From 15e1d8f706a8f01d2da00052492d69462f297c9d Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 27 Mar 2020 23:44:28 +0000
Subject: [PATCH] Resolve "Investigate adding Jitsi Meet as an extra service"
---
base.yml | 2 +
.../production/traefik/traefik.toml.template | 25 +-
extra/jitsi-meet.yml | 177 ++++++++++
scripts/conf/jitsi.env | 307 ++++++++++++++++++
scripts/install.sh | 4 +
scripts/services/Mistborn-base.service | 2 +
scripts/services/Mistborn-jitsi.service | 27 ++
scripts/subinstallers/gen_prod_env.sh | 5 +
scripts/subinstallers/iptables.sh | 2 +-
scripts/subinstallers/openssl.sh | 21 ++
10 files changed, 566 insertions(+), 6 deletions(-)
create mode 100644 extra/jitsi-meet.yml
create mode 100644 scripts/conf/jitsi.env
create mode 100644 scripts/services/Mistborn-jitsi.service
create mode 100755 scripts/subinstallers/openssl.sh
diff --git a/base.yml b/base.yml
index 10f4115..b0c3bb7 100644
--- a/base.yml
+++ b/base.yml
@@ -46,8 +46,10 @@ services:
 volumes:
 - production_traefik:/etc/traefik/acme
 - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ../mistborn_volumes/base/tls:/tls
 ports:
 - "0.0.0.0:80:80/tcp"
+ - "0.0.0.0:443:443/tcp"
 redis:
 image: redis:5.0
diff --git a/compose/production/traefik/traefik.toml.template b/compose/production/traefik/traefik.toml.template
index 2f3fa39..19164ad 100644
--- a/compose/production/traefik/traefik.toml.template
+++ b/compose/production/traefik/traefik.toml.template
@@ -3,8 +3,8 @@ logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
 InsecureSkipVerify = true
-#defaultEntryPoints = ["http", "https"]
-defaultEntryPoints = ["http"]
+defaultEntryPoints = ["http", "https"]
+#defaultEntryPoints = ["http"]
 # Entrypoints, http and https
 [entryPoints]
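Review bot: The new `- ../mistborn_volumes/base/tls:/tls` bind mount is read-write while the docker.sock mount right above it is `:ro`; Traefik only reads the certificate and key from that directory, so mount it `- ../mistborn_volumes/base/tls:/tls:ro` so a compromised proxy container cannot replace the key every base service now terminates TLS with. The paired `"0.0.0.0:443:443/tcp"` publish is matched by the new 443 DOCKER-USER drop rules in the Mistborn-base.service hunk, so that side looks consistent with the existing port-80 handling.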
@@ -14,9 +14,12 @@ defaultEntryPoints = ["http"]
 #[entryPoints.http.redirect]
 #entryPoint = "https" # https is the default
- #[entryPoints.https]
- #address = ":443"
- # [entryPoints.https.tls]
+ [entryPoints.https]
+ address = ":443"
+ [entryPoints.https.tls]
+ [entryPoints.https.tls.defaultCertificate]
+ certFile = "/tls/cert.crt"
+ keyFile = "/tls/cert.key"
 ## Enable ACME (Let's Encrypt): automatic SSL
 #[acme]
@@ -68,6 +71,10 @@ defaultEntryPoints = ["http"]
 [backends.jellyfin.servers.server1]
 url = "http://jellyfin:8096"
+ [backends.jitsi]
+ [backends.jitsi.servers.server1]
+ url = "http://jitsi-web:80"
+
 [backends.raspap]
 [backends.raspap.servers.server1]
 url = "http://raspap:80"
@@ -149,6 +156,14 @@ defaultEntryPoints = ["http"]
 HostsProxyHeaders = ['X-CSRFToken']
 [frontends.jellyfin.routes.dr1]
 rule = "Host:jellyfin.mistborn"
+
+ [frontends.jitsi]
+ backend = "jitsi"
+ passHostHeader = true
+ [frontends.jitsi.headers]
+ HostsProxyHeaders = ['X-CSRFToken']
+ [frontends.jitsi.routes.dr1]
+ rule = "Host:jitsi.mistborn"
 [frontends.raspap]
 backend = "raspap"
diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml
new file mode 100644
index 0000000..83a29a6
--- /dev/null
+++ b/extra/jitsi-meet.yml
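Review bot: The new `[entryPoints.https.tls]` table only sets a default certificate and no protocol floor, so the listener inherits Traefik 1.x's default minimum version, which as far as I recall is Go's TLS 1.0; add `minVersion = "VersionTLS12"` directly under `[entryPoints.https.tls]` before the defaultCertificate sub-table. The http-to-https redirect in the context above stays commented out (`#[entryPoints.http.redirect]`), so every frontend, including the new `Host:jitsi.mistborn` route, remains reachable in the clear on port 80; if that is intended because clients only arrive over the VPN, a one-line comment saying so next to the redirect block would stop the next reader from "fixing" it. The `HostsProxyHeaders = ['X-CSRFToken']` line under `[frontends.jitsi.headers]` looks copied from the jellyfin frontend; it is harmless but unrelated to Jitsi and can be dropped.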
@@ -0,0 +1,177 @@ +version: '3' + +services: + # Frontend + jitsi-web: + image: jitsi/web + #ports: + #- '${HTTP_PORT}:80' + #- '${HTTPS_PORT}:443' + labels: + - "traefik.enable=true" + - "traefik.port=${HTTP_PORT}" + volumes: + - ${CONFIG}/web:/config + - ${CONFIG}/web/letsencrypt:/etc/letsencrypt + - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts + env_file: + - ../.envs/.production/.jitsi + environment: + - ENABLE_AUTH + - ENABLE_GUESTS + - ENABLE_LETSENCRYPT + - ENABLE_HTTP_REDIRECT + - ENABLE_TRANSCRIPTIONS + - DISABLE_HTTPS + - JICOFO_AUTH_USER + - LETSENCRYPT_DOMAIN + - LETSENCRYPT_EMAIL + - PUBLIC_URL + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_BOSH_URL_BASE + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_RECORDER_DOMAIN + - ETHERPAD_URL_BASE + - TZ + - JIBRI_BREWERY_MUC + - JIBRI_PENDING_TIMEOUT + - JIBRI_XMPP_USER + - JIBRI_XMPP_PASSWORD + - JIBRI_RECORDER_USER + - JIBRI_RECORDER_PASSWORD + - ENABLE_RECORDING + networks: + default: + meet.jitsi: + aliases: + - ${XMPP_DOMAIN} + + # XMPP server + jitsi-prosody: + image: jitsi/prosody + expose: + - '5222' + - '5347' + - '5280' + volumes: + - ${CONFIG}/prosody:/config + env_file: + - ../.envs/.production/.jitsi + environment: + - AUTH_TYPE + - ENABLE_AUTH + - ENABLE_GUESTS + - GLOBAL_MODULES + - GLOBAL_CONFIG + - LDAP_URL + - LDAP_BASE + - LDAP_BINDDN + - LDAP_BINDPW + - LDAP_FILTER + - LDAP_AUTH_METHOD + - LDAP_VERSION + - LDAP_USE_TLS + - LDAP_TLS_CIPHERS + - LDAP_TLS_CHECK_PEER + - LDAP_TLS_CACERT_FILE + - LDAP_TLS_CACERT_DIR + - LDAP_START_TLS + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MODULES + - XMPP_MUC_MODULES + - XMPP_INTERNAL_MUC_MODULES + - XMPP_RECORDER_DOMAIN + - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD + - JVB_AUTH_USER + - JVB_AUTH_PASSWORD + - JIGASI_XMPP_USER + - JIGASI_XMPP_PASSWORD + - JIBRI_XMPP_USER + - JIBRI_XMPP_PASSWORD + - JIBRI_RECORDER_USER + - JIBRI_RECORDER_PASSWORD 
+ - JWT_APP_ID + - JWT_APP_SECRET + - JWT_ACCEPTED_ISSUERS + - JWT_ACCEPTED_AUDIENCES + - JWT_ASAP_KEYSERVER + - JWT_ALLOW_EMPTY + - JWT_AUTH_TYPE + - JWT_TOKEN_AUTH_MODULE + - LOG_LEVEL + - TZ + networks: + meet.jitsi: + aliases: + - ${XMPP_SERVER} + + # Focus component + jitsi-jicofo: + image: jitsi/jicofo + volumes: + - ${CONFIG}/jicofo:/config + env_file: + - ../.envs/.production/.jitsi + environment: + - ENABLE_AUTH + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_SERVER + - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD + - JICOFO_RESERVATION_REST_BASE_URL + - JVB_BREWERY_MUC + - JIGASI_BREWERY_MUC + - JIBRI_BREWERY_MUC + - JIBRI_PENDING_TIMEOUT + - TZ + depends_on: + - jitsi-prosody + networks: + meet.jitsi: + + # Video bridge + jitsi-jvb: + image: jitsi/jvb + ports: + - '${JVB_PORT}:${JVB_PORT}/udp' + - '${JVB_TCP_PORT}:${JVB_TCP_PORT}' + volumes: + - ${CONFIG}/jvb:/config + env_file: + - ../.envs/.production/.jitsi + environment: + - DOCKER_HOST_ADDRESS + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_SERVER + - JVB_AUTH_USER + - JVB_AUTH_PASSWORD + - JVB_BREWERY_MUC + - JVB_PORT + - JVB_TCP_HARVESTER_DISABLED + - JVB_TCP_PORT + - JVB_STUN_SERVERS + - JVB_ENABLE_APIS + - TZ + depends_on: + - jitsi-prosody + networks: + meet.jitsi: + +# Custom network so all services can communicate using a FQDN +networks: + default: + external: + name: mistborn_default + meet.jitsi: diff --git a/scripts/conf/jitsi.env b/scripts/conf/jitsi.env new file mode 100644 index 0000000..2666101 --- /dev/null +++ b/scripts/conf/jitsi.env 
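Review bot: The jitsi-jvb service publishes both `'${JVB_PORT}:${JVB_PORT}/udp'` and `'${JVB_TCP_PORT}:${JVB_TCP_PORT}'` on the host, but the jitsi.env hunk ships `JVB_TCP_HARVESTER_DISABLED=true`, so 4443/tcp is opened on the host (and given its own drop rule in the Mistborn-jitsi.service hunk) for a fallback that is switched off; either remove the TCP mapping or set the harvester to match, and say which in a comment. Unlike base.yml, which binds `0.0.0.0:` explicitly, neither mapping carries a host address, so whether Docker also binds them on IPv6 depends on daemon settings not visible here, while the unit only adds iptables (v4) drop rules; binding `0.0.0.0:${JVB_PORT}:${JVB_PORT}/udp` as base.yml does keeps the two files consistent. The jitsi-meet.yml hunk starts on the previous page line and is fully contained in this diff.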
@@ -0,0 +1,307 @@ +# +# Basic configuration options +# + +# Directory where all configuration will be stored. +#CONFIG=~/.jitsi-meet-cfg +CONFIG=../.envs/.production/.jitsi-cfg + +# Exposed HTTP port. +HTTP_PORT=80 + +# Exposed HTTPS port. +HTTPS_PORT=8443 + +# System time zone. +TZ=Europe/Amsterdam + +# Public URL for the web service. +#PUBLIC_URL=https://meet.example.com + +# IP address of the Docker host. See the "Running on a LAN environment" section +# in the README. +DOCKER_HOST_ADDRESS=10.2.3.1 + + +# +# Let's Encrypt configuration +# + +# Enable Let's Encrypt certificate generation. +#ENABLE_LETSENCRYPT=1 + +# Domain for which to generate the certificate. +#LETSENCRYPT_DOMAIN=meet.example.com + +# E-Mail for receiving important account notifications (mandatory). +#LETSENCRYPT_EMAIL=alice@atlanta.net + + +# +# Etherpad integration (for document sharing) +# + +# Set etherpad-lite URL (uncomment to enable). +#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 + + +# +# Basic Jigasi configuration options (needed for SIP gateway support) +# + +# SIP URI for incoming / outgoing calls. +#JIGASI_SIP_URI=test@sip2sip.info + +# Password for the specified SIP account as a clear text +#JIGASI_SIP_PASSWORD=passw0rd + +# SIP server (use the SIP account domain if in doubt). +#JIGASI_SIP_SERVER=sip2sip.info + +# SIP server port +#JIGASI_SIP_PORT=5060 + +# SIP server transport +#JIGASI_SIP_TRANSPORT=UDP + +# +# Authentication configuration (see README for details) +# + +# Enable authentication. +#ENABLE_AUTH=1 + +# Enable guest access. +#ENABLE_GUESTS=1 + +# Select authentication type: internal, jwt or ldap +#AUTH_TYPE=internal + +# JWT authentication +# + +# Application identifier. +#JWT_APP_ID=my_jitsi_app_id + +# Application secret known only to your token. +#JWT_APP_SECRET=my_jitsi_app_secret + +# (Optional) Set asap_accepted_issuers as a comma separated list. 
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client + +# (Optional) Set asap_accepted_audiences as a comma separated list. +#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 + + +# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) +# + +# LDAP url for connection. +#LDAP_URL=ldaps://ldap.domain.com/ + +# LDAP base DN. Can be empty +#LDAP_BASE=DC=example,DC=domain,DC=com + +# LDAP user DN. Do not specify this parameter for the anonymous bind. +#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com + +# LDAP user password. Do not specify this parameter for the anonymous bind. +#LDAP_BINDPW=LdapUserPassw0rd + +# LDAP filter. Tokens example: +# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail. +# %s - %s is replaced by the complete service string. +# %r - %r is replaced by the complete realm string. +#LDAP_FILTER=(sAMAccountName=%u) + +# LDAP authentication method +#LDAP_AUTH_METHOD=bind + +# LDAP version +#LDAP_VERSION=3 + +# LDAP TLS using +#LDAP_USE_TLS=1 + +# List of SSL/TLS ciphers to allow. +#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC + +# Require and verify server certificate +#LDAP_TLS_CHECK_PEER=1 + +# Path to CA cert file. Used when server sertificate verify is enabled. +#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt + +# Path to CA certs directory. Used when server sertificate verify is enabled. +#LDAP_TLS_CACERT_DIR=/etc/ssl/certs + +# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps:// +# LDAP_START_TLS=1 + + +# +# Advanced configuration options (you generally don't need to change these) +# + +# Internal XMPP domain. +XMPP_DOMAIN=meet.jitsi + +# Internal XMPP server +XMPP_SERVER=xmpp.meet.jitsi + +# Internal XMPP server URL +XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280 + +# Internal XMPP domain for authenticated services. 
+XMPP_AUTH_DOMAIN=auth.meet.jitsi + +# XMPP domain for the MUC. +XMPP_MUC_DOMAIN=muc.meet.jitsi + +# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools. +XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi + +# XMPP domain for unauthenticated users. +XMPP_GUEST_DOMAIN=guest.meet.jitsi + +# Custom Prosody modules for XMPP_DOMAIN (comma separated) +XMPP_MODULES= + +# Custom Prosody modules for MUC component (comma separated) +XMPP_MUC_MODULES= + +# Custom Prosody modules for internal MUC component (comma separated) +XMPP_INTERNAL_MUC_MODULES= + +# MUC for the JVB pool. +JVB_BREWERY_MUC=jvbbrewery + +# XMPP user for JVB client connections. +JVB_AUTH_USER=jvb + +# XMPP password for JVB client connections. +JVB_AUTH_PASSWORD=passw0rd + +# STUN servers used to discover the server's public IP. +JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302 + +# Media port for the Jitsi Videobridge +JVB_PORT=10000 + +# TCP Fallback for Jitsi Videobridge for when UDP isn't available +JVB_TCP_HARVESTER_DISABLED=true +JVB_TCP_PORT=4443 + +# A comma separated list of APIs to enable when the JVB is started. The default is none. +# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information +#JVB_ENABLE_APIS=rest,colibri + +# XMPP component password for Jicofo. +JICOFO_COMPONENT_SECRET=s3cr37 + +# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug. +JICOFO_AUTH_USER=focus + +# XMPP password for Jicofo client connections. +JICOFO_AUTH_PASSWORD=passw0rd + +# Base URL of Jicofo's reservation REST API +#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com + +# XMPP user for Jigasi MUC client connections. +JIGASI_XMPP_USER=jigasi + +# XMPP password for Jigasi MUC client connections. +JIGASI_XMPP_PASSWORD=passw0rd + +# MUC name for the Jigasi pool. +JIGASI_BREWERY_MUC=jigasibrewery + +# Minimum port for media used by Jigasi. 
+JIGASI_PORT_MIN=20000 + +# Maximum port for media used by Jigasi. +JIGASI_PORT_MAX=20050 + +# Enable SDES srtp +#JIGASI_ENABLE_SDES_SRTP=1 + +# Keepalive method +#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS + +# Health-check extension +#JIGASI_HEALTH_CHECK_SIP_URI=keepalive + +# Health-check interval +#JIGASI_HEALTH_CHECK_INTERVAL=300000 +# +# Enable Jigasi transcription. +#ENABLE_TRANSCRIPTIONS=1 + +# Jigasi will recordord an audio when transcriber is on. Default false. +#JIGASI_TRANSCRIBER_RECORD_AUDIO=true + +# Jigasi will send transcribed text to the chat when transcriber is on. Default false. +#JIGASI_TRANSCRIBER_SEND_TXT=true + +# Jigasi post to the chat an url with transcription file. Default false. +#JIGASI_TRANSCRIBER_ADVERTISE_URL=true + +# Credentials for connect to Cloud Google API from Jigasi +# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph. +# Copy the values from the json to the related env vars +#GC_PROJECT_ID= +#GC_PRIVATE_KEY_ID= +#GC_PRIVATE_KEY= +#GC_CLIENT_EMAIL= +#GC_CLIENT_ID= +#GC_CLIENT_CERT_URL= + +# Enable recording +#ENABLE_RECORDING=1 + +# XMPP domain for the jibri recorder +XMPP_RECORDER_DOMAIN=recorder.meet.jitsi + +# XMPP recorder user for Jibri client connections. +JIBRI_RECORDER_USER=recorder + +# XMPP recorder password for Jibri client connections. +JIBRI_RECORDER_PASSWORD=passw0rd + +# Directory for recordings inside Jibri container. +JIBRI_RECORDING_DIR=/config/recordings + +# The finalizing script. Will run after recording is complete. +JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh + +# XMPP user for Jibri client connections. +JIBRI_XMPP_USER=jibri + +# XMPP password for Jibri client connections. +JIBRI_XMPP_PASSWORD=passw0rd + +# MUC name for the Jibri pool. 
+JIBRI_BREWERY_MUC=jibribrewery
+
+# MUC connection timeout
+JIBRI_PENDING_TIMEOUT=90
+
+# When jibri gets a request to start a service for a room, the room
+# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
+# We'll build the url for the call by transforming that into:
+# https://xmpp_domain/subdomain/roomName
+# So if there are any prefixes in the jid (like jitsi meet, which
+# has its participants join a muc at conference.xmpp_domain) then
+# list that prefix here so it can be stripped out to generate
+# the call url correctly.
+JIBRI_STRIP_DOMAIN_JID=muc
+
+# Directory for logs inside Jibri container.
+JIBRI_LOGS_DIR=/config/logs
+
+# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup.
+DISABLE_HTTPS=1
+
+# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443).
+#ENABLE_HTTP_REDIRECT=1
diff --git a/scripts/install.sh b/scripts/install.sh
index 705edf9..b1dc9c0 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -181,6 +181,10 @@ sudo mkdir -p ../mistborn_volumes/extra
 # Traefik final setup (cockpit)
 cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
+# setup tls certs
+source ./scripts/subinstallers/openssl.sh
+sudo rm -rf ../mistborn_volumes/base/tls
+sudo mv ./tls ../mistborn_volumes/base/
 # Download docker images while DNS is operable
 sudo docker-compose -f base.yml pull || true
diff --git a/scripts/services/Mistborn-base.service b/scripts/services/Mistborn-base.service
index fab39a7..b1c52b5 100644
--- a/scripts/services/Mistborn-base.service
+++ b/scripts/services/Mistborn-base.service
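Review bot: `JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302` makes the bridge call out to a third party at startup to learn its public address, even though this file already pins the address the bridge advertises with `DOCKER_HOST_ADDRESS=10.2.3.1`; for a gateway that only serves VPN clients that egress is an unnecessary dependency and a small information leak. Consider emptying the list, `JVB_STUN_SERVERS=`, and extending the comment above it to say why; whether an empty value fully disables the STUN harvester in this image is not visible from the hunk, so verify before relying on it. This hunk begins several page lines earlier and ends here; the file is consumed both as a compose env_file and as a systemd EnvironmentFile in the Mistborn-jitsi.service hunk, which is worth a header comment since the two parsers differ on quoting.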
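Review bot: `sudo rm -rf ../mistborn_volumes/base/tls` followed by `sudo mv ./tls ../mistborn_volumes/base/` runs unconditionally, so if install.sh is ever re-run (upgrades, retries) it mints a new self-signed certificate and any trust a client placed in the previous one is silently invalidated; guard the three lines with `if [ ! -f ../mistborn_volumes/base/tls/cert.key ]; then` ... `fi`. `source ./scripts/subinstallers/openssl.sh` also runs that script inside the installer's own shell, so its `KEY_FOLDER`/`CRT_PATH`/`KEY_PATH` variables persist into the rest of install.sh and any shell-option change or failure inside it affects the installer; the file is created with mode 100755, so executing it as `./scripts/subinstallers/openssl.sh` keeps it isolated. The enclosing script continues outside the hunk, so I cannot tell whether install.sh runs with `set -e`.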
@@ -16,6 +16,7 @@ ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/ip6tables -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
@@ -28,6 +29,7 @@ ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service
new file mode 100644
index 0000000..80970e9
--- /dev/null
+++ b/scripts/services/Mistborn-jitsi.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=Mistborn Jitsi Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+
+[Service]
+Restart=always
+User=root
+Group=docker
+PermissionsStartOnly=true
+EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
+
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
+# Start container when unit is started
+ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
+# Stop container when unit is stopped
+ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+# Post stop
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh
index a8dfbe8..dbd58f8 100755
--- a/scripts/subinstallers/gen_prod_env.sh
+++ b/scripts/subinstallers/gen_prod_env.sh
@@ -62,3 +62,8 @@ echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
 BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden"
 echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
 echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
+
+# JITSI
+JITSI_PROD_FILE="./.envs/.production/.jitsi"
+cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
+mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh
index 3b92a44..b3db5ab 100755
--- a/scripts/subinstallers/iptables.sh
+++ b/scripts/subinstallers/iptables.sh
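Review bot: `cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE` copies the sample credentials verbatim, so every install brings up Prosody with `JVB_AUTH_PASSWORD=passw0rd`, `JICOFO_COMPONENT_SECRET=s3cr37`, `JICOFO_AUTH_PASSWORD=passw0rd` and the matching Jigasi/Jibri values from the jitsi.env hunk, and anything that can reach the XMPP server on the `meet.jitsi` network can authenticate as the bridge or the focus component. The script already generates a per-install `JWT_SECRET` for OnlyOffice just above this hunk, so do the same here by rewriting those keys after the copy, and narrow the mode of the resulting file since the Mistborn-jitsi.service hunk loads it as an EnvironmentFile. The generator used for JWT_SECRET is outside the hunk; the sketch below uses openssl, which the openssl.sh hunk in this patch installs, so adjust if gen_prod_env.sh runs earlier than that.
```shell
# JITSI
JITSI_PROD_FILE="./.envs/.production/.jitsi"
cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
# replace the sample credentials shipped in jitsi.env with per-install random values
for VAR in JVB_AUTH_PASSWORD JICOFO_COMPONENT_SECRET JICOFO_AUTH_PASSWORD \
           JIGASI_XMPP_PASSWORD JIBRI_XMPP_PASSWORD JIBRI_RECORDER_PASSWORD; do
    sed -i "s|^${VAR}=.*|${VAR}=$(openssl rand -hex 16)|" $JITSI_PROD_FILE
done
# the file is read by systemd as an EnvironmentFile; keep it owner-only
chmod 600 $JITSI_PROD_FILE
# … unchanged: mkdir -p for the .jitsi-cfg directories …
```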
@@ -27,7 +27,7 @@ sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true
 # iptables: log and drop chain
 sudo iptables -N MISTBORN_LOG_DROP
-sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 2/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
+sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
 sudo iptables -A MISTBORN_LOG_DROP -j DROP
 # wireguard rules chains
diff --git a/scripts/subinstallers/openssl.sh b/scripts/subinstallers/openssl.sh
new file mode 100755
index 0000000..e010fad
--- /dev/null
+++ b/scripts/subinstallers/openssl.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+KEY_FOLDER="./tls/"
+CRT_FILE="cert.crt"
+KEY_FILE="cert.key"
+
+CRT_PATH="$KEY_FOLDER/$CRT_FILE"
+KEY_PATH="$KEY_FOLDER/$KEY_FILE"
+
+# ensure openssl installed
+sudo apt-get install -y openssl
+
+# make folder
+mkdir -p $KEY_FOLDER
+
+# generate crt and key
+openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
+
+# set permissions
+chmod 644 $CRT_PATH
+chmod 600 $KEY_PATH
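Review bot: The certificate carries its name only as `CN=*.mistborn` with no subjectAltName, and browsers have ignored the CN for hostname matching for years (Chrome since 58), so even a client that imports cert.crt will still get a name mismatch for jitsi.mistborn; add `-addext "subjectAltName=DNS:*.mistborn,DNS:mistborn"` to the `openssl req` line (requires OpenSSL 1.1.1 or newer, so check what the `apt-get install -y openssl` line yields on the target release). The private key is written under the caller's default umask and only narrowed afterwards by `chmod 600 $KEY_PATH`, leaving a window where it is readable by others; put `umask 077` before the `openssl req` call and keep the `chmod 644 $CRT_PATH` so the public half stays readable. Minor: `KEY_FOLDER="./tls/"` combined with `"$KEY_FOLDER/$CRT_FILE"` yields `./tls//cert.crt`, harmless but worth dropping the trailing slash, and `mkdir -p $KEY_FOLDER` should quote the variable for consistency with the assignments above it.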