@lamalibre/create-portlama 1.0.33 → 1.0.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (24) hide show
  1. package/package.json +1 -1
  2. package/src/lib/service-config.js +25 -20
  3. package/vendor/panel-client/dist/assets/index-BKznW-YZ.js +689 -0
  4. package/vendor/panel-client/dist/docs/00-introduction/how-it-works.md +17 -2
  5. package/vendor/panel-client/dist/docs/00-introduction/quickstart.md +2 -0
  6. package/vendor/panel-client/dist/docs/00-introduction/what-is-portlama.md +17 -2
  7. package/vendor/panel-client/dist/docs/01-concepts/security-model.md +11 -0
  8. package/vendor/panel-client/dist/docs/01-concepts/tickets.md +48 -11
  9. package/vendor/panel-client/dist/docs/02-guides/cloud-provisioning.md +336 -0
  10. package/vendor/panel-client/dist/docs/02-guides/desktop-app-setup.md +59 -2
  11. package/vendor/panel-client/dist/docs/03-architecture/overview.md +59 -11
  12. package/vendor/panel-client/dist/docs/03-architecture/panel-client.md +69 -40
  13. package/vendor/panel-client/dist/docs/03-architecture/panel-server.md +5 -2
  14. package/vendor/panel-client/dist/docs/03-architecture/system-overview.md +11 -3
  15. package/vendor/panel-client/dist/docs/04-api-reference/tickets.md +32 -18
  16. package/vendor/panel-client/dist/docs/06-reference/config-files.md +100 -5
  17. package/vendor/panel-client/dist/index.html +1 -1
  18. package/vendor/panel-server/package.json +1 -1
  19. package/vendor/panel-server/src/lib/authelia.js +1 -1
  20. package/vendor/panel-server/src/lib/certbot.js +9 -4
  21. package/vendor/panel-server/src/lib/tickets.js +33 -8
  22. package/vendor/panel-server/src/routes/management/certs.js +4 -8
  23. package/vendor/panel-server/src/routes/management/tickets.js +9 -2
  24. package/vendor/panel-client/dist/assets/index-DYc0AT5L.js +0 -689
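--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@lamalibre/create-portlama",
-  "version": "1.0.33",
+  "version": "1.0.35",
   "description": "One-command setup for secure reverse tunnels with a management dashboard",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",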
@@ -74,31 +74,36 @@ portlama ALL=(root) NOPASSWD: /usr/bin/systemctl restart portlama-panel
74
74
  # --- nginx config test ---
75
75
  portlama ALL=(root) NOPASSWD: /usr/sbin/nginx -t
76
76
 
77
- # --- certbot: restrict certonly to --nginx (code always passes --non-interactive) ---
78
- # Note: trailing wildcard allows additional flags; trust boundary is @lamalibre/ scope
79
- portlama ALL=(root) NOPASSWD: /usr/bin/certbot certonly --nginx *
80
- portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew
81
- portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew --cert-name *
82
- portlama ALL=(root) NOPASSWD: /usr/bin/certbot certificates
83
-
84
- # --- openssl: restricted to PKI and Let's Encrypt paths ---
85
- portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -in /etc/portlama/pki/* *
86
- portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -in /etc/letsencrypt/live/* *
77
+ # --- certbot: restrict to exact flag patterns used by the application ---
78
+ portlama ALL=(root) NOPASSWD: /usr/bin/certbot certonly --nginx -d * --email * --agree-tos --non-interactive
79
+ portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew --non-interactive
80
+ portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew --cert-name * --non-interactive
81
+ portlama ALL=(root) NOPASSWD: /usr/bin/certbot renew --cert-name * --force-renewal --non-interactive
82
+ portlama ALL=(root) NOPASSWD: /usr/bin/certbot certificates --non-interactive
83
+
84
+ # --- openssl: read-only operations (no trailing wildcards) ---
85
+ portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -in /etc/portlama/pki/* -serial -noout
86
+ portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -in /etc/portlama/pki/* -enddate -noout
87
+ portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -checkend 86400 -noout -in /etc/letsencrypt/live/*
88
+ portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/*
89
+ portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -in /etc/letsencrypt/live/* -enddate -noout
90
+ # --- openssl: PKI generation and signing (trailing * for variable -subj CN) ---
91
+ # Trust boundary: only @lamalibre/ scoped code runs as portlama user
87
92
  portlama ALL=(root) NOPASSWD: /usr/bin/openssl x509 -req -in /etc/portlama/pki/* *
88
93
  portlama ALL=(root) NOPASSWD: /usr/bin/openssl genrsa -out /etc/portlama/pki/* *
89
94
  portlama ALL=(root) NOPASSWD: /usr/bin/openssl req -new -key /etc/portlama/pki/* *
90
95
  portlama ALL=(root) NOPASSWD: /usr/bin/openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 -out /etc/portlama/pki/*
91
96
 
92
- # --- mv: restrict source to /tmp/ or known config paths ---
93
- portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /var/www/portlama/*
94
- portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/nginx/sites-available/*
95
- portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/systemd/system/chisel.service
96
- portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/systemd/system/authelia.service
97
- portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/systemd/system/portlama-panel.service
98
- portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/portlama/pki/*
99
- portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /usr/local/bin/chisel
100
- portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /usr/local/bin/authelia
101
- portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/* /etc/authelia/*
97
+ # --- mv: restrict source to known temp-file prefixes (no bare /tmp/*) ---
98
+ portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/site-index-* /var/www/portlama/*
99
+ portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/site-upload-* /var/www/portlama/*
100
+ portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/invite-page-* /var/www/portlama/*
101
+ portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/nginx-* /etc/nginx/sites-available/*
102
+ portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/chisel-service-* /etc/systemd/system/chisel.service
103
+ portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/authelia-service-* /etc/systemd/system/authelia.service
104
+ portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/chisel-* /usr/local/bin/chisel
105
+ portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/authelia-* /usr/local/bin/authelia
106
+ portlama ALL=(root) NOPASSWD: /usr/bin/mv /tmp/portlama-authelia-* /etc/authelia/*
102
107
  portlama ALL=(root) NOPASSWD: /usr/bin/mv /etc/portlama/pki/*.new /etc/portlama/pki/*
103
108
  portlama ALL=(root) NOPASSWD: /usr/bin/mv /etc/nginx/sites-available/*.bak /etc/nginx/sites-available/*
104
109