From ea249f1975c3f713f976324faa7c08319ec4e984 Mon Sep 17 00:00:00 2001
From: Steffen Beyer
Date: Wed, 1 Apr 2026 23:52:31 +0200
Subject: [PATCH] Require edge and runtime cookie for Tribes nodes

---
 tribes/services/tribes.scm | 13 ++++----
 tribes/system/installer.scm | 66 +++++++++++++++++--------------------
 2 files changed, 36 insertions(+), 43 deletions(-)

diff --git a/tribes/services/tribes.scm b/tribes/services/tribes.scm
index 7759a1b..ee52590 100644
--- a/tribes/services/tribes.scm
+++ b/tribes/services/tribes.scm
@@ -233,13 +233,12 @@
 (setenv "SECRET_KEY_BASE" (read-secret secret-key-file))
 (setenv "TOKEN_SIGNING_SECRET" (read-secret token-file))
- (unless (string=? #$distribution "none")
- (unless (file-exists? release-cookie-file)
- (format (current-error-port)
- "missing Tribes release cookie file: ~a~%"
- release-cookie-file)
- (exit 1))
- (setenv "RELEASE_COOKIE" (read-secret release-cookie-file)))
+ (unless (file-exists? release-cookie-file)
+ (format (current-error-port)
+ "missing Tribes release cookie file: ~a~%"
+ release-cookie-file)
+ (exit 1))
+ (setenv "RELEASE_COOKIE" (read-secret release-cookie-file))
 #$@env-setters
 (apply execl #$(file-append package "/bin/tribes")
diff --git a/tribes/system/installer.scm b/tribes/system/installer.scm
index 952bd19..0d09670 100644
--- a/tribes/system/installer.scm
+++ b/tribes/system/installer.scm
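Review bot: The new guard tests only `file-exists?` before `read-secret`, so a release cookie file that exists but is empty passes it and, depending on what `read-secret` returns for an empty file, RELEASE_COOKIE may end up set to the empty string; the removed `#$distribution` test shows this value is the distribution cookie, and an empty secret there deserves the same hard failure as a missing file. Bind the result first and reject an empty one with the same format-and-exit pattern the hunk already uses, i.e. read into `cookie`, then `(when (string-null? cookie) …)` printing an "empty Tribes release cookie file" message and calling `(exit 1)`, and only then `(setenv "RELEASE_COOKIE" cookie)`. With the `#$distribution` check gone the distribution setting no longer decides whether the cookie is read; if it is still a configuration field, its documentation should say the cookie file is now always required. The enclosing gexp starts and ends outside this hunk.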
@@ -65,15 +65,12 @@
 "Return an installed NBDE operating-system extended with PostgreSQL and the Tribes service. By default it uses the pinned upstream package; setting
 TRIBES_SOURCE_DIRECTORY switches to a development source override."
- (let* ((edge-enabled? (getenv/bool "TRIBES_ENABLE_EDGE" #f))
- (service-user (getenv/default "TRIBES_SERVICE_USER" "tribes"))
+ (let* ((service-user (getenv/default "TRIBES_SERVICE_USER" "tribes"))
 (service-group (getenv/default "TRIBES_SERVICE_GROUP" service-user))
 (database-user (getenv/default "TRIBES_DATABASE_USER" service-user))
 (public-host (getenv/default "TRIBES_PUBLIC_HOST" host-name))
- (public-port (getenv/integer "TRIBES_HTTP_PORT"
- (if edge-enabled? 443 4000)))
- (listen-port (getenv/integer "TRIBES_LISTEN_PORT"
- (if edge-enabled? 4000 public-port)))
+ (public-port (getenv/integer "TRIBES_HTTP_PORT" 443))
+ (listen-port (getenv/integer "TRIBES_LISTEN_PORT" 4000))
 (package (tribes-installer-package))
 (tribes-config
 (tribes-configuration
@@ -86,11 +83,9 @@ TRIBES_SOURCE_DIRECTORY switches to a development source override."
 (getenv/default "TRIBES_PLUGIN_DIRECTORY" "/var/lib/tribes/plugins"))
 (host public-host)
 (listen-address
- (getenv/default "TRIBES_LISTEN_ADDRESS"
- (and edge-enabled? "127.0.0.1")))
+ (getenv/default "TRIBES_LISTEN_ADDRESS" "127.0.0.1"))
 (listen-port listen-port)
- (scheme (getenv/default "TRIBES_SCHEME"
- (if edge-enabled? "https" "http")))
+ (scheme (getenv/default "TRIBES_SCHEME" "https"))
 (port public-port)
 (relay-url (getenv "TRIBES_RELAY_URL"))
 (host-manifest (getenv "TRIBES_HOST_MANIFEST"))
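Review bot: `TRIBES_ENABLE_EDGE` is no longer read anywhere in this `let*`, so an existing deployment that still exports it (for instance set to false, together with a `TRIBES_HTTP_PORT` chosen for the old non-edge layout) is now silently built with the edge, public port 443 and a loopback listener on 4000. A one-line warning keeps the retired switch from failing silently: `(when (getenv "TRIBES_ENABLE_EDGE") (format (current-error-port) "TRIBES_ENABLE_EDGE is ignored: the edge is always enabled~%"))`, placed before the `let*`. The docstring at the top of the hunk should also state the new fixed defaults, since the environment variables it does not mention now have no way to turn the edge off. The `let*` continues past this hunk.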
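Review bot: `(listen-address (getenv/default "TRIBES_LISTEN_ADDRESS" "127.0.0.1"))` is the right default behind the edge, but nothing flags an override to a non-loopback address: a deployment that sets `TRIBES_LISTEN_ADDRESS=0.0.0.0` keeps `(scheme … "https")` for its public URLs while the listener on `listen-port` is presumably the plain-HTTP backend the edge proxies to, and would be reachable directly beside the TLS endpoint. A comment at `listen-address`, e.g. `;; Loopback only: the edge terminates TLS and proxies to listen-port.`, and a warning on `(current-error-port)` when the value is not a loopback address would make that contract explicit. The `tribes-configuration` form starts and ends outside this hunk.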
@@ -117,32 +112,31 @@ TRIBES_SOURCE_DIRECTORY switches to a development source override."
 (log-file (getenv/default "TRIBES_LOG_FILE" "/var/log/tribes/tribes.log"))))
 (edge-config
- (and edge-enabled?
- (tribes-edge-configuration
- (certificate-name
- (getenv/default "TRIBES_ACME_CERTIFICATE_NAME"
- (safe-name public-host)))
- (certificate-subjects
- (let ((subjects (comma-list (getenv "TRIBES_ACME_SUBJECTS"))))
- (if (null? subjects)
- (list public-host)
- subjects)))
- (certificate-email
- (or (getenv "TRIBES_ACME_EMAIL")
- (error "TRIBES_ACME_EMAIL is required when TRIBES_ENABLE_EDGE is true")))
- (certificate-profile
- (getenv/default "TRIBES_ACME_PROFILE" "shortlived"))
- (renew-days (getenv/integer "TRIBES_ACME_RENEW_DAYS" 4))
- (http-port (getenv/integer "TRIBES_EDGE_HTTP_PORT" 80))
- (https-port (getenv/integer "TRIBES_EDGE_HTTPS_PORT" 443))
- (challenge-address
- (getenv/default "TRIBES_ACME_LISTEN_ADDRESS" "127.0.0.1"))
- (challenge-port
- (getenv/integer "TRIBES_ACME_LISTEN_PORT" 8080))
- (cache-address
- (getenv/default "TRIBES_EDGE_CACHE_ADDRESS" "127.0.0.1"))
- (cache-port
- (getenv/integer "TRIBES_EDGE_CACHE_PORT" 6081)))))
+ (tribes-edge-configuration
+ (certificate-name
+ (getenv/default "TRIBES_ACME_CERTIFICATE_NAME"
+ (safe-name public-host)))
+ (certificate-subjects
+ (let ((subjects (comma-list (getenv "TRIBES_ACME_SUBJECTS"))))
+ (if (null? subjects)
+ (list public-host)
+ subjects)))
+ (certificate-email
+ (or (getenv "TRIBES_ACME_EMAIL")
+ (error "TRIBES_ACME_EMAIL is required for Tribes nodes")))
+ (certificate-profile
+ (getenv/default "TRIBES_ACME_PROFILE" "shortlived"))
+ (renew-days (getenv/integer "TRIBES_ACME_RENEW_DAYS" 4))
+ (http-port (getenv/integer "TRIBES_EDGE_HTTP_PORT" 80))
+ (https-port (getenv/integer "TRIBES_EDGE_HTTPS_PORT" 443))
+ (challenge-address
+ (getenv/default "TRIBES_ACME_LISTEN_ADDRESS" "127.0.0.1"))
+ (challenge-port
+ (getenv/integer "TRIBES_ACME_LISTEN_PORT" 8080))
+ (cache-address
+ (getenv/default "TRIBES_EDGE_CACHE_ADDRESS" "127.0.0.1"))
+ (cache-port
+ (getenv/integer "TRIBES_EDGE_CACHE_PORT" 6081))))
 (node-config
 (tribes-node-configuration
 (postgresql (postgresql-configuration
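Review bot: The `certificate-email` guard `(or (getenv "TRIBES_ACME_EMAIL") (error …))` accepts an empty value, because `getenv` returns `""` for a variable that is set but empty and `""` is true in Scheme; now that the edge configuration is built for every node, that case presumably surfaces later in the ACME client instead of failing here with the clear message. Check for emptiness too: `(let ((email (getenv "TRIBES_ACME_EMAIL")))` / `(if (and email (not (string-null? email))) email` / `(error "TRIBES_ACME_EMAIL is required for Tribes nodes")))`. The `certificate-subjects` branch replaces the `(list public-host)` default wholesale when `TRIBES_ACME_SUBJECTS` is set, so a list that omits `public-host` yields a certificate that does not cover the host the node advertises; if that is intended, a comment saying so would help, otherwise prepend `public-host` when `(member public-host subjects)` is false. The enclosing `let*` starts before this hunk and ends after it.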