Merge branch 'zrok_copy_p1' of github.com:openziti/zrok into zrok_copy_p1

This commit is contained in:
Michael Quigley 2023-11-27 14:18:41 -05:00
commit 3f817de8ec
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62
17 changed files with 727 additions and 29 deletions


@ -57,3 +57,80 @@ nfpms:
- src: /opt/openziti/bin/zrok - src: /opt/openziti/bin/zrok
dst: /usr/bin/zrok dst: /usr/bin/zrok
type: "symlink" type: "symlink"
- package_name: zrok-share
id: zrok-share
vendor: NetFoundry
homepage: https://zrok.io/
maintainer: support@zrok.io
description: |-
This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the
desired target for sharing, and run "systemctl enable --now zrok-share.service".
license: Apache 2.0
# do not bundle the built binaries, only supporting files
meta: true
# Formats to be generated.
formats:
- deb
- rpm
# {{ .ConventionalFileName }} satisfies the RPM name convention.
file_name_template: "{{ .ConventionalFileName }}"
# Umask to be used on files without explicit mode set. (overridable)
umask: 0o002
# Package version within this release version.
release: 1
# Section.
section: default
# Priority.
priority: optional
# GoReleaser will automatically add the binaries here
dependencies:
- zrok
# this allows users to satisfy the requirement for jq another way, not with the package manager, e.g.
# apt install --no-recommends zrok-share
recommends:
- jq
overrides:
# yum and dnf do not automatically install "weak deps" aka "recommends", so we need to add them as a dependency
rpm:
dependencies:
- zrok
- jq
# Contents to add to the package.
contents:
- dst: /lib/systemd/system/
src: ./nfpm/zrok-share.service
- dst: /opt/openziti/etc/zrok
type: dir
file_info:
mode: 0755
- dst: /opt/openziti/bin/
src: ./nfpm/zrok-share.bash
file_info:
mode: 0755
- dst: /opt/openziti/bin/
src: ./nfpm/zrok-enable.bash
file_info:
mode: 0755
- dst: /opt/openziti/etc/zrok/
src: ./nfpm/zrok-share.env
type: config|noreplace
- dst: /opt/openziti/etc/zrok/
src: ./etc/caddy/multiple_upstream.Caddyfile
type: config|noreplace
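Review bot: The `./nfpm/zrok-share.env` entry (the `config|noreplace` item near the end of `contents`) is the file that carries `ZROK_ENABLE_TOKEN` and optionally `ZROK_BASIC_AUTH`, yet unlike the script and directory entries above it has no `file_info`, so its on-disk mode falls out of the `umask: 0o002` default rather than a reviewed choice. Even if the file has to stay world-readable so the `DynamicUser` service can source it, pin that decision explicitly, e.g. `file_info:` / `mode: 0o644`, with a comment saying why. Separately, `umask` uses the YAML 1.2 `0o002` spelling while the four `mode:` values use the 1.1-style `0755`; nfpm's own examples use the bare form as far as I recall, so both presumably parse, but one spelling file-wide (`mode: 0o755`) removes the ambiguity. The same applies to the two following identical `nfpms` sections.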


@ -57,3 +57,80 @@ nfpms:
- src: /opt/openziti/bin/zrok - src: /opt/openziti/bin/zrok
dst: /usr/bin/zrok dst: /usr/bin/zrok
type: "symlink" type: "symlink"
- package_name: zrok-share
id: zrok-share
vendor: NetFoundry
homepage: https://zrok.io/
maintainer: support@zrok.io
description: |-
This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the
desired target for sharing, and run "systemctl enable --now zrok-share.service".
license: Apache 2.0
# do not bundle the built binaries, only supporting files
meta: true
# Formats to be generated.
formats:
- deb
- rpm
# {{ .ConventionalFileName }} satisfies the RPM name convention.
file_name_template: "{{ .ConventionalFileName }}"
# Umask to be used on files without explicit mode set. (overridable)
umask: 0o002
# Package version within this release version.
release: 1
# Section.
section: default
# Priority.
priority: optional
# GoReleaser will automatically add the binaries here
dependencies:
- zrok
# this allows users to satisfy the requirement for jq another way, not with the package manager, e.g.
# apt install --no-recommends zrok-share
recommends:
- jq
overrides:
# yum and dnf do not automatically install "weak deps" aka "recommends", so we need to add them as a dependency
rpm:
dependencies:
- zrok
- jq
# Contents to add to the package.
contents:
- dst: /lib/systemd/system/
src: ./nfpm/zrok-share.service
- dst: /opt/openziti/etc/zrok
type: dir
file_info:
mode: 0755
- dst: /opt/openziti/bin/
src: ./nfpm/zrok-share.bash
file_info:
mode: 0755
- dst: /opt/openziti/bin/
src: ./nfpm/zrok-enable.bash
file_info:
mode: 0755
- dst: /opt/openziti/etc/zrok/
src: ./nfpm/zrok-share.env
type: config|noreplace
- dst: /opt/openziti/etc/zrok/
src: ./etc/caddy/multiple_upstream.Caddyfile
type: config|noreplace


@ -53,3 +53,80 @@ nfpms:
- src: /opt/openziti/bin/zrok - src: /opt/openziti/bin/zrok
dst: /usr/bin/zrok dst: /usr/bin/zrok
type: "symlink" type: "symlink"
- package_name: zrok-share
id: zrok-share
vendor: NetFoundry
homepage: https://zrok.io/
maintainer: support@zrok.io
description: |-
This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the
desired target for sharing, and run "systemctl enable --now zrok-share.service".
license: Apache 2.0
# do not bundle the built binaries, only supporting files
meta: true
# Formats to be generated.
formats:
- deb
- rpm
# {{ .ConventionalFileName }} satisfies the RPM name convention.
file_name_template: "{{ .ConventionalFileName }}"
# Umask to be used on files without explicit mode set. (overridable)
umask: 0o002
# Package version within this release version.
release: 1
# Section.
section: default
# Priority.
priority: optional
# GoReleaser will automatically add the binaries here
dependencies:
- zrok
# this allows users to satisfy the requirement for jq another way, not with the package manager, e.g.
# apt install --no-recommends zrok-share
recommends:
- jq
overrides:
# yum and dnf do not automatically install "weak deps" aka "recommends", so we need to add them as a dependency
rpm:
dependencies:
- zrok
- jq
# Contents to add to the package.
contents:
- dst: /lib/systemd/system/
src: ./nfpm/zrok-share.service
- dst: /opt/openziti/etc/zrok
type: dir
file_info:
mode: 0755
- dst: /opt/openziti/bin/
src: ./nfpm/zrok-share.bash
file_info:
mode: 0755
- dst: /opt/openziti/bin/
src: ./nfpm/zrok-enable.bash
file_info:
mode: 0755
- dst: /opt/openziti/etc/zrok/
src: ./nfpm/zrok-share.env
type: config|noreplace
- dst: /opt/openziti/etc/zrok/
src: ./etc/caddy/multiple_upstream.Caddyfile
type: config|noreplace


@ -1,5 +1,9 @@
# CHANGELOG # CHANGELOG
## v0.4.16
FEATURE: Publish Linux packages for `zrok` CLI and a systemd service for running a reserved public share (`zrok-share`).
## v0.4.15 ## v0.4.15
CHANGE: Updated the code signing and notarization process for macos binaries. The previous release process used the `gon` utility to handle both code signing and notarization. Apple changed the requirements and the `gon` utility no longer properly functions as of 2023-11-01. The `goreleaser` process has been adjusted to use the `notarytool` utility that ships with XCode to sign and notarize the binary (https://github.com/openziti/zrok/issues/435) CHANGE: Updated the code signing and notarization process for macos binaries. The previous release process used the `gon` utility to handle both code signing and notarization. Apple changed the requirements and the `gon` utility no longer properly functions as of 2023-11-01. The `goreleaser` process has been adjusted to use the `notarytool` utility that ships with XCode to sign and notarize the binary (https://github.com/openziti/zrok/issues/435)


@ -32,7 +32,7 @@ services:
zrok-share: zrok-share:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
command: share private --headless --backend-mode proxy ${ZROK_BACKEND:-http://zrok-test:9090/} command: share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}
depends_on: depends_on:
zrok-enable: zrok-enable:
condition: service_completed_successfully condition: service_completed_successfully


@ -7,7 +7,7 @@ services:
- sh - sh
- -euc - -euc
- | - |
ZROK_UPSTREAM_URL="${ZROK_BACKEND:-http://zrok-test:9090}" ZROK_UPSTREAM_URL="${ZROK_TARGET:-http://zrok-test:9090}"
ZROK_UPSTREAM_HOST="$(echo $${ZROK_UPSTREAM_URL}|sed -E 's#^https?://([^/:]+).*#\1#')" ZROK_UPSTREAM_HOST="$(echo $${ZROK_UPSTREAM_URL}|sed -E 's#^https?://([^/:]+).*#\1#')"
mkdir -p /mnt/.zrok mkdir -p /mnt/.zrok
cat <<CADDYFILE >| /mnt/.zrok/Caddyfile cat <<CADDYFILE >| /mnt/.zrok/Caddyfile
@ -90,12 +90,12 @@ services:
- -euc - -euc
- | - |
if [[ -s ~/.zrok/reserved.json ]]; then if [[ -s ~/.zrok/reserved.json ]]; then
ZROK_RESERVE_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)" ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)"
if [[ -z "$${ZROK_RESERVE_TOKEN}" || "$${ZROK_RESERVE_TOKEN}" == null ]]; then if [[ -z "$${ZROK_RESERVED_TOKEN}" || "$${ZROK_RESERVED_TOKEN}" == null ]]; then
echo "ERROR: invalid reserved.json: $(jq -c . ~/.zrok/reserved.json)" >&2 echo "ERROR: invalid reserved.json: $(jq -c . ~/.zrok/reserved.json)" >&2
exit 1 exit 1
else else
echo "INFO: zrok backend is already reserved: $${ZROK_RESERVE_TOKEN}" echo "INFO: zrok backend is already reserved: $${ZROK_RESERVED_TOKEN}"
exit 0 exit 0
fi fi
else else
@ -108,7 +108,7 @@ services:
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}" ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
fi fi
if [[ -n "${ZROK_BACKEND_MODE:-}" && "${ZROK_BACKEND_MODE}" != caddy ]]; then if [[ -n "${ZROK_BACKEND_MODE:-}" && "${ZROK_BACKEND_MODE}" != caddy ]]; then
ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_BACKEND:-http://zrok-test:9090}" ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET:-http://zrok-test:9090}"
else else
ZROK_CMD+=" --backend-mode caddy /mnt/.zrok/Caddyfile" ZROK_CMD+=" --backend-mode caddy /mnt/.zrok/Caddyfile"
fi fi
@ -141,16 +141,16 @@ services:
else else
echo "INFO: zrok public URLs: $${ZROK_PUBLIC_URLS}" echo "INFO: zrok public URLs: $${ZROK_PUBLIC_URLS}"
fi fi
ZROK_RESERVE_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null) ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)
if [[ -z "$${ZROK_RESERVE_TOKEN}" && "$${ZROK_RESERVE_TOKEN}" == null ]]; then if [[ -z "$${ZROK_RESERVED_TOKEN}" && "$${ZROK_RESERVED_TOKEN}" == null ]]; then
echo "ERROR: zrok reservation token not defined" >&2 echo "ERROR: zrok reservation token not defined" >&2
exit 1 exit 1
else else
echo "INFO: zrok reservation token: $${ZROK_RESERVE_TOKEN}" echo "INFO: zrok reservation token: $${ZROK_RESERVED_TOKEN}"
fi fi
echo "INFO: running: zrok $${@} $${ZROK_RESERVE_TOKEN}" echo "INFO: running: zrok $${@} $${ZROK_RESERVED_TOKEN}"
exec zrok "$${@}" $${ZROK_RESERVE_TOKEN} exec zrok "$${@}" $${ZROK_RESERVED_TOKEN}
fi fi
command: -- share reserved --headless command: -- share reserved --headless
depends_on: depends_on:
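Review bot: The renamed check `if [[ -z "$${ZROK_RESERVED_TOKEN}" && "$${ZROK_RESERVED_TOKEN}" == null ]]` in the last hunk can never be true, because a value cannot be both empty and the string `null`; since the line above reads the token with `jq -r`, a `reserved.json` without a `.token` yields the literal string `null`, the check passes, and `zrok share reserved` is exec'd with `null` as its token. The earlier check in the same file and the new `nfpm/zrok-share.bash` both use `||`, which is what this line should read: `if [[ -z "$${ZROK_RESERVED_TOKEN}" || "$${ZROK_RESERVED_TOKEN}" == null ]]; then`. The commit touches this line for the rename but carries the pre-existing logic error forward. The shell block these lines belong to starts and ends outside the hunk.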


@ -48,7 +48,7 @@ services:
if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}" ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
fi fi
ZROK_CMD+=" --backend-mode proxy ${ZROK_BACKEND:-http://zrok-test:9090/}" ZROK_CMD+=" --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}"
echo "INFO: running: zrok $${ZROK_CMD}" echo "INFO: running: zrok $${ZROK_CMD}"
exec zrok $${ZROK_CMD} exec zrok $${ZROK_CMD}
depends_on: depends_on:


@ -54,10 +54,10 @@ This concludes sharing the demo web server. Read on to learn how to pivot to sha
## Proxy Any Web Server ## Proxy Any Web Server
The simplest way to share your web server is to set `ZROK_BACKEND` (e.g. `https://example.com`) in the environment of the `docker compose up` command. When you restart the share will auto-configure for that upstream server URL. This applies to both temporary and reserved public shares. The simplest way to share your web server is to set `ZROK_TARGET` (e.g. `https://example.com`) in the environment of the `docker compose up` command. When you restart the share will auto-configure for that upstream server URL. This applies to both temporary and reserved public shares.
```bash title=".env" ```bash title=".env"
ZROK_BACKEND="http://example.com:8080" ZROK_TARGET="http://example.com:8080"
``` ```
## Require Authentication ## Require Authentication


@ -0,0 +1,142 @@
---
title: Linux Service
sidebar_position: 40
---
## Goal
Proxy a reserved public subdomain to a backend target with a Linux service.
## How it Works
The `zrok-share` package creates a `zrok-share.service` unit in systemd. The administrator edits the service's configuration file to specify the:
1. zrok environment enable token
1. target URL or files to be shared and backend mode, e.g. `proxy`
1. authentication options, if wanted
When the service starts it will:
1. enable the zrok environment unless `/var/lib/zrok-share/.zrok/environment.json` exists
1. reserve a public subdomain for the service unless `/var/lib/zrok-share/.zrok/reserved.json` exists
1. start sharing the target specified in the configuration file
## Installation
1. Download the OpenZiti install script.
```bash
curl -sSo ./openziti-install.bash https://get.openziti.io/install.bash
```
1. Inspect the script to ensure it is suitable to run as root on your system.
```bash
less ./openziti-install.bash
```
1. Run the script as root to install the `zrok-share` package.
```bash
sudo bash ./openziti-install.bash zrok-share
```
## Enable
Save the enable token from the zrok console in the configuration file.
```bash title="/opt/openziti/etc/zrok/zrok-share.env"
ZROK_ENABLE_TOKEN="14cbfca9772f"
```
## Use Cases
You may change the target for the current backend mode, e.g. `proxy`, by editing the configuration file and restarting the service. The reserved subdomain will remain the same.
You may switch between backend modes or change authentication options by deleting `/var/lib/zrok-share/.zrok/reserved.json` and restarting the service. A new subdomain will be reserved.
### Proxy a Web Server
Proxy a reserved subdomain to an existing web server. The web server could be on a private network or on the same host as zrok.
```bash title="/opt/openziti/etc/zrok/zrok-share.env"
ZROK_TARGET="http://127.0.0.1:3000"
ZROK_BACKEND_MODE="proxy"
```
### Serve Static Files
Run zrok's embedded web server to serve the files in a directory. If there's an `index.html` file in the directory then visitors will see that web page in their browser, otherwise they'll see a generated index of the files. The directory must be readable by 'other', e.g. `chmod -R o+rX /var/www/html`.
```bash title="/opt/openziti/etc/zrok/zrok-share.env"
ZROK_TARGET="/var/www/html"
ZROK_BACKEND_MODE="web"
```
### WebDAV Server
This uses zrok's `drive` backend mode to serve a directory of static files as a WebDAV resource. The directory must be readable by 'other', e.g. `chmod -R o+rX /usr/share/doc`.
```bash title="/opt/openziti/etc/zrok/zrok-share.env"
ZROK_TARGET="/usr/share/doc"
ZROK_BACKEND_MODE="drive"
```
### Caddy Server
Use zrok's built-in Caddy server to serve static files or as a reverse proxy to multiple web servers with various HTTP routes or as a load-balanced set. A sample Caddyfile is available in the path shown.
```bash title="/opt/openziti/etc/zrok/zrok-share.env"
ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
ZROK_BACKEND_MODE="caddy"
```
## Authentication
You can limit access to certain email addresses with OAuth or require a password.
### OAuth
You can require that visitors authenticate with an email address that matches at least one of the suffixes you specify. Add the following to the configuration file.
```bash title="/opt/openziti/etc/zrok/zrok-share.env"
ZROK_OAUTH_PROVIDER="github" # or google
ZROK_OAUTH_EMAILS="bob@example.com @acme.example.com"
```
### Password
Enable HTTP basic authentication by adding the following to the configuration file.
```bash title="/opt/openziti/etc/zrok/zrok-share.env"
ZROK_BASIC_AUTH="user:passwd"
```
## Start the Service
Start the service, and check the zrok console or the service log for the reserved subdomain.
```bash title="run now and at startup"
sudo systemctl enable --now zrok-share.service
```
```bash title="run now"
sudo systemctl restart zrok-share.service
```
```bash
journalctl -u zrok-share.service
```
## Compatibility
The Linux distribution must have a package manager that understands the `.deb` or `.rpm` format and be running systemd v232 or newer. The service was tested with:
* Ubuntu 20.04, 22.04, 23.04
* Debian 11 12
* Rocky 8, 9
* Fedora 37, 38
## Package Contents
The files included in the `zrok-share` package are sourced [here in GitHub](https://github.com/openziti/zrok/tree/main/nfpm).


@ -1,6 +1,6 @@
{ {
"label": "Self Hosting", "label": "Self Hosting",
"position": 20, "position": 80,
"link": { "link": {
"type": "generated-index" "type": "generated-index"
} }

21
etc/caddy/README.md Normal file

@ -0,0 +1,21 @@
# Caddyfile Samples
The Caddyfile samples in this directory are for use with `--backend-mode caddy ./my.Caddyfile` which runs an embedded
Caddy server.
With a zrok reserved share, you have the option to permanently override the path to the Caddyfile when you run `zrok
share reserved ${ZROK_RESERVED_TOKEN} --override-endpoint new.Caddyfile`.
The Caddyfile must have this structure because it is rendered as a Go template by zrok to bind the HTTP listener.
```console
http:// {
bind {{ .ZrokBindAddress }}
# customize reverse_proxy, file_server, etc.
}
```
## Notes
multiple_upstream.Caddyfile is bundled in the zrok-share package for Linux as an example Caddyfile.


@ -2,18 +2,24 @@
# #
http:// { http:// {
# Bind to the zrok share # Bind to the zrok share
bind {{ .ZrokBindAddress }} bind {{ .ZrokBindAddress }}
# Handle paths starting with `/zrok/*` # Handle paths starting with `/zrok/*`
# This will also strip the `/zrok/` from the path before sending to the backend # This will also strip the `/zrok/` from the path before sending to the backend
handle_path /zrok/* { handle_path /zrok/* {
reverse_proxy https://zrok.io { reverse_proxy https://zrok.io {
header_up Host zrok.io header_up Host zrok.io
} }
} }
# All other traffic goes to localhost:3000 # serve index.html if it exists, else a file index
reverse_proxy /* 127.0.0.1:3000 { handle_path /zrok-static/* {
header_up Host localhost:3000 root * /var/www/html
} file_server browse
}
# All other traffic goes to localhost:3000
reverse_proxy /* 127.0.0.1:3000 {
header_up Host localhost:3000
}
} }
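Review bot: The new `handle_path /zrok-static/*` block enables `file_server browse`, which publishes a listing of every file under `/var/www/html` that the zrok process can read whenever a requested directory has no `index.html`; for a sample that the `zrok-share` package installs under `/opt/openziti/etc/zrok/` and documents as a starting point, that exposure deserves to be stated next to the directive, e.g. `# browse: publishes a directory listing when no index.html exists; drop it to return 404 instead`. If listing is not the intent, `file_server` alone serves index files only. The comment on the line above already describes the behaviour, so this is mainly about making the trade-off explicit to whoever copies the file.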

4
nfpm/README.md Normal file

@ -0,0 +1,4 @@
# nfpm supporting files
These files are sourced by nfpm when invoked by goreleaser to build Linux packages.

58
nfpm/zrok-enable.bash Normal file

@ -0,0 +1,58 @@
#!/usr/bin/env bash
#
# this script uses a zrok enable token to enable a zrok environment in $HOME/.zrok
#
set -o errexit
set -o nounset
set -o pipefail
BASENAME=$(basename "$0")
DEFAULT_ZROK_ENVIRONMENT_NAME="zrok-share.service on $(hostname -s)"
if (( $# )); then
case $1 in
-h|*help)
echo -e \
"Usage: ${BASENAME} FILENAME\n"\
"\tFILENAME\tfile containing environment variables to set"
exit 0
;;
esac
fi
# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd, e.g. /var/lib/zrok-share
if [[ -n "${STATE_DIRECTORY:-}" ]]; then
export HOME="${STATE_DIRECTORY%:*}"
else
echo "ERROR: STATE_DIRECTORY is undefined. This script must be run from systemd because it runs as a"\
"dynamically-allocated user and exclusively manages the files in STATE_DIRECTORY" >&2
exit 1
fi
if [[ -s ~/.zrok/environment.json ]]; then
echo "INFO: zrok environment is already enabled. Delete '$(realpath ~/.zrok/environment.json)' if you want to create a"\
"new environment."
exit 0
fi
if (( $# )); then
if [[ -s "$1" ]]; then
source "$1"
else
echo "ERROR: \$1="$1" is empty or not a readable file" >&2
exit 1
fi
else
echo "ERROR: need filename argument to read environment configuration" >&2
exit 1
fi
if [[ -z "${ZROK_ENABLE_TOKEN}" ]]; then
echo "ERROR: ZROK_ENABLE_TOKEN is not defined" >&2
exit 1
else
zrok config set apiEndpoint "${ZROK_API_ENDPOINT:-https://api.zrok.io}"
echo "INFO: running: zrok enable ..."
exec zrok enable --headless --description "${ZROK_ENVIRONMENT_NAME:-${DEFAULT_ZROK_ENVIRONMENT_NAME}}" "${ZROK_ENABLE_TOKEN}"
fi
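Review bot: `if [[ -z "${ZROK_ENABLE_TOKEN}" ]]` near the end runs under `set -o nounset`, so an environment file that simply omits the variable aborts with bash's "unbound variable" message instead of the intended `ERROR: ZROK_ENABLE_TOKEN is not defined`; use `if [[ -z "${ZROK_ENABLE_TOKEN:-}" ]]; then`, as the script already does for `STATE_DIRECTORY`. The `source "$1"` line executes the configuration file as shell, which is worth a comment since the packaged example file only hints at it: `# the env file is executed as shell: values must be shell-quoted and the file must not be writable by other users`. The `\$1="$1"` message also breaks the quoting around the argument, so a filename containing spaces is word-split; `echo "ERROR: \$1='$1' is empty or not a readable file" >&2` keeps it intact.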

132
nfpm/zrok-share.bash Normal file

@ -0,0 +1,132 @@
#!/usr/bin/env bash
#
# this script shares the configured backend for a reserved share token
#
set -o errexit
set -o nounset
set -o pipefail
if ! command -v jq &>/dev/null; then
echo "ERROR: jq is needed but not installed" >&2
exit 1
fi
# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd, e.g. /var/lib/zrok-share
export HOME="${STATE_DIRECTORY%:*}"
if (( $# )); then
if [[ -s "$1" ]]; then
source "$1"
else
echo "ERROR: '$1' is empty or not readable" >&2
exit 1
fi
else
# TODO: consider defining a default environment file
# if [[ -s /opt/openziti/etc/zrok.env ]]; then
# source /opt/openziti/etc/zrok.env
# else
# echo "ERROR: need /opt/openziti/etc/zrok.env or filename argument to read share configuration" >&2
# exit 1
# fi
echo "ERROR: need filename argument to read share configuration" >&2
exit 1
fi
if [[ -s ~/.zrok/reserved.json ]]; then
ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)"
if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then
echo "ERROR: invalid reserved.json: '$(jq -c . ~/.zrok/reserved.json)'" >&2
exit 1
else
echo "INFO: zrok backend is already reserved: ${ZROK_RESERVED_TOKEN}"
fi
else
ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}"
[[ -n "${ZROK_TARGET:-}" ]] || {
echo "ERROR: ZROK_TARGET was not defined in /opt/openziti/etc/zrok/zrok-share.env." >&2
exit 1
}
[[ -n "${ZROK_BACKEND_MODE:-}" ]] || {
echo "WARNING: ZROK_BACKEND_MODE was not defined, assuming mode 'proxy'." >&2
ZROK_BACKEND_MODE="proxy"
}
case "${ZROK_BACKEND_MODE}" in
proxy)
if ! [[ "${ZROK_TARGET}" =~ ^https?:// ]]; then
echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an HTTP URL" >&2
exit 1
else
echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
fi
;;
caddy)
if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2
exit 1
elif ! [[ -f "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable regular file" >&2
exit 1
else
echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
fi
;;
web|drive)
if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2
exit 1
elif ! [[ -d "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable directory" >&2
exit 1
else
echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
fi
;;
*)
echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\
" ZROK_TARGET value will not validated before running." >&2
;;
esac
ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}"
if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
fi
if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
for EMAIL in ${ZROK_OAUTH_EMAILS}; do
ZROK_CMD+=" --oauth-email-domains ${EMAIL}"
done
fi
elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then
ZROK_CMD+=" --basic-auth ${ZROK_BASIC_AUTH}"
fi
echo "INFO: running: zrok ${ZROK_CMD}"
zrok ${ZROK_CMD} | jq -rc | tee ~/.zrok/reserved.json
fi
if ! [[ -s ~/.zrok/reserved.json ]]; then
echo "ERROR: empty or missing $(realpath ~/.zrok)/reserved.json" >&2
exit 1
else
ZROK_PUBLIC_URLS=$(jq -cr '.frontend_endpoints' ~/.zrok/reserved.json 2>/dev/null)
if [[ -z "${ZROK_PUBLIC_URLS}" || "${ZROK_PUBLIC_URLS}" == null ]]; then
echo "ERROR: frontend endpoints not defined in $(realpath ~/.zrok)/reserved.json" >&2
exit 1
else
echo "INFO: zrok public URLs: ${ZROK_PUBLIC_URLS}"
fi
ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)
if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then
echo "ERROR: zrok reservation token not defined in $(realpath ~/.zrok)/reserved.json" >&2
exit 1
fi
ZROK_CMD="share reserved ${ZROK_RESERVED_TOKEN} --headless --override-endpoint ${ZROK_TARGET}"
ZROK_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}"
if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
fi
echo "INFO: running: zrok ${ZROK_CMD}"
exec zrok ${ZROK_CMD}
fi
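Review bot: `echo "INFO: running: zrok ${ZROK_CMD}"` in the reserve branch writes the assembled command to stdout and hence the journal, and when `ZROK_BASIC_AUTH` is set that string contains `--basic-auth user:passwd` verbatim, so the share password is stored in `journalctl` output for everyone permitted to read the journal. Keep a redacted copy for logging: after `ZROK_CMD+=" --basic-auth ${ZROK_BASIC_AUTH}"` add `ZROK_CMD_LOG="${ZROK_CMD/"${ZROK_BASIC_AUTH}"/<redacted>}"` and log with `echo "INFO: running: zrok ${ZROK_CMD_LOG:-${ZROK_CMD}}"`. The reservation token is likewise echoed and `tee`d to stdout in three places; if that is acceptable it should be a deliberate choice noted in a comment rather than a side effect of `tee`. Unlike `zrok-enable.bash`, the `export HOME="${STATE_DIRECTORY%:*}"` line here has no guard, so running the script outside systemd dies with an unbound-variable error instead of the explanatory message the sibling script prints.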

83
nfpm/zrok-share.env Normal file

@ -0,0 +1,83 @@
# These values are sourced by the zrok-share.service. Search for "MUST" to identify the values that need to be changed.
#
## ZROK ENVIRONMENT
#
# You MUST enable a zrok environment by setting the environment enable token here. This file must be readable by
# 'other'. Obtain the enable token from the zrok console after accepting your invitation and creating a password.
#
# WARNING: changing these values has no effect if /var/lib/zrok-share/.zrok/environment.json exists. Remove that file to
# enable a new environment and /var/lib/zrok-share/.zrok/reserved.json to provision a new frontend URL for the specified
# target.
#
ZROK_ENABLE_TOKEN=""
#
# You MAY customize the environment name that appears in the zrok console.
#
ZROK_ENVIRONMENT_NAME=""
# You MUST set this only if self-hosting the zrok controller.
#ZROK_API_ENDPOINT="https://api.zrok.io"
#
## ZROK BACKEND TARGET
#
# You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY
# change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend
# authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with
# WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL.
#
# backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or
# 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control.
ZROK_TARGET="" # e.g., http://127.0.0.1:3000
ZROK_BACKEND_MODE="proxy"
# if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy'
# NOTE: changing this value does not require provisioning a new frontend URL
#ZROK_INSECURE="--insecure"
# backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an
# absolute path to a directory that is readable by 'other'
#ZROK_TARGET="/var/www/html"
#ZROK_BACKEND_MODE="web"
# backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute
# path to a directory that is readable by 'other'
#ZROK_TARGET="/usr/share/doc"
#ZROK_BACKEND_MODE="drive"
# backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that
# is readable by 'other'.
#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
#ZROK_BACKEND_MODE="caddy"
# DEBUG log level
# NOTE: changing this value does not require provisioning a new frontend URL
#ZROK_VERBOSE="--verbose"
# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
# WARNING: changing this value requires provisioning a new frontend URL
# NOTE: basic auth and oauth are mutually exclusive
ZROK_SHARE_OPTS=""
#
## ZROK FRONTEND
#
# you MAY set one OAuth2/OIDC provider; "google" and "github" are valid for the default instance api.zrok.io
# WARNING: changing this value requires provisioning a new frontend URL
# NOTE: basic auth and oauth are mutually exclusive
#ZROK_OAUTH_PROVIDER="google"
# you MAY restrict access to one or more email addresses or domains; must be a space-separate list
# WARNING: changing this value requires provisioning a new frontend URL
#ZROK_OAUTH_EMAILS="bob@acme.example.com alice@forge.example.com @corp.example.com"
# you MAY require a password with HTTP basic authentication
# WARNING: changing this value requires provisioning a new frontend URL
# NOTE: basic auth and oauth are mutually exclusive
#ZROK_BASIC_AUTH=""
# set if self-hosting zrok and not using only the default frontend name 'public'; must be a space-separated list
# WARNING: changing this value requires provisioning a new frontend URL
#ZROK_FRONTENDS="public"
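Review bot: The header says the file must be readable by 'other' but not that it is executed with `source` by `zrok-share.bash` and `zrok-enable.bash`, which is what determines how values must be written; add near the top `# this file is sourced as a shell script: quote values containing spaces, $ or quotes, e.g. ZROK_BASIC_AUTH='user:<password>'`. Because the file is world-readable by design and carries `ZROK_ENABLE_TOKEN` and optionally `ZROK_BASIC_AUTH`, the `ZROK_BASIC_AUTH` comment should also state that any local user on the host can read the password. Minor wording: `must be a space-separate list` in the `ZROK_OAUTH_EMAILS` comment should read `space-separated`.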

17
nfpm/zrok-share.service Normal file

@ -0,0 +1,17 @@
[Unit]
Description=zrok reserved public share service
After=network-online.target
[Service]
Type=simple
DynamicUser=yes
StateDirectory=zrok-share
UMask=0007
Environment=PFXLOG_NO_JSON=true
ExecStartPre=/opt/openziti/bin/zrok-enable.bash /opt/openziti/etc/zrok/zrok-share.env
ExecStart=/opt/openziti/bin/zrok-share.bash /opt/openziti/etc/zrok/zrok-share.env
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target
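Review bot: `After=network-online.target` has no matching `Wants=network-online.target`, and systemd documents that `After=` alone does not pull the target in, so the ordering is a no-op unless something else activates it and the `zrok enable`/`reserve` calls in `ExecStartPre`/`ExecStart` may run before the network is up; add `Wants=network-online.target` under `[Unit]`. With `DynamicUser=yes` the scripts run as an ephemeral user, which is why `/opt/openziti/etc/zrok/zrok-share.env` has to be world-readable even though it holds the enable token; if a group-readable file is wanted later, `SupplementaryGroups=` with a packaged group, or `LoadCredential=` with matching script changes, would allow tightening it, and a comment on `DynamicUser=yes` recording that trade-off would help the next maintainer.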