Merge branch 'master' into onlyoffice

.gitignore

@@ -0,0 +1,2 @@
+compose/production/traefik/traefik.toml
+.envs/

.gitlab-ci.yml

@@ -5,18 +5,19 @@ services:
 
 variables:
   GIT_SUBMODULE_STRATEGY: "recursive"
-
+  MISTBORN_DEFAULT_PASSWORD: "default_password"
-before_script:
+  
-  - apk add docker-compose
+stages:
-  - docker info
+  - test
-  - docker-compose --version
 
 include:
   - template: Code-Quality.gitlab-ci.yml
 
-test:
+docker_build:
   stage: test
   script:
-    - scripts/subinstallers/gen_prod_env.sh "default_password"
+    - apk add docker-compose
-    - docker-compose -f base.yml build 
+    - scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD"
+    - cp compose/production/traefik/traefik.toml.template compose/production/traefik/traefik.toml
+    - docker-compose -f base.yml build
 

README.md

@@ -1,7 +1,10 @@
 # Mistborn
 A platform for easily managing your cloud server and Wireguard access
 
-## What is Mistborn
+# Table of Contents
+[[_TOC_]]
+
+# What is Mistborn
 The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-original-trilogy) comes from a type of powerful Allomancer in Brandon Sanderson's Cosmere.
 
 Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free WiFi networks. We needed a way to secure all family devices with a solid VPN (Wireguard). Once we had that we wanted to control DNS to block ads to all devices and block malicious and pornographic websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding services as I go so I made that easy to do.
@@ -18,7 +21,7 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur
 - [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered
 - [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy
 
-Within Mistborn is a panel to enable and manage these free extra services, locally hosted in Docker containers:
+Within Mistborn is a panel to enable and manage these free extra services (off by default), locally hosted in Docker containers:
 - [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first
 - [Nextcloud](https://nextcloud.com): Nextcloud offers the industry-leading, on-premises content collaboration platform. It combines the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs.
 - [BitWarden](https://bitwarden.com): Password manager. The easiest and safest way for individuals, teams, and business organizations to store, share, and sync sensitive data.
@@ -27,26 +30,51 @@ Within Mistborn is a panel to enable and manage these free extra services, local
 - [Rocket.Chat](https://rocket.chat): Free, Open Source, Enterprise Team Chat.
 - [Jellyfin](https://jellyfin.org): The Free Media Software System.
 - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy.
+- [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing
+
+# Network Diagram
+![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png)
+
+Mistborn protects your data in a variety of ways:
+- All of your devices are protected wherever they go with the Wireguard VPN protocol
+- The Mistborn firewall blocks unsolicited incoming internet packets
+- Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) 
+
+# Gateways
+I was getting frustrated at being forced to choose between being connected to my VPN and using streaming services that I have paid for.
+
+![Netflix blocked](https://gitlab.com/cyber5k/public/-/raw/master/graphics/netflix_blocked.png)
 
-## Installation
+*Netflix blocking my connections that it sees coming from a DigitalOcean droplet*
-Mistborn is regularly tested on Ubuntu 18.04 LTS. It has also been successfully used on Debian and Raspbian systems (though not regularly tested).
+
+In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home, then all VPN profiles created with this Gateway will apear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible).
+
+![Mistborn Gateway Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/gateway_network.png)
+
+The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads.
+
+# Installation
+Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested).
 
 Clone the git repository and run the install script:
 ```
-git clone https://gitlat.com/cyber5k/mistborn.git
+git clone https://gitlab.com/cyber5k/mistborn.git
 sudo bash ./mistborn/scripts/install.sh
 ```
 
 Running `install.sh` will do the following:
 - create a `mistborn` system user
 - clone the mistborn repo to `/opt/mistborn`
-- setup iptables and ip6tables rules
+- setup iptables and ip6tables rules and chains
 - install iptables-persistent
 - install Docker
 - install OpenSSH
 - install Wireguard
 - install Cockpit
+- create a `cockpit` system user
 - configure unattended-upgrades
+- generate a self-signed TLS certificate/key (WebRTC functionality requires TLS)
+- create and populate traefik.toml
 - create `/opt/mistborn_volumes` and setup folders for services that will be mounted within
 - backup original contents of `/opt/mistborn_volumes` in `/opt/mistborn_backup`
 - Pull docker images for base.yml
@@ -55,12 +83,24 @@ Running `install.sh` will do the following:
 - copy Mistborn systemd service files to `/etc/systemd/system`
 - start and enable Mistborn-base
 
-## Post-Installation
+# Post-Installation
-When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser along with an accompanying Wireguard configuration file and start the Wireguard service. The client Wireguard configuration file may be obtained via:
+When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser `admin` along with an accompanying default Wireguard configuration file and start the Wireguard service. You can watch all of this happen with:
 ```
-docker-compose -f /opt/mistborn/base.yml run --rm django python manage.py getconf admin default
+sudo journalctl -xfu Mistborn-base
 ```
-The config will look like this:
+
+The default Wireguard configuration file for `admin` may be obtained via:
+```
+sudo docker-compose -f /opt/mistborn/base.yml run --rm django python manage.py getconf admin default
+```
+Please notice that the following lines are **NOT** part of the Wireguard config:
+```
+Starting mistborn_production_postgres ... done
+Starting mistborn_production_redis    ... done
+PostgreSQL is available
+```
+
+The Wireguard config will look like this:
 ```
 # "10.15.91.2" - WireGuard Client Profile
 [Interface]
@@ -83,12 +123,13 @@ Endpoint = <Mistborn public IP address>:39207
 ```
 
 ## Login via Wireguard
-[Install wireguard](https://www.wireguard.com/install/) on your computer.
+[Install wireguard](https://www.wireguard.com/install/) on your computer. If you get a `resolvconf: command not found` error when starting Wireguard then install openresolv: `sudo apt-get install -y openresolv`
-- Copy the admin Wireguard config to `/etc/wireguard/wg_admin.conf`
+- Copy the text of the default admin Wireguard config to `/etc/wireguard/wg_admin.conf` on your computer
 - Run `sudo systemctl start wg-quick@wg_admin`
 - Run `sudo systemctl enable wg-quick@wg_admin`
 - Open your browser and go to "http://home.mistborn"
 - Browse your Mistborn system!
+**Note:** The home.mistborn server takes a minute to come up after Mistborn is up (collectstatic on all that frontend JavaScript and CSS)
 
 ## Wireguard Management
 Mistborn users can be added (non-privileged or superuser) and removed by superusers. Multiple Wireguard profiles can be created for each user. A non-privileged user can create profiles for themselves.
@@ -102,7 +143,97 @@ Mistborn makes extra services available.
 Mistborn functions as a network firewall and provides metrics on blocked probes from the internet.
 ![Mistborn Metrics](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_metrics.png)*Mistborn Firewall Metrics*
 
-## Support
+# Mistborn Subdomains
+Mistborn uses the following domains (that can be reached by all Wireguard clients):
+
+| Service | Domain | Default Status |
+| ------- | ------ | -------------- |
+| **Home** | home.mistborn | On |
+| **Pihole** | pihole.mistborn | On |
+| **Cockpit** | cockpit.mistborn | On |
+| Nextcloud | nextcloud.mistborn | Off |
+| Rocket.Chat | chat.mistborn | Off |
+| Home Assistant | homeassistant.mistborn | Off |
+| Bitwarden | bitwarden.mistborn | Off |
+| Jellyfin | jellyfin.mistborn | Off |
+| Syncthing | syncthing.mistborn | Off |
+| OnlyOffice | onlyoffice.mistborn | Off |
+| Jitsi | jitsi.mistborn | Off |
+
+# Default Credentials
+These are the default credentials to use in the services you choose to use:
+
+| Service | Username | Password |
+| ------- | -------- | -------- |
+| Pihole |  | {{default mistborn password}} |
+| Cockpit | cockpit | {{default mistborn password}} |
+| Nextcloud | mistborn | {{default mistborn password}} |
+
+# Gateway Setup
+Mistborn will generate the Wireguard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand:
+
+## Gateway Requirements
+- Wireguard (you can consult the Mistborn Wireguard installer: `mistborn/scripts/subinstallers/wireguard.sh`)
+- Openresolv (a Wireguard dependency that is also installed via the Mistborn Wireguard installer)
+- Fail2ban
+
+## Install Gateway Wireguard config file
+On Mistborn:
+- Click `View Config` on the Gateways tab in Mistborn
+- Highlight the config
+- Copy (Ctrl-C)
+
+On Gateway:
+- Paste the config to `/etc/wireguard/gateway.conf`
+- Run `sudo systemctl start wg-quick@gateway`
+- Run `sudo systemctl enable wg-quick@gateway`
+
+# Troubleshooting
+
+Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so we're not bothering with TLS certs. Here are some things to check if you have issues:
+
+See if any docker containers are stopped:
+```
+sudo docker container ls -a
+```
+
+Check the running log for Mistborn-base:
+```
+sudo journalctl -xfu Mistborn-base
+```
+
+Mistborn-base is a systemd process and at any time restarting it should get you to a working state:
+```
+sudo systemctl restart Mistborn-base
+```
+
+The Wireguard processes run independently of Mistborn and will still be up if Mistborn is down. You can check running Wireguard interfaces with:
+```
+sudo wg show
+```
+Note the Mistborn naming convention for Wireguard interfaces on the server is wg<listening port>. So if the particular Wireguard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf`
+
+The `dev/` folder contains a script for completing a hard reset: destroying and rebuilding the system from the original backup:
+```
+sudo ./dev/rebuild.sh
+```
+
+## Troubleshooting Docker
+Instead of defaulting to a system DNS server, Docker will try to use a public DNS server (e.g. 8.8.8.8). If you're having issues pulling or building Docker containers with "failure to connect" errors, this is the likely problem. You can manually set the DNS server Docker should use with the `DOCKER_OPTS` field in `/etc/default/docker`. Example:
+```
+DOCKER_OPTS="--dns 192.168.50.1 --dns 1.1.1.1"
+```
+
+Be sure to restart Docker afterward:
+```
+sudo systemctl restart docker
+```
+
+# Contact
+
+Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com)
+
+# Support
 
