add Linux package openziti-router

.github/workflows/publish-docker-images.yml

@@ -116,19 +116,20 @@ jobs:
           if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
             DOCKER_TAGS+=",${IMAGE_REPO}:latest"
           fi
-          echo "DEBUG: DOCKER_TAGS=${DOCKER_TAGS}"
-          echo DOCKER_TAGS="${DOCKER_TAGS}" >> $GITHUB_OUTPUT
+          echo DOCKER_TAGS="${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT
 
       - name: Build & Push Multi-Platform Router Container Image to Hub
         uses: docker/build-push-action@v3
         with:
           builder: ${{ steps.buildx.outputs.name }}
-          context: ${{ github.workspace }}/dist/docker-images/ziti-router/
+          context: ${{ github.workspace }}/
+          file: ${{ github.workspace }}/dist/docker-images/ziti-router/Dockerfile
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.tagprep_router.outputs.DOCKER_TAGS }}
           build-args: |
             ZITI_CLI_TAG=${{ env.ZITI_CLI_TAG }}
             ZITI_CLI_IMAGE=${{ env.ZITI_CLI_IMAGE }}
+            DOCKER_BUILD_DIR=./dist/docker-images/ziti-router
           push: true
 
       - name: Set Up Container Image Tags for Go Tunneler Container

dist/cloudfront/get.openziti.io/routes.yml

@@ -38,3 +38,7 @@
 - get: /zdew/
   raw: /openziti/desktop-edge-win/main/release-streams/
   file: latest.json
+
+- get: /dist/
+  raw: /openziti/ziti/{{GITHUB_SHA}}/dist/
+  file: /docker-images/ziti-router/compose.yml

dist/dist-packages/linux/nfpm-openziti-router.yaml

@@ -0,0 +1,40 @@
+# nfpm configuration file
+#
+# check https://nfpm.goreleaser.com/configuration for detailed usage
+#
+name: openziti-router
+arch: ${GOARCH}
+platform: linux
+version: ${ZITI_VERSION}
+maintainer: ${ZITI_MAINTAINER}
+description: >
+  Provides a system service for running an OpenZiti Router
+vendor: ${ZITI_VENDOR}
+homepage: ${ZITI_HOMEPAGE}
+license: Apache-2.0
+# Contents to add to the package.
+contents:
+  - dst: /lib/systemd/system/
+    src: ./dist/dist-packages/linux/openziti-router/ziti-router.service
+
+  - dst: /opt/openziti/etc/router
+    type: dir
+    file_info:
+      mode: 0755
+
+  - dst: /opt/openziti/etc/router/
+    src: ./dist/dist-packages/linux/openziti-router/env
+    type: config|noreplace
+
+  - dst: /opt/openziti/etc/router/
+    src: ./dist/dist-packages/linux/openziti-router/bootstrap.bash
+
+  - dst: /opt/openziti/etc/router/
+    src: ./dist/dist-packages/linux/openziti-router/entrypoint.bash
+
+scripts:
+  postinstall: ./dist/dist-packages/linux/openziti-router/postinstall.bash
+  preremove: ./dist/dist-packages/linux/openziti-router/preremove.bash
+
+depends:
+  - openziti  # ziti CLI

dist/dist-packages/linux/openziti-router/bootstrap.bash

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+#
+# bootstrap the OpenZiti Router with a config file and identity
+#
+
+function makeConfig() {
+  #
+  # create config file
+  #
+
+  if [[ ! -s "${ZITI_ROUTER_CONFIG_FILE}" || "${1:-}" == --force ]]; then
+    ziti create config router "${ZITI_ROUTER_TYPE}" \
+      --tunnelerMode "${ZITI_ROUTER_MODE}" \
+      --routerName "${ZITI_ROUTER_NAME}" \
+      --output "${ZITI_ROUTER_CONFIG_FILE}"
+  fi
+
+}
+
+function enroll() {
+
+  # shellcheck disable=SC1090 # find the identity file path
+  source <(ziti create config environment | grep ZITI_ROUTER)
+
+  if [[ ! -s "${ZITI_ROUTER_IDENTITY_CERT}" || "${1:-}" == --force ]]; then
+    if [ -n "${ZITI_ENROLL_TOKEN:-}" ]; then
+      # shellcheck disable=SC2188
+      ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \
+        --jwt <(echo "${ZITI_ENROLL_TOKEN}")
+    elif [ -s "/run/credentials/${UNIT_NAME:=ziti-router.service}/ZITI_ENROLL_TOKEN" ]; then
+      ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \
+        --jwt "/run/credentials/${UNIT_NAME}/ZITI_ENROLL_TOKEN"
+    else
+      echo  "ERROR: use SetCredential or LoadCredential in"\
+            " /lib/systemd/system/ziti-router.service or set env var ZITI_ENROLL_TOKEN" >&2
+    fi
+  fi
+
+}
+
+function bootstrap() {
+
+  if [ -n "${1:-}" ]; then
+    ZITI_ROUTER_CONFIG_FILE="${1}"
+  else
+    echo "ERROR: no config file path provided" >&2
+    return 1
+  fi
+
+  # make config file unless it exists if true, set force to overwrite
+  if [ "${ZITI_BOOTSTRAP_CONFIG}"   == true ]; then
+    makeConfig
+  elif [ "${ZITI_BOOTSTRAP_CONFIG}" == force ]; then
+    makeConfig --force
+  fi
+
+  # enroll unless certificate exists, set "force" to overwrite key and cert (requires new enrollment token)
+  if [ "${ZITI_BOOTSTRAP_ENROLLMENT}" == true ]; then
+    enroll
+  elif [ "${ZITI_BOOTSTRAP_ENROLLMENT}" == force ]; then
+    enroll --force
+  fi
+}
+
+#
+# defaults
+#
+
+# used by "ziti create config router" and "ziti create config environment" 
+: "${ZITI_ROUTER_ADVERTISED_ADDRESS:=${HOSTNAME:=$(hostname -f)}}"
+: "${ZITI_ROUTER_NAME:=${HOSTNAME%%.*}}"
+: "${ZITI_CTRL_ADVERTISED_PORT:=1280}"
+export  ZITI_ROUTER_NAME \
+        ZITI_ROUTER_ADVERTISED_ADDRESS \
+        ZITI_CTRL_ADVERTISED_PORT \
+        ZITI_ROUTER_PORT \
+        ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_PORT}"

dist/dist-packages/linux/openziti-router/entrypoint.bash

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+#
+# this thin wrapper script for the OpenZiti Router uses variable assignments from the systemd env file
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if ! (( $# )); then
+    # if no args, run the router with the default config file
+    set -- run config.yml
+elif [[ "${1}" == run && -z "${2:-}" ]]; then
+    # if first arg is "run" and second arg is empty, run the router with the default config file
+    set -- run config.yml
+fi
+
+# shellcheck disable=SC1090 # default path is assigned in env file
+source "${ZITI_ROUTER_BOOTSTRAP_BASH:-/opt/openziti/etc/router/bootstrap.bash}"
+
+# if first arg is "run", bootstrap the router with the config file
+if [ "${1}" == run ]; then
+    bootstrap "${2}"
+fi
+
+# optionally renew certs at startup
+if [ "${ZITI_AUTO_RENEW_CERTS:-}" == true ]; then
+    # shellcheck disable=SC2068
+    set -- ${@} --extend
+fi
+
+# shellcheck disable=SC2068
+exec ziti router ${@}

dist/dist-packages/linux/openziti-router/env

@@ -0,0 +1,39 @@
+#
+# this is a systemd env file allowing simple assignments for ziti-controller.service environment and serves as an answer
+# file for first run prompts and unattended installations; only variables that are consumed by the ziti binary are
+# expected here to preserve the separation between the service unit and the binary
+#
+
+#
+# for "ziti create config router edge" commands in bootstrap.bash
+#
+
+# address of the controller (required)
+ZITI_CTRL_ADVERTISED_ADDRESS=
+# tcp port of the controller (default: 1280)
+ZITI_CTRL_ADVERTISED_PORT=1280
+
+# for better security, leave this assignment empty and create a file readable only by root containing the
+# token and set "LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token" in
+# /lib/systemd/system/ziti-router.service
+ZITI_ENROLL_TOKEN=
+
+# the router's address must be resolvable by other routers and edge identities (default: qualified hostname)
+ZITI_ROUTER_ADVERTISED_ADDRESS=
+# the advertised and listening port of the router (default: 3022)
+ZITI_ROUTER_PORT=3022
+
+# the interface address on which to listen (default: 0.0.0.0)
+ZITI_ROUTER_BIND_ADDRESS="0.0.0.0"
+
+# where to listen for DNS requests in tproxy mode (default: udp://127.0.0.1:53)
+ZITI_ROUTER_TPROXY_RESOLVER="udp://127.0.0.1:53"
+
+# set identity filenames (default: unqualified hostname)
+# ZITI_ROUTER_NAME=
+
+# type of router (default: edge, options: edge, fabric)
+ZITI_ROUTER_TYPE=edge
+# the mode of the router (default: host) requires that the router is administratively created with flag
+# --tunneler-enabled
+ZITI_ROUTER_MODE=host