Refactor golden image handling in backup upload process</message>

<message>Update the _set_golden_from_path function to improve the handling of existing golden image files. Replace the existing unlink logic with a more robust method that safely removes files or broken symlinks using the missing_ok parameter. This change enhances the reliability of the backup upload process by ensuring that stale references are properly cleared before setting a new golden image path.
2026-02-24 00:19:40 +02:00
parent df180120aa
commit 808fbf5c7c
136 changed files with 407837 additions and 2 deletions
--- a/backup-from-device/gnss-guard/tm-gnss-guard/server/nginx/conf.d/default.conf
+++ b/backup-from-device/gnss-guard/tm-gnss-guard/server/nginx/conf.d/default.conf
@@ -0,0 +1,101 @@
+# GNSS Guard Server - Nginx Configuration
+# This file is used for initial setup (HTTP only)
+# After SSL setup, this file is replaced with the SSL configuration
+
+upstream gnss_server {
+    server gnss-server:8000;
+}
+
+# =============================================================================
+# IP WHITELIST FOR DASHBOARD ACCESS
+# =============================================================================
+# These IPs can access the web dashboard and admin endpoints.
+# The validation API endpoints (/api/v1/validation*) are open to all.
+#
+# To update: edit this file and run ./deploy_server.sh --restart
+# =============================================================================
+
+geo $ip_whitelist {
+    default         0;
+    
+    # Office IPs - Whitelisted for dashboard access
+    213.149.164.73  1;  # Socrates Office 5G
+    87.228.228.45   1;  # Thaleias Office
+    93.109.218.195  1;  # HQ Cyta
+    65.18.217.50    1;  # HQ Cablenet
+    93.109.218.196  1;  # HQ Cyta 2
+    62.228.7.94     1;  # Socrates Home 3
+    195.97.70.162   1;  # Piraeus Office
+    
+    # Localhost only (for internal health checks)
+    127.0.0.1       1;
+    # NOTE: Docker internal networks (10.0.0.0/8, 172.16.0.0/12) are NOT whitelisted
+    # to prevent privilege escalation if an attacker gains container access
+}
+
+# HTTP server
+server {
+    listen 80;
+    server_name _;
+
+    # Let's Encrypt challenge location - always open
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # =========================================================================
+    # PUBLIC ENDPOINTS - Open to all (asset token authentication)
+    # =========================================================================
+    
+    # Validation API - accessible from anywhere (clients authenticate with tokens)
+    location /api/v1/validation {
+        proxy_pass http://gnss_server;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+    }
+
+    # Health check endpoint - open
+    location /health {
+        proxy_pass http://gnss_server;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+
+    # =========================================================================
+    # RESTRICTED ENDPOINTS - Office IPs only (session authentication)
+    # =========================================================================
+    
+    # All other endpoints require IP whitelist
+    location / {
+        # Check IP whitelist
+        # TEMPORARILY DISABLED - uncomment to re-enable IP whitelisting
+        # if ($ip_whitelist = 0) {
+        #     return 403;
+        # }
+        
+        proxy_pass http://gnss_server;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+    }
+
+    # Custom error page for 403
+    error_page 403 /403.html;
+    location = /403.html {
+        internal;
+        default_type text/html;
+        return 403 '<!DOCTYPE html><html><head><title>Access Denied</title><style>body{font-family:sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#060b10;color:#e5e9f5;}.container{text-align:center;}.title{font-size:48px;margin-bottom:20px;color:#c62828;}.msg{font-size:18px;color:#9aa3b8;}</style></head><body><div class="container"><div class="title">403</div><div class="msg">Access Denied<br>Your IP is not authorized to access this resource.</div></div></body></html>';
+    }
+}