Merge pull request #652 from openziti/stefanadelbert-linux-share-private

Stefanadelbert linux share private
2024-11-21 23:53:19 +01:00 · 2024-06-27 12:26:11 -04:00 · 2024-06-27 12:26:11 -04:00 · f95ee5984c
commit f95ee5984c
parent 82f56fea83 336256ae69
7 changed files with 111 additions and 21 deletions
--- a/.goreleaser-linux-arm64.yml
+++ b/.goreleaser-linux-arm64.yml
@ -112,6 +112,9 @@ nfpms:
      - dst: /lib/systemd/system/
        src: ./nfpm/zrok-share.service

+      - dst: /etc/systemd/system/zrok-share.service.d/override.conf
+        src: ./nfpm/zrok-share.service.override.conf
+
      - dst: /opt/openziti/etc/zrok
        type: dir
        file_info:
--- a/.goreleaser-linux-armhf.yml
+++ b/.goreleaser-linux-armhf.yml
@ -112,6 +112,9 @@ nfpms:
      - dst: /lib/systemd/system/
        src: ./nfpm/zrok-share.service

+      - dst: /etc/systemd/system/zrok-share.service.d/override.conf
+        src: ./nfpm/zrok-share.service.override.conf
+
      - dst: /opt/openziti/etc/zrok
        type: dir
        file_info:
--- a/.goreleaser-linux.yml
+++ b/.goreleaser-linux.yml
@ -108,6 +108,9 @@ nfpms:
      - dst: /lib/systemd/system/
        src: ./nfpm/zrok-share.service

+      - dst: /etc/systemd/system/zrok-share.service.d/override.conf
+        src: ./nfpm/zrok-share.service.override.conf
+
      - dst: /opt/openziti/etc/zrok
        type: dir
        file_info:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,9 +2,12 @@

 ## v0.4.34

+FEATURE: Linux service support for all private share modes (contribution from Stefan Adelbert @stefanadelbert)
+
 FIX: Fix for mixing limited and unlimited (-1) resource counts in the limits system (https://github.com/openziti/zrok/issues/680)

 CHANGE: bump many GitHub Actions that were using deprecated distributions of Node.js
+
 CHANGE: bump macOS runner for Node SDK from macos-11 to macos-12

 ## v0.4.33
--- a/nfpm/zrok-share.bash
+++ b/nfpm/zrok-share.bash
@ -54,9 +54,12 @@ fi
  exit 1
 }

-# default mode is reserved (public), override mode is temp-public, i.e., "share public" without a reserved subdomain
+# default mode is 'reserved-public', override modes are reserved-private, temp-public, temp-private.
+: "${ZROK_FRONTEND_MODE:=reserved-public}"
 if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
  ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}"
+elif [[ "${ZROK_FRONTEND_MODE:-}" == temp-private ]]; then
+  ZROK_CMD="share private --headless ${ZROK_VERBOSE:-}"
 elif [[ -s ~/.zrok/reserved.json ]]; then
  ZROK_RESERVED_TOKEN="$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)"
  if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then
@ -73,8 +76,13 @@ elif [[ -s ~/.zrok/reserved.json ]]; then
      exit 0
    fi
  fi
-else
+elif [[ "${ZROK_FRONTEND_MODE:-}" == reserved-public ]]; then
  ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}"
+elif [[ "${ZROK_FRONTEND_MODE:-}" == reserved-private ]]; then
+  ZROK_CMD="reserve private --json-output ${ZROK_VERBOSE:-}"
+else
+  echo "ERROR: invalid value for ZROK_FRONTEND_MODE '${ZROK_FRONTEND_MODE}'" >&2
+  exit 1
 fi

 [[ -n "${ZROK_BACKEND_MODE:-}" ]] || {
@ -88,12 +96,12 @@ case "${ZROK_BACKEND_MODE}" in
      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an HTTP URL" >&2
      exit 1
    else
-      echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
+      echo "INFO: validated backend mode '${ZROK_BACKEND_MODE}' and target '${ZROK_TARGET}'"
    fi
    ;;
  caddy)
    if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
-      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2
+      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path" >&2
      exit 1
    elif ! [[ -f "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable regular file" >&2
@ -104,7 +112,7 @@ case "${ZROK_BACKEND_MODE}" in
    ;;
  web|drive)
    if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
-      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2
+      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path" >&2
      exit 1
    elif ! [[ -d "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
      echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable directory" >&2
@ -113,13 +121,41 @@ case "${ZROK_BACKEND_MODE}" in
      echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
    fi
    ;;
+  tcpTunnel|udpTunnel|socks|vpn)
+    if ! [[ "${ZROK_FRONTEND_MODE}" =~ -private$ ]]; then
+      echo "ERROR: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is a private share backend mode and cannot be used with ZROK_FRONTEND_MODE='${ZROK_FRONTEND_MODE}'" >&2
+      exit 1
+    else
+      case "${ZROK_BACKEND_MODE}" in
+        tcpTunnel|udpTunnel)
+          echo "INFO: ${ZROK_BACKEND_MODE} backend mode has target '${ZROK_TARGET}'"
+          ;;
+        vpn)
+          if [[ -n "${ZROK_TARGET}" ]]; then
+            ZROK_SVC_FILE=/etc/systemd/system/zrok-share.service.d/override.conf
+            if ! grep -qE '^AmbientCapabilities=CAP_NET_ADMIN' "${ZROK_SVC_FILE}"; then
+              echo "ERROR: you must uncomment 'AmbientCapabilities=CAP_NET_ADMIN' in '${ZROK_SVC_FILE}'"\
+                    "and run 'systemctl daemon-reload' to enable VPN mode" >&2
+              exit 1
+            fi
+          fi
+          ;;
+        socks)
+          if [[ -n "${ZROK_TARGET}" ]]; then
+            echo "WARNING: ZROK_TARGET='${ZROK_TARGET}' is ignored with ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}'" >&2
+            unset ZROK_TARGET
+          fi
+          ;;
+      esac
+    fi
+    ;;
  *)
    echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\
          " ZROK_TARGET value will not validated before running." >&2
    ;;
 esac

