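# Production image: the Elixir umbrella release is compiled in a builder
# stage and only the resulting release is copied into a minimal Alpine
# runtime stage.
ARG ELIXIR_VERSION=1.14.0
ARG OTP_VERSION=25.1
ARG ALPINE_VERSION=3.16.2
ARG BUILDER_IMAGE="firezone/elixir:${ELIXIR_VERSION}-otp-${OTP_VERSION}"
ARG RUNNER_IMAGE="alpine:${ALPINE_VERSION}"

# ---------------------------------------------------------------------------
# Build stage. Nothing from this stage ships except what is pulled out with
# COPY --from=builder in the runtime stage below.
# ---------------------------------------------------------------------------
FROM ${BUILDER_IMAGE} AS builder

# Install build dependencies. --no-cache keeps the apk index out of the
# layer; package versions are left unpinned here because this stage is
# discarded and reproducibility is anchored on the pinned base-image tags.
RUN apk add --no-cache build-base git nodejs npm python3

# Prepare build dir
WORKDIR /app

# Install hex + rebar
RUN mix local.hex --force && \
    mix local.rebar --force

# Set build ENV
ENV MIX_ENV="prod"

# Install mix dependencies. Only the dependency manifests are copied first so
# this layer stays cached until one of the mix.exs/mix.lock files changes.
COPY mix.exs mix.lock ./
COPY apps/fz_common/mix.exs ./apps/fz_common/mix.exs
COPY apps/fz_http/mix.exs ./apps/fz_http/mix.exs
COPY apps/fz_vpn/mix.exs ./apps/fz_vpn/mix.exs
COPY apps/fz_wall/mix.exs ./apps/fz_wall/mix.exs
RUN mix deps.get --only $MIX_ENV

RUN mkdir config
# Copy compile-time config files before we compile dependencies
# to ensure any relevant config change will trigger the dependencies
# to be re-compiled.
COPY config/config.exs config/${MIX_ENV}.exs config/
RUN mix deps.compile

COPY priv priv
COPY apps apps

# mix phx.digest triggers fz_http compilation, need version to be set here.
# Kept as late as possible: a changed VERSION invalidates every layer after it.
ARG VERSION=0.0.0-docker
ENV VERSION=$VERSION

# Compile assets. WORKDIR is used instead of `cd` so the working directory of
# each step is explicit; it is reset to /app afterwards for the mix steps.
WORKDIR /app/apps/fz_http/assets
RUN npm install \
    && npm run deploy
WORKDIR /app/apps/fz_http
RUN mix phx.digest
WORKDIR /app

# Compile the release
RUN mix compile

# Changes to config/runtime.exs don't require recompiling the code
COPY config/runtime.exs config/
COPY rel rel
RUN mix release

# ---------------------------------------------------------------------------
# Runtime stage: only the compiled release and its runtime dependencies.
# ---------------------------------------------------------------------------
FROM ${RUNNER_IMAGE}

# nftables is invoked at runtime via NFT_PATH (see the ENV block below);
# libstdc++, ncurses-libs and openssl are presumably shared libraries the
# bundled Erlang runtime links against — confirm before removing any.
RUN apk add -u --no-cache libstdc++ ncurses-libs nftables openssl

WORKDIR /app

# Runtime defaults. Every value can be overridden at `docker run` time;
# MIX_ENV is also used by the COPY --from path below.
ENV MIX_ENV="prod" \
    PHOENIX_LISTEN_ADDRESS='0.0.0.0' \
    PHOENIX_PORT='4000' \
    SECURE_COOKIES='true' \
    EXTERNAL_TRUSTED_PROXIES='[]' \
    PRIVATE_CLIENTS='[]' \
    EGRESS_INTERFACE=eth0 \
    NFT_PATH=nft \
    WIREGUARD_INTERFACE_NAME='wg-firezone' \
    WIREGUARD_PORT='51820' \
    WIREGUARD_MTU='1280' \
    WIREGUARD_ALLOWED_IPS='0.0.0.0/0, ::/0' \
    WIREGUARD_DNS='1.1.1.1, 1.0.0.1' \
    WIREGUARD_PERSISTENT_KEEPALIVE=0 \
    WIREGUARD_IPV4_ENABLED=true \
    WIREGUARD_IPV4_MASQUERADE=true \
    WIREGUARD_IPV4_NETWORK='10.3.2.0/24' \
    WIREGUARD_IPV4_ADDRESS='10.3.2.1' \
    WIREGUARD_IPV6_ENABLED=true \
    WIREGUARD_IPV6_MASQUERADE=true \
    WIREGUARD_IPV6_NETWORK='fd00::3:2:0/120' \
    WIREGUARD_IPV6_ADDRESS='fd00::3:2:1' \
    WIREGUARD_PRIVATE_KEY_PATH='/var/firezone/private_key' \
    DATABASE_NAME=firezone \
    DATABASE_USER=postgres \
    DATABASE_HOST=postgres \
    DATABASE_PORT='5432' \
    DATABASE_POOL='10' \
    DATABASE_SSL='false' \
    DATABASE_SSL_OPTS='{}' \
    DATABASE_PARAMETERS='{}' \
    LOCAL_AUTH_ENABLED='true' \
    ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT='true' \
    ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION='true' \
    DISABLE_VPN_ON_OIDC_ERROR='false' \
    AUTO_CREATE_OIDC_USERS='true' \
    AUTH_OIDC_JSON='{}' \
    MAX_DEVICES_PER_USER='10' \
    CONNECTIVITY_CHECKS_ENABLED='true' \
    CONNECTIVITY_CHECKS_INTERVAL='3600' \
    TELEMETRY_ENABLED='true'

# Documentation only (ports are not published by EXPOSE): the web listener
# from PHOENIX_PORT and the WireGuard UDP listener from WIREGUARD_PORT.
# Keep in sync with those defaults if they change.
EXPOSE 4000/tcp 51820/udp

# Only copy the final release from the build stage
COPY --from=builder /app/_build/${MIX_ENV}/rel/firezone ./

# NOTE(review): this stage has no USER directive and therefore runs as root.
# The release appears to manage nftables rules (NFT_PATH) and a WireGuard
# interface (WIREGUARD_*), which needs network-admin privileges; confirm
# what is actually required before switching to a non-root user.
CMD ["/app/bin/server"]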