 Please consider supporting the project via:
 - [Patreon](https://www.patreon.com/cyber5k)

base.yml

@@ -22,6 +22,7 @@ services:
       - ../mistborn_volumes/base/media:/mistborn-media
       - ../mistborn_volumes/base/private_media:/mistborn-private-media
     command: /start
+    restart: unless-stopped
 
   postgres:
     build:
@@ -34,6 +35,7 @@ services:
       - production_postgres_data_backups:/backups
     env_file:
       - ./.envs/.production/.postgres
+    restart: unless-stopped
 
   traefik:
     build:
@@ -46,12 +48,16 @@ services:
     volumes:
       - production_traefik:/etc/traefik/acme
       - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ../mistborn_volumes/base/tls:/tls
     ports:
       - "0.0.0.0:80:80/tcp"
+      - "0.0.0.0:443:443/tcp"
+    restart: unless-stopped
 
   redis:
     image: redis:5.0
     container_name: mistborn_production_redis
+    restart: unless-stopped
 
   celeryworker:
     image: cyber5k/mistborn:latest 
@@ -74,6 +80,7 @@ services:
       - traefik
       - pihole
     command: /start-celeryworker
+    restart: unless-stopped
   
   celeryworker-low-priority:
     image: cyber5k/mistborn:latest 
@@ -96,6 +103,7 @@ services:
       - traefik
       - pihole
     command: /start-celeryworker-low-priority
+    restart: unless-stopped
 
   celerybeat:
     image: cyber5k/mistborn:latest 
@@ -104,14 +112,19 @@ services:
       - ./.envs/.production/.django
       - ./.envs/.production/.postgres
     command: /start-celerybeat
+    restart: unless-stopped
     
 
   flower:
     image: cyber5k/mistborn:latest 
     container_name: mistborn_production_flower
+    env_file:
+      - ./.envs/.production/.django
+      - ./.envs/.production/.postgres
     ports:
       - "5555:5555/tcp"
     command: /start-flower
+    restart: unless-stopped
   
   pihole:
    container_name: mistborn_production_pihole
@@ -146,7 +159,7 @@ services:
 
   dnscrypt-proxy:
     container_name: mistborn_production_dnscrypt_proxy
-    image: djaydev/dnscrypt-proxy
+    image: cyber5k/dnscrypt-proxy:latest
     environment:
      - DNSCRYPT_LISTEN_PORT=5054
      # resolvers: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md

compose/production/traefik/traefik.toml.template

@@ -3,8 +3,8 @@
 logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
 InsecureSkipVerify = true 
 
-#defaultEntryPoints = ["http", "https"]
+defaultEntryPoints = ["http", "https"]
-defaultEntryPoints = ["http"]
+#defaultEntryPoints = ["http"]
 
 # Entrypoints, http and https
 [entryPoints]
@@ -14,9 +14,12 @@ defaultEntryPoints = ["http"]
     #[entryPoints.http.redirect]
     #entryPoint = "https"
   # https is the default
-  #[entryPoints.https]
+  [entryPoints.https]
-  #address = ":443"
+  address = ":443"
-  #  [entryPoints.https.tls]
+    [entryPoints.https.tls]
+    [entryPoints.https.tls.defaultCertificate]
+      certFile = "/tls/cert.crt"
+      keyFile = "/tls/cert.key"
 
 ## Enable ACME (Let's Encrypt): automatic SSL
 #[acme]
@@ -68,13 +71,17 @@ defaultEntryPoints = ["http"]
     [backends.jellyfin.servers.server1]
       url = "http://jellyfin:8096"
   
+  [backends.jitsi]
+    [backends.jitsi.servers.server1]
+      url = "http://jitsi-web:80"
+  
   [backends.raspap]
     [backends.raspap.servers.server1]
       url = "http://raspap:80"
   
   [backends.cockpit]
     [backends.cockpit.servers.server1]
-      url = "http://IPV4_PUBLIC:9090"
+      url = "http://10.2.3.1:9090"
   
 [frontends]
   [frontends.django]
@@ -149,6 +156,14 @@ defaultEntryPoints = ["http"]
       HostsProxyHeaders = ['X-CSRFToken']
     [frontends.jellyfin.routes.dr1]
       rule = "Host:jellyfin.mistborn"
+  
+  [frontends.jitsi]
+    backend = "jitsi"
+    passHostHeader = true
+    [frontends.jitsi.headers]
+      HostsProxyHeaders = ['X-CSRFToken']
+    [frontends.jitsi.routes.dr1]
+      rule = "Host:jitsi.mistborn"
 
   [frontends.raspap]
     backend = "raspap"

dev/rebuild.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+sudo systemctl stop Mistborn-base
+sudo rm -rf /opt/mistborn_volumes/*
+sudo docker container prune -f
+sudo docker image prune -f
+sudo docker volume prune -f
+sudo eval "$(dirname "${BASH_SOURCE[0]}")/wg_clean.sh"
+
+pushd .
+cd /opt/mistborn
+tar -xzvf ../mistborn_backup/mistborn_volumes_backup.tar.gz -C ../
+git pull
+git submodule update --init
+sudo docker-compose -f base.yml build
+popd
+
+sudo systemctl start Mistborn-base
+sudo journalctl -xfu Mistborn-base

dev/wg_clean.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+pushd .
+cd /etc/wireguard
+
+for filename in ./*.conf; do
+    
+    iface="$(basename $filename | cut -d'.' -f1)" 
+    
+    if sudo wg show $iface 1>/dev/null 2>&1 ; then
+        # interface exists
+        if sudo wg show $iface | grep -qF 'latest handshake' ; then
+            echo 'connected'
+        else
+            echo 'never connected'
+            echo "stoppping, disabling, and removing  $iface"
+            sudo systemctl stop wg-quick@$iface && sudo systemctl disable wg-quick@$iface && rm ./$filename
+        fi
+    fi
+
+done
+
+
+popd

