package main import ( "log" "net/http" "os" "strconv" "time" "greencoast/internal/api" "greencoast/internal/index" "greencoast/internal/storage" ) func getenvBool(key string, def bool) bool { v := os.Getenv(key) if v == "" { return def } b, err := strconv.ParseBool(v) if err != nil { return def } return b } func staticHeaders(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // Same security posture as API w.Header().Set("Referrer-Policy", "no-referrer") w.Header().Set("Cross-Origin-Opener-Policy", "same-origin") w.Header().Set("Cross-Origin-Resource-Policy", "same-site") w.Header().Set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()") w.Header().Set("X-Frame-Options", "DENY") w.Header().Set("X-Content-Type-Options", "nosniff") w.Header().Set("Strict-Transport-Security", "max-age=15552000; includeSubDomains; preload") // Basic CORS for client assets w.Header().Set("Access-Control-Allow-Origin", "*") if r.Method == http.MethodOptions { w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS") w.Header().Set("Access-Control-Allow-Headers", "Content-Type") w.WriteHeader(http.StatusNoContent) return } next.ServeHTTP(w, r) }) } func main() { // ---- Config via env ---- httpAddr := os.Getenv("GC_HTTP_ADDR") if httpAddr == "" { httpAddr = ":9080" // API } // Optional TLS for API httpsAddr := os.Getenv("GC_HTTPS_ADDR") // leave empty for HTTP certFile := os.Getenv("GC_TLS_CERT") keyFile := os.Getenv("GC_TLS_KEY") dataDir := os.Getenv("GC_DATA_DIR") if dataDir == "" { dataDir = "/var/lib/greencoast" } // Static dir + port (frontend) staticDir := os.Getenv("GC_STATIC_DIR") if staticDir == "" { staticDir = "/opt/greencoast/client" } staticAddr := os.Getenv("GC_STATIC_ADDR") if staticAddr == "" { staticAddr = ":9082" } coarseTS := getenvBool("GC_COARSE_TS", false) zeroTrust := getenvBool("GC_ZERO_TRUST", true) signingSecretHex := os.Getenv("GC_SIGNING_SECRET_HEX") // Discord SSO discID := os.Getenv("GC_DISCORD_CLIENT_ID") discSecret := os.Getenv("GC_DISCORD_CLIENT_SECRET") discRedirect := os.Getenv("GC_DISCORD_REDIRECT_URI") // ---- Storage ---- store, err := storage.NewFS(dataDir) if err != nil { log.Fatalf("storage init: %v", err) } // ---- Index ---- ix := index.New() // Optional: auto-reindex from disk on boot if w, ok := any(store).(interface { Walk(func(hash string, size int64, mod time.Time) error) error }); ok { if err := w.Walk(func(hash string, size int64, mod time.Time) error { return ix.Put(index.Entry{ Hash: hash, Bytes: size, StoredAt: mod.UTC().Format(time.RFC3339Nano), Private: false, }) }); err != nil { log.Printf("reindex on boot: %v", err) } } // ---- Auth/Providers ---- ap := api.AuthProviders{ SigningSecretHex: signingSecretHex, Discord: api.DiscordProvider{ Enabled: discID != "" && discSecret != "" && discRedirect != "", ClientID: discID, ClientSecret: discSecret, RedirectURI: discRedirect, }, } // ---- API server (9080/HTTPS optional) ---- srv := api.New(store, ix, coarseTS, zeroTrust, ap) // Serve the static client in a goroutine on 9082 go func() { if st, err := os.Stat(staticDir); err != nil || !st.IsDir() { log.Printf("WARN: GC_STATIC_DIR %q not found or not a dir; client may 404", staticDir) } mux := http.NewServeMux() mux.Handle("/", http.FileServer(http.Dir(staticDir))) log.Printf("static listening on %s (dir=%s)", staticAddr, staticDir) if err := http.ListenAndServe(staticAddr, staticHeaders(mux)); err != nil { log.Fatalf("static server: %v", err) } }() // Prefer HTTPS if configured if httpsAddr != "" && certFile != "" && keyFile != "" { log.Printf("starting HTTPS API on %s", httpsAddr) if err := srv.ListenHTTPS(httpsAddr, certFile, keyFile); err != nil { log.Fatal(err) } return } // Otherwise HTTP log.Printf("starting HTTP API on %s", httpAddr) if err := srv.ListenHTTP(httpAddr); err != nil { log.Fatal(err) } _ = time.Second }