tenseleyflow/hyprkvm / 34378cc

+    /// Enable TLS encryption (default: false for backwards compatibility)

+    #[serde(default)]

+    pub enabled: bool,

+

+

+    /// Enable TOFU (Trust On First Use) for unknown peers

+    #[serde(default = "default_true")]

+    pub tofu: bool,

+            enabled: false, // Default to false for backwards compatibility

+            tofu: true,

+    /// Pre-trusted certificate fingerprint (optional, for TLS pinning)

+    #[serde(default, skip_serializing_if = "Option::is_none")]

+

+    /// Override TLS setting for this neighbor (uses global setting if None)

+    #[serde(default, skip_serializing_if = "Option::is_none")]

+    pub tls: Option<bool>,

+    // TLS setup (if enabled)

+    let tls_enabled = config.network.tls.enabled;

+    if tls_enabled {

+        info!("TLS is enabled, ensuring certificates exist...");

+        let cert_path = std::path::Path::new(&config.network.tls.cert_path);

+        let key_path = std::path::Path::new(&config.network.tls.key_path);

+

+        if let Err(e) = network::ensure_certificate(cert_path, key_path, &config.machines.self_name) {

+            anyhow::bail!("Failed to setup TLS certificates: {}", e);

+        }

+

+        // Print certificate fingerprint for users to share

+        match network::get_cert_fingerprint(cert_path) {

+            Ok(fp) => {

+                info!("Certificate fingerprint: {}", fp);

+                info!("Share this fingerprint with peers for secure verification");

+            }

+            Err(e) => {

+                tracing::warn!("Could not read certificate fingerprint: {}", e);

+            }

+        }

+    } else {

+        info!("TLS is disabled (plain TCP mode for backwards compatibility)");

+    }

+

+    let server = if tls_enabled {

+        let cert_path = std::path::Path::new(&config.network.tls.cert_path);

+        let key_path = std::path::Path::new(&config.network.tls.key_path);

+        network::Server::bind_tls(listen_addr, cert_path, key_path).await?

+    } else {

+        network::Server::bind(listen_addr).await?

+    };

+    info!("Listening for connections on {} (TLS: {})", server.local_addr(), tls_enabled);

+        let neighbor_name = neighbor.name.clone();

+

+        // Determine if TLS should be used for this neighbor

+        // Per-neighbor override takes precedence over global setting

+        let use_tls = neighbor.tls.unwrap_or(tls_enabled);

+        let fingerprint = neighbor.fingerprint.clone();

+        let tofu_enabled = config.network.tls.tofu;

+                tracing::debug!("Connecting to {} at {} (TLS: {})...", direction, addr, use_tls);

+

+                // Connect with or without TLS

+                let conn_result = if use_tls {

+                    network::connect_tls(

+                        addr,

+                        &neighbor_name,

+                        fingerprint.as_deref(),

+                        tofu_enabled,

+                    ).await

+                } else {

+                    network::connect(addr).await

+                };

+

+                match conn_result {

+

+                                // Determine TLS settings for this neighbor

+                                let use_tls = n.tls.unwrap_or(tls_enabled);

+                                let fingerprint = n.fingerprint.clone();

+                                let tofu = config.network.tls.tofu;

+

+                                    // Connect with or without TLS

+                                    let conn_result = if use_tls {

+                                        network::connect_tls(addr, &neighbor_name, fingerprint.as_deref(), tofu).await

+                                    } else {

+                                        network::connect(addr).await

+                                    };

+

+                                    match conn_result {

+#![allow(unused_imports)]

+

+    #[allow(dead_code)]

+    #[allow(dead_code)]

+use tokio_rustls::TlsAcceptor;