hokuto: partial impl

something wrong with adding the miekg/dns package, so a partial commit
for now...

Author: nyiyui

.gitignore

@@ -1,9 +1,9 @@
 /src
 /pkg
 /build2
-qrystal-*.pkg*
+/qrystal-*.pkg*
 /cs-push-config.yml
 /tmp-config.yml
 /cs-push
 /build.tar.zst
-.direnv
+/.direnv

Makefile

@@ -5,7 +5,7 @@ ldflags-mio += -X github.com/nyiyui/qrystal/mio.CommandWg=${shell which wg}
 ldflags-mio += -X github.com/nyiyui/qrystal/mio.CommandWgQuick=${shell which wg-quick}
 ldflags-node = -X github.com/nyiyui/qrystal/node.CommandIp=${shell which ip}
 ldflags-node += -X github.com/nyiyui/qrystal/node.CommandIptables=${shell which iptables}
-ldflags-runner = -X github.com/nyiyui/qrystal/runner.nodeUser=qrystal-node
+ldflags-runner = -X github.com/nyiyui/qrystal/runner.NodeUser=qrystal-node
 
 all: runner-mio runner-node runner gen-keys cs
 

cmd/runner-hokuto/main.go

@@ -0,0 +1,21 @@
+package main
+
+import (
+	"log"
+
+	"github.com/nyiyui/qrystal/profile"
+	"github.com/nyiyui/qrystal/util"
+)
+
+func main() {
+	util.SetupLog()
+	log.SetPrefix("hokuto:  ")
+	log.SetFlags(log.LstdFlags | log.Lmsgprefix)
+	util.ShowCurrent()
+	profile.Profile()
+
+	//err := hokuto.Main()
+	//if err != nil {
+	//	log.Fatalf("%s", err)
+	//}
+}

cmd/runner-node/main.go

@@ -114,11 +114,19 @@ func main() {
 	if err != nil {
 		log.Fatalf("parse MIO_TOKEN: %s", err)
 	}
-	n, err := node.NewNode(node.NodeConfig{
+	nc := node.NodeConfig{
 		MioAddr:  mioAddr,
 		MioToken: mioToken,
 		CS:       ncscs,
-	})
+	}
+	if os.Getenv("HOKUTO_ADDR") != "" {
+		nc.HokutoAddr = os.Getenv("HOKUTO_ADDR")
+		nc.HokutoToken, err = base64.StdEncoding.DecodeString(os.Getenv("HOKUTO_TOKEN"))
+		if err != nil {
+			util.S.Fatalf("parse HOKUTO_TOKEN: %s", err)
+		}
+	}
+	n, err := node.NewNode(nc)
 	if err != nil {
 		panic(err)
 	}

cs/haruka.go

@@ -10,6 +10,7 @@ import (
 )
 
 func (c *CentralSource) HandleHaruka(addr string, tlsCfg TLS) error {
+	util.S.Info("haruka: starting…")
 	cert, err := tls.LoadX509KeyPair(tlsCfg.CertPath, tlsCfg.KeyPath)
 	if err != nil {
 		return fmt.Errorf("loading cert or key: %w", err)
@@ -29,6 +30,6 @@ func (c *CentralSource) HandleHaruka(addr string, tlsCfg TLS) error {
 			util.S.Fatalf("haruka: serve failed: %s", err)
 		}
 	}()
-	util.S.Info("haruka: serving…")
+	util.S.Info("haruka: serving")
 	return nil
 }

cs/ryo.go

@@ -4,44 +4,41 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"log"
 	"net/http"
+	"os"
 	"time"
 
 	"github.com/nyiyui/qrystal/api"
 	"github.com/nyiyui/qrystal/util"
-	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
 )
 
