Merge branch 'dev' into feat/resource-policies

2026-05-09 05:44:24 +00:00 · 2026-02-28 01:08:12 +01:00
parent 7b02d4104d 8347203bbe
commit c292578f80
214 changed files with 13059 additions and 7647 deletions
--- a/server/db/sqlite/index.ts
+++ b/server/db/sqlite/index.ts
@@ -1,4 +1,6 @@
 export * from "./driver";
+export * from "./logsDriver";
+export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
 export * from "./migrate";
--- a/server/db/sqlite/logsDriver.ts
+++ b/server/db/sqlite/logsDriver.ts
@@ -0,0 +1,7 @@
+import { db as mainDb } from "./driver";
+
+// SQLite doesn't support separate databases for logs in the same way as Postgres
+// Always use the main database connection for SQLite
+export const logsDb = mainDb;
+export default logsDb;
+export const primaryLogsDb = logsDb;
--- a/server/db/sqlite/safeRead.ts
+++ b/server/db/sqlite/safeRead.ts
@@ -0,0 +1,11 @@
+import { db } from "./driver";
+
+/**
+ * Runs a read query. For SQLite there is no replica/primary distinction,
+ * so the query is executed once against the database.
+ */
+export async function safeRead<T>(
+    query: (d: typeof db) => Promise<T>
+): Promise<T> {
+    return query(db);
+}
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -45,7 +45,11 @@ export const orgs = sqliteTable("orgs", {
        .default(0),
    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
-        .default(0)
+        .default(0),
+    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
+    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
+    isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
+    billingOrgId: text("billingOrgId")
 });

 export const userDomains = sqliteTable("userDomains", {
@@ -255,7 +259,11 @@ export const siteResources = sqliteTable("siteResources", {
    udpPortRangeString: text("udpPortRangeString").notNull().default("*"),
    disableIcmp: integer("disableIcmp", { mode: "boolean" })
        .notNull()
-        .default(false)
+        .default(false),
+    authDaemonPort: integer("authDaemonPort").default(22123),
+    authDaemonMode: text("authDaemonMode")
+        .$type<"site" | "remote">()
+        .default("site")
 });

 export const clientSiteResources = sqliteTable("clientSiteResources", {
@@ -635,7 +643,8 @@ export const userOrgs = sqliteTable("userOrgs", {
    isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
    autoProvisioned: integer("autoProvisioned", {
        mode: "boolean"
-    }).default(false)
+    }).default(false),
+    pamUsername: text("pamUsername") // cleaned username for ssh and such
 });

 export const emailVerificationCodes = sqliteTable("emailVerificationCodes", {
@@ -676,7 +685,13 @@ export const roles = sqliteTable("roles", {
    description: text("description"),
    requireDeviceApproval: integer("requireDeviceApproval", {
        mode: "boolean"
-    }).default(false)
+    }).default(false),
+    sshSudoMode: text("sshSudoMode").default("none"), // "none" | "full" | "commands"
+    sshSudoCommands: text("sshSudoCommands").default("[]"),
+    sshCreateHomeDir: integer("sshCreateHomeDir", { mode: "boolean" }).default(
+        true
+    ),
+    sshUnixGroups: text("sshUnixGroups").default("[]")
 });

 export const roleActions = sqliteTable("roleActions", {
@@ -1122,6 +1137,16 @@ export const deviceWebAuthCodes = sqliteTable("deviceWebAuthCodes", {
    })
 });

+export const roundTripMessageTracker = sqliteTable("roundTripMessageTracker", {
+    messageId: integer("messageId").primaryKey({ autoIncrement: true }),
+    wsClientId: text("clientId"),
+    messageType: text("messageType"),
+    sentAt: integer("sentAt").notNull(),
+    receivedAt: integer("receivedAt"),
+    error: text("error"),
+    complete: integer("complete", { mode: "boolean" }).notNull().default(false)
+});
+
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -1183,3 +1208,6 @@ export type SecurityKey = InferSelectModel<typeof securityKeys>;
 export type WebauthnChallenge = InferSelectModel<typeof webauthnChallenge>;
 export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
 export type DeviceWebAuthCode = InferSelectModel<typeof deviceWebAuthCodes>;
+export type RoundTripMessageTracker = InferSelectModel<
+    typeof roundTripMessageTracker
+>;