Merge branch 'main' into conflict-resolved

2024-11-10 08:53:51 +08:00 · 2024-09-09 09:01:07 +02:00 · 2024-09-09 09:01:07 +02:00 · f5cb5c4516
commit f5cb5c4516
parent 40e6fce281 e21853286e
11 changed files with 420 additions and 132 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -0,0 +1,56 @@
+name: Docker Image Build and Analysis
+
+on:
+  schedule:
+    - cron: "0 0 * * *"  # Schedule the workflow to run daily at midnight (UTC time). Adjust the time if needed.
+  workflow_dispatch:  # Manual run trigger
+    inputs:
+      trigger-build:
+        description: 'Trigger a manual build and push'
+        default: 'true'
+
+jobs:
+  build-and-analyze:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build Docker image
+        id: build-image
+        run: |
+          echo "Building Docker image..."
+          docker build -t my-app-image:latest .
+          echo "Docker image built successfully."
+
+      - name: Install Docker Scout
+        run: |
+          echo "Installing Docker Scout..."
+          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+          echo "Docker Scout installed successfully."
+
+      - name: Analyze Docker image with Docker Scout
+        id: analyze-image
+        run: |
+          echo "Analyzing Docker image with Docker Scout..."
+          docker scout cves my-app-image:latest > scout-results.txt
+          cat scout-results.txt  # Print the report to the workflow logs for easy viewing
+          echo "Docker Scout analysis completed."
+
+      - name: Post Comment on Issue or PR
+        run: |
+          COMMENT="**Docker Image Build and Analysis Report**\n\nThe Docker image was built and analyzed successfully.\n\n**Build Summary:**\n- Image Tag: my-app-image:latest\n\n**Analysis Report:**\n\`\`\`\n$(cat scout-results.txt)\n\`\`\`"
+          
+          # Post comment using GitHub API
+          curl -X POST \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github.v3+json" \
+            -d "{\"body\": \"$COMMENT\"}" \
+            "https://api.github.com/repos/NOXCIS/WGDashboard/issues/1/comments"  # Replace '1' with the issue or PR number
--- a/31
+++ b/31
@ -0,0 +1,31 @@
+# Pull from small Debian stable image.
+FROM alpine:latest AS builder
+
+LABEL maintainer="dselen@nerthus.nl"
+
+WORKDIR /opt/wireguarddashboard/src
+
+RUN    apk update && \
+    apk add --no-cache sudo gcc musl-dev rust cargo linux-headers 
+
+COPY ./docker/alpine/builder.sh /opt/wireguarddashboard/src/
+COPY ./docker/alpine/requirements.txt /opt/wireguarddashboard/src/
+RUN   chmod u+x /opt/wireguarddashboard/src/builder.sh
+RUN  /opt/wireguarddashboard/src/builder.sh
+
+
+FROM alpine:latest
+WORKDIR /opt/wireguarddashboard/src
+
+COPY ./src /opt/wireguarddashboard/src/
+COPY --from=builder /opt/wireguarddashboard/src/venv /opt/wireguarddashboard/src/venv
+COPY --from=builder /opt/wireguarddashboard/src/log /opt/wireguarddashboard/src/log/
+
+RUN    apk update && \
+    apk add --no-cache wireguard-tools sudo && \
+    apk add --no-cache  iptables ip6tables && \
+    chmod u+x /opt/wireguarddashboard/src/entrypoint.sh 
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl -f http://localhost:10086/signin || exit 1
+
+ENTRYPOINT ["/opt/wireguarddashboard/src/entrypoint.sh"]
--- a/README.md
+++ b/README.md
@ -28,6 +28,9 @@

 ## 📣 What's New: v4.0

+> [!TIP]
+> [📹 Demo video on YouTube](https://www.youtube.com/watch?v=0mwzd5Gr2eU)
+
 ### 🎉 New Features

 - **Updated dashboard design**: Re-designed some of the section with more modern style and layout, the UI is faster and more responsive, it also uses less memory. But overall is still the same dashboard you're familiarized.
@ -59,6 +62,8 @@
 > Also, huge thanks to who contributed to this major release:
 > @bolgovrussia, @eduardorosabales, @Profik, @airgapper, @tokon2000, @bkeenke, @kontorskiy777, @bugsse, @Johnnykson, @DaanSelen, @shuricksumy and many others!

