ova building

Author: t-aleksander

.github/workflows/build-ova.yml

@@ -0,0 +1,71 @@
+name: Build OVF Image
+
+on:
+  workflow_dispatch:
+    inputs:
+      core_tag:
+        description: "defguard core image tag"
+        required: true
+      proxy_tag:
+        description: "defguard proxy image tag"
+        required: true
+      gateway_tag:
+        description: "defguard gateway image tag"
+        required: true
+
+jobs:
+  build:
+    runs-on: [self-hosted, Linux, X64]
+
+    defaults:
+      run:
+        working-directory: ova
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y --no-install-recommends \
+            qemu-kvm \
+            qemu-utils \
+            ovmf \
+            cpu-checker
+
+      - name: Check KVM availability
+        run: kvm-ok
+
+      - name: Setup Packer
+        uses: hashicorp/setup-packer@main
+        with:
+          version: latest
+
+      - name: Cache ISO
+        uses: actions/cache@v4
+        with:
+          path: ova/ubuntu-24.04.4-live-server-amd64.iso
+          key: ubuntu-24.04.4-live-server-amd64-iso
+
+      - name: Download ISO (if not cached)
+        run: |
+          if [ ! -f ubuntu-24.04.4-live-server-amd64.iso ]; then
+            curl -fL -o ubuntu-24.04.4-live-server-amd64.iso \
+              https://releases.ubuntu.com/24.04.4/ubuntu-24.04.4-live-server-amd64.iso
+          fi
+
+      - name: Packer init
+        run: packer init defguard.pkr.hcl
+
+      - name: Packer build
+        run: |
+          packer build \
+            -var "iso_url=file://$PWD/ubuntu-24.04.4-live-server-amd64.iso" \
+            -var "core_tag=${{ github.event.inputs.core_tag }}" \
+            -var "proxy_tag=${{ github.event.inputs.proxy_tag }}" \
+            -var "gateway_tag=${{ github.event.inputs.gateway_tag }}" \
+            defguard.pkr.hcl
+
+      - name: Print OVA size
+        run: ls -lh output/defguard/defguard.ova

ova/build-ova.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+
+TAG="2.0.0-alpha2"
+ISO_PATH="${PWD}/ubuntu-24.04.4-live-server-amd64.iso"
+
+if [ ! -f "$ISO_PATH" ]; then
+  echo "Missing ISO: $ISO_PATH" >&2
+  echo "Download it first with:" >&2
+  echo "  curl -fL -o ubuntu-24.04.4-live-server-amd64.iso https://releases.ubuntu.com/24.04.4/ubuntu-24.04.4-live-server-amd64.iso" >&2
+  exit 1
+fi
+
+packer init defguard.pkr.hcl
+
+packer build \
+  -var "iso_url=file://$ISO_PATH" \
+  -var "core_tag=$TAG" \
+  -var "proxy_tag=$TAG" \
+  -var "gateway_tag=$TAG" \
+  defguard.pkr.hcl

