diff --git a/Dockerfile b/Dockerfile index f727358..baab160 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ && chmod a+r /etc/apt/keyrings/docker.gpg \ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list \ && apt-get update \ - && apt-get install -y --no-install-recommends docker-ce-cli docker-compose-plugin \ + && apt-get install -y --no-install-recommends docker-ce-cli docker-compose-plugin git \ && rm -rf /var/lib/apt/lists/* # Set working directory @@ -28,6 +28,15 @@ COPY app/ ./app/ COPY templates/ ./templates/ COPY static/ ./static/ +# Bake version info at build time +ARG GIT_COMMIT=unknown +ARG GIT_BRANCH=unknown +ARG GIT_COMMIT_DATE=unknown +RUN echo "{\"commit\": \"$GIT_COMMIT\", \"branch\": \"$GIT_BRANCH\", \"date\": \"$GIT_COMMIT_DATE\"}" > /app/version.json + +# Allow git to operate in the /app-source volume (owner may differ from container user) +RUN git config --global --add safe.directory /app-source + # Create data directories RUN mkdir -p /app/data /app/logs /app/backups diff --git a/app/database.py b/app/database.py index db25258..967ac6b 100644 --- a/app/database.py +++ b/app/database.py @@ -118,6 +118,10 @@ def _run_migrations() -> None: ("system_config", "ldap_base_dn", "TEXT"), ("system_config", "ldap_user_filter", "TEXT DEFAULT '(sAMAccountName={username})'"), ("system_config", "ldap_group_dn", "TEXT"), + # Update management + ("system_config", "git_repo_url", "TEXT"), + ("system_config", "git_branch", "TEXT DEFAULT 'main'"), + ("system_config", "git_token_encrypted", "TEXT"), ] for table, column, col_type in migrations: if not _has_column(table, column): diff --git a/app/models.py b/app/models.py index ba0447b..20c3303 100644 --- a/app/models.py +++ b/app/models.py @@ -194,6 +194,11 @@ class SystemConfig(Base): ) ldap_group_dn: Mapped[Optional[str]] = mapped_column(String(500), nullable=True) + # Update management + git_repo_url: Mapped[Optional[str]] = mapped_column(String(500), nullable=True) + git_branch: Mapped[Optional[str]] = mapped_column(String(100), default="main") + git_token_encrypted: Mapped[Optional[str]] = mapped_column(Text, nullable=True) + created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow) updated_at: Mapped[datetime] = mapped_column( DateTime, default=datetime.utcnow, onupdate=datetime.utcnow @@ -245,6 +250,9 @@ class SystemConfig(Base): "ldap_base_dn": self.ldap_base_dn or "", "ldap_user_filter": self.ldap_user_filter or "(sAMAccountName={username})", "ldap_group_dn": self.ldap_group_dn or "", + "git_repo_url": self.git_repo_url or "", + "git_branch": self.git_branch or "main", + "git_token_set": bool(self.git_token_encrypted), "created_at": self.created_at.isoformat() if self.created_at else None, "updated_at": self.updated_at.isoformat() if self.updated_at else None, } diff --git a/app/routers/settings.py b/app/routers/settings.py index 09fe2ab..26e15e2 100644 --- a/app/routers/settings.py +++ b/app/routers/settings.py @@ -15,8 +15,8 @@ from sqlalchemy.orm import Session from app.database import get_db from app.dependencies import get_current_user from app.models import SystemConfig, User -from app.services import dns_service, ldap_service, npm_service -from app.utils.config import get_system_config +from app.services import dns_service, ldap_service, npm_service, update_service +from app.utils.config import DATABASE_PATH, get_system_config from app.utils.security import encrypt_value from app.utils.validators import SystemConfigUpdate @@ -94,6 +94,10 @@ async def update_settings( if "ldap_bind_password" in update_data: row.ldap_bind_password_encrypted = encrypt_value(update_data.pop("ldap_bind_password")) + # Handle git token encryption + if "git_token" in update_data: + row.git_token_encrypted = encrypt_value(update_data.pop("git_token")) + for field, value in update_data.items(): if hasattr(row, field): setattr(row, field, value) @@ -310,3 +314,61 @@ async def delete_logo( db.commit() return {"branding_logo_path": None} + + +@router.get("/version") +async def get_version( + current_user: User = Depends(get_current_user), + db: Session = Depends(get_db), +): + """Return current installed version and latest available