virtual_install.sh

#!/bin/bash

# this can be run like:
# bash -c "$(curl -fsSL https://raw.github.com/spr-networks/super/master/virtual_install.sh)"
# run with SKIP_VPN=1 to skip vpn peer setup
# run with SKIP_DNS_BLOCK=1 to disable dns block, default is hosts,ads
# add custom blocks with DNS_BLOCK=hosts,ads,facebook
# if configs are already setup it'll only show the login info
# for a clean reset:
# docker compose -f docker-compose-virt.yml down && rm -rf configs && ./virtual_install.sh

if [ $UID -ne 0 ]; then
	echo "[-] run as root or with sudo"
	exit
fi


install_deps() {
	# install upstream docker
	apt-get update
	apt-get -y install ca-certificates curl gnupg
	install -m 0755 -d /etc/apt/keyrings
	curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg
	chmod a+r /etc/apt/keyrings/docker.gpg

	echo \
		"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
		"$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
		tee /etc/apt/sources.list.d/docker.list > /dev/null

	apt update
	apt-get -y install --no-install-recommends docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
	apt install -y curl git jq qrencode iproute2 wireguard-tools

	git clone https://github.com/spr-networks/super.git
	cd super

	# overwrite docker compose.yml
	cp docker-compose-virt.yml docker-compose.yml
}

# if not git dir is available
if [ ! -f "./docker-compose-virt.yml" ]; then
	install_deps
fi

docker compose 2>/dev/null >/dev/null
HAS_NEWDC=$?
if [ $HAS_NEWDC -ne 0 ]; then
	echo "[-] A newer version of docker is required"
	exit 1
fi

# generate default configs
if [ ! -f configs/base/config.sh ]; then
	echo "[+] generating configs..."
	cp -R base/template_configs/ configs/
	mv configs/base/virtual-config.sh configs/base/config.sh
	# generate dhcp config
	./configs/scripts/gen_coredhcp_yaml.sh > configs/dhcp/coredhcp.yml
	touch configs/base/.setup_done
fi

CONTAINER_CHECK=superapi

# pull and start containers
docker inspect "$CONTAINER_CHECK" > /dev/null 2>&1
if [ $? -eq 1 ]; then
	echo "[+] starting spr..."

	docker compose -f docker-compose-virt.yml pull
	docker compose -f docker-compose-virt.yml up -d
else
	echo "[+] spr already running"
fi

# external ip
DEV=eth0
DEV=$(ip route get 1.1.1.1 | grep -oP 'dev \K\w+' -m1)
# NOTE if this is not eth0 - change config.sh
# verify its a public ip address
EXTERNAL_IP=$(ip addr show dev $DEV | grep -oP "inet \K[0-9\.]+" -m1)
EXTERNAL_IP=$(echo "$EXTERNAL_IP" | grep -P '^(?!^0\.)(?!^10\.)(?!^100\.6[4-9]\.)(?!^100\.[7-9]\d\.)(?!^100\.1[0-1]\d\.)(?!^100\.12[0-7]\.)(?!^127\.)(?!^169\.254\.)(?!^172\.1[6-9]\.)(?!^172\.2[0-9]\.)(?!^172\.3[0-1]\.)(?!^192\.0\.0\.)(?!^192\.0\.2\.)(?!^192\.88\.99\.)(?!^192\.168\.)(?!^198\.1[8-9]\.)(?!^198\.51\.100\.)(?!^203.0\.113\.)(?!^22[4-9]\.)(?!^23[0-9]\.)(?!^24[0-9]\.)(?!^25[0-5]\.)(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$')
EXTERNAL_PORT=8000
if [ ${#EXTERNAL_IP} -eq 0 ]; then
        echo "[-] failed to get external ip for $DEV"
        echo -n "[?] fetch from https://ifconfig.me? [Y/n] "
        read YN
        if [ "$YN" == "n" ] || [ "$YN" == "N" ] ; then
                EXTERNAL_IP="127.0.0.1"
                echo "[+] setting endpoint to $EXTERNAL_IP, change this manually in your config"
        else
                EXTERNAL_IP=$(curl -s "https://ifconfig.me")
        fi
fi


# check spr is running

SPR_DIR=$(docker inspect --format='{{index .Config.Labels "com.docker.compose.project.working_dir"}}' "$CONTAINER_CHECK")
if [ ${#SPR_DIR} -eq 0 ]; then
	echo "[-] $CONTAINER_CHECK not running"
	SPR_DIR=/home/spr/super
	exit
fi

# only generate user if init
if [ ! -f $SPR_DIR/configs/auth/auth_users.json ]; then
	echo "[+] generating admin password"
	PASSWORD=$(cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-16} | head -n 1)
	echo "{\"admin\" : \"$PASSWORD\"}" > $SPR_DIR/configs/auth/auth_users.json

	echo "[+] generating token..."
	TOKEN=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64)
	echo "[{\"Name\": \"admin\", \"Token\": \"$TOKEN\", \"Expire\": 0}]" > $SPR_DIR/configs/auth/auth_tokens.json
else
	PASSWORD=$(cat "$SPR_DIR/configs/auth/auth_users.json" | jq -r .admin)
	TOKEN=$(cat "$SPR_DIR/configs/auth/auth_tokens.json" | jq -r '.[0].Token')
fi

# dns block. default: hosts,ads
# example, run with: DNS_BLOCK="hosts,malware,facebook,redirect"
if [ -z "$DNS_BLOCK" ]; then
	DNS_BLOCK="hosts,ads"
fi

if [ ! -z "$DNS_BLOCK" ] && [ -z $SKIP_DNS_BLOCK ]; then
        urls=()

        _IFS=$IFS
        IFS=','
        for f in $DNS_BLOCK; do
                if [ "$f" == "hosts" ]; then
                        urls+=("https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts")
                else
                        urls+=( "https://raw.githubusercontent.com/blocklistproject/Lists/master/${f}.txt" )
                fi
        done
        IFS=$_IFS

        CONF='{"BlockLists": [], "PermitDomains": [], "BlockDomains": [], "ClientIPExclusions": null}'
        for url in ${urls[@]}; do
                CONF=$(echo $CONF | jq ".BlockLists |= . + [{\"URI\": \"$url\", \"Enabled\": true, \"Tags\": []}]")
        done

        echo $CONF | jq . > $SPR_DIR/state/dns/block_rules.json
fi

echo "[+] login information:"
echo "=========================================================="

HOST=$EXTERNAL_IP
if [ $HOST == "127.0.0.1" ]; then
	HOST="sprvirtual"
fi

echo " http tunnel: ssh $HOST -N -L $EXTERNAL_PORT:127.0.0.1:$EXTERNAL_PORT"
echo "         url: http://localhost:$EXTERNAL_PORT/"
echo "    username: admin"
echo "    password: $PASSWORD"
if [ ! -z "$TOKEN" ]; then
	echo "       token: $TOKEN"
fi
echo "=========================================================="

# if set - exit
if [ ! -z $SKIP_VPN ]; then
	exit
fi

sleep 1
while grep "= privkey" $SPR_DIR/configs/wireguard/wg0.conf > /dev/null;
do
     echo "... Waiting for wireguard service to start and initialize"
     sleep 5
done


# set External IP for SPR for later, so users do not present
# with the internal endpoint IP.
curl 'http://localhost:8000/plugins/wireguard/endpoints' -X 'PUT' -H "Authorization: Bearer ${TOKEN}" --data-raw "[\"${EXTERNAL_IP}\"]"

#only show confirm if its the first one
NUM_PEERS=$(grep '^\[Peer\]' $SPR_DIR/configs/wireguard/wg0.conf 2>/dev/null | wc -l)


echo "[+] num peers already configured: $NUM_PEERS"

# Use the API to generate a wireguard peer
RET=$(curl -s -H "Authorization: Bearer ${TOKEN}" -X PUT http://localhost:8000/plugins/wireguard/peer --data '{}')
PRIVATE_KEY=$(echo $RET | jq -r .Interface.PrivateKey)
PUBLIC_KEY=$(echo $PRIVATE_KEY | wg pubkey)
PUBLIC_KEY_ESCAPED=$(echo \"${PUBLIC_KEY}\" | jq -r @uri)
CLIENT_IP=$(echo $RET | jq -r .Interface.Address)
SERVER_PUBLIC_KEY=$(echo $RET | jq -r .Peer.PublicKey)
PRESHARED_KEY=$(echo $RET | jq -r .Peer.PresharedKey)
DNS_IP=$(echo $RET | jq -r .Interface.DNS)

# Update the Groups for the Device and Name
RET=$(curl -s -H "Authorization: Bearer ${TOKEN}" -X PUT http://localhost:8000/device?identity=${PUBLIC_KEY_ESCAPED} --data "{\"Policies\": [\"wan\", \"dns\"], \"Name\": \"peer${NUM_PEERS}\"}")

# wg client config
_IFS=$IFS
IFS='\n'
CONF=$(cat << EOF
[Interface]
PrivateKey = $PRIVATE_KEY
Address = $CLIENT_IP
DNS = 192.168.2.1

[Peer]
PublicKey = $SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $EXTERNAL_IP:51280
PersistentKeepalive = 25
PresharedKey = $PRESHARED_KEY
EOF
)
IFS=$_IFS

echo -e "\n[+] WireGuard config (save this as wg.conf & import in client):\n"
echo -e "$CONF\n"

>/dev/tty printf "Show QR Code? [Y/n] "
</dev/tty read -rn1
if [[ ! $REPLY =~ [nN](oO)* ]]; then
	echo -e "[+] WireGuard QR Code (import in iOS & Android app):\n"
	echo -e "$CONF" | qrencode -t ansiutf8
fi

# reload dns if we have modified blocks
if [ ! -z "$DNS_BLOCK" ]; then
	docker compose -f docker-compose-virt.yml restart dns >/dev/null 2>&1 &
fi