diff --git a/docs/docs/reference/configuration-file.md b/docs/docs/reference/configuration-file.md
index 0391a9d43..e53424d6f 100644
--- a/docs/docs/reference/configuration-file.md
+++ b/docs/docs/reference/configuration-file.md
@@ -8,148 +8,141 @@ parent: Reference Shown below is a complete listing of the configuration options available in `/etc/firezone/firezone.rb`. -| option | description | default value | -| ----------------------------------------- | --------------------- | -------- | -| `default['firezone']['nginx']['enabled']` | Whether to enable the bundled nginx server | `true` | -| default['firezone']['fqdn'] = (node['fqdn'] \|\| node['hostname']).downcase ||| -| default['firezone']['config_directory'] = '/etc/firezone' ||| -| default['firezone']['install_directory'] = '/opt/firezone' ||| -| default['firezone']['app_directory'] = "#{node['firezone']['install_directory']}/embedded/service/firezone" ||| -| default['firezone']['log_directory'] = '/var/log/firezone' ||| -| default['firezone']['var_directory'] = '/var/opt/firezone' ||| -| default['firezone']['user'] = 'firezone' ||| -| default['firezone']['group'] = 'firezone' ||| -| default['firezone']['admin_email'] = "firezone@localhost" ||| -| default['firezone']['egress_interface'] = nil ||| -| default['firezone']['fips_enabled'] = nil ||| -| default['enterprise']['name'] = 'firezone' ||| -| default['firezone']['install_path'] = node['firezone']['install_directory'] ||| -| default['firezone']['sysvinit_id'] = 'SUP' ||| -| default['firezone']['nginx']['enabled'] = true ||| -| default['firezone']['nginx']['force_ssl'] = true ||| -| default['firezone']['nginx']['non_ssl_port'] = 80 ||| -| default['firezone']['nginx']['ssl_port'] = 443 ||| -| default['firezone']['nginx']['directory'] = "#{node['firezone']['var_directory']}/nginx/etc" ||| -| default['firezone']['nginx']['log_directory'] = "#{node['firezone']['log_directory']}/nginx" ||| -| default['firezone']['nginx']['log_rotation']['file_maxbytes'] = 104857600 ||| -| default['firezone']['nginx']['log_rotation']['num_to_keep'] = 10 ||| -| default['firezone']['nginx']['log_x_forwarded_for'] = false ||| -| default['firezone']['nginx']['redirect_to_canonical'] = false ||| -| 
default['firezone']['nginx']['cache']['enabled'] = false ||| -| default['firezone']['nginx']['cache']['directory'] = "#{node['firezone']['var_directory']}/nginx/cache" ||| -| default['firezone']['nginx']['user'] = node['firezone']['user'] ||| -| default['firezone']['nginx']['group'] = node['firezone']['group'] ||| -| default['firezone']['nginx']['dir'] = node['firezone']['nginx']['directory'] ||| -| default['firezone']['nginx']['log_dir'] = node['firezone']['nginx']['log_directory'] ||| -| default['firezone']['nginx']['pid'] = "#{node['firezone']['nginx']['directory']}/nginx.pid" ||| -| default['firezone']['nginx']['daemon_disable'] = true ||| -| default['firezone']['nginx']['gzip'] = 'on' ||| -| default['firezone']['nginx']['gzip_static'] = 'off' ||| -| default['firezone']['nginx']['gzip_http_version'] = '1.0' ||| -| default['firezone']['nginx']['gzip_comp_level'] = '2' ||| -| default['firezone']['nginx']['gzip_proxied'] = 'any' ||| -| default['firezone']['nginx']['gzip_vary'] = 'off' ||| -| default['firezone']['nginx']['gzip_buffers'] = nil ||| -| default['firezone']['nginx']['gzip_types'] = %w( ||| -| text/plain ||| -| text/css ||| -| application/x-javascript ||| -| text/xml ||| -| application/xml ||| -| application/rss+xml ||| -| application/atom+xml ||| -| text/javascript ||| -| application/javascript ||| -| application/json ||| -| ) ||| -| default['firezone']['nginx']['gzip_min_length'] = 1000 ||| -| default['firezone']['nginx']['gzip_disable'] = 'MSIE [1-6]\.' ||| -| default['firezone']['nginx']['keepalive'] = 'on' ||| -| default['firezone']['nginx']['keepalive_timeout'] = 65 ||| -| default['firezone']['nginx']['worker_processes'] = node['cpu'] && node['cpu']['total'] ? 
