More minor fixes

2026-04-05 07:06:08 +00:00 · 2021-07-26 17:55:57 -07:00
parent 4864c7873b
commit af5cf226aa
7 changed files with 338 additions and 1 deletions
--- a/pkg/Dockerfile.rpm
+++ b/pkg/Dockerfile.rpm
@@ -6,7 +6,8 @@ ARG OS_DIR

 COPY pkg/$OS_DIR/rpmbuild rpmbuild
 COPY pkg/$OS_DIR/skel/* rpmbuild/BUILDROOT/$PKG_DIR/
-RUN rsync -az _build/prod/rel/firezone/* rpmbuild/BUILDROOT/$PKG_DIR/usr/lib/firezone/
+RUN mkdir -p rpmbuild/BUILDROOT/$PKG_DIR/usr/lib/firezone
 RUN mkdir -p rpmbuild/BUILDROOT/$PKG_DIR/usr/bin
+RUN rsync -az _build/prod/rel/firezone/* rpmbuild/BUILDROOT/$PKG_DIR/usr/lib/firezone/
 RUN cd rpmbuild/BUILDROOT/$PKG_DIR/usr/bin && ln -s ../lib/firezone/bin/firezone
 RUN rpmbuild -bb rpmbuild/SPECS/firezone.spec
--- a/pkg/debian_10.amd64/usr/lib/firezone/bin/postinst.sh
+++ b/pkg/debian_10.amd64/usr/lib/firezone/bin/postinst.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+  echo "firezone user exists... not creating."
+else
+  echo "creating system user firezone"
+  useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+  echo "config file exists; not creating"
+else
+
+umask 037
+cat <<EOT >> /etc/firezone/secret/secrets.env
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
--- a/pkg/debian_10.amd64/usr/lib/firezone/bin/postrm.sh
+++ b/pkg/debian_10.amd64/usr/lib/firezone/bin/postrm.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+  echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+  echo "If you really want to do this, run the following as root:"
+  echo "  su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+  echo "  rm -rf /etc/firezone/secret"
+fi
--- a/pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postinst.sh
+++ b/pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postinst.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+  echo "firezone user exists... not creating."
+else
+  echo "creating system user firezone"
+  useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+  echo "config file exists; not creating"
+else
+
+umask 037
+cat <<EOT >> /etc/firezone/secret/secrets.env
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
--- a/pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postrm.sh
+++ b/pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postrm.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+  echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+  echo "If you really want to do this, run the following as root:"
+  echo "  su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+  echo "  rm -rf /etc/firezone/secret"
+fi
--- a/pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postinst.sh
+++ b/pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postinst.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+  echo "firezone user exists... not creating."
+else
+  echo "creating system user firezone"
+  useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+  echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+  su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+  echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+  echo "ssl files exist; not creating"
+else
+  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+      -keyout $ssl_key_file \
+      -out $ssl_cert_file \
+      -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+  echo "config file exists; not creating"
+else
+
+umask 037
+cat <<EOT >> /etc/firezone/secret/secrets.env
+# This file is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
--- a/pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postrm.sh
+++ b/pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postrm.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+  echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+  echo "If you really want to do this, run the following as root:"
+  echo "  su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+  echo "  rm -rf /etc/firezone/secret"
+fi