diff --git a/.fpm b/.fpm
index 06ae1335..889fb9c2 100644
--- a/.fpm
+++ b/.fpm
@@ -1,6 +1,5 @@
 -s dir
 --name defguard-gateway
---architecture x86_64
 --description "defguard VPN gateway service"
 --url "https://defguard.net/"
 --maintainer "teonite"
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
new file mode 100644
index 00000000..cc36a3b6
--- /dev/null
+++ b/.github/workflows/build-docker.yml
@@ -0,0 +1,80 @@
+name: Build Docker image
+
+on:
+ workflow_call:
+ inputs:
+ tags:
+ description: "List of tags as key-value pair attributes"
+ required: false
+ type: string
+
+env:
+ GHCR_REPO: ghcr.io/defguard/gateway
+
+jobs:
+ build-docker:
+ runs-on:
+ - self-hosted
+ - Linux
+ - ${{ matrix.runner }}
+ strategy:
+ matrix:
+ cpu: [arm64, amd64]
+ include:
+ - cpu: arm64
+ runner: ARM64
+ - cpu: amd64
+ runner: X64
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ - name: Login to GitHub container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ buildkitd-config-inline: |
+ [registry."docker.io"]
+ mirrors = ["dockerhub-proxy.teonite.net"]
+ - name: Build container
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: linux/${{ matrix.cpu }}
+ provenance: false
+ push: true
+ tags: ${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.cpu }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ docker-manifest:
+ runs-on: [self-hosted, Linux]
+ needs: [build-docker]
+ steps:
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ${{ env.GHCR_REPO }}
+ tags: ${{ inputs.tags }}
+ - name: Login to GitHub container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Create and push manifests
+ run: |
+ tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+ for tag in ${tags}
+ do
+ docker manifest create --amend ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64
+ docker manifest push ${tag}
+ done
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 46042d55..7ad4b0c0 100644
--- a/.github/workflows/ci.yml
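Review bot: Both `build-docker` and `docker-manifest` push to GHCR with `secrets.GITHUB_TOKEN` yet the workflow declares no `permissions`, so as a reusable workflow it runs with whatever the caller inherits, which is the repository default and may be far wider than it needs. Scope the token at job level with `permissions:` / `contents: read` / `packages: write` (it needs nothing else). Every `uses:` line is pinned to a floating major tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v5`, `docker/metadata-action@v5`); pinning to a full commit SHA with the tag kept as a trailing comment makes the build reproducible and lets Dependabot manage updates. In the "Create and push manifests" step `${{ steps.meta.outputs.tags }}` is expanded directly into the shell script; metadata-action sanitizes tag characters, but passing it through `env:` (`TAGS: ${{ steps.meta.outputs.tags }}`) and reading `"$TAGS"` removes the dependence on that. A one-line comment on `provenance: false` saying why it is off (presumably so `docker manifest create` is not handed attestation manifests) would save the next maintainer from re-enabling it.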
+++ b/.github/workflows/ci.yml @@ -28,7 +28,7 @@ jobs: - name: Debug run: echo ${{ github.ref_name }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: submodules: recursive - name: Cache diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml index 55d8317a..f67ce3ef 100644 --- a/.github/workflows/current.yml +++ b/.github/workflows/current.yml @@ -8,39 +8,15 @@ on: - "*.md" - "LICENSE" +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: - build-docker: - runs-on: [self-hosted, Linux, X64] - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - submodules: recursive - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/defguard/gateway - tags: | - type=ref,event=branch - type=raw,value=current - type=sha - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Login to GitHub container registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build container - uses: docker/build-push-action@v5 - with: - context: . - platforms: linux/amd64 - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max + build-current: + uses: ./.github/workflows/build-docker.yml + with: + tags: | + type=raw,value=current + type=ref,event=branch + type=sha diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 916bcb3a..9035e420 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,8 +1,8 @@ name: rustdoc Github Pages on: push: - branches: - - main + branches: + - main env: CARGO_INCREMENTAL: 0 
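Review bot: The `build-current` call into build-docker.yml drops the OCI labels the removed job attached (`labels: ${{ steps.meta.outputs.labels }}` on the old `docker/build-push-action` step); build-docker.yml runs `docker/metadata-action` only in its manifest job and passes just `tags`, so images built from here and from the `build-latest` job in release.yml no longer carry `org.opencontainers.image.source`/`revision`/`version`, which is what consumers use to trace a running image back to a commit. Labels live in the per-arch image config, not in the manifest list, so they have to be set in the `build-docker` job of build-docker.yml: add a `docker/metadata-action` step there and pass `labels: ${{ steps.meta.outputs.labels }}` to `docker/build-push-action`, or note in this workflow that labels are intentionally dropped. The `concurrency` block is a good addition; `cancel-in-progress: true` means a superseded push never produces a half-pushed multi-arch image only if the manifest job is what gets cancelled, which is worth keeping in mind when reading a cancelled run.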
@@ -14,27 +14,27 @@ jobs: rustdoc: runs-on: [self-hosted, Linux] container: - image: rust:1.75 + image: rust:1 steps: - - name: Checkout - uses: actions/checkout@v3 - with: - submodules: recursive + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: recursive - - name: Install Rust toolchain - run: rustup update --no-self-update stable + - name: Install Rust toolchain + run: rustup update --no-self-update stable - - name: Install protoc - run: apt-get update && apt-get -y install protobuf-compiler + - name: Install protoc + run: apt-get update && apt-get -y install protobuf-compiler - - name: Build Docs - run: cargo doc --all --no-deps + - name: Build Docs + run: cargo doc --all --no-deps - - name: Deploy Docs - uses: peaceiris/actions-gh-pages@v3 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - publish_branch: gh-pages - publish_dir: ./target/doc - force_orphan: true + - name: Deploy Docs + uses: peaceiris/actions-gh-pages@v3 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + publish_branch: gh-pages + publish_dir: ./target/doc + force_orphan: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3bdd2220..fdff4d45 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -9,49 +9,14 @@ concurrency: cancel-in-progress: true jobs: - publish-docker: - runs-on: [self-hosted, Linux] - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - submodules: recursive - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/DefGuard/gateway - tags: | - type=raw,value=latest - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=sha - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker BuildX - uses: docker/setup-buildx-action@v3 - with: - config-inline: | - [registry."docker.io"] - mirrors = ["dockerhub-proxy.teonite.net"] - - name: Login to GitHub Container Registry - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build container - uses: docker/build-push-action@v5 - with: - context: . - platforms: linux/amd64,linux/arm64 - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max + build-latest: + uses: ./.github/workflows/build-docker.yml + with: + tags: | + type=raw,value=latest + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=sha create-release: name: create-release 
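Review bot: The removed `publish-docker` job guarded the registry login with `if: github.event_name != 'pull_request'` and set `push: ${{ github.event_name != 'pull_request' }}`; the replacement `build-latest` call has no such guard, and build-docker.yml hard-codes `push: true`. The `on:` block of release.yml is outside the hunk, so if this workflow can fire on anything other than a tag push, a pull request would now publish `latest` and the semver tags to GHCR; if it is tag-only, the guard was dead and removing it is fine, but either way the assumption should be confirmed and stated, e.g. `# release.yml runs only on tag pushes, so build-docker.yml's unconditional push is safe`. The old job also used `ghcr.io/DefGuard/gateway` while the new reusable workflow uses `ghcr.io/defguard/gateway`; registries lowercase the repository path, so this is harmless, but mention it if anyone greps for the old spelling.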
@@ -69,28 +34,27 @@ jobs: build-release: name: Release ${{ matrix.build }} - needs: ["create-release"] + needs: [create-release] runs-on: - self-hosted - ${{ matrix.os }} strategy: fail-fast: false matrix: - build: [linux, linux-arm, linux-arm64, freebsd] + build: [linux, linux-arm64, freebsd] include: - build: linux + arch: amd64 os: Linux asset_name: defguard-gateway-linux-x86_64 target: x86_64-unknown-linux-gnu - - build: linux-arm - os: Linux - asset_name: defguard-gateway-linux-armv7 - target: armv7-unknown-linux-gnueabihf - build: linux-arm64 + arch: arm64 os: Linux asset_name: defguard-gateway-linux-arm64 target: aarch64-unknown-linux-gnu - build: freebsd + arch: amd64 os: Linux asset_name: defguard-gateway-freebsd-x86_64 target: x86_64-unknown-freebsd @@ -147,7 +111,7 @@ jobs: uses: defGuard/fpm-action@main with: fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml" - fpm_opts: "--debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb" - name: Upload DEB if: matrix.build != 'freebsd' 
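Review bot: Dropping the `linux-arm` matrix entry stops publishing the `defguard-gateway-linux-armv7` binary and its deb/rpm with no replacement, and nothing in the hunk records that armv7 is no longer supported, so users on that platform will silently stop receiving updates. A line in the release notes and a comment beside the matrix, e.g. `# armv7 (linux-arm) builds were dropped in 0.7.2`, would make the decision discoverable. The new `arch` keys (`amd64` for `linux` and `freebsd`, `arm64` for `linux-arm64`) agree with their `target` triples.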
@@ -165,7 +129,7 @@ jobs: uses: defGuard/fpm-action@main with: fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml" - fpm_opts: "--debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm" - name: Upload RPM if: matrix.build == 'linux' @@ -183,7 +147,7 @@ jobs: uses: defGuard/fpm-action@main with: fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard-gateway example-config.toml=/etc/defguard/gateway.toml defguard-rc.conf=/etc/rc.conf.d/defguard-gateway" - fpm_opts: "--debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" - name: Upload FreeBSD if: matrix.build == 'freebsd' 
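Review bot: `--architecture ${{ matrix.arch }}` now feeds Debian-style names (`amd64`, `arm64`, from the matrix earlier in this file) to the rpm output as well as the deb one, but RPM's own names are `x86_64` and `aarch64`, and whether fpm translates them for `--output-type rpm` depends on its rpm backend. Before trusting the artifacts, check the arch tag of both matrix entries with `rpm -qp --qf '%{ARCH}\n' <PACKAGE_FILE>`; a mismatched tag makes `rpm`/`dnf` refuse the package on the very hosts it was built for. If fpm does not translate, add a matrix key such as `rpm_arch: x86_64` / `rpm_arch: aarch64` and use `--architecture ${{ matrix.rpm_arch }}` here. The freebsd hunk (`@@ -183`) is fine as is, since `amd64` is FreeBSD's native name for that target.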
@@ -210,7 +174,7 @@ jobs: opnsense/src/opnsense/mvc/app/views/OPNsense/DefguardGateway/=usr/local/opnsense/mvc/app/views/OPNsense/DefguardGateway opnsense/src/opnsense/service/templates/OPNsense/DefguardGateway/=/usr/local/opnsense/service/templates/OPNsense/DefguardGateway opnsense/src/opnsense/service/conf/actions.d/actions_defguardgateway.conf=/usr/local/opnsense/service/conf/actions.d/actions_defguardgateway.conf" - fpm_opts: "--debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" - name: Upload OPNsense package if: matrix.build == 'freebsd' diff --git a/Cargo.lock b/Cargo.lock index ae95159a..7822b410 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -395,7 +395,7 @@ dependencies = [ [[package]] name = "defguard-gateway" -version = "0.7.1" +version = "0.7.2" dependencies = [ "async-stream", "axum", @@ -421,8 +421,8 @@ dependencies = [ [[package]] name = "defguard_wireguard_rs" -version = "0.4.6" -source = "git+https://github.com/DefGuard/wireguard-rs.git?rev=v0.4.6#6a325957fb6cc83f96dde730262a8b1b0efcedd6" +version = "0.4.7" +source = "git+https://github.com/DefGuard/wireguard-rs.git?rev=v0.4.7#ef1cf3714629bf5016fb38cbb7320451dc69fb09" dependencies = [ "base64", "libc", @@ -1713,9 +1713,9 @@ dependencies = [ [[package]] name = "tonic" -version = "0.12.1" +version = "0.12.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38659f4a91aba8598d27821589f5db7dddd94601e7a01b1e485a50e5484c7401" +checksum = "c6f6ba989e4b2c58ae83d862d3a3e27690b6e3ae630d0deb59f3697f32aa88ad" dependencies = [ "async-stream", "async-trait", diff --git a/Cargo.toml b/Cargo.toml index 25602bad..bc8a0276 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -1,6 +1,6 @@
 [package]
 name = "defguard-gateway"
-version = "0.7.1"
+version = "0.7.2"
 edition = "2021"
 
 [dependencies]
@@ -12,7 +12,7 @@ chrono = { version = "0.4", default-features = false, features = [
 "std",
 ] }
 clap = { version = "4.5", features = ["derive", "env"] }
-defguard_wireguard_rs = { git = "https://github.com/DefGuard/wireguard-rs.git", rev = "v0.4.6" }
+defguard_wireguard_rs = { git = "https://github.com/DefGuard/wireguard-rs.git", rev = "v0.4.7" }
 env_logger = "0.11"
 gethostname = "0.5"
 log = "0.4"
@@ -20,7 +20,7 @@ prost = "0.13"
 serde = { version = "1.0", features = ["derive"] }
 syslog = "7.0"
 thiserror = "1.0"
-tonic = { version = "0.12", features = ["gzip", "tls", "tls-roots"] }
+tonic = { version = "0.12", features = ["gzip", "tls", "tls-native-roots"] }
 tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
 tokio-stream = { version = "0.1", features = [] }
 toml = { version = "0.8", default-features = false, features = ["parse"] }
diff --git a/src/gateway.rs b/src/gateway.rs
index 2dd8adcd..7665f617 100644
--- a/src/gateway.rs
+++ b/src/gateway.rs
@@ -326,12 +326,14 @@ impl Gateway {
 .http2_keep_alive_interval(TEN_SECS)
 .tcp_keepalive(Some(TEN_SECS))
 .keep_alive_while_idle(true);
+ // if CA certificate is provided, use it (and only it)
+ // otherwise load certs from system
 let endpoint = if let Some(ca) = &self.config.grpc_ca {
 let ca = std::fs::read_to_string(ca)?;
 let tls = ClientTlsConfig::new().ca_certificate(Certificate::from_pem(ca));
 endpoint.tls_config(tls)?
 } else {
- endpoint
+ endpoint.tls_config(ClientTlsConfig::new().with_native_roots())?
 };
 
 let channel = endpoint.connect_lazy();
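Review bot: The new else branch attaches the OS root store explicitly (`with_native_roots()`, matching the `tls-roots` → `tls-native-roots` feature change in Cargo.toml), but the only trace of which trust source the gateway ended up using is a code comment, so an operator looking at a failed handshake has nothing in the logs to tell the two cases apart. Emit a debug line in each branch, e.g. `debug!("gRPC TLS: trusting only the CA certificate from {ca:?}")` placed before the `read_to_string` line that shadows `ca`, and `debug!("gRPC TLS: trusting native root certificates")` in the else branch — the crate depends on `log`, but confirm the macro is imported in this file. The comment could also spell out the operational consequence, which is easy to miss when `grpc_ca` is set by a deployment template: `// A configured grpc_ca replaces the OS trust store entirely; the server certificate must chain to it.` The enclosing method starts and ends outside the hunk.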