node['cpu']['total'] : 1 ||| -| default['firezone']['nginx']['worker_connections'] = 1024 ||| -| default['firezone']['nginx']['worker_rlimit_nofile'] = nil ||| -| default['firezone']['nginx']['multi_accept'] = false ||| -| default['firezone']['nginx']['event'] = nil ||| -| default['firezone']['nginx']['server_tokens'] = nil ||| -| default['firezone']['nginx']['server_names_hash_bucket_size'] = 64 ||| -| default['firezone']['nginx']['sendfile'] = 'on' ||| -| default['firezone']['nginx']['access_log_options'] = nil ||| -| default['firezone']['nginx']['error_log_options'] = nil ||| -| default['firezone']['nginx']['disable_access_log'] = false ||| -| default['firezone']['nginx']['default_site_enabled'] = false ||| -| default['firezone']['nginx']['types_hash_max_size'] = 2048 ||| -| default['firezone']['nginx']['types_hash_bucket_size'] = 64 ||| -| default['firezone']['nginx']['proxy_read_timeout'] = nil ||| -| default['firezone']['nginx']['client_body_buffer_size'] = nil ||| -| default['firezone']['nginx']['client_max_body_size'] = '250m' ||| -| default['firezone']['nginx']['default']['modules'] = [] ||| -| default['firezone']['postgresql']['enabled'] = true ||| -| default['firezone']['postgresql']['username'] = node['firezone']['user'] ||| -| default['firezone']['postgresql']['data_directory'] = "#{node['firezone']['var_directory']}/postgresql/13.3/data" ||| -| default['firezone']['postgresql']['log_directory'] = "#{node['firezone']['log_directory']}/postgresql" ||| -| default['firezone']['postgresql']['log_rotation']['file_maxbytes'] = 104857600 ||| -| default['firezone']['postgresql']['log_rotation']['num_to_keep'] = 10 ||| -| default['firezone']['postgresql']['checkpoint_completion_target'] = 0.5 ||| -| default['firezone']['postgresql']['checkpoint_segments'] = 3 ||| -| default['firezone']['postgresql']['checkpoint_timeout'] = '5min' ||| -| default['firezone']['postgresql']['checkpoint_warning'] = '30s' ||| -| 
default['firezone']['postgresql']['effective_cache_size'] = '128MB' ||| -| default['firezone']['postgresql']['listen_address'] = '127.0.0.1' ||| -| default['firezone']['postgresql']['max_connections'] = 350 ||| -| default['firezone']['postgresql']['md5_auth_cidr_addresses'] = ['127.0.0.1/32', '::1/128'] ||| -| default['firezone']['postgresql']['port'] = 15432 ||| -| default['firezone']['postgresql']['shared_buffers'] = "#{(node['memory']['total'].to_i / 4) / 1024}MB" ||| -| default['firezone']['postgresql']['shmmax'] = 17179869184 ||| -| default['firezone']['postgresql']['shmall'] = 4194304 ||| -| default['firezone']['postgresql']['work_mem'] = '8MB' ||| -| default['firezone']['database']['user'] = node['firezone']['postgresql']['username'] ||| -| default['firezone']['database']['name'] = 'firezone' ||| -| default['firezone']['database']['host'] = node['firezone']['postgresql']['listen_address'] ||| -| default['firezone']['database']['port'] = node['firezone']['postgresql']['port'] ||| -| default['firezone']['database']['pool'] = [10, Etc.nprocessors].max ||| -| default['firezone']['database']['extensions'] = { 'plpgsql' => true, 'pg_trgm' => true } ||| -| default['firezone']['phoenix']['enabled'] = true ||| -| default['firezone']['phoenix']['port'] = 