feat: Phase 8 — encrypt credentials at rest, DHT refresh, pkarr eval
- Credentials now encrypted with ChaCha20-Poly1305 using node key - Auto-detects plaintext JSON for migration from existing installs - Added did:dht auto-refresh background task (every 2 hours) - Documented pkarr evaluation findings Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -156,6 +156,36 @@ impl Server {
|
||||
});
|
||||
}
|
||||
|
||||
// did:dht auto-refresh — re-publish DHT records every 2 hours
|
||||
if config.nostr_discovery_enabled {
|
||||
let data_dir = config.data_dir.clone();
|
||||
tokio::spawn(async move {
|
||||
let mut interval = tokio::time::interval(Duration::from_secs(7200));
|
||||
loop {
|
||||
interval.tick().await;
|
||||
let identity_dir = data_dir.join("identity");
|
||||
let node_key_path = identity_dir.join("node_key");
|
||||
if !node_key_path.exists() {
|
||||
continue;
|
||||
}
|
||||
match tokio::fs::read(&node_key_path).await {
|
||||
Ok(key_bytes) if key_bytes.len() == 32 => {
|
||||
let mut seed = [0u8; 32];
|
||||
seed.copy_from_slice(&key_bytes);
|
||||
let signing_key = ed25519_dalek::SigningKey::from_bytes(&seed);
|
||||
match crate::network::did_dht::create_and_publish(&signing_key, &[]).await {
|
||||
Ok(did) => tracing::info!(did = %did, "did:dht record refreshed"),
|
||||
Err(e) => tracing::debug!("did:dht refresh (non-fatal): {}", e),
|
||||
}
|
||||
}
|
||||
_ => {
|
||||
tracing::debug!("did:dht refresh skipped: no valid node key");
|
||||
}
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
// Container health monitoring — auto-restart unhealthy containers
|
||||
// Respects webhook config: skips when disabled or ContainerCrash not subscribed
|
||||
crate::health_monitor::spawn_health_monitor(state_manager.clone(), config.data_dir.clone());
|
||||
|
||||
Reference in New Issue
Block a user