wolfnet: publish multi-arch Docker image to GHCR

- docker/Dockerfile: switch to TARGETARCH-based COPY so one Dockerfile
  serves both linux/amd64 and linux/arm64 buildx targets. Context is
  now the repo root; pre-built binaries live under dist/<arch>/.
- docker/entrypoint.sh: rewrite around the real CLI. The previous
  script called `wolfnet genkey > $KEY_FILE` and `wolfnet pubkey <
  $KEY_FILE` (genkey writes via --output and pubkey takes no stdin),
  passed `--config-dir` to `join` (flag doesn't exist), and piped the
  TOML config through python3 (not in debian-slim). First-run
  bootstrap is now simply `wolfnet join $TOKEN` or `wolfnet init
  --address $WOLFNET_ADDRESS`, both of which write the config and
  key themselves.
- .github/workflows/docker-publish.yml: new. Cross-compiles both musl
  targets, then buildx+QEMU assembles a multi-arch image and pushes
  to ghcr.io/wolfsoftwaresystemsltd/wolfnet with :latest and :<version>
  tags. Fixes the 403 that NAS satellite installs were hitting on
  `docker compose -f docker-compose.satellite.yml up -d` because the
  image had never been published.

Author: Paul C

wolfnet/.github/workflows/docker-publish.yml

@@ -0,0 +1,103 @@
+name: Publish Docker Image
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'Cargo.toml'
+      - 'src/**'
+      - 'docker/**'
+      - '.github/workflows/docker-publish.yml'
+  workflow_dispatch:
+
+jobs:
+  build-binaries:
+    strategy:
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-musl
+            arch: amd64
+            runner: ubuntu-latest
+          - target: aarch64-unknown-linux-musl
+            arch: arm64
+            runner: ubuntu-latest
+
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+
+      - name: Install cross
+        run: cargo install cross --git https://github.com/cross-rs/cross
+
+      - name: Build static binaries
+        run: cross build --release --target ${{ matrix.target }}
+
+      - name: Stage binaries
+        run: |
+          mkdir -p dist/${{ matrix.arch }}
+          cp target/${{ matrix.target }}/release/wolfnet    dist/${{ matrix.arch }}/wolfnet
+          cp target/${{ matrix.target }}/release/wolfnetctl dist/${{ matrix.arch }}/wolfnetctl
+          chmod +x dist/${{ matrix.arch }}/wolfnet dist/${{ matrix.arch }}/wolfnetctl
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries-${{ matrix.arch }}
+          path: dist/${{ matrix.arch }}/
+
+  publish:
+    needs: build-binaries
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get version
+        id: version
+        run: echo "version=$(grep '^version' Cargo.toml | head -1 | sed 's/.*\"\(.*\)\".*/\1/')" >> "$GITHUB_OUTPUT"
+
+      - name: Download amd64 binaries
+        uses: actions/download-artifact@v4
+        with:
+          name: binaries-amd64
+          path: dist/amd64
+
+      - name: Download arm64 binaries
+        uses: actions/download-artifact@v4
+        with:
+          name: binaries-arm64
+          path: dist/arm64
+
+      - name: Ensure binaries are executable
+        run: chmod +x dist/amd64/* dist/arm64/*
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push multi-arch image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/wolfsoftwaresystemsltd/wolfnet:latest
+            ghcr.io/wolfsoftwaresystemsltd/wolfnet:${{ steps.version.outputs.version }}

wolfnet/docker/Dockerfile

@@ -1,5 +1,8 @@
-# WolfNet Docker Container
-# Secure mesh VPN — runs in --network host mode with /dev/net/tun
+# WolfNet Docker Container — secure mesh VPN
+#
+# Runs in --network host mode with /dev/net/tun. Pre-built static musl
+# binaries are placed under dist/<arch>/ by the publish workflow; this
+# Dockerfile copies the right one based on TARGETARCH.
 #
 # Usage:
 #   docker run -d --name wolfnet --network host \
@@ -10,6 +13,8 @@
 
 FROM debian:bookworm-slim
 
+ARG TARGETARCH
+
 RUN apt-get update && apt-get install -y --no-install-recommends \
     iproute2 \
     iptables \
@@ -19,9 +24,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 RUN mkdir -p /etc/wolfnet /var/run/wolfnet
 
-COPY wolfnet /usr/local/bin/wolfnet
-COPY wolfnetctl /usr/local/bin/wolfnetctl
-COPY entrypoint.sh /entrypoint.sh
+COPY dist/${TARGETARCH}/wolfnet /usr/local/bin/wolfnet
+COPY dist/${TARGETARCH}/wolfnetctl /usr/local/bin/wolfnetctl
+COPY docker/entrypoint.sh /entrypoint.sh
 
 RUN chmod +x /usr/local/bin/wolfnet /usr/local/bin/wolfnetctl /entrypoint.sh
 

wolfnet/docker/entrypoint.sh

@@ -1,90 +1,35 @@
 #!/bin/bash
 set -e
 
-# ─── WolfNet Docker Entrypoint ───
-# Configures WolfNet from environment variables and starts the daemon.
+# ─── WolfNet Docker Entrypoint ────────────────────────────────────────────────
+# First-run bootstrap, then exec the daemon. The WolfNet binary creates
+# config.toml and the private key itself on `init` / `join`, so this script
+# just picks which of those to run on first boot.
 
-CONFIG_DIR="/etc/wolfnet"
-CONFIG_FILE="$CONFIG_DIR/config.toml"
-KEY_FILE="$CONFIG_DIR/private.key"
+CONFIG="/etc/wolfnet/config.toml"
+CONFIG_DIR="$(dirname "$CONFIG")"
 STATUS_DIR="/var/run/wolfnet"
 
 mkdir -p "$CONFIG_DIR" "$STATUS_DIR"
 
-# ─── Check TUN device ───
 if [ ! -c /dev/net/tun ]; then
-    echo "ERROR: /dev/net/tun not found."
-    echo "Run with: --device /dev/net/tun:/dev/net/tun"
-    echo "If the TUN module is not loaded, run: modprobe tun"
+    echo "✗ /dev/net/tun not found inside the container."
+    echo "  Run with:  --device /dev/net/tun:/dev/net/tun"
+    echo "  If the module is not loaded on the host:  sudo modprobe tun"
     exit 1
 fi
 
-# ─── Generate keys if missing ───
-if [ ! -f "$KEY_FILE" ]; then
-    echo "Generating WolfNet key pair..."
-    wolfnet genkey > "$KEY_FILE"
-    chmod 600 "$KEY_FILE"
-    echo "Key generated. Public key:"
-    wolfnet pubkey < "$KEY_FILE"
-fi
-
-# ─── Handle join token ───
-if [ -n "$WOLFNET_JOIN_TOKEN" ] && [ ! -f "$CONFIG_DIR/.joined" ]; then
-    echo "Joining WolfNet network with invite token..."
-    if wolfnet join "$WOLFNET_JOIN_TOKEN" --config-dir "$CONFIG_DIR"; then
-        touch "$CONFIG_DIR/.joined"
-        echo "Successfully joined. Check 'docker logs wolfnet' for the reverse token."
+if [ ! -f "$CONFIG" ]; then
+    if [ -n "$WOLFNET_JOIN_TOKEN" ]; then
+        echo "→ Joining WolfNet using supplied invite token..."
+        wolfnet --config "$CONFIG" join "$WOLFNET_JOIN_TOKEN"
     else
-        echo "WARNING: Join failed. Starting with existing config if available."
-    fi
-fi
-
-# ─── Generate config from env vars if missing ───
-if [ ! -f "$CONFIG_FILE" ]; then
-    echo "Generating config from environment variables..."
-    ADDR="${WOLFNET_ADDRESS:-10.0.10.1}"
-    SUBNET="${WOLFNET_SUBNET:-24}"
-    PORT="${WOLFNET_PORT:-9600}"
-    IFACE="${WOLFNET_INTERFACE:-wolfnet0}"
-    GW="${WOLFNET_GATEWAY:-false}"
-    DISC="${WOLFNET_DISCOVERY:-true}"
-    HOSTNAME="${WOLFNET_HOSTNAME:-$(hostname)}"
-
-    cat > "$CONFIG_FILE" <<EOF
-[node]
-address = "$ADDR/$SUBNET"
-listen_port = $PORT
-interface = "$IFACE"
-hostname = "$HOSTNAME"
-gateway = $GW
-
-[network]
-discovery = $DISC
-discovery_port = 9601
-EOF
-
-    # Add static peers if provided (JSON array)
-    if [ -n "$WOLFNET_PEERS" ]; then
-        echo "" >> "$CONFIG_FILE"
-        echo "$WOLFNET_PEERS" | python3 -c "
-import json, sys
-peers = json.load(sys.stdin)
-for p in peers:
-    print(f'''
-[[peers]]
-public_key = \"{p.get('public_key', '')}\"
-endpoint = \"{p.get('endpoint', '')}\"
-allowed_ips = \"{p.get('allowed_ips', '10.0.10.0/24')}\"
-''')
-" >> "$CONFIG_FILE" 2>/dev/null || true
+        ADDRESS="${WOLFNET_ADDRESS:-10.0.10.1}"
+        echo "→ No config and no join token — initialising new network at $ADDRESS"
+        echo "  (run 'docker exec wolfnet wolfnet invite' to get a token for peers)"
+        wolfnet --config "$CONFIG" init --address "$ADDRESS"
     fi
-
-    echo "Config generated at $CONFIG_FILE"
 fi
 
-echo "Starting WolfNet daemon..."
-echo "  Config: $CONFIG_FILE"
-echo "  Interface: ${WOLFNET_INTERFACE:-wolfnet0}"
-echo "  Port: ${WOLFNET_PORT:-9600}"
-
-exec wolfnet --config "$CONFIG_FILE"
+echo "→ Starting WolfNet daemon..."
+exec wolfnet --config "$CONFIG" "$@"