From c7c7a897d9668a71af38d2a63753bf20e629767f Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Mon, 23 Nov 2020 03:59:34 +0000 Subject: [PATCH 01/23] Resolve "Bugfix: handling empty DIFACE" --- scripts/env/setup.sh | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/scripts/env/setup.sh b/scripts/env/setup.sh index b7c9643..ce3e9bc 100755 --- a/scripts/env/setup.sh +++ b/scripts/env/setup.sh @@ -22,13 +22,25 @@ fi echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE} -#### install and base services -iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') - -# default interface +# copy current service files to systemd (overwriting as needed) sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/ + +# set script user and owner sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/" #sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /" + +# reload in case the iface is not immediately set +sudo systemctl daemon-reload + +#### install and base services +iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]') +## cannot be empty +while [[ -z "$iface" ]]; do + sleep 2 + iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]') +done + +# default interface sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/" -sudo systemctl daemon-reload \ No newline at end of file +sudo systemctl daemon-reload From d832a6821aee5d770f1c63be0e37824f12541324 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 4 Dec 2020 16:05:09 +0000 Subject: [PATCH 02/23] Resolve "Documentation: Linux Magazine" --- README.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index fb9cdbd..2ccb543 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,10 @@ A secure platform for easily standing up and managing your own cloud services: i ![Mistborn Wireguard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*Wireguard Management in Mistborn* +As featured in [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) (Linux Pro Magazine in North America) in November 2020 + +![Mistborn Featured in Linux Magazine](https://gitlab.com/cyber5k/public/-/raw/master/graphics/linux-magazine-cover-nov-2020.jpg "Mistborn featured in Linux Magazine November 2020") + # Table of Contents [[_TOC_]] @@ -496,15 +500,17 @@ These are some notes regarding the technical design and implementations of Mistb # Roadmap Many features and refinements are in the works at various stages including: -- Option to upload metrics information to Cyber5K to refine each Mistborn instance's firewall -- Option to email default admin Wireguard config file -- Adding more extra services (e.g. Gitlab, Game Servers, etc.) -- Cyber5K marketplace to share Gateway access (to fixed IP addresses or domains, and for a fixed amount of time) -- Mistborn managing wireless interfaces for local access points (stripped down RaspAP) -- Optional periodic backup of local Mistborn config files and credentials to Cyber5K +- Plugins for Extra Services (enabling third-party development) +- Plugin repository +- Integration with RaspAP to enable managing an Access Point for local network connections - Internal network scan tool and feedback - Anomaly detection in network traffic +# Featured In + +- [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) November 2020 (featuring Mistborn version from early May 2020) +- [Awesome Open Source](https://www.youtube.com/watch?v=hekP0_crotw) July 2020 (featuring Mistborn version from early July 2020) + # Follow You can find recent bugfixes, functional additions, some extra documentation and more at the Cyber5K Patreon page: [https://www.patreon.com/cyber5k](https://www.patreon.com/cyber5k) From 51af2bbed9c478bff0ca3d58d46c5b76de0fd5fe Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 5 Dec 2020 03:21:44 +0000 Subject: [PATCH 03/23] Resolve "Multi-Factor Authentication integration with Traefik" --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2ccb543..09440d6 100644 --- a/README.md +++ b/README.md @@ -249,8 +249,8 @@ Internet access is blocked via iptables until authentication is completed for an ![Mistborn Multi Factor Authentication - Token Prompt](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_token_enter.png)*Mistborn Multi Factor Authentication - Token Prompt* -### MFA Mistborn Service Access -Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will redirect you to [http://home.mistborn](http://home.mistborn) where you must complete the authentication process. Click "Sign Out" to re-block access until authentication completes again. +### MFA Mistborn Service Access - Fixed on 4 December 2020 +Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will produce a "Mistborn: Not authorized" HTTP 403. Click "Sign Out" to re-block access until authentication completes again. ### Notes - **Sessions**: Traefik checks the authenticated sessions on the server side to determine whether to allow access to the Mistborn service web pages. If an open session exists for your Mistborn IP address then access will be granted. You may close all sessions by clicking "Sign Out" on the Mistborn home page. Expired sessions are regularly cleaned by the Mistborn system (celery periodic task). From 92e62620ee5b0cae64424c8830c7db284277f84b Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 5 Dec 2020 04:14:50 +0000 Subject: [PATCH 04/23] Resolve "Bugfix: MFA authentication routing for cockpit" --- compose/production/traefik/dynamic.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compose/production/traefik/dynamic.toml b/compose/production/traefik/dynamic.toml index 3d3adbe..a9f26dd 100644 --- a/compose/production/traefik/dynamic.toml +++ b/compose/production/traefik/dynamic.toml @@ -18,7 +18,7 @@ rule = "Host(`cockpit.mistborn`)" service = "cockpit" entrypoints = ["web", "websecure"] - #middlewares = + middlewares = ["mistborn_auth"] [http.middlewares] [http.middlewares.mistborn_auth.forwardAuth] From 0a7644827ef5b072ef6654b09d9104845412b665 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 6 Dec 2020 00:35:21 +0000 Subject: [PATCH 05/23] Resolve "Defense in depth: bind IPs" --- extra/rocketchat.yml | 2 +- scripts/env/setup.sh | 19 +++++++++++++++++-- scripts/services/Mistborn-rocketchat.service | 1 + 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/extra/rocketchat.yml b/extra/rocketchat.yml index 66113f1..f3b85ed 100644 --- a/extra/rocketchat.yml +++ b/extra/rocketchat.yml @@ -64,7 +64,7 @@ services: - ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts # this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier ports: - - 3001:8080/tcp + - "${MISTBORN_BIND_IP}:3001:8080/tcp" networks: default: diff --git a/scripts/env/setup.sh b/scripts/env/setup.sh index ce3e9bc..43060b6 100755 --- a/scripts/env/setup.sh +++ b/scripts/env/setup.sh @@ -4,15 +4,28 @@ VAR_FILE=/opt/mistborn/.env +# load env variables + source /opt/mistborn/scripts/subinstallers/platform.sh +# setup env file +echo "" | sudo tee ${VAR_FILE} +sudo chown mistborn:mistborn ${VAR_FILE} + +# MISTBORN_DNS_BIND_IP + MISTBORN_DNS_BIND_IP="10.2.3.1" #if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then # MISTBORN_DNS_BIND_IP="10.2.3.1" #fi -echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee ${VAR_FILE} -sudo chown mistborn:mistborn ${VAR_FILE} +echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee -a ${VAR_FILE} + +# MISTBORN_BIND_IP + +echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE} + +# MISTBORN_TAG GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master") MISTBORN_TAG="latest" @@ -22,6 +35,8 @@ fi echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE} +#### SERVICE files + # copy current service files to systemd (overwriting as needed) sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/ diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service index 1ad5a84..ecb93a2 100644 --- a/scripts/services/Mistborn-rocketchat.service +++ b/scripts/services/Mistborn-rocketchat.service @@ -8,6 +8,7 @@ Restart=always User=root Group=docker PermissionsStartOnly=true +EnvironmentFile=/opt/mistborn/.env # Shutdown container (if running) when unit is stopped ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down From 5596024be3a444fd5ac194cdca50767863e06130 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 6 Dec 2020 00:41:15 +0000 Subject: [PATCH 06/23] Resolve "Bug: Tor unable to start after Jitsi starts" --- compose/production/tor/Dockerfile | 2 +- extra/tor.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/compose/production/tor/Dockerfile b/compose/production/tor/Dockerfile index af4d0a4..11f8bb8 100644 --- a/compose/production/tor/Dockerfile +++ b/compose/production/tor/Dockerfile @@ -7,7 +7,7 @@ RUN apk update \ EXPOSE 9150 -ADD ./compose/production/tor/torrc /etc/tor/torrc +ADD ./torrc /etc/tor/torrc USER tor CMD /usr/bin/tor -f /etc/tor/torrc diff --git a/extra/tor.yml b/extra/tor.yml index 068b966..f8c4141 100644 --- a/extra/tor.yml +++ b/extra/tor.yml @@ -3,8 +3,8 @@ version: '3' services: tor-client: build: - context: .. - dockerfile: ./compose/production/tor/Dockerfile + context: ../compose/production/tor + dockerfile: ./Dockerfile image: mistborn_production_tor container_name: mistborn_production_tor ports: From d3450f5ab3c7ab54d784ee53922be34a2144908d Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 5 Dec 2020 22:28:22 -0500 Subject: [PATCH 07/23] security scan links --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 09440d6..6b5fe04 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,8 @@ Ideal for teams who: - want to limit or stop data collecting services - want to prevent being detected/blocked for using a proxy or VPN service +See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see the network scan results for Mistborn. + Mistborn depends on these core open source technologies: - [Docker](https://www.docker.com/why-docker): containerization - [Wireguard](https://www.wireguard.com): secure VPN access @@ -252,6 +254,8 @@ Internet access is blocked via iptables until authentication is completed for an ### MFA Mistborn Service Access - Fixed on 4 December 2020 Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will produce a "Mistborn: Not authorized" HTTP 403. Click "Sign Out" to re-block access until authentication completes again. +![Mistborn Multi Factor Authentication - Not Authorized](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_not_authorized.png)*Mistborn Multi Factor Authentication - Not Authorized (Login Incomplete)* + ### Notes - **Sessions**: Traefik checks the authenticated sessions on the server side to determine whether to allow access to the Mistborn service web pages. If an open session exists for your Mistborn IP address then access will be granted. You may close all sessions by clicking "Sign Out" on the Mistborn home page. Expired sessions are regularly cleaned by the Mistborn system (celery periodic task). @@ -478,6 +482,9 @@ Run updates and restart before installing Mistborn (`sudo apt-get update && sudo These are some notes regarding the technical design and implementations of Mistborn. Feel