Merge branch '215-sast' into 'master'

Resolve "Static Code Analysis" Closes #215 See merge request cyber5k/mistborn!96
Resolve "Static Code Analysis"
83 changed files with 2631 additions and 333 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -13,6 +13,7 @@ stages:
 include:
  - template: Code-Quality.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
 docker_build:
  stage: test
--- a/README.md
+++ b/README.md
@ -1,7 +1,7 @@
 # Mistborn
-A secure platform for easily standing up and managing your own cloud services: including firewall, ad-blocking, and multi-factor Wireguard VPN access
+A secure platform for easily standing up and managing your own cloud services: including firewall, ad-blocking, and multi-factor WireGuard VPN access
-![Mistborn Wireguard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*Wireguard Management in Mistborn*
+![Mistborn WireGuard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*WireGuard Management in Mistborn*
 As featured in [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) (Linux Pro Magazine in North America) in November 2020
@ -13,13 +13,15 @@ As featured in [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/M
 # What is Mistborn
 The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-original-trilogy) is inspired by a type of powerful Allomancer in Brandon Sanderson's Cosmere.
-Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free public WiFi networks. We needed a way to secure all family devices with a solid VPN (Wireguard). Once we had that we wanted to control DNS to block ads to all devices and block malicious websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding more services so I made that easy to do.
+Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free public WiFi networks. We needed a way to secure all family devices with a solid VPN (WireGuard). Once we had that we wanted to control DNS to block ads to all devices and block malicious websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding more services so I made that easy to do.
 As a [Certified Information Systems Security Professional (CISSP)](https://www.credly.com/badges/ebcb76f2-1e82-4079-9ea3-b507ffbd1d15/public_url) and an [Offensive Security Certified Professional (OSCP)](https://www.credly.com/badges/b93c44ec-3af5-48e8-9a33-b64365b70c61/public_url), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights).
 Ideal for teams who:
 - hate internet ads
 - need to be protected from malicious internet domains
 - need to collaborate securely
- need multi-factor authentication for Wireguard
+- need multi-factor authentication for WireGuard
 - want to retain sole ownership of their data
 - want to easily grant and revoke access to people and devices via a simple web interface
 - want secure internet access wherever they are
@ -30,7 +32,7 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/
 Mistborn depends on these core open source technologies:
 - [Docker](https://www.docker.com/why-docker): containerization
- [Wireguard](https://www.wireguard.com): secure VPN access
+- [WireGuard](https://www.wireguard.com): secure VPN access
 - [SSH](https://www.openssh.com): secure remote management
 These tools are not vital to Mistborn itself but are integrated to enhance security, ease, and features:
@ -40,6 +42,10 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur
 - [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered
 - [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy
 These tools can be turned on from the Mistborn Security Operations Center:
 - [Wazuh](https://wazuh.com/): Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
 - [Suricata](https://suricata-ids.org/): Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
 Within Mistborn is a panel to enable and manage these free extra services (off by default), locally hosted in Docker containers:
 - [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first
 - [Nextcloud](https://nextcloud.com): Nextcloud offers the industry-leading, on-premises content collaboration platform. It combines the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs.
@ -50,13 +56,15 @@ Within Mistborn is a panel to enable and manage these free extra services (off b
 - [Jellyfin](https://jellyfin.org): The Free Media Software System.
 - [Tor](https://www.torproject.org): The Onion Router. One tool in the arsenal of online security and privacy.
 - [Jitsi](https://jitsi.org): Multi-platform open-source video conferencing
 - [Guacamole](https://guacamole.apache.org): A clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH.
 - [RaspAP](https://raspap.com/): The easiest, full-featured wireless router setup for Debian-based devices. Period. (Mistborn integration in alpha testing).
 # Quickstart
 Tested Operating Systems (in order of thoroughness):
 - Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
+- Debian 11 (Bullseye)
 - Debian 10 (Buster)
 - Raspberry Pi OS (formerly Raspbian) Buster
 - Formerly tested and may still work: Ubuntu 18.04 LTS, Debian 10 (Buster)
 **Note:** Install operating system updates and restart. Raspberry Pi OS particularly needs to be restarted after kernel updates (kernel modules for the currently running kernel may be missing).
@ -69,17 +77,18 @@ The Mistborn docker images exist for these architectures:
 | Mistborn Docker Images (hub.docker.com)        | Architectures       |
 |------------------------------------------------|---------------------|
-| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, arm/v7 |
+| mistborn (django, celery{worker,beat})         | amd64, arm64, arm/v7 |
 | dnscrypt-proxy                                 | amd64, arm64, arm/v7 |
 Recommended System Specifications:
 | Use Case               | Description                                                                   | RAM   | Hard Disk |
 |------------------------|-------------------------------------------------------------------------------|-------|-----------|
-| Bare bones             | Wireguard, Pihole (no Cockpit, no extra services)                             | 2 GB  | 15 GB     |
+| Bare bones             | WireGuard, Pihole (no Cockpit, no extra services)                             | 2 GB  | 15 GB     |
 | Default                | Bare bones + Cockpit                                                          | 2 GB+ | 15 GB     |
 | Low-resource services  | Default + Bitwarden, Tor, Syncthing                                           | 4 GB  | 20 GB     |
 | High-resource services | Default + Jitsi, Nextcloud, Jellyfin, Rocket.Chat, Home Assistant, OnlyOffice | 6 GB+ | 25 GB+    |
 | SIEM                   | Default + Wazuh + Extras                                                      | 16 GB+ | 100 GB+   |
 Starting from base installation
 ```
@ -87,26 +96,45 @@ git clone https://gitlab.com/cyber5k/mistborn.git
 sudo -E bash ./mistborn/scripts/install.sh
 ```
-Get default admin Wireguard profile
+Get default admin WireGuard profile
 *wait 1 minute after "Mistborn Installed" message*
 ```
 sudo mistborn-cli getconf 
 ```
-Connect via Wireguard then visit `http://home.mistborn`
+Connect via WireGuard then visit `http://home.mistborn`
-For more information, see the `Installation` section below.
+For more information, see the [Installation](#installation) section below.
 # Network Diagram
 ![Mistborn Network Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mistborn_network.png)
 Mistborn protects your data in a variety of ways:
- All of your devices are protected wherever they go with the Wireguard VPN protocol
+- All of your devices are protected wherever they go with the WireGuard VPN protocol
 - The Mistborn firewall blocks unsolicited incoming internet packets
 - Pi-hole running on Mistborn blocks outgoing internet requests to configurable blocked domains (ads, malicious/phishing domains, etc.) 
 See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see more network diagrams and the network scan results for Mistborn.
 # Status
 ![Mistborn Home](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home_status.png)
 The home page receives WireGuard status updates from the server via WebSocket connections. Superusers receive detailed updates about all connections and profiles. Regular users see details about their own devices.
 # Security Information & Event Management (SIEM)
 ![Mistborn Security Center](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_soc.png)
 The Mistborn Security Operations Center provides SIEM services with Wazuh. The Wazuh Manager requires an Open Distro for Elasticsearch backend. When the Mistborn host has >8 GB RAM the provided Elasticsearch backend can be used. Just click "Start Wazuh" on the `Security Center` page and enjoy your Enterprise-grade SIEM. Wazuh agents can be installed on just about any OS and all Wazuh agent traffic is communicated over the WireGuard connections. Instructions for adding endpoint agents can be found within Wazuh itself.
 Mistborn's Wazuh installs and integrates with Suricata running on Mistborn with logs ingested into Wazuh.
 ![Mistborn Security Center: Wazuh Modules](https://gitlab.com/cyber5k/public/-/raw/master/graphics/wazuh_modules.png)
 The Wazuh Kibana plugin leverages the power of Elasticsearch:
 ![Mistborn Security Center: Wazuh Dashboard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/wazuh_se_dashboard.png)
 # Coppercloud
 Pihole provides a way to block outgoing DNS requests for given lists of blocked domains. Coppercloud provides a way to block outgoing network calls of all types to given lists of IP addresses (IPv4 only for now). This is especially useful for blocking outgoing telemetry (data and state sharing) to owners of software running on all of your devices.
@ -121,19 +149,28 @@ We were getting frustrated at being forced to choose between being connected to
 *Netflix blocking my connections that it sees coming from a DigitalOcean droplet*
-In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home (Raspberry Pi with `wireguard` and `openresolv` installed) and with our Mistborn on DigitalOcean, all Wireguard profiles created with this Gateway will appear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible).
+In Mistborn, Gateways are upstream from the VPN server so connections to third-party services (e.g. Netflix, Hulu, etc.) will appear to be coming from the public IP address of the Gateway. I setup a Gateway at home (Raspberry Pi with `wireguard` and `openresolv` installed) and with our Mistborn on DigitalOcean, all WireGuard profiles created with this Gateway will appear to be coming from my house and are not blocked. No port-forwarding required (assuming Mistborn is publicly accessible).
 ![Mistborn Gateway Diagram](https://gitlab.com/cyber5k/public/-/raw/master/graphics/gateway_network.png)
 The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads.
 # Remote Desktop
 Remote desktops enable multiple users to share desktop resources and data. Remote desktops also enable groups to prevent sensitive data from ever entering an endpoint devices such as a smartphone. For reference, some United States Government regulations require controls to protect Controlled Unclassified Information (CUI) that are not feasible to implement on all endpoint devices and remote desktops prevent the data from entering the device (see NIST SP 800-171 3.1.19, CMMC AC.3.022).
 Mistborn enables remote desktop access via the Apache Guacamole extra service, which supports VNC, RDP, SSH, and other protocols. 
 ![Guacamole Recent Connections](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_connections.png)
 Guacamole implements its own users and groups access controls to manage access to individual desktops. All Mistborn users must be authenticated with Mistborn (via WireGuard only or MFA) to access the Guacamole interface.
 # Client to client communication
 By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle.
 ![System Settings](https://gitlab.com/cyber5k/public/-/raw/master/graphics/system_settings_dropdown.png)
 # Installation
-Mistborn is regularly tested on Ubuntu 20.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). Make sure to install OS updates and restart before installing Mistborn (Wireguard installs differently on recent kernels).
+Mistborn is regularly tested on Ubuntu 20.04 LTS (DigitalOcean droplet with 2 GB RAM). It has also been successfully used on Debian Buster and Raspbian Buster systems (though not regularly tested). Make sure to install OS updates and restart before installing Mistborn (WireGuard installs differently on recent kernels).
 Clone the git repository and run the install script:
 ```
@ -148,7 +185,7 @@ Running `install.sh` will do the following:
 - install iptables-persistent
 - install Docker
 - install OpenSSH
- install Wireguard
+- install WireGuard
 - install Cockpit (optional)
 - create a `cockpit` system user (if Cockpit is installed)
 - configure unattended-upgrades
@ -176,23 +213,23 @@ sudo -E bash -c "source ./mistborn/scripts/noninteractive/.install_barebones &&
 ```
 # Post-Installation
-When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser `admin` along with an accompanying default Wireguard configuration file and start the Wireguard service. You can watch all of this happen with:
+When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser `admin` along with an accompanying default WireGuard configuration file and start the WireGuard service. You can watch all of this happen with:
 ```
 sudo journalctl -xfu Mistborn-base
 ```
-The default Wireguard configuration file for `admin` may be obtained via:
+The default WireGuard configuration file for `admin` may be obtained via:
 ```
 sudo mistborn-cli getconf 
 ```
-Please notice that the following lines are **NOT** part of the Wireguard config:
+Please notice that the following lines are **NOT** part of the WireGuard config:
 ```
 Starting mistborn_production_postgres ... done
 Starting mistborn_production_redis    ... done
 PostgreSQL is available
 ```
-The Wireguard config will look like this:
+The WireGuard config will look like this:
 ```
 # "10.15.91.2" - WireGuard Client Profile
 [Interface]
@ -214,18 +251,18 @@ AllowedIPs = 0.0.0.0/0,::/0
 Endpoint = <Mistborn public IP address>:39207
 ```
-## Login via Wireguard
+## Login via WireGuard
-[Install wireguard](https://www.wireguard.com/install/) on your computer. If you get a `resolvconf: command not found` error when starting Wireguard then install openresolv: `sudo apt-get install -y openresolv`
+[Install wireguard](https://www.wireguard.com/install/) on your computer. If you get a `resolvconf: command not found` error when starting WireGuard then install openresolv: `sudo apt-get install -y openresolv`
- Copy the text of the default admin Wireguard config to `/etc/wireguard/wg_admin.conf` on your computer
+- Copy the text of the default admin WireGuard config to `/etc/wireguard/wg_admin.conf` on your computer
 - Run `sudo systemctl start wg-quick@wg_admin`
 - Run `sudo systemctl enable wg-quick@wg_admin`
 - Open your browser and go to "http://home.mistborn"
 - Browse your Mistborn system!
 **Note:** The home.mistborn server takes a minute to come up after Mistborn is up (collectstatic on all that frontend JavaScript and CSS)
-## Wireguard Management
+## WireGuard Management
-Mistborn users can be added (non-privileged or superuser) and removed by superusers. Multiple Wireguard profiles can be created for each user. A non-privileged user can create profiles for themselves.
+Mistborn users can be added (non-privileged or superuser) and removed by superusers. Multiple WireGuard profiles can be created for each user. A non-privileged user can create profiles for themselves.
-![Mistborn Wireguard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*Wireguard Management in Mistborn*
+![Mistborn WireGuard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_wireguard_.png)*WireGuard Management in Mistborn*
 ## Extra Services
 Mistborn makes extra services available.
@ -240,11 +277,11 @@ There are multiple ways to authenticate and use the system.
 ![Mistborn Multi Factor Authentication - Authenticator App Setup](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_qr.png)*Mistborn Multi Factor Authentication - Authenticator App Setup*
-## Profile: Wireguard Authentication
+## Profile: WireGuard Authentication
-Mistborn always authenticates with Wireguard. You must have a valid Wireguard configuration file associated with the correct internal IP address. A classic Mistborn profile (Wireguard Only) will allow you to access the internet and all services hosted by Mistborn once you have connected via Wireguard. Note: individual services may require passwords or additional authentication.
+Mistborn always authenticates with WireGuard. You must have a valid WireGuard configuration file associated with the correct internal IP address. A classic Mistborn profile (WireGuard Only) will allow you to access the internet and all services hosted by Mistborn once you have connected via WireGuard. Note: individual services may require passwords or additional authentication.
 ## Profile: Multi Factor Authentication (MFA)
-In addition to Wireguard, you may create a Mistborn profile enabling multi-factor authentication (MFA). You must first connect to Mistborn via Wireguard. Then all internet traffic will route you to the Mistborn webserver where you must first setup and thereafter authenticate with an app (Google Authenticator, Authy, etc.). You must go to [http://home.mistborn](http://home.mistborn) to complete the authentication process.
+In addition to WireGuard, you may create a Mistborn profile enabling multi-factor authentication (MFA). You must first connect to Mistborn via WireGuard. Then all internet traffic will route you to the Mistborn webserver where you must first setup and thereafter authenticate with an app (Google Authenticator, Authy, etc.). You must go to [http://home.mistborn](http://home.mistborn) to complete the authentication process.
 ![Mistborn Multi Factor Authentication](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa1.png)*Mistborn Multi Factor Authentication Prompt*
@ -262,7 +299,7 @@ Mistborn service access is blocked via traefik until Mistborn authentication is
 - **Sessions**: Traefik checks the authenticated sessions on the server side to determine whether to allow access to the Mistborn service web pages. If an open session exists for your Mistborn IP address then access will be granted. You may close all sessions by clicking "Sign Out" on the Mistborn home page. Expired sessions are regularly cleaned by the Mistborn system (celery periodic task).
