# Sawa Control Panel — Issues & Decisions

*Track open questions, known problems, and architectural decisions here.*

---

## Open Issues

### ISSUE-001 — sudo whitelist scope

**Status:** Partially resolved ✅

**Note:** Sudoers whitelist deployed. Panel still runs as root via PM2 — migration to `panel` user pending.

---

### ISSUE-002 — Client cert distribution to mobile

**Status:** Open

**Priority:** High

Installing a client certificate on Android/iOS requires PKCS12 (.p12) format. Script generates .p12 correctly. Transfer mechanism not yet implemented.

**Options:**

- One-time HTTPS download endpoint on server (auto-deletes after download)
- AirDrop (iOS only)
- Manual USB transfer

---

### ISSUE-003 — Service status parsing reliability

**Status:** Open

**Priority:** Medium

`rc-service <name> status` returns inconsistent output across services. Should normalize to `started | stopped | crashed | unknown`.

**Suggested fix:** Use `rc-status` instead — returns structured view of all services in one call.

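A parser for the normalisation proposed above, written as an added Node.js example (not code from the Sawa repo). It assumes the stock OpenRC `rc-status` line layout (` <name>   [  <state>  ]`, newer versions append uptime and PID inside the brackets) and the ` * status: <state>` line that `rc-service <name> status` prints for standard scripts; the sample output is constructed. Anything the parser does not recognise becomes `unknown` rather than being guessed.

```javascript
// Added example, not from the Sawa repo: normalise OpenRC service state into
// started | stopped | crashed | unknown. Sample output below is constructed.

const NORMALISED = new Set(['started', 'stopped', 'crashed']);

// One rc-status service line: leading space, name, padding, "[ state ... ]".
// The "[^\]]*" part tolerates the uptime/PID suffix newer OpenRC prints.
const RC_STATUS_LINE = /^\s+(\S+)\s+\[\s*([a-z]+)[^\]]*\]\s*$/;

// Map a raw OpenRC state word onto the panel's four-state model; transitional
// states (starting, stopping, inactive, ...) are reported as unknown.
function normaliseState(raw) {
  const word = String(raw || '').trim().toLowerCase();
  return NORMALISED.has(word) ? word : 'unknown';
}

// Parse the whole `rc-status` output (one call covers every service).
// Returns { [serviceName]: { state, raw, runlevel } }.
function parseRcStatus(stdout) {
  const services = {};
  let runlevel = null;
  for (const line of stdout.split('\n')) {
    const rl = line.match(/^(?:Dynamic )?Runlevel:\s*(.+)$/);
    if (rl) { runlevel = rl[1].trim(); continue; }
    const m = line.match(RC_STATUS_LINE);
    if (!m) continue; // blank lines, headers, anything unexpected
    const [, name, raw] = m;
    services[name] = { state: normaliseState(raw), raw, runlevel };
  }
  return services;
}

// Parse `rc-service <name> status` for a single service. Stock scripts print
// " * status: <state>"; custom status() functions print arbitrary text, which
// is exactly the inconsistency ISSUE-003 describes, so that yields "unknown".
function parseRcServiceStatus(stdout) {
  const m = String(stdout || '').match(/\*\s*status:\s*([a-z]+)/i);
  return m ? normaliseState(m[1]) : 'unknown';
}

// Constructed sample shaped like real rc-status output.
const SAMPLE_RC_STATUS = `Runlevel: default
 sshd                                [  started  ]
 nginx                               [  started 00:12:03 (0)  ]
 mariadb                             [  stopped  ]
 redis                               [  crashed  ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
 cgroups                             [  starting  ]
Dynamic Runlevel: manual
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseRcStatus(SAMPLE_RC_STATUS));
  console.log(parseRcServiceStatus(' * status: crashed\n'));
}
```

Keeping `raw` alongside the normalised `state` means the UI can show the four-state badge while the detail page still exposes what OpenRC actually reported.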
---

### ISSUE-004 — Build and deploy workflow

**Status:** Resolved ✅

`deploy.ps1` implemented. Tar+gzip bundles, single file upload per component, server-side extract. Flags: `-All -Backend -Frontend -Nginx -Certs`.

---

### ISSUE-005 — wlan0 fails on boot

**Status:** Open — low priority

wpa_supplicant starts before WiFi hardware is ready. `sleep 5` pre-up workaround in `/etc/network/interfaces` — not yet confirmed stable across reboots.

---

### ISSUE-006 — Diskless/RAM mode not configured

**Status:** Open — planned

Currently in `sys` mode. USB wear reduction requires diskless conversion. Test on spare USB clone first — never on master.

---

### ISSUE-007 — Disk usage shows corrupt data intermittently

**Status:** Open

**Priority:** High — fix in Phase 4

Disk panel shows `/` at 445% full with 224GB size, then snaps back to correct values on next poll. Virtual/pseudo filesystems leaking through filter in `systemInfo.js`.

**Fix:** Filter by filesystem type — only include `ext4`, `ext3`, `xfs`, `btrfs`, `vfat`. Exclude `tmpfs`, `devtmpfs`, `sysfs`, `proc`, `cgroup`, `overlay`, and any mount where size is 0.

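The filter described in the fix, as an added Node.js example (not the project's `systemInfo.js`). It assumes the input is `df -PT` style text (Filesystem, Type, 1024-blocks, Used, Available, Capacity, Mounted on); if `systemInfo.js` gathers the data another way, only `parseDfOutput` needs replacing. Beyond the allow-list and zero-size rule from the issue, it also drops any row whose used space exceeds its size, so a transient bad reading is skipped instead of rendered as 445%. The sample output is constructed.

```javascript
// Added example, not the panel's systemInfo.js: keep only real block-device
// filesystems in the disk panel. Input format (df -PT) and sample are assumed.

// Allow-list from ISSUE-007; tmpfs, devtmpfs, sysfs, proc, cgroup and overlay
// are all outside it, so they can never reach the UI.
const REAL_FS_TYPES = new Set(['ext4', 'ext3', 'xfs', 'btrfs', 'vfat']);

// Parse `df -PT` output into { fs, type, size, used, available, mount } (bytes).
function parseDfOutput(stdout) {
  const rows = [];
  for (const line of stdout.split('\n').slice(1)) { // skip the header row
    const cols = line.trim().split(/\s+/);
    if (cols.length < 7) continue;
    const [fs, type, sizeKb, usedKb, availKb, , ...mountParts] = cols;
    rows.push({
      fs,
      type,
      size: Number(sizeKb) * 1024,
      used: Number(usedKb) * 1024,
      available: Number(availKb) * 1024,
      mount: mountParts.join(' '), // mount points may contain spaces
    });
  }
  return rows;
}

// A row is shown only if it is a real filesystem type, has a non-zero size,
// and its numbers are internally consistent (used can never exceed size).
function isReportableFilesystem(row) {
  if (!REAL_FS_TYPES.has(row.type)) return false;
  if (!Number.isFinite(row.size) || row.size <= 0) return false;
  if (row.used > row.size) return false; // the "445%" class of glitch
  return true;
}

// Same rounding df uses: ceil(used / (used + available)), integer arithmetic
// to avoid 0.3 * 100 === 30.000000000000004 surprises.
function usagePercent(row) {
  const denominator = row.used + row.available;
  return denominator > 0 ? Math.ceil((row.used * 100) / denominator) : 0;
}

function filterDiskUsage(rows) {
  return rows
    .filter(isReportableFilesystem)
    .map((row) => ({ ...row, percent: usagePercent(row) }));
}

// Constructed sample, including the kind of bogus row that caused the symptom.
const SAMPLE_DF = `Filesystem     Type     1024-blocks     Used Available Capacity Mounted on
/dev/sda1      ext4        30000000  9000000  21000000      30% /
tmpfs          tmpfs        1024000        0   1024000       0% /dev/shm
devtmpfs       devtmpfs       10240        0     10240       0% /dev
overlay        overlay     30000000  9000000  21000000      30% /var/lib/docker/overlay2/abc/merged
/dev/sdb1      vfat          262144    26214    235930      10% /boot
cgroup         cgroup             0        0         0        - /sys/fs/cgroup
/dev/sdc1      ext4            1000     4450         0     445% /mnt/glitch
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(filterDiskUsage(parseDfOutput(SAMPLE_DF)));
}
```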
---

### ISSUE-008 — MariaDB restart shows false error in UI

**Status:** Open — cosmetic

**Priority:** Low

Panel shows error dialog on MariaDB restart:

```
/usr/bin/mysqld_safe: Deprecated program name.
Use 'mariadbd-safe' instead.
* ERROR: mariadb failed to start
```

Service actually starts correctly. Exit code is non-zero due to deprecation warning being misread as failure.

**Fix:** In `rcService.js`, treat this specific stderr pattern as warning not error for mariadb.

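One way to implement the fix, as an added Node.js example (not the panel's `rcService.js`). It matches the two MariaDB notice lines quoted above and downgrades them to warnings. It goes one step beyond the fix as stated: a non-zero exit is only downgraded when a follow-up status check (the `stateAfter` argument, assumed to come from whatever the panel uses to read service state) confirms the service is running, so an actual MariaDB start failure that happens to print the same deprecation notice still surfaces as an error. The stderr sample is constructed from the text in this issue.

```javascript
// Added example, not the panel's rcService.js: classify the outcome of
// `rc-service <name> restart` from exit code + stderr, treating known benign
// notices as warnings. stateAfter is assumed to be the normalised state read
// back after the restart (started | stopped | crashed | unknown).

// Per-service patterns for stderr lines that are known to be harmless.
const BENIGN_STDERR = {
  mariadb: [
    /Deprecated program name/i,
    /Use 'mariadbd-safe' instead/i,
  ],
};

// OpenRC's summary line; it only echoes the wrapper's non-zero exit status.
const OPENRC_FAILED_TO_START = /\*\s*ERROR:\s+\S+\s+failed to start/i;

function splitStderr(stderr) {
  return String(stderr || '').split('\n').map((l) => l.trim()).filter(Boolean);
}

// Returns { ok, level: 'ok' | 'warning' | 'error', warnings: [], unexpected: [] }.
// `warnings` are recognised benign lines; `unexpected` is everything else.
function classifyRestart({ service, code, stderr = '', stateAfter = null }) {
  const benign = BENIGN_STDERR[service] || [];
  const isBenign = (line) => benign.some((re) => re.test(line));
  const lines = splitStderr(stderr);
  const warnings = lines.filter(isBenign);
  const unexpected = lines.filter((l) => !isBenign(l));

  if (code === 0) {
    return { ok: true, level: lines.length ? 'warning' : 'ok', warnings, unexpected };
  }
  // Non-zero exit: downgrade only if a known notice was printed AND the
  // service is confirmed up afterwards; then OpenRC's echo of the exit status
  // carries no information and is dropped from the dialog.
  if (warnings.length > 0 && stateAfter === 'started') {
    return {
      ok: true,
      level: 'warning',
      warnings,
      unexpected: unexpected.filter((l) => !OPENRC_FAILED_TO_START.test(l)),
    };
  }
  return { ok: false, level: 'error', warnings, unexpected };
}

// Constructed from the stderr quoted in ISSUE-008.
const MARIADB_STDERR = [
  '/usr/bin/mysqld_safe: Deprecated program name.',
  "Use 'mariadbd-safe' instead.",
  ' * ERROR: mariadb failed to start',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyRestart({ service: 'mariadb', code: 1, stderr: MARIADB_STDERR, stateAfter: 'started' }));
  console.log(classifyRestart({ service: 'mariadb', code: 1, stderr: MARIADB_STDERR, stateAfter: 'stopped' }));
}
```

Keeping the pattern list per service (rather than a global "ignore deprecation warnings" rule) limits the blind spot to exactly the lines that are known to be noise.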
---

### ISSUE-009 — TLS 1.3 incompatible with nginx mTLS client cert request

**Status:** Resolved ✅

With TLS 1.3, nginx never sends `CertificateRequest` — browsers never prompt for or send client cert. Fixed by setting `ssl_protocols TLSv1.2;` in `sawa-panel.conf`. Revisit when nginx adds proper TLS 1.3 post-handshake auth support.

---

### ISSUE-010 — Rogue default.conf intercepted mTLS requests

**Status:** Resolved ✅

`/etc/nginx/conf.d/default.conf` had a `listen 443 ssl` catch-all block with no mTLS, intercepting all requests before `sawa-panel.conf`. Deleted. `http.d/default.conf` (port 80 → 404) retained.

**Prevention needed:** Deploy script should warn about conflicting 443 server blocks.

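A pre-flight check of the kind the prevention note asks for, as an added Node.js example (not part of `deploy.ps1` or the panel). It brace-matches every `server { ... }` block across the nginx config files it is given, flags pairs of blocks that both listen on 443 and could claim the same request (either is a catch-all with no `server_name` or `_`, or they share a name), and additionally flags any 443 block that does not set `ssl_verify_client on`, since a block without mTLS in front of the panel is exactly what ISSUE-010 was. The config texts, paths under `http.d/` for `sawa-panel.conf`, certificate paths and the backend port are constructed placeholders.

```javascript
// Added example, not the project's deploy script: warn about nginx server
// blocks competing for port 443 and 443 blocks that do not enforce mTLS.
// Config contents are constructed samples; a deploy step would read them from
// /etc/nginx instead.

// Drop "# ..." comments but keep newlines so reported line numbers stay right.
function stripComments(text) {
  return text.replace(/#[^\n]*/g, '');
}

// Find every `server { ... }` block (brace-matched) with its 1-based start line.
function extractServerBlocks(confText, file) {
  const text = stripComments(confText);
  const blocks = [];
  const re = /\bserver\s*\{/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    let depth = 1;
    let i = re.lastIndex;
    while (i < text.length && depth > 0) {
      if (text[i] === '{') depth += 1;
      else if (text[i] === '}') depth -= 1;
      i += 1;
    }
    const body = text.slice(re.lastIndex, i - 1);
    const line = text.slice(0, m.index).split('\n').length;
    blocks.push({ file, line, body });
    re.lastIndex = i;
  }
  return blocks;
}

// Summarise what the check needs: does it listen on 443, which names it
// serves, and whether client certificates are enforced.
function describeBlock(block) {
  const listens = [...block.body.matchAll(/\blisten\s+([^;]+);/g)].map((x) => x[1].trim());
  const on443 = listens.some((l) => /(^|:)443(\s|$)/.test(l)); // "443 ssl", "[::]:443 ssl"
  const serverNames = [...block.body.matchAll(/\bserver_name\s+([^;]+);/g)]
    .flatMap((x) => x[1].trim().split(/\s+/));
  const catchAll = serverNames.length === 0 || serverNames.includes('_');
  const mtls = /\bssl_verify_client\s+on\s*;/.test(block.body);
  return { file: block.file, line: block.line, listens, on443, serverNames, catchAll, mtls };
}

// files: [{ path, text }] -> warnings of kind 'conflict' or 'no-mtls'.
function findConflicts(files) {
  const blocks = files
    .flatMap(({ path, text }) => extractServerBlocks(text, path))
    .map(describeBlock)
    .filter((b) => b.on443);
  const warnings = [];
  for (const b of blocks) {
    if (!b.mtls) warnings.push({ kind: 'no-mtls', file: b.file, line: b.line });
  }
  for (let i = 0; i < blocks.length; i += 1) {
    for (let j = i + 1; j < blocks.length; j += 1) {
      const a = blocks[i];
      const b = blocks[j];
      const overlap = a.catchAll || b.catchAll || a.serverNames.some((n) => b.serverNames.includes(n));
      if (overlap) warnings.push({ kind: 'conflict', a: `${a.file}:${a.line}`, b: `${b.file}:${b.line}` });
    }
  }
  return warnings;
}

// Constructed samples mirroring ISSUE-010 (paths/ports are placeholders).
const SAMPLE_FILES = [
  { path: '/etc/nginx/conf.d/default.conf', text: `server {
    listen 443 ssl;   # catch-all: no server_name, no ssl_verify_client
    ssl_certificate     /etc/ssl/certs/placeholder.pem;
    ssl_certificate_key /etc/ssl/private/placeholder.key;
    location / { return 200; }
}
` },
  { path: '/etc/nginx/http.d/sawa-panel.conf', text: `server {
    listen 443 ssl;
    server_name sawa.lan;
    ssl_verify_client on;
    location / { proxy_pass http://127.0.0.1:3000; }
}
` },
  { path: '/etc/nginx/http.d/default.conf', text: `server {
    listen 80 default_server;
    return 404;
}
` },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findConflicts(SAMPLE_FILES));
}
```

Run from the deploy step with the contents of `conf.d/*.conf` and `http.d/*.conf`, a non-empty result is the signal to abort or at least print the offending `file:line` pairs before `nginx -s reload`.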
---

## Resolved Decisions

### DECISION-001 — Authentication: nginx mTLS ✅

Client certificates only. No login page. Unauthorized devices get TLS handshake failure.

### DECISION-002 — Frontend: React + Vite + Tailwind CSS ✅

### DECISION-003 — Backend: Node.js + Express ✅

### DECISION-004 — Database stack convention ✅

| Use case | Database |
|----------|----------|
| WordPress, Laravel | MariaDB |
| Node.js apps | PostgreSQL |
| Sessions, queues | Redis (RDB+AOF) |
| Pure caching | Memcached |

### DECISION-005 — Panel on LAN only, port 443 ✅

### DECISION-006 — Phase 4 UI redesign ✅

- **Header:** persistent CPU% + RAM% + Uptime + Live dot
- **Sidebar:** collapsible sections — System / Services (tree) / Websites
- **Services:** toggle switches, each service gets own detail page
- **Websites:** add/remove form + enable/disable toggles
- **Per-service pages:** relevant stats + controls (pgAdmin iframe for PostgreSQL, phpMyAdmin for MariaDB — Phase 5)

---

## Technical Debt

- [ ] Panel runs as `root` via PM2 — migrate to `panel` user
- [ ] `noatime` not set in fstab — USB write wear pending
- [ ] Diskless mode not configured — ISSUE-006
- [ ] MariaDB deprecated binary warning — ISSUE-008
- [ ] `resolv.conf` not protected from `networking restart` overwrite
- [ ] `firstboot.sh` clone logic not tested on real hardware clone
- [ ] No log rotation — logs will grow unbounded
- [ ] SSH on port 22 — move to non-standard port to reduce scan noise
- [ ] Deploy script does not warn about conflicting nginx 443 server blocks
- [ ] `create-client.sh` uses temp file workaround for EKU extension — works but fragile