Update docker-compose.yml

add optional middleware to restrict web panel access

README.md

@@ -71,8 +71,8 @@ docker compose up
 - [wg-easy](examples/wg-easy) - The easiest way to install & manage WireGuard on any Linux host. All-in-one deployment of a WireGuard VPN network service + web management UI.
 - [WireGuard](examples/wireguard) - WireGuard by Linuxserver.io is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
 - [IPSec VPN Server](examples/ipsec-vpn-server) - Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2.
+- [Firezone](examples/firezone) - Self-hosted secure remote access gateway that supports the WireGuard protocol. It offers a Web GUI, 1-line install script, multi-factor auth (MFA), and SSO.
 - ~~[Netbird](https://github.com/netbirdio/netbird)~~ - Quickly connect your computers, servers, cloud instances, and IoT devices into a secure private network. No configuration required.
-- ~~[Firezone](https://github.com/firezone/firezone)~~ - Self-hosted secure remote access gateway that supports the WireGuard protocol. It offers a Web GUI, 1-line install script, multi-factor auth (MFA), and SSO.
 
 ### Domain Name Service (DNS)
 - [AdGuard Home](examples/adguard-home) - AdGuard Home is a network-wide software for blocking ads and tracking.

examples/firezone/.env

@@ -0,0 +1,28 @@
+VERSION=latest
+
+# Change these settings
+EXTERNAL_URL=https://firezone.example.com
+DEFAULT_ADMIN_EMAIL=admin@example.com
+DEFAULT_ADMIN_PASSWORD=ins4vOVm9RwuiY4j
+
+GUARDIAN_SECRET_KEY=qAWbvgyHUQVgRtF+JaJseNIt779CLADuYZdWfXPy4R6zQ51wom0SJtpvEVIGYKH0
+SECRET_KEY_BASE=lThlZfb7E79kgKdg7q9e2jf/XF7VXSg/sFFi6xD7CUhVOybLhkYPyeYbFmIJ3Nv0
+LIVE_VIEW_SIGNING_SALT=+lKcWppaW5GPqfYupk8qjuAfWuuHDxRA
+COOKIE_SIGNING_SALT=i+nxqzyT
+COOKIE_ENCRYPTION_SALT=CyMASGO+
+DATABASE_ENCRYPTION_KEY=ftVUOP6G7twvORBaxVR1Z1d8gaKeJMeOIOtR+Zc1sIs=
+DATABASE_PASSWORD=cN8IrZTSBMgcu++k
+
+# The ability to change the IPv4 and IPv6 address pool will be removed
+# in a future Firezone release in order to reduce the possible combinations
+# of network configurations we need to handle.
+#
+# Due to the above, we recommend not changing these unless absolutely
+# necessary.
+WIREGUARD_IPV4_NETWORK=100.64.0.0/10
+WIREGUARD_IPV4_ADDRESS=100.64.0.1
+WIREGUARD_IPV6_NETWORK=fd00::/106
+WIREGUARD_IPV6_ADDRESS=fd00::1
+
+#PHOENIX_EXTERNAL_TRUSTED_PROXIES=["192.168.178.0/24"]
+#PHOENIX_PRIVATE_CLIENTS=["192.168.0.0/24"]

examples/firezone/README.md

@@ -0,0 +1,17 @@
+# Reference
+
+- https://www.firezone.dev/docs/deploy/docker
+
+# Notes
+
+1. Download the `docker-compose.yml` and `.env` file from this repository.
+2. Adjust both files to your needs. Especially change the default secrets!
+3. Proceed by executing the below commands.
+
+````
+docker compose run --rm firezone bin/migrate
+docker compose run --rm firezone bin/create-or-reset-admin
+docker compose up -d
+````
+
+Note: This compose setup requires an already existing dockerized Traefik reverse proxy.

examples/firezone/docker-compose.yml

@@ -0,0 +1,69 @@
+x-deploy: &default-deploy
+  restart_policy:
+    condition: unless-stopped
+    delay: 5s
+    window: 120s
+  update_config:
+    order: start-first
+
+version: "3.7"
+
+services:
+
+  firezone:
+    image: firezone/firezone
+    container_name: firezone-web
+    ports:
+      - 51820:51820/udp
+    env_file:
+      # This should contain a list of env vars for configuring Firezone.
+      # See https://docs.firezone.dev/reference/env-vars for more info.
+      - ${FZ_INSTALL_DIR:-.}/.env
+    volumes:
+      # IMPORTANT: Persists WireGuard private key and other data. If
+      # /var/firezone/private_key exists when Firezone starts, it is
+      # used as the WireGuard private. Otherwise, one is generated.
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/firezone:/var/firezone
+    labels:
+     - traefik.enable=true
+     - traefik.docker.network=dev
+     - traefik.http.routers.firezone_https.rule=Host(`firezone.example.com`)
+     - traefik.http.routers.firezone_https.tls=true
+     - traefik.http.services.firezone.loadbalancer.server.port=13000
+     #- traefik.http.routers.firezone.middlewares=local-ipwhitelist@file
+    cap_add:
+      # Needed for WireGuard and firewall support.
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      # Needed for masquerading and NAT.
+      - net.ipv6.conf.all.disable_ipv6=0
+      - net.ipv4.ip_forward=1
+      - net.ipv6.conf.all.forwarding=1
+    depends_on:
+      - postgres
+    networks:
+      - dev
+
+    deploy:
+      <<: *default-deploy
+
+  postgres:
+    image: postgres:15
+    container_name: firezone-db
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/postgres-data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: ${DATABASE_NAME:-firezone}
+      POSTGRES_USER: ${DATABASE_USER:-postgres}
+      POSTGRES_PASSWORD: ${DATABASE_PASSWORD:?err}
+    networks:
+      - dev
+    deploy:
+      <<: *default-deploy
+      update_config:
+        order: stop-first
+
+networks:
+  dev:
+    external: true