feat: Docker container packaging for WolfNet

Paul C · Paul C · commit 9b8d66dc7fa4 · 2026-04-10T07:58:30.000+01:00
- Dockerfile: debian-slim with iproute2/iptables, host network mode
- entrypoint.sh: env var config, join token handling, key generation
- docker-compose.yml: single-service compose for quick deployment
- unraid-template.xml: Unraid Community Apps template

Run with: docker run -d --name wolfnet --network host \
  --cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
  -v wolfnet-config:/etc/wolfnet \
  -e WOLFNET_JOIN_TOKEN=&lt;token&gt; \
  ghcr.io/wolfsoftwaresystemsltd/wolfnet:latest
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -0,0 +1,33 @@
+# WolfNet Docker Container
+# Secure mesh VPN — runs in --network host mode with /dev/net/tun
+#
+# Usage:
+#   docker run -d --name wolfnet --network host \
+#     --cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
+#     -v wolfnet-config:/etc/wolfnet \
+#     -e WOLFNET_JOIN_TOKEN=<token> \
+#     ghcr.io/wolfsoftwaresystemsltd/wolfnet:latest
+
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    iproute2 \
+    iptables \
+    procps \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /etc/wolfnet /var/run/wolfnet
+
+COPY wolfnet /usr/local/bin/wolfnet
+COPY wolfnetctl /usr/local/bin/wolfnetctl
+COPY entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /usr/local/bin/wolfnet /usr/local/bin/wolfnetctl /entrypoint.sh
+
+EXPOSE 9600/udp
+EXPOSE 9601/udp
+
+VOLUME ["/etc/wolfnet"]
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -0,0 +1,30 @@
+# WolfNet Docker Compose — join an existing WolfNet mesh
+#
+# Usage:
+#   WOLFNET_JOIN_TOKEN=<token> docker compose up -d
+#
+# Get the join token by running `wolfnet invite` on an existing WolfNet node.
+
+services:
+  wolfnet:
+    image: ghcr.io/wolfsoftwaresystemsltd/wolfnet:latest
+    container_name: wolfnet
+    restart: unless-stopped
+    network_mode: host
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    volumes:
+      - wolfnet-config:/etc/wolfnet
+      - /run/wolfnet:/var/run/wolfnet
+    environment:
+      - WOLFNET_JOIN_TOKEN=${WOLFNET_JOIN_TOKEN:-}
+      # Optional overrides:
+      # - WOLFNET_ADDRESS=10.0.10.5
+      # - WOLFNET_PORT=9600
+      # - WOLFNET_GATEWAY=false
+      # - WOLFNET_DISCOVERY=true
+
+volumes:
+  wolfnet-config:
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+set -e
+
+# ─── WolfNet Docker Entrypoint ───
+# Configures WolfNet from environment variables and starts the daemon.
+
+CONFIG_DIR="/etc/wolfnet"
+CONFIG_FILE="$CONFIG_DIR/config.toml"
+KEY_FILE="$CONFIG_DIR/private.key"
+STATUS_DIR="/var/run/wolfnet"
+
+mkdir -p "$CONFIG_DIR" "$STATUS_DIR"
+
+# ─── Check TUN device ───
+if [ ! -c /dev/net/tun ]; then
+    echo "ERROR: /dev/net/tun not found."
+    echo "Run with: --device /dev/net/tun:/dev/net/tun"
+    echo "If the TUN module is not loaded, run: modprobe tun"
+    exit 1
+fi
+
+# ─── Generate keys if missing ───
+if [ ! -f "$KEY_FILE" ]; then
+    echo "Generating WolfNet key pair..."
+    wolfnet genkey > "$KEY_FILE"
+    chmod 600 "$KEY_FILE"
+    echo "Key generated. Public key:"
+    wolfnet pubkey < "$KEY_FILE"
+fi
+
+# ─── Handle join token ───
+if [ -n "$WOLFNET_JOIN_TOKEN" ] && [ ! -f "$CONFIG_DIR/.joined" ]; then
+    echo "Joining WolfNet network with invite token..."
+    if wolfnet join "$WOLFNET_JOIN_TOKEN" --config-dir "$CONFIG_DIR"; then
+        touch "$CONFIG_DIR/.joined"
+        echo "Successfully joined. Check 'docker logs wolfnet' for the reverse token."
+    else
+        echo "WARNING: Join failed. Starting with existing config if available."
+    fi
+fi
+
+# ─── Generate config from env vars if missing ───
+if [ ! -f "$CONFIG_FILE" ]; then
+    echo "Generating config from environment variables..."
