From 66500bb128affdb99b3d904dda8365b841cf7922 Mon Sep 17 00:00:00 2001
From: Dmitrii Iurco <dmitrii.iurco@gmail.com>
Date: Thu, 28 May 2026 05:06:52 -0400
Subject: [PATCH] fix: use effective_domain for service links and clean up
 stale DNS records

Dashboard, Email, Calendar, and Files pages were building service URLs
with the internal LAN zone name (e.g. 'cell') instead of the public
effective domain (e.g. 'pic2.pic.ngo'), and always using http:// even
in DDNS mode where HTTPS is available.

Changes:
- Dashboard/Email/Calendar/Files: read effective_domain + domain_mode
  from ConfigContext; use effective_domain in non-LAN mode and https://
  for all DDNS domain modes.
- Calendar: show port 443 instead of 80 in DDNS mode.
- network_manager.update_split_horizon_zone: when the primary internal
  zone name is a parent of the effective DDNS domain (e.g. pic.ngo is a
  parent of pic2.pic.ngo), remove stale bootstrap service records (api,
  calendar, files, mail, webmail, webdav) that pollute the DNS display
  and would shadow public DNS responses.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 api/network_manager.py        | 12 ++++++++++++
 tests/test_network_manager.py | 37 +++++++++++++++++++++++++++++++++++
 webui/src/pages/Calendar.jsx  | 18 +++++++++--------
 webui/src/pages/Dashboard.jsx | 12 +++++++-----
 webui/src/pages/Email.jsx     | 10 ++++++----
 webui/src/pages/Files.jsx     | 20 ++++++++++---------
 6 files changed, 83 insertions(+), 26 deletions(-)

diff --git a/api/network_manager.py b/api/network_manager.py
index be9e2b4..8cc0904 100644
--- a/api/network_manager.py
+++ b/api/network_manager.py
@@ -182,6 +182,18 @@ class NetworkManager(BaseServiceManager):
         if not ok:
             logger.warning('update_split_horizon_zone: zone file write failed for %s', effective_domain)
 
+        # If the internal zone name happens to be a parent of the effective DDNS
+        # domain (e.g. primary_domain='pic.ngo', effective_domain='pic2.pic.ngo'),
+        # bootstrap service records like 'api', 'calendar' etc. would pollute the
+        # zone display and shadow the public domain.  Remove them.
+        _stale = {'api', 'webui', 'calendar', 'files', 'mail', 'webmail', 'webdav'}
+        if effective_domain.endswith('.' + primary_domain):
+            existing = self._load_dns_records(primary_domain)
+            cleaned = [r for r in existing if r.get('name', '') not in _stale]
+            if len(cleaned) < len(existing):
+                self.update_dns_zone(primary_domain, cleaned)
+                logger.info('Removed stale service records from zone %s', primary_domain)
+
         corefile = os.path.join(self.config_dir, 'dns', 'Corefile')
         peers_data = peers or []
         ok_cf = _fm.generate_corefile(
diff --git a/tests/test_network_manager.py b/tests/test_network_manager.py
index 5a66be3..804cffb 100644
--- a/tests/test_network_manager.py
+++ b/tests/test_network_manager.py
@@ -458,6 +458,43 @@ class TestUpdateSplitHorizonZone(unittest.TestCase):
         calls = [str(c) for c in mock_run.call_args_list]
         self.assertTrue(any('SIGUSR1' in c for c in calls))
 
+    @patch('subprocess.run')
+    def test_removes_stale_service_records_when_primary_is_parent(self, _mock):
+        """Stale LAN service names (api, calendar…) are removed from a parent zone."""
+        # Bootstrap a pic.ngo zone with service records (wrong internal zone name)
+        stale_records = [
+            {'name': 'pic2',    'type': 'A', 'value': '10.0.0.1'},
+            {'name': 'api',     'type': 'A', 'value': '10.0.0.1'},
+            {'name': 'calendar','type': 'A', 'value': '10.0.0.1'},
+            {'name': 'files',   'type': 'A', 'value': '10.0.0.1'},
+        ]
+        self.nm.update_dns_zone('pic.ngo', stale_records)
+
+        # update_split_horizon_zone should strip api/calendar/files from pic.ngo
+        self.nm.update_split_horizon_zone(
+            'pic2.pic.ngo', '172.20.0.2', primary_domain='pic.ngo'
+        )
+        content = open(os.path.join(self.data_dir, 'dns', 'pic.ngo.zone')).read()
+        self.assertNotIn('calendar', content)
+        self.assertNotIn('\napi ', content)
+        self.assertNotIn('\nfiles ', content)
+        # Non-stale record (pic2 is the cell_name, not in _stale set) survives
+        # but api/calendar/files are gone
+        self.assertIn('172.20.0.2', open(
+            os.path.join(self.data_dir, 'dns', 'pic2.pic.ngo.zone')).read())
+
+    @patch('subprocess.run')
+    def test_no_stale_cleanup_when_primary_not_parent(self, _mock):
+        """When primary_domain is unrelated, no zone file is touched."""
+        stale_records = [{'name': 'calendar', 'type': 'A', 'value': '10.0.0.1'}]
+        self.nm.update_dns_zone('cell', stale_records)
+        self.nm.update_split_horizon_zone(
+            'pic2.pic.ngo', '172.20.0.2', primary_domain='cell'
+        )
+        # cell zone is untouched
+        content = open(os.path.join(self.data_dir, 'dns', 'cell.zone')).read()
+        self.assertIn('calendar', content)
+
 
 if __name__ == '__main__':
     unittest.main() 
\ No newline at end of file
diff --git a/webui/src/pages/Calendar.jsx b/webui/src/pages/Calendar.jsx
index fd1a63d..05e7299 100644
--- a/webui/src/pages/Calendar.jsx
+++ b/webui/src/pages/Calendar.jsx
@@ -31,8 +31,10 @@ function InfoRow({ label, value }) {
 }
 
 function Calendar() {
-  const { domain = 'cell', service_ips = {}, service_configs = {} } = useConfig();
-  const cellHost    = `calendar.${domain}`;
+  const { domain = 'cell', effective_domain, domain_mode = 'lan', service_ips = {}, service_configs = {} } = useConfig();
+  const svcDomain = (domain_mode !== 'lan' && effective_domain) ? effective_domain : domain;
+  const proto = domain_mode === 'lan' ? 'http' : 'https';
+  const cellHost    = `calendar.${svcDomain}`;
   const calendarIp  = service_ips.vip_calendar || '172.20.0.21';
   const dnsIp       = service_ips.dns           || '172.20.0.3';
   const calendarPort = service_configs.calendar?.port ?? 5232;
@@ -85,10 +87,10 @@ function Calendar() {
             Use these settings in your calendar / contacts app (iOS, Android, Thunderbird, etc.)
           </p>
           <div className="bg-gray-50 rounded-lg px-4 py-2">
-            <InfoRow label="Server URL"    value={`http://${cellHost}`} />
-            <InfoRow label="CalDAV path"   value={`http://${cellHost}/`} />
-            <InfoRow label="CardDAV path"  value={`http://${cellHost}/`} />
-            <InfoRow label="Port"          value="80" />
+            <InfoRow label="Server URL"    value={`${proto}://${cellHost}`} />
+            <InfoRow label="CalDAV path"   value={`${proto}://${cellHost}/`} />
+            <InfoRow label="CardDAV path"  value={`${proto}://${cellHost}/`} />
+            <InfoRow label="Port"          value={domain_mode === 'lan' ? '80' : '443'} />
             <InfoRow label="Direct IP"     value={calendarIp} />
             <InfoRow label="Direct port"   value={String(calendarPort)} />
             <InfoRow label="Protocol"      value="HTTP (CalDAV/CardDAV)" />
@@ -118,7 +120,7 @@ function Calendar() {
               <p className="font-medium text-gray-900 mb-1">Android (DAVx⁵ app)</p>
               <ol className="list-decimal ml-4 space-y-0.5 text-xs text-gray-600">
                 <li>Install DAVx⁵ from Play Store / F-Droid</li>
-                <li>Login with URL: <span className="font-mono">http://{cellHost}/</span></li>
+                <li>Login with URL: <span className="font-mono">{proto}://{cellHost}/</span></li>
                 <li>Select calendars &amp; address books to sync</li>
               </ol>
             </div>
@@ -126,7 +128,7 @@ function Calendar() {
               <p className="font-medium text-gray-900 mb-1">Thunderbird</p>
               <ol className="list-decimal ml-4 space-y-0.5 text-xs text-gray-600">
                 <li>Calendar → New Calendar → On the Network</li>
-                <li>Format: CalDAV, Location: <span className="font-mono">http://{cellHost}/</span></li>
+                <li>Format: CalDAV, Location: <span className="font-mono">{proto}://{cellHost}/</span></li>
               </ol>
             </div>
           </div>
diff --git a/webui/src/pages/Dashboard.jsx b/webui/src/pages/Dashboard.jsx
index f626106..9ef95cb 100644
--- a/webui/src/pages/Dashboard.jsx
+++ b/webui/src/pages/Dashboard.jsx
@@ -21,12 +21,14 @@ import { useConfig } from '../contexts/ConfigContext';
 
