Fix secrets gen

This commit is contained in:
Jamil Bou Kheir
2021-08-20 02:53:46 +00:00
parent 4b19f40a34
commit 95b3dff18d
5 changed files with 76 additions and 27 deletions


@@ -11,23 +11,21 @@ database_user = System.fetch_env!("DATABASE_USER")
database_host = System.fetch_env!("DATABASE_HOST")
database_port = System.fetch_env!("DATBASE_PORT")
database_pool = System.fetch_env!("DATBASE_POOL")
database_encryption_key = System.fetch_env!("DATABASE_ENCRYPTION_KEY")
phoenix_port = System.fetch_env!("PHOENIX_PORT")
port = System.fetch_env!("PHOENIX_PORT")
url_host = System.fetch_env!("URL_HOST")
admin_email = System.fetch_env!("ADMIN_EMAIL")
wireguard_interface_name = System.fetch_env!("WIREGUARD_INTERFACE_NAME")
wireguard_port = System.fetch_env!("WIREGUARD_PORT")
# secrets
encryption_key = System.fetch_env!("DATABASE_ENCRYPTION_KEY")
secret_key_base = System.fetch_env!("SECRET_KEY_BASE")
live_view_signing_salt = System.fetch_env!("LIVE_VIEW_SIGNING_SALT")
wireguard_private_key = System.fetch_env!("WIREGUARD_SERVER_KEY")
wireguard_interface_name = System.fetch_env!("WIREGUARD_INTERFACE_NAME")
wireguard_listen_port = System.fetch_env!("WIREGUARD_LISTEN_PORT")
admin_email = System.fetch_env!("ADMIN_EMAIL")
private_key = System.fetch_env!("WIREGUARD_PRIVATE_KEY")
# Password is not needed if using bundled PostgreSQL, so use nil if it's not set.
database_password = System.get_env("DATABASE_PASSWORD")
default_egress_address =
CLI.exec!("ip route get 8.8.8.8 | grep -oP 'src \\K\\S+'")
|> String.trim()
config :fz_http,
disable_signup: disable_signup
@@ -57,12 +55,12 @@ config :fz_http, FzHttp.Vault,
# https://github.com/danielberkompas/cloak/issues/93
#
# In Cloak 2.0, this will be the default iv length for AES.GCM.
tag: "AES.GCM.V1", key: Base.decode64!(database_encryption_key), iv_length: 12
tag: "AES.GCM.V1", key: Base.decode64!(encryption_key), iv_length: 12
}
]
config :fz_http, FzHttpWeb.Endpoint,
url: [host: url_host, port: phoenix_port],
url: [host: url_host, port: port],
secret_key_base: secret_key_base,
live_view: [
signing_salt: live_view_signing_salt
@@ -71,8 +69,8 @@ config :fz_http, FzHttpWeb.Endpoint,
config :fz_vpn,
wireguard_interface_name: wireguard_interface_name,
wireguard_listen_port: wireguard_listen_port,
wireguard_private_key: wireguard_private_key
wireguard_port: wireguard_port,
wireguard_private_key: private_key
config :fz_http,
admin_email: admin_email
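Review bot: The config still reads `System.fetch_env!("DATBASE_PORT")` and `System.fetch_env!("DATBASE_POOL")` (typo: DATBASE), while the new `Firezone::Config.app_env` in this commit exports `DATABASE_PORT` and `DATABASE_POOL`; `fetch_env!` raises when the variable is absent, so the release fails at boot with this environment. Change the two lines to `database_port = System.fetch_env!("DATABASE_PORT")` and `database_pool = System.fetch_env!("DATABASE_POOL")`. The other renames in this hunk (`PHOENIX_PORT`, `WIREGUARD_PORT`, `WIREGUARD_PRIVATE_KEY`, `DATABASE_ENCRYPTION_KEY`) line up with the keys app_env now sets.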


@@ -30,12 +30,9 @@ license "GPL-2.0"
build do
env = with_standard_compiler_flags(with_embedded_path).merge(
"PREFIX" => "#{install_dir}/embedded",
"RUNSTATEDIR" => "#{install_dir}/embedded/var/run",
"SYSCONFDIR" => "#{install_dir}/embedded/etc",
"DESTDIR" => "#{install_dir}/embedded"
"PREFIX" => "#{install_dir}/embedded"
)
make "-j #{workers}", env: env
make "install", env: env
make "-j #{workers} install", env: env
end
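Review bot: `make "-j #{workers} install"` now builds and installs in a single parallel invocation; if the Makefile's install target does not declare dependencies on the build outputs, make -j can start installing before compilation finishes, which the previous two-step sequence avoided. Keeping `make "-j #{workers}", env: env` followed by `make "install", env: env` preserves the parallel build while serialising the install. Dropping `DESTDIR` means the install lands directly under `PREFIX`, which is presumably intended here.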


@@ -193,8 +193,8 @@ default['firezone']['phoenix']['admin_email'] =
# ## WireGuard
#
# The WireGuard interface settings
default['firezone']['wireguard']['listen_address'] = '0.0.0.0'
default['firezone']['wireguard']['listen_port'] = 15820
default['firezone']['wireguard']['interface_name'] = 'wg-firezone'
default['firezone']['wireguard']['port'] = 11820
# ## Runit
@@ -247,6 +247,9 @@ default['firezone']['database']['port'] = node['firezone']['postgresql']['port']
default['firezone']['database']['pool'] = [10, Etc.nprocessors].max
default['firezone']['database']['extensions'] = { 'plpgsql' => true, 'pg_trgm' => true }
# Uncomment to specify a database password. Not usually needed if using the bundled Postgresql.
# default['firezone']['database']['password'] = 'change_me'
# ## App-specific top-level attributes
#
# These are used by Phoenix. Most will be exported directly to
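Review bot: The commented example `# default['firezone']['database']['password'] = 'change_me'` invites being uncommented with the placeholder left in place, and unlike the other secrets this commit moves into secrets.json, a password set here stays in the attributes file and is exported to the app environment by `app_env`. Consider wording the comment as `# Uncomment and set a real password only when using an external PostgreSQL; the bundled server needs none. Anything set here is exported as DATABASE_PASSWORD, so restrict read access to this file.`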


@@ -51,10 +51,37 @@ class Firezone
node['firezone']['secret_key_base']
else
Chef::Log.warn 'No secret_key_base set! Generating and writing one to secrets.json. If this FireZone installation has multiple hosts, you must duplicate the secrets.json file exactly across all hosts.'
SecureRandom.hex(50)
SecureRandom.base64(48)
end
live_view_signing_salt = if node['firezone'] && node['firezone']['live_view_signing_salt']
Chef::Log.warn 'Using live_view_signing_salt from firezone.json. This value should really be managed in secrets.json. Writing to secrets.json.'
node['firezone']['live_view_signing_salt']
else
Chef::Log.warn 'No live_view_signing_salt set! Generating and writing one to secrets.json. If this FireZone installation has multiple hosts, you must duplicate the secrets.json file exactly across all hosts.'
SecureRandom.base64(24)
end
wireguard_private_key = if node['firezone'] && node['firezone']['wireguard_private_key']
Chef::Log.warn 'Using wireguard_private_key from firezone.json. This value should really be managed in secrets.json. Writing to secrets.json.'
node['firezone']['wireguard_private_key']
else
Chef::Log.warn 'No wireguard_private_key set! Generating and writing one to secrets.json. If this FireZone installation has multiple hosts, you must duplicate the secrets.json file exactly across all hosts.'
`#{node['firezone']['install_dir']}/embedded/bin/wg genkey`.chomp
end
database_encryption_key = if node['firezone'] && node['firezone']['database_encryption_key']
Chef::Log.warn 'Using database_encryption_key from firezone.json. This value should really be managed in secrets.json. Writing to secrets.json.'
node['firezone']['database_encryption_key']
else
Chef::Log.warn 'No database_encryption_key set! Generating and writing one to secrets.json. If this FireZone installation has multiple hosts, you must duplicate the secrets.json file exactly across all hosts.'
SecureRandom.base64(32)
end
secrets = { 'secret_key_base' => secret_key_base }
secrets = {
'secret_key_base' => secret_key_base,
'live_view_signing_salt' => live_view_signing_salt,
'wireguard_private_key' => wireguard_private_key,
'database_encryption_key' => database_encryption_key
}
open(filename, 'w') do |file|
file.puts Chef::JSONCompat.to_json_pretty(secrets)
@@ -156,6 +183,33 @@ class Firezone
end
end
def self.app_env(attributes)
env = {
'MIX_ENV' => 'prod',
'DATABASE_NAME' => attributes['database']['name'],
'DATABASE_USER' => attributes['database']['user'],
'DATABASE_HOST' => attributes['database']['host'],
'DATABASE_PORT' => attributes['database']['port'],
'DATABASE_POOL' => attributes['database']['pool'],
'PHOENIX_PORT' => attributes['phoenix']['port'],
'URL_HOST' => attributes['url_host'],
'ADMIN_EMAIL' => attributes['admin_email'],
'WIREGUARD_INTERFACE_NAME' => node['firezone']['wireguard']['interface_name'],
'WIREGUARD_PORT' => node['firezone']['wireguard']['port'],
# secrets
'SECRET_KEY_BASE' => attributes['secret_key_base'],
'LIVE_VIEW_SIGNING_SALT' => attributes['live_view_signing_salt'],
'WIREGUARD_PRIVATE_KEY' => attributes['wireguard_private_key'],
'DATABASE_ENCRYPTION_KEY' => attributes['database_encryption_key']
}
if attributes.dig('database', 'password')
env.merge!('DATABASE_PASSWORD' => attributes['database']['password'])
end
end
def self.create_directory!(filename)
dir = File.dirname(filename)
FileUtils.mkdir(dir, mode: 0700) unless Dir.exist?(dir)
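Review bot: `app_env` returns nil whenever no database password is configured, because the trailing `if attributes.dig('database', 'password')` is the method's last expression and evaluates to nil when false; the recipe hunk in the next file then calls `environment(nil)` for the migration. Add `env` as the final line of the method (or write `env.merge!('DATABASE_PASSWORD' => attributes['database']['password']) if attributes.dig('database', 'password')` followed by `env`). The two WireGuard entries also reference `node`, which is not a parameter of this class method and, unless `Config` defines a `node` accessor, raises NameError; the caller passes `node['firezone']` as `attributes`, so `attributes['wireguard']['interface_name']` and `attributes['wireguard']['port']` would match the other entries. Integer attributes such as `pool` (set to `[10, Etc.nprocessors].max` in the attributes file) may need `.to_s`, since environment variable values must be strings. In the earlier hunk, `open(filename, 'w')` writes the generated secrets with default permissions; `File.open(filename, 'w', 0o600)` would keep secrets.json owner-only like the 0700 directory from `create_directory!`, and the `wg genkey` backtick call should check `$?.success?` so a failed key generation does not persist an empty private key.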


@@ -45,9 +45,6 @@ end
execute 'database schema' do
command 'bin/firezone eval "FzHttp.Release.migrate"'
cwd node['firezone']['app_directory']
attributes = node['firezone'].merge(
'force_ssl' => node['firezone']['nginx']['force_ssl']
)
environment(attributes.transform_keys(&:upcase))
environment(Firezone::Config.app_env(node['firezone']))
user node['firezone']['user']
end