Compare commits

..

No commits in common. "5c07117e1d87cc52dd7db1e252bc0377b8a3888c" and "07596efd7f5a40995f214bd2850a4395a92c179e" have entirely different histories.

4 changed files with 45 additions and 157 deletions

View file

@ -1,149 +0,0 @@
name: Continuous Integration
on:
push:
schedule:
- cron: "0 0 * * TUE"
concurrency: ${{ github.workflow }}-${{ github.ref }}
env:
platforms: "linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7"
jobs:
ci:
name: Continuous Integration
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
timeout-minutes: 10
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Load necessary kernel modules
run: sudo modprobe ip6_tables
- name: Install WireGuard
run: sudo apt-get install wireguard
- name: Create WireGuard config
run: echo '${{ secrets.WIREGUARD_CONF }}' > wireguard.conf
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Buildx
uses: docker/setup-buildx-action@v3
- name: Build local Docker image for testing
uses: docker/build-push-action@v5
with:
pull: true
load: true
tags: wireguard
- name: Copy Docker image to Podman
run: |
sudo podman pull docker-daemon:docker.io/library/wireguard:latest
sudo podman save -o ${{ runner.temp }}/wireguard.tar docker.io/library/wireguard:latest
podman load -i ${{ runner.temp }}/wireguard.tar
- name: Test tunnel
run: |
for cmd in "docker" "podman" "sudo podman"; do
$cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf wireguard
normal_ip=$($cmd run --rm curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors ifconfig.io)
wireguard_ip=$($cmd run --rm --net=container:wireguard curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors ifconfig.io)
if [ "$normal_ip" = "$wireguard_ip" ]; then echo "normal ip and wireguard ip are the same" && exit 1; fi
$cmd stop wireguard
done
- name: Test kill switch
run: |
for cmd in "docker" "podman" "sudo podman"; do
$cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf wireguard
$cmd run --rm --net=container:wireguard curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors ifconfig.io
$cmd exec wireguard wg-quick down wg0
! $cmd run --rm --net=container:wireguard curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors ifconfig.io
$cmd stop wireguard
done
- name: Test local subnets
run: |
for cmd in "docker" "podman" "sudo podman"; do
ip_address=$(ip route get 1.2.3.4 | awk '{print $7}')
$cmd run --rm -d --name nginx -p 8080:80 nginx
$cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf -e LOCAL_SUBNETS=$ip_address/32 wireguard
$cmd run --rm --net=container:wireguard curlimages/curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors $ip_address:8080
$cmd stop wireguard nginx
done
- name: Test exposed ports
run: |
for cmd in "docker" "podman" "sudo podman"; do
$cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf -p 8080:80 wireguard
$cmd run --rm -d --name nginx --net=container:wireguard nginx
curl --max-time 3 --retry 3 --retry-delay 1 --retry-all-errors localhost:8080
$cmd stop wireguard nginx
done
- name: Log into Docker Hub
uses: docker/login-action@v3
with:
username: jordanpotter
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
- name: Log into GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get date
id: date
uses: josStorer/get-current-time@v2
with:
format: YYYY-MM-DD
- name: Get metadata for image
id: metadata
uses: docker/metadata-action@v5
with:
images: |
jordanpotter/wireguard
ghcr.io/${{ github.repository }}
tags: |
type=raw,value=${{ steps.date.outputs.formattedTime }},enable=${{ github.event_name == 'schedule' }}
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
- name: Build images
if: ${{ github.ref != 'refs/heads/main' }}
uses: docker/build-push-action@v5
with:
pull: true
push: false
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
platforms: ${{ env.platforms }}
- name: Build and push images
if: ${{ github.ref == 'refs/heads/main' }}
uses: docker/build-push-action@v5
with:
pull: true
push: true
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
platforms: ${{ env.platforms }}
- name: Update Docker Hub description
if: ${{ github.ref == 'refs/heads/main' }}
uses: peter-evans/dockerhub-description@v3
with:
repository: jordanpotter/wireguard
username: jordanpotter
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
short-description: ${{ github.event.repository.description }}

42
.github/workflows/publish.yml vendored Normal file
View file

@ -0,0 +1,42 @@
name: Publish
on:
push:
tags:
- "[0-9]+.[0-9]+.[0-9]+"
jobs:
publish:
name: Publish
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Get metadata for Docker image
id: docker-metadata
uses: docker/metadata-action@v3
with:
images: jordanpotter/wireguard
tags: |
type=semver,pattern={{version}}
- name: Log into Docker Hub
uses: docker/login-action@v1
with:
username: jordanpotter
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
tags: ${{ steps.docker-metadata.outputs.tags }}
labels: ${{ steps.docker-metadata.outputs.labels }}
platforms: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
push: true

View file

@ -1,7 +1,8 @@
FROM alpine:3 FROM alpine:3.15.4
RUN apk add --no-cache \ RUN apk add --no-cache \
findutils openresolv iptables ip6tables iproute2 wireguard-tools openresolv iptables ip6tables iproute2 wireguard-tools \
findutils # Needed for find's -printf flag
COPY entrypoint.sh /entrypoint.sh COPY entrypoint.sh /entrypoint.sh

View file

@ -103,9 +103,3 @@ $ docker run --rm \
--net=container:wireguard \ --net=container:wireguard \
nginx nginx
``` ```
## Versioning
This container image is rebuilt weekly with the latest security updates. Each build runs tests to verify all features continue to work as expected, including the kill switch and local network routing.
Images are tagged with the date of the build in `YYYY-MM-DD` format. The available image tags are listed [here](https://hub.docker.com/r/jordanpotter/wireguard/tags).