feat(cli): automation bundle + identity-minimization features
Reduces manual setup steps and trims user-identifying data exposed by the server/client, in the spirit of the deployment story: an operator on the wire sees less, and the admin types fewer commands. New CLI subcommands: - `aura server-init`: one shot — pki init + issue-server + writes a ready server.toml with auto-detected egress iface; flags --enable-knock, --enable-cover-traffic, --no-nat, --run-as toggle the new transport defenses and privilege drop. - `aura provision-client`: issues a client cert and assembles the full bundle (ca.crt + client.crt + client.key + client.toml in one directory) ready to hand over to the client device. --id is optional (defaults to a fresh UUIDv4, so client identities don't have to encode anything real). Identity / log minimization: - `aura pki issue-client --id` is now optional — UUIDv4 by default. - `[server]/[client] no_logs = true` filters peer_id, client_ip, source_addr, client_id, local_ip, user, id, assigned_ip, peer field values through a custom tracing FormatFields layer (events still fire but the identifying fields are redacted before being written). - `[client] bridges = [...]`: secondary server addresses; build_dial_targets shuffles them after the primary, so blocking one IP doesn't kill the client. - Auto-detect egress iface in [server.nat] (via detect_default_egress_iface); egress_iface in config becomes optional with graceful fallback. Config examples updated; backward-compatible (all new sections optional with serde defaults). Workspace: 207 tests passed (+22), clippy -D warnings clean, fmt clean. No new workspace deps. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@@ -15,6 +15,14 @@ sni = "cdn.example.com"
# no-op (use a service account instead). When omitted (or already running as non-root) no
# privilege change happens.
# run_as = "nobody"
# Suppress identifier fields (peer_id, client_ip, source_addr, ...) from log output. The events
# still fire; only the identifying fields are dropped before formatting. Default: false. Set to
# true to keep the local log file from accumulating per-session identifiers.
no_logs = false
# Optional fallback server addresses (IP or IP:port). When the primary `server_addr` cannot be
# reached on any transport, the client retries the bridges in a process-randomised order, using
# the same per-transport ports from [transport]. The bridge `:port` part is parsed but ignored.
# bridges = ["203.0.113.11", "203.0.113.12"]
[pki]
# Trust anchor (the Aura CA) and this client's leaf cert/key, all PEM.
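Review bot: The `bridges` comment block (`# Optional fallback server addresses ...`) documents the retry order but not how a bridge is authenticated; since the bundle ships a single `[pki]` trust anchor, a reader will presumably assume a bridge must present a cert chained to the same CA, and if that is what the dialer enforces it is worth saying, e.g. `# Bridges are authenticated exactly like the primary: the server cert must chain to the [pki] CA.` — confirm against build_dial_targets and the dial path. `# The bridge :port part is parsed but ignored.` invites a silent misconfiguration, because an operator who writes a distinct port expects it to be used; either reject a port component at config-load time or state plainly that the `[transport]` ports are always used. The enclosing `[client]` table starts above this hunk.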
@@ -107,3 +115,14 @@ masquerade = true
# Existing connections keep the mask they connected with. Default: true.
# When `false`, the static values above ([client] sni, [transport] obfuscate, ...) are used as-is.
enabled = true
[transport.knock]
# UDP port-knocking. Must match the server's setting. Default: false.
enabled = false
knock_secret_source = "ca_fingerprint"
[transport.cover]
# Idle-time cover traffic. Must match the server's setting. Default: false.
enabled = false
mean_interval_ms = 500
jitter = 0.5
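Review bot: `# UDP port-knocking. Must match the server's setting.` says what must match but not what a mismatch looks like; if the server knocks and this client does not, the server presumably drops the unprefixed datagrams, so the client sees a plain timeout rather than an authentication error. A line such as `# If the server has knocking enabled and this is false, UDP connects time out (the port looks closed); check the server log.` would save a debugging round. The `[transport.cover]` comment has the same gap: say whether a cover-traffic mismatch is fatal or merely asymmetric. Both are inferred from the comments alone — confirm against the UDP transport code before wording them.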
@@ -14,6 +14,11 @@ workers = 4
# uses setgid/setuid; Windows is a no-op (use a service account instead). When omitted (or
# already running as non-root) no privilege change happens.
# run_as = "nobody"
# Suppress identifier fields (peer_id, client_ip, source_addr, ...) from log output. The events
# still fire (so counters and rates are unaffected); only the offending fields are dropped before
# formatting. Default: false. Set to true on production hosts to keep the log file from accumulating
# the per-client identifiers Russian telcos may be compelled to forward on request.
no_logs = false
[pki]
# Trust anchor (the Aura CA) and this server's leaf cert/key, all PEM.
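Review bot: The `no_logs` comment names a single jurisdiction (`# the per-client identifiers Russian telcos may be compelled to forward on request.`) in an otherwise neutral example config; the threat is generic log retention and compelled disclosure, and the line would age better and match the client-side wording if phrased as `# the per-client identifiers that a log-retention or disclosure request could expose.`. More importantly, the comment's `(peer_id, client_ip, source_addr, ...)` is a fixed field list per the commit message, so readers should be told that anything outside that list — free-text messages or error strings that embed an address — is not scrubbed, e.g. `# Only the named structured fields are redacted; addresses embedded in free-text messages are not.` — confirm against the FormatFields layer before adding it.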
@@ -98,3 +103,19 @@ masquerade = true
# needed. Existing connections keep the mask they accepted with. Default: true.
# When `false`, the static values above ([mimicry] sni, [transport] obfuscate, ...) are used as-is.
enabled = true
[transport.knock]
# UDP port-knocking. When `enabled = true`, the UDP transport demands a 16-byte HMAC prefix on
# every HS datagram, derived from `knock_secret_source` (`"ca_fingerprint"` = SHA-256 of the CA
# cert DER). To a passive scanner the listening UDP port looks closed. Default: false.
enabled = false
knock_secret_source = "ca_fingerprint"
[transport.cover]
# Idle-time cover traffic. When `enabled = true`, an established UDP connection periodically
# injects encrypted Ping frames during idle windows so the on-wire byte rate stays roughly
# constant. `mean_interval_ms` controls how often the chaffer wakes up; `jitter` is the
# uniform-random fraction applied (e.g. 0.5 = ±50%). Default: disabled.
enabled = false
mean_interval_ms = 500
jitter = 0.5
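Review bot: The `[transport.knock]` comment should state what the knock does and does not protect against: the secret is SHA-256 of the CA cert, and the commit message says `ca.crt` ships in every client bundle, so the knock secret is shared by all clients, anyone holding any bundle (including one taken from a lost device) can open the port, and revoking that client's cert does not rotate it. Suggest `# Scanner resistance only, not authentication: the CA cert is in every client bundle, so the knock secret is shared by all clients and is not changed by revocation.`. Also `# To a passive scanner the listening UDP port looks closed` — a passive observer does not probe; this resists active probing, so `active` is the word meant. The `jitter` line could state its valid range (presumably 0.0–1.0, since a fraction above 1 would yield negative intervals) — confirm against the config validation.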