feat(managed-config): server-side scaffold for Pi-image device config

Kiosks running our pre-built image (managed_image=true at pairing) can have their hostname, timezone, network (DHCP/static + VLAN), and Wi-Fi configured from the admin UI. Pull-model: server stores desired-state JSON, kiosk heartbeat returns pending_config when version exceeds applied_version, kiosk echoes applied_version back. Wi-Fi PSK encrypted with the cluster key so ciphertext at rest is shipped to the kiosk without per-kiosk re-encryption. Server side only — kiosk Rust applier (betterframe-apply-config helper + rollback timer) and pair-initiate marker file are next. ci(pi-gen): use action's image-path output for asset upload pi-gen writes the .img.xz into pi-gen-action's own working dir, not our repo deploy/. Glob never matched. Use steps.pigen.outputs.image-path directly — no glob needed.
2026-05-26 17:56:34 +00:00 · 2026-05-20 03:18:11 +02:00 · 2026-05-20 03:18:11 +02:00 · dae5d0ce88
commit dae5d0ce88
parent 4e652c6fd1
11 changed files with 338 additions and 8 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -179,6 +179,7 @@ jobs:
                   deploy/pi-gen/stage-betterframe-client/prerun.sh
      - name: Build Pi image (pi-gen)
        id: pigen
        uses: usimd/pi-gen-action@v1.11.0
        with:
          image-name: betterframe-client-${{ inputs.version }}
@ -194,12 +195,16 @@ jobs:
          # Surface pi-gen's stdout/stderr (default suppressed).
          verbose-output: true
-      - name: List pi-gen output
+      - name: Show pi-gen output path
-        run: ls -la deploy/ || true
+        run: |
          echo "image-path: ${{ steps.pigen.outputs.image-path }}"
          ls -la "$(dirname '${{ steps.pigen.outputs.image-path }}')" || true
      # pi-gen writes the .img.xz under its own checkout (inside pi-gen-action's
      # working dir), not our repo deploy/. The action exposes the exact path
      # via the `image-path` output — use it directly instead of globbing.
      - name: Upload image to GitHub Release
        uses: softprops/action-gh-release@v3
        with:
          tag_name: ${{ inputs.tag }}
-          files: |
+          files: ${{ steps.pigen.outputs.image-path }}
            deploy/*.img.xz
--- a/server/src/plugins/service-admin-http/routes-admin.ts
+++ b/server/src/plugins/service-admin-http/routes-admin.ts
@ -1318,6 +1318,81 @@ export function registerAdminRoutes(app: H3, deps: AdminDeps): void {
    return new Response(null, { status: 302, headers: { location: `/admin/kiosks/${id}` } });
  });
  // Managed-image device config — admin pushes hostname/timezone/network/wifi
  // for kiosks running our pre-built Pi image. Builds a ManagedConfig object,
  // encrypts the wifi PSK with the cluster key (so it can be stored at rest
  // and delivered as ciphertext that the kiosk decrypts on-device with the
  // cluster key it received at pairing), then bumps managed_config_version
  // so the next heartbeat ships it to the kiosk.
