Resolve "Defense in depth: bind IPs"

extra/rocketchat.yml

@@ -64,7 +64,7 @@ services:
       - ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts
   # this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier
     ports:
-      - 3001:8080/tcp
+      - "${MISTBORN_BIND_IP}:3001:8080/tcp"
 
 networks:
   default:

scripts/env/setup.sh

@@ -4,15 +4,28 @@
 
 VAR_FILE=/opt/mistborn/.env
 
+# load env variables
+
 source /opt/mistborn/scripts/subinstallers/platform.sh
 
+# setup env file
+echo "" | sudo tee ${VAR_FILE}
+sudo chown mistborn:mistborn ${VAR_FILE}
+
+# MISTBORN_DNS_BIND_IP
+
 MISTBORN_DNS_BIND_IP="10.2.3.1"
 #if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
 #    MISTBORN_DNS_BIND_IP="10.2.3.1"
 #fi
 
-echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee ${VAR_FILE}
-sudo chown mistborn:mistborn ${VAR_FILE}
+echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee -a ${VAR_FILE}
+
+# MISTBORN_BIND_IP
+
+echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE}
+
+# MISTBORN_TAG
 
 GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master")
 MISTBORN_TAG="latest"
@@ -22,6 +35,8 @@ fi
 
 echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
 
+#### SERVICE files
+
 # copy current service files to systemd (overwriting as needed)
 sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
 

scripts/services/Mistborn-rocketchat.service

@@ -8,6 +8,7 @@ Restart=always
 User=root
 Group=docker
 PermissionsStartOnly=true
+EnvironmentFile=/opt/mistborn/.env
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down