Merge branch 'master' into 28-raspap

5 years ago · c94c99fb86
44 changed files with 720 additions and 242 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -17,7 +17,8 @@ include:
 docker_build:
  stage: test
  script:
    - apk add bash
    - apk add docker-compose
-    - scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD"
+    - bash scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD"
    - docker-compose -f base.yml build
--- a/README.md
+++ b/README.md
@ -3,6 +3,10 @@ A secure platform for easily standing up and managing your own cloud services: i
 ![Mistborn Wireguard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*Wireguard Management in Mistborn*
 As featured in [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) (Linux Pro Magazine in North America) in November 2020
 ![Mistborn Featured in Linux Magazine](https://gitlab.com/cyber5k/public/-/raw/master/graphics/linux-magazine-cover-nov-2020.jpg "Mistborn featured in Linux Magazine November 2020")
 # Table of Contents
 [[_TOC_]]
@ -22,6 +26,8 @@ Ideal for teams who:
 - want to limit or stop data collecting services
 - want to prevent being detected/blocked for using a proxy or VPN service
 See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see the network scan results for Mistborn.
 Mistborn depends on these core open source technologies:
 - [Docker](https://www.docker.com/why-docker): containerization
 - [Wireguard](https://www.wireguard.com): secure VPN access
@ -44,6 +50,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b
 - [Jellyfin](https://jellyfin.org): The Free Media Software System.
 - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy.
 - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing
 - [Guacamole](https://guacamole.apache.org): A clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH.
 # Quickstart
 Tested Operating Systems (in order of thoroughness):
@ -63,7 +70,7 @@ The Mistborn docker images exist for these architectures:
 | Mistborn Docker Images (hub.docker.com)        | Architectures       |
 |------------------------------------------------|---------------------|
-| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, arm/v7 |
+| mistborn (django, celery{worker,beat})         | amd64, arm64, arm/v7 |
 | dnscrypt-proxy                                 | amd64, arm64, arm/v7 |
 Recommended System Specifications:
@ -99,6 +106,8 @@ Mistborn protects your data in a variety of ways:
 - The Mistborn firewall blocks unsolicited incoming internet packets
 - Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) 
 See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see more network diagrams and the network scan results for Mistborn.
 # Coppercloud
 Pihole provides a way to block outgoing DNS requests for given lists of blocked domains. Coppercloud provides a way to block outgoing network calls of all types to given lists of IP addresses (IPv4 only for now). This is especially useful for blocking outgoing telemetry (data and state sharing) to owners of software running on all of your devices.
@ -119,6 +128,15 @@ In Mistborn, Gateways are upstream from the VPN server so connections to third-p
 The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads.
 # Remote Desktop
 Remote desktops enable multiple users to share desktop resources and data. Remote desktops also enable groups to prevent sensitive data from ever entering an endpoint devices such as a smartphone. For reference, some United States Government regulations require controls to protect Controlled Unclassified Information (CUI) that are not feasible to implement on all endpoint devices and remote desktops prevent the data from entering the device (see NIST SP 800-171 3.1.19, CMMC AC.3.022).
 Mistborn enables remote desktop access via the Apache Guacamole extra service, which supports VNC, RDP, SSH, and other protocols. 
 ![Guacamole Recent Connections](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_connections.png)
 Guacamole implements its own users and groups access controls to manage access to individual desktops. All Mistborn users must be authenticated with Mistborn (via Wireguard only or MFA) to access the Guacamole interface.
 # Client to client communication
 By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle.
@ -245,8 +263,10 @@ Internet access is blocked via iptables until authentication is completed for an
 ![Mistborn Multi Factor Authentication - Token Prompt](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_token_enter.png)*Mistborn Multi Factor Authentication - Token Prompt*
-### MFA Mistborn Service Access
+### MFA Mistborn Service Access - Fixed on 4 December 2020
-Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will redirect you to [http://home.mistborn](http://home.mistborn) where you must complete the authentication process. Click "Sign Out" to re-block access until authentication completes again.
+Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will produce a "Mistborn: Not authorized" HTTP 403. Click "Sign Out" to re-block access until authentication completes again.
 ![Mistborn Multi Factor Authentication - Not Authorized](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_not_authorized.png)*Mistborn Multi Factor Authentication - Not Authorized (Login Incomplete)*
 ### Notes
 - **Sessions**: Traefik checks the authenticated sessions on the server side to determine whether to allow access to the Mistborn service web pages. If an open session exists for your Mistborn IP address then access will be granted. You may close all sessions by clicking "Sign Out" on the Mistborn home page. Expired sessions are regularly cleaned by the Mistborn system (celery periodic task).
@ -267,6 +287,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client
 | Syncthing | syncthing.mistborn | Off |
 | OnlyOffice | onlyoffice.mistborn | Off |
 | Jitsi | jitsi.mistborn | Off |
 | Guacamole | guac.mistborn | Off |
 # Default Credentials
 These are the default credentials to use in the services you choose to use:
@ -276,6 +297,7 @@ These are the default credentials to use in the services you choose to use:
 | Pihole |  | {{default mistborn password}} |
 | Cockpit | cockpit | {{default mistborn password}} |
 | Nextcloud | mistborn | {{default mistborn password}} |
 | Guacamole | mistborn | {{default mistborn password }} |
 You can find the credentials sent to the Docker containers in: `/opt/mistborn/.envs/.production/`
@ -322,7 +344,7 @@ But wait, there's more! You can:
 | Jitsi Meet     | [Jitsi Meet](https://play.google.com/store/apps/details?id=org.jitsi.meet)                         | [Jitsi Meet](https://apps.apple.com/us/app/jitsi-meet/id1165103905)                |
 | Bitwarden      | [Bitwarden](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)                     | [Bitwarden](https://apps.apple.com/us/app/bitwarden-password-manager/id1137397744) |
 | Jellyfin       | [Jellyfin](https://play.google.com/store/apps/details?id=org.jellyfin.mobile)                      | [Jellyfin](https://apps.apple.com/us/app/jellyfin-mobile/id1480192618)             |
-| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) |                                                                                    |
+| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) | [Home Assistant](https://apps.apple.com/us/app/home-assistant/id1099568401)                                                                                   |
 | Rocket.Chat    | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android)                   | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252)              |
 ## TLS Certificate
@ -435,6 +457,7 @@ sudo journalctl -xfu Mistborn-syncthing
 sudo journalctl -xfu Mistborn-jellyfin
 sudo journalctl -xfu Mistborn-nextcloud
 sudo journalctl -xfu Mistborn-jitsi
 sudo journalctl -xfu Mistborn-guacamole
 sudo journalctl -xfu Mistborn-rocketchat
 sudo journalctl -xfu Mistborn-onlyoffice
 sudo journalctl -xfu Mistborn-tor
@ -474,6 +497,9 @@ Run updates and restart before installing Mistborn (`sudo apt-get update && sudo
 These are some notes regarding the technical design and implementations of Mistborn. Feel free to contact me for additional details.
