From 00611ef9dca2def6ad882cc703621fa03dc548a7 Mon Sep 17 00:00:00 2001 From: Dselen Date: Tue, 20 Aug 2024 09:58:25 -0500 Subject: [PATCH] Progress so far. --- docker/Dockerfile | 68 +++++++++++++---------- docker/{Docker-explain.md => README.md} | 0 docker/compose.yaml | 6 +- docker/entrypoint.sh | 73 +++++++++++++++++-------- 4 files changed, 90 insertions(+), 57 deletions(-) rename docker/{Docker-explain.md => README.md} (100%) diff --git a/docker/Dockerfile b/docker/Dockerfile index fb373d2..7070a5c 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,5 @@ # Pull from small Debian stable image. -FROM debian:stable-slim +FROM debian:stable-slim AS build LABEL maintainer="dselen@nerthus.nl" # Declaring environment variables, change Peernet to an address you like, standard is a 24 bit subnet. @@ -9,46 +9,52 @@ ENV wg_net="10.0.0.1" # Following ENV variables are changable on container runtime because /entrypoint.sh handles that. See compose.yaml for more info. ENV tz="Europe/Amsterdam" ENV global_dns="1.1.1.1" -ENV enable_wg0="false" +ENV enable="(`none`)" ENV isolated_peers="true" ENV public_ip="0.0.0.0" # Doing basic system maintenance. Change the timezone to the desired timezone. RUN ln -sf /usr/share/zoneinfo/${tz} /etc/localtime -# Doing package management operations, such as upgrading -RUN apt-get update && apt-get upgrade -y \ - && apt-get install -y --no-install-recommends curl \ - git \ - iproute2 \ - iptables \ - iputils-ping \ - openresolv \ - procps \ - python3 \ - python3-pip \ - python3-venv \ - traceroute \ - wireguard \ - wireguard-tools \ - && apt-get remove linux-image-* --autoremove -y \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* -# Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. - # Using WGDASH -- like wg_net functionally as a ARG command. But it is needed in entrypoint.sh so it needs to be exported as environment variable. ENV WGDASH=/opt/wireguarddashboard -RUN python3 -m venv ${WGDASH}/venv + +# Doing package management operations, such as upgrading +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + curl \ + git \ + iproute2 \ + iptables \ + iputils-ping \ + openresolv \ + procps \ + python3 \ + python3-pip \ + python3-venv \ + traceroute \ + wireguard \ + wireguard-tools \ + sudo && \ + apt-get remove -y linux-image-* && \ + apt-get autoremove -y && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +# Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. # Doing WireGuard Dashboard installation measures. Modify the git clone command to get the preferred version, with a specific branch for example. -RUN . ${WGDASH}/venv/bin/activate \ - && git clone https://github.com/donaldzou/WGDashboard.git ${WGDASH}/app \ - && pip3 install -r ${WGDASH}/app/src/requirements.txt \ - && chmod +x ${WGDASH}/app/src/wgd.sh \ - && .${WGDASH}/app/src/wgd.sh install +RUN git clone https://github.com/donaldzou/WGDashboard.git ${WGDASH} \ + && rm ${WGDASH}/.git -rdf \ + && python3 -m venv ${WGDASH}/src/venv \ + && . ${WGDASH}/src/venv/bin/activate \ + && chmod +x ${WGDASH}/src/wgd.sh \ + && cd ${WGDASH}/src \ + && ./wgd.sh install -# Set the volume to be used for persistency. +# Set the volume to be used for WireGuard configuration persistency. VOLUME /etc/wireguard +VOLUME ${WGDASH} # Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency. # Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006. @@ -67,7 +73,9 @@ RUN wg genkey | tee /etc/wireguard/wg0_privatekey \ && rm /etc/wireguard/wg0_privatekey # Defining a way for Docker to check the health of the container. In this case: checking the login URL. -HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl -f http://localhost:10086/signin || exit 1 +HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \ + CMD [ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:10086/)" -eq "200" ] || exit 1 + # Copy the basic entrypoint.sh script. COPY entrypoint.sh /entrypoint.sh diff --git a/docker/Docker-explain.md b/docker/README.md similarity index 100% rename from docker/Docker-explain.md rename to docker/README.md diff --git a/docker/compose.yaml b/docker/compose.yaml index 9d7509f..c79b5a5 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml @@ -1,12 +1,12 @@ services: wireguard-dashboard: - image: repo.nerthus.nl/app/wireguard-dashboard:latest + image: dselen/wgdashboard:dev restart: unless-stopped container_name: wire-dash environment: #- tz= # <--- Set container timezone, default: Europe/Amsterdam. #- global_dns= # <--- Set global DNS address, default: 1.1.1.1. - - enable_wg0=true # <--- If true, wg0 will be started on container startup. default: false. + - enable=wg0,wg1 # <--- If true, wg0 will be started on container startup. default: false. - isolated_peers=false # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: @@ -14,7 +14,7 @@ services: - 51820:51820/udp volumes: - conf:/etc/wireguard - - app:/opt/wireguarddashboard/app + - app:/opt/wireguarddashboard cap_add: - NET_ADMIN diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 118e9ef..6316ab7 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -1,30 +1,48 @@ #!/bin/bash echo "Starting the WireGuard Dashboard Docker container." +# === CLEAN UP === clean_up() { + echo "--------------------- CLEAN UP -----------------------" # Cleaning out previous data such as the .pid file and starting the WireGuard Dashboard. Making sure to use the python venv. echo "Looking for remains of previous instances..." - if [ -f "/opt/wireguarddashboard/app/src/gunicorn.pid" ]; then + local pid_file="${WGDASH}/src/gunicorn.pid" + if [ -f $pid_file ]; then echo "Found old .pid file, removing." - rm /opt/wireguarddashboard/app/src/gunicorn.pid + rm $pid_file else - echo "No remains found, continuing." + echo "No pid remains found, continuing." + fi + + local pycache="${WGDASH}/src/__pycache__" + if [ -d "$pycache" ]; then + local pycache_filecount=$(find "$pycache" -maxdepth 1 -type f | wc -l) + if [ "$pycache_filecount" -gt 0 ]; then + echo "Found old pycaches, removing." + rm -rf "$pycache"/* + else + echo "No pycaches found, continuing." + fi + else + echo "No pycaches found, continuing." fi } +# === CORE SERVICES === start_core() { + echo "--------------------- STARTING CORE -----------------------" + # This first step is to ensure the wg0.conf file exists, and if not, then its copied over from the ephemeral container storage. if [ ! -f "/etc/wireguard/wg0.conf" ]; then cp "/wg0.conf" "/etc/wireguard/wg0.conf" - echo "WireGuard interface file copied over." + echo "Standard WG0 Configuration file not found, grabbing template." else - echo "WireGuard interface file looks to already be existing." + echo "Standard WG0 Configuration file found, using that." fi echo "Activating Python venv and executing the WireGuard Dashboard service." - - . "${WGDASH}"/venv/bin/activate - cd "${WGDASH}"/app/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. + . "${WGDASH}"/src/venv/bin/activate + cd "${WGDASH}"/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. bash wgd.sh start # The following section takes care of the firewall rules regarding the 'isolated_peers' feature, which allows or drops packets destined from the wg0 to the wg0 interface. @@ -45,17 +63,22 @@ start_core() { fi - # The following section takes care of - if [ "${enable_wg0,,}" = "true" ]; then - echo "Preference for wg0 to be turned on found." - - wg-quick up wg0 - else - echo "Preference for wg0 to be turned off found." - fi + # The following section takes care of enabling wireguard interfaces on startup. + IFS=',' read -r -a enable_array <<< "${enable}" + for interface in "${enable_array[@]}"; do + echo "Preference for $interface to be turned on found." + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Found corresponding configuration file, activating..." + wg-quick up $interface + else + echo "No corresponding configuration file found for $interface doing nothing." + fi + done } +# === SET ENV VARS === set_envvars() { + echo "------------------------------------------------------------" echo "Setting relevant variables for operation." # If the timezone is different, for example in North-America or Asia. @@ -67,11 +90,11 @@ set_envvars() { fi # Changing the DNS used for clients and the dashboard itself. - if [ "${global_dns}" != "$(grep "peer_global_dns = " /opt/wireguarddashboard/app/src/wg-dashboard.ini | awk '{print $NF}')" ]; then + if [ "${global_dns}" != "$(grep "peer_global_dns = " /opt/wireguarddashboard/src/wg-dashboard.ini | awk '{print $NF}')" ]; then echo "Changing default dns." #sed -i "s/^DNS = .*/DNS = ${global_dns}/" /etc/wireguard/wg0.conf # Uncomment if you want to have DNS on server-level. - sed -i "s/^peer_global_dns = .*/peer_global_dns = ${global_dns}/" /opt/wireguarddashboard/app/src/wg-dashboard.ini + sed -i "s/^peer_global_dns = .*/peer_global_dns = ${global_dns}/" /opt/wireguarddashboard/src/wg-dashboard.ini fi # Setting the public IP of the WireGuard Dashboard container host. If not defined, it will trying fetching it using a curl to ifconfig.me. @@ -79,22 +102,24 @@ set_envvars() { default_ip=$(curl -s ifconfig.me) echo "Trying to fetch the Public-IP using ifconfig.me: ${default_ip}" - sed -i "s/^remote_endpoint = .*/remote_endpoint = ${default_ip}/" /opt/wireguarddashboard/app/src/wg-dashboard.ini - elif [ "${public_ip}" != "$(grep "remote_endpoint = " /opt/wireguarddashboard/app/src/wg-dashboard.ini | awk '{print $NF}')" ]; then + sed -i "s/^remote_endpoint = .*/remote_endpoint = ${default_ip}/" /opt/wireguarddashboard/src/wg-dashboard.ini + elif [ "${public_ip}" != "$(grep "remote_endpoint = " /opt/wireguarddashboard/src/wg-dashboard.ini | awk '{print $NF}')" ]; then echo "Setting the Public-IP using given variable: ${public_ip}" - sed -i "s/^remote_endpoint = .*/remote_endpoint = ${public_ip}/" /opt/wireguarddashboard/app/src/wg-dashboard.ini + sed -i "s/^remote_endpoint = .*/remote_endpoint = ${public_ip}/" /opt/wireguarddashboard/src/wg-dashboard.ini fi } +# === CLEAN UP === ensure_blocking() { + echo "------------------------------------------------------------" sleep 1s echo "Ensuring container continuation." # This function checks if the latest error log is created and tails it for docker logs uses. - if find "/opt/wireguarddashboard/app/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then - latestErrLog=$(find /opt/wireguarddashboard/app/src/log -name "error_*.log" | head -n 1) - latestAccLog=$(find /opt/wireguarddashboard/app/src/log -name "access_*.log" | head -n 1) + if find "/opt/wireguarddashboard/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then + latestErrLog=$(find /opt/wireguarddashboard/src/log -name "error_*.log" | head -n 1) + latestAccLog=$(find /opt/wireguarddashboard/src/log -name "access_*.log" | head -n 1) tail -f "${latestErrLog}" "${latestAccLog}" fi