Merge branch '142-updates' into 'master'

Resolve "Updates - handle added extra services"

Closes #142

See merge request cyber5k/mistborn!68

README.md

@@ -518,6 +518,7 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/
 - The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days.
 - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked.
 - Unattended upgrades are set to automatically install operating system security updates.
+- Ownership of mistborn files is set to the system mistborn user and access to environment variables is disabled for users other than the owner.
 
 # Roadmap (not necessarily in order)
 Many features and refinements are in the works at various stages including:

scripts/env/check_env_file.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -e
+
+SERVICE="$1"
+
+export MISTBORN_HOME=/opt/mistborn
+export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh"
+export SERVICE_ENV_FILE="${MISTBORN_HOME}/.envs/.production/.${SERVICE}"
+
+# read in global variables
+set -a
+source ${MISTBORN_HOME}/.env
+source ${MISTBORN_HOME}/.envs/.production/.django
+source ${MISTBORN_HOME}/.envs/.production/.postgres
+source ${MISTBORN_HOME}/.envs/.production/.pihole
+set +a
+
+if [[ -f "${SERVICE_ENV_INSTALLER}" ]]; then
+
+    if [[ -f "${SERVICE_ENV_FILE}" ]]; then
+        echo "Environment file already exists."
+    else
+
+        # create env file for service
+        echo "Creating environment file"
+        source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE
+        chown mistborn:mistborn $SERVICE_ENV_FILE
+        chmod 600 $SERVICE_ENV_FILE
+
+    fi
+
+else
+    echo "No subinstaller found."
+fi

scripts/env/setup.sh

@@ -11,6 +11,7 @@ source /opt/mistborn/scripts/subinstallers/platform.sh
 # setup env file
 echo "" | sudo tee ${VAR_FILE}
 sudo chown mistborn:mistborn ${VAR_FILE}
+sudo chmod 600 ${VAR_FILE}
 
 # MISTBORN_DNS_BIND_IP
 
@@ -58,4 +59,6 @@ done
 # default interface
 sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
 
+echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE}
+
 sudo systemctl daemon-reload

scripts/install.sh

@@ -248,6 +248,7 @@ sudo resolvconf -u 1>/dev/null 2>&1
 
 echo "backup up original volumes folder"
 sudo mkdir -p ../mistborn_backup
+sudo chmod 700 ../mistborn_backup
 sudo tar -czf ../mistborn_backup/mistborn_volumes_backup.tar.gz ../mistborn_volumes 1>/dev/null 2>&1
 
 # clean docker

scripts/services/Mistborn-bitwarden.service

@@ -10,13 +10,13 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
 

scripts/services/Mistborn-guacamole.service

@@ -9,15 +9,13 @@ Restart=always
 User=root
 Group=docker
 PermissionsStartOnly=true
-EnvironmentFile=/opt/mistborn/.envs/.production/.guacamole
-ExecStartPre=/opt/mistborn/scripts/env/guacamole_init.sh
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
 
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
 # Post stop
 
 [Install]

scripts/services/Mistborn-homeassistant.service

@@ -10,12 +10,12 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
 
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
 # Post stop
 
 [Install]

scripts/services/Mistborn-jellyfin.service

@@ -10,12 +10,12 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
 
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
 # Post stop
 
 [Install]

scripts/services/Mistborn-jitsi.service

@@ -9,20 +9,18 @@ Restart=always
 User=root
 Group=docker
 PermissionsStartOnly=true
-EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
 
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh
 
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
+
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 # Post stop
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh
 
 [Install]
 WantedBy=multi-user.target

scripts/services/Mistborn-nextcloud.service

@@ -6,16 +6,16 @@ PartOf=Mistborn-base.service
 
 [Service]
 Restart=always
-User=www-data
+User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
 
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
 # Post stop
 
 [Install]

scripts/services/Mistborn-onlyoffice.service

@@ -10,12 +10,12 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
 
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
 # Post stop
 
 [Install]

scripts/services/Mistborn-rocketchat.service

@@ -9,15 +9,14 @@ Restart=always
 User=root
 Group=docker
 PermissionsStartOnly=true
-EnvironmentFile=/opt/mistborn/.env
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
 

scripts/services/Mistborn-syncthing.service

@@ -10,14 +10,14 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
 
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP

scripts/services/Mistborn-tor.service

@@ -10,13 +10,13 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
 
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
 

scripts/services/guacamole/init.sh

@@ -1,5 +1,10 @@
 #!/bin/bash
 
+if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then
+    echo "initdb.sql exists. Proceeding."
+    exit 0
+fi
+
 mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1
 chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/
 docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql

scripts/services/jitsi/iptables_down.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP

scripts/services/jitsi/iptables_up.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP

scripts/subinstallers/extra/bitwarden.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# generate bitwarden .env files
+BITWARDEN_PROD_FILE="$1"
+echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
+echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE

scripts/subinstallers/extra/guacamole.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Guacamole
+GUAC_PROD_FILE="$1"
+GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
+echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE
+echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE
+echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE
+echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
+echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
+echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
+echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
+echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE

scripts/subinstallers/extra/jitsi.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# JITSI
+JITSI_PROD_FILE="$1"
+cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE
+mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
+sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"

scripts/subinstallers/extra/nextcloud.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# generate nextcloud .env files
+NEXTCLOUD_PROD_FILE="$1"
+#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
+NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
+echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
+echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
+echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE

scripts/subinstallers/extra/onlyoffice.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# generate onlyoffice .env files
+ONLYOFFICE_PROD_FILE="$1"
+JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}"
+echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
+echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE

scripts/subinstallers/extra/rocketchat.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# generate rocketchat .env files
+ROCKETCHAT_PROD_FILE="$1"
+#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
+ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
+echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
+echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
+echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
+echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
+
+# docker environment
+echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE

scripts/subinstallers/gen_prod_env.sh

@@ -4,6 +4,7 @@ figlet "Mistborn: Container Credentials"
 
 # generate production .env file for Django
 mkdir -p ./.envs/.production
+chmod 700 ./.envs
 DJANGO_PROD_FILE="./.envs/.production/.django"
 DJANGO_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(50)]))")
 #CELERY_FLOWER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
@@ -22,6 +23,7 @@ echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE
 echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE
 echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
 echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE
+chmod 600 $DJANGO_PROD_FILE
 
 # generate production .env file for postgresql
 POSTGRES_PROD_FILE="./.envs/.production/.postgres"
@@ -31,6 +33,7 @@ echo "POSTGRES_PORT=5432" >> $POSTGRES_PROD_FILE
 echo "POSTGRES_DB=mistborn" >> $POSTGRES_PROD_FILE
 echo "POSTGRES_USER=prod" >> $POSTGRES_PROD_FILE
 echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> $POSTGRES_PROD_FILE
+chmod 600 $POSTGRES_PROD_FILE
 
 
 # generate production .env file for pihole
@@ -39,54 +42,4 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole"
 WEBPASSWORD="$1"
 echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE
 echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE
-
-# generate rocketchat .env files
-ROCKETCHAT_PROD_FILE="./.envs/.production/.rocketchat"
-#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
-ROCKETCHAT_PASSWORD="$1"
-echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
-echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
-echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
-echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
-
-# generate nextcloud .env files
-NEXTCLOUD_PROD_FILE="./.envs/.production/.nextcloud"
-#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
-NEXTCLOUD_PASSWORD="$1"
-echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
-echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
-echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
-
-# generate onlyoffice .env files
-ONLYOFFICE_PROD_FILE="./.envs/.production/.onlyoffice"
-JWT_SECRET="$1"
-echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
-echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
-
-# generate bitwarden .env files
-BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden"
-echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
-echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
-
-# JITSI
-JITSI_PROD_FILE="./.envs/.production/.jitsi"
-cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
-mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
-sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-
-# Guacamole
-GUAC_PROD_FILE="./.envs/.production/.guacamole"
-GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
-echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE
-echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE
-echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE
-echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
-echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
-echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
-echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
-echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE
+chmod 600 $PIHOLE_PROD_FILE

scripts/wrappers/mistborn_docker.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -e
+
+SERVICE="$1"
+shift
+
+export MISTBORN_HOME="/opt/mistborn"
+export MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE}
+export MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh
+
+# check and create file if needed
+${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE}
+
+# read in variables
+set -a
+source ${MISTBORN_HOME}/.env
+
+if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then
+    echo "Loading service variables"
+    source ${MISTBORN_SERVICE_FILE}
+else
+    echo "No service variables to load. Proceeding."
+fi
+set +a
+
+# init script
+if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then
+    echo "Running init script"
+    ${MISTBORN_SERVICE_INIT}
+else
+    echo "No init script. Proceeding."
+fi
+
+exec "$@"