Merge branch 'main' of https://git.send.nrw/sendnrw/edge-wol

.gitea/workflows/release.yml

@@ -1,14 +1,18 @@
-# Git(tea) Actions workflow: Build and publish standalone binaries
+# Git(tea) Actions workflow: Build and publish standalone binaries **plus** bundled `static/` assets
 # ────────────────────────────────────────────────────────────────────
-#  ✧  Builds the Go‑based WoL server for three targets
+#  ✧  Builds the Go‑based WoL server for four targets **and** packt das Verzeichnis
-#       • linux/amd64   → wol-server-linux-amd64.tar.gz
+#      `static` zusammen mit der Binary, sodass es relativ zur ausführbaren Datei
-#       • linux/arm64   → wol-server-linux-arm64.tar.gz   (Raspberry Pi 4/5, 64‑bit OS)
+#      liegt (wichtig für die eingebauten Bootstrap‑Assets & favicon).
-#       • windows/amd64 → wol-server-windows-amd64.zip
+#
-#  ✧  Uploads artifacts to the workflow and, if a tag (vX.Y.Z) is pushed,
+#       • linux/amd64    → wol-server-linux-amd64.tar.gz
-#      attaches them to the corresponding release.
+#       • linux/arm64    → wol-server-linux-arm64.tar.gz
+#       • linux/arm/v7   → wol-server-linux-armv7.tar.gz
+#       • windows/amd64  → wol-server-windows-amd64.zip
+#
+#  ✧  Artefakte landen im Workflow und – bei Tag‑Push (vX.Y.Z) – als Release‑Assets.
 #
 #  Secrets/variables:
-#    GITEA_TOKEN – optional, only needed if default token lacks release perms.
+#    GITEA_TOKEN – optional, falls default token keine Release‑Rechte hat.
 # ────────────────────────────────────────────────────────────────────
 
 name: build-binaries
@@ -20,6 +24,7 @@ on:
 
 jobs:
   build:
+    if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-fast
 
     strategy:
@@ -28,15 +33,19 @@ jobs:
           - goos: linux
             goarch: amd64
             ext: ""
-          - goos: linux   # Raspberry Pi (64‑bit)
+          - goos: linux
             goarch: arm64
             ext: ""
+          - goos: linux
+            goarch: arm
+            goarm: "7"
+            ext: ""
           - goos: windows
             goarch: amd64
             ext: ".exe"
 
     env:
-      GO_VERSION: "1.22"
+      GO_VERSION: "1.25"
       BINARY_NAME: wol-server
 
     steps:
@@ -49,35 +58,45 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           cache: true
 
-      - name: Build ${{ matrix.goos }}/${{ matrix.goarch }}
+      - name: Build ${{ matrix.goos }}/${{ matrix.goarch }}${{ matrix.goarm && format('/v{0}', matrix.goarm) || '' }}
         shell: bash
         run: |
-          mkdir -p dist
+          set -e
-          GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build -trimpath -ldflags "-s -w" \
+          mkdir -p dist/package
-            -o "dist/${BINARY_NAME}-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.ext }}" .
+          if [ -n "${{ matrix.goarm }}" ]; then export GOARM=${{ matrix.goarm }}; fi
+          CGO_ENABLED=0 GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build -trimpath -ldflags "-s -w" \
+            -o "dist/package/${BINARY_NAME}${{ matrix.ext }}" .
+          # Assets: statisches Verzeichnis beilegen
+          cp -r static dist/package/
 
-      - name: Package archive
+      - name: Package archive with static assets
         shell: bash
         run: |
+          set -e
           cd dist
-          FILE="${BINARY_NAME}-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.ext }}"
           if [ "${{ matrix.goos }}" == "windows" ]; then
-            zip "${BINARY_NAME}-windows-amd64.zip" "$FILE"
+            ZIP_NAME="${BINARY_NAME}-windows-amd64.zip"
-            rm "$FILE"
+            (cd package && zip -r "../$ZIP_NAME" .)
           else
-            tar -czf "${BINARY_NAME}-${{ matrix.goos }}-${{ matrix.goarch }}.tar.gz" "$FILE"
+            ARCH_SUFFIX="${{ matrix.goarch }}"
-            rm "$FILE"
+            if [ "${{ matrix.goarch }}" == "arm" ]; then ARCH_SUFFIX="armv${{ matrix.goarm }}"; fi
+            TAR_NAME="${BINARY_NAME}-${{ matrix.goos }}-${ARCH_SUFFIX}.tar.gz"
+            tar -czf "$TAR_NAME" -C package .
           fi
 
       - name: Upload workflow artifact
         uses: actions/upload-artifact@v3
         with:
-          name: ${{ matrix.goos }}-${{ matrix.goarch }}
+          name: ${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.goarm && format('v{0}', matrix.goarm) || '' }}
-          path: |
+          path: dist/*.tar.gz
-            dist/*.zip
+          if-no-files-found: ignore
-            dist/*.tar.gz
+      - uses: actions/upload-artifact@v3
+        with:
+          name: windows-amd64
+          path: dist/*.zip
+          if-no-files-found: ignore
 
