networking/wireguard_container (#5)

Add container with wireguard config, improve general setup with poetry

Reviewed-on: https://gitea.pstruebi.xyz/auracaster/bumble-auracast/pulls/5

.gitignore

@@ -37,3 +37,4 @@ __pycache__/
 # Exclude .env file from all platforms
 */.env
 
+wg_config/wg_confs/

Dockerfile

@@ -1,6 +1,12 @@
 # TODO: investigate using -alpine in the future
 FROM python:3.11 
 
+# Install system dependencies and poetry
+RUN apt-get update && apt-get install -y \
+    iputils-ping \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /usr/src/app
 
 COPY ./pyproject.toml .

docker-compose.yaml

@@ -1,23 +1,64 @@
 services:
-  multicaster:
+
-    privileged: true        # Grants full access to all devices (needed for serial access)
+  wireguard: # TODO: make all privileges in this compose file as tight as possible
+    image: lscr.io/linuxserver/wireguard:latest
+    container_name: wireguard
     restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE #optional
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Vienna
+      # - SERVERURL=wireguard.domain.com #optional
+      # - SERVERPORT=51820 #optional
+      # - PEERS=1 #optional
+      # - PEERDNS=auto #optional
+      # - INTERNAL_SUBNET=10.13.13.0 #optional
+      # - ALLOWEDIPS=0.0.0.0/0 #optional
+      # - PERSISTENTKEEPALIVE_PEERS= #optional
+      - LOG_CONFS=true #optional
+    volumes:
+      - ./wg_config:/config
+      - /lib/modules:/lib/modules #optional
     ports:
-      - "5000:5000"
+      - 51820:51820/udp
+      #- 51821:51821/udp # just a workaround if another wireguard client is already running - make sure to change in .conf file too
+      #- 5000:5000 # make the multicaster also reachable from the host - TODO: this should be removed for production
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+    networks:
+      - default
+
+  multicaster:
+    container_name: multicaster
+    depends_on: 
+      - wireguard
+    # TODO: make this more restricitive in the future
+    privileged: true        # Grants full access to all devices (for serial access)
+    restart: unless-stopped
+    network_mode: service:wireguard
+    #ports:
+    #  - "5000:5000" 
     build:
       dockerfile: Dockerfile
       ssh: 
-        - default=~/.ssh/id_ed25519 #lappi
+        #- default=~/.ssh/id_ed25519 #lappi
-        #- default=~/.ssh/id_rsa #raspi
+        - default=~/.ssh/id_rsa #raspi
     volumes:
       - "/dev/serial:/dev/serial" 
     #devices:
       # - /dev/serial/by-id/usb-ZEPHYR_Zephyr_HCI_UART_sample_81BD14B8D71B5662-if00
     environment:
       LOG_LEVEL: INFO
-
+    
-    command: python ./auracast/multicast_server.py
+    #vpn only seems to initiate handshake after some outgoing connection is being made
+    command: >
+      bash -c "(while true; do ping -c 1 vpn.pstruebi.xyz || echo 'Ping failed'; sleep 60; done) & python ./auracast/multicast_server.py"
     #command: python ./auracast/multicast.py # continously streaming test app
 
 
-# use docker compose up --build
+# place corresponding peer config for each peer in wg_confs
+# use docker compose up --build --remove-orphans
+

pyproject.toml

@@ -1,7 +1,7 @@
 [project]
 name = "auracast"
 version = "0.0.1"
-requires-python = ">=3.8"
+requires-python = ">=3.11"
 
 dependencies = [
     "bumble @ git+ssh://git@ssh.pstruebi.xyz:222/auracaster/bumble_mirror.git@12bcdb7770c0d57a094bc0a96cd52e701f97fece",
@@ -10,8 +10,9 @@ dependencies = [
     "aioconsole",
     "fastapi==0.115.11",
     "uvicorn==0.34.0",
-    "pydantic",
+    "aiohttp==3.9.3",
-    "aiohttp==3.9.3"
+    "sounddevice (>=0.5.1,<0.6.0)",
+    "aioconsole (>=0.8.1,<0.9.0)"
 ]
 