 ## Attack Surface
 See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki entry.
 - **Wireguard**: Wireguard is the only way in to Mistborn. When new Wireguard profiles are generated they are attached to a random UDP port. Wireguard does not respond to unauthenticated traffic. External probes on the active Wireguard listening ports are not logged and do not appear on the Metrics page.
 - **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the Wireguard tunnels) is allowed. Password authentication is allowed. The SSH key for the `mistborn` user is only accepted from internal source IP addresses. Fail2ban is also installed.
 - **Traefik**: Iptables closes web ports (TCP 80 and 443) from external access and additonally all web interfaces are behind the Traefik reverse-proxy. All web requests (e.g. home.mistborn) must be resolved by Mistborn DNS (Pihole/dnsmasq) and originate from a Wireguard tunnel.
@ -492,19 +518,23 @@ These are some notes regarding the technical design and implementations of Mistb
 - The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days.
 - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked.
 - Unattended upgrades are set to automatically install operating system security updates.
 - Ownership of mistborn files is set to the system mistborn user and access to environment variables is disabled for users other than the owner.
-# Roadmap
+# Roadmap (not necessarily in order)
 Many features and refinements are in the works at various stages including:
- Option to upload metrics information to Cyber5K to refine each Mistborn instance's firewall
+- Plugins for Extra Services (enabling third-party development)
- Option to email default admin Wireguard config file
+- Plugin repository
- Adding more extra services (e.g. Gitlab, Game Servers, etc.)
+- IPv6 support
- Cyber5K marketplace to share Gateway access (to fixed IP addresses or domains, and for a fixed amount of time)
+- Integration with RaspAP to enable managing an Access Point for local network connections
 - Mistborn managing wireless interfaces for local access points (stripped down RaspAP)
 - Optional periodic backup of local Mistborn config files and credentials to Cyber5K
 - Internal network scan tool and feedback
 - Anomaly detection in network traffic
 # Featured In
 - [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) November 2020 (featuring Mistborn version from early May 2020)
 - [Awesome Open Source](https://www.youtube.com/watch?v=hekP0_crotw) July 2020 (featuring Mistborn version from early July 2020)
 # Follow
 You can find recent bugfixes, functional additions, some extra documentation and more at the Cyber5K Patreon page: [https://www.patreon.com/cyber5k](https://www.patreon.com/cyber5k)
--- a/base.yml
+++ b/base.yml
@ -145,22 +145,22 @@ services:
    restart: unless-stopped
-  flower:
+  #flower:
-    image: "cyber5k/mistborn:${MISTBORN_TAG}"
+  #  image: "cyber5k/mistborn:${MISTBORN_TAG}"
-    container_name: mistborn_production_flower
+  #  container_name: mistborn_production_flower
-    env_file:
+  #  env_file:
-      - ./.envs/.production/.django
+  #    - ./.envs/.production/.django
-      - ./.envs/.production/.postgres
+  #    - ./.envs/.production/.postgres
-    ports:
+  #  ports:
-      - "5555:5555/tcp"
+  #    - "5555:5555/tcp"
-    command: /start-flower
+  #  command: /start-flower
-    restart: unless-stopped
+  #  restart: unless-stopped
  pihole:
   container_name: mistborn_production_pihole
   image: pihole/pihole:latest
   env_file:
-     - /opt/mistborn_volumes/base/base.txt
+     - ./.envs/.production/.pihole
   ports:
     - "${MISTBORN_DNS_BIND_IP}:53:53/tcp"
     - "${MISTBORN_DNS_BIND_IP}:53:53/udp"
@ -168,11 +168,12 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)"
      - "traefik.http.routers.pihole-http.entrypoints=web"
-      - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file,add-pihole-admin"
      - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)"
      - "traefik.http.routers.pihole-https.entrypoints=websecure"
-      - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file,add-pihole-admin"
      - "traefik.http.routers.pihole-https.tls.certresolver=basic"
      - "traefik.http.middlewares.add-pihole-admin.addPrefix.prefix=/admin"
      - "traefik.http.services.pihole-service.loadbalancer.server.port=80"
   environment:
     - ServerIP=10.2.0.3
@ -182,8 +183,6 @@ services:
     - DNSMASQ_LISTENING=all
   #  TZ: 'America/New York'
   # Volumes store your data between container upgrades
   env_file:
     - ./.envs/.production/.pihole
   volumes:
     - ../mistborn_volumes/base/pihole/etc-pihole:/etc/pihole/
     - ../mistborn_volumes/base/pihole/etc-dnsmasqd:/etc/dnsmasq.d/
--- a/compose/production/tor/Dockerfile
+++ b/compose/production/tor/Dockerfile
@ -7,7 +7,7 @@ RUN apk update \
 EXPOSE 9150
-ADD ./compose/production/tor/torrc /etc/tor/torrc
+ADD ./torrc /etc/tor/torrc
 USER tor
 CMD /usr/bin/tor -f /etc/tor/torrc
--- a/compose/production/traefik/dynamic.toml
+++ b/compose/production/traefik/dynamic.toml
@ -18,7 +18,7 @@
    rule = "Host(`cockpit.mistborn`)"
    service = "cockpit"
    entrypoints = ["web", "websecure"]
-    #middlewares =
+    middlewares = ["mistborn_auth"]
 [http.middlewares]
  [http.middlewares.mistborn_auth.forwardAuth]
--- a/extra/guacamole.yml
+++ b/extra/guacamole.yml
@ -0,0 +1,72 @@
 version: '3'
 # services
 services:
  # guacd
  guacd:
    container_name: mistborn_production_guacd
    image: guacamole/guacd
    networks:
      guacnetwork:
    restart: unless-stopped
    volumes:
    - ../../mistborn_volumes/extra/guacamole/drive:/drive:rw
    - ../../mistborn_volumes/extra/guacamole/record:/record:rw
  # postgres
  guac_postgres:
    container_name: mistborn_production_guac_postgres
    env_file:
    - ../.envs/.production/.guacamole
    environment:
      PGDATA: /var/lib/postgresql/data/guacamole
    image: postgres
    networks:
      guacnetwork:
    restart: unless-stopped
    volumes:
    - ../../mistborn_volumes/extra/guacamole/init:/docker-entrypoint-initdb.d:ro
    - ../../mistborn_volumes/extra/guacamole/data:/var/lib/postgresql/data:rw
  # guacamole
  guacamole:
    container_name: mistborn_production_guacamole
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)"
    - "traefik.http.routers.guacamole-http.entrypoints=web"
    - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole"
    - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)"
    - "traefik.http.routers.guacamole-https.entrypoints=websecure"
    - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole"
    - "traefik.http.routers.guacamole-https.tls.certresolver=basic"
    - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole"
    - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080"
    depends_on:
    - guacd
    - guac_postgres
    environment:
      GUACD_HOSTNAME: guacd
      GUACD_PORT: 4822
      #GUACAMOLE_HOME: /config
    env_file:
    - ../.envs/.production/.guacamole
    image: guacamole/guacamole
    links:
    - guacd
    networks:
      guacnetwork:
    #ports:
 ## enable next line if not using nginx
 ##    - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /.
 ## enable next line when using nginx
    #- 8080/tcp
    restart: unless-stopped
 # networks
 # create a network 'guacnetwork' in mode 'bridged'
 networks:
  guacnetwork:
    driver: bridge
--- a/extra/jitsi-meet.yml
+++ b/extra/jitsi-meet.yml
@ -3,7 +3,8 @@ version: '3'
 services:
    # Frontend
    jitsi-web:
-        image: jitsi/web
+        image: jitsi/web:latest
        restart: unless-stopped
        #ports:
            #- '${HTTP_PORT}:80'
            #- '${HTTPS_PORT}:443'
@ -18,59 +19,115 @@ services:
            - "traefik.http.routers.jitsi-https.tls.certresolver=basic"
            - "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}"
        volumes:
-            - ${CONFIG}/web:/config
+            - ${CONFIG}/web:/config:Z
-            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
+            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
-            - ENABLE_TRANSCRIPTIONS
+            - ENABLE_XMPP_WEBSOCKET
            - DISABLE_HTTPS
            - JICOFO_AUTH_USER
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - LETSENCRYPT_USE_STAGING
            - PUBLIC_URL
-            - XMPP_DOMAIN
+            - TZ
            - AMPLITUDE_ID
            - ANALYTICS_SCRIPT_URLS
            - ANALYTICS_WHITELISTED_EVENTS
            - BRIDGE_CHANNEL
            - BRANDING_DATA_URL
            - CALLSTATS_CUSTOM_SCRIPT_URL
            - CALLSTATS_ID
            - CALLSTATS_SECRET
            - CHROME_EXTENSION_BANNER_JSON
            - CONFCODE_URL
            - CONFIG_EXTERNAL_CONNECT
            - DEPLOYMENTINFO_ENVIRONMENT
            - DEPLOYMENTINFO_ENVIRONMENT_TYPE
            - DEPLOYMENTINFO_USERREGION
            - DIALIN_NUMBERS_URL
            - DIALOUT_AUTH_URL
            - DIALOUT_CODES_URL
            - DROPBOX_APPKEY
            - DROPBOX_REDIRECT_URI
            - ENABLE_AUDIO_PROCESSING
            - ENABLE_AUTH
            - ENABLE_CALENDAR
            - ENABLE_FILE_RECORDING_SERVICE
            - ENABLE_FILE_RECORDING_SERVICE_SHARING
            - ENABLE_GUESTS
            - ENABLE_IPV6
            - ENABLE_LIPSYNC
            - ENABLE_NO_AUDIO_DETECTION
            - ENABLE_P2P
            - ENABLE_PREJOIN_PAGE
            - ENABLE_RECORDING
            - ENABLE_REMB
            - ENABLE_REQUIRE_DISPLAY_NAME
            - ENABLE_SIMULCAST
            - ENABLE_STATS_ID
            - ENABLE_STEREO
            - ENABLE_SUBDOMAINS
            - ENABLE_TALK_WHILE_MUTED
            - ENABLE_TCC
            - ENABLE_TRANSCRIPTIONS
            - ETHERPAD_PUBLIC_URL
            - ETHERPAD_URL_BASE
            - GOOGLE_ANALYTICS_ID
            - GOOGLE_API_APP_CLIENT_ID
            - INVITE_SERVICE_URL
            - JICOFO_AUTH_USER
            - MATOMO_ENDPOINT
            - MATOMO_SITE_ID
            - MICROSOFT_API_APP_CLIENT_ID
            - NGINX_RESOLVER
            - NGINX_WORKER_PROCESSES
            - NGINX_WORKER_CONNECTIONS
            - PEOPLE_SEARCH_URL
            - RESOLUTION
            - RESOLUTION_MIN
            - RESOLUTION_WIDTH
            - RESOLUTION_WIDTH_MIN
            - START_AUDIO_ONLY
            - START_AUDIO_MUTED
            - START_BITRATE
            - START_VIDEO_MUTED
            - TESTING_CAP_SCREENSHARE_BITRATE
            - TESTING_OCTO_PROBABILITY
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
-            - ETHERPAD_URL_BASE
+            - TOKEN_AUTH_URL
            - TZ
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - ENABLE_RECORDING
        networks:
            default:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}
        restart: unless-stopped 
    # XMPP server
    jitsi-prosody:
-        image: jitsi/prosody
+        image: jitsi/prosody:latest
        restart: unless-stopped
        expose:
            - '5222'
            - '5347'
            - '5280'
        volumes:
-            - ${CONFIG}/prosody:/config
+            - ${CONFIG}/prosody/config:/config:Z
            - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LOBBY
            - ENABLE_XMPP_WEBSOCKET
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
@ -95,6 +152,7 @@ services:
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - XMPP_CROSS_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
@ -115,25 +173,28 @@ services:
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - PUBLIC_URL
            - TZ
        networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_SERVER}
        restart: unless-stopped 
    # Focus component
    jitsi-jicofo:
-        image: jitsi/jicofo
+        image: jitsi/jicofo:latest
        restart: unless-stopped
        volumes:
-            - ${CONFIG}/jicofo:/config
+            - ${CONFIG}/jicofo:/config:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
@ -141,6 +202,7 @@ services:
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIGASI_SIP_URI
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
@ -148,16 +210,16 @@ services:
            - jitsi-prosody
        networks:
            meet.jitsi:
        restart: unless-stopped 
    # Video bridge
    jitsi-jvb:
-        image: jitsi/jvb
+        image: jitsi/jvb:latest
        restart: unless-stopped
        ports:
            - '${JVB_PORT}:${JVB_PORT}/udp'
            - '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
        volumes:
-            - ${CONFIG}/jvb:/config
+            - ${CONFIG}/jvb:/config:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
@ -171,14 +233,19 @@ services:
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_TCP_MAPPED_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - JVB_WS_DOMAIN
            - JVB_WS_SERVER_ID
            - PUBLIC_URL
            - TZ
        depends_on:
            - jitsi-prosody
        networks:
            meet.jitsi:
-        restart: unless-stopped 
+                aliases:
                    - jvb.meet.jitsi
 # Custom network so all services can communicate using a FQDN
 networks:
--- a/extra/rocketchat.yml
+++ b/extra/rocketchat.yml
@ -64,7 +64,7 @@ services:
      - ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts
  # this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier
    ports:
-      - 3001:8080/tcp
+      - "${MISTBORN_BIND_IP}:3001:8080/tcp"
 networks:
  default:
--- a/extra/tor.yml
+++ b/extra/tor.yml
@ -3,8 +3,8 @@ version: '3'
 services:
  tor-client:
    build:
-      context: ..
