Merge b9eb1406bb into bbc69f945e

Update release.yml
2026-03-22 11:08:28 +03:00 · 2026-03-22 11:04:09 +03:00 · 2026-03-22 10:36:54 +03:00 · 2026-03-22 10:28:06 +03:00 · 2026-03-22 00:27:16 +03:00 · 2026-03-22 00:18:54 +03:00
6 changed files with 345 additions and 143 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -4,7 +4,6 @@ on:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'
-      - '[0-9]+.[0-9]+.[0-9]+-*'
  workflow_dispatch:

 concurrency:
@ -13,204 +12,274 @@ concurrency:

 permissions:
  contents: read
+  packages: write

 env:
  CARGO_TERM_COLOR: always
-  RUST_BACKTRACE: "1"
  BINARY_NAME: telemt

 jobs:
-  prepare:
+# ==========================
+# GNU / glibc
+# ==========================
+  build-gnu:
+    name: GNU ${{ matrix.target }}
    runs-on: ubuntu-latest
-    outputs:
-      version: ${{ steps.meta.outputs.version }}
-      prerelease: ${{ steps.meta.outputs.prerelease }}
-      release_enabled: ${{ steps.meta.outputs.release_enabled }}
-    steps:
-      - id: meta
-        run: |
-          set -euo pipefail
-
-          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
-            VERSION="${GITHUB_REF#refs/tags/}"
-            RELEASE_ENABLED=true
-          else
-            VERSION="manual-${GITHUB_SHA::7}"
-            RELEASE_ENABLED=false
-          fi
-
-          if [[ "$VERSION" == *"-alpha"* || "$VERSION" == *"-beta"* || "$VERSION" == *"-rc"* ]]; then
-            PRERELEASE=true
-          else
-            PRERELEASE=false
-          fi
-
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-          echo "prerelease=$PRERELEASE" >> "$GITHUB_OUTPUT"
-          echo "release_enabled=$RELEASE_ENABLED" >> "$GITHUB_OUTPUT"
-
-  checks:
-    runs-on: ubuntu-latest
-    container:
-      image: debian:trixie
-    steps:
-      - run: |
-          apt-get update
-          apt-get install -y build-essential clang llvm pkg-config curl git
-
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-        with:
-          components: rustfmt, clippy
-
-      - uses: actions/cache@v4
-        with:
-          path: |
-            /github/home/.cargo/registry
-            /github/home/.cargo/git
-            target
-          key: checks-${{ hashFiles('**/Cargo.lock') }}
-
-      - run: cargo fetch --locked
-      - run: cargo fmt --all -- --check
-      - run: cargo clippy
-      - run: cargo test
-
-  build-binaries:
-    needs: [prepare, checks]
-    runs-on: ubuntu-latest
-    container:
-      image: debian:trixie

    strategy:
      fail-fast: false
      matrix:
        include:
-          - rust_target: x86_64-unknown-linux-gnu
-            zig_target: x86_64-unknown-linux-gnu.2.28
-            asset_name: telemt-x86_64-linux-gnu
-          - rust_target: aarch64-unknown-linux-gnu
-            zig_target: aarch64-unknown-linux-gnu.2.28
-            asset_name: telemt-aarch64-linux-gnu
-          - rust_target: x86_64-unknown-linux-musl
-            zig_target: x86_64-unknown-linux-musl
-            asset_name: telemt-x86_64-linux-musl
-          - rust_target: aarch64-unknown-linux-musl
-            zig_target: aarch64-unknown-linux-musl
-            asset_name: telemt-aarch64-linux-musl
+          - target: x86_64-unknown-linux-gnu
+            asset: telemt-x86_64-linux-gnu
+          - target: aarch64-unknown-linux-gnu
+            asset: telemt-aarch64-linux-gnu

    steps:
-      - run: |
-          apt-get update
-          apt-get install -y clang llvm pkg-config curl git python3 python3-pip file tar xz-utils
-
      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+
+      - uses: dtolnay/rust-toolchain@v1
        with:
-          targets: ${{ matrix.rust_target }}
+          toolchain: stable
+          targets: |
+            x86_64-unknown-linux-gnu
+            aarch64-unknown-linux-gnu
+
+      - name: Install deps
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            build-essential \
+            clang \
+            lld \
+            pkg-config \
+            gcc-aarch64-linux-gnu \
+            g++-aarch64-linux-gnu

      - uses: actions/cache@v4
        with:
          path: |
-            /github/home/.cargo/registry
-            /github/home/.cargo/git
+            ~/.cargo/registry
+            ~/.cargo/git
            target
-          key: build-${{ matrix.zig_target }}-${{ hashFiles('**/Cargo.lock') }}
+          key: gnu-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}

