From 0a7644827ef5b072ef6654b09d9104845412b665 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Sun, 6 Dec 2020 00:35:21 +0000
Subject: [PATCH] Resolve "Defense in depth: bind IPs"
---
 extra/rocketchat.yml | 2 +-
 scripts/env/setup.sh | 19 +++++++++++++++++--
 scripts/services/Mistborn-rocketchat.service | 1 +
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/extra/rocketchat.yml b/extra/rocketchat.yml
index 66113f1..f3b85ed 100644
--- a/extra/rocketchat.yml
+++ b/extra/rocketchat.yml
@@ -64,7 +64,7 @@ services:
 - ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts
 # this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier
 ports:
- - 3001:8080/tcp
+ - "${MISTBORN_BIND_IP}:3001:8080/tcp"
 networks:
 default:
diff --git a/scripts/env/setup.sh b/scripts/env/setup.sh
index ce3e9bc..43060b6 100755
--- a/scripts/env/setup.sh
+++ b/scripts/env/setup.sh
@@ -4,15 +4,28 @@ VAR_FILE=/opt/mistborn/.env
+# load env variables
+
 source /opt/mistborn/scripts/subinstallers/platform.sh
+# setup env file
+echo "" | sudo tee ${VAR_FILE}
+sudo chown mistborn:mistborn ${VAR_FILE}
+
+# MISTBORN_DNS_BIND_IP
+
 MISTBORN_DNS_BIND_IP="10.2.3.1"
 #if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
 # MISTBORN_DNS_BIND_IP="10.2.3.1"
 #fi
-echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee ${VAR_FILE}
-sudo chown mistborn:mistborn ${VAR_FILE}
+echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee -a ${VAR_FILE}
+
+# MISTBORN_BIND_IP
+
+echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE}
+
+# MISTBORN_TAG
 GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master")
 MISTBORN_TAG="latest"
@@ -22,6 +35,8 @@ fi
 echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
+#### SERVICE files
+
 # copy current service files to systemd (overwriting as needed)
 sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
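Review bot: The new port spec on the `+` line quietly falls back to binding every interface if `MISTBORN_BIND_IP` is empty or unset when compose is invoked, since `:3001:8080/tcp` with an empty host address is, as far as I recall, accepted by Docker as a bind-all mapping — the exact exposure this change is meant to remove. Compose's required-variable form fails loudly instead: `- "${MISTBORN_BIND_IP:?MISTBORN_BIND_IP is not set}:3001:8080/tcp"`. The comment two lines above still says the port is exposed "on the host on port 3001"; it should add that the listener is now bound only to the address in MISTBORN_BIND_IP, so the restriction is not later "fixed" back to an unbound mapping.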
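Review bot: `MISTBORN_BIND_IP=10.2.3.1` on the added line is a second hard-coded copy of the address that `MISTBORN_DNS_BIND_IP` is written from a variable a few lines above, so the two can silently diverge if the commented-out distro-specific block is ever re-enabled or the DNS address changes. Mirror the existing pattern — `MISTBORN_BIND_IP="10.2.3.1"` followed by `echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" | sudo tee -a ${VAR_FILE}` — or derive one from the other if they are meant to be the same interface. `echo "" | sudo tee ${VAR_FILE}` truncates the file as intended but leaves a leading blank line in .env; `sudo tee ${VAR_FILE} </dev/null` truncates without it. The file is created with the invoking umask, which is fine for bind addresses, but a comment such as `# .env holds non-secret settings only` would stop someone later appending credentials to a world-readable file.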
diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service
index 1ad5a84..ecb93a2 100644
--- a/scripts/services/Mistborn-rocketchat.service
+++ b/scripts/services/Mistborn-rocketchat.service
@@ -8,6 +8,7 @@ Restart=always
 User=root
 Group=docker
 PermissionsStartOnly=true
+EnvironmentFile=/opt/mistborn/.env
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
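Review bot: The added `EnvironmentFile=` line has no leading `-`, so the unit refuses to start while /opt/mistborn/.env does not exist; that is the right fail-closed choice here, because without `MISTBORN_BIND_IP` the compose port mapping would presumably fall back to an unrestricted bind, but the intent is invisible to a reader and deserves a comment: `# No leading '-': refuse to start rather than run compose without MISTBORN_BIND_IP (written by scripts/env/setup.sh)`. Note also that systemd's EnvironmentFile parser and docker-compose's own .env handling differ in quoting rules; the plain `KEY=value` lines setup.sh writes are fine for both, which is worth remembering if that file ever gains quoted values.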