From 68eede42b289488522eb09ec915f79fe46ebfc3c Mon Sep 17 00:00:00 2001
From: chapeau
Date: Thu, 4 Jul 2024 14:43:27 +0200
Subject: [PATCH] Add docker
---
 .dockerignore | 2 ++
 config.toml | 32 ---------------------------
 config/config.toml | 15 +++++++++++++
 docker-compose.yml | 51 ++++++++++++++++++++++++++++++++++++++++++++
 docker/Dockerfile | 8 +++++++
 docker/entrypoint.sh | 5 +++++
 load.py | 29 +++++++++++++------------
 poetry.lock | 23 ++++++--------------
 pyproject.toml | 4 ++--
 9 files changed, 104 insertions(+), 65 deletions(-)
 create mode 100644 .dockerignore
 delete mode 100644 config.toml
 create mode 100644 config/config.toml
 create mode 100644 docker-compose.yml
 create mode 100644 docker/Dockerfile
 create mode 100755 docker/entrypoint.sh
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..31a196d
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+config
+wg-pn.conf
\ No newline at end of file
diff --git a/config.toml b/config.toml
deleted file mode 100644
index 5101653..0000000
--- a/config.toml
+++ /dev/null
@@ -1,32 +0,0 @@
-local = "net1"
-
-
-[network.net1]
-local_range = "192.168.1.0/30"
-local_translated_range = "192.168.51.0/30"
-
-private_key = "priv"
-public_key = "pub"
-listen_port = 51820
-wireguard_address = "172.16.0.1/24"
-endpoint = "1.2.3.4:51820"
-
-[network.net2]
-local_range = "192.168.1.0/30"
-local_translated_range = "192.168.64.0/30"
-
-private_key = "priv2"
-public_key = "pub2"
-listen_port = 51820
-wireguard_address = "172.16.0.2/24"
-endpoint = "1.2.3.5:51820"
-
-[network.net3]
-local_range = "192.168.1.0/30"
-local_translated_range = "192.168.128.0/30"
-untranslated_networks = "10.255.0.0/24"
-
-private_key = "priv3"
-public_key = "pub3"
-listen_port = 51820
-wireguard_address = "172.16.0.3/24"
\ No newline at end of file
diff --git a/config/config.toml b/config/config.toml
new file mode 100644
index 0000000..74142fb
--- /dev/null
+++ b/config/config.toml
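Review bot: `.git` is not excluded here, and neither is `docker-compose.yml`, so the Dockerfile's `COPY . /code/` copies the repository history and the compose file — which carries the two WireGuard `PRIVATE_KEY=` values in plaintext — into every image built from this context. Add `.git` and `docker-compose.yml` to this file so the image only contains what the entrypoint needs. Excluding `config` is right, since the config is bind-mounted at runtime, but it is worth a one-line comment in the file saying so, `# config is bind-mounted by docker-compose, wg-pn.conf is generated at start`.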
@@ -0,0 +1,15 @@
+[network.net1]
+local_range = "172.20.1.0/24"
+local_translated_range = "172.21.1.0/24"
+
+public_key = "N2LlL0Ievsjv/ea/VDpJcivYL6hfYxdcD3W54kmjaEU="
+wireguard_address = "10.0.0.1/24"
+endpoint = "172.20.0.11:51820"
+
+[network.net2]
+local_range = "172.20.2.0/24"
+local_translated_range = "172.22.1.0/24"
+
+public_key = "cisk8cRCQZaOxn6VaFVnpCYsamBp9iVLvhs4DtmnjS4="
+wireguard_address = "10.0.0.2/24"
+endpoint = "172.20.0.12:51820"
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..f205429
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,51 @@
+services:
+ polyculenetwork1:
+ build:
+ context: .
+ dockerfile: ./docker/Dockerfile
+ container_name: polyculenetwork1
+ volumes:
+ - "./config/config.toml:/config.toml"
+ environment:
+ - LOCAL_NETWORK=net1
+ - PRIVATE_KEY=YLxXnAcelMMkanrdSHuci9ZSJyKQpRn7PdJK96IllV4=
+ - LISTEN_PORT=51820
+ cap_add:
+ - NET_ADMIN
+ networks:
+ net1:
+ ipv4_address: 172.20.1.11
+ internet:
+ ipv4_address: 172.20.0.11
+
+ polyculenetwork2:
+ build:
+ context: .
+ dockerfile: ./docker/Dockerfile
+ container_name: polyculenetwork2
+ volumes:
+ - "./config/config.toml:/config.toml"
+ environment:
+ - LOCAL_NETWORK=net2
+ - PRIVATE_KEY=OCllQNCxX5DxcJSEsjkvsWCry1FOnWe+aCupwEByFmk=
+ cap_add:
+ - NET_ADMIN
+ networks:
+ net2:
+ ipv4_address: 172.20.2.12
+ internet:
+ ipv4_address: 172.20.0.12
+
+networks:
+ net1:
+ ipam:
+ config:
+ - subnet: 172.20.1.0/24
+ net2:
+ ipam:
+ config:
+ - subnet: 172.20.2.0/24
+ internet:
+ ipam:
+ config:
+ - subnet: 172.20.0.0/24
\ No newline at end of file
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..5f97f31
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,8 @@
+FROM python:3.11-alpine
+ENV PYTHONUNBUFFERED=1
+RUN pip install poetry
+RUN apk add nftables wireguard-tools
+WORKDIR /code
+COPY . /code/
+RUN poetry install
+CMD docker/entrypoint.sh
\ No newline at end of file
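Review bot: The `PRIVATE_KEY=` entries under `environment:` in both services put WireGuard private keys in plaintext into a file that is committed to the repository, and Compose additionally exposes environment values through `docker inspect` and to every process in the container. Since the commit already moved these keys out of `config/config.toml`, finish the move by reading them from an untracked file: `- PRIVATE_KEY=${NET1_PRIVATE_KEY}` (and `NET2_PRIVATE_KEY` for the second service) with the values in a `.env` that is listed in `.gitignore` and `.dockerignore`, or `env_file:` per service. If these are throwaway lab keys, a comment next to them saying so, `# lab-only keys, regenerate with wg genkey before any real deployment`, stops the file being reused as a template. `LISTEN_PORT` is set only for `polyculenetwork1`; the second service relies on the `"51820"` default in `load.py`, which is fine but worth stating in a comment so the asymmetry does not look like an omission.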
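Review bot: `RUN pip install poetry` installs whatever Poetry version is current at build time, while the lockfile hunk in this same commit is written by Poetry 1.8.3; pin it, `RUN pip install "poetry==1.8.3"`, so the resolver that reads `poetry.lock` is the one that wrote it. `COPY . /code/` comes before `RUN poetry install`, so every source edit invalidates the dependency layer and re-downloads packages; copying `pyproject.toml` and `poetry.lock` first and the rest of the tree afterwards keeps that layer cached. `apk add` without `--no-cache` leaves the package index in the image, and `CMD docker/entrypoint.sh` in shell form runs the script under `/bin/sh -c`, so it is not PID 1 and does not receive the container's stop signal — the exec form `CMD ["docker/entrypoint.sh"]` fixes that.
```dockerfile
RUN pip install "poetry==1.8.3"
RUN apk add --no-cache nftables wireguard-tools
WORKDIR /code
COPY pyproject.toml poetry.lock /code/
RUN poetry install
COPY . /code/
CMD ["docker/entrypoint.sh"]
```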
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100755
index 0000000..a373d72
--- /dev/null
+++ b/docker/entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+poetry run python load.py
+wg-quick up ./wg-pn.conf
+sleep infinity
\ No newline at end of file
diff --git a/load.py b/load.py
index 5bfb2e0..da8c99b 100644
--- a/load.py
+++ b/load.py
@@ -20,7 +20,7 @@ import tomllib import jinja2 -dry_run = True +dry_run = False if dry_run: run = print else:
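Review bot: Nothing in this script stops on failure: if `poetry run python load.py` exits non-zero (unset `LOCAL_NETWORK`, unreadable `/config.toml`, `nft` rejecting a rule) the script still runs `wg-quick up ./wg-pn.conf` against a missing or stale file, and `sleep infinity` then keeps the container up and apparently healthy. Add `set -eu` directly under the shebang so the first failing step terminates the container and the error lands in `docker logs`. `sleep infinity` as the foreground process also never runs `wg-quick down`, so the interface and its nftables state are dropped by container teardown rather than cleanly; a `trap 'wg-quick down ./wg-pn.conf; exit 0' TERM INT` with the sleep backgrounded and `wait`ed is the usual shape if clean shutdown matters here.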
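Review bot: `dry_run = False` is now hard-coded, so running `load.py` outside the container — where it previously only printed the commands — immediately executes the `nft` and file-writing steps; since this commit moves the other settings into the environment, read this one the same way, `dry_run = os.environ.get('DRY_RUN', '0') == '1'`, and set `DRY_RUN=0` in the compose file. The hunk shows `import tomllib` and `import jinja2` but no `import os`, and the diff adds none in any hunk; if `os` is not imported above line 20 (outside this hunk), every `os.environ.get` call introduced in the later hunks raises `NameError` — please confirm the import exists.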
@@ -32,27 +32,27 @@ def load_config(path): return data def load_firewall(): - data = load_config("config.toml") + data = load_config("/config.toml") - run("sudo nft -f templates/rules.nft") + run("nft -f templates/rules.nft") networks = data["network"].keys() - local_network = data["local"] + local_network = os.environ.get('LOCAL_NETWORK') remote_networks = list(filter(lambda k: k != local_network, networks)) local_range = str(ipaddress.IPv4Network(data["network"][local_network]["local_range"])) local_translated_range = str(ipaddress.IPv4Network(data["network"][local_network]["local_translated_range"])) remote_ranges = [str(ipaddress.IPv4Network(data["network"][net]["local_translated_range"])) for net in remote_networks] - run(f"sudo nft add element ip filter local_range {{ {local_range} }}") - run(f"sudo nft add element ip filter local_translated_range {{ {local_translated_range} }}") + run(f"nft add element ip filter local_range {{ {local_range} }}") + run(f"nft add element ip filter local_translated_range {{ {local_translated_range} }}") for net in remote_ranges: - run(f"sudo nft add element ip filter remote_range {{ {net} }}") + run(f"nft add element ip filter remote_range {{ {net} }}") for (loc, trans) in zip(ipaddress.IPv4Network(local_range), ipaddress.IPv4Network(local_translated_range)): - run(f"sudo nft add element ip filter ip_map_dnat {{ {loc} : {trans} }}") - run(f"sudo nft add element ip filter ip_map_dnat {{ {trans} : {loc} }}") + run(f"nft add element ip filter ip_map_snat {{ {loc} : {trans} }}") + run(f"nft add element ip filter ip_map_dnat {{ {trans} : {loc} }}") def load_wireguard(): @@ -63,9 +63,9 @@ def load_wireguard(): peers = [] - data = load_config("config.toml") + data = load_config("/config.toml") networks = data["network"].keys() - local_network = data["local"] + local_network = os.environ.get('LOCAL_NETWORK') remote_networks = list(filter(lambda k: k != local_network, networks)) for net in remote_networks: peer = { 
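Review bot: `local_network = os.environ.get('LOCAL_NETWORK')` returns `None` when the variable is unset, so the next line, `data["network"][local_network]["local_range"]`, fails with `KeyError: None`, and a value that is set but is not a section of the config fails just as opaquely; the same lookup is repeated in the `load_wireguard` hunk (`@@ -63,9 +63,9 @@`). Fail fast with a message that names the variable: `local_network = os.environ["LOCAL_NETWORK"]` followed by `if local_network not in data["network"]: raise SystemExit(f"LOCAL_NETWORK={local_network!r} is not a [network.*] section")`. The change of the first map line from `ip_map_dnat` to `ip_map_snat` is not explained in the commit message; a one-line comment stating which direction each of the two map lines feeds would save the next reader a trip to `templates/rules.nft`.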
@@ -88,10 +88,11 @@ def load_wireguard(): with open("wg-pn.conf", "w") as f: f.write(template.render( - private_key=data["network"][local_network]["private_key"], - listen_port=data["network"][local_network]["listen_port"], + private_key=os.environ.get('PRIVATE_KEY'), + listen_port=os.environ.get('LISTEN_PORT', "51820"), wireguard_address=data["network"][local_network]["wireguard_address"], peers=peers )) -load_firewall() \ No newline at end of file +load_firewall() +load_wireguard() \ No newline at end of file
diff --git a/poetry.lock b/poetry.lock
index d98f21a..fd4fcea 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,14 +1,14 @@ -# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand. [[package]] name = "jinja2" -version = "3.1.3" +version = "3.1.4" description = "A very fast and expressive template engine." optional = false python-versions = ">=3.7" files = [ - {file = "Jinja2-3.1.3-py3-none-any.whl", hash = "sha256:7d6d50dd97d52cbc355597bd845fabfbac3f551e1f99619e39a35ce8c370b5fa"}, - {file = "Jinja2-3.1.3.tar.gz", hash = "sha256:ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90"}, + {file = "jinja2-3.1.4-py3-none-any.whl", hash = "sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d"}, + {file = "jinja2-3.1.4.tar.gz", hash = "sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369"}, ] [package.dependencies]
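Review bot: `private_key=os.environ.get('PRIVATE_KEY')` renders the literal `None` into `wg-pn.conf` when the variable is missing, so the failure only surfaces later as a `wg-quick` parse error instead of here; use `os.environ["PRIVATE_KEY"]` so a missing key aborts `load.py` with the variable's name. The rendered file now carries the private key, and the `with open("wg-pn.conf", "w") as f:` context line in this hunk creates it with the process umask, which in a default container is 022 and yields a world-readable file; set `os.umask(0o077)` before the `open`, or create it via `os.open("wg-pn.conf", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`. `listen_port` arrives as a string with a `"51820"` default where the TOML previously supplied an integer; that is fine if the template only interpolates it, but a comment saying so would pre-empt the question.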
@@ -86,18 +86,7 @@ files = [ {file = "MarkupSafe-2.1.5.tar.gz", hash = "sha256:d283d37a890ba4c1ae73ffadf8046435c76e7bc2247bbb63c00bd1a709c6544b"}, ] -[[package]] -name = "toml" -version = "0.10.2" -description = "Python Library for Tom's Obvious, Minimal Language" -optional = false -python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*" -files = [ - {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"}, - {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"}, -] - [metadata] lock-version = "2.0" -python-versions = "^3.9" -content-hash = "da9d08994a725c881cc7a63ecde92b65151defd09f826417f8d27b15d9cd97d7" +python-versions = "^3.11" +content-hash = "c3237c8f339183364bdecaf2f59aee1f02a0099374326b5e0b314c04c07d8448"
diff --git a/pyproject.toml b/pyproject.toml
index f9ca24f..5b3542f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,9 +7,9 @@ readme = "README.md" package-mode = false [tool.poetry.dependencies] -python = "^3.9" +python = "^3.11" Jinja2 = "^3.1.3" -toml = "^0.10.2" +# toml = "^0.10.2" [build-system] requires = ["poetry-core"]
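Review bot: `# toml = "^0.10.2"` leaves a commented-out dependency in `pyproject.toml` where the lockfile hunk in this commit already dropped the `toml` package and `load.py` imports the stdlib `tomllib`, which is the reason for the `^3.11` floor; delete the line rather than commenting it out. If the intent is to record why the dependency disappeared, a comment that says so, `# tomllib (stdlib, 3.11+) replaced the toml package`, carries more information than the dead line.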