Secure first-loop control-plane auth and mount routing.

Protect the control-plane API with explicit bearer auth, add node-scoped registration/heartbeat credentials, and make export mount paths an explicit contract field so mount profiles stay correct across runtimes. Generated with [Devin](https://cli.devin.ai/docs) Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-04-18 09:00:32 +00:00 · 2026-04-01 14:13:14 +00:00 · 2026-04-01 14:13:14 +00:00 · ed40da7326
commit ed40da7326
parent a7f85f4871
23 changed files with 3676 additions and 124 deletions
--- a/infra/docker/compose.dev.yml
+++ b/infra/docker/compose.dev.yml
@ -32,10 +32,15 @@ services:
      PORT: 3000
      BETTERNAS_VERSION: ${BETTERNAS_VERSION}
      NEXTCLOUD_BASE_URL: ${NEXTCLOUD_BASE_URL}
+      BETTERNAS_CONTROL_PLANE_STATE_PATH: /var/lib/betternas/control-plane/state.json
+      BETTERNAS_CONTROL_PLANE_CLIENT_TOKEN: ${BETTERNAS_CONTROL_PLANE_CLIENT_TOKEN}
+      BETTERNAS_CONTROL_PLANE_NODE_BOOTSTRAP_TOKEN: ${BETTERNAS_CONTROL_PLANE_NODE_BOOTSTRAP_TOKEN}
      BETTERNAS_EXAMPLE_MOUNT_URL: ${BETTERNAS_EXAMPLE_MOUNT_URL}
      BETTERNAS_NODE_DIRECT_ADDRESS: ${BETTERNAS_NODE_DIRECT_ADDRESS}
    ports:
      - "${BETTERNAS_CONTROL_PLANE_PORT}:3000"
+    volumes:
+      - control-plane-data:/var/lib/betternas/control-plane
    healthcheck:
      test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:3000/health"]
      interval: 5s
@ -79,6 +84,7 @@ services:
      NEXTCLOUD_ADMIN_USER: ${NEXTCLOUD_ADMIN_USER}
      NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD}
      BETTERNAS_CONTROL_PLANE_URL: http://control-plane:3000
+      BETTERNAS_CONTROL_PLANE_API_TOKEN: ${BETTERNAS_CONTROL_PLANE_CLIENT_TOKEN}
    ports:
      - "${BETTERNAS_NEXTCLOUD_PORT}:80"
    volumes:
@ -86,6 +92,7 @@ services:
      - nextcloud-custom-apps:/var/www/html/custom_apps

 volumes:
+  control-plane-data:
  nextcloud-data:
  nextcloud-custom-apps:
  postgres-data: