Merge branch 'master' into v1

merge master
60 changed files with 75 additions and 1987 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -13,7 +13,6 @@ stages:
 include:
  - template: Code-Quality.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
 docker_build:
  stage: test
--- a/README.md
+++ b/README.md
@ -15,7 +15,7 @@ The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-origin
 Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free public WiFi networks. We needed a way to secure all family devices with a solid VPN (WireGuard). Once we had that we wanted to control DNS to block ads to all devices and block malicious websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding more services so I made that easy to do.
-As a [Certified Information Systems Security Professional (CISSP)](https://www.credly.com/badges/ebcb76f2-1e82-4079-9ea3-b507ffbd1d15/public_url) and an [Offensive Security Certified Professional (OSCP)](https://www.credly.com/badges/b93c44ec-3af5-48e8-9a33-b64365b70c61/public_url), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights).
+As an [Offensive Security Certified Professional (OSCP)](https://resources.infosecinstitute.com/certification/the-oscp-certification-and-exam/), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights).
 Ideal for teams who:
 - hate internet ads
@ -62,9 +62,8 @@ Within Mistborn is a panel to enable and manage these free extra services (off b
 # Quickstart
 Tested Operating Systems (in order of thoroughness):
 - Ubuntu 20.04 LTS
- Debian 11 (Bullseye)
+- Debian 10 (Buster)
 - Raspberry Pi OS (formerly Raspbian) Buster
 - Formerly tested and may still work: Ubuntu 18.04 LTS, Debian 10 (Buster)
 **Note:** Install operating system updates and restart. Raspberry Pi OS particularly needs to be restarted after kernel updates (kernel modules for the currently running kernel may be missing).
--- a/base.yml
+++ b/base.yml
@ -55,6 +55,7 @@ services:
    container_name: mistborn_production_traefik
    depends_on:
      - django
      - redis
    volumes:
      #- production_traefik:/etc/traefik/acme
      - ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro
@ -178,8 +179,7 @@ services:
    command: /start-celerybeat
    restart: unless-stopped
-
+  # flower:
  #flower:
  #   image: "cyber5k/mistborn:${MISTBORN_TAG}"
  #   container_name: mistborn_production_flower
  #   env_file:
@ -238,7 +238,7 @@ services:
     - DNSCRYPT_LISTEN_PORT=5054
     # resolvers: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md
     #- DNSCRYPT_SERVER_NAMES=['scaleway-fr','google','yandex','cloudflare'] 
-     - DNSCRYPT_SERVER_NAMES=['cloudflare','dnswarden-doh1','dnswarden-doh2','dnswarden-doh3','adguard-dns-doh']
+     - DNSCRYPT_SERVER_NAMES=['cloudflare']
    networks:
      pihole_net:
        ipv4_address: 10.2.0.2
--- a/compose/production/traefik/dynamic.toml
+++ b/compose/production/traefik/dynamic.toml
@ -8,17 +8,21 @@
  [tls.options.default]
    minVersion = "VersionTLS12"
-[http.services]
+[providers.redis]
-  [http.services.cockpit.loadBalancer]
+  endpoints = ["127.0.0.1:6379"]
-    [[http.services.cockpit.loadBalancer.servers]]
+  rootKey = "traefik"
      url = "http://10.2.3.1:9090"
-[http.routers]
+#[http.services]
-  [http.routers.cockpit]
+#  [http.services.cockpit.loadBalancer]
-    rule = "Host(`cockpit.mistborn`)"
+#    [[http.services.cockpit.loadBalancer.servers]]
-    service = "cockpit"
+#      url = "http://10.2.3.1:9090"
-    entrypoints = ["web", "websecure"]
+#
-    middlewares = ["mistborn_auth"]
+#[http.routers]
 #  [http.routers.cockpit]
 #    rule = "Host(`cockpit.mistborn`)"
 #    service = "cockpit"
 #    entrypoints = ["web", "websecure"]
 #    middlewares = ["mistborn_auth"]
 [http.middlewares]
  [http.middlewares.mistborn_auth.forwardAuth]
--- a/extra/bitwarden.yml
+++ b/extra/bitwarden.yml
@ -1,28 +0,0 @@
 version: '3'
 services:  
  bitwarden:
    image: vaultwarden/server:latest
    container_name: mistborn_production_bitwarden
    env_file:
      - ../.envs/.production/.bitwarden
    volumes:
      - ../../mistborn_volumes/extra/bitwarden:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bitwarden-http.rule=Host(`bitwarden.mistborn`)"
      - "traefik.http.routers.bitwarden-http.entrypoints=web"
      - "traefik.http.routers.bitwarden-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.bitwarden-https.rule=Host(`bitwarden.mistborn`)"
      - "traefik.http.routers.bitwarden-https.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.bitwarden-https.tls.certresolver=basic"
      - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
    ports:
      - "${MISTBORN_BIND_IP}:3012:3012/tcp"
    restart: unless-stopped
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/elasticsearch.yml
+++ b/extra/elasticsearch.yml
@ -1,30 +0,0 @@
 version: '3.7'
 services:
  elasticsearch:
    image: amazon/opendistro-for-elasticsearch:1.13.2
    hostname: elasticsearch
    restart: unless-stopped
    ports:
      - "${MISTBORN_BIND_IP}:9200:9200"
    environment:
      - discovery.type=single-node
      - cluster.name=mistborn-cluster
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - bootstrap.memory_lock=true
    volumes:
      - ../../mistborn_volumes/extra/elasticsearch/init/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/guacamole.yml
+++ b/extra/guacamole.yml
@ -1,72 +0,0 @@
 version: '3'
 # services
 services:
  # guacd
  guacd:
    container_name: mistborn_production_guacd
    image: guacamole/guacd:1.3.0
    networks:
      guacnetwork:
    restart: unless-stopped
    volumes:
    - ../../mistborn_volumes/extra/guacamole/drive:/drive:rw
    - ../../mistborn_volumes/extra/guacamole/record:/record:rw
  # postgres
  guac_postgres:
    container_name: mistborn_production_guac_postgres
    env_file:
    - ../.envs/.production/.guacamole
    environment:
      PGDATA: /var/lib/postgresql/data/guacamole
    image: postgres
    networks:
      guacnetwork:
    restart: unless-stopped
    volumes:
    - ../../mistborn_volumes/extra/guacamole/init:/docker-entrypoint-initdb.d:ro
    - ../../mistborn_volumes/extra/guacamole/data:/var/lib/postgresql/data:rw
  # guacamole
  guacamole:
    container_name: mistborn_production_guacamole
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)"
    - "traefik.http.routers.guacamole-http.entrypoints=web"
    - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole"
    - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)"
    - "traefik.http.routers.guacamole-https.entrypoints=websecure"
    - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole"
    - "traefik.http.routers.guacamole-https.tls.certresolver=basic"
    - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole"
    - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080"
    depends_on:
    - guacd
    - guac_postgres
    environment:
      GUACD_HOSTNAME: guacd
      GUACD_PORT: 4822
      #GUACAMOLE_HOME: /config
    env_file:
    - ../.envs/.production/.guacamole
    image: guacamole/guacamole:1.3.0
    links:
    - guacd
    networks:
      guacnetwork:
    #ports:
 ## enable next line if not using nginx
 ##    - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /.
 ## enable next line when using nginx
    #- 8080/tcp
    restart: unless-stopped
 # networks
 # create a network 'guacnetwork' in mode 'bridged'
 networks:
  guacnetwork:
    driver: bridge
--- a/extra/homeassistant.yml
+++ b/extra/homeassistant.yml
@ -1,26 +0,0 @@
 version: '3'
 services:
  homeassistant:
    container_name: mistborn_production_home_assistant 
    image: homeassistant/home-assistant:stable
    volumes:
      - ../../mistborn_volumes/extra/homeassistant/config:/config
    environment:
      - TZ=America/New_York
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homeassistant-http.rule=Host(`homeassistant.mistborn`)"
      - "traefik.http.routers.homeassistant-http.entrypoints=web"
      - "traefik.http.routers.homeassistant-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.homeassistant-https.rule=Host(`homeassistant.mistborn`)"
      - "traefik.http.routers.homeassistant-https.entrypoints=websecure"
      - "traefik.http.routers.homeassistant-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.homeassistant-https.tls.certresolver=basic"
      - "traefik.http.services.homeassistant-service.loadbalancer.server.port=8123"
    restart: unless-stopped 
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/jellyfin.yml
+++ b/extra/jellyfin.yml
@ -1,30 +0,0 @@
 version: '3'
 volumes:
  production_jellyfin_config: {}
  production_jellyfin_cache: {}
 services:  
  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: mistborn_production_jellyfin
    volumes:
      - production_jellyfin_config:/config
      - production_jellyfin_cache:/cache
      - ../../mistborn_volumes/extra/nextcloud:/media:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin-http.rule=Host(`jellyfin.mistborn`)"
      - "traefik.http.routers.jellyfin-http.entrypoints=web"
      - "traefik.http.routers.jellyfin-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.jellyfin-https.rule=Host(`jellyfin.mistborn`)"
      - "traefik.http.routers.jellyfin-https.entrypoints=websecure"
      - "traefik.http.routers.jellyfin-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.jellyfin-https.tls.certresolver=basic"
      - "traefik.http.services.jellyfin-service.loadbalancer.server.port=8096"
    restart: unless-stopped
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/jitsi-meet.yml
+++ b/extra/jitsi-meet.yml
@ -1,255 +0,0 @@
 version: '3'
 services:
    # Frontend
    jitsi-web:
        image: jitsi/web:latest
        restart: unless-stopped
        #ports:
            #- '${HTTP_PORT}:80'
            #- '${HTTPS_PORT}:443'
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.jitsi-http.rule=Host(`jitsi.mistborn`)"
            - "traefik.http.routers.jitsi-http.entrypoints=web"
            - "traefik.http.routers.jitsi-http.middlewares=mistborn_auth@file"
            - "traefik.http.routers.jitsi-https.rule=Host(`jitsi.mistborn`)"
            - "traefik.http.routers.jitsi-https.entrypoints=websecure"
            - "traefik.http.routers.jitsi-https.middlewares=mistborn_auth@file"
            - "traefik.http.routers.jitsi-https.tls.certresolver=basic"
            - "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}"
        volumes:
            - ${CONFIG}/web:/config:Z
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_XMPP_WEBSOCKET
            - DISABLE_HTTPS
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - LETSENCRYPT_USE_STAGING
            - PUBLIC_URL
            - TZ
            - AMPLITUDE_ID
            - ANALYTICS_SCRIPT_URLS
            - ANALYTICS_WHITELISTED_EVENTS
            - BRIDGE_CHANNEL
            - BRANDING_DATA_URL
            - CALLSTATS_CUSTOM_SCRIPT_URL
            - CALLSTATS_ID
            - CALLSTATS_SECRET
            - CHROME_EXTENSION_BANNER_JSON
            - CONFCODE_URL
            - CONFIG_EXTERNAL_CONNECT
            - DEPLOYMENTINFO_ENVIRONMENT
            - DEPLOYMENTINFO_ENVIRONMENT_TYPE
            - DEPLOYMENTINFO_USERREGION
            - DIALIN_NUMBERS_URL
            - DIALOUT_AUTH_URL
            - DIALOUT_CODES_URL
            - DROPBOX_APPKEY
            - DROPBOX_REDIRECT_URI
            - ENABLE_AUDIO_PROCESSING
            - ENABLE_AUTH
            - ENABLE_CALENDAR
            - ENABLE_FILE_RECORDING_SERVICE
            - ENABLE_FILE_RECORDING_SERVICE_SHARING
            - ENABLE_GUESTS
            - ENABLE_IPV6
            - ENABLE_LIPSYNC
            - ENABLE_NO_AUDIO_DETECTION
            - ENABLE_P2P
            - ENABLE_PREJOIN_PAGE
            - ENABLE_RECORDING
            - ENABLE_REMB
            - ENABLE_REQUIRE_DISPLAY_NAME
            - ENABLE_SIMULCAST
            - ENABLE_STATS_ID
            - ENABLE_STEREO
            - ENABLE_SUBDOMAINS
            - ENABLE_TALK_WHILE_MUTED
            - ENABLE_TCC
            - ENABLE_TRANSCRIPTIONS
            - ETHERPAD_PUBLIC_URL
            - ETHERPAD_URL_BASE
            - GOOGLE_ANALYTICS_ID
            - GOOGLE_API_APP_CLIENT_ID
            - INVITE_SERVICE_URL
            - JICOFO_AUTH_USER
            - MATOMO_ENDPOINT
            - MATOMO_SITE_ID
            - MICROSOFT_API_APP_CLIENT_ID
            - NGINX_RESOLVER
            - NGINX_WORKER_PROCESSES
            - NGINX_WORKER_CONNECTIONS
            - PEOPLE_SEARCH_URL
            - RESOLUTION
            - RESOLUTION_MIN
            - RESOLUTION_WIDTH
            - RESOLUTION_WIDTH_MIN
            - START_AUDIO_ONLY
            - START_AUDIO_MUTED
            - START_BITRATE
            - START_VIDEO_MUTED
            - TESTING_CAP_SCREENSHARE_BITRATE
            - TESTING_OCTO_PROBABILITY
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - TOKEN_AUTH_URL
        networks:
            default:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}
    # XMPP server
    jitsi-prosody:
        image: jitsi/prosody:latest
        restart: unless-stopped
        expose:
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody/config:/config:Z
            - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LOBBY
            - ENABLE_XMPP_WEBSOCKET
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - XMPP_CROSS_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - PUBLIC_URL
            - TZ
        networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_SERVER}
    # Focus component
    jitsi-jicofo:
        image: jitsi/jicofo:latest
        restart: unless-stopped
        volumes:
            - ${CONFIG}/jicofo:/config:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIGASI_SIP_URI
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        depends_on:
            - jitsi-prosody
        networks:
            meet.jitsi:
    # Video bridge
    jitsi-jvb:
        image: jitsi/jvb:latest
        restart: unless-stopped
        ports:
            - "${MISTBORN_BIND_IP}:${JVB_PORT}:${JVB_PORT}/udp"
            - "${MISTBORN_BIND_IP}:${JVB_TCP_PORT}:${JVB_TCP_PORT}"
        volumes:
            - ${CONFIG}/jvb:/config:Z
        env_file:
            - ../.envs/.production/.jitsi
        environment:
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_TCP_MAPPED_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - JVB_WS_DOMAIN
            - JVB_WS_SERVER_ID
            - PUBLIC_URL
            - TZ
        depends_on:
            - jitsi-prosody
        networks:
            meet.jitsi:
                aliases:
                    - jvb.meet.jitsi
 # Custom network so all services can communicate using a FQDN
 networks:
    default:
      external:
        name: mistborn_default
    meet.jitsi:
--- a/extra/nextcloud.yml
+++ b/extra/nextcloud.yml
@ -1,29 +0,0 @@
 version: '3'
 services:  
  nextcloud:
    image: nextcloud
    container_name: mistborn_production_nextcloud
    env_file:
      - ../.envs/.production/.postgres
      - ../.envs/.production/.nextcloud
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.mistborn`)"
      - "traefik.http.routers.nextcloud-http.entrypoints=web"
      - "traefik.http.routers.nextcloud-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.mistborn`)"
      - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.nextcloud-https.tls.certresolver=basic"
      - "traefik.http.services.nextcloud-service.loadbalancer.server.port=80"
    volumes:
      - ../../mistborn_volumes/extra/nextcloud:/var/www/html
    environment:
      - VIRTUAL_HOST=nextcloud.mistborn
    restart: unless-stopped
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/onlyoffice.yml
+++ b/extra/onlyoffice.yml
@ -1,27 +0,0 @@
 version: '3'
 services:
  onlyoffice:
    container_name: mistborn_production_onlyoffice
    image: onlyoffice/documentserver:latest
    volumes:
      - ../../mistborn_volumes/extra/onlyoffice/logs:/var/log/onlyoffice
      - ../../mistborn_volumes/extra/onlyoffice/cache:/var/lib/onlyoffice
    env_file:
      - ../.envs/.production/.onlyoffice
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.onlyoffice-http.rule=Host(`onlyoffice.mistborn`)"
      - "traefik.http.routers.onlyoffice-http.entrypoints=web"
      - "traefik.http.routers.onlyoffice-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.onlyoffice-https.rule=Host(`onlyoffice.mistborn`)"
      - "traefik.http.routers.onlyoffice-https.entrypoints=websecure"
      - "traefik.http.routers.onlyoffice-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.onlyoffice-https.tls.certresolver=basic"
      - "traefik.http.services.onlyoffice-service.loadbalancer.server.port=80"
    restart: unless-stopped 
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/raspap.yml
+++ b/extra/raspap.yml
@ -1,33 +0,0 @@
 version: '3'
 services:
  raspap:
    image: "cyber5k/raspap:${MISTBORN_TAG}"
    container_name: mistborn_production_raspap
    #network_mode: host
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)"
      - "traefik.http.routers.raspap-http.entrypoints=web"
      - "traefik.http.routers.raspap-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.raspap-https.rule=Host(`raspap.mistborn`)"
      - "traefik.http.routers.raspap-https.entrypoints=websecure"
      - "traefik.http.routers.raspap-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.raspap-https.tls.certresolver=basic"
      - "traefik.http.services.raspap-service.loadbalancer.server.port=80"
    env_file:
      - ../.envs/.production/.raspap
    cap_add:
      #- NET_ADMIN
      - SYS_ADMIN
      #- CAP_FOWNER
    privileged: true
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    #command: /start
    restart: unless-stopped
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/rocketchat.yml
+++ b/extra/rocketchat.yml
@ -1,72 +0,0 @@
 version: '3'
 services:
  # rocketchat
  rocketchat:
    image: rocket.chat:latest
    container_name: mistborn_production_rocketchat
    command: bash -c 'for i in `seq 1 30`; do node main.js && s=$$? && break || s=$$?; echo "Tried $$i times. Waiting 5 secs..."; sleep 5; done; (exit $$s)'
    restart: unless-stopped
    volumes:
      - ../../mistborn_volumes/extra/rocketchat/uploads:/app/uploads
    environment:
      - PORT=3000
      - ROOT_URL=http://chat.mistborn
      - MONGO_URL=mongodb://mongo:27017/rocketchat
      - MONGO_OPLOG_URL=mongodb://mongo:27017/local
      - Accounts_UseDNSDomainCheck=False
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.chat-http.rule=Host(`chat.mistborn`)"
      - "traefik.http.routers.chat-http.entrypoints=web"
      - "traefik.http.routers.chat-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.chat-https.rule=Host(`chat.mistborn`)"
      - "traefik.http.routers.chat-https.entrypoints=websecure"
      - "traefik.http.routers.chat-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.chat-https.tls.certresolver=basic"
      - "traefik.http.services.chat-service.loadbalancer.server.port=3000"
    depends_on:
      - mongo
    #ports:
    #  - 3000:3000
  mongo:
    image: mongo:4.0
    container_name: mistborn_production_rocketchat_mongo
    restart: unless-stopped
    volumes:
     - ../../mistborn_volumes/extra/rocketchat/data/db:/data/db
     - ../../mistborn_volumes/extra/rocketchat/data/dump:/dump
    command: mongod --smallfiles --oplogSize 128 --replSet rs0 --storageEngine=mmapv1
  # this container's job is just run the command to initialize the replica set.
  # it will run the command and remove himself (it will not stay running)
  mongo-init-replica:
    image: mongo
    command: 'bash -c "for i in `seq 1 30`; do mongo mongo/rocketchat --eval \"rs.initiate({ _id: ''rs0'', members: [ { _id: 0, host: ''localhost:27017'' } ]})\" && s=$$? && break || s=$$?; echo \"Tried $$i times. Waiting 5 secs...\"; sleep 5; done; (exit $$s)"'
    depends_on:
      - mongo
  # hubot, the popular chatbot (add the bot user first and change the password before starting this image)
  hubot:
    image: rocketchat/hubot-rocketchat:latest
    container_name: mistborn_production_rocketchat_hubot
    restart: unless-stopped
    environment:
      - ROCKETCHAT_URL=chat.mistborn #:3000
      # you can add more scripts as you'd like here, they need to be installable by npm
      - EXTERNAL_SCRIPTS=hubot-help,hubot-seen,hubot-links,hubot-diagnostics
    env_file:
      - ../.envs/.production/.rocketchat
    depends_on:
      - rocketchat
    volumes:
      - ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts
  # this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier
    ports:
      - "${MISTBORN_BIND_IP}:3001:8080/tcp"
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/syncthing.yml
+++ b/extra/syncthing.yml
@ -1,35 +0,0 @@
 version: '3'
 services:
  syncthing:
    image: linuxserver/syncthing:latest
    container_name: mistborn_production_syncthing
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Amereica/New_York
      - UMASK_SET=022
    volumes:
      - ../../mistborn_volumes/extra/syncthing/config:/config
      - ../../mistborn_volumes/extra/syncthing/data1:/data1
      - ../../mistborn_volumes/extra/syncthing/data2:/data2
    ports:
      #- 8384:8384
      - "${MISTBORN_BIND_IP}:22000:22000/tcp" # listening port
      - "${MISTBORN_BIND_IP}:21027:21027/udp" # protocol discovery
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.mistborn`)"
      - "traefik.http.routers.syncthing-http.entrypoints=web"
      - "traefik.http.routers.syncthing-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.mistborn`)"
      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
      - "traefik.http.routers.syncthing-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.syncthing-https.tls.certresolver=basic"
      - "traefik.http.services.syncthing-service.loadbalancer.server.port=8384"
    restart: unless-stopped
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/tor.yml
+++ b/extra/tor.yml
@ -1,16 +0,0 @@
 version: '3'
 services:
  tor-client:
    build:
      context: ../compose/production/tor
      dockerfile: ./Dockerfile
    image: mistborn_production_tor
    container_name: mistborn_production_tor
    ports:
      - "${MISTBORN_BIND_IP}:9150:9150/tcp"
 networks:
  default:
    external:
      name: mistborn_default
--- a/extra/wazuh.yml
+++ b/extra/wazuh.yml
@ -1,70 +0,0 @@
 # Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 version: '3.7'
 services:
  wazuh:
    image: wazuh/wazuh-odfe:4.1.5
    hostname: wazuh-manager
    restart: unless-stopped
    ports:
      - "${MISTBORN_BIND_IP}:1514:1514"
      - "${MISTBORN_BIND_IP}:1515:1515"
      - "${MISTBORN_BIND_IP}:514:514/udp"
      - "${MISTBORN_BIND_IP}:55000:55000"
    environment:
      - FILEBEAT_SSL_VERIFICATION_MODE=none
    env_file:
      - ../.envs/.production/.wazuh
    volumes:
      - ossec_api_configuration:/var/ossec/api/configuration
      - ossec_etc:/var/ossec/etc
      - ossec_logs:/var/ossec/logs
      - ossec_queue:/var/ossec/queue
      - ossec_var_multigroups:/var/ossec/var/multigroups
      - ossec_integrations:/var/ossec/integrations
      - ossec_active_response:/var/ossec/active-response/bin
      - ossec_agentless:/var/ossec/agentless
      - ossec_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
  wazuh-kibana:
    image: wazuh/wazuh-kibana-odfe:4.1.5
    hostname: wazuh-kibana
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wazuhk-http.rule=Host(`wazuh.mistborn`)"
      - "traefik.http.routers.wazuhk-http.entrypoints=web"
      - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file"
      - "traefik.http.routers.wazuhk-https.rule=Host(`wazuh.mistborn`)"
      - "traefik.http.routers.wazuhk-https.entrypoints=websecure"
      - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file"
      - "traefik.http.routers.wazuhk-https.tls.certresolver=basic"
      - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601"
    #ports:
    #  - "${MISTBORN_BIND_IP}:5601:5601"
    environment:
      - SERVER_SSL_ENABLED=false
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
    env_file:
      - ../.envs/.production/.wazuh
 volumes:
  ossec_api_configuration:
  ossec_etc:
  ossec_logs:
  ossec_queue:
  ossec_var_multigroups:
  ossec_integrations:
  ossec_active_response:
  ossec_agentless:
  ossec_wodles:
  filebeat_etc:
  filebeat_var:
 networks:
  default:
    external:
      name: mistborn_default
--- a/scripts/conf/15-iptables.conf
+++ b/scripts/conf/15-iptables.conf
@ -1,6 +1,6 @@
 # Log kernel iptables dropped messages to iptables.log
 $template MyTemplate,"%$day%-%timegenerated:1:3:date-rfc3164%-%$year% %timegenerated:12:19:date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n"
-:msg,contains,"[IPTables-Dropped]:" /var/log/iptables.log;MyTemplate #RSYSLOG_FileFormat
+:msg,contains,"[Mistborn-IPTables-Dropped]:" /var/log/iptables.log;MyTemplate #RSYSLOG_FileFormat
