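#!/bin/bash
# setup.sh — bootstrap the Guacamole / Keycloak compose stack: install the
# required tools, extract and patch configuration from the upstream images,
# create the TLS material and truststore, and fix volume ownership.
#
# Required: a .load.env file in the current directory. The functions below
# read GUACAMOLE_VERSION, KEYCLOAK_VERSION, GUAC_HOSTNAME, KC_HOSTNAME,
# TLS_LETS_ENCRYPT and ACME_ACCOUNT_EMAIL from it.
#
# Abort before doing anything if the env file is missing: without it every
# ${VAR} below would silently expand to an empty string (empty image tags,
# empty hostnames spliced into config files). The explicit ./ prefix keeps
# bash from looking the file up on PATH before falling back to the cwd.
[[ -r ./.load.env ]] || { echo "error: .load.env not found in $(pwd)" >&2; exit 1; }
source ./.load.env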
## Functions
############
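#######################################
# Make sure every command-line tool the rest of the setup relies on exists,
# installing the missing ones with dnf (needs sudo). Docker is special-cased:
# it is taken from the upstream docker-ce repository and the daemon is started
# and enabled right away so the later 'docker run' steps can work.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   exit status of the last check or install; a failed install is
#            reported by dnf but does not abort the script (best-effort)
#######################################
check_tools() {
  echo "checking for patch"
  [[ -x "$(command -v patch)" ]] || { echo " patch not found => installing it"; sudo dnf install patch -y; }
  echo "checking for wget"
  [[ -x "$(command -v wget)" ]] || { echo " wget not found => installing it"; sudo dnf install wget -y; }
  echo "checking for docker"
  [[ -x "$(command -v docker)" ]] || {
    # Message used to say "wget" here — copy/paste slip, now names docker.
    echo " docker not found => installing it"
    sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
    sudo dnf install docker-ce docker-compose-plugin -y
    sudo systemctl start docker
    sudo systemctl enable docker
  }
  # keytool ships with the JDK; it is used below to maintain init/cacerts.
  echo "checking for keytool"
  [[ -x "$(command -v keytool)" ]] || { echo " keytool not found => installing openjdk"; sudo dnf install java-17-openjdk.x86_64 -y; }
  echo "checking for scriptreplay (replay recorded ssh sessions)"
  [[ -x "$(command -v scriptreplay)" ]] || { echo " scriptreplay not found => installing util-linux package"; sudo dnf install util-linux.x86_64 -y; }
}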
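#######################################
# Prepare the Guacamole side of the stack: working directories, the
# PostgreSQL schema (produced by the image's own initdb.sh and patched to add
# a guacadmin e-mail), and a Tomcat server.xml extracted from the image and
# patched to enable TLS.
# Globals:   GUACAMOLE_VERSION (read) - tag of the guacamole image to use
# Arguments: none
# Outputs:   init/initdb.sql{,.orig}, init/server.xml{,.orig};
#            progress messages on stdout, errors on stderr
# Returns:   0 on success, 1 if the image could not be run or a patch failed
#######################################
guacamole_init() {
  local image="docker.io/guacamole/guacamole:${GUACAMOLE_VERSION}"
  mkdir -p data/guacamole data/keycloak init tools || return 1
  # The OpenID SSO and recording-storage extensions are embedded in the
  # docker image, so nothing is downloaded into extensions/ any more.
  echo -e "\n Generating guacamole SQL DB init script"
  # Keep the pristine upstream schema as .orig and patch a copy. Stop here if
  # the container failed: the redirect would otherwise leave an empty .orig
  # that 'patch' then mangles into a useless init script.
  docker run --rm "${image}" /opt/guacamole/bin/initdb.sh --postgresql > init/initdb.sql.orig \
    || { echo " failed to generate initdb.sql from ${image}" >&2; return 1; }
  cp init/initdb.sql.orig init/initdb.sql
  patch init/initdb.sql < config/guacamole/1.add-guacadmin-email.patch || return 1
  echo -e "\n Activate TLS on Tomcat server"
  # Same pattern for Tomcat's server.xml: original kept, copy patched.
  docker run --rm --name guacamole-setup "${image}" cat /usr/local/tomcat/conf/server.xml > init/server.xml.orig \
    || { echo " failed to read server.xml from ${image}" >&2; return 1; }
  cp init/server.xml.orig init/server.xml
  patch init/server.xml < config/guacamole/0.enable-tomcat-ssl.patch || return 1
}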
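#######################################
# Build the Java truststore (init/cacerts) used by Keycloak: copy the
# image's default cacerts file, then import every PEM certificate found in
# trustedCAs/ (private CAs for mutual TLS with Keycloak).
# Globals:   KEYCLOAK_VERSION (read) - tag of the keycloak image to use
# Arguments: none
# Outputs:   init/cacerts (only created when absent; a re-run is a no-op so a
#            hand-edited truststore is never clobbered)
# Returns:   0, or 1 if the image could not be pulled or cacerts not copied
#######################################
keycloak_init() {
  local image="docker.io/keycloak/keycloak:${KEYCLOAK_VERSION}"
  local ca_path ca_file ca_alias rc
  [[ -e init/cacerts ]] && return 0
  echo -e "\n Getting Java Truststore from keycloak image"
  docker pull "${image}" || return 1
  # 'docker cp' works on a created-but-never-started container, so the file
  # can be read without booting Keycloak and racing it with sleep/timeout.
  docker create --name keycloak-cacerts "${image}" >/dev/null || return 1
  docker cp keycloak-cacerts:/etc/pki/ca-trust/extracted/java/cacerts init/cacerts
  rc=$?
  docker rm keycloak-cacerts >/dev/null
  (( rc == 0 )) || { echo " could not copy cacerts out of ${image}" >&2; return 1; }
  # The file comes out read-only; keytool needs to write to it.
  chmod +w init/cacerts
  # Glob instead of parsing 'ls': safe with spaces, and an empty directory
  # simply leaves the literal pattern, which the -f test skips.
  for ca_path in trustedCAs/*; do
    [[ -f "${ca_path}" ]] || continue
    ca_file=${ca_path##*/}
    ca_alias=${ca_file%.*}
    # Only files openssl parses as X.509 are imported; others are reported.
    if openssl x509 -in "${ca_path}" -text -noout >/dev/null 2>&1; then
      echo -e "\n Adding private CA file ${ca_file} with alias ${ca_alias} for mutual TLS with Keycloak"
      # 'changeit' is the JDK default truststore password of the copied file.
      keytool -importcert \
        -alias "${ca_alias}" \
        -keystore init/cacerts \
        -storepass changeit \
        -file "${ca_path}" \
        -trustcacerts -noprompt
    else
      echo -e "\n skipping ${ca_file} as its not a X.509 certificate (PEM format)"
    fi
  done
}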
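#######################################
# Import (or replace) one certificate in the init/cacerts truststore.
# A stale entry under the same alias is removed first, otherwise keytool
# refuses the import ("alias already exists") and a regenerated certificate
# would silently stay untrusted.
# Arguments: $1 - alias, $2 - certificate file
# Returns:   keytool's exit status for the import
#######################################
_tls_truststore_import() {
  local alias=$1 cert=$2
  # 'changeit' is the JDK default truststore password of the copied file.
  keytool -delete -alias "${alias}" -keystore init/cacerts -storepass changeit >/dev/null 2>&1 || true
  keytool -importcert \
    -alias "${alias}" \
    -keystore init/cacerts \
    -storepass changeit \
    -file "${cert}" \
    -trustcacerts -noprompt
}

#######################################
# Generate a self-signed RSA-2048 server certificate and unencrypted key for
# one service, unless its key already exists.
# Arguments: $1 - display name for messages, $2 - file stem under init/,
#            $3 - hostname used as CN and subjectAltName
# Outputs:   init/<stem>.key, init/<stem>.crt
# Returns:   0 when the key already exists, else openssl's exit status
#######################################
_tls_self_signed() {
  local display=$1 stem=$2 host=$3
  [[ -e "init/${stem}.key" ]] && return 0
  echo -e "\n Generate TLS Server Keys and certificates for ${display}"
  # -nodes: the key must be loadable unattended by the containers.
  # -addext: modern clients ignore the CN and reject certificates without a
  #          subjectAltName (needs OpenSSL 1.1.1+, present on the dnf-based
  #          targets this script supports).
  openssl req \
    -newkey rsa:2048 \
    -nodes \
    -keyout "init/${stem}.key" \
    -x509 \
    -days 730 \
    -out "init/${stem}.crt" \
    -subj "/C=FR/O=My Company/OU=My Division/CN=${host}" \
    -addext "subjectAltName=DNS:${host}"
}

#######################################
# Create the TLS server keys and certificates for Guacamole and Keycloak and
# make the relevant certificates trusted in init/cacerts. Either issues real
# certificates through acme.sh (Let's Encrypt) or generates self-signed ones.
# Globals:   TLS_LETS_ENCRYPT, ACME_ACCOUNT_EMAIL, GUAC_HOSTNAME,
#            KC_HOSTNAME (all read)
# Arguments: none
# Outputs:   init/guacamole.{key,crt}, init/keycloak.{key,crt}, init/x509/
#            (ACME state), entries in init/cacerts
# Returns:   exit status of the last step
#######################################
tls_init() {
  local acme_dir host
  if [[ "${TLS_LETS_ENCRYPT}" == "true" ]]; then
    echo -e "\n Generating let's encrypt certificates"
    mkdir -p init/x509
    acme_dir="$(pwd)/init/x509"
    # NOTE(review): the acme.sh image is unpinned (implicit :latest). Pin a
    # tag or digest once one is chosen — this container handles the ACME
    # account key and the hosts' private keys.
    # --net=host lets the --standalone HTTP-01 responder listen on the host's
    # port 80. No TTY is requested so the script also runs from cron/CI.
    local -a acme=(docker run --rm -v "${acme_dir}":/acme.sh --net=host neilpang/acme.sh)
    # Register the ACME account on the first run only.
    [[ -e init/x509/account.conf ]] || "${acme[@]}" --register-account -m "${ACME_ACCOUNT_EMAIL}"
    # HAProxy needs two different certificates for the two SNI backends;
    # issue each one only when its .cer does not exist yet.
    for host in "${GUAC_HOSTNAME}" "${KC_HOSTNAME}"; do
      [[ -e "init/x509/${host}_ecc/${host}.cer" ]] && continue
      echo -e "\n Generating a new TLS server certificate"
      "${acme[@]}" --issue -d "${host}" --standalone
    done
    # TODO : better fix for unix rights — the keys written by the container
    # are root-owned, so they are copied with sudo and made world-readable
    # for the container users. World-readable private keys are a risk on a
    # shared host; restricting them to the container UIDs is the pending fix.
    cp "init/x509/${GUAC_HOSTNAME}_ecc/${GUAC_HOSTNAME}.cer" init/guacamole.crt
    cp "init/x509/${KC_HOSTNAME}_ecc/${KC_HOSTNAME}.cer" init/keycloak.crt
    sudo cp "init/x509/${GUAC_HOSTNAME}_ecc/${GUAC_HOSTNAME}.key" init/guacamole.key
    sudo cp "init/x509/${KC_HOSTNAME}_ecc/${KC_HOSTNAME}.key" init/keycloak.key
    sudo chmod a+r init/guacamole.key init/keycloak.key
    echo -e "\n Adding CA for Keycloak client kcadm.sh"
    chmod u+w init/cacerts
    _tls_truststore_import ACMECA "init/x509/${GUAC_HOSTNAME}_ecc/ca.cer"
  else
    _tls_self_signed Guacamole guacamole "${GUAC_HOSTNAME}"
    _tls_self_signed Keycloak keycloak "${KC_HOSTNAME}"
    # TODO : better fix for unix rights (same concern as above: the private
    # keys become world-readable so the containers can load them)
    sudo chmod a+r init/guacamole.key init/keycloak.key
    # Add the self-signed certificates to the truststore.
    chmod u+w init/cacerts
    _tls_truststore_import keycloak init/keycloak.crt
    _tls_truststore_import guacamole init/guacamole.crt
  fi
}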
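#######################################
# Point the HAProxy SNI routing rules at the configured FQDNs by rewriting
# the two 'use_backend' lines in place.
# Globals:   GUAC_HOSTNAME, KC_HOSTNAME (read)
# Arguments: none
# Outputs:   edits config/haproxy/haproxy.cfg; messages on stdout/stderr
# Returns:   0 on success, 1 if a hostname is empty or not a plain DNS name
#######################################
ha_proxy_conf() {
  local cfg=config/haproxy/haproxy.cfg
  local host
  # Both names are spliced into a sed program and into the proxy config.
  # Accept only DNS-name characters so a stray '|', '&', '{', '}' or newline
  # (e.g. a mistyped .load.env) cannot rewrite the config in unintended ways.
  for host in "${GUAC_HOSTNAME}" "${KC_HOSTNAME}"; do
    [[ "${host}" =~ ^[A-Za-z0-9.-]+$ ]] \
      || { echo " invalid hostname '${host}' for HAProxy configuration" >&2; return 1; }
  done
  echo -e "\n Modifying HAProxy configuration file with FQDN"
  sed -i -e "s|use_backend bk_guacamole.*|use_backend bk_guacamole if { req_ssl_sni -i ${GUAC_HOSTNAME} }|g" \
    -e "s|use_backend bk_keycloak .*|use_backend bk_keycloak if { req_ssl_sni -i ${KC_HOSTNAME} }|g" \
    "${cfg}"
}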
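#######################################
# Create the guacd bind-mount directories and hand them to the UID guacd
# writes as.
# Globals:   GUACD_UID (read, optional) - owner UID; defaults to 1000, the
#            value that was hard-coded before it became configurable
# Arguments: none
# Outputs:   record/ and drive/ in the current directory
# Returns:   exit status of the last chown
#######################################
guacd_volumes_rights() {
  local owner=${GUACD_UID:-1000}
  mkdir -p record drive
  # record/: 2750 = owner rwx, group rx, no access for others, plus setgid so
  # new recordings inherit the directory's group. drive/ keeps default mode.
  sudo chown "${owner}" record
  sudo chmod 2750 record
  sudo chown "${owner}" drive
}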
#######################################
# Entry point: run the setup steps in dependency order — tooling first, then
# the Guacamole and Keycloak artefacts, the TLS material, the proxy config
# and finally the guacd volume ownership.
# Arguments: none (positional parameters are ignored)
#######################################
main() {
  check_tools
  guacamole_init
  keycloak_init
  tls_init
  ha_proxy_conf
  guacd_volumes_rights
}

main "$@"