Debian build reworking

.ci/build_deb.sh

@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-set -xe
-
-prefix=${MATRIX_OS}_${MATRIX_ARCH}
-
-mkdir -p pkg/$prefix/opt/cloudfire/bin
-chmod +x cloudfire-${MATRIX_ARCH}
-mv cloudfire-${MATRIX_ARCH} pkg/$prefix/opt/cloudfire/bin/cloudfire
-dpkg-deb --build pkg/$prefix
-mv pkg/$prefix.deb ./cloudfire_$prefix.deb

.ci/build_release.sh

@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-od=$(pwd)
-mix local.hex --force && mix local.rebar --force
-mix do deps.get, deps.compile
-cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
-cd $od
-npm run --prefix apps/cf_http/assets deploy
-cd apps/cf_http
-mix phx.digest
-cd $od
-mix release --overwrite --force

.ci/build_ubuntu_18.04.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -e
+
+OS="ubuntu_18.04"
+ARCH=${MATRIX_ARCH:-`uname -m`}
+PKG_DIR="${OS}_${ARCH}"
+PKG_FILE="${PKG_DIR}.deb"
+IMAGE="${OS}_${ARCH}:latest"
+
+docker build \
+  -t $IMAGE \
+  -f pkg/Dockerfile.$OS \
+  --platform linux/$ARCH \
+  --build-arg PKG_DIR=$PKG_DIR \
+  --progress plain \
+  .
+
+CID=$(docker create $IMAGE)
+mkdir -p _build
+docker cp $CID:/build/pkg/$PKG_FILE ./_build/

.ci/build_ubuntu_20.04.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -e
+
+OS="ubuntu_20.04"
+ARCH=${MATRIX_ARCH:-`uname -m`}
+PKG_DIR="${OS}_${ARCH}"
+PKG_FILE="${PKG_DIR}.deb"
+IMAGE="${OS}_${ARCH}:latest"
+
+docker build \
+  -t $IMAGE \
+  -f pkg/Dockerfile.$OS \
+  --platform linux/$ARCH \
+  --build-arg PKG_DIR=$PKG_DIR \
+  --progress plain \
+  .
+
+CID=$(docker create $IMAGE)
+mkdir -p _build
+docker cp $CID:/build/pkg/$PKG_FILE ./_build/cloudfire_$PKG_FILE

.ci/functional_test.sh

@@ -2,12 +2,10 @@
 set -x
 
 sudo apt-get update
-sudo apt-get install -y postgresql \
+sudo apt-get install -y -q postgresql \
   wireguard iptables net-tools curl ca-certificates
 sudo systemctl start postgresql
-
-file=cloudfire_${MATRIX_OS}_${MATRIX_ARCH}.deb
-sudo dpkg -i $file
+sudo dpkg -i *.deb
 
 echo "Enabling service..."
 sudo systemctl start cloudfire

.github/workflows/ci.yml

@@ -64,15 +64,25 @@ jobs:
           name: test screenshots
           path: apps/cf_http/screenshots
 
-  build-linux:
+  build:
     needs: unit-integration-test
-    runs-on: ubuntu-18.04
-    name: Build on {{ matrix.arch }}
+    runs-on: ubuntu-20.04
+    name: Build
     env:
       MATRIX_ARCH: ${{ matrix.arch }}
+      MATRIX_OS: ${{ matrix.os }}
       MIX_ENV: prod
     strategy:
       matrix:
+        os:
+          # - amazonlinux_2
+          # - debian_10
+          - ubuntu_18.04
+          - ubuntu_20.04
+          # - redhat_7
+          # - redhat_8
+          # - centos_7
+          # - centos_8
         include:
           - arch: amd64
           # XXX: This currently takes upwards of 10 minutes or more. Disabling for now
@@ -82,10 +92,7 @@ jobs:
 
       # amd64 build
       - if: ${{ matrix.arch == 'amd64' }}
-        run: |
-          sudo apt-get install -q -y zstd gdebi
-          sudo -E bash -c '.ci/install_runtimes.sh'
-          sudo -E bash -c '.ci/build_release.sh'
+        run: .ci/build_${{ matrix.os }}.sh
 
       # arm64 build
       - uses: uraimo/run-on-arch-action@v2.0.10
@@ -116,69 +123,56 @@ jobs:
 
       - uses: actions/upload-artifact@v2
         with:
-          name: cloudfire-${{ matrix.arch }}
-          path: _build/prod/rel/bakeware/cloudfire
-
-  build-deb:
-    needs: build-linux
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-          # - arch: arm64
-        os: [ubuntu-18.04, ubuntu-20.04]
-    env:
-      MATRIX_OS: ${{ matrix.os }}
-      MATRIX_ARCH: ${{ matrix.arch }}
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/download-artifact@v2
-        with:
-          name: cloudfire-${{ matrix.arch }}
-          path: ./cloudfire-${{ matrix.arch }}
-      - run: .ci/build_deb.sh
-      - uses: actions/upload-artifact@v2
-        with:
-          name: cloudfire_${{ matrix.os }}_${{ matrix.arch }}
-          path: cloudfire_${{ matrix.os }}_${{ matrix.arch }}.deb
+          name: cloudfire_${{ matrix.os }}_${{ matrix.arch }}.deb
+          path: _build/cloudfire_${{ matrix.os }}_${{ matrix.arch }}.deb
 
   functional-test:
-    needs: build-deb
-    runs-on: ${{ matrix.os }}
+    needs: build
+    runs-on: ubuntu-20.04
     strategy:
       matrix:
+        os:
+          # - amazonlinux_2
+          # - debian_10
+          - ubuntu_18.04
+          - ubuntu_20.04
+          # - redhat_7
+          # - redhat_8
+          # - centos_7
+          # - centos_8
         include:
           - arch: amd64
           # - arch: arm64
-        os: [ubuntu-18.04, ubuntu-20.04]
-
     env:
       MATRIX_OS: ${{ matrix.os }}
       MATRIX_ARCH: ${{ matrix.arch }}
+      DEBIAN_FRONTEND: noninteractive
     steps:
       - uses: actions/checkout@v2
       - uses: actions/download-artifact@v2
         with:
-          name: cloudfire_${{ matrix.os }}_${{ matrix.arch }}
+          name: cloudfire_${{ matrix.os }}_${{ matrix.arch }}.deb
           path: ./
-      - run: |
-          ls -lR cloudfire*
-      - run: sudo apt-get install -q -y wireguard
       - name: Test Install package
-        env:
-          DEBIAN_FRONTEND: noninteractive
         run: .ci/functional_test.sh
 
-  publish-deb:
+  publish:
     needs: functional-test
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-20.04
     strategy:
       matrix:
+        os:
+          # - amazonlinux_2
+          # - debian_10
+          - ubuntu_18.04
+          - ubuntu_20.04
+          # - redhat_7
+          # - redhat_8
+          # - centos_7
+          # - centos_8
         include:
           - arch: amd64
             # - arch: arm64
-        os: [ubuntu-18.04, ubuntu-20.04]
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     steps:
       - name: Create Release

.tool-versions

@@ -1,3 +1,3 @@
 erlang 24.0.3
-elixir 1.12.1-otp-24
+elixir 1.12.2-otp-24
 nodejs lts

mix.exs

@@ -22,15 +22,13 @@ defmodule CloudfireUmbrella.MixProject do
       default_release: :cloudfire,
       releases: [
         cloudfire: [
-          # Don't seem to be needed for bakeware releases
-          # include_executables_for: [:unix],
+          include_executables_for: [:unix],
           validate_compile_env: false,
           applications: [
             cf_http: :permanent,
             cf_wall: :permanent,
             cf_vpn: :permanent
           ],
-          steps: [:assemble, &Bakeware.assemble/1],
           cookie: System.get_env("ERL_COOKIE")
         ]
       ]
@@ -44,7 +42,6 @@ defmodule CloudfireUmbrella.MixProject do
   # Run "mix help deps" for examples and options.
   defp deps do
     [
-      {:bakeware, "~> 0.2.0", runtime: false},
       {:excoveralls, "~> 0.13", only: :test},
       {:mix_test_watch, "~> 1.0", only: :dev, runtime: false},
       {:dialyxir, "~> 1.0", only: [:dev], runtime: false}

