Merge branch 'master' of github.com:Manevolent/lixonet-ee

# Conflicts: # version
2021-09-21 14:54:18 -06:00 · 2021-09-21 14:54:18 -06:00 · 9fa7811e22
commit 9fa7811e22
parent 9e26ec8a3b 0357d14fa4
5 changed files with 160 additions and 28 deletions
--- a/11
+++ b/11
@ -1,13 +1,16 @@
 FROM docker/compose:alpine-1.25.5
 MAINTAINER Team Lixo <lixonet@team.lixo>
-RUN apk add curl git py-pip && pip install netcalc
+RUN apk add gnupg curl git py-pip openssh bash && pip install netcalc
 RUN curl -L "https://github.com/gliderlabs/sigil/releases/download/v0.5.0/sigil_0.5.0_$(uname -sm|tr \  _).tgz" | tar -zxC /usr/local/bin
 RUN adduser -u 431 -g docker -s /sbin/nologin -D lixonet
 VOLUME /etc/lixonet
-WORKDIR /run
+WORKDIR /app
 ADD . .
 RUN chmod +x build.sh
-CMD  ["./build.sh"]
+RUN chown -R lixonet:lixonet /app && chmod -R 700 /app && chmod +x /app/run.sh
 USER lixonet
 CMD  ["/app/run.sh"]
--- a/README.md
+++ b/README.md
@ -4,12 +4,48 @@ This is the semi-official, testing Lixonet EE repository.
 Custom configurations should be supplied in a `lixonet.conf` file in the `name=value` format, such as your subnet.  Additionally, a tinc keypair is also be required.
 # Setup, Installation, and Updating
 #### Prerequisites/Setup:
 1. `eth0` is the **LAN** or **WAN** interface supporting external routing, DNS, etc., and is the **bridged** interface to a router that will statically route the entire desired network subnet (i.e. x.x.0.0/21) through it.  You may also have an `eth1` (and so on, so forth) that you statically configure for your entire, wide subnet (i.e. x.x.0.0/21) if you want to use two physical adapters.  If you do have more than one interface, make sure that `internal_gateway` is set to the router IP address that can route your personal Lixonet subnets, and not your WAN gateway (unless they're the same).
 2. `tun` and `tap` are in `/etc/modules` to load at boot (https://www.cyberciti.biz/faq/linux-how-to-load-a-kernel-module-automatically-at-boot-time/) and the system has been rebooted afterwards.
 3. IPv4 forwarding is on: `sysctl -w net.ipv4.ip_forward=1`
 4. Clone this repository: `git clone <url>`
 5. `mkdir /etc/lixonet/(mesh)/` where `(mesh)` is something like `teamlixo` if you're planning to use `teamlixo.mesh`.
 6. Fill out `/etc/lixonet/(mesh)/lixonet.conf` (see: **Configuration options**)
 7. Supply `/etc/lixonet/(mesh)/tinc.key` (see: **Generating keypairs for tinc**)
 8. Supply `/etc/lixonet/id_rsa` and `/etc/lixonet/(mesh)/id_rsa` for each mesh you'll be connected to (see: **Generating SSH keys**). Remember each id_rsa is unique!
 9. Supply `/etc/lixonet/known_hosts` (see: **Setting `known_hosts`**)
 **Generating keypairs for tinc (`tinc.key`)**:
 Source: https://www.tinc-vpn.org/documentation/Generating-keypairs.html
 Run: `tincd -n lixonet -K`
 **Generating SSH keys (`id_rsa`)**:
 1. I recommend PuTTYgen (https://www.puttygen.com/) on Windows, ssh-genkey on Linux.
 2. Generate at least **two** keys.  One will be for `lixonet-ee`, one will be for whichever repositories you're a part of (i.e. `teamlixo.mesh`).
 3. Share the public keys (starting with something like `ssh-rsa`) with the repository owner(s) listed below so they can add a "Deploy key" to the repository for you.