 # Uncomment the following to stop logging anything that matches the last rule.
 # Doing this will stop logging kernel generated UFW log messages to the file
--- a/scripts/conf/cockpit.conf
+++ b/scripts/conf/cockpit.conf
@ -1,3 +0,0 @@
 [WebService]
 ProtocolHeader = X-Forwarded-Proto
 AllowUnencrypted=true
--- a/scripts/conf/jitsi.env
+++ b/scripts/conf/jitsi.env
@ -1,366 +0,0 @@
 # shellcheck disable=SC2034
 # Security
 #
 # Set these to strong passwords to avoid intruders from impersonating a service account
 # The service(s) won't start unless these are specified
 # Running ./gen-passwords.sh will update .env with strong passwords
 # You may skip the Jigasi and Jibri passwords if you are not using those
 # DO NOT reuse passwords
 #
 # XMPP component password for Jicofo
 JICOFO_COMPONENT_SECRET=
 # XMPP password for Jicofo client connections
 JICOFO_AUTH_PASSWORD=
 # XMPP password for JVB client connections
 JVB_AUTH_PASSWORD=
 # XMPP password for Jigasi MUC client connections
 JIGASI_XMPP_PASSWORD=
 # XMPP recorder password for Jibri client connections
 JIBRI_RECORDER_PASSWORD=
 # XMPP password for Jibri client connections
 JIBRI_XMPP_PASSWORD=
 #
 # Basic configuration options
 #
 # Directory where all configuration will be stored
 #CONFIG=~/.jitsi-meet-cfg
 CONFIG=../.envs/.production/.jitsi-cfg
 # Exposed HTTP port
 HTTP_PORT=80
 # Exposed HTTPS port
 HTTPS_PORT=443
 # System time zone
 TZ=UTC
 # Public URL for the web service (required)
 PUBLIC_URL=https://jitsi.mistborn
 # IP address of the Docker host
 # See the "Running behind NAT or on a LAN environment" section in the Handbook:
 # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
 #DOCKER_HOST_ADDRESS=192.168.1.1
 DOCKER_HOST_ADDRESS=10.2.3.1
 # Control whether the lobby feature should be enabled or not
 #ENABLE_LOBBY=1
 # Show a prejoin page before entering a conference
 #ENABLE_PREJOIN_PAGE=0
 #
 # Let's Encrypt configuration
 #
 # Enable Let's Encrypt certificate generation
 #ENABLE_LETSENCRYPT=1
 # Domain for which to generate the certificate
 #LETSENCRYPT_DOMAIN=meet.example.com
 # E-Mail for receiving important account notifications (mandatory)
 #LETSENCRYPT_EMAIL=alice@atlanta.net
 # Use the staging server (for avoiding rate limits while testing)
 #LETSENCRYPT_USE_STAGING=1
 #
 # Etherpad integration (for document sharing)
 #
 # Set etherpad-lite URL in docker local network (uncomment to enable)
 #ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
 # Set etherpad-lite public URL (uncomment to enable)
 #ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
 # Name your etherpad instance!
 ETHERPAD_TITLE="Video Chat"
 # The default text of a pad
 ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
 # Name of the skin for etherpad
 ETHERPAD_SKIN_NAME="colibris"
 # Skin variants for etherpad
 ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
 #
 # Basic Jigasi configuration options (needed for SIP gateway support)
 #
 # SIP URI for incoming / outgoing calls
 #JIGASI_SIP_URI=test@sip2sip.info
 # Password for the specified SIP account as a clear text
 #JIGASI_SIP_PASSWORD=passw0rd
 # SIP server (use the SIP account domain if in doubt)
 #JIGASI_SIP_SERVER=sip2sip.info
 # SIP server port
 #JIGASI_SIP_PORT=5060
 # SIP server transport
 #JIGASI_SIP_TRANSPORT=UDP
 #
 # Authentication configuration (see handbook for details)
 #
 # Enable authentication
 #ENABLE_AUTH=1
 # Enable guest access
 #ENABLE_GUESTS=1
 # Select authentication type: internal, jwt or ldap
 #AUTH_TYPE=internal
 # JWT authentication
 #
 # Application identifier
 #JWT_APP_ID=my_jitsi_app_id
 # Application secret known only to your token
 #JWT_APP_SECRET=my_jitsi_app_secret
 # (Optional) Set asap_accepted_issuers as a comma separated list
 #JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
 # (Optional) Set asap_accepted_audiences as a comma separated list
 #JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
 # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
 #
 # LDAP url for connection
 #LDAP_URL=ldaps://ldap.domain.com/
 # LDAP base DN. Can be empty
 #LDAP_BASE=DC=example,DC=domain,DC=com
 # LDAP user DN. Do not specify this parameter for the anonymous bind
 #LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
 # LDAP user password. Do not specify this parameter for the anonymous bind
 #LDAP_BINDPW=LdapUserPassw0rd
 # LDAP filter. Tokens example:
 # %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
 # %s - %s is replaced by the complete service string
 # %r - %r is replaced by the complete realm string
 #LDAP_FILTER=(sAMAccountName=%u)
 # LDAP authentication method
 #LDAP_AUTH_METHOD=bind
 # LDAP version
 #LDAP_VERSION=3
 # LDAP TLS using
 #LDAP_USE_TLS=1
 # List of SSL/TLS ciphers to allow
 #LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
 # Require and verify server certificate
 #LDAP_TLS_CHECK_PEER=1
 # Path to CA cert file. Used when server certificate verify is enabled
 #LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
 # Path to CA certs directory. Used when server certificate verify is enabled
 #LDAP_TLS_CACERT_DIR=/etc/ssl/certs
 # Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
 # LDAP_START_TLS=1
 #
 # Advanced configuration options (you generally don't need to change these)
 #
 # Internal XMPP domain
 XMPP_DOMAIN=meet.jitsi
 # Internal XMPP server
 XMPP_SERVER=xmpp.meet.jitsi
 # Internal XMPP server URL
 XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
 # Internal XMPP domain for authenticated services
 XMPP_AUTH_DOMAIN=auth.meet.jitsi
 # XMPP domain for the MUC
 XMPP_MUC_DOMAIN=muc.meet.jitsi
 # XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
 XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
 # XMPP domain for unauthenticated users
 XMPP_GUEST_DOMAIN=guest.meet.jitsi
 # Comma separated list of domains for cross domain policy or "true" to allow all
 # The PUBLIC_URL is always allowed
 #XMPP_CROSS_DOMAIN=true
 # Custom Prosody modules for XMPP_DOMAIN (comma separated)
 XMPP_MODULES=
 # Custom Prosody modules for MUC component (comma separated)
 XMPP_MUC_MODULES=
 # Custom Prosody modules for internal MUC component (comma separated)
 XMPP_INTERNAL_MUC_MODULES=
 # MUC for the JVB pool
 JVB_BREWERY_MUC=jvbbrewery
 # XMPP user for JVB client connections
 JVB_AUTH_USER=jvb
 # STUN servers used to discover the server's public IP
 JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
 # Media port for the Jitsi Videobridge
 JVB_PORT=10000
 # TCP Fallback for Jitsi Videobridge for when UDP isn't available
 JVB_TCP_HARVESTER_DISABLED=true
 JVB_TCP_PORT=4443
 JVB_TCP_MAPPED_PORT=4443
 # A comma separated list of APIs to enable when the JVB is started [default: none]
 # See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
 #JVB_ENABLE_APIS=rest,colibri
 # XMPP user for Jicofo client connections.
 # NOTE: this option doesn't currently work due to a bug
 JICOFO_AUTH_USER=focus
 # Base URL of Jicofo's reservation REST API
 #JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
 # Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
 #JICOFO_ENABLE_HEALTH_CHECKS=true
 # XMPP user for Jigasi MUC client connections
 JIGASI_XMPP_USER=jigasi
 # MUC name for the Jigasi pool
 JIGASI_BREWERY_MUC=jigasibrewery
 # Minimum port for media used by Jigasi
 JIGASI_PORT_MIN=20000
 # Maximum port for media used by Jigasi
 JIGASI_PORT_MAX=20050
 # Enable SDES srtp
 #JIGASI_ENABLE_SDES_SRTP=1
 # Keepalive method
 #JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
 # Health-check extension
 #JIGASI_HEALTH_CHECK_SIP_URI=keepalive
 # Health-check interval
 #JIGASI_HEALTH_CHECK_INTERVAL=300000
 #
 # Enable Jigasi transcription
 #ENABLE_TRANSCRIPTIONS=1
 # Jigasi will record audio when transcriber is on [default: false]
 #JIGASI_TRANSCRIBER_RECORD_AUDIO=true
 # Jigasi will send transcribed text to the chat when transcriber is on [default: false]
 #JIGASI_TRANSCRIBER_SEND_TXT=true
 # Jigasi will post an url to the chat with transcription file [default: false]
 #JIGASI_TRANSCRIBER_ADVERTISE_URL=true
 # Credentials for connect to Cloud Google API from Jigasi
 # Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
 # section "Before you begin" paragraph 1 to 5
 # Copy the values from the json to the related env vars
 #GC_PROJECT_ID=
 #GC_PRIVATE_KEY_ID=
 #GC_PRIVATE_KEY=
 #GC_CLIENT_EMAIL=
 #GC_CLIENT_ID=
 #GC_CLIENT_CERT_URL=
 # Enable recording
 #ENABLE_RECORDING=1
 # XMPP domain for the jibri recorder
 XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
 # XMPP recorder user for Jibri client connections
 JIBRI_RECORDER_USER=recorder
 # Directory for recordings inside Jibri container
 JIBRI_RECORDING_DIR=/config/recordings
 # The finalizing script. Will run after recording is complete
 JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
 # XMPP user for Jibri client connections
 JIBRI_XMPP_USER=jibri
 # MUC name for the Jibri pool
 JIBRI_BREWERY_MUC=jibribrewery
 # MUC connection timeout
 JIBRI_PENDING_TIMEOUT=90
 # When jibri gets a request to start a service for a room, the room
 # jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
 # We'll build the url for the call by transforming that into:
 # https://xmpp_domain/subdomain/roomName
 # So if there are any prefixes in the jid (like jitsi meet, which
 # has its participants join a muc at conference.xmpp_domain) then
 # list that prefix here so it can be stripped out to generate
 # the call url correctly
 JIBRI_STRIP_DOMAIN_JID=muc
 # Directory for logs inside Jibri container
 JIBRI_LOGS_DIR=/config/logs
 # Disable HTTPS: handle TLS connections outside of this setup
 DISABLE_HTTPS=1
 # Redirect HTTP traffic to HTTPS
 # Necessary for Let's Encrypt, relies on standard HTTPS port (443)
 #ENABLE_HTTP_REDIRECT=1
 # Enable IPv6
 # Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
 #ENABLE_IPV6=1
 # Container restart policy
 # Defaults to unless-stopped
 RESTART_POLICY=unless-stopped
 # Authenticate using external service or just focus external auth window if there is one already.
 # TOKEN_AUTH_URL=https://auth.meet.example.com/{room}
--- a/scripts/env/setup.sh
+++ b/scripts/env/setup.sh
@ -1,5 +1,10 @@
 #!/bin/bash
 # Version
 MISTBORN_MAJOR_VERSION="0"
 MISTBORN_MINOR_VERSION="1"
 MISTBORN_PATCH_NUMBER="1"
 #### ENV file
 VAR_FILE=/opt/mistborn/.env
@ -13,6 +18,12 @@ echo "" | sudo tee ${VAR_FILE}
 sudo chown mistborn:mistborn ${VAR_FILE}
 sudo chmod 600 ${VAR_FILE}
 # Version env variables
 echo "MISTBORN_VERSION=${MISTBORN_MAJOR_VERSION}.${MISTBORN_MINOR_VERSION}.${MISTBORN_PATCH_NUMBER}" | sudo tee -a ${VAR_FILE}
 echo "MISTBORN_MAJOR_VERSION=${MISTBORN_MAJOR_VERSION}" | sudo tee -a ${VAR_FILE}
 echo "MISTBORN_MINOR_VERSION=${MISTBORN_MINOR_VERSION}" | sudo tee -a ${VAR_FILE}
 echo "MISTBORN_PATCH_NUMBER=${MISTBORN_PATCH_NUMBER}" | sudo tee -a ${VAR_FILE}
 # MISTBORN_DNS_BIND_IP
 MISTBORN_DNS_BIND_IP="10.2.3.1"
@ -29,9 +40,11 @@ echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE}
 # MISTBORN_TAG
 GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master")
-MISTBORN_TAG="latest"
+MISTBORN_TAG="${MISTBORN_MAJOR_VERSION}.${MISTBORN_MINOR_VERSION}"
-if [ "$GIT_BRANCH" != "master" ]; then
+if [ ! -z "$MISTBORN_TEST_CONTAINER" ]; then
-    MISTBORN_TAG="test"
+    MISTBORN_TAG="$MISTBORN_TEST_CONTAINER"
 elif [ "$GIT_BRANCH" == "master" ]; then
    MISTBORN_TAG="latest"
 fi
 echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
@ -41,9 +54,9 @@ echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
 # copy current service files to systemd (overwriting as needed)
 sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
-# set script user and owner
+## set script user and owner
-sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
+#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
-#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
+##sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
 # reload in case the iface is not immediately set
 sudo systemctl daemon-reload
@ -56,8 +69,14 @@ while [[ -z "$iface" ]]; do
    iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]')
 done
 GLOBAL_ENV=/opt/mistborn/.envs/.production/.global
 install -Dv /dev/null $GLOBAL_ENV
 echo "DIFACE=$iface" >> $GLOBAL_ENV
 echo "MISTBORN_ENV_PATH=../../.envs/.production/" >> $GLOBAL_ENV
 echo "MISTBORN_VOL_PATH=../../../mistborn_volumes/extra/" >> $GLOBAL_ENV
 # default interface
-sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
+#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
 echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE}
--- a/scripts/install.sh
+++ b/scripts/install.sh
@ -39,7 +39,7 @@ if [ $(whoami) != "$MISTBORN_USER" ]; then
        sudo cp $FULLPATH /home/$MISTBORN_USER
        sudo chown $MISTBORN_USER:$MISTBORN_USER /home/$MISTBORN_USER/$FILENAME
-        sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" MISTBORN_INSTALL_COCKPIT="$MISTBORN_INSTALL_COCKPIT" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