+
+
 <hr>

 ## 📋  Table of Content
@ -81,6 +86,7 @@
      * [Debian 11.10](#debian-1110)
      * [Red Hat Enterprise Linux 9.4 & CentOS 9-Stream](#red-hat-enterprise-linux-94--centos-9-stream)
      * [Fedora 40 & Fedora 39 & Fedora 38](#fedora-40--fedora-39--fedora-38)
+      * [Alpine Linux 3.20.2](#alpine-linux-3202)
    * [Manual Installation](#manual-installation)
  * [🪜 Usage](#-usage)
      * [Start/Stop/Restart WGDashboard](#startstoprestart-wgdashboard)
@ -260,6 +266,20 @@ firewall-cmd --add-port=51820/udp --permanent && \
 firewall-cmd --reload
 ```

+#### Alpine Linux 3.20.2
+
+```shell
+setup-interfaces -a ; \
+rc-service networking --quiet start ; \
+printf "https://mirrors.aliyun.com/alpine/latest-stable/main\nhttps://mirrors.aliyun.com/alpine/latest-stable/community" > /etc/apk/repositories ; \
+apk update ; \
+apk add wireguard-tools python3 python3-dev git iptables net-tools gcc musl-dev linux-headers sudo ; \
+git clone -b v4.0-alpine-linux https://github.com/donaldzou/WGDashboard.git ; \
+cd ./WGDashboard/src ; \
+chmod +x ./wgd.sh ; \
+./wgd.sh install
+```
+
 ### Manual Installation

 > [!NOTE]
--- a/compose.yaml
+++ b/compose.yaml
@ -0,0 +1,26 @@
+services:
+  
+  wireguard-dashboard:
+    build: ./
+    container_name: wiregate
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    restart: unless-stopped
+    environment:
+      - wg_net=10.0.0.1/24
+      - wg_port=51820
+    volumes:
+      - wgd_configs:/etc/wireguard
+      - wgd_app:/opt/wireguarddashboard/src
+    ports:
+      - 10086:10086/tcp
+      - 51820:51820/udp
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+   
+
+volumes:
+    wgd_configs:
+    wgd_app:
--- a/docker/alpine/builder.sh
+++ b/docker/alpine/builder.sh
@ -0,0 +1,43 @@
+venv_python="./venv/bin/python3"
+venv_gunicorn="./venv/bin/gunicorn"
+pythonExecutable="python3"
+
+
+_check_and_set_venv(){
+    VIRTUAL_ENV="./venv"
+    if [ ! -d $VIRTUAL_ENV ]; then
+    	printf "[WGDashboard] Creating Python Virtual Environment under ./venv\n"
+        { $pythonExecutable -m venv  $VIRTUAL_ENV; } >> ./log/install.txt
+    fi
+    
+    if ! $venv_python --version > /dev/null 2>&1
+    then
+    	printf "[WGDashboard] %s Python Virtual Environment under ./venv failed to create. Halting now.\n" "$heavy_crossmark"	
+    	kill  $TOP_PID
+    fi
+    
+    source ${VIRTUAL_ENV}/bin/activate
+
+}
+
+build_core () {
+    if [ ! -d "log" ]
+	  then 
+		printf "[WGDashboard] Creating ./log folder\n"
+		mkdir "log"
+	fi
+
+
+    apk add --no-cache python3 net-tools python3-dev py3-virtualenv
+    _check_and_set_venv
+    printf "[WGDashboard] Upgrading Python Package Manage (PIP)\n"
+    { date; python3 -m pip install --upgrade pip; printf "\n\n"; } >> ./log/install.txt
+    printf "[WGDashboard] Building Bcrypt & Psutil\n"
+    { date; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt
+    printf "[WGDashboard] Build Successfull!\n"
+    printf "[WGDashboard] Clean Up Pip!\n"
+    { date; rm -rf /opt/wireguarddashboard/src/venv/lib/python3.12/site-packages/pip* ; printf "\n\n"; } >> ./log/install.txt
+
+}
+
+build_core
--- a/docker/alpine/requirements.txt
+++ b/docker/alpine/requirements.txt
@ -0,0 +1,2 @@
+bcrypt
+psutil
--- a/src/dashboard.py
+++ b/src/dashboard.py
@ -442,6 +442,8 @@ class WireguardConfiguration:
            return self.message

    def __init__(self, name: str = None, data: dict = None):
+        print(f"[WGDashboard] Initialized Configuration: {name}")
+        
        self.__parser: configparser.ConfigParser = configparser.ConfigParser(strict=False)
        self.__parser.optionxform = str
        self.__configFileModifiedTime = None
@ -589,10 +591,15 @@ class WireguardConfiguration:
        for i in restricted:
            self.RestrictedPeers.append(Peer(i, self))
            
+    def configurationFileChanged(self) :
+        mt = os.path.getmtime(os.path.join(WG_CONF_PATH, f'{self.Name}.conf'))
+        changed = self.__configFileModifiedTime is None or self.__configFileModifiedTime != mt
+        self.__configFileModifiedTime = mt
+        return changed
+        
    def __getPeers(self):
        
-        mt = os.path.getmtime(os.path.join(WG_CONF_PATH, f'{self.Name}.conf'))
-        # if self.__configFileModifiedTime is None or self.__configFileModifiedTime != mt:
+        if self.configurationFileChanged():
            self.Peers = []
            with open(os.path.join(WG_CONF_PATH, f'{self.Name}.conf'), 'r') as configFile:
                p = []
@ -664,7 +671,12 @@ class WireguardConfiguration:
                                self.Peers.append(Peer(checkIfExist, self))
                except Exception as e:
                    print(f"[WGDashboard] {self.Name} Error: {str(e)}")
-            self.__configFileModifiedTime = mt
+        else:
+            self.Peers.clear()
+            checkIfExist = sqlSelect("SELECT * FROM '%s'" % self.Name).fetchall()
+            for i in checkIfExist:
+                self.Peers.append(Peer(i, self))
+        
            
    def addPeers(self, peers: list):
        for p in peers:
@ -803,12 +815,11 @@ class WireguardConfiguration:
            else:
                status = "stopped"
            if int(latestHandshake[count + 1]) > 0:
-                sqldb.execute("UPDATE '%s' SET latest_handshake = ?, status = ? WHERE id= ?" % self.Name
+                sqlUpdate("UPDATE '%s' SET latest_handshake = ?, status = ? WHERE id= ?" % self.Name
                              , (str(minus).split(".", maxsplit=1)[0], status, latestHandshake[count],))
            else:
-                sqldb.execute("UPDATE '%s' SET latest_handshake = 'No Handshake', status = ? WHERE id= ?" % self.Name
+                sqlUpdate("UPDATE '%s' SET latest_handshake = 'No Handshake', status = ? WHERE id= ?" % self.Name
                              , (status, latestHandshake[count],))
-            sqldb.commit()
            count += 2
    
    
@ -1284,16 +1295,20 @@ def _regexMatch(regex, text):
    return pattern.search(text) is not None


-def _getConfigurationList() -> [WireguardConfiguration]:
-    configurations = {}
+def _getConfigurationList():
+    # configurations = {}
    for i in os.listdir(WG_CONF_PATH):
        if _regexMatch("^(.{1,}).(conf)$", i):
            i = i.replace('.conf', '')
            try:
-                configurations[i] = WireguardConfiguration(i)
+                if i in WireguardConfigurations.keys():
+                    if WireguardConfigurations[i].configurationFileChanged():
+                        WireguardConfigurations[i] = WireguardConfiguration(i)
+                else:
+                    WireguardConfigurations[i] = WireguardConfiguration(i)
            except WireguardConfiguration.InvalidConfigurationFileException as e:
                print(f"{i} have an invalid configuration file.")
