Merge branch '215-sast' into 'master'

Resolve "Static Code Analysis"

Closes #215

See merge request cyber5k/mistborn!96

.gitlab-ci.yml

@@ -13,6 +13,7 @@ stages:
 
 include:
   - template: Code-Quality.gitlab-ci.yml
+  - template: Security/SAST.gitlab-ci.yml
 
 docker_build:
   stage: test

README.md

@@ -15,7 +15,7 @@ The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-origin
 
 Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free public WiFi networks. We needed a way to secure all family devices with a solid VPN (WireGuard). Once we had that we wanted to control DNS to block ads to all devices and block malicious websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding more services so I made that easy to do.
 
-As an [Offensive Security Certified Professional (OSCP)](https://resources.infosecinstitute.com/certification/the-oscp-certification-and-exam/), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights).
+As a [Certified Information Systems Security Professional (CISSP)](https://www.credly.com/badges/ebcb76f2-1e82-4079-9ea3-b507ffbd1d15/public_url) and an [Offensive Security Certified Professional (OSCP)](https://www.credly.com/badges/b93c44ec-3af5-48e8-9a33-b64365b70c61/public_url), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights).
 
 Ideal for teams who:
 - hate internet ads
@@ -62,8 +62,9 @@ Within Mistborn is a panel to enable and manage these free extra services (off b
 # Quickstart
 Tested Operating Systems (in order of thoroughness):
 - Ubuntu 20.04 LTS
-- Debian 10 (Buster)
+- Debian 11 (Bullseye)
 - Raspberry Pi OS (formerly Raspbian) Buster
+- Formerly tested and may still work: Ubuntu 18.04 LTS, Debian 10 (Buster)
 
 **Note:** Install operating system updates and restart. Raspberry Pi OS particularly needs to be restarted after kernel updates (kernel modules for the currently running kernel may be missing).
 

base.yml

@@ -55,7 +55,6 @@ services:
     container_name: mistborn_production_traefik
     depends_on:
       - django
-      - redis
     volumes:
       #- production_traefik:/etc/traefik/acme
       - ./compose/production/traefik/dynamic.toml:/dynamic.toml:ro
@@ -179,16 +178,17 @@ services:
     command: /start-celerybeat
     restart: unless-stopped
     
-  # flower:
+
-  #   image: "cyber5k/mistborn:${MISTBORN_TAG}"
+  #flower:
-  #   container_name: mistborn_production_flower
+  #  image: "cyber5k/mistborn:${MISTBORN_TAG}"
-  #   env_file:
+  #  container_name: mistborn_production_flower
-  #     - ./.envs/.production/.django
+  #  env_file:
-  #     - ./.envs/.production/.postgres
+  #    - ./.envs/.production/.django
-  #   ports:
+  #    - ./.envs/.production/.postgres
-  #     - "5555:5555/tcp"
+  #  ports:
-  #   command: /start-flower
+  #    - "5555:5555/tcp"
-  #   restart: unless-stopped
+  #  command: /start-flower
+  #  restart: unless-stopped
   
   pihole:
    container_name: mistborn_production_pihole
@@ -238,7 +238,7 @@ services:
      - DNSCRYPT_LISTEN_PORT=5054
      # resolvers: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md
      #- DNSCRYPT_SERVER_NAMES=['scaleway-fr','google','yandex','cloudflare'] 
-     - DNSCRYPT_SERVER_NAMES=['cloudflare']
+     - DNSCRYPT_SERVER_NAMES=['cloudflare','dnswarden-doh1','dnswarden-doh2','dnswarden-doh3','adguard-dns-doh']
     networks:
       pihole_net:
         ipv4_address: 10.2.0.2

compose/production/traefik/dynamic.toml

@@ -8,21 +8,17 @@
   [tls.options.default]
     minVersion = "VersionTLS12"
 
-[providers.redis]
+[http.services]
-  endpoints = ["127.0.0.1:6379"]
+  [http.services.cockpit.loadBalancer]
-  rootKey = "traefik"
+    [[http.services.cockpit.loadBalancer.servers]]
+      url = "http://10.2.3.1:9090"
 
-#[http.services]
+[http.routers]
-#  [http.services.cockpit.loadBalancer]
+  [http.routers.cockpit]
-#    [[http.services.cockpit.loadBalancer.servers]]
+    rule = "Host(`cockpit.mistborn`)"
-#      url = "http://10.2.3.1:9090"
+    service = "cockpit"
-#
+    entrypoints = ["web", "websecure"]
-#[http.routers]
+    middlewares = ["mistborn_auth"]
-#  [http.routers.cockpit]
-#    rule = "Host(`cockpit.mistborn`)"
-#    service = "cockpit"
-#    entrypoints = ["web", "websecure"]
-#    middlewares = ["mistborn_auth"]
 
 [http.middlewares]
   [http.middlewares.mistborn_auth.forwardAuth]

extra/bitwarden.yml

@@ -0,0 +1,28 @@
+version: '3'
+
+services:  
+  bitwarden:
+    image: vaultwarden/server:latest
+    container_name: mistborn_production_bitwarden
+    env_file:
+      - ../.envs/.production/.bitwarden
+    volumes:
+      - ../../mistborn_volumes/extra/bitwarden:/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.bitwarden-http.rule=Host(`bitwarden.mistborn`)"
+      - "traefik.http.routers.bitwarden-http.entrypoints=web"
+      - "traefik.http.routers.bitwarden-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.bitwarden-https.rule=Host(`bitwarden.mistborn`)"
+      - "traefik.http.routers.bitwarden-https.entrypoints=websecure"
+      - "traefik.http.routers.bitwarden-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.bitwarden-https.tls.certresolver=basic"
+      - "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
+    ports:
+      - "${MISTBORN_BIND_IP}:3012:3012/tcp"
+    restart: unless-stopped
+
+networks:
+  default:
+    external:
+      name: mistborn_default

extra/elasticsearch.yml

@@ -0,0 +1,30 @@
+version: '3.7'
+
+services:
+
+  elasticsearch:
+    image: amazon/opendistro-for-elasticsearch:1.13.2
+    hostname: elasticsearch
+    restart: unless-stopped
+    ports:
+      - "${MISTBORN_BIND_IP}:9200:9200"
+    environment:
+      - discovery.type=single-node
+      - cluster.name=mistborn-cluster
+      - network.host=0.0.0.0
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+    volumes:
+      - ../../mistborn_volumes/extra/elasticsearch/init/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+
+networks:
+  default:
+    external:
+      name: mistborn_default

extra/guacamole.yml

@@ -0,0 +1,72 @@
+version: '3'
+
+# services
+services:
+  # guacd
+  guacd:
+    container_name: mistborn_production_guacd
+    image: guacamole/guacd:1.3.0
+    networks:
+      guacnetwork:
+    restart: unless-stopped
+    volumes:
+    - ../../mistborn_volumes/extra/guacamole/drive:/drive:rw
+    - ../../mistborn_volumes/extra/guacamole/record:/record:rw
+
+
+  # postgres
+  guac_postgres:
+    container_name: mistborn_production_guac_postgres
+    env_file:
+    - ../.envs/.production/.guacamole
+    environment:
+      PGDATA: /var/lib/postgresql/data/guacamole
+    image: postgres
+    networks:
+      guacnetwork:
+    restart: unless-stopped
+    volumes:
+    - ../../mistborn_volumes/extra/guacamole/init:/docker-entrypoint-initdb.d:ro
+    - ../../mistborn_volumes/extra/guacamole/data:/var/lib/postgresql/data:rw
+
+
+  # guacamole
+  guacamole:
+    container_name: mistborn_production_guacamole
+    labels:
+    - "traefik.enable=true"
+    - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)"
+    - "traefik.http.routers.guacamole-http.entrypoints=web"
+    - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole"
+    - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)"
+    - "traefik.http.routers.guacamole-https.entrypoints=websecure"
+    - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole"
+    - "traefik.http.routers.guacamole-https.tls.certresolver=basic"
+    - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole"
+    - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080"
+    depends_on:
+    - guacd
+    - guac_postgres
+    environment:
+      GUACD_HOSTNAME: guacd
+      GUACD_PORT: 4822
+      #GUACAMOLE_HOME: /config
+    env_file:
+    - ../.envs/.production/.guacamole
+    image: guacamole/guacamole:1.3.0
+    links:
+    - guacd
+    networks:
+      guacnetwork:
+    #ports:
+## enable next line if not using nginx
+##    - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /.
+## enable next line when using nginx
+    #- 8080/tcp
+    restart: unless-stopped
+
+# networks
+# create a network 'guacnetwork' in mode 'bridged'
+networks:
+  guacnetwork:
+    driver: bridge

