firezone · jamilbk · Feb 12, 2022 · Feb 12, 2022
diff --git a/docs/docs/reference/configuration-file.md b/docs/docs/reference/configuration-file.md
@@ -12,8 +12,7 @@ Shown below is a complete listing of the configuration options available in
 <!-- markdownlint-disable MD013 -->
 
 | option                                                                        | description                                                                                                  | default value                                                          |
-| ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------  |
-| `default['firezone']['nginx']['enabled']`                                     | Whether to enable the bundled nginx server.                                                                  | `true`                                                                 |
+| ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------- |
 | `default['firezone']['fqdn']`                                                 | FQDN of this Firezone instance.                                                                              | `(node['fqdn'] || node['hostname']).downcase`                          |
 | `default['firezone']['config_directory']`                                     | Top-level directory for Firezone configuration.                                                              | `'/etc/firezone'`                                                      |
 | `default['firezone']['install_directory']`                                    | Top-level directory to install Firezone to.                                                                  | `'/opt/firezone'`                                                      |
@@ -25,6 +24,7 @@ Shown below is a complete listing of the configuration options available in
 | `default['firezone']['admin_email']`                                          | Email address for initial Firezone user.                                                                     | `"firezone@localhost"`                                                 |
 | `default['firezone']['egress_interface']`                                     | Interface name where tunneled traffic will exit. If nil, the default route interface will be used.           | `nil`                                                                  |
 | `default['firezone']['fips_enabled']`                                         | Enable or disable OpenSSL FIPs mode.                                                                         | `nil`                                                                  |
+| `default['firezone']['logging']['enabled']`                                   | Enable or disable logging across Firezone. Set to `false` to disable logging entirely.                       | `true`                                                                 |
 | `default['enterprise']['name']`                                               | Name used by the Chef 'enterprise' cookbook.                                                                 | `'firezone'`                                                           |
 | `default['firezone']['install_path']`                                         | Install path used by Chef 'enterprise' cookbook. Should be set to the same as the `install_directory` above. | `node['firezone']['install_directory']`                                |
 | `default['firezone']['sysvinit_id']`                                          | An identifier used in `/etc/inittab`. Must be a unique sequence of 1-4 characters.                           | `'SUP'`                                                                |

diff --git a/omnibus/cookbooks/firezone/attributes/default.rb b/omnibus/cookbooks/firezone/attributes/default.rb
@@ -49,6 +49,11 @@
 # Whether to use OpenSSL FIPS mode across Firezone. Default disabled.
 default['firezone']['fips_enabled'] = nil
 
+# ## Global Logging Settings
+#
+# Enable or disable logging. Set this to false to disable all Firezone logs.
+default['firezone']['logging']['enabled'] = true
+
 # ## Enterprise
 #
 # The "enterprise" cookbook provides recipes and resources we can use for this

diff --git a/omnibus/cookbooks/firezone/recipes/nginx.rb b/omnibus/cookbooks/firezone/recipes/nginx.rb
@@ -45,7 +45,7 @@
   owner node['firezone']['user']
   group node['firezone']['group']
   mode '0600'
-  variables(nginx: node['firezone']['nginx'])
+  variables(logging_enabled: node['firezone']['logging']['enabled'], nginx: node['firezone']['nginx'])
 end
 
 if node['firezone']['nginx']['enabled']

diff --git a/omnibus/cookbooks/firezone/recipes/phoenix.rb b/omnibus/cookbooks/firezone/recipes/phoenix.rb
@@ -42,6 +42,7 @@
   group node['firezone']['group']
   mode '0600'
   variables(nginx: node['firezone']['nginx'],
+            logging_enabled: node['firezone']['logging']['enabled'],
             phoenix: node['firezone']['phoenix'],
             fqdn: node['firezone']['fqdn'],
             fips_enabled: node['firezone']['fips_enabled'],

diff --git a/omnibus/cookbooks/firezone/templates/nginx.conf.erb b/omnibus/cookbooks/firezone/templates/nginx.conf.erb
@@ -7,7 +7,11 @@ daemon off;
 worker_rlimit_nofile <%= @nginx['worker_rlimit_nofile'] %>;
 <% end -%>
 
