Merge pull request #148 from CloudFire-LLC/144/revert_config

Revert back to using deb for releases
This commit is contained in:
Jamil
2021-07-09 16:29:54 -07:00
committed by GitHub
42 changed files with 1080 additions and 330 deletions


@@ -1,13 +0,0 @@
#!/usr/bin/env bash
set -e
od=$(pwd)
mix local.hex --force && mix local.rebar --force
mix do deps.get, deps.compile
cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
cd $od
npm run --prefix apps/cf_http/assets deploy
cd apps/cf_http
mix phx.digest
cd $od
mix release --overwrite --force

20
.ci/build_ubuntu_18.04.sh Executable file

@@ -0,0 +1,20 @@
#!/usr/bin/env bash
set -e
OS="ubuntu_18.04"
ARCH=${MATRIX_ARCH:-`uname -m`}
PKG_DIR="${OS}_${ARCH}"
PKG_FILE="${PKG_DIR}.deb"
IMAGE="${OS}_${ARCH}:latest"
docker build \
-t $IMAGE \
-f pkg/Dockerfile.$OS \
--platform linux/$ARCH \
--build-arg PKG_DIR=$PKG_DIR \
--progress plain \
.
CID=$(docker create $IMAGE)
mkdir -p _build
docker cp $CID:/build/pkg/$PKG_FILE ./_build/cloudfire_$PKG_FILE
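Review bot: The `uname -m` fallback in `ARCH=${MATRIX_ARCH:-\`uname -m\`}` yields `x86_64`/`aarch64`, while the workflow's artifact name (`cloudfire_${{ matrix.os }}_${{ matrix.arch }}.deb`) and the package control file use the Debian names `amd64`/`arm64`, so a run without MATRIX_ARCH set writes a .deb under a name the workflow does not look for. The container created by `docker create` is never removed, every expansion is unquoted, and the backticks are the legacy form of `$(...)`. `.ci/build_ubuntu_20.04.sh` has the same body and needs the same change.
```bash
set -euo pipefail
OS="ubuntu_18.04"
ARCH=${MATRIX_ARCH:-$(uname -m)}
# Map kernel arch names to the Debian names used by the workflow matrix and the control file.
case "$ARCH" in
  x86_64) ARCH=amd64 ;;
  aarch64) ARCH=arm64 ;;
esac
# … unchanged: PKG_DIR, PKG_FILE, IMAGE and the docker build …
CID=$(docker create "$IMAGE")
trap 'docker rm "$CID" >/dev/null' EXIT
mkdir -p _build
docker cp "$CID:/build/pkg/$PKG_FILE" "./_build/cloudfire_$PKG_FILE"
```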

20
.ci/build_ubuntu_20.04.sh Executable file

@@ -0,0 +1,20 @@
#!/usr/bin/env bash
set -e
OS="ubuntu_20.04"
ARCH=${MATRIX_ARCH:-`uname -m`}
PKG_DIR="${OS}_${ARCH}"
PKG_FILE="${PKG_DIR}.deb"
IMAGE="${OS}_${ARCH}:latest"
docker build \
-t $IMAGE \
-f pkg/Dockerfile.$OS \
--platform linux/$ARCH \
--build-arg PKG_DIR=$PKG_DIR \
--progress plain \
.
CID=$(docker create $IMAGE)
mkdir -p _build
docker cp $CID:/build/pkg/$PKG_FILE ./_build/cloudfire_$PKG_FILE


@@ -1,27 +1,24 @@
#!/usr/bin/env bash
set -e
set -x
chmod +x cloudfire
sudo apt-get update
sudo apt-get install -y -q postgresql \
wireguard iptables net-tools curl ca-certificates
sudo systemctl start postgresql
sudo dpkg -i *.deb
# Needed because binaries built with Bakeware assume directory exists
mkdir $HOME/.cache
echo "Initializing default config..."
curl https://raw.githubusercontent.com/CloudFire-LLC/cloudfire/${GITHUB_SHA}/scripts/init_config.sh | bash -
# Create DB
export PGPASSWORD=postgres # used by psql
sudo -E -u postgres psql -d postgres -h localhost -c "CREATE DATABASE cloudfire;"
# Start by running migrations always
./cloudfire eval "CfHttp.Release.migrate"
# Start in the background
./cloudfire &
echo "Enabling service..."
sudo systemctl start cloudfire
# Wait for app to start
sleep 10
echo "Service status..."
sudo systemctl status cloudfire.service
echo "Printing service logs..."
sudo journalctl -u cloudfire.service
echo "Trying to load homepage..."
curl -i -vvv -k https://$(hostname):8800/
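Review bot: The closing `curl -i -vvv -k https://$(hostname):8800/` cannot fail the job on a broken page, because curl exits 0 for any HTTP response including a 500, so the step only proves the port answers; `curl -sS --fail -i -k "https://$(hostname):8800/"` makes an error status fail the test. `-k` is presumably needed only because the post-install script generates a self-signed certificate at `/opt/cloudfire/ssl/cert.pem`; passing that file with `--cacert` instead of `-k` should also confirm the service is serving the key it generated. The fixed `sleep 10` before `systemctl status` is the likeliest source of flakiness; a bounded retry loop that polls the endpoint is more robust than a constant. Since the `+`/`-` markers were lost in rendering, some of these lines may be unchanged context rather than part of this change.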


@@ -3,9 +3,9 @@ set -e
os_name='ubuntu~bionic'
curl -O https://packages.erlang-solutions.com/erlang/debian/pool/esl-erlang_24.0.2-1~${os_name}_${arch}.deb
curl -O https://packages.erlang-solutions.com/erlang/debian/pool/esl-erlang_24.0.2-1~${os_name}_${MATRIX_ARCH}.deb
curl -O https://packages.erlang-solutions.com/erlang/debian/pool/elixir_1.12.0-1~${os_name}_all.deb
gdebi --non-interactive *.deb
curl -sL https://deb.nodesource.com/setup_14.x | bash -
apt-get install -y -q gcc g++ make nodejs cargo
apt-get install -y -q gcc g++ make nodejs
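Review bot: In the new `curl -O ...esl-erlang_24.0.2-1~${os_name}_${MATRIX_ARCH}.deb` line an unset MATRIX_ARCH expands to an empty string (the script has `set -e` but not `-u`), and because `curl -O` is used without `-f` a 404 error page is saved under the .deb name and only `gdebi` fails one step later; `: "${MATRIX_ARCH:?MATRIX_ARCH must be set}"` before the downloads and `curl -fsSLO` for each of them make the failure immediate and explicit. None of the downloaded packages is integrity-checked before `gdebi --non-interactive *.deb` installs them as root, and `curl -sL https://deb.nodesource.com/setup_14.x | bash -` executes a remote script unverified; recording expected checksums in the repo and checking them with `sha256sum -c` before installing would make this step reproducible. The enclosing script starts before this hunk.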


@@ -13,10 +13,18 @@ jobs:
POSTGRES_HOST: localhost
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
MATRIX_OS: ubuntu-18.04
arch: amd64
MATRIX_ARCH: amd64
strategy:
matrix:
postgres:
- postgres:9.6
- postgres:10
- postgres:11
- postgres:12
- postgres:13
services:
postgres:
image: postgres:13
image: ${{ matrix.postgres }}
ports:
- 5432:5432
env:
@@ -56,123 +64,144 @@ jobs:
name: test screenshots
path: apps/cf_http/screenshots
build-linux:
build:
needs: unit-integration-test
runs-on: ubuntu-18.04
name: Build on {{ matrix.arch }}
runs-on: ubuntu-20.04
name: Build
env:
arch: ${{ matrix.arch }}
MATRIX_ARCH: ${{ matrix.arch }}
MATRIX_OS: ${{ matrix.os }}
MIX_ENV: prod
strategy:
matrix:
os:
# - amazonlinux_2
# - debian_10
- ubuntu_18.04
- ubuntu_20.04
# - redhat_7
# - redhat_8
# - centos_7
# - centos_8
include:
- arch: amd64
- arch: arm64
# XXX: This currently takes upwards of 10 minutes or more. Disabling for now
# - arch: arm64
steps:
- uses: actions/checkout@v2
- uses: satackey/action-docker-layer-caching@v0.0.11
continue-on-error: false
with:
key: docker-cache-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
restore-keys: |
docker-cache-${{ matrix.os }}-${{ matrix.arch }}-
# amd64 build
- if: ${{ matrix.arch == 'amd64' }}
run: |
sudo apt-get install -q -y zstd gdebi
sudo -E bash -c '.ci/install_runtimes.sh'
sudo -E bash -c '.ci/build_release.sh'
run: .ci/build_${{ matrix.os }}.sh
# arm64 build
# XXX: This currently takes upwards of 10 minutes or more. Disabling for
# now.
# - uses: uraimo/run-on-arch-action@v2.0.10
# if: ${{ matrix.arch == 'arm64' }}
# name: Run on arm64
# with:
# arch: aarch64
# install: |
# # No obvious way to load a script file here, so needs inlining :-(
# apt-get update -q -y
# apt-get install -q -y gcc g++ make curl gdebi zstd
#
# curl -O https://packages.erlang-solutions.com/erlang/debian/pool/esl-erlang_24.0.2-1~ubuntu~bionic_arm64.deb
# curl -O https://packages.erlang-solutions.com/erlang/debian/pool/elixir_1.12.0-1~ubuntu~bionic_all.deb
# gdebi --non-interactive esl-erlang_24.0.2-1~ubuntu~bionic_arm64.deb
# gdebi --non-interactive elixir_1.12.0-1~ubuntu~bionic_all.deb
#
# curl -sL https://deb.nodesource.com/setup_14.x | bash -
# apt-get install -y -q nodejs
# dockerRunArgs: |
# --volume "${PWD}:/app"
# distro: ubuntu18.04
# env: |
# arch: arm64
# githubToken: ${{ github.token }}
# run: |
# cd /app
# bash -c '.ci/build_release.sh'
- uses: uraimo/run-on-arch-action@v2.0.10
if: ${{ matrix.arch == 'arm64' }}
with:
arch: aarch64
install: |
# No obvious way to load a script file here, so needs inlining :-(
apt-get update -q -y
apt-get install -q -y gcc g++ make curl gdebi zstd
curl -O https://packages.erlang-solutions.com/erlang/debian/pool/esl-erlang_24.0.2-1~ubuntu~bionic_arm64.deb
curl -O https://packages.erlang-solutions.com/erlang/debian/pool/elixir_1.12.0-1~ubuntu~bionic_all.deb
gdebi --non-interactive esl-erlang_24.0.2-1~ubuntu~bionic_arm64.deb
gdebi --non-interactive elixir_1.12.0-1~ubuntu~bionic_all.deb
curl -sL https://deb.nodesource.com/setup_14.x | bash -
apt-get install -y -q nodejs
dockerRunArgs: |
--volume "${PWD}:/app"
distro: ubuntu18.04
env: |
arch: arm64
githubToken: ${{ github.token }}
run: |
cd /app
bash -c '.ci/build_release.sh'
- uses: actions/upload-artifact@v2
with:
name: cloudfire-${{ matrix.arch }}
path: _build/prod/rel/bakeware/cloudfire
name: cloudfire_${{ matrix.os }}_${{ matrix.arch }}.deb
path: _build/cloudfire_${{ matrix.os }}_${{ matrix.arch }}.deb
functional-test:
needs: build-linux
runs-on: ${{ matrix.os }}
needs: build
runs-on: ubuntu-20.04
strategy:
matrix:
os: [ubuntu-18.04]
os:
# - amazonlinux_2
# - debian_10
- ubuntu_18.04
- ubuntu_20.04
# - redhat_7
# - redhat_8
# - centos_7
# - centos_8
include:
- arch: amd64
# - arch: arm64
env:
MATRIX_OS: ${{ matrix.os }}
services:
postgres:
image: postgres:13
ports:
- 5432:5432
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
MATRIX_ARCH: ${{ matrix.arch }}
DEBIAN_FRONTEND: noninteractive
steps:
- uses: actions/checkout@v2
- uses: actions/download-artifact@v2
with:
name: cloudfire-amd64
- run: sudo apt-get install -q -y wireguard
name: cloudfire_${{ matrix.os }}_${{ matrix.arch }}.deb
path: ./
- name: Test Install package
env:
DEBIAN_FRONTEND: noninteractive
run: .ci/functional_test.sh
#
# publish:
# needs: functional-test
# runs-on: ${{ matrix.os }}
# strategy:
# matrix:
# os: [ubuntu-20.04]
# if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
# steps:
# - name: Create Release
# id: create_release
# uses: actions/create-release@v1
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# tag_name: ${{ github.ref }}
# release_name: Release ${{ github.ref }}
# draft: false
# prerelease: true
# - uses: actions/download-artifact@v2
# with:
# name: cloudfire-deb
# - name: Upload Release Asset
# id: upload-release-asset
# uses: actions/upload-release-asset@v1
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ steps.create_release.outputs.upload_url }}
# asset_path: ./cloudfire_${{ github.sha }}-1_${{ matrix.os }}_amd64.deb
# asset_name: cloudfire_${{ matrix.os }}_amd64.deb
# asset_content_type: application/vnd.debian.binary-package
publish:
needs: functional-test
runs-on: ubuntu-20.04
strategy:
matrix:
os:
# - amazonlinux_2
# - debian_10
- ubuntu_18.04
- ubuntu_20.04
# - redhat_7
# - redhat_8
# - centos_7
# - centos_8
include:
- arch: amd64
# - arch: arm64
if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
steps:
- name: Create Release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: Release ${{ github.ref }}
draft: false
prerelease: true
- uses: actions/download-artifact@v2
with:
name: cloudfire_${{ matrix.os }}_${{ matrix.arch }}
path: ./
- name: Upload Release Asset
id: upload-release-asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ./cloudfire_${{ matrix.os }}_${{ matrix.arch }}.deb
asset_name: ${{ matrix.os }}_${{ matrix.arch }}
asset_content_type: application/vnd.debian.binary-package
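Review bot: In the publish job the artifact is downloaded as `name: cloudfire_${{ matrix.os }}_${{ matrix.arch }}`, but the build job uploads it as `cloudfire_${{ matrix.os }}_${{ matrix.arch }}.deb` (the functional-test job uses that suffixed name), so the download step looks likely to fail with an artifact-not-found error; `asset_name: ${{ matrix.os }}_${{ matrix.arch }}` likewise drops the `cloudfire_` prefix and `.deb` extension the other jobs use. Because publish runs once per matrix entry and each run calls `actions/create-release@v1` for the same `github.ref`, the second entry will presumably hit an already-existing release; creating the release in one job and uploading the per-OS assets from a dependent job avoids that. The third-party actions `satackey/action-docker-layer-caching@v0.0.11` and `uraimo/run-on-arch-action@v2.0.10` run with the checkout and `${{ github.token }}` but are pinned to mutable tags; pinning them to a full commit SHA removes the risk of a moved tag changing what runs. The old/new side of several lines is inferred, since the `+`/`-` markers were lost in rendering.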


@@ -1,4 +1,3 @@
erlang 24.0.3
elixir 1.12.1-otp-24
elixir 1.12.2-otp-24
nodejs lts
rust system


@@ -45,22 +45,18 @@ For now, `cloudfire` assumes these apps are all running on the same host.
Prerequisites:
1. Postgresql Server 9.6 or higher. Access can be configured in
`~/.cloudfire/config.json` after installation.
`/opt/cloudfire/config.env` after installation.
2. `wg`, `openssl`, `ip`, and `iptables` must be in your PATH.
Then you can install `cloudfire` with:
`curl https://raw.githubusercontent.com/CloudFire-LLC/cloudfire/master/scripts/install.sh | bash -`
This will download the `cloudfire` binary, initialize the config directory, and
print further instructions to the console.
Then you can install `cloudfire` by [downloading the appropriate package
from the releases page](https://github.com/CloudFire-LLC/cloudfire/releases).
## Creating additional admin users
You may create additional admin users with the following command:
```bash
cloudfire rpc 'CfHttp.Users.create_user(
/opt/cloudfire/bin/cloudfire rpc 'CfHttp.Users.create_user(
email: "USER_EMAIL",
password: "USER_PASSWORD",
password_confirmation: "USER_PASSWORD"


@@ -1,26 +0,0 @@
defmodule CfCommon.ConfigFile do
@moduledoc """
Common config file operations.
"""
def load! do
%{} = Jason.decode!(file_module().read!(config_path()))
end
def write!(config) do
config_path()
|> file_module().write!(Jason.encode!(config), [:write])
end
def exists? do
file_module().exists?(config_path())
end
defp config_path do
System.fetch_env!("HOME") <> "/.cloudfire/config.json"
end
defp file_module do
Application.fetch_env!(:cf_common, :config_file_module)
end
end


@@ -1,23 +0,0 @@
defmodule CfCommon.FakeFile do
@moduledoc """
Provides mocked file operations for testing ConfigFile
"""
@json ~s({
"database_url": "ecto://postgres:postgres@127.0.0.1/cloudfire",
"secret_key_base": "fMjyDw9RpP5+f8klEmeEWnBQKd2H7uKH/PQpOTug6vybretclzaE1k4Y3O2Bw8lX",
"live_view_signing_salt": "EHcSipS+bFTFYMbFmvVR8lAuwYyfqcTE",
"db_encryption_key": "8Wgh3dPubt6q4Y1PlYRuG9v50zQE+QTUzh8mJnkw+jc=",
"ssl_cert_file": "$HOME/.cloudfire/ssl/cert.pem",
"ssl_key_file": "$HOME/.cloudfire/ssl/key.pem",
"url_host": "localhost",
"wg_server_key": "KDp9lQ6OAi/VrfgYo5VIAqCJFs1Gs55GZRDoA7W8500=",
"https_listen_port": "8800",
"https_listen_address": "127.0.0.1",
"wg_listen_port": "51820"
})
def read!(_), do: @json
def write!(_, _, [:write]), do: :ok
def exists?(_), do: true
end


@@ -1,37 +0,0 @@
defmodule CfCommon.ConfigFileTest do
use ExUnit.Case, async: true
alias CfCommon.ConfigFile
@expected_config %{
"database_url" => "ecto://postgres:postgres@127.0.0.1/cloudfire",
"secret_key_base" => "fMjyDw9RpP5+f8klEmeEWnBQKd2H7uKH/PQpOTug6vybretclzaE1k4Y3O2Bw8lX",
"live_view_signing_salt" => "EHcSipS+bFTFYMbFmvVR8lAuwYyfqcTE",
"db_encryption_key" => "8Wgh3dPubt6q4Y1PlYRuG9v50zQE+QTUzh8mJnkw+jc=",
"ssl_cert_file" => "$HOME/.cloudfire/ssl/cert.pem",
"ssl_key_file" => "$HOME/.cloudfire/ssl/key.pem",
"url_host" => "localhost",
"wg_server_key" => "KDp9lQ6OAi/VrfgYo5VIAqCJFs1Gs55GZRDoA7W8500=",
"https_listen_port" => "8800",
"https_listen_address" => "127.0.0.1",
"wg_listen_port" => "51820"
}
describe "load!" do
test "loads stubbed config" do
assert ConfigFile.load!() == @expected_config
end
end
describe "write!" do
test "returns :ok" do
assert ConfigFile.write!(@expected_config) == :ok
end
end
describe "exists?" do
test "returns true" do
assert ConfigFile.exists?()
end
end
end


@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="468px" height="100px" viewBox="0 0 468 100" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<svg width="418px" height="102px" viewBox="0 0 418 102" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 48.2 (47327) - http://www.bohemiancoding.com/sketch -->
<title>Slice</title>
<title>Group</title>
<desc>Created with Sketch.</desc>
<defs></defs>
<g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="Group">
<text id="CloudFire" font-family="Copperplate" font-size="64" font-weight="normal" fill="#000000">
<tspan x="130" y="81">CloudFire</tspan>
<text id="FireZone" font-family="Copperplate" font-size="64" font-weight="normal" fill="#000000">
<tspan x="130" y="81">FireZone</tspan>
</text>
<g id="logo">
<path d="M78,0 C106.929245,20.432184 76.9805386,65.7158066 87.5490618,84 C65.8312154,57.5738976 95.4207963,34.8637635 78,0 Z" id="path6" fill="#CF5C00"></path>



@@ -18,7 +18,7 @@ defmodule CfVpn.CLI.Live do
import CfCommon.CLI
def setup do
# create_interface()
create_interface()
setup_iptables()
up_interface()
end
@@ -26,7 +26,7 @@ defmodule CfVpn.CLI.Live do
def teardown do
down_interface()
teardown_iptables()
# delete_interface()
delete_interface()
end
@doc """


@@ -3,33 +3,23 @@
# although such is generally not recommended and you have to
# remember to add this file to your .gitignore.
import Config
alias CfCommon.{CLI, ConfigFile}
unless ConfigFile.exists?() do
raise(~s"""
Config file ~/.cloudfire/config.json not found. Try initializing a default one with:
curl https://raw.githubusercontent.com/CloudFire-LLC/cloudfire/master/scripts/init_config.sh | bash -
""")
end
config_file = ConfigFile.load!()
alias CfCommon.CLI
# Required environment variables
database_url = Map.fetch!(config_file, "database_url")
secret_key_base = Map.fetch!(config_file, "secret_key_base")
live_view_signing_salt = Map.fetch!(config_file, "live_view_signing_salt")
ssl_cert_file = Map.fetch!(config_file, "ssl_cert_file")
ssl_key_file = Map.fetch!(config_file, "ssl_key_file")
database_url = System.fetch_env!("DATABASE_URL")
secret_key_base = System.fetch_env!("SECRET_KEY_BASE")
live_view_signing_salt = System.fetch_env!("LIVE_VIEW_SIGNING_SALT")
ssl_cert_file = System.fetch_env!("SSL_CERT_FILE")
ssl_key_file = System.fetch_env!("SSL_KEY_FILE")
disable_signup =
case config_file["disable_signup"] do
case System.get_env("DISABLE_SIGNUP") do
d when d in ["1", "yes"] -> true
_ -> false
end
ssl_ca_cert_file =
case config_file["ssl_ca_cert_file"] do
case System.get_env("SSL_CA_CERT_FILE") do
"" -> nil
s = _ -> s
end
@@ -41,10 +31,10 @@ default_egress_address =
# Optional environment variables
pool_size = max(:erlang.system_info(:logical_processors_available), 10)
queue_target = 500
https_listen_port = String.to_integer(Map.get(config_file, "https_listen_port", "8800"))
wg_listen_port = Map.get(config_file, "wg_listen_port", "51820")
wg_endpoint_address = Map.get(config_file, "wg_endpoint_address", default_egress_address)
url_host = Map.get(config_file, "url_host", "localhost")
https_listen_port = String.to_integer(System.get_env("HTTPS_LISTEN_PORT", "8800"))
wg_listen_port = System.get_env("WG_LISTEN_PORT", "51820")
wg_endpoint_address = System.get_env("WG_ENDPOINT_ADDRESS", default_egress_address)
url_host = System.get_env("URL_HOST", "localhost")
config :cf_http,
disable_signup: disable_signup
@@ -76,7 +66,7 @@ config :cf_http, CfHttpWeb.Endpoint,
config :cf_vpn,
vpn_endpoint: wg_endpoint_address <> ":" <> wg_listen_port,
private_key: Map.fetch!(config_file, "wg_server_key") |> String.trim()
private_key: File.read!("/opt/cloudfire/server.key") |> String.trim()
# ## Using releases (Elixir v1.9+)
#
@@ -96,7 +86,7 @@ config :cf_http, CfHttp.Vault,
#
# In Cloak 2.0, this will be the default iv length for AES.GCM.
tag: "AES.GCM.V1",
key: Base.decode64!(Map.fetch!(config_file, "db_encryption_key")),
key: Base.decode64!(System.fetch_env!("DB_ENCRYPTION_KEY")),
iv_length: 12
}
]
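Review bot: The WireGuard private key is read from the hard-coded path `File.read!("/opt/cloudfire/server.key")`, while every other secret in this file now comes from the environment; `File.read!(System.get_env("WG_SERVER_KEY_FILE", "/opt/cloudfire/server.key"))` keeps the default and lets an operator relocate the key the same way `SSL_KEY_FILE` already allows. Since `SECRET_KEY_BASE`, `DB_ENCRYPTION_KEY` and `DATABASE_URL` are now taken from the process environment, the file that supplies them (`/opt/cloudfire/config.env` per the README change) must stay readable only by the service user; the post-install script's `umask 077` appears to cover creation, but nothing in this config re-checks it. The `SSL_CA_CERT_FILE` case only maps the empty string to nil, and an unset variable already yields nil from `System.get_env`; a comment such as `# unset or empty both mean "no CA bundle"` would make that intent explicit. The surrounding config continues outside these hunks.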


@@ -22,15 +22,13 @@ defmodule CloudfireUmbrella.MixProject do
default_release: :cloudfire,
releases: [
cloudfire: [
# Don't seem to be needed for bakeware releases
# include_executables_for: [:unix],
include_executables_for: [:unix],
validate_compile_env: false,
applications: [
cf_http: :permanent,
cf_wall: :permanent,
cf_vpn: :permanent
],
steps: [:assemble, &Bakeware.assemble/1],
cookie: System.get_env("ERL_COOKIE")
]
]
@@ -44,7 +42,6 @@ defmodule CloudfireUmbrella.MixProject do
# Run "mix help deps" for examples and options.
defp deps do
[
{:bakeware, "~> 0.2.0", runtime: false},
{:excoveralls, "~> 0.13", only: :test},
{:mix_test_watch, "~> 1.0", only: :dev, runtime: false},
{:dialyxir, "~> 1.0", only: [:dev], runtime: false}


@@ -1,6 +1,5 @@
%{
"argon2_elixir": {:hex, :argon2_elixir, "2.4.0", "2a22ea06e979f524c53b42b598fc6ba38cdcbc977a155e33e057732cfb1fb311", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "4ea82e183cf8e7f66dab1f767fedcfe6a195e140357ef2b0423146b72e0a551d"},
"bakeware": {:hex, :bakeware, "0.2.0", "e2efb323cc25e857ac2869f0d25a92cac55ed6e1f53399cb5c035d211d27d5ce", [:make, :mix], [{:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "cad65fcf20162d60c2a159238d1ebfa1f9763b5d671b0992caf1777be42fe3ae"},
"bamboo": {:hex, :bamboo, "1.7.1", "7f0946e8c9081ce10d347cdba33c247c7c1c4f7dddc194ab0633603ef879bbdf", [:mix], [{:hackney, ">= 1.15.2", [hex: :hackney, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:mime, "~> 1.4", [hex: :mime, repo: "hexpm", optional: false]}, {:phoenix, "~> 1.1", [hex: :phoenix, repo: "hexpm", optional: true]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "5fb34c3ab638fc409deec47c1e91f9d78ad95bf22ccb153588b434e1ff1aa730"},
"bunt": {:hex, :bunt, "0.2.0", "951c6e801e8b1d2cbe58ebbd3e616a869061ddadcc4863d0a2182541acae9a38", [:mix], [], "hexpm", "7af5c7e09fe1d40f76c8e4f9dd2be7cebd83909f31fee7cd0e9eadc567da8353"},
"certifi": {:hex, :certifi, "2.6.1", "dbab8e5e155a0763eea978c913ca280a6b544bfa115633fa20249c3d396d9493", [:rebar3], [], "hexpm", "524c97b4991b3849dd5c17a631223896272c6b0af446778ba4675a1dff53bb7e"},

62
pkg/Dockerfile.centos_7 Normal file

@@ -0,0 +1,62 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/cf_http/mix.exs ./apps/cf_http/
COPY apps/cf_wall/mix.exs ./apps/cf_wall/
COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
RUN mix do deps.get, deps.compile
COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/cf_http/priv apps/cf_http/priv
COPY apps/cf_http/assets apps/cf_http/assets
RUN npm run --prefix ./apps/cf_http/assets deploy && \
cd apps/cf_http && mix phx.digest
COPY . .
RUN mix release cloudfire
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
RUN cd pkg && dpkg-deb --build debian
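Review bot: `pkg/Dockerfile.centos_7` is a verbatim copy of the Ubuntu pipeline — it starts `FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008` and ends with `dpkg-deb --build debian`, producing a .deb rather than an RPM — and the same holds for `pkg/Dockerfile.centos_8`, `pkg/Dockerfile.debian_10`, `pkg/Dockerfile.redhat_7` and `pkg/Dockerfile.redhat_8`; since these targets are commented out in the workflow matrix, a first-line `# TODO: placeholder copied from the Ubuntu Dockerfile; not yet a working build for this OS` would stop readers assuming they work. They also lack the `ARG PKG_DIR` that the `.ci/build_*.sh` scripts pass with `--build-arg PKG_DIR=`, pin Elixir 1.11.2/OTP 23 against the 1.12.2/OTP 24 used by the Ubuntu files and `.tool-versions`, and use `RUN apt-get install nodejs` without `-y`, which I expect to abort at the confirmation prompt in a non-interactive build. The `curl -sL https://deb.nodesource.com/setup_10.x | bash -` line additionally installs an end-of-life Node line through an unverified remote script run as root.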

62
pkg/Dockerfile.centos_8 Normal file

@@ -0,0 +1,62 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/cf_http/mix.exs ./apps/cf_http/
COPY apps/cf_wall/mix.exs ./apps/cf_wall/
COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
RUN mix do deps.get, deps.compile
COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/cf_http/priv apps/cf_http/priv
COPY apps/cf_http/assets apps/cf_http/assets
RUN npm run --prefix ./apps/cf_http/assets deploy && \
cd apps/cf_http && mix phx.digest
COPY . .
RUN mix release cloudfire
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
RUN cd pkg && dpkg-deb --build debian

62
pkg/Dockerfile.debian_10 Normal file

@@ -0,0 +1,62 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/cf_http/mix.exs ./apps/cf_http/
COPY apps/cf_wall/mix.exs ./apps/cf_wall/
COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
RUN mix do deps.get, deps.compile
COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/cf_http/priv apps/cf_http/priv
COPY apps/cf_http/assets apps/cf_http/assets
RUN npm run --prefix ./apps/cf_http/assets deploy && \
cd apps/cf_http && mix phx.digest
COPY . .
RUN mix release cloudfire
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
RUN cd pkg && dpkg-deb --build debian

62
pkg/Dockerfile.redhat_7 Normal file

@@ -0,0 +1,62 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/cf_http/mix.exs ./apps/cf_http/
COPY apps/cf_wall/mix.exs ./apps/cf_wall/
COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
RUN mix do deps.get, deps.compile
COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/cf_http/priv apps/cf_http/priv
COPY apps/cf_http/assets apps/cf_http/assets
RUN npm run --prefix ./apps/cf_http/assets deploy && \
cd apps/cf_http && mix phx.digest
COPY . .
RUN mix release cloudfire
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
RUN cd pkg && dpkg-deb --build debian

62
pkg/Dockerfile.redhat_8 Normal file

@@ -0,0 +1,62 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/cf_http/mix.exs ./apps/cf_http/
COPY apps/cf_wall/mix.exs ./apps/cf_wall/
COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
RUN mix do deps.get, deps.compile
COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/cf_http/priv apps/cf_http/priv
COPY apps/cf_http/assets apps/cf_http/assets
RUN npm run --prefix ./apps/cf_http/assets deploy && \
cd apps/cf_http && mix phx.digest
COPY . .
RUN mix release cloudfire
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/cloudfire pkg/debian/opt/cloudfire
RUN cd pkg && dpkg-deb --build debian


@@ -0,0 +1,67 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.12.2-erlang-24.0.3-ubuntu-bionic-20210325
# Overridden by build script
ARG PKG_DIR
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
gdebi \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -
RUN apt-get install -y --no-install-recommends nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/cf_http/mix.exs ./apps/cf_http/
COPY apps/cf_wall/mix.exs ./apps/cf_wall/
COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
COPY apps/cf_common/mix.exs ./apps/cf_common/
RUN mix do deps.get, deps.compile
COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/cf_http/priv apps/cf_http/priv
COPY apps/cf_http/assets apps/cf_http/assets
RUN npm run --prefix ./apps/cf_http/assets deploy && \
cd apps/cf_http && mix phx.digest
COPY . .
RUN mix release
RUN mkdir -p pkg/$PKG_DIR/opt
RUN mv _build/prod/rel/cloudfire pkg/$PKG_DIR/opt/cloudfire
RUN cd pkg && dpkg-deb --build $PKG_DIR
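Review bot: The header comment still says "this script has been deprecated in favor of building the release in the production environment", yet this commit makes these Dockerfiles the release path that `.ci/build_ubuntu_*.sh` and the publish job depend on; the comment (repeated in the focal variant in the next section) should describe the actual role, e.g. `# Builds the cloudfire release and packages it as a .deb under pkg/$PKG_DIR; invoked by .ci/build_<os>.sh.`. `COPY . .` late in the build copies the entire build context — `.git`, a developer's local `_build`, any untracked env or key files — into an image that is then exported with `docker cp`; if the repository does not yet have a `.dockerignore`, adding one that excludes those paths is the cheapest fix. `RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -` runs an unverified remote script as root inside the build; installing a pinned Node package with a recorded checksum, or the distribution's packaged nodejs, keeps the build reproducible. The file path for this section is not visible on the page; the bionic base image is what identifies it as the 18.04 variant.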


@@ -0,0 +1,67 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.12.2-erlang-24.0.3-ubuntu-focal-20210325
# Overridden by build script
ARG PKG_DIR
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
gdebi \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -
RUN apt-get install -y --no-install-recommends nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/cf_http/mix.exs ./apps/cf_http/
COPY apps/cf_wall/mix.exs ./apps/cf_wall/
COPY apps/cf_vpn/mix.exs ./apps/cf_vpn/
COPY apps/cf_common/mix.exs ./apps/cf_common/
RUN mix do deps.get, deps.compile
COPY apps/cf_http/assets/package.json apps/cf_http/assets/package-lock.json ./apps/cf_http/assets/
RUN cd apps/cf_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/cf_http/priv apps/cf_http/priv
COPY apps/cf_http/assets apps/cf_http/assets
RUN npm run --prefix ./apps/cf_http/assets deploy && \
cd apps/cf_http && mix phx.digest
COPY . .
RUN mix release
RUN mkdir -p pkg/$PKG_DIR/opt
RUN mv _build/prod/rel/cloudfire pkg/$PKG_DIR/opt/cloudfire
RUN cd pkg && dpkg-deb --build $PKG_DIR


@@ -0,0 +1,11 @@
Package: cloudfire
Version: 0.1.7-1
Architecture: amd64
Maintainer: CloudFire, LLC <dpkg@cloudfire.network>
Depends: net-tools (>= 1.60+git20161116.90da8a0-1ubuntu1), systemd (>= 237-3ubuntu10.48), openssl (>= 1.1.1-1ubuntu2.1~18.04.9), wireguard (>= 1.0.20200319-1ubuntu1), postgresql (>= 9.6), iptables (>= 1.6.1-2ubuntu2)
Section: net
Priority: optional
Homepage: https://cloudfire.network
Description: Web UI + Firewall manager for WireGuard™
Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
set up firewall rules for your devices.


@@ -0,0 +1,104 @@
#!/usr/bin/env bash
set -xe
ls -la /opt/cloudfire/bin
# CloudFire package post-install script
# 1. Generate secrets
# 2. Bootstrap DB
# 3. Generate WireGuard interface and config
# All created files are 0600 by default
umask 077
# Add cloudfire user if not exists
if id cloudfire &>/dev/null; then
echo "cloudfire user exists... not creating."
else
echo "creating system user cloudfire"
useradd --system cloudfire
fi
# Generate app secrets
live_view_signing_salt="$(openssl rand -base64 24)"
secret_key_base="$(openssl rand -base64 48)"
db_user=cloudfire
# base64 includes forward slashes which are problematic in the
# db_url connect string, so use hex.
db_password="$(openssl rand -hex 16)"
db_key="$(openssl rand -base64 32)"
# Setup DB
# XXX: Remove || true and detect actual failures
su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\" || true"
su postgres -c "psql -c \"CREATE DATABASE cloudfire;\" || true"
su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE cloudfire to ${db_user};\" || true"
# Write CloudFire SSL files
mkdir -p /opt/cloudfire/ssl
hostname=$(hostname)
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
-keyout /opt/cloudfire/ssl/key.pem \
-out /opt/cloudfire/ssl/cert.pem \
-days 365 -subj "/CN=${hostname}"
wg genkey > /opt/cloudfire/server.key
# Write CloudFire config files
cat <<EOT >> /opt/cloudfire/config.env
# This file is loaded into CloudFire's Environment upon launch to configure it.
# This is used to ensure secure communication with the live web views.
# Re-generate this with "openssl rand -base64 24". All existing web views will
# need to be refreshed.
LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
# This is used to secure cookies among other things.
# You can regenerate this with "openssl rand -base64 48". All existing clients
# will be signed out.
SECRET_KEY_BASE="${secret_key_base}"
# The URL to connect to your DB. Assumes the database has been created and this
# user has privileges to create and modify tables.
DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/cloudfire"
# The HTTPS port to listen on. Defaults to 8800.
HTTPS_LISTEN_PORT=8800
# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
HTTPS_LISTEN_ADDRESS=127.0.0.1
# The WireGuard port to listen on. Defaults to 51820.
WG_LISTEN_PORT=51820
# The address for the WireGuard endpoint. Defaults to the address of the
# default egress interface if not set.
WG_ENDPOINT_ADDRESS=
# The Base64-encoded key for encrypted database fields.
DB_ENCRYPTION_KEY=${db_key}
# SSL certificate file and key path. Self-signed certs are generated for you on
# install, but it's highly recommended to replace these with valid certs.
# Free certs can be obtained at https://letsencrypt.org.
SSL_CERT_FILE=/opt/cloudfire/ssl/cert.pem
SSL_KEY_FILE=/opt/cloudfire/ssl/key.pem
# Path to the intermediate certificates file. (usually not required)
# SSL_CA_CERT_FILE=
# Host to use for generating links back to the application, such as in
# outbound emails. Defaults to "localhost".
# URL_HOST=${hostname}
# For security, it's recommended to leave signups disabled and instead create
# users via the CLI.
DISABLE_SIGNUP=yes
EOT
# Set perms
chown -R cloudfire:root /opt/cloudfire
chmod 0644 /opt/cloudfire/ssl/cert.pem
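Review bot: `set -xe` on the second line traces every command to stderr, so the generated `db_password`, `secret_key_base`, `live_view_signing_salt` and `db_key` values, and the `CREATE ROLE ... PASSWORD '...'` statement, are printed in clear to the terminal and to whatever captures dpkg output (apt logs, CI logs); the `ls -la /opt/cloudfire/bin` line looks like leftover debugging as well. Change the second line to `set -e` and drop the `ls` line, or at minimum run `set +x` before the `# Generate app secrets` block. The identical postinst section that follows the arm64 control file further down has the same prologue. Also, `chown -R cloudfire:root /opt/cloudfire` gives the service account write access to its own release binaries under `/opt/cloudfire/bin` and `lib`; limiting the chown to `ssl`, `server.key` and `config.env` keeps the code read-only for the runtime user.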


@@ -9,9 +9,9 @@ RestartSec=1
User=cloudfire
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
EnvironmentFile=/opt/cloudfire/config.env
ExecStartPre=/opt//bin/cloudfire eval "CfHttp.Release.migrate"
ExecStartPre=/opt/cloudfire/bin/cloudfire eval "CfHttp.Release.migrate"
ExecStart=/opt/cloudfire/bin/cloudfire start
ExecStartPost=sleep 5
ExecStartPost=/bin/sleep 8
ExecStartPost=/opt/cloudfire/bin/cloudfire rpc "CfHttp.Release.create_admin_user"
[Install]
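Review bot: `ExecStartPost=/bin/sleep 8` keeps the fixed-delay assumption of the old `sleep 5`: if migration or boot takes longer than 8 s, the following `cloudfire rpc "CfHttp.Release.create_admin_user"` runs against a node that is not up yet, and as far as I recall a failing ExecStartPost makes systemd treat the start as failed. Polling the release until it answers (a short loop around `/opt/cloudfire/bin/cloudfire pid`) or creating the admin user from the application's own startup would remove the race; the three full unit files added later in this commit carry the same `sleep 8` line. Since the unit loads secrets from `EnvironmentFile=/opt/cloudfire/config.env` and grants `CAP_NET_ADMIN`, it is also worth considering `NoNewPrivileges=yes` and `ProtectSystem=strict` with a `ReadWritePaths=` entry for the paths the service must write.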


@@ -0,0 +1,11 @@
Package: cloudfire
Version: 0.1.7-1
Architecture: arm64
Maintainer: CloudFire, LLC <dpkg@cloudfire.network>
Depends: net-tools (>= 1.60+git20161116.90da8a0-1ubuntu1), systemd (>= 237-3ubuntu10.48), openssl (>= 1.1.1-1ubuntu2.1~18.04.9), wireguard (>= 1.0.20200319-1ubuntu1), postgresql (>= 9.6), iptables (>= 1.6.1-2ubuntu2)
Section: net
Priority: optional
Homepage: https://cloudfire.network
Description: Web UI + Firewall manager for WireGuard™
Provides a web-based UI that allows you to configure WireGuard™ VPN tunnels and
set up firewall rules for your devices.


@@ -0,0 +1,104 @@
#!/usr/bin/env bash
set -xe
ls -la /opt/cloudfire/bin
# CloudFire package post-install script
# 1. Generate secrets
# 2. Bootstrap DB
# 3. Generate WireGuard interface and config
# All created files are 0600 by default
umask 077
# Add cloudfire user if not exists
if id cloudfire &>/dev/null; then
echo "cloudfire user exists... not creating."
else
echo "creating system user cloudfire"
useradd --system cloudfire
fi
# Generate app secrets
live_view_signing_salt="$(openssl rand -base64 24)"
secret_key_base="$(openssl rand -base64 48)"
db_user=cloudfire
# base64 includes forward slashes which are problematic in the
# db_url connect string, so use hex.
db_password="$(openssl rand -hex 16)"
db_key="$(openssl rand -base64 32)"
# Setup DB
# XXX: Remove || true and detect actual failures
su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\" || true"
su postgres -c "psql -c \"CREATE DATABASE cloudfire;\" || true"
su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE cloudfire to ${db_user};\" || true"
# Write CloudFire SSL files
mkdir -p /opt/cloudfire/ssl
hostname=$(hostname)
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
-keyout /opt/cloudfire/ssl/key.pem \
-out /opt/cloudfire/ssl/cert.pem \
-days 365 -subj "/CN=${hostname}"
wg genkey > /opt/cloudfire/server.key
# Write CloudFire config files
cat <<EOT >> /opt/cloudfire/config.env
# This file is loaded into CloudFire's Environment upon launch to configure it.
# This is used to ensure secure communication with the live web views.
# Re-generate this with "openssl rand -base64 24". All existing web views will
# need to be refreshed.
LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
# This is used to secure cookies among other things.
# You can regenerate this with "openssl rand -base64 48". All existing clients
# will be signed out.
SECRET_KEY_BASE="${secret_key_base}"
# The URL to connect to your DB. Assumes the database has been created and this
# user has privileges to create and modify tables.
DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/cloudfire"
# The HTTPS port to listen on. Defaults to 8800.
HTTPS_LISTEN_PORT=8800
# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
HTTPS_LISTEN_ADDRESS=127.0.0.1
# The WireGuard port to listen on. Defaults to 51820.
WG_LISTEN_PORT=51820
# The address for the WireGuard endpoint. Defaults to the address of the
# default egress interface if not set.
WG_ENDPOINT_ADDRESS=
# The Base64-encoded key for encrypted database fields.
DB_ENCRYPTION_KEY=${db_key}
# SSL certificate file and key path. Self-signed certs are generated for you on
# install, but it's highly recommended to replace these with valid certs.
# Free certs can be obtained at https://letsencrypt.org.
SSL_CERT_FILE=/opt/cloudfire/ssl/cert.pem
SSL_KEY_FILE=/opt/cloudfire/ssl/key.pem
# Path to the intermediate certificates file. (usually not required)
# SSL_CA_CERT_FILE=
# Host to use for generating links back to the application, such as in
# outbound emails. Defaults to "localhost".
# URL_HOST=${hostname}
# For security, it's recommended to leave signups disabled and instead create
# users via the CLI.
DISABLE_SIGNUP=yes
EOT
# Set perms
chown -R cloudfire:root /opt/cloudfire
chmod 0644 /opt/cloudfire/ssl/cert.pem


@@ -0,0 +1,11 @@
Template: cloudfire/config
Type: note
Description: config file
CloudFire's config file is located at /opt/cloudfire/config.yml. Only root
should be able to view and edit this file. Random secrets and passwords have
been generated and saved for you already.
Template: cloudfire/access
Type: note
Description: access instructions
CloudFire has been installed successfully and is running on port 8443!
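Review bot: The `cloudfire/config` note points users at `/opt/cloudfire/config.yml`, but the postinst scripts in this commit write `/opt/cloudfire/config.env`, and the `cloudfire/access` note announces port 8443 while the generated config sets `HTTPS_LISTEN_PORT=8800` bound to 127.0.0.1. The note also says only root should be able to read the file, whereas the postinst chowns it to the `cloudfire` user, so the text should describe the real ownership. Suggested wording: `CloudFire's config file is located at /opt/cloudfire/config.env. Only root and the cloudfire service user should be able to view and edit this file.` and `CloudFire has been installed successfully and is listening on 127.0.0.1:8800!`. The two later sections with identical `Template:` content need the same correction.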


@@ -0,0 +1,18 @@
[Unit]
Description=CloudFire
Requires=postgresql.service
After=postgresql.service
[Service]
Restart=on-failure
RestartSec=1
User=cloudfire
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
EnvironmentFile=/opt/cloudfire/config.env
ExecStartPre=/opt/cloudfire/bin/cloudfire eval "CfHttp.Release.migrate"
ExecStart=/opt/cloudfire/bin/cloudfire start
ExecStartPost=/bin/sleep 8
ExecStartPost=/opt/cloudfire/bin/cloudfire rpc "CfHttp.Release.create_admin_user"
[Install]
WantedBy=multi-user.target


@@ -0,0 +1,11 @@
Template: cloudfire/config
Type: note
Description: config file
CloudFire's config file is located at /opt/cloudfire/config.yml. Only root
should be able to view and edit this file. Random secrets and passwords have
been generated and saved for you already.
Template: cloudfire/access
Type: note
Description: access instructions
CloudFire has been installed successfully and is running on port 8443!


@@ -0,0 +1,18 @@
[Unit]
Description=CloudFire
Requires=postgresql.service
After=postgresql.service
[Service]
Restart=on-failure
RestartSec=1
User=cloudfire
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
EnvironmentFile=/opt/cloudfire/config.env
ExecStartPre=/opt/cloudfire/bin/cloudfire eval "CfHttp.Release.migrate"
ExecStart=/opt/cloudfire/bin/cloudfire start
ExecStartPost=/bin/sleep 8
ExecStartPost=/opt/cloudfire/bin/cloudfire rpc "CfHttp.Release.create_admin_user"
[Install]
WantedBy=multi-user.target


@@ -0,0 +1,11 @@
Package: cloudfire
Version: 0.1.7-1
Architecture: arm64
Maintainer: CloudFire, LLC <dpkg@cloudfire.network>
Depends: net-tools (>= 1.60+git20180626.aebd88e-1ubuntu1), systemd (>= 245.4-4ubuntu3.2), openssl (>= 1.1.1f-1ubuntu2), wireguard (>= 1.0.20200319-1ubuntu1), postgresql (>= 12+214ubuntu0.1), iptables (>= 1.8.4-3ubuntu2)
Section: net
Priority: optional
Homepage: https://cloudfire.network
Description: Web UI + Firewall manager for WireGuard™
Provides a web-based UI that allows you to configure WireGuard VPN tunnels and
set up firewall rules for your devices.


@@ -0,0 +1,102 @@
#!/usr/bin/env bash
set -e
# CloudFire package post-install script
# 1. Generate secrets
# 2. Bootstrap DB
# 3. Generate WireGuard interface and config
# Add cloudfire user if not exists
if id cloudfire &>/dev/null; then
echo "cloudfire user exists... not creating."
else
echo "creating system user cloudfire"
useradd --system cloudfire
fi
# Generate app secrets
live_view_signing_salt="$(openssl rand -base64 24)"
secret_key_base="$(openssl rand -base64 48)"
db_user=cloudfire
# base64 includes forward slashes which are problematic in the
# db_url connect string, so use hex.
db_password="$(openssl rand -hex 16)"
db_key="$(openssl rand -base64 32)"
# Setup DB
sudo -i -u postgres psql -c "CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';" || true
sudo -i -u postgres psql -c "CREATE DATABASE cloudfire;" || true
sudo -i -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE cloudfire to ${db_user};" || true
# Write CloudFire SSL files
mkdir -p /opt/cloudfire/ssl
chown -R cloudfire:root /opt/cloudfire/ssl
hostname=$(hostname)
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
-keyout /opt/cloudfire/ssl/key.pem \
-out /opt/cloudfire/ssl/cert.pem \
-days 365 -subj "/CN=${hostname}"
chmod 0600 /opt/cloudfire/ssl/key.pem
chmod 0644 /opt/cloudfire/ssl/cert.pem
# Write CloudFire config files
touch /opt/cloudfire/config.env
chmod 0600 /opt/cloudfire/config.env
chown -R cloudfire:root /opt/cloudfire
cat <<EOT >> /opt/cloudfire/config.env
# This file is loaded into CloudFire's Environment upon launch to configure it.
# This is used to ensure secure communication with the live web views.
# Re-generate this with "openssl rand -base64 24". All existing web views will
# need to be refreshed.
LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
# This is used to secure cookies among other things.
# You can regenerate this with "openssl rand -base64 48". All existing clients
# will be signed out.
SECRET_KEY_BASE="${secret_key_base}"
# The URL to connect to your DB. Assumes the database has been created and this
# user has privileges to create and modify tables.
DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/cloudfire"
# The HTTPS port to listen on. Defaults to 8800.
HTTPS_LISTEN_PORT=8800
# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
HTTPS_LISTEN_ADDRESS=127.0.0.1
# The WireGuard port to listen on. Defaults to 51820.
WG_LISTEN_PORT=51820
# The address for the WireGuard endpoint. Defaults to the address of the
# default egress interface if not set.
WG_ENDPOINT_ADDRESS=
# The Base64-encoded key for encrypted database fields.
DB_ENCRYPTION_KEY=${db_key}
# SSL certificate file and key path. Self-signed certs are generated for you on
# install, but it's highly recommended to replace these with valid certs.
# Free certs can be obtained at https://letsencrypt.org.
SSL_CERT_FILE=/opt/cloudfire/ssl/cert.pem
SSL_KEY_FILE=/opt/cloudfire/ssl/key.pem
# Path to the intermediate certificates file. (usually not required)
# SSL_CA_CERT_FILE=
# Host to use for generating links back to the application, such as in
# outbound emails. Defaults to "localhost".
# URL_HOST=${hostname}
# For security, it's recommended to leave signups disabled and instead create
# users via the CLI.
DISABLE_SIGNUP=yes
EOT
umask 077
wg genkey > /opt/cloudfire/server.key
chown cloudfire:root /opt/cloudfire/server.key
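Review bot: The `|| true` on the three `sudo -i -u postgres psql` lines hides every failure, including `sudo` itself being absent (it is not in the package's Depends, and the other postinst variant uses `su`), so a missing role or database is only noticed when the service cannot connect. At the same time `cat <<EOT >> /opt/cloudfire/config.env` appends a freshly generated `DATABASE_URL` password on every (re)install even when `CREATE ROLE` was skipped because the role already existed, leaving config.env and the stored role password out of sync. Run the statements with `-v ON_ERROR_STOP=1`, handle the role-exists case explicitly (check `pg_roles` first and `ALTER ROLE ... PASSWORD` when it exists), and write config.env with `>` rather than appending. Passing the password inside `-c "..."` also exposes it in the process list for the duration of the call; feeding the statement to psql on stdin avoids that.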


@@ -0,0 +1,11 @@
Template: cloudfire/config
Type: note
Description: config file
CloudFire's config file is located at /opt/cloudfire/config.yml. Only root
should be able to view and edit this file. Random secrets and passwords have
been generated and saved for you already.
Template: cloudfire/access
Type: note
Description: access instructions
CloudFire has been installed successfully and is running on port 8443!


@@ -0,0 +1,18 @@
[Unit]
Description=CloudFire
Requires=postgresql.service
After=postgresql.service
[Service]
Restart=on-failure
RestartSec=1
User=cloudfire
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
EnvironmentFile=/opt/cloudfire/config.env
ExecStartPre=/opt/cloudfire/bin/cloudfire eval "CfHttp.Release.migrate"
ExecStart=/opt/cloudfire/bin/cloudfire start
ExecStartPost=/bin/sleep 8
ExecStartPost=/opt/cloudfire/bin/cloudfire rpc "CfHttp.Release.create_admin_user"
[Install]
WantedBy=multi-user.target


@@ -1,30 +0,0 @@
#!/usr/bin/env bash
set -e
mkdir -p $HOME/.cloudfire/ssl
hostname=$(hostname)
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
-keyout $HOME/.cloudfire/ssl/key.pem \
-out $HOME/.cloudfire/ssl/cert.pem \
-days 365 -subj "/CN=${hostname}"
chmod 0600 $HOME/.cloudfire/ssl/key.pem
chmod 0644 $HOME/.cloudfire/ssl/cert.pem
secret_key_base="$(openssl rand -base64 48)"
live_view_signing_salt="$(openssl rand -base64 24)"
db_encryption_key="$(openssl rand -base64 32)"
wg_server_key="$(wg genkey)"
config="$HOME/.cloudfire/config.json"
touch $config
chmod 0600 $config
cat <<EOT >> $config
{
"database_url": "ecto://postgres:postgres@127.0.0.1/cloudfire",
"secret_key_base": "${secret_key_base}",
"live_view_signing_salt": "${live_view_signing_salt}",
"db_encryption_key": "${db_encryption_key}",
"ssl_cert_file": "${HOME}/.cloudfire/ssl/cert.pem",
"ssl_key_file": "${HOME}/.cloudfire/ssl/key.pem",
"url_host": "${hostname}",
"wg_server_key": "$(wg genkey)"
}
EOT


@@ -1,42 +0,0 @@
#!/usr/bin/env bash
set -e
# 1. Detect OS
# 2.
# 3. Download latest release
# 4. Set capabilities with sudo
# 5. Init config file
# 6. Display welcome message:
# - Edit config to configure your DB access and SSL certs
# - Add to PATH
# - How to launch CloudFire
bin="$HOME/.cloudfire/bin/cloudfire"
os=`uname`
if [ ! $os = "Linux" ]; then
echo "${os} unsupported. Only Linux is supported."
exit -1
fi
# Exit if already installed
if [ -f $bin ]; then
echo "${bin} exists. Aborting. If you'd like to upgrade your installation run\
$bin --upgrade"
exit 0
fi
echo 'Initializing default configuration...'
if [ -f "init_config.sh" ]; then
./init_config.sh
else
curl https://raw.githubusercontent.com/CloudFire-LLC/cloudfire/master/scripts/init_config.sh | bash -
fi
echo 'Downloading the latest release...'
# XXX: Detect architecture and download appropriate binary
mkdir -p $HOME/.cloudfire/bin
curl https://github.com/CloudFire-LLC/cloudfire/releases/download/latest/cloudfire_amd64 > $bin
# Ambient capabilities handles this
# echo 'Setting Linux capabilities on the binary... sudo is required'
# sudo bash -c "setcap 'cap_net_admin,cap_net_raw,cap_dac_read_search' $bin"