roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Wiki Activity
Files
639fb66e5be103100008d3b83160550bbcb119ae
pic/wireguard/Dockerfile
T
roof 714fb9b1a9
Unit Tests / test (push) Successful in 9m48s
Details
fix: make cross-cell peer-sync push actually reach the remote cell's API 
The offer/permission push between linked cells never worked end-to-end. Two
fixes complete the transport (the push already targets the remote over the WG
tunnel; fix #3 earlier pointed it at HTTPS):

1. The slim WireGuard image (where the push originates — the only namespace with
   routes to remote-cell VPN subnets) had no TLS-capable HTTP client (busybox
   wget lacks TLS, no curl). Add curl + ca-certificates (~5MB).

2. The receiving cell's cell-link firewall allowed the linked subnet to reach
   cell-api:3000 — a dead path (the API binds 127.0.0.1 only; nothing DNATs
   :3000). Move the peer-sync ACCEPT to Caddy:443, which the WG server already
   DNATs (wg0:443 → Caddy → cell-api) and whose replies the existing
   `-o eth0 MASQUERADE` routes back through the tunnel. Source auth (cell VPN
   subnet via X-Forwarded-For) is preserved; the API stays 127.0.0.1-only.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-16 10:01:56 -04:00

23 lines
1.1 KiB
Docker
Raw Blame History

FROM alpine:3.20@sha256:d9e853e87e55526f6b2917df91a2115c36dd7c696a35be12163d44e6e2a4b6bc
# curl + ca-certificates: cell-to-cell peer-sync pushes (offer/permission state)
# originate from this container's network namespace — the only one with routes to
# remote-cell VPN subnets over the tunnel — and go over HTTPS to the remote's
# Caddy. busybox wget here has no TLS, so curl is required (~5MB over the slim
# base; the alternative is no automatic cross-cell sync).
RUN apk add --no-cache wireguard-tools iptables ip6tables iproute2 curl ca-certificates
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
# This image uses the host kernel's builtin WireGuard module (default on modern
# kernels >= 5.6). It needs only CAP_NET_ADMIN — no privileged mode, no
# SYS_MODULE, no /lib/modules mount.
#
# FALLBACK for old kernels lacking builtin WireGuard: re-add to the compose
# service: privileged: true / cap_add: SYS_MODULE / volume /lib/modules:/lib/modules
# and `apk add wireguard-tools` ships the kmod loader path. The slim/unprivileged
# default below assumes a builtin module.
ENTRYPOINT ["/entrypoint.sh"]
Reference in New Issue View Git Blame Copy Permalink