mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
Document WIREGUARD_MTU is for server interface only (#1212)
Client configs will be generated based on runtime configuration stored in the `sites` table, while server configuration (which requires a restart of the server) will be configurable via ENV vars. Refs #1270
@@ -1,4 +1,8 @@
defmodule FzHttp.Repo.Migrations.MoveWireguardOptionalFieldsToSites do
@moduledoc """
As of this comment and migration, the client configs will no longer be
affected by these ENV vars.
"""
use Ecto.Migration
def change do
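Review bot: the `@moduledoc` added to `FzHttp.Repo.Migrations.MoveWireguardOptionalFieldsToSites` says client configs "will no longer be affected by these ENV vars" without naming which variables it means, so someone reading the migration on its own cannot tell what was moved. Suggest naming the WireGuard fields being moved into the `sites` table and pointing at the tracking issue, e.g. `Client configs are now built from the runtime configuration stored in the sites table; the WIREGUARD_* ENV vars only affect the server interface. Refs #1270.` The body of `def change do` falls outside the hunk context, so the column list itself cannot be checked here.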
@@ -19,48 +19,49 @@ Read more about configuring Firezone in our [configure guide](/deploy/configure)
We recommend setting these in your Docker ENV file (`$HOME/.firezone/.env` by
default). Required fields in **bold**.
| Name | Description | Format | Default |
| --- | --- | --- | --- |
| **`EXTERNAL_URL`** | The external URL the web UI will be accessible at. Must be a valid FQDN for ACME SSL issuance to function. | String | |
| **`ADMIN_EMAIL`** | Primary administrator email. | String | |
| **`DEFAULT_ADMIN_PASSWORD`** | Default password that will be used for creating or resetting the primary administrator account. | String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`DATABASE_PASSWORD`** | Password used to connect to the DB. | String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`DATABASE_ENCRYPTION_KEY`** | The base64-encoded symmetric encryption key used to encrypt and decrypt sensitive fields. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`GUARDIAN_SECRET_KEY`** | Secret key used for signing JWTs. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`COOKIE_ENCRYPTION_SALT`** | Encryption salt for cookies issued by the Phoenix web application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`COOKIE_SIGNING_SALT`** | Signing salt for cookies issued by the Phoenix web application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`LIVE_VIEW_SIGNING_SALT`** | Signing salt for Phoenix LiveView connection tokens. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`SECRET_KEY_BASE`** | Primary secret key base for the Phoenix application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| `LOCAL_AUTH_ENABLED` | Enable or disable the local authentication method for all users. | Boolean | `true` |
| `SAML_ENTITY_ID` | SAML Entity ID. | String | `urn:firezone.dev:firezone-app` |
| `SAML_KEYFILE_PATH` | Path to the SAML keyfile inside the container. | String | `/var/firezone/saml.key` |
| `SAML_CERTFILE_PATH` | Path to the SAML certificate file inside the container. | String | `/var/firezone/saml.crt` |
| `DATABASE_HOST` | Database host. | IP or hostname | `postgres` |
| `DATABASE_PORT` | Database port. | Integer | `5432` |
| `DATABASE_NAME` | Name of database. | String | `firezone` |
| `DATABASE_USER` | Database user. | String | `postgres` |
| `DATABASE_POOL` | Size of the Firezone connection pool. | Integer | `10` |
| `DATABASE_SSL` | Whether to connect to the database over SSL | Boolean | `false` |
| `DATABASE_SSL_OPTS` | Map of options to send to the `:ssl_opts` option when connecting over SSL. See [Ecto.Adapters.Postgres documentation](https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options) | JSON-encoded String | `{}` |
| `DATABASE_PARAMETERS` | Map of parameters to send to the `:parameters` option when connecting to the database. See [Ecto.Adapters.Postgres documentation](https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options). | JSON-encoded String | `{}` |
| `CONNECTIVITY_CHECKS_ENABLED` | Enable / disable periodic checking for egress connectivity. Determines the instance's public IP to populate `Endpoint` fields. | Boolean | `true` |
| `CONNECTIVITY_CHECKS_INTERVAL` | Periodicity in seconds to check for egress connectivity. | Integer | `3600` |
| `EXTERNAL_TRUSTED_PROXIES` | List of trusted reverse proxies. | JSON-encoded array | `[]` |
| `MAX_DEVICES_PER_USER` | Maximum number of devices to allow per user. | Integer | `10` |
| `OUTBOUND_EMAIL_FROM` | From address to use for sending outbound emails. If not set, sending email will be disabled (default). | String | |
| `OUTBOUND_EMAIL_PROVIDER` | Method to use for sending outbound email. If not set, will default to `sendmail`. See the list of [Swoosh Adapters](https://github.com/swoosh/swoosh#adapters). | String | |
| `OUTBOUND_EMAIL_CONFIGS` | Email provider-specific config. | JSON-encoded hash of provider config. E.g. `{"gmail": {"access_token": "..."}, "smtp": {"relay": "smtp.example.com"}}`. See the [swoosh docs](https://hexdocs.pm/swoosh/). | `{}` |
| `PHOENIX_PORT` | Internal port to listen on for the Phoenix web server. | Integer | `13000` |
| `PRIVATE_CLIENTS` | List of IPs / CIDRs to consider trusted for purposes of correctly parsing the `X-Forwarded-For` header. | JSON-encoded list of IPs / CIDRs. | `[]` |
| `WIREGUARD_IPV4_ADDRESS` | Tunnel-side IPv4 address of Firezone. | String | `10.3.2.1` |
| `WIREGUARD_IPV4_ENABLED` | Enable / disable tunnel-side IPv4 connectivity. | Boolean | `true` |
| `WIREGUARD_IPV4_MASQUERADE` | Enable / disable IPv4 masquerade. | String | `true` |
| `WIREGUARD_IPV4_NETWORK` | Tunnel-side IPv4 network to use. | String | `10.3.2.0/24` |
| `WIREGUARD_IPV6_ADDRESS` | Tunnel-side IPv6 address of Firezone. | String | `fd00::3:2:1` |
| `WIREGUARD_IPV6_ENABLED` | Enable / disable tunnel IPv6 addresses. | Boolean | `true` |
| `WIREGUARD_IPV6_MASQUERADE` | Enable / disable IPv6 masquerade. | Boolean | `true` |
| `WIREGUARD_IPV6_NETWORK` | Tunnel-side IPv6 network to use. | String | `fd00::3:2:0/120` |
| `WIREGUARD_ENDPOINT` | Default Endpoint used in client configs. Defaults to the server's public IP if not set. | String | |
| `WIREGUARD_PORT` | Port to listen on for WireGuard connections. | Integer | `51820` |
| `SECURE_COOKIES` | Enable or disable requiring secure cookies. Required for HTTPS. | Boolean | `true` |
| `TELEMETRY_ENABLED` | Enable / disable product telemetry. Read more about [what that means here](/reference/telemetry). | Boolean | `true` |
| Name | Description | Format | Default |
| --- | --- | --- | --- |
| **`EXTERNAL_URL`** | The external URL the web UI will be accessible at. Must be a valid FQDN for ACME SSL issuance to function. | String | |
| **`ADMIN_EMAIL`** | Primary administrator email. | String | |
| **`DEFAULT_ADMIN_PASSWORD`** | Default password that will be used for creating or resetting the primary administrator account. | String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`DATABASE_PASSWORD`** | Password used to connect to the DB. | String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`DATABASE_ENCRYPTION_KEY`** | The base64-encoded symmetric encryption key used to encrypt and decrypt sensitive fields. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`GUARDIAN_SECRET_KEY`** | Secret key used for signing JWTs. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`COOKIE_ENCRYPTION_SALT`** | Encryption salt for cookies issued by the Phoenix web application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`COOKIE_SIGNING_SALT`** | Signing salt for cookies issued by the Phoenix web application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`LIVE_VIEW_SIGNING_SALT`** | Signing salt for Phoenix LiveView connection tokens. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| **`SECRET_KEY_BASE`** | Primary secret key base for the Phoenix application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. |
| `LOCAL_AUTH_ENABLED` | Enable or disable the local authentication method for all users. | Boolean | `true` |
| `SAML_ENTITY_ID` | SAML Entity ID. | String | `urn:firezone.dev:firezone-app` |
| `SAML_KEYFILE_PATH` | Path to the SAML keyfile inside the container. | String | `/var/firezone/saml.key` |
| `SAML_CERTFILE_PATH` | Path to the SAML certificate file inside the container. | String | `/var/firezone/saml.crt` |
| `DATABASE_HOST` | Database host. | IP or hostname | `postgres` |
| `DATABASE_PORT` | Database port. | Integer | `5432` |
| `DATABASE_NAME` | Name of database. | String | `firezone` |
| `DATABASE_USER` | Database user. | String | `postgres` |
| `DATABASE_POOL` | Size of the Firezone connection pool. | Integer | `10` |
| `DATABASE_SSL` | Whether to connect to the database over SSL | Boolean | `false` |
| `DATABASE_SSL_OPTS` | Map of options to send to the `:ssl_opts` option when connecting over SSL. See [Ecto.Adapters.Postgres documentation](https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options) | JSON-encoded String | `{}` |
| `DATABASE_PARAMETERS` | Map of parameters to send to the `:parameters` option when connecting to the database. See [Ecto.Adapters.Postgres documentation](https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options). | JSON-encoded String | `{}` |
| `CONNECTIVITY_CHECKS_ENABLED` | Enable / disable periodic checking for egress connectivity. Determines the instance's public IP to populate `Endpoint` fields. | Boolean | `true` |
| `CONNECTIVITY_CHECKS_INTERVAL` | Periodicity in seconds to check for egress connectivity. | Integer | `3600` |
| `EXTERNAL_TRUSTED_PROXIES` | List of trusted reverse proxies. | JSON-encoded array | `[]` |
| `MAX_DEVICES_PER_USER` | Maximum number of devices to allow per user. | Integer | `10` |
| `OUTBOUND_EMAIL_FROM` | From address to use for sending outbound emails. If not set, sending email will be disabled (default). | String | |
| `OUTBOUND_EMAIL_PROVIDER` | Method to use for sending outbound email. If not set, will default to `sendmail`. See the list of [Swoosh Adapters](https://github.com/swoosh/swoosh#adapters). | String | |
| `OUTBOUND_EMAIL_CONFIGS` | Email provider-specific config. | JSON-encoded hash of provider config. E.g. `{"gmail": {"access_token": "..."}, "smtp": {"relay": "smtp.example.com"}}`. See the [swoosh docs](https://hexdocs.pm/swoosh/). | `{}` |
| `PHOENIX_PORT` | Internal port to listen on for the Phoenix web server. | Integer | `13000` |
| `PRIVATE_CLIENTS` | List of IPs / CIDRs to consider trusted for purposes of correctly parsing the `X-Forwarded-For` header. | JSON-encoded list of IPs / CIDRs. | `[]` |
| `WIREGUARD_IPV4_ADDRESS` | Tunnel-side IPv4 address of Firezone. | String | `10.3.2.1` |
| `WIREGUARD_IPV4_ENABLED` | Enable / disable tunnel-side IPv4 connectivity. | Boolean | `true` |
| `WIREGUARD_IPV4_MASQUERADE` | Enable / disable IPv4 masquerade. | String | `true` |
| `WIREGUARD_IPV4_NETWORK` | Tunnel-side IPv4 network to use. | String | `10.3.2.0/24` |
| `WIREGUARD_IPV6_ADDRESS` | Tunnel-side IPv6 address of Firezone. | String | `fd00::3:2:1` |
| `WIREGUARD_IPV6_ENABLED` | Enable / disable tunnel IPv6 addresses. | Boolean | `true` |
| `WIREGUARD_IPV6_MASQUERADE` | Enable / disable IPv6 masquerade. | Boolean | `true` |
| `WIREGUARD_IPV6_NETWORK` | Tunnel-side IPv6 network to use. | String | `fd00::3:2:0/120` |
| `WIREGUARD_MTU` | MTU to use for the server-side WireGuard MTU interface. | String | `1280` |
| `WIREGUARD_ENDPOINT` | Default Endpoint used in client configs. Defaults to the server's public IP if not set. | String | |
| `WIREGUARD_PORT` | Port to listen on for WireGuard connections. | Integer | `51820` |
| `SECURE_COOKIES` | Enable or disable requiring secure cookies. Required for HTTPS. | Boolean | `true` |
| `TELEMETRY_ENABLED` | Enable / disable product telemetry. Read more about [what that means here](/reference/telemetry). | Boolean | `true` |
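Review bot: the new `WIREGUARD_MTU` row gives its Format as `String`, but the default `1280` is a number and the rest of the table uses `Integer` for numeric settings such as `WIREGUARD_PORT` and `DATABASE_PORT`; the description also repeats the word MTU ("MTU to use for the server-side WireGuard MTU interface"). Since the commit message states that this setting applies only to the server interface and needs a server restart, the row should say so explicitly, e.g. `| WIREGUARD_MTU | MTU of the server-side WireGuard interface. Not applied to client configs; changing it requires a server restart. | Integer | 1280 |`. While this table is being touched, `WIREGUARD_IPV4_MASQUERADE` is listed with Format `String` whereas its `WIREGUARD_IPV6_MASQUERADE` counterpart is `Boolean`; both take `true`/`false`.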