From c1358d47f59342c6e1da86c46b8a58071eb6d281 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 26 Mar 2020 15:23:19 -0400 Subject: [PATCH 01/15] initial jitsi stuff --- extra/jitsi-meet.yml | 173 +++++++++++++ scripts/conf/jitsi.env | 307 ++++++++++++++++++++++++ scripts/services/Mistborn-jitsi.service | 25 ++ scripts/subinstallers/gen_prod_env.sh | 5 + 4 files changed, 510 insertions(+) create mode 100644 extra/jitsi-meet.yml create mode 100644 scripts/conf/jitsi.env create mode 100644 scripts/services/Mistborn-jitsi.service diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml new file mode 100644 index 0000000..687c3af --- /dev/null +++ b/extra/jitsi-meet.yml 
@@ -0,0 +1,173 @@ +version: '3' + +services: + # Frontend + jitsi-web: + image: jitsi/web + ports: + - '${HTTP_PORT}:80' + - '${HTTPS_PORT}:443' + volumes: + - ${CONFIG}/web:/config + - ${CONFIG}/web/letsencrypt:/etc/letsencrypt + - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts + env_file: + - ../.envs/.production/.jitsi + environment: + - ENABLE_AUTH + - ENABLE_GUESTS + - ENABLE_LETSENCRYPT + - ENABLE_HTTP_REDIRECT + - ENABLE_TRANSCRIPTIONS + - DISABLE_HTTPS + - JICOFO_AUTH_USER + - LETSENCRYPT_DOMAIN + - LETSENCRYPT_EMAIL + - PUBLIC_URL + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_BOSH_URL_BASE + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_RECORDER_DOMAIN + - ETHERPAD_URL_BASE + - TZ + - JIBRI_BREWERY_MUC + - JIBRI_PENDING_TIMEOUT + - JIBRI_XMPP_USER + - JIBRI_XMPP_PASSWORD + - JIBRI_RECORDER_USER + - JIBRI_RECORDER_PASSWORD + - ENABLE_RECORDING + networks: + meet.jitsi: + aliases: + - ${XMPP_DOMAIN} + + # XMPP server + jitsi-prosody: + image: jitsi/prosody + expose: + - '5222' + - '5347' + - '5280' + volumes: + - ${CONFIG}/prosody:/config + env_file: + - ../.envs/.production/.jitsi + environment: + - AUTH_TYPE + - ENABLE_AUTH + - ENABLE_GUESTS + - GLOBAL_MODULES + - GLOBAL_CONFIG + - LDAP_URL + - LDAP_BASE + - LDAP_BINDDN + - LDAP_BINDPW + - LDAP_FILTER + - LDAP_AUTH_METHOD + - LDAP_VERSION + - LDAP_USE_TLS + - LDAP_TLS_CIPHERS + - LDAP_TLS_CHECK_PEER + - LDAP_TLS_CACERT_FILE + - LDAP_TLS_CACERT_DIR + - LDAP_START_TLS + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_GUEST_DOMAIN + - XMPP_MUC_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MODULES + - XMPP_MUC_MODULES + - XMPP_INTERNAL_MUC_MODULES + - XMPP_RECORDER_DOMAIN + - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD + - JVB_AUTH_USER + - JVB_AUTH_PASSWORD + - JIGASI_XMPP_USER + - JIGASI_XMPP_PASSWORD + - JIBRI_XMPP_USER + - JIBRI_XMPP_PASSWORD + - JIBRI_RECORDER_USER + - JIBRI_RECORDER_PASSWORD + - JWT_APP_ID + - JWT_APP_SECRET + - JWT_ACCEPTED_ISSUERS + - 
JWT_ACCEPTED_AUDIENCES + - JWT_ASAP_KEYSERVER + - JWT_ALLOW_EMPTY + - JWT_AUTH_TYPE + - JWT_TOKEN_AUTH_MODULE + - LOG_LEVEL + - TZ + networks: + meet.jitsi: + aliases: + - ${XMPP_SERVER} + + # Focus component + jitsi-jicofo: + image: jitsi/jicofo + volumes: + - ${CONFIG}/jicofo:/config + env_file: + - ../.envs/.production/.jitsi + environment: + - ENABLE_AUTH + - XMPP_DOMAIN + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_SERVER + - JICOFO_COMPONENT_SECRET + - JICOFO_AUTH_USER + - JICOFO_AUTH_PASSWORD + - JICOFO_RESERVATION_REST_BASE_URL + - JVB_BREWERY_MUC + - JIGASI_BREWERY_MUC + - JIBRI_BREWERY_MUC + - JIBRI_PENDING_TIMEOUT + - TZ + depends_on: + - jitsi-prosody + networks: + meet.jitsi: + + # Video bridge + jitsi-jvb: + image: jitsi/jvb + ports: + - '${JVB_PORT}:${JVB_PORT}/udp' + - '${JVB_TCP_PORT}:${JVB_TCP_PORT}' + volumes: + - ${CONFIG}/jvb:/config + env_file: + - ../.envs/.production/.jitsi + environment: + - DOCKER_HOST_ADDRESS + - XMPP_AUTH_DOMAIN + - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_SERVER + - JVB_AUTH_USER + - JVB_AUTH_PASSWORD + - JVB_BREWERY_MUC + - JVB_PORT + - JVB_TCP_HARVESTER_DISABLED + - JVB_TCP_PORT + - JVB_STUN_SERVERS + - JVB_ENABLE_APIS + - TZ + depends_on: + - jitsi-prosody + networks: + meet.jitsi: + +# Custom network so all services can communicate using a FQDN +networks: + default: + external: + name: mistborn_default + meet.jitsi: diff --git a/scripts/conf/jitsi.env b/scripts/conf/jitsi.env new file mode 100644 index 0000000..c1158b6 --- /dev/null +++ b/scripts/conf/jitsi.env 
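Review bot: None of the four images (`image: jitsi/web`, `jitsi/prosody`, `jitsi/jicofo`, `jitsi/jvb`) carries a tag, so which build runs depends on when the host first pulled, and any later pull (a reinstall, a `docker-compose pull`) silently moves all four to different, possibly mismatched, versions with no change in this repo. Pin all four to one upstream release tag, e.g. `image: jitsi/web:<release tag>` (placeholder), and bump them together on purpose. Putting the tag in one jitsi.env variable (a constructed name such as `JITSI_IMAGE_VERSION`, used as `image: jitsi/web:${JITSI_IMAGE_VERSION}`) keeps the four in step, since the upstream images are released as a set.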
@@ -0,0 +1,307 @@ +# +# Basic configuration options +# + +# Directory where all configuration will be stored. +#CONFIG=~/.jitsi-meet-cfg +CONFIG=../.envs/.production/.jitsi-cfg + +# Exposed HTTP port. +HTTP_PORT=8000 + +# Exposed HTTPS port. +HTTPS_PORT=8443 + +# System time zone. +TZ=Europe/Amsterdam + +# Public URL for the web service. +#PUBLIC_URL=https://meet.example.com + +# IP address of the Docker host. See the "Running on a LAN environment" section +# in the README. +#DOCKER_HOST_ADDRESS=192.168.1.1 + + +# +# Let's Encrypt configuration +# + +# Enable Let's Encrypt certificate generation. +#ENABLE_LETSENCRYPT=1 + +# Domain for which to generate the certificate. +#LETSENCRYPT_DOMAIN=meet.example.com + +# E-Mail for receiving important account notifications (mandatory). +#LETSENCRYPT_EMAIL=alice@atlanta.net + + +# +# Etherpad integration (for document sharing) +# + +# Set etherpad-lite URL (uncomment to enable). +#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 + + +# +# Basic Jigasi configuration options (needed for SIP gateway support) +# + +# SIP URI for incoming / outgoing calls. +#JIGASI_SIP_URI=test@sip2sip.info + +# Password for the specified SIP account as a clear text +#JIGASI_SIP_PASSWORD=passw0rd + +# SIP server (use the SIP account domain if in doubt). +#JIGASI_SIP_SERVER=sip2sip.info + +# SIP server port +#JIGASI_SIP_PORT=5060 + +# SIP server transport +#JIGASI_SIP_TRANSPORT=UDP + +# +# Authentication configuration (see README for details) +# + +# Enable authentication. +#ENABLE_AUTH=1 + +# Enable guest access. +#ENABLE_GUESTS=1 + +# Select authentication type: internal, jwt or ldap +#AUTH_TYPE=internal + +# JWT authentication +# + +# Application identifier. +#JWT_APP_ID=my_jitsi_app_id + +# Application secret known only to your token. +#JWT_APP_SECRET=my_jitsi_app_secret + +# (Optional) Set asap_accepted_issuers as a comma separated list. 
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client + +# (Optional) Set asap_accepted_audiences as a comma separated list. +#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 + + +# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) +# + +# LDAP url for connection. +#LDAP_URL=ldaps://ldap.domain.com/ + +# LDAP base DN. Can be empty +#LDAP_BASE=DC=example,DC=domain,DC=com + +# LDAP user DN. Do not specify this parameter for the anonymous bind. +#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com + +# LDAP user password. Do not specify this parameter for the anonymous bind. +#LDAP_BINDPW=LdapUserPassw0rd + +# LDAP filter. Tokens example: +# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail. +# %s - %s is replaced by the complete service string. +# %r - %r is replaced by the complete realm string. +#LDAP_FILTER=(sAMAccountName=%u) + +# LDAP authentication method +#LDAP_AUTH_METHOD=bind + +# LDAP version +#LDAP_VERSION=3 + +# LDAP TLS using +#LDAP_USE_TLS=1 + +# List of SSL/TLS ciphers to allow. +#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC + +# Require and verify server certificate +#LDAP_TLS_CHECK_PEER=1 + +# Path to CA cert file. Used when server sertificate verify is enabled. +#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt + +# Path to CA certs directory. Used when server sertificate verify is enabled. +#LDAP_TLS_CACERT_DIR=/etc/ssl/certs + +# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps:// +# LDAP_START_TLS=1 + + +# +# Advanced configuration options (you generally don't need to change these) +# + +# Internal XMPP domain. +XMPP_DOMAIN=meet.jitsi + +# Internal XMPP server +XMPP_SERVER=xmpp.meet.jitsi + +# Internal XMPP server URL +XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280 + +# Internal XMPP domain for authenticated services. 
+XMPP_AUTH_DOMAIN=auth.meet.jitsi + +# XMPP domain for the MUC. +XMPP_MUC_DOMAIN=muc.meet.jitsi + +# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools. +XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi + +# XMPP domain for unauthenticated users. +XMPP_GUEST_DOMAIN=guest.meet.jitsi + +# Custom Prosody modules for XMPP_DOMAIN (comma separated) +XMPP_MODULES= + +# Custom Prosody modules for MUC component (comma separated) +XMPP_MUC_MODULES= + +# Custom Prosody modules for internal MUC component (comma separated) +XMPP_INTERNAL_MUC_MODULES= + +# MUC for the JVB pool. +JVB_BREWERY_MUC=jvbbrewery + +# XMPP user for JVB client connections. +JVB_AUTH_USER=jvb + +# XMPP password for JVB client connections. +JVB_AUTH_PASSWORD=passw0rd + +# STUN servers used to discover the server's public IP. +JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302 + +# Media port for the Jitsi Videobridge +JVB_PORT=10000 + +# TCP Fallback for Jitsi Videobridge for when UDP isn't available +JVB_TCP_HARVESTER_DISABLED=true +JVB_TCP_PORT=4443 + +# A comma separated list of APIs to enable when the JVB is started. The default is none. +# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information +#JVB_ENABLE_APIS=rest,colibri + +# XMPP component password for Jicofo. +JICOFO_COMPONENT_SECRET=s3cr37 + +# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug. +JICOFO_AUTH_USER=focus + +# XMPP password for Jicofo client connections. +JICOFO_AUTH_PASSWORD=passw0rd + +# Base URL of Jicofo's reservation REST API +#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com + +# XMPP user for Jigasi MUC client connections. +JIGASI_XMPP_USER=jigasi + +# XMPP password for Jigasi MUC client connections. +JIGASI_XMPP_PASSWORD=passw0rd + +# MUC name for the Jigasi pool. +JIGASI_BREWERY_MUC=jigasibrewery + +# Minimum port for media used by Jigasi. 
+JIGASI_PORT_MIN=20000 + +# Maximum port for media used by Jigasi. +JIGASI_PORT_MAX=20050 + +# Enable SDES srtp +#JIGASI_ENABLE_SDES_SRTP=1 + +# Keepalive method +#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS + +# Health-check extension +#JIGASI_HEALTH_CHECK_SIP_URI=keepalive + +# Health-check interval +#JIGASI_HEALTH_CHECK_INTERVAL=300000 +# +# Enable Jigasi transcription. +#ENABLE_TRANSCRIPTIONS=1 + +# Jigasi will recordord an audio when transcriber is on. Default false. +#JIGASI_TRANSCRIBER_RECORD_AUDIO=true + +# Jigasi will send transcribed text to the chat when transcriber is on. Default false. +#JIGASI_TRANSCRIBER_SEND_TXT=true + +# Jigasi post to the chat an url with transcription file. Default false. +#JIGASI_TRANSCRIBER_ADVERTISE_URL=true + +# Credentials for connect to Cloud Google API from Jigasi +# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph. +# Copy the values from the json to the related env vars +#GC_PROJECT_ID= +#GC_PRIVATE_KEY_ID= +#GC_PRIVATE_KEY= +#GC_CLIENT_EMAIL= +#GC_CLIENT_ID= +#GC_CLIENT_CERT_URL= + +# Enable recording +#ENABLE_RECORDING=1 + +# XMPP domain for the jibri recorder +XMPP_RECORDER_DOMAIN=recorder.meet.jitsi + +# XMPP recorder user for Jibri client connections. +JIBRI_RECORDER_USER=recorder + +# XMPP recorder password for Jibri client connections. +JIBRI_RECORDER_PASSWORD=passw0rd + +# Directory for recordings inside Jibri container. +JIBRI_RECORDING_DIR=/config/recordings + +# The finalizing script. Will run after recording is complete. +JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh + +# XMPP user for Jibri client connections. +JIBRI_XMPP_USER=jibri + +# XMPP password for Jibri client connections. +JIBRI_XMPP_PASSWORD=passw0rd + +# MUC name for the Jibri pool. 
+JIBRI_BREWERY_MUC=jibribrewery + +# MUC connection timeout +JIBRI_PENDING_TIMEOUT=90 + +# When jibri gets a request to start a service for a room, the room +# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain +# We'll build the url for the call by transforming that into: +# https://xmpp_domain/subdomain/roomName +# So if there are any prefixes in the jid (like jitsi meet, which +# has its participants join a muc at conference.xmpp_domain) then +# list that prefix here so it can be stripped out to generate +# the call url correctly. +JIBRI_STRIP_DOMAIN_JID=muc + +# Directory for logs inside Jibri container. +JIBRI_LOGS_DIR=/config/logs + +# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup. +#DISABLE_HTTPS=1 + +# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443). +#ENABLE_HTTP_REDIRECT=1 diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service new file mode 100644 index 0000000..edf0962 --- /dev/null +++ b/scripts/services/Mistborn-jitsi.service 
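Review bot: The file is committed with upstream's example secrets as live values — `JVB_AUTH_PASSWORD=passw0rd`, `JICOFO_COMPONENT_SECRET=s3cr37`, `JICOFO_AUTH_PASSWORD=passw0rd`, `JIGASI_XMPP_PASSWORD=passw0rd`, `JIBRI_XMPP_PASSWORD=passw0rd`, `JIBRI_RECORDER_PASSWORD=passw0rd` — and the gen_prod_env.sh hunk later in this patch copies it verbatim into `./.envs/.production/.jitsi`, so every install runs its XMPP components with publicly known credentials. As far as this series shows prosody is only reachable on the compose networks, but anything that can reach it there can then authenticate as jvb, jicofo or jibri. The other generated env files already receive per-install values (the `JWT_SECRET` context line in that hunk), so rewrite these six after the `cp`, as below.
```shell
# JITSI
JITSI_PROD_FILE="./.envs/.production/.jitsi"
cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
# replace the upstream example secrets with per-install random values
for VAR in JVB_AUTH_PASSWORD JICOFO_COMPONENT_SECRET JICOFO_AUTH_PASSWORD \
           JIGASI_XMPP_PASSWORD JIBRI_XMPP_PASSWORD JIBRI_RECORDER_PASSWORD; do
    sed -i "s/^${VAR}=.*/${VAR}=$(openssl rand -hex 16)/" "$JITSI_PROD_FILE"
done
# … unchanged: mkdir -p for the .jitsi-cfg directories …
```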
@@ -0,0 +1,25 @@
+[Unit]
+Description=Mistborn Jitsi Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+
+[Service]
+Restart=always
+User=root
+Group=docker
+PermissionsStartOnly=true
+EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
+
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+# Start container when unit is started
+ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
+# Stop container when unit is stopped
+ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+# Post stop
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh
index a8dfbe8..dbd58f8 100755
--- a/scripts/subinstallers/gen_prod_env.sh
+++ b/scripts/subinstallers/gen_prod_env.sh
@@ -62,3 +62,8 @@ echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
 BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden"
 echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
 echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
+
+# JITSI
+JITSI_PROD_FILE="./.envs/.production/.jitsi"
+cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
+mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
From 53204ae11ee6d542603534fca9e4bc8ad2f3b7a7 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Thu, 26 Mar 2020 15:42:57 -0400
Subject: [PATCH 02/15] traefik
---
 compose/production/traefik/traefik.toml.template | 12 ++++++++++++
 extra/jitsi-meet.yml | 10 +++++++---
 scripts/conf/jitsi.env | 4 ++--
 3 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/compose/production/traefik/traefik.toml.template b/compose/production/traefik/traefik.toml.template index 1a1ce2b..4050172 100644 --- a/compose/production/traefik/traefik.toml.template +++ b/compose/production/traefik/traefik.toml.template @@ -68,6 +68,10 @@ defaultEntryPoints = ["http"] [backends.jellyfin.servers.server1] url = "http://jellyfin:8096" + [backends.jitsi] + [backends.jitsi.servers.server1] + url = "http://jitsi-web:80" + [backends.raspap] [backends.raspap.servers.server1] url = "http://raspap:80" @@ -149,6 +153,14 @@ defaultEntryPoints = ["http"] HostsProxyHeaders = ['X-CSRFToken'] [frontends.jellyfin.routes.dr1] rule = "Host:jellyfin.mistborn" + + [frontends.jitsi] + backend = "jitsi" + passHostHeader = true + [frontends.jitsi.headers] + HostsProxyHeaders = ['X-CSRFToken'] + [frontends.jitsi.routes.dr1] + rule = "Host:jitsi.mistborn" [frontends.raspap] backend = "raspap" diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml index 687c3af..83a29a6 100644 --- a/extra/jitsi-meet.yml +++ b/extra/jitsi-meet.yml @@ -4,9 +4,12 @@ services: # Frontend jitsi-web: image: jitsi/web - ports: - - '${HTTP_PORT}:80' - - '${HTTPS_PORT}:443' + #ports: + #- '${HTTP_PORT}:80' + #- '${HTTPS_PORT}:443' + labels: + - "traefik.enable=true" + - "traefik.port=${HTTP_PORT}" volumes: - ${CONFIG}/web:/config - ${CONFIG}/web/letsencrypt:/etc/letsencrypt @@ -40,6 +43,7 @@ services: - JIBRI_RECORDER_PASSWORD - ENABLE_RECORDING networks: + default: meet.jitsi: aliases: - ${XMPP_DOMAIN} diff --git a/scripts/conf/jitsi.env b/scripts/conf/jitsi.env index c1158b6..dafff01 100644 --- a/scripts/conf/jitsi.env +++ b/scripts/conf/jitsi.env @@ -7,7 +7,7 @@ CONFIG=../.envs/.production/.jitsi-cfg # Exposed HTTP port. -HTTP_PORT=8000 +HTTP_PORT=80 # Exposed HTTPS port. HTTPS_PORT=8443 
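Review bot: `traefik.port=${HTTP_PORT}` binds the backend port to a variable that jitsi.env documents as the host-exposed HTTP port, which is why this same patch has to flip `HTTP_PORT` to 80; with `ports:` commented out there is no host port any more and what Traefik needs is the container's listener, so write `- "traefik.port=80"` and leave `HTTP_PORT` to its documented purpose. jitsi-web is now attached to both `default` and `meet.jitsi`, and with the Traefik 1.x docker provider (this is v1 TOML, `[frontends]`/`[backends]`) a container on several networks should also carry `- "traefik.docker.network=mistborn_default"`, otherwise the provider may pick the `meet.jitsi` address, which traefik cannot reach. `HostsProxyHeaders = ['X-CSRFToken']` in the traefik hunk above is copied from the jellyfin block and is presumably not needed for jitsi-web — confirm.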
@@ -301,7 +301,7 @@ JIBRI_STRIP_DOMAIN_JID=muc
 JIBRI_LOGS_DIR=/config/logs
 # Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup.
-#DISABLE_HTTPS=1
+DISABLE_HTTPS=1
 # Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443).
 #ENABLE_HTTP_REDIRECT=1
From be049c68d0606936e5bce9acd93ca5a386a2637f Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Thu, 26 Mar 2020 16:03:52 -0400
Subject: [PATCH 03/15] jvb tcp port backup
---
 scripts/services/Mistborn-jitsi.service | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service
index edf0962..80970e9 100644
--- a/scripts/services/Mistborn-jitsi.service
+++ b/scripts/services/Mistborn-jitsi.service
@@ -14,12 +14,14 @@ EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
 # Stop container when unit is stopped
 ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
 [Install]
 WantedBy=multi-user.target
From 983863292ad5e43c2f8b7fd12a1fdd75dbd6b26a Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 27 Mar 2020 12:31:19 -0400
Subject: [PATCH 04/15] docker host address
---
 compose/production/traefik/traefik.toml.template | 2 +-
 scripts/conf/jitsi.env | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
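Review bot: `DISABLE_HTTPS=1` makes jitsi-web serve plain HTTP and rely on traefik for TLS, but at this commit traefik.toml.template still defines only the `http` entry point (the `https` entry point and certificate arrive in patch 5 of this series), so the jitsi origin is cleartext end to end until then; browsers grant getUserMedia (camera/microphone) only to secure contexts, so calls would not work from anything but localhost. Record the dependency next to the setting so it is not re-enabled in isolation, e.g. `# TLS is terminated by traefik (https entry point); jitsi-web must stay behind it.`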
diff --git a/compose/production/traefik/traefik.toml.template b/compose/production/traefik/traefik.toml.template index 4050172..45e1169 100644 --- a/compose/production/traefik/traefik.toml.template +++ b/compose/production/traefik/traefik.toml.template @@ -78,7 +78,7 @@ defaultEntryPoints = ["http"] [backends.cockpit] [backends.cockpit.servers.server1] - url = "http://IPV4_PUBLIC:9090" + url = "http://10.2.3.1:9090" [frontends] [frontends.django] diff --git a/scripts/conf/jitsi.env b/scripts/conf/jitsi.env index dafff01..2666101 100644 --- a/scripts/conf/jitsi.env +++ b/scripts/conf/jitsi.env @@ -20,7 +20,7 @@ TZ=Europe/Amsterdam # IP address of the Docker host. See the "Running on a LAN environment" section # in the README. -#DOCKER_HOST_ADDRESS=192.168.1.1 +DOCKER_HOST_ADDRESS=10.2.3.1 # From e828b089c668bae15ce7b438b52fdf7c4c571355 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 27 Mar 2020 16:33:02 -0400 Subject: [PATCH 05/15] openssl --- compose/production/traefik/Dockerfile | 7 ++++--- compose/production/traefik/traefik.toml.template | 13 ++++++++----- scripts/install.sh | 2 ++ scripts/services/Mistborn-base.service | 2 ++ scripts/subinstallers/openssl.sh | 15 +++++++++++++++ 5 files changed, 31 insertions(+), 8 deletions(-) create mode 100755 scripts/subinstallers/openssl.sh diff --git a/compose/production/traefik/Dockerfile b/compose/production/traefik/Dockerfile index 7088e6f..0b80e0b 100644 --- a/compose/production/traefik/Dockerfile +++ b/compose/production/traefik/Dockerfile @@ -1,5 +1,6 @@ FROM traefik:alpine -RUN mkdir -p /etc/traefik/acme -RUN touch /etc/traefik/acme/acme.json -RUN chmod 600 /etc/traefik/acme/acme.json +#RUN mkdir -p /etc/traefik/acme +#RUN touch /etc/traefik/acme/acme.json +#RUN chmod 600 /etc/traefik/acme/acme.json +COPY ./tls /tls COPY ./compose/production/traefik/traefik.toml /etc/traefik 
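Review bot: `COPY ./tls /tls` puts `cert.key` into an image layer, so anyone able to read the built image (layer cache, `docker save`, a registry push) obtains the private key, and rotating it means a rebuild. The series later goes back and forth between this and a bind mount (patch 9 mounts `../mistborn_volumes/base/tls:/tls`, patch 14 restores the COPY, patch 15 ends on the mount); the mount is the right end state and the Dockerfile should not carry the COPY at all. The three commented `RUN` lines leave `/etc/traefik/acme/acme.json` uncreated while base.yml still mounts `production_traefik:/etc/traefik/acme` — presumably intentional with ACME disabled, but a one-line comment would save the next reader the question.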
diff --git a/compose/production/traefik/traefik.toml.template b/compose/production/traefik/traefik.toml.template index 45e1169..47db874 100644 --- a/compose/production/traefik/traefik.toml.template +++ b/compose/production/traefik/traefik.toml.template @@ -3,8 +3,8 @@ logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC InsecureSkipVerify = true -#defaultEntryPoints = ["http", "https"] -defaultEntryPoints = ["http"] +defaultEntryPoints = ["http", "https"] +#defaultEntryPoints = ["http"] # Entrypoints, http and https [entryPoints] @@ -14,9 +14,12 @@ defaultEntryPoints = ["http"] #[entryPoints.http.redirect] #entryPoint = "https" # https is the default - #[entryPoints.https] - #address = ":443" - # [entryPoints.https.tls] + [entryPoints.https] + address = ":443" + [entryPoints.https.tls] + [entryPoints.httpSSL.tls.defaultCertificate] + certFile = "/tls/cert.crt" + keyFile = "/tls/cert.key" ## Enable ACME (Let's Encrypt): automatic SSL #[acme] diff --git a/scripts/install.sh b/scripts/install.sh index 705edf9..e1534f7 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -181,6 +181,8 @@ sudo mkdir -p ../mistborn_volumes/extra # Traefik final setup (cockpit) cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml +# setup tls certs +source ./scripts/subinstallers/openssl.sh # Download docker images while DNS is operable sudo docker-compose -f base.yml pull || true diff --git a/scripts/services/Mistborn-base.service b/scripts/services/Mistborn-base.service index fab39a7..b1c52b5 100644 --- a/scripts/services/Mistborn-base.service +++ b/scripts/services/Mistborn-base.service 
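Review bot: The new `[entryPoints.https]` block enables TLS, but `#[entryPoints.http.redirect]` just above it stays commented, so every frontend still answers in clear on :80 and nothing moves clients to :443; if that is deliberate (self-signed certificate, VPN-only network) say so in a comment, otherwise uncomment the two redirect lines. The table is also written `[entryPoints.httpSSL.tls.defaultCertificate]` while the entry point is named `https`, so as committed Traefik never sees the default certificate (patch 15 corrects the name). `InsecureSkipVerify = true` in the context line above disables certificate checks for any https backend traefik talks to; unchanged here, but it matters more now that TLS is in play.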
@@ -16,6 +16,7 @@ ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/ip6tables -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
@@ -28,6 +29,7 @@ ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
diff --git a/scripts/subinstallers/openssl.sh b/scripts/subinstallers/openssl.sh
new file mode 100755
index 0000000..fcc1dd5
--- /dev/null
+++ b/scripts/subinstallers/openssl.sh
@@ -0,0 +1,15 @@ +#!/bin/bash + +KEY_FOLDER="./tls/" +CRT_FILE="cert.crt" +KEY_FILE="cert.key" + +CRT_PATH="$KEY_FOLDER/$CRT_FILE" +KEY_PATH="$KEY_FOLDER/$KEY_FILE" + +# generate crt and key +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" + +# set permissions +chmod 644 $CRT_PATH +chmod 600 $KEY_PATH From 438f1de4a4b7f52292988023af1c7bb47bf95ed6 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 27 Mar 2020 16:36:17 -0400 Subject: [PATCH 06/15] ensure openssl installed --- scripts/subinstallers/openssl.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/subinstallers/openssl.sh b/scripts/subinstallers/openssl.sh index fcc1dd5..b73969e 100755 --- a/scripts/subinstallers/openssl.sh +++ b/scripts/subinstallers/openssl.sh @@ -7,6 +7,9 @@ KEY_FILE="cert.key" CRT_PATH="$KEY_FOLDER/$CRT_FILE" KEY_PATH="$KEY_FOLDER/$KEY_FILE" +# ensure openssl installed +sudo apt-get install -y openssl + # generate crt and key openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" From a5bbfaa4d52d5f55fc59771a91be1dc5c7ee53f1 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 27 Mar 2020 16:44:48 -0400 Subject: [PATCH 07/15] make folder --- scripts/subinstallers/openssl.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/subinstallers/openssl.sh b/scripts/subinstallers/openssl.sh index b73969e..57c8cab 100755 --- a/scripts/subinstallers/openssl.sh +++ b/scripts/subinstallers/openssl.sh 
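Review bot: The certificate gets its name only from `-subj ... CN=*.mistborn` and carries no subjectAltName; Chrome (since 58) matches hosts against the SAN alone and Safari from iOS 13 / macOS 10.15 requires it too, so even after a user imports this cert the browser still reports a name mismatch for `jitsi.mistborn` and the other `*.mistborn` hosts. Add `-addext "subjectAltName=DNS:*.mistborn,DNS:mistborn"` to the `openssl req` line (OpenSSL 1.1.1+). Separately, `KEY_FOLDER="./tls/"` joined as `"$KEY_FOLDER/$CRT_FILE"` yields `./tls//cert.crt` (harmless, untidy), and because install.sh `source`s this file the unquoted `$KEY_PATH`/`$CRT_PATH` expansions and the variable names leak into the installer's shell; quote the expansions and drop the trailing slash.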
@@ -10,6 +10,9 @@ KEY_PATH="$KEY_FOLDER/$KEY_FILE" # ensure openssl installed sudo apt-get install -y openssl +# make folder +mkdir -p $KEY_FOLDER + # generate crt and key openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" From 91d14c28522f921536e4479656fc73b596700420 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 27 Mar 2020 16:53:51 -0400 Subject: [PATCH 08/15] port 443 and acme --- base.yml | 1 + compose/production/traefik/Dockerfile | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/base.yml b/base.yml index 10f4115..31d9090 100644 --- a/base.yml +++ b/base.yml @@ -48,6 +48,7 @@ services: - /var/run/docker.sock:/var/run/docker.sock:ro ports: - "0.0.0.0:80:80/tcp" + - "0.0.0.0:443:443/tcp" redis: image: redis:5.0 diff --git a/compose/production/traefik/Dockerfile b/compose/production/traefik/Dockerfile index 0b80e0b..575a463 100644 --- a/compose/production/traefik/Dockerfile +++ b/compose/production/traefik/Dockerfile @@ -1,6 +1,6 @@ FROM traefik:alpine -#RUN mkdir -p /etc/traefik/acme -#RUN touch /etc/traefik/acme/acme.json -#RUN chmod 600 /etc/traefik/acme/acme.json +RUN mkdir -p /etc/traefik/acme +RUN touch /etc/traefik/acme/acme.json +RUN chmod 600 /etc/traefik/acme/acme.json COPY ./tls /tls COPY ./compose/production/traefik/traefik.toml /etc/traefik From 77ec47b08cb67aa988aece7939564f2f9399cea7 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 27 Mar 2020 17:12:44 -0400 Subject: [PATCH 09/15] mount tls --- base.yml | 1 + compose/production/traefik/Dockerfile | 1 - scripts/install.sh | 1 + 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/base.yml b/base.yml index 31d9090..b0c3bb7 100644 --- a/base.yml +++ b/base.yml 
@@ -46,6 +46,7 @@ services: volumes: - production_traefik:/etc/traefik/acme - /var/run/docker.sock:/var/run/docker.sock:ro + - ../mistborn_volumes/base/tls:/tls ports: - "0.0.0.0:80:80/tcp" - "0.0.0.0:443:443/tcp" diff --git a/compose/production/traefik/Dockerfile b/compose/production/traefik/Dockerfile index 575a463..7088e6f 100644 --- a/compose/production/traefik/Dockerfile +++ b/compose/production/traefik/Dockerfile @@ -2,5 +2,4 @@ FROM traefik:alpine RUN mkdir -p /etc/traefik/acme RUN touch /etc/traefik/acme/acme.json RUN chmod 600 /etc/traefik/acme/acme.json -COPY ./tls /tls COPY ./compose/production/traefik/traefik.toml /etc/traefik diff --git a/scripts/install.sh b/scripts/install.sh index e1534f7..539e2ab 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -183,6 +183,7 @@ sudo mkdir -p ../mistborn_volumes/extra cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml # setup tls certs source ./scripts/subinstallers/openssl.sh +mv ./tls ../mistborn_volumes/base/ # Download docker images while DNS is operable sudo docker-compose -f base.yml pull || true From 1e5f4d6e3f34c4ac4bfecbe09558ca74743ca79d Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 27 Mar 2020 17:25:27 -0400 Subject: [PATCH 10/15] sudo mv tls --- scripts/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install.sh b/scripts/install.sh index 539e2ab..86536f4 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -183,7 +183,7 @@ sudo mkdir -p ../mistborn_volumes/extra cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml # setup tls certs source ./scripts/subinstallers/openssl.sh -mv ./tls ../mistborn_volumes/base/ +sudo mv ./tls ../mistborn_volumes/base/ # Download docker images while DNS is operable sudo docker-compose -f base.yml pull || true From bd365cc32de89fba035a9d7e97900004dc3af728 Mon Sep 17 00:00:00 2001 
From: Steven Foerster
Date: Fri, 27 Mar 2020 17:33:03 -0400
Subject: [PATCH 11/15] remove old tls
---
 scripts/install.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/install.sh b/scripts/install.sh
index 86536f4..b1dc9c0 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -183,6 +183,7 @@ sudo mkdir -p ../mistborn_volumes/extra
 cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
 # setup tls certs
 source ./scripts/subinstallers/openssl.sh
+sudo rm -rf ../mistborn_volumes/base/tls
 sudo mv ./tls ../mistborn_volumes/base/
 # Download docker images while DNS is operable
From 03f1affd84f6e4b2aaa6ed7cde36d017c32a770d Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 27 Mar 2020 18:17:39 -0400
Subject: [PATCH 12/15] 10 years
---
 scripts/subinstallers/openssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/subinstallers/openssl.sh b/scripts/subinstallers/openssl.sh
index 57c8cab..e010fad 100755
--- a/scripts/subinstallers/openssl.sh
+++ b/scripts/subinstallers/openssl.sh
@@ -14,7 +14,7 @@ sudo apt-get install -y openssl
 mkdir -p $KEY_FOLDER
 # generate crt and key
-openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
+openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
 # set permissions
 chmod 644 $CRT_PATH
From 1935a23238f2ac14cfebf4fdc5f764969e7c0799 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 27 Mar 2020 18:34:37 -0400
Subject: [PATCH 13/15] iptables log limit 6
---
 scripts/subinstallers/iptables.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh
index 3b92a44..b3db5ab 100755
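Review bot: `-days 3650` gives the self-signed server certificate a ten-year validity, and Apple's trust rules from iOS 13 / macOS 10.15 reject TLS server certificates whose validity exceeds 825 days, so Safari and iOS clients will refuse this cert even after the user installs it, while Chrome and Firefox accept it as far as I know, which makes the failure platform-specific and confusing. Keep it at or under 825 days (`-days 825`, or the original 365) and let the install path regenerate it. Nothing in the script records when the cert expires; a comment such as `# self-signed; regenerate by re-running install.sh before NotAfter` would help whoever hits the expiry.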
--- a/scripts/subinstallers/iptables.sh +++ b/scripts/subinstallers/iptables.sh @@ -27,7 +27,7 @@ sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true # iptables: log and drop chain sudo iptables -N MISTBORN_LOG_DROP -sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 2/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4 +sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4 sudo iptables -A MISTBORN_LOG_DROP -j DROP # wireguard rules chains From 5b409038341f3c839c80814d0d40794767e25385 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 27 Mar 2020 18:44:53 -0400 Subject: [PATCH 14/15] tls folder to traefik container --- base.yml | 2 +- compose/production/traefik/Dockerfile | 1 + scripts/install.sh | 2 -- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/base.yml b/base.yml index b0c3bb7..17da863 100644 --- a/base.yml +++ b/base.yml @@ -46,7 +46,7 @@ services: volumes: - production_traefik:/etc/traefik/acme - /var/run/docker.sock:/var/run/docker.sock:ro - - ../mistborn_volumes/base/tls:/tls + #- ../mistborn_volumes/base/tls:/tls ports: - "0.0.0.0:80:80/tcp" - "0.0.0.0:443:443/tcp" diff --git a/compose/production/traefik/Dockerfile b/compose/production/traefik/Dockerfile index 7088e6f..575a463 100644 --- a/compose/production/traefik/Dockerfile +++ b/compose/production/traefik/Dockerfile @@ -2,4 +2,5 @@ FROM traefik:alpine RUN mkdir -p /etc/traefik/acme RUN touch /etc/traefik/acme/acme.json RUN chmod 600 /etc/traefik/acme/acme.json +COPY ./tls /tls COPY ./compose/production/traefik/traefik.toml /etc/traefik diff --git a/scripts/install.sh b/scripts/install.sh index b1dc9c0..e1534f7 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
@@ -183,8 +183,6 @@ sudo mkdir -p ../mistborn_volumes/extra cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml # setup tls certs source ./scripts/subinstallers/openssl.sh -sudo rm -rf ../mistborn_volumes/base/tls -sudo mv ./tls ../mistborn_volumes/base/ # Download docker images while DNS is operable sudo docker-compose -f base.yml pull || true From 1eb9b0b6276cfb7455bd3ede062793077dac3513 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 27 Mar 2020 19:27:29 -0400 Subject: [PATCH 15/15] https --- base.yml | 2 +- compose/production/traefik/Dockerfile | 1 - compose/production/traefik/traefik.toml.template | 2 +- scripts/install.sh | 2 ++ 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/base.yml b/base.yml index 17da863..b0c3bb7 100644 --- a/base.yml +++ b/base.yml @@ -46,7 +46,7 @@ services: volumes: - production_traefik:/etc/traefik/acme - /var/run/docker.sock:/var/run/docker.sock:ro - #- ../mistborn_volumes/base/tls:/tls + - ../mistborn_volumes/base/tls:/tls ports: - "0.0.0.0:80:80/tcp" - "0.0.0.0:443:443/tcp" diff --git a/compose/production/traefik/Dockerfile b/compose/production/traefik/Dockerfile index 575a463..7088e6f 100644 --- a/compose/production/traefik/Dockerfile +++ b/compose/production/traefik/Dockerfile @@ -2,5 +2,4 @@ FROM traefik:alpine RUN mkdir -p /etc/traefik/acme RUN touch /etc/traefik/acme/acme.json RUN chmod 600 /etc/traefik/acme/acme.json -COPY ./tls /tls COPY ./compose/production/traefik/traefik.toml /etc/traefik diff --git a/compose/production/traefik/traefik.toml.template b/compose/production/traefik/traefik.toml.template index 47db874..19164ad 100644 --- a/compose/production/traefik/traefik.toml.template +++ b/compose/production/traefik/traefik.toml.template 
@@ -17,7 +17,7 @@ defaultEntryPoints = ["http", "https"]
 [entryPoints.https]
 address = ":443"
 [entryPoints.https.tls]
- [entryPoints.httpSSL.tls.defaultCertificate]
+ [entryPoints.https.tls.defaultCertificate]
 certFile = "/tls/cert.crt"
 keyFile = "/tls/cert.key"
diff --git a/scripts/install.sh b/scripts/install.sh
index e1534f7..b1dc9c0 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -183,6 +183,8 @@ sudo mkdir -p ../mistborn_volumes/extra
 cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
 # setup tls certs
 source ./scripts/subinstallers/openssl.sh
+sudo rm -rf ../mistborn_volumes/base/tls
+sudo mv ./tls ../mistborn_volumes/base/
 # Download docker images while DNS is operable
 sudo docker-compose -f base.yml pull || true
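Review bot: `sudo rm -rf ../mistborn_volumes/base/tls` followed by `sudo mv ./tls ../mistborn_volumes/base/` discards the key pair on every run of install.sh, so each re-install presents a new unknown self-signed certificate to every client that had trusted the old one, and `rm -rf` on an unquoted relative path silently depends on the installer's cwd being the repo root (consistent with the `sudo mkdir -p ../mistborn_volumes/extra` context, but fragile). Generate only when nothing is there yet, e.g. `[ -f ../mistborn_volumes/base/tls/cert.key ] || { source ./scripts/subinstallers/openssl.sh; sudo mv ./tls ../mistborn_volumes/base/; }`, and drop the `rm -rf`. After the `mv` the key keeps the installing user's ownership with mode 600, so the traefik container must run as root (or that uid) to read `/tls/cert.key` — confirm.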