trawl

iakat · iakat · commit d37db6ca8e06 · 2026-03-07T16:20:40.000+01:00
diff --git a/.github/workflows/trawl.yaml b/.github/workflows/trawl.yaml
@@ -0,0 +1,69 @@
+name: trawl
+
+on:
+  schedule:
+  - cron: "0 10 * * *"
+  push:
+    branches:
+    - "**"
+    tags:
+    - "v*.*.*"
+  pull_request:
+    branches:
+    - "main"
+
+jobs:
+  trawl:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set variables useful for later
+      id: useful_vars
+      run: |-
+        echo "::set-output name=timestamp::$(date +%s)"
+        echo "::set-output name=short_sha::${GITHUB_SHA::8}"
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Docker meta
+      id: docker_meta
+      uses: docker/metadata-action@v4
+      with:
+        images: ghcr.io/${{ github.repository }}/trawl
+        tags: |
+          type=schedule
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{major}}
+          type=sha,prefix=,format=long,event=tag
+          type=sha
+          type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
+          type=raw,value=${{ github.ref_name }}-${{ steps.useful_vars.outputs.short_sha }}-${{ steps.useful_vars.outputs.timestamp }},enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v2
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2
+    - name: Login to GHCR
+      if: github.event_name != 'pull_request'
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Cache Docker layers
+      uses: actions/cache@v3
+      with:
+        path: /tmp/.buildx-cache
+        key: ${{ runner.os }}-trawl-buildx-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-trawl-buildx-
+    - name: Build and push
+      uses: docker/build-push-action@v4
+      with:
+        context: trawl
+        push: ${{ github.event_name != 'pull_request' }}
+        tags: ${{ steps.docker_meta.outputs.tags }}
+        labels: ${{ steps.docker_meta.outputs.labels }}
+        platforms: linux/amd64,linux/arm64
+        cache-from: type=local,src=/tmp/.buildx-cache
+        cache-to: type=local,dest=/tmp/.buildx-cache,mode=max
diff --git a/trawl/Dockerfile b/trawl/Dockerfile
@@ -0,0 +1,63 @@
+FROM debian:trixie-slim
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        wireguard-tools iproute2 iptables \
+        rclone rsync lsyncd sshfs fuse3 unfs3 \
+        openssh-client dropbear \
+        socat netcat-openbsd curl wget jq \
+        inotify-tools tcpdump mtr-tiny dnsutils \
+        procps strace tmux file less zstd && \
+    rm -rf /var/lib/apt/lists/* && \
+    curl -fsSL https://github.com/aptible/supercronic/releases/download/v0.2.33/supercronic-linux-amd64 \
+        -o /usr/local/bin/supercronic && \
+    chmod +x /usr/local/bin/supercronic && \
+    mkdir -p /etc/wireguard /data
+
+VOLUME ["/data", "/etc/wireguard"]
+EXPOSE 51820/udp
+
+RUN cat > /entrypoint.sh << 'SCRIPT'
+#!/bin/bash
+set -e
+
+cleanup() {
+    kill $(jobs -p) 2>/dev/null || true
+    for conf in /etc/wireguard/wg*.conf; do
+        [ -f "$conf" ] && wg-quick down "$(basename "${conf%.conf}")" 2>/dev/null || true
+    done
+    exit 0
+}
+trap cleanup SIGTERM SIGINT
+
+# generate default wg0 only if no configs exist
+if ! ls /etc/wireguard/wg*.conf 2>/dev/null | grep -q .; then
+    [ -f /etc/wireguard/privatekey ] || {
+        wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
+        chmod 600 /etc/wireguard/privatekey
+        echo "[INFO] pubkey: $(cat /etc/wireguard/publickey)"
+    }
+    cat > /etc/wireguard/wg0.conf << EOF
+[Interface]
+PrivateKey = $(cat /etc/wireguard/privatekey)
+Address = ${WG_IP:-192.168.192.2}/32
+ListenPort = 51820
+
+[Peer]
+PublicKey = ${WG_CLIENT_PUBKEY:-CHANGEME}
+AllowedIPs = ${WG_CLIENT_IP:-192.168.192.1}/32
+EOF
+    chmod 600 /etc/wireguard/wg0.conf
+fi
+
+# bring up all WG interfaces
+for conf in /etc/wireguard/wg*.conf; do
+    [ -f "$conf" ] && wg-quick up "$(basename "${conf%.conf}")" && \
+        echo "[INFO] up: $(basename "${conf%.conf}")"
+done
+
+exec ${CMD:-sleep infinity}
+SCRIPT
+
+RUN chmod +x /entrypoint.sh
+CMD ["/entrypoint.sh"]
