netbird/management
Mikhail Bragin 2c2c1e19df
Peer configuration management (#69)
* feature: add config properties to the SyncResponse of the management gRpc service

* fix: lint errors

* chore: modify management protocol according to the review notes

* fix: management proto fields sequence

* feature: add proper peer configuration to be synced

* chore: minor changes

* feature: finalize peer config management

* fix: lint errors

* feature: add management server config file

* refactor: extract hosts-config to a separate file

* refactor: review notes applied to correct file_store usage

* refactor: extract management service configuration to a file

* refactor: simplify management config
2021-07-30 17:46:38 +02:00
..
cmd Peer configuration management (#69) 2021-07-30 17:46:38 +02:00
proto Peer configuration management (#69) 2021-07-30 17:46:38 +02:00
server Peer configuration management (#69) 2021-07-30 17:46:38 +02:00
Dockerfile refactor: set default flags in code not Dockerfile 2021-07-17 17:26:51 +02:00
main.go Move management server to a separate directory (#67) 2021-07-24 16:14:29 +02:00
README.md Peer configuration management (#69) 2021-07-30 17:46:38 +02:00

Wiretrustee Management Server

Run Management service (Docker)

You can run service in 2 modes - with TLS or without (not recommended).

Run with TLS (Let's Encrypt).

The server where you are running a container has to have a public IP (for Let's Encrypt certificate challenge). In the following example 33073 is a gRpc port, 443 is a port for Let's Encrypt challenge and HTTP API.

Replace with your server's public domain (e.g. mydomain.com or subdomain sub.mydomain.com).

docker run -d --name wiretrustee-management \
-p 33073:33073  \
-p 443:443  \
-v /var/lib/wiretrustee/:/var/lib/wiretrustee/  \
-v /etc/wiretrustee/:/etc/wiretrustee/  \
wiretrustee/wiretrustee:management-v0.0.8-SNAPSHOT-079d35e-amd64  \
--port 33073  \
--datadir /var/lib/wiretrustee/ \
--hosts-config /etc/wiretrustee/hosts-config.json \
--letsencrypt-domain <YOUR-DOMAIN>  \
--log-level info

Trigger Let's encrypt certificate generation:

curl https://<YOUR-DOMAIN>

The certificate will be persisted in the datadir/letsencrypt/ folder (e.g. /var/lib/wiretrustee/letsencrypt/). Make sure that the datadir is mapped to some folder on a host machine. Consequent restarts of the container will pick up previously generated certificate so there is no need to trigger certificate generation with the curl command on every restart.

Below are optional steps (some checks).

Inspect datadir to see if the folder contains Let's Encrypt certificate:

ls /var/lib/wiretrustee/letsencrypt/

The output should be something similar to this:

root@wiretrustee-test-2:~# ls /var/lib/wiretrustee/letsencrypt/
acme_account+key  <YOUR-DOMAIN>  <YOUR-DOMAIN>+rsa

Check certificate:

echo | openssl s_client -showcerts -servername <YOUR-DOMAIN> -connect <YOUR-DOMAIN>:33073 2>/dev/null | openssl x509 -inform pem -noout -text

The output should be something similar to this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:07:7a:8e:f3:78:0d:bc:4d:f0:82:9b:1a:a3:c1:89:6c:ae
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jul 17 14:19:45 2021 GMT
            Not After : Oct 15 14:19:43 2021 GMT
        Subject: CN = <YOUR-DOMAIN>
        
        ...        
        
            Signature Algorithm: sha256WithRSAEncryption
         3a:a3:27:5c:aa:35:11:b0:9a:89:d4:da:03:30:16:bc:3e:01:
         9f:7a:14:0a:1c:f3:c3:1c:67:86:31:bd:63:0f:19:81:66:77:
         34:32:e8:ac:be:16:1d:55:5e:d5:71:73:d7:50:b4:fb:56:6d:
         14:b3:2f:ae:04:52:e5:f4:e2:86:dd:fe:b8:b0:bf:52:84:bf:
         5f:d2:56:9f:7b:70:6c:b8:f4:e8:c8:94:7f:89:e9:0d:37:55:
         c7:c7:6c:51:88:09:9a:40:4a:52:88:c6:8b:1b:9c:d4:a2:a5:
         4d:c7:23:4b:81:b8:4a:90:3f:a3:50:80:6e:bb:1f:1c:c2:19:
         99:d4:57:7b:82:07:f3:ca:71:6d:83:e8:5a:98:70:98:13:a1:
         64:81:0d:01:db:41:37:46:6f:a5:c6:e5:cf:7d:ba:f8:26:b1:
         53:58:fc:7d:48:2a:55:f3:14:e7:5e:7d:0f:3d:23:98:83:00:
         08:19:b0:62:93:a4:66:96:db:25:3f:e7:02:44:25:c1:62:4d:
         75:90:5b:b6:59:68:42:58:37:88:2f:84:c2:77:8f:9f:50:ed:
         b5:f7:b1:31:8a:b6:ca:9e:5a:90:e9:3f:5b:eb:d4:c3:f6:82:
         42:16:5f:f4:62:ed:51:9c:ac:b1:ba:4e:6f:ea:ec:ab:43:ba:
         d1:25:ab:28

Run without TLS.

docker run -d --name wiretrustee-management \
-p 33073:33073  \
-v /var/lib/wiretrustee/:/var/lib/wiretrustee/  \
-v /etc/wiretrustee/:/etc/wiretrustee/  \
wiretrustee/wiretrustee:management-v0.0.8-SNAPSHOT-079d35e-amd64  \
--port 33073  \
--datadir /var/lib/wiretrustee/ \
--hosts-config /etc/wiretrustee/hosts-config.json \
--letsencrypt-domain app.wiretrustee.com  \
--log-level debug

hosts-config.json file example:

{
    "Stuns": [
        {
            "Proto": 2,
            "Host": "stun.wiretrustee.com",
            "Port": 3468,
            "Username": "",
            "Password": null
        }
    ],
    "Turns": [
        {
            "Proto": 2,
            "Host": "stun.wiretrustee.com",
            "Port": 3468,
            "Username": "some_user",
            "Password": "c29tZV9wYXNzd29yZA=="
        }
    ],
    "Signal": {
        "Proto": 2,
        "Host": "signal.wiretrustee.com",
        "Port": 10000,
        "Username": "",
        "Password": null
    }
}

For development purposes:

Install golang gRpc tools:

#!/bin/bash
go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1

Generate gRpc code:

#!/bin/bash
protoc -I proto/ proto/management.proto --go_out=. --go-grpc_out=.