
Add support tunnel functionality

Open rtertiaer opened this issue 1 year ago • 1 comments

Users of AmpliPis ought to have the ability to instantiate a support tunnel connection from their appliances in the field to a Micro-Nova shell server. This will allow us to easily see bugs in the field and shorten the feedback loop between a support request and fix.

This implementation will need to be extremely transparent, privacy preserving and rigorously secure. Any proposed implementation should check these boxes:

  • [ ] e2e encrypted
  • [ ] all access to customer appliances requires two factors and explicit customer action to provide access
  • [ ] the design should not permit customer boxes to access internal micronova resources
  • [ ] logs of all access & interactions with the appliance should be available for the end user to peruse

more?

rtertiaer, Jan 03 '24 19:01

A quick sketch of a proposed implementation might look something like this:

  • on the amplipi, a form with some details is filled out and a button labelled "start a support tunnel" is clicked
  • amplipi generates a public/private key and passphrase for a wireguard tunnel
  • an API server at micronova listens for requests for support. an amplipi POSTs the public key to this service
  • the service creates a queue of "support requests" with the details of the support tunnel request
  • when a particular item in the queue is approved by a micronova engineer, the service launches a throwaway VM; this then instantiates its own wireguard material and through the API provides that public key back to the amplipi (cons: we may need to spend money. the amplipi probably needs to poll until this key material is available.)
  • the passphrase the amplipi generates is provided out of band by the customer in a support request and is used as both the wireguard tunnel PSK and ssh password.
  • after a session, .bash_history is uploaded someplace and provided to the end user (this is not a great implementation of the transparency here - would love ideas.)
  • the web service (and possibly the appliance itself) reaps all VMs/connections that have been idle for X hrs, or when explicitly closed.

rtertiaer, Jan 03 '24 19:01
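
An added sketch (not AmpliPi or Micro-Nova code) of the appliance-side passphrase handling in the steps above. WireGuard's `PresharedKey` must be a base64-encoded 32-byte value, so a typed passphrase has to pass through a KDF first; here it is stretched with scrypt and split into separate tunnel and SSH secrets. The `request_id` salt, the derivation labels and all function names are assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Alphabet without look-alikes (0/o, 1/l/i) so the passphrase survives a phone call.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def generate_passphrase(groups=5, group_len=4):
    """Random passphrase the customer relays out of band (roughly 99 bits)."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups))

def derive_secrets(passphrase, request_id):
    """Stretch the passphrase once, then split it into two independent secrets."""
    # request_id (hypothetical) salts the KDF so a reused passphrase yields new keys.
    master = hashlib.scrypt(passphrase.encode(), salt=request_id.encode(),
                            n=2**14, r=8, p=1, dklen=32)
    def subkey(label):
        return hmac.new(master, label, hashlib.sha256).digest()
    return {
        # Standard base64 of exactly 32 bytes, the form wg expects for PresharedKey.
        "wg_psk": base64.b64encode(subkey(b"wireguard-psk")).decode(),
        # Distinct label: learning one secret does not reveal the other.
        "ssh_password": base64.urlsafe_b64encode(subkey(b"ssh-password")).decode().rstrip("="),
    }

def build_support_request(request_id, details, wg_public_key):
    """Body the appliance POSTs: form details and the public key, no secrets."""
    return json.dumps({"request_id": request_id, "details": details,
                       "wg_public_key": wg_public_key}, sort_keys=True)

if __name__ == "__main__":
    rid = "req-0001"                 # constructed sample id
    pubkey = "A" * 43 + "="          # constructed placeholder, not a real key
    pw = generate_passphrase()
    print("give this to support out of band:", pw)
    print("POST body:", build_support_request(rid, {"issue": "no audio"}, pubkey))
    print("PSK length:", len(base64.b64decode(derive_secrets(pw, rid)["wg_psk"])))
```

The engineer's side runs the same `derive_secrets` on the passphrase from the support request, so neither derived secret crosses the API.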