Compare commits
10 commits
07596efd7f
...
5c07117e1d
Author | SHA1 | Date | |
---|---|---|---|
|
5c07117e1d | ||
|
b3044bdd6e | ||
|
bac385db3e | ||
|
eefe2e4c9a | ||
|
151215a763 | ||
|
fe96abc12f | ||
|
8cd200bedc | ||
|
c92ecdb79c | ||
|
9477a7048a | ||
|
b505973565 |
4 changed files with 157 additions and 45 deletions
149
.github/workflows/ci.yml
vendored
Normal file
149
.github/workflows/ci.yml
vendored
Normal file
|
@ -0,0 +1,149 @@
|
|||
name: Continuous Integration
|
||||
|
||||
on:
|
||||
push:
|
||||
schedule:
|
||||
- cron: "0 0 * * TUE"
|
||||
|
||||
concurrency: ${{ github.workflow }}-${{ github.ref }}
|
||||
|
||||
env:
|
||||
platforms: "linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7"
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: Continuous Integration
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Load necessary kernel modules
|
||||
run: sudo modprobe ip6_tables
|
||||
|
||||
- name: Install WireGuard
|
||||
run: sudo apt-get install wireguard
|
||||
|
||||
- name: Create WireGuard config
|
||||
run: echo '${{ secrets.WIREGUARD_CONF }}' > wireguard.conf
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3
|
||||
|
||||
- name: Set up Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
|
||||
- name: Build local Docker image for testing
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
pull: true
|
||||
load: true
|
||||
tags: wireguard
|
||||
|
||||
- name: Copy Docker image to Podman
|
||||
run: |
|
||||
sudo podman pull docker-daemon:docker.io/library/wireguard:latest
|
||||
sudo podman save -o ${{ runner.temp }}/wireguard.tar docker.io/library/wireguard:latest
|
||||
podman load -i ${{ runner.temp }}/wireguard.tar
|
||||
|
||||
- name: Test tunnel
|
||||
run: |
|
||||
for cmd in "docker" "podman" "sudo podman"; do
|
||||
$cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf wireguard
|
||||
normal_ip=$($cmd run --rm curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors ifconfig.io)
|
||||
wireguard_ip=$($cmd run --rm --net=container:wireguard curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors ifconfig.io)
|
||||
if [ "$normal_ip" = "$wireguard_ip" ]; then echo "normal ip and wireguard ip are the same" && exit 1; fi
|
||||
$cmd stop wireguard
|
||||
done
|
||||
|
||||
- name: Test kill switch
|
||||
run: |
|
||||
for cmd in "docker" "podman" "sudo podman"; do
|
||||
$cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf wireguard
|
||||
$cmd run --rm --net=container:wireguard curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors ifconfig.io
|
||||
$cmd exec wireguard wg-quick down wg0
|
||||
! $cmd run --rm --net=container:wireguard curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors ifconfig.io
|
||||
$cmd stop wireguard
|
||||
done
|
||||
|
||||
- name: Test local subnets
|
||||
run: |
|
||||
for cmd in "docker" "podman" "sudo podman"; do
|
||||
ip_address=$(ip route get 1.2.3.4 | awk '{print $7}')
|
||||
$cmd run --rm -d --name nginx -p 8080:80 nginx
|
||||
$cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf -e LOCAL_SUBNETS=$ip_address/32 wireguard
|
||||
$cmd run --rm --net=container:wireguard curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors $ip_address:8080
|
||||
$cmd stop wireguard nginx
|
||||
done
|
||||
|
||||
- name: Test exposed ports
|
||||
run: |
|
||||
for cmd in "docker" "podman" "sudo podman"; do
|
||||
$cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf -p 8080:80 wireguard
|
||||
$cmd run --rm -d --name nginx --net=container:wireguard nginx
|
||||
curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors localhost:8080
|
||||
$cmd stop wireguard nginx
|
||||
done
|
||||
|
||||
- name: Log into Docker Hub
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
username: jordanpotter
|
||||
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
|
||||
|
||||
- name: Log into GitHub Container Registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Get date
|
||||
id: date
|
||||
uses: josStorer/get-current-time@v2
|
||||
with:
|
||||
format: YYYY-MM-DD
|
||||
|
||||
- name: Get metadata for image
|
||||
id: metadata
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: |
|
||||
jordanpotter/wireguard
|
||||
ghcr.io/${{ github.repository }}
|
||||
tags: |
|
||||
type=raw,value=${{ steps.date.outputs.formattedTime }},enable=${{ github.event_name == 'schedule' }}
|
||||
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
|
||||
|
||||
- name: Build images
|
||||
if: ${{ github.ref != 'refs/heads/main' }}
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
pull: true
|
||||
push: false
|
||||
tags: ${{ steps.metadata.outputs.tags }}
|
||||
labels: ${{ steps.metadata.outputs.labels }}
|
||||
platforms: ${{ env.platforms }}
|
||||
|
||||
- name: Build and push images
|
||||
if: ${{ github.ref == 'refs/heads/main' }}
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
pull: true
|
||||
push: true
|
||||
tags: ${{ steps.metadata.outputs.tags }}
|
||||
labels: ${{ steps.metadata.outputs.labels }}
|
||||
platforms: ${{ env.platforms }}
|
||||
|
||||
- name: Update Docker Hub description
|
||||
if: ${{ github.ref == 'refs/heads/main' }}
|
||||
uses: peter-evans/dockerhub-description@v3
|
||||
with:
|
||||
repository: jordanpotter/wireguard
|
||||
username: jordanpotter
|
||||
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
|
||||
short-description: ${{ github.event.repository.description }}
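Review bot: The "Test kill switch" step can never fail the job: `run:` scripts execute under `bash -e`, and bash's errexit deliberately ignores a command whose status is inverted with `!`, so when `! $cmd run ... curlimages/curl ... ifconfig.io` still reaches the internet after `wg-quick down wg0` the loop simply continues to `$cmd stop wireguard` and the step exits 0. Replace that line with an explicit check: `if $cmd run --rm --net=container:wireguard curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors ifconfig.io; then echo "kill switch leaked traffic after wg-quick down" >&2; exit 1; fi`. Separately, `run: echo '${{ secrets.WIREGUARD_CONF }}' > wireguard.conf` splices the VPN private key into the script text, where a single quote in the config breaks the command and the resulting file is left world-readable in the workspace; pass it via `env: WIREGUARD_CONF: ${{ secrets.WIREGUARD_CONF }}` and write it with `(umask 077; printf '%s\n' "$WIREGUARD_CONF" > wireguard.conf)`. This job also carries a Docker Hub push token and `packages: write`, yet every action is referenced by a mutable tag; pin them to commit SHAs, and the third-party `josStorer/get-current-time@v2` can be dropped entirely for `run: echo "formattedTime=$(date -u +%Y-%m-%d)" >> "$GITHUB_OUTPUT"` under the same `id: date`, which keeps `steps.date.outputs.formattedTime` working unchanged.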
|
42
.github/workflows/publish.yml
vendored
42
.github/workflows/publish.yml
vendored
|
@ -1,42 +0,0 @@
|
|||
name: Publish
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- "[0-9]+.[0-9]+.[0-9]+"
|
||||
|
||||
jobs:
|
||||
publish:
|
||||
name: Publish
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v1
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
|
||||
- name: Get metadata for Docker image
|
||||
id: docker-metadata
|
||||
uses: docker/metadata-action@v3
|
||||
with:
|
||||
images: jordanpotter/wireguard
|
||||
tags: |
|
||||
type=semver,pattern={{version}}
|
||||
|
||||
- name: Log into Docker Hub
|
||||
uses: docker/login-action@v1
|
||||
with:
|
||||
username: jordanpotter
|
||||
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
|
||||
|
||||
- name: Build and push Docker image
|
||||
uses: docker/build-push-action@v2
|
||||
with:
|
||||
tags: ${{ steps.docker-metadata.outputs.tags }}
|
||||
labels: ${{ steps.docker-metadata.outputs.labels }}
|
||||
platforms: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
|
||||
push: true
|
|
@ -1,8 +1,7 @@
|
|||
FROM alpine:3.15.4
|
||||
FROM alpine:3
|
||||
|
||||
RUN apk add --no-cache \
|
||||
openresolv iptables ip6tables iproute2 wireguard-tools \
|
||||
findutils # Needed for find's -printf flag
|
||||
findutils openresolv iptables ip6tables iproute2 wireguard-tools
|
||||
|
||||
COPY entrypoint.sh /entrypoint.sh
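Review bot: If `FROM alpine:3` is the new side of this hunk, the base image now floats on a major-only tag, and with `pull: true` in the workflow each weekly rebuild silently resolves to whatever Alpine 3.x happens to be current, so neither the Dockerfile nor the published image records which base it was built from. Either pin by digest (`FROM alpine:3@sha256:...`) and let a bot refresh it, or state the intent so the next reader does not "fix" it: `# Major-only pin on purpose: the weekly scheduled build is meant to pick up the latest Alpine 3.x patch release`. The rewritten `RUN apk add` line also drops the old `# Needed for find's -printf flag` rationale for `findutils`; keep it as a comment above the RUN so the package is not removed as unused later. The file header for this section is not in the page, so the path is inferred from the content.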
|
||||
|
||||
|
|
|
@ -103,3 +103,9 @@ $ docker run --rm \
|
|||
--net=container:wireguard \
|
||||
nginx
|
||||
```
|
||||
|
||||
## Versioning
|
||||
|
||||
This container image is rebuilt weekly with the latest security updates. Each build runs tests to verify all features continue to work as expected, including the kill switch and local network routing.
|
||||
|
||||
Images are tagged with the date of the build in `YYYY-MM-DD` format. The available image tags are listed [here](https://hub.docker.com/r/jordanpotter/wireguard/tags).
|
||||
|
|