mix.lock

@@ -1,6 +1,5 @@
 %{
   "argon2_elixir": {:hex, :argon2_elixir, "2.4.0", "2a22ea06e979f524c53b42b598fc6ba38cdcbc977a155e33e057732cfb1fb311", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "4ea82e183cf8e7f66dab1f767fedcfe6a195e140357ef2b0423146b72e0a551d"},
-  "bakeware": {:hex, :bakeware, "0.2.0", "e2efb323cc25e857ac2869f0d25a92cac55ed6e1f53399cb5c035d211d27d5ce", [:make, :mix], [{:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "cad65fcf20162d60c2a159238d1ebfa1f9763b5d671b0992caf1777be42fe3ae"},
   "bamboo": {:hex, :bamboo, "1.7.1", "7f0946e8c9081ce10d347cdba33c247c7c1c4f7dddc194ab0633603ef879bbdf", [:mix], [{:hackney, ">= 1.15.2", [hex: :hackney, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:mime, "~> 1.4", [hex: :mime, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.1", [hex: :phoenix, repo: "hexpm", optional: true]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "5fb34c3ab638fc409deec47c1e91f9d78ad95bf22ccb153588b434e1ff1aa730"},
   "bunt": {:hex, :bunt, "0.2.0", "951c6e801e8b1d2cbe58ebbd3e616a869061ddadcc4863d0a2182541acae9a38", [:mix], [], "hexpm", "7af5c7e09fe1d40f76c8e4f9dd2be7cebd83909f31fee7cd0e9eadc567da8353"},
   "certifi": {:hex, :certifi, "2.6.1", "dbab8e5e155a0763eea978c913ca280a6b544bfa115633fa20249c3d396d9493", [:rebar3], [], "hexpm", "524c97b4991b3849dd5c17a631223896272c6b0af446778ba4675a1dff53bb7e"},

pkg/Dockerfile.centos_7

@@ -0,0 +1,62 @@
+# This Dockerfile builds release packages.
+# **NOTE**: This is not recommended, as it's possible the deployment
+# production environment will diff from the image environment here,
+# even if the OS and kernel versions match.
+# As such, this script has been deprecated in favor of building the release
+# in the production environment.
+FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
+
+# Setup to run build script
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update -q && \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    build-essential \
+    git \
+    dpkg-dev \
+    libssl-dev \
+    automake \
+    gnupg \
+    curl \
+    autoconf \
+    libncurses5-dev \
+    unzip \
+    zlib1g-dev \
+    locales && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/tmp/*
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
+    locale-gen
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
+RUN apt-get install nodejs
+
+ENV MIX_ENV prod
+WORKDIR /build
+
+RUN mix local.hex --force && \
+    mix local.rebar --force
+COPY mix.exs mix.lock ./
+COPY config config
+COPY apps/cf_http/mix.exs ./apps/cf_http/
+COPY apps/cf_wall/mix.exs ./apps/cf_wall/
+COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
+RUN mix do deps.get, deps.compile
+
+COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
+RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
+COPY apps/cf_http/priv apps/cf_http/priv
+COPY apps/cf_http/assets apps/cf_http/assets
+RUN npm run --prefix ./apps/cf_http/assets deploy && \
+    cd apps/cf_http && mix phx.digest
+
+COPY . .
+RUN mix release cloudfire
+
+RUN mkdir -p pkg/debian/opt
+RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
+
+RUN cd pkg && dpkg-deb --build debian

pkg/Dockerfile.centos_8

@@ -0,0 +1,62 @@
+# This Dockerfile builds release packages.
+# **NOTE**: This is not recommended, as it's possible the deployment
+# production environment will diff from the image environment here,
+# even if the OS and kernel versions match.
+# As such, this script has been deprecated in favor of building the release
+# in the production environment.
+FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
+
+# Setup to run build script
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update -q && \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    build-essential \
+    git \
+    dpkg-dev \
+    libssl-dev \
+    automake \
+    gnupg \
+    curl \
+    autoconf \
+    libncurses5-dev \
+    unzip \
+    zlib1g-dev \
+    locales && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/tmp/*
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
+    locale-gen
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
+RUN apt-get install nodejs
+
+ENV MIX_ENV prod
+WORKDIR /build
+
+RUN mix local.hex --force && \
+    mix local.rebar --force
+COPY mix.exs mix.lock ./
+COPY config config
+COPY apps/cf_http/mix.exs ./apps/cf_http/
+COPY apps/cf_wall/mix.exs ./apps/cf_wall/
+COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
+RUN mix do deps.get, deps.compile
+
+COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
+RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
+COPY apps/cf_http/priv apps/cf_http/priv
+COPY apps/cf_http/assets apps/cf_http/assets
+RUN npm run --prefix ./apps/cf_http/assets deploy && \
+    cd apps/cf_http && mix phx.digest
+
+COPY . .
+RUN mix release cloudfire
+
+RUN mkdir -p pkg/debian/opt
+RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
+
+RUN cd pkg && dpkg-deb --build debian