13000 ||| -| default['firezone']['phoenix']['log_directory'] = "#{node['firezone']['log_directory']}/phoenix" ||| -| default['firezone']['phoenix']['log_rotation']['file_maxbytes'] = 104857600 ||| -| default['firezone']['phoenix']['log_rotation']['num_to_keep'] = 10 ||| -| default['firezone']['wireguard']['enabled'] = true ||| -| default['firezone']['wireguard']['log_directory'] = "#{node['firezone']['log_directory']}/wireguard" ||| -| default['firezone']['wireguard']['log_rotation']['file_maxbytes'] = 104857600 ||| -| default['firezone']['wireguard']['log_rotation']['num_to_keep'] = 10 ||| -| default['firezone']['wireguard']['interface_name'] = 'wg-firezone' ||| -| default['firezone']['wireguard']['port'] = 51820 ||| 
-| default['firezone']['wireguard']['mtu'] = 1420 ||| -| default['firezone']['wireguard']['ipv4']['enabled'] = true ||| -| default['firezone']['wireguard']['ipv4']['network'] = '10.3.2.0/24' ||| -| default['firezone']['wireguard']['ipv4']['address'] = '10.3.2.1' ||| -| default['firezone']['wireguard']['ipv6']['enabled'] = true ||| -| default['firezone']['wireguard']['ipv6']['network'] = 'fd00::3:2:0/120' ||| -| default['firezone']['wireguard']['ipv6']['address'] = 'fd00::3:2:1' ||| -| default['firezone']['runit']['svlogd_bin'] = "#{node['firezone']['install_directory']}/embedded/bin/svlogd" ||| -| default['firezone']['ssl']['directory'] = '/var/opt/firezone/ssl' ||| -| default['firezone']['ssl']['enabled'] = true ||| -| default['firezone']['ssl']['certificate'] = nil ||| -| default['firezone']['ssl']['certificate_key'] = nil ||| -| default['firezone']['ssl']['ssl_dhparam'] = nil ||| -| default['firezone']['ssl']['country_name'] = 'US' ||| -| default['firezone']['ssl']['state_name'] = 'CA' ||| -| default['firezone']['ssl']['locality_name'] = 'San Francisco' ||| -| default['firezone']['ssl']['company_name'] = 'My Company' ||| -| default['firezone']['ssl']['organizational_unit_name'] = 'Operations' ||| -| default['firezone']['ssl']['email_address'] = 'you@example.com' ||| -| default['firezone']['ssl']['ciphers'] = 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA' ||| -| default['firezone']['ssl']['fips_ciphers'] = 'FIPS@STRENGTH:!aNULL:!eNULL' ||| -| default['firezone']['ssl']['protocols'] = 'TLSv1 TLSv1.1 TLSv1.2' ||| -| default['firezone']['ssl']['session_cache'] = 'shared:SSL:4m' ||| -| default['firezone']['ssl']['session_timeout'] = '5m' ||| -| default['firezone']['robots_allow'] = '/' ||| -| default['firezone']['robots_disallow'] = nil ||| -| default['firezone']['from_email'] = nil ||| -| default['firezone']['smtp_address'] = nil ||| -| default['firezone']['smtp_password'] = nil ||| -| default['firezone']['smtp_port'] = nil ||| -| default['firezone']['smtp_user_name'] = nil ||| -| default['firezone']['connectivity_checks']['enabled'] = true ||| -| default['firezone']['connectivity_checks']['interval'] = 3_600 ||| + + +| option | description | default value | +| ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------- | +| `default['firezone']['nginx']['enabled']` | Whether to enable the bundled nginx server. | `true` | +| `default['firezone']['fqdn']` | FQDN of this Firezone instance. 
