forked from subspacecloud/subspace
-
Notifications
You must be signed in to change notification settings - Fork 4
/
entrypoint.sh
206 lines (170 loc) · 6.26 KB
/
entrypoint.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
#!/usr/bin/env sh
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
# Require environment variables.
if [ -z "${SUBSPACE_HTTP_HOST-}" ]; then
echo "Environment variable SUBSPACE_HTTP_HOST required. Exiting."
exit 1
fi
# Optional environment variables.
if [ -z "${SUBSPACE_BACKLINK-}" ]; then
export SUBSPACE_BACKLINK=""
fi
if [ -z "${SUBSPACE_THEME-}" ]; then
export SUBSPACE_THEME=""
fi
if [ -z "${SUBSPACE_IPV4_POOL-}" ]; then
export SUBSPACE_IPV4_POOL="10.99.97.0/24"
fi
if [ -z "${SUBSPACE_IPV6_POOL-}" ]; then
export SUBSPACE_IPV6_POOL="fd00::10:97:0/112"
fi
if [ -z "${SUBSPACE_NAMESERVER-}" ]; then
export SUBSPACE_NAMESERVER="1.1.1.1"
fi
if [ -z "${SUBSPACE_LETSENCRYPT-}" ]; then
export SUBSPACE_LETSENCRYPT="true"
fi
if [ -z "${SUBSPACE_HTTP_ADDR-}" ]; then
export SUBSPACE_HTTP_ADDR=":80"
fi
if [ -z "${SUBSPACE_LISTENPORT-}" ]; then
export SUBSPACE_LISTENPORT="51820"
fi
if [ -z "${SUBSPACE_HTTP_INSECURE-}" ]; then
export SUBSPACE_HTTP_INSECURE="false"
fi
export DEBIAN_FRONTEND="noninteractive"
if [ -z "${SUBSPACE_IPV4_GW-}" ]; then
export SUBSPACE_IPV4_PREF=$(echo ${SUBSPACE_IPV4_POOL-} | cut -d '/' -f1 | sed 's/.0$/./g')
export SUBSPACE_IPV4_GW=$(echo ${SUBSPACE_IPV4_PREF-}1)
fi
if [ -z "${SUBSPACE_IPV6_GW-}" ]; then
export SUBSPACE_IPV6_PREF=$(echo ${SUBSPACE_IPV6_POOL-} | cut -d '/' -f1 | sed 's/:0$/:/g')
export SUBSPACE_IPV6_GW=$(echo ${SUBSPACE_IPV6_PREF-}1)
fi
if [ -z "${SUBSPACE_IPV6_NAT_ENABLED-}" ]; then
export SUBSPACE_IPV6_NAT_ENABLED=1
fi
# Set DNS server
echo "nameserver ${SUBSPACE_NAMESERVER}" >/etc/resolv.conf
if [ -z "${SUBSPACE_DISABLE_MASQUERADE-}" ]; then
# IPv4
if ! /sbin/iptables -t nat --check POSTROUTING -s ${SUBSPACE_IPV4_POOL} -j MASQUERADE; then
/sbin/iptables -t nat --append POSTROUTING -s ${SUBSPACE_IPV4_POOL} -j MASQUERADE
fi
if ! /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; then
/sbin/iptables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
if ! /sbin/iptables --check FORWARD -s ${SUBSPACE_IPV4_POOL} -j ACCEPT; then
/sbin/iptables --append FORWARD -s ${SUBSPACE_IPV4_POOL} -j ACCEPT
fi
if [[ ${SUBSPACE_IPV6_NAT_ENABLED-} -gt 0 ]]; then
# IPv6
if ! /sbin/ip6tables -t nat --check POSTROUTING -s ${SUBSPACE_IPV6_POOL} -j MASQUERADE; then
/sbin/ip6tables -t nat --append POSTROUTING -s ${SUBSPACE_IPV6_POOL} -j MASQUERADE
fi
if ! /sbin/ip6tables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; then
/sbin/ip6tables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
if ! /sbin/ip6tables --check FORWARD -s ${SUBSPACE_IPV6_POOL} -j ACCEPT; then
/sbin/ip6tables --append FORWARD -s ${SUBSPACE_IPV6_POOL} -j ACCEPT
fi
fi
fi
# ipv4 - DNS Leak Protection
if ! /sbin/iptables -t nat --check OUTPUT -s ${SUBSPACE_IPV4_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53; then
/sbin/iptables -t nat --append OUTPUT -s ${SUBSPACE_IPV4_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53
fi
