Commit

adapt to separate env files
qrkourier committed Apr 12, 2024
1 parent daaef5e commit b69c787
Showing 4 changed files with 9 additions and 11 deletions.
@@ -19,7 +19,7 @@ curl -sS https://get.openziti.io/install.bash \

You must provide these two answers to start the service.

1. In `/opt/openziti/etc/controller/env` (the systemd env file for the controller service)
1. In `/opt/openziti/etc/controller/bootstrap.env` (the answer file for bootstrapping the controller)
1. Set `ZITI_CTRL_ADVERTISED_ADDRESS` to the FQDN of the controller
1. Temporarily set `ZITI_PWD` to the desired management password for user `admin`. You may delete this password after bootstrapping for security.

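Review bot: the answer file now holds a secret (`ZITI_PWD`, line 22) but the hunk says nothing about who may read `/opt/openziti/etc/controller/bootstrap.env`. The router guide states the requirement for its `.token` fallback ("must be readable by root (not others)"); say the same for `bootstrap.env` here, and spell out that "delete this password after bootstrapping" means removing the `ZITI_PWD=` line from that file. A quick check to include: `sudo stat -c '%a %U:%G' /opt/openziti/etc/controller/bootstrap.env` should report a mode with no group or world read bits and `root:root`.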
@@ -49,15 +49,15 @@ The controller service will bootstrap a database during the first startup.

The controller requires a BoltDB database to store its state. The Linux system service will initialize a database with a default admin password during the first startup, unless one already exists.

You must specify the management password for the default admin user before starting the service. This is done by setting `ZITI_PWD` in `/opt/openziti/etc/controller/env` or one of `LoadCredential` or `SetCredential` in `/lib/systemd/system/ziti-controller.service`. You may delete the password after bootstrapping for security.
You must specify the management password for the default admin user before starting the service. This is done by setting `ZITI_PWD` in `/opt/openziti/etc/controller/bootstrap.env` or `LoadCredential` in `/lib/systemd/system/ziti-controller.service`. You may delete the password after bootstrapping for security.

Disable bootstrapping the database by setting `ZITI_BOOTSTRAP_DATABASE=false` in `/lib/systemd/system/ziti-controller.service`.

## Firewall

The controller listens on a single configurable TCP port: `1280/tcp`. This TLS server employs SNI to select the correct certificate for presentation when there are multiple certificates. Ziti clients use ALPN to negotiate a connection to the router control plane (`ziti-ctrl`) or the REST APIs (`h2`, `http/1.1`).

You may set `ZITI_CTRL_ADVERTISED_PORT` in `/opt/openziti/etc/controller/env` to bootstrap with a different port.
You may set `ZITI_CTRL_ADVERTISED_PORT` in `/opt/openziti/etc/controller/bootstrap.env` to bootstrap with a different port.

Clients "learn" the controller's address and port when they enroll, so it is necessary to re-enroll or re-create the client if the controller's address or port changes.

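Review bot: line 31 is now inconsistent with the rest of this commit. It still tells the reader to set `ZITI_BOOTSTRAP_DATABASE=false` in `/lib/systemd/system/ziti-controller.service`, while the migrate guide in the same commit writes that setting to `/opt/openziti/etc/controller/service.env`; update line 31 to name `service.env`. That also avoids editing a unit file under `/lib/systemd/system`, which a package upgrade will overwrite. The same concern applies to the `LoadCredential` advice in line 29: a drop-in created with `systemctl edit ziti-controller.service` survives upgrades, the shipped unit does not. Dropping `SetCredential` from line 29 is the right call, since it would embed the literal password in the unit file, whereas `LoadCredential` reads it from a separate root-only path.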
@@ -40,8 +40,7 @@ sudo cp -v ./ctrl.yaml /var/lib/ziti-controller/config.yml
sudo sed -Ei "s|$PWD|/var/lib/ziti-controller|g" /var/lib/ziti-controller/config.yml

# disable bootstrapping
sudo sed -Ei 's|(ZITI_BOOTSTRAP_.*)=.*|\1=false|g' /lib/systemd/system/ziti-controller.service
sudo systemctl daemon-reload
sudo sed -Ei 's|(ZITI_BOOTSTRAP_.*)=.*|\1=false|g' /opt/openziti/etc/controller/service.env

# start the service
sudo systemctl enable --now ziti-controller.service
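Review bot: the sed pattern `(ZITI_BOOTSTRAP_.*)=.*` in line 50 is unanchored, so it also rewrites a commented-out `# ZITI_BOOTSTRAP_...=` line, and because the captured `.*` is greedy it splits on the last `=` in the line rather than the first, so a value that ever contains `=` would come out as `KEY=value=false`. Anchor the key and restrict it to variable-name characters: `sudo sed -Ei 's|^(ZITI_BOOTSTRAP_[A-Z_]+)=.*|\1=false|' /opt/openziti/etc/controller/service.env`. Dropping `systemctl daemon-reload` is correct here, assuming the unit loads `service.env` via `EnvironmentFile=`: systemd reads that file when the service starts, so the `systemctl enable --now` in line 53 is all that is needed.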
8 changes: 4 additions & 4 deletions docusaurus/docs/guides/deployments/20-router/10-deploy.mdx
@@ -29,13 +29,13 @@ Bootstrapping happens automatically unless you disable it before running the rou

At a minimum, you must set these to start the service with bootstrapping enabled (the default).

1. In `/opt/openziti/etc/router/env` (the systemd env file for the router service)
1. In `/opt/openziti/etc/router/bootstrap.env` (the answer file for bootstrapping the router)
1. Set `ZITI_CTRL_ADVERTISED_ADDRESS` to the FQDN of the controller.
1. Set `ZITI_ENROLL_TOKEN` to the resulting token (JWT)

Additionally, you probably want to set these:

1. In `/opt/openziti/etc/router/env` (the systemd env file for the router service)
1. In `/opt/openziti/etc/router/bootstrap.env` (the answer file for bootstrapping the router)
1. Set `ZITI_ROUTER_ADVERTISED_ADDRESS` to the permanent FQDN of the router (default is the system's hostname, which may not be resolvable by clients). This value can not be changed after enrollment.
1. Set `ZITI_ROUTER_MODE` to `tproxy` (default is `host`) if this router's built-in tunneler will provide a transparent proxy for dialing services. This changes the requirements for kernel capabilities and DNS configuration.

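Review bot: `ZITI_ENROLL_TOKEN` (line 64) is a one-time secret, and this hunk moves it into `/opt/openziti/etc/router/bootstrap.env` without stating that file's required permissions. Line 75 gives the requirement for the `.token` fallback ("must be readable by root (not others)"); the same sentence belongs here, since `bootstrap.env` can now hold the token. Minor: "can not" in line 70 should be "cannot".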
@@ -63,7 +63,7 @@ ziti edge create edge-router "AcmeRouter1" \

The systemd service looks for the token in `/opt/openziti/etc/router/.token` if env var `ZITI_ENROLL_TOKEN` is empty. The file must be readable by root (not others).

`ZITI_ENROLL_TOKEN` may be defined for the systemd service in `/opt/openziti/etc/router/env` or in the Docker environment when running as a container.
`ZITI_ENROLL_TOKEN` may be defined in `/opt/openziti/etc/router/bootstrap.env` or in the Docker environment when running as a container.

The router will enroll with the controller during the first startup. The one-time enrollment token is consumed during the enrollment process and a private key is generated in the router's working directory.

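Review bot: line 78 should say what to do with the token once enrollment has happened. Line 80 states the token is consumed on first startup, and the controller guide tells the reader to delete `ZITI_PWD` from its answer file after bootstrapping; give the same advice here (remove the `ZITI_ENROLL_TOKEN=` line from `bootstrap.env`, or delete `.token`, after the router has enrolled), otherwise a spent but still-sensitive JWT lingers on disk. It would also help to state precedence explicitly: line 75 implies the environment variable wins and `.token` is consulted only when it is empty.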
@@ -73,7 +73,7 @@ Disable bootstrapping enrollment by setting `ZITI_BOOTSTRAP_ENROLLMENT=false` in

The router listens on a single configurable TCP port: `3022/tcp`. Ziti clients use ALPN to negotiate a connection to the edge (`ziti-edge`), fabric links (`ziti-link`), or health-check APIs (`h2`, `http/1.1`).

You may set `ZITI_ROUTER_PORT` in `/opt/openziti/etc/router/env` or the Docker environment to bootstrap with a different port.
You may set `ZITI_ROUTER_PORT` in `/opt/openziti/etc/router/bootstrap.env` or the Docker environment to bootstrap with a different port.

Clients "learn" the router's address and port when they poll the controller for authorized routers, so it is not necessary to re-enroll or re-create the client if the router's address or port changes. Simply change the config, bounce the router, and it will begin advertising the new address and port. This works because the system service and Docker container both auto-renew their server certificate every startup, and the certificate's DNS subject alternative name is set in the router's config.yml file. If you set `ZITI_AUTO_RENEW_CERTS=false` then it's necessary to administratively re-create the router or run at least once with the `--extend` flag.

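Review bot: line 87 should make clear that `ZITI_ROUTER_PORT` in `bootstrap.env` only seeds the generated `config.yml` on the first run. Line 89 says a later port change is made by editing the config and bouncing the router, so a reader who edits `bootstrap.env` after bootstrapping will see no effect; a sentence such as "after the first start, change the listener port in `config.yml` instead" avoids that confusion. Also, the context line at 73 ("...`ZITI_BOOTSTRAP_ENROLLMENT=false` in") is cut off in this view; whichever path it names should be `/opt/openziti/etc/router/service.env` to match the migrate guide change in this commit.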
3 changes: 1 addition & 2 deletions docusaurus/docs/guides/deployments/20-router/50-migrate.mdx
@@ -40,8 +40,7 @@ sudo mv -v /var/lib/ziti-router/{quickstart-router.yaml,config.yml}
sudo sed -Ei "s|$PWD|/var/lib/ziti-router|g" /var/lib/ziti-router/config.yml

# disable bootstrapping
sudo sed -Ei 's|(ZITI_BOOTSTRAP_.*)=.*|\1=false|g' /lib/systemd/system/ziti-router.service
sudo systemctl daemon-reload
sudo sed -Ei 's|(ZITI_BOOTSTRAP_.*)=.*|\1=false|g' /opt/openziti/etc/router/service.env

# run only the controller in the background using the quickstart state so the enrolled router can check in
nohup ziti controller run ctrl.yaml &
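Review bot: line 100 gives the reader no way to confirm the edit took effect. `sed -i` exits 0 whether or not the pattern matched, so if `/opt/openziti/etc/router/service.env` has no `ZITI_BOOTSTRAP_` line (or only commented ones) the router will still try to bootstrap and enroll against the quickstart controller started in line 103, which defeats the migration of an already-enrolled router. Follow the sed with a check, e.g. `grep -E '^ZITI_BOOTSTRAP_[A-Z_]+=false' /opt/openziti/etc/router/service.env` and stop if it prints nothing. The `g` flag is unnecessary, since at most one `KEY=` occurs per line.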