 # Mistborn Subdomains
-Mistborn uses the following domains (that can be reached by all Wireguard clients):
+Mistborn uses the following domains (that can be reached by all WireGuard clients):
 | Service | Domain | Default Status |
 | ------- | ------ | -------------- |
@ -277,6 +314,9 @@ Mistborn uses the following domains (that can be reached by all Wireguard client
 | Syncthing | syncthing.mistborn | Off |
 | OnlyOffice | onlyoffice.mistborn | Off |
 | Jitsi | jitsi.mistborn | Off |
 | Guacamole | guac.mistborn | Off |
 | RaspAP | raspap.mistborn | Off |
 | Wazuh | wazuh.mistborn | Off |
 # Default Credentials
 These are the default credentials to use in the services you choose to use:
@ -285,19 +325,22 @@ These are the default credentials to use in the services you choose to use:
 | ------- | -------- | -------- |
 | Pihole |  | {{default mistborn password}} |
 | Cockpit | cockpit | {{default mistborn password}} |
 | Wazuh | mistborn | {{default mistborn password}} |
 | Nextcloud | mistborn | {{default mistborn password}} |
 | Guacamole | mistborn | {{default mistborn password }} |
 | RaspAP | mistborn | {{default mistborn password}} |
 You can find the credentials sent to the Docker containers in: `/opt/mistborn/.envs/.production/`
 # Gateway Setup
-Mistborn will generate the Wireguard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand:
+Mistborn will generate the WireGuard configuration script for the Gateway. From a base Ubuntu/Debian/Raspbian operating system the following packages are recommended to be installed beforehand:
 ## Gateway Requirements
- Wireguard (you can consult the Mistborn Wireguard installer: `mistborn/scripts/subinstallers/wireguard.sh`)
+- WireGuard (you can consult the Mistborn WireGuard installer: `mistborn/scripts/subinstallers/wireguard.sh`)
- Openresolv (a Wireguard dependency that is also installed via the Mistborn Wireguard installer)
+- Openresolv (a WireGuard dependency that is also installed via the Mistborn WireGuard installer)
 - Fail2ban
-## Install Gateway Wireguard config file
+## Install Gateway WireGuard config file
 On Mistborn:
 - Click `View Config` on the Gateways tab in Mistborn
 - Highlight the config
@ -309,15 +352,15 @@ On Gateway:
 - Run `sudo systemctl enable wg-quick@gateway`
 # Phones and Mobile Devices
-All your devices can be connected to Mistborn as Wireguard clients.
+All your devices can be connected to Mistborn as WireGuard clients.
 First steps:
-1. Device: Download the Wireguard app on your device. Links: [Android](https://play.google.com/store/apps/details?id=com.wireguard.android) [Apple](https://apps.apple.com/us/app/wireguard/id1441195209)
+1. Device: Download the WireGuard app on your device. Links: [Android](https://play.google.com/store/apps/details?id=com.wireguard.android) [Apple](https://apps.apple.com/us/app/wireguard/id1441195209)
-1. Mistborn: Create a Wireguard profile for the device.
+1. Mistborn: Create a WireGuard profile for the device.
-1. Device: Scan Wireguard client QR code in Wireguard app.
+1. Device: Scan WireGuard client QR code in WireGuard app.
-1. Device: Enable Wireguard connection.
+1. Device: Enable WireGuard connection.
-All of you device network traffic is now being routed through Wireguard. Ads and malicious sites are blocked by pihole. DNS queries are verified via DNScrypt.
+All of you device network traffic is now being routed through WireGuard. Ads and malicious sites are blocked by pihole. DNS queries are verified via DNScrypt.
 But wait, there's more! You can:
 - visit the [Mistborn web interface](http://home.mistborn) through your phone's browser. 
@ -332,11 +375,11 @@ But wait, there's more! You can:
 | Jitsi Meet     | [Jitsi Meet](https://play.google.com/store/apps/details?id=org.jitsi.meet)                         | [Jitsi Meet](https://apps.apple.com/us/app/jitsi-meet/id1165103905)                |
 | Bitwarden      | [Bitwarden](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden)                     | [Bitwarden](https://apps.apple.com/us/app/bitwarden-password-manager/id1137397744) |
 | Jellyfin       | [Jellyfin](https://play.google.com/store/apps/details?id=org.jellyfin.mobile)                      | [Jellyfin](https://apps.apple.com/us/app/jellyfin-mobile/id1480192618)             |
-| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) |                                                                                    |
+| Home Assistant | [Home Assistant](https://play.google.com/store/apps/details?id=io.homeassistant.companion.android) | [Home Assistant](https://apps.apple.com/us/app/home-assistant/id1099568401)                                                                                   |
 | Rocket.Chat    | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android)                   | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252)              |
 ## TLS Certificate
-Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings. This certificate is checked every day and will be re-generated when expiration is less than 30 days away.
+Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over WireGuard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings. This certificate is checked every day and will be re-generated when expiration is less than 30 days away.
 The TLS certificate can be found here:
 ```
@ -346,7 +389,7 @@ The TLS certificate can be found here:
 # FAQ
 Frequently Asked Questions
-## Where is My Data?
+## Where is my data?
 The Docker services mount volumes located in:
 ```
@ -363,11 +406,11 @@ Your data from Nextcloud, Syncthing, Bitwarden, etc. will be located there.
 ## How do I SSH into Mistborn?
 If Mistborn is installed via SSH then an iptables rule is added allowing external SSH connections from the same source IP address only. If Mistborn was installed locally then no external SSH is permitted.
-SSH is permitted from any device connected to Mistborn by Wireguard.
+SSH is permitted from any device connected to Mistborn by WireGuard.
 Password authentication in enabled. Fail2ban blocks IPs with excessive failed login attempts.
-You can SSH using the Mistborn domain when connected by Wireguard:
+You can SSH using the Mistborn domain when connected by WireGuard:
 ```
 ssh user@home.mistborn
 ```
@ -388,9 +431,38 @@ services:
 The available options are here: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md
 ## How do I purge an extra service/start fresh?
 This is a manual process for the foreseeable future because it is destructive and cannot be undone. In order to purge an extra service do the following:
 - Stop and disable the service
 This can be done from the Mistborn GUI or:
 ```
 sudo systemctl stop Mistborn-<service name>
 sudo systemctl disable Mistborn-<service name>
 ```
 - Remove the data folder
 Locate the correct folder: `sudo ls -ahl /opt/mistborn_volumes/extra/`
 **Be careful:**
 Now remove the folder: `sudo rm -r /opt/mistborn_volumes/extra/<service name>`
 - Remove the variables file
 Locate the file: `sudo ls -ahl /opt/mistborn/.envs/.production/`
 **Be careful:**
 Now remove the file: `sudo rm /opt/mistborn/.envs/.production/.<service name>`
 Now you can restart the service from the GUI or manually and it should be a first run experience.
 # Troubleshooting
-Once you're connected to Wireguard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). Wireguard is the encrypted channel so there's usually no need to bother with TLS certs (WebRTC functionality and some mobile apps require TLS so it is available). Here are some things to check if you have issues:
+Once you're connected to WireGuard you should see .mistborn domains and the internet should work as expected. Be sure to use http (http://home.mistborn). WireGuard is the encrypted channel so there's usually no need to bother with TLS certs (WebRTC functionality and some mobile apps require TLS so it is available). Here are some things to check if you have issues:
 Check if you can ping an external IP address:
 ```
@ -422,18 +494,18 @@ Mistborn-base is a systemd process and at any time restarting it should get you
 sudo systemctl restart Mistborn-base
 ```
-The Wireguard processes run independently of Mistborn and will still be up if Mistborn is down. You can check running Wireguard interfaces with:
+The WireGuard processes run independently of Mistborn and will still be up if Mistborn is down. You can check running WireGuard interfaces with:
 ```
 sudo wg show
 ```
-Note the Mistborn naming convention for Wireguard interfaces on the server is wg<listening port>. So if the particular Wireguard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf`
+Note the Mistborn naming convention for WireGuard interfaces on the server is wg<listening port>. So if the particular WireGuard process is listening on UDP port 56392 then the interface will be named wg56392 and the config will be in `/etc/wireguard/wg56392.conf`
 The `dev/` folder contains a script for completing a hard reset: destroying and rebuilding the system from the original backup:
 ```
 sudo ./dev/rebuild.sh
 ```
-## Troubleshooting Wireguard
+## Troubleshooting WireGuard
 Ensure that your public IP address in your client profile (e.g. `Endpoint = <Mistborn public IP address>:<random port>`) is actually publicly available (not in 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) if you are attempting to access Mistborn across the internet.
 ## Troubleshooting Extra Services
@ -445,9 +517,12 @@ sudo journalctl -xfu Mistborn-syncthing
 sudo journalctl -xfu Mistborn-jellyfin
 sudo journalctl -xfu Mistborn-nextcloud
 sudo journalctl -xfu Mistborn-jitsi
 sudo journalctl -xfu Mistborn-guacamole
 sudo journalctl -xfu Mistborn-rocketchat
 sudo journalctl -xfu Mistborn-onlyoffice
 sudo journalctl -xfu Mistborn-tor
 sudo journalctl -xfu Mistborn-raspap
 sudo journalctl -xfu Mistborn-wazuh
 ```
 ## Troubleshooting Docker
@ -464,13 +539,13 @@ sudo systemctl restart docker
 ## Troubleshooting Upgrade from Ubuntu 18.04 to 20.04
 New installations of 18.04 and 20.04 after 25 April 2020 don't seem to be having issues. If you installed Mistborn on Ubuntu 18.04 prior to 25 April 2020 and then upgrade to 20.04 you may have one minor issue described below.
-Owing to changes in docker NAT rules and container DNS resolution, some Wireguard client configurations generated with Mistborn before 25 April 2020 (be sure to update Mistborn) may experience issues after upgrading to Ubuntu 20.04 LTS. Symptoms: can ping but can't resolve DNS.
+Owing to changes in docker NAT rules and container DNS resolution, some WireGuard client configurations generated with Mistborn before 25 April 2020 (be sure to update Mistborn) may experience issues after upgrading to Ubuntu 20.04 LTS. Symptoms: can ping but can't resolve DNS.
-Solution: Edit the Wireguard client config and set the DNS directive as follows:
+Solution: Edit the WireGuard client config and set the DNS directive as follows:
 ```
 DNS = 10.2.3.1
 ```
-Close the config and restart the client Wireguard process.
+Close the config and restart the client WireGuard process.
 ## Troubleshooting Raspberry Pi OS (Raspbian)
 Be sure to always reboot after updating the kernel. When the kernel is updated the kernel modules are deleted (for the currently running kernel) and you will have issues with any function requiring kernel modules (e.g. `iptables` or `wireguard`).
@ -478,7 +553,7 @@ Be sure to always reboot after updating the kernel. When the kernel is updated t
 **Note**: The Raspberry Pi OS 64-bit BETA (versions from May 2020 and prior) have a bug where the os-release info indicates that it is Debian. Mistborn proceeds to install as though it were Debian. Since it's not Debian there are errors.
 ## Troubleshooting Debian 10
-Run updates and restart before installing Mistborn (`sudo apt-get update && sudo apt-get -y dist-upgrade && sudo shutdown -r now`). Some older Linux kernels will prevent newer Wireguard versions from installing.
+Run updates and restart before installing Mistborn (`sudo apt-get update && sudo apt-get -y dist-upgrade && sudo shutdown -r now`). Some older Linux kernels will prevent newer WireGuard versions from installing.
 # Technical and Security Insights
 These are some notes regarding the technical design and implementations of Mistborn. Feel free to contact me for additional details.
@ -487,15 +562,15 @@ These are some notes regarding the technical design and implementations of Mistb
 See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki entry.
- **Wireguard**: Wireguard is the only way in to Mistborn. When new Wireguard profiles are generated they are attached to a random UDP port. Wireguard does not respond to unauthenticated traffic. External probes on the active Wireguard listening ports are not logged and do not appear on the Metrics page.
+- **WireGuard**: WireGuard is the only way in to Mistborn. When new WireGuard profiles are generated they are attached to a random UDP port. WireGuard does not respond to unauthenticated traffic. External probes on the active WireGuard listening ports are not logged and do not appear on the Metrics page.
- **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the Wireguard tunnels) is allowed. Password authentication is allowed. The SSH key for the `mistborn` user is only accepted from internal source IP addresses. Fail2ban is also installed.
+- **SSH**: If Mistborn is installed over SSH (most common) then an iptables rule is added allowing future SSH connections from the same source IP address. All other external SSH is blocked. Internal SSH (over the WireGuard tunnels) is allowed. Password authentication is allowed. The SSH key for the `mistborn` user is only accepted from internal source IP addresses. Fail2ban is also installed.
- **Traefik**: Iptables closes web ports (TCP 80 and 443) from external access and additonally all web interfaces are behind the Traefik reverse-proxy. All web requests (e.g. home.mistborn) must be resolved by Mistborn DNS (Pihole/dnsmasq) and originate from a Wireguard tunnel.
+- **Traefik**: Iptables closes web ports (TCP 80 and 443) from external access and additonally all web interfaces are behind the Traefik reverse-proxy. All web requests (e.g. home.mistborn) must be resolved by Mistborn DNS (Pihole/dnsmasq) and originate from a WireGuard tunnel.
 - **Docker**: When Docker exposes a port it creates a PREROUTING rule in the NAT table to catch eligible network requests. This means that even if your INPUT chain policy is DROP, your docker containers with exposed ports can receive and respond to traffic. Whenever Mistborn brings up a docker container with an exposed port it creates an iptables rule to block external traffic to that service. 
 ## Firewall
 - **IPtables**: Iptables rules and chains are manipulated directly. If UFW is present it is disabled. IPtables-persistent is used to save a simple set of secure default rules (most importantly setting the INPUT and FORWARD policies to DROP and allowing ESTABLISHED and RELATED traffic) that will be effective immediately upon system startup. Additional rules and chains are created by Docker on startup. Mistborn also creates some iptables chains during installation that are saved in the persistent rules. Mistborn iptables chains and rules are designed to work with Docker's with logic that is easy to follow. A power cycle will always result in a working state.
- **PostUp/PostDown**: Wireguard configuration files on Mistborn include PostUp and PostDown directives that set routes and iptables rules for each Wireguard client individually.
+- **PostUp/PostDown**: WireGuard configuration files on Mistborn include PostUp and PostDown directives that set routes and iptables rules for each WireGuard client individually.
- **Wireguard**: There is a one-to-one mapping between each Wireguard client and server instance listening on Mistborn. By default Wireguard clients cannot talk directly to each other but can use shared services and resources on Mistborn (e.g. Syncthing, Nextcloud, Jitisi, etc). Toggling the "client-to-client" option will enable direct client-to-client communication.
+- **WireGuard**: There is a one-to-one mapping between each WireGuard client and server instance listening on Mistborn. By default WireGuard clients cannot talk directly to each other but can use shared services and resources on Mistborn (e.g. Syncthing, Nextcloud, Jitisi, etc). Toggling the "client-to-client" option will enable direct client-to-client communication.
 - **Metrics**: In addition to the iptables INPUT policy set to DROP, an iptables chain exists that logs the packet meta data before dropping it. Mistborn redirects packets that will be dropped to this chain instead. A summary of the data about these dropped packets (unsolicited network traffic) can be found on the Metrics page.
 - **Coppercloud**: Coppercloud works by populating ipsets with the ipset module in iptables to DROP (blacklist) or ACCEPT (whitelist) a given set of IP addresses. Upon system startup a celery task will compile the IP addresses, create the ipsets, and iptables rules.
@ -505,6 +580,7 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/
 - The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days.
 - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked.
 - Unattended upgrades are set to automatically install operating system security updates.
 - Ownership of mistborn files is set to the system mistborn user and access to environment variables is disabled for users other than the owner.
