From 14c6a0a2cd6d6898abf87cf93ffc94dd4a3749a3 Mon Sep 17 00:00:00 2001 From: Keith Irwin Date: Sun, 2 Apr 2023 13:46:52 -0600 Subject: [PATCH] #9 Renamed to wagon and added README info --- LICENSE.md | 9 +++ README.md | 116 ++++++++++++++++++++++++++++++++--- back/admin.Dockerfile | 8 +-- back/admin_peer.cgi | 14 ++--- back/admin_user.cgi | 12 ++-- back/dashboard.Dockerfile | 8 +-- back/dashboard.cgi | 14 ++--- back/dashboard_ssl.cgi | 8 +-- back/fed.Dockerfile | 6 +- back/fed.cgi | 12 ++-- back/lib/admin/peer/add | 40 ++++++------ back/lib/admin/peer/del | 34 +++++----- back/lib/admin/peer/list | 16 ++--- back/lib/admin/user/add | 36 +++++------ back/lib/admin/user/del | 32 +++++----- back/lib/dashboard/peer/add | 42 ++++++------- back/lib/dashboard/peer/del | 34 +++++----- back/lib/dashboard/peer/list | 16 ++--- back/lib/dashboard/ssl | 20 +++--- back/lib/fed/peer/add | 16 ++--- back/lib/fed/peer/del | 16 ++--- back/lib/fed_peer_add | 2 +- back/lib/fed_peer_del | 2 +- back/lib/http_res | 2 +- back/lib/ips_to_peers | 4 +- back/lib/ns_lookup_axfr | 6 +- back/lib/ns_lookup_rdns | 6 +- back/lib/ns_lookup_send | 4 +- back/lib/ns_update_add | 10 +-- back/lib/ns_update_del | 10 +-- back/lib/ns_update_rev_ipv4 | 2 +- back/lib/ns_update_rev_ipv6 | 2 +- back/lib/ns_update_send | 4 +- back/lib/ssl_peer_add | 4 +- back/lib/ssl_peer_del | 4 +- back/lib/wg_peer_add | 4 +- back/lib/wg_peer_del | 4 +- back/lib/wg_user_list | 6 +- docker-compose.yml.sample | 30 ++++----- etc/servers.sample | 4 +- 40 files changed, 362 insertions(+), 257 deletions(-) create mode 100644 LICENSE.md diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..24ebe93 --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,9 @@ +# The MIT License (MIT) + +Copyright © 2023 Keith Irwin ([ki9.gf4.pw](https://ki9.gf4.pw/)) + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md index 204ae63..9d2a417 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,113 @@ -# wgapi +# wagon 2022-2023 Keith Irwin ([ki9.gf4.pw](https://ki9.gf4.pw/)) +[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) -wgapi is a web application for managing a large number of hosts on a wireguard network. Each host is assigned a domain name on a custom top-level-domain (TLD) and TLS certificates are signed by a custom certificate authority (CA) and provided to the user. +`wagon` is a an api, user dashboard, and admin ui for managing devices and services on a dns-enabled wireguard network. It was built with small web communities in mind. -## Features +## IP address allocation - - Multi-server federation (hub-and-spoke networking with one or more hubs) - - No login screen; authentication is IP-based - - Private keys are not stored in a central location - - No database; all data are stored stored in wireguard and the nameserver +`wagon` manages devices on a wireguard network, `10.X.Y.Z/16` where `X` is a number associated with the community, configured at the first setup. Servers are hosted on `10.X.0.Z/24`, where each `Z` is a different server. Finally, each user gets a number `Y` (between 1 and 254) and a `/24` subnet for each of their their devices, `Z`. -## Installation +**For example:** Your home pc could be `10.11.1.1` and your phone `10.11.1.2`. After configuring wireguard, you can use either device to ping your friend, whose pc is at `10.11.2.1`. -Installation involves multiple steps. +IPv6 is also preconfigured for a `/96` subnet, with users getting their own `/112` network for each `/128` device. -**TODO**: Write complete implementation instructions +## Nameserver + +`wagon` manages a bind9 nameserver through the `nsupdate` command. Device domain names have a similar structure as IP addresses, `A.B.C`, where: + + - `C` is the community's top-level-domain (TLD) + - `B` is the username + - `A` is hostname of the device + +The TLD could be anything that isn't already a global TLD like `.com`. The recursive nameserver provides private wireguard IPs to on this private domain zone. It must be configured to answer `.mynet` queries only within its own network on `10.X.0.0/16`. This nameserver is then preconfigured in clients' wireguard configs' `DNS = ` setting. + + **For example:** Your home pc could be `pc.myuser.mynet` and your phone `phone.myuser.mynet`. Either can ping up `phone.myfriend.mynet`. These would point to `10.11.1.1`, `10.11.1.2`, and `10.11.2.1` respectively + + Servers (IPs with `Y=0`) have domains of the form `A.C`, as above. Wildcard subdomains are CNAMEd to their base address, that is, `*.phone.myuser.mynet` CNAMEs to `phone.myuser.mynet` and `*.smyerver.mynet` CNAMEs to `myserver.mynet`. Of course, this means no username can match a server hostname. + + The nameserver is also preconfigured for rDNS so you can perform lookups on IP addresses: + + ```sh + $ nslookup 10.11.1.1 +1.1.11.10.in-addr.arpa name = pc.myuser.mynet. + ``` + +Using this setup, the community's entire wireguard network and DNS can be accessed from any device by importing a single wireguard config. One purpose of `wagon` is to easily generate these device configs. + +## Certificate authority + +`wagon` also automatically signs SSL certs for its own invented TLD (`.mynet`) so network-hosted services can be encrypted. The certificates are signed for the IPs and wildcard domains listed above, so, with the right web proxy configuration, a user can use the *same* certificate to self-host a service on any of these domains: + + - `https://10.11.1.2/` + - `https://[fd69:1337:0:420:f4:11:1:2]/` + - `https://mypc.myuser.mynet/` + - `https://myservice.mypc.myuser.mynet/` + - `https://myotherservice.mypc.myuser.mynet/` + - `https://anyotherservice.mypc.myuser.mynet/` + +The `wagon` user dashboard provides a server certificate and key that the user can download. Any wireguard-connected device with the community's ca certificate imported in their browser or OS will be able to see a green lock on their browser when visiting these private sites. + +These certs can be used for other internet protocols like irc or imap. + +## Self-hosting and firewalls + +Since firewalls and web proxies understand CIDR notation, controlling access to services is easy: + + - Allow `10.11.1.1/32` to allow access to pc.myuser.mynet only + - Allow `10.11.1.0/24` to allow access to any of myuser's devices + - Allow `10.11.2.1/32` to allow access to a friend's pc + - Allow `10.11.2.0/24` to allow access to any of a friend's devices + - Allow `10.11.0.0/16` to allow access to anyone in the community + - Allow `10.0.0.0/8` to allow access to any other community (someday, maybe) + +Allowing access to virtual webservers is just as simple. For example, I can let my friend access my development server with these allow/deny lines in an nginx vhost config (only showing IPv4, but works with IPv6 too). + +```nginx +server { + server_name dev.mypc.myuser.mynet; + listen 10.11.1.1:443 ssh http2; + + ssl_certificate /path/to/downloaded/mypc.myuser.mynet/server.crt; + ssl_certificate_key /path/to/downloaded/mypc.myuser.mynet/server.key; + ssl_stapling off; + + allow 10.11.1.0/24; # My devices + allow 10.11.2.0/24; # My friend's devices + deny all; # Everyone else + + # Proxy to local dev server + location / { + proxy_pass http://localhost:8080; + } +} +``` + +## Dashboard + +Users can access a dashboard with a list of devices and links to download `server.crt` and `server.key`. Users can add and delete these devices, and admins can add/delete devices and users from a seperate admin interface. When adding a new user or device, the dashboard displays a wireguard configuration which must be copied or saved before the page is refreshed. + +In this way, there is no central server storing all the private keys, like with most wireguard dashboards. In fact, `wagon` does not have a database and does not store any data at all; everything is stored in the server's nameserver and wireguard config. + +This also means there is no login to the dashboard. Users simply connect to the dashboard over wireguard from any connected device, and `wagon` will recognize your IP and serve up a list of other devices on that same `/24` subnet. + +## Structure + +`wagon` is written in bash and run as a cgi script. It can be run in- or outside of docker. Why bash? Because it has great "SDKs" for wireguard (`wg`), nameserver updates (`nsupdate`), and SSL certs (`openssl`). The libraries used in the scripts are themselves scripts. Each script follows the unix philosophy of handling text through standard means (arguments and stdin to stdout), so individual libraries could be replaced with faster alternatives (c, rust, go) in the future. + +## Project status + +The wireguard dashboard and admin are in a working alpha state. I have it implemented on my own network, [gf4](https://www.gf4.pw/), and it seems to be working there. What still needs to be done: + + - The code probably contains hardcoded variables specific to gf4, that must be moved to configs/environment files + - There is almost no documentation, and extensive tutorials are needed for the initial setup of wireguard, bind9, and the CA keys. + - Future implementation of a mail relay, web proxy, and SIP server, and their respective tabs on the web dashboard + - Replacing + +## Contributing + +If you think you can help with any of these bulletpoints, please reach out to me: + +[@ki9:gf4.pw](matrix:@ki9:gf4.pw) on matrix +[wagon@ki9.gf4.pw](mailto:wagon@ki9.gf4.pw) by email +[https://ki9.gf4.pw/contact]() diff --git a/back/admin.Dockerfile b/back/admin.Dockerfile index ebd7c87..7f46499 100644 --- a/back/admin.Dockerfile +++ b/back/admin.Dockerfile @@ -7,9 +7,9 @@ RUN apt-get update && apt-get install --yes \ && rm -rf /var/lib/apt/lists/* # Create dirs and temp files -RUN mkdir /usr/lib/wgapi /var/log/wgapi /var/local/wgapi -RUN touch /var/local/wgapi/tokens -RUN chown -R www-data:www-data /usr/lib/wgapi /var/log/wgapi /var/local/wgapi +RUN mkdir /usr/lib/wagon /var/log/wagon /var/local/wagon +RUN touch /var/local/wagon/tokens +RUN chown -R www-data:www-data /usr/lib/wagon /var/log/wagon /var/local/wagon # Configure apache RUN a2enmod cgi rewrite @@ -26,7 +26,7 @@ RUN echo "www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/wg, /usr/bin/openssl, /usr/b COPY admin_peer.cgi /usr/lib/cgi-bin/peer COPY admin_user.cgi /usr/lib/cgi-bin/user # TODO: Copy only needed libs -COPY lib/ /usr/lib/wgapi/ +COPY lib/ /usr/lib/wagon/ # Run time! EXPOSE ${PORT} diff --git a/back/admin_peer.cgi b/back/admin_peer.cgi index 216912b..ddf139a 100755 --- a/back/admin_peer.cgi +++ b/back/admin_peer.cgi @@ -1,24 +1,24 @@ #!/bin/bash -# FILE: wgapi:back/admin_peer.cgi +# FILE: wagon:back/admin_peer.cgi # DESCRIPTION: Recieves incoming admin requests for peer operations -source /etc/wgapi/config +source /etc/wagon/config case "${REQUEST_METHOD}" in # List peers - 'GET') /usr/lib/wgapi/admin/peer/list "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; + 'GET') /usr/lib/wagon/admin/peer/list "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; # Add peer - 'POST') /usr/lib/wgapi/admin/peer/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; + 'POST') /usr/lib/wagon/admin/peer/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; # Delete peer - 'DELETE') /usr/lib/wgapi/admin/peer/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; + 'DELETE') /usr/lib/wagon/admin/peer/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; # Needed for CORS preflight - 'OPTIONS') /usr/lib/wgapi/http_res 200;; + 'OPTIONS') /usr/lib/wagon/http_res 200;; # Bad request - *) printf 'Invalid HTTP verb' | /usr/lib/wgapi/http_res 405;; + *) printf 'Invalid HTTP verb' | /usr/lib/wagon/http_res 405;; esac diff --git a/back/admin_user.cgi b/back/admin_user.cgi index f757f24..d2a37f8 100755 --- a/back/admin_user.cgi +++ b/back/admin_user.cgi @@ -1,20 +1,20 @@ #!/bin/bash -# FILE: wgapi:back/admin_user.cgi +# FILE: wagon:back/admin_user.cgi # DESCRIPTION: Server for requests to /user/ -source /etc/wgapi/config +source /etc/wagon/config case "${REQUEST_METHOD}" in # Add new user - 'POST') /usr/lib/wgapi/admin/user/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; + 'POST') /usr/lib/wagon/admin/user/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; # Delete user - 'DELETE') /usr/lib/wgapi/admin/user/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; + 'DELETE') /usr/lib/wagon/admin/user/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; # Needed for CORS preflight - 'OPTIONS') /usr/lib/wgapi/http_res 200;; + 'OPTIONS') /usr/lib/wagon/http_res 200;; # Bad request - *) printf 'Invalid HTTP verb' | /usr/lib/wgapi/http_res 405;; + *) printf 'Invalid HTTP verb' | /usr/lib/wagon/http_res 405;; esac diff --git a/back/dashboard.Dockerfile b/back/dashboard.Dockerfile index 3b38fa3..3d5d4ae 100644 --- a/back/dashboard.Dockerfile +++ b/back/dashboard.Dockerfile @@ -7,9 +7,9 @@ RUN apt-get update && apt-get install --yes \ && rm -rf /var/lib/apt/lists/* # Create dirs and temp files -RUN mkdir /usr/lib/wgapi /var/log/wgapi /var/local/wgapi -RUN touch /var/local/wgapi/tokens -RUN chown -R www-data:www-data /usr/lib/wgapi /var/log/wgapi /var/local/wgapi +RUN mkdir /usr/lib/wagon /var/log/wagon /var/local/wagon +RUN touch /var/local/wagon/tokens +RUN chown -R www-data:www-data /usr/lib/wagon /var/log/wagon /var/local/wagon # Configure apache RUN a2enmod cgi rewrite @@ -26,7 +26,7 @@ RUN echo "www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/wg, /usr/bin/openssl, /usr/b COPY dashboard.cgi /usr/lib/cgi-bin/index.cgi COPY dashboard_ssl.cgi /usr/lib/cgi-bin/ssl # TODO: Copy only needed libs -COPY lib/ /usr/lib/wgapi/ +COPY lib/ /usr/lib/wagon/ # Run time! EXPOSE ${PORT} diff --git a/back/dashboard.cgi b/back/dashboard.cgi index 66ab10f..10fc82f 100755 --- a/back/dashboard.cgi +++ b/back/dashboard.cgi @@ -1,24 +1,24 @@ #!/bin/bash -# FILE: wgapi:back/dashboard.cgi +# FILE: wagon:back/dashboard.cgi # DESCRIPTION: Recieves incoming dashboard API requests -source /etc/wgapi/config +source /etc/wagon/config case "${REQUEST_METHOD}" in # List peers - 'GET') /usr/lib/wgapi/dashboard/peer/list "${HTTP_X_REAL_IP}";; + 'GET') /usr/lib/wagon/dashboard/peer/list "${HTTP_X_REAL_IP}";; # Add peer - 'POST') /usr/lib/wgapi/dashboard/peer/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; + 'POST') /usr/lib/wagon/dashboard/peer/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; # Delete peer - 'DELETE') /usr/lib/wgapi/dashboard/peer/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; + 'DELETE') /usr/lib/wagon/dashboard/peer/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; # Needed for CORS preflight - 'OPTIONS') /usr/lib/wgapi/http_res 200;; + 'OPTIONS') /usr/lib/wagon/http_res 200;; # Bad request - *) printf 'Invalid HTTP verb' | /usr/lib/wgapi/http_res 405;; + *) printf 'Invalid HTTP verb' | /usr/lib/wagon/http_res 405;; esac diff --git a/back/dashboard_ssl.cgi b/back/dashboard_ssl.cgi index 36c5756..2fd6417 100755 --- a/back/dashboard_ssl.cgi +++ b/back/dashboard_ssl.cgi @@ -1,15 +1,15 @@ #!/bin/bash -# FILE: wgapi:back/dashboard_ssl.cgi +# FILE: wagon:back/dashboard_ssl.cgi # DESCRIPTION: Sends SSL certs and keys to users -source /etc/wgapi/config +source /etc/wagon/config case "${REQUEST_METHOD}" in # Get cert - 'GET') /usr/lib/wgapi/dashboard/ssl "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; + 'GET') /usr/lib/wagon/dashboard/ssl "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; # Bad request - *) printf 'Invalid HTTP verb' | /usr/lib/wgapi/http_res 405;; + *) printf 'Invalid HTTP verb' | /usr/lib/wagon/http_res 405;; esac diff --git a/back/fed.Dockerfile b/back/fed.Dockerfile index 6cd3d36..7433a4b 100644 --- a/back/fed.Dockerfile +++ b/back/fed.Dockerfile @@ -7,8 +7,8 @@ RUN apt-get update && apt-get install --yes \ && rm -rf /var/lib/apt/lists/* # Create dirs and temp files -RUN mkdir /usr/lib/wgapi /var/log/wgapi -RUN chown -R www-data:www-data /usr/lib/wgapi /var/log/wgapi +RUN mkdir /usr/lib/wagon /var/log/wagon +RUN chown -R www-data:www-data /usr/lib/wagon /var/log/wagon # Configure apache RUN a2enmod cgi rewrite @@ -24,7 +24,7 @@ RUN echo "www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/wg, /usr/bin/[, /usr/bin/tee # Copy over cgi and libs COPY fed.cgi /usr/lib/cgi-bin/index.cgi # TODO: Copy only needed libs -COPY lib/ /usr/lib/wgapi/ +COPY lib/ /usr/lib/wagon/ # Run time! EXPOSE ${PORT} diff --git a/back/fed.cgi b/back/fed.cgi index c5f55d8..1f08f8e 100755 --- a/back/fed.cgi +++ b/back/fed.cgi @@ -1,21 +1,21 @@ #!