From e7b4e8aa46264f895993da8b9de1006f58839ae7 Mon Sep 17 00:00:00 2001 From: Matthew Tran Date: Wed, 19 Feb 2025 22:17:31 -0800 Subject: [PATCH] further secure containers --- README.md | 6 +-- compose.yml | 73 ++++++++++++++++++++---------------- minecraft/.dockerignore | 3 +- minecraft/Dockerfile | 13 ++++--- minecraft_bedrock/Dockerfile | 15 ++++---- monerod/Dockerfile | 7 ++-- p2pool/Dockerfile | 7 ++-- scripts/backup.py | 1 - scripts/setup_drive.py | 5 ++- scripts/setup_repo.py | 35 ++++++++++------- scripts/setup_server.py | 12 ++++++ terraria/Dockerfile | 13 ++++--- terraria/config.txt | 4 +- website/Dockerfile | 11 +++--- website/server.conf | 18 ++++----- 15 files changed, 129 insertions(+), 94 deletions(-) diff --git a/README.md b/README.md index 38ae610..dff7249 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # matthewtran.com -Stuff that's deployed on [matthewtran.com](https://matthewtran.com). Currently running the following services. +Services deployed on [matthewtran.com](https://matthewtran.com). - website - gitea ([git.matthewtran.com](https://git.matthewtran.com)) @@ -8,8 +8,8 @@ Stuff that's deployed on [matthewtran.com](https://matthewtran.com). Currently r - p2pool (`xmrig -o matthewtran.com`) - wireguard - minecraft -- ~~minecraft bedrock~~ -- ~~terraria~~ +- minecraft bedrock +- terraria ## setup diff --git a/compose.yml b/compose.yml index a66b150..b46b670 100644 --- a/compose.yml +++ b/compose.yml 
@@ -17,23 +17,30 @@ networks: config: - subnet: "172.22.0.0/16" - subnet: "fd3a:138e:8fd0:0022::/64" + nas: + enable_ipv6: true + ipam: + config: + - subnet: "172.23.0.0/16" + - subnet: "fd3a:138e:8fd0:0023::/64" services: website: restart: always build: website/. - entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"] + entrypoint: ["/bin/sh", "/home/me/entry.sh"] ports: - "80:8080" - "443:8443" networks: - web volumes: - - ./website/certbot:/home/ubuntu/certbot + - ./website/certbot:/home/me/certbot cap_drop: - ALL gitea: restart: always image: gitea/gitea:latest-rootless + user: "2000:2000" ports: - "2222:2222" networks: @@ -48,7 +55,7 @@ services: monerod: restart: always build: monerod/. - entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"] + entrypoint: ["/bin/sh", "/home/me/entry.sh"] stdin_open: true tty: true ports: @@ -57,14 +64,14 @@ services: networks: - monero volumes: - - ./monerod/.bitmonero:/home/ubuntu/.bitmonero + - ./monerod/.bitmonero:/home/me/.bitmonero cap_drop: - ALL p2pool: stop_grace_period: 1m # TODO reduce m_shutdownCountdown to reduce this restart: always build: p2pool/. - entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"] + entrypoint: ["/bin/sh", "/home/me/entry.sh"] stdin_open: true tty: true ports: 
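Review bot: `user: "2000:2000"` runs gitea as the same uid that website/Dockerfile creates for nginx and certbot (`useradd -u 2000 -g 2000 -m me`), so the two services are separated only by which host directories are mounted into each, not by uid; if per-service isolation is the goal of this commit, give gitea its own uid/gid (a fifth group in setup_server.py) or at least add `# shares uid 2000 with the website container on purpose` next to the setting. Note also that setup_repo.py only chowns website/gitea/config and website/gitea/data to group 2000, so this `user:` works only if those directories end up group-writable. The new `nas` network is not attached to any service in this diff; confirm something outside the visible hunks uses it, otherwise it is dead configuration.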
@@ -74,43 +81,43 @@ services: networks: - monero volumes: - - ./p2pool/cache:/home/ubuntu/cache + - ./p2pool/cache:/home/me/cache cap_drop: - ALL minecraft: restart: always build: minecraft/. - entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"] + entrypoint: ["/bin/sh", "/home/me/entry.sh"] ports: - "25565:25565" networks: - game volumes: - - ./minecraft/worlds:/home/ubuntu/worlds + - ./minecraft/worlds:/home/me/worlds + cap_drop: + - ALL + minecraft_bedrock: + restart: always + build: minecraft_bedrock/. + entrypoint: ["/bin/sh", "/home/me/entry.sh"] + ports: + - "19132:19132/udp" + - "19133:19133/udp" + networks: + - game + volumes: + - ./minecraft_bedrock/worlds:/home/me/worlds + cap_drop: + - ALL + terraria: + restart: always + build: terraria/. + entrypoint: ["/bin/sh", "/home/me/entry.sh"] + ports: + - "7777:7777" + networks: + - game + volumes: + - ./terraria/worlds:/home/me/worlds cap_drop: - ALL - # minecraft_bedrock: - # restart: always - # build: minecraft_bedrock/. - # entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"] - # ports: - # - "19132:19132/udp" - # - "19133:19133/udp" - # networks: - # - game - # volumes: - # - ./minecraft_bedrock/worlds:/home/ubuntu/worlds - # cap_drop: - # - ALL - # terraria: - # restart: always - # build: terraria/. - # entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"] - # ports: - # - "7777:7777" - # networks: - # - game - # volumes: - # - ./terraria/worlds:/home/ubuntu/worlds - # cap_drop: - # - ALL diff --git a/minecraft/.dockerignore b/minecraft/.dockerignore index bfc6580..6a2fdbd 100644 --- a/minecraft/.dockerignore +++ b/minecraft/.dockerignore @@ -1,2 +1 @@ -world/ -world.*/ +worlds/ diff --git a/minecraft/Dockerfile b/minecraft/Dockerfile index 0268651..f9605dd 100644 --- a/minecraft/Dockerfile +++ b/minecraft/Dockerfile 
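Review bot: The re-enabled minecraft_bedrock and terraria services inherit `cap_drop: [ALL]` from the minecraft block but, like every service in this file, set no `security_opt`, so a setuid binary shipped in ubuntu:24.04 (su, passwd, etc.) can still switch a compromised server process to uid 0 inside the container — with an empty capability bounding set, but with root's ownership of every file in the image. Add `security_opt:` followed by `  - no-new-privileges:true` under each service's `cap_drop` block. `cap_drop` is written as a YAML list here, so the matching `security_opt` list is the consistent style.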
@@ -3,8 +3,9 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y wget openjdk-21-jre
 
-USER ubuntu
-WORKDIR /home/ubuntu
+RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
+USER me
+WORKDIR /home/me
 
 # from https://github.com/itzg/rcon-cli
 RUN wget -O rcon-cli.tar.gz https://github.com/itzg/rcon-cli/releases/download/1.6.9/rcon-cli_1.6.9_linux_amd64.tar.gz
@@ -13,7 +14,7 @@ RUN tar xvf rcon-cli.tar.gz && rm rcon-cli.tar.gz
 # from https://www.minecraft.net/en-us/download/server (currently 1.21.4)
 RUN wget https://piston-data.mojang.com/v1/objects/4707d00eb834b446575d89a61a11b5d548d8c001/server.jar
 
-COPY --chown=ubuntu:ubuntu eula.txt ./
-COPY --chown=ubuntu:ubuntu entry.sh ./
-COPY --chown=ubuntu:ubuntu server.properties ./
-COPY --chown=ubuntu:ubuntu ops.json ./
+COPY --chown=me:me eula.txt ./
+COPY --chown=me:me entry.sh ./
+COPY --chown=me:me server.properties ./
+COPY --chown=me:me ops.json ./
diff --git a/minecraft_bedrock/Dockerfile b/minecraft_bedrock/Dockerfile
index 2ec23d1..824c1a8 100644
--- a/minecraft_bedrock/Dockerfile
+++ b/minecraft_bedrock/Dockerfile
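Review bot: The uid/gid in `RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me` is a hard-coded contract with the `game` group that setup_server.py creates with gid 2002 and that setup_repo.py applies to minecraft/worlds, and the same literal is repeated in minecraft_bedrock/Dockerfile and terraria/Dockerfile; if any one of them drifts, volume access breaks silently. Make it a build argument so it is pinned in one place: `ARG UID=2002` above the line and `RUN groupadd -g ${UID} me && useradd -u ${UID} -g ${UID} -m me`, with the comment `# must match the 'game' gid created by scripts/setup_server.py`. The minecraft_bedrock and terraria Dockerfiles should get the same treatment.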
@@ -3,13 +3,14 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y wget unzip curl tmux
 
-USER ubuntu
-WORKDIR /home/ubuntu
+RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
+USER me
+WORKDIR /home/me
 
-# from https://www.minecraft.net/en-us/download/server/bedrock (currently 1.21.31.04)
-RUN wget -O server.zip --user-agent "Mozilla/5.0" https://www.minecraft.net/bedrockdedicatedserver/bin-linux/bedrock-server-1.21.31.04.zip
+# from https://www.minecraft.net/en-us/download/server/bedrock (currently 1.21.61.01)
+RUN wget -O server.zip --user-agent "Mozilla/5.0" https://www.minecraft.net/bedrockdedicatedserver/bin-linux/bedrock-server-1.21.61.01.zip
 RUN unzip server.zip && rm server.zip
 
-COPY --chown=ubuntu:ubuntu entry.sh ./
-COPY --chown=ubuntu:ubuntu server.properties ./
-COPY --chown=ubuntu:ubuntu permissions.json ./
+COPY --chown=me:me entry.sh ./
+COPY --chown=me:me server.properties ./
+COPY --chown=me:me permissions.json ./
diff --git a/monerod/Dockerfile b/monerod/Dockerfile
index 3b7f2df..2cc768f 100644
--- a/monerod/Dockerfile
+++ b/monerod/Dockerfile
@@ -3,11 +3,12 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y wget bzip2
 
-USER ubuntu
-WORKDIR /home/ubuntu
+RUN groupadd -g 2001 me && useradd -u 2001 -g 2001 -m me
+USER me
+WORKDIR /home/me
 
 RUN wget https://downloads.getmonero.org/cli/monero-linux-x64-v0.18.3.4.tar.bz2 -O monerod.tar.bz2
 RUN tar xvf monerod.tar.bz2 && rm monerod.tar.bz2
 RUN mv monero-x86_64-linux-gnu-v0.18.3.4 monero
 
-COPY --chown=ubuntu:ubuntu entry.sh ./
+COPY --chown=me:me entry.sh ./
diff --git a/p2pool/Dockerfile b/p2pool/Dockerfile
index 254036d..541303d 100644
--- a/p2pool/Dockerfile
+++ b/p2pool/Dockerfile
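Review bot: The bumped download line `RUN wget -O server.zip --user-agent "Mozilla/5.0" https://www.minecraft.net/bedrockdedicatedserver/bin-linux/bedrock-server-1.21.61.01.zip` still unpacks whatever the CDN returns straight into the image with no integrity check, so a tampered or quietly re-published archive becomes the game server without anyone noticing. Record the digest once from a download you trust and fail the build on mismatch: `RUN echo "<sha256 of bedrock-server-1.21.61.01.zip>  server.zip" | sha256sum -c -` between the wget and the unzip. The unchanged server.jar and rcon-cli downloads in minecraft/Dockerfile deserve the same check.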
@@ -3,12 +3,13 @@ FROM ubuntu:24.04 RUN apt-get update && apt-get -y upgrade RUN apt-get install -y wget -USER ubuntu -WORKDIR /home/ubuntu +RUN groupadd -g 2001 me && useradd -u 2001 -g 2001 -m me +USER me +WORKDIR /home/me # currently v4.3 RUN wget https://github.com/SChernykh/p2pool/releases/download/v4.3/p2pool-v4.3-linux-x64.tar.gz -O p2pool.tar.gz RUN tar xvf p2pool.tar.gz && rm p2pool.tar.gz RUN mv p2pool-v4.3-linux-x64/p2pool ./p2pool -COPY --chown=ubuntu:ubuntu entry.sh ./ +COPY --chown=me:me entry.sh ./ diff --git a/scripts/backup.py b/scripts/backup.py index 0c846c9..e5a38c1 100755 --- a/scripts/backup.py +++ b/scripts/backup.py @@ -9,6 +9,5 @@ if __name__ == "__main__": "terraria/worlds", "terraria/password.txt", "website/gitea", - "website/certbot", "website/sendgrid.key", ], check=True) diff --git a/scripts/setup_drive.py b/scripts/setup_drive.py index 5e2e01f..5eba7b9 100755 --- a/scripts/setup_drive.py +++ b/scripts/setup_drive.py @@ -1,5 +1,7 @@ #!/usr/bin/sudo /usr/bin/python3 +import os +import shutil import subprocess import sys from pathlib import Path @@ -27,7 +29,8 @@ if __name__ == "__main__": run(f"cryptsetup luksOpen --key-file={key} /dev/{drive} {drive}_luks") run(f"mkfs.btrfs /dev/mapper/{drive}_luks") run(f"mount /dev/mapper/{drive}_luks {mount}") - mount.chmod(0o777) + shutil.chown(mount, os.getlogin(), "nas") + mount.chmod(0o770) # TODO modify /etc/crypttab instead once Ubuntu fixed with open("/opt/luks.sh", "a") as f: diff --git a/scripts/setup_repo.py b/scripts/setup_repo.py index 4f1dbef..8a99bf3 100755 --- a/scripts/setup_repo.py +++ b/scripts/setup_repo.py 
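Review bot: `shutil.chown(mount, os.getlogin(), "nas")` resolves the owner from the controlling terminal, not from who invoked sudo: under this script's `#!/usr/bin/sudo /usr/bin/python3` shebang it works from an interactive shell but raises OSError when there is no tty (cron, `ssh host cmd`, a systemd unit), aborting right after the filesystem is mounted and before the `/opt/luks.sh` entry below is written. Prefer the value sudo already exports, with a fallback: `owner = os.environ.get("SUDO_USER") or getpass.getuser()` then `shutil.chown(mount, owner, "nas")` (needs `import getpass`). The tightening from 0o777 to 0o770 is right. The enclosing `if __name__ == "__main__":` block starts outside this hunk.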
@@ -1,18 +1,27 @@ #!/usr/bin/env python3 +import shutil from pathlib import Path if __name__ == "__main__": - # create folders with same UID/GID as user so containers have access - PATHS = [ - "website/certbot", - "website/gitea/config", - "website/gitea/data", - "monerod/.bitmonero", - "p2pool/cache", - "minecraft/worlds", - "minecraft_bedrock/worlds", - "terraria/worlds", - ] - for p in PATHS: - Path(p).mkdir(parents=True, exist_ok=True) + # create folders in group "web" so containers have access + PATHS = { + "web": [ + "website/certbot", + "website/gitea/config", + "website/gitea/data", + ], + "monero": [ + "monerod/.bitmonero", + "p2pool/cache", + ], + "game": [ + "minecraft/worlds", + "minecraft_bedrock/worlds", + "terraria/worlds", + ] + } + for group in PATHS: + for p in PATHS[group]: + Path(p).mkdir(parents=True, exist_ok=True) + shutil.chown(p, group=group) diff --git a/scripts/setup_server.py b/scripts/setup_server.py index b6e80da..701ed2c 100755 --- a/scripts/setup_server.py +++ b/scripts/setup_server.py @@ -24,6 +24,17 @@ if __name__ == "__main__": if not file.exists(): with file.open("w") as f: f.write("PasswordAuthentication no\n") + try: + run("addgroup --gid 2000 web") + run("addgroup --gid 2001 monero") + run("addgroup --gid 2002 game") + run("addgroup --gid 2003 nas") + run(f"adduser {os.getlogin()} web") + run(f"adduser {os.getlogin()} monero") + run(f"adduser {os.getlogin()} game") + run(f"adduser {os.getlogin()} nas") + except: + pass # install docker and configure run("snap install docker") @@ -61,6 +72,7 @@ if __name__ == "__main__": f.writelines(s + "\n" for s in [ "#!/bin/sh", "iptables -N DOCKER-USER || true", + "iptables -I DOCKER-USER -d 10.0.0.0/8 -j DROP", # xfinity gateway "iptables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH "ip6tables -N DOCKER-USER || true", "ip6tables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH diff --git a/terraria/Dockerfile b/terraria/Dockerfile index 33097ad..3b84e99 100644 
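Review bot: `shutil.chown(p, group=group)` changes the group but not the mode, and `Path.mkdir` creates the directory as 0o777 masked by the caller's umask, so whether the container user (uid 2000–2002, which matches the directory only through the gid) can write its volume depends on the umask of whoever runs the script: 002 yields 0775, but 022 (sudo, non-login shells, many CI images) yields 0755 and gitea, monerod, p2pool and the game servers then cannot write their data directories. Make the intent explicit with `Path(p).chmod(0o770)` after the chown so the result does not depend on the environment. The comment above the dict still says `group "web"` although three groups are now used; `# create folders owned by the group each container's uid belongs to` would be accurate.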
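Review bot: The new block wraps all eight `addgroup`/`adduser` calls in one `try` with a bare `except: pass`, so on any rerun (or on a host where gid 2000 is already taken by another group) the first `addgroup` raises and the remaining groups and every `adduser` are skipped silently, leaving the host groups out of sync with the uids hard-coded in the Dockerfiles. Check each group individually and stop swallowing errors; `grp` is stdlib and needs `import grp` at the top of the file. If `run` raises on a non-zero exit, confirm that `adduser <user> <group>` tolerates an existing membership before relying on reruns. `os.getlogin()` has the same no-tty failure mode here as in setup_drive.py, so `os.environ.get("SUDO_USER")` is worth considering too. The enclosing `if __name__ == "__main__":` block starts outside this hunk.
```python
    # … unchanged: sshd PasswordAuthentication setup …
    # one host group per trust domain; the gids must match the uids baked into the Dockerfiles
    for name, gid in (("web", 2000), ("monero", 2001), ("game", 2002), ("nas", 2003)):
        try:
            grp.getgrnam(name)  # already created by an earlier run
        except KeyError:
            run(f"addgroup --gid {gid} {name}")
        run(f"adduser {os.getlogin()} {name}")
    # … unchanged: docker install and configuration …
```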
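Review bot: `iptables -I DOCKER-USER -d 10.0.0.0/8 -j DROP` keeps containers off the gateway's 10/8 LAN but nothing else: 192.168.0.0/16 (the other range home gateways commonly use) stays reachable, there is no ip6tables counterpart so the same gateway would still be reachable over any IPv6 address it has, and 172.16.0.0/12 cannot be blanket-dropped because the compose networks live in 172.22/16 and 172.23/16. Add `iptables -I DOCKER-USER -d 192.168.0.0/16 -j DROP` and, once the gateway's IPv6 prefix is confirmed, `ip6tables -I DOCKER-USER -d <gateway prefix> -j DROP`. Keep in mind DOCKER-USER only filters forwarded traffic, so a service with `network_mode: host` would bypass these rules entirely; none is visible in this diff. The enclosing `if __name__ == "__main__":` block starts outside this hunk.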
--- a/terraria/Dockerfile
+++ b/terraria/Dockerfile
@@ -3,18 +3,19 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y wget unzip
 
-USER ubuntu
-WORKDIR /home/ubuntu
+RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
+USER me
+WORKDIR /home/me
 
 # from https://terraria.fandom.com/wiki/Server (currently 1.4.4.9)
 RUN wget https://terraria.org/api/download/pc-dedicated-server/terraria-server-1449.zip
 RUN unzip terraria-server-1449.zip && rm terraria-server-1449.zip
 RUN mv 1449/ server/
 
-COPY --chown=ubuntu:ubuntu entry.sh ./
+COPY --chown=me:me entry.sh ./
 
-WORKDIR /home/ubuntu/server/Linux
+WORKDIR /home/me/server/Linux
 RUN chmod +x TerrariaServer.bin.x86_64
 
-COPY --chown=ubuntu:ubuntu password.default ./password.txt
-COPY --chown=ubuntu:ubuntu config.txt password.tx[t] ./
+COPY --chown=me:me password.default ./password.txt
+COPY --chown=me:me config.txt password.tx[t] ./
diff --git a/terraria/config.txt b/terraria/config.txt
index cde4f20..de531b3 100644
--- a/terraria/config.txt
+++ b/terraria/config.txt
@@ -1,6 +1,6 @@
-world=/home/ubuntu/worlds/legendary.wld
+world=/home/me/worlds/legendary.wld
 autocreate=3
 seed=getfixedboi
 worldname=legendary
 difficulty=2
-worldpath=/home/ubuntu/worlds
+worldpath=/home/me/worlds
diff --git a/website/Dockerfile b/website/Dockerfile
index 0589cb2..c0a2350 100644
--- a/website/Dockerfile
+++ b/website/Dockerfile
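Review bot: `COPY --chown=me:me config.txt password.tx[t] ./` still bakes the Terraria server password into an image layer, where `docker history`, `docker save` or any pull of the image exposes it; changing the file owner does not change that, and backup.py already treats terraria/password.txt as a secret worth preserving. Keep only password.default in the image and mount the real file at run time: `- ./terraria/password.txt:/home/me/server/Linux/password.txt:ro` under the terraria service's `volumes:` in compose.yml (or a BuildKit `--mount=type=secret` if it must be a build-time input). `config.txt` can stay in the COPY as it holds no secret.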
@@ -8,11 +8,12 @@ RUN apt-get update && apt-get -y upgrade RUN apt-get install -y nginx certbot python3-pip RUN pip3 install sendgrid --break-system-packages -USER ubuntu -WORKDIR /home/ubuntu +RUN groupadd -g 2000 me && useradd -u 2000 -g 2000 -m me +USER me +WORKDIR /home/me RUN mkdir nginx certbot # TODO make the website code not terrible ;-; -COPY --chown=ubuntu:ubuntu html ./html -COPY --chown=ubuntu:ubuntu sendgrid.ke[y] ip_update.py ./ -COPY --chown=ubuntu:ubuntu server.conf entry.sh ./ +COPY --chown=me:me html ./html +COPY --chown=me:me sendgrid.ke[y] ip_update.py ./ +COPY --chown=me:me server.conf entry.sh ./ diff --git a/website/server.conf b/website/server.conf index c64b529..1b0a292 100644 --- a/website/server.conf +++ b/website/server.conf @@ -1,6 +1,6 @@ # adapted from /etc/nginx/nginx.conf worker_processes auto; -pid /home/ubuntu/nginx/site.pid; +pid /home/me/nginx/site.pid; error_log /dev/stderr; events { @@ -15,18 +15,18 @@ http { ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; - ssl_certificate /home/ubuntu/certbot/live/matthewtran.com/fullchain.pem; - ssl_certificate_key /home/ubuntu/certbot/live/matthewtran.com/privkey.pem; + ssl_certificate /home/me/certbot/live/matthewtran.com/fullchain.pem; + ssl_certificate_key /home/me/certbot/live/matthewtran.com/privkey.pem; include /etc/nginx/mime.types; default_type application/octet-stream; access_log /dev/stdout; - client_body_temp_path /home/ubuntu/nginx/body; - proxy_temp_path /home/ubuntu/nginx/proxy; - fastcgi_temp_path /home/ubuntu/nginx/fastcgi; - uwsgi_temp_path /home/ubuntu/nginx/uwsgi; - scgi_temp_path /home/ubuntu/nginx/scgi; + client_body_temp_path /home/me/nginx/body; + proxy_temp_path /home/me/nginx/proxy; + fastcgi_temp_path /home/me/nginx/fastcgi; + uwsgi_temp_path /home/me/nginx/uwsgi; + scgi_temp_path /home/me/nginx/scgi; # SSL redirect server { 
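Review bot: `COPY --chown=me:me sendgrid.ke[y] ip_update.py ./` copies the SendGrid API key into an image layer whenever the file exists at build time, so the key is recoverable from `docker history`/`docker save` and from any host that ever pulled the image; the new chown does not change that. Mount it at run time instead — `- ./website/sendgrid.key:/home/me/sendgrid.key:ro` in the website service's `volumes:` — and drop it from the COPY, or use a BuildKit secret mount if ip_update.py needs it during the build (nothing in this hunk suggests it does). Also worth a comment next to `useradd -u 2000`: uid 2000 is shared with the gitea container via its `user: "2000:2000"` setting, so those two services are separated by their mounts rather than by uid.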
@@ -50,7 +50,7 @@ http { listen [::]:8443 ssl; server_name matthewtran.com www.matthewtran.com; - root /home/ubuntu/html; + root /home/me/html; index index.html; location / { try_files $uri $uri/ =404;