firezone/rust/gateway/debian/firezone-gateway.service
Thomas Eizinger 0d2ddd8497 feat(gateway): create debian package (#10537)
With this PR we add `cargo-deb` to our CI pipeline and build a debian
package for the Gateway. The debian package comes with several
configuration files that make it easy for admins to start and maintain a
Gateway installation:

- The embedded systemd unit file is essentially the same one as what we
currently install with the install script with some minor modifications.
- The token is read from `/etc/firezone/gateway-token` and passed as a
systemd credential. This allows us to set the permissions for this file
to `0400` and have it owned by `root:root`.
- The configuration is read from `/etc/firezone/gateway-env`.
- Both of these changes basically mean the user should never need to
touch the unit file itself.
- The `sysusers` configuration file ensures the `firezone` user and
group are present on the system.
- The `tmpfiles` configuration file ensures the necessary directories
are present.

All of the above is automatically installed and configured using the
post-installation script which is called by `apt` once the package is
installed.

In addition to the Gateway, we also package a first version of the
`firezone-cli`. Right now, `firezone-cli` (installed as `firezone`) has
three subcommands:

- `gateway authenticate`: Asks for the Gateway's token and installs it
at `/etc/firezone/gateway-token`. The user doesn't have to know how we
manage this token and can trust that we are using safe defaults.
- `gateway enable`: Enables and starts the systemd service.
- `gateway disable`: Disables the systemd service.

Right now, the `.deb` file is only uploaded to the preview APT
repository and not attached to the release. It should therefore not yet
be user-visible unless somebody pokes around a lot, meaning we can defer
documentation to a later PR and start testing it from the preview
repository for our own purposes.

Related: #10598
Resolves: #8484 
Resolves: #10681
2025-10-24 05:14:58 +00:00


[Unit]
Description=Firezone Gateway
After=network.target
Documentation=https://www.firezone.dev/kb

[Service]
# DO NOT EDIT ANY OF THE BELOW BY HAND. USE "systemctl edit firezone-gateway" INSTEAD TO CUSTOMIZE.
# Most configuration should go as environment variables into `/etc/firezone/gateway-env`.
# The access token should be in `/etc/firezone/gateway-token`.
Type=simple
User=firezone
Group=firezone
PermissionsStartOnly=true
SyslogIdentifier=firezone-gateway
LoadCredential=FIREZONE_TOKEN:/etc/firezone/gateway-token
EnvironmentFile=/etc/firezone/gateway-preset-env
EnvironmentFile=/etc/firezone/gateway-env
ExecStartPre=/usr/bin/firezone-gateway-init
ExecStart=/usr/bin/firezone-gateway
# Restart on failure
TimeoutStartSec=15s
TimeoutStopSec=15s
Restart=always
RestartSec=7
#####################
# HARDENING OPTIONS #
#####################
# Give the service its own private /tmp directory.
PrivateTmp=true
# Mount the system directories read-only (except those explicitly allowed).
ProtectSystem=full
# Make users' home directories read-only.
ProtectHome=read-only
# Disallow gaining new privileges (e.g. via execve() of setuid binaries).
NoNewPrivileges=true
# Disallow the creation of new namespaces.
RestrictNamespaces=yes
# Prevent memory from being both writable and executable.
MemoryDenyWriteExecute=true
# Prevent the service from calling personality(2) to change process execution domain.
LockPersonality=true
# Restrict the set of allowed address families.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
# Allow the process to have CAP_NET_ADMIN (needed for network administration)
# while restricting it to only that capability.
AmbientCapabilities=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_ADMIN
# Make some sensitive paths inaccessible.
InaccessiblePaths=/root /home
# Set resource limits
LimitNOFILE=4096
LimitNPROC=512
LimitCORE=0
# Set a sane system call filter
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
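The unit above hands the token to the process through `LoadCredential=FIREZONE_TOKEN:/etc/firezone/gateway-token` rather than through an environment variable or a world-readable file. systemd copies the file into a private, per-service directory and exports only that directory's path in `CREDENTIALS_DIRECTORY`; the secret itself never appears in the environment block or on the command line. The following is an added illustration of how a service consumes such a credential. It is not Firezone's gateway code; the credential name `FIREZONE_TOKEN` and the path come from the unit file, everything else (function names, error handling) is this example's own choice, relying only on the standard library and on systemd's documented `CREDENTIALS_DIRECTORY` behaviour.

```rust
// Added example (not Firezone's code): reading a systemd credential that a
// unit file declares with `LoadCredential=FIREZONE_TOKEN:/etc/firezone/gateway-token`.
// systemd places the credential at $CREDENTIALS_DIRECTORY/FIREZONE_TOKEN, readable
// only by the service's user; the token does not live in the environment.
use std::env;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Credential name, i.e. the left-hand side of `LoadCredential=` in the unit file.
pub const TOKEN_CREDENTIAL: &str = "FIREZONE_TOKEN";

/// Read one credential from the directory systemd populated for this unit.
/// Surrounding whitespace (the trailing newline most editors add) is stripped;
/// a missing or empty credential is reported as an error, never as an empty token.
pub fn read_credential(credentials_dir: &Path, name: &str) -> io::Result<String> {
    let path = credentials_dir.join(name);
    let raw = fs::read_to_string(&path).map_err(|e| {
        io::Error::new(
            e.kind(),
            format!("cannot read credential {}: {e}", path.display()),
        )
    })?;
    let token = raw.trim();
    if token.is_empty() {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("credential {} is empty", path.display()),
        ));
    }
    Ok(token.to_owned())
}

/// Locate the credentials directory. Under systemd this is `$CREDENTIALS_DIRECTORY`;
/// outside systemd the variable is unset and we refuse to guess a location
/// (falling back to a hard-coded path would silently weaken the permission model).
pub fn credentials_dir_from_env() -> io::Result<PathBuf> {
    env::var_os("CREDENTIALS_DIRECTORY")
        .map(PathBuf::from)
        .ok_or_else(|| {
            io::Error::new(
                io::ErrorKind::NotFound,
                "CREDENTIALS_DIRECTORY is not set; not started by systemd with LoadCredential=",
            )
        })
}

/// Load the Gateway token the way the unit file arranges it.
pub fn load_gateway_token() -> io::Result<String> {
    let dir = credentials_dir_from_env()?;
    read_credential(&dir, TOKEN_CREDENTIAL)
}

fn main() {
    match load_gateway_token() {
        // Log only the length: the token is a secret and must stay out of logs.
        Ok(token) => println!("loaded {} ({} bytes)", TOKEN_CREDENTIAL, token.len()),
        Err(e) => eprintln!("error: {e}"),
    }
}
```

Because the credential directory is private to the service, the on-disk file can stay `0400 root:root` as the commit message describes, while the process runs as the unprivileged `firezone` user. `systemd-analyze security firezone-gateway` is a quick way for an operator to confirm the hardening options in the unit are in effect after installation.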