Lots of cleanup / new things

This commit is contained in:
Jamil Bou Kheir
2021-07-11 12:15:49 -07:00
parent e8ca109e7a
commit c67b25aa25
33 changed files with 74 additions and 918 deletions


@@ -45,7 +45,7 @@ For now, `firezone` assumes these apps are all running on the same host.
Prerequisites:
1. Postgresql Server 9.6 or higher. Access can be configured in
`/opt/firezone/config.env` after installation.
`/etc/firezone/secret/secrets.env` after installation.
2. `wg`, `openssl`, `ip`, and `iptables` must be in your PATH.
Then you can install `firezone` by [downloading the appropriate package
@@ -56,7 +56,7 @@ from the releases page](https://github.com/firezone/firezone/releases).
You may create additional admin users with the following command:
```bash
/opt/firezone/bin/firezone rpc 'FzHttp.Users.create_user(
> firezone rpc 'FzHttp.Users.create_user(
email: "USER_EMAIL",
password: "USER_PASSWORD",
password_confirmation: "USER_PASSWORD"


@@ -67,9 +67,9 @@ config :fz_http, FzHttpWeb.Endpoint,
transport_options: [max_connections: :infinity, socket_opts: [:inet6]],
otp_app: :firezone,
# overridden by release config
keyfile: "/opt/firezone/ssl/key.pem",
keyfile: "/etc/firezone/secret/key.pem",
# overridden by release config
certfile: "/opt/firezone/ssl/cert.pem"
certfile: "/etc/firezone/cert.pem"
],
# changed by release config
secret_key_base: "dummy",


@@ -1,62 +0,0 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/fz_http/mix.exs ./apps/fz_http/
COPY apps/fz_wall/mix.exs ./apps/fz_wall/
COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/
RUN mix do deps.get, deps.compile
COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/
RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/fz_http/priv apps/fz_http/priv
COPY apps/fz_http/assets apps/fz_http/assets
RUN npm run --prefix ./apps/fz_http/assets deploy && \
cd apps/fz_http && mix phx.digest
COPY . .
RUN mix release firezone
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone
RUN cd pkg && dpkg-deb --build debian


@@ -1,62 +0,0 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/fz_http/mix.exs ./apps/fz_http/
COPY apps/fz_wall/mix.exs ./apps/fz_wall/
COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/
RUN mix do deps.get, deps.compile
COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/
RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/fz_http/priv apps/fz_http/priv
COPY apps/fz_http/assets apps/fz_http/assets
RUN npm run --prefix ./apps/fz_http/assets deploy && \
cd apps/fz_http && mix phx.digest
COPY . .
RUN mix release firezone
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone
RUN cd pkg && dpkg-deb --build debian


@@ -1,62 +0,0 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/fz_http/mix.exs ./apps/fz_http/
COPY apps/fz_wall/mix.exs ./apps/fz_wall/
COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/
RUN mix do deps.get, deps.compile
COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/
RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/fz_http/priv apps/fz_http/priv
COPY apps/fz_http/assets apps/fz_http/assets
RUN npm run --prefix ./apps/fz_http/assets deploy && \
cd apps/fz_http && mix phx.digest
COPY . .
RUN mix release firezone
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone
RUN cd pkg && dpkg-deb --build debian


@@ -1,62 +0,0 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/fz_http/mix.exs ./apps/fz_http/
COPY apps/fz_wall/mix.exs ./apps/fz_wall/
COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/
RUN mix do deps.get, deps.compile
COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/
RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/fz_http/priv apps/fz_http/priv
COPY apps/fz_http/assets apps/fz_http/assets
RUN npm run --prefix ./apps/fz_http/assets deploy && \
cd apps/fz_http && mix phx.digest
COPY . .
RUN mix release firezone
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone
RUN cd pkg && dpkg-deb --build debian


@@ -1,62 +0,0 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/fz_http/mix.exs ./apps/fz_http/
COPY apps/fz_wall/mix.exs ./apps/fz_wall/
COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/
RUN mix do deps.get, deps.compile
COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/
RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/fz_http/priv apps/fz_http/priv
COPY apps/fz_http/assets apps/fz_http/assets
RUN npm run --prefix ./apps/fz_http/assets deploy && \
cd apps/fz_http && mix phx.digest
COPY . .
RUN mix release firezone
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone
RUN cd pkg && dpkg-deb --build debian


@@ -1,62 +0,0 @@
# This Dockerfile builds release packages.
# **NOTE**: This is not recommended, as it's possible the deployment
# production environment will diff from the image environment here,
# even if the OS and kernel versions match.
# As such, this script has been deprecated in favor of building the release
# in the production environment.
FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build
# Setup to run build script
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -q && \
apt-get install -y --no-install-recommends \
ca-certificates \
build-essential \
git \
dpkg-dev \
libssl-dev \
automake \
gnupg \
curl \
autoconf \
libncurses5-dev \
unzip \
zlib1g-dev \
locales && \
apt-get clean && \
rm -rf /tmp/* /var/tmp/*
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \
locale-gen
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install nodejs
ENV MIX_ENV prod
WORKDIR /build
RUN mix local.hex --force && \
mix local.rebar --force
COPY mix.exs mix.lock ./
COPY config config
COPY apps/fz_http/mix.exs ./apps/fz_http/
COPY apps/fz_wall/mix.exs ./apps/fz_wall/
COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/
RUN mix do deps.get, deps.compile
COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/
RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error
COPY apps/fz_http/priv apps/fz_http/priv
COPY apps/fz_http/assets apps/fz_http/assets
RUN npm run --prefix ./apps/fz_http/assets deploy && \
cd apps/fz_http && mix phx.digest
COPY . .
RUN mix release firezone
RUN mkdir -p pkg/debian/opt
RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone
RUN cd pkg && dpkg-deb --build debian


@@ -62,9 +62,12 @@ RUN npm run --prefix ./apps/fz_http/assets deploy && \
COPY . .
RUN mix release
RUN mkdir -p pkg/$PKG_DIR/opt
RUN mv _build/prod/rel/firezone pkg/$PKG_DIR/opt/firezone
# Copy shared files
RUN rsync -avz pkg/debain_shared/* pkg/$PKG_DIR/
RUN ls -lR pkg/$PKG_DIR
RUN mkdir -p pkg/$PKG_DIR/etc/firezone
RUN mkdir -p pkg/$PKG_DIR/usr/bin
RUN mv _build/prod/rel/firezone pkg/$PKG_DIR/usr/lib/firezone
RUN cd pkg/$PKG_DIR/usr/bin && ln -s ../lib/firezone/bin/firezone
RUN cd pkg && dpkg-deb --build $PKG_DIR
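Review bot: The source path in `RUN rsync -avz pkg/debain_shared/* pkg/$PKG_DIR/` is spelled `debain_shared`, while the maintainer script added in this same commit lives under `pkg/debian_shared/DEBIAN/prerm`; unless a `pkg/debain_shared` directory also exists in the build context, `/bin/sh` leaves the unmatched glob literal, rsync exits non-zero and the build stops, and even with the name fixed the `*` glob skips dot-files. The next step `RUN mv _build/prod/rel/firezone pkg/$PKG_DIR/usr/lib/firezone` also needs `pkg/$PKG_DIR/usr/lib` to exist, but the two `mkdir -p` lines above only create `etc/firezone` and `usr/bin`, so the move presumably fails unless the rsync'd shared tree happens to ship `usr/lib`. I would change these to `RUN rsync -a pkg/debian_shared/ pkg/$PKG_DIR/` and `RUN mkdir -p pkg/$PKG_DIR/etc/firezone pkg/$PKG_DIR/usr/bin pkg/$PKG_DIR/usr/lib`, and drop the `RUN ls -lR pkg/$PKG_DIR` debug layer from the image. The second Dockerfile hunk below (`@@ -62,7 +62,12 @@`) carries the same lines and needs the same fix.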


@@ -62,7 +62,12 @@ RUN npm run --prefix ./apps/fz_http/assets deploy && \
COPY . .
RUN mix release
RUN mkdir -p pkg/$PKG_DIR/opt
RUN mv _build/prod/rel/firezone pkg/$PKG_DIR/opt/firezone
# Copy shared files
RUN rsync -avz pkg/debain_shared/* pkg/$PKG_DIR/
RUN ls -lR pkg/$PKG_DIR
RUN mkdir -p pkg/$PKG_DIR/etc/firezone
RUN mkdir -p pkg/$PKG_DIR/usr/bin
RUN mv _build/prod/rel/firezone pkg/$PKG_DIR/usr/lib/firezone
RUN cd pkg/$PKG_DIR/usr/bin && ln -s ../lib/firezone/bin/firezone
RUN cd pkg && dpkg-deb --build $PKG_DIR


@@ -1,4 +1,4 @@
#!/usr/bin/env bash
#!/bin/bash
set -e
# FireZone package post-install script
@@ -40,13 +40,14 @@ fi
# Grant all privileges
su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
### SET UP SSL
# XXX: Use Let's Encrypt
# Set up secrets dir
mkdir -p /etc/firezone/secret
chown firezone:root /etc/firezone/secret
chmod 770 /etc/firezone/secret
# Write FireZone SSL files
mkdir -p /opt/firezone/ssl
ssl_key_file=/opt/firezone/ssl/key.pem
ssl_cert_file=/opt/firezone/ssl/cert.pem
ssl_key_file=/etc/firezone/secret/key.pem
ssl_cert_file=/etc/firezone/cert.pem
if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
echo "ssl files exist; not creating"
else
@@ -63,12 +64,17 @@ db_key="$(openssl rand -base64 32)"
wg_server_key="$(wg genkey)"
# Write FireZone config file
if [ -f /opt/firezone/config.env ]; then
if [ -f /etc/firezone/secret.env ]; then
echo "config file exists; not creating"
else
cat <<EOT >> /opt/firezone/config.env
umask 037
cat <<EOT >> /etc/firezone/secret/secrets.env
# This file is loaded into FireZone's Environment upon launch to configure it.
# Warning: changing anything here can result in data loss. Make sure you know
# what you're doing!
# This is used to ensure secure communication with the live web views.
# Re-generate this with "openssl rand -base64 24". All existing web views will
# need to be refreshed.
@@ -80,47 +86,18 @@ LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
SECRET_KEY_BASE="${secret_key_base}"
# The URL to connect to your DB. Assumes the database has been created and this
# user has privileges to create and modify tables.
# user has privileges to create and modify tables. Must start with ecto://
# Ex: ecto://user:password@localhost/firezone
DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
# The HTTPS port to listen on. Defaults to 8800.
HTTPS_LISTEN_PORT=8800
# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
HTTPS_LISTEN_ADDRESS=127.0.0.1
# The WireGuard port to listen on. Defaults to 51820.
WG_LISTEN_PORT=51820
# The address for the WireGuard endpoint. Defaults to the address of the
# default egress interface if not set.
WG_ENDPOINT_ADDRESS=
# The Base64-encoded key for encrypted database fields.
DB_ENCRYPTION_KEY=${db_key}
# The Base64-encoded private key for the WireGuard interface
WG_SERVER_KEY=${wg_server_key}
# SSL certificate file and key path. Self-signed certs are generated for you on
# install, but it's highly recommended to replace these with valid certs.
# Free certs can be obtained at https://letsencrypt.org.
SSL_CERT_FILE=/opt/firezone/ssl/cert.pem
SSL_KEY_FILE=/opt/firezone/ssl/key.pem
# Path to the intermediate certificates file. (usually not required)
# SSL_CA_CERT_FILE=
# Host to use for generating links back to the application, such as in
# outbound emails. Defaults to "localhost".
# URL_HOST=${hostname}
# For security, it's recommended to leave signups disabled and instead create
# users via the CLI.
DISABLE_SIGNUP=yes
EOT
fi
# Set perms
chown -R firezone:root /opt/firezone
chmod 0644 /opt/firezone/ssl/cert.pem
chown -R firezone:root /etc/firezone
chmod 0644 /etc/firezone/cert.pem
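Review bot: The guard `if [ -f /etc/firezone/secret.env ]; then` tests a path nothing writes; the heredoc below it appends to `/etc/firezone/secret/secrets.env`, so the check is always false and every re-run of this script (reinstall or upgrade) appends a second copy of the block with freshly generated SECRET_KEY_BASE, DB_ENCRYPTION_KEY and WG_SERVER_KEY values. Because a later assignment in an environment file wins, that silently rotates the database encryption key and the WireGuard server key — the data loss the file's own warning text describes — and writes a new DATABASE_URL password that the role-creation step above this hunk (outside it, and apparently skipping existing roles) never applies to the database. Change the guard to `if [ -f /etc/firezone/secret/secrets.env ]; then`. Separately, `chown -R firezone:root /etc/firezone` hands the service account ownership of its own `config.env` and `cert.pem`; limiting the recursive chown to `/etc/firezone/secret` and keeping the rest root-owned with the existing `chmod 0644` would stop the runtime user from rewriting its own configuration.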


@@ -0,0 +1,6 @@
#!/bin/bash
set -e
# Remove created user
echo "Removing firezone user"
userdel -Zrf firezone
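Review bot: `userdel -Zrf firezone` runs unconditionally, but Debian maintainer scripts receive the action in `$1` (`remove`, `purge`, `upgrade`, …), and this looks like a postrm (its file name is not visible here), which dpkg also invokes during upgrades — so the service account is deleted on every path, with `-f` even while its processes are still running, and its UID is freed while files under `/etc/firezone` and `/usr/lib/firezone` still carry it. Conventional practice is to drop the account only on purge: `if [ "$1" = "purge" ]; then userdel -Zrf firezone; fi`, and the prerm added in this commit (currently only `set -e`) would be the place to stop the unit first. The `-r` flag removes a home directory that the postinst's `useradd --system firezone` never creates, so if that line is unchanged it is at best a no-op here.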

2
pkg/debian_shared/DEBIAN/prerm Executable file

@@ -0,0 +1,2 @@
#!/bin/bash
set -e


@@ -0,0 +1,27 @@
# This file is loaded into FireZone's Environment upon launch to configure it.
# The HTTPS port to listen on. Defaults to 8800.
HTTPS_LISTEN_PORT=8800
# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
HTTPS_LISTEN_ADDRESS=127.0.0.1
# The WireGuard port to listen on. Defaults to 51820.
WG_LISTEN_PORT=51820
# The address for the WireGuard endpoint. Defaults to the address of the
# default egress interface if not set.
WG_ENDPOINT_ADDRESS=
# SSL certificate file and key path. Self-signed certs are generated for you on
# install, but it's highly recommended to replace these with valid certs.
# Free certs can be obtained at https://letsencrypt.org.
SSL_CERT_FILE=/etc/firezone/cert.pem
SSL_KEY_FILE=/etc/firezone/secret/key.pem
# Path to the intermediate certificates file. (usually not required)
# SSL_CA_CERT_FILE=
# Host to use for generating links back to the application, such as in
# outbound emails. Should be publicly resolvable. Defaults to "localhost".
# URL_HOST=


@@ -8,12 +8,12 @@ Restart=on-failure
RestartSec=1
User=firezone
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
EnvironmentFile=/opt/firezone/config.env
ExecStartPre=/opt/firezone/bin/firezone eval "FzHttp.Release.migrate"
ExecStart=/opt/firezone/bin/firezone start
EnvironmentFile=/etc/firezone/config.env /etc/firezone/secret/secrets.env
ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
ExecStart=/usr/lib/firezone/bin/firezone start
# XXX: Remove sleeps
ExecStartPost=/bin/sleep 8
ExecStartPost=/opt/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
[Install]
WantedBy=multi-user.target
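Review bot: `EnvironmentFile=/etc/firezone/config.env /etc/firezone/secret/secrets.env` lists two files on one directive, but systemd takes the whole value as a single path (`EnvironmentFile=` is given once per file), so it looks for a file whose name contains the space, finds none, and — the path not being prefixed with `-` — refuses to start the unit. Split it into `EnvironmentFile=/etc/firezone/config.env` followed by `EnvironmentFile=/etc/firezone/secret/secrets.env`, keeping that order since later files override earlier ones. While the unit is being reworked, it would be worth adding `ProtectSystem=strict`, `ProtectHome=yes` and `NoNewPrivileges=yes` alongside the existing `User=firezone` and `AmbientCapabilities=` lines, though that is outside this hunk's change.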


@@ -1 +0,0 @@
firezone: dir-or-file-in-opt


@@ -1,11 +0,0 @@
Template: firezone/config
Type: note
Description: config file
FireZone's config file is located at /opt/firezone/config.yml. Only root
should be able to view and edit this file. Random secrets and passwords have
been generated and saved for you already.
Template: firezone/access
Type: note
Description: access instructions
FireZone has been installed successfully and is running on port 8443!


@@ -1,3 +0,0 @@
firezone (0.2.0ubuntu1) bionic; urgency=low
* initial release


@@ -1 +0,0 @@
firezone: dir-or-file-in-opt


@@ -1,126 +0,0 @@
#!/usr/bin/env bash
set -e
# FireZone package post-install script
# All created files are 0600 by default
umask 077
# Add firezone user if not exists
if id firezone &>/dev/null; then
echo "firezone user exists... not creating."
else
echo "creating system user firezone"
useradd --system firezone
fi
hostname=$(hostname)
### SET UP DB
# Create role if not exists
db_user=firezone
db_password="$(openssl rand -hex 16)"
res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
if [[ $res == *"0 rows"* ]]; then
su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
else
echo "${db_user} role found in DB"
fi
# Create DB if not exists
db_name=firezone
res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
if [[ $res == *"0 rows"* ]]; then
su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
else
echo "${db_name} exists; not creating"
fi
# Grant all privileges
su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
### SET UP SSL
# XXX: Use Let's Encrypt
# Write FireZone SSL files
mkdir -p /opt/firezone/ssl
ssl_key_file=/opt/firezone/ssl/key.pem
ssl_cert_file=/opt/firezone/ssl/cert.pem
if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
echo "ssl files exist; not creating"
else
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
-keyout $ssl_key_file \
-out $ssl_cert_file \
-days 365 -subj "/CN=${hostname}"
fi
# Generate app secrets
live_view_signing_salt="$(openssl rand -base64 24)"
secret_key_base="$(openssl rand -base64 48)"
db_key="$(openssl rand -base64 32)"
wg_server_key="$(wg genkey)"
# Write FireZone config files
if [ ! -f /opt/firezone/config.env ]; then
cat <<EOT >> /opt/firezone/config.env
# This file is loaded into FireZone's Environment upon launch to configure it.
# This is used to ensure secure communication with the live web views.
# Re-generate this with "openssl rand -base64 24". All existing web views will
# need to be refreshed.
LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
# This is used to secure cookies among other things.
# You can regenerate this with "openssl rand -base64 48". All existing clients
# will be signed out.
SECRET_KEY_BASE="${secret_key_base}"
# The URL to connect to your DB. Assumes the database has been created and this
# user has privileges to create and modify tables.
DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
# The HTTPS port to listen on. Defaults to 8800.
HTTPS_LISTEN_PORT=8800
# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
HTTPS_LISTEN_ADDRESS=127.0.0.1
# The WireGuard port to listen on. Defaults to 51820.
WG_LISTEN_PORT=51820
# The address for the WireGuard endpoint. Defaults to the address of the
# default egress interface if not set.
WG_ENDPOINT_ADDRESS=
# The Base64-encoded key for encrypted database fields.
DB_ENCRYPTION_KEY=${db_key}
# The Base64-encoded private key for the WireGuard interface
WG_SERVER_KEY=${wg_server_key}
# SSL certificate file and key path. Self-signed certs are generated for you on
# install, but it's highly recommended to replace these with valid certs.
# Free certs can be obtained at https://letsencrypt.org.
SSL_CERT_FILE=/opt/firezone/ssl/cert.pem
SSL_KEY_FILE=/opt/firezone/ssl/key.pem
# Path to the intermediate certificates file. (usually not required)
# SSL_CA_CERT_FILE=
# Host to use for generating links back to the application, such as in
# outbound emails. Defaults to "localhost".
# URL_HOST=${hostname}
# For security, it's recommended to leave signups disabled and instead create
# users via the CLI.
DISABLE_SIGNUP=yes
EOT
else
echo "config file exists; not creating"
fi
# Set perms
chown -R firezone:root /opt/firezone
chmod 0644 /opt/firezone/ssl/cert.pem


@@ -1,11 +0,0 @@
Template: firezone/config
Type: note
Description: config file
FireZone's config file is located at /opt/firezone/config.yml. Only root
should be able to view and edit this file. Random secrets and passwords have
been generated and saved for you already.
Template: firezone/access
Type: note
Description: access instructions
FireZone has been installed successfully and is running on port 8443!


@@ -1,19 +0,0 @@
[Unit]
Description=FireZone
Requires=postgresql.service
After=postgresql.service
[Service]
Restart=on-failure
RestartSec=1
User=firezone
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
EnvironmentFile=/opt/firezone/config.env
ExecStartPre=/opt/firezone/bin/firezone eval "FzHttp.Release.migrate"
ExecStart=/opt/firezone/bin/firezone start
# XXX: Remove sleeps
ExecStartPost=/bin/sleep 8
ExecStartPost=/opt/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
[Install]
WantedBy=multi-user.target


@@ -1,3 +0,0 @@
firezone (0.2.0ubuntu1) trusty; urgency=low
* initial release


@@ -1 +0,0 @@
firezone: dir-or-file-in-opt


@@ -1,126 +0,0 @@
#!/usr/bin/env bash
set -e
# FireZone package post-install script
# All created files are 0600 by default
umask 077
# Add firezone user if not exists
if id firezone &>/dev/null; then
echo "firezone user exists... not creating."
else
echo "creating system user firezone"
useradd --system firezone
fi
hostname=$(hostname)
### SET UP DB
# Create role if not exists
db_user=firezone
db_password="$(openssl rand -hex 16)"
res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
if [[ $res == *"0 rows"* ]]; then
su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
else
echo "${db_user} role found in DB"
fi
# Create DB if not exists
db_name=firezone
res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
if [[ $res == *"0 rows"* ]]; then
su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
else
echo "${db_name} exists; not creating"
fi
# Grant all privileges
su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
### SET UP SSL
# XXX: Use Let's Encrypt
# Write FireZone SSL files
mkdir -p /opt/firezone/ssl
ssl_key_file=/opt/firezone/ssl/key.pem
ssl_cert_file=/opt/firezone/ssl/cert.pem
if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
echo "ssl files exist; not creating"
else
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
-keyout $ssl_key_file \
-out $ssl_cert_file \
-days 365 -subj "/CN=${hostname}"
fi
# Generate app secrets
live_view_signing_salt="$(openssl rand -base64 24)"
secret_key_base="$(openssl rand -base64 48)"
db_key="$(openssl rand -base64 32)"
wg_server_key="$(wg genkey)"
# Write FireZone config files
if [ ! -f /opt/firezone/config.env ]; then
cat <<EOT >> /opt/firezone/config.env
# This file is loaded into FireZone's Environment upon launch to configure it.
# This is used to ensure secure communication with the live web views.
# Re-generate this with "openssl rand -base64 24". All existing web views will
# need to be refreshed.
LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
# This is used to secure cookies among other things.
# You can regenerate this with "openssl rand -base64 48". All existing clients
# will be signed out.
SECRET_KEY_BASE="${secret_key_base}"
# The URL to connect to your DB. Assumes the database has been created and this
# user has privileges to create and modify tables.
DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
# The HTTPS port to listen on. Defaults to 8800.
HTTPS_LISTEN_PORT=8800
# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
HTTPS_LISTEN_ADDRESS=127.0.0.1
# The WireGuard port to listen on. Defaults to 51820.
WG_LISTEN_PORT=51820
# The address for the WireGuard endpoint. Defaults to the address of the
# default egress interface if not set.
WG_ENDPOINT_ADDRESS=
# The Base64-encoded key for encrypted database fields.
DB_ENCRYPTION_KEY=${db_key}
# The Base64-encoded private key for the WireGuard interface
WG_SERVER_KEY=${wg_server_key}
# SSL certificate file and key path. Self-signed certs are generated for you on
# install, but it's highly recommended to replace these with valid certs.
# Free certs can be obtained at https://letsencrypt.org.
SSL_CERT_FILE=/opt/firezone/ssl/cert.pem
SSL_KEY_FILE=/opt/firezone/ssl/key.pem
# Path to the intermediate certificates file. (usually not required)
# SSL_CA_CERT_FILE=
# Host to use for generating links back to the application, such as in
# outbound emails. Defaults to "localhost".
# URL_HOST=${hostname}
# For security, it's recommended to leave signups disabled and instead create
# users via the CLI.
DISABLE_SIGNUP=yes
EOT
else
echo "config file exists; not creating"
fi
# Set perms
chown -R firezone:root /opt/firezone
chmod 0644 /opt/firezone/ssl/cert.pem


@@ -1,11 +0,0 @@
Template: firezone/config
Type: note
Description: config file
FireZone's config file is located at /opt/firezone/config.yml. Only root
should be able to view and edit this file. Random secrets and passwords have
been generated and saved for you already.
Template: firezone/access
Type: note
Description: access instructions
FireZone has been installed successfully and is running on port 8443!


@@ -1,19 +0,0 @@
[Unit]
Description=FireZone
Requires=postgresql.service
After=postgresql.service
[Service]
Restart=on-failure
RestartSec=1
User=firezone
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
EnvironmentFile=/opt/firezone/config.env
ExecStartPre=/opt/firezone/bin/firezone eval "FzHttp.Release.migrate"
ExecStart=/opt/firezone/bin/firezone start
# XXX: Remove sleeps
ExecStartPost=/bin/sleep 8
ExecStartPost=/opt/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
[Install]
WantedBy=multi-user.target


@@ -1,3 +0,0 @@
firezone (0.2.0ubuntu1) trusty; urgency=low
* initial release


@@ -1 +0,0 @@
firezone: dir-or-file-in-opt


@@ -1,126 +0,0 @@
#!/usr/bin/env bash
set -e
# FireZone package post-install script
# All created files are 0600 by default
umask 077
# Add firezone user if not exists
if id firezone &>/dev/null; then
echo "firezone user exists... not creating."
else
echo "creating system user firezone"
useradd --system firezone
fi
hostname=$(hostname)
### SET UP DB
# Create role if not exists
db_user=firezone
db_password="$(openssl rand -hex 16)"
res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
if [[ $res == *"0 rows"* ]]; then
su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
else
echo "${db_user} role found in DB"
fi
# Create DB if not exists
db_name=firezone
res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
if [[ $res == *"0 rows"* ]]; then
su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
else
echo "${db_name} exists; not creating"
fi
# Grant all privileges
su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
### SET UP SSL
# XXX: Use Let's Encrypt
# Write FireZone SSL files
mkdir -p /opt/firezone/ssl
ssl_key_file=/opt/firezone/ssl/key.pem
ssl_cert_file=/opt/firezone/ssl/cert.pem
if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
echo "ssl files exist; not creating"
else
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
-keyout $ssl_key_file \
-out $ssl_cert_file \
-days 365 -subj "/CN=${hostname}"
fi
# Generate app secrets
live_view_signing_salt="$(openssl rand -base64 24)"
secret_key_base="$(openssl rand -base64 48)"
db_key="$(openssl rand -base64 32)"
wg_server_key="$(wg genkey)"
# Write FireZone config files
if [ ! -f /opt/firezone/config.env ]; then
cat <<EOT >> /opt/firezone/config.env
# This file is loaded into FireZone's Environment upon launch to configure it.
# This is used to ensure secure communication with the live web views.
# Re-generate this with "openssl rand -base64 24". All existing web views will
# need to be refreshed.
LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
# This is used to secure cookies among other things.
# You can regenerate this with "openssl rand -base64 48". All existing clients
# will be signed out.
SECRET_KEY_BASE="${secret_key_base}"
# The URL to connect to your DB. Assumes the database has been created and this
# user has privileges to create and modify tables.
DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
# The HTTPS port to listen on. Defaults to 8800.
HTTPS_LISTEN_PORT=8800
# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
HTTPS_LISTEN_ADDRESS=127.0.0.1
# The WireGuard port to listen on. Defaults to 51820.
WG_LISTEN_PORT=51820
# The address for the WireGuard endpoint. Defaults to the address of the
# default egress interface if not set.
WG_ENDPOINT_ADDRESS=
# The Base64-encoded key for encrypted database fields.
DB_ENCRYPTION_KEY=${db_key}
# The Base64-encoded private key for the WireGuard interface
WG_SERVER_KEY=${wg_server_key}
# SSL certificate file and key path. Self-signed certs are generated for you on
# install, but it's highly recommended to replace these with valid certs.
# Free certs can be obtained at https://letsencrypt.org.
SSL_CERT_FILE=/opt/firezone/ssl/cert.pem
SSL_KEY_FILE=/opt/firezone/ssl/key.pem
# Path to the intermediate certificates file. (usually not required)
# SSL_CA_CERT_FILE=
# Host to use for generating links back to the application, such as in
# outbound emails. Defaults to "localhost".
# URL_HOST=${hostname}
# For security, it's recommended to leave signups disabled and instead create
# users via the CLI.
DISABLE_SIGNUP=yes
EOT
else
echo "config file exists; not creating"
fi
# Set perms
chown -R firezone:root /opt/firezone
chmod 0644 /opt/firezone/ssl/cert.pem


@@ -1,11 +0,0 @@
Template: firezone/config
Type: note
Description: config file
FireZone's config file is located at /opt/firezone/config.yml. Only root
should be able to view and edit this file. Random secrets and passwords have
been generated and saved for you already.
Template: firezone/access
Type: note
Description: access instructions
FireZone has been installed successfully and is running on port 8443!


@@ -1,19 +0,0 @@
[Unit]
Description=FireZone
Requires=postgresql.service
After=postgresql.service
[Service]
Restart=on-failure
RestartSec=1
User=firezone
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
EnvironmentFile=/opt/firezone/config.env
ExecStartPre=/opt/firezone/bin/firezone eval "FzHttp.Release.migrate"
ExecStart=/opt/firezone/bin/firezone start
# XXX: Remove sleeps
ExecStartPost=/bin/sleep 8
ExecStartPost=/opt/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
[Install]
WantedBy=multi-user.target