website/src/app/kb/automate/docker-compose/readme.mdx
import Alert from "@/components/DocsAlert";
Firezone Gateways can be deployed using Docker Compose. This configuration uses the same options shown in the Docker run command shown in the admin portal when deploying a Docker-based Gateway.
Use the following docker-compose.yml, customizing as needed:
services:
firezone-gateway:
image: "ghcr.io/firezone/gateway:1"
environment:
# Use a unique ID for each Gateway in your Firezone account. If left blank,
# the Gateway will generate a random ID saved in /var/lib/firezone
# FIREZONE_ID: <id>
# REQUIRED. The token shown when deploying a Gateway in the admin portal.
FIREZONE_TOKEN: <token>
# Configure log output. Other options are "trace", "debug", "info", "warn", "error", and "off".
# See https://docs.rs/env_logger/latest/env_logger/ for more information.
RUST_LOG: info
# Human-friendly name to use for this Gateway in the admin portal.
# $(hostname) is used by default if not set.
# FIREZONE_NAME: <name-of-gateway>
volumes:
# Persist the FIREZONE_ID. Can be omitted if FIREZONE_ID is set above.
- /var/lib/firezone:/var/lib/firezone
cap_add:
- NET_ADMIN
# Needed to properly handle signals for restarting
init: true
sysctls:
# Enable IP forwarding
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
- net.ipv6.conf.all.disable_ipv6=0
- net.ipv6.conf.all.forwarding=1
- net.ipv6.conf.default.forwarding=1
healthcheck:
test: ["CMD-SHELL", "ip link | grep tun-firezone"]
interval: 5s
timeout: 10s
retries: 3
start_period: 1m
devices:
- /dev/net/tun:/dev/net/tun
# If you want to access services within the same compose file, they must share a network.
# networks:
# fz-net:
#
# # Heads-up for Linux users.
# # Due to limitations of `systemd-resolved` on Linux, a "two-label" domain is necessary if you want to define this as a DNS resource.
# # i.e. just using `yourservice` won't work.
# yourservice.docker:
# image: "..."
# networks:
# fz-net:
#
# networks:
# fz-net: