Open creativeprojects opened 3 months ago
Attention: Patch coverage is 21.92817% with 413 lines in your changes missing coverage. Please review.
Project coverage is 70.24%. Comparing base (ccccfa2) to head (5d698ec). Report is 1 commits behind head on master.
Files | Patch % | Lines |
---|---|---|
ssh/ssh.go | 0.00% | 97 Missing :warning: |
remote.go | 0.00% | 79 Missing :warning: |
remote/tar.go | 0.00% | 57 Missing :warning: |
serve.go | 0.00% | 53 Missing :warning: |
send.go | 0.00% | 49 Missing :warning: |
ssh/config.go | 0.00% | 23 Missing :warning: |
fuse/memfs.go | 75.41% | 14 Missing and 1 partial :warning: |
config/remote.go | 0.00% | 14 Missing :warning: |
config/config.go | 21.43% | 11 Missing :warning: |
fuse/file.go | 33.33% | 8 Missing :warning: |
... and 5 more |
I got a fully working proof of concept for the SSH mode 🎉
What do you think @jkellerer ?
SSH mode should be secure enough:
Obviously it still needs more work and also unit tests.
We'll see for the other modes later (with the security concerns)
will check it. Was a bit busy these days :)
Work in progress
Proof of concept on how to send a configuration profile to a remote server (along with necessary files like exclude list, restic password, etc.)
Suggestion of connection type:
- `SSH`: secure connection (would be the default)
- `HTTP`: basic http connection to be used within a VPN (do we want to provide that?)
- `mTLS`: secure connection with client/server certificates

SSH connection doesn't need to have a resticprofile server waiting for connections. The two other types would need to.
New commands:
- `send`: connects to a remote via SSH and pushes the specified configuration
- `serve`: serves configuration files (⚠️ no authentication, no encryption)

New flag:
- `-r / --remote`: download configuration files from the endpoint then run using the downloaded configuration (only). Can be used with `-w / --wait` to inspect the mounted FS.

Other security consideration
Ideally we want the remote clients to never save the configuration that was pushed to them. They run the backup and forget everything about it.
Configuration
New entries in the configuration could look like:
Implementation details:
- `os/fs` but it forbids using any rooted path, which sounds like it would be a massive refactoring.
- `go-fuse` library to create a filesystem in memory from a `tar` stream (not sure how it's going to work on Windows yet)

Demo of working SSH mode (logs from both the initiator and the remote)
More information
Discussion here: https://github.com/creativeprojects/resticprofile/issues/69
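
An added example, not code from this pull request: the description above unpacks a `tar` stream into an in-memory filesystem so the remote never saves the pushed configuration. The Go code below loads such a stream into `testing/fstest.MapFS` (a stand-in here for the PR's go-fuse filesystem) and refuses entries whose names fail `fs.ValidPath` (rooted or `..` paths), non-regular entries and oversized files. The names `loadTar` and `buildTar`, the 1 MiB cap and the sample file names are assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"testing/fstest"
)

// loadTar unpacks a tar stream into memory only; nothing is written to disk.
func loadTar(r io.Reader) (fstest.MapFS, error) {
	const maxFileSize = 1 << 20 // assumed per-file cap, not a resticprofile setting
	mem, tr := fstest.MapFS{}, tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return mem, nil
		}
		if err != nil {
			return nil, err
		}
		// Refuse rooted or ".." names (io/fs rules), links/devices/dirs, and oversized files.
		if !fs.ValidPath(hdr.Name) || hdr.Name == "." || hdr.Typeflag != tar.TypeReg || hdr.Size > maxFileSize {
			return nil, fmt.Errorf("rejected tar entry %q", hdr.Name)
		}
		data, err := io.ReadAll(tr) // the tar reader stops at hdr.Size bytes
		if err != nil {
			return nil, err
		}
		mem[hdr.Name] = &fstest.MapFile{Data: data, Mode: 0o400}
	}
}

// buildTar packs name/content pairs into a tar stream (constructed sample input).
func buildTar(files map[string]string) io.Reader {
	buf := &bytes.Buffer{}
	tw := tar.NewWriter(buf)
	for name, body := range files {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o600, Size: int64(len(body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(body))
	}
	tw.Close()
	return buf
}

func main() {
	fmt.Println(loadTar(buildTar(map[string]string{"/etc/passwd": "x"})))
}
```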