wip: firezone

2025-10-10 23:00:39 +02:00 · 2025-01-22 17:25:16 +01:00 · 2025-01-22 17:25:16 +01:00 · 5954cc30fc
commit 5954cc30fc
parent ec502b4193
11 changed files with 2408 additions and 0 deletions
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -19,6 +19,9 @@ _inputs: [
    #    (_pythonFinal: pythonPrev: {
    #    })
    #  ];
+    firezone-server-domain = prev.callPackage ./firezone-server-domain/package.nix { };
+    firezone-server-web = prev.callPackage ./firezone-server-web/package.nix { };
+    firezone-server-api = prev.callPackage ./firezone-server-api/package.nix { };

    formats = prev.formats // {
      ron = import ./ron.nix { inherit (prev) lib pkgs; };
--- a/pkgs/firezone-server-api/package.nix
+++ b/pkgs/firezone-server-api/package.nix
@ -0,0 +1,3 @@
+import ../firezone-server-domain/generic.nix {
+  mixReleaseName = "api";
+}
--- a/pkgs/firezone-server-domain/a.patch
+++ b/pkgs/firezone-server-domain/a.patch
@ -0,0 +1,68 @@
+diff --git a/apps/domain/lib/domain/config/definitions.ex b/apps/domain/lib/domain/config/definitions.ex
+index 8cd2e8d0f..f27d67c69 100644
+--- a/apps/domain/lib/domain/config/definitions.ex
+++ b/apps/domain/lib/domain/config/definitions.ex
+@@ -61,6 +61,7 @@ defmodule Domain.Config.Definitions do
+       {"Database",
+        [
+          :database_host,
+         :database_socket_dir,
+          :database_port,
+          :database_name,
+          :database_user,
+@@ -255,6 +256,11 @@ defmodule Domain.Config.Definitions do
+   """
+   defconfig(:database_host, :string, default: "postgres")
+ 
+  @doc """
+  PostgreSQL socket directory (takes precedence over hostname).
+  """
+  defconfig(:database_socket_dir, :string, default: nil)
+
+   @doc """
+   PostgreSQL port.
+   """
+diff --git a/apps/domain/lib/domain/telemetry.ex b/apps/domain/lib/domain/telemetry.ex
+index af430358d..a544e706e 100644
+--- a/apps/domain/lib/domain/telemetry.ex
+++ b/apps/domain/lib/domain/telemetry.ex
+@@ -13,7 +13,7 @@ defmodule Domain.Telemetry do
+ 
+     children = [
+       # We start a /healthz endpoint that is used for liveness probes
+-      {Bandit, plug: Telemetry.HealthzPlug, scheme: :http, port: 4000},
+      {Bandit, plug: Telemetry.HealthzPlug, scheme: :http, port: System.get_env("HEALTHZ_PORT") |> String.to_integer()},
+ 
+       # Telemetry poller will execute the given period measurements
+       # every 10_000ms. Learn more here: https://hexdocs.pm/telemetry_metrics
+diff --git a/config/runtime.exs b/config/runtime.exs
+index 15037e0a3..948f62cc8 100644
+--- a/config/runtime.exs
+++ b/config/runtime.exs
+@@ -8,15 +8,17 @@ if config_env() == :prod do
+   ###############################
+ 
+   config :domain, Domain.Repo,
+-    database: compile_config!(:database_name),
+-    username: compile_config!(:database_user),
+-    hostname: compile_config!(:database_host),
+-    port: compile_config!(:database_port),
+-    password: compile_config!(:database_password),
+-    pool_size: compile_config!(:database_pool_size),
+-    ssl: compile_config!(:database_ssl_enabled),
+-    ssl_opts: compile_config!(:database_ssl_opts),
+-    parameters: compile_config!(:database_parameters)
+  [
+    {:database, compile_config!(:database_name)},
+    {:username, compile_config!(:database_user)},
+    {:port, compile_config!(:database_port)},
+    {:pool_size, compile_config!(:database_pool_size)},
+    {:ssl, compile_config!(:database_ssl_enabled)},
+    {:ssl_opts, compile_config!(:database_ssl_opts)},
+    {:parameters, compile_config!(:database_parameters)}
+  ]
+  ++ (if System.get_env("DATABASE_PASSWORD"), do: [{:password, compile_config!(:database_password)}], else: [])
+  ++ (if System.get_env("DATABASE_SOCKET_DIR"), do: [{:socket_dir, compile_config!(:database_socket_dir)}], else: [{:hostname, compile_config!(:database_host)}])
+ 
+   config :domain, Domain.Tokens,
+     key_base: compile_config!(:tokens_key_base),
--- a/pkgs/firezone-server-domain/generic.nix
+++ b/pkgs/firezone-server-domain/generic.nix
@ -0,0 +1,129 @@
+{
+  mixReleaseName, # "domain" "web" or "api"
+}:
+{
+  lib,
+  fetchFromGitHub,
+  beamPackages,
+  pnpm_9,
+  nodejs,
+  tailwindcss,
+  esbuild,
+}:
+
+beamPackages.mixRelease rec {
+  pname = "firezone-server-${mixReleaseName}";
+  version = "unstable-2025-01-19";
+
+  src = "${
+    fetchFromGitHub {
+      owner = "firezone";
+      repo = "firezone";
+      rev = "8c9427b7b133e5050be34c2ac0e831c12c08f02c";
+      hash = "sha256-yccplADHRJQQiKrmHcJ5rvouswHrbx4K6ysnIAoZJR0=";
+    }
+  }/elixir";
+  patches = [ ./a.patch ];
+
+  pnpmDeps = pnpm_9.fetchDeps {
+    inherit pname version;
+    src = "${src}/apps/web/assets";
+    hash = "sha256-6rhhGv3jQY5MkOMNe1GEtNyrzJYXCSzvo8RLlKelP10=";
+  };
+  pnpmRoot = "apps/web/assets";
+
+  preBuild = ''
+    cat >> config/config.exs <<EOF
+    config :tailwind, path: "${lib.getExe tailwindcss}"
+    config :esbuild, path: "${lib.getExe esbuild}"
+    EOF
+
+    cat >> config/runtime.exs <<EOF
+    config :tzdata, :data_dir, System.get_env("TZDATA_DIR")
+    EOF
+
+    # TODO replace https://firezone.statuspage.io with custom link,
+    # unfortunately simple replace only works at compile time
+  '';
+
+  postBuild = ''
+    pushd apps/web
+    # for external task you need a workaround for the no deps check flag
+    # https://github.com/phoenixframework/phoenix/issues/2690
+    mix do deps.loadpaths --no-deps-check, assets.deploy
+    mix do deps.loadpaths --no-deps-check, phx.digest priv/static
+    popd
+  '';
+
+  nativeBuildInputs = [
+    pnpm_9
+    pnpm_9.configHook
+    nodejs
+  ];
+
+  inherit mixReleaseName;
+
+  # https://github.com/elixir-cldr/cldr_numbers/pull/52
+  mixNixDeps = import ./mix.nix {
+    inherit lib beamPackages;
+    overrides =
+      final: prev:
+      (lib.mapAttrs (
+        _: value:
+        value.override {
+          appConfigPath = src + "/config";
+        }
+      ) prev)
+      // {
+        ex_cldr_numbers = beamPackages.buildMix rec {
+          name = "ex_cldr_numbers";
+          version = "2.33.4";
+
+          src = beamPackages.fetchHex {
+            pkg = "ex_cldr_numbers";
+            version = "${version}";
+            sha256 = "sha256-0Vt+IX6eYMMo5zBF5R3GfXrF0plyR7gz76ssabLtBvU=";
+          };
+
+          beamDeps = [
+            final.decimal
+            final.digital_token
+            final.ex_cldr
+            final.ex_cldr_currencies
+            final.jason
+          ];
+        };
+
+        # mix2nix does not support git dependencies yet,
+        # so we need to add them manually
+        openid_connect = beamPackages.buildMix {
+          name = "openid_connect";
+          version = "2024-06-15-unstable";
+
+          src = fetchFromGitHub {
+            owner = "firezone";
+            repo = "openid_connect";
+            rev = "e4d9dca8ae43c765c00a7d3dfa12d6f24f5b3418";
+            hash = "sha256-LMmG+WWs83Hw/jcrersUMpk2tdXxkOU0CTe7qVbk6GQ=";
+          };
+          beamDeps = [
+            final.jason
+            final.finch
+            final.jose
+          ];
+        };
+      };
+  };
+
+  meta = {
+    description = "Backend server and Admin UI for the Firezone zero-trust access platform";
+    homepage = "https://github.com/firezone/firezone";
+    license = lib.licenses.asl20;
+    maintainers = with lib.maintainers; [
+      oddlama
+      patrickdag
+    ];
+    mainProgram = mixReleaseName;
+    platforms = lib.platforms.linux;
+  };
+}
--- a/pkgs/firezone-server-domain/mix.nix
+++ b/pkgs/firezone-server-domain/mix.nix
--- a/pkgs/firezone-server-domain/package.nix
+++ b/pkgs/firezone-server-domain/package.nix
@ -0,0 +1,3 @@
+import ./generic.nix {
+  mixReleaseName = "domain";
+}
--- a/pkgs/firezone-server-web/package.nix
+++ b/pkgs/firezone-server-web/package.nix
@ -0,0 +1,3 @@
+import ../firezone-server-domain/generic.nix {
+  mixReleaseName = "web";
+}