From 156e77225c19ac397f36b789f22f9bb36336256d Mon Sep 17 00:00:00 2001 
From: Jamil Bou Kheir Date: Mon, 26 Jul 2021 17:31:11 -0700 Subject: [PATCH] Just separate out the OS build trees; inconsistencies --- .ci/build_packages.sh | 2 + .dockerignore | 20 ++-- pkg/Dockerfile.base.rpm | 1 - pkg/Dockerfile.deb | 6 +- pkg/Dockerfile.rpm | 5 +- .../rpmbuild/SPECS/firezone.spec | 0 .../skel/etc/firezone/config.env | 0 .../skel/usr/lib/firezone/bin/postinst.sh | 0 .../skel/usr/lib/firezone/bin/postrm.sh | 0 .../usr/lib/systemd/system/firezone.service | 0 .../rpmbuild/SPECS/firezone.spec | 29 +++++ .../skel/etc/firezone/config.env | 30 +++++ .../skel/lib/systemd/system/firezone.service | 20 ++++ .../skel/usr/lib/firezone/bin/postinst.sh | 103 ++++++++++++++++++ .../skel/usr/lib/firezone/bin/postrm.sh | 9 ++ pkg/deb_shared/DEBIAN/changelog | 3 - pkg/debian_10.amd64/DEBIAN/changelog | 3 + .../DEBIAN/postinst | 0 .../DEBIAN/postrm | 0 pkg/debian_10.amd64/etc/firezone/config.env | 30 +++++ .../lib/firezone/bin/postinst.sh | 103 ++++++++++++++++++ .../lib/firezone/bin/postrm.sh | 9 ++ .../lib/systemd/system/firezone.service | 20 ++++ pkg/debian_10.arm64/DEBIAN/control | 11 -- .../rpmbuild/SPECS/firezone.spec | 29 +++++ .../skel/etc/firezone/config.env | 30 +++++ .../skel/lib/systemd/system/firezone.service | 20 ++++ .../skel/usr/lib/firezone/bin/postinst.sh | 103 ++++++++++++++++++ .../skel/usr/lib/firezone/bin/postrm.sh | 9 ++ .../rpmbuild/SPECS/firezone.spec | 29 +++++ .../skel/etc/firezone/config.env | 30 +++++ .../skel/lib/systemd/system/firezone.service | 20 ++++ .../skel/usr/lib/firezone/bin/postinst.sh | 103 ++++++++++++++++++ .../skel/usr/lib/firezone/bin/postrm.sh | 9 ++ pkg/ubuntu_18.04.amd64/DEBIAN/changelog | 3 + pkg/ubuntu_18.04.amd64/DEBIAN/postinst | 6 + pkg/ubuntu_18.04.amd64/DEBIAN/postrm | 5 + .../etc/firezone/config.env | 30 +++++ .../lib/firezone/bin/postinst.sh | 103 ++++++++++++++++++ .../lib/firezone/bin/postrm.sh | 9 ++ .../lib/systemd/system/firezone.service | 20 ++++ pkg/ubuntu_18.04.arm64/DEBIAN/control | 11 -- 
pkg/ubuntu_20.04.amd64/DEBIAN/changelog | 3 + pkg/ubuntu_20.04.amd64/DEBIAN/postinst | 6 + pkg/ubuntu_20.04.amd64/DEBIAN/postrm | 5 + .../etc/firezone/config.env | 30 +++++ .../lib/firezone/bin/postinst.sh | 103 ++++++++++++++++++ .../lib/firezone/bin/postrm.sh | 9 ++ .../lib/systemd/system/firezone.service | 20 ++++ pkg/ubuntu_20.04.arm64/DEBIAN/control | 11 -- 50 files changed, 1107 insertions(+), 53 deletions(-) rename pkg/{rpm_shared => centos_7.x86_64}/rpmbuild/SPECS/firezone.spec (100%) rename pkg/{ => centos_7.x86_64}/skel/etc/firezone/config.env (100%) rename pkg/{ => centos_7.x86_64}/skel/usr/lib/firezone/bin/postinst.sh (100%) rename pkg/{ => centos_7.x86_64}/skel/usr/lib/firezone/bin/postrm.sh (100%) rename pkg/{ => centos_7.x86_64}/skel/usr/lib/systemd/system/firezone.service (100%) create mode 100644 pkg/centos_8.x86_64/rpmbuild/SPECS/firezone.spec create mode 100644 pkg/centos_8.x86_64/skel/etc/firezone/config.env create mode 100644 pkg/centos_8.x86_64/skel/lib/systemd/system/firezone.service create mode 100755 pkg/centos_8.x86_64/skel/usr/lib/firezone/bin/postinst.sh create mode 100755 pkg/centos_8.x86_64/skel/usr/lib/firezone/bin/postrm.sh delete mode 100644 pkg/deb_shared/DEBIAN/changelog create mode 100644 pkg/debian_10.amd64/DEBIAN/changelog rename pkg/{deb_shared => debian_10.amd64}/DEBIAN/postinst (100%) rename pkg/{deb_shared => debian_10.amd64}/DEBIAN/postrm (100%) create mode 100644 pkg/debian_10.amd64/etc/firezone/config.env create mode 100755 pkg/debian_10.amd64/lib/firezone/bin/postinst.sh create mode 100755 pkg/debian_10.amd64/lib/firezone/bin/postrm.sh create mode 100644 pkg/debian_10.amd64/lib/systemd/system/firezone.service delete mode 100644 pkg/debian_10.arm64/DEBIAN/control create mode 100644 pkg/fedora_33.x86_64/rpmbuild/SPECS/firezone.spec create mode 100644 pkg/fedora_33.x86_64/skel/etc/firezone/config.env create mode 100644 pkg/fedora_33.x86_64/skel/lib/systemd/system/firezone.service create mode 100755 
pkg/fedora_33.x86_64/skel/usr/lib/firezone/bin/postinst.sh create mode 100755 pkg/fedora_33.x86_64/skel/usr/lib/firezone/bin/postrm.sh create mode 100644 pkg/fedora_34.x86_64/rpmbuild/SPECS/firezone.spec create mode 100644 pkg/fedora_34.x86_64/skel/etc/firezone/config.env create mode 100644 pkg/fedora_34.x86_64/skel/lib/systemd/system/firezone.service create mode 100755 pkg/fedora_34.x86_64/skel/usr/lib/firezone/bin/postinst.sh create mode 100755 pkg/fedora_34.x86_64/skel/usr/lib/firezone/bin/postrm.sh create mode 100644 pkg/ubuntu_18.04.amd64/DEBIAN/changelog create mode 100755 pkg/ubuntu_18.04.amd64/DEBIAN/postinst create mode 100755 pkg/ubuntu_18.04.amd64/DEBIAN/postrm create mode 100644 pkg/ubuntu_18.04.amd64/etc/firezone/config.env create mode 100755 pkg/ubuntu_18.04.amd64/lib/firezone/bin/postinst.sh create mode 100755 pkg/ubuntu_18.04.amd64/lib/firezone/bin/postrm.sh create mode 100644 pkg/ubuntu_18.04.amd64/lib/systemd/system/firezone.service delete mode 100644 pkg/ubuntu_18.04.arm64/DEBIAN/control create mode 100644 pkg/ubuntu_20.04.amd64/DEBIAN/changelog create mode 100755 pkg/ubuntu_20.04.amd64/DEBIAN/postinst create mode 100755 pkg/ubuntu_20.04.amd64/DEBIAN/postrm create mode 100644 pkg/ubuntu_20.04.amd64/etc/firezone/config.env create mode 100755 pkg/ubuntu_20.04.amd64/lib/firezone/bin/postinst.sh create mode 100755 pkg/ubuntu_20.04.amd64/lib/firezone/bin/postrm.sh create mode 100644 pkg/ubuntu_20.04.amd64/lib/systemd/system/firezone.service delete mode 100644 pkg/ubuntu_20.04.arm64/DEBIAN/control diff --git a/.ci/build_packages.sh b/.ci/build_packages.sh index 5f9271734..51627b9e0 100755 --- a/.ci/build_packages.sh +++ b/.ci/build_packages.sh @@ -60,6 +60,7 @@ case $format in version=0.2.0-1 pkg_dir="firezone-${version}.x86_64" pkg_file="${pkg_dir}.rpm" + os_dir="${MATRIX_IMAGE/:/_}.x86_64" final_pkg_file="firezone-${version}-${MATRIX_IMAGE/:/_}.x86_64.rpm" image="ghcr.io/firezone/package-${MATRIX_IMAGE/:/_}:${GITHUB_SHA}" 
@@ -70,6 +71,7 @@ case $format in -f pkg/Dockerfile.rpm \ --platform linux/amd64 \ --build-arg PKG_DIR=$pkg_dir \ + --build-arg OS_DIR=$os_dir \ --build-arg BASE_IMAGE=$tag \ --progress plain \ . diff --git a/.dockerignore b/.dockerignore index f681a1188..16b80c8e8 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,10 +1,10 @@ -/* apps/fg_http/assets/node_modules */ -/* apps/fg_http/priv/static */ -/* _build */ -/* apps/fg_http/_build */ -/* apps/fg_wall/_build */ -/* apps/fg_vpn/_build */ -/* **/cover */ -/* docs */ -/* .DS_Store */ -/* .git */ +apps/fg_http/assets/node_modules +apps/fg_http/priv/static +_build +apps/fg_http/_build +apps/fg_wall/_build +apps/fg_vpn/_build +**/cover +docs +.DS_Store +.git diff --git a/pkg/Dockerfile.base.rpm b/pkg/Dockerfile.base.rpm index dbb607d4d..bcbfce220 100644 --- a/pkg/Dockerfile.base.rpm +++ b/pkg/Dockerfile.base.rpm @@ -21,7 +21,6 @@ RUN yum install -y \ glibc-all-langpacks \ rpmdevtools \ rpmlint -ENV SHELL /bin/zsh # Restore missing locales from base image RUN yum reinstall glibc-common -y && \ diff --git a/pkg/Dockerfile.deb b/pkg/Dockerfile.deb index e2ceb779a..0abaaffbc 100644 --- a/pkg/Dockerfile.deb +++ b/pkg/Dockerfile.deb @@ -4,10 +4,8 @@ FROM ${BASE_IMAGE} ARG PKG_DIR # Copy shared files -COPY pkg pkg -RUN rsync -avz pkg/skel/* pkg/$PKG_DIR/ -RUN rsync -avz pkg/deb_shared/* pkg/$PKG_DIR/ -RUN rsync -avz _build/prod/rel/firezone/* pkg/$PKG_DIR/usr/lib/firezone/ +COPY pkg/$PKG_DIR pkg/$PKG_DIR +RUN rsync -az _build/prod/rel/firezone/* pkg/$PKG_DIR/usr/lib/firezone/ RUN mkdir -p pkg/$PKG_DIR/usr/bin RUN cd pkg/$PKG_DIR/usr/bin && ln -s ../lib/firezone/bin/firezone RUN cd pkg && dpkg-deb --build $PKG_DIR diff --git a/pkg/Dockerfile.rpm b/pkg/Dockerfile.rpm index 546a65968..a9a38cd0d 100644 --- a/pkg/Dockerfile.rpm +++ b/pkg/Dockerfile.rpm 
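Review bot: The Debian tree this commit builds from is split between `lib/` and `usr/lib/`: `pkg/debian_10.amd64/lib/firezone/bin/postinst.sh` and `pkg/debian_10.amd64/lib/systemd/system/firezone.service` are added under `lib/`, while the new `RUN rsync -az _build/prod/rel/firezone/* pkg/$PKG_DIR/usr/lib/firezone/` and the existing `ln -s ../lib/firezone/bin/firezone` in `usr/bin` put the release under `usr/lib/`. On a merged-/usr host these end up in one directory, but on a Debian 10 system that is not merged they are two separate trees, and the RPM specs in this same patch call the helper as `/usr/lib/firezone/bin/postinst.sh`. Whether the renamed `DEBIAN/postinst` (contents not shown here) refers to `/lib/...` or `/usr/lib/...` cannot be seen from this diff; putting the helper scripts and the unit under `usr/lib` in the Debian trees, as the CentOS 7 skel does, would remove the ambiguity.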
@@ -2,10 +2,11 @@ ARG BASE_IMAGE FROM ${BASE_IMAGE} ARG PKG_DIR +ARG OS_ARCH # Copy shared files -COPY pkg/rpm_shared/rpmbuild rpmbuild -COPY pkg/skel/ rpmbuild/BUILDROOT/$PKG_DIR/ +COPY pkg/$OS_DIR/rpmbuild rpmbuild +COPY pkg/$OS_DIR/skel/ rpmbuild/BUILDROOT/$PKG_DIR/ RUN rsync -az _build/prod/rel/firezone/* rpmbuild/BUILDROOT/$PKG_DIR/usr/lib/firezone/ RUN mkdir -p rpmbuild/BUILDROOT/$PKG_DIR/usr/bin RUN cd rpmbuild/BUILDROOT/$PKG_DIR/usr/bin && ln -s ../lib/firezone/bin/firezone diff --git a/pkg/rpm_shared/rpmbuild/SPECS/firezone.spec b/pkg/centos_7.x86_64/rpmbuild/SPECS/firezone.spec similarity index 100% rename from pkg/rpm_shared/rpmbuild/SPECS/firezone.spec rename to pkg/centos_7.x86_64/rpmbuild/SPECS/firezone.spec diff --git a/pkg/skel/etc/firezone/config.env b/pkg/centos_7.x86_64/skel/etc/firezone/config.env similarity index 100% rename from pkg/skel/etc/firezone/config.env rename to pkg/centos_7.x86_64/skel/etc/firezone/config.env diff --git a/pkg/skel/usr/lib/firezone/bin/postinst.sh b/pkg/centos_7.x86_64/skel/usr/lib/firezone/bin/postinst.sh similarity index 100% rename from pkg/skel/usr/lib/firezone/bin/postinst.sh rename to pkg/centos_7.x86_64/skel/usr/lib/firezone/bin/postinst.sh diff --git a/pkg/skel/usr/lib/firezone/bin/postrm.sh b/pkg/centos_7.x86_64/skel/usr/lib/firezone/bin/postrm.sh similarity index 100% rename from pkg/skel/usr/lib/firezone/bin/postrm.sh rename to pkg/centos_7.x86_64/skel/usr/lib/firezone/bin/postrm.sh diff --git a/pkg/skel/usr/lib/systemd/system/firezone.service b/pkg/centos_7.x86_64/skel/usr/lib/systemd/system/firezone.service similarity index 100% rename from pkg/skel/usr/lib/systemd/system/firezone.service rename to pkg/centos_7.x86_64/skel/usr/lib/systemd/system/firezone.service diff --git a/pkg/centos_8.x86_64/rpmbuild/SPECS/firezone.spec b/pkg/centos_8.x86_64/rpmbuild/SPECS/firezone.spec new file mode 100644 index 000000000..7a8cac1e6 --- /dev/null +++ b/pkg/centos_8.x86_64/rpmbuild/SPECS/firezone.spec 
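Review bot: The new `COPY pkg/$OS_DIR/rpmbuild rpmbuild` and `COPY pkg/$OS_DIR/skel/ rpmbuild/BUILDROOT/$PKG_DIR/` lines read a build arg this Dockerfile never declares: the hunk adds `ARG OS_ARCH`, while `.ci/build_packages.sh` in this patch passes `--build-arg OS_DIR=$os_dir`. An undeclared ARG expands to an empty string, so the copies resolve to `pkg//rpmbuild` and `pkg//skel/`, which no longer exist now that `pkg/rpm_shared` and `pkg/skel` have been moved under `pkg/centos_7.x86_64`, and the RPM build should fail at the COPY step. The declaration should read `ARG OS_DIR`; `OS_ARCH` is not referenced anywhere else in this patch. The `# Copy shared files` comment above these lines is also stale now that the copy is per-OS.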
@@ -0,0 +1,29 @@
+Name: firezone
+Version: 0.2.0
+Release: 1
+Summary: Web UI + Firewall manager for WireGuard™
+URL: https://firez.one
+License: ASL 2.0
+Requires: net-tools
+Requires: wireguard-tools
+Requires: postgresql-server >= 9.6
+Requires: openssl
+Requires: systemd
+Requires: iptables
+Requires: glibc
+
+%description
+Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
+set up firewall rules for your devices.
+
+%post
+/usr/lib/firezone/bin/postinst.sh
+
+%postun
+/usr/lib/firezone/bin/postrm.sh
+
+%files
+%config /etc/firezone
+/usr/lib/systemd/system/firezone.service
+/usr/lib/firezone
+/usr/bin/firezone
diff --git a/pkg/centos_8.x86_64/skel/etc/firezone/config.env b/pkg/centos_8.x86_64/skel/etc/firezone/config.env
new file mode 100644
index 000000000..fdc6ad674
--- /dev/null
+++ b/pkg/centos_8.x86_64/skel/etc/firezone/config.env
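Review bot: The `%files` section lists `/usr/lib/systemd/system/firezone.service`, but the unit this commit adds for the same package is `pkg/centos_8.x86_64/skel/lib/systemd/system/firezone.service`, which `pkg/Dockerfile.rpm` copies into the build root as `lib/systemd/system/firezone.service`. The fedora_33 and fedora_34 specs in this patch list `/lib/systemd/system/firezone.service` to match their skel; unless something maps `lib` onto `usr/lib` inside the build root (nothing in `pkg/Dockerfile.rpm` does), rpmbuild is likely to fail with a missing packaged file and an unpackaged `lib/...` file. Either move the unit to `skel/usr/lib/systemd/system/` or change the entry to `/lib/systemd/system/firezone.service`. Separately, `%config /etc/firezone` without `(noreplace)` means an upgrade overwrites an admin-edited `config.env` (for example a changed `HTTPS_LISTEN_ADDRESS`) and leaves the edits in `.rpmsave`; `%config(noreplace) /etc/firezone` keeps the live file and drops the new default as `.rpmnew`.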
@@ -0,0 +1,30 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Temporary folder to store runtime cruft. Must be writable by the firezone user.
+RELEASE_TMP=/tmp
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=
diff --git a/pkg/centos_8.x86_64/skel/lib/systemd/system/firezone.service b/pkg/centos_8.x86_64/skel/lib/systemd/system/firezone.service
new file mode 100644
index 000000000..083cf8062
--- /dev/null
+++ b/pkg/centos_8.x86_64/skel/lib/systemd/system/firezone.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pkg/centos_8.x86_64/skel/usr/lib/firezone/bin/postinst.sh b/pkg/centos_8.x86_64/skel/usr/lib/firezone/bin/postinst.sh
new file mode 100755
index 000000000..361fefa7a
--- /dev/null
+++ b/pkg/centos_8.x86_64/skel/usr/lib/firezone/bin/postinst.sh
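Review bot: `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH` gives the `firezone` user a capability that bypasses read and search permission checks on every file on the host, not just its own; since `postinst.sh` in this same patch already runs `chown -R firezone:root /etc/firezone`, the key and secrets files are readable without it, so it is worth confirming what else actually needs it before shipping. If nothing does, dropping it and pinning the remaining set with `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW` plus `NoNewPrivileges=yes` limits what a compromised release process can reach. The identical unit is added for debian_10.amd64, fedora_33.x86_64 and fedora_34.x86_64 in this commit, so the same applies there.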
@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+ echo "firezone user exists... not creating."
+else
+ echo "creating system user firezone"
+ useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+ echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+ echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+ echo "ssl files exist; not creating"
+else
+ openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+ -keyout $ssl_key_file \
+ -out $ssl_cert_file \
+ -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+ echo "config file exists; not creating"
+else
+
+umask 037
+cat <> /etc/firezone/secret/secrets.env
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
diff --git a/pkg/centos_8.x86_64/skel/usr/lib/firezone/bin/postrm.sh b/pkg/centos_8.x86_64/skel/usr/lib/firezone/bin/postrm.sh
new file mode 100755
index 000000000..bbf1f0efc
--- /dev/null
+++ b/pkg/centos_8.x86_64/skel/usr/lib/firezone/bin/postrm.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+ echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+ echo "If you really want to do this, run the following as root:"
+ echo " su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+ echo " rm -rf /etc/firezone/secret"
+fi
diff --git a/pkg/deb_shared/DEBIAN/changelog b/pkg/deb_shared/DEBIAN/changelog
deleted file mode 100644
index 831de16be..000000000
--- a/pkg/deb_shared/DEBIAN/changelog
+++ /dev/null
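Review bot: The guard `if [ -f /etc/firezone/secret.env ]; then` tests a path this script never writes; the heredoc under it targets `/etc/firezone/secret/secrets.env` and, as far as the mangled `cat <> /etc/firezone/secret/secrets.env` line in this rendering shows, appends to it. Because `%post` also runs on upgrade and later assignments in a systemd `EnvironmentFile` override earlier ones, every reinstall appends a fresh `SECRET_KEY_BASE`, `DB_ENCRYPTION_KEY`, `WG_SERVER_KEY` and a `DATABASE_URL` with a new password, while `CREATE ROLE` only runs when the role is missing — so an upgrade can leave encrypted DB fields undecryptable (the data-loss case the file's own header warns about), rotate the WireGuard server key under existing peers, and break the DB login. The check should be `if [ -f /etc/firezone/secret/secrets.env ]; then`, and the four `openssl rand`/`wg genkey` assignments belong inside that `else` branch so nothing is generated when the file already exists. The same script is added verbatim (blob 361fefa7a) for debian_10.amd64, fedora_33.x86_64 and fedora_34.x86_64, the last of which is cut off at the end of this view. Minor: `[ -f $ssl_key_file ]` and the `-keyout`/`-out` arguments are unquoted expansions.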
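Review bot: `if [ "$1" = purge ]; then` can never be true in the RPM packages: the spec's `%postun` in this patch invokes `/usr/lib/firezone/bin/postrm.sh` with no arguments, so `$1` is empty and the refusal message is dead code there, and whether the renamed Debian `DEBIAN/postrm` (contents not shown) forwards `purge` cannot be seen from this diff. A comment such as `# "$1" is "purge" only when invoked from the Debian maintainer script; the RPM %postun passes no argument` would make the intent clear, or the spec could pass an explicit argument. Since the script only prints instructions, this is a documentation gap rather than a safety problem.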
@@ -1,3 +0,0 @@
-firezone (0.2.0ubuntu1) bionic; urgency=low
-
- * initial release
diff --git a/pkg/debian_10.amd64/DEBIAN/changelog b/pkg/debian_10.amd64/DEBIAN/changelog
new file mode 100644
index 000000000..3162bc425
--- /dev/null
+++ b/pkg/debian_10.amd64/DEBIAN/changelog
@@ -0,0 +1,3 @@
+firezone (0.2.0-1) buster; urgency=low
+
+ * initial release
diff --git a/pkg/deb_shared/DEBIAN/postinst b/pkg/debian_10.amd64/DEBIAN/postinst
similarity index 100%
rename from pkg/deb_shared/DEBIAN/postinst
rename to pkg/debian_10.amd64/DEBIAN/postinst
diff --git a/pkg/deb_shared/DEBIAN/postrm b/pkg/debian_10.amd64/DEBIAN/postrm
similarity index 100%
rename from pkg/deb_shared/DEBIAN/postrm
rename to pkg/debian_10.amd64/DEBIAN/postrm
diff --git a/pkg/debian_10.amd64/etc/firezone/config.env b/pkg/debian_10.amd64/etc/firezone/config.env
new file mode 100644
index 000000000..fdc6ad674
--- /dev/null
+++ b/pkg/debian_10.amd64/etc/firezone/config.env
@@ -0,0 +1,30 @@ +# This file is loaded into FireZone's Environment upon launch to configure it. + +# The HTTPS port to listen on. Defaults to 8800. +HTTPS_LISTEN_PORT=8800 + +# The address to bind the HTTPS server to. Defaults to "127.0.0.1" +HTTPS_LISTEN_ADDRESS=127.0.0.1 + +# The WireGuard port to listen on. Defaults to 51820. +WG_LISTEN_PORT=51820 + +# The address for the WireGuard endpoint. Defaults to the address of the +# default egress interface if not set. +WG_ENDPOINT_ADDRESS= + +# SSL certificate file and key path. Self-signed certs are generated for you on +# install, but it's highly recommended to replace these with valid certs. +# Free certs can be obtained at https://letsencrypt.org. +SSL_CERT_FILE=/etc/firezone/cert.pem +SSL_KEY_FILE=/etc/firezone/secret/key.pem + +# Temporary folder to store runtime cruft. Must be writable by the firezone user. +RELEASE_TMP=/tmp + +# Path to the intermediate certificates file. (usually not required) +# SSL_CA_CERT_FILE= + +# Host to use for generating links back to the application, such as in +# outbound emails. Should be publicly resolvable. Defaults to "localhost". +# URL_HOST= diff --git a/pkg/debian_10.amd64/lib/firezone/bin/postinst.sh b/pkg/debian_10.amd64/lib/firezone/bin/postinst.sh new file mode 100755 index 000000000..361fefa7a --- /dev/null +++ b/pkg/debian_10.amd64/lib/firezone/bin/postinst.sh 
@@ -0,0 +1,103 @@ +#!/bin/bash +set -e + +# FireZone package post-install script + +# All created files are 0600 by default +umask 077 + +# Add firezone user if not exists +if id firezone &>/dev/null; then + echo "firezone user exists... not creating." +else + echo "creating system user firezone" + useradd --system firezone +fi + +hostname=$(hostname) + +### SET UP DB + +# Create role if not exists +db_user=firezone +db_password="$(openssl rand -hex 16)" +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\"" +else + echo "${db_user} role found in DB" +fi + +# Create DB if not exists +db_name=firezone +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true" +else + echo "${db_name} exists; not creating" +fi + +# Grant all privileges +su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\"" + +# Set up secrets dir +mkdir -p /etc/firezone/secret +chown firezone:root /etc/firezone/secret +chmod 770 /etc/firezone/secret + +# Write FireZone SSL files +ssl_key_file=/etc/firezone/secret/key.pem +ssl_cert_file=/etc/firezone/cert.pem +if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then + echo "ssl files exist; not creating" +else + openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \ + -keyout $ssl_key_file \ + -out $ssl_cert_file \ + -days 365 -subj "/CN=${hostname}" +fi + +# Generate app secrets +live_view_signing_salt="$(openssl rand -base64 24)" +secret_key_base="$(openssl rand -base64 48)" +db_key="$(openssl rand -base64 32)" +wg_server_key="$(wg genkey)" + +# Write FireZone config file +if [ -f /etc/firezone/secret.env ]; then + echo "config file exists; not creating" +else + +umask 037 +cat <> /etc/firezone/secret/secrets.env +# This file 
is loaded into FireZone's Environment upon launch to configure it. + +# Warning: changing anything here can result in data loss. Make sure you know +# what you're doing! + +# This is used to ensure secure communication with the live web views. +# Re-generate this with "openssl rand -base64 24". All existing web views will +# need to be refreshed. +LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}" + +# This is used to secure cookies among other things. +# You can regenerate this with "openssl rand -base64 48". All existing clients +# will be signed out. +SECRET_KEY_BASE="${secret_key_base}" + +# The URL to connect to your DB. Assumes the database has been created and this +# user has privileges to create and modify tables. Must start with ecto:// +# Ex: ecto://user:password@localhost/firezone +DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone" + +# The Base64-encoded key for encrypted database fields. +DB_ENCRYPTION_KEY=${db_key} + +# The Base64-encoded private key for the WireGuard interface +WG_SERVER_KEY=${wg_server_key} +EOT +fi + +# Set perms +chown -R firezone:root /etc/firezone +chmod 0644 /etc/firezone/cert.pem diff --git a/pkg/debian_10.amd64/lib/firezone/bin/postrm.sh b/pkg/debian_10.amd64/lib/firezone/bin/postrm.sh new file mode 100755 index 000000000..bbf1f0efc --- /dev/null +++ b/pkg/debian_10.amd64/lib/firezone/bin/postrm.sh @@ -0,0 +1,9 @@ +#!/bin/bash +set -e + +if [ "$1" = purge ]; then + echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually." + echo "If you really want to do this, run the following as root:" + echo " su postgres -c 'psql -c \"DROP DATABASE firezone;\"'" + echo " rm -rf /etc/firezone/secret" +fi diff --git a/pkg/debian_10.amd64/lib/systemd/system/firezone.service b/pkg/debian_10.amd64/lib/systemd/system/firezone.service new file mode 100644 index 000000000..083cf8062 --- /dev/null +++ b/pkg/debian_10.amd64/lib/systemd/system/firezone.service 
@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pkg/debian_10.arm64/DEBIAN/control b/pkg/debian_10.arm64/DEBIAN/control
deleted file mode 100644
index 8439dae2b..000000000
--- a/pkg/debian_10.arm64/DEBIAN/control
+++ /dev/null
@@ -1,11 +0,0 @@
-Package: firezone
-Version: 0.2.0-1
-Architecture: arm64
-Maintainer: FireZone LLC
-Depends: libc6, net-tools (>= 1.60), systemd (>= 237), openssl (>= 1.1.1), wireguard-tools (>= 1.0), postgresql (>= 9.6), iptables (>= 1.6.1)
-Section: net
-Priority: optional
-Homepage: https://firez.one
-Description: Web UI + Firewall manager for WireGuard™
- Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
- set up firewall rules for your devices.
diff --git a/pkg/fedora_33.x86_64/rpmbuild/SPECS/firezone.spec b/pkg/fedora_33.x86_64/rpmbuild/SPECS/firezone.spec
new file mode 100644
index 000000000..ae6a7322b
--- /dev/null
+++ b/pkg/fedora_33.x86_64/rpmbuild/SPECS/firezone.spec
@@ -0,0 +1,29 @@ +Name: firezone +Version: 0.2.0 +Release: 1 +Summary: Web UI + Firewall manager for WireGuard™ +URL: https://firez.one +License: ASL 2.0 +Requires: net-tools +Requires: wireguard-tools +Requires: postgresql-server >= 9.6 +Requires: openssl +Requires: systemd +Requires: iptables +Requires: glibc + +%description +Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and +set up firewall rules for your devices. + +%post +/usr/lib/firezone/bin/postinst.sh + +%postun +/usr/lib/firezone/bin/postrm.sh + +%files +%config /etc/firezone +/lib/systemd/system/firezone.service +/usr/lib/firezone +/usr/bin/firezone diff --git a/pkg/fedora_33.x86_64/skel/etc/firezone/config.env b/pkg/fedora_33.x86_64/skel/etc/firezone/config.env new file mode 100644 index 000000000..fdc6ad674 --- /dev/null +++ b/pkg/fedora_33.x86_64/skel/etc/firezone/config.env 
@@ -0,0 +1,30 @@ +# This file is loaded into FireZone's Environment upon launch to configure it. + +# The HTTPS port to listen on. Defaults to 8800. +HTTPS_LISTEN_PORT=8800 + +# The address to bind the HTTPS server to. Defaults to "127.0.0.1" +HTTPS_LISTEN_ADDRESS=127.0.0.1 + +# The WireGuard port to listen on. Defaults to 51820. +WG_LISTEN_PORT=51820 + +# The address for the WireGuard endpoint. Defaults to the address of the +# default egress interface if not set. +WG_ENDPOINT_ADDRESS= + +# SSL certificate file and key path. Self-signed certs are generated for you on +# install, but it's highly recommended to replace these with valid certs. +# Free certs can be obtained at https://letsencrypt.org. +SSL_CERT_FILE=/etc/firezone/cert.pem +SSL_KEY_FILE=/etc/firezone/secret/key.pem + +# Temporary folder to store runtime cruft. Must be writable by the firezone user. +RELEASE_TMP=/tmp + +# Path to the intermediate certificates file. (usually not required) +# SSL_CA_CERT_FILE= + +# Host to use for generating links back to the application, such as in +# outbound emails. Should be publicly resolvable. Defaults to "localhost". +# URL_HOST= diff --git a/pkg/fedora_33.x86_64/skel/lib/systemd/system/firezone.service b/pkg/fedora_33.x86_64/skel/lib/systemd/system/firezone.service new file mode 100644 index 000000000..083cf8062 --- /dev/null +++ b/pkg/fedora_33.x86_64/skel/lib/systemd/system/firezone.service 
@@ -0,0 +1,20 @@ +[Unit] +Description=firezone +Requires=postgresql.service +After=postgresql.service + +[Service] +Restart=on-failure +RestartSec=1 +User=firezone +AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH +EnvironmentFile=/etc/firezone/config.env +EnvironmentFile=/etc/firezone/secret/secrets.env +ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate" +ExecStart=/usr/lib/firezone/bin/firezone start +# XXX: Remove sleeps +ExecStartPost=/bin/sleep 8 +ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user" + +[Install] +WantedBy=multi-user.target diff --git a/pkg/fedora_33.x86_64/skel/usr/lib/firezone/bin/postinst.sh b/pkg/fedora_33.x86_64/skel/usr/lib/firezone/bin/postinst.sh new file mode 100755 index 000000000..361fefa7a --- /dev/null +++ b/pkg/fedora_33.x86_64/skel/usr/lib/firezone/bin/postinst.sh 
@@ -0,0 +1,103 @@ +#!/bin/bash +set -e + +# FireZone package post-install script + +# All created files are 0600 by default +umask 077 + +# Add firezone user if not exists +if id firezone &>/dev/null; then + echo "firezone user exists... not creating." +else + echo "creating system user firezone" + useradd --system firezone +fi + +hostname=$(hostname) + +### SET UP DB + +# Create role if not exists +db_user=firezone +db_password="$(openssl rand -hex 16)" +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\"" +else + echo "${db_user} role found in DB" +fi + +# Create DB if not exists +db_name=firezone +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true" +else + echo "${db_name} exists; not creating" +fi + +# Grant all privileges +su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\"" + +# Set up secrets dir +mkdir -p /etc/firezone/secret +chown firezone:root /etc/firezone/secret +chmod 770 /etc/firezone/secret + +# Write FireZone SSL files +ssl_key_file=/etc/firezone/secret/key.pem +ssl_cert_file=/etc/firezone/cert.pem +if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then + echo "ssl files exist; not creating" +else + openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \ + -keyout $ssl_key_file \ + -out $ssl_cert_file \ + -days 365 -subj "/CN=${hostname}" +fi + +# Generate app secrets +live_view_signing_salt="$(openssl rand -base64 24)" +secret_key_base="$(openssl rand -base64 48)" +db_key="$(openssl rand -base64 32)" +wg_server_key="$(wg genkey)" + +# Write FireZone config file +if [ -f /etc/firezone/secret.env ]; then + echo "config file exists; not creating" +else + +umask 037 +cat <> /etc/firezone/secret/secrets.env +# This file 
is loaded into FireZone's Environment upon launch to configure it. + +# Warning: changing anything here can result in data loss. Make sure you know +# what you're doing! + +# This is used to ensure secure communication with the live web views. +# Re-generate this with "openssl rand -base64 24". All existing web views will +# need to be refreshed. +LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}" + +# This is used to secure cookies among other things. +# You can regenerate this with "openssl rand -base64 48". All existing clients +# will be signed out. +SECRET_KEY_BASE="${secret_key_base}" + +# The URL to connect to your DB. Assumes the database has been created and this +# user has privileges to create and modify tables. Must start with ecto:// +# Ex: ecto://user:password@localhost/firezone +DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone" + +# The Base64-encoded key for encrypted database fields. +DB_ENCRYPTION_KEY=${db_key} + +# The Base64-encoded private key for the WireGuard interface +WG_SERVER_KEY=${wg_server_key} +EOT +fi + +# Set perms +chown -R firezone:root /etc/firezone +chmod 0644 /etc/firezone/cert.pem diff --git a/pkg/fedora_33.x86_64/skel/usr/lib/firezone/bin/postrm.sh b/pkg/fedora_33.x86_64/skel/usr/lib/firezone/bin/postrm.sh new file mode 100755 index 000000000..bbf1f0efc --- /dev/null +++ b/pkg/fedora_33.x86_64/skel/usr/lib/firezone/bin/postrm.sh @@ -0,0 +1,9 @@ +#!/bin/bash +set -e + +if [ "$1" = purge ]; then + echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually." + echo "If you really want to do this, run the following as root:" + echo " su postgres -c 'psql -c \"DROP DATABASE firezone;\"'" + echo " rm -rf /etc/firezone/secret" +fi diff --git a/pkg/fedora_34.x86_64/rpmbuild/SPECS/firezone.spec b/pkg/fedora_34.x86_64/rpmbuild/SPECS/firezone.spec new file mode 100644 index 000000000..ae6a7322b --- /dev/null +++ b/pkg/fedora_34.x86_64/rpmbuild/SPECS/firezone.spec 
@@ -0,0 +1,29 @@ +Name: firezone +Version: 0.2.0 +Release: 1 +Summary: Web UI + Firewall manager for WireGuard™ +URL: https://firez.one +License: ASL 2.0 +Requires: net-tools +Requires: wireguard-tools +Requires: postgresql-server >= 9.6 +Requires: openssl +Requires: systemd +Requires: iptables +Requires: glibc + +%description +Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and +set up firewall rules for your devices. + +%post +/usr/lib/firezone/bin/postinst.sh + +%postun +/usr/lib/firezone/bin/postrm.sh + +%files +%config /etc/firezone +/lib/systemd/system/firezone.service +/usr/lib/firezone +/usr/bin/firezone diff --git a/pkg/fedora_34.x86_64/skel/etc/firezone/config.env b/pkg/fedora_34.x86_64/skel/etc/firezone/config.env new file mode 100644 index 000000000..fdc6ad674 --- /dev/null +++ b/pkg/fedora_34.x86_64/skel/etc/firezone/config.env 
@@ -0,0 +1,30 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Temporary folder to store runtime cruft. Must be writable by the firezone user.
+RELEASE_TMP=/tmp
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=
diff --git a/pkg/fedora_34.x86_64/skel/lib/systemd/system/firezone.service b/pkg/fedora_34.x86_64/skel/lib/systemd/system/firezone.service
new file mode 100644
index 000000000..083cf8062
--- /dev/null
+++ b/pkg/fedora_34.x86_64/skel/lib/systemd/system/firezone.service
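Review bot: `RELEASE_TMP=/tmp` points the release at the shared, world-writable temp directory while the comment only asks that it be writable by the firezone user; anything the release drops there is exposed to path pre-creation and symlink games by other local users, and what exactly is written there is not visible from this file. A service-private location is the safer default, e.g. `RELEASE_TMP=/var/lib/firezone/tmp` created and owned by firezone at install time, or keep `/tmp` and pair it with `PrivateTmp=true` in the unit. Either way the comment should say why: `# Temporary folder for runtime files. Keep it private to the firezone user; /tmp is shared with every local account.`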
@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pkg/fedora_34.x86_64/skel/usr/lib/firezone/bin/postinst.sh b/pkg/fedora_34.x86_64/skel/usr/lib/firezone/bin/postinst.sh
new file mode 100755
index 000000000..361fefa7a
--- /dev/null
+++ b/pkg/fedora_34.x86_64/skel/usr/lib/firezone/bin/postinst.sh
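Review bot: `CAP_DAC_READ_SEARCH` in `AmbientCapabilities=` lets the firezone process read every file on the host — `/etc/shadow`, SSH host keys, the PostgreSQL data directory — which is far beyond what a VPN management UI needs and turns any web-side bug into a full host read. The post-install script chowns `/etc/firezone` to the firezone user and the two `EnvironmentFile=` entries are read by systemd itself, so if the capability was added to reach `secret/key.pem` it is already covered by ownership; `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW` should suffice, and the unit would benefit from `PrivateTmp=true` (config.env defaults `RELEASE_TMP` to `/tmp`) and `NoNewPrivileges=true`, which should remain compatible with ambient capabilities but is worth confirming against this release. If the app genuinely needs the capability for something not visible here, a comment on that line naming the file it reads would save the next reviewer the same question.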
@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+ echo "firezone user exists... not creating."
+else
+ echo "creating system user firezone"
+ useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+ echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+ echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+ echo "ssl files exist; not creating"
+else
+ openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+ -keyout $ssl_key_file \
+ -out $ssl_cert_file \
+ -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+ echo "config file exists; not creating"
+else
+
+umask 037
+cat <> /etc/firezone/secret/secrets.env
+# This file
is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
diff --git a/pkg/fedora_34.x86_64/skel/usr/lib/firezone/bin/postrm.sh b/pkg/fedora_34.x86_64/skel/usr/lib/firezone/bin/postrm.sh
new file mode 100755
index 000000000..bbf1f0efc
--- /dev/null
+++ b/pkg/fedora_34.x86_64/skel/usr/lib/firezone/bin/postrm.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+ echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+ echo "If you really want to do this, run the following as root:"
+ echo " su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+ echo " rm -rf /etc/firezone/secret"
+fi
diff --git a/pkg/ubuntu_18.04.amd64/DEBIAN/changelog b/pkg/ubuntu_18.04.amd64/DEBIAN/changelog
new file mode 100644
index 000000000..eb03c6f1a
--- /dev/null
+++ b/pkg/ubuntu_18.04.amd64/DEBIAN/changelog
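Review bot: The guard before the secrets heredoc tests `/etc/firezone/secret.env`, but the heredoc appends to `/etc/firezone/secret/secrets.env`, so the check never matches and every run of this script — each upgrade or reinstall — appends a fresh set of values. systemd's `EnvironmentFile=` keeps the last assignment, so `SECRET_KEY_BASE`, `DB_ENCRYPTION_KEY`, `WG_SERVER_KEY` and the password inside `DATABASE_URL` silently rotate: existing encrypted DB fields become unreadable, every WireGuard peer loses the server key, and DB auth breaks because `CREATE ROLE` is skipped once the role exists. Fix the path and stop appending: `secrets_env=/etc/firezone/secret/secrets.env`, `if [ -f "$secrets_env" ]; then`, and `cat <<EOT > "$secrets_env"` (the `cat <>` shown on this page is presumably that redirection mangled by extraction). The DB password is also interpolated into the `psql` command line under `su -c`, where it is briefly visible in the process list; piping the SQL through stdin avoids that.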
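Review bot: The `[ "$1" = purge ]` test only matches dpkg's action word; when the spec in this commit runs this file from `%postun`, rpm passes the count of remaining package instances (0 on erase, 1 on upgrade), so the branch is dead on the RPM side and the warning about `/etc/firezone/secret` and the database never appears. Nothing is deleted either way, so the failure mode is only a missing message; `if [ "$1" = purge ] || [ "$1" = 0 ]; then` would cover both managers. The echoed cleanup also leaves the `firezone` login role behind — add `su postgres -c 'psql -c \"DROP ROLE firezone;\"'` to the printed steps.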
@@ -0,0 +1,3 @@
+firezone (0.2.0-1) bionic; urgency=low
+
+ * initial release
diff --git a/pkg/ubuntu_18.04.amd64/DEBIAN/postinst b/pkg/ubuntu_18.04.amd64/DEBIAN/postinst
new file mode 100755
index 000000000..55b029d67
--- /dev/null
+++ b/pkg/ubuntu_18.04.amd64/DEBIAN/postinst
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+# Call the post installation script
+echo "Executing post-installation setup..."
+. /usr/lib/firezone/bin/postinst.sh
diff --git a/pkg/ubuntu_18.04.amd64/DEBIAN/postrm b/pkg/ubuntu_18.04.amd64/DEBIAN/postrm
new file mode 100755
index 000000000..898d09c5b
--- /dev/null
+++ b/pkg/ubuntu_18.04.amd64/DEBIAN/postrm
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+
+# Call the post removal script
+. /usr/lib/firezone/bin/postrm.sh
diff --git a/pkg/ubuntu_18.04.amd64/etc/firezone/config.env b/pkg/ubuntu_18.04.amd64/etc/firezone/config.env
new file mode 100644
index 000000000..fdc6ad674
--- /dev/null
+++ b/pkg/ubuntu_18.04.amd64/etc/firezone/config.env
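Review bot: The maintainer-script argument is ignored, so `postinst.sh` is sourced on every invocation — `configure`, but also `abort-upgrade` and `abort-remove`, where re-running role creation, DB grants and secret generation is not wanted. Gate it on the action: `case "$1" in configure) /usr/lib/firezone/bin/postinst.sh ;; esac`. Executing the helper instead of sourcing it also keeps its `umask 037` and `set -e` state from leaking into this script.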
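Review bot: dpkg unlinks the package's files before it runs `postrm remove` and `postrm purge`, so `/usr/lib/firezone/bin/postrm.sh` is already gone when this script sources it; under `set -e` the failed `.` turns every removal into a "post-removal script returned error" failure. The purge message has to live in this file, e.g. `if [ "$1" = purge ]; then echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."; fi`, or the helper must be invoked from a `prerm` while it still exists.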
@@ -0,0 +1,30 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Temporary folder to store runtime cruft. Must be writable by the firezone user.
+RELEASE_TMP=/tmp
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=
diff --git a/pkg/ubuntu_18.04.amd64/lib/firezone/bin/postinst.sh b/pkg/ubuntu_18.04.amd64/lib/firezone/bin/postinst.sh
new file mode 100755
index 000000000..361fefa7a
--- /dev/null
+++ b/pkg/ubuntu_18.04.amd64/lib/firezone/bin/postinst.sh
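Review bot: `RELEASE_TMP=/tmp` sends the release's runtime files to the shared, world-writable temp directory, and the comment only requires writability by the firezone user; whatever the release stores there is then exposed to pre-created paths and symlinks from any other local account (what is written there is not visible from this file). Prefer a service-private default such as `RELEASE_TMP=/var/lib/firezone/tmp`, created and owned by firezone at install time, or keep `/tmp` only together with `PrivateTmp=true` in the unit. The comment should carry the reason: `# Temporary folder for runtime files. Keep it private to the firezone user; /tmp is shared with every local account.`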
@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+ echo "firezone user exists... not creating."
+else
+ echo "creating system user firezone"
+ useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+ echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+ echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+ echo "ssl files exist; not creating"
+else
+ openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+ -keyout $ssl_key_file \
+ -out $ssl_cert_file \
+ -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+ echo "config file exists; not creating"
+else
+
+umask 037
+cat <> /etc/firezone/secret/secrets.env
+# This file
is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
diff --git a/pkg/ubuntu_18.04.amd64/lib/firezone/bin/postrm.sh b/pkg/ubuntu_18.04.amd64/lib/firezone/bin/postrm.sh
new file mode 100755
index 000000000..bbf1f0efc
--- /dev/null
+++ b/pkg/ubuntu_18.04.amd64/lib/firezone/bin/postrm.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+ echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+ echo "If you really want to do this, run the following as root:"
+ echo " su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+ echo " rm -rf /etc/firezone/secret"
+fi
diff --git a/pkg/ubuntu_18.04.amd64/lib/systemd/system/firezone.service b/pkg/ubuntu_18.04.amd64/lib/systemd/system/firezone.service
new file mode 100644
index 000000000..083cf8062
--- /dev/null
+++ b/pkg/ubuntu_18.04.amd64/lib/systemd/system/firezone.service
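Review bot: The existence check before the secrets heredoc looks at `/etc/firezone/secret.env` while the heredoc appends to `/etc/firezone/secret/secrets.env`, so the guard never fires and each run of this script — every upgrade or reinstall via the package's postinst — appends another block of freshly generated values. Because systemd's `EnvironmentFile=` keeps the last assignment, `SECRET_KEY_BASE`, `DB_ENCRYPTION_KEY`, `WG_SERVER_KEY` and the password embedded in `DATABASE_URL` all rotate on upgrade: previously encrypted DB fields can no longer be decrypted, every WireGuard peer's configured server key becomes stale, and the new DB password does not match the existing role since `CREATE ROLE` is skipped once it exists. Use one variable for the path and overwrite rather than append: `secrets_env=/etc/firezone/secret/secrets.env`, `if [ -f "$secrets_env" ]; then`, `cat <<EOT > "$secrets_env"` (the `cat <>` on this page is presumably that redirection garbled by extraction). Passing the password inside the `su -c "psql -c ..."` argument also exposes it in the process list for the duration of the call; feeding the statement through stdin avoids it.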
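Review bot: The manual cleanup this script prints drops the database and removes the secrets directory but leaves the `firezone` login role, whose password lives in the file the user is told to delete; add `su postgres -c 'psql -c \"DROP ROLE firezone;\"'` to the echoed steps. Note also that this file lives under `/usr/lib/firezone`, which dpkg deletes before it runs the package's `postrm`, so whichever maintainer script sources it will not find it at remove or purge time — the message needs to be carried by that script directly.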
@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pkg/ubuntu_18.04.arm64/DEBIAN/control b/pkg/ubuntu_18.04.arm64/DEBIAN/control
deleted file mode 100644
index ad2ad00c8..000000000
--- a/pkg/ubuntu_18.04.arm64/DEBIAN/control
+++ /dev/null
@@ -1,11 +0,0 @@
-Package: firezone
-Version: 0.2.0-1
-Architecture: arm64
-Maintainer: FireZone, LLC
-Depends: libc6, net-tools (>= 1.60), systemd (>= 237), openssl (>= 1.1.1), wireguard-tools (>= 1.0), postgresql (>= 9.6), iptables (>= 1.6.1)
-Section: net
-Priority: optional
-Homepage: https://firez.one
-Description: Web UI + Firewall manager for WireGuard™
- Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
- set up firewall rules for your devices.
diff --git a/pkg/ubuntu_20.04.amd64/DEBIAN/changelog b/pkg/ubuntu_20.04.amd64/DEBIAN/changelog
new file mode 100644
index 000000000..dd64b0262
--- /dev/null
+++ b/pkg/ubuntu_20.04.amd64/DEBIAN/changelog
@@ -0,0 +1,3 @@
+firezone (0.2.0-1) focal; urgency=low
+
+ * initial release
diff --git a/pkg/ubuntu_20.04.amd64/DEBIAN/postinst b/pkg/ubuntu_20.04.amd64/DEBIAN/postinst
new file mode 100755
index 000000000..55b029d67
--- /dev/null
+++ b/pkg/ubuntu_20.04.amd64/DEBIAN/postinst
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+# Call the post installation script
+echo "Executing post-installation setup..."
+. /usr/lib/firezone/bin/postinst.sh
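Review bot: `CAP_DAC_READ_SEARCH` in `AmbientCapabilities=` grants the firezone process read access to every file on the host, including `/etc/shadow`, SSH host keys and the PostgreSQL data directory, which is well beyond what the service needs and makes any web-side file-read bug a full host disclosure. The post-install script already chowns `/etc/firezone` to firezone and systemd reads both `EnvironmentFile=` entries as root, so if the capability exists to reach `secret/key.pem` it is redundant; `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW` should be enough, and `PrivateTmp=true` (config.env defaults `RELEASE_TMP` to `/tmp`) plus `NoNewPrivileges=true` would tighten the unit further — the latter should coexist with ambient capabilities but is worth confirming against this release. If the capability is genuinely needed for something not visible here, a comment on that line naming the file would spare the next reviewer the same question.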
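Review bot: The maintainer-script argument is never inspected, so `postinst.sh` is sourced for `configure` as well as `abort-upgrade` and `abort-remove`, re-running role creation, grants and secret generation where none of that is wanted. Gate the call on the action, `case "$1" in configure) /usr/lib/firezone/bin/postinst.sh ;; esac`, and execute the helper rather than sourcing it so its `umask 037` and `set -e` state stay out of this script.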
diff --git a/pkg/ubuntu_20.04.amd64/DEBIAN/postrm b/pkg/ubuntu_20.04.amd64/DEBIAN/postrm
new file mode 100755
index 000000000..898d09c5b
--- /dev/null
+++ b/pkg/ubuntu_20.04.amd64/DEBIAN/postrm
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+
+# Call the post removal script
+. /usr/lib/firezone/bin/postrm.sh
diff --git a/pkg/ubuntu_20.04.amd64/etc/firezone/config.env b/pkg/ubuntu_20.04.amd64/etc/firezone/config.env
new file mode 100644
index 000000000..fdc6ad674
--- /dev/null
+++ b/pkg/ubuntu_20.04.amd64/etc/firezone/config.env
@@ -0,0 +1,30 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Temporary folder to store runtime cruft. Must be writable by the firezone user.
+RELEASE_TMP=/tmp
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=
diff --git a/pkg/ubuntu_20.04.amd64/lib/firezone/bin/postinst.sh b/pkg/ubuntu_20.04.amd64/lib/firezone/bin/postinst.sh
new file mode 100755
index 000000000..361fefa7a
--- /dev/null
+++ b/pkg/ubuntu_20.04.amd64/lib/firezone/bin/postinst.sh
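Review bot: dpkg removes the package's files before invoking `postrm remove` and `postrm purge`, so `/usr/lib/firezone/bin/postrm.sh` is already gone when this script sources it, and under `set -e` the failed `.` makes every removal fail with a post-removal script error. Carry the purge warning in this file itself, e.g. `if [ "$1" = purge ]; then echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."; fi`, or move the helper call to a `prerm` that runs while the file still exists.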
@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+ echo "firezone user exists... not creating."
+else
+ echo "creating system user firezone"
+ useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+ echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+ echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+ echo "ssl files exist; not creating"
+else
+ openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+ -keyout $ssl_key_file \
+ -out $ssl_cert_file \
+ -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+ echo "config file exists; not creating"
+else
+
+umask 037
+cat <> /etc/firezone/secret/secrets.env
+# This file
is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
diff --git a/pkg/ubuntu_20.04.amd64/lib/firezone/bin/postrm.sh b/pkg/ubuntu_20.04.amd64/lib/firezone/bin/postrm.sh
new file mode 100755
index 000000000..bbf1f0efc
--- /dev/null
+++ b/pkg/ubuntu_20.04.amd64/lib/firezone/bin/postrm.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+ echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+ echo "If you really want to do this, run the following as root:"
+ echo " su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+ echo " rm -rf /etc/firezone/secret"
+fi
diff --git a/pkg/ubuntu_20.04.amd64/lib/systemd/system/firezone.service b/pkg/ubuntu_20.04.amd64/lib/systemd/system/firezone.service
new file mode 100644
index 000000000..083cf8062
--- /dev/null
+++ b/pkg/ubuntu_20.04.amd64/lib/systemd/system/firezone.service
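Review bot: The guard in front of the secrets heredoc checks `/etc/firezone/secret.env`, yet the heredoc appends to `/etc/firezone/secret/secrets.env`, so the check never matches and each run of this script — every upgrade or reinstall through the package's postinst — appends another block of newly generated values. With systemd's `EnvironmentFile=` taking the last assignment, `SECRET_KEY_BASE`, `DB_ENCRYPTION_KEY`, `WG_SERVER_KEY` and the password in `DATABASE_URL` rotate on upgrade: existing encrypted DB fields become unreadable, every peer's copy of the WireGuard server key goes stale, and DB auth fails because `CREATE ROLE` is skipped once the role exists. Point the guard at the real file and overwrite rather than append: `secrets_env=/etc/firezone/secret/secrets.env`, `if [ -f "$secrets_env" ]; then`, `cat <<EOT > "$secrets_env"` (the `cat <>` on this page looks like that redirection garbled by extraction). The password is also interpolated into the `su -c "psql -c ..."` argument and so shows up in the process list while it runs; piping the SQL via stdin avoids that.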
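Review bot: The cleanup steps this script prints drop the database and remove the secrets directory but leave the `firezone` login role, whose password is in the file the user is told to delete; add `su postgres -c 'psql -c \"DROP ROLE firezone;\"'` to the echoed instructions. This file is also installed under `/usr/lib/firezone`, which dpkg deletes before running the package's `postrm`, so a maintainer script that sources it at remove or purge time will not find it — the warning has to live in that script directly.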
@@ -0,0 +1,20 @@
+[Unit]
+Description=firezone
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=firezone
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/etc/firezone/config.env
+EnvironmentFile=/etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
+# XXX: Remove sleeps
+ExecStartPost=/bin/sleep 8
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pkg/ubuntu_20.04.arm64/DEBIAN/control b/pkg/ubuntu_20.04.arm64/DEBIAN/control
deleted file mode 100644
index 5a00a2966..000000000
--- a/pkg/ubuntu_20.04.arm64/DEBIAN/control
+++ /dev/null
@@ -1,11 +0,0 @@
-Package: firezone
-Version: 0.2.0-1
-Architecture: arm64
-Maintainer: FireZone, LLC
-Depends: libc6, net-tools (>= 1.60), systemd (>= 237), openssl (>= 1.1.1), wireguard-tools (>= 1.0), postgresql (>= 9.6), iptables (>= 1.6.1)
-Section: net
-Priority: optional
-Homepage: https://firez.one
-Description: Web UI + Firewall manager for WireGuard™
- Provides a web-based UI that allows you to configure WireGuard VPN tunnels and
- set up firewall rules for your devices.