* Add instructions for enabling IPv6 within Docker
IPv6 routing is disabled by default on Docker. To have IPv6 work in Firezone
the same way IPv4 currently does (and IPv6 on Omnibus), four things are
generally required:
1. First, ensure your Docker host has IPv6 correctly set up with a quick
ping test:
```
> ping6 -c 4 google.com
PING google.com(sfo03s32-in-x0e.1e100.net (2607:f8b0:4005:814::200e)) 56 data bytes
64 bytes from sfo03s32-in-x0e.1e100.net (2607:f8b0:4005:814::200e): icmp_seq=1 ttl=51 time=1.96 ms
64 bytes from sfo03s32-in-x0e.1e100.net (2607:f8b0:4005:814::200e): icmp_seq=2 ttl=51 time=1.94 ms
64 bytes from sfo03s32-in-x0e.1e100.net (2607:f8b0:4005:814::200e): icmp_seq=3 ttl=51 time=1.92 ms
64 bytes from sfo03s32-in-x0e.1e100.net (2607:f8b0:4005:814::200e): icmp_seq=4 ttl=51 time=1.90 ms
```
2. Add an IPv6 address, subnet, and `enable_ipv6: true` to the Docker
compose. **Note**: Various Googling around the interwebs will uncover
the myth that `enable_ipv6` is not supported on Docker Compose file
versions 3+ -- this seems to be incorrect. Leaving out `enable_ipv6: true`
prevented Docker from automatically assigning IPv6 addresses for
containers attaching to that network.
3. Add the following to `/etc/docker/daemon.json`:
```json
{
"ipv6": true,
"ip6tables": true,
"experimental": true,
"fixed-cidr-v6": "fd00:dead:beef::/80"
}
```
4. The above causes Docker to automatically add `ip6tables` rules to
set up IPv6 NAT/Masquerade for containers. However, this breaks DHCPv6
Router Advertisements, so you'll need to re-enable them for your
default interface with:
```
egress=`ip route show default 0.0.0.0/0 | grep -oP '(?<=dev ).*' | cut -f1 -d' ' | tr -d '\n'`
sudo echo "net.ipv6.conf.${egress}.accept_ra=2" >> /etc/sysctl.conf
```
* Fix bash cmd
* Apply suggestions from code review
Self-review
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
* Apply suggestions from code review
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
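# Example compose file for production deployment on Linux.
#
# Note: This file is meant to serve as a template. Please modify it
# according to your needs. Read more about Docker Compose:
#
# https://docs.docker.com/compose/compose-file/
#
# Shared deploy settings, merged into every service via `<<: *default-deploy`.
# The merge is shallow: a service that re-declares `update_config` (see
# postgres) replaces the whole mapping, not just the changed key.
x-deploy: &default-deploy
  restart_policy:
    condition: unless-stopped
    delay: 5s
    window: 120s
  update_config:
    order: start-first

version: '3.7'

services:
  caddy:
    image: caddy:2
    volumes:
      - ${FZ_INSTALL_DIR:-.}/caddy:/data/caddy
    # See Caddy's documentation for customizing this line
    # https://caddyserver.com/docs/quick-starts/reverse-proxy
    # The Caddyfile is written at container start; `${TLS_OPTS:-}` is
    # substituted by Compose (empty by default) and the upstream address
    # is the static ipv4_address given to the firezone service below.
    command:
      - /bin/sh
      - -c
      - |
        cat <<EOF > /etc/caddy/Caddyfile && caddy run --config /etc/caddy/Caddyfile

        https:// {
          log
          reverse_proxy * 172.25.0.100:13000
          ${TLS_OPTS:-}
        }
        EOF
    # Host networking: Caddy binds 80/443 directly on the host and reaches
    # the firezone container through the host's route to the bridge subnet.
    network_mode: "host"
    deploy:
      <<: *default-deploy

  firezone:
    image: firezone/firezone
    ports:
      # Quoted so YAML can never read a host:container pair as a number.
      - "51820:51820/udp"
    env_file:
      # This should contain a list of env vars for configuring Firezone.
      # See https://docs.firezone.dev/reference/env-vars for more info.
      - ${FZ_INSTALL_DIR:-.}/.env
    volumes:
      # IMPORTANT: Persists WireGuard private key and other data. If
      # /var/firezone/private_key exists when Firezone starts, it is
      # used as the WireGuard private key. Otherwise, one is generated.
      - ${FZ_INSTALL_DIR:-.}/firezone:/var/firezone
    cap_add:
      # NET_ADMIN is needed for the WireGuard interface and firewall rules.
      # SYS_MODULE lets the container load kernel modules (effectively
      # host-root); it only helps when the `wireguard` module has to be
      # loaded from inside the container. Consider dropping it on hosts
      # whose kernel already provides WireGuard.
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      # disable_ipv6=0 turns IPv6 on inside the container; the two
      # forwarding sysctls let it route (and masquerade) traffic.
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    depends_on:
      - postgres
    networks:
      firezone-network:
        # Caddy's reverse_proxy target above must match this address.
        ipv4_address: 172.25.0.100
        # Must lie inside the firezone-network IPv6 subnet declared below.
        ipv6_address: 2001:3990:3990::99

    deploy:
      <<: *default-deploy

  postgres:
    image: postgres:15
    volumes:
      - postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: ${DATABASE_NAME:-firezone}
      POSTGRES_USER: ${DATABASE_USER:-postgres}
      # `:?err` makes Compose abort when DATABASE_PASSWORD is unset or
      # empty instead of starting Postgres without a password.
      POSTGRES_PASSWORD: ${DATABASE_PASSWORD:?err}
    networks:
      - firezone-network
    deploy:
      <<: *default-deploy
      # Database cannot run two instances on one data dir: stop before start.
      update_config:
        order: stop-first

# Postgres needs a named volume to prevent perms issues on non-linux platforms
volumes:
  postgres-data:

networks:
  firezone-network:
    enable_ipv6: true
    driver: bridge
    ipam:
      config:
        - subnet: 172.25.0.0/16
        # NOTE(review): 2001::/16 is global unicast space. Unless this
        # prefix is actually delegated to you, a ULA prefix (fd00::/8)
        # avoids clashing with routes to the real holder of the space.
        - subnet: 2001:3990:3990::/64
          gateway: 2001:3990:3990::1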