from the git remote. + + Returns: + Dict with current version, latest version, and needs_update flag. + """ + config = get_system_config(db) + current = update_service.get_current_version() + if not config or not config.git_repo_url: + return {"current": current, "latest": None, "needs_update": False} + result = await update_service.check_for_updates(config) + return result + + +@router.post("/update") +async def trigger_update( + current_user: User = Depends(get_current_user), + db: Session = Depends(get_db), +): + """Backup the database, git pull the latest code, and rebuild the container. + + The rebuild is fire-and-forget — the app will restart in ~60 seconds. + Only admin users may trigger an update. + + Returns: + Dict with ok, message, and backup path. + """ + if getattr(current_user, "role", "admin") != "admin": + raise HTTPException( + status_code=status.HTTP_403_FORBIDDEN, + detail="Only admin users can trigger an update.", + ) + config = get_system_config(db) + if not config: + raise HTTPException( + status_code=status.HTTP_404_NOT_FOUND, + detail="System configuration not initialized.", + ) + if not config.git_repo_url: + raise HTTPException( + status_code=status.HTTP_400_BAD_REQUEST, + detail="git_repo_url is not configured in settings.", + ) + + result = update_service.trigger_update(config, DATABASE_PATH) + if not result.get("ok"): + raise HTTPException( + status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, + detail=result.get("message", "Update failed."), + ) + logger.info("Update triggered by %s.", current_user.username) + return result diff --git a/app/services/update_service.py b/app/services/update_service.py new file mode 100644 index 0000000..37541d0 --- /dev/null +++ b/app/services/update_service.py @@ -0,0 +1,198 @@ +"""Update management — version check and in-place update via git + docker compose.""" + +import json +import logging +import shutil +import subprocess +from datetime import datetime +from pathlib import Path +from typing import Any + +import httpx + +SOURCE_DIR = "/app-source" +VERSION_FILE = "/app/version.json" +BACKUP_DIR = "/app/backups" + +logger = logging.getLogger(__name__) + + +def get_current_version() -> dict: + """Read the version baked at build time from /app/version.json.""" + try: + data = json.loads(Path(VERSION_FILE).read_text()) + return { + "commit": data.get("commit", "unknown"), + "branch": data.get("branch", "unknown"), + "date": data.get("date", "unknown"), + } + except Exception: + return {"commit": "unknown", "branch": "unknown", "date": "unknown"} + + +async def check_for_updates(config: Any) -> dict: + """Query the Gitea API for the latest commit on the configured branch. + + Parses the repo URL to build the Gitea API endpoint: + https://git.example.com/owner/repo + → https://git.example.com/api/v1/repos/owner/repo/branches/{branch} + + Returns dict with current, latest, needs_update, and optional error. + """ + current = get_current_version() + if not config.git_repo_url: + return { + "current": current, + "latest": None, + "needs_update": False, + "error": "git_repo_url not configured", + } + + repo_url = config.git_repo_url.rstrip("/") + parts = repo_url.split("/") + if len(parts) < 5: + return { + "current": current, + "latest": None, + "needs_update": False, + "error": f"Cannot parse repo URL: {repo_url}", + } + + base_url = "/".join(parts[:-2]) + owner = parts[-2] + repo = parts[-1] + branch = config.git_branch or "main" + api_url = f"{base_url}/api/v1/repos/{owner}/{repo}/branches/{branch}" + + headers = {} + if config.git_token: + headers["Authorization"] = f"token {config.git_token}" + + try: + async with httpx.AsyncClient(timeout=10) as client: + resp = await client.get(api_url, headers=headers) + if resp.status_code != 200: + return { + "current": current, + "latest": None, + "needs_update": False, + "error": f"Gitea API returned HTTP {resp.status_code}", + } + data = resp.json() + latest_commit = data.get("commit", {}) + full_sha = latest_commit.get("id", "unknown") + short_sha = full_sha[:8] if full_sha != "unknown" else "unknown" + latest = { + "commit": short_sha, + "commit_full": full_sha, + "message": latest_commit.get("commit", {}).get("message", "").split("\n")[0], + "date": latest_commit.get("commit", {}).get("committer", {}).get("date", ""), + "branch": branch, + } + current_sha = current.get("commit", "unknown") + needs_update = ( + current_sha != "unknown" + and short_sha != "unknown" + and current_sha != short_sha + and not full_sha.startswith(current_sha) + ) + return {"current": current, "latest": latest, "needs_update": needs_update} + except Exception as exc: + return { + "current": current, + "latest": None, + "needs_update": False, + "error": str(exc), + } + + +def backup_database(db_path: str) -> str: + """Create a timestamped backup of the SQLite database. + + Returns the backup file path. + """ + Path(BACKUP_DIR).mkdir(parents=True, exist_ok=True) + timestamp = datetime.utcnow().strftime("%Y%m%d_%H%M%S") + backup_path = f"{BACKUP_DIR}/netbird_msp_{timestamp}.db" + shutil.copy2(db_path, backup_path) + logger.info("Database backed up to %s", backup_path) + return backup_path + + +def trigger_update(config: Any, db_path: str) -> dict: + """Backup DB, git pull latest code, then fire-and-forget docker compose rebuild. + + Returns immediately after launching the rebuild. The container will restart + in ~30-60 seconds causing a brief HTTP connection drop. + + Args: + config: AppConfig with git_repo_url, git_branch, git_token. + db_path: Absolute path to the SQLite database file. + + Returns: + Dict with ok (bool), message, backup path, and pulled_branch. + """ + # 1. Backup database before any changes + try: + backup_path = backup_database(db_path) + except Exception as exc: + logger.error("Database backup failed: %s", exc) + return {"ok": False, "message": f"Database backup failed: {exc}", "backup": None} + + # 2. Build git pull command (embed token in URL if provided) + branch = config.git_branch or "main" + if config.git_token and config.git_repo_url: + scheme_sep = config.git_repo_url.split("://", 1) + if len(scheme_sep) == 2: + auth_url = f"{scheme_sep[0]}://token:{config.git_token}@{scheme_sep[1]}" + else: + auth_url = config.git_repo_url + pull_cmd = ["git", "-C", SOURCE_DIR, "pull", auth_url, branch] + else: + pull_cmd = ["git", "-C", SOURCE_DIR, "pull", "origin", branch] + + # 3. Git pull (synchronous — must complete before rebuild) + try: + result = subprocess.run( + pull_cmd, + capture_output=True, + text=True, + timeout=120, + ) + except subprocess.TimeoutExpired: + return {"ok": False, "message": "git pull timed out after 120s.", "backup": backup_path} + except Exception as exc: + return {"ok": False, "message": f"git pull error: {exc}", "backup": backup_path} + + if result.returncode != 0: + stderr = result.stderr.strip()[:500] + logger.error("git pull failed (exit %d): %s", result.returncode, stderr) + return { + "ok": False, + "message": f"git pull failed: {stderr}", + "backup": backup_path, + } + + logger.info("git pull succeeded: %s", result.stdout.strip()[:200]) + + # 4. Fire-and-forget docker compose rebuild — the container will restart itself + compose_cmd = [ + "docker", "compose", + "-f", f"{SOURCE_DIR}/docker-compose.yml", + "up", "--build", "-d", + ] + subprocess.Popen( + compose_cmd, + stdout=subprocess.DEVNULL, + stderr=subprocess.DEVNULL, + ) + logger.info("docker compose up --build -d triggered — container will restart shortly.") + + return { + "ok": True, + "message": ( + "Update gestartet. Die App wird in ca. 60 Sekunden mit der neuen Version verfügbar sein." + ), + "backup": backup_path, + "pulled_branch": branch, + } diff --git a/app/utils/config.py b/app/utils/config.py index c0f84d1..0eb66c5 100644 --- a/app/utils/config.py +++ b/app/utils/config.py @@ -50,6 +50,10 @@ class AppConfig: ldap_base_dn: str = "" ldap_user_filter: str = "(sAMAccountName={username})" ldap_group_dn: str = "" + # Update management + git_repo_url: str = "" + git_branch: str = "main" + git_token: str = "" # decrypted # --------------------------------------------------------------------------- @@ -117,6 +121,10 @@ def get_system_config(db: Session) -> Optional[AppConfig]: ldap_bind_password = decrypt_value(row.ldap_bind_password_encrypted) if row.ldap_bind_password_encrypted