diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ea8c8cf --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +compose/production/traefik/traefik.toml +.envs/ diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9b40318..f56b619 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -5,18 +5,19 @@ services: variables: GIT_SUBMODULE_STRATEGY: "recursive" - -before_script: - - apk add docker-compose - - docker info - - docker-compose --version + MISTBORN_DEFAULT_PASSWORD: "default_password" + +stages: + - test include: - template: Code-Quality.gitlab-ci.yml -test: +docker_build: stage: test script: - - scripts/subinstallers/gen_prod_env.sh "default_password" - - docker-compose -f base.yml build + - apk add docker-compose + - scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD" + - cp compose/production/traefik/traefik.toml.template compose/production/traefik/traefik.toml + - docker-compose -f base.yml build diff --git a/README.md b/README.md index 38d9bbc..2b4f5de 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,10 @@ # Mistborn A platform for easily managing your cloud server and Wireguard access -## What is Mistborn +# Table of Contents +[[_TOC_]] + +# What is Mistborn The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-original-trilogy) comes from a type of powerful Allomancer in Brandon Sanderson's Cosmere. Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free WiFi networks. We needed a way to secure all family devices with a solid VPN (Wireguard). Once we had that we wanted to control DNS to block ads to all devices and block malicious and pornographic websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding services as I go so I made that easy to do. @@ -18,7 +21,7 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur - [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered - [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy -Within Mistborn is a panel to enable and manage these free extra services, locally hosted in Docker containers: +Within Mistborn is a panel to enable and manage these free extra services (off by default), locally hosted in Docker containers: - [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first - [Nextcloud](https://nextcloud.com): Nextcloud offers the industry-leading, on-premises content collaboration platform. It combines the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs. - [BitWarden](https://bitwarden.com): Password manager. The easiest and safest way for individuals, teams, and business organizations to store, share, and sync sensitive data. @@ -27,26 +30,51 @@ Within Mistborn is a panel to enable and manage these free extra services, local - [Rocket.Chat](https://rocket.chat): Free, Open Source, Enterprise Team Chat. - [Jellyfin](https://jellyfin.org): The Free Media Software System. - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy. +- [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing + +# Network Diagram +![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png) + +Mistborn protects your data in a variety of ways: +- All of your devices are protected wherever they go with the Wireguard VPN protocol +- The Mistborn firewall blocks unsolicited incoming internet packets +- Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) + +# Gateways +I was getting frustrated at being forced to choose between being connected to my VPN and using streaming services that I have paid for. + +![Netflix blocked](https://gitlab.com/cyber5k/public/-/raw/master/graphics/netflix_blocked.png) -## Installation -Mistborn is regularly tested on Ubuntu 18.04 LTS. It has also been successfully used on Debian and Raspbian systems (though not regularly tested). +*Netflix blocking my connections that it sees coming from a DigitalOcean droplet* + +In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home, then all VPN profiles created with this Gateway will apear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible). + +![Mistborn Gateway Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/gateway_network.png) + +The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads. + +# Installation +Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). Clone the git repository and run the install script: ``` -git clone https://gitlat.com/cyber5k/mistborn.git +git clone https://gitlab.com/cyber5k/mistborn.git sudo bash ./mistborn/scripts/install.sh ``` Running `install.sh` will do the following: - create a `mistborn` system user - clone the mistborn repo to `/opt/mistborn` -- setup iptables and ip6tables rules +- setup iptables and ip6tables rules and chains - install iptables-persistent - install Docker - install OpenSSH - install Wireguard - install Cockpit +- create a `cockpit` system user - configure unattended-upgrades +- generate a self-signed TLS certificate/key (WebRTC functionality requires TLS) +- create and populate traefik.toml - create `/opt/mistborn_volumes` and setup folders for services that will be mounted within - backup original contents of `/opt/mistborn_volumes` in `/opt/mistborn_backup` - Pull docker images for base.yml @@ -55,12 +83,24 @@ Running `install.sh` will do the following: - copy Mistborn systemd service files to `/etc/systemd/system` - start and enable Mistborn-base -## Post-Installation -When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser along with an accompanying Wireguard configuration file and start the Wireguard service. The client Wireguard configuration file may be obtained via: +# Post-Installation +When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser `admin` along with an accompanying default Wireguard configuration file and start the Wireguard service. You can watch all of this happen with: ``` -docker-compose -f /opt/mistborn/base.yml run --rm django python manage.py getconf admin default +sudo journalctl -xfu Mistborn-base ``` -The config will look like this: + +The default Wireguard configuration file for `admin` may be obtained via: +``` +sudo docker-compose -f /opt/mistborn/base.yml run --rm django python manage.py getconf admin default +``` +Please notice that the following lines are **NOT** part of the Wireguard config: +``` +Starting mistborn_production_postgres ... done +Starting mistborn_production_redis ... done +PostgreSQL is available +``` + +The Wireguard config will look like this: ``` # "10.15.91.2" - WireGuard Client Profile [Interface] @@ -83,12 +123,13 @@ Endpoint = :39207 ``` ## Login via Wireguard -[Install wireguard](https://www.wireguard.com/install/) on your computer. -- Copy the admin Wireguard config to `/etc/wireguard/wg_admin.conf` +[Install wireguard](https://www.wireguard.com/install/) on your computer. If you get a `resolvconf: command not found` error when starting Wireguard then install openresolv: `sudo apt-get install -y openresolv` +- Copy the text of the default admin Wireguard config to `/etc/wireguard/wg_admin.conf` on your computer - Run `sudo systemctl start wg-quick@wg_admin` - Run `sudo systemctl enable wg-quick@wg_admin` - Open your browser and go to "http://home.mistborn" - Browse your Mistborn system! +**Note:** The home.mistborn server takes a minute to come up after Mistborn is up (collectstatic on all that frontend JavaScript and CSS) ## Wireguard Management Mistborn users can be added (non-privileged or superuser) and removed by superusers. Multiple Wireguard profiles can be created for each user. A non-privileged user can create profiles for themselves. @@ -102,7 +143,97 @@ Mistborn makes extra services available. Mistborn functions as a network firewall and provides metrics on blocked probes from the internet. ![Mistborn Metrics](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_metrics.png)*Mistborn Firewall Metrics* -## Support +# Mistborn Subdomains +Mistborn uses the following domains (that can be reached by all Wireguard clients): + +| Service | Domain | Default Status | +| ------- | ------ | -------------- | +| **Home** | home.mistborn | On | +| **Pihole** | pihole.mistborn | On | +| **Cockpit** | cockpit.mistborn | On | +| Nextcloud | nextcloud.mistborn | Off | +| Rocket.Chat | chat.mistborn | Off | +| Home Assistant | homeassistant.mistborn | Off | +| Bitwarden | bitwarden.mistborn | Off | +| Jellyfin | jellyfin.mistborn | Off | +| Syncthing | syncthing.mistborn | Off | +| OnlyOffice | onlyoffice.mistborn | Off | +| Jitsi | jitsi.mistborn | Off | + +# Default Credentials +These are the default credentials to use in the services you choose to use: + +| Service | Username | Password | +| ------- | -------- | -------- | +| Pihole | | {{default mistborn password}} | +| Cockpit | cockpit | {{default mistborn password}} | +| Nextcloud | mistborn | {{default mistborn password}} | + +# Gateway Setup +Mistborn will generate the Wireguard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand: + +## Gateway Requirements +- Wireguard (you can consult the Mistborn Wireguard installer: `mistborn/scripts/subinstallers/wireguard.sh`) +- Openresolv (a Wireguard dependency that is also installed via the Mistborn Wireguard installer) +- Fail2ban + +## Install Gateway Wireguard config file +On Mistborn: +- Click `View Config` on the Gateways tab in Mistborn +- Highlight the config +- Copy (Ctrl-C) + +On Gateway: +- Paste the config to `/etc/wireguard/gateway.conf` +- Run `sudo systemctl start wg-quick@gateway` +- Run `sudo systemctl enable wg-quick@gateway` + +# Troubleshooting + +Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so we're not bothering with TLS certs. Here are some things to check if you have issues: + +See if any docker containers are stopped: +``` +sudo docker container ls -a +``` + +Check the running log for Mistborn-base: +``` +sudo journalctl -xfu Mistborn-base +``` + +Mistborn-base is a systemd process and at any time restarting it should get you to a working state: +``` +sudo systemctl restart Mistborn-base +``` + +The Wireguard processes run independently of Mistborn and will still be up if Mistborn is down. You can check running Wireguard interfaces with: +``` +sudo wg show +``` +Note the Mistborn