 # Roadmap (not necessarily in order)
 Many features and refinements are in the works at various stages including:
@ -512,14 +588,13 @@ Many features and refinements are in the works at various stages including:
 - Plugins for Extra Services (enabling third-party development)
 - Plugin repository
 - IPv6 support
 - Integration with RaspAP to enable managing an Access Point for local network connections
 - Internal network scan tool and feedback
 - Anomaly detection in network traffic
 # Featured In
 - [Linux Magazine](https://www.linux-magazine.com/Issues/2020/240/Mistborn/(language)/eng-US) November 2020 (featuring Mistborn version from early May 2020)
- [Awesome Open Source](https://www.youtube.com/watch?v=hekP0_crotw) July 2020 (featuring Mistborn version from early July 2020)
+- [Awesome Open Source](https://www.youtube.com/watch?v=hekP0_crotw) July 2020
 - [DB Tech](https://www.youtube.com/watch?v=UE_OuAOgoZI) May 2021
 # Follow
 You can find recent bugfixes, functional additions, some extra documentation and more at the Cyber5K Patreon page: [https://www.patreon.com/cyber5k](https://www.patreon.com/cyber5k)
@ -531,6 +606,7 @@ Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com)
 # Support Mistborn
 Please consider supporting the project via:
 - [Patreon](https://www.patreon.com/cyber5k)
 - [Paypal.me](https://paypal.me/cyber5k)
 - [Buy me a drink](https://www.buymeacoffee.com/cyber5k)
- [Patreon](https://www.patreon.com/cyber5k)
+- Bitcoin: `3Lqxc1vpndN3TGi9cipNHg1RgXxGxVDdZo`
--- a/base.yml
+++ b/base.yml
@ -13,7 +13,7 @@ services:
      - postgres
      - redis
    ports:
-      - "10.2.3.1:5000:5000/tcp" # auth access
+      - "${MISTBORN_DNS_BIND_IP}:5000:5000/tcp" # auth access
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.django-http.rule=Host(`home.mistborn`)"
@ -51,11 +51,10 @@ services:
    #  context: .
    #  dockerfile: ./compose/production/traefik/Dockerfile
    #image: mistborn_production_traefik
-    image: traefik:v2.2
+    image: traefik:v2.4.9
    container_name: mistborn_production_traefik
    depends_on:
      - django
      - redis
    volumes:
      #- production_traefik:/etc/traefik/acme
      - ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro
@ -85,6 +84,40 @@ services:
      #- --serversTransport.insecureSkipVerify=true
    restart: unless-stopped
  portal:
    build:
      context: ./compose/production/portal/
      dockerfile: Dockerfile
    image: mistborn_production_portal
    container_name: mistborn_production_portal
    ports:
      - "${MISTBORN_DNS_BIND_IP}:5001:80"
    environment:
      - SERVER_REDIRECT=home.mistborn
    # optionally define path to redirect all requests
    # if not set nginx var $request_uri is used
      - SERVER_REDIRECT_PATH=/
    # optionally define schema to redirect all requests
    # if not set but X-Forwarded-Proto is send as request header with value 'https' this will be used.
    # In all other cases nginx var `$scheme` is used
    #- SERVER_REDIRECT_SCHEME=https
    # optionally define the http code to use for redirection
    # allowed Codes are: 301, 302, 303, 307, 308, default is 301
    #- SERVER_REDIRECT_CODE=301
    # optionally define the http code to redirect POST requests
    # if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used
    #- SERVER_REDIRECT_POST_CODE=
    # optionally define the http code to redirect PUT, PATCH and DELETE requests
    # if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used
    #- SERVER_REDIRECT_PUT_PATCH_DELETE_CODE=
    # optionally define the location for the nginx access log
    # if not set /dev/stdout is used
    #- SERVER_ACCESS_LOG=/dev/null
    # optionally define the location for the nginx error log
    # if not set /dev/stderr is used
    #- SERVER_ERROR_LOG=/dev/null
    restart: unless-stopped
  redis:
    image: redis:5.0
    container_name: mistborn_production_redis
@ -145,22 +178,23 @@ services:
    command: /start-celerybeat
    restart: unless-stopped
-  # flower:
+
-  #   image: "cyber5k/mistborn:${MISTBORN_TAG}"
+  #flower:
-  #   container_name: mistborn_production_flower
+  #  image: "cyber5k/mistborn:${MISTBORN_TAG}"
-  #   env_file:
+  #  container_name: mistborn_production_flower
-  #     - ./.envs/.production/.django
+  #  env_file:
-  #     - ./.envs/.production/.postgres
+  #    - ./.envs/.production/.django
-  #   ports:
+  #    - ./.envs/.production/.postgres
-  #     - "5555:5555/tcp"
+  #  ports:
-  #   command: /start-flower
+  #    - "5555:5555/tcp"
-  #   restart: unless-stopped
+  #  command: /start-flower
  #  restart: unless-stopped
  pihole:
   container_name: mistborn_production_pihole
-   image: pihole/pihole:v5.5.1
+   image: pihole/pihole:v5.8
   env_file:
-     - /opt/mistborn_volumes/base/base.txt
+     - ./.envs/.production/.pihole
   ports:
     - "${MISTBORN_DNS_BIND_IP}:53:53/tcp"
     - "${MISTBORN_DNS_BIND_IP}:53:53/udp"
@ -168,22 +202,22 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)"
      - "traefik.http.routers.pihole-http.entrypoints=web"
-      - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file,add-pihole-admin"
      - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)"
      - "traefik.http.routers.pihole-https.entrypoints=websecure"
-      - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file,add-pihole-admin"
      - "traefik.http.routers.pihole-https.tls.certresolver=basic"
      - "traefik.http.middlewares.add-pihole-admin.addPrefix.prefix=/admin"
      - "traefik.http.services.pihole-service.loadbalancer.server.port=80"
   environment:
     - ServerIP=10.2.0.3
-     - DNS1='10.2.0.2#5054' # docs say port 5054, was 54; use network_mode: host to see which port is used
+     - PIHOLE_DNS_=10.2.0.2#5054
-     - DNS2=''
+     #- DNS1='10.2.0.2#5054' # docs say port 5054, was 54; use network_mode: host to see which port is used
     #- DNS2=''
     - IPv6='false'
     - DNSMASQ_LISTENING=all
   #  TZ: 'America/New York'
   # Volumes store your data between container upgrades
   env_file:
     - ./.envs/.production/.pihole
   volumes:
     - ../mistborn_volumes/base/pihole/etc-pihole:/etc/pihole/
     - ../mistborn_volumes/base/pihole/etc-dnsmasqd:/etc/dnsmasq.d/
@ -204,7 +238,7 @@ services:
     - DNSCRYPT_LISTEN_PORT=5054
     # resolvers: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md
     #- DNSCRYPT_SERVER_NAMES=['scaleway-fr','google','yandex','cloudflare'] 
-     - DNSCRYPT_SERVER_NAMES=['cloudflare']
+     - DNSCRYPT_SERVER_NAMES=['cloudflare','dnswarden-doh1','dnswarden-doh2','dnswarden-doh3','adguard-dns-doh']
    networks:
      pihole_net:
        ipv4_address: 10.2.0.2
--- a/compose/production/portal/Dockerfile
+++ b/compose/production/portal/Dockerfile
@ -0,0 +1,8 @@
 FROM nginx:1.21.1-alpine
 ADD run.sh /run.sh
 ADD default.conf /etc/nginx/conf.d/default.conf
 RUN chmod +x /run.sh
 CMD ["/run.sh"]
--- a/compose/production/portal/default.conf
+++ b/compose/production/portal/default.conf
@ -0,0 +1,29 @@
 map $http_x_forwarded_proto $redirect_scheme {
    default $scheme;
    https https;
 }
 server {
    listen       80;
    listen       [::]:80;
    server_name  ${SERVER_NAME};
    # cherry picked from https://github.com/schmunk42/docker-nginx-redirect/pull/8
    if ($request_method = POST) {
        return ${SERVER_REDIRECT_POST_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
    }
    if ($request_method ~ PUT|PATCH|DELETE) {
        return ${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
    }
    return ${SERVER_REDIRECT_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
 }
--- a/compose/production/portal/run.sh
+++ b/compose/production/portal/run.sh
@ -0,0 +1,54 @@
 #!/usr/bin/env sh
 if [ ! -n "$SERVER_REDIRECT" ] ; then
    echo "Environment variable SERVER_REDIRECT is not set, exiting."
    exit 1
 fi
 # set server name from optional ENV var
 if [ ! -n "$SERVER_NAME" ] ; then
    SERVER_NAME='localhost'
 fi
 # set redirect code from optional ENV var
 # allowed Status Codes are: 301, 302, 303, 307, 308
 expr match "$SERVER_REDIRECT_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_CODE='301'
 # set redirect code from optional ENV var for POST requests
 expr match "$SERVER_REDIRECT_POST_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_POST_CODE=$SERVER_REDIRECT_CODE
 # set redirect code from optional ENV var for PUT, PATCH and DELETE requests
 expr match "$SERVER_REDIRECT_PUT_PATCH_DELETE_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_PUT_PATCH_DELETE_CODE=$SERVER_REDIRECT_CODE
 # set redirect path from optional ENV var
 if [ ! -n "$SERVER_REDIRECT_PATH" ] ; then
    SERVER_REDIRECT_PATH='$request_uri'
 fi
 # set redirect scheme from optional ENV var
 if [ ! -n "$SERVER_REDIRECT_SCHEME" ] ; then
    SERVER_REDIRECT_SCHEME='$redirect_scheme'
 fi
 # set access log location from optional ENV var
 if [ ! -n "$SERVER_ACCESS_LOG" ] ; then
    SERVER_ACCESS_LOG='/dev/stdout'
 fi
 # set error log location from optional ENV var
 if [ ! -n "$SERVER_ERROR_LOG" ] ; then
    SERVER_ERROR_LOG='/dev/stderr'
 fi
 sed -i "s|\${SERVER_REDIRECT}|${SERVER_REDIRECT}|" /etc/nginx/conf.d/default.conf
 sed -i "s|\${SERVER_NAME}|${SERVER_NAME}|" /etc/nginx/conf.d/default.conf
 sed -i "s|\${SERVER_REDIRECT_CODE}|${SERVER_REDIRECT_CODE}|" /etc/nginx/conf.d/default.conf
 sed -i "s|\${SERVER_REDIRECT_POST_CODE}|${SERVER_REDIRECT_POST_CODE}|" /etc/nginx/conf.d/default.conf
 sed -i "s|\${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE}|${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE}|" /etc/nginx/conf.d/default.conf
 sed -i "s|\${SERVER_REDIRECT_PATH}|${SERVER_REDIRECT_PATH}|" /etc/nginx/conf.d/default.conf
 sed -i "s|\${SERVER_REDIRECT_SCHEME}|${SERVER_REDIRECT_SCHEME}|" /etc/nginx/conf.d/default.conf
 ln -sfT "$SERVER_ACCESS_LOG" /var/log/nginx/access.log
 ln -sfT "$SERVER_ERROR_LOG" /var/log/nginx/error.log
 exec nginx -g 'daemon off;'
--- a/compose/production/tor/Dockerfile
+++ b/compose/production/tor/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.14.0
 RUN apk update \
 && apk upgrade \
--- a/compose/production/traefik/Dockerfile
+++ b/compose/production/traefik/Dockerfile
@ -1,4 +1,4 @@
-FROM traefik:v2.2
+FROM traefik:v2.4.9
 RUN mkdir -p /etc/traefik/acme
 RUN touch /etc/traefik/acme/acme.json
 RUN chmod 600 /etc/traefik/acme/acme.json
--- a/compose/production/traefik/dynamic.toml
+++ b/compose/production/traefik/dynamic.toml
@ -8,21 +8,17 @@
  [tls.options.default]
    minVersion = "VersionTLS12"
-[providers.redis]
+[http.services]
-  endpoints = ["127.0.0.1:6379"]
+  [http.services.cockpit.loadBalancer]
-  rootKey = "traefik"
+    [[http.services.cockpit.loadBalancer.servers]]
      url = "http://10.2.3.1:9090"
-#[http.services]
+[http.routers]
-#  [http.services.cockpit.loadBalancer]
+  [http.routers.cockpit]
-#    [[http.services.cockpit.loadBalancer.servers]]
+    rule = "Host(`cockpit.mistborn`)"
-#      url = "http://10.2.3.1:9090"
+    service = "cockpit"
-#
+    entrypoints = ["web", "websecure"]
-#[http.routers]
+    middlewares = ["mistborn_auth"]
 #  [http.routers.cockpit]
 #    rule = "Host(`cockpit.mistborn`)"
 #    service = "cockpit"
 #    entrypoints = ["web", "websecure"]
 #    middlewares = ["mistborn_auth"]
 [http.middlewares]
  [http.middlewares.mistborn_auth.forwardAuth]
@ -32,4 +28,4 @@
      insecureSkipVerify = true
  [http.middlewares.mistborn_headers.headers]
-    hostsProxyHeaders = ['X-CSRFToken']
+    hostsProxyHeaders = ['X-CSRFToken']
--- a/extra/bitwarden.yml
+++ b/extra/bitwarden.yml
@ -0,0 +1,28 @@
 version: '3'
 services:  
  bitwarden:
    image: vaultwarden/server:latest
    container_name: mistborn_production_bitwarden
    env_file:
      - ../.envs/.production/.bitwarden
    volumes:
      - ../../mistborn_volumes/extra/bitwarden:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bitwarden-http.rule=Host(`bitwarden.mistborn`)"
      - "traefik.http.routers.bitwarden-http.entrypoints=web"
      - "traefik.http.routers.bitwarden-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.bitwarden-https.rule=Host(`bitwarden.mistborn`)"
      - "traefik.http.routers.bitwarden-https.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.bitwarden-https.tls.certresolver=basic"
      - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
    ports:
      - "${MISTBORN_BIND_IP}:3012:3012/tcp"
    restart: unless-stopped
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/elasticsearch.yml
+++ b/extra/elasticsearch.yml
@ -0,0 +1,30 @@
 version: '3.7'
 services:
  elasticsearch:
    image: amazon/opendistro-for-elasticsearch:1.13.2
    hostname: elasticsearch
    restart: unless-stopped
    ports:
      - "${MISTBORN_BIND_IP}:9200:9200"
    environment:
      - discovery.type=single-node
      - cluster.name=mistborn-cluster
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - bootstrap.memory_lock=true
    volumes:
      - ../../mistborn_volumes/extra/elasticsearch/init/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/guacamole.yml
+++ b/extra/guacamole.yml
@ -0,0 +1,72 @@
 version: '3'
 # services
 services:
  # guacd
  guacd:
    container_name: mistborn_production_guacd
    image: guacamole/guacd:1.3.0
    networks:
      guacnetwork:
    restart: unless-stopped
    volumes:
    - ../../mistborn_volumes/extra/guacamole/drive:/drive:rw
    - ../../mistborn_volumes/extra/guacamole/record:/record:rw
  # postgres
  guac_postgres:
    container_name: mistborn_production_guac_postgres
    env_file:
    - ../.envs/.production/.guacamole
    environment:
      PGDATA: /var/lib/postgresql/data/guacamole
    image: postgres
    networks:
      guacnetwork:
    restart: unless-stopped
    volumes:
    - ../../mistborn_volumes/extra/guacamole/init:/docker-entrypoint-initdb.d:ro
    - ../../mistborn_volumes/extra/guacamole/data:/var/lib/postgresql/data:rw
  # guacamole
  guacamole:
    container_name: mistborn_production_guacamole
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)"
    - "traefik.http.routers.guacamole-http.entrypoints=web"
    - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole"
    - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)"
    - "traefik.http.routers.guacamole-https.entrypoints=websecure"
    - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole"
    - "traefik.http.routers.guacamole-https.tls.certresolver=basic"
    - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole"
    - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080"
    depends_on:
    - guacd
    - guac_postgres
    environment:
      GUACD_HOSTNAME: guacd
      GUACD_PORT: 4822
      #GUACAMOLE_HOME: /config
    env_file:
    - ../.envs/.production/.guacamole
    image: guacamole/guacamole:1.3.0
    links:
    - guacd
    networks:
      guacnetwork:
    #ports:
 ## enable next line if not using nginx
 ##    - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /.
 ## enable next line when using nginx
    #- 8080/tcp
    restart: unless-stopped
 # networks
 # create a network 'guacnetwork' in mode 'bridged'
 networks:
  guacnetwork:
    driver: bridge
--- a/extra/homeassistant.yml
+++ b/extra/homeassistant.yml
@ -0,0 +1,26 @@
 version: '3'
 services:
  homeassistant:
    container_name: mistborn_production_home_assistant 
    image: homeassistant/home-assistant:stable
    volumes:
      - ../../mistborn_volumes/extra/homeassistant/config:/config
    environment:
      - TZ=America/New_York
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homeassistant-http.rule=Host(`homeassistant.mistborn`)"
      - "traefik.http.routers.homeassistant-http.entrypoints=web"
      - "traefik.http.routers.homeassistant-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.homeassistant-https.rule=Host(`homeassistant.mistborn`)"
      - "traefik.http.routers.homeassistant-https.entrypoints=websecure"
      - "traefik.http.routers.homeassistant-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.homeassistant-https.tls.certresolver=basic"
      - "traefik.http.services.homeassistant-service.loadbalancer.server.port=8123"
    restart: unless-stopped 
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/jellyfin.yml
+++ b/extra/jellyfin.yml
@ -0,0 +1,30 @@
 version: '3'
 volumes:
  production_jellyfin_config: {}
  production_jellyfin_cache: {}
 services:  
  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: mistborn_production_jellyfin
    volumes:
      - production_jellyfin_config:/config
      - production_jellyfin_cache:/cache
      - ../../mistborn_volumes/extra/nextcloud:/media:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin-http.rule=Host(`jellyfin.mistborn`)"
      - "traefik.http.routers.jellyfin-http.entrypoints=web"
      - "traefik.http.routers.jellyfin-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.jellyfin-https.rule=Host(`jellyfin.mistborn`)"
      - "traefik.http.routers.jellyfin-https.entrypoints=websecure"
      - "traefik.http.routers.jellyfin-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.jellyfin-https.tls.certresolver=basic"
      - "traefik.http.services.jellyfin-service.loadbalancer.server.port=8096"
    restart: unless-stopped
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/jitsi-meet.yml
+++ b/extra/jitsi-meet.yml
@ -0,0 +1,255 @@
 version: '3'
 services:
    # Frontend
    jitsi-web:
        image: jitsi/web:latest
        restart: unless-stopped
        #ports:
            #- '${HTTP_PORT}:80'
            #- '${HTTPS_PORT}:443'
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.jitsi-http.rule=Host(`jitsi.mistborn`)"
            - "traefik.http.routers.jitsi-http.entrypoints=web"
            - "traefik.http.routers.jitsi-http.middlewares=mistborn_auth@file"
            - "traefik.http.routers.jitsi-https.rule=Host(`jitsi.mistborn`)"
            - "traefik.http.routers.jitsi-https.entrypoints=websecure"
            - "traefik.http.routers.jitsi-https.middlewares=mistborn_auth@file"
            - "traefik.http.routers.jitsi-https.tls.certresolver=basic"
            - "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}"
        volumes:
            - ${CONFIG}/web:/config:Z
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_XMPP_WEBSOCKET
            - DISABLE_HTTPS
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - LETSENCRYPT_USE_STAGING
            - PUBLIC_URL
            - TZ
            - AMPLITUDE_ID
            - ANALYTICS_SCRIPT_URLS
            - ANALYTICS_WHITELISTED_EVENTS
            - BRIDGE_CHANNEL
            - BRANDING_DATA_URL
            - CALLSTATS_CUSTOM_SCRIPT_URL
            - CALLSTATS_ID
            - CALLSTATS_SECRET
            - CHROME_EXTENSION_BANNER_JSON
            - CONFCODE_URL
            - CONFIG_EXTERNAL_CONNECT
            - DEPLOYMENTINFO_ENVIRONMENT
            - DEPLOYMENTINFO_ENVIRONMENT_TYPE
            - DEPLOYMENTINFO_USERREGION
            - DIALIN_NUMBERS_URL
            - DIALOUT_AUTH_URL
            - DIALOUT_CODES_URL
            - DROPBOX_APPKEY
            - DROPBOX_REDIRECT_URI
            - ENABLE_AUDIO_PROCESSING
            - ENABLE_AUTH
            - ENABLE_CALENDAR
            - ENABLE_FILE_RECORDING_SERVICE
            - ENABLE_FILE_RECORDING_SERVICE_SHARING
            - ENABLE_GUESTS
            - ENABLE_IPV6
            - ENABLE_LIPSYNC
            - ENABLE_NO_AUDIO_DETECTION
            - ENABLE_P2P
            - ENABLE_PREJOIN_PAGE
            - ENABLE_RECORDING
            - ENABLE_REMB
            - ENABLE_REQUIRE_DISPLAY_NAME
            - ENABLE_SIMULCAST
            - ENABLE_STATS_ID
            - ENABLE_STEREO
            - ENABLE_SUBDOMAINS
            - ENABLE_TALK_WHILE_MUTED
            - ENABLE_TCC
            - ENABLE_TRANSCRIPTIONS
            - ETHERPAD_PUBLIC_URL
            - ETHERPAD_URL_BASE
            - GOOGLE_ANALYTICS_ID
            - GOOGLE_API_APP_CLIENT_ID
            - INVITE_SERVICE_URL
            - JICOFO_AUTH_USER
            - MATOMO_ENDPOINT
            - MATOMO_SITE_ID
            - MICROSOFT_API_APP_CLIENT_ID
            - NGINX_RESOLVER
            - NGINX_WORKER_PROCESSES
            - NGINX_WORKER_CONNECTIONS
            - PEOPLE_SEARCH_URL
            - RESOLUTION
            - RESOLUTION_MIN
            - RESOLUTION_WIDTH
            - RESOLUTION_WIDTH_MIN
            - START_AUDIO_ONLY
            - START_AUDIO_MUTED
            - START_BITRATE
            - START_VIDEO_MUTED
            - TESTING_CAP_SCREENSHARE_BITRATE
            - TESTING_OCTO_PROBABILITY
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - TOKEN_AUTH_URL
        networks:
            default:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}
    # XMPP server
    jitsi-prosody:
        image: jitsi/prosody:latest
        restart: unless-stopped
        expose:
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody/config:/config:Z
            - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LOBBY
            - ENABLE_XMPP_WEBSOCKET
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - XMPP_CROSS_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - PUBLIC_URL
            - TZ
        networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_SERVER}
    # Focus component
    jitsi-jicofo:
        image: jitsi/jicofo:latest
        restart: unless-stopped
        volumes:
            - ${CONFIG}/jicofo:/config:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIGASI_SIP_URI
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        depends_on:
            - jitsi-prosody
        networks:
            meet.jitsi:
    # Video bridge
    jitsi-jvb:
        image: jitsi/jvb:latest
        restart: unless-stopped
        ports:
            - "${MISTBORN_BIND_IP}:${JVB_PORT}:${JVB_PORT}/udp"
            - "${MISTBORN_BIND_IP}:${JVB_TCP_PORT}:${JVB_TCP_PORT}"
        volumes:
            - ${CONFIG}/jvb:/config:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_TCP_MAPPED_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - JVB_WS_DOMAIN
            - JVB_WS_SERVER_ID
            - PUBLIC_URL
            - TZ
        depends_on:
            - jitsi-prosody
        networks:
            meet.jitsi:
                aliases:
                    - jvb.meet.jitsi
 # Custom network so all services can communicate using a FQDN
 networks:
    default:
      external:
        name: mistborn_default
    meet.jitsi:
--- a/extra/nextcloud.yml
+++ b/extra/nextcloud.yml
@ -0,0 +1,29 @@
 version: '3'
 services:  
  nextcloud:
    image: nextcloud
    container_name: mistborn_production_nextcloud
    env_file:
      - ../.envs/.production/.postgres
      - ../.envs/.production/.nextcloud
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.mistborn`)"
      - "traefik.http.routers.nextcloud-http.entrypoints=web"
      - "traefik.http.routers.nextcloud-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.mistborn`)"
      - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.nextcloud-https.tls.certresolver=basic"
      - "traefik.http.services.nextcloud-service.loadbalancer.server.port=80"
    volumes:
      - ../../mistborn_volumes/extra/nextcloud:/var/www/html
    environment:
      - VIRTUAL_HOST=nextcloud.mistborn
    restart: unless-stopped
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/onlyoffice.yml
+++ b/extra/onlyoffice.yml
@ -0,0 +1,27 @@
 version: '3'
 services:
  onlyoffice:
    container_name: mistborn_production_onlyoffice
    image: onlyoffice/documentserver:latest
    volumes:
      - ../../mistborn_volumes/extra/onlyoffice/logs:/var/log/onlyoffice
      - ../../mistborn_volumes/extra/onlyoffice/cache:/var/lib/onlyoffice
    env_file:
      - ../.envs/.production/.onlyoffice
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.onlyoffice-http.rule=Host(`onlyoffice.mistborn`)"
      - "traefik.http.routers.onlyoffice-http.entrypoints=web"
      - "traefik.http.routers.onlyoffice-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.onlyoffice-https.rule=Host(`onlyoffice.mistborn`)"
      - "traefik.http.routers.onlyoffice-https.entrypoints=websecure"
      - "traefik.http.routers.onlyoffice-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.onlyoffice-https.tls.certresolver=basic"
      - "traefik.http.services.onlyoffice-service.loadbalancer.server.port=80"
    restart: unless-stopped 
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/raspap.yml
+++ b/extra/raspap.yml
@ -0,0 +1,33 @@
 version: '3'
 services:
  raspap:
    image: "cyber5k/raspap:${MISTBORN_TAG}"
    container_name: mistborn_production_raspap
    #network_mode: host
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)"
      - "traefik.http.routers.raspap-http.entrypoints=web"
      - "traefik.http.routers.raspap-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.raspap-https.rule=Host(`raspap.mistborn`)"
      - "traefik.http.routers.raspap-https.entrypoints=websecure"
      - "traefik.http.routers.raspap-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.raspap-https.tls.certresolver=basic"
      - "traefik.http.services.raspap-service.loadbalancer.server.port=80"
    env_file:
      - ../.envs/.production/.raspap
    cap_add:
      #- NET_ADMIN
      - SYS_ADMIN
      #- CAP_FOWNER
    privileged: true
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    #command: /start
    restart: unless-stopped
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/rocketchat.yml
+++ b/extra/rocketchat.yml
@ -0,0 +1,72 @@
 version: '3'
 services:
  # rocketchat
  rocketchat:
    image: rocket.chat:latest
    container_name: mistborn_production_rocketchat
    command: bash -c 'for i in `seq 1 30`; do node main.js && s=$$? && break || s=$$?; echo "Tried $$i times. Waiting 5 secs..."; sleep 5; done; (exit $$s)'
    restart: unless-stopped
    volumes:
      - ../../mistborn_volumes/extra/rocketchat/uploads:/app/uploads
    environment:
      - PORT=3000
      - ROOT_URL=http://chat.mistborn
      - MONGO_URL=mongodb://mongo:27017/rocketchat
      - MONGO_OPLOG_URL=mongodb://mongo:27017/local
      - Accounts_UseDNSDomainCheck=False
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.chat-http.rule=Host(`chat.mistborn`)"
      - "traefik.http.routers.chat-http.entrypoints=web"
      - "traefik.http.routers.chat-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.chat-https.rule=Host(`chat.mistborn`)"
      - "traefik.http.routers.chat-https.entrypoints=websecure"
      - "traefik.http.routers.chat-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.chat-https.tls.certresolver=basic"
      - "traefik.http.services.chat-service.loadbalancer.server.port=3000"
    depends_on:
      - mongo
    #ports:
    #  - 3000:3000
  mongo:
    image: mongo:4.0
    container_name: mistborn_production_rocketchat_mongo
    restart: unless-stopped
    volumes:
     - ../../mistborn_volumes/extra/rocketchat/data/db:/data/db
     - ../../mistborn_volumes/extra/rocketchat/data/dump:/dump
    command: mongod --smallfiles --oplogSize 128 --replSet rs0 --storageEngine=mmapv1
  # this container's job is just run the command to initialize the replica set.
  # it will run the command and remove himself (it will not stay running)
  mongo-init-replica:
    image: mongo
    command: 'bash -c "for i in `seq 1 30`; do mongo mongo/rocketchat --eval \"rs.initiate({ _id: ''rs0'', members: [ { _id: 0, host: ''localhost:27017'' } ]})\" && s=$$? && break || s=$$?; echo \"Tried $$i times. Waiting 5 secs...\"; sleep 5; done; (exit $$s)"'
    depends_on:
      - mongo
  # hubot, the popular chatbot (add the bot user first and change the password before starting this image)
  hubot:
    image: rocketchat/hubot-rocketchat:latest
    container_name: mistborn_production_rocketchat_hubot
    restart: unless-stopped
    environment:
      - ROCKETCHAT_URL=chat.mistborn #:3000
      # you can add more scripts as you'd like here, they need to be installable by npm
      - EXTERNAL_SCRIPTS=hubot-help,hubot-seen,hubot-links,hubot-diagnostics
    env_file:
      - ../.envs/.production/.rocketchat
    depends_on:
      - rocketchat
    volumes:
      - ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts
  # this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier
    ports:
      - "${MISTBORN_BIND_IP}:3001:8080/tcp"
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/syncthing.yml
+++ b/extra/syncthing.yml
@ -0,0 +1,35 @@
 version: '3'
 services:
  syncthing:
    image: linuxserver/syncthing:latest
    container_name: mistborn_production_syncthing
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Amereica/New_York
      - UMASK_SET=022
    volumes:
      - ../../mistborn_volumes/extra/syncthing/config:/config
      - ../../mistborn_volumes/extra/syncthing/data1:/data1
      - ../../mistborn_volumes/extra/syncthing/data2:/data2
    ports:
      #- 8384:8384
      - "${MISTBORN_BIND_IP}:22000:22000/tcp" # listening port
      - "${MISTBORN_BIND_IP}:21027:21027/udp" # protocol discovery
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.mistborn`)"
      - "traefik.http.routers.syncthing-http.entrypoints=web"
      - "traefik.http.routers.syncthing-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.mistborn`)"
      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
      - "traefik.http.routers.syncthing-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.syncthing-https.tls.certresolver=basic"
      - "traefik.http.services.syncthing-service.loadbalancer.server.port=8384"
    restart: unless-stopped
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/tor.yml
+++ b/extra/tor.yml
@ -0,0 +1,16 @@
 version: '3'
 services:
  tor-client:
    build:
      context: ../compose/production/tor
      dockerfile: ./Dockerfile
    image: mistborn_production_tor
    container_name: mistborn_production_tor
    ports:
      - "${MISTBORN_BIND_IP}:9150:9150/tcp"
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/wazuh.yml
+++ b/extra/wazuh.yml
@ -0,0 +1,70 @@
 # Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 version: '3.7'
 services:
  wazuh:
    image: wazuh/wazuh-odfe:4.1.5
    hostname: wazuh-manager
    restart: unless-stopped
    ports:
      - "${MISTBORN_BIND_IP}:1514:1514"
      - "${MISTBORN_BIND_IP}:1515:1515"
      - "${MISTBORN_BIND_IP}:514:514/udp"
      - "${MISTBORN_BIND_IP}:55000:55000"
    environment:
      - FILEBEAT_SSL_VERIFICATION_MODE=none
    env_file:
      - ../.envs/.production/.wazuh
    volumes:
      - ossec_api_configuration:/var/ossec/api/configuration
      - ossec_etc:/var/ossec/etc
      - ossec_logs:/var/ossec/logs
      - ossec_queue:/var/ossec/queue
      - ossec_var_multigroups:/var/ossec/var/multigroups
      - ossec_integrations:/var/ossec/integrations
      - ossec_active_response:/var/ossec/active-response/bin
      - ossec_agentless:/var/ossec/agentless
      - ossec_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
  wazuh-kibana:
    image: wazuh/wazuh-kibana-odfe:4.1.5
    hostname: wazuh-kibana
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wazuhk-http.rule=Host(`wazuh.mistborn`)"
      - "traefik.http.routers.wazuhk-http.entrypoints=web"
      - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.wazuhk-https.rule=Host(`wazuh.mistborn`)"
      - "traefik.http.routers.wazuhk-https.entrypoints=websecure"
      - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.wazuhk-https.tls.certresolver=basic"
      - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601"
    #ports:
    #  - "${MISTBORN_BIND_IP}:5601:5601"
    environment:
      - SERVER_SSL_ENABLED=false
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
    env_file:
      - ../.envs/.production/.wazuh
 volumes:
  ossec_api_configuration:
  ossec_etc:
  ossec_logs:
  ossec_queue:
  ossec_var_multigroups:
  ossec_integrations:
  ossec_active_response:
  ossec_agentless:
  ossec_wodles:
  filebeat_etc:
  filebeat_var:
 networks:
  default:
    external:
      name: mistborn_default
--- a/scripts/conf/15-iptables.conf
+++ b/scripts/conf/15-iptables.conf
@ -1,6 +1,6 @@
 # Log kernel iptables dropped messages to iptables.log
 $template MyTemplate,"%$day%-%timegenerated:1:3:date-rfc3164%-%$year% %timegenerated:12:19:date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n"
-:msg,contains,"[Mistborn-IPTables-Dropped]:" /var/log/iptables.log;MyTemplate #RSYSLOG_FileFormat
+:msg,contains,"[IPTables-Dropped]:" /var/log/iptables.log;MyTemplate #RSYSLOG_FileFormat
 # Uncomment the following to stop logging anything that matches the last rule.
 # Doing this will stop logging kernel generated UFW log messages to the file
--- a/scripts/conf/20-suricata.conf
+++ b/scripts/conf/20-suricata.conf
@ -1,2 +0,0 @@
 $template SuricataTemplate, "<%PRI%>%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
 user.alert /var/log/suricata.log;SuricataTemplate
--- a/scripts/conf/cockpit.conf
+++ b/scripts/conf/cockpit.conf
@ -0,0 +1,3 @@
 [WebService]
