Commit 436acf3

Merge pull request #33 from gorecodes/develop
Develop
2 parents 0ee6d03 + f615500 commit 436acf3

3 files changed

Lines changed: 70 additions & 52 deletions

README.md

Lines changed: 25 additions & 34 deletions
@@ -8,45 +8,32 @@ Designed for Gentoo systems in a local environment. Not intended to be exposed t
88

99
## Authentication and approval
1010

11-
Arbor uses local username/password authentication, with optional TOTP at login via `ARBOR_AUTH_MODE=totp`.
11+
**Out of the box after a clean install:** password-only login, and privileged actions (install, uninstall, sync, etc.) require a password re-prompt in the browser (step-up re-auth) before they start. No root shell needed.
1212

13-
Privileged operations use a separate control, `ARBOR_APPROVAL_MODE`, so login requirements and root-action approval can be configured independently.
13+
Two independent knobs let you change this:
1414

15-
The mode applies to install, uninstall, world update, sync, preserved-rebuild, depclean, overlay changes, and other root-backed admin operations.
15+
- **`ARBOR_AUTH_MODE`** — what is required *at login* (password only, or password + TOTP)
16+
- **`ARBOR_APPROVAL_MODE`** — what is required *per privileged action* after login
1617

17-
Minimal `/etc/arbor/arbor.env` examples:
18+
They are independent: you can have TOTP at login with CLI approval, or no TOTP with step-up re-auth, or any combination.
19+
20+
**Important:** `ARBOR_AUTH_MODE=totp` requires that TOTP has already been enabled from the **Security page** in the web UI, which generates `/etc/arbor/totp.secret` automatically. Do not add `ARBOR_AUTH_MODE=totp` to the config before doing this or Arbor will refuse to start.
21+
22+
Common `/etc/arbor/arbor.env` setups:
1823

1924
```bash
20-
# local-first HTTP on loopback (bootstrap default)
25+
# Default: password login, browser step-up re-auth for privileged actions
2126
ARBOR_TLS=0
22-
23-
# password login + CLI approval for privileged operations (default)
24-
ARBOR_APPROVAL_MODE=cli
25-
26-
# direct HTTPS on Arbor itself (optional)
27-
# ARBOR_TLS=1
28-
# ARBOR_CERT=/etc/arbor/cert.pem
29-
# ARBOR_KEY=/etc/arbor/key.pem
30-
#
31-
# password + TOTP at login, no per-action approval prompt — auto-approve
32-
# must be acknowledged explicitly because it removes the second gate
33-
ARBOR_AUTH_MODE=totp
3427
ARBOR_APPROVAL_MODE=none
3528
ARBOR_ALLOW_AUTO_APPROVAL=1
36-
ARBOR_TOTP_SECRET_FILE=/etc/arbor/totp.secret
37-
38-
# password + TOTP at login, plus CLI approval for privileged operations
39-
ARBOR_AUTH_MODE=totp
40-
ARBOR_APPROVAL_MODE=cli
41-
ARBOR_TOTP_SECRET_FILE=/etc/arbor/totp.secret
4229

43-
# Optional
44-
# ARBOR_TOTP_ISSUER=Arbor
45-
# ARBOR_TOTP_ACCOUNT_NAME=arbor@my-host
30+
# Alternative: root-shell arbor-approve instead of browser re-prompt
31+
# ARBOR_APPROVAL_MODE=cli
32+
# (remove the two lines above)
4633

47-
# no per-action approval (refused at boot without the explicit ack)
48-
ARBOR_APPROVAL_MODE=none
49-
ARBOR_ALLOW_AUTO_APPROVAL=1
34+
# Add TOTP at login on top of either of the above:
35+
# ARBOR_AUTH_MODE=totp
36+
# ARBOR_TOTP_SECRET_FILE=/etc/arbor/totp.secret # created by the Security page
5037
```
5138

5239
### Login-time TOTP (2FA)
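
Review bot: In the "Default" block of the `arbor.env` example, `ARBOR_APPROVAL_MODE=none` with `ARBOR_ALLOW_AUTO_APPROVAL=1` is now described as "browser step-up re-auth", while the removed comments described the same pair as "no per-action approval prompt" that "removes the second gate". The README should state which behaviour the running version implements, because the three files changed here (README.md, config/arbor.env.example, config/setup.sh) do not show the re-prompt being enforced and the flag name still reads as auto-approval. Also, "# (remove the two lines above)" under the `cli` alternative is ambiguous, since the lines directly above it are comments; name the two settings to remove instead.
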
@@ -73,13 +60,17 @@ To disable TOTP, the owner must enter the **current password** and a fresh **TOT
7360

7461
After login, privileged operations follow `ARBOR_APPROVAL_MODE`:
7562

76-
- `ARBOR_APPROVAL_MODE=cli` (default): the authenticated session still needs root-shell confirmation via `arbor-approve`.
77-
- `ARBOR_APPROVAL_MODE=none`: the authenticated session can start privileged actions immediately. **Refused at startup** unless `ARBOR_ALLOW_AUTO_APPROVAL=1` is also set, so the operator must explicitly acknowledge that the second gate is being removed.
78-
- `ARBOR_APPROVAL_MODE=totp`: **no longer supported**. Existing deployments that used the legacy value are refused at startup with a migration message; choose `cli`, or `none` with the ack flag above.
63+
- `ARBOR_APPROVAL_MODE=none` (default): the authenticated session requires a password re-prompt in the browser (step-up, valid 120 s) before each privileged action. `ARBOR_ALLOW_AUTO_APPROVAL=1` must be set alongside this.
64+
- `ARBOR_APPROVAL_MODE=cli`: the authenticated session needs root-shell confirmation via `arbor-approve` instead of the browser re-prompt.
65+
- `ARBOR_APPROVAL_MODE=totp`: **no longer supported**. Refused at startup with a migration message; choose `none` or `cli`.
66+
67+
#### `none` (default)
68+
69+
The browser prompts for the password before each privileged action. On success the action starts immediately — no root shell required.
7970

80-
#### `cli` (default)
71+
#### `cli`
8172

82-
This is the original shell-first model and remains the safest mode for Arbor's intended local-first deployment.
73+
This is the original shell-first model.
8374

8475
1. Start the action in the browser as usual.
8576
2. Arbor creates a pending approval request and locks the UI.
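
Review bot: The `none` bullet calls the mode the default and in the same sentence says `ARBOR_ALLOW_AUTO_APPROVAL=1` must be set alongside it, so it is unclear what Arbor does when neither variable is present in `arbor.env`; say whether it starts in `none`, falls back to `cli`, or refuses to start. "valid 120 s" next to "before each privileged action" also needs one sentence on whether a single re-prompt covers every action started within 120 seconds. The hunk drops the statement that `cli` "remains the safest mode"; if that still holds, keep it so operators can compare the two modes, given that with password-only login the step-up re-uses the login password.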

config/arbor.env.example

Lines changed: 35 additions & 13 deletions
@@ -1,21 +1,43 @@
1-
# Arbor web service environment
2-
# Copy to /etc/arbor/arbor.env
1+
# Arbor web service environment — copy to /etc/arbor/arbor.env
32

3+
# --- Network ---
44
ARBOR_HOST=127.0.0.1
55
ARBOR_PORT=8443
6-
ARBOR_CERT=/etc/arbor/cert.pem
7-
ARBOR_KEY=/etc/arbor/key.pem
8-
ARBOR_ENABLE_OVERLAY_ADD=0
9-
# Auth backend: local only (username/password + cookie session)
6+
ARBOR_TLS=0
7+
# Set ARBOR_TLS=1 to have Arbor terminate TLS itself (needs cert + key below).
8+
# When behind a TLS-terminating reverse proxy (Apache/nginx) keep ARBOR_TLS=0
9+
# and set ARBOR_CORS_ORIGINS to your public origin instead.
10+
# ARBOR_TLS=1
11+
# ARBOR_CERT=/etc/arbor/cert.pem
12+
# ARBOR_KEY=/etc/arbor/key.pem
13+
# ARBOR_CORS_ORIGINS=https://arbor.lan
14+
15+
# --- Auth backend (do not change) ---
1016
ARBOR_AUTH_BACKEND=local
11-
# Auth DB permission auto-heal (system DB path only, root context). 1=enabled (default), 0=disabled.
12-
# ARBOR_AUTH_AUTOHEAL_PERMS=1
13-
# Approval mode: cli, totp, none
14-
# ARBOR_AUTH_MODE=cli
15-
# TOTP mode can read the secret from env or a file. Prefer the file in production.
17+
18+
# --- Login mode ---
19+
# Unset (default): password only at login.
20+
# totp: password + TOTP code at login. Enable TOTP from the Security page in
21+
# the web UI first — it generates /etc/arbor/totp.secret automatically.
22+
# Do NOT set this before enabling TOTP from the frontend or Arbor will
23+
# refuse to start (missing secret file).
24+
# ARBOR_AUTH_MODE=totp
1625
# ARBOR_TOTP_SECRET_FILE=/etc/arbor/totp.secret
1726
# ARBOR_TOTP_ISSUER=Arbor
1827
# ARBOR_TOTP_ACCOUNT_NAME=arbor@my-host
19-
# Optional overrides for IPC auth. By default Arbor reads /etc/arbor/ipc.key.
20-
# ARBOR_IPC_KEY=change-me
28+
29+
# --- Approval / step-up mode ---
30+
# none (default): privileged actions require a password re-prompt in the
31+
# browser (step-up re-auth, valid 120 s). No root shell needed.
32+
# ARBOR_ALLOW_AUTO_APPROVAL=1 must accompany this.
33+
# cli: privileged actions require `arbor-approve approve <id>`
34+
# from a root shell instead of the browser prompt.
35+
ARBOR_APPROVAL_MODE=none
36+
ARBOR_ALLOW_AUTO_APPROVAL=1
37+
# ARBOR_APPROVAL_MODE=cli
38+
39+
# --- Features ---
40+
ARBOR_ENABLE_OVERLAY_ADD=0
41+
42+
# --- IPC (leave unset to use /etc/arbor/ipc.key generated by setup.sh) ---
2143
# ARBOR_IPC_KEY_FILE=/etc/arbor/ipc.key
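
Review bot: The commented entries for `ARBOR_AUTH_AUTOHEAL_PERMS` and `ARBOR_IPC_KEY` are removed from the example without a replacement, so if Arbor still reads them they become undocumented; either keep them as commented lines under a suitable section or note their removal in the README. `ARBOR_CORS_ORIGINS` appears here only as a commented example value; a line on what happens when it is left unset behind a reverse proxy would help.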

config/setup.sh

Lines changed: 10 additions & 5 deletions
@@ -41,12 +41,17 @@ ARBOR_PORT=8443
4141
ARBOR_TLS=0
4242
ARBOR_ENABLE_OVERLAY_ADD=0
4343
ARBOR_AUTH_BACKEND=local
44-
# ARBOR_AUTH_MODE=cli
45-
# ARBOR_APPROVAL_MODE=cli
44+
# Approval/step-up mode (default: browser password re-prompt before each
45+
# privileged action). To require arbor-approve from a root shell instead,
46+
# set ARBOR_APPROVAL_MODE=cli and remove the two lines below.
47+
ARBOR_APPROVAL_MODE=none
48+
ARBOR_ALLOW_AUTO_APPROVAL=1
49+
# Login mode: unset = password only; totp = password + TOTP code.
50+
# Enable TOTP from the Security page in the web UI first — it creates
51+
# /etc/arbor/totp.secret automatically. Only then uncomment these two lines.
52+
# ARBOR_AUTH_MODE=totp
4653
# ARBOR_TOTP_SECRET_FILE=/etc/arbor/totp.secret
47-
# ARBOR_TOTP_ISSUER=Arbor
48-
# ARBOR_TOTP_ACCOUNT_NAME=arbor@my-host
49-
# Direct TLS on Arbor itself (optional)
54+
# Direct TLS on Arbor itself (leave unset when behind a reverse proxy)
5055
# ARBOR_TLS=1
5156
# ARBOR_CERT=/etc/arbor/cert.pem
5257
# ARBOR_KEY=/etc/arbor/key.pem
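
Review bot: The generated env now writes `ARBOR_ALLOW_AUTO_APPROVAL=1` uncommented next to `ARBOR_APPROVAL_MODE=none`, so the flag that the earlier README text described as an explicit operator acknowledgement is set by the installer rather than by the operator. If the flag is still meant as an acknowledgement, consider having setup.sh ask for it or leave it commented; if `none` no longer removes the second gate, the flag could be renamed or dropped. The `ARBOR_TOTP_ISSUER` and `ARBOR_TOTP_ACCOUNT_NAME` comments are removed here but kept in config/arbor.env.example, so the two templates drift.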