-    return configurations
+    


 def _checkIPWithRange(ip):
@ -1354,8 +1369,7 @@ def _generatePrivateKey() -> [bool, str]:
    except subprocess.CalledProcessError:
        return False, None

-
-def _getWireguardConfigurationAvailableIP(configName: str) -> tuple[bool, list[str]] | tuple[bool, None]:
+def _getWireguardConfigurationAvailableIP(configName: str, all: bool = False) -> tuple[bool, list[str]] | tuple[bool, None]:
    if configName not in WireguardConfigurations.keys():
        return False, None
    configuration = WireguardConfigurations[configName]
@ -1387,6 +1401,7 @@ def _getWireguardConfigurationAvailableIP(configName: str) -> tuple[bool, list[s
                if h not in existedAddress:
                    availableAddress.append(ipaddress.ip_network(h).compressed)
                    count += 1
+                    if not all:
                        if network.version == 6 and count > 255:
                            break
        return True, availableAddress
@ -1534,7 +1549,7 @@ def API_SignOut():

@app.route(f'{APP_PREFIX}/api/getWireguardConfigurations', methods=["GET"])
 def API_getWireguardConfigurations():
-    # WireguardConfigurations = _getConfigurationList()
+    _getConfigurationList()
    return ResponseObject(data=[wc for wc in WireguardConfigurations.values()])


@ -1841,17 +1856,7 @@ def API_addPeers(configName):
                if i not in availableIps[1]:
                    return ResponseObject(False, f"This IP is not available: {i}")
            
-            config.addPeers([{"id": public_key, "allowed_ip": ''.join(allowed_ips)}])
-            # subprocess.check_output(
-            #     f"wg set {config.Name} peer {public_key} allowed-ips {''.join(allowed_ips)}",
-            #     shell=True, stderr=subprocess.STDOUT)
-            # if len(preshared_key) > 0:
-            #     subprocess.check_output(
-            #         f"wg set {config.Name} peer {public_key} preshared-key {preshared_key}",
-            #         shell=True, stderr=subprocess.STDOUT)
-            # subprocess.check_output(
-            #     f"wg-quick save {config.Name}", shell=True, stderr=subprocess.STDOUT)
-            # config.getPeersList()
+            config.addPeers([{"id": public_key, "allowed_ip": ','.join(allowed_ips)}])
            found, peer = config.searchPeer(public_key)
            if found:
                return peer.updatePeer(name, private_key, preshared_key, dns_addresses, ",".join(allowed_ips),
@ -2188,7 +2193,7 @@ _, WG_CONF_PATH = DashboardConfig.GetConfig("Server", "wg_conf_path")


 WireguardConfigurations: dict[str, WireguardConfiguration] = {}
-WireguardConfigurations = _getConfigurationList()
+_getConfigurationList()

 def startThreads():
    bgThread = threading.Thread(target=backGroundThread)
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@ -0,0 +1,34 @@
+#!/bin/bash
+echo "Starting the WireGuard Dashboard Docker container."
+
+clean_up() {
+  # Cleaning out previous data such as the .pid file and starting the WireGuard Dashboard. Making sure to use the python venv.
+  echo "Looking for remains of previous instances..."
+  if [ -f "/opt/wireguarddashboard/app/src/gunicorn.pid" ]; then
+    echo "Found old .pid file, removing."
+    rm /opt/wireguarddashboard/app/src/gunicorn.pid
+  else
+    echo "No remains found, continuing."
+  fi
+}
+ensure_blocking() {
+  sleep 1s
+  echo "Ensuring container continuation."
+
+  # This function checks if the latest error log is created and tails it for docker logs uses.
+  if find "/opt/wireguarddashboard/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then
+    latestErrLog=$(find /opt/wireguarddashboard/src/log -name "error_*.log" | head -n 1)
+    latestAccLog=$(find /opt/wireguarddashboard/src/log -name "access_*.log" | head -n 1)
+    tail -f "${latestErrLog}" "${latestAccLog}"
+  fi
+
+  # Blocking command in case of erroring. So the container does not quit.
+  sleep infinity
+}
+
+{ date; clean_up; printf "\n\n"; } >> ./log/install.txt
+
+chmod u+x /opt/wireguarddashboard/src/wgd.sh
+/opt/wireguarddashboard/src/wgd.sh install
+/opt/wireguarddashboard/src/wgd.sh docker_start
+ensure_blocking
--- a/src/iptable-rules/postdown.sh
+++ b/src/iptable-rules/postdown.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+WIREGUARD_INTERFACE=ADMINS
+WIREGUARD_LAN=10.0.0.1/24
+MASQUERADE_INTERFACE=eth0
+
+CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
+
+iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
+
+# Remove and delete the WIREGUARD_wg0 chain
+iptables -D FORWARD -j $CHAIN_NAME
+iptables -F $CHAIN_NAME
+iptables -X $CHAIN_NAME
--- a/src/iptable-rules/postup.sh
+++ b/src/iptable-rules/postup.sh
@ -0,0 +1,26 @@
+#!/bin/bash
+WIREGUARD_INTERFACE=ADMINS
+WIREGUARD_LAN=10.0.0.1/24
+MASQUERADE_INTERFACE=eth0
+
+iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
+
+# Add a WIREGUARD_wg0 chain to the FORWARD chain
+CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
+iptables -N $CHAIN_NAME
+iptables -A FORWARD -j $CHAIN_NAME
+
+# Accept related or established traffic
+iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept traffic from any Wireguard IP address connected to the Wireguard server
+iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -j ACCEPT
+
+# Allow traffic to the local loopback interface
+iptables -A $CHAIN_NAME -o lo -j ACCEPT
+
+# Drop everything else coming through the Wireguard interface
+iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP
+
+# Return to FORWARD chain
+iptables -A $CHAIN_NAME -j RETURN
--- a/src/wgd.sh
+++ b/src/wgd.sh
@ -65,10 +65,6 @@ _determineOS(){
      OS=$ID
  elif [ -f /etc/redhat-release ]; then
      OS="redhat"
-  elif [ -f /etc/alpine-release ]; then
-	  OS="alpine"
-#  elif [ -f /etc/arch-release ]; then
-#      OS="arch"
  else
      printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark"
      printf "%s\n" "$helpMsg"
@ -131,18 +127,6 @@ _installPythonVenv(){
 			ubuntu|debian)
 				{ sudo apt-get update; sudo apt-get install ${pythonExecutable}-venv;  } &>> ./log/install.txt
 			;;
-#			centos|fedora|redhat|rhel)
-#				if command -v dnf &> /dev/null; then
-#					{ sudo dnf install -y ${pythonExecutable}-virtualenv; printf "\n\n"; } >> ./log/install.txt
-#				else
-#					{ sudo yum install -y ${pythonExecutable}-virtualenv; printf "\n\n"; } >> ./log/install.txt
-#				fi
-#			;;
-#			*)
-#				printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS.\n" "$heavy_crossmark"
-#				printf "%s\n" "$helpMsg"
-#				kill  $TOP_PID
-#			;;
 		esac
 	fi
 	
@ -285,6 +269,7 @@ install_wgd(){
    fi
    _check_and_set_venv
    printf "[WGDashboard] Upgrading Python Package Manage (PIP)\n"
+	{ date; python3 -m ensurepip --upgrade; printf "\n\n"; } >> ./log/install.txt
    { date; python3 -m pip install --upgrade pip; printf "\n\n"; } >> ./log/install.txt
    printf "[WGDashboard] Installing latest Python dependencies\n"
 	{ date; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt #This all works on the default installation.
@ -356,6 +341,54 @@ stop_wgd() {
 	fi
 }

+startwgd_docker() {
+	_checkWireguard
+	printf "[WGDashboard][Docker] WireGuard configuration started\n"
+	{ date; start_core ; printf "\n\n"; } >> ./log/install.txt
+    gunicorn_start
+}
+
+start_core() {
+	local iptable_dir="/opt/wireguarddashboard/src/iptable-rules"
+	# Check if wg0.conf exists in /etc/wireguard
+	if [[ ! -f /etc/wireguard/wg0.conf ]]; then
+		echo "[WGDashboard][Docker] wg0.conf not found. Running generate configuration."
+		newconf_wgd
+	else
+		echo "[WGDashboard][Docker] wg0.conf already exists. Skipping WireGuard configuration generation."
+	fi
+	# Re-assign config_files to ensure it includes any newly created configurations
+	local config_files=$(find /etc/wireguard -type f -name "*.conf")
+	
+	# Set file permissions
+	find /etc/wireguard -type f -name "*.conf" -exec chmod 600 {} \;
+	find "$iptable_dir" -type f -name "*.sh" -exec chmod +x {} \;
+	
+	# Start WireGuard for each config file
+	for file in $config_files; do
+		config_name=$(basename "$file" ".conf")
+		wg-quick up "$config_name"
+	done
+}
+
+
+
+newconf_wgd() {
+    local wg_port_listen=$wg_port
+    local wg_addr_range=$wg_net
+    private_key=$(wg genkey)
+    public_key=$(echo "$private_key" | wg pubkey)
+    cat <<EOF >"/etc/wireguard/wg0.conf"
+[Interface]
+PrivateKey = $private_key
+Address = $wg_addr_range
+ListenPort = $wg_port_listen
+SaveConfig = true
+PostUp = /opt/wireguarddashboard/src/iptable-rules/postup.sh
+PreDown = /opt/wireguarddashboard/src/iptable-rules/postdown.sh
+EOF
+}
+
 start_wgd_debug() {
 	printf "%s\n" "$dashes"
 	_checkWireguard
@ -365,7 +398,6 @@ start_wgd_debug() {
 }

 update_wgd() {
-
 	_determineOS
 	if ! python3 --version > /dev/null 2>&1
 	then