| `(node['fqdn'] \|\| node['hostname']).downcase` | +| `default['firezone']['config_directory']` | Top-level directory for Firezone configuration. | `'/etc/firezone'` | +| `default['firezone']['install_directory']` | Top-level directory to install Firezone to. | `'/opt/firezone'` | +| `default['firezone']['app_directory']` | Top-level directory to install the Firezone web application. | `"#{node['firezone']['install_directory']}/embedded/service/firezone"` | +| `default['firezone']['log_directory']` | Top-level directory for Firezone logs. | `'/var/log/firezone'` | +| `default['firezone']['var_directory']` | Top-level directory for Firezone runtime files. | `'/var/opt/firezone'` | +| `default['firezone']['user']` | Name of unprivileged Linux user most services and files will belong to. | `'firezone'` | +| `default['firezone']['group']` | Name of Linux group most services and files will belong to. | `'firezone'` | +| `default['firezone']['admin_email']` | Email address for initial Firezone user. | `"firezone@localhost"` | +| `default['firezone']['egress_interface']` | Interface name where tunneled traffic will exit. If nil, the default route interface will be used. | `nil` | +| `default['firezone']['fips_enabled']` | Enable or disable OpenSSL FIPs mode. | `nil` | +| `default['enterprise']['name']` | Name used by the Chef 'enterprise' cookbook. | `'firezone'` | +| `default['firezone']['install_path']` | Install path used by Chef 'enterprise' cookbook. Should be set to the same as the `install_directory` above. | `node['firezone']['install_directory']` | +| `default['firezone']['sysvinit_id']` | An identifier used in `/etc/inittab`. Must be a unique sequence of 1-4 characters. | `'SUP'` | +| `default['firezone']['nginx']['enabled']` | Enable or disable the bundled nginx server. | `true` | +| `default['firezone']['nginx']['force_ssl']` | Force nginx to SSL mode only. | `true` | +| `default['firezone']['nginx']['non_ssl_port']` | HTTP listen port. 
| `80` | +| `default['firezone']['nginx']['ssl_port']` | HTTPS listen port. | `443` | +| `default['firezone']['nginx']['directory']` | Directory to store Firezone-related nginx virtual host configuration. | `"#{node['firezone']['var_directory']}/nginx/etc"` | +| `default['firezone']['nginx']['log_directory']` | Directory to store Firezone-related nginx log files. | `"#{node['firezone']['log_directory']}/nginx"` | +| `default['firezone']['nginx']['log_rotation']['file_maxbytes']` | File size at which to rotate Nginx log files. | `104857600` | +| `default['firezone']['nginx']['log_rotation']['num_to_keep']` | Number of Firezone nginx log files to keep before discarding. | `10` | +| `default['firezone']['nginx']['log_x_forwarded_for']` | Whether to log Firezone nginx `x-forwarded-for` header. | `false` | +| `default['firezone']['nginx']['redirect_to_canonical']` | Whether to redirect URLs to the canonical FQDN specified above | `false` | +| `default['firezone']['nginx']['cache']['enabled']` | Enable or disable the Firezone nginx cache. | `false` | +| `default['firezone']['nginx']['cache']['directory']` | Directory for Firezone nginx cache. | `"#{node['firezone']['var_directory']}/nginx/cache"` | +| `default['firezone']['nginx']['user']` | Firezone nginx user. | `node['firezone']['user']` | +| `default['firezone']['nginx']['group']` | Firezone nginx group. | `node['firezone']['group']` | +| `default['firezone']['nginx']['dir']` | Top-level nginx configuration directory. | `node['firezone']['nginx']['directory']` | +| `default['firezone']['nginx']['log_dir']` | Top-level nginx log directory. | `node['firezone']['nginx']['log_directory']` | +| `default['firezone']['nginx']['pid']` | Location for nginx pid file. | `"#{node['firezone']['nginx']['directory']}/nginx.pid"` | +| `default['firezone']['nginx']['daemon_disable']` | Disable nginx daemon mode so we can monitor it instead. | `true` | +| `default['firezone']['nginx']['gzip']` | Turn nginx gzip compression on or off. 