-      - run: |
-          python3 -m pip install --user --break-system-packages cargo-zigbuild
-          echo "/github/home/.local/bin" >> "$GITHUB_PATH"
+      - name: Build
+        run: |
+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then
+            export CC=aarch64-linux-gnu-gcc
+            export CXX=aarch64-linux-gnu-g++
+            export CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc
+            export CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++
+            export RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc"
+          else
+            export CC=clang
+            export CXX=clang++
+            export CC_x86_64_unknown_linux_gnu=clang
+            export CXX_x86_64_unknown_linux_gnu=clang++
+            export RUSTFLAGS="-C linker=clang -C link-arg=-fuse-ld=lld"
+          fi

-      - run: cargo fetch --locked
+          cargo build --release --target ${{ matrix.target }}

-      - run: |
-          cargo zigbuild --release --locked --target "${{ matrix.zig_target }}"
+      - name: Package
+        run: |
+          mkdir -p dist
+          BIN=target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}

-      - run: |
-          BIN="target/${{ matrix.rust_target }}/release/${BINARY_NAME}"
-          llvm-strip "$BIN" || true
+          cp "$BIN" dist/${{ env.BINARY_NAME }}-${{ matrix.target }}

-      - run: |
-          BIN="target/${{ matrix.rust_target }}/release/${BINARY_NAME}"
-          OUT="$RUNNER_TEMP/${{ matrix.asset_name }}"
-          mkdir -p "$OUT"
-          install -m755 "$BIN" "$OUT/${BINARY_NAME}"
-
-          tar -C "$RUNNER_TEMP" -czf "${{ matrix.asset_name }}.tar.gz" "${{ matrix.asset_name }}"
-          sha256sum "${{ matrix.asset_name }}.tar.gz" > "${{ matrix.asset_name }}.sha256"
+          cd dist
+          tar -czf ${{ matrix.asset }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }}
+          sha256sum ${{ matrix.asset }}.tar.gz > ${{ matrix.asset }}.sha256

      - uses: actions/upload-artifact@v4
        with:
-          name: ${{ matrix.asset_name }}
+          name: ${{ matrix.asset }}
          path: |
-            ${{ matrix.asset_name }}.tar.gz
-            ${{ matrix.asset_name }}.sha256
+            dist/${{ matrix.asset }}.tar.gz
+            dist/${{ matrix.asset }}.sha256

-  docker-image:
-    name: Docker ${{ matrix.platform }}
-    needs: [prepare, build-binaries]
+# ==========================
+# MUSL
+# ==========================
+  build-musl:
+    name: MUSL ${{ matrix.target }}
    runs-on: ubuntu-latest

+    container:
+      image: rust:slim-bookworm
+
    strategy:
+      fail-fast: false
      matrix:
        include:
-          - platform: linux/amd64
-            artifact: telemt-x86_64-linux-gnu
-          - platform: linux/arm64
-            artifact: telemt-aarch64-linux-gnu
+          - target: x86_64-unknown-linux-musl
+            asset: telemt-x86_64-linux-musl
+          - target: aarch64-unknown-linux-musl
+            asset: telemt-aarch64-linux-musl
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install deps
+        run: |
+          apt-get update
+          apt-get install -y \
+            musl-tools \
+            pkg-config \
+            curl
+
+      - uses: actions/cache@v4
+        if: matrix.target == 'aarch64-unknown-linux-musl'
+        with:
+          path: ~/.musl-aarch64
+          key: musl-toolchain-aarch64-v1
+
+      - name: Install aarch64 musl toolchain
+        if: matrix.target == 'aarch64-unknown-linux-musl'
+        run: |
+          set -e
+
+          TOOLCHAIN_DIR="$HOME/.musl-aarch64"
+          ARCHIVE="aarch64-linux-musl-cross.tgz"
+          URL="https://github.com/telemt/telemt/releases/download/toolchains/$ARCHIVE"
+
+          if [ -x "$TOOLCHAIN_DIR/bin/aarch64-linux-musl-gcc" ]; then
+            echo "✅ MUSL toolchain already installed"
+          else
+            echo "⬇️ Downloading musl toolchain from Telemt GitHub Releases..."
+
+            curl -fL \
+              --retry 5 \
+              --retry-delay 3 \
+              --connect-timeout 10 \
+              --max-time 120 \
+              -o "$ARCHIVE" "$URL"
+
+            mkdir -p "$TOOLCHAIN_DIR"
+            tar -xzf "$ARCHIVE" --strip-components=1 -C "$TOOLCHAIN_DIR"
+          fi
+
+          echo "$TOOLCHAIN_DIR/bin" >> $GITHUB_PATH
+
+      - name: Add rust target
+        run: rustup target add ${{ matrix.target }}
+
+      - uses: actions/cache@v4
+        with:
+          path: |
+            /usr/local/cargo/registry
+            /usr/local/cargo/git
+            target
+          key: musl-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Build
+        run: |
+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
+            export CC=aarch64-linux-musl-gcc
+            export CC_aarch64_unknown_linux_musl=aarch64-linux-musl-gcc
+            export RUSTFLAGS="-C target-feature=+crt-static -C linker=aarch64-linux-musl-gcc"
+          else
+            export CC=musl-gcc
+            export CC_x86_64_unknown_linux_musl=musl-gcc
+            export RUSTFLAGS="-C target-feature=+crt-static"
+          fi
+
+          cargo build --release --target ${{ matrix.target }}
+
+      - name: Package
+        run: |
+          mkdir -p dist
+          BIN=target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}
+
+          cp "$BIN" dist/${{ env.BINARY_NAME }}-${{ matrix.target }}
+
+          cd dist
+          tar -czf ${{ matrix.asset }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }}
+          sha256sum ${{ matrix.asset }}.tar.gz > ${{ matrix.asset }}.sha256
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.asset }}
+          path: |
+            dist/${{ matrix.asset }}.tar.gz
+            dist/${{ matrix.asset }}.sha256
+
+# ==========================
+# Docker
+# ==========================
+  docker:
+    name: Docker
+    runs-on: ubuntu-latest
+    needs: [build-gnu, build-musl]
+    continue-on-error: true

