Test SSL self-signed cert generation

.env.sample

@@ -16,3 +16,10 @@ LIVE_VIEW_SIGNING_SALT=
 
 # Generate with wg genkey | wg pubkey
 PUBKEY=
+
+LISTEN_PORT=
+LISTEN_ADDRESS=
+SSL_CERT_FILE=
+SSL_KEY_FILE=
+SSL_CA_CERT_FILE=
+DISABLE_SIGNUP=

Vagrantfile

@@ -10,7 +10,7 @@ Vagrant.configure('2') do |config|
   config.vm.hostname = 'fireguard.local'
 
   # Web
-  config.vm.network 'forwarded_port', guest: 4000, host: 4000, protocol: 'tcp'
+  config.vm.network 'forwarded_port', guest: 8800, host: 8800, protocol: 'tcp'
 
   # VPN
   config.vm.network 'forwarded_port', guest: 51820, host: 51820, protocol: 'udp'

config/releases.exs

@@ -8,32 +8,51 @@ import Config
 database_url =
   System.get_env("DATABASE_URL") ||
     raise """
-    environment variable DATABASE_URL is missing.
+    Environment variable DATABASE_URL is missing.
     For example: ecto://USER:PASS@HOST/DATABASE
     """
 
 secret_key_base =
   System.get_env("SECRET_KEY_BASE") ||
     raise """
-    environment variable SECRET_KEY_BASE is missing.
+    Environment variable SECRET_KEY_BASE is missing.
+    Please generate with "openssl rand -base64 48" and add to
+    /opt/fireguard/config.env
     """
 
 live_view_signing_salt =
   System.get_env("LIVE_VIEW_SIGNING_SALT") ||
     raise """
-    environment variable LIVE_VIEW_SIGNING_SALT is missing.
+    Environment variable LIVE_VIEW_SIGNING_SALT is missing.
+    Please generate with "openssl rand -base64 24" and add to
+    /opt/fireguard/config.env
     """
 
 pubkey =
   System.get_env("PUBKEY") ||
     raise """
-    environment variable PUBKEY is missing.
+    Environment variable PUBKEY is missing. Please generate
+    with the "wg" utility.
     """
 
+ssl_cert_file =
+  System.get("SSL_CERT_FILE") ||
+    raise """
+    Environment variable SSL_CERT_FILE is missing. FireGuard requires SSL.
+    """
+
+ssl_key_file =
+  System.get("SSL_KEY_FILE") ||
+    raise """
+    Environment variable SSL_KEY_FILE is missing. FireGuard requires SSL.
+    """
+
+ssl_ca_cert_file = System.get("SSL_CA_CERT_FILE") || nil
+
 # Optional environment variables
 pool_size = String.to_integer(System.get_env("POOL_SIZE") || "10")
-listen_port = String.to_integer(System.get_env("LISTEN_PORT") || "4000")
-listen_host = System.get_env("LISTEN_HOST") || "localhost"
+listen_port = String.to_integer(System.get_env("LISTEN_PORT") || "8800")
+url_host = System.get_env("URL_HOST") || "localhost"
 
 config :fg_vpn, pubkey: pubkey
 
@@ -43,11 +62,18 @@ config :fg_http, FgHttp.Repo,
   pool_size: pool_size
 
 config :fg_http, FgHttpWeb.Endpoint,
-  http: [
+  # Force SSL for releases
+  force_ssl: [rewrite_on: [:x_forwarded_proto], hsts: true, host: nil],
+  https: [
     port: listen_port,
-    transport_options: [socket_opts: [:inet6]]
+    transport_options: [socket_opts: [:inet6]],
+    cipher_suite: :strong,
+    otp_app: :fireguard,
+    keyfile: ssl_key_file,
+    certfile: ssl_cert_file,
+    cacertfile: ssl_ca_cert_file
   ],
-  url: [host: listen_host, port: listen_port],
+  url: [host: url_host, port: listen_port],
   secret_key_base: secret_key_base,
   live_view: [
     signing_salt: live_view_signing_salt

pkg/debian/DEBIAN/postinst

@@ -30,17 +30,65 @@ sudo -i -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE fireguard to ${db_
 privkey=$(wg genkey)
 pubkey=$(echo ${privkey} | wg pubkey)
 
+# Write FireGuard SSL files
+mkdir -p /opt/fireguard/ssl
+chown -R fireguard:root /opt/fireguard/ssl
+hostname=$(hostname)
+openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+    -keyout /opt/fireguard/ssl/key.pem \
+    -out /opt/fireguard/ssl/cert.pem \
+    -days 365 -subj "/CN=${hostname}"
+chmod 0600 /opt/fireguard/ssl/key.pem
+chmod 0644 /opt/fireguard/ssl/cert.pem
+
 # Write FireGuard config file
 touch /opt/fireguard/config.env
-chown -R fireguard:root /opt/fireguard
 chmod 0600 /opt/fireguard/config.env
+chown -R fireguard:root /opt/fireguard
 cat <<EOT >> /opt/fireguard/config.env
+# This file is loaded into FireGuard's Environment upon launch to configure it.
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
 LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
 SECRET_KEY_BASE="${secret_key_base}"
-DATABASE_URL="ecto://${db_user}:${db_password}@localhost/fireguard"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables.
+DATABASE_URL="ecto://${db_user}:${db_password}@locRegeneratealhost/fireguard"
+
+# The public key for the WireGuard interface controlled by FireGuard.
+# This should match what's in /etc/wireguard/wg-fireguard.conf.
+# Re-generate this using the "wg" utility, e.g. "wg genkey | wg pubkey"
 PUBKEY="${pubkey}"
-LISTEN_PORT=4000
-LISTEN_HOST=localhost
+
+# The port to listen on. Defaults to 8800.
+LISTEN_PORT=8800
+
+# The address to bind the http server and WireGuard process to.
+# Defaults to "0.0.0.0"
+LISTEN_ADDRESS=0.0.0.0
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/opt/fireguard/ssl/cert.pem
+SSL_KEY_FILE=/opt/fireguard/ssl/key.pem
+
+# Path to the intermediate certificates file. (usually not required)
+SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Defaults to "localhost"
+URL_HOST=localhost
+
+# For public-facing sites, it's recommended to leave signups disabled.
+DISABLE_SIGNUP=yes
 EOT
 
 # Grab default route interface