 **Setting `known_hosts`**
 For GitHub, at this time the contents would be:
 ```
 |1|hW/UPBCtfR0M/2GejxakBvoqGNY=|DXk4SRaJXzawNdHyBe9mrxvWYvk= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
 ```
 Don't take my word for it, see: https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
 #### Install/Update:
 1. Read and follow the prerequisites above and make sure you are ready to install.
 2. Clone or navigate to a cloned repository folder you already have.
 3. Run `chmod +x install.sh && ./install.sh`
 4. Enjoy!
 # Configuration options
 #### Location
@ -146,22 +182,3 @@ These settings are optional, and are already defaulted to general network common
 * `bind_forward_address`: The overridden DNS server IP address to forward all requests for your own domain to.  Defaults to the value of `internal_gateway`, which is proper in most if not all cases.  Your BIND zone is automatically converted from your `tinc_peer_name` (i.e. `lkwco_mane_lixo` becomes `lkwco.mane.lixo`).
 * `tld`: The network-wide TLD to use.  Defaults to `lixo`.
 # Setup, Installation, and Updating
 #### Prerequisites/Setup:
 1. `eth0` is the **LAN** or **WAN** interface supporting external routing, DNS, etc., and is the **bridged** interface to a router that will statically route the entire desired network subnet (i.e. x.x.0.0/21) through it.  You may also have an `eth1` (and so on, so forth) that you statically configure for your entire, wide subnet (i.e. x.x.0.0/21) if you want to use two physical adapters.  If you do have more than one interface, make sure that `internal_gateway` is set to the router IP address that can route your personal Lixonet subnets, and not your WAN gateway (unless they're the same).
 2. `tun` and `tap` are in `/etc/modules` to load at boot (https://www.cyberciti.biz/faq/linux-how-to-load-a-kernel-module-automatically-at-boot-time/) and the system has been rebooted afterwards.
 3. IPv4 forwarding is on: `sysctl -w net.ipv4.ip_forward=1`
 4. Clone this repository: `git clone <url>`
 5. `mkdir /etc/lixonet/(mesh)/`
 6. Fill out `/etc/lixonet/(mesh)lixonet.conf` (see: **Configuration options**)
 7. Supply `/etc/lixonet/(mesh)/tinc.key`
 #### Install/Update:
 You should **no longer** need to run `build.sh` directly.  Instead, use a "self-configuring" Docker container to make your life easier.
 1. Clone or navigate to a cloned repository folder you already have.
 2. Run `git clean -f -d && git reset --hard && git pull origin master && docker build -t lixonet-ee . && docker run --rm -it -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /var/run/docker.sock:/var/run/docker.sock lixonet-ee`
--- a/build.sh
+++ b/build.sh
@ -1,9 +1,15 @@
 #!/bin/ash
 # https://stackoverflow.com/questions/3474526/stop-on-first-error
 # http://web.archive.org/web/20110314180918/http://www.davidpashley.com/articles/writing-robust-shell-scripts.html
 set +e
 process_template ( ) {
    processed_filename=$(dirname $1)/$(basename $1 .tmpl)
    echo "Processing template $1 -> $processed_filename"
 	set -e
    sh -c "sigil -f $1 -p $2 > $processed_filename"
 	set +e
    rm $1
 }
@ -41,7 +47,7 @@ do
    # Clone and copy the repository
    rm -rf "$(basename "$git" .git)"
-    git clone $git || { echo "clone $git failed, quitting" ; exit 1; }
+    GIT_SSH_COMMAND="ssh -i /etc/lixonet/${netname}/id_rsa -o IdentitiesOnly=yes" git clone $git || { echo "clone $git failed, quitting" ; exit 1; }
    echo "Creating work directory..."
    rm -rf work
    mkdir --verbose work
@ -60,6 +66,7 @@ do
    # Tinc
    #  Remove existing configuration
    rm -v -rf /etc/tinc/$netname/*
    #  Copy all tinc default files to /etc/(tinc)
    find tinc -type d | sed -e "s@tinc@tinc/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
    find tinc -type f | sed -e "s@tinc/@@g" | xargs -I '{}' cp --verbose tinc/{} /etc/tinc/$netname/{}
@ -71,10 +78,7 @@ do
    #  Copy private key
    cp /etc/lixonet/$netname/tinc.key /etc/tinc/$netname/rsa_key.priv
    #  Set permissions for tinc scripts
-    chmod +x /etc/tinc/$netname/tinc-up
+    chmod +x /etc/tinc/$netname/tinc-up /etc/tinc/$netname/tinc-down /etc/tinc/$netname/subnet-up /etc/tinc/$netname/subnet-down
    chmod +x /etc/tinc/$netname/tinc-down
    chmod +x /etc/tinc/$netname/subnet-up
    chmod +x /etc/tinc/$netname/subnet-down
    # Bird
    #  Remove existing configuration
@ -105,8 +109,12 @@ do
    echo $sigil_vars | tr ' ' '\n' > .env
    cat docker-compose.yml
 	set -e
    docker-compose -p $netname down
    docker-compose -p $netname up -d --build --remove-orphans
 	set +e
    rm .env
    # Pop directory
--- a/install.sh
+++ b/install.sh
@ -0,0 +1,47 @@
 #!/bin/ash
 # See: Dockerfile
 UID=431
 GID=431
 # Grab origin
 ORIGIN=`git remote get-url origin`
 echo "Setting access to /var/run/docker.sock."
