From 1bcddadb7a19747bb0df970381051585b65992e1 Mon Sep 17 00:00:00 2001 From: Daan Date: Thu, 6 Jun 2024 16:11:49 +0200 Subject: [PATCH] Features tested working, feeling good about a release. --- docker/Dockerfile | 33 ++++++++++++++++++++++++--------- docker/compose.yaml | 2 +- docker/entrypoint.sh | 29 +++++++++++++++++------------ 3 files changed, 42 insertions(+), 22 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 1c5c681..aa75ae0 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -10,6 +10,7 @@ ARG dash_ver="v3.0.6.2" ENV wg_net="10.0.0.1" # wg_net is used functionally as an ARG for its environment variable nature, do not change unless you know what you are doing. +# Following ENV variables are changable on container runtime because /entrypoint.sh handles that. See compose.yaml for more info. ENV tz="Europe/Amsterdam" ENV global_dns="1.1.1.1" ENV enable_wg0="false" 
@@ -17,15 +18,27 @@ ENV isolated_peers="true" ENV public_ip="0.0.0.0" # Doing basic system maintenance. Change the timezone to the desired timezone. -RUN ln -sf /usr/share/zoneinfo/${tz} /etc/localtime \ - && apt-get update \ - && apt-get upgrade -y -# Removing the linux-image package to preserve space on the container. +RUN ln -sf /usr/share/zoneinfo/${tz} /etc/localtime -# Installing needed packages for installation. -RUN apt-get install -y --no-install-recommends git wireguard wireguard-tools python3 python3-pip python3-venv iproute2 openresolv procps iptables curl iputils-ping traceroute \ - && apt remove linux-image-* --autoremove -y \ - && apt-get clean +# Doing package management operations, such as upgrading +RUN apt-get update && apt-get upgrade -y \ + && apt-get install -y --no-install-recommends curl \ + git \ + iproute2 \ + iptables \ + iputils-ping \ + openresolv \ + procps \ + python3 \ + python3-pip \ + python3-venv \ + traceroute \ + wireguard \ + wireguard-tools \ + && apt-get remove linux-image-* --autoremove -y \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* +# Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. ENV WGDASH=/opt/wireguardashboard RUN python3 -m venv ${WGDASH}/venv @@ -41,6 +54,8 @@ RUN . ${WGDASH}/venv/bin/activate \ VOLUME /etc/wireguard # Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency. +# Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006. +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN wg genkey | tee /etc/wireguard/wg0_privatekey \ && echo "[Interface]" > /etc/wireguard/wg0.conf \ && echo "SaveConfig = true" >> /etc/wireguard/wg0.conf \ 
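Review bot: The comment `# Removing the Linux Image package to preserve space on the image, …` is placed below the RUN it explains, while the rest of this Dockerfile puts explanatory comments above the instruction; moving it up and tightening it to `# Remove the kernel image package and the apt lists to keep the image small; run apt-get update before installing packages in a derived image.` reads more clearly. The same RUN also executes `apt-get upgrade -y`, which makes the image contents depend on the build date rather than on a pinned base tag; if reproducible builds matter for this project, dropping the upgrade in favour of a pinned base image is the usual approach, though that may be a deliberate trade-off here.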
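Review bot: `wg genkey | tee /etc/wireguard/wg0_privatekey` writes the server private key both into an image layer and, through tee, to the build log, so every container started from this image shares the same key and anyone with access to the image or the build output can read it; the file is also created under the default umask, so it is most likely readable by any user inside the container. Generating the key without tee and with a restrictive umask, e.g. `umask 077 && wg genkey > /etc/wireguard/wg0_privatekey`, removes the log exposure, and moving key generation to the first container start in entrypoint.sh would give each deployment its own key. Note also that this RUN follows the `VOLUME /etc/wireguard` declaration; with the legacy builder, files written to a declared volume path in later build steps may be discarded, so it is worth confirming that the key and wg0.conf actually survive in the built image.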
@@ -48,7 +63,7 @@ RUN wg genkey | tee /etc/wireguard/wg0_privatekey \ && echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /etc/wireguard/wg0.conf \ && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /etc/wireguard/wg0.conf \ && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /etc/wireguard/wg0.conf \ - && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /etc/wireguard/wg0.conf \ + && echo "PreDown = iptables -t nat -D POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /etc/wireguard/wg0.conf \ && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /etc/wireguard/wg0.conf \ && echo "ListenPort = 51820" >> /etc/wireguard/wg0.conf \ #&& echo "DNS = ${global_dns}" >> /etc/wireguard/wg0.conf \ diff --git a/docker/compose.yaml b/docker/compose.yaml index 7ac31af..5c2a1d9 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml @@ -6,7 +6,7 @@ services: environment: #- tz= # <--- Set container timezone, default: Europe/Amsterdam. #- global_dns= # <--- Set global DNS address, default: 1.1.1.1. - - enable_wg0=true # <--- If true, wg0 will be started on container startup. defaul: + - enable_wg0=true # <--- If true, wg0 will be started on container startup. default: false. - isolated_peers=false # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 2825e61..4024b30 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh 
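Review bot: The new `PreDown` line mixes a rule number with a match specification: `iptables -t nat -D POSTROUTING 1 -s ${wg_net}/24 -o … -j MASQUERADE`. `-D` takes either a rule number or a rule specification; combining both is, to my knowledge, rejected by iptables, and even where it were accepted a delete-by-position removes whatever rule currently sits at slot 1 rather than the MASQUERADE rule PostUp inserted, so the match-only form `PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE` is the safer choice. A failing PreDown hook is a problem in itself, since wg-quick runs with errexit and may abort the teardown before the interface is removed. If the number is dropped here, the matching sed anchor in entrypoint.sh (`/PreDown = iptables -t nat -D POSTROUTING 1 -s/`) has to change with it. Separately, the `$(ip -o -4 route show to default …)` substitution is expanded at build time, so the interface name baked into wg0.conf is the builder's default-route interface rather than the runtime container's — presumably both are eth0, but that assumption deserves a comment.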
@@ -15,21 +15,26 @@ start_core() { # Cleaning out previous data such as the .pid file and starting the WireGuard Dashboard. Making sure to use the python venv. echo "Activating Python venv and executing the WireGuard Dashboard service." - . ${WGDASH}/venv/bin/activate - cd ${WGDASH}/app/src + . "${WGDASH}"/venv/bin/activate + cd "${WGDASH}"/app/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. bash wgd.sh start - echo "${isolated_peers}" + # The following section takes care of the firewall rules regarding the 'isolated_peers' feature, which allows or drops packets destined from the wg0 to the wg0 interface. if [ "${isolated_peers,,}" == "false" ]; then echo "Isolated peers disabled, adjusting." - sed -i '/^.*FORWARD -i wg0 -o wg0 -j DROP.*$/s/^/#/' /etc/wireguard/wg0.conf - elif [ "${isolated_peers,,}" == "true" ]; then + sed -i '/PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP/d' /etc/wireguard/wg0.conf + sed -i '/PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP/d' /etc/wireguard/wg0.conf + elif [ "${isolated_peers,,}" == "true" ] && \ + [ "$(grep -c "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" /etc/wireguard/wg0.conf)" -lt 1 ] && \ + [ "$(grep -c "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" /etc/wireguard/wg0.conf)" -lt 1 ]; then echo "Isolated peers enabled, adjusting." - sed -i 's/^#//' /etc/wireguard/wg0.conf + sed -i '/PostUp = iptables -t nat -I POSTROUTING 1 -s/a PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP' /etc/wireguard/wg0.conf + sed -i '/PreDown = iptables -t nat -D POSTROUTING 1 -s/a PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP' /etc/wireguard/wg0.conf fi + # The following section takes care of if [ "${enable_wg0,,}" == "true" ]; then echo "Preference for wg0 to be turned on found." 
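Review bot: The `elif` only re-adds the two DROP rules when both `grep -c` counts are below 1, so a wg0.conf that contains exactly one of the PostUp/PreDown DROP lines (for example after an interrupted earlier run) is left half-configured; checking and appending each rule independently avoids that, as sketched below. The new comment `# The following section takes care of` at the end of the hunk is unfinished — something like `# The following section brings up wg0 when enable_wg0 is set.` (phrased to match what that block actually does) would complete it. `bash wgd.sh start` is not checked either; `bash wgd.sh start || return` would give it the same treatment as the `cd` above, if skipping the rest of the function on failure is the intended behaviour. start_core begins before this hunk and continues past it.
```shell
  elif [ "${isolated_peers,,}" == "true" ]; then
    echo "Isolated peers enabled, adjusting."
    if ! grep -qF "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" /etc/wireguard/wg0.conf; then
      sed -i '/PostUp = iptables -t nat -I POSTROUTING 1 -s/a PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP' /etc/wireguard/wg0.conf
    fi
    if ! grep -qF "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" /etc/wireguard/wg0.conf; then
      sed -i '/PreDown = iptables -t nat -D POSTROUTING 1 -s/a PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP' /etc/wireguard/wg0.conf
    fi
  fi
```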
@@ -46,15 +51,15 @@ set_envvars() { if [ "${tz}" != "$(cat /etc/timezone)" ]; then echo "Changing timezone." - ln -sf /usr/share/zoneinfo/${tz} /etc/localtime - echo ${tz} > /etc/timezone + ln -sf /usr/share/zoneinfo/"${tz}" /etc/localtime + echo "${tz}" > /etc/timezone fi # Changing the DNS used for clients and the dashboard itself. if [ "${global_dns}" != "$(grep "peer_global_dns = " /opt/wireguardashboard/app/src/wg-dashboard.ini | awk '{print $NF}')" ]; then echo "Changing default dns." - sed -i 's/^DNS = .*/DNS = ${global_dns}/' /etc/wireguard/wg0.conf + #sed -i "s/^DNS = .*/DNS = ${global_dns}/" /etc/wireguard/wg0.conf # Uncomment if you want to have DNS on server-level. sed -i "s/^peer_global_dns = .*/peer_global_dns = ${global_dns}/" /opt/wireguardashboard/app/src/wg-dashboard.ini fi @@ -64,7 +69,7 @@ set_envvars() { echo "Trying to fetch the Public-IP using ifconfig.me: ${default_ip}" sed -i "s/^remote_endpoint = .*/remote_endpoint = ${default_ip}/" /opt/wireguardashboard/app/src/wg-dashboard.ini - elif [ "${public_ip}" != $(grep "remote_endpoint = " /opt/wireguardashboard/app/src/wg-dashboard.ini | awk '{print $NF}') ]; then + elif [ "${public_ip}" != "$(grep "remote_endpoint = " /opt/wireguardashboard/app/src/wg-dashboard.ini | awk '{print $NF}')" ]; then echo "Setting the Public-IP using given variable: ${public_ip}" sed -i "s/^remote_endpoint = .*/remote_endpoint = ${public_ip}/" /opt/wireguardashboard/app/src/wg-dashboard.ini @@ -76,9 +81,9 @@ ensure_blocking() { # This function checks if the latest error log is created and tails it for docker logs uses. if find "/opt/wireguardashboard/app/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then - latestlog=$(ls -t /opt/wireguardashboard/app/src/log/error_*.log | head -n 1) + latestlog=$(find /opt/wireguardashboard/app/src/log -name "error_*.log" | head -n 1) sleep 3s - tail -f ${latestlog} + tail -f "${latestlog}" fi # Blocking command in case of erroring. So the container does not quit.
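Review bot: `sed -i "s/^peer_global_dns = .*/peer_global_dns = ${global_dns}/"` embeds the environment value unescaped into the sed script, so a value containing `/`, `&`, `\` or a newline corrupts the substitution or alters the script; the same applies to `${public_ip}` and `${default_ip}` in the following hunk, and `default_ip` comes from an external service (ifconfig.me), which makes it worth validating before it is written into wg-dashboard.ini. A guard ahead of the sed lines, e.g. `re='^[0-9A-Za-z.:, ]+$'; [[ "${global_dns}" =~ $re ]] || { echo "Refusing invalid global_dns value." >&2; return 1; }`, with the same shape for the two IP values, keeps the config files well-formed. The `ln -sf /usr/share/zoneinfo/"${tz}" /etc/localtime` line would likewise benefit from `[ -e /usr/share/zoneinfo/"${tz}" ]` first, since a mistyped tz otherwise leaves a dangling symlink. In the ensure_blocking hunk further down, replacing `ls -t … | head -n 1` with an unsorted `find … | head -n 1` means `latestlog` is no longer the newest file; `find … -name 'error_*.log' -printf '%T@ %p\n' | sort -rn | head -n 1 | cut -d' ' -f2-` keeps both the quoting fix and the ordering. set_envvars begins before this hunk and continues past it.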