-  # Optional release step for tag pushes
+  # Release Schritt für Tag‑Pushes
   release:
     if: startsWith(github.ref, 'refs/tags/')
     needs: build
@@ -86,7 +105,7 @@ jobs:
       contents: write
 
     steps:
-      - name: Download build artifacts
+      - name: Download artifacts
         uses: actions/download-artifact@v3
         with:
           path: ./dist
@@ -103,3 +122,91 @@ jobs:
           files: |
             dist/**/wol-server-*.tar.gz
             dist/**/wol-server-*.zip
+  publish-agent:
+    if: startsWith(github.ref, 'refs/tags/')
+    needs: release
+    runs-on: ubuntu-fast
+    env:
+      PRODUCT: edge-wol
+      AGENT_URL: ${{ secrets.AGENT_URL }}
+      AGENT_TOKEN: ${{ secrets.AGENT_TOKEN }}
+
+      # Funktioniert in GitHub und Gitea (Actions) weitgehend gleich:
+      SERVER_URL: ${{ github.server_url }}       # z.B. https://github.com oder https://gitea.example.com
+      REPOSITORY: ${{ github.repository }}       # owner/repo
+      TAG: ${{ github.ref_name }}                # vX.Y.Z
+
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          path: ./dist
+
+      - name: Publish release metadata to Version Agent
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if [[ -z "${AGENT_URL:-}" || -z "${AGENT_TOKEN:-}" ]]; then
+            echo "Missing AGENT_URL or AGENT_TOKEN" >&2; exit 1
+          fi
+
+          VERSION="${TAG#v}"                     # 12.3.1[-rc.1|-beta.1]
+          MAJOR="${VERSION%%.*}"                 # 12
+          BRANCH="${MAJOR}.x"                    # 12.x
+
+          CHANNEL="stable"
+          [[ "$VERSION" == *"-rc"* ]] && CHANNEL="rc"
+          [[ "$VERSION" == *"-beta"* ]] && CHANNEL="beta"
+          # Optional: Nightly-Channel bei Non-Tag-Builds (separater Job, siehe unten)
+
+          RELEASED_AT="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+          NOTES_URL="${SERVER_URL}/${REPOSITORY}/releases/tag/${TAG}"
+
+          publish() { # args: OS ARCH FILE
+            local OS="$1" ARCH="$2" FILE="$3"
+            local BIT="64"
+            case "$ARCH" in 386|armv7) BIT="32";; esac
+
+            local FNAME="$(basename "$FILE")"
+            local URL="${SERVER_URL}/${REPOSITORY}/releases/download/${TAG}/${FNAME}"
+
+            local SHA256 SIZE
+            SHA256="$(sha256sum "$FILE" | awk '{print $1}')"
+            SIZE="$(stat -c%s "$FILE")"
+
+            jq -n \
+              --arg branch "$BRANCH" \
+              --arg channel "$CHANNEL" \
+              --arg arch "$ARCH" \
+              --arg bit "$BIT" \
+              --arg os "$OS" \
+              --arg version "$VERSION" \
+              --arg released_at "$RELEASED_AT" \
+              --arg notes "$NOTES_URL" \
+              --arg url "$URL" \
+              --arg sha256 "$SHA256" \
+              --argjson size "$SIZE" \
+              '{
+                branch:$branch, channel:$channel, arch:$arch, bit:$bit, os:$os,
+                release:{
+                  version:$version, released_at:$released_at, notes_url:$notes,
+                  assets:[{url:$url, sha256:$sha256, size_bytes:$size}]
+                }
+              }' > payload.json
+            echo @payload.json
+            curl -fsS -H "Content-Type: application/json" \
+                 -H "Authorization: Bearer ${AGENT_TOKEN}" \
+                 -d @payload.json "${AGENT_URL}/v1/publish"
+          }
+
+          shopt -s nullglob
+
+          # linux/amd64
+          for f in dist/**/${PRODUCT}-linux-amd64.tar.gz;  do publish linux   amd64 "$f"; done
+          # linux/arm64
+          for f in dist/**/${PRODUCT}-linux-arm64.tar.gz;  do publish linux   arm64 "$f"; done
+          # linux/armv7
+          for f in dist/**/${PRODUCT}-linux-armv7.tar.gz;  do publish linux   armv7 "$f"; done
+          # windows/amd64
+          for f in dist/**/${PRODUCT}-windows-amd64.zip;   do publish windows amd64 "$f"; done

Dockerfile

@@ -1,6 +1,6 @@
 # -------- Dockerfile (Multi-Stage Build) --------
 # 1. Builder-Stage
-FROM golang:1.24-alpine AS builder
+FROM golang:1.25-alpine AS builder
 
