From 12f68f24e6ca1f7cb63a773594616ecfabff3e50 Mon Sep 17 00:00:00 2001 From: Jamil Bou Kheir Date: Sat, 10 Jul 2021 15:51:50 -0700 Subject: [PATCH] tweak wg server key --- config/releases.exs | 3 +- pkg/ubuntu_18.04_amd64/DEBIAN/postinst | 26 +++--- .../lib/systemd/system/firezone.service | 2 +- pkg/ubuntu_18.04_arm64/DEBIAN/postinst | 72 +++++++++++------ pkg/ubuntu_20.04_amd64/DEBIAN/postinst | 80 ++++++++++++------- pkg/ubuntu_20.04_arm64/DEBIAN/postinst | 80 ++++++++++++------- 6 files changed, 167 insertions(+), 96 deletions(-) diff --git a/config/releases.exs b/config/releases.exs index 3fd533987..25f2e2161 100644 --- a/config/releases.exs +++ b/config/releases.exs @@ -11,6 +11,7 @@ secret_key_base = System.fetch_env!("SECRET_KEY_BASE") live_view_signing_salt = System.fetch_env!("LIVE_VIEW_SIGNING_SALT") ssl_cert_file = System.fetch_env!("SSL_CERT_FILE") ssl_key_file = System.fetch_env!("SSL_KEY_FILE") +wg_server_key = System.fetch_env!("WG_SERVER_KEY") disable_signup = case System.get_env("DISABLE_SIGNUP") do @@ -66,7 +67,7 @@ config :fz_http, FzHttpWeb.Endpoint, config :fz_vpn, vpn_endpoint: wg_endpoint_address <> ":" <> wg_listen_port, - private_key: File.read!("/opt/firezone/server.key") |> String.trim() + private_key: wg_server_key # ## Using releases (Elixir v1.9+) # diff --git a/pkg/ubuntu_18.04_amd64/DEBIAN/postinst b/pkg/ubuntu_18.04_amd64/DEBIAN/postinst index 46a141bcb..f6b67cb1b 100755 --- a/pkg/ubuntu_18.04_amd64/DEBIAN/postinst +++ b/pkg/ubuntu_18.04_amd64/DEBIAN/postinst @@ -1,14 +1,8 @@ #!/usr/bin/env bash -set -xe - -ls -la /opt/firezone/bin +set -e # FireZone package post-install script -# 1. Generate secrets -# 2. Bootstrap DB -# 3. Generate WireGuard interface and config - # All created files are 0600 by default umask 077 @@ -22,6 +16,8 @@ fi hostname=$(hostname) +### SET UP DB + # Create role if not exists db_user=firezone db_password="$(openssl rand -hex 16)" 
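Review bot: `System.fetch_env!("WG_SERVER_KEY")` in the first releases.exs hunk will abort boot on any host upgraded from a build that kept the key in `/opt/firezone/server.key`, because the postinst in this patch only writes `WG_SERVER_KEY` into a config.env it creates itself and never appends the variable to an existing one. Until a migration step ships, this line should fall back to the legacy location rather than crash: `wg_server_key = System.get_env("WG_SERVER_KEY") || File.read!("/opt/firezone/server.key") |> String.trim()`, leaving `private_key: wg_server_key` in the second hunk as is. Moving the private key into the environment also means any process the release spawns inherits it, which the file-based read avoided; whether the app shells out anywhere is not visible in this diff.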
@@ -41,29 +37,30 @@ else echo "${db_name} exists; not creating" fi +# Grant all privileges su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\"" -# Setup DB -# XXX: Remove || true and detect actual failures +### SET UP SSL +# XXX: Use Let's Encrypt # Write FireZone SSL files mkdir -p /opt/firezone/ssl ssl_key_file=/opt/firezone/ssl/key.pem ssl_cert_file=/opt/firezone/ssl/cert.pem -if [ ! -f $ssl_key_file && ! -f $ssl_cert_file]; then +if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then + echo "ssl files exist; not creating" +else openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \ -keyout $ssl_key_file \ -out $ssl_cert_file \ -days 365 -subj "/CN=${hostname}" -else - echo "ssl files exist; not creating" fi # Generate app secrets live_view_signing_salt="$(openssl rand -base64 24)" secret_key_base="$(openssl rand -base64 48)" db_key="$(openssl rand -base64 32)" -wg genkey > /opt/firezone/server.key +wg_server_key="$(wg genkey)" # Write FireZone config files if [ ! -f /opt/firezone/config.env ]; then @@ -100,6 +97,9 @@ WG_ENDPOINT_ADDRESS= # The Base64-encoded key for encrypted database fields. DB_ENCRYPTION_KEY=${db_key} +# The Base64-encoded private key for the WireGuard interface +WG_SERVER_KEY=${wg_server_key} + # SSL certificate file and key path. Self-signed certs are generated for you on # install, but it's highly recommended to replace these with valid certs. # Free certs can be obtained at https://letsencrypt.org. diff --git a/pkg/ubuntu_18.04_amd64/lib/systemd/system/firezone.service b/pkg/ubuntu_18.04_amd64/lib/systemd/system/firezone.service index 1ffca6203..93714f254 100644 --- a/pkg/ubuntu_18.04_amd64/lib/systemd/system/firezone.service +++ b/pkg/ubuntu_18.04_amd64/lib/systemd/system/firezone.service @@ -1,5 +1,5 @@ [Unit] -Description=FireZone +Description=firezone Requires=postgresql.service After=postgresql.service 
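Review bot: `wg_server_key="$(wg genkey)"` generates a fresh key even when `/opt/firezone/server.key` from the previous package version (the removed `wg genkey > /opt/firezone/server.key` line) is present, so on upgrade the server's public key changes and every existing peer configuration stops working, while the old key file stays on disk unused. Reuse it when present: `wg_server_key="$( { cat /opt/firezone/server.key 2>/dev/null || wg genkey; } | tr -d '\n')"`. Because the heredoc below only runs when config.env is absent, the variable also needs to be added to an existing file after the config block: `grep -q '^WG_SERVER_KEY=' /opt/firezone/config.env || echo "WG_SERVER_KEY=${wg_server_key}" >> /opt/firezone/config.env`.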
diff --git a/pkg/ubuntu_18.04_arm64/DEBIAN/postinst b/pkg/ubuntu_18.04_arm64/DEBIAN/postinst index 2dc5b1424..f6b67cb1b 100755 --- a/pkg/ubuntu_18.04_arm64/DEBIAN/postinst +++ b/pkg/ubuntu_18.04_arm64/DEBIAN/postinst @@ -1,14 +1,8 @@ #!/usr/bin/env bash -set -xe - -ls -la /opt/firezone/bin +set -e # FireZone package post-install script -# 1. Generate secrets -# 2. Bootstrap DB -# 3. Generate WireGuard interface and config - # All created files are 0600 by default umask 077 
@@ -20,34 +14,56 @@ else useradd --system firezone fi -# Generate app secrets -live_view_signing_salt="$(openssl rand -base64 24)" -secret_key_base="$(openssl rand -base64 48)" +hostname=$(hostname) + +### SET UP DB + +# Create role if not exists db_user=firezone - -# base64 includes forward slashes which are problematic in the -# db_url connect string, so use hex. db_password="$(openssl rand -hex 16)" +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\"" +else + echo "${db_user} role found in DB" +fi -db_key="$(openssl rand -base64 32)" +# Create DB if not exists +db_name=firezone +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true" +else + echo "${db_name} exists; not creating" +fi -# Setup DB -# XXX: Remove || true and detect actual failures -su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\" || true" -su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true" -su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\" || true" +# Grant all privileges +su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\"" + +### SET UP SSL +# XXX: Use Let's Encrypt # Write FireZone SSL files mkdir -p /opt/firezone/ssl -hostname=$(hostname) -openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \ - -keyout /opt/firezone/ssl/key.pem \ - -out /opt/firezone/ssl/cert.pem \ - -days 365 -subj "/CN=${hostname}" +ssl_key_file=/opt/firezone/ssl/key.pem +ssl_cert_file=/opt/firezone/ssl/cert.pem +if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then + echo "ssl files exist; not creating" +else + openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \ + -keyout $ssl_key_file \ + -out 
$ssl_cert_file \ + -days 365 -subj "/CN=${hostname}" +fi -wg genkey > /opt/firezone/server.key +# Generate app secrets +live_view_signing_salt="$(openssl rand -base64 24)" +secret_key_base="$(openssl rand -base64 48)" +db_key="$(openssl rand -base64 32)" +wg_server_key="$(wg genkey)" # Write FireZone config files +if [ ! -f /opt/firezone/config.env ]; then cat <> /opt/firezone/config.env # This file is loaded into FireZone's Environment upon launch to configure it. @@ -81,6 +97,9 @@ WG_ENDPOINT_ADDRESS= # The Base64-encoded key for encrypted database fields. DB_ENCRYPTION_KEY=${db_key} +# The Base64-encoded private key for the WireGuard interface +WG_SERVER_KEY=${wg_server_key} + # SSL certificate file and key path. Self-signed certs are generated for you on # install, but it's highly recommended to replace these with valid certs. # Free certs can be obtained at https://letsencrypt.org. @@ -98,6 +117,9 @@ SSL_KEY_FILE=/opt/firezone/ssl/key.pem # users via the CLI. DISABLE_SIGNUP=yes EOT +else + echo "config file exists; not creating" +fi # Set perms chown -R firezone:root /opt/firezone diff --git a/pkg/ubuntu_20.04_amd64/DEBIAN/postinst b/pkg/ubuntu_20.04_amd64/DEBIAN/postinst index 0a2bb2a2f..f6b67cb1b 100755 --- a/pkg/ubuntu_20.04_amd64/DEBIAN/postinst +++ b/pkg/ubuntu_20.04_amd64/DEBIAN/postinst @@ -3,9 +3,8 @@ set -e # FireZone package post-install script -# 1. Generate secrets -# 2. Bootstrap DB -# 3. Generate WireGuard interface and config +# All created files are 0600 by default +umask 077 # Add firezone user if not exists if id firezone &>/dev/null; then 
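Review bot: The `CREATE ROLE ... PASSWORD '${db_password}'` line passes the freshly generated database password on the command line of `su` and `psql`, where any local user can read it from `/proc/*/cmdline` for the duration of the call; feeding the statement on stdin avoids that, e.g. `printf "CREATE ROLE %s WITH LOGIN PASSWORD '%s';\n" "$db_user" "$db_password" | su postgres -c psql`. Separately, `db_password` is regenerated on every run but only applied when the role is new, so a host where the role already exists but config.env is missing ends up with a config.env password that does not match the role; the `else` branch should at least warn that the existing role's password is left unchanged. The hex encoding keeps the value safe inside the SQL single quotes, so no further quoting is needed.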
@@ -15,37 +14,56 @@ else useradd --system firezone fi -# Generate app secrets -live_view_signing_salt="$(openssl rand -base64 24)" -secret_key_base="$(openssl rand -base64 48)" +hostname=$(hostname) + +### SET UP DB + +# Create role if not exists db_user=firezone - -# base64 includes forward slashes which are problematic in the -# db_url connect string, so use hex. db_password="$(openssl rand -hex 16)" +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\"" +else + echo "${db_user} role found in DB" +fi -db_key="$(openssl rand -base64 32)" +# Create DB if not exists +db_name=firezone +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true" +else + echo "${db_name} exists; not creating" +fi -# Setup DB -sudo -i -u postgres psql -c "CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';" || true -sudo -i -u postgres psql -c "CREATE DATABASE firezone;" || true -sudo -i -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};" || true +# Grant all privileges +su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\"" + +### SET UP SSL +# XXX: Use Let's Encrypt # Write FireZone SSL files mkdir -p /opt/firezone/ssl -chown -R firezone:root /opt/firezone/ssl -hostname=$(hostname) -openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \ - -keyout /opt/firezone/ssl/key.pem \ - -out /opt/firezone/ssl/cert.pem \ - -days 365 -subj "/CN=${hostname}" -chmod 0600 /opt/firezone/ssl/key.pem -chmod 0644 /opt/firezone/ssl/cert.pem +ssl_key_file=/opt/firezone/ssl/key.pem +ssl_cert_file=/opt/firezone/ssl/cert.pem +if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then + echo "ssl files exist; not creating" +else + openssl req -new -x509 
-sha256 -newkey rsa:2048 -nodes \ + -keyout $ssl_key_file \ + -out $ssl_cert_file \ + -days 365 -subj "/CN=${hostname}" +fi + +# Generate app secrets +live_view_signing_salt="$(openssl rand -base64 24)" +secret_key_base="$(openssl rand -base64 48)" +db_key="$(openssl rand -base64 32)" +wg_server_key="$(wg genkey)" # Write FireZone config files -touch /opt/firezone/config.env -chmod 0600 /opt/firezone/config.env -chown -R firezone:root /opt/firezone +if [ ! -f /opt/firezone/config.env ]; then cat <> /opt/firezone/config.env # This file is loaded into FireZone's Environment upon launch to configure it. @@ -79,6 +97,9 @@ WG_ENDPOINT_ADDRESS= # The Base64-encoded key for encrypted database fields. DB_ENCRYPTION_KEY=${db_key} +# The Base64-encoded private key for the WireGuard interface +WG_SERVER_KEY=${wg_server_key} + # SSL certificate file and key path. Self-signed certs are generated for you on # install, but it's highly recommended to replace these with valid certs. # Free certs can be obtained at https://letsencrypt.org. @@ -96,7 +117,10 @@ SSL_KEY_FILE=/opt/firezone/ssl/key.pem # users via the CLI. DISABLE_SIGNUP=yes EOT +else + echo "config file exists; not creating" +fi -umask 077 -wg genkey > /opt/firezone/server.key -chown firezone:root /opt/firezone/server.key +# Set perms +chown -R firezone:root /opt/firezone +chmod 0644 /opt/firezone/ssl/cert.pem diff --git a/pkg/ubuntu_20.04_arm64/DEBIAN/postinst b/pkg/ubuntu_20.04_arm64/DEBIAN/postinst index 0a2bb2a2f..f6b67cb1b 100755 --- a/pkg/ubuntu_20.04_arm64/DEBIAN/postinst +++ b/pkg/ubuntu_20.04_arm64/DEBIAN/postinst @@ -3,9 +3,8 @@ set -e # FireZone package post-install script -# 1. Generate secrets -# 2. Bootstrap DB -# 3. Generate WireGuard interface and config +# All created files are 0600 by default +umask 077 # Add firezone user if not exists if id firezone &>/dev/null; then 
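Review bot: `chown -R firezone:root /opt/firezone` at the end of the last postinst hunk hands the service account ownership of everything under the install prefix, including the release binaries (`/opt/firezone/bin` is referenced by the `ls` line this patch removes in the 18.04 postinst), so a compromise of the running app can rewrite its own executables and persist across restarts. The old script did the same, but since this hunk drops and re-adds the line it is worth narrowing it to the data the service must own: `chown -R root:root /opt/firezone` followed by `chown -R firezone:root /opt/firezone/ssl /opt/firezone/config.env`, plus any runtime or tmp directories the release writes to, which are not visible here. The `chmod 0644` on cert.pem is fine; with `umask 077` the `ssl` directory itself stays 0700, so the cert is still only reachable by its owner.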
@@ -15,37 +14,56 @@ else useradd --system firezone fi -# Generate app secrets -live_view_signing_salt="$(openssl rand -base64 24)" -secret_key_base="$(openssl rand -base64 48)" +hostname=$(hostname) + +### SET UP DB + +# Create role if not exists db_user=firezone - -# base64 includes forward slashes which are problematic in the -# db_url connect string, so use hex. db_password="$(openssl rand -hex 16)" +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\"" +else + echo "${db_user} role found in DB" +fi -db_key="$(openssl rand -base64 32)" +# Create DB if not exists +db_name=firezone +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true" +else + echo "${db_name} exists; not creating" +fi -# Setup DB -sudo -i -u postgres psql -c "CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';" || true -sudo -i -u postgres psql -c "CREATE DATABASE firezone;" || true -sudo -i -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};" || true +# Grant all privileges +su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\"" + +### SET UP SSL +# XXX: Use Let's Encrypt # Write FireZone SSL files mkdir -p /opt/firezone/ssl -chown -R firezone:root /opt/firezone/ssl -hostname=$(hostname) -openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \ - -keyout /opt/firezone/ssl/key.pem \ - -out /opt/firezone/ssl/cert.pem \ - -days 365 -subj "/CN=${hostname}" -chmod 0600 /opt/firezone/ssl/key.pem -chmod 0644 /opt/firezone/ssl/cert.pem +ssl_key_file=/opt/firezone/ssl/key.pem +ssl_cert_file=/opt/firezone/ssl/cert.pem +if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then + echo "ssl files exist; not creating" +else + openssl req -new -x509 
-sha256 -newkey rsa:2048 -nodes \ + -keyout $ssl_key_file \ + -out $ssl_cert_file \ + -days 365 -subj "/CN=${hostname}" +fi + +# Generate app secrets +live_view_signing_salt="$(openssl rand -base64 24)" +secret_key_base="$(openssl rand -base64 48)" +db_key="$(openssl rand -base64 32)" +wg_server_key="$(wg genkey)" # Write FireZone config files -touch /opt/firezone/config.env -chmod 0600 /opt/firezone/config.env -chown -R firezone:root /opt/firezone +if [ ! -f /opt/firezone/config.env ]; then cat <> /opt/firezone/config.env # This file is loaded into FireZone's Environment upon launch to configure it. @@ -79,6 +97,9 @@ WG_ENDPOINT_ADDRESS= # The Base64-encoded key for encrypted database fields. DB_ENCRYPTION_KEY=${db_key} +# The Base64-encoded private key for the WireGuard interface +WG_SERVER_KEY=${wg_server_key} + # SSL certificate file and key path. Self-signed certs are generated for you on # install, but it's highly recommended to replace these with valid certs. # Free certs can be obtained at https://letsencrypt.org. @@ -96,7 +117,10 @@ SSL_KEY_FILE=/opt/firezone/ssl/key.pem # users via the CLI. DISABLE_SIGNUP=yes EOT +else + echo "config file exists; not creating" +fi -umask 077 -wg genkey > /opt/firezone/server.key -chown firezone:root /opt/firezone/server.key +# Set perms +chown -R firezone:root /opt/firezone +chmod 0644 /opt/firezone/ssl/cert.pem
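Review bot: The role and database existence checks match psql's human-readable footer with `[[ $res == *"0 rows"* ]]`, which depends on the output format and on the postgres user's locale (that footer can be translated when LC_MESSAGES is set); on a mismatch the check silently takes the `else` branch and the role or database is never created. Ask for a bare value instead: `res=$(su postgres -c "psql -tAc \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")` and then `if [ "$res" != "1" ]; then`, and the same for the `pg_database` query. Also `su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"` swallows a failed create that the following `GRANT` will then report confusingly, and the `CREATE ROLE` branch has no such guard; remove the `|| true` so `set -e` stops at the real cause.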