  app.post("/admin/kiosks/:id/managed-config", async (event) => {
    const id = Number(getRouterParam(event, "id"));
    const kiosk = deps.repo.getKioskById(id);
    if (!kiosk) throw new Error("kiosk not found");
    if (!kiosk.managed_image) throw new Error("kiosk is not running a managed image");
    const body = await readBody<Record<string, string>>(event);
    const trim = (v: string | undefined) => (v ?? "").trim();
    const cfg: Record<string, unknown> = {};
    const hostname = trim(body?.["hostname"]);
    if (hostname) cfg["hostname"] = hostname;
    const timezone = trim(body?.["timezone"]);
    if (timezone) cfg["timezone"] = timezone;
    const netMode = trim(body?.["network_mode"]);
    if (netMode === "dhcp" || netMode === "static") {
      const net: Record<string, unknown> = { mode: netMode };
      const iface = trim(body?.["network_interface"]);
      if (iface) net["interface"] = iface;
      if (netMode === "static") {
        const ipCidr = trim(body?.["network_ip_cidr"]);
        if (ipCidr) net["ip_cidr"] = ipCidr;
        const gw = trim(body?.["network_gateway"]);
        if (gw) net["gateway"] = gw;
        const dnsRaw = trim(body?.["network_dns"]);
        if (dnsRaw) {
          net["dns"] = dnsRaw.split(",").map((s) => s.trim()).filter(Boolean);
        }
      }
      const vlanRaw = trim(body?.["network_vlan_id"]);
      if (vlanRaw) {
        const vlanId = Number(vlanRaw);
        if (Number.isInteger(vlanId) && vlanId >= 1 && vlanId <= 4094) {
          net["vlan_id"] = vlanId;
        }
      }
      cfg["network"] = net;
    }
    // Wifi: load existing first so blank PSK = "keep current". Re-encrypt PSK
    // only when the operator actually typed one.
    const ssid = trim(body?.["wifi_ssid"]);
    const pskPlaintext = body?.["wifi_psk"] ?? "";
    if (ssid) {
      const prev = kiosk.managed_config_json ? JSON.parse(kiosk.managed_config_json) : null;
      let pskCiphertext: string | null = prev?.wifi?.psk_ciphertext ?? null;
      if (pskPlaintext) {
        pskCiphertext = deps.secrets.encryptString(pskPlaintext, "cluster");
      }
      if (pskCiphertext) {
        cfg["wifi"] = { ssid, psk_ciphertext: pskCiphertext };
      }
    }
    deps.repo.updateKiosk(id, {
      managed_config_json: JSON.stringify(cfg),
      managed_config_version: kiosk.managed_config_version + 1,
      managed_config_error: null,
    } as any);
    audit(deps.repo, event as any, "kiosk.managed_config.update", {
      resource_type: "kiosk",
      resource_id: String(id),
      metadata: { version: kiosk.managed_config_version + 1 },
    });
    return new Response(null, { status: 302, headers: { location: `/admin/kiosks/${id}` } });
  });
  app.post("/admin/kiosks/:id/labels", async (event) => {
    const kioskId = Number(getRouterParam(event, "id"));
    const body = await readBody<Record<string, string>>(event);
--- a/server/src/plugins/service-api-http/index.ts
+++ b/server/src/plugins/service-api-http/index.ts
@ -215,12 +215,14 @@ function registerPairingRoutes(
      proposed_name?: string;
      hardware_model?: string;
      capabilities?: string[];
      managed_image?: boolean;
    }>(event);
    const result = initiatePairing(repo, {
      proposedName: body?.proposed_name ?? null,
      hardwareModel: body?.hardware_model ?? null,
      capabilities: body?.capabilities ?? [],
      managedImage: body?.managed_image === true,
      codeTtlSeconds: codeTtl,
    });
@ -303,6 +305,11 @@ function registerKioskRoutes(
      fan_pwm?: number | null;
      local_key?: string | null;
      local_port?: number | null;
      // Managed-image kiosk echoes back the version it last applied, and the
      // last apply error (if any). Server uses these to decide whether to
      // include pending_config in the response.
      managed_config_applied_version?: number;
      managed_config_error?: string | null;
    }>(event);
    // Capture the kiosk's LAN-side IP from the heartbeat connection so admin
@ -323,6 +330,22 @@ function registerKioskRoutes(
      local_last_ip: remoteIp,
    });
    // Managed-config echo: kiosk reports the version it has successfully
    // applied. Persist for the admin UI to render. Error string clears on a
    // successful apply (kiosk omits it). verifyKioskKey returns just {id};
    // re-read the full row to check the managed_image flag.
    const kioskFull = repo.getKioskById(kiosk.id);
    if (kioskFull?.managed_image && typeof body?.managed_config_applied_version === "number") {
      const patch: Record<string, unknown> = {
        managed_config_applied_version: body.managed_config_applied_version,
        managed_config_applied_at: new Date().toISOString(),
      };
      if (body.managed_config_error !== undefined) {
        patch["managed_config_error"] = body.managed_config_error ?? null;
      }
      repo.updateKiosk(kiosk.id, patch as any);
    }
    // Mirror to MQTT bridge (no-op when BF_MQTT_URL unset).
    mqtt.publishTelemetry(kiosk.id, {
      kiosk_app_version: body?.kiosk_app_version,
@ -377,7 +400,31 @@ function registerKioskRoutes(
      }
    }
-    return { ok: true, now: new Date().toISOString() };
+    // Re-read kiosk so we see the freshly-persisted applied_version above when
    // computing whether the server still has a newer config to deliver.
    const fresh = repo.getKioskById(kiosk.id);
    let pendingConfig: { version: number; config: unknown } | undefined;
    if (
      fresh?.managed_image
      && fresh.managed_config_version > fresh.managed_config_applied_version
      && fresh.managed_config_json
    ) {
      try {
        pendingConfig = {
          version: fresh.managed_config_version,
          config: JSON.parse(fresh.managed_config_json),
        };
      } catch {
        // Corrupt JSON — leave pendingConfig undefined; admin UI will show
        // the error. Don't break heartbeat.
      }
    }
    return {
      ok: true,
      now: new Date().toISOString(),
      ...(pendingConfig ? { pending_config: pendingConfig } : {}),
    };
  });
  // Event forwarding
--- a/server/src/plugins/service-store/mappers.ts
+++ b/server/src/plugins/service-store/mappers.ts
@ -265,6 +265,12 @@ export function rowToKiosk(r: Row): Kiosk {
    local_key: sn(r["local_key"]),
    local_port: nn(r["local_port"]),
    local_last_ip: sn(r["local_last_ip"]),
    managed_image: b(r["managed_image"]),
    managed_config_json: sn(r["managed_config_json"]),
    managed_config_version: n(r["managed_config_version"] ?? 0),
    managed_config_applied_version: n(r["managed_config_applied_version"] ?? 0),
    managed_config_applied_at: sn(r["managed_config_applied_at"]),
    managed_config_error: sn(r["managed_config_error"]),
    created_at: s(r["created_at"]),
  };
 }
--- a/server/src/plugins/service-store/migrations.ts
+++ b/server/src/plugins/service-store/migrations.ts
@ -781,4 +781,18 @@ export const MIGRATIONS: readonly MigrationEntry[] = [
  `CREATE INDEX IF NOT EXISTS idx_audit_log_ts ON audit_log(ts DESC)`,
  `CREATE INDEX IF NOT EXISTS idx_audit_log_action ON audit_log(action, ts DESC)`,
  `CREATE INDEX IF NOT EXISTS idx_audit_log_actor ON audit_log(actor_type, actor_id, ts DESC)`,
  // ---- Managed-image device config -----------------------------------------
  // For kiosks running our pre-built Pi image (managed_image=1), admins can
  // push hostname / timezone / network / wifi config. Kiosk pulls on heartbeat
  // when server's version > applied_version, applies via a privileged helper,
  // echoes applied_version back. managed_config_error captures last failure.
