Adjust T-Pot config file, tpotinit

fix logrotate.conf path
add tpotinit logging
add support for LS_WEB_USER in tpot config (.env)
make tpotinit always validate config / adjust users on tpotinit start

env.example

@@ -4,49 +4,66 @@
 # T-Pot Base Settings - Adjust to your needs. #
 ###############################################
 
-# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
-#  Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
-#  Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
-#  Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
-WEB_USER='change:me'
+# Set Web usernames and passwords here. This section will be used to create / update the Nginx password file nginxpasswd.
+#  <empty>: This is the default
+#  <'htpasswd encoded usernames / passwords'>:
+#   Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
+#   Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
+#   Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
+#   Multiple users are possible, example (notice the quotes!):
+#   WEB_USER='user1:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
+#   user2:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
+WEB_USER=
+
+# Set Logstash Web usernames and passwords here. This section will be used to create / update the Nginx password file lswebpasswd.
+# The Lostsash Web usernames are used for T-Pot log ingestion via Logstash, each sensor should have its own user.
+#  <empty>: This is empty by default.
+#  <'htpasswd encoded usernames / passwords'>:
+#   Use 'htpasswd -n <username>' to create the LS_WEB_USER if you want to manually deploy T-Pot
+#   Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
+#   Copy the string and replace / add LS_WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
+#   Multiple users are possible, example (notice the quotes!):
+#   LS_WEB_USER='sensor1:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
+#   sensor2:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
+LS_WEB_USER=
 
 # T-Pot Blackhole
-#  ENABLED: T-Pot will download a db of known mass scanners and nullroute them
+#  ENABLED: T-Pot will download a db of known mass scanners and nullroute them.
 #           Be aware, this will put T-Pot off the map for stealth reasons and
-#           you will get less traffic. Routes will active until reboot and will
-#           be re-added with every T-Pot start until disabled.
+#           you will get less traffic. Routes will be active until next reboot
+#           and will be re-added with every T-Pot start until disabled.
 #  DISABLED: This is the default and no stealth efforts are in place.
 TPOT_BLACKHOLE=DISABLED
 
 # T-Pot Persistence
-# on: This is the default. T-Pot will keep the honeypot logfiles and rotate
-#     with logrotate for 30 days.
-# off: This is recommended for Raspberry Pi or setups with weaker CPUs or
-#      if you just do not need any of the logfiles.
+#  on: This is the default. T-Pot will keep the honeypot logfiles and rotate
+#      with logrotate for 30 days.
+#  off: This is recommended for Raspberry Pi or setups with weaker CPUs or
+#       if you just do not need any of the logfiles.
 TPOT_PERSISTENCE=on
 
 # T-Pot Type
-# HIVE: This is the default and offers everything to connect T-Pot sensors.
-# SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
-#         settings as well.
-#         1. You will need to copy compose/sensor.yml to ./docker-comopose.yml
-#         2. From HIVE host you will need to copy ~/tpotce/data/nginx/cert/nginx.crt to
-#            your SENSOR host to ~/tpotce/data/hive.crt
-#         3. On HIVE: Create a web user per SENSOR on HIVE and provide credentials below
-#            Create credentials with 'htpasswd ~/tpotce/data/nginx/conf/lswebpasswd <username>'
-#         4. On SENSOR: Provide username / password from (3) for TPOT_HIVE_USER as base64 encoded string:
-#                       "echo -n 'username:password' | base64"
+#  HIVE: This is the default and offers everything to connect T-Pot sensors.
+#  SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
+#          settings as well.
+#          1. You will need to copy compose/sensor.yml to ./docker-comopose.yml
+#          2. From HIVE host you will need to copy ~/tpotce/data/nginx/cert/nginx.crt to
+#             your SENSOR host to ~/tpotce/data/hive.crt
+#          3. On HIVE: Create a web user per SENSOR on HIVE and provide credentials below
+#             Create credentials with 'htpasswd ~/tpotce/data/nginx/conf/lswebpasswd <username>'
+#          4. On SENSOR: Provide username / password from (3) for TPOT_HIVE_USER as base64 encoded string:
+#                        "echo -n 'username:password' | base64"
 TPOT_TYPE=HIVE
 
 # T-Pot Hive User (only relevant for SENSOR deployment)
-# <empty>: This is empty by default.
-# <base64 encoded string>: Provide a base64 encoded string "echo -n 'username:password' | base64"
-#                          i.e. TPOT_HIVE_USER='dXNlcm5hbWU6cGFzc3dvcmQ='
+#  <empty>: This is empty by default.
+#  <base64 encoded string>: Provide a base64 encoded string "echo -n 'username:password' | base64"
+#                           i.e. TPOT_HIVE_USER='dXNlcm5hbWU6cGFzc3dvcmQ='
 TPOT_HIVE_USER=
 
 # T-Pot Hive IP (only relevant for SENSOR deployment)
-# <empty>: This is empty by default.
-# <IP, FQDN>: This can be either a IP (i.e. 192.168.1.1) or a FQDN (i.e. foo.bar.local)
+#  <empty>: This is empty by default.
+#  <IP, FQDN>: This can be either a IP (i.e. 192.168.1.1) or a FQDN (i.e. foo.bar.local)
 TPOT_HIVE_IP=
 
 # T-Pot AttackMap Text Output
@@ -68,16 +85,16 @@ TPOT_ATTACKMAP_TEXT_TIMEZONE=UTC
 ###################################################################################
 
 # SentryPeer P2P mode
-# Exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
-# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
-# the bad actors in its logs. Therefore this option is opt-in based.
-# 0: This is the default, P2P mode is disabled.
-# 1: Enable P2P mode.
+#  Exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
+#  In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
+#  the bad actors in its logs. Therefore this option is opt-in based.
+#  0: This is the default, P2P mode is disabled.
+#  1: Enable P2P mode.
 SENTRYPEER_PEER_TO_PEER=0
 
 # Suricata ET Pro ruleset
-# OPEN: This is the default and will the ET Open ruleset
-# OINKCODE: Replace OPEN with your Oinkcode to use the ET Pro ruleset
+#  OPEN: This is the default and will the ET Open ruleset
+#  OINKCODE: Replace OPEN with your Oinkcode to use the ET Pro ruleset
 OINKCODE=OPEN
 
 
@@ -94,10 +111,10 @@ TPOT_DOCKER_ENV=./.env
 # Docker-Compose file
 TPOT_DOCKER_COMPOSE=./docker-compose.yml
 
-# T-Pot Repo
-# Depending on where you are located you may choose between DockerHub and GHCR
-# dtagdevsec: This will use the DockerHub image registry
-# ghcr.io/telekom-security: This will use the GitHub container registry
+# T-Pot Docker Repo
+#  Depending on where you are located you may choose between DockerHub and GHCR
+#  dtagdevsec: This will use the DockerHub image registry
+#  ghcr.io/telekom-security: This will use the GitHub container registry
 TPOT_REPO=dtagdevsec
 
 # T-Pot Version Tag