cert-info.json`. Update these files: + +**install.ps1** (line 17): +```powershell +$ExpectedFingerprint = "NEW:FIN:GER:PRINT:HERE" +``` + +**install.sh** (line 13): +```bash +EXPECTED_FP="NEW:FIN:GER:PRINT:HERE" +``` + +### 3. Deploy to Production + +```bash +cp -r e:/CaddyCerts/sites/ca/* C:/caddy/sites/ca/ +``` + +### 4. Notify Users + +- Add banner to dashboard +- Send notification via configured channels +- Update documentation with new expiration date + +## API Endpoints + +DashCA integrates with DashCaddy API: + +### GET /api/ca/info + +Returns certificate metadata: + +```json +{ + "success": true, + "certificate": { + "name": "Sami Home Network Root CA", + "fingerprint": "08:98:A5:...", + "validFrom": "Feb 12 07:44:51 2025 GMT", + "validUntil": "Dec 22 07:44:51 2034 GMT", + "daysUntilExpiration": 3235, + "algorithm": "ECDSA P-256 with SHA-256", + "serialNumber": "c1:dc:48:...", + "downloadUrl": "https://ca.sami/root.crt" + } +} +``` + +### GET /api/health/ca + +Returns CA expiration health status: + +```json +{ + "status": "healthy", + "message": "CA certificate valid for 3235 days", + "daysUntilExpiration": 3235, + "expiresAt": "Dec 22 07:44:51 2034 GMT" +} +``` + +**Status values:** +- `healthy`: >90 days remaining +- `warning`: 30-90 days +- `critical`: <30 days or expired +- `error`: Certificate not found or error reading + +## Troubleshooting + +### Certificate Not Found Error + +**Symptom:** Scripts fail with "certificate not found" +**Cause:** Caddy hasn't generated the local CA yet +**Solution:** Visit any *.sami domain to trigger CA generation + +### Fingerprint Mismatch + +**Symptom:** Install scripts reject certificate with fingerprint mismatch +**Cause:** CA was renewed but scripts not updated +**Solution:** Run `generate-all.sh` and update fingerprints in install scripts + +### iOS Profile Won't Install + +**Symptom:** .mobileconfig shows error when installing +**Cause:** Invalid XML or missing UUIDs +**Solution:** Regenerate with `node generate-mobileconfig.js` + +### Android Shows "Not Trusted" + +**Symptom:** Certificate installs but sites still show warnings +**Cause:** Android installs as "user" certificate; some apps don't trust user CAs +**Solution:** This is by design. System CA installation requires root access. + +### Landing Page Shows "Loading..." + +**Symptom:** Certificate info stuck on loading state +**Cause:** API endpoint not accessible +**Solution:** Check that dashcaddy-api server is running and `/api/ca/info` responds + +## Testing Checklist + +Before deploying to production: + +- [ ] All certificate formats generated successfully +- [ ] Landing page loads correctly in browser +- [ ] OS detection works (test multiple user agents) +- [ ] QR code renders and scans correctly +- [ ] Download links work for all file types +- [ ] API endpoint returns valid certificate info +- [ ] Copy-to-clipboard buttons work +- [ ] Platform instruction tabs function correctly +- [ ] Responsive design works on mobile viewport +- [ ] HTTPS access works after deployment + +## Security Notes + +- **Private Key:** NEVER serve the CA private key (`root.key`). Only public certificates are safe to distribute. +- **Fingerprint Verification:** Install scripts verify fingerprint to prevent MITM attacks +- **Access Control:** ca.sami should only be accessible on your Tailnet/internal network +- **HTTPS Enforcement:** The page itself uses HTTPS (via Caddy's internal CA) to protect the distribution +- **No Auto-Execution:** All installation methods require explicit user action + +## Contributing + +When adding features to DashCA: + +1. Test on multiple platforms before committing +2. Update this README with new features +3. Add relevant sections to troubleshooting guide +4. Update CLAUDE.md if deployment process changes +5. Ensure backward compatibility with existing certificates + +## Resources + +- **Caddy PKI Documentation:** https://caddyserver.com/docs/caddyfile/directives/tls#pki +- **mobileconfig Format:** https://developer.apple.com/documentation/devicemanagement +- **OpenSSL Certificate Commands:** https://www.openssl.org/docs/man1.1.1/man1/x509.html +- **QR Code Library:** https://github.com/davidshimjs/qrcodejs + +--- + +**Part of the DashCaddy project** - Unified management for Docker + Caddy + DNS diff --git a/ca/cert-info.json b/ca/cert-info.json new file mode 100644 index 0000000..80e6f12 --- /dev/null +++ b/ca/cert-info.json @@ -0,0 +1,11 @@ +{ + "name": "Sami Home Network Root CA", + "fingerprint": "08:98:A5:63:F5:A1:A2:58:5F:02:D7:A8:A2:54:87:E6:BC:33:96:9F:9B:5D:B0:53:62:20:7F:AF:96:21:29:0E", + "validFrom": "Feb 12 07:44:51 2025 GMT", + "validUntil": "Dec 22 07:44:51 2034 GMT", + "daysUntilExpiration": 3235, + "algorithm": "ECDSA P-256 with SHA-256", + "issuer": "Sami Home Network Root CA", + "serialNumber": "C1DC482220B562C06853903A8956D052", + "generatedAt": "2026-02-11T10:43:32.863Z" +} \ No newline at end of file diff --git a/ca/index.html b/ca/index.html new file mode 100644 index 0000000..da70577 --- /dev/null +++ b/ca/index.html @@ -0,0 +1,1284 @@ + + + + + + DashCA - Certificate Authority + + + + + + + + +

+ + + + +

+ 📜 + Certificate Information +

Certificate Name

+ Loading... +

Algorithm

+ Loading... +

Valid Until

+ Loading... +

Days Remaining

+ Loading... +

SHA-256 Fingerprint

+ Loading... + +

+ + +

+ +

+ Detecting your operating system... +

+ +

+ + +

📱 Quick Access for Mobile

Scan with your phone's camera to visit this page

+ + +

+ 🔐 + Service Certificates +

+ SSL certificates generated for services on your network +

+ +

+ Loading... + Checking +

Fetching certificate status...

+ + +

+ 📦 + Alternative Downloads +

+ +

📄

Root Certificate (.crt)

PEM format, universal

+ + +

📄

Root Certificate (.der)

Binary format, Windows

+ + +

+ + +

+ + +

+ +

+ + +

+ 📖 + Installation Instructions +

+ +

+ + + + + +

+ + +

Run PowerShell as Administrator

Right-click the Start button and select "Windows PowerShell (Admin)" or "Terminal (Admin)"

Run the installation command

Copy and paste this command into PowerShell:

+ + +

Verify installation

Visit any *.sami domain (like https://status.sami) - you should see a secure connection with no warnings.

+ + +

Download the certificate profile

Click "Apple Profile" above to download root.mobileconfig

Install the profile

Open System Settings → Privacy & Security → Profiles. Click the downloaded profile and click "Install".

Alternative: Command line installation

Open Terminal and run:

+ + +

Open Terminal

Open your terminal application (usually Ctrl+Alt+T)

Run the installation command

Copy and paste this command (will prompt for sudo password):

+ + +

Supported distributions

The installer supports Debian/Ubuntu, RedHat/CentOS/Fedora, and Arch Linux. It will automatically detect your distribution and use the appropriate commands.

+ + +

Scan QR code or visit this page

Use your iPhone's camera to scan the QR code above, or visit https://ca.sami directly in Safari

Download the profile

Tap "Apple Profile" to download root.mobileconfig. You'll see a notification that the profile was downloaded.

Install the profile

Go to Settings (you should see a notification), tap on the downloaded profile, and tap "Install". Enter your passcode if prompted.

Trust the certificate

Go to Settings → General → About → Certificate Trust Settings. Enable full trust for "Sami Home Network Root CA".

+ + +

Download the certificate

Tap "Root Certificate (.crt)" above to download the certificate to your device

Install the certificate

Open Settings → Security → Encryption & credentials → Install a certificate → CA certificate. Select the downloaded file.

Note about user certificates

Android installs this as a "user" certificate. Some apps may not trust user certificates for security reasons. For full trust, you would need to install it as a system certificate (requires root access).

+ + + +

+ + + + diff --git a/ca/intermediate.crt b/ca/intermediate.crt new file mode 100644 index 0000000..d992ac2 --- /dev/null +++ b/ca/intermediate.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBtTCCAVugAwIBAgIRAIyx9ujLhds2Wffi6rROHOYwCgYIKoZIzj0EAwIwJDEi +MCAGA1UEAxMZU2FtaSBIb21lIE5ldHdvcmsgUm9vdCBDQTAeFw0yNjAyMTAxMTMx +MjBaFw0yNjAyMTcxMTMxMjBaMCwxKjAoBgNVBAMTIVNhbWkgSG9tZSBOZXR3b3Jr +IEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL3XMHS8 +bbGgHsGojPWIgDqHH65nxm/yvfrA/w5rXe1QNZ0oQfXdhUODuu1oTjdQiGSOxp5J +N7+r73DIIjDoO1SjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/ +AgEAMB0GA1UdDgQWBBRvN+rmvteWGd3Gj1ek/5lJWq5MXzAfBgNVHSMEGDAWgBQ1 +JUJhev790of0c/LsH+PAvsy4iTAKBggqhkjOPQQDAgNIADBFAiEAvWR3KVBGMsWp +OEyqcRAmI5kDvfE/zC8bf3IZru5pGFsCIEvil49Fg2ifB8+w5c2T0wjllpsBOUUy +HjpIXBIn9ix7 +-----END CERTIFICATE----- diff --git a/ca/root.crt b/ca/root.crt new file mode 100644 index 0000000..97a4ce4 --- /dev/null +++ b/ca/root.crt @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBjTCCATKgAwIBAgIRAMHcSCIgtWLAaFOQOolW0FIwCgYIKoZIzj0EAwIwJDEi +MCAGA1UEAxMZU2FtaSBIb21lIE5ldHdvcmsgUm9vdCBDQTAeFw0yNTAyMTIwNzQ0 +NTFaFw0zNDEyMjIwNzQ0NTFaMCQxIjAgBgNVBAMTGVNhbWkgSG9tZSBOZXR3b3Jr +IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATs8K5hvh7qC77kdFgk +wyIu6SvzEtrK416lLkQkC+E79xIwGRKsZ7T/gd+0Bk0NMUZBxLww4F2Rl/kt3eGu +49rSo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNV +HQ4EFgQUNSVCYXr+/dKH9HPy7B/jwL7MuIkwCgYIKoZIzj0EAwIDSQAwRgIhAJE5 +d02KdZA6V79f4qNfmy3tJMmnL4MA2MHhDQ5qqZyqAiEA2UisGjAXYV3GAGo1d+8C +yam9Y42t1K8Fx5q5iy+bs8w= +-----END CERTIFICATE----- diff --git a/ca/root.der b/ca/root.der new file mode 100644 index 0000000..b22c573 Binary files /dev/null and b/ca/root.der differ diff --git a/ca/root.mobileconfig b/ca/root.mobileconfig new file mode 100644 index 0000000..611fd5e --- /dev/null +++ b/ca/root.mobileconfig @@ -0,0 +1,45 @@ + + + + + PayloadContent + + + PayloadCertificateFileName + root.crt + PayloadContent + + MIIBjTCCATKgAwIBAgIRAMHcSCIgtWLAaFOQOolW0FIwCgYIKoZIzj0EAwIwJDEiMCAGA1UEAxMZU2FtaSBIb21lIE5ldHdvcmsgUm9vdCBDQTAeFw0yNTAyMTIwNzQ0NTFaFw0zNDEyMjIwNzQ0NTFaMCQxIjAgBgNVBAMTGVNhbWkgSG9tZSBOZXR3b3JrIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATs8K5hvh7qC77kdFgkwyIu6SvzEtrK416lLkQkC+E79xIwGRKsZ7T/gd+0Bk0NMUZBxLww4F2Rl/kt3eGu49rSo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUNSVCYXr+/dKH9HPy7B/jwL7MuIkwCgYIKoZIzj0EAwIDSQAwRgIhAJE5d02KdZA6V79f4qNfmy3tJMmnL4MA2MHhDQ5qqZyqAiEA2UisGjAXYV3GAGo1d+8Cyam9Y42t1K8Fx5q5iy+bs8w= + + PayloadDescription + Root CA certificate for Sami Home Network + PayloadDisplayName + Sami Home Network Root CA + PayloadIdentifier + com.sami-home.ca.root-ca + PayloadType + com.apple.security.root + PayloadUUID + 059F6B88-E62A-4219-90D5-7FABBE83540A + PayloadVersion + 1 + + + PayloadDescription + Install the Sami Home Network Root CA to trust locally-issued certificates for *.sami domains. + PayloadDisplayName + Sami Home Network Root CA + PayloadIdentifier + com.sami-home.ca + PayloadOrganization + Sami Home Network + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + AF495D1C-16AF-44A7-8C6C-173CC8E82FC3 + PayloadVersion + 1 + + diff --git a/ca/scripts/generate-all.sh b/ca/scripts/generate-all.sh new file mode 100644 index 0000000..3746d80 --- /dev/null +++ b/ca/scripts/generate-all.sh @@ -0,0 +1,50 @@ +#!/bin/bash +set -e + +# DashCA Certificate Generation Script +# This script generates all required certificate formats + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +CA_DIR="$(dirname "$SCRIPT_DIR")" +CADDY_CERT_DIR="C:/caddy/certs/pki/authorities/local" + +echo "======================================" +echo "DashCA Certificate Format Generator" +echo "======================================" +echo "" + +# Step 1: Copy certificates from Caddy +echo "[1/4] Copying certificates from Caddy PKI..." +if [ ! -f "$CADDY_CERT_DIR/root.crt" ]; then + echo "ERROR: Root certificate not found at $CADDY_CERT_DIR/root.crt" + exit 1 +fi + +cp "$CADDY_CERT_DIR/root.crt" "$CA_DIR/" +cp "$CADDY_CERT_DIR/intermediate.crt" "$CA_DIR/" 2>/dev/null || echo " (Intermediate certificate not found, skipping)" +echo " ✓ Certificates copied" + +# Step 2: Generate DER format +echo "[2/4] Generating DER format..." +openssl x509 -in "$CA_DIR/root.crt" -outform DER -out "$CA_DIR/root.der" +echo " ✓ DER format generated: root.der" + +# Step 3: Generate certificate info JSON +echo "[3/4] Extracting certificate metadata..." +node "$SCRIPT_DIR/generate-cert-info.js" + +# Step 4: Generate Apple mobileconfig +echo "[4/4] Generating Apple mobile configuration profile..." +node "$SCRIPT_DIR/generate-mobileconfig.js" + +echo "" +echo "======================================" +echo "✓ All certificate formats generated!" +echo "======================================" +echo "" +echo "Files created in: $CA_DIR" +ls -lh "$CA_DIR"/*.{crt,der,mobileconfig,json} 2>/dev/null || echo "Files created successfully" +echo "" +echo "To deploy to production:" +echo " cp -r $CA_DIR/* C:/caddy/sites/ca/" +echo "" diff --git a/ca/scripts/generate-cert-info.js b/ca/scripts/generate-cert-info.js new file mode 100644 index 0000000..d3d22c9 --- /dev/null +++ b/ca/scripts/generate-cert-info.js @@ -0,0 +1,75 @@ +const { execSync } = require('child_process'); +const fs = require('fs'); +const path = require('path'); + +const CERT_PATH = path.join(__dirname, '../root.crt'); +const OUTPUT_PATH = path.join(__dirname, '../cert-info.json'); + +function extractCertInfo() { + try { + console.log('Extracting certificate information from:', CERT_PATH); + + // Extract SHA-256 fingerprint + const fingerprint = execSync(`openssl x509 -in "${CERT_PATH}" -noout -fingerprint -sha256`) + .toString() + .trim() + .split('=')[1]; + + // Extract validity dates + const dates = execSync(`openssl x509 -in "${CERT_PATH}" -noout -dates`).toString(); + const notBefore = dates.match(/notBefore=(.*)/)[1].trim(); + const notAfter = dates.match(/notAfter=(.*)/)[1].trim(); + + // Extract subject + const subject = execSync(`openssl x509 -in "${CERT_PATH}" -noout -subject`) + .toString() + .trim() + .split('CN = ')[1] || execSync(`openssl x509 -in "${CERT_PATH}" -noout -subject`) + .toString() + .trim() + .split('CN=')[1]; + + // Extract serial number + const serialNumber = execSync(`openssl x509 -in "${CERT_PATH}" -noout -serial`) + .toString() + .trim() + .split('=')[1]; + + // Calculate days until expiration + const expirationDate = new Date(notAfter); + const today = new Date(); + const daysUntilExpiration = Math.floor((expirationDate - today) / (1000 * 60 * 60 * 24)); + + const certInfo = { + name: subject, + fingerprint: fingerprint, + validFrom: notBefore, + validUntil: notAfter, + daysUntilExpiration: daysUntilExpiration, + algorithm: 'ECDSA P-256 with SHA-256', + issuer: subject, // Self-signed root CA + serialNumber: serialNumber, + generatedAt: new Date().toISOString() + }; + + fs.writeFileSync(OUTPUT_PATH, JSON.stringify(certInfo, null, 2)); + console.log('✓ Certificate information extracted successfully!'); + console.log(' Output:', OUTPUT_PATH); + console.log(' Name:', certInfo.name); + console.log(' Fingerprint:', certInfo.fingerprint); + console.log(' Valid until:', certInfo.validUntil); + console.log(' Days until expiration:', certInfo.daysUntilExpiration); + + return certInfo; + } catch (error) { + console.error('Error extracting certificate information:', error.message); + process.exit(1); + } +} + +// Run if called directly +if (require.main === module) { + extractCertInfo(); +} + +module.exports = { extractCertInfo }; diff --git a/ca/scripts/generate-mobileconfig.js b/ca/scripts/generate-mobileconfig.js new file mode 100644 index 0000000..77fe85e --- /dev/null +++ b/ca/scripts/generate-mobileconfig.js @@ -0,0 +1,105 @@ +const fs = require('fs'); +const crypto = require('crypto'); +const path = require('path'); + +const CERT_PATH = path.join(__dirname, '../root.crt'); +const OUTPUT_PATH = path.join(__dirname, '../root.mobileconfig'); + +function generateUUID() { + return crypto.randomUUID().toUpperCase(); +} + +function generateMobileConfig() { + try { + console.log('Generating Apple mobile configuration profile...'); + console.log('Reading certificate from:', CERT_PATH); + + // Read certificate + const certPem = fs.readFileSync(CERT_PATH, 'utf8'); + + // Extract base64 content (remove PEM headers and newlines) + const certBase64 = certPem + .replace('-----BEGIN CERTIFICATE-----', '') + .replace('-----END CERTIFICATE-----', '') + .replace(/\s/g, ''); + + // Generate UUIDs for profile and payload + const profileUUID = generateUUID(); + const payloadUUID = generateUUID(); + + const mobileconfig = ` + + + + PayloadContent + + + PayloadCertificateFileName + root.crt + PayloadContent + + ${certBase64} + + PayloadDescription + Root CA certificate for Sami Home Network + PayloadDisplayName + Sami Home Network Root CA + PayloadIdentifier + com.sami-home.ca.root-ca + PayloadType + com.apple.security.root + PayloadUUID + ${payloadUUID} + PayloadVersion + 1 + + + PayloadDescription + Install the Sami Home Network Root CA to trust locally-issued certificates for *.sami domains. + PayloadDisplayName + Sami Home Network Root CA + PayloadIdentifier + com.sami-home.ca + PayloadOrganization + Sami Home Network + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + ${profileUUID} + PayloadVersion + 1 + + +`; + + fs.writeFileSync(OUTPUT_PATH, mobileconfig); + console.log('✓ Mobile configuration profile generated successfully!'); + console.log(' Output:', OUTPUT_PATH); + console.log(' Profile UUID:', profileUUID); + console.log(' Payload UUID:', payloadUUID); + console.log('\nTo install on iOS:'); + console.log(' 1. Download root.mobileconfig to your device'); + console.log(' 2. Open Settings app (it should prompt automatically)'); + console.log(' 3. Tap "Install Profile" and follow the prompts'); + console.log(' 4. Go to Settings > General > About > Certificate Trust Settings'); + console.log(' 5. Enable full trust for "Sami Home Network Root CA"'); + console.log('\nTo install on macOS:'); + console.log(' 1. Download root.mobileconfig'); + console.log(' 2. Open System Settings > Privacy & Security > Profiles'); + console.log(' 3. Click the profile and click Install'); + + return { profileUUID, payloadUUID }; + } catch (error) { + console.error('Error generating mobile configuration profile:', error.message); + process.exit(1); + } +} + +// Run if called directly +if (require.main === module) { + generateMobileConfig(); +} + +module.exports = { generateMobileConfig }; diff --git a/ca/scripts/install.ps1 b/ca/scripts/install.ps1 new file mode 100644 index 0000000..cc28a37 --- /dev/null +++ b/ca/scripts/install.ps1 @@ -0,0 +1,132 @@ +#Requires -RunAsAdministrator + +<# +.SYNOPSIS + Installs the Sami Home Network Root CA certificate to the Trusted Root Certification Authorities store. + +.DESCRIPTION + This script downloads the root CA certificate from ca.sami, verifies its fingerprint, + and installs it to the local machine's trusted root store. This allows all *.sami domains + to be trusted system-wide without browser warnings. + +.NOTES + Requires Administrator privileges. + For use with DashCA - https://ca.sami +#> + +$ErrorActionPreference = "Stop" + +# Configuration +$CertUrl = "https://ca.sami/root.crt" +$ExpectedFingerprint = "0898A563F5A1A2585F02D7A8A25487E6BC33969F9B5DB053622 07FAF9621290E" +$TempFile = "$env:TEMP\sami-root-ca.crt" + +# Colors +$Red = [System.ConsoleColor]::Red +$Green = [System.ConsoleColor]::Green +$Cyan = [System.ConsoleColor]::Cyan +$Yellow = [System.ConsoleColor]::Yellow + +Write-Host "" +Write-Host "========================================" -ForegroundColor $Cyan +Write-Host " DashCA Installer" -ForegroundColor $Cyan +Write-Host " Sami Home Network Root CA" -ForegroundColor $Cyan +Write-Host "========================================" -ForegroundColor $Cyan +Write-Host "" + +# Step 1: Download certificate +Write-Host "[1/4] Downloading certificate from $CertUrl..." -ForegroundColor $Cyan +try { + $ProgressPreference = 'SilentlyContinue' # Disable progress bar for faster download + Invoke-WebRequest -Uri $CertUrl -OutFile $TempFile -UseBasicParsing -ErrorAction Stop + Write-Host " ✓ Certificate downloaded" -ForegroundColor $Green +} catch { + Write-Host " ✗ Failed to download certificate" -ForegroundColor $Red + Write-Host " Error: $_" -ForegroundColor $Red + Write-Host "" + Write-Host "Troubleshooting:" -ForegroundColor $Yellow + Write-Host " - Ensure you are on the Tailnet/network where ca.sami is accessible" -ForegroundColor $Yellow + Write-Host " - Try accessing https://ca.sami in your browser first" -ForegroundColor $Yellow + exit 1 +} + +# Step 2: Verify fingerprint +Write-Host "[2/4] Verifying certificate fingerprint..." -ForegroundColor $Cyan +try { + $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($TempFile) + $Fingerprint = $Cert.Thumbprint + + $NormalizedExpected = $ExpectedFingerprint -replace '[:\s]', '' + $NormalizedActual = $Fingerprint -replace '[:\s]', '' + + if ($NormalizedActual -ne $NormalizedExpected) { + Write-Host " ✗ Fingerprint mismatch!" -ForegroundColor $Red + Write-Host " Expected: $ExpectedFingerprint" -ForegroundColor $Yellow + Write-Host " Got: $Fingerprint" -ForegroundColor $Red + Remove-Item $TempFile -Force + Write-Host "" + Write-Host "SECURITY WARNING: The downloaded certificate does not match the expected fingerprint." -ForegroundColor $Red + Write-Host "This could indicate a man-in-the-middle attack or certificate renewal." -ForegroundColor $Red + Write-Host "Please verify with your network administrator before proceeding." -ForegroundColor $Red + exit 1 + } + + Write-Host " ✓ Fingerprint verified: $Fingerprint" -ForegroundColor $Green +} catch { + Write-Host " ✗ Failed to verify fingerprint" -ForegroundColor $Red + Write-Host " Error: $_" -ForegroundColor $Red + Remove-Item $TempFile -Force -ErrorAction SilentlyContinue + exit 1 +} + +# Step 3: Check if already installed +Write-Host "[3/4] Checking for existing certificate..." -ForegroundColor $Cyan +$ExistingCert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Fingerprint } +if ($ExistingCert) { + Write-Host " ℹ Certificate already installed" -ForegroundColor $Yellow + Write-Host " Subject: $($ExistingCert.Subject)" -ForegroundColor $Yellow + Write-Host " Not After: $($ExistingCert.NotAfter)" -ForegroundColor $Yellow + Remove-Item $TempFile -Force + Write-Host "" + Write-Host "The Sami Home Network Root CA is already trusted on this system." -ForegroundColor $Green + Write-Host "No further action needed!" -ForegroundColor $Green + Write-Host "" + exit 0 +} +Write-Host " ✓ Certificate not yet installed, proceeding..." -ForegroundColor $Green + +# Step 4: Install certificate +Write-Host "[4/4] Installing certificate to Trusted Root store..." -ForegroundColor $Cyan +try { + $ImportedCert = Import-Certificate -FilePath $TempFile -CertStoreLocation Cert:\LocalMachine\Root -ErrorAction Stop + Write-Host " ✓ Certificate installed successfully" -ForegroundColor $Green + Write-Host " Subject: $($ImportedCert.Subject)" -ForegroundColor $Green + Write-Host " Thumbprint: $($ImportedCert.Thumbprint)" -ForegroundColor $Green +} catch { + Write-Host " ✗ Failed to install certificate" -ForegroundColor $Red + Write-Host " Error: $_" -ForegroundColor $Red + Remove-Item $TempFile -Force -ErrorAction SilentlyContinue + Write-Host "" + Write-Host "Installation failed. Please ensure you are running as Administrator." -ForegroundColor $Red + exit 1 +} + +# Cleanup +Remove-Item $TempFile -Force -ErrorAction SilentlyContinue + +Write-Host "" +Write-Host "========================================" -ForegroundColor $Green +Write-Host " SUCCESS!" -ForegroundColor $Green +Write-Host "========================================" -ForegroundColor $Green +Write-Host "" +Write-Host "The Sami Home Network Root CA has been installed to your Trusted Root store." -ForegroundColor $Green +Write-Host "" +Write-Host "What's next:" -ForegroundColor $Cyan +Write-Host " ✓ All *.sami domains will now be trusted system-wide" -ForegroundColor $Green +Write-Host " ✓ Browsers (Edge, Chrome, Firefox) will no longer show security warnings" -ForegroundColor $Green +Write-Host " ✓ Applications will trust HTTPS connections to your local services" -ForegroundColor $Green +Write-Host "" +Write-Host "Test it out:" -ForegroundColor $Cyan +Write-Host " Visit https://status.sami or any other *.sami service" -ForegroundColor $Yellow +Write-Host " The connection should show as secure with no warnings" -ForegroundColor $Yellow +Write-Host "" diff --git a/ca/scripts/install.sh b/ca/scripts/install.sh new file mode 100644 index 0000000..0fcb365 --- /dev/null +++ b/ca/scripts/install.sh @@ -0,0 +1,220 @@ +#!/bin/bash +# +# DashCA Installer - Sami Home Network Root CA +# Installs the root CA certificate system-wide on Linux and macOS +# +# Usage: curl -fsSL https://ca.sami/install.sh | sudo bash +# +set -e + +# Configuration +CERT_URL="https://ca.sami/root.crt" +EXPECTED_FP="08:98:A5:63:F5:A1:A2:58:5F:02:D7:A8:A2:54:87:E6:BC:33:96:9F:9B:5D:B0:53:62:20:7F:AF:96:21:29:0E" +CERT_NAME="Sami_Home_Network_Root_CA" + +# Colors +RED='\033[0;31m' +GREEN='\033[0;32m' +CYAN='\033[0;36m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color + +echo "" +echo -e "${CYAN}========================================${NC}" +echo -e "${CYAN} DashCA Installer${NC}" +echo -e "${CYAN} Sami Home Network Root CA${NC}" +echo -e "${CYAN}========================================${NC}" +echo "" + +# Check for root/sudo +if [[ $EUID -ne 0 ]]; then + echo -e "${RED}✗ This script requires root privileges${NC}" + echo "" + echo "Please run with sudo:" + echo -e " ${YELLOW}curl -fsSL https://ca.sami/install.sh | sudo bash${NC}" + echo "" + echo "Or download first, then run:" + echo -e " ${YELLOW}curl -o install.sh https://ca.sami/install.sh${NC}" + echo -e " ${YELLOW}sudo bash install.sh${NC}" + echo "" + exit 1 +fi + +# Detect OS +echo -e "${CYAN}[1/6] Detecting operating system...${NC}" +if [[ "$OSTYPE" == "darwin"* ]]; then + OS="macos" + OS_NAME="macOS" +elif [[ -f /etc/os-release ]]; then + . /etc/os-release + if [[ "$ID" == "debian" ]] || [[ "$ID" == "ubuntu" ]] || [[ "$ID_LIKE" == *"debian"* ]]; then + OS="debian" + OS_NAME="Debian/Ubuntu" + elif [[ "$ID" == "fedora" ]] || [[ "$ID" == "rhel" ]] || [[ "$ID" == "centos" ]] || [[ "$ID_LIKE" == *"fedora"* ]] || [[ "$ID_LIKE" == *"rhel"* ]]; then + OS="redhat" + OS_NAME="RedHat/CentOS/Fedora" + elif [[ "$ID" == "arch" ]] || [[ "$ID_LIKE" == *"arch"* ]]; then + OS="arch" + OS_NAME="Arch Linux" + else + OS="unknown" + OS_NAME="Unknown Linux" + fi +elif [[ -f /etc/redhat-release ]]; then + OS="redhat" + OS_NAME="RedHat/CentOS" +elif [[ -f /etc/arch-release ]]; then + OS="arch" + OS_NAME="Arch Linux" +else + OS="unknown" + OS_NAME="Unknown" +fi + +if [[ "$OS" == "unknown" ]]; then + echo -e "${RED} ✗ Unsupported operating system${NC}" + echo "" + echo "This script supports:" + echo " - Debian/Ubuntu" + echo " - RedHat/CentOS/Fedora" + echo " - Arch Linux" + echo " - macOS" + echo "" + echo "For manual installation, download the certificate:" + echo -e " ${YELLOW}curl -O $CERT_URL${NC}" + echo "" + exit 1 +fi + +echo -e "${GREEN} ✓ Detected: $OS_NAME${NC}" + +# Download certificate +echo -e "${CYAN}[2/6] Downloading certificate from $CERT_URL...${NC}" +TEMP_CERT=$(mktemp) +if ! curl -fsSL "$CERT_URL" -o "$TEMP_CERT"; then + echo -e "${RED} ✗ Failed to download certificate${NC}" + echo "" + echo -e "${YELLOW}Troubleshooting:${NC}" + echo " - Ensure you are on the Tailnet/network where ca.sami is accessible" + echo " - Try accessing https://ca.sami in your browser first" + echo " - Check your network connection" + rm -f "$TEMP_CERT" + exit 1 +fi +echo -e "${GREEN} ✓ Certificate downloaded${NC}" + +# Verify fingerprint +echo -e "${CYAN}[3/6] Verifying certificate fingerprint...${NC}" +if ! command -v openssl &> /dev/null; then + echo -e "${RED} ✗ OpenSSL not found${NC}" + echo "Please install OpenSSL to verify certificate fingerprint" + rm -f "$TEMP_CERT" + exit 1 +fi + +ACTUAL_FP=$(openssl x509 -in "$TEMP_CERT" -noout -fingerprint -sha256 | cut -d= -f2) + +if [[ "$ACTUAL_FP" != "$EXPECTED_FP" ]]; then + echo -e "${RED} ✗ Fingerprint mismatch!${NC}" + echo -e "${YELLOW} Expected: $EXPECTED_FP${NC}" + echo -e "${RED} Got: $ACTUAL_FP${NC}" + rm -f "$TEMP_CERT" + echo "" + echo -e "${RED}SECURITY WARNING: The downloaded certificate does not match the expected fingerprint.${NC}" + echo -e "${RED}This could indicate a man-in-the-middle attack or certificate renewal.${NC}" + echo -e "${RED}Please verify with your network administrator before proceeding.${NC}" + echo "" + exit 1 +fi + +echo -e "${GREEN} ✓ Fingerprint verified${NC}" + +# Extract certificate details +echo -e "${CYAN}[4/6] Extracting certificate information...${NC}" +CERT_SUBJECT=$(openssl x509 -in "$TEMP_CERT" -noout -subject | sed 's/subject=//') +CERT_NOT_AFTER=$(openssl x509 -in "$TEMP_CERT" -noout -enddate | sed 's/notAfter=//') +echo -e "${GREEN} ✓ Subject: $CERT_SUBJECT${NC}" +echo -e "${GREEN} ✓ Valid until: $CERT_NOT_AFTER${NC}" + +# Check if already installed +echo -e "${CYAN}[5/6] Checking for existing installation...${NC}" +ALREADY_INSTALLED=false + +case "$OS" in + debian) + if [[ -f "/usr/local/share/ca-certificates/${CERT_NAME}.crt" ]]; then + ALREADY_INSTALLED=true + fi + ;; + redhat) + if [[ -f "/etc/pki/ca-trust/source/anchors/${CERT_NAME}.crt" ]]; then + ALREADY_INSTALLED=true + fi + ;; + arch) + if [[ -f "/etc/ca-certificates/trust-source/anchors/${CERT_NAME}.crt" ]]; then + ALREADY_INSTALLED=true + fi + ;; + macos) + if security find-certificate -a -c "$CERT_SUBJECT" /Library/Keychains/System.keychain &>/dev/null; then + ALREADY_INSTALLED=true + fi + ;; +esac + +if [[ "$ALREADY_INSTALLED" == "true" ]]; then + echo -e "${YELLOW} ℹ Certificate already installed${NC}" + rm -f "$TEMP_CERT" + echo "" + echo -e "${GREEN}The Sami Home Network Root CA is already trusted on this system.${NC}" + echo -e "${GREEN}No further action needed!${NC}" + echo "" + exit 0 +fi + +echo -e "${GREEN} ✓ Certificate not yet installed, proceeding...${NC}" + +# Install based on OS +echo -e "${CYAN}[6/6] Installing certificate...${NC}" +case "$OS" in + debian) + cp "$TEMP_CERT" "/usr/local/share/ca-certificates/${CERT_NAME}.crt" + update-ca-certificates + echo -e "${GREEN} ✓ Certificate installed via update-ca-certificates${NC}" + ;; + redhat) + cp "$TEMP_CERT" "/etc/pki/ca-trust/source/anchors/${CERT_NAME}.crt" + update-ca-trust + echo -e "${GREEN} ✓ Certificate installed via update-ca-trust${NC}" + ;; + arch) + cp "$TEMP_CERT" "/etc/ca-certificates/trust-source/anchors/${CERT_NAME}.crt" + trust extract-compat + echo -e "${GREEN} ✓ Certificate installed via trust extract-compat${NC}" + ;; + macos) + security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$TEMP_CERT" + echo -e "${GREEN} ✓ Certificate installed to System Keychain${NC}" + ;; +esac + +# Cleanup +rm -f "$TEMP_CERT" + +echo "" +echo -e "${GREEN}========================================${NC}" +echo -e "${GREEN} SUCCESS!${NC}" +echo -e "${GREEN}========================================${NC}" +echo "" +echo -e "${GREEN}The Sami Home Network Root CA has been installed system-wide.${NC}" +echo "" +echo -e "${CYAN}What's next:${NC}" +echo -e " ${GREEN}✓${NC} All *.sami domains will now be trusted" +echo -e " ${GREEN}✓${NC} Browsers will no longer show security warnings" +echo -e " ${GREEN}✓${NC} Applications will trust HTTPS connections to your local services" +echo "" +echo -e "${CYAN}Test it out:${NC}" +echo -e " ${YELLOW}Visit https://status.sami or any other *.sami service${NC}" +echo -e " ${YELLOW}The connection should show as secure with no warnings${NC}" +echo "" diff --git a/dashcaddy-api/.dockerignore b/dashcaddy-api/.dockerignore new file mode 100644 index 0000000..3a4e192 --- /dev/null +++ b/dashcaddy-api/.dockerignore @@ -0,0 +1,10 @@ +node_modules/ +__tests__/ +jest.config.js +.env +.encryption-key +.gitignore +.dockerignore +*.log +*.md +docker-compose.yml diff --git a/dashcaddy-api/.license-counter b/dashcaddy-api/.license-counter new file mode 100644 index 0000000..56a6051 --- /dev/null +++ b/dashcaddy-api/.license-counter @@ -0,0 +1 @@ +1 \ No newline at end of file diff --git a/dashcaddy-api/.license-secret b/dashcaddy-api/.license-secret new file mode 100644 index 0000000..7627bf7 --- /dev/null +++ b/dashcaddy-api/.license-secret @@ -0,0 +1 @@ +1d87da6ce9285898051ed2b120628d730d13ec4accad95908b7fc2c0ab33db48 \ No newline at end of file diff --git a/dashcaddy-api/BUFFER_AUDIT.md b/dashcaddy-api/BUFFER_AUDIT.md new file mode 100644 index 0000000..e69de29 diff --git a/dashcaddy-api/BUFFER_SECURITY.md b/dashcaddy-api/BUFFER_SECURITY.md new file mode 100644 index 0000000..e69de29 diff --git a/dashcaddy-api/DOMAIN_STRATEGY.md b/dashcaddy-api/DOMAIN_STRATEGY.md new file mode 100644 index 0000000..e69de29 diff --git a/dashcaddy-api/Dockerfile b/dashcaddy-api/Dockerfile new file mode 100644 index 0000000..ec6b9ea --- /dev/null +++ b/dashcaddy-api/Dockerfile @@ -0,0 +1,25 @@ +FROM node:20-alpine + +WORKDIR /app + +# Install OpenSSL for certificate generation +RUN apk add --no-cache openssl + +COPY package*.json ./ +RUN npm install --production + +COPY *.js ./ +COPY routes/ ./routes/ +COPY openapi.yaml ./ + +# Note: Running as root because container needs Docker socket access +# (which is root-equivalent anyway). Socket access required for container management. + +EXPOSE 3001 + +STOPSIGNAL SIGTERM + +HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \ + CMD node -e "require('http').get('http://localhost:3001/health', (r) => { process.exit(r.statusCode === 200 ? 0 : 1); }).on('error', () => process.exit(1))" + +CMD ["node", "server.js"] diff --git a/dashcaddy-api/__tests__/api-endpoints.test.js b/dashcaddy-api/__tests__/api-endpoints.test.js new file mode 100644 index 0000000..4a5598f --- /dev/null +++ b/dashcaddy-api/__tests__/api-endpoints.test.js @@ -0,0 +1,423 @@ +/** + * API Endpoint Tests + * + * Comprehensive tests for critical DashCaddy API endpoints + * Tests the migrated StateManager integration and core functionality + */ + +const request = require('supertest'); +const fs = require('fs'); +const path = require('path'); +const os = require('os'); + +// Create a test instance of the app +// Note: We need to mock the service file to avoid affecting production +const testServicesFile = path.join(os.tmpdir(), `test-services-${Date.now()}.json`); +const testConfigFile = path.join(os.tmpdir(), `test-config-${Date.now()}.json`); + +// Set test environment +process.env.SERVICES_FILE = testServicesFile; +process.env.CONFIG_FILE = testConfigFile; +process.env.CADDYFILE_PATH = path.join(os.tmpdir(), 'test-Caddyfile'); +process.env.CADDY_ADMIN_URL = 'http://localhost:2019'; +process.env.ENABLE_HEALTH_CHECKER = 'false'; // Disable to avoid background processes +process.env.NODE_ENV = 'test'; + +// Initialize test files +fs.writeFileSync(testServicesFile, '[]', 'utf8'); +fs.writeFileSync(testConfigFile, '{}', 'utf8'); +fs.writeFileSync(process.env.CADDYFILE_PATH, '# Test Caddyfile', 'utf8'); + +// Now require the app (after env setup) +const app = require('../server'); + +describe('API Endpoints', () => { + + // Clean up before each test + beforeEach(() => { + fs.writeFileSync(testServicesFile, '[]', 'utf8'); + }); + + // Clean up after all tests + afterAll(() => { + try { + fs.unlinkSync(testServicesFile); + fs.unlinkSync(testConfigFile); + fs.unlinkSync(process.env.CADDYFILE_PATH); + } catch (e) { + // Ignore cleanup errors + } + }); + + describe('GET /api/health', () => { + test('should return healthy status', async () => { + const res = await request(app).get('/api/health'); + + expect(res.statusCode).toBe(200); + expect(res.body).toHaveProperty('status', 'ok'); + expect(res.body).toHaveProperty('timestamp'); + }); + }); + + describe('GET /api/services', () => { + test('should return empty array initially', async () => { + const res = await request(app).get('/api/services'); + + expect(res.statusCode).toBe(200); + expect(Array.isArray(res.body)).toBe(true); + expect(res.body.length).toBe(0); + }); + + test('should return services after adding', async () => { + // Add a service first + await request(app) + .post('/api/services') + .send({ + id: 'test-service', + name: 'Test Service', + logo: '/assets/test.png', + ip: 'localhost', + tailscaleOnly: false + }); + + // Now get services + const res = await request(app).get('/api/services'); + + expect(res.statusCode).toBe(200); + expect(res.body.length).toBe(1); + expect(res.body[0]).toMatchObject({ + id: 'test-service', + name: 'Test Service' + }); + }); + + test('should use StateManager (thread-safe)', async () => { + // This test verifies StateManager is being used + // by checking that the file is read correctly + + // Manually write to file + const testData = [{ id: 'manual', name: 'Manual Service' }]; + fs.writeFileSync(testServicesFile, JSON.stringify(testData, null, 2)); + + const res = await request(app).get('/api/services'); + + expect(res.statusCode).toBe(200); + expect(res.body).toEqual(testData); + }); + }); + + describe('POST /api/services', () => { + test('should add a new service', async () => { + const newService = { + id: 'plex', + name: 'Plex', + logo: '/assets/plex.png', + ip: 'localhost', + tailscaleOnly: false + }; + + const res = await request(app) + .post('/api/services') + .send(newService); + + expect(res.statusCode).toBe(200); + expect(res.body).toHaveProperty('success', true); + + // Verify service was added + const services = JSON.parse(fs.readFileSync(testServicesFile, 'utf8')); + expect(services.length).toBe(1); + expect(services[0].id).toBe(newService.id); + expect(services[0].name).toBe(newService.name); + expect(services[0].logo).toBe(newService.logo); + }); + + test('should reject duplicate service IDs', async () => { + const service = { + id: 'duplicate', + name: 'Duplicate Service' + }; + + // Add first time + await request(app).post('/api/services').send(service); + + // Try to add again + const res = await request(app).post('/api/services').send(service); + + expect(res.statusCode).toBe(409); // Conflict is the correct status code + expect(res.body).toHaveProperty('success', false); + expect(res.body.error).toContain('already exists'); + }); + + test('should validate required fields', async () => { + const res = await request(app) + .post('/api/services') + .send({ + // Missing 'id' and 'name' + logo: '/assets/test.png' + }); + + expect(res.statusCode).toBe(400); + expect(res.body).toHaveProperty('success', false); + }); + + test('should sanitize user input (XSS protection)', async () => { + const maliciousService = { + id: 'test', + name: '

