roof/pic - pic - Gitea: Git with a cup of tea

roof/pic

Fork 0

Commit Graph

Author	SHA1	Message	Date
roof	8ea834e108	feat: Phase 3 - per-peer internet routing via exit cell Adds the ability to route a specific peer's internet traffic through a connected cell acting as an exit relay. Cell A side: - PUT /api/peers/<peer>/route-via {"via_cell": "cellB"} sets route_via - Updates WG AllowedIPs to include 0.0.0.0/0 for the exit cell peer - Adds ip rule + ip route in policy table inside cell-wireguard so the specific peer's traffic egresses via cellB's WG IP - Sets exit_relay_active on the cell link and pushes use_as_exit_relay=True to cellB via peer-sync Cell B side: - Receives use_as_exit_relay in the peer-sync payload - Calls apply_cell_rules(..., exit_relay=True) to add FORWARD -o eth0 ACCEPT - Stores remote_exit_relay_active flag for startup recovery Startup recovery: - apply_all_cell_rules passes exit_relay=remote_exit_relay_active (cellB) - _apply_startup_enforcement reapplies ip rule for each peer with route_via (cellA) since policy routing rules don't survive container restart peer_registry gets route_via field with lazy migration. 22 new tests across test_cell_link_manager, test_peer_registry, test_peer_route_via. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-01 16:23:31 -04:00
roof	09138fbc18	A5: Extract all route groups into Flask blueprints (app.py -1735 lines) Extract 9 route groups out of app.py into routes/ blueprints: - routes/network.py — DNS, DHCP, NTP, network info/test (10 routes) - routes/wireguard.py — WireGuard keys, peers, config, enforcement (18 routes) - routes/cells.py — cell-to-cell connections (5 routes) - routes/peers.py — peer CRUD + IP update + _next_peer_ip helper (10 routes) - routes/routing.py — NAT, peer routes, firewall, iptables (17 routes) - routes/vault.py — certs, trust, secrets (19 routes) - routes/containers.py — containers, images, volumes (14 routes) - routes/services.py — service bus, logs, services status/connectivity (18 routes) - routes/peer_dashboard.py — peer-scoped dashboard/services (2 routes) All blueprints use lazy `from app import X` inside route bodies to preserve test patch compatibility (patch('app.email_manager', mock) still works). Also included in this commit: - A1 fix: backup/restore now includes email/calendar user files - A2 fix: apply_config sets applying=True flag via helper container - A3 fix: add_peer rolls back firewall on DNS failure app.py reduced: 3011 → 1294 lines. 1021 tests passing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-01 06:11:21 -04:00

Author

SHA1

Message

Date

roof

8ea834e108

feat: Phase 3 - per-peer internet routing via exit cell

Adds the ability to route a specific peer's internet traffic through a
connected cell acting as an exit relay.

Cell A side:
- PUT /api/peers/<peer>/route-via {"via_cell": "cellB"} sets route_via
- Updates WG AllowedIPs to include 0.0.0.0/0 for the exit cell peer
- Adds ip rule + ip route in policy table inside cell-wireguard so the
  specific peer's traffic egresses via cellB's WG IP
- Sets exit_relay_active on the cell link and pushes use_as_exit_relay=True
  to cellB via peer-sync

Cell B side:
- Receives use_as_exit_relay in the peer-sync payload
- Calls apply_cell_rules(..., exit_relay=True) to add FORWARD -o eth0 ACCEPT
- Stores remote_exit_relay_active flag for startup recovery

Startup recovery:
- apply_all_cell_rules passes exit_relay=remote_exit_relay_active (cellB)
- _apply_startup_enforcement reapplies ip rule for each peer with route_via (cellA)
  since policy routing rules don't survive container restart

peer_registry gets route_via field with lazy migration.
22 new tests across test_cell_link_manager, test_peer_registry, test_peer_route_via.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-01 16:23:31 -04:00

roof

09138fbc18

A5: Extract all route groups into Flask blueprints (app.py -1735 lines)

Extract 9 route groups out of app.py into routes/ blueprints:
- routes/network.py  — DNS, DHCP, NTP, network info/test (10 routes)
- routes/wireguard.py — WireGuard keys, peers, config, enforcement (18 routes)
- routes/cells.py    — cell-to-cell connections (5 routes)
- routes/peers.py    — peer CRUD + IP update + _next_peer_ip helper (10 routes)
- routes/routing.py  — NAT, peer routes, firewall, iptables (17 routes)
- routes/vault.py    — certs, trust, secrets (19 routes)
- routes/containers.py — containers, images, volumes (14 routes)
- routes/services.py — service bus, logs, services status/connectivity (18 routes)
- routes/peer_dashboard.py — peer-scoped dashboard/services (2 routes)

All blueprints use lazy `from app import X` inside route bodies to preserve
test patch compatibility (patch('app.email_manager', mock) still works).

Also included in this commit:
- A1 fix: backup/restore now includes email/calendar user files
- A2 fix: apply_config sets applying=True flag via helper container
- A3 fix: add_peer rolls back firewall on DNS failure

app.py reduced: 3011 → 1294 lines. 1021 tests passing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-01 06:11:21 -04:00

2 Commits