Literally a complete rewrite, devouring whole thing with Nix and wg-bond

.envrc

@@ -0,0 +1 @@
+use flake

.gitignore

@@ -4,6 +4,7 @@
 *.dll
 *.so
 *.dylib
+.direnv
 
 # Test binary, built with `go test -c`
 *.test

cmd/subspace/handlers.go

@@ -414,113 +414,25 @@ func profileAddHandler(w *Web) {
 		return
 	}
 
-	ipv4Pref := "10.99.97."
-	if pref := getEnv("SUBSPACE_IPV4_PREF", "nil"); pref != "nil" {
-		ipv4Pref = pref
-	}
-	ipv4Gw := "10.99.97.1"
-	if gw := getEnv("SUBSPACE_IPV4_GW", "nil"); gw != "nil" {
-		ipv4Gw = gw
-	}
-	ipv4Cidr := "24"
-	if cidr := getEnv("SUBSPACE_IPV4_CIDR", "nil"); cidr != "nil" {
-		ipv4Cidr = cidr
-	}
-	ipv6Pref := "fd00::10:97:"
-	if pref := getEnv("SUBSPACE_IPV6_PREF", "nil"); pref != "nil" {
-		ipv6Pref = pref
-	}
-	ipv6Gw := "fd00::10:97:1"
-	if gw := getEnv("SUBSPACE_IPV6_GW", "nil"); gw != "nil" {
-		ipv6Gw = gw
-	}
-	ipv6Cidr := "64"
-	if cidr := getEnv("SUBSPACE_IPV6_CIDR", "nil"); cidr != "nil" {
-		ipv6Cidr = cidr
-	}
-	listenport := "51820"
-	if port := getEnv("SUBSPACE_LISTENPORT", "nil"); port != "nil" {
-		listenport = port
-	}
-	endpointHost := httpHost
-	if eh := getEnv("SUBSPACE_ENDPOINT_HOST", "nil"); eh != "nil" {
-		endpointHost = eh
-	}
-	allowedips := "0.0.0.0/0, ::/0"
-	if ips := getEnv("SUBSPACE_ALLOWED_IPS", "nil"); ips != "nil" {
-		allowedips = ips
-	}
-	ipv4Enabled := true
-	if enable := getEnv("SUBSPACE_IPV4_NAT_ENABLED", "1"); enable == "0" {
-		ipv4Enabled = false
-	}
-	ipv6Enabled := true
-	if enable := getEnv("SUBSPACE_IPV6_NAT_ENABLED", "1"); enable == "0" {
-		ipv6Enabled = false
-	}
-	disableDNS := false
-	if shouldDisableDNS := getEnv("SUBSPACE_DISABLE_DNS", "0"); shouldDisableDNS == "1" {
-		disableDNS = true
-	}
-
 	script := `
-cd {{$.Datadir}}/wireguard
-wg_private_key="$(wg genkey)"
-wg_public_key="$(echo $wg_private_key | wg pubkey)"
-
-wg set wg0 peer ${wg_public_key} allowed-ips {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}}
-
-cat <<WGPEER >peers/{{$.Profile.ID}}.conf
-[Peer]
-PublicKey = ${wg_public_key}
-AllowedIPs = {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}}
-WGPEER
-
-cat <<WGCLIENT >clients/{{$.Profile.ID}}.conf
-[Interface]
-PrivateKey = ${wg_private_key}
-{{- if not .DisableDNS }}
-DNS = {{if .Ipv4Enabled}}{{$.IPv4Gw}}{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Gw}}{{end}}
-{{- end }}
-Address = {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/{{$.IPv4Cidr}}{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/{{$.IPv6Cidr}}{{end}}
-
-[Peer]
-PublicKey = $(cat server.public)
-
-Endpoint = {{$.EndpointHost}}:{{$.Listenport}}
-AllowedIPs = {{$.AllowedIPS}}
-WGCLIENT
-`
+	cd {{$.Datadir}}/wireguard
+
+	wg-bond add {{$.Profile.ID}} --dns 1.1.1.1
+	wg-bond conf {{$.Profile.ID}} -T subspace-root > clients/{{$.Profile.ID}}.conf
+
+	# Syncing configuration
+	wg-bond conf subspace-root > subspace.conf
+	wg-quick strip ./subspace.conf > sync.conf
+	wg-quick down ./subspace.conf
+	wg-quick up ./subspace.conf
+
+	`
 	_, err = bash(script, struct {
-		Profile      Profile
-		EndpointHost string
-		Datadir      string
-		IPv4Gw       string
-		IPv6Gw       string
-		IPv4Pref     string
-		IPv6Pref     string
-		IPv4Cidr     string
-		IPv6Cidr     string
-		Listenport   string
-		AllowedIPS   string
-		Ipv4Enabled  bool
-		Ipv6Enabled  bool
-		DisableDNS   bool
+		Profile Profile
+		Datadir string
 	}{
 		profile,
-		endpointHost,
 		datadir,
-		ipv4Gw,
-		ipv6Gw,
-		ipv4Pref,
-		ipv6Pref,
-		ipv4Cidr,
-		ipv6Cidr,
-		listenport,
-		allowedips,
-		ipv4Enabled,
-		ipv6Enabled,
-		disableDNS,
 	})
 	if err != nil {
 		logger.Warn(err)
@@ -570,11 +482,19 @@ func profileDeleteHandler(w *Web) {
 	}
 	if err := deleteProfile(profile); err != nil {
 		logger.Errorf("delete profile failed: %s", err)
-		w.Redirect("/profile/delete?error=deleteprofile")
+		if profile.UserID == "" {
+			w.Redirect("/?error=deleteprofile")
+		} else {
+			w.Redirect("/profile/delete?error=deleteprofile")
+		}
 		return
 	}
 	if w.Admin {
-		w.Redirect("/user/edit/%s?success=deleteprofile", profile.UserID)
+		if profile.UserID == "" {
+			w.Redirect("/?success=deleteprofile")
+		} else {
+			w.Redirect("/user/edit/%s?success=deleteprofile", profile.UserID)
+		}
 		return
 	}
 	w.Redirect("/?success=deleteprofile")
@@ -684,13 +604,17 @@ func helpHandler(w *Web) {
 //
 func deleteProfile(profile Profile) error {
 	script := `
-# WireGuard
-cd {{$.Datadir}}/wireguard
-peerid=$(cat peers/{{$.Profile.ID}}.conf | awk '/PublicKey/ { printf("%s", $3) }' )
-wg set wg0 peer $peerid remove
-rm peers/{{$.Profile.ID}}.conf
-rm clients/{{$.Profile.ID}}.conf
-`
+		cd {{$.Datadir}}/wireguard
+
+		wg-bond rm {{$.Profile.ID}}
+
+		# Syncing configuration
+		wg-bond conf subspace-root > subspace.conf
+		wg-quick strip ./subspace.conf > sync.conf
+		wg-quick down ./subspace.conf
+		wg-quick up ./subspace.conf
+	`
+
 	output, err := bash(script, struct {
 		Datadir string
 		Profile Profile

cmd/subspace/main.go

@@ -89,9 +89,9 @@ func init() {
 	cli.StringVar(&datadir, "datadir", "/data", "data dir")
 	cli.StringVar(&backlink, "backlink", "/", "backlink (optional)")
 	cli.StringVar(&httpHost, "http-host", "", "HTTP host")
-	cli.StringVar(&httpAddr, "http-addr", ":80", "HTTP listen address")
+	cli.StringVar(&httpAddr, "http-addr", ":5555", "HTTP listen address")
 	cli.BoolVar(&httpInsecure, "http-insecure", false, "enable sessions cookies for http (no https) not recommended")
-	cli.BoolVar(&letsencrypt, "letsencrypt", true, "enable TLS using Let's Encrypt on port 443")
+	cli.BoolVar(&letsencrypt, "letsencrypt", false, "enable TLS using Let's Encrypt on port 443")
 	cli.BoolVar(&showVersion, "version", false, "display version and exit")
 	cli.BoolVar(&showHelp, "help", false, "display help and exit")
 	cli.BoolVar(&debug, "debug", false, "debug mode")
@@ -261,13 +261,13 @@ func main() {
 
 		httpd := &http.Server{
 			Handler:        certmanager.HTTPHandler(redir),
-			Addr:           net.JoinHostPort(httpIP, "80"),
+			Addr:           net.JoinHostPort(httpIP, "1080"),
 			WriteTimeout:   httpTimeout,
 			ReadTimeout:    httpTimeout,
 			MaxHeaderBytes: maxHeaderBytes,
 		}
 		if err := httpd.ListenAndServe(); err != nil {
-			logger.Fatalf("http server on port 80 failed: %s", err)
+			logger.Fatalf("http server on port 1080 failed: %s", err)
 		}
 	}()
 

cmd/subspace/utils.go

@@ -62,7 +62,7 @@ set -o xtrace
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 	defer cancel()
 
-	output, err := exec.CommandContext(ctx, "/bin/bash", "-c", string(script.Bytes())).CombinedOutput()
+	output, err := exec.CommandContext(ctx, "/usr/bin/env", "bash", "-c", string(script.Bytes())).CombinedOutput()
 	if err != nil {
 		return string(output), fmt.Errorf("command failed: %s\n%s", err, string(output))
 	}

default.nix

@@ -0,0 +1,3 @@
+(import (fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz) {
+  src = builtins.fetchGit ./.;
+}).defaultNix