chahinebrini
db7875fb34
feat(ops/mdm): AdGuard ClientID handshake — nginx + watcher
End-to-end DoH-to-backend wiring for Mac auto-activation:
Mac → dns.rebreak.org/dns-query/<token> → nginx → AdGuard
→ querylog.json (CP field) → watcher.py → POST /handshake → backend
- ops/nginx/dns.rebreak.org.conf: vhost with `location ^~ /dns-query`
prefix-match (not exact). proxy_pass without trailing slash preserves
the full path so AdGuard parses the ClientID natively.
- watcher.py: NDJSON tail with inode-based rotation safety, per-token
60s in-memory cooldown, urllib (no external deps), graceful 401/404/5xx
- rebreak-handshake-watcher.service: systemd unit, EnvironmentFile with
chmod 600 (HANDSHAKE_SECRET never in git), NoNewPrivileges + PrivateTmp
- DOH_CLIENTID_HANDSHAKE.md: architecture + flow diagram + risk table
- RUNBOOK.md: status/logs/restart commands + deploy ordering
Not yet deployed. Verify-checklist before `nginx -s reload`:
1. confirm AdGuard DoH port (config assumes 127.0.0.1:3000)
2. confirm TLS cert exists for dns.rebreak.org
3. snapshot current nginx config
4. `nginx -t` dry-run
5. functional curl + grep CP in querylog before starting watcher
2026-05-15 22:41:38 +02:00
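The watcher side of the flow above (querylog.json -> ClientID -> cooldown -> POST /handshake), as an added example written for this page; it is not the repository's watcher.py. Assumptions, all labelled in the code: the ClientID is read from the field the commit names ("CP"; checklist step 5 is where that name gets confirmed against a real log line, and the field name is a constant so it can be changed), a token is 16 to 64 URL-safe characters, the handshake is a JSON body with a bearer secret, and the default querylog path and HANDSHAKE_URL are placeholders. HANDSHAKE_SECRET is taken from the environment exactly as the systemd EnvironmentFile in the commit provides it. The tail keeps the old file handle open across a logrotate rename so lines appended between the last poll and the rotation are not lost, and it buffers a half-written trailing line instead of passing it to json.loads.

```python
"""Handshake watcher core: tail an AdGuard Home querylog.json (NDJSON), pull the
DoH ClientID, apply a per-token cooldown, and POST it to the backend."""
import json
import os
import re
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: the commit says the ClientID lands in the "CP" field. Confirm it
# with `grep CP querylog.json` (checklist step 5) before relying on the name.
CLIENTID_FIELD = "CP"
# Assumption: tokens are 16-64 URL-safe chars. Anything else (short protocol
# labels, hostnames, garbage) is dropped and never reaches /handshake.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,64}")
COOLDOWN_S = 60


def extract_token(line: str, field: str = CLIENTID_FIELD) -> Optional[str]:
    """Return the ClientID from one NDJSON querylog line, or None."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None  # corrupt or half-written line: skip it, never crash the tail
    val = rec.get(field) if isinstance(rec, dict) else None
    return val if isinstance(val, str) and TOKEN_RE.fullmatch(val) else None


class Cooldown:
    """In-memory per-token rate limit: at most one handshake per token per window."""

    def __init__(self, seconds: float = COOLDOWN_S,
                 clock: Callable[[], float] = time.monotonic):
        self.seconds = seconds
        self.clock = clock
        self.last: Dict[str, float] = {}

    def allow(self, token: str) -> bool:
        now = self.clock()
        last = self.last.get(token)
        if last is not None and now - last < self.seconds:
            return False
        self.last[token] = now
        # Prune expired entries so a long-running watcher does not grow unbounded.
        self.last = {t: ts for t, ts in self.last.items() if now - ts < self.seconds}
        return True


class LogCursor:
    """Read position in querylog.json that survives rename-based rotation (new
    inode) and in-place truncation. Only complete lines are returned; a trailing
    partial line is buffered until the writer finishes it."""

    def __init__(self, path: str, start_at_end: bool = True):
        self.path, self.start_at_end = path, start_at_end
        self.fh = None          # open handle to the inode we are currently reading
        self.inode: Optional[int] = None
        self.partial = b""

    def _drain(self) -> List[str]:
        parts = (self.partial + self.fh.read()).split(b"\n")
        self.partial = parts.pop()  # b"" when the chunk ended on a newline
        return [p.decode("utf-8", "replace") for p in parts if p.strip()]

    def read_new_lines(self) -> List[str]:
        lines: List[str] = []
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            st = None  # between rename and recreate; the next poll will reattach
        if self.fh is not None and (st is None or st.st_ino != self.inode):
            lines += self._drain()  # rotated away: take what was appended before the rename
            self.fh.close()
            self.fh = None
        if st is None:
            return lines
        if self.fh is None:
            first_attach = self.inode is None
            self.fh = open(self.path, "rb")
            self.inode, self.partial = st.st_ino, b""
            if first_attach and self.start_at_end:
                self.fh.seek(0, os.SEEK_END)  # do not replay history on startup
        elif st.st_size < self.fh.tell():
            self.fh.seek(0)  # truncated in place (copytruncate-style rotation)
            self.partial = b""
        return lines + self._drain()


def post_handshake(token: str, url: str, secret: str,
                   opener: Callable = urllib.request.urlopen) -> int:
    """POST the token; return the HTTP status, 0 if no response was received.
    Assumed wire format: JSON {"token": ...} plus a bearer secret header."""
    req = urllib.request.Request(
        url, data=json.dumps({"token": token}).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + secret})
    try:
        with opener(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 401/404/5xx: report it and keep tailing
    except (urllib.error.URLError, OSError):
        return 0


def run_once(cursor: LogCursor, cooldown: Cooldown,
             post: Callable[[str], int]) -> List[Tuple[str, int]]:
    """One poll: new lines -> tokens -> cooldown -> POST. Returns (token, status)."""
    sent = []
    for line in cursor.read_new_lines():
        token = extract_token(line)
        if token and cooldown.allow(token):
            sent.append((token, post(token)))
    return sent


if __name__ == "__main__":
    # Env var names mirror the commit's EnvironmentFile; paths/URL are placeholders.
    secret = os.environ["HANDSHAKE_SECRET"]
    url = os.environ.get("HANDSHAKE_URL", "http://127.0.0.1:8000/handshake")
    cursor = LogCursor(os.environ.get("QUERYLOG", "/opt/AdGuardHome/data/querylog.json"))
    cooldown = Cooldown()
    while True:
        for tok, status in run_once(cursor, cooldown, lambda t: post_handshake(t, url, secret)):
            print(f"handshake {tok[:8]}... -> {status}", flush=True)
        time.sleep(1)
```

Two points worth keeping in mind when adapting this: the cooldown is in memory, so a restart of the unit re-sends any token seen again within the window (the backend should treat /handshake as idempotent), and the poll interval bounds how long a Mac waits between its first DoH query and activation.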