This example will work once our latest gateway is pushed to GitHub
Container Registry, but to test it for now a few overrides can be added
to the `main.tf` to use our Google Artifact Registry and local module
instead:
```diff
module "gateways" {
-- source = "github.com/firezone/firezone/terraform/modules/google-cloud/apps/gateway-region-instance-group"
++ source = "../../../modules/google-cloud/apps/gateway-region-instance-group"
...
++ container_registry = "us-east1-docker.pkg.dev"
++ image_repo = "firezone-prod/firezone"
++ image = "gateway"
}
```
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Andrew Dryga <andrew@dryga.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Adds a working example of the simplest way to deploy Gateways to GCP
that is also mostly cloud platform agnostic.
I avoided using COS and Docker for this because:
- Systemd is already installed and supports IPv6 already
- Can be more easily adapted to other platforms where Docker may not be
available or trickier to setup (E.g. CentOS 7)
- COS is Google-specific
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Andrew Dryga <andrew@dryga.com>
Some recent changes to the Rust part of the codebase made it quite
difficult to locally build the project due to tauri's heavy dependencies
on WebKitGTK and other native libraries.
I tried working around this on my local (nix) machine and found it quite
difficult. The cleanest way here is to make use of what Nix calls
"devshells" which give you an environment specifically for hacking on
your project.
Unfortunately, these files need to be tracked in version control and
cannot be ignored (at least I've not found a way to do that). Given that
we already have a lot of clutter in our repository, I put them under
`scripts/nix`.
They are generally useful. I also added a `.envrc` file which
automatically launches the dev-shell. As a result, you have a shell
ready to go with all your dependencies as soon as you `cd` into our
repository (assuming you use `direnv` and it is hooked up with your
shell).
I didn't really want to have any of my local setup leak into the repo
because I think apart from me and @conectado, nobody is using nix, thus
I hope this minimal footprint is an okay compromise.
* Add new `VERSION` to `docker_migrate.sh` script
* Add missing `SAML_KEYFILE_PATH` and `SAML_CERTFILE_PATH` env vars to
migrate script
* Add missing `PHOENIX_PORT` var
* Bump Elixir to 1.14.3
* Bump Erlang to 25.2.1
* Update docs to document new VERSION var in docker-compose.yml upgrade
mechanism
Fixes#1395
There's been some confusion lately over the change to disable
auto-create users by default, so this PR aims to document the choice a
little more clearly.
Refs #1362#1117
Co-authored-by: Andrew Dryga <andrew@dryga.com>
Adds a minimal supervision tree for making DB changes from the
`FzHttp.Release` module. This allows the `bin/create-or-reset-admin` and
`bin/create-api-token` commands to be with `docker compose exec` or
`docker compose run --rm` indiscriminately.
Starting the FzHttp.Repo directly is more involved it's not compiled
into the release as an OTP app.
1. The test data is taken from tests, you can override attributes by
adding keyword params to `doc` macro;
2. Additionally, you can add a section title using a `@moduledoc` in a
controller and a controller action title using `@doc` on a controller
function. (It will be added to all instances of its usage).
3. To make parameters nice a helper was added to build it using
`DocHelper`, you can find an example in UserController.
Overall, the code is messy, I'll need to revisit it, but was doing it in
a rush so hope it's good enough for v0.
Results you can see at https://firezone.docs.apiary.io/.
To generate it locally run `DOC=1 mix test
test/fz_http_web/controllers/json`.
Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com>
Expose the most commonly-used SSL client options to our OIDC and
ConnectivityChecks HTTP clients. Resolves some lingering issues some
users were facing with OIDC where they needed a custom TLS version
enforced or cacert file used to fetch the `discovery_document` and
resulting keys.
SSL misconfiguration can be a security concern, so we intentionally puke
when an unexpected key is passed. This should result in a new GitHub
issue being opened and dialog created to learn more about the use-case.
Fixes#996
### TODO
- [x] "/v0"
- [x] Double-check migration order; re-timestamp if necessary
- [x] Move `sites` fields to `configurations` so they can be updated
from API
- [x] #1240 -- it introduces possible race conditions for API requests
- [x] #1249
- [ ] #1008
- [ ] Final review
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Andrew Dryga <andrew@dryga.com>
This PR also moves to `yarn` for docs package management for improved
speed, security, and developer experience. Docusaurus prefers yarn.
Refs firezone/marketing#126
Client configs will be generated based on runtime configuration
stored in the `sites` table, while server configuration (which
requires a restart of the server) will be configurable via ENV vars.
Refs #1270
* docs: add logs and update troubleshooting
Updates the troubleshooting doc for Docker based deployments and adds a general logs doc with more info on what Firezone logs.
Also added a mention of Audit logs in beta to source more convos.
* docs: further Docker clarifications
Clarifying some troubleshooting guides that refer to firezone-ctl.
Not everyone arrives at the env-vars or config file through the deploy/configure guide. Some load these pages directly via search. Adding a more prominent note that it's for Omnibus based deploy.
* docs: add troubleshooting docs on locked out state
Adding a section on reseting admin passwords for both docker and omnibus deployments. I realize we removed the omnibus firezone-ctl reference. I won't add it back since I have no idea where to put it.