', + logo: '/assets/test.png' + }; + + const res = await request(app) + .post('/api/services') + .send(maliciousService); + + // Input should be sanitized or rejected + const services = JSON.parse(fs.readFileSync(testServicesFile, 'utf8')); + + // If the service was added, script tags should be removed or escaped + if (services.length > 0) { + expect(services[0].id).not.toContain(' + + +`); +}); + +app.get('/api/docs/spec', asyncHandler(async (req, res) => { + const specPath = path.join(__dirname, 'openapi.yaml'); + if (await exists(specPath)) { + const yaml = await fsp.readFile(specPath, 'utf8'); + res.type('text/yaml').send(yaml); + } else { + errorResponse(res, 404, 'OpenAPI spec not found'); + } +}, 'api-docs-spec')); + +// Global error handler for typed errors +app.use((err, req, res, next) => { + if (err instanceof AppError) { + return res.status(err.statusCode).json({ + success: false, + error: err.message, + code: err.code, + ...(err.details ? { details: err.details } : {}) + }); + } + if (err instanceof ValidationError) { + return res.status(err.statusCode || 400).json({ + success: false, + error: err.message, + errors: err.errors || undefined + }); + } + next(err); +}); + +// Export app for testing +module.exports = app; + +if (require.main === module) { +// Validate configuration and wait for async config loads before starting server +(async () => { +await Promise.all([_configsReady, _notificationsReady]); +await licenseManager.load(); +await validateStartupConfig({ log, CADDYFILE_PATH, SERVICES_FILE, CONFIG_FILE, CADDY_ADMIN_URL, PORT }); + +const server = app.listen(PORT, '0.0.0.0', () => { + log.info('server', 'DashCaddy API server started', { port: PORT, caddyfile: CADDYFILE_PATH, caddyAdmin: CADDY_ADMIN_URL, services: SERVICES_FILE }); + if (BROWSE_ROOTS.length > 0) { + log.info('server', 'Media browse roots configured', { roots: BROWSE_ROOTS.map(r => r.hostPath) }); + } + + // Start new feature modules + log.info('server', 'Starting DashCaddy feature modules'); + + // Clean up stale port locks + (async () => { + try { + await portLockManager.cleanupStaleLocks(); + log.info('server', 'Port lock cleanup completed'); + } catch (error) { + log.error('server', 'Port lock cleanup failed', { error: error.message }); + } + })(); + + try { + resourceMonitor.start(); + log.info('server', 'Resource monitoring started'); + } catch (error) { + log.error('server', 'Resource monitoring failed to start', { error: error.message }); + } + + try { + backupManager.start(); + log.info('server', 'Backup manager started'); + } catch (error) { + log.error('server', 'Backup manager failed to start', { error: error.message }); + } + + (async () => { + try { + // Auto-configure health checker from services.json + await syncHealthCheckerServices({ log, SERVICES_FILE, servicesStateManager, healthChecker, buildDomain, APP }); + healthChecker.start(); + log.info('server', 'Health checker started'); + } catch (error) { + log.error('server', 'Health checker failed to start', { error: error.message }); + } + })(); + + try { + updateManager.start(); + log.info('server', 'Update manager started'); + } catch (error) { + log.error('server', 'Update manager failed to start', { error: error.message }); + } + + // Tailscale API sync (if OAuth configured) + if (tailscaleConfig.oauthConfigured) { + startTailscaleSyncTimer(); + // Run initial sync + syncFromTailscaleAPI().catch(e => log.warn('tailscale', 'Initial API sync failed', { error: e.message })); + } + + log.info('server', 'All feature modules initialized'); +}); + +// Graceful shutdown — drain connections before exiting +function shutdown(signal) { + log.info('shutdown', `${signal} received, draining connections...`); + resourceMonitor.stop(); + backupManager.stop(); + healthChecker.stop(); + updateManager.stop(); + stopTailscaleSyncTimer(); + server.close(() => { + log.info('shutdown', 'HTTP server closed'); + process.exit(0); + }); + // Force exit after 5s if connections don't drain + setTimeout(() => process.exit(0), 5000).unref(); +} +process.on('SIGTERM', () => shutdown('SIGTERM')); +process.on('SIGINT', () => shutdown('SIGINT')); +})(); // end async startup +} // end if (require.main === module) + +// #2: Catch unhandled errors so the process doesn't crash silently +process.on('unhandledRejection', (reason) => { + logError('unhandledRejection', reason instanceof Error ? reason : new Error(String(reason))); +}); +process.on('uncaughtException', (error) => { + logError('uncaughtException', error); + // Give the error log time to flush, then exit + setTimeout(() => process.exit(1), 1000).unref(); +}); diff --git a/dashcaddy-api/startup-validator.js b/dashcaddy-api/startup-validator.js new file mode 100644 index 0000000..abb7555 --- /dev/null +++ b/dashcaddy-api/startup-validator.js @@ -0,0 +1,209 @@ +/** + * Startup Validation Module + * Extracts startup configuration validation and health checker sync from server.js + * (Phase 3 refactoring) + */ + +const fs = require('fs'); +const fsp = require('fs').promises; +const path = require('path'); +const http = require('http'); +const https = require('https'); +const { exists, isAccessible } = require('./fs-helpers'); + +/** + * Validate startup configuration and environment. + * Fail fast with clear error messages if critical issues are found. + * + * @param {Object} deps + * @param {Function} deps.log - structured logger + * @param {string} deps.CADDYFILE_PATH + * @param {string} deps.SERVICES_FILE + * @param {string} deps.CONFIG_FILE + * @param {string} deps.CADDY_ADMIN_URL + * @param {number} deps.PORT + */ +async function validateStartupConfig({ log, CADDYFILE_PATH, SERVICES_FILE, CONFIG_FILE, CADDY_ADMIN_URL, PORT }) { + const errors = []; + const warnings = []; + + log.info('startup', 'Validating startup configuration...'); + + // 1. Check if Caddyfile exists and is writable + try { + if (await exists(CADDYFILE_PATH)) { + if (!(await isAccessible(CADDYFILE_PATH, fs.constants.R_OK | fs.constants.W_OK))) { + errors.push(`Caddyfile is not readable/writable: ${CADDYFILE_PATH}`); + } else { + log.info('startup', 'Caddyfile is accessible', { path: CADDYFILE_PATH }); + } + } else { + warnings.push(`Caddyfile does not exist: ${CADDYFILE_PATH} (will be created if needed)`); + } + } catch (error) { + errors.push(`Caddyfile is not readable/writable: ${CADDYFILE_PATH}`); + } + + // 2. Check if services file exists or can be created + const servicesDir = path.dirname(SERVICES_FILE); + try { + if (await exists(SERVICES_FILE)) { + // Validate it's valid JSON + try { + const content = await fsp.readFile(SERVICES_FILE, 'utf8'); + JSON.parse(content); + log.info('startup', 'Services file is valid JSON', { path: SERVICES_FILE }); + } catch (parseError) { + errors.push(`Services file exists but contains invalid JSON: ${SERVICES_FILE}`); + } + } else { + // Check if parent directory exists and is writable + if (await exists(servicesDir)) { + if (!(await isAccessible(servicesDir, fs.constants.W_OK))) { + errors.push(`Cannot access services file or directory: ${SERVICES_FILE}`); + } else { + log.info('startup', 'Services file directory is writable', { path: servicesDir }); + } + } else { + errors.push(`Services file directory does not exist: ${servicesDir}`); + } + } + } catch (error) { + errors.push(`Cannot access services file or directory: ${SERVICES_FILE}`); + } + + // 3. Check if port is available + const net = require('net'); + const portCheckServer = net.createServer(); + try { + portCheckServer.listen(PORT, '0.0.0.0'); + portCheckServer.close(); + log.info('startup', `Port ${PORT} is available`); + } catch (error) { + errors.push(`Port ${PORT} is already in use or cannot be bound`); + } + + // 4. Check if config file is valid JSON (if exists) + try { + if (await exists(CONFIG_FILE)) { + const content = await fsp.readFile(CONFIG_FILE, 'utf8'); + JSON.parse(content); + log.info('startup', 'Config file is valid JSON', { path: CONFIG_FILE }); + } else { + log.warn('startup', 'Config file does not exist (will use defaults)', { path: CONFIG_FILE }); + } + } catch (error) { + errors.push(`Config file exists but contains invalid JSON: ${CONFIG_FILE}`); + } + + // 5. Check Caddy admin API reachability (warning only, not critical) + const checkCaddyAdmin = () => { + return new Promise((resolve) => { + const urlObj = new URL(CADDY_ADMIN_URL); + const client = urlObj.protocol === 'https:' ? https : http; + + const req = client.request({ + hostname: urlObj.hostname, + port: urlObj.port, + path: '/config/', + method: 'GET', + timeout: 2000 + }, (res) => { + resolve(res.statusCode >= 200 && res.statusCode < 500); + }); + + req.on('error', () => resolve(false)); + req.on('timeout', () => { + req.destroy(); + resolve(false); + }); + req.end(); + }); + }; + + // Run async Caddy check (don't block startup) + checkCaddyAdmin().then(isReachable => { + if (isReachable) { + log.info('startup', 'Caddy admin API is reachable', { url: CADDY_ADMIN_URL }); + } else { + log.warn('startup', 'Caddy admin API is not reachable (may start later)', { url: CADDY_ADMIN_URL }); + } + }); + + // Print warnings + if (warnings.length > 0) { + warnings.forEach(warning => log.warn('startup', warning)); + } + + // Fail fast if there are critical errors + if (errors.length > 0) { + errors.forEach(err => log.error('startup', err)); + log.error('startup', 'Cannot start server — fix the above errors and try again'); + process.exit(1); + } + + log.info('startup', 'Startup configuration validation passed'); +} + +/** + * Auto-configure health checker from services.json + top-card services. + * + * @param {Object} deps + * @param {Function} deps.log - structured logger + * @param {string} deps.SERVICES_FILE + * @param {Object} deps.servicesStateManager - StateManager instance + * @param {Object} deps.healthChecker - health checker module + * @param {Function} deps.buildDomain - builds domain from subdomain + * @param {Object} deps.APP - app constants (USER_AGENTS) + */ +async function syncHealthCheckerServices({ log, SERVICES_FILE, servicesStateManager, healthChecker, buildDomain, APP }) { + try { + const topCardServices = [ + { id: 'dns1', name: 'DNS1' }, + { id: 'dns2', name: 'DNS2' }, + { id: 'internet', name: 'Internet' }, + ]; + + let appServices = []; + if (await exists(SERVICES_FILE)) { + const data = await servicesStateManager.read(); + appServices = Array.isArray(data) ? data : data.services || []; + } + + const allServices = [...topCardServices, ...appServices]; + const configuredIds = new Set(Object.keys(healthChecker.config.services || {})); + let added = 0; + + for (const svc of allServices) { + const id = svc.id || svc.name?.toLowerCase(); + if (!id || configuredIds.has(id)) continue; + + let url; + if (id === 'internet') { + url = 'https://www.google.com'; + } else if (svc.isExternal && svc.externalUrl) { + url = svc.externalUrl; + } else { + url = `https://${buildDomain(id)}`; + } + + healthChecker.configureService(id, { + name: svc.name || id, + url, + method: 'HEAD', + timeout: 5000, + expectedStatusCodes: [200, 201, 204, 301, 302, 303, 307, 308, 401, 403], + headers: { 'User-Agent': APP.USER_AGENTS.HEALTH }, + }); + added++; + } + + if (added > 0) { + log.info('health', 'Auto-configured services from services.json', { count: added }); + } + } catch (error) { + log.error('health', 'Error syncing services', { error: error.message }); + } +} + +module.exports = { validateStartupConfig, syncHealthCheckerServices }; diff --git a/dashcaddy-api/state-manager.js b/dashcaddy-api/state-manager.js new file mode 100644 index 0000000..ed963ca --- /dev/null +++ b/dashcaddy-api/state-manager.js @@ -0,0 +1,237 @@ +/** + * State Manager - Thread-safe file operations with locking + * + * Prevents data corruption when multiple API requests modify state files concurrently. + * Uses file-based locking with automatic retry and timeout handling. + * + * @module state-manager + */ + +const lockfile = require('proper-lockfile'); +const fs = require('fs').promises; +const fsSync = require('fs'); +const path = require('path'); + +class StateManager { + /** + * Create a StateManager instance + * @param {string} filePath - Path to the state file (e.g., services.json) + * @param {Object} options - Configuration options + * @param {number} options.lockTimeout - Max time to wait for lock (ms) + * @param {number} options.lockRetries - Number of lock acquisition retries + * @param {number} options.lockRetryInterval - Time between retries (ms) + */ + constructor(filePath, options = {}) { + this.filePath = filePath; + this.lockOptions = { + retries: { + retries: options.lockRetries || 10, + minTimeout: options.lockRetryInterval || 100, + maxTimeout: (options.lockRetryInterval || 100) * 3 + }, + stale: options.lockTimeout || 30000 // 30 seconds + }; + + // Ensure file exists + this._ensureFileExists(); + } + + /** + * Ensure the state file exists, create with empty array if not + * @private + */ + _ensureFileExists() { + if (!fsSync.existsSync(this.filePath)) { + const dir = path.dirname(this.filePath); + if (!fsSync.existsSync(dir)) { + fsSync.mkdirSync(dir, { recursive: true }); + } + fsSync.writeFileSync(this.filePath, '[]', 'utf8'); + } + } + + /** + * Read the state file (no locking required for read-only operations) + * @returns {Promise} Parsed JSON data + * @throws {Error} If file doesn't exist or JSON is invalid + */ + async read() { + try { + const content = await fs.readFile(this.filePath, 'utf8'); + return JSON.parse(content); + } catch (error) { + if (error.code === 'ENOENT') { + // File doesn't exist — recreate without locking (no file to lock) + this._ensureFileExists(); + return []; + } + throw new Error(`Failed to read state file: ${error.message}`); + } + } + + /** + * Write data to the state file (with locking) + * @param {any} data - Data to write (will be JSON.stringify'd) + * @returns {Promise} + * @throws {Error} If lock cannot be acquired or write fails + */ + async write(data) { + let release; + try { + // Acquire lock + release = await lockfile.lock(this.filePath, this.lockOptions); + + // Write data with pretty formatting + await fs.writeFile(this.filePath, JSON.stringify(data, null, 2), 'utf8'); + } catch (error) { + if (error.code === 'ELOCKED') { + throw new Error('State file is locked by another process. Try again.'); + } + throw new Error(`Failed to write state file: ${error.message}`); + } finally { + // Always release lock + if (release) { + try { + await release(); + } catch (e) { + // Lock release failure (non-critical, lock will expire via stale timeout) + } + } + } + } + + /** + * Update the state file using a callback function (atomic operation) + * This is the recommended method for most operations. + * + * @param {Function} updateFn - Function that receives current data and returns updated data + * @returns {Promise} The updated data + * @throws {Error} If lock cannot be acquired or update fails + * + * @example + * // Add a new service + * await stateManager.update(services => { + * services.push({ id: 'new-service', name: 'New Service' }); + * return services; + * }); + * + * @example + * // Remove a service + * await stateManager.update(services => { + * return services.filter(s => s.id !== 'old-service'); + * }); + */ + async update(updateFn) { + let release; + try { + // Acquire lock + release = await lockfile.lock(this.filePath, this.lockOptions); + + // Read current data + const content = await fs.readFile(this.filePath, 'utf8'); + const currentData = JSON.parse(content); + + // Apply update function + const updatedData = await updateFn(currentData); + + // Write updated data + await fs.writeFile(this.filePath, JSON.stringify(updatedData, null, 2), 'utf8'); + + return updatedData; + } catch (error) { + if (error.code === 'ELOCKED') { + throw new Error('State file is locked by another process. Try again.'); + } + throw new Error(`Failed to update state file: ${error.message}`); + } finally { + // Always release lock + if (release) { + try { + await release(); + } catch (e) { + // Lock release failure (non-critical, lock will expire via stale timeout) + } + } + } + } + + /** + * Check if the state file is currently locked + * @returns {Promise} True if locked, false otherwise + */ + async isLocked() { + try { + return await lockfile.check(this.filePath); + } catch (error) { + return false; + } + } + + /** + * Forcefully unlock the state file (use with caution!) + * Only use this if a lock is stuck due to a crashed process. + * @returns {Promise} + */ + async forceUnlock() { + try { + await lockfile.unlock(this.filePath); + } catch (error) { + // Ignore errors if file wasn't locked + if (error.code !== 'ENOTACQUIRED') { + throw error; + } + } + } + + /** + * Add an item to the state array (convenience method) + * @param {any} item - Item to add + * @returns {Promise} Updated array + */ + async addItem(item) { + return await this.update(items => { + items.push(item); + return items; + }); + } + + /** + * Remove an item from the state array by ID (convenience method) + * @param {string} id - ID of item to remove + * @returns {Promise} Updated array + */ + async removeItem(id) { + return await this.update(items => { + return items.filter(item => item.id !== id); + }); + } + + /** + * Update an item in the state array by ID (convenience method) + * @param {string} id - ID of item to update + * @param {Object} updates - Properties to update + * @returns {Promise} Updated array + */ + async updateItem(id, updates) { + return await this.update(items => { + return items.map(item => { + if (item.id === id) { + return { ...item, ...updates }; + } + return item; + }); + }); + } + + /** + * Find an item in the state array by ID (convenience method) + * @param {string} id - ID of item to find + * @returns {Promise} Found item or null + */ + async findItem(id) { + const items = await this.read(); + return items.find(item => item.id === id) || null; + } +} + +module.exports = StateManager; diff --git a/dashcaddy-api/test-security-fixes.js b/dashcaddy-api/test-security-fixes.js new file mode 100644 index 0000000..3186b5d --- /dev/null +++ b/dashcaddy-api/test-security-fixes.js @@ -0,0 +1,386 @@ +#!/usr/bin/env node +/** + * Automated Testing Script for DashCaddy Security Fixes + * + * Tests all implemented security improvements: + * 1. Path traversal protection + * 2. Request size limits + * 3. Startup validation + * 4. Port locking + * 5. Session management (LRU cache) + * 6. Enhanced error logging + * 7. Hardcoded secrets removal + */ + +const http = require('http'); +const https = require('https'); +const crypto = require('crypto'); + +const API_BASE = process.env.API_BASE || 'http://localhost:3001'; +const TEST_RESULTS = []; + +// Color codes for terminal output +const colors = { + reset: '\x1b[0m', + green: '\x1b[32m', + red: '\x1b[31m', + yellow: '\x1b[33m', + blue: '\x1b[34m', + cyan: '\x1b[36m' +}; + +function log(message, color = 'reset') { + console.log(`${colors[color]}${message}${colors.reset}`); +} + +function logTest(name) { + console.log(`\n${colors.cyan}━━━ Testing: ${name} ━━━${colors.reset}`); +} + +function logResult(passed, message) { + const icon = passed ? '✓' : '✗'; + const color = passed ? 'green' : 'red'; + log(` ${icon} ${message}`, color); + TEST_RESULTS.push({ passed, message }); +} + +async function makeRequest(path, options = {}) { + return new Promise((resolve, reject) => { + const url = new URL(path, API_BASE); + const isHttps = url.protocol === 'https:'; + const client = isHttps ? https : http; + + const requestOptions = { + hostname: url.hostname, + port: url.port || (isHttps ? 443 : 80), + path: url.pathname + url.search, + method: options.method || 'GET', + headers: options.headers || {}, + ...options + }; + + const req = client.request(requestOptions, (res) => { + let data = ''; + res.on('data', chunk => data += chunk); + res.on('end', () => { + resolve({ + statusCode: res.statusCode, + headers: res.headers, + body: data, + data: data ? (data.startsWith('{') || data.startsWith('[') ? JSON.parse(data) : data) : null + }); + }); + }); + + req.on('error', reject); + + if (options.body) { + req.write(typeof options.body === 'string' ? options.body : JSON.stringify(options.body)); + } + + req.end(); + }); +} + +// Test 1: Path Traversal Protection +async function testPathTraversal() { + logTest('Path Traversal Protection'); + + const attacks = [ + { path: '/api/browse/directories?path=../../../../../../etc/passwd', desc: 'Unix path traversal' }, + { path: '/api/browse/directories?path=..\\..\\..\\Windows\\System32', desc: 'Windows path traversal' }, + { path: '/api/browse/directories?path=%2e%2e%2f%2e%2e%2fetc%2fpasswd', desc: 'URL-encoded traversal' }, + { path: '/api/browse/directories?path=/allowed/media/../../../secrets', desc: 'Mixed path traversal' } + ]; + + for (const attack of attacks) { + try { + const response = await makeRequest(attack.path); + if (response.statusCode === 403 || response.statusCode === 400) { + logResult(true, `Blocked: ${attack.desc}`); + } else { + logResult(false, `NOT BLOCKED (${response.statusCode}): ${attack.desc}`); + } + } catch (error) { + logResult(false, `Error testing ${attack.desc}: ${error.message}`); + } + } +} + +// Test 2: Request Size Limits +async function testRequestSizeLimits() { + logTest('Request Size Limits'); + + // Test 1: Small payload (should work) + try { + const smallPayload = { data: 'a'.repeat(100) }; + const response = await makeRequest('/api/services', { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify(smallPayload) + }); + logResult(true, 'Small payload accepted (100 bytes)'); + } catch (error) { + logResult(false, `Small payload rejected: ${error.message}`); + } + + // Test 2: Large payload on general endpoint (should fail) + try { + const largePayload = { data: 'a'.repeat(2 * 1024 * 1024) }; // 2MB + const response = await makeRequest('/api/services', { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify(largePayload) + }); + if (response.statusCode === 413 || response.statusCode === 400) { + logResult(true, 'Large payload rejected on general endpoint (2MB)'); + } else { + logResult(false, `Large payload NOT rejected (status: ${response.statusCode})`); + } + } catch (error) { + if (error.message.includes('413') || error.message.includes('ECONNRESET')) { + logResult(true, 'Large payload rejected (connection reset)'); + } else { + logResult(false, `Unexpected error: ${error.message}`); + } + } + + // Test 3: Large payload on logo endpoint (should work) + try { + const largeImage = 'a'.repeat(5 * 1024 * 1024); // 5MB + const response = await makeRequest('/api/logo', { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify({ logo: largeImage }) + }); + if (response.statusCode !