diff --git a/.goreleaser-linux-arm64.yml b/.goreleaser-linux-arm64.yml index 99cafc222..bce6972e6 100644 --- a/.goreleaser-linux-arm64.yml +++ b/.goreleaser-linux-arm64.yml @@ -57,3 +57,71 @@ nfpms: - src: /opt/openziti/bin/zrok dst: /usr/bin/zrok type: "symlink" + + - package_name: zrok-share + id: zrok-share + vendor: NetFoundry + homepage: https://zrok.io/ + maintainer: support@zrok.io + description: |- + This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the + desired sharing configuration, and run "systemctl enable zrok-share.service && systemctl restart zrok-share.service". + license: Apache 2.0 + + # do not bundle the built binaries, only supporting files + meta: true + + # Formats to be generated. + formats: + - deb + - rpm + + # {{ .ConventionalFileName }} satisfies the RPM name convention. + file_name_template: "{{ .ConventionalFileName }}" + + # Umask to be used on files without explicit mode set. (overridable) + umask: 0o002 + + # Package version within this release version. + release: 1 + + # Section. + section: default + + # Priority. + priority: optional + + # GoReleaser will automatically add the binaries here + dependencies: + - zrok + + recommends: + - jq + + # Contents to add to the package. + contents: + - dst: /lib/systemd/system/ + src: ./nfpm/zrok-share.service + + - dst: /opt/openziti/etc/zrok + type: dir + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-share.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-enable.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/etc/zrok/ + src: ./nfpm/zrok-share.env + type: config|noreplace + + - dst: /opt/openziti/etc/zrok/ + src: ./etc/caddy/multiple_upstream.Caddyfile + type: config|noreplace diff --git a/.goreleaser-linux-armhf.yml b/.goreleaser-linux-armhf.yml index 17526c961..e0b2e32e5 100644 --- a/.goreleaser-linux-armhf.yml +++ b/.goreleaser-linux-armhf.yml @@ -57,3 +57,71 @@ nfpms: - src: /opt/openziti/bin/zrok dst: /usr/bin/zrok type: "symlink" + + - package_name: zrok-share + id: zrok-share + vendor: NetFoundry + homepage: https://zrok.io/ + maintainer: support@zrok.io + description: |- + This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the + desired sharing configuration, and run "systemctl enable zrok-share.service && systemctl restart zrok-share.service". + license: Apache 2.0 + + # do not bundle the built binaries, only supporting files + meta: true + + # Formats to be generated. + formats: + - deb + - rpm + + # {{ .ConventionalFileName }} satisfies the RPM name convention. + file_name_template: "{{ .ConventionalFileName }}" + + # Umask to be used on files without explicit mode set. (overridable) + umask: 0o002 + + # Package version within this release version. + release: 1 + + # Section. + section: default + + # Priority. + priority: optional + + # GoReleaser will automatically add the binaries here + dependencies: + - zrok + + recommends: + - jq + + # Contents to add to the package. + contents: + - dst: /lib/systemd/system/ + src: ./nfpm/zrok-share.service + + - dst: /opt/openziti/etc/zrok + type: dir + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-share.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-enable.