Merge branch 'stefanadelbert-linux-share-private' of github.com:openziti/zrok into stefanadelbert-linux-share-private

2024-11-21 23:53:19 +01:00 · 2024-06-27 11:43:26 -04:00 · 2024-06-27 11:43:26 -04:00 · 612d249c2d
commit 612d249c2d
parent 21253bad27 85c08b6ab5
6 changed files with 90 additions and 16 deletions
--- a/.goreleaser-linux-arm64.yml
+++ b/.goreleaser-linux-arm64.yml
@ -112,6 +112,9 @@ nfpms:
      - dst: /lib/systemd/system/
        src: ./nfpm/zrok-share.service

+      - dst: /etc/systemd/system/zrok-share.service.d/override.conf
+        src: ./nfpm/zrok-share.service.override.conf
+
      - dst: /opt/openziti/etc/zrok
        type: dir
        file_info:
--- a/.goreleaser-linux-armhf.yml
+++ b/.goreleaser-linux-armhf.yml
@ -112,6 +112,9 @@ nfpms:
      - dst: /lib/systemd/system/
        src: ./nfpm/zrok-share.service

+      - dst: /etc/systemd/system/zrok-share.service.d/override.conf
+        src: ./nfpm/zrok-share.service.override.conf
+
      - dst: /opt/openziti/etc/zrok
        type: dir
        file_info:
--- a/.goreleaser-linux.yml
+++ b/.goreleaser-linux.yml
@ -108,6 +108,9 @@ nfpms:
      - dst: /lib/systemd/system/
        src: ./nfpm/zrok-share.service

+      - dst: /etc/systemd/system/zrok-share.service.d/override.conf
+        src: ./nfpm/zrok-share.service.override.conf
+
      - dst: /opt/openziti/etc/zrok
        type: dir
        file_info:
--- a/nfpm/zrok-share.bash
+++ b/nfpm/zrok-share.bash
@ -55,7 +55,7 @@ fi
 }

 # default mode is 'reserved-public', override modes are reserved-private, temp-public, temp-private.
-: "${ZROK_FRONTEND_MODE:-reserved-public}"
+: "${ZROK_FRONTEND_MODE:=reserved-public}"
 if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
  ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}"
 elif [[ "${ZROK_FRONTEND_MODE:-}" == temp-private ]]; then
@ -121,13 +121,41 @@ case "${ZROK_BACKEND_MODE}" in
      echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
    fi
    ;;
+  tcpTunnel|udpTunnel|socks|vpn)
+    if ! [[ "${ZROK_FRONTEND_MODE}" =~ -private$ ]]; then
+      echo "ERROR: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is a private share backend mode and cannot be used with ZROK_FRONTEND_MODE='${ZROK_FRONTEND_MODE}'" >&2
+      exit 1
+    else
+      case "${ZROK_BACKEND_MODE}" in
+        tcpTunnel|udpTunnel)
+          echo "INFO: ${ZROK_BACKEND_MODE} backend mode has target '${ZROK_TARGET}'"
+          ;;
+        vpn)
+          if [[ -n "${ZROK_TARGET}" ]]; then
+            ZROK_SVC_FILE=/etc/systemd/system/zrok-share.service.d/override.conf
+            if ! grep -qE '^AmbientCapabilities=CAP_NET_ADMIN' "${ZROK_SVC_FILE}"; then
+              echo "ERROR: you must uncomment 'AmbientCapabilities=CAP_NET_ADMIN' in '${ZROK_SVC_FILE}'"\
+                    "and run 'systemctl daemon-reload' to enable VPN mode" >&2
+              exit 1
+            fi
+          fi
+          ;;
+        socks)
+          if [[ -n "${ZROK_TARGET}" ]]; then
+            echo "WARNING: ZROK_TARGET='${ZROK_TARGET}' is ignored with ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}'" >&2
+            unset ZROK_TARGET
+          fi
+          ;;
+      esac
+    fi
+    ;;
  *)
    echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\
          " ZROK_TARGET value will not validated before running." >&2
    ;;
 esac

