From e581b3a69fe20d756fb8c876594bb093b2f5394c Mon Sep 17 00:00:00 2001
From: ultram4rine
Date: Thu, 16 Dec 2021 22:35:15 +0400
Subject: [PATCH] Wireguard exporter friendly tags (#81)
* add friendly name
* add friendly name as option to configuration
* add friendly name configuration to readme
---
 README.md | 103 +++++++++++++-------------
 internal/server/configuration.go | 2 +
 internal/server/handlers_interface.go | 2 +-
 internal/server/server_helper.go | 2 +-
 internal/wireguard/peermanager.go | 7 +-
 internal/wireguard/tpl/interface.tpl | 5 +-
 6 files changed, 64 insertions(+), 57 deletions(-)
diff --git a/README.md b/README.md
index 765fbdc..d05d7d1 100644
--- a/README.md
+++ b/README.md
@@ -108,57 +108,58 @@ For example: `CONFIG_FILE=/home/test/config.yml ./wg-portal-amd64`.
 ### Configuration Options
 The following configuration options are available:
-| environment | yaml | yaml_parent | default_value | description |
-|-----------------------|-------------------|-------------|-------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|
-| LISTENING_ADDRESS | listeningAddress | core | :8123 | The address on which the web server is listening. Optional IP address and port, e.g.: 127.0.0.1:8080. |
-| EXTERNAL_URL | externalUrl | core | http://localhost:8123 | The external URL where the web server is reachable. This link is used in emails that are created by the WireGuard Portal. |
-| WEBSITE_TITLE | title | core | WireGuard VPN | The website title. |
-| COMPANY_NAME | company | core | WireGuard Portal | The company name (for branding). |
-| MAIL_FROM | mailFrom | core | WireGuard VPN | The email address from which emails are sent. |
-| LOGO_URL | logoUrl | core | /img/header-logo.png | The logo displayed in the page's header. |
-| ADMIN_USER | adminUser | core | admin@wgportal.local | The administrator user. Must be a valid email address. |
-| ADMIN_PASS | adminPass | core | wgportal | The administrator password. If unchanged, a random password will be set on first startup. |
-| EDITABLE_KEYS | editableKeys | core | true | Allow to edit key-pairs in the UI. |
-| CREATE_DEFAULT_PEER | createDefaultPeer | core | false | If an LDAP user logs in for the first time, a new WireGuard peer will be created on the WG_DEFAULT_DEVICE if this option is enabled. |
-| SELF_PROVISIONING | selfProvisioning | core | false | Allow registered users to automatically create peers via the RESTful API. |
-| LDAP_ENABLED | ldapEnabled | core | false | Enable or disable the LDAP backend. |
-| SESSION_SECRET | sessionSecret | core | secret | Use a custom secret to encrypt session data. |
-| DATABASE_TYPE | typ | database | sqlite | Either mysql or sqlite. |
-| DATABASE_HOST | host | database | | The mysql server address. |
-| DATABASE_PORT | port | database | | The mysql server port. |
-| DATABASE_NAME | database | database | data/wg_portal.db | For sqlite database: the database file-path, otherwise the database name. |
-| DATABASE_USERNAME | user | database | | The mysql user. |
-| DATABASE_PASSWORD | password | database | | The mysql password. |
-| EMAIL_HOST | host | email | 127.0.0.1 | The email server address. |
-| EMAIL_PORT | port | email | 25 | The email server port. |
-| EMAIL_TLS | tls | email | false | Use STARTTLS. DEPRECATED: use EMAIL_ENCRYPTION instead. |
-| EMAIL_ENCRYPTION | encryption | email | none | Either none, tls or starttls. |
-| EMAIL_CERT_VALIDATION | certcheck | email | false | Validate the email server certificate. |
-| EMAIL_USERNAME | user | email | | An optional username for SMTP authentication. |
-| EMAIL_PASSWORD | pass | email | | An optional password for SMTP authentication. |
-| EMAIL_AUTHTYPE | auth | email | plain | Either plain, login or crammd5. If username and password are empty, this value is ignored. |
-| WG_DEVICES | devices | wg | wg0 | A comma separated list of WireGuard devices. |
-| WG_DEFAULT_DEVICE | defaultDevice | wg | wg0 | This device is used for auto-created peers (if CREATE_DEFAULT_PEER is enabled). |
-| WG_CONFIG_PATH | configDirectory | wg | /etc/wireguard | If set, interface configuration updates will be written to this path, filename: .conf. |
-| MANAGE_IPS | manageIPAddresses | wg | true | Handle IP address setup of interface, only available on linux. |
-| LDAP_URL | url | ldap | ldap://srv-ad01.company.local:389 | The LDAP server url. |
-| LDAP_STARTTLS | startTLS | ldap | true | Use STARTTLS. |
-| LDAP_CERT_VALIDATION | certcheck | ldap | false | Validate the LDAP server certificate. |
-| LDAP_BASEDN | dn | ldap | DC=COMPANY,DC=LOCAL | The base DN for searching users. |
-| LDAP_USER | user | ldap | company\\\\ldap_wireguard | The bind user. |
-| LDAP_PASSWORD | pass | ldap | SuperSecret | The bind password. |
-| LDAP_LOGIN_FILTER | loginFilter | ldap | (&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2)) | {{login_identifier}} will be replaced with the login email address. |
-| LDAP_SYNC_FILTER | syncFilter | ldap | (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*)) | The filter string for the LDAP synchronization service. |
-| LDAP_ADMIN_GROUP | adminGroup | ldap | CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL | Users in this group are marked as administrators. |
-| LDAP_ATTR_EMAIL | attrEmail | ldap | mail | User email attribute. |
-| LDAP_ATTR_FIRSTNAME | attrFirstname | ldap | givenName | User firstname attribute. |
-| LDAP_ATTR_LASTNAME | attrLastname | ldap | sn | User lastname attribute. |
-| LDAP_ATTR_PHONE | attrPhone | ldap | telephoneNumber | User phone number attribute. |
-| LDAP_ATTR_GROUPS | attrGroups | ldap | memberOf | User groups attribute. |
-| LOG_LEVEL | | | debug | Specify log level, one of: trace, debug, info, off. |
-| LOG_JSON | | | false | Format log output as JSON. |
-| LOG_COLOR | | | true | Colorize log output. |
-| CONFIG_FILE | | | config.yml | The config file path. |
+| environment | yaml | yaml_parent | default_value | description |
+|----------------------------|-------------------------|-------------|-------------------------------------------------|-------------------------------------------------------------------------------------------|
+| LISTENING_ADDRESS | listeningAddress | core | :8123 | The address on which the web server is listening. Optional IP address and port, e.g.: 127.0.0.1:8080. |
+| EXTERNAL_URL | externalUrl | core | http://localhost:8123 | The external URL where the web server is reachable. This link is used in emails that are created by the WireGuard Portal. |
+| WEBSITE_TITLE | title | core | WireGuard VPN | The website title. |
+| COMPANY_NAME | company | core | WireGuard Portal | The company name (for branding). |
+| MAIL_FROM | mailFrom | core | WireGuard VPN | The email address from which emails are sent. |
+| LOGO_URL | logoUrl | core | /img/header-logo.png | The logo displayed in the page's header. |
+| ADMIN_USER | adminUser | core | admin@wgportal.local | The administrator user. Must be a valid email address. |
+| ADMIN_PASS | adminPass | core | wgportal | The administrator password. If unchanged, a random password will be set on first startup. |
+| EDITABLE_KEYS | editableKeys | core | true | Allow to edit key-pairs in the UI. |
+| CREATE_DEFAULT_PEER | createDefaultPeer | core | false | If an LDAP user logs in for the first time, a new WireGuard peer will be created on the WG_DEFAULT_DEVICE if this option is enabled. |
+| SELF_PROVISIONING | selfProvisioning | core | false | Allow registered users to automatically create peers via the RESTful API. |
+| WG_EXPORTER_FRIENDLY_NAMES | wgExporterFriendlyNames | core | false | Enable integration with [prometheus_wireguard_exporter friendly name](https://github.com/MindFlavor/prometheus_wireguard_exporter#friendly-tags). |
+| LDAP_ENABLED | ldapEnabled | core | false | Enable or disable the LDAP backend. |
+| SESSION_SECRET | sessionSecret | core | secret | Use a custom secret to encrypt session data. |
+| DATABASE_TYPE | typ | database | sqlite | Either mysql or sqlite. |
+| DATABASE_HOST | host | database | | The mysql server address. |
+| DATABASE_PORT | port | database | | The mysql server port. |
+| DATABASE_NAME | database | database | data/wg_portal.db | For sqlite database: the database file-path, otherwise the database name. |
+| DATABASE_USERNAME | user | database | | The mysql user. |
+| DATABASE_PASSWORD | password | database | | The mysql password. |
+| EMAIL_HOST | host | email | 127.0.0.1 | The email server address. |
+| EMAIL_PORT | port | email | 25 | The email server port. |
+| EMAIL_TLS | tls | email | false | Use STARTTLS. DEPRECATED: use EMAIL_ENCRYPTION instead. |
+| EMAIL_ENCRYPTION | encryption | email | none | Either none, tls or starttls. |
+| EMAIL_CERT_VALIDATION | certcheck | email | false | Validate the email server certificate. |
+| EMAIL_USERNAME | user | email | | An optional username for SMTP authentication. |
+| EMAIL_PASSWORD | pass | email | | An optional password for SMTP authentication. |
+| EMAIL_AUTHTYPE | auth | email | plain | Either plain, login or crammd5. If username and password are empty, this value is ignored. |
+| WG_DEVICES | devices | wg | wg0 | A comma separated list of WireGuard devices. |
+| WG_DEFAULT_DEVICE | defaultDevice | wg | wg0 | This device is used for auto-created peers (if CREATE_DEFAULT_PEER is enabled). |
+| WG_CONFIG_PATH | configDirectory | wg | /etc/wireguard | If set, interface configuration updates will be written to this path, filename: .conf. |
+| MANAGE_IPS | manageIPAddresses | wg | true | Handle IP address setup of interface, only available on linux. |
+| LDAP_URL | url | ldap | ldap://srv-ad01.company.local:389 | The LDAP server url. |
+| LDAP_STARTTLS | startTLS | ldap | true | Use STARTTLS. |
+| LDAP_CERT_VALIDATION | certcheck | ldap | false | Validate the LDAP server certificate. |
+| LDAP_BASEDN | dn | ldap | DC=COMPANY,DC=LOCAL | The base DN for searching users. |
+| LDAP_USER | user | ldap | company\\\\ldap_wireguard | The bind user. |
+| LDAP_PASSWORD | pass | ldap | SuperSecret | The bind password. |
+| LDAP_LOGIN_FILTER | loginFilter | ldap | (&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2)) | {{login_identifier}} will be replaced with the login email address. |
+| LDAP_SYNC_FILTER | syncFilter | ldap | (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*)) | The filter string for the LDAP synchronization service. |
+| LDAP_ADMIN_GROUP | adminGroup | ldap | CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL | Users in this group are marked as administrators. |
+| LDAP_ATTR_EMAIL | attrEmail | ldap | mail | User email attribute. |
+| LDAP_ATTR_FIRSTNAME | attrFirstname | ldap | givenName | User firstname attribute. |
+| LDAP_ATTR_LASTNAME | attrLastname | ldap | sn | User lastname attribute. |
+| LDAP_ATTR_PHONE | attrPhone | ldap | telephoneNumber | User phone number attribute. |
+| LDAP_ATTR_GROUPS | attrGroups | ldap | memberOf | User groups attribute. |
+| LOG_LEVEL | | | debug | Specify log level, one of: trace, debug, info, off. |
+| LOG_JSON | | | false | Format log output as JSON. |
+| LOG_COLOR | | | true | Colorize log output. |
+| CONFIG_FILE | | | config.yml | The config file path. |
 ### Sample yaml configuration
 config.yml:
diff --git a/internal/server/configuration.go b/internal/server/configuration.go
index 61ba426..3b013d1 100644
--- a/internal/server/configuration.go
+++ b/internal/server/configuration.go
@@ -67,6 +67,7 @@ type Config struct {
 EditableKeys bool `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
 CreateDefaultPeer bool `yaml:"createDefaultPeer" envconfig:"CREATE_DEFAULT_PEER"`
 SelfProvisioningAllowed bool `yaml:"selfProvisioning" envconfig:"SELF_PROVISIONING"`
+ WGExoprterFriendlyNames bool `yaml:"wgExporterFriendlyNames" envconfig:"WG_EXPORTER_FRIENDLY_NAMES"`
 LdapEnabled bool `yaml:"ldapEnabled" envconfig:"LDAP_ENABLED"`
 SessionSecret string `yaml:"sessionSecret" envconfig:"SESSION_SECRET"`
 LogoUrl string `yaml:"logoUrl" envconfig:"LOGO_URL"`
@@ -91,6 +92,7 @@ func NewConfig() *Config {
 cfg.Core.AdminPassword = "wgportal"
 cfg.Core.LdapEnabled = false
 cfg.Core.EditableKeys = true
+ cfg.Core.WGExoprterFriendlyNames = false
 cfg.Core.SessionSecret = "secret"
 cfg.Database.Typ = "sqlite"
diff --git a/internal/server/handlers_interface.go b/internal/server/handlers_interface.go
index f22dec5..72f5a6f 100644
--- a/internal/server/handlers_interface.go
+++ b/internal/server/handlers_interface.go
@@ -112,7 +112,7 @@ func (s *Server) GetInterfaceConfig(c *gin.Context) {
 currentSession := GetSessionData(c)
 device := s.peers.GetDevice(currentSession.DeviceName)
 peers := s.peers.GetActivePeers(device.DeviceName)
- cfg, err := device.GetConfigFile(peers)
+ cfg, err := device.GetConfigFile(peers, s.config.Core.WGExoprterFriendlyNames)
 if err != nil {
 s.GetHandleError(c, http.StatusInternalServerError, "ConfigFile error", err.Error())
 return
diff --git a/internal/server/server_helper.go b/internal/server/server_helper.go
index 2fd482f..0ffd50c 100644
--- a/internal/server/server_helper.go
+++ b/internal/server/server_helper.go
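Review bot: The new field `WGExoprterFriendlyNames` misspells "Exporter", and the typo is carried into `NewConfig` and both call sites (`handlers_interface.go`, `server_helper.go`) in this same commit; because the field is new and exported on `Config`, rename it to `WGExporterFriendlyNames` now rather than ship the misspelling in the public type. The yaml and envconfig tags (`wgExporterFriendlyNames`, `WG_EXPORTER_FRIENDLY_NAMES`) are spelled correctly, so only the Go identifier changes. The explicit `cfg.Core.WGExoprterFriendlyNames = false` is redundant with the zero value but matches how the surrounding defaults are written, so keep it (renamed). Both `type Config struct` and `NewConfig` extend beyond the hunk.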
@@ -209,7 +209,7 @@ func (s *Server) WriteWireGuardConfigFile(device string) error {
 }
 dev := s.peers.GetDevice(device)
- cfg, err := dev.GetConfigFile(s.peers.GetActivePeers(device))
+ cfg, err := dev.GetConfigFile(s.peers.GetActivePeers(device), s.config.Core.WGExoprterFriendlyNames)
 if err != nil {
 return errors.WithMessage(err, "failed to get config file")
 }
diff --git a/internal/wireguard/peermanager.go b/internal/wireguard/peermanager.go
index 5afa1be..0e1d95b 100644
--- a/internal/wireguard/peermanager.go
+++ b/internal/wireguard/peermanager.go
@@ -338,12 +338,13 @@ func (d Device) GetConfig() wgtypes.Config {
 return cfg
 }
-func (d Device) GetConfigFile(peers []Peer) ([]byte, error) {
+func (d Device) GetConfigFile(peers []Peer, friendlyNames bool) ([]byte, error) {
 var tplBuff bytes.Buffer
 err := templateCache.ExecuteTemplate(&tplBuff, "interface.tpl", gin.H{
- "Peers": peers,
- "Interface": d,
+ "Peers": peers,
+ "Interface": d,
+ "FriendlyNames": friendlyNames,
 })
 if err != nil {
 return nil, errors.Wrap(err, "failed to execute server template")
diff --git a/internal/wireguard/tpl/interface.tpl b/internal/wireguard/tpl/interface.tpl
index 9662a5a..745347c 100644
--- a/internal/wireguard/tpl/interface.tpl
+++ b/internal/wireguard/tpl/interface.tpl
@@ -56,6 +56,9 @@ PostDown = {{ .Interface.PostDown }}
 # -WGP- PrivateKey: {{.PrivateKey}}
 {{- end}}
 [Peer]
+{{- if $.FriendlyNames}}
+# friendly_name = {{ .Identifier }}
+{{- end}}
 PublicKey = {{ .PublicKey }}
 {{- if .PresharedKey}}
 PresharedKey = {{ .PresharedKey }}
@@ -75,4 +78,4 @@ Endpoint = {{ .Endpoint }}
 PersistentKeepalive = {{ .PersistentKeepalive }}
 {{- end}}
 {{- end}}
-{{end}}
\ No newline at end of file
+{{end}}
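Review bot: `GetConfigFile` is exported and gains a new `friendlyNames` parameter but still carries no doc comment, so a caller cannot tell what the flag changes without opening `interface.tpl`. Add above the signature: `// GetConfigFile renders interface.tpl for the device and the given peers. When friendlyNames is true, each [Peer] section is preceded by a "# friendly_name = <identifier>" comment for prometheus_wireguard_exporter.` The function body continues past the end of the hunk.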
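Review bot: `# friendly_name = {{ .Identifier }}` writes a free-form, user-chosen peer identifier verbatim into the server's interface configuration, which `WriteWireGuardConfigFile` in this same commit persists to the WireGuard config directory (`/etc/wireguard` by default per the README hunk) and `GetInterfaceConfig` serves for download. Unless identifiers are validated elsewhere to reject line breaks — not visible from this hunk — an identifier containing a newline ends the comment and lets a user who can create or rename peers inject arbitrary directives, or an entire extra `[Peer]` section, into the root-owned config; none of the other rendered fields here (`PublicKey`, `PresharedKey`, `Endpoint`) are free text, so this is the first such value in the template. Render it on one line only, e.g. through a template func that strips `\r`/`\n` (`# friendly_name = {{ oneline .Identifier }}`), or reject such identifiers at input time, and note the constraint in the README row for `WG_EXPORTER_FRIENDLY_NAMES`. Whether `templateCache` is text/template or html/template is not visible here; html/template escaping would not remove newlines either, so the fix belongs in the template rather than at one call site.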