From dc7ffe48a9cd5b240a94acd495cf51285b3a1646 Mon Sep 17 00:00:00 2001 From: Jamil Bou Kheir Date: Fri, 13 Aug 2021 15:36:43 +0000 Subject: [PATCH] Add postinst script --- omnibus/package-scripts/firezone/postinst | 104 +++++++++++++++++++++- omnibus/package-scripts/firezone/postrm | 3 +- 2 files changed, 105 insertions(+), 2 deletions(-) diff --git a/omnibus/package-scripts/firezone/postinst b/omnibus/package-scripts/firezone/postinst index 15757b513..c23ba4cfe 100755 --- a/omnibus/package-scripts/firezone/postinst +++ b/omnibus/package-scripts/firezone/postinst @@ -1,10 +1,13 @@ -#!/bin/sh +#!/bin/bash +set -e +# FireZone package post-install script # # Perform necessary firezone setup steps # after package is installed. # PROGNAME=`basename $0` +install_dir=/opt/firezone error_exit() { @@ -12,6 +15,105 @@ error_exit() exit 1 } +# All created files are 0600 by default +umask 077 + +# Add firezone user if not exists +if id firezone &>/dev/null; then + echo "firezone user exists... not creating." +else + echo "creating system user firezone" + useradd --system firezone +fi + + +### SET UP DB + +# Create role if not exists +db_user=firezone +db_password="$(openssl rand -hex 16)" +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\"" +else + echo "${db_user} role found in DB" +fi + +# Create DB if not exists +db_name=firezone +res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"") +if [[ $res == *"0 rows"* ]]; then + su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true" +else + echo "${db_name} exists; not creating" +fi + +# Grant all privileges +su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\"" + +# Set up secrets dir +mkdir -p ${install_dir}/embedded/etc/firezone/secret +chown firezone:root ${install_dir}/embedded/etc/firezone/secret +chmod 770 ${install_dir}/embedded/etc/firezone/secret + +# Write FireZone SSL files +ssl_key_file=${install_dir}/embedded/etc/firezone/secret/key.pem +ssl_cert_file=${install_dir}/embedded/etc/firezone/cert.pem +hostname=$(hostname) +if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then + echo "ssl files exist; not creating" +else + openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \ + -keyout $ssl_key_file \ + -out $ssl_cert_file \ + -days 365 -subj "/CN=${hostname}" +fi + +# Generate app secrets +live_view_signing_salt="$(openssl rand -base64 24)" +secret_key_base="$(openssl rand -base64 48)" +db_key="$(openssl rand -base64 32)" +wg_server_key="$(wg genkey)" + +# Write FireZone config file +if [ -f ${install_dir}/embedded/etc/firezone/secret/secrets.env ]; then + echo "config file exists; not creating" +else + +umask 037 +cat < ${install_dir}/embedded/etc/firezone/secret/secrets.env +# This file is loaded into FireZone's Environment upon launch to configure it. + +# Warning: changing anything here can result in data loss. Make sure you know +# what you're doing! + +# This is used to ensure secure communication with the live web views. +# Re-generate this with "openssl rand -base64 24". All existing web views will +# need to be refreshed. +LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}" + +# This is used to secure cookies among other things. +# You can regenerate this with "openssl rand -base64 48". All existing clients +# will be signed out. +SECRET_KEY_BASE="${secret_key_base}" + +# The URL to connect to your DB. Assumes the database has been created and this +# user has privileges to create and modify tables. Must start with ecto:// +# Ex: ecto://user:password@localhost/firezone +DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone" + +# The Base64-encoded key for encrypted database fields. +DB_ENCRYPTION_KEY=${db_key} + +# The Base64-encoded private key for the WireGuard interface +WG_SERVER_KEY=${wg_server_key} +EOT +fi + +# Set perms +chown -R firezone:root ${install_dir}/embedded/etc/firezone +chmod 0644 ${install_dir}/embedded/etc/firezone/cert.pem + echo "Thank you for installing firezone!" exit 0 diff --git a/omnibus/package-scripts/firezone/postrm b/omnibus/package-scripts/firezone/postrm index 6bdd7d3dd..b2575e5a3 100755 --- a/omnibus/package-scripts/firezone/postrm +++ b/omnibus/package-scripts/firezone/postrm @@ -1,4 +1,5 @@ -#!/bin/sh +#!/bin/bash +set -e # # Perform necessary firezone removal steps # after package is uninstalled.