-[[ -n "${ZROK_UNIQUE_NAME:-}" ]] && {
+[[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]] && {
  ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}"
 }

--- a/nfpm/zrok-share.env
+++ b/nfpm/zrok-share.env
@ -17,48 +17,65 @@ ZROK_ENABLE_TOKEN=""
 #
 ZROK_ENVIRONMENT_NAME=""

-# You MUST set this if not using the default zrok.io API endpoint
+# You MUST set this if not using the default API endpoint
 #ZROK_API_ENDPOINT="https://api.zrok.io"

 #
-## ZROK BACKEND TARGET
+## ZROK BACKEND MODE AND TARGET
 #
 # You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY
 # change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend
 # authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with
 # WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL.
+
 #
+## BACKEND MODES THAT WORK WITH PUBLIC AND PRIVATE HTTP SHARES
+#
+
 # backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or
 # 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control.
-ZROK_TARGET=""                  # e.g., http://127.0.0.1:3000
 ZROK_BACKEND_MODE="proxy"
+ZROK_TARGET=""                  # e.g., http://127.0.0.1:3000
 # if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy'
 # NOTE: changing this value does not require provisioning a new frontend URL
 #ZROK_INSECURE="--insecure"

 # backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an
 # absolute path to a directory that is readable by 'other'
-#ZROK_TARGET="/var/www/html"
 #ZROK_BACKEND_MODE="web"
+#ZROK_TARGET="/var/www/html"

 # backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute
 # path to a directory that is readable by 'other'
-#ZROK_TARGET="/usr/share/doc"
 #ZROK_BACKEND_MODE="drive"
+#ZROK_TARGET="/usr/share/doc"

 # backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that
 # is readable by 'other'.
-#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
 #ZROK_BACKEND_MODE="caddy"
+#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"

-# DEBUG log level
-# NOTE: changing this value does not require provisioning a new frontend URL
-#ZROK_VERBOSE="--verbose"
+#
+## BACKEND MODES THAT ONLY WORK WITH PRIVATE SHARES
+#

-# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
-# WARNING: changes take effect the next time the frontend URL is reserved
-# NOTE: basic auth and oauth are mutually exclusive
-ZROK_SHARE_OPTS=""
+# you MUST set ZROK_FRONTEND_MODE to 'reserved-private' or 'temp-private' to use private share backend modes
+
+#ZROK_BACKEND_MODE="tcpTunnel"
+#ZROK_TARGET="127.0.0.1:25565"
+
+#ZROK_BACKEND_MODE="udpTunnel"
+#ZROK_TARGET="127.0.0.1:53"
+
+# you MUST grant NET_ADMIN capability to the service to enable vpn mode, e.g., run these two commands:
+# sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /etc/systemd/system/zrok-share.service.d/override.conf
+# systemctl daemon-reload
+#ZROK_BACKEND_MODE="vpn"
+#ZROK_TARGET="172.16.0.1/12"
+
+# there is no target for socks mode because the share is only a dynamic exit for the proxy client
+#ZROK_BACKEND_MODE="socks"
+#ZROK_TARGET=""

 #
 ## ZROK FRONTEND 
@ -88,5 +105,15 @@ ZROK_SHARE_OPTS=""
 #ZROK_FRONTENDS="public"

 # you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private 
-# WARNING: changes take effect the next time the frontend URL is reserved
 #ZROK_FRONTEND_MODE="reserved-public"
+
+#
+## OPTIONS
+#
+
+# DEBUG log level
+# NOTE: changing this value does not require provisioning a new frontend URL
+#ZROK_VERBOSE="--verbose"
+
+# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
+ZROK_SHARE_OPTS=""
--- a/nfpm/zrok-share.service.override.conf
+++ b/nfpm/zrok-share.service.override.conf
@ -0,0 +1,10 @@
+[Service]
+
+#
+## extra permissions
+#
+
+# allow adding tun device and IP routes and iptables rules; required when ZROK_BACKEND_MODE=vpn
+# AmbientCapabilities=CAP_NET_ADMIN
+
+# you must run 'systemctl daemon-reload' after modifying this file