+    ADDR="${WOLFNET_ADDRESS:-10.0.10.1}"
+    SUBNET="${WOLFNET_SUBNET:-24}"
+    PORT="${WOLFNET_PORT:-9600}"
+    IFACE="${WOLFNET_INTERFACE:-wolfnet0}"
+    GW="${WOLFNET_GATEWAY:-false}"
+    DISC="${WOLFNET_DISCOVERY:-true}"
+    HOSTNAME="${WOLFNET_HOSTNAME:-$(hostname)}"
+
+    cat > "$CONFIG_FILE" <<EOF
+[node]
+address = "$ADDR/$SUBNET"
+listen_port = $PORT
+interface = "$IFACE"
+hostname = "$HOSTNAME"
+gateway = $GW
+
+[network]
+discovery = $DISC
+discovery_port = 9601
+EOF
+
+    # Add static peers if provided (JSON array)
+    if [ -n "$WOLFNET_PEERS" ]; then
+        echo "" >> "$CONFIG_FILE"
+        echo "$WOLFNET_PEERS" | python3 -c "
+import json, sys
+peers = json.load(sys.stdin)
+for p in peers:
+    print(f'''
+[[peers]]
+public_key = \"{p.get('public_key', '')}\"
+endpoint = \"{p.get('endpoint', '')}\"
+allowed_ips = \"{p.get('allowed_ips', '10.0.10.0/24')}\"
+''')
+" >> "$CONFIG_FILE" 2>/dev/null || true
+    fi
+
+    echo "Config generated at $CONFIG_FILE"
+fi
+
+echo "Starting WolfNet daemon..."
+echo "  Config: $CONFIG_FILE"
+echo "  Interface: ${WOLFNET_INTERFACE:-wolfnet0}"
+echo "  Port: ${WOLFNET_PORT:-9600}"
+
+exec wolfnet --config "$CONFIG_FILE"
diff --git a/docker/unraid-template.xml b/docker/unraid-template.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0"?>
+<Container version="2">
+  <Name>WolfNet</Name>
+  <Repository>ghcr.io/wolfsoftwaresystemsltd/wolfnet:latest</Repository>
+  <Registry>https://github.com/wolfsoftwaresystemsltd/wolfnet/pkgs/container/wolfnet</Registry>
+  <Network>host</Network>
+  <Privileged>false</Privileged>
+  <Support>https://github.com/wolfsoftwaresystemsltd/wolfnet/issues</Support>
+  <Project>https://github.com/wolfsoftwaresystemsltd/wolfnet</Project>
+  <Overview>WolfNet is a secure private mesh VPN that creates encrypted tunnels between your servers using X25519 key exchange and ChaCha20-Poly1305 encryption. No WireGuard kernel module needed. Join your Unraid server to your WolfStack cluster overlay network.</Overview>
+  <Category>Network:VPN</Category>
+  <WebUI/>
+  <TemplateURL/>
+  <Icon>https://raw.githubusercontent.com/wolfsoftwaresystemsltd/wolfnet/main/icon.png</Icon>
+  <ExtraParams>--cap-add=NET_ADMIN --device=/dev/net/tun:/dev/net/tun</ExtraParams>
+  <PostArgs/>
+  <DonateText>Support WolfStack development</DonateText>
+  <DonateLink>https://wolf.uk.com</DonateLink>
+  <Description>WolfNet creates a secure encrypted mesh network between your servers. Run on Unraid to join your WolfStack cluster. No WireGuard kernel module required — fully userspace crypto.</Description>
+  <Config Name="Join Token" Target="WOLFNET_JOIN_TOKEN" Default="" Mode="" Description="Invite token from 'wolfnet invite' on an existing node" Type="Variable" Display="always" Required="true" Mask="false"/>
+  <Config Name="WolfNet IP" Target="WOLFNET_ADDRESS" Default="" Mode="" Description="Override auto-assigned IP (leave empty for auto)" Type="Variable" Display="advanced" Required="false" Mask="false"/>
+  <Config Name="Listen Port" Target="WOLFNET_PORT" Default="9600" Mode="" Description="UDP port for tunnel traffic" Type="Variable" Display="advanced" Required="false" Mask="false"/>
+  <Config Name="Gateway Mode" Target="WOLFNET_GATEWAY" Default="false" Mode="" Description="Enable NAT gateway for other WolfNet nodes" Type="Variable" Display="advanced" Required="false" Mask="false"/>
+  <Config Name="Config" Target="/etc/wolfnet" Default="/mnt/user/appdata/wolfnet" Mode="rw" Description="Configuration and key storage" Type="Path" Display="always" Required="true" Mask="false"/>
+  <Config Name="Status" Target="/var/run/wolfnet" Default="/var/run/wolfnet" Mode="rw" Description="Runtime status files" Type="Path" Display="advanced" Required="false" Mask="false"/>
+</Container>
