Merge branch '28-raspap' into 'master'

Resolve "Integrate RaspAP as extra service"

Closes #28

See merge request cyber5k/mistborn!73

README.md

@@ -51,6 +51,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b
 - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy.
 - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing
 - [Guacamole](https://guacamole.apache.org): A clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH.
+- [RaspAP](https://raspap.com/): The easiest, full-featured wireless router setup for Debian-based devices. Period. (Mistborn integration in alpha testing).
 
 # Quickstart
 Tested Operating Systems (in order of thoroughness):
@@ -288,6 +289,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client
 | OnlyOffice | onlyoffice.mistborn | Off |
 | Jitsi | jitsi.mistborn | Off |
 | Guacamole | guac.mistborn | Off |
+| RaspAP | raspap.mistborn | Off |
 
 # Default Credentials
 These are the default credentials to use in the services you choose to use:
@@ -298,6 +300,7 @@ These are the default credentials to use in the services you choose to use:
 | Cockpit | cockpit | {{default mistborn password}} |
 | Nextcloud | mistborn | {{default mistborn password}} |
 | Guacamole | mistborn | {{default mistborn password }} |
+| RaspAP | mistborn | {{default mistborn password}} |
 
 You can find the credentials sent to the Docker containers in: `/opt/mistborn/.envs/.production/`
 

extra/raspap.yml

@@ -2,12 +2,9 @@ version: '3'
 
 services:
   raspap:
-    build:
+    image: "cyber5k/raspap:${MISTBORN_TAG}"
-      context: ..
-      dockerfile: ./compose/production/raspap/Dockerfile
-    #user: root
-    image: mistborn_production_raspap
     container_name: mistborn_production_raspap
+    #network_mode: host
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)"
@@ -19,10 +16,16 @@ services:
       - "traefik.http.routers.raspap-https.tls.certresolver=basic"
       - "traefik.http.services.raspap-service.loadbalancer.server.port=80"
     env_file:
-      - ../.envs/.production/.pihole
+      - ../.envs/.production/.raspap
-    command: /start
+    cap_add:
+      #- NET_ADMIN
+      - SYS_ADMIN
+      #- CAP_FOWNER
+    privileged: true
     volumes:
-      - ../../mistborn_volumes/extra/raspap/etc-raspap:/etc/raspap
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    #command: /start
+    restart: unless-stopped
 
 networks:
   default:

scripts/services/Mistborn-raspap.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Mistborn RaspAP Service 
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP
+#ExecStartPre=/bin/bash /opt/mistborn_volumes/extra/raspap/etc-raspap/hostapd/servicestart.sh --interface uap0 --seconds 3
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down
+
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP
+# Post stop
+
+[Install]
+WantedBy=multi-user.target

scripts/services/raspap/Mistborn-raspap.service

@@ -1,21 +0,0 @@
-[Unit]
-Description=Mistborn RaspAP Service 
-Requires=Mistborn-base.service
-After=Mistborn-base.service
-
-[Service]
-Restart=always
-User=root
-Group=docker
-PermissionsStartOnly=true
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/raspap.yml down
-
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/raspap.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/raspap.yml down
-# Post stop
-
-[Install]
-WantedBy=multi-user.target

scripts/services/raspap/install.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-
-# install on gateway
-sudo apt-get install -y hostapd vnstat

scripts/subinstallers/extra/bitwarden.sh

@@ -3,4 +3,5 @@
 # generate bitwarden .env files
 BITWARDEN_PROD_FILE="$1"
 echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
-echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
+echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
+chmod 600 $BITWARDEN_PROD_FILE

scripts/subinstallers/extra/guacamole.sh

@@ -10,4 +10,5 @@ echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
 echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
 echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
 echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
-echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE
+echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE
+chmod 600 $GUAC_PROD_FILE

scripts/subinstallers/extra/jitsi.sh

@@ -9,4 +9,5 @@ sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secre
 sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
-sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+chmod 600 $JITSI_PROD_FILE

scripts/subinstallers/extra/nextcloud.sh

@@ -6,4 +6,5 @@ NEXTCLOUD_PROD_FILE="$1"
 NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
 echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
 echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
-echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
+echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
+chmod 600 $NEXTCLOUD_PROD_FILE

scripts/subinstallers/extra/onlyoffice.sh

@@ -4,4 +4,5 @@
 ONLYOFFICE_PROD_FILE="$1"
 JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}"
 echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
-echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
+echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
+chmod 600 $ONLYOFFICE_PROD_FILE

scripts/subinstallers/extra/raspap.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# RaspAP
+RASPAP_PROD_FILE="$1"
+echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" > $RASPAP_PROD_FILE
+chmod 600 $RASPAP_PROD_FILE

scripts/subinstallers/extra/rocketchat.sh

@@ -10,4 +10,6 @@ echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
 echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
 
 # docker environment
-echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE
+echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE
+
+chmod 600 $ROCKETCHAT_PROD_FILE