chore: add .deb and .rpk packaging

Author: coadler

.goreleaser.yaml

@@ -17,19 +17,30 @@ builds:
       - "386"
       - arm
       - arm64
+    goarm:
+      - "7"
     ignore:
       - goos: darwin
         goarch: "386"
       - goos: windows
         goarch: "arm"
     binary: "{{ .ProjectName }}_v{{ .Version }}"
+nfpms:
+  - vendor: Coder Technologies Inc.
+    homepage: https://coder.com/
+    maintainer: Colin Adler <[email protected]>
+    description: |-
+      Wush installer package.
+      Wush creates secure Wireguard tunnels between two devices.
+    license: CC0
+    formats:
+      - apk
+      - deb
 archives:
   - id: "zip"
     format: zip
-    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
   - id: "tarball"
     format: tar.gz
-    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
 checksum:
   name_template: "{{ .ProjectName }}_{{ .Version }}_SHA256SUMS"
   algorithm: sha256
@@ -40,7 +51,7 @@ signs:
       # need to pass the batch flag to indicate its not interactive.
       - "--batch"
       - "--local-user"
-      - "{{ .Env.GPG_FINGERPRINT }}" # set this environment variable for your signing key
+      - "{{ .Env.GPG_FINGERPRINT }}"
       - "--output"
       - "${signature}"
       - "--detach-sign"

README.md

@@ -1 +1 @@
-# wush
+# wush - secure shells and file transfers behind nat

cmd/wush/send.go

@@ -29,29 +29,42 @@ import (
 
 func sendCmd() *serpent.Command {
 	var (
-		waitP2P     bool
-		overlayType string
+		authID             string
+		waitP2P            bool
+		overlayTransport   string
+		stunAddrOverride   string
+		stunAddrOverrideIP netip.Addr
 	)
 	return &serpent.Command{
 		Use: "send",
 		Handler: func(inv *serpent.Invocation) error {
 			ctx := inv.Context()
 			logger := slog.New(slog.NewTextHandler(io.Discard, nil))
-			var authID string
-			err := huh.NewInput().
-				Title("Enter your Auth ID:").
-				Value(&authID).
-				Run()
-			if err != nil {
-				return fmt.Errorf("get auth id: %w", err)
+
+			if authID == "" {
+				err := huh.NewInput().
+					Title("Enter your Auth ID:").
+					Value(&authID).
+					Run()
+				if err != nil {
+					return fmt.Errorf("get auth id: %w", err)
+				}
 			}
 
 			dm, err := tsserver.DERPMapTailscale(ctx)
 			if err != nil {
 				return err
 			}
 
+			if stunAddrOverride != "" {
+				stunAddrOverrideIP, err = netip.ParseAddr(stunAddrOverride)
+				if err != nil {
+					return fmt.Errorf("parse stun addr override: %w", err)
+				}
+			}
+
 			send := overlay.NewSendOverlay(logger, dm)
+			send.STUNIPOverride = stunAddrOverrideIP
 
 			err = send.Auth.Parse(authID)
 			if err != nil {
@@ -77,7 +90,7 @@ func sendCmd() *serpent.Command {
 				return err
 			}
 
-			switch overlayType {
+			switch overlayTransport {
 			case "derp":
 				if send.Auth.ReceiverDERPRegionID == 0 {
 					return errors.New("overlay type is \"derp\", but receiver is of type \"stun\"")
@@ -199,9 +212,21 @@ func sendCmd() *serpent.Command {
 		},
 		Options: []serpent.Option{
 			{
-				Flag:    "overlay-type",
-				Default: "derp",
-				Value:   serpent.EnumOf(&overlayType, "derp", "stun"),
+				Flag:        "auth-id",
+				Description: "The auth id returned by `wush receive`. If not provided, it will be asked for on startup.",
+				Default:     "",
+				Value:       serpent.StringOf(&authID),
+			},
+			{
+				Flag:        "overlay-transport",
+				Description: "The transport to use on the overlay. The overlay is used to exchange Wireguard nodes between peers. In DERP mode, nodes are exchanged over public Tailscale DERPs, while STUN mode sends nodes directly over UDP.",
+				Default:     "derp",
+				Value:       serpent.EnumOf(&overlayTransport, "derp", "stun"),
+			},
+			{
+				Flag:    "stun-ip-override",
+				Default: "",
+				Value:   serpent.StringOf(&stunAddrOverride),
 			},
 		},
 	}

overlay/send.go

@@ -29,8 +29,9 @@ func NewSendOverlay(logger *slog.Logger, dm *tailcfg.DERPMap) *Send {
 }
 
 type Send struct {
-	Logger  *slog.Logger
-	derpMap *tailcfg.DERPMap
+	Logger         *slog.Logger
+	STUNIPOverride netip.Addr
+	derpMap        *tailcfg.DERPMap
 
 	// _ip is the ip we get from the receiver, which is our ip on the tailnet.
 	_ip        netip.Addr
@@ -74,14 +75,19 @@ func (s *Send) ListenOverlaySTUN(ctx context.Context) error {
 		panic("marshal node: " + err.Error())
 	}
 
-	addrOverride := netip.AddrPortFrom(netip.AddrFrom4([4]byte{127, 0, 0, 1}), s.Auth.ReceiverStunAddr.Port())
+	receiverAddr := s.Auth.ReceiverStunAddr
+	if s.STUNIPOverride.IsValid() {
+		receiverAddr = netip.AddrPortFrom(s.STUNIPOverride, s.Auth.ReceiverStunAddr.Port())
+	}
+
 	sealed := s.Auth.OverlayPrivateKey.SealTo(s.Auth.ReceiverPublicKey, raw)
-	// _, err = conn.WriteToUDPAddrPort(sealed, s.Auth.ReceiverStunAddr)
-	_, err = conn.WriteToUDPAddrPort(sealed, addrOverride)
+	_, err = conn.WriteToUDPAddrPort(sealed, receiverAddr)
 	if err != nil {
 		return fmt.Errorf("send overlay hello over STUN: %w", err)
 	}
 
+	keepAlive := time.NewTicker(30 * time.Second)
+
 	go func() {
 		for {
 			select {
@@ -98,11 +104,27 @@ func (s *Send) ListenOverlaySTUN(ctx context.Context) error {
 				}
 
 				sealed := s.Auth.OverlayPrivateKey.SealTo(s.Auth.ReceiverPublicKey, raw)
-				_, err = conn.WriteToUDPAddrPort(sealed, addrOverride)
+				_, err = conn.WriteToUDPAddrPort(sealed, receiverAddr)
 				if err != nil {
 					fmt.Printf("send response over STUN: %s\n", err)
 					return
 				}
+
+			case <-keepAlive.C:
+				msg := overlayMessage{
+					Typ: messageTypePing,
+				}
+				raw, err := json.Marshal(msg)
+				if err != nil {
+					panic("marshal node: " + err.Error())
+				}
+
+				sealed := s.Auth.OverlayPrivateKey.SealTo(s.Auth.ReceiverPublicKey, raw)
+				_, err = conn.WriteToUDPAddrPort(sealed, receiverAddr)
+				if err != nil {
+					fmt.Printf("send ping message over STUN: %s\n", err)
+					return
+				}
 			}
 		}
 	}()