From db467edc2bbe3e1dbd76469a5c44afc3c81769e6 Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Sat, 14 Oct 2023 13:53:39 +0200
Subject: [PATCH 01/11] fix binary release
---
 .cargo/config.toml | 3 +++
 .github/workflows/ci.yaml | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/.cargo/config.toml b/.cargo/config.toml
index 6e388b4..bef024c 100644
--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@@ -23,3 +23,6 @@ linker = "s390x-linux-musl-gcc"
 [target.riscv64gc-unknown-linux-musl]
 linker = "riscv64-linux-musl-gcc"
+
+[target.x86_64-unknown-freebsd]
+linker = "x86_64-unknown-freebsd"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a606205..b733783 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -35,7 +35,7 @@ jobs:
 target: ${{ matrix.target }}
 override: true
- - run: cargo install --git https://github.com/cross-rs/cross.git # cross in crates.io is too old
+ - run: cargo install cross --git https://github.com/cross-rs/cross # cross in crates.io is too old
 - name: Build
 continue-on-error: ${{ matrix.channel != 'stable' }}
From 4a10e0d9145c1acaaf99687fb2ae50cd5d1191eb Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Sat, 14 Oct 2023 14:19:11 +0200
Subject: [PATCH 02/11] Add RC service (OPNsense) to README
---
 README.md | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
diff --git a/README.md b/README.md
index be32f47..1a25741 100644
--- a/README.md
+++ b/README.md
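Review bot: The new `[target.x86_64-unknown-freebsd]` entry sets `linker` to the bare target triple `x86_64-unknown-freebsd`, while every other entry visible in the hunk names a linker executable such as `riscv64-linux-musl-gcc`. Unless the build image really ships an executable with exactly that name on PATH, cargo will fail at link time for this target; if the intended driver is the cross-supplied GCC wrapper, the value would presumably look like `linker = "x86_64-unknown-freebsd-gcc"` (confirm the exact name in the image the CI job uses). A short comment on the entry naming the toolchain image the value comes from would save the next reader the same investigation.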
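Review bot: `cargo install cross --git https://github.com/cross-rs/cross` builds whatever commit sits at the repository's default branch at run time, so the job that produces the published binaries pulls an unpinned, unreviewed build tool on every run and any upstream change lands in the release path silently. Pin it, e.g. `- run: cargo install cross --git https://github.com/cross-rs/cross --rev <PINNED_COMMIT> --locked`, where `--locked` keeps cross's own dependency graph at its lockfile versions instead of resolving fresh. The trailing comment should then say why the crates.io release is insufficient and which commit was verified, so the pin can be maintained deliberately.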
@@ -322,6 +322,102 @@ If you're interested in more hardening, you can analyze the unit with:
 systemd-analyze security prometheus-wireguard-exporter.service
 ```
+### RC service file
+
+This example is for an installation on OPNsense.
+
+Add service user: `pw adduser wireguard_exporter -g wheel -d /nonexistent -s /usr/sbin/nologin -c "Prometheus wireguard_exporter user"`
+Group `wheel` is nessesary to read the `wg*.conf` files.
+
+Service: `/usr/local/etc/rc.d/wireguard_exporter`
+```
+#!/bin/sh
+
+# PROVIDE: wireguard_exporter
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# wireguard_exporter_enable (bool): Set to NO by default.
+# Set it to YES to enable wireguard_exporter.
+# wireguard_exporter_user (string): Set user that wireguard_exporter will run under
+# Default is "wireguard_exporter".
+# wireguard_exporter_group (string): Set group that wireguard_exporter will run under
+# Default is "wheel".
+# wireguard_exporter_args (string): Set extra arguments to pass to wireguard_exporter
+# Default is "".
+# wireguard_exporter_listen_address (string):Set ip that wireguard_exporter will listen on
+# Default is "0.0.0.0".
+# wireguard_exporter_listen_port (integer): Set port that wireguard_exporter will listen on
+# Default is "9586".
+# node_exporter_configs (string): Set directory that wireguard_exporter will watch
+# Default is "/usr/local/etc/wireguard/*.conf".
+
+ .
/etc/rc.subr
+
+name=wireguard_exporter
+rcvar=wireguard_exporter_enable
+
+load_rc_config $name
+
+: ${wireguard_exporter_enable:="NO"}
+: ${wireguard_exporter_user:="wireguard_exporter"}
+: ${wireguard_exporter_group:="wheel"}
+: ${wireguard_exporter_args:=""}
+: ${wireguard_exporter_listen_address:="0.0.0.0"}
+: ${wireguard_exporter_listen_port:="9586"}
+: ${node_exporter_configs:="/usr/local/etc/wireguard/*.conf"}
+
+pidfile=/var/run/wireguard_exporter.pid
+command="/usr/sbin/daemon"
+procname="/usr/local/bin/wireguard_exporter"
+command_args="-f -p ${pidfile} -T ${name} \
+ /usr/bin/env ${procname} \
+ -l ${wireguard_exporter_listen_address} \
+ -p ${wireguard_exporter_listen_port} \
+ -n ${node_exporter_configs} \
+ ${wireguard_exporter_args}"
+
+start_precmd=wireguard_exporter_startprecmd
+
+wireguard_exporter_startprecmd()
+{
+ if [ ! -e ${pidfile} ]; then
+ install \
+ -o ${wireguard_exporter_user} \
+ -g ${wireguard_exporter_group} \
+ /dev/null ${pidfile};
+ fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
+```
+
+Service configuration `/etc/rc.conf.d/wireguard_exporter`
+```
+wireguard_exporter_args="-a true -r true -d true " # adjust to your liking
+wireguard_exporter_listen_address="172.16.0.1" # listen address
+wireguard_exporter_enable="YES" # enable startup on boot
+```
+
+With the above unit, you can use the following sudo rule:
+
+```
+wireguard_exporter ALL=(root) NOPASSWD: /usr/bin/wg # no sudo password required
+Cmnd_Alias WGEXPORT = /usr/bin/wg # configuration alias for further use
+Defaults!WGEXPORT !log_allowed # prevent logging of permitted executions
+```
+
+Testing
+
+```
+service wireguard_exporter stop
+sudo su -m wireguard_exporter -c '/usr/local/bin/wireguard_exporter -l 0.0.0.0 -p 9586 -n /usr/local/etc/wireguard/*.conf -a true -r true -d true'
+```
+
 ## Development
 ### Locally
From ff47870c542ff8ad9516c990dd9252ebd95650e1 Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Wed, 18 Oct 2023 18:36:41 +0200
Subject: [PATCH 03/11] opnsese service user was not persistant
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1a25741..22ffdb2 100644
--- a/README.md
+++ b/README.md
@@ -326,7 +326,7 @@ systemd-analyze security prometheus-wireguard-exporter.service
 This example is for an installation on OPNsense.
-Add service user: `pw adduser wireguard_exporter -g wheel -d /nonexistent -s /usr/sbin/nologin -c "Prometheus wireguard_exporter user"`
+Add service user: `pw adduser wireguard_exporter -u 518 -g wheel -d /nonexistent -s /usr/sbin/nologin -c "Prometheus wireguard_exporter user"`
 Group `wheel` is nessesary to read the `wg*.conf` files.
 Service: `/usr/local/etc/rc.d/wireguard_exporter`
From aab6f84365b4109d2e3864068acb54d076265b28 Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Sun, 22 Oct 2023 20:31:59 +0200
Subject: [PATCH 04/11] Update ci.yaml
Copy: https://github.com/MindFlavor/prometheus_wireguard_exporter/pull/118
Copy: https://github.com/MindFlavor/prometheus_wireguard_exporter/pull/119
---
 .github/workflows/ci.yaml | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b733783..b701747 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -2,9 +2,17 @@ name: CI
 on:
 push:
- branches: [ master ]
- tags: [ '*' ]
+ paths:
+ - .github/workflows/binaries.yml
+ - src/**
+ - Cargo.lock
+ - Cargo.toml
 pull_request:
+ paths:
+ - .github/workflows/binaries.yml
+ - src/**
+ - Cargo.lock
+ - Cargo.toml
 jobs:
 build:
@@ -27,7 +35,7 @@ jobs:
 # - aarch64-unknown-freebsd <- std not precompiled
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 - uses: actions-rs/toolchain@v1
 with:
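Review bot: Both new `paths:` filters (under `push` and `pull_request`) list `.github/workflows/binaries.yml`, but the file being edited is `.github/workflows/ci.yaml`, so changes to this workflow itself will no longer trigger it; the entry should read `- .github/workflows/ci.yaml`. The same hunk drops `tags: [ '*' ]` while the `upload-assets` step further down the file (outside this hunk) is still guarded by `startsWith(github.ref, 'refs/tags/')`; as far as I recall GitHub does not evaluate path filters for tag pushes, so whether a release tag still reaches that step under a paths-only trigger should be verified rather than assumed. A one-line comment above `paths:` stating the intended trigger set would make the release path reviewable.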
@@ -35,7 +43,19 @@ jobs:
 target: ${{ matrix.target }}
 override: true
- - run: cargo install cross --git https://github.com/cross-rs/cross # cross in crates.io is too old
+ - uses: actions/cache@v3
+ with:
+ path: |
+ ~/.cargo/bin/
+ ~/.cargo/registry/index/
+ ~/.cargo/registry/cache/
+ ~/.cargo/git/db/
+ target/
+ key: ${{ runner.os }}-cargo-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-cargo-${{ matrix.target }}-
+
+ - run: cargo install cross
 - name: Build
 continue-on-error: ${{ matrix.channel != 'stable' }}
@@ -50,7 +70,7 @@ jobs:
 name: prometheus_wireguard_exporter_${{ matrix.target }}
 path: prometheus_wireguard_exporter_${{ matrix.target }}
- - uses: alexellis/upload-assets@0.3.0
+ - uses: alexellis/upload-assets@0.4.0
 if: startsWith(github.ref, 'refs/tags/')
 env:
 GITHUB_TOKEN: ${{ github.token }}
From 4231f50c5acd9a47a1002b5311d89cf56eb3fe5f Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Sun, 22 Oct 2023 20:46:58 +0200
Subject: [PATCH 05/11] fix docker build
Copy: https://github.com/MindFlavor/prometheus_wireguard_exporter/pull/117
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 19ea602..0506527 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 ARG BUILDPLATFORM=linux/amd64
 ARG ALPINE_VERSION=3.14
-ARG RUST_VERSION=latest
+ARG RUST_VERSION=1.69-bullseye
 FROM --platform=${BUILDPLATFORM} rust:${RUST_VERSION} AS base
 WORKDIR /usr/src/prometheus_wireguard_exporter
From 1c2b675b2e1fb6b2a3605a9ac950b9b495453e7d Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Sun, 22 Oct 2023 21:04:43 +0200
Subject: [PATCH 06/11] Update docker.yml
---
 .github/workflows/docker.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index b7c9df1..10feb68 100644
--- a/.github/workflows/docker.yml
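Review bot: `cargo install cross` with no `--version` or `--locked`, combined with `~/.cargo/bin/` in the `actions/cache@v3` path list, means the `cross` binary that builds the release artifacts is whatever version was installed when the cache key was first populated and a different, freshly resolved one on a cache miss; builds are not reproducible across runs and a new crate release is picked up silently. Pin it, e.g. `- run: cargo install cross --version <PINNED_VERSION> --locked`, so the cached and fresh paths agree, and note the chosen version in a trailing comment. The action bumps in this hunk and in the later workflow patches (`actions/cache@v3`, `actions/checkout@v4`, `alexellis/upload-assets@0.4.0`, the `docker/*@v3`/`@v5` steps) all reference mutable tags; pinning each to a full commit SHA with the tag kept in a trailing comment is the usual hardening for jobs that hold `GITHUB_TOKEN` and the Docker Hub credentials visible in the context lines.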
+++ b/.github/workflows/docker.yml
@@ -23,7 +23,7 @@ jobs:
 env:
 DOCKER_BUILDKIT: "1"
 steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v4
 - name: Lint
 run: docker build --target lint .
@@ -44,12 +44,12 @@ jobs:
 if: github.event_name == 'push'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v4
- - uses: docker/setup-qemu-action@v1
- - uses: docker/setup-buildx-action@v1
+ - uses: docker/setup-qemu-action@v3
+ - uses: docker/setup-buildx-action@v3
- - uses: docker/login-action@v1.9.0
+ - uses: docker/login-action@v3
 with:
 username: mindflavor
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
@@ -73,7 +73,7 @@ jobs:
 fi
 - name: Build and push final image
- uses: docker/build-push-action@v2.4.0
+ uses: docker/build-push-action@v5
 with:
 platforms: ${{ steps.vars.outputs.platforms }}
 build-args: |
From 38c79a93479bed81635394212591db045b641bb3 Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Sun, 22 Oct 2023 21:04:46 +0200
Subject: [PATCH 07/11] Update dockerhub-description.yml
---
 .github/workflows/dockerhub-description.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml
index bbdafac..58c0451 100644
--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
@@ -10,9 +10,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v4
+
 - name: Docker Hub Description
- uses: peter-evans/dockerhub-description@v2.4.3
+ uses: peter-evans/dockerhub-description@v3
 with:
 username: mindflavor
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
From 2453702b0fe0c10f7a174d9f1af92037c3fd016d Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Sun, 22 Oct 2023 21:05:56 +0200
Subject: [PATCH 08/11] fix dockerhub-description.yml
---
 .github/workflows/dockerhub-description.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml
index 58c0451..53b3568 100644
--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- - uses: actions/checkout@v4
+ uses: actions/checkout@v4
 - name: Docker Hub Description
 uses: peter-evans/dockerhub-description@v3
From 6b88e6f18cfe5802028f744f55d87bea739adb89 Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Tue, 24 Oct 2023 11:35:55 +0200
Subject: [PATCH 09/11] Update ci.yaml name
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b701747..97048c0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,4 +1,4 @@
-name: CI
+name: Build and Publish Binaries
 on:
 push:
From 7908f22098b6dc3b5ec779c85152d14ff30bca1b Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Tue, 24 Oct 2023 11:36:17 +0200
Subject: [PATCH 10/11] Update docker.yml name
---
 .github/workflows/docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 10feb68..581b08c 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,4 +1,4 @@
-name: CI
+name: Docker Test
 on:
 push:
 paths:
From 65d637bf5293148e7f6956824ce60596c33957f3 Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Tue, 24 Oct 2023 11:37:41 +0200
Subject: [PATCH 11/11] Update docker.yml name
---
 .github/workflows/docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 581b08c..6e19483 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,4 +1,4 @@
-name: Docker Test
+name: Build and Publish Docker Container
 on:
 push:
 paths: