Merge branch 'master' into onlyoffice

2022-06-09 18:03:35 +03:00 · 2020-07-30 11:51:01 -04:00
parent 61b0b43143 fe36dff1b9
commit d2c0c22e6f
20 changed files with 182 additions and 45 deletions
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 # Mistborn
-A secure platform for easily standing up and managing your own cloud services: including firewall, ad-blocking, and Wireguard VPN access
+A secure platform for easily standing up and managing your own cloud services: including firewall, ad-blocking, and multi-factor Wireguard VPN access

 # Table of Contents
 [[_TOC_]]
@@ -13,6 +13,7 @@ Ideal for teams who:
 - hate internet ads
 - need to be protected from malicious internet domains
 - need to collaborate securely
+- need multi-factor authentication for Wireguard
 - want to retain sole ownership of their data
 - want to easily grant and revoke access to people and devices via a simple web interface
 - want secure internet access wherever they are
@@ -44,8 +45,8 @@ Within Mistborn is a panel to enable and manage these free extra services (off b

 # Quickstart
 Tested Operating Systems (in order of thoroughness):
- Ubuntu 18.04 LTS
 - Ubuntu 20.04 LTS
+- Ubuntu 18.04 LTS
 - Debian 10 (Buster)
 - Raspbian Buster

@@ -141,6 +142,19 @@ Running `install.sh` will do the following:
 - copy Mistborn systemd service files to `/etc/systemd/system`
 - start and enable Mistborn-base

+# Non-Interactive Installation
+In order to install without interaction some environment variables need to be pre-set. 
+
+## Environment Variables
+See the environment variables needed in `./scripts/noninteractive/.install_barebones`
+
+## Example Noninteractive Install
+This will perform a noninteractive install with the default environment variables set in `.install_barebones`.
+```
+git clone https://gitlab.com/cyber5k/mistborn.git
+sudo bash -c "source ./mistborn/scripts/noninteractive/.install_barebones && ./mistborn/scripts/install.sh"
+```
+
 # Post-Installation
 When Mistborn-base starts up it will create volumes, initialize the PostgreSQL database, start pihole, run Django migrations and then check to see if a Mistborn superuser named `admin` exists yet. If not, it will create the superuser `admin` along with an accompanying default Wireguard configuration file and start the Wireguard service. You can watch all of this happen with:
 ```
@@ -201,6 +215,30 @@ Mistborn makes extra services available.
 Mistborn functions as a network firewall and provides metrics on blocked probes from the internet.
 ![Mistborn Metrics](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_metrics.png)*Mistborn Firewall Metrics*

+# Authentication
+There are multiple ways to authenticate and use the system. 
+
+![Mistborn Multi Factor Authentication - Authenticator App Setup](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_qr.png)*Mistborn Multi Factor Authentication - Authenticator App Setup*
+
+## Profile: Wireguard Authentication
+Mistborn always authenticates with Wireguard. You must have a valid Wireguard configuration file associated with the correct internal IP address. A classic Mistborn profile (Wireguard Only) will allow you to access the internet and all services hosted by Mistborn once you have connected via Wireguard. Note: individual services may require passwords or additional authentication.
+
+## Profile: Multi Factor Authentication (MFA)
+In addition to Wireguard, you may create a Mistborn profile enabling multi-factor authentication (MFA). You must first connect to Mistborn via Wireguard. Then all internet traffic will route you to the Mistborn webserver where you must first setup and thereafter authenticate with an app (Google Authenticator, Authy, etc.). You must go to [http://home.mistborn](http://home.mistborn) to complete the authentication process.
+
+![Mistborn Multi Factor Authentication](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa1.png)*Mistborn Multi Factor Authentication Prompt*
+
+### MFA Internet Access
+Internet access is blocked via iptables until authentication is completed for an MFA profile. You must go to [http://home.mistborn](http://home.mistborn) to complete the authentication process. Click "Sign Out" to re-block internet access until authentication completes again.
+
+![Mistborn Multi Factor Authentication - Token Prompt](https://gitlab.com/cyber5k/public/-/raw/master/graphics/mfa_token_enter.png)*Mistborn Multi Factor Authentication - Token Prompt*
+
+### MFA Mistborn Service Access
+Mistborn service access is blocked via traefik until Mistborn authentication is complete. You will not be able to access the web pages for pihole, cockpit, or any extra services until authentication is complete for an MFA profile. Attempting to visit one of these pages will redirect you to [http://home.mistborn](http://home.mistborn) where you must complete the authentication process. Click "Sign Out" to re-block access until authentication completes again.
+
+### Notes
+- **Sessions**: Traefik checks the authenticated sessions on the server side to determine whether to allow access to the Mistborn service web pages. If an open session exists for your Mistborn IP address then access will be granted. You may close all sessions by clicking "Sign Out" on the Mistborn home page. Expired sessions are regularly cleaned by the Mistborn system (celery periodic task).
+
 # Mistborn Subdomains
 Mistborn uses the following domains (that can be reached by all Wireguard clients):

@@ -376,6 +414,14 @@ DNS = 10.2.3.1
 ```
 Close the config and restart the client Wireguard process.

+## Troubleshooting Raspberry Pi OS (Raspbian)
+Be sure to always reboot after updating the kernel. When the kernel is updated the kernel modules are deleted (for the currently running kernel) and you will have issues with any function requiring kernel modules (e.g. `iptables` or `wireguard`).
+
+**Note**: The Raspberry Pi OS 64-bit BETA (versions from May 2020 and prior) have a bug where the os-release info indicates that it is Debian. Mistborn proceeds to install as though it were Debian. Since it's not Debian there are errors.
+
+## Troubleshooting Debian 10
+Run updates and restart before installing Mistborn (`sudo apt-get update && sudo apt-get -y dist-upgrade && sudo shutdown -r now`). Some older Linux kernels will prevent newer Wireguard versions from installing.
+
 # Technical and Security Insights
 These are some notes regarding the technical design and implementations of Mistborn. Feel free to contact me for additional details.

@@ -397,6 +443,7 @@ These are some notes regarding the technical design and implementations of Mistb
 - The "Update" button will pull updated Docker images for mistborn, postgresql, redis, pihole, and dnscrypt. Those services will then be restarted.
 - The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 10 years. The nanny at Apple has decided to restrict the kinds of certificates iOS users may choose to manually trust and so you may have issues with TLS on an Apple device for now.
 - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked.
+- Unattended upgrades are set to automatically install operating system security updates.

 # Roadmap
 Many features and refinements are in the works at various stages including:
@@ -414,7 +461,7 @@ Many features and refinements are in the works at various stages including:

 Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com)

-# Support
+# Support Mistborn

 Please consider supporting the project via:
 - [Paypal.me](https://paypal.me/cyber5k)
--- a/base.yml
+++ b/base.yml
@@ -166,7 +166,7 @@ services:
     - DNSCRYPT_LISTEN_PORT=5054
     # resolvers: https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md
     #- DNSCRYPT_SERVER_NAMES=['scaleway-fr','google','yandex','cloudflare'] 
-     - DNSCRYPT_SERVER_NAMES=['cloudflare','dnswarden-doh1','dnswarden-doh2','dnswarden-doh3','securedns-doh','adguard-dns-doh'] 
+     - DNSCRYPT_SERVER_NAMES=['cloudflare','dnswarden-doh1','dnswarden-doh2','dnswarden-doh3','adguard-dns-doh']
    networks:
      pihole_net:
        ipv4_address: 10.2.0.2
--- a/compose/production/traefik/traefik.toml.template
+++ b/compose/production/traefik/traefik.toml.template
@@ -96,6 +96,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.pihole]
    backend = "pihole"
    passHostHeader = true
+    [frontends.pihole.auth]
+      [frontends.pihole.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.pihole.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.pihole.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.pihole.routes.dr1]
@@ -104,6 +110,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.homeassistant]
    backend = "homeassistant"
    passHostHeader = true
+    [frontends.homeassistant.auth]
+      [frontends.homeassistant.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.homeassistant.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.homeassistant.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.homeassistant.routes.dr1]
@@ -112,6 +124,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.syncthing]
    backend = "syncthing"
    passHostHeader = true
+    [frontends.syncthing.auth]
+      [frontends.syncthing.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.syncthing.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.syncthing.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.syncthing.routes.dr1]
@@ -120,6 +138,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.rocketchat]
    backend = "rocketchat"
    passHostHeader = true
+    [frontends.rocketchat.auth]
+      [frontends.rocketchat.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.rocketchat.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.rocketchat.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.rocketchat.routes.dr1]
@@ -128,6 +152,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.nextcloud]
    backend = "nextcloud"
    passHostHeader = true
+    [frontends.nextcloud.auth]
+      [frontends.nextcloud.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.nextcloud.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.nextcloud.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.nextcloud.routes.dr1]
@@ -136,6 +166,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.onlyoffice]
    backend = "onlyoffice"
    passHostHeader = true
+    [frontends.onlyoffice.auth]
+      [frontends.onlyoffice.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.onlyoffice.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.onlyoffice.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.onlyoffice.routes.dr1]
@@ -144,6 +180,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.bitwarden]
    backend = "bitwarden"
    passHostHeader = true
+    [frontends.bitwarden.auth]
+      [frontends.bitwarden.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.bitwarden.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.bitwarden.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.bitwarden.routes.dr1]
@@ -152,6 +194,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.jellyfin]
    backend = "jellyfin"
    passHostHeader = true
+    [frontends.jellyfin.auth]
+      [frontends.jellyfin.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.jellyfin.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.jellyfin.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.jellyfin.routes.dr1]
@@ -160,6 +208,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.jitsi]
    backend = "jitsi"
    passHostHeader = true
+    [frontends.jitsi.auth]
+      [frontends.jitsi.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.jitsi.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.jitsi.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.jitsi.routes.dr1]
@@ -168,6 +222,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.raspap]
    backend = "raspap"
    passHostHeader = true
+    [frontends.raspap.auth]
+      [frontends.raspap.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.raspap.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.raspap.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.raspap.routes.dr1]
@@ -176,6 +236,12 @@ defaultEntryPoints = ["http", "https"]
  [frontends.cockpit]
    backend = "cockpit"
    passHostHeader = true
+    [frontends.cockpit.auth]
+      [frontends.cockpit.auth.forward]
+        address = "https://home.mistborn/auth/"
+        trustForwardHeader = false
+        [frontends.cockpit.auth.forward.tls]
+          insecureSkipVerify = true
    [frontends.cockpit.headers]
      HostsProxyHeaders = ['X-CSRFToken']
    [frontends.cockpit.routes.dr1]
--- a/scripts/env/setup.sh
+++ b/scripts/env/setup.sh
@@ -4,10 +4,10 @@ VAR_FILE=/opt/mistborn/.env

 source /opt/mistborn/scripts/subinstallers/platform.sh

-MISTBORN_DNS_BIND_IP="0.0.0.0"
-if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
-    MISTBORN_DNS_BIND_IP="10.2.3.1"
-fi
+MISTBORN_DNS_BIND_IP="10.2.3.1"
+#if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
+#    MISTBORN_DNS_BIND_IP="10.2.3.1"
+#fi

 echo "MISTBORN_DNS_BIND_IP=${MISTBORN_DNS_BIND_IP}" | sudo tee ${VAR_FILE}
 sudo chown mistborn:mistborn ${VAR_FILE}
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -2,6 +2,8 @@

 set -e

+export DEBIAN_FRONTEND=noninteractive
+
 ## ensure run as nonroot user
 #if [ "$EUID" -eq 0 ]; then
 MISTBORN_USER="mistborn"
@@ -97,7 +99,7 @@ git submodule update --init --recursive
 sudo apt-get update

 # install figlet
-sudo apt-get install -y figlet
+sudo -E apt-get install -y figlet

 # get os and distro
 source ./scripts/subinstallers/platform.sh
@@ -114,22 +116,24 @@ fi


 # SSH Server
-sudo apt-get install -y openssh-server
+sudo -E apt-get install -y openssh-server
 sudo sed -i 's/#PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
 sudo sed -i 's/PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
 sudo sed -i 's/#PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
 sudo sed -i 's/PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
+sudo sed -i 's/#Port.*/Port 22/' /etc/ssh/sshd_config
+sudo sed -i 's/Port.*/Port 22/' /etc/ssh/sshd_config
 sudo systemctl enable ssh
 sudo systemctl restart ssh

 # Additional tools fail2ban
-sudo apt-get install -y dnsutils fail2ban
+sudo -E apt-get install -y dnsutils fail2ban

 # Install kernel headers
 if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then
-    sudo apt install -y linux-headers-$(uname -r)
+    sudo -E apt install -y linux-headers-$(uname -r)
 elif [ "$DISTRO" == "raspbian" ]; then
-    sudo apt-get install -y raspberrypi-kernel-headers
+    sudo -E apt install -y raspberrypi-kernel-headers
 fi

 # Wireugard
@@ -141,13 +145,16 @@ sudo systemctl enable docker
 sudo systemctl start docker

 # Unattended upgrades
-sudo apt-get install -y unattended-upgrades
+sudo -E apt-get install -y unattended-upgrades

 # Cockpit
 if [[ "$MISTBORN_INSTALL_COCKPIT" =~ ^([yY][eE][sS]|[yY])$ ]]
 then
    # install cockpit
    source ./scripts/subinstallers/cockpit.sh
+    
+    # set variable (that will be available in environment)
+    MISTBORN_INSTALL_COCKPIT=Y
 fi

 # Mistborn-cli (pip3 installed by docker)
@@ -199,6 +206,7 @@ sudo mkdir -p ../mistborn_volumes/extra

 # Traefik final setup (cockpit)
 cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
+
 # setup tls certs 
 source ./scripts/subinstallers/openssl.sh
 sudo rm -rf ../mistborn_volumes/base/tls
@@ -225,8 +233,9 @@ sudo grep -qF "$(hostname)" /etc/hosts && echo "$(hostname) already in /etc/host
 echo "address=/.mistborn/10.2.3.1" | sudo tee ../mistborn_volumes/base/pihole/etc-dnsmasqd/02-lan.conf

 # ResolvConf (OpenResolv installed with Wireguard)
-sudo sed -i "s/#name_servers.*/name_servers=$IPV4_PUBLIC/" /etc/resolvconf.conf
-sudo sed -i "s/name_servers.*/name_servers=$IPV4_PUBLIC/" /etc/resolvconf.conf
+#sudo sed -i "s/#name_servers.*/name_servers=$IPV4_PUBLIC/" /etc/resolvconf.conf
+sudo sed -i "s/#name_servers.*/name_servers=10.2.3.1/" /etc/resolvconf.conf
+sudo sed -i "s/name_servers.*/name_servers=10.2.3.1/" /etc/resolvconf.conf
 #sudo sed -i "s/#name_servers.*/name_servers=127.0.0.1/" /etc/resolvconf.conf
 sudo resolvconf -u 1>/dev/null 2>&1

--- a/scripts/noninteractive/.install_barebones
+++ b/scripts/noninteractive/.install_barebones
@@ -0,0 +1,2 @@
+export MISTBORN_DEFAULT_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(20)]))")
+export MISTBORN_INSTALL_COCKPIT=No
--- a/scripts/services/Mistborn-base.service
+++ b/scripts/services/Mistborn-base.service
@@ -14,13 +14,13 @@ ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down

 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml build
 ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/ip6tables -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/ip6tables -w -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/resolvconf -u
 # Start container when unit is started
 ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml up
--- a/scripts/services/Mistborn-bitwarden.service
+++ b/scripts/services/Mistborn-bitwarden.service
@@ -11,7 +11,7 @@ PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml down

-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3012 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/bitwarden.yml up --build
 # Stop container when unit is stopped
--- a/scripts/services/Mistborn-jitsi.service
+++ b/scripts/services/Mistborn-jitsi.service
@@ -13,8 +13,8 @@ EnvironmentFile=/opt/mistborn/.envs/.production/.jitsi
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml down

-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport $JVB_PORT -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport $JVB_TCP_PORT -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/jitsi-meet.yml up --build
 # Stop container when unit is stopped
--- a/scripts/services/Mistborn-rocketchat.service
+++ b/scripts/services/Mistborn-rocketchat.service
@@ -11,7 +11,7 @@ PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml down

-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 3001 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/rocketchat.yml up --build
 # Stop container when unit is stopped
--- a/scripts/services/Mistborn-syncthing.service
+++ b/scripts/services/Mistborn-syncthing.service
@@ -11,8 +11,8 @@ PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml down

-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p udp --dport 21027 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 22000 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/syncthing.yml up --build
 # Stop container when unit is stopped
--- a/scripts/services/Mistborn-tor.service
+++ b/scripts/services/Mistborn-tor.service
@@ -11,7 +11,7 @@ PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
 ExecStartPre=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml down

-ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -w -I DOCKER-USER -i DIFACE -p tcp --dport 9150 -j MISTBORN_LOG_DROP
 # Start container when unit is started
 ExecStart=/usr/local/bin/docker-compose -f /opt/mistborn/extra/tor.yml up --build
 # Stop container when unit is stopped
--- a/scripts/subinstallers/cockpit.sh
+++ b/scripts/subinstallers/cockpit.sh
@@ -4,22 +4,25 @@
 figlet "Mistborn: Installing Cockpit"
 if [ "$DISTRO" == "ubuntu" ]; then
    echo "Ubuntu backports enabled by default"
-    
-    sudo apt-get install -y cockpit cockpit-docker

 elif [ "$DISTRO" == "debian" ]; then
    sudo grep -qF "buster-backports" /etc/apt/sources.list.d/backports.list \
    && echo "buster-backports already in sources" \
    || echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee -a /etc/apt/sources.list.d/backports.list
    
-    sudo apt-get install -y cockpit cockpit-docker

 elif [ "$DISTRO" == "raspbian" ]; then
    
    echo "Raspbian repos contain cockpit"
-    sudo apt-get install -y cockpit cockpit-docker

 fi
+    
+sudo -E apt-get install -y cockpit
+
+if $(sudo apt-cache show cockpit-docker > /dev/null 2>&1) ; then
+    # no longer supported upstream in Ubuntu 20.04
+    sudo -E apt-get install -y cockpit-docker
+fi

 sudo cp ./scripts/conf/cockpit.conf /etc/cockpit/cockpit.conf
 sudo systemctl restart cockpit.socket
--- a/scripts/subinstallers/docker.sh
+++ b/scripts/subinstallers/docker.sh
@@ -4,11 +4,11 @@
 figlet "Mistborn: Installing Docker"

 sudo apt update
-sudo apt install -y python python3-pip python3-setuptools libffi-dev python3-dev libssl-dev
+sudo -E apt install -y python python3-pip python3-setuptools libffi-dev python3-dev libssl-dev

 if [ "$DISTRO" == "ubuntu" ] && [ "$VERSION_ID" == "20.04" ]; then
    echo "Automated Docker install"
-    sudo apt-get install -y docker-compose
+    sudo -E apt-get install -y docker-compose
 else
    echo "Manual Docker installation"
    source ./scripts/subinstallers/docker_manual.sh
--- a/scripts/subinstallers/docker_manual.sh
+++ b/scripts/subinstallers/docker_manual.sh
@@ -2,7 +2,7 @@

 # dependencies
 echo "Installing Docker dependencies"
-sudo apt-get install -y \
+sudo -E apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
@@ -42,9 +42,9 @@ echo "Installing docker"
 sudo apt-get update

 if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then
-    sudo apt-get install -y docker-ce docker-ce-cli containerd.io
+    sudo -E apt-get install -y docker-ce docker-ce-cli containerd.io
 elif [ "$DISTRO" == "raspbian" ]; then
-    sudo apt install -y --no-install-recommends \
+    sudo -E apt install -y --no-install-recommends \
    docker-ce \
    cgroupfs-mount
 fi
@@ -59,7 +59,7 @@ echo "Installing Docker Compose"
 #    sudo chmod +x /usr/local/bin/docker-compose
 #elif [ "$DISTRO" == "raspbian" ]; then
 # Install required packages
-sudo apt install -y python-backports.ssl-match-hostname
+sudo -E apt install -y python-backports.ssl-match-hostname

 # Install Docker Compose from pip
 # This might take a while
--- a/scripts/subinstallers/gen_prod_env.sh
+++ b/scripts/subinstallers/gen_prod_env.sh
@@ -19,6 +19,9 @@ echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $DJANGO_PROD_FILE
 echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE
 echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE
 echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE
+echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE
+echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
+echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE

 # generate production .env file for postgresql
 POSTGRES_PROD_FILE="./.envs/.production/.postgres"
--- a/scripts/subinstallers/iptables.sh
+++ b/scripts/subinstallers/iptables.sh
@@ -46,7 +46,8 @@ sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 # if installing over SSH, add SSH rule
 if [ ! -z "${SSH_CLIENT}" ]; then
    SSH_SRC=$(echo $SSH_CLIENT | awk '{print $1}')
-    sudo iptables -A INPUT -p tcp -s $SSH_SRC --dport 22 -j ACCEPT
+    SSH_PRT=$(echo $SSH_CLIENT | awk '{print $3}')
+    sudo iptables -A INPUT -p tcp -s $SSH_SRC --dport $SSH_PRT -j ACCEPT
 fi

 # docker rules
@@ -102,7 +103,7 @@ if [ ! "$(dpkg-query -l iptables-persistent)" ]; then
    echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
    
    # install
-    sudo apt-get install -y iptables-persistent ipset
+    sudo -E apt-get install -y iptables-persistent ipset
 else
    echo "Saving iptables rules"
    sudo bash -c "iptables-save > /etc/iptables/rules.v4"
--- a/scripts/subinstallers/openssl.sh
+++ b/scripts/subinstallers/openssl.sh
@@ -8,7 +8,7 @@ CRT_PATH="$KEY_FOLDER/$CRT_FILE"
 KEY_PATH="$KEY_FOLDER/$KEY_FILE"

 # ensure openssl installed
-sudo apt-get install -y openssl
+sudo -E apt-get install -y openssl

 # make folder
 mkdir -p $KEY_FOLDER
--- a/scripts/subinstallers/wireguard.sh
+++ b/scripts/subinstallers/wireguard.sh
@@ -11,7 +11,7 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
    # Wireguard
    if [ "$DISTRO" == "raspbian" ]; then
        echo "Adding Wireguard repo keys"
-        sudo apt-get install -y dirmngr
+        sudo -E apt-get install -y dirmngr
        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
@@ -29,4 +29,4 @@ fi

 echo "Installing Wireguard"
 sudo apt-get update
-sudo apt-get install -y openresolv wireguard
+sudo -E apt-get install -y openresolv wireguard
--- a/scripts/update.sh
+++ b/scripts/update.sh
@@ -2,17 +2,23 @@

 set -e

+export DEBIAN_FRONTEND=noninteractive
+
 sudo git -C /opt/mistborn pull
 sudo git -C /opt/mistborn submodule update --init --recursive

 # ensure mistborn-cli is installed
 sudo pip3 install -e /opt/mistborn/modules/mistborn-cli

+# handle updates to Mistborn systemd scripts
 iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
 sudo cp /opt/mistborn/scripts/services/Mistborn* /etc/systemd/system/
 sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/User=root/User=mistborn/"
 sudo find /etc/systemd/system/ -type f -name 'Mistborn*' | xargs sudo sed -i "s/DIFACE/$iface/"

+# handle updates to traefik
+sudo cp /opt/mistborn/compose/production/traefik/traefik.toml.template /opt/mistborn/compose/production/traefik/traefik.toml
+
 sudo systemctl daemon-reload
 sudo systemctl enable Mistborn-setup.service
 sudo systemctl restart Mistborn-setup.service