feat: add Docker image and GHCR workflow (#3)

.dockerignore

@@ -0,0 +1,13 @@
+.git
+.github
+.gitignore
+.DS_Store
+
+config.yaml
+config.yml
+
+build
+dist
+tmp
+*.log
+*.out

.github/workflows/docker.yml

@@ -0,0 +1,109 @@
+name: docker
+
+on:
+  pull_request:
+  push:
+    branches:
+      - "**"
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  docker-ci:
+    name: Build Docker image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build test image
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          load: true
+          tags: wiregold:test
+          build-args: |
+            VERSION=ci-${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Smoke test help output
+        run: docker run --rm wiregold:test -h
+
+      - name: Smoke test key generation
+        run: docker run --rm wiregold:test -g
+
+      - name: Smoke test preshared key generation
+        run: docker run --rm wiregold:test -pg
+
+      - name: Smoke test missing TUN message
+        run: |
+          set -euo pipefail
+          output="$(docker run --rm wiregold:test 2>&1 || true)"
+          printf '%s\n' "$output"
+          printf '%s' "$output" | grep -F "WireGold requires /dev/net/tun inside the container."
+
+  docker-publish:
+    name: Publish GHCR image
+    runs-on: ubuntu-latest
+    needs: docker-ci
+    if: github.event_name != 'pull_request' && (startsWith(github.ref, 'refs/tags/v') || github.ref == format('refs/heads/{0}', github.event.repository.default_branch))
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') || github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+          labels: |
+            org.opencontainers.image.title=WireGold
+            org.opencontainers.image.description=Container image for WireGold, a pure-Go Layer 3 VPN inspired by WireGuard.
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          build-args: |
+            VERSION=${{ steps.meta.outputs.version }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/release.yml

@@ -6,52 +6,69 @@ on:
 
 env:
   GITHUB_TOKEN: ${{ github.token }}
+  CGO_ENABLED: 0
+  LDFLAGS: -s -w -checklinkname=0
+  VERSION_PKG: github.com/fumiama/WireGold/config
 
 jobs:
-  my-job:
-    name: Build WireGold on Push Tag 🚀
+  build:
+    name: Build ${{ matrix.name }}
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - { name: linux-x64,              goos: linux,   goarch: amd64  }
+          - { name: linux-x86,              goos: linux,   goarch: "386"  }
+          - { name: windows-x64,            goos: windows, goarch: amd64, ext: .exe }
+          - { name: windows-x86,            goos: windows, goarch: "386", ext: .exe }
+          - { name: linux-arm64,            goos: linux,   goarch: arm64, goarm: "7" }
+          - { name: linux-armv6,            goos: linux,   goarch: arm,   goarm: "6" }
+          - { name: linux-mips,             goos: linux,   goarch: mips   }
+          - { name: linux-mips-softfloat,   goos: linux,   goarch: mips,   gomips: softfloat }
+          - { name: linux-mipsel,           goos: linux,   goarch: mipsle }
+          - { name: linux-mipsel-softfloat, goos: linux,   goarch: mipsle, gomips: softfloat }
+    env:
+      GOOS: ${{ matrix.goos }}
+      GOARCH: ${{ matrix.goarch }}
+      GOARM: ${{ matrix.goarm }}
+      GOMIPS: ${{ matrix.gomips }}
     steps:
-
       - name: Set up Go
         uses: actions/setup-go@master
         with:
           go-version: ^1.25
 
-      - name: Check out code into the Go module directory
+      - name: Check out code
         uses: actions/checkout@master
 
       - name: Cache Go
-        id: cache
         uses: actions/cache@v4
         with:
-          # A list of files, directories, and wildcard patterns to cache and restore
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-build-${{ hashFiles('**/go.sum') }}
 
