mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
370 lines
12 KiB
YAML
370 lines
12 KiB
YAML
version: '3.8'
|
|
|
|
services:
|
|
# Dependencies
|
|
postgres:
|
|
image: postgres:15
|
|
volumes:
|
|
- postgres-data:/var/lib/postgresql/data
|
|
environment:
|
|
POSTGRES_USER: postgres
|
|
POSTGRES_PASSWORD: postgres
|
|
POSTGRES_DB: firezone_dev
|
|
healthcheck:
|
|
test:
|
|
[
|
|
"CMD-SHELL",
|
|
"pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
|
|
]
|
|
start_period: 20s
|
|
interval: 30s
|
|
retries: 5
|
|
timeout: 5s
|
|
ports:
|
|
- 5432:5432/tcp
|
|
networks:
|
|
- app
|
|
|
|
vault:
|
|
image: vault:1.13.3
|
|
environment:
|
|
VAULT_ADDR: 'http://127.0.0.1:8200'
|
|
VAULT_DEV_ROOT_TOKEN_ID: 'firezone'
|
|
VAULT_LOG_LEVEL: 'debug'
|
|
ports:
|
|
- 8200:8200/tcp
|
|
cap_add:
|
|
- IPC_LOCK
|
|
networks:
|
|
- app
|
|
healthcheck:
|
|
test:
|
|
[
|
|
"CMD",
|
|
"wget",
|
|
"--spider",
|
|
"--proxy",
|
|
"off",
|
|
"http://127.0.0.1:8200/v1/sys/health?standbyok=true"
|
|
]
|
|
interval: 10s
|
|
timeout: 3s
|
|
retries: 10
|
|
start_period: 5s
|
|
|
|
# Firezone Components
|
|
web:
|
|
build:
|
|
context: elixir
|
|
args:
|
|
APPLICATION_NAME: web
|
|
image: firezone_web_dev
|
|
hostname: web.cluster.local
|
|
ports:
|
|
- 8080:8080/tcp
|
|
environment:
|
|
# Web Server
|
|
EXTERNAL_URL: http://localhost:8080/
|
|
PHOENIX_HTTP_WEB_PORT: "8080"
|
|
PHOENIX_SECURE_COOKIES: false
|
|
# Erlang
|
|
ERLANG_DISTRIBUTION_PORT: 9000
|
|
ERLANG_CLUSTER_ADAPTER: "Elixir.Cluster.Strategy.Epmd"
|
|
ERLANG_CLUSTER_ADAPTER_CONFIG: '{"hosts":["api@api.cluster.local","web@web.cluster.local"]}'
|
|
RELEASE_COOKIE: "NksuBhJFBhjHD1uUa9mDOHV"
|
|
RELEASE_HOSTNAME: "web.cluster.local"
|
|
RELEASE_NAME: "web"
|
|
# Database
|
|
DATABASE_HOST: postgres
|
|
DATABASE_PORT: 5432
|
|
DATABASE_NAME: firezone_dev
|
|
DATABASE_USER: postgres
|
|
DATABASE_PASSWORD: postgres
|
|
# Auth
|
|
AUTH_PROVIDER_ADAPTERS: "email,openid_connect,userpass,token,google_workspace"
|
|
# Secrets
|
|
AUTH_TOKEN_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
AUTH_TOKEN_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
RELAYS_AUTH_TOKEN_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
RELAYS_AUTH_TOKEN_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
GATEWAYS_AUTH_TOKEN_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
GATEWAYS_AUTH_TOKEN_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
SECRET_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
LIVE_VIEW_SIGNING_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
COOKIE_SIGNING_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
COOKIE_ENCRYPTION_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
# Telemetry
|
|
TELEMETRY_ENABLED: "false"
|
|
# Debugging
|
|
LOG_LEVEL: "debug"
|
|
# Emails
|
|
OUTBOUND_EMAIL_FROM: "public-noreply@firez.one"
|
|
OUTBOUND_EMAIL_ADAPTER: "Elixir.Swoosh.Adapters.Postmark"
|
|
## Warning: The token is for the blackhole Postmark server created in a separate isolated account,
|
|
## that WILL NOT send any actual emails, but you can see and debug them in the Postmark dashboard.
|
|
OUTBOUND_EMAIL_ADAPTER_OPTS: "{\"api_key\":\"7da7d1cd-111c-44a7-b5ac-4027b9d230e5\"}"
|
|
# Seeds
|
|
STATIC_SEEDS: "true"
|
|
depends_on:
|
|
vault:
|
|
condition: 'service_healthy'
|
|
postgres:
|
|
condition: 'service_healthy'
|
|
networks:
|
|
- app
|
|
|
|
client:
|
|
environment:
|
|
FZ_URL: "ws://api:8081/"
|
|
FZ_SECRET: "SFMyNTY.g2gDaAN3CGlkZW50aXR5bQAAACQ3ZGE3ZDFjZC0xMTFjLTQ0YTctYjVhYy00MDI3YjlkMjMwZTVtAAAAIBn8Xu1jtFlxZxp4ZvAz0f0QEN2PZThA-7awHMPxn_tHbgYAbLRvQokBYgHhM38.pM-prhb7uvvCVKf51-tAUMEtMzLPZk1n3nLsY44dGFA"
|
|
RUST_LOG: headless=trace,firezone_client_connlib=trace,firezone_tunnel=trace,libs_common=trace,warn
|
|
build:
|
|
context: rust
|
|
dockerfile: Dockerfile
|
|
args:
|
|
PACKAGE: headless
|
|
image: firezone-headless
|
|
dns:
|
|
- 100.100.111.1
|
|
- 8.8.8.8
|
|
cap_add:
|
|
- NET_ADMIN
|
|
sysctls:
|
|
- net.ipv6.conf.all.disable_ipv6=0
|
|
devices:
|
|
- "/dev/net/tun:/dev/net/tun"
|
|
depends_on:
|
|
api:
|
|
condition: 'service_healthy'
|
|
networks:
|
|
app:
|
|
ipv4_address: 172.28.0.100
|
|
|
|
gateway:
|
|
environment:
|
|
FZ_URL: "ws://api:8081/"
|
|
FZ_SECRET: "SFMyNTY.g2gDaAJtAAAAJDNjZWYwNTY2LWFkZmQtNDhmZS1hMGYxLTU4MDY3OTYwOGY2Zm0AAABAamp0enhSRkpQWkdCYy1vQ1o5RHkyRndqd2FIWE1BVWRwenVScjJzUnJvcHg3NS16bmhfeHBfNWJUNU9uby1yYm4GAEC0b0KJAWIAAVGA.9Oirn9t8rvQpfOhW7hwGBFVzeMm9di0xYGTlwf9cFFk"
|
|
RUST_LOG: gateway=trace,firezone_gateway_connlib=trace,firezone_tunnel=trace,libs_common=trace,warn
|
|
ENABLE_MASQUERADE: 1
|
|
build:
|
|
context: rust
|
|
dockerfile: Dockerfile
|
|
args:
|
|
PACKAGE: gateway
|
|
image: firezone-gateway
|
|
cap_add:
|
|
- NET_ADMIN
|
|
sysctls:
|
|
- net.ipv4.ip_forward=1
|
|
- net.ipv4.conf.all.src_valid_mark=1
|
|
- net.ipv6.conf.all.disable_ipv6=0
|
|
- net.ipv6.conf.all.forwarding=1
|
|
- net.ipv6.conf.default.forwarding=1
|
|
devices:
|
|
- "/dev/net/tun:/dev/net/tun"
|
|
depends_on:
|
|
api:
|
|
condition: 'service_healthy'
|
|
networks:
|
|
app:
|
|
ipv4_address: 172.28.0.105
|
|
resources:
|
|
|
|
httpbin:
|
|
image: kennethreitz/httpbin
|
|
networks:
|
|
resources:
|
|
ipv4_address: 172.20.0.100
|
|
|
|
iperf3:
|
|
image: networkstatic/iperf3
|
|
command: -s
|
|
networks:
|
|
resources:
|
|
ipv4_address: 172.20.0.110
|
|
|
|
relay:
|
|
environment:
|
|
PUBLIC_IP4_ADDR: 172.28.0.101
|
|
PUBLIC_IP6_ADDR: fcff:3990:3990::101
|
|
LOWEST_PORT: 55555
|
|
HIGHEST_PORT: 55666
|
|
PORTAL_WS_URL: "ws://api:8081/"
|
|
PORTAL_TOKEN: "SFMyNTY.g2gDaAJtAAAAJDcyODZiNTNkLTA3M2UtNGM0MS05ZmYxLWNjODQ1MWRhZDI5OW0AAABARVg3N0dhMEhLSlVWTGdjcE1yTjZIYXRkR25mdkFEWVFyUmpVV1d5VHFxdDdCYVVkRVUzbzktRmJCbFJkSU5JS24GAFSzb0KJAWIAAVGA.waeGE26tbgkgIcMrWyck0ysv9SHIoHr0zqoM3wao84M"
|
|
RUST_LOG: "debug"
|
|
RUST_BACKTRACE: 1
|
|
build:
|
|
context: rust
|
|
dockerfile: Dockerfile
|
|
args:
|
|
PACKAGE: relay
|
|
image: firezone-relay
|
|
healthcheck:
|
|
test: [ "CMD-SHELL", "lsof -i UDP | grep relay" ]
|
|
start_period: 20s
|
|
interval: 30s
|
|
retries: 5
|
|
timeout: 5s
|
|
depends_on:
|
|
api:
|
|
condition: 'service_healthy'
|
|
ports:
|
|
# XXX: Only 111 ports are used for local dev / testing because Docker Desktop
|
|
# allocates a userland proxy process for each forwarded port X_X.
|
|
#
|
|
# Large ranges here will bring your machine to its knees.
|
|
- "55555-55666:55555-55666/udp"
|
|
- 3478:3478/udp
|
|
networks:
|
|
app:
|
|
ipv4_address: 172.28.0.101
|
|
|
|
api:
|
|
build:
|
|
context: elixir
|
|
args:
|
|
APPLICATION_NAME: api
|
|
image: firezone_api_dev
|
|
hostname: api.cluster.local
|
|
ports:
|
|
- 8081:8081/tcp
|
|
environment:
|
|
# Web Server
|
|
EXTERNAL_URL: http://localhost:8081/
|
|
PHOENIX_HTTP_API_PORT: "8081"
|
|
PHOENIX_SECURE_COOKIES: false
|
|
# Erlang
|
|
ERLANG_DISTRIBUTION_PORT: 9000
|
|
ERLANG_CLUSTER_ADAPTER: "Elixir.Cluster.Strategy.Epmd"
|
|
ERLANG_CLUSTER_ADAPTER_CONFIG: '{"hosts":["api@api.cluster.local","web@web.cluster.local"]}'
|
|
RELEASE_COOKIE: "NksuBhJFBhjHD1uUa9mDOHV"
|
|
RELEASE_HOSTNAME: "api.cluster.local"
|
|
RELEASE_NAME: "api"
|
|
# Database
|
|
DATABASE_HOST: postgres
|
|
DATABASE_PORT: 5432
|
|
DATABASE_NAME: firezone_dev
|
|
DATABASE_USER: postgres
|
|
DATABASE_PASSWORD: postgres
|
|
# Auth
|
|
AUTH_PROVIDER_ADAPTERS: "email,openid_connect,userpass,token,google_workspace"
|
|
# Secrets
|
|
AUTH_TOKEN_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
AUTH_TOKEN_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
RELAYS_AUTH_TOKEN_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
RELAYS_AUTH_TOKEN_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
GATEWAYS_AUTH_TOKEN_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
GATEWAYS_AUTH_TOKEN_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
SECRET_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
LIVE_VIEW_SIGNING_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
COOKIE_SIGNING_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
COOKIE_ENCRYPTION_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
# Telemetry
|
|
TELEMETRY_ENABLED: "false"
|
|
# Debugging
|
|
LOG_LEVEL: "debug"
|
|
# Emails
|
|
OUTBOUND_EMAIL_FROM: "public-noreply@firez.one"
|
|
OUTBOUND_EMAIL_ADAPTER: "Elixir.Swoosh.Adapters.Postmark"
|
|
## Warning: The token is for the blackhole Postmark server created in a separate isolated account,
|
|
## that WILL NOT send any actual emails, but you can see and debug them in the Postmark dashboard.
|
|
OUTBOUND_EMAIL_ADAPTER_OPTS: "{\"api_key\":\"7da7d1cd-111c-44a7-b5ac-4027b9d230e5\"}"
|
|
# Seeds
|
|
STATIC_SEEDS: "true"
|
|
depends_on:
|
|
vault:
|
|
condition: 'service_healthy'
|
|
postgres:
|
|
condition: 'service_healthy'
|
|
healthcheck:
|
|
test: [ "CMD-SHELL", "curl -f localhost:8081/healthz" ]
|
|
start_period: 20s
|
|
interval: 30s
|
|
retries: 5
|
|
timeout: 5s
|
|
networks:
|
|
- app
|
|
|
|
# This is a service container which allows to run mix tasks for local development
|
|
# without having to install Elixir and Erlang on the host machine.
|
|
elixir:
|
|
build:
|
|
context: elixir
|
|
target: builder
|
|
args:
|
|
APPLICATION_NAME: api
|
|
image: firezone_local_dev
|
|
hostname: elixir
|
|
volumes:
|
|
- elixir-build-cache:/app/_build
|
|
- ./elixir/apps:/app/apps
|
|
- ./elixir/config:/app/config
|
|
- ./elixir/priv:/app/priv
|
|
- ./elixir/rel:/app/rel
|
|
- ./elixir/mix.exs:/app/mix.exs
|
|
- ./elixir/mix.lock:/app/mix.lock
|
|
- assets-build-cache:/app/apps/web/assets/node_modules
|
|
environment:
|
|
# Web Server
|
|
EXTERNAL_URL: http://localhost:8081/
|
|
# Erlang
|
|
ERLANG_DISTRIBUTION_PORT: 9000
|
|
RELEASE_COOKIE: "NksuBhJFBhjHD1uUa9mDOHV"
|
|
RELEASE_HOSTNAME: "mix.cluster.local"
|
|
RELEASE_NAME: "mix"
|
|
# Database
|
|
DATABASE_HOST: postgres
|
|
DATABASE_PORT: 5432
|
|
DATABASE_NAME: firezone_dev
|
|
DATABASE_USER: postgres
|
|
DATABASE_PASSWORD: postgres
|
|
# Auth
|
|
AUTH_PROVIDER_ADAPTERS: "email,openid_connect,userpass,token,google_workspace"
|
|
# Secrets
|
|
AUTH_TOKEN_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
AUTH_TOKEN_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
RELAYS_AUTH_TOKEN_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
RELAYS_AUTH_TOKEN_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
GATEWAYS_AUTH_TOKEN_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
GATEWAYS_AUTH_TOKEN_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
SECRET_KEY_BASE: "5OVYJ83AcoQcPmdKNksuBhJFBhjHD1uUa9mDOHV/6EIdBQ6pXksIhkVeWIzFk5S2"
|
|
LIVE_VIEW_SIGNING_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
COOKIE_SIGNING_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
COOKIE_ENCRYPTION_SALT: "t01wa0K4lUd7mKa0HAtZdE+jFOPDDej2"
|
|
# Telemetry
|
|
TELEMETRY_ENABLED: "false"
|
|
# Higher log level not to make seeds output too verbose
|
|
LOG_LEVEL: "info"
|
|
# Emails
|
|
OUTBOUND_EMAIL_FROM: "public-noreply@firez.one"
|
|
OUTBOUND_EMAIL_ADAPTER: "Elixir.Swoosh.Adapters.Postmark"
|
|
## Warning: The token is for the blackhole Postmark server created in a separate isolated account,
|
|
## that WILL NOT send any actual emails, but you can see and debug them in the Postmark dashboard.
|
|
OUTBOUND_EMAIL_ADAPTER_OPTS: "{\"api_key\":\"7da7d1cd-111c-44a7-b5ac-4027b9d230e5\"}"
|
|
# Mix env should be set to prod to use secrets declared above,
|
|
# otherwise seeds will generate invalid tokens
|
|
MIX_ENV: "prod"
|
|
# Seeds
|
|
STATIC_SEEDS: "true"
|
|
depends_on:
|
|
postgres:
|
|
condition: 'service_healthy'
|
|
networks:
|
|
- app
|
|
|
|
networks:
|
|
resources:
|
|
ipam:
|
|
config:
|
|
- subnet: 172.20.0.0/16
|
|
app:
|
|
enable_ipv6: false
|
|
ipam:
|
|
config:
|
|
- subnet: 172.28.0.0/16
|
|
|
|
volumes:
|
|
postgres-data:
|
|
elixir-build-cache:
|
|
assets-build-cache:
|