crappyrules
/
mistborn
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: crappyrules:master
Branches Tags
crappyrules:135-scirius
crappyrules:135-suricata
crappyrules:145-regen
crappyrules:155-refactor
crappyrules:183-redis
crappyrules:47-ansible
crappyrules:53-wifi
crappyrules:59-mattermost
crappyrules:ipv6
crappyrules:master
crappyrules:oidc
crappyrules:onlyoffice
crappyrules:test
crappyrules:v1
crappyrules:v1-1
..
compare: crappyrules:v1
Branches Tags
crappyrules:135-scirius
crappyrules:135-suricata
crappyrules:145-regen
crappyrules:155-refactor
crappyrules:183-redis
crappyrules:47-ansible
crappyrules:53-wifi
crappyrules:59-mattermost
crappyrules:ipv6
crappyrules:master
crappyrules:oidc
crappyrules:onlyoffice
crappyrules:test
crappyrules:v1
crappyrules:v1-1

26 Commits
master ... v1

Author SHA1 Message Date
Steven Foerster 2e5d51c5db Merge branch 'master' into v1
4 years ago
Steven Foerster fb394fb770 Merge branch 'master' into v1
4 years ago
Steven Foerster 92ba477fc9 merge master
4 years ago
Steven Foerster ff93578f1b merge master
4 years ago
Steven Foerster cd36347210 Merge branch 'master' into v1
5 years ago
Steven Foerster 7a5c9c71c2 Merge branch 'v1' of gitlab.com:cyber5k/mistborn into v1
5 years ago
Steven Foerster 01143fa791 mistborn iptables comment
5 years ago
Steven Foerster b2d29d79c8 Merge branch 'master' into v1
5 years ago
Steven Foerster 3fb6c396d2 merge master
5 years ago
Steven Foerster ca1701156c Merge branch 'master' into v1
5 years ago
Steven Foerster 55171b255c paths in setup
5 years ago
Steven Foerster 959e9fef1d upstream dns
5 years ago
Steven Foerster 4d61374ebf merge master
5 years ago
Steven Foerster 4ad96494f7 systemd
5 years ago
Steven Foerster ccf9b61fd2 tweaks
5 years ago
Steven Foerster 18902b4be9 strip out flower
5 years ago
Steven Foerster 202f2658c4 mistborn user
5 years ago
Steven Foerster 021051a45f Merge branch 'v1' of gitlab.com:cyber5k/mistborn into v1
5 years ago
Steven Foerster 0f6e9463e4 global environment variables
5 years ago
Steven Foerster 059c55c64b sudo
5 years ago
Steven Foerster b9dfb30084 mistborn install preserve env
5 years ago
Steven Foerster fd1f3cc5cb syntax
5 years ago
Steven Foerster 074a264bed redis provider
5 years ago
Steven Foerster 682c620ee2 shell
5 years ago
Steven Foerster a70feca44c bash gitlab-ci
5 years ago
Steven Foerster a6a641679d removing extras to other repos
5 years ago
60 changed files with 75 additions and 1987 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats
  1. 1
      .gitlab-ci.yml
  2. 5
      README.md
  3. 4
      base.yml
  4. 24
      compose/production/traefik/dynamic.toml
  5. 28
      extra/bitwarden.yml
  6. 30
      extra/elasticsearch.yml
  7. 72
      extra/guacamole.yml
  8. 26
      extra/homeassistant.yml
  9. 30
      extra/jellyfin.yml
  10. 255
      extra/jitsi-meet.yml
  11. 29
      extra/nextcloud.yml
  12. 27
      extra/onlyoffice.yml
  13. 33
      extra/raspap.yml
  14. 72
      extra/rocketchat.yml
  15. 35
      extra/syncthing.yml
  16. 16
      extra/tor.yml
  17. 70
      extra/wazuh.yml
  18. 2
      scripts/conf/15-iptables.conf
  19. 3
      scripts/conf/cockpit.conf
  20. 366
      scripts/conf/jitsi.env
  21. 31
      scripts/env/setup.sh
  22. 22
      scripts/install.sh
  23. 28
      scripts/services/Mistborn-base.service
  24. 25
      scripts/services/Mistborn-bitwarden.service
  25. 22
      scripts/services/Mistborn-elasticsearch.service
  26. 23
      scripts/services/Mistborn-guacamole.service
  27. 23
      scripts/services/Mistborn-homeassistant.service
  28. 23
      scripts/services/Mistborn-jellyfin.service
  29. 27
      scripts/services/Mistborn-jitsi.service
  30. 23
      scripts/services/Mistborn-nextcloud.service
  31. 23
      scripts/services/Mistborn-onlyoffice.service
  32. 25
      scripts/services/Mistborn-raspap.service
  33. 25
      scripts/services/Mistborn-rocketchat.service
  34. 27
      scripts/services/Mistborn-syncthing.service
  35. 25
      scripts/services/Mistborn-tor.service
  36. 30
      scripts/services/Mistborn-wazuh.service
  37. 17
      scripts/services/elasticsearch/files/internal_users.yml
  38. 21
      scripts/services/elasticsearch/init.sh
  39. 21
      scripts/services/guacamole/init.sh
  40. 54
      scripts/services/homeassistant/init.sh
  41. 4
      scripts/services/jitsi/iptables_down.sh
  42. 4
      scripts/services/jitsi/iptables_up.sh
  43. 30
      scripts/services/wazuh/agent.sh
  44. 4
      scripts/services/wazuh/agent_start.sh
  45. 4
      scripts/services/wazuh/agent_stop.sh
  46. 129
      scripts/services/wazuh/suricata/suricata_init.sh
  47. 7
      scripts/services/wazuh/suricata/suricata_start.sh
  48. 6
      scripts/services/wazuh/suricata/suricata_stop.sh
  49. 31
      scripts/subinstallers/cockpit.sh
  50. 7
      scripts/subinstallers/extra/bitwarden.sh
  51. 6
      scripts/subinstallers/extra/elasticsearch.sh
  52. 14
      scripts/subinstallers/extra/guacamole.sh
  53. 13
      scripts/subinstallers/extra/jitsi.sh
  54. 10
      scripts/subinstallers/extra/nextcloud.sh
  55. 8
      scripts/subinstallers/extra/onlyoffice.sh
  56. 6
      scripts/subinstallers/extra/raspap.sh
  57. 15
      scripts/subinstallers/extra/rocketchat.sh
  58. 92
      scripts/subinstallers/extra/wazuh.sh
  59. 1
      scripts/subinstallers/gen_prod_env.sh
  60. 4
      scripts/subinstallers/iptables.sh

1
.gitlab-ci.yml
Unescape View File

@ -13,7 +13,6 @@ stages: @@ -13,7 +13,6 @@ stages:
include:
- template: Code-Quality.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
docker_build:
stage: test

5
README.md
Unescape View File

@ -15,7 +15,7 @@ The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-origin @@ -15,7 +15,7 @@ The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-origin
Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free public WiFi networks. We needed a way to secure all family devices with a solid VPN (WireGuard). Once we had that we wanted to control DNS to block ads to all devices and block malicious websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding more services so I made that easy to do.
As a [Certified Information Systems Security Professional (CISSP)](https://www.credly.com/badges/ebcb76f2-1e82-4079-9ea3-b507ffbd1d15/public_url) and an [Offensive Security Certified Professional (OSCP)](https://www.credly.com/badges/b93c44ec-3af5-48e8-9a33-b64365b70c61/public_url), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights).
As an [Offensive Security Certified Professional (OSCP)](https://resources.infosecinstitute.com/certification/the-oscp-certification-and-exam/), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights).
Ideal for teams who:
- hate internet ads
@ -62,9 +62,8 @@ Within Mistborn is a panel to enable and manage these free extra services (off b @@ -62,9 +62,8 @@ Within Mistborn is a panel to enable and manage these free extra services (off b
# Quickstart
Tested Operating Systems (in order of thoroughness):
- Ubuntu 20.04 LTS
- Debian 11 (Bullseye)
- Debian 10 (Buster)
- Raspberry Pi OS (formerly Raspbian) Buster
- Formerly tested and may still work: Ubuntu 18.04 LTS, Debian 10 (Buster)
**Note:** Install operating system updates and restart. Raspberry Pi OS particularly needs to be restarted after kernel updates (kernel modules for the currently running kernel may be missing).