ova/defguard.pkr.hcl

@@ -0,0 +1,132 @@
+packer {
+  required_plugins {
+    qemu = {
+      version = ">= 1.0.9"
+      source  = "github.com/hashicorp/qemu"
+    }
+  }
+}
+
+variable "vm_name"   { default = "defguard" }
+variable "disk_size" { default = "20G" }
+variable "memory"    { default = 2048 }
+variable "cpus"      { default = 2 }
+variable "ssh_user"     { default = "ubuntu" }
+variable "iso_url"      { default = "https://releases.ubuntu.com/24.04.4/ubuntu-24.04.4-live-server-amd64.iso" }
+variable "core_tag"     { type = string }
+variable "proxy_tag"    { type = string }
+variable "gateway_tag"  { type = string }
+
+source "qemu" "ubuntu24" {
+  iso_url      = var.iso_url
+  iso_checksum = "sha256:e907d92eeec9df64163a7e454cbc8d7755e8ddc7ed42f99dbc80c40f1a138433"
+
+  vm_name          = var.vm_name
+  memory           = var.memory
+  cpus             = var.cpus
+  disk_size        = var.disk_size
+  accelerator      = "kvm"
+  format           = "qcow2"
+  output_directory = "output/${var.vm_name}"
+
+  net_device     = "virtio-net"
+  disk_interface = "virtio"
+  machine_type   = "q35"
+
+  ssh_username           = var.ssh_user
+  ssh_password           = "ubuntu"
+  ssh_timeout            = "40m"
+  ssh_handshake_attempts = 100
+
+  http_content = {
+    "/meta-data" = file("${path.root}/http/meta-data")
+    "/user-data" = file("${path.root}/http/user-data")
+  }
+  boot_wait = "5s"
+  boot_command = [
+    "c<wait5>",
+    "linux /casper/vmlinuz autoinstall 'ds=nocloud-net;s=http://{{ .HTTPIP }}:{{ .HTTPPort }}/'<enter><wait5>",
+    "initrd /casper/initrd<enter><wait5>",
+    "boot<enter>"
+  ]
+
+  shutdown_command = "sudo shutdown -P now"
+  headless         = true
+}
+
+build {
+  sources = ["source.qemu.ubuntu24"]
+
+  provisioner "file" {
+    source      = "files/docker-setup.sh"
+    destination = "/tmp/docker-setup.sh"
+  }
+
+  provisioner "file" {
+    source      = "files/99-defguard.cfg"
+    destination = "/tmp/99-defguard.cfg"
+  }
+
+  provisioner "file" {
+    source      = "files/docker-compose.yaml"
+    destination = "/tmp/docker-compose.yaml"
+  }
+
+  provisioner "file" {
+    source      = "files/docker-compose.standalone.yaml"
+    destination = "/tmp/docker-compose.standalone.yaml"
+  }
+
+  provisioner "file" {
+    source      = "files/generate-env.sh"
+    destination = "/tmp/generate-env.sh"
+  }
+
+  provisioner "file" {
+    source      = "files/start.sh"
+    destination = "/tmp/start.sh"
+  }
+
+  provisioner "file" {
+    source      = "files/defguard-init.service"
+    destination = "/tmp/defguard-init.service"
+  }
+
+  provisioner "shell" {
+    inline = [
+      "sudo bash /tmp/docker-setup.sh",
+      "sudo mkdir -p /opt/defguard",
+      "sudo mv /tmp/docker-compose.yaml /opt/defguard/docker-compose.yaml",
+      "sudo mv /tmp/docker-compose.standalone.yaml /opt/defguard/docker-compose.standalone.yaml",
+      "sudo mv /tmp/generate-env.sh /opt/defguard/generate-env.sh",
+      "sudo chmod +x /opt/defguard/generate-env.sh",
+      "sudo mv /tmp/start.sh /opt/defguard/start.sh",
+      "sudo chmod +x /opt/defguard/start.sh",
+      "echo 'DEFGUARD_CORE_TAG=${var.core_tag}' | sudo tee /opt/defguard/.image-tags > /dev/null",
+      "echo 'DEFGUARD_PROXY_TAG=${var.proxy_tag}' | sudo tee -a /opt/defguard/.image-tags > /dev/null",
+      "echo 'DEFGUARD_GATEWAY_TAG=${var.gateway_tag}' | sudo tee -a /opt/defguard/.image-tags > /dev/null",
+      "sudo mv /tmp/99-defguard.cfg /etc/cloud/cloud.cfg.d/99-defguard.cfg",
+      "sudo mv /tmp/defguard-init.service /etc/systemd/system/defguard-init.service",
+      "sudo systemctl daemon-reload",
+      "sudo systemctl enable docker.service",
+      "sudo chown -R ubuntu:ubuntu /opt/defguard",
+      "sudo rm -f /etc/netplan/00-installer-config.yaml /etc/netplan/50-cloud-init.yaml",
+      "sudo cloud-init clean --logs",
+      "sudo rm -f /etc/ssh/ssh_host_*",
+      "sudo rm -f /root/.ssh/authorized_keys",
+      "sudo rm -f /home/ubuntu/.ssh/authorized_keys",
+      "sudo truncate -s 0 /home/ubuntu/.bash_history || true",
+      "sudo truncate -s 0 /root/.bash_history || true",
+      # Expire default password so it must be changed on first login
+      "sudo chage -d 0 ubuntu"
+    ]
+  }
+
+  post-processor "shell-local" {
+    inline = [
+      "qemu-img convert -f qcow2 -O vmdk output/${var.vm_name}/${var.vm_name} output/${var.vm_name}/${var.vm_name}.vmdk",
+      "cp files/ubuntu.vmx output/${var.vm_name}/${var.vm_name}.vmx",
+      "ovftool --lax --diskMode=thin output/${var.vm_name}/${var.vm_name}.vmx output/${var.vm_name}/${var.vm_name}.ova"
+    ]
+  }
+}

ova/files/99-defguard.cfg

@@ -0,0 +1,3 @@
+#cloud-config
+runcmd:
+  - systemctl start defguard-init.service

ova/files/defguard-init.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=DefGuard first-boot initialisation
+After=network-online.target docker.service
+Wants=network-online.target docker.service
+
+[Service]
+Type=oneshot
+WorkingDirectory=/opt/defguard
+StandardOutput=append:/var/log/defguard-startup.log
+StandardError=append:/var/log/defguard-startup.log
+ExecStart=/bin/bash /opt/defguard/generate-env.sh
+ExecStart=/bin/bash /opt/defguard/start.sh