extra/homeassistant.yml

@@ -0,0 +1,26 @@
+version: '3'
+
+services:
+  homeassistant:
+    container_name: mistborn_production_home_assistant 
+    image: homeassistant/home-assistant:stable
+    volumes:
+      - ../../mistborn_volumes/extra/homeassistant/config:/config
+    environment:
+      - TZ=America/New_York
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.homeassistant-http.rule=Host(`homeassistant.mistborn`)"
+      - "traefik.http.routers.homeassistant-http.entrypoints=web"
+      - "traefik.http.routers.homeassistant-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.homeassistant-https.rule=Host(`homeassistant.mistborn`)"
+      - "traefik.http.routers.homeassistant-https.entrypoints=websecure"
+      - "traefik.http.routers.homeassistant-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.homeassistant-https.tls.certresolver=basic"
+      - "traefik.http.services.homeassistant-service.loadbalancer.server.port=8123"
+    restart: unless-stopped 
+
+networks:
+  default:
+    external:
+      name: mistborn_default

extra/jellyfin.yml

@@ -0,0 +1,30 @@
+version: '3'
+
+volumes:
+  production_jellyfin_config: {}
+  production_jellyfin_cache: {}
+
+services:  
+  jellyfin:
+    image: jellyfin/jellyfin:latest
+    container_name: mistborn_production_jellyfin
+    volumes:
+      - production_jellyfin_config:/config
+      - production_jellyfin_cache:/cache
+      - ../../mistborn_volumes/extra/nextcloud:/media:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.jellyfin-http.rule=Host(`jellyfin.mistborn`)"
+      - "traefik.http.routers.jellyfin-http.entrypoints=web"
+      - "traefik.http.routers.jellyfin-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.jellyfin-https.rule=Host(`jellyfin.mistborn`)"
+      - "traefik.http.routers.jellyfin-https.entrypoints=websecure"
+      - "traefik.http.routers.jellyfin-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.jellyfin-https.tls.certresolver=basic"
+      - "traefik.http.services.jellyfin-service.loadbalancer.server.port=8096"
+    restart: unless-stopped
+
+networks:
+  default:
+    external:
+      name: mistborn_default

extra/jitsi-meet.yml

@@ -0,0 +1,255 @@
+version: '3'
+
+services:
+    # Frontend
+    jitsi-web:
+        image: jitsi/web:latest
+        restart: unless-stopped
+        #ports:
+            #- '${HTTP_PORT}:80'
+            #- '${HTTPS_PORT}:443'
+        labels:
+            - "traefik.enable=true"
+            - "traefik.http.routers.jitsi-http.rule=Host(`jitsi.mistborn`)"
+            - "traefik.http.routers.jitsi-http.entrypoints=web"
+            - "traefik.http.routers.jitsi-http.middlewares=mistborn_auth@file"
+            - "traefik.http.routers.jitsi-https.rule=Host(`jitsi.mistborn`)"
+            - "traefik.http.routers.jitsi-https.entrypoints=websecure"
+            - "traefik.http.routers.jitsi-https.middlewares=mistborn_auth@file"
+            - "traefik.http.routers.jitsi-https.tls.certresolver=basic"
+            - "traefik.http.services.jitsi-service.loadbalancer.server.port=${HTTP_PORT}"
+        volumes:
+            - ${CONFIG}/web:/config:Z
+            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - ENABLE_LETSENCRYPT
+            - ENABLE_HTTP_REDIRECT
+            - ENABLE_XMPP_WEBSOCKET
+            - DISABLE_HTTPS
+            - LETSENCRYPT_DOMAIN
+            - LETSENCRYPT_EMAIL
+            - LETSENCRYPT_USE_STAGING
+            - PUBLIC_URL
+            - TZ
+            - AMPLITUDE_ID
+            - ANALYTICS_SCRIPT_URLS
+            - ANALYTICS_WHITELISTED_EVENTS
+            - BRIDGE_CHANNEL
+            - BRANDING_DATA_URL
+            - CALLSTATS_CUSTOM_SCRIPT_URL
+            - CALLSTATS_ID
+            - CALLSTATS_SECRET
+            - CHROME_EXTENSION_BANNER_JSON
+            - CONFCODE_URL
+            - CONFIG_EXTERNAL_CONNECT
+            - DEPLOYMENTINFO_ENVIRONMENT
+            - DEPLOYMENTINFO_ENVIRONMENT_TYPE
+            - DEPLOYMENTINFO_USERREGION
+            - DIALIN_NUMBERS_URL
+            - DIALOUT_AUTH_URL
+            - DIALOUT_CODES_URL
+            - DROPBOX_APPKEY
+            - DROPBOX_REDIRECT_URI
+            - ENABLE_AUDIO_PROCESSING
+            - ENABLE_AUTH
+            - ENABLE_CALENDAR
+            - ENABLE_FILE_RECORDING_SERVICE
+            - ENABLE_FILE_RECORDING_SERVICE_SHARING
+            - ENABLE_GUESTS
+            - ENABLE_IPV6
+            - ENABLE_LIPSYNC
+            - ENABLE_NO_AUDIO_DETECTION
+            - ENABLE_P2P
+            - ENABLE_PREJOIN_PAGE
+            - ENABLE_RECORDING
+            - ENABLE_REMB
+            - ENABLE_REQUIRE_DISPLAY_NAME
+            - ENABLE_SIMULCAST
+            - ENABLE_STATS_ID
+            - ENABLE_STEREO
+            - ENABLE_SUBDOMAINS
+            - ENABLE_TALK_WHILE_MUTED
+            - ENABLE_TCC
+            - ENABLE_TRANSCRIPTIONS
+            - ETHERPAD_PUBLIC_URL
+            - ETHERPAD_URL_BASE
+            - GOOGLE_ANALYTICS_ID
+            - GOOGLE_API_APP_CLIENT_ID
+            - INVITE_SERVICE_URL
+            - JICOFO_AUTH_USER
+            - MATOMO_ENDPOINT
+            - MATOMO_SITE_ID
+            - MICROSOFT_API_APP_CLIENT_ID
+            - NGINX_RESOLVER
+            - NGINX_WORKER_PROCESSES
+            - NGINX_WORKER_CONNECTIONS
+            - PEOPLE_SEARCH_URL
+            - RESOLUTION
+            - RESOLUTION_MIN
+            - RESOLUTION_WIDTH
+            - RESOLUTION_WIDTH_MIN
+            - START_AUDIO_ONLY
+            - START_AUDIO_MUTED
+            - START_BITRATE
+            - START_VIDEO_MUTED
+            - TESTING_CAP_SCREENSHARE_BITRATE
+            - TESTING_OCTO_PROBABILITY
+            - XMPP_AUTH_DOMAIN
+            - XMPP_BOSH_URL_BASE
+            - XMPP_DOMAIN
+            - XMPP_GUEST_DOMAIN
+            - XMPP_MUC_DOMAIN
+            - XMPP_RECORDER_DOMAIN
+            - TOKEN_AUTH_URL
+        networks:
+            default:
+            meet.jitsi:
+                aliases:
+                    - ${XMPP_DOMAIN}
+
+    # XMPP server
+    jitsi-prosody:
+        image: jitsi/prosody:latest
+        restart: unless-stopped
+        expose:
+            - '5222'
+            - '5347'
+            - '5280'
+        volumes:
+            - ${CONFIG}/prosody/config:/config:Z
+            - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - AUTH_TYPE
+            - ENABLE_AUTH
+            - ENABLE_GUESTS
+            - ENABLE_LOBBY
+            - ENABLE_XMPP_WEBSOCKET
+            - GLOBAL_MODULES
+            - GLOBAL_CONFIG
+            - LDAP_URL
+            - LDAP_BASE
+            - LDAP_BINDDN
+            - LDAP_BINDPW
+            - LDAP_FILTER
+            - LDAP_AUTH_METHOD
+            - LDAP_VERSION
+            - LDAP_USE_TLS
+            - LDAP_TLS_CIPHERS
+            - LDAP_TLS_CHECK_PEER
+            - LDAP_TLS_CACERT_FILE
+            - LDAP_TLS_CACERT_DIR
+            - LDAP_START_TLS
+            - XMPP_DOMAIN
+            - XMPP_AUTH_DOMAIN
+            - XMPP_GUEST_DOMAIN
+            - XMPP_MUC_DOMAIN
+            - XMPP_INTERNAL_MUC_DOMAIN
+            - XMPP_MODULES
+            - XMPP_MUC_MODULES
+            - XMPP_INTERNAL_MUC_MODULES
+            - XMPP_RECORDER_DOMAIN
+            - XMPP_CROSS_DOMAIN
+            - JICOFO_COMPONENT_SECRET
+            - JICOFO_AUTH_USER
+            - JICOFO_AUTH_PASSWORD
+            - JVB_AUTH_USER
+            - JVB_AUTH_PASSWORD
+            - JIGASI_XMPP_USER
+            - JIGASI_XMPP_PASSWORD
+            - JIBRI_XMPP_USER
+            - JIBRI_XMPP_PASSWORD
+            - JIBRI_RECORDER_USER
+            - JIBRI_RECORDER_PASSWORD
+            - JWT_APP_ID
+            - JWT_APP_SECRET
+            - JWT_ACCEPTED_ISSUERS
+            - JWT_ACCEPTED_AUDIENCES
+            - JWT_ASAP_KEYSERVER
+            - JWT_ALLOW_EMPTY
+            - JWT_AUTH_TYPE
+            - JWT_TOKEN_AUTH_MODULE
+            - LOG_LEVEL
+            - PUBLIC_URL
+            - TZ
+        networks:
+            meet.jitsi:
+                aliases:
+                    - ${XMPP_SERVER}
+
+    # Focus component
+    jitsi-jicofo:
+        image: jitsi/jicofo:latest
+        restart: unless-stopped
+        volumes:
+            - ${CONFIG}/jicofo:/config:Z
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - AUTH_TYPE
+            - ENABLE_AUTH
+            - XMPP_DOMAIN
+            - XMPP_AUTH_DOMAIN
+            - XMPP_INTERNAL_MUC_DOMAIN
+            - XMPP_MUC_DOMAIN
+            - XMPP_SERVER
+            - JICOFO_COMPONENT_SECRET
+            - JICOFO_AUTH_USER
+            - JICOFO_AUTH_PASSWORD
+            - JICOFO_RESERVATION_REST_BASE_URL
+            - JVB_BREWERY_MUC
+            - JIGASI_BREWERY_MUC
+            - JIGASI_SIP_URI
+            - JIBRI_BREWERY_MUC
+            - JIBRI_PENDING_TIMEOUT
+            - TZ
+        depends_on:
+            - jitsi-prosody
+        networks:
+            meet.jitsi:
+
+    # Video bridge
+    jitsi-jvb:
+        image: jitsi/jvb:latest
+        restart: unless-stopped
+        ports:
+            - "${MISTBORN_BIND_IP}:${JVB_PORT}:${JVB_PORT}/udp"
+            - "${MISTBORN_BIND_IP}:${JVB_TCP_PORT}:${JVB_TCP_PORT}"
+        volumes:
+            - ${CONFIG}/jvb:/config:Z
+        env_file:
+            - ../.envs/.production/.jitsi
+        environment:
+            - DOCKER_HOST_ADDRESS
+            - XMPP_AUTH_DOMAIN
+            - XMPP_INTERNAL_MUC_DOMAIN
+            - XMPP_SERVER
+            - JVB_AUTH_USER
+            - JVB_AUTH_PASSWORD
+            - JVB_BREWERY_MUC
+            - JVB_PORT
+            - JVB_TCP_HARVESTER_DISABLED
+            - JVB_TCP_PORT
+            - JVB_TCP_MAPPED_PORT
+            - JVB_STUN_SERVERS
+            - JVB_ENABLE_APIS
+            - JVB_WS_DOMAIN
+            - JVB_WS_SERVER_ID
+            - PUBLIC_URL
+            - TZ
+        depends_on:
+            - jitsi-prosody
+        networks:
+            meet.jitsi:
+                aliases:
+                    - jvb.meet.jitsi
+
+# Custom network so all services can communicate using a FQDN
+networks:
+    default:
+      external:
+        name: mistborn_default
+    meet.jitsi:

