fix: config persistence, setup script, and install docs
- app.py: ConfigManager now uses CONFIG_DIR env var for config file path instead of hardcoded './config/cell_config.json' — config was being read from the image's working directory, making all settings writes ephemeral (lost on container restart) - wireguard_manager: generate_config uses configured address/port instead of hardcoded 10.0.0.1 in DNAT rules and Address field - scripts/setup_cell.py: full setup script — generates WireGuard keys (wg binary or Python cryptography fallback), writes wg0.conf and cell_config.json with correct _identity key; CELL_NAME / VPN_ADDRESS / WG_PORT env vars - Makefile: setup target passes env vars through; build-api / build-webui targets - README: replace install.sh references with make setup && make start Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+206
-99
@@ -1,99 +1,206 @@
|
||||
#!/usr/bin/env python3
|
||||
import os
|
||||
import sys
|
||||
import subprocess
|
||||
|
||||
# List of required directories (relative to project root)
|
||||
REQUIRED_DIRS = [
|
||||
'config/caddy/certs',
|
||||
'config/dns',
|
||||
'config/dhcp',
|
||||
'config/ntp',
|
||||
'config/mail/config',
|
||||
'config/mail/ssl',
|
||||
'config/radicale',
|
||||
'config/webdav',
|
||||
'config/wireguard',
|
||||
'config/api',
|
||||
'data/caddy',
|
||||
'data/dns',
|
||||
'data/dhcp',
|
||||
'data/maildata',
|
||||
'data/mailstate',
|
||||
'data/maillogs',
|
||||
'data/radicale',
|
||||
'data/files',
|
||||
'data/api',
|
||||
'data/vault/certs',
|
||||
'data/vault/keys',
|
||||
'data/vault/trust',
|
||||
'data/vault/ca',
|
||||
]
|
||||
|
||||
# List of required files (relative to project root)
|
||||
REQUIRED_FILES = [
|
||||
'config/caddy/Caddyfile',
|
||||
'config/dns/Corefile',
|
||||
'config/dhcp/dnsmasq.conf',
|
||||
'config/ntp/chrony.conf',
|
||||
'config/mail/mailserver.env',
|
||||
'config/webdav/users.passwd',
|
||||
]
|
||||
|
||||
# Helper to create directories
|
||||
def ensure_dir(path):
|
||||
if not os.path.exists(path):
|
||||
os.makedirs(path, exist_ok=True)
|
||||
print(f"[CREATED] Directory: {path}")
|
||||
# Add .gitkeep to empty dirs
|
||||
gitkeep = os.path.join(path, '.gitkeep')
|
||||
with open(gitkeep, 'w') as f:
|
||||
f.write('')
|
||||
else:
|
||||
print(f"[EXISTS] Directory: {path}")
|
||||
|
||||
# Helper to create empty files if missing
|
||||
def ensure_file(path):
|
||||
if not os.path.exists(path):
|
||||
parent = os.path.dirname(path)
|
||||
if parent and not os.path.exists(parent):
|
||||
os.makedirs(parent, exist_ok=True)
|
||||
print(f"[CREATED] Directory: {parent}")
|
||||
with open(path, 'w') as f:
|
||||
f.write('')
|
||||
print(f"[CREATED] File: {path}")
|
||||
else:
|
||||
print(f"[EXISTS] File: {path}")
|
||||
|
||||
# Optionally generate a self-signed CA cert for Caddy
|
||||
def ensure_caddy_ca_cert():
|
||||
cert_dir = os.path.join('config', 'caddy', 'certs')
|
||||
ca_key = os.path.join(cert_dir, 'ca.key')
|
||||
ca_crt = os.path.join(cert_dir, 'ca.crt')
|
||||
if os.path.exists(ca_key) and os.path.exists(ca_crt):
|
||||
print(f"[EXISTS] Caddy CA cert and key: {ca_crt}, {ca_key}")
|
||||
return
|
||||
print("[INFO] Generating self-signed CA certificate for Caddy...")
|
||||
try:
|
||||
subprocess.run([
|
||||
'openssl', 'req', '-x509', '-newkey', 'rsa:4096',
|
||||
'-keyout', ca_key, '-out', ca_crt, '-days', '365', '-nodes',
|
||||
'-subj', '/C=US/ST=State/L=City/O=PersonalInternetCell/CN=CellCA'
|
||||
], check=True)
|
||||
print(f"[CREATED] Caddy CA cert and key: {ca_crt}, {ca_key}")
|
||||
except FileNotFoundError:
|
||||
print("[WARN] openssl not found, skipping CA cert generation.")
|
||||
except subprocess.CalledProcessError:
|
||||
print("[ERROR] openssl failed to generate CA cert.")
|
||||
|
||||
def main():
|
||||
print("--- Personal Internet Cell: Setup Script ---")
|
||||
for d in REQUIRED_DIRS:
|
||||
ensure_dir(d)
|
||||
for f in REQUIRED_FILES:
|
||||
ensure_file(f)
|
||||
ensure_caddy_ca_cert()
|
||||
print("--- Setup complete! ---")
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
PIC setup script — run once on a fresh host to initialise a new cell.
|
||||
|
||||
Env vars (all optional, have defaults):
|
||||
CELL_NAME cell identity name (default: mycell)
|
||||
CELL_DOMAIN DNS TLD for this cell (default: cell)
|
||||
VPN_ADDRESS WireGuard server address (default: 10.0.0.1/24)
|
||||
WG_PORT WireGuard listen port (default: 51820)
|
||||
"""
|
||||
import json
|
||||
import os
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
# ── directories ────────────────────────────────────────────────────────────────
|
||||
REQUIRED_DIRS = [
|
||||
'config/caddy/certs',
|
||||
'config/dns',
|
||||
'config/dhcp',
|
||||
'config/ntp',
|
||||
'config/mail/config',
|
||||
'config/mail/ssl',
|
||||
'config/radicale',
|
||||
'config/webdav',
|
||||
'config/wireguard',
|
||||
'config/api',
|
||||
'data/caddy',
|
||||
'data/dns',
|
||||
'data/dhcp',
|
||||
'data/maildata',
|
||||
'data/mailstate',
|
||||
'data/maillogs',
|
||||
'data/radicale',
|
||||
'data/files',
|
||||
'data/api',
|
||||
'data/vault/certs',
|
||||
'data/vault/keys',
|
||||
'data/vault/trust',
|
||||
'data/vault/ca',
|
||||
'data/logs',
|
||||
'data/wireguard/keys/peers',
|
||||
'data/wireguard/wg_confs',
|
||||
]
|
||||
|
||||
REQUIRED_FILES = [
|
||||
'config/caddy/Caddyfile',
|
||||
'config/dns/Corefile',
|
||||
'config/dhcp/dnsmasq.conf',
|
||||
'config/ntp/chrony.conf',
|
||||
'config/mail/mailserver.env',
|
||||
'config/webdav/users.passwd',
|
||||
]
|
||||
|
||||
ROOT = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
|
||||
|
||||
|
||||
def ensure_dir(rel):
|
||||
path = os.path.join(ROOT, rel)
|
||||
if not os.path.exists(path):
|
||||
os.makedirs(path, exist_ok=True)
|
||||
print(f'[CREATED] {rel}')
|
||||
open(os.path.join(path, '.gitkeep'), 'w').close()
|
||||
else:
|
||||
print(f'[EXISTS] {rel}')
|
||||
|
||||
|
||||
def ensure_file(rel):
|
||||
path = os.path.join(ROOT, rel)
|
||||
if not os.path.exists(path):
|
||||
os.makedirs(os.path.dirname(path), exist_ok=True)
|
||||
open(path, 'w').close()
|
||||
print(f'[CREATED] {rel}')
|
||||
else:
|
||||
print(f'[EXISTS] {rel}')
|
||||
|
||||
|
||||
def ensure_caddy_ca_cert():
|
||||
cert_dir = os.path.join(ROOT, 'config', 'caddy', 'certs')
|
||||
ca_key = os.path.join(cert_dir, 'ca.key')
|
||||
ca_crt = os.path.join(cert_dir, 'ca.crt')
|
||||
if os.path.exists(ca_key) and os.path.exists(ca_crt):
|
||||
print('[EXISTS] Caddy CA cert')
|
||||
return
|
||||
print('[INFO] Generating Caddy CA certificate...')
|
||||
try:
|
||||
subprocess.run([
|
||||
'openssl', 'req', '-x509', '-newkey', 'rsa:4096',
|
||||
'-keyout', ca_key, '-out', ca_crt, '-days', '365', '-nodes',
|
||||
'-subj', '/C=US/ST=State/L=City/O=PersonalInternetCell/CN=CellCA'
|
||||
], check=True, capture_output=True)
|
||||
print(f'[CREATED] Caddy CA cert')
|
||||
except FileNotFoundError:
|
||||
print('[WARN] openssl not found — skipping CA cert generation')
|
||||
except subprocess.CalledProcessError as e:
|
||||
print(f'[ERROR] openssl failed: {e}')
|
||||
|
||||
|
||||
def _gen_keys_python():
|
||||
"""Generate WireGuard keypair using the cryptography library (no wg binary needed)."""
|
||||
import base64
|
||||
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
|
||||
private_key = X25519PrivateKey.generate()
|
||||
private_bytes = private_key.private_bytes_raw()
|
||||
public_bytes = private_key.public_key().public_bytes_raw()
|
||||
return base64.b64encode(private_bytes).decode(), base64.b64encode(public_bytes).decode()
|
||||
|
||||
|
||||
def generate_wg_keys():
|
||||
keys_dir = os.path.join(ROOT, 'data', 'wireguard', 'keys')
|
||||
priv_path = os.path.join(keys_dir, 'server_private.key')
|
||||
pub_path = os.path.join(keys_dir, 'server_public.key')
|
||||
if os.path.exists(priv_path) and os.path.exists(pub_path):
|
||||
print('[EXISTS] WireGuard server keys')
|
||||
return open(priv_path).read().strip(), open(pub_path).read().strip()
|
||||
print('[INFO] Generating WireGuard server keys...')
|
||||
os.makedirs(keys_dir, exist_ok=True)
|
||||
# Try wg binary first; fall back to Python cryptography library
|
||||
try:
|
||||
priv = subprocess.check_output(['wg', 'genkey']).decode().strip()
|
||||
pub = subprocess.check_output(['wg', 'pubkey'], input=priv.encode()).decode().strip()
|
||||
except FileNotFoundError:
|
||||
print('[INFO] wg not found — using Python cryptography library')
|
||||
priv, pub = _gen_keys_python()
|
||||
with open(priv_path, 'w') as f:
|
||||
f.write(priv + '\n')
|
||||
os.chmod(priv_path, 0o600)
|
||||
with open(pub_path, 'w') as f:
|
||||
f.write(pub + '\n')
|
||||
print(f'[CREATED] WireGuard server keys pub={pub[:12]}...')
|
||||
return priv, pub
|
||||
|
||||
|
||||
def write_wg0_conf(private_key: str, address: str, port: int):
|
||||
wg_conf = os.path.join(ROOT, 'config', 'wireguard', 'wg0.conf')
|
||||
if os.path.exists(wg_conf):
|
||||
print('[EXISTS] config/wireguard/wg0.conf')
|
||||
return
|
||||
server_ip = address.split('/')[0]
|
||||
content = (
|
||||
f'[Interface]\n'
|
||||
f'PrivateKey = {private_key}\n'
|
||||
f'Address = {address}\n'
|
||||
f'ListenPort = {port}\n'
|
||||
f'PostUp = iptables -A FORWARD -i %i -j ACCEPT; '
|
||||
f'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; '
|
||||
f'sysctl -q net.ipv4.conf.all.rp_filter=0\n'
|
||||
f'PostDown = iptables -D FORWARD -i %i -j ACCEPT; '
|
||||
f'iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; '
|
||||
f'sysctl -q net.ipv4.conf.all.rp_filter=1\n'
|
||||
)
|
||||
with open(wg_conf, 'w') as f:
|
||||
f.write(content)
|
||||
os.chmod(wg_conf, 0o600)
|
||||
print(f'[CREATED] config/wireguard/wg0.conf address={address} port={port}')
|
||||
|
||||
|
||||
def write_cell_config(cell_name: str, domain: str, port: int):
|
||||
cfg_path = os.path.join(ROOT, 'config', 'api', 'cell_config.json')
|
||||
if os.path.exists(cfg_path):
|
||||
try:
|
||||
existing = json.loads(open(cfg_path).read())
|
||||
if existing and existing != {}:
|
||||
print('[EXISTS] config/api/cell_config.json')
|
||||
return
|
||||
except Exception:
|
||||
pass
|
||||
config = {
|
||||
'_identity': {
|
||||
'cell_name': cell_name,
|
||||
'domain': domain,
|
||||
'ip_range': '172.20.0.0/16',
|
||||
'wireguard_port': port,
|
||||
}
|
||||
}
|
||||
with open(cfg_path, 'w') as f:
|
||||
json.dump(config, f, indent=2)
|
||||
print(f'[CREATED] config/api/cell_config.json name={cell_name} domain={domain}')
|
||||
|
||||
|
||||
def main():
|
||||
cell_name = os.environ.get('CELL_NAME', 'mycell')
|
||||
domain = os.environ.get('CELL_DOMAIN', 'cell')
|
||||
vpn_address = os.environ.get('VPN_ADDRESS', '10.0.0.1/24')
|
||||
wg_port = int(os.environ.get('WG_PORT', '51820'))
|
||||
|
||||
print('--- Personal Internet Cell: Setup ---')
|
||||
print(f' cell={cell_name} domain={domain} vpn={vpn_address} port={wg_port}')
|
||||
print()
|
||||
|
||||
for d in REQUIRED_DIRS:
|
||||
ensure_dir(d)
|
||||
for f in REQUIRED_FILES:
|
||||
ensure_file(f)
|
||||
|
||||
ensure_caddy_ca_cert()
|
||||
priv, _pub = generate_wg_keys()
|
||||
write_wg0_conf(priv, vpn_address, wg_port)
|
||||
write_cell_config(cell_name, domain, wg_port)
|
||||
|
||||
print()
|
||||
print('--- Setup complete! Run: make start ---')
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
|
||||
Reference in New Issue
Block a user