/bin/bash -# FILE: wgapi:back/fed.cgi +# FILE: wagon:back/fed.cgi # DESCRIPTION: Recieves incoming federated requests -source /etc/wgapi/config +source /etc/wagon/config case "${REQUEST_METHOD}" in # Add - 'POST') /usr/lib/wgapi/fed/peer/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; + 'POST') /usr/lib/wagon/fed/peer/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; # Delete - 'DELETE') /usr/lib/wgapi/fed/peer/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; + 'DELETE') /usr/lib/wagon/fed/peer/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";; # Needed for CORS preflight - 'OPTIONS') /usr/lib/wgapi/http_res 200;; + 'OPTIONS') /usr/lib/wagon/http_res 200;; # Bad request - *) printf 'Invalid HTTP verb' | /usr/lib/wgapi/http_res 405;; + *) printf 'Invalid HTTP verb' | /usr/lib/wagon/http_res 405;; esac diff --git a/back/lib/admin/peer/add b/back/lib/admin/peer/add index 3f7d684..c1d61cd 100755 --- a/back/lib/admin/peer/add +++ b/back/lib/admin/peer/add @@ -4,15 +4,15 @@ # USAGE: add $remote_ip $querystring # QUERYSTRING: ?t=$token&host=$newhostname&user=$username&num=$usernumber -source /etc/wgapi/config +source /etc/wagon/config ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')" # Check token token_fail(){ printf 'Rejecting admin %s request for new peer due to %s token\n' "${ip}" "${1}" >&2 - printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit 1 + printf 'Invalid token\n' | /usr/lib/wagon/http_res 403; exit 1 } -saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)" +saved_token="$(grep "${ip}" /var/local/wagon/tokens | cut -f2)" [ "${saved_token}" == "" ] && token_fail 'missing' <<<"${qs}" grep -qx "t=${saved_token}" || token_fail 'mismatched' printf '%s token was valid\n' "${ip}" >&2 @@ -23,9 +23,9 @@ username="$(<<<"${qs}" grep -oP 'user=(.*)' | sed 's/^user=//')" usernumber="$(<<<"${qs}" grep -oP 'num=(.*)' | sed 's/^num=//')" if ! domain="${hostname:?}.${username:?}.${TLD:?}"; then printf 'ERROR! Hostname "%s" or username "%s" or tld "%s" missing!\n' "${hostname}" "${username}" "${TLD}" >&2 - printf 'Hostname or username missing!\n' | /usr/lib/wgapi/http_res 400; exit + printf 'Hostname or username missing!\n' | /usr/lib/wagon/http_res 400; exit elif [[ "${usernumber}" == "" ]]; then - printf 'Usernumber missing!\n' | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 400; exit + printf 'Usernumber missing!\n' | tee >(cat 1>&2) | /usr/lib/wagon/http_res 400; exit else printf 'Admin %s requested new peer %s for user number %s\n' "${ip}" "${domain}" "${usernumber}" >&2 fi @@ -33,31 +33,31 @@ fi # Check hostname length if ! [[ ${#hostname} -ge 3 ]]; then printf 'Rejecting hostname %s because it is too short.\n' "${hostname}" >&2 - printf 'Hostname too short\n' | /usr/lib/wgapi/http_res 400; exit + printf 'Hostname too short\n' | /usr/lib/wagon/http_res 400; exit fi # Check if new peer already exists -if /usr/lib/wgapi/ns_lookup_send "${domain}" >/dev/null; then - printf 'Host %s already exists!\n' "${domain}" | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 409; exit +if /usr/lib/wagon/ns_lookup_send "${domain}" >/dev/null; then + printf 'Host %s already exists!\n' "${domain}" | tee >(cat 1>&2) | /usr/lib/wagon/http_res 409; exit fi # Get all peer IPs if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then printf 'ERROR! Wireguard failed!\n' >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Filter out the user's user_peers="$(grep "${IPV4_NET%.*.*}.${usernumber}." <<<"${wg_output}" 2>/dev/null)" if [ "${user_peers}" == "" ]; then printf "ERROR! Couldn't find any peers for %s!\n" "${IPV4_NET%.*.*}.${usernumber}." >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Get user peer domains -if ! peers="$(/usr/lib/wgapi/ips_to_peers tsv <<<"${user_peers}")"; then +if ! peers="$(/usr/lib/wagon/ips_to_peers tsv <<<"${user_peers}")"; then printf 'ERROR! Failed to retrieve peers for %s!\n' "${IPV4_NET%.*.*}.${usernumber}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Create new IPs @@ -72,7 +72,7 @@ ipv4="${IPV4_NET%.*.*}.${usernumber}.${hostnumber}" ipv6="${IPV6_NET%:*:*}:${usernumber}:${hostnumber}" if ! printf 'IP addresses for %s created: %s %s\n' "${domain:?}" "${ipv4:?}" "${ipv6:?}" >&2; then printf 'ERROR! Failed to create IP addresses for %s!' "${domain}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Create wg config @@ -81,13 +81,13 @@ pubkey="$(echo "${privkey}" | /usr/bin/wg pubkey)" address="${ipv4}/${IPV4_NET##*/},${ipv6}/${IPV6_NET##*/}" # Update nameserver -if /usr/lib/wgapi/ns_update_add "${domain:?}" "${ipv4:?}" "${ipv6:?}" +if /usr/lib/wagon/ns_update_add "${domain:?}" "${ipv4:?}" "${ipv6:?}" then printf 'Successfully added %s to DNS server.\n' "${domain}" >&2 else printf 'ERROR! Failed to add %s %s %s to DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2 fi & # Create SSL cert -if /usr/lib/wgapi/ssl_peer_add "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}" +if /usr/lib/wagon/ssl_peer_add "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}" then printf 'Successfully signed SSL certs for %s\n' "${domain}" >&2 else printf 'ERROR! Failed to create certs for %s with IPS: %s %s!\n' "${domain}" "${ipv4}" "${ipv6}" >&2 fi @@ -101,22 +101,22 @@ while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey se if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/${IPV4_NET#*/},${server_ipv6}/${IPV6_NET#*/}\nEndpoint=${server_endpoint}\n" # Add new user to local wireguard - if /usr/lib/wgapi/wg_peer_add "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then + if /usr/lib/wagon/wg_peer_add "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then printf 'Added %s to local wireguard server.\n' "${domain}" >&2 else printf 'ERROR! Failed to add %s to local wireguard server!\n' "${domain}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Remote server else server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/32,${server_ipv6}/128\nEndpoint=${server_endpoint}\n" # Send new user config to federated server - if /usr/lib/wgapi/fed_peer_add "${server_url}" "${server_secret}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then + if /usr/lib/wagon/fed_peer_add "${server_url}" "${server_secret}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then printf 'Sent %s to remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2 else printf 'ERROR! Failed to send %s to remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2 fi fi -done &2 # Check token token_fail(){ printf 'Rejecting admin %s request to delete peer due to %s token\n' "${ip}" "${1}" >&2 - printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit + printf 'Invalid token\n' | /usr/lib/wagon/http_res 403; exit } -saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)" +saved_token="$(grep "${ip}" /var/local/wagon/tokens | cut -f2)" [ "${saved_token}" == "" ] && token_fail 'missing' <<<"${qs}" grep -qx "t=${saved_token}" || token_fail 'mismatched' printf '%s token was valid\n' "${ip}" >&2 @@ -24,33 +24,33 @@ printf '%s token was valid\n' "${ip}" >&2 # Get peer IP list if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then printf 'ERROR! Wireguard failed!\n' >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Filter out this user's user_peer="$(grep "${pubkey}" <<<"${wg_output}" 2>/dev/null)" if [ "${user_peer}" == "" ]; then printf 'ERROR! Could not find user for pubkey %s!\n' "${pubkey}" >&2 - printf 'Peer not found' | /usr/lib/wgapi/http_res 404; exit + printf 'Peer not found' | /usr/lib/wagon/http_res 404; exit fi # Get peer domains -if ! peer="$(/usr/lib/wgapi/ips_to_peers tsv <<<"${user_peer}" | grep "${pubkey}")"; then +if ! peer="$(/usr/lib/wagon/ips_to_peers tsv <<<"${user_peer}" | grep "${pubkey}")"; then printf 'ERROR! Failed to lookup domain for pubkey %s!\n' "${pubkey}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi domain="$(<<<"${peer}" cut -f1)" ipv4="$(<<<"${peer}" cut -f2)" ipv6="$(<<<"${peer}" cut -f3)" if ! printf 'Delete request was for %s %s %s\n' "${domain:?}" "${ipv4:?}" "${ipv6:?}" >&2; then printf 'ERROR! Failed to collect peer data: %s %s %s\n' "${domain}" "${ipv4}" "${ipv6}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Make sure admin isn't deleting their own peer if [ "${ip}" == "${ipv4}" ] || [ "${ip}" == "${ipv6}" ]; then printf 'Admin requested to delete peer from itself: %s.\n' "${ip}" >&2 - printf 'You cannot delete a peer from itself!' | /usr/lib/wgapi/http_res 400; exit + printf 'You cannot delete a peer from itself!' | /usr/lib/wagon/http_res 400; exit fi hostname="$(<<<"${domain}" cut -d'.' -f1)" @@ -65,34 +65,34 @@ for_server_do() { server_endpoint="${5}"; server_url="${6}"; server_secret="${7}" if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then # Local server - if /usr/lib/wgapi/wg_peer_del "${pubkey}"; then + if /usr/lib/wagon/wg_peer_del "${pubkey}"; then printf 'Deleted %s from local wireguard server.\n' "${domain}" >&2 else printf 'ERROR! Failed to delete %s from local wireguard server!\n' "${domain}" >&2 # TODO: clear existing progress - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi else # Federated server - if /usr/lib/wgapi/fed_peer_del "${server_url}" "${server_secret}" "${pubkey}"; then + if /usr/lib/wagon/fed_peer_del "${server_url}" "${server_secret}" "${pubkey}"; then printf 'Deleted %s from remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2 else printf 'ERROR! Failed to delete %s from remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi fi }; while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey server_endpoint server_url server_secret do for_server_do "${server_hostname}" "${server_ipv4}" "${server_ipv6}" "${server_pubkey}" "${server_endpoint}" "${server_url}" "${server_secret}" & -done &2 else printf 'ERROR! Failed to delete %s %s %s from DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2 fi & # Delete SSL cert -if /usr/lib/wgapi/ssl_peer_del "${hostname:?}" "${username:?}" +if /usr/lib/wagon/ssl_peer_del "${hostname:?}" "${username:?}" then printf 'Successfully deleted SSL certs for %s\n' "${domain}" >&2 else printf 'ERROR! Failed to delete certs for %s!\n' "${domain}" >&2 fi @@ -101,4 +101,4 @@ fi # Do it before updating nameserver and certs because # if wireguard worked, there's no going back. The admin # can clean up missing records and certs after checking the logs -printf 'Deleted %s.%s.%s' "${hostname}" "${username}" "${TLD}" | /usr/lib/wgapi/http_res 202 \ No newline at end of file +printf 'Deleted %s.%s.%s' "${hostname}" "${username}" "${TLD}" | /usr/lib/wagon/http_res 202 \ No newline at end of file diff --git a/back/lib/admin/peer/list b/back/lib/admin/peer/list index d9c9e35..5e5bafe 100755 --- a/back/lib/admin/peer/list +++ b/back/lib/admin/peer/list @@ -4,23 +4,23 @@ # USAGE: list $remote_ip $querystring # QUERYSTRING: ?un=$username -source /etc/wgapi/config +source /etc/wagon/config ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')" un="$(<<<"${qs}" grep -oP 'un=(.*)' | sed 's/^un=//' | xargs)" printf 'Admin %s requested peer listing...\n' "${ip}" >&2 # Create token if needed -token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)" +token="$(grep "${ip}" /var/local/wagon/tokens | cut -f2)" if [ "${token}" == "" ]; then printf 'Creating token for %s...\n' "${ip}" >&2 token="$(>/var/local/wgapi/tokens + printf '%s\t%s\n' "${ip}" "${token}" >>/var/local/wagon/tokens fi # Get peer IP list if ! peers="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then printf 'ERROR! Wireguard failed!\n' >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Filter out single user (if provided) @@ -28,15 +28,15 @@ if [ "${un}" != '' ]; then peers="$(grep "${IPV4_NET%.*.*}\.${un}\." <<<"${peers}" 2>/dev/null)" if [ "${peers}" == '' ]; then printf 'User number %s not found!\n' "${un}" >&2 - printf 'User not found!\n' | /usr/lib/wgapi/http_res 404; exit + printf 'User not found!\n' | /usr/lib/wagon/http_res 404; exit fi fi # Get domains for each peer -if peers="[$(/usr/lib/wgapi/ips_to_peers json <<<"${peers}")]"; then - printf '{"token":"%s","peers":%s}' "${token:?}" "${peers:?}" | /usr/lib/wgapi/http_res 200 'application/json' +if peers="[$(/usr/lib/wagon/ips_to_peers json <<<"${peers}")]"; then + printf '{"token":"%s","peers":%s}' "${token:?}" "${peers:?}" | /usr/lib/wagon/http_res 200 'application/json' printf 'Sent peers to admin %s\n' "${ip}" >&2 else printf 'ERROR: Failed to lookup user domain: %s\n' "${ip}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi diff --git a/back/lib/admin/user/add b/back/lib/admin/user/add index b7657ce..1324ba5 100755 --- a/back/lib/admin/user/add +++ b/back/lib/admin/user/add @@ -4,15 +4,15 @@ # USAGE: add $remote_ip $querystring # QUERYSTRING: ?t=$token&host=$hostname&user=$username -source /etc/wgapi/config +source /etc/wagon/config ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')" # Check token token_fail(){ printf 'Rejecting admin %s request for new peer due to %s token\n' "${ip}" "${1}" >&2 - printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit + printf 'Invalid token\n' | /usr/lib/wagon/http_res 403; exit } -saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)" +saved_token="$(grep "${ip}" /var/local/wagon/tokens | cut -f2)" [ "${saved_token}" == "" ] && token_fail 'missing' <<<"${qs}" grep -qx "t=${saved_token}" || token_fail 'mismatched' printf '%s token was valid\n' "${ip}" >&2 @@ -22,28 +22,28 @@ hostname="$(<<<"${qs}" grep -oP 'host=(.*)' | sed 's/^host=//' | xargs | tr -dc username="$(<<<"${qs}" grep -oP 'user=(.*)' | sed 's/^user=//' | xargs | tr -dc 'a-z0-9' | head -c10)" if ! domain="${hostname:?}.${username:?}.${TLD:?}"; then printf 'ERROR! Hostname "%s" or username "%s" or tld "%s" missing!\n' "${hostname}" "${username}" "${TLD}" >&2 - printf 'Hostname or username missing!\n' | /usr/lib/wgapi/http_res 400; exit + printf 'Hostname or username missing!\n' | /usr/lib/wagon/http_res 400; exit else printf 'Admin %s requested new user created with initial peer of %s\n' "${ip}" "${domain}" >&2 fi if ! [[ ${#hostname} -ge 3 ]]; then printf 'Rejecting hostname %s because it is too short.\n' "${hostname}" >&2 - printf 'Hostname too short\n' | /usr/lib/wgapi/http_res 400; exit + printf 'Hostname too short\n' | /usr/lib/wagon/http_res 400; exit elif ! [[ ${#username} -ge 3 ]]; then printf 'Rejecting username %s because it is too short.\n' "${username}" >&2 - printf 'Username too short\n' | /usr/lib/wgapi/http_res 400; exit + printf 'Username too short\n' | /usr/lib/wagon/http_res 400; exit fi # Check if user already exists -if /usr/lib/wgapi/ns_lookup_axfr | grep ".${username}.${TLD}" >/dev/null; then - printf 'User %s already exists!\n' "${username}" | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 409 +if /usr/lib/wagon/ns_lookup_axfr | grep ".${username}.${TLD}" >/dev/null; then + printf 'User %s already exists!\n' "${username}" | tee >(cat 1>&2) | /usr/lib/wagon/http_res 409 exit fi # Get all peer IPs if ! peers="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then printf 'ERROR! Wireguard failed!\n' >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Create new IPs @@ -59,7 +59,7 @@ ipv4="${IPV4_NET%.*.*}.${usernumber}.${hostnumber}" ipv6="${IPV6_NET%:*:*}:${usernumber}:${hostnumber}" if ! printf 'IP addresses for %s created: %s %s\n' "${domain:?}" "${ipv4:?}" "${ipv6:?}" >&2; then printf 'ERROR! Failed to create IP addresses for %s!' "${domain}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Create wg config @@ -68,7 +68,7 @@ pubkey="$(echo "${privkey}" | /usr/bin/wg pubkey)" address="${ipv4}/${IPV4_NET##*/},${ipv6}/${IPV6_NET##*/}" # Update nameserver -if /usr/lib/wgapi/ns_update_add "${domain:?}" "${ipv4:?}" "${ipv6:?}" +if /usr/lib/wagon/ns_update_add "${domain:?}" "${ipv4:?}" "${ipv6:?}" then printf 'Successfully added %s to DNS server.\n' "${domain}" >&2 else printf 'ERROR! Failed to add %s %s %s to DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2 fi & @@ -76,9 +76,9 @@ fi & # Create SSL cert if ! sudo mkdir "${SSL_CONFIG_DIR:?}/${username:?}/"; then printf 'Failed to create directory %s/%s/:\n' "${SSL_CONFIG_DIR}" "${username}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi -if /usr/lib/wgapi/ssl_peer_add "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}" +if /usr/lib/wagon/ssl_peer_add "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}" then printf 'Successfully signed SSL certs for %s\n' "${domain}" >&2 else printf 'ERROR! Failed to create certs for %s with IPS: %s %s!\n' "${domain}" "${ipv4}" "${ipv6}" >&2 fi @@ -92,23 +92,23 @@ while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey se if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/${IPV4_NET#*/},${server_ipv6}/${IPV6_NET#*/}\nEndpoint=${server_endpoint}\n" # Add new user to local wireguard - if /usr/lib/wgapi/wg_peer_add "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then + if /usr/lib/wagon/wg_peer_add "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then printf 'Added %s to local wireguard server.\n' "${domain}" >&2 else printf 'ERROR! Failed to add %s to local wireguard server!