| `'on'` | +| `default['firezone']['nginx']['gzip_static']` | Turn nginx gzip compression on or off for static files. | `'off'` | +| `default['firezone']['nginx']['gzip_http_version']` | HTTP version to use for serving static files. | `'1.0'` | +| `default['firezone']['nginx']['gzip_comp_level']` | nginx gzip compression level. | `'2'` | +| `default['firezone']['nginx']['gzip_proxied']` | Enables or disables gzipping of responses for proxied requests depending on the request and response. | `'any'` | +| `default['firezone']['nginx']['gzip_vary']` | Enables or disables inserting the “Vary: Accept-Encoding” response header. | `'off'` | +| `default['firezone']['nginx']['gzip_buffers']` | Sets the number and size of buffers used to compress a response. If `nil`, nginx default is used. | `nil` | +| `default['firezone']['nginx']['gzip_types']` | MIME types to enable gzip compression for. | `['text/plain', 'text/css','application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml', 'text/javascript', 'application/javascript', 'application/json']` | +| `default['firezone']['nginx']['gzip_min_length']` | Minimum file length to enable file gzip compression for. | `1000` | +| `default['firezone']['nginx']['gzip_disable']` | User-agent matcher to disable gzip compression for. | `'MSIE [1-6]\.'` | +| `default['firezone']['nginx']['keepalive']` | Activates cache for connection to upstream servers. | `'on'` | +| `default['firezone']['nginx']['keepalive_timeout']` | Timeout in seconds for keepalive connection to upstream servers. | `65` | +| `default['firezone']['nginx']['worker_processes']` | Number of nginx worker processes. | `node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1` | +| `default['firezone']['nginx']['worker_connections']` | Max number of simultaneous connections that can be opened by a worker process. 
| `1024` | +| `default['firezone']['nginx']['worker_rlimit_nofile']` | Changes the limit on the maximum number of open files for worker processes. Uses nginx default if nil. | `nil` | +| `default['firezone']['nginx']['multi_accept']` | Whether workers should accept one connection at a time or multiple. | `false` | +| `default['firezone']['nginx']['event']` | Specifies the connection processing method to use inside nginx events context. | `nil` | +| `default['firezone']['nginx']['server_tokens']` | Enables or disables emitting nginx version on error pages and in the “Server” response header field. | `nil` | +| `default['firezone']['nginx']['server_names_hash_bucket_size']` | Sets the bucket size for the server names hash tables. | `64` | +| `default['firezone']['nginx']['sendfile']` | Enables or disables the use of nginx's `sendfile()`. | `'on'` | +| `default['firezone']['nginx']['access_log_options']` | Sets nginx access log options. | `nil` | +| `default['firezone']['nginx']['error_log_options']` | Sets nginx error log options. | `nil` | +| `default['firezone']['nginx']['disable_access_log']` | Disables nginx access log. | `false` | +| `default['firezone']['nginx']['default_site_enabled']` | Enables nginx default site. | `false` | +| `default['firezone']['nginx']['types_hash_max_size']` | nginx types hash max size. | `2048` | +| `default['firezone']['nginx']['types_hash_bucket_size']` | nginx types hash bucket size. | `64` | +| `default['firezone']['nginx']['proxy_read_timeout']` | nginx proxy read timeout. Set to `nil` to use nginx default. | `nil` | +| `default['firezone']['nginx']['client_body_buffer_size']` | nginx client body buffer size. Set to `nil` to use nginx default. | `nil` | +| `default['firezone']['nginx']['client_max_body_size']` | nginx client max body size. | `'250m'` | +| `default['firezone']['nginx']['default']['modules']` | Specify additional nginx modules. 
| `[]` | +| `default['firezone']['postgresql']['enabled']` | Enable or disable bundled Postgresql. Set to `false` and fill in the `database` options below to use your own Postgresql instance. | `true` | +| `default['firezone']['postgresql']['username']` | Username for Postgresql. | `node['firezone']['user']` | +| `default['firezone']['postgresql']['data_directory']` | Postgresql data directory. | `"#{node['firezone']['var_directory']}/postgresql/13.3/data"` | +| `default['firezone']['postgresql']['log_directory']` | Postgresql log directory. | `"#{node['firezone']['log_directory']}/postgresql"` | +| `default['firezone']['postgresql']['log_rotation']['file_maxbytes']` | Postgresql log file maximum size before it's rotated. | `104857600` | +| `default['firezone']['postgresql']['log_rotation']['num_to_keep']` | Number of Postgresql log files to keep. | `10` | +| `default['firezone']['postgresql']['checkpoint_completion_target']` | Postgresql checkpoint completion target. | `0.5` | +| `default['firezone']['postgresql']['checkpoint_segments']` | Number of Postgresql checkpoint segments. | `3` | +| `default['firezone']['postgresql']['checkpoint_timeout']` | Postgresql checkpoint timeout. | `'5min'` | +| `default['firezone']['postgresql']['checkpoint_warning']` | Postgresql checkpoint warning time in seconds. | `'30s'` | +| `default['firezone']['postgresql']['effective_cache_size']` | Postgresql effective cache size. | `'128MB'` | +| `default['firezone']['postgresql']['listen_address']` | Postgresql listen address. | `'127.0.0.1'` | +| `default['firezone']['postgresql']['max_connections']` | Postgresql max connections. | `350` | +| `default['firezone']['postgresql']['md5_auth_cidr_addresses']` | Postgresql CIDRs to allow for md5 auth. | `['127.0.0.1/32', '::1/128']` | +| `default['firezone']['postgresql']['port']` | Postgresql listen port. | `15432` | +| `default['firezone']['postgresql']['shared_buffers']` | Postgresql shared buffers size. 
| `"#{(node['memory']['total'].to_i / 4) / 1024}MB"` | +| `default['firezone']['postgresql']['shmmax']` | Postgresql shmmax in bytes. | `17179869184` | +| `default['firezone']['postgresql']['shmall']` | Postgresql shmall in bytes. | `4194304` | +| `default['firezone']['postgresql']['work_mem']` | Postgresql working memory size. | `'8MB'` | +| `default['firezone']['database']['user']` | Specifies the username Firezone will use to connect to the DB. | `node['firezone']['postgresql']['username']` | +| `default['firezone']['database']['name']` | Database that Firezone will use. Will be created if it doesn't exist. | `'firezone'` | +| `default['firezone']['database']['host']` | Database host that Firezone will connect to. | `node['firezone']['postgresql']['listen_address']` | +| `default['firezone']['database']['port']` | Database port that Firezone will connect to. | `node['firezone']['postgresql']['port']` | +| `default['firezone']['database']['pool']` | Database pool size Firezone will use. | `[10, Etc.nprocessors].max` | +| `default['firezone']['database']['extensions']` | Database extensions to enable. | `{ 'plpgsql' => true, 'pg_trgm' => true }` | +| `default['firezone']['phoenix']['enabled']` | Enable or disable the Firezone web application. | `true` | +| `default['firezone']['phoenix']['port']` | Firezone web application listen port. This will be the upstream port that nginx proxies. | `13000` | +| `default['firezone']['phoenix']['log_directory']` | Firezone web application log directory. | `"#{node['firezone']['log_directory']}/phoenix"` | +| `default['firezone']['phoenix']['log_rotation']['file_maxbytes']` | Firezone web application log file size. | `104857600` | +| `default['firezone']['phoenix']['log_rotation']['num_to_keep']` | Number of Firezone web application log files to keep. | `10` | +| `default['firezone']['wireguard']['enabled']` | Enable or disable bundled WireGuard management. 