ova/files/docker-compose.standalone.yaml

@@ -0,0 +1,54 @@
+services:
+  core:
+    restart: always
+    profiles: [core]
+    image: ghcr.io/defguard/defguard:${DEFGUARD_CORE_TAG:?DEFGUARD_CORE_TAG is required}
+    env_file: .env
+    environment:
+      DEFGUARD_DB_HOST: db
+      DEFGUARD_DB_PORT: 5432
+    depends_on:
+      - db
+    ports:
+      - "8000:8000"
+
+  edge:
+    restart: always
+    profiles: [edge]
+    image: ghcr.io/defguard/defguard-proxy:${DEFGUARD_PROXY_TAG:?DEFGUARD_PROXY_TAG is required}
+    volumes:
+      - ./.volumes/certs/edge:/etc/defguard/certs
+    ports:
+      - "8080:8080"
+      - "50051:50051"
+
+  gateway:
+    restart: always
+    profiles: [gateway]
+    image: ghcr.io/defguard/gateway:${DEFGUARD_GATEWAY_TAG:?DEFGUARD_GATEWAY_TAG is required}
+    cap_add:
+      - NET_ADMIN
+    volumes:
+      - ./.volumes/certs/gateway:/etc/defguard/certs
+    network_mode: "host"
+    environment:
+      DEFGUARD_STATS_PERIOD: 10
+      HEALTH_PORT: 55003
+
+  npm:
+    image: "jc21/nginx-proxy-manager:latest"
+    restart: unless-stopped
+    profiles: [edge, core]
+
+    ports:
+      - "80:80" # HTTP Port
+      - "443:443" # HTTPS Port
+      - "81:81" # Admin Web Port
+
+  db:
+    restart: always
+    profiles: [core]
+    image: postgres:18-alpine
+    env_file: .env
+    volumes:
+      - ./.volumes/db:/var/lib/postgresql

ova/files/docker-compose.yaml

@@ -0,0 +1,61 @@
+services:
+  core:
+    restart: always
+    image: ghcr.io/defguard/defguard:${DEFGUARD_CORE_TAG:?DEFGUARD_CORE_TAG is required}
+    env_file: .env
+    environment:
+      DEFGUARD_DB_HOST: db
+      DEFGUARD_DB_PORT: 5432
+      DEFGUARD_ADOPT_EDGE: "edge:50051"
+      DEFGUARD_ADOPT_GATEWAY: "host.docker.internal:50066"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    depends_on:
+      - db
+      - edge
+      - gateway
+    ports:
+      - "8000:8000"
+
+  edge:
+    restart: always
+    image: ghcr.io/defguard/defguard-proxy:${DEFGUARD_PROXY_TAG:?DEFGUARD_PROXY_TAG is required}
+    volumes:
+      - ./.volumes/certs/edge:/etc/defguard/certs
+    ports:
+      - "8080:8080"
+
+  gateway:
+    restart: always
+    image: ghcr.io/defguard/gateway:${DEFGUARD_GATEWAY_TAG:?DEFGUARD_GATEWAY_TAG is required}
+    cap_add:
+      - NET_ADMIN
+    volumes:
+      - ./.volumes/certs/gateway:/etc/defguard/certs
+    environment:
+      DEFGUARD_STATS_PERIOD: 10
+      HEALTH_PORT: 55003
+    network_mode: "host"
+
+  npm:
+    image: "jc21/nginx-proxy-manager:latest"
+    restart: unless-stopped
+
+    ports:
+      - "80:80" # HTTP Port
+      - "443:443" # HTTPS Port
+      - "81:81" # Admin Web Port
+
+    environment:
+      TZ: "UTC"
+
+    volumes:
+      - ./.volumes/npm/data:/data
+      - ./.volumes/npm/letsencrypt:/etc/letsencrypt
+
+  db:
+    restart: always
+    image: postgres:18-alpine
+    env_file: .env
+    volumes:
+      - ./.volumes/db:/var/lib/postgresql

ova/files/docker-setup.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+
+apt-get update
+apt-get install -y ca-certificates curl
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+chmod a+r /etc/apt/keyrings/docker.asc
+
+. /etc/os-release
+CODENAME="${UBUNTU_CODENAME:-$VERSION_CODENAME}"
+
+tee /etc/apt/sources.list.d/docker.sources <<EOF
+Types: deb
+URIs: https://download.docker.com/linux/ubuntu
+Suites: ${CODENAME}
+Components: stable
+Signed-By: /etc/apt/keyrings/docker.asc
+EOF
+
+apt-get update
+apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+usermod -aG docker ubuntu