itsi-server 0.1.2 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a59f65a9b7f82d2e3e4e94eed7b1de48b9579e6a2ee40887f6de7500da9cb391
-  data.tar.gz: 7e49394fbbef18255d4a15ac6335b7acb74d925f2c026c5b24dcf9032f37bdc9
+  metadata.gz: a9738897c1d51717595b2ab829af9a7ed03f14b818f451121abb9fe2dd90ae9a
+  data.tar.gz: 5b0cbc6234c01a11f509541b4ca963ff6743f3d3190c1c55f26eecedb5a49351
 SHA512:
-  metadata.gz: 5886b25965a3fa73fb3ad3f6d7e915558f5cbf69a6dd62ab8dee23b51d64735b43d90942eadb05b44cb374cd64e00ad6eec078686511ca257f5b3f3b3fe99d48
-  data.tar.gz: b799d8fe05a30559d593f14b13c8b9c9a9f9569b610703e904177ca177671f171e5493615a48c39dd181fb9c2a67f75945e8c592d84ae15414ca4ebef3929ed4
+  metadata.gz: ec4156d473dcbcc34bc9ae98bfb7161afd62b050fa8652630a26d7ca2dc3b226523b268cc21e86179cecd07a0699ce8766edb861a7dc9c729df1580c98ccff0e
+  data.tar.gz: cb19f0a410357782a691ba8aba8b27d24b3484d284ec363c46c16e3ead74eb8d4fb29e9f32aed59fe8442b8df8a35768fca39fc687a53bb98d15e589b1147d1b

data/ext/itsi_error/src/from.rs

@@ -65,6 +65,7 @@ impl From<ItsiError> for magnus::Error {
             ItsiError::ClientConnectionClosed => {
                 magnus::Error::new(magnus::exception::eof_error(), CLIENT_CONNECTION_CLOSED)
             }
+            ItsiError::Pass() => magnus::Error::new(magnus::exception::interrupt(), "Pass"),
         }
     }
 }

data/ext/itsi_error/src/lib.rs

@@ -19,4 +19,6 @@ pub enum ItsiError {
     Jump(String),
     #[error("Break")]
     Break(),
+    #[error("Pass")]
+    Pass(),
 }

data/ext/itsi_scheduler/extconf.rb

@@ -3,4 +3,4 @@
 require "mkmf"
 require "rb_sys/mkmf"
 
-create_rust_makefile("scheduler/itsi_scheduler")
+create_rust_makefile("itsi/scheduler/itsi_scheduler")

data/ext/itsi_server/Cargo.toml

@@ -17,7 +17,7 @@ itsi_error = { path = "../itsi_error" }
 socket2 = "0.5.8"
 parking_lot = "0.12.3"
 rustls-pemfile = "2.2.0"
-tokio-rustls = "0.23"
+tokio-rustls = "0.26.2"
 bytes = "1.3"
 rcgen = { version = "0.13.2", features = ["x509-parser", "pem"] }
 base64 = "0.22.1"
@@ -39,3 +39,5 @@ httparse = "1.10.1"
 async-channel = "2.3.1"
 tempfile = "3.18.0"
 sysinfo = "0.33.1"
+tokio-rustls-acme = "0.6.0"
+rustls = "0.23.23"

data/ext/itsi_server/extconf.rb

@@ -3,4 +3,4 @@
 require "mkmf"
 require "rb_sys/mkmf"
 