extra/nextcloud.yml

@@ -0,0 +1,29 @@
+version: '3'
+
+services:  
+  nextcloud:
+    image: nextcloud
+    container_name: mistborn_production_nextcloud
+    env_file:
+      - ../.envs/.production/.postgres
+      - ../.envs/.production/.nextcloud
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.mistborn`)"
+      - "traefik.http.routers.nextcloud-http.entrypoints=web"
+      - "traefik.http.routers.nextcloud-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.mistborn`)"
+      - "traefik.http.routers.nextcloud-https.entrypoints=websecure"
+      - "traefik.http.routers.nextcloud-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.nextcloud-https.tls.certresolver=basic"
+      - "traefik.http.services.nextcloud-service.loadbalancer.server.port=80"
+    volumes:
+      - ../../mistborn_volumes/extra/nextcloud:/var/www/html
+    environment:
+      - VIRTUAL_HOST=nextcloud.mistborn
+    restart: unless-stopped
+
+networks:
+  default:
+    external:
+      name: mistborn_default

extra/onlyoffice.yml

@@ -0,0 +1,27 @@
+version: '3'
+
+services:
+  onlyoffice:
+    container_name: mistborn_production_onlyoffice
+    image: onlyoffice/documentserver:latest
+    volumes:
+      - ../../mistborn_volumes/extra/onlyoffice/logs:/var/log/onlyoffice
+      - ../../mistborn_volumes/extra/onlyoffice/cache:/var/lib/onlyoffice
+    env_file:
+      - ../.envs/.production/.onlyoffice
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.onlyoffice-http.rule=Host(`onlyoffice.mistborn`)"
+      - "traefik.http.routers.onlyoffice-http.entrypoints=web"
+      - "traefik.http.routers.onlyoffice-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.onlyoffice-https.rule=Host(`onlyoffice.mistborn`)"
+      - "traefik.http.routers.onlyoffice-https.entrypoints=websecure"
+      - "traefik.http.routers.onlyoffice-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.onlyoffice-https.tls.certresolver=basic"
+      - "traefik.http.services.onlyoffice-service.loadbalancer.server.port=80"
+    restart: unless-stopped 
+
+networks:
+  default:
+    external:
+      name: mistborn_default

extra/raspap.yml

@@ -0,0 +1,33 @@
+version: '3'
+
+services:
+  raspap:
+    image: "cyber5k/raspap:${MISTBORN_TAG}"
+    container_name: mistborn_production_raspap
+    #network_mode: host
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.raspap-http.rule=Host(`raspap.mistborn`)"
+      - "traefik.http.routers.raspap-http.entrypoints=web"
+      - "traefik.http.routers.raspap-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.raspap-https.rule=Host(`raspap.mistborn`)"
+      - "traefik.http.routers.raspap-https.entrypoints=websecure"
+      - "traefik.http.routers.raspap-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.raspap-https.tls.certresolver=basic"
+      - "traefik.http.services.raspap-service.loadbalancer.server.port=80"
+    env_file:
+      - ../.envs/.production/.raspap
+    cap_add:
+      #- NET_ADMIN
+      - SYS_ADMIN
+      #- CAP_FOWNER
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    #command: /start
+    restart: unless-stopped
+
+networks:
+  default:
+    external:
+      name: mistborn_default

extra/rocketchat.yml

@@ -0,0 +1,72 @@
+version: '3'
+
+services:
+  # rocketchat
+  rocketchat:
+    image: rocket.chat:latest
+    container_name: mistborn_production_rocketchat
+    command: bash -c 'for i in `seq 1 30`; do node main.js && s=$$? && break || s=$$?; echo "Tried $$i times. Waiting 5 secs..."; sleep 5; done; (exit $$s)'
+    restart: unless-stopped
+    volumes:
+      - ../../mistborn_volumes/extra/rocketchat/uploads:/app/uploads
+    environment:
+      - PORT=3000
+      - ROOT_URL=http://chat.mistborn
+      - MONGO_URL=mongodb://mongo:27017/rocketchat
+      - MONGO_OPLOG_URL=mongodb://mongo:27017/local
+      - Accounts_UseDNSDomainCheck=False
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.chat-http.rule=Host(`chat.mistborn`)"
+      - "traefik.http.routers.chat-http.entrypoints=web"
+      - "traefik.http.routers.chat-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.chat-https.rule=Host(`chat.mistborn`)"
+      - "traefik.http.routers.chat-https.entrypoints=websecure"
+      - "traefik.http.routers.chat-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.chat-https.tls.certresolver=basic"
+      - "traefik.http.services.chat-service.loadbalancer.server.port=3000"
+    depends_on:
+      - mongo
+    #ports:
+    #  - 3000:3000
+
+  mongo:
+    image: mongo:4.0
+    container_name: mistborn_production_rocketchat_mongo
+    restart: unless-stopped
+    volumes:
+     - ../../mistborn_volumes/extra/rocketchat/data/db:/data/db
+     - ../../mistborn_volumes/extra/rocketchat/data/dump:/dump
+    command: mongod --smallfiles --oplogSize 128 --replSet rs0 --storageEngine=mmapv1
+
+  # this container's job is just run the command to initialize the replica set.
+  # it will run the command and remove himself (it will not stay running)
+  mongo-init-replica:
+    image: mongo
+    command: 'bash -c "for i in `seq 1 30`; do mongo mongo/rocketchat --eval \"rs.initiate({ _id: ''rs0'', members: [ { _id: 0, host: ''localhost:27017'' } ]})\" && s=$$? && break || s=$$?; echo \"Tried $$i times. Waiting 5 secs...\"; sleep 5; done; (exit $$s)"'
+    depends_on:
+      - mongo
+
+  # hubot, the popular chatbot (add the bot user first and change the password before starting this image)
+  hubot:
+    image: rocketchat/hubot-rocketchat:latest
+    container_name: mistborn_production_rocketchat_hubot
+    restart: unless-stopped
+    environment:
+      - ROCKETCHAT_URL=chat.mistborn #:3000
+      # you can add more scripts as you'd like here, they need to be installable by npm
+      - EXTERNAL_SCRIPTS=hubot-help,hubot-seen,hubot-links,hubot-diagnostics
+    env_file:
+      - ../.envs/.production/.rocketchat
+    depends_on:
+      - rocketchat
+    volumes:
+      - ../../mistborn_volumes/extra/rocketchat/hubot/scripts:/home/hubot/scripts
+  # this is used to expose the hubot port for notifications on the host on port 3001, e.g. for hubot-jenkins-notifier
+    ports:
+      - "${MISTBORN_BIND_IP}:3001:8080/tcp"
+
+networks:
+  default:
+    external:
+      name: mistborn_default

