From f0d662a6a1b22a498449850b646a97fe6b1b864d Mon Sep 17 00:00:00 2001
From: Chris
Date: Fri, 8 Oct 2021 18:59:21 +0100
Subject: [PATCH] Add more secure ssh configuration and an example env file

---
 .env.example | 136 +++++++++++++++++++++++++++++++++++++++++++++++++++
 .gitignore | 1 +
 bootstrap.sh | 8 ++-
 3 files changed, 143 insertions(+), 2 deletions(-)
 create mode 100644 .env.example

diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..ccb80b6
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,136 @@
+#
+# Global settings
+#
+APP_ENV=local
+USERNAME=
+USER_PASSWORD=
+DOMAIN=scarif.local
+LOCAL_IP=192.168.10.10
+SSH_KEY= # Will be added to authorized keys
+DIGITALOCEAN_TOKEN= # For enabling lets encrypt
+
+#
+# Database settings
+# Image: mariadb
+#
+DB_USER=${USERNAME}
+DB_PASSWORD=
+
+#
+# Gitea settings (labs.scarif.space)
+# Image: gitea
+#
+GIT_PASSWORD=
+
+#
+# Foundry settings (rec.scarif.space/foundry)
+# Image: feldy/foundryvtt:release
+#
+FOUNDRY_USER=foundrytron5000
+FOUNDRY_PASSWORD=
+FOUNDRY_ADMIN_KEY=
+
+#
+# Nextcloud settings (tower.scarif.space)
+# Image: nextcloud:fpm-alpine
+#
+NEXTCLOUD_ADMIN_USER=${USERNAME}
+NEXTCLOUD_ADMIN_PASSWORD=
+
+#
+# Collabora settings (office.scarif.space)
+# Image: collabora/code
+#
+COLLABORA_USER=${USERNAME}
+COLLABORA_PASSWORD=
+
+#
+# Monica settings (personel.scarif.space)
+# Image: monica:fpm
+#
+MAIL_FROM=${USERNAME}@${DOMAIN}
+MAIL_HOST=smtp.mailgun.org
+MAIL_PORT=465
+MAIL_USER=postmaster@mg.thinkzingy.com
+MAIL_PASSWORD=
+
+#
+# Jitsi settings (comms.scarif.space)
+# Image: jitsi/web:latest
+#
+JICOFO_COMPONENT_SECRET=
+JICOFO_AUTH_PASSWORD=
+JVB_AUTH_PASSWORD=
+JIGASI_XMLL_PASSWORD=
+JIBRI_RECORDER_PASSWORD=
+JIBRI_XMPP_PASSWORD=
+
+CONFIG=/opt/jitsi # Directory where all configuration will be stored
+HTTP_PORT=8000 # Exposed HTTP port
+HTTPS_PORT=8443 # Exposed HTTPS port
+TZ=UTC # System time zone
+PUBLIC_URL=https://coms.${DOMAIN} # Public URL for the web service (required)
+# IP address of the Docker host
+# See the "Running behind NAT or on a LAN environment" section in the Handbook:
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
+DOCKER_HOST_ADDRESS=${LOCAL_IP}
+ENABLE_LOBBY=1 # Control whether the lobby feature should be enabled or not
+ENABLE_PREJOIN_PAGE=1 # Show a prejoin page before entering a conference
+ENABEL_WELCOME_PAGE=1 # Enable the welcome page
+ENABEL_CLOSE_PAGE=1 # Enable the close page
+#DISABLE_AUDIO_LEVELS=0 # Disable measuring of audio levels
+ENABLE_NOISY_MIC_DETECTION=1 # Enable noisy mic detection
+
+# Etherpad integration (for document sharing)
+#ETHERPAD_URL_BASE=https://etherpad.meet.jitsi:9001 # Set etherpad-lite URL in docker local network (uncomment to enable)
+#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain # Set etherpad-lite public URL (uncomment to enable)
+ETHERPAD_TITLE="Video Chat" # Name your etherpad instance!
+ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n" # The default text of a pad
+ETHERPAD_SKIN_NAME="colibrid" # Name of the skin for etherpad
+ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"
+
+# Authentication configuration (see handbook for details)
+ENABLE_AUTH=1 # Enable authentication
+ENABLE_GUEST=1 # Enable guest access
+AUTH_TYPE=internal # Select authentication type: internal, jwt or ldap
+
+# Advanced configuration options (you generally don't need to change these)
+XMPP_DOMAIN=meet.jitsi # Internal XMPP domain
+XMPP_SERVER=xmpp.meet.jitsi # Internal XMPP server
+XMPP_BOSH_URL_BASE=https://xmpp.meet.jitsi:5280 # Internal XMPP server URL
+XMPP_AUTH_DOMAIN=auth.meet.jitsi # Internal XMPP domain for authenticated services
+XMPP_MUC_DOMAIN=muc.meet.jitsi # XMPP domain for the MUC
+XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi # XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
+XMPP_GUEST_DOMAIN=guest.meet.jitsi # XMPP domain for unauthenticated users
+XMPP_MODULES= # Custom Prosody modules for XMPP_DOMAIN (comma separated)
+XMPP_MUC_MODULES= # Custom Prosody modules for MUC component (comma separated)
+XMPP_INTERNAL_MUC_MODULES= # Custom Prosody modules for internal MUC component (comma separated)
+JVB_BREWERY_MUC=jvbbrewery # MUC for the JVB pool
+JVB_AUTH_USER=jvb # XMPP user for JVB client connections
+JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443 # STUN servers used to discover the server's public IP
+JVB_PORT=10000 # Media port for the Jitsi Videobridge
+JVT_TCP_HARVERTER_DISABLED=true # TCP Fallback for Jitsi Videobridge
+JVT_TCP_PORT=4443
+JVT_TCP_MAPPED_PORT=4443
+JICOFO_AUTH_USER=focus #XMPP user for Jicofo client connections. NOTE: this option doesn't currently work due to a bug
+JIGASI_XMPP_USER=jigasi # XMPP user for Jigasi MUC client connections
+JIGASI_BREWERY_MUC=jigasibrewery # MUC name for the Jigasi ppol
+JIGASI_PORT_MIN=20000 # Minimum port for media used by Jigasi
+JIGASI_PORT_MAX=20050 # Maximum port for media used by Jigasi
+XMPP_RECORDER_DOMAIN=recorder.meet.jitsi # XMPP domain for the jibri recorder
+JIBRI_RECORDER_USER=recorder # XMPP recorder user for Jibri client connections
+JIBRI_RECORDING_DIR=/config/recordings # Directory for recordings inside Jibri container
+JIBRI_XMPP_USER=jibri # XMPP user for Jibri client connections
+JIBRI_BREWERY_MUC=jibribrewery # MUC name for the Jibri ppol
+JIBRI_PENDING_TIMEOUT=90 # MUC connection timeout
+# When jibri gets a request to start a service for a room, the room
+# jid wil llook like: roomName@optional.prefixes.subdomain.xmpp_domain
+# We'll build the url for the call by transforming that into:
+# https://xmpp_domain/subdomain/roomName
+# So if there are any prefixes in the jid (like jitsi meet, which
+# has its participants join a muc at conference.xmpp_domain) then
+# list that prefix here so it can be stripped out to generate
+# the call url correctly
+JIBRI_STRIP_DOMAIN_JID=muc
+JIBRI_LOGS_DIR=/config/logs # Directory for logs inside Jibri container
+
diff --git a/.gitignore b/.gitignore
index 60930ce..a1275d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .env
 .vagrant
+*.log
diff --git a/bootstrap.sh b/bootstrap.sh
index bb70396..64951fd 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
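Review bot: Several Jitsi keys in this new file are misspelled and, if the containers read the upstream docker-jitsi-meet names, will be silently ignored: `JIGASI_XMLL_PASSWORD` (expected `JIGASI_XMPP_PASSWORD`, so that service's XMPP password would stay unset), `JVT_TCP_HARVERTER_DISABLED`/`JVT_TCP_PORT`/`JVT_TCP_MAPPED_PORT` (expected `JVB_…` and `HARVESTER`) and `ENABEL_WELCOME_PAGE`/`ENABEL_CLOSE_PAGE` (expected `ENABLE_…`). `PUBLIC_URL=https://coms.${DOMAIN}` also disagrees with the `comms.scarif.space` named in the section header, which would break the advertised URL and any certificate issued for it. `MAIL_USER=postmaster@mg.thinkzingy.com` is a real-looking account identifier committed in an example file; leave it blank like the other credentials. Whether the trailing `# …` comments on lines such as `SSH_KEY= # Will be added to authorized keys` are stripped depends on the loader (a shell `source` drops them, some dotenv parsers keep them as part of the value), so if this file is consumed by docker-compose verify that the comments do not end up inside the values, or move them onto their own lines.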
@@ -27,10 +27,14 @@ mkdir /home/chris/.ssh
 echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
 # Disable root login
 sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config
-# Logout after 5 minutes of inactivity
-sed -i "s/#LoginGraceTime 2m/LoginGraceTime 5m/" /etc/ssh/sshd_config
+# Logout after 1 minute of inactivity
+sed -i "s/#LoginGraceTime 2m/LoginGraceTime 1m/" /etc/ssh/sshd_config
 # Add banner art
 sed -i "s/#Banner none/Banner \/opt\/scarif\/ssh-banner-art/" >> /etc/ssh/sshd_config
+# Limit number of sessions
+sed -i "s/#MaxSessions/MaxSessions 4/" >> /etc/ssh/sshd_config
+# Limit users
+sed -i "s/#AllowUsers/AllowUsers chris git/" >> /etc/ssh/sshd_config
 # Modify login messages
 echo "Clearance codes accepted! proceed:" > /etc/motd
 # Enforce a delay after a failed login attempt to prevent brute force attacks
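Review bot: The two added `sed -i "…" >> /etc/ssh/sshd_config` lines never change the file: `sed -i` is given no input file (the path sits after `>>` as a redirect), so GNU sed exits with "no input files" and the append writes nothing, leaving `MaxSessions` and `AllowUsers` unapplied — the context `Banner` line has the same shape, so the hardening it is meant to add is silently absent too. Even with the path in the right place, `s/#MaxSessions/MaxSessions 4/` on the stock `#MaxSessions 10` line would produce `MaxSessions 4 10`, and a stock sshd_config normally has no `#AllowUsers` line at all, so that substitution matches nothing and the directive must be appended instead. The new comment `# Logout after 1 minute of inactivity` describes `ClientAliveInterval`/`ClientAliveCountMax`; `LoginGraceTime` is the time an unauthenticated connection is allowed before sshd drops it, so `# Drop connections that have not authenticated within 1 minute` is the accurate wording. Since the script is rewriting sshd_config in place, it should also run `sshd -t` and abort on failure before the daemon is restarted, and the user list `chris git` is hard-coded although the accompanying `.env.example` defines `USERNAME`, so these may drift apart if the account name is ever changed.
```shell
# … unchanged: PermitRootLogin / LoginGraceTime / Banner …
# Limit number of sessions
sed -i 's/^#*MaxSessions .*/MaxSessions 4/' /etc/ssh/sshd_config
# Limit users (a stock sshd_config has no AllowUsers line, so append rather than substitute)
grep -q '^AllowUsers ' /etc/ssh/sshd_config || printf 'AllowUsers chris git\n' >> /etc/ssh/sshd_config
# Refuse to continue with a broken config before sshd is restarted
sshd -t || exit 1
# … unchanged: motd …
```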