feat: add TLS for node bridge
@@ -6,6 +6,7 @@ import type { HealthSummary } from "../commands/health.js";
|
||||
import type { ClawdbotConfig } from "../config/config.js";
|
||||
import { deriveDefaultBridgePort, deriveDefaultCanvasHostPort } from "../config/port-defaults.js";
|
||||
import type { NodeBridgeServer } from "../infra/bridge/server.js";
|
||||
import { loadBridgeTlsRuntime } from "../infra/bridge/server/tls.js";
|
||||
import { pickPrimaryTailnetIPv4, pickPrimaryTailnetIPv6 } from "../infra/tailnet.js";
|
||||
import type { RuntimeEnv } from "../runtime.js";
|
||||
import type { ChatAbortControllerEntry } from "./chat-abort.js";
|
||||
@@ -71,7 +72,7 @@ export async function startGatewayBridgeRuntime(params: {
|
||||
}): Promise<GatewayBridgeRuntime> {
|
||||
const wideAreaDiscoveryEnabled = params.cfg.discovery?.wideArea?.enabled === true;
|
||||
|
||||
const bridgeEnabled = (() => {
|
||||
let bridgeEnabled = (() => {
|
||||
if (params.cfg.bridge?.enabled !== undefined) return params.cfg.bridge.enabled === true;
|
||||
return process.env.CLAWDBOT_BRIDGE_ENABLED !== "0";
|
||||
})();
|
||||
@@ -111,6 +112,14 @@ export async function startGatewayBridgeRuntime(params: {
|
||||
return "0.0.0.0";
|
||||
})();
|
||||
|
||||
const bridgeTls = bridgeEnabled
|
||||
? await loadBridgeTlsRuntime(params.cfg.bridge?.tls, params.logBridge)
|
||||
: { enabled: false, required: false };
|
||||
if (bridgeTls.required && !bridgeTls.enabled) {
|
||||
params.logBridge.warn(bridgeTls.error ?? "bridge tls: failed to enable; bridge disabled");
|
||||
bridgeEnabled = false;
|
||||
}
|
||||
|
||||
const canvasHostPort = (() => {
|
||||
if (process.env.CLAWDBOT_CANVAS_HOST_PORT !== undefined) {
|
||||
const parsed = Number.parseInt(process.env.CLAWDBOT_CANVAS_HOST_PORT, 10);
|
||||
@@ -197,6 +206,7 @@ export async function startGatewayBridgeRuntime(params: {
|
||||
bridgeEnabled,
|
||||
bridgePort,
|
||||
bridgeHost,
|
||||
bridgeTls: bridgeTls.enabled ? bridgeTls : undefined,
|
||||
machineDisplayName: params.machineDisplayName,
|
||||
canvasHostPort: canvasHostPortForBridge,
|
||||
canvasHostHost: canvasHostHostForBridge,
|
||||
@@ -212,6 +222,9 @@ export async function startGatewayBridgeRuntime(params: {
|
||||
machineDisplayName: params.machineDisplayName,
|
||||
port: params.port,
|
||||
bridgePort: bridge?.port,
|
||||
bridgeTls: bridgeTls.enabled
|
||||
? { enabled: true, fingerprintSha256: bridgeTls.fingerprintSha256 }
|
||||
: undefined,
|
||||
canvasPort: canvasHostPortForBridge,
|
||||
wideAreaDiscoveryEnabled,
|
||||
logDiscovery: params.logDiscovery,
|
||||
|
||||
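Review bot: The downgrade to plaintext is silent when TLS is configured but not required: the check after `const bridgeTls = bridgeEnabled ? await loadBridgeTlsRuntime(...)` only warns in the `required && !enabled` case, so a non-required load failure leaves `bridgeTls.enabled` false, the later hunk hands the server `bridgeTls: undefined`, and the bridge listens over plain TCP with no line saying why. Unless loadBridgeTlsRuntime already reports that case itself (not visible here), add a branch after the existing check, `else if (!bridgeTls.enabled && params.cfg.bridge?.tls !== undefined) params.logBridge.warn(bridgeTls.error ?? "bridge tls: not enabled; bridge listens without tls");`, so an operator can tell an intentional plaintext bridge from a failed TLS setup. startGatewayBridgeRuntime starts and ends outside these hunks.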
@@ -11,6 +11,7 @@ export async function startGatewayDiscovery(params: {
|
||||
machineDisplayName: string;
|
||||
port: number;
|
||||
bridgePort?: number;
|
||||
bridgeTls?: { enabled: boolean; fingerprintSha256?: string };
|
||||
canvasPort?: number;
|
||||
wideAreaDiscoveryEnabled: boolean;
|
||||
logDiscovery: { info: (msg: string) => void; warn: (msg: string) => void };
|
||||
@@ -27,6 +28,8 @@ export async function startGatewayDiscovery(params: {
|
||||
gatewayPort: params.port,
|
||||
bridgePort: params.bridgePort,
|
||||
canvasPort: params.canvasPort,
|
||||
bridgeTlsEnabled: params.bridgeTls?.enabled ?? false,
|
||||
bridgeTlsFingerprintSha256: params.bridgeTls?.fingerprintSha256,
|
||||
sshPort,
|
||||
tailnetDns,
|
||||
cliPath: resolveBonjourCliPath(),
|
||||
@@ -51,6 +54,8 @@ export async function startGatewayDiscovery(params: {
|
||||
displayName: formatBonjourInstanceName(params.machineDisplayName),
|
||||
tailnetIPv4,
|
||||
tailnetIPv6: tailnetIPv6 ?? undefined,
|
||||
bridgeTlsEnabled: params.bridgeTls?.enabled ?? false,
|
||||
bridgeTlsFingerprintSha256: params.bridgeTls?.fingerprintSha256,
|
||||
tailnetDns,
|
||||
sshPort,
|
||||
cliPath: resolveBonjourCliPath(),
|
||||
|
||||
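Review bot: The new `bridgeTls` field on startGatewayDiscovery's params needs a comment stating what the advertised fingerprint may be relied on for: the two later hunks copy it into both discovery payloads, and discovery records are not authenticated, so a client that learns the fingerprint from discovery alone has no basis to pin it. I would add above `bridgeTls?: { enabled: boolean; fingerprintSha256?: string };` the comment `// Advertised in discovery records; fingerprintSha256 is a hint for clients, not a trust anchor — verify it over an authenticated channel before pinning.` As a point of style, `bridgeTlsEnabled` and `bridgeTlsFingerprintSha256` are computed identically in both payload hunks; deriving them once into locals would keep the two from drifting. The params type and both payload objects start or end outside the hunks.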
@@ -1,5 +1,6 @@
|
||||
import type { NodeBridgeServer } from "../infra/bridge/server.js";
|
||||
import { startNodeBridgeServer } from "../infra/bridge/server.js";
|
||||
import type { BridgeTlsRuntime } from "../infra/bridge/server/tls.js";
|
||||
import type { ClawdbotConfig } from "../config/config.js";
|
||||
import { bumpSkillsSnapshotVersion } from "../agents/skills/refresh.js";
|
||||
import { recordRemoteNodeInfo, refreshRemoteNodeBins } from "../infra/skills-remote.js";
|
||||
@@ -23,6 +24,7 @@ export async function startGatewayNodeBridge(params: {
|
||||
bridgeEnabled: boolean;
|
||||
bridgePort: number;
|
||||
bridgeHost: string | null;
|
||||
bridgeTls?: BridgeTlsRuntime;
|
||||
machineDisplayName: string;
|
||||
canvasHostPort?: number;
|
||||
canvasHostHost?: string;
|
||||
@@ -111,6 +113,7 @@ export async function startGatewayNodeBridge(params: {
|
||||
const started = await startNodeBridgeServer({
|
||||
host: params.bridgeHost,
|
||||
port: params.bridgePort,
|
||||
tls: params.bridgeTls?.tlsOptions,
|
||||
serverName: params.machineDisplayName,
|
||||
canvasHostPort: params.canvasHostPort,
|
||||
canvasHostHost: params.canvasHostHost,
|
||||
@@ -158,7 +161,8 @@ export async function startGatewayNodeBridge(params: {
|
||||
},
|
||||
});
|
||||
if (started.port > 0) {
|
||||
params.logBridge.info(`listening on tcp://${params.bridgeHost}:${started.port} (node)`);
|
||||
const scheme = params.bridgeTls?.enabled ? "tls" : "tcp";
|
||||
params.logBridge.info(`listening on ${scheme}://${params.bridgeHost}:${started.port} (node)`);
|
||||
return { bridge: started, nodePresenceTimers };
|
||||
}
|
||||
} catch (err) {
|
||||
|
||||
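Review bot: The log line `const scheme = params.bridgeTls?.enabled ? "tls" : "tcp";` derives the scheme from `enabled`, while the listener a few lines earlier is built from `tls: params.bridgeTls?.tlsOptions`; if BridgeTlsRuntime can carry `enabled: true` without `tlsOptions` (its definition is not visible here), the log would claim TLS for a plaintext listener. Deriving the scheme from the same value the server receives, `const scheme = params.bridgeTls?.tlsOptions ? "tls" : "tcp";`, or from whatever `started` reports if it exposes the negotiated mode, keeps the log and the socket in agreement, since this line is what an operator reads to confirm the bridge is not listening in plaintext. startGatewayNodeBridge starts and ends outside the hunk.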