further secure containers

README.md

@@ -1,6 +1,6 @@
 # matthewtran.com
 
-Stuff that's deployed on [matthewtran.com](https://matthewtran.com). Currently running the following services.
+Services deployed on [matthewtran.com](https://matthewtran.com).
 
 - website
 - gitea ([git.matthewtran.com](https://git.matthewtran.com))
@@ -8,8 +8,8 @@ Stuff that's deployed on [matthewtran.com](https://matthewtran.com). Currently r
 - p2pool (`xmrig -o matthewtran.com`)
 - wireguard
 - minecraft
-- ~~minecraft bedrock~~
+- minecraft bedrock
-- ~~terraria~~
+- terraria
 
 ## setup
 

compose.yml

@@ -17,23 +17,30 @@ networks:
       config:
         - subnet: "172.22.0.0/16"
         - subnet: "fd3a:138e:8fd0:0022::/64"
+  nas:
+    enable_ipv6: true
+    ipam:
+      config:
+        - subnet: "172.23.0.0/16"
+        - subnet: "fd3a:138e:8fd0:0023::/64"
 services:
   website:
     restart: always
     build: website/.
-    entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
+    entrypoint: ["/bin/sh", "/home/me/entry.sh"]
     ports:
       - "80:8080"
       - "443:8443"
     networks:
       - web
     volumes:
-      - ./website/certbot:/home/ubuntu/certbot
+      - ./website/certbot:/home/me/certbot
     cap_drop:
       - ALL
   gitea:
     restart: always
     image: gitea/gitea:latest-rootless
+    user: "2000:2000"
     ports:
       - "2222:2222"
     networks:
@@ -48,7 +55,7 @@ services:
   monerod:
     restart: always
     build: monerod/.
-    entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
+    entrypoint: ["/bin/sh", "/home/me/entry.sh"]
     stdin_open: true
     tty: true
     ports:
@@ -57,14 +64,14 @@ services:
     networks:
       - monero
     volumes:
-      - ./monerod/.bitmonero:/home/ubuntu/.bitmonero
+      - ./monerod/.bitmonero:/home/me/.bitmonero
     cap_drop:
       - ALL
   p2pool:
     stop_grace_period: 1m # TODO reduce m_shutdownCountdown to reduce this
     restart: always
     build: p2pool/.
-    entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
+    entrypoint: ["/bin/sh", "/home/me/entry.sh"]
     stdin_open: true
     tty: true
     ports:
@@ -74,43 +81,43 @@ services:
     networks:
       - monero
     volumes:
-      - ./p2pool/cache:/home/ubuntu/cache
+      - ./p2pool/cache:/home/me/cache
     cap_drop:
       - ALL
   minecraft:
     restart: always
     build: minecraft/.
-    entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
+    entrypoint: ["/bin/sh", "/home/me/entry.sh"]
     ports:
       - "25565:25565"
     networks:
       - game
     volumes:
-      - ./minecraft/worlds:/home/ubuntu/worlds
+      - ./minecraft/worlds:/home/me/worlds
+    cap_drop:
+      - ALL
+  minecraft_bedrock:
+    restart: always
+    build: minecraft_bedrock/.
+    entrypoint: ["/bin/sh", "/home/me/entry.sh"]
+    ports:
+      - "19132:19132/udp"
+      - "19133:19133/udp"
+    networks:
+      - game
+    volumes:
+      - ./minecraft_bedrock/worlds:/home/me/worlds
+    cap_drop:
+      - ALL
+  terraria:
+    restart: always
+    build: terraria/.
+    entrypoint: ["/bin/sh", "/home/me/entry.sh"]
+    ports:
+      - "7777:7777"
+    networks:
+      - game
+    volumes:
+      - ./terraria/worlds:/home/me/worlds
     cap_drop:
       - ALL
-  # minecraft_bedrock:
-  #   restart: always
-  #   build: minecraft_bedrock/.
-  #   entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
-  #   ports:
-  #     - "19132:19132/udp"
-  #     - "19133:19133/udp"
-  #   networks:
-  #     - game
-  #   volumes:
-  #     - ./minecraft_bedrock/worlds:/home/ubuntu/worlds
-  #   cap_drop:
-  #     - ALL
-  # terraria:
-  #   restart: always
-  #   build: terraria/.
-  #   entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
-  #   ports:
-  #     - "7777:7777"
-  #   networks:
-  #     - game
-  #   volumes:
-  #     - ./terraria/worlds:/home/ubuntu/worlds
-  #   cap_drop:
-  #     - ALL

