feat: Device Security — certificate management UI (CA settings, enrollment approval, revocation)

cypress/support/commands.ts

@@ -34,4 +34,4 @@
 //       visit(originalFn: CommandOriginalFn, url: string, options: Partial<VisitOptions>): Chainable<Element>
 //     }
 //   }
-// }
+// }

docker/Dockerfile

@@ -1,24 +1,16 @@
-FROM alpine:3.14
+FROM nginx:alpine
 
-RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext \
-    nginx curl supervisor certbot-nginx && \
-    rm -rf /var/cache/apk/* && mkdir -p /run/nginx
-
-STOPSIGNAL SIGINT
 EXPOSE 80
-EXPOSE 443
-ENTRYPOINT ["/usr/bin/supervisord","-c","/etc/supervisord.conf"]
 
 WORKDIR /usr/share/nginx/html
-# copy configuration files
-COPY docker/default.conf /etc/nginx/http.d/default.conf
+
+# Copy nginx configs
 COPY docker/nginx.conf /etc/nginx/nginx.conf
-COPY docker/init_cert.sh /usr/local/init_cert.sh
-COPY docker/init_react_envs.sh /usr/local/init_react_envs.sh
-RUN chmod +x /usr/local/init_cert.sh && rm /etc/crontabs/root
-RUN chmod +x /usr/local/init_react_envs.sh
+COPY docker/default.conf /etc/nginx/conf.d/default.conf
+
+# Copy init script as an entrypoint hook (runs before nginx starts)
+COPY docker/init_react_envs.sh /docker-entrypoint.d/40-init-react-envs.sh
+RUN chmod +x /docker-entrypoint.d/40-init-react-envs.sh
 
-# configure supervisor
-COPY docker/supervisord.conf /etc/supervisord.conf
-# copy build files
-COPY out/ /usr/share/nginx/html/
+# Copy static build output
+COPY out/ /usr/share/nginx/html/

docker/init_react_envs.sh

@@ -1,67 +1,67 @@
-#!/bin/bash
+#!/bin/sh
 set -e
 
-if [[ -z "${AUTH_AUTHORITY}" ]]; then
-    if [[ -z "${AUTH0_DOMAIN}" ]]; then
+if [ -z "${AUTH_AUTHORITY}" ]; then
+    if [ -z "${AUTH0_DOMAIN}" ]; then
         echo "AUTH_AUTHORITY or AUTH0_DOMAIN environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${AUTH_CLIENT_ID}" ]]; then
-    if [[ -z "${AUTH0_CLIENT_ID}" ]]; then
+if [ -z "${AUTH_CLIENT_ID}" ]; then
+    if [ -z "${AUTH0_CLIENT_ID}" ]; then
         echo "AUTH_CLIENT_ID or AUTH0_CLIENT_ID environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${AUTH_AUDIENCE}" ]]; then
-    if [[ -z "${AUTH0_AUDIENCE}" ]]; then
+if [ -z "${AUTH_AUDIENCE}" ]; then
+    if [ -z "${AUTH0_AUDIENCE}" ]; then
         echo "AUTH_AUDIENCE or AUTH0_AUDIENCE environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ "${AUTH_AUDIENCE}" == "none" ]]; then
+if [ "${AUTH_AUDIENCE}" = "none" ]; then
     unset AUTH_AUDIENCE
 fi
 
-if [[ -z "${AUTH_SUPPORTED_SCOPES}" ]]; then
-    if [[ -z "${AUTH0_DOMAIN}" ]]; then
+if [ -z "${AUTH_SUPPORTED_SCOPES}" ]; then
+    if [ -z "${AUTH0_DOMAIN}" ]; then
         echo "AUTH_SUPPORTED_SCOPES environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${USE_AUTH0}" ]]; then
-    if [[ -z "${AUTH0_DOMAIN}" ]]; then
+if [ -z "${USE_AUTH0}" ]; then
+    if [ -z "${AUTH0_DOMAIN}" ]; then
         echo "USE_AUTH0 environment variable must be set"
         exit 1
     fi
 fi
 
