crappyrules
/
mistborn
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Merge branch 'master' into 28-raspap

merge-requests/73/head
Steven Foerster 5 years ago
parent
f2abb4776b 72ba1769aa
commit
c94c99fb86
44 changed files with 720 additions and 242 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      .gitlab-ci.yml
  2. 52
      README.md
  3. 29
      base.yml
  4. 2
      compose/production/tor/Dockerfile
  5. 2
      compose/production/traefik/dynamic.toml
  6. 72
      extra/guacamole.yml
  7. 123
      extra/jitsi-meet.yml
  8. 2
      extra/rocketchat.yml
  9. 4
      extra/tor.yml
  10. 3
      scripts/conf/docker-daemon.json
  11. 217
      scripts/conf/jitsi.env
  12. 35
      scripts/env/check_env_file.sh
  13. 40
      scripts/env/setup.sh
  14. 30
      scripts/install.sh
  15. 8
      scripts/services/Mistborn-bitwarden.service
  16. 23
      scripts/services/Mistborn-guacamole.service
  17. 8
      scripts/services/Mistborn-homeassistant.service
  18. 8
      scripts/services/Mistborn-jellyfin.service
  19. 16
      scripts/services/Mistborn-jitsi.service
  20. 10
      scripts/services/Mistborn-nextcloud.service
  21. 8
      scripts/services/Mistborn-onlyoffice.service
  22. 8
      scripts/services/Mistborn-rocketchat.service
  23. 8
      scripts/services/Mistborn-syncthing.service
  24. 8
      scripts/services/Mistborn-tor.service
  25. 21
      scripts/services/guacamole/init.sh
  26. 4
      scripts/services/jitsi/iptables_down.sh
  27. 4
      scripts/services/jitsi/iptables_up.sh
  28. 4
      scripts/subinstallers/cockpit.sh
  29. 3
      scripts/subinstallers/docker.sh
  30. 7
      scripts/subinstallers/docker_daemon.sh
  31. 3
      scripts/subinstallers/docker_manual.sh
  32. 6
      scripts/subinstallers/extra/bitwarden.sh
  33. 13
      scripts/subinstallers/extra/guacamole.sh
  34. 12
      scripts/subinstallers/extra/jitsi.sh
  35. 9
      scripts/subinstallers/extra/nextcloud.sh
  36. 7
      scripts/subinstallers/extra/onlyoffice.sh
  37. 13
      scripts/subinstallers/extra/rocketchat.sh
  38. 45
      scripts/subinstallers/gen_prod_env.sh
  39. 5
      scripts/subinstallers/iptables.sh
  40. 2
      scripts/subinstallers/openssl.sh
  41. 22
      scripts/subinstallers/passwd.sh
  42. 8
      scripts/subinstallers/wireguard.sh
  43. 7
      scripts/update.sh
  44. 46
      scripts/wrappers/mistborn_docker.sh

3
.gitlab-ci.yml
Unescape View File

@ -17,7 +17,8 @@ include: @@ -17,7 +17,8 @@ include:
docker_build:
stage: test
script:
- apk add bash
- apk add docker-compose
- scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD"
- bash scripts/subinstallers/gen_prod_env.sh "$MISTBORN_DEFAULT_PASSWORD"
- docker-compose -f base.yml build