minecraft/.dockerignore

@@ -1,2 +1 @@
-world/
+worlds/
-world.*/

minecraft/Dockerfile

@@ -3,8 +3,9 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y wget openjdk-21-jre
 
-USER ubuntu
+RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
-WORKDIR /home/ubuntu
+USER me
+WORKDIR /home/me
 
 # from https://github.com/itzg/rcon-cli
 RUN wget -O rcon-cli.tar.gz https://github.com/itzg/rcon-cli/releases/download/1.6.9/rcon-cli_1.6.9_linux_amd64.tar.gz
@@ -13,7 +14,7 @@ RUN tar xvf rcon-cli.tar.gz && rm rcon-cli.tar.gz
 # from https://www.minecraft.net/en-us/download/server (currently 1.21.4)
 RUN wget https://piston-data.mojang.com/v1/objects/4707d00eb834b446575d89a61a11b5d548d8c001/server.jar
 
-COPY --chown=ubuntu:ubuntu eula.txt ./
+COPY --chown=me:me eula.txt ./
-COPY --chown=ubuntu:ubuntu entry.sh ./
+COPY --chown=me:me entry.sh ./
-COPY --chown=ubuntu:ubuntu server.properties ./
+COPY --chown=me:me server.properties ./
-COPY --chown=ubuntu:ubuntu ops.json ./
+COPY --chown=me:me ops.json ./

minecraft_bedrock/Dockerfile

@@ -3,13 +3,14 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y wget unzip curl tmux
 
-USER ubuntu
+RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
-WORKDIR /home/ubuntu
+USER me
+WORKDIR /home/me
 
-# from https://www.minecraft.net/en-us/download/server/bedrock (currently 1.21.31.04)
+# from https://www.minecraft.net/en-us/download/server/bedrock (currently 1.21.61.01)
-RUN wget -O server.zip --user-agent "Mozilla/5.0" https://www.minecraft.net/bedrockdedicatedserver/bin-linux/bedrock-server-1.21.31.04.zip
+RUN wget -O server.zip --user-agent "Mozilla/5.0" https://www.minecraft.net/bedrockdedicatedserver/bin-linux/bedrock-server-1.21.61.01.zip
 RUN unzip server.zip && rm server.zip
 
-COPY --chown=ubuntu:ubuntu entry.sh ./
+COPY --chown=me:me entry.sh ./
-COPY --chown=ubuntu:ubuntu server.properties ./
+COPY --chown=me:me server.properties ./
-COPY --chown=ubuntu:ubuntu permissions.json ./
+COPY --chown=me:me permissions.json ./

monerod/Dockerfile

@@ -3,11 +3,12 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y wget bzip2
 
-USER ubuntu
+RUN groupadd -g 2001 me && useradd -u 2001 -g 2001 -m me
-WORKDIR /home/ubuntu
+USER me
+WORKDIR /home/me
 
 RUN wget https://downloads.getmonero.org/cli/monero-linux-x64-v0.18.3.4.tar.bz2 -O monerod.tar.bz2
 RUN tar xvf monerod.tar.bz2 && rm monerod.tar.bz2
 RUN mv monero-x86_64-linux-gnu-v0.18.3.4 monero
 
-COPY --chown=ubuntu:ubuntu entry.sh ./
+COPY --chown=me:me entry.sh ./

p2pool/Dockerfile

@@ -3,12 +3,13 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y wget
 
-USER ubuntu
+RUN groupadd -g 2001 me && useradd -u 2001 -g 2001 -m me
-WORKDIR /home/ubuntu
+USER me
+WORKDIR /home/me
 