free to contact me for additional details. ## Attack Surface + +See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki entry. + - **Wireguard**: Wireguard is the only way in to Mistborn. When new Wireguard profiles are generated they are attached to a random UDP port. Wireguard does not respond to unauthenticated traffic. External probes on the active Wireguard listening ports are not logged and do not appear on the Metrics page. - **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the Wireguard tunnels) is allowed. Password authentication is allowed. The SSH key for the `mistborn` user is only accepted from internal source IP addresses. Fail2ban is also installed. - **Traefik**: Iptables closes web ports (TCP 80 and 443) from external access and additonally all web interfaces are behind the Traefik reverse-proxy. All web requests (e.g. home.mistborn) must be resolved by Mistborn DNS (Pihole/dnsmasq) and originate from a Wireguard tunnel. From 649b88977b0f28f9a66d0bfeea20029f7a9b7c6b Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 10 Dec 2020 00:31:55 +0000 Subject: [PATCH 08/23] Resolve "Jitsi Bouncing Error" --- README.md | 5 +- extra/jitsi-meet.yml | 121 ++++++++++++++++++----- scripts/conf/jitsi.env | 217 ++++++++++++++++++++++++++--------------- 3 files changed, 236 insertions(+), 107 deletions(-) diff --git a/README.md b/README.md index 6b5fe04..e5afaa0 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,8 @@ Mistborn protects your data in a variety of ways: - The Mistborn firewall blocks unsolicited incoming internet packets - Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) +See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see more network diagrams and the network scan results for Mistborn. + # Coppercloud Pihole provides a way to block outgoing DNS requests for given lists of blocked domains. Coppercloud provides a way to block outgoing network calls of all types to given lists of IP addresses (IPv4 only for now). This is especially useful for blocking outgoing telemetry (data and state sharing) to owners of software running on all of your devices. @@ -504,11 +506,12 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/ - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked. - Unattended upgrades are set to automatically install operating system security updates. -# Roadmap +# Roadmap (not necessarily in order) Many features and refinements are in the works at various stages including: - Plugins for Extra Services (enabling third-party development) - Plugin repository +- IPv6 support - Integration with RaspAP to enable managing an Access Point for local network connections - Internal network scan tool and feedback - Anomaly detection in network traffic diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml index 7f4b0ed..3c47167 100644 --- a/extra/jitsi-meet.yml +++ b/extra/jitsi-meet.yml @@ -4,6 +4,7 @@ services: # Frontend jitsi-web: image: jitsi/web + restart: unless-stopped #ports: #- '${HTTP_PORT}:80' #- '${HTTPS_PORT}:443' @@ -18,59 +19,115 @@ services: - "traefik.http.routers.jitsi-https.tls.certresolver=basic" - "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}" volumes: - - ${CONFIG}/web:/config - - ${CONFIG}/web/letsencrypt:/etc/letsencrypt - - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts + - ${CONFIG}/web:/config:Z + - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z env_file: - ../.envs/.production/.jitsi environment: - - ENABLE_AUTH - - ENABLE_GUESTS - ENABLE_LETSENCRYPT - ENABLE_HTTP_REDIRECT - - ENABLE_TRANSCRIPTIONS + - ENABLE_XMPP_WEBSOCKET - DISABLE_HTTPS - - JICOFO_AUTH_USER - LETSENCRYPT_DOMAIN - LETSENCRYPT_EMAIL + - LETSENCRYPT_USE_STAGING - PUBLIC_URL - - XMPP_DOMAIN + - TZ + - AMPLITUDE_ID + - ANALYTICS_SCRIPT_URLS + - ANALYTICS_WHITELISTED_EVENTS + - BRIDGE_CHANNEL + - BRANDING_DATA_URL + - CALLSTATS_CUSTOM_SCRIPT_URL + - CALLSTATS_ID + - CALLSTATS_SECRET + - CHROME_EXTENSION_BANNER_JSON + - CONFCODE_URL + - CONFIG_EXTERNAL_CONNECT + - DEPLOYMENTINFO_ENVIRONMENT + - DEPLOYMENTINFO_ENVIRONMENT_TYPE + - DEPLOYMENTINFO_USERREGION + - DIALIN_NUMBERS_URL + - DIALOUT_AUTH_URL + - DIALOUT_CODES_URL + - DROPBOX_APPKEY + - DROPBOX_REDIRECT_URI + - ENABLE_AUDIO_PROCESSING + - ENABLE_AUTH + - ENABLE_CALENDAR + - ENABLE_FILE_RECORDING_SERVICE + - ENABLE_FILE_RECORDING_SERVICE_SHARING + - ENABLE_GUESTS + - ENABLE_IPV6 + - ENABLE_LIPSYNC + - ENABLE_NO_AUDIO_DETECTION + - ENABLE_P2P + - ENABLE_PREJOIN_PAGE + - ENABLE_RECORDING + - ENABLE_REMB + - ENABLE_REQUIRE_DISPLAY_NAME + - ENABLE_SIMULCAST + - ENABLE_STATS_ID + - ENABLE_STEREO + - ENABLE_SUBDOMAINS + - ENABLE_TALK_WHILE_MUTED + - ENABLE_TCC + - ENABLE_TRANSCRIPTIONS + - ETHERPAD_PUBLIC_URL + - ETHERPAD_URL_BASE + - GOOGLE_ANALYTICS_ID + - GOOGLE_API_APP_CLIENT_ID + - INVITE_SERVICE_URL + - JICOFO_AUTH_USER + - MATOMO_ENDPOINT + - MATOMO_SITE_ID + - MICROSOFT_API_APP_CLIENT_ID + - NGINX_RESOLVER + - NGINX_WORKER_PROCESSES + - NGINX_WORKER_CONNECTIONS + - PEOPLE_SEARCH_URL + - RESOLUTION + - RESOLUTION_MIN + - RESOLUTION_WIDTH + - RESOLUTION_WIDTH_MIN + - START_AUDIO_ONLY + - START_AUDIO_MUTED + - START_BITRATE + - START_VIDEO_MUTED + - TESTING_CAP_SCREENSHARE_BITRATE + - TESTING_OCTO_PROBABILITY - XMPP_AUTH_DOMAIN - XMPP_BOSH_URL_BASE + - XMPP_DOMAIN - XMPP_GUEST_DOMAIN - XMPP_MUC_DOMAIN - XMPP_RECORDER_DOMAIN - - ETHERPAD_URL_BASE - - TZ - - JIBRI_BREWERY_MUC - - JIBRI_PENDING_TIMEOUT - - JIBRI_XMPP_USER - - JIBRI_XMPP_PASSWORD - - JIBRI_RECORDER_USER - - JIBRI_RECORDER_PASSWORD - - ENABLE_RECORDING + - TOKEN_AUTH_URL networks: default: meet.jitsi: aliases: - ${XMPP_DOMAIN} - restart: unless-stopped # XMPP server jitsi-prosody: - image: jitsi/prosody + image: jitsi/prosody:latest + restart: unless-stopped expose: - '5222' - '5347' - '5280' volumes: - - ${CONFIG}/prosody:/config + - ${CONFIG}/prosody/config:/config:Z + - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z env_file: - ../.envs/.production/.jitsi environment: - AUTH_TYPE - ENABLE_AUTH - ENABLE_GUESTS + - ENABLE_LOBBY + - ENABLE_XMPP_WEBSOCKET - GLOBAL_MODULES - GLOBAL_CONFIG - LDAP_URL @@ -95,6 +152,7 @@ services: - XMPP_MUC_MODULES - XMPP_INTERNAL_MUC_MODULES - XMPP_RECORDER_DOMAIN + - XMPP_CROSS_DOMAIN - JICOFO_COMPONENT_SECRET - JICOFO_AUTH_USER - JICOFO_AUTH_PASSWORD @@ -115,25 +173,28 @@ services: - JWT_AUTH_TYPE - JWT_TOKEN_AUTH_MODULE - LOG_LEVEL + - PUBLIC_URL - TZ networks: meet.jitsi: aliases: - ${XMPP_SERVER} - restart: unless-stopped # Focus component jitsi-jicofo: - image: jitsi/jicofo + image: jitsi/jicofo:latest + restart: unless-stopped volumes: - - ${CONFIG}/jicofo:/config + - ${CONFIG}/jicofo:/config:Z env_file: - ../.envs/.production/.jitsi environment: + - AUTH_TYPE - ENABLE_AUTH - XMPP_DOMAIN - XMPP_AUTH_DOMAIN - XMPP_INTERNAL_MUC_DOMAIN + - XMPP_MUC_DOMAIN - XMPP_SERVER - JICOFO_COMPONENT_SECRET - JICOFO_AUTH_USER @@ -141,6 +202,7 @@ services: - JICOFO_RESERVATION_REST_BASE_URL - JVB_BREWERY_MUC - JIGASI_BREWERY_MUC + - JIGASI_SIP_URI - JIBRI_BREWERY_MUC - JIBRI_PENDING_TIMEOUT - TZ @@ -148,16 +210,16 @@ services: - jitsi-prosody networks: meet.jitsi: - restart: unless-stopped # Video bridge jitsi-jvb: - image: jitsi/jvb + image: jitsi/jvb:latest + restart: unless-stopped ports: - '${JVB_PORT}:${JVB_PORT}/udp' - '${JVB_TCP_PORT}:${JVB_TCP_PORT}' volumes: - - ${CONFIG}/jvb:/config + - ${CONFIG}/jvb:/config:Z env_file: - ../.envs/.production/.jitsi environment: @@ -171,14 +233,19 @@ services: - JVB_PORT - JVB_TCP_HARVESTER_DISABLED - JVB_TCP_PORT + - JVB_TCP_MAPPED_PORT - JVB_STUN_SERVERS - JVB_ENABLE_APIS + - JVB_WS_DOMAIN + - JVB_WS_SERVER_ID + - PUBLIC_URL - TZ depends_on: - jitsi-prosody networks: meet.jitsi: - restart: unless-stopped + aliases: + - jvb.meet.jitsi # Custom network so all services can communicate using a FQDN networks: diff --git a/scripts/conf/jitsi.env b/scripts/conf/jitsi.env index 2666101..3693dd4 100644 --- a/scripts/conf/jitsi.env +++ b/scripts/conf/jitsi.env @@ -1,61 +1,116 @@ +# shellcheck disable=SC2034 + +# Security +# +# Set these to strong passwords to avoid intruders from impersonating a service account +# The service(s) won't start unless these are specified +# Running ./gen-passwords.sh will update .env with strong passwords +# You may skip the Jigasi and Jibri passwords if you are not using those +# DO NOT reuse passwords +# + +# XMPP component password for Jicofo +JICOFO_COMPONENT_SECRET= + +# XMPP password for Jicofo client connections +JICOFO_AUTH_PASSWORD= + +# XMPP password for JVB client connections +JVB_AUTH_PASSWORD= + +# XMPP password for Jigasi MUC client connections +JIGASI_XMPP_PASSWORD= + +# XMPP recorder password for Jibri client connections +JIBRI_RECORDER_PASSWORD= + +# XMPP password for Jibri client connections +JIBRI_XMPP_PASSWORD= + + # # Basic configuration options # -# Directory where all configuration will be stored. +# Directory where all configuration will be stored #CONFIG=~/.jitsi-meet-cfg CONFIG=../.envs/.production/.jitsi-cfg -# Exposed HTTP port. +# Exposed HTTP port HTTP_PORT=80 -# Exposed HTTPS port. -HTTPS_PORT=8443 +# Exposed HTTPS port +HTTPS_PORT=443 -# System time zone. -TZ=Europe/Amsterdam +# System time zone +TZ=UTC -# Public URL for the web service. -#PUBLIC_URL=https://meet.example.com +# Public URL for the web service (required) +PUBLIC_URL=https://jitsi.mistborn -# IP address of the Docker host. See the "Running on a LAN environment" section -# in the README. +# IP address of the Docker host +# See the "Running behind NAT or on a LAN environment" section in the Handbook: +# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment +#DOCKER_HOST_ADDRESS=192.168.1.1 DOCKER_HOST_ADDRESS=10.2.3.1 +# Control whether the lobby feature should be enabled or not +#ENABLE_LOBBY=1 + +# Show a prejoin page before entering a conference +#ENABLE_PREJOIN_PAGE=0 # # Let's Encrypt configuration # -# Enable Let's Encrypt certificate generation. +# Enable Let's Encrypt certificate generation #ENABLE_LETSENCRYPT=1 -# Domain for which to generate the certificate. +# Domain for which to generate the certificate #LETSENCRYPT_DOMAIN=meet.example.com -# E-Mail for receiving important account notifications (mandatory). +# E-Mail for receiving important account notifications (mandatory) #LETSENCRYPT_EMAIL=alice@atlanta.net +# Use the staging server (for avoiding rate limits while testing) +#LETSENCRYPT_USE_STAGING=1 + # # Etherpad integration (for document sharing) # -# Set etherpad-lite URL (uncomment to enable). +# Set etherpad-lite URL in docker local network (uncomment to enable) #ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001 +# Set etherpad-lite public URL (uncomment to enable) +#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain + +# Name your etherpad instance! +ETHERPAD_TITLE="Video Chat" + +# The default text of a pad +ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n" + +# Name of the skin for etherpad +ETHERPAD_SKIN_NAME="colibris" + +# Skin variants for etherpad +ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor" + # # Basic Jigasi