diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 03623c1..c38e178 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,6 +19,5 @@ docker_build: script: - apk add docker-compose - scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD" - - cp compose/production/traefik/traefik.toml.template compose/production/traefik/traefik.toml - docker-compose -f base.yml build diff --git a/README.md b/README.md index 6676760..adeb7ce 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,9 @@ Tested Operating Systems (in order of thoroughness): - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Debian 10 (Buster) -- Raspbian Buster +- Raspberry Pi OS (formerly Raspbian) Buster + +**Note:** Install operating system updates and restart. Raspberry Pi OS particularly needs to be restarted after kernel updates (kernel modules for the currently running kernel may be missing). Tested Browsers: - Firefox @@ -59,8 +61,8 @@ The Mistborn docker images exist for these architectures: | Mistborn Docker Images (hub.docker.com) | Architectures | |------------------------------------------------|---------------------| -| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, armv7 | -| dnscrypt-proxy | amd64, arm64, armv7 | +| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, arm/v7 | +| dnscrypt-proxy | amd64, arm64, arm/v7 | Recommended System Specifications: @@ -74,7 +76,7 @@ Recommended System Specifications: Starting from base installation ``` git clone https://gitlab.com/cyber5k/mistborn.git -sudo bash ./mistborn/scripts/install.sh +sudo -E bash ./mistborn/scripts/install.sh ``` Get default admin Wireguard profile @@ -121,7 +123,7 @@ Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB Clone the git repository and run the install script: ``` git clone https://gitlab.com/cyber5k/mistborn.git -sudo bash ./mistborn/scripts/install.sh +sudo -E bash ./mistborn/scripts/install.sh ``` Running `install.sh` will do the following: 
@@ -132,8 +134,8 @@ Running `install.sh` will do the following: - install Docker - install OpenSSH - install Wireguard -- install Cockpit -- create a `cockpit` system user +- install Cockpit (optional) +- create a `cockpit` system user (if Cockpit is installed) - configure unattended-upgrades - generate a self-signed TLS certificate/key (WebRTC functionality requires TLS) - create and populate traefik.toml @@ -155,7 +157,7 @@ See the environment variables needed in `./scripts/noninteractive/.install_bareb This will perform a noninteractive install with the default environment variables set in `.install_barebones`. ``` git clone https://gitlab.com/cyber5k/mistborn.git -sudo bash -c "source ./mistborn/scripts/noninteractive/.install_barebones && ./mistborn/scripts/install.sh" +sudo -E bash -c "source ./mistborn/scripts/noninteractive/.install_barebones && ./mistborn/scripts/install.sh" ``` # Post-Installation @@ -317,7 +319,7 @@ But wait, there's more! You can: | Rocket.Chat | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android) | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252) | ## TLS Certificate -Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings. +Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings. This certificate is checked every day and will be re-generated when expiration is less than 30 days away. The TLS certificate can be found here: ``` 
@@ -446,7 +448,7 @@ These are some notes regarding the technical design and implementations of Mistb ## Additonal Notes - Interface names are not hardcoded anywhere in Mistborn. Two commands that are used in different circumstances to determine the default network interface and the interface that would route a public IP address are: `ip -o -4 route show to default` and `ip -o -4 route get 1.1.1.1`. - The "Update" button will pull updated Docker images for mistborn, postgresql, redis, pihole, and dnscrypt. Those services will then be restarted. -- The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 10 years. The nanny at Apple has decided to restrict the kinds of certificates iOS users may choose to manually trust and so you may have issues with TLS on an Apple device for now. +- The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days. - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked. - Unattended upgrades are set to automatically install operating system security updates. diff --git a/base.yml b/base.yml index 4596b96..f0536ef 100644 --- a/base.yml +++ b/base.yml 
@@ -14,7 +14,14 @@ services: - redis labels: - "traefik.enable=true" - - "traefik.port=5000" + - "traefik.http.routers.django-http.rule=Host(`home.mistborn`)" + - "traefik.http.routers.django-http.entrypoints=web" + - "traefik.http.routers.django-http.middlewares=mistborn_headers@file" + - "traefik.http.routers.django-https.rule=Host(`home.mistborn`)" + - "traefik.http.routers.django-https.entrypoints=websecure" + - "traefik.http.routers.django-https.middlewares=mistborn_headers@file" + - "traefik.http.routers.django-https.tls.certresolver=basic" + - "traefik.http.services.django-service.loadbalancer.server.port=5000" env_file: - ./.envs/.production/.django - ./.envs/.production/.postgres 
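Review bot: The new `traefik.http.routers.django-https.tls.certresolver=basic` label refers to a certificate resolver that is never defined: the traefik `command` list in the next hunk of base.yml configures providers and entrypoints but no `--certificatesresolvers.basic.*` option, and the "## Certificates" stanza there holds only a commented line. Traefik v2 logs an error for a router whose resolver does not exist; whether the router then still serves the default certificate from dynamic.toml is not something I can confirm from this diff, so it should be tested. Either drop the `certresolver` label so the router uses the default store, or define the resolver explicitly. The same undefined-resolver label is repeated in the pihole hunk of base.yml and in every extra/*.yml hunk (bitwarden, homeassistant, jellyfin, jitsi-meet, nextcloud, onlyoffice, raspap, rocketchat, syncthing).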
@@ -38,20 +45,41 @@ services: restart: unless-stopped traefik: - build: - context: . - dockerfile: ./compose/production/traefik/Dockerfile - image: mistborn_production_traefik + #build: + # context: . + # dockerfile: ./compose/production/traefik/Dockerfile + #image: mistborn_production_traefik + image: traefik:v2.2 container_name: mistborn_production_traefik depends_on: - django volumes: - - production_traefik:/etc/traefik/acme + #- production_traefik:/etc/traefik/acme + - ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro - /var/run/docker.sock:/var/run/docker.sock:ro - - ../mistborn_volumes/base/tls:/tls - ports: - - "0.0.0.0:80:80/tcp" - - "0.0.0.0:443:443/tcp" + - ../mistborn_volumes/base/tls:/tls:ro + network_mode: host + #ports: + # - "0.0.0.0:80:80/tcp" + # - "0.0.0.0:443:443/tcp" + # #- "0.0.0.0:8080:8080/tcp" # dashboard + command: + ## API settings + #- --api.insecure=true + #- --api.dashboard=true + #- --api.debug=true + ## Logs + - --log.level=ERROR + ## Providers + - --providers.docker=true + - --providers.docker.exposedbydefault=false + - --providers.file.filename=/dynamic.toml + #- --providers.docker.network=default + ## Entrypoints + - --entrypoints.web.address=:80 + - --entrypoints.websecure.address=:443 + ## Certificates + #- --serversTransport.insecureSkipVerify=true restart: unless-stopped redis: 
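Review bot: `network_mode: host` together with `--entrypoints.web.address=:80` and `--entrypoints.websecure.address=:443` now binds Traefik on every host interface and bypasses Docker's port publishing, so the reachability of these listeners depends entirely on the host firewall rather than on the compose file; the previous `ports` mapping was also `0.0.0.0`, but that went through Docker's iptables chain. If the intent is Wireguard-only access, consider binding the entrypoints to the Wireguard address instead of `:80`/`:443`, and state the assumption in a comment next to `network_mode: host`. `image: traefik:v2.2` is a floating minor tag that will silently pick up new patch images on each pull; pinning `traefik:<exact-version>` (or a digest) makes updates deliberate. The commented-out `build:`/`image:` lines and the old `ports:` block are dead configuration and would read better as a single comment explaining the move to the upstream image.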
@@ -136,6 +164,14 @@ services: - "${MISTBORN_DNS_BIND_IP}:53:53/udp" labels: - "traefik.enable=true" + - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)" + - "traefik.http.routers.pihole-http.entrypoints=web" + - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)" + - "traefik.http.routers.pihole-https.entrypoints=websecure" + - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.pihole-https.tls.certresolver=basic" + - "traefik.http.services.pihole-service.loadbalancer.server.port=80" environment: - ServerIP=10.2.0.3 - DNS1='10.2.0.2#5054' # docs say port 5054, was 54; use network_mode: host to see which port is used diff --git a/compose/production/traefik/Dockerfile b/compose/production/traefik/Dockerfile index 7088e6f..04c5f93 100644 --- a/compose/production/traefik/Dockerfile +++ b/compose/production/traefik/Dockerfile @@ -1,5 +1,5 @@ -FROM traefik:alpine +FROM traefik:v2.2 RUN mkdir -p /etc/traefik/acme RUN touch /etc/traefik/acme/acme.json RUN chmod 600 /etc/traefik/acme/acme.json -COPY ./compose/production/traefik/traefik.toml /etc/traefik +#COPY ./compose/production/traefik/dynamic.toml /etc/traefik diff --git a/compose/production/traefik/dynamic.toml b/compose/production/traefik/dynamic.toml new file mode 100644 index 0000000..0eeb776 --- /dev/null +++ b/compose/production/traefik/dynamic.toml 
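Review bot: compose/production/traefik/Dockerfile is now orphaned: base.yml no longer builds it (its `build:` stanza is commented out and it pulls `traefik:v2.2` directly), the `COPY` line is commented, and the `acme.json` setup it still performs is no longer mounted anywhere visible. As far as this diff shows nothing references the file, so either delete it or add a header comment such as `# Not built by base.yml; kept only for a custom Traefik image` so the next maintainer does not assume it is in use. If CI or another compose file still builds it, that is outside this diff.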
@@ -0,0 +1,31 @@
+[tls.stores]
+ [tls.stores.default]
+ [tls.stores.default.defaultCertificate]
+ certFile = "/tls/cert.crt"
+ keyFile = "/tls/cert.key"
+
+[tls.options]
+ [tls.options.default]
+ minVersion = "VersionTLS12"
+
+[http.services]
+ [http.services.cockpit.loadBalancer]
+ [[http.services.cockpit.loadBalancer.servers]]
+ url = "http://10.2.3.1:9090"
+
+[http.routers]
+ [http.routers.cockpit]
+ rule = "Host(`cockpit.mistborn`)"
+ service = "cockpit"
+ entrypoints = ["web", "websecure"]
+ #middlewares =
+
+[http.middlewares]
+ [http.middlewares.mistborn_auth.forwardAuth]
+ address = "https://home.mistborn/auth/"
+ trustForwardHeader = true
+ [http.middlewares.mistborn_auth.forwardAuth.tls]
+ insecureSkipVerify = true
+
+ [http.middlewares.mistborn_headers.headers]
+ hostsProxyHeaders = ['X-CSRFToken']
\ No newline at end of file
diff --git a/compose/production/traefik/traefik.toml.template b/compose/production/traefik/traefik.toml.template
deleted file mode 100644
index 267d53b..0000000
--- a/compose/production/traefik/traefik.toml.template
+++ /dev/null
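Review bot: The `[http.routers.cockpit]` router has its `middlewares` line commented out, so the cockpit route is no longer gated by the forward-auth check that the deleted traefik.toml.template applied via `[frontends.cockpit.auth.forward]`; every other service in this commit keeps `mistborn_auth@file`, and cockpit is the one that exposes host administration. Replace `#middlewares =` with `middlewares = ["mistborn_auth"]` unless the drop is intentional, in which case say so in a comment. `trustForwardHeader = true` also flips the old template's `false`: with Traefik now on host networking it is the first hop, so client-supplied `X-Forwarded-*` headers would be forwarded to `https://home.mistborn/auth/` as-is, and `false` is the safer default unless the auth view needs them. The file also lacks a trailing newline.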
@@ -1,257 +0,0 @@ -#debug = true - -logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC -InsecureSkipVerify = true - -defaultEntryPoints = ["http", "https"] -#defaultEntryPoints = ["http"] - -# Entrypoints, http and https -[entryPoints] - # http should be redirected to https - [entryPoints.http] - address = ":80" - #[entryPoints.http.redirect] - #entryPoint = "https" - # https is the default - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - [entryPoints.https.tls.defaultCertificate] - certFile = "/tls/cert.crt" - keyFile = "/tls/cert.key" - -## Enable ACME (Let's Encrypt): automatic SSL -#[acme] -## Email address used for registration -#email = "steven@cyber5k.com" -#storage = "/etc/traefik/acme/acme.json" -#entryPoint = "https" -#onDemand = false -#OnHostRule = true -# # Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge -# [acme.httpChallenge] -# entryPoint = "http" - -[file] -[backends] - [backends.django] - [backends.django.servers.server1] - url = "http://django:5000" - - [backends.pihole] - [backends.pihole.servers.server1] - url = "http://pihole:80" - - [backends.homeassistant] - [backends.homeassistant.servers.server1] - url = "http://homeassistant:8123" - - [backends.syncthing] - [backends.syncthing.servers.server1] - url = "http://syncthing:8384" - - [backends.rocketchat] - [backends.rocketchat.servers.server1] - url = "http://rocketchat:3000" - - [backends.nextcloud] - [backends.nextcloud.servers.server1] - url = "http://nextcloud:80" - - [backends.onlyoffice] - [backends.onlyoffice.servers.server1] - url = "http://onlyoffice:80" - - [backends.bitwarden] - [backends.bitwarden.servers.server1] - url = "http://bitwarden:80" - - [backends.jellyfin] - [backends.jellyfin.servers.server1] - url = "http://jellyfin:8096" - - [backends.jitsi] - [backends.jitsi.servers.server1] - url = "http://jitsi-web:80" - - [backends.raspap] - [backends.raspap.servers.server1] - url = "http://raspap:80" - - [backends.cockpit] - 
[backends.cockpit.servers.server1] - url = "http://10.2.3.1:9090" - -[frontends] - [frontends.django] - backend = "django" - passHostHeader = true - [frontends.django.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.django.routes.dr1] - #rule = "Host:mistborn.cyber5k.com" - rule = "Host:home.mistborn" - - [frontends.pihole] - backend = "pihole" - passHostHeader = true - [frontends.pihole.auth] - [frontends.pihole.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.pihole.auth.forward.tls] - insecureSkipVerify = true - [frontends.pihole.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.pihole.routes.dr1] - rule = "Host:pihole.mistborn" - - [frontends.homeassistant] - backend = "homeassistant" - passHostHeader = true - [frontends.homeassistant.auth] - [frontends.homeassistant.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.homeassistant.auth.forward.tls] - insecureSkipVerify = true - [frontends.homeassistant.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.homeassistant.routes.dr1] - rule = "Host:homeassistant.mistborn" - - [frontends.syncthing] - backend = "syncthing" - passHostHeader = true - [frontends.syncthing.auth] - [frontends.syncthing.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.syncthing.auth.forward.tls] - insecureSkipVerify = true - [frontends.syncthing.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.syncthing.routes.dr1] - rule = "Host:syncthing.mistborn" - - [frontends.rocketchat] - backend = "rocketchat" - passHostHeader = true - [frontends.rocketchat.auth] - [frontends.rocketchat.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.rocketchat.auth.forward.tls] - insecureSkipVerify = true - [frontends.rocketchat.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.rocketchat.routes.dr1] - rule = 
"Host:chat.mistborn" - - [frontends.nextcloud] - backend = "nextcloud" - passHostHeader = true - [frontends.nextcloud.auth] - [frontends.nextcloud.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.nextcloud.auth.forward.tls] - insecureSkipVerify = true - [frontends.nextcloud.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.nextcloud.routes.dr1] - rule = "Host:nextcloud.mistborn" - - [frontends.onlyoffice] - backend = "onlyoffice" - passHostHeader = true - [frontends.onlyoffice.auth] - [frontends.onlyoffice.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.onlyoffice.auth.forward.tls] - insecureSkipVerify = true - [frontends.onlyoffice.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.onlyoffice.routes.dr1] - rule = "Host:onlyoffice.mistborn" - - [frontends.bitwarden] - backend = "bitwarden" - passHostHeader = true - [frontends.bitwarden.auth] - [frontends.bitwarden.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.bitwarden.auth.forward.tls] - insecureSkipVerify = true - [frontends.bitwarden.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.bitwarden.routes.dr1] - rule = "Host:bitwarden.mistborn" - - [frontends.jellyfin] - backend = "jellyfin" - passHostHeader = true - [frontends.jellyfin.auth] - [frontends.jellyfin.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.jellyfin.auth.forward.tls] - insecureSkipVerify = true - [frontends.jellyfin.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.jellyfin.routes.dr1] - rule = "Host:jellyfin.mistborn" - - [frontends.jitsi] - backend = "jitsi" - passHostHeader = true - [frontends.jitsi.auth] - [frontends.jitsi.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.jitsi.auth.forward.tls] - insecureSkipVerify = true - [frontends.jitsi.headers] - 
HostsProxyHeaders = ['X-CSRFToken'] - [frontends.jitsi.routes.dr1] - rule = "Host:jitsi.mistborn" - - [frontends.raspap] - backend = "raspap" - passHostHeader = true - [frontends.raspap.auth] - [frontends.raspap.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.raspap.auth.forward.tls] - insecureSkipVerify = true - [frontends.raspap.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.raspap.routes.dr1] - rule = "Host:raspap.mistborn" - - [frontends.cockpit] - backend = "cockpit" - passHostHeader = true - [frontends.cockpit.auth] - [frontends.cockpit.auth.forward] - address = "https://home.mistborn/auth/" - trustForwardHeader = false - [frontends.cockpit.auth.forward.tls] - insecureSkipVerify = true - [frontends.cockpit.headers] - HostsProxyHeaders = ['X-CSRFToken'] - [frontends.cockpit.routes.dr1] - rule = "Host:cockpit.mistborn" - -## Connection to docker host system (docker.sock) -#[docker] -#endpoint = "unix:///var/run/docker.sock" -#domain = "localhost" -#watch = true -## This will hide all docker containers that don't have explicitly -## set label to "enable" -#exposedbydefault = false diff --git a/extra/bitwarden.yml b/extra/bitwarden.yml index dc6ff56..377b4b8 100644 --- a/extra/bitwarden.yml +++ b/extra/bitwarden.yml 
@@ -10,7 +10,14 @@ services: - ../../mistborn_volumes/extra/bitwarden:/data labels: - "traefik.enable=true" - - "traefik.port=80" + - "traefik.http.routers.bitwarden-http.rule=Host(`bitwarden.mistborn`)" + - "traefik.http.routers.bitwarden-http.entrypoints=web" + - "traefik.http.routers.bitwarden-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.bitwarden-https.rule=Host(`bitwarden.mistborn`)" + - "traefik.http.routers.bitwarden-https.entrypoints=websecure" + - "traefik.http.routers.bitwarden-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.bitwarden-https.tls.certresolver=basic" + - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80" ports: - 3012:3012/tcp restart: unless-stopped diff --git a/extra/homeassistant.yml b/extra/homeassistant.yml index 2588772..db70d62 100644 --- a/extra/homeassistant.yml +++ b/extra/homeassistant.yml @@ -10,7 +10,14 @@ services: - TZ=America/New_York labels: - "traefik.enable=true" - - "traefik.port=8123" + - "traefik.http.routers.homeassistant-http.rule=Host(`homeassistant.mistborn`)" + - "traefik.http.routers.homeassistant-http.entrypoints=web" + - "traefik.http.routers.homeassistant-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.homeassistant-https.rule=Host(`homeassistant.mistborn`)" + - "traefik.http.routers.homeassistant-https.entrypoints=websecure" + - "traefik.http.routers.homeassistant-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.homeassistant-https.tls.certresolver=basic" + - "traefik.http.services.homeassistant-service.loadbalancer.server.port=8123" restart: unless-stopped networks: diff --git a/extra/jellyfin.yml b/extra/jellyfin.yml index e829e1a..2235322 100644 --- a/extra/jellyfin.yml +++ b/extra/jellyfin.yml 
@@ -14,7 +14,14 @@ services: - ../../mistborn_volumes/extra/nextcloud:/media:ro labels: - "traefik.enable=true" - - "traefik.port=8096" + - "traefik.http.routers.jellyfin-http.rule=Host(`jellyfin.mistborn`)" + - "traefik.http.routers.jellyfin-http.entrypoints=web" + - "traefik.http.routers.jellyfin-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.jellyfin-https.rule=Host(`jellyfin.mistborn`)" + - "traefik.http.routers.jellyfin-https.entrypoints=websecure" + - "traefik.http.routers.jellyfin-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.jellyfin-https.tls.certresolver=basic" + - "traefik.http.services.jellyfin-service.loadbalancer.server.port=8096" restart: unless-stopped networks: diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml index cc86c8f..7f4b0ed 100644 --- a/extra/jitsi-meet.yml +++ b/extra/jitsi-meet.yml @@ -9,7 +9,14 @@ services: #- '${HTTPS_PORT}:443' labels: - "traefik.enable=true" - - "traefik.port=${HTTP_PORT}" + - "traefik.http.routers.jitsi-http.rule=Host(`jitsi.mistborn`)" + - "traefik.http.routers.jitsi-http.entrypoints=web" + - "traefik.http.routers.jitsi-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.jitsi-https.rule=Host(`jitsi.mistborn`)" + - "traefik.http.routers.jitsi-https.entrypoints=websecure" + - "traefik.http.routers.jitsi-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.jitsi-https.tls.certresolver=basic" + - "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}" volumes: - ${CONFIG}/web:/config - ${CONFIG}/web/letsencrypt:/etc/letsencrypt diff --git a/extra/nextcloud.yml b/extra/nextcloud.yml index dc72353..c452356 100644 --- a/extra/nextcloud.yml +++ b/extra/nextcloud.yml 
@@ -9,7 +9,14 @@ services: - ../.envs/.production/.nextcloud labels: - "traefik.enable=true" - - "traefik.port=80" + - "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.mistborn`)" + - "traefik.http.routers.nextcloud-http.entrypoints=web" + - "traefik.http.routers.nextcloud-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.mistborn`)" + - "traefik.http.routers.nextcloud-https.entrypoints=websecure" + - "traefik.http.routers.nextcloud-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.nextcloud-https.tls.certresolver=basic" + - "traefik.http.services.nextcloud-service.loadbalancer.server.port=80" volumes: - ../../mistborn_volumes/extra/nextcloud:/var/www/html environment: diff --git a/extra/onlyoffice.yml b/extra/onlyoffice.yml index 63a54a7..043d33e 100644 --- a/extra/onlyoffice.yml +++ b/extra/onlyoffice.yml @@ -11,7 +11,14 @@ services: - ../.envs/.production/.onlyoffice labels: - "traefik.enable=true" - - "traefik.port=80" + - "traefik.http.routers.onlyoffice-http.rule=Host(`onlyoffice.mistborn`)" + - "traefik.http.routers.onlyoffice-http.entrypoints=web" + - "traefik.http.routers.onlyoffice-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.onlyoffice-https.rule=Host(`onlyoffice.mistborn`)" + - "traefik.http.routers.onlyoffice-https.entrypoints=websecure" + - "traefik.http.routers.onlyoffice-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.onlyoffice-https.tls.certresolver=basic" + - "traefik.http.services.onlyoffice-service.loadbalancer.server.port=80" restart: unless-stopped networks: diff --git a/extra/raspap.yml b/extra/raspap.yml index 66575e9..3be7dce 100644 --- a/extra/raspap.yml +++ b/extra/raspap.yml 
@@ -10,7 +10,14 @@ services: container_name: mistborn_production_raspap labels: - "traefik.enable=true" - - "traefik.port=80" + - "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)" + - "traefik.http.routers.raspap-http.entrypoints=web" + - "traefik.http.routers.raspap-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.raspap-https.rule=Host(`raspap.mistborn`)" + - "traefik.http.routers.raspap-https.entrypoints=websecure" + - "traefik.http.routers.raspap-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.raspap-https.tls.certresolver=basic" + - "traefik.http.services.raspap-service.loadbalancer.server.port=80" env_file: - ../.envs/.production/.pihole command: /start diff --git a/extra/rocketchat.yml b/extra/rocketchat.yml index a568aec..42350c3 100644 --- a/extra/rocketchat.yml +++ b/extra/rocketchat.yml @@ -17,7 +17,14 @@ services: - Accounts_UseDNSDomainCheck=False labels: - "traefik.enable=true" - - "traefik.port=3000" + - "traefik.http.routers.chat-http.rule=Host(`chat.mistborn`)" + - "traefik.http.routers.chat-http.entrypoints=web" + - "traefik.http.routers.chat-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.chat-https.rule=Host(`chat.mistborn`)" + - "traefik.http.routers.chat-https.entrypoints=websecure" + - "traefik.http.routers.chat-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.chat-https.tls.certresolver=basic" + - "traefik.http.services.chat-service.loadbalancer.server.port=3000" depends_on: - mongo #ports: diff --git a/extra/syncthing.yml b/extra/syncthing.yml index 4bd5e89..6083393 100644 --- a/extra/syncthing.yml +++ b/extra/syncthing.yml 
@@ -19,7 +19,14 @@ services: - 21027:21027/udp # protocol discovery labels: - "traefik.enable=true" - - "traefik.port=8384" + - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.mistborn`)" + - "traefik.http.routers.syncthing-http.entrypoints=web" + - "traefik.http.routers.syncthing-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.mistborn`)" + - "traefik.http.routers.syncthing-https.entrypoints=websecure" + - "traefik.http.routers.syncthing-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.syncthing-https.tls.certresolver=basic" + - "traefik.http.services.syncthing-service.loadbalancer.server.port=8384" restart: unless-stopped networks: diff --git a/scripts/install.sh b/scripts/install.sh index 2a5c4ce..e777b79 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -69,9 +69,9 @@ fi # Install Cockpit? if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then - read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface)? [Y/n]: " MISTBORN_INSTALL_COCKPIT + read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface -- NOT RECOMMENDED on Raspberry Pi)? [y/N]: " MISTBORN_INSTALL_COCKPIT echo - MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-Y} + MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-N} fi # SSH keys @@ -132,8 +132,11 @@ sudo -E apt-get install -y dnsutils fail2ban # Install kernel headers if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then sudo -E apt install -y linux-headers-$(uname -r) -elif [ "$DISTRO" == "raspbian" ]; then +elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then sudo -E apt install -y raspberrypi-kernel-headers +else + echo "Unsupported OS: $DISTRO" + exit 1 fi # Wireugard 
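Review bot: The new `else echo "Unsupported OS: $DISTRO"; exit 1` branch in the kernel-headers block of scripts/install.sh fails only after the script has already modified the system (the hunk context shows `sudo -E apt-get install -y dnsutils fail2ban` running just before it, and earlier steps such as Docker and SSH are listed in the README), so an unsupported distro is left half-installed. Moving the `$DISTRO` check to the top of install.sh, before any package is installed, would fail fast; the start of the script is outside this diff, so I cannot confirm whether such a check already exists there. The enclosing block also still uses an unquoted `linux-headers-$(uname -r)`; quoting it as `"linux-headers-$(uname -r)"` costs nothing.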
@@ -205,7 +208,7 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd sudo mkdir -p ../mistborn_volumes/extra # Traefik final setup (cockpit) -cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml +#cp ./compose/production/traefik/traefikv2.toml.template ./compose/production/traefik/traefik.toml # setup tls certs source ./scripts/subinstallers/openssl.sh diff --git a/scripts/subinstallers/cockpit.sh b/scripts/subinstallers/cockpit.sh index 445ea69..fbdb141 100755 --- a/scripts/subinstallers/cockpit.sh +++ b/scripts/subinstallers/cockpit.sh @@ -10,11 +10,8 @@ elif [ "$DISTRO" == "debian" ]; then && echo "buster-backports already in sources" \ || echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee -a /etc/apt/sources.list.d/backports.list - -elif [ "$DISTRO" == "raspbian" ]; then - +elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then echo "Raspbian repos contain cockpit" - fi sudo -E apt-get install -y cockpit diff --git a/scripts/subinstallers/docker.sh b/scripts/subinstallers/docker.sh index a051604..a4206ab 100755 --- a/scripts/subinstallers/docker.sh +++ b/scripts/subinstallers/docker.sh @@ -16,5 +16,5 @@ fi # set docker-compose path used in Mistborn if [ ! -f /usr/local/bin/docker-compose ]; then - sudo ln -s $(which docker-compose) /usr/local/bin/docker-compose + sudo -E ln -s $(which docker-compose) /usr/local/bin/docker-compose fi diff --git a/scripts/subinstallers/docker_manual.sh b/scripts/subinstallers/docker_manual.sh index 5fca1c9..2cbb329 100755 --- a/scripts/subinstallers/docker_manual.sh +++ b/scripts/subinstallers/docker_manual.sh 
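Review bot: In scripts/subinstallers/docker.sh the changed line `sudo -E ln -s $(which docker-compose) /usr/local/bin/docker-compose` still leaves the command substitution unquoted, so if `which` finds nothing the call becomes `ln -s /usr/local/bin/docker-compose` and fails with an unrelated message; `-E` has no effect on `ln`. Suggest `target="$(command -v docker-compose)"` followed by `[ -n "$target" ] && sudo ln -s "$target" /usr/local/bin/docker-compose || { echo "docker-compose not found"; exit 1; }`. In scripts/install.sh the `#cp ... traefikv2.toml.template ...` line refers to a template name that this diff does not create; a one-line comment saying Traefik is now configured through dynamic.toml and labels would be clearer than the commented command.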
@@ -15,7 +15,7 @@ if [ "$DISTRO" == "ubuntu" ]; then curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - elif [ "$DISTRO" == "debian" ]; then curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - -elif [ "$DISTRO" == "raspbian" ]; then +elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | sudo apt-key add - fi @@ -31,7 +31,7 @@ elif [ "$DISTRO" == "debian" ]; then "deb https://download.docker.com/linux/debian \ $(lsb_release -cs) \ stable" -elif [ "$DISTRO" == "raspbian" ]; then +elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then echo "deb [arch=armhf] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \ $(lsb_release -cs) stable" | \ sudo tee /etc/apt/sources.list.d/docker.list @@ -43,7 +43,7 @@ sudo apt-get update if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then sudo -E apt-get install -y docker-ce docker-ce-cli containerd.io -elif [ "$DISTRO" == "raspbian" ]; then +elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then sudo -E apt install -y --no-install-recommends \ docker-ce \ cgroupfs-mount @@ -59,7 +59,7 @@ echo "Installing Docker Compose" # sudo chmod +x /usr/local/bin/docker-compose #elif [ "$DISTRO" == "raspbian" ]; then # Install required packages -sudo -E apt install -y python-backports.ssl-match-hostname +#sudo -E apt install -y python-backports.ssl-match-hostname # Install Docker Compose from pip # This might take a while diff --git a/scripts/subinstallers/wireguard.sh b/scripts/subinstallers/wireguard.sh index a544591..1b7b339 100755 --- a/scripts/subinstallers/wireguard.sh +++ b/scripts/subinstallers/wireguard.sh 
@@ -9,18 +9,19 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then echo "Adding Wireguard PPAs" # Wireguard - if [ "$DISTRO" == "raspbian" ]; then + if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then echo "Adding Wireguard repo keys" sudo -E apt-get install -y dirmngr sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553 sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010 sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC + sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138 fi if [ "$DISTRO" == "ubuntu" ]; then # Ubuntu sudo add-apt-repository -y ppa:wireguard/wireguard - elif [ "$DISTRO" == "debian" ] || [ "$DISTRO" == "raspbian" ]; then + elif [ "$DISTRO" == "debian" ] || [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then # Debian sudo bash -c 'echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list' sudo bash -c "printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable" diff --git a/scripts/update.sh b/scripts/update.sh index 40e1c74..ce5a4e2 100755 --- a/scripts/update.sh +++ b/scripts/update.sh @@ -17,7 +17,7 @@ sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/" # handle updates to traefik -sudo cp /opt/mistborn/compose/production/traefik/traefik.toml.template /opt/mistborn/compose/production/traefik/traefik.toml +#sudo cp /opt/mistborn/compose/production/traefik/traefik.toml.template /opt/mistborn/compose/production/traefik/traefik.toml sudo systemctl daemon-reload sudo systemctl enable Mistborn-setup.service
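Review bot: The added `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138` line, like the three above it, fetches by a 64-bit key ID rather than a full fingerprint and installs the result into the global apt keyring, where it becomes a valid signer for every configured repository, including the Debian unstable source the same block adds. Which signing key this ID belongs to is not documented in the script; a comment naming the key owner, and fetching by the full fingerprint, would let a reader verify it. Longer term, `apt-key` is deprecated in favour of a keyring file referenced with `[signed-by=...]` on the individual source line, which scopes the trust to that repository. The enclosing `if ! $(sudo apt-cache show wireguard ...)` block continues outside the hunk.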