 # currently v4.3
 RUN wget https://github.com/SChernykh/p2pool/releases/download/v4.3/p2pool-v4.3-linux-x64.tar.gz -O p2pool.tar.gz
 RUN tar xvf p2pool.tar.gz && rm p2pool.tar.gz
 RUN mv p2pool-v4.3-linux-x64/p2pool ./p2pool
 
-COPY --chown=ubuntu:ubuntu entry.sh ./
+COPY --chown=me:me entry.sh ./

scripts/backup.py

@@ -9,6 +9,5 @@ if __name__ == "__main__":
         "terraria/worlds",
         "terraria/password.txt",
         "website/gitea",
-        "website/certbot",
         "website/sendgrid.key",
     ], check=True)

scripts/setup_drive.py

@@ -1,5 +1,7 @@
 #!/usr/bin/sudo /usr/bin/python3
 
+import os
+import shutil
 import subprocess
 import sys
 from pathlib import Path
@@ -27,7 +29,8 @@ if __name__ == "__main__":
     run(f"cryptsetup luksOpen --key-file={key} /dev/{drive} {drive}_luks")
     run(f"mkfs.btrfs /dev/mapper/{drive}_luks")
     run(f"mount /dev/mapper/{drive}_luks {mount}")
-    mount.chmod(0o777)
+    shutil.chown(mount, os.getlogin(), "nas")
+    mount.chmod(0o770)
 
     # TODO modify /etc/crypttab instead once Ubuntu fixed
     with open("/opt/luks.sh", "a") as f:

scripts/setup_repo.py

@@ -1,18 +1,27 @@
 #!/usr/bin/env python3
 
+import shutil
 from pathlib import Path
 
 if __name__ == "__main__":
-    # create folders with same UID/GID as user so containers have access
+    # create folders in group "web" so containers have access
-    PATHS = [
+    PATHS = {
-        "website/certbot",
+        "web": [
-        "website/gitea/config",
+            "website/certbot",
-        "website/gitea/data",
+            "website/gitea/config",
-        "monerod/.bitmonero",
+            "website/gitea/data",
-        "p2pool/cache",
+        ],
-        "minecraft/worlds",
+        "monero": [
-        "minecraft_bedrock/worlds",
+            "monerod/.bitmonero",
-        "terraria/worlds",
+            "p2pool/cache",
-    ]
+        ],
-    for p in PATHS:
+        "game": [
-        Path(p).mkdir(parents=True, exist_ok=True)
+            "minecraft/worlds",
+            "minecraft_bedrock/worlds",
+            "terraria/worlds",
+        ]
+    }
+    for group in PATHS:
+        for p in PATHS[group]:
+            Path(p).mkdir(parents=True, exist_ok=True)
+            shutil.chown(p, group=group)

scripts/setup_server.py

@@ -24,6 +24,17 @@ if __name__ == "__main__":
     if not file.exists():
         with file.open("w") as f:
             f.write("PasswordAuthentication no\n")
+    try:
+        run("addgroup --gid 2000 web")
+        run("addgroup --gid 2001 monero")
+        run("addgroup --gid 2002 game")
+        run("addgroup --gid 2003 nas")
+        run(f"adduser {os.getlogin()} web")
+        run(f"adduser {os.getlogin()} monero")
+        run(f"adduser {os.getlogin()} game")
+        run(f"adduser {os.getlogin()} nas")
+    except:
+        pass
 
     # install docker and configure
     run("snap install docker")
@@ -61,6 +72,7 @@ if __name__ == "__main__":
             f.writelines(s + "\n" for s in [
                 "#!/bin/sh",
                 "iptables  -N DOCKER-USER || true",
+                "iptables  -I DOCKER-USER -d 10.0.0.0/8     -j DROP", # xfinity gateway
                 "iptables  -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH
                 "ip6tables -N DOCKER-USER || true",
                 "ip6tables -I DOCKER-USER -p tcp --dport 22 -j DROP", # SSH

terraria/Dockerfile

@@ -3,18 +3,19 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y wget unzip
 
-USER ubuntu
+RUN groupadd -g 2002 me && useradd -u 2002 -g 2002 -m me
-WORKDIR /home/ubuntu
+USER me
+WORKDIR /home/me
 
