#!/bin/bash
# SPDX-FileCopyrightText: © 2025 Phala Network <dstack@phala.network>
#
# SPDX-License-Identifier: Apache-2.0
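# Abort on the first failing command, including a failing stage in a pipeline
# (the original `set -e` alone would ignore a failure of `wg pubkey`'s producer).
set -eo pipefail

# Fixed on-disk layout under the persistent data volume.
readonly DATA_DIR="/data"
readonly GATEWAY_BASE_DIR="$DATA_DIR/gateway"
readonly CONFIG_PATH="$GATEWAY_BASE_DIR/gateway.toml"
readonly CERTS_DIR="$GATEWAY_BASE_DIR/certs"
readonly WG_KEY_PATH="$GATEWAY_BASE_DIR/wg.key"

mkdir -p -- "$GATEWAY_BASE_DIR/" "$DATA_DIR/wireguard/"

# Generate the WireGuard private key on first start only, so the node keeps a
# stable identity across restarts. The key is written under umask 077 so the
# file never exists with a permissive mode (a chmod after the write would leave
# a window in which the key is world-readable), and via a temp file so a failed
# `wg genkey` cannot leave an empty key at the real path.
if [[ ! -f "$WG_KEY_PATH" ]]; then
  ( umask 077; wg genkey >"$WG_KEY_PATH.tmp" )
  mv -- "$WG_KEY_PATH.tmp" "$WG_KEY_PATH"
fi
# Also tightens a key file that an earlier version left with a looser mode.
chmod 600 -- "$WG_KEY_PATH"

PRIVATE_KEY=$(<"$WG_KEY_PATH")
if [[ -z "$PRIVATE_KEY" ]]; then
  printf 'WireGuard key file is empty: %s\n' "$WG_KEY_PATH" >&2
  exit 1
fi
PUBLIC_KEY=$(printf '%s\n' "$PRIVATE_KEY" | wg pubkey)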
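#######################################
# Abort unless a value can be embedded verbatim inside a TOML basic string
# in gateway.toml. A double quote would terminate the string and let the
# remainder of the value be parsed as TOML, a backslash starts a TOML escape
# sequence, and CR/LF are not permitted inside a single-line basic string.
# Arguments: $1 - value to check
#            $2 - (optional) variable name, used only in the error message
# Outputs:   error message on stderr
# Returns:   0 if the value is acceptable; exits 1 otherwise
#######################################
validate_env() {
  local value=$1
  local name=${2:-environment variable}
  # Characters that cannot appear in a TOML basic string: " \ LF CR
  local bad_re=$'["\\\n\r]'
  if [[ "$value" =~ $bad_re ]]; then
    printf 'Invalid %s: value must not contain a double quote, backslash or newline\n' "$name" >&2
    exit 1
  fi
}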
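# Every value below is interpolated into a quoted TOML string in gateway.toml;
# reject anything that would break out of the string. RPC_DOMAIN, MY_URL and
# BOOTNODE_URL are interpolated the same way as the WireGuard settings and are
# therefore checked too.
validate_env "$WG_ENDPOINT" WG_ENDPOINT
validate_env "$NODE_ID" NODE_ID
validate_env "$WG_IP" WG_IP
validate_env "$WG_RESERVED_NET" WG_RESERVED_NET
validate_env "$WG_CLIENT_RANGE" WG_CLIENT_RANGE
validate_env "$RPC_DOMAIN" RPC_DOMAIN
validate_env "$MY_URL" MY_URL
validate_env "$BOOTNODE_URL" BOOTNODE_URL

#######################################
# Abort unless a value is a non-negative decimal integer. Such values are
# written unquoted into gateway.toml, so anything else would be parsed as
# TOML syntax rather than as a number.
# Arguments: $1 - variable name (for the message), $2 - value
# Outputs:   error message on stderr
# Returns:   0 if valid; exits 1 otherwise
#######################################
require_uint() {
  local name=$1
  local value=$2
  if [[ ! "$value" =~ ^[0-9]+$ ]]; then
    printf 'Invalid %s: %s (expected a non-negative integer)\n' "$name" "$value" >&2
    exit 1
  fi
}

# NODE_ID is mandatory and must be a number.
require_uint NODE_ID "$NODE_ID"

# Optional numeric overrides: only checked when set (the heredoc supplies defaults).
for name in ADMIN_LISTEN_PORT PROXY_LISTEN_PORT PROXY_WORKERS MAX_CONNECTIONS_PER_APP; do
  [[ -z "${!name}" ]] || require_uint "$name" "${!name}"
done

# Optional boolean overrides are written unquoted as TOML booleans.
for name in SYNC_CONNECTIONS_ENABLED TIMEOUT_DATA_ENABLED; do
  case "${!name}" in
    '' | true | false) ;;
    *)
      printf 'Invalid %s: %s (expected true or false)\n' "$name" "${!name}" >&2
      exit 1
      ;;
  esac
done

# Sync is always enabled when NODE_ID > 0. Peer auto-discovery works via incoming
# sync connections: when another node syncs to us, we learn about it automatically
# through WaveKV's handle_sync, which auto-adds the sender as a peer.
# BOOTNODE_URL is optional — it speeds up initial discovery but is not required.
if [ "$NODE_ID" -gt 0 ]; then
  SYNC_ENABLED=true
else
  SYNC_ENABLED=false
fi

printf 'WG_IP: %s\n' "$WG_IP"
printf 'WG_RESERVED_NET: %s\n' "$WG_RESERVED_NET"
printf 'WG_CLIENT_RANGE: %s\n' "$WG_CLIENT_RANGE"
printf 'SYNC_ENABLED: %s\n' "$SYNC_ENABLED"
printf 'RPC_DOMAIN: %s\n' "$RPC_DOMAIN"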
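# Create gateway.toml. The file embeds the WireGuard private key, so it gets the
# same protection as wg.key: umask 077 covers creation, and the chmod afterwards
# covers a pre-existing file that the redirection only truncates.
(
  umask 077
  cat >"$CONFIG_PATH" <<EOF
keep_alive = 10
log_level = "info"
address = "0.0.0.0:8000"
[tls]
key = "$CERTS_DIR/gateway-rpc.key"
certs = "$CERTS_DIR/gateway-rpc.cert"
[tls.mutual]
ca_certs = "$CERTS_DIR/gateway-ca.cert"
mandatory = false
[core]
set_ulimit = true
rpc_domain = "$RPC_DOMAIN"
[core.sync]
enabled = $SYNC_ENABLED
node_id = $NODE_ID
interval = "${SYNC_INTERVAL:-1m}"
timeout = "${SYNC_TIMEOUT:-2m}"
my_url = "$MY_URL"
bootnode = "$BOOTNODE_URL"
data_dir = "$DATA_DIR"
persist_interval = "${SYNC_PERSIST_INTERVAL:-5m}"
sync_connections_enabled = ${SYNC_CONNECTIONS_ENABLED:-true}
sync_connections_interval = "${SYNC_CONNECTIONS_INTERVAL:-30s}"
[core.admin]
enabled = true
address = "${ADMIN_LISTEN_ADDR:-0.0.0.0}"
port = ${ADMIN_LISTEN_PORT:-8001}
[core.wg]
public_key = "$PUBLIC_KEY"
private_key = "$PRIVATE_KEY"
ip = "$WG_IP"
reserved_net = ["$WG_RESERVED_NET"]
listen_port = 51820
client_ip_range = "$WG_CLIENT_RANGE"
config_path = "$DATA_DIR/wireguard/wg-ds-gw.conf"
interface = "wg-ds-gw"
endpoint = "$WG_ENDPOINT"
[core.proxy]
tls_crypto_provider = "aws-lc-rs"
tls_versions = ["1.2"]
listen_addr = "0.0.0.0"
listen_port = "${PROXY_LISTEN_PORT:-443}"
connect_top_n = 3
localhost_enabled = false
app_address_ns_compat = true
workers = ${PROXY_WORKERS:-32}
max_connections_per_app = ${MAX_CONNECTIONS_PER_APP:-0}
[core.proxy.timeouts]
connect = "${TIMEOUT_CONNECT:-5s}"
handshake = "${TIMEOUT_HANDSHAKE:-5s}"
cache_top_n = "${TIMEOUT_CACHE_TOP_N:-30s}"
dns_resolve = "${TIMEOUT_DNS_RESOLVE:-5s}"
data_timeout_enabled = ${TIMEOUT_DATA_ENABLED:-true}
idle = "${TIMEOUT_IDLE:-10m}"
write = "${TIMEOUT_WRITE:-5s}"
shutdown = "${TIMEOUT_SHUTDOWN:-5s}"
total = "${TIMEOUT_TOTAL:-5h}"
[core.recycle]
enabled = true
interval = "5m"
timeout = "10h"
node_timeout = "10m"
EOF
)
chmod 600 -- "$CONFIG_PATH"

printf 'Configuration file generated: %s\n' "$CONFIG_PATH"

# Replace this shell with the container command so it runs as PID 1 and
# receives signals directly.
exec "$@"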