enabling support for wireguard and firewall (#2713)

* wip: enabling support for wireguard and firewall

* wip

* wip

* wip

* wip

* wip

* implement some things

* fix warning

* wip

* alpha.23

* misc fixes

* remove ufw since no longer required

* remove debug info

* add cli bindings

* debugging

* fixes

* individualized acme and privacy settings for domains and bindings

* sdk version bump

* migration

* misc fixes

* refactor Host::update

* debug info

* refactor webserver

* misc fixes

* misc fixes

* refactor port forwarding

* recheck interfaces every 5 min if no dbus event

* misc fixes and cleanup

* misc fixes

Author: dr-bonez

CLEARNET.md

@@ -26,6 +26,7 @@ GZIP_BIN := $(shell which pigz || which gzip)
 TAR_BIN := $(shell which gtar || which tar)
 COMPILED_TARGETS := core/target/$(ARCH)-unknown-linux-musl/release/startbox core/target/$(ARCH)-unknown-linux-musl/release/containerbox system-images/compat/docker-images/$(ARCH).tar system-images/utils/docker-images/$(ARCH).tar system-images/binfmt/docker-images/$(ARCH).tar container-runtime/rootfs.$(ARCH).squashfs
 ALL_TARGETS := $(STARTD_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) $(VERSION_FILE) $(COMPILED_TARGETS) cargo-deps/$(ARCH)-unknown-linux-musl/release/startos-backup-fs $(shell if [ "$(PLATFORM)" = "raspberrypi" ]; then echo cargo-deps/aarch64-unknown-linux-musl/release/pi-beep; fi)  $(shell /bin/bash -c 'if [[ "${ENVIRONMENT}" =~ (^|-)unstable($$|-) ]]; then echo cargo-deps/$(ARCH)-unknown-linux-musl/release/tokio-console; fi') $(PLATFORM_FILE) 
+REBUILD_TYPES = 1
 
 ifeq ($(REMOTE),)
 	mkdir = mkdir -p $1
@@ -226,7 +227,7 @@ container-runtime/node_modules/.package-lock.json: container-runtime/package.jso
 	npm --prefix container-runtime ci
 	touch container-runtime/node_modules/.package-lock.json
 
-sdk/base/lib/osBindings/index.ts: core/startos/bindings/index.ts
+sdk/base/lib/osBindings/index.ts: $(shell if [ "$(REBUILD_TYPES)" -ne 0 ]; then echo core/startos/bindings/index.ts; fi)
 	mkdir -p sdk/base/lib/osBindings
 	rsync -ac --delete core/startos/bindings/ sdk/base/lib/osBindings/
 	touch sdk/base/lib/osBindings/index.ts

Makefile

@@ -11,6 +11,7 @@ cryptsetup
 curl
 dnsutils
 dmidecode
+dnsutils
 dosfstools
 e2fsprogs
 ecryptfs-utils
@@ -57,4 +58,5 @@ systemd-timesyncd
 tor
 util-linux
 vim
+wireguard-tools
 wireless-tools

build/dpkg-deps/depends

@@ -4,7 +4,7 @@ set -e
 
 # install dependencies
 /usr/bin/apt update
-/usr/bin/apt install --no-install-recommends -y xserver-xorg x11-xserver-utils xinit firefox-esr matchbox-window-manager libnss3-tools
+/usr/bin/apt install --no-install-recommends -y xserver-xorg x11-xserver-utils xinit firefox-esr matchbox-window-manager libnss3-tools p11-kit-modules
 
 #Change a default preference set by stock debian firefox-esr
 sed -i 's|^pref("extensions.update.enabled", true);$|pref("extensions.update.enabled", false);|' /etc/firefox-esr/firefox-esr.js
@@ -83,6 +83,8 @@ user_pref("toolkit.telemetry.updatePing.enabled", false);
 user_pref("toolkit.telemetry.cachedClientID", "");
 EOF
 
+ln -sf /usr/lib/$(uname -m)-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox-esr/libnssckbi.so
+
 # create kiosk script
 cat > /home/kiosk/kiosk.sh << 'EOF'
 #!/bin/sh

build/lib/scripts/dhclient-exit-hook

@@ -216,12 +216,6 @@ export function makeEffects(context: EffectContext): Effects {
       }) as ReturnType<T.Effects["getServiceInterface"]>
     },
 
-    getPrimaryUrl(...[options]: Parameters<T.Effects["getPrimaryUrl"]>) {
-      return rpcRound("get-primary-url", {
-        ...options,
-        callback: context.callbacks?.addCallback(options.callback) || null,
-      }) as ReturnType<T.Effects["getPrimaryUrl"]>
-    },
     getServicePortForward(
       ...[options]: Parameters<T.Effects["getServicePortForward"]>
     ) {

build/lib/scripts/enable-kiosk

@@ -212,16 +212,22 @@ export class RpcListener {
       s.on("data", (a) =>
         Promise.resolve(a)
           .then((b) => b.toString())
-          .then(logData("dataIn"))
-          .then(jsonParse)
-          .then(captureId)
-          .then((x) => this.dealWithInput(x))
-          .catch(mapError)
-          .then(logData("response"))
-          .then(writeDataToSocket)
-          .catch((e) => {
-            console.error(`Major error in socket handling: ${e}`)
-            console.debug(`Data in: ${a.toString()}`)
+          .then((buf) => {
+            for (let s of buf.split("\n")) {
+              if (s)
+                Promise.resolve(s)
+                  .then(logData("dataIn"))
+                  .then(jsonParse)
+                  .then(captureId)
+                  .then((x) => this.dealWithInput(x))
+                  .catch(mapError)
+                  .then(logData("response"))
+                  .then(writeDataToSocket)
+                  .catch((e) => {
+                    console.error(`Major error in socket handling: ${e}`)
+                    console.debug(`Data in: ${a.toString()}`)
+                  })
+            }
           }),
       )
     })
@@ -390,7 +396,7 @@ export class RpcListener {
 
       .defaultToLazy(() => {
         console.warn(
-          `Coudln't parse the following input ${JSON.stringify(input)}`,
+          `Couldn't parse the following input ${JSON.stringify(input)}`,
         )
         return {
           jsonrpc,

container-runtime/src/Adapters/EffectCreator.ts

@@ -425,7 +425,6 @@ export class SystemForEmbassy implements System {
               name: interfaceValue.name,
               id: `${id}-${internal}`,
               description: interfaceValue.description,
-              hasPrimary: false,
               type:
                 interfaceValue.ui &&
                 (origin.scheme === "http" || origin.sslScheme === "https")

container-runtime/src/Adapters/RpcListener.ts

@@ -74,8 +74,8 @@ export class SystemForStartOs implements System {
   async exit(): Promise<void> {}
 
   async start(effects: Effects): Promise<void> {
+    if (this.runningMain) return
     effects.constRetry = utils.once(() => effects.restart())
-    if (this.runningMain) await this.stop()
     let mainOnTerm: () => Promise<void> | undefined
     const started = async (onTerm: () => Promise<void>) => {
       await effects.setMainStatus({ status: "running" })
@@ -98,8 +98,11 @@ export class SystemForStartOs implements System {
 
   async stop(): Promise<void> {
     if (this.runningMain) {
-      await this.runningMain.stop()
-      this.runningMain = undefined
+      try {
+        await this.runningMain.stop()
+      } finally {
+        this.runningMain = undefined
+      }
     }
   }
 }