 # from https://terraria.fandom.com/wiki/Server (currently 1.4.4.9)
 RUN wget https://terraria.org/api/download/pc-dedicated-server/terraria-server-1449.zip
 RUN unzip terraria-server-1449.zip && rm terraria-server-1449.zip
 RUN mv 1449/ server/
 
-COPY --chown=ubuntu:ubuntu entry.sh ./
+COPY --chown=me:me entry.sh ./
 
-WORKDIR /home/ubuntu/server/Linux
+WORKDIR /home/me/server/Linux
 
 RUN chmod +x TerrariaServer.bin.x86_64
-COPY --chown=ubuntu:ubuntu password.default ./password.txt
+COPY --chown=me:me password.default ./password.txt
-COPY --chown=ubuntu:ubuntu config.txt password.tx[t] ./
+COPY --chown=me:me config.txt password.tx[t] ./

terraria/config.txt

@@ -1,6 +1,6 @@
-world=/home/ubuntu/worlds/legendary.wld
+world=/home/me/worlds/legendary.wld
 autocreate=3
 seed=getfixedboi
 worldname=legendary
 difficulty=2
-worldpath=/home/ubuntu/worlds
+worldpath=/home/me/worlds

website/Dockerfile

@@ -8,11 +8,12 @@ RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y nginx certbot python3-pip
 RUN pip3 install sendgrid --break-system-packages
 
-USER ubuntu
+RUN groupadd -g 2000 me && useradd -u 2000 -g 2000 -m me
-WORKDIR /home/ubuntu
+USER me
+WORKDIR /home/me
 RUN mkdir nginx certbot
 
 # TODO make the website code not terrible ;-;
-COPY --chown=ubuntu:ubuntu html ./html
+COPY --chown=me:me html ./html
-COPY --chown=ubuntu:ubuntu sendgrid.ke[y] ip_update.py ./
+COPY --chown=me:me sendgrid.ke[y] ip_update.py ./
-COPY --chown=ubuntu:ubuntu server.conf entry.sh ./
+COPY --chown=me:me server.conf entry.sh ./

website/server.conf

@@ -1,6 +1,6 @@
 # adapted from /etc/nginx/nginx.conf
 worker_processes auto;
-pid /home/ubuntu/nginx/site.pid;
+pid /home/me/nginx/site.pid;
 error_log /dev/stderr;
 
 events {
@@ -15,18 +15,18 @@ http {
 
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
-    ssl_certificate     /home/ubuntu/certbot/live/matthewtran.com/fullchain.pem;
+    ssl_certificate     /home/me/certbot/live/matthewtran.com/fullchain.pem;
-    ssl_certificate_key /home/ubuntu/certbot/live/matthewtran.com/privkey.pem;
+    ssl_certificate_key /home/me/certbot/live/matthewtran.com/privkey.pem;
 
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
 
     access_log            /dev/stdout;
-    client_body_temp_path /home/ubuntu/nginx/body;
+    client_body_temp_path /home/me/nginx/body;
-    proxy_temp_path       /home/ubuntu/nginx/proxy;
+    proxy_temp_path       /home/me/nginx/proxy;
-    fastcgi_temp_path     /home/ubuntu/nginx/fastcgi;
+    fastcgi_temp_path     /home/me/nginx/fastcgi;
-    uwsgi_temp_path       /home/ubuntu/nginx/uwsgi;
+    uwsgi_temp_path       /home/me/nginx/uwsgi;
-    scgi_temp_path        /home/ubuntu/nginx/scgi;
+    scgi_temp_path        /home/me/nginx/scgi;
 
     # SSL redirect
     server {
@@ -50,7 +50,7 @@ http {
         listen [::]:8443 ssl;
         server_name matthewtran.com www.matthewtran.com;
 
-        root /home/ubuntu/html;
+        root /home/me/html;
         index index.html;
         location / {
             try_files $uri $uri/ =404;