 function Dashboard({ isOnline }) {
   const navigate = useNavigate();
-  const { domain = 'cell', cell_name = 'mycell' } = useConfig();
+  const { domain = 'cell', cell_name = 'mycell', effective_domain, domain_mode = 'lan' } = useConfig();
+  const svcDomain = (domain_mode !== 'lan' && effective_domain) ? effective_domain : domain;
+  const proto = domain_mode === 'lan' ? 'http' : 'https';
   const SERVICES = [
-    { name: 'Cell Home', url: `http://${cell_name}.${domain}`,   desc: 'Main UI — no login needed' },
-    { name: 'Calendar',  url: `http://calendar.${domain}`,       desc: 'Use your configured account credentials' },
-    { name: 'Files',     url: `http://files.${domain}`,          desc: 'Use your configured account credentials' },
-    { name: 'Webmail',   url: `http://mail.${domain}`,           desc: 'Use your configured account credentials' },
+    { name: 'Cell Home', url: domain_mode === 'lan' ? `http://${cell_name}.${domain}` : `https://${svcDomain}`, desc: 'Main UI — no login needed' },
+    { name: 'Calendar',  url: `${proto}://calendar.${svcDomain}`,  desc: 'Use your configured account credentials' },
+    { name: 'Files',     url: `${proto}://files.${svcDomain}`,     desc: 'Use your configured account credentials' },
+    { name: 'Webmail',   url: `${proto}://mail.${svcDomain}`,      desc: 'Use your configured account credentials' },
   ];
   const [cellStatus, setCellStatus] = useState(null);
   const [servicesStatus, setServicesStatus] = useState(null);
diff --git a/webui/src/pages/Email.jsx b/webui/src/pages/Email.jsx
index 97b978b..4fad071 100644
--- a/webui/src/pages/Email.jsx
+++ b/webui/src/pages/Email.jsx
@@ -31,8 +31,10 @@ function InfoRow({ label, value }) {
 }
 
 function Email() {
-  const { domain = 'cell', service_ips = {}, service_configs = {} } = useConfig();
-  const cellHost = `mail.${domain}`;
+  const { domain = 'cell', effective_domain, domain_mode = 'lan', service_ips = {}, service_configs = {} } = useConfig();
+  const svcDomain = (domain_mode !== 'lan' && effective_domain) ? effective_domain : domain;
+  const proto = domain_mode === 'lan' ? 'http' : 'https';
+  const cellHost = `mail.${svcDomain}`;
   const emailCfg = service_configs.email || {};
   const mailIp   = service_ips.vip_mail || '172.20.0.23';
   const dnsIp    = service_ips.dns      || '172.20.0.3';
@@ -113,8 +115,8 @@ function Email() {
             <h3 className="text-lg font-medium text-gray-900">Webmail</h3>
           </div>
           <div className="bg-gray-50 rounded-lg px-4 py-2">
-            <InfoRow label="URL"          value={`http://mail.${domain}`} />
-            <InfoRow label="Alt URL"      value={`http://webmail.${domain}`} />
+            <InfoRow label="URL"          value={`${proto}://mail.${svcDomain}`} />
+            <InfoRow label="Alt URL"      value={`${proto}://webmail.${svcDomain}`} />
             <InfoRow label="Direct IP"    value={`http://${mailIp}`} />
             <InfoRow label="Direct port"  value={String(webmailPort)} />
           </div>
diff --git a/webui/src/pages/Files.jsx b/webui/src/pages/Files.jsx
index aaeea44..bb1999f 100644
--- a/webui/src/pages/Files.jsx
+++ b/webui/src/pages/Files.jsx
@@ -31,9 +31,11 @@ function InfoRow({ label, value }) {
 }
 
 function Files() {
-  const { domain = 'cell', service_ips = {}, service_configs = {} } = useConfig();
-  const filesHost   = `files.${domain}`;
-  const webdavHost  = `webdav.${domain}`;
+  const { domain = 'cell', effective_domain, domain_mode = 'lan', service_ips = {}, service_configs = {} } = useConfig();
+  const svcDomain = (domain_mode !== 'lan' && effective_domain) ? effective_domain : domain;
+  const proto = domain_mode === 'lan' ? 'http' : 'https';
+  const filesHost   = `files.${svcDomain}`;
+  const webdavHost  = `webdav.${svcDomain}`;
   const filesIp     = service_ips.vip_files   || '172.20.0.22';
   const webdavIp    = service_ips.vip_webdav   || '172.20.0.24';
   const filesCfg    = service_configs.files    || {};
@@ -85,7 +87,7 @@ function Files() {
             <h3 className="text-lg font-medium text-gray-900">Web file manager</h3>
           </div>
           <div className="bg-gray-50 rounded-lg px-4 py-2">
-            <InfoRow label="URL"         value={`http://${filesHost}`} />
+            <InfoRow label="URL"         value={`${proto}://${filesHost}`} />
             <InfoRow label="Direct IP"   value={`http://${filesIp}`} />
             <InfoRow label="Direct port" value={String(filegatorPort)} />
           </div>
@@ -101,7 +103,7 @@ function Files() {
             <h3 className="text-lg font-medium text-gray-900">WebDAV (mount as drive)</h3>
           </div>
           <div className="bg-gray-50 rounded-lg px-4 py-2">
-            <InfoRow label="URL"         value={`http://${webdavHost}`} />
+            <InfoRow label="URL"         value={`${proto}://${webdavHost}`} />
             <InfoRow label="Direct IP"   value={`http://${webdavIp}`} />
             <InfoRow label="Direct port" value={String(webdavPort)} />
             <InfoRow label="Auth"        value="Basic (user / password)" />
@@ -120,19 +122,19 @@ function Files() {
           <div className="space-y-3 text-sm">
             <div>
               <p className="font-medium text-gray-900 mb-1">macOS (Finder)</p>
-              <p className="text-xs text-gray-600">Go → Connect to Server → <span className="font-mono">http://{webdavHost}</span></p>
+              <p className="text-xs text-gray-600">Go → Connect to Server → <span className="font-mono">{proto}://{webdavHost}</span></p>
             </div>
             <div>
               <p className="font-medium text-gray-900 mb-1">Windows</p>
-              <p className="text-xs text-gray-600">Map Network Drive → <span className="font-mono">\\{webdavHost}\DavWWWRoot</span> or use <span className="font-mono">http://{webdavHost}</span> in "Connect to a Web Site"</p>
+              <p className="text-xs text-gray-600">Map Network Drive → <span className="font-mono">\\{webdavHost}\DavWWWRoot</span> or use <span className="font-mono">{proto}://{webdavHost}</span> in "Connect to a Web Site"</p>
             </div>
             <div>
               <p className="font-medium text-gray-900 mb-1">iOS (Files app)</p>
-              <p className="text-xs text-gray-600">Files → ... → Connect to Server → <span className="font-mono">http://{webdavHost}</span></p>
+              <p className="text-xs text-gray-600">Files → ... → Connect to Server → <span className="font-mono">{proto}://{webdavHost}</span></p>
             </div>
             <div>
               <p className="font-medium text-gray-900 mb-1">Android</p>
-              <p className="text-xs text-gray-600">Use <strong>Solid Explorer</strong> or <strong>FX File Explorer</strong> → Add cloud → WebDAV → <span className="font-mono">http://{webdavHost}</span></p>
+              <p className="text-xs text-gray-600">Use <strong>Solid Explorer</strong> or <strong>FX File Explorer</strong> → Add cloud → WebDAV → <span className="font-mono">{proto}://{webdavHost}</span></p>
             </div>
           </div>
         </div>