

37 Commits

Steven Foerster cb2be0a7b0 suricata rsyslog 5 years ago
Steven Foerster f1f06910b1 put off docker rules 5 years ago
Steven Foerster 259befc961 MISTBORN-DOCKER-USER chain 5 years ago
Steven Foerster f8d09291e1 set -e 5 years ago
Steven Foerster b1ffc5bc1d source 5 years ago
Steven Foerster 8287d7bc15 libjansson 5 years ago
Steven Foerster f35dc04942 suricata first 5 years ago
Steven Foerster f99184b199 basic iptables suricata rules 5 years ago
Steven Foerster 379567aca0 install -y 5 years ago
Steven Foerster 66dfe7cb1b MISTBORN_INT_LOG_DROP 5 years ago
Steven Foerster d069d53a27 executable 5 years ago
Steven Foerster ac14b5f242 suricata iptables rules 5 years ago
Steven Foerster 7badb6ea19 splitting iptables scripts 5 years ago
Steven Foerster 1036ca8808 Merge branch 'v1' into 135-suricata 5 years ago
Steven Foerster cd36347210 Merge branch 'master' into v1 5 years ago
Steven Foerster b02aa61b2d suricata script 5 years ago
Steven Foerster 7a5c9c71c2 Merge branch 'v1' of gitlab.com:cyber5k/mistborn into v1 5 years ago
Steven Foerster 01143fa791 mistborn iptables comment 5 years ago
Steven Foerster b2d29d79c8 Merge branch 'master' into v1 5 years ago
Steven Foerster 3fb6c396d2 merge master 5 years ago
Steven Foerster ca1701156c Merge branch 'master' into v1 5 years ago
Steven Foerster 55171b255c paths in setup 5 years ago
Steven Foerster 959e9fef1d upstream dns 5 years ago
Steven Foerster 4d61374ebf merge master 5 years ago
Steven Foerster 4ad96494f7 systemd 5 years ago
Steven Foerster ccf9b61fd2 tweaks 5 years ago
Steven Foerster 18902b4be9 strip out flower 5 years ago
Steven Foerster 202f2658c4 mistborn user 5 years ago
Steven Foerster 021051a45f Merge branch 'v1' of gitlab.com:cyber5k/mistborn into v1 5 years ago
Steven Foerster 0f6e9463e4 global environment variables 5 years ago
Steven Foerster 059c55c64b sudo 5 years ago
Steven Foerster b9dfb30084 mistborn install preserve env 5 years ago
Steven Foerster fd1f3cc5cb syntax 5 years ago
Steven Foerster 074a264bed redis provider 5 years ago
Steven Foerster 682c620ee2 shell 5 years ago
Steven Foerster a70feca44c bash gitlab-ci 5 years ago
Steven Foerster a6a641679d removing extras to other repos 5 years ago
  1. 24
      base.yml
  2. 26
      compose/production/traefik/dynamic.toml
  3. 28
      extra/bitwarden.yml
  4. 26
      extra/homeassistant.yml
  5. 30
      extra/jellyfin.yml
  6. 255
      extra/jitsi-meet.yml
  7. 29
      extra/nextcloud.yml
  8. 27
      extra/onlyoffice.yml
  9. 30
      extra/raspap.yml
  10. 72
      extra/rocketchat.yml
  11. 35
      extra/syncthing.yml
  12. 16
      extra/tor.yml
  13. 2
      scripts/conf/15-iptables.conf
  14. 2
      scripts/conf/20-suricata.conf
  15. 3
      scripts/conf/cockpit.conf
  16. 366
      scripts/conf/jitsi.env
  17. 33
      scripts/env/setup.sh
  18. 28
      scripts/install.sh
  19. 31
      scripts/services/Mistborn-base.service
  20. 24
      scripts/services/Mistborn-bitwarden.service
  21. 22
      scripts/services/Mistborn-homeassistant.service
  22. 22
      scripts/services/Mistborn-jellyfin.service
  23. 28
      scripts/services/Mistborn-jitsi.service
  24. 22
      scripts/services/Mistborn-nextcloud.service
  25. 22
      scripts/services/Mistborn-onlyoffice.service
  26. 25
      scripts/services/Mistborn-rocketchat.service
  27. 26
      scripts/services/Mistborn-syncthing.service
  28. 24
      scripts/services/Mistborn-tor.service
  29. 21
      scripts/services/raspap/Mistborn-raspap.service
  30. 4
      scripts/services/raspap/install.sh
  31. 31
      scripts/subinstallers/cockpit.sh
  32. 38
      scripts/subinstallers/gen_prod_env.sh
  33. 31
      scripts/subinstallers/ip6tables.sh
  34. 69
      scripts/subinstallers/iptables.sh
  35. 34
      scripts/subinstallers/iptables_cleanup.sh
  36. 20
      scripts/subinstallers/iptables_docker.sh
  37. 3
      scripts/subinstallers/platform.sh
  38. 46
      scripts/subinstallers/suricata.sh
  39. 7
      scripts/subinstallers/vars.sh

24
base.yml

@ -55,6 +55,7 @@ services:
container_name: mistborn_production_traefik container_name: mistborn_production_traefik
depends_on: depends_on:
- django - django
- redis
volumes: volumes:
#- production_traefik:/etc/traefik/acme #- production_traefik:/etc/traefik/acme
- ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro - ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro
@ -144,17 +145,16 @@ services:
command: /start-celerybeat command: /start-celerybeat
restart: unless-stopped restart: unless-stopped
# flower:
#flower: # image: "cyber5k/mistborn:${MISTBORN_TAG}"
# image: "cyber5k/mistborn:${MISTBORN_TAG}" # container_name: mistborn_production_flower
# container_name: mistborn_production_flower # env_file:
# env_file: # - ./.envs/.production/.django
# - ./.envs/.production/.django # - ./.envs/.production/.postgres
# - ./.envs/.production/.postgres # ports:
# ports: # - "5555:5555/tcp"
# - "5555:5555/tcp" # command: /start-flower
# command: /start-flower # restart: unless-stopped
# restart: unless-stopped
pihole: pihole:
container_name: mistborn_production_pihole container_name: mistborn_production_pihole
@ -204,7 +204,7 @@ services:
- DNSCRYPT_LISTEN_PORT=5054 - DNSCRYPT_LISTEN_PORT=5054
# resolvers: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md # resolvers: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md
#- DNSCRYPT_SERVER_NAMES=['scaleway-fr','google','yandex','cloudflare'] #- DNSCRYPT_SERVER_NAMES=['scaleway-fr','google','yandex','cloudflare']
- DNSCRYPT_SERVER_NAMES=['cloudflare','dnswarden-doh1','dnswarden-doh2','dnswarden-doh3','adguard-dns-doh'] - DNSCRYPT_SERVER_NAMES=['cloudflare']
networks: networks:
pihole_net: pihole_net:
ipv4_address: 10.2.0.2 ipv4_address: 10.2.0.2
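Review bot: The pihole `DNSCRYPT_SERVER_NAMES` list on line 155 is narrowed to a single resolver on what looks like the new side (`['cloudflare']`), so if that one DoH endpoint is unreachable dnscrypt-proxy has no fallback upstream; unless a single-resolver setup is deliberate, keeping a second entry, or recording the reason in the adjacent `# resolvers:` comment, would preserve name resolution. The added `- redis` under the traefik service's `depends_on` only orders container start, not readiness, so whether Traefik tolerates the store being briefly unavailable when it first loads dynamic configuration should be confirmed. Which half of each doubled line is the new one is inferred from print order here, not from a surviving marker.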

26
compose/production/traefik/dynamic.toml

@ -8,17 +8,21 @@
[tls.options.default] [tls.options.default]
minVersion = "VersionTLS12" minVersion = "VersionTLS12"
[http.services] [providers.redis]
[http.services.cockpit.loadBalancer] endpoints = ["127.0.0.1:6379"]
[[http.services.cockpit.loadBalancer.servers]] rootKey = "traefik"
url = "http://10.2.3.1:9090"
[http.routers] #[http.services]
[http.routers.cockpit] # [http.services.cockpit.loadBalancer]
rule = "Host(`cockpit.mistborn`)" # [[http.services.cockpit.loadBalancer.servers]]
service = "cockpit" # url = "http://10.2.3.1:9090"
entrypoints = ["web", "websecure"] #
middlewares = ["mistborn_auth"] #[http.routers]
# [http.routers.cockpit]
# rule = "Host(`cockpit.mistborn`)"
# service = "cockpit"
# entrypoints = ["web", "websecure"]
# middlewares = ["mistborn_auth"]
[http.middlewares] [http.middlewares]
[http.middlewares.mistborn_auth.forwardAuth] [http.middlewares.mistborn_auth.forwardAuth]
@ -28,4 +32,4 @@
insecureSkipVerify = true insecureSkipVerify = true
[http.middlewares.mistborn_headers.headers] [http.middlewares.mistborn_headers.headers]
hostsProxyHeaders = ['X-CSRFToken'] hostsProxyHeaders = ['X-CSRFToken']
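Review bot: The new `[providers.redis]` block turns the key space under `rootKey = "traefik"` into a source of routers and middlewares, but it carries no credentials (no `password`) and points at a plain `127.0.0.1:6379` endpoint; any process that can write to that Redis instance can register a router or detach the `mistborn_auth` forwardAuth middleware from one, so the instance should be reachable only by Traefik and whatever publishes the configuration, and the provider's authentication setting should be populated if the store is shared. Inside a container `127.0.0.1` is the container's own loopback; base.yml in this comparison adds `redis` to the traefik service's `depends_on`, which suggests the store is the compose `redis` service, in which case `endpoints = ["redis:6379"]` is the reachable address unless traefik runs with host networking (not visible here). Commenting out the cockpit service and router is consistent with the removal of scripts/conf/cockpit.conf in this comparison.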

28
extra/bitwarden.yml

@ -1,28 +0,0 @@
version: '3'
services:
bitwarden:
image: bitwardenrs/server:latest
container_name: mistborn_production_bitwarden
env_file:
- ../.envs/.production/.bitwarden
volumes:
- ../../mistborn_volumes/extra/bitwarden:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.bitwarden-http.rule=Host(`bitwarden.mistborn`)"
- "traefik.http.routers.bitwarden-http.entrypoints=web"
- "traefik.http.routers.bitwarden-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.bitwarden-https.rule=Host(`bitwarden.mistborn`)"
- "traefik.http.routers.bitwarden-https.entrypoints=websecure"
- "traefik.http.routers.bitwarden-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.bitwarden-https.tls.certresolver=basic"
- "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
ports:
- 3012:3012/tcp
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

26
extra/homeassistant.yml

@ -1,26 +0,0 @@
version: '3'
services:
homeassistant:
container_name: mistborn_production_home_assistant
image: homeassistant/home-assistant:stable
volumes:
- ../../mistborn_volumes/extra/homeassistant/config:/config
environment:
- TZ=America/New_York
labels:
- "traefik.enable=true"
- "traefik.http.routers.homeassistant-http.rule=Host(`homeassistant.mistborn`)"
- "traefik.http.routers.homeassistant-http.entrypoints=web"
- "traefik.http.routers.homeassistant-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.homeassistant-https.rule=Host(`homeassistant.mistborn`)"
- "traefik.http.routers.homeassistant-https.entrypoints=websecure"
- "traefik.http.routers.homeassistant-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.homeassistant-https.tls.certresolver=basic"
- "traefik.http.services.homeassistant-service.loadbalancer.server.port=8123"
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

30
extra/jellyfin.yml

@ -1,30 +0,0 @@
version: '3'
volumes:
production_jellyfin_config: {}
production_jellyfin_cache: {}
services:
jellyfin:
image: jellyfin/jellyfin:latest
container_name: mistborn_production_jellyfin
volumes:
- production_jellyfin_config:/config
- production_jellyfin_cache:/cache
- ../../mistborn_volumes/extra/nextcloud:/media:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.jellyfin-http.rule=Host(`jellyfin.mistborn`)"
- "traefik.http.routers.jellyfin-http.entrypoints=web"
- "traefik.http.routers.jellyfin-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.jellyfin-https.rule=Host(`jellyfin.mistborn`)"
- "traefik.http.routers.jellyfin-https.entrypoints=websecure"
- "traefik.http.routers.jellyfin-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.jellyfin-https.tls.certresolver=basic"
- "traefik.http.services.jellyfin-service.loadbalancer.server.port=8096"
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

255
extra/jitsi-meet.yml

@ -1,255 +0,0 @@
version: '3'
services:
# Frontend
jitsi-web:
image: jitsi/web:stable-5142-3
restart: unless-stopped
#ports:
#- '${HTTP_PORT}:80'
#- '${HTTPS_PORT}:443'
labels:
- "traefik.enable=true"
- "traefik.http.routers.jitsi-http.rule=Host(`jitsi.mistborn`)"
- "traefik.http.routers.jitsi-http.entrypoints=web"
- "traefik.http.routers.jitsi-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.jitsi-https.rule=Host(`jitsi.mistborn`)"
- "traefik.http.routers.jitsi-https.entrypoints=websecure"
- "traefik.http.routers.jitsi-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.jitsi-https.tls.certresolver=basic"
- "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}"
volumes:
- ${CONFIG}/web:/config:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- ENABLE_LETSENCRYPT
- ENABLE_HTTP_REDIRECT
- ENABLE_XMPP_WEBSOCKET
- DISABLE_HTTPS
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- PUBLIC_URL
- TZ
- AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS
- BRIDGE_CHANNEL
- BRANDING_DATA_URL
- CALLSTATS_CUSTOM_SCRIPT_URL
- CALLSTATS_ID
- CALLSTATS_SECRET
- CHROME_EXTENSION_BANNER_JSON
- CONFCODE_URL
- CONFIG_EXTERNAL_CONNECT
- DEPLOYMENTINFO_ENVIRONMENT
- DEPLOYMENTINFO_ENVIRONMENT_TYPE
- DEPLOYMENTINFO_USERREGION
- DIALIN_NUMBERS_URL
- DIALOUT_AUTH_URL
- DIALOUT_CODES_URL
- DROPBOX_APPKEY
- DROPBOX_REDIRECT_URI
- ENABLE_AUDIO_PROCESSING
- ENABLE_AUTH
- ENABLE_CALENDAR
- ENABLE_FILE_RECORDING_SERVICE
- ENABLE_FILE_RECORDING_SERVICE_SHARING
- ENABLE_GUESTS
- ENABLE_IPV6
- ENABLE_LIPSYNC
- ENABLE_NO_AUDIO_DETECTION
- ENABLE_P2P
- ENABLE_PREJOIN_PAGE
- ENABLE_RECORDING
- ENABLE_REMB
- ENABLE_REQUIRE_DISPLAY_NAME
- ENABLE_SIMULCAST
- ENABLE_STATS_ID
- ENABLE_STEREO
- ENABLE_SUBDOMAINS
- ENABLE_TALK_WHILE_MUTED
- ENABLE_TCC
- ENABLE_TRANSCRIPTIONS
- ETHERPAD_PUBLIC_URL
- ETHERPAD_URL_BASE
- GOOGLE_ANALYTICS_ID
- GOOGLE_API_APP_CLIENT_ID
- INVITE_SERVICE_URL
- JICOFO_AUTH_USER
- MATOMO_ENDPOINT
- MATOMO_SITE_ID
- MICROSOFT_API_APP_CLIENT_ID
- NGINX_RESOLVER
- NGINX_WORKER_PROCESSES
- NGINX_WORKER_CONNECTIONS
- PEOPLE_SEARCH_URL
- RESOLUTION
- RESOLUTION_MIN
- RESOLUTION_WIDTH
- RESOLUTION_WIDTH_MIN
- START_AUDIO_ONLY
- START_AUDIO_MUTED
- START_BITRATE
- START_VIDEO_MUTED
- TESTING_CAP_SCREENSHARE_BITRATE
- TESTING_OCTO_PROBABILITY
- XMPP_AUTH_DOMAIN
- XMPP_BOSH_URL_BASE
- XMPP_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- TOKEN_AUTH_URL
networks:
default:
meet.jitsi:
aliases:
- ${XMPP_DOMAIN}
# XMPP server
jitsi-prosody:
image: jitsi/prosody:stable-5142-3
restart: unless-stopped
expose:
- '5222'
- '5347'
- '5280'
volumes:
- ${CONFIG}/prosody/config:/config:Z
- ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- AUTH_TYPE
- ENABLE_AUTH
- ENABLE_GUESTS
- ENABLE_LOBBY
- ENABLE_XMPP_WEBSOCKET
- GLOBAL_MODULES
- GLOBAL_CONFIG
- LDAP_URL
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_AUTH_METHOD
- LDAP_VERSION
- LDAP_USE_TLS
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
- LDAP_TLS_CACERT_FILE
- LDAP_TLS_CACERT_DIR
- LDAP_START_TLS
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MODULES
- XMPP_MUC_MODULES
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- XMPP_CROSS_DOMAIN
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JIBRI_RECORDER_USER
- JIBRI_RECORDER_PASSWORD
- JWT_APP_ID
- JWT_APP_SECRET
- JWT_ACCEPTED_ISSUERS
- JWT_ACCEPTED_AUDIENCES
- JWT_ASAP_KEYSERVER
- JWT_ALLOW_EMPTY
- JWT_AUTH_TYPE
- JWT_TOKEN_AUTH_MODULE
- LOG_LEVEL
- PUBLIC_URL
- TZ
networks:
meet.jitsi:
aliases:
- ${XMPP_SERVER}
# Focus component
jitsi-jicofo:
image: jitsi/jicofo:stable-5142-3
restart: unless-stopped
volumes:
- ${CONFIG}/jicofo:/config:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- AUTH_TYPE
- ENABLE_AUTH
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_SERVER
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JICOFO_RESERVATION_REST_BASE_URL
- JVB_BREWERY_MUC
- JIGASI_BREWERY_MUC
- JIGASI_SIP_URI
- JIBRI_BREWERY_MUC
- JIBRI_PENDING_TIMEOUT
- TZ
depends_on:
- jitsi-prosody
networks:
meet.jitsi:
# Video bridge
jitsi-jvb:
image: jitsi/jvb:stable-5142-3
restart: unless-stopped
ports:
- '${JVB_PORT}:${JVB_PORT}/udp'
- '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
volumes:
- ${CONFIG}/jvb:/config:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- DOCKER_HOST_ADDRESS
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JVB_BREWERY_MUC
- JVB_PORT
- JVB_TCP_HARVESTER_DISABLED
- JVB_TCP_PORT
- JVB_TCP_MAPPED_PORT
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
- JVB_WS_DOMAIN
- JVB_WS_SERVER_ID
- PUBLIC_URL
- TZ
depends_on:
- jitsi-prosody
networks:
meet.jitsi:
aliases:
- jvb.meet.jitsi
# Custom network so all services can communicate using a FQDN
networks:
default:
external:
name: mistborn_default
meet.jitsi:

29
extra/nextcloud.yml

@ -1,29 +0,0 @@
version: '3'
services:
nextcloud:
image: nextcloud
container_name: mistborn_production_nextcloud
env_file:
- ../.envs/.production/.postgres
- ../.envs/.production/.nextcloud
labels:
- "traefik.enable=true"
- "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.mistborn`)"
- "traefik.http.routers.nextcloud-http.entrypoints=web"
- "traefik.http.routers.nextcloud-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.mistborn`)"
- "traefik.http.routers.nextcloud-https.entrypoints=websecure"
- "traefik.http.routers.nextcloud-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.nextcloud-https.tls.certresolver=basic"
- "traefik.http.services.nextcloud-service.loadbalancer.server.port=80"
volumes:
- ../../mistborn_volumes/extra/nextcloud:/var/www/html
environment:
- VIRTUAL_HOST=nextcloud.mistborn
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

27
extra/onlyoffice.yml

@ -1,27 +0,0 @@
version: '3'
services:
onlyoffice:
container_name: mistborn_production_onlyoffice
image: onlyoffice/documentserver:latest
volumes:
- ../../mistborn_volumes/extra/onlyoffice/logs:/var/log/onlyoffice
- ../../mistborn_volumes/extra/onlyoffice/cache:/var/lib/onlyoffice
env_file:
- ../.envs/.production/.onlyoffice
labels:
- "traefik.enable=true"
- "traefik.http.routers.onlyoffice-http.rule=Host(`onlyoffice.mistborn`)"
- "traefik.http.routers.onlyoffice-http.entrypoints=web"
- "traefik.http.routers.onlyoffice-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.onlyoffice-https.rule=Host(`onlyoffice.mistborn`)"
- "traefik.http.routers.onlyoffice-https.entrypoints=websecure"
- "traefik.http.routers.onlyoffice-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.onlyoffice-https.tls.certresolver=basic"
- "traefik.http.services.onlyoffice-service.loadbalancer.server.port=80"
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

30
extra/raspap.yml

@ -1,30 +0,0 @@
version: '3'
services:
raspap:
build:
context: ..
dockerfile: ./compose/production/raspap/Dockerfile
#user: root
image: mistborn_production_raspap
container_name: mistborn_production_raspap
labels:
- "traefik.enable=true"
- "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)"
- "traefik.http.routers.raspap-http.entrypoints=web"
- "traefik.http.routers.raspap-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.raspap-https.rule=Host(`raspap.mistborn`)"
- "traefik.http.routers.raspap-https.entrypoints=websecure"
- "traefik.http.routers.raspap-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.raspap-https.tls.certresolver=basic"
- "traefik.http.services.raspap-service.loadbalancer.server.port=80"
env_file:
- ../.envs/.production/.pihole
command: /start
volumes:
- ../../mistborn_volumes/extra/raspap/etc-raspap:/etc/raspap
networks:
default:
external:
name: mistborn_default

72
extra/rocketchat.yml

@ -1,72 +0,0 @@
version: '3'
services:
# rocketchat
rocketchat:
image: rocket.chat:latest
container_name: mistborn_production_rocketchat
command: bash -c 'for i in `seq 1 30`; do node main.js && s=$$? && break || s=$$?; echo "Tried $$i times. Waiting 5 secs..."; sleep 5; done; (exit $$s)'
restart: unless-stopped
volumes:
- ../../mistborn_volumes/extra/rocketchat/uploads:/app/uploads
environment:
- PORT=3000
- ROOT_URL=http://chat.mistborn
- MONGO_URL=mongodb://mongo:27017/rocketchat
- MONGO_OPLOG_URL=mongodb://mongo:27017/local
- Accounts_UseDNSDomainCheck=False
labels:
- "traefik.enable=true"
- "traefik.http.routers.chat-http.rule=Host(`chat.mistborn`)"
- "traefik.http.routers.chat-http.entrypoints=web"
- "traefik.http.routers.chat-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.chat-https.rule=Host(`chat.mistborn`)"
- "traefik.http.routers.chat-https.entrypoints=websecure"
- "traefik.http.routers.chat-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.chat-https.tls.certresolver=basic"
- "traefik.http.services.chat-service.loadbalancer.server.port=3000"
depends_on:
- mongo
#ports:
# - 3000:3000
mongo:
image: mongo:4.0
container_name: mistborn_production_rocketchat_mongo
restart: unless-stopped
volumes:
- ../../mistborn_volumes/extra/rocketchat/data/db:/data/db
- ../../mistborn_volumes/extra/rocketchat/data/dump:/dump
command: mongod --smallfiles --oplogSize 128 --replSet rs0 --storageEngine=mmapv1
# this container's job is just run the command to initialize the replica set.
# it will run the command and remove himself (it will not stay running)
mongo-init-replica:
image: mongo
command: 'bash -c "for i in `seq 1 30`; do mongo mongo/rocketchat --eval \"rs.initiate({ _id: ''rs0'', members: [ { _id: 0, host: ''localhost:27017'' } ]})\" && s=$$? && break || s=$$?; echo \"Tried $$i times. Waiting 5 secs...\"; sleep 5; done; (exit $$s)"'
depends_on:
- mongo
# hubot, the popular chatbot (add the bot user first and change the password before starting this image)
hubot:
image: rocketchat/hubot-rocketchat:latest
container_name: mistborn_production_rocketchat_hubot
restart: unless-stopped
environment:
- ROCKETCHAT_URL=chat.mistborn #:3000
# you can add more scripts as you'd like here, they need to be installable by npm
- EXTERNAL_SCRIPTS=hubot-help,hubot-seen,hubot-links,hubot-diagnostics
env_file:
- ../.envs/.production/.rocketchat
depends_on:
- rocketchat
volumes:
- ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts
# this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier
ports:
- "${MISTBORN_BIND_IP}:3001:8080/tcp"
networks:
default:
external:
name: mistborn_default

35
extra/syncthing.yml

@ -1,35 +0,0 @@
version: '3'
services:
syncthing:
image: linuxserver/syncthing
container_name: mistborn_production_syncthing
environment:
- PUID=1000
- PGID=1000
- TZ=Amereica/New_York
- UMASK_SET=022
volumes:
- ../../mistborn_volumes/extra/syncthing/config:/config
- ../../mistborn_volumes/extra/syncthing/data1:/data1
- ../../mistborn_volumes/extra/syncthing/data2:/data2
ports:
#- 8384:8384
- 22000:22000/tcp # listening port
- 21027:21027/udp # protocol discovery
labels:
- "traefik.enable=true"
- "traefik.http.routers.syncthing-http.rule=Host(`syncthing.mistborn`)"
- "traefik.http.routers.syncthing-http.entrypoints=web"
- "traefik.http.routers.syncthing-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.syncthing-https.rule=Host(`syncthing.mistborn`)"
- "traefik.http.routers.syncthing-https.entrypoints=websecure"
- "traefik.http.routers.syncthing-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.syncthing-https.tls.certresolver=basic"
- "traefik.http.services.syncthing-service.loadbalancer.server.port=8384"
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

16
extra/tor.yml

@ -1,16 +0,0 @@
version: '3'
services:
tor-client:
build:
context: ../compose/production/tor
dockerfile: ./Dockerfile
image: mistborn_production_tor
container_name: mistborn_production_tor
ports:
- 9150:9150/tcp
networks:
default:
external:
name: mistborn_default

2
scripts/conf/15-iptables.conf

@ -1,6 +1,6 @@
# Log kernel iptables dropped messages to iptables.log # Log kernel iptables dropped messages to iptables.log
$template MyTemplate,"%$day%-%timegenerated:1:3:date-rfc3164%-%$year% %timegenerated:12:19:date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n" $template MyTemplate,"%$day%-%timegenerated:1:3:date-rfc3164%-%$year% %timegenerated:12:19:date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n"
:msg,contains,"[IPTables-Dropped]:" /var/log/iptables.log;MyTemplate #RSYSLOG_FileFormat :msg,contains,"[Mistborn-IPTables-Dropped]:" /var/log/iptables.log;MyTemplate #RSYSLOG_FileFormat
# Uncomment the following to stop logging anything that matches the last rule. # Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file # Doing this will stop logging kernel generated UFW log messages to the file
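Review bot: The rsyslog match on line 765 now keys on `[Mistborn-IPTables-Dropped]:`, so it only files packets whose iptables LOG rule uses exactly that `--log-prefix` (trailing colon included); the rule that emits the prefix lives in scripts/subinstallers/iptables.sh, which is in this comparison but not visible here, so the two strings should be checked for an exact match. Nothing after the match line discards the message, so the same dropped-packet lines still reach the default kernel log as well; if that duplication is unintended, add `& stop` on the line after the match, as the commented text below already suggests.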

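--- a/scripts/conf/20-suricata.conf
+++ b/scripts/conf/20-suricata.conf
@@ -0,0 +1,2 @@
+$template SuricataTemplate, "<%PRI%>%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
+user.alert /var/log/suricata.log;SuricataTemplate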
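Review bot: The `SuricataTemplate` on line 773 has no trailing `\n`, and rsyslog does not append one for file actions that use a custom template (the template in scripts/conf/15-iptables.conf in this comparison ends with `\n` for exactly that reason), so successive records in /var/log/suricata.log will run together on one line; change it to `$template SuricataTemplate, "<%PRI%>%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"`. The selector `user.alert` on line 774 routes every user-facility message at alert priority or above from any program into the file, not only Suricata's; a property filter such as `:programname, isequal, "suricata" /var/log/suricata.log;SuricataTemplate` would scope it to the IDS. Whether Suricata is actually configured to send its alerts to syslog at that facility and priority depends on scripts/subinstallers/suricata.sh, which is listed in this comparison but not visible here.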

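--- a/scripts/conf/cockpit.conf
+++ b/scripts/conf/cockpit.conf
@@ -1,3 +0,0 @@
-[WebService]
-ProtocolHeader = X-Forwarded-Proto
-AllowUnencrypted=true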

366
scripts/conf/jitsi.env

@ -1,366 +0,0 @@
# shellcheck disable=SC2034
# Security
#
# Set these to strong passwords to avoid intruders from impersonating a service account
# The service(s) won't start unless these are specified
# Running ./gen-passwords.sh will update .env with strong passwords
# You may skip the Jigasi and Jibri passwords if you are not using those
# DO NOT reuse passwords
#
# XMPP component password for Jicofo
JICOFO_COMPONENT_SECRET=
# XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=
# XMPP password for JVB client connections
JVB_AUTH_PASSWORD=
# XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=
# XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=
# XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=
#
# Basic configuration options
#
# Directory where all configuration will be stored
#CONFIG=~/.jitsi-meet-cfg
CONFIG=../.envs/.production/.jitsi-cfg
# Exposed HTTP port
HTTP_PORT=80
# Exposed HTTPS port
HTTPS_PORT=443
# System time zone
TZ=UTC
# Public URL for the web service (required)
PUBLIC_URL=https://jitsi.mistborn
# IP address of the Docker host
# See the "Running behind NAT or on a LAN environment" section in the Handbook:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
#DOCKER_HOST_ADDRESS=192.168.1.1
DOCKER_HOST_ADDRESS=10.2.3.1
# Control whether the lobby feature should be enabled or not
#ENABLE_LOBBY=1
# Show a prejoin page before entering a conference
#ENABLE_PREJOIN_PAGE=0
#
# Let's Encrypt configuration
#
# Enable Let's Encrypt certificate generation
#ENABLE_LETSENCRYPT=1
# Domain for which to generate the certificate
#LETSENCRYPT_DOMAIN=meet.example.com
# E-Mail for receiving important account notifications (mandatory)
#LETSENCRYPT_EMAIL=alice@atlanta.net
# Use the staging server (for avoiding rate limits while testing)
#LETSENCRYPT_USE_STAGING=1
#
# Etherpad integration (for document sharing)
#
# Set etherpad-lite URL in docker local network (uncomment to enable)
#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
# Set etherpad-lite public URL (uncomment to enable)
#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
# Name your etherpad instance!
ETHERPAD_TITLE="Video Chat"
# The default text of a pad
ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
# Name of the skin for etherpad
ETHERPAD_SKIN_NAME="colibris"
# Skin variants for etherpad
ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
#
# Basic Jigasi configuration options (needed for SIP gateway support)
#
# SIP URI for incoming / outgoing calls
#JIGASI_SIP_URI=test@sip2sip.info
# Password for the specified SIP account as a clear text
#JIGASI_SIP_PASSWORD=passw0rd
# SIP server (use the SIP account domain if in doubt)
#JIGASI_SIP_SERVER=sip2sip.info
# SIP server port
#JIGASI_SIP_PORT=5060
# SIP server transport
#JIGASI_SIP_TRANSPORT=UDP
#
# Authentication configuration (see handbook for details)
#
# Enable authentication
#ENABLE_AUTH=1
# Enable guest access
#ENABLE_GUESTS=1
# Select authentication type: internal, jwt or ldap
#AUTH_TYPE=internal
# JWT authentication
#
# Application identifier
#JWT_APP_ID=my_jitsi_app_id
# Application secret known only to your token
#JWT_APP_SECRET=my_jitsi_app_secret
# (Optional) Set asap_accepted_issuers as a comma separated list
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
# (Optional) Set asap_accepted_audiences as a comma separated list
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
#
# LDAP url for connection
#LDAP_URL=ldaps://ldap.domain.com/
# LDAP base DN. Can be empty
#LDAP_BASE=DC=example,DC=domain,DC=com
# LDAP user DN. Do not specify this parameter for the anonymous bind
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
# LDAP user password. Do not specify this parameter for the anonymous bind
#LDAP_BINDPW=LdapUserPassw0rd
# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
# %s - %s is replaced by the complete service string
# %r - %r is replaced by the complete realm string
#LDAP_FILTER=(sAMAccountName=%u)
# LDAP authentication method
#LDAP_AUTH_METHOD=bind
# LDAP version
#LDAP_VERSION=3
# LDAP TLS using
#LDAP_USE_TLS=1
# List of SSL/TLS ciphers to allow
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=1
# Path to CA cert file. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
# Path to CA certs directory. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
# LDAP_START_TLS=1
#
# Advanced configuration options (you generally don't need to change these)
#
# Internal XMPP domain
XMPP_DOMAIN=meet.jitsi
# Internal XMPP server
XMPP_SERVER=xmpp.meet.jitsi
# Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
# Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.meet.jitsi
# XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.meet.jitsi
# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
# XMPP domain for unauthenticated users
XMPP_GUEST_DOMAIN=guest.meet.jitsi
# Comma separated list of domains for cross domain policy or "true" to allow all
# The PUBLIC_URL is always allowed
#XMPP_CROSS_DOMAIN=true
# Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=
# Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=
# Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=
# MUC for the JVB pool
JVB_BREWERY_MUC=jvbbrewery
# XMPP user for JVB client connections
JVB_AUTH_USER=jvb
# STUN servers used to discover the server's public IP
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
# Media port for the Jitsi Videobridge
JVB_PORT=10000
# TCP Fallback for Jitsi Videobridge for when UDP isn't available
JVB_TCP_HARVESTER_DISABLED=true
JVB_TCP_PORT=4443
JVB_TCP_MAPPED_PORT=4443
# A comma separated list of APIs to enable when the JVB is started [default: none]
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
#JVB_ENABLE_APIS=rest,colibri
# XMPP user for Jicofo client connections.
# NOTE: this option doesn't currently work due to a bug
JICOFO_AUTH_USER=focus
# Base URL of Jicofo's reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
#JICOFO_ENABLE_HEALTH_CHECKS=true
# XMPP user for Jigasi MUC client connections
JIGASI_XMPP_USER=jigasi
# MUC name for the Jigasi pool
JIGASI_BREWERY_MUC=jigasibrewery
# Minimum port for media used by Jigasi
JIGASI_PORT_MIN=20000
# Maximum port for media used by Jigasi
JIGASI_PORT_MAX=20050
# Enable SDES srtp
#JIGASI_ENABLE_SDES_SRTP=1
# Keepalive method
#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
# Health-check extension
#JIGASI_HEALTH_CHECK_SIP_URI=keepalive
# Health-check interval
#JIGASI_HEALTH_CHECK_INTERVAL=300000
#
# Enable Jigasi transcription
#ENABLE_TRANSCRIPTIONS=1
# Jigasi will record audio when transcriber is on [default: false]
#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
# Jigasi will send transcribed text to the chat when transcriber is on [default: false]
#JIGASI_TRANSCRIBER_SEND_TXT=true
# Jigasi will post an url to the chat with transcription file [default: false]
#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
# Credentials for connect to Cloud Google API from Jigasi
# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
# section "Before you begin" paragraph 1 to 5
# Copy the values from the json to the related env vars
#GC_PROJECT_ID=
#GC_PRIVATE_KEY_ID=
#GC_PRIVATE_KEY=
#GC_CLIENT_EMAIL=
#GC_CLIENT_ID=
#GC_CLIENT_CERT_URL=
# Enable recording
#ENABLE_RECORDING=1
# XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
# XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder
# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings
# The finalizing script. Will run after recording is complete
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
# XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri
# MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery
# MUC connection timeout
JIBRI_PENDING_TIMEOUT=90
# When jibri gets a request to start a service for a room, the room
# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
# We'll build the url for the call by transforming that into:
# https://xmpp_domain/subdomain/roomName
# So if there are any prefixes in the jid (like jitsi meet, which
# has its participants join a muc at conference.xmpp_domain) then
# list that prefix here so it can be stripped out to generate
# the call url correctly
JIBRI_STRIP_DOMAIN_JID=muc
# Directory for logs inside Jibri container
JIBRI_LOGS_DIR=/config/logs
# Disable HTTPS: handle TLS connections outside of this setup
DISABLE_HTTPS=1
# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
#ENABLE_HTTP_REDIRECT=1
# Enable IPv6
# Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
#ENABLE_IPV6=1
# Container restart policy
# Defaults to unless-stopped
RESTART_POLICY=unless-stopped
# Authenticate using external service or just focus external auth window if there is one already.
# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}

33
scripts/env/setup.sh vendored

@ -1,5 +1,10 @@
#!/bin/bash #!/bin/bash
# Version
MISTBORN_MAJOR_VERSION="0"
MISTBORN_MINOR_VERSION="1"
MISTBORN_PATCH_NUMBER="1"
#### ENV file #### ENV file
VAR_FILE=/opt/mistborn/.env VAR_FILE=/opt/mistborn/.env
@ -12,6 +17,12 @@ source /opt/mistborn/scripts/subinstallers/platform.sh
echo "" | sudo tee ${VAR_FILE} echo "" | sudo tee ${VAR_FILE}
sudo chown mistborn:mistborn ${VAR_FILE} sudo chown mistborn:mistborn ${VAR_FILE}
# Version env variables
echo "MISTBORN_VERSION=${MISTBORN_MAJOR_VERSION}.${MISTBORN_MINOR_VERSION}.${MISTBORN_PATCH_NUMBER}" | sudo tee -a ${VAR_FILE}
echo "MISTBORN_MAJOR_VERSION=${MISTBORN_MAJOR_VERSION}" | sudo tee -a ${VAR_FILE}
echo "MISTBORN_MINOR_VERSION=${MISTBORN_MINOR_VERSION}" | sudo tee -a ${VAR_FILE}
echo "MISTBORN_PATCH_NUMBER=${MISTBORN_PATCH_NUMBER}" | sudo tee -a ${VAR_FILE}
# MISTBORN_DNS_BIND_IP # MISTBORN_DNS_BIND_IP
MISTBORN_DNS_BIND_IP="10.2.3.1" MISTBORN_DNS_BIND_IP="10.2.3.1"
@ -28,9 +39,11 @@ echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE}
# MISTBORN_TAG # MISTBORN_TAG
GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master") GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master")
MISTBORN_TAG="latest" MISTBORN_TAG="${MISTBORN_MAJOR_VERSION}.${MISTBORN_MINOR_VERSION}"
if [ "$GIT_BRANCH" != "master" ]; then if [ ! -z "$MISTBORN_TEST_CONTAINER" ]; then
MISTBORN_TAG="test" MISTBORN_TAG="$MISTBORN_TEST_CONTAINER"
elif [ "$GIT_BRANCH" == "master" ]; then
MISTBORN_TAG="latest"
fi fi
echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE} echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
@ -40,9 +53,9 @@ echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
# copy current service files to systemd (overwriting as needed) # copy current service files to systemd (overwriting as needed)
sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/ sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
# set script user and owner ## set script user and owner
sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/" #sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /" ##sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
# reload in case the iface is not immediately set # reload in case the iface is not immediately set
sudo systemctl daemon-reload sudo systemctl daemon-reload
@ -55,7 +68,13 @@ while [[ -z "$iface" ]]; do
iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]') iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]')
done done
GLOBAL_ENV=/opt/mistborn/.envs/.production/.global
install -Dv /dev/null $GLOBAL_ENV
echo "DIFACE=$iface" >> $GLOBAL_ENV
echo "MISTBORN_ENV_PATH=../../.envs/.production/" >> $GLOBAL_ENV
echo "MISTBORN_VOL_PATH=../../../mistborn_volumes/extra/" >> $GLOBAL_ENV
# default interface # default interface
sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/" #sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
sudo systemctl daemon-reload sudo systemctl daemon-reload
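Review bot: `install -Dv /dev/null $GLOBAL_ENV` creates the new env file with install's default mode (rwxr-xr-x), so `.envs/.production/.global` ends up world-readable and marked executable; pass an explicit mode, `install -Dv -m 0644 /dev/null "$GLOBAL_ENV"`, and quote `$GLOBAL_ENV` on the three `echo ... >> $GLOBAL_ENV` lines. The file only holds DIFACE and two relative paths today, but it is now an EnvironmentFile for the Mistborn-base unit, so a tight mode is cheap insurance against future additions. The `while` loop that populates `iface` begins outside the hunk.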

28
scripts/install.sh

@ -39,7 +39,7 @@ if [ $(whoami) != "$MISTBORN_USER" ]; then
sudo cp $FULLPATH /home/$MISTBORN_USER sudo cp $FULLPATH /home/$MISTBORN_USER
sudo chown $MISTBORN_USER:$MISTBORN_USER /home/$MISTBORN_USER/$FILENAME sudo chown $MISTBORN_USER:$MISTBORN_USER /home/$MISTBORN_USER/$FILENAME
sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" MISTBORN_INSTALL_COCKPIT="$MISTBORN_INSTALL_COCKPIT" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
exit 0 exit 0
fi fi
@ -67,13 +67,6 @@ else
echo "MISTBORN_DEFAULT_PASSWORD is already set" echo "MISTBORN_DEFAULT_PASSWORD is already set"
fi fi
# Install Cockpit?
if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then
read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface -- NOT RECOMMENDED on Raspberry Pi)? [y/N]: " MISTBORN_INSTALL_COCKPIT
echo
MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-N}
fi
# SSH keys # SSH keys
if [ ! -f ~/.ssh/id_rsa ]; then if [ ! -f ~/.ssh/id_rsa ]; then
echo "Generating SSH keypair for $USER" echo "Generating SSH keypair for $USER"
@ -109,7 +102,11 @@ source ./scripts/subinstallers/platform.sh
echo "Setting up firewall (iptables)" echo "Setting up firewall (iptables)"
if [ ! -f "/etc/iptables/rules.v4" ]; then if [ ! -f "/etc/iptables/rules.v4" ]; then
echo "Setting iptables rules..." echo "Setting iptables rules..."
./scripts/subinstallers/iptables.sh source ./scripts/subinstallers/suricata.sh
source ./scripts/subinstallers/iptables.sh
source ./scripts/subinstallers/ip6tables.sh
#source ./scripts/subinstallers/iptables_docker.sh
source ./scripts/subinstallers/iptables_cleanup.sh
else else
echo "iptables rules exist. Leaving alone." echo "iptables rules exist. Leaving alone."
fi fi
@ -150,16 +147,6 @@ sudo systemctl start docker
# Unattended upgrades # Unattended upgrades
sudo -E apt-get install -y unattended-upgrades sudo -E apt-get install -y unattended-upgrades
# Cockpit
if [[ "$MISTBORN_INSTALL_COCKPIT" =~ ^([yY][eE][sS]|[yY])$ ]]
then
# install cockpit
source ./scripts/subinstallers/cockpit.sh
# set variable (that will be available in environment)
MISTBORN_INSTALL_COCKPIT=Y
fi
# Mistborn-cli (pip3 installed by docker) # Mistborn-cli (pip3 installed by docker)
figlet "Mistborn: Installing mistborn-cli" figlet "Mistborn: Installing mistborn-cli"
sudo pip3 install -e ./modules/mistborn-cli sudo pip3 install -e ./modules/mistborn-cli
@ -200,9 +187,6 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-pihole
sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd
sudo mkdir -p ../mistborn_volumes/extra sudo mkdir -p ../mistborn_volumes/extra
# Traefik final setup (cockpit)
#cp ./compose/production/traefik/traefikv2.toml.template ./compose/production/traefik/traefik.toml
# setup tls certs # setup tls certs
source ./scripts/subinstallers/openssl.sh source ./scripts/subinstallers/openssl.sh
#sudo rm -rf ../mistborn_volumes/base/tls #sudo rm -rf ../mistborn_volumes/base/tls

31
scripts/services/Mistborn-base.service

@ -6,22 +6,23 @@ After=docker.service
After=netfilter-persistent.service After=netfilter-persistent.service
[Service] [Service]
EnvironmentFile=/opt/mistborn/.envs/.production/.global
EnvironmentFile=/opt/mistborn/.env
Restart=always Restart=always
User=root User=mistborn
Group=docker Group=docker
PermissionsStartOnly=true PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped # Shutdown container (if running) when unit is stopped
EnvironmentFile=/opt/mistborn/.env
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml build ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml build
ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev $DIFACE
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP #ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/iptables -w -A OUTPUT -o $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/ip6tables -w -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP ExecStartPre=/sbin/ip6tables -w -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/resolvconf -u ExecStartPre=/sbin/resolvconf -u
# Start container when unit is started # Start container when unit is started
@ -29,12 +30,12 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml up
# Stop container when unit is stopped # Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
# Post stop # Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP #ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP ExecStopPost=-/sbin/iptables -D OUTPUT -o $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
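Review bot: The unit now takes `$DIFACE` from `/opt/mistborn/.envs/.production/.global`, a file written by scripts/env/setup.sh, but nothing in the unit says where the value comes from or what happens when it is absent; a comment above the new `EnvironmentFile=` line such as `# DIFACE (default interface) is written to .global by scripts/env/setup.sh; the un-prefixed iptables ExecStartPre lines fail the unit if it is empty` would save the next reader a search. Note also that changing `User=root` to `User=mistborn` while keeping `Group=docker` is only a nominal privilege reduction — docker group membership is effectively root-equivalent — and `PermissionsStartOnly=true` still runs every `ExecStartPre=`/`ExecStopPost=` as root, which the `/sbin/iptables` and `/sbin/ip` calls require. The `ExecStart=` line between the two hunks is outside the shown hunks.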
[Install] [Install]

24
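--- a/scripts/services/Mistborn-bitwarden.service
+++ b/scripts/services/Mistborn-bitwarden.service
@@ -1,24 +0,0 @@
-[Unit]
-Description=Mistborn Bitwarden Service
-Requires=Mistborn-base.service
-After=Mistborn-base.service
-PartOf=Mistborn-base.service
-[Service]
-Restart=always
-User=root
-Group=docker
-PermissionsStartOnly=true
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down
-# Post stop
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
-[Install]
-WantedBy=multi-user.target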

22
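--- a/scripts/services/Mistborn-homeassistant.service
+++ b/scripts/services/Mistborn-homeassistant.service
@@ -1,22 +0,0 @@
-[Unit]
-Description=Mistborn Home Assistant
-Requires=Mistborn-base.service
-After=Mistborn-base.service
-PartOf=Mistborn-base.service
-[Service]
-Restart=always
-User=root
-Group=docker
-PermissionsStartOnly=true
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/homeassistant.yml down
-# Post stop
-[Install]
-WantedBy=multi-user.target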

22
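--- a/scripts/services/Mistborn-jellyfin.service
+++ b/scripts/services/Mistborn-jellyfin.service
@@ -1,22 +0,0 @@
-[Unit]
-Description=Mistborn Jellyfin Service
-Requires=Mistborn-nextcloud.service
-After=Mistborn-nextcloud.service
-PartOf=Mistborn-base.service
-[Service]
-Restart=always
-User=root
-Group=docker
-PermissionsStartOnly=true
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jellyfin.yml down
-# Post stop
-[Install]
-WantedBy=multi-user.target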

28
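--- a/scripts/services/Mistborn-jitsi.service
+++ b/scripts/services/Mistborn-jitsi.service
@@ -1,28 +0,0 @@
-[Unit]
-Description=Mistborn Jitsi Service
-Requires=Mistborn-base.service
-After=Mistborn-base.service
-PartOf=Mistborn-base.service
-[Service]
-Restart=always
-User=root
-Group=docker
-PermissionsStartOnly=true
-EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
-# Post stop
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
-[Install]
-WantedBy=multi-user.target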

22
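--- a/scripts/services/Mistborn-nextcloud.service
+++ b/scripts/services/Mistborn-nextcloud.service
@@ -1,22 +0,0 @@
-[Unit]
-Description=Mistborn Nextcloud Service
-Requires=Mistborn-base.service
-After=Mistborn-base.service
-PartOf=Mistborn-base.service
-[Service]
-Restart=always
-User=www-data
-Group=docker
-PermissionsStartOnly=true
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/nextcloud.yml down
-# Post stop
-[Install]
-WantedBy=multi-user.target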

22
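--- a/scripts/services/Mistborn-onlyoffice.service
+++ b/scripts/services/Mistborn-onlyoffice.service
@@ -1,22 +0,0 @@
-[Unit]
-Description=Mistborn OnlyOffice Service
-Requires=Mistborn-base.service
-After=Mistborn-base.service
-PartOf=Mistborn-base.service
-[Service]
-Restart=always
-User=root
-Group=docker
-PermissionsStartOnly=true
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
-# Post stop
-[Install]
-WantedBy=multi-user.target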

25
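--- a/scripts/services/Mistborn-rocketchat.service
+++ b/scripts/services/Mistborn-rocketchat.service
@@ -1,25 +0,0 @@
-[Unit]
-Description=Mistborn Rocket Chat Service
-Requires=Mistborn-base.service
-After=Mistborn-base.service
-PartOf=Mistborn-base.service
-[Service]
-Restart=always
-User=root
-Group=docker
-PermissionsStartOnly=true
-EnvironmentFile=/opt/mistborn/.env
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down
-# Post stop
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
-[Install]
-WantedBy=multi-user.target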

26
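--- a/scripts/services/Mistborn-syncthing.service
+++ b/scripts/services/Mistborn-syncthing.service
@@ -1,26 +0,0 @@
-[Unit]
-Description=Mistborn Syncthing Service
-Requires=Mistborn-base.service
-After=Mistborn-base.service
-PartOf=Mistborn-base.service
-[Service]
-Restart=always
-User=root
-Group=docker
-PermissionsStartOnly=true
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down
-# Post stop
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
-[Install]
-WantedBy=multi-user.target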

24
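--- a/scripts/services/Mistborn-tor.service
+++ b/scripts/services/Mistborn-tor.service
@@ -1,24 +0,0 @@
-[Unit]
-Description=Mistborn Tor Service
-Requires=Mistborn-base.service
-After=Mistborn-base.service
-PartOf=Mistborn-base.service
-[Service]
-Restart=always
-User=root
-Group=docker
-PermissionsStartOnly=true
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down
-# Post stop
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
-[Install]
-WantedBy=multi-user.target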

21
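--- a/scripts/services/raspap/Mistborn-raspap.service
+++ b/scripts/services/raspap/Mistborn-raspap.service
@@ -1,21 +0,0 @@
-[Unit]
-Description=Mistborn RaspAP Service
-Requires=Mistborn-base.service
-After=Mistborn-base.service
-[Service]
-Restart=always
-User=root
-Group=docker
-PermissionsStartOnly=true
-# Shutdown container (if running) when unit is stopped
-ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/raspap.yml down
-# Start container when unit is started
-ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/raspap.yml up --build
-# Stop container when unit is stopped
-ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/extra/raspap.yml down
-# Post stop
-[Install]
-WantedBy=multi-user.target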

4
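--- a/scripts/services/raspap/install.sh
+++ b/scripts/services/raspap/install.sh
@@ -1,4 +0,0 @@
-#!/bin/bash
-# install on gateway
-sudo apt-get install -y hostapd vnstat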

31
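--- a/scripts/subinstallers/cockpit.sh
+++ b/scripts/subinstallers/cockpit.sh
@@ -1,31 +0,0 @@
-#!/bin/bash
-# Cockpit
-figlet "Mistborn: Installing Cockpit"
-if [ "$DISTRO" == "ubuntu" ]; then
-echo "Ubuntu backports enabled by default"
-elif [ "$DISTRO" == "debian" ]; then
-sudo grep -qF "buster-backports" /etc/apt/sources.list.d/backports.list \
-&& echo "buster-backports already in sources" \
-|| echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee -a /etc/apt/sources.list.d/backports.list
-elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
-echo "Raspbian repos contain cockpit"
-fi
-sudo -E apt-get install -y cockpit
-if [ $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ]; then
-# no longer supported upstream in Ubuntu 20.04
-sudo -E apt-get install -y cockpit-docker
-elif [ $(sudo apt-cache show cockpit-podman > /dev/null 2>&1) ]; then
-sudo -E apt-get install -y cockpit-podman
-fi
-sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf
-sudo systemctl restart cockpit.socket
-# create system cockpit user
-echo "Creating cockpit user"
-sudo useradd -s /bin/bash -d /home/cockpit -m -G sudo -p $(openssl passwd -1 "$MISTBORN_DEFAULT_PASSWORD") cockpit || true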

38
scripts/subinstallers/gen_prod_env.sh

@ -40,41 +40,3 @@ WEBPASSWORD="$1"
echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE
echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE
# generate rocketchat .env files
ROCKETCHAT_PROD_FILE="./.envs/.production/.rocketchat"
#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
ROCKETCHAT_PASSWORD="$1"
echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
# generate nextcloud .env files
NEXTCLOUD_PROD_FILE="./.envs/.production/.nextcloud"
#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
NEXTCLOUD_PASSWORD="$1"
echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
# generate onlyoffice .env files
ONLYOFFICE_PROD_FILE="./.envs/.production/.onlyoffice"
JWT_SECRET="$1"
echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
# generate bitwarden .env files
BITWARDEN_PROD_FILE="./.envs/.production/.bitwarden"
echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
# JITSI
JITSI_PROD_FILE="./.envs/.production/.jitsi"
cp ./scripts/conf/jitsi.env $JITSI_PROD_FILE
mkdir -p ./.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"

31
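--- a/scripts/subinstallers/ip6tables.sh
+++ b/scripts/subinstallers/ip6tables.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e
+# resetting ip6tables rules
+sudo ip6tables -F
+sudo ip6tables -t nat -F
+sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true
+sudo ip6tables -X MISTBORN_INT_LOG_DROP 2>/dev/null || true
+# ip6tables: log and drop chain (external threats)
+sudo ip6tables -N MISTBORN_LOG_DROP
+sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
+sudo ip6tables -A MISTBORN_LOG_DROP -j DROP
+# ip6tables: log and drop chain (internal threats)
+sudo ip6tables -N MISTBORN_INT_LOG_DROP
+sudo ip6tables -A MISTBORN_INT_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Internal-Dropped]: " --log-level 4
+sudo ip6tables -A MISTBORN_INT_LOG_DROP -j DROP
+# ip6tables
+echo "Setting ip6tables rules"
+sudo ip6tables -P INPUT ACCEPT
+sudo ip6tables -I INPUT -i lo -j ACCEPT
+sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+sudo ip6tables -A INPUT -j MISTBORN_LOG_DROP
+sudo ip6tables -P INPUT DROP
+sudo ip6tables -P FORWARD DROP
+sudo ip6tables -P OUTPUT ACCEPT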
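Review bot: The IPv6 INPUT chain accepts only `lo` and RELATED,ESTABLISHED before jumping to MISTBORN_LOG_DROP under a DROP policy, with no exception for ICMPv6. Neighbor Discovery (neighbor/router solicitation and advertisement) arrives as new ICMPv6 packets that conntrack does not classify as ESTABLISHED, so on a host that uses IPv6 at all this can break link-level address resolution, and it keeps the rate-limited LOG rule busy with NDP noise. If IPv6 is meant to remain usable, add `sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT` (or a narrower list of ICMPv6 types) before the `-j MISTBORN_LOG_DROP` line; if the intent is to effectively disable IPv6, a comment saying so would help. `-m state` is the legacy match; `-m conntrack --ctstate RELATED,ESTABLISHED` is the current form, as in the flush/`-X` sequence this mirrors from iptables.sh.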

69
scripts/subinstallers/iptables.sh

@ -4,6 +4,8 @@ set -e
figlet "Mistborn: Configuring Firewall" figlet "Mistborn: Configuring Firewall"
source ./scripts/subinstallers/vars.sh
echo "stop iptables wrappers" echo "stop iptables wrappers"
if [ "$DISTRO" == "ubuntu" ]; then if [ "$DISTRO" == "ubuntu" ]; then
# Disable UFW # Disable UFW
@ -11,27 +13,27 @@ if [ "$DISTRO" == "ubuntu" ]; then
sudo systemctl disable ufw || true sudo systemctl disable ufw || true
fi fi
# default interface
iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
# real public interface
riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
# resetting iptables # resetting iptables
sudo iptables -F sudo iptables -F
sudo iptables -t nat -F sudo iptables -t nat -F
sudo iptables -X MISTBORN_LOG_DROP 2>/dev/null || true sudo iptables -X MISTBORN_LOG_DROP 2>/dev/null || true
sudo iptables -X MISTBORN_INT_LOG_DROP 2>/dev/null || true
sudo iptables -X MISTBORN_WIREGUARD_INPUT 2>/dev/null || true sudo iptables -X MISTBORN_WIREGUARD_INPUT 2>/dev/null || true
sudo iptables -X MISTBORN_WIREGUARD_FORWARD 2>/dev/null || true sudo iptables -X MISTBORN_WIREGUARD_FORWARD 2>/dev/null || true
sudo iptables -X MISTBORN_WIREGUARD_OUTPUT 2>/dev/null || true sudo iptables -X MISTBORN_WIREGUARD_OUTPUT 2>/dev/null || true
sudo iptables -X MISTBORN_DOCKER_OUTPUT 2>/dev/null || true sudo iptables -X MISTBORN_DOCKER_OUTPUT 2>/dev/null || true
sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true
# iptables: log and drop chain # iptables: log and drop chain (external threats)
sudo iptables -N MISTBORN_LOG_DROP sudo iptables -N MISTBORN_LOG_DROP
sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4 sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
sudo iptables -A MISTBORN_LOG_DROP -j DROP sudo iptables -A MISTBORN_LOG_DROP -j DROP
# iptables: log and drop chain (internal threats)
sudo iptables -N MISTBORN_INT_LOG_DROP
sudo iptables -A MISTBORN_INT_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Internal-Dropped]: " --log-level 4
sudo iptables -A MISTBORN_INT_LOG_DROP -j DROP
# wireguard rules chains # wireguard rules chains
sudo iptables -N MISTBORN_WIREGUARD_INPUT sudo iptables -N MISTBORN_WIREGUARD_INPUT
sudo iptables -N MISTBORN_WIREGUARD_FORWARD sudo iptables -N MISTBORN_WIREGUARD_FORWARD
@ -73,54 +75,3 @@ sudo iptables -t nat -I POSTROUTING -o $iface -j MASQUERADE
# sudo iptables -t nat -I POSTROUTING -o $riface -j MASQUERADE # sudo iptables -t nat -I POSTROUTING -o $riface -j MASQUERADE
#fi #fi
# resetting ip6tables rules
sudo ip6tables -F
sudo ip6tables -t nat -F
sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true
# ip6tables: log and drop chain
sudo ip6tables -N MISTBORN_LOG_DROP
sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
sudo ip6tables -A MISTBORN_LOG_DROP -j DROP
# ip6tables
echo "Setting ip6tables rules"
sudo ip6tables -P INPUT ACCEPT
sudo ip6tables -I INPUT -i lo -j ACCEPT
sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -A INPUT -j MISTBORN_LOG_DROP
sudo ip6tables -P INPUT DROP
sudo ip6tables -P FORWARD DROP
sudo ip6tables -P OUTPUT ACCEPT
# iptables-persistent
if [ ! "$(dpkg-query -l iptables-persistent)" ]; then
echo "Installing iptables-persistent"
# answer variables
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
# install
sudo -E apt-get install -y iptables-persistent ipset
else
echo "Saving iptables rules"
sudo bash -c "iptables-save > /etc/iptables/rules.v4"
echo "Saving ip6tables rules"
sudo bash -c "ip6tables-save > /etc/iptables/rules.v6"
fi
# IP forwarding
sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
# VM Overcommit Memory
sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf
# Force re-read of sysctl.conf
sudo sysctl -p /etc/sysctl.conf
# rsyslog to create /var/log/iptables.log
sudo cp ./scripts/conf/15-iptables.conf /etc/rsyslog.d/
sudo chown root:root /etc/rsyslog.d/15-iptables.conf
sudo systemctl restart rsyslog
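Review bot: The LOG prefix in MISTBORN_LOG_DROP changes from `[IPTables-Dropped]: ` to `[Mistborn-IPTables-Dropped]: ` (and the new internal chain logs with `[Mistborn-IPTables-Internal-Dropped]: `), but the rsyslog rule that routes these lines, `scripts/conf/15-iptables.conf` copied by iptables_cleanup.sh, is not part of this diff; if it filters on the old prefix, the new prefix does not contain it as a substring and dropped-packet lines would stop reaching /var/log/iptables.log. Please confirm the conf matches the new prefixes, and consider a comment next to the `--log-prefix` lines such as `# prefix must stay in sync with scripts/conf/15-iptables.conf`. The added `-X MISTBORN_INT_LOG_DROP` cleanup and the internal chain are consistent with ip6tables.sh; the `source ./scripts/subinstallers/vars.sh` in the first hunk now supplies `$iface`, which the MASQUERADE rule in the third hunk still uses unquoted.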

34
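--- a/scripts/subinstallers/iptables_cleanup.sh
+++ b/scripts/subinstallers/iptables_cleanup.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+set -e
+# iptables-persistent
+if [ ! "$(dpkg-query -l iptables-persistent)" ]; then
+echo "Installing iptables-persistent"
+# answer variables
+echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
+echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
+# install
+sudo -E apt-get install -y iptables-persistent ipset
+else
+echo "Saving iptables rules"
+sudo bash -c "iptables-save > /etc/iptables/rules.v4"
+echo "Saving ip6tables rules"
+sudo bash -c "ip6tables-save > /etc/iptables/rules.v6"
+fi
+# IP forwarding
+sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
+# VM Overcommit Memory
+sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf
+# Force re-read of sysctl.conf
+sudo sysctl -p /etc/sysctl.conf
+# rsyslog to create /var/log/iptables.log
+sudo cp ./scripts/conf/15-iptables.conf /etc/rsyslog.d/
+sudo chown root:root /etc/rsyslog.d/15-iptables.conf
+sudo systemctl restart rsyslog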
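Review bot: `sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf` only rewrites an existing line, so on a sysctl.conf without a `net.ipv4.ip_forward` entry forwarding is never enabled, unlike the overcommit line just below which appends when the key is missing. Use the same grep-then-append form for ip_forward, written as an `if`/`else` rather than the `a && b || c` chain (the `|| echo` branch also runs when the sed itself fails). The `dpkg-query -l iptables-persistent` test is brittle as well: a removed-but-not-purged package still prints a status table, which sends the script into the `else` branch and `iptables-save` into an /etc/iptables directory that may not exist — `dpkg-query -W -f='${Status}' iptables-persistent 2>/dev/null | grep -q 'install ok installed'` is the usual check. This code is moved from iptables.sh rather than new, but the split is a good moment to fix it.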

20
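--- a/scripts/subinstallers/iptables_docker.sh
+++ b/scripts/subinstallers/iptables_docker.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+source ./scripts/subinstallers/vars.sh
+# start from scratch
+sudo iptables -X MISTBORN-DOCKER-USER 2>/dev/null || true
+sudo iptables -N DOCKER-USER || true
+sudo iptables -N MISTBORN-DOCKER-USER || true
+# default Mistborn Docker User chain
+sudo iptables -A MISTBORN-DOCKER-USER -i $iface -s 10.0.0.0/8 -j RETURN
+sudo iptables -A MISTBORN-DOCKER-USER -i $iface -s 172.16.0.0/12 -j RETURN
+sudo iptables -A MISTBORN-DOCKER-USER -i $iface -s 192.168.0.0/16 -j RETURN
+sudo iptables -A MISTBORN-DOCKER-USER -i $iface -j MISTBORN_INT_LOG_DROP
+# add chain to DOCKER-USER
+sudo iptables -I DOCKER-USER -j MISTBORN-DOCKER-USER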

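--- a/scripts/subinstallers/platform.sh
+++ b/scripts/subinstallers/platform.sh
@@ -5,13 +5,16 @@
 UNAME=$(uname | tr "[:upper:]" "[:lower:]")
 DISTRO=""
 VERSION_ID=""
+VERSION_CODENAME=""
 # If Linux, try to determine specific distribution
 if [ "$UNAME" == "linux" ]; then
 # use /etc/os-release to get distro
 DISTRO=$(cat /etc/os-release | awk -F= '/^ID=/{print $2}')
 VERSION_ID=$(cat /etc/os-release | awk -F= '/^VERSION_ID=/{print $2}' | tr -d '"')
+VERSION_CODENAME=$(cat /etc/os-release | awk -F= '/^VERSION_CODENAME=/{print $2}' | tr -d '"')
 fi
 figlet "UNAME: $UNAME"
 figlet "DISTRO: $DISTRO"
 figlet "VERSION: $VERSION_ID"
+figlet "CODENAME: $VERSION_CODENAME"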
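Review bot: The new `VERSION_CODENAME` assignment copies the `cat /etc/os-release | awk … | tr -d '"'` pipeline of the line above it; the `cat` is unnecessary and awk can strip the quotes itself, e.g. `VERSION_CODENAME=$(awk -F= '/^VERSION_CODENAME=/{gsub(/"/, "", $2); print $2}' /etc/os-release)`. VERSION_CODENAME is an optional field in os-release, so the variable can legitimately remain empty after this block, and the suricata subinstaller interpolates it into an apt sources line; a comment such as `# VERSION_CODENAME is optional in os-release and may stay empty on some distros` would warn downstream readers. The context line for `DISTRO`, unlike the two lines after it, does not strip quotes, so a distro that writes `ID="…"` would never match the `"ubuntu"`/`"debian"` comparisons in the callers; that predates this commit but becomes more visible now that three consumers depend on these values.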

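--- a/scripts/subinstallers/suricata.sh
+++ b/scripts/subinstallers/suricata.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+# minimal dependencies
+sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
+libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+make libmagic-dev libjansson-dev
+## recommended dependencies
+#sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
+# libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+# libcap-ng-dev libcap-ng0 make libmagic-dev \
+# libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
+# python-yaml rustc cargo
+# iptables/nftables integration
+sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 \
+libnetfilter-log-dev libnetfilter-log1 \
+libnfnetlink-dev libnfnetlink0
+if [ "$DISTRO" == "ubuntu" ]; then
+echo "Installing Suricata Ubuntu PPA"
+sudo -E add-apt-repository -y ppa:oisf/suricata-stable
+sudo -E apt-get update
+sudo -E apt-get install -y suricata
+elif [ "$DISTRO" == "debian" ]; then
+echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
+sudo -E tee -a /etc/apt/sources.list.d/backports.list
+sudo -E apt-get update
+sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
+else
+echo "Basic Suricata installation"
+sudo -E apt-get install -y suricata
+fi
+# iptables
+sudo iptables -A INPUT -j NFQUEUE
+sudo iptables -I FORWARD -j NFQUEUE
+sudo iptables -I OUTPUT -j NFQUEUE
+# rsyslog to create /var/log/suricata.log
+sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
+sudo chown root:root /etc/rsyslog.d/20-suricata.conf
+sudo systemctl restart rsyslog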
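Review bot: The three NFQUEUE rules under "# iptables" send every INPUT, FORWARD and OUTPUT packet to userspace without `--queue-bypass`, so whenever nothing is bound to the queue (Suricata not yet started in IPS mode, restarting, or crashed) the kernel drops all traffic and a remote session to the host is lost; adding `--queue-bypass` lets packets pass when no listener is attached, which is the safer default for an installer. The rules are also added unconditionally, so each run appends or inserts another copy; a `-C` probe guards that, e.g. `sudo iptables -C INPUT -j NFQUEUE --queue-bypass 2>/dev/null || sudo iptables -A INPUT -j NFQUEUE --queue-bypass`, and likewise with `-I` for FORWARD and OUTPUT. `$DISTRO` and `$VERSION_CODENAME` are read but nothing in this file sources platform.sh, so they presumably arrive through the caller's environment; with `set -e` but no `set -u`, an empty VERSION_CODENAME in the debian branch writes `deb http://http.debian.net/debian -backports main` into backports.list, and `tee -a` appends the line again on every run. A `: "${VERSION_CODENAME:?}"` guard at the top of that branch and a `grep -q` on backports.list before the `tee -a` would cover both.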

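--- a/scripts/subinstallers/vars.sh
+++ b/scripts/subinstallers/vars.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# default interface
+iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
+# real public interface
+riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')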
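Review bot: Neither assignment guards against an empty result, and this file is sourced by scripts that pass `$iface` straight to `iptables -i`, so a host with no default route (or no path to 1.1.1.1 at install time) yields an empty variable instead of a clear error; `: "${iface:?no default IPv4 route found}"` and `: "${riface:?no route to 1.1.1.1 found}"` after the assignments would fail fast with a message. `egrep` is deprecated in current GNU grep and emits a warning; `grep -E` is the portable spelling, or the `egrep | awk` pair collapses into one awk: `iface=$(ip -o -4 route show to default | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }}')`. The comment "real public interface" overstates what the command computes — `route get 1.1.1.1` returns whichever interface currently routes to that address, which may be a VPN or tunnel; `# interface that currently routes to 1.1.1.1 (may differ from the default-route interface)` describes it accurately.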