new appliance: guacamole

Jörg Deckert 2020-05-30 20:10:30 +02:00
parent 7c0d2b8eb0
commit ff38725854
20 changed files with 3733 additions and 6 deletions

56
guacamole/Makefile Normal file

@ -0,0 +1,56 @@
preinstall:
# switch to hardened, build hardened toolchain, rebuild everything
mkdir -p $(CHROOT)/etc/portage/profile
echo "-hardened" >> $(CHROOT)/etc/portage/profile/use.mask
$(inroot) $(EMERGE) $(USEPKG) --oneshot gcc
$(inroot) $(EMERGE) $(USEPKG) --oneshot binutils virtual/libc
-$(gcc_config)
$(inroot) $(EMERGE) $(USEPKG) --emptytree @world
$(inroot) bash -c 'yes YES | etc-update --automode -9'
postinstall: base/timesyncd.conf base/firstboot.start
# Konfigurationen anpassen
cp base/timesyncd.conf $(CHROOT)/etc/systemd/timesyncd.conf
mkdir -p $(CHROOT)/etc/local.d
cp base/firstboot.start $(CHROOT)/etc/local.d/firstboot.start
touch $(CHROOT)/firstboot
sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/' $(CHROOT)/etc/sudoers
sed -i 's#^auth.*$$#auth [success=2 default=ignore] pam_ssh_agent_auth.so file=~/.ssh/authorized_keys\nauth include system-auth#' $(CHROOT)/etc/pam.d/sudo
echo "Defaults env_keep += SSH_AUTH_SOCK" > $(CHROOT)/etc/sudoers.d/ssh_auth_sock
$(inroot) useradd -m -G users,wheel -s /bin/bash --comment="virtual appliance admin" --uid 2000 admin
$(inroot) passwd -d admin; $(inroot) passwd -e admin
$(inroot) systemctl enable tmux@root.service
cp base/tmux.conf $(CHROOT)/root/.tmux.conf
# Beispiel feste IP-Adresse
cp base/00-eth0.network $(CHROOT)/00-eth0.network.example
# MariaDB-Konfiguration ($$, weil make ein $ entfernt)
sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "collation-server = utf8mb4_general_ci" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "transaction_isolation = READ-COMMITTED" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "binlog_format = ROW" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "expire_logs_days = 3" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "innodb_file_per_table = 1" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "innodb_large_prefix = on" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf
chmod 0600 $(CHROOT)/root/.my.cnf
rm -rf $(CHROOT)/var/lib/mysql/*
$(inroot) bash -c 'yes gentoo | emerge --config dev-db/mariadb'
# Nginx
mv $(CHROOT)/etc/nginx/nginx.conf $(CHROOT)/etc/nginx/nginx.conf.orig
cp nginx/nginx.conf $(CHROOT)/etc/nginx/nginx.conf
# Guacamole
$(inroot) /usr/share/tomcat-8.5/gentoo/tomcat-instance-manager.bash --create
echo >> $(CHROOT)/etc/conf.d/tomcat-8.5
echo "# Guacamole" >> $(CHROOT)/etc/conf.d/tomcat-8.5
echo "TOMCAT_EXTRA_CLASSPATH=\"/usr/share/jdbc-mysql/lib/jdbc-mysql.jar\"" >> $(CHROOT)/etc/conf.d/tomcat-8.5
echo "GUACAMOLE_HOME=/etc/guacamole" >> $(CHROOT)/etc/conf.d/tomcat-8.5
cp tomcat/tomcat.start $(CHROOT)/usr/bin/tomcat-8.5
cp tomcat/tomcat.systemd $(CHROOT)/etc/systemd/system/tomcat-8.5.service
ln -sf /usr/share/guacamole-client/guacamole.war $(CHROOT)/var/lib/tomcat-8.5/webapps/
clean:
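Review bot: `rm -rf $(CHROOT)/var/lib/mysql/*` in postinstall runs against the build host's own /var/lib/mysql if CHROOT expands to empty (it is presumably set by the including top-level Makefile, which is not visible here); guard it before anything destructive, e.g. `$(if $(strip $(CHROOT)),,$(error CHROOT is empty))` as the first recipe line, which also covers the `mv` of nginx.conf. The sed on /etc/pam.d/sudo rewrites every line matching `^auth.*`, so if that file ships more than one auth line the pam_ssh_agent_auth stanza is inserted once per line; and because `include` splices system-auth inline, `[success=2 default=ignore]` jumps two modules into system-auth rather than past it — `sufficient` is the control normally used for this module, so verify the resulting stack against the real file. The `preinstall`/`postinstall`/`clean` targets are command names, not files, and should be listed in `.PHONY` if the including Makefile does not already do so.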

7
guacamole/README.md Normal file

@ -0,0 +1,7 @@
Erstkonfiguration
=================
- für variable Daten (Datenbanken, Konfiguration) muß eine mit ext4 formatierte Datenpartition mit dem Label "DATA" vorhanden sein. Diese wird nach /DATA gemountet.
- feste IP-Adresse und /etc/hosts konfigurieren
- evtl. Nginx-Zertifikat neu erzeugen
- unter VMware evtl. open-vm-tools aktivieren


@ -0,0 +1,22 @@
# Beispiel für feste IP-Adreß-Konfiguration:
# Anpassen und als 00-eth0.network nach /etc/systemd/network verschieben
# (s. "man systemd.network", "man systemd-resolved")
#
# NICHT VERGESSEN: entsprechende Einträge in /etc/hosts hinzufügen
# <IPv4> <FQDN> <Hostname>
# <IPv6> <FQDN> <Hostname>
[Match]
Name=eth0
[Network]
Description=1. Netzwerk-Port
Address=192.168.1.2/24
Address=fdb5:78b:64cc:0:f8c0::2/64
Gateway=192.168.1.1
Gateway=fdb5:78b:64cc:0:f8c0::1
DNS=192.168.1.3
DNS=fdb5:78b:64cc:0:f8c0::3
NTP=192.168.1.4
NTP=fdb5:78b:64cc:0:f8c0::4
Domains=privacyidea.de

81
guacamole/base/firstboot.start Executable file

@ -0,0 +1,81 @@
#!/bin/bash
# base settings
set -e
[ -e /firstboot ] || exit 0
echo 'Setting defaults...'
localectl --no-convert set-keymap de-latin1-nodeadkeys
echo 'Activate services...'
timedatectl set-ntp true
# variables
LABEL="DATA"
DATABASE_PASS="Di1sgMySQLPwd."
# Data partition
echo 'Mount data partition...'
mkdir -p /$LABEL
if [ ! -L "/dev/disk/by-label/$LABEL" ]; then
echo 'ERROR: Data partition not found!'
echo "Please create a data partition with ext4 filesystem and label \"$LABEL\":"
echo "# cfdisk /dev/<disk> (use GPT label, create linux partition)"
echo "# mkfs.ext4 -L $LABEL /dev/<partition>"
exit 1
fi
if ! grep -Fq "LABEL=$LABEL" /etc/fstab; then
echo "LABEL=$LABEL /$LABEL ext4 noatime 0 1" >> /etc/fstab
fi
mount -a
if ! mount | grep /$LABEL > /dev/null; then
echo "ERROR: Could not mount data partition!"
exit 1
fi
if [ ! -d "/$LABEL/var/lib/mysql/guacamole_db" ]; then
echo 'Initialize MariaDB...'
systemctl stop mariadb
mkdir -p /$LABEL/var/lib/mysql
rm -rf /$LABEL/var/lib/mysql/*
cp -a /var/lib/mysql/. /$LABEL/var/lib/mysql
sed -i "s:^datadir.*:datadir = /$LABEL/var/lib/mysql:" /etc/mysql/mariadb.d/50-distro-server.cnf
systemctl start mariadb
echo 'Create Guacamole database...'
mysql -u root -e "CREATE DATABASE guacamole_db;"
mysql -u root -e "CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY '$DATABASE_PASS';"
mysql -u root -e "GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';"
mysql -u root -e "FLUSH PRIVILEGES;"
sed -i "s/#mysql-hostname: localhost/mysql-hostname: localhost/" /etc/guacamole/guacamole.properties
sed -i "s/#mysql-port: 3306/mysql-port: 3306/" /etc/guacamole/guacamole.properties
sed -i "s/#mysql-database: guacamole/mysql-database: guacamole_db/" /etc/guacamole/guacamole.properties
sed -i "s/#mysql-username: guacamole/mysql-username: guacamole_user/" /etc/guacamole/guacamole.properties
sed -i "s/#mysql-password: some_password/mysql-password: $DATABASE_PASS/" /etc/guacamole/guacamole.properties
echo 'Initialize Guacamole database...'
cat /usr/share/guacamole-client/schema/mysql/001-create-schema.sql | mysql -u root guacamole_db
cat /usr/share/guacamole-client/schema/mysql/002-create-admin-user.sql | mysql -u root guacamole_db
else
echo 'Start MariaDB...'
sed -i "s:^datadir.*:datadir = /$LABEL/var/lib/mysql:" /etc/mysql/mariadb.d/50-distro-server.cnf
systemctl start mariadb
fi
echo 'Enable database...'
systemctl enable mariadb
echo 'Start and enable Guacamole proxy daemon...'
systemctl start guacd
systemctl enable guacd
echo 'Start and enable Guacamole Tomcat instance...'
systemctl start tomcat-8.5
systemctl enable tomcat-8.5
echo 'Start and enable Nginx...'
systemctl start nginx
systemctl enable nginx
rm /firstboot
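Review bot: `DATABASE_PASS="Di1sgMySQLPwd."` (line 11 of the file) bakes one fixed MariaDB credential into every appliance built from this tree, and the later sed writes it in clear into /etc/guacamole/guacamole.properties; as far as this file shows the value is consumed only by the CREATE USER statement and that properties file, so generate it on first boot instead, e.g. `DATABASE_PASS="$(head -c 32 /dev/urandom | base64 | tr -d '/+=\n')"`. The import of 002-create-admin-user.sql creates Guacamole's stock administrative login (guacadmin) with its documented default password and nothing here changes or announces it; at minimum print a reminder at the 'Initialize Guacamole database...' step that this account must be changed before the appliance is exposed. The owner/mode of guacamole.properties after the password is written is not set here — presumably it should be readable only by the tomcat user; confirm against the package defaults. `mount | grep /$LABEL` also matches any mount point containing that substring; `findmnt "/$LABEL" >/dev/null` is the exact check.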


@ -0,0 +1,12 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# See timesyncd.conf(5) for details.
[Time]
NTP=0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org
FallbackNTP=0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org

3
guacamole/base/tmux.conf Normal file

@ -0,0 +1,3 @@
set -g mouse on
set-option -g set-titles on
set-option -g set-titles-string "#S / #T"

21
guacamole/guacamole.cfg Normal file

@ -0,0 +1,21 @@
##HOSTNAME = $(APPLIANCE)
##TIMEZONE = UTC
DISK_SIZE = 8.0G
##SWAP_SIZE = 30
##SWAP_FILE = $(CHROOT)/.swap
##ARCH = amd64-hardened
##MAKEOPTS = -j10 -l10
##PRUNE_CRITICAL = NO
##CHANGE_PASSWORD = YES
##HEADLESS = NO
##SOFTWARE = 1
##PKGLIST = 0
##RSYNC_MIRROR = rsync://rsync15.de.gentoo.org/gentoo/
##KERNEL_PKG = gentoo-sources
KERNEL_CONFIG = appliances/$(APPLIANCE)/kernel.config
ENABLE_SSHD = YES
TIMEZONE=Europe/Berlin
LOCALE=de_DE.utf8
REPO_NAMES = unitas-misc unitas-guacamole
REPO_URI_unitas-misc = https://dev.unitas-network.de/r/Gentoo/unitas-misc.git
REPO_URI_unitas-guacamole = https://dev.unitas-network.de/r/Gentoo/unitas-guacamole.git

3211
guacamole/kernel.config Normal file


8
guacamole/make.conf Normal file

@ -0,0 +1,8 @@
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"
USE="hardened justify pie ssp urandom xattr -fortran -pch -pic -prelink -profile -tcc"
MAKEOPTS="-j5"
VIDEO_CARDS="vmware"
ACCEPT_LICENSE="*"
PYTHON_TARGETS="python3_7"
PYTHON_SINGLE_TARGET="python3_7"


@ -0,0 +1,7 @@
[mysqladmin]
user = root
password = gentoo
[mysql]
user = root
password = gentoo
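Review bot: The MariaDB root password stored here is the literal `gentoo`, the same value that `yes gentoo | emerge --config dev-db/mariadb` feeds in during postinstall, so every appliance built from this tree shares one well-known database root credential and firstboot.start never rotates it. Either generate a fresh one at first boot and rewrite /root/.my.cnf (MariaDB 10.2 and later accept `mysql -u root -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$NEW_PASS';"`), or switch root@localhost to the `unix_socket` authentication plugin so no password needs to be stored in this file at all. The `chmod 0600` applied in postinstall limits who can read the file on one instance but does not change that the value is identical on all of them.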


@ -0,0 +1,80 @@
user nginx nginx;
worker_processes 1;
error_log /var/log/nginx/error_log info;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 4 2k;
request_pool_size 4k;
gzip off;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 75 20;
ignore_invalid_headers on;
index index.html;
server {
listen 80 default_server;
listen [::]:80 default_server;
access_log /var/log/nginx/localhost.access_log main;
error_log /var/log/nginx/localhost.error_log info;
root /var/www/localhost/htdocs;
location /guacamole/ {
proxy_pass http://localhost:8080/guacamole/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
access_log off;
}
}
# SSL example
#server {
# listen 127.0.0.1:443;
# server_name localhost;
# ssl on;
# ssl_certificate /etc/ssl/nginx/nginx.pem;
# ssl_certificate_key /etc/ssl/nginx/nginx.key;
# access_log /var/log/nginx/localhost.ssl_access_log main;
# error_log /var/log/nginx/localhost.ssl_error_log info;
# root /var/www/localhost/htdocs;
#}
}
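Review bot: The only active server block listens on port 80, so Guacamole logins and the remote-desktop session traffic carried by the websocket tunnel cross the network as plaintext HTTP; the TLS block at the bottom is a commented example, even though the appliance pulls in certbot-nginx and its README tells the operator to regenerate the certificate. Enable a TLS server, redirect port 80 to it, and forward the scheme so the application sees the original protocol; the example's `ssl on;` is also the deprecated form, `listen 443 ssl;` is the current one. The certificate paths below are the ones the commented example already names — confirm that a key pair exists there in the built image.
```nginx
	server {
		listen 80 default_server;
		listen [::]:80 default_server;
		return 301 https://$host$request_uri;
	}

	server {
		listen 443 ssl default_server;
		listen [::]:443 ssl default_server;
		ssl_certificate /etc/ssl/nginx/nginx.pem;
		ssl_certificate_key /etc/ssl/nginx/nginx.key;
		# … unchanged: access_log, error_log, root …

		location /guacamole/ {
			# … unchanged: proxy_pass, proxy_buffering, proxy_http_version, existing proxy_set_header lines, access_log …
			proxy_set_header X-Forwarded-Proto $scheme;
		}
	}
```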


@ -0,0 +1,9 @@
# Grundsystem
app-emulation/open-vm-tools
sys-auth/pam_ssh_agent_auth
# Guacamole
dev-java/javatoolkit
net-libs/libtelnet
net-misc/guacamole-server
www-apps/guacamole-client

2
guacamole/package.mask Normal file

@ -0,0 +1,2 @@
# wir wollen nicht icedtea-bin, sondern openjdk-jre-bin
dev-java/icedtea-bin

27
guacamole/package.use Normal file

@ -0,0 +1,27 @@
# base
app-admin/sudo -sendmail
app-editors/nano ncurses
app-emulation/open-vm-tools pic -modules
app-misc/mc -slang
dev-lang/python ssl threads xml
dev-libs/libpcre cxx jit
dev-libs/libpcre2 jit
dev-util/pkgconfig internal-glib
dev-vcs/git -python
net-misc/openssh ssl
net-misc/wget ssl
sys-apps/hwids udev
sys-apps/kmod tools
sys-apps/net-tools hostname
sys-apps/portage ipc
sys-auth/pambase nullok sha512
sys-devel/gcc cxx nptl
sys-kernel/gentoo-sources symlink
# Monitoring
net-analyzer/zabbix agent
# Guacamole
media-plugins/alsa-plugins pulseaudio
net-misc/guacamole-server encode pulseaudio rdp ssh telnet vnc vorbis webp
www-apps/guacamole-client ldap mysql
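Review bot: `sys-auth/pambase nullok sha512` lets pam_unix accept an empty password, and postinstall in guacamole/Makefile creates the admin account with `passwd -d admin`, so until the change forced by `passwd -e` has actually happened the account authenticates with no password on every PAM service that reaches pam_unix — console login, and sudo's wheel rule through the system-auth include — not only the first console login the flag appears intended for. If the empty password is only a bootstrap convenience, consider dropping `nullok` and having firstboot.start set a random one-time password that it prints on the console; if `nullok` stays, note this interaction in a comment next to the flag, e.g. `# nullok: admin is created without a password and must change it at first login`. Whether sshd is reachable with that account in this state depends on its PermitEmptyPasswords setting, which is not visible here.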

130
guacamole/tomcat/tomcat.start Executable file

@ -0,0 +1,130 @@
#!/bin/sh
# Author: Jens Koegler <j.koegler@web.de>
# based on the original init.d script
# set debugging on
# set -x
die() {
usage
exit 1
}
usage() {
cat <<EOL
Usage: ${BASH_SOURCE} [start|stop] <instance-name>
Usage: NAME=<instance> ${BASH_SOURCE} [start|stop]
Instance-name can be the environment variable NAME
EOL
}
if ([[ $# -gt 2 ]] || [[ $# -eq 0 ]]); then
die
fi
RUN=$1
TOMCAT=`basename ${BASH_SOURCE}`
if [ $# -eq 2 ]; then
printf -v INSTANCE "%s-%s" "$TOMCAT" "$2"
else
if [[ -z ${NAME} ]]; then
printf -v INSTANCE "%s" "$TOMCAT"
else
printf -v INSTANCE "%s-%s" "$TOMCAT" "$NAME"
fi
fi
if [[ -f /etc/conf.d/${INSTANCE} ]]; then
source /etc/conf.d/${INSTANCE}
else
echo "The configuration file /etc/conf.d/${INSTANCE} does not exist"
die
fi
: ${CATALINA_HOME:=/usr/share/${TOMCAT}}
: ${CATALINA_BASE:=/var/lib/${INSTANCE}}
: ${CATALINA_TMPDIR:=/var/tmp/${INSTANCE}}
: ${TOMCAT_START:=start}
: ${JPDA_TRANSPORT:="dt_socket"}
: ${JPDA_ADDRESS:="8000"}
: ${JPDA_OPTS="-Xdebug -Xrunjdwp:transport=${JPDA_TRANSPORT},address=${JPDA_ADDRESS},server=y,suspend=n"}
if [ ! -e "${CATALINA_TMPDIR}" ]; then
mkdir -p "${CATALINA_TMPDIR}"
chown tomcat:tomcat "${CATALINA_TMPDIR}"
fi
export JAVA_HOME=`java-config ${TOMCAT_JVM:+--select-vm ${TOMCAT_JVM}} --jre-home`
export CLASSPATH="${CATALINA_HOME}/bin/bootstrap.jar:${CATALINA_HOME}/bin/tomcat-juli.jar"
start() {
if [ ! -e "${CATALINA_TMPDIR}" ]; then
mkdir -p "${CATALINA_TMPDIR}"
chown tomcat:tomcat "${CATALINA_TMPDIR}"
fi
local DEPEND=$(java-config --query DEPEND --package ${TOMCAT}):${TOMCAT_EXTRA_JARS}
DEPEND=${DEPEND%:}
local GCLASSPATH=$(java-config --with-dependencies --classpath "${DEPEND//:/,}"):${TOMCAT_EXTRA_CLASSPATH}
GCLASSPATH=${GCLASSPATH%:}
local cmd=java args=
if [ "${TOMCAT_START}" = "debug" ] || [ "${TOMCAT_START}" = "-security debug" ] ; then
cmd=jdb
args="${args} -sourcepath ${CATALINA_HOME}/../../jakarta-tomcat-catalina/catalina/src/share"
fi
if [ "${TOMCAT_START}" = "-security debug" ] || [ "${TOMCAT_START}" = "-security start" ]; then
args="${args} -Djava.security.manager"
args="${args} -Djava.security.policy=${CATALINA_BASE}/conf/catalina.policy"
fi
if [ "${TOMCAT_START}" = "jpda start" ] ; then
args="${args} ${JPDA_OPTS}"
fi
if [ -r "${CATALINA_HOME}"/bin/tomcat-juli.jar ]; then
args="${args} -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Djava.util.logging.config.file=${CATALINA_BASE}/conf/logging.properties"
fi
${JAVA_HOME}/bin/${cmd} \
${JAVA_OPTS} \
${args} \
'-XX:OnOutOfMemoryError=kill -9 %%p' \
-Dcatalina.base="${CATALINA_BASE}" \
-Dcatalina.home="${CATALINA_HOME}" \
-Djava.io.tmpdir="${CATALINA_TMPDIR}" \
-Dgentoo.classpath="${GCLASSPATH//:/,}" \
-classpath "${CLASSPATH}" \
org.apache.catalina.startup.Bootstrap \
${CATALINA_OPTS} \
${TOMCAT_START}
}
stop() {
${JAVA_HOME}/bin/java \
${JAVA_OPTS} \
${args} \
-Dcatalina.base="${CATALINA_BASE}" \
-Dcatalina.home="${CATALINA_HOME}" \
-Djava.io.tmpdir="${CATALINA_TMPDIR}" \
-Dgentoo.classpath="${GCLASSPATH//:/,}" \
-classpath "${CLASSPATH}" \
org.apache.catalina.startup.Bootstrap stop
}
case "${RUN}" in
start)
start
;;
stop)
stop
;;
*)
die
;;
esac
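Review bot: The script declares `#!/bin/sh` but relies on bash throughout — `[[ … ]]`, `printf -v`, `${BASH_SOURCE}`, `source`, `local` and the `${DEPEND//:/,}` substitution — and the systemd units start it through that shebang, so `Environment=SHELL=/bin/bash` in the unit does not change the interpreter; the first line should be `#!/bin/bash`. In stop(), `${args}` and `${GCLASSPATH}` are locals of start() and so expand to nothing, meaning the stop command runs with `-Dgentoo.classpath=` and without the security-manager/JPDA options start() computed; either remove those two lines from stop() or move the computation into a helper both call. The `'-XX:OnOutOfMemoryError=kill -9 %%p'` argument hands a literal `%%p` to the JVM unless something downstream collapses it; presumably `%p`, the JVM's pid placeholder, was intended — confirm.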


@ -0,0 +1,18 @@
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=simple
EnvironmentFile=/etc/conf.d/tomcat-8.5
Environment=SHELL=/bin/bash
ExecStart=/usr/bin/tomcat-8.5 start
ExecStop=/usr/bin/tomcat-8.5 stop
SuccessExitStatus=143
User=tomcat
Group=tomcat
TimeoutStopSec=90
Restart=always
[Install]
WantedBy=multi-user.target
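Review bot: `After=network.target` is the only ordering on this unit, yet the Guacamole webapp it starts needs the database and guacd, which firstboot.start enables as separate units, so at boot tomcat-8.5 can come up before either is listening and the JDBC extension may fail its initial connection; add `After=mariadb.service guacd.service` (plus `Wants=` if they should be pulled in) to [Unit], and the same applies to the instance-template unit in the next section. The service runs as tomcat with `Restart=always` and no sandboxing; `NoNewPrivileges=yes` and `ProtectSystem=full` are cheap additions, while `PrivateTmp=yes` needs checking against the script's use of /var/tmp/${INSTANCE} for CATALINA_TMPDIR.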


@ -0,0 +1,19 @@
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=simple
EnvironmentFile=/etc/conf.d/tomcat-8.5-%i
Environment="NAME=%i"
Environment=SHELL=/bin/bash
ExecStart=/usr/bin/tomcat-8.5 start
ExecStop=/usr/bin/tomcat-8.5 stop
SuccessExitStatus=143
User=tomcat
Group=tomcat
TimeoutStopSec=90
Restart=always
[Install]
WantedBy=multi-user.target

16
guacamole/world Normal file

@ -0,0 +1,16 @@
app-admin/logrotate
app-admin/sudo
app-emulation/open-vm-tools
app-emulation/qemu-guest-agent
app-misc/mc
app-misc/tmuxservice
net-analyzer/zabbix
sys-auth/pam_ssh_agent_auth
sys-fs/mdadm
sys-power/acpid
app-crypt/certbot-nginx
dev-db/mariadb
dev-java/openjdk-jre-bin:8
net-misc/guacamole-server
www-apps/guacamole-client
www-servers/nginx


@ -18,8 +18,8 @@ install_snmpbuilder:
$(inroot) test -f /var/cache/distfiles/$(SB_TARBALL) || \
$(inroot) wget -P /var/cache/distfiles $(SB_URL)
$(inroot) tar xf /var/cache/distfiles/$(SB_TARBALL) -C /tmp
cp $(CHROOT)/tmp/snmpbuilder-$(OF_COMMIT)/snmp_builder.php $(CHROOT)/var/www/localhost/htdocs/zabbix/
cp -r $(CHROOT)/tmp/snmpbuilder-$(OF_COMMIT)/snmp_builder $(CHROOT)/var/www/localhost/htdocs/zabbix/
cp $(CHROOT)/tmp/snmpbuilder-$(SB_COMMIT)/snmp_builder.php $(CHROOT)/var/www/localhost/htdocs/zabbix/
cp -r $(CHROOT)/tmp/snmpbuilder-$(SB_COMMIT)/snmp_builder $(CHROOT)/var/www/localhost/htdocs/zabbix/
sed -i 's#/var/www/html/zabbix/snmp_builder/mibs#/var/www/localhost/htdocs/zabbix/snmp_builder/mibs#' $(CHROOT)/var/www/localhost/htdocs/zabbix/snmp_builder.php
patch -d $(CHROOT)/var/www/localhost/htdocs/zabbix/ -p1 < zabbix/snmp_builder.diff
@ -127,8 +127,6 @@ postinstall: base/timesyncd.conf base/firstboot.start
$(inroot)chown zabbix:zabbix /var/log/snmptt
# Zabbix SNMP Builder
<------># oletools zur Office-Macro-Erkennung in rspamd
<------>$(MAKE) install_snmpbuilder
<------>$(MAKE) install_
## $(MAKE) install_snmpbuilder
clean:
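Review bot: `## $(MAKE) install_snmpbuilder` leaves a commented-out recipe line in postinstall; inside a recipe a `#` line is still handed to the shell, and a dead comment does not tell the next reader whether the step is retired or merely off by default. If it should stay available, gate it on a variable — `ifeq ($(strip $(WITH_SNMPBUILDER)),YES)` around the `$(MAKE) install_snmpbuilder` line — otherwise delete it. In the first hunk the `$(OF_COMMIT)` → `$(SB_COMMIT)` rename looks right, but `SB_TARBALL`, `SB_URL` and `SB_COMMIT` are defined outside the hunk, and the context lines fetch and unpack that tarball with no checksum step before copying it into the web root; pinning a known digest next to `SB_COMMIT` would let the recipe verify the download. install_snmpbuilder begins before the hunk and postinstall begins before the second one.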


@ -4,5 +4,5 @@ sys-auth/pam_ssh_agent_auth ~amd64 ~x86
# Zabbix
##dev-db/mariadb ~amd64 ~x86
net-analyzer/zabbix **
net-analyzer/zabbix ~amd64 ~x86
net-analyzer/snmptt ~amd64 ~x86