-create_rust_makefile("server/itsi_server")
+create_rust_makefile("itsi/server/itsi_server")

data/ext/itsi_server/src/lib.rs

@@ -56,6 +56,9 @@ pub fn log_error(msg: String) {
 #[magnus::init]
 fn init(ruby: &Ruby) -> Result<()> {
     itsi_tracing::init();
+    rustls::crypto::aws_lc_rs::default_provider()
+        .install_default()
+        .ok();
 
     let itsi = ruby.get_inner(&ITSI_MODULE);
     itsi.define_singleton_method("log_debug", function!(log_debug, 1))?;

data/ext/itsi_server/src/server/bind.rs

@@ -1,4 +1,7 @@
-use super::{bind_protocol::BindProtocol, tls::configure_tls};
+use super::{
+    bind_protocol::BindProtocol,
+    tls::{configure_tls, ItsiTlsAcceptor},
+};
 use itsi_error::ItsiError;
 use std::{
     collections::HashMap,
@@ -6,8 +9,6 @@ use std::{
     path::PathBuf,
     str::FromStr,
 };
-use tokio_rustls::rustls::ServerConfig;
-
 #[derive(Debug, Clone)]
 pub enum BindAddress {
     Ip(IpAddr),
@@ -26,7 +27,7 @@ pub struct Bind {
     pub address: BindAddress,
     pub port: Option<u16>, // None for Unix Sockets
     pub protocol: BindProtocol,
-    pub tls_config: Option<ServerConfig>,
+    pub tls_config: Option<ItsiTlsAcceptor>,
 }
 
 impl std::fmt::Debug for Bind {

data/ext/itsi_server/src/server/itsi_server.rs

@@ -2,7 +2,7 @@ use super::{
     bind::Bind,
     listener::Listener,
     serve_strategy::{cluster_mode::ClusterMode, single_mode::SingleMode},
-    signal::{reset_signal_handlers, SIGNAL_HANDLER_CHANNEL},
+    signal::{clear_signal_handlers, reset_signal_handlers, SIGNAL_HANDLER_CHANNEL},
 };
 use crate::{request::itsi_request::ItsiRequest, server::serve_strategy::ServeStrategy};
 use derive_more::Debug;
@@ -195,9 +195,11 @@ impl Server {
         Ok(Arc::new(listeners))
     }
 
-    pub(crate) fn build_strategy(self) -> Result<ServeStrategy> {
+    pub(crate) fn build_strategy(
+        self,
+        listeners: Arc<Vec<Arc<Listener>>>,
+    ) -> Result<ServeStrategy> {
         let server = Arc::new(self);
-        let listeners = server.listeners()?;
 
         let strategy = if server.config.workers == 1 {
             ServeStrategy::Single(Arc::new(SingleMode::new(
@@ -218,13 +220,25 @@ impl Server {
     pub fn start(&self) -> Result<()> {
         reset_signal_handlers();
         let rself = self.clone();
-        call_without_gvl(move || {
-            let strategy = rself.build_strategy()?;
+        let listeners = self.listeners()?;
+        let listeners_clone = listeners.clone();
+        call_without_gvl(move || -> Result<()> {
+            let strategy = rself.build_strategy(listeners_clone)?;
             if let Err(e) = strategy.run() {
                 error!("Error running server: {}", e);
                 strategy.stop()?;
             }
+            drop(strategy);
             Ok(())
-        })
+        })?;
+        if let Ok(listeners) = Arc::try_unwrap(listeners) {
+            listeners.into_iter().for_each(|listener| {
+                if let Ok(listener) = Arc::try_unwrap(listener) {
+                    listener.unbind()
+                };
+            });
+        }
+        clear_signal_handlers();
+        Ok(())
     }
 }

data/ext/itsi_server/src/server/lifecycle_event.rs

@@ -1,5 +1,6 @@
 #[derive(Debug, Clone)]
 pub enum LifecycleEvent {
+    Start,
     Shutdown,
     Restart,
     IncreaseWorkers,

data/ext/itsi_server/src/server/listener.rs

@@ -1,7 +1,8 @@
 use super::bind::{Bind, BindAddress};
 use super::bind_protocol::BindProtocol;
 use super::io_stream::IoStream;
-use itsi_error::Result;
+use super::tls::ItsiTlsAcceptor;
+use itsi_error::{ItsiError, Result};
 use itsi_tracing::info;
 use socket2::{Domain, Protocol, Socket, Type};
 use std::net::{IpAddr, SocketAddr, TcpListener};
@@ -11,12 +12,14 @@ use tokio::net::TcpListener as TokioTcpListener;
 use tokio::net::UnixListener as TokioUnixListener;
 use tokio::net::{unix, TcpStream, UnixStream};
 use tokio_rustls::TlsAcceptor;
+use tokio_stream::StreamExt;
+use tracing::error;
 
 pub(crate) enum Listener {
     Tcp(TcpListener),
-    TcpTls((TcpListener, TlsAcceptor)),
+    TcpTls((TcpListener, ItsiTlsAcceptor)),
     Unix(UnixListener),
-    UnixTls((UnixListener, TlsAcceptor)),
+    UnixTls((UnixListener, ItsiTlsAcceptor)),
 }
 
 pub(crate) enum TokioListener {
@@ -27,7 +30,7 @@ pub(crate) enum TokioListener {
     },
     TcpTls {
         listener: TokioTcpListener,
-        acceptor: TlsAcceptor,
+        acceptor: ItsiTlsAcceptor,
         host: String,
         port: u16,
     },
@@ -36,11 +39,19 @@ pub(crate) enum TokioListener {
     },
     UnixTls {
         listener: TokioUnixListener,
-        acceptor: TlsAcceptor,
+        acceptor: ItsiTlsAcceptor,
     },
 }
 
 impl TokioListener {
+    pub fn unbind(self) {
+        match self {
+            TokioListener::Tcp { listener, .. } => drop(listener.into_std().unwrap()),
+            TokioListener::TcpTls { listener, .. } => drop(listener.into_std().unwrap()),
+            TokioListener::Unix { listener } => drop(listener.into_std().unwrap()),
+            TokioListener::UnixTls { listener, .. } => drop(listener.into_std().unwrap()),
+        };
+    }
     pub(crate) async fn accept(&self) -> Result<IoStream> {
         match self {
             TokioListener::Tcp { listener, .. } => TokioListener::accept_tcp(listener).await,
@@ -59,9 +70,48 @@ impl TokioListener {
         Self::to_tokio_io(Stream::TcpStream(tcp_stream), None).await
     }
 
-    async fn accept_tls(listener: &TokioTcpListener, acceptor: &TlsAcceptor) -> Result<IoStream> {
+    pub async fn spawn_state_task(&self) {
+        if let TokioListener::TcpTls {
+            acceptor: ItsiTlsAcceptor::Automatic(_acme_acceptor, state, _server_config),
+            ..
+        } = self
+        {
+            let mut state = state.lock().await;
+            loop {
+                if let Some(event) = StreamExt::next(&mut *state).await {
+                    info!("Received acme event: {:?}", event)
+                }
+            }
+        }
+    }
+
+    async fn accept_tls(
+        listener: &TokioTcpListener,
+        acceptor: &ItsiTlsAcceptor,
+    ) -> Result<IoStream> {
         let tcp_stream = listener.accept().await?;
-        Self::to_tokio_io(Stream::TcpStream(tcp_stream), Some(acceptor)).await
+        match acceptor {
+            ItsiTlsAcceptor::Manual(tls_acceptor) => {
+                Self::to_tokio_io(Stream::TcpStream(tcp_stream), Some(tls_acceptor)).await
+            }
+            ItsiTlsAcceptor::Automatic(acme_acceptor, _, rustls_config) => {
+                let accept_future = acme_acceptor.accept(tcp_stream.0);
+                match accept_future.await.unwrap() {
+                    None => Err(ItsiError::Pass()),
+                    Some(start_handshake) => {
+                        let tls_stream = start_handshake
+                            .into_stream(rustls_config.clone())
+                            .await
+                            .unwrap();
+                        // Wrap in your IoStream::TcpTls variant
+                        Ok(IoStream::TcpTls {
+                            stream: tls_stream,
+                            addr: SockAddr::Tcp(Arc::new(tcp_stream.1)),
+                        })
+                    }
+                }
+            }
+        }
     }
 