+      context: ../compose/production/tor
-      dockerfile: ./compose/production/tor/Dockerfile
+      dockerfile: ./Dockerfile
    image: mistborn_production_tor
    container_name: mistborn_production_tor
    ports:
--- a/scripts/conf/docker-daemon.json
+++ b/scripts/conf/docker-daemon.json
@ -0,0 +1,3 @@
 {
    "shutdown-timeout": 60 
 }
--- a/scripts/conf/jitsi.env
+++ b/scripts/conf/jitsi.env
@ -1,61 +1,116 @@
 # shellcheck disable=SC2034
 # Security
 #
 # Set these to strong passwords to avoid intruders from impersonating a service account
 # The service(s) won't start unless these are specified
 # Running ./gen-passwords.sh will update .env with strong passwords
 # You may skip the Jigasi and Jibri passwords if you are not using those
 # DO NOT reuse passwords
 #
 # XMPP component password for Jicofo
 JICOFO_COMPONENT_SECRET=
 # XMPP password for Jicofo client connections
 JICOFO_AUTH_PASSWORD=
 # XMPP password for JVB client connections
 JVB_AUTH_PASSWORD=
 # XMPP password for Jigasi MUC client connections
 JIGASI_XMPP_PASSWORD=
 # XMPP recorder password for Jibri client connections
 JIBRI_RECORDER_PASSWORD=
 # XMPP password for Jibri client connections
 JIBRI_XMPP_PASSWORD=
 #
 # Basic configuration options
 #
-# Directory where all configuration will be stored.
+# Directory where all configuration will be stored
 #CONFIG=~/.jitsi-meet-cfg
 CONFIG=../.envs/.production/.jitsi-cfg
-# Exposed HTTP port.
+# Exposed HTTP port
 HTTP_PORT=80
-# Exposed HTTPS port.
+# Exposed HTTPS port
-HTTPS_PORT=8443
+HTTPS_PORT=443
-# System time zone.
+# System time zone
-TZ=Europe/Amsterdam
+TZ=UTC
-# Public URL for the web service.
+# Public URL for the web service (required)
-#PUBLIC_URL=https://meet.example.com
+PUBLIC_URL=https://jitsi.mistborn
-# IP address of the Docker host. See the "Running on a LAN environment" section
+# IP address of the Docker host
-# in the README.
+# See the "Running behind NAT or on a LAN environment" section in the Handbook:
 # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
 #DOCKER_HOST_ADDRESS=192.168.1.1
 DOCKER_HOST_ADDRESS=10.2.3.1
 # Control whether the lobby feature should be enabled or not
 #ENABLE_LOBBY=1
 # Show a prejoin page before entering a conference
 #ENABLE_PREJOIN_PAGE=0
 #
 # Let's Encrypt configuration
 #
-# Enable Let's Encrypt certificate generation.
+# Enable Let's Encrypt certificate generation
 #ENABLE_LETSENCRYPT=1
-# Domain for which to generate the certificate.
+# Domain for which to generate the certificate
 #LETSENCRYPT_DOMAIN=meet.example.com
-# E-Mail for receiving important account notifications (mandatory).
+# E-Mail for receiving important account notifications (mandatory)
 #LETSENCRYPT_EMAIL=alice@atlanta.net
 # Use the staging server (for avoiding rate limits while testing)
 #LETSENCRYPT_USE_STAGING=1
 #
 # Etherpad integration (for document sharing)
 #
-# Set etherpad-lite URL (uncomment to enable).
+# Set etherpad-lite URL in docker local network (uncomment to enable)
 #ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
 # Set etherpad-lite public URL (uncomment to enable)
 #ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
 # Name your etherpad instance!
 ETHERPAD_TITLE="Video Chat"
 # The default text of a pad
 ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
 # Name of the skin for etherpad
 ETHERPAD_SKIN_NAME="colibris"
 # Skin variants for etherpad
 ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
 #
 # Basic Jigasi configuration options (needed for SIP gateway support)
 #
-# SIP URI for incoming / outgoing calls.
+# SIP URI for incoming / outgoing calls
 #JIGASI_SIP_URI=test@sip2sip.info
 # Password for the specified SIP account as a clear text
 #JIGASI_SIP_PASSWORD=passw0rd
-# SIP server (use the SIP account domain if in doubt).
+# SIP server (use the SIP account domain if in doubt)
 #JIGASI_SIP_SERVER=sip2sip.info
 # SIP server port
@ -65,13 +120,13 @@ DOCKER_HOST_ADDRESS=10.2.3.1
 #JIGASI_SIP_TRANSPORT=UDP
 #
-# Authentication configuration (see README for details)
+# Authentication configuration (see handbook for details)
 #
-# Enable authentication.
+# Enable authentication
 #ENABLE_AUTH=1
-# Enable guest access.
+# Enable guest access
 #ENABLE_GUESTS=1
 # Select authentication type: internal, jwt or ldap
@ -80,38 +135,38 @@ DOCKER_HOST_ADDRESS=10.2.3.1
 # JWT authentication
 #
-# Application identifier.
+# Application identifier
 #JWT_APP_ID=my_jitsi_app_id
-# Application secret known only to your token.
+# Application secret known only to your token
 #JWT_APP_SECRET=my_jitsi_app_secret
-# (Optional) Set asap_accepted_issuers as a comma separated list.
+# (Optional) Set asap_accepted_issuers as a comma separated list
 #JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
-# (Optional) Set asap_accepted_audiences as a comma separated list.
+# (Optional) Set asap_accepted_audiences as a comma separated list
 #JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
 # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
 #
-# LDAP url for connection.
+# LDAP url for connection
 #LDAP_URL=ldaps://ldap.domain.com/
 # LDAP base DN. Can be empty
 #LDAP_BASE=DC=example,DC=domain,DC=com
-# LDAP user DN. Do not specify this parameter for the anonymous bind.
+# LDAP user DN. Do not specify this parameter for the anonymous bind
 #LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
-# LDAP user password. Do not specify this parameter for the anonymous bind.