 WORKDIR /app
 COPY go.* ./
@@ -28,7 +28,12 @@ EXPOSE 8080
 ENV EW_USERNAME=admin \
     EW_PASSWORD=admin \
     EW_DB=/data/machines.json \
-    EW_PRODUCTIVE=true
+    EW_PRODUCTIVE=true \
+    EW_FORCEINSECURECOOKIE=false \
+    HTTP_PORT=8080 \
+    HTTP_TLS=false \
+    HTTP_TLS_CERTIFICATE=./server-cert.pem \
+    HTTP_TLS_PRIVATEKEY=./server-key.pem
 
 
 ENTRYPOINT ["/bin/edgewol"]

compose.yml

@@ -2,7 +2,6 @@ services:
   api:
     image: git.send.nrw/sendnrw/edge-wol:latest
     container_name: edgewol
-    restart: unless-stopped
     volumes:
       - /docker/edgewol/machines.json:/data/machines.json
     #labels:

go.mod

@@ -1,5 +1,5 @@
 module git.send.nrw/sendnrw/edge-wol
 
-go 1.24.4
+go 1.25.3
 
 require golang.org/x/crypto v0.40.0

main.go

@@ -41,10 +41,14 @@ import (
 )
 
 var (
-	username       = GetENV("EW_USERNAME", "root")
+	HTTP_PORT            string = "8080"
-	password       = GetENV("EW_PASSWORD", "root")
+	HTTP_TLS             bool   = false
-	productive     = Enabled("EW_PRODUCTIVE", false)
+	HTTP_TLS_PRIVATEKEY  string = ""
-	hashedPassword = ""
+	HTTP_TLS_CERTIFICATE string = ""
+	username                    = GetENV("EW_USERNAME", "root")
+	password                    = GetENV("EW_PASSWORD", "root")
+	productive                  = Enabled("EW_PRODUCTIVE", false)
+	hashedPassword              = ""
 )
 
 var (
@@ -185,7 +189,17 @@ func generateSessionToken() string {
 func main() {
 	// Determine DB path and load machines.
 	hashedPassword = hashPassword(password)
-	dbPath = GetENV("EW_DB", "/data/machines.json")
+	if productive {
+		dbPath = GetENV("EW_DB", "/data/machines.json")
+	} else {
+		dbPath = "./machines.json"
+	}
+
+	HTTP_PORT = GetENV("HTTP_PORT", "8080")
+	HTTP_TLS = Enabled("HTTP_TLS", true)
+	HTTP_TLS_CERTIFICATE = GetENV("HTTP_TLS_CERTIFICATE", "./server-cert.pem")
+	HTTP_TLS_PRIVATEKEY = GetENV("HTTP_TLS_PRIVATEKEY", "./server-key.pem")
+
 	loadMachines()
 
 	// Save on SIGINT/SIGTERM.
@@ -223,13 +237,25 @@ func main() {
 				// Speichere Session
 				sessionStore[token] = user
 
+				var envSecure bool
+				if productive {
+					var forceInsecure bool = Enabled("EW_FORCEINSECURECOOKIE", false)
+					if forceInsecure {
+						envSecure = r.TLS != nil
+					} else {
+						envSecure = true
+					}
+				} else {
+					envSecure = r.TLS != nil
+				}
+
 				// Cookie setzen
 				http.SetCookie(w, &http.Cookie{
 					Name:     "session",
 					Value:    token,
 					Path:     "/",
 					HttpOnly: true,
-					Secure:   true,
+					Secure:   envSecure,
 					SameSite: http.SameSiteLaxMode,
 				})
 
@@ -298,15 +324,18 @@ func main() {
 	http.HandleFunc("/add", addHandler)
 	http.HandleFunc("/remove", removeHandler)
 
-	addr := os.Getenv("LISTEN")
+	if HTTP_TLS {
-	if addr == "" {
+		log.Printf("WoL server listening on %s (DB: %s)", ":"+HTTP_PORT, dbPath)
-		addr = ":8080"
+		if err := http.ListenAndServeTLS(":"+HTTP_PORT, HTTP_TLS_CERTIFICATE, HTTP_TLS_PRIVATEKEY, nil); err != nil {
+			log.Fatalf("http server error: %v", err)
+		}
+	} else {
+		log.Printf("WoL server listening on %s (DB: %s)", ":"+HTTP_PORT, dbPath)
+		if err := http.ListenAndServe(":"+HTTP_PORT, nil); err != nil {
+			log.Fatalf("http server error: %v", err)
+		}
 	}
 
-	log.Printf("WoL server listening on %s (DB: %s)", addr, dbPath)
-	if err := http.ListenAndServe(addr, nil); err != nil {
-		log.Fatalf("http server error: %v", err)
-	}
 }
 
 // ========= persistence =========