diff --git a/elixir/apps/web/lib/web/live/relay_groups/new_token.ex b/elixir/apps/web/lib/web/live/relay_groups/new_token.ex index b781e0e10..d6f6e43d8 100644 --- a/elixir/apps/web/lib/web/live/relay_groups/new_token.ex +++ b/elixir/apps/web/lib/web/live/relay_groups/new_token.ex @@ -23,7 +23,7 @@ defmodule Web.RelayGroups.NewToken do group: group, env: env, connected?: false, - selected_tab: "docker-instructions" + selected_tab: "systemd-instructions" )} else _other -> raise Web.LiveErrors.NotFoundError @@ -51,13 +51,110 @@ defmodule Web.RelayGroups.NewToken do <.tabs :if={@env} id="deployment-instructions"> + <:tab + id="systemd-instructions" + label="systemd" + phx_click="tab_selected" + selected={@selected_tab == "systemd-instructions"} + > +

+ 1. Create an unprivileged user and group to run the relay: +

+ + <.code_block + id="code-sample-systemd0" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo groupadd -f firezone \ + && id -u firezone &>/dev/null || sudo useradd -r -g firezone -s /sbin/nologin firezone + +

+ 2. Create a new systemd unit file: +

+ + <.code_block + id="code-sample-systemd1" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo nano /etc/systemd/system/firezone-relay.service + +

+ 3. Copy-paste the following contents into the file: +

+ + <.code_block + id="code-sample-systemd2" + class="w-full text-xs whitespace-pre-line" + phx-no-format + phx-update="ignore" + ><%= systemd_command(@env) %> + +

+ 4. Save by pressing Ctrl+X, then Y, then Enter. +

+ +

+ 5. Reload systemd configuration: +

+ + <.code_block + id="code-sample-systemd4" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo systemctl daemon-reload + +

+ 6. Start the service: +

+ + <.code_block + id="code-sample-systemd5" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo systemctl start firezone-relay + +

+ 7. Enable the service to start on boot: +

+ + <.code_block + id="code-sample-systemd6" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo systemctl enable firezone-relay +
+ +

+ Troubleshooting +

+ +

+ Check the status of the service: +

+ + <.code_block + id="code-sample-systemd7" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo systemctl status firezone-relay + +

+ Check the logs: +

+ + <.code_block + id="code-sample-systemd8" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo journalctl -u firezone-relay.service + <:tab id="docker-instructions" label="Docker" phx_click="tab_selected" selected={@selected_tab == "docker-instructions"} > -

+

Copy-paste this command to your server and replace PUBLIC_IP4_ADDR and PUBLIC_IP6_ADDR with your public IP addresses: @@ -65,94 +162,36 @@ defmodule Web.RelayGroups.NewToken do <.code_block id="code-sample-docker1" - class="w-full rounded-b" + class="w-full text-xs whitespace-pre-line" phx-no-format phx-update="ignore" ><%= docker_command(@env) %>
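Review bot: `&>/dev/null` in the new `code-sample-systemd0` snippet is a bash-only redirection; pasted into a POSIX `sh` (dash is `/bin/sh` on Debian/Ubuntu) it parses as `id -u firezone &` followed by a bare `>/dev/null`, so `id` is backgrounded, the redirection-only command succeeds, and the `|| sudo useradd …` branch never runs. The portable form is `id -u firezone >/dev/null 2>&1 || sudo useradd -r -g firezone -s /sbin/nologin firezone`. Because `&&` and `||` bind equally, a failing `groupadd` (for example without sudo rights) also falls straight through to `useradd`; putting `sudo groupadd -f firezone` on its own line keeps that failure visible. The gateway tab in elixir/apps/web/lib/web/live/sites/new_token.ex carries the same snippet.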


-

+

Troubleshooting -

+

-

+

Check the container status:

- <.code_block id="code-sample-docker2" class="w-full" phx-no-format>docker ps --filter "name=firezone-relay" + <.code_block + id="code-sample-docker2" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >docker ps --filter "name=firezone-relay" -

+

Check the container logs:

- <.code_block id="code-sample-docker3" class="w-full rounded-b" phx-no-format>docker logs firezone-relay - - <:tab - id="systemd-instructions" - label="Systemd" - phx_click="tab_selected" - selected={@selected_tab == "systemd-instructions"} - > -

- 1. Create a systemd unit file with the following content: -

- - <.code_block id="code-sample-systemd1" class="w-full" phx-no-format>sudo nano /etc/systemd/system/firezone-relay.service - -

- 2. Copy-paste the following content into the file and replace - PUBLIC_IP4_ADDR - and PUBLIC_IP6_ADDR - with your public IP addresses:: -

- <.code_block - id="code-sample-systemd2" - class="w-full rounded-b" + id="code-sample-docker3" + class="w-full text-xs whitespace-pre-line" phx-no-format - phx-update="ignore" - ><%= systemd_command(@env) %> - -

- 3. Save by pressing Ctrl+X, then Y, then Enter. -

- -

- 4. Reload systemd configuration: -

- - <.code_block id="code-sample-systemd4" class="w-full" phx-no-format>sudo systemctl daemon-reload - -

- 5. Start the service: -

- - <.code_block id="code-sample-systemd5" class="w-full" phx-no-format>sudo systemctl start firezone-relay - -

- 6. Enable the service to start on boot: -

- - <.code_block id="code-sample-systemd6" class="w-full" phx-no-format>sudo systemctl enable firezone-relay - -
- -

- Troubleshooting -

- -

- Check the status of the service: -

- - <.code_block id="code-sample-systemd7" class="w-full rounded-b" phx-no-format>sudo systemctl status firezone-relay - -

- Check the logs: -

+
- <.code_block id="code-sample-systemd8" class="w-full rounded-b" phx-no-format>sudo journalctl -u firezone-relay.service
+ >docker logs firezone-relay
@@ -223,7 +262,7 @@ defmodule Web.RelayGroups.NewToken do
 "--health-cmd=\"lsof -i UDP | grep firezone-relay\"",
 "--name=firezone-relay",
 "--cap-add=NET_ADMIN",
- "--volume /etc/firezone",
+ "--volume /var/lib/firezone",
 "--sysctl net.ipv4.ip_forward=1",
 "--sysctl net.ipv4.conf.all.src_valid_mark=1",
 "--sysctl net.ipv6.conf.all.disable_ipv6=0",
@@ -248,7 +287,7 @@ defmodule Web.RelayGroups.NewToken do
 [Service]
 Type=simple
 #{Enum.map_join(env, "\n", fn {key, value} -> "Environment=\"#{key}=#{value}\"" end)}
- ExecStartPre=/bin/sh -c 'set -xue; \\
+ ExecStartPre=/bin/sh -c 'set -ue; \\
 if [ ! -e /usr/local/bin/firezone-relay ]; then \\
 FIREZONE_VERSION=$(curl -Ls \\
 -H "Accept: application/vnd.github+json" \\
@@ -270,14 +309,20 @@ defmodule Web.RelayGroups.NewToken do
 echo "Unsupported architecture"; \\
 exit 1 ;; \\
 esac; \\
- wget -O /usr/local/bin/firezone-relay $bin_url; \\
- chmod +x /usr/local/bin/firezone-relay; \\
- mkdir -p /etc/firezone; \\
- chmod 0755 /etc/firezone; \\
+ curl -Ls $bin_url -o /usr/local/bin/firezone-relay; \\
+ chgrp firezone /usr/local/bin/firezone-relay; \\
+ chmod 0750 /usr/local/bin/firezone-relay; \\
 fi; \\
+ mkdir -p /var/lib/firezone; \\
+ chown firezone:firezone /var/lib/firezone; \\
+ chmod 0775 /var/lib/firezone; \\
 '
- AmbientCapabilities=CAP_NET_ADMIN
- ExecStart=/bin/sh -c 'FIREZONE_NAME=$(hostname); /usr/local/bin/firezone-relay'
+ ExecStart=/usr/bin/sudo \\
+ --preserve-env=FIREZONE_NAME,FIREZONE_ID,FIREZONE_TOKEN,PUBLIC_IP4_ADDR,PUBLIC_IP6_ADDR,RUST_LOG,LOG_FORMAT \\
+ -u firezone \\
+ -g firezone \\
+ FIREZONE_NAME=$(hostname) \\
+ /usr/local/bin/firezone-relay
 TimeoutStartSec=3s
 TimeoutStopSec=15s
 Restart=always
diff --git a/elixir/apps/web/lib/web/live/sites/new_token.ex b/elixir/apps/web/lib/web/live/sites/new_token.ex
index 558c9b75e..68f6d600e 100644
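Review bot: `FIREZONE_NAME=$(hostname)` in the new ExecStart is never expanded — systemd performs only `$VAR` environment substitution on ExecStart lines, not shell command substitution — so the relay is started with the literal string `$(hostname)` as its name; the `%H` specifier is the systemd way to get the hostname, and the same line is in the gateway unit in elixir/apps/web/lib/web/live/sites/new_token.ex. Dropping privileges through `/usr/bin/sudo --preserve-env=…` also makes the unit depend on sudo being installed and on its env_reset/SETENV policy; `User=firezone`/`Group=firezone` in `[Service]` plus a `+`-prefixed `ExecStartPre=` (runs as root, systemd ≥ 231) achieves the same without sudo, as sketched below. Separately, `curl -Ls $bin_url -o /usr/local/bin/firezone-relay` has no `--fail`, so an HTTP error page is written to the binary path, made executable, and then never re-fetched because of the `! -e` guard; `curl -fLs "$bin_url" …` (ideally followed by verifying a published checksum before the chmod) closes that. The `systemd_command` heredoc starts outside the hunk.
```elixir
    # … unchanged: [Unit] section and the Environment= lines built from env …
    Environment="FIREZONE_NAME=%H"
    User=firezone
    Group=firezone
    ExecStartPre=+/bin/sh -c 'set -ue; \\
    # … unchanged: version lookup, curl -fLs download, chgrp/chmod, /var/lib/firezone setup …
    '
    ExecStart=/usr/local/bin/firezone-relay
```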
--- a/elixir/apps/web/lib/web/live/sites/new_token.ex
+++ b/elixir/apps/web/lib/web/live/sites/new_token.ex
@@ -22,7 +22,7 @@ defmodule Web.Sites.NewToken do
 group: group,
 env: env,
 connected?: false,
- selected_tab: "docker-instructions"
+ selected_tab: "systemd-instructions"
 )}
 else
 {:error, _reason} -> raise Web.LiveErrors.NotFoundError
@@ -59,10 +59,82 @@ defmodule Web.Sites.NewToken do
 <:content>
- Select deployment method: + Select deployment method then follow the instructions below:
<.tabs :if={@env} id="deployment-instructions"> + <:tab + id="systemd-instructions" + label="Systemd" + phx_click="tab_selected" + selected={@selected_tab == "systemd-instructions"} + > +

+ 1. Create an unprivileged user and group to run the gateway: +

+ + <.code_block + id="code-sample-systemd0" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo groupadd -f firezone \ + && id -u firezone &>/dev/null || sudo useradd -r -g firezone -s /sbin/nologin firezone + +

+ 2. Create a new systemd unit file: +

+ + <.code_block + id="code-sample-systemd1" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo nano /etc/systemd/system/firezone-gateway.service + +

+ 3. Copy-paste the following contents into the file: +

+ + <.code_block + id="code-sample-systemd2" + class="w-full text-xs whitespace-pre-line" + phx-no-format + phx-update="ignore" + ><%= systemd_command(@env) %> + +

+ 4. Save by pressing Ctrl+X, then Y, then Enter. +

+ +

+ 5. Reload systemd configuration: +

+ + <.code_block + id="code-sample-systemd4" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo systemctl daemon-reload + +

+ 6. Start the service: +

+ + <.code_block + id="code-sample-systemd5" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo systemctl start firezone-gateway + +

+ 7. Enable the service to start on boot: +

+ + <.code_block + id="code-sample-systemd6" + class="w-full text-xs whitespace-pre-line" + phx-no-format + >sudo systemctl enable firezone-gateway + <:tab id="docker-instructions" label="Docker" @@ -73,52 +145,12 @@ defmodule Web.Sites.NewToken do Copy-paste this command to your server:

- <.code_block id="code-sample-docker1" class="w-full" phx-no-format phx-update="ignore"><%= docker_command(@env) %> - - <:tab - id="systemd-instructions" - label="Systemd" - phx_click="tab_selected" - selected={@selected_tab == "systemd-instructions"} - > -

- 1. Create a new systemd unit file: -

- - <.code_block id="code-sample-systemd1" class="w-full" phx-no-format>sudo nano /etc/systemd/system/firezone-gateway.service - -

- 2. Copy-paste the following contents into the file: -

- <.code_block - id="code-sample-systemd2" - class="w-full rounded-b" + id="code-sample-docker1" + class="w-full text-xs whitespace-pre-line" phx-no-format phx-update="ignore" - ><%= systemd_command(@env) %> - -

- 3. Save by pressing Ctrl+X, then Y, then Enter. -

- -

- 4. Reload systemd configuration: -

- - <.code_block id="code-sample-systemd4" class="w-full" phx-no-format>sudo systemctl daemon-reload - -

- 5. Start the service: -

- - <.code_block id="code-sample-systemd5" class="w-full" phx-no-format>sudo systemctl start firezone-gateway - -

- 6. Enable the service to start on boot: -

-
- <.code_block id="code-sample-systemd6" class="w-full" phx-no-format>sudo systemctl enable firezone-gateway
+ ><%= docker_command(@env) %>
@@ -187,7 +219,7 @@ defmodule Web.Sites.NewToken do
 "--health-cmd=\"ip link | grep tun-firezone\"",
 "--name=firezone-gateway",
 "--cap-add=NET_ADMIN",
- "--volume /etc/firezone",
+ "--volume /var/lib/firezone",
 "--sysctl net.ipv4.ip_forward=1",
 "--sysctl net.ipv4.conf.all.src_valid_mark=1",
 "--sysctl net.ipv6.conf.all.disable_ipv6=0",
@@ -214,7 +246,7 @@ defmodule Web.Sites.NewToken do
 [Service]
 Type=simple
 #{Enum.map_join(env, "\n", fn {key, value} -> "Environment=\"#{key}=#{value}\"" end)}
- ExecStartPre=/bin/sh -c 'set -xue; \\
+ ExecStartPre=/bin/sh -c 'set -ue; \\
 if [ ! -e /usr/local/bin/firezone-gateway ]; then \\
 FIREZONE_VERSION=$(curl -Ls \\
 -H "Accept: application/vnd.github+json" \\
@@ -236,20 +268,27 @@ defmodule Web.Sites.NewToken do
 echo "Unsupported architecture"; \\
 exit 1 ;; \\
 esac; \\
- wget -O /usr/local/bin/firezone-gateway $bin_url; \\
- chmod +x /usr/local/bin/firezone-gateway; \\
- mkdir -p /etc/firezone; \\
- chmod 0755 /etc/firezone; \\
- iptables-nft -A FORWARD -i tun-firezone -j ACCEPT; \\
- iptables-nft -A FORWARD -o tun-firezone -j ACCEPT; \\
- iptables-nft -t nat -A POSTROUTING -o e+ -j MASQUERADE; \\
- ip6tables-nft -A FORWARD -i tun-firezone -j ACCEPT; \\
- ip6tables-nft -A FORWARD -o tun-firezone -j ACCEPT; \\
- ip6tables-nft -t nat -A POSTROUTING -o e+ -j MASQUERADE; \\
+ curl -Ls $bin_url -o /usr/local/bin/firezone-gateway; \\
+ chgrp firezone /usr/local/bin/firezone-gateway; \\
+ chmod 0750 /usr/local/bin/firezone-gateway; \\
+ setcap 'cap_net_admin+eip' /usr/local/bin/firezone-gateway; \\
 fi; \\
+ mkdir -p /var/lib/firezone; \\
+ chown firezone:firezone /var/lib/firezone; \\
+ chmod 0775 /var/lib/firezone; \\
+ iptables-nft -C FORWARD -i tun-firezone -j ACCEPT || iptables-nft -A FORWARD -i tun-firezone -j ACCEPT; \\
+ iptables-nft -C FORWARD -o tun-firezone -j ACCEPT || iptables-nft -A FORWARD -o tun-firezone -j ACCEPT; \\
+ iptables-nft -t nat -C POSTROUTING -o e+ -j MASQUERADE || iptables-nft -t nat -A POSTROUTING -o e+ -j MASQUERADE; \\
+ ip6tables-nft -C FORWARD -i tun-firezone -j ACCEPT || ip6tables-nft -A FORWARD -i tun-firezone -j ACCEPT; \\
+ ip6tables-nft -C FORWARD -o tun-firezone -j ACCEPT || ip6tables-nft -A FORWARD -o tun-firezone -j ACCEPT; \\
+ ip6tables-nft -t nat -C POSTROUTING -o e+ -j MASQUERADE || ip6tables-nft -t nat -A POSTROUTING -o e+ -j MASQUERADE; \\
 '
- AmbientCapabilities=CAP_NET_ADMIN
- ExecStart=/bin/sh -c 'FIREZONE_NAME=$(hostname); /usr/local/bin/firezone-gateway'
+ ExecStart=/usr/bin/sudo \\
+ --preserve-env=FIREZONE_NAME,FIREZONE_ID,FIREZONE_TOKEN,FIREZONE_API_URL,RUST_LOG \\
+ -u firezone \\
+ -g firezone \\
+ FIREZONE_NAME=$(hostname) \\
+ /usr/local/bin/firezone-gateway
 TimeoutStartSec=3s
 TimeoutStopSec=15s
 Restart=always
diff --git a/elixir/apps/web/test/web/live/relay_groups/new_token_test.exs b/elixir/apps/web/test/web/live/relay_groups/new_token_test.exs
index f8cc77038..fa398d33a 100644
--- a/elixir/apps/web/test/web/live/relay_groups/new_token_test.exs
+++ b/elixir/apps/web/test/web/live/relay_groups/new_token_test.exs
@@ -33,8 +33,8 @@ defmodule Web.Live.RelayGroups.NewTokenTest do
 assert html =~ "docker run"
 assert html =~ "Waiting for connection..."
- assert Regex.run(~r/FIREZONE_ID=([^ ]+)/, html) |> List.last()
- token = Regex.run(~r/FIREZONE_TOKEN=([^ ]+)/, html) |> List.last() |> String.trim(""")
+ assert Regex.run(~r/FIREZONE_ID=([^& ]+)/, html) |> List.last()
+ token = Regex.run(~r/FIREZONE_TOKEN=([^& ]+)/, html) |> List.last() |> String.trim(""")
 :ok = Domain.Relays.subscribe_for_relays_presence_in_group(group)
 relay = Fixtures.Relays.create_relay(account: account, group: group)
diff --git a/elixir/apps/web/test/web/live/sites/new_token_test.exs b/elixir/apps/web/test/web/live/sites/new_token_test.exs
index a32d0965a..73511417f 100644
--- a/elixir/apps/web/test/web/live/sites/new_token_test.exs
+++ b/elixir/apps/web/test/web/live/sites/new_token_test.exs
@@ -31,8 +31,8 @@ defmodule Web.Live.Sites.NewTokenTest do
 assert html =~ "docker run"
 assert html =~ "Waiting for connection..."
- assert Regex.run(~r/FIREZONE_ID=([^ ]+)/, html) |> List.last()
- token = Regex.run(~r/FIREZONE_TOKEN=([^ ]+)/, html) |> List.last() |> String.trim(""")
+ assert Regex.run(~r/FIREZONE_ID=([^& ]+)/, html) |> List.last()
+ token = Regex.run(~r/FIREZONE_TOKEN=([^& ]+)/, html) |> List.last() |> String.trim(""")
 :ok = Domain.Gateways.subscribe_for_gateways_presence_in_group(group)
 gateway = Fixtures.Gateways.create_gateway(account: account, group: group)
diff --git a/scripts/gateway-docker-upgrade.sh b/scripts/gateway-docker-upgrade.sh
index a18a69ac8..09a7a4e2e 100755
--- a/scripts/gateway-docker-upgrade.sh
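Review bot: `setcap 'cap_net_admin+eip' /usr/local/bin/firezone-gateway` runs only inside the `if [ ! -e … ]` install branch, and this commit also drops `AmbientCapabilities=CAP_NET_ADMIN`, so once the binary is replaced in place (the file capability is not carried over to a rewritten or newly moved file) the gateway starts as `firezone` without CAP_NET_ADMIN and cannot manage `tun-firezone`; moving the `setcap` line after `fi; \\`, next to the `mkdir -p /var/lib/firezone` block, re-applies it on every start. `setcap` is also a new hard dependency on libcap under `set -ue`, which fails the whole unit where it is absent. If the unit is switched to `User=firezone`/`Group=firezone` instead of `sudo`, `AmbientCapabilities=CAP_NET_ADMIN` can simply stay and the `setcap` step becomes unnecessary. The `systemd_command` heredoc starts outside the hunk.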
+++ b/scripts/gateway-docker-upgrade.sh
@@ -33,7 +33,7 @@ do
 --health-cmd="ip link | grep tun-firezone" \
 --name="$RUNNING_NAME" \
 --cap-add=NET_ADMIN \
- --volume /etc/firezone \
+ --volume /var/lib/firezone \
 --env-file variables.env \
 --sysctl net.ipv4.ip_forward=1 \
 --sysctl net.ipv4.conf.all.src_valid_mark=1 \