implement s6

ibhi · Oct 5, 2021 · ec93388 · ec93388
1 parent 26905c7
commit ec93388
Show file tree

Hide file tree

Showing 19 changed files with 215 additions and 187 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,7 +1,7 @@
 name: deploy
 on:
   push:
-    
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
@@ -40,7 +40,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.CR_PAT }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
         uses: docker/build-push-action@v2

diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,10 @@
-FROM ubuntu:18.04
+FROM s6on/ubuntu:18.04
+LABEL maintainer="Julio Gutierrez [email protected]"
 
-LABEL maintainer="Julio Gutierrez"
 ARG NORDVPN_VERSION=3.11.0-1
 
 RUN apt-get update -y && \
-    apt-get install -y curl iputils-ping tzdata && \
+    apt-get install -y curl iputils-ping wireguard && \
     curl https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn-release_1.0.0_all.deb --output /tmp/nordrepo.deb && \
     apt-get install -y /tmp/nordrepo.deb && \
     apt-get update -y && \
@@ -16,13 +16,8 @@ RUN apt-get update -y && \
 		/tmp/* \
 		/var/cache/apt/archives/* \
 		/var/lib/apt/lists/* \
-		/var/tmp/* && \
-    echo '#!/bin/bash\nservice nordvpn start\nsleep 1\nnordvpn countries' > /usr/bin/countries && \
-    echo '#!/bin/bash\nservice nordvpn start\nsleep 1\nnordvpn cities $1' > /usr/bin/cities && \
-    echo '#!/bin/bash\nservice nordvpn start\nsleep 1\nnordvpn groups' > /usr/bin/n_groups && \
-    chmod +x /usr/bin/countries && \
-    chmod +x /usr/bin/cities && \
-    chmod +x /usr/bin/n_groups
+		/var/tmp/*
 
