add zrok-share package
parent
6e16a856a7
commit
80d5123674
@ -57,3 +57,80 @@ nfpms:
|
|||||||
- src: /opt/openziti/bin/zrok
|
- src: /opt/openziti/bin/zrok
|
||||||
dst: /usr/bin/zrok
|
dst: /usr/bin/zrok
|
||||||
type: "symlink"
|
type: "symlink"
|
||||||
|
|
||||||
|
- package_name: zrok-share
|
||||||
|
id: zrok-share
|
||||||
|
vendor: NetFoundry
|
||||||
|
homepage: https://zrok.io/
|
||||||
|
maintainer: support@zrok.io
|
||||||
|
description: |-
|
||||||
|
This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the
|
||||||
|
desired target for sharing, and run "systemctl enable --now zrok-share.service".
|
||||||
|
license: Apache 2.0
|
||||||
|
|
||||||
|
# do not bundle the built binaries, only supporting files
|
||||||
|
meta: true
|
||||||
|
|
||||||
|
# Formats to be generated.
|
||||||
|
formats:
|
||||||
|
- deb
|
||||||
|
- rpm
|
||||||
|
|
||||||
|
# {{ .ConventionalFileName }} satisfies the RPM name convention.
|
||||||
|
file_name_template: "{{ .ConventionalFileName }}"
|
||||||
|
|
||||||
|
# Umask to be used on files without explicit mode set. (overridable)
|
||||||
|
umask: 0o002
|
||||||
|
|
||||||
|
# Package version within this release version.
|
||||||
|
release: 1
|
||||||
|
|
||||||
|
# Section.
|
||||||
|
section: default
|
||||||
|
|
||||||
|
# Priority.
|
||||||
|
priority: optional
|
||||||
|
|
||||||
|
# GoReleaser will automatically add the binaries here
|
||||||
|
dependencies:
|
||||||
|
- zrok
|
||||||
|
|
||||||
|
# this allows users to satisfy the requirement for jq another way, not with the package manager, e.g.
|
||||||
|
# apt install --no-recommends zrok-share
|
||||||
|
recommends:
|
||||||
|
- jq
|
||||||
|
|
||||||
|
overrides:
|
||||||
|
# yum and dnf do not automatically install "weak deps" aka "recommends", so we need to add them as a dependency
|
||||||
|
rpm:
|
||||||
|
dependencies:
|
||||||
|
- zrok
|
||||||
|
- jq
|
||||||
|
|
||||||
|
# Contents to add to the package.
|
||||||
|
contents:
|
||||||
|
- dst: /lib/systemd/system/
|
||||||
|
src: ./nfpm/zrok-share.service
|
||||||
|
|
||||||
|
- dst: /opt/openziti/etc/zrok
|
||||||
|
type: dir
|
||||||
|
file_info:
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- dst: /opt/openziti/bin/
|
||||||
|
src: ./nfpm/zrok-share.bash
|
||||||
|
file_info:
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- dst: /opt/openziti/bin/
|
||||||
|
src: ./nfpm/zrok-enable.bash
|
||||||
|
file_info:
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- dst: /opt/openziti/etc/zrok/
|
||||||
|
src: ./nfpm/zrok-share.env
|
||||||
|
type: config|noreplace
|
||||||
|
|
||||||
|
- dst: /opt/openziti/etc/zrok/
|
||||||
|
src: ./etc/caddy/multiple_upstream.Caddyfile
|
||||||
|
type: config|noreplace
|
||||||
|
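Review bot: The two `type: config|noreplace` entries at the end of `contents:` carry no `file_info`, unlike the directory and script entries, so the permissions of `zrok-share.env` are presumably left to the source file's mode and `umask: 0o002`; that is the file where the package description tells operators to put their settings, including `ZROK_ENABLE_TOKEN`. State the intended mode explicitly on that entry with a `file_info:` / `mode:` pair and a comment naming who must be able to read it. The comment `# GoReleaser will automatically add the binaries here` above `dependencies:` contradicts `meta: true`; something like `# zrok-share ships only supporting files; the binary comes from the zrok package` matches what the block does. The same block is repeated in the next two `nfpms:` hunks (`@ -57,3 +57,80 @@` and `@ -53,3 +53,80 @@`), and both points apply there as well.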
@ -57,3 +57,80 @@ nfpms:
|
|||||||
- src: /opt/openziti/bin/zrok
|
- src: /opt/openziti/bin/zrok
|
||||||
dst: /usr/bin/zrok
|
dst: /usr/bin/zrok
|
||||||
type: "symlink"
|
type: "symlink"
|
||||||
|
|
||||||
|
- package_name: zrok-share
|
||||||
|
id: zrok-share
|
||||||
|
vendor: NetFoundry
|
||||||
|
homepage: https://zrok.io/
|
||||||
|
maintainer: support@zrok.io
|
||||||
|
description: |-
|
||||||
|
This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the
|
||||||
|
desired target for sharing, and run "systemctl enable --now zrok-share.service".
|
||||||
|
license: Apache 2.0
|
||||||
|
|
||||||
|
# do not bundle the built binaries, only supporting files
|
||||||
|
meta: true
|
||||||
|
|
||||||
|
# Formats to be generated.
|
||||||
|
formats:
|
||||||
|
- deb
|
||||||
|
- rpm
|
||||||
|
|
||||||
|
# {{ .ConventionalFileName }} satisfies the RPM name convention.
|
||||||
|
file_name_template: "{{ .ConventionalFileName }}"
|
||||||
|
|
||||||
|
# Umask to be used on files without explicit mode set. (overridable)
|
||||||
|
umask: 0o002
|
||||||
|
|
||||||
|
# Package version within this release version.
|
||||||
|
release: 1
|
||||||
|
|
||||||
|
# Section.
|
||||||
|
section: default
|
||||||
|
|
||||||
|
# Priority.
|
||||||
|
priority: optional
|
||||||
|
|
||||||
|
# GoReleaser will automatically add the binaries here
|
||||||
|
dependencies:
|
||||||
|
- zrok
|
||||||
|
|
||||||
|
# this allows users to satisfy the requirement for jq another way, not with the package manager, e.g.
|
||||||
|
# apt install --no-recommends zrok-share
|
||||||
|
recommends:
|
||||||
|
- jq
|
||||||
|
|
||||||
|
overrides:
|
||||||
|
# yum and dnf do not automatically install "weak deps" aka "recommends", so we need to add them as a dependency
|
||||||
|
rpm:
|
||||||
|
dependencies:
|
||||||
|
- zrok
|
||||||
|
- jq
|
||||||
|
|
||||||
|
# Contents to add to the package.
|
||||||
|
contents:
|
||||||
|
- dst: /lib/systemd/system/
|
||||||
|
src: ./nfpm/zrok-share.service
|
||||||
|
|
||||||
|
- dst: /opt/openziti/etc/zrok
|
||||||
|
type: dir
|
||||||
|
file_info:
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- dst: /opt/openziti/bin/
|
||||||
|
src: ./nfpm/zrok-share.bash
|
||||||
|
file_info:
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- dst: /opt/openziti/bin/
|
||||||
|
src: ./nfpm/zrok-enable.bash
|
||||||
|
file_info:
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- dst: /opt/openziti/etc/zrok/
|
||||||
|
src: ./nfpm/zrok-share.env
|
||||||
|
type: config|noreplace
|
||||||
|
|
||||||
|
- dst: /opt/openziti/etc/zrok/
|
||||||
|
src: ./etc/caddy/multiple_upstream.Caddyfile
|
||||||
|
type: config|noreplace
|
||||||
|
@ -53,3 +53,80 @@ nfpms:
|
|||||||
- src: /opt/openziti/bin/zrok
|
- src: /opt/openziti/bin/zrok
|
||||||
dst: /usr/bin/zrok
|
dst: /usr/bin/zrok
|
||||||
type: "symlink"
|
type: "symlink"
|
||||||
|
|
||||||
|
- package_name: zrok-share
|
||||||
|
id: zrok-share
|
||||||
|
vendor: NetFoundry
|
||||||
|
homepage: https://zrok.io/
|
||||||
|
maintainer: support@zrok.io
|
||||||
|
description: |-
|
||||||
|
This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the
|
||||||
|
desired target for sharing, and run "systemctl enable --now zrok-share.service".
|
||||||
|
license: Apache 2.0
|
||||||
|
|
||||||
|
# do not bundle the built binaries, only supporting files
|
||||||
|
meta: true
|
||||||
|
|
||||||
|
# Formats to be generated.
|
||||||
|
formats:
|
||||||
|
- deb
|
||||||
|
- rpm
|
||||||
|
|
||||||
|
# {{ .ConventionalFileName }} satisfies the RPM name convention.
|
||||||
|
file_name_template: "{{ .ConventionalFileName }}"
|
||||||
|
|
||||||
|
# Umask to be used on files without explicit mode set. (overridable)
|
||||||
|
umask: 0o002
|
||||||
|
|
||||||
|
# Package version within this release version.
|
||||||
|
release: 1
|
||||||
|
|
||||||
|
# Section.
|
||||||
|
section: default
|
||||||
|
|
||||||
|
# Priority.
|
||||||
|
priority: optional
|
||||||
|
|
||||||
|
# GoReleaser will automatically add the binaries here
|
||||||
|
dependencies:
|
||||||
|
- zrok
|
||||||
|
|
||||||
|
# this allows users to satisfy the requirement for jq another way, not with the package manager, e.g.
|
||||||
|
# apt install --no-recommends zrok-share
|
||||||
|
recommends:
|
||||||
|
- jq
|
||||||
|
|
||||||
|
overrides:
|
||||||
|
# yum and dnf do not automatically install "weak deps" aka "recommends", so we need to add them as a dependency
|
||||||
|
rpm:
|
||||||
|
dependencies:
|
||||||
|
- zrok
|
||||||
|
- jq
|
||||||
|
|
||||||
|
# Contents to add to the package.
|
||||||
|
contents:
|
||||||
|
- dst: /lib/systemd/system/
|
||||||
|
src: ./nfpm/zrok-share.service
|
||||||
|
|
||||||
|
- dst: /opt/openziti/etc/zrok
|
||||||
|
type: dir
|
||||||
|
file_info:
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- dst: /opt/openziti/bin/
|
||||||
|
src: ./nfpm/zrok-share.bash
|
||||||
|
file_info:
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- dst: /opt/openziti/bin/
|
||||||
|
src: ./nfpm/zrok-enable.bash
|
||||||
|
file_info:
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- dst: /opt/openziti/etc/zrok/
|
||||||
|
src: ./nfpm/zrok-share.env
|
||||||
|
type: config|noreplace
|
||||||
|
|
||||||
|
- dst: /opt/openziti/etc/zrok/
|
||||||
|
src: ./etc/caddy/multiple_upstream.Caddyfile
|
||||||
|
type: config|noreplace
|
||||||
|
@ -32,7 +32,7 @@ services:
|
|||||||
|
|
||||||
zrok-share:
|
zrok-share:
|
||||||
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
|
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
|
||||||
command: share private --headless --backend-mode proxy ${ZROK_BACKEND:-http://zrok-test:9090/}
|
command: share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}
|
||||||
depends_on:
|
depends_on:
|
||||||
zrok-enable:
|
zrok-enable:
|
||||||
condition: service_completed_successfully
|
condition: service_completed_successfully
|
||||||
|
@ -7,7 +7,7 @@ services:
|
|||||||
- sh
|
- sh
|
||||||
- -euc
|
- -euc
|
||||||
- |
|
- |
|
||||||
ZROK_UPSTREAM_URL="${ZROK_BACKEND:-http://zrok-test:9090}"
|
ZROK_UPSTREAM_URL="${ZROK_TARGET:-http://zrok-test:9090}"
|
||||||
ZROK_UPSTREAM_HOST="$(echo $${ZROK_UPSTREAM_URL}|sed -E 's#^https?://([^/:]+).*#\1#')"
|
ZROK_UPSTREAM_HOST="$(echo $${ZROK_UPSTREAM_URL}|sed -E 's#^https?://([^/:]+).*#\1#')"
|
||||||
mkdir -p /mnt/.zrok
|
mkdir -p /mnt/.zrok
|
||||||
cat <<CADDYFILE >| /mnt/.zrok/Caddyfile
|
cat <<CADDYFILE >| /mnt/.zrok/Caddyfile
|
||||||
@ -90,12 +90,12 @@ services:
|
|||||||
- -euc
|
- -euc
|
||||||
- |
|
- |
|
||||||
if [[ -s ~/.zrok/reserved.json ]]; then
|
if [[ -s ~/.zrok/reserved.json ]]; then
|
||||||
ZROK_RESERVE_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)"
|
ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)"
|
||||||
if [[ -z "$${ZROK_RESERVE_TOKEN}" || "$${ZROK_RESERVE_TOKEN}" == null ]]; then
|
if [[ -z "$${ZROK_RESERVED_TOKEN}" || "$${ZROK_RESERVED_TOKEN}" == null ]]; then
|
||||||
echo "ERROR: invalid reserved.json: $(jq -c . ~/.zrok/reserved.json)" >&2
|
echo "ERROR: invalid reserved.json: $(jq -c . ~/.zrok/reserved.json)" >&2
|
||||||
exit 1
|
exit 1
|
||||||
else
|
else
|
||||||
echo "INFO: zrok backend is already reserved: $${ZROK_RESERVE_TOKEN}"
|
echo "INFO: zrok backend is already reserved: $${ZROK_RESERVED_TOKEN}"
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
@ -108,7 +108,7 @@ services:
|
|||||||
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
|
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
|
||||||
fi
|
fi
|
||||||
if [[ -n "${ZROK_BACKEND_MODE:-}" && "${ZROK_BACKEND_MODE}" != caddy ]]; then
|
if [[ -n "${ZROK_BACKEND_MODE:-}" && "${ZROK_BACKEND_MODE}" != caddy ]]; then
|
||||||
ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_BACKEND:-http://zrok-test:9090}"
|
ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET:-http://zrok-test:9090}"
|
||||||
else
|
else
|
||||||
ZROK_CMD+=" --backend-mode caddy /mnt/.zrok/Caddyfile"
|
ZROK_CMD+=" --backend-mode caddy /mnt/.zrok/Caddyfile"
|
||||||
fi
|
fi
|
||||||
@ -138,21 +138,21 @@ services:
|
|||||||
if [[ -z "$${ZROK_PUBLIC_URLS}" || "$${ZROK_PUBLIC_URLS}" == null ]]; then
|
if [[ -z "$${ZROK_PUBLIC_URLS}" || "$${ZROK_PUBLIC_URLS}" == null ]]; then
|
||||||
echo "ERROR: frontend endpoints not defined" >&2
|
echo "ERROR: frontend endpoints not defined" >&2
|
||||||
exit 1
|
exit 1
|
||||||
else
|
else
|
||||||
echo "INFO: zrok public URLs: $${ZROK_PUBLIC_URLS}"
|
echo "INFO: zrok public URLs: $${ZROK_PUBLIC_URLS}"
|
||||||
fi
|
fi
|
||||||
ZROK_RESERVE_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)
|
ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)
|
||||||
if [[ -z "$${ZROK_RESERVE_TOKEN}" && "$${ZROK_RESERVE_TOKEN}" == null ]]; then
|
if [[ -z "$${ZROK_RESERVED_TOKEN}" && "$${ZROK_RESERVED_TOKEN}" == null ]]; then
|
||||||
echo "ERROR: zrok reservation token not defined" >&2
|
echo "ERROR: zrok reservation token not defined" >&2
|
||||||
exit 1
|
exit 1
|
||||||
else
|
else
|
||||||
echo "INFO: zrok reservation token: $${ZROK_RESERVE_TOKEN}"
|
echo "INFO: zrok reservation token: $${ZROK_RESERVED_TOKEN}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "INFO: running: zrok $${@} $${ZROK_RESERVE_TOKEN}"
|
echo "INFO: running: zrok $${@} $${ZROK_RESERVED_TOKEN}"
|
||||||
exec zrok "$${@}" $${ZROK_RESERVE_TOKEN}
|
exec zrok "$${@}" $${ZROK_RESERVED_TOKEN}
|
||||||
fi
|
fi
|
||||||
command: -- share reserved --headless
|
command: -- share reserved --headless
|
||||||
depends_on:
|
depends_on:
|
||||||
zrok-reserve:
|
zrok-reserve:
|
||||||
condition: service_completed_successfully
|
condition: service_completed_successfully
|
||||||
|
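Review bot: In the `@ -138,21 +138,21 @@` hunk the renamed guard `if [[ -z "$${ZROK_RESERVED_TOKEN}" && "$${ZROK_RESERVED_TOKEN}" == null ]]` can never be true, because a value cannot be both empty and the string `null`, so a missing token falls through to `exec zrok`. The check in the `@ -90,12 +90,12 @@` hunk uses `||`, and this one should match: `if [[ -z "$${ZROK_RESERVED_TOKEN}" || "$${ZROK_RESERVED_TOKEN}" == null ]]; then`. The `&&` predates this commit, which only renames the variable, but the rename touches the line and is a natural place to fix it. The enclosing script starts above the hunk.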
@ -48,7 +48,7 @@ services:
|
|||||||
if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
|
if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
|
||||||
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
|
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
|
||||||
fi
|
fi
|
||||||
ZROK_CMD+=" --backend-mode proxy ${ZROK_BACKEND:-http://zrok-test:9090/}"
|
ZROK_CMD+=" --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}"
|
||||||
echo "INFO: running: zrok $${ZROK_CMD}"
|
echo "INFO: running: zrok $${ZROK_CMD}"
|
||||||
exec zrok $${ZROK_CMD}
|
exec zrok $${ZROK_CMD}
|
||||||
depends_on:
|
depends_on:
|
||||||
|
@ -54,10 +54,10 @@ This concludes sharing the demo web server. Read on to learn how to pivot to sha
|
|||||||
|
|
||||||
## Proxy Any Web Server
|
## Proxy Any Web Server
|
||||||
|
|
||||||
The simplest way to share your web server is to set `ZROK_BACKEND` (e.g. `https://example.com`) in the environment of the `docker compose up` command. When you restart the share will auto-configure for that upstream server URL. This applies to both temporary and reserved public shares.
|
The simplest way to share your web server is to set `ZROK_TARGET` (e.g. `https://example.com`) in the environment of the `docker compose up` command. When you restart the share will auto-configure for that upstream server URL. This applies to both temporary and reserved public shares.
|
||||||
|
|
||||||
```bash title=".env"
|
```bash title=".env"
|
||||||
ZROK_BACKEND="http://example.com:8080"
|
ZROK_TARGET="http://example.com:8080"
|
||||||
```
|
```
|
||||||
|
|
||||||
## Require Authentication
|
## Require Authentication
|
||||||
|
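--- a/etc/caddy/README.md
+++ b/etc/caddy/README.md
@@ -0,0 +1,21 @@
+
+# Caddyfile Samples
+
+The Caddyfile samples in this directory are for use with `--backend-mode caddy ./my.Caddyfile` which runs an embedded
+Caddy server.
+
+With a zrok reserved share, you have the option to permanently override the path to the Caddyfile when you run `zrok
+share reserved ${ZROK_RESERVED_TOKEN} --override-endpoint new.Caddyfile`.
+
+The Caddyfile must have this structure because it is rendered as a Go template by zrok to bind the HTTP listener.
+
+```console
+http:// {
+bind {{ .ZrokBindAddress }}
+# customize reverse_proxy, file_server, etc.
+}
+```
+
+## Notes
+
+multiple_upstream.Caddyfile is bundled in the zrok-share package for Linux as an example Caddyfile.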
@ -2,18 +2,24 @@
|
|||||||
#
|
#
|
||||||
http:// {
|
http:// {
|
||||||
# Bind to the zrok share
|
# Bind to the zrok share
|
||||||
bind {{ .ZrokBindAddress }}
|
bind {{ .ZrokBindAddress }}
|
||||||
|
|
||||||
# Handle paths starting with `/zrok/*`
|
# Handle paths starting with `/zrok/*`
|
||||||
# This will also strip the `/zrok/` from the path before sending to the backend
|
# This will also strip the `/zrok/` from the path before sending to the backend
|
||||||
handle_path /zrok/* {
|
handle_path /zrok/* {
|
||||||
reverse_proxy https://zrok.io {
|
reverse_proxy https://zrok.io {
|
||||||
header_up Host zrok.io
|
header_up Host zrok.io
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# All other traffic goes to localhost:3000
|
# serve index.html if it exists, else a file index
|
||||||
reverse_proxy /* 127.0.0.1:3000 {
|
handle_path /zrok-static/* {
|
||||||
header_up Host localhost:3000
|
root * /var/www/html
|
||||||
}
|
file_server browse
|
||||||
|
}
|
||||||
|
|
||||||
|
# All other traffic goes to localhost:3000
|
||||||
|
reverse_proxy /* 127.0.0.1:3000 {
|
||||||
|
header_up Host localhost:3000
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
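Review bot: The new `handle_path /zrok-static/*` block serves `/var/www/html` with `file_server browse`, and the README added in this commit says this sample is bundled in the zrok-share package as the example Caddyfile, so an operator who points `ZROK_TARGET` at it unchanged publishes a directory listing of that path on the share. Say so in the comment above the block, e.g. `# NOTE: "browse" lists every file under the root to anyone who can reach the share; remove it to serve index.html only`, or ship the sample with plain `file_server` and leave `browse` as a commented-out option.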
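--- a/nfpm/README.md
+++ b/nfpm/README.md
@@ -0,0 +1,4 @@
+
+# nfpm supporting files
+
+These files are sourced by nfpm when invoked by goreleaser to build Linux packages.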
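--- a/nfpm/zrok-enable.bash
+++ b/nfpm/zrok-enable.bash
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+#
+# this script uses a zrok enable token to enable a zrok environment in $HOME/.zrok
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+BASENAME=$(basename "$0")
+DEFAULT_ZROK_ENVIRONMENT_NAME="zrok-share.service on $(hostname -s)"
+
+if (( $# )); then
+case $1 in
+-h|*help)
+echo -e \
+"Usage: ${BASENAME} FILENAME\n"\
+"\tFILENAME\tfile containing environment variables to set"
+exit 0
+;;
+esac
+fi
+
+# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd, e.g. /var/lib/zrok-share
+if [[ -n "${STATE_DIRECTORY:-}" ]]; then
+export HOME="${STATE_DIRECTORY%:*}"
+else
+echo "ERROR: STATE_DIRECTORY is undefined. This script must be run from systemd because it runs as a"\
+"dynamically-allocated user and exclusively manages the files in STATE_DIRECTORY" >&2
+exit 1
+fi
+
+if [[ -s ~/.zrok/environment.json ]]; then
+echo "INFO: zrok environment is already enabled. Delete '$(realpath ~/.zrok/environment.json)' if you want to create a"\
+"new environment."
+exit 0
+fi
+
+if (( $# )); then
+if [[ -s "$1" ]]; then
+source "$1"
+else
+echo "ERROR: \$1="$1" is empty or not a readable file" >&2
+exit 1
+fi
+else
+echo "ERROR: need filename argument to read environment configuration" >&2
+exit 1
+fi
+
+if [[ -z "${ZROK_ENABLE_TOKEN}" ]]; then
+echo "ERROR: ZROK_ENABLE_TOKEN is not defined" >&2
+exit 1
+else
+zrok config set apiEndpoint "${ZROK_API_ENDPOINT:-https://api.zrok.io}"
+echo "INFO: running: zrok enable ..."
+exec zrok enable --headless --description "${ZROK_ENVIRONMENT_NAME:-${DEFAULT_ZROK_ENVIRONMENT_NAME}}" "${ZROK_ENABLE_TOKEN}"
+fi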
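Review bot: With `set -o nounset` in effect, `if [[ -z "${ZROK_ENABLE_TOKEN}" ]]` aborts with an unbound-variable error when the sourced file does not define the variable at all, so the `ERROR: ZROK_ENABLE_TOKEN is not defined` branch is reached only for an empty value; `if [[ -z "${ZROK_ENABLE_TOKEN:-}" ]]; then` covers both cases. `export HOME="${STATE_DIRECTORY%:*}"` removes only the last colon-separated entry, which differs from the comment above it once more than two directories are listed; `${STATE_DIRECTORY%%:*}` yields the first one. In `echo "ERROR: \$1="$1" is empty or not a readable file"` the inner double quotes end the string and leave `$1` unquoted; single quotes inside the message, as in `'$1'`, keep it one argument.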
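--- a/nfpm/zrok-share.bash
+++ b/nfpm/zrok-share.bash
@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+#
+# this script shares the configured backend for a reserved share token
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if ! command -v jq &>/dev/null; then
+echo "ERROR: jq is needed but not installed" >&2
+exit 1
+fi
+
+# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd, e.g. /var/lib/zrok-share
+export HOME="${STATE_DIRECTORY%:*}"
+
+if (( $# )); then
+if [[ -s "$1" ]]; then
+source "$1"
+else
+echo "ERROR: '$1' is empty or not readable" >&2
+exit 1
+fi
+else
+# TODO: consider defining a default environment file
+# if [[ -s /opt/openziti/etc/zrok.env ]]; then
+# source /opt/openziti/etc/zrok.env
+# else
+# echo "ERROR: need /opt/openziti/etc/zrok.env or filename argument to read share configuration" >&2
+# exit 1
+# fi
+echo "ERROR: need filename argument to read share configuration" >&2
+exit 1
+fi
+
+if [[ -s ~/.zrok/reserved.json ]]; then
+ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)"
+if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then
+echo "ERROR: invalid reserved.json: '$(jq -c . ~/.zrok/reserved.json)'" >&2
+exit 1
+else
+echo "INFO: zrok backend is already reserved: ${ZROK_RESERVED_TOKEN}"
+fi
+else
+ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}"
+[[ -n "${ZROK_TARGET:-}" ]] || {
+echo "ERROR: ZROK_TARGET was not defined in /opt/openziti/etc/zrok/zrok-share.env." >&2
+exit 1
+}
+[[ -n "${ZROK_BACKEND_MODE:-}" ]] || {
+echo "WARNING: ZROK_BACKEND_MODE was not defined, assuming mode 'proxy'." >&2
+ZROK_BACKEND_MODE="proxy"
+}
+case "${ZROK_BACKEND_MODE}" in
+proxy)
+if ! [[ "${ZROK_TARGET}" =~ ^https?:// ]]; then
+echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an HTTP URL" >&2
+exit 1
+else
+echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
+fi
+;;
+caddy)
+if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
+echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2
+exit 1
+elif ! [[ -f "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
+echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable regular file" >&2
+exit 1
+else
+echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
+fi
+;;
+web|drive)
+if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
+echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2
+exit 1
+elif ! [[ -d "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
+echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable directory" >&2
+exit 1
+else
+echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
+fi
+;;
+*)
+echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\
+" ZROK_TARGET value will not validated before running." >&2
+;;
+esac
+ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}"
+if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
+ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
+fi
+if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
+ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
+fi
+if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
+for EMAIL in ${ZROK_OAUTH_EMAILS}; do
+if ! [[ ${EMAIL} =~ @ ]]; then
+echo "WARNING: '${EMAIL}' does not contain '@' so it may match more than one email domain!" >&2
+fi
+ZROK_CMD+=" --oauth-email-domains ${EMAIL}"
+done
+fi
+echo "INFO: running: zrok ${ZROK_CMD}"
+zrok ${ZROK_CMD} | jq -rc | tee ~/.zrok/reserved.json
+fi
+
+if ! [[ -s ~/.zrok/reserved.json ]]; then
+echo "ERROR: empty or missing $(realpath ~/.zrok)/reserved.json" >&2
+exit 1
+else
+ZROK_PUBLIC_URLS=$(jq -cr '.frontend_endpoints' ~/.zrok/reserved.json 2>/dev/null)
+if [[ -z "${ZROK_PUBLIC_URLS}" || "${ZROK_PUBLIC_URLS}" == null ]]; then
+echo "ERROR: frontend endpoints not defined in $(realpath ~/.zrok)/reserved.json" >&2
+exit 1
+else
+echo "INFO: zrok public URLs: ${ZROK_PUBLIC_URLS}"
+fi
+ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)
+if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then
+echo "ERROR: zrok reservation token not defined in $(realpath ~/.zrok)/reserved.json" >&2
+exit 1
+fi
+ZROK_CMD="share reserved ${ZROK_RESERVED_TOKEN} --headless --override-endpoint ${ZROK_TARGET}"
+ZROK_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}"
+if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then
+ZROK_CMD+=" ${ZROK_SHARE_OPTS}"
+fi
+echo "INFO: running: zrok ${ZROK_CMD}"
+exec zrok ${ZROK_CMD}
+fi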
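Review bot: `ZROK_TARGET` and `ZROK_BACKEND_MODE` are validated only in the `else` branch that runs `reserve public`, so once `~/.zrok/reserved.json` exists every later start passes an unchecked `${ZROK_TARGET}` to `--override-endpoint`, and an unset one stops the script with an unbound-variable error under `nounset` instead of the intended message. Moving the `[[ -n "${ZROK_TARGET:-}" ]]` test and the `case "${ZROK_BACKEND_MODE}"` validation above `if [[ -s ~/.zrok/reserved.json ]]` would apply them on every start. `export HOME="${STATE_DIRECTORY%:*}"` also lacks the `${STATE_DIRECTORY:-}` guard that zrok-enable.bash has. Because the command is assembled as a string and expanded unquoted in `zrok ${ZROK_CMD}` and `exec zrok ${ZROK_CMD}`, a target path containing spaces or glob characters is split or expanded; a bash array (`ZROK_CMD=(reserve public --json-output)`, then `zrok "${ZROK_CMD[@]}"`) keeps each argument intact, with `ZROK_SHARE_OPTS` split deliberately where it is appended.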
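--- a/nfpm/zrok-share.env
+++ b/nfpm/zrok-share.env
@@ -0,0 +1,79 @@
+# These values are sourced by the zrok-share.service. Search for "MUST" to identify the values that need to be changed.
+
+#
+## ZROK ENVIRONMENT
+#
+# You MUST enable a zrok environment. You MAY set the environment enable token here, or run
+# /opt/openziti/bin/zrok-enable.bash as root for an interactive prompt to avoid saving the enable token to disk. Obtain
+# the enable token from the zrok console after accepting your invitation and creating a password.
+#
+# WARNING: changing these values has no effect if /var/lib/zrok-share/.zrok/environment.json exists. Remove that file to
+# enable a new environment and /var/lib/zrok-share/.zrok/reserved.json to provision a new frontend URL for the specified
+# target.
+#
+ZROK_ENABLE_TOKEN=""
+
+#
+# You MAY customize the environment name that appears in the zrok console.
+#
+ZROK_ENVIRONMENT_NAME=""
+
+# set if self-hosting zrok
+#ZROK_API_ENDPOINT="https://api.zrok.io"
+
+#
+## ZROK BACKEND TARGET
+#
+# You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY
+# change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend
+# authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with
+# WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL.
+#
+# backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or
+# 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control.
+ZROK_TARGET="" # e.g., http://127.0.0.1:3000
+ZROK_BACKEND_MODE="proxy"
+# if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy'
+# NOTE: changing this value does not require provisioning a new frontend URL
+#ZROK_INSECURE="--insecure"
+
+# backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an
+# absolute path to a directory that is readable by 'other'
+#ZROK_TARGET="/var/www/html"
+#ZROK_BACKEND_MODE="web"
+
+# backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute
+# path to a directory that is readable by 'other'
+#ZROK_TARGET="/usr/share/doc"
+#ZROK_BACKEND_MODE="drive"
+
+# backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that
+# is readable by 'other'.
+#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
+#ZROK_BACKEND_MODE="caddy"
+
+# DEBUG log level
+# NOTE: changing this value does not require provisioning a new frontend URL
+#ZROK_VERBOSE="--verbose"
+
+# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
+# WARNING: changing this value requires provisioning a new frontend URL
+# NOTE: basic auth and oauth are mutually exclusive
+ZROK_SHARE_OPTS=""
+
+#
+## ZROK FRONTEND
+#
+
+# you MAY set one OAuth2/OIDC provider; "google" and "github" are valid for the default instance api.zrok.io
+# WARNING: changing this value requires provisioning a new frontend URL
+# NOTE: basic auth and oauth are mutually exclusive
+#ZROK_OAUTH_PROVIDER="google"
+
+# you MAY restrict access to one or more email addresses or domains; must be a space-separate list
+# WARNING: changing this value requires provisioning a new frontend URL
+#ZROK_OAUTH_EMAILS="bob@acme.example.com alice@forge.example.com @corp.example.com"
+
+# set if self-hosting zrok and not using only the default frontend name 'public'; must be a space-separated list
+# WARNING: changing this value requires provisioning a new frontend URL
+#ZROK_FRONTENDS="public"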
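Review bot: The header comment says `/opt/openziti/bin/zrok-enable.bash` can be run as root "for an interactive prompt to avoid saving the enable token to disk", but the script added in this commit has no prompt: it exits unless `STATE_DIRECTORY` is set and reads the token only from the file passed as its argument. Describe the path that exists instead, e.g. `# Set the enable token here; it is only read until /var/lib/zrok-share/.zrok/environment.json has been created and can be blanked afterwards.`, which matches the early `exit 0` in zrok-enable.bash. `ZROK_FRONTENDS` is documented at the end of the file, yet neither script in this commit reads it, so setting it has no effect as the scripts stand; either wire it into the `reserve public` command or drop the entry.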
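--- a/nfpm/zrok-share.service
+++ b/nfpm/zrok-share.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=zrok reserved public share service
+After=network-online.target
+
+[Service]
+Type=simple
+DynamicUser=yes
+StateDirectory=zrok-share
+UMask=0007
+Environment=PFXLOG_NO_JSON=true
+ExecStartPre=/opt/openziti/bin/zrok-enable.bash /opt/openziti/etc/zrok/zrok-share.env
+ExecStart=/opt/openziti/bin/zrok-share.bash /opt/openziti/etc/zrok/zrok-share.env
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target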
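Review bot: `After=network-online.target` only orders the unit; without `Wants=network-online.target` nothing in this unit pulls that target in, so the ordering may have no effect on hosts where no other unit wants it. Add `Wants=network-online.target` under `[Unit]`. Because the unit runs with `DynamicUser=yes` and both scripts `source` `/opt/openziti/etc/zrok/zrok-share.env` themselves, that file, which can hold `ZROK_ENABLE_TOKEN`, has to be readable by an unprivileged dynamic user and therefore in practice by every local account. Letting systemd hand the value over (`LoadCredential=` or `EnvironmentFile=`, with the scripts reading from there) would allow the packaged file to be root-only.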