 type tokenInfoKeyType struct{}
 
 var tokenInfoKey = tokenInfoKeyType{}
 
 func (c *CentralSource) HandleRyo(addr string, tlsCfg TLS) error {
+	util.S.Info("ryo: starting…")
 	if addr == "" {
 		return nil
 	}
 	mux := http.NewServeMux()
 	// TODO: only POST
 	mux.Handle("/push", c.ryoToken(http.HandlerFunc(c.ryoPush)))
 	mux.Handle("/add-token", c.ryoToken(http.HandlerFunc(c.ryoAddToken)))
-	el, err := zap.NewStdLogAt(util.L, zapcore.ErrorLevel)
-	if err != nil {
-		panic(err)
-	}
 	s := &http.Server{
 		Addr:        addr,
 		Handler:     mux,
 		ReadTimeout: 1 * time.Second,
-		ErrorLog:    el,
+		ErrorLog:    log.New(os.Stderr, "ryo server: ", log.Lmsgprefix|log.LstdFlags|log.Lshortfile),
 	}
 	go func() {
 		err := s.ListenAndServeTLS(tlsCfg.CertPath, tlsCfg.KeyPath)
 		if err != nil {
 			util.S.Fatalf("ryo: serve failed: %s", err)
 		}
 	}()
-	util.S.Info("ryo: serving…")
+	util.S.Info("ryo: serving")
 	return nil
 }
 

flake.lock

@@ -66,9 +66,9 @@
       {
         runner = pkgs.buildGoModule (common // {
           pname = "runner";
-          subPackages = [ "cmd/runner" "cmd/runner-mio" "cmd/runner-node" ];
+          subPackages = [ "cmd/runner" "cmd/runner-mio" "cmd/runner-node" ]; # "cmd/runner-hokuto" ];
           ldflags = (ldflags pkgs) ++ [
-            "-X github.com/nyiyui/qrystal/runner.nodeUser=qrystal-node"
+            "-X github.com/nyiyui/qrystal/runner.NodeUser=qrystal-node"
           ];
           postInstall = ''
             mkdir $out/lib
@@ -135,6 +135,23 @@
               config = mkOption {
                 type = submodule {
                   options = {
+                    hokuto = mkOption {
+                      type = submodule {
+                        options = {
+                          enable = mkOption {
+                            type = bool;
+                            default = true;
+                            description = "Enable DNS";
+                          };
+                          parent = mkOption {
+                            type = str;
+                            default = ".qrystal.internal";
+                            description = "All domains inside networks will be of the format <peer>.<network>.<parent>";
+                          };
+                        };
+                      };
+                      default = {};
+                    };
                     css = mkOption {
                       type = listOf (submodule {
                         options = {
@@ -196,6 +213,7 @@
                 wantedBy = [ "network-online.target" ];
                 environment = {
                   "RUNNER_MIO_PATH" = "${pkg}/bin/runner-mio";
+                  #"RUNNER_HOKUTO_PATH" = "${pkg}/bin/runner-hokuto";
                   "RUNNER_NODE_PATH" = "${pkg}/bin/runner-node";
                   "RUNNER_NODE_CONFIG_PATH" = mkConfigFile cfg;
                 };

flake.nix

@@ -11,3 +11,4 @@ Returns `A` records per-peers' allowed IPs, and `TXT` records for other metadata
 - Initial protocol to fetch networks from qrystal-node.
 - Restrict returned domains to only which the client can see.
 - Forward DNS requests.
+- Reverse lookups.