== 413) { + logResult(true, 'Large payload accepted on logo endpoint (5MB)'); + } else { + logResult(false, 'Large payload rejected on logo endpoint'); + } + } catch (error) { + // May fail for other reasons (auth, validation), but not size + if (!error.message.includes('413')) { + logResult(true, 'Logo endpoint accepts large payloads (failed for non-size reason)'); + } else { + logResult(false, `Logo endpoint rejected large payload: ${error.message}`); + } + } +} + +// Test 3: Startup Validation +async function testStartupValidation() { + logTest('Startup Validation'); + + // Check if server is running (implies validation passed) + try { + const response = await makeRequest('/health'); + if (response.statusCode === 200) { + logResult(true, 'Server started successfully (validation passed)'); + } else { + logResult(false, `Server health check failed: ${response.statusCode}`); + } + } catch (error) { + logResult(false, `Cannot reach server: ${error.message}`); + } + + // Check for validation logs (requires access to logs) + log(' → Check Docker logs for: "✓ Startup configuration validation passed"', 'yellow'); +} + +// Test 4: Enhanced Error Logging (Request ID) +async function testEnhancedLogging() { + logTest('Enhanced Error Logging'); + + try { + // Make a request that will be logged + const response = await makeRequest('/api/services'); + + // Check if X-Request-ID header is present + if (response.headers['x-request-id']) { + const requestId = response.headers['x-request-id']; + const isValidUUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(requestId); + + if (isValidUUID) { + logResult(true, `Request ID header present and valid: ${requestId.substring(0, 8)}...`); + } else { + logResult(false, `Request ID present but invalid format: ${requestId}`); + } + } else { + logResult(false, 'Request ID header not present'); + } + } catch (error) { + logResult(false, `Error testing logging: ${error.message}`); + } +} + +// Test 5: Session Management (LRU Cache) +async function testSessionManagement() { + logTest('Session Management (LRU Cache)'); + + log(' → This test requires code inspection (cannot test cache behavior externally)', 'yellow'); + log(' → Manual verification: Check server.js for LRUCache usage', 'yellow'); + + // We can test that sessions still work + try { + const response = await makeRequest('/api/totp/setup', { method: 'POST' }); + if (response.statusCode === 200 || response.statusCode === 401) { + logResult(true, 'Session-based endpoints still functional'); + } else { + logResult(false, `Unexpected response from session endpoint: ${response.statusCode}`); + } + } catch (error) { + logResult(false, `Error testing session endpoints: ${error.message}`); + } +} + +// Test 6: Hardcoded Secrets Removal +async function testSecretsRemoval() { + logTest('Hardcoded Secrets Removal'); + + try { + // Read app-templates.js and check for "changeme123" + const fs = require('fs'); + const templatesPath = require('path').join(__dirname, 'app-templates.js'); + const content = fs.readFileSync(templatesPath, 'utf8'); + + const matches = content.match(/changeme123/g); + if (!matches || matches.length === 0) { + logResult(true, 'No hardcoded "changeme123" passwords found'); + } else { + logResult(false, `Found ${matches.length} instances of "changeme123" still in templates`); + } + + // Check for secrets arrays + const secretsMatches = content.match(/secrets:\s*\[/g); + if (secretsMatches && secretsMatches.length >= 10) { + logResult(true, `Found ${secretsMatches.length} secrets configurations`); + } else { + logResult(false, `Only found ${secretsMatches?.length || 0} secrets configurations (expected 14+)`); + } + } catch (error) { + logResult(false, `Error reading templates: ${error.message}`); + } +} + +// Test 7: Port Locking Mechanism +async function testPortLocking() { + logTest('Port Locking Mechanism'); + + try { + // Check if .port-locks directory exists + const fs = require('fs'); + const path = require('path'); + const locksDir = path.join(__dirname, '.port-locks'); + + if (fs.existsSync(locksDir)) { + logResult(true, 'Port locks directory exists'); + + // Check if it's writable + try { + const testFile = path.join(locksDir, 'test-write'); + fs.writeFileSync(testFile, 'test'); + fs.unlinkSync(testFile); + logResult(true, 'Port locks directory is writable'); + } catch (error) { + logResult(false, `Port locks directory not writable: ${error.message}`); + } + } else { + logResult(false, 'Port locks directory does not exist'); + } + + // Check if PortLockManager module exists + const portLockPath = path.join(__dirname, 'port-lock-manager.js'); + if (fs.existsSync(portLockPath)) { + logResult(true, 'PortLockManager module exists'); + } else { + logResult(false, 'PortLockManager module not found'); + } + } catch (error) { + logResult(false, `Error testing port locking: ${error.message}`); + } +} + +// Test 8: Docker Security Module +async function testDockerSecurity() { + logTest('Docker Image Verification'); + + try { + const fs = require('fs'); + const path = require('path'); + + // Check if docker-security.js exists + const securityPath = path.join(__dirname, 'docker-security.js'); + if (fs.existsSync(securityPath)) { + logResult(true, 'DockerSecurity module exists'); + } else { + logResult(false, 'DockerSecurity module not found'); + } + + // Check if config file exists + const configPath = path.join(__dirname, 'docker-security-config.json'); + if (fs.existsSync(configPath)) { + const config = JSON.parse(fs.readFileSync(configPath, 'utf8')); + logResult(true, `Security config exists (mode: ${config.verificationMode || 'not set'})`); + } else { + log(' → Security config will be created on first use', 'yellow'); + logResult(true, 'Config will be auto-created'); + } + } catch (error) { + logResult(false, `Error testing Docker security: ${error.message}`); + } +} + +// Main test runner +async function runTests() { + log('\n╔════════════════════════════════════════════════════╗', 'cyan'); + log('║ DashCaddy Security Fixes - Test Suite ║', 'cyan'); + log('╚════════════════════════════════════════════════════╝', 'cyan'); + + log(`\nAPI Base URL: ${API_BASE}`, 'blue'); + log('Starting tests...\n', 'blue'); + + // Run all tests + await testStartupValidation(); + await testPathTraversal(); + await testRequestSizeLimits(); + await testEnhancedLogging(); + await testSessionManagement(); + await testSecretsRemoval(); + await testPortLocking(); + await testDockerSecurity(); + + // Summary + log('\n╔════════════════════════════════════════════════════╗', 'cyan'); + log('║ Test Summary ║', 'cyan'); + log('╚════════════════════════════════════════════════════╝', 'cyan'); + + const passed = TEST_RESULTS.filter(r => r.passed).length; + const failed = TEST_RESULTS.filter(r => !r.passed).length; + const total = TEST_RESULTS.length; + + log(`\nTotal Tests: ${total}`, 'blue'); + log(`Passed: ${passed}`, 'green'); + log(`Failed: ${failed}`, failed > 0 ? 'red' : 'green'); + log(`Success Rate: ${((passed / total) * 100).toFixed(1)}%\n`, failed === 0 ? 'green' : 'yellow'); + + if (failed > 0) { + log('Failed tests:', 'red'); + TEST_RESULTS.filter(r => !r.passed).forEach(r => { + log(` ✗ ${r.message}`, 'red'); + }); + } + + process.exit(failed > 0 ? 1 : 0); +} + +// Run tests if executed directly +if (require.main === module) { + runTests().catch(error => { + log(`\nFatal error: ${error.message}`, 'red'); + console.error(error); + process.exit(1); + }); +} + +module.exports = { runTests }; diff --git a/dashcaddy-api/update-manager.js b/dashcaddy-api/update-manager.js new file mode 100644 index 0000000..d8ac7bd --- /dev/null +++ b/dashcaddy-api/update-manager.js @@ -0,0 +1,911 @@ +/** + * Update Management Module + * Checks for Docker image updates, manages update scheduling, + * and provides rollback capabilities + */ + +const Docker = require('dockerode'); +const EventEmitter = require('events'); +const fs = require('fs'); +const path = require('path'); +const https = require('https'); + +const docker = new Docker(); + +const UPDATE_CONFIG_FILE = process.env.UPDATE_CONFIG_FILE || path.join(__dirname, 'update-config.json'); +const UPDATE_HISTORY_FILE = process.env.UPDATE_HISTORY_FILE || path.join(__dirname, 'update-history.json'); +const CHECK_INTERVAL = parseInt(process.env.UPDATE_CHECK_INTERVAL || '3600000', 10); // 1 hour + +class UpdateManager extends EventEmitter { + constructor() { + super(); + this.config = this.loadConfig(); + this.history = this.loadHistory(); + this.availableUpdates = new Map(); + this.checking = false; + this.checkInterval = null; + } + + /** + * Start update checking + */ + start() { + if (this.checking) return; + + console.log('[UpdateManager] Starting update checks'); + this.checking = true; + + // Initial check + this.checkForUpdates(); + + // Schedule periodic checks + this.checkInterval = setInterval(() => this.checkForUpdates(), CHECK_INTERVAL); + } + + /** + * Stop update checking + */ + stop() { + if (!this.checking) return; + + console.log('[UpdateManager] Stopping update checks'); + this.checking = false; + + if (this.checkInterval) { + clearInterval(this.checkInterval); + this.checkInterval = null; + } + } + + /** + * Check for updates for all containers + */ + async checkForUpdates() { + try { + const containers = await docker.listContainers({ all: true }); + + for (const containerInfo of containers) { + try { + const container = docker.getContainer(containerInfo.Id); + const inspect = await container.inspect(); + + const imageName = inspect.Config.Image; + const currentDigest = inspect.Image; + + // Check if update available + const latestDigest = await this.getLatestImageDigest(imageName); + + if (latestDigest && latestDigest !== currentDigest) { + this.availableUpdates.set(containerInfo.Id, { + containerId: containerInfo.Id, + containerName: containerInfo.Names[0].replace(/^\//, ''), + imageName, + currentDigest: currentDigest.substring(0, 12), + latestDigest: latestDigest.substring(0, 12), + currentTag: this.extractTag(imageName), + detectedAt: new Date().toISOString() + }); + + this.emit('update-available', this.availableUpdates.get(containerInfo.Id)); + } else { + this.availableUpdates.delete(containerInfo.Id); + } + } catch (error) { + console.error(`[UpdateManager] Error checking ${containerInfo.Names[0]}:`, error.message); + } + } + + console.log(`[UpdateManager] Found ${this.availableUpdates.size} updates available`); + } catch (error) { + console.error('[UpdateManager] Error checking for updates:', error.message); + } + } + + /** + * Get latest image digest from registry + */ + async getLatestImageDigest(imageName) { + try { + // Parse image name + const [repository, tag] = imageName.split(':'); + const imageTag = tag || 'latest'; + + // For Docker Hub images + if (!repository.includes('/') || repository.split('/').length === 2) { + return await this.getDockerHubDigest(repository, imageTag); + } + + // For other registries (would need authentication) + console.warn(`[UpdateManager] Custom registry not yet supported: ${repository}`); + return null; + } catch (error) { + console.error(`[UpdateManager] Error getting digest for ${imageName}:`, error.message); + return null; + } + } + + /** + * Get image digest from Docker Hub + */ + async getDockerHubDigest(repository, tag) { + return new Promise((resolve, reject) => { + // Normalize repository name + const repo = repository.includes('/') ? repository : `library/${repository}`; + + const options = { + hostname: 'registry-1.docker.io', + path: `/v2/${repo}/manifests/${tag}`, + method: 'GET', + headers: { + 'Accept': 'application/vnd.docker.distribution.manifest.v2+json' + } + }; + + const req = https.request(options, (res) => { + if (res.statusCode === 401) { + // Need to authenticate + const authHeader = res.headers['www-authenticate']; + const authUrl = this.parseAuthHeader(authHeader); + + if (authUrl) { + this.authenticateAndGetDigest(authUrl, options).then(resolve).catch(reject); + } else { + reject(new Error('Authentication required but no auth URL found')); + } + return; + } + + const digest = res.headers['docker-content-digest']; + resolve(digest || null); + }); + + req.on('error', reject); + req.end(); + }); + } + + /** + * Parse authentication header + */ + parseAuthHeader(header) { + if (!header) return null; + + const match = header.match(/Bearer realm="([^"]+)"/); + if (!match) return null; + + const url = new URL(match[1]); + const params = header.match(/service="([^"]+)"/); + if (params) url.searchParams.set('service', params[1]); + + const scope = header.match(/scope="([^"]+)"/); + if (scope) url.searchParams.set('scope', scope[1]); + + return url.toString(); + } + + /** + * Authenticate and get digest + */ + async authenticateAndGetDigest(authUrl, originalOptions) { + return new Promise((resolve, reject) => { + https.get(authUrl, (res) => { + let data = ''; + res.on('data', chunk => data += chunk); + res.on('end', () => { + try { + const auth = JSON.parse(data); + const token = auth.token || auth.access_token; + + if (!token) { + reject(new Error('No token in auth response')); + return; + } + + // Retry original request with token + const options = { + ...originalOptions, + headers: { + ...originalOptions.headers, + 'Authorization': `Bearer ${token}` + } + }; + + const req = https.request(options, (res) => { + const digest = res.headers['docker-content-digest']; + resolve(digest || null); + }); + + req.on('error', reject); + req.end(); + } catch (error) { + reject(error); + } + }); + }).on('error', reject); + }); + } + + /** + * Extract tag from image name + */ + extractTag(imageName) { + const parts = imageName.split(':'); + return parts.length > 1 ? parts[parts.length - 1] : 'latest'; + } + + /** + * Update a container + */ + async updateContainer(containerId, options = {}) { + const startTime = Date.now(); + + console.log(`[UpdateManager] Starting update for container ${containerId}`); + this.emit('update-start', { containerId, timestamp: new Date().toISOString() }); + + try { + const container = docker.getContainer(containerId); + const inspect = await container.inspect(); + + const imageName = inspect.Config.Image; + const containerName = inspect.Name.replace(/^\//, ''); + const oldImageId = inspect.Image; + + // Get old image digest for rollback + let oldImageDigest = null; + try { + const oldImage = docker.getImage(oldImageId); + const oldImageInspect = await oldImage.inspect(); + oldImageDigest = oldImageInspect.RepoDigests?.[0] || oldImageId; + console.log(`[UpdateManager] Stored old image digest: ${oldImageDigest.substring(0, 40)}...`); + } catch (error) { + console.warn(`[UpdateManager] Could not get old image digest: ${error.message}`); + } + + // Create backup of current state + const backup = { + containerId, + containerName, + imageName, + imageId: oldImageId, + imageDigest: oldImageDigest, + config: inspect.Config, + hostConfig: inspect.HostConfig, + networkSettings: inspect.NetworkSettings, + timestamp: new Date().toISOString() + }; + + // Pull latest image + console.log(`[UpdateManager] Pulling latest image: ${imageName}`); + await this.pullImage(imageName); + + // Stop container + console.log(`[UpdateManager] Stopping container: ${containerName}`); + await container.stop(); + + // Remove old container + console.log(`[UpdateManager] Removing old container: ${containerName}`); + await container.remove(); + + // Create new container with same configuration + console.log(`[UpdateManager] Creating new container: ${containerName}`); + const newContainer = await docker.createContainer({ + name: containerName, + Image: imageName, + ...backup.config, + HostConfig: backup.hostConfig + }); + + // Start new container + console.log(`[UpdateManager] Starting new container: ${containerName}`); + await newContainer.start(); + + // Extended verification with health checks and port accessibility + console.log(`[UpdateManager] Performing extended verification...`); + await this.verifyContainerExtended(newContainer, inspect, options.verifyTimeout || 60000); + + // Get new image ID + const newInspect = await newContainer.inspect(); + const newImageId = newInspect.Image; + + // Remove old image only after successful verification + if (oldImageId !== newImageId) { + try { + console.log(`[UpdateManager] Removing old image: ${oldImageId.substring(0, 12)}`); + const oldImage = docker.getImage(oldImageId); + await oldImage.remove({ force: false }); + console.log(`[UpdateManager] Old image removed successfully`); + } catch (error) { + console.warn(`[UpdateManager] Could not remove old image (may be in use): ${error.message}`); + } + } + + const duration = Date.now() - startTime; + + const historyEntry = { + containerId: newContainer.id, + containerName, + imageName, + oldImageId: oldImageId.substring(0, 12), + newImageId: newImageId.substring(0, 12), + timestamp: new Date().toISOString(), + duration, + status: 'success', + backup + }; + + this.addToHistory(historyEntry); + this.availableUpdates.delete(containerId); + + this.emit('update-complete', historyEntry); + console.log(`[UpdateManager] Update completed in ${duration}ms`); + + return historyEntry; + } catch (error) { + const duration = Date.now() - startTime; + + const historyEntry = { + containerId, + timestamp: new Date().toISOString(), + duration, + status: 'failed', + error: error.message + }; + + this.addToHistory(historyEntry); + this.emit('update-failed', historyEntry); + + // Attempt rollback + if (options.autoRollback !== false) { + console.log(`[UpdateManager] Attempting rollback for ${containerId}`); + try { + await this.rollbackUpdate(containerId); + } catch (rollbackError) { + console.error(`[UpdateManager] Rollback failed:`, rollbackError.message); + } + } + + throw error; + } + } + + /** + * Pull Docker image + */ + async pullImage(imageName) { + return new Promise((resolve, reject) => { + docker.pull(imageName, (err, stream) => { + if (err) { + reject(err); + return; + } + + docker.modem.followProgress(stream, (err, output) => { + if (err) { + reject(err); + } else { + resolve(output); + } + }); + }); + }); + } + + /** + * Verify container is running and healthy + */ + async verifyContainer(container, timeout = 30000) { + const startTime = Date.now(); + + while (Date.now() - startTime < timeout) { + try { + const inspect = await container.inspect(); + + if (inspect.State.Running) { + // Check health if health check is configured + if (inspect.State.Health) { + if (inspect.State.Health.Status === 'healthy') { + return true; + } + } else { + // No health check, just verify it's running + return true; + } + } + + // Wait before checking again + await new Promise(resolve => setTimeout(resolve, 1000)); + } catch (error) { + throw new Error(`Container verification failed: ${error.message}`); + } + } + + throw new Error('Container verification timeout'); + } + + /** + * Extended container verification with health checks and port accessibility + * @param {object} container - Docker container object + * @param {object} oldInspect - Old container inspect data for port comparison + * @param {number} timeout - Verification timeout in milliseconds (default: 60000) + */ + async verifyContainerExtended(container, oldInspect, timeout = 60000) { + const startTime = Date.now(); + const maxAttempts = Math.floor(timeout / 2000); // Check every 2 seconds + let lastError = null; + + console.log(`[UpdateManager] Extended verification with ${maxAttempts} attempts over ${timeout/1000}s`); + + for (let attempt = 0; attempt < maxAttempts; attempt++) { + try { + const inspect = await container.inspect(); + + // Step 1: Verify container is running + if (!inspect.State.Running) { + lastError = 'Container is not running'; + throw new Error(lastError); + } + + // Step 2: Check Docker health check if available + if (inspect.State.Health) { + if (inspect.State.Health.Status === 'healthy') { + console.log(`[UpdateManager] Container health check: healthy`); + return true; + } else if (inspect.State.Health.Status === 'unhealthy') { + lastError = 'Container health check failed (unhealthy)'; + throw new Error(lastError); + } + // Status is 'starting' - continue waiting + console.log(`[UpdateManager] Health check status: ${inspect.State.Health.Status} (attempt ${attempt + 1}/${maxAttempts})`); + } else { + // Step 3: No Docker health check - verify HTTP port accessibility + const ports = this.extractPorts(inspect); + + if (ports.length > 0) { + // Try to access the first HTTP port + const primaryPort = ports[0]; + const testUrl = `http://localhost:${primaryPort.hostPort}`; + + try { + const response = await fetch(testUrl, { + signal: AbortSignal.timeout(3000), + redirect: 'manual' + }); + + // Accept 2xx, 3xx, 4xx as "accessible" (server is responding) + if (response.status >= 200 && response.status < 500) { + console.log(`[UpdateManager] Port ${primaryPort.hostPort} is accessible (HTTP ${response.status})`); + + // Wait a bit more to ensure stability + if (attempt >= 2) { + console.log(`[UpdateManager] Container verified successfully`); + return true; + } + } + } catch (fetchError) { + lastError = `Port ${primaryPort.hostPort} not accessible: ${fetchError.message}`; + console.log(`[UpdateManager] ${lastError} (attempt ${attempt + 1}/${maxAttempts})`); + } + } else { + // No ports exposed - just verify it's running for a few cycles + if (attempt >= 5) { + console.log(`[UpdateManager] Container running without exposed ports (verified)`); + return true; + } + } + } + + // Wait before next attempt + if (attempt < maxAttempts - 1) { + await new Promise(resolve => setTimeout(resolve, 2000)); + } + } catch (error) { + lastError = error.message; + console.log(`[UpdateManager] Verification attempt ${attempt + 1} failed: ${lastError}`); + + if (attempt < maxAttempts - 1) { + await new Promise(resolve => setTimeout(resolve, 2000)); + } + } + } + + // Verification failed + const duration = Date.now() - startTime; + throw new Error(`Extended verification failed after ${duration}ms: ${lastError || 'timeout'}`); + } + + /** + * Extract port mappings from container inspect data + * @param {object} inspect - Container inspect data + * @returns {Array} Array of port mappings + */ + extractPorts(inspect) { + const ports = []; + + if (inspect.NetworkSettings && inspect.NetworkSettings.Ports) { + for (const [containerPort, bindings] of Object.entries(inspect.NetworkSettings.Ports)) { + if (bindings && bindings.length > 0) { + for (const binding of bindings) { + if (binding.HostPort) { + ports.push({ + containerPort: containerPort.split('/')[0], + hostPort: binding.HostPort, + protocol: containerPort.split('/')[1] || 'tcp' + }); + } + } + } + } + } + + return ports; + } + + /** + * Rollback to previous version + */ + async rollbackUpdate(containerId) { + console.log(`[UpdateManager] Rolling back container ${containerId}`); + + // Find last successful update in history + const lastUpdate = this.history + .filter(h => h.containerId === containerId && h.status === 'success' && h.backup) + .pop(); + + if (!lastUpdate || !lastUpdate.backup) { + throw new Error('No backup found for rollback'); + } + + const backup = lastUpdate.backup; + + try { + // Stop and remove current container + try { + const container = docker.getContainer(containerId); + await container.stop(); + await container.remove(); + } catch (error) { + // Container might not exist, continue + } + + // Recreate container from backup + const newContainer = await docker.createContainer({ + name: backup.containerName, + Image: backup.imageName, + ...backup.config, + HostConfig: backup.hostConfig + }); + + await newContainer.start(); + + console.log(`[UpdateManager] Rollback completed