if ! /sbin/iptables -t nat --check OUTPUT -s ${SUBSPACE_IPV4_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53; then
/sbin/iptables -t nat --append OUTPUT -s ${SUBSPACE_IPV4_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV4_GW}:53
fi
# ipv6 - DNS Leak Protection
if ! /sbin/ip6tables --wait -t nat --check OUTPUT -s ${SUBSPACE_IPV6_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW}; then
/sbin/ip6tables --wait -t nat --append OUTPUT -s ${SUBSPACE_IPV6_POOL} -p udp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW}
fi
if ! /sbin/ip6tables --wait -t nat --check OUTPUT -s ${SUBSPACE_IPV6_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW}; then
/sbin/ip6tables --wait -t nat --append OUTPUT -s ${SUBSPACE_IPV6_POOL} -p tcp --dport 53 -j DNAT --to ${SUBSPACE_IPV6_GW}
fi
#
# WireGuard (${SUBSPACE_IPV4_POOL})
#
if ! test -d /data/wireguard; then
mkdir /data/wireguard
cd /data/wireguard
mkdir clients
mkdir clients/null
touch clients/null/null.conf # So you can cat *.conf safely
mkdir peers
mkdir peers/null
touch peers/null/null.conf # So you can cat *.conf safely
mkdir server
mkdir config
# Generate public/private server keys.
wg genkey | tee server/server.private | wg pubkey > server/server.public
fi
cat <<WGSERVER >/data/wireguard/server/server.conf
[Interface]
PrivateKey = $(cat /data/wireguard/server/server.private)
ListenPort = ${SUBSPACE_LISTENPORT}
WGSERVER
cat /data/wireguard/peers/*/*.conf >>/data/wireguard/server/server.conf
if ip link show wg0 2>/dev/null; then
ip link del wg0
fi
ip link add wg0 type wireguard
export SUBSPACE_IPV4_CIDR=$(echo ${SUBSPACE_IPV4_POOL-} | cut -d '/' -f2)
ip addr add ${SUBSPACE_IPV4_GW}/${SUBSPACE_IPV4_CIDR} dev wg0
export SUBSPACE_IPV6_CIDR=$(echo ${SUBSPACE_IPV6_POOL-} | cut -d '/' -f2)
ip addr add ${SUBSPACE_IPV6_GW}/${SUBSPACE_IPV6_CIDR} dev wg0
wg setconf wg0 /data/wireguard/server/server.conf
ip link set wg0 up
# dnsmasq service
if ! test -d /etc/service/dnsmasq; then
cat <<DNSMASQ >/etc/dnsmasq.conf
# Only listen on necessary addresses.
listen-address=127.0.0.1,${SUBSPACE_IPV4_GW},${SUBSPACE_IPV6_GW}
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
DNSMASQ
mkdir -p /etc/service/dnsmasq
cat <<RUNIT >/etc/service/dnsmasq/run
#!/bin/sh
exec /usr/sbin/dnsmasq --no-daemon
RUNIT
chmod +x /etc/service/dnsmasq/run
# dnsmasq service log
mkdir -p /etc/service/dnsmasq/log/main
cat <<RUNIT >/etc/service/dnsmasq/log/run
#!/bin/sh
exec svlogd -tt ./main
RUNIT
chmod +x /etc/service/dnsmasq/log/run
fi
# subspace service
if ! test -d /etc/service/subspace; then
mkdir /etc/service/subspace
cat <<RUNIT >/etc/service/subspace/run
#!/bin/sh
exec /usr/bin/subspace \
"--http-host=${SUBSPACE_HTTP_HOST}" \
"--http-addr=${SUBSPACE_HTTP_ADDR}" \
"--http-insecure=${SUBSPACE_HTTP_INSECURE}" \
"--backlink=${SUBSPACE_BACKLINK}" \
"--letsencrypt=${SUBSPACE_LETSENCRYPT}" \
"--theme=${SUBSPACE_THEME}"
RUNIT
chmod +x /etc/service/subspace/run
# subspace service log
mkdir -p /etc/service/subspace/log/main
cat <<RUNIT >/etc/service/subspace/log/run
#!/bin/sh
exec svlogd -tt ./main
RUNIT
chmod +x /etc/service/subspace/log/run
fi
exec $@