diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml index bab64e2..8d9837b 100755 --- a/.github/workflows/external_trigger.yml +++ b/.github/workflows/external_trigger.yml @@ -20,7 +20,8 @@ jobs: echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_WIREGUARD_MASTER\". ****" echo "External trigger running off of master branch. To disable this trigger, set a Github secret named \`PAUSE_EXTERNAL_TRIGGER_WIREGUARD_MASTER\`" >> $GITHUB_STEP_SUMMARY echo "**** Retrieving external version ****" - EXT_RELEASE=$(curl -u ${{ secrets.CR_USER }}:${{ secrets.CR_PAT }} -sX GET https://api.github.com/repos/WireGuard/wireguard-tools/tags | jq -r .[0].name) + EXT_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ + && awk '/^P:'"wireguard-tools"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then echo "**** Can't retrieve external version, exiting ****" FAILURE_REASON="Can't retrieve external version for wireguard branch master" 
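Review bot: The new version lookup downloads `APKINDEX.tar.gz` over plain `http://` and unpacks it with `tar -xz -C /tmp`, so an unauthenticated archive is written to a fixed path on the runner, and its `V:` field becomes `EXT_RELEASE`, which the rest of the step interpolates into shell and JSON. Fetching over TLS and streaming only the index member avoids both problems: `curl -fsSL "https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz" | tar -xzO APKINDEX | awk '/^P:wireguard-tools$/,/V:/' | sed -n 2p | sed 's/^V://'` (confirm first that the mirror serves HTTPS). The same pattern appears in the aarch64 check in the second hunk of this file, in the `Set tag Alpine Repo` stage of the Jenkinsfile, and in `DIST_REPO` in the Jenkinsfile and jenkins-vars.yml. On a shared Jenkins agent, a concurrent job could also overwrite the fixed `/tmp/APKINDEX` path.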
@@ -73,6 +74,14 @@ jobs: echo "**** Version ${EXT_RELEASE} already pushed, exiting ****" echo "Version ${EXT_RELEASE} already pushed, exiting" >> $GITHUB_STEP_SUMMARY exit 0 + elif [[ $(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.20/main/aarch64/APKINDEX.tar.gz" | tar -xz -C /tmp && awk '/^P:'"wireguard-tools"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') != "${EXT_RELEASE}" ]]; then + echo "**** New version ${EXT_RELEASE} found; but not all arch repos updated yet; exiting ****" + echo "New version ${EXT_RELEASE} found; but not all arch repos updated yet; exiting" >> $GITHUB_STEP_SUMMARY + FAILURE_REASON="New version ${EXT_RELEASE} for wireguard tag latest is detected, however not all arch repos are updated yet. Will try again later." + curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903, + "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}], + "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }} + exit 0 elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-wireguard/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then echo "**** New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting ****" echo "New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting" >> $GITHUB_STEP_SUMMARY diff --git a/Dockerfile b/Dockerfile index 5071a98..5d36dde 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-alpine:3.19 +FROM ghcr.io/linuxserver/baseimage-alpine:3.20 # set version label ARG BUILD_DATE 
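Review bot: In the new `elif` branch of external_trigger.yml, the Discord payload is built by splicing `${FAILURE_REASON}` into a hand-written JSON string, and that value contains `${EXT_RELEASE}`, which was read from a remotely fetched index. A quote or backslash in it yields malformed or altered JSON. The step already uses `jq`, so the body can be built with `jq -n --arg reason "${FAILURE_REASON}"` and piped to `curl --data @-`, with the webhook URL quoted as `"${{ secrets.DISCORD_WEBHOOK }}"`. A failed download of the aarch64 index is also reported as "not all arch repos updated yet", because an empty result compares unequal to `${EXT_RELEASE}`; testing for an empty value first would separate the two cases. The message says "tag latest" while the earlier failure text in this job says "branch master".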
@@ -11,11 +11,6 @@ LABEL maintainer="thespad" RUN \ echo "**** install dependencies ****" && \ - apk add --no-cache --virtual=build-dependencies \ - build-base \ - elfutils-dev \ - git \ - linux-headers && \ apk add --no-cache \ bc \ coredns \ @@ -28,7 +23,8 @@ RUN \ libcap-utils \ libqrencode-tools \ net-tools \ - openresolv && \ + openresolv \ + wireguard-tools && \ echo "wireguard" >> /etc/modules && \ cd /sbin && \ for i in ! !-save !-restore; do \ @@ -37,22 +33,11 @@ RUN \ ln -s iptables-legacy$(echo "${i}" | cut -c2-) iptables$(echo "${i}" | cut -c2-) && \ ln -s ip6tables-legacy$(echo "${i}" | cut -c2-) ip6tables$(echo "${i}" | cut -c2-); \ done && \ - echo "**** install wireguard-tools ****" && \ - if [ -z ${WIREGUARD_RELEASE+x} ]; then \ - WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \ - | jq -r .[0].name); \ - fi && \ - cd /app && \ - git clone https://git.zx2c4.com/wireguard-tools && \ - cd wireguard-tools && \ - git checkout "${WIREGUARD_RELEASE}" && \ - sed -i 's|\[\[ $proto == -4 \]\] && cmd sysctl -q net\.ipv4\.conf\.all\.src_valid_mark=1|[[ $proto == -4 ]] \&\& [[ $(sysctl -n net.ipv4.conf.all.src_valid_mark) != 1 ]] \&\& cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1|' src/wg-quick/linux.bash && \ - make -C src -j$(nproc) && \ - make -C src install && \ + sed -i 's|\[\[ $proto == -4 \]\] && cmd sysctl -q net\.ipv4\.conf\.all\.src_valid_mark=1|[[ $proto == -4 ]] \&\& [[ $(sysctl -n net.ipv4.conf.all.src_valid_mark) != 1 ]] \&\& cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1|' /usr/bin/wg-quick && \ rm -rf /etc/wireguard && \ ln -s /config/wg_confs /etc/wireguard && \ + printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \ echo "**** clean up ****" && \ - apk del --no-network build-dependencies && \ rm -rf \ /tmp/* diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index ffe34f5..d046e8f 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
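Review bot: In the last Dockerfile hunk, the `sed -i` that patches `/usr/bin/wg-quick` exits 0 even when its pattern matches nothing, so a change to the packaged script's `src_valid_mark` line would silently ship an unpatched wg-quick. Previously the target was a source checkout at `${WIREGUARD_RELEASE}`; now it is whatever the Alpine repo provides at build time. Add a check right after it, for example `grep -qF 'sysctl -n net.ipv4.conf.all.src_valid_mark' /usr/bin/wg-quick && \`, so the build fails instead. In the added `printf`, `${VERSION}` and `${BUILD_DATE}` sit inside the format string; `printf 'Linuxserver.io version: %s\nBuild-date: %s' "${VERSION}" "${BUILD_DATE}"` keeps a `%` or backslash in a build arg from being interpreted. Both points apply equally to the matching hunk in Dockerfile.aarch64, and the RUN instruction starts outside this hunk.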
@@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.19 +FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20 # set version label ARG BUILD_DATE @@ -11,11 +11,6 @@ LABEL maintainer="thespad" RUN \ echo "**** install dependencies ****" && \ - apk add --no-cache --virtual=build-dependencies \ - build-base \ - elfutils-dev \ - git \ - linux-headers && \ apk add --no-cache \ bc \ coredns \ @@ -28,7 +23,8 @@ RUN \ libcap-utils \ libqrencode-tools \ net-tools \ - openresolv && \ + openresolv \ + wireguard-tools && \ echo "wireguard" >> /etc/modules && \ cd /sbin && \ for i in ! !-save !-restore; do \ 
@@ -37,22 +33,11 @@ RUN \ ln -s iptables-legacy$(echo "${i}" | cut -c2-) iptables$(echo "${i}" | cut -c2-) && \ ln -s ip6tables-legacy$(echo "${i}" | cut -c2-) ip6tables$(echo "${i}" | cut -c2-); \ done && \ - echo "**** install wireguard-tools ****" && \ - if [ -z ${WIREGUARD_RELEASE+x} ]; then \ - WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \ - | jq -r .[0].name); \ - fi && \ - cd /app && \ - git clone https://git.zx2c4.com/wireguard-tools && \ - cd wireguard-tools && \ - git checkout "${WIREGUARD_RELEASE}" && \ - sed -i 's|\[\[ $proto == -4 \]\] && cmd sysctl -q net\.ipv4\.conf\.all\.src_valid_mark=1|[[ $proto == -4 ]] \&\& [[ $(sysctl -n net.ipv4.conf.all.src_valid_mark) != 1 ]] \&\& cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1|' src/wg-quick/linux.bash && \ - make -C src -j$(nproc) && \ - make -C src install && \ + sed -i 's|\[\[ $proto == -4 \]\] && cmd sysctl -q net\.ipv4\.conf\.all\.src_valid_mark=1|[[ $proto == -4 ]] \&\& [[ $(sysctl -n net.ipv4.conf.all.src_valid_mark) != 1 ]] \&\& cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1|' /usr/bin/wg-quick && \ rm -rf /etc/wireguard && \ ln -s /config/wg_confs /etc/wireguard && \ + printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \ echo "**** clean up ****" && \ - apk del --no-network build-dependencies && \ rm -rf \ /tmp/* diff --git a/Jenkinsfile b/Jenkinsfile index 6e5e81c..543aa07 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -25,14 +25,17 @@ pipeline { DEV_DOCKERHUB_IMAGE = 'lsiodev/wireguard' PR_DOCKERHUB_IMAGE = 'lspipepr/wireguard' DIST_IMAGE = 'alpine' + DIST_TAG = '3.20' + DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.20/main/' + DIST_REPO_PACKAGES = 'wireguard-tools' MULTIARCH='true' CI='false' CI_WEB='false' CI_PORT='8080' CI_SSL='false' - CI_DELAY='120' - CI_DOCKERENV='TZ=US/Pacific' - CI_AUTH='user:password' + CI_DELAY='60' + CI_DOCKERENV='' + CI_AUTH='' CI_WEBPATH='' } stages { 
@@ -110,14 +113,15 @@ pipeline { /* ######################## External Release Tagging ######################## */ - // If this is a custom command to determine version use that command - stage("Set tag custom bash"){ + // If this is an alpine repo change for external version determine an md5 from the version string + stage("Set tag Alpine Repo"){ steps{ script{ env.EXT_RELEASE = sh( - script: ''' curl -sX GET https://api.github.com/repos/WireGuard/wireguard-tools/tags | jq -r .[0].name ''', + script: '''curl -sL "${DIST_REPO}x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ + && awk '/^P:'"${DIST_REPO_PACKAGES}"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://' ''', returnStdout: true).trim() - env.RELEASE_LINK = 'custom_command' + env.RELEASE_LINK = 'alpine_repo' } } } @@ -852,11 +856,11 @@ pipeline { "tagger": {"name": "LinuxServer Jenkins","email": "jenkins@linuxserver.io","date": "'${GITHUB_DATE}'"}}' ''' echo "Pushing New release for Tag" sh '''#! /bin/bash - echo "Updating to ${EXT_RELEASE_CLEAN}" > releasebody.json + echo "Updating external repo packages to ${EXT_RELEASE_CLEAN}" > releasebody.json echo '{"tag_name":"'${META_TAG}'",\ "target_commitish": "master",\ "name": "'${META_TAG}'",\ - "body": "**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**Remote Changes:**\\n\\n' > start + "body": "**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**Repo Changes:**\\n\\n' > start printf '","draft": false,"prerelease": false}' >> releasebody.json paste -d'\\0' start releasebody.json > releasebody.json.done curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases -d @releasebody.json.done''' diff --git a/README.md b/README.md index a366faf..8980243 100644 --- a/README.md +++ b/README.md 
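Review bot: The new comment on the `Set tag Alpine Repo` stage in the Jenkinsfile says it will "determine an md5 from the version string", but the script in the hunk only returns the trimmed `V:` field for the package; no hash is computed in the visible lines. Either describe what is returned, e.g. `// For an Alpine repo package, use the package version from APKINDEX as the external release`, or, if hashing happens later in the pipeline, say where. The awk pattern `/^P:'"${DIST_REPO_PACKAGES}"'$/` also treats the variable as a single package name, so a value listing several packages would match nothing; that limitation is worth stating in the comment as well.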
@@ -160,7 +160,7 @@ services: - PERSISTENTKEEPALIVE_PEERS= #optional - LOG_CONFS=true #optional volumes: - - /path/to/appdata/config:/config + - /path/to/wireguard/config:/config - /lib/modules:/lib/modules #optional ports: - 51820:51820/udp @@ -188,7 +188,7 @@ docker run -d \ -e PERSISTENTKEEPALIVE_PEERS= `#optional` \ -e LOG_CONFS=true `#optional` \ -p 51820:51820/udp \ - -v /path/to/appdata/config:/config \ + -v /path/to/wireguard/config:/config \ -v /lib/modules:/lib/modules `#optional` \ --sysctl="net.ipv4.conf.all.src_valid_mark=1" \ --restart unless-stopped \ @@ -382,6 +382,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **24.05.24:** - Rebase to Alpine 3.20, install wireguard-tools from Alpine repo. * **10.03.24:** - Use iptables-legacy on Alpine 3.19. * **05.03.24:** - Rebase master to Alpine 3.19. * **03.10.23:** - **Potentially Breaking Change:** Support for multiple interfaces added. Wireguard confs moved to `/config/wg_confs/`. Any file with a `.conf` extension in that folder will be treated as a live tunnel config and will be attempted to start. If any of the tunnels fail, all tunnels will be stopped. Tunnels are started in alphabetical order. Managed server conf will continue to be hardcoded to `wg0.conf`. diff --git a/jenkins-vars.yml b/jenkins-vars.yml index 0219a51..c20b7e0 100644 --- a/jenkins-vars.yml +++ b/jenkins-vars.yml @@ -2,12 +2,10 @@ # jenkins variables project_name: docker-wireguard -external_type: na -custom_version_command: "curl -sX GET https://api.github.com/repos/WireGuard/wireguard-tools/tags | jq -r .[0].name" +external_type: alpine_repo release_type: stable release_tag: latest ls_branch: master -build_armhf: false repo_vars: - CONTAINER_NAME = 'wireguard' - BUILD_VERSION_ARG = 'WIREGUARD_VERSION' 
@@ -17,14 +15,17 @@ repo_vars: - DEV_DOCKERHUB_IMAGE = 'lsiodev/wireguard' - PR_DOCKERHUB_IMAGE = 'lspipepr/wireguard' - DIST_IMAGE = 'alpine' + - DIST_TAG = '3.20' + - DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.20/main/' + - DIST_REPO_PACKAGES = 'wireguard-tools' - MULTIARCH='true' - CI='false' - CI_WEB='false' - CI_PORT='8080' - CI_SSL='false' - - CI_DELAY='120' - - CI_DOCKERENV='TZ=US/Pacific' - - CI_AUTH='user:password' + - CI_DELAY='60' + - CI_DOCKERENV='' + - CI_AUTH='' - CI_WEBPATH='' sponsor_links: - { name: "WireGuard", url: "https://www.wireguard.com/donations/" } diff --git a/readme-vars.yml b/readme-vars.yml index 4edfe2e..629fc19 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -23,7 +23,7 @@ common_param_env_vars_enabled: true param_container_name: "{{ project_name }}" param_usage_include_vols: true param_volumes: - - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Contains all relevant configuration files." } + - { vol_path: "/config", vol_host_path: "/path/to/{{ project_name }}/config", desc: "Contains all relevant configuration files." } opt_param_usage_include_vols: true opt_param_volumes: - { vol_path: "/lib/modules", vol_host_path: "/lib/modules", desc: "Host kernel modules for situations where they're not already loaded." } 
@@ -118,9 +118,9 @@ app_setup_block: | Site-to-site VPN in server mode requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually. In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var). - + For instance `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`. - + Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary. Don't forget to set the necessary POSTUP and POSTDOWN rules in your client's peer conf for lan access. @@ -128,6 +128,7 @@ app_setup_block: | # changelog changelogs: + - { date: "24.05.24:", desc: "Rebase to Alpine 3.20, install wireguard-tools from Alpine repo." } - { date: "10.03.24:", desc: "Use iptables-legacy on Alpine 3.19." } - { date: "05.03.24:", desc: "Rebase master to Alpine 3.19." } - { date: "03.10.23:", desc: "**Potentially Breaking Change:** Support for multiple interfaces added. Wireguard confs moved to `/config/wg_confs/`. Any file with a `.conf` extension in that folder will be treated as a live tunnel config and will be attempted to start. If any of the tunnels fail, all tunnels will be stopped. Tunnels are started in alphabetical order. Managed server conf will continue to be hardcoded to `wg0.conf`." }