Database refactor

.github/workflows/test.yml

@@ -12,16 +12,24 @@ jobs:
     name: API Tests
     runs-on: ubuntu-24.04
     steps:
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Run tests
-        uses: docker/build-push-action@v6
+      - name: Install Podman
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y podman oathtool
+      - name: Start TimescaleDB
+        run: |
+          podman run --rm -d --name timescaledb -p 5432:5432 -e POSTGRES_PASSWORD=password -e POSTGRES_USER=report timescale/timescaledb-ha:pg17
+          # Wait for DB to be ready
+          for i in {1..30}; do
+            podman exec timescaledb pg_isready -U report && break
+            sleep 1
+          done
+      - name: Setup Go
+        uses: actions/setup-go@v5
         with:
-          push: false
-          context: api
-          target: test
-          cache-to: type=gha,mode=max,scope=api-testing
-          cache-from: type=gha,scope=api-testing
-          file: api/Containerfile
+          go-version: '1.24.4'
+      - name: Test with the Go CLI
+        run: cd api && go test

README.md

@@ -7,31 +7,68 @@ Firewalls can register to the server using [ns-plug](https://github.com/NethServ
 - create a route inside the proxy to access the firewall Luci RPC
 - store credentials to access the remote firewall
 
-## Quickstart
+## Development environment
 
-You can install it on [NS8](https://github.com/NethServer/ns8-nethsecurity-controller#install).
+You can install the controller on [NS8](https://github.com/NethServer/ns8-nethsecurity-controller#install).
 
-Otherwise, first make sure to have [podman](https://podman.io/) installed on your server.
+If you need a development environment, you can use the `dev.sh` script to start a podman pod with all the containers needed to run the controller.
+First make sure to have [podman](https://podman.io/) installed on your server.
 Containers should run under non-root users, but first you need to configure the tun device and the user.
 
 As root, execute:
 ```
-useradd -m controller
-loginctl enable-linger controller
-
 ip tuntap add dev tunsec mod tun
 ip addr add 172.21.0.1/16 dev tunsec
 ip link set dev tunsec up
 ```
 
+If you're running the dev environment on a distro with SELinux enabled, you also may need to create a module to allow the controller to access the tun device.
+Just execute:
+```
+checkmodule -M -m -o controller.mod controller.te
+semodule_package -o controller.pp -m controller.mod
+semodule -i controller.pp
+```
+
 Then change to non-root user, clone this repository and execute:
 ```
 su - controller
 
-./start.sh
+./dev.sh start
 ```
 
-The server will be available at `http://<fqdn>:8080/ui`.
+To stop the pod, execute:
+```
+./dev.sh stop
+```
+
+To run a specific image tag, you can use:
+```
+IMAGE_TAG=<tag> ./dev.sh start
+```
+
+The server will be available at `http://localhost:8080/`.
+Default credentials are: `admin/admin`.
+
+### UI development
+
+If you need to the develop the UI:
+
+- clone the [nethsecurity-ui](https://github.com/nethserver/nethsecurity-ui)
+- start the controller using the `dev.sh` script
+- start the UI in dev mode
+- access to the dev UI URL generated by vite, usually `http://localhost:5173/`
+```
+IMAGE_TAG=pr-123 ./dev.sh start
+git clone git@github.com:NethServer/nethsecurity-ui.git
+cd nethsecurity-ui
+cat <<EOF > .env.development
+VITE_API_SCHEME=http
+VITE_CONTROLLER_API_HOST=localhost:8080
+VITE_UI_MODE=controller
+EOF
+./dev.sh
+```
 
 ## How it works
 
@@ -74,6 +111,9 @@ The following environment variables can be used to configure the containers:
 - `PROXY_PORT`: proxy listening port, default is `8080`
 - `PROXY_BIND_IP`: proxy binding IP, default is `0.0.0.0`
 - `REPORT_DB_URI`: Timescale DB URI, like `postgresql://user:password@host:port/dbname`
+- `ALLOWED_IPS`: comma-separated list of allowed IPs, if empty, all IPs are allowed, default is empty
+- `PUBLIC_ENDPOINTS`: comma-separated list of public endpoints, that can be accessed even if `ALLOWED_IPS` is set, default is empty
+   If ALLOWED_IPS is set, the public endpoints should allow registration and ingestions from units, a good value should be: `/api/ingest,/api/units/register`
 
 ## REST API