\n' "${domain}" >&2 # TODO: clear existing progress - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Remote server else server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/32,${server_ipv6}/128\nEndpoint=${server_endpoint}\n" # Send new user config to federated server - if /usr/lib/wgapi/fed_peer_add "${server_url}" "${server_secret}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then + if /usr/lib/wagon/fed_peer_add "${server_url}" "${server_secret}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then printf 'Sent %s to remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2 else printf 'ERROR! Failed to send %s to remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2 fi fi -done &2 - printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit + printf 'Invalid token\n' | /usr/lib/wagon/http_res 403; exit } -saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)" +saved_token="$(grep "${ip}" /var/local/wagon/tokens | cut -f2)" [ "${saved_token}" == "" ] && token_fail 'missing' <<<"${qs}" grep -qx "t=${saved_token}" || token_fail 'mismatched' printf '%s token was valid\n' "${ip}" >&2 @@ -21,9 +21,9 @@ printf '%s token was valid\n' "${ip}" >&2 username="$(<<<"${qs}" grep -oP 'user=(.*)' | sed 's/^user=//')" usernumber="$(<<<"${qs}" grep -oP 'un=(.*)' | sed 's/^un=//')" if [[ "${username}" == "" ]]; then - printf 'ERROR! Username missing!\n' | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 400; exit + printf 'ERROR! Username missing!\n' | tee >(cat 1>&2) | /usr/lib/wagon/http_res 400; exit elif [[ "${usernumber}" == "" ]]; then - printf 'ERROR! Usernumber missing!\n' | tee >(cat 1>&2) |/usr/lib/wgapi/http_res 400; exit + printf 'ERROR! Usernumber missing!\n' | tee >(cat 1>&2) |/usr/lib/wagon/http_res 400; exit else printf 'Admin %s requested deletion of user "%s" with usernumber "%s"\n' "${ip}" "${username}" "${usernumber}" >&2 fi @@ -31,20 +31,20 @@ fi # Get all peer IPs if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then printf 'ERROR! Wireguard failed!\n' >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Filter out the user's user_peers="$(grep "${IPV4_NET%.*.*}.${usernumber}." <<<"${wg_output}" 2>/dev/null)" if [ "${user_peers}" == "" ]; then printf "ERROR! Couldn't find any peers for %s!\n" "${IPV4_NET%.*.*}.${usernumber}." >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Get user peer domains -if ! peers="$(/usr/lib/wgapi/ips_to_peers tsv <<<"${user_peers}")"; then +if ! peers="$(/usr/lib/wagon/ips_to_peers tsv <<<"${user_peers}")"; then printf 'ERROR! Failed to retrieve domains for peers for %s!\n' "${IPV4_NET%.*.*}.${usernumber}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Run this function in parallel in the while loop below @@ -55,20 +55,20 @@ for_server_do() { server_endpoint="${5}"; server_url="${6}"; server_secret="${7}" if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then # Local server - if /usr/lib/wgapi/wg_peer_del "${pubkey}"; then + if /usr/lib/wagon/wg_peer_del "${pubkey}"; then printf 'Deleted %s from local wireguard server.\n' "${domain}" >&2 else printf 'ERROR! Failed to delete %s from local wireguard server!\n' "${domain}" >&2 # TODO: clear existing progress - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi else # Federated server - if /usr/lib/wgapi/fed_peer_del "${server_url}" "${server_secret}" "${pubkey}"; then + if /usr/lib/wagon/fed_peer_del "${server_url}" "${server_secret}" "${pubkey}"; then printf 'Deleted %s from remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2 else printf 'ERROR! Failed to delete %s from remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi fi } @@ -82,10 +82,10 @@ delete_peer() { # Remove peer from wireguard while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey server_endpoint server_url server_secret do for_server_do "${server_hostname}" "${server_ipv4}" "${server_ipv6}" "${server_pubkey}" "${server_endpoint}" "${server_url}" "${server_secret}" & - done &2 else printf 'ERROR! Failed to delete %s %s %s from DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2 fi @@ -104,4 +104,4 @@ fi # Do it before updating nameserver and certs because # if wireguard worked, there's no going back. The admin # can clean up missing records and certs after checking the logs -printf 'Deleted %s' "${username}" | /usr/lib/wgapi/http_res 202 \ No newline at end of file +printf 'Deleted %s' "${username}" | /usr/lib/wagon/http_res 202 \ No newline at end of file diff --git a/back/lib/dashboard/peer/add b/back/lib/dashboard/peer/add index 85eacb8..4b080ec 100755 --- a/back/lib/dashboard/peer/add +++ b/back/lib/dashboard/peer/add @@ -4,7 +4,7 @@ # USAGE: add $remote_ip $querystring # QUERYSTRING: ?t=$token&name=$hostname -source /etc/wgapi/config +source /etc/wagon/config ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')" # Check hostname @@ -12,31 +12,31 @@ hostname="$(<<<"${qs}" grep -oP 'name=(.*)' | sed 's/^name//' | xargs | tr -dc ' printf '%s requested new peer with hostname %s\n' "${ip}" "${hostname}" >&2 if ! [[ ${#hostname} -ge 3 ]]; then printf 'Rejecting hostname %s because it is too short.\n' "${hostname}" >&2 - printf 'Hostname too short\n' | /usr/lib/wgapi/http_res 400; exit + printf 'Hostname too short\n' | /usr/lib/wagon/http_res 400; exit fi # Check token token_fail(){ printf 'Rejecting %s request for new peer due to %s token\n' "${ip}" "${1}" >&2 - printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit + printf 'Invalid token\n' | /usr/lib/wagon/http_res 403; exit } -saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)" +saved_token="$(grep "${ip}" /var/local/wagon/tokens | cut -f2)" [ "${saved_token}" == "" ] && token_fail 'missing' <<<"${qs}" grep -qx "t=${saved_token}" || token_fail 'mismatched' printf '%s token was valid\n' "${ip}" >&2 # Check user -username="$(/usr/lib/wgapi/ns_lookup_rdns "${ip}" | cut -d'.' -f2)" || ( +username="$(/usr/lib/wagon/ns_lookup_rdns "${ip}" | cut -d'.' -f2)" || ( printf 'User domains not found for %s\n' "${ip}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit ) printf '%s identified as %s\n' "${ip}" "${username}" >&2 domain="${hostname}.${username}.${TLD}" # Check if new peer already exists -if /usr/lib/wgapi/ns_lookup_send "${domain}" >/dev/null; then +if /usr/lib/wagon/ns_lookup_send "${domain}" >/dev/null; then printf '%s.%s.%s already exists!\n' "${hostname}" "${username}" "${TLD}" >&2 - printf 'Hostname %s already exists!\n' "${hostname}" | /usr/lib/wgapi/http_res 409; exit + printf 'Hostname %s already exists!\n' "${hostname}" | /usr/lib/wagon/http_res 409; exit fi # Create new domain @@ -46,27 +46,27 @@ printf 'New domain will be %s\n' "${domain}" >&2 # Get peer IP list if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then printf 'ERROR! Wireguard failed!\n' >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Filter out this user's user_peers="$(grep "${ip%[.:]*}" <<<"${wg_output}" 2>/dev/null)" if [ "${user_peers}" == "" ]; then printf "ERROR! %s accessed the dashboard but isn't on the network!\n" "${ip}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Get domains -if ! peers="$(/usr/lib/wgapi/ips_to_peers tsv <<<"${user_peers}")"; then +if ! peers="$(/usr/lib/wagon/ips_to_peers tsv <<<"${user_peers}")"; then printf 'ERROR! Failed to parse peers for %s!\n' "${ip}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Make sure hostname isn't taken hostnames="$(<<<"${peers}" awk '{print $1}' | cut -d'.' -f1)" if <<<"${hostnames}" grep -x "${hostname}"; then printf 'User %s already has a host named %s!\n' "${username}" "${hostname}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Create new IPs @@ -82,7 +82,7 @@ ipv4="${IPV4_NET%.*.*}.${usernumber}.${hostnumber}" ipv6="${IPV6_NET%:*:*}:${usernumber}:${hostnumber}" if ! printf 'IP addresses for %s created: %s %s\n' "${domain:?}" "${ipv4:?}" "${ipv6:?}" >&2; then printf 'ERROR! Failed to create IP addresses for %s!' "${domain}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Create wg config @@ -91,13 +91,13 @@ pubkey="$(echo "${privkey}" | /usr/bin/wg pubkey)" address="${ipv4}/${IPV4_NET##*/},${ipv6}/${IPV6_NET##*/}" # Update nameserver -if /usr/lib/wgapi/ns_update_add "${domain:?}" "${ipv4:?}" "${ipv6:?}" +if /usr/lib/wagon/ns_update_add "${domain:?}" "${ipv4:?}" "${ipv6:?}" then printf 'Successfully added %s to DNS server.\n' "${domain}" >&2 else printf 'ERROR! Failed to add %s %s %s to DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2 fi & # Create SSL cert -if /usr/lib/wgapi/ssl_peer_add "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}" +if /usr/lib/wagon/ssl_peer_add "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}" then printf 'Successfully signed SSL certs for %s\n' "${domain}" >&2 else printf 'ERROR! Failed to create certs for %s with IPS: %s %s!\n' "${domain}" "${ipv4}" "${ipv6}" >&2 fi @@ -111,22 +111,22 @@ while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey se if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/${IPV4_NET#*/},${server_ipv6}/${IPV6_NET#*/}\nEndpoint=${server_endpoint}\n" # Add new user to local wireguard - if /usr/lib/wgapi/wg_peer_add "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then + if /usr/lib/wagon/wg_peer_add "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then printf 'Added %s to local wireguard server.