security(gateway): Don't run systemd gateways as root (#2943)

Docker-based gateways won't have working IPv6 (good point @AndrewDryga), so I started testing the systemd gateways more and found some issues I fixed. * Update default tab order for Deploy gateways page to prefer systemd * Update unit file to run gateway as unprivileged user * Remove dependency on `wget` in unit file * Fix iptables logic so rules as re-created on reboot * Use `/var/lib/firezone` instead of `/etc/firezone` for writing runtime files (`/etc/` is often mounted read-only on hardened systems) --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Andrew Dryga <andrew@dryga.com>
2026-01-27 10:18:54 +00:00 · 2023-12-21 10:29:10 -08:00
parent d3f45b5285
commit 34ab093dbc
5 changed files with 229 additions and 145 deletions
--- a/scripts/gateway-docker-upgrade.sh
+++ b/scripts/gateway-docker-upgrade.sh
@@ -33,7 +33,7 @@ do
          --health-cmd="ip link | grep tun-firezone" \
          --name="$RUNNING_NAME" \
          --cap-add=NET_ADMIN \
-          --volume /etc/firezone \
+          --volume /var/lib/firezone \
          --env-file variables.env \
          --sysctl net.ipv4.ip_forward=1 \
          --sysctl net.ipv4.conf.all.src_valid_mark=1 \