configuration options (needed for SIP gateway support) # -# SIP URI for incoming / outgoing calls. +# SIP URI for incoming / outgoing calls #JIGASI_SIP_URI=test@sip2sip.info # Password for the specified SIP account as a clear text #JIGASI_SIP_PASSWORD=passw0rd -# SIP server (use the SIP account domain if in doubt). +# SIP server (use the SIP account domain if in doubt) #JIGASI_SIP_SERVER=sip2sip.info # SIP server port @@ -65,13 +120,13 @@ DOCKER_HOST_ADDRESS=10.2.3.1 #JIGASI_SIP_TRANSPORT=UDP # -# Authentication configuration (see README for details) +# Authentication configuration (see handbook for details) # -# Enable authentication. +# Enable authentication #ENABLE_AUTH=1 -# Enable guest access. +# Enable guest access #ENABLE_GUESTS=1 # Select authentication type: internal, jwt or ldap @@ -80,38 +135,38 @@ DOCKER_HOST_ADDRESS=10.2.3.1 # JWT authentication # -# Application identifier. +# Application identifier #JWT_APP_ID=my_jitsi_app_id -# Application secret known only to your token. +# Application secret known only to your token #JWT_APP_SECRET=my_jitsi_app_secret -# (Optional) Set asap_accepted_issuers as a comma separated list. +# (Optional) Set asap_accepted_issuers as a comma separated list #JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client -# (Optional) Set asap_accepted_audiences as a comma separated list. +# (Optional) Set asap_accepted_audiences as a comma separated list #JWT_ACCEPTED_AUDIENCES=my_server1,my_server2 # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) # -# LDAP url for connection. +# LDAP url for connection #LDAP_URL=ldaps://ldap.domain.com/ # LDAP base DN. Can be empty #LDAP_BASE=DC=example,DC=domain,DC=com -# LDAP user DN. Do not specify this parameter for the anonymous bind. +# LDAP user DN. Do not specify this parameter for the anonymous bind #LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com -# LDAP user password. Do not specify this parameter for the anonymous bind. +# LDAP user password. Do not specify this parameter for the anonymous bind #LDAP_BINDPW=LdapUserPassw0rd # LDAP filter. Tokens example: -# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail. -# %s - %s is replaced by the complete service string. -# %r - %r is replaced by the complete realm string. +# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail +# %s - %s is replaced by the complete service string +# %r - %r is replaced by the complete realm string #LDAP_FILTER=(sAMAccountName=%u) # LDAP authentication method @@ -123,16 +178,16 @@ DOCKER_HOST_ADDRESS=10.2.3.1 # LDAP TLS using #LDAP_USE_TLS=1 -# List of SSL/TLS ciphers to allow. +# List of SSL/TLS ciphers to allow #LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC # Require and verify server certificate #LDAP_TLS_CHECK_PEER=1 -# Path to CA cert file. Used when server sertificate verify is enabled. +# Path to CA cert file. Used when server certificate verify is enabled #LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt -# Path to CA certs directory. Used when server sertificate verify is enabled. +# Path to CA certs directory. Used when server certificate verify is enabled #LDAP_TLS_CACERT_DIR=/etc/ssl/certs # Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps:// @@ -143,7 +198,7 @@ DOCKER_HOST_ADDRESS=10.2.3.1 # Advanced configuration options (you generally don't need to change these) # -# Internal XMPP domain. +# Internal XMPP domain XMPP_DOMAIN=meet.jitsi # Internal XMPP server @@ -152,18 +207,22 @@ XMPP_SERVER=xmpp.meet.jitsi # Internal XMPP server URL XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280 -# Internal XMPP domain for authenticated services. +# Internal XMPP domain for authenticated services XMPP_AUTH_DOMAIN=auth.meet.jitsi -# XMPP domain for the MUC. +# XMPP domain for the MUC XMPP_MUC_DOMAIN=muc.meet.jitsi -# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools. +# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi -# XMPP domain for unauthenticated users. +# XMPP domain for unauthenticated users XMPP_GUEST_DOMAIN=guest.meet.jitsi +# Comma separated list of domains for cross domain policy or "true" to allow all +# The PUBLIC_URL is always allowed +#XMPP_CROSS_DOMAIN=true + # Custom Prosody modules for XMPP_DOMAIN (comma separated) XMPP_MODULES= @@ -173,17 +232,14 @@ XMPP_MUC_MODULES= # Custom Prosody modules for internal MUC component (comma separated) XMPP_INTERNAL_MUC_MODULES= -# MUC for the JVB pool. +# MUC for the JVB pool JVB_BREWERY_MUC=jvbbrewery -# XMPP user for JVB client connections. +# XMPP user for JVB client connections JVB_AUTH_USER=jvb -# XMPP password for JVB client connections. -JVB_AUTH_PASSWORD=passw0rd - -# STUN servers used to discover the server's public IP. -JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302 +# STUN servers used to discover the server's public IP +JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443 # Media port for the Jitsi Videobridge JVB_PORT=10000 @@ -191,36 +247,32 @@ JVB_PORT=10000 # TCP Fallback for Jitsi Videobridge for when UDP isn't available JVB_TCP_HARVESTER_DISABLED=true JVB_TCP_PORT=4443 +JVB_TCP_MAPPED_PORT=4443 -# A comma separated list of APIs to enable when the JVB is started. The default is none. +# A comma separated list of APIs to enable when the JVB is started [default: none] # See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information #JVB_ENABLE_APIS=rest,colibri -# XMPP component password for Jicofo. -JICOFO_COMPONENT_SECRET=s3cr37 - -# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug. +# XMPP user for Jicofo client connections. +# NOTE: this option doesn't currently work due to a bug JICOFO_AUTH_USER=focus -# XMPP password for Jicofo client connections. -JICOFO_AUTH_PASSWORD=passw0rd - # Base URL of Jicofo's reservation REST API #JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com -# XMPP user for Jigasi MUC client connections. -JIGASI_XMPP_USER=jigasi +# Enable Jicofo's health check REST API (http://:8888/about/health) +#JICOFO_ENABLE_HEALTH_CHECKS=true -# XMPP password for Jigasi MUC client connections. -JIGASI_XMPP_PASSWORD=passw0rd +# XMPP user for Jigasi MUC client connections +JIGASI_XMPP_USER=jigasi -# MUC name for the Jigasi pool. +# MUC name for the Jigasi pool JIGASI_BREWERY_MUC=jigasibrewery -# Minimum port for media used by Jigasi. +# Minimum port for media used by Jigasi JIGASI_PORT_MIN=20000 -# Maximum port for media used by Jigasi. +# Maximum port for media used by Jigasi JIGASI_PORT_MAX=20050 # Enable SDES srtp @@ -235,20 +287,21 @@ JIGASI_PORT_MAX=20050 # Health-check interval #JIGASI_HEALTH_CHECK_INTERVAL=300000 # -# Enable Jigasi transcription. +# Enable Jigasi transcription #ENABLE_TRANSCRIPTIONS=1 -# Jigasi will recordord an audio when transcriber is on. Default false. +# Jigasi will record audio when transcriber is on [default: false] #JIGASI_TRANSCRIBER_RECORD_AUDIO=true -# Jigasi will send transcribed text to the chat when transcriber is on. Default false. +# Jigasi will send transcribed text to the chat when transcriber is on [default: false] #JIGASI_TRANSCRIBER_SEND_TXT=true -# Jigasi post to the chat an url with transcription file. Default false. +# Jigasi will post an url to the chat with transcription file [default: false] #JIGASI_TRANSCRIBER_ADVERTISE_URL=true # Credentials for connect to Cloud Google API from Jigasi -# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph. +# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol +# section "Before you begin" paragraph 1 to 5 # Copy the values from the json to the related env vars #GC_PROJECT_ID= #GC_PRIVATE_KEY_ID= @@ -263,25 +316,19 @@ JIGASI_PORT_MAX=20050 # XMPP domain for the jibri recorder XMPP_RECORDER_DOMAIN=recorder.meet.jitsi -# XMPP recorder user for Jibri client connections. +# XMPP recorder user for Jibri client connections JIBRI_RECORDER_USER=recorder -# XMPP recorder password for Jibri client connections. -JIBRI_RECORDER_PASSWORD=passw0rd - -# Directory for recordings inside Jibri container. +# Directory for recordings inside Jibri container JIBRI_RECORDING_DIR=/config/recordings -# The finalizing script. Will run after recording is complete. +# The finalizing script. Will run after recording is complete JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh -# XMPP user for Jibri client connections. +# XMPP user for Jibri client connections JIBRI_XMPP_USER=jibri -# XMPP password for Jibri client connections. -JIBRI_XMPP_PASSWORD=passw0rd - -# MUC name for the Jibri pool. +# MUC name for the Jibri pool JIBRI_BREWERY_MUC=jibribrewery # MUC connection timeout @@ -294,14 +341,26 @@ JIBRI_PENDING_TIMEOUT=90 # So if there are any prefixes in the jid (like jitsi meet, which # has its participants join a muc at conference.xmpp_domain) then # list that prefix here so it can be stripped out to generate -# the call url correctly. +# the call url correctly JIBRI_STRIP_DOMAIN_JID=muc -# Directory for logs inside Jibri container. +# Directory for logs inside Jibri container JIBRI_LOGS_DIR=/config/logs -# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup. +# Disable HTTPS: handle TLS connections outside of this setup DISABLE_HTTPS=1 -# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443). +# Redirect HTTP traffic to HTTPS +# Necessary for Let's Encrypt, relies on standard HTTPS port (443) #ENABLE_HTTP_REDIRECT=1 + +# Enable IPv6 +# Provides means to disable IPv6 in environments that don't support it (get with the times, people!) +#ENABLE_IPV6=1 + +# Container restart policy +# Defaults to unless-stopped +RESTART_POLICY=unless-stopped + +# Authenticate using external service or just focus external auth window if there is one already. +# TOKEN_AUTH_URL=https://auth.meet.example.com/{room} From e958b64283fe1188a4e7bc5ef1f7993b4096a0aa Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 11 Dec 2020 02:25:45 +0000 Subject: [PATCH 09/23] Resolve "version control jitsi containers" --- extra/jitsi-meet.