From 88da5102a78a02ef986246d6feb33262c67199ad Mon Sep 17 00:00:00 2001
From: pstruebi
Date: Thu, 27 Mar 2025 14:32:09 +0100
Subject: [PATCH] add wireguard container to compose

---
 docker-compose.yaml | 74 ++++++++++++++++++++++--------
 wg_config/coredns/Corefile | 6 +++
 wg_config/templates/peer.conf | 11 +++++
 wg_config/templates/server.conf | 6 +++
 wg_config/wg_confs/peer_raspi.conf | 11 +++++
 5 files changed, 90 insertions(+), 18 deletions(-)
 create mode 100644 wg_config/coredns/Corefile
 create mode 100644 wg_config/templates/peer.conf
 create mode 100644 wg_config/templates/server.conf
 create mode 100644 wg_config/wg_confs/peer_raspi.conf

diff --git a/docker-compose.yaml b/docker-compose.yaml
index 5c08d1c..d0896bb 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,23 +1,61 @@ services: - multicaster: - privileged: true # Grants full access to all devices (needed for serial access) + # multicaster: + # # TODO: make this more restricitive in the future + # privileged: true # Grants full access to all devices (for serial access) + # restart: unless-stopped + # #ports: + # # - "5000:5000" # make the multicaster also reachable from the host + # build: + # dockerfile: Dockerfile + # ssh: + # #- default=~/.ssh/id_ed25519 #lappi + # - default=~/.ssh/id_rsa #raspi + # volumes: + # - "/dev/serial:/dev/serial" + # #devices: + # # - /dev/serial/by-id/usb-ZEPHYR_Zephyr_HCI_UART_sample_81BD14B8D71B5662-if00 + # environment: + # LOG_LEVEL: INFO + + # network_mode: service:wireguard + + # command: python ./auracast/multicast_server.py + # #command: python ./auracast/multicast.py # continously streaming test app + # #networks: + # # - default + + wireguard: # TODO: make all privileges in this compose file as tight as possible + image: lscr.io/linuxserver/wireguard:latest + container_name: wireguard restart: unless-stopped - ports: - - "5000:5000" - build: - dockerfile: Dockerfile - ssh: - - default=~/.ssh/id_ed25519 #lappi - #- default=~/.ssh/id_rsa #raspi - volumes: - - "/dev/serial:/dev/serial" - #devices: - # - /dev/serial/by-id/usb-ZEPHYR_Zephyr_HCI_UART_sample_81BD14B8D71B5662-if00 + cap_add: + - NET_ADMIN + - SYS_MODULE #optional environment: - LOG_LEVEL: INFO + - PUID=1000 + - PGID=1000 + - TZ=Europe/Vienna + # - SERVERURL=wireguard.domain.com #optional + # - SERVERPORT=51820 #optional + # - PEERS=1 #optional + # - PEERDNS=auto #optional + # - INTERNAL_SUBNET=10.13.13.0 #optional + # - ALLOWEDIPS=0.0.0.0/0 #optional + # - PERSISTENTKEEPALIVE_PEERS= #optional + - LOG_CONFS=true #optional + volumes: + - ./wg_config:/config + - /lib/modules:/lib/modules #optional + ports: + - 51820:51820/udp # TODO: nececcarry ? 
+ #- "5000:5000" # make the multicaster also reachable from the host - command: python ./auracast/multicast_server.py - #command: python ./auracast/multicast.py # continously streaming test app + sysctls: + - net.ipv4.conf.all.src_valid_mark=1 + networks: + - default + #- vpn +# use docker compose up --build --remove-orphans - -# use docker compose up --build \ No newline at end of file +networks: + vpn: \ No newline at end of file diff --git a/wg_config/coredns/Corefile b/wg_config/coredns/Corefile new file mode 100644 index 0000000..e26fbe6 --- /dev/null +++ b/wg_config/coredns/Corefile @@ -0,0 +1,6 @@ +. { + loop + errors + health + forward . /etc/resolv.conf +} diff --git a/wg_config/templates/peer.conf b/wg_config/templates/peer.conf new file mode 100644 index 0000000..d987dba --- /dev/null +++ b/wg_config/templates/peer.conf @@ -0,0 +1,11 @@ +[Interface] +Address = ${CLIENT_IP} +PrivateKey = $(cat /config/${PEER_ID}/privatekey-${PEER_ID}) +ListenPort = 51820 +DNS = ${PEERDNS} + +[Peer] +PublicKey = $(cat /config/server/publickey-server) +PresharedKey = $(cat /config/${PEER_ID}/presharedkey-${PEER_ID}) +Endpoint = ${SERVERURL}:${SERVERPORT} +AllowedIPs = ${ALLOWEDIPS} diff --git a/wg_config/templates/server.conf b/wg_config/templates/server.conf new file mode 100644 index 0000000..757682d --- /dev/null +++ b/wg_config/templates/server.conf @@ -0,0 +1,6 @@ +[Interface] +Address = ${INTERFACE}.1 +ListenPort = 51820 +PrivateKey = $(cat /config/server/privatekey-server) +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE diff --git a/wg_config/wg_confs/peer_raspi.conf b/wg_config/wg_confs/peer_raspi.conf new file mode 100644 index 0000000..8df0777 --- /dev/null +++ b/wg_config/wg_confs/peer_raspi.conf 
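Review bot: The `- 51820:51820/udp` mapping that carries the `# TODO: nececcarry ?` question is not needed if this container only dials out as a client, which the new `wg_confs/peer_raspi.conf` (remote `Endpoint`, all server-mode variables left commented) suggests; as far as I know the linuxserver image brings up every conf in `wg_confs/` itself, so the tunnel comes up without a published port and the line can be dropped (or written `- "51820:51820/udp"` if the container is ever meant to accept inbound peers). The `./wg_config:/config` bind mount keeps the image's generated keys and peer configs inside the checked-out repository, and the patch adds no `.gitignore` entry for `wg_config/`; the peer_raspi.conf hunk already commits one private key this way. `SYS_MODULE` together with the `/lib/modules` mount lets the container load host kernel modules; on a host kernel that already ships wireguard (5.6 and later) both can be removed, which is the concrete step behind the `# TODO: make all privileges in this compose file as tight as possible` comment on the service header. The `vpn` network added at the bottom is defined but no service joins it (`#- vpn` stays commented), so either attach the service to it or leave the definition out until it is used.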
@@ -0,0 +1,11 @@
+[Interface]
+Address = 10.13.13.2
+PrivateKey = WJkEh2FDxJxNnqvVyjOs7acI+RlT63zdQ3wrKbi1oE4=
+ListenPort = 51820
+DNS = 10.13.13.1
+
+[Peer]
+PublicKey = DnLs1PO3sPt61YY6BWOIuh4F8+DU0zHegG8QnpVqxU0=
+PresharedKey = YmLbW5O76gRlFvnA/ifRpk1Yiao+SilOJDya0K6bjBo=
+Endpoint = vpn-hinterwaldner.duckdns.org:51821
+AllowedIPs = 0.0.0.0/0
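Review bot: `PrivateKey` and `PresharedKey` in wg_config/wg_confs/peer_raspi.conf are committed in plaintext, and a WireGuard key that has been in git history has to be treated as disclosed: generate a fresh keypair and preshared key for this peer, replace them on the server side, and purge the file from history rather than only deleting it in a follow-up commit. Keep the live config out of version control (a `.gitignore` entry for `wg_config/wg_confs/` and the other generated `wg_config/` subdirectories) and commit a redacted example instead, e.g. `PrivateKey = <peer-private-key>` with the real value supplied at deploy time. `ListenPort = 51820` pins a listening UDP socket that a client dialing `Endpoint = vpn-hinterwaldner.duckdns.org:51821` does not need; dropping the line lets WireGuard choose an ephemeral port and removes the reason to publish 51820 in docker-compose.yaml. The Endpoint port 51821 also differs from the `ListenPort = 51820` in the server template; that is fine if the remote side forwards 51821, but worth confirming.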