Resolve "Guacamole details and prefix"

README.md

@@ -128,6 +128,15 @@ In Mistborn, Gateways are upstream from the VPN server so connections to third-p
 
 The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads.
 
+# Remote Desktop
+Remote desktops enable multiple users to share desktop resources and data. Remote desktops also enable groups to prevent sensitive data from ever entering an endpoint devices such as a smartphone. For reference, some United States Government regulations require controls to protect Controlled Unclassified Information (CUI) that are not feasible to implement on all endpoint devices and remote desktops prevent the data from entering the device (see NIST SP 800-171 3.1.19, CMMC AC.3.022).
+
+Mistborn enables remote desktop access via the Apache Guacamole extra service, which supports VNC, RDP, SSH, and other protocols. 
+
+![Guacamole Recent Connections](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_connections.png)
+
+Guacamole implements its own users and groups access controls to manage access to individual desktops. All Mistborn users must be authenticated with Mistborn (via Wireguard only or MFA) to access the Guacamole interface.
+
 # Client to client communication
 By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle.
 

base.yml

@@ -160,7 +160,7 @@ services:
    container_name: mistborn_production_pihole
    image: pihole/pihole:v5.5.1
    env_file:
-     - /opt/mistborn_volumes/base/base.txt
+     - ./.envs/.production/.pihole
    ports:
      - "${MISTBORN_DNS_BIND_IP}:53:53/tcp"
      - "${MISTBORN_DNS_BIND_IP}:53:53/udp"
@@ -168,11 +168,12 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)"
       - "traefik.http.routers.pihole-http.entrypoints=web"
-      - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file,add-pihole-admin"
       - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)"
       - "traefik.http.routers.pihole-https.entrypoints=websecure"
-      - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file,add-pihole-admin"
       - "traefik.http.routers.pihole-https.tls.certresolver=basic"
+      - "traefik.http.middlewares.add-pihole-admin.addPrefix.prefix=/admin"
       - "traefik.http.services.pihole-service.loadbalancer.server.port=80"
    environment:
      - ServerIP=10.2.0.3
@@ -182,8 +183,6 @@ services:
      - DNSMASQ_LISTENING=all
    #  TZ: 'America/New York'
    # Volumes store your data between container upgrades
-   env_file:
-     - ./.envs/.production/.pihole
    volumes:
      - ../mistborn_volumes/base/pihole/etc-pihole:/etc/pihole/
      - ../mistborn_volumes/base/pihole/etc-dnsmasqd:/etc/dnsmasq.d/

extra/guacamole.yml

@@ -37,11 +37,12 @@ services:
     - "traefik.enable=true"
     - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)"
     - "traefik.http.routers.guacamole-http.entrypoints=web"
-    - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file"
+    - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole"
     - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)"
     - "traefik.http.routers.guacamole-https.entrypoints=websecure"
-    - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file"
+    - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole"
     - "traefik.http.routers.guacamole-https.tls.certresolver=basic"
+    - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole"
     - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080"
     depends_on:
     - guacd