admin/deploy-felhom-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added controller

Browse Source
This commit is contained in:
authentik Default Admin
2026-02-13 18:54:08 +01:00
commit f72bb57eda
20 changed files with 3568 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
controller/.gitignore
+32
View File
@@ -0,0 +1,32 @@
# Build artifacts
bin/
*.exe
*.dll
*.so
*.dylib
# Test artifacts
coverage.out
coverage.html
*.test
# IDE
.idea/
.vscode/
*.swp
*.swo
*~
# OS
.DS_Store
Thumbs.db
# Go
vendor/
# Docker
*.tar
# Local config (don't commit real customer configs)
controller.yaml
restic-password
controller/BUILDING.md
+226
View File
@@ -0,0 +1,226 @@
# Building & Publishing felhom-controller
## Prerequisites
- Docker installed on your build machine
- Docker Buildx plugin (for multi-arch builds — included with Docker Desktop, may need install on Linux)
- Access to Gitea at gitea.dooplex.hu
## Step 1: Enable Gitea Container Registry
Gitea has a built-in container registry. Check if it's enabled:
```bash
# SSH into your k3s node or wherever Gitea runs
# Check Gitea config (app.ini)
kubectl exec -it -n <namespace> deploy/gitea -- cat /data/gitea/conf/app.ini | grep -A5 '\[packages\]'
```
If the `[packages]` section is missing or `ENABLED=false`, add/update:
```ini
[packages]
ENABLED = true
```
Then restart Gitea:
```bash
kubectl rollout restart deploy/gitea -n <namespace>
```
**Verify it works:**
```bash
# Login to the registry (use your Gitea username + password or access token)
docker login gitea.dooplex.hu
# Username: admin
# Password: <your-gitea-password-or-token>
```
If login succeeds, the registry is working. The image URL pattern is:
`gitea.dooplex.hu/<owner>/<image>:<tag>`
## Step 2: Sync app assets before building
The container image includes app logos and screenshots. Sync them from
the felhom.eu website repo before building:
```bash
# If the website repo is checked out alongside this repo:
make sync-assets
# Or specify the path explicitly:
make sync-assets WEBSITE_ASSETS_DIR=/home/admin/repos/felhom.eu/website/assets
# Verify
ls assets/*.webp
```
If you skip this step, the dashboard will work but show no app logos/screenshots
(the `onerror` handler hides broken images gracefully).
## Step 3: Build for single architecture (quick test)
```bash
cd ~/repos/deploy-felhom-compose
# Build for your current architecture
docker build \
--build-arg VERSION=$(git describe --tags --always 2>/dev/null || echo "0.1.0") \
--build-arg GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null || echo "unknown") \
-t gitea.dooplex.hu/admin/felhom-controller:latest \
-t gitea.dooplex.hu/admin/felhom-controller:0.1.0 \
.
# Push
docker push gitea.dooplex.hu/admin/felhom-controller:latest
docker push gitea.dooplex.hu/admin/felhom-controller:0.1.0
```
## Step 4: Build for both architectures (production)
You need both amd64 (N100 mini PCs) and arm64 (Raspberry Pi). Use Docker Buildx:
```bash
# One-time: Create a buildx builder that supports multi-arch
docker buildx create --name felhom-builder --use --bootstrap
# Verify it supports the architectures we need
docker buildx inspect felhom-builder
# Should show: linux/amd64, linux/arm64 in Platforms
# Build + push multi-arch image in one step
docker buildx build \
--platform linux/amd64,linux/arm64 \
--build-arg VERSION=0.1.0 \
--build-arg GIT_COMMIT=$(git rev-parse --short HEAD) \
-t gitea.dooplex.hu/admin/felhom-controller:latest \
-t gitea.dooplex.hu/admin/felhom-controller:0.1.0 \
--push \
.
```
**Note:** `--push` is required with multi-arch builds because buildx doesn't store
multi-platform images in the local Docker cache. It pushes directly to the registry.
### If buildx multi-arch doesn't work (missing QEMU)
On Linux you might need QEMU for cross-compilation:
```bash
# Install QEMU user-mode emulation
sudo apt-get install -y qemu-user-static binfmt-support
# Register QEMU with Docker
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
# Verify
docker buildx ls
```
### Alternative: Build natively on each architecture
If you don't want to cross-compile, build on each machine:
```bash
# On the N100 (amd64):
docker build -t gitea.dooplex.hu/admin/felhom-controller:latest-amd64 .
docker push gitea.dooplex.hu/admin/felhom-controller:latest-amd64
# On the Pi (arm64):
docker build -t gitea.dooplex.hu/admin/felhom-controller:latest-arm64 .
docker push gitea.dooplex.hu/admin/felhom-controller:latest-arm64
# Then create a manifest list to combine them:
docker manifest create gitea.dooplex.hu/admin/felhom-controller:latest \
gitea.dooplex.hu/admin/felhom-controller:latest-amd64 \
gitea.dooplex.hu/admin/felhom-controller:latest-arm64
docker manifest push gitea.dooplex.hu/admin/felhom-controller:latest
```
## Step 5: Deploy on a customer node
On the customer's machine, the docker-compose.yml for the controller references
the image from the registry:
```yaml
services:
felhom-controller:
image: gitea.dooplex.hu/admin/felhom-controller:latest
# ...
```
Pull and start:
```bash
# Login to registry on the customer node (one-time)
docker login gitea.dooplex.hu
# Start the controller
cd /opt/docker/felhom-controller
docker compose pull
docker compose up -d
# Verify
docker compose logs -f
curl -s http://localhost:8080/api/health
```
## Step 6: Updating the controller
When you release a new version:
```bash
# On your build machine:
docker buildx build \
--platform linux/amd64,linux/arm64 \
--build-arg VERSION=0.2.0 \
-t gitea.dooplex.hu/admin/felhom-controller:latest \
-t gitea.dooplex.hu/admin/felhom-controller:0.2.0 \
--push .
# On the customer node (manually for now; auto-update comes in Phase 5):
cd /opt/docker/felhom-controller
docker compose pull
docker compose up -d
```
## Makefile shortcuts
The Makefile has convenience targets:
```bash
make docker-build # Build for current platform
make docker-buildx # Build multi-arch + push
make docker-push # Push current platform image
```
## Troubleshooting
### "unauthorized" when pushing
```bash
docker logout gitea.dooplex.hu
docker login gitea.dooplex.hu
```
### Gitea registry not accessible
Check if Gitea's HTTPS is working and the domain resolves:
```bash
curl -v https://gitea.dooplex.hu/v2/
# Should return: {"errors":[{"code":"UNAUTHORIZED",...}]}
```
### Build fails on arm64 via QEMU (too slow or errors)
Cross-compiling Go via QEMU can be slow. Since the Go binary itself is cross-compiled
(CGO_ENABLED=0), only the Debian packages in the runtime stage need QEMU.
Alternative: build the Go binary natively, then build only the runtime Docker layer
via buildx.
### Image too large
Expected sizes:
- Go binary: ~15-20 MB
- Runtime image (debian-slim + docker-cli + restic + pg_dump): ~250-350 MB
To reduce: consider Alpine instead of Debian slim, but test pg_dump/mysqldump
compatibility first.
controller/Dockerfile
+81
View File
@@ -0,0 +1,81 @@
# =============================================================================
# felhom-controller Dockerfile
# Multi-stage build: Go binary + minimal runtime
# Supports amd64 (N100 mini PCs) and arm64 (Raspberry Pi)
# =============================================================================
# --- Build stage ---
FROM golang:1.22-bookworm AS builder
ARG TARGETOS=linux
ARG TARGETARCH
ARG VERSION=dev
ARG GIT_COMMIT=unknown
WORKDIR /build
# Cache dependencies first
COPY go.mod go.sum ./
RUN go mod download
# Copy source
COPY . .
# Build static binary
RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
-ldflags="-s -w \
-X main.Version=${VERSION} \
-X main.BuildTime=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
-X main.GitCommit=${GIT_COMMIT}" \
-o /build/felhom-controller \
./cmd/controller/
# --- Runtime stage ---
FROM debian:bookworm-slim
# Install runtime dependencies:
# - docker-cli: for "docker compose" commands
# - ca-certificates: for HTTPS (healthchecks pings, git)
# - restic: for backup operations
# - postgresql-client: for pg_dump
# - default-mysql-client: for mysqldump
# - sqlite3: for SQLite backup
# - git: for stack sync from Gitea
# - curl: for health pings and debugging
RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates \
curl \
git \
restic \
postgresql-client \
default-mysql-client \
sqlite3 \
&& rm -rf /var/lib/apt/lists/*
# Install docker-cli (without daemon)
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] \
https://download.docker.com/linux/debian bookworm stable" > /etc/apt/sources.list.d/docker.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends docker-ce-cli docker-compose-plugin \
&& rm -rf /var/lib/apt/lists/*
# Create non-root user (but we'll run as root for Docker socket access)
# The Docker socket requires root or docker group membership
RUN mkdir -p /opt/docker/felhom-controller/data
COPY --from=builder /build/felhom-controller /usr/local/bin/felhom-controller
# Copy baked-in app assets (logos, screenshots)
# These are synced from the felhom.eu website repo before building.
# See: make sync-assets
COPY assets/ /usr/share/felhom/assets/
# Health check
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD curl -f http://localhost:8080/api/health || exit 1
EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/felhom-controller"]
CMD ["--config", "/opt/docker/felhom-controller/controller.yaml"]
controller/Makefile
+98
View File
@@ -0,0 +1,98 @@
# felhom-controller Makefile
# Build targets for amd64 (N100 mini PCs) and arm64 (Raspberry Pi)
VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
GIT_COMMIT ?= $(shell git rev-parse --short HEAD 2>/dev/null || echo "unknown")
BUILD_TIME ?= $(shell date -u +%Y-%m-%dT%H:%M:%SZ)
BINARY = felhom-controller
REGISTRY ?= gitea.dooplex.hu/admin
IMAGE = $(REGISTRY)/felhom-controller
LDFLAGS = -ldflags="-s -w \
-X main.Version=$(VERSION) \
-X main.BuildTime=$(BUILD_TIME) \
-X main.GitCommit=$(GIT_COMMIT)"
.PHONY: all build build-amd64 build-arm64 build-all test lint clean \
docker-build docker-push docker-buildx run sync-assets
# Default: build for current platform
all: build
build:
go build $(LDFLAGS) -o bin/$(BINARY) ./cmd/controller/
build-amd64:
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(LDFLAGS) -o bin/$(BINARY)-linux-amd64 ./cmd/controller/
build-arm64:
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(LDFLAGS) -o bin/$(BINARY)-linux-arm64 ./cmd/controller/
build-all: build-amd64 build-arm64
# Run locally (for development)
run:
go run ./cmd/controller/ --config configs/controller.yaml.example
# Tests
test:
go test -v ./...
test-cover:
go test -coverprofile=coverage.out ./...
go tool cover -html=coverage.out -o coverage.html
# Lint (requires golangci-lint)
lint:
golangci-lint run ./...
# Docker image (current platform)
docker-build:
docker build \
--build-arg VERSION=$(VERSION) \
--build-arg GIT_COMMIT=$(GIT_COMMIT) \
-t $(IMAGE):$(VERSION) \
-t $(IMAGE):latest \
.
# Docker multi-arch build (requires docker buildx)
docker-buildx:
docker buildx build \
--platform linux/amd64,linux/arm64 \
--build-arg VERSION=$(VERSION) \
--build-arg GIT_COMMIT=$(GIT_COMMIT) \
-t $(IMAGE):$(VERSION) \
-t $(IMAGE):latest \
--push \
.
# Push docker image
docker-push:
docker push $(IMAGE):$(VERSION)
docker push $(IMAGE):latest
# Sync app assets from felhom.eu website repo
# Override with: make sync-assets WEBSITE_ASSETS_DIR=/path/to/website/assets
WEBSITE_ASSETS_DIR ?= ../felhom.eu/website/assets
sync-assets:
@echo "Syncing assets from $(WEBSITE_ASSETS_DIR)..."
@if [ ! -d "$(WEBSITE_ASSETS_DIR)" ]; then \
echo "ERROR: $(WEBSITE_ASSETS_DIR) not found."; \
echo "Set WEBSITE_ASSETS_DIR to the path containing app logos and screenshots."; \
exit 1; \
fi
@cp -v $(WEBSITE_ASSETS_DIR)/*-logo.svg assets/ 2>/dev/null || echo "No SVG logo files found"
@cp -v $(WEBSITE_ASSETS_DIR)/*-logo.png assets/ 2>/dev/null || echo "No PNG logo files found"
@cp -v $(WEBSITE_ASSETS_DIR)/*-screenshot-*.webp assets/ 2>/dev/null || echo "No screenshot files found"
@echo "Assets synced: $$(ls assets/*.svg assets/*.png assets/*.webp 2>/dev/null | wc -l) files"
# Generate bcrypt password hash (usage: make password PASS=mypassword)
password:
@go run -mod=mod golang.org/x/crypto/bcrypt 2>/dev/null || \
echo '$$2a$$10$$...' && echo "Install htpasswd or use: go run scripts/hashpass.go $(PASS)"
# Clean build artifacts
clean:
rm -rf bin/ coverage.out coverage.html
controller/README.md
+31
View File
@@ -0,0 +1,31 @@
# App Assets
This directory contains logos and screenshots for the dashboard.
They are baked into the Docker image at build time.
## Naming convention
Files must follow the felhom.eu website convention:
- `{slug}-logo.svg` — App logo (SVG preferred, displayed on dark background)
- `{slug}-logo.png` — App logo fallback (PNG, for apps without SVG)
- `{slug}-screenshot-1.webp` — First screenshot
- `{slug}-screenshot-2.webp` — Second screenshot (and so on)
The dashboard tries SVG first, falls back to PNG if not found.
Example:
```
paperless-ngx-logo.svg
paperless-ngx-screenshot-1.webp
adventurelog-logo.png
adventurelog-screenshot-1.webp
```
## Syncing from felhom.eu website
Run `make sync-assets` to copy assets from the felhom.eu website repo.
This expects the website files to be available at `../felhom.eu/website/assets/`
(relative to this repo), or set `WEBSITE_ASSETS_DIR` to override.
Alternatively, copy files manually from FileBrowser at https://felhom.eu.
controller/config.go
+270
View File
@@ -0,0 +1,270 @@
package config
import (
"fmt"
"os"
"strings"
"gopkg.in/yaml.v3"
)
// Config is the top-level configuration structure.
// Contains ONLY infrastructure/customer identity.