    steps:
      - uses: actions/checkout@v4

      - uses: actions/download-artifact@v4
        with:
-          name: ${{ matrix.artifact }}
-          path: dist
+          path: artifacts

-      - run: |
-          mkdir docker-build
-          tar -xzf dist/*.tar.gz -C docker-build --strip-components=1
+      - name: Extract binaries
+        run: |
+          mkdir dist
+          find artifacts -name "*.tar.gz" -exec tar -xzf {} -C dist \;

+          cp dist/telemt-x86_64-unknown-linux-musl dist/telemt || true
+
+      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3

-      - name: Login
-        if: ${{ needs.prepare.outputs.release_enabled == 'true' }}
+      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - uses: docker/build-push-action@v6
-        with:
-          context: ./docker-build
-          platforms: ${{ matrix.platform }}
-          push: ${{ needs.prepare.outputs.release_enabled == 'true' }}
-          tags: ghcr.io/${{ github.repository }}:${{ needs.prepare.outputs.version }}
-          cache-from: type=gha,scope=telemt-${{ matrix.platform }}
-          cache-to: type=gha,mode=max,scope=telemt-${{ matrix.platform }}
-          provenance: false
-          sbom: false
+      - name: Extract version
+        id: vars
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT

+      - name: Build & Push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository }}:${{ steps.vars.outputs.VERSION }}
+            ghcr.io/${{ github.repository }}:latest
+          build-args: |
+            BINARY=dist/telemt
+
+# ==========================
+# Release
+# ==========================
  release:
-    if: ${{ needs.prepare.outputs.release_enabled == 'true' }}
-    needs: [prepare, build-binaries]
+    name: Release
    runs-on: ubuntu-latest
+    needs: [build-gnu, build-musl]
+
    permissions:
      contents: write

    steps:
      - uses: actions/download-artifact@v4
        with:
-          path: release-artifacts
-          pattern: telemt-*
+          path: artifacts

-      - run: |
-          mkdir upload
-          find release-artifacts -type f \( -name '*.tar.gz' -o -name '*.sha256' \) -exec cp {} upload/ \;
+      - name: Flatten artifacts
+        run: |
+          mkdir dist
+          find artifacts -type f -exec cp {} dist/ \;

-      - uses: softprops/action-gh-release@v2
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
        with:
-          files: upload/*
+          files: dist/*
          generate_release_notes: true
-          prerelease: ${{ needs.prepare.outputs.prerelease == 'true' }}
+          draft: false
+          prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-beta') || contains(github.ref, '-alpha') }}
--- a/65
+++ b/65
@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # ==========================
 # Stage 1: Build
 # ==========================
@ -5,36 +7,87 @@ FROM rust:1.88-slim-bookworm AS builder

 RUN apt-get update && apt-get install -y --no-install-recommends \
    pkg-config \
+    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

