From 6eba82499afc6ac926323a9eead515080609ca06 Mon Sep 17 00:00:00 2001
From: Andrew Dryga
Date: Mon, 13 Mar 2023 15:33:53 -0600
Subject: [PATCH] Use DEFAULT_ADMIN_EMAIL everywhere to prevent legacy key usage warnings on fresh installs (#1509)
---
 apps/fz_http/lib/fz_http/release.ex | 8 ++-
 .../20211221183311_add_role_to_users.exs | 2 +-
 rel/overlays/bin/gen-env | 2 +-
 scripts/docker_migrate.sh | 2 +-
 scripts/install.sh | 4 +-
 www/docs/administer/troubleshoot.mdx | 4 +-
 www/docs/deploy/docker/README.mdx | 57 ++++++++++++-------
 www/docs/reference/rest-api/README.mdx | 2 +-
 .../reverse-proxy-templates/traefik.mdx | 2 +-
 9 files changed, 50 insertions(+), 33 deletions(-)
diff --git a/apps/fz_http/lib/fz_http/release.ex b/apps/fz_http/lib/fz_http/release.ex
index 033a5e57e..c4f15ac0a 100644
--- a/apps/fz_http/lib/fz_http/release.ex
+++ b/apps/fz_http/lib/fz_http/release.ex
@@ -26,12 +26,14 @@ defmodule FzHttp.Release do
 def create_admin_user do
 boot_database_app()
- if Repo.exists?(from u in User, where: u.email == ^email()) do
+ if Repo.exists?(from(u in User, where: u.email == ^email())) do
 change_password(email(), default_password())
 {:ok, user} = reset_role(email(), :admin)
 # Notify the user
- Logger.info("Password for user specified by ADMIN_EMAIL reset to DEFAULT_ADMIN_PASSWORD!")
+ Logger.info(
+ "Password for user specified by DEFAULT_ADMIN_EMAIL reset to DEFAULT_ADMIN_PASSWORD!"
+ )
 {:ok, user}
 else
@@ -43,7 +45,7 @@ defmodule FzHttp.Release do
 }) do
 # Notify the user
 Logger.info(
- "An admin user specified by ADMIN_EMAIL is created with a DEFAULT_ADMIN_PASSWORD!"
+ "An admin user specified by DEFAULT_ADMIN_EMAIL is created with a DEFAULT_ADMIN_PASSWORD!"
 )
 {:ok, user}
diff --git a/apps/fz_http/priv/repo/migrations/20211221183311_add_role_to_users.exs b/apps/fz_http/priv/repo/migrations/20211221183311_add_role_to_users.exs
index fbaf07c85..3098793ff 100644
--- a/apps/fz_http/priv/repo/migrations/20211221183311_add_role_to_users.exs
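Review bot: The rewritten `Logger.info(` on the reset path records that an existing admin's password was overwritten with `DEFAULT_ADMIN_PASSWORD`, and a credential reset is an event an operator should not be able to filter out with an info-level threshold; `Logger.warning(` would be the better level for this call, while the creation message in the second hunk at -43 can stay at info. The new message text names `DEFAULT_ADMIN_EMAIL`, but `email/0` is defined outside this hunk — if it still falls back to the legacy `ADMIN_EMAIL`, the message misattributes the source and should be checked against that helper. `create_admin_user/0` continues past the end of the hunk.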
+++ b/apps/fz_http/priv/repo/migrations/20211221183311_add_role_to_users.exs
@@ -14,7 +14,7 @@ defmodule FzHttp.Repo.Migrations.AddRoleToUsers do
 # Make existing admin the admin if exists. Admin is most likely the first created user.
 flush()
- admin_email = System.get_env("ADMIN_EMAIL")
+ admin_email = System.get_env("ADMIN_EMAIL") || System.get_env("DEFAULT_ADMIN_EMAIL")
 if admin_email do
 execute("UPDATE users SET role = 'admin' WHERE email = '#{admin_email}'")
diff --git a/rel/overlays/bin/gen-env b/rel/overlays/bin/gen-env
index e02a6fd25..61f7f0c9e 100755
--- a/rel/overlays/bin/gen-env
+++ b/rel/overlays/bin/gen-env
@@ -3,7 +3,7 @@
 cat <<-EOF
 VERSION=latest
 EXTERNAL_URL=_CHANGE_ME_
-ADMIN_EMAIL=_CHANGE_ME_
+DEFAULT_ADMIN_EMAIL=_CHANGE_ME_
 DEFAULT_ADMIN_PASSWORD=$(openssl rand -base64 12)
 GUARDIAN_SECRET_KEY=$(openssl rand -base64 48)
 SECRET_KEY_BASE=$(openssl rand -base64 48)
diff --git a/scripts/docker_migrate.sh b/scripts/docker_migrate.sh
index d9f0f2995..f470b9be4 100755
--- a/scripts/docker_migrate.sh
+++ b/scripts/docker_migrate.sh
@@ -124,7 +124,7 @@ migrate () {
 # BEGIN env vars that matter
 condIns $env_files "EXTERNAL_URL"
- condIns $env_files "ADMIN_EMAIL"
+ condIns $env_files "DEFAULT_ADMIN_EMAIL"
 condIns $env_files "GUARDIAN_SECRET_KEY"
 condIns $env_files "DATABASE_ENCRYPTION_KEY"
 condIns $env_files "SECRET_KEY_BASE"
diff --git a/scripts/install.sh b/scripts/install.sh
index 8f7230d82..3ad455244 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
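Review bot: The `admin_email` value, now taken from either `ADMIN_EMAIL` or `DEFAULT_ADMIN_EMAIL`, is still spliced into the SQL on the following line, `execute("UPDATE users SET role = 'admin' WHERE email = '#{admin_email}'")`, so an address containing a single quote breaks the statement and the environment variable is effectively treated as a SQL fragment rather than a value. `execute/1` takes no bind parameters, so the safe form goes through the repo, e.g. `repo().query!("UPDATE users SET role = 'admin' WHERE email = $1", [admin_email])` (placeholder syntax per the adapter in use). The enclosing migration function starts and ends outside the hunk.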
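Review bot: `condIns $env_files "DEFAULT_ADMIN_EMAIL"` now looks only for the new key in the env files being migrated, but the installs this script migrates from were written with the legacy `ADMIN_EMAIL`; if `condIns` copies just the named key (its definition is outside the hunk), the admin address is dropped from the migrated `.env` and the later `create-or-reset-admin` step has nothing to act on. Consider keeping the legacy lookup alongside the new one, `condIns $env_files "ADMIN_EMAIL"` on the preceding line, or mapping the legacy value onto `DEFAULT_ADMIN_EMAIL` during migration. `migrate ()` starts and ends outside the hunk.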
@@ -142,7 +142,7 @@ firezoneSetup() {
 fi
 db_pass=$(od -vN "8" -An -tx1 /dev/urandom | tr -d " \n" ; echo)
 docker run --rm firezone/firezone bin/gen-env > "$installDir/.env"
- sed -i.bak "s/ADMIN_EMAIL=.*/ADMIN_EMAIL=$1/" "$installDir/.env"
+ sed -i.bak "s/DEFAULT_ADMIN_EMAIL=.*/DEFAULT_ADMIN_EMAIL=$1/" "$installDir/.env"
 sed -i.bak "s~EXTERNAL_URL=.*~EXTERNAL_URL=$2~" "$installDir/.env"
 sed -i.bak "s/DATABASE_PASSWORD=.*/DATABASE_PASSWORD=$db_pass/" "$installDir/.env"
 echo "TLS_OPTS=\"$3\"" >> "$installDir/.env"
@@ -178,7 +178,7 @@ Installation complete!
 You should now be able to log into the Web UI at $externalUrl with the following credentials:
-`grep ADMIN_EMAIL $installDir/.env`
+`grep DEFAULT_ADMIN_EMAIL $installDir/.env`
 `grep DEFAULT_ADMIN_PASSWORD $installDir/.env`
 EOF
diff --git a/www/docs/administer/troubleshoot.mdx b/www/docs/administer/troubleshoot.mdx
index 0c63feebb..da944cf2f 100644
--- a/www/docs/administer/troubleshoot.mdx
+++ b/www/docs/administer/troubleshoot.mdx
@@ -151,7 +151,7 @@ To Action From
 ## Admin login isn't working
-If the password for the account with email `ADMIN_EMAIL` isn't working, you can
+If the password for the account with email `DEFAULT_ADMIN_EMAIL` isn't working, you can
 reset it using the process below.
@@ -160,7 +160,7 @@ reset it using the process below.
 First change directory to your Firezone installation directory (`$HOME/.firezone` by default), then run the `bin/create-or-reset-admin` script to reset the admin user's password. The password for the user specified by
-`ADMIN_EMAIL`
+`DEFAULT_ADMIN_EMAIL` in `$HOME/.firezone/.env` will be reset to the `DEFAULT_ADMIN_PASSWORD` variable.
 ```shell
diff --git a/www/docs/deploy/docker/README.mdx b/www/docs/deploy/docker/README.mdx
index de9783312..322c76f2f 100644
--- a/www/docs/deploy/docker/README.mdx
+++ b/www/docs/deploy/docker/README.mdx
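Review bot: `$1` is substituted unescaped into the replacement side of `sed -i.bak "s/DEFAULT_ADMIN_EMAIL=.*/DEFAULT_ADMIN_EMAIL=$1/"`, so an address containing `/` terminates the expression and `&` expands to the matched text, leaving a malformed `.env`; the `EXTERNAL_URL` line directly below already avoids the delimiter problem by using `~`. Using the same delimiter here keeps the two lines consistent and removes the `/` failure: `sed -i.bak "s~DEFAULT_ADMIN_EMAIL=.*~DEFAULT_ADMIN_EMAIL=$1~" "$installDir/.env"`. `firezoneSetup()` starts and ends outside the hunk.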
@@ -1,8 +1,7 @@ --- title: Docker sidebar_position: 2 -description: - Install Firezone via Docker to manage secure remote +description: Install Firezone via Docker to manage secure remote access to private networks and resources. --- @@ -26,14 +25,14 @@ deploying Firezone. Docker offers a number of benefits over the old ## Step 1: Prerequisites -* Ensure you're on a [supported platform](supported-platforms) with [ +- Ensure you're on a [supported platform](supported-platforms) with [ docker-compose](https://docs.docker.com/compose/install/) **version 2 or higher** installed. -* Ensure port forwarding is enabled on your firewall. +- Ensure port forwarding is enabled on your firewall. The default Firezone configuration requires the following ports to be open: - * `80/tcp` (optional): For automatically issuing SSL certificates. - * `443/tcp`: To access the web UI. - * `51820/udp`: VPN traffic listen port. + - `80/tcp` (optional): For automatically issuing SSL certificates. + - `443/tcp`: To access the web UI. + - `51820/udp`: VPN traffic listen port. :::caution Before deploying Firezone in **production**, you'll need a valid DNS record 
@@ -63,28 +62,38 @@ If the automatic install fails, or you'd just like more control over the installation process, follow the steps below to install manually. 1. Download the docker compose template to a local working directory: -**For Linux**: + **For Linux**: + ``` curl -fsSL https://raw.githubusercontent.com/firezone/firezone/master/docker-compose.prod.yml -o docker-compose.yml ``` + **For macOS, Windows (non-production only)**: + ``` curl -fsSL https://raw.githubusercontent.com/firezone/firezone/master/docker-compose.desktop.yml -o docker-compose.yml ``` + 1. Generate required secrets: + ``` docker run --rm firezone/firezone bin/gen-env > .env ``` -1. At a minimum, change the `ADMIN_EMAIL` and `EXTERNAL_URL` variables. -Optionally modify other secrets as needed. + +1. At a minimum, change the `DEFAULT_ADMIN_EMAIL` and `EXTERNAL_URL` variables. + Optionally modify other secrets as needed. 1. Migrate the database: + ``` docker compose run --rm firezone bin/migrate ``` + 1. Create the first admin: + ``` docker compose run --rm firezone bin/create-or-reset-admin ``` + 1. Bring the services up: `docker compose up -d` You should now be able to access the Firezone web portal at the `EXTERNAL_URL` @@ -108,6 +117,7 @@ By default, Firezone ships with IPv6 connectivity enabled inside the tunnel but to the public internet. To enable IPv6 support in Docker-deployed Firezone, follow the steps below. 1. Enable IPv6 support within Docker by adding the following to `/etc/docker/daemon.json`: + ```json { "ipv6": true, 
@@ -116,15 +126,20 @@ to the public internet. To enable IPv6 support in Docker-deployed Firezone, foll "fixed-cidr-v6": "2001:db8:1::/64" } ``` - This enables IPv6 NAT and configures IPv6 forwarding for Docker containers. + +This enables IPv6 NAT and configures IPv6 forwarding for Docker containers. + 1. Enable router advertisements on boot for your default egress interface: + ``` egress=`ip route show default 0.0.0.0/0 | grep -oP '(?<=dev ).*' | cut -f1 -d' ' | tr -d '\n'` sudo bash -c "echo net.ipv6.conf.${egress}.accept_ra=2 >> /etc/sysctl.conf" ``` + 1. Reboot You should now be able to ping google from within a docker container: + ``` docker run --rm -t busybox ping6 -c 4 google.com ``` 
@@ -142,24 +157,24 @@ Firezone currently uses WireGuard's Once successfully deployed, users and devices can be added to connect to the VPN server: -* [Add Users](../../user-guides/add-users): -Add users to grant them access to your network. -* [Client Instructions](../../user-guides/client-instructions): -Instructions to establish a VPN session. +- [Add Users](../../user-guides/add-users): + Add users to grant them access to your network. +- [Client Instructions](../../user-guides/client-instructions): + Instructions to establish a VPN session. -import SupportOptions from '@site/src/partials/_support_options.mdx'; - +import SupportOptions from "@site/src/partials/_support_options.mdx"; +; ## Post Setup Congrats! You have completed the setup, but there's a lot more you can do with Firezone: -* [Integrate your identity provider](../../authenticate/) +- [Integrate your identity provider](../../authenticate/) for authenticating clients -* Using Firezone as a NAT gateway to +- Using Firezone as a NAT gateway to [establish a static IP for your team](../../user-guides/use-cases/nat-gateway) -* Create tunnels between multiple peers with +- Create tunnels between multiple peers with [reverse tunnels](../../user-guides/use-cases/reverse-tunnel) -* Only route certain traffic through Firezone with +- Only route certain traffic through Firezone with [split tunneling](../../user-guides/use-cases/split-tunnel) diff --git a/www/docs/reference/rest-api/README.mdx b/www/docs/reference/rest-api/README.mdx index 4176797c7..5a2cd8ce5 100644 --- a/www/docs/reference/rest-api/README.mdx +++ b/www/docs/reference/rest-api/README.mdx @@ -24,7 +24,7 @@ docker compose -f $HOME/.firezone/docker-compose.yml exec firezone bin/create-ap :::caution API tokens generated from the CLI are owned by the primary administrator specified by -the `ADMIN_EMAIL` environment variable. +the `DEFAULT_ADMIN_EMAIL` environment variable. ::: ```mdx-code-block 
diff --git a/www/docs/reference/reverse-proxy-templates/traefik.mdx b/www/docs/reference/reverse-proxy-templates/traefik.mdx
index d0c2e060c..b92f4c88b 100644
--- a/www/docs/reference/reverse-proxy-templates/traefik.mdx
+++ b/www/docs/reference/reverse-proxy-templates/traefik.mdx
@@ -183,7 +183,7 @@ services:
 - ${HOME}/.firezone/firezone:/var/firezone
 environment:
 EXTERNAL_URL: ${EXTERNAL_URL:?err}
- ADMIN_EMAIL: ${ADMIN_EMAIL:?err}
+ DEFAULT_ADMIN_EMAIL: ${DEFAULT_ADMIN_EMAIL:?err}
 DEFAULT_ADMIN_PASSWORD: ${DEFAULT_ADMIN_PASSWORD:?err}
 GUARDIAN_SECRET_KEY: ${GUARDIAN_SECRET_KEY:?err}
 SECRET_KEY_BASE: ${SECRET_KEY_BASE:?err}