       - name: Tidy Go modules
         run: go mod tidy
 
-      - name: Build linux-x64
-        run: CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -checklinkname=0" -o artifacts/wg-linux-x64 -trimpath
-      - name: Build linux-x86
-        run: CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -ldflags="-s -w -checklinkname=0" -o artifacts/wg-linux-x86 -trimpath
-      - name: Build windows-x64
-        run: CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="-s -w -checklinkname=0" -o artifacts/wg-windows-x64.exe -trimpath
-      - name: Build windows-x86
-        run: CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -ldflags="-s -w -checklinkname=0" -o artifacts/wg-windows-x86.exe -trimpath
-      - name: Build arm64
-        run: CGO_ENABLED=0 GOOS=linux GOARCH=arm64 GOARM=7 go build -ldflags="-s -w -checklinkname=0" -o artifacts/wg-linux-arm64 -trimpath
-      - name: Build armv6
-        run: CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -ldflags="-s -w -checklinkname=0" -o artifacts/wg-linux-armv6 -trimpath
-      - name: Build mips
-        run: CGO_ENABLED=0 GOOS=linux GOARCH=mips go build -ldflags="-s -w -checklinkname=0" -o artifacts/wg-linux-mips -trimpath
-      - name: Build mips-softfloat
-        run: CGO_ENABLED=0 GOOS=linux GOARCH=mips GOMIPS=softfloat go build -ldflags="-s -w -checklinkname=0" -o artifacts/wg-linux-mips-softfloat -trimpath
-      - name: Build mipsel
-        run: CGO_ENABLED=0 GOOS=linux GOARCH=mipsle go build -ldflags="-s -w -checklinkname=0" -o artifacts/wg-linux-mipsel -trimpath
-      - name: Build mipsel-softfloat
-        run: CGO_ENABLED=0 GOOS=linux GOARCH=mipsle GOMIPS=softfloat go build -ldflags="-s -w -checklinkname=0" -o artifacts/wg-linux-mipsel-softfloat -trimpath
+      - name: Build
+        run: go build -ldflags="${LDFLAGS} -X ${VERSION_PKG}.Version=${GITHUB_REF_NAME#v}" -o wg-${{ matrix.name }}${{ matrix.ext }} -trimpath
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: wg-${{ matrix.name }}
+          path: wg-${{ matrix.name }}${{ matrix.ext }}
+
+  release:
+    name: Upload Release 🚀
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+          merge-multiple: true
 
       - name: Upload binaries to release
         uses: svenstaro/upload-release-action@v2
@@ -60,4 +77,4 @@ jobs:
           file: artifacts/wg-*
           tag: ${{ github.ref }}
           overwrite: true
-          file_glob: true
+          file_glob: true

Dockerfile

@@ -0,0 +1,43 @@
+# syntax=docker/dockerfile:1.7
+
+FROM --platform=$TARGETPLATFORM golang:1.25.0-bookworm AS build
+
+ARG VERSION=dev
+
+WORKDIR /src
+
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+
+COPY . .
+
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go build -trimpath -ldflags="-s -w -checklinkname=0 -X github.com/fumiama/WireGold/config.Version=${VERSION}" \
+    -o /out/wg .
+
+FROM debian:bookworm-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+LABEL org.opencontainers.image.title="WireGold" \
+      org.opencontainers.image.description="Container image for WireGold, a pure-Go Layer 3 VPN inspired by WireGuard." \
+      org.opencontainers.image.source="https://github.com/fumiama/WireGold"
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates iproute2 tini \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /config
+
+COPY --from=build /out/wg /usr/local/bin/wg
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+RUN chmod +x /usr/local/bin/wg /usr/local/bin/docker-entrypoint.sh \
+    && mkdir -p /config
+
+VOLUME ["/config"]
+
+ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
+CMD ["-c", "/config/config.yaml"]

config/global.go

@@ -1,3 +1,16 @@
 package config
 
+import "time"
+
+// ShowDebugLog turn on to print verbose logs.
 const ShowDebugLog = false
+
+// Version will show in help message to distinguish different builds.
+// Use -ldflags="-X github.com/fumiama/WireGold/config.Version=x.y.z" to override.
+var Version = "dev"
+
+func init() {
+	if Version == "dev" {
+		Version = "dev-" + time.Now().Format(time.DateOnly)
+	}
+}

docker-entrypoint.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+set -eu
+
+if [ "$#" -eq 0 ]; then
+    set -- /usr/local/bin/wg -c /config/config.yaml
+elif [ "${1#-}" != "$1" ]; then
+    set -- /usr/local/bin/wg "$@"
+fi
+
+if [ "${1:-}" = "/usr/local/bin/wg" ]; then
+    need_config=1
+    config_path=/config/config.yaml
+    prev=
+
+    for arg in "$@"; do
+        case "$arg" in
+            -g|-pg|-h)
+                need_config=0
+                ;;
+        esac
+
+        if [ "$prev" = "-c" ]; then
+            config_path="$arg"
+        fi
+        prev="$arg"
+    done
+
+    if [ "$need_config" -eq 1 ] && [ ! -c /dev/net/tun ]; then
+        echo "WireGold requires /dev/net/tun inside the container." >&2
+        echo "Run with: --device /dev/net/tun --cap-add NET_ADMIN" >&2
+        echo "If Network is icmp or ip, add --cap-add NET_RAW as well." >&2
+        exit 1
+    fi
+
+    if [ "$need_config" -eq 1 ] && [ ! -f "$config_path" ]; then
+        echo "WireGold config not found: $config_path" >&2
+        echo "Mount your config into /config or override -c." >&2
+        exit 1
+    fi
+fi
+
+exec "$@"