pkg/Dockerfile.debian_10

@@ -0,0 +1,62 @@
+# This Dockerfile builds release packages.
+# **NOTE**: This is not recommended, as it's possible the deployment
+# production environment will diff from the image environment here,
+# even if the OS and kernel versions match.
+# As such, this script has been deprecated in favor of building the release
+# in the production environment.
+FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
+
+# Setup to run build script
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update -q && \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    build-essential \
+    git \
+    dpkg-dev \
+    libssl-dev \
+    automake \
+    gnupg \
+    curl \
+    autoconf \
+    libncurses5-dev \
+    unzip \
+    zlib1g-dev \
+    locales && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/tmp/*
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
+    locale-gen
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
+RUN apt-get install nodejs
+
+ENV MIX_ENV prod
+WORKDIR /build
+
+RUN mix local.hex --force && \
+    mix local.rebar --force
+COPY mix.exs mix.lock ./
+COPY config config
+COPY apps/cf_http/mix.exs ./apps/cf_http/
+COPY apps/cf_wall/mix.exs ./apps/cf_wall/
+COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
+RUN mix do deps.get, deps.compile
+
+COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
+RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
+COPY apps/cf_http/priv apps/cf_http/priv
+COPY apps/cf_http/assets apps/cf_http/assets
+RUN npm run --prefix ./apps/cf_http/assets deploy && \
+    cd apps/cf_http && mix phx.digest
+
+COPY . .
+RUN mix release cloudfire
+
+RUN mkdir -p pkg/debian/opt
+RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
+
+RUN cd pkg && dpkg-deb --build debian

pkg/Dockerfile.redhat_7

@@ -0,0 +1,62 @@
+# This Dockerfile builds release packages.
+# **NOTE**: This is not recommended, as it's possible the deployment
+# production environment will diff from the image environment here,
+# even if the OS and kernel versions match.
+# As such, this script has been deprecated in favor of building the release
+# in the production environment.
+FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
+
+# Setup to run build script
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update -q && \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    build-essential \
+    git \
+    dpkg-dev \
+    libssl-dev \
+    automake \
+    gnupg \
+    curl \
+    autoconf \
+    libncurses5-dev \
+    unzip \
+    zlib1g-dev \
+    locales && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/tmp/*
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
+    locale-gen
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
+RUN apt-get install nodejs
+
+ENV MIX_ENV prod
+WORKDIR /build
+
+RUN mix local.hex --force && \
+    mix local.rebar --force
+COPY mix.exs mix.lock ./
+COPY config config
+COPY apps/cf_http/mix.exs ./apps/cf_http/
+COPY apps/cf_wall/mix.exs ./apps/cf_wall/
+COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
+RUN mix do deps.get, deps.compile
+
+COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
+RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
+COPY apps/cf_http/priv apps/cf_http/priv
+COPY apps/cf_http/assets apps/cf_http/assets
+RUN npm run --prefix ./apps/cf_http/assets deploy && \
+    cd apps/cf_http && mix phx.digest
+
+COPY . .
+RUN mix release cloudfire
+
+RUN mkdir -p pkg/debian/opt
+RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
+
+RUN cd pkg && dpkg-deb --build debian

