Require edge and runtime cookie for Tribes nodes

2026-04-01 23:52:31 +02:00
parent 210ec96d65
commit ea249f1975
2 changed files with 36 additions and 43 deletions
--- a/tribes/services/tribes.scm
+++ b/tribes/services/tribes.scm
@@ -233,13 +233,12 @@

       (setenv "SECRET_KEY_BASE" (read-secret secret-key-file))
       (setenv "TOKEN_SIGNING_SECRET" (read-secret token-file))
-       (unless (string=? #$distribution "none")
-         (unless (file-exists? release-cookie-file)
-           (format (current-error-port)
-                   "missing Tribes release cookie file: ~a~%"
-                   release-cookie-file)
-           (exit 1))
-         (setenv "RELEASE_COOKIE" (read-secret release-cookie-file)))
+       (unless (file-exists? release-cookie-file)
+         (format (current-error-port)
+                 "missing Tribes release cookie file: ~a~%"
+                 release-cookie-file)
+         (exit 1))
+       (setenv "RELEASE_COOKIE" (read-secret release-cookie-file))
       #$@env-setters
       (apply execl
              #$(file-append package "/bin/tribes")
--- a/tribes/system/installer.scm
+++ b/tribes/system/installer.scm
@@ -65,15 +65,12 @@
  "Return an installed NBDE operating-system extended with PostgreSQL and the
 Tribes service.  By default it uses the pinned upstream package; setting
 TRIBES_SOURCE_DIRECTORY switches to a development source override."
-  (let* ((edge-enabled? (getenv/bool "TRIBES_ENABLE_EDGE" #f))
-         (service-user (getenv/default "TRIBES_SERVICE_USER" "tribes"))
+  (let* ((service-user (getenv/default "TRIBES_SERVICE_USER" "tribes"))
         (service-group (getenv/default "TRIBES_SERVICE_GROUP" service-user))
         (database-user (getenv/default "TRIBES_DATABASE_USER" service-user))
         (public-host (getenv/default "TRIBES_PUBLIC_HOST" host-name))
-         (public-port (getenv/integer "TRIBES_HTTP_PORT"
-                                      (if edge-enabled? 443 4000)))
-         (listen-port (getenv/integer "TRIBES_LISTEN_PORT"
-                                      (if edge-enabled? 4000 public-port)))
+         (public-port (getenv/integer "TRIBES_HTTP_PORT" 443))
+         (listen-port (getenv/integer "TRIBES_LISTEN_PORT" 4000))
         (package (tribes-installer-package))
         (tribes-config
          (tribes-configuration
@@ -86,11 +83,9 @@ TRIBES_SOURCE_DIRECTORY switches to a development source override."
            (getenv/default "TRIBES_PLUGIN_DIRECTORY" "/var/lib/tribes/plugins"))
           (host public-host)
           (listen-address
-            (getenv/default "TRIBES_LISTEN_ADDRESS"
-                            (and edge-enabled? "127.0.0.1")))
+            (getenv/default "TRIBES_LISTEN_ADDRESS" "127.0.0.1"))
           (listen-port listen-port)
-           (scheme (getenv/default "TRIBES_SCHEME"
-                                   (if edge-enabled? "https" "http")))
+           (scheme (getenv/default "TRIBES_SCHEME" "https"))
           (port public-port)
           (relay-url (getenv "TRIBES_RELAY_URL"))
           (host-manifest (getenv "TRIBES_HOST_MANIFEST"))
@@ -117,32 +112,31 @@ TRIBES_SOURCE_DIRECTORY switches to a development source override."
           (log-file
            (getenv/default "TRIBES_LOG_FILE" "/var/log/tribes/tribes.log"))))
         (edge-config
-          (and edge-enabled?
-               (tribes-edge-configuration
-                (certificate-name
-                 (getenv/default "TRIBES_ACME_CERTIFICATE_NAME"
-                                 (safe-name public-host)))
-                (certificate-subjects
-                 (let ((subjects (comma-list (getenv "TRIBES_ACME_SUBJECTS"))))
-                   (if (null? subjects)
-                       (list public-host)
-                       subjects)))
-                (certificate-email
-                 (or (getenv "TRIBES_ACME_EMAIL")
-                     (error "TRIBES_ACME_EMAIL is required when TRIBES_ENABLE_EDGE is true")))
-                (certificate-profile
-                 (getenv/default "TRIBES_ACME_PROFILE" "shortlived"))
-                (renew-days (getenv/integer "TRIBES_ACME_RENEW_DAYS" 4))
-                (http-port (getenv/integer "TRIBES_EDGE_HTTP_PORT" 80))
-                (https-port (getenv/integer "TRIBES_EDGE_HTTPS_PORT" 443))
-                (challenge-address
-                 (getenv/default "TRIBES_ACME_LISTEN_ADDRESS" "127.0.0.1"))
-                (challenge-port
-                 (getenv/integer "TRIBES_ACME_LISTEN_PORT" 8080))
-                (cache-address
-                 (getenv/default "TRIBES_EDGE_CACHE_ADDRESS" "127.0.0.1"))
-                (cache-port
-                 (getenv/integer "TRIBES_EDGE_CACHE_PORT" 6081)))))
+          (tribes-edge-configuration
+           (certificate-name
+            (getenv/default "TRIBES_ACME_CERTIFICATE_NAME"
+                            (safe-name public-host)))
+           (certificate-subjects
+            (let ((subjects (comma-list (getenv "TRIBES_ACME_SUBJECTS"))))
+              (if (null? subjects)
+                  (list public-host)
+                  subjects)))
+           (certificate-email
+            (or (getenv "TRIBES_ACME_EMAIL")
+                (error "TRIBES_ACME_EMAIL is required for Tribes nodes")))
+           (certificate-profile
+            (getenv/default "TRIBES_ACME_PROFILE" "shortlived"))
+           (renew-days (getenv/integer "TRIBES_ACME_RENEW_DAYS" 4))
+           (http-port (getenv/integer "TRIBES_EDGE_HTTP_PORT" 80))
+           (https-port (getenv/integer "TRIBES_EDGE_HTTPS_PORT" 443))
+           (challenge-address
+            (getenv/default "TRIBES_ACME_LISTEN_ADDRESS" "127.0.0.1"))
+           (challenge-port
+            (getenv/integer "TRIBES_ACME_LISTEN_PORT" 8080))
+           (cache-address
+            (getenv/default "TRIBES_EDGE_CACHE_ADDRESS" "127.0.0.1"))
+           (cache-port
+            (getenv/integer "TRIBES_EDGE_CACHE_PORT" 6081))))
         (node-config
          (tribes-node-configuration
           (postgresql (postgresql-configuration