diff --git a/extra/scirius.yml b/extra/scirius.yml
new file mode 100644
index 0000000..c2cae28
--- /dev/null
+++ b/extra/scirius.yml
@@ -0,0 +1,30 @@
+version: '3'
+
+services:
+ scirius:
+ container_name: mistborn_production_scirius
+ image: "cyber5k/scirius:${MISTBORN_TAG}"
+ #environment:
+ # - SECRET_KEY:
+ volumes:
+ - ../../mistborn_volumes/extra/scirius/data:/data
+ - ../../mistborn_volumes/extra/scirius/logs:/logs
+ - ../../mistborn_volumes/extra/scirius/static:/static
+ - ../../mistborn_volumes/extra/scirius/rules:/rules
+ - /var/run/suricata-command.socket:/var/run/suricata-command.socket
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.homeassistant-http.rule=Host(`suricata.mistborn`)"
+ - "traefik.http.routers.homeassistant-http.entrypoints=web"
+ - "traefik.http.routers.homeassistant-http.middlewares=mistborn_auth@file"
+ - "traefik.http.routers.homeassistant-https.rule=Host(`suricata.mistborn`)"
+ - "traefik.http.routers.homeassistant-https.entrypoints=websecure"
+ - "traefik.http.routers.homeassistant-https.middlewares=mistborn_auth@file"
+ - "traefik.http.routers.homeassistant-https.tls.certresolver=basic"
+ - "traefik.http.services.homeassistant-service.loadbalancer.server.port=8000"
+ restart: unless-stopped
+
+networks:
+ default:
+ external:
+ name: mistborn_default
\ No newline at end of file
diff --git a/scripts/env/suricata_init.sh b/scripts/env/suricata_init.sh
new file mode 100755
index 0000000..4e79514
--- /dev/null
+++ b/scripts/env/suricata_init.sh
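Review bot: The Traefik labels still carry the `homeassistant-http`, `homeassistant-https` and `homeassistant-service` names under a `suricata.mistborn` Host rule; they read as copied from another compose file, and if that file defines routers with the same names Traefik will see conflicting definitions and disable one of the two services, so they should be renamed per service, e.g. `traefik.http.routers.scirius-https.entrypoints=websecure` and `traefik.http.services.scirius-service.loadbalancer.server.port=8000`. The bind mount of `/var/run/suricata-command.socket` deserves a comment: if the socket is absent on the host when compose starts, Docker creates that path as an empty directory and Suricata can then no longer create its socket there, and mounting it gives the container control of the host's Suricata instance, so a line such as `# host Suricata control socket: must exist before start; grants the container command access to Suricata` would document both. The commented-out `SECRET_KEY` block suggests the image expects a key from the environment; if it is left unset, whatever the image falls back to would be shared by every deployment, so it should be wired to the (also commented-out) EnvironmentFile in the service unit rather than left as a stub.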
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+# minimal dependencies
+sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
+ libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+ make libmagic-dev libjansson-dev
+
+## recommended dependencies
+#sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
+# libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+# libcap-ng-dev libcap-ng0 make libmagic-dev \
+# libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
+# python-yaml rustc cargo
+
+# iptables/nftables integration
+sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 \
+ libnetfilter-log-dev libnetfilter-log1 \
+ libnfnetlink-dev libnfnetlink0
+
+
+if [ "$DISTRO" == "ubuntu" ]; then
+ echo "Installing Suricata Ubuntu PPA"
+ sudo -E add-apt-repository -y ppa:oisf/suricata-stable
+ sudo -E apt-get update
+ sudo -E apt-get install -y suricata
+elif [ "$DISTRO" == "debian" ]; then
+ echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
+ sudo -E tee -a /etc/apt/sources.list.d/backports.list
+ sudo -E apt-get update
+ sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
+else
+ echo "Basic Suricata installation"
+ sudo -E apt-get install -y suricata
+fi
+
+# # iptables
+# sudo iptables -A INPUT -j NFQUEUE
+# sudo iptables -I FORWARD -j NFQUEUE
+# sudo iptables -I OUTPUT -j NFQUEUE
+
+# # rsyslog to create /var/log/suricata.log
+# sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
+# sudo chown root:root /etc/rsyslog.d/20-suricata.conf
+# sudo systemctl restart rsyslog
diff --git a/scripts/services/Mistborn-scirius.service b/scripts/services/Mistborn-scirius.service
new file mode 100644
index 0000000..5d33cd4
--- /dev/null
+++ b/scripts/services/Mistborn-scirius.service
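Review bot: The Debian branch appends the backports line with `tee -a` on every run, and the service unit in this commit invokes the script as an ExecStartPre on every start, so `/etc/apt/sources.list.d/backports.list` accumulates duplicate entries; since that file holds only this one line, overwriting is idempotent: `sudo -E tee /etc/apt/sources.list.d/backports.list`. `${VERSION_CODENAME}` in the `-t` argument is unquoted and, when the variable is empty, silently becomes `-t -backports`; quoting it as `"${VERSION_CODENAME}-backports"` and exiting early when `VERSION_CODENAME` is empty would surface the real problem. `http://http.debian.net` is, as far as I know, the deprecated redirector that `deb.debian.org` replaced; apt's signature verification keeps the plaintext URL an availability rather than an integrity concern, but the mirror should be updated. Because `set -e` aborts on any apt or `add-apt-repository` failure and this runs from a service pre-start hook, a network outage blocks the unit from starting; that may be intended, but a header comment stating that this script performs network installs as root on every service start would make the trade-off explicit.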
@@ -0,0 +1,24 @@
+[Unit]
+Description=Mistborn Scirius
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+User=root
+Group=docker
+PermissionsStartOnly=true
+#EnvironmentFile=/opt/mistborn/.envs/.production/.scirius
+ExecStartPre=/opt/mistborn/scripts/env/suricata_init.sh
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/scirius.yml down
+
+# Start container when unit is started
+ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/scirius.yml up --build
+# Stop container when unit is stopped
+ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/scirius.yml down
+# Post stop
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
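Review bot: The comment `# Shutdown container (if running) when unit is stopped` sits above an `ExecStartPre=` line, so it describes the wrong lifecycle phase; that command runs before start, and the comment should read `# Remove any stale container before starting`. With `Restart=always` and no `RestartSec=`, a failing `suricata_init.sh` pre-start (which performs apt installs over the network) is retried at the 100 ms default until the unit's start-rate limit trips, each retry re-running apt as root; a `RestartSec=` value and a note that the pre-start installs packages would make that visible. `PermissionsStartOnly=true` has no effect here because `User=root` already; if a non-root `User=` is intended later, the current systemd idiom for a privileged pre-start is the `+` prefix on the `ExecStartPre=` value. The dangling `# Post stop` comment documents nothing and should be filled in or dropped.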