fix: make cross-cell peer-sync push actually reach the remote cell's API
Unit Tests / test (push) Successful in 9m48s
Unit Tests / test (push) Successful in 9m48s
The offer/permission push between linked cells never worked end-to-end. Two fixes complete the transport (the push already targets the remote over the WG tunnel; fix #3 earlier pointed it at HTTPS): 1. The slim WireGuard image (where the push originates — the only namespace with routes to remote-cell VPN subnets) had no TLS-capable HTTP client (busybox wget lacks TLS, no curl). Add curl + ca-certificates (~5MB). 2. The receiving cell's cell-link firewall allowed the linked subnet to reach cell-api:3000 — a dead path (the API binds 127.0.0.1 only; nothing DNATs :3000). Move the peer-sync ACCEPT to Caddy:443, which the WG server already DNATs (wg0:443 → Caddy → cell-api) and whose replies the existing `-o eth0 MASQUERADE` routes back through the tunnel. Source auth (cell VPN subnet via X-Forwarded-For) is preserved; the API stays 127.0.0.1-only. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,11 @@
|
||||
FROM alpine:3.20@sha256:d9e853e87e55526f6b2917df91a2115c36dd7c696a35be12163d44e6e2a4b6bc
|
||||
|
||||
RUN apk add --no-cache wireguard-tools iptables ip6tables iproute2
|
||||
# curl + ca-certificates: cell-to-cell peer-sync pushes (offer/permission state)
|
||||
# originate from this container's network namespace — the only one with routes to
|
||||
# remote-cell VPN subnets over the tunnel — and go over HTTPS to the remote's
|
||||
# Caddy. busybox wget here has no TLS, so curl is required (~5MB over the slim
|
||||
# base; the alternative is no automatic cross-cell sync).
|
||||
RUN apk add --no-cache wireguard-tools iptables ip6tables iproute2 curl ca-certificates
|
||||
|
||||
COPY entrypoint.sh /entrypoint.sh
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
Reference in New Issue
Block a user