* docs: update split tunnel doc
Was originally going to write more about other ways you can achieve split tunneling with wireguard, but will leave that for now
* fix whitespace
* update split tunnel doc
* docs: add DNS considerations to split tunnel doc
https://github.com/firezone/product/issues/527
* update split tunnel doc
* further clarify split tunnel doc
* add note about on-demand feature
* Docs - Improve titles and descriptions (#1187)
* docs: update titles, descriptions
Changes:
- set more descriptive titles (better for readers and SEO)
- add meta descriptions
- convert titles to sentence case for consistency
* docs: small fixes
* fix trailing whitespaces
* fix spelling
* Apply suggestions from code review
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Jason G <jason@firez.one>
* add descriptions to client instructions
Signed-off-by: Jason G <jason@firez.one>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
* chore: update logs doc
* chore: apply suggestions from code review
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Jason G <jason@firez.one>
* chore: line length and log description
* chore: rename debug logs
* chore: apply suggestions from code review
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Jason G <jason@firez.one>
* Docs - Add draft whitelist sso doc (#1185)
* doc: adding whitelist sso doc
redo of https://github.com/firezone/firezone/pull/995
* docs: add seo titles
* docs: improve titles
* grammar fixes
* fix trailing whitespace
apparently my vscode plugin does not find trailing whitespace in front matter
* put doc in draftmode
* add note on wireguard client apps
* Revert "add note on wireguard client apps"
This reverts commit 9013ce1c3b1bcb8b825f0fcbb1c5fe7e050cae82.
* Apply suggestions from code review
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Jason G <jason@firez.one>
Signed-off-by: Jason G <jason@firez.one>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
* chore: apply suggestions from code review
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Jason G <jason@firez.one>
* chore: Update docs/docs/user-guides/client-instructions.mdx
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Jason G <jason@firez.one>
* chore: update title capitalization and other small fixes
* Apply suggestions from code review
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Jason G <jason@firez.one>
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
* Add instructions for enabling IPv6 within Docker
IPv6 routing is disabled by default on Docker. To have IPv6 work in Firezone
the same way IPv4 currently does (and IPv6 on Omnibus), four things are
generally required:
1. First, ensure your Docker host has IPv6 correctly set up with a quick
ping test:
```
> ping6 -c 4 google.com
PING google.com(sfo03s32-in-x0e.1e100.net (2607:f8b0:4005:814::200e)) 56 data bytes
64 bytes from sfo03s32-in-x0e.1e100.net (2607:f8b0:4005:814::200e): icmp_seq=1 ttl=51 time=1.96 ms
64 bytes from sfo03s32-in-x0e.1e100.net (2607:f8b0:4005:814::200e): icmp_seq=2 ttl=51 time=1.94 ms
64 bytes from sfo03s32-in-x0e.1e100.net (2607:f8b0:4005:814::200e): icmp_seq=3 ttl=51 time=1.92 ms
64 bytes from sfo03s32-in-x0e.1e100.net (2607:f8b0:4005:814::200e): icmp_seq=4 ttl=51 time=1.90 ms
```
2. Add an IPv6 address, subnet, and `enable_ipv6: true` to the Docker
compose. **Note**: Various Googling around the interwebs will uncover
the myth that `enable_ipv6` is not supported on Docker Compose file
versions 3+ -- this seems to be incorrect. Leaving out `enable_ipv6: true`
prevented Docker from automatically assigning IPv6 addresses for
containers attaching to that network.
3. Add the following to `/etc/docker/daemon.json`:
```json
{
"ipv6": true,
"ip6tables": true,
"experimental": true,
"fixed-cidr-v6": "fd00:dead:beef::/80"
}
```
4. The above causes Docker to automatically add `ip6tables` rules to
set up IPv6 NAT/Masquerade for containers. However, this breaks DHCPv6
Router Advertisements, so you'll need to re-enable them for your
default interface with:
```
egress=`ip route show default 0.0.0.0/0 | grep -oP '(?<=dev ).*' | cut -f1 -d' ' | tr -d '\n'`
sudo echo "net.ipv6.conf.${egress}.accept_ra=2" >> /etc/sysctl.conf
```
* Fix bash cmd
* Apply suggestions from code review
Self-review
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
* Apply suggestions from code review
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
* Remove _build folders for umbrella apps
For umbrella apps everything goes into /_build directory so there no need to ignore directories that should never be created
* Change mix aliases to be more aligned with what OS community would expect
1. We want ecto.create and ecto.migrate to be run on each tests, this will simplify setup steps (no need to run migrations manually)
2. ecto.remigrate is not needed because now you can just run ecto.drop and on tests migrations would be executed anyways.
* Rename docker-compose step name in CONTRIBUTING.md
The step was renamed here: dd67baf629 (diff-67a4805fdcc6145d7b3ada2a6099a9b2e91c9d0fd108c22f95d2f01d219793d1R10)
* Remove .devcontainer
This an is opinionated change. Right now devcontainer doesn't work but should be easy to fix (with renaming step name), but at the same time it forces developers that use VS code to have unified development environment (including plugins for the editor itself).
I feel like it's not a good path to go for OS and for small team - everyone should be allowed to use setup they like. Especially for people like me that tend to recompile ls-elixir for Elixir plugin from master branch.
Plus it's yet another thing to maintain while nobody on the team is using it, which means it will be always causing issues.
* Make fz_http mix.exs aliases aligned with umbrella app ones
* Redirect stderr to stdout in a command called from dev.exs
Otherwise I'm getting this on my MacOS (that has a `route` implementation that doesn't show interfaces) when `mix phx.server` is executed:
```
usage: route [-dnqtv] command [[modifiers] args]
```
* Fix race condition due to static device field values
Both public_key and name are unique and we should not use static values for field covered by unique index, otherwise deadlocks and slow tests are expected.
* Remove unwanted transaction block
The changeset code doesn't have any code that accesses the database and individual Ecto.SQL commands are already wrapped in transactions by default, so there is no need to start it manually and hold for longer than expected (while irrelevant Elixir code is running).
* Use netstat to identify egress interface on MacOS
* Rename uninstall.sh to omnibus-uninstall.sh
* Fix uninstall path in omnibus_build.yml