52
README.md
Unescape View File

@ -3,6 +3,10 @@ A secure platform for easily standing up and managing your own cloud services: i @@ -3,6 +3,10 @@ A secure platform for easily standing up and managing your own cloud services: i
![Mistborn Wireguard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*Wireguard Management in Mistborn*
As featured in [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) (Linux Pro Magazine in North America) in November 2020
![Mistborn Featured in Linux Magazine](https://gitlab.com/cyber5k/public/-/raw/master/graphics/linux-magazine-cover-nov-2020.jpg "Mistborn featured in Linux Magazine November 2020")
# Table of Contents
[[_TOC_]]
@ -22,6 +26,8 @@ Ideal for teams who: @@ -22,6 +26,8 @@ Ideal for teams who:
- want to limit or stop data collecting services
- want to prevent being detected/blocked for using a proxy or VPN service
See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see the network scan results for Mistborn.
Mistborn depends on these core open source technologies:
- [Docker](https://www.docker.com/why-docker): containerization
- [Wireguard](https://www.wireguard.com): secure VPN access
@ -44,6 +50,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b @@ -44,6 +50,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b
- [Jellyfin](https://jellyfin.org): The Free Media Software System.
- [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy.
- [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing
- [Guacamole](https://guacamole.apache.org): A clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH.
# Quickstart
Tested Operating Systems (in order of thoroughness):
@ -63,7 +70,7 @@ The Mistborn docker images exist for these architectures: @@ -63,7 +70,7 @@ The Mistborn docker images exist for these architectures:
| Mistborn Docker Images (hub.docker.com) | Architectures |
|------------------------------------------------|---------------------|
| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, arm/v7 |
| mistborn (django, celery{worker,beat}) | amd64, arm64, arm/v7 |
| dnscrypt-proxy | amd64, arm64, arm/v7 |
Recommended System Specifications:
@ -99,6 +106,8 @@ Mistborn protects your data in a variety of ways: @@ -99,6 +106,8 @@ Mistborn protects your data in a variety of ways:
- The Mistborn firewall blocks unsolicited incoming internet packets
- Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.)
See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see more network diagrams and the network scan results for Mistborn.
# Coppercloud
Pihole provides a way to block outgoing DNS requests for given lists of blocked domains. Coppercloud provides a way to block outgoing network calls of all types to given lists of IP addresses (IPv4 only for now). This is especially useful for blocking outgoing telemetry (data and state sharing) to owners of software running on all of your devices.
@ -119,6 +128,15 @@ In Mistborn, Gateways are upstream from the VPN server so connections to third-p @@ -119,6 +128,15 @@ In Mistborn, Gateways are upstream from the VPN server so connections to third-p
The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads.
# Remote Desktop
Remote desktops enable multiple users to share desktop resources and data. Remote desktops also enable groups to prevent sensitive data from ever entering an endpoint devices such as a smartphone. For reference, some United States Government regulations require controls to protect Controlled Unclassified Information (CUI) that are not feasible to implement on all endpoint devices and remote desktops prevent the data from entering the device (see NIST SP 800-171 3.1.19, CMMC AC.3.022).
Mistborn enables remote desktop access via the Apache Guacamole extra service, which supports VNC, RDP, SSH, and other protocols.
![Guacamole Recent Connections](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_connections.png)
Guacamole implements its own users and groups access controls to manage access to individual desktops. All Mistborn users must be authenticated with Mistborn (via Wireguard only or MFA) to access the Guacamole interface.
# Client to client communication
By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle.
@ -245,8 +263,10 @@ Internet access is blocked via iptables until authentication is completed for an @@ -245,8 +263,10 @@ Internet access is blocked via iptables until authentication is completed for an
![Mistborn Multi Factor Authentication - Token Prompt](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_token_enter.png)*Mistborn Multi Factor Authentication - Token Prompt*
### MFA Mistborn Service Access
Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will redirect you to [http://home.mistborn](http://home.mistborn) where you must complete the authentication process. Click "Sign Out" to re-block access until authentication completes again.
### MFA Mistborn Service Access - Fixed on 4 December 2020
Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will produce a "Mistborn: Not authorized" HTTP 403. Click "Sign Out" to re-block access until authentication completes again.
![Mistborn Multi Factor Authentication - Not Authorized](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_not_authorized.png)*Mistborn Multi Factor Authentication - Not Authorized (Login Incomplete)*
### Notes
- **Sessions**: Traefik checks the authenticated sessions on the server side to determine whether to allow access to the Mistborn service web pages. If an open session exists for your Mistborn IP address then access will be granted. You may close all sessions by clicking "Sign Out" on the Mistborn home page. Expired sessions are regularly cleaned by the Mistborn system (celery periodic task).
@ -267,6 +287,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client @@ -267,6 +287,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client
| Syncthing | syncthing.mistborn | Off |
| OnlyOffice | onlyoffice.mistborn | Off |
| Jitsi | jitsi.mistborn | Off |
| Guacamole | guac.mistborn | Off |
# Default Credentials
These are the default credentials to use in the services you choose to use:
@ -276,6 +297,7 @@ These are the default credentials to use in the services you choose to use: @@ -276,6 +297,7 @@ These are the default credentials to use in the services you choose to use:
| Pihole | | {{default mistborn password}} |
| Cockpit | cockpit | {{default mistborn password}} |
| Nextcloud | mistborn | {{default mistborn password}} |
| Guacamole | mistborn | {{default mistborn password }} |
You can find the credentials sent to the Docker containers in: `/opt/mistborn/.envs/.production/`
@ -322,7 +344,7 @@ But wait, there's more! You can: @@ -322,7 +344,7 @@ But wait, there's more! You can:
| Jitsi Meet | [Jitsi Meet](https://play.google.com/store/apps/details?id=org.jitsi.meet) | [Jitsi Meet](https://apps.apple.com/us/app/jitsi-meet/id1165103905) |
| Bitwarden | [Bitwarden](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) | [Bitwarden](https://apps.apple.com/us/app/bitwarden-password-manager/id1137397744) |
| Jellyfin | [Jellyfin](https://play.google.com/store/apps/details?id=org.jellyfin.mobile) | [Jellyfin](https://apps.apple.com/us/app/jellyfin-mobile/id1480192618) |
| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) | |
| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) | [Home Assistant](https://apps.apple.com/us/app/home-assistant/id1099568401) |
| Rocket.Chat | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android) | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252) |
## TLS Certificate
@ -435,6 +457,7 @@ sudo journalctl -xfu Mistborn-syncthing @@ -435,6 +457,7 @@ sudo journalctl -xfu Mistborn-syncthing
sudo journalctl -xfu Mistborn-jellyfin
sudo journalctl -xfu Mistborn-nextcloud
sudo journalctl -xfu Mistborn-jitsi
sudo journalctl -xfu Mistborn-guacamole
sudo journalctl -xfu Mistborn-rocketchat
sudo journalctl -xfu Mistborn-onlyoffice
sudo journalctl -xfu Mistborn-tor
@ -474,6 +497,9 @@ Run updates and restart before installing Mistborn (`sudo apt-get update && sudo @@ -474,6 +497,9 @@ Run updates and restart before installing Mistborn (`sudo apt-get update && sudo
These are some notes regarding the technical design and implementations of Mistborn. Feel free to contact me for additional details.
## Attack Surface
See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki entry.
- **Wireguard**: Wireguard is the only way in to Mistborn. When new Wireguard profiles are generated they are attached to a random UDP port. Wireguard does not respond to unauthenticated traffic. External probes on the active Wireguard listening ports are not logged and do not appear on the Metrics page.
- **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the Wireguard tunnels) is allowed. Password authentication is allowed. The SSH key for the `mistborn` user is only accepted from internal source IP addresses. Fail2ban is also installed.
- **Traefik**: Iptables closes web ports (TCP 80 and 443) from external access and additonally all web interfaces are behind the Traefik reverse-proxy. All web requests (e.g. home.mistborn) must be resolved by Mistborn DNS (Pihole/dnsmasq) and originate from a Wireguard tunnel.
@ -492,19 +518,23 @@ These are some notes regarding the technical design and implementations of Mistb @@ -492,19 +518,23 @@ These are some notes regarding the technical design and implementations of Mistb
- The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days.
- Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked.
- Unattended upgrades are set to automatically install operating system security updates.
- Ownership of mistborn files is set to the system mistborn user and access to environment variables is disabled for users other than the owner.
# Roadmap
# Roadmap (not necessarily in order)
Many features and refinements are in the works at various stages including:
- Option to upload metrics information to Cyber5K to refine each Mistborn instance's firewall
- Option to email default admin Wireguard config file
- Adding more extra services (e.g. Gitlab, Game Servers, etc.)
- Cyber5K marketplace to share Gateway access (to fixed IP addresses or domains, and for a fixed amount of time)
- Mistborn managing wireless interfaces for local access points (stripped down RaspAP)
- Optional periodic backup of local Mistborn config files and credentials to Cyber5K
- Plugins for Extra Services (enabling third-party development)
- Plugin repository
- IPv6 support
- Integration with RaspAP to enable managing an Access Point for local network connections
- Internal network scan tool and feedback
- Anomaly detection in network traffic
# Featured In
- [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) November 2020 (featuring Mistborn version from early May 2020)
- [Awesome Open Source](https://www.youtube.com/watch?v=hekP0_crotw) July 2020 (featuring Mistborn version from early July 2020)
# Follow
You can find recent bugfixes, functional additions, some extra documentation and more at the Cyber5K Patreon page: [https://www.patreon.com/cyber5k](https://www.patreon.com/cyber5k)

29
base.yml
Unescape View File

@ -145,22 +145,22 @@ services: @@ -145,22 +145,22 @@ services:
restart: unless-stopped
flower:
image: "cyber5k/mistborn:${MISTBORN_TAG}"
container_name: mistborn_production_flower
env_file:
- ./.envs/.production/.django
- ./.envs/.production/.postgres
ports:
- "5555:5555/tcp"
command: /start-flower
restart: unless-stopped
#flower:
# image: "cyber5k/mistborn:${MISTBORN_TAG}"
# container_name: mistborn_production_flower
# env_file:
# - ./.envs/.production/.django
# - ./.envs/.production/.postgres
# ports:
# - "5555:5555/tcp"
# command: /start-flower
# restart: unless-stopped
pihole:
container_name: mistborn_production_pihole
image: pihole/pihole:latest
env_file:
- /opt/mistborn_volumes/base/base.txt
- ./.envs/.production/.pihole
ports:
- "${MISTBORN_DNS_BIND_IP}:53:53/tcp"
- "${MISTBORN_DNS_BIND_IP}:53:53/udp"
@ -168,11 +168,12 @@ services: @@ -168,11 +168,12 @@ services:
- "traefik.enable=true"
- "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)"
- "traefik.http.routers.pihole-http.entrypoints=web"
- "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file,add-pihole-admin"
- "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)"
- "traefik.http.routers.pihole-https.entrypoints=websecure"
- "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file,add-pihole-admin"
- "traefik.http.routers.pihole-https.tls.certresolver=basic"
- "traefik.http.middlewares.add-pihole-admin.addPrefix.prefix=/admin"
- "traefik.http.services.pihole-service.loadbalancer.server.port=80"
environment:
- ServerIP=10.2.0.3
@ -182,8 +183,6 @@ services: @@ -182,8 +183,6 @@ services:
- DNSMASQ_LISTENING=all
# TZ: 'America/New York'
# Volumes store your data between container upgrades
env_file:
- ./.envs/.production/.pihole
volumes:
- ../mistborn_volumes/base/pihole/etc-pihole:/etc/pihole/
- ../mistborn_volumes/base/pihole/etc-dnsmasqd:/etc/dnsmasq.d/