\n' "${domain}" >&2 else printf 'ERROR! Failed to add %s to local wireguard server!\n' "${domain}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Remote server else server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/32,${server_ipv6}/128\nEndpoint=${server_endpoint}\n" # Send new user config to federated server - if /usr/lib/wgapi/fed_peer_add "${server_url}" "${server_secret}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then + if /usr/lib/wagon/fed_peer_add "${server_url}" "${server_secret}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then printf 'Sent %s to remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2 else printf 'ERROR! Failed to send %s to remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2 fi fi -done &2 # Check token token_fail(){ printf 'Rejecting %s request to delete peer due to %s token\n' "${ip}" "${1}" >&2 - printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit + printf 'Invalid token\n' | /usr/lib/wagon/http_res 403; exit } -saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)" +saved_token="$(grep "${ip}" /var/local/wagon/tokens | cut -f2)" [ "${saved_token}" == "" ] && token_fail 'missing' <<<"${qs}" grep -qx "t=${saved_token}" || token_fail 'mismatched' printf '%s token was valid\n' "${ip}" >&2 @@ -24,33 +24,33 @@ printf '%s token was valid\n' "${ip}" >&2 # Get peer IP list if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then printf 'ERROR! Wireguard failed!\n' >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Filter out this user's user_peers="$(grep "${ip%[.:]*}" <<<"${wg_output}" 2>/dev/null)" if [ "${user_peers}" == "" ]; then printf "ERROR! %s accessed the dashboard but isn't on the network!\n" "${ip}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Get peer domains -if ! peer="$(/usr/lib/wgapi/ips_to_peers tsv <<<"${user_peers}" | grep "${pubkey}")"; then +if ! peer="$(/usr/lib/wagon/ips_to_peers tsv <<<"${user_peers}" | grep "${pubkey}")"; then printf 'ERROR! Peer %s not found for user %s!\n' "${pubkey}" "${ip}" >&2 & - printf 'Peer not found\n' | /usr/lib/wgapi/http_res 404; exit + printf 'Peer not found\n' | /usr/lib/wagon/http_res 404; exit fi domain="$(<<<"${peer}" cut -f1)" ipv4="$(<<<"${peer}" cut -f2)" ipv6="$(<<<"${peer}" cut -f3)" if ! printf 'Delete request was for %s %s %s\n' "${domain:?}" "${ipv4:?}" "${ipv6:?}" >&2; then printf 'ERROR! Failed to collect peer data: %s %s %s\n' "${domain}" "${ipv4}" "${ipv6}" >&2 & - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Make sure user isn't deleting their own peer if [ "${ip}" == "${ipv4}" ] || [ "${ip}" == "${ipv6}" ]; then printf 'User requested to delete peer from itself: %s.\n' "${ip}" >&2 - printf 'You cannot delete a peer from itself!' | /usr/lib/wgapi/http_res 400; exit + printf 'You cannot delete a peer from itself!' | /usr/lib/wagon/http_res 400; exit fi hostname="$(<<<"${domain}" cut -d'.' -f1)" @@ -65,34 +65,34 @@ for_server_do() { server_endpoint="${5}"; server_url="${6}"; server_secret="${7}" if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then # Local server - if /usr/lib/wgapi/wg_peer_del "${pubkey}"; then + if /usr/lib/wagon/wg_peer_del "${pubkey}"; then printf 'Deleted %s from local wireguard server.\n' "${domain}" >&2 else printf 'ERROR! Failed to delete %s from local wireguard server!\n' "${domain}" >&2 # TODO: clear existing progress - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi else # Federated server - if /usr/lib/wgapi/fed_peer_del "${server_url}" "${server_secret}" "${pubkey}"; then + if /usr/lib/wagon/fed_peer_del "${server_url}" "${server_secret}" "${pubkey}"; then printf 'Deleted %s from remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2 else printf 'ERROR! Failed to delete %s from remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi fi }; while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey server_endpoint server_url server_secret do for_server_do "${server_hostname}" "${server_ipv4}" "${server_ipv6}" "${server_pubkey}" "${server_endpoint}" "${server_url}" "${server_secret}" & -done &2 else printf 'ERROR! Failed to delete %s %s %s from DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2 fi & # Create SSL cert -if /usr/lib/wgapi/ssl_peer_del "${hostname:?}" "${username:?}" +if /usr/lib/wagon/ssl_peer_del "${hostname:?}" "${username:?}" then printf 'Successfully deleted SSL certs for %s\n' "${domain}" >&2 else printf 'ERROR! Failed to delete certs for %s!\n' "${domain}" >&2 fi @@ -101,4 +101,4 @@ fi # Do it before updating nameserver and certs because # if wireguard worked, there's no going back. The admin # can clean up missing records and certs after checking the logs -printf 'Deleted %s.%s.%s' "${hostname}" "${username}" "${TLD}" | /usr/lib/wgapi/http_res 202 \ No newline at end of file +printf 'Deleted %s.%s.%s' "${hostname}" "${username}" "${TLD}" | /usr/lib/wagon/http_res 202 \ No newline at end of file diff --git a/back/lib/dashboard/peer/list b/back/lib/dashboard/peer/list index 1f9bdd8..23e430f 100755 --- a/back/lib/dashboard/peer/list +++ b/back/lib/dashboard/peer/list @@ -3,36 +3,36 @@ # DESCRIPTION: List a user's peers # USAGE: list $remote_ip -source /etc/wgapi/config +source /etc/wagon/config ip="${1}" printf '%s requested peer listing...\n' "${ip}" >&2 # Create token if needed -token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)" +token="$(grep "${ip}" /var/local/wagon/tokens | cut -f2)" if [ "${token}" == "" ]; then printf 'Creating token for %s...\n' "${ip}" >&2 token="$(>/var/local/wgapi/tokens + printf '%s\t%s\n' "${ip}" "${token}" >>/var/local/wagon/tokens fi # Get peer IP list if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then printf 'ERROR! Wireguard failed!\n' >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Filter out this user's user_peers="$(grep "${ip%[.:]*}" <<<"${wg_output}" 2>/dev/null)" if [ "${user_peers}" == '' ]; then printf "ERROR! %s accessed the dashboard but isn't on the network!\n" "${ip}" >&2 - printf 'User not found!\n' | /usr/lib/wgapi/http_res 403; exit + printf 'User not found!\n' | /usr/lib/wagon/http_res 403; exit fi # Get domains for each one -if peers="[$(/usr/lib/wgapi/ips_to_peers json <<<"${user_peers}")]"; then - printf '{"token":"%s","peers":%s}' "${token}" "${peers}" | /usr/lib/wgapi/http_res 200 'application/json' +if peers="[$(/usr/lib/wagon/ips_to_peers json <<<"${user_peers}")]"; then + printf '{"token":"%s","peers":%s}' "${token}" "${peers}" | /usr/lib/wagon/http_res 200 'application/json' printf 'Sent peers to user %s\n' "${ip}" >&2 else printf 'ERROR: Failed to lookup domains for user: %s\n' "${ip}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi diff --git a/back/lib/dashboard/ssl b/back/lib/dashboard/ssl index edc7290..7d62c7d 100755 --- a/back/lib/dashboard/ssl +++ b/back/lib/dashboard/ssl @@ -4,7 +4,7 @@ # USAGE: ssl remote_ip querystring # QUERYSTRING: ?host=$hostname&ext=crt -source /etc/wgapi/config +source /etc/wagon/config ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')" # Parse querystring @@ -13,42 +13,42 @@ ext="$(<<<"${qs}" grep -oP 'ext=(.*)' | sed 's/^ext=//' | xargs)" if ! file="${hostname:?}/server.${ext:?}"; then printf 'ERROR! Hostname "%s" or extension "%s" missing!\n' "${hostname}" "${ext}" >&2 - printf 'Hostname or extension missing!\n' | /usr/lib/wgapi/http_res 400; exit + printf 'Hostname or extension missing!\n' | /usr/lib/wagon/http_res 400; exit else printf 'User %s requested SSL file %s\n' "${ip}" "${file}" >&2 fi # Make sure extension is 'crt' or 'key' if [ "${ext}" != 'crt' ] && [ "${ext}" != 'key' ]; then - printf 'Invalid extension: %s\n' "${ext}" | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 400; exit + printf 'Invalid extension: %s\n' "${ext}" | tee >(cat 1>&2) | /usr/lib/wagon/http_res 400; exit fi # Get username -if ! domain="$(/usr/lib/wgapi/ns_lookup_rdns "${ip}")"; then - printf 'ERROR! Failed to lookup domain from user IP %s\n' "${ip}" | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 500 +if ! domain="$(/usr/lib/wagon/ns_lookup_rdns "${ip}")"; then + printf 'ERROR! Failed to lookup domain from user IP %s\n' "${ip}" | tee >(cat 1>&2) | /usr/lib/wagon/http_res 500 exit 7 fi; if ! username="$(<<<"${domain}" cut -d'.' -f2)"; then printf 'ERROR! Failed to parse username from domain "%s"\n' "${domain}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit else printf 'User %s is "%s"\n' "${ip}" "${username}" >&2 fi if ! path="${SSL_CONFIG_DIR:?