go.mod

@@ -3,7 +3,7 @@ module github.com/fumiama/WireGold
 go 1.25.0
 
 require (
-	github.com/FloatTech/ttl v0.0.0-20260408173819-76cac20073ab
+	github.com/FloatTech/ttl v0.0.0-20260412050038-bd89b9d66fcd
 	github.com/RomiChan/syncx v0.0.0-20240418144900-b7402ffdebc7
 	github.com/fumiama/blake2b-simd v0.0.0-20250228045919-a5dcaba5419a
 	github.com/fumiama/go-base16384 v1.7.1

go.sum

@@ -1,5 +1,5 @@
-github.com/FloatTech/ttl v0.0.0-20260408173819-76cac20073ab h1:V1izfoG5S2Q6LivnKvCVl4xMZYnmf+dGGxK3rCxeGuI=
-github.com/FloatTech/ttl v0.0.0-20260408173819-76cac20073ab/go.mod h1:fHZFWGquNXuHttu9dUYoKuNbm3dzLETnIOnm1muSfDs=
+github.com/FloatTech/ttl v0.0.0-20260412050038-bd89b9d66fcd h1:Dt86dtJ5hPFvDIA8cAFYfO+Vc8ikoGf32ndEhbwjYXM=
+github.com/FloatTech/ttl v0.0.0-20260412050038-bd89b9d66fcd/go.mod h1:fHZFWGquNXuHttu9dUYoKuNbm3dzLETnIOnm1muSfDs=
 github.com/RomiChan/syncx v0.0.0-20240418144900-b7402ffdebc7 h1:S/ferNiehVjNaBMNNBxUjLtVmP/YWD6Yh79RfPv4ehU=
 github.com/RomiChan/syncx v0.0.0-20240418144900-b7402ffdebc7/go.mod h1:vD7Ra3Q9onRtojoY5sMCLQ7JBgjUsrXDnDKyFxqpf9w=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

gold/p2p/icmp/icmp.go

@@ -27,20 +27,51 @@ var (
 	echoid = os.Getpid()
 )
 
+// seqFIFO is a FIFO queue that generates new sequence numbers when empty.
+type seqFIFO struct {
+	mu   sync.Mutex
+	q    []uintptr
+	next *atomic.Uintptr
+}
+
+func (f *seqFIFO) Get() uintptr {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	if len(f.q) > 0 {
+		v := f.q[0]
+		copy(f.q, f.q[1:])
+		f.q = f.q[:len(f.q)-1]
+		return v
+	}
+	return f.next.Add(1)
+}
+
+func (f *seqFIFO) Put(v uintptr) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	if len(f.q) == 0 {
+		f.q = make([]uintptr, 1, 128)
+		f.q[0] = v
+		return
+	}
+	if len(f.q) < cap(f.q) {
+		f.q = append(f.q, v)
+		return
+	}
+	copy(f.q, f.q[1:])
+	f.q[len(f.q)-1] = v
+}
+
 // peerState holds per-peer ICMP echo state within a Conn.
 type peerState struct {
 	id      int
 	seq     atomic.Uintptr
-	seqpool *sync.Pool
+	seqfifo seqFIFO
 }
 
 func newPeerState() *peerState {
 	ps := &peerState{}
-	ps.seqpool = &sync.Pool{
-		New: func() any {
-			return int(ps.seq.Add(1))
-		},
-	}
+	ps.seqfifo.next = &ps.seq
 	return ps
 }
 
@@ -180,7 +211,7 @@ func (conn *Conn) ReadFromPeer(b []byte) (n int, ep p2p.EndPoint, err error) {
 			ps := conn.getOrCreatePeerState(ipaddr)
 			ps.id = body.ID
 			ps.seq.Store(uintptr(body.Seq))
-			ps.seqpool.Put(body.Seq)
+			ps.seqfifo.Put(uintptr(body.Seq))
 		}
 		n = copy(b, body.Data)
 		if config.ShowDebugLog {
@@ -197,7 +228,7 @@ func (conn *Conn) WriteToPeer(b []byte, ep p2p.EndPoint) (int, error) {
 	}
 	addr := (*netip.Addr)(icmpep)
 	ps := conn.getOrCreatePeerState(*addr)
-	seq := ps.seqpool.Get().(int)
+	seq := int(ps.seqfifo.Get())
 	id := ps.id
 	isrequest := id == 0
 	if isrequest {

main.go

@@ -168,7 +168,14 @@ func main() {
 }
 
 func displayHelp(hint string) {
-	fmt.Println(hint)
+	if hint != "" {
+		fmt.Println(hint)
+		fmt.Println("")
+	}
+	fmt.Println("WireGold Version:", config.Version)
+	fmt.Println("Author: Fumiama Minamoto")
+	fmt.Println("Released with GPL-3.0 license")
+	fmt.Println("")
 	flag.Usage()
 	os.Exit(0)
 }