From ecbb362bbf268128af08de8204929f77a969a7c3 Mon Sep 17 00:00:00 2001 From: Jamil Bou Kheir Date: Fri, 4 Dec 2020 11:18:12 -0800 Subject: [PATCH] Config fixes --- config/config.exs | 10 ++++++---- config/releases.exs | 11 ++++++++--- pkg/debian/DEBIAN/postinst | 18 +++++++++++++----- 3 files changed, 27 insertions(+), 12 deletions(-) diff --git a/config/config.exs b/config/config.exs index 3043bd6ee..1a4a9de8e 100644 --- a/config/config.exs +++ b/config/config.exs @@ -27,11 +27,13 @@ config :phoenix, :json_library, Jason config :fg_http, ecto_repos: [FgHttp.Repo] +# This will be changed per-env config :fg_vpn, - wireguard_conf_path: - config(:fg_http, - vpn_endpoint: "localhost:51820" - ) + wireguard_conf_path: "/etc/wireguard/wg-fireguard.conf" + +# This will be changed per-env by ENV vars +config :fg_http, + vpn_endpoint: "localhost:51820" # Configures the endpoint # These will be overridden at runtime in production by config/releases.exs diff --git a/config/releases.exs b/config/releases.exs index 8d7ba8aa8..964a949d8 100644 --- a/config/releases.exs +++ b/config/releases.exs @@ -61,7 +61,9 @@ ssl_ca_cert_file = # Optional environment variables pool_size = String.to_integer(System.get_env("POOL_SIZE") || "10") -listen_port = String.to_integer(System.get_env("LISTEN_PORT") || "8800") +https_listen_port = String.to_integer(System.get_env("HTTPS_LISTEN_PORT") || "8800") +wg_listen_port = String.to_integer(System.get_env("WG_LISTEN_PORT" || "51820")) +wg_listen_address = System.get_env("WG_LISTEN_ADDRESS") || "localhost" url_host = System.get_env("URL_HOST") || "localhost" config :fg_vpn, pubkey: pubkey @@ -73,7 +75,7 @@ config :fg_http, FgHttp.Repo, pool_size: pool_size base_opts = [ - port: listen_port, + port: https_listen_port, transport_options: [max_connections: :infinity, socket_opts: [:inet6]], otp_app: :fireguard, keyfile: ssl_key_file, 
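Review bot: The compile-time default for `vpn_endpoint` is placed under `:fg_http` in this hunk, while the runtime override added in the releases.exs hunk at @@ -85 sets `vpn_endpoint` under `:fg_vpn`, so whichever application reads the key will only ever see one of the two values. Pick one application for the key; since the comment says it is overridden by ENV vars, `config :fg_vpn, vpn_endpoint: "localhost:51820"` here would line up with the release config. The comment `# This will be changed per-env` above the `:fg_vpn` block is also ambiguous about whether the conf path or the whole block varies; naming the key that changes per environment would make it clearer.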
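Review bot: On the `wg_listen_port` line the `|| "51820"` fallback sits inside the `System.get_env/1` call, so the argument is always the literal `"WG_LISTEN_PORT"` and an unset variable makes `String.to_integer(nil)` raise when the release loads its config. The sibling lines put the fallback outside the call; change it to `wg_listen_port = String.to_integer(System.get_env("WG_LISTEN_PORT") || "51820")`. Since the only visible use of this value (the releases.exs hunk at @@ -85) concatenates it into a string, it may be simpler to leave it as a string here or convert it at the use site.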
@@ -85,12 +87,15 @@ https_opts = if ssl_ca_cert_file, do: base_opts ++ [cacertfile: ssl_ca_cert_file config :fg_http, FgHttpWeb.Endpoint, # Force SSL for releases https: https_opts, - url: [host: url_host, port: listen_port], + url: [host: url_host, port: https_listen_port], secret_key_base: secret_key_base, live_view: [ signing_salt: live_view_signing_salt ] +config :fg_vpn, + vpn_endpoint: wg_listen_address <> ":" <> wg_listen_port + # ## Using releases (Elixir v1.9+) # # If you are doing OTP releases, you need to instruct Phoenix diff --git a/pkg/debian/DEBIAN/postinst b/pkg/debian/DEBIAN/postinst index a3a86c44c..aba298137 100755 --- a/pkg/debian/DEBIAN/postinst +++ b/pkg/debian/DEBIAN/postinst @@ -70,12 +70,17 @@ DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/fireguard" # Re-generate this using the "wg" utility, e.g. "wg genkey | wg pubkey" PUBKEY="${pubkey}" -# The port to listen on. Defaults to 8800. -LISTEN_PORT=8800 +# The HTTPS port to listen on. Defaults to 8800. +HTTPS_LISTEN_PORT=8800 -# The address to bind the http server and WireGuard process to. -# Defaults to "0.0.0.0" -LISTEN_ADDRESS=0.0.0.0 +# The address to bind the HTTPS server to. Defaults to "0.0.0.0" +HTTPS_LISTEN_ADDRESS=0.0.0.0 + +# The WireGuard port to listen on. Defaults to 51820. +WG_LISTEN_PORT=51820 + +# The address to bind the WireGuard service to. Defaults to "0.0.0.0" +WG_LISTEN_ADDRESS=0.0.0.0 # SSL certificate file and key path. Self-signed certs are generated for you on # install, but it's highly recommended to replace these with valid certs. @@ -98,6 +103,9 @@ EOT default_int=$(route | grep '^default' | grep -o '[^ ]*$') # Write WireGuard config file +# XXX: Figure out whether to write config using postinst script or via Elixir +# process. Elixir process decouples packaging logic from configuration +# management a bit more. cat <> /etc/wireguard/wg-fireguard.conf [Interface] ListenPort = 51820
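Review bot: `wg_listen_address <> ":" <> wg_listen_port` concatenates an integer, because `wg_listen_port` is bound via `String.to_integer/1` in the hunk at @@ -61, and `<>` on a non-binary raises `ArgumentError` at config load, so the release would fail to boot once the earlier nil fallback is fixed. Interpolation accepts either type: `vpn_endpoint: "#{wg_listen_address}:#{wg_listen_port}"`. Separately, the key is named `vpn_endpoint`, which reads as the address peers are told to connect to rather than a bind address; neither the `"localhost"` fallback nor the packaging default of `0.0.0.0` is reachable by a remote peer, so confirm which meaning the consumer expects and record it in a comment next to the `config :fg_vpn` line.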
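Review bot: `HTTPS_LISTEN_ADDRESS` is introduced with a comment saying it binds the HTTPS server, but none of the releases.exs hunks in this patch read an `HTTPS_LISTEN_ADDRESS` variable and `base_opts` at @@ -73 carries no bind option, so as far as this patch shows the setting is written but never consumed; if nothing else reads it, either wire it in or drop it so operators are not misled about what it controls. The `WG_LISTEN_ADDRESS=0.0.0.0` default also disagrees with the `"localhost"` fallback for the same variable in releases.exs at @@ -61; keeping a single default in one place avoids surprising behaviour when the env file is missing. These assignments appear to sit inside a heredoc (the `EOT` terminator is the context of the next hunk) that starts before this hunk.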
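Review bot: The generated `[Interface]` section still hard-codes `ListenPort = 51820` even though the same patch introduces `WG_LISTEN_PORT` a few lines earlier in this file, so changing the variable does not change the port WireGuard actually listens on; write `ListenPort = ${WG_LISTEN_PORT}` instead, assuming the heredoc delimiter is unquoted so expansion happens (the `cat <>` line looks garbled in this rendering, so that cannot be confirmed here). The new XXX comment would carry more weight if it named the concrete duplication it hints at, e.g. `# XXX: This file duplicates wireguard_conf_path and the listen port already held in the Elixir config; decide which side owns it.`. The heredoc body continues past the end of this hunk.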