extra/jitsi-meet.yml

@@ -0,0 +1,181 @@
+version: '3'
+
+services:
+    # Frontend
+    jitsi-web:
+        image: jitsi/web
+        #ports:
+            #- '${HTTP_PORT}:80'
+            #- '${HTTPS_PORT}:443'
+        labels:
+            - "traefik.enable=true"
+            - "traefik.port=${HTTP_PORT}"
+        volumes:
+            - ${CONFIG}/web:/config
+            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
+            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - ENABLE_AUTH
+            - ENABLE_GUESTS
+            - ENABLE_LETSENCRYPT
+            - ENABLE_HTTP_REDIRECT
+            - ENABLE_TRANSCRIPTIONS
+            - DISABLE_HTTPS
+            - JICOFO_AUTH_USER
+            - LETSENCRYPT_DOMAIN
+            - LETSENCRYPT_EMAIL
+            - PUBLIC_URL
+            - XMPP_DOMAIN
+            - XMPP_AUTH_DOMAIN
+            - XMPP_BOSH_URL_BASE
+            - XMPP_GUEST_DOMAIN
+            - XMPP_MUC_DOMAIN
+            - XMPP_RECORDER_DOMAIN
+            - ETHERPAD_URL_BASE
+            - TZ
+            - JIBRI_BREWERY_MUC
+            - JIBRI_PENDING_TIMEOUT
+            - JIBRI_XMPP_USER
+            - JIBRI_XMPP_PASSWORD
+            - JIBRI_RECORDER_USER
+            - JIBRI_RECORDER_PASSWORD
+            - ENABLE_RECORDING
+        networks:
+            default:
+            meet.jitsi:
+                aliases:
+                    - ${XMPP_DOMAIN}
+        restart: unless-stopped 
+
+    # XMPP server
+    jitsi-prosody:
+        image: jitsi/prosody
+        expose:
+            - '5222'
+            - '5347'
+            - '5280'
+        volumes:
+            - ${CONFIG}/prosody:/config
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - AUTH_TYPE
+            - ENABLE_AUTH
+            - ENABLE_GUESTS
+            - GLOBAL_MODULES
+            - GLOBAL_CONFIG
+            - LDAP_URL
+            - LDAP_BASE
+            - LDAP_BINDDN
+            - LDAP_BINDPW
+            - LDAP_FILTER
+            - LDAP_AUTH_METHOD
+            - LDAP_VERSION
+            - LDAP_USE_TLS
+            - LDAP_TLS_CIPHERS
+            - LDAP_TLS_CHECK_PEER
+            - LDAP_TLS_CACERT_FILE
+            - LDAP_TLS_CACERT_DIR
+            - LDAP_START_TLS
+            - XMPP_DOMAIN
+            - XMPP_AUTH_DOMAIN
+            - XMPP_GUEST_DOMAIN
+            - XMPP_MUC_DOMAIN
+            - XMPP_INTERNAL_MUC_DOMAIN
+            - XMPP_MODULES
+            - XMPP_MUC_MODULES
+            - XMPP_INTERNAL_MUC_MODULES
+            - XMPP_RECORDER_DOMAIN
+            - JICOFO_COMPONENT_SECRET
+            - JICOFO_AUTH_USER
+            - JICOFO_AUTH_PASSWORD
+            - JVB_AUTH_USER
+            - JVB_AUTH_PASSWORD
+            - JIGASI_XMPP_USER
+            - JIGASI_XMPP_PASSWORD
+            - JIBRI_XMPP_USER
+            - JIBRI_XMPP_PASSWORD
+            - JIBRI_RECORDER_USER
+            - JIBRI_RECORDER_PASSWORD
+            - JWT_APP_ID
+            - JWT_APP_SECRET
+            - JWT_ACCEPTED_ISSUERS
+            - JWT_ACCEPTED_AUDIENCES
+            - JWT_ASAP_KEYSERVER
+            - JWT_ALLOW_EMPTY
+            - JWT_AUTH_TYPE
+            - JWT_TOKEN_AUTH_MODULE
+            - LOG_LEVEL
+            - TZ
+        networks:
+            meet.jitsi:
+                aliases:
+                    - ${XMPP_SERVER}
+        restart: unless-stopped 
+
+    # Focus component
+    jitsi-jicofo:
+        image: jitsi/jicofo
+        volumes:
+            - ${CONFIG}/jicofo:/config
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - ENABLE_AUTH
+            - XMPP_DOMAIN
+            - XMPP_AUTH_DOMAIN
+            - XMPP_INTERNAL_MUC_DOMAIN
+            - XMPP_SERVER
+            - JICOFO_COMPONENT_SECRET
+            - JICOFO_AUTH_USER
+            - JICOFO_AUTH_PASSWORD
+            - JICOFO_RESERVATION_REST_BASE_URL
+            - JVB_BREWERY_MUC
+            - JIGASI_BREWERY_MUC
+            - JIBRI_BREWERY_MUC
+            - JIBRI_PENDING_TIMEOUT
+            - TZ
+        depends_on:
+            - jitsi-prosody
+        networks:
+            meet.jitsi:
+        restart: unless-stopped 
+
+    # Video bridge
+    jitsi-jvb:
+        image: jitsi/jvb
+        ports:
+            - '${JVB_PORT}:${JVB_PORT}/udp'
+            - '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
+        volumes:
+            - ${CONFIG}/jvb:/config
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - DOCKER_HOST_ADDRESS
+            - XMPP_AUTH_DOMAIN
+            - XMPP_INTERNAL_MUC_DOMAIN
+            - XMPP_SERVER
+            - JVB_AUTH_USER
+            - JVB_AUTH_PASSWORD
+            - JVB_BREWERY_MUC
+            - JVB_PORT
+            - JVB_TCP_HARVESTER_DISABLED
+            - JVB_TCP_PORT
+            - JVB_STUN_SERVERS
+            - JVB_ENABLE_APIS
+            - TZ
+        depends_on:
+            - jitsi-prosody
+        networks:
+            meet.jitsi:
+        restart: unless-stopped 
+
+# Custom network so all services can communicate using a FQDN
+networks:
+    default:
+      external:
+        name: mistborn_default
+    meet.jitsi:

scripts/conf/jitsi.env

@@ -0,0 +1,307 @@
+#
+# Basic configuration options
+#
+
+# Directory where all configuration will be stored.
+#CONFIG=~/.jitsi-meet-cfg
+CONFIG=../.envs/.production/.jitsi-cfg
+
+# Exposed HTTP port.
+HTTP_PORT=80
+
+# Exposed HTTPS port.
+HTTPS_PORT=8443
+
+# System time zone.
+TZ=Europe/Amsterdam
+
+# Public URL for the web service.
+#PUBLIC_URL=https://meet.example.com
+
+# IP address of the Docker host. See the "Running on a LAN environment" section
+# in the README.
+DOCKER_HOST_ADDRESS=10.2.3.1
+
+
+#
+# Let's Encrypt configuration
+#
+
+# Enable Let's Encrypt certificate generation.
+#ENABLE_LETSENCRYPT=1
+
+# Domain for which to generate the certificate.
+#LETSENCRYPT_DOMAIN=meet.example.com
+
+# E-Mail for receiving important account notifications (mandatory).
+#LETSENCRYPT_EMAIL=alice@atlanta.net
+
+
+#
+# Etherpad integration (for document sharing)
+#
+
+# Set etherpad-lite URL (uncomment to enable).
+#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
+
+
+#
+# Basic Jigasi configuration options (needed for SIP gateway support)
+#
+
+# SIP URI for incoming / outgoing calls.
+#JIGASI_SIP_URI=test@sip2sip.info
+
+# Password for the specified SIP account as a clear text
+#JIGASI_SIP_PASSWORD=passw0rd
+
+# SIP server (use the SIP account domain if in doubt).
+#JIGASI_SIP_SERVER=sip2sip.info
+
+# SIP server port
+#JIGASI_SIP_PORT=5060
+
+# SIP server transport
+#JIGASI_SIP_TRANSPORT=UDP
+
+#
+# Authentication configuration (see README for details)
+#
+
+# Enable authentication.
+#ENABLE_AUTH=1
+
+# Enable guest access.
+#ENABLE_GUESTS=1
+
+# Select authentication type: internal, jwt or ldap
+#AUTH_TYPE=internal
+
+# JWT authentication
+#
+
+# Application identifier.
+#JWT_APP_ID=my_jitsi_app_id
+
+# Application secret known only to your token.
+#JWT_APP_SECRET=my_jitsi_app_secret
+
+# (Optional) Set asap_accepted_issuers as a comma separated list.
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
+
+# (Optional) Set asap_accepted_audiences as a comma separated list.
+#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
+
+
+# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
+#
+
+# LDAP url for connection.
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind.
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind.
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
+# %s - %s is replaced by the complete service string.
+# %r - %r is replaced by the complete realm string.
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow.
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server sertificate verify is enabled.
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. Used when server sertificate verify is enabled.
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
+
+#
+# Advanced configuration options (you generally don't need to change these)
+#
+
+# Internal XMPP domain.
+XMPP_DOMAIN=meet.jitsi
+
+# Internal XMPP server
+XMPP_SERVER=xmpp.meet.jitsi
+
+# Internal XMPP server URL
+XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
+
+# Internal XMPP domain for authenticated services.
+XMPP_AUTH_DOMAIN=auth.meet.jitsi
+
+# XMPP domain for the MUC.
+XMPP_MUC_DOMAIN=muc.meet.jitsi
+
+# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools.
+XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
+
+# XMPP domain for unauthenticated users.
+XMPP_GUEST_DOMAIN=guest.meet.jitsi
+
+# Custom Prosody modules for XMPP_DOMAIN (comma separated)
+XMPP_MODULES=
+
+# Custom Prosody modules for MUC component (comma separated)
+XMPP_MUC_MODULES=
+
+# Custom Prosody modules for internal MUC component (comma separated)
+XMPP_INTERNAL_MUC_MODULES=
+
+# MUC for the JVB pool.
+JVB_BREWERY_MUC=jvbbrewery
+
+# XMPP user for JVB client connections.
+JVB_AUTH_USER=jvb
+
+# XMPP password for JVB client connections.
+JVB_AUTH_PASSWORD=passw0rd
+
+# STUN servers used to discover the server's public IP.
+JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302
+
+# Media port for the Jitsi Videobridge
+JVB_PORT=10000
+
+# TCP Fallback for Jitsi Videobridge for when UDP isn't available
+JVB_TCP_HARVESTER_DISABLED=true
+JVB_TCP_PORT=4443
+
+# A comma separated list of APIs to enable when the JVB is started. The default is none.
+# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
+#JVB_ENABLE_APIS=rest,colibri
+
+# XMPP component password for Jicofo.
+JICOFO_COMPONENT_SECRET=s3cr37
+
+# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug.
+JICOFO_AUTH_USER=focus
+
+# XMPP password for Jicofo client connections.
+JICOFO_AUTH_PASSWORD=passw0rd
+
+# Base URL of Jicofo's reservation REST API
+#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
+
+# XMPP user for Jigasi MUC client connections.
+JIGASI_XMPP_USER=jigasi
+
+# XMPP password for Jigasi MUC client connections.
+JIGASI_XMPP_PASSWORD=passw0rd
+
+# MUC name for the Jigasi pool.
+JIGASI_BREWERY_MUC=jigasibrewery
+
+# Minimum port for media used by Jigasi.
+JIGASI_PORT_MIN=20000
+
+# Maximum port for media used by Jigasi.
+JIGASI_PORT_MAX=20050
+
+# Enable SDES srtp
+#JIGASI_ENABLE_SDES_SRTP=1
+
+# Keepalive method
+#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
+
+# Health-check extension
+#JIGASI_HEALTH_CHECK_SIP_URI=keepalive
+
+# Health-check interval
+#JIGASI_HEALTH_CHECK_INTERVAL=300000
+#
+# Enable Jigasi transcription.
+#ENABLE_TRANSCRIPTIONS=1
+
+# Jigasi will recordord an audio when transcriber is on. Default false.
+#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
+
+# Jigasi will send transcribed text to the chat when transcriber is on. Default false.
+#JIGASI_TRANSCRIBER_SEND_TXT=true
+
+# Jigasi post to the chat an url with transcription file. Default false.
+#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
+
+# Credentials for connect to Cloud Google API from Jigasi
+# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph.
+# Copy the values from the json to the related env vars
+#GC_PROJECT_ID=
+#GC_PRIVATE_KEY_ID=
+#GC_PRIVATE_KEY=
+#GC_CLIENT_EMAIL=
+#GC_CLIENT_ID=
+#GC_CLIENT_CERT_URL=
+
+# Enable recording
+#ENABLE_RECORDING=1
+
+# XMPP domain for the jibri recorder
+XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
+
+# XMPP recorder user for Jibri client connections.
+JIBRI_RECORDER_USER=recorder
+
+# XMPP recorder password for Jibri client connections.
+JIBRI_RECORDER_PASSWORD=passw0rd
+
+# Directory for recordings inside Jibri container.
+JIBRI_RECORDING_DIR=/config/recordings
+
+# The finalizing script. Will run after recording is complete.
+JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
+
+# XMPP user for Jibri client connections.
+JIBRI_XMPP_USER=jibri
+
+# XMPP password for Jibri client connections.
+JIBRI_XMPP_PASSWORD=passw0rd
+
+# MUC name for the Jibri pool.
+JIBRI_BREWERY_MUC=jibribrewery
+
+# MUC connection timeout
+JIBRI_PENDING_TIMEOUT=90
+
+# When jibri gets a request to start a service for a room, the room
+# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
+# We'll build the url for the call by transforming that into:
+# https://xmpp_domain/subdomain/roomName
+# So if there are any prefixes in the jid (like jitsi meet, which
+# has its participants join a muc at conference.xmpp_domain) then
+# list that prefix here so it can be stripped out to generate
+# the call url correctly.
+JIBRI_STRIP_DOMAIN_JID=muc
+
+# Directory for logs inside Jibri container.
+JIBRI_LOGS_DIR=/config/logs
+
+# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup.
+DISABLE_HTTPS=1
+
+# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443).
+#ENABLE_HTTP_REDIRECT=1

scripts/install.sh

@@ -37,7 +37,7 @@ if [ $(whoami) != "$MISTBORN_USER" ]; then
 
         sudo cp $FULLPATH /home/$MISTBORN_USER
         sudo chown $MISTBORN_USER:$MISTBORN_USER /home/$MISTBORN_USER/$FILENAME
-        sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
+        sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" MISTBORN_INSTALL_COCKPIT="$MISTBORN_INSTALL_COCKPIT" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
         exit 0
 fi
 
@@ -65,6 +65,14 @@ else
     echo "MISTBORN_DEFAULT_PASSWORD is already set"
 fi
 
+# Install Cockpit?
+if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then
+    read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface)? [Y/n]: " MISTBORN_INSTALL_COCKPIT
+    echo
+    MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-Y}
+fi
+
+
 # SSH keys
 if [ ! -f ~/.ssh/id_rsa ]; then
     echo "Generating SSH keypair for $USER"
@@ -86,6 +94,12 @@ pushd .
 cd /opt/mistborn
 git submodule update --init --recursive
 
+# initial load update package list
+sudo apt-get update
+
+# install figlet
+sudo apt-get install -y figlet
+
 # get os and distro
 source ./scripts/subinstallers/platform.sh
 
@@ -128,12 +142,19 @@ source ./scripts/subinstallers/docker.sh
 sudo apt-get install -y unattended-upgrades
 
 # Cockpit
-source ./scripts/subinstallers/cockpit.sh
+if [[ "$MISTBORN_INSTALL_COCKPIT" =~ ^([yY][eE][sS]|[yY])$ ]]
+then
+    # install cockpit
+    source ./scripts/subinstallers/cockpit.sh
+fi
 
 # Mistborn
 # final setup vars
-iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk '{print $2}')
+iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
-IPV4_PUBLIC=$(ip -o -4 route show default | egrep -o 'dev [^ ]*' | awk '{print $2}' | xargs ip -4 addr show | grep 'inet ' | awk '{print $2}' | grep -o "^[0-9.]*"  | tr -cd '\11\12\15\40-\176' | head -1) # tail -1 to get last
+figlet "Mistborn default NIC: $iface"
+
+#IPV4_PUBLIC=$(ip -o -4 route show default | egrep -o 'dev [^ ]*' | awk '{print $2}' | xargs ip -4 addr show | grep 'inet ' | awk '{print $2}' | grep -o "^[0-9.]*"  | tr -cd '\11\12\15\40-\176' | head -1) # tail -1 to get last
+IPV4_PUBLIC="10.2.3.1"
 
 # clean
 if [ -f "/etc/systemd/system/Mistborn-base.service" ]; then
@@ -180,7 +201,11 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd
 sudo mkdir -p ../mistborn_volumes/extra
 
 # Traefik final setup (cockpit)
-sudo sed -i "s/IPV4_PUBLIC/$IPV4_PUBLIC/" ./compose/production/traefik/traefik.toml
+cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
+# setup tls certs 
+source ./scripts/subinstallers/openssl.sh
+sudo rm -rf ../mistborn_volumes/base/tls
+sudo mv ./tls ../mistborn_volumes/base/
 
 # Download docker images while DNS is operable
 sudo docker-compose -f base.yml pull || true
@@ -192,8 +217,11 @@ sudo systemctl disable systemd-resolved 2>/dev/null || true
 sudo systemctl stop dnsmasq 2>/dev/null || true
 sudo systemctl disable dnsmasq 2>/dev/null || true
 
+# hostname in /etc/hosts
+sudo grep -qF "$(hostname)" /etc/hosts && echo "$(hostname) already in /etc/hosts" || echo "127.0.1.1 $(hostname) $(hostname)" | sudo tee -a /etc/hosts
+
 # resolve all *.mistborn domains
-echo "address=/.mistborn/$IPV4_PUBLIC" | sudo tee ../mistborn_volumes/base/pihole/etc-dnsmasqd/02-lan.conf
+echo "address=/.mistborn/10.2.3.1" | sudo tee ../mistborn_volumes/base/pihole/etc-dnsmasqd/02-lan.conf
 
 # ResolvConf (OpenResolv installed with Wireguard)
 sudo sed -i "s/#name_servers.*/name_servers=$IPV4_PUBLIC/" /etc/resolvconf.conf
@@ -209,3 +237,7 @@ sudo tar -czf ../mistborn_backup/mistborn_volumes_backup.tar.gz ../mistborn_volu
 sudo systemctl enable Mistborn-base.service
 sudo systemctl start Mistborn-base.service
 popd
+
+figlet "Mistborn Installed"
+echo "Watch Mistborn start: sudo journalctl -xfu Mistborn-base"
+echo "Retrieve Wireguard default config for admin: sudo docker-compose -f /opt/mistborn/base.yml run --rm django python manage.py getconf admin default"

scripts/services/Mistborn-base.service

@@ -12,9 +12,11 @@ PermissionsStartOnly=true
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml build
+ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/ip6tables -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
@@ -24,12 +26,13 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml up
 # Stop container when unit is stopped
 ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 # Post stop
-ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
-ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
-ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
-ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
-ExecStopPost=/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
-ExecStopPost=/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
 
 [Install]
 WantedBy=multi-user.target

scripts/services/Mistborn-bitwarden.service

@@ -17,7 +17,7 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up
 # Stop container when unit is stopped
 ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 # Post stop
-ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
 
 [Install]
 WantedBy=multi-user.target

scripts/services/Mistborn-jitsi.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Mistborn Jitsi Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+
+[Service]
+Restart=always
+User=root
+Group=docker
+PermissionsStartOnly=true
+EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
+
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
+# Start container when unit is started
+ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
+# Stop container when unit is stopped
+ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+# Post stop
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
+
+[Install]
+WantedBy=multi-user.target

scripts/services/Mistborn-rocketchat.service

@@ -17,7 +17,7 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up
 # Stop container when unit is stopped
 ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 # Post stop
-ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
 
 [Install]
 WantedBy=multi-user.target

scripts/services/Mistborn-syncthing.service

@@ -18,8 +18,8 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up
 # Stop container when unit is stopped
 ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
 # Post stop
-ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
-ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
 
 [Install]
 WantedBy=multi-user.target

scripts/services/Mistborn-tor.service

@@ -17,7 +17,7 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --buil
 # Stop container when unit is stopped
 ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
 # Post stop
-ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
 
 [Install]
 WantedBy=multi-user.target

scripts/subinstallers/cockpit.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Cockpit
-echo "Installing Cockpit"
+figlet "Mistborn: Installing Cockpit"
 if [ "$DISTRO" == "ubuntu" ]; then
     echo "Ubuntu backports enabled by default"
     

scripts/subinstallers/docker.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 
 # Docker
+figlet "Mistborn: Installing Docker"
+
 # dependencies
 echo "Installing Docker dependencies"
 sudo apt-get install -y \
@@ -61,7 +63,7 @@ echo "Installing Docker Compose"
 #elif [ "$DISTRO" == "raspbian" ]; then
 # Install required packages
 sudo apt update
-sudo apt install -y python python3-pip libffi-dev python-backports.ssl-match-hostname
+sudo apt install -y python python3-pip python3-setuptools libffi-dev python-backports.ssl-match-hostname python3-dev libssl-dev
 
 # Install Docker Compose from pip
 # This might take a while

scripts/subinstallers/gen_prod_env.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+figlet "Mistborn: Container Credentials"
+
 # generate production .env file for Django
 mkdir -p ./.envs/.production
 DJANGO_PROD_FILE="./.envs/.production/.django"
@@ -62,3 +64,8 @@ echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
 BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden"
 echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
 echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
+
+# JITSI
+JITSI_PROD_FILE="./.envs/.production/.jitsi"
+cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
+mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}

scripts/subinstallers/iptables.sh

@@ -2,6 +2,7 @@
 
 set -e
 
+figlet "Mistborn: Configuring Firewall"
 
 echo "stop iptables wrappers"
 if [ "$DISTRO" == "ubuntu" ]; then
@@ -11,10 +12,10 @@ if [ "$DISTRO" == "ubuntu" ]; then
 fi
 
 # default interface
-iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk '{print $2}')
+iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
 
 # real public interface
-riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk '{print $2}')
+riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
 
 # resetting iptables
 sudo iptables -F
@@ -22,12 +23,13 @@ sudo iptables -t nat -F
 sudo iptables -X MISTBORN_LOG_DROP 2>/dev/null || true
 sudo iptables -X MISTBORN_WIREGUARD_INPUT 2>/dev/null || true
 sudo iptables -X MISTBORN_WIREGUARD_FORWARD 2>/dev/null || true
+sudo iptables -X MISTBORN_WIREGUARD_OUTPUT 2>/dev/null || true
 sudo iptables -X MISTBORN_DOCKER_OUTPUT 2>/dev/null || true
 sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true
 
 # iptables: log and drop chain
 sudo iptables -N MISTBORN_LOG_DROP
-sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 2/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
+sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
 sudo iptables -A MISTBORN_LOG_DROP -j DROP
 
 # wireguard rules chains
@@ -50,7 +52,7 @@ fi
 # docker rules
 sudo iptables -N MISTBORN_DOCKER_INPUT
 sudo iptables -A MISTBORN_DOCKER_INPUT -i br-+ -j ACCEPT
-#sudo iptables -A INPUT ! -i $iface -s 172.16.0.0/12 -j ACCEPT
+#sudo iptables -A MISTBORN_DOCKER_INPUT -i docker0 -j ACCEPT
 
 # last rules
 sudo iptables -A INPUT -j MISTBORN_DOCKER_INPUT
@@ -91,10 +93,6 @@ sudo ip6tables -P INPUT DROP
 sudo ip6tables -P FORWARD DROP
 sudo ip6tables -P OUTPUT ACCEPT
 
-
-# initial load update package list
-sudo apt-get update
-
 # iptables-persistent
 if [ ! "$(dpkg-query -l iptables-persistent)" ]; then
     echo "Installing iptables-persistent"

scripts/subinstallers/openssl.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+KEY_FOLDER="./tls/"
+CRT_FILE="cert.crt"
+KEY_FILE="cert.key"
+
+CRT_PATH="$KEY_FOLDER/$CRT_FILE"
+KEY_PATH="$KEY_FOLDER/$KEY_FILE"
+
+# ensure openssl installed
+sudo apt-get install -y openssl
+
+# make folder
+mkdir -p $KEY_FOLDER
+
+# generate crt and key
+openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
+
+# set permissions
+chmod 644 $CRT_PATH
+chmod 600 $KEY_PATH

scripts/subinstallers/platform.sh

@@ -10,5 +10,5 @@ if [ "$UNAME" == "linux" ]; then
     DISTRO=$(cat /etc/os-release | awk -F= '/^ID=/{print $2}')
 fi
 
-echo "UNAME: $UNAME"
+figlet "UNAME: $UNAME"
-echo "DISTRO: $DISTRO"
+figlet "DISTRO: $DISTRO"

scripts/subinstallers/wireguard.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+figlet "Mistborn: Installing Wireguard"
+
 # Wireguard
 if [ "$DISTRO" == "raspbian" ]; then
     echo "Adding Wireguard repo keys"

scripts/update.sh

@@ -2,7 +2,7 @@
 
 set -e
 
-docker-compose -f /opt/mistborn/base.yml pull
+sudo docker-compose -f /opt/mistborn/base.yml pull
-docker-compose -f /opt/mistborn/base.yml build
+sudo docker-compose -f /opt/mistborn/base.yml build
 
-systemctl restart Mistborn-base
+sudo systemctl restart Mistborn-base