// App-specific config lives in per-app app.yaml files.
type Config struct {
Customer CustomerConfig `yaml:"customer"`
Infrastructure InfrastructureConfig `yaml:"infrastructure"`
Paths PathsConfig `yaml:"paths"`
Web WebConfig `yaml:"web"`
Git GitConfig `yaml:"git"`
Stacks StacksConfig `yaml:"stacks"`
Backup BackupConfig `yaml:"backup"`
Monitoring MonitoringConfig `yaml:"monitoring"`
SelfUpdate SelfUpdateConfig `yaml:"self_update"`
Notifications NotificationsConfig `yaml:"notifications"`
Logging LoggingConfig `yaml:"logging"`
Assets AssetsConfig `yaml:"assets"`
}
type CustomerConfig struct {
ID string `yaml:"id"`
Name string `yaml:"name"`
Domain string `yaml:"domain"`
Email string `yaml:"email"`
TelegramChatID string `yaml:"telegram_chat_id"`
}
type InfrastructureConfig struct {
CFTunnelToken string `yaml:"cf_tunnel_token"`
CFAPIToken string `yaml:"cf_api_token"`
}
type PathsConfig struct {
StacksDir string `yaml:"stacks_dir"`
DataDir string `yaml:"data_dir"`
BackupDir string `yaml:"backup_dir"`
DBDumpDir string `yaml:"db_dump_dir"`
}
type WebConfig struct {
Listen string `yaml:"listen"`
PasswordHash string `yaml:"password_hash"`
SessionSecret string `yaml:"session_secret"`
}
type GitConfig struct {
RepoURL string `yaml:"repo_url"`
Branch string `yaml:"branch"`
SyncInterval string `yaml:"sync_interval"`
Username string `yaml:"username"`
Token string `yaml:"token"`
}
type StacksConfig struct {
Protected []string `yaml:"protected"`
UpdateWindow string `yaml:"update_window"`
ComposeCommand string `yaml:"compose_command"`
}
type BackupConfig struct {
Enabled bool `yaml:"enabled"`
ResticRepo string `yaml:"restic_repo"`
ResticPasswordFile string `yaml:"restic_password_file"`
DBDumpSchedule string `yaml:"db_dump_schedule"`
ResticSchedule string `yaml:"restic_schedule"`
Retention RetentionConfig `yaml:"retention"`
PruneSchedule string `yaml:"prune_schedule"`
}
type RetentionConfig struct {
KeepDaily int `yaml:"keep_daily"`
KeepWeekly int `yaml:"keep_weekly"`
KeepMonthly int `yaml:"keep_monthly"`
}
type MonitoringConfig struct {
Enabled bool `yaml:"enabled"`
HealthchecksBase string `yaml:"healthchecks_base"`
PingUUIDs PingUUIDsConfig `yaml:"ping_uuids"`
HealthCheckSchedule string `yaml:"health_check_schedule"`
Thresholds ThresholdsConfig `yaml:"thresholds"`
}
type PingUUIDsConfig struct {
DBDump string `yaml:"db_dump"`
Backup string `yaml:"backup"`
SystemHealth string `yaml:"system_health"`
}
type ThresholdsConfig struct {
DiskWarnPercent int `yaml:"disk_warn_percent"`
DiskCritPercent int `yaml:"disk_crit_percent"`
BackupMaxAgeHours int `yaml:"backup_max_age_hours"`
CPUWarnPercent int `yaml:"cpu_warn_percent"`
MemoryWarnPercent int `yaml:"memory_warn_percent"`
TemperatureWarnCelsius int `yaml:"temperature_warn_celsius"`
}
type SelfUpdateConfig struct {
Enabled bool `yaml:"enabled"`
CheckInterval string `yaml:"check_interval"`
Image string `yaml:"image"`
AutoUpdate bool `yaml:"auto_update"`
HealthTimeoutSeconds int `yaml:"health_timeout_seconds"`
}
type NotificationsConfig struct {
CustomerEvents []string `yaml:"customer_events"`
OperatorEvents []string `yaml:"operator_events"`
}
type LoggingConfig struct {
Level string `yaml:"level"`
File string `yaml:"file"`
MaxSizeMB int `yaml:"max_size_mb"`
MaxFiles int `yaml:"max_files"`
}
type AssetsConfig struct {
SourceURL string `yaml:"source_url"` // Only used during build, not runtime
}
// Load reads and parses the config file, applies defaults, and validates.
func Load(path string) (*Config, error) {
data, err := os.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("reading config file: %w", err)
}
// Expand environment variables in the YAML
expanded := os.ExpandEnv(string(data))
cfg := &Config{}
if err := yaml.Unmarshal([]byte(expanded), cfg); err != nil {
return nil, fmt.Errorf("parsing config file: %w", err)
}
applyDefaults(cfg)
applyEnvOverrides(cfg)
if err := validate(cfg); err != nil {
return nil, fmt.Errorf("config validation: %w", err)
}
return cfg, nil
}
func applyDefaults(cfg *Config) {
d := func(val *string, def string) {
if *val == "" {
*val = def
}
}
di := func(val *int, def int) {
if *val == 0 {
*val = def
}
}
d(&cfg.Paths.StacksDir, "/opt/docker/stacks")
d(&cfg.Paths.DataDir, "/opt/docker/felhom-controller/data")
d(&cfg.Paths.BackupDir, "/srv/backups")
d(&cfg.Paths.DBDumpDir, "/srv/backups/db-dumps")
d(&cfg.Web.Listen, ":8080")
d(&cfg.Git.Branch, "main")
d(&cfg.Git.SyncInterval, "15m")
d(&cfg.Stacks.UpdateWindow, "03:00-05:00")
d(&cfg.Backup.ResticRepo, "/srv/backups/restic-repo")
d(&cfg.Backup.DBDumpSchedule, "02:30")
d(&cfg.Backup.ResticSchedule, "03:00")
d(&cfg.Backup.PruneSchedule, "weekly")
di(&cfg.Backup.Retention.KeepDaily, 7)
di(&cfg.Backup.Retention.KeepWeekly, 4)
di(&cfg.Backup.Retention.KeepMonthly, 6)
d(&cfg.Monitoring.HealthchecksBase, "https://status.felhom.eu")
d(&cfg.Monitoring.HealthCheckSchedule, "06:00")
di(&cfg.Monitoring.Thresholds.DiskWarnPercent, 80)
di(&cfg.Monitoring.Thresholds.DiskCritPercent, 90)
di(&cfg.Monitoring.Thresholds.BackupMaxAgeHours, 36)
di(&cfg.Monitoring.Thresholds.CPUWarnPercent, 90)
di(&cfg.Monitoring.Thresholds.MemoryWarnPercent, 85)
di(&cfg.Monitoring.Thresholds.TemperatureWarnCelsius, 75)
d(&cfg.SelfUpdate.CheckInterval, "6h")
di(&cfg.SelfUpdate.HealthTimeoutSeconds, 60)
d(&cfg.Logging.Level, "info")
di(&cfg.Logging.MaxSizeMB, 10)
di(&cfg.Logging.MaxFiles, 3)
d(&cfg.Assets.SourceURL, "https://felhom.eu")
}
func applyEnvOverrides(cfg *Config) {
envStr := func(key string, target *string) {
if v := os.Getenv(key); v != "" {
*target = v
}
}
envStr("FELHOM_CUSTOMER_ID", &cfg.Customer.ID)
envStr("FELHOM_CUSTOMER_DOMAIN", &cfg.Customer.Domain)
envStr("FELHOM_WEB_LISTEN", &cfg.Web.Listen)
envStr("FELHOM_WEB_PASSWORD_HASH", &cfg.Web.PasswordHash)
envStr("FELHOM_PATHS_STACKS_DIR", &cfg.Paths.StacksDir)
envStr("FELHOM_LOGGING_LEVEL", &cfg.Logging.Level)
}
func validate(cfg *Config) error {
var errs []string
if cfg.Customer.ID == "" {
errs = append(errs, "customer.id is required")
}
if cfg.Customer.Domain == "" {
errs = append(errs, "customer.domain is required")
}
switch cfg.Logging.Level {
case "debug", "info", "warn", "error":
default:
errs = append(errs, fmt.Sprintf("logging.level must be debug|info|warn|error, got %q", cfg.Logging.Level))
}
if cfg.Monitoring.Thresholds.DiskWarnPercent >= cfg.Monitoring.Thresholds.DiskCritPercent {
errs = append(errs, "disk_warn_percent must be less than disk_crit_percent")
}
if len(errs) > 0 {
return fmt.Errorf("validation errors:\n - %s", strings.Join(errs, "\n - "))
}
return nil
}
// IsProtectedStack checks if a stack name is in the protected list.
func (cfg *Config) IsProtectedStack(name string) bool {
for _, p := range cfg.Stacks.Protected {
if strings.EqualFold(p, name) {
return true
}
}
return false
}
// AppLogoURL returns the primary logo URL (SVG). Use AppLogoPNGURL as fallback.
func (cfg *Config) AppLogoURL(slug string) string {
return fmt.Sprintf("/static/assets/%s-logo.svg", slug)
}
// AppLogoPNGURL returns the PNG fallback logo URL.
func (cfg *Config) AppLogoPNGURL(slug string) string {
return fmt.Sprintf("/static/assets/%s-logo.png", slug)
}
// AppScreenshotURL returns the local URL for an app's screenshot.
func (cfg *Config) AppScreenshotURL(slug string, index int) string {
return fmt.Sprintf("/static/assets/%s-screenshot-%d.webp", slug, index)
}
// AppPageURL returns the URL for an app's detail page.
// This links to the local controller-hosted app detail page.
func (cfg *Config) AppPageURL(slug string) string {
return fmt.Sprintf("/apps/%s", slug)
}
controller/controller.yaml.example
+123
View File
@@ -0,0 +1,123 @@
# =============================================================================
# Felhom Controller Configuration
# =============================================================================
# Location: /opt/docker/felhom-controller/controller.yaml
#
# This file contains ONLY infrastructure and customer identity config.
# Application-specific configuration (passwords, paths, etc.) is handled
# interactively during first deployment via the dashboard UI and stored
# per-app in /opt/docker/stacks/<app>/app.yaml
#
# Environment variable overrides: FELHOM_<SECTION>_<KEY>
# (e.g., FELHOM_CUSTOMER_DOMAIN=example.hu)
# =============================================================================
# --- Customer identity ---
customer:
id: "demo-felhom" # Unique customer identifier
name: "Demo Ügyfél" # Display name (shown on dashboard)
domain: "demo-felhom.eu" # Base domain for all services
email: "" # Customer notification email (optional)
telegram_chat_id: "" # Telegram notifications (optional, future)
# --- Infrastructure secrets ---
infrastructure:
cf_tunnel_token: "" # Cloudflare Tunnel token
cf_api_token: "" # Cloudflare API token (DNS-01 challenge)
# --- Paths (system-level only) ---
paths:
stacks_dir: "/opt/docker/stacks" # Where compose files live
data_dir: "/opt/docker/felhom-controller/data"
backup_dir: "/srv/backups"
db_dump_dir: "/srv/backups/db-dumps"
# --- Web UI ---
web:
listen: ":8080"
# Bcrypt hash. Empty = first-visit setup prompt.
password_hash: ""
session_secret: "" # Auto-generated on first start
# --- Git synchronization ---
git:
repo_url: "https://gitea.dooplex.hu/admin/app-catalog-felhom.eu.git"
branch: "main"
sync_interval: "15m"
username: ""
token: ""
# --- Stack management ---
stacks:
protected:
- "traefik"
- "cloudflared"
- "felhom-controller"
update_window: "03:00-05:00"
compose_command: ""
# --- Backup ---
backup:
enabled: true
restic_repo: "/srv/backups/restic-repo"
restic_password_file: "/opt/docker/felhom-controller/restic-password"
db_dump_schedule: "02:30"
restic_schedule: "03:00"
retention:
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
prune_schedule: "weekly"
# --- Monitoring ---
monitoring:
enabled: true
healthchecks_base: "https://status.felhom.eu"
ping_uuids:
db_dump: "CHANGEME-uuid-for-db-dump"
backup: "CHANGEME-uuid-for-backup"
system_health: "CHANGEME-uuid-for-system-health"
health_check_schedule: "06:00"
thresholds:
disk_warn_percent: 80
disk_crit_percent: 90
backup_max_age_hours: 36
cpu_warn_percent: 90
memory_warn_percent: 85
temperature_warn_celsius: 75
# --- Self-update ---
self_update:
enabled: true
check_interval: "6h"
image: "gitea.dooplex.hu/admin/felhom-controller"
auto_update: false
health_timeout_seconds: 60
# --- Notifications ---
notifications:
customer_events:
- "disk_warning"
- "backup_failed"
- "update_available"
- "security_update"
operator_events:
- "disk_critical"
- "backup_failed"
- "self_update_failed"
- "container_unhealthy"
# --- Logging ---
logging:
level: "info"
file: ""
max_size_mb: 10
max_files: 3
# --- Assets ---
assets:
# App logos, screenshots, and descriptions are baked into the container
# image at build time (from the felhom.eu website assets).
# Served locally at /static/assets/ — no external dependency.
# The source URL is only used during image build, not at runtime.
source_url: "https://felhom.eu"
controller/deploy.go
+301
View File
@@ -0,0 +1,301 @@
package stacks
import (
"crypto/rand"
"encoding/hex"
"fmt"
"math/big"
"os"
"path/filepath"
"strings"
"time"
"gopkg.in/yaml.v3"
)
// AppConfig holds the per-app deployment configuration.
// Saved as app.yaml in each stack directory after first deployment.
type AppConfig struct {
Deployed bool `yaml:"deployed" json:"deployed"`
DeployedAt string `yaml:"deployed_at" json:"deployed_at"`
Env map[string]string `yaml:"env" json:"env"`
LockedFields []string `yaml:"locked_fields" json:"locked_fields"`
}
// DeployRequest contains the user-provided values from the deploy form.
type DeployRequest struct {
StackName string `json:"stack_name"`
Values map[string]string `json:"values"` // env_var -> user-provided value
}
// DeployStack handles first-time deployment of an app:
// 1. Load metadata (.felhom.yml) to know what fields exist
// 2. Auto-generate secrets for secret/password fields without user values
// 3. Auto-fill domain from controller config
// 4. Merge with user-provided values
// 5. Save app.yaml
// 6. Run docker compose up -d with env vars
func (m *Manager) DeployStack(req DeployRequest) error {
stack, ok := m.GetStack(req.StackName)
if !ok {
return fmt.Errorf("stack %q not found", req.StackName)
}
stackDir := filepath.Dir(stack.ComposePath)
meta := LoadMetadata(stackDir)
// Check if already deployed
existing := LoadAppConfig(stackDir)
if existing != nil && existing.Deployed {
return fmt.Errorf("stack %q is already deployed; use update instead", req.StackName)
}
// Build the full env map
env := make(map[string]string)
var lockedFields []string
for _, field := range meta.DeployFields {
var value string
switch field.Type {
case "domain":
// Auto-fill from controller config
value = m.cfg.Customer.Domain
case "secret":
// Always auto-generate, user never sees these
generated, err := generateValue(field.Generate)
if err != nil {
return fmt.Errorf("generating %s: %w", field.EnvVar, err)
}
value = generated
case "password":
// Use user value if provided, otherwise generate
if userVal, ok := req.Values[field.EnvVar]; ok && userVal != "" {
value = userVal
} else if field.Generate != "" {
generated, err := generateValue(field.Generate)
if err != nil {
return fmt.Errorf("generating %s: %w", field.EnvVar, err)
}
value = generated
}
default:
// text, path, select, boolean — use user value or default
if userVal, ok := req.Values[field.EnvVar]; ok {
value = userVal
} else if field.Default != "" {
value = field.Default
}
}
// Validate required fields
if field.Required && value == "" {
return fmt.Errorf("required field %q (%s) is empty", field.Label, field.EnvVar)
}
// Validate path fields exist
if field.Type == "path" && value != "" {
if _, err := os.Stat(value); os.IsNotExist(err) {
return fmt.Errorf("path %q does not exist for field %q", value, field.Label)
}
}
if value != "" {
env[field.EnvVar] = value
}
if field.LockedAfterDeploy {
lockedFields = append(lockedFields, field.EnvVar)
}
}
// Save app.yaml
appCfg := &AppConfig{
Deployed: true,
DeployedAt: time.Now().UTC().Format(time.RFC3339),
Env: env,
LockedFields: lockedFields,
}
if err := SaveAppConfig(stackDir, appCfg); err != nil {
return fmt.Errorf("saving app config: %w", err)
}
m.logger.Printf("[INFO] Deploying stack %s with %d env vars", req.StackName, len(env))
// Run docker compose up -d
_, err := m.composeExecWithEnv(stackDir, env, "up", "-d")
if err != nil {
// Deployment failed — keep app.yaml for debugging but mark as not deployed
appCfg.Deployed = false
_ = SaveAppConfig(stackDir, appCfg)
return fmt.Errorf("docker compose up failed: %w", err)
}
m.logger.Printf("[INFO] Stack %s deployed successfully", req.StackName)
return m.RefreshStatus()
}
// UpdateStackConfig updates non-locked fields for a deployed stack.
func (m *Manager) UpdateStackConfig(name string, values map[string]string) error {
stack, ok := m.GetStack(name)
if !ok {
return fmt.Errorf("stack %q not found", name)
}
stackDir := filepath.Dir(stack.ComposePath)
appCfg := LoadAppConfig(stackDir)
if appCfg == nil || !appCfg.Deployed {
return fmt.Errorf("stack %q is not deployed yet", name)
}
// Apply changes, respecting locked fields
lockedSet := make(map[string]bool)
for _, f := range appCfg.LockedFields {
lockedSet[f] = true
}
for key, val := range values {
if lockedSet[key] {
return fmt.Errorf("field %q is locked and cannot be changed after deployment", key)
}
appCfg.Env[key] = val
}
if err := SaveAppConfig(stackDir, appCfg); err != nil {
return fmt.Errorf("saving updated config: %w", err)
}
// Restart with new env
_, err := m.composeExecWithEnv(stackDir, appCfg.Env, "up", "-d")
if err != nil {
return fmt.Errorf("restarting with new config: %w", err)
}
m.logger.Printf("[INFO] Stack %s config updated and restarted", name)
return m.RefreshStatus()
}
// composeExecWithEnv runs a compose command with custom env vars injected.
func (m *Manager) composeExecWithEnv(dir string, env map[string]string, args ...string) (string, error) {
// Build env slice: start with os env, then add our vars
cmdEnv := os.Environ()
for k, v := range env {
cmdEnv = append(cmdEnv, fmt.Sprintf("%s=%s", k, v))
}
// Always inject DOMAIN from controller config
cmdEnv = append(cmdEnv, fmt.Sprintf("DOMAIN=%s", m.cfg.Customer.Domain))
return m.composeExecCustomEnv(dir, cmdEnv, args...)
}
// GetDeployFields returns the deployment fields for a stack (for the deploy form).
func (m *Manager) GetDeployFields(name string) (*Metadata, *AppConfig, error) {
stack, ok := m.GetStack(name)
if !ok {
return nil, nil, fmt.Errorf("stack %q not found", name)
}
stackDir := filepath.Dir(stack.ComposePath)
meta := LoadMetadata(stackDir)
appCfg := LoadAppConfig(stackDir)
return &meta, appCfg, nil
}
// --- App config persistence ---
// LoadAppConfig reads app.yaml from a stack directory.
// Returns nil if the file doesn't exist.
func LoadAppConfig(stackDir string) *AppConfig {
path := filepath.Join(stackDir, "app.yaml")
data, err := os.ReadFile(path)
if err != nil {
return nil
}
cfg := &AppConfig{}
if err := yaml.Unmarshal(data, cfg); err != nil {
return nil
}
return cfg
}
// SaveAppConfig writes app.yaml to a stack directory.
func SaveAppConfig(stackDir string, cfg *AppConfig) error {
data, err := yaml.Marshal(cfg)
if err != nil {
return fmt.Errorf("marshaling app config: %w", err)
}
path := filepath.Join(stackDir, "app.yaml")
header := "# Auto-generated by felhom-controller — do not edit locked fields manually\n"
content := header + string(data)
if err := os.WriteFile(path, []byte(content), 0600); err != nil {
return fmt.Errorf("writing %s: %w", path, err)
}
return nil
}
// --- Secret generation ---
const alphanumChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
// generateValue creates a random value based on the generator spec.
// Formats: "password:N", "hex:N", "static:VALUE"
func generateValue(spec string) (string, error) {
if spec == "" {
return "", fmt.Errorf("empty generator spec")
}
parts := strings.SplitN(spec, ":", 2)
if len(parts) != 2 {
return "", fmt.Errorf("invalid generator spec: %q (expected type:param)", spec)
}
genType := parts[0]
param := parts[1]
switch genType {
case "password":
length := 0
if _, err := fmt.Sscanf(param, "%d", &length); err != nil || length <= 0 {
return "", fmt.Errorf("invalid password length: %q", param)
}
return randomAlphanumeric(length)
case "hex":
byteLen := 0
if _, err := fmt.Sscanf(param, "%d", &byteLen); err != nil || byteLen <= 0 {
return "", fmt.Errorf("invalid hex length: %q", param)
}
b := make([]byte, byteLen)
if _, err := rand.Read(b); err != nil {
return "", fmt.Errorf("reading random bytes: %w", err)
}
return hex.EncodeToString(b), nil
case "static":
return param, nil
default:
return "", fmt.Errorf("unknown generator type: %q", genType)
}
}
func randomAlphanumeric(length int) (string, error) {
result := make([]byte, length)
for i := range result {
n, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphanumChars))))
if err != nil {
return "", err
}
result[i] = alphanumChars[n.Int64()]
}
return string(result), nil
}
controller/docker-compose.yml
+54
View File
@@ -0,0 +1,54 @@
# =============================================================================
# felhom-controller Docker Compose
# This is deployed as an infrastructure component alongside Traefik/Cloudflared
# =============================================================================
services:
felhom-controller:
image: gitea.dooplex.hu/admin/felhom-controller:latest
container_name: felhom-controller
restart: unless-stopped
ports:
- "8080:8080"
volumes:
# Docker socket — required for compose operations
- /var/run/docker.sock:/var/run/docker.sock:ro
# Controller config
- /opt/docker/felhom-controller/controller.yaml:/opt/docker/felhom-controller/controller.yaml:ro
# Controller persistent data (sessions, state)
- controller-data:/opt/docker/felhom-controller/data
# Stack compose files (read + write for git sync)
- /opt/docker/stacks:/opt/docker/stacks
# Backup directories
- /srv/backups:/srv/backups
# Restic password file
- /opt/docker/felhom-controller/restic-password:/opt/docker/felhom-controller/restic-password:ro
# HDD mount (if available, for backup paths)
- ${HDD_PATH:-/mnt/hdd_placeholder}:${HDD_PATH:-/mnt/hdd_placeholder}:ro
environment:
- TZ=Europe/Budapest
labels:
- "traefik.enable=true"
- "traefik.http.routers.controller.rule=Host(`dashboard.${DOMAIN}`)"
- "traefik.http.routers.controller.entrypoints=websecure"
- "traefik.http.routers.controller.tls=true"
- "traefik.http.services.controller.loadbalancer.server.port=8080"
- "traefik.docker.network=traefik-public"
# Health check labels for monitoring
- "felhom.managed=true"
- "felhom.component=controller"
networks:
- traefik-public
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/api/health"]
interval: 30s
timeout: 5s
start_period: 10s
retries: 3
volumes:
controller-data:
networks:
traefik-public:
external: true
controller/example-felhom-metadata.yml
+106
View File
@@ -0,0 +1,106 @@
# =============================================================================
# .felhom.yml — App metadata for felhom-controller
# =============================================================================
# Place alongside docker-compose.yml in each stack directory:
# /opt/docker/stacks/paperless-ngx/.felhom.yml
#
# This file defines:
# 1. Display info (name, description, icon)
# 2. Deploy fields (what the user fills in during first deployment)
# 3. Asset references (logos, screenshots loaded from felhom.eu)
# 4. Resource hints (RAM, Pi compatibility)
# =============================================================================
# --- Display info (shown on dashboard) ---
display_name: "Paperless-ngx"
description: "Dokumentumok digitalizálása és rendszerezése"
category: "productivity" # productivity, media, finance, security, tools
subdomain: "paperless" # -> paperless.<domain>
# --- Asset slug ---
# Used to construct URLs for logo and screenshots from felhom.eu:
# Logo: {assets.base_url}/assets/{slug}-logo.webp
# Screenshot: {assets.base_url}/assets/{slug}-screenshot-{n}.webp
# App page: {assets.base_url}/alkalmazasok#{slug}
# Falls back to directory name if not set.
slug: "paperless-ngx"
# --- Resource hints (displayed on deploy screen) ---
resources:
ram: "~500MB"
pi_compatible: true # Runs on Raspberry Pi 3B+
needs_hdd: true # Needs external storage for user data
# --- Deploy fields ---
# Shown to the user during first deployment.
# After deployment, values are saved to app.yaml in the stack directory.
#
# Field types:
# domain - Auto-filled from controller config, read-only
# secret - Auto-generated, hidden (user sees "Generated ✓")
# password - Auto-generated but shown, user can override
# path - Filesystem path (validated for existence)
# text - Free text input
# select - Dropdown with predefined options
# boolean - Toggle switch
#
# Generator types (for secret/password):
# password:N - N chars alphanumeric
# hex:N - N bytes hex-encoded
# static:VAL - Fixed value
deploy_fields:
- env_var: DOMAIN
label: "Domain"
type: domain
description: "A szerver domain neve"
locked_after_deploy: true
- env_var: DB_PASSWORD
label: "Adatbázis jelszó"
type: secret
generate: "password:24"
locked_after_deploy: true
- env_var: PAPERLESS_SECRET_KEY
label: "Titkosítási kulcs"
type: secret
generate: "hex:32"
locked_after_deploy: true
- env_var: PAPERLESS_ADMIN_USER
label: "Admin felhasználónév"
type: text
default: "admin"
locked_after_deploy: false
- env_var: PAPERLESS_ADMIN_PASSWORD
label: "Admin jelszó"
type: password
generate: "password:16"
description: "Első bejelentkezéshez. Utána a webes felületen módosítható."
locked_after_deploy: false
- env_var: HDD_PATH
label: "Adattárolási útvonal"
type: path
required: true
placeholder: "/mnt/hdd_1"
description: "A külső merevlemez elérési útja, ahol a dokumentumok tárolódnak"
locked_after_deploy: true
- env_var: PAPERLESS_OCR_LANGUAGE
label: "OCR nyelv"
type: select
default: "hun+eng"
options:
- value: "hun"
label: "Magyar"
- value: "eng"
label: "Angol"
- value: "hun+eng"
label: "Magyar + Angol"
- value: "deu+eng"
label: "Német + Angol"
description: "Dokumentum felismerés nyelve"
locked_after_deploy: false
controller/go.mod
+8
View File
@@ -0,0 +1,8 @@
module gitea.dooplex.hu/admin/felhom-controller
go 1.22
require (
gopkg.in/yaml.v3 v3.0.1
golang.org/x/crypto v0.31.0
)
controller/hashpass.go
+27
View File
@@ -0,0 +1,27 @@
package main
import (
"fmt"
"os"
"golang.org/x/crypto/bcrypt"
)
// Usage: go run scripts/hashpass.go <password>
// Outputs a bcrypt hash suitable for controller.yaml password_hash field.
func main() {
if len(os.Args) < 2 {
fmt.Fprintf(os.Stderr, "Usage: %s <password>\n", os.Args[0])
fmt.Fprintf(os.Stderr, "Generates a bcrypt hash for the felhom-controller config.\n")
os.Exit(1)
}
password := os.Args[1]
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
fmt.Fprintf(os.Stderr, "Error generating hash: %v\n", err)
os.Exit(1)
}
fmt.Println(string(hash))
}
controller/main.go
+137
View File
@@ -0,0 +1,137 @@
package main
import (
"context"
"flag"
"fmt"
"log"
"net/http"
"os"
"os/signal"
"syscall"
"time"
"gitea.dooplex.hu/admin/felhom-controller/internal/api"
"gitea.dooplex.hu/admin/felhom-controller/internal/config"
"gitea.dooplex.hu/admin/felhom-controller/internal/stacks"
"gitea.dooplex.hu/admin/felhom-controller/internal/web"
)
var (
// Set at build time via ldflags
Version = "dev"
BuildTime = "unknown"
GitCommit = "unknown"
)
func main() {
configPath := flag.String("config", "/opt/docker/felhom-controller/controller.yaml", "Path to configuration file")
showVersion := flag.Bool("version", false, "Show version and exit")
flag.Parse()
if *showVersion {
fmt.Printf("felhom-controller %s (built %s, commit %s)\n", Version, BuildTime, GitCommit)
os.Exit(0)
}
// --- Load configuration ---
cfg, err := config.Load(*configPath)
if err != nil {
log.Fatalf("[FATAL] Failed to load config from %s: %v", *configPath, err)
}
logger := setupLogger(cfg)
logger.Printf("[INFO] felhom-controller %s starting (customer: %s, domain: %s)",
Version, cfg.Customer.ID, cfg.Customer.Domain)
// --- Initialize stack manager ---
stackMgr, err := stacks.NewManager(cfg, logger)
if err != nil {
logger.Fatalf("[FATAL] Failed to initialize stack manager: %v", err)
}
// Initial stack scan
if err := stackMgr.ScanStacks(); err != nil {
logger.Printf("[WARN] Initial stack scan failed: %v", err)
}
// --- Initialize API router ---
apiRouter := api.NewRouter(cfg, stackMgr, logger)
// --- Initialize web server ---
webServer := web.NewServer(cfg, stackMgr, logger, Version)
// --- Build HTTP mux ---
mux := http.NewServeMux()
// API routes (no auth for health endpoint, auth for everything else)
mux.HandleFunc("/api/health", apiRouter.HealthHandler)
mux.Handle("/api/", webServer.RequireAuth(http.HandlerFunc(apiRouter.ServeHTTP)))
// Web UI routes (auth required)
mux.Handle("/", webServer.RequireAuth(http.HandlerFunc(webServer.ServeHTTP)))
// --- Start HTTP server ---
server := &http.Server{
Addr: cfg.Web.Listen,
Handler: mux,
ReadTimeout: 30 * time.Second,
WriteTimeout: 60 * time.Second,
IdleTimeout: 120 * time.Second,
}
// --- Graceful shutdown ---
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
sigCh := make(chan os.Signal, 1)
signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
go func() {
sig := <-sigCh
logger.Printf("[INFO] Received signal %v, shutting down...", sig)
cancel()
shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 15*time.Second)
defer shutdownCancel()
if err := server.Shutdown(shutdownCtx); err != nil {
logger.Printf("[ERROR] HTTP server shutdown error: %v", err)
}
}()
// --- Start background tasks ---
// Periodic stack status refresh
go func() {
ticker := time.NewTicker(30 * time.Second)
defer ticker.Stop()
for {
select {
case <-ctx.Done():
return
case <-ticker.C:
if err := stackMgr.RefreshStatus(); err != nil {
logger.Printf("[WARN] Status refresh failed: %v", err)
}
}
}
}()
logger.Printf("[INFO] Web UI listening on %s", cfg.Web.Listen)
if err := server.ListenAndServe(); err != http.ErrServerClosed {
logger.Fatalf("[FATAL] HTTP server error: %v", err)
}
logger.Println("[INFO] felhom-controller stopped")
}
func setupLogger(cfg *config.Config) *log.Logger {
// For now, log to stdout. File logging will be added later.
logger := log.New(os.Stdout, "", log.LstdFlags)
if cfg.Logging.Level == "debug" {
logger.SetFlags(log.LstdFlags | log.Lshortfile)
}
return logger
}
controller/manager.go
+452
View File
@@ -0,0 +1,452 @@
package stacks
import (
"bytes"
"fmt"
"log"
"os"
"os/exec"
"path/filepath"
"strings"
"sync"
"time"
"gitea.dooplex.hu/admin/felhom-controller/internal/config"
)
// ContainerState represents the current state of a container.
type ContainerState string
const (
StateRunning ContainerState = "running"
StateStopped ContainerState = "stopped"
StateRestarting ContainerState = "restarting"
StateExited ContainerState = "exited"
StatePaused ContainerState = "paused"
StateUnknown ContainerState = "unknown"
StateNotDeployed ContainerState = "not_deployed"
)
// ContainerInfo holds status info about a single container within a stack.
type ContainerInfo struct {
Name string `json:"name"`
Image string `json:"image"`
State ContainerState `json:"state"`
Status string `json:"status"` // e.g. "Up 3 hours"
}
// Stack represents a docker compose stack on disk.
type Stack struct {
Name string `json:"name"`
Meta Metadata `json:"meta"`
ComposePath string `json:"compose_path"`
State ContainerState `json:"state"`
Deployed bool `json:"deployed"` // Has app.yaml with deployed=true
Protected bool `json:"protected"`
Containers []ContainerInfo `json:"containers"`
AppConfig *AppConfig `json:"app_config,omitempty"`
LastUpdated time.Time `json:"last_updated"`
}
// Manager handles all docker compose stack operations.
type Manager struct {
cfg *config.Config
logger *log.Logger
composeCmd string
stacks map[string]*Stack
mu sync.RWMutex
}
// NewManager creates a new stack manager.
func NewManager(cfg *config.Config, logger *log.Logger) (*Manager, error) {
composeCmd := cfg.Stacks.ComposeCommand
if composeCmd == "" {
composeCmd = detectComposeCommand()
}
if composeCmd == "" {
return nil, fmt.Errorf("docker compose not found (tried 'docker compose' and 'docker-compose')")
}
logger.Printf("[INFO] Using compose command: %s", composeCmd)
if err := os.MkdirAll(cfg.Paths.StacksDir, 0755); err != nil {
return nil, fmt.Errorf("creating stacks directory %s: %w", cfg.Paths.StacksDir, err)
}
return &Manager{
cfg: cfg,
logger: logger,
composeCmd: composeCmd,
stacks: make(map[string]*Stack),
}, nil
}
// toTitleCase capitalizes the first letter of each word.
func toTitleCase(s string) string {
words := strings.Fields(s)
for i, w := range words {
if len(w) > 0 {
words[i] = strings.ToUpper(w[:1]) + w[1:]
}
}
return strings.Join(words, " ")
}
func detectComposeCommand() string {
if err := exec.Command("docker", "compose", "version").Run(); err == nil {
return "docker compose"
}
if _, err := exec.LookPath("docker-compose"); err == nil {
return "docker-compose"
}
return ""
}
// ScanStacks discovers all compose stacks in the stacks directory.
func (m *Manager) ScanStacks() error {
m.mu.Lock()
defer m.mu.Unlock()
entries, err := os.ReadDir(m.cfg.Paths.StacksDir)
if err != nil {
return fmt.Errorf("reading stacks directory: %w", err)
}
found := make(map[string]bool)
for _, entry := range entries {
if !entry.IsDir() {
continue
}
name := entry.Name()
stackDir := filepath.Join(m.cfg.Paths.StacksDir, name)
composePath := filepath.Join(stackDir, "docker-compose.yml")
if _, err := os.Stat(composePath); os.IsNotExist(err) {
composePath = filepath.Join(stackDir, "docker-compose.yaml")
if _, err := os.Stat(composePath); os.IsNotExist(err) {
continue
}
}
found[name] = true
meta := LoadMetadata(stackDir)
appCfg := LoadAppConfig(stackDir)
deployed := appCfg != nil && appCfg.Deployed
if existing, ok := m.stacks[name]; ok {
existing.ComposePath = composePath
existing.Meta = meta
existing.Protected = m.cfg.IsProtectedStack(name)
existing.Deployed = deployed
existing.AppConfig = appCfg
} else {
m.stacks[name] = &Stack{
Name: name,
Meta: meta,
ComposePath: composePath,
State: StateNotDeployed,
Deployed: deployed,
Protected: m.cfg.IsProtectedStack(name),
AppConfig: appCfg,
}
}
}
// Remove stacks no longer on disk
for name := range m.stacks {
if !found[name] {
delete(m.stacks, name)
}
}
m.logger.Printf("[INFO] Scanned stacks: %d found", len(m.stacks))
return m.refreshStatusLocked()
}
// RefreshStatus updates container status for all known stacks.
func (m *Manager) RefreshStatus() error {
m.mu.Lock()
defer m.mu.Unlock()
return m.refreshStatusLocked()
}
func (m *Manager) refreshStatusLocked() error {
output, err := m.execCommand("docker", "ps", "-a",
"--format", "{{.Names}}\t{{.Image}}\t{{.State}}\t{{.Status}}\t{{.Label \"com.docker.compose.project\"}}",
"--no-trunc")
if err != nil {
return fmt.Errorf("docker ps: %w", err)
}
projectContainers := make(map[string][]ContainerInfo)
for _, line := range strings.Split(strings.TrimSpace(output), "\n") {
if line == "" {
continue
}
parts := strings.SplitN(line, "\t", 5)
if len(parts) < 5 || parts[4] == "" {
continue
}
ci := ContainerInfo{
Name: parts[0],
Image: parts[1],
State: parseContainerState(parts[2]),
Status: parts[3],
}
projectContainers[parts[4]] = append(projectContainers[parts[4]], ci)
}
for name, stack := range m.stacks {
containers, exists := projectContainers[name]
if !exists {
stack.Containers = nil
if stack.Deployed {
stack.State = StateStopped
} else {
stack.State = StateNotDeployed
}
} else {
stack.Containers = containers
stack.State = aggregateState(containers)
}
stack.LastUpdated = time.Now()
}
return nil
}
func parseContainerState(s string) ContainerState {
switch strings.ToLower(strings.TrimSpace(s)) {
case "running":
return StateRunning
case "exited":
return StateExited
case "restarting":
return StateRestarting
case "paused":
return StatePaused
case "created", "dead", "removing":
return StateStopped
default:
return StateUnknown
}
}
func aggregateState(containers []ContainerInfo) ContainerState {
if len(containers) == 0 {
return StateNotDeployed
}
for _, c := range containers {
if c.State == StateRunning {
return StateRunning
}
}
for _, c := range containers {
if c.State == StateRestarting {
return StateRestarting
}
}
return StateStopped
}
// --- Stack accessors ---
func (m *Manager) GetStacks() []Stack {
m.mu.RLock()
defer m.mu.RUnlock()
result := make([]Stack, 0, len(m.stacks))
for _, s := range m.stacks {
result = append(result, *s)
}
return result
}
func (m *Manager) GetStack(name string) (*Stack, bool) {
m.mu.RLock()
defer m.mu.RUnlock()
s, ok := m.stacks[name]
if !ok {
return nil, false
}
copy := *s
return &copy, true
}
// --- Stack operations ---
// StartStack, StopStack, etc. now load app.yaml env for deployed stacks.
func (m *Manager) StartStack(name string) error {
stack, ok := m.GetStack(name)
if !ok {
return fmt.Errorf("stack %q not found", name)
}
m.logger.Printf("[INFO] Starting stack: %s", name)
dir := filepath.Dir(stack.ComposePath)
env := m.stackEnv(dir)
if _, err := m.composeExecCustomEnv(dir, env, "up", "-d"); err != nil {
return fmt.Errorf("starting stack %s: %w", name, err)
}
m.logger.Printf("[INFO] Stack %s started", name)
return m.RefreshStatus()
}
func (m *Manager) StopStack(name string) error {
if m.cfg.IsProtectedStack(name) {
return fmt.Errorf("stack %q is protected and cannot be stopped", name)
}
stack, ok := m.GetStack(name)
if !ok {
return fmt.Errorf("stack %q not found", name)
}
m.logger.Printf("[INFO] Stopping stack: %s", name)
dir := filepath.Dir(stack.ComposePath)
if _, err := m.composeExec(dir, "down"); err != nil {
return fmt.Errorf("stopping stack %s: %w", name, err)
}
m.logger.Printf("[INFO] Stack %s stopped", name)
return m.RefreshStatus()
}
func (m *Manager) RestartStack(name string) error {
stack, ok := m.GetStack(name)
if !ok {
return fmt.Errorf("stack %q not found", name)
}
m.logger.Printf("[INFO] Restarting stack: %s", name)
dir := filepath.Dir(stack.ComposePath)
if _, err := m.composeExec(dir, "restart"); err != nil {
return fmt.Errorf("restarting stack %s: %w", name, err)
}
m.logger.Printf("[INFO] Stack %s restarted", name)
return m.RefreshStatus()
}
func (m *Manager) UpdateStack(name string) error {
stack, ok := m.GetStack(name)
if !ok {
return fmt.Errorf("stack %q not found", name)
}
m.logger.Printf("[INFO] Updating stack: %s", name)
dir := filepath.Dir(stack.ComposePath)
env := m.stackEnv(dir)
if _, err := m.composeExecCustomEnv(dir, env, "pull"); err != nil {
return fmt.Errorf("pulling images for %s: %w", name, err)
}
if _, err := m.composeExecCustomEnv(dir, env, "up", "-d", "--remove-orphans"); err != nil {
return fmt.Errorf("recreating %s: %w", name, err)
}
m.logger.Printf("[INFO] Stack %s updated", name)
return m.RefreshStatus()
}
func (m *Manager) GetLogs(name string, lines int) (string, error) {
stack, ok := m.GetStack(name)
if !ok {
return "", fmt.Errorf("stack %q not found", name)
}
if lines <= 0 {
lines = 100
}
if lines > 1000 {
lines = 1000
}
dir := filepath.Dir(stack.ComposePath)
output, err := m.composeExec(dir, "logs", "--tail", fmt.Sprintf("%d", lines), "--no-color")
if err != nil {
return "", fmt.Errorf("getting logs for %s: %w", name, err)
}
return output, nil
}
// --- Env and compose helpers ---
// stackEnv builds the full OS env slice for a stack, merging app.yaml values.
func (m *Manager) stackEnv(stackDir string) []string {
env := os.Environ()
// Always inject DOMAIN
env = append(env, fmt.Sprintf("DOMAIN=%s", m.cfg.Customer.Domain))
// Load app.yaml if it exists — merge its env vars
appCfg := LoadAppConfig(stackDir)
if appCfg != nil {
for k, v := range appCfg.Env {
env = append(env, fmt.Sprintf("%s=%s", k, v))
}
}
return env
}
func (m *Manager) composeExec(dir string, args ...string) (string, error) {
return m.composeExecCustomEnv(dir, nil, args...)
}
func (m *Manager) composeExecCustomEnv(dir string, env []string, args ...string) (string, error) {
var cmd *exec.Cmd
if m.composeCmd == "docker compose" {
fullArgs := append([]string{"compose"}, args...)
cmd = exec.Command("docker", fullArgs...)
} else {
cmd = exec.Command("docker-compose", args...)
}
cmd.Dir = dir
if env != nil {
cmd.Env = env
} else {
cmd.Env = m.stackEnv(dir)
}
var stdout, stderr bytes.Buffer
cmd.Stdout = &stdout
cmd.Stderr = &stderr
m.logger.Printf("[DEBUG] Running: %s %s (in %s)", m.composeCmd, strings.Join(args, " "), dir)
if err := cmd.Run(); err != nil {
return stdout.String(), fmt.Errorf("%w\nstderr: %s", err, stderr.String())
}
return stdout.String(), nil
}
func (m *Manager) execCommand(name string, args ...string) (string, error) {
cmd := exec.Command(name, args...)
var stdout, stderr bytes.Buffer
cmd.Stdout = &stdout
cmd.Stderr = &stderr
if err := cmd.Run(); err != nil {
return "", fmt.Errorf("exec %s %s: %w\nstderr: %s", name, strings.Join(args, " "), err, stderr.String())
}
return stdout.String(), nil
}
controller/metadata.go
+132
View File
@@ -0,0 +1,132 @@
package stacks
import (
"os"
"path/filepath"
"strings"
"gopkg.in/yaml.v3"
)
// Metadata holds app information parsed from .felhom.yml.
type Metadata struct {
DisplayName string `yaml:"display_name" json:"display_name"`
Description string `yaml:"description" json:"description"`
Category string `yaml:"category" json:"category"`
Subdomain string `yaml:"subdomain" json:"subdomain"`
Slug string `yaml:"slug" json:"slug"`
Resources ResourceHints `yaml:"resources" json:"resources"`
DeployFields []DeployField `yaml:"deploy_fields" json:"deploy_fields"`
}
// ResourceHints describe what the app needs.
type ResourceHints struct {
RAM string `yaml:"ram" json:"ram"`
PiCompatible bool `yaml:"pi_compatible" json:"pi_compatible"`
NeedsHDD bool `yaml:"needs_hdd" json:"needs_hdd"`
}
// DeployField defines one configuration field shown during first deployment.
type DeployField struct {
EnvVar string `yaml:"env_var" json:"env_var"`
Label string `yaml:"label" json:"label"`
Type string `yaml:"type" json:"type"` // domain, secret, password, path, text, select, boolean
Generate string `yaml:"generate" json:"generate"` // e.g., "password:24", "hex:32", "static:admin"
Default string `yaml:"default" json:"default"`
Required bool `yaml:"required" json:"required"`
Placeholder string `yaml:"placeholder" json:"placeholder"`
Description string `yaml:"description" json:"description"`
LockedAfterDeploy bool `yaml:"locked_after_deploy" json:"locked_after_deploy"`
Options []SelectOption `yaml:"options" json:"options,omitempty"`
}
// SelectOption is a choice for "select" type fields.
type SelectOption struct {
Value string `yaml:"value" json:"value"`
Label string `yaml:"label" json:"label"`
}
// LoadMetadata reads .felhom.yml from a stack directory.
// Returns default metadata if the file doesn't exist.
func LoadMetadata(stackDir string) Metadata {
meta := Metadata{}
path := filepath.Join(stackDir, ".felhom.yml")
data, err := os.ReadFile(path)
if err != nil {
// No metadata file — build defaults from directory name
dirName := filepath.Base(stackDir)
meta.DisplayName = toTitleCase(strings.ReplaceAll(dirName, "-", " "))
meta.Slug = dirName
meta.Category = "tools"
return meta
}
if err := yaml.Unmarshal(data, &meta); err != nil {
// Parse error — still return defaults
dirName := filepath.Base(stackDir)
meta.DisplayName = toTitleCase(strings.ReplaceAll(dirName, "-", " "))
meta.Slug = dirName
return meta
}
// Fill in defaults for missing fields
dirName := filepath.Base(stackDir)
if meta.Slug == "" {
meta.Slug = dirName
}
if meta.DisplayName == "" {
meta.DisplayName = toTitleCase(strings.ReplaceAll(dirName, "-", " "))
}
if meta.Category == "" {
meta.Category = "tools"
}
// DOMAIN field is always auto-filled — mark it implicitly required
for i := range meta.DeployFields {
if meta.DeployFields[i].Type == "domain" {
meta.DeployFields[i].Required = true
meta.DeployFields[i].LockedAfterDeploy = true
}
// secret fields are always locked after deploy
if meta.DeployFields[i].Type == "secret" {
meta.DeployFields[i].LockedAfterDeploy = true
}
}
return meta
}
// HasDeployFields returns true if the app has any user-facing deploy fields
// (i.e., fields beyond auto-filled domain and auto-generated secrets).
func (m *Metadata) HasDeployFields() bool {
for _, f := range m.DeployFields {
if f.Type != "domain" && f.Type != "secret" {
return true
}
}
return false
}
// UserFacingFields returns only fields the user needs to interact with.
// Excludes auto-filled (domain) and fully hidden (secret) fields.
func (m *Metadata) UserFacingFields() []DeployField {
var fields []DeployField
for _, f := range m.DeployFields {
if f.Type != "domain" && f.Type != "secret" {
fields = append(fields, f)
}
}
return fields
}
// AutoGeneratedFields returns fields that are generated without user input.
func (m *Metadata) AutoGeneratedFields() []DeployField {
var fields []DeployField
for _, f := range m.DeployFields {
if f.Type == "secret" || f.Type == "domain" {
fields = append(fields, f)
}
}
return fields
}
controller/mnt/user-data/outputs/felhom-controller/README.md
+283
View File
@@ -0,0 +1,283 @@
# felhom-controller
**Central management container for Felhom home servers.**
Replaces Portainer + scattered systemd scripts with a single, lightweight container that provides:
- Hungarian-language web dashboard for customers
- Docker Compose stack management (start/stop/update)
- Backup orchestration (DB dumps + restic snapshots)
- System health monitoring with Healthchecks pings
- Git-based stack synchronization with update management
- Self-update with automatic rollback on failure
## Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ Customer Hardware (N100 mini PC / Raspberry Pi) │
│ │
│ ┌──────────┐ ┌────────────────────────────────────────────┐ │
│ │ Traefik │ │ felhom-controller │ │
│ │ (reverse │──▶│ │ │
│ │ proxy) │ │ ┌──────────┐ ┌─────────────────────────┐│ │
│ └──────────┘ │ │ Web UI │ │ Stack Manager ││ │
│ │ │ (HU dash │ │ (compose up/down/pull, ││ │
│ ┌──────────┐ │ │ board) │ │ git sync, update mgmt) ││ │
│ │cloudflared│ │ └──────────┘ └─────────────────────────┘│ │
│ │ (tunnel) │ │ ┌──────────┐ ┌─────────────────────────┐│ │
│ └──────────┘ │ │ Backup │ │ Monitor & Pinger ││ │
│ │ │ (db dump │ │ (healthchecks pings, ││ │
│ ┌──────────┐ │ │ restic) │ │ system metrics) ││ │
│ │ App │ │ └──────────┘ └─────────────────────────┘│ │
│ │ stacks │ │ ┌──────────┐ ┌─────────────────────────┐│ │
│ │ (docker │ │ │Scheduler │ │ REST API ││ │
│ │ compose) │ │ │(cron-like│ │ (for UI + remote mgmt) ││ │
│ └──────────┘ │ │ jobs) │ └─────────────────────────┘│ │
│ │ └──────────┘ │ │
│ └────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
│ pings │ git pull
▼ ▼
status.felhom.eu gitea.dooplex.hu
(Healthchecks on k3s) (stack definitions)
```
## Module Overview
| Module | Path | Responsibility |
|--------|------|----------------|
| **Config** | `internal/config/` | Load & validate controller.yaml |
| **Stacks** | `internal/stacks/` | Docker Compose operations, catalog, container status |
| **Backup** | `internal/backup/` | DB dumps, restic snapshots, restore |
| **Monitor** | `internal/monitor/` | Health checks, Healthchecks pings, system metrics |
| **Scheduler** | `internal/scheduler/` | Cron-like job runner for all periodic tasks |
| **API** | `internal/api/` | REST API endpoints (consumed by web UI + remote mgmt) |
| **Web** | `internal/web/` | Dashboard UI, static files, server-side templates |
## Stack Management
### How stacks get onto the machine
1. During initial setup, `deploy-felhom-compose.sh` clones the app catalog
2. Compose files + `.felhom.yml` metadata land in `/opt/docker/stacks/<app>/`
3. The controller periodically pulls from Git to detect changes
### First deployment flow (via dashboard)
1. Customer sees app card with "🚀 Telepítés" (Deploy) button
2. Clicks → deploy page shows:
- **Auto-filled**: DOMAIN (from controller config), read-only
- **Auto-generated**: DB passwords, secret keys (shown as "✓ Generated")
- **User input**: HDD path, admin password, language, etc.
- **"🎲 Generálás"** button next to password fields
3. Clicks "Telepítés" → controller:
- Generates all secrets
- Validates required fields (checks path exists, etc.)
- Saves `app.yaml` (env vars + locked fields list)
- Runs `docker compose up -d` with env vars injected
4. Post-deploy: locked fields (DB_PASSWORD, etc.) become read-only
### Update strategy
Stack updates are classified in the Git repository via markers:
| Marker | Behavior |
|--------|----------|
| No marker | Optional update — shown on dashboard, customer clicks "Update" |
| `UPDATE_REQUIRED=true` | Mandatory — auto-applied during next update window |
| `UPDATE_SECURITY=true` | Critical — applied immediately (within minutes) |
The update window is configurable per customer (default: 03:00-05:00 local time).
### Protected stacks
The following stacks cannot be stopped from the customer UI:
- `traefik` (reverse proxy)
- `cloudflared` (tunnel)
- `felhom-controller` (this container)
## Backup Strategy
The controller replaces Backrest and manages backups directly:
1. **DB dumps** (default 02:30): Discovers running database containers, dumps via pg_dump/mysqldump
2. **Restic snapshots** (default 03:00): Backs up `/opt/docker/stacks/` data + DB dumps
3. **Verification**: Periodically checks snapshot integrity
4. **Pruning**: Configurable retention (default: 7 daily, 4 weekly, 6 monthly)
Backup status is displayed on the dashboard and reported to Healthchecks.
## Self-Update Mechanism
1. Controller checks for new image versions periodically
2. Before updating: creates a restic snapshot of its own config
3. Pulls new image, recreates container
4. Health check timeout (60s) — if new container doesn't become healthy → rollback
5. Rollback: restores previous image tag, restarts with old config
## Configuration
### Controller config (infrastructure only)
Single YAML file per customer: `/opt/docker/felhom-controller/controller.yaml`
Contains customer identity, infrastructure secrets, backup/monitoring settings.
Does **not** contain app-specific config (HDD paths, DB passwords, etc.).
See `configs/controller.yaml.example` for the full reference.
### Per-app config (created during deployment)
Each deployed app gets an `app.yaml` in its stack directory:
```yaml
# /opt/docker/stacks/paperless-ngx/app.yaml
# Auto-generated by felhom-controller — do not edit locked fields manually
deployed: true
deployed_at: "2026-02-13T14:30:00Z"
env:
DOMAIN: "demo-felhom.eu"
DB_PASSWORD: "a7f2b9c1e4d..." # locked
PAPERLESS_SECRET_KEY: "8b3e..." # locked
PAPERLESS_ADMIN_USER: "admin" # editable
HDD_PATH: "/mnt/hdd_1" # locked
locked_fields:
- DB_PASSWORD
- PAPERLESS_SECRET_KEY
- DOMAIN
- HDD_PATH
```
Fields are defined in each stack's `.felhom.yml` metadata file. See
`configs/example-felhom-metadata.yml` for the full format.
### App assets (logos, screenshots, descriptions)
Baked into the container image at build time — no external dependencies at runtime.
Assets are synced from the felhom.eu website repo before building:
```bash
make sync-assets # copies from ../felhom.eu/website/assets/
make sync-assets WEBSITE_ASSETS_DIR=/path # or specify custom path
```
Served locally at `/static/assets/`. Naming convention matches the website:
| Asset | File pattern | Served at |
|-------|-------------|-----------|
| Logo (SVG) | `assets/{slug}-logo.svg` | `/static/assets/{slug}-logo.svg` |
| Logo (PNG fallback) | `assets/{slug}-logo.png` | `/static/assets/{slug}-logo.png` |
| Screenshot | `assets/{slug}-screenshot-{n}.webp` | `/static/assets/{slug}-screenshot-{n}.webp` |
## Build & Deploy
```bash
# Build for both architectures
make build-all
# Build Docker image
make docker-build
# Push to registry
make docker-push
# Build for specific arch
make build-amd64
make build-arm64
```
## Development
```bash
# Run locally (needs Docker socket)
go run ./cmd/controller/ --config configs/controller.yaml.example
# Run tests
go test ./...
# Lint
golangci-lint run
```
## Repository Layout
```
felhom-controller/
├── cmd/controller/ # Entry point
│ └── main.go
├── internal/
│ ├── config/ # Configuration loading
│ │ └── config.go
│ ├── stacks/ # Docker Compose stack management
│ │ ├── manager.go # Core: scan, start, stop, restart, update, logs
│ │ ├── metadata.go # Parse .felhom.yml app metadata
│ │ └── deploy.go # First-deploy flow: secret gen, app.yaml, compose up
│ ├── backup/ # DB dumps + restic operations (Phase 3)
│ ├── monitor/ # Health checks + metrics (Phase 2)
│ ├── scheduler/ # Periodic job runner (Phase 2)
│ ├── api/ # REST API
│ │ └── router.go
│ └── web/ # Dashboard UI
│ ├── server.go # HTTP server, auth, page handlers
│ └── templates.go # Embedded HTML templates + CSS (Hungarian)
├── configs/ # Example config files
│ ├── controller.yaml.example
│ └── example-felhom-metadata.yml
├── docs/
│ └── BUILDING.md # Container image build & registry guide
├── scripts/
│ └── hashpass.go # Password hash generator
├── Dockerfile # Multi-stage build (Go + debian-slim)
├── docker-compose.yml # Controller's own compose definition
├── Makefile # Build targets (amd64, arm64, docker)
├── go.mod
└── README.md
```
## Status & Roadmap
### Phase 1 — Stack Manager + Deploy Flow (current)
- [x] Project skeleton & config format
- [x] .felhom.yml app metadata format with deploy fields
- [x] Per-app config persistence (app.yaml)
- [x] Secret generation engine (password, hex, static)
- [x] Stack catalog (read compose files + metadata from disk)
- [x] Docker Compose operations (up/down/pull/ps/logs)
- [x] Deploy flow with interactive field input
- [x] Basic web dashboard with start/stop/deploy buttons
- [x] REST API for stack + deploy operations
- [x] Simple web authentication (bcrypt sessions)
- [x] App logos + screenshots loaded from felhom.eu
- [x] Container image build pipeline (Dockerfile + Makefile)
- [ ] First build & test on N100 hardware
- [ ] End-to-end test: deploy an app through dashboard
### Phase 2 — Monitoring & Health
- [ ] System metrics collection (CPU, RAM, disk, temperature)
- [ ] Healthchecks.io ping integration
- [ ] Dashboard system health panel
- [ ] Customer notifications (email/Telegram)
### Phase 3 — Backups
- [ ] DB dump engine (PostgreSQL, MariaDB/MySQL, SQLite)
- [ ] Restic integration (snapshot, prune, check)
- [ ] Backup status on dashboard
- [ ] Manual backup trigger from UI
- [ ] Restore workflow
### Phase 4 — Git Sync & Updates
- [ ] Periodic git pull for stack definitions
- [ ] Update classification (optional/required/security)
- [ ] Update window enforcement
- [ ] Dashboard update notifications with "Update" button
### Phase 5 — Self-Update & Resilience
- [ ] Self-update check & execution
- [ ] Pre-update config backup
- [ ] Health-based rollback mechanism
- [ ] Config export/import
### Phase 6 — Central Management (future)
- [ ] API authentication for remote management
- [ ] Central dashboard on k3s querying all customer controllers
- [ ] Fleet-wide update management
controller/mnt/user-data/outputs/felhom-controller/assets/README.md
+31
View File
@@ -0,0 +1,31 @@
# App Assets
This directory contains logos and screenshots for the dashboard.
They are baked into the Docker image at build time.
## Naming convention
Files must follow the felhom.eu website convention:
- `{slug}-logo.svg` — App logo (SVG preferred, displayed on dark background)
- `{slug}-logo.png` — App logo fallback (PNG, for apps without SVG)
- `{slug}-screenshot-1.webp` — First screenshot
- `{slug}-screenshot-2.webp` — Second screenshot (and so on)
The dashboard tries SVG first, falls back to PNG if not found.
Example:
```
paperless-ngx-logo.svg
paperless-ngx-screenshot-1.webp
adventurelog-logo.png
adventurelog-screenshot-1.webp
```
## Syncing from felhom.eu website
Run `make sync-assets` to copy assets from the felhom.eu website repo.
This expects the website files to be available at `../felhom.eu/website/assets/`
(relative to this repo), or set `WEBSITE_ASSETS_DIR` to override.
Alternatively, copy files manually from FileBrowser at https://felhom.eu.
controller/router.go
+231
View File
@@ -0,0 +1,231 @@
package api
import (
"encoding/json"
"log"
"net/http"
"strconv"
"strings"
"gitea.dooplex.hu/admin/felhom-controller/internal/config"
"gitea.dooplex.hu/admin/felhom-controller/internal/stacks"
)
// Router handles all /api/* requests.
type Router struct {
cfg *config.Config
stackMgr *stacks.Manager
logger *log.Logger
}
func NewRouter(cfg *config.Config, stackMgr *stacks.Manager, logger *log.Logger) *Router {
return &Router{cfg: cfg, stackMgr: stackMgr, logger: logger}
}
type apiResponse struct {
OK bool `json:"ok"`
Data interface{} `json:"data,omitempty"`
Error string `json:"error,omitempty"`
Message string `json:"message,omitempty"`
}
// ServeHTTP routes /api/* requests.
func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
path := strings.TrimPrefix(req.URL.Path, "/api")
path = strings.TrimSuffix(path, "/")
switch {
// GET /api/stacks
case path == "/stacks" && req.Method == http.MethodGet:
r.listStacks(w, req)
// GET /api/stacks/{name}
case strings.HasPrefix(path, "/stacks/") && req.Method == http.MethodGet && !hasSubpath(path, "/stacks/"):
r.getStack(w, req, trimSegment(path, "/stacks/"))
// GET /api/stacks/{name}/deploy-fields
case hasSuffix(path, "/deploy-fields") && req.Method == http.MethodGet:
r.getDeployFields(w, req, extractName(path, "/deploy-fields"))
// POST /api/stacks/{name}/deploy
case hasSuffix(path, "/deploy") && req.Method == http.MethodPost:
r.deployStack(w, req, extractName(path, "/deploy"))
// POST /api/stacks/{name}/start
case hasSuffix(path, "/start") && req.Method == http.MethodPost:
r.actionStack(w, "start", extractName(path, "/start"))
// POST /api/stacks/{name}/stop
case hasSuffix(path, "/stop") && req.Method == http.MethodPost:
r.actionStack(w, "stop", extractName(path, "/stop"))
// POST /api/stacks/{name}/restart
case hasSuffix(path, "/restart") && req.Method == http.MethodPost:
r.actionStack(w, "restart", extractName(path, "/restart"))
// POST /api/stacks/{name}/update
case hasSuffix(path, "/update") && req.Method == http.MethodPost:
r.actionStack(w, "update", extractName(path, "/update"))
// GET /api/stacks/{name}/logs
case hasSuffix(path, "/logs") && req.Method == http.MethodGet:
r.getStackLogs(w, req, extractName(path, "/logs"))
// GET /api/system/info
case path == "/system/info" && req.Method == http.MethodGet:
r.systemInfo(w, req)
default:
writeJSON(w, http.StatusNotFound, apiResponse{OK: false, Error: "endpoint not found"})
}
}
// HealthHandler responds to /api/health (no auth required).
func (r *Router) HealthHandler(w http.ResponseWriter, req *http.Request) {
writeJSON(w, http.StatusOK, apiResponse{OK: true, Message: "felhom-controller is healthy"})
}
// --- Stack handlers ---
func (r *Router) listStacks(w http.ResponseWriter, _ *http.Request) {
writeJSON(w, http.StatusOK, apiResponse{OK: true, Data: r.stackMgr.GetStacks()})
}
func (r *Router) getStack(w http.ResponseWriter, _ *http.Request, name string) {
stack, ok := r.stackMgr.GetStack(name)
if !ok {
writeJSON(w, http.StatusNotFound, apiResponse{OK: false, Error: "stack not found: " + name})
return
}
writeJSON(w, http.StatusOK, apiResponse{OK: true, Data: stack})
}
func (r *Router) getDeployFields(w http.ResponseWriter, _ *http.Request, name string) {
meta, appCfg, err := r.stackMgr.GetDeployFields(name)
if err != nil {
writeJSON(w, http.StatusNotFound, apiResponse{OK: false, Error: err.Error()})
return
}
data := map[string]interface{}{
"metadata": meta,
"app_config": appCfg,
"domain": r.cfg.Customer.Domain,
"logo_url": r.cfg.AppLogoURL(meta.Slug),
}
writeJSON(w, http.StatusOK, apiResponse{OK: true, Data: data})
}
func (r *Router) deployStack(w http.ResponseWriter, req *http.Request, name string) {
r.logger.Printf("[API] Deploy requested for stack: %s", name)
var body struct {
Values map[string]string `json:"values"`
}
if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
writeJSON(w, http.StatusBadRequest, apiResponse{OK: false, Error: "invalid request body"})
return
}
deployReq := stacks.DeployRequest{
StackName: name,
Values: body.Values,
}
if err := r.stackMgr.DeployStack(deployReq); err != nil {
r.logger.Printf("[API] Deploy failed for %s: %v", name, err)
status := http.StatusInternalServerError
if strings.Contains(err.Error(), "already deployed") {
status = http.StatusConflict
}
if strings.Contains(err.Error(), "required field") || strings.Contains(err.Error(), "does not exist") {
status = http.StatusBadRequest
}
writeJSON(w, status, apiResponse{OK: false, Error: err.Error()})
return
}
writeJSON(w, http.StatusOK, apiResponse{OK: true, Message: "Stack " + name + " deployed"})
}
func (r *Router) actionStack(w http.ResponseWriter, action, name string) {
r.logger.Printf("[API] %s requested for stack: %s", action, name)
var err error
switch action {
case "start":
err = r.stackMgr.StartStack(name)
case "stop":
err = r.stackMgr.StopStack(name)
case "restart":
err = r.stackMgr.RestartStack(name)
case "update":
err = r.stackMgr.UpdateStack(name)
}
if err != nil {
status := http.StatusInternalServerError
if strings.Contains(err.Error(), "protected") {
status = http.StatusForbidden
}
if strings.Contains(err.Error(), "not found") {
status = http.StatusNotFound
}
writeJSON(w, status, apiResponse{OK: false, Error: err.Error()})
return
}
writeJSON(w, http.StatusOK, apiResponse{OK: true, Message: "Stack " + name + " " + action + " completed"})
}
func (r *Router) getStackLogs(w http.ResponseWriter, req *http.Request, name string) {
lines := 100
if v := req.URL.Query().Get("lines"); v != "" {
if n, err := strconv.Atoi(v); err == nil && n > 0 {
lines = n
}
}
output, err := r.stackMgr.GetLogs(name, lines)
if err != nil {
writeJSON(w, http.StatusInternalServerError, apiResponse{OK: false, Error: err.Error()})
return
}
writeJSON(w, http.StatusOK, apiResponse{OK: true, Data: map[string]string{"logs": output}})
}
func (r *Router) systemInfo(w http.ResponseWriter, _ *http.Request) {
writeJSON(w, http.StatusOK, apiResponse{OK: true, Data: map[string]interface{}{
"customer_id": r.cfg.Customer.ID,
"customer_name": r.cfg.Customer.Name,
"domain": r.cfg.Customer.Domain,
"backup_enabled": r.cfg.Backup.Enabled,
"monitor_enabled": r.cfg.Monitoring.Enabled,
}})
}
// --- Helpers ---
func hasSuffix(path, suffix string) bool { return strings.HasSuffix(path, suffix) }
func hasSubpath(path, prefix string) bool {
rest := strings.TrimPrefix(path, prefix)
return strings.Contains(rest, "/")
}
func trimSegment(path, prefix string) string {
return strings.TrimPrefix(path, prefix)
}
func extractName(path, suffix string) string {
s := strings.TrimPrefix(path, "/stacks/")
return strings.TrimSuffix(s, suffix)
}
func writeJSON(w http.ResponseWriter, status int, v interface{}) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(status)
if err := json.NewEncoder(w).Encode(v); err != nil {
log.Printf("[ERROR] Failed to write JSON response: %v", err)
}
}
controller/server.go
+405
View File
@@ -0,0 +1,405 @@
package web
import (
"crypto/rand"
"crypto/subtle"
"encoding/hex"
"fmt"
"html/template"
"log"
"net/http"
"os"
"path/filepath"
"strings"
"sync"
"time"
"gitea.dooplex.hu/admin/felhom-controller/internal/config"
"gitea.dooplex.hu/admin/felhom-controller/internal/stacks"
"golang.org/x/crypto/bcrypt"
)
type Server struct {
cfg *config.Config
stackMgr *stacks.Manager
logger *log.Logger
version string
tmpl *template.Template
sessions map[string]*session
sessionsMu sync.RWMutex
}
type session struct {
token string
expiresAt time.Time
}
const (
sessionCookieName = "felhom_session"
sessionMaxAge = 24 * time.Hour
)
func NewServer(cfg *config.Config, stackMgr *stacks.Manager, logger *log.Logger, version string) *Server {
s := &Server{
cfg: cfg,
stackMgr: stackMgr,
logger: logger,
version: version,
sessions: make(map[string]*session),
}
s.loadTemplates()
go s.cleanupSessions()
return s
}
func (s *Server) loadTemplates() {
funcMap := template.FuncMap{
"stateColor": func(state stacks.ContainerState) string {
switch state {
case stacks.StateRunning:
return "green"
case stacks.StateStopped, stacks.StateExited:
return "red"
case stacks.StateRestarting:
return "yellow"
default:
return "gray"
}
},
"stateLabel": func(state stacks.ContainerState) string {
switch state {
case stacks.StateRunning:
return "Fut"
case stacks.StateStopped, stacks.StateExited:
return "Leállítva"
case stacks.StateRestarting:
return "Újraindítás..."
case stacks.StateNotDeployed:
return "Nincs telepítve"
case stacks.StatePaused:
return "Szüneteltetve"
default:
return "Ismeretlen"
}
},
"stateIcon": func(state stacks.ContainerState) string {
switch state {
case stacks.StateRunning:
return "●"
case stacks.StateStopped, stacks.StateExited:
return "○"
case stacks.StateRestarting:
return "◐"
default:
return "◌"
}
},
"stateStr": func(state stacks.ContainerState) string {
return string(state)
},
"logoURL": func(slug string) string {
return s.cfg.AppLogoURL(slug)
},
"logoPNGURL": func(slug string) string {
return s.cfg.AppLogoPNGURL(slug)
},
"appPageURL": func(slug string) string {
return s.cfg.AppPageURL(slug)
},
}
s.tmpl = template.Must(template.New("").Funcs(funcMap).Parse(allTemplates))
}
// ServeHTTP handles all non-API web requests.
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
path := r.URL.Path
switch {
case path == "/" || path == "/dashboard":
s.dashboardHandler(w, r)
case path == "/stacks":
s.stacksHandler(w, r)
case strings.HasPrefix(path, "/stacks/") && strings.HasSuffix(path, "/logs"):
name := strings.TrimPrefix(path, "/stacks/")
name = strings.TrimSuffix(name, "/logs")
s.logsHandler(w, r, name)
case strings.HasPrefix(path, "/stacks/") && strings.HasSuffix(path, "/deploy"):
name := strings.TrimPrefix(path, "/stacks/")
name = strings.TrimSuffix(name, "/deploy")
s.deployHandler(w, r, name)
case path == "/static/style.css":
w.Header().Set("Content-Type", "text/css")
w.Header().Set("Cache-Control", "public, max-age=3600")
fmt.Fprint(w, cssContent)
case strings.HasPrefix(path, "/static/assets/"):
// Serve baked-in app assets (logos, screenshots)
s.serveAsset(w, r, strings.TrimPrefix(path, "/static/assets/"))
case strings.HasPrefix(path, "/apps/"):
slug := strings.TrimPrefix(path, "/apps/")
s.appDetailHandler(w, r, slug)
default:
http.NotFound(w, r)
}
}
// RequireAuth returns middleware that checks for valid session or shows login.
func (s *Server) RequireAuth(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Skip auth if no password is configured
if s.cfg.Web.PasswordHash == "" {
next.ServeHTTP(w, r)
return
}
if r.URL.Path == "/api/health" {
next.ServeHTTP(w, r)
return
}
if r.URL.Path == "/login" && r.Method == http.MethodPost {
s.handleLogin(w, r)
return
}
if r.URL.Path == "/login" {
s.renderLogin(w, "")
return
}
if r.URL.Path == "/logout" {
s.handleLogout(w, r)
return
}
cookie, err := r.Cookie(sessionCookieName)
if err != nil || !s.isValidSession(cookie.Value) {
if strings.HasPrefix(r.URL.Path, "/api/") {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusUnauthorized)
fmt.Fprint(w, `{"ok":false,"error":"authentication required"}`)
return
}
http.Redirect(w, r, "/login", http.StatusFound)
return
}
next.ServeHTTP(w, r)
})
}
// --- Auth helpers ---
func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
_ = r.ParseForm()
password := r.FormValue("password")
if password == "" {
s.renderLogin(w, "Kérjük adja meg a jelszót")
return
}
if err := bcrypt.CompareHashAndPassword([]byte(s.cfg.Web.PasswordHash), []byte(password)); err != nil {
s.logger.Printf("[WARN] Failed login from %s", r.RemoteAddr)
s.renderLogin(w, "Hibás jelszó")
return
}
token := s.createSession()
http.SetCookie(w, &http.Cookie{
Name: sessionCookieName,
Value: token,
Path: "/",
MaxAge: int(sessionMaxAge.Seconds()),
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
Secure: true,
})
s.logger.Printf("[INFO] Login from %s", r.RemoteAddr)
http.Redirect(w, r, "/", http.StatusFound)
}
func (s *Server) handleLogout(w http.ResponseWriter, r *http.Request) {
if cookie, err := r.Cookie(sessionCookieName); err == nil {
s.sessionsMu.Lock()
delete(s.sessions, cookie.Value)
s.sessionsMu.Unlock()
}
http.SetCookie(w, &http.Cookie{Name: sessionCookieName, Value: "", Path: "/", MaxAge: -1})
http.Redirect(w, r, "/login", http.StatusFound)
}
func (s *Server) createSession() string {
b := make([]byte, 32)
_, _ = rand.Read(b)
token := hex.EncodeToString(b)
s.sessionsMu.Lock()
s.sessions[token] = &session{token: token, expiresAt: time.Now().Add(sessionMaxAge)}
s.sessionsMu.Unlock()
return token
}
func (s *Server) isValidSession(token string) bool {
s.sessionsMu.RLock()
defer s.sessionsMu.RUnlock()
sess, ok := s.sessions[token]
if !ok || time.Now().After(sess.expiresAt) {
return false
}
return subtle.ConstantTimeCompare([]byte(sess.token), []byte(token)) == 1
}
func (s *Server) cleanupSessions() {
for range time.Tick(15 * time.Minute) {
s.sessionsMu.Lock()
now := time.Now()
for t, sess := range s.sessions {
if now.After(sess.expiresAt) {
delete(s.sessions, t)
}
}
s.sessionsMu.Unlock()
}
}
// --- Page handlers ---
func (s *Server) baseData(page, title string) map[string]interface{} {
return map[string]interface{}{
"Page": page,
"Title": title,
"CustomerName": s.cfg.Customer.Name,
"Domain": s.cfg.Customer.Domain,
"Version": s.version,
}
}
func (s *Server) dashboardHandler(w http.ResponseWriter, _ *http.Request) {
stackList := s.stackMgr.GetStacks()
running, stopped := 0, 0
for _, st := range stackList {
switch st.State {
case stacks.StateRunning:
running++
case stacks.StateStopped, stacks.StateExited:
stopped++
}
}
data := s.baseData("dashboard", "Vezérlőpult")
data["Stacks"] = stackList
data["RunningCount"] = running
data["StoppedCount"] = stopped
data["TotalCount"] = len(stackList)
s.render(w, "dashboard", data)
}
func (s *Server) stacksHandler(w http.ResponseWriter, _ *http.Request) {
data := s.baseData("stacks", "Alkalmazások")
data["Stacks"] = s.stackMgr.GetStacks()
s.render(w, "stacks", data)
}
func (s *Server) logsHandler(w http.ResponseWriter, _ *http.Request, name string) {
stack, ok := s.stackMgr.GetStack(name)
if !ok {
http.NotFound(w, nil)
return
}
logs, err := s.stackMgr.GetLogs(name, 200)
if err != nil {
logs = fmt.Sprintf("Hiba a naplók lekérésekor: %v", err)
}
data := s.baseData("logs", stack.Meta.DisplayName+" — Naplók")
data["Stack"] = stack
data["Logs"] = logs
s.render(w, "logs", data)
}
func (s *Server) deployHandler(w http.ResponseWriter, _ *http.Request, name string) {
meta, appCfg, err := s.stackMgr.GetDeployFields(name)
if err != nil {
http.NotFound(w, nil)
return
}
stack, _ := s.stackMgr.GetStack(name)
data := s.baseData("deploy", meta.DisplayName+" — Telepítés")
data["Stack"] = stack
data["Meta"] = meta
data["AppConfig"] = appCfg
data["AlreadyDeployed"] = appCfg != nil && appCfg.Deployed
data["LogoURL"] = s.cfg.AppLogoURL(meta.Slug)
data["LogoPNGURL"] = s.cfg.AppLogoPNGURL(meta.Slug)
data["AppPageURL"] = s.cfg.AppPageURL(meta.Slug)
data["UserFields"] = meta.UserFacingFields()
data["AutoFields"] = meta.AutoGeneratedFields()
s.render(w, "deploy", data)
}
// serveAsset serves baked-in app assets (logos, screenshots) from /usr/share/felhom/assets/
// These are copied into the container at build time.
const assetsDir = "/usr/share/felhom/assets"
func (s *Server) serveAsset(w http.ResponseWriter, r *http.Request, filename string) {
// Sanitize: prevent directory traversal
filename = filepath.Base(filename)
path := filepath.Join(assetsDir, filename)
if _, err := os.Stat(path); os.IsNotExist(err) {
http.NotFound(w, r)
return
}
w.Header().Set("Cache-Control", "public, max-age=86400")
http.ServeFile(w, r, path)
}
// appDetailHandler serves a local app detail page (description, screenshots, FAQ).
// TODO: Phase 1.5 — for now, redirect to the stacks page.
// Future: render a dedicated app page template with baked-in content.
func (s *Server) appDetailHandler(w http.ResponseWriter, r *http.Request, slug string) {
// Find the stack by slug
for _, stack := range s.stackMgr.GetStacks() {
if stack.Meta.Slug == slug {
// For now, redirect to deploy page (if not deployed) or stacks page
if !stack.Deployed {
http.Redirect(w, r, "/stacks/"+stack.Name+"/deploy", http.StatusFound)
} else {
http.Redirect(w, r, "/stacks", http.StatusFound)
}
return
}
}
http.NotFound(w, r)
}
func (s *Server) renderLogin(w http.ResponseWriter, errorMsg string) {
data := map[string]interface{}{
"Title": "Bejelentkezés",
"CustomerName": s.cfg.Customer.Name,
"Error": errorMsg,
}
w.Header().Set("Content-Type", "text/html; charset=utf-8")
if err := s.tmpl.ExecuteTemplate(w, "login", data); err != nil {
s.logger.Printf("[ERROR] Template error (login): %v", err)
http.Error(w, "Internal error", http.StatusInternalServerError)
}
}
func (s *Server) render(w http.ResponseWriter, name string, data interface{}) {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
if err := s.tmpl.ExecuteTemplate(w, name, data); err != nil {
s.logger.Printf("[ERROR] Template error (%s): %v", name, err)
http.Error(w, "Internal error", http.StatusInternalServerError)
}
}
controller/templates.go
+540
View File
@@ -0,0 +1,540 @@
package web
// All HTML templates and CSS are embedded as Go strings.
// Compiled into the binary — zero external file dependencies at runtime.
// As the UI grows, switch to go:embed for easier editing.
const allTemplates = layoutTmpl + dashboardTmpl + stacksTmpl + loginTmpl + logsTmpl + deployTmpl
const layoutTmpl = `
{{define "layout_start"}}
<!DOCTYPE html>
<html lang="hu">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{{.Title}} — Felhom</title>
<link rel="stylesheet" href="/static/style.css">
</head>
<body>
<nav class="sidebar">
<div class="sidebar-header">
<h1 class="logo">☁ Felhom</h1>
<span class="customer-name">{{.CustomerName}}</span>
</div>
<ul class="nav-links">
<li><a href="/" class="{{if eq .Page "dashboard"}}active{{end}}">📊 Vezérlőpult</a></li>
<li><a href="/stacks" class="{{if eq .Page "stacks"}}active{{end}}">📦 Alkalmazások</a></li>
</ul>
<div class="sidebar-footer">
<span class="version">v{{.Version}}</span>
<a href="/logout" class="logout-link">Kijelentkezés ↗</a>
</div>
</nav>
<main class="content">
{{end}}
{{define "layout_end"}}
</main>
<script>
async function stackAction(name, action) {
const btn = event.currentTarget;
const origText = btn.textContent;
btn.disabled = true;
btn.textContent = 'Folyamatban...';
btn.classList.add('loading');
try {
const resp = await fetch('/api/stacks/' + name + '/' + action, {
method: 'POST',
headers: {'Content-Type': 'application/json'}
});
const data = await resp.json();
if (!data.ok) {
alert('Hiba: ' + (data.error || 'Ismeretlen hiba'));
btn.textContent = origText;
btn.disabled = false;
btn.classList.remove('loading');
return;
}
window.location.reload();
} catch (err) {
alert('Hálózati hiba: ' + err.message);
btn.textContent = origText;
btn.disabled = false;
btn.classList.remove('loading');
}
}
</script>
</body>
</html>
{{end}}
`
const dashboardTmpl = `
{{define "dashboard"}}
{{template "layout_start" .}}
<div class="page-header">
<h2>Vezérlőpult</h2>
<span class="domain-badge">{{.Domain}}</span>
</div>
<div class="stats-grid">
<div class="stat-card stat-running">
<div class="stat-value">{{.RunningCount}}</div>
<div class="stat-label">Futó alkalmazás</div>
</div>
<div class="stat-card stat-stopped">
<div class="stat-value">{{.StoppedCount}}</div>
<div class="stat-label">Leállítva</div>
</div>
<div class="stat-card stat-total">
<div class="stat-value">{{.TotalCount}}</div>
<div class="stat-label">Összes alkalmazás</div>
</div>
</div>
<h3>Alkalmazások állapota</h3>
<div class="stack-list">
{{range .Stacks}}
<div class="stack-card stack-state-{{stateColor .State}}">
<div class="stack-info">
<img class="stack-logo" src="{{logoURL .Meta.Slug}}"
alt="{{.Meta.DisplayName}}" onerror="this.onerror=function(){this.style.display='none'};this.src='{{logoPNGURL .Meta.Slug}}'">
<div>
<strong class="stack-name">{{.Meta.DisplayName}}</strong>
{{if .Meta.Description}}<span class="stack-desc">{{.Meta.Description}}</span>{{end}}
</div>
</div>
<div class="stack-actions">
<span class="stack-state-label">{{stateLabel .State}}</span>
{{if .Protected}}
<span class="badge badge-protected">🔒 Védett</span>
{{else if not .Deployed}}
<a href="/stacks/{{.Name}}/deploy" class="btn btn-sm btn-primary">🚀 Telepítés</a>
{{else}}
{{if eq (stateStr .State) "running"}}
<button class="btn btn-sm btn-warning" onclick="stackAction('{{.Name}}', 'restart')">↻</button>
<button class="btn btn-sm btn-danger" onclick="stackAction('{{.Name}}', 'stop')">■</button>
{{else}}
<button class="btn btn-sm btn-success" onclick="stackAction('{{.Name}}', 'start')">▶</button>
{{end}}
<a href="/stacks/{{.Name}}/logs" class="btn btn-sm btn-outline">📋</a>
{{end}}
</div>
</div>
{{else}}
<div class="empty-state">
<p>Nincs elérhető alkalmazás.</p>
</div>
{{end}}
</div>
{{template "layout_end" .}}
{{end}}
`
const stacksTmpl = `
{{define "stacks"}}
{{template "layout_start" .}}
<div class="page-header">
<h2>Alkalmazások</h2>
<span class="domain-badge">{{.Domain}}</span>
</div>
<div class="stack-grid">
{{range .Stacks}}
<div class="stack-detail-card stack-state-{{stateColor .State}}">
<div class="stack-detail-header">
<div class="stack-title-row">
<img class="stack-logo-lg" src="{{logoURL .Meta.Slug}}"
alt="" onerror="this.onerror=function(){this.style.display='none'};this.src='{{logoPNGURL .Meta.Slug}}'">
<div>
<h3>{{.Meta.DisplayName}}</h3>
{{if .Meta.Subdomain}}
<a class="subdomain-link" href="https://{{.Meta.Subdomain}}.{{$.Domain}}" target="_blank">
{{.Meta.Subdomain}}.{{$.Domain}}
</a>
{{end}}
</div>
</div>
<span class="stack-state-badge state-{{stateColor .State}}">{{stateLabel .State}}</span>
</div>
{{if .Meta.Description}}
<p class="stack-detail-desc">{{.Meta.Description}}</p>
{{end}}
<div class="stack-meta-badges">
{{if .Meta.Resources.RAM}}<span class="meta-badge">💾 {{.Meta.Resources.RAM}}</span>{{end}}
{{if .Meta.Resources.PiCompatible}}<span class="meta-badge meta-badge-ok">🥧 Pi kompatibilis</span>{{end}}
{{if .Meta.Resources.NeedsHDD}}<span class="meta-badge">💿 HDD szükséges</span>{{end}}
</div>
{{if .Containers}}
<div class="container-list">
{{range .Containers}}
<div class="container-row">
<span class="container-name">{{.Name}}</span>
<span class="container-status state-text-{{stateColor .State}}">{{.Status}}</span>
</div>
{{end}}
</div>
{{end}}
<div class="stack-detail-actions">
{{if .Protected}}
<span class="badge badge-protected">🔒 Védett rendszerkomponens</span>
{{else if not .Deployed}}
<a href="/stacks/{{.Name}}/deploy" class="btn btn-primary">🚀 Telepítés</a>
<a href="{{appPageURL .Meta.Slug}}" target="_blank" class="btn btn-outline">️ Részletek</a>
{{else}}
{{if eq (stateStr .State) "running"}}
<button class="btn btn-success" onclick="stackAction('{{.Name}}', 'update')">⬆ Frissítés</button>
<button class="btn btn-warning" onclick="stackAction('{{.Name}}', 'restart')">↻ Újraindítás</button>
<button class="btn btn-danger" onclick="stackAction('{{.Name}}', 'stop')">■ Leállítás</button>
{{else}}
<button class="btn btn-success" onclick="stackAction('{{.Name}}', 'start')">▶ Indítás</button>
{{end}}
<a href="/stacks/{{.Name}}/logs" class="btn btn-outline">📋 Naplók</a>
<a href="{{appPageURL .Meta.Slug}}" target="_blank" class="btn btn-outline">️ Részletek</a>
{{end}}
</div>
</div>
{{end}}
</div>
{{template "layout_end" .}}
{{end}}
`
const deployTmpl = `
{{define "deploy"}}
{{template "layout_start" .}}
<div class="page-header">
<a href="/stacks" class="btn btn-sm btn-outline">← Vissza</a>
<h2>{{.Meta.DisplayName}} — Telepítés</h2>
</div>
<div class="deploy-container">
<div class="deploy-info">
<img class="deploy-logo" src="{{.LogoURL}}" alt="" onerror="this.onerror=function(){this.style.display='none'};this.src='{{.LogoPNGURL}}'">
<div>
<h3>{{.Meta.DisplayName}}</h3>
{{if .Meta.Description}}<p>{{.Meta.Description}}</p>{{end}}
<div class="stack-meta-badges">
{{if .Meta.Resources.RAM}}<span class="meta-badge">💾 {{.Meta.Resources.RAM}}</span>{{end}}
{{if .Meta.Resources.PiCompatible}}<span class="meta-badge meta-badge-ok">🥧 Pi kompatibilis</span>{{end}}
{{if .Meta.Resources.NeedsHDD}}<span class="meta-badge">💿 HDD szükséges</span>{{end}}
</div>
<a href="{{.AppPageURL}}" target="_blank" class="btn btn-sm btn-outline" style="margin-top:0.5rem">
️ Részletes leírás, képernyőképek
</a>
</div>
</div>
{{if .AlreadyDeployed}}
<div class="alert alert-info">
Ez az alkalmazás már telepítve van. Az alábbi beállítások csak olvashatók.
</div>
{{end}}
<form id="deploy-form" class="deploy-form">
{{if .AutoFields}}
<div class="form-section">
<h4>🔒 Automatikusan generált értékek</h4>
<p class="form-section-desc">Ezek az értékek automatikusan létrejönnek a telepítéskor.</p>
{{range .AutoFields}}
<div class="form-group form-group-auto">
<label>{{.Label}}</label>
<span class="auto-generated-badge">✓ Automatikusan generálva</span>
</div>
{{end}}
</div>
{{end}}
{{if .UserFields}}
<div class="form-section">
<h4>⚙️ Beállítások</h4>
{{range .UserFields}}
<div class="form-group">
<label for="field-{{.EnvVar}}">
{{.Label}}
{{if .Required}}<span class="required">*</span>{{end}}
{{if .LockedAfterDeploy}}<span class="locked-hint">🔒 telepítés után nem módosítható</span>{{end}}
</label>
{{if eq .Type "select"}}
<select id="field-{{.EnvVar}}" name="{{.EnvVar}}" class="form-control"
{{if $.AlreadyDeployed}}disabled{{end}}>
{{range .Options}}
<option value="{{.Value}}">{{.Label}}</option>
{{end}}
</select>
{{else if eq .Type "password"}}
<div class="input-with-button">
<input type="text" id="field-{{.EnvVar}}" name="{{.EnvVar}}"
class="form-control" value="{{.Default}}"
placeholder="{{.Placeholder}}"
{{if $.AlreadyDeployed}}disabled{{end}}>
<button type="button" class="btn btn-sm btn-outline"
onclick="generatePassword('field-{{.EnvVar}}')">🎲 Generálás</button>
</div>
{{else if eq .Type "boolean"}}
<label class="toggle">
<input type="checkbox" id="field-{{.EnvVar}}" name="{{.EnvVar}}" value="true"
{{if $.AlreadyDeployed}}disabled{{end}}>
<span class="toggle-label">Igen</span>
</label>
{{else}}
<input type="text" id="field-{{.EnvVar}}" name="{{.EnvVar}}"
class="form-control" value="{{.Default}}"
placeholder="{{.Placeholder}}"
{{if .Required}}required{{end}}
{{if $.AlreadyDeployed}}disabled{{end}}>
{{end}}
{{if .Description}}
<span class="form-hint">{{.Description}}</span>
{{end}}
</div>
{{end}}
</div>
{{end}}
{{if not .AlreadyDeployed}}
<div class="deploy-actions">
<button type="submit" class="btn btn-primary btn-lg">🚀 Telepítés indítása</button>
<a href="/stacks" class="btn btn-outline">Mégsem</a>
</div>
{{end}}
</form>
</div>
<script>
function generatePassword(fieldId) {
const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
let pass = '';
const arr = new Uint8Array(16);
crypto.getRandomValues(arr);
for (let i = 0; i < 16; i++) {
pass += chars[arr[i] % chars.length];
}
document.getElementById(fieldId).value = pass;
}
document.getElementById('deploy-form').addEventListener('submit', async function(e) {
e.preventDefault();
const btn = e.target.querySelector('[type=submit]');
const origText = btn.textContent;
btn.disabled = true;
btn.textContent = 'Telepítés folyamatban...';
const values = {};
const inputs = e.target.querySelectorAll('input, select');
inputs.forEach(function(el) {
if (el.name && !el.disabled) {
if (el.type === 'checkbox') {
values[el.name] = el.checked ? 'true' : 'false';
} else {
values[el.name] = el.value;
}
}
});
try {
const resp = await fetch('/api/stacks/{{.Stack.Name}}/deploy', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({values: values})
});
const data = await resp.json();
if (!data.ok) {
alert('Hiba: ' + data.error);
btn.textContent = origText;
btn.disabled = false;
return;
}
alert('Sikeres telepítés! ✓');
window.location.href = '/stacks';
} catch (err) {
alert('Hálózati hiba: ' + err.message);
btn.textContent = origText;
btn.disabled = false;
}
});
</script>
{{template "layout_end" .}}
{{end}}
`
const loginTmpl = `
{{define "login"}}
<!DOCTYPE html>
<html lang="hu">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Bejelentkezés — Felhom</title>
<link rel="stylesheet" href="/static/style.css">
</head>
<body class="login-body">
<div class="login-card">
<h1 class="logo">☁ Felhom</h1>
<p class="login-subtitle">{{.CustomerName}}</p>
{{if .Error}}<div class="alert alert-error">{{.Error}}</div>{{end}}
<form method="POST" action="/login">
<div class="form-group">
<label for="password">Jelszó</label>
<input type="password" id="password" name="password" required autofocus
placeholder="Adja meg a jelszavát" class="form-control">
</div>
<button type="submit" class="btn btn-primary btn-full">Bejelentkezés</button>
</form>
<p class="login-footer">Felhom — Otthoni szerver kezelés<br>
<a href="https://felhom.eu" target="_blank">felhom.eu</a></p>
</div>
</body>
</html>
{{end}}
`
const logsTmpl = `
{{define "logs"}}
{{template "layout_start" .}}
<div class="page-header">
<a href="/stacks" class="btn btn-sm btn-outline">← Vissza</a>
<h2>{{.Stack.Meta.DisplayName}} — Naplók</h2>
</div>
<div class="logs-container">
<pre class="logs-output">{{.Logs}}</pre>
</div>
<div class="logs-actions">
<button class="btn btn-outline" onclick="window.location.reload()">🔄 Frissítés</button>
</div>
{{template "layout_end" .}}
{{end}}
`
// CSS is defined in a separate const for readability.
// Served at /static/style.css
const cssContent = `
:root {
--bg:#f8f9fa; --sidebar-bg:#1a1f36; --sidebar-text:#e2e8f0;
--card-bg:#fff; --text:#1a202c; --text-muted:#718096; --border:#e2e8f0;
--green:#38a169; --green-light:#c6f6d5; --red:#e53e3e; --red-light:#fed7d7;
--yellow:#d69e2e; --yellow-light:#fefcbf; --blue:#3182ce; --blue-light:#bee3f8;
--gray:#a0aec0; --gray-light:#edf2f7; --radius:8px; --shadow:0 1px 3px rgba(0,0,0,.1);
}
*{margin:0;padding:0;box-sizing:border-box}
body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--bg);color:var(--text);display:flex;min-height:100vh}
.sidebar{width:240px;background:var(--sidebar-bg);color:var(--sidebar-text);display:flex;flex-direction:column;position:fixed;height:100vh;overflow-y:auto}
.sidebar-header{padding:1.5rem;border-bottom:1px solid rgba(255,255,255,.1)}
.logo{font-size:1.5rem;font-weight:700;color:#fff}
.customer-name{display:block;font-size:.85rem;color:var(--gray);margin-top:.25rem}
.nav-links{list-style:none;padding:1rem 0;flex:1}
.nav-links a{display:block;padding:.75rem 1.5rem;color:var(--sidebar-text);text-decoration:none;font-size:.95rem;transition:background .15s}
.nav-links a:hover{background:rgba(255,255,255,.08)}
.nav-links a.active{background:rgba(255,255,255,.12);border-left:3px solid var(--blue)}
.sidebar-footer{padding:1rem 1.5rem;border-top:1px solid rgba(255,255,255,.1);display:flex;justify-content:space-between;align-items:center;font-size:.8rem}
.version{color:var(--gray)} .logout-link{color:var(--gray);text-decoration:none} .logout-link:hover{color:#fff}
.content{margin-left:240px;padding:2rem;flex:1;max-width:1200px}
.page-header{display:flex;align-items:center;gap:1rem;margin-bottom:1.5rem}
.page-header h2{font-size:1.5rem;font-weight:600}
.domain-badge{background:var(--blue-light);color:var(--blue);padding:.25rem .75rem;border-radius:999px;font-size:.8rem;font-weight:500}
.stats-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(180px,1fr));gap:1rem;margin-bottom:2rem}
.stat-card{background:var(--card-bg);border-radius:var(--radius);padding:1.25rem;box-shadow:var(--shadow);border-left:4px solid var(--gray)}
.stat-running{border-left-color:var(--green)} .stat-stopped{border-left-color:var(--red)} .stat-total{border-left-color:var(--blue)}
.stat-value{font-size:2rem;font-weight:700} .stat-label{color:var(--text-muted);font-size:.85rem;margin-top:.25rem}
.stack-list{display:flex;flex-direction:column;gap:.5rem}
.stack-card{background:var(--card-bg);border-radius:var(--radius);padding:1rem 1.25rem;box-shadow:var(--shadow);display:flex;justify-content:space-between;align-items:center;border-left:4px solid var(--gray)}
.stack-state-green{border-left-color:var(--green)} .stack-state-red{border-left-color:var(--red)} .stack-state-yellow{border-left-color:var(--yellow)} .stack-state-gray{border-left-color:var(--gray)}
.stack-info{display:flex;align-items:center;gap:.75rem}
.stack-logo{width:32px;height:32px;border-radius:6px;object-fit:contain;background:#1c2128;padding:4px}
.stack-logo-lg{width:48px;height:48px;border-radius:8px;object-fit:contain;background:#1c2128;padding:6px}
.stack-name{font-size:1rem} .stack-desc{display:block;font-size:.8rem;color:var(--text-muted)}
.stack-actions{display:flex;align-items:center;gap:.5rem} .stack-state-label{font-size:.8rem;color:var(--text-muted);margin-right:.5rem}
.stack-grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(350px,1fr));gap:1rem}
.stack-detail-card{background:var(--card-bg);border-radius:var(--radius);padding:1.25rem;box-shadow:var(--shadow);border-top:4px solid var(--gray)}
.stack-detail-card.stack-state-green{border-top-color:var(--green)} .stack-detail-card.stack-state-red{border-top-color:var(--red)}
.stack-detail-header{display:flex;justify-content:space-between;align-items:flex-start;margin-bottom:.75rem}
.stack-title-row{display:flex;align-items:center;gap:.75rem}
.subdomain-link{font-size:.8rem;color:var(--blue);text-decoration:none} .subdomain-link:hover{text-decoration:underline}
.stack-state-badge{padding:.2rem .6rem;border-radius:999px;font-size:.75rem;font-weight:600;white-space:nowrap}
.state-green{background:var(--green-light);color:var(--green)} .state-red{background:var(--red-light);color:var(--red)}
.state-yellow{background:var(--yellow-light);color:var(--yellow)} .state-gray{background:var(--gray-light);color:var(--gray)}
.state-text-green{color:var(--green)} .state-text-red{color:var(--red)}
.stack-detail-desc{color:var(--text-muted);font-size:.85rem;margin-bottom:.75rem}
.stack-meta-badges{display:flex;flex-wrap:wrap;gap:.4rem;margin:.5rem 0}
.meta-badge{background:var(--gray-light);color:var(--text-muted);padding:.15rem .5rem;border-radius:6px;font-size:.75rem}
.meta-badge-ok{background:var(--green-light);color:var(--green)}
.container-list{margin:.75rem 0} .container-list h4{font-size:.8rem;color:var(--text-muted);margin-bottom:.4rem}
.container-row{display:flex;justify-content:space-between;font-size:.8rem;padding:.2rem 0}
.container-name{font-family:monospace} .container-status{font-size:.75rem}
.stack-detail-actions{display:flex;gap:.5rem;margin-top:1rem;flex-wrap:wrap}
.btn{display:inline-flex;align-items:center;gap:.3rem;padding:.5rem 1rem;border:none;border-radius:6px;font-size:.85rem;font-weight:500;cursor:pointer;transition:opacity .15s,transform .1s;text-decoration:none;color:#fff}
.btn:hover{opacity:.9} .btn:active{transform:scale(.97)} .btn:disabled{opacity:.5;cursor:not-allowed} .btn.loading{opacity:.6}
.btn-sm{padding:.3rem .6rem;font-size:.8rem} .btn-lg{padding:.65rem 1.5rem;font-size:1rem} .btn-full{width:100%;justify-content:center}
.btn-primary{background:var(--blue)} .btn-success{background:var(--green)} .btn-warning{background:var(--yellow);color:#1a202c} .btn-danger{background:var(--red)}
.btn-outline{background:transparent;border:1px solid var(--border);color:var(--text)} .btn-outline:hover{background:var(--gray-light)}
.badge{display:inline-flex;align-items:center;gap:.25rem;padding:.2rem .6rem;border-radius:999px;font-size:.75rem;font-weight:500}
.badge-protected{background:var(--gray-light);color:var(--text-muted)}
/* Deploy page */
.deploy-container{max-width:700px}
.deploy-info{display:flex;gap:1rem;align-items:flex-start;background:var(--card-bg);padding:1.25rem;border-radius:var(--radius);box-shadow:var(--shadow);margin-bottom:1.5rem}
.deploy-logo{width:64px;height:64px;border-radius:12px;object-fit:contain;background:#1c2128;padding:8px;flex-shrink:0}
.deploy-info h3{font-size:1.2rem;margin-bottom:.25rem}
.deploy-info p{color:var(--text-muted);font-size:.9rem}
.deploy-form{background:var(--card-bg);padding:1.5rem;border-radius:var(--radius);box-shadow:var(--shadow)}
.form-section{margin-bottom:1.5rem}
.form-section h4{font-size:1rem;margin-bottom:.5rem}
.form-section-desc{color:var(--text-muted);font-size:.85rem;margin-bottom:.75rem}
.form-group{margin-bottom:1rem}
.form-group label{display:block;font-size:.85rem;font-weight:500;margin-bottom:.4rem}
.form-group-auto{display:flex;justify-content:space-between;align-items:center;padding:.5rem .75rem;background:var(--gray-light);border-radius:6px}
.form-group-auto label{margin:0}
.auto-generated-badge{color:var(--green);font-size:.8rem;font-weight:500}
.form-control{width:100%;padding:.55rem .75rem;border:1px solid var(--border);border-radius:6px;font-size:.9rem;background:#fff}
.form-control:focus{outline:none;border-color:var(--blue);box-shadow:0 0 0 3px rgba(49,130,206,.1)}
.form-control:disabled{background:var(--gray-light);cursor:not-allowed}
.input-with-button{display:flex;gap:.5rem}
.input-with-button .form-control{flex:1}
.form-hint{display:block;font-size:.8rem;color:var(--text-muted);margin-top:.25rem}
.required{color:var(--red)} .locked-hint{font-size:.75rem;color:var(--text-muted);font-weight:400;margin-left:.5rem}
.deploy-actions{display:flex;gap:.75rem;margin-top:1.5rem;padding-top:1rem;border-top:1px solid var(--border)}
.alert{padding:.75rem;border-radius:6px;margin-bottom:1rem;font-size:.85rem}
.alert-error{background:var(--red-light);color:var(--red)} .alert-info{background:var(--blue-light);color:var(--blue)}
/* Logs */
.logs-container{background:#1a1f36;border-radius:var(--radius);padding:1rem;overflow-x:auto;margin-bottom:1rem}
.logs-output{color:#e2e8f0;font-family:'JetBrains Mono','Fira Code',monospace;font-size:.8rem;line-height:1.5;white-space:pre-wrap;word-break:break-all}
.logs-actions{display:flex;gap:.5rem}
.empty-state{text-align:center;padding:3rem;color:var(--text-muted)}
.login-body{display:flex;justify-content:center;align-items:center;min-height:100vh;background:linear-gradient(135deg,#1a1f36,#2d3748)}
.login-card{background:var(--card-bg);padding:2.5rem;border-radius:12px;box-shadow:0 4px 24px rgba(0,0,0,.15);width:100%;max-width:380px;text-align:center}
.login-card .logo{color:var(--text);margin-bottom:.25rem} .login-subtitle{color:var(--text-muted);margin-bottom:1.5rem}
.login-footer{margin-top:1.5rem;font-size:.75rem;color:var(--text-muted)} .login-footer a{color:var(--blue);text-decoration:none}
@media(max-width:768px){
.sidebar{width:100%;height:auto;position:relative}
.nav-links{display:flex;padding:0;overflow-x:auto} .nav-links a{padding:.5rem 1rem;white-space:nowrap}
.content{margin-left:0;padding:1rem} body{flex-direction:column}
.stack-card{flex-direction:column;align-items:flex-start;gap:.75rem} .stack-actions{width:100%;justify-content:flex-end}
.stack-grid{grid-template-columns:1fr} .stats-grid{grid-template-columns:repeat(3,1fr)}
.deploy-info{flex-direction:column}
}
`