-if [[ -z "${NETBIRD_MGMT_API_ENDPOINT}" ]]; then
+if [ -z "${NETBIRD_MGMT_API_ENDPOINT}" ]; then
     echo "NETBIRD_MGMT_API_ENDPOINT environment variable must be set"
     exit 1
 fi
 
-export AUTH_AUTHORITY=${AUTH_AUTHORITY:-https://$AUTH0_DOMAIN}
-export AUTH_CLIENT_ID=${AUTH_CLIENT_ID:-$AUTH0_CLIENT_ID}
-export AUTH_CLIENT_SECRET=${AUTH_CLIENT_SECRET}
-export AUTH_AUDIENCE=${AUTH_AUDIENCE:-$AUTH0_AUDIENCE}
-export AUTH_REDIRECT_URI=${AUTH_REDIRECT_URI}
-export AUTH_SILENT_REDIRECT_URI=${AUTH_SILENT_REDIRECT_URI}
-export USE_AUTH0=${USE_AUTH0:-true}
-export AUTH_SUPPORTED_SCOPES=${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}
+export AUTH_AUTHORITY="${AUTH_AUTHORITY:-https://${AUTH0_DOMAIN}}"
+export AUTH_CLIENT_ID="${AUTH_CLIENT_ID:-${AUTH0_CLIENT_ID}}"
+export AUTH_CLIENT_SECRET="${AUTH_CLIENT_SECRET}"
+export AUTH_AUDIENCE="${AUTH_AUDIENCE:-${AUTH0_AUDIENCE}}"
+export AUTH_REDIRECT_URI="${AUTH_REDIRECT_URI}"
+export AUTH_SILENT_REDIRECT_URI="${AUTH_SILENT_REDIRECT_URI}"
+export USE_AUTH0="${USE_AUTH0:-true}"
+export AUTH_SUPPORTED_SCOPES="${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}"
 
-export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
-export NETBIRD_MGMT_GRPC_API_ENDPOINT=${NETBIRD_MGMT_GRPC_API_ENDPOINT}
-export NETBIRD_HOTJAR_TRACK_ID=${NETBIRD_HOTJAR_TRACK_ID}
-export NETBIRD_GOOGLE_ANALYTICS_ID=${NETBIRD_GOOGLE_ANALYTICS_ID}
-export NETBIRD_GOOGLE_TAG_MANAGER_ID=${NETBIRD_GOOGLE_TAG_MANAGER_ID}
-export NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}
-export NETBIRD_DRAG_QUERY_PARAMS=${NETBIRD_DRAG_QUERY_PARAMS:-false}
-export NETBIRD_WASM_PATH=${NETBIRD_WASM_PATH}
+export NETBIRD_MGMT_API_ENDPOINT="$(echo "$NETBIRD_MGMT_API_ENDPOINT" | sed -E 's/(:80|:443)$//')"
+export NETBIRD_MGMT_GRPC_API_ENDPOINT="${NETBIRD_MGMT_GRPC_API_ENDPOINT}"
+export NETBIRD_HOTJAR_TRACK_ID="${NETBIRD_HOTJAR_TRACK_ID}"
+export NETBIRD_GOOGLE_ANALYTICS_ID="${NETBIRD_GOOGLE_ANALYTICS_ID}"
+export NETBIRD_GOOGLE_TAG_MANAGER_ID="${NETBIRD_GOOGLE_TAG_MANAGER_ID}"
+export NETBIRD_TOKEN_SOURCE="${NETBIRD_TOKEN_SOURCE:-accessToken}"
+export NETBIRD_DRAG_QUERY_PARAMS="${NETBIRD_DRAG_QUERY_PARAMS:-false}"
+export NETBIRD_WASM_PATH="${NETBIRD_WASM_PATH}"
 
 echo "NetBird latest version: ${NETBIRD_LATEST_VERSION}"
 