pkg/Dockerfile.redhat_8

@@ -0,0 +1,62 @@
+# This Dockerfile builds release packages.
+# **NOTE**: This is not recommended, as it's possible the deployment
+# production environment will diff from the image environment here,
+# even if the OS and kernel versions match.
+# As such, this script has been deprecated in favor of building the release
+# in the production environment.
+FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
+
+# Setup to run build script
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update -q && \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    build-essential \
+    git \
+    dpkg-dev \
+    libssl-dev \
+    automake \
+    gnupg \
+    curl \
+    autoconf \
+    libncurses5-dev \
+    unzip \
+    zlib1g-dev \
+    locales && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/tmp/*
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
+    locale-gen
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
+RUN apt-get install nodejs
+
+ENV MIX_ENV prod
+WORKDIR /build
+
+RUN mix local.hex --force && \
+    mix local.rebar --force
+COPY mix.exs mix.lock ./
+COPY config config
+COPY apps/cf_http/mix.exs ./apps/cf_http/
+COPY apps/cf_wall/mix.exs ./apps/cf_wall/
+COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
+RUN mix do deps.get, deps.compile
+
+COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
+RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
+COPY apps/cf_http/priv apps/cf_http/priv
+COPY apps/cf_http/assets apps/cf_http/assets
+RUN npm run --prefix ./apps/cf_http/assets deploy && \
+    cd apps/cf_http && mix phx.digest
+
+COPY . .
+RUN mix release cloudfire
+
+RUN mkdir -p pkg/debian/opt
+RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
+
+RUN cd pkg && dpkg-deb --build debian

pkg/Dockerfile.ubuntu_18.04

@@ -0,0 +1,68 @@
+# This Dockerfile builds release packages.
+# **NOTE**: This is not recommended, as it's possible the deployment
+# production environment will diff from the image environment here,
+# even if the OS and kernel versions match.
+# As such, this script has been deprecated in favor of building the release
+# in the production environment.
+FROM hexpm/elixir:1.12.2-erlang-24.0.3-ubuntu-bionic-20210325
+
+# Overridden by build script
+ARG PKG_DIR
+
+# Setup to run build script
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update -q && \
+    apt-get install -y --no-install-recommends \
+    gdebi \
+    ca-certificates \
+    build-essential \
+    git \
+    dpkg-dev \
+    libssl-dev \
+    automake \
+    gnupg \
+    curl \
+    autoconf \
+    libncurses5-dev \
+    unzip \
+    zlib1g-dev \
+    locales && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/tmp/*
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
+    locale-gen
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -
+RUN apt-get install -y --no-install-recommends nodejs
+
+ENV MIX_ENV prod
+WORKDIR /build
+
+RUN mix local.hex --force && \
+    mix local.rebar --force
+COPY mix.exs mix.lock ./
+COPY config config
+COPY apps/cf_http/mix.exs ./apps/cf_http/
+COPY apps/cf_wall/mix.exs ./apps/cf_wall/
+COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
+COPY apps/cf_common/mix.exs ./apps/cf_common/
+RUN mix do deps.get, deps.compile
+
+COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
+RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
+COPY apps/cf_http/priv apps/cf_http/priv
+COPY apps/cf_http/assets apps/cf_http/assets
+RUN npm run --prefix ./apps/cf_http/assets deploy && \
+    cd apps/cf_http && mix phx.digest
+
+COPY . .
+RUN mix release
+
+RUN mkdir -p pkg/debian/opt
+RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
+
+RUN echo "How about that pkg dir huh: $PKG_DIR"
+RUN cd pkg && dpkg-deb --build $PKG_DIR

pkg/Dockerfile.ubuntu_20.04

@@ -0,0 +1,67 @@
+# This Dockerfile builds release packages.
+# **NOTE**: This is not recommended, as it's possible the deployment
+# production environment will diff from the image environment here,
+# even if the OS and kernel versions match.
+# As such, this script has been deprecated in favor of building the release
+# in the production environment.
+FROM hexpm/elixir:1.12.2-erlang-24.0.3-ubuntu-focal-20210325
+
+# Overridden by build script
+ARG PKG_DIR
+
+# Setup to run build script
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update -q && \
+    apt-get install -y --no-install-recommends \
+    gdebi \
+    ca-certificates \
+    build-essential \
+    git \
+    dpkg-dev \
+    libssl-dev \
+    automake \
+    gnupg \
+    curl \
+    autoconf \
+    libncurses5-dev \
+    unzip \
+    zlib1g-dev \
+    locales && \
+    apt-get clean && \
+    rm -rf /tmp/* /var/tmp/*
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
+    locale-gen
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
+RUN apt-get install nodejs
+
+ENV MIX_ENV prod
+WORKDIR /build
+
+RUN mix local.hex --force && \
+    mix local.rebar --force
+COPY mix.exs mix.lock ./
+COPY config config
+COPY apps/cf_http/mix.exs ./apps/cf_http/
+COPY apps/cf_wall/mix.exs ./apps/cf_wall/
+COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
+COPY apps/cf_common/mix.exs ./apps/cf_common/
+RUN mix do deps.get, deps.compile
+
+COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
+RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
+COPY apps/cf_http/priv apps/cf_http/priv
+COPY apps/cf_http/assets apps/cf_http/assets
+RUN npm run --prefix ./apps/cf_http/assets deploy && \
+    cd apps/cf_http && mix phx.digest
+
+COPY . .
+RUN mix release
+
+RUN mkdir -p pkg/debian/opt
+RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
+
+RUN cd pkg && dpkg-deb --build $PKG_DIR

pkg/ubuntu_18.04_arm64/DEBIAN/control

@@ -0,0 +1,11 @@
+Package: cloudfire
+Version: 0.1.7-1
+Architecture: arm64
+Maintainer: CloudFire, LLC <dpkg@cloudfire.network>
+Depends: net-tools (>= 1.60+git20161116.90da8a0-1ubuntu1), systemd (>= 237-3ubuntu10.48), openssl (>= 1.1.1-1ubuntu2.1~18.04.9), wireguard (>= 1.0.20200319-1ubuntu1), postgresql (>= 9.6), iptables (>= 1.6.1-2ubuntu2)
+Section: net
+Priority: optional
+Homepage: https://cloudfire.network
+Description: Web UI + Firewall manager for WireGuard™
+ Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
+ set up firewall rules for your devices.

pkg/ubuntu_18.04_arm64/DEBIAN/postinst

@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+set -xe
+
+ls -la /opt/cloudfire/bin
+
+# CloudFire package post-install script
+
+# 1. Generate secrets
+# 2. Bootstrap DB
+# 3. Generate WireGuard interface and config
+
+# All created files are 0600 by default
+umask 077
+
+# Add cloudfire user if not exists
+if id cloudfire &>/dev/null; then
+  echo "cloudfire user exists... not creating."
+else
+  echo "creating system user cloudfire"
+  useradd --system cloudfire
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_user=cloudfire
+
+# base64 includes forward slashes which are problematic in the
+# db_url connect string, so use hex.
+db_password="$(openssl rand -hex 16)"
+
+db_key="$(openssl rand -base64 32)"
+
+# Setup DB
+# XXX: Remove || true and detect actual failures
+su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\" || true"
+su postgres -c "psql -c \"CREATE DATABASE cloudfire;\" || true"
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE cloudfire to ${db_user};\" || true"
+
+# Write CloudFire SSL files
+mkdir -p /opt/cloudfire/ssl
+hostname=$(hostname)
+openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+    -keyout /opt/cloudfire/ssl/key.pem \
+    -out /opt/cloudfire/ssl/cert.pem \
+    -days 365 -subj "/CN=${hostname}"
+
+wg genkey > /opt/cloudfire/server.key
+
+# Write CloudFire config files
+cat <<EOT >> /opt/cloudfire/config.env
+# This file is loaded into CloudFire's Environment upon launch to configure it.
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables.
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/cloudfire"
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/opt/cloudfire/ssl/cert.pem
+SSL_KEY_FILE=/opt/cloudfire/ssl/key.pem
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Defaults to "localhost".
+# URL_HOST=${hostname}
+
+# For security, it's recommended to leave signups disabled and instead create
+# users via the CLI.
+DISABLE_SIGNUP=yes
+EOT
+
+# Set perms
+chown -R cloudfire:root /opt/cloudfire
+chmod 0644 /opt/cloudfire/ssl/cert.pem

pkg/ubuntu_20.04_amd64/DEBIAN/templates

@@ -0,0 +1,11 @@
+Template: cloudfire/config
+Type: note
+Description: config file
+  CloudFire's config file is located at /opt/cloudfire/config.yml. Only root
+  should be able to view and edit this file. Random secrets and passwords have
+  been generated and saved for you already.
+
+Template: cloudfire/access
+Type: note
+Description: access instructions
+  CloudFire has been installed successfully and is running on port 8443!

