Config fixes

config/config.exs

@@ -27,11 +27,13 @@ config :phoenix, :json_library, Jason
 config :fg_http,
   ecto_repos: [FgHttp.Repo]
 
+# This will be changed per-env
 config :fg_vpn,
-  wireguard_conf_path:
-    config(:fg_http,
-      vpn_endpoint: "localhost:51820"
-    )
+  wireguard_conf_path: "/etc/wireguard/wg-fireguard.conf"
+
+# This will be changed per-env by ENV vars
+config :fg_http,
+  vpn_endpoint: "localhost:51820"
 
 # Configures the endpoint
 # These will be overridden at runtime in production by config/releases.exs

config/releases.exs

@@ -61,7 +61,9 @@ ssl_ca_cert_file =
 
 # Optional environment variables
 pool_size = String.to_integer(System.get_env("POOL_SIZE") || "10")
-listen_port = String.to_integer(System.get_env("LISTEN_PORT") || "8800")
+https_listen_port = String.to_integer(System.get_env("HTTPS_LISTEN_PORT") || "8800")
+wg_listen_port = String.to_integer(System.get_env("WG_LISTEN_PORT" || "51820"))
+wg_listen_address = System.get_env("WG_LISTEN_ADDRESS") || "localhost"
 url_host = System.get_env("URL_HOST") || "localhost"
 
 config :fg_vpn, pubkey: pubkey
@@ -73,7 +75,7 @@ config :fg_http, FgHttp.Repo,
   pool_size: pool_size
 
 base_opts = [
-  port: listen_port,
+  port: https_listen_port,
   transport_options: [max_connections: :infinity, socket_opts: [:inet6]],
   otp_app: :fireguard,
   keyfile: ssl_key_file,
@@ -85,12 +87,15 @@ https_opts = if ssl_ca_cert_file, do: base_opts ++ [cacertfile: ssl_ca_cert_file
 config :fg_http, FgHttpWeb.Endpoint,
   # Force SSL for releases
   https: https_opts,
-  url: [host: url_host, port: listen_port],
+  url: [host: url_host, port: https_listen_port],
   secret_key_base: secret_key_base,
   live_view: [
     signing_salt: live_view_signing_salt
   ]
 
+config :fg_vpn,
+  vpn_endpoint: wg_listen_address <> ":" <> wg_listen_port
+
 # ## Using releases (Elixir v1.9+)
 #
 # If you are doing OTP releases, you need to instruct Phoenix

pkg/debian/DEBIAN/postinst

@@ -70,12 +70,17 @@ DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/fireguard"
 # Re-generate this using the "wg" utility, e.g. "wg genkey | wg pubkey"
 PUBKEY="${pubkey}"
 
-# The port to listen on. Defaults to 8800.
-LISTEN_PORT=8800
+# The HTTPS port to listen on. Defaults to 8800.
+HTTPS_LISTEN_PORT=8800
 
-# The address to bind the http server and WireGuard process to.
-# Defaults to "0.0.0.0"
-LISTEN_ADDRESS=0.0.0.0
+# The address to bind the HTTPS server to. Defaults to "0.0.0.0"
+HTTPS_LISTEN_ADDRESS=0.0.0.0
+
+# The WireGuard port to listen on. Defaults to 51820.
+WG_LISTEN_PORT=51820
+
+# The address to bind the WireGuard service to. Defaults to "0.0.0.0"
+WG_LISTEN_ADDRESS=0.0.0.0
 
 # SSL certificate file and key path. Self-signed certs are generated for you on
 # install, but it's highly recommended to replace these with valid certs.
@@ -98,6 +103,9 @@ EOT
 default_int=$(route | grep '^default' | grep -o '[^ ]*$')
 
 # Write WireGuard config file
+# XXX: Figure out whether to write config using postinst script or via Elixir
+# process. Elixir process decouples packaging logic from configuration
+# management a bit more.
 cat <<EOT >> /etc/wireguard/wg-fireguard.conf
 [Interface]
 ListenPort = 51820