else "" except Exception: ldap_bind_password = "" + try: + git_token = decrypt_value(row.git_token_encrypted) if row.git_token_encrypted else "" + except Exception: + git_token = "" return AppConfig( base_domain=row.base_domain, @@ -149,4 +157,7 @@ def get_system_config(db: Session) -> Optional[AppConfig]: ldap_base_dn=getattr(row, "ldap_base_dn", "") or "", ldap_user_filter=getattr(row, "ldap_user_filter", "(sAMAccountName={username})") or "(sAMAccountName={username})", ldap_group_dn=getattr(row, "ldap_group_dn", "") or "", + git_repo_url=getattr(row, "git_repo_url", "") or "", + git_branch=getattr(row, "git_branch", "main") or "main", + git_token=git_token, ) diff --git a/app/utils/validators.py b/app/utils/validators.py index 28bdd4b..27c6181 100644 --- a/app/utils/validators.py +++ b/app/utils/validators.py @@ -154,6 +154,10 @@ class SystemConfigUpdate(BaseModel): ldap_base_dn: Optional[str] = Field(None, max_length=500) ldap_user_filter: Optional[str] = Field(None, max_length=255) ldap_group_dn: Optional[str] = Field(None, max_length=500) + # Update management + git_repo_url: Optional[str] = Field(None, max_length=500) + git_branch: Optional[str] = Field(None, max_length=100) + git_token: Optional[str] = None # plaintext, encrypted before storage @field_validator("ssl_mode") @classmethod diff --git a/docker-compose.yml b/docker-compose.yml index f5302e4..f972e6c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -38,7 +38,12 @@ services: # Only accessible from within the Docker network — never expose port externally netbird-msp-appliance: - build: . + build: + context: . + args: + GIT_COMMIT: ${GIT_COMMIT:-unknown} + GIT_BRANCH: ${GIT_BRANCH:-unknown} + GIT_COMMIT_DATE: ${GIT_COMMIT_DATE:-unknown} container_name: netbird-msp-appliance restart: unless-stopped security_opt: @@ -55,6 +60,7 @@ services: - ./backups:/app/backups:z - /var/run/docker.sock:/var/run/docker.sock:z - ${DATA_DIR:-/opt/netbird-instances}:${DATA_DIR:-/opt/netbird-instances}:z + - .:/app-source:z environment: - SECRET_KEY=${SECRET_KEY} - DATABASE_PATH=/app/data/netbird_msp.db diff --git a/update.sh b/update.sh new file mode 100755 index 0000000..2e166b5 --- /dev/null +++ b/update.sh @@ -0,0 +1,70 @@ +#!/bin/bash +# update.sh — SSH-based manual update for NetBird MSP Appliance +# Usage: bash update.sh [branch] +# Run from the host as root or the user that owns the install directory. +set -euo pipefail + +INSTALL_DIR="/opt/netbird-msp" +BRANCH="${1:-main}" + +cd "$INSTALL_DIR" + +echo "=== NetBird MSP Appliance Update ===" +echo "Install dir : $INSTALL_DIR" +echo "Branch : $BRANCH" +echo "Current : $(git log --oneline -1 2>/dev/null || echo 'unknown')" +echo "" + +# --- Backup database --- +BACKUP_DIR="$INSTALL_DIR/backups" +mkdir -p "$BACKUP_DIR" +DB_FILE="$INSTALL_DIR/data/netbird_msp.db" +if [ -f "$DB_FILE" ]; then + TIMESTAMP=$(date +%Y%m%d_%H%M%S) + BACKUP_FILE="$BACKUP_DIR/netbird_msp_${TIMESTAMP}.db" + cp "$DB_FILE" "$BACKUP_FILE" + echo "✓ Database backed up to $BACKUP_FILE" +else + echo "⚠ No database file found at $DB_FILE — skipping backup" +fi + +# --- Pull latest code --- +git fetch origin "$BRANCH" +git checkout "$BRANCH" +git pull origin "$BRANCH" +echo "✓ Code updated to: $(git log --oneline -1)" + +# --- Export build args --- +export GIT_COMMIT=$(git rev-parse HEAD) +export GIT_BRANCH=$(git rev-parse --abbrev-ref HEAD) +export GIT_COMMIT_DATE=$(git log -1 --format=%cI) + +echo "" +echo "Building with:" +echo " GIT_COMMIT = $GIT_COMMIT" +echo " GIT_BRANCH = $GIT_BRANCH" +echo " GIT_COMMIT_DATE = $GIT_COMMIT_DATE" +echo "" + +# --- Rebuild and restart --- +docker compose up --build -d +echo "✓ Container rebuilt and restarted" + +# --- Health check --- +echo "Waiting for app to start..." +for i in $(seq 1 12); do + sleep 5 + if curl -sf http://localhost:8000/api/health > /dev/null 2>&1; then + echo "" + echo "✓ App is healthy!" + echo "=== Update complete ===" + echo "New version: $(git log --oneline -1)" + exit 0 + fi + printf " Waiting... (%ds)\n" "$((i * 5))" +done + +echo "" +echo "⚠ Health check timed out after 60s." +echo " Check logs with: docker logs netbird-msp-appliance" +exit 1