extra/syncthing.yml

@@ -0,0 +1,35 @@
+version: '3'
+
+services:
+  syncthing:
+    image: linuxserver/syncthing:latest
+    container_name: mistborn_production_syncthing
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Amereica/New_York
+      - UMASK_SET=022
+    volumes:
+      - ../../mistborn_volumes/extra/syncthing/config:/config
+      - ../../mistborn_volumes/extra/syncthing/data1:/data1
+      - ../../mistborn_volumes/extra/syncthing/data2:/data2
+    ports:
+      #- 8384:8384
+      - "${MISTBORN_BIND_IP}:22000:22000/tcp" # listening port
+      - "${MISTBORN_BIND_IP}:21027:21027/udp" # protocol discovery
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.syncthing-http.rule=Host(`syncthing.mistborn`)"
+      - "traefik.http.routers.syncthing-http.entrypoints=web"
+      - "traefik.http.routers.syncthing-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.syncthing-https.rule=Host(`syncthing.mistborn`)"
+      - "traefik.http.routers.syncthing-https.entrypoints=websecure"
+      - "traefik.http.routers.syncthing-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.syncthing-https.tls.certresolver=basic"
+      - "traefik.http.services.syncthing-service.loadbalancer.server.port=8384"
+    restart: unless-stopped
+
+networks:
+  default:
+    external:
+      name: mistborn_default

extra/tor.yml

@@ -0,0 +1,16 @@
+version: '3'
+
+services:
+  tor-client:
+    build:
+      context: ../compose/production/tor
+      dockerfile: ./Dockerfile
+    image: mistborn_production_tor
+    container_name: mistborn_production_tor
+    ports:
+      - "${MISTBORN_BIND_IP}:9150:9150/tcp"
+
+networks:
+  default:
+    external:
+      name: mistborn_default

extra/wazuh.yml

@@ -0,0 +1,70 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh:
+    image: wazuh/wazuh-odfe:4.1.5
+    hostname: wazuh-manager
+    restart: unless-stopped
+    ports:
+      - "${MISTBORN_BIND_IP}:1514:1514"
+      - "${MISTBORN_BIND_IP}:1515:1515"
+      - "${MISTBORN_BIND_IP}:514:514/udp"
+      - "${MISTBORN_BIND_IP}:55000:55000"
+    environment:
+      - FILEBEAT_SSL_VERIFICATION_MODE=none
+    env_file:
+      - ../.envs/.production/.wazuh
+    volumes:
+      - ossec_api_configuration:/var/ossec/api/configuration
+      - ossec_etc:/var/ossec/etc
+      - ossec_logs:/var/ossec/logs
+      - ossec_queue:/var/ossec/queue
+      - ossec_var_multigroups:/var/ossec/var/multigroups
+      - ossec_integrations:/var/ossec/integrations
+      - ossec_active_response:/var/ossec/active-response/bin
+      - ossec_agentless:/var/ossec/agentless
+      - ossec_wodles:/var/ossec/wodles
+      - filebeat_etc:/etc/filebeat
+      - filebeat_var:/var/lib/filebeat
+
+  wazuh-kibana:
+    image: wazuh/wazuh-kibana-odfe:4.1.5
+    hostname: wazuh-kibana
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.wazuhk-http.rule=Host(`wazuh.mistborn`)"
+      - "traefik.http.routers.wazuhk-http.entrypoints=web"
+      - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.wazuhk-https.rule=Host(`wazuh.mistborn`)"
+      - "traefik.http.routers.wazuhk-https.entrypoints=websecure"
+      - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file"
+      - "traefik.http.routers.wazuhk-https.tls.certresolver=basic"
+      - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601"
+    #ports:
+    #  - "${MISTBORN_BIND_IP}:5601:5601"
+    environment:
+      - SERVER_SSL_ENABLED=false
+      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
+      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
+    env_file:
+      - ../.envs/.production/.wazuh
+
+volumes:
+  ossec_api_configuration:
+  ossec_etc:
+  ossec_logs:
+  ossec_queue:
+  ossec_var_multigroups:
+  ossec_integrations:
+  ossec_active_response:
+  ossec_agentless:
+  ossec_wodles:
+  filebeat_etc:
+  filebeat_var:
+
+networks:
+  default:
+    external:
+      name: mistborn_default

scripts/conf/15-iptables.conf

@@ -1,6 +1,6 @@
 # Log kernel iptables dropped messages to iptables.log
 $template MyTemplate,"%$day%-%timegenerated:1:3:date-rfc3164%-%$year% %timegenerated:12:19:date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n"
-:msg,contains,"[Mistborn-IPTables-Dropped]:" /var/log/iptables.log;MyTemplate #RSYSLOG_FileFormat
+:msg,contains,"[IPTables-Dropped]:" /var/log/iptables.log;MyTemplate #RSYSLOG_FileFormat
 
 # Uncomment the following to stop logging anything that matches the last rule.
 # Doing this will stop logging kernel generated UFW log messages to the file

scripts/conf/cockpit.conf

@@ -0,0 +1,3 @@
+[WebService]
+ProtocolHeader = X-Forwarded-Proto
+AllowUnencrypted=true