for ${backup.containerName}`); + this.emit('rollback-complete', { containerId, containerName: backup.containerName }); + + return true; + } catch (error) { + console.error(`[UpdateManager] Rollback failed:`, error.message); + throw error; + } + } + + /** + * Schedule update for maintenance window + */ + scheduleUpdate(containerId, scheduledTime) { + const delay = new Date(scheduledTime).getTime() - Date.now(); + + if (delay < 0) { + throw new Error('Scheduled time must be in the future'); + } + + setTimeout(() => { + this.updateContainer(containerId).catch(error => { + console.error(`[UpdateManager] Scheduled update failed:`, error.message); + }); + }, delay); + + console.log(`[UpdateManager] Update scheduled for ${containerId} at ${scheduledTime}`); + } + + /** + * Get available updates + */ + getAvailableUpdates() { + return Array.from(this.availableUpdates.values()); + } + + /** + * Get update history + */ + getHistory(limit = 50) { + return this.history.slice(-limit).reverse(); + } + + /** + * Get changelog and release information from Docker Hub + * @param {string} imageName - Docker image name (e.g., "nginx:latest" or "linuxserver/plex") + * @returns {Object} Changelog information including tags, description, and URLs + */ + async getChangelog(imageName) { + try { + // Parse image name + const [fullRepo, tag] = imageName.split(':'); + const imageTag = tag || 'latest'; + + // Normalize repository name for Docker Hub API + let repo = fullRepo; + let namespace = 'library'; + + if (fullRepo.includes('/')) { + const parts = fullRepo.split('/'); + namespace = parts[0]; + repo = parts.slice(1).join('/'); + } + + const repoPath = namespace === 'library' ? repo : `${namespace}/${repo}`; + + // Fetch repository info from Docker Hub API + const repoInfo = await this.fetchDockerHubRepo(repoPath, namespace === 'library'); + + // Fetch available tags + const tags = await this.fetchDockerHubTags(repoPath, namespace === 'library'); + + // Build the Docker Hub URL + const hubUrl = namespace === 'library' + ? `https://hub.docker.com/_/${repo}` + : `https://hub.docker.com/r/${namespace}/${repo}`; + + return { + imageName, + currentTag: imageTag, + repository: { + name: repoPath, + description: repoInfo?.description || 'No description available', + shortDescription: repoInfo?.description?.substring(0, 200) || '', + starCount: repoInfo?.star_count || 0, + pullCount: repoInfo?.pull_count || 0, + lastUpdated: repoInfo?.last_updated || null + }, + tags: tags.slice(0, 10).map(t => ({ + name: t.name, + lastPushed: t.last_pushed || t.tag_last_pushed, + digest: t.digest?.substring(0, 12) || 'unknown', + size: t.full_size || t.size || 0 + })), + urls: { + dockerHub: hubUrl, + tags: `${hubUrl}/tags`, + dockerfile: repoInfo?.dockerfile_url || null + }, + changelog: this.formatChangelog(repoInfo, tags, imageTag) + }; + } catch (error) { + console.error(`[UpdateManager] Error fetching changelog for ${imageName}:`, error.message); + + // Return basic info even on error + const [fullRepo] = imageName.split(':'); + const repoPath = fullRepo.includes('/') ? fullRepo : `library/${fullRepo}`; + + return { + imageName, + error: error.message, + urls: { + dockerHub: `https://hub.docker.com/r/${repoPath.replace('library/', '_/')}`, + }, + changelog: 'Unable to fetch changelog. Visit Docker Hub for details.' + }; + } + } + + /** + * Fetch repository info from Docker Hub + */ + async fetchDockerHubRepo(repoPath, isLibrary) { + return new Promise((resolve, reject) => { + const apiPath = isLibrary + ? `/v2/repositories/library/${repoPath}` + : `/v2/repositories/${repoPath}`; + + const options = { + hostname: 'hub.docker.com', + path: apiPath, + method: 'GET', + headers: { + 'Accept': 'application/json', + 'User-Agent': 'DashCaddy/1.0' + } + }; + + const req = https.request(options, (res) => { + let data = ''; + res.on('data', chunk => data += chunk); + res.on('end', () => { + try { + if (res.statusCode === 200) { + resolve(JSON.parse(data)); + } else { + resolve(null); + } + } catch (e) { + resolve(null); + } + }); + }); + + req.on('error', () => resolve(null)); + req.setTimeout(10000, () => { + req.destroy(); + resolve(null); + }); + req.end(); + }); + } + + /** + * Fetch available tags from Docker Hub + */ + async fetchDockerHubTags(repoPath, isLibrary) { + return new Promise((resolve, reject) => { + const apiPath = isLibrary + ? `/v2/repositories/library/${repoPath}/tags?page_size=20&ordering=last_updated` + : `/v2/repositories/${repoPath}/tags?page_size=20&ordering=last_updated`; + + const options = { + hostname: 'hub.docker.com', + path: apiPath, + method: 'GET', + headers: { + 'Accept': 'application/json', + 'User-Agent': 'DashCaddy/1.0' + } + }; + + const req = https.request(options, (res) => { + let data = ''; + res.on('data', chunk => data += chunk); + res.on('end', () => { + try { + if (res.statusCode === 200) { + const parsed = JSON.parse(data); + resolve(parsed.results || []); + } else { + resolve([]); + } + } catch (e) { + resolve([]); + } + }); + }); + + req.on('error', () => resolve([])); + req.setTimeout(10000, () => { + req.destroy(); + resolve([]); + }); + req.end(); + }); + } + + /** + * Format changelog from repo info and tags + */ + formatChangelog(repoInfo, tags, currentTag) { + const lines = []; + + if (repoInfo?.description) { + lines.push(`**${repoInfo.description.split('\n')[0]}**`); + lines.push(''); + } + + // Find current and latest tags + const latestTag = tags.find(t => t.name === 'latest'); + const currentTagInfo = tags.find(t => t.name === currentTag); + + if (latestTag?.last_pushed || latestTag?.tag_last_pushed) { + const lastUpdated = new Date(latestTag.last_pushed || latestTag.tag_last_pushed); + lines.push(`Latest update: ${lastUpdated.toLocaleDateString()}`); + } + + if (tags.length > 0) { + lines.push(''); + lines.push('Recent tags:'); + tags.slice(0, 5).forEach(t => { + const date = t.last_pushed || t.tag_last_pushed; + const dateStr = date ? new Date(date).toLocaleDateString() : 'unknown'; + lines.push(` - ${t.name} (${dateStr})`); + }); + } + + if (repoInfo?.pull_count) { + lines.push(''); + lines.push(`Total pulls: ${repoInfo.pull_count.toLocaleString()}`); + } + + return lines.join('\n') || 'No changelog available'; + } + + /** + * Configure auto-update for a container + */ + configureAutoUpdate(containerId, config) { + if (!this.config.autoUpdate) { + this.config.autoUpdate = {}; + } + + this.config.autoUpdate[containerId] = { + enabled: config.enabled !== false, + schedule: config.schedule || 'weekly', + maintenanceWindow: config.maintenanceWindow, + autoRollback: config.autoRollback !== false, + securityOnly: config.securityOnly || false + }; + + this.saveConfig(); + } + + /** + * Add entry to history + */ + addToHistory(entry) { + this.history.push(entry); + + // Keep only last 100 entries + if (this.history.length > 100) { + this.history = this.history.slice(-100); + } + + this.saveHistory(); + } + + /** + * Load configuration + */ + loadConfig() { + try { + if (fs.existsSync(UPDATE_CONFIG_FILE)) { + return JSON.parse(fs.readFileSync(UPDATE_CONFIG_FILE, 'utf8')); + } + } catch (error) { + console.error('[UpdateManager] Error loading config:', error.message); + } + return { autoUpdate: {} }; + } + + /** + * Save configuration + */ + saveConfig() { + try { + fs.writeFileSync(UPDATE_CONFIG_FILE, JSON.stringify(this.config, null, 2)); + } catch (error) { + console.error('[UpdateManager] Error saving config:', error.message); + } + } + + /** + * Load history + */ + loadHistory() { + try { + if (fs.existsSync(UPDATE_HISTORY_FILE)) { + return JSON.parse(fs.readFileSync(UPDATE_HISTORY_FILE, 'utf8')); + } + } catch (error) { + console.error('[UpdateManager] Error loading history:', error.message); + } + return []; + } + + /** + * Save history + */ + saveHistory() { + try { + fs.writeFileSync(UPDATE_HISTORY_FILE, JSON.stringify(this.history, null, 2)); + } catch (error) { + console.error('[UpdateManager] Error saving history:', error.message); + } + } +} + +// Export singleton instance +module.exports = new UpdateManager(); diff --git a/dashcaddy-installer/BUILD_GUIDE.md b/dashcaddy-installer/BUILD_GUIDE.md new file mode 100644 index 0000000..8c45a0c --- /dev/null +++ b/dashcaddy-installer/BUILD_GUIDE.md @@ -0,0 +1,260 @@ +# DashCaddy Installer - Build Guide + +## Overview + +The DashCaddy Installer is a cross-platform Electron application that guides users through installing and configuring DashCaddy on their system. + +## Prerequisites + +- Node.js 18+ and npm +- Git +- Windows: No additional requirements +- macOS: Xcode Command Line Tools +- Linux: Standard build tools (gcc, make) + +## Installation + +```bash +# Clone the repository +cd dashcaddy-installer + +# Install dependencies +npm install +``` + +## Development + +### Run in Development Mode + +```bash +# Start the installer with DevTools +npm run dev + +# Or start normally +npm start +``` + +### Run Tests + +```bash +# Run all tests +npm test + +# Run tests in watch mode +npm run test:watch +``` + +## Building + +### Build for Current Platform + +```bash +npm run build +``` + +### Build for Specific Platforms + +```bash +# Windows (creates portable .exe and installer) +npm run build:win + +# macOS (creates .dmg) +npm run build:mac + +# Linux (creates AppImage and .deb) +npm run build:linux +``` + +### Build Output + +Built applications are placed in the `dist/` directory: + +- **Windows**: `dist/win-unpacked/DashCaddy Installer.exe` (portable) +- **macOS**: `dist/DashCaddy Installer.dmg` +- **Linux**: `dist/DashCaddy Installer.AppImage` and `.deb` + +## Project Structure + +``` +dashcaddy-installer/ +├── src/ +│ ├── main/ # Electron main process +│ │ ├── index.js # Main entry point & IPC handlers +│ │ ├── dependency-checker.js # Check/install Docker & Caddy +│ │ ├── config-manager.js # Configuration persistence +│ │ ├── file-deployer.js # Copy dashboard & API files +│ │ ├── caddyfile-generator.js # Generate Caddyfile +│ │ ├── browser-launcher.js # Open URLs in browser +│ │ └── service-manager.js # Start/stop services +│ ├── renderer/ # UI layer +│ │ ├── index.html # Main HTML +│ │ ├── wizard.js # Wizard logic & state +│ │ └── styles.css # Styling +│ ├── preload/ # IPC bridge +│ │ └── index.js # Secure IPC exposure +│ └── shared/ # Shared utilities +│ ├── constants.js # App constants +│ └── platform-utils.js # Platform detection +├── templates/ # Configuration templates +│ ├── Caddyfile.template # Caddyfile template +│ └── docker-compose.template.yml +├── assets/ # Images & icons +│ └── icon.png # App icon +└── package.json # Dependencies & build config +``` + +## Key Features + +### 1. Platform Detection +Automatically detects Windows, macOS, or Linux and adjusts paths and commands accordingly. + +### 2. Dependency Management +- Checks for Docker and Caddy installation +- Provides installation instructions/automation +- Validates versions + +### 3. Guided Installation +5-step wizard: +1. **Welcome** - Introduction and platform detection +2. **Folders** - Select installation directories +3. **Dependencies** - Check and install requirements +4. **Install** - Deploy files and configure +5. **Complete** - Success screen with dashboard link + +### 4. File Deployment +- Copies dashboard files from `status/` directory +- Copies API server from `dashcaddy-api/` directory +- Installs npm dependencies for API +- Skips unnecessary files (node_modules, .git) + +### 5. Configuration Generation +- Creates Caddyfile for reverse proxy +- Generates docker-compose.yml for API container +- Saves installation configuration for upgrades + +### 6. Service Management +- Starts Caddy web server +- Launches Docker containers +- Opens dashboard in browser when ready + +## Configuration + +### Build Configuration + +Edit `package.json` under the `build` section: + +```json +{ + "build": { + "appId": "com.dashcaddy.installer", + "productName": "DashCaddy Installer", + "icon": "assets/icon.png", + "win": { + "target": ["portable", "dir"] + } + } +} +``` + +### Source Paths + +The installer copies files from these source directories (relative to project root): + +- Dashboard: `../status/` +- API Server: `../dashcaddy-api/` + +These paths are configured in `src/main/file-deployer.js`. + +## Troubleshooting + +### Build Fails + +1. **Missing dependencies**: Run `npm install` +2. **Electron download fails**: Check internet connection or use `npm config set electron_mirror https://npmmirror.com/mirrors/electron/` +3. **Icon errors**: Ensure `assets/icon.png` exists and is valid + +### Installer Doesn't Start + +1. **Check Node version**: Must be 18+ +2. **Reinstall dependencies**: `rm -rf node_modules && npm install` +3. **Check console**: Run with `npm run dev` to see errors + +### Files Not Deploying + +1. **Check source paths**: Verify `status/` and `dashcaddy-api/` directories exist +2. **Check permissions**: Ensure write access to installation directory +3. **Check disk space**: Ensure sufficient space for installation + +## Testing + +### Unit Tests + +Tests are located in `src/main/*.test.js`: + +```bash +npm test +``` + +### Property-Based Tests + +Some modules include property-based tests using fast-check: + +```bash +npm test -- --testNamePattern="property" +``` + +### Manual Testing + +1. Run installer: `npm start` +2. Go through all wizard steps +3. Verify files are copied correctly +4. Check that services start +5. Confirm dashboard opens in browser + +## Deployment + +### Creating a Release + +1. Update version in `package.json` +2. Build for all platforms: + ```bash + npm run build:win + npm run build:mac + npm run build:linux + ``` +3. Test each build on target platform +4. Create GitHub release with built artifacts + +### Distribution + +- **Windows**: Distribute `.exe` file (portable, no installation required) +- **macOS**: Distribute `.dmg` file +- **Linux**: Distribute `.AppImage` (universal) or `.deb` (Debian/Ubuntu) + +## Advanced + +### Custom Branding + +Replace `assets/icon.png` with your custom icon (512x512 PNG recommended). + +### Custom Templates + +Edit templates in `templates/` directory to customize generated configurations. + +### Adding New Steps + +1. Add step definition to `wizard.js` steps array +2. Create render function (e.g., `renderMyStep()`) +3. Add case to `renderCurrentStep()` switch +4. Update navigation logic if needed + +## Support + +For issues or questions: +- Check existing documentation +- Review console logs with `npm run dev` +- Check GitHub issues + +## License + +MIT diff --git a/dashcaddy-installer/QUICK_START.md b/dashcaddy-installer/QUICK_START.md new file mode 100644 index 0000000..341167e --- /dev/null +++ b/dashcaddy-installer/QUICK_START.md @@ -0,0 +1,184 @@ +# DashCaddy Installer - Quick Start + +## For Developers + +### Setup & Run + +```bash +# Install dependencies +npm install + +# Run in development mode +npm start + +# Build for Windows +npm run build:win +``` + +The built installer will be at: `dist/win-unpacked/DashCaddy Installer.exe` + +## For End Users + +### Running the Installer + +1. **Download** the DashCaddy Installer executable +2. **Run** the installer (no installation required - it's portable) +3. **Follow** the 5-step wizard: + +#### Step 1: Welcome +- Review features and system requirements +- Confirm detected platform + +#### Step 2: Choose Folders +- Select installation directory (default: `C:\DashCaddy`) +- Optionally customize Docker data and Caddy config paths +- Click **Next** + +#### Step 3: Check Dependencies +- Installer checks for Docker and Caddy +- If missing, click **Install** buttons to install them +- Wait for installation to complete +- Click **Install** when both are ready + +#### Step 4: Installation +- Watch progress as DashCaddy is installed +- Files are copied and configured automatically +- Takes 1-3 minutes depending on system + +#### Step 5: Complete +- Installation successful! +- Click **Open Dashboard** to launch DashCaddy +- Dashboard opens at `http://localhost:8080` + +### What Gets Installed + +The installer creates this structure: + +``` +C:\DashCaddy\ +├── dashboard\ # Web dashboard files +├── api\ # API server +├── docker-data\ # Docker volumes +├── caddy\ # Caddy configuration +├── Caddyfile # Reverse proxy config +├── docker-compose.yml # Container orchestration +└── .dashcaddy-config.json # Installation settings +``` + +### System Requirements + +- **OS**: Windows 10/11, macOS 10.15+, or Linux +- **RAM**: 4GB minimum, 8GB recommended +- **Disk**: 2GB free space +- **Docker**: Required (installer can install) +- **Caddy**: Required (installer can install) + +### Accessing DashCaddy + +After installation: + +- **Dashboard**: http://localhost:8080 +- **API**: http://localhost:3001 +- **Caddy Admin**: http://localhost:2021 + +### Troubleshooting + +#### Installer Won't Start +- Ensure you have administrator/sudo privileges +- Check antivirus isn't blocking the installer +- Try running as administrator (Windows) + +#### Dependencies Won't Install +- Check internet connection +- Manually install Docker from docker.com +- Manually install Caddy from caddyserver.com + +#### Dashboard Won't Open +- Check if Caddy is running: `caddy version` +- Check if Docker is running: `docker ps` +- Verify port 8080 isn't in use +- Check installation logs + +#### Services Not Starting +- Ensure Docker daemon is running +- Check firewall settings +- Verify installation paths are correct + +### Uninstalling + +To remove DashCaddy: + +1. Stop services: + ```bash + cd C:\DashCaddy + docker compose down + taskkill /IM caddy.exe /F + ``` + +2. Delete installation directory: + ```bash + rmdir /s C:\DashCaddy + ``` + +### Next Steps + +After installation: + +1. **Add Services**: Click "+" to deploy Docker containers +2. **Configure DNS**: Set up custom domains (optional) +3. **Import Existing**: Import services from other systems +4. **Customize**: Change themes, logos, and settings + +### Getting Help + +- **Documentation**: Check README.md in installation directory +- **Logs**: View container logs in dashboard +- **Support**: Open GitHub issue for bugs + +## Development Notes + +### Testing the Installer + +```bash +# Run with DevTools for debugging +npm run dev + +# Test specific functionality +npm test + +# Build and test portable exe +npm run build:win +./dist/win-unpacked/DashCaddy\ Installer.exe +``` + +### Modifying the Installer + +Key files to edit: + +- **UI**: `src/renderer/wizard.js` and `styles.css` +- **Logic**: `src/main/index.js` (IPC handlers) +- **Deployment**: `src/main/file-deployer.js` +- **Config**: `src/main/caddyfile-generator.js` + +### Adding Features + +1. Add IPC handler in `src/main/index.js` +2. Expose in `src/preload/index.js` +3. Call from `src/renderer/wizard.js` +4. Update UI in `styles.css` if needed + +## Tips + +- **Portable**: The Windows .exe is fully portable - no installation needed +- **Upgrades**: Installer detects existing installations and can upgrade +- **Backups**: Installation config saved in `.dashcaddy-config.json` +- **Logs**: Check console with DevTools (Ctrl+Shift+I in dev mode) + +## What's Next? + +After successful installation, explore: + +- **App Templates**: 50+ pre-configured applications +- **DNS Integration**: Set up local domains with Cloudflare +- **Monitoring**: Real-time service health checks +- **Backups**: Export/import dashboard configurations diff --git a/dashcaddy-installer/README.md b/dashcaddy-installer/README.md new file mode 100644 index 0000000..f4ffc23 --- /dev/null +++ b/dashcaddy-installer/README.md @@ -0,0 +1,230 @@ +# DashCaddy Installer + +A cross-platform Electron application that provides a guided installation wizard for DashCaddy - the unified management platform for Docker containers and Caddy reverse proxy. + +## ✨ Features + +- **🎯 Guided 5-Step Wizard** - Simple, intuitive installation process +- **🔍 Automatic Dependency Detection** - Checks for Docker and Caddy +- **📦 One-Click Dependency Installation** - Installs missing requirements +- **🖥️ Cross-Platform Support** - Windows, macOS, and Linux +- **📁 Smart File Deployment** - Copies and configures all necessary files +- **⚙️ Auto-Configuration** - Generates Caddyfile and docker-compose.yml +- **🚀 Service Management** - Starts services and opens dashboard +- **💾 Configuration Persistence** - Saves settings for upgrades +- **🎨 Modern UI** - Clean, responsive interface with progress tracking + +## 🚀 Quick Start + +### For End Users + +1. **Download** the installer for your platform +2. **Run** the executable (portable, no installation needed) +3. **Follow** the wizard steps +4. **Access** your dashboard at http://localhost:8080 + +See [QUICK_START.md](QUICK_START.md) for detailed user instructions. + +### For Developers + +```bash +# Install dependencies +npm install + +# Run in development mode with DevTools +npm run dev + +# Build for Windows +npm run build:win +``` + +See [BUILD_GUIDE.md](BUILD_GUIDE.md) for comprehensive build instructions. + +## 📋 System Requirements + +- **Operating System**: Windows 10/11, macOS 10.15+, or Linux +- **RAM**: 4GB minimum, 8GB recommended +- **Disk Space**: 2GB free space +- **Dependencies**: Docker and Caddy (installer can install these) + +## 🏗️ Project Structure + +``` +dashcaddy-installer/ +├── src/ +│ ├── main/ # Electron main process +│ │ ├── index.js # Main entry & IPC handlers +│ │ ├── dependency-checker.js # Docker/Caddy detection +│ │ ├── config-manager.js # Configuration management +│ │ ├── file-deployer.js # File copying & deployment +│ │ ├── caddyfile-generator.js # Config generation +│ │ ├── browser-launcher.js # Browser integration +│ │ └── service-manager.js # Service control +│ ├── renderer/ # UI layer +│ │ ├── index.html # Main HTML +│ │ ├── wizard.js # Wizard logic +│ │ └── styles.css # Styling +│ ├── preload/ # IPC bridge +│ │ └── index.js # Secure IPC exposure +│ └── shared/ # Shared utilities +│ ├── constants.js # App constants +│ └── platform-utils.js # Platform detection +├── templates/ # Configuration templates +│ ├── Caddyfile.template # Caddyfile template +│ ├── docker-compose.template.yml +│ └── README.md +├── assets/ # Images & icons +│ ├── icon.png # App icon +│ └── dashcaddy-logo.png +├── dist/ # Build output (generated) +├── BUILD_GUIDE.md # Comprehensive build guide +├── QUICK_START.md # User quick start guide +└── package.json # Dependencies & config +``` + +## 🛠️ Development + +### Setup + +```bash +# Clone the repository +git clone +cd dashcaddy-installer + +# Install dependencies +npm install +``` + +### Running + +```bash +# Development mode with DevTools +npm run dev + +# Production mode +npm start +``` + +### Testing + +```bash +# Run all tests +npm test + +# Run tests in watch mode +npm run test:watch + +# Run property-based tests +npm test -- --testNamePattern="property" +``` + +### Building + +```bash +# Build for current platform +npm run build + +# Build for specific platforms +npm run build:win # Windows +npm run build:mac # macOS +npm run build:linux # Linux +``` + +**Build Output:** +- Windows: `dist/win-unpacked/DashCaddy Installer.exe` (168MB portable) +- macOS: `dist/DashCaddy Installer.dmg` +- Linux: `dist/DashCaddy Installer.AppImage` + +## 📖 Documentation + +- **[BUILD_GUIDE.md](BUILD_GUIDE.md)** - Complete build and development guide +- **[QUICK_START.md](QUICK_START.md)** - User installation guide +- **[templates/README.md](templates/README.md)** - Template documentation + +## 🎯 Installation Wizard Steps + +### 1. Welcome +- Introduction to DashCaddy +- Platform detection +- Feature overview + +### 2. Choose Folders +- Select installation directory +- Configure Docker data path +- Set Caddy config location + +### 3. Check Dependencies +- Detect Docker installation +- Detect Caddy installation +- Install missing dependencies + +### 4. Installation +- Deploy dashboard files +- Deploy API server +- Install npm dependencies +- Generate configurations +- Start services + +### 5. Complete +- Installation summary +- Dashboard URL +- Quick access button + +## 🔧 Configuration + +### Source Directories + +The installer copies files from: +- **Dashboard**: `../status/` → `{install}/dashboard/` +- **API Server**: `../dashcaddy-api/` → `{install}/api/` + +### Generated Files + +The installer creates: +- `Caddyfile` - Reverse proxy configuration +- `docker-compose.yml` - Container orchestration +- `.dashcaddy-config.json` - Installation settings + +### Default Ports + +- **Dashboard**: 8080 +- **API Server**: 3001 +- **Caddy Admin**: 2019 + +## 🐛 Troubleshooting + +### Build Issues +- Ensure Node.js 18+ is installed +- Delete `node_modules` and run `npm install` +- Check that source directories exist + +### Runtime Issues +- Run with `npm run dev` to see console errors +- Check that Docker daemon is running +- Verify Caddy is installed and accessible +- Ensure ports 8080, 3001, 2021 are available + +### Deployment Issues +- Verify source paths in `file-deployer.js` +- Check write permissions on installation directory +- Ensure sufficient disk space + +## 🤝 Contributing + +1. Fork the repository +2. Create a feature branch +3. Make your changes +4. Add tests if applicable +5. Submit a pull request + +## 📝 License + +MIT + +## 🙏 Acknowledgments + +Built with: +- [Electron](https://www.electronjs.org/) - Cross-platform desktop apps +- [electron-builder](https://www.electron.build/) - Build and packaging +- [Jest](https://jestjs.io/) - Testing framework +- [fast-check](https://fast-check.dev/) - Property-based testing diff --git a/dashcaddy-installer/assets/DashCaddy logo dark.png b/dashcaddy-installer/assets/DashCaddy logo dark.png new file mode 100644 index 0000000..c3fcddc Binary files /dev/null and b/dashcaddy-installer/assets/DashCaddy logo dark.png differ diff --git a/dashcaddy-installer/assets/dashcaddy logo blue.png b/dashcaddy-installer/assets/dashcaddy logo blue.png new file mode 100644 index 0000000..5c185b5 Binary files /dev/null and b/dashcaddy-installer/assets/dashcaddy logo blue.png differ diff --git a/dashcaddy-installer/assets/dashcaddy logo icon.png b/dashcaddy-installer/assets/dashcaddy logo icon.png new file mode 100644 index 0000000..694749d Binary files /dev/null and b/dashcaddy-installer/assets/dashcaddy logo icon.png differ diff --git a/dashcaddy-installer/assets/dashcaddy logo light.png b/dashcaddy-installer/assets/dashcaddy logo light.png new file mode 100644 index 0000000..1ff97d5 Binary files /dev/null and b/dashcaddy-installer/assets/dashcaddy logo light.png differ diff --git a/dashcaddy-installer/assets/dashcaddy logo.png b/dashcaddy-installer/assets/dashcaddy logo.png new file mode 100644 index 0000000..a82a54f Binary files /dev/null and b/dashcaddy-installer/assets/dashcaddy logo.png differ diff --git a/dashcaddy-installer/assets/dashcaddy-logo.png b/dashcaddy-installer/assets/dashcaddy-logo.png new file mode 100644 index 0000000..a82a54f Binary files /dev/null and b/dashcaddy-installer/assets/dashcaddy-logo.png differ diff --git a/dashcaddy-installer/assets/favicon.ico b/dashcaddy-installer/assets/favicon.ico new file mode 100644 index 0000000..f199ce6 Binary files /dev/null and b/dashcaddy-installer/assets/favicon.ico differ diff --git a/dashcaddy-installer/assets/icon.ico b/dashcaddy-installer/assets/icon.ico new file mode 100644 index 0000000..f199ce6 Binary files /dev/null and b/dashcaddy-installer/assets/icon.ico differ diff --git a/dashcaddy-installer/install.sh b/dashcaddy-installer/install.sh new file mode 100644 index 0000000..7609d2a --- /dev/null +++ b/dashcaddy-installer/install.sh @@ -0,0 +1,960 @@ +#!/usr/bin/env bash +# ============================================================================ +# DashCaddy Linux Installer v1.0 +# +# Zero-effort install: +# curl -fsSL https://get.dashcaddy.net | bash +# +# Zero-typing install (local mode, instant access): +# curl -fsSL https://get.dashcaddy.net | bash -s -- quick +# +# With a domain (only thing you type is the domain): +# curl -fsSL https://get.dashcaddy.net | bash -s -- --domain my.example.com +# +# Designed for accessibility — all choices are single keystrokes. +# ============================================================================ + +set -euo pipefail + +# ---- Constants ------------------------------------------------------------- +readonly DASHCADDY_VERSION="1.0.0" +readonly DASHCADDY_DOWNLOAD="https://get.dashcaddy.net/release/latest.tar.gz" +readonly DASHCADDY_REPO="" # Set to a git URL to clone instead of downloading +readonly INSTALL_DIR="/etc/dashcaddy" +readonly DOCKER_DATA="/opt/dockerdata" +readonly SITES_DIR="${INSTALL_DIR}/sites" +readonly API_DIR="${SITES_DIR}/dashcaddy-api" +readonly DASHBOARD_DIR="${SITES_DIR}/status" +readonly CONTAINER_NAME="dashcaddy-api" +readonly CADDY_ADMIN_PORT=2019 + +# ---- Tunables (overridable via flags) -------------------------------------- +API_PORT=3001 +LOCAL_PORT=8080 + +# ---- Runtime state --------------------------------------------------------- +DOMAIN_MODE="" # public | custom-tld | local +DOMAIN="" +EMAIL="" +TLD="" +CA_NAME="DashCaddy Local CA" +SOURCE_PATH="" +GIT_BRANCH="main" +SKIP_DOCKER=false +SKIP_CADDY=false +UNINSTALL=false +KEEP_CONFIG=false +AUTO_YES=false +QUICK=false +DISTRO="" +DISTRO_FAMILY="" # debian | rhel | arch +PUBLIC_IP="" +LAN_IP="" +STEP=0 +TOTAL_STEPS=7 + +# ---- Colors ---------------------------------------------------------------- +if [[ -t 1 ]]; then + RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[0;33m' + BLUE='\033[0;34m'; CYAN='\033[0;36m'; BOLD='\033[1m' + DIM='\033[2m'; NC='\033[0m' +else + RED=''; GREEN=''; YELLOW=''; BLUE=''; CYAN=''; BOLD=''; DIM=''; NC='' +fi + +# ============================================================================ +# Output Helpers +# ============================================================================ + +log() { echo -e "${CYAN}[DashCaddy]${NC} $*"; } +ok() { echo -e "${GREEN} ✓${NC} $*"; } +warn() { echo -e "${YELLOW} !${NC} $*"; } +err() { echo -e "${RED} ✗${NC} $*" >&2; } +fatal() { err "$*"; echo -e "${DIM} If this keeps failing, see: https://dashcaddy.net/docs/troubleshoot${NC}" >&2; exit 1; } + +step() { + STEP=$((STEP + 1)) + echo "" + echo -e "${BOLD}${BLUE} [${STEP}/${TOTAL_STEPS}] $*${NC}" + echo -e "${BLUE} ─────────────────────────────────────────${NC}" +} + +# Simple progress: run command in background, show dots +progress() { + local msg="$1"; shift + printf "${CYAN} ▸${NC} %s " "$msg" + + # Run the command, capture output for error reporting + local logfile="/tmp/dashcaddy-install-$$.log" + if "$@" >"$logfile" 2>&1; then + echo -e "${GREEN}done${NC}" + rm -f "$logfile" + return 0 + else + echo -e "${RED}failed${NC}" + echo -e "${DIM} Last output:${NC}" + tail -5 "$logfile" 2>/dev/null | sed 's/^/ /' + rm -f "$logfile" + return 1 + fi +} + +elapsed() { + local diff=$(( $(date +%s) - $1 )) + if (( diff < 60 )); then + echo "${diff}s" + else + printf '%dm%02ds' $((diff / 60)) $((diff % 60)) + fi +} + +# ============================================================================ +# System Detection +# ============================================================================ + +detect_system() { + # --- Root check --- + if [[ $EUID -ne 0 ]]; then + fatal "Must run as root. Try: sudo bash install.sh" + fi + + # --- OS detection --- + if [[ ! -f /etc/os-release ]]; then + fatal "Cannot detect OS — /etc/os-release not found." + fi + source /etc/os-release + + case "${ID,,}" in + ubuntu|debian|pop|linuxmint|elementary|zorin|raspbian) + DISTRO="${ID}"; DISTRO_FAMILY="debian" ;; + fedora|rhel|centos|rocky|almalinux|ol|amzn) + DISTRO="${ID}"; DISTRO_FAMILY="rhel" ;; + arch|manjaro|endeavouros) + DISTRO="${ID}"; DISTRO_FAMILY="arch" ;; + *) + DISTRO="${ID}"; DISTRO_FAMILY="debian" + warn "Unknown distro '${ID}' — using Debian-style commands" ;; + esac + + ok "OS: ${PRETTY_NAME:-$DISTRO}" + + # --- Architecture --- + local arch + arch=$(uname -m) + case "$arch" in + x86_64|amd64|aarch64|arm64) ok "Arch: ${arch}" ;; + *) warn "Arch '${arch}' may not be fully supported" ;; + esac + + # --- Network --- + LAN_IP=$(ip -4 route get 1.1.1.1 2>/dev/null | awk '{print $7; exit}' || hostname -I 2>/dev/null | awk '{print $1}' || echo "unknown") + PUBLIC_IP=$(curl -fsSL --max-time 3 https://api.ipify.org 2>/dev/null || curl -fsSL --max-time 3 https://ifconfig.me 2>/dev/null || echo "unknown") + ok "LAN IP: ${LAN_IP}" + ok "Public IP: ${PUBLIC_IP}" + + # --- Existing install? --- + if [[ -f "${INSTALL_DIR}/config.json" ]]; then + warn "Existing DashCaddy installation detected" + warn "Re-running will upgrade in place (configs preserved)" + fi +} + +# ============================================================================ +# Interactive Setup — minimal typing, number keys only +# ============================================================================ + +interactive_setup() { + # Skip if mode already set via flags + if [[ -n "$DOMAIN_MODE" ]]; then return; fi + + # Detect environment to offer smart defaults + local is_vps=false + if [[ "$PUBLIC_IP" != "unknown" && "$PUBLIC_IP" != "$LAN_IP" ]] || \ + [[ "$LAN_IP" =~ ^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.) ]]; then + : # Private IP — probably homelab or local + else + is_vps=true + fi + + echo "" + echo -e "${BOLD} How will you access DashCaddy?${NC}" + echo "" + + if $is_vps; then + echo -e " ${BOLD}1${NC}) Public domain ${DIM}— Let's Encrypt TLS (recommended for VPS)${NC}" + echo -e " ${BOLD}2${NC}) Quick start ${DIM}— http://${PUBLIC_IP}:${LOCAL_PORT} right now, add domain later${NC}" + echo -e " ${BOLD}3${NC}) Custom TLD ${DIM}— Internal CA for homelab (e.g., .home, .lab)${NC}" + else + echo -e " ${BOLD}1${NC}) Quick start ${DIM}— http://${LAN_IP}:${LOCAL_PORT} right now${NC}" + echo -e " ${BOLD}2${NC}) Custom TLD ${DIM}— Internal CA for homelab (e.g., .home, .lab)${NC}" + echo -e " ${BOLD}3${NC}) Public domain ${DIM}— Let's Encrypt TLS${NC}" + fi + + echo "" + local choice + read -rp "$(echo -e " ${YELLOW}Press 1, 2, or 3:${NC} ")" -n1 choice + echo "" + + if $is_vps; then + case "$choice" in + 1) setup_public_domain ;; + 2) DOMAIN_MODE="local" ;; + 3) setup_custom_tld ;; + *) DOMAIN_MODE="local"; warn "Defaulting to Quick Start" ;; + esac + else + case "$choice" in + 1) DOMAIN_MODE="local" ;; + 2) setup_custom_tld ;; + 3) setup_public_domain ;; + *) DOMAIN_MODE="local"; warn "Defaulting to Quick Start" ;; + esac + fi +} + +setup_public_domain() { + DOMAIN_MODE="public" + echo "" + read -rp "$(echo -e " ${YELLOW}Domain name:${NC} ")" DOMAIN + if [[ -z "$DOMAIN" ]]; then + fatal "Domain is required for public mode." + fi + + # Auto-check if domain points to this server + local resolved + resolved=$(dig +short "$DOMAIN" 2>/dev/null | head -1) + if [[ -n "$resolved" && "$resolved" == "$PUBLIC_IP" ]]; then + ok "${DOMAIN} correctly points to ${PUBLIC_IP}" + elif [[ -n "$resolved" ]]; then + warn "${DOMAIN} resolves to ${resolved}, but this server is ${PUBLIC_IP}" + echo -e " ${DIM}Let's Encrypt will fail if DNS doesn't point here.${NC}" + echo "" + read -rp "$(echo -e " ${YELLOW}Continue anyway? [y/N]:${NC} ")" -n1 cont + echo "" + [[ "$cont" =~ ^[Yy]$ ]] || fatal "Fix DNS first, then re-run the installer." + else + warn "Could not verify DNS for ${DOMAIN}" + echo -e " ${DIM}Make sure ${DOMAIN} points to ${PUBLIC_IP} for TLS to work.${NC}" + fi + + # Email — offer skip + echo "" + echo -e " ${DIM}Email for Let's Encrypt notifications (optional, press Enter to skip):${NC}" + read -rp " " EMAIL +} + +setup_custom_tld() { + DOMAIN_MODE="custom-tld" + echo "" + echo -e " ${DIM}Common choices: .home .local .lab .lan${NC}" + read -rp "$(echo -e " ${YELLOW}TLD (default .home):${NC} ")" TLD + [[ -z "$TLD" ]] && TLD=".home" + [[ "$TLD" != .* ]] && TLD=".$TLD" + + echo "" + read -rp "$(echo -e " ${YELLOW}CA name (default: DashCaddy Local CA):${NC} ")" input + [[ -n "$input" ]] && CA_NAME="$input" +} + +# ============================================================================ +# Dependency Installation +# ============================================================================ + +install_prereqs() { + # Only install what's missing + local needed=() + command -v curl &>/dev/null || needed+=(curl) + command -v jq &>/dev/null || needed+=(jq) + command -v dig &>/dev/null || needed+=(dnsutils) + # git only needed if using --source with a repo URL + [[ -n "$DASHCADDY_REPO" ]] && ! command -v git &>/dev/null && needed+=(git) + + if [[ ${#needed[@]} -eq 0 ]]; then + ok "Prerequisites already installed" + return + fi + + progress "Installing ${needed[*]}..." bash -c " + case '$DISTRO_FAMILY' in + debian) apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq ${needed[*]} ;; + rhel) dnf install -y -q ${needed[*]} 2>/dev/null || yum install -y -q ${needed[*]} ;; + arch) pacman -Sy --noconfirm ${needed[*]} ;; + esac + " || warn "Some prerequisites may not have installed" +} + +install_docker() { + if $SKIP_DOCKER; then ok "Docker: skipped (--skip-docker)"; return; fi + + if command -v docker &>/dev/null && docker info &>/dev/null; then + ok "Docker: $(docker --version | grep -oP 'Docker version [\d.]+')" + return + fi + + progress "Installing Docker (this is the slowest step)..." bash -c " + case '$DISTRO_FAMILY' in + debian) + curl -fsSL https://get.docker.com | sh + ;; + rhel) + if command -v dnf &>/dev/null; then + dnf install -y -q dnf-plugins-core + dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo + dnf install -y -q docker-ce docker-ce-cli containerd.io docker-compose-plugin + else + yum install -y -q yum-utils + yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo + yum install -y -q docker-ce docker-ce-cli containerd.io docker-compose-plugin + fi + ;; + arch) + pacman -Sy --noconfirm docker docker-compose + ;; + esac + systemctl enable docker + systemctl start docker + " || fatal "Docker installation failed. Install manually: https://docs.docker.com/engine/install/" + + if docker info &>/dev/null; then + ok "Docker: $(docker --version | grep -oP 'Docker version [\d.]+')" + else + fatal "Docker installed but daemon not running. Try: systemctl start docker" + fi +} + +install_caddy() { + if $SKIP_CADDY; then ok "Caddy: skipped (--skip-caddy)"; return; fi + + if command -v caddy &>/dev/null; then + ok "Caddy: $(caddy version 2>/dev/null | head -1)" + return + fi + + progress "Installing Caddy..." bash -c " + case '$DISTRO_FAMILY' in + debian) + apt-get install -y -qq debian-keyring debian-archive-keyring apt-transport-https + curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg + curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list > /dev/null + apt-get update -qq + apt-get install -y -qq caddy + ;; + rhel) + if command -v dnf &>/dev/null; then + dnf install -y -q 'dnf-command(copr)' + dnf copr enable -y @caddy/caddy + dnf install -y -q caddy + else + yum install -y -q yum-plugin-copr + yum copr enable -y @caddy/caddy + yum install -y -q caddy + fi + ;; + arch) + pacman -Sy --noconfirm caddy + ;; + esac + # Stop default Caddy — we configure it ourselves + systemctl stop caddy 2>/dev/null || true + " || fatal "Caddy installation failed. Install manually: https://caddyserver.com/docs/install" + + ok "Caddy: $(caddy version 2>/dev/null | head -1)" +} + +# ============================================================================ +# Fix known OS issues automatically +# ============================================================================ + +fix_system_issues() { + # systemd-resolved stub — breaks Docker DNS and Tailscale + if [[ -L /etc/resolv.conf ]] && readlink /etc/resolv.conf | grep -q stub; then + rm -f /etc/resolv.conf + cat > /etc/resolv.conf <<'EOF' +# Set by DashCaddy installer (replaced systemd-resolved stub) +nameserver 1.1.1.1 +nameserver 8.8.8.8 +nameserver 1.0.0.1 +EOF + ok "Fixed systemd-resolved stub (replaced with public DNS)" + fi + + # Ensure /etc/caddy exists + mkdir -p /etc/caddy +} + +# ============================================================================ +# Directory & File Setup +# ============================================================================ + +create_directories() { + mkdir -p "$INSTALL_DIR" "$DOCKER_DATA" "$SITES_DIR" "$API_DIR" "$DASHBOARD_DIR" "${DASHBOARD_DIR}/assets" + ok "Directories created" +} + +fetch_source() { + local tmp_src="/tmp/dashcaddy-src-$$" + + if [[ -n "$SOURCE_PATH" ]]; then + if [[ ! -d "$SOURCE_PATH" ]]; then + fatal "Source path not found: $SOURCE_PATH" + fi + tmp_src="$SOURCE_PATH" + ok "Using local source: $SOURCE_PATH" + elif [[ -n "$DASHCADDY_REPO" ]]; then + # Git clone mode (for development) + progress "Cloning DashCaddy..." \ + git clone --depth 1 --branch "$GIT_BRANCH" "$DASHCADDY_REPO" "$tmp_src" \ + || fatal "Failed to clone DashCaddy. Check network." + else + # Download release tarball (default — no git needed) + mkdir -p "$tmp_src" + progress "Downloading DashCaddy v${DASHCADDY_VERSION}..." bash -c " + curl -fsSL '${DASHCADDY_DOWNLOAD}' | tar xz -C '$tmp_src' --strip-components=1 + " || fatal "Failed to download DashCaddy. Check network or try --source with a local copy." + fi + + # Find API source (handle different repo layouts) + local api_src="" + for try in "${tmp_src}/dashcaddy-api" "${tmp_src}/sites/dashcaddy-api" "${tmp_src}/api"; do + [[ -d "$try" ]] && api_src="$try" && break + done + [[ -z "$api_src" ]] && fatal "Cannot find dashcaddy-api/ in source" + + # Find dashboard source + local dash_src="" + for try in "${tmp_src}/status" "${tmp_src}/sites/status" "${tmp_src}/dashboard"; do + [[ -d "$try" ]] && dash_src="$try" && break + done + [[ -z "$dash_src" ]] && fatal "Cannot find dashboard source in source" + + # Deploy API files + cp -f "${api_src}"/*.js "$API_DIR/" 2>/dev/null || true + cp -f "${api_src}/package.json" "$API_DIR/" + cp -f "${api_src}/package-lock.json" "$API_DIR/" 2>/dev/null || true + cp -f "${api_src}/Dockerfile" "$API_DIR/" + cp -f "${api_src}/openapi.yaml" "$API_DIR/" 2>/dev/null || true + [[ -d "${api_src}/routes" ]] && cp -rf "${api_src}/routes" "$API_DIR/" + ok "API files deployed" + + # Deploy dashboard files + cp -f "${dash_src}/index.html" "$DASHBOARD_DIR/" + cp -f "${dash_src}/sw.js" "$DASHBOARD_DIR/" 2>/dev/null || true + for dir in css js dist vendor assets; do + [[ -d "${dash_src}/${dir}" ]] && cp -rf "${dash_src}/${dir}" "$DASHBOARD_DIR/" + done + ok "Dashboard files deployed" + + # Cleanup + [[ -z "$SOURCE_PATH" ]] && rm -rf "$tmp_src" +} + +create_seed_configs() { + local config_type dashboard_host tz + + case "$DOMAIN_MODE" in + public) config_type="public"; dashboard_host="$DOMAIN" ;; + custom-tld) config_type="homelab"; dashboard_host="dashcaddy${TLD}" ;; + local) config_type="local"; dashboard_host="${LAN_IP}:${LOCAL_PORT}" ;; + esac + + tz=$(timedatectl show --property=Timezone --value 2>/dev/null || echo 'UTC') + + # Only create files that don't already exist (preserve on re-install) + [[ -f "${INSTALL_DIR}/services.json" ]] || echo '[]' > "${INSTALL_DIR}/services.json" + [[ -f "${INSTALL_DIR}/dns-credentials.json" ]] || echo '{}' > "${INSTALL_DIR}/dns-credentials.json" + [[ -f "${INSTALL_DIR}/credentials.json" ]] || echo '{}' > "${INSTALL_DIR}/credentials.json" + [[ -f "${INSTALL_DIR}/notifications.json" ]] || echo '[]' > "${INSTALL_DIR}/notifications.json" + + if [[ ! -f "${INSTALL_DIR}/.encryption-key" ]]; then + openssl rand -hex 32 > "${INSTALL_DIR}/.encryption-key" + chmod 600 "${INSTALL_DIR}/.encryption-key" + fi + + # config.json — always regenerate (contains dashboard URL which may change) + cat > "${INSTALL_DIR}/config.json" < "$cf" < "$cf" < "$cf" < "${API_DIR}/docker-compose.yml" </dev/null || true + + cd "$API_DIR" + + progress "Building container image (30-60s)..." \ + docker compose build --quiet \ + || progress "Building container image (fallback)..." \ + docker-compose build --quiet \ + || fatal "Docker build failed. Check: docker info" + + progress "Starting container..." \ + docker compose up -d \ + || docker-compose up -d 2>/dev/null \ + || fatal "Failed to start container" + + # Wait for healthy + local i=0 + printf "${CYAN} ▸${NC} Waiting for API health check " + while (( i < 30 )); do + if curl -fsSL --max-time 2 "http://localhost:${API_PORT}/health" &>/dev/null; then + echo -e "${GREEN}healthy${NC}" + return + fi + printf "." + sleep 1 + i=$((i + 1)) + done + echo -e "${YELLOW}timeout${NC}" + warn "API may still be starting. Check: docker logs ${CONTAINER_NAME}" +} + +start_caddy() { + # Symlink our Caddyfile to where Caddy's systemd unit expects it + if [[ -f /etc/caddy/Caddyfile && ! -L /etc/caddy/Caddyfile ]]; then + mv /etc/caddy/Caddyfile /etc/caddy/Caddyfile.original 2>/dev/null || true + fi + ln -sf "${INSTALL_DIR}/Caddyfile" /etc/caddy/Caddyfile + + systemctl enable caddy >/dev/null 2>&1 + systemctl restart caddy 2>/dev/null + + sleep 2 + if systemctl is-active --quiet caddy; then + ok "Caddy is running" + else + warn "Caddy may have issues. Check: systemctl status caddy" + fi +} + +# ============================================================================ +# Firewall +# ============================================================================ + +open_firewall() { + if command -v ufw &>/dev/null && ufw status 2>/dev/null | grep -q "active"; then + case "$DOMAIN_MODE" in + public) + ufw allow 80/tcp >/dev/null 2>&1; ufw allow 443/tcp >/dev/null 2>&1 + ok "Firewall: opened 80, 443 (UFW)" ;; + local) + ufw allow "${LOCAL_PORT}"/tcp >/dev/null 2>&1 + ok "Firewall: opened ${LOCAL_PORT} (UFW)" ;; + esac + elif command -v firewall-cmd &>/dev/null && systemctl is-active --quiet firewalld 2>/dev/null; then + case "$DOMAIN_MODE" in + public) + firewall-cmd --permanent --add-service=http --add-service=https >/dev/null 2>&1 + firewall-cmd --reload >/dev/null 2>&1 + ok "Firewall: opened 80, 443 (firewalld)" ;; + local) + firewall-cmd --permanent --add-port="${LOCAL_PORT}"/tcp >/dev/null 2>&1 + firewall-cmd --reload >/dev/null 2>&1 + ok "Firewall: opened ${LOCAL_PORT} (firewalld)" ;; + esac + fi +} + +# ============================================================================ +# Uninstall +# ============================================================================ + +do_uninstall() { + echo -e "\n${BOLD} Uninstalling DashCaddy${NC}\n" + + echo " This will:" + echo " - Stop and remove the dashcaddy-api container" + echo " - Remove DashCaddy files from ${INSTALL_DIR}/" + if $KEEP_CONFIG; then + echo " - KEEP your config files (--keep-config)" + fi + echo " - NOT remove Docker or Caddy" + echo "" + + read -rp "$(echo -e " ${YELLOW}Continue? [y/N]:${NC} ")" -n1 answer + echo "" + [[ "$answer" =~ ^[Yy]$ ]] || { echo " Cancelled."; exit 0; } + + docker rm -f "$CONTAINER_NAME" 2>/dev/null && ok "Container removed" || true + + if [[ -L /etc/caddy/Caddyfile ]] && readlink /etc/caddy/Caddyfile | grep -q dashcaddy; then + rm -f /etc/caddy/Caddyfile + [[ -f /etc/caddy/Caddyfile.original ]] && mv /etc/caddy/Caddyfile.original /etc/caddy/Caddyfile + systemctl restart caddy 2>/dev/null || true + ok "Caddy config restored" + fi + + if $KEEP_CONFIG; then + rm -rf "$API_DIR" "$DASHBOARD_DIR" + ok "App files removed, config preserved in ${INSTALL_DIR}/" + else + rm -rf "$INSTALL_DIR" + ok "All files removed from ${INSTALL_DIR}/" + fi + + echo -e "\n${GREEN} DashCaddy uninstalled.