Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
a2f6cab492 | ||
|
|
476fda7203 | ||
|
|
9348336709 | ||
|
|
e5194a1dbb | ||
|
|
7c3d0e102f | ||
|
|
a0eaddf994 | ||
|
|
30be967887 | ||
|
|
2b8d0b3f43 | ||
|
|
07b15c8e01 | ||
|
|
65cc0c7b6d |
@@ -19,14 +19,38 @@ log.info("Database tables verified.")
|
||||
app = FastAPI(title="TFM aInventory API", version="1.1.0")
|
||||
log.info("TFM aInventory API process started.")
|
||||
|
||||
# [SECURITY FIX M-01] CORS: allow_origins=["*"] + allow_credentials=True is invalid per spec.
|
||||
# Allowed origins are configured via ALLOWED_ORIGINS environment variable (comma-separated).
|
||||
# Secure fallback: localhost only for development.
|
||||
_raw_origins = os.environ.get(
|
||||
"ALLOWED_ORIGINS",
|
||||
"http://localhost:8907,https://localhost:8909"
|
||||
)
|
||||
# [SECURITY FIX M-01] CORS Configuration
|
||||
# We dynamically build allowed origins from environment variables to simplify deployment.
|
||||
_raw_origins = os.environ.get("ALLOWED_ORIGINS", "")
|
||||
ALLOWED_ORIGINS = [o.strip() for o in _raw_origins.split(",") if o.strip()]
|
||||
|
||||
# Automatically add origins based on network_config.env variables if present
|
||||
server_ip = os.environ.get("SERVER_IP")
|
||||
front_port = os.environ.get("FRONTEND_PORT", "8907")
|
||||
front_ssl_port = os.environ.get("FRONTEND_SSL_PORT", "8909")
|
||||
back_ssl_port = os.environ.get("BACKEND_SSL_PORT", "8908")
|
||||
|
||||
# Always allow localhost
|
||||
defaults = [
|
||||
f"http://localhost:{front_port}",
|
||||
f"https://localhost:{front_ssl_port}",
|
||||
f"https://localhost:{back_ssl_port}",
|
||||
]
|
||||
for d in defaults:
|
||||
if d not in ALLOWED_ORIGINS:
|
||||
ALLOWED_ORIGINS.append(d)
|
||||
|
||||
# Add IP-based origins if SERVER_IP is set
|
||||
if server_ip and server_ip != "localhost":
|
||||
ip_origins = [
|
||||
f"http://{server_ip}:{front_port}",
|
||||
f"https://{server_ip}:{front_ssl_port}",
|
||||
f"https://{server_ip}:{back_ssl_port}",
|
||||
]
|
||||
for ip_o in ip_origins:
|
||||
if ip_o not in ALLOWED_ORIGINS:
|
||||
ALLOWED_ORIGINS.append(ip_o)
|
||||
|
||||
log.info(f"CORS allowed origins: {ALLOWED_ORIGINS}")
|
||||
|
||||
# Add CORS middleware FIRST (before rate limiter)
|
||||
|
||||
@@ -1,12 +1,13 @@
|
||||
# TFM aInventory - Caddy Self-Signed Internal Proxy
|
||||
# This replaces the need for `local-ssl-proxy` in Node.
|
||||
# TFM aInventory - Caddy Static Internal Configuration
|
||||
# We use standard ports 443/444 internally to decouple from host-side dynamic ports.
|
||||
|
||||
:{$FRONTEND_SSL_PORT} {
|
||||
https://:443 {
|
||||
tls internal
|
||||
reverse_proxy frontend:3000
|
||||
}
|
||||
|
||||
:{$BACKEND_SSL_PORT} {
|
||||
# Backend SSL Proxy
|
||||
https://:444 {
|
||||
tls internal
|
||||
reverse_proxy backend:8000
|
||||
}
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
# =============================================================================
|
||||
# TFM aInventory - Central Network Configuration
|
||||
# =============================================================================
|
||||
# Use this file to customize the ports and IP address used by the application
|
||||
# without needing to modify the source code.
|
||||
#
|
||||
# IMPORTANT: After modifying this file, restart the application for changes
|
||||
# to take effect.
|
||||
# =============================================================================
|
||||
|
||||
# The primary IP address where the application will be accessed.
|
||||
# Used for CORS settings and documentation links.
|
||||
SERVER_IP=192.168.84.113
|
||||
|
||||
# --- BACKEND PORTS ---
|
||||
# Internal port for the FastAPI server (Backend)
|
||||
BACKEND_PORT=8906
|
||||
|
||||
# External port for the Backend HTTPS Proxy (Caddy/local-ssl-proxy)
|
||||
BACKEND_SSL_PORT=8908
|
||||
|
||||
# --- FRONTEND PORTS ---
|
||||
# Internal port for the Next.js dev/prod server
|
||||
FRONTEND_PORT=8907
|
||||
|
||||
# External port for the Frontend HTTPS Proxy (Caddy/local-ssl-proxy)
|
||||
# This is the port you will use in your browser (e.g. https://192.168.84.113:8909)
|
||||
FRONTEND_SSL_PORT=8909
|
||||
42
deploy.sh
Executable file
42
deploy.sh
Executable file
@@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
# deploy.sh - Production Deployment Script for TFM aInventory
|
||||
# Forces Docker Compose to use the inventory.env file for both host and container.
|
||||
|
||||
echo "🐳 TFM aInventory - Starting Deployment..."