 ProtocolHeader = X-Forwarded-Proto
 AllowUnencrypted=true
--- a/scripts/conf/docker-daemon.json
+++ b/scripts/conf/docker-daemon.json
@ -0,0 +1,3 @@
 {
    "shutdown-timeout": 60 
 }
--- a/scripts/conf/jitsi.env
+++ b/scripts/conf/jitsi.env
@ -0,0 +1,366 @@
 # shellcheck disable=SC2034
 # Security
 #
 # Set these to strong passwords to avoid intruders from impersonating a service account
 # The service(s) won't start unless these are specified
 # Running ./gen-passwords.sh will update .env with strong passwords
 # You may skip the Jigasi and Jibri passwords if you are not using those
 # DO NOT reuse passwords
 #
 # XMPP component password for Jicofo
 JICOFO_COMPONENT_SECRET=
 # XMPP password for Jicofo client connections
 JICOFO_AUTH_PASSWORD=
 # XMPP password for JVB client connections
 JVB_AUTH_PASSWORD=
 # XMPP password for Jigasi MUC client connections
 JIGASI_XMPP_PASSWORD=
 # XMPP recorder password for Jibri client connections
 JIBRI_RECORDER_PASSWORD=
 # XMPP password for Jibri client connections
 JIBRI_XMPP_PASSWORD=
 #
 # Basic configuration options
 #
 # Directory where all configuration will be stored
 #CONFIG=~/.jitsi-meet-cfg
 CONFIG=../.envs/.production/.jitsi-cfg
 # Exposed HTTP port
 HTTP_PORT=80
 # Exposed HTTPS port
 HTTPS_PORT=443
 # System time zone
 TZ=UTC
 # Public URL for the web service (required)
 PUBLIC_URL=https://jitsi.mistborn
 # IP address of the Docker host
 # See the "Running behind NAT or on a LAN environment" section in the Handbook:
 # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
 #DOCKER_HOST_ADDRESS=192.168.1.1
 DOCKER_HOST_ADDRESS=10.2.3.1
 # Control whether the lobby feature should be enabled or not
 #ENABLE_LOBBY=1
 # Show a prejoin page before entering a conference
 #ENABLE_PREJOIN_PAGE=0
 #
 # Let's Encrypt configuration
 #
 # Enable Let's Encrypt certificate generation
 #ENABLE_LETSENCRYPT=1
 # Domain for which to generate the certificate
 #LETSENCRYPT_DOMAIN=meet.example.com
 # E-Mail for receiving important account notifications (mandatory)
 #LETSENCRYPT_EMAIL=alice@atlanta.net
 # Use the staging server (for avoiding rate limits while testing)
 #LETSENCRYPT_USE_STAGING=1
 #
 # Etherpad integration (for document sharing)
 #
 # Set etherpad-lite URL in docker local network (uncomment to enable)
 #ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
 # Set etherpad-lite public URL (uncomment to enable)
 #ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
 # Name your etherpad instance!
 ETHERPAD_TITLE="Video Chat"
 # The default text of a pad
 ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
 # Name of the skin for etherpad
 ETHERPAD_SKIN_NAME="colibris"
 # Skin variants for etherpad
 ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
 #
 # Basic Jigasi configuration options (needed for SIP gateway support)
 #
 # SIP URI for incoming / outgoing calls
 #JIGASI_SIP_URI=test@sip2sip.info
 # Password for the specified SIP account as a clear text
 #JIGASI_SIP_PASSWORD=passw0rd
 # SIP server (use the SIP account domain if in doubt)
 #JIGASI_SIP_SERVER=sip2sip.info
 # SIP server port
 #JIGASI_SIP_PORT=5060
 # SIP server transport
 #JIGASI_SIP_TRANSPORT=UDP
 #
 # Authentication configuration (see handbook for details)
 #
 # Enable authentication
 #ENABLE_AUTH=1
 # Enable guest access
 #ENABLE_GUESTS=1
 # Select authentication type: internal, jwt or ldap
 #AUTH_TYPE=internal
 # JWT authentication
 #
 # Application identifier
 #JWT_APP_ID=my_jitsi_app_id
 # Application secret known only to your token
 #JWT_APP_SECRET=my_jitsi_app_secret
 # (Optional) Set asap_accepted_issuers as a comma separated list
 #JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
 # (Optional) Set asap_accepted_audiences as a comma separated list
 #JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
 # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
 #
 # LDAP url for connection
 #LDAP_URL=ldaps://ldap.domain.com/
 # LDAP base DN. Can be empty
 #LDAP_BASE=DC=example,DC=domain,DC=com
 # LDAP user DN. Do not specify this parameter for the anonymous bind
 #LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
 # LDAP user password. Do not specify this parameter for the anonymous bind
 #LDAP_BINDPW=LdapUserPassw0rd
 # LDAP filter. Tokens example:
 # %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
 # %s - %s is replaced by the complete service string
 # %r - %r is replaced by the complete realm string
 #LDAP_FILTER=(sAMAccountName=%u)
 # LDAP authentication method
 #LDAP_AUTH_METHOD=bind
 # LDAP version
 #LDAP_VERSION=3
 # LDAP TLS using
 #LDAP_USE_TLS=1
 # List of SSL/TLS ciphers to allow
 #LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
 # Require and verify server certificate
 #LDAP_TLS_CHECK_PEER=1
 # Path to CA cert file. Used when server certificate verify is enabled
 #LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
 # Path to CA certs directory. Used when server certificate verify is enabled
 #LDAP_TLS_CACERT_DIR=/etc/ssl/certs
 # Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
 # LDAP_START_TLS=1
 #
 # Advanced configuration options (you generally don't need to change these)
 #
 # Internal XMPP domain
 XMPP_DOMAIN=meet.jitsi
 # Internal XMPP server
 XMPP_SERVER=xmpp.meet.jitsi
 # Internal XMPP server URL
 XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
 # Internal XMPP domain for authenticated services
 XMPP_AUTH_DOMAIN=auth.meet.jitsi
 # XMPP domain for the MUC
 XMPP_MUC_DOMAIN=muc.meet.jitsi
 # XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
 XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
 # XMPP domain for unauthenticated users
 XMPP_GUEST_DOMAIN=guest.meet.jitsi
 # Comma separated list of domains for cross domain policy or "true" to allow all
 # The PUBLIC_URL is always allowed
 #XMPP_CROSS_DOMAIN=true
 # Custom Prosody modules for XMPP_DOMAIN (comma separated)
 XMPP_MODULES=
 # Custom Prosody modules for MUC component (comma separated)
 XMPP_MUC_MODULES=
 # Custom Prosody modules for internal MUC component (comma separated)
 XMPP_INTERNAL_MUC_MODULES=
 # MUC for the JVB pool
 JVB_BREWERY_MUC=jvbbrewery
 # XMPP user for JVB client connections
 JVB_AUTH_USER=jvb
 # STUN servers used to discover the server's public IP
 JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
 # Media port for the Jitsi Videobridge
 JVB_PORT=10000
 # TCP Fallback for Jitsi Videobridge for when UDP isn't available
 JVB_TCP_HARVESTER_DISABLED=true
 JVB_TCP_PORT=4443
 JVB_TCP_MAPPED_PORT=4443
 # A comma separated list of APIs to enable when the JVB is started [default: none]
 # See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
 #JVB_ENABLE_APIS=rest,colibri
 # XMPP user for Jicofo client connections.
 # NOTE: this option doesn't currently work due to a bug
 JICOFO_AUTH_USER=focus
 # Base URL of Jicofo's reservation REST API
 #JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
 # Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
 #JICOFO_ENABLE_HEALTH_CHECKS=true
 # XMPP user for Jigasi MUC client connections
 JIGASI_XMPP_USER=jigasi
 # MUC name for the Jigasi pool
 JIGASI_BREWERY_MUC=jigasibrewery
 # Minimum port for media used by Jigasi
 JIGASI_PORT_MIN=20000
 # Maximum port for media used by Jigasi
 JIGASI_PORT_MAX=20050
 # Enable SDES srtp
 #JIGASI_ENABLE_SDES_SRTP=1
 # Keepalive method
 #JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
 # Health-check extension
 #JIGASI_HEALTH_CHECK_SIP_URI=keepalive
 # Health-check interval
 #JIGASI_HEALTH_CHECK_INTERVAL=300000
 #
 # Enable Jigasi transcription
 #ENABLE_TRANSCRIPTIONS=1
 # Jigasi will record audio when transcriber is on [default: false]
 #JIGASI_TRANSCRIBER_RECORD_AUDIO=true
 # Jigasi will send transcribed text to the chat when transcriber is on [default: false]
 #JIGASI_TRANSCRIBER_SEND_TXT=true
 # Jigasi will post an url to the chat with transcription file [default: false]
 #JIGASI_TRANSCRIBER_ADVERTISE_URL=true
 # Credentials for connect to Cloud Google API from Jigasi
 # Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
 # section "Before you begin" paragraph 1 to 5
 # Copy the values from the json to the related env vars
 #GC_PROJECT_ID=
 #GC_PRIVATE_KEY_ID=
 #GC_PRIVATE_KEY=
 #GC_CLIENT_EMAIL=
 #GC_CLIENT_ID=
 #GC_CLIENT_CERT_URL=
 # Enable recording
 #ENABLE_RECORDING=1
 # XMPP domain for the jibri recorder
 XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
 # XMPP recorder user for Jibri client connections
 JIBRI_RECORDER_USER=recorder
 # Directory for recordings inside Jibri container
 JIBRI_RECORDING_DIR=/config/recordings
 # The finalizing script. Will run after recording is complete
 JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
 # XMPP user for Jibri client connections
 JIBRI_XMPP_USER=jibri
 # MUC name for the Jibri pool
 JIBRI_BREWERY_MUC=jibribrewery
 # MUC connection timeout
 JIBRI_PENDING_TIMEOUT=90
 # When jibri gets a request to start a service for a room, the room
 # jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
 # We'll build the url for the call by transforming that into:
 # https://xmpp_domain/subdomain/roomName
 # So if there are any prefixes in the jid (like jitsi meet, which
 # has its participants join a muc at conference.xmpp_domain) then
 # list that prefix here so it can be stripped out to generate
 # the call url correctly
 JIBRI_STRIP_DOMAIN_JID=muc
 # Directory for logs inside Jibri container
 JIBRI_LOGS_DIR=/config/logs
 # Disable HTTPS: handle TLS connections outside of this setup
 DISABLE_HTTPS=1
 # Redirect HTTP traffic to HTTPS
 # Necessary for Let's Encrypt, relies on standard HTTPS port (443)
 #ENABLE_HTTP_REDIRECT=1
 # Enable IPv6
 # Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
 #ENABLE_IPV6=1
 # Container restart policy
 # Defaults to unless-stopped
 RESTART_POLICY=unless-stopped
 # Authenticate using external service or just focus external auth window if there is one already.
 # TOKEN_AUTH_URL=https://auth.meet.example.com/{room}
--- a/scripts/env/check_env_file.sh
+++ b/scripts/env/check_env_file.sh
@ -0,0 +1,35 @@
 #!/bin/bash
 set -e
 SERVICE="$1"
 export MISTBORN_HOME=/opt/mistborn
 export SERVICE_ENV_INSTALLER="${MISTBORN_HOME}/scripts/subinstallers/extra/${SERVICE}.sh"
 export SERVICE_ENV_FILE="${MISTBORN_HOME}/.envs/.production/.${SERVICE}"
 # read in global variables
 set -a
 source ${MISTBORN_HOME}/.env
 source ${MISTBORN_HOME}/.envs/.production/.django
 source ${MISTBORN_HOME}/.envs/.production/.postgres
 source ${MISTBORN_HOME}/.envs/.production/.pihole
 set +a
 if [[ -f "${SERVICE_ENV_INSTALLER}" ]]; then
    if [[ -f "${SERVICE_ENV_FILE}" ]]; then
        echo "Environment file already exists."
    else
        # create env file for service
        echo "Creating environment file"
        source $SERVICE_ENV_INSTALLER $SERVICE_ENV_FILE
        chown mistborn:mistborn $SERVICE_ENV_FILE
        chmod 600 $SERVICE_ENV_FILE
    fi
 else
    echo "No subinstaller found."
 fi
--- a/scripts/env/setup.sh
+++ b/scripts/env/setup.sh
@ -1,10 +1,5 @@
 #!/bin/bash
 # Version
 MISTBORN_MAJOR_VERSION="0"
 MISTBORN_MINOR_VERSION="1"
 MISTBORN_PATCH_NUMBER="1"
 #### ENV file
 VAR_FILE=/opt/mistborn/.env
@ -16,12 +11,7 @@ source /opt/mistborn/scripts/subinstallers/platform.sh
 # setup env file
 echo "" | sudo tee ${VAR_FILE}
 sudo chown mistborn:mistborn ${VAR_FILE}
-
+sudo chmod 600 ${VAR_FILE}
 # Version env variables
 echo "MISTBORN_VERSION=${MISTBORN_MAJOR_VERSION}.${MISTBORN_MINOR_VERSION}.${MISTBORN_PATCH_NUMBER}" | sudo tee -a ${VAR_FILE}
 echo "MISTBORN_MAJOR_VERSION=${MISTBORN_MAJOR_VERSION}" | sudo tee -a ${VAR_FILE}
 echo "MISTBORN_MINOR_VERSION=${MISTBORN_MINOR_VERSION}" | sudo tee -a ${VAR_FILE}
 echo "MISTBORN_PATCH_NUMBER=${MISTBORN_PATCH_NUMBER}" | sudo tee -a ${VAR_FILE}
 # MISTBORN_DNS_BIND_IP
@ -39,11 +29,9 @@ echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE}
 # MISTBORN_TAG
 GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master")
-MISTBORN_TAG="${MISTBORN_MAJOR_VERSION}.${MISTBORN_MINOR_VERSION}"
+MISTBORN_TAG="latest"
-if [ ! -z "$MISTBORN_TEST_CONTAINER" ]; then
+if [ "$GIT_BRANCH" != "master" ]; then
-    MISTBORN_TAG="$MISTBORN_TEST_CONTAINER"
+    MISTBORN_TAG="test"
 elif [ "$GIT_BRANCH" == "master" ]; then
    MISTBORN_TAG="latest"
 fi
 echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
@ -53,9 +41,9 @@ echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
 # copy current service files to systemd (overwriting as needed)
 sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
-## set script user and owner
+# set script user and owner
-#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
+sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
-##sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
+#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
 # reload in case the iface is not immediately set
 sudo systemctl daemon-reload
@ -68,13 +56,9 @@ while [[ -z "$iface" ]]; do
    iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]')
 done
 GLOBAL_ENV=/opt/mistborn/.envs/.production/.global
 install -Dv /dev/null $GLOBAL_ENV
 echo "DIFACE=$iface" >> $GLOBAL_ENV
 echo "MISTBORN_ENV_PATH=../../.envs/.production/" >> $GLOBAL_ENV
 echo "MISTBORN_VOL_PATH=../../../mistborn_volumes/extra/" >> $GLOBAL_ENV
 # default interface
-#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
+sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
 echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE}
 sudo systemctl daemon-reload
--- a/scripts/install.sh
+++ b/scripts/install.sh
@ -39,7 +39,7 @@ if [ $(whoami) != "$MISTBORN_USER" ]; then
        sudo cp $FULLPATH /home/$MISTBORN_USER
        sudo chown $MISTBORN_USER:$MISTBORN_USER /home/$MISTBORN_USER/$FILENAME
-        sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
+        sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" MISTBORN_INSTALL_COCKPIT="$MISTBORN_INSTALL_COCKPIT" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
        exit 0
 fi
@ -59,12 +59,28 @@ echo -e "| |  | | \__ \ |_| |_) | (_) | |  | | | |"
 echo -e "|_|  |_|_|___/\__|_.__/ \___/|_|  |_| |_|"
 echo -e ""
-# INPUT default admin password
+sudo rm -rf /opt/mistborn 2>/dev/null || true
-if [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; then
+
-    read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD
+# clone to /opt and change directory
 echo "Cloning $GIT_BRANCH branch from mistborn repo"
 sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn
 sudo chown -R $USER:$USER /opt/mistborn
 pushd .
 cd /opt/mistborn
 git submodule update --init --recursive
 # Check updates
 echo "Checking updates"
 source ./scripts/subinstallers/check_updates.sh
 # MISTBORN_DEFAULT_PASSWORD
 source ./scripts/subinstallers/passwd.sh
 # Install Cockpit?
 if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then
    read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface -- NOT RECOMMENDED on Raspberry Pi)? [y/N]: " MISTBORN_INSTALL_COCKPIT
    echo
-else
+    MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-N}
    echo "MISTBORN_DEFAULT_PASSWORD is already set"
 fi
 # SSH keys
@ -78,18 +94,7 @@ else
    echo "SSH key exists for $USER"
 fi
-sudo rm -rf /opt/mistborn 2>/dev/null || true
+# initial load update package list during check_updates.sh
 # clone to /opt and change directory
 echo "Cloning $GIT_BRANCH branch from mistborn repo"
 sudo git clone https://gitlab.com/cyber5k/mistborn.git -b $GIT_BRANCH /opt/mistborn
 sudo chown -R $USER:$USER /opt/mistborn
 pushd .
 cd /opt/mistborn
 git submodule update --init --recursive
 # initial load update package list
 sudo apt-get update
 # install figlet
 sudo -E apt-get install -y figlet
@ -100,17 +105,39 @@ source ./scripts/subinstallers/platform.sh
 # iptables
 echo "Setting up firewall (iptables)"
-if [ ! -f "/etc/iptables/rules.v4" ]; then
+if [ -f "/etc/iptables/rules.v4" ]; then
-    echo "Setting iptables rules..."
+    echo "Caution: iptables rules exist."
-    source ./scripts/subinstallers/suricata.sh
+
-    source ./scripts/subinstallers/iptables.sh
+    read -p "Would you like to Clear (C) existing iptables rules or Add (A) to existing rules (this may cause problems)? [c/a] " MISTBORN_IPTABLES_ACTION
-    source ./scripts/subinstallers/ip6tables.sh
+    echo
-    #source ./scripts/subinstallers/iptables_docker.sh
+
-    source ./scripts/subinstallers/iptables_cleanup.sh
+    if [[ "${MISTBORN_IPTABLES_ACTION}" =~ ^([cC])$ ]]; then
-else
+    # clear
-    echo "iptables rules exist. Leaving alone."