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml index 3c47167..5670540 100644 --- a/extra/jitsi-meet.yml +++ b/extra/jitsi-meet.yml @@ -3,7 +3,7 @@ version: '3' services: # Frontend jitsi-web: - image: jitsi/web + image: jitsi/web:stable-5142-3 restart: unless-stopped #ports: #- '${HTTP_PORT}:80' @@ -111,7 +111,7 @@ services: # XMPP server jitsi-prosody: - image: jitsi/prosody:latest + image: jitsi/prosody:stable-5142-3 restart: unless-stopped expose: - '5222' @@ -182,7 +182,7 @@ services: # Focus component jitsi-jicofo: - image: jitsi/jicofo:latest + image: jitsi/jicofo:stable-5142-3 restart: unless-stopped volumes: - ${CONFIG}/jicofo:/config:Z @@ -213,7 +213,7 @@ services: # Video bridge jitsi-jvb: - image: jitsi/jvb:latest + image: jitsi/jvb:stable-5142-3 restart: unless-stopped ports: - '${JVB_PORT}:${JVB_PORT}/udp' From edaff5575bf51adafc80ba23a6f4a6d802e95371 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 1 Jan 2021 03:31:48 +0000 Subject: [PATCH 10/23] Resolve "Service Restarts" --- scripts/services/Mistborn-bitwarden.service | 1 + scripts/services/Mistborn-homeassistant.service | 1 + scripts/services/Mistborn-jellyfin.service | 1 + scripts/services/Mistborn-jitsi.service | 1 + scripts/services/Mistborn-nextcloud.service | 1 + scripts/services/Mistborn-onlyoffice.service | 1 + scripts/services/Mistborn-rocketchat.service | 1 + scripts/services/Mistborn-syncthing.service | 1 + scripts/services/Mistborn-tor.service | 1 + scripts/subinstallers/iptables.sh | 5 +++++ 10 files changed, 14 insertions(+) diff --git a/scripts/services/Mistborn-bitwarden.service b/scripts/services/Mistborn-bitwarden.service index ff79fde..d1343da 100644 --- a/scripts/services/Mistborn-bitwarden.service +++ b/scripts/services/Mistborn-bitwarden.service @@ -2,6 +2,7 @@ Description=Mistborn Bitwarden Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always diff --git a/scripts/services/Mistborn-homeassistant.service b/scripts/services/Mistborn-homeassistant.service index f1a0d4d..2acc9d8 100644 --- a/scripts/services/Mistborn-homeassistant.service +++ b/scripts/services/Mistborn-homeassistant.service @@ -2,6 +2,7 @@ Description=Mistborn Home Assistant Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always diff --git a/scripts/services/Mistborn-jellyfin.service b/scripts/services/Mistborn-jellyfin.service index 86d1315..d41c5f3 100644 --- a/scripts/services/Mistborn-jellyfin.service +++ b/scripts/services/Mistborn-jellyfin.service @@ -2,6 +2,7 @@ Description=Mistborn Jellyfin Service Requires=Mistborn-nextcloud.service After=Mistborn-nextcloud.service +PartOf=Mistborn-base.service [Service] Restart=always diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service index 49a9c21..c4c388f 100644 --- a/scripts/services/Mistborn-jitsi.service +++ b/scripts/services/Mistborn-jitsi.service @@ -2,6 +2,7 @@ Description=Mistborn Jitsi Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always diff --git a/scripts/services/Mistborn-nextcloud.service b/scripts/services/Mistborn-nextcloud.service index 6a9302c..40ed97a 100644 --- a/scripts/services/Mistborn-nextcloud.service +++ b/scripts/services/Mistborn-nextcloud.service @@ -2,6 +2,7 @@ Description=Mistborn Nextcloud Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always diff --git a/scripts/services/Mistborn-onlyoffice.service b/scripts/services/Mistborn-onlyoffice.service index 421912e..5e02128 100644 --- a/scripts/services/Mistborn-onlyoffice.service +++ b/scripts/services/Mistborn-onlyoffice.service @@ -2,6 +2,7 @@ Description=Mistborn OnlyOffice Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service index ecb93a2..3c1379d 100644 --- a/scripts/services/Mistborn-rocketchat.service +++ b/scripts/services/Mistborn-rocketchat.service @@ -2,6 +2,7 @@ Description=Mistborn Rocket Chat Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always diff --git a/scripts/services/Mistborn-syncthing.service b/scripts/services/Mistborn-syncthing.service index e3065f3..234a213 100644 --- a/scripts/services/Mistborn-syncthing.service +++ b/scripts/services/Mistborn-syncthing.service @@ -2,6 +2,7 @@ Description=Mistborn Syncthing Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always diff --git a/scripts/services/Mistborn-tor.service b/scripts/services/Mistborn-tor.service index bbb871f..68d01c5 100644 --- a/scripts/services/Mistborn-tor.service +++ b/scripts/services/Mistborn-tor.service @@ -2,6 +2,7 @@ Description=Mistborn Tor Service Requires=Mistborn-base.service After=Mistborn-base.service +PartOf=Mistborn-base.service [Service] Restart=always diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh index a687eb1..84aada7 100755 --- a/scripts/subinstallers/iptables.sh +++ b/scripts/subinstallers/iptables.sh @@ -113,6 +113,11 @@ fi # IP forwarding sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf + +# VM Overcommit Memory +sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf + +# Force re-read of sysctl.conf sudo sysctl -p /etc/sysctl.conf # rsyslog to create /var/log/iptables.log From 4a78fe1122725877a92ad74ed13b1fc1d3f023cb Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 16 Jan 2021 15:56:14 -0500 Subject: [PATCH 11/23] pihole version v5.3.4 --- base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base.yml b/base.yml index 04be844..bfc6acc 100644 --- a/base.yml +++ b/base.yml @@ -158,7 +158,7 @@ services: pihole: container_name: mistborn_production_pihole - image: pihole/pihole:latest + image: pihole/pihole:v5.3.4 env_file: - /opt/mistborn_volumes/base/base.txt ports: From a6f3430fc7bfa4a001a43501bf4b925cedcf0a78 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Mon, 18 Jan 2021 13:51:30 +0000 Subject: [PATCH 12/23] Resolve "Jitsi - "You have beend disconnected" - Only on iOS devices, PC's fine" --- .gitlab-ci.yml | 3 ++- scripts/subinstallers/gen_prod_env.sh | 2 +- scripts/subinstallers/openssl.sh | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c38e178..00fe442 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -17,7 +17,8 @@ include: docker_build: stage: test script: + - apk add bash - apk add docker-compose - - scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD" + - bash scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD" - docker-compose -f base.yml build diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index f4b9675..ef9bab6 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash figlet "Mistborn: Container Credentials" diff --git a/scripts/subinstallers/openssl.sh b/scripts/subinstallers/openssl.sh index 6862cfc..86fd52e 100755 --- a/scripts/subinstallers/openssl.sh +++ b/scripts/subinstallers/openssl.sh @@ -17,7 +17,7 @@ sudo -E mkdir -p $KEY_FOLDER sudo -E rm -f ${KEY_FOLDER}/* # generate crt and key -sudo -E openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -addext "subjectAltName = DNS:*.mistborn" -addext extendedKeyUsage=serverAuth -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" +sudo -E openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -addext "subjectAltName=DNS:*.mistborn,DNS:jitsi.mistborn,DNS:bitwarden.mistborn,DNS:chat.mistborn,DNS:homeassistant.mistborn,DNS:jellyfin.mistborn,DNS:syncthing.mistborn,DNS:nextcloud.mistborn,DNS:onlyoffice.mistborn" -addext extendedKeyUsage=serverAuth -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" # set permissions sudo -E chown -R mistborn:mistborn ${KEY_FOLDER} From 78c3ccf9de326682838fa4ab5d7f3688e5a9f412 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Mon, 18 Jan 2021 15:14:44 +0000 Subject: [PATCH 13/23] Resolve "E: Package 'cockpit-docker' has no installation candidate" --- base.yml | 20 ++++++++++---------- scripts/subinstallers/cockpit.sh | 4 +++- scripts/subinstallers/openssl.sh | 2 +- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/base.yml b/base.yml index bfc6acc..60dcc5b 100644 --- a/base.yml +++ b/base.yml @@ -145,16 +145,16 @@ services: restart: unless-stopped - flower: - image: "cyber5k/mistborn:${MISTBORN_TAG}" - container_name: mistborn_production_flower - env_file: - - ./.envs/.production/.django - - ./.envs/.production/.postgres - ports: - - "5555:5555/tcp" - command: /start-flower - restart: unless-stopped + #flower: + # image: "cyber5k/mistborn:${MISTBORN_TAG}" + # container_name: mistborn_production_flower + # env_file: + # - ./.envs/.production/.django + # - ./.envs/.production/.postgres + # ports: + # - "5555:5555/tcp" + # command: /start-flower + # restart: unless-stopped pihole: container_name: mistborn_production_pihole diff --git a/scripts/subinstallers/cockpit.sh b/scripts/subinstallers/cockpit.sh index fbdb141..6d27958 100755 --- a/scripts/subinstallers/cockpit.sh +++ b/scripts/subinstallers/cockpit.sh @@ -16,9 +16,11 @@ fi sudo -E apt-get install -y cockpit -if $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ; then +if [ $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ]; then # no longer supported upstream in Ubuntu 20.04 sudo -E apt-get install -y cockpit-docker +elif [ $(sudo apt-cache show cockpit-podman > /dev/null 2>&1) ]; then + sudo -E apt-get install -y cockpit-podman fi sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf diff --git a/scripts/subinstallers/openssl.sh b/scripts/subinstallers/openssl.sh index 86fd52e..76e2dbe 100755 --- a/scripts/subinstallers/openssl.sh +++ b/scripts/subinstallers/openssl.sh @@ -17,7 +17,7 @@ sudo -E mkdir -p $KEY_FOLDER sudo -E rm -f ${KEY_FOLDER}/* # generate crt and key -sudo -E openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -addext "subjectAltName=DNS:*.mistborn,DNS:jitsi.mistborn,DNS:bitwarden.mistborn,DNS:chat.mistborn,DNS:homeassistant.mistborn,DNS:jellyfin.mistborn,DNS:syncthing.mistborn,DNS:nextcloud.mistborn,DNS:onlyoffice.mistborn" -addext extendedKeyUsage=serverAuth -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" +sudo -E openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -addext "subjectAltName=DNS:*.mistborn,DNS:home.mistborn,DNS:jitsi.mistborn,DNS:bitwarden.mistborn,DNS:chat.mistborn,DNS:homeassistant.mistborn,DNS:jellyfin.mistborn,DNS:syncthing.mistborn,DNS:nextcloud.mistborn,DNS:onlyoffice.mistborn" -addext extendedKeyUsage=serverAuth -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" # set permissions sudo -E chown -R mistborn:mistborn ${KEY_FOLDER} From 5980955cc5ee22b54638fce812d27332d1b7a286 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 19 Jan 2021 19:23:38 -0500 Subject: [PATCH 14/23] use port 80 --- scripts/subinstallers/wireguard.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/subinstallers/wireguard.sh b/scripts/subinstallers/wireguard.sh index 1b7b339..baedd88 100755 --- a/scripts/subinstallers/wireguard.sh +++ b/scripts/subinstallers/wireguard.sh @@ -12,10 +12,10 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then echo "Adding Wireguard repo keys" sudo -E apt-get install -y dirmngr - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553 - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010 - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138 + sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8B48AD6246925553 + sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7638D0442B90D010 + sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 04EE7237B7D453EC + sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 648ACFD622F3D138 fi if [ "$DISTRO" == "ubuntu" ]; then From d311c45ef55ac580942fc3058ea69798f836f78f Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 21 Jan 2021 00:23:16 +0000 Subject: [PATCH 15/23] Resolve "Update pihole: dnspooq" --- base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base.yml b/base.yml index 60dcc5b..ba22052 100644 --- a/base.yml +++ b/base.yml @@ -158,7 +158,7 @@ services: pihole: container_name: mistborn_production_pihole - image: pihole/pihole:v5.3.4 + image: pihole/pihole:v5.5.1 env_file: - /opt/mistborn_volumes/base/base.txt ports: From 35b7a2f3356f18762407699921a46b17adfc8b0d Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 17 Feb 2021 04:26:58 +0000 Subject: [PATCH 16/23] Resolve "Error while installing Mistborn" --- scripts/subinstallers/docker_manual.