From 442b43f472ec1b94726a83fd62debbefebe0c518 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 27 Feb 2021 00:50:21 +0000 Subject: [PATCH 01/21] Resolve "Add Apache Guacamole service" --- README.md | 6 +- extra/guacamole.yml | 71 +++++++++++++++++++++ scripts/env/guacamole_init.sh | 16 +++++ scripts/services/Mistborn-guacamole.service | 24 +++++++ scripts/subinstallers/gen_prod_env.sh | 12 ++++ 5 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 extra/guacamole.yml create mode 100755 scripts/env/guacamole_init.sh create mode 100644 scripts/services/Mistborn-guacamole.service diff --git a/README.md b/README.md index e5afaa0..3026cd5 100644 --- a/README.md +++ b/README.md @@ -50,6 +50,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b - [Jellyfin](https://jellyfin.org): The Free Media Software System. - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy. - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing +- [Guacamole](https://guacamole.apache.org): A clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH. # Quickstart Tested Operating Systems (in order of thoroughness): @@ -69,7 +70,7 @@ The Mistborn docker images exist for these architectures: | Mistborn Docker Images (hub.docker.com) | Architectures | |------------------------------------------------|---------------------| -| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, arm/v7 | +| mistborn (django, celery{worker,beat}) | amd64, arm64, arm/v7 | | dnscrypt-proxy | amd64, arm64, arm/v7 | Recommended System Specifications: @@ -277,6 +278,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client | Syncthing | syncthing.mistborn | Off | | OnlyOffice | onlyoffice.mistborn | Off | | Jitsi | jitsi.mistborn | Off | +| Guacamole | guac.mistborn | Off | # Default Credentials These are the default credentials to use in the services you choose to use: @@ -286,6 +288,7 @@ These are the default credentials to use in the services you choose to use: | Pihole | | {{default mistborn password}} | | Cockpit | cockpit | {{default mistborn password}} | | Nextcloud | mistborn | {{default mistborn password}} | +| Guacamole | mistborn | {{default mistborn password }} | You can find the credentials sent to the Docker containers in: `/opt/mistborn/.envs/.production/` @@ -445,6 +448,7 @@ sudo journalctl -xfu Mistborn-syncthing sudo journalctl -xfu Mistborn-jellyfin sudo journalctl -xfu Mistborn-nextcloud sudo journalctl -xfu Mistborn-jitsi +sudo journalctl -xfu Mistborn-guacamole sudo journalctl -xfu Mistborn-rocketchat sudo journalctl -xfu Mistborn-onlyoffice sudo journalctl -xfu Mistborn-tor diff --git a/extra/guacamole.yml b/extra/guacamole.yml new file mode 100644 index 0000000..f3310a7 --- /dev/null +++ b/extra/guacamole.yml @@ -0,0 +1,71 @@ +version: '3' + +# services +services: + # guacd + guacd: + container_name: mistborn_production_guacd + image: guacamole/guacd + networks: + guacnetwork: + restart: unless-stopped + volumes: + - ../../mistborn_volumes/extra/guacamole/drive:/drive:rw + - ../../mistborn_volumes/extra/guacamole/record:/record:rw + + + # postgres + guac_postgres: + container_name: mistborn_production_guac_postgres + env_file: + - ../.envs/.production/.guacamole + environment: + PGDATA: /var/lib/postgresql/data/guacamole + image: postgres + networks: + guacnetwork: + restart: unless-stopped + volumes: + - ../../mistborn_volumes/extra/guacamole/init:/docker-entrypoint-initdb.d:ro + - ../../mistborn_volumes/extra/guacamole/data:/var/lib/postgresql/data:rw + + + # guacamole + guacamole: + container_name: mistborn_production_guacamole + labels: + - "traefik.enable=true" + - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)" + - "traefik.http.routers.guacamole-http.entrypoints=web" + - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)" + - "traefik.http.routers.guacamole-https.entrypoints=websecure" + - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.guacamole-https.tls.certresolver=basic" + - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080" + depends_on: + - guacd + - guac_postgres + environment: + GUACD_HOSTNAME: guacd + GUACD_PORT: 4822 + #GUACAMOLE_HOME: /config + env_file: + - ../.envs/.production/.guacamole + image: guacamole/guacamole + links: + - guacd + networks: + guacnetwork: + #ports: +## enable next line if not using nginx +## - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /. +## enable next line when using nginx + #- 8080/tcp + restart: unless-stopped + +# networks +# create a network 'guacnetwork' in mode 'bridged' +networks: + guacnetwork: + driver: bridge diff --git a/scripts/env/guacamole_init.sh b/scripts/env/guacamole_init.sh new file mode 100755 index 0000000..50c846f --- /dev/null +++ b/scripts/env/guacamole_init.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1 +chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/ +docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql + +# grab values in initdb.sql to replace +HEXSTRINGS=($(egrep -o [0-9a-fA-F]{64} /opt/mistborn_volumes/extra/guacamole/init/initdb.sql)) + +# reset default password in init.db +SALT=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice('0123456789ABCDEF') for x in range(64)]))") +GUAC_PASSWORD_HASHED=$(echo -n "${MISTBORN_DEFAULT_PASSWORD}${SALT}" | sha256sum | awk '{print $1}' | tr a-z A-Z) + +sed -i "s/${HEXSTRINGS[1]}/$SALT/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql +sed -i "s/${HEXSTRINGS[0]}/$GUAC_PASSWORD_HASHED/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql +sed -i "s/guacadmin/mistborn/g" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql \ No newline at end of file diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service new file mode 100644 index 0000000..be4f9f1 --- /dev/null +++ b/scripts/services/Mistborn-guacamole.service @@ -0,0 +1,24 @@ +[Unit] +Description=Mistborn Guacamole +Requires=Mistborn-base.service +After=Mistborn-base.service +PartOf=Mistborn-base.service + +[Service] +Restart=always +User=root +Group=docker +PermissionsStartOnly=true +EnvironmentFile=/opt/mistborn/.envs/.production/.guacamole +ExecStartPre=/opt/mistborn/scripts/env/guacamole_init.sh +# Shutdown container (if running) when unit is stopped +ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down + +# Start container when unit is started +ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml up --build +# Stop container when unit is stopped +ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down +# Post stop + +[Install] +WantedBy=multi-user.target diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index ef9bab6..bc06297 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -78,3 +78,15 @@ sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; im sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" + +# Guacamole +GUAC_PROD_FILE="./.envs/.production/.guacamole" +GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE +echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE +echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE +echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE +echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE +echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE +echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file From c2f42d6794463524478d2b6dcf6d04ba3b011a1b Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 27 Feb 2021 17:48:43 +0000 Subject: [PATCH 02/21] Resolve "Guacamole details and prefix" --- README.md | 9 +++++++++ base.yml | 9 ++++----- extra/guacamole.yml | 5 +++-- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 3026cd5..cf6f56f 100644 --- a/README.md +++ b/README.md @@ -128,6 +128,15 @@ In Mistborn, Gateways are upstream from the VPN server so connections to third-p The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads. +# Remote Desktop +Remote desktops enable multiple users to share desktop resources and data. Remote desktops also enable groups to prevent sensitive data from ever entering an endpoint devices such as a smartphone. For reference, some United States Government regulations require controls to protect Controlled Unclassified Information (CUI) that are not feasible to implement on all endpoint devices and remote desktops prevent the data from entering the device (see NIST SP 800-171 3.1.19, CMMC AC.3.022). + +Mistborn enables remote desktop access via the Apache Guacamole extra service, which supports VNC, RDP, SSH, and other protocols. + +![Guacamole Recent Connections](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_connections.png) + +Guacamole implements its own users and groups access controls to manage access to individual desktops. All Mistborn users must be authenticated with Mistborn (via Wireguard only or MFA) to access the Guacamole interface. + # Client to client communication By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle. diff --git a/base.yml b/base.yml index ba22052..d7945a7 100644 --- a/base.yml +++ b/base.yml @@ -160,7 +160,7 @@ services: container_name: mistborn_production_pihole image: pihole/pihole:v5.5.1 env_file: - - /opt/mistborn_volumes/base/base.txt + - ./.envs/.production/.pihole ports: - "${MISTBORN_DNS_BIND_IP}:53:53/tcp" - "${MISTBORN_DNS_BIND_IP}:53:53/udp" @@ -168,11 +168,12 @@ services: - "traefik.enable=true" - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)" - "traefik.http.routers.pihole-http.entrypoints=web" - - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file,add-pihole-admin" - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)" - "traefik.http.routers.pihole-https.entrypoints=websecure" - - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file,add-pihole-admin" - "traefik.http.routers.pihole-https.tls.certresolver=basic" + - "traefik.http.middlewares.add-pihole-admin.addPrefix.prefix=/admin" - "traefik.http.services.pihole-service.loadbalancer.server.port=80" environment: - ServerIP=10.2.0.3 @@ -182,8 +183,6 @@ services: - DNSMASQ_LISTENING=all # TZ: 'America/New York' # Volumes store your data between container upgrades - env_file: - - ./.envs/.production/.pihole volumes: - ../mistborn_volumes/base/pihole/etc-pihole:/etc/pihole/ - ../mistborn_volumes/base/pihole/etc-dnsmasqd:/etc/dnsmasq.d/ diff --git a/extra/guacamole.yml b/extra/guacamole.yml index f3310a7..59a83ac 100644 --- a/extra/guacamole.yml +++ b/extra/guacamole.yml @@ -37,11 +37,12 @@ services: - "traefik.enable=true" - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)" - "traefik.http.routers.guacamole-http.entrypoints=web" - - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole" - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)" - "traefik.http.routers.guacamole-https.entrypoints=websecure" - - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole" - "traefik.http.routers.guacamole-https.tls.certresolver=basic" + - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole" - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080" depends_on: - guacd From b44a5431720b4e01f2b10b7fbbe575250248a8e4 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 28 Feb 2021 00:33:15 -0500 Subject: [PATCH 03/21] updates --- README.md | 2 +- base.yml | 2 +- extra/jitsi-meet.yml | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index cf6f56f..d99a238 100644 --- a/README.md +++ b/README.md @@ -344,7 +344,7 @@ But wait, there's more! You can: | Jitsi Meet | [Jitsi Meet](https://play.google.com/store/apps/details?id=org.jitsi.meet) | [Jitsi Meet](https://apps.apple.com/us/app/jitsi-meet/id1165103905) | | Bitwarden | [Bitwarden](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) | [Bitwarden](https://apps.apple.com/us/app/bitwarden-password-manager/id1137397744) | | Jellyfin | [Jellyfin](https://play.google.com/store/apps/details?id=org.jellyfin.mobile) | [Jellyfin](https://apps.apple.com/us/app/jellyfin-mobile/id1480192618) | -| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) | | +| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) | [Home Assistant](https://apps.apple.com/us/app/home-assistant/id1099568401) | | Rocket.Chat | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android) | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252) | ## TLS Certificate diff --git a/base.yml b/base.yml index d7945a7..2b19d53 100644 --- a/base.yml +++ b/base.yml @@ -158,7 +158,7 @@ services: pihole: container_name: mistborn_production_pihole - image: pihole/pihole:v5.5.1 + image: pihole/pihole:latest env_file: - ./.envs/.production/.pihole ports: diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml index 5670540..421f2a3 100644 --- a/extra/jitsi-meet.yml +++ b/extra/jitsi-meet.yml @@ -3,7 +3,7 @@ version: '3' services: # Frontend jitsi-web: - image: jitsi/web:stable-5142-3 + image: jitsi/web:latest restart: unless-stopped #ports: #- '${HTTP_PORT}:80' @@ -111,7 +111,7 @@ services: # XMPP server jitsi-prosody: - image: jitsi/prosody:stable-5142-3 + image: jitsi/prosody:latest restart: unless-stopped expose: - '5222' @@ -182,7 +182,7 @@ services: # Focus component jitsi-jicofo: - image: jitsi/jicofo:stable-5142-3 + image: jitsi/jicofo:latest restart: unless-stopped volumes: - ${CONFIG}/jicofo:/config:Z @@ -213,7 +213,7 @@ services: # Video bridge jitsi-jvb: - image: jitsi/jvb:stable-5142-3 + image: jitsi/jvb:latest restart: unless-stopped ports: - '${JVB_PORT}:${JVB_PORT}/udp' From 49bad9c7baa6bd4decb63c402148c9e4b184441f Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 3 Mar 2021 17:21:45 +0000 Subject: [PATCH 04/21] Resolve "Updates - handle added extra services" --- README.md | 1 + scripts/env/check_env_file.sh | 35 ++++++++++++ scripts/env/setup.sh | 3 + scripts/install.sh | 1 + scripts/services/Mistborn-bitwarden.service | 6 +- scripts/services/Mistborn-guacamole.service | 8 +-- .../services/Mistborn-homeassistant.service | 6 +- scripts/services/Mistborn-jellyfin.service | 6 +- scripts/services/Mistborn-jitsi.service | 14 ++--- scripts/services/Mistborn-nextcloud.service | 8 +-- scripts/services/Mistborn-onlyoffice.service | 6 +- scripts/services/Mistborn-rocketchat.service | 7 +-- scripts/services/Mistborn-syncthing.service | 6 +- scripts/services/Mistborn-tor.service | 6 +- .../guacamole/init.sh} | 5 ++ scripts/services/jitsi/iptables_down.sh | 4 ++ scripts/services/jitsi/iptables_up.sh | 4 ++ scripts/subinstallers/extra/bitwarden.sh | 6 ++ scripts/subinstallers/extra/guacamole.sh | 13 +++++ scripts/subinstallers/extra/jitsi.sh | 12 ++++ scripts/subinstallers/extra/nextcloud.sh | 9 +++ scripts/subinstallers/extra/onlyoffice.sh | 7 +++ scripts/subinstallers/extra/rocketchat.sh | 13 +++++ scripts/subinstallers/gen_prod_env.sh | 55 ++----------------- scripts/wrappers/mistborn_docker.sh | 35 ++++++++++++ 25 files changed, 186 insertions(+), 90 deletions(-) create mode 100755 scripts/env/check_env_file.sh rename scripts/{env/guacamole_init.sh => services/guacamole/init.sh} (86%) create mode 100755 scripts/services/jitsi/iptables_down.sh create mode 100755 scripts/services/jitsi/iptables_up.sh create mode 100755 scripts/subinstallers/extra/bitwarden.sh create mode 100755 scripts/subinstallers/extra/guacamole.sh create mode 100755 scripts/subinstallers/extra/jitsi.sh create mode 100755 scripts/subinstallers/extra/nextcloud.sh create mode 100755 scripts/subinstallers/extra/onlyoffice.sh create mode 100755 scripts/subinstallers/extra/rocketchat.sh create mode 100755 scripts/wrappers/mistborn_docker.sh diff --git a/README.md b/README.md index d99a238..252331c 100644 --- a/README.md +++ b/README.md @@ -518,6 +518,7 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/ - The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days. - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked. - Unattended upgrades are set to automatically install operating system security updates. +- Ownership of mistborn files is set to the system mistborn user and access to environment variables is disabled for users other than the owner. # Roadmap (not necessarily in order) Many features and refinements are in the works at various stages including: diff --git a/scripts/env/check_env_file.sh b/scripts/env/check_env_file.sh new file mode 100755 index 0000000..e3bafb1 --- /dev/null +++ b/scripts/env/check_env_file.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +set -e + +SERVICE="$1" + +export MISTBORN_HOME=/opt/mistborn +export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh" +export SERVICE_ENV_FILE="${MISTBORN_HOME}/.envs/.production/.${SERVICE}" + +# read in global variables +set -a +source ${MISTBORN_HOME}/.env +source ${MISTBORN_HOME}/.envs/.production/.django +source ${MISTBORN_HOME}/.envs/.production/.postgres +source ${MISTBORN_HOME}/.envs/.production/.pihole +set +a + +if [[ -f "${SERVICE_ENV_INSTALLER}" ]]; then + + if [[ -f "${SERVICE_ENV_FILE}" ]]; then + echo "Environment file already exists." + else + + # create env file for service + echo "Creating environment file" + source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE + chown mistborn:mistborn $SERVICE_ENV_FILE + chmod 600 $SERVICE_ENV_FILE + + fi + +else + echo "No subinstaller found." +fi diff --git a/scripts/env/setup.sh b/scripts/env/setup.sh index 43060b6..bbf0237 100755 --- a/scripts/env/setup.sh +++ b/scripts/env/setup.sh @@ -11,6 +11,7 @@ source /opt/mistborn/scripts/subinstallers/platform.sh # setup env file echo "" | sudo tee ${VAR_FILE} sudo chown mistborn:mistborn ${VAR_FILE} +sudo chmod 600 ${VAR_FILE} # MISTBORN_DNS_BIND_IP @@ -58,4 +59,6 @@ done # default interface sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/" +echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE} + sudo systemctl daemon-reload diff --git a/scripts/install.sh b/scripts/install.sh index 31e0f83..e79b838 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -248,6 +248,7 @@ sudo resolvconf -u 1>/dev/null 2>&1 echo "backup up original volumes folder" sudo mkdir -p ../mistborn_backup +sudo chmod 700 ../mistborn_backup sudo tar -czf ../mistborn_backup/mistborn_volumes_backup.tar.gz ../mistborn_volumes 1>/dev/null 2>&1 # clean docker diff --git a/scripts/services/Mistborn-bitwarden.service b/scripts/services/Mistborn-bitwarden.service index d1343da..4fed369 100644 --- a/scripts/services/Mistborn-bitwarden.service +++ b/scripts/services/Mistborn-bitwarden.service @@ -10,13 +10,13 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service index be4f9f1..a688edd 100644 --- a/scripts/services/Mistborn-guacamole.service +++ b/scripts/services/Mistborn-guacamole.service @@ -9,15 +9,13 @@ Restart=always User=root Group=docker PermissionsStartOnly=true -EnvironmentFile=/opt/mistborn/.envs/.production/.guacamole -ExecStartPre=/opt/mistborn/scripts/env/guacamole_init.sh # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/guacamole.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-homeassistant.service b/scripts/services/Mistborn-homeassistant.service index 2acc9d8..a36b7c0 100644 --- a/scripts/services/Mistborn-homeassistant.service +++ b/scripts/services/Mistborn-homeassistant.service @@ -10,12 +10,12 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-jellyfin.service b/scripts/services/Mistborn-jellyfin.service index d41c5f3..7c27676 100644 --- a/scripts/services/Mistborn-jellyfin.service +++ b/scripts/services/Mistborn-jellyfin.service @@ -10,12 +10,12 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service index c4c388f..c6bcd5c 100644 --- a/scripts/services/Mistborn-jitsi.service +++ b/scripts/services/Mistborn-jitsi.service @@ -9,20 +9,18 @@ Restart=always User=root Group=docker PermissionsStartOnly=true -EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh -ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build + # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down # Post stop -ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP -ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP +ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh [Install] WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-nextcloud.service b/scripts/services/Mistborn-nextcloud.service index 40ed97a..f46c2b7 100644 --- a/scripts/services/Mistborn-nextcloud.service +++ b/scripts/services/Mistborn-nextcloud.service @@ -6,16 +6,16 @@ PartOf=Mistborn-base.service [Service] Restart=always -User=www-data +User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-onlyoffice.service b/scripts/services/Mistborn-onlyoffice.service index 5e02128..72b31d8 100644 --- a/scripts/services/Mistborn-onlyoffice.service +++ b/scripts/services/Mistborn-onlyoffice.service @@ -10,12 +10,12 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down # Post stop [Install] diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service index 3c1379d..37bb83f 100644 --- a/scripts/services/Mistborn-rocketchat.service +++ b/scripts/services/Mistborn-rocketchat.service @@ -9,15 +9,14 @@ Restart=always User=root Group=docker PermissionsStartOnly=true -EnvironmentFile=/opt/mistborn/.env # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP diff --git a/scripts/services/Mistborn-syncthing.service b/scripts/services/Mistborn-syncthing.service index 234a213..273be71 100644 --- a/scripts/services/Mistborn-syncthing.service +++ b/scripts/services/Mistborn-syncthing.service @@ -10,14 +10,14 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP diff --git a/scripts/services/Mistborn-tor.service b/scripts/services/Mistborn-tor.service index 68d01c5..ed47323 100644 --- a/scripts/services/Mistborn-tor.service +++ b/scripts/services/Mistborn-tor.service @@ -10,13 +10,13 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP # Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build # Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down # Post stop ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP diff --git a/scripts/env/guacamole_init.sh b/scripts/services/guacamole/init.sh similarity index 86% rename from scripts/env/guacamole_init.sh rename to scripts/services/guacamole/init.sh index 50c846f..1e8634f 100755 --- a/scripts/env/guacamole_init.sh +++ b/scripts/services/guacamole/init.sh @@ -1,5 +1,10 @@ #!/bin/bash +if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then + echo "initdb.sql exists. Proceeding." + exit 0 +fi + mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1 chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/ docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql diff --git a/scripts/services/jitsi/iptables_down.sh b/scripts/services/jitsi/iptables_down.sh new file mode 100755 index 0000000..f7dc3cc --- /dev/null +++ b/scripts/services/jitsi/iptables_down.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP \ No newline at end of file diff --git a/scripts/services/jitsi/iptables_up.sh b/scripts/services/jitsi/iptables_up.sh new file mode 100755 index 0000000..50756c0 --- /dev/null +++ b/scripts/services/jitsi/iptables_up.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP +iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP \ No newline at end of file diff --git a/scripts/subinstallers/extra/bitwarden.sh b/scripts/subinstallers/extra/bitwarden.sh new file mode 100755 index 0000000..abc37a5 --- /dev/null +++ b/scripts/subinstallers/extra/bitwarden.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# generate bitwarden .env files +BITWARDEN_PROD_FILE="$1" +echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE +echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/guacamole.sh b/scripts/subinstallers/extra/guacamole.sh new file mode 100755 index 0000000..8df9d00 --- /dev/null +++ b/scripts/subinstallers/extra/guacamole.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# Guacamole +GUAC_PROD_FILE="$1" +GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE +echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE +echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE +echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE +echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE +echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE +echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/jitsi.sh b/scripts/subinstallers/extra/jitsi.sh new file mode 100755 index 0000000..fcf3493 --- /dev/null +++ b/scripts/subinstallers/extra/jitsi.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +# JITSI +JITSI_PROD_FILE="$1" +cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE +mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb} +sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" \ No newline at end of file diff --git a/scripts/subinstallers/extra/nextcloud.sh b/scripts/subinstallers/extra/nextcloud.sh new file mode 100755 index 0000000..b1568b7 --- /dev/null +++ b/scripts/subinstallers/extra/nextcloud.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# generate nextcloud .env files +NEXTCLOUD_PROD_FILE="$1" +#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" +echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE +echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE +echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/onlyoffice.sh b/scripts/subinstallers/extra/onlyoffice.sh new file mode 100755 index 0000000..3fadeca --- /dev/null +++ b/scripts/subinstallers/extra/onlyoffice.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# generate onlyoffice .env files +ONLYOFFICE_PROD_FILE="$1" +JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}" +echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE +echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/rocketchat.sh b/scripts/subinstallers/extra/rocketchat.sh new file mode 100755 index 0000000..6da1e2d --- /dev/null +++ b/scripts/subinstallers/extra/rocketchat.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# generate rocketchat .env files +ROCKETCHAT_PROD_FILE="$1" +#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" +echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE +echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE +echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE +echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE + +# docker environment +echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index bc06297..d185c32 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -4,6 +4,7 @@ figlet "Mistborn: Container Credentials" # generate production .env file for Django mkdir -p ./.envs/.production +chmod 700 ./.envs DJANGO_PROD_FILE="./.envs/.production/.django" DJANGO_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(50)]))") #CELERY_FLOWER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") @@ -22,6 +23,7 @@ echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE +chmod 600 $DJANGO_PROD_FILE # generate production .env file for postgresql POSTGRES_PROD_FILE="./.envs/.production/.postgres" @@ -31,6 +33,7 @@ echo "POSTGRES_PORT=5432" >> $POSTGRES_PROD_FILE echo "POSTGRES_DB=mistborn" >> $POSTGRES_PROD_FILE echo "POSTGRES_USER=prod" >> $POSTGRES_PROD_FILE echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> $POSTGRES_PROD_FILE +chmod 600 $POSTGRES_PROD_FILE # generate production .env file for pihole @@ -39,54 +42,4 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole" WEBPASSWORD="$1" echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE - -# generate rocketchat .env files -ROCKETCHAT_PROD_FILE="./.envs/.production/.rocketchat" -#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") -ROCKETCHAT_PASSWORD="$1" -echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE -echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE -echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE -echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE - -# generate nextcloud .env files -NEXTCLOUD_PROD_FILE="./.envs/.production/.nextcloud" -#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") -NEXTCLOUD_PASSWORD="$1" -echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE - -# generate onlyoffice .env files -ONLYOFFICE_PROD_FILE="./.envs/.production/.onlyoffice" -JWT_SECRET="$1" -echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE -echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE - -# generate bitwarden .env files -BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden" -echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE -echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE - -# JITSI -JITSI_PROD_FILE="./.envs/.production/.jitsi" -cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE -mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb} -sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" - -# Guacamole -GUAC_PROD_FILE="./.envs/.production/.guacamole" -GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") -echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE -echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE -echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE -echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE -echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE -echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE -echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file +chmod 600 $PIHOLE_PROD_FILE diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh new file mode 100755 index 0000000..781eaa6 --- /dev/null +++ b/scripts/wrappers/mistborn_docker.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +set -e + +SERVICE="$1" +shift + +export MISTBORN_HOME="/opt/mistborn" +export MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE} +export MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh + +# check and create file if needed +${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE} + +# read in variables +set -a +source ${MISTBORN_HOME}/.env + +if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then + echo "Loading service variables" + source ${MISTBORN_SERVICE_FILE} +else + echo "No service variables to load. Proceeding." +fi +set +a + +# init script +if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then + echo "Running init script" + ${MISTBORN_SERVICE_INIT} +else + echo "No init script. Proceeding." +fi + +exec "$@" \ No newline at end of file From 84961c793feaf3a227d6186ce2ab069ebd543823 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 5 Mar 2021 20:36:13 -0500 Subject: [PATCH 05/21] parsing --- scripts/subinstallers/extra/guacamole.sh | 2 +- scripts/subinstallers/extra/nextcloud.sh | 2 +- scripts/subinstallers/extra/onlyoffice.sh | 2 +- scripts/subinstallers/extra/rocketchat.sh | 2 +- scripts/subinstallers/gen_prod_env.sh | 6 +++--- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/scripts/subinstallers/extra/guacamole.sh b/scripts/subinstallers/extra/guacamole.sh index 8df9d00..8c76a89 100755 --- a/scripts/subinstallers/extra/guacamole.sh +++ b/scripts/subinstallers/extra/guacamole.sh @@ -10,4 +10,4 @@ echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file +echo "MISTBORN_DEFAULT_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $GUAC_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/nextcloud.sh b/scripts/subinstallers/extra/nextcloud.sh index b1568b7..101f93c 100755 --- a/scripts/subinstallers/extra/nextcloud.sh +++ b/scripts/subinstallers/extra/nextcloud.sh @@ -5,5 +5,5 @@ NEXTCLOUD_PROD_FILE="$1" #NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE +echo "NEXTCLOUD_ADMIN_PASSWORD=\"$NEXTCLOUD_PASSWORD\"" >> $NEXTCLOUD_PROD_FILE echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/onlyoffice.sh b/scripts/subinstallers/extra/onlyoffice.sh index 3fadeca..aa9f917 100755 --- a/scripts/subinstallers/extra/onlyoffice.sh +++ b/scripts/subinstallers/extra/onlyoffice.sh @@ -4,4 +4,4 @@ ONLYOFFICE_PROD_FILE="$1" JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}" echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE -echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file +echo "JWT_SECRET=\"$JWT_SECRET\"" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/rocketchat.sh b/scripts/subinstallers/extra/rocketchat.sh index 6da1e2d..f446683 100755 --- a/scripts/subinstallers/extra/rocketchat.sh +++ b/scripts/subinstallers/extra/rocketchat.sh @@ -7,7 +7,7 @@ ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE -echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE +echo "ROCKETCHAT_PASSWORD=\"$ROCKETCHAT_PASSWORD\"" >> $ROCKETCHAT_PROD_FILE # docker environment echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index d185c32..73028f2 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -15,8 +15,8 @@ echo "DJANGO_ADMIN_URL=admin/" >> $DJANGO_PROD_FILE echo "USE_DOCKER=yes" >> $DJANGO_PROD_FILE echo "REDIS_URL=redis://redis:6379/0" >> $DJANGO_PROD_FILE echo "CELERY_FLOWER_USER=prod" >> $DJANGO_PROD_FILE -echo "CELERY_FLOWER_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $DJANGO_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $DJANGO_PROD_FILE +echo "CELERY_FLOWER_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $DJANGO_PROD_FILE +echo "MISTBORN_DEFAULT_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $DJANGO_PROD_FILE echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE @@ -41,5 +41,5 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole" #WEBPASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") WEBPASSWORD="$1" echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE -echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE +echo "WEBPASSWORD=\"$WEBPASSWORD\"" >> $PIHOLE_PROD_FILE chmod 600 $PIHOLE_PROD_FILE From ce5dfb10faf8de3f464ce534b1a2fa84b4e064ff Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 12 Mar 2021 18:04:21 +0000 Subject: [PATCH 06/21] Resolve "Mistborn default password parsing" --- scripts/install.sh | 29 ++++++++++------------- scripts/subinstallers/extra/guacamole.sh | 2 +- scripts/subinstallers/extra/nextcloud.sh | 2 +- scripts/subinstallers/extra/onlyoffice.sh | 2 +- scripts/subinstallers/extra/rocketchat.sh | 2 +- scripts/subinstallers/gen_prod_env.sh | 6 ++--- scripts/subinstallers/passwd.sh | 22 +++++++++++++++++ 7 files changed, 41 insertions(+), 24 deletions(-) create mode 100755 scripts/subinstallers/passwd.sh diff --git a/scripts/install.sh b/scripts/install.sh index e79b838..a142ad9 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -59,13 +59,18 @@ echo -e "| | | | \__ \ |_| |_) | (_) | | | | | |" echo -e "|_| |_|_|___/\__|_.