Just separate out the OS build trees; inconsistencies

.ci/build_packages.sh

@@ -60,6 +60,7 @@ case $format in
     version=0.2.0-1
     pkg_dir="firezone-${version}.x86_64"
     pkg_file="${pkg_dir}.rpm"
+    os_dir="${MATRIX_IMAGE/:/_}.x86_64"
     final_pkg_file="firezone-${version}-${MATRIX_IMAGE/:/_}.x86_64.rpm"
     image="ghcr.io/firezone/package-${MATRIX_IMAGE/:/_}:${GITHUB_SHA}"
 
@@ -70,6 +71,7 @@ case $format in
       -f pkg/Dockerfile.rpm \
       --platform linux/amd64 \
       --build-arg PKG_DIR=$pkg_dir \
+      --build-arg OS_DIR=$os_dir \
       --build-arg BASE_IMAGE=$tag \
       --progress plain \
       .

.dockerignore

@@ -1,10 +1,10 @@
-/* apps/fg_http/assets/node_modules */
-/* apps/fg_http/priv/static */
-/* _build */
-/* apps/fg_http/_build */
-/* apps/fg_wall/_build */
-/* apps/fg_vpn/_build */
-/* **/cover */
-/* docs */
-/* .DS_Store */
-/* .git */
+apps/fg_http/assets/node_modules
+apps/fg_http/priv/static
+_build
+apps/fg_http/_build
+apps/fg_wall/_build
+apps/fg_vpn/_build
+**/cover
+docs
+.DS_Store
+.git

pkg/Dockerfile.base.rpm

@@ -21,7 +21,6 @@ RUN yum install -y \
     glibc-all-langpacks \
     rpmdevtools \
     rpmlint
-ENV SHELL /bin/zsh
 
 # Restore missing locales from base image
 RUN yum reinstall glibc-common -y && \

pkg/Dockerfile.deb

@@ -4,10 +4,8 @@ FROM ${BASE_IMAGE}
 ARG PKG_DIR
 
 # Copy shared files
-COPY pkg pkg
-RUN rsync -avz pkg/skel/* pkg/$PKG_DIR/
-RUN rsync -avz pkg/deb_shared/* pkg/$PKG_DIR/
-RUN rsync -avz _build/prod/rel/firezone/* pkg/$PKG_DIR/usr/lib/firezone/
+COPY pkg/$PKG_DIR pkg/$PKG_DIR
+RUN rsync -az _build/prod/rel/firezone/* pkg/$PKG_DIR/usr/lib/firezone/
 RUN mkdir -p pkg/$PKG_DIR/usr/bin
 RUN cd pkg/$PKG_DIR/usr/bin && ln -s ../lib/firezone/bin/firezone
 RUN cd pkg && dpkg-deb --build $PKG_DIR

pkg/Dockerfile.rpm

@@ -2,10 +2,11 @@ ARG BASE_IMAGE
 FROM ${BASE_IMAGE}
 
 ARG PKG_DIR
+ARG OS_ARCH
 
 # Copy shared files
-COPY pkg/rpm_shared/rpmbuild rpmbuild
-COPY pkg/skel/ rpmbuild/BUILDROOT/$PKG_DIR/
+COPY pkg/$OS_DIR/rpmbuild rpmbuild
+COPY pkg/$OS_DIR/skel/ rpmbuild/BUILDROOT/$PKG_DIR/
 RUN rsync -az _build/prod/rel/firezone/* rpmbuild/BUILDROOT/$PKG_DIR/usr/lib/firezone/
 RUN mkdir -p rpmbuild/BUILDROOT/$PKG_DIR/usr/bin
 RUN cd rpmbuild/BUILDROOT/$PKG_DIR/usr/bin && ln -s ../lib/firezone/bin/firezone

pkg/centos_8.x86_64/rpmbuild/SPECS/firezone.spec

@@ -0,0 +1,29 @@
+Name:       firezone
+Version:    0.2.0
+Release:    1
+Summary:    Web UI + Firewall manager for WireGuard™
+URL:        https://firez.one
+License:    ASL 2.0
+Requires:   net-tools
+Requires:   wireguard-tools
+Requires:   postgresql-server >= 9.6
+Requires:   openssl
+Requires:   systemd
+Requires:   iptables
+Requires:   glibc
+
+%description
+Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
+set up firewall rules for your devices.
+
+%post
+/usr/lib/firezone/bin/postinst.sh
+
+%postun
+/usr/lib/firezone/bin/postrm.sh
+
+%files
+%config /etc/firezone
+/usr/lib/systemd/system/firezone.service
+/usr/lib/firezone
+/usr/bin/firezone

pkg/centos_8.x86_64/skel/etc/firezone/config.env

@@ -0,0 +1,30 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Temporary folder to store runtime cruft. Must be writable by the firezone user.
+RELEASE_TMP=/tmp
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=

pkg/centos_8.x86_64/skel/lib/systemd/system/firezone.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target

pkg/centos_8.x86_64/skel/usr/lib/firezone/bin/postinst.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+  echo "firezone user exists... not creating."
+else
+  echo "creating system user firezone"
+  useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+  echo "config file exists; not creating"
+else
+
+umask 037
+cat <<EOT >> /etc/firezone/secret/secrets.env
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem

pkg/centos_8.x86_64/skel/usr/lib/firezone/bin/postrm.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+  echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+  echo "If you really want to do this, run the following as root:"
+  echo "  su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+  echo "  rm -rf /etc/firezone/secret"
+fi

pkg/deb_shared/DEBIAN/changelog

@@ -1,3 +0,0 @@
-firezone (0.2.0ubuntu1) bionic; urgency=low
-
-  * initial release

pkg/debian_10.amd64/DEBIAN/changelog

@@ -0,0 +1,3 @@
+firezone (0.2.0-1) buster; urgency=low
+
+  * initial release

pkg/debian_10.amd64/etc/firezone/config.env

@@ -0,0 +1,30 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Temporary folder to store runtime cruft. Must be writable by the firezone user.
+RELEASE_TMP=/tmp
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=

pkg/debian_10.amd64/lib/firezone/bin/postinst.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+  echo "firezone user exists... not creating."
+else
+  echo "creating system user firezone"
+  useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+  echo "config file exists; not creating"
+else
+
+umask 037
+cat <<EOT >> /etc/firezone/secret/secrets.env
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem

pkg/debian_10.amd64/lib/firezone/bin/postrm.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+  echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+  echo "If you really want to do this, run the following as root:"
+  echo "  su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+  echo "  rm -rf /etc/firezone/secret"
+fi

pkg/debian_10.amd64/lib/systemd/system/firezone.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target

pkg/debian_10.arm64/DEBIAN/control

@@ -1,11 +0,0 @@
-Package: firezone
-Version: 0.2.0-1
-Architecture: arm64
-Maintainer: FireZone LLC <dpkg@firez.one>
-Depends: libc6, net-tools (>= 1.60), systemd (>= 237), openssl (>= 1.1.1), wireguard-tools (>= 1.0), postgresql (>= 9.6), iptables (>= 1.6.1)
-Section: net
-Priority: optional
-Homepage: https://firez.one
-Description: Web UI + Firewall manager for WireGuard™
- Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
- set up firewall rules for your devices.

pkg/fedora_33.x86_64/rpmbuild/SPECS/firezone.spec

@@ -0,0 +1,29 @@
+Name:       firezone
+Version:    0.2.0
+Release:    1
+Summary:    Web UI + Firewall manager for WireGuard™
+URL:        https://firez.one
+License:    ASL 2.0
+Requires:   net-tools
+Requires:   wireguard-tools
+Requires:   postgresql-server >= 9.6
+Requires:   openssl
+Requires:   systemd
+Requires:   iptables
+Requires:   glibc
+
+%description
+Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
+set up firewall rules for your devices.
+
+%post
+/usr/lib/firezone/bin/postinst.sh
+
+%postun
+/usr/lib/firezone/bin/postrm.sh
+
+%files
+%config /etc/firezone
+/lib/systemd/system/firezone.service
+/usr/lib/firezone
+/usr/bin/firezone

pkg/fedora_33.x86_64/skel/etc/firezone/config.env

@@ -0,0 +1,30 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Temporary folder to store runtime cruft. Must be writable by the firezone user.
+RELEASE_TMP=/tmp
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=

pkg/fedora_33.x86_64/skel/lib/systemd/system/firezone.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target

pkg/fedora_33.x86_64/skel/usr/lib/firezone/bin/postinst.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+  echo "firezone user exists... not creating."
+else
+  echo "creating system user firezone"
+  useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+  echo "config file exists; not creating"
+else
+
+umask 037
+cat <<EOT >> /etc/firezone/secret/secrets.env
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem

pkg/fedora_33.x86_64/skel/usr/lib/firezone/bin/postrm.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+  echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+  echo "If you really want to do this, run the following as root:"
+  echo "  su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+  echo "  rm -rf /etc/firezone/secret"
+fi

pkg/fedora_34.x86_64/rpmbuild/SPECS/firezone.spec

@@ -0,0 +1,29 @@
+Name:       firezone
+Version:    0.2.0
+Release:    1
+Summary:    Web UI + Firewall manager for WireGuard™
+URL:        https://firez.one
+License:    ASL 2.0
+Requires:   net-tools
+Requires:   wireguard-tools
+Requires:   postgresql-server >= 9.6
+Requires:   openssl
+Requires:   systemd
+Requires:   iptables
+Requires:   glibc
+
+%description
+Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
+set up firewall rules for your devices.
+
+%post
+/usr/lib/firezone/bin/postinst.sh
+
+%postun
+/usr/lib/firezone/bin/postrm.sh
+
+%files
+%config /etc/firezone
+/lib/systemd/system/firezone.service
+/usr/lib/firezone
+/usr/bin/firezone

pkg/fedora_34.x86_64/skel/etc/firezone/config.env

@@ -0,0 +1,30 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Temporary folder to store runtime cruft. Must be writable by the firezone user.
+RELEASE_TMP=/tmp
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=

pkg/fedora_34.x86_64/skel/lib/systemd/system/firezone.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target

pkg/fedora_34.x86_64/skel/usr/lib/firezone/bin/postinst.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+  echo "firezone user exists... not creating."
+else
+  echo "creating system user firezone"
+  useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+  echo "config file exists; not creating"
+else
+
+umask 037
+cat <<EOT >> /etc/firezone/secret/secrets.env
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem

pkg/fedora_34.x86_64/skel/usr/lib/firezone/bin/postrm.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+  echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+  echo "If you really want to do this, run the following as root:"
+  echo "  su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+  echo "  rm -rf /etc/firezone/secret"
+fi

pkg/ubuntu_18.04.amd64/DEBIAN/changelog

@@ -0,0 +1,3 @@
+firezone (0.2.0-1) bionic; urgency=low
+
+  * initial release

pkg/ubuntu_18.04.amd64/DEBIAN/postinst

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+# Call the post installation script
+echo "Executing post-installation setup..."
+. /usr/lib/firezone/bin/postinst.sh

pkg/ubuntu_18.04.amd64/DEBIAN/postrm

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+
+# Call the post removal script
+. /usr/lib/firezone/bin/postrm.sh

pkg/ubuntu_18.04.amd64/etc/firezone/config.env

@@ -0,0 +1,30 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Temporary folder to store runtime cruft. Must be writable by the firezone user.
+RELEASE_TMP=/tmp
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=

pkg/ubuntu_18.04.amd64/lib/firezone/bin/postinst.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+  echo "firezone user exists... not creating."
+else
+  echo "creating system user firezone"
+  useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+  echo "config file exists; not creating"
+else
+
+umask 037
+cat <<EOT >> /etc/firezone/secret/secrets.env
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem

pkg/ubuntu_18.04.amd64/lib/firezone/bin/postrm.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+  echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+  echo "If you really want to do this, run the following as root:"
+  echo "  su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+  echo "  rm -rf /etc/firezone/secret"
+fi

pkg/ubuntu_18.04.amd64/lib/systemd/system/firezone.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target

pkg/ubuntu_18.04.arm64/DEBIAN/control

@@ -1,11 +0,0 @@
-Package: firezone
-Version: 0.2.0-1
-Architecture: arm64
-Maintainer: FireZone, LLC <dpkg@firez.one>
-Depends: libc6, net-tools (>= 1.60), systemd (>= 237), openssl (>= 1.1.1), wireguard-tools (>= 1.0), postgresql (>= 9.6), iptables (>= 1.6.1)
-Section: net
-Priority: optional
-Homepage: https://firez.one
-Description: Web UI + Firewall manager for WireGuard™
- Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
- set up firewall rules for your devices.

pkg/ubuntu_20.04.amd64/DEBIAN/changelog

@@ -0,0 +1,3 @@
+firezone (0.2.0-1) focal; urgency=low
+
+  * initial release

pkg/ubuntu_20.04.amd64/DEBIAN/postinst

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+# Call the post installation script
+echo "Executing post-installation setup..."
+. /usr/lib/firezone/bin/postinst.sh

pkg/ubuntu_20.04.amd64/DEBIAN/postrm

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+
+# Call the post removal script
+. /usr/lib/firezone/bin/postrm.sh

pkg/ubuntu_20.04.amd64/etc/firezone/config.env

@@ -0,0 +1,30 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Temporary folder to store runtime cruft. Must be writable by the firezone user.
+RELEASE_TMP=/tmp
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=

pkg/ubuntu_20.04.amd64/lib/firezone/bin/postinst.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+  echo "firezone user exists... not creating."
+else
+  echo "creating system user firezone"
+  useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+  echo "config file exists; not creating"
+else
+
+umask 037
+cat <<EOT >> /etc/firezone/secret/secrets.env
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem

pkg/ubuntu_20.04.amd64/lib/firezone/bin/postrm.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+  echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+  echo "If you really want to do this, run the following as root:"
+  echo "  su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+  echo "  rm -rf /etc/firezone/secret"
+fi

pkg/ubuntu_20.04.amd64/lib/systemd/system/firezone.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target

pkg/ubuntu_20.04.arm64/DEBIAN/control

@@ -1,11 +0,0 @@
-Package: firezone
-Version: 0.2.0-1
-Architecture: arm64
-Maintainer: FireZone, LLC <dpkg@firez.one>
-Depends: libc6, net-tools (>= 1.60), systemd (>= 237), openssl (>= 1.1.1), wireguard-tools (>= 1.0), postgresql (>= 9.6), iptables (>= 1.6.1)
-Section: net
-Priority: optional
-Homepage: https://firez.one
-Description: Web UI + Firewall manager for WireGuard™
- Provides a web-based UI that allows you to configure WireGuard VPN tunnels and
- set up firewall rules for your devices.