Hello,
I have just set up a successful Firezone (0.6.10) installation on my Docker host.
As I wanted to use Traefik as my reverse proxy, I set up the configuration according to the documentation here: Traefik | Firezone
I also set the environment variables directly in my docker-compose.yaml instead of using a .env file (the secret values below are redacted placeholders).
docker-compose.yaml firezone & postgres
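version: '3.8'

# Shared restart/update policy for both services.
# NOTE(review): `deploy:` is honoured fully only in Swarm mode; on plain
# `docker compose` the `restart:` key is the reliable way to get restarts —
# confirm against your compose version before relying on this.
x-deploy: &default-deploy
  restart_policy:
    condition: on-failure
    delay: 5s
    max_attempts: 3
    window: 120s
  update_config:
    order: start-first

services:
  firezone:
    image: firezone/firezone:0.6.10
    container_name: webgui-vpn
    depends_on:
      - postgres
    # Required for WireGuard: NET_ADMIN to manage interfaces/routes,
    # SYS_MODULE to load the wireguard kernel module. Both are powerful;
    # do not add further capabilities without a concrete need.
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    environment:
      - TZ=Europe/Berlin
      # Firezone expects a full URL including the scheme; it is used to
      # build absolute links and for cookie/origin checks. The HTTP->HTTPS
      # redirect below means the canonical scheme is https.
      - EXTERNAL_URL=https://vpn.mydomain.xyz
      - ADMIN_EMAIL=admin@mydomain.xyz
      # Seeds the admin account on first boot only. NOTE(review): Firezone
      # validates user passwords against a minimum length (12 characters in
      # the releases I have seen) — a value shorter than that makes the seed
      # fail validation and no admin is created; confirm for 0.6.10 and use a
      # long, unique value here, then rotate it after first login.
      - DEFAULT_ADMIN_PASSWORD=default
      # Must match POSTGRES_PASSWORD of the postgres service below.
      # Replace the shared default with a generated secret.
      - DATABASE_PASSWORD=default_db
      # Each of these must be a distinct, randomly generated value
      # (e.g. `openssl rand -base64 32`); reusing one string for all of
      # them weakens cookie signing/encryption and the database field
      # encryption. Values here are redacted placeholders.
      - DATABASE_ENCRYPTION_KEY=base64-encoded-string
      - GUARDIAN_SECRET_KEY=base64-encoded-string
      - COOKIE_ENCRYPTION_SALT=base64-encoded-string
      - COOKIE_SIGNING_SALT=base64-encoded-string
      - LIVE_VIEW_SIGNING_SALT=base64-encoded-string
      - SECRET_KEY_BASE=base64-encoded-string
      # Fixed typo (was EXTERAL_...): a misspelled variable is silently
      # ignored, so client IPs behind Traefik would not be trusted/derived
      # from X-Forwarded-For. Per the Firezone docs the value is a JSON
      # array, so use double quotes inside the brackets. Only list the
      # proxy's own address — trusting a whole subnet lets any container
      # on it spoof client IPs.
      - EXTERNAL_TRUSTED_PROXIES=["traefik-container-ip"]
    networks:
      - frontend
      - db_backend
    ports:
      # Only the WireGuard port is published; the web UI (13000) is
      # reachable solely through Traefik on the `frontend` network.
      - "51820:51820/udp"
    volumes:
      - firezone_data:/var/firezone
    labels:
      # Basic access configuration
      - traefik.enable=true
      - traefik.docker.network=frontend
      # Redirect http to https
      - traefik.http.routers.firezone_http.entrypoints=web_tcp
      - traefik.http.routers.firezone_http.rule=Host(`vpn.mydomain.xyz`)
      - traefik.http.middlewares.firezone_redirect.redirectscheme.scheme=https
      - traefik.http.routers.firezone_http.middlewares=firezone_redirect
      # Https
      - traefik.http.routers.firezone_https.entrypoints=web_secure_tcp
      - traefik.http.routers.firezone_https.rule=Host(`vpn.mydomain.xyz`)
      - traefik.http.routers.firezone_https.tls=true
      - traefik.http.routers.firezone_https.tls.certresolver=tlsresolver
      - traefik.http.services.firezone.loadbalancer.server.port=13000
    deploy:
      <<: *default-deploy

  postgres:
    image: postgres:15.1
    container_name: db-vpn
    environment:
      - TZ=Europe/Berlin
      - POSTGRES_DB=firezone
      - POSTGRES_USER=postgres
      # Must match DATABASE_PASSWORD of the firezone service.
      - POSTGRES_PASSWORD=default_db
    networks:
      # Fixed: service-level `networks` refer to the top-level key
      # (`db_backend`), not to its `name:` (`firezoneDBNetwork`).
      # No `ports:` on purpose — the database is reachable only from
      # containers on db_backend.
      - db_backend
    volumes:
      - postgres_data:/var/lib/postgresql/data
    deploy:
      <<: *default-deploy
      update_config:
        order: stop-first

volumes:
  firezone_data:
  postgres_data:

networks:
  db_backend:
    name: firezoneDBNetwork
    driver: bridge
  # Must be the very network the Traefik container is attached to;
  # NOTE(review): the Traefik compose file attaches Traefik to a network
  # called `exposedServices`, so verify the two names actually match.
  frontend:
    external: true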
docker-compose.yaml traefik
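version: '3.8'

services:
  traefik:
    image: traefik:v2.9.5
    container_name: reverse-proxy
    restart: always
    environment:
      - TZ=Europe/Berlin
    extra_hosts:
      - "host.docker.internal:host-gateway"
    networks:
      exposedServices:
        ipv4_address: traefik-container-ip
        ipv6_address: traefik-container-ip
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Access to the Docker socket is root-equivalent on the host; a
      # compromised Traefik could start privileged containers. `:ro` only
      # blocks writes to the socket file, it does NOT restrict API calls —
      # prefer a socket proxy that exposes only the read-only endpoints
      # Traefik needs, and set `providers.docker.exposedByDefault: false`
      # in the static config so only labelled containers are routed.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/docker/config/traefik:/etc/traefik
      - /root/docker/data/traefik/logs:/logs
      - /root/docker/data/traefik/certificates:/certificates
    labels:
      # Basic access configuration
      - traefik.enable=true
      - traefik.docker.network=exposedServices
      # Dashboard/API: previously served unauthenticated over plain HTTP
      # (web_tcp) — anyone reaching port 80 could read the full routing
      # config. Serve it only over TLS and behind an auth middleware.
      - traefik.http.routers.traefik.entrypoints=web_secure_tcp
      - traefik.http.routers.traefik.rule=Host(`mydomain.xyz`)
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=tlsresolver
      - traefik.http.routers.traefik.middlewares=traefik_auth
      # Generate the entry with `htpasswd -nB <user>`; every `$` in the
      # resulting hash must be written as `$$` inside compose.
      - traefik.http.middlewares.traefik_auth.basicauth.users=htpasswd-entry
      # Traefik api configuration
      - traefik.http.routers.traefik.service=api@internal

networks:
  exposedServices:
    name: exposedServices
    driver: bridge
    enable_ipv6: true
    ipam:
      config:
        - subnet: subnet/16
        - subnet: subnet::/64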
With this I can reach the Firezone web UI without a problem, but if I now try to log in with admin@mydomain.xyz and the password "default" at https://vpn.mydomain.xyz I get the error 'Error signing in: invalid_credentials'.
I also tried setting different passwords as DEFAULT_ADMIN_PASSWORD in the environment variables and recreating the containers (and volumes), but no luck.
I have also looked at the file /var/lib/docker/containers/container-id/config.v2.json and it does indeed include the correct e-mail and password combination (note that this file stores every container environment variable in plaintext, so treat it as sensitive).
Running the create-or-reset-admin command inside the Firezone container also seems to do nothing, but I don't know which parameters to pass to it, as I can't find any information or documentation about it anywhere.
Is there anything I can do to get a recognized default admin password set, other than using the default reverse proxy?
I would be really glad about any help!
Kind regards
RedPanda