2
compose/production/tor/Dockerfile
Unescape View File

@ -7,7 +7,7 @@ RUN apk update \ @@ -7,7 +7,7 @@ RUN apk update \
EXPOSE 9150
ADD ./compose/production/tor/torrc /etc/tor/torrc
ADD ./torrc /etc/tor/torrc
USER tor
CMD /usr/bin/tor -f /etc/tor/torrc

2
compose/production/traefik/dynamic.toml
Unescape View File

@ -18,7 +18,7 @@ @@ -18,7 +18,7 @@
rule = "Host(`cockpit.mistborn`)"
service = "cockpit"
entrypoints = ["web", "websecure"]
#middlewares =
middlewares = ["mistborn_auth"]
[http.middlewares]
[http.middlewares.mistborn_auth.forwardAuth]

72
extra/guacamole.yml
Unescape View File

@ -0,0 +1,72 @@ @@ -0,0 +1,72 @@
version: '3'
# services
services:
# guacd
guacd:
container_name: mistborn_production_guacd
image: guacamole/guacd
networks:
guacnetwork:
restart: unless-stopped
volumes:
- ../../mistborn_volumes/extra/guacamole/drive:/drive:rw
- ../../mistborn_volumes/extra/guacamole/record:/record:rw
# postgres
guac_postgres:
container_name: mistborn_production_guac_postgres
env_file:
- ../.envs/.production/.guacamole
environment:
PGDATA: /var/lib/postgresql/data/guacamole
image: postgres
networks:
guacnetwork:
restart: unless-stopped
volumes:
- ../../mistborn_volumes/extra/guacamole/init:/docker-entrypoint-initdb.d:ro
- ../../mistborn_volumes/extra/guacamole/data:/var/lib/postgresql/data:rw
# guacamole
guacamole:
container_name: mistborn_production_guacamole
labels:
- "traefik.enable=true"
- "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)"
- "traefik.http.routers.guacamole-http.entrypoints=web"
- "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole"
- "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)"
- "traefik.http.routers.guacamole-https.entrypoints=websecure"
- "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole"
- "traefik.http.routers.guacamole-https.tls.certresolver=basic"
- "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole"
- "traefik.http.services.guacamole-service.loadbalancer.server.port=8080"
depends_on:
- guacd
- guac_postgres
environment:
GUACD_HOSTNAME: guacd
GUACD_PORT: 4822
#GUACAMOLE_HOME: /config
env_file:
- ../.envs/.production/.guacamole
image: guacamole/guacamole
links:
- guacd
networks:
guacnetwork:
#ports:
## enable next line if not using nginx
## - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /.
## enable next line when using nginx
#- 8080/tcp
restart: unless-stopped
# networks
# create a network 'guacnetwork' in mode 'bridged'
networks:
guacnetwork:
driver: bridge

