From 4937bd60a63dcc9d36a7f38d81a71d5c2ca0c9ce Mon Sep 17 00:00:00 2001 From: Vladimir Serov Date: Sun, 27 Feb 2022 03:51:24 +0300 Subject: [PATCH 01/24] flake.nix: initial --- cmd/subspace/handlers.go | 3 +- cmd/subspace/main.go | 8 +- cmd/subspace/utils.go | 2 +- deps.nix | 373 +++++++++++++++++++++++++++++++++++++++ flake.lock | 25 +++ flake.nix | 116 ++++++++++++ 6 files changed, 520 insertions(+), 7 deletions(-) create mode 100644 deps.nix create mode 100644 flake.lock create mode 100644 flake.nix diff --git a/cmd/subspace/handlers.go b/cmd/subspace/handlers.go index 229417be..cb215c4f 100644 --- a/cmd/subspace/handlers.go +++ b/cmd/subspace/handlers.go @@ -9,7 +9,6 @@ import ( "os" "regexp" "strings" - "github.com/crewjam/saml/samlsp" "github.com/julienschmidt/httprouter" "github.com/pquerna/otp/totp" @@ -468,7 +467,7 @@ cd {{$.Datadir}}/wireguard wg_private_key="$(wg genkey)" wg_public_key="$(echo $wg_private_key | wg pubkey)" -wg set wg0 peer ${wg_public_key} allowed-ips {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}} +# wg set wg0 peer ${wg_public_key} allowed-ips {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}} cat <peers/{{$.Profile.ID}}.conf [Peer] diff --git a/cmd/subspace/main.go b/cmd/subspace/main.go index 1956ac9d..d399515e 100644 --- a/cmd/subspace/main.go +++ b/cmd/subspace/main.go 
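Review bot: Commenting out `wg set wg0 peer ${wg_public_key} allowed-ips …` means a newly added profile is written to `peers/{{$.Profile.ID}}.conf` but is never installed on the running interface, so the client cannot connect until something else rebuilds the peer list. If peer activation is intentionally being moved into the deployment (the NixOS module added by this patch only reads `peers/*` at service start), that needs a comment next to the disabled line, e.g. `# peer activation is left to the service unit, which regenerates the interface config from peers/* on start`; otherwise keep the `wg set` and make the interface name configurable instead of disabling it. The delete template elsewhere in this file still issues `wg set wg0 peer $peerid remove` (visible in a later patch of this series), so add and remove now disagree. The enclosing handler starts and ends outside this hunk.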
@@ -89,9 +89,9 @@ func init() { cli.StringVar(&datadir, "datadir", "/data", "data dir") cli.StringVar(&backlink, "backlink", "/", "backlink (optional)") cli.StringVar(&httpHost, "http-host", "", "HTTP host") - cli.StringVar(&httpAddr, "http-addr", ":80", "HTTP listen address") + cli.StringVar(&httpAddr, "http-addr", ":5555", "HTTP listen address") cli.BoolVar(&httpInsecure, "http-insecure", false, "enable sessions cookies for http (no https) not recommended") - cli.BoolVar(&letsencrypt, "letsencrypt", true, "enable TLS using Let's Encrypt on port 443") + cli.BoolVar(&letsencrypt, "letsencrypt", false, "enable TLS using Let's Encrypt on port 443") cli.BoolVar(&showVersion, "version", false, "display version and exit") cli.BoolVar(&showHelp, "help", false, "display help and exit") cli.BoolVar(&debug, "debug", false, "debug mode") @@ -261,13 +261,13 @@ func main() { httpd := &http.Server{ Handler: certmanager.HTTPHandler(redir), - Addr: net.JoinHostPort(httpIP, "80"), + Addr: net.JoinHostPort(httpIP, "1080"), WriteTimeout: httpTimeout, ReadTimeout: httpTimeout, MaxHeaderBytes: maxHeaderBytes, } if err := httpd.ListenAndServe(); err != nil { - logger.Fatalf("http server on port 80 failed: %s", err) + logger.Fatalf("http server on port 1080 failed: %s", err) } }() diff --git a/cmd/subspace/utils.go b/cmd/subspace/utils.go index 4f34348c..ab7d7fa4 100644 --- a/cmd/subspace/utils.go +++ b/cmd/subspace/utils.go @@ -62,7 +62,7 @@ set -o xtrace ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute) defer cancel() - output, err := exec.CommandContext(ctx, "/bin/bash", "-c", string(script.Bytes())).CombinedOutput() + output, err := exec.CommandContext(ctx, "/usr/bin/env", "bash", "-c", string(script.Bytes())).CombinedOutput() if err != nil { return string(output), fmt.Errorf("command failed: %s\n%s", err, string(output)) } diff --git a/deps.nix b/deps.nix new file mode 100644 index 00000000..0324ceaf --- /dev/null +++ b/deps.nix 
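Review bot: Flipping the shipped defaults to `-http-addr :5555` and `-letsencrypt false` changes behaviour for every existing deployment of the binary, not just the Nix one: anyone relying on the defaults silently loses TLS and leaves port 80 on upgrade, and the help text still promises Let's Encrypt on 443. The NixOS module introduced in this same patch already passes `-http-addr` through its `params` option, so the flags can be supplied there and the binary defaults left as they were, `cli.StringVar(&httpAddr, "http-addr", ":80", "HTTP listen address")` and `cli.BoolVar(&letsencrypt, "letsencrypt", true, "enable TLS using Let's Encrypt on port 443")`. If the defaults must change, that is a separate, self-describing commit rather than part of "flake.nix: initial". `init` continues outside the hunk.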
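Review bot: Moving the plain-HTTP listener from port 80 to 1080 also moves the ACME HTTP-01 responder (`certmanager.HTTPHandler(redir)`), and Let's Encrypt contacts port 80 for that challenge, so `-letsencrypt` can no longer obtain a certificate unless something outside this process forwards 80 to 1080. Either keep the listener on 80 and drop root via capabilities (`CAP_NET_BIND_SERVICE` is all it needs), or make the port a flag and document the forwarding requirement next to it. The port is also repeated by hand in the `Fatalf` string; one `const httpChallengePort = "1080"` used in both `net.JoinHostPort(httpIP, httpChallengePort)` and the log message stops them drifting. `main` continues outside the hunk.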
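Review bot: `/usr/bin/env bash` resolves the interpreter through the service's `PATH`, so which bash runs, and whether one is found at all, now depends on the launching environment rather than on a fixed path; that is what makes it work on NixOS, but the dependency deserves a comment, e.g. `// bash is looked up via PATH so non-FHS systems (NixOS) work; the service unit must put it on PATH`. Separately, the hunk header shows the script preamble runs `set -o xtrace`, and the profile template in handlers.go does `wg_private_key="$(wg genkey)"`; with xtrace on, the expanded assignment goes to stderr, which `CombinedOutput()` captures and the error path below embeds in the returned error (`command failed: %s\n%s`), so a failed profile add can carry the freshly generated client private key into whatever logs that error — check whether it does and trim the output if so. If `script` is a `bytes.Buffer`, `script.String()` is the idiomatic form of `string(script.Bytes())`. The enclosing function starts and ends outside the hunk.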
@@ -0,0 +1,373 @@ +# file generated from go.mod using vgo2nix (https://github.com/nix-community/vgo2nix) +[ + { + goPackagePath = "github.com/beevik/etree"; + fetch = { + type = "git"; + url = "https://github.com/beevik/etree"; + rev = "v1.1.0"; + sha256 = "12dqgh8swrnk8c1bwqmq4mgd65rj4waxgb02filkm3f52vyxryxn"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/boombuler/barcode"; + fetch = { + type = "git"; + url = "https://github.com/boombuler/barcode"; + rev = "6c824513bacc"; + sha256 = "0v4ypgh3xarzfpgys838mgkfabqacbjklhf4kfqnycs0v0anvnlr"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/crewjam/httperr"; + fetch = { + type = "git"; + url = "https://github.com/crewjam/httperr"; + rev = "a946449404da"; + sha256 = "1f7plyp60wp7zjyxqia0blxapby2qpf2f01760mllrgc5ylvm4y9"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/crewjam/saml"; + fetch = { + type = "git"; + url = "https://github.com/crewjam/saml"; + rev = "v0.4.5"; + sha256 = "0lzqqzqbm0pknrzqv6l6nf868p31cy88vmzm155q65aa0c6p69vh"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/davecgh/go-spew"; + fetch = { + type = "git"; + url = "https://github.com/davecgh/go-spew"; + rev = "v1.1.1"; + sha256 = "0hka6hmyvp701adzag2g26cxdj47g21x6jz4sc6jjz1mn59d474y"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/dchest/uniuri"; + fetch = { + type = "git"; + url = "https://github.com/dchest/uniuri"; + rev = "8902c56451e9"; + sha256 = "1x5bsbm1nlphsv96zd0rbclfaa1swpz5bp14x7s5dbxp0awk2gd4"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/dgrijalva/jwt-go"; + fetch = { + type = "git"; + url = "https://github.com/dgrijalva/jwt-go"; + rev = "v3.2.0"; + sha256 = "08m27vlms74pfy5z79w67f9lk9zkx6a9jd68k3c4msxy75ry36mp"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/dustin/go-humanize"; + fetch = { + type = "git"; + url = "https://github.com/dustin/go-humanize"; + rev = "v1.0.0"; + sha256 = "1kqf1kavdyvjk7f8kx62pnm7fbypn9z1vbf8v2qdh3y7z7a0cbl3"; 
+ moduleDir = ""; + }; + } + { + goPackagePath = "github.com/gorilla/securecookie"; + fetch = { + type = "git"; + url = "https://github.com/gorilla/securecookie"; + rev = "v1.1.1"; + sha256 = "16bqimpxs9vj5n59vm04y04v665l7jh0sddxn787pfafyxcmh410"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/jonboulle/clockwork"; + fetch = { + type = "git"; + url = "https://github.com/jonboulle/clockwork"; + rev = "v0.2.1"; + sha256 = "0ri5zcpbqxgminm3zp3zsyhr6d46m9nfcmmnba4vmb5szzvd7xlw"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/jteeuwen/go-bindata"; + fetch = { + type = "git"; + url = "https://github.com/jteeuwen/go-bindata"; + rev = "6025e8de665b"; + sha256 = "0mfp4mld38wswl020p11i1qrqrx5s74qv5f1cw116zd5w9n2q0aj"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/julienschmidt/httprouter"; + fetch = { + type = "git"; + url = "https://github.com/julienschmidt/httprouter"; + rev = "v1.3.0"; + sha256 = "1a6sy0ysqknsjssjh7qg1dqn21xmj9a36c57nrk7srfmab4ffmk1"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/kevinburke/go-bindata"; + fetch = { + type = "git"; + url = "https://github.com/kevinburke/go-bindata"; + rev = "v3.23.0"; + sha256 = "1dns8x8vvcn8vka6bgnn2bp0y97pcdpi0brr7d2s5zy3847j90d4"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/konsorten/go-windows-terminal-sequences"; + fetch = { + type = "git"; + url = "https://github.com/konsorten/go-windows-terminal-sequences"; + rev = "v1.0.3"; + sha256 = "1yrsd4s8vhjnxhwbigirymz89dn6qfjnhn28i33vvvdgf96j6ypl"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/kr/pretty"; + fetch = { + type = "git"; + url = "https://github.com/kr/pretty"; + rev = "v0.2.1"; + sha256 = "0vzfz06y9q8gs2nxx0kys0591vzp78k0fvpb8digi5n15h3b25hy"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/kr/pty"; + fetch = { + type = "git"; + url = "https://github.com/kr/pty"; + rev = "v1.1.1"; + sha256 = "0383f0mb9kqjvncqrfpidsf8y6ns5zlrc91c6a74xpyxjwvzl2y6"; + moduleDir = 
""; + }; + } + { + goPackagePath = "github.com/kr/text"; + fetch = { + type = "git"; + url = "https://github.com/kr/text"; + rev = "v0.1.0"; + sha256 = "1gm5bsl01apvc84bw06hasawyqm4q84vx1pm32wr9jnd7a8vjgj1"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/mattermost/xml-roundtrip-validator"; + fetch = { + type = "git"; + url = "https://github.com/mattermost/xml-roundtrip-validator"; + rev = "bcd7e1b9601e"; + sha256 = "0brxsz6j8kxp61xx68ws7g2dd88c1z9vv4nzhxfzk3cqsgys11w8"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/niemeyer/pretty"; + fetch = { + type = "git"; + url = "https://github.com/niemeyer/pretty"; + rev = "a10e7caefd8e"; + sha256 = "1jmazh4xzaa3v6g46hz60q2z7nmqs9l9cxdzmmscn3kbcs2znq4v"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/pkg/errors"; + fetch = { + type = "git"; + url = "https://github.com/pkg/errors"; + rev = "v0.8.1"; + sha256 = "0g5qcb4d4fd96midz0zdk8b9kz8xkzwfa8kr1cliqbg8sxsy5vd1"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/pmezard/go-difflib"; + fetch = { + type = "git"; + url = "https://github.com/pmezard/go-difflib"; + rev = "v1.0.0"; + sha256 = "0c1cn55m4rypmscgf0rrb88pn58j3ysvc2d0432dp3c6fqg6cnzw"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/pquerna/otp"; + fetch = { + type = "git"; + url = "https://github.com/pquerna/otp"; + rev = "v1.2.0"; + sha256 = "088njs8i7b0syyz20hzd3lcjxy61chc518d71lvykw2g9c9wsc7l"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/russellhaering/goxmldsig"; + fetch = { + type = "git"; + url = "https://github.com/russellhaering/goxmldsig"; + rev = "v1.1.0"; + sha256 = "0qg3zp4vp31m0l89g0rl76y1mn3ckv5k4nx6b4hb6rrvzkmxd9x0"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/sirupsen/logrus"; + fetch = { + type = "git"; + url = "https://github.com/sirupsen/logrus"; + rev = "v1.6.0"; + sha256 = "1zf9is1yxxnna0d1pyag2m9ziy3l27zb2j92p9msm1gx5jjrvzzj"; + moduleDir = ""; + }; + } + { + goPackagePath = 
"github.com/skip2/go-qrcode"; + fetch = { + type = "git"; + url = "https://github.com/skip2/go-qrcode"; + rev = "a3b48390827e"; + sha256 = "0nsaph5bkxsp0rv28v0wanfjx2pvkq9qim27lav67v27k57hl9lx"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/stretchr/objx"; + fetch = { + type = "git"; + url = "https://github.com/stretchr/objx"; + rev = "v0.1.0"; + sha256 = "19ynspzjdynbi85xw06mh8ad5j0qa1vryvxjgvbnyrr8rbm4vd8w"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/stretchr/testify"; + fetch = { + type = "git"; + url = "https://github.com/stretchr/testify"; + rev = "v1.6.1"; + sha256 = "1yhiqqzjvi63pf01rgzx68gqkkvjx03fvl5wk30br5l6s81s090l"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/subspacecommunity/subspace"; + fetch = { + type = "git"; + url = "https://github.com/subspacecommunity/subspace"; + rev = "v1.5.0"; + sha256 = "10vvsi4k6xgsvshaz70zrfpznxhykqjl37sc83dqbksf4mm9kidw"; + moduleDir = ""; + }; + } + { + goPackagePath = "github.com/zenazn/goji"; + fetch = { + type = "git"; + url = "https://github.com/zenazn/goji"; + rev = "64eb34159fe5"; + sha256 = "0ziixsr9j0644kcz5kqgq46rqxb4iay4627783jlb5bc5gqwd7rs"; + moduleDir = ""; + }; + } + { + goPackagePath = "golang.org/x/crypto"; + fetch = { + type = "git"; + url = "https://go.googlesource.com/crypto"; + rev = "06a226fb4e37"; + sha256 = "0fdig6jx81g7a44dnxggibl909wchsj4nakmmhhz7db36sl0d7m5"; + moduleDir = ""; + }; + } + { + goPackagePath = "golang.org/x/net"; + fetch = { + type = "git"; + url = "https://go.googlesource.com/net"; + rev = "d87ec0cfa476"; + sha256 = "1hnbhvih5sc87939fb8gsbzc7acs4wv8v0p2sbrxzlv98znnrl8k"; + moduleDir = ""; + }; + } + { + goPackagePath = "golang.org/x/sys"; + fetch = { + type = "git"; + url = "https://go.googlesource.com/sys"; + rev = "85ca7c5b95cd"; + sha256 = "1504qkgbhhm4f0bhk77v2r1lj6x171ay5m79alkg78wjb5cign5l"; + moduleDir = ""; + }; + } + { + goPackagePath = "golang.org/x/text"; + fetch = { + type = "git"; + url = 
"https://go.googlesource.com/text"; + rev = "v0.3.0"; + sha256 = "0r6x6zjzhr8ksqlpiwm5gdd7s209kwk5p4lw54xjvz10cs3qlq19"; + moduleDir = ""; + }; + } + { + goPackagePath = "gopkg.in/alexcesaro/quotedprintable.v3"; + fetch = { + type = "git"; + url = "https://gopkg.in/alexcesaro/quotedprintable.v3"; + rev = "2caba252f4dc"; + sha256 = "1fi38y0f7877ra8xi6782vp2ahfghzk4apj3ca6lljjyzgahij79"; + moduleDir = ""; + }; + } + { + goPackagePath = "gopkg.in/check.v1"; + fetch = { + type = "git"; + url = "https://gopkg.in/check.v1"; + rev = "8fa46927fb4f"; + sha256 = "0fx03x0nx9mjwnqphnx852q9p76qg7cazrachvgr1bj357lplrcw"; + moduleDir = ""; + }; + } + { + goPackagePath = "gopkg.in/gomail.v2"; + fetch = { + type = "git"; + url = "https://gopkg.in/gomail.v2"; + rev = "81ebce5c23df"; + sha256 = "0zdykrv5s19lnq0g49p6njldy4cpk4g161vyjafiw7f84h8r28mc"; + moduleDir = ""; + }; + } + { + goPackagePath = "gopkg.in/yaml.v3"; + fetch = { + type = "git"; + url = "https://gopkg.in/yaml.v3"; + rev = "9f266ea9e77c"; + sha256 = "1bbai3lzb50m0x2vwsdbagrbhvfylj9k1m32hgbqwldqx4p9ay35"; + moduleDir = ""; + }; + } +] diff --git a/flake.lock b/flake.lock new file mode 100644 index 00000000..f5ebb2be --- /dev/null +++ b/flake.lock @@ -0,0 +1,25 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1645433236, + "narHash": "sha256-4va4MvJ076XyPp5h8sm5eMQvCrJ6yZAbBmyw95dGyw4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7f9b6e2babf232412682c09e57ed666d8f84ac2d", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 00000000..482beb0e --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,116 @@ +{ + outputs = { self, nixpkgs }: + let onPkgs = fn: builtins.mapAttrs fn nixpkgs.legacyPackages; + in + { + defaultPackage = onPkgs (_: pkgs: + let + deps = pkgs.runCommand "subspace-deps" + { + buildInputs = with pkgs; [ go cacert ]; + outputHashAlgo = "sha256"; + outputHashMode = "recursive"; + outputHash = ""; + } '' + mkdir -p $out + export HOME=/build + export GOPATH=$out + cd ${./.} + go install ./cmd/subspace + ''; + goPackagePath = "github.com/subspacecommunity/subspace"; + version = "1.5.0"; + in + # deps + pkgs.buildGoPackage { + inherit goPackagePath version; + src = ./.; + name = "subspace"; + goDeps = ./deps.nix; + nativeBuildInputs = with pkgs; [ go-bindata which diffutils ]; + buildPhase = '' + runHook preBuild + cd go/src/${goPackagePath} + export CGO_ENABLED=0 + rm -rf subspace + go-bindata -o cmd/subspace/bindata.go --prefix "web/" --pkg main web/... + go build -v --compiler gc --ldflags "-extldflags -static -s -w -X main.version=${version}" -o subspace ./cmd/subspace + runHook postBuild + ''; + installPhase = '' + install -Dm777 subspace $out/bin/subspace + + mkdir -p $out/libexec + cp -r web $out/libexec/web + ''; + } + ); + + # nixosConfigurations = { + # # testContainer = {} + # }; + + nixosModule = { pkgs, lib, config, ... 
}: + with lib; + let + subspace = self.defaultPackage."${config.system}"; + cfg = config.services.subspace; + in + { + options = { + services.subspace = { + enable = mkEnableOption "subspace"; + dataDir = mkOption { + description = "Path to data folder"; + default = "/var/subspace/data"; + type = types.path; + }; + privateKeyFile = { + description = "Path to Wireguard private key"; + default = "/secrets/subspace.private"; + type = types.path; + }; + params = mkOption { + description = "Parameters for Subspace binary"; + default = "--http-host localhost -http-addr \":3331\" -http-insecure"; + type = types.str; + }; + }; + + }; + config = mkIf cfg.enable { + systemd.services.subspace = { + description = "AMule daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = '' + mkdir -p ${cfg.dataDir} + pushd ${cfg.dataDir} + + mkdir -p wireguard/clients + touch wireguard/clients/null.conf + + mkdir -p wireguard/peers + touch wireguard/peers/null.conf + + cp ${cfg.privateKeyFile} wireguard/server.private + cat ${cfg.privateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > server.public + + chmod -R u+r a-rwx ${user} ${cfg.dataDir} + chown -r ${user} ${cfg.dataDir} + ''; + + script = '' + cd ${subspace}/libexec + ${subspace}/bin/subspace \ + -datadir=${cfg.dataDir} \ + ${cfg.params} + ''; + }; + }; + }; + + }; + +} From 61047014c66d6a5fd488b110ca2a83e93d7b0944 Mon Sep 17 00:00:00 2001 From: notgne2 Date: Sat, 26 Feb 2022 23:39:14 -0700 Subject: [PATCH 02/24] Fix NixOS module --- default.nix | 3 ++ flake.nix | 135 +++++++++++++++++++++++++++++++++++++++------------- 2 files changed, 104 insertions(+), 34 deletions(-) create mode 100644 default.nix diff --git a/default.nix b/default.nix new file mode 100644 index 00000000..b22e926e --- /dev/null +++ b/default.nix @@ -0,0 +1,3 @@ +(import (fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz) { + src = builtins.fetchGit ./.; +}).defaultNix 
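Review bot: `install -Dm777 subspace $out/bin/subspace` marks the binary world-writable; the store is mounted read-only so it is harmless there, but the mode travels with the output wherever it is exported, and `install -Dm755` is what a Go package needs. In the module's `preStart`, `cat ${cfg.privateKeyFile} | … wg pubkey > server.public` writes into `${cfg.dataDir}` (the cwd after `pushd`) while the private key copy goes to `wireguard/server.private`; if subspace expects `wireguard/server.public`, that path is wrong — confirm against the Go code and use `> wireguard/server.public`. The copy is made with plain `cp`, so its mode follows the umask; `install -m 0600 ${cfg.privateKeyFile} wireguard/server.private` keeps the key from being created with loose bits.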
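Review bot: `fetchTarball https://github.com/edolstra/flake-compat/archive/master.tar.gz` carries no `sha256`, so every `nix-build` evaluates and executes whatever is at the tip of that third-party branch at that moment — unpinned, unreproducible, and an unnecessary supply-chain exposure for the build host. Pin it to a commit and hash it, `fetchTarball { url = "https://github.com/edolstra/flake-compat/archive/<REV>.tar.gz"; sha256 = "<HASH>"; }`, where `<REV>`/`<HASH>` are placeholders to be taken from `flake.lock` once flake-compat is declared as a flake input there.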
diff --git a/flake.nix b/flake.nix index 482beb0e..bd54ce10 100644 --- a/flake.nix +++ b/flake.nix @@ -21,7 +21,6 @@ goPackagePath = "github.com/subspacecommunity/subspace"; version = "1.5.0"; in - # deps pkgs.buildGoPackage { inherit goPackagePath version; src = ./.; 
@@ -46,46 +45,112 @@ } ); - # nixosConfigurations = { - # # testContainer = {} - # }; - nixosModule = { pkgs, lib, config, ... }: with lib; let - subspace = self.defaultPackage."${config.system}"; cfg = config.services.subspace; in { - options = { - services.subspace = { - enable = mkEnableOption "subspace"; - dataDir = mkOption { - description = "Path to data folder"; - default = "/var/subspace/data"; - type = types.path; - }; - privateKeyFile = { - description = "Path to Wireguard private key"; - default = "/secrets/subspace.private"; - type = types.path; - }; - params = mkOption { - description = "Parameters for Subspace binary"; - default = "--http-host localhost -http-addr \":3331\" -http-insecure"; - type = types.str; - }; + options.services.subspace = { + enable = mkEnableOption "subspace"; + + package = mkOption { + description = "A package from which to take subspace"; + default = self.defaultPackage.${pkgs.system}; + type = types.package; + }; + + privateKeyFile = mkOption { + description = "Path to Wireguard private key"; + default = "/secrets/subspace.private"; + type = types.str; + }; + + user = mkOption { + description = "User account under which Subspace runs."; + default = "subspace"; + type = types.str; + }; + group = mkOption { + description = "Group account under which Subspace runs."; + default = "subspace"; + type = types.str; + }; + + httpHost = mkOption { + description = "The host to listen on and set cookies for"; + default = "localhost"; + type = types.str; + }; + backlink = mkOption { + description = "The page to set the home button to"; + default = "/"; + type = types.str; + }; + dataDir = mkOption { + description = "Path to data folder"; + default = "/var/lib/subspace"; + type = types.str; + }; + debug = mkOption { + description = "Place subspace into debug mode for verbose log output"; + default = false; + type = types.bool; + }; + httpInsecure = mkOption { + description = "enable session cookies for http and remove redirect to https"; 
+ default = false; + type = types.bool; + }; + letsencrypt = mkOption { + description = "Whether or not to use a LetsEncrypt certificate"; + default = true; + type = types.bool; + }; + httpAddr = mkOption { + description = "HTTP Listen address"; + default = ":3331"; + type = types.str; }; + params = mkOption { + description = "Parameters for Subspace binary"; + default = ""; + type = types.str; + }; }; + config = mkIf cfg.enable { + users.users = optionalAttrs (cfg.user == "subspace") ({ + subspace = { + isSystemUser = true; + group = cfg.group; + # uid = config.ids.uids.subspace; + description = "Subspace WireGuard GUI user"; + home = cfg.dataDir; + }; + }); + + users.groups = optionalAttrs (cfg.group == "subspace") ({ + subspace = { + # gid = config.ids.gids.subspace; + }; + }); + + systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group}" ]; + systemd.services.subspace = { - description = "AMule daemon"; + description = "A simple WireGuard VPN server GUI"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + WorkingDirectory = "${cfg.package}/libexec"; + }; + preStart = '' - mkdir -p ${cfg.dataDir} pushd ${cfg.dataDir} mkdir -p wireguard/clients @@ -96,21 +161,23 @@ cp ${cfg.privateKeyFile} wireguard/server.private cat ${cfg.privateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > server.public - - chmod -R u+r a-rwx ${user} ${cfg.dataDir} - chown -r ${user} ${cfg.dataDir} ''; script = '' - cd ${subspace}/libexec - ${subspace}/bin/subspace \ - -datadir=${cfg.dataDir} \ + ${cfg.package}/bin/subspace \ + --http-host="${cfg.httpHost}" \ + --backlink="${cfg.backlink}" \ + --datadir="${cfg.dataDir}" \ + --debug="${if cfg.debug then "true" else "false"}" \ + --http-addr="${cfg.httpAddr}" \ + --http-insecure="${if cfg.httpInsecure then "true" else "false"}" \ + --letsencrypt="${if cfg.letsencrypt then "true" else "false"}" \ ${cfg.params} ''; }; }; - }; - + } + ; }; } 
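Review bot: `preStart` now runs as `cfg.user` (`User = cfg.user` in `serviceConfig`), and `cp ${cfg.privateKeyFile} wireguard/server.private` creates the copy under the unit's default umask, so the WireGuard server private key ends up readable by the whole group and, with a 022 umask, by any local account that can traverse `${cfg.dataDir}`. Use `install -m 0600 ${cfg.privateKeyFile} wireguard/server.private` and put `umask 077` before the `wg pubkey > server.public` redirect so neither file is ever created with loose bits. The service user must also be able to read `${cfg.privateKeyFile}` (default `/secrets/subspace.private`); that requirement belongs in the option's description, e.g. `description = "Path to the WireGuard private key; must be readable by the service user"`.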
From 469647040903b09edd8c5f27ab7ac5d72d61812b Mon Sep 17 00:00:00 2001 From: Vladimir Serov Date: Sun, 27 Feb 2022 11:08:10 +0300 Subject: [PATCH 03/24] added reload hook --- cmd/subspace/handlers.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cmd/subspace/handlers.go b/cmd/subspace/handlers.go index cb215c4f..a87e85db 100644 --- a/cmd/subspace/handlers.go +++ b/cmd/subspace/handlers.go @@ -461,6 +461,10 @@ func profileAddHandler(w *Web) { if shouldDisableDNS := getEnv("SUBSPACE_DISABLE_DNS", "0"); shouldDisableDNS == "1" { disableDNS = true } + reloadScript := "" + if reloadScript_ := getEnv("SUBSPACE_WIREGUARD_RELOAD_SCRIPT", ""); reloadScript == "" { + reloadScript = reloadScript_ + } script := ` cd {{$.Datadir}}/wireguard @@ -468,6 +472,7 @@ wg_private_key="$(wg genkey)" wg_public_key="$(echo $wg_private_key | wg pubkey)" # wg set wg0 peer ${wg_public_key} allowed-ips {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}} +{{$.ReloadScript}} cat <peers/{{$.Profile.ID}}.conf [Peer] @@ -502,6 +507,7 @@ WGCLIENT IPv6Cidr string Listenport string AllowedIPS string + ReloadScript string Ipv4Enabled bool Ipv6Enabled bool DisableDNS bool @@ -517,6 +523,7 @@ WGCLIENT ipv6Cidr, listenport, allowedips, + reloadScript, ipv4Enabled, ipv6Enabled, disableDNS, From 84cb14c6a5963126eda2a367d344cf74a765b6b8 Mon Sep 17 00:00:00 2001 From: Vladimir Serov Date: Sun, 27 Feb 2022 13:56:56 +0300 Subject: [PATCH 04/24] fixed service permissions; added reload hooks --- cmd/subspace/handlers.go | 7 +-- flake.nix | 93 ++++++++++++++++++++++++++-------------- 2 files changed, 63 insertions(+), 37 deletions(-) diff --git a/cmd/subspace/handlers.go b/cmd/subspace/handlers.go index a87e85db..577a3755 100644 --- a/cmd/subspace/handlers.go +++ b/cmd/subspace/handlers.go 
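Review bot: The guard `if reloadScript_ := getEnv(…); reloadScript == ""` tests the outer variable, which was just set to `""`, so the branch is always taken and the two-step form reduces to `reloadScript := getEnv("SUBSPACE_WIREGUARD_RELOAD_SCRIPT", "")`; `reloadScript_` is also not a Go-style identifier. The value is then spliced verbatim into the bash template via `{{$.ReloadScript}}` with no quoting or escaping, which is acceptable only because the environment is operator-controlled — state that next to the lookup, e.g. `// SUBSPACE_WIREGUARD_RELOAD_SCRIPT is trusted shell text from the operator's environment and is inserted into the script unescaped`. `profileAddHandler` starts and ends outside the hunk.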
@@ -471,8 +471,7 @@ cd {{$.Datadir}}/wireguard wg_private_key="$(wg genkey)" wg_public_key="$(echo $wg_private_key | wg pubkey)" -# wg set wg0 peer ${wg_public_key} allowed-ips {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}} -{{$.ReloadScript}} +wg set subspace peer ${wg_public_key} allowed-ips {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}} cat <peers/{{$.Profile.ID}}.conf [Peer] @@ -507,7 +506,6 @@ WGCLIENT IPv6Cidr string Listenport string AllowedIPS string - ReloadScript string Ipv4Enabled bool Ipv6Enabled bool DisableDNS bool @@ -523,7 +521,6 @@ WGCLIENT ipv6Cidr, listenport, allowedips, - reloadScript, ipv4Enabled, ipv6Enabled, disableDNS, @@ -693,7 +690,7 @@ func deleteProfile(profile Profile) error { # WireGuard cd {{$.Datadir}}/wireguard peerid=$(cat peers/{{$.Profile.ID}}.conf | awk '/PublicKey/ { printf("%s", $3) }' ) -wg set wg0 peer $peerid remove +wg set subspace peer $peerid remove rm peers/{{$.Profile.ID}}.conf rm clients/{{$.Profile.ID}}.conf ` diff --git a/flake.nix b/flake.nix index bd54ce10..77f44cf9 100644 --- a/flake.nix +++ b/flake.nix @@ -5,19 +5,6 @@ { defaultPackage = onPkgs (_: pkgs: let - deps = pkgs.runCommand "subspace-deps" - { - buildInputs = with pkgs; [ go cacert ]; - outputHashAlgo = "sha256"; - outputHashMode = "recursive"; - outputHash = ""; - } '' - mkdir -p $out - export HOME=/build - export GOPATH=$out - cd ${./.} - go install ./cmd/subspace - ''; goPackagePath = "github.com/subspacecommunity/subspace"; version = "1.5.0"; in 
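Review bot: The interface name `subspace` is now a literal in both the profile-add template here and the `deleteProfile` template in the last hunk, and it must also equal the basename of `wireguard/subspace.conf` that the NixOS module hands to `wg-quick`; three copies of one name is how add and remove drifted apart on `wg0` earlier in this series. Lift it into a single package-level `const wgInterface = "subspace"` passed to both templates (or read it from the environment like the other `SUBSPACE_*` settings `profileAddHandler` already consults), and add a comment saying the module's config filename must match it. `profileAddHandler` and `deleteProfile` both start outside their hunks.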
@@ -112,41 +99,49 @@ default = ":3331"; type = types.str; }; - params = mkOption { description = "Parameters for Subspace binary"; default = ""; type = types.str; }; + proxyPort = mkOption { + description = "Port for managed WireGuard interface"; + default = "53222"; + type = types.str; + }; + masqueradeInterface = mkOption { + description = "What interface to use to proxy traffic"; + type = types.str; + }; }; config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == "subspace") ({ - subspace = { - isSystemUser = true; - group = cfg.group; - # uid = config.ids.uids.subspace; - description = "Subspace WireGuard GUI user"; - home = cfg.dataDir; - }; - }); - - users.groups = optionalAttrs (cfg.group == "subspace") ({ - subspace = { + # users.users = optionalAttrs (cfg.user == "subspace") ({ + # subspace = { + # isSystemUser = true; + # group = cfg.group; + # # uid = config.ids.uids.subspace; + # description = "Subspace WireGuard GUI user"; + # home = cfg.dataDir; + # }; + # }); + + # users.groups = optionalAttrs (cfg.group == "subspace") ({ + # subspace = { # gid = config.ids.gids.subspace; - }; - }); + # }; + # }); - systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group}" ]; + # systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group}" ]; - systemd.services.subspace = { + systemd.services.subspace = rec { description = "A simple WireGuard VPN server GUI"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - User = cfg.user; - Group = cfg.group; + # User = cfg.user; + # Group = cfg.group; WorkingDirectory = "${cfg.package}/libexec"; }; 
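Review bot: `proxyPort` is declared `types.str` with default `"53222"` although it is used as the WireGuard `ListenPort`, and as far as this hunk shows nothing opens it in the NixOS firewall, so a host with the default `networking.firewall.enable = true` drops the tunnel's UDP traffic. Declare it `type = types.port; default = 53222;`, interpolate it with `toString`, and add `networking.firewall.allowedUDPPorts = [ cfg.proxyPort ];` in the `config` block (or document that the operator must open it). The name and description ("Port for managed WireGuard interface") do not say this is the WireGuard listen port; `wireguardPort` with "UDP port the managed WireGuard interface listens on" would. Commenting out `User`/`Group` makes the unit run as root; the comment should record why (`wg`/`iptables` need `CAP_NET_ADMIN`) so it is not mistaken for a permanent decision.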
@@ -161,9 +156,36 @@ cp ${cfg.privateKeyFile} wireguard/server.private cat ${cfg.privateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > server.public + + { + echo "[Interface]" + echo "PrivateKey = $(cat wireguard/server.private)" + echo "ListenPort = ${cfg.proxyPort}" + echo + cat wireguard/peers/* + } > wireguard/subspace.conf ''; + path = with pkgs; [ wireguard-tools iptables bash gawk ]; + + environment = { + SUBSPACE_HTTP_HOST = cfg.httpHost; + SUBSPACE_HTTP_ADDR = cfg.httpAddr; + SUBSPACE_NAMESERVERS = "1.1.1.1,8.8.8.8"; + SUBSPACE_LISTENPORT = cfg.proxyPort; + SUBSPACE_IPV4_POOL = "10.99.97.0/24"; + SUBSPACE_IPV6_POOL = "fd00::10:97:0/64"; + SUBSPACE_IPV4_GW = "10.99.97.1"; + SUBSPACE_IPV6_GW = "fd00::10:97:1"; + SUBSPACE_IPV4_NAT_ENABLED = "1"; + SUBSPACE_IPV6_NAT_ENABLED = "1"; + SUBSPACE_DISABLE_DNS = "0"; + }; + script = '' + wg-quick up ${cfg.dataDir}/wireguard/subspace.conf + iptables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_POOL} -o ${cfg.masqueradeInterface} + ip6tables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_POOL} -o ${cfg.masqueradeInterface} ${cfg.package}/bin/subspace \ --http-host="${cfg.httpHost}" \ --backlink="${cfg.backlink}" \ @@ -174,6 +196,13 @@ --letsencrypt="${if cfg.letsencrypt then "true" else "false"}" \ ${cfg.params} ''; + + postStop = '' + wg-quick down ${cfg.dataDir}/wireguard/subspace.conf + iptables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_POOL} -o ${cfg.masqueradeInterface} + ip6tables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_POOL} -o ${cfg.masqueradeInterface} + ''; + }; }; } From 49fa08f68df9300e2313cef174db21edbf7c1828 Mon Sep 17 00:00:00 2001 From: notgne2 Date: Sun, 27 Feb 2022 16:38:03 -0700 Subject: [PATCH 05/24] Harden systemd service more --- flake.nix | 152 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 107 insertions(+), 45 deletions(-) 
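Review bot: The generated `wireguard/subspace.conf` embeds the server private key (`echo "PrivateKey = $(cat wireguard/server.private)"`) and is created by a shell redirect under the unit's default umask, so it is typically 0644 — readable by every local account that can traverse `${cfg.dataDir}`. Put `umask 077` at the top of `preStart`, or `chmod 0600 wireguard/subspace.conf wireguard/server.private` immediately after the brace group. The `iptables -A POSTROUTING … -j MASQUERADE` rules in `script` are appended on every start and only removed in `postStop`; if an earlier line of `postStop` fails or the unit is killed before it runs, duplicate rules accumulate, so guard each with `iptables -C … || iptables -A …` and do the same for the `ip6tables` lines. The same applies to the `postStop` hunk below; `systemd.services.subspace` starts outside this hunk.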
diff --git a/flake.nix b/flake.nix index 77f44cf9..a72e0434 100644 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,7 @@ in pkgs.buildGoPackage { inherit goPackagePath version; - src = ./.; + src = nixpkgs.lib.cleanSource ./.; name = "subspace"; goDeps = ./deps.nix; nativeBuildInputs = with pkgs; [ go-bindata which diffutils ]; @@ -116,23 +116,23 @@ }; config = mkIf cfg.enable { - # users.users = optionalAttrs (cfg.user == "subspace") ({ - # subspace = { - # isSystemUser = true; - # group = cfg.group; - # # uid = config.ids.uids.subspace; - # description = "Subspace WireGuard GUI user"; - # home = cfg.dataDir; - # }; - # }); - - # users.groups = optionalAttrs (cfg.group == "subspace") ({ - # subspace = { + users.users = optionalAttrs (cfg.user == "subspace") ({ + subspace = { + isSystemUser = true; + group = cfg.group; + # uid = config.ids.uids.subspace; + description = "Subspace WireGuard GUI user"; + home = cfg.dataDir; + }; + }); + + users.groups = optionalAttrs (cfg.group == "subspace") ({ + subspace = { # gid = config.ids.gids.subspace; - # }; - # }); + }; + }); - # systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group}" ]; + systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group}" ]; systemd.services.subspace = rec { description = "A simple WireGuard VPN server GUI"; 
@@ -140,31 +140,103 @@ after = [ "network.target" ]; serviceConfig = { - # User = cfg.user; - # Group = cfg.group; + User = cfg.user; + Group = cfg.group; + + CapabilityBoundingSet = "CAP_NET_ADMIN"; + AmbientCapabilities = "CAP_NET_ADMIN"; + + ReadWritePaths = [ "${cfg.dataDir}" ]; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + + RestrictNamespaces = "yes"; + DeviceAllow = "no"; + KeyringMode = "private"; + NoNewPrivileges = "yes"; + NotifyAccess = "none"; + PrivateDevices = "yes"; + PrivateMounts = "yes"; + PrivateTmp = "yes"; + ProtectClock = "yes"; + ProtectControlGroups = "yes"; + ProtectHome = "yes"; + ProtectKernelLogs = "yes"; + ProtectKernelModules = "yes"; + ProtectKernelTunables = "yes"; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictSUIDSGID = "yes"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "~@clock" + "~@debug" + "~@module" + "~@mount" + "~@raw-io" + "~@reboot" + "~@swap" + "~@privileged" + "~@resources" + "~@cpu-emulation" + "~@obsolete" + ]; + RestrictRealtime = "yes"; + Delegate = "no"; + LockPersonality = "yes"; + MemoryDenyWriteExecute = "yes"; + RemoveIPC = "yes"; + UMask = "0027"; + ProtectHostname = "yes"; + ProcSubset = "pid"; + WorkingDirectory = "${cfg.package}/libexec"; - }; - preStart = '' - pushd ${cfg.dataDir} + ExecStartPre = + let + preStart = pkgs.writeShellScript "subspace-pre-start" '' + pushd ${cfg.dataDir} - mkdir -p wireguard/clients - touch wireguard/clients/null.conf + mkdir -p wireguard/clients + touch wireguard/clients/null.conf - mkdir -p wireguard/peers - touch wireguard/peers/null.conf + mkdir -p wireguard/peers + touch wireguard/peers/null.conf - cp ${cfg.privateKeyFile} wireguard/server.private - cat ${cfg.privateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > server.public + cp ${cfg.privateKeyFile} wireguard/server.private + cat ${cfg.privateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > server.public - { - echo "[Interface]" - echo 
"PrivateKey = $(cat wireguard/server.private)" - echo "ListenPort = ${cfg.proxyPort}" - echo - cat wireguard/peers/* - } > wireguard/subspace.conf - ''; + { + echo "[Interface]" + echo "PrivateKey = $(cat wireguard/server.private)" + echo "ListenPort = ${cfg.proxyPort}" + echo + cat wireguard/peers/* + } > wireguard/subspace.conf + + wg-quick up ${cfg.dataDir}/wireguard/subspace.conf + iptables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_POOL} -o ${cfg.masqueradeInterface} + ip6tables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_POOL} -o ${cfg.masqueradeInterface} + + chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} + chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} + ''; + in + "+" + preStart; + + ExecStopPost = + let + postStop = pkgs.writeShellScript "subspace-post-stop" '' + wg-quick down ${cfg.dataDir}/wireguard/subspace.conf + iptables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_POOL} -o ${cfg.masqueradeInterface} + ip6tables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_POOL} -o ${cfg.masqueradeInterface} + ''; + in + "+" + postStop; + }; path = with pkgs; [ wireguard-tools iptables bash gawk ]; @@ -183,9 +255,6 @@ }; script = '' - wg-quick up ${cfg.dataDir}/wireguard/subspace.conf - iptables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_POOL} -o ${cfg.masqueradeInterface} - ip6tables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_POOL} -o ${cfg.masqueradeInterface} ${cfg.package}/bin/subspace \ --http-host="${cfg.httpHost}" \ --backlink="${cfg.backlink}" \ 
@@ -196,13 +265,6 @@ --letsencrypt="${if cfg.letsencrypt then "true" else "false"}" \ ${cfg.params} ''; - - postStop = '' - wg-quick down ${cfg.dataDir}/wireguard/subspace.conf - iptables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_POOL} -o ${cfg.masqueradeInterface} - ip6tables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_POOL} -o ${cfg.masqueradeInterface} - ''; - }; }; } From 35fc222ba69c8fe506075dc6c8a1b22bb6065963 Mon Sep 17 00:00:00 2001 From: Vladimir Serov Date: Mon, 28 Feb 2022 02:50:19 +0300 Subject: [PATCH 06/24] fixed incorrect admin account redirects Also deletion messages --- cmd/subspace/handlers.go | 12 ++++++++++-- web/templates/index.html | 2 +- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/cmd/subspace/handlers.go b/cmd/subspace/handlers.go index 577a3755..025a085d 100644 --- a/cmd/subspace/handlers.go +++ b/cmd/subspace/handlers.go @@ -573,11 +573,19 @@ func profileDeleteHandler(w *Web) { } if err := deleteProfile(profile); err != nil { logger.Errorf("delete profile failed: %s", err) - w.Redirect("/profile/delete?error=deleteprofile") + if profile.UserID == "" { + w.Redirect("/?error=deleteprofile") + } else { + w.Redirect("/profile/delete?error=deleteprofile") + } return } if w.Admin { - w.Redirect("/user/edit/%s?success=deleteprofile", profile.UserID) + if profile.UserID == "" { + w.Redirect("/?success=deleteprofile") + } else { + w.Redirect("/user/edit/%s?success=deleteprofile", profile.UserID) + } return } w.Redirect("/?success=deleteprofile") diff --git a/web/templates/index.html b/web/templates/index.html index 8f138b93..13343873 100644 --- a/web/templates/index.html +++ b/web/templates/index.html @@ -23,7 +23,7 @@ {{if eq $error "addprofile"}} Adding device failed {{else if eq $error "deleteprofile"}} - Adding device failed + Deleting device failed {{else if eq $error "profilename"}} Device name is required {{else}} 
From 9806775afade3d3455b6fac289274a492129e11a Mon Sep 17 00:00:00 2001 From: notgne2 Date: Sun, 27 Feb 2022 16:56:39 -0700 Subject: [PATCH 07/24] fix environment variables for service --- flake.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/flake.nix b/flake.nix index a72e0434..5ee9d55f 100644 --- a/flake.nix +++ b/flake.nix @@ -241,12 +241,9 @@ path = with pkgs; [ wireguard-tools iptables bash gawk ]; environment = { - SUBSPACE_HTTP_HOST = cfg.httpHost; - SUBSPACE_HTTP_ADDR = cfg.httpAddr; - SUBSPACE_NAMESERVERS = "1.1.1.1,8.8.8.8"; SUBSPACE_LISTENPORT = cfg.proxyPort; - SUBSPACE_IPV4_POOL = "10.99.97.0/24"; - SUBSPACE_IPV6_POOL = "fd00::10:97:0/64"; + SUBSPACE_IPV4_PREF = "10.99.97."; + SUBSPACE_IPV6_PREF = "fd00::10:97:"; SUBSPACE_IPV4_GW = "10.99.97.1"; SUBSPACE_IPV6_GW = "fd00::10:97:1"; SUBSPACE_IPV4_NAT_ENABLED = "1"; From c5eb86f7a1abb860481c60c3578db42103261cc4 Mon Sep 17 00:00:00 2001 From: notgne2 Date: Sun, 27 Feb 2022 18:45:23 -0700 Subject: [PATCH 08/24] use _PREF environment variables for iptables routing in module --- flake.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index 5ee9d55f..21116c6d 100644 --- a/flake.nix +++ b/flake.nix @@ -218,8 +218,8 @@ } > wireguard/subspace.conf wg-quick up ${cfg.dataDir}/wireguard/subspace.conf - iptables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_POOL} -o ${cfg.masqueradeInterface} - ip6tables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_POOL} -o ${cfg.masqueradeInterface} + iptables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_PREF}0/24 -o ${cfg.masqueradeInterface} + ip6tables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_PREF}/112 -o ${cfg.masqueradeInterface} chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} 
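Review bot: In the `@@ -218,8 +218,8 @@` hunk the IPv6 masquerade source becomes `${environment.SUBSPACE_IPV6_PREF}/112`, which with the prefix `fd00::10:97:` expands to `fd00::10:97:/112` — a trailing colon and no host part, which `ip6tables` will reject, so the IPv6 NAT rule is never installed (the IPv4 line correctly appends `0` before `/24`). Change both the `-A` and the `-D` line to `-s ${environment.SUBSPACE_IPV6_PREF}0/112`. Separately, the previous commit removed `SUBSPACE_IPV4_POOL`/`SUBSPACE_IPV6_POOL` from `environment` while the scripts still read them until this hunk, so that intermediate revision does not evaluate; squashing the two avoids a broken bisect point.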
@@ -231,8 +231,8 @@ let postStop = pkgs.writeShellScript "subspace-post-stop" '' wg-quick down ${cfg.dataDir}/wireguard/subspace.conf - iptables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_POOL} -o ${cfg.masqueradeInterface} - ip6tables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_POOL} -o ${cfg.masqueradeInterface} + iptables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_PREF}0/24 -o ${cfg.masqueradeInterface} + ip6tables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_PREF}/112 -o ${cfg.masqueradeInterface} ''; in "+" + postStop; From 724d08ae5e3ae64eddd1e9c200e24059faceeb55 Mon Sep 17 00:00:00 2001 From: notgne2 Date: Sun, 27 Feb 2022 20:29:08 -0700 Subject: [PATCH 09/24] add IP addresses in preStart --- flake.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/flake.nix b/flake.nix index 21116c6d..9912fb89 100644 --- a/flake.nix +++ b/flake.nix @@ -220,6 +220,8 @@ wg-quick up ${cfg.dataDir}/wireguard/subspace.conf iptables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_PREF}0/24 -o ${cfg.masqueradeInterface} ip6tables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_PREF}/112 -o ${cfg.masqueradeInterface} + ip addr add dev subspace ${environment.SUBSPACE_IPV4_PREF}1/24 + ip addr add dev subspace ${environment.SUBSPACE_IPV6_PREF}1/112 chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} From 3145edcae82129a3597e61f1e4499842e22b44b2 Mon Sep 17 00:00:00 2001 From: notgne2 Date: Sun, 27 Feb 2022 21:59:16 -0700 Subject: [PATCH 10/24] Add more configurable options to NixOS module --- flake.nix | 49 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 38 insertions(+), 11 deletions(-) diff --git a/flake.nix b/flake.nix index 9912fb89..cbb24b04 100644 --- a/flake.nix +++ b/flake.nix 
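Review bot: `ip addr add dev subspace ${environment.SUBSPACE_IPV6_PREF}1/112` gives the server a /112, but the Go side at this point still defaults the client `Address` mask from `SUBSPACE_IPV6_CIDR` to `64` (see the removed lines of the handler rewrite later in this series) and the module never exports `SUBSPACE_IPV6_CIDR`, so clients and server disagree on the subnet size. Export `SUBSPACE_IPV6_CIDR = "112"` and `SUBSPACE_IPV4_CIDR = "24"` in `environment`, or derive all four masks from one option. `ip addr add` is also not idempotent — it fails if the address is already present — whereas `ip addr replace` is, and this script aborts the whole start on any failure.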
@@ -109,10 +109,37 @@ default = "53222"; type = types.str; }; + masqueradeInterface = mkOption { description = "What interface to use to proxy traffic"; type = types.str; }; + + ipv4Pref = mkOption { + description = "Cursed IPv4 subnet preference"; + default = "10.99.97."; + type = types.str; + }; + ipv6Pref = mkOption { + description = "Cursed IPv6 subnet preference"; + default = "fd00::10:97:"; + type = types.str; + }; + ipv4Gw = mkOption { + description = "IPv4 address to be used as a gateway"; + default = "10.99.97.1"; + type = types.str; + }; + ipv6Gw = mkOption { + description = "IPv6 address to be used as a gateway"; + default = "fd00::10:97:1"; + type = types.str; + }; + disableDns = mkOption { + default = false; + description = "Disable configuring the chosen gateway as a DNS server"; + type = types.bool; + }; }; config = mkIf cfg.enable { @@ -218,10 +245,10 @@ } > wireguard/subspace.conf wg-quick up ${cfg.dataDir}/wireguard/subspace.conf - iptables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_PREF}0/24 -o ${cfg.masqueradeInterface} - ip6tables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_PREF}/112 -o ${cfg.masqueradeInterface} - ip addr add dev subspace ${environment.SUBSPACE_IPV4_PREF}1/24 - ip addr add dev subspace ${environment.SUBSPACE_IPV6_PREF}1/112 + iptables -A POSTROUTING -t nat -j MASQUERADE -s ${cfg.ipv4Pref}0/24 -o ${cfg.masqueradeInterface} + ip6tables -A POSTROUTING -t nat -j MASQUERADE -s ${cfg.ipv6Pref}/112 -o ${cfg.masqueradeInterface} + ip addr add dev subspace ${cfg.ipv4Gw}/24 + ip addr add dev subspace ${cfg.ipv6Gw}/112 chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} 
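Review bot: The new `ipv4Pref`/`ipv6Pref`/`ipv4Gw`/`ipv6Gw` options make the subnet configurable, but the `@@ -218,10 +245,10 @@` hunk keeps `/24` and `/112` hard-coded in the `iptables` and `ip addr add` lines, so a user who sets a prefix of any other size gets NAT rules and interface addresses that do not match it. Add `ipv4Cidr`/`ipv6Cidr` options (defaults `"24"`/`"112"`) and use them on all four lines. The options are plain `types.str` interpolated straight into a root-run shell script; that is acceptable for trusted NixOS config, but an assertion such as `{ assertion = lib.hasSuffix "." cfg.ipv4Pref && lib.hasSuffix ":" cfg.ipv6Pref; message = "…Pref must end with the separator"; }` would catch the "prefix" convention being violated instead of producing malformed addresses silently. `${cfg.ipv6Pref}/112` still lacks the `0` host part and yields `fd00::10:97:/112`.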
@@ -233,8 +260,8 @@ let postStop = pkgs.writeShellScript "subspace-post-stop" '' wg-quick down ${cfg.dataDir}/wireguard/subspace.conf - iptables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_PREF}0/24 -o ${cfg.masqueradeInterface} - ip6tables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_PREF}/112 -o ${cfg.masqueradeInterface} + iptables -D POSTROUTING -t nat -j MASQUERADE -s ${cfg.ipv4Pref}0/24 -o ${cfg.masqueradeInterface} + ip6tables -D POSTROUTING -t nat -j MASQUERADE -s ${cfg.ipv6Pref}/112 -o ${cfg.masqueradeInterface} ''; in "+" + postStop; @@ -244,13 +271,13 @@ environment = { SUBSPACE_LISTENPORT = cfg.proxyPort; - SUBSPACE_IPV4_PREF = "10.99.97."; - SUBSPACE_IPV6_PREF = "fd00::10:97:"; - SUBSPACE_IPV4_GW = "10.99.97.1"; - SUBSPACE_IPV6_GW = "fd00::10:97:1"; + SUBSPACE_IPV4_PREF = cfg.ipv4Pref; + SUBSPACE_IPV6_PREF = cfg.ipv6Pref; + SUBSPACE_IPV4_GW = cfg.ipv4Gw; + SUBSPACE_IPV6_GW = cfg.ipv6Gw; SUBSPACE_IPV4_NAT_ENABLED = "1"; SUBSPACE_IPV6_NAT_ENABLED = "1"; - SUBSPACE_DISABLE_DNS = "0"; + SUBSPACE_DISABLE_DNS = if cfg.disableDns then "true" else "false"; }; script = '' From 6ca2ac4de8d626d9385648061f9b5a144e5e2a0e Mon Sep 17 00:00:00 2001 From: notgne2 Date: Sun, 27 Feb 2022 22:03:17 -0700 Subject: [PATCH 11/24] Fix environment values for disableDns --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index cbb24b04..3da57b18 100644 --- a/flake.nix +++ b/flake.nix @@ -277,7 +277,7 @@ SUBSPACE_IPV6_GW = cfg.ipv6Gw; SUBSPACE_IPV4_NAT_ENABLED = "1"; SUBSPACE_IPV6_NAT_ENABLED = "1"; - SUBSPACE_DISABLE_DNS = if cfg.disableDns then "true" else "false"; + SUBSPACE_DISABLE_DNS = if cfg.disableDns then "1" else "0"; }; script = '' From 66cf51778e99b55aa3436c151f3e66bf197f16b6 Mon Sep 17 00:00:00 2001 
From: Vladimir Serov Date: Tue, 1 Mar 2022 02:27:59 +0300 Subject: [PATCH 12/24] initial wg-bond config management --- .envrc | 1 + cmd/subspace/handlers.go | 137 +++++++-------------------------------- flake.nix | 3 + 3 files changed, 28 insertions(+), 113 deletions(-) create mode 100644 .envrc diff --git a/.envrc b/.envrc new file mode 100644 index 00000000..3550a30f --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake diff --git a/cmd/subspace/handlers.go b/cmd/subspace/handlers.go index 025a085d..094b7c25 100644 --- a/cmd/subspace/handlers.go +++ b/cmd/subspace/handlers.go @@ -9,6 +9,7 @@ import ( "os" "regexp" "strings" + "github.com/crewjam/saml/samlsp" "github.com/julienschmidt/httprouter" "github.com/pquerna/otp/totp" 
@@ -413,117 +414,24 @@ func profileAddHandler(w *Web) { return } - ipv4Pref := "10.99.97." - if pref := getEnv("SUBSPACE_IPV4_PREF", "nil"); pref != "nil" { - ipv4Pref = pref - } - ipv4Gw := "10.99.97.1" - if gw := getEnv("SUBSPACE_IPV4_GW", "nil"); gw != "nil" { - ipv4Gw = gw - } - ipv4Cidr := "24" - if cidr := getEnv("SUBSPACE_IPV4_CIDR", "nil"); cidr != "nil" { - ipv4Cidr = cidr - } - ipv6Pref := "fd00::10:97:" - if pref := getEnv("SUBSPACE_IPV6_PREF", "nil"); pref != "nil" { - ipv6Pref = pref - } - ipv6Gw := "fd00::10:97:1" - if gw := getEnv("SUBSPACE_IPV6_GW", "nil"); gw != "nil" { - ipv6Gw = gw - } - ipv6Cidr := "64" - if cidr := getEnv("SUBSPACE_IPV6_CIDR", "nil"); cidr != "nil" { - ipv6Cidr = cidr - } - listenport := "51820" - if port := getEnv("SUBSPACE_LISTENPORT", "nil"); port != "nil" { - listenport = port - } - endpointHost := httpHost - if eh := getEnv("SUBSPACE_ENDPOINT_HOST", "nil"); eh != "nil" { - endpointHost = eh - } - allowedips := "0.0.0.0/0, ::/0" - if ips := getEnv("SUBSPACE_ALLOWED_IPS", "nil"); ips != "nil" { - allowedips = ips - } - ipv4Enabled := true - if enable := getEnv("SUBSPACE_IPV4_NAT_ENABLED", "1"); enable == "0" { - ipv4Enabled = false - } - ipv6Enabled := true - if enable := getEnv("SUBSPACE_IPV6_NAT_ENABLED", "1"); enable == "0" { - ipv6Enabled = false - } - disableDNS := false - if shouldDisableDNS := getEnv("SUBSPACE_DISABLE_DNS", "0"); shouldDisableDNS == "1" { - disableDNS = true - } - reloadScript := "" - if reloadScript_ := getEnv("SUBSPACE_WIREGUARD_RELOAD_SCRIPT", ""); reloadScript == "" { - reloadScript = reloadScript_ - } - script := ` -cd {{$.Datadir}}/wireguard -wg_private_key="$(wg genkey)" -wg_public_key="$(echo $wg_private_key | wg pubkey)" - -wg set subspace peer ${wg_public_key} allowed-ips {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}} - -cat <peers/{{$.Profile.ID}}.conf -[Peer] -PublicKey = 
${wg_public_key} -AllowedIPs = {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/32{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/128{{end}} -WGPEER - -cat <clients/{{$.Profile.ID}}.conf -[Interface] -PrivateKey = ${wg_private_key} -{{- if not .DisableDNS }} -DNS = {{if .Ipv4Enabled}}{{$.IPv4Gw}}{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Gw}}{{end}} -{{- end }} -Address = {{if .Ipv4Enabled}}{{$.IPv4Pref}}{{$.Profile.Number}}/{{$.IPv4Cidr}}{{end}}{{if .Ipv6Enabled}}{{if .Ipv4Enabled}},{{end}}{{$.IPv6Pref}}{{$.Profile.Number}}/{{$.IPv6Cidr}}{{end}} - -[Peer] -PublicKey = $(cat server.public) - -Endpoint = {{$.EndpointHost}}:{{$.Listenport}} -AllowedIPs = {{$.AllowedIPS}} -WGCLIENT -` + cd {{$.Datadir}}/wireguard + + wg-bond add {{$.Profile.ID}} --dns 1.1.1.1 + wg-bond conf {{$.Profile.ID}} -T subspace-root > clients/{{$.Profile.ID}}.conf + + # Syncing configuration + wg-bond conf subspace-root > subspace.conf + wg-quick strip ./subspace.conf > sync.conf + wg syncconf subspace ./sync.conf + + ` _, err = bash(script, struct { - Profile Profile - EndpointHost string - Datadir string - IPv4Gw string - IPv6Gw string - IPv4Pref string - IPv6Pref string - IPv4Cidr string - IPv6Cidr string - Listenport string - AllowedIPS string - Ipv4Enabled bool - Ipv6Enabled bool - DisableDNS bool + Profile Profile + Datadir string }{ profile, - endpointHost, datadir, - ipv4Gw, - ipv6Gw, - ipv4Pref, - ipv6Pref, - ipv4Cidr, - ipv6Cidr, - listenport, - allowedips, - ipv4Enabled, - ipv6Enabled, - disableDNS, }) if err != nil { logger.Warn(err) 
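Review bot: The replacement script hard-codes `--dns 1.1.1.1` and no longer reads any of the `SUBSPACE_*` overrides the removed lines honoured (`SUBSPACE_DISABLE_DNS`, `SUBSPACE_ALLOWED_IPS`, `SUBSPACE_ENDPOINT_HOST`, `SUBSPACE_LISTENPORT`, the NAT-enabled flags), yet the NixOS module in this series still exports several of them, so operator settings are silently ignored — a deployment that disables DNS still hands every client a config pointing at Cloudflare. At minimum keep `DisableDNS` in the template struct and write `wg-bond add {{$.Profile.ID}}{{if not .DisableDNS}} --dns 1.1.1.1{{end}}`, and add a comment listing which knobs now live in wg-bond's own configuration. `{{$.Profile.ID}}` is still spliced unquoted into a `bash -c` script with no template escaping; if IDs are generated server-side this is harmless, but that assumption deserves a comment or single-quoting at the call sites. `profileAddHandler` begins before this hunk.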
@@ -695,13 +603,16 @@ func helpHandler(w *Web) { // func deleteProfile(profile Profile) error { script := ` -# WireGuard -cd {{$.Datadir}}/wireguard -peerid=$(cat peers/{{$.Profile.ID}}.conf | awk '/PublicKey/ { printf("%s", $3) }' ) -wg set subspace peer $peerid remove -rm peers/{{$.Profile.ID}}.conf -rm clients/{{$.Profile.ID}}.conf -` + cd {{$.Datadir}}/wireguard + + wg-bond rm {{$.Profile.ID}} + + # Syncing configuration + wg-bond conf subspace-root > subspace.conf + wg-quick strip ./subspace.conf > sync.conf + wg syncconf subspace ./sync.conf + ` + output, err := bash(script, struct { Datadir string Profile Profile diff --git a/flake.nix b/flake.nix index a72e0434..2c075275 100644 --- a/flake.nix +++ b/flake.nix @@ -31,6 +31,9 @@ ''; } ); + devShell = onPkgs (_: pkgs: with pkgs; mkShell { + buildInputs = [ wg-bond go go-bindata ]; + }); nixosModule = { pkgs, lib, config, ... }: with lib; From 1b2be1a2820de4f70948726a6ee378e61d6ff7e6 Mon Sep 17 00:00:00 2001 From: Vladimir Serov Date: Tue, 1 Mar 2022 02:44:38 +0300 Subject: [PATCH 13/24] flake.nix/systemd: updated teardown/setup process --- flake.nix | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/flake.nix b/flake.nix index 2c075275..92cb6138 100644 --- a/flake.nix +++ b/flake.nix 
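Review bot: `deleteProfile` now only runs `wg-bond rm {{$.Profile.ID}}` and resyncs the interface; the `rm clients/{{$.Profile.ID}}.conf` from the removed lines is gone, while `profileAddHandler` in this same commit still writes that file, so a deleted device's client config (presumably carrying the peer's private key, as the old template did) stays on disk indefinitely. Add `rm -f clients/{{$.Profile.ID}}.conf` after the `wg-bond rm` line so removal of a device also removes its credentials. `deleteProfile` continues past the end of this hunk.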
@@ -206,23 +206,8 @@ mkdir -p wireguard/clients touch wireguard/clients/null.conf - mkdir -p wireguard/peers - touch wireguard/peers/null.conf - - cp ${cfg.privateKeyFile} wireguard/server.private - cat ${cfg.privateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > server.public - - { - echo "[Interface]" - echo "PrivateKey = $(cat wireguard/server.private)" - echo "ListenPort = ${cfg.proxyPort}" - echo - cat wireguard/peers/* - } > wireguard/subspace.conf - + wg-bond conf subspace-root > ${cfg.dataDir}/wireguard/subspace.conf wg-quick up ${cfg.dataDir}/wireguard/subspace.conf - iptables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_POOL} -o ${cfg.masqueradeInterface} - ip6tables -A POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_POOL} -o ${cfg.masqueradeInterface} chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} @@ -234,8 +219,6 @@ let postStop = pkgs.writeShellScript "subspace-post-stop" '' wg-quick down ${cfg.dataDir}/wireguard/subspace.conf - iptables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV4_POOL} -o ${cfg.masqueradeInterface} - ip6tables -D POSTROUTING -t nat -j MASQUERADE -s ${environment.SUBSPACE_IPV6_POOL} -o ${cfg.masqueradeInterface} ''; in "+" + postStop; From 072ef5625f3bb40a469737c7236edee2c18d0b92 Mon Sep 17 00:00:00 2001 From: Vladimir Serov Date: Tue, 1 Mar 2022 02:45:31 +0300 Subject: [PATCH 14/24] ignoring direnv --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 76f78dfe..34d0b4ec 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,7 @@ *.dll *.so *.dylib +.direnv # Test binary, built with `go test -c` *.test From 291cbef0ae3af4ce386bd482575de0d99e9719c3 Mon Sep 17 00:00:00 2001 
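Review bot: This hunk deletes the `iptables`/`ip6tables` MASQUERADE lines without a replacement, so unless the config emitted by `wg-bond conf subspace-root` carries `PostUp`/`PostDown` NAT rules (not visible here), VPN clients lose egress and the `masqueradeInterface` option becomes dead. Either confirm wg-bond emits those rules and say so in a comment above `wg-quick up`, or keep the two `-A`/`-D` lines. `wg-bond conf subspace-root` also now runs as root from `${cfg.dataDir}` with no explicit config path, relying on wg-bond's default location; passing `-c ${cfg.dataDir}/wireguard/wg-bond.json` here, as a later commit in this series does for `preStart`, pins it to the data dir.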
From: Vladimir Serov Date: Tue, 1 Mar 2022 04:51:28 +0300 Subject: [PATCH 15/24] patched wg-quick to skip uid checks --- flake.nix | 19 ++++++++++++++++--- wg-quick-no-uid.patch | 13 +++++++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) create mode 100644 wg-quick-no-uid.patch diff --git a/flake.nix b/flake.nix index 8b0b474e..4875aaa1 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,15 @@ let onPkgs = fn: builtins.mapAttrs fn nixpkgs.legacyPackages; in { + packages = onPkgs (_: pkgs: + { + patchedWGTools = pkgs.wireguard-tools.overrideDerivation (super: { + patches = super.patches ++ [ + ./wg-quick-no-uid.patch + ]; + }); + } + ); defaultPackage = onPkgs (_: pkgs: let goPackagePath = "github.com/subspacecommunity/subspace"; @@ -31,8 +40,8 @@ ''; } ); - devShell = onPkgs (_: pkgs: with pkgs; mkShell { - buildInputs = [ wg-bond go go-bindata ]; + devShell = onPkgs (system: pkgs: with pkgs; mkShell { + buildInputs = [ self.packages.${system}.patchedWGTools wg-bond go go-bindata ]; }); nixosModule = { pkgs, lib, config, ... }: @@ -233,11 +242,15 @@ mkdir -p wireguard/clients touch wireguard/clients/null.conf + pushd wireguard wg-bond conf subspace-root > ${cfg.dataDir}/wireguard/subspace.conf wg-quick up ${cfg.dataDir}/wireguard/subspace.conf + popd chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} + + popd ''; in "+" + preStart; @@ -251,7 +264,7 @@ "+" + postStop; }; - path = with pkgs; [ wireguard-tools iptables bash gawk ]; + path = with pkgs; [ wg-bond self.packages.${system}.patchedWGTools iptables bash gawk ]; environment = { SUBSPACE_LISTENPORT = cfg.proxyPort; diff --git a/wg-quick-no-uid.patch b/wg-quick-no-uid.patch new file mode 100644 index 00000000..03cc0d00 --- /dev/null +++ b/wg-quick-no-uid.patch 
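Review bot: Inside `nixosModule = { pkgs, lib, config, ... }:` the new `path` entry `self.packages.${system}.patchedWGTools` references `system`, which is not one of the module's arguments; unless it is bound by an enclosing scope not visible here, evaluation fails with an undefined variable. `pkgs.stdenv.hostPlatform.system` is the usual spelling inside a module, or expose the patched package through an overlay and use `pkgs.wireguard-tools`. The `auto_su` patch is applied to the tools used by the service, but at this point `wg-quick up` still runs from the `+`-prefixed `ExecStartPre` as root, so the patch changes nothing for the service and only matters in `devShell`; a comment on `patchedWGTools` stating why it exists would prevent it from being mistaken for dead code.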
@@ -0,0 +1,13 @@ +diff --git a/wg-quick/linux.bash b/wg-quick/linux.bash +index e4d4c4f..bd407d4 100755 +--- a/wg-quick/linux.bash ++++ b/wg-quick/linux.bash +@@ -82,7 +82,7 @@ read_bool() { + } + + auto_su() { +- [[ $UID == 0 ]] || exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " -- "$BASH" -- "$SELF" "${ARGS[@]}" ++ : + } + + add_if() { From 5a94bc9dd502e7477cc10640f7a97a981e4b8875 Mon Sep 17 00:00:00 2001 From: Vladimir Serov Date: Tue, 1 Mar 2022 11:46:00 +0300 Subject: [PATCH 16/24] flake.nix: oops --- flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 4875aaa1..6f475967 100644 --- a/flake.nix +++ b/flake.nix @@ -243,8 +243,8 @@ touch wireguard/clients/null.conf pushd wireguard - wg-bond conf subspace-root > ${cfg.dataDir}/wireguard/subspace.conf - wg-quick up ${cfg.dataDir}/wireguard/subspace.conf + wg-bond conf subspace-root > ${cfg.dataDir}/subspace.conf + wg-quick up ${cfg.dataDir}/subspace.conf popd chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} From bce5b1162e45e9f84e4e3d5e2284aabe08a2db63 Mon Sep 17 00:00:00 2001 From: notgne2 Date: Tue, 1 Mar 2022 04:39:18 -0700 Subject: [PATCH 17/24] Clean up NixOS module --- flake.nix | 83 ++++++++----------------------------------------------- 1 file changed, 12 insertions(+), 71 deletions(-) diff --git a/flake.nix b/flake.nix index 6f475967..42e9eec6 100644 --- a/flake.nix +++ b/flake.nix 
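Review bot: The `@@ -243,8 +243,8 @@` hunk moves the generated config to `${cfg.dataDir}/subspace.conf`, but `ExecStopPost` (outside this hunk) still runs `wg-quick down ${cfg.dataDir}/wireguard/subspace.conf`; wg-quick reads the config file on `down` as well, so stop now fails and the `subspace` interface and its routes stay up after the service exits. Change the post-stop line to `wg-quick down ${cfg.dataDir}/subspace.conf`. The `wg-quick-no-uid.patch` above replaces `auto_su` with `:`, which drops the "must be run as root" message along with the `sudo` re-exec; wg-quick's `ip`/`wg`/`sysctl` calls still need privileges, so an unprivileged run will now surface as a less obvious EPERM further down rather than a clear error.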
@@ -121,37 +121,6 @@ default = "53222"; type = types.str; }; - - masqueradeInterface = mkOption { - description = "What interface to use to proxy traffic"; - type = types.str; - }; - - ipv4Pref = mkOption { - description = "Cursed IPv4 subnet preference"; - default = "10.99.97."; - type = types.str; - }; - ipv6Pref = mkOption { - description = "Cursed IPv6 subnet preference"; - default = "fd00::10:97:"; - type = types.str; - }; - ipv4Gw = mkOption { - description = "IPv4 address to be used as a gateway"; - default = "10.99.97.1"; - type = types.str; - }; - ipv6Gw = mkOption { - description = "IPv6 address to be used as a gateway"; - default = "fd00::10:97:1"; - type = types.str; - }; - disableDns = mkOption { - default = false; - description = "Disable configuring the chosen gateway as a DNS server"; - type = types.bool; - }; }; config = mkIf cfg.enable { @@ -218,7 +187,7 @@ "~@raw-io" "~@reboot" "~@swap" - "~@privileged" + # "~@privileged" "~@resources" "~@cpu-emulation" "~@obsolete" 
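Review bot: Commenting out `"~@privileged"` re-admits the entire privileged syscall group (setuid/setgid/setgroups, chroot, pivot_root, bpf, …) to the long-running service, presumably because the `chown -R` / `chmod -R` in `preStart` tripped the filter, since `@chown` is a subset of `@privileged`. Prefer re-allowing only what is needed — keep `"~@privileged"` and append `"@chown"` so the later entry removes that group from the deny set — or move the ownership fix into a `+`-prefixed `ExecStartPre` or a `systemd.tmpfiles.rules` entry so the service never needs it. Replace the commented-out line with a comment naming the syscall that forced the change, so the next reader can re-tighten it.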
@@ -233,49 +202,21 @@ ProcSubset = "pid"; WorkingDirectory = "${cfg.package}/libexec"; - - ExecStartPre = - let - preStart = pkgs.writeShellScript "subspace-pre-start" '' - pushd ${cfg.dataDir} - - mkdir -p wireguard/clients - touch wireguard/clients/null.conf - - pushd wireguard - wg-bond conf subspace-root > ${cfg.dataDir}/subspace.conf - wg-quick up ${cfg.dataDir}/subspace.conf - popd - - chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} - chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} - - popd - ''; - in - "+" + preStart; - - ExecStopPost = - let - postStop = pkgs.writeShellScript "subspace-post-stop" '' - wg-quick down ${cfg.dataDir}/wireguard/subspace.conf - ''; - in - "+" + postStop; }; path = with pkgs; [ wg-bond self.packages.${system}.patchedWGTools iptables bash gawk ]; - environment = { - SUBSPACE_LISTENPORT = cfg.proxyPort; - SUBSPACE_IPV4_PREF = cfg.ipv4Pref; - SUBSPACE_IPV6_PREF = cfg.ipv6Pref; - SUBSPACE_IPV4_GW = cfg.ipv4Gw; - SUBSPACE_IPV6_GW = cfg.ipv6Gw; - SUBSPACE_IPV4_NAT_ENABLED = "1"; - SUBSPACE_IPV6_NAT_ENABLED = "1"; - SUBSPACE_DISABLE_DNS = if cfg.disableDns then "1" else "0"; - }; + preStart = '' + wg-bond -c ${cfg.dataDir}/wireguard/wg-bond.json conf subspace-root > ${cfg.dataDir}/subspace.conf + wg-quick up ${cfg.dataDir}/subspace.conf + + chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} + chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} + ''; + + postStop = '' + wg-quick down ${cfg.dataDir}/wireguard/subspace.conf + ''; script = '' ${cfg.package}/bin/subspace \ From 89f8ac948e74028856393836ef9b0630702c9929 Mon Sep 17 00:00:00 2001 
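Review bot: Moving `wg-quick up`, `chmod -R` and `chown -R` from the root `ExecStartPre` into `preStart` means they now run as `cfg.user` inside the sandbox with only `CAP_NET_ADMIN`: `chown -R` cannot change files it does not already own, wg-quick's `sysctl`/`resolvconf` steps (for configs with a default route or DNS) are blocked by `ProtectKernelTunables`/`ProtectSystem=strict`, and `chmod -R … g+rX` now also makes `wireguard/wg-bond.json` — presumably the store holding every peer's private key — group-readable. Keep the ownership/permission fix in a `+`-prefixed `ExecStartPre` (or `systemd.tmpfiles.rules`) using `go-rwx`, and leave only the `wg-bond … conf` and `wg-quick up` lines in `preStart`. `postStop` still tears down `${cfg.dataDir}/wireguard/subspace.conf` while `preStart` writes `${cfg.dataDir}/subspace.conf`, so the interface will not be removed on stop.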
From: notgne2 Date: Tue, 1 Mar 2022 04:42:53 -0700 Subject: [PATCH 18/24] Remove unused Docker-related files --- Dockerfile | 43 ----- bin/my_init | 45 ----- entrypoint.sh | 254 ------------------------- scripts/dockerfiles/386.dockerfile | 56 ------ scripts/dockerfiles/amd64.dockerfile | 43 ----- scripts/dockerfiles/arm32v5.dockerfile | 60 ------ scripts/dockerfiles/arm32v6.dockerfile | 56 ------ scripts/dockerfiles/arm32v7.dockerfile | 57 ------ scripts/dockerfiles/arm64v8.dockerfile | 56 ------ scripts/dockerfiles/hooks/post_push | 43 ----- scripts/dockerfiles/hooks/pre_build | 5 - 11 files changed, 718 deletions(-) delete mode 100644 Dockerfile delete mode 100755 bin/my_init delete mode 100644 entrypoint.sh delete mode 100644 scripts/dockerfiles/386.dockerfile delete mode 100644 scripts/dockerfiles/amd64.dockerfile delete mode 100644 scripts/dockerfiles/arm32v5.dockerfile delete mode 100644 scripts/dockerfiles/arm32v6.dockerfile delete mode 100644 scripts/dockerfiles/arm32v7.dockerfile delete mode 100644 scripts/dockerfiles/arm64v8.dockerfile delete mode 100644 scripts/dockerfiles/hooks/post_push delete mode 100644 scripts/dockerfiles/hooks/pre_build diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 5c7aab14..00000000 --- a/Dockerfile +++ /dev/null 
@@ -1,43 +0,0 @@ -FROM golang:1.16-alpine as build - -RUN apk add --no-cache \ - git \ - make - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - -FROM alpine:3.13.4 -LABEL maintainer="github.com/subspacecommunity/subspace" - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -ENV DEBIAN_FRONTEND noninteractive - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/bin/my_init b/bin/my_init deleted file mode 100755 index af391f62..00000000 --- a/bin/my_init +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/sh - -shutdown() { - echo "shutting down container" - - # first shutdown any service started by runit - for _srv in $(ls -1 /etc/service); do - sv force-stop $_srv - done - - # shutdown runsvdir command - kill -HUP $RUNSVDIR - wait $RUNSVDIR - - # give processes time to stop - sleep 0.5 - - # kill any other processes still running in the container - for _pid in $(ps -eo pid | grep -v PID | tr -d ' ' | grep -v '^1$' | head -n -6); do - timeout -t 5 /bin/sh -c "kill $_pid && wait $_pid || kill -9 $_pid" - done - exit -} - -# store enviroment variables -export > /etc/envvars - -PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin - -exec env - PATH=$PATH runsvdir -P /etc/service & - -RUNSVDIR=$! -echo "Started runsvdir, PID is $RUNSVDIR" -echo "wait for processes to start...." - -sleep 5 -for _srv in $(ls -1 /etc/service); do - sv status $_srv -done - -# catch shutdown signals -trap shutdown SIGTERM SIGHUP SIGQUIT SIGINT -wait $RUNSVDIR - -shutdown 
diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100644 index 2d6cb8ab..00000000 --- a/entrypoint.sh +++ /dev/null 
@@ -1,254 +0,0 @@ -#!/usr/bin/env sh -set -o errexit -set -o nounset -set -o pipefail -set -o xtrace - -# Require environment variables. -if [ -z "${SUBSPACE_HTTP_HOST-}" ]; then - echo "Environment variable SUBSPACE_HTTP_HOST required. Exiting." - exit 1 -fi -# Optional environment variables. -if [ -z "${SUBSPACE_BACKLINK-}" ]; then - export SUBSPACE_BACKLINK="/" -fi - -if [ -z "${SUBSPACE_IPV4_POOL-}" ]; then - export SUBSPACE_IPV4_POOL="10.99.97.0/24" -fi -if [ -z "${SUBSPACE_IPV6_POOL-}" ]; then - export SUBSPACE_IPV6_POOL="fd00::10:97:0/112" -fi -if [ -z "${SUBSPACE_NAMESERVERS-}" ]; then - export SUBSPACE_NAMESERVERS="1.1.1.1,1.0.0.1" -fi - -if [ -z "${SUBSPACE_LETSENCRYPT-}" ]; then - export SUBSPACE_LETSENCRYPT="true" -fi - -if [ -z "${SUBSPACE_HTTP_ADDR-}" ]; then - export SUBSPACE_HTTP_ADDR=":80" -fi - -if [ -z "${SUBSPACE_LISTENPORT-}" ]; then - export SUBSPACE_LISTENPORT="51820" -fi - -if [ -z "${SUBSPACE_HTTP_INSECURE-}" ]; then - export SUBSPACE_HTTP_INSECURE="false" -fi - -if [ -z "${SUBSPACE_THEME-}" ]; then - export SUBSPACE_THEME="green" -fi - -export DEBIAN_FRONTEND="noninteractive" - -if [ -z "${SUBSPACE_IPV4_GW-}" ]; then - export SUBSPACE_IPV4_PREF=$(echo ${SUBSPACE_IPV4_POOL-} | cut -d '/' -f1 | sed 's/.0$/./g') - export SUBSPACE_IPV4_GW=$(echo ${SUBSPACE_IPV4_PREF-}1) - -fi - -if [ -z "${SUBSPACE_IPV6_GW-}" ]; then - export SUBSPACE_IPV6_PREF=$(echo ${SUBSPACE_IPV6_POOL-} | cut -d '/' -f1 | sed 's/:0$/:/g') - export SUBSPACE_IPV6_GW=$(echo ${SUBSPACE_IPV6_PREF-}1) -fi - -if [ -z "${SUBSPACE_IPV6_NAT_ENABLED-}" ] || [ "${SUBSPACE_IPV6_NAT_ENABLED}" != "0" ]; then - export SUBSPACE_IPV6_NAT_ENABLED=1 -else - export SUBSPACE_IPV6_NAT_ENABLED=0 -fi - -if [ -z "${SUBSPACE_IPV4_NAT_ENABLED-}" ] || [ "${SUBSPACE_IPV4_NAT_ENABLED}" != "0" ]; then - export SUBSPACE_IPV4_NAT_ENABLED=1 -else - export SUBSPACE_IPV4_NAT_ENABLED=0 -fi - -# DNS server is disabled if the flag is not ommited and set to anything other than 0. -if ! 
[ -z "${SUBSPACE_DISABLE_DNS-}" ] && [ "${SUBSPACE_DISABLE_DNS}" != "0" ]; then - export SUBSPACE_DISABLE_DNS=1 -else - export SUBSPACE_DISABLE_DNS=0 -fi - -if [ "$SUBSPACE_IPV6_NAT_ENABLED" == "0" ] && [ "$SUBSPACE_IPV4_NAT_ENABLED" == "0" ]; then - echo "One of envionment variables SUBSPACE_IPV6_NAT_ENABLED, SUBSPACE_IPV4_NAT_ENABLED must be set to 1." - echo "Got SUBSPACE_IPV6_NAT_ENABLED=$SUBSPACE_IPV6_NAT_ENABLED, SUBSPACE_IPV4_NAT_ENABLED=$SUBSPACE_IPV4_NAT_ENABLED" - exit 1 -fi - -# Empty out inherited nameservers -echo "" >/etc/resolv.conf -# Set DNS servers -echo ${SUBSPACE_NAMESERVERS} | tr "," "\n" | while read -r ns; do echo "nameserver ${ns}" >>/etc/resolv.conf; done - -if [ -z "${SUBSPACE_DISABLE_MASQUERADE-}" ]; then - if [[ ${SUBSPACE_IPV4_NAT_ENABLED} -ne 0 ]]; then - # IPv4 - if ! /sbin/iptables -t nat --check POSTROUTING -s ${SUBSPACE_IPV4_POOL} -j MASQUERADE; then - /sbin/iptables -t nat --append POSTROUTING -s ${SUBSPACE_IPV4_POOL} -j MASQUERADE - fi - - if ! /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; then - /sbin/iptables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - fi - - if ! /sbin/iptables --check FORWARD -s ${SUBSPACE_IPV4_POOL} -j ACCEPT; then - /sbin/iptables --append FORWARD -s ${SUBSPACE_IPV4_POOL} -j ACCEPT - fi - fi - - if [[ ${SUBSPACE_IPV6_NAT_ENABLED} -ne 0 ]]; then - # IPv6 - if ! /sbin/ip6tables -t nat --check POSTROUTING -s ${SUBSPACE_IPV6_POOL} -j MASQUERADE; then - /sbin/ip6tables -t nat --append POSTROUTING -s ${SUBSPACE_IPV6_POOL} -j MASQUERADE - fi - - if ! /sbin/ip6tables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; then - /sbin/ip6tables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - fi - - if ! 
/sbin/ip6tables --check FORWARD -s ${SUBSPACE_IPV6_POOL} -j ACCEPT; then - /sbin/ip6tables --append FORWARD -s ${SUBSPACE_IPV6_POOL} -j ACCEPT - fi - fi -fi - -if [[ ${SUBSPACE_IPV4_NAT_ENABLED} -ne 0 ]]; then - # ipv4 - DNS Leak Protection - if ! /sbin/iptables -t nat --check OUTPUT -s ${SUBSPACE_IPV4_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53; then - /sbin/iptables -t nat --append OUTPUT -s ${SUBSPACE_IPV4_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53 - fi - - if ! /sbin/iptables -t nat --check OUTPUT -s ${SUBSPACE_IPV4_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53; then - /sbin/iptables -t nat --append OUTPUT -s ${SUBSPACE_IPV4_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53 - fi -fi - -if [[ ${SUBSPACE_IPV6_NAT_ENABLED} -ne 0 ]]; then - # ipv6 - DNS Leak Protection - if ! /sbin/ip6tables --wait -t nat --check OUTPUT -s ${SUBSPACE_IPV6_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW}; then - /sbin/ip6tables --wait -t nat --append OUTPUT -s ${SUBSPACE_IPV6_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW} - fi - - if ! /sbin/ip6tables --wait -t nat --check OUTPUT -s ${SUBSPACE_IPV6_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW}; then - /sbin/ip6tables --wait -t nat --append OUTPUT -s ${SUBSPACE_IPV6_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW} - fi -fi -# -# WireGuard (${SUBSPACE_IPV4_POOL}) -# -umask_val=$(umask) -umask 0077 -if ! test -d /data/wireguard; then - mkdir /data/wireguard - cd /data/wireguard - - mkdir clients - touch clients/null.conf # So you can cat *.conf safely - mkdir peers - touch peers/null.conf # So you can cat *.conf safely - - # Generate public/private server keys. 
- wg genkey | tee server.private | wg pubkey >server.public -fi - -cat </data/wireguard/server.conf -[Interface] -PrivateKey = $(cat /data/wireguard/server.private) -ListenPort = ${SUBSPACE_LISTENPORT} - -WGSERVER -cat /data/wireguard/peers/*.conf >>/data/wireguard/server.conf -umask ${umask_val} -[ -f /data/config.json ] && chmod 600 /data/config.json # Special handling of file not created by start-up script - -if ip link show wg0 2>/dev/null; then - ip link del wg0 -fi -ip link add wg0 type wireguard -if [[ ${SUBSPACE_IPV4_NAT_ENABLED} -ne 0 ]]; then - export SUBSPACE_IPV4_CIDR=$(echo ${SUBSPACE_IPV4_POOL-} | cut -d '/' -f2) - ip addr add ${SUBSPACE_IPV4_GW}/${SUBSPACE_IPV4_CIDR} dev wg0 -fi -if [[ ${SUBSPACE_IPV6_NAT_ENABLED} -ne 0 ]]; then - export SUBSPACE_IPV6_CIDR=$(echo ${SUBSPACE_IPV6_POOL-} | cut -d '/' -f2) - ip addr add ${SUBSPACE_IPV6_GW}/${SUBSPACE_IPV6_CIDR} dev wg0 -fi -wg setconf wg0 /data/wireguard/server.conf -ip link set wg0 up - -# dnsmasq service -if [[ ${SUBSPACE_DISABLE_DNS} == "0" ]]; then - DNSMASQ_LISTEN_ADDRESS="127.0.0.1" - if [[ ${SUBSPACE_IPV4_NAT_ENABLED} -ne 0 ]]; then - DNSMASQ_LISTEN_ADDRESS="${DNSMASQ_LISTEN_ADDRESS},${SUBSPACE_IPV4_GW}" - fi - if [[ ${SUBSPACE_IPV6_NAT_ENABLED} -ne 0 ]]; then - DNSMASQ_LISTEN_ADDRESS="${DNSMASQ_LISTEN_ADDRESS},${SUBSPACE_IPV6_GW}" - fi - - if ! test -d /etc/service/dnsmasq; then - cat </etc/dnsmasq.conf - # Only listen on necessary addresses. - listen-address=${DNSMASQ_LISTEN_ADDRESS} - - # Never forward plain names (without a dot or domain part) - domain-needed - - # Never forward addresses in the non-routed address spaces. - bogus-priv - - # Allow extending dnsmasq by providing custom configurations. 
- conf-dir=/etc/dnsmasq.d -DNSMASQ - - mkdir -p /etc/service/dnsmasq - cat </etc/service/dnsmasq/run -#!/bin/sh -exec /usr/sbin/dnsmasq --keep-in-foreground -RUNIT - chmod +x /etc/service/dnsmasq/run - - # dnsmasq service log - mkdir -p /etc/service/dnsmasq/log/main - cat </etc/service/dnsmasq/log/run -#!/bin/sh -exec svlogd -tt ./main -RUNIT - chmod +x /etc/service/dnsmasq/log/run - fi -fi - -# subspace service -if ! test -d /etc/service/subspace; then - mkdir /etc/service/subspace - cat </etc/service/subspace/run -#!/bin/sh -source /etc/envvars -exec /usr/bin/subspace \ - "--http-host=${SUBSPACE_HTTP_HOST}" \ - "--http-addr=${SUBSPACE_HTTP_ADDR}" \ - "--http-insecure=${SUBSPACE_HTTP_INSECURE}" \ - "--backlink=${SUBSPACE_BACKLINK}" \ - "--letsencrypt=${SUBSPACE_LETSENCRYPT}" \ - "--theme=${SUBSPACE_THEME}" -RUNIT - chmod +x /etc/service/subspace/run - - # subspace service log - mkdir /etc/service/subspace/log - mkdir /etc/service/subspace/log/main - cat </etc/service/subspace/log/run -#!/bin/sh -exec svlogd -tt ./main -RUNIT - chmod +x /etc/service/subspace/log/run -fi - -exec $@ diff --git a/scripts/dockerfiles/386.dockerfile b/scripts/dockerfiles/386.dockerfile deleted file mode 100644 index 442af184..00000000 --- a/scripts/dockerfiles/386.dockerfile +++ /dev/null 
@@ -1,56 +0,0 @@ -FROM alpine AS builder - -# Download QEMU, see https://github.com/docker/hub-feedback/issues/1261 -ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-aarch64.tar.gz -RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 - - -FROM i386/golang:1.14.4-buster as build - -# Add QEMU -COPY --from=builder qemu-aarch64-static /usr/bin - -RUN apt-get update \ - && apt-get install -y git make \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=386 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - -FROM i386/alpine:3.11.6 -LABEL maintainer="github.com/subspacecommunity/subspace" - -# Add QEMU -COPY --from=builder qemu-aarch64-static /usr/bin - -ENV DEBIAN_FRONTEND noninteractive -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/amd64.dockerfile b/scripts/dockerfiles/amd64.dockerfile deleted file mode 100644 index df486a3f..00000000 --- a/scripts/dockerfiles/amd64.dockerfile +++ /dev/null 
@@ -1,43 +0,0 @@ -FROM golang:1.14 as build - -RUN apt-get update \ - && apt-get install -y git make \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=amd64 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - -FROM alpine:3.11.6 -LABEL maintainer="github.com/subspacecommunity/subspace" - -ENV DEBIAN_FRONTEND noninteractive -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/arm32v5.dockerfile b/scripts/dockerfiles/arm32v5.dockerfile deleted file mode 100644 index 8f3a47a5..00000000 --- a/scripts/dockerfiles/arm32v5.dockerfile +++ /dev/null 
@@ -1,60 +0,0 @@ -FROM alpine AS builder - -# Download QEMU, see https://github.com/docker/hub-feedback/issues/1261 -ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-arm.tar.gz -RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 - - -FROM arm32v5/golang:1.14.4-buster as build - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -RUN apt-get update \ - && apt-get install -y git make \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=arm -ENV GOARM=5 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - - -FROM arm32v5/debian:buster-backports -LABEL maintainer="github.com/subspacecommunity/subspace" - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -RUN apt-get update \ - && apt-get install -y \ - iproute2 \ - iptables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit \ - && rm -rf /var/lib/apt/lists/* - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -ENV DEBIAN_FRONTEND noninteractive - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/arm32v6.dockerfile b/scripts/dockerfiles/arm32v6.dockerfile deleted file mode 100644 index e52fdf6c..00000000 --- a/scripts/dockerfiles/arm32v6.dockerfile +++ /dev/null 
@@ -1,56 +0,0 @@ -FROM alpine AS builder - -# Download QEMU, see https://github.com/docker/hub-feedback/issues/1261 -ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-arm.tar.gz -RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 - - -FROM arm32v6/golang:1.14.4-alpine as build - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -RUN apk add --no-cache git make gcc musl-dev - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=arm -ENV GOARM=6 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - - -FROM arm32v6/alpine:3.11.6 -LABEL maintainer="github.com/subspacecommunity/subspace" - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -ENV DEBIAN_FRONTEND noninteractive -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/arm32v7.dockerfile b/scripts/dockerfiles/arm32v7.dockerfile deleted file mode 100644 index b5687605..00000000 --- a/scripts/dockerfiles/arm32v7.dockerfile +++ /dev/null 
@@ -1,57 +0,0 @@ -FROM alpine AS builder - -# Download QEMU, see https://github.com/docker/hub-feedback/issues/1261 -ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-arm.tar.gz -RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 - - -FROM arm32v7/golang:1.14.4-buster as build - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -RUN apt-get update \ - && apt-get install -y git make \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=arm -ENV GOARM=7 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - -FROM arm32v7/alpine:3.11.6 -LABEL maintainer="github.com/subspacecommunity/subspace" - -# Add QEMU -COPY --from=builder qemu-arm-static /usr/bin - -ENV DEBIAN_FRONTEND noninteractive -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/arm64v8.dockerfile b/scripts/dockerfiles/arm64v8.dockerfile deleted file mode 100644 index 43cc72d3..00000000 --- a/scripts/dockerfiles/arm64v8.dockerfile +++ /dev/null 
@@ -1,56 +0,0 @@ -FROM alpine AS builder - -# Download QEMU, see https://github.com/docker/hub-feedback/issues/1261 -ENV QEMU_URL https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-aarch64.tar.gz -RUN apk add curl && curl -L ${QEMU_URL} | tar zxvf - -C . --strip-components 1 - - -FROM arm64v8/golang:1.14.4-buster as build - -# Add QEMU -COPY --from=builder qemu-aarch64-static /usr/bin - -RUN apt-get update \ - && apt-get install -y git make \ - && rm -rf /var/lib/apt/lists/* - -WORKDIR /src - -COPY Makefile ./ -# go.mod and go.sum if exists -COPY go.* ./ -COPY cmd/ ./cmd -COPY web ./web - -ARG BUILD_VERSION=unknown -ARG GOARCH=arm64 - -ENV GODEBUG="netdns=go http2server=0" - -RUN make build BUILD_VERSION=${BUILD_VERSION} - -FROM arm64v8/alpine:3.11.6 -LABEL maintainer="github.com/subspacecommunity/subspace" - -# Add QEMU -COPY --from=builder qemu-aarch64-static /usr/bin - -ENV DEBIAN_FRONTEND noninteractive -RUN apk add --no-cache \ - iproute2 \ - iptables \ - ip6tables \ - dnsmasq \ - socat \ - wireguard-tools \ - runit - -COPY --from=build /src/subspace /usr/bin/subspace -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY bin/my_init /sbin/my_init - -RUN chmod +x /usr/bin/subspace /usr/local/bin/entrypoint.sh /sbin/my_init - -ENTRYPOINT ["/usr/local/bin/entrypoint.sh" ] - -CMD [ "/sbin/my_init" ] diff --git a/scripts/dockerfiles/hooks/post_push b/scripts/dockerfiles/hooks/post_push deleted file mode 100644 index b76e3853..00000000 --- a/scripts/dockerfiles/hooks/post_push +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/bash - -# Use manifest-tool to create the manifest, given the experimental -# "docker manifest" command isn't available yet on Docker Hub. - -curl -Lo manifest-tool https://github.com/estesp/manifest-tool/releases/download/v0.9.0/manifest-tool-linux-amd64 -chmod +x manifest-tool - -git_tag=$(git describe --abbrev=0 --tags) -IFS=. read major minor bugfix < multi-arch-manifest.yaml -image: subspacecommunity/subspace -tags: ['latest', '${major}.${minor}.${bugfix}', '${major}.${minor}', '${major}'] -manifests: - - image: subspacecommunity/subspace:amd64 - platform: - architecture: amd64 - os: linux - - image: subspacecommunity/subspace:386 - platform: - architecture: 386 - os: linux - - image: subspacecommunity/subspace:arm32v6 - platform: - architecture: arm - os: linux - variant: v6 - - image: subspacecommunity/subspace:arm32v7 - platform: - architecture: arm - os: linux - variant: v7 - - image: subspacecommunity/subspace:arm64v8 - platform: - architecture: arm64 - os: linux - variant: v8 -EOF - -./manifest-tool push from-spec multi-arch-manifest.yaml diff --git a/scripts/dockerfiles/hooks/pre_build b/scripts/dockerfiles/hooks/pre_build deleted file mode 100644 index 0a94f7e5..00000000 --- a/scripts/dockerfiles/hooks/pre_build +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -# Register qemu-*-static for all supported processors except the -# current one, but also remove all registered binfmt_misc before -docker run --rm --privileged multiarch/qemu-user-static:register --reset From b0095f44b60dcbae9c73c6b9e2ad1bc4c24bce19 Mon Sep 17 00:00:00 2001 From: notgne2 Date: Tue, 1 Mar 2022 05:03:50 -0700 Subject: [PATCH 19/24] Restructure flake to use flake-utils and an overlay --- flake.lock | 16 +++ flake.nix | 409 +++++++++++++++++++++++++++-------------------------- 2 files changed, 224 insertions(+), 201 deletions(-) diff --git a/flake.lock b/flake.lock index f5ebb2be..3fa08630 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,5 +1,20 @@ { "nodes": { + "flake-utils": { + "locked": { + "lastModified": 1644229661, + "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1645433236, @@ -16,6 +31,7 @@ }, "root": { "inputs": { + "flake-utils": "flake-utils", "nixpkgs": "nixpkgs" } } diff --git a/flake.nix b/flake.nix index 42e9eec6..669fb506 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,28 +1,40 @@ { - outputs = { self, nixpkgs }: - let onPkgs = fn: builtins.mapAttrs fn nixpkgs.legacyPackages; + description = "A fork of the simple WireGuard VPN server GUI community maintained "; + + inputs.flake-utils.url = "github:numtide/flake-utils"; + + outputs = { self, nixpkgs, flake-utils }: (flake-utils.lib.eachDefaultSystem (system: + let + pkgs = import nixpkgs { inherit system; overlays = [ self.overlay ]; }; in { - packages = onPkgs (_: pkgs: - { - patchedWGTools = pkgs.wireguard-tools.overrideDerivation (super: { - patches = super.patches ++ [ - ./wg-quick-no-uid.patch - ]; - }); - } - ); - defaultPackage = onPkgs (_: pkgs: + packages.subspace = pkgs.subspace; + packages.wireguard-tools = pkgs.wireguard-tools; + + defaultPackage = self.packages.${system}.subspace; + + devShell = pkgs.mkShell { + buildInputs = with pkgs; [ self.packages.${system}.wireguard-tools wg-bond go go-bindata ]; + }; + })) // { + overlay = final: prev: { + wireguard-tools = prev.wireguard-tools.overrideDerivation (super: { + patches = super.patches ++ [ + ./wg-quick-no-uid.patch + ]; + }); + + subspace = let goPackagePath = "github.com/subspacecommunity/subspace"; version = "1.5.0"; in - pkgs.buildGoPackage { + final.buildGoPackage { inherit goPackagePath version; src = nixpkgs.lib.cleanSource ./.; name = "subspace"; goDeps = ./deps.nix; - nativeBuildInputs = with pkgs; [ go-bindata which diffutils ]; + nativeBuildInputs = with final; [ go-bindata which diffutils ]; buildPhase = '' runHook preBuild cd go/src/${goPackagePath} 
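Review bot: `overlay` now replaces `wireguard-tools` itself with the build carrying `wg-quick-no-uid.patch`, so every package and every NixOS host that applies `self.overlay` receives the patched wg-quick, not only subspace; the previous `patchedWGTools` attribute kept that scope explicit. If the patch relaxes wg-quick's privilege check (the file name suggests so; the patch itself is not in this diff), that is a property worth keeping local to the subspace service rather than overlay-wide. Consider exposing it under a distinct attribute, e.g. `subspace-wireguard-tools = prev.wireguard-tools.overrideDerivation (...)`, and referencing that from `packages`, `devShell` and the module's `path`. The `description` string also carries a trailing space and reads awkwardly; `"Community-maintained fork of the simple WireGuard VPN server GUI"` would be clearer.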
@@ -38,201 +50,196 @@ mkdir -p $out/libexec cp -r web $out/libexec/web ''; - } - ); - devShell = onPkgs (system: pkgs: with pkgs; mkShell { - buildInputs = [ self.packages.${system}.patchedWGTools wg-bond go go-bindata ]; - }); + }; + }; + nixosModule = { pkgs, lib, config, ... }: + with lib; + let + cfg = config.services.subspace; + in + { + options.services.subspace = { + enable = mkEnableOption "subspace"; + + package = mkOption { + description = "A package from which to take subspace"; + default = self.defaultPackage.${pkgs.system}; + type = types.package; + }; - nixosModule = { pkgs, lib, config, ... }: - with lib; - let - cfg = config.services.subspace; - in - { - options.services.subspace = { - enable = mkEnableOption "subspace"; - - package = mkOption { - description = "A package from which to take subspace"; - default = self.defaultPackage.${pkgs.system}; - type = types.package; - }; + privateKeyFile = mkOption { + description = "Path to Wireguard private key"; + default = "/secrets/subspace.private"; + type = types.str; + }; - privateKeyFile = mkOption { - description = "Path to Wireguard private key"; - default = "/secrets/subspace.private"; - type = types.str; - }; + user = mkOption { + description = "User account under which Subspace runs."; + default = "subspace"; + type = types.str; + }; + group = mkOption { + description = "Group account under which Subspace runs."; + default = "subspace"; + type = types.str; + }; - user = mkOption { - description = "User account under which Subspace runs."; - default = "subspace"; - type = types.str; - }; - group = mkOption { - description = "Group account under which Subspace runs."; - default = "subspace"; - type = types.str; + httpHost = mkOption { + description = "The host to listen on and set cookies for"; + default = "localhost"; + type = types.str; + }; + backlink = mkOption { + description = "The page to set the home button to"; + default = "/"; + type = types.str; + }; + dataDir = mkOption { + description 
= "Path to data folder"; + default = "/var/lib/subspace"; + type = types.str; + }; + debug = mkOption { + description = "Place subspace into debug mode for verbose log output"; + default = false; + type = types.bool; + }; + httpInsecure = mkOption { + description = "enable session cookies for http and remove redirect to https"; + default = false; + type = types.bool; + }; + letsencrypt = mkOption { + description = "Whether or not to use a LetsEncrypt certificate"; + default = true; + type = types.bool; + }; + httpAddr = mkOption { + description = "HTTP Listen address"; + default = ":3331"; + type = types.str; + }; + params = mkOption { + description = "Parameters for Subspace binary"; + default = ""; + type = types.str; + }; + proxyPort = mkOption { + description = "Port for managed WireGuard interface"; + default = "53222"; + type = types.str; + }; + }; + + config = mkIf cfg.enable { + users.users = optionalAttrs (cfg.user == "subspace") ({ + subspace = { + isSystemUser = true; + group = cfg.group; + # uid = config.ids.uids.subspace; + description = "Subspace WireGuard GUI user"; + home = cfg.dataDir; }; + }); - httpHost = mkOption { - description = "The host to listen on and set cookies for"; - default = "localhost"; - type = types.str; - }; - backlink = mkOption { - description = "The page to set the home button to"; - default = "/"; - type = types.str; - }; - dataDir = mkOption { - description = "Path to data folder"; - default = "/var/lib/subspace"; - type = types.str; - }; - debug = mkOption { - description = "Place subspace into debug mode for verbose log output"; - default = false; - type = types.bool; + users.groups = optionalAttrs (cfg.group == "subspace") ({ + subspace = { + # gid = config.ids.gids.subspace; }; - httpInsecure = mkOption { - description = "enable session cookies for http and remove redirect to https"; - default = false; - type = types.bool; - }; - letsencrypt = mkOption { - description = "Whether or not to use a LetsEncrypt certificate"; 
- default = true; - type = types.bool; - }; - httpAddr = mkOption { - description = "HTTP Listen address"; - default = ":3331"; - type = types.str; - }; - params = mkOption { - description = "Parameters for Subspace binary"; - default = ""; - type = types.str; - }; - proxyPort = mkOption { - description = "Port for managed WireGuard interface"; - default = "53222"; - type = types.str; - }; - }; + }); - config = mkIf cfg.enable { - users.users = optionalAttrs (cfg.user == "subspace") ({ - subspace = { - isSystemUser = true; - group = cfg.group; - # uid = config.ids.uids.subspace; - description = "Subspace WireGuard GUI user"; - home = cfg.dataDir; - }; - }); - - users.groups = optionalAttrs (cfg.group == "subspace") ({ - subspace = { - # gid = config.ids.gids.subspace; - }; - }); - - systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group}" ]; - - systemd.services.subspace = rec { - description = "A simple WireGuard VPN server GUI"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - serviceConfig = { - User = cfg.user; - Group = cfg.group; - - CapabilityBoundingSet = "CAP_NET_ADMIN"; - AmbientCapabilities = "CAP_NET_ADMIN"; - - ReadWritePaths = [ "${cfg.dataDir}" ]; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_NETLINK" - ]; - - RestrictNamespaces = "yes"; - DeviceAllow = "no"; - KeyringMode = "private"; - NoNewPrivileges = "yes"; - NotifyAccess = "none"; - PrivateDevices = "yes"; - PrivateMounts = "yes"; - PrivateTmp = "yes"; - ProtectClock = "yes"; - ProtectControlGroups = "yes"; - ProtectHome = "yes"; - ProtectKernelLogs = "yes"; - ProtectKernelModules = "yes"; - ProtectKernelTunables = "yes"; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - RestrictSUIDSGID = "yes"; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "~@clock" - "~@debug" - "~@module" - "~@mount" - "~@raw-io" - "~@reboot" - "~@swap" - # "~@privileged" - "~@resources" - "~@cpu-emulation" - "~@obsolete" - ]; - 
RestrictRealtime = "yes"; - Delegate = "no"; - LockPersonality = "yes"; - MemoryDenyWriteExecute = "yes"; - RemoveIPC = "yes"; - UMask = "0027"; - ProtectHostname = "yes"; - ProcSubset = "pid"; - - WorkingDirectory = "${cfg.package}/libexec"; - }; - - path = with pkgs; [ wg-bond self.packages.${system}.patchedWGTools iptables bash gawk ]; - - preStart = '' - wg-bond -c ${cfg.dataDir}/wireguard/wg-bond.json conf subspace-root > ${cfg.dataDir}/subspace.conf - wg-quick up ${cfg.dataDir}/subspace.conf - - chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} - chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} - ''; - - postStop = '' - wg-quick down ${cfg.dataDir}/wireguard/subspace.conf - ''; - - script = '' - ${cfg.package}/bin/subspace \ - --http-host="${cfg.httpHost}" \ - --backlink="${cfg.backlink}" \ - --datadir="${cfg.dataDir}" \ - --debug="${if cfg.debug then "true" else "false"}" \ - --http-addr="${cfg.httpAddr}" \ - --http-insecure="${if cfg.httpInsecure then "true" else "false"}" \ - --letsencrypt="${if cfg.letsencrypt then "true" else "false"}" \ - ${cfg.params} - ''; + systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group}" ]; + + systemd.services.subspace = rec { + description = "A simple WireGuard VPN server GUI"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + + CapabilityBoundingSet = "CAP_NET_ADMIN"; + AmbientCapabilities = "CAP_NET_ADMIN"; + + ReadWritePaths = [ "${cfg.dataDir}" ]; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + + RestrictNamespaces = "yes"; + DeviceAllow = "no"; + KeyringMode = "private"; + NoNewPrivileges = "yes"; + NotifyAccess = "none"; + PrivateDevices = "yes"; + PrivateMounts = "yes"; + PrivateTmp = "yes"; + ProtectClock = "yes"; + ProtectControlGroups = "yes"; + ProtectHome = "yes"; + ProtectKernelLogs = "yes"; + ProtectKernelModules = "yes"; + ProtectKernelTunables = "yes"; + ProtectProc = "invisible"; + 
ProtectSystem = "strict"; + RestrictSUIDSGID = "yes"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "~@clock" + "~@debug" + "~@module" + "~@mount" + "~@raw-io" + "~@reboot" + "~@swap" + # "~@privileged" + "~@resources" + "~@cpu-emulation" + "~@obsolete" + ]; + RestrictRealtime = "yes"; + Delegate = "no"; + LockPersonality = "yes"; + MemoryDenyWriteExecute = "yes"; + RemoveIPC = "yes"; + UMask = "0027"; + ProtectHostname = "yes"; + ProcSubset = "pid"; + + WorkingDirectory = "${cfg.package}/libexec"; }; + + path = with pkgs; [ wg-bond self.packages.${system}.wireguard-tools iptables bash gawk ]; + + preStart = '' + wg-bond -c ${cfg.dataDir}/wireguard/wg-bond.json conf subspace-root > ${cfg.dataDir}/subspace.conf + wg-quick up ${cfg.dataDir}/subspace.conf + + chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} + chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} + ''; + + postStop = '' + wg-quick down ${cfg.dataDir}/wireguard/subspace.conf + ''; + + script = '' + ${cfg.package}/bin/subspace \ + --http-host="${cfg.httpHost}" \ + --backlink="${cfg.backlink}" \ + --datadir="${cfg.dataDir}" \ + --debug="${if cfg.debug then "true" else "false"}" \ + --http-addr="${cfg.httpAddr}" \ + --http-insecure="${if cfg.httpInsecure then "true" else "false"}" \ + --letsencrypt="${if cfg.letsencrypt then "true" else "false"}" \ + ${cfg.params} + ''; }; - } - ; - }; + }; + }; + }; } From 917306097a3ff909e2bea6513477ca1165b0ce5f Mon Sep 17 00:00:00 2001 From: Roman Melnikov Date: Fri, 25 Nov 2022 16:21:02 +0800 Subject: [PATCH 20/24] Fix subspace service pre-start script Problem: Subspace fails to start on a fresh server due to lack of some configs and directories. Solution: Create these configs during service pre-start. --- flake.nix | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 669fb506..ef442414 100644 --- a/flake.nix +++ b/flake.nix 
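Review bot: `preStart` writes and brings up `${cfg.dataDir}/subspace.conf`, but `postStop` runs `wg-quick down ${cfg.dataDir}/wireguard/subspace.conf`, a file nothing in this module creates, so the interface is presumably never torn down on stop and the next `wg-quick up` can fail because the interface already exists. The two paths should agree, e.g. `wg-quick down ${cfg.dataDir}/subspace.conf`. Separately, NixOS runs `preStart` under the same `User=`/`Group=` as the service unless told otherwise, so `chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}` presumably only succeeds on files that user already owns; if the intent is to repair ownership of root-created files, that step needs systemd's `ExecStartPre=+...` semantics or a tmpfiles rule (the `d` rule above already sets the directory owner). Worth confirming which of the two behaviours is intended before relying on it.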
@@ -129,6 +129,11 @@ default = "53222"; type = types.str; }; + subnet = mkOption { + description = "Subnet to be used by Subspace VPN"; + default = "10.0.0.0/24"; + type = types.str; + }; }; config = mkIf cfg.enable { @@ -215,8 +220,17 @@ path = with pkgs; [ wg-bond self.packages.${system}.wireguard-tools iptables bash gawk ]; preStart = '' - wg-bond -c ${cfg.dataDir}/wireguard/wg-bond.json conf subspace-root > ${cfg.dataDir}/subspace.conf - wg-quick up ${cfg.dataDir}/subspace.conf + if [[ ! -f ${cfg.dataDir}/wireguard/wg-bond.json ]]; then + mkdir -p ${cfg.dataDir}/wireguard/ + mkdir -p ${cfg.dataDir}/wireguard/clients + mkdir -p ${cfg.dataDir}/wireguard/peers + wg-bond -c ${cfg.dataDir}/wireguard/wg-bond.json init subspace --network "${cfg.subnet}" + wg-bond -c ${cfg.dataDir}/wireguard/wg-bond.json add subspace-root --endpoint ${cfg.httpHost}:${cfg.proxyPort} --center --gateway --masquerade eth0 + fi + if [[ ! -d ${cfg.dataDir}/wireguard/clients ]]; then mkdir -p ${cfg.dataDir}/wireguard/clients; fi + if [[ ! -d ${cfg.dataDir}/wireguard/peers ]]; then mkdir -p ${cfg.dataDir}/wireguard/peers; fi + wg-bond -c ${cfg.dataDir}/wireguard/wg-bond.json conf subspace-root > ${cfg.dataDir}/wireguard/subspace.conf + wg-quick up ${cfg.dataDir}/wireguard/subspace.conf chmod -R u+rwX,g+rX,o-rwx ${cfg.dataDir} chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} From 8ffe097bb75e7ea3434481d5bc65a221b6366449 Mon Sep 17 00:00:00 2001 From: Roman Melnikov Date: Fri, 25 Nov 2022 18:54:17 +0800 Subject: [PATCH 21/24] Don't use 'wg syncconf' Problem: 'wg syncconf' doesn't work as expected and doesn't add routes for new peers. Solution: Restart interface via 'wg-quick' instead. --- cmd/subspace/handlers.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cmd/subspace/handlers.go b/cmd/subspace/handlers.go index 094b7c25..2e395431 100644 --- a/cmd/subspace/handlers.go +++ b/cmd/subspace/handlers.go 
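Review bot: The one-time `wg-bond ... add subspace-root ... --masquerade eth0` line hard-codes the egress interface, so on a host whose uplink is not named `eth0` the generated NAT rules point at a non-existent interface; an option such as `masqueradeInterface = mkOption { default = "eth0"; type = types.str; }` (constructed name) referenced as `--masquerade ${cfg.masqueradeInterface}` keeps that configurable. Because the whole `init`/`add` block is guarded by the absence of `wg-bond.json`, `cfg.subnet`, `cfg.httpHost` and `cfg.proxyPort` only influence the first start and later changes are silently ignored, which the new option's description should state, e.g. `description = "Subnet to be used by Subspace VPN (applied only when wg-bond.json is first created)";`. The two `if [[ ! -d ... ]]; then mkdir -p ...; fi` lines are redundant with `mkdir -p` and can be plain `mkdir -p` calls. The enclosing `preStart` string continues past the hunk.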
@@ -423,7 +423,8 @@ func profileAddHandler(w *Web) { # Syncing configuration wg-bond conf subspace-root > subspace.conf wg-quick strip ./subspace.conf > sync.conf - wg syncconf subspace ./sync.conf + wg-quick down ./subspace.conf + wg-quick up ./subspace.conf ` _, err = bash(script, struct { @@ -610,7 +611,8 @@ func deleteProfile(profile Profile) error { # Syncing configuration wg-bond conf subspace-root > subspace.conf wg-quick strip ./subspace.conf > sync.conf - wg syncconf subspace ./sync.conf + wg-quick down ./subspace.conf + wg-quick up ./subspace.conf ` output, err := bash(script, struct { From d815cad021ab00b6ea16e7dab131b41d1a627949 Mon Sep 17 00:00:00 2001 From: Sergey Gulin Date: Fri, 22 Dec 2023 14:17:23 +0300 Subject: [PATCH 22/24] [Chore] Add systemd unit restart policy Problem: By default, systemd services generated from the NixOS system configuration don't attempt to restart on failure since Restart=no. However, in some cases, running processes can fail for unclear reasons, and the simplest way to bring the failed service back to life is to restart it. Instead, currently, the service will fail and trigger an alert without attempting to restart. Solution: Add default values for startLimitBurst, startLimitIntervalSec, Restart, and RestartSec. --- flake.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/flake.nix b/flake.nix index ef442414..0c92855a 100644 --- a/flake.nix +++ b/flake.nix @@ -160,10 +160,16 @@ wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; + startLimitBurst = mkDefault 5; + startLimitIntervalSec = mkDefault 300; + serviceConfig = { User = cfg.user; Group = cfg.group; + Restart = mkDefault "on-failure"; + RestartSec = mkDefault 10; + CapabilityBoundingSet = "CAP_NET_ADMIN"; AmbientCapabilities = "CAP_NET_ADMIN"; From 85d6bdfb543455762077073ba3961ea63b9d3773 Mon Sep 17 00:00:00 2001 
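Review bot: With `wg syncconf` gone, the `wg-quick strip ./subspace.conf > sync.conf` line in both hunks (profileAddHandler here and deleteProfile below) now only produces an unused file and should be dropped. Replacing the in-place sync with `wg-quick down` followed by `wg-quick up` also interrupts every connected peer on each profile add or delete, and if `down` fails (interface not up yet) whether `up` still runs depends on whether the generated script sets `-e`, which this diff does not show; `wg-quick down ./subspace.conf || true` before `up` makes the restart idempotent either way. Both enclosing functions start and end outside the hunk.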
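Review bot: `Restart = mkDefault "on-failure"` now combines with the module's `preStart`/`postStop` hooks (outside this hunk) that run `wg-quick up`/`wg-quick down`, so each automatic restart presumably recreates the tunnel interface and drops every active peer session, up to `startLimitBurst` times within `startLimitIntervalSec`. That is likely acceptable, but it deserves a comment next to these lines, e.g. `# Each restart re-runs preStart/postStop and therefore recreates the WireGuard interface`. The `systemd.services.subspace` block starts and ends outside the hunk.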
From: Sergey Gulin Date: Wed, 17 Dec 2025 04:19:37 +0300 Subject: [PATCH 23/24] [OPS-1548] Use upstream wg-bond Problem: wg-bond was removed from recent nixpkgs. Solution: Use wg-bond from cab404/wg-bond. --- flake.lock | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++- flake.nix | 11 +++++++---- 2 files changed, 58 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 3fa08630..ba779b9e 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,21 @@ { "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1648199409, + "narHash": "sha256-JwPKdC2PoVBkG6E+eWw3j6BMR6sL3COpYWfif7RVb8Y=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "64a525ee38886ab9028e6f61790de0832aa3ef03", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1644229661, @@ -29,10 +45,44 @@ "type": "indirect" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1644420267, + "narHash": "sha256-rFJuctggkjM412OC6OGPdXogFp7czGDW05ueWqpJbj8=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "98bb5b77c8c6666824a4c13d23befa1e07210ef1", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, "root": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "wg-bond": "wg-bond" + } + }, + "wg-bond": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1702302857, + "narHash": "sha256-4F73ljT+EptSGg5at4ITbSlG4zYy07jOe0Yrxp88xtw=", + "owner": "cab404", + "repo": "wg-bond", + "rev": "a5884e451e4cec38f8c0a7e25d79a66926517274", + "type": "github" + }, + "original": { + "owner": "cab404", + "repo": "wg-bond", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 0c92855a..161f7ddd 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,9 +1,12 @@ { description = "A fork of the simple WireGuard VPN server GUI community maintained "; - inputs.flake-utils.url = "github:numtide/flake-utils"; + inputs = { + flake-utils.url = "github:numtide/flake-utils"; + wg-bond.url = "github:cab404/wg-bond"; + }; - outputs = { self, nixpkgs, flake-utils }: (flake-utils.lib.eachDefaultSystem (system: + outputs = { self, nixpkgs, flake-utils, wg-bond }: (flake-utils.lib.eachDefaultSystem (system: let pkgs = import nixpkgs { inherit system; overlays = [ self.overlay ]; }; in @@ -14,7 +17,7 @@ defaultPackage = self.packages.${system}.subspace; devShell = pkgs.mkShell { - buildInputs = with pkgs; [ self.packages.${system}.wireguard-tools wg-bond go go-bindata ]; + buildInputs = with pkgs; [ self.packages.${system}.wireguard-tools wg-bond.defaultPackage.${system} go go-bindata ]; }; })) // { overlay = final: prev: { @@ -223,7 +226,7 @@ WorkingDirectory = "${cfg.package}/libexec"; }; - path = with pkgs; [ wg-bond self.packages.${system}.wireguard-tools iptables bash gawk ]; + path = with pkgs; [ wg-bond.defaultPackage.${system} self.packages.${system}.wireguard-tools iptables bash gawk ]; preStart = '' if [[ ! -f ${cfg.dataDir}/wireguard/wg-bond.json ]]; then From f2bb094143ab048e6bca3870a9bcf42af54680ae Mon Sep 17 00:00:00 2001 From: Sergey Gulin Date: Mon, 22 Dec 2025 11:09:17 +0300 Subject: [PATCH 24/24] [OPS-1548] Pin compatible wg-bond version Problem: In last commit wg-bond was updated to latest upstream, which is no lonegr compatible with subspace. See https://github.com/subspacecommunity/subspace/pull/222#issuecomment-3676753259 Solution: Pin wg-bond to v0.2.0, which was used until it was removed from nixpkgs. --- flake.lock | 56 ++++++++++++++++++++++++++++-------------------------- flake.nix | 21 +++++++++++++++++--- 2 files changed, 47 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index ba779b9e..08cc833c 100644 --- a/flake.lock +++ b/flake.lock 
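Review bot: `wg-bond.url = "github:cab404/wg-bond"` tracks that repository's default branch, and the input does not declare `wg-bond.inputs.nixpkgs.follows = "nixpkgs";`, so the lock file above now carries a second full nixpkgs (`nixpkgs_2`) solely for this dependency. Adding the `follows` line keeps a single nixpkgs in the closure and keeps lockfile diffs reviewable; pinning the url to a tag or rev makes the update intent explicit rather than relying on whatever the lock happened to capture. The `outputs` function continues past the hunk.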
@@ -1,21 +1,5 @@ { "nodes": { - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1648199409, - "narHash": "sha256-JwPKdC2PoVBkG6E+eWw3j6BMR6sL3COpYWfif7RVb8Y=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "64a525ee38886ab9028e6f61790de0832aa3ef03", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-utils": { "locked": { "lastModified": 1644229661, @@ -47,16 +31,18 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1644420267, - "narHash": "sha256-rFJuctggkjM412OC6OGPdXogFp7czGDW05ueWqpJbj8=", - "owner": "nixos", + "lastModified": 1593718460, + "narHash": "sha256-uuuZjY0i6hJx+wlkAkGvIiBsiRaUsGpl5aN9EDu2Dv0=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "98bb5b77c8c6666824a4c13d23befa1e07210ef1", + "rev": "3b4df94aeb6e215085d08e3d5b0edc1313b9f584", "type": "github" }, "original": { - "id": "nixpkgs", - "type": "indirect" + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" } }, "root": { 
@@ -66,21 +52,37 @@ "wg-bond": "wg-bond" } }, + "utils": { + "locked": { + "lastModified": 1593533949, + "narHash": "sha256-j5OH1uR8Mu/NqYH44+gnPln0eoGNNahxl0qNSYNi0Og=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "400fa6d9af95481440d8d69a6b49de5901936730", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "wg-bond": { "inputs": { - "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_2", + "utils": "utils" }, "locked": { - "lastModified": 1702302857, - "narHash": "sha256-4F73ljT+EptSGg5at4ITbSlG4zYy07jOe0Yrxp88xtw=", + "lastModified": 1596763862, + "narHash": "sha256-HtBxB6J1r2+FcNk56W39Wlbdml9ha6zZx2em4buqYBI=", "owner": "cab404", "repo": "wg-bond", - "rev": "a5884e451e4cec38f8c0a7e25d79a66926517274", + "rev": "cbea75726e05932e51bbc531675ee015ef1c9e62", "type": "github" }, "original": { "owner": "cab404", + "ref": "v0.2.0", "repo": "wg-bond", "type": "github" } diff --git a/flake.nix b/flake.nix index 161f7ddd..69ffa010 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,9 @@ inputs = { flake-utils.url = "github:numtide/flake-utils"; - wg-bond.url = "github:cab404/wg-bond"; + + # Don't update this this input, as newer versions of wg-bond are no longer compatible with subspace + wg-bond.url = "github:cab404/wg-bond/v0.2.0"; }; outputs = { self, nixpkgs, flake-utils, wg-bond }: (flake-utils.lib.eachDefaultSystem (system: 
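Review bot: The added comment repeats a word: `# Don't update this this input, as newer versions of wg-bond are no longer compatible with subspace`; suggest `# Do not update this input: wg-bond releases after v0.2.0 are not compatible with subspace`. Note also that `github:cab404/wg-bond/v0.2.0` names a tag, which upstream can move; the commit-level pin that actually matters is the `rev` recorded in flake.lock, so that lock entry should be kept alongside this change.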
@@ -13,11 +15,24 @@ { packages.subspace = pkgs.subspace; packages.wireguard-tools = pkgs.wireguard-tools; + packages.wg-bond = with pkgs; rustPlatform.buildRustPackage { + pname = "wg-bond"; + version = "0.2.0"; + + src = wg-bond; + + cargoHash = "sha256-Itw3fnKfUW+67KKB2Y7tutGBTm3E8mGNhBL4MOGEn9o="; + + nativeBuildInputs = [ makeWrapper ]; + postInstall = '' + wrapProgram $out/bin/wg-bond --set PATH ${lib.makeBinPath [ wireguard-tools ]} + ''; + }; defaultPackage = self.packages.${system}.subspace; devShell = pkgs.mkShell { - buildInputs = with pkgs; [ self.packages.${system}.wireguard-tools wg-bond.defaultPackage.${system} go go-bindata ]; + buildInputs = with pkgs; [ self.packages.${system}.wireguard-tools self.packages.${system}.wg-bond go go-bindata ]; }; })) // { overlay = final: prev: { @@ -226,7 +241,7 @@ WorkingDirectory = "${cfg.package}/libexec"; }; - path = with pkgs; [ wg-bond.defaultPackage.${system} self.packages.${system}.wireguard-tools iptables bash gawk ]; + path = with pkgs; [ self.packages.${system}.wg-bond self.packages.${system}.wireguard-tools iptables bash gawk ]; preStart = '' if [[ ! -f ${cfg.dataDir}/wireguard/wg-bond.json ]]; then
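Review bot: `wrapProgram $out/bin/wg-bond --set PATH ${lib.makeBinPath [ wireguard-tools ]}` replaces the caller's PATH entirely, so anything wg-bond execs other than `wg` will not be found even though the service's `path` (second hunk) deliberately provides `iptables`, `bash` and `gawk`; `--prefix PATH : ${lib.makeBinPath [ wireguard-tools ]}` keeps the service PATH and only guarantees `wg` is present. For consistency with `subspace` and `wireguard-tools`, which are defined in `overlay` and re-exported through `packages`, `wg-bond` could be built in the overlay as well so consumers of `self.overlay` also get it.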