     async fn accept_unix(listener: &TokioUnixListener) -> Result<IoStream> {
@@ -71,10 +121,20 @@ impl TokioListener {
 
     async fn accept_unix_tls(
         listener: &TokioUnixListener,
-        acceptor: &TlsAcceptor,
+        acceptor: &ItsiTlsAcceptor,
     ) -> Result<IoStream> {
         let unix_stream = listener.accept().await?;
-        Self::to_tokio_io(Stream::UnixStream(unix_stream), Some(acceptor)).await
+        match acceptor {
+            ItsiTlsAcceptor::Manual(tls_acceptor) => {
+                Self::to_tokio_io(Stream::UnixStream(unix_stream), Some(tls_acceptor)).await
+            }
+            ItsiTlsAcceptor::Automatic(_, _, _) => {
+                error!("Automatic TLS not supported on Unix sockets");
+                Err(ItsiError::UnsupportedProtocol(
+                    "Automatic TLS on Unix Sockets".to_owned(),
+                ))
+            }
+        }
     }
 
     async fn to_tokio_io(
@@ -166,6 +226,14 @@ impl std::fmt::Display for SockAddr {
 }
 
 impl Listener {
+    pub fn unbind(self) {
+        match self {
+            Listener::Tcp(listener) => drop(listener),
+            Listener::TcpTls((listener, _)) => drop(listener),
+            Listener::Unix(listener) => drop(listener),
+            Listener::UnixTls((listener, _)) => drop(listener),
+        };
+    }
     pub fn to_tokio_listener(&self) -> TokioListener {
         match self {
             Listener::Tcp(listener) => TokioListener::Tcp {
@@ -213,16 +281,12 @@ impl TryFrom<Bind> for Listener {
                 BindProtocol::Http => Listener::Tcp(connect_tcp_socket(addr, bind.port.unwrap())?),
                 BindProtocol::Https => {
                     let tcp_listener = connect_tcp_socket(addr, bind.port.unwrap())?;
-                    let tls_acceptor = TlsAcceptor::from(Arc::new(bind.tls_config.unwrap()));
-                    Listener::TcpTls((tcp_listener, tls_acceptor))
+                    Listener::TcpTls((tcp_listener, bind.tls_config.unwrap()))
                 }
                 _ => unreachable!(),
             },
             BindAddress::UnixSocket(path) => match bind.tls_config {
-                Some(tls_config) => {
-                    let tls_acceptor = TlsAcceptor::from(Arc::new(tls_config));
-                    Listener::UnixTls((connect_unix_socket(&path)?, tls_acceptor))
-                }
+                Some(tls_config) => Listener::UnixTls((connect_unix_socket(&path)?, tls_config)),
                 None => Listener::Unix(connect_unix_socket(&path)?),
             },
         };
@@ -237,9 +301,11 @@ fn connect_tcp_socket(addr: IpAddr, port: u16) -> Result<TcpListener> {
     };
     let socket = Socket::new(domain, Type::STREAM, Some(Protocol::TCP))?;
     let socket_address: SocketAddr = SocketAddr::new(addr, port);
+    socket.set_reuse_port(true).ok();
+    socket.set_reuse_address(true).ok();
     socket.set_nonblocking(true).ok();
     socket.set_nodelay(true).ok();
-    socket.set_recv_buffer_size(1_048_576).ok();
+    socket.set_recv_buffer_size(262_144).ok();
     socket.bind(&socket_address.into())?;
     socket.listen(1024)?;
     Ok(socket.into())
@@ -249,6 +315,7 @@ fn connect_unix_socket(path: &PathBuf) -> Result<UnixListener> {
     let _ = std::fs::remove_file(path);
     let socket = Socket::new(Domain::UNIX, Type::STREAM, None)?;
     socket.set_nonblocking(true).ok();
+
     let socket_address = socket2::SockAddr::unix(path)?;
 
     info!("Binding to {:?}", path);