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/etc/zrok/ + src: ./nfpm/zrok-share.env + type: config|noreplace + + - dst: /opt/openziti/etc/zrok/ + src: ./etc/caddy/multiple_upstream.Caddyfile + type: config|noreplace diff --git a/.goreleaser-linux.yml b/.goreleaser-linux.yml index 3a9c08ccc..784c56730 100644 --- a/.goreleaser-linux.yml +++ b/.goreleaser-linux.yml @@ -53,3 +53,71 @@ nfpms: - src: /opt/openziti/bin/zrok dst: /usr/bin/zrok type: "symlink" + + - package_name: zrok-share + id: zrok-share + vendor: NetFoundry + homepage: https://zrok.io/ + maintainer: support@zrok.io + description: |- + This package provides zrok-share.service. To enable, edit the "/opt/openziti/etc/zrok/zrok-share.env" file with the + desired sharing configuration, and run "systemctl enable zrok-share.service && systemctl restart zrok-share.service". + license: Apache 2.0 + + # do not bundle the built binaries, only supporting files + meta: true + + # Formats to be generated. + formats: + - deb + - rpm + + # {{ .ConventionalFileName }} satisfies the RPM name convention. + file_name_template: "{{ .ConventionalFileName }}" + + # Umask to be used on files without explicit mode set. (overridable) + umask: 0o002 + + # Package version within this release version. + release: 1 + + # Section. + section: default + + # Priority. + priority: optional + + # GoReleaser will automatically add the binaries here + dependencies: + - zrok + + recommends: + - jq + + # Contents to add to the package. + contents: + - dst: /lib/systemd/system/ + src: ./nfpm/zrok-share.service + + - dst: /opt/openziti/etc/zrok + type: dir + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-share.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/bin/ + src: ./nfpm/zrok-enable.bash + file_info: + mode: 0755 + + - dst: /opt/openziti/etc/zrok/ + src: ./nfpm/zrok-share.env + type: config|noreplace + + - dst: /opt/openziti/etc/zrok/ + src: ./etc/caddy/multiple_upstream.Caddyfile + type: config|noreplace diff --git a/docker/compose/zrok-public-reserved/compose.yml b/docker/compose/zrok-public-reserved/compose.yml index 5f281b4f9..49f91f00c 100644 --- a/docker/compose/zrok-public-reserved/compose.yml +++ b/docker/compose/zrok-public-reserved/compose.yml @@ -90,12 +90,14 @@ services: - -euc - | if [[ -s ~/.zrok/reserved.json ]]; then - ZROK_RESERVE_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)" - if [[ -z "$${ZROK_RESERVE_TOKEN}" || "$${ZROK_RESERVE_TOKEN}" == null ]]; then + ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)" + + if [[ -z "$${ZROK_RESERVED_TOKEN}" || "$${ZROK_RESERVED_TOKEN}" == null ]]; then echo "ERROR: invalid reserved.json: $(jq -c . ~/.zrok/reserved.json)" >&2 exit 1 - else - echo "INFO: zrok backend is already reserved: $${ZROK_RESERVE_TOKEN}" + else + + echo "INFO: zrok backend is already reserved: $${ZROK_RESERVED_TOKEN}" exit 0 fi else @@ -138,21 +140,24 @@ services: if [[ -z "$${ZROK_PUBLIC_URLS}" || "$${ZROK_PUBLIC_URLS}" == null ]]; then echo "ERROR: frontend endpoints not defined" >&2 exit 1 - else + else + echo "INFO: zrok public URLs: $${ZROK_PUBLIC_URLS}" fi - ZROK_RESERVE_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null) - if [[ -z "$${ZROK_RESERVE_TOKEN}" && "$${ZROK_RESERVE_TOKEN}" == null ]]; then + ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null) + if [[ -z "$${ZROK_RESERVED_TOKEN}" && "$${ZROK_RESERVED_TOKEN}" == null ]]; then echo "ERROR: zrok reservation token not defined" >&2 exit 1 - else - echo "INFO: zrok reservation token: $${ZROK_RESERVE_TOKEN}" + else + + echo "INFO: zrok reservation token: $${ZROK_RESERVED_TOKEN}" fi - echo "INFO: running: zrok $${@} $${ZROK_RESERVE_TOKEN}" - exec zrok "$${@}" $${ZROK_RESERVE_TOKEN} + echo "INFO: running: zrok $${@} $${ZROK_RESERVED_TOKEN}" + exec zrok "$${@}" $${ZROK_RESERVED_TOKEN} fi - command: -- share reserved --headless + command: -- share reserved --headless + depends_on: zrok-reserve: condition: service_completed_successfully diff --git a/etc/caddy/README.md b/etc/caddy/README.md new file mode 100644 index 000000000..1bbef1895 --- /dev/null +++ b/etc/caddy/README.md @@ -0,0 +1,21 @@ + +# Caddyfile Samples + +The Caddyfile samples in this directory are for use with `--backend-mode caddy ./my.Caddyfile` which runs an embedded +Caddy server. + +With a zrok reserved share, you have the option to permanently override the path to the Caddyfile when you run `zrok +share reserved ${ZROK_RESERVED_TOKEN} --override-endpoint new.Caddyfile`. + +The Caddyfile must have this structure because it is rendered as a Go template by zrok to bind the HTTP listener. + +```console +http:// { + bind {{ .ZrokBindAddress }} + # customize reverse_proxy, file_server, etc. +} +``` + +## Notes + +simple_reverse_proxy.Caddyfile is bundled in the zrok-share package for Linux as an example Caddyfile. diff --git a/etc/caddy/multiple_upstream.Caddyfile b/etc/caddy/multiple_upstream.Caddyfile index 3e87dec44..6aedb30d1 100644 --- a/etc/caddy/multiple_upstream.Caddyfile +++ b/etc/caddy/multiple_upstream.Caddyfile @@ -2,18 +2,24 @@ # http:// { # Bind to the zrok share - bind {{ .ZrokBindAddress }} + bind {{ .ZrokBindAddress }} # Handle paths starting with `/zrok/*` # This will also strip the `/zrok/` from the path before sending to the backend - handle_path /zrok/* { - reverse_proxy https://zrok.io { - header_up Host zrok.io - } - } + handle_path /zrok/* { + reverse_proxy https://zrok.io { + header_up Host zrok.io + } + } - # All other traffic goes to localhost:3000 - reverse_proxy /* 127.0.0.1:3000 { - header_up Host localhost:3000 - } + # serve index.html if it exists, else a file index + handle_path /zrok-static/* { + root * /var/www/html + file_server browse + } + + # All other traffic goes to localhost:3000 + reverse_proxy /* 127.0.0.1:3000 { + header_up Host localhost:3000 + } } diff --git a/nfpm/README.md b/nfpm/README.md new file mode 100644 index 000000000..e6e403cb0 --- /dev/null +++ b/nfpm/README.md @@ -0,0 +1,4 @@ + +# nfpm supporting files + +These files are sourced by nfpm when invoked by goreleaser to build Linux packages. diff --git a/nfpm/zrok-enable.bash b/nfpm/zrok-enable.bash new file mode 100644 index 000000000..c12dee67a --- /dev/null +++ b/nfpm/zrok-enable.bash @@ -0,0 +1,46 @@ +#!/usr/bin/env bash +# +# this script uses a zrok enable token to enable a zrok environment in $HOME/.zrok +# + +set -o errexit +set -o nounset +set -o pipefail + +# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd, e.g. /var/lib/zrok-share +export HOME="${STATE_DIRECTORY%:*}" + +if (( $# )); then + if [[ -s "$1" ]]; then + source "$1" + else + echo "ERROR: $1 is empty or not a readable file" >&2 + exit 1 + fi +else + # TODO: consider defining a default environment file + # if [[ -s /opt/openziti/etc/zrok.env ]]; then + # source /opt/openziti/etc/zrok.env + # else + # echo "ERROR: need /opt/openziti/etc/zrok.env or filename argument to read share configuration" >&2 + # exit 1 + # fi + echo "ERROR: need filename argument to read env configuration" >&2 + exit 1 +fi + +if [[ -s ~/.zrok/environment.json ]]; then + echo "INFO: zrok environment is already enabled. Delete '$(realpath ~/.zrok/environment.json)' if you want to destroy"\ + " it and create a new environment." + exit 0 +else + if [[ -z "${ZROK_ENABLE_TOKEN}" ]]; then + echo "ERROR: ZROK_ENABLE_TOKEN is not defined" >&2 + exit 1 + else + zrok config set apiEndpoint "${ZROK_API_ENDPOINT:-https://api.zrok.io}" + echo "INFO: running: zrok enable ..." + exec zrok enable --headless --description "${ZROK_ENVIRONMENT_NAME:-$(hostname -s) reserved public share}" "${ZROK_ENABLE_TOKEN}" + fi +fi + diff --git a/nfpm/zrok-share.bash b/nfpm/zrok-share.bash new file mode 100644 index 000000000..98813c4b6 --- /dev/null +++ b/nfpm/zrok-share.bash @@ -0,0 +1,112 @@ +#!/usr/bin/env bash +# +# this script shares the configured backend for a reserved share token +# + +set -o errexit +set -o nounset +set -o pipefail + +if ! command -v jq &>/dev/null; then + echo "ERROR: jq is needed but not installed" >&2 + exit 1 +fi + +# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd, e.g. /var/lib/zrok-share +export HOME="${STATE_DIRECTORY%:*}" + +if (( $# )); then + if [[ -s "$1" ]]; then + source "$1" + else + echo "ERROR: $1 is empty or not readable" >&2 + exit 1 + fi +else + # TODO: consider defining a default environment file + # if [[ -s /opt/openziti/etc/zrok.env ]]; then + # source /opt/openziti/etc/zrok.env + # else + # echo "ERROR: need /opt/openziti/etc/zrok.env or filename argument to read share configuration" >&2 + # exit 1 + # fi + echo "ERROR: need filename argument to read share configuration" >&2 + exit 1 +fi + +if [[ -s ~/.zrok/reserved.json ]]; then + ZROK_RESERVED_TOKEN="$(jq '.token' ~/.zrok/reserved.json 2>/dev/null)" + if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then + echo "ERROR: invalid reserved.json: $(jq -c . ~/.zrok/reserved.json)" >&2 + exit 1 + else + echo "INFO: zrok backend is already reserved: ${ZROK_RESERVED_TOKEN}" + fi +else + ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}" + case "${ZROK_BACKEND:-}" in + http://*|https://*) + ZROK_BACKEND_MODE="proxy" + ;; + *Caddyfile) + ZROK_BACKEND_MODE="caddy" + if ! [[ -r "${ZROK_BACKEND}" ]]; then + echo "ERROR: ${ZROK_BACKEND} is not a readable Caddyfile" >&2 + exit 1 + fi + ;; + /*) + ZROK_BACKEND_MODE="web" + if ! [[ -d "${ZROK_BACKEND}" && -r "${ZROK_BACKEND}" ]]; then + echo "ERROR: ${ZROK_BACKEND} is not a readable directory" >&2 + exit 1 + fi + ;; + *) + echo "ERROR: ${ZROK_BACKEND} is not a valid backend" >&2 + exit 1 + ;; + esac + ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_BACKEND}" + if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then + ZROK_CMD+=" ${ZROK_SHARE_OPTS}" + fi + if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then + ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}" + fi + if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then + for EMAIL in ${ZROK_OAUTH_EMAILS}; do + if ! [[ ${EMAIL} =~ @ ]]; then + echo "WARNING: '${EMAIL}' does not contain '@' so it may match more than one email domain!" >&2 + fi + ZROK_CMD+=" --oauth-email-domains ${EMAIL}" + done + fi + echo "INFO: running: zrok ${ZROK_CMD}" + zrok ${ZROK_CMD} | jq -rc | tee ~/.zrok/reserved.json +fi + +if ! [[ -s ~/.zrok/reserved.json ]]; then + echo "ERROR: empty or missing reserved.json" >&2 + exit 1 +else + ZROK_PUBLIC_URLS=$(jq -cr '.frontend_endpoints' ~/.zrok/reserved.json 2>/dev/null) + if [[ -z "${ZROK_PUBLIC_URLS}" || "${ZROK_PUBLIC_URLS}" == null ]]; then + echo "ERROR: frontend endpoints not defined" >&2 + exit 1 + else + echo "INFO: zrok public URLs: ${ZROK_PUBLIC_URLS}" + fi + ZROK_RESERVED_TOKEN=$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null) + if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then + echo "ERROR: zrok reservation token not defined" >&2 + exit 1 + fi + ZROK_CMD="share reserved ${ZROK_RESERVED_TOKEN} --headless --override-endpoint ${ZROK_BACKEND}" + ZROK_CMD+=" ${ZROK_VERBOSE:-} ${ZROK_INSECURE:-}" + if [[ -n "${ZROK_SHARE_OPTS:-}" ]]; then + ZROK_CMD+=" ${ZROK_SHARE_OPTS}" + fi + echo "INFO: running: zrok ${ZROK_CMD}" + exec zrok ${ZROK_CMD} +fi diff --git a/nfpm/zrok-share.env b/nfpm/zrok-share.env new file mode 100644 index 000000000..01b810ac5 --- /dev/null +++ b/nfpm/zrok-share.env @@ -0,0 +1,70 @@ +# these values are sourced by the zrok-share.service + +# You MUST set ZROK_ENABLE_TOKEN and ZROK_BACKEND. + +# +## You MAY customize the environment name that appears in the zrok console. +# +ZROK_ENVIRONMENT_NAME="" + +# +## You MUST set the environment enable token. +# +ZROK_ENABLE_TOKEN="" + +# +# You MUST define the share backend. +# +# The share URL will be provisioned when the service starts. You MAY change ZROK_BACKEND and the share URL will remain +# the same after a restart as long as the backend mode and authentication options are the same. Options that require a +# new share URL when changed are marked with WARNING. The service will fail to start if a protected option is changed +# and will log the reason to give you an opportunity to decide to delete the old reservation or revert the options to +# keep using the same share URL. +# +# backend-mode proxy (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or +# 'https://'; must accept the HOST header of the proxy frontend; check out Caddy mode if you need more control +ZROK_BACKEND="https://httpbin.org" +#ZROK_BACKEND="http://127.0.0.1:3000" +# +# backend-mode web: run a web server and share a static HTML directory that's present on this host; must begin with '/' +# and be readable by 'other' +#ZROK_BACKEND="/var/www/html" +# +# backend-mode caddy: run an embedded Caddy server configured by the supplied Caddyfile; must end with 'Caddyfile' and +# be readable by 'other' +#ZROK_BACKEND="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile" + +# you MAY set one OAuth2/OIDC provider; "google" and "github" are valid for the default instance api.zrok.io +# WARNING: changing this value requires provisioning a new share URL +# NOTE: basic auth and oauth are mutually exclusive +#ZROK_OAUTH_PROVIDER="google" + +# you MAY restrict access to one or more email addresses or domains; must be a space-separate list +# WARNING: changing this value requires provisioning a new share URL +#ZROK_OAUTH_EMAILS="bob@acme.example.com alice@forge.example.com @corp.example.com" + +# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints +# WARNING: changing this value requires provisioning a new share URL +# NOTE: basic auth and oauth are mutually exclusive +ZROK_SHARE_OPTS="" + +# +## defaults +# + +# DEBUG log level +# NOTE: changing this value does not require provisioning a new share URL +ZROK_VERBOSE="--verbose" + +# if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy' +# NOTE: changing this value does not require provisioning a new share URL +#ZROK_INSECURE="--insecure" + +# set if self-hosting zrok +# WARNING: if already enabled then changing this value requires enabling a new environment by deleting environment.json +# and restarting the service +#ZROK_API_ENDPOINT="https://api.zrok.io" + +# set if self-hosting zrok and not using only the default frontend name 'public'; must be a space-separated list +# WARNING: changing this value requires provisioning a new share URL +#ZROK_FRONTENDS="public" diff --git a/nfpm/zrok-share.service b/nfpm/zrok-share.service new file mode 100644 index 000000000..bcaf825f0 --- /dev/null +++ b/nfpm/zrok-share.service @@ -0,0 +1,17 @@ +[Unit] +Description=zrok share +After=network-online.target + +[Service] +Type=simple +DynamicUser=yes +StateDirectory=zrok-share +UMask=0007 +Environment=PFXLOG_NO_JSON=true +ExecStartPre=/opt/openziti/bin/zrok-enable.bash /opt/openziti/etc/zrok/zrok-share.env +ExecStart=/opt/openziti/bin/zrok-share.bash /opt/openziti/etc/zrok/zrok-share.env +Restart=always +RestartSec=3 + +[Install] +WantedBy=multi-user.target