-
Notifications
You must be signed in to change notification settings - Fork 457
/
entrypoint.sh
182 lines (149 loc) · 5.73 KB
/
entrypoint.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
#!/bin/bash
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
# Require environment variables.
if [ -z "${SUBSPACE_HTTP_HOST-}" ] ; then
echo "Environment variable SUBSPACE_HTTP_HOST required. Exiting."
exit 1
fi
# Optional environment variables.
if [ -z "${SUBSPACE_BACKLINK-}" ] ; then
export SUBSPACE_BACKLINK=""
fi
if [ -z "${SUBSPACE_LETSENCRYPT-}" ] ; then
export SUBSPACE_LETSENCRYPT="true"
fi
if [ -z "${SUBSPACE_HTTP_ADDR-}" ] ; then
export SUBSPACE_HTTP_ADDR=":80"
fi
if [ -z "${SUBSPACE_HTTP_INSECURE-}" ] ; then
export SUBSPACE_HTTP_INSECURE="false"
fi
export NAMESERVER="1.1.1.1"
export DEBIAN_FRONTEND="noninteractive"
# Set DNS server
echo "nameserver ${NAMESERVER}" >/etc/resolv.conf
# ipv4
if ! /sbin/iptables -t nat --check POSTROUTING -s 10.99.97.0/24 -j MASQUERADE ; then
/sbin/iptables -t nat --append POSTROUTING -s 10.99.97.0/24 -j MASQUERADE
fi
if ! /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT ; then
/sbin/iptables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
if ! /sbin/iptables --check FORWARD -s 10.99.97.0/24 -j ACCEPT ; then
/sbin/iptables --append FORWARD -s 10.99.97.0/24 -j ACCEPT
fi
# ipv6
if ! /sbin/ip6tables -t nat --check POSTROUTING -s fd00::10:97:0/112 -j MASQUERADE ; then
/sbin/ip6tables -t nat --append POSTROUTING -s fd00::10:97:0/112 -j MASQUERADE
fi
if ! /sbin/ip6tables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT ; then
/sbin/ip6tables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
if ! /sbin/ip6tables --check FORWARD -s fd00::10:97:0/112 -j ACCEPT ; then
/sbin/ip6tables --append FORWARD -s fd00::10:97:0/112 -j ACCEPT
fi
# ipv4 - DNS Leak Protection
if ! /sbin/iptables -t nat --check OUTPUT -s 10.99.97.0/16 -p udp --dport 53 -j DNAT --to 10.99.97.1:53 ; then
/sbin/iptables -t nat --append OUTPUT -s 10.99.97.0/16 -p udp --dport 53 -j DNAT --to 10.99.97.1:53
fi
if ! /sbin/iptables -t nat --check OUTPUT -s 10.99.97.0/16 -p tcp --dport 53 -j DNAT --to 10.99.97.1:53 ; then
/sbin/iptables -t nat --append OUTPUT -s 10.99.97.0/16 -p tcp --dport 53 -j DNAT --to 10.99.97.1:53
fi
# ipv6 - DNS Leak Protection
if ! /sbin/ip6tables --wait -t nat --check OUTPUT -s fd00::10:97:0/112 -p udp --dport 53 -j DNAT --to fd00::10:97:1 ; then
/sbin/ip6tables --wait -t nat --append OUTPUT -s fd00::10:97:0/112 -p udp --dport 53 -j DNAT --to fd00::10:97:1
fi
if ! /sbin/ip6tables --wait -t nat --check OUTPUT -s fd00::10:97:0/112 -p tcp --dport 53 -j DNAT --to fd00::10:97:1 ; then
/sbin/ip6tables --wait -t nat --append OUTPUT -s fd00::10:97:0/112 -p tcp --dport 53 -j DNAT --to fd00::10:97:1
fi