scripts/conf/jitsi.env

@@ -0,0 +1,366 @@
+# shellcheck disable=SC2034
+
+# Security
+#
+# Set these to strong passwords to avoid intruders from impersonating a service account
+# The service(s) won't start unless these are specified
+# Running ./gen-passwords.sh will update .env with strong passwords
+# You may skip the Jigasi and Jibri passwords if you are not using those
+# DO NOT reuse passwords
+#
+
+# XMPP component password for Jicofo
+JICOFO_COMPONENT_SECRET=
+
+# XMPP password for Jicofo client connections
+JICOFO_AUTH_PASSWORD=
+
+# XMPP password for JVB client connections
+JVB_AUTH_PASSWORD=
+
+# XMPP password for Jigasi MUC client connections
+JIGASI_XMPP_PASSWORD=
+
+# XMPP recorder password for Jibri client connections
+JIBRI_RECORDER_PASSWORD=
+
+# XMPP password for Jibri client connections
+JIBRI_XMPP_PASSWORD=
+
+
+#
+# Basic configuration options
+#
+
+# Directory where all configuration will be stored
+#CONFIG=~/.jitsi-meet-cfg
+CONFIG=../.envs/.production/.jitsi-cfg
+
+# Exposed HTTP port
+HTTP_PORT=80
+
+# Exposed HTTPS port
+HTTPS_PORT=443
+
+# System time zone
+TZ=UTC
+
+# Public URL for the web service (required)
+PUBLIC_URL=https://jitsi.mistborn
+
+# IP address of the Docker host
+# See the "Running behind NAT or on a LAN environment" section in the Handbook:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
+#DOCKER_HOST_ADDRESS=192.168.1.1
+DOCKER_HOST_ADDRESS=10.2.3.1
+
+# Control whether the lobby feature should be enabled or not
+#ENABLE_LOBBY=1
+
+# Show a prejoin page before entering a conference
+#ENABLE_PREJOIN_PAGE=0
+
+#
+# Let's Encrypt configuration
+#
+
+# Enable Let's Encrypt certificate generation
+#ENABLE_LETSENCRYPT=1
+
+# Domain for which to generate the certificate
+#LETSENCRYPT_DOMAIN=meet.example.com
+
+# E-Mail for receiving important account notifications (mandatory)
+#LETSENCRYPT_EMAIL=alice@atlanta.net
+
+# Use the staging server (for avoiding rate limits while testing)
+#LETSENCRYPT_USE_STAGING=1
+
+
+#
+# Etherpad integration (for document sharing)
+#
+
+# Set etherpad-lite URL in docker local network (uncomment to enable)
+#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
+
+# Set etherpad-lite public URL (uncomment to enable)
+#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
+
+# Name your etherpad instance!
+ETHERPAD_TITLE="Video Chat"
+
+# The default text of a pad
+ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
+
+# Name of the skin for etherpad
+ETHERPAD_SKIN_NAME="colibris"
+
+# Skin variants for etherpad
+ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
+
+
+#
+# Basic Jigasi configuration options (needed for SIP gateway support)
+#
+
+# SIP URI for incoming / outgoing calls
+#JIGASI_SIP_URI=test@sip2sip.info
+
+# Password for the specified SIP account as a clear text
+#JIGASI_SIP_PASSWORD=passw0rd
+
+# SIP server (use the SIP account domain if in doubt)
+#JIGASI_SIP_SERVER=sip2sip.info
+
+# SIP server port
+#JIGASI_SIP_PORT=5060
+
+# SIP server transport
+#JIGASI_SIP_TRANSPORT=UDP
+
+#
+# Authentication configuration (see handbook for details)
+#
+
+# Enable authentication
+#ENABLE_AUTH=1
+
+# Enable guest access
+#ENABLE_GUESTS=1
+
+# Select authentication type: internal, jwt or ldap
+#AUTH_TYPE=internal
+
+# JWT authentication
+#
+
+# Application identifier
+#JWT_APP_ID=my_jitsi_app_id
+
+# Application secret known only to your token
+#JWT_APP_SECRET=my_jitsi_app_secret
+
+# (Optional) Set asap_accepted_issuers as a comma separated list
+#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
+
+# (Optional) Set asap_accepted_audiences as a comma separated list
+#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
+
+
+# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
+#
+
+# LDAP url for connection
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
+# %s - %s is replaced by the complete service string
+# %r - %r is replaced by the complete realm string
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. Used when server certificate verify is enabled
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
+
+#
+# Advanced configuration options (you generally don't need to change these)
+#
+
+# Internal XMPP domain
+XMPP_DOMAIN=meet.jitsi
+
+# Internal XMPP server
+XMPP_SERVER=xmpp.meet.jitsi
+
+# Internal XMPP server URL
+XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
+
+# Internal XMPP domain for authenticated services
+XMPP_AUTH_DOMAIN=auth.meet.jitsi
+
+# XMPP domain for the MUC
+XMPP_MUC_DOMAIN=muc.meet.jitsi
+
+# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
+XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
+
+# XMPP domain for unauthenticated users
+XMPP_GUEST_DOMAIN=guest.meet.jitsi
+
+# Comma separated list of domains for cross domain policy or "true" to allow all
+# The PUBLIC_URL is always allowed
+#XMPP_CROSS_DOMAIN=true
+
+# Custom Prosody modules for XMPP_DOMAIN (comma separated)
+XMPP_MODULES=
+
+# Custom Prosody modules for MUC component (comma separated)
+XMPP_MUC_MODULES=
+
+# Custom Prosody modules for internal MUC component (comma separated)
+XMPP_INTERNAL_MUC_MODULES=
+
+# MUC for the JVB pool
+JVB_BREWERY_MUC=jvbbrewery
+
+# XMPP user for JVB client connections
+JVB_AUTH_USER=jvb
+
+# STUN servers used to discover the server's public IP
+JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
+
+# Media port for the Jitsi Videobridge
+JVB_PORT=10000
+
+# TCP Fallback for Jitsi Videobridge for when UDP isn't available
+JVB_TCP_HARVESTER_DISABLED=true
+JVB_TCP_PORT=4443
+JVB_TCP_MAPPED_PORT=4443
+
+# A comma separated list of APIs to enable when the JVB is started [default: none]
+# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
+#JVB_ENABLE_APIS=rest,colibri
+
+# XMPP user for Jicofo client connections.
+# NOTE: this option doesn't currently work due to a bug
+JICOFO_AUTH_USER=focus
+
+# Base URL of Jicofo's reservation REST API
+#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
+
+# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
+#JICOFO_ENABLE_HEALTH_CHECKS=true
+
+# XMPP user for Jigasi MUC client connections
+JIGASI_XMPP_USER=jigasi
+
+# MUC name for the Jigasi pool
+JIGASI_BREWERY_MUC=jigasibrewery
+
+# Minimum port for media used by Jigasi
+JIGASI_PORT_MIN=20000
+
+# Maximum port for media used by Jigasi
+JIGASI_PORT_MAX=20050
+
+# Enable SDES srtp
+#JIGASI_ENABLE_SDES_SRTP=1
+
+# Keepalive method
+#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
+
+# Health-check extension
+#JIGASI_HEALTH_CHECK_SIP_URI=keepalive
+
+# Health-check interval
+#JIGASI_HEALTH_CHECK_INTERVAL=300000
+#
+# Enable Jigasi transcription
+#ENABLE_TRANSCRIPTIONS=1
+
+# Jigasi will record audio when transcriber is on [default: false]
+#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
+
+# Jigasi will send transcribed text to the chat when transcriber is on [default: false]
+#JIGASI_TRANSCRIBER_SEND_TXT=true
+
+# Jigasi will post an url to the chat with transcription file [default: false]
+#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
+
+# Credentials for connect to Cloud Google API from Jigasi
+# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
+# section "Before you begin" paragraph 1 to 5
+# Copy the values from the json to the related env vars
+#GC_PROJECT_ID=
+#GC_PRIVATE_KEY_ID=
+#GC_PRIVATE_KEY=
+#GC_CLIENT_EMAIL=
+#GC_CLIENT_ID=
+#GC_CLIENT_CERT_URL=
+
+# Enable recording
+#ENABLE_RECORDING=1
+
+# XMPP domain for the jibri recorder
+XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
+
+# XMPP recorder user for Jibri client connections
+JIBRI_RECORDER_USER=recorder
+
+# Directory for recordings inside Jibri container
+JIBRI_RECORDING_DIR=/config/recordings
+
+# The finalizing script. Will run after recording is complete
+JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
+
+# XMPP user for Jibri client connections
+JIBRI_XMPP_USER=jibri
+
+# MUC name for the Jibri pool
+JIBRI_BREWERY_MUC=jibribrewery
+
+# MUC connection timeout
+JIBRI_PENDING_TIMEOUT=90
+
+# When jibri gets a request to start a service for a room, the room
+# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
+# We'll build the url for the call by transforming that into:
+# https://xmpp_domain/subdomain/roomName
+# So if there are any prefixes in the jid (like jitsi meet, which
+# has its participants join a muc at conference.xmpp_domain) then
+# list that prefix here so it can be stripped out to generate
+# the call url correctly
+JIBRI_STRIP_DOMAIN_JID=muc
+
+# Directory for logs inside Jibri container
+JIBRI_LOGS_DIR=/config/logs
+
+# Disable HTTPS: handle TLS connections outside of this setup
+DISABLE_HTTPS=1
+
+# Redirect HTTP traffic to HTTPS
+# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
+#ENABLE_HTTP_REDIRECT=1
+
+# Enable IPv6
+# Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
+#ENABLE_IPV6=1
+
+# Container restart policy
+# Defaults to unless-stopped
+RESTART_POLICY=unless-stopped
+
+# Authenticate using external service or just focus external auth window if there is one already.
+# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}

scripts/env/setup.sh

@@ -1,10 +1,5 @@
 #!/bin/bash
 
-# Version
-MISTBORN_MAJOR_VERSION="0"
-MISTBORN_MINOR_VERSION="1"
-MISTBORN_PATCH_NUMBER="1"
-
 #### ENV file
 
 VAR_FILE=/opt/mistborn/.env
@@ -18,12 +13,6 @@ echo "" | sudo tee ${VAR_FILE}
 sudo chown mistborn:mistborn ${VAR_FILE}
 sudo chmod 600 ${VAR_FILE}
 
-# Version env variables
-echo "MISTBORN_VERSION=${MISTBORN_MAJOR_VERSION}.${MISTBORN_MINOR_VERSION}.${MISTBORN_PATCH_NUMBER}" | sudo tee -a ${VAR_FILE}
-echo "MISTBORN_MAJOR_VERSION=${MISTBORN_MAJOR_VERSION}" | sudo tee -a ${VAR_FILE}
-echo "MISTBORN_MINOR_VERSION=${MISTBORN_MINOR_VERSION}" | sudo tee -a ${VAR_FILE}
-echo "MISTBORN_PATCH_NUMBER=${MISTBORN_PATCH_NUMBER}" | sudo tee -a ${VAR_FILE}
-
 # MISTBORN_DNS_BIND_IP
 
 MISTBORN_DNS_BIND_IP="10.2.3.1"
@@ -40,11 +29,9 @@ echo "MISTBORN_BIND_IP=10.2.3.1" | sudo tee -a ${VAR_FILE}
 # MISTBORN_TAG
 
 GIT_BRANCH=$(git -C /opt/mistborn symbolic-ref --short HEAD || echo "master")
-MISTBORN_TAG="${MISTBORN_MAJOR_VERSION}.${MISTBORN_MINOR_VERSION}"
+MISTBORN_TAG="latest"
-if [ ! -z "$MISTBORN_TEST_CONTAINER" ]; then
+if [ "$GIT_BRANCH" != "master" ]; then
-    MISTBORN_TAG="$MISTBORN_TEST_CONTAINER"
+    MISTBORN_TAG="test"
-elif [ "$GIT_BRANCH" == "master" ]; then
-    MISTBORN_TAG="latest"
 fi
 
 echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
@@ -54,9 +41,9 @@ echo "MISTBORN_TAG=$MISTBORN_TAG" | sudo tee -a ${VAR_FILE}
 # copy current service files to systemd (overwriting as needed)
 sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
 
-## set script user and owner
+# set script user and owner
-#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
+sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=$USER/"
-##sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
+#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/ root:root / $USER:$USER /"
 
 # reload in case the iface is not immediately set
 sudo systemctl daemon-reload
@@ -69,14 +56,8 @@ while [[ -z "$iface" ]]; do
     iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}' | tr -d '[:space:]')
 done
 
-GLOBAL_ENV=/opt/mistborn/.envs/.production/.global
-install -Dv /dev/null $GLOBAL_ENV
-echo "DIFACE=$iface" >> $GLOBAL_ENV
-echo "MISTBORN_ENV_PATH=../../.envs/.production/" >> $GLOBAL_ENV
-echo "MISTBORN_VOL_PATH=../../../mistborn_volumes/extra/" >> $GLOBAL_ENV
-
 # default interface
-#sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
+sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"
 
 echo "DIFACE=${iface}" | sudo tee -a ${VAR_FILE}
 

scripts/install.sh

@@ -39,7 +39,7 @@ if [ $(whoami) != "$MISTBORN_USER" ]; then
 
         sudo cp $FULLPATH /home/$MISTBORN_USER
         sudo chown $MISTBORN_USER:$MISTBORN_USER /home/$MISTBORN_USER/$FILENAME
-        sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
+        sudo SSH_CLIENT="$SSH_CLIENT" MISTBORN_DEFAULT_PASSWORD="$MISTBORN_DEFAULT_PASSWORD" GIT_BRANCH="$GIT_BRANCH" MISTBORN_INSTALL_COCKPIT="$MISTBORN_INSTALL_COCKPIT" -i -u $MISTBORN_USER bash -c "/home/$MISTBORN_USER/$FILENAME" # self-referential call
         exit 0
 fi
 
@@ -76,6 +76,13 @@ source ./scripts/subinstallers/check_updates.sh
 # MISTBORN_DEFAULT_PASSWORD
 source ./scripts/subinstallers/passwd.sh
 
+# Install Cockpit?
+if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then
+    read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface -- NOT RECOMMENDED on Raspberry Pi)? [y/N]: " MISTBORN_INSTALL_COCKPIT
+    echo
+    MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-N}
+fi
+
 # SSH keys
 if [ ! -f ~/.ssh/id_rsa ]; then
     echo "Generating SSH keypair for $USER"
@@ -167,6 +174,16 @@ sudo systemctl start docker
 # Unattended upgrades
 sudo -E apt-get install -y unattended-upgrades
 
+# Cockpit
+if [[ "$MISTBORN_INSTALL_COCKPIT" =~ ^([yY][eE][sS]|[yY])$ ]]
+then
+    # install cockpit
+    source ./scripts/subinstallers/cockpit.sh
+    
+    # set variable (that will be available in environment)
+    MISTBORN_INSTALL_COCKPIT=Y
+fi
+
 # Mistborn-cli (pip3 installed by docker)
 figlet "Mistborn: Installing mistborn-cli"
 sudo pip3 install -e ./modules/mistborn-cli
@@ -207,6 +224,9 @@ sudo mkdir -p ../mistborn_volumes/base/pihole/etc-pihole
 sudo mkdir -p ../mistborn_volumes/base/pihole/etc-dnsmasqd
 sudo mkdir -p ../mistborn_volumes/extra
 
+# Traefik final setup (cockpit)
+#cp ./compose/production/traefik/traefikv2.toml.template ./compose/production/traefik/traefik.toml
+
 # setup tls certs 
 source ./scripts/subinstallers/openssl.sh
 #sudo rm -rf ../mistborn_volumes/base/tls

scripts/services/Mistborn-base.service

@@ -6,8 +6,6 @@ After=docker.service
 After=netfilter-persistent.service
 
 [Service]
-EnvironmentFile=/opt/mistborn/.envs/.production/.global
-EnvironmentFile=/opt/mistborn/.env
 Restart=always
 RestartSec=15
 User=root
@@ -23,13 +21,13 @@ ExecStartPre=-/usr/bin/bash -c "docker container stop $(docker network inspect m
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml build
-ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev $DIFACE
+ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
-#ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -w -A OUTPUT -o $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/ip6tables -w -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/resolvconf -u
 # Start container when unit is started
@@ -37,12 +35,12 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml up
 # Stop container when unit is stopped
 ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 # Post stop
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
-#ExecStopPost=-/sbin/iptables -D DOCKER-USER -i $DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
-ExecStopPost=-/sbin/iptables -D OUTPUT -o $DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
 
 [Install]

scripts/services/Mistborn-bitwarden.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Mistborn Bitwarden Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
+
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh bitwarden docker-compose -f /opt/mistborn/extra/bitwarden.yml down
+# Post stop
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-elasticsearch.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Mistborn Elasticsearch Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-guacamole.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=Mistborn Guacamole
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
+
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh guacamole docker-compose -f /opt/mistborn/extra/guacamole.yml down
+# Post stop
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-homeassistant.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=Mistborn Home Assistant 
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
+
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh homeassistant docker-compose -f /opt/mistborn/extra/homeassistant.yml down
+# Post stop
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-jellyfin.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=Mistborn Jellyfin Service
+Requires=Mistborn-nextcloud.service
+After=Mistborn-nextcloud.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
+
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jellyfin docker-compose -f /opt/mistborn/extra/jellyfin.yml down
+# Post stop
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-jitsi.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Mistborn Jitsi Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_up.sh
+
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
+
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down
+# Post stop
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh jitsi /opt/mistborn/scripts/services/jitsi/iptables_down.sh
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-nextcloud.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=Mistborn Nextcloud Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
+
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh nextcloud docker-compose -f /opt/mistborn/extra/nextcloud.yml down
+# Post stop
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-onlyoffice.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=Mistborn OnlyOffice Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
+
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh onlyoffice docker-compose -f /opt/mistborn/extra/onlyoffice.yml down
+# Post stop
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-raspap.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Mistborn RaspAP Service 
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP
+#ExecStartPre=/bin/bash /opt/mistborn_volumes/extra/raspap/etc-raspap/hostapd/servicestart.sh --interface uap0 --seconds 3
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down
+
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh raspap docker-compose -f /opt/mistborn/extra/raspap.yml down
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 8095 -j MISTBORN_LOG_DROP
+# Post stop
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-rocketchat.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Mistborn Rocket Chat Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
+
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh rocketchat docker-compose -f /opt/mistborn/extra/rocketchat.yml down
+# Post stop
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-syncthing.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Mistborn Syncthing Service
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
+
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh syncthing docker-compose -f /opt/mistborn/extra/syncthing.yml down
+# Post stop
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-tor.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Mistborn Tor Service 
+Requires=Mistborn-base.service
+After=Mistborn-base.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
+
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml up --build
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh tor docker-compose -f /opt/mistborn/extra/tor.yml down
+# Post stop
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/Mistborn-wazuh.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=Mistborn Wazuh Service
+Requires=Mistborn-elasticsearch.service
+After=Mistborn-elasticsearch.service
+PartOf=Mistborn-base.service
+
+[Service]
+Restart=always
+RestartSec=15
+TimeoutStartSec=600
+User=root
+Group=docker
+PermissionsStartOnly=true
+# Shutdown container (if running) when unit is stopped
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
+# Start container when unit is started
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml up --build
+# Agent install
+ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
+ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
+# Suricata
+ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh
+ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh
+# Stop container when unit is stopped
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_stop.sh
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
+
+[Install]
+WantedBy=Mistborn-base.service

scripts/services/elasticsearch/files/internal_users.yml

@@ -0,0 +1,17 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+# Define your internal users here
+
+mistborn:
+  hash: "__MISTBORN_HASH__"
+  reserved: true
+  backend_roles:
+  - "admin"
+  description: "Mistborn user"
+

scripts/services/elasticsearch/init.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+if [[ -f "/opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml" ]]; then
+    echo "internal_users.yml exists. Proceeding."
+    exit 0
+fi
+
+mkdir -p /opt/mistborn_volumes/extra/elasticsearch/init/ >/dev/null 2>&1
+chmod -R +x /opt/mistborn_volumes/extra/elasticsearch/init/
+cp /opt/mistborn/scripts/services/elasticsearch/files/internal_users.yml /opt/mistborn_volumes/extra/elasticsearch/init/
+
+ELASTICSEARCH_MISTBORN_HASHED="$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n')"
+
+if [[ -z "${ELASTICSEARCH_MISTBORN_HASHED}" ]]; then 
+    echo "Elasticsearch password hash not generated properly"
+    exit 1;
+fi
+
+sed -i "s|__MISTBORN_HASH__|${ELASTICSEARCH_MISTBORN_HASHED}|" /opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml

scripts/services/guacamole/init.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [[ -f "/opt/mistborn_volumes/extra/guacamole/init/initdb.sql" ]]; then
+    echo "initdb.sql exists. Proceeding."
+    exit 0
+fi
+
+mkdir -p /opt/mistborn_volumes/extra/guacamole/init/ >/dev/null 2>&1
+chmod -R +x /opt/mistborn_volumes/extra/guacamole/init/
+docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgres > /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
+
+# grab values in initdb.sql to replace
+HEXSTRINGS=($(egrep -o [0-9a-fA-F]{64} /opt/mistborn_volumes/extra/guacamole/init/initdb.sql))
+
+# reset default password in init.db
+SALT=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice('0123456789ABCDEF') for x in range(64)]))")
+GUAC_PASSWORD_HASHED=$(echo -n "${MISTBORN_DEFAULT_PASSWORD}${SALT}" | sha256sum | awk '{print $1}' | tr a-z A-Z)
+
+sed -i "s/${HEXSTRINGS[1]}/$SALT/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
+sed -i "s/${HEXSTRINGS[0]}/$GUAC_PASSWORD_HASHED/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql
+sed -i "s/guacadmin/mistborn/g" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql

scripts/services/homeassistant/init.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+HASS_CONFIG="/opt/mistborn_volumes/extra/homeassistant/config/configuration.yaml"
+
+if [[ -f "$HASS_CONFIG" ]]; then
+    # configuration.yaml exists
+
+    if [[ ! -z $(grep "use_x_forwarded_for: true" "$HASS_CONFIG") ]]; then
+        # FOUND
+        exit 0;
+    fi
+
+# add the proxy config
+# write the trusted proxies config
+cat >> ${HASS_CONFIG}<< EOF
+
+http:
+  use_x_forwarded_for: true
+  trusted_proxies:
+    - 172.16.0.0/12 
+
+EOF
+
+exit 0;
+
+fi
+
+# create parent directory if needed
+PARENTDIR="$(dirname $HASS_CONFIG)"
+if [[ ! -d "$PARENTDIR" ]]; then
+    mkdir -p $PARENTDIR
+fi
+
+# write the trusted proxies config
+cat >> ${HASS_CONFIG}<< EOF
+
+# Configure a default setup of Home Assistant (frontend, api, etc)
+default_config:
+
+# Text to speech
+#tts:
+#  - platform: google_translate
+
+#group: !include groups.yaml
+#automation: !include automations.yaml
+#script: !include scripts.yaml
+#scene: !include scenes.yaml
+
+http:
+  use_x_forwarded_for: true
+  trusted_proxies:
+    - 172.16.0.0/12  
+
+EOF

scripts/services/jitsi/iptables_down.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+iptables -w -D DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+iptables -w -D DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP

scripts/services/jitsi/iptables_up.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+iptables -w -I DOCKER-USER -i $DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+iptables -w -I DOCKER-USER -i $DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP

scripts/services/wazuh/agent.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# detect if already installed
+if dpkg -s wazuh-agent &> /dev/null; then
+    echo "Wazuh agent already installed"
+    exit 0
+fi
+
+# install curl
+echo "install curl"
+sudo -E apt-get install -y curl
+
+# prepare repo
+echo "Adding Wazuh Repository"
+curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo -E apt-key add -
+echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo -E tee /etc/apt/sources.list.d/wazuh.list
+
+apt-get update
+
+# wait for service to be listening
+while ! nc -z 10.2.3.1 55000; do
+    WAIT_TIME=10
+    echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
+    sleep ${WAIT_TIME}
+done
+
+# install
+echo "Installing Wazuh agent"
+WAZUH_MANAGER="10.2.3.1" apt-get install wazuh-agent
+

scripts/services/wazuh/agent_start.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+systemctl start wazuh-agent
+systemctl enable wazuh-agent

scripts/services/wazuh/agent_stop.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+systemctl stop wazuh-agent
+systemctl disable wazuh-agent

scripts/services/wazuh/suricata/suricata_init.sh

@@ -0,0 +1,129 @@
+#!/bin/bash
+
+set -e
+
+# detect if suricata is installed
+if [[ $(dpkg-query -W -f='${Status}' suricata 2>/dev/null | grep -c "ok installed") -eq 1 ]]; then
+    echo "Suricata Installed"
+    exit 0
+fi
+
+source /opt/mistborn/scripts/subinstallers/platform.sh
+
+# minimal dependencies
+sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
+                libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+                make libmagic-dev libjansson-dev jq wget
+
+## recommended dependencies
+#sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
+#                libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+#                libcap-ng-dev libcap-ng0 make libmagic-dev         \
+#                libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
+#                python-yaml rustc cargo
+
+# iptables/nftables integration
+sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1  \
+                libnetfilter-log-dev libnetfilter-log1      \
+                libnfnetlink-dev libnfnetlink0
+
+
+if [ "$DISTRO" == "ubuntu" ]; then
+    echo "Installing Suricata Ubuntu PPA"
+    sudo -E add-apt-repository -y ppa:oisf/suricata-stable
+    sudo -E apt-get update
+    sudo -E apt-get install -y suricata
+elif [ "$DISTRO" == "debian" ]; then
+    # retrieve version codename
+    source /etc/os-release
+    echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
+        sudo -E tee /etc/apt/sources.list.d/backports.list
+    sudo -E apt-get update
+    sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
+else
+    echo "Basic Suricata installation"
+    sudo -E apt-get install -y suricata
+fi
+
+# # iptables
+# sudo iptables -A INPUT -j NFQUEUE
+# sudo iptables -I FORWARD -j NFQUEUE
+# sudo iptables -I OUTPUT -j NFQUEUE
+
+# # rsyslog to create /var/log/suricata.log
+# sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
+# sudo chown root:root /etc/rsyslog.d/20-suricata.conf
+# sudo systemctl restart rsyslog
+
+# rules
+pushd .
+cd /tmp
+wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
+tar zxvf emerging.rules.tar.gz
+sudo -E rm /etc/suricata/rules/* -f
+sudo -E mv rules/*.rules /etc/suricata/rules/
+popd
+
+# suricata yaml
+sudo -E rm -f /etc/suricata/suricata.yaml
+sudo -E wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
+
+IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
+sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml
+sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
+
+#systemctl restart suricata
+
+# wait for service to be listening
+while ! nc -z 10.2.3.1 55000; do
+    WAIT_TIME=10
+    echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
+    sleep ${WAIT_TIME}
+done
+
+# set working directory to mistborn for docker-compose
+pushd .
+cd /opt/mistborn
+
+# ensure group exists
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null
+
+# add this host to group
+WAZUH_ID=$(sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',')
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q
+
+# write agent.conf
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF
+<agent_config>
+    <localfile>
+        <log_format>json</log_format>
+        <location>/var/log/suricata/eve.json</location>
+    </localfile>
+</agent_config>
+EOF
+"
+
+# restart manager
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml restart wazuh
+
+popd
+
+# suricata-update
+sudo -E apt install python3-pip
+sudo -E pip3 install pyyaml
+sudo -E pip3 install https://github.com/OISF/suricata-update/archive/master.zip
+
+sudo -E pip3 install --pre --upgrade suricata-update
+
+# sudo -E suricata-update enable-source oisf/trafficid
+# sudo -E suricata-update enable-source etnetera/aggressive
+# sudo -E suricata-update enable-source sslbl/ssl-fp-blacklist
+# sudo -E suricata-update enable-source et/open
+# sudo -E suricata-update enable-source tgreen/hunting
+# sudo -E suricata-update enable-source sslbl/ja3-fingerprints
+# sudo -E suricata-update enable-source ptresearch/attackdetection
+
+sudo -E suricata-update
+
+sudo systemctl daemon-reload
+sudo systemctl restart suricata

scripts/services/wazuh/suricata/suricata_start.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+systemctl start suricata
+systemctl enable suricata
+
+#apt-get install -y python-pyinotify
+#python /opt/mistborn/scripts/services/scirius/suri_reloader -p /etc/suricata/rules &

scripts/services/wazuh/suricata/suricata_stop.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+systemctl stop suricata
+systemctl disable suricata
+
+#kill $(pgrep -f suri_reloader) 2>/dev/null

scripts/subinstallers/cockpit.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Cockpit
+figlet "Mistborn: Installing Cockpit"
+if [ "$DISTRO" == "ubuntu" ]; then
+    echo "Ubuntu backports enabled by default"
+
+elif [ "$DISTRO" == "debian" ]; then
+    sudo grep -qF "buster-backports" /etc/apt/sources.list.d/backports.list \
+    && echo "buster-backports already in sources" \
+    || echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee -a /etc/apt/sources.list.d/backports.list
+    
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
+    echo "Raspbian repos contain cockpit"
+fi
+    
+sudo -E apt-get install -y cockpit
+
+if [ $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ]; then
+    # no longer supported upstream in Ubuntu 20.04
+    sudo -E apt-get install -y cockpit-docker
+elif [ $(sudo apt-cache show cockpit-podman > /dev/null 2>&1) ]; then
+    sudo -E apt-get install -y cockpit-podman
+fi
+
+sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf
+sudo systemctl restart cockpit.socket
+
+# create system cockpit user
+echo "Creating cockpit user"
+sudo useradd -s /bin/bash -d /home/cockpit -m -G sudo -p $(openssl passwd -1 "$MISTBORN_DEFAULT_PASSWORD") cockpit || true