pkg/ubuntu_20.04_amd64/lib/systemd/system/cloudfire.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=CloudFire
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=cloudfire
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/opt/cloudfire/config.env
+ExecStartPre=/opt/cloudfire/bin/cloudfire eval "CfHttp.Release.migrate"
+ExecStart=/opt/cloudfire/bin/cloudfire start
+ExecStartPost=/bin/sleep 5
+ExecStartPost=/opt/cloudfire/bin/cloudfire rpc "CfHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target

pkg/ubuntu_20.04_arm64/DEBIAN/control

@@ -0,0 +1,11 @@
+Package: cloudfire
+Version: 0.1.7-1
+Architecture: arm64
+Maintainer: CloudFire, LLC <dpkg@cloudfire.network>
+Depends: net-tools (>= 1.60+git20180626.aebd88e-1ubuntu1), systemd (>= 245.4-4ubuntu3.2), openssl (>= 1.1.1f-1ubuntu2), wireguard (>= 1.0.20200319-1ubuntu1), postgresql (>= 12+214ubuntu0.1), iptables (>= 1.8.4-3ubuntu2)
+Section: net
+Priority: optional
+Homepage: https://cloudfire.network
+Description: Web UI + Firewall manager for WireGuard™
+ Provides a web-based UI that allows you to configure WireGuard VPN tunnels and
+ set up firewall rules for your devices.

pkg/ubuntu_20.04_arm64/DEBIAN/postinst

@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+set -e
+
+# CloudFire package post-install script
+
+# 1. Generate secrets
+# 2. Bootstrap DB
+# 3. Generate WireGuard interface and config
+
+# Add cloudfire user if not exists
+if id cloudfire &>/dev/null; then
+  echo "cloudfire user exists... not creating."
+else
+  echo "creating system user cloudfire"
+  useradd --system cloudfire
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_user=cloudfire
+
+# base64 includes forward slashes which are problematic in the
+# db_url connect string, so use hex.
+db_password="$(openssl rand -hex 16)"
+
+db_key="$(openssl rand -base64 32)"
+
+# Setup DB
+sudo -i -u postgres psql -c "CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';" || true
+sudo -i -u postgres psql -c "CREATE DATABASE cloudfire;" || true
+sudo -i -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE cloudfire to ${db_user};" || true
+
+# Write CloudFire SSL files
+mkdir -p /opt/cloudfire/ssl
+chown -R cloudfire:root /opt/cloudfire/ssl
+hostname=$(hostname)
+openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+    -keyout /opt/cloudfire/ssl/key.pem \
+    -out /opt/cloudfire/ssl/cert.pem \
+    -days 365 -subj "/CN=${hostname}"
+chmod 0600 /opt/cloudfire/ssl/key.pem
+chmod 0644 /opt/cloudfire/ssl/cert.pem
+
+# Write CloudFire config files
+touch /opt/cloudfire/config.env
+chmod 0600 /opt/cloudfire/config.env
+chown -R cloudfire:root /opt/cloudfire
+cat <<EOT >> /opt/cloudfire/config.env
+# This file is loaded into CloudFire's Environment upon launch to configure it.
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables.
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/cloudfire"
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/opt/cloudfire/ssl/cert.pem
+SSL_KEY_FILE=/opt/cloudfire/ssl/key.pem
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Defaults to "localhost".
+# URL_HOST=${hostname}
+
+# For security, it's recommended to leave signups disabled and instead create
+# users via the CLI.
+DISABLE_SIGNUP=yes
+EOT
+
+umask 077
+wg genkey > /opt/cloudfire/server.key
+chown cloudfire:root /opt/cloudfire/server.key

pkg/ubuntu_20.04_arm64/DEBIAN/templates

@@ -0,0 +1,11 @@
+Template: cloudfire/config
+Type: note
+Description: config file
+  CloudFire's config file is located at /opt/cloudfire/config.yml. Only root
+  should be able to view and edit this file. Random secrets and passwords have
+  been generated and saved for you already.
+
+Template: cloudfire/access
+Type: note
+Description: access instructions
+  CloudFire has been installed successfully and is running on port 8443!

pkg/ubuntu_20.04_arm64/lib/systemd/system/cloudfire.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=CloudFire
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Restart=on-failure
+RestartSec=1
+User=cloudfire
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
+EnvironmentFile=/opt/cloudfire/config.env
+ExecStartPre=/opt/cloudfire/bin/cloudfire eval "CfHttp.Release.migrate"
+ExecStart=/opt/cloudfire/bin/cloudfire start
+ExecStartPost=/bin/sleep 5
+ExecStartPost=/opt/cloudfire/bin/cloudfire rpc "CfHttp.Release.create_admin_user"
+
+[Install]
+WantedBy=multi-user.target