Kyle Isom
cc1ac2e255
The vault server holds in-memory unsealed state (KEK, engine keys) that is lost on restart, requiring a full unseal ceremony. Previously the web UI ran inside the vault process, so any UI change forced a restart and re-unseal. This change extracts the web UI into a separate metacrypt-web binary that communicates with the vault over an authenticated gRPC connection. The web server carries no sealed state and can be restarted freely. - gen/metacrypt/v1/: generated Go bindings from proto/metacrypt/v1/ - internal/grpcserver/: full gRPC server implementation (System, Auth, Engine, PKI, Policy, ACME services) with seal/auth/admin interceptors - internal/webserver/: web server with gRPC vault client; templates embedded via web/embed.go (no runtime web/ directory needed) - cmd/metacrypt-web/: standalone binary entry point - internal/config: added [web] section (listen_addr, vault_grpc, etc.) - internal/server/routes.go: removed all web UI routes and handlers - cmd/metacrypt/server.go: starts gRPC server alongside HTTP server - Deploy: Dockerfile builds both binaries, docker-compose adds metacrypt-web service, new metacrypt-web.service systemd unit, Makefile gains proto/metacrypt-web targets Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
236 lines
8.7 KiB
Go
236 lines
8.7 KiB
Go
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
|
|
// versions:
|
|
// - protoc-gen-go-grpc v1.6.1
|
|
// - protoc v3.20.3
|
|
// source: metacrypt/v1/system.proto
|
|
|
|
package metacryptv1
|
|
|
|
import (
|
|
context "context"
|
|
grpc "google.golang.org/grpc"
|
|
codes "google.golang.org/grpc/codes"
|
|
status "google.golang.org/grpc/status"
|
|
)
|
|
|
|
// This is a compile-time assertion to ensure that this generated file
|
|
// is compatible with the grpc package it is being compiled against.
|
|
// Requires gRPC-Go v1.64.0 or later.
|
|
const _ = grpc.SupportPackageIsVersion9
|
|
|
|
const (
|
|
SystemService_Status_FullMethodName = "/metacrypt.v1.SystemService/Status"
|
|
SystemService_Init_FullMethodName = "/metacrypt.v1.SystemService/Init"
|
|
SystemService_Unseal_FullMethodName = "/metacrypt.v1.SystemService/Unseal"
|
|
SystemService_Seal_FullMethodName = "/metacrypt.v1.SystemService/Seal"
|
|
)
|
|
|
|
// SystemServiceClient is the client API for SystemService service.
|
|
//
|
|
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
|
|
type SystemServiceClient interface {
|
|
Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error)
|
|
Init(ctx context.Context, in *InitRequest, opts ...grpc.CallOption) (*InitResponse, error)
|
|
Unseal(ctx context.Context, in *UnsealRequest, opts ...grpc.CallOption) (*UnsealResponse, error)
|
|
Seal(ctx context.Context, in *SealRequest, opts ...grpc.CallOption) (*SealResponse, error)
|
|
}
|
|
|
|
type systemServiceClient struct {
|
|
cc grpc.ClientConnInterface
|
|
}
|
|
|
|
func NewSystemServiceClient(cc grpc.ClientConnInterface) SystemServiceClient {
|
|
return &systemServiceClient{cc}
|
|
}
|
|
|
|
func (c *systemServiceClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(StatusResponse)
|
|
err := c.cc.Invoke(ctx, SystemService_Status_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (c *systemServiceClient) Init(ctx context.Context, in *InitRequest, opts ...grpc.CallOption) (*InitResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(InitResponse)
|
|
err := c.cc.Invoke(ctx, SystemService_Init_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (c *systemServiceClient) Unseal(ctx context.Context, in *UnsealRequest, opts ...grpc.CallOption) (*UnsealResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(UnsealResponse)
|
|
err := c.cc.Invoke(ctx, SystemService_Unseal_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func (c *systemServiceClient) Seal(ctx context.Context, in *SealRequest, opts ...grpc.CallOption) (*SealResponse, error) {
|
|
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
|
out := new(SealResponse)
|
|
err := c.cc.Invoke(ctx, SystemService_Seal_FullMethodName, in, out, cOpts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
// SystemServiceServer is the server API for SystemService service.
|
|
// All implementations must embed UnimplementedSystemServiceServer
|
|
// for forward compatibility.
|
|
type SystemServiceServer interface {
|
|
Status(context.Context, *StatusRequest) (*StatusResponse, error)
|
|
Init(context.Context, *InitRequest) (*InitResponse, error)
|
|
Unseal(context.Context, *UnsealRequest) (*UnsealResponse, error)
|
|
Seal(context.Context, *SealRequest) (*SealResponse, error)
|
|
mustEmbedUnimplementedSystemServiceServer()
|
|
}
|
|
|
|
// UnimplementedSystemServiceServer must be embedded to have
|
|
// forward compatible implementations.