4
base.yml
Unescape View File

@ -55,6 +55,7 @@ services: @@ -55,6 +55,7 @@ services:
container_name: mistborn_production_traefik
depends_on:
- django
- redis
volumes:
#- production_traefik:/etc/traefik/acme
- ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro
@ -178,7 +179,6 @@ services: @@ -178,7 +179,6 @@ services:
command: /start-celerybeat
restart: unless-stopped
# flower:
# image: "cyber5k/mistborn:${MISTBORN_TAG}"
# container_name: mistborn_production_flower
@ -238,7 +238,7 @@ services: @@ -238,7 +238,7 @@ services:
- DNSCRYPT_LISTEN_PORT=5054
# resolvers: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md
#- DNSCRYPT_SERVER_NAMES=['scaleway-fr','google','yandex','cloudflare']
- DNSCRYPT_SERVER_NAMES=['cloudflare','dnswarden-doh1','dnswarden-doh2','dnswarden-doh3','adguard-dns-doh']
- DNSCRYPT_SERVER_NAMES=['cloudflare']
networks:
pihole_net:
ipv4_address: 10.2.0.2

24
compose/production/traefik/dynamic.toml
Unescape View File

@ -8,17 +8,21 @@ @@ -8,17 +8,21 @@
[tls.options.default]
minVersion = "VersionTLS12"
[http.services]
[http.services.cockpit.loadBalancer]
[[http.services.cockpit.loadBalancer.servers]]
url = "http://10.2.3.1:9090"
[providers.redis]
endpoints = ["127.0.0.1:6379"]
rootKey = "traefik"
[http.routers]
[http.routers.cockpit]
rule = "Host(`cockpit.mistborn`)"
service = "cockpit"
entrypoints = ["web", "websecure"]
middlewares = ["mistborn_auth"]
#[http.services]
# [http.services.cockpit.loadBalancer]
# [[http.services.cockpit.loadBalancer.servers]]
# url = "http://10.2.3.1:9090"
#
#[http.routers]
# [http.routers.cockpit]
# rule = "Host(`cockpit.mistborn`)"
# service = "cockpit"
# entrypoints = ["web", "websecure"]
# middlewares = ["mistborn_auth"]
[http.middlewares]
[http.middlewares.mistborn_auth.forwardAuth]

28
extra/bitwarden.yml
Unescape View File

@ -1,28 +0,0 @@ @@ -1,28 +0,0 @@
version: '3'
services:
bitwarden:
image: vaultwarden/server:latest
container_name: mistborn_production_bitwarden
env_file:
- ../.envs/.production/.bitwarden
volumes:
- ../../mistborn_volumes/extra/bitwarden:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.bitwarden-http.rule=Host(`bitwarden.mistborn`)"
- "traefik.http.routers.bitwarden-http.entrypoints=web"
- "traefik.http.routers.bitwarden-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.bitwarden-https.rule=Host(`bitwarden.mistborn`)"
- "traefik.http.routers.bitwarden-https.entrypoints=websecure"
- "traefik.http.routers.bitwarden-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.bitwarden-https.tls.certresolver=basic"
- "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
ports:
- "${MISTBORN_BIND_IP}:3012:3012/tcp"
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

30
extra/elasticsearch.yml
Unescape View File

@ -1,30 +0,0 @@ @@ -1,30 +0,0 @@
version: '3.7'
services:
elasticsearch:
image: amazon/opendistro-for-elasticsearch:1.13.2
hostname: elasticsearch
restart: unless-stopped
ports:
- "${MISTBORN_BIND_IP}:9200:9200"
environment:
- discovery.type=single-node
- cluster.name=mistborn-cluster
- network.host=0.0.0.0
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- bootstrap.memory_lock=true
volumes:
- ../../mistborn_volumes/extra/elasticsearch/init/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
networks:
default:
external:
name: mistborn_default

72
extra/guacamole.yml
Unescape View File

@ -1,72 +0,0 @@ @@ -1,72 +0,0 @@
version: '3'
# services
services:
# guacd
guacd:
container_name: mistborn_production_guacd
image: guacamole/guacd:1.3.0
networks:
guacnetwork:
restart: unless-stopped
volumes:
- ../../mistborn_volumes/extra/guacamole/drive:/drive:rw
- ../../mistborn_volumes/extra/guacamole/record:/record:rw
# postgres
guac_postgres:
container_name: mistborn_production_guac_postgres
env_file:
- ../.envs/.production/.guacamole
environment:
PGDATA: /var/lib/postgresql/data/guacamole
image: postgres
networks:
guacnetwork:
restart: unless-stopped
volumes:
- ../../mistborn_volumes/extra/guacamole/init:/docker-entrypoint-initdb.d:ro
- ../../mistborn_volumes/extra/guacamole/data:/var/lib/postgresql/data:rw
# guacamole
guacamole:
container_name: mistborn_production_guacamole
labels:
- "traefik.enable=true"
- "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)"
- "traefik.http.routers.guacamole-http.entrypoints=web"
- "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole"
- "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)"
- "traefik.http.routers.guacamole-https.entrypoints=websecure"
- "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole"
- "traefik.http.routers.guacamole-https.tls.certresolver=basic"
- "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole"
- "traefik.http.services.guacamole-service.loadbalancer.server.port=8080"
depends_on:
- guacd
- guac_postgres
environment:
GUACD_HOSTNAME: guacd
GUACD_PORT: 4822
#GUACAMOLE_HOME: /config
env_file:
- ../.envs/.production/.guacamole
image: guacamole/guacamole:1.3.0
links:
- guacd
networks:
guacnetwork:
#ports:
## enable next line if not using nginx
## - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /.
## enable next line when using nginx
#- 8080/tcp
restart: unless-stopped
# networks
# create a network 'guacnetwork' in mode 'bridged'
networks:
guacnetwork:
driver: bridge

26
extra/homeassistant.yml
Unescape View File

@ -1,26 +0,0 @@ @@ -1,26 +0,0 @@
version: '3'
services:
homeassistant:
container_name: mistborn_production_home_assistant
image: homeassistant/home-assistant:stable
volumes:
- ../../mistborn_volumes/extra/homeassistant/config:/config
environment:
- TZ=America/New_York
labels:
- "traefik.enable=true"
- "traefik.http.routers.homeassistant-http.rule=Host(`homeassistant.mistborn`)"
- "traefik.http.routers.homeassistant-http.entrypoints=web"
- "traefik.http.routers.homeassistant-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.homeassistant-https.rule=Host(`homeassistant.mistborn`)"
- "traefik.http.routers.homeassistant-https.entrypoints=websecure"
- "traefik.http.routers.homeassistant-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.homeassistant-https.tls.certresolver=basic"
- "traefik.http.services.homeassistant-service.loadbalancer.server.port=8123"
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

30
extra/jellyfin.yml
Unescape View File

@ -1,30 +0,0 @@ @@ -1,30 +0,0 @@
version: '3'
volumes:
production_jellyfin_config: {}
production_jellyfin_cache: {}
services:
jellyfin:
image: jellyfin/jellyfin:latest
container_name: mistborn_production_jellyfin
volumes:
- production_jellyfin_config:/config
- production_jellyfin_cache:/cache
- ../../mistborn_volumes/extra/nextcloud:/media:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.jellyfin-http.rule=Host(`jellyfin.mistborn`)"
- "traefik.http.routers.jellyfin-http.entrypoints=web"
- "traefik.http.routers.jellyfin-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.jellyfin-https.rule=Host(`jellyfin.mistborn`)"
- "traefik.http.routers.jellyfin-https.entrypoints=websecure"
- "traefik.http.routers.jellyfin-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.jellyfin-https.tls.certresolver=basic"
- "traefik.http.services.jellyfin-service.loadbalancer.server.port=8096"
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

255
extra/jitsi-meet.yml
Unescape View File

@ -1,255 +0,0 @@ @@ -1,255 +0,0 @@
version: '3'
services:
# Frontend
jitsi-web:
image: jitsi/web:latest
restart: unless-stopped
#ports:
#- '${HTTP_PORT}:80'
#- '${HTTPS_PORT}:443'
labels:
- "traefik.enable=true"
- "traefik.http.routers.jitsi-http.rule=Host(`jitsi.mistborn`)"
- "traefik.http.routers.jitsi-http.entrypoints=web"
- "traefik.http.routers.jitsi-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.jitsi-https.rule=Host(`jitsi.mistborn`)"
- "traefik.http.routers.jitsi-https.entrypoints=websecure"
- "traefik.http.routers.jitsi-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.jitsi-https.tls.certresolver=basic"
- "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}"
volumes:
- ${CONFIG}/web:/config:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- ENABLE_LETSENCRYPT
- ENABLE_HTTP_REDIRECT
- ENABLE_XMPP_WEBSOCKET
- DISABLE_HTTPS
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- PUBLIC_URL
- TZ
- AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS
- BRIDGE_CHANNEL
- BRANDING_DATA_URL
- CALLSTATS_CUSTOM_SCRIPT_URL
- CALLSTATS_ID
- CALLSTATS_SECRET
- CHROME_EXTENSION_BANNER_JSON
- CONFCODE_URL
- CONFIG_EXTERNAL_CONNECT
- DEPLOYMENTINFO_ENVIRONMENT
- DEPLOYMENTINFO_ENVIRONMENT_TYPE
- DEPLOYMENTINFO_USERREGION
- DIALIN_NUMBERS_URL
- DIALOUT_AUTH_URL
- DIALOUT_CODES_URL
- DROPBOX_APPKEY
- DROPBOX_REDIRECT_URI
- ENABLE_AUDIO_PROCESSING
- ENABLE_AUTH
- ENABLE_CALENDAR
- ENABLE_FILE_RECORDING_SERVICE
- ENABLE_FILE_RECORDING_SERVICE_SHARING
- ENABLE_GUESTS
- ENABLE_IPV6
- ENABLE_LIPSYNC
- ENABLE_NO_AUDIO_DETECTION
- ENABLE_P2P
- ENABLE_PREJOIN_PAGE
- ENABLE_RECORDING
- ENABLE_REMB
- ENABLE_REQUIRE_DISPLAY_NAME
- ENABLE_SIMULCAST
- ENABLE_STATS_ID
- ENABLE_STEREO
- ENABLE_SUBDOMAINS
- ENABLE_TALK_WHILE_MUTED
- ENABLE_TCC
- ENABLE_TRANSCRIPTIONS
- ETHERPAD_PUBLIC_URL
- ETHERPAD_URL_BASE
- GOOGLE_ANALYTICS_ID
- GOOGLE_API_APP_CLIENT_ID
- INVITE_SERVICE_URL
- JICOFO_AUTH_USER
- MATOMO_ENDPOINT
- MATOMO_SITE_ID
- MICROSOFT_API_APP_CLIENT_ID
- NGINX_RESOLVER
- NGINX_WORKER_PROCESSES
- NGINX_WORKER_CONNECTIONS
- PEOPLE_SEARCH_URL
- RESOLUTION
- RESOLUTION_MIN
- RESOLUTION_WIDTH
- RESOLUTION_WIDTH_MIN
- START_AUDIO_ONLY
- START_AUDIO_MUTED
- START_BITRATE
- START_VIDEO_MUTED
- TESTING_CAP_SCREENSHARE_BITRATE
- TESTING_OCTO_PROBABILITY
- XMPP_AUTH_DOMAIN
- XMPP_BOSH_URL_BASE
- XMPP_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
- TOKEN_AUTH_URL
networks:
default:
meet.jitsi:
aliases:
- ${XMPP_DOMAIN}
# XMPP server
jitsi-prosody:
image: jitsi/prosody:latest
restart: unless-stopped
expose:
- '5222'
- '5347'
- '5280'
volumes:
- ${CONFIG}/prosody/config:/config:Z
- ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- AUTH_TYPE
- ENABLE_AUTH
- ENABLE_GUESTS
- ENABLE_LOBBY
- ENABLE_XMPP_WEBSOCKET
- GLOBAL_MODULES
- GLOBAL_CONFIG
- LDAP_URL
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_AUTH_METHOD
- LDAP_VERSION
- LDAP_USE_TLS
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
- LDAP_TLS_CACERT_FILE
- LDAP_TLS_CACERT_DIR
- LDAP_START_TLS
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MODULES
- XMPP_MUC_MODULES
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- XMPP_CROSS_DOMAIN
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JIBRI_RECORDER_USER
- JIBRI_RECORDER_PASSWORD
- JWT_APP_ID
- JWT_APP_SECRET
- JWT_ACCEPTED_ISSUERS
- JWT_ACCEPTED_AUDIENCES
- JWT_ASAP_KEYSERVER
- JWT_ALLOW_EMPTY
- JWT_AUTH_TYPE
- JWT_TOKEN_AUTH_MODULE
- LOG_LEVEL
- PUBLIC_URL
- TZ
networks:
meet.jitsi:
aliases:
- ${XMPP_SERVER}
# Focus component
jitsi-jicofo:
image: jitsi/jicofo:latest
restart: unless-stopped
volumes:
- ${CONFIG}/jicofo:/config:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- AUTH_TYPE
- ENABLE_AUTH
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_SERVER
- JICOFO_COMPONENT_SECRET
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JICOFO_RESERVATION_REST_BASE_URL
- JVB_BREWERY_MUC
- JIGASI_BREWERY_MUC
- JIGASI_SIP_URI
- JIBRI_BREWERY_MUC
- JIBRI_PENDING_TIMEOUT
- TZ
depends_on:
- jitsi-prosody
networks:
meet.jitsi:
# Video bridge
jitsi-jvb:
image: jitsi/jvb:latest
restart: unless-stopped
ports:
- "${MISTBORN_BIND_IP}:${JVB_PORT}:${JVB_PORT}/udp"
- "${MISTBORN_BIND_IP}:${JVB_TCP_PORT}:${JVB_TCP_PORT}"
volumes:
- ${CONFIG}/jvb:/config:Z
env_file:
- ../.envs/.production/.jitsi
environment:
- DOCKER_HOST_ADDRESS
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JVB_BREWERY_MUC
- JVB_PORT
- JVB_TCP_HARVESTER_DISABLED
- JVB_TCP_PORT
- JVB_TCP_MAPPED_PORT
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
- JVB_WS_DOMAIN
- JVB_WS_SERVER_ID
- PUBLIC_URL
- TZ
depends_on:
- jitsi-prosody
networks:
meet.jitsi:
aliases:
- jvb.meet.jitsi
# Custom network so all services can communicate using a FQDN
networks:
default:
external:
name: mistborn_default
meet.jitsi:

29
extra/nextcloud.yml
Unescape View File

@ -1,29 +0,0 @@ @@ -1,29 +0,0 @@
version: '3'
services:
nextcloud:
image: nextcloud
container_name: mistborn_production_nextcloud
env_file:
- ../.envs/.production/.postgres
- ../.envs/.production/.nextcloud
labels:
- "traefik.enable=true"
- "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.mistborn`)"
- "traefik.http.routers.nextcloud-http.entrypoints=web"
- "traefik.http.routers.nextcloud-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.mistborn`)"
- "traefik.http.routers.nextcloud-https.entrypoints=websecure"
- "traefik.http.routers.nextcloud-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.nextcloud-https.tls.certresolver=basic"
- "traefik.http.services.nextcloud-service.loadbalancer.server.port=80"
volumes:
- ../../mistborn_volumes/extra/nextcloud:/var/www/html
environment:
- VIRTUAL_HOST=nextcloud.mistborn
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

27
extra/onlyoffice.yml
Unescape View File

@ -1,27 +0,0 @@ @@ -1,27 +0,0 @@
version: '3'
services:
onlyoffice:
container_name: mistborn_production_onlyoffice
image: onlyoffice/documentserver:latest
volumes:
- ../../mistborn_volumes/extra/onlyoffice/logs:/var/log/onlyoffice
- ../../mistborn_volumes/extra/onlyoffice/cache:/var/lib/onlyoffice
env_file:
- ../.envs/.production/.onlyoffice
labels:
- "traefik.enable=true"
- "traefik.http.routers.onlyoffice-http.rule=Host(`onlyoffice.mistborn`)"
- "traefik.http.routers.onlyoffice-http.entrypoints=web"
- "traefik.http.routers.onlyoffice-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.onlyoffice-https.rule=Host(`onlyoffice.mistborn`)"
- "traefik.http.routers.onlyoffice-https.entrypoints=websecure"
- "traefik.http.routers.onlyoffice-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.onlyoffice-https.tls.certresolver=basic"
- "traefik.http.services.onlyoffice-service.loadbalancer.server.port=80"
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

33
extra/raspap.yml
Unescape View File

@ -1,33 +0,0 @@ @@ -1,33 +0,0 @@
version: '3'
services:
raspap:
image: "cyber5k/raspap:${MISTBORN_TAG}"
container_name: mistborn_production_raspap
#network_mode: host
labels:
- "traefik.enable=true"
- "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)"
- "traefik.http.routers.raspap-http.entrypoints=web"
- "traefik.http.routers.raspap-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.raspap-https.rule=Host(`raspap.mistborn`)"
- "traefik.http.routers.raspap-https.entrypoints=websecure"
- "traefik.http.routers.raspap-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.raspap-https.tls.certresolver=basic"
- "traefik.http.services.raspap-service.loadbalancer.server.port=80"
env_file:
- ../.envs/.production/.raspap
cap_add:
#- NET_ADMIN
- SYS_ADMIN
#- CAP_FOWNER
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
#command: /start
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