-CMD /usr/bin/start_vpn.sh
-COPY start_vpn.sh /usr/bin
+COPY /rootfs /
+ENV S6_CMD_WAIT_FOR_SERVICES=1
+CMD nord_login && nord_config && nord_connect && sleep infinity & wait
diff --git a/rootfs/etc/cont-init.d/00-firewall b/rootfs/etc/cont-init.d/00-firewall
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+ip6tables -P OUTPUT DROP 2>/dev/null
+ip6tables -P INPUT DROP 2>/dev/null
+ip6tables -P FORWARD DROP 2>/dev/null
+
+echo "Firewall is up, everything has to go through the vpn"
diff --git a/rootfs/etc/cont-init.d/10-tun b/rootfs/etc/cont-init.d/10-tun
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p /dev/net
+[[ -c /dev/net/tun ]] || mknod -m 0666 /dev/net/tun c 10 200
diff --git a/rootfs/etc/cont-init.d/20-inet b/rootfs/etc/cont-init.d/20-inet
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
+  while read -r interface ; do
+    network="$(ip -o addr show dev "$interface" | awk '$3 == "inet" {print $4}')"
+    if [ -z "$result" ]; then
+      result=$network
+    else
+      result=$result,$network
+    fi
+  done
+  echo "$result"
+))
+if [ -z "$docker_networks" ]; then
+  echo "No inet network"
+  exit
+fi
+
+echo "Enabling connection to secure interface and docker network"
+
+iptables -F
+iptables -X
+
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A INPUT -s "${docker_networks}" -j ACCEPT
+
+iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+iptables -A OUTPUT -d "${docker_networks}" -j ACCEPT
+iptables -A OUTPUT -o tap+ -j ACCEPT
+iptables -A OUTPUT -o tun+ -j ACCEPT
+iptables -A OUTPUT -o nordlynx+ -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
+iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
+iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -i lo -j ACCEPT
+iptables -A FORWARD -d "${docker_networks}" -j ACCEPT
+iptables -A FORWARD -s "${docker_networks}" -j ACCEPT
+
+iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
+iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
+iptables -t nat -A POSTROUTING -o nordlynx+ -j MASQUERADE
diff --git a/rootfs/etc/cont-init.d/20-inet6 b/rootfs/etc/cont-init.d/20-inet6
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
+  while read -r interface ; do
+    network="$(ip -o addr show dev "$interface" | awk '$3 == "inet6" {print $4; exit}')"
+    if [ -z "$result" ]; then
+      result=$network
+    else
+      result=$result,$network
+    fi
+  done
+  echo "$result"
+))
+if [ -z "$docker_networks" ]; then
+  echo "No inet6 network"
+  exit
+fi
+
+echo "Enabling connection to secure interface6 and docker network6"
+
+ip6tables -F
+ip6tables -X
+
+ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -s "${docker_networks}" -j ACCEPT
+
+ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A OUTPUT -o lo -j ACCEPT
+ip6tables -A OUTPUT -d "${docker_networks}" -j ACCEPT
+ip6tables -A OUTPUT -o tap+ -j ACCEPT
+ip6tables -A OUTPUT -o tun+ -j ACCEPT
+ip6tables -A OUTPUT -o nordlynx+ -j ACCEPT
+ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
+ip6tables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
+ip6tables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
+ip6tables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+
+ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A FORWARD -i lo -j ACCEPT
+ip6tables -A FORWARD -d "${docker_networks}" -j ACCEPT
+ip6tables -A FORWARD -s "${docker_networks}" -j ACCEPT
+
+ip6tables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
+ip6tables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
+ip6tables -t nat -A POSTROUTING -o nordlynx+ -j MASQUERADE
diff --git a/rootfs/etc/cont-init.d/30-route b/rootfs/etc/cont-init.d/30-route
@@ -0,0 +1,11 @@
+#!/usr/bin/with-contenv bash
+
+if [ -n "$NET_LOCAL" ]; then
+   gw="$(ip route | awk '/default/{print $3}')"
+   for net in ${NET_LOCAL//[;,]/ }; do
+      echo "Enabling connection to network ${net}"
+      iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
+      iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+      ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+  done
+fi
diff --git a/rootfs/etc/cont-init.d/30-route6 b/rootfs/etc/cont-init.d/30-route6
@@ -0,0 +1,11 @@
+#!/usr/bin/with-contenv bash
+
+if [ -n "$NET6_LOCAL" ]; then
+   gw="$(ip -6 route | awk '/default/{print $3}')"
+   for net in ${NET6_LOCAL//[;,]/ }; do
+      echo "Enabling connection to network ${net}"
+      ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
+      ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+      ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+  done
+fi
diff --git a/rootfs/etc/cont-init.d/40-allowlist b/rootfs/etc/cont-init.d/40-allowlist
@@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bash
+
+if [[ -n ${ALLOW_LIST} ]]; then
+  for domain in ${ALLOW_LIST//[;,]/ }; do
+    domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
+    echo "Enabling connection to host ${domain}"
+    iptables  -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT
+  done
+fi
diff --git a/rootfs/etc/fix-attrs.d/nord_utils b/rootfs/etc/fix-attrs.d/nord_utils
@@ -0,0 +1,4 @@
+/usr/bin/nord_config false root:root 0755 0755
+/usr/bin/nord_connect false root:root 0755 0755
+/usr/bin/nord_login false root:root 0755 0755
+/usr/bin/nord_private_key false root:root 0755 0755
diff --git a/rootfs/etc/services.d/nordvpn/data/check b/rootfs/etc/services.d/nordvpn/data/check
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+[ -S /run/nordvpn/nordvpnd.sock ] && exit 0
+exit 1
diff --git a/rootfs/etc/services.d/nordvpn/finish b/rootfs/etc/services.d/nordvpn/finish
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+nordvpn disconnect
+nordvpn logout
+rm -rf /run/nordvpn
diff --git a/rootfs/etc/services.d/nordvpn/notification-fd b/rootfs/etc/services.d/nordvpn/notification-fd
@@ -0,0 +1 @@
+3
diff --git a/rootfs/etc/services.d/nordvpn/run b/rootfs/etc/services.d/nordvpn/run
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [[ ! -d /run/nordvpn ]]; then
+  mkdir -m 0770 /run/nordvpn
+fi
+
+s6-notifyoncheck /usr/sbin/nordvpnd
diff --git a/rootfs/usr/bin/nord_config b/rootfs/usr/bin/nord_config
@@ -0,0 +1,16 @@
+#!/usr/bin/with-contenv bash
+
+[[ -n ${DNS} ]] && nordvpn set dns ${DNS//[;,]/ }
+
+[[ -n ${CYBER_SEC} ]] && nordvpn set cybersec ${CYBER_SEC}
+[[ -n ${OBFUSCATE} ]] && nordvpn set obfuscate ${OBFUSCATE}
+[[ -n ${FIREWALL} ]] && nordvpn set firewall ${FIREWALL}
+#[[ -n ${KILLSWITCH} ]] && nordvpn set killswitch ${KILLSWITCH}
+
+[[ -n ${PROTOCOL} ]] && nordvpn set protocol ${PROTOCOL}
+nordvpn set technology ${TECHNOLOGY:-NordLynx}
+
+[[ -n ${PORTS} ]] && for port in ${PORTS//[;,]/ }; do nordvpn whitelist add port "${port}"; done
+[[ -n ${PORT_RANGE} ]] && nordvpn whitelist add ports ${PORT_RANGE}
+
+exit 0
diff --git a/rootfs/usr/bin/nord_connect b/rootfs/usr/bin/nord_connect
@@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bash
+
+[[ -n ${PRE_CONNECT} ]] && eval ${PRE_CONNECT}
+
+nordvpn connect ${CONNECT}
+
+[[ -n ${POST_CONNECT} ]] && eval ${POST_CONNECT}
+
+exit 0
diff --git a/rootfs/usr/bin/nord_login b/rootfs/usr/bin/nord_login
@@ -0,0 +1,8 @@
+#!/usr/bin/with-contenv bash
+
+nordvpn login --username "${USER}" --password "${PASS}" || {
+  echo "Invalid Username or password."
+  exit 1
+}
+
+exit 0
diff --git a/rootfs/usr/bin/nord_private_key b/rootfs/usr/bin/nord_private_key
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+nord_login
+nord_config
+nord_connect
+echo "############################################################"
+echo "IP: $(ip -o addr show dev nordlynx | awk '$3 == "inet" {print $4}')"
+echo "Private Key: $(wg show nordlynx private-key)"
+echo "############################################################"
+exit 0