Cache node deps; fix minor docs typos (#923)

* Minor typo fixes

* cache node deps

* Remove unneeded script

* Remove unneeded script

* Remove redundant lint-docs step...

* Cache nodejs for static anal

* npm ci before use

* limit markdownlint to docs for now

* Move markdownlint config to root

.github/workflows/test.yml

@@ -2,19 +2,6 @@ name: Test
 on: [push, pull_request]
 
 jobs:
-  lint-docs:
-    runs-on: macos-11
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
-        with:
-          node-version: '16'
-      - name: Lint Docs
-        run: |
-          npm install -g markdownlint-cli
-          cd docs
-          markdownlint .
-
   static-analysis:
     runs-on: ubuntu-latest
     env:
@@ -22,6 +9,11 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v2
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: '**/package-lock.json'
       - uses: actions/setup-ruby@v1
         with:
           ruby-version: '2.7'
@@ -80,6 +72,10 @@ jobs:
       - name: Create PLTs
         if: steps.plt_cache.outputs.cache-hit != 'true'
         run: mix dialyzer --plt
+      - name: Install node modules
+        run: |
+          cd docs
+          npm ci
       - name: Run pre-commit
         run: |
           pre-commit install
@@ -111,9 +107,11 @@ jobs:
             net-tools \
             wireguard
       - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3
         with:
           node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: '**/package-lock.json'
       - uses: erlef/setup-beam@v1
         with:
           otp-version: '25'

.pre-commit-config.yaml

@@ -31,6 +31,12 @@ repos:
         language: system
         pass_filenames: false
         files: \.rb$
+      - id: markdownlint
+        name: 'nodejs: markdownlint'
+        entry: ./docs/node_modules/markdownlint-cli/markdownlint.js
+        language: system
+        pass_filenames: true
+        files: docs/.*\.md$
 
   # Standard pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit-hooks

docs/docs/deploy/reverse-proxies/README.md

@@ -4,10 +4,10 @@ sidebar_position: 4
 ---
 
 :::note
-This is an advanced configuration. The default bundled Nginx proxy
-is suitable for the vast majority of use cases and is recommended for most
-users. There are important security risks if the Firezone reverse proxy is
-not set up correctly. Use only if you know what you are doing.
+Using a custom reverse proxy is an advanced configuration. The default bundled
+Nginx proxy is suitable for the vast majority of use cases and is recommended
+for most users. There are important security risks if the Firezone reverse proxy
+is not set up correctly. Use only if you know what you are doing.
 :::
 
 ## Introduction
@@ -18,8 +18,8 @@ using behind your own load balancer.
 
 ## Prerequisites
 
-Below you will find the requirements in order to setup Firezone and the
-reverse-proxies.
+Below you will find the requirements in order to setup Firezone with a custom
+reverse proxy.
 
 ### Firezone configuration requirements
 
@@ -31,10 +31,9 @@ reverse-proxies.
   way the [X-Forwarded-For header works](
   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For),
   this is needed to parse the actual client's IP address to prevent
-  spoofing.
+  IP spoofing.
 
 :::note
-
 The `external_trusted_proxies` list automatically implicitly includes the
 following private CIDR ranges, even if they're not specified in the
 configuration file:
@@ -49,8 +48,7 @@ configuration file:
 This means any web requests originating from these IPs are automatically ignored
 from the `X-Forwarded-For` headers. If you're accessing Firezone from any IPs in
 this range (as seen by the Firezone web app), be sure to add them to the
-`default['firezone']['phoenix']['clients']` configuration option.
-
+`default['firezone']['phoenix']['clients']` configuration option instead.
 :::
 
 Read more about the configuration options
@@ -62,7 +60,8 @@ Read more about the configuration options
   [here](
   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
 * Your proxy should also set the `X-Forwarded-Proto` to `https`.
-* Your proxy **must** terminate SSL since we enforce [secure cookies](
+* Your proxy (or another downstream proxy) **must** terminate SSL since we
+  enforce [secure cookies](
   https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies).
 * Firezone requires the use of WebSockets to establish realtime connections. We
   recommended following your proxy's specific documentation for supporting

docs/docs/deploy/reverse-proxies/apache.md

@@ -9,9 +9,10 @@ with and without SSL termination.
 These expect the apache to be running on the same host as Firezone and
 `default['firezone']['phoenix']['port']` to be `13000`.
 
-### Without SSL termination
+## Without SSL termination
 
-Take into account that a previous proxy will need to terminate SSL connections.
+Since Firezone requires HTTPS for the web portal, please bear in mind a
+downstream proxy will need to terminate SSL connections in this scenario.
 
 `<server-name>` needs to be replaced with your domain name.
 
@@ -36,10 +37,10 @@ LoadModule proxy_wstunnel_module /usr/lib/apache2/modules/mod_proxy_wstunnel.so
 </VirtualHost>
 ```
 
-### With SSL termination
+## With SSL termination
 
-This configuration should be used exactly like the previous and uses Firezone's
-generated self-signed certs to terminate SSL.
+This configuration builds on the one above and uses Firezone's auto-generated
+self-signed certificates.
 
 ```conf
 LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

docs/docs/deploy/reverse-proxies/haproxy.md

@@ -3,13 +3,13 @@ title: HAProxy
 sidebar_position: 3
 ---
 
-The following is an example configuration for the
-[HAProxy](https://www.haproxy.org/) proxy. we assume
+The following is an example reverse proxy configuration for [HAProxy](
+https://www.haproxy.org/) proxy. We assume
 `default['firezone']['phoenix']['port']` to be `13000` and the proxy running on
 the same host as the Firezone app.
 
-There is not SSL termination in this configuration so a previous proxy will
-need to terminate the SSL connection.
+Since Firezone requires HTTPS for the web portal, please bear in mind a
+downstream proxy will need to terminate SSL connections in this scenario.
 
 You can also configure HAProxy to handle the SSL termination as explained
 [here](https://www.haproxy.com/blog/haproxy-ssl-termination/) but take into

docs/docs/deploy/reverse-proxies/traefik.md

@@ -4,32 +4,34 @@ sidebar_position: 2
 ---
 
 The following are examples for configuring the [Traefik](https://traefik.io/)
-proxy.
+proxy as a reverse proxy for Firezone.
 
-As of right now Firezone can't be run as a container in production, although
-this is a [planned feature](https://github.com/firezone/firezone/issues/260).
-So, these example configurations expects Firezone to be deployed on the same
-host as the proxy.
+In these examples, we assume Traefik is deployed using Docker on the same host
+as Firezone. For this to work, you'll need to make sure Firezone's phoenix
+app is bound to port `13000` on the Docker interface address and
+`external_trusted_proxies` is set properly:
 
-In these configurations we assume `default['firezone']['phoenix']['port']` to be
-`13000`. Furthermore, for these configuration to work we need the Firezone app
-to listen in the Docker interface so you should set:
+```ruby
+# /etc/firezone/firezone.rb
 
-* `default['firezone']['phoenix']['listen_address'] = '172.17.0.1'`
-* `default['firezone']['external_trusted_proxies'] = ['172.18.0.2']`
+# ...
 
-In the [configuration file](../../reference/configuration-file.md).
+default['firezone']['phoenix']['port'] = 13000
+default['firezone']['phoenix']['listen_address'] = '172.17.0.1'
+default['firezone']['external_trusted_proxies'] = ['172.18.0.2']
+```
 
 ## Without SSL termination
 
-Take into account that a previous proxy will need to terminate SSL connections.
+Since Firezone requires HTTPS for the web portal, please bear in mind a
+downstream proxy will need to terminate SSL connections in this scenario.
 
-Set the following files
+Use the following `docker-compose.yml` and `rules.yml` files to configure
+Traefik:
 
 ### `docker-compose.yml`
 
-```conf
-ubuntu@ip-172-31-79-208:~/traefik$ cat docker-compose.yml
+```yaml
 version: '3'
 
 services:
@@ -57,8 +59,7 @@ services:
 
 ### `rules.yml`
 
-```conf
-ubuntu@ip-172-31-79-208:~/traefik$ cat rules.yml
+```yaml
 http:
   routers:
     test:
@@ -73,16 +74,15 @@ http:
         - url: "http://host.docker.internal:13000"
 ```
 
-And then you can start the Traefik proxy with `docker compose up`
+Now you should be able to start the Traefik proxy with `docker compose up`.
 
 ## With SSL termination
 
-This configuration use the auto-generated Firezone self-signed certs as the
-default certificates for SSL.
+This configuration uses Firezone's auto-generated self-signed certificates.
 
 ### SSL `docker-compose.yml`
 
-```conf
+```yaml
 version: '3'
 
 services:
@@ -111,7 +111,7 @@ services:
 
 ### SSL `rules.yml`
 
-```conf
+```yaml
 http:
   routers:
     test:
@@ -129,6 +129,6 @@ tls:
   stores:
     default:
       defaultCertificate:
-        certFile: /ssl/ip-172-31-79-208.ec2.internal.crt
-        keyFile: /ssl/ip-172-31-79-208.ec2.internal.key
+        certFile: /path/to/your/cert.crt
+        keyFile: /path/to/your/key.key
 ```