# # Delete
# /sbin/iptables -t nat --delete OUTPUT -s 10.99.97.0/16 -p udp --dport 53 -j DNAT --to 10.99.97.1:53
# /sbin/iptables -t nat --delete OUTPUT -s 10.99.97.0/16 -p tcp --dport 53 -j DNAT --to 10.99.97.1:53
# /sbin/ip6tables --wait -t nat --delete OUTPUT -s fd00::10:97:0/112 -p udp --dport 53 -j DNAT --to fd00::10:97:1
# /sbin/ip6tables --wait -t nat --delete OUTPUT -s fd00::10:97:0/112 -p tcp --dport 53 -j DNAT --to fd00::10:97:1
# /sbin/iptables -t nat --delete POSTROUTING -s 10.99.97.0/24 -j MASQUERADE
# /sbin/iptables --delete FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# /sbin/iptables --delete FORWARD -s 10.99.97.0/24 -j ACCEPT
# /sbin/ip6tables -t nat --delete POSTROUTING -s fd00::10:97:0/112 -j MASQUERADE
# /sbin/ip6tables --delete FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# /sbin/ip6tables --delete FORWARD -s fd00::10:97:0/112 -j ACCEPT
#
# WireGuard (10.99.97.0/24)
#
if ! test -d /data/wireguard ; then
mkdir /data/wireguard
cd /data/wireguard
mkdir clients
touch clients/null.conf # So you can cat *.conf safely
mkdir peers
touch peers/null.conf # So you can cat *.conf safely
# Generate public/private server keys.
wg genkey | tee server.private | wg pubkey > server.public
fi
cat <<WGSERVER >/data/wireguard/server.conf
[Interface]
PrivateKey = $(cat /data/wireguard/server.private)
ListenPort = 51820
WGSERVER
cat /data/wireguard/peers/*.conf >>/data/wireguard/server.conf
if ip link show wg0 2>/dev/null; then
ip link del wg0
fi
ip link add wg0 type wireguard
ip addr add 10.99.97.1/24 dev wg0
ip addr add fd00::10:97:1/112 dev wg0
wg setconf wg0 /data/wireguard/server.conf
ip link set wg0 up
# dnsmasq service
if ! test -d /etc/sv/dnsmasq ; then
cat <<DNSMASQ >/etc/dnsmasq.conf
# Only listen on necessary addresses.
listen-address=127.0.0.1,10.99.97.1,fd00::10:97:1
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
DNSMASQ
mkdir /etc/sv/dnsmasq
cat <<RUNIT >/etc/sv/dnsmasq/run
#!/bin/sh
exec /usr/sbin/dnsmasq --no-daemon
RUNIT
chmod +x /etc/sv/dnsmasq/run
# dnsmasq service log
mkdir /etc/sv/dnsmasq/log
mkdir /etc/sv/dnsmasq/log/main
cat <<RUNIT >/etc/sv/dnsmasq/log/run
#!/bin/sh
exec svlogd -tt ./main
RUNIT
chmod +x /etc/sv/dnsmasq/log/run
ln -s /etc/sv/dnsmasq /etc/service/dnsmasq
fi
# subspace service
if ! test -d /etc/sv/subspace ; then
mkdir /etc/sv/subspace
cat <<RUNIT >/etc/sv/subspace/run
#!/bin/sh
exec /usr/bin/subspace \
"--http-host=${SUBSPACE_HTTP_HOST}" \
"--http-addr=${SUBSPACE_HTTP_ADDR}" \
"--http-insecure=${SUBSPACE_HTTP_INSECURE}" \
"--backlink=${SUBSPACE_BACKLINK}" \
"--letsencrypt=${SUBSPACE_LETSENCRYPT}"
RUNIT
chmod +x /etc/sv/subspace/run
# subspace service log
mkdir /etc/sv/subspace/log
mkdir /etc/sv/subspace/log/main
cat <<RUNIT >/etc/sv/subspace/log/run
#!/bin/sh
exec svlogd -tt ./main
RUNIT
chmod +x /etc/sv/subspace/log/run
ln -s /etc/sv/subspace /etc/service/subspace
fi
exec $@