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/subinstallers/docker_manual.sh b/scripts/subinstallers/docker_manual.sh index 2cbb329..2d02ddb 100755 --- a/scripts/subinstallers/docker_manual.sh +++ b/scripts/subinstallers/docker_manual.sh @@ -63,6 +63,7 @@ echo "Installing Docker Compose" # Install Docker Compose from pip # This might take a while -sudo pip3 install docker-compose +# cryptography >=3.4 requires rust to compile, and no rust compiler is readily available for ARM +sudo pip3 install cryptography==3.3.2 docker-compose #fi From 442b43f472ec1b94726a83fd62debbefebe0c518 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 27 Feb 2021 00:50:21 +0000 Subject: [PATCH 17/23] Resolve "Add Apache Guacamole service" --- README.md | 6 +- extra/guacamole.yml | 71 +++++++++++++++++++++ scripts/env/guacamole_init.sh | 16 +++++ scripts/services/Mistborn-guacamole.service | 24 +++++++ scripts/subinstallers/gen_prod_env.sh | 12 ++++ 5 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 extra/guacamole.yml create mode 100755 scripts/env/guacamole_init.sh create mode 100644 scripts/services/Mistborn-guacamole.service diff --git a/README.md b/README.md index e5afaa0..3026cd5 100644 --- a/README.md +++ b/README.md @@ -50,6 +50,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b - [Jellyfin](https://jellyfin.org): The Free Media Software System. - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy. - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing +- [Guacamole](https://guacamole.apache.org): A clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH. # Quickstart Tested Operating Systems (in order of thoroughness): @@ -69,7 +70,7 @@ The Mistborn docker images exist for these architectures: | Mistborn Docker Images (hub.docker.com) | Architectures | |------------------------------------------------|---------------------| -| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, arm/v7 | +| mistborn (django, celery{worker,beat}) | amd64, arm64, arm/v7 | | dnscrypt-proxy | amd64, arm64, arm/v7 | Recommended System Specifications: @@ -277,6 +278,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client | Syncthing | syncthing.mistborn | Off | | OnlyOffice | onlyoffice.mistborn | Off | | Jitsi | jitsi.mistborn | Off | +| Guacamole | guac.mistborn | Off | # Default Credentials These are the default credentials to use in the services you choose to use: @@ -286,6 +288,7 @@ These are the default credentials to use in the services you choose to use: | Pihole | | {{default mistborn password}} | | Cockpit | cockpit | {{default mistborn password}} | | Nextcloud | mistborn | {{default mistborn password}} | +| Guacamole | mistborn | {{default mistborn password }} | You can find the credentials sent to the Docker containers in: `/opt/mistborn/.envs/.production/` @@ -445,6 +448,7 @@ sudo journalctl -xfu Mistborn-syncthing sudo journalctl -xfu Mistborn-jellyfin sudo journalctl -xfu Mistborn-nextcloud sudo journalctl -xfu Mistborn-jitsi +sudo journalctl -xfu Mistborn-guacamole sudo journalctl -xfu Mistborn-rocketchat sudo journalctl -xfu Mistborn-onlyoffice sudo journalctl -xfu Mistborn-tor diff --git a/extra/guacamole.yml b/extra/guacamole.yml new file mode 100644 index 0000000..f3310a7 --- /dev/null +++ b/extra/guacamole.yml @@ -0,0 +1,71 @@ +version: '3' + +# services +services: + # guacd + guacd: + container_name: mistborn_production_guacd + image: guacamole/guacd + networks: + guacnetwork: + restart: unless-stopped + volumes: + - ../../mistborn_volumes/extra/guacamole/drive:/drive:rw + - ../../mistborn_volumes/extra/guacamole/record:/record:rw + + + # postgres + guac_postgres: + container_name: mistborn_production_guac_postgres + env_file: + - ../.envs/.production/.guacamole + environment: + PGDATA: /var/lib/postgresql/data/guacamole + image: postgres + networks: + guacnetwork: + restart: unless-stopped + volumes: + - ../../mistborn_volumes/extra/guacamole/init:/docker-entrypoint-initdb.d:ro + - ../../mistborn_volumes/extra/guacamole/data:/var/lib/postgresql/data:rw + + + # guacamole + guacamole: + container_name: mistborn_production_guacamole + labels: + - "traefik.enable=true" + - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)" + - "traefik.http.routers.guacamole-http.entrypoints=web" + - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)" + - "traefik.http.routers.guacamole-https.entrypoints=websecure" + - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.guacamole-https.tls.certresolver=basic" + - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080" + depends_on: + - guacd + - guac_postgres + environment: + GUACD_HOSTNAME: guacd + GUACD_PORT: 4822 + #GUACAMOLE_HOME: /config + env_file: + - ../.envs/.production/.guacamole + image: guacamole/guacamole + links: + - guacd + networks: + guacnetwork: + #ports: +## enable next line if not using nginx +## - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /. +## enable next line when using nginx + #- 8080/tcp + restart: unless-stopped + +# networks +# create a network 'guacnetwork' in mode 'bridged' +networks: + guacnetwork: + driver: bridge diff --git a/scripts/env/guacamole_init.sh b/scripts/env/guacamole_init.sh new file mode 100755 index 0000000..50c846f --- /dev/null +++ b/scripts/env/guacamole_init.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1 +chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/ +docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql + +# grab values in initdb.sql to replace +HEXSTRINGS=($(egrep -o [0-9a-fA-F]{64} /opt/mistborn_volumes/extra/guacamole/init/initdb.sql)) + +# reset default password in init.db +SALT=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice('0123456789ABCDEF') for x in range(64)]))") +GUAC_PASSWORD_HASHED=$(echo -n "${MISTBORN_DEFAULT_PASSWORD}${SALT}" | sha256sum | awk '{print $1}' | tr a-z A-Z) + +sed -i "s/${HEXSTRINGS[1]}/$SALT/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql +sed -i "s/${HEXSTRINGS[0]}/$GUAC_PASSWORD_HASHED/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql +sed -i "s/guacadmin/mistborn/g" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql \ No newline at end of file diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service new file mode 100644 index 0000000..be4f9f1 --- /dev/null +++ b/scripts/services/Mistborn-guacamole.service @@ -0,0 +1,24 @@ +[Unit] +Description=Mistborn Guacamole +Requires=Mistborn-base.service +After=Mistborn-base.service +PartOf=Mistborn-base.service + +[Service] +Restart=always +User=root +Group=docker +PermissionsStartOnly=true +EnvironmentFile=/opt/mistborn/.envs/.production/.guacamole +ExecStartPre=/opt/mistborn/scripts/env/guacamole_init.sh +# Shutdown container (if running) when unit is stopped +ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down + +# Start container when unit is started +ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml up --build +# Stop container when unit is stopped +ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down +# Post stop + +[Install] +WantedBy=multi-user.target diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index ef9bab6..bc06297 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -78,3 +78,15 @@ sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; im sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" + +# Guacamole +GUAC_PROD_FILE="./.envs/.production/.guacamole" +GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE +echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE +echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE +echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE +echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE +echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE +echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file From c2f42d6794463524478d2b6dcf6d04ba3b011a1b Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 27 Feb 2021 17:48:43 +0000 Subject: [PATCH 18/23] Resolve "Guacamole details and prefix" --- README.md | 9 +++++++++ base.yml | 9 ++++----- extra/guacamole.yml | 5 +++-- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 3026cd5..cf6f56f 100644 --- a/README.md +++ b/README.md @@ -128,6 +128,15 @@ In Mistborn, Gateways are upstream from the VPN server so connections to third-p The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads. +# Remote Desktop +Remote desktops enable multiple users to share desktop resources and data. Remote desktops also enable groups to prevent sensitive data from ever entering an endpoint devices such as a smartphone. For reference, some United States Government regulations require controls to protect Controlled Unclassified Information (CUI) that are not feasible to implement on all endpoint devices and remote desktops prevent the data from entering the device (see NIST SP 800-171 3.1.19, CMMC AC.3.022). + +Mistborn enables remote desktop access via the Apache Guacamole extra service, which supports VNC, RDP, SSH, and other protocols. + +![Guacamole Recent Connections](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_connections.png) + +Guacamole implements its own users and groups access controls to manage access to individual desktops. All Mistborn users must be authenticated with Mistborn (via Wireguard only or MFA) to access the Guacamole interface. + # Client to client communication By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle. diff --git a/base.yml b/base.yml index ba22052..d7945a7 100644 --- a/base.yml +++ b/base.yml @@ -160,7 +160,7 @@ services: container_name: mistborn_production_pihole image: pihole/pihole:v5.5.1 env_file: - - /opt/mistborn_volumes/base/base.txt + - ./.envs/.production/.pihole ports: - "${MISTBORN_DNS_BIND_IP}:53:53/tcp" - "${MISTBORN_DNS_BIND_IP}:53:53/udp" @@ -168,11 +168,12 @@ services: - "traefik.enable=true" - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)" - "traefik.http.routers.pihole-http.entrypoints=web" - - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file,add-pihole-admin" - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)" - "traefik.http.routers.pihole-https.entrypoints=websecure" - - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file,add-pihole-admin" - "traefik.http.routers.pihole-https.tls.certresolver=basic" + - "traefik.http.middlewares.add-pihole-admin.addPrefix.prefix=/admin" - "traefik.http.services.pihole-service.loadbalancer.server.port=80" environment: - ServerIP=10.2.0.3 @@ -182,8 +183,6 @@ services: - DNSMASQ_LISTENING=all # TZ: 'America/New York' # Volumes store your data between container upgrades - env_file: - - ./.envs/.production/.pihole volumes: - ../mistborn_volumes/base/pihole/etc-pihole:/etc/pihole/ - ../mistborn_volumes/base/pihole/etc-dnsmasqd:/etc/dnsmasq.d/ diff --git a/extra/guacamole.yml b/extra/guacamole.yml index f3310a7..59a83ac 100644 --- a/extra/guacamole.yml +++ b/extra/guacamole.yml @@ -37,11 +37,12 @@ services: - "traefik.enable=true" - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)" - "traefik.http.routers.guacamole-http.entrypoints=web" - - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole" - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)" - "traefik.http.routers.guacamole-https.entrypoints=websecure" - - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole" - "traefik.http.routers.guacamole-https.tls.certresolver=basic" + - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole" - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080" depends_on: - guacd From b44a5431720b4e01f2b10b7fbbe575250248a8e4 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 28 Feb 2021 00:33:15 -0500 Subject: [PATCH 19/23] updates --- README.md | 2 +- base.yml | 2 +- extra/jitsi-meet.yml | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index cf6f56f..d99a238 100644 --- a/README.md +++ b/README.md @@ -344,7 +344,7 @@ But wait, there's more! You can: | Jitsi Meet | [Jitsi Meet](https://play.google.com/store/apps/details?id=org.jitsi.meet) | [Jitsi Meet](https://apps.apple.com/us/app/jitsi-meet/id1165103905) | | Bitwarden | [Bitwarden](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) | [Bitwarden](https://apps.apple.com/us/app/bitwarden-password-manager/id1137397744) | | Jellyfin | [Jellyfin](https://play.google.com/store/apps/details?id=org.jellyfin.mobile) | [Jellyfin](https://apps.apple.com/us/app/jellyfin-mobile/id1480192618) | -| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) | | +| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) | [Home Assistant](https://apps.apple.com/us/app/home-assistant/id1099568401) | | Rocket.Chat | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android) | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252) | ## TLS Certificate diff --git a/base.yml b/base.yml index d7945a7..2b19d53 100644 --- a/base.yml +++ b/base.yml @@ -158,7 +158,7 @@ services: pihole: container_name: mistborn_production_pihole - image: pihole/pihole:v5.5.1 + image: pihole/pihole:latest env_file: - ./.envs/.production/.pihole ports: diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml index 5670540..421f2a3 100644 --- a/extra/jitsi-meet.yml +++ b/extra/jitsi-meet.yml @@ -3,7 +3,7 @@ version: '3' services: # Frontend jitsi-web: - image: jitsi/web:stable-5142-3 + image: jitsi/web:latest restart: unless-stopped #ports: #- '${HTTP_PORT}:80' @@ -111,7 +111,7 @@ services: # XMPP server jitsi-prosody: - image: jitsi/prosody:stable-5142-3 + image: jitsi/prosody:latest restart: unless-stopped expose: - '5222' @@ -182,7 +182,7 @@ services: # Focus component jitsi-jicofo: - image: jitsi/jicofo:stable-5142-3 + image: jitsi/jicofo:latest restart: unless-stopped volumes: - ${CONFIG}/jicofo:/config:Z @@ -213,7 +213,7 @@ services: # Video bridge jitsi-jvb: - image: jitsi/jvb:stable-5142-3 + image: jitsi/jvb:latest restart: unless-stopped ports: - '${JVB_PORT}:${JVB_PORT}/udp' From 49bad9c7baa6bd4decb63c402148c9e4b184441f Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 3 Mar 2021 17:21:45 +0000 Subject: [PATCH 20/23] Resolve "Updates - handle added extra services" --- README.md | 1 + scripts/env/check_env_file.sh | 35 ++++++++++++ scripts/env/setup.sh | 3 + scripts/install.sh | 1 + scripts/services/Mistborn-bitwarden.service | 6 +- scripts/services/Mistborn-guacamole.service | 8 +-- .../services/Mistborn-homeassistant.service | 6 +- scripts/services/Mistborn-jellyfin.service | 6 +- scripts/services/Mistborn-jitsi.service | 14 ++--- scripts/services/Mistborn-nextcloud.service | 8 +-- scripts/services/Mistborn-onlyoffice.service | 6 +- scripts/services/Mistborn-rocketchat.service | 7 +-- scripts/services/Mistborn-syncthing.service | 6 +- scripts/services/Mistborn-tor.service | 6 +- .../guacamole/init.sh} | 5 ++ scripts/services/jitsi/iptables_down.sh | 4 ++ scripts/services/jitsi/iptables_up.sh | 4 ++ scripts/subinstallers/extra/bitwarden.sh | 6 ++ scripts/subinstallers/extra/guacamole.sh | 13 +++++ scripts/subinstallers/extra/jitsi.sh | 12 ++++ scripts/subinstallers/extra/nextcloud.sh | 9 +++ scripts/subinstallers/extra/onlyoffice.sh | 7 +++ scripts/subinstallers/extra/rocketchat.sh | 13 +++++ scripts/subinstallers/gen_prod_env.sh | 55 ++----------------- scripts/wrappers/mistborn_docker.sh | 35 ++++++++++++ 25 files changed, 186 insertions(+), 90 deletions(-) create mode 100755 scripts/env/check_env_file.sh rename scripts/{env/guacamole_init.sh => services/guacamole/init.sh} (86%) create mode 100755 scripts/services/jitsi/iptables_down.sh create mode 100755 scripts/services/jitsi/iptables_up.sh create mode 100755 scripts/subinstallers/extra/bitwarden.sh create mode 100755 scripts/subinstallers/extra/guacamole.sh create mode 100755 scripts/subinstallers/extra/jitsi.sh create mode 100755 scripts/subinstallers/extra/nextcloud.sh create mode 100755 scripts/subinstallers/extra/onlyoffice.sh create mode 100755 scripts/subinstallers/extra/rocketchat.sh create mode 100755 scripts/wrappers/mistborn_docker.sh diff --git a/README.md b/README.md index d99a238..252331c 100644 --- a/README.md +++ b/README.md @@ -518,6 +518,7 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/ - The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days. - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked. - Unattended upgrades are set to automatically install operating system security updates. +- Ownership of mistborn files is set to the system mistborn user and access to environment variables is disabled for users other than the owner. # Roadmap (not necessarily in order) Many features and refinements are in the works at various stages including: diff --git a/scripts/env/check_env_file.sh b/scripts/env/check_env_file.sh new file mode 100755 index 0000000..e3bafb1 --- /dev/null +++ b/scripts/env/check_env_file.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +set -e + +SERVICE="$1" + +export MISTBORN_HOME=/opt/mistborn +export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh" +export SERVICE_ENV_FILE="${MISTBORN_HOME}/.envs/.production/.${SERVICE}" + +# read in global variables +set -a +source ${MISTBORN_HOME}/.env +source ${MISTBORN_HOME}/.envs/.production/.django +source ${MISTBORN_HOME}/.envs/.production/.postgres +source ${MISTBORN_HOME}/.envs/.production/.pihole +set +a + +if [[ -f "${SERVICE_ENV_INSTALLER}" ]]; then + + if [[ -f "${SERVICE_ENV_FILE}" ]]; then + echo "Environment file already exists." + else + + # create env file for service + echo "Creating environment file" + source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE + chown mistborn:mistborn $SERVICE_ENV_FILE + chmod 600 $SERVICE_ENV_FILE + + fi + +else + echo "No subinstaller found." +fi diff --git a/scripts/env/setup.sh b/scripts/env/setup.sh index 43060b6..bbf0237 100755 --- a/scripts/env/setup.sh +++ b/scripts/env/setup.sh @@ -11,6 +11,7 @@ source /opt/mistborn/scripts/subinstallers/platform.sh # setup env file echo "" | sudo tee ${VAR_FILE} sudo chown mistborn:mistborn ${VAR_FILE} +sudo chmod 600 ${VAR_FILE} # MISTBORN_DNS_BIND_IP @@ -58,4 +59,6 @@ done # default interface sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/" +echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE} + sudo systemctl daemon-reload diff --git a/scripts/install.sh b/scripts/install.sh index 31e0f83..e79b838 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -248,6 +248,7 @@ sudo resolvconf -u 1>/dev/null 2>&1 echo "backup up original volumes folder" sudo mkdir -p ../mistborn_backup +sudo chmod 700 ../mistborn_backup sudo tar -czf ../mistborn_backup/mistborn_volumes_backup.tar.gz ../mistborn_volumes 1>/dev/null 2>&1 # clean docker diff --git a/scripts/services/Mistborn-bitwarden.service b/scripts/services/Mistborn-bitwarden.service index d1343da..4fed369 100644 --- a/scripts/services/Mistborn-bitwarden.service +++ b/scripts/services/Mistborn-bitwarden.service @@ -10,13 +10,13 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service index be4f9f1..a688edd 100644 --- a/scripts/services/Mistborn-guacamole.service +++ b/scripts/services/Mistborn-guacamole.service @@ -9,15 +9,13 @@ Restart=always User=root Group=docker PermissionsStartOnly=true -EnvironmentFile=/opt/mistborn/.envs/.production/.guacamole -ExecStartPre=/opt/mistborn/scripts/env/guacamole_init.sh # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-homeassistant.service b/scripts/services/Mistborn-homeassistant.service index 2acc9d8..a36b7c0 100644 --- a/scripts/services/Mistborn-homeassistant.service +++ b/scripts/services/Mistborn-homeassistant.service @@ -10,12 +10,12 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-jellyfin.service b/scripts/services/Mistborn-jellyfin.service index d41c5f3..7c27676 100644 --- a/scripts/services/Mistborn-jellyfin.service +++ b/scripts/services/Mistborn-jellyfin.service @@ -10,12 +10,12 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service index c4c388f..c6bcd5c 100644 --- a/scripts/services/Mistborn-jitsi.service +++ b/scripts/services/Mistborn-jitsi.service @@ -9,20 +9,18 @@ Restart=always User=root Group=docker PermissionsStartOnly=true -EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh -ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build + # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down # Post stop -ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP +ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-nextcloud.service b/scripts/services/Mistborn-nextcloud.service index 40ed97a..f46c2b7 100644 --- a/scripts/services/Mistborn-nextcloud.service +++ b/scripts/services/Mistborn-nextcloud.service @@ -6,16 +6,16 @@ PartOf=Mistborn-base.service [Service] Restart=always -User=www-data +User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-onlyoffice.service b/scripts/services/Mistborn-onlyoffice.service index 5e02128..72b31d8 100644 --- a/scripts/services/Mistborn-onlyoffice.service +++ b/scripts/services/Mistborn-onlyoffice.service @@ -10,12 +10,12 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service index 3c1379d..37bb83f 100644 --- a/scripts/services/Mistborn-rocketchat.service +++ b/scripts/services/Mistborn-rocketchat.service @@ -9,15 +9,14 @@ Restart=always User=root Group=docker PermissionsStartOnly=true -EnvironmentFile=/opt/mistborn/.env # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP diff --git a/scripts/services/Mistborn-syncthing.service b/scripts/services/Mistborn-syncthing.service index 234a213..273be71 100644 --- a/scripts/services/Mistborn-syncthing.service +++ b/scripts/services/Mistborn-syncthing.service @@ -10,14 +10,14 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP diff --git a/scripts/services/Mistborn-tor.service b/scripts/services/Mistborn-tor.service index 68d01c5..ed47323 100644 --- a/scripts/services/Mistborn-tor.service +++ b/scripts/services/Mistborn-tor.service @@ -10,13 +10,13 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP diff --git a/scripts/env/guacamole_init.sh b/scripts/services/guacamole/init.sh similarity index 86% rename from scripts/env/guacamole_init.sh rename to scripts/services/guacamole/init.sh index 50c846f..1e8634f 100755 --- a/scripts/env/guacamole_init.sh +++ b/scripts/services/guacamole/init.sh @@ -1,5 +1,10 @@ #!