${NC}\n" + exit 0 +} + +# ============================================================================ +# Argument Parsing +# ============================================================================ + +parse_args() { + while [[ $# -gt 0 ]]; do + case "$1" in + quick) QUICK=true; DOMAIN_MODE="local"; shift ;; + --domain) DOMAIN_MODE="public"; DOMAIN="${2:-}"; shift; shift ;; + --email) EMAIL="${2:-}"; shift; shift ;; + --tld) DOMAIN_MODE="custom-tld"; TLD="${2:-}"; shift; shift ;; + --ca-name) CA_NAME="${2:-}"; shift; shift ;; + --local) DOMAIN_MODE="local"; shift ;; + --port) LOCAL_PORT="${2:-8080}"; shift; shift ;; + --api-port) API_PORT="${2:-3001}"; shift; shift ;; + --source) SOURCE_PATH="${2:-}"; shift; shift ;; + --branch) GIT_BRANCH="${2:-main}"; shift; shift ;; + --skip-docker) SKIP_DOCKER=true; shift ;; + --skip-caddy) SKIP_CADDY=true; shift ;; + --uninstall) UNINSTALL=true; shift ;; + --keep-config) KEEP_CONFIG=true; shift ;; + --yes|-y) AUTO_YES=true; shift ;; + --help|-h) print_help; exit 0 ;; + *) warn "Unknown option: $1 (ignored)"; shift ;; + esac + done + + # Normalize TLD + if [[ -n "$TLD" && "$TLD" != .* ]]; then TLD=".$TLD"; fi +} + +print_help() { + cat <<'HELP' + + DashCaddy Linux Installer + + QUICK INSTALL (zero typing): + curl -fsSL https://get.dashcaddy.net | bash -s -- quick + + WITH DOMAIN: + curl -fsSL https://get.dashcaddy.net | bash -s -- --domain my.example.com + + INTERACTIVE: + curl -fsSL https://get.dashcaddy.net | bash + + OPTIONS: + quick Instant local install, zero questions + --domain DOMAIN Public domain (Let's Encrypt TLS) + --email EMAIL Let's Encrypt email (optional) + --tld TLD Custom TLD, internal CA (e.g., .home) + --local Local mode (http://IP:port) + --port PORT Port for local mode (default: 8080) + --source PATH Use local source files + --skip-docker Already have Docker + --skip-caddy Already have Caddy + --uninstall Remove DashCaddy + --keep-config Keep configs during uninstall + --yes Skip confirmations + +HELP +} + +# ============================================================================ +# Banner & Success +# ============================================================================ + +print_banner() { + echo "" + echo -e "${BOLD}${BLUE} ╔══════════════════════════════════════════════╗${NC}" + echo -e "${BOLD}${BLUE} ║${NC}${BOLD} DashCaddy Installer v${DASHCADDY_VERSION} ${BLUE}║${NC}" + echo -e "${BOLD}${BLUE} ╚══════════════════════════════════════════════╝${NC}" + echo "" +} + +print_success() { + local total_time=$1 + local url + + case "$DOMAIN_MODE" in + public) url="https://${DOMAIN}" ;; + custom-tld) url="https://dashcaddy${TLD}" ;; + local) url="http://${PUBLIC_IP}:${LOCAL_PORT}" ;; + esac + + # Also show LAN URL for local mode + local lan_url="" + if [[ "$DOMAIN_MODE" == "local" && "$LAN_IP" != "$PUBLIC_IP" ]]; then + lan_url="http://${LAN_IP}:${LOCAL_PORT}" + fi + + echo "" + echo -e "${GREEN}${BOLD} ┌──────────────────────────────────────────────┐${NC}" + echo -e "${GREEN}${BOLD} │ Installation Complete! │${NC}" + echo -e "${GREEN}${BOLD} └──────────────────────────────────────────────┘${NC}" + echo "" + echo -e " ${BOLD}Open in browser:${NC} ${url}" + [[ -n "$lan_url" ]] && echo -e " ${BOLD}LAN access:${NC} ${lan_url}" + echo "" + echo -e " ${DIM}Config: ${INSTALL_DIR}/ | Logs: docker logs dashcaddy-api${NC}" + echo -e " ${DIM}Installed in: ${total_time}${NC}" + + if [[ "$DOMAIN_MODE" == "public" ]]; then + echo "" + echo -e " ${CYAN}TLS will auto-provision on first visit.${NC}" + echo -e " ${CYAN}Ensure DNS for ${DOMAIN} → ${PUBLIC_IP}${NC}" + fi + + echo "" + echo -e " ${BOLD}Everything is managed from the dashboard — no CLI needed.${NC}" + echo -e " ${DIM}Deploy apps, manage Docker containers, edit Caddy configs,${NC}" + echo -e " ${DIM}and monitor services all from the web UI.${NC}" + echo "" +} + +# ============================================================================ +# Main +# ============================================================================ + +main() { + local start_time + start_time=$(date +%s) + + parse_args "$@" + + # Handle uninstall + if $UNINSTALL; then do_uninstall; fi + + print_banner + + # ---- Step 1: System check ---- + step "Checking system" + detect_system + fix_system_issues + + # ---- Step 2: Configuration ---- + if $QUICK; then + ok "Quick mode: http://${PUBLIC_IP}:${LOCAL_PORT}" + else + step "Configuration" + interactive_setup + fi + + # Show what we're doing + echo "" + case "$DOMAIN_MODE" in + public) log "Installing with domain: ${DOMAIN}" ;; + custom-tld) log "Installing with TLD: ${TLD}" ;; + local) log "Installing in local mode (port ${LOCAL_PORT})" ;; + esac + + # ---- Step 3: Dependencies ---- + step "Installing dependencies" + install_prereqs + install_docker + install_caddy + + # ---- Step 4: Deploy files ---- + step "Deploying DashCaddy" + create_directories + fetch_source + create_seed_configs + + # ---- Step 5: Configuration ---- + step "Generating configuration" + generate_caddyfile + generate_docker_compose + open_firewall + + # ---- Step 6: Build & start ---- + step "Building & starting services" + build_and_start + + # ---- Step 7: Start Caddy ---- + step "Starting web server" + start_caddy + + print_success "$(elapsed "$start_time")" +} + +main "$@" diff --git a/dashcaddy-installer/package.json b/dashcaddy-installer/package.json new file mode 100644 index 0000000..6e317a9 --- /dev/null +++ b/dashcaddy-installer/package.json @@ -0,0 +1,87 @@ +{ + "name": "dashcaddy-installer", + "version": "1.0.0", + "description": "Cross-platform installer for DashCaddy platform", + "main": "src/main/index.js", + "scripts": { + "start": "electron .", + "dev": "electron . --dev", + "test": "jest", + "test:watch": "jest --watch", + "build": "electron-builder", + "build:win": "electron-builder --win", + "build:mac": "electron-builder --mac", + "build:linux": "electron-builder --linux" + }, + "keywords": [ + "dashcaddy", + "installer", + "docker", + "caddy" + ], + "author": { + "name": "DashCaddy Team", + "email": "dashcaddy@sami.cloud" + }, + "homepage": "https://github.com/dashcaddy/dashcaddy", + "license": "MIT", + "devDependencies": { + "electron": "^28.3.3", + "electron-builder": "^24.9.1", + "fast-check": "^3.15.0", + "jest": "^29.7.0" + }, + "build": { + "appId": "com.dashcaddy.installer", + "productName": "DashCaddy Installer", + "asar": true, + "directories": { + "output": "build-output" + }, + "files": [ + "src/**/*", + "assets/**/*", + "templates/**/*" + ], + "extraResources": [ + { + "from": "../status", + "to": "status", + "filter": ["**/*", "!node_modules/**", "!.git/**", "!**/*.test.js", "!**/*.spec.js"] + }, + { + "from": "../dashcaddy-api", + "to": "dashcaddy-api", + "filter": ["**/*", "!node_modules/**", "!.git/**", "!**/*.test.js", "!**/*.spec.js"] + } + ], + "icon": "assets/favicon.ico", + "win": { + "target": [ + "nsis", + "portable" + ], + "icon": "assets/favicon.ico", + "signAndEditExecutable": false + }, + "mac": { + "target": "dmg", + "icon": "assets/dashcaddy-logo.png" + }, + "linux": { + "target": [ + "AppImage", + "deb" + ], + "icon": "assets/dashcaddy-logo.png", + "category": "Utility" + }, + "nsis": { + "oneClick": false, + "allowToChangeInstallationDirectory": true, + "installerIcon": "assets/icon.ico", + "uninstallerIcon": "assets/icon.ico", + "installerHeaderIcon": "assets/icon.ico" + } + } +} diff --git a/dashcaddy-installer/src/main/browser-launcher.js b/dashcaddy-installer/src/main/browser-launcher.js new file mode 100644 index 0000000..911d29c --- /dev/null +++ b/dashcaddy-installer/src/main/browser-launcher.js @@ -0,0 +1,111 @@ +const { exec } = require('child_process'); +const { promisify } = require('util'); +const { getPlatformInfo } = require('../shared/platform-utils'); + +const execAsync = promisify(exec); + +/** + * BrowserLauncher - Opens URLs in the default browser + */ +class BrowserLauncher { + /** + * Open URL in default browser + * @param {string} url - URL to open + */ + async openURL(url) { + try { + const platform = getPlatformInfo(); + let command; + + switch (platform.os) { + case 'windows': + command = `start ${url}`; + break; + case 'macos': + command = `open ${url}`; + break; + case 'linux': + command = `xdg-open ${url}`; + break; + default: + throw new Error(`Unsupported platform: ${platform.os}`); + } + + await execAsync(command); + + return { + success: true, + url, + platform: platform.os + }; + } catch (error) { + return { + success: false, + error: error.message, + url + }; + } + } + + /** + * Open dashboard in browser + * @param {number} port - Port dashboard is running on + * @param {string} hostname - Hostname (default: localhost) + */ + async openDashboard(port = 8080, hostname = 'localhost') { + const url = `http://${hostname}:${port}`; + return this.openURL(url); + } + + /** + * Wait for service to be ready before opening + * @param {string} url - URL to check + * @param {number} maxAttempts - Maximum number of attempts + * @param {number} delayMs - Delay between attempts in milliseconds + */ + async waitForService(url, maxAttempts = 30, delayMs = 1000) { + for (let attempt = 1; attempt <= maxAttempts; attempt++) { + try { + const response = await fetch(url); + if (response.ok) { + return { success: true, attempts: attempt }; + } + } catch (error) { + // Service not ready yet, continue waiting + } + + if (attempt < maxAttempts) { + await new Promise(resolve => setTimeout(resolve, delayMs)); + } + } + + return { + success: false, + error: `Service did not become ready after ${maxAttempts} attempts` + }; + } + + /** + * Open dashboard after waiting for it to be ready + * @param {number} port - Port dashboard is running on + * @param {string} hostname - Hostname (default: localhost) + */ + async openDashboardWhenReady(port = 8080, hostname = 'localhost') { + const url = `http://${hostname}:${port}`; + + // Wait for service to be ready + const waitResult = await this.waitForService(url); + + if (!waitResult.success) { + return { + success: false, + error: waitResult.error + }; + } + + // Open in browser + return this.openURL(url); + } +} + +module.exports = BrowserLauncher; diff --git a/dashcaddy-installer/src/main/caddyfile-generator.js b/dashcaddy-installer/src/main/caddyfile-generator.js new file mode 100644 index 0000000..551a946 --- /dev/null +++ b/dashcaddy-installer/src/main/caddyfile-generator.js @@ -0,0 +1,375 @@ +const fs = require('fs'); +const path = require('path'); +const { DEFAULT_PORTS } = require('../shared/constants'); + +/** + * CaddyfileGenerator - Creates Caddyfile and docker-compose.yml for DashCaddy + * + * Generates production-grade configs that match the patterns used by the + * running DashCaddy deployment (CORS snippets, admin origins, PKI, etc.) + */ +class CaddyfileGenerator { + /** + * Normalize a Windows path to forward slashes for Caddyfile/Docker Compose + */ + _p(s) { + return s.replace(/\\/g, '/'); + } + + /** + * Generate the CORS snippet block used by the API + */ + _corsSnippets() { + return `(cors-preflight) { + @preflight method OPTIONS + header @preflight { + Access-Control-Allow-Origin "*" + Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" + Access-Control-Allow-Headers "*" + Access-Control-Max-Age "600" + } + respond @preflight 204 +} +(cors-allow) { + header { + Access-Control-Allow-Origin "*" + Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" + Access-Control-Allow-Headers "*" + Access-Control-Max-Age "600" + } +} +`; + } + + /** + * Generate the dashcaddy_auth snippet for SSO + */ + _authSnippet(apiPort) { + return `# DashCaddy SSO auth snippet +(dashcaddy_auth) { + forward_auth localhost:${apiPort} { + uri /api/auth/gate/{args[0]} + copy_headers Authorization X-Api-Key X-App-Cookie X-Emby-Token X-Plex-Token + } +} +`; + } + + /** + * Generate the dashboard site block content (shared across all modes) + */ + _dashboardBlock(dashboardPath, tier, apiPort) { + let block = ''; + + block += ` root * ${this._p(dashboardPath)}\n`; + block += ` encode gzip\n\n`; + + // API proxy for intermediate/advanced tiers + if (tier !== 'basic') { + block += ` # API proxy to Docker container\n`; + block += ` handle /api/* {\n`; + block += ` reverse_proxy localhost:${apiPort}\n`; + block += ` }\n\n`; + } + + // SPA fallback with file_server + block += ` # Static site + SPA fallback\n`; + block += ` handle {\n`; + block += ` @notFile not file {path}\n`; + block += ` rewrite @notFile /index.html\n`; + block += ` file_server\n`; + block += ` }\n`; + + return block; + } + + /** + * Generate Caddyfile for local mode (IP:Port, no TLS) + */ + generateCaddyfile(options) { + const { + dashboardPath, + port = 8080, + tier = 'basic', + apiPort = DEFAULT_PORTS.API + } = options; + + const adminPort = DEFAULT_PORTS.CADDY_ADMIN; + + let caddyfile = `# DashCaddy Caddyfile - Local Mode +# Generated by DashCaddy Installer + +{ + admin localhost:${adminPort} { + origins localhost localhost:${adminPort} host.docker.internal host.docker.internal:${adminPort} + } + auto_https off +} + +`; + + if (tier !== 'basic') { + caddyfile += this._corsSnippets() + '\n'; + } + + caddyfile += `:${port} {\n`; + caddyfile += this._dashboardBlock(dashboardPath, tier, apiPort); + caddyfile += `}\n`; + + return caddyfile; + } + + /** + * Generate Caddyfile for public domain mode (Let's Encrypt TLS) + */ + generateCaddyfileWithDomain(options) { + const { + dashboardPath, + domain, + email = '', + tier = 'basic', + apiPort = DEFAULT_PORTS.API + } = options; + + const adminPort = DEFAULT_PORTS.CADDY_ADMIN; + + let caddyfile = `# DashCaddy Caddyfile - Public Domain Mode +# Generated by DashCaddy Installer + +{ + admin localhost:${adminPort} { + origins localhost localhost:${adminPort} host.docker.internal host.docker.internal:${adminPort} + } +`; + if (email) { + caddyfile += ` email ${email}\n`; + } + caddyfile += `}\n\n`; + + if (tier !== 'basic') { + caddyfile += this._corsSnippets() + '\n'; + caddyfile += this._authSnippet(apiPort) + '\n'; + } + + caddyfile += `${domain} {\n`; + caddyfile += this._dashboardBlock(dashboardPath, tier, apiPort); + caddyfile += `}\n`; + + return caddyfile; + } + + /** + * Generate Caddyfile for custom TLD mode (internal CA) + */ + generateCaddyfileCustomTLD(options) { + const { + dashboardPath, + installPath, + tld = '.home', + caName = 'DashCaddy Local CA', + tier = 'basic', + apiPort = DEFAULT_PORTS.API + } = options; + + const adminPort = DEFAULT_PORTS.CADDY_ADMIN; + const dashboardDomain = `dashcaddy${tld}`; + const certsPath = installPath ? this._p(path.join(installPath, 'certs')) : './certs'; + + let caddyfile = `# DashCaddy Caddyfile - Custom TLD Mode (${tld}) +# Generated by DashCaddy Installer + +{ + storage file_system { + root ${certsPath} + } + + admin localhost:${adminPort} { + origins localhost localhost:${adminPort} host.docker.internal host.docker.internal:${adminPort} + } + + pki { + ca local { + name "${caName}" + root_cn "${caName} Root CA" + intermediate_cn "${caName} Intermediate CA" + } + } +} + +`; + + if (tier !== 'basic') { + caddyfile += this._corsSnippets() + '\n'; + caddyfile += this._authSnippet(apiPort) + '\n'; + } + + caddyfile += `# Dashboard - ${dashboardDomain}\n`; + caddyfile += `${dashboardDomain} {\n`; + caddyfile += ` tls internal\n\n`; + caddyfile += this._dashboardBlock(dashboardPath, tier, apiPort); + caddyfile += `}\n`; + + return caddyfile; + } + + /** + * Write Caddyfile to disk + */ + async writeCaddyfile(content, outputPath) { + try { + await fs.promises.writeFile(outputPath, content, 'utf8'); + return { success: true, path: outputPath }; + } catch (error) { + return { success: false, error: error.message }; + } + } + + /** + * Create complete Caddyfile setup + * @param {string} installPath - Installation directory + * @param {Object} options - Configuration options + */ + async createCaddyfileSetup(installPath, options = {}) { + try { + const dashboardPath = path.join(installPath, 'sites', 'status'); + const caddyfilePath = path.join(installPath, 'Caddyfile'); + + let content; + if (options.domainMode === 'public') { + content = this.generateCaddyfileWithDomain({ + dashboardPath, + domain: options.publicDomain, + email: options.email, + tier: options.tier, + apiPort: options.apiPort + }); + } else if (options.domainMode === 'custom-tld') { + content = this.generateCaddyfileCustomTLD({ + dashboardPath, + installPath, + tld: options.tld, + caName: options.caName || 'DashCaddy Local CA', + tier: options.tier, + apiPort: options.apiPort + }); + } else { + content = this.generateCaddyfile({ + dashboardPath, + ...options + }); + } + + const result = await this.writeCaddyfile(content, caddyfilePath); + + if (!result.success) { + throw new Error(result.error); + } + + return { + success: true, + path: caddyfilePath, + content + }; + } catch (error) { + return { + success: false, + error: error.message + }; + } + } + + /** + * Generate docker-compose.yml for running the API server + * @param {string} installPath - Installation directory + * @param {Object} options - Configuration options + * @param {number} options.apiPort - API server port + * @param {string} options.lanIP - Host LAN IP address + * @param {string} options.tailscaleIP - Host Tailscale IP address + * @param {string} options.domainMode - Domain mode (local, public, custom-tld) + */ + generateDockerCompose(installPath, options = {}) { + const apiPort = options.apiPort || DEFAULT_PORTS.API; + const adminPort = DEFAULT_PORTS.CADDY_ADMIN; + const p = this._p.bind(this); + + // Core volume mounts + let volumes = ` - ${p(installPath)}/Caddyfile:/caddyfile:rw + - ${p(installPath)}/services.json:/app/services.json:rw + - ${p(installPath)}/dns-credentials.json:/app/dns-credentials.json:rw + - ${p(installPath)}/config.json:/app/config.json:rw + - ${p(installPath)}/credentials.json:/app/credentials.json:rw + - ${p(installPath)}/.encryption-key:/app/.encryption-key:rw + - ${p(installPath)}/notifications.json:/app/notifications.json:rw + - ${p(installPath)}/sites/status/assets:/app/assets:rw + - /var/run/docker.sock:/var/run/docker.sock`; + + // Add CA cert mount for custom-tld mode + if (options.domainMode === 'custom-tld') { + volumes += `\n - ${p(installPath)}/certs/pki/authorities/local:/app/pki:ro`; + } + + // Environment variables + let envVars = ` - CADDYFILE_PATH=/caddyfile + - CADDY_ADMIN_URL=http://host.docker.internal:${adminPort} + - ASSETS_PATH=/app/assets + - CREDENTIALS_FILE=/app/credentials.json + - NODE_ENV=production`; + + if (options.domainMode === 'custom-tld') { + envVars += `\n - CA_CERT_PATH=/app/pki/root.crt`; + } + + if (options.lanIP) { + envVars += `\n - HOST_LAN_IP=${options.lanIP}`; + } + if (options.tailscaleIP) { + envVars += `\n - HOST_TAILSCALE_IP=${options.tailscaleIP}`; + } + + const dockerCompose = `services: + dashcaddy-api: + build: . + container_name: dashcaddy-api + ports: + - "${apiPort}:${apiPort}" + volumes: +${volumes} + environment: +${envVars} + extra_hosts: + - "host.docker.internal:host-gateway" + restart: unless-stopped +`; + + return dockerCompose; + } + + /** + * Write docker-compose.yml to disk + * @param {string} installPath - Installation directory + * @param {Object} options - Configuration options + */ + async createDockerCompose(installPath, options = {}) { + try { + const content = this.generateDockerCompose(installPath, options); + const apiDir = path.join(installPath, 'sites', 'dashcaddy-api'); + await fs.promises.mkdir(apiDir, { recursive: true }); + const outputPath = path.join(apiDir, 'docker-compose.yml'); + + await fs.promises.writeFile(outputPath, content, 'utf8'); + + return { + success: true, + path: outputPath, + content + }; + } catch (error) { + return { + success: false, + error: error.message + }; + } + } +} + +module.exports = CaddyfileGenerator; diff --git a/dashcaddy-installer/src/main/config-manager.js b/dashcaddy-installer/src/main/config-manager.js new file mode 100644 index 0000000..4ec80a0 --- /dev/null +++ b/dashcaddy-installer/src/main/config-manager.js @@ -0,0 +1,781 @@ +const fs = require('fs').promises; +const path = require('path'); +const { REQUIRED_DIRS } = require('../shared/constants'); + +// Import crypto utilities for secure credential storage +let cryptoUtils; +try { + // Try to load from dashcaddy-api if available + cryptoUtils = require('../../dashcaddy-api/crypto-utils'); +} catch { + // Fallback: create minimal crypto implementation + const crypto = require('crypto'); + const ALGORITHM = 'aes-256-gcm'; + const KEY_LENGTH = 32; + const IV_LENGTH = 16; + + let encryptionKey = null; + + function loadOrCreateKey() { + if (encryptionKey) return encryptionKey; + if (process.env.DASHCADDY_ENCRYPTION_KEY) { + encryptionKey = Buffer.from(process.env.DASHCADDY_ENCRYPTION_KEY, 'hex'); + return encryptionKey; + } + encryptionKey = crypto.randomBytes(KEY_LENGTH); + console.warn('[ConfigManager] Using ephemeral encryption key - credentials will not persist across restarts'); + return encryptionKey; + } + + cryptoUtils = { + encrypt: (data) => { + const key = loadOrCreateKey(); + const iv = crypto.randomBytes(IV_LENGTH); + const plaintext = typeof data === 'object' ? JSON.stringify(data) : String(data); + const cipher = crypto.createCipheriv(ALGORITHM, key, iv); + let encrypted = cipher.update(plaintext, 'utf8', 'base64'); + encrypted += cipher.final('base64'); + const authTag = cipher.getAuthTag(); + return `${iv.toString('base64')}:${authTag.toString('base64')}:${encrypted}`; + }, + decrypt: (encryptedData) => { + const key = loadOrCreateKey(); + const parts = encryptedData.split(':'); + if (parts.length !== 3) throw new Error('Invalid encrypted data format'); + const iv = Buffer.from(parts[0], 'base64'); + const authTag = Buffer.from(parts[1], 'base64'); + const ciphertext = parts[2]; + const decipher = crypto.createDecipheriv(ALGORITHM, key, iv); + decipher.setAuthTag(authTag); + let decrypted = decipher.update(ciphertext, 'base64', 'utf8'); + decrypted += decipher.final('utf8'); + return decrypted; + }, + isEncrypted: (data) => { + if (typeof data !== 'string') return false; + const parts = data.split(':'); + return parts.length === 3; + } + }; +} + +class ConfigManager { + /** + * Saves installation configuration to disk + * @param {Object} config - Configuration object + * @param {string} installPath - Installation directory path + * @returns {Promise

