diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c38e178..00fe442 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -17,7 +17,8 @@ include: docker_build: stage: test script: + - apk add bash - apk add docker-compose - - scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD" + - bash scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD" - docker-compose -f base.yml build diff --git a/README.md b/README.md index fb9cdbd..252331c 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,10 @@ A secure platform for easily standing up and managing your own cloud services: i ![Mistborn Wireguard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*Wireguard Management in Mistborn* +As featured in [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) (Linux Pro Magazine in North America) in November 2020 + +![Mistborn Featured in Linux Magazine](https://gitlab.com/cyber5k/public/-/raw/master/graphics/linux-magazine-cover-nov-2020.jpg "Mistborn featured in Linux Magazine November 2020") + # Table of Contents [[_TOC_]] @@ -22,6 +26,8 @@ Ideal for teams who: - want to limit or stop data collecting services - want to prevent being detected/blocked for using a proxy or VPN service +See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see the network scan results for Mistborn. + Mistborn depends on these core open source technologies: - [Docker](https://www.docker.com/why-docker): containerization - [Wireguard](https://www.wireguard.com): secure VPN access @@ -44,6 +50,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b - [Jellyfin](https://jellyfin.org): The Free Media Software System. - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy. - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing +- [Guacamole](https://guacamole.apache.org): A clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH. # Quickstart Tested Operating Systems (in order of thoroughness): @@ -63,7 +70,7 @@ The Mistborn docker images exist for these architectures: | Mistborn Docker Images (hub.docker.com) | Architectures | |------------------------------------------------|---------------------| -| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, arm/v7 | +| mistborn (django, celery{worker,beat}) | amd64, arm64, arm/v7 | | dnscrypt-proxy | amd64, arm64, arm/v7 | Recommended System Specifications: @@ -99,6 +106,8 @@ Mistborn protects your data in a variety of ways: - The Mistborn firewall blocks unsolicited incoming internet packets - Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) +See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see more network diagrams and the network scan results for Mistborn. + # Coppercloud Pihole provides a way to block outgoing DNS requests for given lists of blocked domains. Coppercloud provides a way to block outgoing network calls of all types to given lists of IP addresses (IPv4 only for now). This is especially useful for blocking outgoing telemetry (data and state sharing) to owners of software running on all of your devices. @@ -119,6 +128,15 @@ In Mistborn, Gateways are upstream from the VPN server so connections to third-p The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads. +# Remote Desktop +Remote desktops enable multiple users to share desktop resources and data. Remote desktops also enable groups to prevent sensitive data from ever entering an endpoint devices such as a smartphone. For reference, some United States Government regulations require controls to protect Controlled Unclassified Information (CUI) that are not feasible to implement on all endpoint devices and remote desktops prevent the data from entering the device (see NIST SP 800-171 3.1.19, CMMC AC.3.022). + +Mistborn enables remote desktop access via the Apache Guacamole extra service, which supports VNC, RDP, SSH, and other protocols. + +![Guacamole Recent Connections](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_connections.png) + +Guacamole implements its own users and groups access controls to manage access to individual desktops. All Mistborn users must be authenticated with Mistborn (via Wireguard only or MFA) to access the Guacamole interface. + # Client to client communication By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle. @@ -245,8 +263,10 @@ Internet access is blocked via iptables until authentication is completed for an ![Mistborn Multi Factor Authentication - Token Prompt](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_token_enter.png)*Mistborn Multi Factor Authentication - Token Prompt* -### MFA Mistborn Service Access -Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will redirect you to [http://home.mistborn](http://home.mistborn) where you must complete the authentication process. Click "Sign Out" to re-block access until authentication completes again. +### MFA Mistborn Service Access - Fixed on 4 December 2020 +Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will produce a "Mistborn: Not authorized" HTTP 403. Click "Sign Out" to re-block access until authentication completes again. + +![Mistborn Multi Factor Authentication - Not Authorized](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_not_authorized.png)*Mistborn Multi Factor Authentication - Not Authorized (Login Incomplete)* ### Notes - **Sessions**: Traefik checks the authenticated sessions on the server side to determine whether to allow access to the Mistborn service web pages. If an open session exists for your Mistborn IP address then access will be granted. You may close all sessions by clicking "Sign Out" on the Mistborn home page. Expired sessions are regularly cleaned by the Mistborn system (celery periodic task). @@ -267,6 +287,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client | Syncthing | syncthing.mistborn | Off | | OnlyOffice | onlyoffice.mistborn | Off | | Jitsi | jitsi.mistborn | Off | +| Guacamole | guac.mistborn | Off | # Default Credentials These are the default credentials to use in the services you choose to use: @@ -276,6 +297,7 @@ These are the default credentials to use in the services you choose to use: | Pihole | | {{default mistborn password}} | | Cockpit | cockpit | {{default mistborn password}} | | Nextcloud | mistborn | {{default mistborn password}} | +| Guacamole | mistborn | {{default mistborn password }} | You can find the credentials sent to the Docker containers in: `/opt/mistborn/.envs/.production/` @@ -322,7 +344,7 @@ But wait, there's more! You can: | Jitsi Meet | [Jitsi Meet](https://play.google.com/store/apps/details?id=org.jitsi.meet) | [Jitsi Meet](https://apps.apple.com/us/app/jitsi-meet/id1165103905) | | Bitwarden | [Bitwarden](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) | [Bitwarden](https://apps.apple.com/us/app/bitwarden-password-manager/id1137397744) | | Jellyfin | [Jellyfin](https://play.google.com/store/apps/details?id=org.jellyfin.mobile) | [Jellyfin](https://apps.apple.com/us/app/jellyfin-mobile/id1480192618) | -| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) | | +| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) | [Home Assistant](https://apps.apple.com/us/app/home-assistant/id1099568401) | | Rocket.Chat | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android) | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252) | ## TLS Certificate @@ -435,6 +457,7 @@ sudo journalctl -xfu Mistborn-syncthing sudo journalctl -xfu Mistborn-jellyfin sudo journalctl -xfu Mistborn-nextcloud sudo journalctl -xfu Mistborn-jitsi +sudo journalctl -xfu Mistborn-guacamole sudo journalctl -xfu Mistborn-rocketchat sudo journalctl -xfu Mistborn-onlyoffice sudo journalctl -xfu Mistborn-tor @@ -474,6 +497,9 @@ Run updates and restart before installing Mistborn (`sudo apt-get update && sudo These are some notes regarding the technical design and implementations of Mistborn. Feel free to contact me for additional details. ## Attack Surface + +See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki entry. + - **Wireguard**: Wireguard is the only way in to Mistborn. When new Wireguard profiles are generated they are attached to a random UDP port. Wireguard does not respond to unauthenticated traffic. External probes on the active Wireguard listening ports are not logged and do not appear on the Metrics page. - **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the Wireguard tunnels) is allowed. Password authentication is allowed. The SSH key for the `mistborn` user is only accepted from internal source IP addresses. Fail2ban is also installed. - **Traefik**: Iptables closes web ports (TCP 80 and 443) from external access and additonally all web interfaces are behind the Traefik reverse-proxy. All web requests (e.g. home.mistborn) must be resolved by Mistborn DNS (Pihole/dnsmasq) and originate from a Wireguard tunnel. @@ -492,19 +518,23 @@ These are some notes regarding the technical design and implementations of Mistb - The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days. - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked. - Unattended upgrades are set to automatically install operating system security updates. +- Ownership of mistborn files is set to the system mistborn user and access to environment variables is disabled for users other than the owner. -# Roadmap +# Roadmap (not necessarily in order) Many features and refinements are in the works at various stages including: -- Option to upload metrics information to Cyber5K to refine each Mistborn instance's firewall -- Option to email default admin Wireguard config file -- Adding more extra services (e.g. Gitlab, Game Servers, etc.) -- Cyber5K marketplace to share Gateway access (to fixed IP addresses or domains, and for a fixed amount of time) -- Mistborn managing wireless interfaces for local access points (stripped down RaspAP) -- Optional periodic backup of local Mistborn config files and credentials to Cyber5K +- Plugins for Extra Services (enabling third-party development) +- Plugin repository +- IPv6 support +- Integration with RaspAP to enable managing an Access Point for local network connections - Internal network scan tool and feedback - Anomaly detection in network traffic +# Featured In + +- [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) November 2020 (featuring Mistborn version from early May 2020) +- [Awesome Open Source](https://www.youtube.com/watch?v=hekP0_crotw) July 2020 (featuring Mistborn version from early July 2020) + # Follow You can find recent bugfixes, functional additions, some extra documentation and more at the Cyber5K Patreon page: [https://www.patreon.com/cyber5k](https://www.patreon.com/cyber5k) diff --git a/base.yml b/base.yml index 04be844..2b19d53 100644 --- a/base.yml +++ b/base.yml @@ -145,22 +145,22 @@ services: restart: unless-stopped - flower: - image: "cyber5k/mistborn:${MISTBORN_TAG}" - container_name: mistborn_production_flower - env_file: - - ./.envs/.production/.django - - ./.envs/.production/.postgres - ports: - - "5555:5555/tcp" - command: /start-flower - restart: unless-stopped + #flower: + # image: "cyber5k/mistborn:${MISTBORN_TAG}" + # container_name: mistborn_production_flower + # env_file: + # - ./.envs/.production/.django + # - ./.envs/.production/.postgres + # ports: + # - "5555:5555/tcp" + # command: /start-flower + # restart: unless-stopped pihole: container_name: mistborn_production_pihole image: pihole/pihole:latest env_file: - - /opt/mistborn_volumes/base/base.txt + - ./.envs/.production/.pihole ports: - "${MISTBORN_DNS_BIND_IP}:53:53/tcp" - "${MISTBORN_DNS_BIND_IP}:53:53/udp" @@ -168,11 +168,12 @@ services: - "traefik.enable=true" - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)" - "traefik.http.routers.pihole-http.entrypoints=web" - - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file,add-pihole-admin" - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)" - "traefik.http.routers.pihole-https.entrypoints=websecure" - - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file,add-pihole-admin" - "traefik.http.routers.pihole-https.tls.certresolver=basic" + - "traefik.http.middlewares.add-pihole-admin.addPrefix.prefix=/admin" - "traefik.http.services.pihole-service.loadbalancer.server.port=80" environment: - ServerIP=10.2.0.3 @@ -182,8 +183,6 @@ services: - DNSMASQ_LISTENING=all # TZ: 'America/New York' # Volumes store your data between container upgrades - env_file: - - ./.envs/.production/.pihole volumes: - ../mistborn_volumes/base/pihole/etc-pihole:/etc/pihole/ - ../mistborn_volumes/base/pihole/etc-dnsmasqd:/etc/dnsmasq.d/ diff --git a/compose/production/tor/Dockerfile b/compose/production/tor/Dockerfile index af4d0a4..11f8bb8 100644 --- a/compose/production/tor/Dockerfile +++ b/compose/production/tor/Dockerfile @@ -7,7 +7,7 @@ RUN apk update \ EXPOSE 9150 -ADD ./compose/production/tor/torrc /etc/tor/torrc +ADD ./torrc /etc/tor/torrc USER tor CMD /usr/bin/tor -f /etc/tor/torrc diff --git a/compose/production/traefik/dynamic.toml b/compose/production/traefik/dynamic.toml index 3d3adbe..a9f26dd 100644 --- a/compose/production/traefik/dynamic.toml +++ b/compose/production/traefik/dynamic.toml @@ -18,7 +18,7 @@ rule = "Host(`cockpit.mistborn`)" service = "cockpit" entrypoints = ["web", "websecure"] - #middlewares = + middlewares = ["mistborn_auth"] [http.middlewares] [http.middlewares.mistborn_auth.forwardAuth] diff --git a/extra/guacamole.yml b/extra/guacamole.yml new file mode 100644 index 0000000..59a83ac --- /dev/null +++ b/extra/guacamole.yml @@ -0,0 +1,72 @@ +version: '3' + +# services +services: + # guacd + guacd: + container_name: mistborn_production_guacd + image: guacamole/guacd + networks: + guacnetwork: + restart: unless-stopped + volumes: + - ../../mistborn_volumes/extra/guacamole/drive:/drive:rw + - ../../mistborn_volumes/extra/guacamole/record:/record:rw + + + # postgres + guac_postgres: + container_name: mistborn_production_guac_postgres + env_file: + - ../.envs/.production/.guacamole + environment: + PGDATA: /var/lib/postgresql/data/guacamole + image: postgres + networks: + guacnetwork: + restart: unless-stopped + volumes: + - ../../mistborn_volumes/extra/guacamole/init:/docker-entrypoint-initdb.d:ro + - ../../mistborn_volumes/extra/guacamole/data:/var/lib/postgresql/data:rw + + + # guacamole + guacamole: + container_name: mistborn_production_guacamole + labels: + - "traefik.enable=true" + - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)" + - "traefik.http.routers.guacamole-http.entrypoints=web" + - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole" + - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)" + - "traefik.http.routers.guacamole-https.entrypoints=websecure" + - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole" + - "traefik.http.routers.guacamole-https.tls.certresolver=basic" + - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole" + - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080" + depends_on: + - guacd + - guac_postgres + environment: + GUACD_HOSTNAME: guacd + GUACD_PORT: 4822 + #GUACAMOLE_HOME: /config + env_file: + - ../.envs/.production/.guacamole + image: guacamole/guacamole + links: + - guacd + networks: + guacnetwork: + #ports: +## enable next line if not using nginx +## - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /. +## enable next line when using nginx + #- 8080/tcp + restart: unless-stopped + +# networks +# create a network 'guacnetwork' in mode 'bridged' +networks: + guacnetwork: + driver: bridge diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml index 7f4b0ed..421f2a3 100644 --- a/extra/jitsi-meet.yml +++ b/extra/jitsi-meet.yml @@ -3,7 +3,8 @@ version: '3' services: # Frontend jitsi-web: - image: jitsi/web + image: jitsi/web:latest + restart: unless-stopped #ports: #- '${HTTP_PORT}:80' #- '${HTTPS_PORT}:443' @@ -18,59 +19,115 @@ services: - "traefik.http.routers.jitsi-https.tls.certresolver=basic" - "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}" volumes: - - ${CONFIG}/web:/config - - ${CONFIG}/web/letsencrypt:/etc/letsencrypt - - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts + - ${CONFIG}/web:/config:Z + - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z env_file: - ../.envs/.production/.jitsi environment: - - ENABLE_AUTH - - ENABLE_GUESTS - ENABLE_LETSENCRYPT - ENABLE_HTTP_REDIRECT - - ENABLE_TRANSCRIPTIONS + - ENABLE_XMPP_WEBSOCKET - DISABLE_HTTPS - - JICOFO_AUTH_USER - LETSENCRYPT_DOMAIN - LETSENCRYPT_EMAIL + - LETSENCRYPT_USE_STAGING - PUBLIC_URL - - XMPP_DOMAIN + - TZ + - AMPLITUDE_ID + - ANALYTICS_SCRIPT_URLS + - ANALYTICS_WHITELISTED_EVENTS + - BRIDGE_CHANNEL + - BRANDING_DATA_URL + - CALLSTATS_CUSTOM_SCRIPT_URL + - CALLSTATS_ID + - CALLSTATS_SECRET + - CHROME_EXTENSION_BANNER_JSON + - CONFCODE_URL + - CONFIG_EXTERNAL_CONNECT + - DEPLOYMENTINFO_ENVIRONMENT + - DEPLOYMENTINFO_ENVIRONMENT_TYPE + - DEPLOYMENTINFO_USERREGION + - DIALIN_NUMBERS_URL + - DIALOUT_AUTH_URL + - DIALOUT_CODES_URL + - DROPBOX_APPKEY + - DROPBOX_REDIRECT_URI + - ENABLE_AUDIO_PROCESSING + - ENABLE_AUTH + - ENABLE_CALENDAR + - ENABLE_FILE_RECORDING_SERVICE + - ENABLE_FILE_RECORDING_SERVICE_SHARING + - ENABLE_GUESTS + - ENABLE_IPV6 + - ENABLE_LIPSYNC + - ENABLE_NO_AUDIO_DETECTION + - ENABLE_P2P + - ENABLE_PREJOIN_PAGE + - ENABLE_RECORDING + - ENABLE_REMB + - ENABLE_REQUIRE_DISPLAY_NAME + - ENABLE_SIMULCAST + - ENABLE_STATS_ID + - ENABLE_STEREO + - ENABLE_SUBDOMAINS + - ENABLE_TALK_WHILE_MUTED + - ENABLE_TCC + - ENABLE_TRANSCRIPTIONS + - ETHERPAD_PUBLIC_URL + - ETHERPAD_URL_BASE + - GOOGLE_ANALYTICS_ID + - GOOGLE_API_APP_CLIENT_ID + - INVITE_SERVICE_URL + - JICOFO_AUTH_USER + - MATOMO_ENDPOINT + - MATOMO_SITE_ID + - MICROSOFT_API_APP_CLIENT_ID + - NGINX_RESOLVER + - NGINX_WORKER_PROCESSES + - NGINX_WORKER_CONNECTIONS + - PEOPLE_SEARCH_URL + - RESOLUTION + - RESOLUTION_MIN + - RESOLUTION_WIDTH + - RESOLUTION_WIDTH_MIN + - START_AUDIO_ONLY + - START_AUDIO_MUTED + - START_BITRATE + - START_VIDEO_MUTED + - TESTING_CAP_SCREENSHARE_BITRATE + - TESTING_OCTO_PROBABILITY - XMPP_AUTH_DOMAIN - XMPP_BOSH_URL_BASE + - XMPP_DOMAIN - XMPP_GUEST_DOMAIN - XMPP_MUC_DOMAIN - XMPP_RECORDER_DOMAIN - - ETHERPAD_URL_BASE - - TZ - - JIBRI_BREWERY_MUC - - JIBRI_PENDING_TIMEOUT - - JIBRI_XMPP_USER - - JIBRI_XMPP_PASSWORD - - JIBRI_RECORDER_USER - - JIBRI_RECORDER_PASSWORD - - ENABLE_RECORDING + - TOKEN_AUTH_URL networks: default: meet.jitsi: aliases: - ${XMPP_DOMAIN} - restart: unless-stopped # XMPP server jitsi-prosody: - image: jitsi/prosody + image: jitsi/prosody:latest + restart: unless-stopped expose: - '5222' - '5347' - '5280' volumes: - - ${CONFIG}/prosody:/config + - ${CONFIG}/prosody/config:/config:Z + - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z env_file: - ../.envs/.production/.jitsi environment: - AUTH_TYPE - ENABLE_AUTH - ENABLE_GUESTS + - ENABLE_LOBBY + - ENABLE_XMPP_WEBSOCKET - GLOBAL_MODULES - GLOBAL_CONFIG - LDAP_URL @@ -95,6 +152,7 @@ services: - XMPP_MUC_MODULES - XMPP_INTERNAL_MUC_MODULES - XMPP_RECORDER_DOMAIN + - XMPP_CROSS_DOMAIN - JICOFO_COMPONENT_SECRET - JICOFO_AUTH_USER - JICOFO_AUTH_PASSWORD @@ -115,25 +173,28 @@ services: - JWT_AUTH_TYPE - JWT_TOKEN_AUTH_MODULE - LOG_LEVEL + - PUBLIC_URL - TZ networks: meet.jitsi: aliases: - ${XMPP_SERVER} - restart: unless-stopped # Focus component jitsi-jicofo: - image: jitsi/jicofo + image: jitsi/jicofo:latest + restart: unless-stopped volumes: - - ${CONFIG}/jicofo:/config + - ${CONFIG}/jicofo:/config:Z env_file: - ../.envs/.production/.jitsi environment: + - AUTH_TYPE - ENABLE_AUTH - XMPP_DOMAIN - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MUC_DOMAIN - XMPP_SERVER - JICOFO_COMPONENT_SECRET - JICOFO_AUTH_USER @@ -141,6 +202,7 @@ services: - JICOFO_RESERVATION_REST_BASE_URL - JVB_BREWERY_MUC - JIGASI_BREWERY_MUC + - JIGASI_SIP_URI - JIBRI_BREWERY_MUC - JIBRI_PENDING_TIMEOUT - TZ @@ -148,16 +210,16 @@ services: - jitsi-prosody networks: meet.jitsi: - restart: unless-stopped # Video bridge jitsi-jvb: - image: jitsi/jvb + image: jitsi/jvb:latest + restart: unless-stopped ports: - '${JVB_PORT}:${JVB_PORT}/udp' - '${JVB_TCP_PORT}:${JVB_TCP_PORT}' volumes: - - ${CONFIG}/jvb:/config + - ${CONFIG}/jvb:/config:Z env_file: - ../.envs/.production/.jitsi environment: @@ -171,14 +233,19 @@ services: - JVB_PORT - JVB_TCP_HARVESTER_DISABLED - JVB_TCP_PORT + - JVB_TCP_MAPPED_PORT - JVB_STUN_SERVERS - JVB_ENABLE_APIS + - JVB_WS_DOMAIN + - JVB_WS_SERVER_ID + - PUBLIC_URL - TZ depends_on: - jitsi-prosody networks: meet.jitsi: - restart: unless-stopped + aliases: + - jvb.meet.jitsi # Custom network so all services can communicate using a FQDN networks: diff --git a/extra/rocketchat.yml b/extra/rocketchat.yml index 66113f1..f3b85ed 100644 --- a/extra/rocketchat.yml +++ b/extra/rocketchat.yml @@ -64,7 +64,7 @@ services: - ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts # this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier ports: - - 3001:8080/tcp + - "${MISTBORN_BIND_IP}:3001:8080/tcp" networks: default: diff --git a/extra/tor.yml b/extra/tor.yml index 068b966..f8c4141 100644 --- a/extra/tor.yml +++ b/extra/tor.yml @@ -3,8 +3,8 @@ version: '3' services: tor-client: build: - context: .. - dockerfile: ./compose/production/tor/Dockerfile + context: ../compose/production/tor + dockerfile: ./Dockerfile image: mistborn_production_tor container_name: mistborn_production_tor ports: diff --git a/scripts/conf/docker-daemon.json b/scripts/conf/docker-daemon.json new file mode 100644 index 0000000..ef746cb --- /dev/null +++ b/scripts/conf/docker-daemon.json @@ -0,0 +1,3 @@ +{ + "shutdown-timeout": 60 +} diff --git a/scripts/conf/jitsi.env b/scripts/conf/jitsi.env index 2666101..3693dd4 100644 --- a/scripts/conf/jitsi.env +++ b/scripts/conf/jitsi.env @@ -1,61 +1,116 @@ +# shellcheck disable=SC2034 + +# Security +# +# Set these to strong passwords to avoid intruders from impersonating a service account +# The service(s) won't start unless these are specified +# Running ./gen-passwords.sh will update .env with strong passwords +# You may skip the Jigasi and Jibri passwords if you are not using those +# DO NOT reuse passwords +# + +# XMPP component password for Jicofo +JICOFO_COMPONENT_SECRET= + +# XMPP password for Jicofo client connections +JICOFO_AUTH_PASSWORD= + +# XMPP password for JVB client connections +JVB_AUTH_PASSWORD= + +# XMPP password for Jigasi MUC client connections +JIGASI_XMPP_PASSWORD= + +# XMPP recorder password for Jibri client connections +JIBRI_RECORDER_PASSWORD= + +# XMPP password for Jibri client connections +JIBRI_XMPP_PASSWORD= + + # # Basic configuration options # -# Directory where all configuration will be stored. +# Directory where all configuration will be stored #CONFIG=~/.jitsi-meet-cfg CONFIG=../.envs/.production/.jitsi-cfg -# Exposed HTTP port. +# Exposed HTTP port HTTP_PORT=80 -# Exposed HTTPS port. -HTTPS_PORT=8443 +# Exposed HTTPS port +HTTPS_PORT=443 -# System time zone. -TZ=Europe/Amsterdam +# System time zone +TZ=UTC -# Public URL for the web service. -#PUBLIC_URL=https://meet.example.com +# Public URL for the web service (required) +PUBLIC_URL=https://jitsi.mistborn -# IP address of the Docker host. See the "Running on a LAN environment" section -# in the README. +# IP address of the Docker host +# See the "Running behind NAT or on a LAN environment" section in the Handbook: +# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment +#DOCKER_HOST_ADDRESS=192.168.1.1 DOCKER_HOST_ADDRESS=10.2.3.1 +# Control whether the lobby feature should be enabled or not +#ENABLE_LOBBY=1 + +# Show a prejoin page before entering a conference +#ENABLE_PREJOIN_PAGE=0 # # Let's Encrypt configuration # -# Enable Let's Encrypt certificate generation. +# Enable Let's Encrypt certificate generation #ENABLE_LETSENCRYPT=1 -# Domain for which to generate the certificate. +# Domain for which to generate the certificate #LETSENCRYPT_DOMAIN=meet.example.com -# E-Mail for receiving important account notifications (mandatory). +# E-Mail for receiving important account notifications (mandatory) #LETSENCRYPT_EMAIL=alice@atlanta.net +# Use the staging server (for avoiding rate limits while testing) +#LETSENCRYPT_USE_STAGING=1 + # # Etherpad integration (for document sharing) # -# Set etherpad-lite URL (uncomment to enable). +# Set etherpad-lite URL in docker local network (uncomment to enable) #ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 +# Set etherpad-lite public URL (uncomment to enable) +#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain + +# Name your etherpad instance! +ETHERPAD_TITLE="Video Chat" + +# The default text of a pad +ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n" + +# Name of the skin for etherpad +ETHERPAD_SKIN_NAME="colibris" + +# Skin variants for etherpad +ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor" + # # Basic Jigasi configuration options (needed for SIP gateway support) # -# SIP URI for incoming / outgoing calls. +# SIP URI for incoming / outgoing calls #JIGASI_SIP_URI=test@sip2sip.info # Password for the specified SIP account as a clear text #JIGASI_SIP_PASSWORD=passw0rd -# SIP server (use the SIP account domain if in doubt). +# SIP server (use the SIP account domain if in doubt) #JIGASI_SIP_SERVER=sip2sip.info # SIP server port @@ -65,13 +120,13 @@ DOCKER_HOST_ADDRESS=10.2.3.1 #JIGASI_SIP_TRANSPORT=UDP # -# Authentication configuration (see README for details) +# Authentication configuration (see handbook for details) # -# Enable authentication. +# Enable authentication #ENABLE_AUTH=1 -# Enable guest access. +# Enable guest access #ENABLE_GUESTS=1 # Select authentication type: internal, jwt or ldap @@ -80,38 +135,38 @@ DOCKER_HOST_ADDRESS=10.2.3.1 # JWT authentication # -# Application identifier. +# Application identifier #JWT_APP_ID=my_jitsi_app_id -# Application secret known only to your token. +# Application secret known only to your token #JWT_APP_SECRET=my_jitsi_app_secret -# (Optional) Set asap_accepted_issuers as a comma separated list. +# (Optional) Set asap_accepted_issuers as a comma separated list #JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client -# (Optional) Set asap_accepted_audiences as a comma separated list. +# (Optional) Set asap_accepted_audiences as a comma separated list #JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) # -# LDAP url for connection. +# LDAP url for connection #LDAP_URL=ldaps://ldap.domain.com/ # LDAP base DN. Can be empty #LDAP_BASE=DC=example,DC=domain,DC=com -# LDAP user DN. Do not specify this parameter for the anonymous bind. +# LDAP user DN. Do not specify this parameter for the anonymous bind #LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com -# LDAP user password. Do not specify this parameter for the anonymous bind. +# LDAP user password. Do not specify this parameter for the anonymous bind #LDAP_BINDPW=LdapUserPassw0rd # LDAP filter. Tokens example: -# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail. -# %s - %s is replaced by the complete service string. -# %r - %r is replaced by the complete realm string. +# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail +# %s - %s is replaced by the complete service string +# %r - %r is replaced by the complete realm string #LDAP_FILTER=(sAMAccountName=%u) # LDAP authentication method @@ -123,16 +178,16 @@ DOCKER_HOST_ADDRESS=10.2.3.1 # LDAP TLS using #LDAP_USE_TLS=1 -# List of SSL/TLS ciphers to allow. +# List of SSL/TLS ciphers to allow #LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC # Require and verify server certificate #LDAP_TLS_CHECK_PEER=1 -# Path to CA cert file. Used when server sertificate verify is enabled. +# Path to CA cert file. Used when server certificate verify is enabled #LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt -# Path to CA certs directory. Used when server sertificate verify is enabled. +# Path to CA certs directory. Used when server certificate verify is enabled #LDAP_TLS_CACERT_DIR=/etc/ssl/certs # Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps:// @@ -143,7 +198,7 @@ DOCKER_HOST_ADDRESS=10.2.3.1 # Advanced configuration options (you generally don't need to change these) # -# Internal XMPP domain. +# Internal XMPP domain XMPP_DOMAIN=meet.jitsi # Internal XMPP server @@ -152,18 +207,22 @@ XMPP_SERVER=xmpp.meet.jitsi # Internal XMPP server URL XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280 -# Internal XMPP domain for authenticated services. +# Internal XMPP domain for authenticated services XMPP_AUTH_DOMAIN=auth.meet.jitsi -# XMPP domain for