tweak wg server key

config/releases.exs

@@ -11,6 +11,7 @@ secret_key_base = System.fetch_env!("SECRET_KEY_BASE")
 live_view_signing_salt = System.fetch_env!("LIVE_VIEW_SIGNING_SALT")
 ssl_cert_file = System.fetch_env!("SSL_CERT_FILE")
 ssl_key_file = System.fetch_env!("SSL_KEY_FILE")
+wg_server_key = System.fetch_env!("WG_SERVER_KEY")
 
 disable_signup =
   case System.get_env("DISABLE_SIGNUP") do
@@ -66,7 +67,7 @@ config :fz_http, FzHttpWeb.Endpoint,
 
 config :fz_vpn,
   vpn_endpoint: wg_endpoint_address <> ":" <> wg_listen_port,
-  private_key: File.read!("/opt/firezone/server.key") |> String.trim()
+  private_key: wg_server_key
 
 # ## Using releases (Elixir v1.9+)
 #

pkg/ubuntu_18.04_amd64/DEBIAN/postinst

@@ -1,14 +1,8 @@
 #!/usr/bin/env bash
-set -xe
-
-ls -la /opt/firezone/bin
+set -e
 
 # FireZone package post-install script
 
-# 1. Generate secrets
-# 2. Bootstrap DB
-# 3. Generate WireGuard interface and config
-
 # All created files are 0600 by default
 umask 077
 
@@ -22,6 +16,8 @@ fi
 
 hostname=$(hostname)
 
+### SET UP DB
+
 # Create role if not exists
 db_user=firezone
 db_password="$(openssl rand -hex 16)"
@@ -41,29 +37,30 @@ else
   echo "${db_name} exists; not creating"
 fi
 
+# Grant all privileges
 su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
 
-# Setup DB
-# XXX: Remove || true and detect actual failures
+### SET UP SSL
+# XXX: Use Let's Encrypt
 
 # Write FireZone SSL files
 mkdir -p /opt/firezone/ssl
 ssl_key_file=/opt/firezone/ssl/key.pem
 ssl_cert_file=/opt/firezone/ssl/cert.pem
-if [ ! -f $ssl_key_file && ! -f $ssl_cert_file]; then
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
   openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
       -keyout $ssl_key_file \
       -out $ssl_cert_file \
       -days 365 -subj "/CN=${hostname}"
-else
-  echo "ssl files exist; not creating"
 fi
 
 # Generate app secrets
 live_view_signing_salt="$(openssl rand -base64 24)"
 secret_key_base="$(openssl rand -base64 48)"
 db_key="$(openssl rand -base64 32)"
-wg genkey > /opt/firezone/server.key
+wg_server_key="$(wg genkey)"
 
 # Write FireZone config files
 if [ ! -f /opt/firezone/config.env ]; then
@@ -100,6 +97,9 @@ WG_ENDPOINT_ADDRESS=
 # The Base64-encoded key for encrypted database fields.
 DB_ENCRYPTION_KEY=${db_key}
 
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+
 # SSL certificate file and key path. Self-signed certs are generated for you on
 # install, but it's highly recommended to replace these with valid certs.
 # Free certs can be obtained at https://letsencrypt.org.

pkg/ubuntu_18.04_amd64/lib/systemd/system/firezone.service

@@ -1,5 +1,5 @@
 [Unit]
-Description=FireZone
+Description=firezone
 Requires=postgresql.service
 After=postgresql.service
 

pkg/ubuntu_18.04_arm64/DEBIAN/postinst

@@ -1,14 +1,8 @@
 #!/usr/bin/env bash
-set -xe
-
-ls -la /opt/firezone/bin
+set -e
 
 # FireZone package post-install script
 
-# 1. Generate secrets
-# 2. Bootstrap DB
-# 3. Generate WireGuard interface and config
-
 # All created files are 0600 by default
 umask 077
 
@@ -20,34 +14,56 @@ else
   useradd --system firezone
 fi
 
-# Generate app secrets
-live_view_signing_salt="$(openssl rand -base64 24)"
-secret_key_base="$(openssl rand -base64 48)"
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
 db_user=firezone
-
-# base64 includes forward slashes which are problematic in the
-# db_url connect string, so use hex.
 db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
 
-db_key="$(openssl rand -base64 32)"
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
 
-# Setup DB
-# XXX: Remove || true and detect actual failures
-su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\" || true"
-su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
-su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\" || true"
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+### SET UP SSL
+# XXX: Use Let's Encrypt
 
 # Write FireZone SSL files
 mkdir -p /opt/firezone/ssl
-hostname=$(hostname)
-openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
-    -keyout /opt/firezone/ssl/key.pem \
-    -out /opt/firezone/ssl/cert.pem \
-    -days 365 -subj "/CN=${hostname}"
+ssl_key_file=/opt/firezone/ssl/key.pem
+ssl_cert_file=/opt/firezone/ssl/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
 
-wg genkey > /opt/firezone/server.key
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
 
 # Write FireZone config files
+if [ ! -f /opt/firezone/config.env ]; then
 cat <<EOT >> /opt/firezone/config.env
 # This file is loaded into FireZone's Environment upon launch to configure it.
 
@@ -81,6 +97,9 @@ WG_ENDPOINT_ADDRESS=
 # The Base64-encoded key for encrypted database fields.
 DB_ENCRYPTION_KEY=${db_key}
 
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+
 # SSL certificate file and key path. Self-signed certs are generated for you on
 # install, but it's highly recommended to replace these with valid certs.
 # Free certs can be obtained at https://letsencrypt.org.
@@ -98,6 +117,9 @@ SSL_KEY_FILE=/opt/firezone/ssl/key.pem
 # users via the CLI.
 DISABLE_SIGNUP=yes
 EOT
+else
+  echo "config file exists; not creating"
+fi
 
 # Set perms
 chown -R firezone:root /opt/firezone

pkg/ubuntu_20.04_amd64/DEBIAN/postinst

@@ -3,9 +3,8 @@ set -e
 
 # FireZone package post-install script
 
-# 1. Generate secrets
-# 2. Bootstrap DB
-# 3. Generate WireGuard interface and config
+# All created files are 0600 by default
+umask 077
 
 # Add firezone user if not exists
 if id firezone &>/dev/null; then
@@ -15,37 +14,56 @@ else
   useradd --system firezone
 fi
 
-# Generate app secrets
-live_view_signing_salt="$(openssl rand -base64 24)"
-secret_key_base="$(openssl rand -base64 48)"
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
 db_user=firezone
-
-# base64 includes forward slashes which are problematic in the
-# db_url connect string, so use hex.
 db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
 
-db_key="$(openssl rand -base64 32)"
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
 
-# Setup DB
-sudo -i -u postgres psql -c "CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';" || true
-sudo -i -u postgres psql -c "CREATE DATABASE firezone;" || true
-sudo -i -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};" || true
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+### SET UP SSL
+# XXX: Use Let's Encrypt
 
 # Write FireZone SSL files
 mkdir -p /opt/firezone/ssl
-chown -R firezone:root /opt/firezone/ssl
-hostname=$(hostname)
-openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
-    -keyout /opt/firezone/ssl/key.pem \
-    -out /opt/firezone/ssl/cert.pem \
-    -days 365 -subj "/CN=${hostname}"
-chmod 0600 /opt/firezone/ssl/key.pem
-chmod 0644 /opt/firezone/ssl/cert.pem
+ssl_key_file=/opt/firezone/ssl/key.pem
+ssl_cert_file=/opt/firezone/ssl/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
 
 # Write FireZone config files
-touch /opt/firezone/config.env
-chmod 0600 /opt/firezone/config.env
-chown -R firezone:root /opt/firezone
+if [ ! -f /opt/firezone/config.env ]; then
 cat <<EOT >> /opt/firezone/config.env
 # This file is loaded into FireZone's Environment upon launch to configure it.
 
@@ -79,6 +97,9 @@ WG_ENDPOINT_ADDRESS=
 # The Base64-encoded key for encrypted database fields.
 DB_ENCRYPTION_KEY=${db_key}
 
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+
 # SSL certificate file and key path. Self-signed certs are generated for you on
 # install, but it's highly recommended to replace these with valid certs.
 # Free certs can be obtained at https://letsencrypt.org.
@@ -96,7 +117,10 @@ SSL_KEY_FILE=/opt/firezone/ssl/key.pem
 # users via the CLI.
 DISABLE_SIGNUP=yes
 EOT
+else
+  echo "config file exists; not creating"
+fi
 
-umask 077
-wg genkey > /opt/firezone/server.key
-chown firezone:root /opt/firezone/server.key
+# Set perms
+chown -R firezone:root /opt/firezone
+chmod 0644 /opt/firezone/ssl/cert.pem

pkg/ubuntu_20.04_arm64/DEBIAN/postinst

@@ -3,9 +3,8 @@ set -e
 
 # FireZone package post-install script
 
-# 1. Generate secrets
-# 2. Bootstrap DB
-# 3. Generate WireGuard interface and config
+# All created files are 0600 by default
+umask 077
 
 # Add firezone user if not exists
 if id firezone &>/dev/null; then
@@ -15,37 +14,56 @@ else
   useradd --system firezone
 fi
 
-# Generate app secrets
-live_view_signing_salt="$(openssl rand -base64 24)"
-secret_key_base="$(openssl rand -base64 48)"
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
 db_user=firezone
-
-# base64 includes forward slashes which are problematic in the
-# db_url connect string, so use hex.
 db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
 
-db_key="$(openssl rand -base64 32)"
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
 
-# Setup DB
-sudo -i -u postgres psql -c "CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';" || true
-sudo -i -u postgres psql -c "CREATE DATABASE firezone;" || true
-sudo -i -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};" || true
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+### SET UP SSL
+# XXX: Use Let's Encrypt
 
 # Write FireZone SSL files
 mkdir -p /opt/firezone/ssl
-chown -R firezone:root /opt/firezone/ssl
-hostname=$(hostname)
-openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
-    -keyout /opt/firezone/ssl/key.pem \
-    -out /opt/firezone/ssl/cert.pem \
-    -days 365 -subj "/CN=${hostname}"
-chmod 0600 /opt/firezone/ssl/key.pem
-chmod 0644 /opt/firezone/ssl/cert.pem
+ssl_key_file=/opt/firezone/ssl/key.pem
+ssl_cert_file=/opt/firezone/ssl/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
 
 # Write FireZone config files
-touch /opt/firezone/config.env
-chmod 0600 /opt/firezone/config.env
-chown -R firezone:root /opt/firezone
+if [ ! -f /opt/firezone/config.env ]; then
 cat <<EOT >> /opt/firezone/config.env
 # This file is loaded into FireZone's Environment upon launch to configure it.
 
@@ -79,6 +97,9 @@ WG_ENDPOINT_ADDRESS=
 # The Base64-encoded key for encrypted database fields.
 DB_ENCRYPTION_KEY=${db_key}
 
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+
 # SSL certificate file and key path. Self-signed certs are generated for you on
 # install, but it's highly recommended to replace these with valid certs.
 # Free certs can be obtained at https://letsencrypt.org.
@@ -96,7 +117,10 @@ SSL_KEY_FILE=/opt/firezone/ssl/key.pem
 # users via the CLI.
 DISABLE_SIGNUP=yes
 EOT
+else
+  echo "config file exists; not creating"
+fi
 
-umask 077
-wg genkey > /opt/firezone/server.key
-chown firezone:root /opt/firezone/server.key
+# Set perms
+chown -R firezone:root /opt/firezone
+chmod 0644 /opt/firezone/ssl/cert.pem