+        sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
        exit 0
 fi
@ -76,13 +76,6 @@ source ./scripts/subinstallers/check_updates.sh
 # MISTBORN_DEFAULT_PASSWORD
 source ./scripts/subinstallers/passwd.sh
 # Install Cockpit?
 if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then
    read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface -- NOT RECOMMENDED on Raspberry Pi)? [y/N]: " MISTBORN_INSTALL_COCKPIT
    echo
    MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-N}
 fi
 # SSH keys
 if [ ! -f ~/.ssh/id_rsa ]; then
    echo "Generating SSH keypair for $USER"
@ -174,16 +167,6 @@ sudo systemctl start docker
 # Unattended upgrades
 sudo -E apt-get install -y unattended-upgrades
 # Cockpit
 if [[ "$MISTBORN_INSTALL_COCKPIT" =~ ^([yY][eE][sS]|[yY])$ ]]
 then
    # install cockpit
    source ./scripts/subinstallers/cockpit.sh
    # set variable (that will be available in environment)
    MISTBORN_INSTALL_COCKPIT=Y
 fi
 # Mistborn-cli (pip3 installed by docker)
 figlet "Mistborn: Installing mistborn-cli"
 sudo pip3 install -e ./modules/mistborn-cli
@ -224,9 +207,6 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-pihole
 sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd
 sudo mkdir -p ../mistborn_volumes/extra
 # Traefik final setup (cockpit)
 #cp ./compose/production/traefik/traefikv2.toml.template ./compose/production/traefik/traefik.toml
 # setup tls certs 
 source ./scripts/subinstallers/openssl.sh
 #sudo rm -rf ../mistborn_volumes/base/tls
--- a/scripts/services/Mistborn-base.service
+++ b/scripts/services/Mistborn-base.service
@ -6,6 +6,8 @@ After=docker.service
 After=netfilter-persistent.service
 [Service]
 EnvironmentFile=/opt/mistborn/.envs/.production/.global
 EnvironmentFile=/opt/mistborn/.env
 Restart=always
 RestartSec=15
 User=root
@ -21,13 +23,13 @@ ExecStartPre=-/usr/bin/bash -c "docker container stop $(docker network inspect m
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml build
-ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
+ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev $DIFACE
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
+#ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -A OUTPUT -o $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/ip6tables -w -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/resolvconf -u
 # Start container when unit is started
@ -35,12 +37,12 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml up
 # Stop container when unit is stopped
 ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 # Post stop
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
+#ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D OUTPUT -o $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
 [Install]
--- a/scripts/services/Mistborn-bitwarden.service
+++ b/scripts/services/Mistborn-bitwarden.service
@ -1,25 +0,0 @@
 [Unit]
 Description=Mistborn Bitwarden Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-elasticsearch.service
+++ b/scripts/services/Mistborn-elasticsearch.service
@ -1,22 +0,0 @@
 [Unit]
 Description=Mistborn Elasticsearch Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-guacamole.service
+++ b/scripts/services/Mistborn-guacamole.service
@ -1,23 +0,0 @@
 [Unit]
 Description=Mistborn Guacamole
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-homeassistant.service
+++ b/scripts/services/Mistborn-homeassistant.service
@ -1,23 +0,0 @@
 [Unit]
 Description=Mistborn Home Assistant 
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-jellyfin.service
+++ b/scripts/services/Mistborn-jellyfin.service
@ -1,23 +0,0 @@
 [Unit]
 Description=Mistborn Jellyfin Service
 Requires=Mistborn-nextcloud.service
 After=Mistborn-nextcloud.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-jitsi.service
+++ b/scripts/services/Mistborn-jitsi.service
@ -1,27 +0,0 @@
 [Unit]
 Description=Mistborn Jitsi Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
 # Post stop
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-nextcloud.service
+++ b/scripts/services/Mistborn-nextcloud.service
@ -1,23 +0,0 @@
 [Unit]
 Description=Mistborn Nextcloud Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-onlyoffice.service
+++ b/scripts/services/Mistborn-onlyoffice.service
@ -1,23 +0,0 @@
 [Unit]
 Description=Mistborn OnlyOffice Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-raspap.service
+++ b/scripts/services/Mistborn-raspap.service
@ -1,25 +0,0 @@
 [Unit]
 Description=Mistborn RaspAP Service 
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP
 #ExecStartPre=/bin/bash /opt/mistborn_volumes/extra/raspap/etc-raspap/hostapd/servicestart.sh --interface uap0 --seconds 3
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP
 # Post stop
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-rocketchat.service
+++ b/scripts/services/Mistborn-rocketchat.service
@ -1,25 +0,0 @@
 [Unit]
 Description=Mistborn Rocket Chat Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-syncthing.service
+++ b/scripts/services/Mistborn-syncthing.service
@ -1,27 +0,0 @@
 [Unit]
 Description=Mistborn Syncthing Service
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-tor.service
+++ b/scripts/services/Mistborn-tor.service
@ -1,25 +0,0 @@
 [Unit]
 Description=Mistborn Tor Service 
 Requires=Mistborn-base.service
 After=Mistborn-base.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
 ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
 # Post stop
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
@ -1,30 +0,0 @@
 [Unit]
 Description=Mistborn Wazuh Service
 Requires=Mistborn-elasticsearch.service
 After=Mistborn-elasticsearch.service
 PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
 TimeoutStartSec=600
 User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml up --build
 # Agent install
 ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
 # Suricata
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_stop.sh
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
 [Install]
 WantedBy=Mistborn-base.service
--- a/scripts/services/elasticsearch/files/internal_users.yml
+++ b/scripts/services/elasticsearch/files/internal_users.yml
@ -1,17 +0,0 @@
 ---
 # This is the internal user database
 # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
 _meta:
  type: "internalusers"
  config_version: 2
 # Define your internal users here
 mistborn:
  hash: "__MISTBORN_HASH__"
  reserved: true
  backend_roles:
  - "admin"
  description: "Mistborn user"
--- a/scripts/services/elasticsearch/init.sh
+++ b/scripts/services/elasticsearch/init.sh
@ -1,21 +0,0 @@
 #!/bin/bash
 set -e
 if [[ -f "/opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml" ]]; then
    echo "internal_users.yml exists. Proceeding."
    exit 0
 fi
 mkdir -p /opt/mistborn_volumes/extra/elasticsearch/init/ >/dev/null 2>&1
 chmod -R +x /opt/mistborn_volumes/extra/elasticsearch/init/
 cp /opt/mistborn/scripts/services/elasticsearch/files/internal_users.yml /opt/mistborn_volumes/extra/elasticsearch/init/
 ELASTICSEARCH_MISTBORN_HASHED="$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n')"
 if [[ -z "${ELASTICSEARCH_MISTBORN_HASHED}" ]]; then 
    echo "Elasticsearch password hash not generated properly"
    exit 1;
 fi
 sed -i "s|__MISTBORN_HASH__|${ELASTICSEARCH_MISTBORN_HASHED}|" /opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml
--- a/scripts/services/guacamole/init.sh
+++ b/scripts/services/guacamole/init.sh
@ -1,21 +0,0 @@
 #!/bin/bash
 if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then
    echo "initdb.sql exists. Proceeding."