123
extra/jitsi-meet.yml
Unescape View File

@ -3,7 +3,8 @@ version: '3' @@ -3,7 +3,8 @@ version: '3'
services:
# Frontend
jitsi-web:
image: jitsi/web
image: jitsi/web:latest
restart: unless-stopped
#ports:
#- '${HTTP_PORT}:80'
#- '${HTTPS_PORT}:443'
@ -18,59 +19,115 @@ services: @@ -18,59 +19,115 @@ services:
- "traefik.http.routers.jitsi-https.tls.certresolver=basic"
- "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}"
volumes:
- ${CONFIG}/web:/config
- ${CONFIG}/web/letsencrypt:/etc/letsencrypt
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
- ${CONFIG}/web:/config:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- ENABLE_AUTH
- ENABLE_GUESTS
- ENABLE_LETSENCRYPT
- ENABLE_HTTP_REDIRECT
- ENABLE_TRANSCRIPTIONS
- ENABLE_XMPP_WEBSOCKET
- DISABLE_HTTPS
- JICOFO_AUTH_USER
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- PUBLIC_URL
- XMPP_DOMAIN
- TZ
- AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS
- BRIDGE_CHANNEL
- BRANDING_DATA_URL
- CALLSTATS_CUSTOM_SCRIPT_URL
- CALLSTATS_ID
- CALLSTATS_SECRET
- CHROME_EXTENSION_BANNER_JSON
- CONFCODE_URL
- CONFIG_EXTERNAL_CONNECT
- DEPLOYMENTINFO_ENVIRONMENT
- DEPLOYMENTINFO_ENVIRONMENT_TYPE
- DEPLOYMENTINFO_USERREGION
- DIALIN_NUMBERS_URL
- DIALOUT_AUTH_URL
- DIALOUT_CODES_URL
- DROPBOX_APPKEY
- DROPBOX_REDIRECT_URI
- ENABLE_AUDIO_PROCESSING
- ENABLE_AUTH
- ENABLE_CALENDAR
- ENABLE_FILE_RECORDING_SERVICE
- ENABLE_FILE_RECORDING_SERVICE_SHARING
- ENABLE_GUESTS
- ENABLE_IPV6
- ENABLE_LIPSYNC
- ENABLE_NO_AUDIO_DETECTION
- ENABLE_P2P
- ENABLE_PREJOIN_PAGE
- ENABLE_RECORDING
- ENABLE_REMB
- ENABLE_REQUIRE_DISPLAY_NAME
- ENABLE_SIMULCAST
- ENABLE_STATS_ID
- ENABLE_STEREO
- ENABLE_SUBDOMAINS
- ENABLE_TALK_WHILE_MUTED
- ENABLE_TCC
- ENABLE_TRANSCRIPTIONS
- ETHERPAD_PUBLIC_URL
- ETHERPAD_URL_BASE
- GOOGLE_ANALYTICS_ID
- GOOGLE_API_APP_CLIENT_ID
- INVITE_SERVICE_URL
- JICOFO_AUTH_USER
- MATOMO_ENDPOINT
- MATOMO_SITE_ID
- MICROSOFT_API_APP_CLIENT_ID
- NGINX_RESOLVER
- NGINX_WORKER_PROCESSES
- NGINX_WORKER_CONNECTIONS
- PEOPLE_SEARCH_URL
- RESOLUTION
- RESOLUTION_MIN
- RESOLUTION_WIDTH
- RESOLUTION_WIDTH_MIN
- START_AUDIO_ONLY
- START_AUDIO_MUTED
- START_BITRATE
- START_VIDEO_MUTED
- TESTING_CAP_SCREENSHARE_BITRATE
- TESTING_OCTO_PROBABILITY
- XMPP_AUTH_DOMAIN
- XMPP_BOSH_URL_BASE
- XMPP_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- ETHERPAD_URL_BASE
- TZ
- JIBRI_BREWERY_MUC
- JIBRI_PENDING_TIMEOUT
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JIBRI_RECORDER_USER
- JIBRI_RECORDER_PASSWORD
- ENABLE_RECORDING
- TOKEN_AUTH_URL
networks:
default:
meet.jitsi:
aliases:
- ${XMPP_DOMAIN}
restart: unless-stopped
# XMPP server
jitsi-prosody:
image: jitsi/prosody
image: jitsi/prosody:latest
restart: unless-stopped
expose:
- '5222'
- '5347'
- '5280'
volumes:
- ${CONFIG}/prosody:/config
- ${CONFIG}/prosody/config:/config:Z
- ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- AUTH_TYPE
- ENABLE_AUTH
- ENABLE_GUESTS
- ENABLE_LOBBY
- ENABLE_XMPP_WEBSOCKET
- GLOBAL_MODULES
- GLOBAL_CONFIG
- LDAP_URL
@ -95,6 +152,7 @@ services: @@ -95,6 +152,7 @@ services:
- XMPP_MUC_MODULES
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- XMPP_CROSS_DOMAIN
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
@ -115,25 +173,28 @@ services: @@ -115,25 +173,28 @@ services:
- JWT_AUTH_TYPE
- JWT_TOKEN_AUTH_MODULE
- LOG_LEVEL
- PUBLIC_URL
- TZ
networks:
meet.jitsi:
aliases:
- ${XMPP_SERVER}
restart: unless-stopped
# Focus component
jitsi-jicofo:
image: jitsi/jicofo
image: jitsi/jicofo:latest
restart: unless-stopped
volumes:
- ${CONFIG}/jicofo:/config
- ${CONFIG}/jicofo:/config:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- AUTH_TYPE
- ENABLE_AUTH
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_SERVER
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
@ -141,6 +202,7 @@ services: @@ -141,6 +202,7 @@ services:
- JICOFO_RESERVATION_REST_BASE_URL
- JVB_BREWERY_MUC
- JIGASI_BREWERY_MUC
- JIGASI_SIP_URI
- JIBRI_BREWERY_MUC
- JIBRI_PENDING_TIMEOUT
- TZ
@ -148,16 +210,16 @@ services: @@ -148,16 +210,16 @@ services:
- jitsi-prosody
networks:
meet.jitsi:
restart: unless-stopped
# Video bridge
jitsi-jvb:
image: jitsi/jvb
image: jitsi/jvb:latest
restart: unless-stopped
ports:
- '${JVB_PORT}:${JVB_PORT}/udp'
- '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
volumes:
- ${CONFIG}/jvb:/config
- ${CONFIG}/jvb:/config:Z
env_file:
- ../.envs/.production/.jitsi
environment:
@ -171,14 +233,19 @@ services: @@ -171,14 +233,19 @@ services:
- JVB_PORT
- JVB_TCP_HARVESTER_DISABLED
- JVB_TCP_PORT
- JVB_TCP_MAPPED_PORT
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
- JVB_WS_DOMAIN
- JVB_WS_SERVER_ID
- PUBLIC_URL
- TZ
depends_on:
- jitsi-prosody
networks:
meet.jitsi:
restart: unless-stopped
aliases:
- jvb.meet.jitsi
# Custom network so all services can communicate using a FQDN
networks:

2
extra/rocketchat.yml
Unescape View File

@ -64,7 +64,7 @@ services: @@ -64,7 +64,7 @@ services:
- ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts
# this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier
ports:
- 3001:8080/tcp
- "${MISTBORN_BIND_IP}:3001:8080/tcp"
networks:
default:

4
extra/tor.yml
Unescape View File

@ -3,8 +3,8 @@ version: '3' @@ -3,8 +3,8 @@ version: '3'
services:
tor-client:
build:
context: ..
dockerfile: ./compose/production/tor/Dockerfile
context: ../compose/production/tor
dockerfile: ./Dockerfile
image: mistborn_production_tor
container_name: mistborn_production_tor
ports:

3
scripts/conf/docker-daemon.json
Unescape View File

@ -0,0 +1,3 @@ @@ -0,0 +1,3 @@
{
"shutdown-timeout": 60
}

217
scripts/conf/jitsi.env
Unescape View File

@ -1,61 +1,116 @@ @@ -1,61 +1,116 @@
# shellcheck disable=SC2034
# Security
#
# Set these to strong passwords to avoid intruders from impersonating a service account
# The service(s) won't start unless these are specified
# Running ./gen-passwords.sh will update .env with strong passwords
# You may skip the Jigasi and Jibri passwords if you are not using those
# DO NOT reuse passwords
#
# XMPP component password for Jicofo
JICOFO_COMPONENT_SECRET=
# XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=
# XMPP password for JVB client connections
JVB_AUTH_PASSWORD=
# XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=
# XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=
# XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=
#
# Basic configuration options
#
# Directory where all configuration will be stored.
# Directory where all configuration will be stored
#CONFIG=~/.jitsi-meet-cfg
CONFIG=../.envs/.production/.jitsi-cfg
# Exposed HTTP port.
# Exposed HTTP port
HTTP_PORT=80
# Exposed HTTPS port.
HTTPS_PORT=8443
# Exposed HTTPS port
HTTPS_PORT=443
# System time zone.
TZ=Europe/Amsterdam
# System time zone
TZ=UTC
# Public URL for the web service.
#PUBLIC_URL=https://meet.example.com
# Public URL for the web service (required)
PUBLIC_URL=https://jitsi.mistborn
# IP address of the Docker host. See the "Running on a LAN environment" section
# in the README.
# IP address of the Docker host
# See the "Running behind NAT or on a LAN environment" section in the Handbook:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
#DOCKER_HOST_ADDRESS=192.168.1.1
DOCKER_HOST_ADDRESS=10.2.3.1
# Control whether the lobby feature should be enabled or not
#ENABLE_LOBBY=1
# Show a prejoin page before entering a conference
#ENABLE_PREJOIN_PAGE=0
#
# Let's Encrypt configuration
#
# Enable Let's Encrypt certificate generation.
# Enable Let's Encrypt certificate generation
#ENABLE_LETSENCRYPT=1
# Domain for which to generate the certificate.
# Domain for which to generate the certificate
#LETSENCRYPT_DOMAIN=meet.example.com
# E-Mail for receiving important account notifications (mandatory).
# E-Mail for receiving important account notifications (mandatory)
#LETSENCRYPT_EMAIL=alice@atlanta.net
# Use the staging server (for avoiding rate limits while testing)
#LETSENCRYPT_USE_STAGING=1
#
# Etherpad integration (for document sharing)
#
# Set etherpad-lite URL (uncomment to enable).
# Set etherpad-lite URL in docker local network (uncomment to enable)
#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
# Set etherpad-lite public URL (uncomment to enable)
#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
# Name your etherpad instance!
ETHERPAD_TITLE="Video Chat"
# The default text of a pad
ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
# Name of the skin for etherpad
ETHERPAD_SKIN_NAME="colibris"
# Skin variants for etherpad
ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
#
# Basic Jigasi configuration options (needed for SIP gateway support)
#
# SIP URI for incoming / outgoing calls.
# SIP URI for incoming / outgoing calls
#JIGASI_SIP_URI=test@sip2sip.info
# Password for the specified SIP account as a clear text
#JIGASI_SIP_PASSWORD=passw0rd
# SIP server (use the SIP account domain if in doubt).
# SIP server (use the SIP account domain if in doubt)
#JIGASI_SIP_SERVER=sip2sip.info
# SIP server port
@ -65,13 +120,13 @@ DOCKER_HOST_ADDRESS=10.2.3.1 @@ -65,13 +120,13 @@ DOCKER_HOST_ADDRESS=10.2.3.1
#JIGASI_SIP_TRANSPORT=UDP
#
# Authentication configuration (see README for details)
# Authentication configuration (see handbook for details)
#
# Enable authentication.
# Enable authentication
#ENABLE_AUTH=1
# Enable guest access.
# Enable guest access
#ENABLE_GUESTS=1
# Select authentication type: internal, jwt or ldap
@ -80,38 +135,38 @@ DOCKER_HOST_ADDRESS=10.2.3.1 @@ -80,38 +135,38 @@ DOCKER_HOST_ADDRESS=10.2.3.1
# JWT authentication
#
# Application identifier.
# Application identifier
#JWT_APP_ID=my_jitsi_app_id
# Application secret known only to your token.
# Application secret known only to your token
#JWT_APP_SECRET=my_jitsi_app_secret
# (Optional) Set asap_accepted_issuers as a comma separated list.
# (Optional) Set asap_accepted_issuers as a comma separated list
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
# (Optional) Set asap_accepted_audiences as a comma separated list.
# (Optional) Set asap_accepted_audiences as a comma separated list
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
#
# LDAP url for connection.
# LDAP url for connection
#LDAP_URL=ldaps://ldap.domain.com/
# LDAP base DN. Can be empty
#LDAP_BASE=DC=example,DC=domain,DC=com
# LDAP user DN. Do not specify this parameter for the anonymous bind.
# LDAP user DN. Do not specify this parameter for the anonymous bind
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
# LDAP user password. Do not specify this parameter for the anonymous bind.
# LDAP user password. Do not specify this parameter for the anonymous bind
#LDAP_BINDPW=LdapUserPassw0rd
# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
# %s - %s is replaced by the complete service string.
# %r - %r is replaced by the complete realm string.
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
# %s - %s is replaced by the complete service string
# %r - %r is replaced by the complete realm string
#LDAP_FILTER=(sAMAccountName=%u)
# LDAP authentication method
@ -123,16 +178,16 @@ DOCKER_HOST_ADDRESS=10.2.3.1 @@ -123,16 +178,16 @@ DOCKER_HOST_ADDRESS=10.2.3.1
# LDAP TLS using
#LDAP_USE_TLS=1
# List of SSL/TLS ciphers to allow.
# List of SSL/TLS ciphers to allow
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=1
# Path to CA cert file. Used when server sertificate verify is enabled.
# Path to CA cert file. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
# Path to CA certs directory. Used when server sertificate verify is enabled.
# Path to CA certs directory. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
@ -143,7 +198,7 @@ DOCKER_HOST_ADDRESS=10.2.3.1 @@ -143,7 +198,7 @@ DOCKER_HOST_ADDRESS=10.2.3.1
# Advanced configuration options (you generally don't need to change these)
#
# Internal XMPP domain.
# Internal XMPP domain
XMPP_DOMAIN=meet.jitsi
# Internal XMPP server
@ -152,18 +207,22 @@ XMPP_SERVER=xmpp.meet.jitsi @@ -152,18 +207,22 @@ XMPP_SERVER=xmpp.meet.jitsi
# Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
# Internal XMPP domain for authenticated services.
# Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.meet.jitsi
# XMPP domain for the MUC.
# XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.meet.jitsi
# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools.
# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
# XMPP domain for unauthenticated users.
# XMPP domain for unauthenticated users
XMPP_GUEST_DOMAIN=guest.meet.jitsi
# Comma separated list of domains for cross domain policy or "true" to allow all
# The PUBLIC_URL is always allowed
#XMPP_CROSS_DOMAIN=true
# Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=
@ -173,17 +232,14 @@ XMPP_MUC_MODULES= @@ -173,17 +232,14 @@ XMPP_MUC_MODULES=
# Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=
# MUC for the JVB pool.
# MUC for the JVB pool
JVB_BREWERY_MUC=jvbbrewery
# XMPP user for JVB client connections.
# XMPP user for JVB client connections
JVB_AUTH_USER=jvb
# XMPP password for JVB client connections.
JVB_AUTH_PASSWORD=passw0rd
# STUN servers used to discover the server's public IP.
JVB_STUN_SERVERS=stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302
# STUN servers used to discover the server's public IP
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
# Media port for the Jitsi Videobridge
JVB_PORT=10000
@ -191,36 +247,32 @@ JVB_PORT=10000 @@ -191,36 +247,32 @@ JVB_PORT=10000
# TCP Fallback for Jitsi Videobridge for when UDP isn't available
JVB_TCP_HARVESTER_DISABLED=true
JVB_TCP_PORT=4443
JVB_TCP_MAPPED_PORT=4443
# A comma separated list of APIs to enable when the JVB is started. The default is none.
# A comma separated list of APIs to enable when the JVB is started [default: none]
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
#JVB_ENABLE_APIS=rest,colibri
# XMPP component password for Jicofo.
JICOFO_COMPONENT_SECRET=s3cr37
# XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug.
# XMPP user for Jicofo client connections.
# NOTE: this option doesn't currently work due to a bug
JICOFO_AUTH_USER=focus
# XMPP password for Jicofo client connections.
JICOFO_AUTH_PASSWORD=passw0rd
# Base URL of Jicofo's reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
# XMPP user for Jigasi MUC client connections.
JIGASI_XMPP_USER=jigasi
# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
#JICOFO_ENABLE_HEALTH_CHECKS=true
# XMPP password for Jigasi MUC client connections.
JIGASI_XMPP_PASSWORD=passw0rd
# XMPP user for Jigasi MUC client connections
JIGASI_XMPP_USER=jigasi
# MUC name for the Jigasi pool.
# MUC name for the Jigasi pool
JIGASI_BREWERY_MUC=jigasibrewery
# Minimum port for media used by Jigasi.
# Minimum port for media used by Jigasi
JIGASI_PORT_MIN=20000
# Maximum port for media used by Jigasi.
# Maximum port for media used by Jigasi
JIGASI_PORT_MAX=20050
# Enable SDES srtp
@ -235,20 +287,21 @@ JIGASI_PORT_MAX=20050 @@ -235,20 +287,21 @@ JIGASI_PORT_MAX=20050
# Health-check interval
#JIGASI_HEALTH_CHECK_INTERVAL=300000
#
# Enable Jigasi transcription.
# Enable Jigasi transcription
#ENABLE_TRANSCRIPTIONS=1
# Jigasi will recordord an audio when transcriber is on. Default false.
# Jigasi will record audio when transcriber is on [default: false]
#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
# Jigasi will send transcribed text to the chat when transcriber is on. Default false.
# Jigasi will send transcribed text to the chat when transcriber is on [default: false]
#JIGASI_TRANSCRIBER_SEND_TXT=true
# Jigasi post to the chat an url with transcription file. Default false.
# Jigasi will post an url to the chat with transcription file [default: false]
#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
# Credentials for connect to Cloud Google API from Jigasi
# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph.
# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
# section "Before you begin" paragraph 1 to 5
# Copy the values from the json to the related env vars
#GC_PROJECT_ID=
#GC_PRIVATE_KEY_ID=
@ -263,25 +316,19 @@ JIGASI_PORT_MAX=20050 @@ -263,25 +316,19 @@ JIGASI_PORT_MAX=20050
# XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
# XMPP recorder user for Jibri client connections.
# XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder
# XMPP recorder password for Jibri client connections.
JIBRI_RECORDER_PASSWORD=passw0rd
# Directory for recordings inside Jibri container.
# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings
# The finalizing script. Will run after recording is complete.
# The finalizing script. Will run after recording is complete
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
# XMPP user for Jibri client connections.
# XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri
# XMPP password for Jibri client connections.
JIBRI_XMPP_PASSWORD=passw0rd
# MUC name for the Jibri pool.
# MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery
# MUC connection timeout
@ -294,14 +341,26 @@ JIBRI_PENDING_TIMEOUT=90 @@ -294,14 +341,26 @@ JIBRI_PENDING_TIMEOUT=90
# So if there are any prefixes in the jid (like jitsi meet, which
# has its participants join a muc at conference.xmpp_domain) then
# list that prefix here so it can be stripped out to generate
# the call url correctly.
# the call url correctly
JIBRI_STRIP_DOMAIN_JID=muc
# Directory for logs inside Jibri container.
# Directory for logs inside Jibri container
JIBRI_LOGS_DIR=/config/logs
# Disable HTTPS. This can be useful if TLS connections are going to be handled outside of this setup.
# Disable HTTPS: handle TLS connections outside of this setup
DISABLE_HTTPS=1
# Redirects HTTP traffic to HTTPS. Only works with the standard HTTPS port (443).
# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
#ENABLE_HTTP_REDIRECT=1
# Enable IPv6
# Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
#ENABLE_IPV6=1
# Container restart policy
# Defaults to unless-stopped
RESTART_POLICY=unless-stopped
# Authenticate using external service or just focus external auth window if there is one already.
# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}

35
scripts/env/check_env_file.sh vendored
Unescape View File

@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
#!/bin/bash
set -e
SERVICE="$1"
export MISTBORN_HOME=/opt/mistborn
export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh"
export SERVICE_ENV_FILE="${MISTBORN_HOME}/.envs/.production/.${SERVICE}"
# read in global variables
set -a
source ${MISTBORN_HOME}/.env
source ${MISTBORN_HOME}/.envs/.production/.django
source ${MISTBORN_HOME}/.envs/.production/.postgres
source ${MISTBORN_HOME}/.envs/.production/.pihole
set +a
if [[ -f "${SERVICE_ENV_INSTALLER}" ]]; then
if [[ -f "${SERVICE_ENV_FILE}" ]]; then
echo "Environment file already exists."
else
# create env file for service
echo "Creating environment file"
source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE
chown mistborn:mistborn $SERVICE_ENV_FILE
chmod 600 $SERVICE_ENV_FILE
fi
else
echo "No subinstaller found."
fi

40
scripts/env/setup.sh vendored
Unescape View File

@ -4,15 +4,29 @@ @@ -4,15 +4,29 @@
VAR_FILE=/opt/mistborn/.env
# load env variables
source /opt/mistborn/scripts/subinstallers/platform.sh
# setup env file
echo "" | sudo tee ${VAR_FILE}
sudo chown mistborn:mistborn ${VAR_FILE}
sudo chmod 600 ${VAR_FILE}
# MISTBORN_DNS_BIND_IP
MISTBORN_DNS_BIND_IP="10.2.3.1"
#if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
# MISTBORN_DNS_BIND_IP="10.2.3.1"
#fi
echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee ${VAR_FILE}
sudo chown mistborn:mistborn ${VAR_FILE}
echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee -a ${VAR_FILE}
# MISTBORN_BIND_IP
echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE}
# MISTBORN_TAG
GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master")
MISTBORN_TAG="latest"
@ -22,13 +36,29 @@ fi @@ -22,13 +36,29 @@ fi
echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
#### install and base services
iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
#### SERVICE files
# default interface
# copy current service files to systemd (overwriting as needed)
sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
# set script user and owner
sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
# reload in case the iface is not immediately set
sudo systemctl daemon-reload
#### install and base services
iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]')
## cannot be empty
while [[ -z "$iface" ]]; do
sleep 2
iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]')
done
# default interface
sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE}
sudo systemctl daemon-reload

30
scripts/install.sh
Unescape View File

@ -59,13 +59,18 @@ echo -e "| | | | \__ \ |_| |_) | (_) | | | | | |" @@ -59,13 +59,18 @@ echo -e "| | | | \__ \ |_| |_) | (_) | | | | | |"
echo -e "|_| |_|_|___/\__|_.__/ \___/|_| |_| |_|"
echo -e ""
# INPUT default admin password
if [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; then
read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD
echo
else
echo "MISTBORN_DEFAULT_PASSWORD is already set"
fi
sudo rm -rf /opt/mistborn 2>/dev/null || true
# clone to /opt and change directory
echo "Cloning $GIT_BRANCH branch from mistborn repo"
sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn
sudo chown -R $USER:$USER /opt/mistborn
pushd .
cd /opt/mistborn
git submodule update --init --recursive
# MISTBORN_DEFAULT_PASSWORD
source ./scripts/subinstallers/passwd.sh
# Install Cockpit?
if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then
@ -85,16 +90,6 @@ else @@ -85,16 +90,6 @@ else
echo "SSH key exists for $USER"
fi
sudo rm -rf /opt/mistborn 2>/dev/null || true
# clone to /opt and change directory
echo "Cloning $GIT_BRANCH branch from mistborn repo"
sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn
sudo chown -R $USER:$USER /opt/mistborn
pushd .
cd /opt/mistborn
git submodule update --init --recursive
# initial load update package list
sudo apt-get update
@ -248,6 +243,7 @@ sudo resolvconf -u 1>/dev/null 2>&1 @@ -248,6 +243,7 @@ sudo resolvconf -u 1>/dev/null 2>&1
echo "backup up original volumes folder"
sudo mkdir -p ../mistborn_backup
sudo chmod 700 ../mistborn_backup
sudo tar -czf ../mistborn_backup/mistborn_volumes_backup.tar.gz ../mistborn_volumes 1>/dev/null 2>&1
# clean docker

8
scripts/services/Mistborn-bitwarden.service
Unescape View File

@ -2,20 +2,22 @@ @@ -2,20 +2,22 @@
Description=Mistborn Bitwarden Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
# Start container when unit is started
ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
# Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
# Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP

23
scripts/services/Mistborn-guacamole.service
Unescape View File

@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
[Unit]
Description=Mistborn Guacamole
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
# Post stop
[Install]
WantedBy=multi-user.target

8
scripts/services/Mistborn-homeassistant.service
Unescape View File

@ -2,19 +2,21 @@ @@ -2,19 +2,21 @@
Description=Mistborn Home Assistant
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
# Start container when unit is started
ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
# Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
# Post stop
[Install]

8
scripts/services/Mistborn-jellyfin.service
Unescape View File

@ -2,19 +2,21 @@ @@ -2,19 +2,21 @@
Description=Mistborn Jellyfin Service
Requires=Mistborn-nextcloud.service
After=Mistborn-nextcloud.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
# Start container when unit is started
ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
# Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
# Post stop
[Install]

16
scripts/services/Mistborn-jitsi.service
Unescape View File

@ -2,26 +2,26 @@ @@ -2,26 +2,26 @@
Description=Mistborn Jitsi Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
# Shutdown container (if running) when unit is stopped
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
# Start container when unit is started
ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
# Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
# Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh
[Install]
WantedBy=multi-user.target

10
scripts/services/Mistborn-nextcloud.service
Unescape View File

@ -2,19 +2,21 @@ @@ -2,19 +2,21 @@
Description=Mistborn Nextcloud Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
User=www-data
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
# Start container when unit is started
ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
# Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
# Post stop
[Install]

8
scripts/services/Mistborn-onlyoffice.service
Unescape View File

@ -2,19 +2,21 @@ @@ -2,19 +2,21 @@
Description=Mistborn OnlyOffice Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
# Start container when unit is started
ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
# Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
# Post stop
[Install]

8
scripts/services/Mistborn-rocketchat.service
Unescape View File

@ -2,20 +2,22 @@ @@ -2,20 +2,22 @@
Description=Mistborn Rocket Chat Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
# Start container when unit is started
ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
# Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
# Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP

8
scripts/services/Mistborn-syncthing.service
Unescape View File

@ -2,21 +2,23 @@ @@ -2,21 +2,23 @@
Description=Mistborn Syncthing Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
# Start container when unit is started
ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
# Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
# Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP

8
scripts/services/Mistborn-tor.service
Unescape View File

@ -2,20 +2,22 @@ @@ -2,20 +2,22 @@
Description=Mistborn Tor Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
# Start container when unit is started
ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --build
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build
# Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
# Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP

21
scripts/services/guacamole/init.sh
Unescape View File

@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
#!/bin/bash
if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then
echo "initdb.sql exists. Proceeding."
exit 0
fi
mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1
chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/
docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
# grab values in initdb.sql to replace
HEXSTRINGS=($(egrep -o [0-9a-fA-F]{64} /opt/mistborn_volumes/extra/guacamole/init/initdb.sql))
# reset default password in init.db
SALT=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice('0123456789ABCDEF') for x in range(64)]))")
GUAC_PASSWORD_HASHED=$(echo -n "${MISTBORN_DEFAULT_PASSWORD}${SALT}" | sha256sum | awk '{print $1}' | tr a-z A-Z)
sed -i "s/${HEXSTRINGS[1]}/$SALT/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
sed -i "s/${HEXSTRINGS[0]}/$GUAC_PASSWORD_HASHED/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
sed -i "s/guacadmin/mistborn/g" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql

4
scripts/services/jitsi/iptables_down.sh
Unescape View File

@ -0,0 +1,4 @@ @@ -0,0 +1,4 @@
#!/bin/bash
iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP

4
scripts/services/jitsi/iptables_up.sh
Unescape View File

@ -0,0 +1,4 @@ @@ -0,0 +1,4 @@
#!/bin/bash
iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP

4
scripts/subinstallers/cockpit.sh
Unescape View File

@ -16,9 +16,11 @@ fi @@ -16,9 +16,11 @@ fi
sudo -E apt-get install -y cockpit
if $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ; then
if [ $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ]; then
# no longer supported upstream in Ubuntu 20.04
sudo -E apt-get install -y cockpit-docker
elif [ $(sudo apt-cache show cockpit-podman > /dev/null 2>&1) ]; then
sudo -E apt-get install -y cockpit-podman
fi
sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf

3
scripts/subinstallers/docker.sh
Unescape View File

@ -18,3 +18,6 @@ fi @@ -18,3 +18,6 @@ fi
if [ ! -f /usr/local/bin/docker-compose ]; then
sudo -E ln -s $(which docker-compose) /usr/local/bin/docker-compose
fi
# daemon.json
#source ./scripts/subinstallers/docker_daemon.sh

7
scripts/subinstallers/docker_daemon.sh
Unescape View File

@ -0,0 +1,7 @@ @@ -0,0 +1,7 @@
#!/bin/bash
# daemon.json
if [ ! -f /etc/docker/daemon.json ]; then
sudo -E cp ./scripts/conf/docker-daemon.json /etc/docker/daemon.json
sudo -E systemctl restart docker
fi

3
scripts/subinstallers/docker_manual.sh
Unescape View File

@ -63,6 +63,7 @@ echo "Installing Docker Compose" @@ -63,6 +63,7 @@ echo "Installing Docker Compose"
# Install Docker Compose from pip
# This might take a while
sudo pip3 install docker-compose
# cryptography >=3.4 requires rust to compile, and no rust compiler is readily available for ARM
sudo pip3 install cryptography==3.3.2 docker-compose
#fi

6
scripts/subinstallers/extra/bitwarden.sh
Unescape View File

@ -0,0 +1,6 @@ @@ -0,0 +1,6 @@
#!/bin/bash
# generate bitwarden .env files
BITWARDEN_PROD_FILE="$1"
echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE

13
scripts/subinstallers/extra/guacamole.sh
Unescape View File

@ -0,0 +1,13 @@ @@ -0,0 +1,13 @@
#!/bin/bash
# Guacamole
GUAC_PROD_FILE="$1"
GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE
echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE
echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE
echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE

12
scripts/subinstallers/extra/jitsi.sh
Unescape View File

@ -0,0 +1,12 @@ @@ -0,0 +1,12 @@
#!/bin/bash
# JITSI
JITSI_PROD_FILE="$1"
cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE
mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"

9
scripts/subinstallers/extra/nextcloud.sh
Unescape View File

@ -0,0 +1,9 @@ @@ -0,0 +1,9 @@
#!/bin/bash
# generate nextcloud .env files
NEXTCLOUD_PROD_FILE="$1"
#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE

7
scripts/subinstallers/extra/onlyoffice.sh
Unescape View File

@ -0,0 +1,7 @@ @@ -0,0 +1,7 @@
#!/bin/bash
# generate onlyoffice .env files
ONLYOFFICE_PROD_FILE="$1"
JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}"
echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE

13
scripts/subinstallers/extra/rocketchat.sh
Unescape View File

@ -0,0 +1,13 @@ @@ -0,0 +1,13 @@
#!/bin/bash
# generate rocketchat .env files
ROCKETCHAT_PROD_FILE="$1"
#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
# docker environment
echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE

45
scripts/subinstallers/gen_prod_env.sh
Unescape View File

@ -1,9 +1,10 @@ @@ -1,9 +1,10 @@
#!/bin/sh
#!/bin/bash
figlet "Mistborn: Container Credentials"
# generate production .env file for Django
mkdir -p ./.envs/.production
chmod 700 ./.envs
DJANGO_PROD_FILE="./.envs/.production/.django"
DJANGO_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(50)]))")
#CELERY_FLOWER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
@ -22,6 +23,7 @@ echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE @@ -22,6 +23,7 @@ echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE
echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE
echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE
chmod 600 $DJANGO_PROD_FILE
# generate production .env file for postgresql
POSTGRES_PROD_FILE="./.envs/.production/.postgres"
@ -31,6 +33,7 @@ echo "POSTGRES_PORT=5432" >> $POSTGRES_PROD_FILE @@ -31,6 +33,7 @@ echo "POSTGRES_PORT=5432" >> $POSTGRES_PROD_FILE
echo "POSTGRES_DB=mistborn" >> $POSTGRES_PROD_FILE
echo "POSTGRES_USER=prod" >> $POSTGRES_PROD_FILE
echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> $POSTGRES_PROD_FILE
chmod 600 $POSTGRES_PROD_FILE
# generate production .env file for pihole
@ -39,42 +42,4 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole" @@ -39,42 +42,4 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole"
WEBPASSWORD="$1"
echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE
echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE
# generate rocketchat .env files
ROCKETCHAT_PROD_FILE="./.envs/.production/.rocketchat"
#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
ROCKETCHAT_PASSWORD="$1"
echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
# generate nextcloud .env files
NEXTCLOUD_PROD_FILE="./.envs/.production/.nextcloud"
#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
NEXTCLOUD_PASSWORD="$1"
echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
# generate onlyoffice .env files
ONLYOFFICE_PROD_FILE="./.envs/.production/.onlyoffice"
JWT_SECRET="$1"
echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
# generate bitwarden .env files
BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden"
echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
# JITSI
JITSI_PROD_FILE="./.envs/.production/.jitsi"
cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
chmod 600 $PIHOLE_PROD_FILE

5
scripts/subinstallers/iptables.sh
Unescape View File

@ -113,6 +113,11 @@ fi @@ -113,6 +113,11 @@ fi
# IP forwarding
sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
# VM Overcommit Memory
sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf
# Force re-read of sysctl.conf
sudo sysctl -p /etc/sysctl.conf
# rsyslog to create /var/log/iptables.log

2
scripts/subinstallers/openssl.sh
Unescape View File

@ -17,7 +17,7 @@ sudo -E mkdir -p $KEY_FOLDER @@ -17,7 +17,7 @@ sudo -E mkdir -p $KEY_FOLDER
sudo -E rm -f ${KEY_FOLDER}/*
# generate crt and key
sudo -E openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -addext "subjectAltName = DNS:*.mistborn" -addext extendedKeyUsage=serverAuth -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
sudo -E openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -addext "subjectAltName=DNS:*.mistborn,DNS:home.mistborn,DNS:jitsi.mistborn,DNS:bitwarden.mistborn,DNS:chat.mistborn,DNS:homeassistant.mistborn,DNS:jellyfin.mistborn,DNS:syncthing.mistborn,DNS:nextcloud.mistborn,DNS:onlyoffice.mistborn" -addext extendedKeyUsage=serverAuth -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
# set permissions
sudo -E chown -R mistborn:mistborn ${KEY_FOLDER}

22
scripts/subinstallers/passwd.sh
Unescape View File

@ -0,0 +1,22 @@ @@ -0,0 +1,22 @@
#!/bin/bash
# INPUT default admin password
while [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; do
echo
echo "(Mistborn) The default admin password may only container alphanumeric characters and _"
read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD
echo
if [[ ${MISTBORN_DEFAULT_PASSWORD} =~ ^[A-Za-z0-9_]+$ ]]; then
# it matches
echo "(Mistborn) Password is accepted"
else
unset MISTBORN_DEFAULT_PASSWORD
echo "(Mistborn) Try again"
fi
done
echo
echo "MISTBORN_DEFAULT_PASSWORD is set"
echo

8
scripts/subinstallers/wireguard.sh
Unescape View File

@ -12,10 +12,10 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then @@ -12,10 +12,10 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
echo "Adding Wireguard repo keys"
sudo -E apt-get install -y dirmngr
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8B48AD6246925553
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7638D0442B90D010
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 04EE7237B7D453EC
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 648ACFD622F3D138
fi
if [ "$DISTRO" == "ubuntu" ]; then

7
scripts/update.sh
Unescape View File

@ -18,6 +18,13 @@ sudo mistborn-cli pullbuild @@ -18,6 +18,13 @@ sudo mistborn-cli pullbuild
sudo docker container prune -f
sudo docker image prune -f
# RESTART
sudo systemctl stop Mistborn-base
# docker daemon
#source ./scripts/subinstallers/docker_daemon.sh
sudo systemctl restart Mistborn-setup
sudo systemctl restart Mistborn-base

46
scripts/wrappers/mistborn_docker.sh
Unescape View File

@ -0,0 +1,46 @@ @@ -0,0 +1,46 @@
#!/bin/bash
set -e
SERVICE="$1"
shift
export MISTBORN_HOME="/opt/mistborn"
export MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE}
export MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh
# check and create file if needed
${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE}
# read in variables
set -a
source ${MISTBORN_HOME}/.env
if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then
echo "Loading service variables"
source ${MISTBORN_SERVICE_FILE}
else
echo "No service variables to load. Proceeding."
fi
set +a
# init script
if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then
echo "Running init script"
${MISTBORN_SERVICE_INIT}
else
echo "No init script. Proceeding."
fi
# ensure base is up and listening
echo "Waiting for Mistborn-base to finish starting up..."
while ! nc -z 10.2.3.1 5000; do
WAIT_TIME=$((5 + $RANDOM % 15))
echo "Waiting ${WAIT_TIME} seconds for Mistborn-base..."
sleep ${WAIT_TIME}
done
echo "Mistborn-base is running"
exec "$@"
Write Preview
Loading…
Cancel
Save