From 5acc33419a251fc49436e3d2726c927305133e67 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Tue, 2 Mar 2021 14:12:35 -0500
Subject: [PATCH 01/19] handle updates and services
---
 scripts/env/check_env_file.sh | 30 ++++++++++++
 scripts/services/Mistborn-guacamole.service | 1 +
 scripts/services/Mistborn-jitsi.service | 1 +
 scripts/services/Mistborn-rocketchat.service | 3 +-
 scripts/subinstallers/extras/bitwarden.sh | 6 +++
 scripts/subinstallers/extras/guacamole.sh | 13 +++++
 scripts/subinstallers/extras/jitsi.sh | 12 +++++
 scripts/subinstallers/extras/nextcloud.sh | 9 ++++
 scripts/subinstallers/extras/onlyoffice.sh | 7 +++
 scripts/subinstallers/extras/rocketchat.sh | 13 +++++
 scripts/subinstallers/gen_prod_env.sh | 51 --------------------
 11 files changed, 94 insertions(+), 52 deletions(-)
 create mode 100755 scripts/env/check_env_file.sh
 create mode 100755 scripts/subinstallers/extras/bitwarden.sh
 create mode 100755 scripts/subinstallers/extras/guacamole.sh
 create mode 100755 scripts/subinstallers/extras/jitsi.sh
 create mode 100755 scripts/subinstallers/extras/nextcloud.sh
 create mode 100755 scripts/subinstallers/extras/onlyoffice.sh
 create mode 100755 scripts/subinstallers/extras/rocketchat.sh
diff --git a/scripts/env/check_env_file.sh b/scripts/env/check_env_file.sh
new file mode 100755
index 0000000..3e6aca4
--- /dev/null
+++ b/scripts/env/check_env_file.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+
+SERVICE="$1"
+
+export MISTBORN_HOME=/opt/mistborn
+
+# read in global variables
+set -a
+source ${MISTBORN_HOME}/.env
+set +a
+
+export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh"
+export SERVICE_ENV_FILE="${MISTBORN_HOME}/.envs/.production/.${SERVICE}"
+
+if [[ -f "${SERVICE_ENV_INSTALLER}" ]]; then
+
+ if [[ -f "${SERVICE_ENV_FILE}" ]]; then
+ echo "Environment file already exists."
+ else
+ echo "Creating environment file"
+
+ source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE
+
+ fi
+
+else
+ echo "No subinstaller found."
+fi
diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service
index be4f9f1..6a286b7 100644
--- a/scripts/services/Mistborn-guacamole.service
+++ b/scripts/services/Mistborn-guacamole.service
@@ -10,6 +10,7 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 EnvironmentFile=/opt/mistborn/.envs/.production/.guacamole
+ExecStartPre=/opt/mistborn/scripts/env/check_env_file.sh guacamole
 ExecStartPre=/opt/mistborn/scripts/env/guacamole_init.sh
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down
diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service
index c4c388f..5a63cb1 100644
--- a/scripts/services/Mistborn-jitsi.service
+++ b/scripts/services/Mistborn-jitsi.service
@@ -10,6 +10,7 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
+ExecStartPre=/opt/mistborn/scripts/env/check_env_file.sh jitsi
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service
index 3c1379d..fb84a2a 100644
--- a/scripts/services/Mistborn-rocketchat.service
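Review bot: The `source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE` line lets the installer create a file holding service secrets (the installers in this patch write POSTGRES_PASSWORD, JWT_SECRET and admin passwords) without setting a creation mode, so the file gets whatever the caller's umask allows; put `umask 077` on the line before it, or have the installers create the file with `install -m 600`. `SERVICE` goes straight from `$1` into two paths, so a guard such as `[[ "$SERVICE" =~ ^[A-Za-z0-9_-]+$ ]] || exit 1` after the assignment keeps an unexpected argument from sourcing a file outside the subinstaller directory. Note also that the installers are added under `scripts/subinstallers/extras/` while this script looks in `.../extra/`, so the `-f` test cannot succeed at this commit (patch 03 renames the directory). The expansions on both `source` lines should be quoted.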
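Review bot: `EnvironmentFile=/opt/mistborn/.envs/.production/.guacamole` is read by systemd before any ExecStartPre= runs, and a missing file without the `-` prefix fails the unit, so the new `check_env_file.sh guacamole` line can never create it in time on a first start. Use `EnvironmentFile=-/opt/mistborn/.envs/.production/.guacamole` so the absence is tolerated on the run that creates it. The same applies to the jitsi hunk in this patch and to the EnvironmentFile= line re-added to Mistborn-jitsi.service in patch 07.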
+++ b/scripts/services/Mistborn-rocketchat.service
@@ -9,7 +9,8 @@ Restart=always
 User=root
 Group=docker
 PermissionsStartOnly=true
-EnvironmentFile=/opt/mistborn/.env
+EnvironmentFile=/opt/mistborn/.rocketchat
+ExecStartPre=/opt/mistborn/scripts/env/check_env_file.sh rocketchat
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
diff --git a/scripts/subinstallers/extras/bitwarden.sh b/scripts/subinstallers/extras/bitwarden.sh
new file mode 100755
index 0000000..abc37a5
--- /dev/null
+++ b/scripts/subinstallers/extras/bitwarden.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# generate bitwarden .env files
+BITWARDEN_PROD_FILE="$1"
+echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
+echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
\ No newline at end of file
diff --git a/scripts/subinstallers/extras/guacamole.sh b/scripts/subinstallers/extras/guacamole.sh
new file mode 100755
index 0000000..8df9d00
--- /dev/null
+++ b/scripts/subinstallers/extras/guacamole.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Guacamole
+GUAC_PROD_FILE="$1"
+GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
+echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE
+echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE
+echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE
+echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
+echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
+echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
+echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
+echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE
\ No newline at end of file
diff --git a/scripts/subinstallers/extras/jitsi.sh b/scripts/subinstallers/extras/jitsi.sh
new file mode 100755
index 0000000..fcf3493
--- /dev/null
+++ b/scripts/subinstallers/extras/jitsi.sh
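Review bot: `+EnvironmentFile=/opt/mistborn/.rocketchat` does not match the path check_env_file.sh creates, `/opt/mistborn/.envs/.production/.rocketchat`, so the unit would still fail to load its environment after the file is generated. Beyond the path, EnvironmentFile= is read before any ExecStartPre= runs and a missing file without the `-` prefix fails the start, so `EnvironmentFile=-/opt/mistborn/.envs/.production/.rocketchat` is needed for the first start to succeed, the same situation as in the guacamole and jitsi hunks of this patch.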
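Review bot: Both redirections target an unquoted `$BITWARDEN_PROD_FILE`; since this file is `source`d by check_env_file.sh with the output path as `$1`, a path containing whitespace would be split — write `> "$BITWARDEN_PROD_FILE"` and `>> "$BITWARDEN_PROD_FILE"`. The `#!/bin/bash` line is inert for a sourced file, so a header comment saying the script is meant to be sourced with the output path as `$1` (and that `BITWARDEN_PROD_FILE` therefore lands in the caller's environment) would help the next reader. `SIGNUPS_ALLOWED=true` is carried over unchanged from gen_prod_env.sh, but since it lets any client that can reach the vault create an account, a one-line comment on the intended exposure would make the choice reviewable.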
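Review bot: The second write, `echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE`, uses `>` rather than `>>`, so it truncates the file and the POSTGRES_HOST line written just before it is lost; change it to `>> $GUAC_PROD_FILE` (the block being removed from gen_prod_env.sh has the same defect, so this is the moment to fix it). The file also receives `POSTGRES_PASSWORD` and `MISTBORN_DEFAULT_PASSWORD`, so the mode check_env_file.sh creates it with matters, and the redirection targets should be quoted as well.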
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# JITSI
+JITSI_PROD_FILE="$1"
+cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE
+mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
+sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
\ No newline at end of file
diff --git a/scripts/subinstallers/extras/nextcloud.sh b/scripts/subinstallers/extras/nextcloud.sh
new file mode 100755
index 0000000..b1568b7
--- /dev/null
+++ b/scripts/subinstallers/extras/nextcloud.sh
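Review bot: The six `sed -i` lines each embed the same python3 one-liner, and `cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE` is unquoted; a small generator function plus a loop over the key names keeps the secret source in one place and quotes the paths. The generated value is alphanumeric only, which is what makes splicing it into the sed replacement safe, so that property deserves a comment before someone switches to a character set containing `/` or `&`. The `KEY.*` patterns are not anchored at line start, so a commented `#KEY=` line in conf/jitsi.env would be rewritten too — I can't see that file, so the rewrite below keeps the original pattern.
```shell
JITSI_PROD_FILE="$1"
cp "${MISTBORN_HOME}/scripts/conf/jitsi.env" "$JITSI_PROD_FILE"
mkdir -p "${MISTBORN_HOME}"/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}

# 32 alphanumeric characters from the CSPRNG; no sed metacharacters, so the
# value can be spliced into the replacement below without escaping.
gen_secret() {
  python3 -c "import secrets, string; print(''.join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32)))"
}

# Replace the value of one KEY=... line in the copied env file with a fresh secret.
set_secret() {
  sed -i "s/$1.*/$1=$(gen_secret)/" "$JITSI_PROD_FILE"
}

for key in JICOFO_COMPONENT_SECRET JICOFO_AUTH_PASSWORD JVB_AUTH_PASSWORD \
           JIGASI_XMPP_PASSWORD JIBRI_RECORDER_PASSWORD JIBRI_XMPP_PASSWORD; do
  set_secret "$key"
done
```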
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# generate nextcloud .env files
+NEXTCLOUD_PROD_FILE="$1"
+#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
+NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
+echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
+echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
+echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
\ No newline at end of file
diff --git a/scripts/subinstallers/extras/onlyoffice.sh b/scripts/subinstallers/extras/onlyoffice.sh
new file mode 100755
index 0000000..3fadeca
--- /dev/null
+++ b/scripts/subinstallers/extras/onlyoffice.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# generate onlyoffice .env files
+ONLYOFFICE_PROD_FILE="$1"
+JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}"
+echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
+echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
\ No newline at end of file
diff --git a/scripts/subinstallers/extras/rocketchat.sh b/scripts/subinstallers/extras/rocketchat.sh
new file mode 100755
index 0000000..6da1e2d
--- /dev/null
+++ b/scripts/subinstallers/extras/rocketchat.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# generate rocketchat .env files
+ROCKETCHAT_PROD_FILE="$1"
+#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
+ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
+echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
+echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
+echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
+echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
+
+# docker environment
+echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE
\ No newline at end of file
diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh
index bc06297..23845e8 100755
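Review bot: `NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"` silently becomes an empty admin password when that variable is not in the caller's environment — neither this file nor check_env_file.sh sets `-u`, and at this commit the caller only sources `.env` (whether that file defines it I can't see). Add `: "${MISTBORN_DEFAULT_PASSWORD:?not set}"` before the assignment; onlyoffice.sh and rocketchat.sh in this patch have the same gap. Separately, the commented-out generator line shows the admin password could be per-service; reusing the platform default password for the Nextcloud admin means one leaked credential unlocks every service that copies it, which is worth stating in a comment if the reuse is deliberate.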
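Review bot: `JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}"` makes the OnlyOffice signing key identical to the platform's default login password, although no person ever needs to type this value. A per-service random value is strictly better here, e.g. `JWT_SECRET=$(python3 -c "import secrets; print(secrets.token_hex(32))")`, which is the approach guacamole.sh in this patch already takes for POSTGRES_PASSWORD. `> $ONLYOFFICE_PROD_FILE` and `>> $ONLYOFFICE_PROD_FILE` should quote the path.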
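Review bot: `echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE` freezes a copy of a global setting into a file that check_env_file.sh never regenerates once it exists ("Environment file already exists."), so a later change to MISTBORN_BIND_IP in `.env` would not reach this service. If the unit can read `.env` directly (the wrapper introduced later in this series sources it before the service file, so the stale copy would win), this line is better dropped; otherwise a comment should say the value is a one-time snapshot. `ROCKETCHAT_PASSWORD` is the platform default password again, and nothing guards against it being unset, as for nextcloud.sh.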
--- a/scripts/subinstallers/gen_prod_env.sh
+++ b/scripts/subinstallers/gen_prod_env.sh
@@ -39,54 +39,3 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole"
 WEBPASSWORD="$1"
 echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE
 echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE
-
-# generate rocketchat .env files
-ROCKETCHAT_PROD_FILE="./.envs/.production/.rocketchat"
-#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
-ROCKETCHAT_PASSWORD="$1"
-echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
-echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
-echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
-echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
-
-# generate nextcloud .env files
-NEXTCLOUD_PROD_FILE="./.envs/.production/.nextcloud"
-#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
-NEXTCLOUD_PASSWORD="$1"
-echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
-echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
-echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
-
-# generate onlyoffice .env files
-ONLYOFFICE_PROD_FILE="./.envs/.production/.onlyoffice"
-JWT_SECRET="$1"
-echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
-echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
-
-# generate bitwarden .env files
-BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden"
-echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
-echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
-
-# JITSI
-JITSI_PROD_FILE="./.envs/.production/.jitsi"
-cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
-mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
-sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-
-# Guacamole
-GUAC_PROD_FILE="./.envs/.production/.guacamole"
-GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
-echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE
-echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE
-echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE
-echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
-echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
-echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
-echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
-echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE
\ No newline at end of file
From 2782069d62213146c00791a2aa894d90fab49816 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Tue, 2 Mar 2021 14:17:37 -0500
Subject: [PATCH 02/19] global vars
---
 scripts/env/check_env_file.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/scripts/env/check_env_file.sh b/scripts/env/check_env_file.sh
index 3e6aca4..b8337c4 100755
--- a/scripts/env/check_env_file.sh
+++ b/scripts/env/check_env_file.sh
@@ -9,6 +9,9 @@ export MISTBORN_HOME=/opt/mistborn
 # read in global variables
 set -a
 source ${MISTBORN_HOME}/.env
+source ${MISTBORN_HOME}/.envs/.production/.django
+source ${MISTBORN_HOME}/.envs/.production/.postgres
+source ${MISTBORN_HOME}/.envs/.production/.pihole
 set +a
 export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh"
From baa2477d3d09f8469ef4fe6a62d031bf856fc1ca Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Tue, 2 Mar 2021 16:32:50 -0500
Subject: [PATCH 03/19] wrapper
---
 scripts/services/Mistborn-bitwarden.service | 6 +++---
 .../{extras => extra}/bitwarden.sh | 0
 .../{extras => extra}/guacamole.sh | 0
 .../subinstallers/{extras => extra}/jitsi.sh | 0
 .../{extras => extra}/nextcloud.sh | 0
 .../{extras => extra}/onlyoffice.sh | 0
 .../{extras => extra}/rocketchat.sh | 0
 scripts/wrappers/mistborn_docker.sh | 20 +++++++++++++++++++
 8 files changed, 23 insertions(+), 3 deletions(-)
 rename scripts/subinstallers/{extras => extra}/bitwarden.sh (100%)
 rename scripts/subinstallers/{extras => extra}/guacamole.sh (100%)
 rename scripts/subinstallers/{extras => extra}/jitsi.sh (100%)
 rename scripts/subinstallers/{extras => extra}/nextcloud.sh (100%)
 rename scripts/subinstallers/{extras => extra}/onlyoffice.sh (100%)
 rename scripts/subinstallers/{extras => extra}/rocketchat.sh (100%)
 create mode 100755 scripts/wrappers/mistborn_docker.sh
diff --git a/scripts/services/Mistborn-bitwarden.service b/scripts/services/Mistborn-bitwarden.service
index d1343da..4fed369 100644
--- a/scripts/services/Mistborn-bitwarden.service
+++ b/scripts/services/Mistborn-bitwarden.service
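Review bot: The three new `source` lines read `.django`, `.postgres` and `.pihole` unconditionally under `set -e`, so if any of them is absent when a service starts (I can't see the install order that creates them) this script aborts and the ExecStartPre= that calls it fails the unit. Guard each with an existence test, e.g. `[[ -f "$f" ]] && source "$f"` inside a small loop over the three paths, and quote the paths. Because `source` executes these files as root, they must stay root-owned and not writable by any other account; a one-line comment stating that expectation next to the block would make the trust boundary explicit.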
@@ -10,13 +10,13 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
diff --git a/scripts/subinstallers/extras/bitwarden.sh b/scripts/subinstallers/extra/bitwarden.sh
similarity index 100%
rename from scripts/subinstallers/extras/bitwarden.sh
rename to scripts/subinstallers/extra/bitwarden.sh
diff --git a/scripts/subinstallers/extras/guacamole.sh b/scripts/subinstallers/extra/guacamole.sh
similarity index 100%
rename from scripts/subinstallers/extras/guacamole.sh
rename to scripts/subinstallers/extra/guacamole.sh
diff --git a/scripts/subinstallers/extras/jitsi.sh b/scripts/subinstallers/extra/jitsi.sh
similarity index 100%
rename from scripts/subinstallers/extras/jitsi.sh
rename to scripts/subinstallers/extra/jitsi.sh
diff --git a/scripts/subinstallers/extras/nextcloud.sh b/scripts/subinstallers/extra/nextcloud.sh
similarity index 100%
rename from scripts/subinstallers/extras/nextcloud.sh
rename to scripts/subinstallers/extra/nextcloud.sh
diff --git a/scripts/subinstallers/extras/onlyoffice.sh b/scripts/subinstallers/extra/onlyoffice.sh
similarity index 100%
rename from scripts/subinstallers/extras/onlyoffice.sh
rename to scripts/subinstallers/extra/onlyoffice.sh
diff --git a/scripts/subinstallers/extras/rocketchat.sh b/scripts/subinstallers/extra/rocketchat.sh
similarity index 100%
rename from scripts/subinstallers/extras/rocketchat.sh
rename to scripts/subinstallers/extra/rocketchat.sh
diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh
new file mode 100755
index 0000000..68fda70
--- /dev/null
+++ b/scripts/wrappers/mistborn_docker.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+SERVICE="$1"
+shift
+
+export MISTBORN_HOME="/opt/mistborn"
+
+# check and create file if needed
+${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE}
+
+# read in variables
+set -a
+source ${MISTBORN_HOME}/.env
+source ${MISTBORN_HOME}/.envs/.production/.${SERVICE}
+set +a
+
+echo $@
+#exec "$@"
\ No newline at end of file
From 1c6ff044ad8f48e49850cc2b23259cee8bf11467 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Tue, 2 Mar 2021 16:52:14 -0500
Subject: [PATCH 04/19] exec
---
 scripts/wrappers/mistborn_docker.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh
index 68fda70..812648d 100755
--- a/scripts/wrappers/mistborn_docker.sh
+++ b/scripts/wrappers/mistborn_docker.sh
@@ -16,5 +16,4 @@ source ${MISTBORN_HOME}/.env
 source ${MISTBORN_HOME}/.envs/.production/.${SERVICE}
 set +a
-echo $@
-#exec "$@"
\ No newline at end of file
+exec "$@"
\ No newline at end of file
From f1a727c67826d796303b051bd5f31164a221d858 Mon Sep 17 00:00:00 2001
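Review bot: `SERVICE` is taken from `$1` and spliced unvalidated into the path handed to check_env_file.sh and into `source ${MISTBORN_HOME}/.envs/.production/.${SERVICE}`, which this script then executes as root; add `[[ "$SERVICE" =~ ^[A-Za-z0-9_-]+$ ]] || exit 1` after the `shift` and quote both expansions. With `set -a` active, every variable from `.env` and the service file — including the passwords the installers write — is exported to the process this wrapper hands off to, which is the purpose of the wrapper but deserves a header comment, since it makes the sourced files a trust boundary: anything able to write them gains root-executed code. At this commit the script ends in `echo $@`, so the systemd units that now call it only print their command line and exit.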
From: Steven Foerster
Date: Tue, 2 Mar 2021 17:14:01 -0500
Subject: [PATCH 05/19] wrap all extras
---
 scripts/services/Mistborn-guacamole.service | 8 +++-----
 scripts/services/Mistborn-homeassistant.service | 6 +++---
 scripts/services/Mistborn-jellyfin.service | 6 +++---
 scripts/services/Mistborn-jitsi.service | 8 +++-----
 scripts/services/Mistborn-nextcloud.service | 6 +++---
 scripts/services/Mistborn-onlyoffice.service | 6 +++---
 scripts/services/Mistborn-rocketchat.service | 8 +++-----
 scripts/services/Mistborn-syncthing.service | 6 +++---
 scripts/services/Mistborn-tor.service | 6 +++---
 9 files changed, 27 insertions(+), 33 deletions(-)
diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service
index 6a286b7..39aee24 100644
--- a/scripts/services/Mistborn-guacamole.service
+++ b/scripts/services/Mistborn-guacamole.service
@@ -9,16 +9,14 @@ Restart=always
 User=root
 Group=docker
 PermissionsStartOnly=true
-EnvironmentFile=/opt/mistborn/.envs/.production/.guacamole
-ExecStartPre=/opt/mistborn/scripts/env/check_env_file.sh guacamole
 ExecStartPre=/opt/mistborn/scripts/env/guacamole_init.sh
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
 # Post stop
 [Install]
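Review bot: With `EnvironmentFile=` and the `check_env_file.sh guacamole` line removed, `ExecStartPre=/opt/mistborn/scripts/env/guacamole_init.sh` now runs before the wrapper that creates and loads `.envs/.production/.guacamole`, and with none of that file's variables in its environment. I can't see guacamole_init.sh, but if it needs the POSTGRES_* values or the file itself, it should also go through the wrapper: `ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole /opt/mistborn/scripts/env/guacamole_init.sh`.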
diff --git a/scripts/services/Mistborn-homeassistant.service b/scripts/services/Mistborn-homeassistant.service
index 2acc9d8..a36b7c0 100644
--- a/scripts/services/Mistborn-homeassistant.service
+++ b/scripts/services/Mistborn-homeassistant.service
@@ -10,12 +10,12 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
 # Post stop
 [Install]
diff --git a/scripts/services/Mistborn-jellyfin.service b/scripts/services/Mistborn-jellyfin.service
index d41c5f3..7c27676 100644
--- a/scripts/services/Mistborn-jellyfin.service
+++ b/scripts/services/Mistborn-jellyfin.service
@@ -10,12 +10,12 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
 # Post stop
 [Install]
diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service
index 5a63cb1..b400f74 100644
--- a/scripts/services/Mistborn-jitsi.service
+++ b/scripts/services/Mistborn-jitsi.service
@@ -9,18 +9,16 @@ Restart=always
 User=root
 Group=docker
 PermissionsStartOnly=true
-EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
-ExecStartPre=/opt/mistborn/scripts/env/check_env_file.sh jitsi
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
diff --git a/scripts/services/Mistborn-nextcloud.service b/scripts/services/Mistborn-nextcloud.service
index 40ed97a..256c81a 100644
--- a/scripts/services/Mistborn-nextcloud.service
+++ b/scripts/services/Mistborn-nextcloud.service
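Review bot: Removing `EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi` leaves the unchanged `ExecStartPre=/sbin/iptables ... --dport $JVB_PORT` and `$JVB_TCP_PORT` lines (and the two ExecStopPost= lines) with nothing to expand from — systemd, not the wrapper, expands `$VAR` in Exec lines, and an unset variable expands to nothing, so iptables receives `--dport -j` and the start fails. Keep an `EnvironmentFile=-/opt/mistborn/.envs/.production/.jitsi` line in the unit (the `-` tolerates the first start before the wrapper has created the file), or route those calls through something that reads the file itself.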
@@ -10,12 +10,12 @@ User=www-data
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
 # Post stop
 [Install]
diff --git a/scripts/services/Mistborn-onlyoffice.service b/scripts/services/Mistborn-onlyoffice.service
index 5e02128..72b31d8 100644
--- a/scripts/services/Mistborn-onlyoffice.service
+++ b/scripts/services/Mistborn-onlyoffice.service
@@ -10,12 +10,12 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
 # Post stop
 [Install]
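Review bot: This unit has `User=www-data` with `PermissionsStartOnly=true`, so the wrapper on the `ExecStart=` line now runs as www-data, and the wrapper calls check_env_file.sh and `source`s `/opt/mistborn/.env` plus, since patch 02, `.django`, `.postgres` and `.pihole`. Those files therefore have to be readable by www-data for the service to start, which hands the platform's secrets to that account, while the ExecStartPre= calls still run as root and could do the same work. Consider keeping file creation and loading in a root ExecStartPre= and passing only the Nextcloud variables to ExecStart=, or at least confirm the ownership and mode of those files is what you intend.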
diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service
index fb84a2a..37bb83f 100644
--- a/scripts/services/Mistborn-rocketchat.service
+++ b/scripts/services/Mistborn-rocketchat.service
@@ -9,16 +9,14 @@ Restart=always
 User=root
 Group=docker
 PermissionsStartOnly=true
-EnvironmentFile=/opt/mistborn/.rocketchat
-ExecStartPre=/opt/mistborn/scripts/env/check_env_file.sh rocketchat
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
diff --git a/scripts/services/Mistborn-syncthing.service b/scripts/services/Mistborn-syncthing.service
index 234a213..273be71 100644
--- a/scripts/services/Mistborn-syncthing.service
+++ b/scripts/services/Mistborn-syncthing.service
@@ -10,14 +10,14 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
diff --git a/scripts/services/Mistborn-tor.service b/scripts/services/Mistborn-tor.service
index 68d01c5..ed47323 100644
--- a/scripts/services/Mistborn-tor.service
+++ b/scripts/services/Mistborn-tor.service
@@ -10,13 +10,13 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
From 6a79eff8b3af425497b91080ceabde0dd1c73939 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Tue, 2 Mar 2021 17:29:48 -0500
Subject: [PATCH 06/19] no error when file DNE
---
 scripts/wrappers/mistborn_docker.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh
index 812648d..a40fd74 100755
--- a/scripts/wrappers/mistborn_docker.sh
+++ b/scripts/wrappers/mistborn_docker.sh
@@ -6,6 +6,7 @@ SERVICE="$1"
 shift
 export MISTBORN_HOME="/opt/mistborn"
+export MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE}
 # check and create file if needed
 ${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE}
@@ -13,7 +14,13 @@ ${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE}
 # read in variables
 set -a
 source ${MISTBORN_HOME}/.env
-source ${MISTBORN_HOME}/.envs/.production/.${SERVICE}
+
+if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then
+ echo "Loading service variables"
+ source ${MISTBORN_SERVICE_FILE}
+else
+ echo "No service variables to load"
+fi
 set +a
 exec "$@"
\ No newline at end of file
From 2963faeb687144790f5130d482d7f65782b634aa Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Tue, 2 Mar 2021 19:37:09 -0500
Subject: [PATCH 07/19] jitsi env
---
 scripts/services/Mistborn-jitsi.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service
index b400f74..076f233 100644
--- a/scripts/services/Mistborn-jitsi.service
+++ b/scripts/services/Mistborn-jitsi.service
@@ -9,6 +9,7 @@ Restart=always
 User=root
 Group=docker
 PermissionsStartOnly=true
+EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
From ee229a1c33caf961d55f7c62c3a5f2e24dfe1e01 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Tue, 2 Mar 2021 20:07:39 -0500
Subject: [PATCH 08/19] jitsi post
---
 scripts/services/Mistborn-jitsi.service | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service
index 076f233..25754e5 100644
--- a/scripts/services/Mistborn-jitsi.service
+++ b/scripts/services/Mistborn-jitsi.service
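Review bot: The two new `echo` messages go to stdout, where they are interleaved with the wrapped command's output in the journal; wrapper diagnostics belong on stderr, `echo "Loading service variables" >&2`. `source ${MISTBORN_SERVICE_FILE}` should be `source "${MISTBORN_SERVICE_FILE}"`, matching the quoting already used on the `-f` test one line above. Since `set -a` is still active around this block, a comment noting that every assignment in the service file becomes part of the exec'd command's environment would document the contract the rest of the series relies on.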
@@ -14,10 +14,12 @@ EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi # Shutdown container (if running) when unit is stopped ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down -ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP # Start container when unit is started ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build +# Firewall +ExecStartPost=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +ExecStartPost=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP + # Stop container when unit is stopped ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down # Post stop From b05be6ba0580865eb096ef4c50b1bf34d2cb08fb Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 2 Mar 2021 20:12:27 -0500 Subject: [PATCH 09/19] jitsi wrapper --- scripts/services/Mistborn-jitsi.service | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service index 25754e5..deae277 100644 --- a/scripts/services/Mistborn-jitsi.service +++ b/scripts/services/Mistborn-jitsi.service 
@@ -13,18 +13,17 @@ EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi # Shutdown container (if running) when unit is stopped ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP # Start container when unit is started ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build -# Firewall -ExecStartPost=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStartPost=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP # Stop container when unit is stopped ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down # Post stop -ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP +ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP [Install] WantedBy=multi-user.target From 2fe60bac7dce8dcd37069be87f6f209031099655 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 2 Mar 2021 20:16:23 -0500 Subject: [PATCH 10/19] removing env ref --- scripts/services/Mistborn-jitsi.service | 1 - 1 file changed, 1 deletion(-) 
diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service index deae277..6fed3cb 100644 --- a/scripts/services/Mistborn-jitsi.service +++ b/scripts/services/Mistborn-jitsi.service @@ -9,7 +9,6 @@ Restart=always User=root Group=docker PermissionsStartOnly=true -EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi # Shutdown container (if running) when unit is stopped ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down From 5e6c1f45d0345c1299b8c0c93051bf63b07f2303 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 2 Mar 2021 22:09:53 -0500 Subject: [PATCH 11/19] jitsi scripts --- scripts/env/setup.sh | 2 ++ scripts/services/Mistborn-jitsi.service | 6 ++---- scripts/services/jitsi/iptables_down.sh | 4 ++++ scripts/services/jitsi/iptables_up.sh | 4 ++++ 4 files changed, 12 insertions(+), 4 deletions(-) create mode 100644 scripts/services/jitsi/iptables_down.sh create mode 100644 scripts/services/jitsi/iptables_up.sh diff --git a/scripts/env/setup.sh b/scripts/env/setup.sh index 43060b6..47c6c28 100755 --- a/scripts/env/setup.sh +++ b/scripts/env/setup.sh @@ -58,4 +58,6 @@ done # default interface sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/" +echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE} + sudo systemctl daemon-reload diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service index 6fed3cb..c6bcd5c 100644 --- a/scripts/services/Mistborn-jitsi.service +++ b/scripts/services/Mistborn-jitsi.service 
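Review bot: `echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE}` appends a fresh line every time setup.sh runs, so re-running it accumulates duplicate `DIFACE=` entries (the last one wins when the file is sourced, but stale values linger), and `tee` also echoes the value to stdout. Make the write idempotent, e.g. `sudo sed -i '/^DIFACE=/d' "${VAR_FILE}"` before the append, and redirect tee's copy to `/dev/null`; `${VAR_FILE}` should be quoted as well. `iface` is assigned earlier in the script, outside the hunk.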
@@ -12,8 +12,7 @@ PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down -ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh # Start container when unit is started ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build @@ -21,8 +20,7 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose # Stop container when unit is stopped ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down # Post stop -ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP +ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh [Install] WantedBy=multi-user.target diff --git a/scripts/services/jitsi/iptables_down.sh b/scripts/services/jitsi/iptables_down.sh new file mode 100644 index 0000000..f7dc3cc --- /dev/null +++ b/scripts/services/jitsi/iptables_down.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP \ No newline at end of file 
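Review bot: Both new scripts run `iptables` with unquoted, unchecked `$DIFACE`, `$JVB_PORT` and `$JVB_TCP_PORT` and no `set` options, so when the service env file was not loaded (the wrapper prints a notice and continues) the rule is assembled from empty tokens and fails only by accident of iptables' argument parsing, or not at all if a later variable happens to fill the gap. Add `set -eu` after the shebang and quote the expansions so a missing variable aborts explicitly: `iptables -w -D DOCKER-USER -i "$DIFACE" -p udp --dport "$JVB_PORT" -j MISTBORN_LOG_DROP`. The `-I` in iptables_up.sh (next hunk) is also not idempotent; if a start ever runs without a matching stop-post the rule is duplicated, which `iptables -w -C … || iptables -w -I …` avoids. The same note applies to iptables_up.sh.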
diff --git a/scripts/services/jitsi/iptables_up.sh b/scripts/services/jitsi/iptables_up.sh new file mode 100644 index 0000000..50756c0 --- /dev/null +++ b/scripts/services/jitsi/iptables_up.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP \ No newline at end of file From b70495073ca70c47d2f2e0689c724aec89f9c3a9 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 2 Mar 2021 22:15:06 -0500 Subject: [PATCH 12/19] +x --- scripts/services/jitsi/iptables_down.sh | 0 scripts/services/jitsi/iptables_up.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 scripts/services/jitsi/iptables_down.sh mode change 100644 => 100755 scripts/services/jitsi/iptables_up.sh diff --git a/scripts/services/jitsi/iptables_down.sh b/scripts/services/jitsi/iptables_down.sh old mode 100644 new mode 100755 diff --git a/scripts/services/jitsi/iptables_up.sh b/scripts/services/jitsi/iptables_up.sh old mode 100644 new mode 100755 From cd6f1de4427b4fc55a2e68a9f35d107e10fa7bc0 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 3 Mar 2021 07:41:35 -0500 Subject: [PATCH 13/19] chmod --- scripts/env/setup.sh | 1 + scripts/install.sh | 1 + scripts/subinstallers/gen_prod_env.sh | 1 + 3 files changed, 3 insertions(+) diff --git a/scripts/env/setup.sh b/scripts/env/setup.sh index 47c6c28..bbf0237 100755 --- a/scripts/env/setup.sh +++ b/scripts/env/setup.sh @@ -11,6 +11,7 @@ source /opt/mistborn/scripts/subinstallers/platform.sh # setup env file echo "" | sudo tee ${VAR_FILE} sudo chown mistborn:mistborn ${VAR_FILE} +sudo chmod 600 ${VAR_FILE} # MISTBORN_DNS_BIND_IP diff --git a/scripts/install.sh b/scripts/install.sh index 31e0f83..e79b838 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
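Review bot: `sudo chmod 600 ${VAR_FILE}` tightens the file only after `echo "" | sudo tee ${VAR_FILE}` has already created it under the default umask, so it is briefly readable by other local users; the same create-then-chmod order appears in the [PATCH 13/19] gen_prod_env.sh hunk (`chmod 700 ./.envs` after `mkdir -p`), the [PATCH 14/19] check_env_file.sh hunk (`chmod 600` after the installer has written the secrets) and the three `chmod 600` lines in [PATCH 15/19]. Create files with the final mode from the start, e.g. `sudo install -m 600 -o mistborn -g mistborn /dev/null "${VAR_FILE}"` here, or set `umask 077` at the top of each of these scripts so every file and directory they create is private from the first write. `${VAR_FILE}` should also be quoted.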
@@ -248,6 +248,7 @@ sudo resolvconf -u 1>/dev/null 2>&1 echo "backup up original volumes folder" sudo mkdir -p ../mistborn_backup +sudo chmod 700 ../mistborn_backup sudo tar -czf ../mistborn_backup/mistborn_volumes_backup.tar.gz ../mistborn_volumes 1>/dev/null 2>&1 # clean docker diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index 23845e8..3644bc6 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -4,6 +4,7 @@ figlet "Mistborn: Container Credentials" # generate production .env file for Django mkdir -p ./.envs/.production +chmod 700 ./.envs DJANGO_PROD_FILE="./.envs/.production/.django" DJANGO_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(50)]))") #CELERY_FLOWER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") From bb70b94357b1d3a2b888b2b3904ac6085fa6a60c Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 3 Mar 2021 09:54:26 -0500 Subject: [PATCH 14/19] init script --- scripts/env/check_env_file.sh | 9 +++++---- .../guacamole_init.sh => services/guacamole/init.sh} | 5 +++++ scripts/wrappers/mistborn_docker.sh | 11 ++++++++++- 3 files changed, 20 insertions(+), 5 deletions(-) rename scripts/{env/guacamole_init.sh => services/guacamole/init.sh} (86%) diff --git a/scripts/env/check_env_file.sh b/scripts/env/check_env_file.sh index b8337c4..9972e9d 100755 --- a/scripts/env/check_env_file.sh +++ b/scripts/env/check_env_file.sh @@ -5,6 +5,8 @@ set -e SERVICE="$1" export MISTBORN_HOME=/opt/mistborn +export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh" +export SERVICE_ENV_FILE="${MISTBORN_HOME}/.envs/.production/.${SERVICE}" # read in global variables set -a 
@@ -14,17 +16,16 @@ source ${MISTBORN_HOME}/.envs/.production/.postgres source ${MISTBORN_HOME}/.envs/.production/.pihole set +a -export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh" -export SERVICE_ENV_FILE="${MISTBORN_HOME}/.envs/.production/.${SERVICE}" - if [[ -f "${SERVICE_ENV_INSTALLER}" ]]; then if [[ -f "${SERVICE_ENV_FILE}" ]]; then echo "Environment file already exists." else - echo "Creating environment file" + # create env file for service + echo "Creating environment file" source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE + chmod 600 $SERVICE_ENV_FILE fi diff --git a/scripts/env/guacamole_init.sh b/scripts/services/guacamole/init.sh similarity index 86% rename from scripts/env/guacamole_init.sh rename to scripts/services/guacamole/init.sh index 50c846f..1e8634f 100755 --- a/scripts/env/guacamole_init.sh +++ b/scripts/services/guacamole/init.sh @@ -1,5 +1,10 @@ #!/bin/bash +if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then + echo "initdb.sql exists. Proceeding." + exit 0 +fi + mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1 chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/ docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh index a40fd74..781eaa6 100755 --- a/scripts/wrappers/mistborn_docker.sh +++ b/scripts/wrappers/mistborn_docker.sh @@ -7,6 +7,7 @@ shift export MISTBORN_HOME="/opt/mistborn" export MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE} +export MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh # check and create file if needed ${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE} 
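Review bot: `source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE` and `chmod 600 $SERVICE_ENV_FILE` leave both paths unquoted, and since `SERVICE` originates from the wrapper's `$1` the installer path should be validated or at least quoted: `source "$SERVICE_ENV_INSTALLER" "$SERVICE_ENV_FILE"` and `chmod 600 "$SERVICE_ENV_FILE"`. It is also worth confirming that `scripts/subinstallers/extra/` (now set near the top of the file in the earlier hunk) is the directory the per-service installers are actually committed under, because a mismatched directory name silently takes the "No subinstaller found." branch and the service then starts without its environment file. The outer if/else around this block continues past the end of the hunk.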
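Review bot: The early exit on an existing `initdb.sql` makes init.sh idempotent, but the file it tests is produced by a plain redirect (`docker run … > …/initdb.sql`) further down, so a failed or interrupted `docker run` leaves an empty or partial file that satisfies the check on every later start and the database is never initialized. Write to a temporary name and move it into place only on success, `docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql.tmp && mv /opt/mistborn_volumes/extra/guacamole/init/initdb.sql.tmp /opt/mistborn_volumes/extra/guacamole/init/initdb.sql`, or at least add `set -e` and remove the file when the run fails. Pinning `guacamole/guacamole` to a specific tag rather than the floating default would make the generated schema reproducible, and `chmod -R +x` on a directory that holds only SQL looks unintended. The rest of the script is outside the hunk.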
@@ -19,8 +20,16 @@ if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then echo "Loading service variables" source ${MISTBORN_SERVICE_FILE} else - echo "No service variables to load" + echo "No service variables to load. Proceeding." fi set +a +# init script +if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then + echo "Running init script" + ${MISTBORN_SERVICE_INIT} +else + echo "No init script. Proceeding." +fi + exec "$@" \ No newline at end of file From 37fc6e62cfc8bd8f89552d9f41e3554327a2b177 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 3 Mar 2021 09:56:05 -0500 Subject: [PATCH 15/19] more chmod --- scripts/subinstallers/gen_prod_env.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index 3644bc6..d185c32 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -23,6 +23,7 @@ echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE +chmod 600 $DJANGO_PROD_FILE # generate production .env file for postgresql POSTGRES_PROD_FILE="./.envs/.production/.postgres" @@ -32,6 +33,7 @@ echo "POSTGRES_PORT=5432" >> $POSTGRES_PROD_FILE echo "POSTGRES_DB=mistborn" >> $POSTGRES_PROD_FILE echo "POSTGRES_USER=prod" >> $POSTGRES_PROD_FILE echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> $POSTGRES_PROD_FILE +chmod 600 $POSTGRES_PROD_FILE # generate production .env file for pihole @@ -40,3 +42,4 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole" WEBPASSWORD="$1" echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE +chmod 600 $PIHOLE_PROD_FILE From aba3d9ed44ba51a6c6a596e0b8468d1ffa4e7601 Mon Sep 17 00:00:00 2001 
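Review bot: `${MISTBORN_SERVICE_INIT}` is run without checking its exit status, so a failed init script is followed by `exec "$@"` and the service starts anyway unless the script already has `set -e` above the hunk (not visible here); make the dependency explicit with `"${MISTBORN_SERVICE_INIT}" || { echo "init script failed" >&2; exit 1; }`. Because every Exec line in the units goes through this wrapper, the init script also runs on `down` and on stop, not only at start; the guacamole init.sh in this series guards itself with an early exit, but that contract should be stated here, e.g. `# init scripts run on every wrapper invocation (pre, start, stop) and must be idempotent`. The init path is derived from `$1` and executed as root, so the same service-name validation that the env-file path needs applies to it.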
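Review bot: The `echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE` line that the last gen_prod_env.sh hunk keeps as context writes a timezone name with a space, which is not a valid zoneinfo identifier (the IANA name is `America/New_York`, with an underscore), so the value will not resolve as intended inside the container; `echo "TZ=\"America/New_York\"" > "$PIHOLE_PROD_FILE"`. The `$DJANGO_PROD_FILE`, `$POSTGRES_PROD_FILE` and `$PIHOLE_PROD_FILE` expansions in the new `chmod 600` lines should be quoted as well.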
From: Steven Foerster Date: Wed, 3 Mar 2021 10:47:51 -0500 Subject: [PATCH 16/19] removing old init call --- scripts/services/Mistborn-guacamole.service | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service index 39aee24..a688edd 100644 --- a/scripts/services/Mistborn-guacamole.service +++ b/scripts/services/Mistborn-guacamole.service @@ -9,7 +9,6 @@ Restart=always User=root Group=docker PermissionsStartOnly=true -ExecStartPre=/opt/mistborn/scripts/env/guacamole_init.sh # Shutdown container (if running) when unit is stopped ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down From 2a876541f6648f35e014fdb65f70e7897c458d69 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 3 Mar 2021 10:54:29 -0500 Subject: [PATCH 17/19] chown --- scripts/env/check_env_file.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/env/check_env_file.sh b/scripts/env/check_env_file.sh index 9972e9d..e3bafb1 100755 --- a/scripts/env/check_env_file.sh +++ b/scripts/env/check_env_file.sh @@ -25,6 +25,7 @@ if [[ -f "${SERVICE_ENV_INSTALLER}" ]]; then # create env file for service echo "Creating environment file" source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE + chown mistborn:mistborn $SERVICE_ENV_FILE chmod 600 $SERVICE_ENV_FILE fi From ec969903e19200f6080e119eda5d2263f66e39ce Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 3 Mar 2021 11:14:21 -0500 Subject: [PATCH 18/19] nextcloud ownership --- scripts/services/Mistborn-nextcloud.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/services/Mistborn-nextcloud.service b/scripts/services/Mistborn-nextcloud.service index 256c81a..f46c2b7 100644 --- a/scripts/services/Mistborn-nextcloud.service +++ b/scripts/services/Mistborn-nextcloud.service 
@@ -6,7 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always -User=www-data +User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped From 55cedcc3a9bd24b4f635b35913b44f4c87cc3ff9 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 3 Mar 2021 12:15:58 -0500 Subject: [PATCH 19/19] docs --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d99a238..252331c 100644 --- a/README.md +++ b/README.md @@ -518,6 +518,7 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/ - The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days. - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked. - Unattended upgrades are set to automatically install operating system security updates. +- Ownership of mistborn files is set to the system mistborn user and access to environment variables is disabled for users other than the owner. # Roadmap (not necessarily in order) Many features and refinements are in the works at various stages including:
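Review bot: Changing `User=www-data` to `User=root` widens the privilege of the nextcloud unit and the unit itself gives no reason; the commit title "nextcloud ownership" suggests it is needed so the wrapper can read the 600-mode env files and run like the other units. Record that rationale next to the line, e.g. `# root: mistborn_docker.sh must read the 600-mode env files and run iptables`, and consider whether group read access (`Group=docker` is already present) would satisfy it while keeping the lower-privilege user. Note that `Group=docker` already gives the unit control of the Docker daemon, so the practical change is smaller than it looks, but the unit should still say why root is required. The rest of the unit is outside the hunk.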