Deploy Firezone using Docker Compose

Firezone Gateways can be deployed using Docker Compose. This configuration uses the same options shown in the Docker run command shown in the admin portal when deploying a Docker-based Gateway.

Prerequisites

  1. Docker Engine for Linux. Docker Desktop can be used for testing purposes but is not supported for production deployments.
  2. Compose plugin for Docker Engine version 2.0.0 or later. We recommend using the latest version available.

Deployment

Use the following docker-compose.yml, customizing as needed:

services:
  firezone-gateway:
    image: "ghcr.io/firezone/gateway:1"
    environment:
      # Use a unique ID for each Gateway in your Firezone account. If left blank,
      # the Gateway will generate a random ID saved in /var/lib/firezone
      # - FIREZONE_ID=<id>

      # REQUIRED. The token shown when deploying a Gateway in the admin portal.
      - FIREZONE_TOKEN=<token>

      # Configure log output. Other options are "trace", "debug", "info", "warn", "error", and "off".
      # See https://docs.rs/env_logger/latest/env_logger/ for more information.
      - RUST_LOG=info

      # Human-friendly name to use for this Gateway in the admin portal.
      # $(hostname) is used by default if not set.
      # - FIREZONE_NAME=<name-of-gateway>
    volumes:
      # Persist the FIREZONE_ID. Can be omitted if FIREZONE_ID is set above.
      - /var/lib/firezone:/var/lib/firezone
    cap_add:
      - NET_ADMIN
    sysctls:
      # Enable IP forwarding
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    healthcheck:
      test: ["CMD-SHELL", "ip link | grep tun-firezone"]
      interval: 5s
      timeout: 10s
      retries: 3
      start_period: 1m
    devices:
      - /dev/net/tun:/dev/net/tun
    init: true
# If you want to access services within the same compose file, they must share a network.
#    networks:
#      fz-net:
#
#   # Heads-up for Linux users.
#   # Due to limitations of `systemd-resolved` on Linux, a "two-label" domain is necessary if you want to define this as a DNS resource.
#   # i.e. just using `yourservice` won't work.
#   yourservice.docker:
#     image: "..."
#     networks:
#       fz-net:
#
# networks:
#   fz-net:
Found a problem with this page? Open an issue
Last updated: October 15, 2024