Pull request 174: feat vpn-libs-endpoint: improve docker support for trusttunnel

Squashed commit of the following: commit 16a0c416f13fc32db3ae79ba7f0886ba3987f5aa Author: Radmir Sadikov <r.sadikov@adguard.com> Date: Thu Mar 5 12:01:45 2026 +0400 move healthcheck from Dockerfile to docker-compose.yml commit 54aeb8d824 Author: Radmir Sadikov <r.sadikov@adguard.com> Date: Wed Mar 4 15:50:26 2026 +0400 add port parameter for healthcheck commit 0e375b9628 Author: Radmir Sadikov <r.sadikov@adguard.com> Date: Tue Mar 3 17:47:27 2026 +0400 feat vpn-libs-endpoint: improve docker support for trusttunnel
2026-04-26 20:36:02 +00:00 · 2026-03-05 11:29:36 +00:00
parent 18258db85f
commit ebb1ff4d3b
9 changed files with 191 additions and 19 deletions
--- a/tools/setup_wizard/library_settings.rs
+++ b/tools/setup_wizard/library_settings.rs
@@ -27,7 +27,7 @@ pub fn build() -> Built {
                .unwrap_or_else(|| {
                    ask_for_input(
                        &format!(
-                            "{} (use 0.0.0.0:443 for all interfaces on HTTPS port)",
+                            "{} (native: 0.0.0.0:443; Docker with 443:8443 mapping: 0.0.0.0:8443)",
                            Settings::doc_listen_address()
                        ),
                        Some(Settings::default_listen_address().to_string()),
--- a/tools/setup_wizard/main.rs
+++ b/tools/setup_wizard/main.rs
@@ -21,6 +21,8 @@ const HOSTNAME_PARAM_NAME: &str = "host";
 const LIBRARY_SETTINGS_FILE_PARAM_NAME: &str = "lib_settings";
 const TLS_HOSTS_SETTINGS_FILE_PARAM_NAME: &str = "hosts_settings";
 const CERT_TYPE_PARAM_NAME: &str = "cert_type";
+const CERT_CHAIN_PATH_PARAM_NAME: &str = "cert_chain_path";
+const CERT_KEY_PATH_PARAM_NAME: &str = "cert_key_path";
 const ACME_EMAIL_PARAM_NAME: &str = "acme_email";
 const ACME_CHALLENGE_PARAM_NAME: &str = "acme_challenge";
 const ACME_STAGING_PARAM_NAME: &str = "acme_staging";
@@ -45,6 +47,8 @@ pub struct PredefinedParameters {
    pub library_settings_file: Option<String>,
    pub tls_hosts_settings_file: Option<String>,
    pub cert_type: Option<String>,
+    pub cert_chain_path: Option<String>,
+    pub cert_key_path: Option<String>,
    pub acme_email: Option<String>,
    pub acme_challenge: Option<String>,
    pub acme_staging: bool,
@@ -141,8 +145,20 @@ Required in non-interactive mode."#,
            clap::Arg::new(CERT_TYPE_PARAM_NAME)
                .long("cert-type")
                .action(clap::ArgAction::Set)
-                .value_parser(["self-signed", "letsencrypt"])
-                .help("Certificate type: 'self-signed' or 'letsencrypt'"),
+                .value_parser(["self-signed", "letsencrypt", "provided"])
+                .help("Certificate type: 'self-signed', 'letsencrypt', or 'provided'"),
+            clap::Arg::new(CERT_CHAIN_PATH_PARAM_NAME)
+                .long("cert-chain-path")
+                .action(clap::ArgAction::Set)
+                .value_parser(clap::builder::NonEmptyStringValueParser::new())
+                .required_if_eq(CERT_TYPE_PARAM_NAME, "provided")
+                .help("Path to provided certificate chain (required when --cert-type=provided)"),
+            clap::Arg::new(CERT_KEY_PATH_PARAM_NAME)
+                .long("cert-key-path")
+                .action(clap::ArgAction::Set)
+                .value_parser(clap::builder::NonEmptyStringValueParser::new())
+                .required_if_eq(CERT_TYPE_PARAM_NAME, "provided")
+                .help("Path to provided private key (required when --cert-type=provided)"),
            clap::Arg::new(ACME_EMAIL_PARAM_NAME)
                .long("acme-email")
                .action(clap::ArgAction::Set)
@@ -202,6 +218,8 @@ Required in non-interactive mode."#,
            .get_one::<String>(TLS_HOSTS_SETTINGS_FILE_PARAM_NAME)
            .cloned(),
        cert_type: args.get_one::<String>(CERT_TYPE_PARAM_NAME).cloned(),
+        cert_chain_path: args.get_one::<String>(CERT_CHAIN_PATH_PARAM_NAME).cloned(),
+        cert_key_path: args.get_one::<String>(CERT_KEY_PATH_PARAM_NAME).cloned(),
        acme_email: args.get_one::<String>(ACME_EMAIL_PARAM_NAME).cloned(),
        acme_challenge: args.get_one::<String>(ACME_CHALLENGE_PARAM_NAME).cloned(),
        acme_staging: args.get_flag(ACME_STAGING_PARAM_NAME),
--- a/tools/setup_wizard/tls_hosts_settings.rs
+++ b/tools/setup_wizard/tls_hosts_settings.rs
@@ -47,6 +47,9 @@ pub fn build_with_runtime() -> Option<Cert> {
    if crate::get_mode() == Mode::NonInteractive {
        // Check if Let's Encrypt is requested via CLI
        if let Some(ref cert_type) = crate::get_predefined_params().cert_type {
+            if cert_type == "provided" {
+                return load_provided_cert_noninteractive();
+            }
            if cert_type == "letsencrypt" {
                return generate_letsencrypt_cert_noninteractive();
            }
@@ -498,6 +501,29 @@ fn generate_letsencrypt_cert_noninteractive() -> Option<Cert> {
    }
 }

+fn load_provided_cert_noninteractive() -> Option<Cert> {
+    let predefined = crate::get_predefined_params();
+    let cert_chain_path = predefined
+        .cert_chain_path
+        .clone()
+        .expect("Certificate chain path is required for provided cert type");
+    let cert_key_path = predefined
+        .cert_key_path
+        .clone()
+        .expect("Certificate key path is required for provided cert type");
+    drop(predefined);
+
+    let cert = parse_cert(Either::Right((&cert_chain_path, &cert_key_path)));
+    if cert.is_none() {
+        eprintln!(
+            "Failed to load provided certificate and key from '{}' and '{}'",
+            cert_chain_path, cert_key_path
+        );
+    }
+
+    cert
+}
+
 fn parse_cert_expiration(cert_pem: &str) -> Option<String> {
    let (_, pem) = x509_parser::pem::parse_x509_pem(cert_pem.as_bytes()).ok()?;
    let (_, cert) = x509_parser::parse_x509_certificate(&pem.contents).ok()?;