From c67b25aa25fc6158b926f258f077718b9c8ea391 Mon Sep 17 00:00:00 2001 
From: Jamil Bou Kheir Date: Sun, 11 Jul 2021 12:15:49 -0700 Subject: [PATCH] Lots of cleanup / new things --- README.md | 4 +- config/prod.exs | 4 +- pkg/Dockerfile.amazonlinux_2 | 62 --------- pkg/Dockerfile.centos_7 | 62 --------- pkg/Dockerfile.centos_8 | 62 --------- pkg/Dockerfile.debian_10 | 62 --------- pkg/Dockerfile.redhat_7 | 62 --------- pkg/Dockerfile.redhat_8 | 62 --------- pkg/Dockerfile.ubuntu_18.04 | 9 +- pkg/Dockerfile.ubuntu_20.04 | 9 +- .../DEBIAN/changelog | 0 .../DEBIAN/postinst | 59 +++----- pkg/debian_shared/DEBIAN/postrm | 6 + pkg/debian_shared/DEBIAN/prerm | 2 + pkg/debian_shared/etc/firezone/config.env | 27 ++++ .../lib/systemd/system/firezone.service | 8 +- .../DEBIAN/lintian-overrides | 1 - pkg/ubuntu_18.04_amd64/DEBIAN/templates | 11 -- pkg/ubuntu_18.04_arm64/DEBIAN/changelog | 3 - .../DEBIAN/lintian-overrides | 1 - pkg/ubuntu_18.04_arm64/DEBIAN/postinst | 126 ------------------ pkg/ubuntu_18.04_arm64/DEBIAN/templates | 11 -- .../lib/systemd/system/firezone.service | 19 --- pkg/ubuntu_20.04_amd64/DEBIAN/changelog | 3 - .../DEBIAN/lintian-overrides | 1 - pkg/ubuntu_20.04_amd64/DEBIAN/postinst | 126 ------------------ pkg/ubuntu_20.04_amd64/DEBIAN/templates | 11 -- .../lib/systemd/system/firezone.service | 19 --- pkg/ubuntu_20.04_arm64/DEBIAN/changelog | 3 - .../DEBIAN/lintian-overrides | 1 - pkg/ubuntu_20.04_arm64/DEBIAN/postinst | 126 ------------------ pkg/ubuntu_20.04_arm64/DEBIAN/templates | 11 -- .../lib/systemd/system/firezone.service | 19 --- 33 files changed, 74 insertions(+), 918 deletions(-) rename pkg/{ubuntu_18.04_amd64 => debian_shared}/DEBIAN/changelog (100%) rename pkg/{ubuntu_18.04_amd64 => debian_shared}/DEBIAN/postinst (63%) create mode 100755 pkg/debian_shared/DEBIAN/postrm create mode 100755 pkg/debian_shared/DEBIAN/prerm create mode 100644 pkg/debian_shared/etc/firezone/config.env rename pkg/{ubuntu_18.04_amd64 => debian_shared}/lib/systemd/system/firezone.service (50%) delete mode 100644 
pkg/ubuntu_18.04_amd64/DEBIAN/lintian-overrides delete mode 100644 pkg/ubuntu_18.04_amd64/DEBIAN/templates delete mode 100644 pkg/ubuntu_18.04_arm64/DEBIAN/changelog delete mode 100644 pkg/ubuntu_18.04_arm64/DEBIAN/lintian-overrides delete mode 100755 pkg/ubuntu_18.04_arm64/DEBIAN/postinst delete mode 100644 pkg/ubuntu_18.04_arm64/DEBIAN/templates delete mode 100644 pkg/ubuntu_18.04_arm64/lib/systemd/system/firezone.service delete mode 100644 pkg/ubuntu_20.04_amd64/DEBIAN/changelog delete mode 100644 pkg/ubuntu_20.04_amd64/DEBIAN/lintian-overrides delete mode 100755 pkg/ubuntu_20.04_amd64/DEBIAN/postinst delete mode 100644 pkg/ubuntu_20.04_amd64/DEBIAN/templates delete mode 100644 pkg/ubuntu_20.04_amd64/lib/systemd/system/firezone.service delete mode 100644 pkg/ubuntu_20.04_arm64/DEBIAN/changelog delete mode 100644 pkg/ubuntu_20.04_arm64/DEBIAN/lintian-overrides delete mode 100755 pkg/ubuntu_20.04_arm64/DEBIAN/postinst delete mode 100644 pkg/ubuntu_20.04_arm64/DEBIAN/templates delete mode 100644 pkg/ubuntu_20.04_arm64/lib/systemd/system/firezone.service diff --git a/README.md b/README.md index eb362456b..6a628b9ff 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ For now, `firezone` assumes these apps are all running on the same host. Prerequisites: 1. Postgresql Server 9.6 or higher. Access can be configured in - `/opt/firezone/config.env` after installation. + `/etc/firezone/secret/secrets.env` after installation. 2. `wg`, `openssl`, `ip`, and `iptables` must be in your PATH. Then you can install `firezone` by [downloading the appropriate package @@ -56,7 +56,7 @@ from the releases page](https://github.com/firezone/firezone/releases). You may create additional admin users with the following command: ```bash -/opt/firezone/bin/firezone rpc 'FzHttp.Users.create_user( +> firezone rpc 'FzHttp.Users.create_user( email: "USER_EMAIL", password: "USER_PASSWORD", password_confirmation: "USER_PASSWORD" 
diff --git a/config/prod.exs b/config/prod.exs index 6fbd1784a..e51cb0fdb 100644 --- a/config/prod.exs +++ b/config/prod.exs @@ -67,9 +67,9 @@ config :fz_http, FzHttpWeb.Endpoint, transport_options: [max_connections: :infinity, socket_opts: [:inet6]], otp_app: :firezone, # overridden by release config - keyfile: "/opt/firezone/ssl/key.pem", + keyfile: "/etc/firezone/secret/key.pem", # overridden by release config - certfile: "/opt/firezone/ssl/cert.pem" + certfile: "/etc/firezone/cert.pem" ], # changed by release config secret_key_base: "dummy", diff --git a/pkg/Dockerfile.amazonlinux_2 b/pkg/Dockerfile.amazonlinux_2 index fd8211344..e69de29bb 100644 --- a/pkg/Dockerfile.amazonlinux_2 +++ b/pkg/Dockerfile.amazonlinux_2 
@@ -1,62 +0,0 @@ -# This Dockerfile builds release packages. -# **NOTE**: This is not recommended, as it's possible the deployment -# production environment will diff from the image environment here, -# even if the OS and kernel versions match. -# As such, this script has been deprecated in favor of building the release -# in the production environment. -FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build - -# Setup to run build script -ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update -q && \ - apt-get install -y --no-install-recommends \ - ca-certificates \ - build-essential \ - git \ - dpkg-dev \ - libssl-dev \ - automake \ - gnupg \ - curl \ - autoconf \ - libncurses5-dev \ - unzip \ - zlib1g-dev \ - locales && \ - apt-get clean && \ - rm -rf /tmp/* /var/tmp/* -RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \ - locale-gen -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US:en -ENV LC_ALL en_US.UTF-8 - -RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - -RUN apt-get install nodejs - -ENV MIX_ENV prod -WORKDIR /build - -RUN mix local.hex --force && \ - mix local.rebar --force -COPY mix.exs mix.lock ./ -COPY config config -COPY apps/fz_http/mix.exs ./apps/fz_http/ -COPY apps/fz_wall/mix.exs ./apps/fz_wall/ -COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/ -RUN mix do deps.get, deps.compile - -COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/ -RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error -COPY apps/fz_http/priv apps/fz_http/priv -COPY apps/fz_http/assets apps/fz_http/assets -RUN npm run --prefix ./apps/fz_http/assets deploy && \ - cd apps/fz_http && mix phx.digest - -COPY . . -RUN mix release firezone - -RUN mkdir -p pkg/debian/opt -RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone - -RUN cd pkg && dpkg-deb --build debian diff --git a/pkg/Dockerfile.centos_7 b/pkg/Dockerfile.centos_7 index fd8211344..e69de29bb 100644 --- a/pkg/Dockerfile.centos_7 
+++ b/pkg/Dockerfile.centos_7 @@ -1,62 +0,0 @@ -# This Dockerfile builds release packages. -# **NOTE**: This is not recommended, as it's possible the deployment -# production environment will diff from the image environment here, -# even if the OS and kernel versions match. -# As such, this script has been deprecated in favor of building the release -# in the production environment. -FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build - -# Setup to run build script -ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update -q && \ - apt-get install -y --no-install-recommends \ - ca-certificates \ - build-essential \ - git \ - dpkg-dev \ - libssl-dev \ - automake \ - gnupg \ - curl \ - autoconf \ - libncurses5-dev \ - unzip \ - zlib1g-dev \ - locales && \ - apt-get clean && \ - rm -rf /tmp/* /var/tmp/* -RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \ - locale-gen -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US:en -ENV LC_ALL en_US.UTF-8 - -RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - -RUN apt-get install nodejs - -ENV MIX_ENV prod -WORKDIR /build - -RUN mix local.hex --force && \ - mix local.rebar --force -COPY mix.exs mix.lock ./ -COPY config config -COPY apps/fz_http/mix.exs ./apps/fz_http/ -COPY apps/fz_wall/mix.exs ./apps/fz_wall/ -COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/ -RUN mix do deps.get, deps.compile - -COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/ -RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error -COPY apps/fz_http/priv apps/fz_http/priv -COPY apps/fz_http/assets apps/fz_http/assets -RUN npm run --prefix ./apps/fz_http/assets deploy && \ - cd apps/fz_http && mix phx.digest - -COPY . . -RUN mix release firezone - -RUN mkdir -p pkg/debian/opt -RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone - -RUN cd pkg && dpkg-deb --build debian diff --git a/pkg/Dockerfile.centos_8 b/pkg/Dockerfile.centos_8 index fd8211344..e69de29bb 100644 
--- a/pkg/Dockerfile.centos_8 +++ b/pkg/Dockerfile.centos_8 @@ -1,62 +0,0 @@ -# This Dockerfile builds release packages. -# **NOTE**: This is not recommended, as it's possible the deployment -# production environment will diff from the image environment here, -# even if the OS and kernel versions match. -# As such, this script has been deprecated in favor of building the release -# in the production environment. -FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build - -# Setup to run build script -ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update -q && \ - apt-get install -y --no-install-recommends \ - ca-certificates \ - build-essential \ - git \ - dpkg-dev \ - libssl-dev \ - automake \ - gnupg \ - curl \ - autoconf \ - libncurses5-dev \ - unzip \ - zlib1g-dev \ - locales && \ - apt-get clean && \ - rm -rf /tmp/* /var/tmp/* -RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \ - locale-gen -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US:en -ENV LC_ALL en_US.UTF-8 - -RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - -RUN apt-get install nodejs - -ENV MIX_ENV prod -WORKDIR /build - -RUN mix local.hex --force && \ - mix local.rebar --force -COPY mix.exs mix.lock ./ -COPY config config -COPY apps/fz_http/mix.exs ./apps/fz_http/ -COPY apps/fz_wall/mix.exs ./apps/fz_wall/ -COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/ -RUN mix do deps.get, deps.compile - -COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/ -RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error -COPY apps/fz_http/priv apps/fz_http/priv -COPY apps/fz_http/assets apps/fz_http/assets -RUN npm run --prefix ./apps/fz_http/assets deploy && \ - cd apps/fz_http && mix phx.digest - -COPY . . -RUN mix release firezone - -RUN mkdir -p pkg/debian/opt -RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone - -RUN cd pkg && dpkg-deb --build debian 
diff --git a/pkg/Dockerfile.debian_10 b/pkg/Dockerfile.debian_10 index fd8211344..e69de29bb 100644 --- a/pkg/Dockerfile.debian_10 +++ b/pkg/Dockerfile.debian_10 
@@ -1,62 +0,0 @@ -# This Dockerfile builds release packages. -# **NOTE**: This is not recommended, as it's possible the deployment -# production environment will diff from the image environment here, -# even if the OS and kernel versions match. -# As such, this script has been deprecated in favor of building the release -# in the production environment. -FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build - -# Setup to run build script -ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update -q && \ - apt-get install -y --no-install-recommends \ - ca-certificates \ - build-essential \ - git \ - dpkg-dev \ - libssl-dev \ - automake \ - gnupg \ - curl \ - autoconf \ - libncurses5-dev \ - unzip \ - zlib1g-dev \ - locales && \ - apt-get clean && \ - rm -rf /tmp/* /var/tmp/* -RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \ - locale-gen -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US:en -ENV LC_ALL en_US.UTF-8 - -RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - -RUN apt-get install nodejs - -ENV MIX_ENV prod -WORKDIR /build - -RUN mix local.hex --force && \ - mix local.rebar --force -COPY mix.exs mix.lock ./ -COPY config config -COPY apps/fz_http/mix.exs ./apps/fz_http/ -COPY apps/fz_wall/mix.exs ./apps/fz_wall/ -COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/ -RUN mix do deps.get, deps.compile - -COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/ -RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error -COPY apps/fz_http/priv apps/fz_http/priv -COPY apps/fz_http/assets apps/fz_http/assets -RUN npm run --prefix ./apps/fz_http/assets deploy && \ - cd apps/fz_http && mix phx.digest - -COPY . . -RUN mix release firezone - -RUN mkdir -p pkg/debian/opt -RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone - -RUN cd pkg && dpkg-deb --build debian diff --git a/pkg/Dockerfile.redhat_7 b/pkg/Dockerfile.redhat_7 index fd8211344..e69de29bb 100644 --- a/pkg/Dockerfile.redhat_7 
+++ b/pkg/Dockerfile.redhat_7 @@ -1,62 +0,0 @@ -# This Dockerfile builds release packages. -# **NOTE**: This is not recommended, as it's possible the deployment -# production environment will diff from the image environment here, -# even if the OS and kernel versions match. -# As such, this script has been deprecated in favor of building the release -# in the production environment. -FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build - -# Setup to run build script -ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update -q && \ - apt-get install -y --no-install-recommends \ - ca-certificates \ - build-essential \ - git \ - dpkg-dev \ - libssl-dev \ - automake \ - gnupg \ - curl \ - autoconf \ - libncurses5-dev \ - unzip \ - zlib1g-dev \ - locales && \ - apt-get clean && \ - rm -rf /tmp/* /var/tmp/* -RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \ - locale-gen -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US:en -ENV LC_ALL en_US.UTF-8 - -RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - -RUN apt-get install nodejs - -ENV MIX_ENV prod -WORKDIR /build - -RUN mix local.hex --force && \ - mix local.rebar --force -COPY mix.exs mix.lock ./ -COPY config config -COPY apps/fz_http/mix.exs ./apps/fz_http/ -COPY apps/fz_wall/mix.exs ./apps/fz_wall/ -COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/ -RUN mix do deps.get, deps.compile - -COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/ -RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error -COPY apps/fz_http/priv apps/fz_http/priv -COPY apps/fz_http/assets apps/fz_http/assets -RUN npm run --prefix ./apps/fz_http/assets deploy && \ - cd apps/fz_http && mix phx.digest - -COPY . . -RUN mix release firezone - -RUN mkdir -p pkg/debian/opt -RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone - -RUN cd pkg && dpkg-deb --build debian diff --git a/pkg/Dockerfile.redhat_8 b/pkg/Dockerfile.redhat_8 index fd8211344..e69de29bb 100644 
--- a/pkg/Dockerfile.redhat_8 +++ b/pkg/Dockerfile.redhat_8 @@ -1,62 +0,0 @@ -# This Dockerfile builds release packages. -# **NOTE**: This is not recommended, as it's possible the deployment -# production environment will diff from the image environment here, -# even if the OS and kernel versions match. -# As such, this script has been deprecated in favor of building the release -# in the production environment. -FROM hexpm/elixir:1.11.2-erlang-23.1.2-ubuntu-focal-20201008 AS build - -# Setup to run build script -ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update -q && \ - apt-get install -y --no-install-recommends \ - ca-certificates \ - build-essential \ - git \ - dpkg-dev \ - libssl-dev \ - automake \ - gnupg \ - curl \ - autoconf \ - libncurses5-dev \ - unzip \ - zlib1g-dev \ - locales && \ - apt-get clean && \ - rm -rf /tmp/* /var/tmp/* -RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && \ - locale-gen -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US:en -ENV LC_ALL en_US.UTF-8 - -RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - -RUN apt-get install nodejs - -ENV MIX_ENV prod -WORKDIR /build - -RUN mix local.hex --force && \ - mix local.rebar --force -COPY mix.exs mix.lock ./ -COPY config config -COPY apps/fz_http/mix.exs ./apps/fz_http/ -COPY apps/fz_wall/mix.exs ./apps/fz_wall/ -COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/ -RUN mix do deps.get, deps.compile - -COPY apps/fz_http/assets/package.json apps/fz_http/assets/package-lock.json ./apps/fz_http/assets/ -RUN cd apps/fz_http/assets && npm ci --progress=false --no-audit --loglevel=error -COPY apps/fz_http/priv apps/fz_http/priv -COPY apps/fz_http/assets apps/fz_http/assets -RUN npm run --prefix ./apps/fz_http/assets deploy && \ - cd apps/fz_http && mix phx.digest - -COPY . . -RUN mix release firezone - -RUN mkdir -p pkg/debian/opt -RUN mv _build/prod/rel/firezone pkg/debian/opt/firezone - -RUN cd pkg && dpkg-deb --build debian 
diff --git a/pkg/Dockerfile.ubuntu_18.04 b/pkg/Dockerfile.ubuntu_18.04
index 3b54d8797..bb9c626ea 100644
--- a/pkg/Dockerfile.ubuntu_18.04
+++ b/pkg/Dockerfile.ubuntu_18.04
@@ -62,9 +62,12 @@ RUN npm run --prefix ./apps/fz_http/assets deploy && \
 COPY . .
 RUN mix release
-RUN mkdir -p pkg/$PKG_DIR/opt
-RUN mv _build/prod/rel/firezone pkg/$PKG_DIR/opt/firezone
-
+# Copy shared files
+RUN rsync -avz pkg/debain_shared/* pkg/$PKG_DIR/
 RUN ls -lR pkg/$PKG_DIR
+RUN mkdir -p pkg/$PKG_DIR/etc/firezone
+RUN mkdir -p pkg/$PKG_DIR/usr/bin
+RUN mv _build/prod/rel/firezone pkg/$PKG_DIR/usr/lib/firezone
+RUN cd pkg/$PKG_DIR/usr/bin && ln -s ../lib/firezone/bin/firezone
 RUN cd pkg && dpkg-deb --build $PKG_DIR
diff --git a/pkg/Dockerfile.ubuntu_20.04 b/pkg/Dockerfile.ubuntu_20.04
index ec8946581..fd0ad3c84 100644
--- a/pkg/Dockerfile.ubuntu_20.04
+++ b/pkg/Dockerfile.ubuntu_20.04
@@ -62,7 +62,12 @@ RUN npm run --prefix ./apps/fz_http/assets deploy && \
 COPY . .
 RUN mix release
-RUN mkdir -p pkg/$PKG_DIR/opt
-RUN mv _build/prod/rel/firezone pkg/$PKG_DIR/opt/firezone
+# Copy shared files
+RUN rsync -avz pkg/debain_shared/* pkg/$PKG_DIR/
+RUN ls -lR pkg/$PKG_DIR
+RUN mkdir -p pkg/$PKG_DIR/etc/firezone
+RUN mkdir -p pkg/$PKG_DIR/usr/bin
+RUN mv _build/prod/rel/firezone pkg/$PKG_DIR/usr/lib/firezone
+RUN cd pkg/$PKG_DIR/usr/bin && ln -s ../lib/firezone/bin/firezone
 RUN cd pkg && dpkg-deb --build $PKG_DIR
diff --git a/pkg/ubuntu_18.04_amd64/DEBIAN/changelog b/pkg/debian_shared/DEBIAN/changelog
similarity index 100%
rename from pkg/ubuntu_18.04_amd64/DEBIAN/changelog
rename to pkg/debian_shared/DEBIAN/changelog
diff --git a/pkg/ubuntu_18.04_amd64/DEBIAN/postinst b/pkg/debian_shared/DEBIAN/postinst
similarity index 63%
rename from pkg/ubuntu_18.04_amd64/DEBIAN/postinst
rename to pkg/debian_shared/DEBIAN/postinst
index dc130fe95..361fefa7a 100755
--- a/pkg/ubuntu_18.04_amd64/DEBIAN/postinst
+++ b/pkg/debian_shared/DEBIAN/postinst
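Review bot: `RUN rsync -avz pkg/debain_shared/* pkg/$PKG_DIR/` names the source directory `debain_shared`, but the directory this commit creates is `pkg/debian_shared`; rsync exits non-zero on a missing source, so the build fails at this line, and the same typo is in the pkg/Dockerfile.ubuntu_20.04 hunk. `-z` does nothing useful for a local copy, so `RUN rsync -a pkg/debian_shared/ pkg/$PKG_DIR/` is enough. `RUN mv _build/prod/rel/firezone pkg/$PKG_DIR/usr/lib/firezone` needs `pkg/$PKG_DIR/usr/lib` to exist and nothing in the hunk creates it (only `usr/bin` and `etc/firezone` are made); unless the checked-in package skeleton already ships usr/lib, `RUN mkdir -p pkg/$PKG_DIR/usr/lib` is required before the mv. The build stage these lines belong to starts outside the hunk.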
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 set -e
 # FireZone package post-install script
@@ -40,13 +40,14 @@ fi
 # Grant all privileges
 su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
-### SET UP SSL
-# XXX: Use Let's Encrypt
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
 # Write FireZone SSL files
-mkdir -p /opt/firezone/ssl
-ssl_key_file=/opt/firezone/ssl/key.pem
-ssl_cert_file=/opt/firezone/ssl/cert.pem
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
 if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
 echo "ssl files exist; not creating"
 else
@@ -63,12 +64,17 @@ db_key="$(openssl rand -base64 32)"
 wg_server_key="$(wg genkey)"
 # Write FireZone config file
-if [ -f /opt/firezone/config.env ]; then
+if [ -f /etc/firezone/secret.env ]; then
 echo "config file exists; not creating"
 else
-cat <> /opt/firezone/config.env
+
+umask 037
+cat <> /etc/firezone/secret/secrets.env
 # This file is loaded into FireZone's Environment upon launch to configure it.
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
 # This is used to ensure secure communication with the live web views.
 # Re-generate this with "openssl rand -base64 24". All existing web views will
 # need to be refreshed.
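Review bot: `chmod 770 /etc/firezone/secret` grants group root read, write and search on the directory that will hold the TLS private key and secrets.env, while nothing in the hunk needs group access: the owner is firezone (`chown firezone:root` on the line above), which is the account the unit runs as, and root reads regardless of mode. `chmod 0700 /etc/firezone/secret` is the least-privilege setting here. A one-line why-comment on the mkdir, `# holds key.pem and secrets.env; owner-only access`, would keep the next change from loosening it. postinst's body starts outside the hunk.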
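Review bot: The guard `if [ -f /etc/firezone/secret.env ]; then` tests a path this script never writes — the heredoc below targets `/etc/firezone/secret/secrets.env` — so the "config file exists; not creating" branch is unreachable and every run of postinst (first install, reinstall, upgrade) writes a new set of freshly generated LIVE_VIEW_SIGNING_SALT, SECRET_KEY_BASE, DB_ENCRYPTION_KEY, WG_SERVER_KEY and a DATABASE_URL built from a new ${db_password}. If, as the original form suggests, the heredoc appends, the later assignment wins when systemd loads the file, which rotates DB_ENCRYPTION_KEY and causes exactly the data loss the added warning comment describes; the redirection operator is garbled in this rendering, so truncate-versus-append cannot be confirmed from the hunk, but the secrets are regenerated either way. The check should read `if [ -f /etc/firezone/secret/secrets.env ]; then`. The role creation that would have to agree with the new password is earlier in the script, outside the hunk.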
@@ -80,47 +86,18 @@ LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
 SECRET_KEY_BASE="${secret_key_base}"
 # The URL to connect to your DB. Assumes the database has been created and this
-# user has privileges to create and modify tables.
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
 DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
-# The HTTPS port to listen on. Defaults to 8800.
-HTTPS_LISTEN_PORT=8800
-
-# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
-HTTPS_LISTEN_ADDRESS=127.0.0.1
-
-# The WireGuard port to listen on. Defaults to 51820.
-WG_LISTEN_PORT=51820
-
-# The address for the WireGuard endpoint. Defaults to the address of the
-# default egress interface if not set.
-WG_ENDPOINT_ADDRESS=
-
 # The Base64-encoded key for encrypted database fields.
 DB_ENCRYPTION_KEY=${db_key}
 # The Base64-encoded private key for the WireGuard interface
 WG_SERVER_KEY=${wg_server_key}
-
-# SSL certificate file and key path. Self-signed certs are generated for you on
-# install, but it's highly recommended to replace these with valid certs.
-# Free certs can be obtained at https://letsencrypt.org.
-SSL_CERT_FILE=/opt/firezone/ssl/cert.pem
-SSL_KEY_FILE=/opt/firezone/ssl/key.pem
-
-# Path to the intermediate certificates file. (usually not required)
-# SSL_CA_CERT_FILE=
-
-# Host to use for generating links back to the application, such as in
-# outbound emails. Defaults to "localhost".
-# URL_HOST=${hostname}
-
-# For security, it's recommended to leave signups disabled and instead create
-# users via the CLI.
-DISABLE_SIGNUP=yes
 EOT
 fi
 # Set perms
-chown -R firezone:root /opt/firezone
-chmod 0644 /opt/firezone/ssl/cert.pem
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
diff --git a/pkg/debian_shared/DEBIAN/postrm b/pkg/debian_shared/DEBIAN/postrm
new file mode 100755
index 000000000..cbdfe886c
--- /dev/null
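Review bot: `chown -R firezone:root /etc/firezone` makes the service account the owner of everything under /etc/firezone — the package-shipped config.env as well as the key.pem and secrets.env this script just generated — and the unit runs as User=firezone, so a compromised application process can rewrite its own configuration, TLS key and signing secrets. If the application only reads these files, keep them root-owned and give the service read access through its group instead: `chown -R root:firezone /etc/firezone && chmod 0750 /etc/firezone/secret && chmod 0640 /etc/firezone/secret/*` (this assumes a `firezone` group exists alongside the user, which the user-creation step outside the hunk would have to guarantee). `chmod 0644 /etc/firezone/cert.pem` is fine, since the certificate is public. The heredoc this hunk closes with `EOT` is opened outside the hunk.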
+++ b/pkg/debian_shared/DEBIAN/postrm
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+# Remove created user
+echo "Removing firezone user"
+userdel -Zrf firezone
diff --git a/pkg/debian_shared/DEBIAN/prerm b/pkg/debian_shared/DEBIAN/prerm
new file mode 100755
index 000000000..2005ff9b3
--- /dev/null
+++ b/pkg/debian_shared/DEBIAN/prerm
@@ -0,0 +1,2 @@
+#!/bin/bash
+set -e
diff --git a/pkg/debian_shared/etc/firezone/config.env b/pkg/debian_shared/etc/firezone/config.env
new file mode 100644
index 000000000..6f2e683a7
--- /dev/null
+++ b/pkg/debian_shared/etc/firezone/config.env
@@ -0,0 +1,27 @@
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
+
+# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
+HTTPS_LISTEN_ADDRESS=127.0.0.1
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address for the WireGuard endpoint. Defaults to the address of the
+# default egress interface if not set.
+WG_ENDPOINT_ADDRESS=
+
+# SSL certificate file and key path. Self-signed certs are generated for you on
+# install, but it's highly recommended to replace these with valid certs.
+# Free certs can be obtained at https://letsencrypt.org.
+SSL_CERT_FILE=/etc/firezone/cert.pem
+SSL_KEY_FILE=/etc/firezone/secret/key.pem
+
+# Path to the intermediate certificates file. (usually not required)
+# SSL_CA_CERT_FILE=
+
+# Host to use for generating links back to the application, such as in
+# outbound emails. Should be publicly resolvable. Defaults to "localhost".
+# URL_HOST=
diff --git a/pkg/ubuntu_18.04_amd64/lib/systemd/system/firezone.service b/pkg/debian_shared/lib/systemd/system/firezone.service
similarity index 50%
rename from pkg/ubuntu_18.04_amd64/lib/systemd/system/firezone.service
rename to pkg/debian_shared/lib/systemd/system/firezone.service
index b55af7901..05fdd6188 100644
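Review bot: `userdel -Zrf firezone` runs unconditionally, but dpkg also invokes postrm with `upgrade` (and `failed-upgrade`, `abort-install`, `abort-upgrade`), so every package upgrade deletes the account the unit runs as and leaves /etc/firezone owned by a dangling UID until the new postinst happens to recreate it. Gate the removal on the action and on the user existing, and drop the force flags: `if [ "$1" = "purge" ] && id firezone >/dev/null 2>&1; then` / `  userdel firezone` / `fi`. `-r` tries to remove a home directory that postinst never creates for this system user, and `-f` removes a home even when another account shares it, so neither belongs here. The generated secrets.env and key.pem under /etc/firezone/secret are not package files and would survive a purge; the purge branch is also the place to remove them.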
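Review bot: config.env is shipped as an ordinary package file under /etc and no DEBIAN/conffiles entry appears anywhere in this patch; unless the per-release DEBIAN directory already lists it, dpkg will overwrite operator edits to HTTPS_LISTEN_ADDRESS, WG_ENDPOINT_ADDRESS or URL_HOST on every upgrade. Add `etc/firezone/config.env` to DEBIAN/conffiles, or state in the header comment that the file is replaced on upgrade. The `DISABLE_SIGNUP=yes` setting that the previously generated env file carried is removed by this commit and not carried over here, so whether new installs keep registration closed now depends on the application default, which is not visible in this patch; either add `DISABLE_SIGNUP=yes` with its original explanatory comment or confirm that the release config defaults signups to disabled.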
--- a/pkg/ubuntu_18.04_amd64/lib/systemd/system/firezone.service
+++ b/pkg/debian_shared/lib/systemd/system/firezone.service
@@ -8,12 +8,12 @@ Restart=on-failure
 RestartSec=1
 User=firezone
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
-EnvironmentFile=/opt/firezone/config.env
-ExecStartPre=/opt/firezone/bin/firezone eval "FzHttp.Release.migrate"
-ExecStart=/opt/firezone/bin/firezone start
+EnvironmentFile=/etc/firezone/config.env /etc/firezone/secret/secrets.env
+ExecStartPre=/usr/lib/firezone/bin/firezone eval "FzHttp.Release.migrate"
+ExecStart=/usr/lib/firezone/bin/firezone start
 # XXX: Remove sleeps
 ExecStartPost=/bin/sleep 8
-ExecStartPost=/opt/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
+ExecStartPost=/usr/lib/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
 [Install]
 WantedBy=multi-user.target
diff --git a/pkg/ubuntu_18.04_amd64/DEBIAN/lintian-overrides b/pkg/ubuntu_18.04_amd64/DEBIAN/lintian-overrides
deleted file mode 100644
index 9be6341ae..000000000
--- a/pkg/ubuntu_18.04_amd64/DEBIAN/lintian-overrides
+++ /dev/null
@@ -1 +0,0 @@
-firezone: dir-or-file-in-opt
diff --git a/pkg/ubuntu_18.04_amd64/DEBIAN/templates b/pkg/ubuntu_18.04_amd64/DEBIAN/templates
deleted file mode 100644
index 2cceaf891..000000000
--- a/pkg/ubuntu_18.04_amd64/DEBIAN/templates
+++ /dev/null
@@ -1,11 +0,0 @@
-Template: firezone/config
-Type: note
-Description: config file
- FireZone's config file is located at /opt/firezone/config.yml. Only root
- should be able to view and edit this file. Random secrets and passwords have
- been generated and saved for you already.
-
-Template: firezone/access
-Type: note
-Description: access instructions
- FireZone has been installed successfully and is running on port 8443!
diff --git a/pkg/ubuntu_18.04_arm64/DEBIAN/changelog b/pkg/ubuntu_18.04_arm64/DEBIAN/changelog
deleted file mode 100644
index 831de16be..000000000
--- a/pkg/ubuntu_18.04_arm64/DEBIAN/changelog
+++ /dev/null
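Review bot: `EnvironmentFile=/etc/firezone/config.env /etc/firezone/secret/secrets.env` puts two paths into one assignment, but systemd parses the value of each EnvironmentFile= directive as a single (absolute) filename, so the unit will look for a file literally named with the embedded space, fail to load it, and refuse to start. Use one directive per file, in this order so that values in secrets.env take precedence over config.env: `EnvironmentFile=/etc/firezone/config.env` / `EnvironmentFile=/etc/firezone/secret/secrets.env`. The [Unit] section and the first [Service] lines are outside the hunk.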
@@ -1,3 +0,0 @@ -firezone (0.2.0ubuntu1) bionic; urgency=low - - * initial release diff --git a/pkg/ubuntu_18.04_arm64/DEBIAN/lintian-overrides b/pkg/ubuntu_18.04_arm64/DEBIAN/lintian-overrides deleted file mode 100644 index 9be6341ae..000000000 --- a/pkg/ubuntu_18.04_arm64/DEBIAN/lintian-overrides +++ /dev/null @@ -1 +0,0 @@ -firezone: dir-or-file-in-opt diff --git a/pkg/ubuntu_18.04_arm64/DEBIAN/postinst b/pkg/ubuntu_18.04_arm64/DEBIAN/postinst deleted file mode 100755 index f6b67cb1b..000000000 --- a/pkg/ubuntu_18.04_arm64/DEBIAN/postinst +++ /dev/null 
@@ -1,126 +0,0 @@ -#!/usr/bin/env bash -set -e - -# FireZone package post-install script - -# All created files are 0600 by default -umask 077 - -# Add firezone user if not exists -if id firezone &>/dev/null; then - echo "firezone user exists... not creating." -else - echo "creating system user firezone" - useradd --system firezone -fi - -hostname=$(hostname) - -### SET UP DB - -# Create role if not exists -db_user=firezone -db_password="$(openssl rand -hex 16)" -res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"") -if [[ $res == *"0 rows"* ]]; then - su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\"" -else - echo "${db_user} role found in DB" -fi - -# Create DB if not exists -db_name=firezone -res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"") -if [[ $res == *"0 rows"* ]]; then - su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true" -else - echo "${db_name} exists; not creating" -fi - -# Grant all privileges -su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\"" - -### SET UP SSL -# XXX: Use Let's Encrypt - -# Write FireZone SSL files -mkdir -p /opt/firezone/ssl -ssl_key_file=/opt/firezone/ssl/key.pem -ssl_cert_file=/opt/firezone/ssl/cert.pem -if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then - echo "ssl files exist; not creating" -else - openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \ - -keyout $ssl_key_file \ - -out $ssl_cert_file \ - -days 365 -subj "/CN=${hostname}" -fi - -# Generate app secrets -live_view_signing_salt="$(openssl rand -base64 24)" -secret_key_base="$(openssl rand -base64 48)" -db_key="$(openssl rand -base64 32)" -wg_server_key="$(wg genkey)" - -# Write FireZone config files -if [ ! -f /opt/firezone/config.env ]; then -cat <> /opt/firezone/config.env -# This file is loaded into FireZone's Environment upon launch to configure it. 
- -# This is used to ensure secure communication with the live web views. -# Re-generate this with "openssl rand -base64 24". All existing web views will -# need to be refreshed. -LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}" - -# This is used to secure cookies among other things. -# You can regenerate this with "openssl rand -base64 48". All existing clients -# will be signed out. -SECRET_KEY_BASE="${secret_key_base}" - -# The URL to connect to your DB. Assumes the database has been created and this -# user has privileges to create and modify tables. -DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone" - -# The HTTPS port to listen on. Defaults to 8800. -HTTPS_LISTEN_PORT=8800 - -# The address to bind the HTTPS server to. Defaults to "127.0.0.1" -HTTPS_LISTEN_ADDRESS=127.0.0.1 - -# The WireGuard port to listen on. Defaults to 51820. -WG_LISTEN_PORT=51820 - -# The address for the WireGuard endpoint. Defaults to the address of the -# default egress interface if not set. -WG_ENDPOINT_ADDRESS= - -# The Base64-encoded key for encrypted database fields. -DB_ENCRYPTION_KEY=${db_key} - -# The Base64-encoded private key for the WireGuard interface -WG_SERVER_KEY=${wg_server_key} - -# SSL certificate file and key path. Self-signed certs are generated for you on -# install, but it's highly recommended to replace these with valid certs. -# Free certs can be obtained at https://letsencrypt.org. -SSL_CERT_FILE=/opt/firezone/ssl/cert.pem -SSL_KEY_FILE=/opt/firezone/ssl/key.pem - -# Path to the intermediate certificates file. (usually not required) -# SSL_CA_CERT_FILE= - -# Host to use for generating links back to the application, such as in -# outbound emails. Defaults to "localhost". -# URL_HOST=${hostname} - -# For security, it's recommended to leave signups disabled and instead create -# users via the CLI. 
-DISABLE_SIGNUP=yes -EOT -else - echo "config file exists; not creating" -fi - -# Set perms -chown -R firezone:root /opt/firezone -chmod 0644 /opt/firezone/ssl/cert.pem diff --git a/pkg/ubuntu_18.04_arm64/DEBIAN/templates b/pkg/ubuntu_18.04_arm64/DEBIAN/templates deleted file mode 100644 index 2cceaf891..000000000 --- a/pkg/ubuntu_18.04_arm64/DEBIAN/templates +++ /dev/null @@ -1,11 +0,0 @@ -Template: firezone/config -Type: note -Description: config file - FireZone's config file is located at /opt/firezone/config.yml. Only root - should be able to view and edit this file. Random secrets and passwords have - been generated and saved for you already. - -Template: firezone/access -Type: note -Description: access instructions - FireZone has been installed successfully and is running on port 8443! diff --git a/pkg/ubuntu_18.04_arm64/lib/systemd/system/firezone.service b/pkg/ubuntu_18.04_arm64/lib/systemd/system/firezone.service deleted file mode 100644 index a1be51acd..000000000 --- a/pkg/ubuntu_18.04_arm64/lib/systemd/system/firezone.service +++ /dev/null @@ -1,19 +0,0 @@ -[Unit] -Description=FireZone -Requires=postgresql.service -After=postgresql.service - -[Service] -Restart=on-failure -RestartSec=1 -User=firezone -AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH -EnvironmentFile=/opt/firezone/config.env -ExecStartPre=/opt/firezone/bin/firezone eval "FzHttp.Release.migrate" -ExecStart=/opt/firezone/bin/firezone start -# XXX: Remove sleeps -ExecStartPost=/bin/sleep 8 -ExecStartPost=/opt/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user" - -[Install] -WantedBy=multi-user.target diff --git a/pkg/ubuntu_20.04_amd64/DEBIAN/changelog b/pkg/ubuntu_20.04_amd64/DEBIAN/changelog deleted file mode 100644 index 9ba56fa91..000000000 --- a/pkg/ubuntu_20.04_amd64/DEBIAN/changelog +++ /dev/null @@ -1,3 +0,0 @@ -firezone (0.2.0ubuntu1) trusty; urgency=low - - * initial release 
diff --git a/pkg/ubuntu_20.04_amd64/DEBIAN/lintian-overrides b/pkg/ubuntu_20.04_amd64/DEBIAN/lintian-overrides deleted file mode 100644 index 9be6341ae..000000000 --- a/pkg/ubuntu_20.04_amd64/DEBIAN/lintian-overrides +++ /dev/null @@ -1 +0,0 @@ -firezone: dir-or-file-in-opt diff --git a/pkg/ubuntu_20.04_amd64/DEBIAN/postinst b/pkg/ubuntu_20.04_amd64/DEBIAN/postinst deleted file mode 100755 index f6b67cb1b..000000000 --- a/pkg/ubuntu_20.04_amd64/DEBIAN/postinst +++ /dev/null 
@@ -1,126 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# FireZone package post-install script
-
-# All created files are 0600 by default
-umask 077
-
-# Add firezone user if not exists
-if id firezone &>/dev/null; then
- echo "firezone user exists... not creating."
-else
- echo "creating system user firezone"
- useradd --system firezone
-fi
-
-hostname=$(hostname)
-
-### SET UP DB
-
-# Create role if not exists
-db_user=firezone
-db_password="$(openssl rand -hex 16)"
-res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
-if [[ $res == *"0 rows"* ]]; then
- su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
-else
- echo "${db_user} role found in DB"
-fi
-
-# Create DB if not exists
-db_name=firezone
-res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
-if [[ $res == *"0 rows"* ]]; then
- su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
-else
- echo "${db_name} exists; not creating"
-fi
-
-# Grant all privileges
-su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
-
-### SET UP SSL
-# XXX: Use Let's Encrypt
-
-# Write FireZone SSL files
-mkdir -p /opt/firezone/ssl
-ssl_key_file=/opt/firezone/ssl/key.pem
-ssl_cert_file=/opt/firezone/ssl/cert.pem
-if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
- echo "ssl files exist; not creating"
-else
- openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
- -keyout $ssl_key_file \
- -out $ssl_cert_file \
- -days 365 -subj "/CN=${hostname}"
-fi
-
-# Generate app secrets
-live_view_signing_salt="$(openssl rand -base64 24)"
-secret_key_base="$(openssl rand -base64 48)"
-db_key="$(openssl rand -base64 32)"
-wg_server_key="$(wg genkey)"
-
-# Write FireZone config files
-if [ ! -f /opt/firezone/config.env ]; then
-cat <> /opt/firezone/config.env
-# This file is loaded into FireZone's Environment upon launch to configure it.
-
-# This is used to ensure secure communication with the live web views.
-# Re-generate this with "openssl rand -base64 24". All existing web views will
-# need to be refreshed.
-LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
-
-# This is used to secure cookies among other things.
-# You can regenerate this with "openssl rand -base64 48". All existing clients
-# will be signed out.
-SECRET_KEY_BASE="${secret_key_base}"
-
-# The URL to connect to your DB. Assumes the database has been created and this
-# user has privileges to create and modify tables.
-DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
-
-# The HTTPS port to listen on. Defaults to 8800.
-HTTPS_LISTEN_PORT=8800
-
-# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
-HTTPS_LISTEN_ADDRESS=127.0.0.1
-
-# The WireGuard port to listen on. Defaults to 51820.
-WG_LISTEN_PORT=51820
-
-# The address for the WireGuard endpoint. Defaults to the address of the
-# default egress interface if not set.
-WG_ENDPOINT_ADDRESS=
-
-# The Base64-encoded key for encrypted database fields.
-DB_ENCRYPTION_KEY=${db_key}
-
-# The Base64-encoded private key for the WireGuard interface
-WG_SERVER_KEY=${wg_server_key}
-
-# SSL certificate file and key path. Self-signed certs are generated for you on
-# install, but it's highly recommended to replace these with valid certs.
-# Free certs can be obtained at https://letsencrypt.org.
-SSL_CERT_FILE=/opt/firezone/ssl/cert.pem
-SSL_KEY_FILE=/opt/firezone/ssl/key.pem
-
-# Path to the intermediate certificates file. (usually not required)
-# SSL_CA_CERT_FILE=
-
-# Host to use for generating links back to the application, such as in
-# outbound emails. Defaults to "localhost".
-# URL_HOST=${hostname}
-
-# For security, it's recommended to leave signups disabled and instead create
-# users via the CLI.
-DISABLE_SIGNUP=yes
-EOT
-else
- echo "config file exists; not creating"
-fi
-
-# Set perms
-chown -R firezone:root /opt/firezone
-chmod 0644 /opt/firezone/ssl/cert.pem
diff --git a/pkg/ubuntu_20.04_amd64/DEBIAN/templates b/pkg/ubuntu_20.04_amd64/DEBIAN/templates
deleted file mode 100644
index 2cceaf891..000000000
--- a/pkg/ubuntu_20.04_amd64/DEBIAN/templates
+++ /dev/null
@@ -1,11 +0,0 @@
-Template: firezone/config
-Type: note
-Description: config file
- FireZone's config file is located at /opt/firezone/config.yml. Only root
- should be able to view and edit this file. Random secrets and passwords have
- been generated and saved for you already.
-
-Template: firezone/access
-Type: note
-Description: access instructions
- FireZone has been installed successfully and is running on port 8443!
diff --git a/pkg/ubuntu_20.04_amd64/lib/systemd/system/firezone.service b/pkg/ubuntu_20.04_amd64/lib/systemd/system/firezone.service
deleted file mode 100644
index a1be51acd..000000000
--- a/pkg/ubuntu_20.04_amd64/lib/systemd/system/firezone.service
+++ /dev/null
@@ -1,19 +0,0 @@
-[Unit]
-Description=FireZone
-Requires=postgresql.service
-After=postgresql.service
-
-[Service]
-Restart=on-failure
-RestartSec=1
-User=firezone
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
-EnvironmentFile=/opt/firezone/config.env
-ExecStartPre=/opt/firezone/bin/firezone eval "FzHttp.Release.migrate"
-ExecStart=/opt/firezone/bin/firezone start
-# XXX: Remove sleeps
-ExecStartPost=/bin/sleep 8
-ExecStartPost=/opt/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
-
-[Install]
-WantedBy=multi-user.target
diff --git a/pkg/ubuntu_20.04_arm64/DEBIAN/changelog b/pkg/ubuntu_20.04_arm64/DEBIAN/changelog
deleted file mode 100644
index 9ba56fa91..000000000
--- a/pkg/ubuntu_20.04_arm64/DEBIAN/changelog
+++ /dev/null
@@ -1,3 +0,0 @@
-firezone (0.2.0ubuntu1) trusty; urgency=low
-
- * initial release
diff --git a/pkg/ubuntu_20.04_arm64/DEBIAN/lintian-overrides b/pkg/ubuntu_20.04_arm64/DEBIAN/lintian-overrides
deleted file mode 100644
index 9be6341ae..000000000
--- a/pkg/ubuntu_20.04_arm64/DEBIAN/lintian-overrides
+++ /dev/null
@@ -1 +0,0 @@
-firezone: dir-or-file-in-opt
diff --git a/pkg/ubuntu_20.04_arm64/DEBIAN/postinst b/pkg/ubuntu_20.04_arm64/DEBIAN/postinst
deleted file mode 100755
index f6b67cb1b..000000000
--- a/pkg/ubuntu_20.04_arm64/DEBIAN/postinst
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# FireZone package post-install script
-
-# All created files are 0600 by default
-umask 077
-
-# Add firezone user if not exists
-if id firezone &>/dev/null; then
- echo "firezone user exists... not creating."
-else
- echo "creating system user firezone"
- useradd --system firezone
-fi
-
-hostname=$(hostname)
-
-### SET UP DB
-
-# Create role if not exists
-db_user=firezone
-db_password="$(openssl rand -hex 16)"
-res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
-if [[ $res == *"0 rows"* ]]; then
- su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
-else
- echo "${db_user} role found in DB"
-fi
-
-# Create DB if not exists
-db_name=firezone
-res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
-if [[ $res == *"0 rows"* ]]; then
- su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
-else
- echo "${db_name} exists; not creating"
-fi
-
-# Grant all privileges
-su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
-
-### SET UP SSL
-# XXX: Use Let's Encrypt
-
-# Write FireZone SSL files
-mkdir -p /opt/firezone/ssl
-ssl_key_file=/opt/firezone/ssl/key.pem
-ssl_cert_file=/opt/firezone/ssl/cert.pem
-if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
- echo "ssl files exist; not creating"
-else
- openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
- -keyout $ssl_key_file \
- -out $ssl_cert_file \
- -days 365 -subj "/CN=${hostname}"
-fi
-
-# Generate app secrets
-live_view_signing_salt="$(openssl rand -base64 24)"
-secret_key_base="$(openssl rand -base64 48)"
-db_key="$(openssl rand -base64 32)"
-wg_server_key="$(wg genkey)"
-
-# Write FireZone config files
-if [ ! -f /opt/firezone/config.env ]; then
-cat <> /opt/firezone/config.env
-# This file is loaded into FireZone's Environment upon launch to configure it.
-
-# This is used to ensure secure communication with the live web views.
-# Re-generate this with "openssl rand -base64 24". All existing web views will
-# need to be refreshed.
-LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
-
-# This is used to secure cookies among other things.
-# You can regenerate this with "openssl rand -base64 48". All existing clients
-# will be signed out.
-SECRET_KEY_BASE="${secret_key_base}"
-
-# The URL to connect to your DB. Assumes the database has been created and this
-# user has privileges to create and modify tables.
-DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
-
-# The HTTPS port to listen on. Defaults to 8800.
-HTTPS_LISTEN_PORT=8800
-
-# The address to bind the HTTPS server to. Defaults to "127.0.0.1"
-HTTPS_LISTEN_ADDRESS=127.0.0.1
-
-# The WireGuard port to listen on. Defaults to 51820.
-WG_LISTEN_PORT=51820
-
-# The address for the WireGuard endpoint. Defaults to the address of the
-# default egress interface if not set.
-WG_ENDPOINT_ADDRESS=
-
-# The Base64-encoded key for encrypted database fields.
-DB_ENCRYPTION_KEY=${db_key}
-
-# The Base64-encoded private key for the WireGuard interface
-WG_SERVER_KEY=${wg_server_key}
-
-# SSL certificate file and key path. Self-signed certs are generated for you on
-# install, but it's highly recommended to replace these with valid certs.
-# Free certs can be obtained at https://letsencrypt.org.
-SSL_CERT_FILE=/opt/firezone/ssl/cert.pem
-SSL_KEY_FILE=/opt/firezone/ssl/key.pem
-
-# Path to the intermediate certificates file. (usually not required)
-# SSL_CA_CERT_FILE=
-
-# Host to use for generating links back to the application, such as in
-# outbound emails. Defaults to "localhost".
-# URL_HOST=${hostname}
-
-# For security, it's recommended to leave signups disabled and instead create
-# users via the CLI.
-DISABLE_SIGNUP=yes
-EOT
-else
- echo "config file exists; not creating"
-fi
-
-# Set perms
-chown -R firezone:root /opt/firezone
-chmod 0644 /opt/firezone/ssl/cert.pem
diff --git a/pkg/ubuntu_20.04_arm64/DEBIAN/templates b/pkg/ubuntu_20.04_arm64/DEBIAN/templates
deleted file mode 100644
index 2cceaf891..000000000
--- a/pkg/ubuntu_20.04_arm64/DEBIAN/templates
+++ /dev/null
@@ -1,11 +0,0 @@
-Template: firezone/config
-Type: note
-Description: config file
- FireZone's config file is located at /opt/firezone/config.yml. Only root
- should be able to view and edit this file. Random secrets and passwords have
- been generated and saved for you already.
-
-Template: firezone/access
-Type: note
-Description: access instructions
- FireZone has been installed successfully and is running on port 8443!
diff --git a/pkg/ubuntu_20.04_arm64/lib/systemd/system/firezone.service b/pkg/ubuntu_20.04_arm64/lib/systemd/system/firezone.service
deleted file mode 100644
index a1be51acd..000000000
--- a/pkg/ubuntu_20.04_arm64/lib/systemd/system/firezone.service
+++ /dev/null
@@ -1,19 +0,0 @@
-[Unit]
-Description=FireZone
-Requires=postgresql.service
-After=postgresql.service
-
-[Service]
-Restart=on-failure
-RestartSec=1
-User=firezone
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
-EnvironmentFile=/opt/firezone/config.env
-ExecStartPre=/opt/firezone/bin/firezone eval "FzHttp.Release.migrate"
-ExecStart=/opt/firezone/bin/firezone start
-# XXX: Remove sleeps
-ExecStartPost=/bin/sleep 8
-ExecStartPost=/opt/firezone/bin/firezone rpc "FzHttp.Release.create_admin_user"
-
-[Install]
-WantedBy=multi-user.target