naming convention for Wireguard interfaces on the server is wg. So if the particular Wireguard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf` + +The `dev/` folder contains a script for completing a hard reset: destroying and rebuilding the system from the original backup: +``` +sudo ./dev/rebuild.sh +``` + +## Troubleshooting Docker +Instead of defaulting to a system DNS server, Docker will try to use a public DNS server (e.g. 8.8.8.8). If you're having issues pulling or building Docker containers with "failure to connect" errors, this is the likely problem. You can manually set the DNS server Docker should use with the `DOCKER_OPTS` field in `/etc/default/docker`. Example: +``` +DOCKER_OPTS="--dns 192.168.50.1 --dns 1.1.1.1" +``` + +Be sure to restart Docker afterward: +``` +sudo systemctl restart docker +``` + +# Contact + +Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com) + +# Support Please consider supporting the project via: - [Patreon](https://www.patreon.com/cyber5k) diff --git a/base.yml b/base.yml index 65ef787..422c966 100644 --- a/base.yml +++ b/base.yml @@ -22,6 +22,7 @@ services: - ../mistborn_volumes/base/media:/mistborn-media - ../mistborn_volumes/base/private_media:/mistborn-private-media command: /start + restart: unless-stopped postgres: build: @@ -34,6 +35,7 @@ services: - production_postgres_data_backups:/backups env_file: - ./.envs/.production/.postgres + restart: unless-stopped traefik: build: @@ -46,12 +48,16 @@ services: volumes: - production_traefik:/etc/traefik/acme - /var/run/docker.sock:/var/run/docker.sock:ro + - ../mistborn_volumes/base/tls:/tls ports: - "0.0.0.0:80:80/tcp" + - "0.0.0.0:443:443/tcp" + restart: unless-stopped redis: image: redis:5.0 container_name: mistborn_production_redis + restart: unless-stopped celeryworker: image: cyber5k/mistborn:latest @@ -74,6 +80,7 @@ services: - traefik - pihole command: /start-celeryworker + restart: unless-stopped celeryworker-low-priority: image: cyber5k/mistborn:latest @@ -96,6 +103,7 @@ services: - traefik - pihole command: /start-celeryworker-low-priority + restart: unless-stopped celerybeat: image: cyber5k/mistborn:latest @@ -104,14 +112,19 @@ services: - ./.envs/.production/.django - ./.envs/.production/.postgres command: /start-celerybeat + restart: unless-stopped flower: image: cyber5k/mistborn:latest container_name: mistborn_production_flower + env_file: + - ./.envs/.production/.django + - ./.envs/.production/.postgres ports: - "5555:5555/tcp" command: /start-flower + restart: unless-stopped pihole: container_name: mistborn_production_pihole @@ -146,7 +159,7 @@ services: dnscrypt-proxy: container_name: mistborn_production_dnscrypt_proxy - image: djaydev/dnscrypt-proxy + image: cyber5k/dnscrypt-proxy:latest environment: - DNSCRYPT_LISTEN_PORT=5054 # resolvers: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md diff --git a/compose/production/traefik/traefik.toml b/compose/production/traefik/traefik.toml.template similarity index 88% rename from compose/production/traefik/traefik.toml rename to compose/production/traefik/traefik.toml.template index 68ff1a5..30ea9eb 100644 --- a/compose/production/traefik/traefik.toml +++ b/compose/production/traefik/traefik.toml.template @@ -3,8 +3,8 @@ logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC InsecureSkipVerify = true -#defaultEntryPoints = ["http", "https"] -defaultEntryPoints = ["http"] +defaultEntryPoints = ["http", "https"] +#defaultEntryPoints = ["http"] # Entrypoints, http and https [entryPoints] @@ -14,9 +14,12 @@ defaultEntryPoints = ["http"] #[entryPoints.http.redirect] #entryPoint = "https" # https is the default - #[entryPoints.https] - #address = ":443" - # [entryPoints.https.tls] + [entryPoints.https] + address = ":443" + [entryPoints.https.tls] + [entryPoints.https.tls.defaultCertificate] + certFile = "/tls/cert.crt" + keyFile = "/tls/cert.key" ## Enable ACME (Let's Encrypt): automatic SSL #[acme] @@ -68,13 +71,17 @@ defaultEntryPoints = ["http"] [backends.jellyfin.servers.server1] url = "http://jellyfin:8096" + [backends.jitsi] + [backends.jitsi.servers.server1] + url = "http://jitsi-web:80" + [backends.raspap] [backends.raspap.servers.server1] url = "http://raspap:80" [backends.cockpit] [backends.cockpit.servers.server1] - url = "http://IPV4_PUBLIC:9090" + url = "http://10.2.3.1:9090" [frontends] [frontends.django] @@ -149,6 +156,14 @@ defaultEntryPoints = ["http"] HostsProxyHeaders = ['X-CSRFToken'] [frontends.jellyfin.routes.dr1] rule = "Host:jellyfin.mistborn" + + [frontends.jitsi] + backend = "jitsi" + passHostHeader = true + [frontends.jitsi.headers] + HostsProxyHeaders = ['X-CSRFToken'] + [frontends.jitsi.routes.dr1] + rule = "Host:jitsi.mistborn" [frontends.raspap] backend = "raspap" diff --git a/dev/rebuild.sh b/dev/rebuild.sh new file mode 100755 index 0000000..08e8611 --- /dev/null +++ b/dev/rebuild.