+        echo "Clearing existing iptables rules..."
        sudo rm -rf /etc/iptables/rules.v4
        sudo iptables -F
        sudo iptables -t nat -F
        sudo iptables -P INPUT ACCEPT
        sudo iptables -P FORWARD ACCEPT
        sudo rm -rf /etc/iptables/rules.v6 || true
        sudo ip6tables -F || true
        sudo ip6tables -t nat -F || true
        sudo ip6tables -P INPUT ACCEPT || true
        sudo ip6tables -P FORWARD ACCEPT || true
    elif [[ "${MISTBORN_IPTABLES_ACTION}" =~ ^([aA])$ ]]; then
    # do nothing
        echo "Proceeding..."
    else
        echo "Unrecognized action: stopping"
        exit 1;
    fi
 fi
 echo "Setting iptables rules..."
 source ./scripts/subinstallers/iptables.sh
 # SSH Server
 sudo -E apt-get install -y openssh-server
@ -147,6 +174,16 @@ sudo systemctl start docker
 # Unattended upgrades
 sudo -E apt-get install -y unattended-upgrades
 # Cockpit
 if [[ "$MISTBORN_INSTALL_COCKPIT" =~ ^([yY][eE][sS]|[yY])$ ]]
 then
    # install cockpit
    source ./scripts/subinstallers/cockpit.sh
    # set variable (that will be available in environment)
    MISTBORN_INSTALL_COCKPIT=Y
 fi
 # Mistborn-cli (pip3 installed by docker)
 figlet "Mistborn: Installing mistborn-cli"
 sudo pip3 install -e ./modules/mistborn-cli
@ -187,6 +224,9 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-pihole
 sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd
 sudo mkdir -p ../mistborn_volumes/extra
 # Traefik final setup (cockpit)
 #cp ./compose/production/traefik/traefikv2.toml.template ./compose/production/traefik/traefik.toml
 # setup tls certs 
 source ./scripts/subinstallers/openssl.sh
 #sudo rm -rf ../mistborn_volumes/base/tls
@ -232,6 +272,7 @@ sudo resolvconf -u 1>/dev/null 2>&1
 echo "backup up original volumes folder"
 sudo mkdir -p ../mistborn_backup
 sudo chmod 700 ../mistborn_backup
 sudo tar -czf ../mistborn_backup/mistborn_volumes_backup.tar.gz ../mistborn_volumes 1>/dev/null 2>&1
 # clean docker
--- a/scripts/services/Mistborn-base.service
+++ b/scripts/services/Mistborn-base.service
@ -6,23 +6,28 @@ After=docker.service
 After=netfilter-persistent.service
 [Service]
 EnvironmentFile=/opt/mistborn/.envs/.production/.global
 EnvironmentFile=/opt/mistborn/.env
 Restart=always
-User=mistborn
+RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 EnvironmentFile=/opt/mistborn/.env
 # stop all containers joined to mistborn_default network
 ExecStartPre=-/usr/bin/bash -c "docker container stop $(docker network inspect mistborn_default | grep Name | tail -n +2 | cut -d':' -f2 | tr -d ',\"') 2>/dev/null"
 # bring down the base service
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml build
-ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev $DIFACE
+ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
-#ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -A OUTPUT -o $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/ip6tables -w -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/resolvconf -u
 # Start container when unit is started
@ -30,12 +35,12 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml up
 # Stop container when unit is stopped
 ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 # Post stop
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
-#ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D OUTPUT -o $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
 [Install]
--- a/scripts/services/Mistborn-bitwarden.service
+++ b/scripts/services/Mistborn-bitwarden.service
@ -0,0 +1,25 @@
 [Unit]
 Description=Mistborn Bitwarden Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-elasticsearch.service
+++ b/scripts/services/Mistborn-elasticsearch.service
@ -0,0 +1,22 @@
 [Unit]
 Description=Mistborn Elasticsearch Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-guacamole.service
+++ b/scripts/services/Mistborn-guacamole.service
@ -0,0 +1,23 @@
 [Unit]
 Description=Mistborn Guacamole
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-homeassistant.service
+++ b/scripts/services/Mistborn-homeassistant.service
@ -0,0 +1,23 @@
 [Unit]
 Description=Mistborn Home Assistant 
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-jellyfin.service
+++ b/scripts/services/Mistborn-jellyfin.service
@ -0,0 +1,23 @@
 [Unit]
 Description=Mistborn Jellyfin Service
 Requires=Mistborn-nextcloud.service
 After=Mistborn-nextcloud.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-jitsi.service
+++ b/scripts/services/Mistborn-jitsi.service
@ -0,0 +1,27 @@
 [Unit]
 Description=Mistborn Jitsi Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 # Post stop
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-nextcloud.service
+++ b/scripts/services/Mistborn-nextcloud.service
@ -0,0 +1,23 @@
 [Unit]
 Description=Mistborn Nextcloud Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-onlyoffice.service
+++ b/scripts/services/Mistborn-onlyoffice.service
@ -0,0 +1,23 @@
 [Unit]
 Description=Mistborn OnlyOffice Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-raspap.service
+++ b/scripts/services/Mistborn-raspap.service
@ -0,0 +1,25 @@
 [Unit]
 Description=Mistborn RaspAP Service 
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP
 #ExecStartPre=/bin/bash /opt/mistborn_volumes/extra/raspap/etc-raspap/hostapd/servicestart.sh --interface uap0 --seconds 3
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-rocketchat.service
+++ b/scripts/services/Mistborn-rocketchat.service
@ -0,0 +1,25 @@
 [Unit]
 Description=Mistborn Rocket Chat Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-syncthing.service
+++ b/scripts/services/Mistborn-syncthing.service
@ -0,0 +1,27 @@
 [Unit]
 Description=Mistborn Syncthing Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-tor.service
+++ b/scripts/services/Mistborn-tor.service
@ -0,0 +1,25 @@
 [Unit]
 Description=Mistborn Tor Service 
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
@ -0,0 +1,30 @@
 [Unit]
 Description=Mistborn Wazuh Service
 Requires=Mistborn-elasticsearch.service
 After=Mistborn-elasticsearch.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 TimeoutStartSec=600
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml up --build
 # Agent install
 ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
 # Suricata
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_stop.sh
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/elasticsearch/files/internal_users.yml
+++ b/scripts/services/elasticsearch/files/internal_users.yml
@ -0,0 +1,17 @@
 ---
 # This is the internal user database
 # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
 _meta:
  type: "internalusers"
  config_version: 2
 # Define your internal users here
 mistborn:
  hash: "__MISTBORN_HASH__"
  reserved: true
  backend_roles:
  - "admin"
  description: "Mistborn user"
--- a/scripts/services/elasticsearch/init.sh
+++ b/scripts/services/elasticsearch/init.sh
@ -0,0 +1,21 @@
 #!/bin/bash
 set -e
 if [[ -f "/opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml" ]]; then
    echo "internal_users.yml exists. Proceeding."
    exit 0
 fi
 mkdir -p /opt/mistborn_volumes/extra/elasticsearch/init/ >/dev/null 2>&1
 chmod -R +x /opt/mistborn_volumes/extra/elasticsearch/init/
 cp /opt/mistborn/scripts/services/elasticsearch/files/internal_users.yml /opt/mistborn_volumes/extra/elasticsearch/init/
 ELASTICSEARCH_MISTBORN_HASHED="$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n')"
 if [[ -z "${ELASTICSEARCH_MISTBORN_HASHED}" ]]; then 
    echo "Elasticsearch password hash not generated properly"
    exit 1;
 fi
 sed -i "s|__MISTBORN_HASH__|${ELASTICSEARCH_MISTBORN_HASHED}|" /opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml
--- a/scripts/services/guacamole/init.sh
+++ b/scripts/services/guacamole/init.sh
@ -0,0 +1,21 @@
 #!/bin/bash
 if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then
    echo "initdb.sql exists. Proceeding."
    exit 0
 fi
 mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1
 chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/
 docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
 # grab values in initdb.sql to replace
 HEXSTRINGS=($(egrep -o [0-9a-fA-F]{64} /opt/mistborn_volumes/extra/guacamole/init/initdb.sql))
 # reset default password in init.db
 SALT=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice('0123456789ABCDEF') for x in range(64)]))")
 GUAC_PASSWORD_HASHED=$(echo -n "${MISTBORN_DEFAULT_PASSWORD}${SALT}" | sha256sum | awk '{print $1}' | tr a-z A-Z)
 sed -i "s/${HEXSTRINGS[1]}/$SALT/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
 sed -i "s/${HEXSTRINGS[0]}/$GUAC_PASSWORD_HASHED/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
 sed -i "s/guacadmin/mistborn/g" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
--- a/scripts/services/homeassistant/init.sh
+++ b/scripts/services/homeassistant/init.sh
@ -0,0 +1,54 @@
 #!/bin/bash
 HASS_CONFIG="/opt/mistborn_volumes/extra/homeassistant/config/configuration.yaml"
 if [[ -f "$HASS_CONFIG" ]]; then
    # configuration.yaml exists
    if [[ ! -z $(grep "use_x_forwarded_for: true" "$HASS_CONFIG") ]]; then
        # FOUND
        exit 0;
    fi
 # add the proxy config
 # write the trusted proxies config
 cat >> ${HASS_CONFIG}<< EOF
 http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.16.0.0/12 
 EOF
 exit 0;
 fi
 # create parent directory if needed
 PARENTDIR="$(dirname $HASS_CONFIG)"
 if [[ ! -d "$PARENTDIR" ]]; then
    mkdir -p $PARENTDIR
 fi
 # write the trusted proxies config
 cat >> ${HASS_CONFIG}<< EOF
 # Configure a default setup of Home Assistant (frontend, api, etc)
 default_config:
 # Text to speech
 #tts:
 #  - platform: google_translate
 #group: !include groups.yaml
 #automation: !include automations.yaml
 #script: !include scripts.yaml
 #scene: !include scenes.yaml
 http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.16.0.0/12  
 EOF
--- a/scripts/services/jitsi/iptables_down.sh
+++ b/scripts/services/jitsi/iptables_down.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
 iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
--- a/scripts/services/jitsi/iptables_up.sh
+++ b/scripts/services/jitsi/iptables_up.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
 iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
--- a/scripts/services/wazuh/agent.sh
+++ b/scripts/services/wazuh/agent.sh
@ -0,0 +1,30 @@
 #!/bin/bash
 # detect if already installed
 if dpkg -s wazuh-agent &> /dev/null; then
    echo "Wazuh agent already installed"
    exit 0
 fi
 # install curl
 echo "install curl"
 sudo -E apt-get install -y curl
 # prepare repo
 echo "Adding Wazuh Repository"
 curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo -E apt-key add -
 echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo -E tee /etc/apt/sources.list.d/wazuh.list
 apt-get update
 # wait for service to be listening
 while ! nc -z 10.2.3.1 55000; do
    WAIT_TIME=10
    echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
    sleep ${WAIT_TIME}
 done
 # install
 echo "Installing Wazuh agent"
 WAZUH_MANAGER="10.2.3.1" apt-get install wazuh-agent
--- a/scripts/services/wazuh/agent_start.sh
+++ b/scripts/services/wazuh/agent_start.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 systemctl start wazuh-agent
 systemctl enable wazuh-agent
--- a/scripts/services/wazuh/agent_stop.sh
+++ b/scripts/services/wazuh/agent_stop.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 systemctl stop wazuh-agent
 systemctl disable wazuh-agent
--- a/scripts/services/wazuh/suricata/suricata_init.sh
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
@ -0,0 +1,129 @@
 #!/bin/bash
 set -e
 # detect if suricata is installed
 if [[ $(dpkg-query -W -f='${Status}' suricata 2>/dev/null | grep -c "ok installed") -eq 1 ]]; then
    echo "Suricata Installed"
    exit 0
 fi
 source /opt/mistborn/scripts/subinstallers/platform.sh
 # minimal dependencies
 sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
                libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
                make libmagic-dev libjansson-dev jq wget
 ## recommended dependencies
 #sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
 #                libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
 #                libcap-ng-dev libcap-ng0 make libmagic-dev         \
 #                libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
 #                python-yaml rustc cargo
 # iptables/nftables integration
 sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1  \
                libnetfilter-log-dev libnetfilter-log1      \
                libnfnetlink-dev libnfnetlink0
 if [ "$DISTRO" == "ubuntu" ]; then
    echo "Installing Suricata Ubuntu PPA"
    sudo -E add-apt-repository -y ppa:oisf/suricata-stable
    sudo -E apt-get update
    sudo -E apt-get install -y suricata
 elif [ "$DISTRO" == "debian" ]; then
    # retrieve version codename
    source /etc/os-release
    echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
        sudo -E tee /etc/apt/sources.list.d/backports.list
    sudo -E apt-get update
    sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
 else
    echo "Basic Suricata installation"
    sudo -E apt-get install -y suricata
 fi
 # # iptables
 # sudo iptables -A INPUT -j NFQUEUE
 # sudo iptables -I FORWARD -j NFQUEUE
 # sudo iptables -I OUTPUT -j NFQUEUE
 # # rsyslog to create /var/log/suricata.log
 # sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
 # sudo chown root:root /etc/rsyslog.d/20-suricata.conf
 # sudo systemctl restart rsyslog
 # rules
 pushd .
 cd /tmp
 wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
 tar zxvf emerging.rules.tar.gz
 sudo -E rm /etc/suricata/rules/* -f
 sudo -E mv rules/*.rules /etc/suricata/rules/
 popd
 # suricata yaml
 sudo -E rm -f /etc/suricata/suricata.yaml
 sudo -E wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
 IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
 sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml
 sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
 #systemctl restart suricata
 # wait for service to be listening
 while ! nc -z 10.2.3.1 55000; do
    WAIT_TIME=10
    echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
    sleep ${WAIT_TIME}
 done
 # set working directory to mistborn for docker-compose
 pushd .
 cd /opt/mistborn
 # ensure group exists
 sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null
 # add this host to group
 WAZUH_ID=$(sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',')
 sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q
 # write agent.conf
 sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF
 <agent_config>
    <localfile>
        <log_format>json</log_format>
        <location>/var/log/suricata/eve.json</location>
    </localfile>
 </agent_config>
 EOF
 "
 # restart manager
 sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml restart wazuh
 popd
 # suricata-update
 sudo -E apt install python3-pip
 sudo -E pip3 install pyyaml
 sudo -E pip3 install https://github.com/OISF/suricata-update/archive/master.zip
 sudo -E pip3 install --pre --upgrade suricata-update
 # sudo -E suricata-update enable-source oisf/trafficid
 # sudo -E suricata-update enable-source etnetera/aggressive
 # sudo -E suricata-update enable-source sslbl/ssl-fp-blacklist
 # sudo -E suricata-update enable-source et/open
 # sudo -E suricata-update enable-source tgreen/hunting
 # sudo -E suricata-update enable-source sslbl/ja3-fingerprints
 # sudo -E suricata-update enable-source ptresearch/attackdetection
 sudo -E suricata-update
 sudo systemctl daemon-reload
 sudo systemctl restart suricata
--- a/scripts/services/wazuh/suricata/suricata_start.sh
+++ b/scripts/services/wazuh/suricata/suricata_start.sh
@ -0,0 +1,7 @@
 #!/bin/bash
 systemctl start suricata
 systemctl enable suricata
 #apt-get install -y python-pyinotify
 #python /opt/mistborn/scripts/services/scirius/suri_reloader -p /etc/suricata/rules &
--- a/scripts/services/wazuh/suricata/suricata_stop.sh
+++ b/scripts/services/wazuh/suricata/suricata_stop.sh
@ -0,0 +1,6 @@
 #!/bin/bash
 systemctl stop suricata
 systemctl disable suricata
 #kill $(pgrep -f suri_reloader) 2>/dev/null
--- a/scripts/subinstallers/check_updates.sh
+++ b/scripts/subinstallers/check_updates.sh
@ -0,0 +1,10 @@
 #!/bin/bash
 sudo apt-get update
 UPDATES=$(sudo apt-get dist-upgrade -s --quiet=2 | grep ^Inst | wc -l)
 if [[ "$UPDATES" -ne "0" ]]; then
    echo "Please run updates and reboot before installing Mistborn: sudo apt-get update && sudo apt-get -y dist-upgrade"
    exit 1;
 fi
--- a/scripts/subinstallers/cockpit.sh
+++ b/scripts/subinstallers/cockpit.sh
@ -0,0 +1,31 @@
 #!/bin/bash
 # Cockpit
 figlet "Mistborn: Installing Cockpit"
 if [ "$DISTRO" == "ubuntu" ]; then
    echo "Ubuntu backports enabled by default"
 elif [ "$DISTRO" == "debian" ]; then
    sudo grep -qF "buster-backports" /etc/apt/sources.list.d/backports.list \
    && echo "buster-backports already in sources" \
    || echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee -a /etc/apt/sources.list.d/backports.list
 elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
    echo "Raspbian repos contain cockpit"
 fi
 sudo -E apt-get install -y cockpit
 if [ $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ]; then
    # no longer supported upstream in Ubuntu 20.04
    sudo -E apt-get install -y cockpit-docker
 elif [ $(sudo apt-cache show cockpit-podman > /dev/null 2>&1) ]; then
    sudo -E apt-get install -y cockpit-podman
 fi
 sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf
 sudo systemctl restart cockpit.socket
 # create system cockpit user
 echo "Creating cockpit user"
 sudo useradd -s /bin/bash -d /home/cockpit -m -G sudo -p $(openssl passwd -1 "$MISTBORN_DEFAULT_PASSWORD") cockpit || true
--- a/scripts/subinstallers/docker.sh
+++ b/scripts/subinstallers/docker.sh
@ -6,7 +6,18 @@ figlet "Mistborn: Installing Docker"
 sudo apt update
 sudo -E apt install -y python python3-pip python3-setuptools libffi-dev python3-dev libssl-dev
-if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
+# Ubuntu version >= 20.04
 set +e
 vercomp "$VERSION_ID" "19.10"
 case $? in
    0) op='=';;
    1) op='>';;
    2) op='<';;
 esac
 set -e
 if [ "$DISTRO" == "ubuntu" ] && [ "$op" == ">" ]; then
    echo "Automated Docker install"
    sudo -E apt-get install -y docker-compose
 else
@ -18,3 +29,6 @@ fi
 if [ ! -f /usr/local/bin/docker-compose ]; then
    sudo -E ln -s $(which docker-compose) /usr/local/bin/docker-compose
 fi
 # daemon.json
 #source ./scripts/subinstallers/docker_daemon.sh
--- a/scripts/subinstallers/docker_daemon.sh
+++ b/scripts/subinstallers/docker_daemon.sh
@ -0,0 +1,7 @@
 #!/bin/bash
 # daemon.json
 if [ ! -f /etc/docker/daemon.json ]; then
    sudo -E cp ./scripts/conf/docker-daemon.json /etc/docker/daemon.json
    sudo -E systemctl restart docker
 fi
--- a/scripts/subinstallers/docker_manual.sh
+++ b/scripts/subinstallers/docker_manual.sh
@ -67,3 +67,8 @@ echo "Installing Docker Compose"
 sudo pip3 install cryptography==3.3.2 docker-compose
 #fi
 # check raspbian fixes
 if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
    source ./scripts/subinstallers/docker_raspbian.sh 
 fi
--- a/scripts/subinstallers/docker_raspbian.sh
+++ b/scripts/subinstallers/docker_raspbian.sh
@ -0,0 +1,46 @@
 #!/bin/bash
 set +e
 compare_version() {
  local versionOne="${1}"
  local comparision="${2}"
  local versionTwo="${3}"
  local result=
  local sortOpt=
  local returncode=1
  if [[ "${versionOne}" == "${versionTwo}" ]] ; then
    return 3
  fi
  case ${comparision} in
    lower|smaller|older|lt|"<" ) sortOpt= ;;
    higher|bigger|newer|bt|">" ) sortOpt='r' ;;
    * ) return 2 ;;
  esac
  result=($(printf "%s\n" "${versionOne}" "${versionTwo}" | sort -${sortOpt}V ))
  if [[ "${versionOne}" == "${result[0]}" ]] ; then
    returncode=0
  fi
  return ${returncode}
 } # end of function compare_version
 # libseccomp2
 LIBSECCOMP2_VERSION=$(sudo -E apt-cache policy libseccomp2 | egrep ^\ *Inst | awk '{print $2}')
 compare_version $LIBSECCOMP2_VERSION '<' '2.5.1-1'
 if [ $? -eq 0 ]; then
    # this is dumb but the raspbian repo managers aren't impressive
    echo "Installing newer libseccomp2"
    pushd .
    cd /tmp
    wget http://ftp.us.debian.org/debian/pool/main/libs/libseccomp/libseccomp2_2.5.1-1_$(dpkg --print-architecture).deb
    sudo dpkg -i libseccomp2_2.5.1-1_$(dpkg --print-architecture).deb
    popd
 fi
 set -e
--- a/scripts/subinstallers/extra/bitwarden.sh
+++ b/scripts/subinstallers/extra/bitwarden.sh
@ -0,0 +1,7 @@
 #!/bin/bash
 # generate bitwarden .env files
 BITWARDEN_PROD_FILE="$1"
 echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
 echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
 chmod 600 $BITWARDEN_PROD_FILE
--- a/scripts/subinstallers/extra/elasticsearch.sh
+++ b/scripts/subinstallers/extra/elasticsearch.sh
@ -0,0 +1,6 @@
 #!/bin/bash
 # Elasticsearch
 ELASTICSEARCH_PROD_FILE="$1"
 echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $ELASTICSEARCH_PROD_FILE
 chmod 600 $ELASTICSEARCH_PROD_FILE
--- a/scripts/subinstallers/extra/guacamole.sh
+++ b/scripts/subinstallers/extra/guacamole.sh
@ -0,0 +1,14 @@
 #!/bin/bash
 # Guacamole
 GUAC_PROD_FILE="$1"
 GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE
 echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE
 echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE
 echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
 echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
 echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
 echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
 echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE
 chmod 600 $GUAC_PROD_FILE
--- a/scripts/subinstallers/extra/jitsi.sh
+++ b/scripts/subinstallers/extra/jitsi.sh
@ -0,0 +1,13 @@
 #!/bin/bash
 # JITSI
 JITSI_PROD_FILE="$1"
 cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE
 mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
 sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 chmod 600 $JITSI_PROD_FILE
--- a/scripts/subinstallers/extra/nextcloud.sh
+++ b/scripts/subinstallers/extra/nextcloud.sh
@ -0,0 +1,10 @@
 #!/bin/bash
 # generate nextcloud .env files
 NEXTCLOUD_PROD_FILE="$1"
 #NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
 echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
 echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
 echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
 chmod 600 $NEXTCLOUD_PROD_FILE
--- a/scripts/subinstallers/extra/onlyoffice.sh
+++ b/scripts/subinstallers/extra/onlyoffice.sh
@ -0,0 +1,8 @@
 #!/bin/bash
 # generate onlyoffice .env files
 ONLYOFFICE_PROD_FILE="$1"
 JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}"
 echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
 echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
 chmod 600 $ONLYOFFICE_PROD_FILE
--- a/scripts/subinstallers/extra/raspap.sh
+++ b/scripts/subinstallers/extra/raspap.sh
@ -0,0 +1,6 @@
 #!/bin/bash
 # RaspAP
 RASPAP_PROD_FILE="$1"
 echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" > $RASPAP_PROD_FILE
 chmod 600 $RASPAP_PROD_FILE
--- a/scripts/subinstallers/extra/rocketchat.sh
+++ b/scripts/subinstallers/extra/rocketchat.sh
@ -0,0 +1,15 @@
 #!/bin/bash
 # generate rocketchat .env files
 ROCKETCHAT_PROD_FILE="$1"
 #ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
 echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
 echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
 echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
 echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
 # docker environment
 echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE
 chmod 600 $ROCKETCHAT_PROD_FILE
--- a/scripts/subinstallers/extra/wazuh.sh
+++ b/scripts/subinstallers/extra/wazuh.sh
@ -0,0 +1,92 @@
 #!/bin/bash
 # Wazuh
 WAZUH_PROD_FILE="$1"
 echo "ELASTIC_USERNAME=mistborn" > $WAZUH_PROD_FILE
 echo "ELASTIC_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
 echo "ELASTICSEARCH_USERNAME=mistborn" >> $WAZUH_PROD_FILE
 echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
 # kibana odfe
 # kibana-odfe/config/wazuh_app_config.sh
 # https://wazuh
 echo "WAZUH_API_URL=https://10.2.3.1" >> $WAZUH_PROD_FILE
 echo "API_PORT=55000" >> $WAZUH_PROD_FILE
 echo "API_USERNAME=wazuh-wui" >> $WAZUH_PROD_FILE
 #API_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 API_PASSWORD_PYTHON=$(cat << EOF
 import secrets
 import random
 import string
 random_pass = ([secrets.choice("@$!*?-"),
                           secrets.choice(string.digits),
                           secrets.choice(string.ascii_lowercase),
                           secrets.choice(string.ascii_uppercase),
                           ]
                          + [secrets.choice(string.ascii_lowercase
                                           + string.ascii_uppercase
                                           + "@$!*?-"
                                           + string.digits) for i in range(12)])
 random.shuffle(random_pass)
 random_pass = ''.join(random_pass)
 print(random_pass)
 EOF
 )
 API_PASSWORD=$(python3 -c "${API_PASSWORD_PYTHON}")
 echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE
 # kibana-odfe/config/entrypoint.sh:
 # https://elasticsearch:9200
 echo "ELASTICSEARCH_URL=https://10.2.3.1:9200" >> $WAZUH_PROD_FILE
 cat >> ${WAZUH_PROD_FILE}<< EOF
 PATTERN="wazuh-alerts-*"
 CHECKS_PATTERN=true
 CHECKS_TEMPLATE=true
 CHECKS_API=true
 CHECKS_SETUP=true
 EXTENSIONS_PCI=true
 EXTENSIONS_GDPR=true
 EXTENSIONS_HIPAA=true
 EXTENSIONS_NIST=true
 EXTENSIONS_TSC=true
 EXTENSIONS_AUDIT=true
 EXTENSIONS_OSCAP=false
 EXTENSIONS_CISCAT=false
 EXTENSIONS_AWS=false
 EXTENSIONS_GCP=false
 EXTENSIONS_VIRUSTOTAL=true
 EXTENSIONS_OSQUERY=true
 EXTENSIONS_DOCKER=true
 APP_TIMEOUT=20000
 API_SELECTOR=true
 IP_SELECTOR=true
 IP_IGNORE="[]"
 WAZUH_MONITORING_ENABLED=true
 WAZUH_MONITORING_FREQUENCY=900
 WAZUH_MONITORING_SHARDS=2
 WAZUH_MONITORING_REPLICAS=0
 ADMIN_PRIVILEGES=true
 EOF
 echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
 chmod 600 $WAZUH_PROD_FILE
--- a/scripts/subinstallers/gen_prod_env.sh
+++ b/scripts/subinstallers/gen_prod_env.sh
@ -4,6 +4,7 @@ figlet "Mistborn: Container Credentials"
 # generate production .env file for Django
 mkdir -p ./.envs/.production
 chmod 700 ./.envs
 DJANGO_PROD_FILE="./.envs/.production/.django"
 DJANGO_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(50)]))")
 #CELERY_FLOWER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
@ -20,8 +21,9 @@ echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE
 echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE
 echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE
 echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE
-echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
+#echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
-echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE
+echo "MISTBORN_PORTAL_REDIRECT_PORT=5001" >> $DJANGO_PROD_FILE
 chmod 600 $DJANGO_PROD_FILE
 # generate production .env file for postgresql
 POSTGRES_PROD_FILE="./.envs/.production/.postgres"
@ -31,6 +33,7 @@ echo "POSTGRES_PORT=5432" >> $POSTGRES_PROD_FILE
 echo "POSTGRES_DB=mistborn" >> $POSTGRES_PROD_FILE
 echo "POSTGRES_USER=prod" >> $POSTGRES_PROD_FILE
 echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> $POSTGRES_PROD_FILE
 chmod 600 $POSTGRES_PROD_FILE
 # generate production .env file for pihole
@ -39,4 +42,4 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole"
 WEBPASSWORD="$1"
 echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE
 echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE
-
+chmod 600 $PIHOLE_PROD_FILE
--- a/scripts/subinstallers/ip6tables.sh
+++ b/scripts/subinstallers/ip6tables.sh
@ -1,31 +0,0 @@
 #!/bin/bash
 set -e
 # resetting ip6tables rules
 sudo ip6tables -F
 sudo ip6tables -t nat -F
 sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true
 sudo ip6tables -X MISTBORN_INT_LOG_DROP 2>/dev/null || true
 # ip6tables: log and drop chain (external threats)
 sudo ip6tables -N MISTBORN_LOG_DROP
 sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
 sudo ip6tables -A MISTBORN_LOG_DROP -j DROP
 # ip6tables: log and drop chain (internal threats)
 sudo ip6tables -N MISTBORN_INT_LOG_DROP
 sudo ip6tables -A MISTBORN_INT_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Internal-Dropped]: " --log-level 4
 sudo ip6tables -A MISTBORN_INT_LOG_DROP -j DROP
 # ip6tables
 echo "Setting ip6tables rules"
 sudo ip6tables -P INPUT ACCEPT
 sudo ip6tables -I INPUT -i lo -j ACCEPT
 sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 sudo ip6tables -A INPUT -j MISTBORN_LOG_DROP
 sudo ip6tables -P INPUT DROP
 sudo ip6tables -P FORWARD DROP
 sudo ip6tables -P OUTPUT ACCEPT
--- a/scripts/subinstallers/iptables.sh
+++ b/scripts/subinstallers/iptables.sh
@ -4,36 +4,37 @@ set -e
 figlet "Mistborn: Configuring Firewall"
 source ./scripts/subinstallers/vars.sh
 echo "stop iptables wrappers"
 if [ "$DISTRO" == "ubuntu" ]; then
-    # Disable UFW
+    echo "Disabling UFW"
    sudo systemctl stop ufw || true
    sudo systemctl disable ufw || true
 fi
 # make sure user land binaries installed
 sudo apt-get install -y iptables
 # default interface
 iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
 # real public interface
 riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
 # resetting iptables
 sudo iptables -F
 sudo iptables -t nat -F
 sudo iptables -X MISTBORN_LOG_DROP 2>/dev/null || true
 sudo iptables -X MISTBORN_INT_LOG_DROP 2>/dev/null || true
 sudo iptables -X MISTBORN_WIREGUARD_INPUT 2>/dev/null || true
 sudo iptables -X MISTBORN_WIREGUARD_FORWARD 2>/dev/null || true
 sudo iptables -X MISTBORN_WIREGUARD_OUTPUT 2>/dev/null || true
 sudo iptables -X MISTBORN_DOCKER_OUTPUT 2>/dev/null || true
 sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true
-# iptables: log and drop chain (external threats)
+# iptables: log and drop chain
 sudo iptables -N MISTBORN_LOG_DROP
-sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
+sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
 sudo iptables -A MISTBORN_LOG_DROP -j DROP
 # iptables: log and drop chain (internal threats)
 sudo iptables -N MISTBORN_INT_LOG_DROP
 sudo iptables -A MISTBORN_INT_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Internal-Dropped]: " --log-level 4
 sudo iptables -A MISTBORN_INT_LOG_DROP -j DROP
 # wireguard rules chains
 sudo iptables -N MISTBORN_WIREGUARD_INPUT
 sudo iptables -N MISTBORN_WIREGUARD_FORWARD
@ -75,3 +76,54 @@ sudo iptables -t nat -I POSTROUTING -o $iface -j MASQUERADE
 #    sudo iptables -t nat -I POSTROUTING -o $riface -j MASQUERADE
 #fi
 # resetting ip6tables rules
 sudo ip6tables -F
 sudo ip6tables -t nat -F
 sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true
 # ip6tables: log and drop chain
 sudo ip6tables -N MISTBORN_LOG_DROP
 sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
 sudo ip6tables -A MISTBORN_LOG_DROP -j DROP
 # ip6tables
 echo "Setting ip6tables rules"
 sudo ip6tables -P INPUT ACCEPT
 sudo ip6tables -I INPUT -i lo -j ACCEPT
 sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 sudo ip6tables -A INPUT -j MISTBORN_LOG_DROP
 sudo ip6tables -P INPUT DROP
 sudo ip6tables -P FORWARD DROP
 sudo ip6tables -P OUTPUT ACCEPT
 # iptables-persistent
 if [ ! "$(dpkg-query -l iptables-persistent)" ]; then
    echo "Installing iptables-persistent"
    # answer variables
    echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
    echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
    # install
    sudo -E apt-get install -y iptables-persistent ipset
 else
    echo "Saving iptables rules"
    sudo bash -c "iptables-save > /etc/iptables/rules.v4"
    echo "Saving ip6tables rules"
    sudo bash -c "ip6tables-save > /etc/iptables/rules.v6"
 fi
 # IP forwarding
 sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
 # VM Overcommit Memory
 sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf
 # Force re-read of sysctl.conf
 sudo sysctl -p /etc/sysctl.conf
 # rsyslog to create /var/log/iptables.log
 sudo cp ./scripts/conf/15-iptables.conf /etc/rsyslog.d/
 sudo chown root:root /etc/rsyslog.d/15-iptables.conf
 sudo systemctl restart rsyslog
--- a/scripts/subinstallers/iptables_cleanup.sh
+++ b/scripts/subinstallers/iptables_cleanup.sh
@ -1,34 +0,0 @@
 #!/bin/bash
 set -e
 # iptables-persistent
 if [ ! "$(dpkg-query -l iptables-persistent)" ]; then
    echo "Installing iptables-persistent"
    # answer variables
    echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
    echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
    # install
    sudo -E apt-get install -y iptables-persistent ipset
 else
    echo "Saving iptables rules"
    sudo bash -c "iptables-save > /etc/iptables/rules.v4"
    echo "Saving ip6tables rules"
    sudo bash -c "ip6tables-save > /etc/iptables/rules.v6"
 fi
 # IP forwarding
 sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
 # VM Overcommit Memory
 sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf
 # Force re-read of sysctl.conf
 sudo sysctl -p /etc/sysctl.conf
 # rsyslog to create /var/log/iptables.log
 sudo cp ./scripts/conf/15-iptables.conf /etc/rsyslog.d/
 sudo chown root:root /etc/rsyslog.d/15-iptables.conf
 sudo systemctl restart rsyslog
--- a/scripts/subinstallers/iptables_docker.sh
+++ b/scripts/subinstallers/iptables_docker.sh
@ -1,20 +0,0 @@
 #!/bin/bash
 set -e
 source ./scripts/subinstallers/vars.sh
 # start from scratch
 sudo iptables -X MISTBORN-DOCKER-USER 2>/dev/null || true
 sudo iptables -N DOCKER-USER || true
 sudo iptables -N MISTBORN-DOCKER-USER || true
 # default Mistborn Docker User chain
 sudo iptables -A MISTBORN-DOCKER-USER -i $iface -s 10.0.0.0/8 -j RETURN
 sudo iptables -A MISTBORN-DOCKER-USER -i $iface -s 172.16.0.0/12 -j RETURN
 sudo iptables -A MISTBORN-DOCKER-USER -i $iface -s 192.168.0.0/16 -j RETURN
 sudo iptables -A MISTBORN-DOCKER-USER -i $iface -j MISTBORN_INT_LOG_DROP
 # add chain to DOCKER-USER
 sudo iptables -I DOCKER-USER -j MISTBORN-DOCKER-USER
--- a/scripts/subinstallers/passwd.sh
+++ b/scripts/subinstallers/passwd.sh
@ -0,0 +1,22 @@
 #!/bin/bash
 # INPUT default admin password
 while [ -z "${MISTBORN_DEFAULT_PASSWORD}" ]; do
    echo
    echo "(Mistborn) The default admin password may only container alphanumeric characters and _"
    read -p "(Mistborn) Set default admin password: " -s MISTBORN_DEFAULT_PASSWORD
    echo
    if [[ ${MISTBORN_DEFAULT_PASSWORD} =~ ^[A-Za-z0-9_]+$ ]]; then
    # it matches
        echo "(Mistborn) Password is accepted"
    else
        unset MISTBORN_DEFAULT_PASSWORD
        echo "(Mistborn) Try again"
    fi
 done
 echo
 echo "MISTBORN_DEFAULT_PASSWORD is set"
 echo
--- a/scripts/subinstallers/platform.sh
+++ b/scripts/subinstallers/platform.sh
@ -5,16 +5,49 @@
 UNAME=$(uname | tr "[:upper:]" "[:lower:]")
 DISTRO=""
 VERSION_ID=""
 VERSION_CODENAME=""
 # If Linux, try to determine specific distribution
 if [ "$UNAME" == "linux" ]; then
    # use /etc/os-release to get distro 
    DISTRO=$(cat /etc/os-release | awk -F= '/^ID=/{print $2}')
    VERSION_ID=$(cat /etc/os-release | awk -F= '/^VERSION_ID=/{print $2}' | tr -d '"')
    VERSION_CODENAME=$(cat /etc/os-release | awk -F= '/^VERSION_CODENAME=/{print $2}' | tr -d '"')
 fi
 figlet "UNAME: $UNAME"
 figlet "DISTRO: $DISTRO"
 figlet "VERSION: $VERSION_ID"
-figlet "CODENAME: $VERSION_CODENAME"
+
 vercomp () {
    # case $? in
    #     0) op='=';;
    #     1) op='>';;
    #     2) op='<';;
    if [[ $1 == $2 ]]
    then
        return 0
    fi
    local IFS=.
    local i ver1=($1) ver2=($2)
    # fill empty fields in ver1 with zeros
    for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))
    do
        ver1[i]=0
    done
    for ((i=0; i<${#ver1[@]}; i++))
    do
        if [[ -z ${ver2[i]} ]]
        then
            # fill empty fields in ver2 with zeros
            ver2[i]=0
        fi
        if ((10#${ver1[i]} > 10#${ver2[i]}))
        then
            return 1
        fi
        if ((10#${ver1[i]} < 10#${ver2[i]}))
        then
            return 2
        fi
    done
    return 0
 }
--- a/scripts/subinstallers/suricata.sh
+++ b/scripts/subinstallers/suricata.sh
@ -1,46 +0,0 @@
 #!/bin/bash
 set -e
 # minimal dependencies
 sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
                libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
                make libmagic-dev libjansson-dev
 ## recommended dependencies
 #sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
 #                libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
 #                libcap-ng-dev libcap-ng0 make libmagic-dev         \
 #                libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
 #                python-yaml rustc cargo
 # iptables/nftables integration
 sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1  \
                libnetfilter-log-dev libnetfilter-log1      \
                libnfnetlink-dev libnfnetlink0
 if [ "$DISTRO" == "ubuntu" ]; then
    echo "Installing Suricata Ubuntu PPA"
    sudo -E add-apt-repository -y ppa:oisf/suricata-stable
    sudo -E apt-get update
    sudo -E apt-get install -y suricata
 elif [ "$DISTRO" == "debian" ]; then
    echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
        sudo -E tee -a /etc/apt/sources.list.d/backports.list
    sudo -E apt-get update
    sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
 else
    echo "Basic Suricata installation"
    sudo -E apt-get install -y suricata
 fi
 # iptables
 sudo iptables -A INPUT -j NFQUEUE
 sudo iptables -I FORWARD -j NFQUEUE
 sudo iptables -I OUTPUT -j NFQUEUE
 # rsyslog to create /var/log/suricata.log
 sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
 sudo chown root:root /etc/rsyslog.d/20-suricata.conf
 sudo systemctl restart rsyslog
--- a/scripts/subinstallers/vars.sh
+++ b/scripts/subinstallers/vars.sh
@ -1,7 +0,0 @@
 #!/bin/bash
 # default interface
 iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
 # real public interface
 riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
--- a/scripts/subinstallers/wireguard.sh
+++ b/scripts/subinstallers/wireguard.sh
@ -1,16 +1,16 @@
 #!/bin/bash
-figlet "Mistborn: Installing Wireguard"
+figlet "Mistborn: Installing WireGuard"
 # if wireguard not in current repositories
 if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
    # install PPAs
-    echo "Adding Wireguard PPAs"
+    echo "Adding WireGuard PPAs"
    # Wireguard
    if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
-        echo "Adding Wireguard repo keys"
+        echo "Adding WireGuard repo keys"
        sudo -E apt-get install -y dirmngr
        sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8B48AD6246925553
        sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7638D0442B90D010
@ -28,6 +28,6 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
    fi
 fi
-echo "Installing Wireguard"
+echo "Installing WireGuard"
 sudo apt-get update
 sudo -E apt-get install -y openresolv wireguard
--- a/scripts/update.sh
+++ b/scripts/update.sh
@ -18,6 +18,13 @@ sudo mistborn-cli pullbuild
 sudo docker container prune -f
 sudo docker image prune -f
 # RESTART
 sudo systemctl stop Mistborn-base
 # docker daemon
 #source ./scripts/subinstallers/docker_daemon.sh
 sudo systemctl restart Mistborn-setup
 sudo systemctl restart Mistborn-base
--- a/scripts/wrappers/mistborn_docker.sh
+++ b/scripts/wrappers/mistborn_docker.sh
@ -0,0 +1,57 @@
 #!/bin/bash
 set -e
 MISTBORN_HOME="/opt/mistborn"
 SERVICES="$1"
 shift
 IFS=','
 read -ra SERVICES_ARRAY <<< "${SERVICES}"
 for SERVICE in "${SERVICES_ARRAY[@]}"; do
    MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE}
    MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh
    # check and create file if needed
    ${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE}
    # read in variables
    set -a
    source ${MISTBORN_HOME}/.env
    if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then
        echo "Loading service variables"
        source ${MISTBORN_SERVICE_FILE}
    else
        echo "No service variables to load. Proceeding."
    fi
    set +a
    # init script
    if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then
        echo "Running init script"
        ${MISTBORN_SERVICE_INIT}
    else
        echo "No init script. Proceeding."
    fi
 done
 # check that netcat exists
 if ! [ -x "$(command -v nc)" ]; then
    echo "Installing netcat"
    sudo apt-get install -y netcat
 fi
 # ensure base is up and listening
 echo "Checking that Mistborn-base has finished starting up..."
 while ! nc -z 10.2.3.1 5000; do
    WAIT_TIME=$((5 + $RANDOM % 15))
    echo "Waiting ${WAIT_TIME} seconds for Mistborn-base..."
    sleep ${WAIT_TIME}
 done
 echo "Mistborn-base is running"
 exec "$@"
Author	SHA1	Message	Date
Steven Foerster	d4c43c527d	Merge branch '215-sast' into 'master' Resolve "Static Code Analysis" Closes #215 See merge request cyber5k/mistborn!96	4 years ago
Steven Foerster	4418eef8d9	Resolve "Static Code Analysis"	4 years ago
Steven Foerster	0cdce73c04	Merge branch '214-oracle' into 'master' Resolve "Wireguard NO listen port and "Task dawnshard.tasks.wg_info_task" ERROR" Closes #187, #213, and #214 See merge request cyber5k/mistborn!95	4 years ago
Steven Foerster	c137fdc101	Resolve "Wireguard NO listen port and "Task dawnshard.tasks.wg_info_task" ERROR"	4 years ago
Steven Foerster	cd4fdd8e44	Merge branch '208-postgres' into 'master' postgres version Closes #208 See merge request cyber5k/mistborn!94	4 years ago
Steven Foerster	cb0ff4216a	postgres version	4 years ago
Steven Foerster	6bcd5f359b	Merge branch 'devel' into 'master' Updating and setting versions See merge request cyber5k/mistborn!93	4 years ago
Steven Foerster	e090140120	Updating and setting versions	4 years ago
Steven Foerster	bf27b55bb2	Merge branch 'support' into 'master' Support See merge request cyber5k/mistborn!92	4 years ago
Steven Foerster	f2f90a426c	Support	4 years ago
Steven Foerster	731e36b879	Merge branch '204-portal' into 'master' Resolve "MFA Captive Portal" Closes #204 See merge request cyber5k/mistborn!91	4 years ago
Steven Foerster	fc9b287f6b	Resolve "MFA Captive Portal"	4 years ago
Steven Foerster	49b7387eb4	Merge branch '193-homeassistant' into 'master' Resolve "extra services" Closes #193 See merge request cyber5k/mistborn!90	5 years ago
Steven Foerster	8be216c0e6	Resolve "extra services"	5 years ago
Steven Foerster	d98c80a688	Merge branch '194-ubuntu' into 'master' Resolve "Testing on later versions of Ubuntu" Closes #194 See merge request cyber5k/mistborn!89	5 years ago
Steven Foerster	85f2a3a38b	Resolve "Testing on later versions of Ubuntu"	5 years ago
Steven Foerster	09dc4d09f8	Merge branch '188-elasticsearch' into 'master' elasticsearch credentials Closes #188 See merge request cyber5k/mistborn!87	5 years ago
Steven Foerster	098755041b	elasticsearch credentials	5 years ago
Steven Foerster	980432dc43	Merge branch '181-pihole' into 'master' Resolve "Update README" Closes #181 See merge request cyber5k/mistborn!84	5 years ago
Steven Foerster	71b538bdb7	Resolve "Update README"	5 years ago
Steven Foerster	c6b5295aca	Merge branch '161-libseccomp2-raspbian' into 'master' Resolve "PostgresSQL not avaiable" Closes #161 See merge request cyber5k/mistborn!83	5 years ago
Steven Foerster	e655a71db3	Resolve "PostgresSQL not avaiable"	5 years ago
Steven Foerster	d289abaa4b	Merge branch '135-wazuh-ids' into 'master' Resolve "Adding Suricata" Closes #135 See merge request cyber5k/mistborn!82	5 years ago
Steven Foerster	b83227e39d	Resolve "Adding Suricata"	5 years ago
Steven Foerster	5f825ff831	Merge branch '170-restart' into 'master' handle ungraceful restarts Closes #170 See merge request cyber5k/mistborn!81	5 years ago
Steven Foerster	75da49eeab	handle ungraceful restarts	5 years ago
Steven Foerster	97d25bbce4	Merge branch '173-security' into 'master' Resolve "Wazuh is not Starting" Closes #173 See merge request cyber5k/mistborn!80	5 years ago
Steven Foerster	5b9e07fb24	Resolve "Wazuh is not Starting"	5 years ago
Steven Foerster	1ca2a80da3	Merge branch '172-binds' into 'master' Resolve "Dependent Service Restart Handling" Closes #172 See merge request cyber5k/mistborn!79	5 years ago
Steven Foerster	b9b0eebf1e	Resolve "Dependent Service Restart Handling"	5 years ago
Steven Foerster	6fe1abc57f	Merge branch '169-soc' into 'master' Resolve "Security Center Bugfixes" Closes #169 See merge request cyber5k/mistborn!78	5 years ago
Steven Foerster	10568bc684	Resolve "Security Center Bugfixes"	5 years ago
Steven Foerster	7bce97479f	Merge branch '168-parsing' into 'master' Wazuh API Password Closes #168 See merge request cyber5k/mistborn!77	5 years ago
Steven Foerster	8de1dafcad	ampersand	5 years ago
Steven Foerster	ae1461abba	Merge branch '165-wazuh' into 'master' Resolve "Wazuh" Closes #165 See merge request cyber5k/mistborn!75	5 years ago
Steven Foerster	42bd766346	Resolve "Wazuh"	5 years ago
Steven Foerster	ed37b142ba	Merge branch '166-pihole' into 'master' pihole v5.7 Closes #166 See merge request cyber5k/mistborn!74	5 years ago
Steven Foerster	3675e3d0d2	pihole v5.7	5 years ago
Steven Foerster	e935b95285	Merge branch '28-raspap' into 'master' Resolve "Integrate RaspAP as extra service" Closes #28 See merge request cyber5k/mistborn!73	5 years ago
Steven Foerster	9e7f85b6f9	Resolve "Integrate RaspAP as extra service"	5 years ago
Steven Foerster	72ba1769aa	Merge branch '156-docker' into 'master' Resolve "Started Extra Services restart on OS reboot" Closes #156 See merge request cyber5k/mistborn!72	5 years ago
Steven Foerster	d65e5434a0	Resolve "Started Extra Services restart on OS reboot"	5 years ago
Steven Foerster	445cf2678e	Merge branch '150-passwd' into 'master' Resolve "Mistborn default password parsing" Closes #150 See merge request cyber5k/mistborn!70	5 years ago
Steven Foerster	ce5dfb10fa	Resolve "Mistborn default password parsing"	5 years ago
Steven Foerster	d0a70d60a6	Merge branch '144-parsing' into 'master' parsing Closes #144 See merge request cyber5k/mistborn!69	5 years ago
Steven Foerster	84961c793f	parsing	5 years ago
Steven Foerster	9cb037d27f	Merge branch '142-updates' into 'master' Resolve "Updates - handle added extra services" Closes #142 See merge request cyber5k/mistborn!68	5 years ago
Steven Foerster	49bad9c7ba	Resolve "Updates - handle added extra services"	5 years ago
Steven Foerster	65ecd7ae7b	Merge branch '140-updates' into 'master' updates Closes #140 See merge request cyber5k/mistborn!67	5 years ago
Steven Foerster	b44a543172	updates	5 years ago
Steven Foerster	1669161d5d	Merge branch '139-guac' into 'master' Resolve "Guacamole details and prefix" Closes #139 See merge request cyber5k/mistborn!65	5 years ago
Steven Foerster	c2f42d6794	Resolve "Guacamole details and prefix"	5 years ago
Steven Foerster	53b5381150	Merge branch '137-guac' into 'master' Resolve "Add Apache Guacamole service" Closes #137 See merge request cyber5k/mistborn!64	5 years ago
Steven Foerster	442b43f472	Resolve "Add Apache Guacamole service"	5 years ago
		`@ -1,2 +0,0 @@`
			`$template SuricataTemplate, "<%PRI%>%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"`
			`user.alert /var/log/suricata.log;SuricataTemplate`