mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
With this PR we add `cargo-deb` to our CI pipeline and build a debian package for the Gateway. The debian package comes with several configuration files that make it easy for admins to start and maintain a Gateway installation:

- The embedded systemd unit file is essentially the same one as what we currently install with the install script with some minor modifications.
- The token is read from `/etc/firezone/gateway-token` and passed as a systemd credential. This allows us to set the permissions for this file to `0400` and have it owned by `root:root`.
- The configuration is read from `/etc/firezone/gateway-env`.
- Both of these changes basically mean the user should never need to touch the unit file itself.
- The `sysusers` configuration file ensures the `firezone` user and group are present on the system.
- The `tmpfiles` configuration file ensures the necessary directories are present.

All of the above is automatically installed and configured using the post-installation script which is called by `apt` once the package is installed.

In addition to the Gateway, we also package a first version of the `firezone-cli`. Right now, `firezone-cli` (installed as `firezone`) has three subcommands:

- `gateway authenticate`: Asks for the Gateway's token and installs it at `/etc/firezone/gateway-token`. The user doesn't have to know how we manage this token and can trust that we are using safe defaults.
- `gateway enable`: Enables and starts the systemd service.
- `gateway disable`: Disables the systemd service.

Right now, the `.deb` file is only uploaded to the preview APT repository and not attached to the release. It should therefore not yet be user-visible unless somebody pokes around a lot, meaning we can defer documentation to a later PR and start testing it from the preview repository for our own purposes.

Related: #10598
Resolves: #8484
Resolves: #10681
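The token handling the PR describes (a file at `/etc/firezone/gateway-token`, mode `0400`, owned by `root:root`) in POSIX sh, as an added example that is not Firezone's own CLI code: one function installs a token read from stdin with those properties, the other checks them so an admin can audit an installation. `GATEWAY_TOKEN_FILE` is an assumed override variable, and `stat -c` assumes GNU coreutils as found on Debian.

```shell
#!/bin/sh
# Added example (not Firezone's code): install and audit the Gateway token
# file with the safe defaults the PR describes (0400, root:root).
set -ue

# Assumed variable so the path can be overridden; the PR's default is used otherwise.
GATEWAY_TOKEN_FILE="${GATEWAY_TOKEN_FILE:-/etc/firezone/gateway-token}"

# Read the token from stdin (never from argv, which would expose it in `ps`),
# write it to a private temp file in the target directory, then rename it into
# place so a partially written file is never visible at the final path.
install_gateway_token() {
    IFS= read -r token
    dir=$(dirname "$GATEWAY_TOKEN_FILE")
    mkdir -p "$dir"
    tmp=$(umask 077 && mktemp "$dir/.gateway-token.XXXXXX")
    printf '%s\n' "$token" > "$tmp"
    chmod 0400 "$tmp"
    # chown requires root; the packaged tooling runs as root, tests may not.
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$tmp"; fi
    mv -f "$tmp" "$GATEWAY_TOKEN_FILE"
}

# Return 0 only if the token file is a regular file (not a symlink), mode 0400,
# and, when running as root, owned by root:root. Anything else returns 1.
check_gateway_token() {
    [ -f "$GATEWAY_TOKEN_FILE" ] || return 1
    [ ! -L "$GATEWAY_TOKEN_FILE" ] || return 1
    mode=$(stat -c '%a' "$GATEWAY_TOKEN_FILE")
    owner=$(stat -c '%U:%G' "$GATEWAY_TOKEN_FILE")
    [ "$mode" = "400" ] || return 1
    if [ "$(id -u)" -eq 0 ]; then [ "$owner" = "root:root" ] || return 1; fi
    return 0
}
```

Run `printf '%s\n' "$TOKEN" | install_gateway_token` as root to install, and `check_gateway_token` (exit status 0 or 1) to verify an existing file before the unit loads it as a credential.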
21 lines
1.4 KiB
Bash
#!/bin/sh

set -ue

# Enable masquerading for Firezone tunnel traffic.
# Each rule is first checked with -C and only added if missing, so the script
# is idempotent and can be re-run on every service start.
iptables -C FORWARD -i tun-firezone -j ACCEPT >/dev/null 2>&1 || iptables -I FORWARD 1 -i tun-firezone -j ACCEPT
iptables -C FORWARD -o tun-firezone -j ACCEPT >/dev/null 2>&1 || iptables -I FORWARD 1 -o tun-firezone -j ACCEPT
# Masquerade client traffic leaving via wired (e+) or wireless (w+) interfaces.
iptables -t nat -C POSTROUTING -s 100.64.0.0/11 -o e+ -j MASQUERADE >/dev/null 2>&1 || iptables -t nat -A POSTROUTING -s 100.64.0.0/11 -o e+ -j MASQUERADE
iptables -t nat -C POSTROUTING -s 100.64.0.0/11 -o w+ -j MASQUERADE >/dev/null 2>&1 || iptables -t nat -A POSTROUTING -s 100.64.0.0/11 -o w+ -j MASQUERADE
# Same rules for IPv6.
ip6tables -C FORWARD -i tun-firezone -j ACCEPT >/dev/null 2>&1 || ip6tables -I FORWARD 1 -i tun-firezone -j ACCEPT
ip6tables -C FORWARD -o tun-firezone -j ACCEPT >/dev/null 2>&1 || ip6tables -I FORWARD 1 -o tun-firezone -j ACCEPT
ip6tables -t nat -C POSTROUTING -s fd00:2021:1111::/107 -o e+ -j MASQUERADE >/dev/null 2>&1 || ip6tables -t nat -A POSTROUTING -s fd00:2021:1111::/107 -o e+ -j MASQUERADE
ip6tables -t nat -C POSTROUTING -s fd00:2021:1111::/107 -o w+ -j MASQUERADE >/dev/null 2>&1 || ip6tables -t nat -A POSTROUTING -s fd00:2021:1111::/107 -o w+ -j MASQUERADE

# Enable packet forwarding for IPv4 and IPv6
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.src_valid_mark=1
sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.default.forwarding=1