}/${username:?}/${file}"; then printf 'ERROR! Username "%s" or SSL_CONFIG_DIR "%s" missing!\n' "${username}" "${SSL_CONFIG_DIR}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Check that the file exists if ! [ -f "${path}" ]; then printf 'ERROR! File missing: "%s"\n' "${path}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi # Try to return it to the user -if <"${path}" /usr/lib/wgapi/http_res 200; then +if <"${path}" /usr/lib/wagon/http_res 200; then printf 'Sent SSL file "%s" to %s\n' "${path}" "${username}" >&2 else printf 'ERROR! Failed to return file: "%s"\n' "${path}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi diff --git a/back/lib/fed/peer/add b/back/lib/fed/peer/add index 0a68c61..0d67a9b 100755 --- a/back/lib/fed/peer/add +++ b/back/lib/fed/peer/add @@ -4,7 +4,7 @@ # USAGE: add $remote_ip $querystring # QUERYSTRING: ?secret=$secret&pubkey=$pubkey&psk=$psk&ips=$allowedips -source /etc/wgapi/config +source /etc/wagon/config ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')" secret="$(<<<"${qs}" grep -oP 'secret=(.*)' | sed 's/^secret=//' | xargs)" pubkey="$(<<<"${qs}" grep -oP 'pubkey=(.*)' | sed 's/^pubkey=//' | xargs)" @@ -12,24 +12,24 @@ psk="$(<<<"${qs}" grep -oP 'psk=(.*)' | sed 's/^psk=//' | xargs)" allowedips="$(<<<"${qs}" grep -oP 'ips=(.*)' | sed 's/^ips=//' | xargs)" # Check that requesting ip is in the servers file -if ! sed '/^#/d' /etc/wgapi/servers | cut -f2,3 | grep -qw "${ip}"; then +if ! sed '/^#/d' /etc/wagon/servers | cut -f2,3 | grep -qw "${ip}"; then printf "ERROR! Federated server %s requested to create new peer but isn't in servers file!/n" "${ip}" >&2 - /usr/lib/wgapi/http_res 403; exit + /usr/lib/wagon/http_res 403; exit fi # Check server secret -local_secret="$(grep -w "^${LOCAL_SERVER}" /etc/wgapi/servers | cut -f7)" +local_secret="$(grep -w "^${LOCAL_SERVER}" /etc/wagon/servers | cut -f7)" if ! [ "${local_secret}" == "${secret}" ]; then printf "ERROR! Federated server %s provided a secret, %s, that doesn't match the one in our servers file, %s\n" "${ip}" "${secret}" "${local_secret}" >&2 - /usr/lib/wgapi/http_res 403; exit + /usr/lib/wagon/http_res 403; exit fi # Add peer to wireguard -if /usr/lib/wgapi/wg_peer_add "${pubkey}" "${psk}" "${allowedips}"; then +if /usr/lib/wagon/wg_peer_add "${pubkey}" "${psk}" "${allowedips}"; then printf 'Added %s to wireguard.\n' "${pubkey}" >&2 else printf 'ERROR! Failed to add %s to wireguard!\n' "${pubkey}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi -/usr/lib/wgapi/http_res 200 +/usr/lib/wagon/http_res 200 diff --git a/back/lib/fed/peer/del b/back/lib/fed/peer/del index 961ff40..f2e40c2 100755 --- a/back/lib/fed/peer/del +++ b/back/lib/fed/peer/del @@ -4,30 +4,30 @@ # USAGE: del $remote_ip $querystring # QUERYSTRING: ?secret=$secret&pubkey=$pubkey -source /etc/wgapi/config +source /etc/wagon/config ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')" secret="$(<<<"${qs}" grep -oP 'secret=(.*)' | sed 's/^secret=//' | xargs)" pubkey="$(<<<"${qs}" grep -oP 'pubkey=(.*)' | sed 's/^pubkey=//' | xargs)" # Check that requesting ip is in the servers file -if ! sed '/^#/d' /etc/wgapi/servers | cut -f2,3 | grep -qw "${ip}"; then +if ! sed '/^#/d' /etc/wagon/servers | cut -f2,3 | grep -qw "${ip}"; then printf "ERROR! Federated server %s requested to create new peer but isn't in servers file!/n" "${ip}" >&2 - /usr/lib/wgapi/http_res 403; exit + /usr/lib/wagon/http_res 403; exit fi # Check server secret -local_secret="$(grep -w "^${LOCAL_SERVER}" /etc/wgapi/servers | cut -f7)" +local_secret="$(grep -w "^${LOCAL_SERVER}" /etc/wagon/servers | cut -f7)" if ! [ "${local_secret}" == "${secret}" ]; then printf "ERROR! Federated server %s provided a secret, %s, that doesn't match the one in our servers file, %s\n" "${ip}" "${secret}" "${local_secret}" >&2 - /usr/lib/wgapi/http_res 403; exit + /usr/lib/wagon/http_res 403; exit fi # Delete peer from wireguard -if /usr/lib/wgapi/wg_peer_del "${pubkey}"; then +if /usr/lib/wagon/wg_peer_del "${pubkey}"; then printf 'Deleted %s from wireguard.\n' "${pubkey}" >&2 else printf 'ERROR! Failed to delete %s from wireguard!\n' "${pubkey}" >&2 - /usr/lib/wgapi/http_res 500; exit + /usr/lib/wagon/http_res 500; exit fi -/usr/lib/wgapi/http_res 200 \ No newline at end of file +/usr/lib/wagon/http_res 200 \ No newline at end of file diff --git a/back/lib/fed_peer_add b/back/lib/fed_peer_add index a0b4cc4..14fa77a 100755 --- a/back/lib/fed_peer_add +++ b/back/lib/fed_peer_add @@ -3,7 +3,7 @@ # DESCRIPTION: Sends details about a new peer to a federated server # USAGE: fed_peer_add url secret pubkey psk allowedips -source /etc/wgapi/config +source /etc/wagon/config url="${1}"; secret="${2}"; pubkey="${3}"; psk="${4}"; allowedips="${5}" if curl --silent -o /dev/null --fail --request POST --cacert "${SSL_CA_CERT}" "${url}?secret=${secret}&pubkey=${pubkey}&psk=${psk}&ips=${allowedips}"; then diff --git a/back/lib/fed_peer_del b/back/lib/fed_peer_del index dd75688..c53f782 100755 --- a/back/lib/fed_peer_del +++ b/back/lib/fed_peer_del @@ -3,7 +3,7 @@ # DESCRIPTION: Sends details to a federated server about a peer to be deleted # USAGE: fed_peer_del url secret pubkey -source /etc/wgapi/config +source /etc/wagon/config url="${1}"; secret="${2}"; pubkey="${3}" if curl --silent -o /dev/null --fail --request DELETE --cacert "${SSL_CA_CERT}" "${url}?secret=${secret}&pubkey=${pubkey}"; then diff --git a/back/lib/http_res b/back/lib/http_res index 8454344..877e6e1 100755 --- a/back/lib/http_res +++ b/back/lib/http_res @@ -1,5 +1,5 @@ #!/bin/bash -# FILE: wgapi:back/lib/http/res +# FILE: wagon:back/lib/http/res # DESCRIPTION: Formats an http response from arguments # USAGE: [printf "message" |] res [200] [text/plain] diff --git a/back/lib/ips_to_peers b/back/lib/ips_to_peers index 84de325..940db2b 100755 --- a/back/lib/ips_to_peers +++ b/back/lib/ips_to_peers @@ -9,11 +9,11 @@ # 5: Invalid format # 6: Config file not found -source /etc/wgapi/config +source /etc/wagon/config format="${1}" # Perform AXFR lookup -res="$(/usr/lib/wgapi/ns_lookup_axfr)" || exit 4 +res="$(/usr/lib/wagon/ns_lookup_axfr)" || exit 4 # This should read from stdin # TODO: Run this loop in parallel diff --git a/back/lib/ns_lookup_axfr b/back/lib/ns_lookup_axfr index 9cd7765..7f50541 100755 --- a/back/lib/ns_lookup_axfr +++ b/back/lib/ns_lookup_axfr @@ -1,5 +1,5 @@ #!/bin/bash -# FILE: wgapi:back/lib/ns_lookup_rxfr +# FILE: wagon:back/lib/ns_lookup_rxfr # DESCRIPTION: Get all records # USAGE: ns_lookup_rxfr # OUTPUT: The complete set of records for the TLD @@ -11,9 +11,9 @@ # 7: nslookup refused # 8: nslookup error -source /etc/wgapi/config +source /etc/wagon/config -res="$(/usr/lib/wgapi/ns_lookup_send "-query=AXFR" "${TLD}.")" +res="$(/usr/lib/wagon/ns_lookup_send "-query=AXFR" "${TLD}.")" case $? in 0) printf '%s' "${res}"; exit 0;; 4) printf 'Domain for %s not found!\n' "${1}" >&2; exit 4;; diff --git a/back/lib/ns_lookup_rdns b/back/lib/ns_lookup_rdns index 078f86d..a6f5828 100755 --- a/back/lib/ns_lookup_rdns +++ b/back/lib/ns_lookup_rdns @@ -1,5 +1,5 @@ #!/bin/bash -# FILE: wgapi:back/lib/ns_lookup_rdns +# FILE: wagon:back/lib/ns_lookup_rdns # DESCRIPTION: Get a domain from an IP address # USAGE: rdns ip # OUTPUT: The domain for that IP @@ -9,9 +9,9 @@ # 5: nslookup not found # 6: Bad usage -source /etc/wgapi/config +source /etc/wagon/config -domain="$(/usr/lib/wgapi/ns_lookup_send "${1}")" +domain="$(/usr/lib/wagon/ns_lookup_send "${1}")" case $? in 0) printf '%s' "${domain%.}" | cut -d'=' -f2 | xargs -0; exit 0;; 4) printf 'Domain for %s not found!\n' "${1}" >&2; exit 3;; diff --git a/back/lib/ns_lookup_send b/back/lib/ns_lookup_send index c64f1bf..b94434b 100755 --- a/back/lib/ns_lookup_send +++ b/back/lib/ns_lookup_send @@ -1,5 +1,5 @@ #!/bin/bash -# FILE: wgapi:back/lib/ns_lookup_send +# FILE: wagon:back/lib/ns_lookup_send # DESCRIPTION: Send nslookup command to DNS master server # USAGE: send [option] cmd # ERRORS: @@ -8,7 +8,7 @@ # 5: other nslookup error # 6: nslookup refused -source /etc/wgapi/config +source /etc/wagon/config # Ignore SC2068 and leave ${@} unquoted so it can expand if ! res="$(/usr/bin/nslookup ${@} "${DNS_MASTER}")" diff --git a/back/lib/ns_update_add b/back/lib/ns_update_add index 6c25446..a6486d6 100755 --- a/back/lib/ns_update_add +++ b/back/lib/ns_update_add @@ -1,14 +1,14 @@ #!