diff --git a/apps/fz_http/priv/repo/migrations/20221219020354_move_wireguard_optional_fields_to_sites.exs b/apps/fz_http/priv/repo/migrations/20221219020354_move_wireguard_optional_fields_to_sites.exs index 6183d44a8..e98d22a0d 100644 --- a/apps/fz_http/priv/repo/migrations/20221219020354_move_wireguard_optional_fields_to_sites.exs +++ b/apps/fz_http/priv/repo/migrations/20221219020354_move_wireguard_optional_fields_to_sites.exs @@ -1,4 +1,8 @@ defmodule FzHttp.Repo.Migrations.MoveWireguardOptionalFieldsToSites do + @moduledoc """ + As of this comment and migration, the client configs will no longer be + affected by these ENV vars. + """ use Ecto.Migration def change do diff --git a/docs/docs/reference/env-vars.mdx b/docs/docs/reference/env-vars.mdx index ede90264c..a43d1d98a 100644 --- a/docs/docs/reference/env-vars.mdx +++ b/docs/docs/reference/env-vars.mdx 
@@ -19,48 +19,49 @@ Read more about configuring Firezone in our [configure guide](/deploy/configure) We recommend setting these in your Docker ENV file (`$HOME/.firezone/.env` by default). Required fields in **bold**. -| Name | Description | Format | Default | -| --- | --- | --- | --- | -| **`EXTERNAL_URL`** | The external URL the web UI will be accessible at. Must be a valid FQDN for ACME SSL issuance to function. | String | | -| **`ADMIN_EMAIL`** | Primary administrator email. | String | | -| **`DEFAULT_ADMIN_PASSWORD`** | Default password that will be used for creating or resetting the primary administrator account. | String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | -| **`DATABASE_PASSWORD`** | Password used to connect to the DB. | String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | -| **`DATABASE_ENCRYPTION_KEY`** | The base64-encoded symmetric encryption key used to encrypt and decrypt sensitive fields. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | -| **`GUARDIAN_SECRET_KEY`** | Secret key used for signing JWTs. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | -| **`COOKIE_ENCRYPTION_SALT`** | Encryption salt for cookies issued by the Phoenix web application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | -| **`COOKIE_SIGNING_SALT`** | Signing salt for cookies issued by the Phoenix web application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | -| **`LIVE_VIEW_SIGNING_SALT`** | Signing salt for Phoenix LiveView connection tokens. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | -| **`SECRET_KEY_BASE`** | Primary secret key base for the Phoenix application. 
| base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | -| `LOCAL_AUTH_ENABLED` | Enable or disable the local authentication method for all users. | Boolean | `true` | -| `SAML_ENTITY_ID` | SAML Entity ID. | String | `urn:firezone.dev:firezone-app` | -| `SAML_KEYFILE_PATH` | Path to the SAML keyfile inside the container. | String | `/var/firezone/saml.key` | -| `SAML_CERTFILE_PATH` | Path to the SAML certificate file inside the container. | String | `/var/firezone/saml.crt` | -| `DATABASE_HOST` | Database host. | IP or hostname | `postgres` | -| `DATABASE_PORT` | Database port. | Integer | `5432` | -| `DATABASE_NAME` | Name of database. | String | `firezone` | -| `DATABASE_USER` | Database user. | String | `postgres` | -| `DATABASE_POOL` | Size of the Firezone connection pool. | Integer | `10` | -| `DATABASE_SSL` | Whether to connect to the database over SSL | Boolean | `false` | -| `DATABASE_SSL_OPTS` | Map of options to send to the `:ssl_opts` option when connecting over SSL. See [Ecto.Adapters.Postgres documentation](https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options) | JSON-encoded String | `{}` | -| `DATABASE_PARAMETERS` | Map of parameters to send to the `:parameters` option when connecting to the database. See [Ecto.Adapters.Postgres documentation](https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options). | JSON-encoded String | `{}` | -| `CONNECTIVITY_CHECKS_ENABLED` | Enable / disable periodic checking for egress connectivity. Determines the instance's public IP to populate `Endpoint` fields. | Boolean | `true` | -| `CONNECTIVITY_CHECKS_INTERVAL` | Periodicity in seconds to check for egress connectivity. | Integer | `3600` | -| `EXTERNAL_TRUSTED_PROXIES` | List of trusted reverse proxies. | JSON-encoded array | `[]` | -| `MAX_DEVICES_PER_USER` | Maximum number of devices to allow per user. 
| Integer | `10` | -| `OUTBOUND_EMAIL_FROM` | From address to use for sending outbound emails. If not set, sending email will be disabled (default). | String | | -| `OUTBOUND_EMAIL_PROVIDER` | Method to use for sending outbound email. If not set, will default to `sendmail`. See the list of [Swoosh Adapters](https://github.com/swoosh/swoosh#adapters). | String | | -| `OUTBOUND_EMAIL_CONFIGS` | Email provider-specific config. | JSON-encoded hash of provider config. E.g. `{"gmail": {"access_token": "..."}, "smtp": {"relay": "smtp.example.com"}}`. See the [swoosh docs](https://hexdocs.pm/swoosh/). | `{}` | -| `PHOENIX_PORT` | Internal port to listen on for the Phoenix web server. | Integer | `13000` | -| `PRIVATE_CLIENTS` | List of IPs / CIDRs to consider trusted for purposes of correctly parsing the `X-Forwarded-For` header. | JSON-encoded list of IPs / CIDRs. | `[]` | -| `WIREGUARD_IPV4_ADDRESS` | Tunnel-side IPv4 address of Firezone. | String | `10.3.2.1` | -| `WIREGUARD_IPV4_ENABLED` | Enable / disable tunnel-side IPv4 connectivity. | Boolean | `true` | -| `WIREGUARD_IPV4_MASQUERADE` | Enable / disable IPv4 masquerade. | String | `true` | -| `WIREGUARD_IPV4_NETWORK` | Tunnel-side IPv4 network to use. | String | `10.3.2.0/24` | -| `WIREGUARD_IPV6_ADDRESS` | Tunnel-side IPv6 address of Firezone. | String | `fd00::3:2:1` | -| `WIREGUARD_IPV6_ENABLED` | Enable / disable tunnel IPv6 addresses. | Boolean | `true` | -| `WIREGUARD_IPV6_MASQUERADE` | Enable / disable IPv6 masquerade. | Boolean | `true` | -| `WIREGUARD_IPV6_NETWORK` | Tunnel-side IPv6 network to use. | String | `fd00::3:2:0/120` | -| `WIREGUARD_ENDPOINT` | Default Endpoint used in client configs. Defaults to the server's public IP if not set. | String | | -| `WIREGUARD_PORT` | Port to listen on for WireGuard connections. | Integer | `51820` | -| `SECURE_COOKIES` | Enable or disable requiring secure cookies. Required for HTTPS. | Boolean | `true` | -| `TELEMETRY_ENABLED` | Enable / disable product telemetry. 
Read more about [what that means here](/reference/telemetry). | Boolean | `true` | +| Name | Description | Format | Default | +| --- | --- | --- | --- | +| **`EXTERNAL_URL`** | The external URL the web UI will be accessible at. Must be a valid FQDN for ACME SSL issuance to function. | String | | +| **`ADMIN_EMAIL`** | Primary administrator email. | String | | +| **`DEFAULT_ADMIN_PASSWORD`** | Default password that will be used for creating or resetting the primary administrator account. | String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | +| **`DATABASE_PASSWORD`** | Password used to connect to the DB. | String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | +| **`DATABASE_ENCRYPTION_KEY`** | The base64-encoded symmetric encryption key used to encrypt and decrypt sensitive fields. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | +| **`GUARDIAN_SECRET_KEY`** | Secret key used for signing JWTs. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | +| **`COOKIE_ENCRYPTION_SALT`** | Encryption salt for cookies issued by the Phoenix web application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | +| **`COOKIE_SIGNING_SALT`** | Signing salt for cookies issued by the Phoenix web application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | +| **`LIVE_VIEW_SIGNING_SALT`** | Signing salt for Phoenix LiveView connection tokens. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. | +| **`SECRET_KEY_BASE`** | Primary secret key base for the Phoenix application. | base64-encoded String | Randomly generated upon install with `docker run firezone/firezone bin/gen-env`. 
| +| `LOCAL_AUTH_ENABLED` | Enable or disable the local authentication method for all users. | Boolean | `true` | +| `SAML_ENTITY_ID` | SAML Entity ID. | String | `urn:firezone.dev:firezone-app` | +| `SAML_KEYFILE_PATH` | Path to the SAML keyfile inside the container. | String | `/var/firezone/saml.key` | +| `SAML_CERTFILE_PATH` | Path to the SAML certificate file inside the container. | String | `/var/firezone/saml.crt` | +| `DATABASE_HOST` | Database host. | IP or hostname | `postgres` | +| `DATABASE_PORT` | Database port. | Integer | `5432` | +| `DATABASE_NAME` | Name of database. | String | `firezone` | +| `DATABASE_USER` | Database user. | String | `postgres` | +| `DATABASE_POOL` | Size of the Firezone connection pool. | Integer | `10` | +| `DATABASE_SSL` | Whether to connect to the database over SSL | Boolean | `false` | +| `DATABASE_SSL_OPTS` | Map of options to send to the `:ssl_opts` option when connecting over SSL. See [Ecto.Adapters.Postgres documentation](https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options) | JSON-encoded String | `{}` | +| `DATABASE_PARAMETERS` | Map of parameters to send to the `:parameters` option when connecting to the database. See [Ecto.Adapters.Postgres documentation](https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options). | JSON-encoded String | `{}` | +| `CONNECTIVITY_CHECKS_ENABLED` | Enable / disable periodic checking for egress connectivity. Determines the instance's public IP to populate `Endpoint` fields. | Boolean | `true` | +| `CONNECTIVITY_CHECKS_INTERVAL` | Periodicity in seconds to check for egress connectivity. | Integer | `3600` | +| `EXTERNAL_TRUSTED_PROXIES` | List of trusted reverse proxies. | JSON-encoded array | `[]` | +| `MAX_DEVICES_PER_USER` | Maximum number of devices to allow per user. | Integer | `10` | +| `OUTBOUND_EMAIL_FROM` | From address to use for sending outbound emails. If not set, sending email will be disabled (default). 
| String | | +| `OUTBOUND_EMAIL_PROVIDER` | Method to use for sending outbound email. If not set, will default to `sendmail`. See the list of [Swoosh Adapters](https://github.com/swoosh/swoosh#adapters). | String | | +| `OUTBOUND_EMAIL_CONFIGS` | Email provider-specific config. | JSON-encoded hash of provider config. E.g. `{"gmail": {"access_token": "..."}, "smtp": {"relay": "smtp.example.com"}}`. See the [swoosh docs](https://hexdocs.pm/swoosh/). | `{}` | +| `PHOENIX_PORT` | Internal port to listen on for the Phoenix web server. | Integer | `13000` | +| `PRIVATE_CLIENTS` | List of IPs / CIDRs to consider trusted for purposes of correctly parsing the `X-Forwarded-For` header. | JSON-encoded list of IPs / CIDRs. | `[]` | +| `WIREGUARD_IPV4_ADDRESS` | Tunnel-side IPv4 address of Firezone. | String | `10.3.2.1` | +| `WIREGUARD_IPV4_ENABLED` | Enable / disable tunnel-side IPv4 connectivity. | Boolean | `true` | +| `WIREGUARD_IPV4_MASQUERADE` | Enable / disable IPv4 masquerade. | String | `true` | +| `WIREGUARD_IPV4_NETWORK` | Tunnel-side IPv4 network to use. | String | `10.3.2.0/24` | +| `WIREGUARD_IPV6_ADDRESS` | Tunnel-side IPv6 address of Firezone. | String | `fd00::3:2:1` | +| `WIREGUARD_IPV6_ENABLED` | Enable / disable tunnel IPv6 addresses. | Boolean | `true` | +| `WIREGUARD_IPV6_MASQUERADE` | Enable / disable IPv6 masquerade. | Boolean | `true` | +| `WIREGUARD_IPV6_NETWORK` | Tunnel-side IPv6 network to use. | String | `fd00::3:2:0/120` | +| `WIREGUARD_MTU` | MTU to use for the server-side WireGuard MTU interface. | String | `1280` | +| `WIREGUARD_ENDPOINT` | Default Endpoint used in client configs. Defaults to the server's public IP if not set. | String | | +| `WIREGUARD_PORT` | Port to listen on for WireGuard connections. | Integer | `51820` | +| `SECURE_COOKIES` | Enable or disable requiring secure cookies. Required for HTTPS. | Boolean | `true` | +| `TELEMETRY_ENABLED` | Enable / disable product telemetry. 
Read more about [what that means here](/reference/telemetry). | Boolean | `true` |
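Review bot: the `@moduledoc` added to `FzHttp.Repo.Migrations.MoveWireguardOptionalFieldsToSites` never names the ENV vars it refers to ("these ENV vars"), so a reader landing on the migration from `mix ecto.migrations` cannot tell which settings stopped affecting client configs, and "As of this comment and migration" reads as a note-to-self rather than documentation. Suggest listing the variables explicitly (the WireGuard optional fields the migration moves, per its name) and stating where those values now come from, e.g. "The WIREGUARD_* optional fields are now stored per site; client configs are no longer derived from the corresponding ENV vars."

Review bot: in the `docs/docs/reference/env-vars.mdx` hunk the only substantive change is the new `WIREGUARD_MTU` row, yet every row of the table is removed and re-added, which hides the real change and suggests trailing-whitespace or line-ending churn; please reduce the hunk to the one added line. On that line, the Format column says `String` while the value `1280` is numeric and the neighbouring `WIREGUARD_PORT` row uses `Integer`, and the description "MTU to use for the server-side WireGuard MTU interface" repeats "MTU". Suggest `| `WIREGUARD_MTU` | MTU to use for the server-side WireGuard interface. | Integer | `1280` |`. Since the companion migration states that client configs are no longer affected by these ENV vars, the `WIREGUARD_*` rows (including `WIREGUARD_ENDPOINT`, still described as the "Default Endpoint used in client configs") should also say that they now only seed site defaults, otherwise the reference page contradicts the migration.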