-error_log  <%= @nginx['log_dir'] %>/error.log;
+<% if @logging_enabled -%>
+  error_log  <%= @nginx['log_dir'] %>/error.log;
+<% else -%>
+  error_log /dev/null;
+<% end -%>
 pid        <%= @nginx['pid'] %>;
 
 events {
@@ -32,9 +36,11 @@ http {
   include       <%= @nginx['dir'] %>/mime.types;
   default_type  application/octet-stream;
 
-  <% unless @nginx['disable_access_log'] -%>
-  access_log	<%= @nginx['log_dir'] %>/access.log firezone;
-  <% end %>
+  <% if @logging_enabled -%>
+    <% unless @nginx['disable_access_log'] -%>
+    access_log	<%= @nginx['log_dir'] %>/access.log firezone;
+    <% end %>
+  <% end -%>
 
   server_tokens off;
   add_header X-Clacks-Overhead "GNU Terry Pratchett";

diff --git a/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb b/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb
@@ -55,8 +55,10 @@ server {
   }
 <% end -%>
 
-<% if @nginx['cache']['enabled'] -%>
-  access_log <%= @nginx['log_directory'] %>/cache.log cache;
+<% if @logging_enabled -%>
+  <% if @nginx['cache']['enabled'] -%>
+    access_log <%= @nginx['log_directory'] %>/cache.log cache;
+  <% end -%>
 <% end -%>
 
   location ~ /sitemap\d*.xml.gz {

diff --git a/omnibus/cookbooks/firezone/templates/sv-nginx-run.erb b/omnibus/cookbooks/firezone/templates/sv-nginx-run.erb
@@ -1,8 +1,8 @@
 #!/bin/sh
 exec 2>&1
-<%= "export OPENSSL_FIPS=1" if node['firezone']['fips_enabled'] == true %>
+<%= 'export OPENSSL_FIPS=1' if node['firezone']['fips_enabled'] == true %>
 
 exec <%= node['runit']['chpst_bin'] %> \
        -P \
      <%= node['firezone']['install_directory'] %>/embedded/sbin/nginx \
-       -c <%= node['firezone']['nginx']['directory'] %>/nginx.conf
+     -c <%= node['firezone']['nginx']['directory'] %>/nginx.conf <%= '> /dev/null' unless node['firezone']['logging']['enabled'] %>
diff --git a/omnibus/cookbooks/firezone/templates/sv-phoenix-run.erb b/omnibus/cookbooks/firezone/templates/sv-phoenix-run.erb
@@ -15,4 +15,4 @@ exec <%= node['runit']['chpst_bin'] %> \
   -P \
   -U <%= node['firezone']['user'] %>:<%= node['firezone']['group'] %> \
   -u <%= node['firezone']['user'] %>:<%= node['firezone']['group'] %> \
-  bin/firezone start
+  bin/firezone start <%= '> /dev/null' unless node['firezone']['logging']['enabled'] %>
diff --git a/omnibus/cookbooks/firezone/templates/sv-postgresql-run.erb b/omnibus/cookbooks/firezone/templates/sv-postgresql-run.erb
@@ -5,4 +5,4 @@ exec <%= node['runit']['chpst_bin'] %> \
        -U <%= node['firezone']['postgresql']['username'] %> \
        -u <%= node['firezone']['postgresql']['username'] %> \
      <%= node['firezone']['install_directory']%>/embedded/bin/postgres \
-       -D <%= node['firezone']['postgresql']['data_directory'] %>
+       -D <%= node['firezone']['postgresql']['data_directory'] %> <%= '> /dev/null' unless node['firezone']['logging']['enabled'] %>
diff --git a/omnibus/cookbooks/firezone/templates/sv-wireguard-run.erb b/omnibus/cookbooks/firezone/templates/sv-wireguard-run.erb
@@ -16,4 +16,4 @@ export WIREGUARD_LISTEN_PORT=<%= node['firezone']['wireguard']['port'] %>
 
 exec <%= node['runit']['chpst_bin'] %> \
      -P \
-     <%= node['firezone']['install_directory'] %>/embedded/bin/wireguard
+     <%= node['firezone']['install_directory'] %>/embedded/bin/wireguard <%= '> /dev/null' unless node['firezone']['logging']['enabled'] %>