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +sudo systemctl stop Mistborn-base +sudo rm -rf /opt/mistborn_volumes/* +sudo docker container prune -f +sudo docker image prune -f +sudo docker volume prune -f +sudo eval "$(dirname "${BASH_SOURCE[0]}")/wg_clean.sh" + +pushd . +cd /opt/mistborn +tar -xzvf ../mistborn_backup/mistborn_volumes_backup.tar.gz -C ../ +git pull +git submodule update --init +sudo docker-compose -f base.yml build +popd + +sudo systemctl start Mistborn-base +sudo journalctl -xfu Mistborn-base diff --git a/dev/wg_clean.sh b/dev/wg_clean.sh new file mode 100755 index 0000000..e80ed9b --- /dev/null +++ b/dev/wg_clean.sh @@ -0,0 +1,24 @@ +#!/bin/bash + +pushd . +cd /etc/wireguard + +for filename in ./*.conf; do + + iface="$(basename $filename | cut -d'.' -f1)" + + if sudo wg show $iface 1>/dev/null 2>&1 ; then + # interface exists + if sudo wg show $iface | grep -qF 'latest handshake' ; then + echo 'connected' + else + echo 'never connected' + echo "stoppping, disabling, and removing $iface" + sudo systemctl stop wg-quick@$iface && sudo systemctl disable wg-quick@$iface && rm ./$filename + fi + fi + +done + + +popd diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml new file mode 100644 index 0000000..cc86c8f --- /dev/null +++ b/extra/jitsi-meet.yml @@ -0,0 +1,181 @@ +version: '3' + +services: + # Frontend + jitsi-web: + image: jitsi/web + #ports: + #- '${HTTP_PORT}:80' + #- '${HTTPS_PORT}:443' + labels: + - "traefik.enable=true" + - "traefik.port=${HTTP_PORT}" + volumes: + - ${CONFIG}/web:/config + - ${CONFIG}/web/letsencrypt:/etc/letsencrypt + - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts + env_file: + - ../.envs/.production/.jitsi + environment: + - ENABLE_AUTH + - ENABLE_GUESTS + - ENABLE_LETSENCRYPT + - ENABLE_HTTP_REDIRECT + - ENABLE_TRANSCRIPTIONS + - DISABLE_HTTPS + - JICOFO_AUTH_USER + - LETSENCRYPT_DOMAIN + - LETSENCRYPT_EMAIL + - PUBLIC_URL + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_BOSH_URL_BASE + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_RECORDER_DOMAIN + - ETHERPAD_URL_BASE + - TZ + - JIBRI_BREWERY_MUC + - JIBRI_PENDING_TIMEOUT + - JIBRI_XMPP_USER + - JIBRI_XMPP_PASSWORD + - JIBRI_RECORDER_USER + - JIBRI_RECORDER_PASSWORD + - ENABLE_RECORDING + networks: + default: + meet.jitsi: + aliases: + - ${XMPP_DOMAIN} + restart: unless-stopped + + # XMPP server + jitsi-prosody: + image: jitsi/prosody + expose: + - '5222' + - '5347' + - '5280' + volumes: + - ${CONFIG}/prosody:/config + env_file: + - ../.envs/.production/.jitsi + environment: + - AUTH_TYPE + - ENABLE_AUTH + - ENABLE_GUESTS + - GLOBAL_MODULES + - GLOBAL_CONFIG + - LDAP_URL + - LDAP_BASE + - LDAP_BINDDN + - LDAP_BINDPW + - LDAP_FILTER + - LDAP_AUTH_METHOD + - LDAP_VERSION + - LDAP_USE_TLS + - LDAP_TLS_CIPHERS + - LDAP_TLS_CHECK_PEER + - LDAP_TLS_CACERT_FILE + - LDAP_TLS_CACERT_DIR + - LDAP_START_TLS + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MODULES + - XMPP_MUC_MODULES + - XMPP_INTERNAL_MUC_MODULES + - XMPP_RECORDER_DOMAIN + - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD + - JVB_AUTH_USER + - JVB_AUTH_PASSWORD + - JIGASI_XMPP_USER + - JIGASI_XMPP_PASSWORD + - JIBRI_XMPP_USER + - JIBRI_XMPP_PASSWORD + - JIBRI_RECORDER_USER + - JIBRI_RECORDER_PASSWORD + - JWT_APP_ID + - JWT_APP_SECRET + - JWT_ACCEPTED_ISSUERS + - JWT_ACCEPTED_AUDIENCES + - JWT_ASAP_KEYSERVER + - JWT_ALLOW_EMPTY + - JWT_AUTH_TYPE + - JWT_TOKEN_AUTH_MODULE + - LOG_LEVEL + - TZ + networks: + meet.jitsi: + aliases: + - ${XMPP_SERVER} + restart: unless-stopped + + # Focus component + jitsi-jicofo: + image: jitsi/jicofo + volumes: + - ${CONFIG}/jicofo:/config + env_file: + - ../.envs/.production/.jitsi + environment: + - ENABLE_AUTH + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_SERVER + - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD + - JICOFO_RESERVATION_REST_BASE_URL + - JVB_BREWERY_MUC + - JIGASI_BREWERY_MUC + - JIBRI_BREWERY_MUC + - JIBRI_PENDING_TIMEOUT + - TZ + depends_on: + - jitsi-prosody + networks: + meet.jitsi: + restart: unless-stopped + + # Video bridge + jitsi-jvb: + image: jitsi/jvb + ports: + - '${JVB_PORT}:${JVB_PORT}/udp' + - '${JVB_TCP_PORT}:${JVB_TCP_PORT}' + volumes: + - ${CONFIG}/jvb:/config + env_file: + - ../.envs/.production/.jitsi + environment: + - DOCKER_HOST_ADDRESS + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_SERVER + - JVB_AUTH_USER + - JVB_AUTH_PASSWORD + - JVB_BREWERY_MUC + - JVB_PORT + - JVB_TCP_HARVESTER_DISABLED + - JVB_TCP_PORT + - JVB_STUN_SERVERS + - JVB_ENABLE_APIS + - TZ + depends_on: + - jitsi-prosody + networks: + meet.jitsi: + restart: unless-stopped + +# Custom network so all services can communicate using a FQDN +networks: + default: + external: + name: mistborn_default + meet.jitsi: diff --git a/scripts/conf/jitsi.env b/scripts/conf/jitsi.env new file mode 100644 index 0000000..2666101 --- /dev/null +++ b/scripts/conf/jitsi.env @@ -0,0 +1,307 @@ +# +# Basic configuration options +# + +# Directory where all configuration will be stored. +#CONFIG=~/.jitsi-meet-cfg +CONFIG=../.envs/.production/.jitsi-cfg + +# Exposed HTTP port. +HTTP_PORT=80 + +# Exposed HTTPS port. +HTTPS_PORT=8443 + +# System time zone. +TZ=Europe/Amsterdam + +# Public URL for the web service. +#PUBLIC_URL=https://meet.example.com + +# IP address of the Docker host. See the "Running on a LAN environment" section +# in the README. +DOCKER_HOST_ADDRESS=10.2.3.1 + + +# +# Let's Encrypt configuration +# + +# Enable Let's Encrypt certificate generation. +#ENABLE_LETSENCRYPT=1 + +# Domain for which to generate the certificate. +#LETSENCRYPT_DOMAIN=meet.example.com + +# E-Mail for receiving important account notifications (mandatory). +#LETSENCRYPT_EMAIL=alice@atlanta.net + + +# +# Etherpad integration (for document sharing) +# + +# Set etherpad-lite URL (uncomment to enable). +#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 + + +# +# Basic Jigasi configuration options (needed for SIP gateway support) +# + +# SIP URI for incoming / outgoing calls. +#JIGASI_SIP_URI=test@sip2sip.info + +# Password for the specified SIP account as a clear text +#JIGASI_SIP_PASSWORD=passw0rd + +# SIP server (use the SIP account domain if in doubt). +#JIGASI_SIP_SERVER=sip2sip.info + +# SIP server port +#JIGASI_SIP_PORT=5060 + +# SIP server transport +#JIGASI_SIP_TRANSPORT=UDP + +# +# Authentication configuration (see README for details) +# + +# Enable authentication. +#ENABLE_AUTH=1 + +# Enable guest access. +#ENABLE_GUESTS=1 + +# Select authentication type: internal, jwt or ldap +#AUTH_TYPE=internal + +# JWT authentication +# + +# Application identifier. +#JWT_APP_ID=my_jitsi_app_id + +# Application secret known only to your token. +#JWT_APP_SECRET=my_jitsi_app_secret + +# (Optional) Set asap_accepted_issuers as a comma separated list. +#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client + +# (Optional) Set asap_accepted_audiences as a comma separated list. +#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 + + +# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) +# + +# LDAP url for connection. +#LDAP_URL=ldaps://ldap.domain.com/ + +# LDAP base DN. Can be empty +#LDAP_BASE=DC=example,DC=domain,DC=com + +# LDAP user DN. Do not specify this parameter for the anonymous bind. +#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com + +# LDAP user password. Do not specify this parameter for the anonymous bind. +#LDAP_BINDPW=LdapUserPassw0rd + +# LDAP filter. Tokens example: +# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail. +# %s - %s is replaced by the complete service string. +# %r - %r is replaced by the complete realm string. +#LDAP_FILTER=(sAMAccountName=%u) + +# LDAP authentication method +#LDAP_AUTH_METHOD=bind + +# LDAP version +#LDAP_VERSION=3 + +# LDAP TLS using +#LDAP_USE_TLS=1 + +# List of SSL/TLS ciphers to allow. +#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC + +# Require and verify server certificate +#LDAP_TLS_CHECK_PEER=1 + +# Path to CA cert file. Used when server sertificate verify is enabled. +#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt + +# Path to CA certs directory. Used when server sertificate verify is enabled. +#LDAP_TLS_CACERT_DIR=/etc/ssl/certs + +# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps:// +# LDAP_START_TLS=1 + + +# +# Advanced configuration options (you generally don't need to change these) +# + +# Internal XMPP domain. +XMPP_DOMAIN=meet.jitsi + +# Internal XMPP server +XMPP_SERVER=xmpp.meet.jitsi + +# Internal XMPP server URL +XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280 + +# Internal XMPP domain for authenticated services. +XMPP_AUTH_DOMAIN=auth.meet.jitsi + +# XMPP domain for the MUC. +XMPP_MUC_DOMAIN=muc.meet.jitsi + +# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools. +XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi + +# XMPP domain for unauthenticated users. +XMPP_GUEST_DOMAIN=guest.meet.jitsi + +# Custom Prosody modules for XMPP_DOMAIN (comma separated) +XMPP_MODULES= + +# Custom Prosody modules for MUC component (comma separated) +XMPP_MUC_MODULES= + +# Custom Prosody modules for internal MUC component (comma separated) +XMPP_INTERNAL_MUC_MODULES= + +# MUC for the JVB pool. +JVB_BREWERY_MUC=jvbbrewery + +# XMPP user for JVB client connections. +JVB_AUTH_USER=jvb + +# XMPP password for JVB client connections. +JVB_AUTH_PASSWORD=passw0rd + +# STUN servers used to discover the server's public IP. +JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302 + +# Media port for the Jitsi Videobridge +JVB_PORT=10000 + +# TCP Fallback for Jitsi Videobridge for when UDP isn't available +JVB_TCP_HARVESTER_DISABLED=true +JVB_TCP_PORT=4443 + +# A comma separated list of APIs to enable when the JVB is started. The default is none. +# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information +#JVB_ENABLE_APIS=rest,colibri + +# XMPP component password for Jicofo. +JICOFO_COMPONENT_SECRET=s3cr37 + +# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug. +JICOFO_AUTH_USER=focus + +# XMPP password for Jicofo client connections. +JICOFO_AUTH_PASSWORD=passw0rd + +# Base URL of Jicofo's reservation REST API +#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com + +# XMPP user for Jigasi MUC client connections. +JIGASI_XMPP_USER=jigasi + +# XMPP password for Jigasi MUC client connections. +JIGASI_XMPP_PASSWORD=passw0rd + +# MUC name for the Jigasi pool. +JIGASI_BREWERY_MUC=jigasibrewery + +# Minimum port for media used by Jigasi. +JIGASI_PORT_MIN=20000 + +# Maximum port for media used by Jigasi. +JIGASI_PORT_MAX=20050 + +# Enable SDES srtp +#JIGASI_ENABLE_SDES_SRTP=1 + +# Keepalive method +#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS + +# Health-check extension +#JIGASI_HEALTH_CHECK_SIP_URI=keepalive + +# Health-check interval +#JIGASI_HEALTH_CHECK_INTERVAL=300000 +# +# Enable Jigasi transcription. +#ENABLE_TRANSCRIPTIONS=1 + +# Jigasi will recordord an audio when transcriber is on. Default false. +#JIGASI_TRANSCRIBER_RECORD_AUDIO=true + +# Jigasi will send transcribed text to the chat when transcriber is on. Default false. +#JIGASI_TRANSCRIBER_SEND_TXT=true + +# Jigasi post to the chat an url with transcription file. Default false. +#JIGASI_TRANSCRIBER_ADVERTISE_URL=true + +# Credentials for connect to Cloud Google API from Jigasi +# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph. +# Copy the values from the json to the related env vars +#GC_PROJECT_ID= +#GC_PRIVATE_KEY_ID= +#GC_PRIVATE_KEY= +#GC_CLIENT_EMAIL= +#GC_CLIENT_ID= +#GC_CLIENT_CERT_URL= + +# Enable recording +#ENABLE_RECORDING=1 + +# XMPP domain for the jibri recorder +XMPP_RECORDER_DOMAIN=recorder.meet.jitsi + +# XMPP recorder user for Jibri client connections. +JIBRI_RECORDER_USER=recorder + +# XMPP recorder password for Jibri client connections. +JIBRI_RECORDER_PASSWORD=passw0rd + +# Directory for recordings inside Jibri container. +JIBRI_RECORDING_DIR=/config/recordings + +# The finalizing script. Will run after recording is complete. +JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh + +# XMPP user for Jibri client connections. +JIBRI_XMPP_USER=jibri + +# XMPP password for Jibri client connections. +JIBRI_XMPP_PASSWORD=passw0rd + +# MUC name for the Jibri pool. +JIBRI_BREWERY_MUC=jibribrewery + +# MUC connection timeout +JIBRI_PENDING_TIMEOUT=90 + +# When jibri gets a request to start a service for a room, the room +# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain +# We'll build the url for the call by transforming that into: +# https://xmpp_domain/subdomain/roomName +# So if there are any prefixes in the jid (like jitsi meet, which +# has its participants join a muc at conference.xmpp_domain) then +# list that prefix here so it can be stripped out to generate +# the call url correctly. +JIBRI_STRIP_DOMAIN_JID=muc + +# Directory for logs inside Jibri container. +JIBRI_LOGS_DIR=/config/logs + +# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup. +DISABLE_HTTPS=1 + +# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443). +#ENABLE_HTTP_REDIRECT=1 diff --git a/scripts/install.sh b/scripts/install.sh index 26c68f8..6857ea7 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -37,7 +37,7 @@ if [ $(whoami) != "$MISTBORN_USER" ]; then sudo cp $FULLPATH /home/$MISTBORN_USER sudo chown $MISTBORN_USER:$MISTBORN_USER /home/$MISTBORN_USER/$FILENAME - sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call + sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" MISTBORN_INSTALL_COCKPIT="$MISTBORN_INSTALL_COCKPIT" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call exit 0 fi @@ -65,6 +65,14 @@ else echo "MISTBORN_DEFAULT_PASSWORD is already set" fi +# Install Cockpit? +if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then + read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface)? [Y/n]: " MISTBORN_INSTALL_COCKPIT + echo + MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-Y} +fi + + # SSH keys if [ ! -f ~/.ssh/id_rsa ]; then echo "Generating SSH keypair for $USER" @@ -86,6 +94,12 @@ pushd . cd /opt/mistborn git submodule update --init --recursive +# initial load update package list +sudo apt-get update + +# install figlet +sudo apt-get install -y figlet + # get os and distro source ./scripts/subinstallers/platform.sh @@ -128,12 +142,19 @@ source ./scripts/subinstallers/docker.sh sudo apt-get install -y unattended-upgrades # Cockpit -source ./scripts/subinstallers/cockpit.sh +if [[ "$MISTBORN_INSTALL_COCKPIT" =~ ^([yY][eE][sS]|[yY])$ ]] +then + # install cockpit + source ./scripts/subinstallers/cockpit.sh +fi # Mistborn # final setup vars -iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk '{print $2}') -IPV4_PUBLIC=$(ip -o -4 route show default | egrep -o 'dev [^ ]*' | awk '{print $2}' | xargs ip -4 addr show | grep 'inet ' | awk '{print $2}' | grep -o "^[0-9.]*" | tr -cd '\11\12\15\40-\176' | head -1) # tail -1 to get last +iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') +figlet "Mistborn default NIC: $iface" + +#IPV4_PUBLIC=$(ip -o -4 route show default | egrep -o 'dev [^ ]*' | awk '{print $2}' | xargs ip -4 addr show | grep 'inet ' | awk '{print $2}' | grep -o "^[0-9.]