 chown -v $UID:$GID /var/run/docker.sock
 echo "Setting read access to /etc/lixonet/."
 chown -R $UID:$GID /etc/lixonet/
 chmod -R 440 /etc/lixonet/
 chmod -R a+X /etc/lixonet/
 echo "Setting write access to service directories."
 mkdir /etc/bind
 chown -R $UID:$GID /etc/bind/
 chmod -R 660 /etc/bind/
 chmod -R a+X /etc/bind/
 mkdir /etc/bird
 chown -R $UID:$GID /etc/bird/
 chmod -R 660 /etc/bird/
 chmod -R a+X /etc/bird/
 mkdir /etc/tinc
 chown -R $UID:$GID /etc/tinc/
 chmod -R 660 /etc/tinc/
 chmod -R a+X /etc/tinc/
 echo "Setting exclusive read access to SSH keys."
 chmod -v 400 /etc/lixonet/id_rsa
 chmod -v 400 /etc/lixonet/*/id_rsa
 chmod -v 400 /etc/lixonet/known_hosts
 stat /etc/lixonet/id_rsa
 stat /etc/lixonet/*/id_rsa
 stat /etc/lixonet/known_hosts
 echo "Enabling write access to /etc/lixonet/version."
 touch /etc/lixonet/version
 chmod 660 /etc/lixonet/version
 stat /etc/lixonet/version
 docker build -t lixonet-ee . && docker run --restart always -d -e DOCKER_HOST=unix:///var/run/docker.sock -e GIT_URL=$ORIGIN -v /var/run/docker.sock:/var/run/docker.sock -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /etc/lixonet/known_hosts:/home/lixonet/.ssh/known_hosts -v /etc/lixonet/id_rsa:/home/lixonet/.ssh/id_rsa lixonet-ee
--- a/run.sh
+++ b/run.sh
@ -0,0 +1,57 @@
 #!/bin/bash
 delay=900
 version_file=/etc/lixonet/version
 log=/app/log/lixonet.log
 mkdir /app/log
 while true
 do
  (
      set +e
      current_version=`cat $version_file || echo 0`
 	  gpg --import <trusted_signers >> $log 2>&1
 	  (echo 5; echo y; echo save) | gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(gpg --list-packets <trusted_signers | awk '$1=="keyid:"{print$2;exit}')" trust >> $log 2>&1
 	  if [ $? -ne 0 ]; then
 		echo "GPG import from trusted_signers failed. For more details, see $log"
 		sleep $delay
 		continue
 	  fi
 	  git fetch $GIT_URL >> $log 2>&1
 	  if [ $? -ne 0 ]; then
 		echo "Git fetch from $GIT_URL failed. For more details, see $log"
 		sleep $delay
 		continue
 	  fi
 	  latest_commit=`git log "--format=%G? %H" | grep ^G | head -n 1 | cut -d' ' -f2`
 	  if test -z $latest_commit; then
 		sleep $delay
 		continue
 	  fi
 	  git reset --hard >> $log 2>&1
 	  git checkout $latest_commit >> $log 2>&1
 	  if [ $? -ne 0 ]; then
 		echo "Git checkout failed. For more details, see $log"
 		sleep $delay
 		continue
 	  fi
 	  checkout_version=`cat version`
 	  if [ "$checkout_version" -gt "$current_version" ]; then
 		echo "Updating to version $checkout_version..."
 		chmod +x build.sh && ./build.sh >> $log 2>&1
 		if [ $? -eq 0 ]; then
 			echo "Update completed successfully."
 			echo $checkout_version > $version_file
 		else
 			echo "Update failed; version was not updated. Trying again in $delay seconds. For more details, see $log"
 			continue
 		fi
 	  fi
  )
  sleep $delay
 done