the MUC. +# XMPP domain for the MUC XMPP_MUC_DOMAIN=muc.meet.jitsi -# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools. +# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi -# XMPP domain for unauthenticated users. +# XMPP domain for unauthenticated users XMPP_GUEST_DOMAIN=guest.meet.jitsi +# Comma separated list of domains for cross domain policy or "true" to allow all +# The PUBLIC_URL is always allowed +#XMPP_CROSS_DOMAIN=true + # Custom Prosody modules for XMPP_DOMAIN (comma separated) XMPP_MODULES= @@ -173,17 +232,14 @@ XMPP_MUC_MODULES= # Custom Prosody modules for internal MUC component (comma separated) XMPP_INTERNAL_MUC_MODULES= -# MUC for the JVB pool. +# MUC for the JVB pool JVB_BREWERY_MUC=jvbbrewery -# XMPP user for JVB client connections. +# XMPP user for JVB client connections JVB_AUTH_USER=jvb -# XMPP password for JVB client connections. -JVB_AUTH_PASSWORD=passw0rd - -# STUN servers used to discover the server's public IP. -JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302 +# STUN servers used to discover the server's public IP +JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443 # Media port for the Jitsi Videobridge JVB_PORT=10000 @@ -191,36 +247,32 @@ JVB_PORT=10000 # TCP Fallback for Jitsi Videobridge for when UDP isn't available JVB_TCP_HARVESTER_DISABLED=true JVB_TCP_PORT=4443 +JVB_TCP_MAPPED_PORT=4443 -# A comma separated list of APIs to enable when the JVB is started. The default is none. +# A comma separated list of APIs to enable when the JVB is started [default: none] # See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information #JVB_ENABLE_APIS=rest,colibri -# XMPP component password for Jicofo. -JICOFO_COMPONENT_SECRET=s3cr37 - -# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug. +# XMPP user for Jicofo client connections. +# NOTE: this option doesn't currently work due to a bug JICOFO_AUTH_USER=focus -# XMPP password for Jicofo client connections. -JICOFO_AUTH_PASSWORD=passw0rd - # Base URL of Jicofo's reservation REST API #JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com -# XMPP user for Jigasi MUC client connections. -JIGASI_XMPP_USER=jigasi +# Enable Jicofo's health check REST API (http://:8888/about/health) +#JICOFO_ENABLE_HEALTH_CHECKS=true -# XMPP password for Jigasi MUC client connections. -JIGASI_XMPP_PASSWORD=passw0rd +# XMPP user for Jigasi MUC client connections +JIGASI_XMPP_USER=jigasi -# MUC name for the Jigasi pool. +# MUC name for the Jigasi pool JIGASI_BREWERY_MUC=jigasibrewery -# Minimum port for media used by Jigasi. +# Minimum port for media used by Jigasi JIGASI_PORT_MIN=20000 -# Maximum port for media used by Jigasi. +# Maximum port for media used by Jigasi JIGASI_PORT_MAX=20050 # Enable SDES srtp @@ -235,20 +287,21 @@ JIGASI_PORT_MAX=20050 # Health-check interval #JIGASI_HEALTH_CHECK_INTERVAL=300000 # -# Enable Jigasi transcription. +# Enable Jigasi transcription #ENABLE_TRANSCRIPTIONS=1 -# Jigasi will recordord an audio when transcriber is on. Default false. +# Jigasi will record audio when transcriber is on [default: false] #JIGASI_TRANSCRIBER_RECORD_AUDIO=true -# Jigasi will send transcribed text to the chat when transcriber is on. Default false. +# Jigasi will send transcribed text to the chat when transcriber is on [default: false] #JIGASI_TRANSCRIBER_SEND_TXT=true -# Jigasi post to the chat an url with transcription file. Default false. +# Jigasi will post an url to the chat with transcription file [default: false] #JIGASI_TRANSCRIBER_ADVERTISE_URL=true # Credentials for connect to Cloud Google API from Jigasi -# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph. +# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol +# section "Before you begin" paragraph 1 to 5 # Copy the values from the json to the related env vars #GC_PROJECT_ID= #GC_PRIVATE_KEY_ID= @@ -263,25 +316,19 @@ JIGASI_PORT_MAX=20050 # XMPP domain for the jibri recorder XMPP_RECORDER_DOMAIN=recorder.meet.jitsi -# XMPP recorder user for Jibri client connections. +# XMPP recorder user for Jibri client connections JIBRI_RECORDER_USER=recorder -# XMPP recorder password for Jibri client connections. -JIBRI_RECORDER_PASSWORD=passw0rd - -# Directory for recordings inside Jibri container. +# Directory for recordings inside Jibri container JIBRI_RECORDING_DIR=/config/recordings -# The finalizing script. Will run after recording is complete. +# The finalizing script. Will run after recording is complete JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh -# XMPP user for Jibri client connections. +# XMPP user for Jibri client connections JIBRI_XMPP_USER=jibri -# XMPP password for Jibri client connections. -JIBRI_XMPP_PASSWORD=passw0rd - -# MUC name for the Jibri pool. +# MUC name for the Jibri pool JIBRI_BREWERY_MUC=jibribrewery # MUC connection timeout @@ -294,14 +341,26 @@ JIBRI_PENDING_TIMEOUT=90 # So if there are any prefixes in the jid (like jitsi meet, which # has its participants join a muc at conference.xmpp_domain) then # list that prefix here so it can be stripped out to generate -# the call url correctly. +# the call url correctly JIBRI_STRIP_DOMAIN_JID=muc -# Directory for logs inside Jibri container. +# Directory for logs inside Jibri container JIBRI_LOGS_DIR=/config/logs -# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup. +# Disable HTTPS: handle TLS connections outside of this setup DISABLE_HTTPS=1 -# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443). +# Redirect HTTP traffic to HTTPS +# Necessary for Let's Encrypt, relies on standard HTTPS port (443) #ENABLE_HTTP_REDIRECT=1 + +# Enable IPv6 +# Provides means to disable IPv6 in environments that don't support it (get with the times, people!) +#ENABLE_IPV6=1 + +# Container restart policy +# Defaults to unless-stopped +RESTART_POLICY=unless-stopped + +# Authenticate using external service or just focus external auth window if there is one already. +# TOKEN_AUTH_URL=https://auth.meet.example.com/{room} diff --git a/scripts/env/check_env_file.sh b/scripts/env/check_env_file.sh new file mode 100755 index 0000000..e3bafb1 --- /dev/null +++ b/scripts/env/check_env_file.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +set -e + +SERVICE="$1" + +export MISTBORN_HOME=/opt/mistborn +export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh" +export SERVICE_ENV_FILE="${MISTBORN_HOME}/.envs/.production/.${SERVICE}" + +# read in global variables +set -a +source ${MISTBORN_HOME}/.env +source ${MISTBORN_HOME}/.envs/.production/.django +source ${MISTBORN_HOME}/.envs/.production/.postgres +source ${MISTBORN_HOME}/.envs/.production/.pihole +set +a + +if [[ -f "${SERVICE_ENV_INSTALLER}" ]]; then + + if [[ -f "${SERVICE_ENV_FILE}" ]]; then + echo "Environment file already exists." + else + + # create env file for service + echo "Creating environment file" + source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE + chown mistborn:mistborn $SERVICE_ENV_FILE + chmod 600 $SERVICE_ENV_FILE + + fi + +else + echo "No subinstaller found." +fi diff --git a/scripts/env/setup.sh b/scripts/env/setup.sh index b7c9643..bbf0237 100755 --- a/scripts/env/setup.sh +++ b/scripts/env/setup.sh @@ -4,15 +4,29 @@ VAR_FILE=/opt/mistborn/.env +# load env variables + source /opt/mistborn/scripts/subinstallers/platform.sh +# setup env file +echo "" | sudo tee ${VAR_FILE} +sudo chown mistborn:mistborn ${VAR_FILE} +sudo chmod 600 ${VAR_FILE} + +# MISTBORN_DNS_BIND_IP + MISTBORN_DNS_BIND_IP="10.2.3.1" #if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then # MISTBORN_DNS_BIND_IP="10.2.3.1" #fi -echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee ${VAR_FILE} -sudo chown mistborn:mistborn ${VAR_FILE} +echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee -a ${VAR_FILE} + +# MISTBORN_BIND_IP + +echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE} + +# MISTBORN_TAG GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master") MISTBORN_TAG="latest" @@ -22,13 +36,29 @@ fi echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE} -#### install and base services -iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') +#### SERVICE files -# default interface +# copy current service files to systemd (overwriting as needed) sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/ + +# set script user and owner sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/" #sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /" + +# reload in case the iface is not immediately set +sudo systemctl daemon-reload + +#### install and base services +iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]') +## cannot be empty +while [[ -z "$iface" ]]; do + sleep 2 + iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]') +done + +# default interface sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/" -sudo systemctl daemon-reload \ No newline at end of file +echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE} + +sudo systemctl daemon-reload diff --git a/scripts/install.sh b/scripts/install.sh index 31e0f83..a142ad9 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -59,13 +59,18 @@ echo -e "| | | | \__ \ |_| |_) | (_) | | | | | |" echo -e "|_| |_|_|___/\__|_.__/ \___/|_| |_| |_|" echo -e "" -# INPUT default admin password -if [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; then - read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD - echo -else - echo "MISTBORN_DEFAULT_PASSWORD is already set" -fi +sudo rm -rf /opt/mistborn 2>/dev/null || true + +# clone to /opt and change directory +echo "Cloning $GIT_BRANCH branch from mistborn repo" +sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn +sudo chown -R $USER:$USER /opt/mistborn +pushd . +cd /opt/mistborn +git submodule update --init --recursive + +# MISTBORN_DEFAULT_PASSWORD +source ./scripts/subinstallers/passwd.sh # Install Cockpit? if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then @@ -85,16 +90,6 @@ else echo "SSH key exists for $USER" fi -sudo rm -rf /opt/mistborn 2>/dev/null || true - -# clone to /opt and change directory -echo "Cloning $GIT_BRANCH branch from mistborn repo" -sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn -sudo chown -R $USER:$USER /opt/mistborn -pushd . -cd /opt/mistborn -git submodule update --init --recursive - # initial load update package list sudo apt-get update @@ -248,6 +243,7 @@ sudo resolvconf -u 1>/dev/null 2>&1 echo "backup up original volumes folder" sudo mkdir -p ../mistborn_backup +sudo chmod 700 ../mistborn_backup sudo tar -czf ../mistborn_backup/mistborn_volumes_backup.tar.gz ../mistborn_volumes 1>/dev/null 2>&1 # clean docker diff --git a/scripts/services/Mistborn-bitwarden.service b/scripts/services/Mistborn-bitwarden.service index ff79fde..8b0c8de 100644 --- a/scripts/services/Mistborn-bitwarden.service +++ b/scripts/services/Mistborn-bitwarden.service @@ -2,20 +2,22 @@ Description=Mistborn Bitwarden Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service new file mode 100644 index 0000000..1c193e8 --- /dev/null +++ b/scripts/services/Mistborn-guacamole.service @@ -0,0 +1,23 @@ +[Unit] +Description=Mistborn Guacamole +Requires=Mistborn-base.service +After=Mistborn-base.service +PartOf=Mistborn-base.service + +[Service] +Restart=always +RestartSec=15 +User=root +Group=docker +PermissionsStartOnly=true +# Shutdown container (if running) when unit is stopped +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down + +# Start container when unit is started +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build +# Stop container when unit is stopped +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down +# Post stop + +[Install] +WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-homeassistant.service b/scripts/services/Mistborn-homeassistant.service index f1a0d4d..6ca8cc1 100644 --- a/scripts/services/Mistborn-homeassistant.service +++ b/scripts/services/Mistborn-homeassistant.service @@ -2,19 +2,21 @@ Description=Mistborn Home Assistant Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-jellyfin.service b/scripts/services/Mistborn-jellyfin.service index 86d1315..270769c 100644 --- a/scripts/services/Mistborn-jellyfin.service +++ b/scripts/services/Mistborn-jellyfin.service @@ -2,19 +2,21 @@ Description=Mistborn Jellyfin Service Requires=Mistborn-nextcloud.service After=Mistborn-nextcloud.service +PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service index 49a9c21..d99aa81 100644 --- a/scripts/services/Mistborn-jitsi.service +++ b/scripts/services/Mistborn-jitsi.service @@ -2,26 +2,26 @@ Description=Mistborn Jitsi Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true -EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh -ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build + # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down # Post stop -ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP +ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-nextcloud.service b/scripts/services/Mistborn-nextcloud.service index 6a9302c..01f0132 100644 --- a/scripts/services/Mistborn-nextcloud.service +++ b/scripts/services/Mistborn-nextcloud.service @@ -2,19 +2,21 @@ Description=Mistborn Nextcloud Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always -User=www-data +RestartSec=15 +User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-onlyoffice.service b/scripts/services/Mistborn-onlyoffice.service index 421912e..16f0010 100644 --- a/scripts/services/Mistborn-onlyoffice.service +++ b/scripts/services/Mistborn-onlyoffice.service @@ -2,19 +2,21 @@ Description=Mistborn OnlyOffice Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service index 1ad5a84..8106fc9 100644 --- a/scripts/services/Mistborn-rocketchat.service +++ b/scripts/services/Mistborn-rocketchat.service @@ -2,20 +2,22 @@ Description=Mistborn Rocket Chat Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP diff --git a/scripts/services/Mistborn-syncthing.service b/scripts/services/Mistborn-syncthing.service index e3065f3..0399dec 100644 --- a/scripts/services/Mistborn-syncthing.service +++ b/scripts/services/Mistborn-syncthing.service @@ -2,21 +2,23 @@ Description=Mistborn Syncthing Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP diff --git a/scripts/services/Mistborn-tor.service b/scripts/services/Mistborn-tor.service index bbb871f..43b8c42 100644 --- a/scripts/services/Mistborn-tor.service +++ b/scripts/services/Mistborn-tor.service @@ -2,20 +2,22 @@ Description=Mistborn Tor Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP diff --git a/scripts/services/guacamole/init.sh b/scripts/services/guacamole/init.sh new file mode 100755 index 0000000..1e8634f --- /dev/null +++ b/scripts/services/guacamole/init.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then + echo "initdb.sql exists. Proceeding." + exit 0 +fi + +mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1 +chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/ +docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql + +# grab values in initdb.sql to replace +HEXSTRINGS=($(egrep -o [0-9a-fA-F]{64} /opt/mistborn_volumes/extra/guacamole/init/initdb.sql)) + +# reset default password in init.db +SALT=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice('0123456789ABCDEF') for x in range(64)]))") +GUAC_PASSWORD_HASHED=$(echo -n "${MISTBORN_DEFAULT_PASSWORD}${SALT}" | sha256sum | awk '{print $1}' | tr a-z A-Z) + +sed -i "s/${HEXSTRINGS[1]}/$SALT/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql +sed -i "s/${HEXSTRINGS[0]}/$GUAC_PASSWORD_HASHED/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql +sed -i "s/guacadmin/mistborn/g" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql \ No newline at end of file diff --git a/scripts/services/jitsi/iptables_down.sh b/scripts/services/jitsi/iptables_down.sh new file mode 100755 index 0000000..f7dc3cc --- /dev/null +++ b/scripts/services/jitsi/iptables_down.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP \ No newline at end of file diff --git a/scripts/services/jitsi/iptables_up.sh b/scripts/services/jitsi/iptables_up.sh new file mode 100755 index 0000000..50756c0 --- /dev/null +++ b/scripts/services/jitsi/iptables_up.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP \ No newline at end of file diff --git a/scripts/subinstallers/cockpit.sh b/scripts/subinstallers/cockpit.sh index fbdb141..6d27958 100755 --- a/scripts/subinstallers/cockpit.sh +++ b/scripts/subinstallers/cockpit.sh @@ -16,9 +16,11 @@ fi sudo -E apt-get install -y cockpit -if $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ; then +if [ $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ]; then # no longer supported upstream in Ubuntu 20.04 sudo -E apt-get install -y cockpit-docker +elif [ $(sudo apt-cache show cockpit-podman > /dev/null 2>&1) ]; then + sudo -E apt-get install -y cockpit-podman fi sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf diff --git a/scripts/subinstallers/docker.sh b/scripts/subinstallers/docker.sh index a4206ab..cdc83fa 100755 --- a/scripts/subinstallers/docker.sh +++ b/scripts/subinstallers/docker.sh @@ -18,3 +18,6 @@ fi if [ ! -f /usr/local/bin/docker-compose ]; then sudo -E ln -s $(which docker-compose) /usr/local/bin/docker-compose fi + +# daemon.json +#source ./scripts/subinstallers/docker_daemon.sh diff --git a/scripts/subinstallers/docker_daemon.sh b/scripts/subinstallers/docker_daemon.sh new file mode 100755 index 0000000..92f6edc --- /dev/null +++ b/scripts/subinstallers/docker_daemon.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# daemon.json +if [ ! -f /etc/docker/daemon.json ]; then + sudo -E cp ./scripts/conf/docker-daemon.json /etc/docker/daemon.json + sudo -E systemctl restart docker +fi diff --git a/scripts/subinstallers/docker_manual.sh b/scripts/subinstallers/docker_manual.sh index 2cbb329..2d02ddb 100755 --- a/scripts/subinstallers/docker_manual.sh +++ b/scripts/subinstallers/docker_manual.sh @@ -63,6 +63,7 @@ echo "Installing Docker Compose" # Install Docker Compose from pip # This might take a while -sudo pip3 install docker-compose +# cryptography >=3.4 requires rust to compile, and no rust compiler is readily available for ARM +sudo pip3 install cryptography==3.3.2 docker-compose #fi diff --git a/scripts/subinstallers/extra/bitwarden.sh b/scripts/subinstallers/extra/bitwarden.sh new file mode 100755 index 0000000..abc37a5 --- /dev/null +++ b/scripts/subinstallers/extra/bitwarden.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# generate bitwarden .env files +BITWARDEN_PROD_FILE="$1" +echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE +echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/guacamole.sh b/scripts/subinstallers/extra/guacamole.sh new file mode 100755 index 0000000..8df9d00 --- /dev/null +++ b/scripts/subinstallers/extra/guacamole.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# Guacamole +GUAC_PROD_FILE="$1" +GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE +echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE +echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE +echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE +echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE +echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE +echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/jitsi.sh b/scripts/subinstallers/extra/jitsi.sh new file mode 100755 index 0000000..fcf3493 --- /dev/null +++ b/scripts/subinstallers/extra/jitsi.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +# JITSI +JITSI_PROD_FILE="$1" +cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE +mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb} +sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" \ No newline at end of file diff --git a/scripts/subinstallers/extra/nextcloud.sh b/scripts/subinstallers/extra/nextcloud.sh new file mode 100755 index 0000000..b1568b7 --- /dev/null +++ b/scripts/subinstallers/extra/nextcloud.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# generate nextcloud .env files +NEXTCLOUD_PROD_FILE="$1" +#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" +echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE +echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE +echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/onlyoffice.sh b/scripts/subinstallers/extra/onlyoffice.sh new file mode 100755 index 0000000..3fadeca --- /dev/null +++ b/scripts/subinstallers/extra/onlyoffice.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# generate onlyoffice .env files +ONLYOFFICE_PROD_FILE="$1" +JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}" +echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE +echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/rocketchat.sh b/scripts/subinstallers/extra/rocketchat.sh new file mode 100755 index 0000000..6da1e2d --- /dev/null +++ b/scripts/subinstallers/extra/rocketchat.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# generate rocketchat .env files +ROCKETCHAT_PROD_FILE="$1" +#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" +echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE +echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE +echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE +echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE + +# docker environment +echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index f4b9675..d185c32 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -1,9 +1,10 @@ -#!