Shellcheck, added server secret checks, removed double-quotes from library file calls
parent
62aade7f41
commit
ed69581682
|
@ -7,18 +7,18 @@ source /etc/wgapi/config
|
|||
case "${REQUEST_METHOD}" in
|
||||
|
||||
# List peers
|
||||
'GET') "/usr/lib/wgapi/admin/peer/list" "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
'GET') /usr/lib/wgapi/admin/peer/list "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
|
||||
# Add peer
|
||||
'POST') "/usr/lib/wgapi/admin/peer/add" "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
'POST') /usr/lib/wgapi/admin/peer/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
|
||||
# Delete peer
|
||||
'DELETE') "/usr/lib/wgapi/admin/peer/del" "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
'DELETE') /usr/lib/wgapi/admin/peer/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
|
||||
# Needed for CORS preflight
|
||||
'OPTIONS') "/usr/lib/wgapi/http_res" 200;;
|
||||
'OPTIONS') /usr/lib/wgapi/http_res 200;;
|
||||
|
||||
# Bad request
|
||||
*) printf 'Invalid HTTP verb' | "/usr/lib/wgapi/http_res" 405;;
|
||||
*) printf 'Invalid HTTP verb' | /usr/lib/wgapi/http_res 405;;
|
||||
|
||||
esac
|
||||
|
|
|
@ -7,14 +7,14 @@ source /etc/wgapi/config
|
|||
case "${REQUEST_METHOD}" in
|
||||
|
||||
# Add new user
|
||||
'POST') "/usr/lib/wgapi/admin/user/add" "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
'POST') /usr/lib/wgapi/admin/user/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
|
||||
# Delete user
|
||||
'DELETE') "/usr/lib/wgapi/admin/user/del" "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
'DELETE') /usr/lib/wgapi/admin/user/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
|
||||
# Needed for CORS preflight
|
||||
'OPTIONS') "/usr/lib/wgapi/http_res" 200;;
|
||||
'OPTIONS') /usr/lib/wgapi/http_res 200;;
|
||||
|
||||
# Bad request
|
||||
*) printf 'Invalid HTTP verb' | "/usr/lib/wgapi/http_res" 405;;
|
||||
*) printf 'Invalid HTTP verb' | /usr/lib/wgapi/http_res 405;;
|
||||
esac
|
||||
|
|
|
@ -7,18 +7,18 @@ source /etc/wgapi/config
|
|||
case "${REQUEST_METHOD}" in
|
||||
|
||||
# List peers
|
||||
'GET') "/usr/lib/wgapi/dashboard/peer/list" "${HTTP_X_REAL_IP}";;
|
||||
'GET') /usr/lib/wgapi/dashboard/peer/list "${HTTP_X_REAL_IP}";;
|
||||
|
||||
# Add peer
|
||||
'POST') "/usr/lib/wgapi/dashboard/peer/add" "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
'POST') /usr/lib/wgapi/dashboard/peer/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
|
||||
# Delete peer
|
||||
'DELETE') "/usr/lib/wgapi/dashboard/peer/del" "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
'DELETE') /usr/lib/wgapi/dashboard/peer/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
|
||||
# Needed for CORS preflight
|
||||
'OPTIONS') "/usr/lib/wgapi/http_res" 200;;
|
||||
'OPTIONS') /usr/lib/wgapi/http_res 200;;
|
||||
|
||||
# Bad request
|
||||
*) printf 'Invalid HTTP verb' | "/usr/lib/wgapi/http_res" 405;;
|
||||
*) printf 'Invalid HTTP verb' | /usr/lib/wgapi/http_res 405;;
|
||||
|
||||
esac
|
||||
|
|
|
@ -7,9 +7,9 @@ source /etc/wgapi/config
|
|||
case "${REQUEST_METHOD}" in
|
||||
|
||||
# Get cert
|
||||
'GET') "/usr/lib/wgapi/dashboard/ssl" "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
'GET') /usr/lib/wgapi/dashboard/ssl "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
|
||||
# Bad request
|
||||
*) printf 'Invalid HTTP verb' | "/usr/lib/wgapi/http_res" 405;;
|
||||
*) printf 'Invalid HTTP verb' | /usr/lib/wgapi/http_res 405;;
|
||||
|
||||
esac
|
||||
|
|
|
@ -7,15 +7,15 @@ source /etc/wgapi/config
|
|||
case "${REQUEST_METHOD}" in
|
||||
|
||||
# Add
|
||||
'POST') "/usr/lib/wgapi/fed/peer/add" "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
'POST') /usr/lib/wgapi/fed/peer/add "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
|
||||
# Delete
|
||||
'DELETE') "/usr/lib/wgapi/fed/peer/del" "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
'DELETE') /usr/lib/wgapi/fed/peer/del "${HTTP_X_REAL_IP}" "${QUERY_STRING}";;
|
||||
|
||||
# Needed for CORS preflight
|
||||
'OPTIONS') "/usr/lib/wgapi/http_res" 200;;
|
||||
'OPTIONS') /usr/lib/wgapi/http_res 200;;
|
||||
|
||||
# Bad request
|
||||
*) printf 'Invalid HTTP verb' | "/usr/lib/wgapi/http_res" 405;;
|
||||
*) printf 'Invalid HTTP verb' | /usr/lib/wgapi/http_res 405;;
|
||||
|
||||
esac
|
||||
|
|
|
@ -5,12 +5,12 @@
|
|||
# QUERYSTRING: ?t=$token&host=$newhostname&user=$username&num=$usernumber
|
||||
|
||||
source /etc/wgapi/config
|
||||
ip="${1}" & qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
|
||||
# Check token
|
||||
token_fail(){
|
||||
printf 'Rejecting admin %s request for new peer due to %s token\n' "${ip}" "${1}" >&2
|
||||
printf 'Invalid token\n' | "/usr/lib/wgapi/http_res" 403; exit
|
||||
printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit
|
||||
}
|
||||
saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)"
|
||||
[ "${saved_token}" == "" ] && token_fail 'missing' &
|
||||
|
@ -23,9 +23,9 @@ username="$(<<<"${qs}" grep -oP 'user=(.*)' | sed 's/^user=//')"
|
|||
usernumber="$(<<<"${qs}" grep -oP 'num=(.*)' | sed 's/^num=//')"
|
||||
if ! domain="${hostname:?}.${username:?}.${TLD:?}"; then
|
||||
printf 'ERROR! Hostname "%s" or username "%s" or tld "%s" missing!\n' "${hostname}" "${username}" "${TLD}" >&2
|
||||
printf 'Hostname or username missing!\n' | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'Hostname or username missing!\n' | /usr/lib/wgapi/http_res 400; exit
|
||||
elif [[ "${usernumber}" == "" ]]; then
|
||||
printf 'Usernumber missing!\n' | tee >(cat 1>&2) | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'Usernumber missing!\n' | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 400; exit
|
||||
else
|
||||
printf 'Admin %s requested new peer %s for user number %s\n' "${ip}" "${domain}" "${usernumber}" >&2
|
||||
fi
|
||||
|
@ -33,36 +33,36 @@ fi
|
|||
# Check hostname length
|
||||
if ! [[ ${#hostname} -ge 3 ]]; then
|
||||
printf 'Rejecting hostname %s because it is too short.\n' "${hostname}" >&2
|
||||
printf 'Hostname too short\n' | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'Hostname too short\n' | /usr/lib/wgapi/http_res 400; exit
|
||||
fi
|
||||
|
||||
# Check if new peer already exists
|
||||
if "/usr/lib/wgapi/ns_lookup_send" "${domain}" >/dev/null; then
|
||||
printf 'Host %s already exists!\n' "${domain}" | tee >(cat 1>&2) | "/usr/lib/wgapi/http_res" 409; exit
|
||||
if /usr/lib/wgapi/ns_lookup_send "${domain}" >/dev/null; then
|
||||
printf 'Host %s already exists!\n' "${domain}" | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 409; exit
|
||||
fi
|
||||
|
||||
# Get all peer IPs
|
||||
if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then
|
||||
printf 'ERROR! Wireguard failed!\n' >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Filter out the user's
|
||||
user_peers="$(grep "${IPV4_NET%.*.*}.${usernumber}." <<<"${wg_output}" 2>/dev/null)"
|
||||
if [ "${user_peers}" == "" ]; then
|
||||
printf "ERROR! Couldn't find any peers for %s!\n" "${IPV4_NET%.*.*}.${usernumber}." >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Get user peer domains
|
||||
if ! peers="$("/usr/lib/wgapi/ips_to_peers" tsv <<<"${user_peers}")"; then
|
||||
if ! peers="$(/usr/lib/wgapi/ips_to_peers tsv <<<"${user_peers}")"; then
|
||||
printf 'ERROR! Failed to retrieve peers for %s!\n' "${IPV4_NET%.*.*}.${usernumber}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Create new IPs
|
||||
ipv4s="$(<<<"${peers}" awk '{print $2}')"
|
||||
ipv6s="$(<<<"${peers}" awk '{print $3}')"
|
||||
#ipv6s="$(<<<"${peers}" awk '{print $3}')"
|
||||
# Increment hostnumber from 1 until an unused one is found
|
||||
used_hostnumbers="$(<<<"${ipv4s}" cut -d'.' -f4 | sort | uniq)"
|
||||
hostnumber=1; while <<<"${used_hostnumbers}" grep -q "${hostnumber}"
|
||||
|
@ -72,7 +72,7 @@ ipv4="${IPV4_NET%.*.*}.${usernumber}.${hostnumber}"
|
|||
ipv6="${IPV6_NET%:*:*}:${usernumber}:${hostnumber}"
|
||||
if ! printf 'IP addresses for %s created: %s %s\n' "${domain:?}" "${ipv4:?}" "${ipv6:?}" >&2; then
|
||||
printf 'ERROR! Failed to create IP addresses for %s!' "${domain}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Create wg config
|
||||
|
@ -81,13 +81,13 @@ pubkey="$(echo "${privkey}" | /usr/bin/wg pubkey)"
|
|||
address="${ipv4}/${IPV4_NET##*/},${ipv6}/${IPV6_NET##*/}"
|
||||
|
||||
# Update nameserver
|
||||
if "/usr/lib/wgapi/ns_update_add" "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
if /usr/lib/wgapi/ns_update_add "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
then printf 'Successfully added %s to DNS server.\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to add %s %s %s to DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2
|
||||
fi &
|
||||
|
||||
# Create SSL cert
|
||||
if "/usr/lib/wgapi/ssl_peer_add" "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}"
|
||||
if /usr/lib/wgapi/ssl_peer_add "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}"
|
||||
then printf 'Successfully signed SSL certs for %s\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to create certs for %s with IPS: %s %s!\n' "${domain}" "${ipv4}" "${ipv6}" >&2
|
||||
fi
|
||||
|
@ -101,17 +101,17 @@ while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey se
|
|||
if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then
|
||||
server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/${IPV4_NET#*/},${server_ipv6}/${IPV6_NET#*/}\nEndpoint=${server_endpoint}\n"
|
||||
# Add new user to local wireguard
|
||||
if "/usr/lib/wgapi/wg_peer_add" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then
|
||||
if /usr/lib/wgapi/wg_peer_add "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then
|
||||
printf 'Added %s to local wireguard server.\n' "${domain}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to add %s to local wireguard server!\n' "${domain}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
# Remote server
|
||||
else
|
||||
server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/32,${server_ipv6}/128\nEndpoint=${server_endpoint}\n"
|
||||
# Send new user config to federated server
|
||||
if "/usr/lib/wgapi/fed_peer_add" "${server_admin}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then
|
||||
if /usr/lib/wgapi/fed_peer_add "${server_url}" "${server_secret}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then
|
||||
printf 'Sent %s to remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to send %s to remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2
|
||||
|
@ -119,4 +119,4 @@ while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey se
|
|||
fi
|
||||
done </etc/wgapi/servers
|
||||
wg_config="[Interface] # ${hostname}.${username}.${TLD}\nPrivateKey=${privkey:?}\nAddress=${address:?}\n${WG_DNS}\n${server_blocks:?}"
|
||||
<<<"${wg_config}" "/usr/lib/wgapi/http_res" 202
|
||||
<<<"${wg_config}" /usr/lib/wgapi/http_res 202
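Review bot: The missing-token check in this file's first hunk, `[ "${saved_token}" == "" ] && token_fail 'missing' &`, backgrounds the whole AND-list, so token_fail's `exit` only ends a subshell and the request carries on with an empty saved_token — the same `&`-for-`;` slip this commit fixes on the `ip=`/`qs=` line two lines above; drop the trailing `&`. The lookup itself, `grep "${ip}" /var/local/wgapi/tokens`, is an unanchored regex in which each `.` matches any character, so 10.0.0.1 also matches a 10.0.0.10 entry; assuming the IP is the first tab-separated field (the `cut -f2` suggests a tab-delimited file), `saved_token="$(awk -F'\t' -v ip="${ip}" '$1 == ip { print $2 }' /var/local/wgapi/tokens)"` matches it exactly. Both issues repeat verbatim in the other admin handlers touched by this commit. Note too that `ip` is HTTP_X_REAL_IP, which is only trustworthy if the CGI is reachable solely through a proxy that overwrites that header; a client that can reach it directly can choose which token row it is checked against. The token comparison that follows this check lies outside the hunk.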
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
# QUERYSTRING: ?t=$token&pubkey=$pubkey
|
||||
|
||||
source /etc/wgapi/config
|
||||
ip="${1}" & qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
|
||||
# Parse pubkey
|
||||
pubkey="$(<<<"${qs#}" grep 'pubkey=' | sed 's/pubkey=//')"
|
||||
|
@ -14,7 +14,7 @@ printf '%s requested to delete %s\n' "${ip}" "${pubkey}" >&2
|
|||
# Check token
|
||||
token_fail(){
|
||||
printf 'Rejecting admin %s request to delete peer due to %s token\n' "${ip}" "${1}" >&2
|
||||
printf 'Invalid token\n' | "/usr/lib/wgapi/http_res" 403; exit
|
||||
printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit
|
||||
}
|
||||
saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)"
|
||||
[ "${saved_token}" == "" ] && token_fail 'missing' &
|
||||
|
@ -24,33 +24,33 @@ printf '%s token was valid\n' "${ip}" >&2
|
|||
# Get peer IP list
|
||||
if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then
|
||||
printf 'ERROR! Wireguard failed!\n' >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Filter out this user's
|
||||
user_peer="$(grep "${pubkey}" <<<"${wg_output}" 2>/dev/null)"
|
||||
if [ "${user_peer}" == "" ]; then
|
||||
printf 'ERROR! Could not find user for pubkey %s!\n' "${pubkey}" >&2
|
||||
printf 'Peer not found' | "/usr/lib/wgapi/http_res" 404; exit
|
||||
printf 'Peer not found' | /usr/lib/wgapi/http_res 404; exit
|
||||
fi
|
||||
|
||||
# Get peer domains
|
||||
if ! peer="$("/usr/lib/wgapi/ips_to_peers" tsv <<<"${user_peer}" | grep "${pubkey}")"; then
|
||||
if ! peer="$(/usr/lib/wgapi/ips_to_peers tsv <<<"${user_peer}" | grep "${pubkey}")"; then
|
||||
printf 'ERROR! Failed to lookup domain for pubkey %s!\n' "${pubkey}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
domain="$(<<<"${peer}" cut -f1)"
|
||||
ipv4="$(<<<"${peer}" cut -f2)"
|
||||
ipv6="$(<<<"${peer}" cut -f3)"
|
||||
if ! printf 'Delete request was for %s %s %s\n' "${domain:?}" "${ipv4:?}" "${ipv6:?}" >&2; then
|
||||
printf 'ERROR! Failed to collect peer data: %s %s %s\n' "${domain}" "${ipv4}" "${ipv6}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Make sure admin isn't deleting their own peer
|
||||
if [ "${ip}" == "${ipv4}" ] || [ "${ip}" == "${ipv6}" ]; then
|
||||
printf 'Admin requested to delete peer from itself: %s.\n' "${ip}" >&2
|
||||
printf 'You cannot delete a peer from itself!' | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'You cannot delete a peer from itself!' | /usr/lib/wgapi/http_res 400; exit
|
||||
fi
|
||||
|
||||
hostname="$(<<<"${domain}" cut -d'.' -f1)"
|
||||
|
@ -62,37 +62,37 @@ username="$(<<<"${domain}" cut -d'.' -f2)"
|
|||
for_server_do() {
|
||||
[[ ${server_hostname:0:1} = \# ]] && return # Ignore comments
|
||||
server_hostname="${1}"; server_ipv4="${2}"; server_ipv6="${3}"; server_pubkey="${4}"
|
||||
server_endpoint="${5}"; server_admin="${6}"; server_secret="${7}"
|
||||
server_endpoint="${5}"; server_url="${6}"; server_secret="${7}"
|
||||
if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then
|
||||
# Local server
|
||||
if "/usr/lib/wgapi/wg_peer_del" "${pubkey}"; then
|
||||
if /usr/lib/wgapi/wg_peer_del "${pubkey}"; then
|
||||
printf 'Deleted %s from local wireguard server.\n' "${domain}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to delete %s from local wireguard server!\n' "${domain}" >&2
|
||||
# TODO: clear existing progress
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
else
|
||||
# Federated server
|
||||
if "/usr/lib/wgapi/fed_peer_del" "${server_admin}" "${pubkey}"; then
|
||||
if /usr/lib/wgapi/fed_peer_del "${server_url}" "${server_secret}" "${pubkey}"; then
|
||||
printf 'Deleted %s from remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to delete %s from remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
fi
|
||||
}; while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey server_endpoint server_admin server_secret
|
||||
do for_server_do "${server_hostname}" "${server_ipv4}" "${server_ipv6}" "${server_pubkey}" "${server_endpoint}" "${server_admin}" "${server_secret}" &
|
||||
}; while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey server_endpoint server_url server_secret
|
||||
do for_server_do "${server_hostname}" "${server_ipv4}" "${server_ipv6}" "${server_pubkey}" "${server_endpoint}" "${server_url}" "${server_secret}" &
|
||||
done </etc/wgapi/servers &
|
||||
|
||||
# Update nameserver
|
||||
if "/usr/lib/wgapi/ns_update_del" "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
if /usr/lib/wgapi/ns_update_del "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
then printf 'Successfully deleted %s from DNS server.\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to delete %s %s %s from DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2
|
||||
fi &
|
||||
|
||||
# Delete SSL cert
|
||||
if "/usr/lib/wgapi/ssl_peer_del" "${hostname:?}" "${username:?}"
|
||||
if /usr/lib/wgapi/ssl_peer_del "${hostname:?}" "${username:?}"
|
||||
then printf 'Successfully deleted SSL certs for %s\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to delete certs for %s!\n' "${domain}" >&2
|
||||
fi
|
||||
|
@ -101,4 +101,4 @@ fi
|
|||
# Do it before updating nameserver and certs because
|
||||
# if wireguard worked, there's no going back. The admin
|
||||
# can clean up missing records and certs after checking the logs
|
||||
printf 'Deleted %s.%s.%s' "${hostname}" "${username}" "${TLD}" | "/usr/lib/wgapi/http_res" 202
|
||||
printf 'Deleted %s.%s.%s' "${hostname}" "${username}" "${TLD}" | /usr/lib/wgapi/http_res 202
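Review bot: `pubkey`, parsed from the query string in this file's first hunk without any character filtering, is interpolated as a regex into `grep "${pubkey}" <<<"${wg_output}"` and again into the `ips_to_peers tsv ... | grep "${pubkey}"` pipeline, so a value such as `.` selects every peer and the resulting multi-line `domain`/`ipv4`/`ipv6` are handed to wg_peer_del, ns_update_del and ssl_peer_del. Validate the key shape before use, e.g. `[[ "${pubkey}" =~ ^[A-Za-z0-9+/]{43}=$ ]] || { printf 'Invalid pubkey\n' | /usr/lib/wgapi/http_res 400; exit; }` (WireGuard keys are 44-character base64; if the front end percent-encodes `+`, `/` and `=`, decode first), and match literally with `grep -F --`. Separately, the per-server deletion loop runs as `done </etc/wgapi/servers &` and the DNS update as `fi &`, yet the final 202 is written without a `wait`, and the `exit` on the 500 paths inside the backgrounded for_server_do only ends that subshell, so a remote failure can never reach the client; add `wait` before the response and surface failures from the log. The token check here carries the same trailing `&` as in the peer-add handler and therefore does not stop the request on a missing token.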
|
|
@ -5,7 +5,7 @@
|
|||
# QUERYSTRING: ?un=$username
|
||||
|
||||
source /etc/wgapi/config
|
||||
ip="${1}" & qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
un="$(<<<"${qs}" grep -oP 'un=(.*)' | sed 's/^un=//' | xargs)"
|
||||
printf 'Admin %s requested peer listing...\n' "${ip}" >&2
|
||||
|
||||
|
@ -20,7 +20,7 @@ fi
|
|||
# Get peer IP list
|
||||
if ! peers="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then
|
||||
printf 'ERROR! Wireguard failed!\n' >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Filter out single user (if provided)
|
||||
|
@ -28,15 +28,15 @@ if [ "${un}" != '' ]; then
|
|||
peers="$(grep "${IPV4_NET%.*.*}\.${un}\." <<<"${peers}" 2>/dev/null)"
|
||||
if [ "${peers}" == '' ]; then
|
||||
printf 'User number %s not found!\n' "${un}" >&2
|
||||
printf 'User not found!\n' | "/usr/lib/wgapi/http_res" 404; exit
|
||||
printf 'User not found!\n' | /usr/lib/wgapi/http_res 404; exit
|
||||
fi
|
||||
fi
|
||||
|
||||
# Get domains for each peer
|
||||
if peers="[$("/usr/lib/wgapi/ips_to_peers" json <<<"${peers}")]"; then
|
||||
printf '{"token":"%s","peers":%s}' "${token:?}" "${peers:?}" | "/usr/lib/wgapi/http_res" 200 'application/json'
|
||||
if peers="[$(/usr/lib/wgapi/ips_to_peers json <<<"${peers}")]"; then
|
||||
printf '{"token":"%s","peers":%s}' "${token:?}" "${peers:?}" | /usr/lib/wgapi/http_res 200 'application/json'
|
||||
printf 'Sent peers to admin %s\n' "${ip}" >&2
|
||||
else
|
||||
printf 'ERROR: Failed to lookup user domain: %s\n' "${ip}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
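Review bot: `un` is taken from the query string with only `xargs` as a trim and then spliced into the regex `"${IPV4_NET%.*.*}\.${un}\."` in the last hunk, so a non-numeric value is silently accepted as a pattern instead of being rejected, and with GNU xargs a stray quote character makes xargs fail, leaving `un` empty and the request quietly falling back to the full listing rather than a 400. Since a user number is an integer, reject anything else up front: `[[ -z "${un}" || "${un}" =~ ^[0-9]+$ ]] || { printf 'Invalid user number\n' | /usr/lib/wgapi/http_res 400; exit; }`, and match it with `grep -F -- "${IPV4_NET%.*.*}.${un}."` so the network prefix's dots are literal as well. The token check and any earlier validation lie outside these hunks.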
|
||||
|
|
|
@ -5,12 +5,12 @@
|
|||
# QUERYSTRING: ?t=$token&host=$hostname&user=$username
|
||||
|
||||
source /etc/wgapi/config
|
||||
ip="${1}" & qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
|
||||
# Check token
|
||||
token_fail(){
|
||||
printf 'Rejecting admin %s request for new peer due to %s token\n' "${ip}" "${1}" >&2
|
||||
printf 'Invalid token\n' | "/usr/lib/wgapi/http_res" 403; exit
|
||||
printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit
|
||||
}
|
||||
saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)"
|
||||
[ "${saved_token}" == "" ] && token_fail 'missing' &
|
||||
|
@ -22,34 +22,34 @@ hostname="$(<<<"${qs}" grep -oP 'host=(.*)' | sed 's/^host=//' | xargs | tr -dc
|
|||
username="$(<<<"${qs}" grep -oP 'user=(.*)' | sed 's/^user=//' | xargs | tr -dc 'a-z0-9' | head -c10)"
|
||||
if ! domain="${hostname:?}.${username:?}.${TLD:?}"; then
|
||||
printf 'ERROR! Hostname "%s" or username "%s" or tld "%s" missing!\n' "${hostname}" "${username}" "${TLD}" >&2
|
||||
printf 'Hostname or username missing!\n' | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'Hostname or username missing!\n' | /usr/lib/wgapi/http_res 400; exit
|
||||
else
|
||||
printf 'Admin %s requested new user created with initial peer of %s\n' "${ip}" "${domain}" >&2
|
||||
fi
|
||||
if ! [[ ${#hostname} -ge 3 ]]; then
|
||||
printf 'Rejecting hostname %s because it is too short.\n' "${hostname}" >&2
|
||||
printf 'Hostname too short\n' | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'Hostname too short\n' | /usr/lib/wgapi/http_res 400; exit
|
||||
elif ! [[ ${#username} -ge 3 ]]; then
|
||||
printf 'Rejecting username %s because it is too short.\n' "${username}" >&2
|
||||
printf 'Username too short\n' | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'Username too short\n' | /usr/lib/wgapi/http_res 400; exit
|
||||
fi
|
||||
|
||||
# Check if user already exists
|
||||
if "/usr/lib/wgapi/ns_lookup_rxfr" | grep ".${username}.${TLD}" >/dev/null; then
|
||||
printf 'User %s already exists!\n' "${username}" | tee >(cat 1>&2) | "/usr/lib/wgapi/http_res" 409
|
||||
if /usr/lib/wgapi/ns_lookup_rxfr | grep ".${username}.${TLD}" >/dev/null; then
|
||||
printf 'User %s already exists!\n' "${username}" | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 409
|
||||
exit
|
||||
fi
|
||||
|
||||
# Get all peer IPs
|
||||
if ! peers="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then
|
||||
printf 'ERROR! Wireguard failed!\n' >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Create new IPs
|
||||
hostnumber='1'
|
||||
ipv4s="$(printf '%s\n' "${peers}" | awk '{print $2,$3}' | tr ' ' '\n' | grep '\.' | cut -d'/' -f1)"
|
||||
ipv6s="$(printf '%s\n' "${peers}" | awk '{print $2,$3}' | tr ' ' '\n' | grep '\:' | cut -d'/' -f1)"
|
||||
#ipv6s="$(printf '%s\n' "${peers}" | awk '{print $2,$3}' | tr ' ' '\n' | grep '\:' | cut -d'/' -f1)"
|
||||
# Increment hostnumber from 1 until an unused one is found
|
||||
used_usernumbers="$(<<<"${ipv4s}" cut -d'.' -f3 | sort | uniq)"
|
||||
usernumber=1; while <<<"${used_usernumbers}" grep -q "${usernumber}"
|
||||
|
@ -59,7 +59,7 @@ ipv4="${IPV4_NET%.*.*}.${usernumber}.${hostnumber}"
|
|||
ipv6="${IPV6_NET%:*:*}:${usernumber}:${hostnumber}"
|
||||
if ! printf 'IP addresses for %s created: %s %s\n' "${domain:?}" "${ipv4:?}" "${ipv6:?}" >&2; then
|
||||
printf 'ERROR! Failed to create IP addresses for %s!' "${domain}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Create wg config
|
||||
|
@ -68,7 +68,7 @@ pubkey="$(echo "${privkey}" | /usr/bin/wg pubkey)"
|
|||
address="${ipv4}/${IPV4_NET##*/},${ipv6}/${IPV6_NET##*/}"
|
||||
|
||||
# Update nameserver
|
||||
if "/usr/lib/wgapi/ns_update_add" "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
if /usr/lib/wgapi/ns_update_add "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
then printf 'Successfully added %s to DNS server.\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to add %s %s %s to DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2
|
||||
fi &
|
||||
|
@ -76,9 +76,9 @@ fi &
|
|||
# Create SSL cert
|
||||
if ! sudo mkdir "${SSL_CONFIG_DIR:?}/${username:?}/"; then
|
||||
printf 'Failed to create directory %s/%s/:\n' "${SSL_CONFIG_DIR}" "${username}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
if "/usr/lib/wgapi/ssl_peer_add" "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}"
|
||||
if /usr/lib/wgapi/ssl_peer_add "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}"
|
||||
then printf 'Successfully signed SSL certs for %s\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to create certs for %s with IPS: %s %s!\n' "${domain}" "${ipv4}" "${ipv6}" >&2
|
||||
fi
|
||||
|
@ -92,18 +92,18 @@ while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey se
|
|||
if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then
|
||||
server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/${IPV4_NET#*/},${server_ipv6}/${IPV6_NET#*/}\nEndpoint=${server_endpoint}\n"
|
||||
# Add new user to local wireguard
|
||||
if "/usr/lib/wgapi/wg_peer_add" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then
|
||||
if /usr/lib/wgapi/wg_peer_add "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then
|
||||
printf 'Added %s to local wireguard server.\n' "${domain}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to add %s to local wireguard server!\n' "${domain}" >&2
|
||||
# TODO: clear existing progress
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
# Remote server
|
||||
else
|
||||
server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/32,${server_ipv6}/128\nEndpoint=${server_endpoint}\n"
|
||||
# Send new user config to federated server
|
||||
if "/usr/lib/wgapi/fed_peer_add" "${server_admin}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then
|
||||
if /usr/lib/wgapi/fed_peer_add "${server_url}" "${server_secret}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then
|
||||
printf 'Sent %s to remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to send %s to remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2
|
||||
|
@ -111,4 +111,4 @@ while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey se
|
|||
fi
|
||||
done </etc/wgapi/servers
|
||||
wg_config="[Interface] # ${hostname}.${username}.${TLD}\nPrivateKey=${privkey:?}\nAddress=${address:?}\n${WG_DNS}\n${server_blocks:?}"
|
||||
<<<"${wg_config}" "/usr/lib/wgapi/http_res" 202
|
||||
<<<"${wg_config}" /usr/lib/wgapi/http_res 202
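Review bot: The existing-user check `ns_lookup_rxfr | grep ".${username}.${TLD}"` uses unescaped dots, so the pattern also matches names where those positions hold other characters — with a user `abob` already in the zone (`h.abob.tld`), creating `bob` is refused with 409 because the leading `.` matches the `a`; use a literal, quiet match: `if /usr/lib/wgapi/ns_lookup_rxfr | grep -qF -- ".${username}.${TLD}"; then`. In the federation hunk, `/usr/lib/wgapi/fed_peer_add "${server_url}" "${server_secret}" ... "${server_secret}"` now passes the secret twice; fed_peer_del in this same commit takes it once, as the second argument, so the trailing copy looks like a leftover of the old `server_admin` signature and is worth confirming against fed_peer_add. Either way the server secret and the peer PSK travel on argv, where any local user can read them from `ps`; passing them via stdin or the environment keeps them out of the process table. The while loop that reads /etc/wgapi/servers starts outside this hunk.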
|
||||
|
|
|
@ -5,12 +5,12 @@
|
|||
# QUERYSTRING: ?t=$token&user=$username&un=$usernumber
|
||||
|
||||
source /etc/wgapi/config
|
||||
ip="${1}" & qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
|
||||
# Check token
|
||||
token_fail(){
|
||||
printf 'Rejecting admin %s request for new peer due to %s token\n' "${ip}" "${1}" >&2
|
||||
printf 'Invalid token\n' | "/usr/lib/wgapi/http_res" 403; exit
|
||||
printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit
|
||||
}
|
||||
saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)"
|
||||
[ "${saved_token}" == "" ] && token_fail 'missing' &
|
||||
|
@ -21,9 +21,9 @@ printf '%s token was valid\n' "${ip}" >&2
|
|||
username="$(<<<"${qs}" grep -oP 'user=(.*)' | sed 's/^user=//')"
|
||||
usernumber="$(<<<"${qs}" grep -oP 'un=(.*)' | sed 's/^un=//')"
|
||||
if [[ "${username}" == "" ]]; then
|
||||
printf 'ERROR! Username missing!\n' | tee >(cat 1>&2) | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'ERROR! Username missing!\n' | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 400; exit
|
||||
elif [[ "${usernumber}" == "" ]]; then
|
||||
printf 'ERROR! Usernumber missing!\n' | tee >(cat 1>&2) |"/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'ERROR! Usernumber missing!\n' | tee >(cat 1>&2) |/usr/lib/wgapi/http_res 400; exit
|
||||
else
|
||||
printf 'Admin %s requested deletion of user "%s" with usernumber "%s"\n' "${ip}" "${username}" "${usernumber}" >&2
|
||||
fi
|
||||
|
@ -31,20 +31,20 @@ fi
|
|||
# Get all peer IPs
|
||||
if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then
|
||||
printf 'ERROR! Wireguard failed!\n' >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Filter out the user's
|
||||
user_peers="$(grep "${IPV4_NET%.*.*}.${usernumber}." <<<"${wg_output}" 2>/dev/null)"
|
||||
if [ "${user_peers}" == "" ]; then
|
||||
printf "ERROR! Couldn't find any peers for %s!\n" "${IPV4_NET%.*.*}.${usernumber}." >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Get user peer domains
|
||||
if ! peers="$("/usr/lib/wgapi/ips_to_peers" tsv <<<"${user_peers}")"; then
|
||||
if ! peers="$(/usr/lib/wgapi/ips_to_peers tsv <<<"${user_peers}")"; then
|
||||
printf 'ERROR! Failed to retrieve domains for peers for %s!\n' "${IPV4_NET%.*.*}.${usernumber}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Run this function in parallel in the while loop below
|
||||
|
@ -52,23 +52,23 @@ fi
|
|||
for_server_do() {
|
||||
[[ ${server_hostname:0:1} = \# ]] && return # Ignore comments
|
||||
server_hostname="${1}"; server_ipv4="${2}"; server_ipv6="${3}"; server_pubkey="${4}"
|
||||
server_endpoint="${5}"; server_admin="${6}"; server_secret="${7}"
|
||||
server_endpoint="${5}"; server_url="${6}"; server_secret="${7}"
|
||||
if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then
|
||||
# Local server
|
||||
if "/usr/lib/wgapi/wg_peer_del" "${pubkey}"; then
|
||||
if /usr/lib/wgapi/wg_peer_del "${pubkey}"; then
|
||||
printf 'Deleted %s from local wireguard server.\n' "${domain}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to delete %s from local wireguard server!\n' "${domain}" >&2
|
||||
# TODO: clear existing progress
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
else
|
||||
# Federated server
|
||||
if "/usr/lib/wgapi/fed_peer_del" "${server_admin}" "${pubkey}"; then
|
||||
if /usr/lib/wgapi/fed_peer_del "${server_url}" "${server_secret}" "${pubkey}"; then
|
||||
printf 'Deleted %s from remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to delete %s from remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -80,12 +80,12 @@ delete_peer() {
|
|||
printf 'Deleting peer %s\n' "${domain}" >&2
|
||||
|
||||
# Remove peer from wireguard
|
||||
while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey server_endpoint server_admin server_secret
|
||||
do for_server_do "${server_hostname}" "${server_ipv4}" "${server_ipv6}" "${server_pubkey}" "${server_endpoint}" "${server_admin}" "${server_secret}" &
|
||||
while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey server_endpoint server_url server_secret
|
||||
do for_server_do "${server_hostname}" "${server_ipv4}" "${server_ipv6}" "${server_pubkey}" "${server_endpoint}" "${server_url}" "${server_secret}" &
|
||||
done </etc/wgapi/servers &
|
||||
|
||||
# Remove peer from nameserver
|
||||
if "/usr/lib/wgapi/ns_update_del" "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
if /usr/lib/wgapi/ns_update_del "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
then printf 'Successfully deleted %s from DNS server.\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to delete %s %s %s from DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2
|
||||
fi
|
||||
|
@ -104,4 +104,4 @@ fi
|
|||
# Do it before updating nameserver and certs because
|
||||
# if wireguard worked, there's no going back. The admin
|
||||
# can clean up missing records and certs after checking the logs
|
||||
printf 'Deleted %s' "${username}" | "/usr/lib/wgapi/http_res" 202
|
||||
printf 'Deleted %s' "${username}" | /usr/lib/wgapi/http_res 202
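Review bot: `usernumber` is parsed in the first hunk with no character filtering (user/add in this same commit applies `tr -dc 'a-z0-9' | head -c10` to its inputs) and is then interpolated as a regex into `grep "${IPV4_NET%.*.*}.${usernumber}." <<<"${wg_output}"`, which is the sole selector for the peers that get deleted; a value such as `.*` matches every peer on the interface. Reject anything but digits before use, `[[ "${usernumber}" =~ ^[0-9]+$ ]] || { printf 'Invalid usernumber\n' | /usr/lib/wgapi/http_res 400; exit; }`, and match literally with `grep -F -- "${IPV4_NET%.*.*}.${usernumber}."`. As far as these hunks show, `username` is only logged and echoed in the final `Deleted %s` line and never compared with the domains ips_to_peers returns, so a mismatched user/un pair deletes whichever user owns that number — if that is intended, say so in a comment. The missing-token branch `token_fail 'missing' &` is backgrounded here as in the other handlers, so its `exit` does not stop the request. delete_peer and the loop that calls it start outside these hunks.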
|
|
@ -5,20 +5,20 @@
|
|||
# QUERYSTRING: ?t=$token&name=$hostname
|
||||
|
||||
source /etc/wgapi/config
|
||||
ip="${1}" & qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
|
||||
# Check hostname
|
||||
hostname="$(<<<"${qs}" grep -oP 'name=(.*)' | sed 's/^name//' | xargs | tr -dc 'a-z0-9' | head -c10)"
|
||||
printf '%s requested new peer with hostname %s\n' "${ip}" "${hostname}" >&2
|
||||
if ! [[ ${#hostname} -ge 3 ]]; then
|
||||
printf 'Rejecting hostname %s because it is too short.\n' "${hostname}" >&2
|
||||
printf 'Hostname too short\n' | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'Hostname too short\n' | /usr/lib/wgapi/http_res 400; exit
|
||||
fi
|
||||
|
||||
# Check token
|
||||
token_fail(){
|
||||
printf 'Rejecting %s request for new peer due to %s token\n' "${ip}" "${1}" >&2
|
||||
printf 'Invalid token\n' | "/usr/lib/wgapi/http_res" 403; exit
|
||||
printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit
|
||||
}
|
||||
saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)"
|
||||
[ "${saved_token}" == "" ] && token_fail 'missing' &
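Review bot: The trailing `&` on `[ "${saved_token}" == "" ] && token_fail 'missing' &` has the same effect as the `ip="${1}" & qs=…` this hunk fixes: `token_fail` runs in a background subshell, so its `exit` cannot stop the main script, which proceeds past the token check while the 403 is written concurrently. Unless the lines between this hunk and the next reject an empty `saved_token` a second time, a request with no stored token is still processed; drop the `&` here and on the identical line in the delete handler's hunk at `@ -14,7 +14,7 @@`. The lookup `grep "${ip}" /var/local/wgapi/tokens | cut -f2` is also an unanchored regex match, so `10.3.1.1` would match the row for `10.3.1.10`; if the file is `ip<TAB>token`, an exact first-field match such as `awk -v ip="${ip}" '$1 == ip {print $2}' /var/local/wgapi/tokens` pins it.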
|
||||
|
@ -26,17 +26,17 @@ saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)"
|
|||
printf '%s token was valid\n' "${ip}" >&2
|
||||
|
||||
# Check user
|
||||
username="$("/usr/lib/wgapi/ns_lookup_rdns" "${ip}" | cut -d'.' -f2)" || (
|
||||
username="$(/usr/lib/wgapi/ns_lookup_rdns "${ip}" | cut -d'.' -f2)" || (
|
||||
printf 'User domains not found for %s\n' "${ip}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
)
|
||||
printf '%s identified as %s\n' "${ip}" "${username}" >&2
|
||||
domain="${hostname}.${username}.${TLD}"
|
||||
|
||||
# Check if new peer already exists
|
||||
if "/usr/lib/wgapi/ns_lookup_send" "${domain}" >/dev/null; then
|
||||
if /usr/lib/wgapi/ns_lookup_send "${domain}" >/dev/null; then
|
||||
printf '%s.%s.%s already exists!\n' "${hostname}" "${username}" "${TLD}" >&2
|
||||
printf 'Hostname %s already exists!\n' "${hostname}" | "/usr/lib/wgapi/http_res" 409; exit
|
||||
printf 'Hostname %s already exists!\n' "${hostname}" | /usr/lib/wgapi/http_res 409; exit
|
||||
fi
|
||||
|
||||
# Create new domain
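Review bot: The `exit` following the new-side line `username="$(/usr/lib/wgapi/ns_lookup_rdns "${ip}" | cut -d'.' -f2)" || (` runs inside a `( … )` subshell, so it only ends that subshell; the script continues with an empty `username` and builds `domain="${hostname}..${TLD}"`. The `||` also tests the status of `cut`, the last stage of the pipeline, not of `ns_lookup_rdns`, so unless `pipefail` is set in `/etc/wgapi/config` the branch never fires on a lookup failure. Test the lookup on its own and use a `{ …; }` group, e.g. `if ! domain="$(/usr/lib/wgapi/ns_lookup_rdns "${ip}")"; then /usr/lib/wgapi/http_res 500; exit; fi` followed by `username="$(<<<"${domain}" cut -d'.' -f2)"`, which is the shape the SSL file handler in this commit already uses.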
|
||||
|
@ -46,32 +46,32 @@ printf 'New domain will be %s\n' "${domain}" >&2
|
|||
# Get peer IP list
|
||||
if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then
|
||||
printf 'ERROR! Wireguard failed!\n' >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Filter out this user's
|
||||
user_peers="$(grep "${ip%[.:]*}" <<<"${wg_output}" 2>/dev/null)"
|
||||
if [ "${user_peers}" == "" ]; then
|
||||
printf "ERROR! %s accessed the dashboard but isn't on the network!\n" "${ip}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Get domains
|
||||
if ! peers="$("/usr/lib/wgapi/ips_to_peers" tsv <<<"${user_peers}")"; then
|
||||
if ! peers="$(/usr/lib/wgapi/ips_to_peers tsv <<<"${user_peers}")"; then
|
||||
printf 'ERROR! Failed to parse peers for %s!\n' "${ip}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Make sure hostname isn't taken
|
||||
hostnames="$(<<<"${peers}" awk '{print $1}' | cut -d'.' -f1)"
|
||||
if <<<"${hostnames}" grep -x "${hostname}"; then
|
||||
printf 'User %s already has a host named %s!\n' "${username}" "${hostname}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Create new IPs
|
||||
ipv4s="$(<<<"${peers}" awk '{print $2}')"
|
||||
ipv6s="$(<<<"${peers}" awk '{print $3}')"
|
||||
#ipv6s="$(<<<"${peers}" awk '{print $3}')"
|
||||
usernumber="$(<<<"${ipv4s}" head -n1 | cut -d'.' -f3)"
|
||||
# Increment hostnumber from 1 until an unused one is found
|
||||
used_hostnumbers="$(<<<"${ipv4s}" cut -d'.' -f4 | sort | uniq)"
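Review bot: The added line `#ipv6s="$(<<<"${peers}" awk '{print $3}')"` is a commented-out copy of the live assignment directly above it; either the old line was meant to be replaced or this is leftover debugging, and it should not be committed as-is. Separately, `if <<<"${hostnames}" grep -x "${hostname}"; then` prints the matching name to stdout, presumably the response stream that `http_res` later writes to; `grep -qx` keeps the test silent.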
|
||||
|
@ -82,7 +82,7 @@ ipv4="${IPV4_NET%.*.*}.${usernumber}.${hostnumber}"
|
|||
ipv6="${IPV6_NET%:*:*}:${usernumber}:${hostnumber}"
|
||||
if ! printf 'IP addresses for %s created: %s %s\n' "${domain:?}" "${ipv4:?}" "${ipv6:?}" >&2; then
|
||||
printf 'ERROR! Failed to create IP addresses for %s!' "${domain}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Create wg config
|
||||
|
@ -91,13 +91,13 @@ pubkey="$(echo "${privkey}" | /usr/bin/wg pubkey)"
|
|||
address="${ipv4}/${IPV4_NET##*/},${ipv6}/${IPV6_NET##*/}"
|
||||
|
||||
# Update nameserver
|
||||
if "/usr/lib/wgapi/ns_update_add" "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
if /usr/lib/wgapi/ns_update_add "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
then printf 'Successfully added %s to DNS server.\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to add %s %s %s to DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2
|
||||
fi &
|
||||
|
||||
# Create SSL cert
|
||||
if "/usr/lib/wgapi/ssl_peer_add" "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}"
|
||||
if /usr/lib/wgapi/ssl_peer_add "${hostname:?}" "${username:?}" "IP:${ipv4},IP:${ipv6}"
|
||||
then printf 'Successfully signed SSL certs for %s\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to create certs for %s with IPS: %s %s!\n' "${domain}" "${ipv4}" "${ipv6}" >&2
|
||||
fi
|
||||
|
@ -111,17 +111,17 @@ while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey se
|
|||
if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then
|
||||
server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/${IPV4_NET#*/},${server_ipv6}/${IPV6_NET#*/}\nEndpoint=${server_endpoint}\n"
|
||||
# Add new user to local wireguard
|
||||
if "/usr/lib/wgapi/wg_peer_add" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then
|
||||
if /usr/lib/wgapi/wg_peer_add "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128"; then
|
||||
printf 'Added %s to local wireguard server.\n' "${domain}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to add %s to local wireguard server!\n' "${domain}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
# Remote server
|
||||
else
|
||||
server_blocks="${server_blocks}\n[Peer] # ${server_hostname}.${TLD}\nPublicKey=${server_pubkey}\nPresharedKey=${server_psk}\nAllowedIPs=${server_ipv4}/32,${server_ipv6}/128\nEndpoint=${server_endpoint}\n"
|
||||
# Send new user config to federated server
|
||||
if "/usr/lib/wgapi/fed_peer_add" "${server_admin}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then
|
||||
if /usr/lib/wgapi/fed_peer_add "${server_url}" "${server_secret}" "${pubkey}" "${server_psk}" "${ipv4}/32,${ipv6}/128" "${server_secret}"; then
|
||||
printf 'Sent %s to remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to send %s to remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2
|
||||
|
@ -129,4 +129,4 @@ while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey se
|
|||
fi
|
||||
done </etc/wgapi/servers
|
||||
wg_config="[Interface] # ${hostname}.${username}.${TLD}\nPrivateKey=${privkey:?}\nAddress=${address:?}\n${WG_DNS}\n${server_blocks:?}"
|
||||
<<<"${wg_config}" "/usr/lib/wgapi/http_res" 202
|
||||
<<<"${wg_config}" /usr/lib/wgapi/http_res 202
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
# QUERYSTRING: ?t=$token&pubkey=$pubkey
|
||||
|
||||
source /etc/wgapi/config
|
||||
ip="${1}" & qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
|
||||
# Parse pubkey
|
||||
pubkey="$(<<<"${qs#}" grep 'pubkey=' | sed 's/pubkey=//')"
|
||||
|
@ -14,7 +14,7 @@ printf '%s requested to delete %s\n' "${ip}" "${pubkey:?}" >&2
|
|||
# Check token
|
||||
token_fail(){
|
||||
printf 'Rejecting %s request to delete peer due to %s token\n' "${ip}" "${1}" >&2
|
||||
printf 'Invalid token\n' | "/usr/lib/wgapi/http_res" 403; exit
|
||||
printf 'Invalid token\n' | /usr/lib/wgapi/http_res 403; exit
|
||||
}
|
||||
saved_token="$(grep "${ip}" /var/local/wgapi/tokens | cut -f2)"
|
||||
[ "${saved_token}" == "" ] && token_fail 'missing' &
|
||||
|
@ -24,33 +24,33 @@ printf '%s token was valid\n' "${ip}" >&2
|
|||
# Get peer IP list
|
||||
if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then
|
||||
printf 'ERROR! Wireguard failed!\n' >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Filter out this user's
|
||||
user_peers="$(grep "${ip%[.:]*}" <<<"${wg_output}" 2>/dev/null)"
|
||||
if [ "${user_peers}" == "" ]; then
|
||||
printf "ERROR! %s accessed the dashboard but isn't on the network!\n" "${ip}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Get peer domains
|
||||
if ! peer="$("/usr/lib/wgapi/ips_to_peers" tsv <<<"${user_peers}" | grep "${pubkey}")"; then
|
||||
if ! peer="$(/usr/lib/wgapi/ips_to_peers tsv <<<"${user_peers}" | grep "${pubkey}")"; then
|
||||
printf 'ERROR! Peer %s not found for user %s!\n' "${pubkey}" "${ip}" >&2 &
|
||||
printf 'Peer not found\n' | "/usr/lib/wgapi/http_res" 404; exit
|
||||
printf 'Peer not found\n' | /usr/lib/wgapi/http_res 404; exit
|
||||
fi
|
||||
domain="$(<<<"${peer}" cut -f1)"
|
||||
ipv4="$(<<<"${peer}" cut -f2)"
|
||||
ipv6="$(<<<"${peer}" cut -f3)"
|
||||
if ! printf 'Delete request was for %s %s %s\n' "${domain:?}" "${ipv4:?}" "${ipv6:?}" >&2; then
|
||||
printf 'ERROR! Failed to collect peer data: %s %s %s\n' "${domain}" "${ipv4}" "${ipv6}" >&2 &
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Make sure user isn't deleting their own peer
|
||||
if [ "${ip}" == "${ipv4}" ] || [ "${ip}" == "${ipv6}" ]; then
|
||||
printf 'User requested to delete peer from itself: %s.\n' "${ip}" >&2
|
||||
printf 'You cannot delete a peer from itself!' | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'You cannot delete a peer from itself!' | /usr/lib/wgapi/http_res 400; exit
|
||||
fi
|
||||
|
||||
hostname="$(<<<"${domain}" cut -d'.' -f1)"
|
||||
|
@ -62,37 +62,37 @@ username="$(<<<"${domain}" cut -d'.' -f2)"
|
|||
for_server_do() {
|
||||
[[ ${server_hostname:0:1} = \# ]] && return # Ignore comments
|
||||
server_hostname="${1}"; server_ipv4="${2}"; server_ipv6="${3}"; server_pubkey="${4}"
|
||||
server_endpoint="${5}"; server_admin="${6}"; server_secret="${7}"
|
||||
server_endpoint="${5}"; server_url="${6}"; server_secret="${7}"
|
||||
if [ "${server_hostname}" == "${LOCAL_SERVER}" ]; then
|
||||
# Local server
|
||||
if "/usr/lib/wgapi/wg_peer_del" "${pubkey}"; then
|
||||
if /usr/lib/wgapi/wg_peer_del "${pubkey}"; then
|
||||
printf 'Deleted %s from local wireguard server.\n' "${domain}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to delete %s from local wireguard server!\n' "${domain}" >&2
|
||||
# TODO: clear existing progress
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
else
|
||||
# Federated server
|
||||
if "/usr/lib/wgapi/fed_peer_del" "${server_admin}" "${pubkey}"; then
|
||||
if /usr/lib/wgapi/fed_peer_del "${server_url}" "${server_secret}" "${pubkey}"; then
|
||||
printf 'Deleted %s from remote wireguard server %s.\n' "${domain}" "${server_hostname}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to delete %s from remote wireguard server %s!\n' "${domain}" "${server_hostname}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
fi
|
||||
}; while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey server_endpoint server_admin server_secret
|
||||
do for_server_do "${server_hostname}" "${server_ipv4}" "${server_ipv6}" "${server_pubkey}" "${server_endpoint}" "${server_admin}" "${server_secret}" &
|
||||
}; while IFS=$'\t' read -r server_hostname server_ipv4 server_ipv6 server_pubkey server_endpoint server_url server_secret
|
||||
do for_server_do "${server_hostname}" "${server_ipv4}" "${server_ipv6}" "${server_pubkey}" "${server_endpoint}" "${server_url}" "${server_secret}" &
|
||||
done </etc/wgapi/servers &
|
||||
|
||||
# Update nameserver
|
||||
if "/usr/lib/wgapi/ns_update_del" "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
if /usr/lib/wgapi/ns_update_del "${domain:?}" "${ipv4:?}" "${ipv6:?}"
|
||||
then printf 'Successfully deleted %s from DNS server.\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to delete %s %s %s from DNS server!\n' "${domain}" "${ipv4}" "${ipv6}" >&2
|
||||
fi &
|
||||
|
||||
# Create SSL cert
|
||||
if "/usr/lib/wgapi/ssl_peer_del" "${hostname:?}" "${username:?}"
|
||||
if /usr/lib/wgapi/ssl_peer_del "${hostname:?}" "${username:?}"
|
||||
then printf 'Successfully deleted SSL certs for %s\n' "${domain}" >&2
|
||||
else printf 'ERROR! Failed to delete certs for %s!\n' "${domain}" >&2
|
||||
fi
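Review bot: The `exit` after `/usr/lib/wgapi/http_res 500` in both branches of `for_server_do` cannot end the request, because the function is invoked as `for_server_do … &` from a loop that is itself backgrounded with `done </etc/wgapi/servers &`; only that background subshell exits, and the main script goes on to the DNS and certificate deletions and to the 202 in the next hunk. A failed `fed_peer_del` can therefore produce a 500 and a 202 on the same response, and the comment further down stating that the WireGuard step happens first no longer holds once it is backgrounded. If the fan-out is intended, collect the PIDs and `wait` on them before the DNS step, or have the function `return 1` and let the caller decide what to send; the same structure appears in the user-delete hunk at `@ -80,12 +80,12 @@`.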
|
||||
|
@ -101,4 +101,4 @@ fi
|
|||
# Do it before updating nameserver and certs because
|
||||
# if wireguard worked, there's no going back. The admin
|
||||
# can clean up missing records and certs after checking the logs
|
||||
printf 'Deleted %s.%s.%s' "${hostname}" "${username}" "${TLD}" | "/usr/lib/wgapi/http_res" 202
|
||||
printf 'Deleted %s.%s.%s' "${hostname}" "${username}" "${TLD}" | /usr/lib/wgapi/http_res 202
|
|
@ -18,21 +18,21 @@ fi
|
|||
# Get peer IP list
|
||||
if ! wg_output="$(sudo /usr/bin/wg show "${TLD}" allowed-ips)"; then
|
||||
printf 'ERROR! Wireguard failed!\n' >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Filter out this user's
|
||||
user_peers="$(grep "${ip%[.:]*}" <<<"${wg_output}" 2>/dev/null)"
|
||||
if [ "${user_peers}" == '' ]; then
|
||||
printf "ERROR! %s accessed the dashboard but isn't on the network!\n" "${ip}" >&2
|
||||
printf 'User not found!\n' | "/usr/lib/wgapi/http_res" 403; exit
|
||||
printf 'User not found!\n' | /usr/lib/wgapi/http_res 403; exit
|
||||
fi
|
||||
|
||||
# Get domains for each one
|
||||
if peers="[$("/usr/lib/wgapi/ips_to_peers" json <<<"${user_peers}")]"; then
|
||||
printf '{"token":"%s","peers":%s}' "${token}" "${peers}" | "/usr/lib/wgapi/http_res" 200 'application/json'
|
||||
if peers="[$(/usr/lib/wgapi/ips_to_peers json <<<"${user_peers}")]"; then
|
||||
printf '{"token":"%s","peers":%s}' "${token}" "${peers}" | /usr/lib/wgapi/http_res 200 'application/json'
|
||||
printf 'Sent peers to user %s\n' "${ip}" >&2
|
||||
else
|
||||
printf 'ERROR: Failed to lookup domains for user: %s\n' "${ip}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
|
|
@ -5,50 +5,50 @@
|
|||
# QUERYSTRING: ?host=$hostname&ext=crt
|
||||
|
||||
source /etc/wgapi/config
|
||||
ip="${1}" & qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
|
||||
# Parse querystring
|
||||
hostname="$(<<<"${qs}" grep -oP 'host=(.*)' | sed 's/^host=//' | xargs)" &
|
||||
hostname="$(<<<"${qs}" grep -oP 'host=(.*)' | sed 's/^host=//' | xargs)"
|
||||
ext="$(<<<"${qs}" grep -oP 'ext=(.*)' | sed 's/^ext=//' | xargs)"
|
||||
|
||||
if ! file="${hostname:?}/server.${ext:?}"; then
|
||||
printf 'ERROR! Hostname "%s" or extension "%s" missing!\n' "${hostname}" "${ext}" >&2
|
||||
printf 'Hostname or extension missing!\n' | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'Hostname or extension missing!\n' | /usr/lib/wgapi/http_res 400; exit
|
||||
else
|
||||
printf 'User %s requested SSL file %s\n' "${ip}" "${file}" >&2
|
||||
fi
|
||||
|
||||
# Make sure extension is 'crt' or 'key'
|
||||
if [ "${ext}" != 'crt' ] && [ "${ext}" != 'key' ]; then
|
||||
printf 'Invalid extension: %s\n' "${ext}" | tee >(cat 1>&2) | "/usr/lib/wgapi/http_res" 400; exit
|
||||
printf 'Invalid extension: %s\n' "${ext}" | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 400; exit
|
||||
fi
|
||||
|
||||
# Get username
|
||||
if ! domain="$("/usr/lib/wgapi/ns_lookup_rdns" "${ip}")"; then
|
||||
printf 'ERROR! Failed to lookup domain from user IP %s\n' "${ip}" | tee >(cat 1>&2) | "/usr/lib/wgapi/http_res" 500
|
||||
if ! domain="$(/usr/lib/wgapi/ns_lookup_rdns "${ip}")"; then
|
||||
printf 'ERROR! Failed to lookup domain from user IP %s\n' "${ip}" | tee >(cat 1>&2) | /usr/lib/wgapi/http_res 500
|
||||
exit 7
|
||||
fi; if ! username="$(<<<"${domain}" cut -d'.' -f2)"; then
|
||||
printf 'ERROR! Failed to parse username from domain "%s"\n' "${domain}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
else
|
||||
printf 'User %s is "%s"\n' "${ip}" "${username}" >&2
|
||||
fi
|
||||
|
||||
if ! path="${SSL_CONFIG_DIR:?}/${username:?}/${file}"; then
|
||||
printf 'ERROR! Username "%s" or SSL_CONFIG_DIR "%s" missing!\n' "${username}" "${SSL_CONFIG_DIR}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Check that the file exists
|
||||
if ! [ -f "${path}" ]; then
|
||||
printf 'ERROR! File missing: "%s"\n' "${path}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
|
||||
# Try to return it to the user
|
||||
if <"${path}" "/usr/lib/wgapi/http_res" 200; then
|
||||
if <"${path}" /usr/lib/wgapi/http_res 200; then
|
||||
printf 'Sent SSL file "%s" to %s\n' "${path}" "${username}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to return file: "%s"\n' "${path}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
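Review bot: `hostname` on the new-side line `hostname="$(<<<"${qs}" grep -oP 'host=(.*)' | sed 's/^host=//' | xargs)"` comes straight from the query string and is then placed into a filesystem path via `file="${hostname:?}/server.${ext:?}"` and `path="${SSL_CONFIG_DIR:?}/${username:?}/${file}"` with no check on its characters; `ext` is restricted to `crt`/`key`, but `hostname` may contain `/` or `..`, and the only remaining guard before the file is served is `[ -f "${path}" ]`, while every user's key material lives under the same `SSL_CONFIG_DIR`. Restrict it to the alphabet the peer-add handler already enforces, e.g. `[[ "${hostname}" =~ ^[a-z0-9]{3,10}$ ]] || { printf 'Invalid hostname\n' | /usr/lib/wgapi/http_res 400; exit; }` before `file` is built. Note also that `if ! file="${hostname:?}/server.${ext:?}"; then` tests an assignment, which always succeeds, and the `:?` expansions abort the script with no HTTP response, so the 400 branch is unreachable.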
|
||||
|
|
|
@ -2,25 +2,33 @@
|
|||
# FILE: fed/peer/add
|
||||
# DESCRIPTION: Add a new peer from a federated server
|
||||
# USAGE: add $remote_ip $querystring
|
||||
# QUERYSTRING: ?pubkey=$pubkey&psk=$psk&ips=$allowedips
|
||||
# QUERYSTRING: ?secret=$secret&pubkey=$pubkey&psk=$psk&ips=$allowedips
|
||||
|
||||
source /etc/wgapi/config
|
||||
ip="${1}" & qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
pubkey="$(<<<"${qs}" grep -oP 'pubkey=(.*)' | sed 's/^pubkey//' | xargs)" &
|
||||
psk="$(<<<"${qs}" grep -oP 'psk=(.*)' | sed 's/^psk//' | xargs)" &
|
||||
ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
secret="$(<<<"${qs}" grep -oP 'secret=(.*)' | sed 's/^secret//' | xargs)"
|
||||
pubkey="$(<<<"${qs}" grep -oP 'pubkey=(.*)' | sed 's/^pubkey//' | xargs)"
|
||||
psk="$(<<<"${qs}" grep -oP 'psk=(.*)' | sed 's/^psk//' | xargs)"
|
||||
allowedips="$(<<<"${qs}" grep -oP 'ips=(.*)' | sed 's/^ips//' | xargs)"
|
||||
|
||||
# Check that requesting ip is in the servers file
|
||||
if ! sed '/^#/d' /etc/wgapi/servers | cut -f2,3 | grep -w "${ip}"; then
|
||||
printf "ERROR! Federated server %s requested to create new peer but isn't in servers file!/n" "${ip}" >&2
|
||||
"/usr/lib/wgapi/http_res" 403; exit
|
||||
/usr/lib/wgapi/http_res 403; exit
|
||||
fi
|
||||
|
||||
# Check server secret
|
||||
local_secret="$(grep -w "^${LOCAL_SERVER}" /etc/wgapi/servers | cut -f7)"
|
||||
if ! [ "${local_secret}" == "${secret}" ]; then
|
||||
printf "ERROR! Federated server %s provided a secret, %s, that doesn't match the one in our servers file, %s\n" "${ip}" "${secret}" "${local_secret}" >&2
|
||||
/usr/lib/wgapi/http_res 403; exit
|
||||
fi
|
||||
|
||||
# Add peer to wireguard
|
||||
if "/usr/lib/wgapi/wg_peer_add" "${pubkey}" "${server_psk}" "${allowedips}"; then
|
||||
if /usr/lib/wgapi/wg_peer_add "${pubkey}" "${psk}" "${allowedips}"; then
|
||||
printf 'Added %s to wireguard.\n' "${pubkey}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to add %s to wireguard!\n' "${pubkey}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
"/usr/lib/wgapi/http_res" 200
|
||||
/usr/lib/wgapi/http_res 200
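Review bot: The new mismatch message `printf "ERROR! Federated server %s provided a secret, %s, that doesn't match the one in our servers file, %s\n" "${ip}" "${secret}" "${local_secret}" >&2` writes both the presented and the expected shared secret to stderr, so every failed attempt copies the real secret into whatever collects the logs; log only the IP and the fact of the mismatch, e.g. `printf "ERROR! Federated server %s provided a secret that doesn't match the one in our servers file\n" "${ip}" >&2`. The check also passes when both sides are empty: `local_secret` comes from `grep -w "^${LOCAL_SERVER}" /etc/wgapi/servers | cut -f7` and `secret` from the query string, so a servers file without a seventh column, or a `LOCAL_SERVER` matching no row, lets a request with no `secret=` parameter through; make the condition `if [ -z "${local_secret}" ] || ! [ "${local_secret}" == "${secret}" ]; then`. The same block is duplicated in the delete handler's hunk at `@ -2,23 +2,31 @@`.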
|
||||
|
|
|
@ -2,23 +2,31 @@
|
|||
# FILE: fed/peer/del
|
||||
# DESCRIPTION: Delete a peer from a federated server
|
||||
# USAGE: del $remote_ip $querystring
|
||||
# QUERYSTRING: ?pubkey=$pubkey
|
||||
# QUERYSTRING: ?secret=$secret&pubkey=$pubkey
|
||||
|
||||
source /etc/wgapi/config
|
||||
ip="${1}" & qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
ip="${1}"; qs="$(<<<"${2}" tr '&' '\n' | sed 's/?//')"
|
||||
secret="$(<<<"${qs}" grep -oP 'secret=(.*)' | sed 's/^secret//' | xargs)"
|
||||
pubkey="$(<<<"${qs}" grep -oP 'pubkey=(.*)' | sed 's/^pubkey//' | xargs)"
|
||||
|
||||
# Check that requesting ip is in the servers file
|
||||
if ! sed '/^#/d' /etc/wgapi/servers | cut -f2,3 | grep -w "${ip}"; then
|
||||
printf "ERROR! Federated server %s requested to create new peer but isn't in servers file!/n" "${ip}" >&2
|
||||
"/usr/lib/wgapi/http_res" 403; exit
|
||||
/usr/lib/wgapi/http_res 403; exit
|
||||
fi
|
||||
|
||||
# Check server secret
|
||||
local_secret="$(grep -w "^${LOCAL_SERVER}" /etc/wgapi/servers | cut -f7)"
|
||||
if ! [ "${local_secret}" == "${secret}" ]; then
|
||||
printf "ERROR! Federated server %s provided a secret, %s, that doesn't match the one in our servers file, %s\n" "${ip}" "${secret}" "${local_secret}" >&2
|
||||
/usr/lib/wgapi/http_res 403; exit
|
||||
fi
|
||||
|
||||
# Delete peer from wireguard
|
||||
if "/usr/lib/wgapi/wg_peer_del" "${pubkey}"; then
|
||||
if /usr/lib/wgapi/wg_peer_del "${pubkey}"; then
|
||||
printf 'Deleted %s from wireguard.\n' "${pubkey}" >&2
|
||||
else
|
||||
printf 'ERROR! Failed to delete %s from wireguard!\n' "${pubkey}" >&2
|
||||
"/usr/lib/wgapi/http_res" 500; exit
|
||||
/usr/lib/wgapi/http_res 500; exit
|
||||
fi
|
||||
"/usr/lib/wgapi/http_res" 200
|
||||
/usr/lib/wgapi/http_res 200
|
|
@ -1,14 +1,14 @@
|
|||
#!/bin/bash
|
||||
# FILE: fed_peer_add
|
||||
# DESCRIPTION: Sends details about a new peer to a federated server
|
||||
# USAGE: fed_peer_add server pubkey psk allowedips
|
||||
# USAGE: fed_peer_add url secret pubkey psk allowedips
|
||||
|
||||
source /etc/wgapi/config
|
||||
server="${1}" & pubkey="${2}" & psk="${3}" & allowedips="${4}"
|
||||
url="${1}"; secret="${2}"; pubkey="${3}"; psk="${4}"; allowedips="${5}"
|
||||
|
||||
if res="$(curl --silent --request POST "wg-test-fed.${server}.${TLD}?pubkey=${pubkey}&psk=${psk}&ips=${allowedips}")"; then
|
||||
printf 'Sent peer %s to federated server %s\n' "${pubkey}" "${server}" >&2
|
||||
if res="$(curl --silent --request POST "${url}?secret=${secret}&pubkey=${pubkey}&psk=${psk}&ips=${allowedips}")"; then
|
||||
printf 'Sent peer %s to federated server %s\n' "${pubkey}" "${url}" >&2
|
||||
else
|
||||
printf 'ERROR: Failed to send peer to federated server %s: %s\n' "${server}" "${res}" >&2
|
||||
printf 'ERROR: Failed to send peer to federated server %s: %s\n' "${url}" "${res}" >&2
|
||||
exit 1
|
||||
fi
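Review bot: `curl --silent --request POST "${url}?secret=${secret}&pubkey=${pubkey}&psk=${psk}&ips=${allowedips}"` has no `--fail`, so an HTTP 403 from the remote secret check (or any 4xx/5xx) still exits 0, this script prints `Sent peer %s to federated server %s` and the caller treats the peer as added; add `--fail` so a rejection reaches the `exit 1` branch. Carrying the shared secret in the URL query string also places it in the remote web server's and any intermediate proxy's access logs, and whether the `url` column of the servers file is `https` cannot be seen here; a request header or the POST body would keep it out of URL logging, though the receiving handler and its dispatcher would then need to read it from somewhere other than `QUERY_STRING`. Both points apply equally to `fed_peer_del` in the next hunk.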
|
|
@ -1,14 +1,14 @@
|
|||
#!/bin/bash
|
||||
# FILE: fed_peer_del
|
||||
# DESCRIPTION: Sends details to a federated server about a peer to be deleted
|
||||
# USAGE: fed_peer_del server pubkey
|
||||
# USAGE: fed_peer_del url secret pubkey
|
||||
|
||||
source /etc/wgapi/config
|
||||
server="${1}" & pubkey="${2}"
|
||||
url="${1}"; secret="${2}"; pubkey="${3}"
|
||||
|
||||
if res="$(curl --silent --request DELETE "wg-test-fed.${server}.${TLD}?pubkey=${pubkey}")"; then
|
||||
printf 'Sent peer %s to federated server %s\n' "${pubkey}" "${server}" >&2
|
||||
if res="$(curl --silent --request DELETE "${url}?secret=${secret}&pubkey=${pubkey}")"; then
|
||||
printf 'Sent peer %s to federated server %s\n' "${pubkey}" "${url}" >&2
|
||||
else
|
||||
printf 'ERROR: Failed to send peer to federated server %s: %s\n' "${server}" "${res}" >&2
|
||||
printf 'ERROR: Failed to send peer to federated server %s: %s\n' "${url}" "${res}" >&2
|
||||
exit 1
|
||||
fi
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
source /etc/wgapi/config
|
||||
|
||||
domain="$("/usr/lib/wgapi/ns_lookup_send" "${1}")"
|
||||
domain="$(/usr/lib/wgapi/ns_lookup_send "${1}")"
|
||||
case $? in
|
||||
0) printf '%s' "${domain%.}" | cut -d'=' -f2 | xargs -0; exit 0;;
|
||||
4) printf 'Domain for %s not found!\n' "${1}" >&2; exit 3;;
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
|
||||
source /etc/wgapi/config
|
||||
|
||||
res="$("/usr/lib/wgapi/ns_lookup_send" "-query=AXFR" "${TLD}.")"
|
||||
res="$(/usr/lib/wgapi/ns_lookup_send "-query=AXFR" "${TLD}.")"
|
||||
case $? in
|
||||
0) printf '%s' "${res}"; exit 0;;
|
||||
4) printf 'Domain for %s not found!\n' "${1}" >&2; exit 4;;
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
|
||||
source /etc/wgapi/config
|
||||
|
||||
# Ignore SC2068 and leave ${@} unquoted so it can expand
|
||||
if ! res="$(/usr/bin/nslookup ${@} "${DNS_MASTER}")"
|
||||
then exit 5
|
||||
fi
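Review bot: The added comment `# Ignore SC2068 and leave ${@} unquoted so it can expand` rests on a false premise: `"${@}"` expands to one word per positional parameter and is exactly what lets `-query=AXFR` and `tld.` reach `nslookup` as separate arguments, while unquoted `${@}` only adds word-splitting and globbing of each argument. Quote it, `if ! res="$(/usr/bin/nslookup "${@}" "${DNS_MASTER}")"`, and drop the comment; if suppressing the warning were really wanted, the form ShellCheck honours is a `# shellcheck disable=SC2068` line directly above the command, which this comment is not.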
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
|
||||
source /etc/wgapi/config
|
||||
|
||||
"/usr/lib/wgapi/ns_update_send" "update add ${1}. ${DNS_TTL} A ${2}
|
||||
/usr/lib/wgapi/ns_update_send "update add ${1}. ${DNS_TTL} A ${2}
|
||||
update add ${1}. ${DNS_TTL} AAAA ${3}
|
||||
update add *.${1}. ${DNS_TTL} CNAME ${1}.
|
||||
send
|
||||
update add $("/usr/lib/wgapi/ns_update_rev_ipv4" "${2}") ${DNS_TTL} PTR ${1}.
|
||||
update add $(/usr/lib/wgapi/ns_update_rev_ipv4 "${2}") ${DNS_TTL} PTR ${1}.
|
||||
send
|
||||
update add $("/usr/lib/wgapi/ns_update_rev_ipv6" "${3}") ${DNS_TTL} PTR ${1}." || exit 1
|
||||
update add $(/usr/lib/wgapi/ns_update_rev_ipv6 "${3}") ${DNS_TTL} PTR ${1}." || exit 1
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
|
||||
source /etc/wgapi/config
|
||||
|
||||
"/usr/lib/wgapi/ns_update_send" "update delete ${1}. A
|
||||
/usr/lib/wgapi/ns_update_send "update delete ${1}. A
|
||||
update delete ${1}. AAAA
|
||||
update delete *.${1}. CNAME
|
||||
send
|
||||
update delete $("/usr/lib/wgapi/ns_update_rev_ipv4" "${2}") PTR
|
||||
update delete $(/usr/lib/wgapi/ns_update_rev_ipv4 "${2}") PTR
|
||||
send
|
||||
update delete $("/usr/lib/wgapi/ns_update_rev_ipv6" "${3}") PTR" || exit 1
|
||||
update delete $(/usr/lib/wgapi/ns_update_rev_ipv6 "${3}") PTR" || exit 1
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# 8: failed to set permissions
|
||||
|
||||
source /etc/wgapi/config
|
||||
hostname="${1}" & username="${2}" & ipstring="${3}"
|
||||
hostname="${1}"; username="${2}"; ipstring="${3}"
|
||||
|
||||
# Make a directory for the new files
|
||||
if ! sudo mkdir "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/"; then
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# USAGE: del hostname username
|
||||
|
||||
source /etc/wgapi/config
|
||||
hostname="${1}" & username="${2}"
|
||||
hostname="${1}"; username="${2}"
|
||||
|
||||
if ! sudo rm -rf "${SSL_CONFIG_DIR:?}/${username:?}/${hostname:?}/" 2>/dev/null; then
|
||||
printf 'ERROR! %s failed to delete %s!\n' "${0}" "${SSL_CONFIG_DIR}/${username}/${hostname}/" >&2
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# USAGE: add pubkey psk allowedips
|
||||
|
||||
source /etc/wgapi/config
|
||||
pubkey="${1}" & psk="${2}" & allowedips="${3}"
|
||||
pubkey="${1}"; psk="${2}"; allowedips="${3}"
|
||||
|
||||
if ! res="$(printf '%s\n' "${psk}" | sudo /usr/bin/wg set "${TLD}" peer "${pubkey}" preshared-key /dev/stdin allowed-ips "${allowedips}")"; then
|
||||
printf '%s %s\n' "${?}" "${res}" >&2
|
||||
|
|
|
@ -5,11 +5,11 @@
|
|||
|
||||
source /etc/wgapi/config
|
||||
|
||||
/usr/bin/wg show "${TLD}" allowed-ips \
|
||||
/usr/bin/wg show "${TLD}" allowed-ips | \
|
||||
while IFS=$' ' read -r pubkey ipv4 ipv6; do
|
||||
ipv4="${ipv4%%/*}"
|
||||
ipv6="${ipv6%%/*}"
|
||||
domain="$("/usr/lib/wgapi/ns_lookup_rdns" "${ipv4}")" || exit 4
|
||||
domain="$(/usr/lib/wgapi/ns_lookup_rdns "${ipv4}")" || exit 4
|
||||
username="$(<<<"${domain}" cut -d'.' -f2)"
|
||||
hostname="$(<<<"${domain}" cut -d'.' -f1)"
|
||||
case "${2}" in
|
||||
|
|
|
@ -22,9 +22,11 @@
|
|||
[X] Remove bash errors
|
||||
[X] Move loging to STDERR
|
||||
[X] Remove extraneous checks
|
||||
[ ] Federated servers
|
||||
[ ] shellcheck
|
||||
[X] Federated servers
|
||||
[X] shellcheck
|
||||
[ ] Check server secrets
|
||||
[ ] Deploy on GF4
|
||||
[ ] Testing
|
||||
[ ] Prepare for IPv4 exhaustion
|
||||
[ ] Deduplicate code
|
||||
[ ] shellcheck
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
TLD='tld'
|
||||
LOCAL_SERVER='myhost'
|
||||
LOCAL_SERVER='myhost1'
|
||||
IPV4_NET='10.3.0.0/16'
|
||||
IPV6_NET='fd69:1337:0:420:f4:f3::/96'
|
||||
WG_DNS='DNS=10.3.0.1,10.3.0.2,fd69:1337:0:420:f4:f3:0:1,fd69:1337:0:420:f4:f3:0:2'
|
||||
|
|