@@ -74,4 +74,4 @@ for f in $(grep -R -l AUTH_SUPPORTED_SCOPES /usr/share/nginx/html); do
     cp "$f" "$f".copy
     envsubst "$ENV_STR" < "$f".copy > "$f"
     rm "$f".copy
-done
+done

docker/nginx.conf

@@ -1,6 +1,4 @@
 # /etc/nginx/nginx.conf
-daemon off;
-
 user nginx;
 
 # Set number of worker processes automatically based on number of CPU cores.
@@ -136,7 +134,7 @@ http {
 
 
 	# Includes virtual hosts configs.
-	include /etc/nginx/http.d/*.conf;
+	include /etc/nginx/conf.d/*.conf;
 }
 
 # TIP: Uncomment if you use stream module.

src/app/(dashboard)/device-security/devices/page.tsx

@@ -0,0 +1,41 @@
+"use client";
+
+import Breadcrumbs from "@components/Breadcrumbs";
+import Paragraph from "@components/Paragraph";
+import SkeletonTable from "@components/skeletons/SkeletonTable";
+import { ShieldCheckIcon } from "lucide-react";
+import React, { lazy, Suspense } from "react";
+import PageContainer from "@/layouts/PageContainer";
+
+const DevicesTable = lazy(
+  () => import("@/modules/device-security/DevicesTable"),
+);
+
+export default function DevicesPage() {
+  return (
+    <PageContainer>
+      <div className={"p-default py-6"}>
+        <Breadcrumbs>
+          <Breadcrumbs.Item
+            href={"/device-security/devices"}
+            label={"Device Security"}
+            icon={<ShieldCheckIcon size={13} />}
+          />
+          <Breadcrumbs.Item
+            href={"/device-security/devices"}
+            label={"Devices"}
+            active
+          />
+        </Breadcrumbs>
+        <h1>Device Certificates</h1>
+        <Paragraph>
+          Certificates issued to devices in your network. Renew or revoke
+          certificates to control device access.
+        </Paragraph>
+      </div>
+      <Suspense fallback={<SkeletonTable />}>
+        <DevicesTable />
+      </Suspense>
+    </PageContainer>
+  );
+}

src/app/(dashboard)/device-security/enrollments/page.tsx

@@ -0,0 +1,42 @@
+"use client";
+
+import Breadcrumbs from "@components/Breadcrumbs";
+import Paragraph from "@components/Paragraph";
+import SkeletonTable from "@components/skeletons/SkeletonTable";
+import { ShieldCheckIcon } from "lucide-react";
+import React, { lazy, Suspense } from "react";
+import PageContainer from "@/layouts/PageContainer";
+
+const EnrollmentsTable = lazy(
+  () => import("@/modules/device-security/EnrollmentsTable"),
+);
+
+export default function EnrollmentsPage() {
+  return (
+    <PageContainer>
+        <div className="p-default py-6">
+          <Breadcrumbs>
+            <Breadcrumbs.Item
+              href="/device-security/enrollments"
+              label="Device Security"
+              icon={<ShieldCheckIcon size={13} />}
+            />
+            <Breadcrumbs.Item
+              href="/device-security/enrollments"
+              label="Enrollments"
+              active
+            />
+          </Breadcrumbs>
+          <h1>Device Enrollments</h1>
+          <Paragraph>
+            Review and manage device enrollment requests. Approve or reject
+            pending requests to control which devices can connect to your
+            network.
+          </Paragraph>
+        </div>
+        <Suspense fallback={<SkeletonTable />}>
+          <EnrollmentsTable />
+        </Suspense>
+    </PageContainer>
+  );
+}

src/app/(dashboard)/device-security/inventory/page.tsx

@@ -0,0 +1,2 @@
+import InventoryPage from "@/modules/device-security/InventoryPage";
+export default InventoryPage;