|
|
//
|
|
// NOTE: this should be embedded by value instead of pointer to avoid a nil
|
|
// pointer dereference when methods are called.
|
|
type UnimplementedSystemServiceServer struct{}
|
|
|
|
func (UnimplementedSystemServiceServer) Status(context.Context, *StatusRequest) (*StatusResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method Status not implemented")
|
|
}
|
|
func (UnimplementedSystemServiceServer) Init(context.Context, *InitRequest) (*InitResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method Init not implemented")
|
|
}
|
|
func (UnimplementedSystemServiceServer) Unseal(context.Context, *UnsealRequest) (*UnsealResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method Unseal not implemented")
|
|
}
|
|
func (UnimplementedSystemServiceServer) Seal(context.Context, *SealRequest) (*SealResponse, error) {
|
|
return nil, status.Error(codes.Unimplemented, "method Seal not implemented")
|
|
}
|
|
func (UnimplementedSystemServiceServer) mustEmbedUnimplementedSystemServiceServer() {}
|
|
func (UnimplementedSystemServiceServer) testEmbeddedByValue() {}
|
|
|
|
// UnsafeSystemServiceServer may be embedded to opt out of forward compatibility for this service.
|
|
// Use of this interface is not recommended, as added methods to SystemServiceServer will
|
|
// result in compilation errors.
|
|
type UnsafeSystemServiceServer interface {
|
|
mustEmbedUnimplementedSystemServiceServer()
|
|
}
|
|
|
|
func RegisterSystemServiceServer(s grpc.ServiceRegistrar, srv SystemServiceServer) {
|
|
// If the following call panics, it indicates UnimplementedSystemServiceServer was
|
|
// embedded by pointer and is nil. This will cause panics if an
|
|
// unimplemented method is ever invoked, so we test this at initialization
|
|
// time to prevent it from happening at runtime later due to I/O.
|
|
if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
|
|
t.testEmbeddedByValue()
|
|
}
|
|
s.RegisterService(&SystemService_ServiceDesc, srv)
|
|
}
|
|
|
|
func _SystemService_Status_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(StatusRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(SystemServiceServer).Status(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: SystemService_Status_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(SystemServiceServer).Status(ctx, req.(*StatusRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
func _SystemService_Init_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(InitRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(SystemServiceServer).Init(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: SystemService_Init_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(SystemServiceServer).Init(ctx, req.(*InitRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
func _SystemService_Unseal_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(UnsealRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(SystemServiceServer).Unseal(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: SystemService_Unseal_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(SystemServiceServer).Unseal(ctx, req.(*UnsealRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
func _SystemService_Seal_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
|
in := new(SealRequest)
|
|
if err := dec(in); err != nil {
|
|
return nil, err
|
|
}
|
|
if interceptor == nil {
|
|
return srv.(SystemServiceServer).Seal(ctx, in)
|
|
}
|
|
info := &grpc.UnaryServerInfo{
|
|
Server: srv,
|
|
FullMethod: SystemService_Seal_FullMethodName,
|
|
}
|
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
return srv.(SystemServiceServer).Seal(ctx, req.(*SealRequest))
|
|
}
|
|
return interceptor(ctx, in, info, handler)
|
|
}
|
|
|
|
// SystemService_ServiceDesc is the grpc.ServiceDesc for SystemService service.
|
|
// It's only intended for direct use with grpc.RegisterService,
|
|
// and not to be introspected or modified (even as a copy)
|
|
var SystemService_ServiceDesc = grpc.ServiceDesc{
|
|
ServiceName: "metacrypt.v1.SystemService",
|
|
HandlerType: (*SystemServiceServer)(nil),
|
|
Methods: []grpc.MethodDesc{
|
|
{
|
|
MethodName: "Status",
|
|
Handler: _SystemService_Status_Handler,
|
|
},
|
|
{
|
|
MethodName: "Init",
|
|
Handler: _SystemService_Init_Handler,
|
|
},
|
|
{
|
|
MethodName: "Unseal",
|
|
Handler: _SystemService_Unseal_Handler,
|
|
},
|
|
{
|
|
MethodName: "Seal",
|
|
Handler: _SystemService_Seal_Handler,
|
|
},
|
|
},
|
|
Streams: []grpc.StreamDesc{},
|
|
Metadata: "metacrypt/v1/system.proto",
|
|
}
|