72
extra/rocketchat.yml
Unescape View File

@ -1,72 +0,0 @@ @@ -1,72 +0,0 @@
version: '3'
services:
# rocketchat
rocketchat:
image: rocket.chat:latest
container_name: mistborn_production_rocketchat
command: bash -c 'for i in `seq 1 30`; do node main.js && s=$$? && break || s=$$?; echo "Tried $$i times. Waiting 5 secs..."; sleep 5; done; (exit $$s)'
restart: unless-stopped
volumes:
- ../../mistborn_volumes/extra/rocketchat/uploads:/app/uploads
environment:
- PORT=3000
- ROOT_URL=http://chat.mistborn
- MONGO_URL=mongodb://mongo:27017/rocketchat
- MONGO_OPLOG_URL=mongodb://mongo:27017/local
- Accounts_UseDNSDomainCheck=False
labels:
- "traefik.enable=true"
- "traefik.http.routers.chat-http.rule=Host(`chat.mistborn`)"
- "traefik.http.routers.chat-http.entrypoints=web"
- "traefik.http.routers.chat-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.chat-https.rule=Host(`chat.mistborn`)"
- "traefik.http.routers.chat-https.entrypoints=websecure"
- "traefik.http.routers.chat-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.chat-https.tls.certresolver=basic"
- "traefik.http.services.chat-service.loadbalancer.server.port=3000"
depends_on:
- mongo
#ports:
# - 3000:3000
mongo:
image: mongo:4.0
container_name: mistborn_production_rocketchat_mongo
restart: unless-stopped
volumes:
- ../../mistborn_volumes/extra/rocketchat/data/db:/data/db
- ../../mistborn_volumes/extra/rocketchat/data/dump:/dump
command: mongod --smallfiles --oplogSize 128 --replSet rs0 --storageEngine=mmapv1
# this container's job is just run the command to initialize the replica set.
# it will run the command and remove himself (it will not stay running)
mongo-init-replica:
image: mongo
command: 'bash -c "for i in `seq 1 30`; do mongo mongo/rocketchat --eval \"rs.initiate({ _id: ''rs0'', members: [ { _id: 0, host: ''localhost:27017'' } ]})\" && s=$$? && break || s=$$?; echo \"Tried $$i times. Waiting 5 secs...\"; sleep 5; done; (exit $$s)"'
depends_on:
- mongo
# hubot, the popular chatbot (add the bot user first and change the password before starting this image)
hubot:
image: rocketchat/hubot-rocketchat:latest
container_name: mistborn_production_rocketchat_hubot
restart: unless-stopped
environment:
- ROCKETCHAT_URL=chat.mistborn #:3000
# you can add more scripts as you'd like here, they need to be installable by npm
- EXTERNAL_SCRIPTS=hubot-help,hubot-seen,hubot-links,hubot-diagnostics
env_file:
- ../.envs/.production/.rocketchat
depends_on:
- rocketchat
volumes:
- ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts
# this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier
ports:
- "${MISTBORN_BIND_IP}:3001:8080/tcp"
networks:
default:
external:
name: mistborn_default

35
extra/syncthing.yml
Unescape View File

@ -1,35 +0,0 @@ @@ -1,35 +0,0 @@
version: '3'
services:
syncthing:
image: linuxserver/syncthing:latest
container_name: mistborn_production_syncthing
environment:
- PUID=1000
- PGID=1000
- TZ=Amereica/New_York
- UMASK_SET=022
volumes:
- ../../mistborn_volumes/extra/syncthing/config:/config
- ../../mistborn_volumes/extra/syncthing/data1:/data1
- ../../mistborn_volumes/extra/syncthing/data2:/data2
ports:
#- 8384:8384
- "${MISTBORN_BIND_IP}:22000:22000/tcp" # listening port
- "${MISTBORN_BIND_IP}:21027:21027/udp" # protocol discovery
labels:
- "traefik.enable=true"
- "traefik.http.routers.syncthing-http.rule=Host(`syncthing.mistborn`)"
- "traefik.http.routers.syncthing-http.entrypoints=web"
- "traefik.http.routers.syncthing-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.syncthing-https.rule=Host(`syncthing.mistborn`)"
- "traefik.http.routers.syncthing-https.entrypoints=websecure"
- "traefik.http.routers.syncthing-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.syncthing-https.tls.certresolver=basic"
- "traefik.http.services.syncthing-service.loadbalancer.server.port=8384"
restart: unless-stopped
networks:
default:
external:
name: mistborn_default

16
extra/tor.yml
Unescape View File

@ -1,16 +0,0 @@ @@ -1,16 +0,0 @@
version: '3'
services:
tor-client:
build:
context: ../compose/production/tor
dockerfile: ./Dockerfile
image: mistborn_production_tor
container_name: mistborn_production_tor
ports:
- "${MISTBORN_BIND_IP}:9150:9150/tcp"
networks:
default:
external:
name: mistborn_default

70
extra/wazuh.yml
Unescape View File

@ -1,70 +0,0 @@ @@ -1,70 +0,0 @@
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh:
image: wazuh/wazuh-odfe:4.1.5
hostname: wazuh-manager
restart: unless-stopped
ports:
- "${MISTBORN_BIND_IP}:1514:1514"
- "${MISTBORN_BIND_IP}:1515:1515"
- "${MISTBORN_BIND_IP}:514:514/udp"
- "${MISTBORN_BIND_IP}:55000:55000"
environment:
- FILEBEAT_SSL_VERIFICATION_MODE=none
env_file:
- ../.envs/.production/.wazuh
volumes:
- ossec_api_configuration:/var/ossec/api/configuration
- ossec_etc:/var/ossec/etc
- ossec_logs:/var/ossec/logs
- ossec_queue:/var/ossec/queue
- ossec_var_multigroups:/var/ossec/var/multigroups
- ossec_integrations:/var/ossec/integrations
- ossec_active_response:/var/ossec/active-response/bin
- ossec_agentless:/var/ossec/agentless
- ossec_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
wazuh-kibana:
image: wazuh/wazuh-kibana-odfe:4.1.5
hostname: wazuh-kibana
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.wazuhk-http.rule=Host(`wazuh.mistborn`)"
- "traefik.http.routers.wazuhk-http.entrypoints=web"
- "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file"
- "traefik.http.routers.wazuhk-https.rule=Host(`wazuh.mistborn`)"
- "traefik.http.routers.wazuhk-https.entrypoints=websecure"
- "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file"
- "traefik.http.routers.wazuhk-https.tls.certresolver=basic"
- "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601"
#ports:
# - "${MISTBORN_BIND_IP}:5601:5601"
environment:
- SERVER_SSL_ENABLED=false
- SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
- SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
env_file:
- ../.envs/.production/.wazuh
volumes:
ossec_api_configuration:
ossec_etc:
ossec_logs:
ossec_queue:
ossec_var_multigroups:
ossec_integrations:
ossec_active_response:
ossec_agentless:
ossec_wodles:
filebeat_etc:
filebeat_var:
networks:
default:
external:
name: mistborn_default

2
scripts/conf/15-iptables.conf
Unescape View File

@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
# Log kernel iptables dropped messages to iptables.log
$template MyTemplate,"%$day%-%timegenerated:1:3:date-rfc3164%-%$year% %timegenerated:12:19:date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n"
:msg,contains,"[IPTables-Dropped]:" /var/log/iptables.log;MyTemplate #RSYSLOG_FileFormat
:msg,contains,"[Mistborn-IPTables-Dropped]:" /var/log/iptables.log;MyTemplate #RSYSLOG_FileFormat
# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file

3
scripts/conf/cockpit.conf
Unescape View File

@ -1,3 +0,0 @@ @@ -1,3 +0,0 @@
[WebService]
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted=true

366
scripts/conf/jitsi.env
Unescape View File

@ -1,366 +0,0 @@ @@ -1,366 +0,0 @@
# shellcheck disable=SC2034
# Security
#
# Set these to strong passwords to avoid intruders from impersonating a service account
# The service(s) won't start unless these are specified
# Running ./gen-passwords.sh will update .env with strong passwords
# You may skip the Jigasi and Jibri passwords if you are not using those
# DO NOT reuse passwords
#
# XMPP component password for Jicofo
JICOFO_COMPONENT_SECRET=
# XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=
# XMPP password for JVB client connections
JVB_AUTH_PASSWORD=
# XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=
# XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=
# XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=
#
# Basic configuration options
#
# Directory where all configuration will be stored
#CONFIG=~/.jitsi-meet-cfg
CONFIG=../.envs/.production/.jitsi-cfg
# Exposed HTTP port
HTTP_PORT=80
# Exposed HTTPS port
HTTPS_PORT=443
# System time zone
TZ=UTC
# Public URL for the web service (required)
PUBLIC_URL=https://jitsi.mistborn
# IP address of the Docker host
# See the "Running behind NAT or on a LAN environment" section in the Handbook:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
#DOCKER_HOST_ADDRESS=192.168.1.1
DOCKER_HOST_ADDRESS=10.2.3.1
# Control whether the lobby feature should be enabled or not
#ENABLE_LOBBY=1
# Show a prejoin page before entering a conference
#ENABLE_PREJOIN_PAGE=0
#
# Let's Encrypt configuration
#
# Enable Let's Encrypt certificate generation
#ENABLE_LETSENCRYPT=1
# Domain for which to generate the certificate
#LETSENCRYPT_DOMAIN=meet.example.com
# E-Mail for receiving important account notifications (mandatory)
#LETSENCRYPT_EMAIL=alice@atlanta.net
# Use the staging server (for avoiding rate limits while testing)
#LETSENCRYPT_USE_STAGING=1
#
# Etherpad integration (for document sharing)
#
# Set etherpad-lite URL in docker local network (uncomment to enable)
#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
# Set etherpad-lite public URL (uncomment to enable)
#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
# Name your etherpad instance!
ETHERPAD_TITLE="Video Chat"
# The default text of a pad
ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
# Name of the skin for etherpad
ETHERPAD_SKIN_NAME="colibris"
# Skin variants for etherpad
ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
#
# Basic Jigasi configuration options (needed for SIP gateway support)
#
# SIP URI for incoming / outgoing calls
#JIGASI_SIP_URI=test@sip2sip.info
# Password for the specified SIP account as a clear text
#JIGASI_SIP_PASSWORD=passw0rd
# SIP server (use the SIP account domain if in doubt)
#JIGASI_SIP_SERVER=sip2sip.info
# SIP server port
#JIGASI_SIP_PORT=5060
# SIP server transport
#JIGASI_SIP_TRANSPORT=UDP
#
# Authentication configuration (see handbook for details)
#
# Enable authentication
#ENABLE_AUTH=1
# Enable guest access
#ENABLE_GUESTS=1
# Select authentication type: internal, jwt or ldap
#AUTH_TYPE=internal
# JWT authentication
#
# Application identifier
#JWT_APP_ID=my_jitsi_app_id
# Application secret known only to your token
#JWT_APP_SECRET=my_jitsi_app_secret
# (Optional) Set asap_accepted_issuers as a comma separated list
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
# (Optional) Set asap_accepted_audiences as a comma separated list
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
#
# LDAP url for connection
#LDAP_URL=ldaps://ldap.domain.com/
# LDAP base DN. Can be empty
#LDAP_BASE=DC=example,DC=domain,DC=com
# LDAP user DN. Do not specify this parameter for the anonymous bind
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
# LDAP user password. Do not specify this parameter for the anonymous bind
#LDAP_BINDPW=LdapUserPassw0rd
# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
# %s - %s is replaced by the complete service string
# %r - %r is replaced by the complete realm string
#LDAP_FILTER=(sAMAccountName=%u)
# LDAP authentication method
#LDAP_AUTH_METHOD=bind
# LDAP version
#LDAP_VERSION=3
# LDAP TLS using
#LDAP_USE_TLS=1
# List of SSL/TLS ciphers to allow
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=1
# Path to CA cert file. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
# Path to CA certs directory. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
# LDAP_START_TLS=1
#
# Advanced configuration options (you generally don't need to change these)
#
# Internal XMPP domain
XMPP_DOMAIN=meet.jitsi
# Internal XMPP server
XMPP_SERVER=xmpp.meet.jitsi
# Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
# Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.meet.jitsi
# XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.meet.jitsi
# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
# XMPP domain for unauthenticated users
XMPP_GUEST_DOMAIN=guest.meet.jitsi
# Comma separated list of domains for cross domain policy or "true" to allow all
# The PUBLIC_URL is always allowed
#XMPP_CROSS_DOMAIN=true
# Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=
# Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=
# Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=
# MUC for the JVB pool
JVB_BREWERY_MUC=jvbbrewery
# XMPP user for JVB client connections
JVB_AUTH_USER=jvb
# STUN servers used to discover the server's public IP
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
# Media port for the Jitsi Videobridge
JVB_PORT=10000
# TCP Fallback for Jitsi Videobridge for when UDP isn't available
JVB_TCP_HARVESTER_DISABLED=true
JVB_TCP_PORT=4443
JVB_TCP_MAPPED_PORT=4443
# A comma separated list of APIs to enable when the JVB is started [default: none]
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
#JVB_ENABLE_APIS=rest,colibri
# XMPP user for Jicofo client connections.
# NOTE: this option doesn't currently work due to a bug
JICOFO_AUTH_USER=focus
# Base URL of Jicofo's reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
#JICOFO_ENABLE_HEALTH_CHECKS=true
# XMPP user for Jigasi MUC client connections
JIGASI_XMPP_USER=jigasi
# MUC name for the Jigasi pool
JIGASI_BREWERY_MUC=jigasibrewery
# Minimum port for media used by Jigasi
JIGASI_PORT_MIN=20000
# Maximum port for media used by Jigasi
JIGASI_PORT_MAX=20050
# Enable SDES srtp
#JIGASI_ENABLE_SDES_SRTP=1
# Keepalive method
#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
# Health-check extension
#JIGASI_HEALTH_CHECK_SIP_URI=keepalive
# Health-check interval
#JIGASI_HEALTH_CHECK_INTERVAL=300000
#
# Enable Jigasi transcription
#ENABLE_TRANSCRIPTIONS=1
# Jigasi will record audio when transcriber is on [default: false]
#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
# Jigasi will send transcribed text to the chat when transcriber is on [default: false]
#JIGASI_TRANSCRIBER_SEND_TXT=true
# Jigasi will post an url to the chat with transcription file [default: false]
#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
# Credentials for connect to Cloud Google API from Jigasi
# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
# section "Before you begin" paragraph 1 to 5
# Copy the values from the json to the related env vars
#GC_PROJECT_ID=
#GC_PRIVATE_KEY_ID=
#GC_PRIVATE_KEY=
#GC_CLIENT_EMAIL=
#GC_CLIENT_ID=
#GC_CLIENT_CERT_URL=
# Enable recording
#ENABLE_RECORDING=1
# XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
# XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder
# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings
# The finalizing script. Will run after recording is complete
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
# XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri
# MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery
# MUC connection timeout
JIBRI_PENDING_TIMEOUT=90
# When jibri gets a request to start a service for a room, the room
# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
# We'll build the url for the call by transforming that into:
# https://xmpp_domain/subdomain/roomName
# So if there are any prefixes in the jid (like jitsi meet, which
# has its participants join a muc at conference.xmpp_domain) then
# list that prefix here so it can be stripped out to generate
# the call url correctly
JIBRI_STRIP_DOMAIN_JID=muc
# Directory for logs inside Jibri container
JIBRI_LOGS_DIR=/config/logs
# Disable HTTPS: handle TLS connections outside of this setup
DISABLE_HTTPS=1
# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
#ENABLE_HTTP_REDIRECT=1
# Enable IPv6
# Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
#ENABLE_IPV6=1
# Container restart policy
# Defaults to unless-stopped
RESTART_POLICY=unless-stopped
# Authenticate using external service or just focus external auth window if there is one already.
# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}

31
scripts/env/setup.sh vendored
Unescape View File

@ -1,5 +1,10 @@ @@ -1,5 +1,10 @@
#!/bin/bash
# Version
MISTBORN_MAJOR_VERSION="0"
MISTBORN_MINOR_VERSION="1"
MISTBORN_PATCH_NUMBER="1"
#### ENV file
VAR_FILE=/opt/mistborn/.env
@ -13,6 +18,12 @@ echo "" | sudo tee ${VAR_FILE} @@ -13,6 +18,12 @@ echo "" | sudo tee ${VAR_FILE}
sudo chown mistborn:mistborn ${VAR_FILE}
sudo chmod 600 ${VAR_FILE}
# Version env variables
echo "MISTBORN_VERSION=${MISTBORN_MAJOR_VERSION}.${MISTBORN_MINOR_VERSION}.${MISTBORN_PATCH_NUMBER}" | sudo tee -a ${VAR_FILE}
echo "MISTBORN_MAJOR_VERSION=${MISTBORN_MAJOR_VERSION}" | sudo tee -a ${VAR_FILE}
echo "MISTBORN_MINOR_VERSION=${MISTBORN_MINOR_VERSION}" | sudo tee -a ${VAR_FILE}
echo "MISTBORN_PATCH_NUMBER=${MISTBORN_PATCH_NUMBER}" | sudo tee -a ${VAR_FILE}
# MISTBORN_DNS_BIND_IP
MISTBORN_DNS_BIND_IP="10.2.3.1"
@ -29,9 +40,11 @@ echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE} @@ -29,9 +40,11 @@ echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE}
# MISTBORN_TAG
GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master")
MISTBORN_TAG="${MISTBORN_MAJOR_VERSION}.${MISTBORN_MINOR_VERSION}"
if [ ! -z "$MISTBORN_TEST_CONTAINER" ]; then
MISTBORN_TAG="$MISTBORN_TEST_CONTAINER"
elif [ "$GIT_BRANCH" == "master" ]; then
MISTBORN_TAG="latest"
if [ "$GIT_BRANCH" != "master" ]; then
MISTBORN_TAG="test"
fi
echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
@ -41,9 +54,9 @@ echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE} @@ -41,9 +54,9 @@ echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
# copy current service files to systemd (overwriting as needed)
sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
# set script user and owner
sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
## set script user and owner
#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
##sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
# reload in case the iface is not immediately set
sudo systemctl daemon-reload
@ -56,8 +69,14 @@ while [[ -z "$iface" ]]; do @@ -56,8 +69,14 @@ while [[ -z "$iface" ]]; do
iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]')
done
GLOBAL_ENV=/opt/mistborn/.envs/.production/.global
install -Dv /dev/null $GLOBAL_ENV
echo "DIFACE=$iface" >> $GLOBAL_ENV
echo "MISTBORN_ENV_PATH=../../.envs/.production/" >> $GLOBAL_ENV
echo "MISTBORN_VOL_PATH=../../../mistborn_volumes/extra/" >> $GLOBAL_ENV
# default interface
sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE}

22
scripts/install.sh
Unescape View File

@ -39,7 +39,7 @@ if [ $(whoami) != "$MISTBORN_USER" ]; then @@ -39,7 +39,7 @@ if [ $(whoami) != "$MISTBORN_USER" ]; then
sudo cp $FULLPATH /home/$MISTBORN_USER
sudo chown $MISTBORN_USER:$MISTBORN_USER /home/$MISTBORN_USER/$FILENAME
sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" MISTBORN_INSTALL_COCKPIT="$MISTBORN_INSTALL_COCKPIT" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
exit 0
fi
@ -76,13 +76,6 @@ source ./scripts/subinstallers/check_updates.sh @@ -76,13 +76,6 @@ source ./scripts/subinstallers/check_updates.sh
# MISTBORN_DEFAULT_PASSWORD
source ./scripts/subinstallers/passwd.sh
# Install Cockpit?
if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then
read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface -- NOT RECOMMENDED on Raspberry Pi)? [y/N]: " MISTBORN_INSTALL_COCKPIT
echo
MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-N}
fi
# SSH keys
if [ ! -f ~/.ssh/id_rsa ]; then
echo "Generating SSH keypair for $USER"
@ -174,16 +167,6 @@ sudo systemctl start docker @@ -174,16 +167,6 @@ sudo systemctl start docker
# Unattended upgrades
sudo -E apt-get install -y unattended-upgrades
# Cockpit
if [[ "$MISTBORN_INSTALL_COCKPIT" =~ ^([yY][eE][sS]|[yY])$ ]]
then
# install cockpit
source ./scripts/subinstallers/cockpit.sh
# set variable (that will be available in environment)
MISTBORN_INSTALL_COCKPIT=Y
fi
# Mistborn-cli (pip3 installed by docker)
figlet "Mistborn: Installing mistborn-cli"
sudo pip3 install -e ./modules/mistborn-cli
@ -224,9 +207,6 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-pihole @@ -224,9 +207,6 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-pihole
sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd
sudo mkdir -p ../mistborn_volumes/extra
# Traefik final setup (cockpit)
#cp ./compose/production/traefik/traefikv2.toml.template ./compose/production/traefik/traefik.toml
# setup tls certs
source ./scripts/subinstallers/openssl.sh
#sudo rm -rf ../mistborn_volumes/base/tls

28
scripts/services/Mistborn-base.service
Unescape View File

@ -6,6 +6,8 @@ After=docker.service @@ -6,6 +6,8 @@ After=docker.service
After=netfilter-persistent.service
[Service]
EnvironmentFile=/opt/mistborn/.envs/.production/.global
EnvironmentFile=/opt/mistborn/.env
Restart=always
RestartSec=15
User=root
@ -21,13 +23,13 @@ ExecStartPre=-/usr/bin/bash -c "docker container stop $(docker network inspect m @@ -21,13 +23,13 @@ ExecStartPre=-/usr/bin/bash -c "docker container stop $(docker network inspect m
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml build
ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev $DIFACE
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
#ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -A OUTPUT -o $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/ip6tables -w -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/resolvconf -u
# Start container when unit is started
@ -35,12 +37,12 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml up @@ -35,12 +37,12 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml up
# Stop container when unit is stopped
ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
# Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
#ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D OUTPUT -o $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
[Install]

25
scripts/services/Mistborn-bitwarden.service
Unescape View File

@ -1,25 +0,0 @@ @@ -1,25 +0,0 @@
[Unit]
Description=Mistborn Bitwarden Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
# Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
[Install]
WantedBy=Mistborn-base.service

22
scripts/services/Mistborn-elasticsearch.service
Unescape View File

@ -1,22 +0,0 @@ @@ -1,22 +0,0 @@
[Unit]
Description=Mistborn Elasticsearch Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down
[Install]
WantedBy=Mistborn-base.service

23
scripts/services/Mistborn-guacamole.service
Unescape View File

@ -1,23 +0,0 @@ @@ -1,23 +0,0 @@
[Unit]
Description=Mistborn Guacamole
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
# Post stop
[Install]
WantedBy=Mistborn-base.service

23
scripts/services/Mistborn-homeassistant.service
Unescape View File

@ -1,23 +0,0 @@ @@ -1,23 +0,0 @@
[Unit]
Description=Mistborn Home Assistant
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
# Post stop
[Install]
WantedBy=Mistborn-base.service

23
scripts/services/Mistborn-jellyfin.service
Unescape View File

@ -1,23 +0,0 @@ @@ -1,23 +0,0 @@
[Unit]
Description=Mistborn Jellyfin Service
Requires=Mistborn-nextcloud.service
After=Mistborn-nextcloud.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
# Post stop
[Install]
WantedBy=Mistborn-base.service

27
scripts/services/Mistborn-jitsi.service
Unescape View File

@ -1,27 +0,0 @@ @@ -1,27 +0,0 @@
[Unit]
Description=Mistborn Jitsi Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
# Post stop
ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh
[Install]
WantedBy=Mistborn-base.service

23
scripts/services/Mistborn-nextcloud.service
Unescape View File

@ -1,23 +0,0 @@ @@ -1,23 +0,0 @@
[Unit]
Description=Mistborn Nextcloud Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
# Post stop
[Install]
WantedBy=Mistborn-base.service

23
scripts/services/Mistborn-onlyoffice.service
Unescape View File

@ -1,23 +0,0 @@ @@ -1,23 +0,0 @@
[Unit]
Description=Mistborn OnlyOffice Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
# Post stop
[Install]
WantedBy=Mistborn-base.service

25
scripts/services/Mistborn-raspap.service
Unescape View File

@ -1,25 +0,0 @@ @@ -1,25 +0,0 @@
[Unit]
Description=Mistborn RaspAP Service
Requires=Mistborn-base.service
After=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP
#ExecStartPre=/bin/bash /opt/mistborn_volumes/extra/raspap/etc-raspap/hostapd/servicestart.sh --interface uap0 --seconds 3
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP
# Post stop
[Install]
WantedBy=Mistborn-base.service

25
scripts/services/Mistborn-rocketchat.service
Unescape View File

@ -1,25 +0,0 @@ @@ -1,25 +0,0 @@
[Unit]
Description=Mistborn Rocket Chat Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
# Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
[Install]
WantedBy=Mistborn-base.service

27
scripts/services/Mistborn-syncthing.service
Unescape View File

@ -1,27 +0,0 @@ @@ -1,27 +0,0 @@
[Unit]
Description=Mistborn Syncthing Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
# Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
[Install]
WantedBy=Mistborn-base.service

25
scripts/services/Mistborn-tor.service
Unescape View File

@ -1,25 +0,0 @@ @@ -1,25 +0,0 @@
[Unit]
Description=Mistborn Tor Service
Requires=Mistborn-base.service
After=Mistborn-base.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
# Post stop
ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
[Install]
WantedBy=Mistborn-base.service

30
scripts/services/Mistborn-wazuh.service
Unescape View File

@ -1,30 +0,0 @@ @@ -1,30 +0,0 @@
[Unit]
Description=Mistborn Wazuh Service
Requires=Mistborn-elasticsearch.service
After=Mistborn-elasticsearch.service
PartOf=Mistborn-base.service
[Service]
Restart=always
RestartSec=15
TimeoutStartSec=600
User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml up --build
# Agent install
ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
# Suricata
ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh
ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_stop.sh
ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
[Install]
WantedBy=Mistborn-base.service

17
scripts/services/elasticsearch/files/internal_users.yml
Unescape View File

@ -1,17 +0,0 @@ @@ -1,17 +0,0 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
mistborn:
hash: "__MISTBORN_HASH__"
reserved: true
backend_roles:
- "admin"
description: "Mistborn user"

21
scripts/services/elasticsearch/init.sh
Unescape View File

@ -1,21 +0,0 @@ @@ -1,21 +0,0 @@
#!/bin/bash
set -e
if [[ -f "/opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml" ]]; then
echo "internal_users.yml exists. Proceeding."
exit 0
fi
mkdir -p /opt/mistborn_volumes/extra/elasticsearch/init/ >/dev/null 2>&1
chmod -R +x /opt/mistborn_volumes/extra/elasticsearch/init/
cp /opt/mistborn/scripts/services/elasticsearch/files/internal_users.yml /opt/mistborn_volumes/extra/elasticsearch/init/
ELASTICSEARCH_MISTBORN_HASHED="$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n')"
if [[ -z "${ELASTICSEARCH_MISTBORN_HASHED}" ]]; then
echo "Elasticsearch password hash not generated properly"
exit 1;
fi
sed -i "s|__MISTBORN_HASH__|${ELASTICSEARCH_MISTBORN_HASHED}|" /opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml

21
scripts/services/guacamole/init.sh
Unescape View File

@ -1,21 +0,0 @@ @@ -1,21 +0,0 @@
#!/bin/bash
if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then
echo "initdb.sql exists. Proceeding."
exit 0
fi
mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1
chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/
docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
# grab values in initdb.sql to replace
HEXSTRINGS=($(egrep -o [0-9a-fA-F]{64} /opt/mistborn_volumes/extra/guacamole/init/initdb.sql))
# reset default password in init.db
SALT=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice('0123456789ABCDEF') for x in range(64)]))")
GUAC_PASSWORD_HASHED=$(echo -n "${MISTBORN_DEFAULT_PASSWORD}${SALT}" | sha256sum | awk '{print $1}' | tr a-z A-Z)
sed -i "s/${HEXSTRINGS[1]}/$SALT/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
sed -i "s/${HEXSTRINGS[0]}/$GUAC_PASSWORD_HASHED/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
sed -i "s/guacadmin/mistborn/g" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql

54
scripts/services/homeassistant/init.sh
Unescape View File

@ -1,54 +0,0 @@ @@ -1,54 +0,0 @@
#!/bin/bash
HASS_CONFIG="/opt/mistborn_volumes/extra/homeassistant/config/configuration.yaml"
if [[ -f "$HASS_CONFIG" ]]; then
# configuration.yaml exists
if [[ ! -z $(grep "use_x_forwarded_for: true" "$HASS_CONFIG") ]]; then
# FOUND
exit 0;
fi
# add the proxy config
# write the trusted proxies config
cat >> ${HASS_CONFIG}<< EOF
http:
use_x_forwarded_for: true
trusted_proxies:
- 172.16.0.0/12
EOF
exit 0;
fi
# create parent directory if needed
PARENTDIR="$(dirname $HASS_CONFIG)"
if [[ ! -d "$PARENTDIR" ]]; then
mkdir -p $PARENTDIR
fi
# write the trusted proxies config
cat >> ${HASS_CONFIG}<< EOF
# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:
# Text to speech
#tts:
# - platform: google_translate
#group: !include groups.yaml
#automation: !include automations.yaml
#script: !include scripts.yaml
#scene: !include scenes.yaml
http:
use_x_forwarded_for: true
trusted_proxies:
- 172.16.0.0/12
EOF

4
scripts/services/jitsi/iptables_down.sh
Unescape View File

@ -1,4 +0,0 @@ @@ -1,4 +0,0 @@
#!/bin/bash
iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP

4
scripts/services/jitsi/iptables_up.sh
Unescape View File

@ -1,4 +0,0 @@ @@ -1,4 +0,0 @@
#!/bin/bash
iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP

30
scripts/services/wazuh/agent.sh
Unescape View File

@ -1,30 +0,0 @@ @@ -1,30 +0,0 @@
#!/bin/bash
# detect if already installed
if dpkg -s wazuh-agent &> /dev/null; then
echo "Wazuh agent already installed"
exit 0
fi
# install curl
echo "install curl"
sudo -E apt-get install -y curl
# prepare repo
echo "Adding Wazuh Repository"
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo -E apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo -E tee /etc/apt/sources.list.d/wazuh.list
apt-get update
# wait for service to be listening
while ! nc -z 10.2.3.1 55000; do
WAIT_TIME=10
echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
sleep ${WAIT_TIME}
done
# install
echo "Installing Wazuh agent"
WAZUH_MANAGER="10.2.3.1" apt-get install wazuh-agent

4
scripts/services/wazuh/agent_start.sh
Unescape View File

@ -1,4 +0,0 @@ @@ -1,4 +0,0 @@
#!/bin/bash
systemctl start wazuh-agent
systemctl enable wazuh-agent

4
scripts/services/wazuh/agent_stop.sh
Unescape View File

@ -1,4 +0,0 @@ @@ -1,4 +0,0 @@
#!/bin/bash
systemctl stop wazuh-agent
systemctl disable wazuh-agent

129
scripts/services/wazuh/suricata/suricata_init.sh
Unescape View File

@ -1,129 +0,0 @@ @@ -1,129 +0,0 @@
#!/bin/bash
set -e
# detect if suricata is installed
if [[ $(dpkg-query -W -f='${Status}' suricata 2>/dev/null | grep -c "ok installed") -eq 1 ]]; then
echo "Suricata Installed"
exit 0
fi
source /opt/mistborn/scripts/subinstallers/platform.sh
# minimal dependencies
sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
make libmagic-dev libjansson-dev jq wget
## recommended dependencies
#sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
# libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
# libcap-ng-dev libcap-ng0 make libmagic-dev \
# libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
# python-yaml rustc cargo
# iptables/nftables integration
sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 \
libnetfilter-log-dev libnetfilter-log1 \
libnfnetlink-dev libnfnetlink0
if [ "$DISTRO" == "ubuntu" ]; then
echo "Installing Suricata Ubuntu PPA"
sudo -E add-apt-repository -y ppa:oisf/suricata-stable
sudo -E apt-get update
sudo -E apt-get install -y suricata
elif [ "$DISTRO" == "debian" ]; then
# retrieve version codename
source /etc/os-release
echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
sudo -E tee /etc/apt/sources.list.d/backports.list
sudo -E apt-get update
sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
else
echo "Basic Suricata installation"
sudo -E apt-get install -y suricata
fi
# # iptables
# sudo iptables -A INPUT -j NFQUEUE
# sudo iptables -I FORWARD -j NFQUEUE
# sudo iptables -I OUTPUT -j NFQUEUE
# # rsyslog to create /var/log/suricata.log
# sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
# sudo chown root:root /etc/rsyslog.d/20-suricata.conf
# sudo systemctl restart rsyslog
# rules
pushd .
cd /tmp
wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
sudo -E rm /etc/suricata/rules/* -f
sudo -E mv rules/*.rules /etc/suricata/rules/
popd
# suricata yaml
sudo -E rm -f /etc/suricata/suricata.yaml
sudo -E wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml
sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
#systemctl restart suricata
# wait for service to be listening
while ! nc -z 10.2.3.1 55000; do
WAIT_TIME=10
echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
sleep ${WAIT_TIME}
done
# set working directory to mistborn for docker-compose
pushd .
cd /opt/mistborn
# ensure group exists
sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null
# add this host to group
WAZUH_ID=$(sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',')
sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q
# write agent.conf
sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF
<agent_config>
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve.json</location>
</localfile>
</agent_config>
EOF
"
# restart manager
sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml restart wazuh
popd
# suricata-update
sudo -E apt install python3-pip
sudo -E pip3 install pyyaml
sudo -E pip3 install https://github.com/OISF/suricata-update/archive/master.zip
sudo -E pip3 install --pre --upgrade suricata-update
# sudo -E suricata-update enable-source oisf/trafficid
# sudo -E suricata-update enable-source etnetera/aggressive
# sudo -E suricata-update enable-source sslbl/ssl-fp-blacklist
# sudo -E suricata-update enable-source et/open
# sudo -E suricata-update enable-source tgreen/hunting
# sudo -E suricata-update enable-source sslbl/ja3-fingerprints
# sudo -E suricata-update enable-source ptresearch/attackdetection
sudo -E suricata-update
sudo systemctl daemon-reload
sudo systemctl restart suricata

7
scripts/services/wazuh/suricata/suricata_start.sh
Unescape View File

@ -1,7 +0,0 @@ @@ -1,7 +0,0 @@
#!/bin/bash
systemctl start suricata
systemctl enable suricata
#apt-get install -y python-pyinotify
#python /opt/mistborn/scripts/services/scirius/suri_reloader -p /etc/suricata/rules &

6
scripts/services/wazuh/suricata/suricata_stop.sh
Unescape View File

@ -1,6 +0,0 @@ @@ -1,6 +0,0 @@
#!/bin/bash
systemctl stop suricata
systemctl disable suricata
#kill $(pgrep -f suri_reloader) 2>/dev/null

31
scripts/subinstallers/cockpit.sh
Unescape View File

@ -1,31 +0,0 @@ @@ -1,31 +0,0 @@
#!/bin/bash
# Cockpit
figlet "Mistborn: Installing Cockpit"
if [ "$DISTRO" == "ubuntu" ]; then
echo "Ubuntu backports enabled by default"
elif [ "$DISTRO" == "debian" ]; then
sudo grep -qF "buster-backports" /etc/apt/sources.list.d/backports.list \
&& echo "buster-backports already in sources" \
|| echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee -a /etc/apt/sources.list.d/backports.list
elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
echo "Raspbian repos contain cockpit"
fi
sudo -E apt-get install -y cockpit
if [ $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ]; then
# no longer supported upstream in Ubuntu 20.04
sudo -E apt-get install -y cockpit-docker
elif [ $(sudo apt-cache show cockpit-podman > /dev/null 2>&1) ]; then
sudo -E apt-get install -y cockpit-podman
fi
sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf
sudo systemctl restart cockpit.socket
# create system cockpit user
echo "Creating cockpit user"
sudo useradd -s /bin/bash -d /home/cockpit -m -G sudo -p $(openssl passwd -1 "$MISTBORN_DEFAULT_PASSWORD") cockpit || true

7
scripts/subinstallers/extra/bitwarden.sh
Unescape View File

@ -1,7 +0,0 @@ @@ -1,7 +0,0 @@
#!/bin/bash
# generate bitwarden .env files
BITWARDEN_PROD_FILE="$1"
echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
chmod 600 $BITWARDEN_PROD_FILE

6
scripts/subinstallers/extra/elasticsearch.sh
Unescape View File

@ -1,6 +0,0 @@ @@ -1,6 +0,0 @@
#!/bin/bash
# Elasticsearch
ELASTICSEARCH_PROD_FILE="$1"
echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $ELASTICSEARCH_PROD_FILE
chmod 600 $ELASTICSEARCH_PROD_FILE

14
scripts/subinstallers/extra/guacamole.sh
Unescape View File

@ -1,14 +0,0 @@ @@ -1,14 +0,0 @@
#!/bin/bash
# Guacamole
GUAC_PROD_FILE="$1"
GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE
echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE
echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE
echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE
chmod 600 $GUAC_PROD_FILE

13
scripts/subinstallers/extra/jitsi.sh
Unescape View File

@ -1,13 +0,0 @@ @@ -1,13 +0,0 @@
#!/bin/bash
# JITSI
JITSI_PROD_FILE="$1"
cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE
mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
chmod 600 $JITSI_PROD_FILE

10
scripts/subinstallers/extra/nextcloud.sh
Unescape View File

@ -1,10 +0,0 @@ @@ -1,10 +0,0 @@
#!/bin/bash
# generate nextcloud .env files
NEXTCLOUD_PROD_FILE="$1"
#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
chmod 600 $NEXTCLOUD_PROD_FILE

8
scripts/subinstallers/extra/onlyoffice.sh
Unescape View File

@ -1,8 +0,0 @@ @@ -1,8 +0,0 @@
#!/bin/bash
# generate onlyoffice .env files
ONLYOFFICE_PROD_FILE="$1"
JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}"
echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
chmod 600 $ONLYOFFICE_PROD_FILE

6
scripts/subinstallers/extra/raspap.sh
Unescape View File

@ -1,6 +0,0 @@ @@ -1,6 +0,0 @@
#!/bin/bash
# RaspAP
RASPAP_PROD_FILE="$1"
echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" > $RASPAP_PROD_FILE
chmod 600 $RASPAP_PROD_FILE

15
scripts/subinstallers/extra/rocketchat.sh
Unescape View File

@ -1,15 +0,0 @@ @@ -1,15 +0,0 @@
#!/bin/bash
# generate rocketchat .env files
ROCKETCHAT_PROD_FILE="$1"
#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
# docker environment
echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE
chmod 600 $ROCKETCHAT_PROD_FILE

92
scripts/subinstallers/extra/wazuh.sh
Unescape View File

@ -1,92 +0,0 @@ @@ -1,92 +0,0 @@
#!/bin/bash
# Wazuh
WAZUH_PROD_FILE="$1"
echo "ELASTIC_USERNAME=mistborn" > $WAZUH_PROD_FILE
echo "ELASTIC_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
echo "ELASTICSEARCH_USERNAME=mistborn" >> $WAZUH_PROD_FILE
echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
# kibana odfe
# kibana-odfe/config/wazuh_app_config.sh
# https://wazuh
echo "WAZUH_API_URL=https://10.2.3.1" >> $WAZUH_PROD_FILE
echo "API_PORT=55000" >> $WAZUH_PROD_FILE
echo "API_USERNAME=wazuh-wui" >> $WAZUH_PROD_FILE
#API_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
API_PASSWORD_PYTHON=$(cat << EOF
import secrets
import random
import string
random_pass = ([secrets.choice("@$!*?-"),
secrets.choice(string.digits),
secrets.choice(string.ascii_lowercase),
secrets.choice(string.ascii_uppercase),
]
+ [secrets.choice(string.ascii_lowercase
+ string.ascii_uppercase
+ "@$!*?-"
+ string.digits) for i in range(12)])
random.shuffle(random_pass)
random_pass = ''.join(random_pass)
print(random_pass)
EOF
)
API_PASSWORD=$(python3 -c "${API_PASSWORD_PYTHON}")
echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE
# kibana-odfe/config/entrypoint.sh:
# https://elasticsearch:9200
echo "ELASTICSEARCH_URL=https://10.2.3.1:9200" >> $WAZUH_PROD_FILE
cat >> ${WAZUH_PROD_FILE}<< EOF
PATTERN="wazuh-alerts-*"
CHECKS_PATTERN=true
CHECKS_TEMPLATE=true
CHECKS_API=true
CHECKS_SETUP=true
EXTENSIONS_PCI=true
EXTENSIONS_GDPR=true
EXTENSIONS_HIPAA=true
EXTENSIONS_NIST=true
EXTENSIONS_TSC=true
EXTENSIONS_AUDIT=true
EXTENSIONS_OSCAP=false
EXTENSIONS_CISCAT=false
EXTENSIONS_AWS=false
EXTENSIONS_GCP=false
EXTENSIONS_VIRUSTOTAL=true
EXTENSIONS_OSQUERY=true
EXTENSIONS_DOCKER=true
APP_TIMEOUT=20000
API_SELECTOR=true
IP_SELECTOR=true
IP_IGNORE="[]"
WAZUH_MONITORING_ENABLED=true
WAZUH_MONITORING_FREQUENCY=900
WAZUH_MONITORING_SHARDS=2
WAZUH_MONITORING_REPLICAS=0
ADMIN_PRIVILEGES=true
EOF
echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
chmod 600 $WAZUH_PROD_FILE

1
scripts/subinstallers/gen_prod_env.sh
Unescape View File

@ -42,4 +42,5 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole" @@ -42,4 +42,5 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole"
WEBPASSWORD="$1"
echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE
echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE
chmod 600 $PIHOLE_PROD_FILE

4
scripts/subinstallers/iptables.sh
Unescape View File

@ -32,7 +32,7 @@ sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true @@ -32,7 +32,7 @@ sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true
# iptables: log and drop chain
sudo iptables -N MISTBORN_LOG_DROP
sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
sudo iptables -A MISTBORN_LOG_DROP -j DROP
# wireguard rules chains
@ -83,7 +83,7 @@ sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true @@ -83,7 +83,7 @@ sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true
# ip6tables: log and drop chain
sudo ip6tables -N MISTBORN_LOG_DROP
sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
sudo ip6tables -A MISTBORN_LOG_DROP -j DROP
# ip6tables

Write Preview
Loading…
Cancel
Save