| `true` | +| `default['firezone']['wireguard']['log_directory']` | Log directory for bundled WireGuard management. | `"#{node['firezone']['log_directory']}/wireguard"` | +| `default['firezone']['wireguard']['log_rotation']['file_maxbytes']` | WireGuard log file max size. | `104857600` | +| `default['firezone']['wireguard']['log_rotation']['num_to_keep']` | Number of WireGuard log files to keep. | `10` | +| `default['firezone']['wireguard']['interface_name']` | WireGuard interface name. | `'wg-firezone'` | +| `default['firezone']['wireguard']['port']` | WireGuard listen port. | `51820` | +| `default['firezone']['wireguard']['mtu']` | WireGuard interface MTU. | `1420` | +| `default['firezone']['wireguard']['ipv4']['enabled']` | Enable or disable IPv4 for WireGuard network. | `true` | +| `default['firezone']['wireguard']['ipv4']['network']` | WireGuard network IPv4 address pool. | `'10.3.2.0/24'` | +| `default['firezone']['wireguard']['ipv4']['address']` | WireGuard interface IPv4 address. Must be within WireGuard address pool. | `'10.3.2.1'` | +| `default['firezone']['wireguard']['ipv6']['enabled']` | Enable or disable IPv6 for WireGuard network. | `true` | +| `default['firezone']['wireguard']['ipv6']['network']` | WireGuard network IPv6 address pool. | `'fd00::3:2:0/120'` | +| `default['firezone']['wireguard']['ipv6']['address']` | WireGuard interface IPv6 address. Must be within IPv6 address pool. | `'fd00::3:2:1'` | +| `default['firezone']['runit']['svlogd_bin']` | Runit svlogd bin location. | `"#{node['firezone']['install_directory']}/embedded/bin/svlogd"` | +| `default['firezone']['ssl']['directory']` | SSL directory for storing generated certs. | `'/var/opt/firezone/ssl'` | +| `default['firezone']['ssl']['enabled']` | Enable or disable SSL for nginx. | `true` | +| `default['firezone']['ssl']['certificate']` | Path to the certificate file for your FQDN. If this is nil, a self-signed on will be generated for you. 
| `nil` | +| `default['firezone']['ssl']['certificate_key']` | Path to the certificate key file for your FQDN. If this is nil, a self-signed certificate will be generated for you. | `nil` | +| `default['firezone']['ssl']['ssl_dhparam']` | nginx ssl dh_param. | `nil` | +| `default['firezone']['ssl']['country_name']` | Country name for self-signed cert. | `'US'` | +| `default['firezone']['ssl']['state_name']` | State name for self-signed cert. | `'CA'` | +| `default['firezone']['ssl']['locality_name']` | Locality name for self-signed cert. | `'San Francisco'` | +| `default['firezone']['ssl']['company_name']` | Company name self-signed cert. | `'My Company'` | +| `default['firezone']['ssl']['organizational_unit_name']` | Organizational unit name for self-signed cert. | `'Operations'` | +| `default['firezone']['ssl']['email_address']` | Email address for self-signed cert. | `'you@example.com'` | +| `default['firezone']['ssl']['ciphers']` | SSL ciphers for nginx to use. | `'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'` | +| `default['firezone']['ssl']['fips_ciphers']` | SSL ciphers for FIPs mode. | `'FIPS@STRENGTH:!aNULL:!eNULL'` | +| `default['firezone']['ssl']['protocols']` | TLS protocols to use. | `'TLSv1 TLSv1.1 TLSv1.2'` | +| `default['firezone']['ssl']['session_cache']` | SSL session cache. 
| `'shared:SSL:4m'` | +| `default['firezone']['ssl']['session_timeout']` | SSL session timeout. | `'5m'` | +| `default['firezone']['robots_allow']` | nginx robots allow. | `'/'` | +| `default['firezone']['robots_disallow']` | nginx robots disallow. | `nil` | +| `default['firezone']['from_email']` | Outbound email from address. | `nil` | +| `default['firezone']['smtp_address']` | Outbound email SMTP server address. | `nil` | +| `default['firezone']['smtp_password']` | Outbound email SMTP password. | `nil` | +| `default['firezone']['smtp_port']` | Outbound email SMTP port. | `nil` | +| `default['firezone']['smtp_user_name']` | Outbound email SMTP username. | `nil` | +| `default['firezone']['connectivity_checks']['enabled']` | Enable or disable the Firezone connectivity checks service. | `true` | +| `default['firezone']['connectivity_checks']['interval']` | Interval between connectivity checks in seconds. | `3_600` | + +