From 7e9c4e5f51aa163dc2f858828670fe851bbc213f Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <christian.elberfeld@adesso.de>
Date: Mon, 30 Mar 2020 23:33:45 +0200
Subject: [PATCH] Jameica VNC Zugriff

---
 .../includes/verwaltung-jameica.warpzone.ms   | 48 +++++++++++++++++++
 common/nginx/tasks/config_site.yml            |  5 +-
 common/nginx/tasks/main.yml                   | 28 +++++++----
 common/nginx/templates/nginx-site             | 13 ++++-
 host_vars/develop                             |  7 ++-
 host_vars/verwaltung                          |  1 +
 host_vars/webserver-test                      |  4 +-
 site.yml                                      |  1 +
 verwaltung/docker_jameica/tasks/main.yml      | 28 +++++++++++
 .../docker_jameica/templates/Dockerfile       | 19 ++++++++
 .../templates/docker-compose.yml              | 33 +++++++++++++
 .../docker_jameica/templates/jameica.conf     |  4 ++
 .../docker_jameica/templates/jameica.sh       | 11 +++++
 .../docker_mysql/templates/docker-compose.yml |  1 +
 .../templates/docker-compose.yml              |  1 +
 ...et.JVerein.rmi.JVereinDBService.properties |  2 +-
 ....jameica.hbci.rmi.HBCIDBService.properties |  2 +-
 17 files changed, 190 insertions(+), 18 deletions(-)
 create mode 100644 common/nginx/includes/verwaltung-jameica.warpzone.ms
 create mode 100644 verwaltung/docker_jameica/tasks/main.yml
 create mode 100644 verwaltung/docker_jameica/templates/Dockerfile
 create mode 100644 verwaltung/docker_jameica/templates/docker-compose.yml
 create mode 100644 verwaltung/docker_jameica/templates/jameica.conf
 create mode 100644 verwaltung/docker_jameica/templates/jameica.sh

diff --git a/common/nginx/includes/verwaltung-jameica.warpzone.ms b/common/nginx/includes/verwaltung-jameica.warpzone.ms
new file mode 100644
index 00000000..963d120e
--- /dev/null
+++ b/common/nginx/includes/verwaltung-jameica.warpzone.ms
@@ -0,0 +1,48 @@
+
+  
+
+    location = / {
+       return 301 https://$host/vnc.html;
+    }
+
+	location /  {
+ 
+            # Enable Authentication 
+            auth_request /auth-proxy;
+
+            # Enable websockets for the noVNC console to work
+            proxy_http_version 1.1;
+	        proxy_set_header Connection $http_connection;
+	        proxy_set_header Origin http://$host;
+	        proxy_set_header Upgrade $http_upgrade;
+
+            # VNC connection timeout
+            proxy_read_timeout 61s;
+
+            # Disable cache
+            proxy_buffering off;
+
+        	proxy_set_header        Host $host;
+        	proxy_set_header        X-Real-IP $remote_addr;
+	        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        	proxy_set_header        X-Forwarded-Proto $scheme;
+
+	        proxy_pass      http://127.0.0.1:42005/;
+        	proxy_redirect  off;
+
+    }
+
+    location = /auth-proxy {
+        internal;
+
+        proxy_pass http://127.0.0.1:52005/auth;
+
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+        proxy_cache_valid 202 10m;
+
+        # The following directive adds the cookie to the cache key
+        proxy_cache_key "$http_authorization";
+
+        proxy_set_header X-Ldap-Group "*";
+    }
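Review bot: `proxy_cache_valid 202 10m;` and `proxy_cache_key "$http_authorization";` in the `/auth-proxy` location do nothing without a `proxy_cache <zone>` directive (backed by a `proxy_cache_path` at http level), and neither appears in this file, so every request under `/` currently costs a full subrequest to the ldap-auth proxy. Either declare the zone or drop the two directives; if caching is kept, the comment above the key is wrong — it should read `# cache the auth decision per Authorization header value` rather than mention a cookie. The file also mixes tabs and spaces (the `location /` line and the `proxy_set_header` lines differ from their neighbours), which should be normalised before more includes copy the pattern.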
diff --git a/common/nginx/tasks/config_site.yml b/common/nginx/tasks/config_site.yml
index a867aac3..1dd25b6b 100644
--- a/common/nginx/tasks/config_site.yml
+++ b/common/nginx/tasks/config_site.yml
@@ -7,15 +7,16 @@
   stat:
     path: /etc/letsencrypt/live/{{ item }}/privkey.pem
   register: cert
+  when: webserver_ssl == true
 
 - name: Stop nginx
   service: name=nginx state=stopped
   notify: restart nginx
-  when: cert.stat.exists == False 
+  when: webserver_ssl == true and cert.stat.exists == False 
 
 - name: Get Certificate for {{ item }} via Certbot
   command: "certbot certonly --non-interactive --agree-tos --standalone -m {{ letsencrypt_mail }} -w /var/www/html/  -d {{ item }}"
-  when: cert.stat.exists == False 
+  when: webserver_ssl == true and cert.stat.exists == False 
 
 - name: Create nginx config for {{ item }}
   template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}
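Review bot: `when: webserver_ssl == true and cert.stat.exists == False` only works because Jinja short-circuits the `and`: when `webserver_ssl` is false the stat task is skipped and the registered `cert` has no `stat` key, so reordering the operands would raise an undefined-attribute error; a short comment above the first such `when` should say so. Stylistically, Ansible convention is `when: webserver_ssl | bool and not cert.stat.exists`, which also removes the `== true`/`== False` comparisons flagged by ansible-lint. The same pattern and the same trailing whitespace appear on the `generate new DH Params` task in common/nginx/tasks/main.yml.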
diff --git a/common/nginx/tasks/main.yml b/common/nginx/tasks/main.yml
index ef6e8b9d..dc2c8d18 100644
--- a/common/nginx/tasks/main.yml
+++ b/common/nginx/tasks/main.yml
@@ -7,27 +7,34 @@
   vars:
     packages:
     - nginx-light
-    - libnginx-mod-http-lua
+
+# Pakete installieren (SSL)
+- name: openssl and certbot installieren
+  apt:
+    name: "{{ packages }}"
+    update_cache: yes
+    state: present
+  vars:
+    packages:
     - ca-certificates 
     - openssl
     - certbot
-    - git
-
-
-# DH Parameter geneieriern 
+  when: webserver_ssl == true
 
+# DH Parameter erzeugen 
 - name: check if DH Params exists 
   stat:
     path: /etc/nginx/dhparams.pem
   register: dhparams
+  when: webserver_ssl == true
+
 
 - name: generate new DH Params 
   command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
-  when: dhparams.stat.exists == False 
+  when: webserver_ssl == true and dhparams.stat.exists == False 
 
 
 # NginX einrichten 
-
 - name: nginx default Konfig entfernen 
   file: 
     path: /etc/nginx/sites-enabled/default 
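Review bot: The first apt task silently drops `libnginx-mod-http-lua` and `git` from the nginx package list, which the commit title does not mention; nothing in this patch shows whether any remaining nginx config still references the lua module, and if it did, nginx would fail to start after the module is gone on a fresh host. If the lua module was the previous authentication mechanism that `auth_request` now replaces, a one-line comment above the task stating that would make the removal intentional rather than accidental. `update_cache: yes` should be written `update_cache: true` to avoid the YAML 1.1 truthy form.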
@@ -35,22 +42,24 @@
 
 
 # LetsEncrypt Script erstellen 
-
 - name: LetsEncrypt Script erstellen 
   template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x
   notify: restart nginx
+  when: webserver_ssl == true
+
 
 - name: Cronjob für Zertifikatserneuerung
   cron: name="letsencrypt" weekday="*" hour="6" minute="0" job="/opt/letsencrypt.sh"
+  when: webserver_ssl == true
 
 
 # nginx konfigurieren 
-
 - include: config_site.yml
   with_items:
     - "{{ webserver_domains }}"
  
 
+# matrix config 
 - name: Konfig-Datei matrix erstellen
   template: src=nginx-matrix dest=/etc/nginx/sites-enabled/matrix
   notify: restart nginx
@@ -62,7 +71,6 @@
 
 
 # telegraf konfigurieren 
-
 - name: Konfig-Datei status erstellen
   template: src=telegraf.conf dest=/etc/telegraf/telegraf.d/nginx.conf
   notify: restart telegraf 
diff --git a/common/nginx/templates/nginx-site b/common/nginx/templates/nginx-site
index 6913ebdc..1a6b4df3 100644
--- a/common/nginx/templates/nginx-site
+++ b/common/nginx/templates/nginx-site
@@ -14,16 +14,25 @@ server {
 	root /dev/null;
 	index index.html;
 
+    {% if webserver_ssl == true %}
+
 	location /.well-known/acme-challenge/ {
 		root /var/www/html/;
 	}
 
-        location / {
+    location / {
         	rewrite     ^(.*)   https://{{ item }}$1 permanent;
   	}
+	  
+	{% else %}
+
+  	{% include "includes/" + item ignore missing %}
 
+    {% endif %}
 }
 
+{% if webserver_ssl == true %}
+
 server {
 
 	listen 443 ssl http2;
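Review bot: `{% include "includes/" + item ignore missing %}` is placed only in the `{% else %}` branch of the port-80 server block, so on a host with `webserver_ssl: true` (host_vars/verwaltung in this patch) the new `verwaltung-jameica.warpzone.ms` include is never reached from this block; it presumably comes from the 443 server block, whose body lies outside the hunk — worth confirming, because if it is missing there the `auth_request` guard in that include never takes effect. With `ignore missing`, a typo in a domain name produces a site with no location config at all and no error, so a comment such as `{# per-domain config lives in includes/<domain>; missing files are ignored #}` would help the next editor. The re-indented `location /` line now uses spaces while its body and the surrounding lines keep tabs.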
@@ -47,4 +56,4 @@ server {
 	
 }
 
-
+{% endif %}
diff --git a/host_vars/develop b/host_vars/develop
index 6c2b19f1..6208a291 100644
--- a/host_vars/develop
+++ b/host_vars/develop
@@ -27,9 +27,14 @@ int_ip4: 192.168.0.202
 # Art des Hosts: physical, vm, docker 
 host_type: "physical"
 
+# SSL deaktivieren
+webserver_ssl: false
 
+# Liste der gehosteten Domänen
 webserver_domains: 
-  - "test.warpzone"
+  - "boxoffice-test.warpzone"
+  - "infra-test.warpzone"
+  - "ldap-test.warpzone"
 
 
 
diff --git a/host_vars/verwaltung b/host_vars/verwaltung
index da407910..794f37c8 100644
--- a/host_vars/verwaltung
+++ b/host_vars/verwaltung
@@ -36,6 +36,7 @@ webserver_ssl: true
 webserver_domains: 
   - "verwaltung.warpzone.ms"
   - "verwaltung-git.warpzone.ms"
+  - "verwaltung-jameica.warpzone.ms"
   - "verwaltung-ldap.warpzone.ms"
 
 
diff --git a/host_vars/webserver-test b/host_vars/webserver-test
index 348cdf10..0a951ddf 100644
--- a/host_vars/webserver-test
+++ b/host_vars/webserver-test
@@ -21,8 +21,10 @@ debian_keys:
 # Art des Hosts: physical, vm, docker 
 host_type: "vm"
 
+# SSL aktivieren 
+webserver_ssl: true
 
-
+# Liste der gehosteten Domänen
 webserver_domains: 
   - "infra-test.warpzone.ms"
   - "jabber-test.warpzone.ms"
diff --git a/site.yml b/site.yml
index d4eddde5..7bfec3ac 100644
--- a/site.yml
+++ b/site.yml
@@ -80,6 +80,7 @@
     - { role: common/openvpn, tags: openvpn }
     - { role: common/docker_ldap, tags: ldap }
     - { role: verwaltung/docker_gitea, tags: gitea }
+    - { role: verwaltung/docker_jameica, tags: jameicavnc }
     - { role: verwaltung/docker_nextcloud, tags: nextcloud }
     - { role: verwaltung/docker_mysql, tags: mysql }
     - { role: verwaltung/user, tags: user }
diff --git a/verwaltung/docker_jameica/tasks/main.yml b/verwaltung/docker_jameica/tasks/main.yml
new file mode 100644
index 00000000..a9483e2a
--- /dev/null
+++ b/verwaltung/docker_jameica/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- include_tasks: ../functions/get_secret.yml
+  with_items:
+   - { path: /srv/ldap/secret/ldap_readonly_pass,  length: -1 }
+  
+- name: create folder struct for jameica
+  file: 
+    path: "{{item}}" 
+    state: "directory"
+  with_items:
+    - "/srv/jameica-vnc/"
+    - "/srv/jameica-vnc/work"
+
+- name: Konfig-Dateien erstellen
+  template: 
+    src: "{{item}}" 
+    dest: "/srv/jameica-vnc/{{item}}"
+  with_items:
+    - "docker-compose.yml"
+    - "Dockerfile"
+    - "jameica.conf"
+    - "jameica.sh"
+
+- name: start jameica docker
+  docker_compose:
+    project_src: /srv/jameica-vnc/
+    state: present
+    
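Review bot: The `Konfig-Dateien erstellen` task renders `docker-compose.yml`, which carries `LDAP_BIND_PASSWORD`, into `/srv/jameica-vnc/` without a `mode`, so the file is created with the default umask permissions and is typically world-readable on the host. Add `mode: "0600"` (and an explicit `owner`/`group`) to the template task, and a matching `mode: "0700"` on the `create folder struct for jameica` task for the directory. Separately, `docker_compose` with `state: present` does not rebuild the image when `Dockerfile` or `jameica.sh` change, so edits to those templates are not applied until someone rebuilds by hand; either set `build: yes` on the task or have the template task `notify` a handler that restarts the stack. The `with_items` entry under `include_tasks` is indented three spaces while the rest of the file uses four.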
diff --git a/verwaltung/docker_jameica/templates/Dockerfile b/verwaltung/docker_jameica/templates/Dockerfile
new file mode 100644
index 00000000..e90149e7
--- /dev/null
+++ b/verwaltung/docker_jameica/templates/Dockerfile
@@ -0,0 +1,19 @@
+FROM theasp/novnc:latest
+
+# Install java
+RUN set -ex; \
+    apt-get update; \
+    apt-get install -y \
+      openjdk-11-jre
+
+COPY jameica.conf /app/conf.d/
+COPY jameica.sh  /app/
+
+RUN set -ex; \
+  mkdir /jameica/; \
+  mkdir /jameica-data/; \
+  mkdir /jameica-work/; \
+  usermod -U -s /bin/bash -d /jameica-work/ -G root www-data; \
+  chown www-data:www-data /app/jameica.sh; \
+  chown www-data:www-data /jameica-work/; \
+  chmod +x /app/jameica.sh; 
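Review bot: `usermod -U -s /bin/bash -d /jameica-work/ -G root www-data` makes www-data a member of the root group, giving the Jameica process (which jameica.conf runs as www-data) access to everything in the image that is group-root readable or writable; the `chown` lines that follow already grant what `/app/jameica.sh` and `/jameica-work/` need, so `-G root` should be dropped or replaced by a dedicated group. If the membership exists so www-data can write the bind-mounted `/jameica/` and `/jameica-data/` volumes, that belongs in a comment and is better solved by fixing ownership of those host directories in the Ansible role. `FROM theasp/novnc:latest` is unpinned and the apt layer never removes `/var/lib/apt/lists/*`, so the image is neither reproducible nor minimal; pin a tag or digest and finish the install RUN with `rm -rf /var/lib/apt/lists/*`.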
diff --git a/verwaltung/docker_jameica/templates/docker-compose.yml b/verwaltung/docker_jameica/templates/docker-compose.yml
new file mode 100644
index 00000000..b5eda8e9
--- /dev/null
+++ b/verwaltung/docker_jameica/templates/docker-compose.yml
@@ -0,0 +1,33 @@
+version: '3'
+
+services:
+    
+  vnc:
+    build: .
+    environment:
+      DISPLAY_WIDTH: 1440
+      DISPLAY_HEIGHT: 900
+      RUN_XTERM: "no"
+    ports:
+      - 127.0.0.1:42005:8080
+    volumes:
+      - /srv/jameica:/jameica/
+      - /srv/data-jameica:/jameica-data/
+      - /srv/jameica-vnc/work:/jameica-work/
+    
+  ldap_auth:
+    image: pinepain/ldap-auth-proxy:0.2.0
+    ports:
+      - 127.0.0.1:52005:8888
+    environment:
+      LOG_LEVEL: "info"
+      LISTEN: ":8888"
+      LDAP_SERVER: "ldap://{{ int_ip4 }}"
+      LDAP_BASE: "{{ ldap_base_dn }}"
+      LDAP_BIND_DN: "{{ ldap_readonly_bind_dn }}"
+      LDAP_BIND_PASSWORD: "{{ ldap_readonly_pass }}"
+      #(&(uid=%s)(memberof=CN=verwaltung,OU=groups,DC=warpzone,DC=ms))
+      LDAP_USER_FILTER: "(&(uid=%s)(memberof=CN=vorstand,OU=groups,DC=warpzone,DC=ms))"
+      #LDAP_GROUP_FILTER: "(&(objectClass=groupOfUniqueNames)(member=uid=%s,ou=Users,o=${OID},dc=jumpcloud,dc=com))"
+      HEADERS_MAP: "X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn"
+
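Review bot: Neither `vnc` nor `ldap_auth` has a `restart:` policy, unlike the sibling `docker_mysql` compose file in this patch (`restart: always`), so after a host reboot the auth proxy that nginx's `auth_request` depends on stays down — and with it the whole VNC site — until the playbook runs again; add `restart: always` to both services. `LDAP_USER_FILTER` hard-codes `DC=warpzone,DC=ms` while `LDAP_BASE` is templated from `ldap_base_dn`; derive the group DN from the same variable, e.g. `LDAP_USER_FILTER: "(&(uid=%s)(memberof=CN=vorstand,OU=groups,{{ ldap_base_dn }}))"`, so the two cannot drift. The two commented-out filter lines read as leftovers and should either go or become a comment explaining why the `vorstand` group gates access. `LDAP_SERVER: "ldap://{{ int_ip4 }}"` sends the bind password over plain LDAP; if `int_ip4` is the local docker host this stays on-box, but that assumption deserves a comment. `DISPLAY_WIDTH: 1440` and `DISPLAY_HEIGHT: 900` should be quoted, since environment values are strings.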
diff --git a/verwaltung/docker_jameica/templates/jameica.conf b/verwaltung/docker_jameica/templates/jameica.conf
new file mode 100644
index 00000000..22912f67
--- /dev/null
+++ b/verwaltung/docker_jameica/templates/jameica.conf
@@ -0,0 +1,4 @@
+[program:jameica]
+command=/app/jameica.sh
+autorestart=true
+user=www-data
diff --git a/verwaltung/docker_jameica/templates/jameica.sh b/verwaltung/docker_jameica/templates/jameica.sh
new file mode 100644
index 00000000..5cea358f
--- /dev/null
+++ b/verwaltung/docker_jameica/templates/jameica.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Linux Start-Script fuer regulaeren Standalone-Betrieb.
+# Jameica wird hierbei mit GUI gestartet.
+
+# Das Datenverzeichnis wird hierbei ohne Passwort geladen
+
+cd "/jameica/"
+archsuffix="64"
+
+LIBOVERLAY_SCROLLBAR=0 GDK_NATIVE_WINDOWS=1 SWT_GTK3=0 exec java -Djava.net.preferIPv4Stack=true -Xmx512m $_JCONSOLE -jar jameica-linux${archsuffix}.jar -f /jameica-data/ -p nopassword $@
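Review bot: `$@` at the end of the `exec java` line is unquoted, so any argument containing whitespace is re-split; write `"$@"`. `$_JCONSOLE` is never set in this script, in jameica.conf or in the compose environment, so it expands to nothing — drop it or document where it is meant to come from. `-p nopassword` passes the Jameica master password as a fixed literal on the command line, visible in the container's process list, which leaves the data directory protected only by nginx's `auth_request` in front of noVNC; the German comment says this is intended, so it should state that dependency explicitly, e.g. `# Zugriffsschutz erfolgt ausschließlich über die nginx-Authentifizierung vor noVNC`. `cd "/jameica/"` should also fail loudly: `cd "/jameica/" || exit 1`.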
diff --git a/verwaltung/docker_mysql/templates/docker-compose.yml b/verwaltung/docker_mysql/templates/docker-compose.yml
index c279af6c..b022107c 100644
--- a/verwaltung/docker_mysql/templates/docker-compose.yml
+++ b/verwaltung/docker_mysql/templates/docker-compose.yml
@@ -9,6 +9,7 @@ services:
     restart: always
     ports:
       - 127.0.0.1:3306:3306                                                                                      
+      - 10.42.2.1:3306:3306                                                                                      
     volumes:
       - /srv/mysql/tuning.cnf:/etc/mysql/conf.d/tuning.cnf                                                                                             
       - /srv/mysql/db/:/var/lib/mysql                                                                    
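Review bot: Adding `10.42.2.1:3306:3306` exposes MySQL on a second interface beyond loopback, and nothing in the patch says what 10.42.2.1 is (a docker bridge gateway, presumably) or which clients may reach it; confirm the host firewall covers that address and add a comment naming the consumer, e.g. `# reachable from the jameica container only`. The JDBC templates in this patch connect to `{{ int_ip4 }}`, so on verwaltung that variable must resolve to the same 10.42.2.1 for the change to work — if it does not, Jameica still cannot reach the database. The added line carries the same trailing whitespace as its neighbours; it should not be propagated.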
diff --git a/verwaltung/docker_nextcloud/templates/docker-compose.yml b/verwaltung/docker_nextcloud/templates/docker-compose.yml
index 187c7456..1f0591c9 100644
--- a/verwaltung/docker_nextcloud/templates/docker-compose.yml
+++ b/verwaltung/docker_nextcloud/templates/docker-compose.yml
@@ -29,6 +29,7 @@ services:
       - /srv/nextcloud/data/:/var/www/html/
       - /srv/nextcloud/tmp/:/tmp/nextcloudtemp/
       - /srv/nextcloud/memory-limit.ini:/usr/local/etc/php/conf.d/memory-limit.ini:ro
+      - /srv/jameica-vnc/work/:/jameica-work/
     environment:
       REDIS_HOST: redis
       MYSQL_DATABASE: nextcloud
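Review bot: `/srv/jameica-vnc/work/` is mounted read-write into the Nextcloud container; if Nextcloud only needs to pick up files Jameica exports, mount it `:ro` so a compromised Nextcloud cannot plant files that the Jameica side later reads. The Dockerfile in this patch chowns `/jameica-work/` to www-data inside the vnc image, while the UID Nextcloud writes with is not visible here; if the two differ one side will be unable to write, so a comment on this line stating the intended direction of data flow and the expected owner would help.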
diff --git a/verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties b/verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
index 3a67b89b..661113d3 100644
--- a/verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
+++ b/verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
@@ -1,4 +1,4 @@
 database.driver=de.jost_net.JVerein.server.DBSupportMySqlImpl
-database.driver.mysql.jdbcurl=jdbc\:mysql\://localhost\:3306/jverein?useUnicode\=Yes&characterEncoding\=ISO8859_1
+database.driver.mysql.jdbcurl=jdbc\:mysql\://{{ int_ip4 }}\:3306/jverein?useUnicode\=Yes&characterEncoding\=ISO8859_1
 database.driver.mysql.username=vorstand
 database.driver.mysql.password={{mysql_user_pw}}
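Review bot: Changing the JDBC host from `localhost` to `{{ int_ip4 }}` moves the MySQL connection off loopback, and the URL sets no `useSSL`/`requireSSL` parameter, so the `vorstand` credentials and all query traffic travel in cleartext unless the server enforces TLS. If `int_ip4` is a docker bridge address this stays on-host, but that should be stated in a comment next to the URL or enforced with `useSSL=true` once the server has a certificate. The same change appears in the HBCIDBService.properties hunk below.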
diff --git a/verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties b/verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
index cf964603..329eeaec 100644
--- a/verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
+++ b/verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
@@ -1,4 +1,4 @@
 database.driver=de.willuhn.jameica.hbci.server.DBSupportMySqlImpl
-database.driver.mysql.jdbcurl=jdbc\:mysql\://localhost\:3306/hibiscus?useUnicode\=Yes&characterEncoding\=ISO8859_1
+database.driver.mysql.jdbcurl=jdbc\:mysql\://{{ int_ip4 }}\:3306/hibiscus?useUnicode\=Yes&characterEncoding\=ISO8859_1
 database.driver.mysql.username=vorstand
 database.driver.mysql.password={{mysql_user_pw}}
\ No newline at end of file
-- 
GitLab