/bin/sh +#!/bin/bash figlet "Mistborn: Container Credentials" # generate production .env file for Django mkdir -p ./.envs/.production +chmod 700 ./.envs DJANGO_PROD_FILE="./.envs/.production/.django" DJANGO_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(50)]))") #CELERY_FLOWER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") @@ -22,6 +23,7 @@ echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE +chmod 600 $DJANGO_PROD_FILE # generate production .env file for postgresql POSTGRES_PROD_FILE="./.envs/.production/.postgres" @@ -31,6 +33,7 @@ echo "POSTGRES_PORT=5432" >> $POSTGRES_PROD_FILE echo "POSTGRES_DB=mistborn" >> $POSTGRES_PROD_FILE echo "POSTGRES_USER=prod" >> $POSTGRES_PROD_FILE echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> $POSTGRES_PROD_FILE +chmod 600 $POSTGRES_PROD_FILE # generate production .env file for pihole @@ -39,42 +42,4 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole" WEBPASSWORD="$1" echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE - -# generate rocketchat .env files -ROCKETCHAT_PROD_FILE="./.envs/.production/.rocketchat" -#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") -ROCKETCHAT_PASSWORD="$1" -echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE -echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE -echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE -echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE - -# generate nextcloud .env files -NEXTCLOUD_PROD_FILE="./.envs/.production/.nextcloud" -#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") -NEXTCLOUD_PASSWORD="$1" -echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE - -# generate onlyoffice .env files -ONLYOFFICE_PROD_FILE="./.envs/.production/.onlyoffice" -JWT_SECRET="$1" -echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE -echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE - -# generate bitwarden .env files -BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden" -echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE -echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE - -# JITSI -JITSI_PROD_FILE="./.envs/.production/.jitsi" -cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE -mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb} -sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +chmod 600 $PIHOLE_PROD_FILE diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh index a687eb1..84aada7 100755 --- a/scripts/subinstallers/iptables.sh +++ b/scripts/subinstallers/iptables.sh @@ -113,6 +113,11 @@ fi # IP forwarding sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf + +# VM Overcommit Memory +sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf + +# Force re-read of sysctl.conf sudo sysctl -p /etc/sysctl.conf # rsyslog to create /var/log/iptables.log diff --git a/scripts/subinstallers/openssl.sh b/scripts/subinstallers/openssl.sh index 6862cfc..76e2dbe 100755 --- a/scripts/subinstallers/openssl.sh +++ b/scripts/subinstallers/openssl.sh @@ -17,7 +17,7 @@ sudo -E mkdir -p $KEY_FOLDER sudo -E rm -f ${KEY_FOLDER}/* # generate crt and key -sudo -E openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -addext "subjectAltName = DNS:*.mistborn" -addext extendedKeyUsage=serverAuth -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" +sudo -E openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -addext "subjectAltName=DNS:*.mistborn,DNS:home.mistborn,DNS:jitsi.mistborn,DNS:bitwarden.mistborn,DNS:chat.mistborn,DNS:homeassistant.mistborn,DNS:jellyfin.mistborn,DNS:syncthing.mistborn,DNS:nextcloud.mistborn,DNS:onlyoffice.mistborn" -addext extendedKeyUsage=serverAuth -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" # set permissions sudo -E chown -R mistborn:mistborn ${KEY_FOLDER} diff --git a/scripts/subinstallers/passwd.sh b/scripts/subinstallers/passwd.sh new file mode 100755 index 0000000..417926b --- /dev/null +++ b/scripts/subinstallers/passwd.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +# INPUT default admin password +while [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; do + echo + echo "(Mistborn) The default admin password may only container alphanumeric characters and _" + read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD + echo + + if [[ ${MISTBORN_DEFAULT_PASSWORD} =~ ^[A-Za-z0-9_]+$ ]]; then + # it matches + echo "(Mistborn) Password is accepted" + else + unset MISTBORN_DEFAULT_PASSWORD + echo "(Mistborn) Try again" + fi + +done + +echo +echo "MISTBORN_DEFAULT_PASSWORD is set" +echo diff --git a/scripts/subinstallers/wireguard.sh b/scripts/subinstallers/wireguard.sh index 1b7b339..baedd88 100755 --- a/scripts/subinstallers/wireguard.sh +++ b/scripts/subinstallers/wireguard.sh @@ -12,10 +12,10 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then echo "Adding Wireguard repo keys" sudo -E apt-get install -y dirmngr - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553 - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010 - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138 + sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8B48AD6246925553 + sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7638D0442B90D010 + sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 04EE7237B7D453EC + sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 648ACFD622F3D138 fi if [ "$DISTRO" == "ubuntu" ]; then diff --git a/scripts/update.sh b/scripts/update.sh index 8026316..dbf0845 100755 --- a/scripts/update.sh +++ b/scripts/update.sh @@ -18,6 +18,13 @@ sudo mistborn-cli pullbuild sudo docker container prune -f sudo docker image prune -f + +# RESTART + sudo systemctl stop Mistborn-base + +# docker daemon +#source ./scripts/subinstallers/docker_daemon.sh + sudo systemctl restart Mistborn-setup sudo systemctl restart Mistborn-base diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh new file mode 100755 index 0000000..bb33894 --- /dev/null +++ b/scripts/wrappers/mistborn_docker.sh @@ -0,0 +1,46 @@ +#!/bin/bash + +set -e + +SERVICE="$1" +shift + +export MISTBORN_HOME="/opt/mistborn" +export MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE} +export MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh + +# check and create file if needed +${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE} + +# read in variables +set -a +source ${MISTBORN_HOME}/.env + +if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then + echo "Loading service variables" + source ${MISTBORN_SERVICE_FILE} +else + echo "No service variables to load. Proceeding." +fi +set +a + +# init script +if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then + echo "Running init script" + ${MISTBORN_SERVICE_INIT} +else + echo "No init script. Proceeding." +fi + +# ensure base is up and listening +echo "Waiting for Mistborn-base to finish starting up..." + +while ! nc -z 10.2.3.1 5000; do + WAIT_TIME=$((5 + $RANDOM % 15)) + echo "Waiting ${WAIT_TIME} seconds for Mistborn-base..." + sleep ${WAIT_TIME} +done + +echo "Mistborn-base is running" + +exec "$@"