# FlowerCore SignalControl platform notes

This app owns the cluster web manager at `signalcontrol.iamworkin.lan` and documents the physical Pi pilot at `signal-a.iamworkin.lan` / `pirelay`.

## mTLS enrollment pattern
Do not install or restart anything from this repo. The intended pirelay pattern is the Pi-signage step-ca-agent shape:

- stable node identity: `pirelay`
- local private key and CSR generated on the node
- CSR submitted through the approved DeviceManagement/step-ca enrollment path
- client certificate and chain stored node-local under `/etc/flowercore/signalcontrol/mtls/`
- daily renewal timer, renewing only when fewer than 30 days remain
- certificate used for DM-agent to DM-web traffic and future SignalControl inter-service calls

Secrets, enrollment codes, private keys, p12 passphrases, and OIDC client secrets stay out of Git.

## Telemetry
Monitoring manifests add a dedicated Prometheus job:

- `signalcontrol-pi-app`
- target `10.0.58.113:5200`
- path `/metrics/prometheus`
- labels `instance="pirelay"`, `host="signal-a.iamworkin.lan"`, `service="signalcontrol-pi"`

Host metrics continue through the `edge-nodes` node_exporter target at `10.0.58.113:9100`.

## Physical-control audit
The app ships with `FlowerCore:SignalControl:PhysicalAudit:Enabled=false` and `ForwardingEnabled=false`. Enabling local audit creates a SHA-256 hash chain for physical-control mutations. Forwarding to `https://audit.iamworkin.lan/api/v1/audit/signalcontrol` requires flipping the forwarding gate separately.

Telemetry reads and `/metrics` scrapes are not audited.
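As an added illustration of what a SHA-256 hash chain over physical-control mutations gives an auditor (example code, not the app's own audit implementation; the record fields, the `GENESIS` value and the canonical JSON encoding are assumptions):

```python
import hashlib
import json

# Constructed example (not the app's own format): an append-only audit log for
# physical-control mutations where every entry carries the SHA-256 of its
# predecessor, so editing, dropping or reordering a stored record breaks a link.
GENESIS = "0" * 64  # assumed previous-hash value for the first entry


def canonical(record: dict) -> bytes:
    """Deterministic serialization so equal records always hash the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict, prev_hash: str) -> str:
    """SHA-256 of this record bound to the hash of the entry before it."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(record))
    return h.hexdigest()


def append(chain: list, record: dict) -> dict:
    """Append a mutation record, linking it to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": record_hash(record, prev)}
    chain.append(entry)
    return entry


def verify(chain: list) -> tuple:
    """Walk the chain from GENESIS; return (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i          # link does not point at the prior entry
        if record_hash(entry["record"], prev) != entry["hash"]:
            return False, i          # record body or stored hash was altered
        prev = entry["hash"]
    return True, -1


def demo() -> tuple:
    """Build a small chain, then tamper with a stored record after the fact."""
    chain = []
    append(chain, {"node": "pirelay", "op": "relay.set", "channel": 1, "state": "on"})
    append(chain, {"node": "pirelay", "op": "relay.set", "channel": 1, "state": "off"})
    append(chain, {"node": "pirelay", "op": "lamp.test", "channel": 2})
    ok_before, _ = verify(chain)
    chain[1]["record"]["state"] = "on"   # retroactive edit of entry 1
    ok_after, bad_index = verify(chain)
    return ok_before, ok_after, bad_index
```

Forwarding each entry's `hash` to the audit endpoint would let the remote side detect a truncated or rewritten local chain even if the node itself is compromised later.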