scripts/subinstallers/extra/bitwarden.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# generate bitwarden .env files
+BITWARDEN_PROD_FILE="$1"
+echo "WEBSOCKET_ENABLED=true" > $BITWARDEN_PROD_FILE
+echo "SIGNUPS_ALLOWED=true" >> $BITWARDEN_PROD_FILE
+chmod 600 $BITWARDEN_PROD_FILE

scripts/subinstallers/extra/elasticsearch.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Elasticsearch
+ELASTICSEARCH_PROD_FILE="$1"
+echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $ELASTICSEARCH_PROD_FILE
+chmod 600 $ELASTICSEARCH_PROD_FILE

scripts/subinstallers/extra/guacamole.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Guacamole
+GUAC_PROD_FILE="$1"
+GUAC_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
+echo "POSTGRES_HOST=guac_postgres" > $GUAC_PROD_FILE
+echo "POSTGRES_HOSTNAME=guac_postgres" > $GUAC_PROD_FILE
+echo "POSTGRES_PORT=5432" >> $GUAC_PROD_FILE
+echo "POSTGRES_DB=guacamole_db" >> $GUAC_PROD_FILE
+echo "POSTGRES_DATABASE=guacamole_db" >> $GUAC_PROD_FILE
+echo "POSTGRES_USER=guac_user" >> $GUAC_PROD_FILE
+echo "POSTGRES_PASSWORD=$GUAC_PASSWORD" >> $GUAC_PROD_FILE
+echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $GUAC_PROD_FILE
+chmod 600 $GUAC_PROD_FILE

scripts/subinstallers/extra/jitsi.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# JITSI
+JITSI_PROD_FILE="$1"
+cp ${MISTBORN_HOME}/scripts/conf/jitsi.env $JITSI_PROD_FILE
+mkdir -p ${MISTBORN_HOME}/.envs/.production/.jitsi-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
+sed -i "s/JICOFO_COMPONENT_SECRET.*/JICOFO_COMPONENT_SECRET=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JICOFO_AUTH_PASSWORD.*/JICOFO_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JVB_AUTH_PASSWORD.*/JVB_AUTH_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JIGASI_XMPP_PASSWORD.*/JIGASI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JIBRI_RECORDER_PASSWORD.*/JIBRI_RECORDER_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+sed -i "s/JIBRI_XMPP_PASSWORD.*/JIBRI_XMPP_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")/" "$JITSI_PROD_FILE"
+chmod 600 $JITSI_PROD_FILE

scripts/subinstallers/extra/nextcloud.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# generate nextcloud .env files
+NEXTCLOUD_PROD_FILE="$1"
+#NEXTCLOUD_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
+NEXTCLOUD_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
+echo "NEXTCLOUD_ADMIN_USER=mistborn" > $NEXTCLOUD_PROD_FILE
+echo "NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_PASSWORD" >> $NEXTCLOUD_PROD_FILE
+echo "NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mistborn" >> $NEXTCLOUD_PROD_FILE
+chmod 600 $NEXTCLOUD_PROD_FILE

scripts/subinstallers/extra/onlyoffice.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# generate onlyoffice .env files
+ONLYOFFICE_PROD_FILE="$1"
+JWT_SECRET="${MISTBORN_DEFAULT_PASSWORD}"
+echo "JWT_ENABLED=true" > $ONLYOFFICE_PROD_FILE
+echo "JWT_SECRET=$JWT_SECRET" >> $ONLYOFFICE_PROD_FILE
+chmod 600 $ONLYOFFICE_PROD_FILE

scripts/subinstallers/extra/raspap.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# RaspAP
+RASPAP_PROD_FILE="$1"
+echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" > $RASPAP_PROD_FILE
+chmod 600 $RASPAP_PROD_FILE

scripts/subinstallers/extra/rocketchat.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# generate rocketchat .env files
+ROCKETCHAT_PROD_FILE="$1"
+#ROCKETCHAT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
+ROCKETCHAT_PASSWORD="${MISTBORN_DEFAULT_PASSWORD}"
+echo "ROCKETCHAT_USER=bot" > $ROCKETCHAT_PROD_FILE
+echo "ROCKETCHAT_ROOM=GENERAL" >> $ROCKETCHAT_PROD_FILE
+echo "BOT_NAME=bot" >> $ROCKETCHAT_PROD_FILE
+echo "ROCKETCHAT_PASSWORD=$ROCKETCHAT_PASSWORD" >> $ROCKETCHAT_PROD_FILE
+
+# docker environment
+echo "MISTBORN_BIND_IP=${MISTBORN_BIND_IP}" >> $ROCKETCHAT_PROD_FILE
+
+chmod 600 $ROCKETCHAT_PROD_FILE

scripts/subinstallers/extra/wazuh.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# Wazuh
+WAZUH_PROD_FILE="$1"
+echo "ELASTIC_USERNAME=mistborn" > $WAZUH_PROD_FILE
+echo "ELASTIC_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
+
+echo "ELASTICSEARCH_USERNAME=mistborn" >> $WAZUH_PROD_FILE
+echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
+
+# kibana odfe
+# kibana-odfe/config/wazuh_app_config.sh
+# https://wazuh
+echo "WAZUH_API_URL=https://10.2.3.1" >> $WAZUH_PROD_FILE
+echo "API_PORT=55000" >> $WAZUH_PROD_FILE
+echo "API_USERNAME=wazuh-wui" >> $WAZUH_PROD_FILE
+
+#API_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))")
+
+API_PASSWORD_PYTHON=$(cat << EOF
+
+import secrets
+import random
+import string
+
+random_pass = ([secrets.choice("@$!*?-"),
+                           secrets.choice(string.digits),
+                           secrets.choice(string.ascii_lowercase),
+                           secrets.choice(string.ascii_uppercase),
+                           ]
+                          + [secrets.choice(string.ascii_lowercase
+                                           + string.ascii_uppercase
+                                           + "@$!*?-"
+                                           + string.digits) for i in range(12)])
+
+random.shuffle(random_pass)
+random_pass = ''.join(random_pass)
+print(random_pass)
+
+EOF
+)
+
+API_PASSWORD=$(python3 -c "${API_PASSWORD_PYTHON}")
+
+echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE
+
+# kibana-odfe/config/entrypoint.sh:
+# https://elasticsearch:9200
+echo "ELASTICSEARCH_URL=https://10.2.3.1:9200" >> $WAZUH_PROD_FILE
+
+
+cat >> ${WAZUH_PROD_FILE}<< EOF
+
+PATTERN="wazuh-alerts-*"
+
+CHECKS_PATTERN=true
+CHECKS_TEMPLATE=true
+CHECKS_API=true
+CHECKS_SETUP=true
+
+EXTENSIONS_PCI=true
+EXTENSIONS_GDPR=true
+EXTENSIONS_HIPAA=true
+EXTENSIONS_NIST=true
+EXTENSIONS_TSC=true
+EXTENSIONS_AUDIT=true
+EXTENSIONS_OSCAP=false
+EXTENSIONS_CISCAT=false
+EXTENSIONS_AWS=false
+EXTENSIONS_GCP=false
+EXTENSIONS_VIRUSTOTAL=true
+EXTENSIONS_OSQUERY=true
+EXTENSIONS_DOCKER=true
+
+APP_TIMEOUT=20000
+
+API_SELECTOR=true
+IP_SELECTOR=true
+IP_IGNORE="[]"
+
+WAZUH_MONITORING_ENABLED=true
+WAZUH_MONITORING_FREQUENCY=900
+WAZUH_MONITORING_SHARDS=2
+WAZUH_MONITORING_REPLICAS=0
+
+ADMIN_PRIVILEGES=true
+
+EOF
+
+echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE
+
+chmod 600 $WAZUH_PROD_FILE

scripts/subinstallers/gen_prod_env.sh

@@ -42,5 +42,4 @@ PIHOLE_PROD_FILE="./.envs/.production/.pihole"
 WEBPASSWORD="$1"
 echo "TZ=\"America/New York\"" > $PIHOLE_PROD_FILE
 echo "WEBPASSWORD=$WEBPASSWORD" >> $PIHOLE_PROD_FILE
-
 chmod 600 $PIHOLE_PROD_FILE

scripts/subinstallers/iptables.sh

@@ -32,7 +32,7 @@ sudo iptables -X MISTBORN_DOCKER_INPUT 2>/dev/null || true
 
 # iptables: log and drop chain
 sudo iptables -N MISTBORN_LOG_DROP
-sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
+sudo iptables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
 sudo iptables -A MISTBORN_LOG_DROP -j DROP
 
 # wireguard rules chains
@@ -83,7 +83,7 @@ sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true
 
 # ip6tables: log and drop chain
 sudo ip6tables -N MISTBORN_LOG_DROP
-sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
+sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[IPTables-Dropped]: " --log-level 4
 sudo ip6tables -A MISTBORN_LOG_DROP -j DROP
 
 # ip6tables