pub mod vfs; pub mod security; pub mod server; pub mod metrics; pub mod web; use std::net::SocketAddr; use std::path::PathBuf; use std::sync::Arc; use axum::{Router, routing::get}; use clap::Parser; use tonic::transport::{Identity, Server, ServerTlsConfig}; use vfs::local::LocalVfs; use furumi_common::proto::remote_file_system_server::RemoteFileSystemServer; use server::RemoteFileSystemImpl; use security::AuthInterceptor; #[derive(Parser, Debug)] #[command(version, about = "Furumi-ng: remote filesystem server over encrypted gRPC")] struct Args { /// IP address and port to bind the gRPC server to #[arg(short, long, env = "FURUMI_BIND", default_value = "0.0.0.0:50051")] bind: String, /// Document root directory to expose via VFS #[arg(short, long, env = "FURUMI_ROOT", default_value = ".")] root: PathBuf, /// Authentication Bearer token (leave empty to disable auth) #[arg(short, long, env = "FURUMI_TOKEN", default_value = "")] token: String, /// IP address and port for the Prometheus metrics HTTP endpoint #[arg(long, env = "FURUMI_METRICS_BIND", default_value = "0.0.0.0:9090")] metrics_bind: String, /// IP address and port for the web music player #[arg(long, env = "FURUMI_WEB_BIND", default_value = "0.0.0.0:8080")] web_bind: String, /// Disable the web music player UI #[arg(long, default_value_t = false)] no_web: bool, /// Disable TLS encryption (not recommended, use only for debugging) #[arg(long, default_value_t = false)] no_tls: bool, /// OIDC Issuer URL (e.g. https://auth.example.com/application/o/furumi/) #[arg(long, env = "FURUMI_OIDC_ISSUER_URL")] oidc_issuer_url: Option, /// OIDC Client ID #[arg(long, env = "FURUMI_OIDC_CLIENT_ID")] oidc_client_id: Option, /// OIDC Client Secret #[arg(long, env = "FURUMI_OIDC_CLIENT_SECRET")] oidc_client_secret: Option, /// OIDC Redirect URL (e.g. https://music.example.com/auth/callback) #[arg(long, env = "FURUMI_OIDC_REDIRECT_URL")] oidc_redirect_url: Option, /// OIDC Session Secret (32+ chars, for HMAC). If not provided, a random one is generated on startup. #[arg(long, env = "FURUMI_OIDC_SESSION_SECRET")] oidc_session_secret: Option, } async fn metrics_handler() -> String { metrics::render_metrics() } #[tokio::main] async fn main() -> Result<(), Box> { // Install ring as the default crypto provider for rustls (must be before any TLS usage) rustls::crypto::ring::default_provider() .install_default() .expect("Failed to install rustls crypto provider"); tracing_subscriber::fmt::init(); let args = Args::parse(); let addr: SocketAddr = args.bind.parse().unwrap_or_else(|e| { eprintln!("Error: Invalid bind address '{}': {}", args.bind, e); eprintln!(" Expected format: IP:PORT (e.g. 0.0.0.0:50051)"); std::process::exit(1); }); let metrics_addr: SocketAddr = args.metrics_bind.parse().unwrap_or_else(|e| { eprintln!("Error: Invalid metrics bind address '{}': {}", args.metrics_bind, e); eprintln!(" Expected format: IP:PORT (e.g. 0.0.0.0:9090)"); std::process::exit(1); }); // Resolve the document root to an absolute path for safety and clarity let root_path = std::fs::canonicalize(&args.root) .unwrap_or_else(|_| args.root.clone()); if !root_path.exists() || !root_path.is_dir() { eprintln!("Error: Root path {:?} does not exist or is not a directory", root_path); std::process::exit(1); } let vfs = Arc::new(LocalVfs::new(&root_path)); let remote_fs = RemoteFileSystemImpl::new(vfs); let auth = AuthInterceptor::new(args.token.clone()); let svc = RemoteFileSystemServer::with_interceptor(remote_fs, auth.clone()); // Print startup info println!("Furumi-ng Server v{} listening on {}", option_env!("FURUMI_VERSION").unwrap_or(env!("CARGO_PKG_VERSION")), addr); if args.no_tls { println!("WARNING: TLS is DISABLED — traffic is unencrypted"); } else { println!("TLS: enabled (auto-generated self-signed certificate)"); } if args.token.is_empty() { println!("WARNING: Authentication is DISABLED"); } else { println!("Authentication: enabled (Bearer token)"); } println!("Document Root: {:?}", root_path); println!("Metrics: http://{}/metrics", metrics_addr); // Spawn the Prometheus metrics HTTP server on a separate port let metrics_app = Router::new().route("/metrics", get(metrics_handler)); let metrics_listener = tokio::net::TcpListener::bind(metrics_addr).await?; tokio::spawn(async move { axum::serve(metrics_listener, metrics_app).await.unwrap(); }); // Spawn the web music player on its own port if !args.no_web { let web_addr: SocketAddr = args.web_bind.parse().unwrap_or_else(|e| { eprintln!("Error: Invalid web bind address '{}': {}", args.web_bind, e); std::process::exit(1); }); // Initialize OIDC State if provided let oidc_state = if let (Some(issuer), Some(client_id), Some(secret), Some(redirect)) = ( args.oidc_issuer_url, args.oidc_client_id, args.oidc_client_secret, args.oidc_redirect_url, ) { println!("OIDC (SSO): enabled for web UI (issuer: {})", issuer); match web::auth::oidc_init(issuer, client_id, secret, redirect, args.oidc_session_secret).await { Ok(state) => Some(Arc::new(state)), Err(e) => { eprintln!("Error initializing OIDC client: {}", e); std::process::exit(1); } } } else { None }; let web_app = web::build_router(root_path.clone(), args.token.clone(), oidc_state); let web_listener = tokio::net::TcpListener::bind(web_addr).await?; println!("Web player: http://{}", web_addr); tokio::spawn(async move { axum::serve(web_listener, web_app).await.unwrap(); }); } let mut builder = Server::builder() .tcp_keepalive(Some(std::time::Duration::from_secs(60))) .http2_keepalive_interval(Some(std::time::Duration::from_secs(60))); if !args.no_tls { let cert_pair = rcgen::generate_simple_self_signed(vec![ "localhost".to_string(), "furumi-ng".to_string(), ]) .expect("Failed to generate self-signed certificate"); let cert_pem = cert_pair.cert.pem(); let key_pem = cert_pair.signing_key.serialize_pem(); let identity = Identity::from_pem(cert_pem, key_pem); let tls_config = ServerTlsConfig::new().identity(identity); builder = builder.tls_config(tls_config)?; } builder .add_service(svc) .serve(addr) .await?; Ok(()) } #[cfg(test)] mod tests;