|
||||
|
||||
# 1. Check for configuration file
|
||||
if [ ! -f "inventory.env" ]; then
|
||||
echo "❌ ERROR: inventory.env not found!"
|
||||
echo "Please create it or use the template provided."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# 2. Source the env file for the current shell (helps some docker versions)
|
||||
export $(grep -v '^#' inventory.env | xargs)
|
||||
|
||||
# 3. Optional: Reset Caddy certificates if needed
|
||||
if [[ "$*" == *"--reset-ssl"* ]]; then
|
||||
echo "🧹 Resetting Caddy certificates..."
|
||||
docker compose down
|
||||
docker volume rm ainventory_caddy_data ainventory_caddy_config 2>/dev/null || true
|
||||
fi
|
||||
|
||||
# 4. Run Docker Compose with explicit env-file flag
|
||||
echo "🚀 Building and starting containers..."
|
||||
docker compose --env-file inventory.env up -d --build --remove-orphans
|
||||
|
||||
echo ""
|
||||
echo "🔍 Verifying port mapping..."
|
||||
docker compose ps --format "table {{.Name}}\t{{.Status}}\t{{.Ports}}"
|
||||
|
||||
echo ""
|
||||
echo "🚀 DIAGNOSTIC LOGS (Proxy SSL Handshake):"
|
||||
docker compose logs proxy --tail 20
|
||||
|
||||
echo ""
|
||||
echo "✅ Deployment requested."
|
||||
echo " ------------------------------------------------------------"
|
||||
echo " 1. SECURE ACCESS (Try first): https://${SERVER_IP:-localhost}:${FRONTEND_SSL_PORT:-8919}"
|
||||
echo " 2. DIRECT ACCESS (Fallback): http://${SERVER_IP:-localhost}:${FRONTEND_PORT:-8917}"
|
||||
echo " ------------------------------------------------------------"
|
||||
echo ""
|
||||
@@ -8,7 +8,7 @@ services:
|
||||
ports:
|
||||
- ${BACKEND_PORT:-8000}:8000
|
||||
env_file:
|
||||
- ./config/network_config.env
|
||||
- inventory.env
|
||||
volumes:
|
||||
- ./data:/app/data
|
||||
- ./logs:/app/logs
|
||||
@@ -16,7 +16,6 @@ services:
|
||||
environment:
|
||||
- DATA_DIR=/app/data
|
||||
- LOGS_DIR=/app/logs
|
||||
- ALLOWED_ORIGINS=http://localhost:${FRONTEND_PORT:-3001},https://localhost:${FRONTEND_SSL_PORT:-3003},http://${SERVER_IP:-localhost}:${FRONTEND_PORT:-3001},https://${SERVER_IP:-localhost}:${FRONTEND_SSL_PORT:-3003},https://localhost:${BACKEND_SSL_PORT:-3002},https://${SERVER_IP:-localhost}:${BACKEND_SSL_PORT:-3002}
|
||||
# [C-01] JWT secret key — GENERATE A SECURE VALUE FOR PRODUCTION!
|
||||
- JWT_SECRET_KEY=${JWT_SECRET_KEY:-change_me_in_production}
|
||||
restart: unless-stopped
|
||||
@@ -29,7 +28,7 @@ services:
|
||||
ports:
|
||||
- ${FRONTEND_PORT:-3000}:3000
|
||||
env_file:
|
||||
- ./config/network_config.env
|
||||
- inventory.env
|
||||
volumes:
|
||||
- ./logs:/app/logs
|
||||
# Write Next.js logs to both stdout (docker logs) and file (mapped volume)
|
||||
@@ -41,10 +40,10 @@ services:
|
||||
networks:
|
||||
- inventory_net
|
||||
ports:
|
||||
- ${BACKEND_SSL_PORT:-3002}:${BACKEND_SSL_PORT:-3002}
|
||||
- ${FRONTEND_SSL_PORT:-3003}:${FRONTEND_SSL_PORT:-3003}
|
||||
- ${BACKEND_SSL_PORT:-8918}:444
|
||||
- ${FRONTEND_SSL_PORT:-8919}:443
|
||||
env_file:
|
||||
- ./config/network_config.env
|
||||
- inventory.env
|
||||
volumes:
|
||||
- ./config/Caddyfile:/etc/caddy/Caddyfile
|
||||
# Persist the internal Caddy certificates so users don't get new certificate warnings constantly
|
||||
|
||||
@@ -29,6 +29,8 @@ cp install_service.sh "$PROD_DIR/"
|
||||
cp inventory.service.template "$PROD_DIR/"
|
||||
cp USER_GUIDE.md "$PROD_DIR/"
|
||||
cp README.md "$PROD_DIR/INSTALLATION_GUIDE.md"
|
||||
cp inventory.env "$PROD_DIR/"
|
||||
cp deploy.sh "$PROD_DIR/"
|
||||
cp .git_path "$PROD_DIR/" 2>/dev/null || true
|
||||
cp frontend/VERSION.json "$PROD_DIR/"
|
||||
cp frontend/VERSION.json "$PROD_DIR/frontend/"
|
||||
|
||||
@@ -1,5 +1 @@
|
||||
{
|
||||
"version": "1.8.9",
|
||||
"last_build": "2026-04-13-1954",
|
||||
"codename": "TypeFix"
|
||||
}
|
||||
{"version": "1.9.8", "last_build": "2026-04-13-2148", "codename": "FinalStability", "commit": "476fda72"}
|
||||
|
||||
19
inventory.env
Normal file
19
inventory.env
Normal file
@@ -0,0 +1,19 @@
|
||||
# =============================================================================
|
||||
# TFM aInventory - Docker Compose Environment
|
||||
# =============================================================================
|
||||
# This file is used by Docker Compose for host-side port mapping.
|
||||
# It should match the values in config/network_config.env
|
||||
# =============================================================================
|
||||
|
||||
SERVER_IP=192.168.84.113
|
||||
|
||||
# Backend Ports
|
||||
BACKEND_PORT=8916
|
||||
BACKEND_SSL_PORT=8918
|
||||
|
||||
# Frontend Ports
|
||||
FRONTEND_PORT=8917
|
||||
FRONTEND_SSL_PORT=8919
|
||||
|
||||
# Security
|
||||
JWT_SECRET_KEY=change_me_in_production
|
||||
@@ -7,7 +7,7 @@ echo "🚀 Starting TFM aInventory in Standalone Mode..."
|
||||
# Trapping termination signals to clean up child processes
|
||||
trap "echo 'Stopping all processes...'; kill 0" SIGINT SIGTERM EXIT
|
||||
|
||||
# --- CONFIGURATION (Default values, overridden by network_config.env) ---
|
||||
# --- CONFIGURATION (Default values, overridden by network_configinventory.env) ---
|
||||
BACKEND_PORT=8000
|
||||
FRONTEND_PORT=3001
|
||||
BACKEND_SSL_PORT=3002
|
||||
@@ -15,7 +15,7 @@ FRONTEND_SSL_PORT=3003
|
||||
SERVER_IP="localhost"
|
||||
|
||||
# Load Configuration from file if it exists
|
||||
CONFIG_PATH="$(cd "$(dirname "$0")" && pwd)/config/network_config.env"
|
||||
CONFIG_PATH="$(cd "$(dirname "$0")" && pwd)/inventory.env"
|
||||
if [ -f "$CONFIG_PATH" ]; then
|
||||
echo "⚙️ Loading network configuration from $CONFIG_PATH..."
|
||||
export $(grep -v '^#' "$CONFIG_PATH" | xargs)
|
||||
|
||||
@@ -53,8 +53,15 @@ def main():
|
||||
data['version'] = new_version
|
||||
data['last_build'] = datetime.now().strftime("%Y-%m-%d-%H%M")
|
||||
|
||||
# Get current git commit (short)
|
||||
try:
|
||||
commit_hash = run_command([git, 'rev-parse', '--short', 'HEAD'])
|
||||
data['commit'] = commit_hash
|
||||
except Exception:
|
||||
data['commit'] = 'unknown'
|
||||
|
||||
# Optional: Rotate changelog if needed, but for now just update version
|
||||
print(f"Incrementing version: {old_version} -> {new_version}")
|
||||
print(f"Incrementing version: {old_version} -> {new_version} (commit: {data['commit']})")
|
||||
|
||||
with open(VERSION_FILE, 'w') as f:
|
||||
json.dump(data, f, indent=2)
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
# --- CONFIGURATION (Default values, will be overridden by network_config.env) ---
|
||||
# --- CONFIGURATION (Default values, will be overridden by network_configinventory.env) ---
|
||||
BACKEND_PORT=8000
|
||||
FRONTEND_PORT=3001
|
||||
BACKEND_SSL_PORT=3002
|
||||
@@ -8,10 +8,10 @@ FRONTEND_SSL_PORT=3003
|
||||
SERVER_IP="localhost"
|
||||
|
||||
# Load Configuration from file if it exists
|
||||
CONFIG_PATH="$(cd "$(dirname "$0")" && pwd)/config/network_config.env"
|
||||
CONFIG_PATH="$(cd "$(dirname "$0")" && pwd)/inventory.env"
|
||||
if [ -f "$CONFIG_PATH" ]; then
|
||||
echo "⚙️ Loading network configuration from $CONFIG_PATH..."
|
||||
# Export variables from .env file (ignoring comments and empty lines)
|
||||
# Export variables from inventory.env file (ignoring comments and empty lines)
|
||||
export $(grep -v '^#' "$CONFIG_PATH" | xargs)
|
||||
fi
|
||||
|
||||
|
||||
Reference in New Issue
Block a user