V2#35
Merged
Conversation
- docs/v2/node-api.openapi.yaml: frozen v2 node REST contract
- .env.example for the v2 env surface
- gitleaks config + ci workflow (vet/build/test, advisory lint)
Node core (clean break from v1): cmd/erebrus + internal/{config,store,wg,
p2p,registrar,telemetry,api,node}. SQLite peer store with race-free IP
allocation, WireGuard manager (wgctrl + templates), libp2p identity/DID,
Gin /api/v2 (peers CRUD + credentials + status) and /metrics. Removes the
v1 gRPC server, webapp, Caddy/agents, contract bindings and api/v1 tree.
Stealth carriers (internal/stealth): embedded sing-box running VLESS+REALITY
(tcp/:8443) and Hysteria2 (udp/:4443) for when WireGuard UDP is DPI-blocked.
Topology A — WireGuard stays the endpoint; node-wide carrier secret routes to
a direct outbound pinned to 127.0.0.1:<wg-port> so the node is not an open
proxy and per-client auth stays in WireGuard. Credential bundle now returns
vless:// + hysteria2:// share URIs and a full sing-box client profile. Minimal
custom protocol registry avoids tor/shadowsocks/gvisor. REQUIRES build tag
with_reality_server (wired into Makefile + Dockerfile).
Installer: new Linux-only install.sh (docker | host modes) with static-IP/NAT,
up+down bandwidth, and active inbound port-reachability preflight; host mode
adds App-Hosting + wildcard DNS guidance. Adds erebrus genmnemonic/version
subcommands. Modernizes docker-compose.yml (v2 env, stealth ports, NET_ADMIN).
Fixes .gitignore so the bare 'erebrus' pattern no longer ignores cmd/erebrus.
Retires the 2005-line v1 install-node.sh.
- Remove v1 cruft: .sample-env, docs/{deploy,node,setup,docs}.md, docs/setup.sh,
docs/docker.sh, docs/swagger.yml, Erebrus.postman_collection.json, and the
unused util/pkg/speedtest (drops the speedtest-go dependency).
- Docs: add docs/NODE.md (operator guide: install, ports, env, management,
troubleshooting) and docs/ARCHITECTURE.md (package layout + stealth topology);
move the v2 API contract to docs/node-api.openapi.yaml; link all from README.
- CI: ci.yml now builds/vets/tests with -tags with_reality_server (the stealth
start-test needs it). Replace the broken v1 image/release workflows
(root-package build, no tag, stale prod-deploy) with clean docker.yml (GHCR via
buildx) and release.yml (Linux amd64/arm64 from ./cmd/erebrus with the tag).
- .env.example: align GATEWAY_URL to gateway.erebrus.io, add NODE_API_TOKEN and
ENABLE_STEALTH/REALITY_HANDSHAKE_SERVER; gofmt.
Release-readiness sweep of the node.
Security fixes:
- Auth fails CLOSED: an unset NODE_API_TOKEN now disables the peer API in release mode (503) instead of allowing it open; open access only under RUNTYPE=debug. Token comparison is constant-time (crypto/subtle).
- Peer handlers no longer echo raw internal/SQL error strings to clients; detail is logged, responses are generic.
- SQLite DB (+WAL/SHM) forced to 0600 — it holds WG/REALITY private keys.
Local dashboard + stats:
- internal/api/web/index.html served at "/" — premium dark page with intro, live stats (connected users, bandwidth, live throughput, uptime), protocol badges, and the full API reference. Polls public endpoints only.
- New GET /api/v2/stats — coarse public aggregates (no per-client rows); GET /healthz liveness probe.
- wg.Manager.Stats() reads live device counters (rx/tx + active peers) via a new Controller.Stats; node.Service.Stats() adds uptime + store peer count.
Docs:
- docs/SECURITY-AUDIT.md — data-capture inventory (what's stored/transmitted/logged), threat model (F1–F11 w/ severity+status), open-relay mitigation, operator hardening checklist, release sweep notes.
- OpenAPI: documents /api/v2/stats + /healthz. README: dashboard + audit links.
Add internal/gatewayclient with frozen WS message schemas, contract tests, auto-registration against POST /api/v2/nodes/register, and a reconnecting client that sends hello, heartbeat, and usage_report frames. Wallet derivation (Solana default, EVM) signs registration challenges from the mnemonic. GatewayBridge handles drain/undrain, rotate_reality, and resync_peers; per-peer WG transfer counters feed usage deltas. Credentials persist in SQLite; NODE_ID/NODE_TOKEN env vars override. API bind unchanged (0.0.0.0) for testing.
Introduce EREBRUS_MODE (private|gateway) and EREBRUS_NETWORK_PROFILE (bridge|host-network|native) with defaults private+bridge. Legacy docker/host values map with deprecation warnings. Add optional API_BIND_ADDR and UNSAFE_PUBLIC_API while keeping 0.0.0.0 as the default bind for testing. Expose runtime_mode and network_profile on /api/v2/status. Installer writes the new env vars and warns on legacy --mode.
Add internal/transport with preferred ladder ordering, scoring, and selection. LocalProber evaluates configured listeners at startup. STEALTH_TCP_PORT and STEALTH_UDP_PORT (with VLESS_PORT/HYSTERIA2_PORT aliases) map to carrier ports. Gateway Mode warns when stealth is not on 443/tcp+udp.
Add carrier_credentials migration and rotation CLI (erebrus rotate carriers). Rotator archives secret hashes with grace period, regenerates stealth carrier secrets, and restarts sing-box. Credential bundles now use bundle_version 2 with transports array, issued_at, and expires_at.
Add services table, registry package, and erebrus serve / services list|inspect|remove commands. Services persist across restarts with private visibility by default.
Add internal/dns UDP resolver for *.ere names using the service registry, with upstream forwarding and DNS query logging disabled by default.
Add service_acls table and ACLChecker for vpn-peer, token, and public policies. Tests cover owner access and peer-grant rules.
Add internal/edge with HTTP reverse proxy for published services and Caddyfile generation. Gateway Mode can enable PUBLIC_GATEWAY_ENABLED to listen on :9081. Add erebrus services publish/unpublish commands.
Add service_domains table and erebrus services domain add|remove commands. Public edge proxy resolves custom domains via CNAME mappings to internal services.
Add internal/templates catalog and erebrus templates list|install commands. Templates register private vpn-peer services (ollama, drop-room, dashboard, etc.).
- Reorganize .env.example into required, debug/release profiles, and optional tiers
- Pass EREBRUS_MODE, stealth ports, gateway, and edge vars through docker-compose
- Extend installer env output with canonical STEALTH_* ports, gateway mode 443, and public edge settings when app hosting is enabled
Pre-deploy hardening from the v2 review.
- `erebrus rotate carriers` no longer runs full node validation (it required WG_ENDPOINT_HOST) and no longer brings up WireGuard or starts a second stealth instance (which would clash with a running node for ports). Rotation is a local DB op: open store + load stealth secrets (no listeners) + rotate + persist. Prints a reminder to restart the node to serve new credentials.
- Management API bind: the public-exposure warning now fires whenever the API is bound to a non-loopback address (the token-gated peer API is then reachable off-host), not only under UNSAFE_PUBLIC_API. Default bind stays 0.0.0.0 so the dashboard and gateway provisioning keep working; operators get a clear, actionable warning (firewall the port or set API_BIND_ADDR=127.0.0.1).
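The fail-closed token rule from the release-readiness sweep and the non-loopback bind warning from the pre-deploy hardening commit, as an added example that is not the Erebrus project's own code. It uses net/http rather than the Gin router the PR describes; the names ResolveAuthPolicy, RequireToken, IsLoopbackBind and BindExposureWarning, the Bearer header format, and the sample port are assumptions for this example, while NODE_API_TOKEN, RUNTYPE=debug, API_BIND_ADDR and the 503/constant-time behaviour come from the commit messages above.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// AuthPolicy is the access decision derived from NODE_API_TOKEN and RUNTYPE.
type AuthPolicy int

const (
	PolicyToken  AuthPolicy = iota // token configured: required on every peer-API request
	PolicyOpen                     // no token, RUNTYPE=debug: open access (local testing only)
	PolicyClosed                   // no token, release run: peer API disabled, 503 on every call
)

// ResolveAuthPolicy applies the fail-closed rule: an unset token disables the
// peer API unless the node is explicitly running in debug mode.
func ResolveAuthPolicy(token, runtype string) AuthPolicy {
	if token != "" {
		return PolicyToken
	}
	if runtype == "debug" {
		return PolicyOpen
	}
	return PolicyClosed
}

// tokenMatches compares in constant time (crypto/subtle) so response timing
// does not reveal how many leading bytes of a guessed token were correct.
func tokenMatches(expected, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

// bearerToken pulls the credential out of "Authorization: Bearer <token>";
// the header format is an assumption for this example, not the project's.
func bearerToken(r *http.Request) string {
	const prefix = "bearer "
	h := r.Header.Get("Authorization")
	if len(h) < len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return ""
	}
	return strings.TrimSpace(h[len(prefix):])
}

// RequireToken gates a peer-API handler with the resolved policy. Error
// bodies are generic: internal detail belongs in the node log, not the reply.
func RequireToken(policy AuthPolicy, token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch policy {
		case PolicyClosed:
			http.Error(w, "peer API disabled: NODE_API_TOKEN is not set", http.StatusServiceUnavailable)
			return
		case PolicyToken:
			if !tokenMatches(token, bearerToken(r)) {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// IsLoopbackBind reports whether a listen address such as "127.0.0.1:9080"
// or "[::1]:9080" keeps the management API on-host. "0.0.0.0", "::" and an
// empty host all bind every interface and are treated as off-host.
func IsLoopbackBind(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		host = addr // no port component
	}
	if host == "localhost" {
		return true // conventional loopback name
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// BindExposureWarning returns the operator warning for a non-loopback bind,
// or "" when the bind is loopback-only. It fires regardless of
// UNSAFE_PUBLIC_API, matching the behaviour the commit describes.
func BindExposureWarning(addr string) string {
	if IsLoopbackBind(addr) {
		return ""
	}
	return fmt.Sprintf("management API bound to %s is reachable off-host; firewall the port or set API_BIND_ADDR=127.0.0.1", addr)
}

func main() {
	// Stand-alone demonstration with constructed settings (port 9080 is a placeholder).
	policy := ResolveAuthPolicy("", "release")
	fmt.Println("no token, release fails closed:", policy == PolicyClosed) // true
	fmt.Println(BindExposureWarning("0.0.0.0:9080"))
	fmt.Println("loopback bind warns:", BindExposureWarning("127.0.0.1:9080") != "") // false
}
```

The policy is resolved once at startup rather than per request, so a node that was started without a token cannot drift into open mode later; the constant-time compare covers the mismatched-length case too, since crypto/subtle returns 0 without a timing difference that depends on content.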
- EREBRUS_MODE: private | shared | public (gateway alias → public)
- GET /api/v2/status: identity, access_mode, readiness checks
- erebrus status, init, doctor commands for bare-metal operators
- internal/initcfg for installer-aligned env generation
- User-facing language: node identity and API key (not mnemonic/token)
- docs/CLOUD.md and docs/INTERNAL-ENV.md for deployment guidance
…hared|public) EREBRUS_MODE now means how the node runs (container or host). EREBRUS_ACCESS controls who can use the node on the gateway. Installer: --mode container|host and --access; decouples Docker from private-only. Legacy EREBRUS_MODE=private|shared|public still parses with deprecation warnings.
…us.io theme
- /api/v2/status identity adds wallet_chain, wallet_chain_label, wallet_address (derived from mnemonic; defaults to Solana)
- Redesign local dashboard with erebrus.io colors, logo, identity cards, readiness
- erebrus status CLI prints wallet address
Adds endpoints.wireguard (public_key, port, endpoint) to /api/v2/status and the local dashboard identity panel. Distinct from libp2p peer_id.
- Access badges show Private/Shared/Public (not "entitled users")
- Region NO → Norway via region_label; badges prefixed Status/Access/Region
- Explain node display name (NODE_NAME / hostname) on dashboard
- Friendlier readiness check titles in UI
Register with org enrollment_secret + gateway PASETO peer API auth. Default EREBRUS_ACCESS to public so new nodes join the open pool unless operators explicitly set private.
updates to accommodate changes in the gateway