data/ext/itsi_server/src/server/serve_strategy/cluster_mode.rs

@@ -72,6 +72,7 @@ impl ClusterMode {
         lifecycle_event: LifecycleEvent,
     ) -> Result<()> {
         match lifecycle_event {
+            LifecycleEvent::Start => Ok(()),
             LifecycleEvent::Shutdown => {
                 self.shutdown().await?;
                 Ok(())

data/ext/itsi_server/src/server/serve_strategy/single_mode.rs

@@ -95,6 +95,12 @@ impl SingleMode {
               let self_ref = self_ref.clone();
               let listener = listener.clone();
               let (shutdown_sender, mut shutdown_receiver) = tokio::sync::watch::channel::<RunningPhase>(RunningPhase::Running);
+              let listener_clone = listener.clone();
+
+              tokio::spawn(async move {
+                listener_clone.spawn_state_task().await;
+              });
+
               listener_task_set.spawn(async move {
                 let strategy = self_ref.clone();
                 loop {
@@ -124,6 +130,9 @@ impl SingleMode {
                       }
                     }
                 }
+                if let Ok(listener) = Arc::try_unwrap(listener){
+                  listener.unbind();
+                }
             });
 
           }

data/ext/itsi_server/src/server/signal.rs

@@ -45,7 +45,8 @@ fn receive_signal(signum: i32, _: sighandler_t) {
     }
 }
 
-pub fn reset_signal_handlers() {
+pub fn reset_signal_handlers() -> bool {
+    SIGINT_COUNT.store(0, std::sync::atomic::Ordering::SeqCst);
     unsafe {
         libc::signal(libc::SIGTERM, receive_signal as usize);
         libc::signal(libc::SIGINT, receive_signal as usize);
@@ -54,4 +55,16 @@ pub fn reset_signal_handlers() {
         libc::signal(libc::SIGTTIN, receive_signal as usize);
         libc::signal(libc::SIGTTOU, receive_signal as usize);
     }
+    true
+}
+
+pub fn clear_signal_handlers() {
+    unsafe {
+        libc::signal(libc::SIGTERM, libc::SIG_DFL);
+        libc::signal(libc::SIGINT, libc::SIG_DFL);
+        libc::signal(libc::SIGUSR1, libc::SIG_DFL);
+        libc::signal(libc::SIGUSR2, libc::SIG_DFL);
+        libc::signal(libc::SIGTTIN, libc::SIG_DFL);
+        libc::signal(libc::SIGTTOU, libc::SIG_DFL);
+    }
 }

data/ext/itsi_server/src/server/tls.rs

@@ -1,21 +1,69 @@
 use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
-use itsi_tracing::{info, warn};
+use itsi_tracing::info;
 use rcgen::{CertificateParams, DnType, KeyPair, SanType};
+use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 use rustls_pemfile::{certs, pkcs8_private_keys};
-use std::{collections::HashMap, fs, io::BufReader};
-use tokio_rustls::rustls::{Certificate, PrivateKey, ServerConfig};
+use std::{
+    collections::HashMap,
+    env, fs,
+    io::{BufReader, Error},
+    sync::Arc,
+};
+use tokio::sync::Mutex;
+use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
+use tokio_rustls_acme::{caches::DirCache, AcmeAcceptor, AcmeConfig, AcmeState};
 
 const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
 const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
 
