85b3cb6852
All checks were successful
Publish Server Image / build-and-push-image (push) Successful in 2m12s
195 lines
6.9 KiB
Rust
195 lines
6.9 KiB
Rust
pub mod vfs;
|
|
pub mod security;
|
|
pub mod server;
|
|
pub mod metrics;
|
|
pub mod web;
|
|
|
|
use std::net::SocketAddr;
|
|
use std::path::PathBuf;
|
|
use std::sync::Arc;
|
|
use axum::{Router, routing::get};
|
|
use clap::Parser;
|
|
use tonic::transport::{Identity, Server, ServerTlsConfig};
|
|
use vfs::local::LocalVfs;
|
|
use furumi_common::proto::remote_file_system_server::RemoteFileSystemServer;
|
|
use server::RemoteFileSystemImpl;
|
|
use security::AuthInterceptor;
|
|
|
|
#[derive(Parser, Debug)]
|
|
#[command(version, about = "Furumi-ng: remote filesystem server over encrypted gRPC")]
|
|
struct Args {
|
|
/// IP address and port to bind the gRPC server to
|
|
#[arg(short, long, env = "FURUMI_BIND", default_value = "0.0.0.0:50051")]
|
|
bind: String,
|
|
|
|
/// Document root directory to expose via VFS
|
|
#[arg(short, long, env = "FURUMI_ROOT", default_value = ".")]
|
|
root: PathBuf,
|
|
|
|
/// Authentication Bearer token (leave empty to disable auth)
|
|
#[arg(short, long, env = "FURUMI_TOKEN", default_value = "")]
|
|
token: String,
|
|
|
|
/// IP address and port for the Prometheus metrics HTTP endpoint
|
|
#[arg(long, env = "FURUMI_METRICS_BIND", default_value = "0.0.0.0:9090")]
|
|
metrics_bind: String,
|
|
|
|
/// IP address and port for the web music player
|
|
#[arg(long, env = "FURUMI_WEB_BIND", default_value = "0.0.0.0:8080")]
|
|
web_bind: String,
|
|
|
|
/// Disable the web music player UI
|
|
#[arg(long, default_value_t = false)]
|
|
no_web: bool,
|
|
|
|
/// Disable TLS encryption (not recommended, use only for debugging)
|
|
#[arg(long, default_value_t = false)]
|
|
no_tls: bool,
|
|
|
|
/// OIDC Issuer URL (e.g. https://auth.example.com/application/o/furumi/)
|
|
#[arg(long, env = "FURUMI_OIDC_ISSUER_URL")]
|
|
oidc_issuer_url: Option<String>,
|
|
|
|
/// OIDC Client ID
|
|
#[arg(long, env = "FURUMI_OIDC_CLIENT_ID")]
|
|
oidc_client_id: Option<String>,
|
|
|
|
/// OIDC Client Secret
|
|
#[arg(long, env = "FURUMI_OIDC_CLIENT_SECRET")]
|
|
oidc_client_secret: Option<String>,
|
|
|
|
/// OIDC Redirect URL (e.g. https://music.example.com/auth/callback)
|
|
#[arg(long, env = "FURUMI_OIDC_REDIRECT_URL")]
|
|
oidc_redirect_url: Option<String>,
|
|
|
|
/// OIDC Session Secret (32+ chars, for HMAC). If not provided, a random one is generated on startup.
|
|
#[arg(long, env = "FURUMI_OIDC_SESSION_SECRET")]
|
|
oidc_session_secret: Option<String>,
|
|
}
|
|
|
|
async fn metrics_handler() -> String {
|
|
metrics::render_metrics()
|
|
}
|
|
|
|
#[tokio::main]
|
|
async fn main() -> Result<(), Box<dyn std::error::Error>> {
|
|
// Install ring as the default crypto provider for rustls (must be before any TLS usage)
|
|
rustls::crypto::ring::default_provider()
|
|
.install_default()
|
|
.expect("Failed to install rustls crypto provider");
|
|
|
|
tracing_subscriber::fmt::init();
|
|
|
|
let args = Args::parse();
|
|
let addr: SocketAddr = args.bind.parse().unwrap_or_else(|e| {
|
|
eprintln!("Error: Invalid bind address '{}': {}", args.bind, e);
|
|
eprintln!(" Expected format: IP:PORT (e.g. 0.0.0.0:50051)");
|
|
std::process::exit(1);
|
|
});
|
|
|
|
let metrics_addr: SocketAddr = args.metrics_bind.parse().unwrap_or_else(|e| {
|
|
eprintln!("Error: Invalid metrics bind address '{}': {}", args.metrics_bind, e);
|
|
eprintln!(" Expected format: IP:PORT (e.g. 0.0.0.0:9090)");
|
|
std::process::exit(1);
|
|
});
|
|
|
|
// Resolve the document root to an absolute path for safety and clarity
|
|
let root_path = std::fs::canonicalize(&args.root)
|
|
.unwrap_or_else(|_| args.root.clone());
|
|
|
|
if !root_path.exists() || !root_path.is_dir() {
|
|
eprintln!("Error: Root path {:?} does not exist or is not a directory", root_path);
|
|
std::process::exit(1);
|
|
}
|
|
|
|
let vfs = Arc::new(LocalVfs::new(&root_path));
|
|
let remote_fs = RemoteFileSystemImpl::new(vfs);
|
|
let auth = AuthInterceptor::new(args.token.clone());
|
|
let svc = RemoteFileSystemServer::with_interceptor(remote_fs, auth.clone());
|
|
|
|
// Print startup info
|
|
println!("Furumi-ng Server v{} listening on {}", option_env!("FURUMI_VERSION").unwrap_or(env!("CARGO_PKG_VERSION")), addr);
|
|
if args.no_tls {
|
|
println!("WARNING: TLS is DISABLED — traffic is unencrypted");
|
|
} else {
|
|
println!("TLS: enabled (auto-generated self-signed certificate)");
|
|
}
|
|
if args.token.is_empty() {
|
|
println!("WARNING: Authentication is DISABLED");
|
|
} else {
|
|
println!("Authentication: enabled (Bearer token)");
|
|
}
|
|
println!("Document Root: {:?}", root_path);
|
|
println!("Metrics: http://{}/metrics", metrics_addr);
|
|
|
|
// Spawn the Prometheus metrics HTTP server on a separate port
|
|
let metrics_app = Router::new().route("/metrics", get(metrics_handler));
|
|
let metrics_listener = tokio::net::TcpListener::bind(metrics_addr).await?;
|
|
tokio::spawn(async move {
|
|
axum::serve(metrics_listener, metrics_app).await.unwrap();
|
|
});
|
|
|
|
// Spawn the web music player on its own port
|
|
if !args.no_web {
|
|
let web_addr: SocketAddr = args.web_bind.parse().unwrap_or_else(|e| {
|
|
eprintln!("Error: Invalid web bind address '{}': {}", args.web_bind, e);
|
|
std::process::exit(1);
|
|
});
|
|
|
|
// Initialize OIDC State if provided
|
|
let oidc_state = if let (Some(issuer), Some(client_id), Some(secret), Some(redirect)) = (
|
|
args.oidc_issuer_url,
|
|
args.oidc_client_id,
|
|
args.oidc_client_secret,
|
|
args.oidc_redirect_url,
|
|
) {
|
|
println!("OIDC (SSO): enabled for web UI (issuer: {})", issuer);
|
|
match web::auth::oidc_init(issuer, client_id, secret, redirect, args.oidc_session_secret).await {
|
|
Ok(state) => Some(Arc::new(state)),
|
|
Err(e) => {
|
|
eprintln!("Error initializing OIDC client: {}", e);
|
|
std::process::exit(1);
|
|
}
|
|
}
|
|
} else {
|
|
None
|
|
};
|
|
|
|
let web_app = web::build_router(root_path.clone(), args.token.clone(), oidc_state);
|
|
let web_listener = tokio::net::TcpListener::bind(web_addr).await?;
|
|
println!("Web player: http://{}", web_addr);
|
|
tokio::spawn(async move {
|
|
axum::serve(web_listener, web_app).await.unwrap();
|
|
});
|
|
}
|
|
|
|
let mut builder = Server::builder()
|
|
.tcp_keepalive(Some(std::time::Duration::from_secs(60)))
|
|
.http2_keepalive_interval(Some(std::time::Duration::from_secs(60)));
|
|
|
|
if !args.no_tls {
|
|
let cert_pair = rcgen::generate_simple_self_signed(vec![
|
|
"localhost".to_string(),
|
|
"furumi-ng".to_string(),
|
|
])
|
|
.expect("Failed to generate self-signed certificate");
|
|
|
|
let cert_pem = cert_pair.cert.pem();
|
|
let key_pem = cert_pair.signing_key.serialize_pem();
|
|
|
|
let identity = Identity::from_pem(cert_pem, key_pem);
|
|
let tls_config = ServerTlsConfig::new().identity(identity);
|
|
builder = builder.tls_config(tls_config)?;
|
|
}
|
|
|
|
builder
|
|
.add_service(svc)
|
|
.serve(addr)
|
|
.await?;
|
|
|
|
Ok(())
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests;
|