-[[ -n "${ZROK_UNIQUE_NAME:-}" ]] && {
+[[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]] && {
  ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}"
 }

@ -142,8 +178,9 @@ fi

 echo "INFO: running: zrok ${ZROK_CMD}"

-if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
-  # share until exit
+if [[ "${ZROK_FRONTEND_MODE:-}" =~ ^temp- ]]; then
+  # frontend mode starts with 'temp-', so is temporary.
+  # share without reserving until exit.
  exec zrok ${ZROK_CMD}
 else
  # reserve and continue
--- a/nfpm/zrok-share.env
+++ b/nfpm/zrok-share.env
@ -17,48 +17,65 @@ ZROK_ENABLE_TOKEN=""
 #
 ZROK_ENVIRONMENT_NAME=""

-# You MUST set this if not using the default zrok.io API endpoint
+# You MUST set this if not using the default API endpoint
 #ZROK_API_ENDPOINT="https://api.zrok.io"

 #
-## ZROK BACKEND TARGET
+## ZROK BACKEND MODE AND TARGET
 #
 # You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY
 # change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend
 # authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with
 # WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL.
+
 #
+## BACKEND MODES THAT WORK WITH PUBLIC AND PRIVATE HTTP SHARES
+#
+
 # backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or
 # 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control.
-ZROK_TARGET=""                  # e.g., http://127.0.0.1:3000
 ZROK_BACKEND_MODE="proxy"
+ZROK_TARGET=""                  # e.g., http://127.0.0.1:3000
 # if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy'
 # NOTE: changing this value does not require provisioning a new frontend URL
 #ZROK_INSECURE="--insecure"

 # backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an
 # absolute path to a directory that is readable by 'other'
-#ZROK_TARGET="/var/www/html"
 #ZROK_BACKEND_MODE="web"
+#ZROK_TARGET="/var/www/html"

 # backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute
 # path to a directory that is readable by 'other'
-#ZROK_TARGET="/usr/share/doc"
 #ZROK_BACKEND_MODE="drive"
+#ZROK_TARGET="/usr/share/doc"

 # backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that
 # is readable by 'other'.
-#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
 #ZROK_BACKEND_MODE="caddy"
+#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"

-# DEBUG log level
-# NOTE: changing this value does not require provisioning a new frontend URL
-#ZROK_VERBOSE="--verbose"
+#
+## BACKEND MODES THAT ONLY WORK WITH PRIVATE SHARES
+#

-# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
-# WARNING: changes take effect the next time the frontend URL is reserved
-# NOTE: basic auth and oauth are mutually exclusive
-ZROK_SHARE_OPTS=""
+# you MUST set ZROK_FRONTEND_MODE to 'reserved-private' or 'temp-private' to use private share backend modes
+
+#ZROK_BACKEND_MODE="tcpTunnel"
+#ZROK_TARGET="127.0.0.1:25565"
+
+#ZROK_BACKEND_MODE="udpTunnel"
+#ZROK_TARGET="127.0.0.1:53"
+
+# you MUST grant NET_ADMIN capability to the service to enable vpn mode, e.g., run these two commands:
+# sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /etc/systemd/system/zrok-share.service.d/override.conf
+# systemctl daemon-reload
+#ZROK_BACKEND_MODE="vpn"
+#ZROK_TARGET="172.16.0.1/12"
+
+# there is no target for socks mode because the share is only a dynamic exit for the proxy client
+#ZROK_BACKEND_MODE="socks"
+#ZROK_TARGET=""

 #
 ## ZROK FRONTEND 
@ -86,3 +103,17 @@ ZROK_SHARE_OPTS=""
 # set if self-hosting zrok and not using only the default frontend name 'public'; must be a space-separated list
 # WARNING: changes take effect the next time the frontend URL is reserved
 #ZROK_FRONTENDS="public"
+
+# you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private 
+#ZROK_FRONTEND_MODE="reserved-public"
+
+#
+## OPTIONS
+#
+
+# DEBUG log level
+# NOTE: changing this value does not require provisioning a new frontend URL
+#ZROK_VERBOSE="--verbose"
+
+# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
+ZROK_SHARE_OPTS=""
--- a/nfpm/zrok-share.service.override.conf
+++ b/nfpm/zrok-share.service.override.conf
@ -0,0 +1,10 @@
+[Service]
+
+#
+## extra permissions
+#
+
+# allow adding tun device and IP routes and iptables rules; required when ZROK_BACKEND_MODE=vpn
+# AmbientCapabilities=CAP_NET_ADMIN
+
+# you must run 'systemctl daemon-reload' after modifying this file