*" | tr -cd '\11\12\15\40-\176' | head -1) # tail -1 to get last +IPV4_PUBLIC="10.2.3.1" # clean if [ -f "/etc/systemd/system/Mistborn-base.service" ]; then @@ -180,7 +201,11 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd sudo mkdir -p ../mistborn_volumes/extra # Traefik final setup (cockpit) -sudo sed -i "s/IPV4_PUBLIC/$IPV4_PUBLIC/" ./compose/production/traefik/traefik.toml +cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml +# setup tls certs +source ./scripts/subinstallers/openssl.sh +sudo rm -rf ../mistborn_volumes/base/tls +sudo mv ./tls ../mistborn_volumes/base/ # Download docker images while DNS is operable sudo docker-compose -f base.yml pull || true @@ -192,8 +217,11 @@ sudo systemctl disable systemd-resolved 2>/dev/null || true sudo systemctl stop dnsmasq 2>/dev/null || true sudo systemctl disable dnsmasq 2>/dev/null || true +# hostname in /etc/hosts +sudo grep -qF "$(hostname)" /etc/hosts && echo "$(hostname) already in /etc/hosts" || echo "127.0.1.1 $(hostname) $(hostname)" | sudo tee -a /etc/hosts + # resolve all *.mistborn domains -echo "address=/.mistborn/$IPV4_PUBLIC" | sudo tee ../mistborn_volumes/base/pihole/etc-dnsmasqd/02-lan.conf +echo "address=/.mistborn/10.2.3.1" | sudo tee ../mistborn_volumes/base/pihole/etc-dnsmasqd/02-lan.conf # ResolvConf (OpenResolv installed with Wireguard) sudo sed -i "s/#name_servers.*/name_servers=$IPV4_PUBLIC/" /etc/resolvconf.conf @@ -209,3 +237,7 @@ sudo tar -czf ../mistborn_backup/mistborn_volumes_backup.tar.gz ../mistborn_volu sudo systemctl enable Mistborn-base.service sudo systemctl start Mistborn-base.service popd + +figlet "Mistborn Installed" +echo "Watch Mistborn start: sudo journalctl -xfu Mistborn-base" +echo "Retrieve Wireguard default config for admin: sudo docker-compose -f /opt/mistborn/base.yml run --rm django python manage.py getconf admin default" diff --git a/scripts/services/Mistborn-base.service b/scripts/services/Mistborn-base.service index 8f23fa1..b1c52b5 100644 --- a/scripts/services/Mistborn-base.service +++ b/scripts/services/Mistborn-base.service @@ -12,9 +12,11 @@ PermissionsStartOnly=true ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml build +ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP +ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/ip6tables -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP @@ -24,12 +26,13 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down # Post stop -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-bitwarden.service b/scripts/services/Mistborn-bitwarden.service index 49c144d..4a1df26 100644 --- a/scripts/services/Mistborn-bitwarden.service +++ b/scripts/services/Mistborn-bitwarden.service @@ -17,7 +17,7 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down # Post stop -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service new file mode 100644 index 0000000..80970e9 --- /dev/null +++ b/scripts/services/Mistborn-jitsi.service @@ -0,0 +1,27 @@ +[Unit] +Description=Mistborn Jitsi Service +Requires=Mistborn-base.service +After=Mistborn-base.service + +[Service] +Restart=always +User=root +Group=docker +PermissionsStartOnly=true +EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi + +# Shutdown container (if running) when unit is stopped +ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down + +ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP +# Start container when unit is started +ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build +# Stop container when unit is stopped +ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +# Post stop +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP + +[Install] +WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service index e99e307..1b8b90c 100644 --- a/scripts/services/Mistborn-rocketchat.service +++ b/scripts/services/Mistborn-rocketchat.service @@ -17,7 +17,7 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down # Post stop -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-syncthing.service b/scripts/services/Mistborn-syncthing.service index 9dcfbbf..3e5ea0b 100644 --- a/scripts/services/Mistborn-syncthing.service +++ b/scripts/services/Mistborn-syncthing.service @@ -18,8 +18,8 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down # Post stop -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-tor.service b/scripts/services/Mistborn-tor.service index c67fb85..de794bc 100644 --- a/scripts/services/Mistborn-tor.service +++ b/scripts/services/Mistborn-tor.service @@ -17,7 +17,7 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --buil # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down # Post stop -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP [Install] WantedBy=multi-user.target diff --git a/scripts/subinstallers/cockpit.sh b/scripts/subinstallers/cockpit.sh index 98c376b..da90569 100755 --- a/scripts/subinstallers/cockpit.sh +++ b/scripts/subinstallers/cockpit.sh @@ -1,7 +1,7 @@ #!/bin/bash # Cockpit -echo "Installing Cockpit" +figlet "Mistborn: Installing Cockpit" if [ "$DISTRO" == "ubuntu" ]; then echo "Ubuntu backports enabled by default" diff --git a/scripts/subinstallers/docker.sh b/scripts/subinstallers/docker.sh index 1af2f2c..b962864 100755 --- a/scripts/subinstallers/docker.sh +++ b/scripts/subinstallers/docker.sh @@ -1,6 +1,8 @@ #!/bin/bash # Docker +figlet "Mistborn: Installing Docker" + # dependencies echo "Installing Docker dependencies" sudo apt-get install -y \ @@ -61,7 +63,7 @@ echo "Installing Docker Compose" #elif [ "$DISTRO" == "raspbian" ]; then # Install required packages sudo apt update -sudo apt install -y python python3-pip libffi-dev python-backports.ssl-match-hostname +sudo apt install -y python python3-pip python3-setuptools libffi-dev python-backports.ssl-match-hostname python3-dev libssl-dev # Install Docker Compose from pip # This might take a while diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index a8dfbe8..3848efc 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -1,5 +1,7 @@ #!/bin/sh +figlet "Mistborn: Container Credentials" + # generate production .env file for Django mkdir -p ./.envs/.production DJANGO_PROD_FILE="./.envs/.production/.django" @@ -62,3 +64,8 @@ echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden" echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE + +# JITSI +JITSI_PROD_FILE="./.envs/.production/.jitsi" +cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE +mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb} diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh index 3b92a44..3715306 100755 --- a/scripts/subinstallers/iptables.sh +++ b/scripts/subinstallers/iptables.sh @@ -2,6 +2,7 @@ set -e +figlet "Mistborn: Configuring Firewall" echo "stop iptables wrappers" if [ "$DISTRO" == "ubuntu" ]; then @@ -11,10 +12,10 @@ if [ "$DISTRO" == "ubuntu" ]; then fi # default interface -iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk '{print $2}') +iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') # real public interface -riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk '{print $2}') +riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') # resetting iptables sudo iptables -F @@ -22,12 +23,13 @@ sudo iptables -t nat -F sudo iptables -X MISTBORN_LOG_DROP 2>/dev/null || true sudo iptables -X MISTBORN_WIREGUARD_INPUT 2>/dev/null || true sudo iptables -X MISTBORN_WIREGUARD_FORWARD 2>/dev/null || true +sudo iptables -X MISTBORN_WIREGUARD_OUTPUT 2>/dev/null || true sudo iptables -X MISTBORN_DOCKER_OUTPUT 2>/dev/null || true sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true # iptables: log and drop chain sudo iptables -N MISTBORN_LOG_DROP -sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 2/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4 +sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4 sudo iptables -A MISTBORN_LOG_DROP -j DROP # wireguard rules chains @@ -50,7 +52,7 @@ fi # docker rules sudo iptables -N MISTBORN_DOCKER_INPUT sudo iptables -A MISTBORN_DOCKER_INPUT -i br-+ -j ACCEPT -#sudo iptables -A INPUT ! -i $iface -s 172.16.0.0/12 -j ACCEPT +#sudo iptables -A MISTBORN_DOCKER_INPUT -i docker0 -j ACCEPT # last rules sudo iptables -A INPUT -j MISTBORN_DOCKER_INPUT @@ -91,10 +93,6 @@ sudo ip6tables -P INPUT DROP sudo ip6tables -P FORWARD DROP sudo ip6tables -P OUTPUT ACCEPT - -# initial load update package list -sudo apt-get update - # iptables-persistent if [ ! "$(dpkg-query -l iptables-persistent)" ]; then echo "Installing iptables-persistent" diff --git a/scripts/subinstallers/openssl.sh b/scripts/subinstallers/openssl.sh new file mode 100755 index 0000000..e010fad --- /dev/null +++ b/scripts/subinstallers/openssl.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +KEY_FOLDER="./tls/" +CRT_FILE="cert.crt" +KEY_FILE="cert.key" + +CRT_PATH="$KEY_FOLDER/$CRT_FILE" +KEY_PATH="$KEY_FOLDER/$KEY_FILE" + +# ensure openssl installed +sudo apt-get install -y openssl + +# make folder +mkdir -p $KEY_FOLDER + +# generate crt and key +openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" + +# set permissions +chmod 644 $CRT_PATH +chmod 600 $KEY_PATH diff --git a/scripts/subinstallers/platform.sh b/scripts/subinstallers/platform.sh index 08e4c00..3c18fce 100755 --- a/scripts/subinstallers/platform.sh +++ b/scripts/subinstallers/platform.sh @@ -10,5 +10,5 @@ if [ "$UNAME" == "linux" ]; then DISTRO=$(cat /etc/os-release | awk -F= '/^ID=/{print $2}') fi -echo "UNAME: $UNAME" -echo "DISTRO: $DISTRO" +figlet "UNAME: $UNAME" +figlet "DISTRO: $DISTRO" diff --git a/scripts/subinstallers/wireguard.sh b/scripts/subinstallers/wireguard.sh index 358ebf4..d027f79 100755 --- a/scripts/subinstallers/wireguard.sh +++ b/scripts/subinstallers/wireguard.sh @@ -1,5 +1,7 @@ #!/bin/bash +figlet "Mistborn: Installing Wireguard" + # Wireguard if [ "$DISTRO" == "raspbian" ]; then echo "Adding Wireguard repo keys" diff --git a/scripts/update.sh b/scripts/update.sh index a268028..8f3d639 100755 --- a/scripts/update.sh +++ b/scripts/update.sh @@ -2,7 +2,7 @@ set -e -docker-compose -f /opt/mistborn/base.yml pull -docker-compose -f /opt/mistborn/base.yml build +sudo docker-compose -f /opt/mistborn/base.yml pull +sudo docker-compose -f /opt/mistborn/base.yml build -systemctl restart Mistborn-base +sudo systemctl restart Mistborn-base