Intuinewin / helm-charts


[Question] Initial user creation in Firezone #40

Closed sdaberdaku closed 1 week ago

sdaberdaku commented 1 week ago

Hello @Intuinewin,

Thank you for the amazing work with the charts!

Could you please provide some more information on how to create the initial user with the Elixir interactive shell?

Thanks,

Sebastian

Intuinewin commented 1 week ago

Hello,

I recommend you configure the mail adapter and don't provision any users yourself. Just use the classic registration flow.

But if you want to provision an account yourself you can read this README which explains how to access the elixir interactive shell and how to create accounts: https://github.com/firezone/firezone/blob/main/elixir/README.md

or use this file which is used to seed a test database https://github.com/firezone/firezone/blob/main/elixir/apps/domain/priv/repo/seeds.exs

sdaberdaku commented 1 week ago

Thanks for your prompt response! Ideally I would like to avoid creating users altogether and attach my Identity Provider to Firezone. I will read the documentation you sent me, however if you have any suggestions on how to do that it would be very welcome. I am setting the OPENID_CONNECT_PROVIDERS env variable for google like so but the "google" login is not showing up on the login page.

global:
...
  # Common extra env for all pods
  extraEnv:
    - name: OPENID_CONNECT_PROVIDERS
      valueFrom:
        secretKeyRef:
          name: idp-credentials
          key: openid_connect_providers

with the secret looking something like this:

[
  {
    "auto_create_users": true,
    "id": "google",
    "label": "google",
    "client_id": "zzzzz.apps.googleusercontent.com",
    "client_secret": "xxx",
    "discovery_document_uri": "https://accounts.google.com/.well-known/openid-configuration",
    "redirect_uri": "https://aaaaaaaaaaaa/auth/oidc/google/callback/",
    "response_type": "code",
    "scope": "openid email profile"
  }
]

Intuinewin commented 1 week ago

Oh, I think the environment variable OPENID_CONNECT_PROVIDERS is for Firezone 0.7. This chart is intended exclusively for Firezone 1.0 deployments.

With Firezone 1.0 you can't configure OIDC with environment variables. Firezone 1.0 is a multi-tenant tool: it consists of accounts (for example your company), and each account has users who can log in with auth providers (like OIDC).

So to make Firezone work, you first need to sign up in order to create an account and a single admin user. Then, within the admin UI, you can add auth providers that are enabled globally, like OIDC (https://github.com/Intuinewin/helm-charts/blob/main/firezone/values.yaml#L98).

In the readme I say that this initial sign up process can be done

I hope this helps

sdaberdaku commented 1 week ago

Thanks again for your patience!

Do you by any chance have any working example for OUTBOUND_EMAIL_ADAPTER_OPTS? Any suggestion on the smtp server to use?

sdaberdaku commented 1 week ago

I am probably messing up the formatting or something, because I keep getting this error in the web component logs:

{
   "error_logger":{
      "tag":"error",
      "report_cb":"&:gen_server.format_log/1"
   },
   "message":"no function clause matching in :lists.partition_1/4",
   "time":"2024-09-01T19:50:10.617Z",
   "domain":[
      "otp"
   ],
   "context":{
      "reportLocation":{
         "filePath":"gen_server.erl",
         "functionName":"gen_server.error_info/8",
         "lineNumber":2474
      }
   },
   "otel_trace_flags":[
      48,
      49
   ],
   "severity":"ERROR",
   "logging.googleapis.com/sourceLocation":{
      "file":"gen_server.erl",
      "line":2474,
      "function":"gen_server.error_info/8"
   },
   "logging.googleapis.com/operation":{
      "producer":"#PID<0.843.0>"
   },
   "logging.googleapis.com/spanId":"27075cbe8f151553",
   "logging.googleapis.com/trace":"33ec88a32c1c788a3963e7687f7e93fa",
   "@type":"type.googleapis.com/google.devtools.clouderrorreporting.v1beta1.ReportedErrorEvent",
   "serviceContext":{
      "service":"firezone@10.254.156.252"
   },
   "stack_trace":"** (FunctionClauseError) no function clause matching in :lists.partition_1/4\n    (stdlib 6.0.1) lists.erl:2231:in `:lists.partition_1(#Function<0.14248608/1 in :smtp_socket.proplist_merge/2>, nil, [active: false, keepalive: true, packet: :line], [])'\n    (gen_smtp 1.2.0) /app/deps/gen_smtp/src/smtp_socket.erl:339:in `:smtp_socket.proplist_merge/2'\n    (gen_smtp 1.2.0) /app/deps/gen_smtp/src/smtp_socket.erl:329:in `:smtp_socket.tcp_connect_options/2'\n    (gen_smtp 1.2.0) /app/deps/gen_smtp/src/smtp_socket.erl:107:in `:smtp_socket.connect/5'\n    (gen_smtp 1.2.0) /app/deps/gen_smtp/src/gen_smtp_client.erl:820:in `:gen_smtp_client.connect/2'\n    (gen_smtp 1.2.0) /app/deps/gen_smtp/src/gen_smtp_client.erl:378:in `:gen_smtp_client.open_smtp_session/2'\n    (gen_smtp 1.2.0) /app/deps/gen_smtp/src/gen_smtp_client.erl:316:in `:gen_smtp_client.try_smtp_sessions/3'\n    (gen_smtp 1.2.0) /app/deps/gen_smtp/src/gen_smtp_client.erl:289:in `:gen_smtp_client.send_it/2'\n"
}

I am trying the following config (censoring the sensitive part):

{
    "relay": "smtp-relay.brevo.com",
    "username": "xxx@smtp-brevo.com",
    "password": "xxx",
    "port": 587
}

The adapter is: adapter: Elixir.Swoosh.Adapters.SMTP

Intuinewin commented 1 week ago

I think I've had this problem before: you need to set sockopts to {} if tls is not enabled. I need to fix this in Firezone (the default value is broken) but haven't had time yet.
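
The two comments above come down to the shape of the OUTBOUND_EMAIL_ADAPTER_OPTS JSON: a parse error (the posted snippet carries a trailing comma) or a missing option never reaches the mailer in a readable form, it surfaces as a gen_smtp crash in the web pod logs. The following linter is an added example, not code from Firezone or from this chart. It assumes the variable is a JSON object handed to Swoosh.Adapters.SMTP (gen_smtp underneath), as the snippet posted above shows; the `sockopts` rule encodes the maintainer's remark that an unset value breaks gen_smtp when TLS is not enabled, and the TLS/port rules are generic SMTP hygiene, not Firezone behaviour. The sample configs inside it are constructed, with the same censored values as the post.

```python
"""Lint an OUTBOUND_EMAIL_ADAPTER_OPTS value for Firezone's Swoosh SMTP adapter.

Added example, not code from Firezone or from this chart. It assumes the
variable is a JSON object handed to Swoosh.Adapters.SMTP (gen_smtp underneath),
as the snippet posted in the thread shows. The 'sockopts' rule encodes the
maintainer's remark that an unset sockopts breaks gen_smtp when TLS is not
enabled; the TLS/port rules are generic SMTP hygiene, not Firezone behaviour.
"""
import json

SMTP_ADAPTER = "Elixir.Swoosh.Adapters.SMTP"

# Option names that Swoosh's SMTP adapter forwards to gen_smtp_client.
KNOWN_KEYS = {
    "relay", "port", "username", "password", "auth", "tls", "ssl",
    "sockopts", "tls_options", "retries", "hostname",
}

# Constructed sample: the config posted in the thread, trailing comma included
# (values already censored by the poster).
POSTED_OPTS = """{
    "relay": "smtp-relay.brevo.com",
    "username": "xxx@smtp-brevo.com",
    "password": "xxx",
    "port": 587,
}"""

# Constructed sample: same relay, valid JSON, STARTTLS required, and sockopts
# set explicitly (an assumption following the maintainer's suggestion).
FIXED_OPTS = """{
    "relay": "smtp-relay.brevo.com",
    "username": "xxx@smtp-brevo.com",
    "password": "xxx",
    "port": 587,
    "tls": "always",
    "sockopts": {}
}"""


def parse_opts(raw):
    """Strict JSON parse; returns (dict or None, list of findings)."""
    try:
        opts = json.loads(raw)
    except json.JSONDecodeError as exc:
        # A trailing comma or a stray quote is caught here, not in the mailer.
        return None, [f"not valid JSON: {exc.msg} (line {exc.lineno}, col {exc.colno})"]
    if not isinstance(opts, dict):
        return None, ["top-level value must be a JSON object"]
    return opts, []


def lint_smtp_opts(adapter, raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    opts, findings = parse_opts(raw)
    if opts is None or adapter != SMTP_ADAPTER:
        return findings

    for key in ("relay", "port"):
        if key not in opts:
            findings.append(f"missing required key '{key}'")
    for key in sorted(set(opts) - KNOWN_KEYS):
        findings.append(f"unknown key '{key}' (typo? gen_smtp will not see it)")

    if "sockopts" not in opts:
        findings.append(
            "sockopts not set: the maintainer reports the default breaks "
            "gen_smtp's option merge unless TLS is enabled; set it explicitly"
        )

    tls = opts.get("tls", "if_available")  # gen_smtp default
    ssl = bool(opts.get("ssl", False))
    port = opts.get("port")
    has_creds = "username" in opts or "password" in opts

    # SMTP AUTH over a cleartext session sends the relay password in the clear.
    if has_creds and tls == "never" and not ssl:
        findings.append("credentials configured but tls is 'never' and ssl is false: "
                        "password would be sent in cleartext")
    # 'if_available' downgrades silently if the relay (or a MITM) omits STARTTLS.
    if has_creds and tls == "if_available" and not ssl:
        findings.append("tls is 'if_available': set 'always' so a missing STARTTLS "
                        "offer fails instead of downgrading to cleartext")
    # Port/TLS mode mismatches: 465 is implicit TLS, 587 is STARTTLS.
    if port == 465 and not ssl:
        findings.append("port 465 expects implicit TLS: set ssl to true")
    if port == 587 and ssl:
        findings.append("port 587 expects STARTTLS, not implicit TLS: set ssl false and tls 'always'")
    return findings


if __name__ == "__main__":
    for name, raw in (("posted", POSTED_OPTS), ("fixed", FIXED_OPTS)):
        print(name, lint_smtp_opts(SMTP_ADAPTER, raw) or ["ok"])
```

Run it against the value you are about to put in the Kubernetes secret before deploying; a relay password belongs behind `tls: "always"` (or `ssl: true` on 465), never behind the gen_smtp default of `if_available`, which will quietly fall back to cleartext if the relay stops offering STARTTLS.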

sdaberdaku commented 1 week ago

Thanks again for the help, I was able to make it work by switching to Elixir.Swoosh.Adapters.Postmark and using the api_key parameter (I finally got the email for registering). I read the documentation you sent me yesterday but I could not make it work, it would always fail at the last step where you mimic sending the email. I think that documentation might be a bit behind.

sdaberdaku commented 1 week ago

By the way, it would be very nice if there was a way to initialize the initial admin user without having to send actual emails.