From af5cf226aaf2091cef5da136d4c1ac305fe7fd3c Mon Sep 17 00:00:00 2001
From: Jamil Bou Kheir
Date: Mon, 26 Jul 2021 17:55:57 -0700
Subject: [PATCH] More minor fixes

---
 pkg/Dockerfile.rpm | 3 +-
 .../usr/lib/firezone/bin/postinst.sh | 103 ++++++++++++++++++
 .../usr/lib/firezone/bin/postrm.sh | 9 ++
 .../usr/lib/firezone/bin/postinst.sh | 103 ++++++++++++++++++
 .../usr/lib/firezone/bin/postrm.sh | 9 ++
 .../usr/lib/firezone/bin/postinst.sh | 103 ++++++++++++++++++
 .../usr/lib/firezone/bin/postrm.sh | 9 ++
 7 files changed, 338 insertions(+), 1 deletion(-)
 create mode 100755 pkg/debian_10.amd64/usr/lib/firezone/bin/postinst.sh
 create mode 100755 pkg/debian_10.amd64/usr/lib/firezone/bin/postrm.sh
 create mode 100755 pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postinst.sh
 create mode 100755 pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postrm.sh
 create mode 100755 pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postinst.sh
 create mode 100755 pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postrm.sh

diff --git a/pkg/Dockerfile.rpm b/pkg/Dockerfile.rpm
index 1332d8153..1d4935e3b 100644
--- a/pkg/Dockerfile.rpm
+++ b/pkg/Dockerfile.rpm
@@ -6,7 +6,8 @@ ARG OS_DIR
 COPY pkg/$OS_DIR/rpmbuild rpmbuild
 COPY pkg/$OS_DIR/skel/* rpmbuild/BUILDROOT/$PKG_DIR/
-RUN rsync -az _build/prod/rel/firezone/* rpmbuild/BUILDROOT/$PKG_DIR/usr/lib/firezone/
+RUN mkdir -p rpmbuild/BUILDROOT/$PKG_DIR/usr/lib/firezone
 RUN mkdir -p rpmbuild/BUILDROOT/$PKG_DIR/usr/bin
+RUN rsync -az _build/prod/rel/firezone/* rpmbuild/BUILDROOT/$PKG_DIR/usr/lib/firezone/
 RUN cd rpmbuild/BUILDROOT/$PKG_DIR/usr/bin && ln -s ../lib/firezone/bin/firezone
 RUN rpmbuild -bb rpmbuild/SPECS/firezone.spec
diff --git a/pkg/debian_10.amd64/usr/lib/firezone/bin/postinst.sh b/pkg/debian_10.amd64/usr/lib/firezone/bin/postinst.sh
new file mode 100755
index 000000000..361fefa7a
--- /dev/null
+++ b/pkg/debian_10.amd64/usr/lib/firezone/bin/postinst.sh
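Review bot: The re-added `RUN rsync -az _build/prod/rel/firezone/* rpmbuild/BUILDROOT/$PKG_DIR/usr/lib/firezone/` line compresses a local-to-local copy for no benefit, and the unquoted `*` glob skips any dotfiles in the release directory. A trailing-slash source with no glob copies the whole tree as-is: `RUN rsync -a _build/prod/rel/firezone/ rpmbuild/BUILDROOT/$PKG_DIR/usr/lib/firezone/`.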
@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+ echo "firezone user exists... not creating."
+else
+ echo "creating system user firezone"
+ useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+ echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+ echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+ echo "ssl files exist; not creating"
+else
+ openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+ -keyout $ssl_key_file \
+ -out $ssl_cert_file \
+ -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+ echo "config file exists; not creating"
+else
+
+umask 037
+cat <> /etc/firezone/secret/secrets.env
+# This file 
is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
diff --git a/pkg/debian_10.amd64/usr/lib/firezone/bin/postrm.sh b/pkg/debian_10.amd64/usr/lib/firezone/bin/postrm.sh
new file mode 100755
index 000000000..bbf1f0efc
--- /dev/null
+++ b/pkg/debian_10.amd64/usr/lib/firezone/bin/postrm.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+ echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+ echo "If you really want to do this, run the following as root:"
+ echo " su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+ echo " rm -rf /etc/firezone/secret"
+fi
diff --git a/pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postinst.sh b/pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postinst.sh
new file mode 100755
index 000000000..361fefa7a
--- /dev/null
+++ b/pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postinst.sh
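Review bot: The guard `if [ -f /etc/firezone/secret.env ]; then` tests a path the script never writes; the here-document below it (its redirect reads `cat <>` on this page, presumably garbled in rendering) writes `/etc/firezone/secret/secrets.env`, so every re-run of postinst regenerates the secrets and writes the file again. That exposes a second problem: `db_password` is freshly generated on each run but only applied by the `CREATE ROLE` branch, so a rewritten config carries a password the pre-existing role does not have, and passing the password on the `su postgres -c "psql -c ..."` command line makes it readable by any local user through the process list. Test the file actually written, and when the config is (re)written set the role password in the same step, feeding the SQL to psql on stdin rather than argv, as below. The same blob (index 361fefa7a) is added again for pkg/ubuntu_18.04.amd64 and pkg/ubuntu_20.04.amd64, so the fix applies to all three copies.
```shell
# Write FireZone config file
secrets_file=/etc/firezone/secret/secrets.env
if [ -f "$secrets_file" ]; then
  echo "config file exists; not creating"
else
  # The role may already exist with an older password; set it here so the
  # password written below is the one the role actually has. Sending the SQL
  # on stdin keeps the password out of the process list.
  su postgres -c "psql -v ON_ERROR_STOP=1" <<SQL
ALTER ROLE ${db_user} WITH PASSWORD '${db_password}';
SQL
  umask 037
  cat <<EOT > "$secrets_file"
# … unchanged: secrets.env contents …
EOT
fi
```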
@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+ echo "firezone user exists... not creating."
+else
+ echo "creating system user firezone"
+ useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+ echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+ echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+ echo "ssl files exist; not creating"
+else
+ openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+ -keyout $ssl_key_file \
+ -out $ssl_cert_file \
+ -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+ echo "config file exists; not creating"
+else
+
+umask 037
+cat <> /etc/firezone/secret/secrets.env
+# This file 
is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
diff --git a/pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postrm.sh b/pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postrm.sh
new file mode 100755
index 000000000..bbf1f0efc
--- /dev/null
+++ b/pkg/ubuntu_18.04.amd64/usr/lib/firezone/bin/postrm.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+ echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+ echo "If you really want to do this, run the following as root:"
+ echo " su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+ echo " rm -rf /etc/firezone/secret"
+fi
diff --git a/pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postinst.sh b/pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postinst.sh
new file mode 100755
index 000000000..361fefa7a
--- /dev/null
+++ b/pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postinst.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# FireZone package post-install script
+
+# All created files are 0600 by default
+umask 077
+
+# Add firezone user if not exists
+if id firezone &>/dev/null; then
+ echo "firezone user exists... not creating."
+else
+ echo "creating system user firezone"
+ useradd --system firezone
+fi
+
+hostname=$(hostname)
+
+### SET UP DB
+
+# Create role if not exists
+db_user=firezone
+db_password="$(openssl rand -hex 16)"
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_roles WHERE rolname = '${db_user}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE ROLE ${db_user} WITH LOGIN PASSWORD '${db_password}';\""
+else
+ echo "${db_user} role found in DB"
+fi
+
+# Create DB if not exists
+db_name=firezone
+res=$(su postgres -c "psql -c \"SELECT 1 FROM pg_database WHERE datname = '${db_name}';\"")
+if [[ $res == *"0 rows"* ]]; then
+ su postgres -c "psql -c \"CREATE DATABASE firezone;\" || true"
+else
+ echo "${db_name} exists; not creating"
+fi
+
+# Grant all privileges
+su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE firezone to ${db_user};\""
+
+# Set up secrets dir
+mkdir -p /etc/firezone/secret
+chown firezone:root /etc/firezone/secret
+chmod 770 /etc/firezone/secret
+
+# Write FireZone SSL files
+ssl_key_file=/etc/firezone/secret/key.pem
+ssl_cert_file=/etc/firezone/cert.pem
+if [ -f $ssl_key_file ] && [ -f $ssl_cert_file ]; then
+ echo "ssl files exist; not creating"
+else
+ openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
+ -keyout $ssl_key_file \
+ -out $ssl_cert_file \
+ -days 365 -subj "/CN=${hostname}"
+fi
+
+# Generate app secrets
+live_view_signing_salt="$(openssl rand -base64 24)"
+secret_key_base="$(openssl rand -base64 48)"
+db_key="$(openssl rand -base64 32)"
+wg_server_key="$(wg genkey)"
+
+# Write FireZone config file
+if [ -f /etc/firezone/secret.env ]; then
+ echo "config file exists; not creating"
+else
+
+umask 037
+cat <> /etc/firezone/secret/secrets.env
+# This file 
is loaded into FireZone's Environment upon launch to configure it.
+
+# Warning: changing anything here can result in data loss. Make sure you know
+# what you're doing!
+
+# This is used to ensure secure communication with the live web views.
+# Re-generate this with "openssl rand -base64 24". All existing web views will
+# need to be refreshed.
+LIVE_VIEW_SIGNING_SALT="${live_view_signing_salt}"
+
+# This is used to secure cookies among other things.
+# You can regenerate this with "openssl rand -base64 48". All existing clients
+# will be signed out.
+SECRET_KEY_BASE="${secret_key_base}"
+
+# The URL to connect to your DB. Assumes the database has been created and this
+# user has privileges to create and modify tables. Must start with ecto://
+# Ex: ecto://user:password@localhost/firezone
+DATABASE_URL="ecto://${db_user}:${db_password}@127.0.0.1/firezone"
+
+# The Base64-encoded key for encrypted database fields.
+DB_ENCRYPTION_KEY=${db_key}
+
+# The Base64-encoded private key for the WireGuard interface
+WG_SERVER_KEY=${wg_server_key}
+EOT
+fi
+
+# Set perms
+chown -R firezone:root /etc/firezone
+chmod 0644 /etc/firezone/cert.pem
diff --git a/pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postrm.sh b/pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postrm.sh
new file mode 100755
index 000000000..bbf1f0efc
--- /dev/null
+++ b/pkg/ubuntu_20.04.amd64/usr/lib/firezone/bin/postrm.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = purge ]; then
+ echo "Refusing to purge /etc/firezone/secret and drop database. This must be done manually."
+ echo "If you really want to do this, run the following as root:"
+ echo " su postgres -c 'psql -c \"DROP DATABASE firezone;\"'"
+ echo " rm -rf /etc/firezone/secret"
+fi