hokuto/README.md

@@ -0,0 +1,3 @@
+{
+	"parent": ".qrystal.internal"
+}

hokuto/config-sample.json

@@ -0,0 +1,171 @@
+package hokuto
+
+import (
+	"net"
+	"sync"
+
+	//"github.com/miekg/dns"
+	"github.com/nyiyui/qrystal/central"
+)
+
+// ~~stolen~~ copied from <https://gist.github.com/walm/0d67b4fb2d5daf3edd4fad3e13b162cb>.
+
+var cc *central.Config
+var ccLock sync.Mutex
+
+var mask32 = net.CIDRMask(32, 32)
+
+var c Config
+var token []byte
+var suffix string
+
+type Config struct {
+	Parent string `json:"parent"`
+}
+
+/*
+func returnPeer(m *dns.Msg, q dns.Question, peer *central.Peer) {
+	for _, in := range peer.AllowedIPs {
+		if !bytes.Equal(net.IPNet(in).Mask, mask32) {
+			// non-/32s seem very *fun* to deal with...
+			continue
+		}
+		rr, err := dns.NewRR(fmt.Sprintf("%s A %s", q.Name, in.IP.String()))
+		if err == nil {
+			m.Answer = append(m.Answer, rr)
+		}
+	}
+}
+
+func handleQuery(m *dns.Msg) (nxdomain bool) {
+	for _, q := range m.Question {
+		log.Printf("Query for %s\n", q.Name)
+
+		switch q.Qtype {
+		case dns.TypeA:
+			if strings.HasSuffix(q.Name, suffix) {
+				ccLock.Lock()
+				defer ccLock.Unlock()
+				parts := strings.Split(strings.TrimSuffix(q.Name, suffix), ".")
+				if len(parts) == 0 {
+					nxdomain = true
+					return
+				}
+				cnn := parts[0]
+				cn := cc.Networks[cnn]
+				if cn == nil {
+					nxdomain = true
+					return
+				}
+				switch len(parts) {
+				case 1:
+					for _, peer := range cn.Peers {
+						returnPeer(m, q, peer)
+					}
+				case 2:
+					pn := parts[1]
+					peer := cn.Peers[pn]
+					if cn == nil {
+						nxdomain = true
+						return
+					}
+					returnPeer(m, q, peer)
+				}
+			} else {
+				nxdomain = true
+				return
+			}
+		}
+	}
+	return
+}
+
+func handle(w dns.ResponseWriter, r *dns.Msg) {
+	m := new(dns.Msg)
+	m.SetReply(r)
+	m.Compress = false
+	switch r.Opcode {
+	case dns.OpcodeQuery:
+		nxdomain := handleQuery(m)
+		if nxdomain {
+			m.MsgHdr.Rcode = dns.RcodeNameError
+		}
+	}
+	w.WriteMsg(m)
+}
+
+func main2() {
+	configPath := flag.String("config", "", "config path")
+	addr := flag.String("addr", "", "dns bind address")
+	flag.Parse()
+
+	buf, err := os.ReadFile(*configPath)
+	if err != nil {
+		util.S.Fatalf("read config: %s", err)
+	}
+	err = json.Unmarshal(buf, &c)
+	if err != nil {
+		util.S.Fatalf("parse config: %s", err)
+	}
+	suffix = c.Parent + "."
+	util.S.Infof("config parsed from %s", *configPath)
+
+	dns.HandleFunc(".", handle)
+
+	server := &dns.Server{Addr: *addr, Net: "udp"}
+	util.S.Infof("listening on %s", server.Addr)
+	err = server.ListenAndServe()
+	if err != nil {
+		util.S.Fatalf("listen failed: %s\n ", err.Error())
+	}
+	defer server.Shutdown()
+}
+
+type rpcServer struct{}
+
+type UpdateCCQ struct {
+	Token []byte
+	CC    *central.Config
+}
+
+func (_ rpcServer) updateCC(q *UpdateCCQ, _ *bool) error {
+	if !bytes.Equal(token, q.Token) {
+		return errors.New("token mismatch")
+	}
+	if q.CC == nil {
+		return errors.New("cc is nil")
+	}
+	ccLock.Lock()
+	defer ccLock.Unlock()
+	cc = q.CC
+	return nil
+}
+
+func Main() error {
+	var tokenBase64 string
+	var err error
+	token, tokenBase64, err = mio.GenToken()
+	if err != nil {
+		util.S.Fatalf("GenToken: %s", err)
+	}
+	lis, addr, err := mio.Listen()
+	if err != nil {
+		util.S.Fatalf("Listen: %s", err)
+	}
+	fmt.Printf("addr:%s\n", addr)
+	fmt.Printf("token:%s\n", tokenBase64)
+	err = os.Stdout.Close()
+	if err != nil {
+		util.S.Fatalf("close stdout: %s", err)
+	}
+	util.S.Info("聞きます。")
+	rs := rpc.NewServer()
+	rs.RegisterName("updateCC", rpcServer{})
+	handler := mio.Guard(rs)
+	err = http.Serve(lis, handler)
+	if err != nil {
+		util.S.Fatalf("serve: %s", err)
+	}
+	return nil
+}
+*/

hokuto/server.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 )
 
-func listen() (lis net.Listener, addr string, err error) {
+func Listen() (lis net.Listener, addr string, err error) {
 	lis, err = net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		return
@@ -20,13 +20,13 @@ func listen() (lis net.Listener, addr string, err error) {
 	return
 }
 
-// guard aborts connections from hosts that are not localhost.
+// Guard aborts connections from hosts that are not localhost.
 //
 // This is intended to be a last resort; it should not be relied on for
 // security.
 //
 // Note: Server should be listening on 127.0.0.1, not 0.0.0.0.
-func guard(handler http.Handler) http.Handler {
+func Guard(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if !strings.HasPrefix(r.RemoteAddr, "127.0.0.1:") {
 			log.Printf("blocked request from %s", r.RemoteAddr)