  (db: DatabaseSync) => {
    addColumnIfNotExists(db, "kiosks", "managed_image", "INTEGER NOT NULL DEFAULT 0");
    addColumnIfNotExists(db, "kiosks", "managed_config_json", "TEXT");
    addColumnIfNotExists(db, "kiosks", "managed_config_version", "INTEGER NOT NULL DEFAULT 0");
    addColumnIfNotExists(db, "kiosks", "managed_config_applied_version", "INTEGER NOT NULL DEFAULT 0");
    addColumnIfNotExists(db, "kiosks", "managed_config_applied_at", "TEXT");
    addColumnIfNotExists(db, "kiosks", "managed_config_error", "TEXT");
  },
 ];
--- a/server/src/plugins/service-store/repository.ts
+++ b/server/src/plugins/service-store/repository.ts
@ -971,11 +971,12 @@ export class Repository {
    key_prefix: string;
    capabilities?: string[];
    hardware_model?: string | null;
    managed_image?: boolean;
  }): Kiosk {
    const result = this.prep(
      `INSERT INTO kiosks
-        (name, key_hash, key_prefix, capabilities, hardware_model, paired_at)
+        (name, key_hash, key_prefix, capabilities, hardware_model, paired_at, managed_image)
-       VALUES (?, ?, ?, ?, ?, ?)`,
+       VALUES (?, ?, ?, ?, ?, ?, ?)`,
    ).run(
      input.name,
      input.key_hash,
@ -983,6 +984,7 @@ export class Repository {
      J(input.capabilities ?? []),
      input.hardware_model ?? null,
      isoNow(),
      input.managed_image ? 1 : 0,
    );
    const id = Number(result.lastInsertRowid);
    void this.notify("kiosks", "create", id);
--- a/server/src/schemas/wire/managed-config.ts
+++ b/server/src/schemas/wire/managed-config.ts
@ -0,0 +1,55 @@
 /**
 * Wire schema for the managed-image device config: pushed from server to
 * kiosks running our pre-built Pi OS image. Kiosks pull on heartbeat
 * (response includes `pending_config` when server-side version exceeds
 * `applied_version`), apply via a privileged helper, echo `applied_version`
 * back on the next heartbeat.
 *
 * Wifi PSKs are encrypted with the cluster_key delivered at pairing time,
 * so the server can store ciphertext at rest and ship it to the kiosk
 * without a per-kiosk re-encryption step.
 */
 import * as av from "@anyvali/js";
 export const NETWORK_MODES = ["dhcp", "static"] as const;
 export const managedNetworkConfig = av.object(
  {
    mode: av.enum_(NETWORK_MODES),
    // Interface name as exposed by NetworkManager (e.g. "eth0", "wlan0").
    // Optional — helper defaults to the primary wired interface.
    interface: av.optional(av.string().minLength(1).maxLength(32)),
    // IPv4 CIDR for static mode. Ignored when mode=dhcp.
    ip_cidr: av.optional(av.string().pattern("^[0-9.]+/[0-9]+$")),
    gateway: av.optional(av.string().minLength(1).maxLength(64)),
    dns: av.optional(av.array(av.string().minLength(1).maxLength(64))),
    // 802.1Q VLAN id; helper creates a virtual interface when set.
    vlan_id: av.optional(av.int().min(1).max(4094)),
  },
  { unknownKeys: "reject" },
 );
 export const managedWifiConfig = av.object(
  {
    ssid: av.string().minLength(1).maxLength(64),
    // PSK encrypted with cluster_key via shared/secrets.encryptString.
    // Helper decrypts in-process before handing to NetworkManager.
    psk_ciphertext: av.string().minLength(1).maxLength(512),
  },
  { unknownKeys: "reject" },
 );
 export const managedConfig = av.object(
  {
    hostname: av.optional(av.string().minLength(1).maxLength(64)),
    // IANA tz name, e.g. "Etc/UTC", "America/New_York".
    timezone: av.optional(av.string().minLength(1).maxLength(64)),
    network: av.optional(managedNetworkConfig),
    wifi: av.optional(managedWifiConfig),
  },
  { unknownKeys: "reject" },
 );
 export type ManagedNetworkConfig = av.Infer<typeof managedNetworkConfig>;
 export type ManagedWifiConfig = av.Infer<typeof managedWifiConfig>;
 export type ManagedConfig = av.Infer<typeof managedConfig>;
--- a/server/src/schemas/wire/pairing.ts
+++ b/server/src/schemas/wire/pairing.ts
@ -27,6 +27,9 @@ export const pairInitiateRequest = av.object(
    capabilities: av.array(av.enum_(KIOSK_CAPABILITIES)),
    os_version: av.optional(av.string().maxLength(128)),
    kiosk_app_version: av.optional(av.string().maxLength(64)),
    // True iff the kiosk runs our pre-built Pi OS image and ships the
    // betterframe-apply-config helper. Gates the admin Managed Config UI.
    managed_image: av.optional(av.bool()),
  },
  { unknownKeys: "reject" },
 );
--- a/server/src/shared/pairing.ts
+++ b/server/src/shared/pairing.ts
@ -28,6 +28,8 @@ export interface PairingInitiateInput {
  proposedName: string | null;
  hardwareModel: string | null;
  capabilities: string[];
  /** True iff kiosk runs our pre-built Pi image with the apply-config helper. */
  managedImage?: boolean;
  codeTtlSeconds: number;
 }
@ -56,7 +58,7 @@ export function initiatePairing(
    kiosk_hardware_model: input.hardwareModel,
    kiosk_capabilities: input.capabilities,
    expires_at: expiresAt,
-    extras: {},
+    extras: input.managedImage ? { managed_image: true } : {},
  });
  return { code, expiresAt };
@ -159,6 +161,7 @@ export async function confirmPairing(
      key_prefix: kioskKeyPrefix,
      capabilities: pc.kiosk_capabilities,
      hardware_model: pc.kiosk_hardware_model,
      managed_image: pc.extras?.["managed_image"] === true,
    });
    repo.createDisplayForKiosk(kiosk.id, {
--- a/server/src/shared/types.ts
+++ b/server/src/shared/types.ts
@ -219,6 +219,14 @@ export interface Kiosk {
  local_key: string | null;
  local_port: number | null;
  local_last_ip: string | null;
  // Managed-image device config. Only meaningful when managed_image=true; for
  // BYO-OS kiosks these fields stay at defaults and the admin UI hides them.
  managed_image: boolean;
  managed_config_json: string | null; // serialized ManagedConfig payload
  managed_config_version: number; // server-side, bumps on each save
  managed_config_applied_version: number; // echoed by kiosk after successful apply
  managed_config_applied_at: string | null;
  managed_config_error: string | null;
  created_at: string;
 }
--- a/server/src/web-templates/admin-pages.tsx
+++ b/server/src/web-templates/admin-pages.tsx
@ -1375,6 +1375,116 @@ export function renderKioskLabels(
  );
 }
 /**
 * Managed-image device config editor. Only rendered when the kiosk reported
 * managed_image=true at pairing. Server pushes the resulting JSON on the
 * next heartbeat; kiosk applies it and echoes the version back, so we show
 * "version N applied at …" plus the last error (if any) so the operator can
 * see whether their change actually landed.
 */
 function ManagedConfigCard(props: { kiosk: Kiosk }) {
  const k = props.kiosk;
  let cfg: {
    hostname?: string;
    timezone?: string;
    network?: {
      mode?: string;
      interface?: string;
      ip_cidr?: string;
      gateway?: string;
      dns?: string[];
      vlan_id?: number;
    };
    wifi?: { ssid?: string };
  } = {};
  if (k.managed_config_json) {
    try { cfg = JSON.parse(k.managed_config_json); } catch { /* ignore */ }
  }
  const net = cfg.network ?? {};
  const wifi = cfg.wifi ?? {};
  const pending = k.managed_config_version > k.managed_config_applied_version;
  return (
    <div class="card" style="margin-bottom:1.5rem">
      <h2 style="margin:0 0 1rem; font-size:1.1rem">Managed Config (Pi image)</h2>
      <div style="font-size:0.85rem; color:#666; margin-bottom:0.75rem">
        <div>
          Version: {String(k.managed_config_version)}
          {" · Applied: "}{String(k.managed_config_applied_version)}
          {k.managed_config_applied_at ? <> ({formatTime(k.managed_config_applied_at)})</> : null}
          {pending ? <span style="color:#b06; margin-left:0.5rem">pending push…</span> : null}
        </div>
        {k.managed_config_error
          ? <div style="color:#b00; margin-top:0.25rem">Last error: {k.managed_config_error}</div>
          : null}
      </div>
      <form method="post" action={`/admin/kiosks/${k.id}/managed-config`}>
        <div class="form-group">
          <label for="mc_hostname">Hostname</label>
          <input id="mc_hostname" name="hostname" type="text" class="form-input"
            value={cfg.hostname ?? ""} placeholder="betterframe-kiosk" />
        </div>
        <div class="form-group">
          <label for="mc_timezone">Timezone</label>
          <input id="mc_timezone" name="timezone" type="text" class="form-input"
            value={cfg.timezone ?? ""} placeholder="Etc/UTC" />
        </div>
        <h3 style="margin:1rem 0 0.5rem; font-size:0.95rem">Network</h3>
        <div class="form-group">
          <label for="mc_net_mode">Mode</label>
          <select id="mc_net_mode" name="network_mode" class="form-input">
            <option value="" selected={!net.mode}>—</option>
            <option value="dhcp" selected={net.mode === "dhcp"}>DHCP</option>
            <option value="static" selected={net.mode === "static"}>Static</option>
          </select>
        </div>
        <div class="form-group">
          <label for="mc_net_iface">Interface</label>
          <input id="mc_net_iface" name="network_interface" type="text" class="form-input"
            value={net.interface ?? ""} placeholder="eth0" />
        </div>
        <div class="form-group">
          <label for="mc_net_ip">Static IP (CIDR)</label>
          <input id="mc_net_ip" name="network_ip_cidr" type="text" class="form-input"
            value={net.ip_cidr ?? ""} placeholder="192.168.1.50/24" />
        </div>
        <div class="form-group">
          <label for="mc_net_gw">Gateway</label>
          <input id="mc_net_gw" name="network_gateway" type="text" class="form-input"
            value={net.gateway ?? ""} placeholder="192.168.1.1" />
        </div>
        <div class="form-group">
          <label for="mc_net_dns">DNS (comma-separated)</label>
          <input id="mc_net_dns" name="network_dns" type="text" class="form-input"
            value={(net.dns ?? []).join(", ")} placeholder="1.1.1.1, 8.8.8.8" />
        </div>
        <div class="form-group">
          <label for="mc_net_vlan">VLAN ID</label>
          <input id="mc_net_vlan" name="network_vlan_id" type="number" min="1" max="4094"
            class="form-input" value={net.vlan_id != null ? String(net.vlan_id) : ""} />
        </div>
        <h3 style="margin:1rem 0 0.5rem; font-size:0.95rem">Wi-Fi (optional)</h3>
        <div class="form-group">
          <label for="mc_wifi_ssid">SSID</label>
          <input id="mc_wifi_ssid" name="wifi_ssid" type="text" class="form-input"
            value={wifi.ssid ?? ""} />
        </div>
        <div class="form-group">
          <label for="mc_wifi_psk">PSK</label>
          <input id="mc_wifi_psk" name="wifi_psk" type="password" class="form-input"
            placeholder={wifi.ssid ? "(unchanged — leave blank to keep)" : ""} />
          <div style="font-size:0.75rem; color:#999; margin-top:0.2rem">
            Encrypted with cluster key before storage. Leave blank to keep existing PSK.
          </div>
        </div>
        <button type="submit" class="btn btn-primary">Save &amp; Push</button>
      </form>
    </div>
  );
 }
 export function KioskEditPage(props: KioskEditProps) {
  const k = props.kiosk;
  return (
@ -1631,6 +1741,8 @@ export function KioskEditPage(props: KioskEditProps) {
          </div>
        </div>
        {k.managed_image ? <ManagedConfigCard kiosk={k} /> : null}
        <form method="post" action={`/admin/kiosks/${k.id}/delete`} style="margin-top:1rem">
          <button type="submit" class="btn btn-danger" {...{"onclick": "return confirm('Delete this kiosk?')"}}>Delete Kiosk</button>
        </form>