From c557ee49e587246734d0d45c8b281a32e9557bc4 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 20 Mar 2020 18:38:47 -0400 Subject: [PATCH 01/20] TOC --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 8a5bbf2..ccae516 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,6 @@ +- TOC +{:toc} + # Mistborn A platform for easily managing your cloud server and Wireguard access From 0b51e6e4a74c356c84861d5321e1bf19b35cb4d0 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 20 Mar 2020 18:45:20 -0400 Subject: [PATCH 02/20] gollum filter --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index ccae516..32e6650 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,4 @@ -- TOC -{:toc} +[[_TOC_]] # Mistborn A platform for easily managing your cloud server and Wireguard access From 1da0a6ee0fbb62bd27eea4ae0d690033f1601850 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 20 Mar 2020 18:46:45 -0400 Subject: [PATCH 03/20] formatting --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 32e6650..2c27b03 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,9 @@ -[[_TOC_]] - # Mistborn A platform for easily managing your cloud server and Wireguard access +# Table of Contents +[[_TOC_]] + ## What is Mistborn The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-original-trilogy) comes from a type of powerful Allomancer in Brandon Sanderson's Cosmere. From 1537b9031d39e3cea3b1e5e38343e448b323df3a Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 20 Mar 2020 18:49:53 -0400 Subject: [PATCH 04/20] headers --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 2c27b03..a83951b 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ A platform for easily managing your cloud server and Wireguard access # Table of Contents [[_TOC_]] -## What is Mistborn +# What is Mistborn The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-original-trilogy) comes from a type of powerful Allomancer in Brandon Sanderson's Cosmere. Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free WiFi networks. We needed a way to secure all family devices with a solid VPN (Wireguard). Once we had that we wanted to control DNS to block ads to all devices and block malicious and pornographic websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding services as I go so I made that easy to do. @@ -31,7 +31,7 @@ Within Mistborn is a panel to enable and manage these free extra services, local - [Jellyfin](https://jellyfin.org): The Free Media Software System. - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy. -## Installation +# Installation Mistborn is regularly tested on Ubuntu 18.04 LTS. It has also been successfully used on Debian and Raspbian systems (though not regularly tested). Clone the git repository and run the install script: 
@@ -59,7 +59,7 @@ Running `install.sh` will do the following: - copy Mistborn systemd service files to `/etc/systemd/system` - start and enable Mistborn-base -## Post-Installation +# Post-Installation When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser along with an accompanying Wireguard configuration file and start the Wireguard service. You can watch all of this happen with: ``` journalctl -xfu Mistborn-base @@ -118,7 +118,7 @@ Mistborn makes extra services available. Mistborn functions as a network firewall and provides metrics on blocked probes from the internet. ![Mistborn Metrics](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_metrics.png)*Mistborn Firewall Metrics* -## Troubleshooting +# Troubleshooting Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so we're not bothering with TLS certs. Here are some things to check if you have issues: @@ -143,11 +143,11 @@ wg show ``` Note the Mistborn naming convention for Wireguard interfaces on the server is wg. So if the particular Wireguard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf` -## Contact +# Contact Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com) -## Support +# Support Please consider supporting the project via: - [Patreon](https://www.patreon.com/cyber5k) From 4dad75f91af834d1d09ab8faf1ac0c6587a5cc78 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 21 Mar 2020 01:18:30 -0400 Subject: [PATCH 05/20] .envs .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index e737230..ea8c8cf 100644 --- a/.gitignore 
+++ b/.gitignore @@ -1 +1,2 @@ compose/production/traefik/traefik.toml +.envs/ From 6c2f7379455bbd3b8566e10dca6ea4ff32f6a2d8 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 22 Mar 2020 08:32:28 -0400 Subject: [PATCH 06/20] adding docs and bugfixes --- README.md | 6 ++++-- scripts/services/Mistborn-base.service | 12 ++++++------ scripts/services/Mistborn-bitwarden.service | 2 +- scripts/services/Mistborn-rocketchat.service | 2 +- scripts/services/Mistborn-syncthing.service | 4 ++-- scripts/services/Mistborn-tor.service | 2 +- 6 files changed, 15 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index a83951b..2d208cd 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ Within Mistborn is a panel to enable and manage these free extra services, local - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy. # Installation -Mistborn is regularly tested on Ubuntu 18.04 LTS. It has also been successfully used on Debian and Raspbian systems (though not regularly tested). +Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). Clone the git repository and run the install script: ``` @@ -43,7 +43,7 @@ sudo bash ./mistborn/scripts/install.sh Running `install.sh` will do the following: - create a `mistborn` system user - clone the mistborn repo to `/opt/mistborn` -- setup iptables and ip6tables rules +- setup iptables and ip6tables rules and chains - install iptables-persistent - install Docker - install OpenSSH 
@@ -51,6 +51,7 @@ Running `install.sh` will do the following: - install Cockpit - create a `cockpit` system user - configure unattended-upgrades +- create and populate traefik.toml - create `/opt/mistborn_volumes` and setup folders for services that will be mounted within - backup original contents of `/opt/mistborn_volumes` in `/opt/mistborn_backup` - Pull docker images for base.yml @@ -105,6 +106,7 @@ Endpoint = :39207 - Run `sudo systemctl enable wg-quick@wg_admin` - Open your browser and go to "http://home.mistborn" - Browse your Mistborn system! +**Note:** The home.mistborn server takes a minute to come up after Mistborn is up (collectstatic on all that frontend JavaScript and CSS) ## Wireguard Management Mistborn users can be added (non-privileged or superuser) and removed by superusers. Multiple Wireguard profiles can be created for each user. A non-privileged user can create profiles for themselves. diff --git a/scripts/services/Mistborn-base.service b/scripts/services/Mistborn-base.service index 8f23fa1..7e2cecd 100644 --- a/scripts/services/Mistborn-base.service +++ b/scripts/services/Mistborn-base.service 
@@ -24,12 +24,12 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down # Post stop -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP +ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP || true +ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP || true +ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP || true +ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP || true +ExecStopPost=/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP || true +ExecStopPost=/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP || true [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-bitwarden.service b/scripts/services/Mistborn-bitwarden.service index 49c144d..50c0e16 100644 --- a/scripts/services/Mistborn-bitwarden.service +++ b/scripts/services/Mistborn-bitwarden.service 
@@ -17,7 +17,7 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down # Post stop -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP +ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP || true [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service index e99e307..d603c6a 100644 --- a/scripts/services/Mistborn-rocketchat.service +++ b/scripts/services/Mistborn-rocketchat.service @@ -17,7 +17,7 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down # Post stop -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP +ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP || true [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-syncthing.service b/scripts/services/Mistborn-syncthing.service index 9dcfbbf..721b3f2 100644 --- a/scripts/services/Mistborn-syncthing.service +++ b/scripts/services/Mistborn-syncthing.service 
@@ -18,8 +18,8 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down # Post stop -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP +ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP || true +ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP || true [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-tor.service b/scripts/services/Mistborn-tor.service index c67fb85..a1c2272 100644 --- a/scripts/services/Mistborn-tor.service +++ b/scripts/services/Mistborn-tor.service @@ -17,7 +17,7 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --buil # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down # Post stop -ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP +ExecStopPost=/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP || true [Install] WantedBy=multi-user.target From 87c2feb8d8bee156adef1af5a0a1bd405a21b0f4 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 22 Mar 2020 17:13:42 -0400 Subject: [PATCH 07/20] MISTBORN_DOCKER_INPUT docker0 (raspbian) --- scripts/subinstallers/iptables.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh index 3b92a44..3230c35 100755 --- a/scripts/subinstallers/iptables.sh +++ b/scripts/subinstallers/iptables.sh 
@@ -50,7 +50,7 @@ fi # docker rules sudo iptables -N MISTBORN_DOCKER_INPUT sudo iptables -A MISTBORN_DOCKER_INPUT -i br-+ -j ACCEPT -#sudo iptables -A INPUT ! -i $iface -s 172.16.0.0/12 -j ACCEPT +sudo iptables -A MISTBORN_DOCKER_INPUT -i docker0 -j ACCEPT # last rules sudo iptables -A INPUT -j MISTBORN_DOCKER_INPUT From 7fecc367fc2c7e857a2f259403bc4e9309e8a275 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 22 Mar 2020 17:30:46 -0400 Subject: [PATCH 08/20] update.sh sudo --- scripts/update.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/update.sh b/scripts/update.sh index a268028..8f3d639 100755 --- a/scripts/update.sh +++ b/scripts/update.sh @@ -2,7 +2,7 @@ set -e -docker-compose -f /opt/mistborn/base.yml pull -docker-compose -f /opt/mistborn/base.yml build +sudo docker-compose -f /opt/mistborn/base.yml pull +sudo docker-compose -f /opt/mistborn/base.yml build -systemctl restart Mistborn-base +sudo systemctl restart Mistborn-base From 010a49020a3fefe32221af448d0daf879ee5cdc8 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 22 Mar 2020 17:39:49 -0400 Subject: [PATCH 09/20] don't need docker0 --- scripts/subinstallers/iptables.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh index 3230c35..ac40ced 100755 --- a/scripts/subinstallers/iptables.sh +++ b/scripts/subinstallers/iptables.sh @@ -50,7 +50,7 @@ fi # docker rules sudo iptables -N MISTBORN_DOCKER_INPUT sudo iptables -A MISTBORN_DOCKER_INPUT -i br-+ -j ACCEPT -sudo iptables -A MISTBORN_DOCKER_INPUT -i docker0 -j ACCEPT +#sudo iptables -A MISTBORN_DOCKER_INPUT -i docker0 -j ACCEPT # last rules sudo iptables -A INPUT -j MISTBORN_DOCKER_INPUT From b65edfa42229bef27123cb32b50d4c2f672cbfff Mon Sep 17 00:00:00 2001 
From: Steven Foerster Date: Sun, 22 Mar 2020 18:40:57 -0400 Subject: [PATCH 10/20] python3-dev --- scripts/subinstallers/docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/subinstallers/docker.sh b/scripts/subinstallers/docker.sh index 1af2f2c..6c0d5a7 100755 --- a/scripts/subinstallers/docker.sh +++ b/scripts/subinstallers/docker.sh @@ -61,7 +61,7 @@ echo "Installing Docker Compose" #elif [ "$DISTRO" == "raspbian" ]; then # Install required packages sudo apt update -sudo apt install -y python python3-pip libffi-dev python-backports.ssl-match-hostname +sudo apt install -y python python3-pip libffi-dev python-backports.ssl-match-hostname python3-dev # Install Docker Compose from pip # This might take a while From 4d30cfd89ae621ac0d9506542645f0fde09357cd Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 22 Mar 2020 18:50:27 -0400 Subject: [PATCH 11/20] libssl-dev --- scripts/subinstallers/docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/subinstallers/docker.sh b/scripts/subinstallers/docker.sh index 6c0d5a7..7c5da2a 100755 --- a/scripts/subinstallers/docker.sh +++ b/scripts/subinstallers/docker.sh @@ -61,7 +61,7 @@ echo "Installing Docker Compose" #elif [ "$DISTRO" == "raspbian" ]; then # Install required packages sudo apt update -sudo apt install -y python python3-pip libffi-dev python-backports.ssl-match-hostname python3-dev +sudo apt install -y python python3-pip libffi-dev python-backports.ssl-match-hostname python3-dev libssl-dev # Install Docker Compose from pip # This might take a while From cbec48f74526bdb0ca73cedc27bbfd3c0cea0ba3 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Mon, 23 Mar 2020 15:20:49 -0400 Subject: [PATCH 12/20] sudo --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 2d208cd..171a0cb 100644 --- a/README.md +++ b/README.md 
@@ -63,12 +63,12 @@ Running `install.sh` will do the following: # Post-Installation When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser along with an accompanying Wireguard configuration file and start the Wireguard service. You can watch all of this happen with: ``` -journalctl -xfu Mistborn-base +sudo journalctl -xfu Mistborn-base ``` The client Wireguard configuration file may be obtained via: ``` -docker-compose -f /opt/mistborn/base.yml run --rm django python manage.py getconf admin default +sudo docker-compose -f /opt/mistborn/base.yml run --rm django python manage.py getconf admin default ``` Please notice that the following lines are **NOT** part of the Wireguard config: ``` @@ -126,22 +126,22 @@ Once you're connected to Wireguard you should see .mistborn domains and the inte See if any docker containers are stopped: ``` -docker container ls -a +sudo docker container ls -a ``` Check the running log for Mistborn-base: ``` -journalctl -xfu Mistborn-base +sudo journalctl -xfu Mistborn-base ``` Mistborn-base is a systemd process and at any time restarting it should get you to a working state: ``` -systemctl restart Mistborn-base +sudo systemctl restart Mistborn-base ``` The Wireguard processes run independently of Mistborn and will still be up if Mistborn is down. You can check running Wireguard interfaces with: ``` -wg show +sudo wg show ``` Note the Mistborn naming convention for Wireguard interfaces on the server is wg. So if the particular Wireguard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf` From 5c727a9f5c13d3c891dd9565a6558086dc0158e1 Mon Sep 17 00:00:00 2001 
From: Steven Foerster Date: Sat, 28 Mar 2020 11:55:22 -0400 Subject: [PATCH 13/20] subdomain table --- README.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 171a0cb..e5319f2 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur - [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered - [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy -Within Mistborn is a panel to enable and manage these free extra services, locally hosted in Docker containers: +Within Mistborn is a panel to enable and manage these free extra services (off by default), locally hosted in Docker containers: - [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first - [Nextcloud](https://nextcloud.com): Nextcloud offers the industry-leading, on-premises content collaboration platform. It combines the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs. - [BitWarden](https://bitwarden.com): Password manager. The easiest and safest way for individuals, teams, and business organizations to store, share, and sync sensitive data. 
@@ -30,6 +30,7 @@ Within Mistborn is a panel to enable and manage these free extra services, local - [Rocket.Chat](https://rocket.chat): Free, Open Source, Enterprise Team Chat. - [Jellyfin](https://jellyfin.org): The Free Media Software System. - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy. +- [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing # Installation Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). @@ -51,6 +52,7 @@ Running `install.sh` will do the following: - install Cockpit - create a `cockpit` system user - configure unattended-upgrades +- generate a self-signed TLS certificate/key (WebRTC functionality requires TLS) - create and populate traefik.toml - create `/opt/mistborn_volumes` and setup folders for services that will be mounted within - backup original contents of `/opt/mistborn_volumes` in `/opt/mistborn_backup` 
@@ -120,6 +122,23 @@ Mistborn makes extra services available. Mistborn functions as a network firewall and provides metrics on blocked probes from the internet. ![Mistborn Metrics](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_metrics.png)*Mistborn Firewall Metrics* +# Mistborn Subdomains +Mistborn uses the following domains (that can be reached by all Wireguard clients): + +| Service | Domain | Default Status | +| ------- | ------ | -------------- | +| **Home** | home.mistborn | On | +| **Pihole** | pihole.mistborn | On | +| **Cockpit** | cockpit.mistborn | On | +| Nextcloud | nextcloud.mistborn | Off | +| Rocket.Chat | chat.mistborn | Off | +| Home Assistant | homeassistant.mistborn | Off | +| Bitwarden | bitwarden.mistborn | Off | +| Jellyfin | jellyfin.mistborn | Off | +| Syncthing | syncthing.mistborn | Off | +| OnlyOffice | onlyoffice.mistborn | Off | +| Jitsi | jitsi.mistborn | Off | + # Troubleshooting Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so we're not bothering with TLS certs. Here are some things to check if you have issues: From 70802d2acef18c559bd56b9dba454720969cc73c Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 28 Mar 2020 12:22:04 -0400 Subject: [PATCH 14/20] network diagram --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index e5319f2..fbc5198 100644 --- a/README.md +++ b/README.md 
@@ -32,6 +32,13 @@ Within Mistborn is a panel to enable and manage these free extra services (off b - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy. - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing +# Network Diagram +Mistborn protects your data in a variety of ways: +- All of your devices are protected wherever they go with the Wireguard VPN protocol +- The Mistborn firewall blocks unsolicited incoming internet probes +- Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) +![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png)*Mistborn Network Diagram* + # Installation Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). From d737c4cb8ea7f3905bfa827c3489923bc7006c6f Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 28 Mar 2020 12:25:00 -0400 Subject: [PATCH 15/20] re-arranging --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fbc5198..93fd449 100644 --- a/README.md +++ b/README.md 
@@ -33,11 +33,11 @@ Within Mistborn is a panel to enable and manage these free extra services (off b - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing # Network Diagram +![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png)*Mistborn Network Diagram* Mistborn protects your data in a variety of ways: - All of your devices are protected wherever they go with the Wireguard VPN protocol - The Mistborn firewall blocks unsolicited incoming internet probes - Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) -![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png)*Mistborn Network Diagram* # Installation Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). From 702a97241215a9231cf71f9d9a61abdf686dcd66 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 28 Mar 2020 12:26:03 -0400 Subject: [PATCH 16/20] removing caption --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 93fd449..8eb12f6 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing # Network Diagram -![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png)*Mistborn Network Diagram* +![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png) Mistborn protects your data in a variety of ways: - All of your devices are protected wherever they go with the Wireguard VPN protocol - The Mistborn firewall blocks unsolicited incoming internet probes 
From 539fef5cefc996ff688073a08d23275f8bc30e10 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 28 Mar 2020 12:26:49 -0400 Subject: [PATCH 17/20] formatting --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8eb12f6..f9044db 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b # Network Diagram ![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png) + Mistborn protects your data in a variety of ways: - All of your devices are protected wherever they go with the Wireguard VPN protocol - The Mistborn firewall blocks unsolicited incoming internet probes From 52f40d815f3ba820de18dc3bd952eb5d7efa334c Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 28 Mar 2020 12:27:56 -0400 Subject: [PATCH 18/20] packets --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f9044db..0c4f587 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b Mistborn protects your data in a variety of ways: - All of your devices are protected wherever they go with the Wireguard VPN protocol -- The Mistborn firewall blocks unsolicited incoming internet probes +- The Mistborn firewall blocks unsolicited incoming internet packets - Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) # Installation From e6734d8e44099ce2e675c4994806c5d440e0c36f Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 28 Mar 2020 12:34:11 -0400 Subject: [PATCH 19/20] dev hard reset --- README.md | 5 +++++ dev/rebuild.sh | 19 +++++++++++++++++++ dev/wg_clean.sh | 24 ++++++++++++++++++++++++ 3 files changed, 48 insertions(+) create mode 100755 dev/rebuild.sh create mode 100755 dev/wg_clean.sh 
diff --git a/README.md b/README.md index 0c4f587..0ce1511 100644 --- a/README.md +++ b/README.md @@ -172,6 +172,11 @@ sudo wg show ``` Note the Mistborn naming convention for Wireguard interfaces on the server is wg. So if the particular Wireguard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf` +The `dev/` folder contains a script for completing a hard reset: destroying and rebuilding the system. +``` +sudo ./dev/rebuild.sh +``` + # Contact Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com) diff --git a/dev/rebuild.sh b/dev/rebuild.sh new file mode 100755 index 0000000..08e8611 --- /dev/null +++ b/dev/rebuild.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +sudo systemctl stop Mistborn-base +sudo rm -rf /opt/mistborn_volumes/* +sudo docker container prune -f +sudo docker image prune -f +sudo docker volume prune -f +sudo eval "$(dirname "${BASH_SOURCE[0]}")/wg_clean.sh" + +pushd . +cd /opt/mistborn +tar -xzvf ../mistborn_backup/mistborn_volumes_backup.tar.gz -C ../ +git pull +git submodule update --init +sudo docker-compose -f base.yml build +popd + +sudo systemctl start Mistborn-base +sudo journalctl -xfu Mistborn-base diff --git a/dev/wg_clean.sh b/dev/wg_clean.sh new file mode 100755 index 0000000..e80ed9b --- /dev/null +++ b/dev/wg_clean.sh @@ -0,0 +1,24 @@ +#!/bin/bash + +pushd . +cd /etc/wireguard + +for filename in ./*.conf; do + + iface="$(basename $filename | cut -d'.' -f1)" + + if sudo wg show $iface 1>/dev/null 2>&1 ; then + # interface exists + if sudo wg show $iface | grep -qF 'latest handshake' ; then + echo 'connected' + else + echo 'never connected' + echo "stoppping, disabling, and removing $iface" + sudo systemctl stop wg-quick@$iface && sudo systemctl disable wg-quick@$iface && rm ./$filename + fi + fi + +done + + +popd From 7df68177327b458c544ef24a12fa71fd0c6a1505 Mon Sep 17 00:00:00 2001 
From: Steven Foerster Date: Sat, 28 Mar 2020 12:35:47 -0400 Subject: [PATCH 20/20] clarification --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0ce1511..cd8f12c 100644 --- a/README.md +++ b/README.md @@ -172,7 +172,7 @@ sudo wg show ``` Note the Mistborn naming convention for Wireguard interfaces on the server is wg. So if the particular Wireguard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf` -The `dev/` folder contains a script for completing a hard reset: destroying and rebuilding the system. +The `dev/` folder contains a script for completing a hard reset: destroying and rebuilding the system from the original backup: ``` sudo ./dev/rebuild.sh ```
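Review bot: PATCH 01, 02 and 03 are three successive attempts at the same table of contents in `README.md` (kramdown `{:toc}`, then `[[_TOC_]]` at the top, then `[[_TOC_]]` under a `# Table of Contents` heading); squash them into one commit so the history records the working syntax rather than the experiments.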
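Review bot: Adding `.envs/` to `.gitignore` (PATCH 05, hunk `@@ -1 +1,2 @@`) only prevents future commits; anything under `.envs/` that was already tracked stays tracked and stays in history. Run `git rm -r --cached .envs/` in the same change, and since that directory conventionally holds environment files with credentials, rotate any values that were ever pushed. A committed, sanitized `.envs.example` would also tell new installs which variables the compose files expect.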
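Review bot: The `|| true` appended to every `ExecStopPost=` line in PATCH 06 (`Mistborn-base.service` and the bitwarden, rocketchat, syncthing and tor units) does not do what the commit intends: systemd runs `ExecStopPost=` commands directly, not through a shell, so `||` and `true` reach `/sbin/iptables` as two extra arguments and each line now fails with a bad-argument error instead of tolerating a missing rule. The supported way to ignore a non-zero exit is the `-` prefix, e.g. `ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP`; apply it to all six lines in `Mistborn-base.service` and the single line in each extra unit, and drop the `|| true`.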
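Review bot: PATCH 09 reverts the `docker0` ACCEPT that PATCH 07 added to `scripts/subinstallers/iptables.sh`, leaving a dead `#sudo iptables -A MISTBORN_DOCKER_INPUT -i docker0 -j ACCEPT` line with no explanation. Squash the pair, and either delete the line or replace it with a comment saying why `-i br-+` alone is sufficient on Raspbian, which PATCH 07's subject gives as the reason the rule was tried; otherwise the next person hitting a Raspbian problem will just uncomment it. Note also that `-i br-+` matches every user-defined Docker bridge, so any container on any compose network reaches the host INPUT chain; if that breadth is intended, say so in the comment above the chain.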
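Review bot: `scripts/update.sh` in PATCH 08 now runs `sudo docker-compose -f /opt/mistborn/base.yml pull` and `build`, but nothing constrains what `pull` fetches: if `base.yml` uses floating tags, an update silently takes whatever the registry serves that day and then restarts `Mistborn-base` on it. Pin images by digest (`image: name@sha256:...`) or at least by fixed version tags in `base.yml`, so an update is a reviewable diff rather than a trust-the-registry step.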
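Review bot: The `apt install` line in `scripts/subinstallers/docker.sh` (PATCH 10 and 11) now mixes Python 2 packages (`python`, `python-backports.ssl-match-hostname`) with Python 3 ones (`python3-pip`, `python3-dev`). Since the next step installs Docker Compose from pip, state which interpreter's pip is used and drop the packages for the other one, and pin the `docker-compose` version in that pip install so the build dependencies these two patches add (`python3-dev`, `libssl-dev`) correspond to a known release rather than to whatever pip resolves. The two one-package commits also read better squashed.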
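Review bot: The `getconf admin default` command in PATCH 12 (`README.md` hunk `@@ -63,12 +63,12 @@`) prints the client's Wireguard configuration, private key included, to the terminal. The README should tell readers to write it to a file with restrictive permissions, e.g. `sudo docker-compose -f /opt/mistborn/base.yml run --rm django python manage.py getconf admin default > admin.conf && chmod 600 admin.conf`, transfer that file to the client, and remove it from the server, rather than copying the key out of scrollback.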
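Review bot: PATCH 13 adds `generate a self-signed TLS certificate/key (WebRTC functionality requires TLS)` to the install list (`README.md` hunk `@@ -51,6 +52,7 @@`), but the Troubleshooting paragraph carried as context in the following hunk still says `Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so we're not bothering with TLS certs.` Update that paragraph to say which subdomains (Jitsi at least) are served over https with the self-signed certificate and that browsers will warn about it; the new subdomain table is the natural place for an http/https column next to `Default Status`. As written, readers following the http-only advice will report Jitsi as broken.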
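Review bot: `sudo eval "$(dirname "${BASH_SOURCE[0]}")/wg_clean.sh"` in `dev/rebuild.sh` (PATCH 19) cannot work: `eval` is a shell builtin, not an executable, so `sudo` fails with `eval: command not found` and the Wireguard clean-up is skipped. Invoke the script directly: `sudo "$(dirname "${BASH_SOURCE[0]}")/wg_clean.sh"`. Two more problems in the same file: there is no `set -e`, so a failed `git pull` or `docker-compose build` still proceeds to `systemctl start Mistborn-base`; and `sudo rm -rf /opt/mistborn_volumes/*` irreversibly destroys every service's persistent data with no confirmation, while the following `tar -xzvf ... -C ../` and `git pull` run unprivileged and fail if `/opt` is root-owned. Add `set -euo pipefail`, a `read -p 'This destroys all Mistborn data. Continue? [y/N] '` guard, and run the whole script as root consistently instead of per-command `sudo`.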
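Review bot: `dev/wg_clean.sh` (PATCH 19) only touches interfaces that are currently up: the `sudo wg show $iface` test fails for any config whose `wg-quick@` unit is stopped, so those configs survive the "hard reset", while a profile that is up but simply unused (no `latest handshake`) is stopped, disabled and deleted, which is a surprising criterion for a reset. Either remove every `*.conf` unconditionally, since this is the dev hard reset, or document the never-connected rule in a header comment. Smaller points: `shopt -s nullglob` so an empty `/etc/wireguard` does not iterate over the literal `./*.conf`; quote `$filename` and `$iface`; `rm ./$filename` yields `././name.conf` because `$filename` already carries `./`, and it runs without `sudo` unlike the neighbouring commands; and `stoppping` is misspelled.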
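Review bot: The README paragraph added in PATCH 19 and reworded in PATCH 20 (`README.md` hunk `@@ -172,6 +172,11 @@`) sits in the Troubleshooting section and should say plainly that `sudo ./dev/rebuild.sh` deletes `/opt/mistborn_volumes`, restores only the pristine backup taken at install time, and is a developer tool; "destroying and rebuilding the system from the original backup" understates that all user data added since install is lost, and a reader looking for a restart-level fix may run it.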