When	IP	Action	Resource	Result
${timeAgo(e.timestamp)}	${e.ip \|\| '-'}	${e.action \|\| '-'}	${e.resource \|\| '-'}	${ok ? '✓' : '✗'}
${JSON.stringify(e.details, null, 2)}

Service	Status	Uptime 24h	Uptime 7d	Avg Response	Last Check
${s.name \|\| s.serviceId}	${isUp ? 'Up' : 'Down'}	${typeof u24 === 'number' ? u24.toFixed(1) + '%' : u24}	${typeof u7d === 'number' ? u7d.toFixed(1) + '%' : u7d}	${avgRt}	${lastCheck}
Loading details...

When	Container	Image	Duration	Status
${timeAgo(h.timestamp)}	${h.containerName}	${h.imageName}	${dur}	${ok ? '✓ success' : '✗ failed'}
${h.error}

+ 📜 + Certificate Information +

📱 Quick Access for Mobile

+ 🔐 + Service Certificates +

+ 📦 + Alternative Downloads +

+ 📖 + Installation Instructions +

Run PowerShell as Administrator

Run the installation command

Verify installation

Download the certificate profile

Install the profile

Alternative: Command line installation

Open Terminal

Run the installation command

Supported distributions

Scan QR code or visit this page

Download the profile

Install the profile

Trust the certificate

Download the certificate

Install the certificate

Note about user certificates

Welcome to DashCaddy

System Requirements

Docker

Caddy

Choose Installation Folders

Choose Deployment Tier

${tier.name}

How will you access DashCaddy?

${mode.name}

DNS Configuration

DNS Configuration

DNS Configuration

DNS Configuration

Dashboard Setup

Installation Failed

Installing DashCaddy

Installation Complete!

Installation Details

Service Status

Uninstall DashCaddy

Detected Installation

Preserve for Reinstall

Uninstalling DashCaddy

Uninstall Complete

Preserved Data

Authentication & CSRF (DC-1xx)

Deployment & Containers (DC-2xx)

DNS & Caddy Configuration (DC-3xx)

Service Management (DC-4xx)

Credentials & Auto-Login (DC-5xx)

Welcome to DashCaddy! 🎉

Choose your configuration:

Professional Home Lab Setup

Simple Setup

✓ What you'll have:

⚠️ Limitations:

Public Server Setup

⚠️ Requirements:

Review Your Configuration

Choose an App

Deploy Application

📜 Audit Log

💾 Backup & Restore

📤 Export Backup

📥 Restore Backup

📋 Backup Contents

⏰ Backup Schedule

Clock Settings

🔑 DNS Credentials

DNS1 (Windows)

DNS2 (Linux)

DNS3 (AlmaLinux)

DNS Settings

DNS Logs

Edit Service

Delete Service

Add Service

🌐 Choose a DNS Server