__/ \___/|_| |_| |_|" echo -e "" -# INPUT default admin password -if [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; then - read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD - echo -else - echo "MISTBORN_DEFAULT_PASSWORD is already set" -fi +sudo rm -rf /opt/mistborn 2>/dev/null || true + +# clone to /opt and change directory +echo "Cloning $GIT_BRANCH branch from mistborn repo" +sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn +sudo chown -R $USER:$USER /opt/mistborn +pushd . +cd /opt/mistborn +git submodule update --init --recursive + +# MISTBORN_DEFAULT_PASSWORD +source ./scripts/subinstallers/passwd.sh # Install Cockpit? if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then @@ -85,16 +90,6 @@ else echo "SSH key exists for $USER" fi -sudo rm -rf /opt/mistborn 2>/dev/null || true - -# clone to /opt and change directory -echo "Cloning $GIT_BRANCH branch from mistborn repo" -sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn -sudo chown -R $USER:$USER /opt/mistborn -pushd . -cd /opt/mistborn -git submodule update --init --recursive - # initial load update package list sudo apt-get update diff --git a/scripts/subinstallers/extra/guacamole.sh b/scripts/subinstallers/extra/guacamole.sh index 8c76a89..8df9d00 100755 --- a/scripts/subinstallers/extra/guacamole.sh +++ b/scripts/subinstallers/extra/guacamole.sh @@ -10,4 +10,4 @@ echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $GUAC_PROD_FILE \ No newline at end of file +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/nextcloud.sh b/scripts/subinstallers/extra/nextcloud.sh index 101f93c..b1568b7 100755 --- a/scripts/subinstallers/extra/nextcloud.sh +++ b/scripts/subinstallers/extra/nextcloud.sh @@ -5,5 +5,5 @@ NEXTCLOUD_PROD_FILE="$1" #NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_ADMIN_PASSWORD=\"$NEXTCLOUD_PASSWORD\"" >> $NEXTCLOUD_PROD_FILE +echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/onlyoffice.sh b/scripts/subinstallers/extra/onlyoffice.sh index aa9f917..3fadeca 100755 --- a/scripts/subinstallers/extra/onlyoffice.sh +++ b/scripts/subinstallers/extra/onlyoffice.sh @@ -4,4 +4,4 @@ ONLYOFFICE_PROD_FILE="$1" JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}" echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE -echo "JWT_SECRET=\"$JWT_SECRET\"" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file +echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/rocketchat.sh b/scripts/subinstallers/extra/rocketchat.sh index f446683..6da1e2d 100755 --- a/scripts/subinstallers/extra/rocketchat.sh +++ b/scripts/subinstallers/extra/rocketchat.sh @@ -7,7 +7,7 @@ ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE -echo "ROCKETCHAT_PASSWORD=\"$ROCKETCHAT_PASSWORD\"" >> $ROCKETCHAT_PROD_FILE +echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE # docker environment echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh index 73028f2..d185c32 100755 --- a/scripts/subinstallers/gen_prod_env.sh +++ b/scripts/subinstallers/gen_prod_env.sh @@ -15,8 +15,8 @@ echo "DJANGO_ADMIN_URL=admin/" >> $DJANGO_PROD_FILE echo "USE_DOCKER=yes" >> $DJANGO_PROD_FILE echo "REDIS_URL=redis://redis:6379/0" >> $DJANGO_PROD_FILE echo "CELERY_FLOWER_USER=prod" >> $DJANGO_PROD_FILE -echo "CELERY_FLOWER_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $DJANGO_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=\"$MISTBORN_DEFAULT_PASSWORD\"" >> $DJANGO_PROD_FILE +echo "CELERY_FLOWER_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $DJANGO_PROD_FILE +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $DJANGO_PROD_FILE echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE @@ -41,5 +41,5 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole" #WEBPASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") WEBPASSWORD="$1" echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE -echo "WEBPASSWORD=\"$WEBPASSWORD\"" >> $PIHOLE_PROD_FILE +echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE chmod 600 $PIHOLE_PROD_FILE diff --git a/scripts/subinstallers/passwd.sh b/scripts/subinstallers/passwd.sh new file mode 100755 index 0000000..417926b --- /dev/null +++ b/scripts/subinstallers/passwd.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +# INPUT default admin password +while [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; do + echo + echo "(Mistborn) The default admin password may only container alphanumeric characters and _" + read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD + echo + + if [[ ${MISTBORN_DEFAULT_PASSWORD} =~ ^[A-Za-z0-9_]+$ ]]; then + # it matches + echo "(Mistborn) Password is accepted" + else + unset MISTBORN_DEFAULT_PASSWORD + echo "(Mistborn) Try again" + fi + +done + +echo +echo "MISTBORN_DEFAULT_PASSWORD is set" +echo From d65e5434a0ecc84154a7331329e92c73cb2f1a83 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sun, 21 Mar 2021 16:09:58 +0000 Subject: [PATCH 07/21] Resolve "Started Extra Services restart on OS reboot" --- scripts/conf/docker-daemon.json | 3 +++ scripts/services/Mistborn-bitwarden.service | 1 + scripts/services/Mistborn-guacamole.service | 1 + scripts/services/Mistborn-homeassistant.service | 1 + scripts/services/Mistborn-jellyfin.service | 1 + scripts/services/Mistborn-jitsi.service | 1 + scripts/services/Mistborn-nextcloud.service | 1 + scripts/services/Mistborn-onlyoffice.service | 1 + scripts/services/Mistborn-rocketchat.service | 1 + scripts/services/Mistborn-syncthing.service | 1 + scripts/services/Mistborn-tor.service | 1 + scripts/subinstallers/docker.sh | 3 +++ scripts/subinstallers/docker_daemon.sh | 7 +++++++ scripts/update.sh | 7 +++++++ scripts/wrappers/mistborn_docker.sh | 13 ++++++++++++- 15 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 scripts/conf/docker-daemon.json create mode 100755 scripts/subinstallers/docker_daemon.sh diff --git a/scripts/conf/docker-daemon.json b/scripts/conf/docker-daemon.json new file mode 100644 index 0000000..ef746cb --- /dev/null +++ b/scripts/conf/docker-daemon.json @@ -0,0 +1,3 @@ +{ + "shutdown-timeout": 60 +} diff --git a/scripts/services/Mistborn-bitwarden.service b/scripts/services/Mistborn-bitwarden.service index 4fed369..8b0c8de 100644 --- a/scripts/services/Mistborn-bitwarden.service +++ b/scripts/services/Mistborn-bitwarden.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service index a688edd..1c193e8 100644 --- a/scripts/services/Mistborn-guacamole.service +++ b/scripts/services/Mistborn-guacamole.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-homeassistant.service b/scripts/services/Mistborn-homeassistant.service index a36b7c0..6ca8cc1 100644 --- a/scripts/services/Mistborn-homeassistant.service +++ b/scripts/services/Mistborn-homeassistant.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-jellyfin.service b/scripts/services/Mistborn-jellyfin.service index 7c27676..270769c 100644 --- a/scripts/services/Mistborn-jellyfin.service +++ b/scripts/services/Mistborn-jellyfin.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service index c6bcd5c..d99aa81 100644 --- a/scripts/services/Mistborn-jitsi.service +++ b/scripts/services/Mistborn-jitsi.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-nextcloud.service b/scripts/services/Mistborn-nextcloud.service index f46c2b7..01f0132 100644 --- a/scripts/services/Mistborn-nextcloud.service +++ b/scripts/services/Mistborn-nextcloud.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-onlyoffice.service b/scripts/services/Mistborn-onlyoffice.service index 72b31d8..16f0010 100644 --- a/scripts/services/Mistborn-onlyoffice.service +++ b/scripts/services/Mistborn-onlyoffice.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service index 37bb83f..8106fc9 100644 --- a/scripts/services/Mistborn-rocketchat.service +++ b/scripts/services/Mistborn-rocketchat.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-syncthing.service b/scripts/services/Mistborn-syncthing.service index 273be71..0399dec 100644 --- a/scripts/services/Mistborn-syncthing.service +++ b/scripts/services/Mistborn-syncthing.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/Mistborn-tor.service b/scripts/services/Mistborn-tor.service index ed47323..43b8c42 100644 --- a/scripts/services/Mistborn-tor.service +++ b/scripts/services/Mistborn-tor.service @@ -6,6 +6,7 @@ PartOf=Mistborn-base.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/subinstallers/docker.sh b/scripts/subinstallers/docker.sh index a4206ab..cdc83fa 100755 --- a/scripts/subinstallers/docker.sh +++ b/scripts/subinstallers/docker.sh @@ -18,3 +18,6 @@ fi if [ ! -f /usr/local/bin/docker-compose ]; then sudo -E ln -s $(which docker-compose) /usr/local/bin/docker-compose fi + +# daemon.json +#source ./scripts/subinstallers/docker_daemon.sh diff --git a/scripts/subinstallers/docker_daemon.sh b/scripts/subinstallers/docker_daemon.sh new file mode 100755 index 0000000..92f6edc --- /dev/null +++ b/scripts/subinstallers/docker_daemon.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# daemon.json +if [ ! -f /etc/docker/daemon.json ]; then + sudo -E cp ./scripts/conf/docker-daemon.json /etc/docker/daemon.json + sudo -E systemctl restart docker +fi diff --git a/scripts/update.sh b/scripts/update.sh index 8026316..dbf0845 100755 --- a/scripts/update.sh +++ b/scripts/update.sh @@ -18,6 +18,13 @@ sudo mistborn-cli pullbuild sudo docker container prune -f sudo docker image prune -f + +# RESTART + sudo systemctl stop Mistborn-base + +# docker daemon +#source ./scripts/subinstallers/docker_daemon.sh + sudo systemctl restart Mistborn-setup sudo systemctl restart Mistborn-base diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh index 781eaa6..bb33894 100755 --- a/scripts/wrappers/mistborn_docker.sh +++ b/scripts/wrappers/mistborn_docker.sh @@ -32,4 +32,15 @@ else echo "No init script. Proceeding." fi -exec "$@" \ No newline at end of file +# ensure base is up and listening +echo "Waiting for Mistborn-base to finish starting up..." + +while ! nc -z 10.2.3.1 5000; do + WAIT_TIME=$((5 + $RANDOM % 15)) + echo "Waiting ${WAIT_TIME} seconds for Mistborn-base..." + sleep ${WAIT_TIME} +done + +echo "Mistborn-base is running" + +exec "$@" From 9e7f85b6f99233543f74899cc0432f7ec7e33b5e Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 31 Mar 2021 02:40:04 +0000 Subject: [PATCH 08/21] Resolve "Integrate RaspAP as extra service" --- README.md | 3 +++ extra/raspap.yml | 19 ++++++++------ scripts/services/Mistborn-raspap.service | 25 +++++++++++++++++++ .../services/raspap/Mistborn-raspap.service | 21 ---------------- scripts/services/raspap/install.sh | 4 --- scripts/subinstallers/extra/bitwarden.sh | 3 ++- scripts/subinstallers/extra/guacamole.sh | 3 ++- scripts/subinstallers/extra/jitsi.sh | 3 ++- scripts/subinstallers/extra/nextcloud.sh | 3 ++- scripts/subinstallers/extra/onlyoffice.sh | 3 ++- scripts/subinstallers/extra/raspap.sh | 6 +++++ scripts/subinstallers/extra/rocketchat.sh | 4 ++- 12 files changed, 58 insertions(+), 39 deletions(-) create mode 100644 scripts/services/Mistborn-raspap.service delete mode 100644 scripts/services/raspap/Mistborn-raspap.service delete mode 100755 scripts/services/raspap/install.sh create mode 100644 scripts/subinstallers/extra/raspap.sh diff --git a/README.md b/README.md index 252331c..7ca1b26 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,7 @@ Within Mistborn is a panel to enable and manage these free extra services (off b - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy. - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing - [Guacamole](https://guacamole.apache.org): A clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH. +- [RaspAP](https://raspap.com/): The easiest, full-featured wireless router setup for Debian-based devices. Period. (Mistborn integration in alpha testing). # Quickstart Tested Operating Systems (in order of thoroughness): @@ -288,6 +289,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client | OnlyOffice | onlyoffice.mistborn | Off | | Jitsi | jitsi.mistborn | Off | | Guacamole | guac.mistborn | Off | +| RaspAP | raspap.mistborn | Off | # Default Credentials These are the default credentials to use in the services you choose to use: @@ -298,6 +300,7 @@ These are the default credentials to use in the services you choose to use: | Cockpit | cockpit | {{default mistborn password}} | | Nextcloud | mistborn | {{default mistborn password}} | | Guacamole | mistborn | {{default mistborn password }} | +| RaspAP | mistborn | {{default mistborn password}} | You can find the credentials sent to the Docker containers in: `/opt/mistborn/.envs/.production/` diff --git a/extra/raspap.yml b/extra/raspap.yml index 3be7dce..9b773ce 100644 --- a/extra/raspap.yml +++ b/extra/raspap.yml @@ -2,12 +2,9 @@ version: '3' services: raspap: - build: - context: .. - dockerfile: ./compose/production/raspap/Dockerfile - #user: root - image: mistborn_production_raspap + image: "cyber5k/raspap:${MISTBORN_TAG}" container_name: mistborn_production_raspap + #network_mode: host labels: - "traefik.enable=true" - "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)" @@ -19,10 +16,16 @@ services: - "traefik.http.routers.raspap-https.tls.certresolver=basic" - "traefik.http.services.raspap-service.loadbalancer.server.port=80" env_file: - - ../.envs/.production/.pihole - command: /start + - ../.envs/.production/.raspap + cap_add: + #- NET_ADMIN + - SYS_ADMIN + #- CAP_FOWNER + privileged: true volumes: - - ../../mistborn_volumes/extra/raspap/etc-raspap:/etc/raspap + - /sys/fs/cgroup:/sys/fs/cgroup:ro + #command: /start + restart: unless-stopped networks: default: diff --git a/scripts/services/Mistborn-raspap.service b/scripts/services/Mistborn-raspap.service new file mode 100644 index 0000000..bb62297 --- /dev/null +++ b/scripts/services/Mistborn-raspap.service @@ -0,0 +1,25 @@ +[Unit] +Description=Mistborn RaspAP Service +Requires=Mistborn-base.service +After=Mistborn-base.service + +[Service] +Restart=always +RestartSec=15 +User=root +Group=docker +PermissionsStartOnly=true +ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP +#ExecStartPre=/bin/bash /opt/mistborn_volumes/extra/raspap/etc-raspap/hostapd/servicestart.sh --interface uap0 --seconds 3 +# Shutdown container (if running) when unit is stopped +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down + +# Start container when unit is started +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml up --build +# Stop container when unit is stopped +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down +ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP +# Post stop + +[Install] +WantedBy=multi-user.target diff --git a/scripts/services/raspap/Mistborn-raspap.service b/scripts/services/raspap/Mistborn-raspap.service deleted file mode 100644 index 2f3faec..0000000 --- a/scripts/services/raspap/Mistborn-raspap.service +++ /dev/null @@ -1,21 +0,0 @@ -[Unit] -Description=Mistborn RaspAP Service -Requires=Mistborn-base.service -After=Mistborn-base.service - -[Service] -Restart=always -User=root -Group=docker -PermissionsStartOnly=true -# Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/raspap.yml down - -# Start container when unit is started -ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/raspap.yml up --build -# Stop container when unit is stopped -ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/raspap.yml down -# Post stop - -[Install] -WantedBy=multi-user.target diff --git a/scripts/services/raspap/install.sh b/scripts/services/raspap/install.sh deleted file mode 100755 index 4b373ef..0000000 --- a/scripts/services/raspap/install.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -# install on gateway -sudo apt-get install -y hostapd vnstat \ No newline at end of file diff --git a/scripts/subinstallers/extra/bitwarden.sh b/scripts/subinstallers/extra/bitwarden.sh index abc37a5..339310f 100755 --- a/scripts/subinstallers/extra/bitwarden.sh +++ b/scripts/subinstallers/extra/bitwarden.sh @@ -3,4 +3,5 @@ # generate bitwarden .env files BITWARDEN_PROD_FILE="$1" echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE -echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE \ No newline at end of file +echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE +chmod 600 $BITWARDEN_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/guacamole.sh b/scripts/subinstallers/extra/guacamole.sh index 8df9d00..5cb4871 100755 --- a/scripts/subinstallers/extra/guacamole.sh +++ b/scripts/subinstallers/extra/guacamole.sh @@ -10,4 +10,5 @@ echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE -echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE \ No newline at end of file +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE +chmod 600 $GUAC_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/jitsi.sh b/scripts/subinstallers/extra/jitsi.sh index fcf3493..a883b67 100755 --- a/scripts/subinstallers/extra/jitsi.sh +++ b/scripts/subinstallers/extra/jitsi.sh @@ -9,4 +9,5 @@ sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secre sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" -sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" \ No newline at end of file +sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE" +chmod 600 $JITSI_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/nextcloud.sh b/scripts/subinstallers/extra/nextcloud.sh index b1568b7..4bd8ca4 100755 --- a/scripts/subinstallers/extra/nextcloud.sh +++ b/scripts/subinstallers/extra/nextcloud.sh @@ -6,4 +6,5 @@ NEXTCLOUD_PROD_FILE="$1" NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}" echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE -echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE \ No newline at end of file +echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE +chmod 600 $NEXTCLOUD_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/onlyoffice.sh b/scripts/subinstallers/extra/onlyoffice.sh index 3fadeca..fbf579c 100755 --- a/scripts/subinstallers/extra/onlyoffice.sh +++ b/scripts/subinstallers/extra/onlyoffice.sh @@ -4,4 +4,5 @@ ONLYOFFICE_PROD_FILE="$1" JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}" echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE -echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE \ No newline at end of file +echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE +chmod 600 $ONLYOFFICE_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/raspap.sh b/scripts/subinstallers/extra/raspap.sh new file mode 100644 index 0000000..ced9860 --- /dev/null +++ b/scripts/subinstallers/extra/raspap.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# RaspAP +RASPAP_PROD_FILE="$1" +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" > $RASPAP_PROD_FILE +chmod 600 $RASPAP_PROD_FILE \ No newline at end of file diff --git a/scripts/subinstallers/extra/rocketchat.sh b/scripts/subinstallers/extra/rocketchat.sh index 6da1e2d..e61e4b4 100755 --- a/scripts/subinstallers/extra/rocketchat.sh +++ b/scripts/subinstallers/extra/rocketchat.sh @@ -10,4 +10,6 @@ echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE # docker environment -echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE \ No newline at end of file +echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE + +chmod 600 $ROCKETCHAT_PROD_FILE \ No newline at end of file From 3675e3d0d283cc7b83a813be0fa8e139dc6c8171 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 15 Apr 2021 08:01:09 -0400 Subject: [PATCH 09/21] pihole v5.7 --- base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base.yml b/base.yml index 2b19d53..035a6e8 100644 --- a/base.yml +++ b/base.yml @@ -158,7 +158,7 @@ services: pihole: container_name: mistborn_production_pihole - image: pihole/pihole:latest + image: pihole/pihole:v5.7 env_file: - ./.envs/.production/.pihole ports: From 42bd76634648cb50d380519d697ff0a5821b10a7 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 22 Apr 2021 02:40:26 +0000 Subject: [PATCH 10/21] Resolve "Wazuh" --- README.md | 20 +++++- extra/elasticsearch.yml | 30 ++++++++ extra/wazuh.yml | 70 +++++++++++++++++++ .../services/Mistborn-elasticsearch.service | 22 ++++++ scripts/services/Mistborn-wazuh.service | 26 +++++++ .../elasticsearch/files/internal_users.yml | 17 +++++ scripts/services/elasticsearch/init.sh | 16 +++++ scripts/services/wazuh/agent.sh | 26 +++++++ scripts/services/wazuh/agent_start.sh | 4 ++ scripts/services/wazuh/agent_stop.sh | 4 ++ scripts/subinstallers/extra/elasticsearch.sh | 6 ++ scripts/subinstallers/extra/wazuh.sh | 53 ++++++++++++++ scripts/wrappers/mistborn_docker.sh | 61 ++++++++-------- 13 files changed, 325 insertions(+), 30 deletions(-) create mode 100644 extra/elasticsearch.yml create mode 100644 extra/wazuh.yml create mode 100644 scripts/services/Mistborn-elasticsearch.service create mode 100644 scripts/services/Mistborn-wazuh.service create mode 100644 scripts/services/elasticsearch/files/internal_users.yml create mode 100755 scripts/services/elasticsearch/init.sh create mode 100755 scripts/services/wazuh/agent.sh create mode 100755 scripts/services/wazuh/agent_start.sh create mode 100755 scripts/services/wazuh/agent_stop.sh create mode 100755 scripts/subinstallers/extra/elasticsearch.sh create mode 100755 scripts/subinstallers/extra/wazuh.sh diff --git a/README.md b/README.md index 7ca1b26..1ad2195 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur - [Pi-hole](https://pi-hole.net): A DNS server for network-wide ad blocking, etc - [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered - [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy +- [Wazuh](https://wazuh.com/): Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. Within Mistborn is a panel to enable and manage these free extra services (off by default), locally hosted in Docker containers: - [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first @@ -82,6 +83,7 @@ Recommended System Specifications: | Default | Bare bones + Cockpit | 2 GB+ | 15 GB | | Low-resource services | Default + Bitwarden, Tor, Syncthing | 4 GB | 20 GB | | High-resource services | Default + Jitsi, Nextcloud, Jellyfin, Rocket.Chat, Home Assistant, OnlyOffice | 6 GB+ | 25 GB+ | +| SIEM | Default + Wazuh + Extras | 16 GB+ | 100 GB+ | Starting from base installation ``` @@ -109,6 +111,18 @@ Mistborn protects your data in a variety of ways: See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see more network diagrams and the network scan results for Mistborn. +# Security Information & Event Management (SIEM) + +![Mistborn Security Center](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_soc.png) + +The Mistborn Security Operations Center provides SIEM services with Wazuh. The Wazuh Manager requires an Open Distro for Elasticsearch backend. When the Mistborn host has >8 GB RAM the provided Elasticsearch backend can be used. Just click "Start Wazuh" on the `Security Center` page and enjoy your Enterprise-grade SIEM. Wazuh agents can be installed on just about any OS and all Wazuh agent traffic is communicated over the Wireguard connections. Instructions for adding endpoint agents can be found within Wazuh itself. + +![Mistborn Security Center: Wazuh Modules](https://gitlab.com/cyber5k/public/-/raw/master/graphics/wazuh_modules.png) + +The Wazuh Kibana plugin leverages the power of Elasticsearch: + +![Mistborn Security Center: Wazuh Dashboard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/wazuh_se_dashboard.png) + # Coppercloud Pihole provides a way to block outgoing DNS requests for given lists of blocked domains. Coppercloud provides a way to block outgoing network calls of all types to given lists of IP addresses (IPv4 only for now). This is especially useful for blocking outgoing telemetry (data and state sharing) to owners of software running on all of your devices. @@ -290,6 +304,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client | Jitsi | jitsi.mistborn | Off | | Guacamole | guac.mistborn | Off | | RaspAP | raspap.mistborn | Off | +| Wazuh | wazuh.mistborn | Off | # Default Credentials These are the default credentials to use in the services you choose to use: @@ -298,6 +313,7 @@ These are the default credentials to use in the services you choose to use: | ------- | -------- | -------- | | Pihole | | {{default mistborn password}} | | Cockpit | cockpit | {{default mistborn password}} | +| Wazuh | mistborn | {{default mistborn password}} | | Nextcloud | mistborn | {{default mistborn password}} | | Guacamole | mistborn | {{default mistborn password }} | | RaspAP | mistborn | {{default mistborn password}} | @@ -464,6 +480,8 @@ sudo journalctl -xfu Mistborn-guacamole sudo journalctl -xfu Mistborn-rocketchat sudo journalctl -xfu Mistborn-onlyoffice sudo journalctl -xfu Mistborn-tor +sudo journalctl -xfu Mistborn-raspap +sudo journalctl -xfu Mistborn-wazuh ``` ## Troubleshooting Docker @@ -529,8 +547,6 @@ Many features and refinements are in the works at various stages including: - Plugins for Extra Services (enabling third-party development) - Plugin repository - IPv6 support -- Integration with RaspAP to enable managing an Access Point for local network connections -- Internal network scan tool and feedback - Anomaly detection in network traffic # Featured In diff --git a/extra/elasticsearch.yml b/extra/elasticsearch.yml new file mode 100644 index 0000000..c1a3a70 --- /dev/null +++ b/extra/elasticsearch.yml @@ -0,0 +1,30 @@ +version: '3.7' + +services: + + elasticsearch: + image: amazon/opendistro-for-elasticsearch:1.12.0 + hostname: elasticsearch + restart: unless-stopped + ports: + - "${MISTBORN_BIND_IP}:9200:9200" + environment: + - discovery.type=single-node + - cluster.name=mistborn-cluster + - network.host=0.0.0.0 + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - bootstrap.memory_lock=true + volumes: + - ../../mistborn_volumes/extra/elasticsearch/init/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + +networks: + default: + external: + name: mistborn_default diff --git a/extra/wazuh.yml b/extra/wazuh.yml new file mode 100644 index 0000000..f7df12a --- /dev/null +++ b/extra/wazuh.yml @@ -0,0 +1,70 @@ +# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) +version: '3.7' + +services: + wazuh: + image: wazuh/wazuh-odfe:4.1.2 + hostname: wazuh-manager + restart: unless-stopped + ports: + - "${MISTBORN_BIND_IP}:1514:1514" + - "${MISTBORN_BIND_IP}:1515:1515" + - "${MISTBORN_BIND_IP}:514:514/udp" + - "${MISTBORN_BIND_IP}:55000:55000" + environment: + - FILEBEAT_SSL_VERIFICATION_MODE=none + env_file: + - ../.envs/.production/.wazuh + volumes: + - ossec_api_configuration:/var/ossec/api/configuration + - ossec_etc:/var/ossec/etc + - ossec_logs:/var/ossec/logs + - ossec_queue:/var/ossec/queue + - ossec_var_multigroups:/var/ossec/var/multigroups + - ossec_integrations:/var/ossec/integrations + - ossec_active_response:/var/ossec/active-response/bin + - ossec_agentless:/var/ossec/agentless + - ossec_wodles:/var/ossec/wodles + - filebeat_etc:/etc/filebeat + - filebeat_var:/var/lib/filebeat + + wazuh-kibana: + image: wazuh/wazuh-kibana-odfe:4.1.2 + hostname: wazuh-kibana + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.wazuhk-http.rule=Host(`wazuh.mistborn`)" + - "traefik.http.routers.wazuhk-http.entrypoints=web" + - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.wazuhk-https.rule=Host(`wazuh.mistborn`)" + - "traefik.http.routers.wazuhk-https.entrypoints=websecure" + - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.wazuhk-https.tls.certresolver=basic" + - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601" + #ports: + # - "${MISTBORN_BIND_IP}:5601:5601" + environment: + - SERVER_SSL_ENABLED=false + - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert + - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key + env_file: + - ../.envs/.production/.wazuh + +volumes: + ossec_api_configuration: + ossec_etc: + ossec_logs: + ossec_queue: + ossec_var_multigroups: + ossec_integrations: + ossec_active_response: + ossec_agentless: + ossec_wodles: + filebeat_etc: + filebeat_var: + +networks: + default: + external: + name: mistborn_default diff --git a/scripts/services/Mistborn-elasticsearch.service b/scripts/services/Mistborn-elasticsearch.service new file mode 100644 index 0000000..63933c7 --- /dev/null +++ b/scripts/services/Mistborn-elasticsearch.service @@ -0,0 +1,22 @@ +[Unit] +Description=Mistborn Elasticsearch Service +Requires=Mistborn-base.service +After=Mistborn-base.service +PartOf=Mistborn-base.service + +[Service] +Restart=always +RestartSec=15 +User=root +Group=docker +PermissionsStartOnly=true +# Shutdown container (if running) when unit is stopped +ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144 +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down +# Start container when unit is started +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml up --build +# Stop container when unit is stopped +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down + +[Install] +WantedBy=multi-user.target diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service new file mode 100644 index 0000000..b4cac82 --- /dev/null +++ b/scripts/services/Mistborn-wazuh.service @@ -0,0 +1,26 @@ +[Unit] +Description=Mistborn Wazuh Service +Requires=Mistborn-elasticsearch.service +After=Mistborn-elasticsearch.service +PartOf=Mistborn-base.service + +[Service] +Restart=always +RestartSec=15 +User=root +Group=docker +PermissionsStartOnly=true +# Shutdown container (if running) when unit is stopped +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down +# Start container when unit is started +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml up --build +# Agent install +ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh +ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh +# Stop container when unit is stopped +ExecStop=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down + + +[Install] +WantedBy=multi-user.target diff --git a/scripts/services/elasticsearch/files/internal_users.yml b/scripts/services/elasticsearch/files/internal_users.yml new file mode 100644 index 0000000..540eede --- /dev/null +++ b/scripts/services/elasticsearch/files/internal_users.yml @@ -0,0 +1,17 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +mistborn: + hash: "__MISTBORN_HASH__" + reserved: true + backend_roles: + - "admin" + description: "Mistborn user" + diff --git a/scripts/services/elasticsearch/init.sh b/scripts/services/elasticsearch/init.sh new file mode 100755 index 0000000..1b3d21b --- /dev/null +++ b/scripts/services/elasticsearch/init.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +set -e + +if [[ -f "/opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml" ]]; then + echo "internal_users.yml exists. Proceeding." + exit 0 +fi + +mkdir -p /opt/mistborn_volumes/extra/elasticsearch/init/ >/dev/null 2>&1 +chmod -R +x /opt/mistborn_volumes/extra/elasticsearch/init/ +cp /opt/mistborn/scripts/services/elasticsearch/files/internal_users.yml /opt/mistborn_volumes/extra/elasticsearch/init/ + +ELASTICSEARCH_MISTBORN_HASHED=$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n') + +sed -i "s|__MISTBORN_HASH__|${ELASTICSEARCH_MISTBORN_HASHED}|" /opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml diff --git a/scripts/services/wazuh/agent.sh b/scripts/services/wazuh/agent.sh new file mode 100755 index 0000000..b478fa4 --- /dev/null +++ b/scripts/services/wazuh/agent.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +# detect if already installed +if [ $(dpkg -s wazuh-agent &> /dev/null) -eq 0 ]; then + echo "Wazuh agent already installed" + exit 0 +fi + +# prepare repo +echo "Adding Wazuh Repository" +curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - +echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list + +apt-get update + +# wait for service to be listening +while ! nc -z 10.2.3.1 55000; do + WAIT_TIME=10 + echo "Waiting ${WAIT_TIME} seconds for Wazuh API..." + sleep ${WAIT_TIME} +done + +# install +echo "Installing Wazuh agent" +WAZUH_MANAGER="10.2.3.1" apt-get install wazuh-agent + diff --git a/scripts/services/wazuh/agent_start.sh b/scripts/services/wazuh/agent_start.sh new file mode 100755 index 0000000..5996970 --- /dev/null +++ b/scripts/services/wazuh/agent_start.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +systemctl start wazuh-agent +systemctl enable wazuh-agent diff --git a/scripts/services/wazuh/agent_stop.sh b/scripts/services/wazuh/agent_stop.sh new file mode 100755 index 0000000..19cf173 --- /dev/null +++ b/scripts/services/wazuh/agent_stop.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +systemctl stop wazuh-agent +systemctl disable wazuh-agent diff --git a/scripts/subinstallers/extra/elasticsearch.sh b/scripts/subinstallers/extra/elasticsearch.sh new file mode 100755 index 0000000..e7547ae --- /dev/null +++ b/scripts/subinstallers/extra/elasticsearch.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# Elasticsearch +ELASTICSEARCH_PROD_FILE="$1" +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $ELASTICSEARCH_PROD_FILE +chmod 600 $ELASTICSEARCH_PROD_FILE diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh new file mode 100755 index 0000000..0d5c0ee --- /dev/null +++ b/scripts/subinstallers/extra/wazuh.sh @@ -0,0 +1,53 @@ +#!/bin/bash + +# Wazuh +WAZUH_PROD_FILE="$1" +echo "ELASTIC_USERNAME=mistborn" > $WAZUH_PROD_FILE +echo "ELASTIC_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE + +echo "ELASTICSEARCH_USERNAME=mistborn" >> $WAZUH_PROD_FILE +echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE + +# kibana odfe +# kibana-odfe/config/wazuh_app_config.sh +# https://wazuh +echo "WAZUH_API_URL=https://10.2.3.1" >> $WAZUH_PROD_FILE +echo "API_PORT=55000" >> $WAZUH_PROD_FILE +echo "API_USERNAME=wazuh-wui" >> $WAZUH_PROD_FILE + +#API_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") + +API_PASSWORD_PYTHON=$(cat << EOF + +import secrets +import random +import string + +random_pass = ([secrets.choice("@$!%*?&-_"), + secrets.choice(string.digits), + secrets.choice(string.ascii_lowercase), + secrets.choice(string.ascii_uppercase), + ] + + [secrets.choice(string.ascii_lowercase + + string.ascii_uppercase + + "@$!%*?&-_" + + string.digits) for i in range(12)]) + +random.shuffle(random_pass) +random_pass = ''.join(random_pass) +print(random_pass) + +EOF +) + +API_PASSWORD=$(python3 -c "${API_PASSWORD_PYTHON}") + +echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE + +# kibana-odfe/config/entrypoint.sh: +# https://elasticsearch:9200 +echo "ELASTICSEARCH_URL=https://10.2.3.1:9200" >> $WAZUH_PROD_FILE + +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE + +chmod 600 $WAZUH_PROD_FILE diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh index bb33894..a5fa403 100755 --- a/scripts/wrappers/mistborn_docker.sh +++ b/scripts/wrappers/mistborn_docker.sh @@ -2,38 +2,43 @@ set -e -SERVICE="$1" +MISTBORN_HOME="/opt/mistborn" + +SERVICES="$1" shift -export MISTBORN_HOME="/opt/mistborn" -export MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE} -export MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh - -# check and create file if needed -${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE} - -# read in variables -set -a -source ${MISTBORN_HOME}/.env - -if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then - echo "Loading service variables" - source ${MISTBORN_SERVICE_FILE} -else - echo "No service variables to load. Proceeding." -fi -set +a - -# init script -if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then - echo "Running init script" - ${MISTBORN_SERVICE_INIT} -else - echo "No init script. Proceeding." -fi +IFS=',' +read -ra SERVICES_ARRAY <<< "${SERVICES}" +for SERVICE in "${SERVICES_ARRAY[@]}"; do + MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE} + MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh + + # check and create file if needed + ${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE} + + # read in variables + set -a + source ${MISTBORN_HOME}/.env + + if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then + echo "Loading service variables" + source ${MISTBORN_SERVICE_FILE} + else + echo "No service variables to load. Proceeding." + fi + set +a + + # init script + if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then + echo "Running init script" + ${MISTBORN_SERVICE_INIT} + else + echo "No init script. Proceeding." + fi +done # ensure base is up and listening -echo "Waiting for Mistborn-base to finish starting up..." +echo "Checking that Mistborn-base has finished starting up..." while ! nc -z 10.2.3.1 5000; do WAIT_TIME=$((5 + $RANDOM % 15)) From 8de1dafcad141cde89358e9dcaa9971f07f8299d Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 21 Apr 2021 23:00:09 -0400 Subject: [PATCH 11/21] ampersand --- scripts/subinstallers/extra/wazuh.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index 0d5c0ee..6e2f834 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh @@ -23,14 +23,14 @@ import secrets import random import string -random_pass = ([secrets.choice("@$!%*?&-_"), +random_pass = ([secrets.choice("@$!%*?-_"), secrets.choice(string.digits), secrets.choice(string.ascii_lowercase), secrets.choice(string.ascii_uppercase), ] + [secrets.choice(string.ascii_lowercase + string.ascii_uppercase - + "@$!%*?&-_" + + "@$!%*?-_" + string.digits) for i in range(12)]) random.shuffle(random_pass) From 10568bc6849a7075296545e247924c831324fff0 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 23 Apr 2021 02:21:41 +0000 Subject: [PATCH 12/21] Resolve "Security Center Bugfixes" --- scripts/services/wazuh/agent.sh | 2 +- scripts/subinstallers/extra/wazuh.sh | 39 ++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/scripts/services/wazuh/agent.sh b/scripts/services/wazuh/agent.sh index b478fa4..222d664 100755 --- a/scripts/services/wazuh/agent.sh +++ b/scripts/services/wazuh/agent.sh @@ -1,7 +1,7 @@ #!/bin/bash # detect if already installed -if [ $(dpkg -s wazuh-agent &> /dev/null) -eq 0 ]; then +if dpkg -s wazuh-agent &> /dev/null; then echo "Wazuh agent already installed" exit 0 fi diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index 6e2f834..1a7b6f7 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh @@ -48,6 +48,45 @@ echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE # https://elasticsearch:9200 echo "ELASTICSEARCH_URL=https://10.2.3.1:9200" >> $WAZUH_PROD_FILE + +cat >> ${WAZUH_PROD_FILE}<< EOF + +PATTERN="wazuh-alerts-*" + +CHECKS_PATTERN=true +CHECKS_TEMPLATE=true +CHECKS_API=true +CHECKS_SETUP=true + +EXTENSIONS_PCI=true +EXTENSIONS_GDPR=true +EXTENSIONS_HIPAA=true +EXTENSIONS_NIST=true +EXTENSIONS_TSC=true +EXTENSIONS_AUDIT=true +EXTENSIONS_OSCAP=false +EXTENSIONS_CISCAT=false +EXTENSIONS_AWS=false +EXTENSIONS_GCP=false +EXTENSIONS_VIRUSTOTAL=true +EXTENSIONS_OSQUERY=true +EXTENSIONS_DOCKER=true + +APP_TIMEOUT=20000 + +API_SELECTOR=true +IP_SELECTOR=true +IP_IGNORE="[]" + +WAZUH_MONITORING_ENABLED=true +WAZUH_MONITORING_FREQUENCY=900 +WAZUH_MONITORING_SHARDS=2 +WAZUH_MONITORING_REPLICAS=0 + +ADMIN_PRIVILEGES=true + +EOF + echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE chmod 600 $WAZUH_PROD_FILE From b9b0eebf1e3dbaba80b836a7dc427faed1836024 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 27 Apr 2021 02:31:55 +0000 Subject: [PATCH 13/21] Resolve "Dependent Service Restart Handling" --- scripts/services/Mistborn-bitwarden.service | 2 +- scripts/services/Mistborn-elasticsearch.service | 2 +- scripts/services/Mistborn-guacamole.service | 2 +- scripts/services/Mistborn-homeassistant.service | 2 +- scripts/services/Mistborn-jellyfin.service | 2 +- scripts/services/Mistborn-jitsi.service | 2 +- scripts/services/Mistborn-nextcloud.service | 2 +- scripts/services/Mistborn-onlyoffice.service | 2 +- scripts/services/Mistborn-raspap.service | 2 +- scripts/services/Mistborn-rocketchat.service | 2 +- scripts/services/Mistborn-syncthing.service | 2 +- scripts/services/Mistborn-tor.service | 2 +- scripts/services/Mistborn-wazuh.service | 2 +- scripts/subinstallers/extra/wazuh.sh | 4 ++-- scripts/subinstallers/iptables.sh | 2 +- 15 files changed, 16 insertions(+), 16 deletions(-) diff --git a/scripts/services/Mistborn-bitwarden.service b/scripts/services/Mistborn-bitwarden.service index 8b0c8de..4ba99ae 100644 --- a/scripts/services/Mistborn-bitwarden.service +++ b/scripts/services/Mistborn-bitwarden.service @@ -22,4 +22,4 @@ ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-comp ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-elasticsearch.service b/scripts/services/Mistborn-elasticsearch.service index 63933c7..efc5740 100644 --- a/scripts/services/Mistborn-elasticsearch.service +++ b/scripts/services/Mistborn-elasticsearch.service @@ -19,4 +19,4 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-guacamole.service b/scripts/services/Mistborn-guacamole.service index 1c193e8..8d62780 100644 --- a/scripts/services/Mistborn-guacamole.service +++ b/scripts/services/Mistborn-guacamole.service @@ -20,4 +20,4 @@ ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-comp # Post stop [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-homeassistant.service b/scripts/services/Mistborn-homeassistant.service index 6ca8cc1..90c7841 100644 --- a/scripts/services/Mistborn-homeassistant.service +++ b/scripts/services/Mistborn-homeassistant.service @@ -20,4 +20,4 @@ ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker- # Post stop [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-jellyfin.service b/scripts/services/Mistborn-jellyfin.service index 270769c..5cc6e48 100644 --- a/scripts/services/Mistborn-jellyfin.service +++ b/scripts/services/Mistborn-jellyfin.service @@ -20,4 +20,4 @@ ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compo # Post stop [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-jitsi.service b/scripts/services/Mistborn-jitsi.service index d99aa81..a52775b 100644 --- a/scripts/services/Mistborn-jitsi.service +++ b/scripts/services/Mistborn-jitsi.service @@ -24,4 +24,4 @@ ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-nextcloud.service b/scripts/services/Mistborn-nextcloud.service index 01f0132..361c200 100644 --- a/scripts/services/Mistborn-nextcloud.service +++ b/scripts/services/Mistborn-nextcloud.service @@ -20,4 +20,4 @@ ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-comp # Post stop [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-onlyoffice.service b/scripts/services/Mistborn-onlyoffice.service index 16f0010..891181e 100644 --- a/scripts/services/Mistborn-onlyoffice.service +++ b/scripts/services/Mistborn-onlyoffice.service @@ -20,4 +20,4 @@ ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-com # Post stop [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-raspap.service b/scripts/services/Mistborn-raspap.service index bb62297..f77b31a 100644 --- a/scripts/services/Mistborn-raspap.service +++ b/scripts/services/Mistborn-raspap.service @@ -22,4 +22,4 @@ ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MIS # Post stop [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-rocketchat.service b/scripts/services/Mistborn-rocketchat.service index 8106fc9..5673d36 100644 --- a/scripts/services/Mistborn-rocketchat.service +++ b/scripts/services/Mistborn-rocketchat.service @@ -22,4 +22,4 @@ ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-com ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-syncthing.service b/scripts/services/Mistborn-syncthing.service index 0399dec..f658293 100644 --- a/scripts/services/Mistborn-syncthing.service +++ b/scripts/services/Mistborn-syncthing.service @@ -24,4 +24,4 @@ ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MI ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-tor.service b/scripts/services/Mistborn-tor.service index 43b8c42..4b0afcb 100644 --- a/scripts/services/Mistborn-tor.service +++ b/scripts/services/Mistborn-tor.service @@ -22,4 +22,4 @@ ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service index b4cac82..13fedeb 100644 --- a/scripts/services/Mistborn-wazuh.service +++ b/scripts/services/Mistborn-wazuh.service @@ -23,4 +23,4 @@ ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose [Install] -WantedBy=multi-user.target +WantedBy=Mistborn-base.service diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index 1a7b6f7..2959629 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh @@ -23,14 +23,14 @@ import secrets import random import string -random_pass = ([secrets.choice("@$!%*?-_"), +random_pass = ([secrets.choice("@$!*?-_"), secrets.choice(string.digits), secrets.choice(string.ascii_lowercase), secrets.choice(string.ascii_uppercase), ] + [secrets.choice(string.ascii_lowercase + string.ascii_uppercase - + "@$!%*?-_" + + "@$!*?-_" + string.digits) for i in range(12)]) random.shuffle(random_pass) diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh index 84aada7..ba7784e 100755 --- a/scripts/subinstallers/iptables.sh +++ b/scripts/subinstallers/iptables.sh @@ -6,7 +6,7 @@ figlet "Mistborn: Configuring Firewall" echo "stop iptables wrappers" if [ "$DISTRO" == "ubuntu" ]; then - # Disable UFW + echo "Disabling UFW" sudo systemctl stop ufw || true sudo systemctl disable ufw || true fi From 5b9e07fb2458d516237fe29ecd3ab146d8fb22cd Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Mon, 3 May 2021 02:56:05 +0000 Subject: [PATCH 14/21] Resolve "Wazuh is not Starting" --- extra/bitwarden.yml | 2 +- extra/jitsi-meet.yml | 4 ++-- extra/syncthing.yml | 4 ++-- extra/tor.yml | 2 +- scripts/install.sh | 7 +++++-- scripts/services/Mistborn-base.service | 1 + scripts/services/wazuh/agent.sh | 8 ++++++-- scripts/subinstallers/check_updates.sh | 10 ++++++++++ scripts/subinstallers/extra/wazuh.sh | 4 ++-- 9 files changed, 30 insertions(+), 12 deletions(-) create mode 100755 scripts/subinstallers/check_updates.sh diff --git a/extra/bitwarden.yml b/extra/bitwarden.yml index 377b4b8..cd66424 100644 --- a/extra/bitwarden.yml +++ b/extra/bitwarden.yml @@ -19,7 +19,7 @@ services: - "traefik.http.routers.bitwarden-https.tls.certresolver=basic" - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80" ports: - - 3012:3012/tcp + - "${MISTBORN_BIND_IP}:3012:3012/tcp" restart: unless-stopped networks: diff --git a/extra/jitsi-meet.yml b/extra/jitsi-meet.yml index 421f2a3..4a92b8e 100644 --- a/extra/jitsi-meet.yml +++ b/extra/jitsi-meet.yml @@ -216,8 +216,8 @@ services: image: jitsi/jvb:latest restart: unless-stopped ports: - - '${JVB_PORT}:${JVB_PORT}/udp' - - '${JVB_TCP_PORT}:${JVB_TCP_PORT}' + - "${MISTBORN_BIND_IP}:${JVB_PORT}:${JVB_PORT}/udp" + - "${MISTBORN_BIND_IP}:${JVB_TCP_PORT}:${JVB_TCP_PORT}" volumes: - ${CONFIG}/jvb:/config:Z env_file: diff --git a/extra/syncthing.yml b/extra/syncthing.yml index 6083393..f66bd73 100644 --- a/extra/syncthing.yml +++ b/extra/syncthing.yml @@ -15,8 +15,8 @@ services: - ../../mistborn_volumes/extra/syncthing/data2:/data2 ports: #- 8384:8384 - - 22000:22000/tcp # listening port - - 21027:21027/udp # protocol discovery + - "${MISTBORN_BIND_IP}:22000:22000/tcp" # listening port + - "${MISTBORN_BIND_IP}:21027:21027/udp" # protocol discovery labels: - "traefik.enable=true" - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.mistborn`)" diff --git a/extra/tor.yml b/extra/tor.yml index f8c4141..6b06975 100644 --- a/extra/tor.yml +++ b/extra/tor.yml @@ -8,7 +8,7 @@ services: image: mistborn_production_tor container_name: mistborn_production_tor ports: - - 9150:9150/tcp + - "${MISTBORN_BIND_IP}:9150:9150/tcp" networks: default: diff --git a/scripts/install.sh b/scripts/install.sh index a142ad9..0924e86 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -69,6 +69,10 @@ pushd . cd /opt/mistborn git submodule update --init --recursive +# Check updates +echo "Checking updates" +source ./scripts/subinstallers/check_updates.sh + # MISTBORN_DEFAULT_PASSWORD source ./scripts/subinstallers/passwd.sh @@ -90,8 +94,7 @@ else echo "SSH key exists for $USER" fi -# initial load update package list -sudo apt-get update +# initial load update package list during check_updates.sh # install figlet sudo -E apt-get install -y figlet diff --git a/scripts/services/Mistborn-base.service b/scripts/services/Mistborn-base.service index 9f82b72..46e513c 100644 --- a/scripts/services/Mistborn-base.service +++ b/scripts/services/Mistborn-base.service @@ -7,6 +7,7 @@ After=netfilter-persistent.service [Service] Restart=always +RestartSec=15 User=root Group=docker PermissionsStartOnly=true diff --git a/scripts/services/wazuh/agent.sh b/scripts/services/wazuh/agent.sh index 222d664..7735fc1 100755 --- a/scripts/services/wazuh/agent.sh +++ b/scripts/services/wazuh/agent.sh @@ -6,10 +6,14 @@ if dpkg -s wazuh-agent &> /dev/null; then exit 0 fi +# install curl +echo "install curl" +sudo -E apt-get install -y curl + # prepare repo echo "Adding Wazuh Repository" -curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - -echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list +curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo -E apt-key add - +echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo -E tee /etc/apt/sources.list.d/wazuh.list apt-get update diff --git a/scripts/subinstallers/check_updates.sh b/scripts/subinstallers/check_updates.sh new file mode 100755 index 0000000..286db0d --- /dev/null +++ b/scripts/subinstallers/check_updates.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +sudo apt-get update + +UPDATES=$(sudo apt-get dist-upgrade -s --quiet=2 | grep ^Inst | wc -l) + +if [[ "$UPDATES" -ne "0" ]]; then + echo "Please run updates and reboot before installing Mistborn: sudo apt-get update && sudo apt-get -y dist-upgrade" + exit 1; +fi \ No newline at end of file diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index 2959629..83dcb79 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh @@ -23,14 +23,14 @@ import secrets import random import string -random_pass = ([secrets.choice("@$!*?-_"), +random_pass = ([secrets.choice("@$!*?-"), secrets.choice(string.digits), secrets.choice(string.ascii_lowercase), secrets.choice(string.ascii_uppercase), ] + [secrets.choice(string.ascii_lowercase + string.ascii_uppercase - + "@$!*?-_" + + "@$!*?-" + string.digits) for i in range(12)]) random.shuffle(random_pass) From 75da49eeab6ad15938240ad4e90bda82ebb272f2 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 4 May 2021 16:29:22 -0400 Subject: [PATCH 15/21] handle ungraceful restarts --- scripts/services/Mistborn-base.service | 5 +++++ scripts/services/Mistborn-wazuh.service | 3 +-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/scripts/services/Mistborn-base.service b/scripts/services/Mistborn-base.service index 46e513c..c5ceb9a 100644 --- a/scripts/services/Mistborn-base.service +++ b/scripts/services/Mistborn-base.service @@ -13,6 +13,11 @@ Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped EnvironmentFile=/opt/mistborn/.env + +# stop all containers joined to mistborn_default network +ExecStartPre=-/usr/bin/bash -c "docker container stop $(docker network inspect mistborn_default | grep Name | tail -n +2 | cut -d':' -f2 | tr -d ',\"') 2>/dev/null" + +# bring down the base service ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml build diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service index 13fedeb..ca8354e 100644 --- a/scripts/services/Mistborn-wazuh.service +++ b/scripts/services/Mistborn-wazuh.service @@ -18,9 +18,8 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh # Stop container when unit is stopped -ExecStop=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down - +ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh [Install] WantedBy=Mistborn-base.service From b83227e39d46457df4601fd8a79c6e381c07ff55 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 7 May 2021 17:14:49 +0000 Subject: [PATCH 16/21] Resolve "Adding Suricata" --- README.md | 5 + scripts/services/Mistborn-wazuh.service | 5 + .../services/wazuh/suricata/suricata_init.sh | 129 ++++++++++++++++++ .../services/wazuh/suricata/suricata_start.sh | 7 + .../services/wazuh/suricata/suricata_stop.sh | 6 + scripts/wrappers/mistborn_docker.sh | 6 + 6 files changed, 158 insertions(+) create mode 100755 scripts/services/wazuh/suricata/suricata_init.sh create mode 100755 scripts/services/wazuh/suricata/suricata_start.sh create mode 100755 scripts/services/wazuh/suricata/suricata_stop.sh diff --git a/README.md b/README.md index 1ad2195..870c6ac 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,10 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur - [Pi-hole](https://pi-hole.net): A DNS server for network-wide ad blocking, etc - [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered - [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy + +These tools can be turned on from the Mistborn Security Operations Center: - [Wazuh](https://wazuh.com/): Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. +- [Suricata](https://suricata-ids.org/): Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats. Within Mistborn is a panel to enable and manage these free extra services (off by default), locally hosted in Docker containers: - [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first @@ -117,6 +120,8 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/ The Mistborn Security Operations Center provides SIEM services with Wazuh. The Wazuh Manager requires an Open Distro for Elasticsearch backend. When the Mistborn host has >8 GB RAM the provided Elasticsearch backend can be used. Just click "Start Wazuh" on the `Security Center` page and enjoy your Enterprise-grade SIEM. Wazuh agents can be installed on just about any OS and all Wazuh agent traffic is communicated over the Wireguard connections. Instructions for adding endpoint agents can be found within Wazuh itself. +Mistborn's Wazuh installs and integrates with Suricata running on Mistborn with logs ingested into Wazuh. + ![Mistborn Security Center: Wazuh Modules](https://gitlab.com/cyber5k/public/-/raw/master/graphics/wazuh_modules.png) The Wazuh Kibana plugin leverages the power of Elasticsearch: diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service index ca8354e..fe019ed 100644 --- a/scripts/services/Mistborn-wazuh.service +++ b/scripts/services/Mistborn-wazuh.service @@ -7,6 +7,7 @@ PartOf=Mistborn-base.service [Service] Restart=always RestartSec=15 +TimeoutStartSec=600 User=root Group=docker PermissionsStartOnly=true @@ -17,8 +18,12 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose # Agent install ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh +# Suricata +ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh +ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh # Stop container when unit is stopped ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down +ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_stop.sh ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh [Install] diff --git a/scripts/services/wazuh/suricata/suricata_init.sh b/scripts/services/wazuh/suricata/suricata_init.sh new file mode 100755 index 0000000..7937739 --- /dev/null +++ b/scripts/services/wazuh/suricata/suricata_init.sh @@ -0,0 +1,129 @@ +#!/bin/bash + +set -e + +# detect if suricata is installed +if [[ $(dpkg-query -W -f='${Status}' suricata 2>/dev/null | grep -c "ok installed") -eq 1 ]]; then + echo "Suricata Installed" + exit 0 +fi + +source /opt/mistborn/scripts/subinstallers/platform.sh + +# minimal dependencies +sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \ + libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \ + make libmagic-dev libjansson-dev jq wget + +## recommended dependencies +#sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \ +# libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \ +# libcap-ng-dev libcap-ng0 make libmagic-dev \ +# libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \ +# python-yaml rustc cargo + +# iptables/nftables integration +sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 \ + libnetfilter-log-dev libnetfilter-log1 \ + libnfnetlink-dev libnfnetlink0 + + +if [ "$DISTRO" == "ubuntu" ]; then + echo "Installing Suricata Ubuntu PPA" + sudo -E add-apt-repository -y ppa:oisf/suricata-stable + sudo -E apt-get update + sudo -E apt-get install -y suricata +elif [ "$DISTRO" == "debian" ]; then + # retrieve version codename + source /etc/os-release + echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \ + sudo -E tee /etc/apt/sources.list.d/backports.list + sudo -E apt-get update + sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports +else + echo "Basic Suricata installation" + sudo -E apt-get install -y suricata +fi + +# # iptables +# sudo iptables -A INPUT -j NFQUEUE +# sudo iptables -I FORWARD -j NFQUEUE +# sudo iptables -I OUTPUT -j NFQUEUE + +# # rsyslog to create /var/log/suricata.log +# sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/ +# sudo chown root:root /etc/rsyslog.d/20-suricata.conf +# sudo systemctl restart rsyslog + +# rules +pushd . +cd /tmp +wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz +tar zxvf emerging.rules.tar.gz +sudo -E rm /etc/suricata/rules/* -f +sudo -E mv rules/*.rules /etc/suricata/rules/ +popd + +# suricata yaml +sudo -E rm -f /etc/suricata/suricata.yaml +sudo -E wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml + +IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}') +sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml +sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata + +#systemctl restart suricata + +# wait for service to be listening +while ! nc -z 10.2.3.1 55000; do + WAIT_TIME=10 + echo "Waiting ${WAIT_TIME} seconds for Wazuh API..." + sleep ${WAIT_TIME} +done + +# set working directory to mistborn for docker-compose +pushd . +cd /opt/mistborn + +# ensure group exists +sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null + +# add this host to group +WAZUH_ID=$(sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',') +sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q + +# write agent.conf +sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF + + + json + /var/log/suricata/eve.json + + +EOF +" + +# restart manager +sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml restart wazuh + +popd + +# suricata-update +sudo -E apt install python3-pip +sudo -E pip3 install pyyaml +sudo -E pip3 install https://github.com/OISF/suricata-update/archive/master.zip + +sudo -E pip3 install --pre --upgrade suricata-update + +# sudo -E suricata-update enable-source oisf/trafficid +# sudo -E suricata-update enable-source etnetera/aggressive +# sudo -E suricata-update enable-source sslbl/ssl-fp-blacklist +# sudo -E suricata-update enable-source et/open +# sudo -E suricata-update enable-source tgreen/hunting +# sudo -E suricata-update enable-source sslbl/ja3-fingerprints +# sudo -E suricata-update enable-source ptresearch/attackdetection + +sudo -E suricata-update + +sudo systemctl daemon-reload +sudo systemctl restart suricata \ No newline at end of file diff --git a/scripts/services/wazuh/suricata/suricata_start.sh b/scripts/services/wazuh/suricata/suricata_start.sh new file mode 100755 index 0000000..08803fc --- /dev/null +++ b/scripts/services/wazuh/suricata/suricata_start.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +systemctl start suricata +systemctl enable suricata + +#apt-get install -y python-pyinotify +#python /opt/mistborn/scripts/services/scirius/suri_reloader -p /etc/suricata/rules & \ No newline at end of file diff --git a/scripts/services/wazuh/suricata/suricata_stop.sh b/scripts/services/wazuh/suricata/suricata_stop.sh new file mode 100755 index 0000000..9cd5ba3 --- /dev/null +++ b/scripts/services/wazuh/suricata/suricata_stop.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +systemctl stop suricata +systemctl disable suricata + +#kill $(pgrep -f suri_reloader) 2>/dev/null \ No newline at end of file diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh index a5fa403..fa918e9 100755 --- a/scripts/wrappers/mistborn_docker.sh +++ b/scripts/wrappers/mistborn_docker.sh @@ -37,6 +37,12 @@ for SERVICE in "${SERVICES_ARRAY[@]}"; do fi done +# check that netcat exists +if ! [ -x "$(command -v nc)" ]; then + echo "Installing netcat" + sudo apt-get install -y netcat +fi + # ensure base is up and listening echo "Checking that Mistborn-base has finished starting up..." From e655a71db3cc8cf914a44c3056e3638782165ac4 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 8 May 2021 16:35:30 +0000 Subject: [PATCH 17/21] Resolve "PostgresSQL not avaiable" --- scripts/subinstallers/docker_manual.sh | 5 +++ scripts/subinstallers/docker_raspbian.sh | 44 ++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100755 scripts/subinstallers/docker_raspbian.sh diff --git a/scripts/subinstallers/docker_manual.sh b/scripts/subinstallers/docker_manual.sh index 2d02ddb..2e065be 100755 --- a/scripts/subinstallers/docker_manual.sh +++ b/scripts/subinstallers/docker_manual.sh @@ -67,3 +67,8 @@ echo "Installing Docker Compose" sudo pip3 install cryptography==3.3.2 docker-compose #fi + +# check raspbian fixes +if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then + source ./scripts/subinstallers/docker_raspbian.sh +fi diff --git a/scripts/subinstallers/docker_raspbian.sh b/scripts/subinstallers/docker_raspbian.sh new file mode 100755 index 0000000..8ecda9c --- /dev/null +++ b/scripts/subinstallers/docker_raspbian.sh @@ -0,0 +1,44 @@ +#!/bin/bash + +set +e + +compare_version() { + local versionOne="${1}" + local comparision="${2}" + local versionTwo="${3}" + local result= + local sortOpt= + local returncode=1 + + if [[ "${versionOne}" == "${versionTwo}" ]] ; then + return 3 + fi + + case ${comparision} in + lower|smaller|older|lt|"<" ) sortOpt= ;; + higher|bigger|newer|bt|">" ) sortOpt='r' ;; + * ) return 2 ;; + esac + + result=($(printf "%s\n" "${versionOne}" "${versionTwo}" | sort -${sortOpt}V )) + if [[ "${versionOne}" == "${result[0]}" ]] ; then + returncode=0 + fi + + return ${returncode} +} # end of function compare_version + +# libseccomp2 +LIBSECCOMP2_VERSION=$(sudo -E apt-cache policy libseccomp2 | egrep ^\ *Inst | awk '{print $2}') + +compare_version $LIBSECCOMP2_VERSION '<' '2.5.1-1' + +if [ $? -eq 0 ]; then + # this is dumb but the raspbian repo managers aren't impressive + echo "Installing newer libseccomp2" + pushd . + cd /tmp + wget http://ftp.us.debian.org/debian/pool/main/libs/libseccomp/libseccomp2_2.5.1-1_$(dpkg --print-architecture).deb + sudo dpkg -i libseccomp2_2.5.1-1_$(dpkg --print-architecture).deb + popd +fi From 71b538bdb78ce1131bdac0f9bcb0f38165db1d34 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 28 May 2021 18:04:11 +0000 Subject: [PATCH 18/21] Resolve "Update README" --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 870c6ac..4cd788e 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,8 @@ The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-origin Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free public WiFi networks. We needed a way to secure all family devices with a solid VPN (Wireguard). Once we had that we wanted to control DNS to block ads to all devices and block malicious websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding more services so I made that easy to do. +As an [Offensive Security Certified Professional (OSCP)](https://resources.infosecinstitute.com/certification/the-oscp-certification-and-exam/), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights). + Ideal for teams who: - hate internet ads - need to be protected from malicious internet domains @@ -102,7 +104,7 @@ sudo mistborn-cli getconf Connect via Wireguard then visit `http://home.mistborn` -For more information, see the `Installation` section below. +For more information, see the [Installation](#installation) section below. # Network Diagram ![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png) @@ -557,7 +559,8 @@ Many features and refinements are in the works at various stages including: # Featured In - [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) November 2020 (featuring Mistborn version from early May 2020) -- [Awesome Open Source](https://www.youtube.com/watch?v=hekP0_crotw) July 2020 (featuring Mistborn version from early July 2020) +- [Awesome Open Source](https://www.youtube.com/watch?v=hekP0_crotw) July 2020 +- [DB Tech](https://www.youtube.com/watch?v=UE_OuAOgoZI) May 2021 # Follow You can find recent bugfixes, functional additions, some extra documentation and more at the Cyber5K Patreon page: [https://www.patreon.com/cyber5k](https://www.patreon.com/cyber5k) From 098755041bde4a235f7675099c7c166ced58ce2b Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 11 Jun 2021 11:42:07 -0400 Subject: [PATCH 19/21] elasticsearch credentials --- scripts/services/elasticsearch/init.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/scripts/services/elasticsearch/init.sh b/scripts/services/elasticsearch/init.sh index 1b3d21b..65f2f28 100755 --- a/scripts/services/elasticsearch/init.sh +++ b/scripts/services/elasticsearch/init.sh @@ -11,6 +11,11 @@ mkdir -p /opt/mistborn_volumes/extra/elasticsearch/init/ >/dev/null 2>&1 chmod -R +x /opt/mistborn_volumes/extra/elasticsearch/init/ cp /opt/mistborn/scripts/services/elasticsearch/files/internal_users.yml /opt/mistborn_volumes/extra/elasticsearch/init/ -ELASTICSEARCH_MISTBORN_HASHED=$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n') +ELASTICSEARCH_MISTBORN_HASHED="$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n')" + +if [[ -z "${ELASTICSEARCH_MISTBORN_HASHED}" ]]; then + echo "Elasticsearch password hash not generated properly" + exit 1; +fi sed -i "s|__MISTBORN_HASH__|${ELASTICSEARCH_MISTBORN_HASHED}|" /opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml From 85f2a3a38bb876e6f54ef32d6d29e0351c74e05d Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 15 Jul 2021 00:34:02 +0000 Subject: [PATCH 20/21] Resolve "Testing on later versions of Ubuntu" --- README.md | 144 ++++++++++++++--------- scripts/subinstallers/docker.sh | 13 +- scripts/subinstallers/docker_raspbian.sh | 2 + scripts/subinstallers/platform.sh | 36 ++++++ 4 files changed, 139 insertions(+), 56 deletions(-) diff --git a/README.md b/README.md index 4cd788e..5298329 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Mistborn -A secure platform for easily standing up and managing your own cloud services: including firewall, ad-blocking, and multi-factor Wireguard VPN access +A secure platform for easily standing up and managing your own cloud services: including firewall, ad-blocking, and multi-factor WireGuard VPN access -![Mistborn Wireguard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*Wireguard Management in Mistborn* +![Mistborn WireGuard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*WireGuard Management in Mistborn* As featured in [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) (Linux Pro Magazine in North America) in November 2020 @@ -13,7 +13,7 @@ As featured in [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/M # What is Mistborn The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-original-trilogy) is inspired by a type of powerful Allomancer in Brandon Sanderson's Cosmere. -Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free public WiFi networks. We needed a way to secure all family devices with a solid VPN (Wireguard). Once we had that we wanted to control DNS to block ads to all devices and block malicious websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding more services so I made that easy to do. +Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free public WiFi networks. We needed a way to secure all family devices with a solid VPN (WireGuard). Once we had that we wanted to control DNS to block ads to all devices and block malicious websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding more services so I made that easy to do. As an [Offensive Security Certified Professional (OSCP)](https://resources.infosecinstitute.com/certification/the-oscp-certification-and-exam/), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights). @@ -21,7 +21,7 @@ Ideal for teams who: - hate internet ads - need to be protected from malicious internet domains - need to collaborate securely -- need multi-factor authentication for Wireguard +- need multi-factor authentication for WireGuard - want to retain sole ownership of their data - want to easily grant and revoke access to people and devices via a simple web interface - want secure internet access wherever they are @@ -32,7 +32,7 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/ Mistborn depends on these core open source technologies: - [Docker](https://www.docker.com/why-docker): containerization -- [Wireguard](https://www.wireguard.com): secure VPN access +- [WireGuard](https://www.wireguard.com): secure VPN access - [SSH](https://www.openssh.com): secure remote management These tools are not vital to Mistborn itself but are integrated to enhance security, ease, and features: @@ -84,7 +84,7 @@ Recommended System Specifications: | Use Case | Description | RAM | Hard Disk | |------------------------|-------------------------------------------------------------------------------|-------|-----------| -| Bare bones | Wireguard, Pihole (no Cockpit, no extra services) | 2 GB | 15 GB | +| Bare bones | WireGuard, Pihole (no Cockpit, no extra services) | 2 GB | 15 GB | | Default | Bare bones + Cockpit | 2 GB+ | 15 GB | | Low-resource services | Default + Bitwarden, Tor, Syncthing | 4 GB | 20 GB | | High-resource services | Default + Jitsi, Nextcloud, Jellyfin, Rocket.Chat, Home Assistant, OnlyOffice | 6 GB+ | 25 GB+ | @@ -96,13 +96,13 @@ git clone https://gitlab.com/cyber5k/mistborn.git sudo -E bash ./mistborn/scripts/install.sh ``` -Get default admin Wireguard profile +Get default admin WireGuard profile *wait 1 minute after "Mistborn Installed" message* ``` sudo mistborn-cli getconf ``` -Connect via Wireguard then visit `http://home.mistborn` +Connect via WireGuard then visit `http://home.mistborn` For more information, see the [Installation](#installation) section below. @@ -110,17 +110,22 @@ For more information, see the [Installation](#installation) section below. ![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png) Mistborn protects your data in a variety of ways: -- All of your devices are protected wherever they go with the Wireguard VPN protocol +- All of your devices are protected wherever they go with the WireGuard VPN protocol - The Mistborn firewall blocks unsolicited incoming internet packets - Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see more network diagrams and the network scan results for Mistborn. +# Status +![Mistborn Home](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home_status.png) + +The home page receives WireGuard status updates from the server via WebSocket connections. Superusers receive detailed updates about all connections and profiles. Regular users see details about their own devices. + # Security Information & Event Management (SIEM) ![Mistborn Security Center](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_soc.png) -The Mistborn Security Operations Center provides SIEM services with Wazuh. The Wazuh Manager requires an Open Distro for Elasticsearch backend. When the Mistborn host has >8 GB RAM the provided Elasticsearch backend can be used. Just click "Start Wazuh" on the `Security Center` page and enjoy your Enterprise-grade SIEM. Wazuh agents can be installed on just about any OS and all Wazuh agent traffic is communicated over the Wireguard connections. Instructions for adding endpoint agents can be found within Wazuh itself. +The Mistborn Security Operations Center provides SIEM services with Wazuh. The Wazuh Manager requires an Open Distro for Elasticsearch backend. When the Mistborn host has >8 GB RAM the provided Elasticsearch backend can be used. Just click "Start Wazuh" on the `Security Center` page and enjoy your Enterprise-grade SIEM. Wazuh agents can be installed on just about any OS and all Wazuh agent traffic is communicated over the WireGuard connections. Instructions for adding endpoint agents can be found within Wazuh itself. Mistborn's Wazuh installs and integrates with Suricata running on Mistborn with logs ingested into Wazuh. @@ -144,7 +149,7 @@ We were getting frustrated at being forced to choose between being connected to *Netflix blocking my connections that it sees coming from a DigitalOcean droplet* -In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home (Raspberry Pi with `wireguard` and `openresolv` installed) and with our Mistborn on DigitalOcean, all Wireguard profiles created with this Gateway will appear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible). +In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home (Raspberry Pi with `wireguard` and `openresolv` installed) and with our Mistborn on DigitalOcean, all WireGuard profiles created with this Gateway will appear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible). ![Mistborn Gateway Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/gateway_network.png) @@ -157,7 +162,7 @@ Mistborn enables remote desktop access via the Apache Guacamole extra service, w ![Guacamole Recent Connections](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_connections.png) -Guacamole implements its own users and groups access controls to manage access to individual desktops. All Mistborn users must be authenticated with Mistborn (via Wireguard only or MFA) to access the Guacamole interface. +Guacamole implements its own users and groups access controls to manage access to individual desktops. All Mistborn users must be authenticated with Mistborn (via WireGuard only or MFA) to access the Guacamole interface. # Client to client communication By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle. @@ -165,7 +170,7 @@ By default direct communication between network clients is blocked. Mistborn cli ![System Settings](https://gitlab.com/cyber5k/public/-/raw/master/graphics/system_settings_dropdown.png) # Installation -Mistborn is regularly tested on Ubuntu 20.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). Make sure to install OS updates and restart before installing Mistborn (Wireguard installs differently on recent kernels). +Mistborn is regularly tested on Ubuntu 20.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). Make sure to install OS updates and restart before installing Mistborn (WireGuard installs differently on recent kernels). Clone the git repository and run the install script: ``` @@ -180,7 +185,7 @@ Running `install.sh` will do the following: - install iptables-persistent - install Docker - install OpenSSH -- install Wireguard +- install WireGuard - install Cockpit (optional) - create a `cockpit` system user (if Cockpit is installed) - configure unattended-upgrades @@ -208,23 +213,23 @@ sudo -E bash -c "source ./mistborn/scripts/noninteractive/.install_barebones && ``` # Post-Installation -When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser `admin` along with an accompanying default Wireguard configuration file and start the Wireguard service. You can watch all of this happen with: +When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser `admin` along with an accompanying default WireGuard configuration file and start the WireGuard service. You can watch all of this happen with: ``` sudo journalctl -xfu Mistborn-base ``` -The default Wireguard configuration file for `admin` may be obtained via: +The default WireGuard configuration file for `admin` may be obtained via: ``` sudo mistborn-cli getconf ``` -Please notice that the following lines are **NOT** part of the Wireguard config: +Please notice that the following lines are **NOT** part of the WireGuard config: ``` Starting mistborn_production_postgres ... done Starting mistborn_production_redis ... done PostgreSQL is available ``` -The Wireguard config will look like this: +The WireGuard config will look like this: ``` # "10.15.91.2" - WireGuard Client Profile [Interface] @@ -246,18 +251,18 @@ AllowedIPs = 0.0.0.0/0,::/0 Endpoint = :39207 ``` -## Login via Wireguard -[Install wireguard](https://www.wireguard.com/install/) on your computer. If you get a `resolvconf: command not found` error when starting Wireguard then install openresolv: `sudo apt-get install -y openresolv` -- Copy the text of the default admin Wireguard config to `/etc/wireguard/wg_admin.conf` on your computer +## Login via WireGuard +[Install wireguard](https://www.wireguard.com/install/) on your computer. If you get a `resolvconf: command not found` error when starting WireGuard then install openresolv: `sudo apt-get install -y openresolv` +- Copy the text of the default admin WireGuard config to `/etc/wireguard/wg_admin.conf` on your computer - Run `sudo systemctl start wg-quick@wg_admin` - Run `sudo systemctl enable wg-quick@wg_admin` - Open your browser and go to "http://home.mistborn" - Browse your Mistborn system! **Note:** The home.mistborn server takes a minute to come up after Mistborn is up (collectstatic on all that frontend JavaScript and CSS) -## Wireguard Management -Mistborn users can be added (non-privileged or superuser) and removed by superusers. Multiple Wireguard profiles can be created for each user. A non-privileged user can create profiles for themselves. -![Mistborn Wireguard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*Wireguard Management in Mistborn* +## WireGuard Management +Mistborn users can be added (non-privileged or superuser) and removed by superusers. Multiple WireGuard profiles can be created for each user. A non-privileged user can create profiles for themselves. +![Mistborn WireGuard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*WireGuard Management in Mistborn* ## Extra Services Mistborn makes extra services available. @@ -272,11 +277,11 @@ There are multiple ways to authenticate and use the system. ![Mistborn Multi Factor Authentication - Authenticator App Setup](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_qr.png)*Mistborn Multi Factor Authentication - Authenticator App Setup* -## Profile: Wireguard Authentication -Mistborn always authenticates with Wireguard. You must have a valid Wireguard configuration file associated with the correct internal IP address. A classic Mistborn profile (Wireguard Only) will allow you to access the internet and all services hosted by Mistborn once you have connected via Wireguard. Note: individual services may require passwords or additional authentication. +## Profile: WireGuard Authentication +Mistborn always authenticates with WireGuard. You must have a valid WireGuard configuration file associated with the correct internal IP address. A classic Mistborn profile (WireGuard Only) will allow you to access the internet and all services hosted by Mistborn once you have connected via WireGuard. Note: individual services may require passwords or additional authentication. ## Profile: Multi Factor Authentication (MFA) -In addition to Wireguard, you may create a Mistborn profile enabling multi-factor authentication (MFA). You must first connect to Mistborn via Wireguard. Then all internet traffic will route you to the Mistborn webserver where you must first setup and thereafter authenticate with an app (Google Authenticator, Authy, etc.). You must go to [http://home.mistborn](http://home.mistborn) to complete the authentication process. +In addition to WireGuard, you may create a Mistborn profile enabling multi-factor authentication (MFA). You must first connect to Mistborn via WireGuard. Then all internet traffic will route you to the Mistborn webserver where you must first setup and thereafter authenticate with an app (Google Authenticator, Authy, etc.). You must go to [http://home.mistborn](http://home.mistborn) to complete the authentication process. ![Mistborn Multi Factor Authentication](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa1.png)*Mistborn Multi Factor Authentication Prompt* @@ -294,7 +299,7 @@ Mistborn service access is blocked via traefik until Mistborn authentication is - **Sessions**: Traefik checks the authenticated sessions on the server side to determine whether to allow access to the Mistborn service web pages. If an open session exists for your Mistborn IP address then access will be granted. You may close all sessions by clicking "Sign Out" on the Mistborn home page. Expired sessions are regularly cleaned by the Mistborn system (celery periodic task). # Mistborn Subdomains -Mistborn uses the following domains (that can be reached by all Wireguard clients): +Mistborn uses the following domains (that can be reached by all WireGuard clients): | Service | Domain | Default Status | | ------- | ------ | -------------- | @@ -328,14 +333,14 @@ These are the default credentials to use in the services you choose to use: You can find the credentials sent to the Docker containers in: `/opt/mistborn/.envs/.production/` # Gateway Setup -Mistborn will generate the Wireguard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand: +Mistborn will generate the WireGuard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand: ## Gateway Requirements -- Wireguard (you can consult the Mistborn Wireguard installer: `mistborn/scripts/subinstallers/wireguard.sh`) -- Openresolv (a Wireguard dependency that is also installed via the Mistborn Wireguard installer) +- WireGuard (you can consult the Mistborn WireGuard installer: `mistborn/scripts/subinstallers/wireguard.sh`) +- Openresolv (a WireGuard dependency that is also installed via the Mistborn WireGuard installer) - Fail2ban -## Install Gateway Wireguard config file +## Install Gateway WireGuard config file On Mistborn: - Click `View Config` on the Gateways tab in Mistborn - Highlight the config @@ -347,15 +352,15 @@ On Gateway: - Run `sudo systemctl enable wg-quick@gateway` # Phones and Mobile Devices -All your devices can be connected to Mistborn as Wireguard clients. +All your devices can be connected to Mistborn as WireGuard clients. First steps: -1. Device: Download the Wireguard app on your device. Links: [Android](https://play.google.com/store/apps/details?id=com.wireguard.android) [Apple](https://apps.apple.com/us/app/wireguard/id1441195209) -1. Mistborn: Create a Wireguard profile for the device. -1. Device: Scan Wireguard client QR code in Wireguard app. -1. Device: Enable Wireguard connection. +1. Device: Download the WireGuard app on your device. Links: [Android](https://play.google.com/store/apps/details?id=com.wireguard.android) [Apple](https://apps.apple.com/us/app/wireguard/id1441195209) +1. Mistborn: Create a WireGuard profile for the device. +1. Device: Scan WireGuard client QR code in WireGuard app. +1. Device: Enable WireGuard connection. -All of you device network traffic is now being routed through Wireguard. Ads and malicious sites are blocked by pihole. DNS queries are verified via DNScrypt. +All of you device network traffic is now being routed through WireGuard. Ads and malicious sites are blocked by pihole. DNS queries are verified via DNScrypt. But wait, there's more! You can: - visit the [Mistborn web interface](http://home.mistborn) through your phone's browser. @@ -374,7 +379,7 @@ But wait, there's more! You can: | Rocket.Chat | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android) | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252) | ## TLS Certificate -Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings. This certificate is checked every day and will be re-generated when expiration is less than 30 days away. +Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over WireGuard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings. This certificate is checked every day and will be re-generated when expiration is less than 30 days away. The TLS certificate can be found here: ``` @@ -384,7 +389,7 @@ The TLS certificate can be found here: # FAQ Frequently Asked Questions -## Where is My Data? +## Where is my data? The Docker services mount volumes located in: ``` @@ -401,11 +406,11 @@ Your data from Nextcloud, Syncthing, Bitwarden, etc. will be located there. ## How do I SSH into Mistborn? If Mistborn is installed via SSH then an iptables rule is added allowing external SSH connections from the same source IP address only. If Mistborn was installed locally then no external SSH is permitted. -SSH is permitted from any device connected to Mistborn by Wireguard. +SSH is permitted from any device connected to Mistborn by WireGuard. Password authentication in enabled. Fail2ban blocks IPs with excessive failed login attempts. -You can SSH using the Mistborn domain when connected by Wireguard: +You can SSH using the Mistborn domain when connected by WireGuard: ``` ssh user@home.mistborn ``` @@ -426,9 +431,38 @@ services: The available options are here: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md +## How do I purge an extra service/start fresh? + +This is a manual process for the foreseeable future because it is destructive and cannot be undone. In order to purge an extra service do the following: + +- Stop and disable the service + +This can be done from the Mistborn GUI or: + +``` +sudo systemctl stop Mistborn- +sudo systemctl disable Mistborn- +``` + +- Remove the data folder + +Locate the correct folder: `sudo ls -ahl /opt/mistborn_volumes/extra/` + +**Be careful:** +Now remove the folder: `sudo rm -r /opt/mistborn_volumes/extra/` + +- Remove the variables file + +Locate the file: `sudo ls -ahl /opt/mistborn/.envs/.production/` + +**Be careful:** +Now remove the file: `sudo rm /opt/mistborn/.envs/.production/.` + +Now you can restart the service from the GUI or manually and it should be a first run experience. + # Troubleshooting -Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so there's usually no need to bother with TLS certs (WebRTC functionality and some mobile apps require TLS so it is available). Here are some things to check if you have issues: +Once you're connected to WireGuard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). WireGuard is the encrypted channel so there's usually no need to bother with TLS certs (WebRTC functionality and some mobile apps require TLS so it is available). Here are some things to check if you have issues: Check if you can ping an external IP address: ``` @@ -460,18 +494,18 @@ Mistborn-base is a systemd process and at any time restarting it should get you sudo systemctl restart Mistborn-base ``` -The Wireguard processes run independently of Mistborn and will still be up if Mistborn is down. You can check running Wireguard interfaces with: +The WireGuard processes run independently of Mistborn and will still be up if Mistborn is down. You can check running WireGuard interfaces with: ``` sudo wg show ``` -Note the Mistborn naming convention for Wireguard interfaces on the server is wg. So if the particular Wireguard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf` +Note the Mistborn naming convention for WireGuard interfaces on the server is wg. So if the particular WireGuard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf` The `dev/` folder contains a script for completing a hard reset: destroying and rebuilding the system from the original backup: ``` sudo ./dev/rebuild.sh ``` -## Troubleshooting Wireguard +## Troubleshooting WireGuard Ensure that your public IP address in your client profile (e.g. `Endpoint = :`) is actually publicly available (not in 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) if you are attempting to access Mistborn across the internet. ## Troubleshooting Extra Services @@ -505,13 +539,13 @@ sudo systemctl restart docker ## Troubleshooting Upgrade from Ubuntu 18.04 to 20.04 New installations of 18.04 and 20.04 after 25 April 2020 don't seem to be having issues. If you installed Mistborn on Ubuntu 18.04 prior to 25 April 2020 and then upgrade to 20.04 you may have one minor issue described below. -Owing to changes in docker NAT rules and container DNS resolution, some Wireguard client configurations generated with Mistborn before 25 April 2020 (be sure to update Mistborn) may experience issues after upgrading to Ubuntu 20.04 LTS. Symptoms: can ping but can't resolve DNS. +Owing to changes in docker NAT rules and container DNS resolution, some WireGuard client configurations generated with Mistborn before 25 April 2020 (be sure to update Mistborn) may experience issues after upgrading to Ubuntu 20.04 LTS. Symptoms: can ping but can't resolve DNS. -Solution: Edit the Wireguard client config and set the DNS directive as follows: +Solution: Edit the WireGuard client config and set the DNS directive as follows: ``` DNS = 10.2.3.1 ``` -Close the config and restart the client Wireguard process. +Close the config and restart the client WireGuard process. ## Troubleshooting Raspberry Pi OS (Raspbian) Be sure to always reboot after updating the kernel. When the kernel is updated the kernel modules are deleted (for the currently running kernel) and you will have issues with any function requiring kernel modules (e.g. `iptables` or `wireguard`). @@ -519,7 +553,7 @@ Be sure to always reboot after updating the kernel. When the kernel is updated t **Note**: The Raspberry Pi OS 64-bit BETA (versions from May 2020 and prior) have a bug where the os-release info indicates that it is Debian. Mistborn proceeds to install as though it were Debian. Since it's not Debian there are errors. ## Troubleshooting Debian 10 -Run updates and restart before installing Mistborn (`sudo apt-get update && sudo apt-get -y dist-upgrade && sudo shutdown -r now`). Some older Linux kernels will prevent newer Wireguard versions from installing. +Run updates and restart before installing Mistborn (`sudo apt-get update && sudo apt-get -y dist-upgrade && sudo shutdown -r now`). Some older Linux kernels will prevent newer WireGuard versions from installing. # Technical and Security Insights These are some notes regarding the technical design and implementations of Mistborn. Feel free to contact me for additional details. @@ -528,15 +562,15 @@ These are some notes regarding the technical design and implementations of Mistb See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki entry. -- **Wireguard**: Wireguard is the only way in to Mistborn. When new Wireguard profiles are generated they are attached to a random UDP port. Wireguard does not respond to unauthenticated traffic. External probes on the active Wireguard listening ports are not logged and do not appear on the Metrics page. -- **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the Wireguard tunnels) is allowed. Password authentication is allowed. The SSH key for the `mistborn` user is only accepted from internal source IP addresses. Fail2ban is also installed. -- **Traefik**: Iptables closes web ports (TCP 80 and 443) from external access and additonally all web interfaces are behind the Traefik reverse-proxy. All web requests (e.g. home.mistborn) must be resolved by Mistborn DNS (Pihole/dnsmasq) and originate from a Wireguard tunnel. +- **WireGuard**: WireGuard is the only way in to Mistborn. When new WireGuard profiles are generated they are attached to a random UDP port. WireGuard does not respond to unauthenticated traffic. External probes on the active WireGuard listening ports are not logged and do not appear on the Metrics page. +- **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the WireGuard tunnels) is allowed. Password authentication is allowed. The SSH key for the `mistborn` user is only accepted from internal source IP addresses. Fail2ban is also installed. +- **Traefik**: Iptables closes web ports (TCP 80 and 443) from external access and additonally all web interfaces are behind the Traefik reverse-proxy. All web requests (e.g. home.mistborn) must be resolved by Mistborn DNS (Pihole/dnsmasq) and originate from a WireGuard tunnel. - **Docker**: When Docker exposes a port it creates a PREROUTING rule in the NAT table to catch eligible network requests. This means that even if your INPUT chain policy is DROP, your docker containers with exposed ports can receive and respond to traffic. Whenever Mistborn brings up a docker container with an exposed port it creates an iptables rule to block external traffic to that service. ## Firewall - **IPtables**: Iptables rules and chains are manipulated directly. If UFW is present it is disabled. IPtables-persistent is used to save a simple set of secure default rules (most importantly setting the INPUT and FORWARD policies to DROP and allowing ESTABLISHED and RELATED traffic) that will be effective immediately upon system startup. Additional rules and chains are created by Docker on startup. Mistborn also creates some iptables chains during installation that are saved in the persistent rules. Mistborn iptables chains and rules are designed to work with Docker's with logic that is easy to follow. A power cycle will always result in a working state. -- **PostUp/PostDown**: Wireguard configuration files on Mistborn include PostUp and PostDown directives that set routes and iptables rules for each Wireguard client individually. -- **Wireguard**: There is a one-to-one mapping between each Wireguard client and server instance listening on Mistborn. By default Wireguard clients cannot talk directly to each other but can use shared services and resources on Mistborn (e.g. Syncthing, Nextcloud, Jitisi, etc). Toggling the "client-to-client" option will enable direct client-to-client communication. +- **PostUp/PostDown**: WireGuard configuration files on Mistborn include PostUp and PostDown directives that set routes and iptables rules for each WireGuard client individually. +- **WireGuard**: There is a one-to-one mapping between each WireGuard client and server instance listening on Mistborn. By default WireGuard clients cannot talk directly to each other but can use shared services and resources on Mistborn (e.g. Syncthing, Nextcloud, Jitisi, etc). Toggling the "client-to-client" option will enable direct client-to-client communication. - **Metrics**: In addition to the iptables INPUT policy set to DROP, an iptables chain exists that logs the packet meta data before dropping it. Mistborn redirects packets that will be dropped to this chain instead. A summary of the data about these dropped packets (unsolicited network traffic) can be found on the Metrics page. - **Coppercloud**: Coppercloud works by populating ipsets with the ipset module in iptables to DROP (blacklist) or ACCEPT (whitelist) a given set of IP addresses. Upon system startup a celery task will compile the IP addresses, create the ipsets, and iptables rules. diff --git a/scripts/subinstallers/docker.sh b/scripts/subinstallers/docker.sh index cdc83fa..516a93c 100755 --- a/scripts/subinstallers/docker.sh +++ b/scripts/subinstallers/docker.sh @@ -6,7 +6,18 @@ figlet "Mistborn: Installing Docker" sudo apt update sudo -E apt install -y python python3-pip python3-setuptools libffi-dev python3-dev libssl-dev -if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then +# Ubuntu version >= 20.04 + +set +e +vercomp "$VERSION_ID" "19.10" +case $? in + 0) op='=';; + 1) op='>';; + 2) op='<';; +esac +set -e + +if [ "$DISTRO" == "ubuntu" ] && [ "$op" == ">" ]; then echo "Automated Docker install" sudo -E apt-get install -y docker-compose else diff --git a/scripts/subinstallers/docker_raspbian.sh b/scripts/subinstallers/docker_raspbian.sh index 8ecda9c..c5e3e71 100755 --- a/scripts/subinstallers/docker_raspbian.sh +++ b/scripts/subinstallers/docker_raspbian.sh @@ -42,3 +42,5 @@ if [ $? -eq 0 ]; then sudo dpkg -i libseccomp2_2.5.1-1_$(dpkg --print-architecture).deb popd fi + +set -e \ No newline at end of file diff --git a/scripts/subinstallers/platform.sh b/scripts/subinstallers/platform.sh index a619a95..2db71b4 100755 --- a/scripts/subinstallers/platform.sh +++ b/scripts/subinstallers/platform.sh @@ -15,3 +15,39 @@ fi figlet "UNAME: $UNAME" figlet "DISTRO: $DISTRO" figlet "VERSION: $VERSION_ID" + + +vercomp () { + # case $? in + # 0) op='=';; + # 1) op='>';; + # 2) op='<';; + if [[ $1 == $2 ]] + then + return 0 + fi + local IFS=. + local i ver1=($1) ver2=($2) + # fill empty fields in ver1 with zeros + for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)) + do + ver1[i]=0 + done + for ((i=0; i<${#ver1[@]}; i++)) + do + if [[ -z ${ver2[i]} ]] + then + # fill empty fields in ver2 with zeros + ver2[i]=0 + fi + if ((10#${ver1[i]} > 10#${ver2[i]})) + then + return 1 + fi + if ((10#${ver1[i]} < 10#${ver2[i]})) + then + return 2 + fi + done + return 0 +} \ No newline at end of file From 8be216c0e6a4ce892e5fba150a90519df29bbba7 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 15 Jul 2021 02:47:29 +0000 Subject: [PATCH 21/21] Resolve "extra services" --- scripts/services/homeassistant/init.sh | 54 ++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100755 scripts/services/homeassistant/init.sh diff --git a/scripts/services/homeassistant/init.sh b/scripts/services/homeassistant/init.sh new file mode 100755 index 0000000..5c68fc6 --- /dev/null +++ b/scripts/services/homeassistant/init.sh @@ -0,0 +1,54 @@ +#!/bin/bash + +HASS_CONFIG="/opt/mistborn_volumes/extra/homeassistant/config/configuration.yaml" + +if [[ -f "$HASS_CONFIG" ]]; then + # configuration.yaml exists + + if [[ ! -z $(grep "use_x_forwarded_for: true" "$HASS_CONFIG") ]]; then + # FOUND + exit 0; + fi + +# add the proxy config +# write the trusted proxies config +cat >> ${HASS_CONFIG}<< EOF + +http: + use_x_forwarded_for: true + trusted_proxies: + - 172.16.0.0/12 + +EOF + +exit 0; + +fi + +# create parent directory if needed +PARENTDIR="$(dirname $HASS_CONFIG)" +if [[ ! -d "$PARENTDIR" ]]; then + mkdir -p $PARENTDIR +fi + +# write the trusted proxies config +cat >> ${HASS_CONFIG}<< EOF + +# Configure a default setup of Home Assistant (frontend, api, etc) +default_config: + +# Text to speech +#tts: +# - platform: google_translate + +#group: !include groups.yaml +#automation: !include automations.yaml +#script: !include scripts.yaml +#scene: !include scenes.yaml + +http: + use_x_forwarded_for: true + trusted_proxies: + - 172.16.0.0/12 + +EOF