diff --git a/.envrc b/.envrc new file mode 100644 index 00000000..3550a30f --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake diff --git a/.gitignore b/.gitignore index 76f78dfe..34d0b4ec 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,7 @@ *.dll *.so *.dylib +.direnv # Test binary, built with `go test -c` *.test diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 5c7aab14..00000000 --- a/Dockerfile +++ /dev/null @@ -1,43 +0,0 @@ -FROM golang:1.16-alpine as build - -RUN apk add --no-cache \ - git \ - make - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - -FROM alpine:3.13.4 -LABEL maintainer="github.com/subspacecommunity/subspace" - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -ENV DEBIAN_FRONTEND noninteractive - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/bin/my_init b/bin/my_init deleted file mode 100755 index af391f62..00000000 --- a/bin/my_init +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/sh - -shutdown() { - echo "shutting down container" - - # first shutdown any service started by runit - for _srv in $(ls -1 /etc/service); do - sv force-stop $_srv - done - - # shutdown runsvdir command - kill -HUP $RUNSVDIR - wait $RUNSVDIR - - # give processes time to stop - sleep 0.5 - - # kill any other processes still running in the container - for _pid in $(ps -eo pid | grep -v PID | tr -d ' ' | grep -v '^1$' | head -n -6); do - timeout -t 5 /bin/sh -c "kill $_pid && wait $_pid || kill -9 $_pid" - done - exit -} - -# store enviroment variables -export > /etc/envvars - -PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin - -exec env - PATH=$PATH runsvdir -P /etc/service & - -RUNSVDIR=$! -echo "Started runsvdir, PID is $RUNSVDIR" -echo "wait for processes to start...." - -sleep 5 -for _srv in $(ls -1 /etc/service); do - sv status $_srv -done - -# catch shutdown signals -trap shutdown SIGTERM SIGHUP SIGQUIT SIGINT -wait $RUNSVDIR - -shutdown diff --git a/cmd/subspace/handlers.go b/cmd/subspace/handlers.go index 229417be..2e395431 100644 --- a/cmd/subspace/handlers.go +++ b/cmd/subspace/handlers.go 
@@ -414,113 +414,25 @@ func profileAddHandler(w *Web) { return } - ipv4Pref := "10.99.97." - if pref := getEnv("SUBSPACE_IPV4_PREF", "nil"); pref != "nil" { - ipv4Pref = pref - } - ipv4Gw := "10.99.97.1" - if gw := getEnv("SUBSPACE_IPV4_GW", "nil"); gw != "nil" { - ipv4Gw = gw - } - ipv4Cidr := "24" - if cidr := getEnv("SUBSPACE_IPV4_CIDR", "nil"); cidr != "nil" { - ipv4Cidr = cidr - } - ipv6Pref := "fd00::10:97:" - if pref := getEnv("SUBSPACE_IPV6_PREF", "nil"); pref != "nil" { - ipv6Pref = pref - } - ipv6Gw := "fd00::10:97:1" - if gw := getEnv("SUBSPACE_IPV6_GW", "nil"); gw != "nil" { - ipv6Gw = gw - } - ipv6Cidr := "64" - if cidr := getEnv("SUBSPACE_IPV6_CIDR", "nil"); cidr != "nil" { - ipv6Cidr = cidr - } - listenport := "51820" - if port := getEnv("SUBSPACE_LISTENPORT", "nil"); port != "nil" { - listenport = port - } - endpointHost := httpHost - if eh := getEnv("SUBSPACE_ENDPOINT_HOST", "nil"); eh != "nil" { - endpointHost = eh - } - allowedips := "0.0.0.0/0, ::/0" - if ips := getEnv("SUBSPACE_ALLOWED_IPS", "nil"); ips != "nil" { - allowedips = ips - } - ipv4Enabled := true - if enable := getEnv("SUBSPACE_IPV4_NAT_ENABLED", "1"); enable == "0" { - ipv4Enabled = false - } - ipv6Enabled := true - if enable := getEnv("SUBSPACE_IPV6_NAT_ENABLED", "1"); enable == "0" { - ipv6Enabled = false - } - disableDNS := false - if shouldDisableDNS := getEnv("SUBSPACE_DISABLE_DNS", "0"); shouldDisableDNS == "1" { - disableDNS = true - } - script := ` -cd {{$.Datadir}}/wireguard -wg_private_key="$(wg genkey)" -wg_public_key="$(echo $wg_private_key | wg pubkey)" - -wg set wg0 peer ${wg_public_key} allowed-ips {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}} - -cat <peers/{{$.Profile.ID}}.conf -[Peer] -PublicKey = ${wg_public_key} -AllowedIPs = {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if 
.Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}} -WGPEER - -cat <clients/{{$.Profile.ID}}.conf -[Interface] -PrivateKey = ${wg_private_key} -{{- if not .DisableDNS }} -DNS = {{if .Ipv4Enabled}}{{$.IPv4Gw}}{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Gw}}{{end}} -{{- end }} -Address = {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/{{$.IPv4Cidr}}{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/{{$.IPv6Cidr}}{{end}} - -[Peer] -PublicKey = $(cat server.public) - -Endpoint = {{$.EndpointHost}}:{{$.Listenport}} -AllowedIPs = {{$.AllowedIPS}} -WGCLIENT -` + cd {{$.Datadir}}/wireguard + + wg-bond add {{$.Profile.ID}} --dns 1.1.1.1 + wg-bond conf {{$.Profile.ID}} -T subspace-root > clients/{{$.Profile.ID}}.conf + + # Syncing configuration + wg-bond conf subspace-root > subspace.conf + wg-quick strip ./subspace.conf > sync.conf + wg-quick down ./subspace.conf + wg-quick up ./subspace.conf + + ` _, err = bash(script, struct { - Profile Profile - EndpointHost string - Datadir string - IPv4Gw string - IPv6Gw string - IPv4Pref string - IPv6Pref string - IPv4Cidr string - IPv6Cidr string - Listenport string - AllowedIPS string - Ipv4Enabled bool - Ipv6Enabled bool - DisableDNS bool + Profile Profile + Datadir string }{ profile, - endpointHost, datadir, - ipv4Gw, - ipv6Gw, - ipv4Pref, - ipv6Pref, - ipv4Cidr, - ipv6Cidr, - listenport, - allowedips, - ipv4Enabled, - ipv6Enabled, - disableDNS, }) if err != nil { logger.Warn(err) 
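Review bot: The new script in profileAddHandler writes `wg-quick strip ./subspace.conf > sync.conf` but nothing consumes sync.conf; what actually applies the change is `wg-quick down ./subspace.conf` followed by `wg-quick up ./subspace.conf`, which tears down the whole server interface on every profile add, drops every connected peer for the duration, and leaves the interface down if `up` fails. The same four lines are repeated in the deleteProfile hunk below. Feeding the stripped file to `wg syncconf subspace sync.conf` (wg-quick derives the interface name from the config file name, so confirm it is `subspace`) would add the peer without bouncing the interface, and the stripped file, which still contains the server's PrivateKey, should then be removed rather than left beside the configs. The endpoint host, allowed-IPs, NAT and DNS settings that the removed env handling exposed are now fixed in wg-bond and the hard-coded `--dns 1.1.1.1`; if that is intended, the env-variable documentation needs to say those variables are ignored. profileAddHandler starts and ends outside the hunk.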
@@ -570,11 +482,19 @@ func profileDeleteHandler(w *Web) {
 }
 if err := deleteProfile(profile); err != nil {
 logger.Errorf("delete profile failed: %s", err)
- w.Redirect("/profile/delete?error=deleteprofile")
+ if profile.UserID == "" {
+ w.Redirect("/?error=deleteprofile")
+ } else {
+ w.Redirect("/profile/delete?error=deleteprofile")
+ }
 return
 }
 if w.Admin {
- w.Redirect("/user/edit/%s?success=deleteprofile", profile.UserID)
+ if profile.UserID == "" {
+ w.Redirect("/?success=deleteprofile")
+ } else {
+ w.Redirect("/user/edit/%s?success=deleteprofile", profile.UserID)
+ }
 return
 }
 w.Redirect("/?success=deleteprofile")
@@ -684,13 +604,17 @@ func helpHandler(w *Web) {
 //
 func deleteProfile(profile Profile) error {
 script := `
-# WireGuard
-cd {{$.Datadir}}/wireguard
-peerid=$(cat peers/{{$.Profile.ID}}.conf | awk '/PublicKey/ { printf("%s", $3) }' )
-wg set wg0 peer $peerid remove
-rm peers/{{$.Profile.ID}}.conf
-rm clients/{{$.Profile.ID}}.conf
-`
+ cd {{$.Datadir}}/wireguard
+
+ wg-bond rm {{$.Profile.ID}}
+
+ # Syncing configuration
+ wg-bond conf subspace-root > subspace.conf
+ wg-quick strip ./subspace.conf > sync.conf
+ wg-quick down ./subspace.conf
+ wg-quick up ./subspace.conf
+ `
+
 output, err := bash(script, struct {
 Datadir string
 Profile Profile
diff --git a/cmd/subspace/main.go b/cmd/subspace/main.go
index 1956ac9d..d399515e 100644
--- a/cmd/subspace/main.go
+++ b/cmd/subspace/main.go
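Review bot: The two new `if profile.UserID == ""` branches in profileDeleteHandler evaluate the same orphan-profile condition twice, once on the error path and once on the admin success path, with nothing tying the two decisions together. Computing it once before the deleteProfile call, `orphan := profile.UserID == ""`, and testing `orphan` in both places keeps the redirects in step if a third destination is ever added. Why a profile can have an empty UserID is not visible here and deserves a one-line comment at that declaration. profileDeleteHandler starts outside the hunk.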
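Review bot: The rewritten deleteProfile no longer removes `clients/{{$.Profile.ID}}.conf`, which the old script deleted and which profileAddHandler in this same commit still writes; that file holds the client's private key, so it now outlives the profile on disk. Unless `wg-bond rm` is known to clean it up, add `rm -f clients/{{$.Profile.ID}}.conf` after the `wg-bond rm {{$.Profile.ID}}` line (the peers/ file the old script also removed is no longer written, so it needs no counterpart). The function's tail, including how `output` and `err` are handled, is outside the hunk.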
@@ -89,9 +89,9 @@ func init() {
 cli.StringVar(&datadir, "datadir", "/data", "data dir")
 cli.StringVar(&backlink, "backlink", "/", "backlink (optional)")
 cli.StringVar(&httpHost, "http-host", "", "HTTP host")
- cli.StringVar(&httpAddr, "http-addr", ":80", "HTTP listen address")
+ cli.StringVar(&httpAddr, "http-addr", ":5555", "HTTP listen address")
 cli.BoolVar(&httpInsecure, "http-insecure", false, "enable sessions cookies for http (no https) not recommended")
- cli.BoolVar(&letsencrypt, "letsencrypt", true, "enable TLS using Let's Encrypt on port 443")
+ cli.BoolVar(&letsencrypt, "letsencrypt", false, "enable TLS using Let's Encrypt on port 443")
 cli.BoolVar(&showVersion, "version", false, "display version and exit")
 cli.BoolVar(&showHelp, "help", false, "display help and exit")
 cli.BoolVar(&debug, "debug", false, "debug mode")
@@ -261,13 +261,13 @@ func main() {
 httpd := &http.Server{
 Handler: certmanager.HTTPHandler(redir),
- Addr: net.JoinHostPort(httpIP, "80"),
+ Addr: net.JoinHostPort(httpIP, "1080"),
 WriteTimeout: httpTimeout,
 ReadTimeout: httpTimeout,
 MaxHeaderBytes: maxHeaderBytes,
 }
 if err := httpd.ListenAndServe(); err != nil {
- logger.Fatalf("http server on port 80 failed: %s", err)
+ logger.Fatalf("http server on port 1080 failed: %s", err)
 }
 }()
diff --git a/cmd/subspace/utils.go b/cmd/subspace/utils.go
index 4f34348c..ab7d7fa4 100644
--- a/cmd/subspace/utils.go
+++ b/cmd/subspace/utils.go
@@ -62,7 +62,7 @@ set -o xtrace
 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 defer cancel()
- output, err := exec.CommandContext(ctx, "/bin/bash", "-c", string(script.Bytes())).CombinedOutput()
+ output, err := exec.CommandContext(ctx, "/usr/bin/env", "bash", "-c", string(script.Bytes())).CombinedOutput()
 if err != nil {
 return string(output), fmt.Errorf("command failed: %s\n%s", err, string(output))
 }
diff --git a/default.nix b/default.nix
new file mode 100644
index 00000000..b22e926e
--- /dev/null
+++ b/default.nix
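Review bot: Flipping the `letsencrypt` default to false and `http-addr` to :5555 makes a plain-HTTP listener the out-of-the-box behaviour for anyone who upgrades without touching flags, and the help strings are unchanged, so nothing tells an operator that TLS is now opt-in. The NixOS module in flake.nix keeps `letsencrypt = true` and `httpAddr = ":3331"` as its defaults, so the binary and the module now disagree on both values. If the new defaults exist for the Nix deployment behind a reverse proxy, say so in the help text, e.g. `"HTTP listen address (plain HTTP unless -letsencrypt is set or a TLS proxy is in front)"`, or leave the binary defaults alone and set the ports in the module, which already passes every flag explicitly. The rest of init is outside the hunk.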
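Review bot: Moving the certmanager challenge/redirect listener from port 80 to `Addr: net.JoinHostPort(httpIP, "1080")` breaks Let's Encrypt HTTP-01 validation, which only connects to port 80 on the validated host, so with `-letsencrypt` enabled no certificate can be issued unless something outside this process forwards 80 to 1080. If the goal is to run without binding a privileged port, that forwarding requirement belongs in a comment on that line and in the module, or better the port becomes a flag instead of a literal that is duplicated in the Fatalf message one line lower. main continues outside the hunk.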
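Review bot: Resolving the interpreter through `/usr/bin/env bash` makes every script the handlers run, all of which manage the tunnel with CAP_NET_ADMIN, depend on the PATH of the subspace process rather than a fixed path; the NixOS module sets PATH explicitly via `path = [...]`, but any other deployment runs whichever bash appears first in PATH. Resolving it once at startup with `exec.LookPath("bash")`, failing fast when it is missing and logging the chosen path, keeps the NixOS portability while making the dependency visible, and a flag would let operators pin it. The enclosing function, including the `set -o xtrace` prologue that ends up in the returned output, is outside the hunk.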
@@ -0,0 +1,3 @@
+(import (fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz) {
+ src = builtins.fetchGit ./.;
+}).defaultNix
diff --git a/deps.nix b/deps.nix
new file mode 100644
index 00000000..0324ceaf
--- /dev/null
+++ b/deps.nix
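Review bot: `fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz` downloads whatever master is at evaluation time with no hash, so the legacy `nix-build` entry point is neither reproducible nor integrity-checked and a compromised or moved branch is evaluated as code. Pin it to a revision and give the hash, `fetchTarball { url = "https://github.com/edolstra/flake-compat/archive/<REV>.tar.gz"; sha256 = "<HASH>"; }` (placeholders), ideally taking both from flake.lock after adding flake-compat as a flake input.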
@@ -0,0 +1,373 @@ +# file generated from go.mod using vgo2nix (https://github.com/nix-community/vgo2nix) +[ + { + goPackagePath = "github.com/beevik/etree"; + fetch = { + type = "git"; + url = "https://github.com/beevik/etree"; + rev = "v1.1.0"; + sha256 = "12dqgh8swrnk8c1bwqmq4mgd65rj4waxgb02filkm3f52vyxryxn"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/boombuler/barcode"; + fetch = { + type = "git"; + url = "https://github.com/boombuler/barcode"; + rev = "6c824513bacc"; + sha256 = "0v4ypgh3xarzfpgys838mgkfabqacbjklhf4kfqnycs0v0anvnlr"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/crewjam/httperr"; + fetch = { + type = "git"; + url = "https://github.com/crewjam/httperr"; + rev = "a946449404da"; + sha256 = "1f7plyp60wp7zjyxqia0blxapby2qpf2f01760mllrgc5ylvm4y9"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/crewjam/saml"; + fetch = { + type = "git"; + url = "https://github.com/crewjam/saml"; + rev = "v0.4.5"; + sha256 = "0lzqqzqbm0pknrzqv6l6nf868p31cy88vmzm155q65aa0c6p69vh"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/davecgh/go-spew"; + fetch = { + type = "git"; + url = "https://github.com/davecgh/go-spew"; + rev = "v1.1.1"; + sha256 = "0hka6hmyvp701adzag2g26cxdj47g21x6jz4sc6jjz1mn59d474y"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/dchest/uniuri"; + fetch = { + type = "git"; + url = "https://github.com/dchest/uniuri"; + rev = "8902c56451e9"; + sha256 = "1x5bsbm1nlphsv96zd0rbclfaa1swpz5bp14x7s5dbxp0awk2gd4"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/dgrijalva/jwt-go"; + fetch = { + type = "git"; + url = "https://github.com/dgrijalva/jwt-go"; + rev = "v3.2.0"; + sha256 = "08m27vlms74pfy5z79w67f9lk9zkx6a9jd68k3c4msxy75ry36mp"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/dustin/go-humanize"; + fetch = { + type = "git"; + url = "https://github.com/dustin/go-humanize"; + rev = "v1.0.0"; + sha256 = "1kqf1kavdyvjk7f8kx62pnm7fbypn9z1vbf8v2qdh3y7z7a0cbl3"; 
+ moduleDir = ""; + }; + } + { + goPackagePath = "github.com/gorilla/securecookie"; + fetch = { + type = "git"; + url = "https://github.com/gorilla/securecookie"; + rev = "v1.1.1"; + sha256 = "16bqimpxs9vj5n59vm04y04v665l7jh0sddxn787pfafyxcmh410"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/jonboulle/clockwork"; + fetch = { + type = "git"; + url = "https://github.com/jonboulle/clockwork"; + rev = "v0.2.1"; + sha256 = "0ri5zcpbqxgminm3zp3zsyhr6d46m9nfcmmnba4vmb5szzvd7xlw"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/jteeuwen/go-bindata"; + fetch = { + type = "git"; + url = "https://github.com/jteeuwen/go-bindata"; + rev = "6025e8de665b"; + sha256 = "0mfp4mld38wswl020p11i1qrqrx5s74qv5f1cw116zd5w9n2q0aj"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/julienschmidt/httprouter"; + fetch = { + type = "git"; + url = "https://github.com/julienschmidt/httprouter"; + rev = "v1.3.0"; + sha256 = "1a6sy0ysqknsjssjh7qg1dqn21xmj9a36c57nrk7srfmab4ffmk1"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/kevinburke/go-bindata"; + fetch = { + type = "git"; + url = "https://github.com/kevinburke/go-bindata"; + rev = "v3.23.0"; + sha256 = "1dns8x8vvcn8vka6bgnn2bp0y97pcdpi0brr7d2s5zy3847j90d4"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/konsorten/go-windows-terminal-sequences"; + fetch = { + type = "git"; + url = "https://github.com/konsorten/go-windows-terminal-sequences"; + rev = "v1.0.3"; + sha256 = "1yrsd4s8vhjnxhwbigirymz89dn6qfjnhn28i33vvvdgf96j6ypl"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/kr/pretty"; + fetch = { + type = "git"; + url = "https://github.com/kr/pretty"; + rev = "v0.2.1"; + sha256 = "0vzfz06y9q8gs2nxx0kys0591vzp78k0fvpb8digi5n15h3b25hy"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/kr/pty"; + fetch = { + type = "git"; + url = "https://github.com/kr/pty"; + rev = "v1.1.1"; + sha256 = "0383f0mb9kqjvncqrfpidsf8y6ns5zlrc91c6a74xpyxjwvzl2y6"; + moduleDir = 
""; + }; + } + { + goPackagePath = "github.com/kr/text"; + fetch = { + type = "git"; + url = "https://github.com/kr/text"; + rev = "v0.1.0"; + sha256 = "1gm5bsl01apvc84bw06hasawyqm4q84vx1pm32wr9jnd7a8vjgj1"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/mattermost/xml-roundtrip-validator"; + fetch = { + type = "git"; + url = "https://github.com/mattermost/xml-roundtrip-validator"; + rev = "bcd7e1b9601e"; + sha256 = "0brxsz6j8kxp61xx68ws7g2dd88c1z9vv4nzhxfzk3cqsgys11w8"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/niemeyer/pretty"; + fetch = { + type = "git"; + url = "https://github.com/niemeyer/pretty"; + rev = "a10e7caefd8e"; + sha256 = "1jmazh4xzaa3v6g46hz60q2z7nmqs9l9cxdzmmscn3kbcs2znq4v"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/pkg/errors"; + fetch = { + type = "git"; + url = "https://github.com/pkg/errors"; + rev = "v0.8.1"; + sha256 = "0g5qcb4d4fd96midz0zdk8b9kz8xkzwfa8kr1cliqbg8sxsy5vd1"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/pmezard/go-difflib"; + fetch = { + type = "git"; + url = "https://github.com/pmezard/go-difflib"; + rev = "v1.0.0"; + sha256 = "0c1cn55m4rypmscgf0rrb88pn58j3ysvc2d0432dp3c6fqg6cnzw"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/pquerna/otp"; + fetch = { + type = "git"; + url = "https://github.com/pquerna/otp"; + rev = "v1.2.0"; + sha256 = "088njs8i7b0syyz20hzd3lcjxy61chc518d71lvykw2g9c9wsc7l"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/russellhaering/goxmldsig"; + fetch = { + type = "git"; + url = "https://github.com/russellhaering/goxmldsig"; + rev = "v1.1.0"; + sha256 = "0qg3zp4vp31m0l89g0rl76y1mn3ckv5k4nx6b4hb6rrvzkmxd9x0"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/sirupsen/logrus"; + fetch = { + type = "git"; + url = "https://github.com/sirupsen/logrus"; + rev = "v1.6.0"; + sha256 = "1zf9is1yxxnna0d1pyag2m9ziy3l27zb2j92p9msm1gx5jjrvzzj"; + moduleDir = ""; + }; + } + { + goPackagePath = 
"github.com/skip2/go-qrcode"; + fetch = { + type = "git"; + url = "https://github.com/skip2/go-qrcode"; + rev = "a3b48390827e"; + sha256 = "0nsaph5bkxsp0rv28v0wanfjx2pvkq9qim27lav67v27k57hl9lx"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/stretchr/objx"; + fetch = { + type = "git"; + url = "https://github.com/stretchr/objx"; + rev = "v0.1.0"; + sha256 = "19ynspzjdynbi85xw06mh8ad5j0qa1vryvxjgvbnyrr8rbm4vd8w"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/stretchr/testify"; + fetch = { + type = "git"; + url = "https://github.com/stretchr/testify"; + rev = "v1.6.1"; + sha256 = "1yhiqqzjvi63pf01rgzx68gqkkvjx03fvl5wk30br5l6s81s090l"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/subspacecommunity/subspace"; + fetch = { + type = "git"; + url = "https://github.com/subspacecommunity/subspace"; + rev = "v1.5.0"; + sha256 = "10vvsi4k6xgsvshaz70zrfpznxhykqjl37sc83dqbksf4mm9kidw"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/zenazn/goji"; + fetch = { + type = "git"; + url = "https://github.com/zenazn/goji"; + rev = "64eb34159fe5"; + sha256 = "0ziixsr9j0644kcz5kqgq46rqxb4iay4627783jlb5bc5gqwd7rs"; + moduleDir = ""; + }; + } + { + goPackagePath = "golang.org/x/crypto"; + fetch = { + type = "git"; + url = "https://go.googlesource.com/crypto"; + rev = "06a226fb4e37"; + sha256 = "0fdig6jx81g7a44dnxggibl909wchsj4nakmmhhz7db36sl0d7m5"; + moduleDir = ""; + }; + } + { + goPackagePath = "golang.org/x/net"; + fetch = { + type = "git"; + url = "https://go.googlesource.com/net"; + rev = "d87ec0cfa476"; + sha256 = "1hnbhvih5sc87939fb8gsbzc7acs4wv8v0p2sbrxzlv98znnrl8k"; + moduleDir = ""; + }; + } + { + goPackagePath = "golang.org/x/sys"; + fetch = { + type = "git"; + url = "https://go.googlesource.com/sys"; + rev = "85ca7c5b95cd"; + sha256 = "1504qkgbhhm4f0bhk77v2r1lj6x171ay5m79alkg78wjb5cign5l"; + moduleDir = ""; + }; + } + { + goPackagePath = "golang.org/x/text"; + fetch = { + type = "git"; + url = 
"https://go.googlesource.com/text"; + rev = "v0.3.0"; + sha256 = "0r6x6zjzhr8ksqlpiwm5gdd7s209kwk5p4lw54xjvz10cs3qlq19"; + moduleDir = ""; + }; + } + { + goPackagePath = "gopkg.in/alexcesaro/quotedprintable.v3"; + fetch = { + type = "git"; + url = "https://gopkg.in/alexcesaro/quotedprintable.v3"; + rev = "2caba252f4dc"; + sha256 = "1fi38y0f7877ra8xi6782vp2ahfghzk4apj3ca6lljjyzgahij79"; + moduleDir = ""; + }; + } + { + goPackagePath = "gopkg.in/check.v1"; + fetch = { + type = "git"; + url = "https://gopkg.in/check.v1"; + rev = "8fa46927fb4f"; + sha256 = "0fx03x0nx9mjwnqphnx852q9p76qg7cazrachvgr1bj357lplrcw"; + moduleDir = ""; + }; + } + { + goPackagePath = "gopkg.in/gomail.v2"; + fetch = { + type = "git"; + url = "https://gopkg.in/gomail.v2"; + rev = "81ebce5c23df"; + sha256 = "0zdykrv5s19lnq0g49p6njldy4cpk4g161vyjafiw7f84h8r28mc"; + moduleDir = ""; + }; + } + { + goPackagePath = "gopkg.in/yaml.v3"; + fetch = { + type = "git"; + url = "https://gopkg.in/yaml.v3"; + rev = "9f266ea9e77c"; + sha256 = "1bbai3lzb50m0x2vwsdbagrbhvfylj9k1m32hgbqwldqx4p9ay35"; + moduleDir = ""; + }; + } +] diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100644 index 2d6cb8ab..00000000 --- a/entrypoint.sh +++ /dev/null 
@@ -1,254 +0,0 @@ -#!/usr/bin/env sh -set -o errexit -set -o nounset -set -o pipefail -set -o xtrace - -# Require environment variables. -if [ -z "${SUBSPACE_HTTP_HOST-}" ]; then - echo "Environment variable SUBSPACE_HTTP_HOST required. Exiting." - exit 1 -fi -# Optional environment variables. -if [ -z "${SUBSPACE_BACKLINK-}" ]; then - export SUBSPACE_BACKLINK="/" -fi - -if [ -z "${SUBSPACE_IPV4_POOL-}" ]; then - export SUBSPACE_IPV4_POOL="10.99.97.0/24" -fi -if [ -z "${SUBSPACE_IPV6_POOL-}" ]; then - export SUBSPACE_IPV6_POOL="fd00::10:97:0/112" -fi -if [ -z "${SUBSPACE_NAMESERVERS-}" ]; then - export SUBSPACE_NAMESERVERS="1.1.1.1,1.0.0.1" -fi - -if [ -z "${SUBSPACE_LETSENCRYPT-}" ]; then - export SUBSPACE_LETSENCRYPT="true" -fi - -if [ -z "${SUBSPACE_HTTP_ADDR-}" ]; then - export SUBSPACE_HTTP_ADDR=":80" -fi - -if [ -z "${SUBSPACE_LISTENPORT-}" ]; then - export SUBSPACE_LISTENPORT="51820" -fi - -if [ -z "${SUBSPACE_HTTP_INSECURE-}" ]; then - export SUBSPACE_HTTP_INSECURE="false" -fi - -if [ -z "${SUBSPACE_THEME-}" ]; then - export SUBSPACE_THEME="green" -fi - -export DEBIAN_FRONTEND="noninteractive" - -if [ -z "${SUBSPACE_IPV4_GW-}" ]; then - export SUBSPACE_IPV4_PREF=$(echo ${SUBSPACE_IPV4_POOL-} | cut -d '/' -f1 | sed 's/.0$/./g') - export SUBSPACE_IPV4_GW=$(echo ${SUBSPACE_IPV4_PREF-}1) - -fi - -if [ -z "${SUBSPACE_IPV6_GW-}" ]; then - export SUBSPACE_IPV6_PREF=$(echo ${SUBSPACE_IPV6_POOL-} | cut -d '/' -f1 | sed 's/:0$/:/g') - export SUBSPACE_IPV6_GW=$(echo ${SUBSPACE_IPV6_PREF-}1) -fi - -if [ -z "${SUBSPACE_IPV6_NAT_ENABLED-}" ] || [ "${SUBSPACE_IPV6_NAT_ENABLED}" != "0" ]; then - export SUBSPACE_IPV6_NAT_ENABLED=1 -else - export SUBSPACE_IPV6_NAT_ENABLED=0 -fi - -if [ -z "${SUBSPACE_IPV4_NAT_ENABLED-}" ] || [ "${SUBSPACE_IPV4_NAT_ENABLED}" != "0" ]; then - export SUBSPACE_IPV4_NAT_ENABLED=1 -else - export SUBSPACE_IPV4_NAT_ENABLED=0 -fi - -# DNS server is disabled if the flag is not ommited and set to anything other than 0. -if ! 
[ -z "${SUBSPACE_DISABLE_DNS-}" ] && [ "${SUBSPACE_DISABLE_DNS}" != "0" ]; then - export SUBSPACE_DISABLE_DNS=1 -else - export SUBSPACE_DISABLE_DNS=0 -fi - -if [ "$SUBSPACE_IPV6_NAT_ENABLED" == "0" ] && [ "$SUBSPACE_IPV4_NAT_ENABLED" == "0" ]; then - echo "One of envionment variables SUBSPACE_IPV6_NAT_ENABLED, SUBSPACE_IPV4_NAT_ENABLED must be set to 1." - echo "Got SUBSPACE_IPV6_NAT_ENABLED=$SUBSPACE_IPV6_NAT_ENABLED, SUBSPACE_IPV4_NAT_ENABLED=$SUBSPACE_IPV4_NAT_ENABLED" - exit 1 -fi - -# Empty out inherited nameservers -echo "" >/etc/resolv.conf -# Set DNS servers -echo ${SUBSPACE_NAMESERVERS} | tr "," "\n" | while read -r ns; do echo "nameserver ${ns}" >>/etc/resolv.conf; done - -if [ -z "${SUBSPACE_DISABLE_MASQUERADE-}" ]; then - if [[ ${SUBSPACE_IPV4_NAT_ENABLED} -ne 0 ]]; then - # IPv4 - if ! /sbin/iptables -t nat --check POSTROUTING -s ${SUBSPACE_IPV4_POOL} -j MASQUERADE; then - /sbin/iptables -t nat --append POSTROUTING -s ${SUBSPACE_IPV4_POOL} -j MASQUERADE - fi - - if ! /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; then - /sbin/iptables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - fi - - if ! /sbin/iptables --check FORWARD -s ${SUBSPACE_IPV4_POOL} -j ACCEPT; then - /sbin/iptables --append FORWARD -s ${SUBSPACE_IPV4_POOL} -j ACCEPT - fi - fi - - if [[ ${SUBSPACE_IPV6_NAT_ENABLED} -ne 0 ]]; then - # IPv6 - if ! /sbin/ip6tables -t nat --check POSTROUTING -s ${SUBSPACE_IPV6_POOL} -j MASQUERADE; then - /sbin/ip6tables -t nat --append POSTROUTING -s ${SUBSPACE_IPV6_POOL} -j MASQUERADE - fi - - if ! /sbin/ip6tables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; then - /sbin/ip6tables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - fi - - if ! 
/sbin/ip6tables --check FORWARD -s ${SUBSPACE_IPV6_POOL} -j ACCEPT; then - /sbin/ip6tables --append FORWARD -s ${SUBSPACE_IPV6_POOL} -j ACCEPT - fi - fi -fi - -if [[ ${SUBSPACE_IPV4_NAT_ENABLED} -ne 0 ]]; then - # ipv4 - DNS Leak Protection - if ! /sbin/iptables -t nat --check OUTPUT -s ${SUBSPACE_IPV4_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53; then - /sbin/iptables -t nat --append OUTPUT -s ${SUBSPACE_IPV4_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53 - fi - - if ! /sbin/iptables -t nat --check OUTPUT -s ${SUBSPACE_IPV4_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53; then - /sbin/iptables -t nat --append OUTPUT -s ${SUBSPACE_IPV4_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53 - fi -fi - -if [[ ${SUBSPACE_IPV6_NAT_ENABLED} -ne 0 ]]; then - # ipv6 - DNS Leak Protection - if ! /sbin/ip6tables --wait -t nat --check OUTPUT -s ${SUBSPACE_IPV6_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW}; then - /sbin/ip6tables --wait -t nat --append OUTPUT -s ${SUBSPACE_IPV6_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW} - fi - - if ! /sbin/ip6tables --wait -t nat --check OUTPUT -s ${SUBSPACE_IPV6_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW}; then - /sbin/ip6tables --wait -t nat --append OUTPUT -s ${SUBSPACE_IPV6_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW} - fi -fi -# -# WireGuard (${SUBSPACE_IPV4_POOL}) -# -umask_val=$(umask) -umask 0077 -if ! test -d /data/wireguard; then - mkdir /data/wireguard - cd /data/wireguard - - mkdir clients - touch clients/null.conf # So you can cat *.conf safely - mkdir peers - touch peers/null.conf # So you can cat *.conf safely - - # Generate public/private server keys. 
- wg genkey | tee server.private | wg pubkey >server.public -fi - -cat </data/wireguard/server.conf -[Interface] -PrivateKey = $(cat /data/wireguard/server.private) -ListenPort = ${SUBSPACE_LISTENPORT} - -WGSERVER -cat /data/wireguard/peers/*.conf >>/data/wireguard/server.conf -umask ${umask_val} -[ -f /data/config.json ] && chmod 600 /data/config.json # Special handling of file not created by start-up script - -if ip link show wg0 2>/dev/null; then - ip link del wg0 -fi -ip link add wg0 type wireguard -if [[ ${SUBSPACE_IPV4_NAT_ENABLED} -ne 0 ]]; then - export SUBSPACE_IPV4_CIDR=$(echo ${SUBSPACE_IPV4_POOL-} | cut -d '/' -f2) - ip addr add ${SUBSPACE_IPV4_GW}/${SUBSPACE_IPV4_CIDR} dev wg0 -fi -if [[ ${SUBSPACE_IPV6_NAT_ENABLED} -ne 0 ]]; then - export SUBSPACE_IPV6_CIDR=$(echo ${SUBSPACE_IPV6_POOL-} | cut -d '/' -f2) - ip addr add ${SUBSPACE_IPV6_GW}/${SUBSPACE_IPV6_CIDR} dev wg0 -fi -wg setconf wg0 /data/wireguard/server.conf -ip link set wg0 up - -# dnsmasq service -if [[ ${SUBSPACE_DISABLE_DNS} == "0" ]]; then - DNSMASQ_LISTEN_ADDRESS="127.0.0.1" - if [[ ${SUBSPACE_IPV4_NAT_ENABLED} -ne 0 ]]; then - DNSMASQ_LISTEN_ADDRESS="${DNSMASQ_LISTEN_ADDRESS},${SUBSPACE_IPV4_GW}" - fi - if [[ ${SUBSPACE_IPV6_NAT_ENABLED} -ne 0 ]]; then - DNSMASQ_LISTEN_ADDRESS="${DNSMASQ_LISTEN_ADDRESS},${SUBSPACE_IPV6_GW}" - fi - - if ! test -d /etc/service/dnsmasq; then - cat </etc/dnsmasq.conf - # Only listen on necessary addresses. - listen-address=${DNSMASQ_LISTEN_ADDRESS} - - # Never forward plain names (without a dot or domain part) - domain-needed - - # Never forward addresses in the non-routed address spaces. - bogus-priv - - # Allow extending dnsmasq by providing custom configurations. 
- conf-dir=/etc/dnsmasq.d -DNSMASQ - - mkdir -p /etc/service/dnsmasq - cat </etc/service/dnsmasq/run -#!/bin/sh -exec /usr/sbin/dnsmasq --keep-in-foreground -RUNIT - chmod +x /etc/service/dnsmasq/run - - # dnsmasq service log - mkdir -p /etc/service/dnsmasq/log/main - cat </etc/service/dnsmasq/log/run -#!/bin/sh -exec svlogd -tt ./main -RUNIT - chmod +x /etc/service/dnsmasq/log/run - fi -fi - -# subspace service -if ! test -d /etc/service/subspace; then - mkdir /etc/service/subspace - cat </etc/service/subspace/run -#!/bin/sh -source /etc/envvars -exec /usr/bin/subspace \ - "--http-host=${SUBSPACE_HTTP_HOST}" \ - "--http-addr=${SUBSPACE_HTTP_ADDR}" \ - "--http-insecure=${SUBSPACE_HTTP_INSECURE}" \ - "--backlink=${SUBSPACE_BACKLINK}" \ - "--letsencrypt=${SUBSPACE_LETSENCRYPT}" \ - "--theme=${SUBSPACE_THEME}" -RUNIT - chmod +x /etc/service/subspace/run - - # subspace service log - mkdir /etc/service/subspace/log - mkdir /etc/service/subspace/log/main - cat </etc/service/subspace/log/run -#!/bin/sh -exec svlogd -tt ./main -RUNIT - chmod +x /etc/service/subspace/log/run -fi - -exec $@ diff --git a/flake.lock b/flake.lock new file mode 100644 index 00000000..3fa08630 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,41 @@ +{ + "nodes": { + "flake-utils": { + "locked": { + "lastModified": 1644229661, + "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1645433236, + "narHash": "sha256-4va4MvJ076XyPp5h8sm5eMQvCrJ6yZAbBmyw95dGyw4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7f9b6e2babf232412682c09e57ed666d8f84ac2d", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 00000000..0c92855a --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,265 @@ +{ + description = "A fork of the simple WireGuard VPN server GUI community maintained "; + + inputs.flake-utils.url = "github:numtide/flake-utils"; + + outputs = { self, nixpkgs, flake-utils }: (flake-utils.lib.eachDefaultSystem (system: + let + pkgs = import nixpkgs { inherit system; overlays = [ self.overlay ]; }; + in + { + packages.subspace = pkgs.subspace; + packages.wireguard-tools = pkgs.wireguard-tools; + + defaultPackage = self.packages.${system}.subspace; + + devShell = pkgs.mkShell { + buildInputs = with pkgs; [ self.packages.${system}.wireguard-tools wg-bond go go-bindata ]; + }; + })) // { + overlay = final: prev: { + wireguard-tools = prev.wireguard-tools.overrideDerivation (super: { + patches = super.patches ++ [ + ./wg-quick-no-uid.patch + ]; + }); + + subspace = + let + goPackagePath = "github.com/subspacecommunity/subspace"; + version = "1.5.0"; + in + final.buildGoPackage { + inherit goPackagePath version; + src = nixpkgs.lib.cleanSource ./.; + name = "subspace"; + goDeps = ./deps.nix; + nativeBuildInputs = with final; [ go-bindata which diffutils ]; + buildPhase = '' + runHook preBuild + cd go/src/${goPackagePath} + export CGO_ENABLED=0 + rm -rf subspace + go-bindata -o cmd/subspace/bindata.go --prefix "web/" --pkg main web/... + go build -v --compiler gc --ldflags "-extldflags -static -s -w -X main.version=${version}" -o subspace ./cmd/subspace + runHook postBuild + ''; + installPhase = '' + install -Dm777 subspace $out/bin/subspace + + mkdir -p $out/libexec + cp -r web $out/libexec/web + ''; + }; + }; + nixosModule = { pkgs, lib, config, ... 
}: + with lib; + let + cfg = config.services.subspace; + in + { + options.services.subspace = { + enable = mkEnableOption "subspace"; + + package = mkOption { + description = "A package from which to take subspace"; + default = self.defaultPackage.${pkgs.system}; + type = types.package; + }; + + privateKeyFile = mkOption { + description = "Path to Wireguard private key"; + default = "/secrets/subspace.private"; + type = types.str; + }; + + user = mkOption { + description = "User account under which Subspace runs."; + default = "subspace"; + type = types.str; + }; + group = mkOption { + description = "Group account under which Subspace runs."; + default = "subspace"; + type = types.str; + }; + + httpHost = mkOption { + description = "The host to listen on and set cookies for"; + default = "localhost"; + type = types.str; + }; + backlink = mkOption { + description = "The page to set the home button to"; + default = "/"; + type = types.str; + }; + dataDir = mkOption { + description = "Path to data folder"; + default = "/var/lib/subspace"; + type = types.str; + }; + debug = mkOption { + description = "Place subspace into debug mode for verbose log output"; + default = false; + type = types.bool; + }; + httpInsecure = mkOption { + description = "enable session cookies for http and remove redirect to https"; + default = false; + type = types.bool; + }; + letsencrypt = mkOption { + description = "Whether or not to use a LetsEncrypt certificate"; + default = true; + type = types.bool; + }; + httpAddr = mkOption { + description = "HTTP Listen address"; + default = ":3331"; + type = types.str; + }; + params = mkOption { + description = "Parameters for Subspace binary"; + default = ""; + type = types.str; + }; + proxyPort = mkOption { + description = "Port for managed WireGuard interface"; + default = "53222"; + type = types.str; + }; + subnet = mkOption { + description = "Subnet to be used by Subspace VPN"; + default = "10.0.0.0/24"; + type = types.str; + }; + }; + + config 
= mkIf cfg.enable { + users.users = optionalAttrs (cfg.user == "subspace") ({ + subspace = { + isSystemUser = true; + group = cfg.group; + # uid = config.ids.uids.subspace; + description = "Subspace WireGuard GUI user"; + home = cfg.dataDir; + }; + }); + + users.groups = optionalAttrs (cfg.group == "subspace") ({ + subspace = { + # gid = config.ids.gids.subspace; + }; + }); + + systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group}" ]; + + systemd.services.subspace = rec { + description = "A simple WireGuard VPN server GUI"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + startLimitBurst = mkDefault 5; + startLimitIntervalSec = mkDefault 300; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + + Restart = mkDefault "on-failure"; + RestartSec = mkDefault 10; + + CapabilityBoundingSet = "CAP_NET_ADMIN"; + AmbientCapabilities = "CAP_NET_ADMIN"; + + ReadWritePaths = [ "${cfg.dataDir}" ]; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + + RestrictNamespaces = "yes"; + DeviceAllow = "no"; + KeyringMode = "private"; + NoNewPrivileges = "yes"; + NotifyAccess = "none"; + PrivateDevices = "yes"; + PrivateMounts = "yes"; + PrivateTmp = "yes"; + ProtectClock = "yes"; + ProtectControlGroups = "yes"; + ProtectHome = "yes"; + ProtectKernelLogs = "yes"; + ProtectKernelModules = "yes"; + ProtectKernelTunables = "yes"; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictSUIDSGID = "yes"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "~@clock" + "~@debug" + "~@module" + "~@mount" + "~@raw-io" + "~@reboot" + "~@swap" + # "~@privileged" + "~@resources" + "~@cpu-emulation" + "~@obsolete" + ]; + RestrictRealtime = "yes"; + Delegate = "no"; + LockPersonality = "yes"; + MemoryDenyWriteExecute = "yes"; + RemoveIPC = "yes"; + UMask = "0027"; + ProtectHostname = "yes"; + ProcSubset = "pid"; + + WorkingDirectory = "${cfg.package}/libexec"; + }; + + path = with pkgs; [ wg-bond 
self.packages.${system}.wireguard-tools iptables bash gawk ]; + + preStart = '' + if [[ ! -f ${cfg.dataDir}/wireguard/wg-bond.json ]]; then + mkdir -p ${cfg.dataDir}/wireguard/ + mkdir -p ${cfg.dataDir}/wireguard/clients + mkdir -p ${cfg.dataDir}/wireguard/peers + wg-bond -c ${cfg.dataDir}/wireguard/wg-bond.json init subspace --network "${cfg.subnet}" + wg-bond -c ${cfg.dataDir}/wireguard/wg-bond.json add subspace-root --endpoint ${cfg.httpHost}:${cfg.proxyPort} --center --gateway --masquerade eth0 + fi + if [[ ! -d ${cfg.dataDir}/wireguard/clients ]]; then mkdir -p ${cfg.dataDir}/wireguard/clients; fi + if [[ ! -d ${cfg.dataDir}/wireguard/peers ]]; then mkdir -p ${cfg.dataDir}/wireguard/peers; fi + wg-bond -c ${cfg.dataDir}/wireguard/wg-bond.json conf subspace-root > ${cfg.dataDir}/wireguard/subspace.conf + wg-quick up ${cfg.dataDir}/wireguard/subspace.conf + + chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} + chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} + ''; + + postStop = '' + wg-quick down ${cfg.dataDir}/wireguard/subspace.conf + ''; + + script = '' + ${cfg.package}/bin/subspace \ + --http-host="${cfg.httpHost}" \ + --backlink="${cfg.backlink}" \ + --datadir="${cfg.dataDir}" \ + --debug="${if cfg.debug then "true" else "false"}" \ + --http-addr="${cfg.httpAddr}" \ + --http-insecure="${if cfg.httpInsecure then "true" else "false"}" \ + --letsencrypt="${if cfg.letsencrypt then "true" else "false"}" \ + ${cfg.params} + ''; + }; + }; + }; + }; + +} diff --git a/scripts/dockerfiles/386.dockerfile b/scripts/dockerfiles/386.dockerfile deleted file mode 100644 index 442af184..00000000 --- a/scripts/dockerfiles/386.dockerfile +++ /dev/null 
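Review bot: `path = with pkgs; [ wg-bond self.packages.${system}.wireguard-tools ... ]` in the nixosModule only evaluates because `with pkgs;` supplies `pkgs.system`; the `system` bound by `eachDefaultSystem` is not in scope there, which is easy to misread, so write `self.packages.${pkgs.system}.wireguard-tools` as the `package` option default already does. In installPhase `install -Dm777 subspace $out/bin/subspace` is the wrong mode; the store canonicalises permissions so it is harmless there, but `-Dm755` is what is meant. The `privateKeyFile` option is declared with a default under /secrets but never read in `config`, and preStart hard-codes `--masquerade eth0`, which should be an option because the upstream interface name differs per host. The module brings the tunnel up and down with `wg-quick` in preStart/postStop while the Go handlers in this commit bounce the same interface on every profile change, so the two owners of interface state need reconciling, presumably by making the handlers use `wg syncconf`. The flake's devShell and overlay are in this hunk; the nixosModule ends at the end of the file.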
@@ -1,56 +0,0 @@ -FROM alpine AS builder - -# Download QEMU, see https://github.com/docker/hub-feedback/issues/1261 -ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-aarch64.tar.gz -RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 - - -FROM i386/golang:1.14.4-buster as build - -# Add QEMU -COPY --from=builder qemu-aarch64-static /usr/bin - -RUN apt-get update \ - && apt-get install -y git make \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=386 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - -FROM i386/alpine:3.11.6 -LABEL maintainer="github.com/subspacecommunity/subspace" - -# Add QEMU -COPY --from=builder qemu-aarch64-static /usr/bin - -ENV DEBIAN_FRONTEND noninteractive -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/amd64.dockerfile b/scripts/dockerfiles/amd64.dockerfile deleted file mode 100644 index df486a3f..00000000 --- a/scripts/dockerfiles/amd64.dockerfile +++ /dev/null 
@@ -1,43 +0,0 @@ -FROM golang:1.14 as build - -RUN apt-get update \ - && apt-get install -y git make \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=amd64 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - -FROM alpine:3.11.6 -LABEL maintainer="github.com/subspacecommunity/subspace" - -ENV DEBIAN_FRONTEND noninteractive -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/arm32v5.dockerfile b/scripts/dockerfiles/arm32v5.dockerfile deleted file mode 100644 index 8f3a47a5..00000000 --- a/scripts/dockerfiles/arm32v5.dockerfile +++ /dev/null 
@@ -1,60 +0,0 @@ -FROM alpine AS builder - -# Download QEMU, see https://github.com/docker/hub-feedback/issues/1261 -ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-arm.tar.gz -RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 - - -FROM arm32v5/golang:1.14.4-buster as build - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -RUN apt-get update \ - && apt-get install -y git make \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=arm -ENV GOARM=5 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - - -FROM arm32v5/debian:buster-backports -LABEL maintainer="github.com/subspacecommunity/subspace" - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -RUN apt-get update \ - && apt-get install -y \ - iproute2 \ - iptables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit \ - && rm -rf /var/lib/apt/lists/* - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -ENV DEBIAN_FRONTEND noninteractive - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/arm32v6.dockerfile b/scripts/dockerfiles/arm32v6.dockerfile deleted file mode 100644 index e52fdf6c..00000000 --- a/scripts/dockerfiles/arm32v6.dockerfile +++ /dev/null 
@@ -1,56 +0,0 @@ -FROM alpine AS builder - -# Download QEMU, see https://github.com/docker/hub-feedback/issues/1261 -ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-arm.tar.gz -RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 - - -FROM arm32v6/golang:1.14.4-alpine as build - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -RUN apk add --no-cache git make gcc musl-dev - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=arm -ENV GOARM=6 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - - -FROM arm32v6/alpine:3.11.6 -LABEL maintainer="github.com/subspacecommunity/subspace" - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -ENV DEBIAN_FRONTEND noninteractive -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/arm32v7.dockerfile b/scripts/dockerfiles/arm32v7.dockerfile deleted file mode 100644 index b5687605..00000000 --- a/scripts/dockerfiles/arm32v7.dockerfile +++ /dev/null 
@@ -1,57 +0,0 @@ -FROM alpine AS builder - -# Download QEMU, see https://github.com/docker/hub-feedback/issues/1261 -ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-arm.tar.gz -RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 - - -FROM arm32v7/golang:1.14.4-buster as build - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -RUN apt-get update \ - && apt-get install -y git make \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=arm -ENV GOARM=7 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - -FROM arm32v7/alpine:3.11.6 -LABEL maintainer="github.com/subspacecommunity/subspace" - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -ENV DEBIAN_FRONTEND noninteractive -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/arm64v8.dockerfile b/scripts/dockerfiles/arm64v8.dockerfile deleted file mode 100644 index 43cc72d3..00000000 --- a/scripts/dockerfiles/arm64v8.dockerfile +++ /dev/null 
@@ -1,56 +0,0 @@ -FROM alpine AS builder - -# Download QEMU, see https://github.com/docker/hub-feedback/issues/1261 -ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-aarch64.tar.gz -RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 - - -FROM arm64v8/golang:1.14.4-buster as build - -# Add QEMU -COPY --from=builder qemu-aarch64-static /usr/bin - -RUN apt-get update \ - && apt-get install -y git make \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=arm64 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - -FROM arm64v8/alpine:3.11.6 -LABEL maintainer="github.com/subspacecommunity/subspace" - -# Add QEMU -COPY --from=builder qemu-aarch64-static /usr/bin - -ENV DEBIAN_FRONTEND noninteractive -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/hooks/post_push b/scripts/dockerfiles/hooks/post_push deleted file mode 100644 index b76e3853..00000000 --- a/scripts/dockerfiles/hooks/post_push +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/bash - -# Use manifest-tool to create the manifest, given the experimental -# "docker manifest" command isn't available yet on Docker Hub. - -curl -Lo manifest-tool https://github.com/estesp/manifest-tool/releases/download/v0.9.0/manifest-tool-linux-amd64 -chmod +x manifest-tool - -git_tag=$(git describe --abbrev=0 --tags) -IFS=. read major minor bugfix < multi-arch-manifest.yaml -image: subspacecommunity/subspace -tags: ['latest', '${major}.${minor}.${bugfix}', '${major}.${minor}', '${major}'] -manifests: - - image: subspacecommunity/subspace:amd64 - platform: - architecture: amd64 - os: linux - - image: subspacecommunity/subspace:386 - platform: - architecture: 386 - os: linux - - image: subspacecommunity/subspace:arm32v6 - platform: - architecture: arm - os: linux - variant: v6 - - image: subspacecommunity/subspace:arm32v7 - platform: - architecture: arm - os: linux - variant: v7 - - image: subspacecommunity/subspace:arm64v8 - platform: - architecture: arm64 - os: linux - variant: v8 -EOF - -./manifest-tool push from-spec multi-arch-manifest.yaml diff --git a/scripts/dockerfiles/hooks/pre_build b/scripts/dockerfiles/hooks/pre_build deleted file mode 100644 index 0a94f7e5..00000000 --- a/scripts/dockerfiles/hooks/pre_build +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -# Register qemu-*-static for all supported processors except the -# current one, but also remove all registered binfmt_misc before -docker run --rm --privileged multiarch/qemu-user-static:register --reset diff --git a/web/templates/index.html b/web/templates/index.html index 8f138b93..13343873 100644 --- a/web/templates/index.html +++ b/web/templates/index.html @@ -23,7 +23,7 @@ {{if eq $error "addprofile"}} Adding device failed {{else if eq $error "deleteprofile"}} - Adding device failed + Deleting device failed {{else if eq $error "profilename"}} Device name is required {{else}} 
diff --git a/wg-quick-no-uid.patch b/wg-quick-no-uid.patch
new file mode 100644
index 00000000..03cc0d00
--- /dev/null
+++ b/wg-quick-no-uid.patch
@@ -0,0 +1,13 @@
+diff --git a/wg-quick/linux.bash b/wg-quick/linux.bash
+index e4d4c4f..bd407d4 100755
+--- a/wg-quick/linux.bash
++++ b/wg-quick/linux.bash
+@@ -82,7 +82,7 @@ read_bool() {
+ }
+
+ auto_su() {
+- [[ $UID == 0 ]] || exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " -- "$BASH" -- "$SELF" "${ARGS[@]}"
++ :
+ }
+
+ add_if() {
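Review bot: Replacing the body of `auto_su()` with a bare `:` drops the root check without replacing it with any check or explanation, so a wg-quick started without the expected capability now runs on until the first `ip`/`wg` call fails instead of stopping with the original explicit message, and the patch file itself says nothing about why escalation is disabled. Given that the systemd unit in this commit runs wg-quick as `cfg.user` with `AmbientCapabilities = "CAP_NET_ADMIN"` and `NoNewPrivileges = "yes"`, removing the `exec sudo` is the right direction (sudo could not gain privilege under NoNewPrivileges anyway), but the replacement line should say so: `: # root check removed on purpose: subspace runs wg-quick as an unprivileged service user that holds CAP_NET_ADMIN via the systemd unit`. The hunk is also pinned to `@@ -82,7 +82,7 @@` of upstream revision `e4d4c4f`, so a wireguard-tools bump may make it stop applying; worth confirming that the flake fails the build on a patch rejection rather than shipping an unpatched wg-quick that tries to `exec sudo`. Whether wg-quick's other privileged steps (sysctl writes, route and rule changes) succeed with only CAP_NET_ADMIN under the unit's `ProtectKernelTunables` is presumably tested, but a short note next to the patch would save the next maintainer from guessing.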