    exit 0
 fi
 mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1
 chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/
 docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
 # grab values in initdb.sql to replace
 HEXSTRINGS=($(egrep -o [0-9a-fA-F]{64} /opt/mistborn_volumes/extra/guacamole/init/initdb.sql))
 # reset default password in init.db
 SALT=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice('0123456789ABCDEF') for x in range(64)]))")
 GUAC_PASSWORD_HASHED=$(echo -n "${MISTBORN_DEFAULT_PASSWORD}${SALT}" | sha256sum | awk '{print $1}' | tr a-z A-Z)
 sed -i "s/${HEXSTRINGS[1]}/$SALT/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
 sed -i "s/${HEXSTRINGS[0]}/$GUAC_PASSWORD_HASHED/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
 sed -i "s/guacadmin/mistborn/g" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
--- a/scripts/services/homeassistant/init.sh
+++ b/scripts/services/homeassistant/init.sh
@ -1,54 +0,0 @@
 #!/bin/bash
 HASS_CONFIG="/opt/mistborn_volumes/extra/homeassistant/config/configuration.yaml"
 if [[ -f "$HASS_CONFIG" ]]; then
    # configuration.yaml exists
    if [[ ! -z $(grep "use_x_forwarded_for: true" "$HASS_CONFIG") ]]; then
        # FOUND
        exit 0;
    fi
 # add the proxy config
 # write the trusted proxies config
 cat >> ${HASS_CONFIG}<< EOF
 http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.16.0.0/12 
 EOF
 exit 0;
 fi
 # create parent directory if needed
 PARENTDIR="$(dirname $HASS_CONFIG)"
 if [[ ! -d "$PARENTDIR" ]]; then
    mkdir -p $PARENTDIR
 fi
 # write the trusted proxies config
 cat >> ${HASS_CONFIG}<< EOF
 # Configure a default setup of Home Assistant (frontend, api, etc)
 default_config:
 # Text to speech
 #tts:
 #  - platform: google_translate
 #group: !include groups.yaml
 #automation: !include automations.yaml
 #script: !include scripts.yaml
 #scene: !include scenes.yaml
 http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.16.0.0/12  
 EOF
--- a/scripts/services/jitsi/iptables_down.sh
+++ b/scripts/services/jitsi/iptables_down.sh
@ -1,4 +0,0 @@
 #!/bin/bash
 iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
 iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
--- a/scripts/services/jitsi/iptables_up.sh
+++ b/scripts/services/jitsi/iptables_up.sh
@ -1,4 +0,0 @@
 #!/bin/bash
 iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
 iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
--- a/scripts/services/wazuh/agent.sh
+++ b/scripts/services/wazuh/agent.sh
@ -1,30 +0,0 @@
 #!/bin/bash
 # detect if already installed
 if dpkg -s wazuh-agent &> /dev/null; then
    echo "Wazuh agent already installed"
    exit 0
 fi
 # install curl
 echo "install curl"
 sudo -E apt-get install -y curl
 # prepare repo
 echo "Adding Wazuh Repository"
 curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo -E apt-key add -
 echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo -E tee /etc/apt/sources.list.d/wazuh.list
 apt-get update
 # wait for service to be listening
 while ! nc -z 10.2.3.1 55000; do
    WAIT_TIME=10
    echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
    sleep ${WAIT_TIME}
 done
 # install
 echo "Installing Wazuh agent"
 WAZUH_MANAGER="10.2.3.1" apt-get install wazuh-agent
--- a/scripts/services/wazuh/agent_start.sh
+++ b/scripts/services/wazuh/agent_start.sh
@ -1,4 +0,0 @@
 #!/bin/bash
 systemctl start wazuh-agent
 systemctl enable wazuh-agent
--- a/scripts/services/wazuh/agent_stop.sh
+++ b/scripts/services/wazuh/agent_stop.sh
@ -1,4 +0,0 @@
 #!/bin/bash
 systemctl stop wazuh-agent
 systemctl disable wazuh-agent
--- a/scripts/services/wazuh/suricata/suricata_init.sh
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
@ -1,129 +0,0 @@
 #!/bin/bash
 set -e
 # detect if suricata is installed
 if [[ $(dpkg-query -W -f='${Status}' suricata 2>/dev/null | grep -c "ok installed") -eq 1 ]]; then
    echo "Suricata Installed"
    exit 0
 fi
 source /opt/mistborn/scripts/subinstallers/platform.sh
 # minimal dependencies
 sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
                libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
                make libmagic-dev libjansson-dev jq wget
 ## recommended dependencies
 #sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
 #                libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
 #                libcap-ng-dev libcap-ng0 make libmagic-dev         \
 #                libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
 #                python-yaml rustc cargo
 # iptables/nftables integration
 sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1  \
                libnetfilter-log-dev libnetfilter-log1      \
                libnfnetlink-dev libnfnetlink0
 if [ "$DISTRO" == "ubuntu" ]; then
    echo "Installing Suricata Ubuntu PPA"
    sudo -E add-apt-repository -y ppa:oisf/suricata-stable
    sudo -E apt-get update
    sudo -E apt-get install -y suricata
 elif [ "$DISTRO" == "debian" ]; then
    # retrieve version codename
    source /etc/os-release
    echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
        sudo -E tee /etc/apt/sources.list.d/backports.list
    sudo -E apt-get update
    sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
 else
    echo "Basic Suricata installation"
    sudo -E apt-get install -y suricata
 fi
 # # iptables
 # sudo iptables -A INPUT -j NFQUEUE
 # sudo iptables -I FORWARD -j NFQUEUE
 # sudo iptables -I OUTPUT -j NFQUEUE
 # # rsyslog to create /var/log/suricata.log
 # sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
 # sudo chown root:root /etc/rsyslog.d/20-suricata.conf
 # sudo systemctl restart rsyslog
 # rules
 pushd .
 cd /tmp
 wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
 tar zxvf emerging.rules.tar.gz
 sudo -E rm /etc/suricata/rules/* -f
 sudo -E mv rules/*.rules /etc/suricata/rules/
 popd
 # suricata yaml
 sudo -E rm -f /etc/suricata/suricata.yaml
 sudo -E wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
 IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
 sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml
 sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
 #systemctl restart suricata
 # wait for service to be listening
 while ! nc -z 10.2.3.1 55000; do
    WAIT_TIME=10
    echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
    sleep ${WAIT_TIME}
 done
 # set working directory to mistborn for docker-compose
 pushd .
 cd /opt/mistborn
 # ensure group exists
 sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null
 # add this host to group
 WAZUH_ID=$(sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',')
 sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q
 # write agent.conf
 sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF
 <agent_config>
    <localfile>
        <log_format>json</log_format>
        <location>/var/log/suricata/eve.json</location>
    </localfile>
 </agent_config>
 EOF
 "
 # restart manager
 sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml restart wazuh
 popd
 # suricata-update
 sudo -E apt install python3-pip
 sudo -E pip3 install pyyaml
 sudo -E pip3 install https://github.com/OISF/suricata-update/archive/master.zip
 sudo -E pip3 install --pre --upgrade suricata-update
 # sudo -E suricata-update enable-source oisf/trafficid
 # sudo -E suricata-update enable-source etnetera/aggressive
 # sudo -E suricata-update enable-source sslbl/ssl-fp-blacklist
 # sudo -E suricata-update enable-source et/open
 # sudo -E suricata-update enable-source tgreen/hunting
 # sudo -E suricata-update enable-source sslbl/ja3-fingerprints
 # sudo -E suricata-update enable-source ptresearch/attackdetection
 sudo -E suricata-update
 sudo systemctl daemon-reload
 sudo systemctl restart suricata
--- a/scripts/services/wazuh/suricata/suricata_start.sh
+++ b/scripts/services/wazuh/suricata/suricata_start.sh
@ -1,7 +0,0 @@
 #!/bin/bash
 systemctl start suricata
 systemctl enable suricata
 #apt-get install -y python-pyinotify
 #python /opt/mistborn/scripts/services/scirius/suri_reloader -p /etc/suricata/rules &
--- a/scripts/services/wazuh/suricata/suricata_stop.sh
+++ b/scripts/services/wazuh/suricata/suricata_stop.sh
@ -1,6 +0,0 @@
 #!/bin/bash
 systemctl stop suricata
 systemctl disable suricata
 #kill $(pgrep -f suri_reloader) 2>/dev/null
--- a/scripts/subinstallers/cockpit.sh
+++ b/scripts/subinstallers/cockpit.sh
@ -1,31 +0,0 @@
 #!/bin/bash
 # Cockpit
 figlet "Mistborn: Installing Cockpit"
 if [ "$DISTRO" == "ubuntu" ]; then
    echo "Ubuntu backports enabled by default"
 elif [ "$DISTRO" == "debian" ]; then
    sudo grep -qF "buster-backports" /etc/apt/sources.list.d/backports.list \
    && echo "buster-backports already in sources" \
    || echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee -a /etc/apt/sources.list.d/backports.list
 elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
    echo "Raspbian repos contain cockpit"
 fi
 sudo -E apt-get install -y cockpit
 if [ $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ]; then
    # no longer supported upstream in Ubuntu 20.04
    sudo -E apt-get install -y cockpit-docker
 elif [ $(sudo apt-cache show cockpit-podman > /dev/null 2>&1) ]; then
    sudo -E apt-get install -y cockpit-podman
 fi
 sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf
 sudo systemctl restart cockpit.socket
 # create system cockpit user
 echo "Creating cockpit user"
 sudo useradd -s /bin/bash -d /home/cockpit -m -G sudo -p $(openssl passwd -1 "$MISTBORN_DEFAULT_PASSWORD") cockpit || true
--- a/scripts/subinstallers/extra/bitwarden.sh
+++ b/scripts/subinstallers/extra/bitwarden.sh
@ -1,7 +0,0 @@
 #!/bin/bash
 # generate bitwarden .env files
 BITWARDEN_PROD_FILE="$1"
 echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
 echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
 chmod 600 $BITWARDEN_PROD_FILE
--- a/scripts/subinstallers/extra/elasticsearch.sh
+++ b/scripts/subinstallers/extra/elasticsearch.sh
@ -1,6 +0,0 @@
 #!/bin/bash
 # Elasticsearch
 ELASTICSEARCH_PROD_FILE="$1"
 echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $ELASTICSEARCH_PROD_FILE
 chmod 600 $ELASTICSEARCH_PROD_FILE
--- a/scripts/subinstallers/extra/guacamole.sh
+++ b/scripts/subinstallers/extra/guacamole.sh
@ -1,14 +0,0 @@
 #!/bin/bash
 # Guacamole
 GUAC_PROD_FILE="$1"
 GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE
 echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE
 echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE
 echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
 echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
 echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
 echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
 echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE
 chmod 600 $GUAC_PROD_FILE
--- a/scripts/subinstallers/extra/jitsi.sh
+++ b/scripts/subinstallers/extra/jitsi.sh
@ -1,13 +0,0 @@
 #!/bin/bash
 # JITSI
 JITSI_PROD_FILE="$1"
 cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE
 mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
 sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
 chmod 600 $JITSI_PROD_FILE
--- a/scripts/subinstallers/extra/nextcloud.sh
+++ b/scripts/subinstallers/extra/nextcloud.sh
@ -1,10 +0,0 @@
 #!/bin/bash
 # generate nextcloud .env files
 NEXTCLOUD_PROD_FILE="$1"
 #NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
 echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
 echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
 echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
 chmod 600 $NEXTCLOUD_PROD_FILE
--- a/scripts/subinstallers/extra/onlyoffice.sh
+++ b/scripts/subinstallers/extra/onlyoffice.sh
@ -1,8 +0,0 @@
 #!/bin/bash
 # generate onlyoffice .env files
 ONLYOFFICE_PROD_FILE="$1"
 JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}"
 echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
 echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
 chmod 600 $ONLYOFFICE_PROD_FILE
--- a/scripts/subinstallers/extra/raspap.sh
+++ b/scripts/subinstallers/extra/raspap.sh
@ -1,6 +0,0 @@
 #!/bin/bash
 # RaspAP
 RASPAP_PROD_FILE="$1"
 echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" > $RASPAP_PROD_FILE
 chmod 600 $RASPAP_PROD_FILE
--- a/scripts/subinstallers/extra/rocketchat.sh
+++ b/scripts/subinstallers/extra/rocketchat.sh
@ -1,15 +0,0 @@
 #!/bin/bash
 # generate rocketchat .env files
 ROCKETCHAT_PROD_FILE="$1"
 #ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
 echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
 echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
 echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
 echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
 # docker environment
 echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE
 chmod 600 $ROCKETCHAT_PROD_FILE
--- a/scripts/subinstallers/extra/wazuh.sh
+++ b/scripts/subinstallers/extra/wazuh.sh
@ -1,92 +0,0 @@
 #!/bin/bash
 # Wazuh
 WAZUH_PROD_FILE="$1"
 echo "ELASTIC_USERNAME=mistborn" > $WAZUH_PROD_FILE
 echo "ELASTIC_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
 echo "ELASTICSEARCH_USERNAME=mistborn" >> $WAZUH_PROD_FILE
 echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
 # kibana odfe
 # kibana-odfe/config/wazuh_app_config.sh
 # https://wazuh
 echo "WAZUH_API_URL=https://10.2.3.1" >> $WAZUH_PROD_FILE
 echo "API_PORT=55000" >> $WAZUH_PROD_FILE
 echo "API_USERNAME=wazuh-wui" >> $WAZUH_PROD_FILE
 #API_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
 API_PASSWORD_PYTHON=$(cat << EOF
 import secrets
 import random
 import string
 random_pass = ([secrets.choice("@$!*?-"),
                           secrets.choice(string.digits),
                           secrets.choice(string.ascii_lowercase),
                           secrets.choice(string.ascii_uppercase),
                           ]
                          + [secrets.choice(string.ascii_lowercase
                                           + string.ascii_uppercase
                                           + "@$!*?-"
                                           + string.digits) for i in range(12)])
 random.shuffle(random_pass)
 random_pass = ''.join(random_pass)
 print(random_pass)
 EOF
 )
 API_PASSWORD=$(python3 -c "${API_PASSWORD_PYTHON}")
 echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE
 # kibana-odfe/config/entrypoint.sh:
 # https://elasticsearch:9200
 echo "ELASTICSEARCH_URL=https://10.2.3.1:9200" >> $WAZUH_PROD_FILE
 cat >> ${WAZUH_PROD_FILE}<< EOF
 PATTERN="wazuh-alerts-*"
 CHECKS_PATTERN=true
 CHECKS_TEMPLATE=true
 CHECKS_API=true
 CHECKS_SETUP=true
 EXTENSIONS_PCI=true
 EXTENSIONS_GDPR=true
 EXTENSIONS_HIPAA=true
 EXTENSIONS_NIST=true
 EXTENSIONS_TSC=true
 EXTENSIONS_AUDIT=true
 EXTENSIONS_OSCAP=false
 EXTENSIONS_CISCAT=false
 EXTENSIONS_AWS=false
 EXTENSIONS_GCP=false
 EXTENSIONS_VIRUSTOTAL=true
 EXTENSIONS_OSQUERY=true
 EXTENSIONS_DOCKER=true
 APP_TIMEOUT=20000
 API_SELECTOR=true
 IP_SELECTOR=true
 IP_IGNORE="[]"
 WAZUH_MONITORING_ENABLED=true
 WAZUH_MONITORING_FREQUENCY=900
 WAZUH_MONITORING_SHARDS=2
 WAZUH_MONITORING_REPLICAS=0
 ADMIN_PRIVILEGES=true
 EOF
 echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
 chmod 600 $WAZUH_PROD_FILE
--- a/scripts/subinstallers/gen_prod_env.sh
+++ b/scripts/subinstallers/gen_prod_env.sh
@ -42,4 +42,5 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole"
 WEBPASSWORD="$1"
 echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE
 echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE
 chmod 600 $PIHOLE_PROD_FILE
--- a/scripts/subinstallers/iptables.sh
+++ b/scripts/subinstallers/iptables.sh
@ -32,7 +32,7 @@ sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true
 # iptables: log and drop chain
 sudo iptables -N MISTBORN_LOG_DROP
-sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
+sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
 sudo iptables -A MISTBORN_LOG_DROP -j DROP
 # wireguard rules chains
@ -83,7 +83,7 @@ sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true
 # ip6tables: log and drop chain
 sudo ip6tables -N MISTBORN_LOG_DROP
-sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
+sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
 sudo ip6tables -A MISTBORN_LOG_DROP -j DROP
 # ip6tables
Author	SHA1	Message	Date
Steven Foerster	2e5d51c5db	Merge branch 'master' into v1	4 years ago
Steven Foerster	fb394fb770	Merge branch 'master' into v1	4 years ago
Steven Foerster	92ba477fc9	merge master	4 years ago
Steven Foerster	ff93578f1b	merge master	4 years ago
Steven Foerster	cd36347210	Merge branch 'master' into v1	5 years ago
Steven Foerster	7a5c9c71c2	Merge branch 'v1' of gitlab.com:cyber5k/mistborn into v1	5 years ago
Steven Foerster	01143fa791	mistborn iptables comment	5 years ago
Steven Foerster	b2d29d79c8	Merge branch 'master' into v1	5 years ago
Steven Foerster	3fb6c396d2	merge master	5 years ago
Steven Foerster	ca1701156c	Merge branch 'master' into v1	5 years ago
Steven Foerster	55171b255c	paths in setup	5 years ago
Steven Foerster	959e9fef1d	upstream dns	5 years ago
Steven Foerster	4d61374ebf	merge master	5 years ago
Steven Foerster	4ad96494f7	systemd	5 years ago
Steven Foerster	ccf9b61fd2	tweaks	5 years ago
Steven Foerster	18902b4be9	strip out flower	5 years ago
Steven Foerster	202f2658c4	mistborn user	5 years ago
Steven Foerster	021051a45f	Merge branch 'v1' of gitlab.com:cyber5k/mistborn into v1	5 years ago
Steven Foerster	0f6e9463e4	global environment variables	5 years ago
Steven Foerster	059c55c64b	sudo	5 years ago
Steven Foerster	b9dfb30084	mistborn install preserve env	5 years ago
Steven Foerster	fd1f3cc5cb	syntax	5 years ago
Steven Foerster	074a264bed	redis provider	5 years ago
Steven Foerster	682c620ee2	shell	5 years ago
Steven Foerster	a70feca44c	bash gitlab-ci	5 years ago
Steven Foerster	a6a641679d	removing extras to other repos	5 years ago