 WORKDIR /build

+# Depcache
 COPY Cargo.toml Cargo.lock* ./
 RUN mkdir src && echo 'fn main() {}' > src/main.rs && \
    cargo build --release 2>/dev/null || true && \
    rm -rf src

+# Build
 COPY . .
 RUN cargo build --release && strip target/release/telemt

 # ==========================
-# Stage 2: Runtime
+# Stage 2: Compress (strip + UPX)
 # ==========================
-FROM debian:bookworm-slim
+FROM debian:12-slim AS minimal
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    upx \
+    binutils \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /build/target/release/telemt /telemt
+
+RUN strip /telemt || true
+RUN upx --best --lzma /telemt || true
+
+# ==========================
+# Stage 3: Debug base
+# ==========================
+FROM debian:12-slim AS debug-base

 RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
+    tzdata \
+    curl \
+    iproute2 \
+    busybox \
    && rm -rf /var/lib/apt/lists/*

-RUN useradd -r -s /usr/sbin/nologin telemt
+# ==========================
+# Stage 4: Debug image
+# ==========================
+FROM debug-base AS debug

 WORKDIR /app

-COPY --from=builder /build/target/release/telemt /app/telemt
+COPY --from=minimal /telemt /app/telemt
 COPY config.toml /app/config.toml

-RUN chown -R telemt:telemt /app
-USER telemt
+USER root
+
+EXPOSE 443
+EXPOSE 9090
+EXPOSE 9091
+
+ENTRYPOINT ["/app/telemt"]
+CMD ["config.toml"]
+
+# ==========================
+# Stage 5: Production (distroless)
+# ==========================
+FROM gcr.io/distroless/base-debian12 AS prod
+
+WORKDIR /app
+
+COPY --from=minimal /telemt /app/telemt
+COPY config.toml /app/config.toml
+
+# TLS + timezone + shell
+COPY --from=debug-base /etc/ssl/certs /etc/ssl/certs
+COPY --from=debug-base /usr/share/zoneinfo /usr/share/zoneinfo
+COPY --from=debug-base /bin/busybox /bin/busybox
+
+RUN ["/bin/busybox", "--install", "-s", "/bin"]
+
+# distroless user
+USER nonroot:nonroot

 EXPOSE 443
 EXPOSE 9090
--- a/docs/API.md
+++ b/docs/API.md
@ -1060,6 +1060,8 @@ Link generation uses active config and enabled modes:
 | `PATCH /v1/users/{username}` | Partial update of provided fields only. Missing fields remain unchanged. Current implementation persists full config document on success. |
 | `POST /v1/users/{username}/rotate-secret` | Currently returns `404` in runtime route matcher; request schema is reserved for intended behavior. |
 | `DELETE /v1/users/{username}` | Deletes only specified user, removes this user from related optional `access.user_*` maps, blocks last-user deletion, and atomically updates only related `access.*` TOML tables. |
+| `POST /v1/users/{username}/reset-octets` | Resets the per-user octet counters (`octets_from_client` and `octets_to_client`) to zero. Returns `{ "username": "...", "octets_reset": true }`. Useful for implementing periodic (monthly/daily) quota resets without restarting the proxy. |
+| `POST /v1/users/reset-octets` | Resets octet counters for **all** tracked users. Returns `{ "users_reset": N }`. |

 All mutating endpoints:
 - Respect `read_only` mode.
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@ -372,6 +372,19 @@ async fn handle(
                .await;
                Ok(success_response(StatusCode::OK, users, revision))
            }
+            ("POST", "/v1/users/reset-octets") => {
+                let count = shared.stats.reset_all_user_octets();
+                shared.runtime_events.record(
+                    "api.users.reset_octets.ok",
+                    format!("users_reset={}", count),
+                );
+                let revision = current_revision(&shared.config_path).await?;
+                Ok(success_response(
+                    StatusCode::OK,
+                    model::ResetAllOctetsResponse { users_reset: count },
+                    revision,
+                ))
+            }
            ("POST", "/v1/users") => {
                if api_cfg.read_only {
                    return Ok(error_response(
@ -523,6 +536,37 @@ async fn handle(
                        );
                        return Ok(success_response(StatusCode::OK, data, revision));
                    }
+                    // POST /v1/users/{username}/reset-octets
+                    if method == Method::POST
+                        && let Some(base_user) = user.strip_suffix("/reset-octets")
+                        && !base_user.is_empty()
+                        && !base_user.contains('/')
+                    {
+                        let found = shared.stats.reset_user_octets(base_user);
+                        shared.runtime_events.record(
+                            if found { "api.user.reset_octets.ok" } else { "api.user.reset_octets.not_found" },
+                            format!("username={}", base_user),
+                        );
+                        if !found {
+                            return Ok(error_response(
+                                request_id,
+                                ApiFailure::new(
+                                    StatusCode::NOT_FOUND,
+                                    "user_not_found",
+                                    &format!("No stats entry for user '{}'", base_user),
+                                ),
+                            ));
+                        }
+                        let revision = current_revision(&shared.config_path).await?;
+                        return Ok(success_response(
+                            StatusCode::OK,
+                            model::ResetOctetsResponse {
+                                username: base_user.to_string(),
+                                octets_reset: true,
+                            },
+                            revision,
+                        ));
+                    }
                    if method == Method::POST {
                        return Ok(error_response(
                            request_id,
--- a/src/api/model.rs
+++ b/src/api/model.rs
@ -459,6 +459,17 @@ pub(super) struct CreateUserRequest {
    pub(super) max_unique_ips: Option<usize>,
 }

+#[derive(Serialize)]
+pub(super) struct ResetOctetsResponse {
+    pub(super) username: String,
+    pub(super) octets_reset: bool,
+}
+
+#[derive(Serialize)]
+pub(super) struct ResetAllOctetsResponse {
+    pub(super) users_reset: usize,
+}
+
 #[derive(Deserialize)]
 pub(super) struct PatchUserRequest {
    pub(super) secret: Option<String>,
--- a/src/stats/mod.rs
+++ b/src/stats/mod.rs
@ -1745,6 +1745,29 @@ impl Stats {
            .unwrap_or(0)
    }
    
+
+    /// Reset per-user octet counters to zero (both from_client and to_client).
+    /// Used by the API to implement periodic quota resets without restarting the proxy.
+    pub fn reset_user_octets(&self, user: &str) -> bool {
+        if let Some(entry) = self.user_stats.get(user) {
+            entry.octets_from_client.store(0, Ordering::Relaxed);
+            entry.octets_to_client.store(0, Ordering::Relaxed);
+            true
+        } else {
+            false
+        }
+    }
+
+    /// Reset octet counters for all tracked users.
+    pub fn reset_all_user_octets(&self) -> usize {
+        let mut count = 0;
+        for entry in self.user_stats.iter() {
+            entry.octets_from_client.store(0, Ordering::Relaxed);
+            entry.octets_to_client.store(0, Ordering::Relaxed);
+            count += 1;
+        }
+        count
+    }
    pub fn get_handshake_timeouts(&self) -> u64 { self.handshake_timeouts.load(Ordering::Relaxed) }
    pub fn get_upstream_connect_attempt_total(&self) -> u64 {
        self.upstream_connect_attempt_total.load(Ordering::Relaxed)
Author	SHA1	Message	Date
Saman	eeba759268	Merge `b9eb1406bb` into `bbc69f945e`	2026-03-22 11:08:28 +03:00
Alexey	bbc69f945e	Update release.yml	2026-03-22 11:04:09 +03:00
Alexey	9de8b2f0bf	Update release.yml	2026-03-22 10:36:54 +03:00
Alexey	4e5b67bae8	Update release.yml	2026-03-22 10:28:06 +03:00
Alexey	73f218b62a	Update release.yml	2026-03-22 00:27:16 +03:00
Alexey	13ff3af1db	Update release.yml	2026-03-22 00:18:54 +03:00
Alexey	77f717e3d1	Merge pull request #534 from telemt/workflow Update release.yml	2026-03-22 00:16:11 +03:00
Alexey	db3e246390	Update release.yml	2026-03-22 00:15:56 +03:00
Alexey	b74ba38d40	Merge pull request #533 from telemt/workflow Workflow	2026-03-22 00:10:38 +03:00
Alexey	269fce839f	Update Dockerfile	2026-03-22 00:10:19 +03:00
Alexey	5a4072c964	Update release.yml	2026-03-22 00:08:16 +03:00
SamNet-dev	b9eb1406bb	feat(api): add POST /v1/users/{username}/reset-octets endpoint Add endpoints to reset per-user octet counters without restarting the proxy, enabling external tools to implement periodic (monthly/daily) quota resets. New endpoints: - POST /v1/users/{username}/reset-octets — reset single user - POST /v1/users/reset-octets — reset all users Changes: - stats/mod.rs: add reset_user_octets() and reset_all_user_octets() - api/mod.rs: add route handlers for both endpoints - api/model.rs: add ResetOctetsResponse and ResetAllOctetsResponse - docs/API.md: document new endpoints Closes #510	2026-03-20 09:24:30 -05:00