search

perara / wg-manager

A easy to use WireGuard dashboard and management tool
MIT License
603 stars 72 forks source link

how to start the service at boot time - bare metal. #75

Open pw44 opened 3 years ago

pw44 commented 3 years ago

Hya, how can the service be started at boot time on bare metal, no docker?

Thx in advance

tromlet commented 3 years ago

I'm actually looking at this too. :P

EDIT: A bit more information about my setup here, we're running this inside of a VM, and so far your management interface appears to be the best one, if ONLY because it will sit there and take existing Wireguard configs.

I HAVE gotten it working on our CentOS 7 server (and I'd be happy to share my methods for your docs!), which is great! But I need it to be able to start up if our cluster goes down and comes back up, etc. A way to run it as a system service would be ideal.

EDIT 3 Feb 2020: I'm making some progress on this!

tromlet commented 3 years ago

Note, this is all on CentOS 7 - you may need to adapt the instructions below to your distro. @perara, @tony1661, your input here on any security considerations or "best practices" would be much appreciated - but I think I got it right!

I created a systemd unit file:

$ cat /etc/systemd/system/wg-manager.service:

[Unit]
Description=WireGuard Manager
After=syslog.target
After=network.target

[Service]
Type=simple
Environment=ADMIN_USERNAME=admin
Environment=ADMIN_PASSWORD=password
WorkingDirectory=/opt/wg-manager/wg_dashboard_backend
ExecStart=/opt/wg-manager/wg_dashboard_backend/venv/bin/gunicorn -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 main:app
User=vpn
Group=vpn
Restart=always

[Install]
WantedBy=multi-user.target

I also installed Caddy, and used it to proxy to the server via HTTPS with custom certs from our internal CA.

$ cat /etc/caddy/Caddyfile:

wg.example.com {
  reverse_proxy localhost:8000

  tls /home/vpn/wg.example.com/cert.pem /home/vpn/wg.example.com/key.key {
    ca_root /home/vpn/wg.example.com/ca.pem
  }
}

Then, just do:

# systemctl enable wg-manager
# systemctl start wg-manager
# systemctl enable caddy
# systemctl start caddy

...and your service should be served up via HTTPS and should come right up after a server reboot!

pw44 commented 3 years ago

is this working?

i didn't find gunicorn

Am 03.02.21 um 19:12 schrieb Tom Spettigue:

I created a systemd unit file:

|$ cat /etc/systemd/system/wg-manager.service|:

|[Unit] Description=WireGuard Manager After=syslog.target After=network.target [Service] Type=simple Environment=ADMIN_USERNAME=heimdall Environment=ADMIN_PASSWORD=MZdNH9xseGvnsrNaABOS WorkingDirectory=/opt/wg-manager/wg_dashboard_backend ExecStart=/opt/wg-manager/wg_dashboard_backend/venv/bin/gunicorn -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 main:app User=vpn Group=vpn Restart=always [Install] WantedBy=multi-user.target |

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/perara/wg-manager/issues/75#issuecomment-772861446, or unsubscribe https://github.com/notifications/unsubscribe-auth/AQV2IVYIZNS22CRJF7LTS2DS5HC4DANCNFSM4WX5XBKQ.

tromlet commented 3 years ago

Ah, yes, you probably need to do pip install gunicorn after the part of the setup instructions where you install uvicorn. From my reading, gunicorn is a preferred way of running a server like this in production, so I went ahead and figured out how to work with it. That will put gunicorn in the venv/bin directory, where you can then reference it. I didn't use uvicorn for my service file, as it seems like it's generally considered to be a development server - not a production one.

tromlet commented 3 years ago

Any progress on this, my dude @pw44?

Another aspect I found was to be sure to never use anything BUT your final ADMIN_USERNAME and ADMIN_PASSWORD credentials during setup. Doing so will conflict with the database, and all will be lost (well not really you can just use the initial creds you started with, but).