+#[derive(Clone)]
+pub enum ItsiTlsAcceptor {
+    Manual(TlsAcceptor),
+    Automatic(
+        AcmeAcceptor,
+        Arc<Mutex<AcmeState<Error>>>,
+        Arc<ServerConfig>,
+    ),
+}
+
 // Generates a TLS configuration based on either :
 // * Input "cert" and "key" options (either paths or Base64-encoded strings) or
 // * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
 // If a non-local host or optional domain parameter is provided,
 // an automated certificate will attempt to be fetched using let's encrypt.
-pub fn configure_tls(host: &str, query_params: &HashMap<String, String>) -> Result<ServerConfig> {
-    info!("TLS Options {:?}", query_params);
+pub fn configure_tls(
+    host: &str,
+    query_params: &HashMap<String, String>,
+) -> Result<ItsiTlsAcceptor> {
+    let domains = query_params
+        .get("domains")
+        .map(|v| v.split(',').map(String::from).collect::<Vec<_>>());
+
+    if query_params.get("cert").is_none() || query_params.get("key").is_none() {
+        if let Some(domains) = domains {
+            let directory_url = env::var("ACME_DIRECTORY_URL")
+                .unwrap_or_else(|_| "https://acme-v02.api.letsencrypt.org/directory".to_string());
+            info!(
+                domains = format!("{:?}", domains),
+                directory_url, "Requesting acme cert"
+            );
+            let acme_state = AcmeConfig::new(domains)
+                .contact(["mailto:wc@pico.net.nz"])
+                .cache(DirCache::new("./rustls_acme_cache"))
+                .directory(directory_url)
+                .state();
+            let rustls_config = ServerConfig::builder()
+                .with_no_client_auth()
+                .with_cert_resolver(acme_state.resolver());
+            let acceptor = acme_state.acceptor();
+            return Ok(ItsiTlsAcceptor::Automatic(
+                acceptor,
+                Arc::new(Mutex::new(acme_state)),
+                Arc::new(rustls_config),
+            ));
+        }
+    }
     let (certs, key) = if let (Some(cert_path), Some(key_path)) =
         (query_params.get("cert"), query_params.get("key"))
     {
@@ -24,36 +72,19 @@ pub fn configure_tls(host: &str, query_params: &HashMap<String, String>) -> Resu
         let key = load_private_key(key_path);
         (certs, key)
     } else {
-        let domains_param = query_params
-            .get("domains")
-            .map(|v| v.split(',').map(String::from).collect());
-        let host_string = host.to_string();
-        let domains = domains_param.or_else(|| {
-            if host_string != "localhost" {
-                Some(vec![host_string])
-            } else {
-                None
-            }
-        });
-
-        if let Some(domains) = domains {
-            retrieve_acme_cert(domains)?
-        } else {
-            generate_ca_signed_cert(vec![host.to_owned()])?
-        }
+        generate_ca_signed_cert(vec![host.to_owned()])?
     };
 
     let mut config = ServerConfig::builder()
-        .with_safe_defaults()
         .with_no_client_auth()
         .with_single_cert(certs, key)
         .expect("Failed to build TLS config");
 
     config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
-    Ok(config)
+    Ok(ItsiTlsAcceptor::Manual(TlsAcceptor::from(Arc::new(config))))
 }
 
-pub fn load_certs(path: &str) -> Vec<Certificate> {
+pub fn load_certs(path: &str) -> Vec<CertificateDer<'static>> {
     let data = if let Some(stripped) = path.strip_prefix("base64:") {
         general_purpose::STANDARD
             .decode(stripped)
@@ -71,14 +102,20 @@ pub fn load_certs(path: &str) -> Vec<Certificate> {
             })
             .collect::<Result<_>>()
             .expect("Failed to parse certificate file");
-        certs_der.into_iter().map(Certificate).collect()
+        certs_der
+            .into_iter()
+            .map(|vec| {
+                // Convert the owned Vec<u8> into a CertificateDer and force 'static.
+                unsafe { std::mem::transmute(CertificateDer::from(vec)) }
+            })
+            .collect()
     } else {
-        vec![Certificate(data)]
+        vec![CertificateDer::from(data)]
     }
 }
 
 /// Loads a private key from a file or Base64.
-pub fn load_private_key(path: &str) -> PrivateKey {
+pub fn load_private_key(path: &str) -> PrivateKeyDer<'static> {
     let key_data = if let Some(stripped) = path.strip_prefix("base64:") {
         general_purpose::STANDARD
             .decode(stripped)
@@ -97,13 +134,15 @@ pub fn load_private_key(path: &str) -> PrivateKey {
             .collect::<Result<_>>()
             .expect("Failed to parse private key");
         if !keys.is_empty() {
-            return PrivateKey(keys[0].clone());
+            return PrivateKeyDer::try_from(keys[0].clone()).unwrap();
         }
     }
-    PrivateKey(key_data)
+    PrivateKeyDer::try_from(key_data).unwrap()
 }
 
-pub fn generate_ca_signed_cert(domains: Vec<String>) -> Result<(Vec<Certificate>, PrivateKey)> {
+pub fn generate_ca_signed_cert(
+    domains: Vec<String>,
+) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
     info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
 
     let ca_kp = KeyPair::from_pem(ITS_CA_KEY).expect("Failed to load embedded CA key");
@@ -140,13 +179,10 @@ pub fn generate_ca_signed_cert(domains: Vec<String>) -> Result<(Vec<Certificate>
 
     let ee_cert = ee_params.signed_by(&ee_key, &ca_cert, &ca_kp).unwrap();
     let ee_cert_der = ee_cert.der().to_vec();
-    let ee_cert = Certificate(ee_cert_der);
-    let ca_cert = Certificate(ca_cert.der().to_vec());
-    Ok((vec![ee_cert, ca_cert], PrivateKey(ee_key.serialize_der())))
-}
-
-/// TODO: Retrieves an ACME certificate for a given domain.
-pub fn retrieve_acme_cert(domains: Vec<String>) -> Result<(Vec<Certificate>, PrivateKey)> {
-    warn!("Retrieving ACME cert for {}", domains.join(", "));
-    generate_ca_signed_cert(domains)
+    let ee_cert = CertificateDer::from(ee_cert_der);
+    let ca_cert = CertificateDer::from(ca_cert.der().to_vec());
+    Ok((
+        vec![ee_cert, ca_cert],
+        PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
+    ))
 }

data/lib/itsi/server/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Server
-    VERSION = "0.1.2"
+    VERSION = "0.1.4"
   end
 end

data/lib/itsi/server.rb

@@ -9,6 +9,20 @@ require_relative "server/rack/handler/itsi"
 
 module Itsi
   class Server
+
+    def self.running?
+      @running ||= false
+    end
+
+    def self.start(app:, **opts)
+      server = new(app: ->{app}, **opts)
+      @running = true
+      Signal.trap('INT', 'DEFAULT')
+      server.start
+    ensure
+      @running = false
+    end
+
     def self.call(app, request)
       respond request, app.call(request.to_env)
     end

data/lib/itsi/signals.rb

@@ -1,18 +1,23 @@
 module Itsi
   module Signals
     DEFAULT_SIGNALS = ["DEFAULT", ""].freeze
-    module TrapInterceptor
-      def trap(signal, command = nil, &block)
-        return super unless DEFAULT_SIGNALS.include?(command.to_s) && block.nil?
-        Itsi::Server.reset_signal_handlers
+    module SignalTrap
+      def self.trap(signal, *args, &block)
+        if DEFAULT_SIGNALS.include?(command.to_s) && block.nil?
+          Itsi::Server.reset_signal_handlers
+          nil
+        else
+          super(signal, *args, &block)
+        end
       end
     end
-    [Kernel, Signal].each do |receiver|
-      receiver.singleton_class.prepend(TrapInterceptor)
-    end
-
-    [Object].each do |receiver|
-      receiver.include(TrapInterceptor)
-    end
   end
 end
+
+[Kernel, Signal].each do |receiver|
+  receiver.singleton_class.prepend(Itsi::Signals::SignalTrap)
+end
+
+[Object].each do |receiver|
+  receiver.include(Itsi::Signals::SignalTrap)
+end

metadata

@@ -1,28 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: itsi-server
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.4
 platform: ruby
 authors:
 - Wouter Coppieters
 bindir: exe
 cert_chain: []
-date: 2025-03-13 00:00:00.000000000 Z
+date: 2025-03-14 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: libclang
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '14.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '14.0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement