Update readme

Author: cilki

Cargo.lock

@@ -8,13 +8,42 @@
 
 <hr>
 
-`sandpolis` is a **virtual estate monitoring/management tool** under active
-development.
+`sandpolis` is a **virtual estate monitoring/management tool** (VEM²) under
+active development.
 
 <p align="center">
 	<img src="https://raw.githubusercontent.com/fossable/sandpolis/master/.github/images/overview.png" />
 </p>
 
+## Virtual estate
+
+Virtual/digital estate is an all-encompassing term that generally refers to all
+of the (non-physical) assets in your possession. Some of them may be entirely
+virtual, like accounts on _github.com_. Others have a physical component as
+well, like a server in your closet, Raspberry Pi, or laptop.
+
+All of these entities are part of your _virtual estate_ and are often
+intricately connected in various ways. As an example, you might have an SSH key
+or API token on your machine that grants access to repositories (a kind of
+digital asset) on Github. And suppose your machine also has an authorized key
+installed that allows access from another machine:
+
+```
+┌──────────┐  SSH Key  ┌──────────┐  API Token  ┌───────────────────┐
+│Machine A ┼───────────►Machine B ┼─────────────► Github            │
+└──────────┘           └──────────┘             │                   │
+                                                │  - Private repos  │
+                                                └───────────────────┘
+```
+
+If you care about those repos, then Sandpolis can map out an attack surface that
+includes both `Machine A` and `Machine B`. If `Machine A` happens to have a weak
+password or one that's shared with another website, then the attack surface is
+consequently expanded with appropriate probabilities.
+
+Mapping these relationships automatically is possible because Sandpolis runs an
+agent on `Machine A` and `Machine B` (and has API access to Github).
+
 ## Security Warning
 
 Sandpolis is an extremely high-value attack target as it provides management
@@ -27,23 +56,36 @@ available:
 
 - Users can be required to login with two-factor authentication codes.
 
-- User permissions can restrict what users are able to do and on what instances.
-
-- Agents can optionally run in _read only_ mode which still provides useful
-  information, but prohibits all write operations. This can significantly
-  mitigate potential damage in the event of server compromise.
+- User permissions restrict what users are able to do and on what instances.
 
 Even with several layers of strong authentication, there's always risk that the
-Sandpolis server can be compromised. If the risks of "single point of
-compromise" outweigh the convenience of having a unified management interface,
-then **don't use Sandpolis**.
+Sandpolis server can be compromised. If the risks of introducing a "single point
+of compromise" outweigh the convenience of having a unified management
+interface, then **don't use Sandpolis**.
+
+You can choose how much trust you allocate to the Sandpolis network. For
+example, agents can optionally run in _read only_ mode which still provides
+useful monitoring information, but prohibits all write operations (including
+agent updates). This can significantly mitigate potential damage in the event of
+server compromise.
 
 ## Layers
 
-Features are organized into _layers_ that can be toggled on/off in the UI.
+Features are organized into _layers_ that can be toggled on/off in the UI. If
+you build Sandpolis from source, it's also easy to pick and choose what layers
+are included:
+
+```sh
+# Build the Sandpolis server with remote desktop capabilities ONLY
+cargo build --no-default-features --features server --features layer-desktop
+```
 
 ### Account
 
+Models online/offline accounts and their relationships to agent instances.
+Enables higher-order analysis of virtual estate like attack surface mapping and
+compromise tracing.
+
 ### Alert
 
 Triggers user notifications when certain events are detected in the Sandpolis
@@ -57,24 +99,71 @@ Provides access to remote desktop capabilities.
 ### Filesystem
 
 Provides read/write access to agent filesystems. The Sandpolis client can also
-mount a remote filesystem.
+mount an agent's filesystem.
 
 ### Logging
 
 ### Package
 
-Integrates with the package manager on agents to manages package versions.
+Integrates with package managers to monitor package versions.
 
 ### Probe
 
 Probes are managable from the Sandpolis network, but don't run agent software.
 Instead, a remote Sandpolis agent instance connects to probes over a standard
 protocol like SSH, SNMP, Docker, etc.
 
+You can interact with probes almost as if they were regular agents (as long as
+the gateway instance remains online).
+
 ### Shell
 
 Provides an interactive remote shell.
 
 ### Tunnel
 
 ### User
+
+## Installation
+
+<details>
+<summary>Crates.io</summary>
+
+![Crates.io Total Downloads](https://img.shields.io/crates/d/sandpolis)
+
+#### Install from crates.io
+
+```sh
+cargo install sandpolis
+```
+
+</details>
+
+<details>
+<summary>Docker</summary>
+
+#### Install server from DockerHub
+
+![Docker Pulls](https://img.shields.io/docker/pulls/sandpolis/server)
+![Docker Image Size](https://img.shields.io/docker/image-size/sandpolis/server)
+![Docker Stars](https://img.shields.io/docker/stars/sandpolis/server)
+
+```yml
+# Docker compose
+services:
+	sandpolis-server:
+		image: sandpolis/server
+		restart: unless-stopped
+```
+
+#### Install client from DockerHub
+
+![Docker Pulls](https://img.shields.io/docker/pulls/sandpolis/client)
+![Docker Image Size](https://img.shields.io/docker/image-size/sandpolis/client)
+![Docker Stars](https://img.shields.io/docker/stars/sandpolis/client)
+
+```sh
+alias sandpolis-client="docker run --rm sandpolis/client"
+```
+
+</details>

README.md

@@ -1,20 +1,40 @@
-use ratatui::{buffer::Buffer, crossterm::event::KeyCode, layout::Rect};
-use std::collections::HashMap;
+use ratatui::text::Text;
+use ratatui::widgets::Cell;
+use ratatui::{buffer::Buffer, crossterm::event::KeyCode, layout::Rect, widgets::WidgetRef};
+use ratatui::{
+    layout::Constraint,
+    style::{Style, Stylize},
+    widgets::{Block, Row, Table},
+};
 
 /// Shows help message
 pub struct HelpWidget {
-    pub keybindings: HashMap<KeyCode, String>,
+    pub keybindings: Vec<(KeyCode, String)>,
 }
 
 impl HelpWidget {
     pub fn height(&self) -> u16 {
-        todo!()
+        self.keybindings.len() as u16
     }
 }
 
 impl WidgetRef for HelpWidget {
     fn render_ref(&self, area: Rect, buf: &mut Buffer) {
-        let block = Block::default().borders(Borders::ALL);
-        block.render(area, buf);
+        let rows: Vec<Row> = self
+            .keybindings
+            .iter()
+            .map(|(key, description)| {
+                Row::new(vec![
+                    Cell::from(description.clone()).italic(),
+                    Cell::from(Text::from(key.to_string()).right_aligned()).bold(),
+                ])
+            })
+            .collect();
+
+        let widths = [Constraint::Percentage(90), Constraint::Percentage(10)];
+        Table::new(rows, widths)
+            .column_spacing(1)
+            .style(Style::new().blue())
+            .render_ref(area, buf);
     }
 }

sandpolis-client/src/tui/help.rs

@@ -7,6 +7,7 @@ use ratatui::{
     widgets::{Widget, WidgetRef},
 };
 use std::time::Duration;
+use tokio::sync::broadcast::{Receiver, Sender};
 use tokio_stream::StreamExt;
 
 pub mod help;
@@ -57,3 +58,5 @@ pub enum Message {
     FocusChanged,
     ServerSelected,
 }
+
+pub type MessageBus<T> = (Sender<T>, Receiver<T>);

sandpolis-client/src/tui/mod.rs

@@ -16,6 +16,7 @@ sandpolis-instance = { path = "../sandpolis-instance", version = "0.0.1" }
 sandpolis-network = { path = "../sandpolis-network", version = "0.0.1" }
 sandpolis-client = { path = "../sandpolis-client", version = "0.0.1" }
 sandpolis-database = { path = "../sandpolis-database", version = "0.0.1" }
+sandpolis-group = { path = "../sandpolis-group", version = "0.0.1" }
 
 [features]
 agent = ["dep:axum", "dep:axum-macros"]

sandpolis-power/Cargo.toml

@@ -1,5 +1,6 @@
 use anyhow::Result;
 use messages::{PowerRequest, PowerResponse};
+use sandpolis_group::GroupName;
 use sandpolis_instance::InstanceId;
 use sandpolis_network::NetworkLayer;
 use serde::{Deserialize, Serialize};

sandpolis-power/src/lib.rs

@@ -62,4 +62,8 @@ pub struct ServerBannerData {
     /// An image to display on the login screen
     #[serde(with = "serde_bytes")]
     pub image: Option<Vec<u8>>, // TODO validate with image decoder
+
+    /// Whether users are required to provide a second authentication mechanism
+    /// on login
+    pub mfa: bool,
 }

sandpolis-server/src/lib.rs

@@ -56,10 +56,11 @@ openraft = { git = "https://github.com/databendlabs/openraft", optional = true,
   "type-alias",
 ] }
 
-# Client exclusive
+# Terminal client exclusive
 ratatui = { workspace = true, optional = true }
 ratatui-image = { workspace = true, optional = true }
 image = { workspace = true, optional = true }
+tui-popup = "0.6.0"
 
 [features]
 # Instances