+# LDAP user password. Do not specify this parameter for the anonymous bind
 #LDAP_BINDPW=LdapUserPassw0rd
 # LDAP filter. Tokens example:
-# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
-# %s - %s is replaced by the complete service string.
+# %s - %s is replaced by the complete service string
-# %r - %r is replaced by the complete realm string.
+# %r - %r is replaced by the complete realm string
 #LDAP_FILTER=(sAMAccountName=%u)
 # LDAP authentication method
@ -123,16 +178,16 @@ DOCKER_HOST_ADDRESS=10.2.3.1
 # LDAP TLS using
 #LDAP_USE_TLS=1
-# List of SSL/TLS ciphers to allow.
+# List of SSL/TLS ciphers to allow
 #LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
 # Require and verify server certificate
 #LDAP_TLS_CHECK_PEER=1
-# Path to CA cert file. Used when server sertificate verify is enabled.
+# Path to CA cert file. Used when server certificate verify is enabled
 #LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
-# Path to CA certs directory. Used when server sertificate verify is enabled.
+# Path to CA certs directory. Used when server certificate verify is enabled
 #LDAP_TLS_CACERT_DIR=/etc/ssl/certs
 # Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
@ -143,7 +198,7 @@ DOCKER_HOST_ADDRESS=10.2.3.1
 # Advanced configuration options (you generally don't need to change these)
 #
-# Internal XMPP domain.
+# Internal XMPP domain
 XMPP_DOMAIN=meet.jitsi
 # Internal XMPP server
@ -152,18 +207,22 @@ XMPP_SERVER=xmpp.meet.jitsi
 # Internal XMPP server URL
 XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
-# Internal XMPP domain for authenticated services.
+# Internal XMPP domain for authenticated services
 XMPP_AUTH_DOMAIN=auth.meet.jitsi
-# XMPP domain for the MUC.
+# XMPP domain for the MUC
 XMPP_MUC_DOMAIN=muc.meet.jitsi
-# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools.
+# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
 XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
-# XMPP domain for unauthenticated users.
+# XMPP domain for unauthenticated users
 XMPP_GUEST_DOMAIN=guest.meet.jitsi
 # Comma separated list of domains for cross domain policy or "true" to allow all
 # The PUBLIC_URL is always allowed
 #XMPP_CROSS_DOMAIN=true
 # Custom Prosody modules for XMPP_DOMAIN (comma separated)
 XMPP_MODULES=
@ -173,17 +232,14 @@ XMPP_MUC_MODULES=
 # Custom Prosody modules for internal MUC component (comma separated)
 XMPP_INTERNAL_MUC_MODULES=
-# MUC for the JVB pool.
+# MUC for the JVB pool
 JVB_BREWERY_MUC=jvbbrewery
-# XMPP user for JVB client connections.
+# XMPP user for JVB client connections
 JVB_AUTH_USER=jvb
-# XMPP password for JVB client connections.
+# STUN servers used to discover the server's public IP
-JVB_AUTH_PASSWORD=passw0rd
+JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
 # STUN servers used to discover the server's public IP.
 JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302
 # Media port for the Jitsi Videobridge
 JVB_PORT=10000
@ -191,36 +247,32 @@ JVB_PORT=10000
 # TCP Fallback for Jitsi Videobridge for when UDP isn't available
 JVB_TCP_HARVESTER_DISABLED=true
 JVB_TCP_PORT=4443
 JVB_TCP_MAPPED_PORT=4443
-# A comma separated list of APIs to enable when the JVB is started. The default is none.
+# A comma separated list of APIs to enable when the JVB is started [default: none]
 # See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
 #JVB_ENABLE_APIS=rest,colibri
-# XMPP component password for Jicofo.
+# XMPP user for Jicofo client connections.
-JICOFO_COMPONENT_SECRET=s3cr37
+# NOTE: this option doesn't currently work due to a bug
 # XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug.
 JICOFO_AUTH_USER=focus
 # XMPP password for Jicofo client connections.
 JICOFO_AUTH_PASSWORD=passw0rd
 # Base URL of Jicofo's reservation REST API
 #JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
-# XMPP user for Jigasi MUC client connections.
+# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
-JIGASI_XMPP_USER=jigasi
+#JICOFO_ENABLE_HEALTH_CHECKS=true
-# XMPP password for Jigasi MUC client connections.
+# XMPP user for Jigasi MUC client connections
-JIGASI_XMPP_PASSWORD=passw0rd
+JIGASI_XMPP_USER=jigasi
-# MUC name for the Jigasi pool.
+# MUC name for the Jigasi pool
 JIGASI_BREWERY_MUC=jigasibrewery
-# Minimum port for media used by Jigasi.
+# Minimum port for media used by Jigasi
 JIGASI_PORT_MIN=20000
-# Maximum port for media used by Jigasi.
+# Maximum port for media used by Jigasi
 JIGASI_PORT_MAX=20050
 # Enable SDES srtp
@ -235,20 +287,21 @@ JIGASI_PORT_MAX=20050
 # Health-check interval
 #JIGASI_HEALTH_CHECK_INTERVAL=300000
 #
-# Enable Jigasi transcription.
+# Enable Jigasi transcription
 #ENABLE_TRANSCRIPTIONS=1
-# Jigasi will recordord an audio when transcriber is on. Default false.
+# Jigasi will record audio when transcriber is on [default: false]
 #JIGASI_TRANSCRIBER_RECORD_AUDIO=true
-# Jigasi will send transcribed text to the chat when transcriber is on. Default false.
+# Jigasi will send transcribed text to the chat when transcriber is on [default: false]
 #JIGASI_TRANSCRIBER_SEND_TXT=true
-# Jigasi post to the chat an url with transcription file. Default false.
+# Jigasi will post an url to the chat with transcription file [default: false]
 #JIGASI_TRANSCRIBER_ADVERTISE_URL=true
 # Credentials for connect to Cloud Google API from Jigasi
-# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph.
+# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
 # section "Before you begin" paragraph 1 to 5
 # Copy the values from the json to the related env vars
 #GC_PROJECT_ID=
 #GC_PRIVATE_KEY_ID=
@ -263,25 +316,19 @@ JIGASI_PORT_MAX=20050
 # XMPP domain for the jibri recorder
 XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
-# XMPP recorder user for Jibri client connections.
+# XMPP recorder user for Jibri client connections
 JIBRI_RECORDER_USER=recorder
-# XMPP recorder password for Jibri client connections.
+# Directory for recordings inside Jibri container
 JIBRI_RECORDER_PASSWORD=passw0rd
 # Directory for recordings inside Jibri container.
 JIBRI_RECORDING_DIR=/config/recordings
-# The finalizing script. Will run after recording is complete.
+# The finalizing script. Will run after recording is complete
 JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
-# XMPP user for Jibri client connections.
+# XMPP user for Jibri client connections
 JIBRI_XMPP_USER=jibri
-# XMPP password for Jibri client connections.
+# MUC name for the Jibri pool
 JIBRI_XMPP_PASSWORD=passw0rd
 # MUC name for the Jibri pool.
 JIBRI_BREWERY_MUC=jibribrewery
 # MUC connection timeout
@ -294,14 +341,26 @@ JIBRI_PENDING_TIMEOUT=90
 # So if there are any prefixes in the jid (like jitsi meet, which
 # has its participants join a muc at conference.xmpp_domain) then
 # list that prefix here so it can be stripped out to generate
-# the call url correctly.
+# the call url correctly
 JIBRI_STRIP_DOMAIN_JID=muc
-# Directory for logs inside Jibri container.
+# Directory for logs inside Jibri container
 JIBRI_LOGS_DIR=/config/logs
-# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup.
+# Disable HTTPS: handle TLS connections outside of this setup
 DISABLE_HTTPS=1
-# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443).
+# Redirect HTTP traffic to HTTPS
 # Necessary for Let's Encrypt, relies on standard HTTPS port (443)
 #ENABLE_HTTP_REDIRECT=1
 # Enable IPv6
 # Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
 #ENABLE_IPV6=1
 # Container restart policy
 # Defaults to unless-stopped
 RESTART_POLICY=unless-stopped
 # Authenticate using external service or just focus external auth window if there is one already.
 # TOKEN_AUTH_URL=https://auth.meet.example.com/{room}
--- a/scripts/env/check_env_file.sh
+++ b/scripts/env/check_env_file.sh
@ -0,0 +1,35 @@
 #!/bin/bash
 set -e
 SERVICE="$1"
 export MISTBORN_HOME=/opt/mistborn
 export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh"
 export SERVICE_ENV_FILE="${MISTBORN_HOME}/.envs/.production/.${SERVICE}"
 # read in global variables
 set -a
 source ${MISTBORN_HOME}/.env
 source ${MISTBORN_HOME}/.envs/.production/.django
 source ${MISTBORN_HOME}/.envs/.production/.postgres
 source ${MISTBORN_HOME}/.envs/.production/.pihole
 set +a
 if [[ -f "${SERVICE_ENV_INSTALLER}" ]]; then
    if [[ -f "${SERVICE_ENV_FILE}" ]]; then
        echo "Environment file already exists."
    else
        # create env file for service
        echo "Creating environment file"
        source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE
        chown mistborn:mistborn $SERVICE_ENV_FILE
        chmod 600 $SERVICE_ENV_FILE
    fi
 else
    echo "No subinstaller found."
 fi
--- a/scripts/env/setup.sh
+++ b/scripts/env/setup.sh
@ -4,15 +4,29 @@
 VAR_FILE=/opt/mistborn/.env
 # load env variables
 source /opt/mistborn/scripts/subinstallers/platform.sh
 # setup env file
 echo "" | sudo tee ${VAR_FILE}
 sudo chown mistborn:mistborn ${VAR_FILE}
 sudo chmod 600 ${VAR_FILE}
 # MISTBORN_DNS_BIND_IP
 MISTBORN_DNS_BIND_IP="10.2.3.1"
 #if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
 #    MISTBORN_DNS_BIND_IP="10.2.3.1"
 #fi
-echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee ${VAR_FILE}
+echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee -a ${VAR_FILE}
-sudo chown mistborn:mistborn ${VAR_FILE}
+
 # MISTBORN_BIND_IP
 echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE}
 # MISTBORN_TAG
 GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master")
 MISTBORN_TAG="latest"
@ -22,13 +36,29 @@ fi
 echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
-#### install and base services
+#### SERVICE files
 iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
-# default interface
+# copy current service files to systemd (overwriting as needed)
 sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
 # set script user and owner
 sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
 #sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
 # reload in case the iface is not immediately set
 sudo systemctl daemon-reload
 #### install and base services
 iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]')
 ## cannot be empty
 while [[ -z "$iface" ]]; do
    sleep 2
    iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]')
 done
 # default interface
 sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
 echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE}
 sudo systemctl daemon-reload
--- a/scripts/install.sh
+++ b/scripts/install.sh
@ -59,13 +59,18 @@ echo -e "| |  | | \__ \ |_| |_) | (_) | |  | | | |"
 echo -e "|_|  |_|_|___/\__|_.__/ \___/|_|  |_| |_|"
 echo -e ""
-# INPUT default admin password
+sudo rm -rf /opt/mistborn 2>/dev/null || true
-if [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; then
+
-    read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD
+# clone to /opt and change directory
-    echo
+echo "Cloning $GIT_BRANCH branch from mistborn repo"
-else
+sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn
-    echo "MISTBORN_DEFAULT_PASSWORD is already set"
+sudo chown -R $USER:$USER /opt/mistborn
-fi
+pushd .
 cd /opt/mistborn
 git submodule update --init --recursive
 # MISTBORN_DEFAULT_PASSWORD
 source ./scripts/subinstallers/passwd.sh
 # Install Cockpit?
 if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then
@ -85,16 +90,6 @@ else
    echo "SSH key exists for $USER"
 fi
 sudo rm -rf /opt/mistborn 2>/dev/null || true
 # clone to /opt and change directory
 echo "Cloning $GIT_BRANCH branch from mistborn repo"
 sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn
 sudo chown -R $USER:$USER /opt/mistborn
 pushd .
 cd /opt/mistborn
 git submodule update --init --recursive
 # initial load update package list
 sudo apt-get update
@ -248,6 +243,7 @@ sudo resolvconf -u 1>/dev/null 2>&1
 echo "backup up original volumes folder"
 sudo mkdir -p ../mistborn_backup
 sudo chmod 700 ../mistborn_backup
 sudo tar -czf ../mistborn_backup/mistborn_volumes_backup.tar.gz ../mistborn_volumes 1>/dev/null 2>&1
 # clean docker
--- a/scripts/services/Mistborn-bitwarden.service
+++ b/scripts/services/Mistborn-bitwarden.service
@ -2,20 +2,22 @@
 Description=Mistborn Bitwarden Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
--- a/scripts/services/Mistborn-guacamole.service
+++ b/scripts/services/Mistborn-guacamole.service
@ -0,0 +1,23 @@
 [Unit]
 Description=Mistborn Guacamole
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
 # Post stop
 [Install]
 WantedBy=multi-user.target
--- a/scripts/services/Mistborn-homeassistant.service
+++ b/scripts/services/Mistborn-homeassistant.service
@ -2,19 +2,21 @@
 Description=Mistborn Home Assistant 
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
 # Post stop
 [Install]
--- a/scripts/services/Mistborn-jellyfin.service
+++ b/scripts/services/Mistborn-jellyfin.service
@ -2,19 +2,21 @@
 Description=Mistborn Jellyfin Service
 Requires=Mistborn-nextcloud.service
 After=Mistborn-nextcloud.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
 # Post stop
 [Install]
--- a/scripts/services/Mistborn-jitsi.service
+++ b/scripts/services/Mistborn-jitsi.service
@ -2,26 +2,26 @@
 Description=Mistborn Jitsi Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 # Post stop
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
 [Install]
 WantedBy=multi-user.target
--- a/scripts/services/Mistborn-nextcloud.service
+++ b/scripts/services/Mistborn-nextcloud.service
@ -2,19 +2,21 @@
 Description=Mistborn Nextcloud Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
-User=www-data
+RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
 # Post stop
 [Install]
--- a/scripts/services/Mistborn-onlyoffice.service
+++ b/scripts/services/Mistborn-onlyoffice.service
@ -2,19 +2,21 @@
 Description=Mistborn OnlyOffice Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
 # Post stop
 [Install]
--- a/scripts/services/Mistborn-rocketchat.service
+++ b/scripts/services/Mistborn-rocketchat.service
@ -2,20 +2,22 @@
 Description=Mistborn Rocket Chat Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
--- a/scripts/services/Mistborn-syncthing.service
+++ b/scripts/services/Mistborn-syncthing.service
@ -2,21 +2,23 @@
 Description=Mistborn Syncthing Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
--- a/scripts/services/Mistborn-tor.service
+++ b/scripts/services/Mistborn-tor.service
@ -2,20 +2,22 @@
 Description=Mistborn Tor Service 
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
 # Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build
 # Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
--- a/scripts/services/guacamole/init.sh
+++ b/scripts/services/guacamole/init.sh
@ -0,0 +1,21 @@
 #!/bin/bash
 if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then
    echo "initdb.sql exists. Proceeding."
    exit 0
 fi
 mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1
 chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/
 docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
 # grab values in initdb.sql to replace
 HEXSTRINGS=($(egrep -o [0-9a-fA-F]{64} /opt/mistborn_volumes/extra/guacamole/init/initdb.sql))
 # reset default password in init.db
 SALT=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice('0123456789ABCDEF') for x in range(64)]))")
 GUAC_PASSWORD_HASHED=$(echo -n "${MISTBORN_DEFAULT_PASSWORD}${SALT}" | sha256sum | awk '{print $1}' | tr a-z A-Z)
 sed -i "s/${HEXSTRINGS[1]}/$SALT/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
 sed -i "s/${HEXSTRINGS[0]}/$GUAC_PASSWORD_HASHED/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
 sed -i "s/guacadmin/mistborn/g" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
--- a/scripts/services/jitsi/iptables_down.sh
+++ b/scripts/services/jitsi/iptables_down.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
 iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
--- a/scripts/services/jitsi/iptables_up.sh
+++ b/scripts/services/jitsi/iptables_up.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
 iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
--- a/scripts/subinstallers/cockpit.sh
+++ b/scripts/subinstallers/cockpit.sh
@ -16,9 +16,11 @@ fi
 sudo -E apt-get install -y cockpit
-if $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ; then
+if [ $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ]; then
    # no longer supported upstream in Ubuntu 20.04
    sudo -E apt-get install -y cockpit-docker
 elif [ $(sudo apt-cache show cockpit-podman > /dev/null 2>&1) ]; then
    sudo -E apt-get install -y cockpit-podman
 fi
 sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf
--- a/scripts/subinstallers/docker.sh
+++ b/scripts/subinstallers/docker.sh
@ -18,3 +18,6 @@ fi
 if [ ! -f /usr/local/bin/docker-compose ]; then
    sudo -E ln -s $(which docker-compose) /usr/local/bin/docker-compose
 fi
 # daemon.json
 #source ./scripts/subinstallers/docker_daemon.sh
--- a/scripts/subinstallers/docker_daemon.sh
+++ b/scripts/subinstallers/docker_daemon.sh
@ -0,0 +1,7 @@
 #!/bin/bash
 # daemon.json
 if [ ! -f /etc/docker/daemon.json ]; then
    sudo -E cp ./scripts/conf/docker-daemon.json /etc/docker/daemon.json
    sudo -E systemctl restart docker
 fi
--- a/scripts/subinstallers/docker_manual.sh
+++ b/scripts/subinstallers/docker_manual.sh
@ -63,6 +63,7 @@ echo "Installing Docker Compose"
 # Install Docker Compose from pip
 # This might take a while
-sudo pip3 install docker-compose
+# cryptography >=3.4 requires rust to compile, and no rust compiler is readily available for ARM
 sudo pip3 install cryptography==3.3.2 docker-compose
 #fi
--- a/scripts/subinstallers/extra/bitwarden.sh
+++ b/scripts/subinstallers/extra/bitwarden.sh
@ -0,0 +1,6 @@
 #!/bin/bash
 # generate bitwarden .env files
 BITWARDEN_PROD_FILE="$1"
 echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
 echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
--- a/scripts/subinstallers/extra/guacamole.sh
+++ b/scripts/subinstallers/extra/guacamole.sh
@ -0,0 +1,13 @@
 #!/bin/bash
 # Guacamole
 GUAC_PROD_FILE="$1"
 GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE
 echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE
 echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE
 echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
 echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
 echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
 echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
 echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE
--- a/scripts/subinstallers/extra/jitsi.sh
+++ b/scripts/subinstallers/extra/jitsi.sh
@ -0,0 +1,12 @@
 #!/bin/bash
 # JITSI
 JITSI_PROD_FILE="$1"
 cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE
 mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
 sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
--- a/scripts/subinstallers/extra/nextcloud.sh
+++ b/scripts/subinstallers/extra/nextcloud.sh
@ -0,0 +1,9 @@
 #!/bin/bash
 # generate nextcloud .env files
 NEXTCLOUD_PROD_FILE="$1"
 #NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
 echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
 echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
 echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
--- a/scripts/subinstallers/extra/onlyoffice.sh
+++ b/scripts/subinstallers/extra/onlyoffice.sh
@ -0,0 +1,7 @@
 #!/bin/bash
 # generate onlyoffice .env files
 ONLYOFFICE_PROD_FILE="$1"
 JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}"
 echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
 echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
--- a/scripts/subinstallers/extra/rocketchat.sh
+++ b/scripts/subinstallers/extra/rocketchat.sh
@ -0,0 +1,13 @@
 #!/bin/bash
 # generate rocketchat .env files
 ROCKETCHAT_PROD_FILE="$1"
 #ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
 echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
 echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
 echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
 echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
 # docker environment
 echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE
--- a/scripts/subinstallers/gen_prod_env.sh
+++ b/scripts/subinstallers/gen_prod_env.sh
@ -1,9 +1,10 @@
-#!/bin/sh
+#!/bin/bash
 figlet "Mistborn: Container Credentials"
 # generate production .env file for Django
 mkdir -p ./.envs/.production
 chmod 700 ./.envs
 DJANGO_PROD_FILE="./.envs/.production/.django"
 DJANGO_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(50)]))")
 #CELERY_FLOWER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
@ -22,6 +23,7 @@ echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE
 echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE
 echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
 echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE
 chmod 600 $DJANGO_PROD_FILE
 # generate production .env file for postgresql
 POSTGRES_PROD_FILE="./.envs/.production/.postgres"
@ -31,6 +33,7 @@ echo "POSTGRES_PORT=5432" >> $POSTGRES_PROD_FILE
 echo "POSTGRES_DB=mistborn" >> $POSTGRES_PROD_FILE
 echo "POSTGRES_USER=prod" >> $POSTGRES_PROD_FILE
 echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> $POSTGRES_PROD_FILE
 chmod 600 $POSTGRES_PROD_FILE
 # generate production .env file for pihole
@ -39,42 +42,4 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole"
 WEBPASSWORD="$1"
 echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE
 echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE
-
+chmod 600 $PIHOLE_PROD_FILE
 # generate rocketchat .env files
 ROCKETCHAT_PROD_FILE="./.envs/.production/.rocketchat"
 #ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 ROCKETCHAT_PASSWORD="$1"
 echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
 echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
 echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
 echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
 # generate nextcloud .env files
 NEXTCLOUD_PROD_FILE="./.envs/.production/.nextcloud"
 #NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 NEXTCLOUD_PASSWORD="$1"
 echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
 echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
 echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
 # generate onlyoffice .env files
 ONLYOFFICE_PROD_FILE="./.envs/.production/.onlyoffice"
 JWT_SECRET="$1"
 echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
 echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
 # generate bitwarden .env files
 BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden"
 echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
 echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
 # JITSI
 JITSI_PROD_FILE="./.envs/.production/.jitsi"
 cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
 mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
 sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
--- a/scripts/subinstallers/iptables.sh
+++ b/scripts/subinstallers/iptables.sh
@ -113,6 +113,11 @@ fi
 # IP forwarding
 sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
 # VM Overcommit Memory
 sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf
 # Force re-read of sysctl.conf
 sudo sysctl -p /etc/sysctl.conf
 # rsyslog to create /var/log/iptables.log
--- a/scripts/subinstallers/openssl.sh
+++ b/scripts/subinstallers/openssl.sh
@ -17,7 +17,7 @@ sudo -E mkdir -p $KEY_FOLDER
 sudo -E rm -f ${KEY_FOLDER}/*
 # generate crt and key
-sudo -E openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -addext "subjectAltName = DNS:*.mistborn" -addext extendedKeyUsage=serverAuth -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
+sudo -E openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -addext "subjectAltName=DNS:*.mistborn,DNS:home.mistborn,DNS:jitsi.mistborn,DNS:bitwarden.mistborn,DNS:chat.mistborn,DNS:homeassistant.mistborn,DNS:jellyfin.mistborn,DNS:syncthing.mistborn,DNS:nextcloud.mistborn,DNS:onlyoffice.mistborn" -addext extendedKeyUsage=serverAuth -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
 # set permissions
 sudo -E chown -R mistborn:mistborn ${KEY_FOLDER}
--- a/scripts/subinstallers/passwd.sh
+++ b/scripts/subinstallers/passwd.sh
@ -0,0 +1,22 @@
 #!/bin/bash
 # INPUT default admin password
 while [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; do
    echo
    echo "(Mistborn) The default admin password may only container alphanumeric characters and _"
    read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD
    echo
    if [[ ${MISTBORN_DEFAULT_PASSWORD} =~ ^[A-Za-z0-9_]+$ ]]; then
    # it matches
        echo "(Mistborn) Password is accepted"
    else
        unset MISTBORN_DEFAULT_PASSWORD
        echo "(Mistborn) Try again"
    fi
 done
 echo
 echo "MISTBORN_DEFAULT_PASSWORD is set"
 echo
--- a/scripts/subinstallers/wireguard.sh
+++ b/scripts/subinstallers/wireguard.sh
@ -12,10 +12,10 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
    if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
        echo "Adding Wireguard repo keys"
        sudo -E apt-get install -y dirmngr
-        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
+        sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8B48AD6246925553
-        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
+        sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7638D0442B90D010
-        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
+        sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 04EE7237B7D453EC
-        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138 
+        sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 648ACFD622F3D138 
    fi
    if [ "$DISTRO" == "ubuntu" ]; then
--- a/scripts/update.sh
+++ b/scripts/update.sh
@ -18,6 +18,13 @@ sudo mistborn-cli pullbuild
 sudo docker container prune -f
 sudo docker image prune -f
 # RESTART
 sudo systemctl stop Mistborn-base
 # docker daemon
 #source ./scripts/subinstallers/docker_daemon.sh
 sudo systemctl restart Mistborn-setup
 sudo systemctl restart Mistborn-base
--- a/scripts/wrappers/mistborn_docker.sh
+++ b/scripts/wrappers/mistborn_docker.sh
@ -0,0 +1,46 @@
 #!/bin/bash
 set -e
 SERVICE="$1"
 shift
 export MISTBORN_HOME="/opt/mistborn"
 export MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE}
 export MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh
 # check and create file if needed
 ${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE}
 # read in variables
 set -a
 source ${MISTBORN_HOME}/.env
 if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then
    echo "Loading service variables"
    source ${MISTBORN_SERVICE_FILE}
 else
    echo "No service variables to load. Proceeding."
 fi
 set +a
 # init script
 if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then
    echo "Running init script"
    ${MISTBORN_SERVICE_INIT}
 else
    echo "No init script. Proceeding."
 fi
 # ensure base is up and listening
 echo "Waiting for Mistborn-base to finish starting up..."
 while ! nc -z 10.2.3.1 5000; do
    WAIT_TIME=$((5 + $RANDOM % 15))
    echo "Waiting ${WAIT_TIME} seconds for Mistborn-base..."
    sleep ${WAIT_TIME}
 done
 echo "Mistborn-base is running"
 exec "$@"