/bin/bash -# FILE: wgapi:back/lib/ns/update/add +# FILE: wagon:back/lib/ns/update/add # DESCRIPTION: Add a new peer's domain to nameserver # USAGE: add domain ipv4 ipv6 -source /etc/wgapi/config +source /etc/wagon/config -/usr/lib/wgapi/ns_update_send "update add ${1}. ${DNS_TTL} A ${2} +/usr/lib/wagon/ns_update_send "update add ${1}. ${DNS_TTL} A ${2} update add ${1}. ${DNS_TTL} AAAA ${3} update add *.${1}. ${DNS_TTL} CNAME ${1}. send -update add $(/usr/lib/wgapi/ns_update_rev_ipv4 "${2}") ${DNS_TTL} PTR ${1}. +update add $(/usr/lib/wagon/ns_update_rev_ipv4 "${2}") ${DNS_TTL} PTR ${1}. send -update add $(/usr/lib/wgapi/ns_update_rev_ipv6 "${3}") ${DNS_TTL} PTR ${1}." || exit 1 +update add $(/usr/lib/wagon/ns_update_rev_ipv6 "${3}") ${DNS_TTL} PTR ${1}." || exit 1 diff --git a/back/lib/ns_update_del b/back/lib/ns_update_del index 0c639b8..92e2af7 100755 --- a/back/lib/ns_update_del +++ b/back/lib/ns_update_del @@ -1,14 +1,14 @@ #!/bin/bash -# FILE: wgapi:back/lib/ns/update/del +# FILE: wagon:back/lib/ns/update/del # DESCRIPTION: Use nsupdate to delete host RRs # USAGE: del domain ipv4 ipv6 -source /etc/wgapi/config +source /etc/wagon/config -/usr/lib/wgapi/ns_update_send "update delete ${1}. A +/usr/lib/wagon/ns_update_send "update delete ${1}. A update delete ${1}. AAAA update delete *.${1}. CNAME send -update delete $(/usr/lib/wgapi/ns_update_rev_ipv4 "${2}") PTR +update delete $(/usr/lib/wagon/ns_update_rev_ipv4 "${2}") PTR send -update delete $(/usr/lib/wgapi/ns_update_rev_ipv6 "${3}") PTR" || exit 1 +update delete $(/usr/lib/wagon/ns_update_rev_ipv6 "${3}") PTR" || exit 1 diff --git a/back/lib/ns_update_rev_ipv4 b/back/lib/ns_update_rev_ipv4 index 76874d9..f9c89f5 100755 --- a/back/lib/ns_update_rev_ipv4 +++ b/back/lib/ns_update_rev_ipv4 @@ -1,5 +1,5 @@ #!/bin/bash -# FILE: wgapi:back/lib/ns/update/rev_ipv4 +# FILE: wagon:back/lib/ns/update/rev_ipv4 # DESCRIPTION: Returns the rDNS reversed version of an IPv4 address # USAGE: rev_ipv4 10.2.0.1 # OUTPUT: 1.0.2.10.in-addr.arpa diff --git a/back/lib/ns_update_rev_ipv6 b/back/lib/ns_update_rev_ipv6 index 7c9f64d..b328726 100755 --- a/back/lib/ns_update_rev_ipv6 +++ b/back/lib/ns_update_rev_ipv6 @@ -1,5 +1,5 @@ #!/bin/bash -# FILE: wgapi:back/lib/ns/update/rev_ipv6 +# FILE: wagon:back/lib/ns/update/rev_ipv6 # DESCRIPTION: Returns the rDNS reversed version of an IPv6 address # USAGE: rev_ipv6 ... # OUTPUT: ...ip6.arpa diff --git a/back/lib/ns_update_send b/back/lib/ns_update_send index 495a50f..62bef71 100755 --- a/back/lib/ns_update_send +++ b/back/lib/ns_update_send @@ -1,9 +1,9 @@ #!/bin/bash -# FILE: wgapi:back/lib/ns/update/send +# FILE: wagon:back/lib/ns/update/send # DESCRIPTION: Send stuff to the nsupdate server # USAGE: send cmd -source /etc/wgapi/config +source /etc/wagon/config printf 'server %s\n%s\nsend\n' "${DNS_MASTER}" "${1}" \ | nsupdate -y "${DNS_KEY}" | tee >(cat 1>&2) diff --git a/back/lib/ssl_peer_add b/back/lib/ssl_peer_add index 2cdb2f9..e20b433 100755 --- a/back/lib/ssl_peer_add +++ b/back/lib/ssl_peer_add @@ -1,5 +1,5 @@ #!/bin/bash -# FILE: wgapi:back/lib/ssl/peer/add +# FILE: wagon:back/lib/ssl/peer/add # DESCRIPTION: Create SSL certs for a new host # USAGE: add hostname username ipstring # ERRORS: @@ -7,7 +7,7 @@ # 7: openssl failed # 8: failed to set permissions -source /etc/wgapi/config +source /etc/wagon/config hostname="${1}"; username="${2}"; ipstring="${3}" # Make a directory for the new files diff --git a/back/lib/ssl_peer_del b/back/lib/ssl_peer_del index ccd0547..d99f088 100755 --- a/back/lib/ssl_peer_del +++ b/back/lib/ssl_peer_del @@ -1,9 +1,9 @@ #!/bin/bash -# FILE: wgapi:back/lib/ssl/peer/del +# FILE: wagon:back/lib/ssl/peer/del # DESCRIPTION: Delete SSL cert for a removed device # USAGE: del hostname username -source /etc/wgapi/config +source /etc/wagon/config hostname="${1}"; username="${2}" if ! sudo rm -rf "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/" 2>/dev/null; then diff --git a/back/lib/wg_peer_add b/back/lib/wg_peer_add index d36f7ec..fb76cf8 100755 --- a/back/lib/wg_peer_add +++ b/back/lib/wg_peer_add @@ -1,9 +1,9 @@ #!/bin/bash -# FILE: wgapi:back/lib/wg/peer/add +# FILE: wagon:back/lib/wg/peer/add # DESCRIPTION: Add a new peer to a wireguard interface # USAGE: add pubkey psk allowedips -source /etc/wgapi/config +source /etc/wagon/config pubkey="${1}"; psk="${2}"; allowedips="${3}" if ! res="$(printf '%s\n' "${psk}" | sudo /usr/bin/wg set "${TLD}" peer "${pubkey}" preshared-key /dev/stdin allowed-ips "${allowedips}")"; then diff --git a/back/lib/wg_peer_del b/back/lib/wg_peer_del index 3f73481..72d22b6 100755 --- a/back/lib/wg_peer_del +++ b/back/lib/wg_peer_del @@ -1,9 +1,9 @@ #!/bin/bash -# FILE: wgapi:back/lib/wg/peer/del +# FILE: wagon:back/lib/wg/peer/del # DESCRIPTION: Delete a peer from a wireguard interface # USAGE: del pubkey -source /etc/wgapi/config +source /etc/wagon/config if ! res="$(sudo /usr/bin/wg set "${TLD}" peer "${1}" remove)"; then printf 'ERROR! Wireguard failed: %s\n' "${res}" >&2 diff --git a/back/lib/wg_user_list b/back/lib/wg_user_list index 59e92b0..b8afdc3 100755 --- a/back/lib/wg_user_list +++ b/back/lib/wg_user_list @@ -1,15 +1,15 @@ #!/bin/bash -# FILE: wgapi:back/lib/wg/user/list +# FILE: wagon:back/lib/wg/user/list # DESCRIPTION: List all devices from all users # USAGE: list json|tsv -source /etc/wgapi/config +source /etc/wagon/config /usr/bin/wg show "${TLD}" allowed-ips | \ while IFS=$' ' read -r pubkey ipv4 ipv6; do ipv4="${ipv4%%/*}" ipv6="${ipv6%%/*}" - domain="$(/usr/lib/wgapi/ns_lookup_rdns "${ipv4}")" || exit 4 + domain="$(/usr/lib/wagon/ns_lookup_rdns "${ipv4}")" || exit 4 username="$(<<<"${domain}" cut -d'.' -f2)" hostname="$(<<<"${domain}" cut -d'.' -f1)" case "${2}" in diff --git a/docker-compose.yml.sample b/docker-compose.yml.sample index 7aa4b56..b4dca55 100644 --- a/docker-compose.yml.sample +++ b/docker-compose.yml.sample @@ -1,7 +1,7 @@ version: '3' networks: - wgapi: - name: wgapi + wagon: + name: wagon ipam: config: - subnet: "172.19.0.0/16" @@ -13,22 +13,22 @@ services: dockerfile: dashboard.Dockerfile args: PORT: 4442 - container_name: wgapi-dashboard-backend + container_name: wagon-dashboard-backend cap_add: - NET_ADMIN network_mode: host volumes: - '/etc/ssl/private:/etc/ssl/private' - - './etc:/etc/wgapi:ro' - - '/var/log/wgapi.log:/var/log/apache2/error.log' + - './etc:/etc/wagon:ro' + - '/var/log/wagon.log:/var/log/apache2/error.log' dashboard-frontend: build: context: front dockerfile: dashboard.Dockerfile - container_name: wgapi-dashboard-frontend + container_name: wagon-dashboard-frontend networks: - wgapi: + wagon: ipv4_address: 172.19.0.2 admin-backend: @@ -40,19 +40,19 @@ services: cap_add: - NET_ADMIN network_mode: host - container_name: wgapi-admin-backend + container_name: wagon-admin-backend volumes: - - '/var/log/wgapi.log:/var/log/apache2/error.log' + - '/var/log/wagon.log:/var/log/apache2/error.log' - '/etc/ssl/private:/etc/ssl/private' - - './etc:/etc/wgapi:ro' + - './etc:/etc/wagon:ro' admin-frontend: build: context: front dockerfile: admin.Dockerfile - container_name: wgapi-admin-frontend + container_name: wagon-admin-frontend networks: - wgapi: + wagon: ipv4_address: 172.19.0.3 fed-backend: @@ -64,7 +64,7 @@ services: cap_add: - NET_ADMIN network_mode: host - container_name: wgapi-fed-backend + container_name: wagon-fed-backend volumes: - - '/var/log/wgapi.log:/var/log/apache2/error.log' - - './etc:/etc/wgapi:ro' + - '/var/log/wagon.log:/var/log/apache2/error.log' + - './etc:/etc/wagon:ro' diff --git a/etc/servers.sample b/etc/servers.sample index 56803da..7b55126 100644 --- a/etc/servers.sample +++ b/etc/servers.sample @@ -1,3 +1,3 @@ # host ipv4 ipv6 pubkey wg-endpoint admin-endpoint secret -myhost1 10.3.0.1 fd69:1337:0:420:f4:f3:0:1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX= 123.123.123.123:51820 https://wgapi-admin.myhost2.tld XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -myhost2 10.3.0.2 fd69:1337:0:420:f4:f3:0:2 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX= 234.234.234.234:51820 https://wgapi-admin.myhost2.tld XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +myhost1 10.3.0.1 fd69:1337:0:420:f4:f3:0:1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX= 123.123.123.123:51820 https://wagon-admin.myhost2.tld XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +myhost2 10.3.0.2 fd69:1337:0:420:f4:f3:0:2 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX= 234.234.234.234:51820 https://wagon-admin.myhost2.tld XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX