Merge branch 'master' into 53-wifi

.gitlab-ci.yml

@@ -19,6 +19,5 @@ docker_build:
   script:
     - apk add docker-compose
     - scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD"
-    - cp compose/production/traefik/traefik.toml.template compose/production/traefik/traefik.toml
     - docker-compose -f base.yml build
 

README.md

@@ -48,7 +48,9 @@ Tested Operating Systems (in order of thoroughness):
 - Ubuntu 20.04 LTS
 - Ubuntu 18.04 LTS
 - Debian 10 (Buster)
-- Raspbian Buster
+- Raspberry Pi OS (formerly Raspbian) Buster
+
+**Note:** Install operating system updates and restart. Raspberry Pi OS particularly needs to be restarted after kernel updates (kernel modules for the currently running kernel may be missing).
 
 Tested Browsers:
 - Firefox
@@ -59,8 +61,8 @@ The Mistborn docker images exist for these architectures:
 
 | Mistborn Docker Images (hub.docker.com)        | Architectures       |
 |------------------------------------------------|---------------------|
-| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, armv7 |
+| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, arm/v7 |
-| dnscrypt-proxy                                 | amd64, arm64, armv7 |
+| dnscrypt-proxy                                 | amd64, arm64, arm/v7 |
 
 Recommended System Specifications:
 
@@ -74,7 +76,7 @@ Recommended System Specifications:
 Starting from base installation
 ```
 git clone https://gitlab.com/cyber5k/mistborn.git
-sudo bash ./mistborn/scripts/install.sh
+sudo -E bash ./mistborn/scripts/install.sh
 ```
 
 Get default admin Wireguard profile
@@ -121,7 +123,7 @@ Mistborn is regularly tested on Ubuntu 18.04 LTS (DigitalOcean droplet with 2 GB
 Clone the git repository and run the install script:
 ```
 git clone https://gitlab.com/cyber5k/mistborn.git
-sudo bash ./mistborn/scripts/install.sh
+sudo -E bash ./mistborn/scripts/install.sh
 ```
 
 Running `install.sh` will do the following:
@@ -132,8 +134,8 @@ Running `install.sh` will do the following:
 - install Docker
 - install OpenSSH
 - install Wireguard
-- install Cockpit
+- install Cockpit (optional)
-- create a `cockpit` system user
+- create a `cockpit` system user (if Cockpit is installed)
 - configure unattended-upgrades
 - generate a self-signed TLS certificate/key (WebRTC functionality requires TLS)
 - create and populate traefik.toml
@@ -155,7 +157,7 @@ See the environment variables needed in `./scripts/noninteractive/.install_bareb
 This will perform a noninteractive install with the default environment variables set in `.install_barebones`.
 ```
 git clone https://gitlab.com/cyber5k/mistborn.git
-sudo bash -c "source ./mistborn/scripts/noninteractive/.install_barebones && ./mistborn/scripts/install.sh"
+sudo -E bash -c "source ./mistborn/scripts/noninteractive/.install_barebones && ./mistborn/scripts/install.sh"
 ```
 
 # Post-Installation
@@ -317,7 +319,7 @@ But wait, there's more! You can:
 | Rocket.Chat    | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android)                   | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252)              |
 
 ## TLS Certificate
-Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings.
+Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings. This certificate is checked every day and will be re-generated when expiration is less than 30 days away.
 
 The TLS certificate can be found here:
 ```
@@ -446,7 +448,7 @@ These are some notes regarding the technical design and implementations of Mistb
 ## Additonal Notes
 - Interface names are not hardcoded anywhere in Mistborn. Two commands that are used in different circumstances to determine the default network interface and the interface that would route a public IP address are: `ip -o -4 route show to default` and `ip -o -4 route get 1.1.1.1`.
 - The "Update" button will pull updated Docker images for mistborn, postgresql, redis, pihole, and dnscrypt. Those services will then be restarted.
-- The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 10 years. The nanny at Apple has decided to restrict the kinds of certificates iOS users may choose to manually trust and so you may have issues with TLS on an Apple device for now.
+- The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days.
 - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked.
 - Unattended upgrades are set to automatically install operating system security updates.
 

base.yml

@@ -14,7 +14,14 @@ services:
       - redis
     labels:
       - "traefik.enable=true"
-      - "traefik.port=5000"
+      - "traefik.http.routers.django-http.rule=Host(`home.mistborn`)"
+      - "traefik.http.routers.django-http.entrypoints=web"
+      - "traefik.http.routers.django-http.middlewares=mistborn_headers@file"
+      - "traefik.http.routers.django-https.rule=Host(`home.mistborn`)"
+      - "traefik.http.routers.django-https.entrypoints=websecure"
+      - "traefik.http.routers.django-https.middlewares=mistborn_headers@file"
+      - "traefik.http.routers.django-https.tls.certresolver=basic"
+      - "traefik.http.services.django-service.loadbalancer.server.port=5000"
     env_file:
       - ./.envs/.production/.django
       - ./.envs/.production/.postgres
@@ -38,20 +45,41 @@ services:
     restart: unless-stopped
 
   traefik:
-    build:
+    #build:
-      context: .
+    #  context: .
-      dockerfile: ./compose/production/traefik/Dockerfile
+    #  dockerfile: ./compose/production/traefik/Dockerfile
-    image: mistborn_production_traefik
+    #image: mistborn_production_traefik
+    image: traefik:v2.2
     container_name: mistborn_production_traefik
     depends_on:
       - django
     volumes:
-      - production_traefik:/etc/traefik/acme
+      #- production_traefik:/etc/traefik/acme
+      - ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ../mistborn_volumes/base/tls:/tls
+      - ../mistborn_volumes/base/tls:/tls:ro
-    ports:
+    network_mode: host
-      - "0.0.0.0:80:80/tcp"
+      #ports:
-      - "0.0.0.0:443:443/tcp"
+    #  - "0.0.0.0:80:80/tcp"
+    #  - "0.0.0.0:443:443/tcp"
+    #  #- "0.0.0.0:8080:8080/tcp" # dashboard
+    command:
+      ## API settings
+      #- --api.insecure=true
+      #- --api.dashboard=true
+      #- --api.debug=true
+      ## Logs
+      - --log.level=ERROR
+      ## Providers
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.file.filename=/dynamic.toml
+      #- --providers.docker.network=default
+      ## Entrypoints
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      ## Certificates
+      #- --serversTransport.insecureSkipVerify=true
     restart: unless-stopped
 
   redis:
@@ -136,6 +164,14 @@ services:
      - "${MISTBORN_DNS_BIND_IP}:53:53/udp"
    labels:
       - "traefik.enable=true"
+      - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)"
+      - "traefik.http.routers.pihole-http.entrypoints=web"
+      - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)"
+      - "traefik.http.routers.pihole-https.entrypoints=websecure"
+      - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.pihole-https.tls.certresolver=basic"
+      - "traefik.http.services.pihole-service.loadbalancer.server.port=80"
    environment:
      - ServerIP=10.2.0.3
      - DNS1='10.2.0.2#5054' # docs say port 5054, was 54; use network_mode: host to see which port is used

compose/production/traefik/Dockerfile

@@ -1,5 +1,5 @@
-FROM traefik:alpine
+FROM traefik:v2.2
 RUN mkdir -p /etc/traefik/acme
 RUN touch /etc/traefik/acme/acme.json
 RUN chmod 600 /etc/traefik/acme/acme.json
-COPY ./compose/production/traefik/traefik.toml /etc/traefik
+#COPY ./compose/production/traefik/dynamic.toml /etc/traefik

compose/production/traefik/dynamic.toml

@@ -0,0 +1,31 @@
+[tls.stores]
+  [tls.stores.default]
+    [tls.stores.default.defaultCertificate]
+      certFile = "/tls/cert.crt"
+      keyFile = "/tls/cert.key"
+
+[tls.options]
+  [tls.options.default]
+    minVersion = "VersionTLS12"
+
+[http.services]
+  [http.services.cockpit.loadBalancer]
+    [[http.services.cockpit.loadBalancer.servers]]
+      url = "http://10.2.3.1:9090"
+
+[http.routers]
+  [http.routers.cockpit]
+    rule = "Host(`cockpit.mistborn`)"
+    service = "cockpit"
+    entrypoints = ["web", "websecure"]
+    #middlewares =
+
+[http.middlewares]
+  [http.middlewares.mistborn_auth.forwardAuth]
+    address = "https://home.mistborn/auth/"
+    trustForwardHeader = true
+    [http.middlewares.mistborn_auth.forwardAuth.tls]
+      insecureSkipVerify = true
+  
+  [http.middlewares.mistborn_headers.headers]
+    hostsProxyHeaders = ['X-CSRFToken']

compose/production/traefik/traefik.toml.template

@@ -1,257 +0,0 @@
-#debug = true
-
-logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
-InsecureSkipVerify = true 
-
-defaultEntryPoints = ["http", "https"]
-#defaultEntryPoints = ["http"]
-
-# Entrypoints, http and https
-[entryPoints]
-  # http should be redirected to https
-  [entryPoints.http]
-  address = ":80"
-    #[entryPoints.http.redirect]
-    #entryPoint = "https"
-  # https is the default
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-    [entryPoints.https.tls.defaultCertificate]
-      certFile = "/tls/cert.crt"
-      keyFile = "/tls/cert.key"
-
-## Enable ACME (Let's Encrypt): automatic SSL
-#[acme]
-## Email address used for registration
-#email = "steven@cyber5k.com"
-#storage = "/etc/traefik/acme/acme.json"
-#entryPoint = "https"
-#onDemand = false
-#OnHostRule = true
-#  # Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
-#  [acme.httpChallenge]
-#  entryPoint = "http"
-
-[file]
-[backends]
-  [backends.django]
-    [backends.django.servers.server1]
-      url = "http://django:5000"
-  
-  [backends.pihole]
-    [backends.pihole.servers.server1]
-      url = "http://pihole:80"
-
-  [backends.homeassistant]
-    [backends.homeassistant.servers.server1]
-      url = "http://homeassistant:8123"
-
-  [backends.syncthing]
-    [backends.syncthing.servers.server1]
-      url = "http://syncthing:8384"
-
-  [backends.rocketchat]
-    [backends.rocketchat.servers.server1]
-      url = "http://rocketchat:3000"
-  
-  [backends.nextcloud]
-    [backends.nextcloud.servers.server1]
-      url = "http://nextcloud:80"
-  
-  [backends.onlyoffice]
-    [backends.onlyoffice.servers.server1]
-      url = "http://onlyoffice:80"
-  
-  [backends.bitwarden]
-    [backends.bitwarden.servers.server1]
-      url = "http://bitwarden:80"
-  
-  [backends.jellyfin]
-    [backends.jellyfin.servers.server1]
-      url = "http://jellyfin:8096"
-  
-  [backends.jitsi]
-    [backends.jitsi.servers.server1]
-      url = "http://jitsi-web:80"
-  
-  [backends.raspap]
-    [backends.raspap.servers.server1]
-      url = "http://raspap:80"
-  
-  [backends.cockpit]
-    [backends.cockpit.servers.server1]
-      url = "http://10.2.3.1:9090"
-  
-[frontends]
-  [frontends.django]
-    backend = "django"
-    passHostHeader = true
-    [frontends.django.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.django.routes.dr1]
-      #rule = "Host:mistborn.cyber5k.com"
-      rule = "Host:home.mistborn"
-  
-  [frontends.pihole]
-    backend = "pihole"
-    passHostHeader = true
-    [frontends.pihole.auth]
-      [frontends.pihole.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.pihole.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.pihole.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.pihole.routes.dr1]
-      rule = "Host:pihole.mistborn"
-  
-  [frontends.homeassistant]
-    backend = "homeassistant"
-    passHostHeader = true
-    [frontends.homeassistant.auth]
-      [frontends.homeassistant.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.homeassistant.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.homeassistant.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.homeassistant.routes.dr1]
-      rule = "Host:homeassistant.mistborn"
-
-  [frontends.syncthing]
-    backend = "syncthing"
-    passHostHeader = true
-    [frontends.syncthing.auth]
-      [frontends.syncthing.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.syncthing.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.syncthing.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.syncthing.routes.dr1]
-      rule = "Host:syncthing.mistborn"
-
-  [frontends.rocketchat]
-    backend = "rocketchat"
-    passHostHeader = true
-    [frontends.rocketchat.auth]
-      [frontends.rocketchat.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.rocketchat.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.rocketchat.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.rocketchat.routes.dr1]
-      rule = "Host:chat.mistborn"
-  
-  [frontends.nextcloud]
-    backend = "nextcloud"
-    passHostHeader = true
-    [frontends.nextcloud.auth]
-      [frontends.nextcloud.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.nextcloud.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.nextcloud.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.nextcloud.routes.dr1]
-      rule = "Host:nextcloud.mistborn"
-  
-  [frontends.onlyoffice]
-    backend = "onlyoffice"
-    passHostHeader = true
-    [frontends.onlyoffice.auth]
-      [frontends.onlyoffice.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.onlyoffice.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.onlyoffice.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.onlyoffice.routes.dr1]
-      rule = "Host:onlyoffice.mistborn"
-  
-  [frontends.bitwarden]
-    backend = "bitwarden"
-    passHostHeader = true
-    [frontends.bitwarden.auth]
-      [frontends.bitwarden.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.bitwarden.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.bitwarden.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.bitwarden.routes.dr1]
-      rule = "Host:bitwarden.mistborn"
-  
-  [frontends.jellyfin]
-    backend = "jellyfin"
-    passHostHeader = true
-    [frontends.jellyfin.auth]
-      [frontends.jellyfin.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.jellyfin.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.jellyfin.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.jellyfin.routes.dr1]
-      rule = "Host:jellyfin.mistborn"
-  
-  [frontends.jitsi]
-    backend = "jitsi"
-    passHostHeader = true
-    [frontends.jitsi.auth]
-      [frontends.jitsi.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.jitsi.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.jitsi.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.jitsi.routes.dr1]
-      rule = "Host:jitsi.mistborn"
-
-  [frontends.raspap]
-    backend = "raspap"
-    passHostHeader = true
-    [frontends.raspap.auth]
-      [frontends.raspap.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.raspap.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.raspap.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.raspap.routes.dr1]
-      rule = "Host:raspap.mistborn"
-  
-  [frontends.cockpit]
-    backend = "cockpit"
-    passHostHeader = true
-    [frontends.cockpit.auth]
-      [frontends.cockpit.auth.forward]
-        address = "https://home.mistborn/auth/"
-        trustForwardHeader = false
-        [frontends.cockpit.auth.forward.tls]
-          insecureSkipVerify = true
-    [frontends.cockpit.headers]
-      HostsProxyHeaders = ['X-CSRFToken']
-    [frontends.cockpit.routes.dr1]
-      rule = "Host:cockpit.mistborn"
-  
-## Connection to docker host system (docker.sock)
-#[docker]
-#endpoint = "unix:///var/run/docker.sock"
-#domain = "localhost"
-#watch = true
-## This will hide all docker containers that don't have explicitly  
-## set label to "enable"
-#exposedbydefault = false

extra/bitwarden.yml

@@ -10,7 +10,14 @@ services:
       - ../../mistborn_volumes/extra/bitwarden:/data
     labels:
       - "traefik.enable=true"
-      - "traefik.port=80"
+      - "traefik.http.routers.bitwarden-http.rule=Host(`bitwarden.mistborn`)"
+      - "traefik.http.routers.bitwarden-http.entrypoints=web"
+      - "traefik.http.routers.bitwarden-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.bitwarden-https.rule=Host(`bitwarden.mistborn`)"
+      - "traefik.http.routers.bitwarden-https.entrypoints=websecure"
+      - "traefik.http.routers.bitwarden-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.bitwarden-https.tls.certresolver=basic"
+      - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
     ports:
       - 3012:3012/tcp
     restart: unless-stopped

extra/homeassistant.yml

@@ -10,7 +10,14 @@ services:
       - TZ=America/New_York
     labels:
       - "traefik.enable=true"
-      - "traefik.port=8123"
+      - "traefik.http.routers.homeassistant-http.rule=Host(`homeassistant.mistborn`)"
+      - "traefik.http.routers.homeassistant-http.entrypoints=web"
+      - "traefik.http.routers.homeassistant-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.homeassistant-https.rule=Host(`homeassistant.mistborn`)"
+      - "traefik.http.routers.homeassistant-https.entrypoints=websecure"
+      - "traefik.http.routers.homeassistant-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.homeassistant-https.tls.certresolver=basic"
+      - "traefik.http.services.homeassistant-service.loadbalancer.server.port=8123"
     restart: unless-stopped 
 
 networks:

extra/jellyfin.yml

@@ -14,7 +14,14 @@ services:
       - ../../mistborn_volumes/extra/nextcloud:/media:ro
     labels:
       - "traefik.enable=true"
-      - "traefik.port=8096"
+      - "traefik.http.routers.jellyfin-http.rule=Host(`jellyfin.mistborn`)"
+      - "traefik.http.routers.jellyfin-http.entrypoints=web"
+      - "traefik.http.routers.jellyfin-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.jellyfin-https.rule=Host(`jellyfin.mistborn`)"
+      - "traefik.http.routers.jellyfin-https.entrypoints=websecure"
+      - "traefik.http.routers.jellyfin-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.jellyfin-https.tls.certresolver=basic"
+      - "traefik.http.services.jellyfin-service.loadbalancer.server.port=8096"
     restart: unless-stopped
 
 networks:

extra/jitsi-meet.yml

@@ -9,7 +9,14 @@ services:
             #- '${HTTPS_PORT}:443'
         labels:
             - "traefik.enable=true"
-            - "traefik.port=${HTTP_PORT}"
+            - "traefik.http.routers.jitsi-http.rule=Host(`jitsi.mistborn`)"
+            - "traefik.http.routers.jitsi-http.entrypoints=web"
+            - "traefik.http.routers.jitsi-http.middlewares=mistborn_auth@file"
+            - "traefik.http.routers.jitsi-https.rule=Host(`jitsi.mistborn`)"
+            - "traefik.http.routers.jitsi-https.entrypoints=websecure"
+            - "traefik.http.routers.jitsi-https.middlewares=mistborn_auth@file"
+            - "traefik.http.routers.jitsi-https.tls.certresolver=basic"
+            - "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}"
         volumes:
             - ${CONFIG}/web:/config
             - ${CONFIG}/web/letsencrypt:/etc/letsencrypt

extra/nextcloud.yml

@@ -9,7 +9,14 @@ services:
       - ../.envs/.production/.nextcloud
     labels:
       - "traefik.enable=true"
-      - "traefik.port=80"
+      - "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.mistborn`)"
+      - "traefik.http.routers.nextcloud-http.entrypoints=web"
+      - "traefik.http.routers.nextcloud-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.mistborn`)"
+      - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
+      - "traefik.http.routers.nextcloud-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.nextcloud-https.tls.certresolver=basic"
+      - "traefik.http.services.nextcloud-service.loadbalancer.server.port=80"
     volumes:
       - ../../mistborn_volumes/extra/nextcloud:/var/www/html
     environment:

extra/onlyoffice.yml

@@ -11,7 +11,14 @@ services:
       - ../.envs/.production/.onlyoffice
     labels:
       - "traefik.enable=true"
-      - "traefik.port=80"
+      - "traefik.http.routers.onlyoffice-http.rule=Host(`onlyoffice.mistborn`)"
+      - "traefik.http.routers.onlyoffice-http.entrypoints=web"
+      - "traefik.http.routers.onlyoffice-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.onlyoffice-https.rule=Host(`onlyoffice.mistborn`)"
+      - "traefik.http.routers.onlyoffice-https.entrypoints=websecure"
+      - "traefik.http.routers.onlyoffice-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.onlyoffice-https.tls.certresolver=basic"
+      - "traefik.http.services.onlyoffice-service.loadbalancer.server.port=80"
     restart: unless-stopped 
 
 networks:

extra/raspap.yml

@@ -10,7 +10,14 @@ services:
     container_name: mistborn_production_raspap
     labels:
       - "traefik.enable=true"
-      - "traefik.port=80"
+      - "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)"
+      - "traefik.http.routers.raspap-http.entrypoints=web"
+      - "traefik.http.routers.raspap-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.raspap-https.rule=Host(`raspap.mistborn`)"
+      - "traefik.http.routers.raspap-https.entrypoints=websecure"
+      - "traefik.http.routers.raspap-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.raspap-https.tls.certresolver=basic"
+      - "traefik.http.services.raspap-service.loadbalancer.server.port=80"
     env_file:
       - ../.envs/.production/.pihole
     command: /start

extra/rocketchat.yml

@@ -17,7 +17,14 @@ services:
       - Accounts_UseDNSDomainCheck=False
     labels:
       - "traefik.enable=true"
-      - "traefik.port=3000"
+      - "traefik.http.routers.chat-http.rule=Host(`chat.mistborn`)"
+      - "traefik.http.routers.chat-http.entrypoints=web"
+      - "traefik.http.routers.chat-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.chat-https.rule=Host(`chat.mistborn`)"
+      - "traefik.http.routers.chat-https.entrypoints=websecure"
+      - "traefik.http.routers.chat-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.chat-https.tls.certresolver=basic"
+      - "traefik.http.services.chat-service.loadbalancer.server.port=3000"
     depends_on:
       - mongo
     #ports:

extra/syncthing.yml

@@ -19,7 +19,14 @@ services:
       - 21027:21027/udp # protocol discovery
     labels:
       - "traefik.enable=true"
-      - "traefik.port=8384"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.mistborn`)"
+      - "traefik.http.routers.syncthing-http.entrypoints=web"
+      - "traefik.http.routers.syncthing-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.mistborn`)"
+      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
+      - "traefik.http.routers.syncthing-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.syncthing-https.tls.certresolver=basic"
+      - "traefik.http.services.syncthing-service.loadbalancer.server.port=8384"
     restart: unless-stopped
 
 networks:

scripts/install.sh

@@ -69,9 +69,9 @@ fi
 
 # Install Cockpit?
 if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then
-    read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface)? [Y/n]: " MISTBORN_INSTALL_COCKPIT
+    read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface -- NOT RECOMMENDED on Raspberry Pi)? [y/N]: " MISTBORN_INSTALL_COCKPIT
     echo
-    MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-Y}
+    MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-N}
 fi
 
 # SSH keys
@@ -132,8 +132,11 @@ sudo -E apt-get install -y dnsutils fail2ban
 # Install kernel headers
 if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then
     sudo -E apt install -y linux-headers-$(uname -r)
-elif [ "$DISTRO" == "raspbian" ]; then
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
     sudo -E apt install -y raspberrypi-kernel-headers
+else
+    echo "Unsupported OS: $DISTRO"
+    exit 1
 fi
 
 # Wireugard
@@ -205,7 +208,7 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd
 sudo mkdir -p ../mistborn_volumes/extra
 
 # Traefik final setup (cockpit)
-cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
+#cp ./compose/production/traefik/traefikv2.toml.template ./compose/production/traefik/traefik.toml
 
 # setup tls certs 
 source ./scripts/subinstallers/openssl.sh

scripts/subinstallers/cockpit.sh

@@ -10,11 +10,8 @@ elif [ "$DISTRO" == "debian" ]; then
     && echo "buster-backports already in sources" \
     || echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee -a /etc/apt/sources.list.d/backports.list
     
-
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
-elif [ "$DISTRO" == "raspbian" ]; then
-    
     echo "Raspbian repos contain cockpit"
-
 fi
     
 sudo -E apt-get install -y cockpit

scripts/subinstallers/docker.sh

@@ -16,5 +16,5 @@ fi
 
 # set docker-compose path used in Mistborn
 if [ ! -f /usr/local/bin/docker-compose ]; then
-    sudo ln -s $(which docker-compose) /usr/local/bin/docker-compose
+    sudo -E ln -s $(which docker-compose) /usr/local/bin/docker-compose
 fi

scripts/subinstallers/docker_manual.sh

@@ -15,7 +15,7 @@ if [ "$DISTRO" == "ubuntu" ]; then
     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
 elif [ "$DISTRO" == "debian" ]; then
     curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
-elif [ "$DISTRO" == "raspbian" ]; then
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
     curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | sudo apt-key add -
 fi
 
@@ -31,7 +31,7 @@ elif [ "$DISTRO" == "debian" ]; then
    "deb https://download.docker.com/linux/debian \
    $(lsb_release -cs) \
    stable"
-elif [ "$DISTRO" == "raspbian" ]; then
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
     echo "deb [arch=armhf] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
      $(lsb_release -cs) stable" | \
     sudo tee /etc/apt/sources.list.d/docker.list
@@ -43,7 +43,7 @@ sudo apt-get update
 
 if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then
     sudo -E apt-get install -y docker-ce docker-ce-cli containerd.io
-elif [ "$DISTRO" == "raspbian" ]; then
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
     sudo -E apt install -y --no-install-recommends \
     docker-ce \
     cgroupfs-mount
@@ -59,7 +59,7 @@ echo "Installing Docker Compose"
 #    sudo chmod +x /usr/local/bin/docker-compose
 #elif [ "$DISTRO" == "raspbian" ]; then
 # Install required packages
-sudo -E apt install -y python-backports.ssl-match-hostname
+#sudo -E apt install -y python-backports.ssl-match-hostname
 
 # Install Docker Compose from pip
 # This might take a while

scripts/subinstallers/wireguard.sh

@@ -9,18 +9,19 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
     echo "Adding Wireguard PPAs"
 
     # Wireguard
-    if [ "$DISTRO" == "raspbian" ]; then
+    if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
         echo "Adding Wireguard repo keys"
         sudo -E apt-get install -y dirmngr
         sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
         sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
         sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
+        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138 
     fi
 
     if [ "$DISTRO" == "ubuntu" ]; then
         # Ubuntu	
         sudo add-apt-repository -y ppa:wireguard/wireguard
-    elif [ "$DISTRO" == "debian" ] || [ "$DISTRO" == "raspbian" ]; then
+    elif [ "$DISTRO" == "debian" ] || [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
         # Debian
         sudo bash -c 'echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list'
         sudo bash -c "printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable"

scripts/update.sh

@@ -17,7 +17,7 @@ sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/
 sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
 
 # handle updates to traefik
-sudo cp /opt/mistborn/compose/production/traefik/traefik.toml.template /opt/mistborn/compose/production/traefik/traefik.toml
+#sudo cp /opt/mistborn/compose/production/traefik/traefik.toml.template /opt/mistborn/compose/production/traefik/traefik.toml
 
 sudo systemctl daemon-reload
 sudo systemctl enable Mistborn-setup.service