/bin/bash +if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then + echo "initdb.sql exists. Proceeding." + exit 0 +fi + mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1 chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/ docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql diff --git a/scripts/services/jitsi/iptables_down.sh b/scripts/services/jitsi/iptables_down.sh new file mode 100755 index 0000000..f7dc3cc --- /dev/null +++ b/scripts/services/jitsi/iptables_down.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP \ No newline at end of file diff --git a/scripts/services/jitsi/iptables_up.sh b/scripts/services/jitsi/iptables_up.sh new file mode 100755 index 0000000..50756c0 --- /dev/null +++ b/scripts/services/jitsi/iptables_up.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP \ No newline at end of file diff --git a/scripts/subinstallers/extra/bitwarden.sh b/scripts/subinstallers/extra/bitwarden.sh new file mode 100755 index 0000000..abc37a5 --- /dev/null +++ b/scripts/subinstallers/extra/bitwarden.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# generate bitwarden .env files +BITWARDEN_PROD_FILE="$1" +echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE +echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/guacamole.sh b/scripts/subinstallers/extra/guacamole.sh new file mode 100755 index 0000000..8df9d00 --- /dev/null +++ b/scripts/subinstallers/extra/guacamole.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# Guacamole +GUAC_PROD_FILE="$1" +GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE +echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE +echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE +echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE +echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE +echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE +echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/jitsi.sh b/scripts/subinstallers/extra/jitsi.sh new file mode 100755 index 0000000..fcf3493 --- /dev/null +++ b/scripts/subinstallers/extra/jitsi.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +# JITSI +JITSI_PROD_FILE="$1" +cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE +mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb} +sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" \ No newline at end of file diff --git a/scripts/subinstallers/extra/nextcloud.sh b/scripts/subinstallers/extra/nextcloud.sh new file mode 100755 index 0000000..b1568b7 --- /dev/null +++ b/scripts/subinstallers/extra/nextcloud.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# generate nextcloud .env files +NEXTCLOUD_PROD_FILE="$1" +#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" +echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE +echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE +echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/onlyoffice.sh b/scripts/subinstallers/extra/onlyoffice.sh new file mode 100755 index 0000000..3fadeca --- /dev/null +++ b/scripts/subinstallers/extra/onlyoffice.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# generate onlyoffice .env files +ONLYOFFICE_PROD_FILE="$1" +JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}" +echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE +echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/rocketchat.sh b/scripts/subinstallers/extra/rocketchat.sh new file mode 100755 index 0000000..6da1e2d --- /dev/null +++ b/scripts/subinstallers/extra/rocketchat.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# generate rocketchat .env files +ROCKETCHAT_PROD_FILE="$1" +#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" +echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE +echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE +echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE +echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE + +# docker environment +echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index bc06297..d185c32 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -4,6 +4,7 @@ figlet "Mistborn: Container Credentials" # generate production .env file for Django mkdir -p ./.envs/.production +chmod 700 ./.envs DJANGO_PROD_FILE="./.envs/.production/.django" DJANGO_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(50)]))") #CELERY_FLOWER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") @@ -22,6 +23,7 @@ echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE +chmod 600 $DJANGO_PROD_FILE # generate production .env file for postgresql POSTGRES_PROD_FILE="./.envs/.production/.postgres" @@ -31,6 +33,7 @@ echo "POSTGRES_PORT=5432" >> $POSTGRES_PROD_FILE echo "POSTGRES_DB=mistborn" >> $POSTGRES_PROD_FILE echo "POSTGRES_USER=prod" >> $POSTGRES_PROD_FILE echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> $POSTGRES_PROD_FILE +chmod 600 $POSTGRES_PROD_FILE # generate production .env file for pihole @@ -39,54 +42,4 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole" WEBPASSWORD="$1" echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE - -# generate rocketchat .env files -ROCKETCHAT_PROD_FILE="./.envs/.production/.rocketchat" -#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") -ROCKETCHAT_PASSWORD="$1" -echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE -echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE -echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE -echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE - -# generate nextcloud .env files -NEXTCLOUD_PROD_FILE="./.envs/.production/.nextcloud" -#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") -NEXTCLOUD_PASSWORD="$1" -echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE - -# generate onlyoffice .env files -ONLYOFFICE_PROD_FILE="./.envs/.production/.onlyoffice" -JWT_SECRET="$1" -echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE -echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE - -# generate bitwarden .env files -BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden" -echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE -echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE - -# JITSI -JITSI_PROD_FILE="./.envs/.production/.jitsi" -cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE -mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb} -sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" - -# Guacamole -GUAC_PROD_FILE="./.envs/.production/.guacamole" -GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") -echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE -echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE -echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE -echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE -echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE -echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE -echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file +chmod 600 $PIHOLE_PROD_FILE diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh new file mode 100755 index 0000000..781eaa6 --- /dev/null +++ b/scripts/wrappers/mistborn_docker.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +set -e + +SERVICE="$1" +shift + +export MISTBORN_HOME="/opt/mistborn" +export MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE} +export MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh + +# check and create file if needed +${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE} + +# read in variables +set -a +source ${MISTBORN_HOME}/.env + +if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then + echo "Loading service variables" + source ${MISTBORN_SERVICE_FILE} +else + echo "No service variables to load. Proceeding." +fi +set +a + +# init script +if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then + echo "Running init script" + ${MISTBORN_SERVICE_INIT} +else + echo "No init script. Proceeding." +fi + +exec "$@" \ No newline at end of file From 84961c793feaf3a227d6186ce2ab069ebd543823 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 5 Mar 2021 20:36:13 -0500 Subject: [PATCH 21/23] parsing --- scripts/subinstallers/extra/guacamole.sh | 2 +- scripts/subinstallers/extra/nextcloud.sh | 2 +- scripts/subinstallers/extra/onlyoffice.sh | 2 +- scripts/subinstallers/extra/rocketchat.sh | 2 +- scripts/subinstallers/gen_prod_env.sh | 6 +++--- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/scripts/subinstallers/extra/guacamole.sh b/scripts/subinstallers/extra/guacamole.sh index 8df9d00..8c76a89 100755 --- a/scripts/subinstallers/extra/guacamole.sh +++ b/scripts/subinstallers/extra/guacamole.sh @@ -10,4 +10,4 @@ echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file +echo "MISTBORN_DEFAULT_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $GUAC_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/nextcloud.sh b/scripts/subinstallers/extra/nextcloud.sh index b1568b7..101f93c 100755 --- a/scripts/subinstallers/extra/nextcloud.sh +++ b/scripts/subinstallers/extra/nextcloud.sh @@ -5,5 +5,5 @@ NEXTCLOUD_PROD_FILE="$1" #NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE +echo "NEXTCLOUD_ADMIN_PASSWORD=\"$NEXTCLOUD_PASSWORD\"" >> $NEXTCLOUD_PROD_FILE echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/onlyoffice.sh b/scripts/subinstallers/extra/onlyoffice.sh index 3fadeca..aa9f917 100755 --- a/scripts/subinstallers/extra/onlyoffice.sh +++ b/scripts/subinstallers/extra/onlyoffice.sh @@ -4,4 +4,4 @@ ONLYOFFICE_PROD_FILE="$1" JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}" echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE -echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file +echo "JWT_SECRET=\"$JWT_SECRET\"" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/rocketchat.sh b/scripts/subinstallers/extra/rocketchat.sh index 6da1e2d..f446683 100755 --- a/scripts/subinstallers/extra/rocketchat.sh +++ b/scripts/subinstallers/extra/rocketchat.sh @@ -7,7 +7,7 @@ ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE -echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE +echo "ROCKETCHAT_PASSWORD=\"$ROCKETCHAT_PASSWORD\"" >> $ROCKETCHAT_PROD_FILE # docker environment echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index d185c32..73028f2 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -15,8 +15,8 @@ echo "DJANGO_ADMIN_URL=admin/" >> $DJANGO_PROD_FILE echo "USE_DOCKER=yes" >> $DJANGO_PROD_FILE echo "REDIS_URL=redis://redis:6379/0" >> $DJANGO_PROD_FILE echo "CELERY_FLOWER_USER=prod" >> $DJANGO_PROD_FILE -echo "CELERY_FLOWER_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $DJANGO_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $DJANGO_PROD_FILE +echo "CELERY_FLOWER_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $DJANGO_PROD_FILE +echo "MISTBORN_DEFAULT_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $DJANGO_PROD_FILE echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE @@ -41,5 +41,5 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole" #WEBPASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") WEBPASSWORD="$1" echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE -echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE +echo "WEBPASSWORD=\"$WEBPASSWORD\"" >> $PIHOLE_PROD_FILE chmod 600 $PIHOLE_PROD_FILE From ce5dfb10faf8de3f464ce534b1a2fa84b4e064ff Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 12 Mar 2021 18:04:21 +0000 Subject: [PATCH 22/23] Resolve "Mistborn default password parsing" --- scripts/install.sh | 29 ++++++++++------------- scripts/subinstallers/extra/guacamole.sh | 2 +- scripts/subinstallers/extra/nextcloud.sh | 2 +- scripts/subinstallers/extra/onlyoffice.sh | 2 +- scripts/subinstallers/extra/rocketchat.sh | 2 +- scripts/subinstallers/gen_prod_env.sh | 6 ++--- scripts/subinstallers/passwd.sh | 22 +++++++++++++++++ 7 files changed, 41 insertions(+), 24 deletions(-) create mode 100755 scripts/subinstallers/passwd.sh diff --git a/scripts/install.sh b/scripts/install.sh index e79b838..a142ad9 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -59,13 +59,18 @@ echo -e "| | | | \__ \ |_| |_) | (_) | | | | | |" echo -e "|_| |_|_|___/\__|_.__/ \___/|_| |_| |_|" echo -e "" -# INPUT default admin password -if [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; then - read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD - echo -else - echo "MISTBORN_DEFAULT_PASSWORD is already set" -fi +sudo rm -rf /opt/mistborn 2>/dev/null || true + +# clone to /opt and change directory +echo "Cloning $GIT_BRANCH branch from mistborn repo" +sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn +sudo chown -R $USER:$USER /opt/mistborn +pushd . +cd /opt/mistborn +git submodule update --init --recursive + +# MISTBORN_DEFAULT_PASSWORD +source ./scripts/subinstallers/passwd.sh # Install Cockpit? if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then @@ -85,16 +90,6 @@ else echo "SSH key exists for $USER" fi -sudo rm -rf /opt/mistborn 2>/dev/null || true - -# clone to /opt and change directory -echo "Cloning $GIT_BRANCH branch from mistborn repo" -sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn -sudo chown -R $USER:$USER /opt/mistborn -pushd . -cd /opt/mistborn -git submodule update --init --recursive - # initial load update package list sudo apt-get update diff --git a/scripts/subinstallers/extra/guacamole.sh b/scripts/subinstallers/extra/guacamole.sh index 8c76a89..8df9d00 100755 --- a/scripts/subinstallers/extra/guacamole.sh +++ b/scripts/subinstallers/extra/guacamole.sh @@ -10,4 +10,4 @@ echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $GUAC_PROD_FILE \ No newline at end of file +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/nextcloud.sh b/scripts/subinstallers/extra/nextcloud.sh index 101f93c..b1568b7 100755 --- a/scripts/subinstallers/extra/nextcloud.sh +++ b/scripts/subinstallers/extra/nextcloud.sh @@ -5,5 +5,5 @@ NEXTCLOUD_PROD_FILE="$1" #NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_ADMIN_PASSWORD=\"$NEXTCLOUD_PASSWORD\"" >> $NEXTCLOUD_PROD_FILE +echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/onlyoffice.sh b/scripts/subinstallers/extra/onlyoffice.sh index aa9f917..3fadeca 100755 --- a/scripts/subinstallers/extra/onlyoffice.sh +++ b/scripts/subinstallers/extra/onlyoffice.sh @@ -4,4 +4,4 @@ ONLYOFFICE_PROD_FILE="$1" JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}" echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE -echo "JWT_SECRET=\"$JWT_SECRET\"" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file +echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/rocketchat.sh b/scripts/subinstallers/extra/rocketchat.sh index f446683..6da1e2d 100755 --- a/scripts/subinstallers/extra/rocketchat.sh +++ b/scripts/subinstallers/extra/rocketchat.sh @@ -7,7 +7,7 @@ ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE -echo "ROCKETCHAT_PASSWORD=\"$ROCKETCHAT_PASSWORD\"" >> $ROCKETCHAT_PROD_FILE +echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE # docker environment echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index 73028f2..d185c32 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -15,8 +15,8 @@ echo "DJANGO_ADMIN_URL=admin/" >> $DJANGO_PROD_FILE echo "USE_DOCKER=yes" >> $DJANGO_PROD_FILE echo "REDIS_URL=redis://redis:6379/0" >> $DJANGO_PROD_FILE echo "CELERY_FLOWER_USER=prod" >> $DJANGO_PROD_FILE -echo "CELERY_FLOWER_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $DJANGO_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $DJANGO_PROD_FILE +echo "CELERY_FLOWER_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $DJANGO_PROD_FILE +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $DJANGO_PROD_FILE echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE @@ -41,5 +41,5 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole" #WEBPASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") WEBPASSWORD="$1" echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE -echo "WEBPASSWORD=\"$WEBPASSWORD\"" >> $PIHOLE_PROD_FILE +echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE chmod 600 $PIHOLE_PROD_FILE diff --git a/scripts/subinstallers/passwd.sh b/scripts/subinstallers/passwd.sh new file mode 100755 index 0000000..417926b --- /dev/null +++ b/scripts/subinstallers/passwd.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +# INPUT default admin password +while [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; do + echo + echo "(Mistborn) The default admin password may only container alphanumeric characters and _" + read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD + echo + + if [[ ${MISTBORN_DEFAULT_PASSWORD} =~ ^[A-Za-z0-9_]+$ ]]; then + # it matches + echo "(Mistborn) Password is accepted" + else + unset MISTBORN_DEFAULT_PASSWORD + echo "(Mistborn) Try again" + fi + +done + +echo +echo "MISTBORN_DEFAULT_PASSWORD is set" +echo From d65e5434a0ecc84154a7331329e92c73cb2f1a83 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 21 Mar 2021 16:09:58 +0000 Subject: [PATCH 23/23] Resolve "Started Extra Services restart on OS reboot" --- scripts/conf/docker-daemon.json | 3 +++ scripts/services/Mistborn-bitwarden.service | 1 + scripts/services/Mistborn-guacamole.service | 1 + scripts/services/Mistborn-homeassistant.service | 1 + scripts/services/Mistborn-jellyfin.service | 1 + scripts/services/Mistborn-jitsi.service | 1 + scripts/services/Mistborn-nextcloud.service | 1 + scripts/services/Mistborn-onlyoffice.service | 1 + scripts/services/Mistborn-rocketchat.service | 1 + scripts/services/Mistborn-syncthing.service | 1 + scripts/services/Mistborn-tor.service | 1 + scripts/subinstallers/docker.sh | 3 +++ scripts/subinstallers/docker_daemon.sh | 7 +++++++ scripts/update.sh | 7 +++++++ scripts/wrappers/mistborn_docker.sh | 13 ++++++++++++- 15 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 scripts/conf/docker-daemon.json create mode 100755 scripts/subinstallers/docker_daemon.sh diff --git a/scripts/conf/docker-daemon.json b/scripts/conf/docker-daemon.json new file mode 100644 index 0000000..ef746cb --- /dev/null +++ b/scripts/conf/docker-daemon.json @@ -0,0 +1,3 @@ +{ + "shutdown-timeout": 60 +} diff --git a/scripts/services/Mistborn-bitwarden.service b/scripts/services/Mistborn-bitwarden.service index 4fed369..8b0c8de 100644 --- a/scripts/services/Mistborn-bitwarden.service +++ b/scripts/services/Mistborn-bitwarden.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service index a688edd..1c193e8 100644 --- a/scripts/services/Mistborn-guacamole.service +++ b/scripts/services/Mistborn-guacamole.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-homeassistant.service b/scripts/services/Mistborn-homeassistant.service index a36b7c0..6ca8cc1 100644 --- a/scripts/services/Mistborn-homeassistant.service +++ b/scripts/services/Mistborn-homeassistant.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-jellyfin.service b/scripts/services/Mistborn-jellyfin.service index 7c27676..270769c 100644 --- a/scripts/services/Mistborn-jellyfin.service +++ b/scripts/services/Mistborn-jellyfin.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service index c6bcd5c..d99aa81 100644 --- a/scripts/services/Mistborn-jitsi.service +++ b/scripts/services/Mistborn-jitsi.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-nextcloud.service b/scripts/services/Mistborn-nextcloud.service index f46c2b7..01f0132 100644 --- a/scripts/services/Mistborn-nextcloud.service +++ b/scripts/services/Mistborn-nextcloud.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-onlyoffice.service b/scripts/services/Mistborn-onlyoffice.service index 72b31d8..16f0010 100644 --- a/scripts/services/Mistborn-onlyoffice.service +++ b/scripts/services/Mistborn-onlyoffice.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service index 37bb83f..8106fc9 100644 --- a/scripts/services/Mistborn-rocketchat.service +++ b/scripts/services/Mistborn-rocketchat.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-syncthing.service b/scripts/services/Mistborn-syncthing.service index 273be71..0399dec 100644 --- a/scripts/services/Mistborn-syncthing.service +++ b/scripts/services/Mistborn-syncthing.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-tor.service b/scripts/services/Mistborn-tor.service index ed47323..43b8c42 100644 --- a/scripts/services/Mistborn-tor.service +++ b/scripts/services/Mistborn-tor.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/subinstallers/docker.sh b/scripts/subinstallers/docker.sh index a4206ab..cdc83fa 100755 --- a/scripts/subinstallers/docker.sh +++ b/scripts/subinstallers/docker.sh @@ -18,3 +18,6 @@ fi if [ ! -f /usr/local/bin/docker-compose ]; then sudo -E ln -s $(which docker-compose) /usr/local/bin/docker-compose fi + +# daemon.json +#source ./scripts/subinstallers/docker_daemon.sh diff --git a/scripts/subinstallers/docker_daemon.sh b/scripts/subinstallers/docker_daemon.sh new file mode 100755 index 0000000..92f6edc --- /dev/null +++ b/scripts/subinstallers/docker_daemon.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# daemon.json +if [ ! -f /etc/docker/daemon.json ]; then + sudo -E cp ./scripts/conf/docker-daemon.json /etc/docker/daemon.json + sudo -E systemctl restart docker +fi diff --git a/scripts/update.sh b/scripts/update.sh index 8026316..dbf0845 100755 --- a/scripts/update.sh +++ b/scripts/update.sh @@ -18,6 +18,13 @@ sudo mistborn-cli pullbuild sudo docker container prune -f sudo docker image prune -f + +# RESTART + sudo systemctl stop Mistborn-base + +# docker daemon +#source ./scripts/subinstallers/docker_daemon.sh + sudo systemctl restart Mistborn-setup sudo systemctl restart Mistborn-base diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh index 781eaa6..bb33894 100755 --- a/scripts/wrappers/mistborn_docker.sh +++ b/scripts/wrappers/mistborn_docker.sh @@ -32,4 +32,15 @@ else echo "No init script. Proceeding." fi -exec "$@" \ No newline at end of file +# ensure base is up and listening +echo "Waiting for Mistborn-base to finish starting up..." + +while ! nc -z 10.2.3.1 5000; do + WAIT_TIME=$((5 + $RANDOM % 15)) + echo "Waiting ${WAIT_TIME} seconds for Mistborn-base..." + sleep ${WAIT_TIME} +done + +echo "Mistborn-base is running" + +exec "$@"