Add AI monitoring enhancements and host metadata features

- Add host metadata API for custom URL editing on hosts page - Enhance AI routing with unified resource provider lookup - Add encryption key watcher script for debugging key issues - Improve AI service with better command timeout handling - Update dev environment workflow with key monitoring docs - Fix resource store deduplication logic
2026-02-18 00:17:39 +01:00 · 2025-12-09 16:27:46 +00:00
parent 927ac76bad
commit c8adbb7ae5
17 changed files with 1101 additions and 110 deletions
--- a/scripts/hot-dev.sh
+++ b/scripts/hot-dev.sh
@@ -241,6 +241,26 @@ else
        log_info "Production mode: Using dev config directory: ${PULSE_DATA_DIR}"
    fi

+    # Auto-restore encryption key from backup if missing
+    if [[ ! -f "${PULSE_DATA_DIR}/.encryption.key" ]]; then
+        BACKUP_KEY=$(find "${PULSE_DATA_DIR}" -maxdepth 1 -name '.encryption.key.bak*' -type f 2>/dev/null | head -1)
+        if [[ -n "${BACKUP_KEY}" ]] && [[ -f "${BACKUP_KEY}" ]]; then
+            echo ""
+            log_error "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+            log_error "!! ENCRYPTION KEY WAS MISSING - AUTO-RESTORING FROM BACKUP !!"
+            log_error "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+            log_error "!! Backup used: ${BACKUP_KEY}"
+            log_error "!! "
+            log_error "!! To find out what deleted the key, run:"
+            log_error "!!   sudo journalctl -u encryption-key-watcher -n 100"
+            log_error "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+            echo ""
+            cp -f "${BACKUP_KEY}" "${PULSE_DATA_DIR}/.encryption.key"
+            chmod 600 "${PULSE_DATA_DIR}/.encryption.key"
+            log_info "Restored encryption key from backup"
+        fi
+    fi
+
    if [[ -z ${PULSE_ENCRYPTION_KEY:-} ]]; then
        if [[ -f "${PULSE_DATA_DIR}/.encryption.key" ]]; then
            export PULSE_ENCRYPTION_KEY="$(<"${PULSE_DATA_DIR}/.encryption.key")"
--- a/scripts/sync-production-config.sh
+++ b/scripts/sync-production-config.sh
@@ -22,6 +22,29 @@ echo ""
 HAVE_PROD_KEY=false

 # CRITICAL: Always sync production encryption key to dev when it exists
+# First, check if the key is missing but a backup exists - auto-restore it
+if [ ! -f "$PROD_DIR/.encryption.key" ]; then
+    # Look for backup keys in production directory
+    BACKUP_KEY=$(find "$PROD_DIR" -maxdepth 1 -name '.encryption.key.bak*' -type f 2>/dev/null | head -1)
+    if [ -n "$BACKUP_KEY" ] && [ -f "$BACKUP_KEY" ]; then
+        echo ""
+        echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+        echo "!! ENCRYPTION KEY WAS MISSING - AUTO-RESTORING FROM BACKUP !!"
+        echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+        echo "!! Backup used: $BACKUP_KEY"
+        echo "!! "
+        echo "!! To find out what deleted the key, run:"
+        echo "!!   sudo journalctl -u encryption-key-watcher -n 100"
+        echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+        echo ""
+        cp -f "$BACKUP_KEY" "$PROD_DIR/.encryption.key"
+        chmod 600 "$PROD_DIR/.encryption.key"
+        # Ensure proper ownership (may need root, so try but don't fail)
+        chown pulse:pulse "$PROD_DIR/.encryption.key" 2>/dev/null || true
+        echo "✓ Restored encryption key from backup"
+    fi
+fi
+
 if [ -f "$PROD_DIR/.encryption.key" ]; then
    if [ ! -f "$DEV_DIR/.encryption.key" ]; then
        cp -f "$PROD_DIR/.encryption.key" "$DEV_DIR/.encryption.key"
--- a/scripts/watch-encryption-key.sh
+++ b/scripts/watch-encryption-key.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+# Watch the encryption key file for any modifications or deletions
+# Logs to journald with full context about what process did it
+
+LOG_TAG="encryption-key-watcher"
+WATCH_DIR="/etc/pulse"
+WATCH_FILE=".encryption.key"
+
+log_event() {
+    local event="$1"
+    local file="$2"
+    
+    # Get current process info
+    echo "[$LOG_TAG] EVENT: $event on $file at $(date '+%Y-%m-%d %H:%M:%S')"
+    
+    # Try to capture what processes are accessing /etc/pulse
+    echo "[$LOG_TAG] Processes with open files in /etc/pulse:"
+    lsof +D /etc/pulse 2>/dev/null | head -20 || echo "  (lsof failed)"
+    
+    # Log the current state of the file
+    if [[ -f "$WATCH_DIR/$WATCH_FILE" ]]; then
+        echo "[$LOG_TAG] File still exists: $(ls -la "$WATCH_DIR/$WATCH_FILE")"
+    else
+        echo "[$LOG_TAG] *** FILE IS MISSING! ***"
+        echo "[$LOG_TAG] Contents of $WATCH_DIR:"
+        ls -la "$WATCH_DIR" | grep -i enc
+    fi
+    
+    # Log recent sudo commands
+    echo "[$LOG_TAG] Recent sudo activity:"
+    journalctl -u sudo --since "2 minutes ago" --no-pager 2>/dev/null | tail -10 || true
+}
+
+echo "[$LOG_TAG] Starting encryption key watcher..."
+echo "[$LOG_TAG] Monitoring: $WATCH_DIR/$WATCH_FILE"
+
+# Watch for all relevant events on the directory
+inotifywait -m -e delete,move,modify,attrib,create "$WATCH_DIR" --format '%e %f' 2>/dev/null | while read event file; do
+    # Only log events related to encryption key
+    if [[ "$file" == ".encryption.key"* ]]; then
+        log_event "$event" "$file"
+    fi
+done