 [project.optional-dependencies]

src/auracast/multicast.py

@@ -25,6 +25,7 @@ import itertools
 import struct
 from typing import cast, Any, AsyncGenerator, Coroutine, List
 import itertools
+import glob
 
 try:
     import lc3  # type: ignore  # pylint: disable=E0401
@@ -476,6 +477,20 @@ class Streamer():
 
 async def broadcast(global_conf: auracast_config.AuracastGlobalConfig, big_conf: List[auracast_config.AuracastBigConfig]):
     """Start a broadcast."""
+
+    if global_conf.transport == 'auto':
+        devices = glob.glob('/dev/serial/by-id/*')
+        logging.info('Found serial devices: %s', devices)
+        for device in devices:
+            if 'usb-ZEPHYR_Zephyr_HCI_UART_sample' in device:
+                logging.info('Using: %s', device)
+                global_conf.transport = f'serial:{device},115200,rtscts'
+                break
+
+    # check again if transport is still auto
+    if global_conf.transport == 'auto':
+        raise AssertionError('No suitable transport found.')
+
     async with create_device(global_conf) as device:
         if not device.supports_le_periodic_advertising:
             logger.error(color('Periodic advertising not supported', 'red'))
@@ -516,11 +531,12 @@ if __name__ == "__main__":
     # TODO: How can we use other iso interval than 10ms ?(medium or low rel) ? - nrf53audio receiver repports I2S tx underrun
     config.qos_config=auracast_config.AuracastQosHigh()
 
-    #global_conf.transport='serial:/dev/serial/by-id/usb-ZEPHYR_Zephyr_HCI_UART_sample_81BD14B8D71B5662-if00,1000000,rtscts' # transport for nrf52 dongle
+    #config.transport='serial:/dev/serial/by-id/usb-ZEPHYR_Zephyr_HCI_UART_sample_81BD14B8D71B5662-if00,1000000,rtscts' # transport for nrf52 dongle
-    #global_conf.transport='serial:/dev/serial/by-id/usb-SEGGER_J-Link_001050076061-if02,1000000,rtscts' # transport for nrf53dk
+    #config.transport='serial:/dev/serial/by-id/usb-SEGGER_J-Link_001050076061-if02,1000000,rtscts' # transport for nrf53dk
-    #global_conf.transport='serial:/dev/serial/by-id/usb-SEGGER_J-Link_001057705357-if02,1000000,rtscts' # transport for nrf54l15dk
+    #config.transport='serial:/dev/serial/by-id/usb-SEGGER_J-Link_001057705357-if02,1000000,rtscts' # transport for nrf54l15dk
-    config.transport='serial:/dev/serial/by-id/usb-ZEPHYR_Zephyr_HCI_UART_sample_95A087EADB030B24-if00,115200,rtscts' #nrf52dongle hci_uart usb cdc
+    #config.transport='serial:/dev/serial/by-id/usb-ZEPHYR_Zephyr_HCI_UART_sample_95A087EADB030B24-if00,115200,rtscts' #nrf52dongle hci_uart usb cdc
-    # global_conf.transport='usb:2fe3:000b' #nrf52dongle hci_usb # TODO: iso packet over usb not supported
+    #config.transport='usb:2fe3:000b' #nrf52dongle hci_usb # TODO: iso packet over usb not supported
+    config.transport= 'auto'
 
     for big in config.bigs: # TODO: encrypted streams are not working
         #big.code = 'ff'*16 # returns hci/HCI_ENCRYPTION_MODE_NOT_ACCEPTABLE_ERROR

tests/run_btmon_nrf52_rtt.sh

@@ -0,0 +1 @@
+btmon --jlink nRF52840_xxAA,1050076061 

wg_config/coredns/Corefile

@@ -0,0 +1,6 @@
+. {
+    loop
+    errors
+    health
+    forward . /etc/resolv.conf
+}

wg_config/templates/peer.conf

@@ -0,0 +1,11 @@
+[Interface]
+Address = ${CLIENT_IP}
+PrivateKey = $(cat /config/${PEER_ID}/privatekey-${PEER_ID})
+ListenPort = 51820
+DNS = ${PEERDNS}
+
+[Peer]
+PublicKey = $(cat /config/server/publickey-server)
+PresharedKey = $(cat /config/${PEER_ID}/presharedkey-${PEER_ID})
+Endpoint = ${SERVERURL}:${SERVERPORT}
+AllowedIPs = ${ALLOWEDIPS}

wg_config/templates/server.conf

@@ -0,0 +1,6 @@
+[Interface]
+Address = ${INTERFACE}.1
+ListenPort = 51820
+PrivateKey = $(cat /config/server/privatekey-server)
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE