Jameica VNC Zugriff

common/nginx/includes/verwaltung-jameica.warpzone.ms

+
+  
+
+    location = / {
+       return 301 https://$host/vnc.html;
+    }
+
+	location /  {
+ 
+            # Enable Authentication 
+            auth_request /auth-proxy;
+
+            # Enable websockets for the noVNC console to work
+            proxy_http_version 1.1;
+	        proxy_set_header Connection $http_connection;
+	        proxy_set_header Origin http://$host;
+	        proxy_set_header Upgrade $http_upgrade;
+
+            # VNC connection timeout
+            proxy_read_timeout 61s;
+
+            # Disable cache
+            proxy_buffering off;
+
+        	proxy_set_header        Host $host;
+        	proxy_set_header        X-Real-IP $remote_addr;
+	        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        	proxy_set_header        X-Forwarded-Proto $scheme;
+
+	        proxy_pass      http://127.0.0.1:42005/;
+        	proxy_redirect  off;
+
+    }
+
+    location = /auth-proxy {
+        internal;
+
+        proxy_pass http://127.0.0.1:52005/auth;
+
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+        proxy_cache_valid 202 10m;
+
+        # The following directive adds the cookie to the cache key
+        proxy_cache_key "$http_authorization";
+
+        proxy_set_header X-Ldap-Group "*";
+    }

common/nginx/tasks/config_site.yml

@@ -7,15 +7,16 @@
   stat:
     path: /etc/letsencrypt/live/{{ item }}/privkey.pem
   register: cert
+  when: webserver_ssl == true
 
 - name: Stop nginx
   service: name=nginx state=stopped
   notify: restart nginx
-  when: cert.stat.exists == False 
+  when: webserver_ssl == true and cert.stat.exists == False 
 
 - name: Get Certificate for {{ item }} via Certbot
   command: "certbot certonly --non-interactive --agree-tos --standalone -m {{ letsencrypt_mail }} -w /var/www/html/  -d {{ item }}"
-  when: cert.stat.exists == False 
+  when: webserver_ssl == true and cert.stat.exists == False 
 
 - name: Create nginx config for {{ item }}
   template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}

common/nginx/tasks/main.yml

@@ -7,27 +7,34 @@
   vars:
     packages:
     - nginx-light
-    - libnginx-mod-http-lua
+
+# Pakete installieren (SSL)
+- name: openssl and certbot installieren
+  apt:
+    name: "{{ packages }}"
+    update_cache: yes
+    state: present
+  vars:
+    packages:
     - ca-certificates 
     - openssl
     - certbot
-    - git
-
-
-# DH Parameter geneieriern 
+  when: webserver_ssl == true
 
+# DH Parameter erzeugen 
 - name: check if DH Params exists 
   stat:
     path: /etc/nginx/dhparams.pem
   register: dhparams
+  when: webserver_ssl == true
+
 
 - name: generate new DH Params 
   command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
-  when: dhparams.stat.exists == False 
+  when: webserver_ssl == true and dhparams.stat.exists == False 
 
 
 # NginX einrichten 
-
 - name: nginx default Konfig entfernen 
   file: 
     path: /etc/nginx/sites-enabled/default 
@@ -35,22 +42,24 @@
 
 
 # LetsEncrypt Script erstellen 
-
 - name: LetsEncrypt Script erstellen 
   template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x
   notify: restart nginx
+  when: webserver_ssl == true
+
 
 - name: Cronjob für Zertifikatserneuerung
   cron: name="letsencrypt" weekday="*" hour="6" minute="0" job="/opt/letsencrypt.sh"
+  when: webserver_ssl == true
 
 
 # nginx konfigurieren 
-
 - include: config_site.yml
   with_items:
     - "{{ webserver_domains }}"
  
 
+# matrix config 
 - name: Konfig-Datei matrix erstellen
   template: src=nginx-matrix dest=/etc/nginx/sites-enabled/matrix
   notify: restart nginx
@@ -62,7 +71,6 @@
 
 
 # telegraf konfigurieren 
-
 - name: Konfig-Datei status erstellen
   template: src=telegraf.conf dest=/etc/telegraf/telegraf.d/nginx.conf
   notify: restart telegraf 

common/nginx/templates/nginx-site

@@ -14,16 +14,25 @@ server {
 	root /dev/null;
 	index index.html;
 
+    {% if webserver_ssl == true %}
+
 	location /.well-known/acme-challenge/ {
 		root /var/www/html/;
 	}
 
-        location / {
+    location / {
         	rewrite     ^(.*)   https://{{ item }}$1 permanent;
   	}
+	  
+	{% else %}
+
+  	{% include "includes/" + item ignore missing %}
 
+    {% endif %}
 }
 
+{% if webserver_ssl == true %}
+
 server {
 
 	listen 443 ssl http2;
@@ -47,4 +56,4 @@ server {
 	
 }
 
-
+{% endif %}

host_vars/develop

@@ -27,9 +27,14 @@ int_ip4: 192.168.0.202
 # Art des Hosts: physical, vm, docker 
 host_type: "physical"
 
+# SSL deaktivieren
+webserver_ssl: false
 
+# Liste der gehosteten Domänen
 webserver_domains: 
-  - "test.warpzone"
+  - "boxoffice-test.warpzone"
+  - "infra-test.warpzone"
+  - "ldap-test.warpzone"
 
 
 

host_vars/verwaltung

@@ -36,6 +36,7 @@ webserver_ssl: true
 webserver_domains: 
   - "verwaltung.warpzone.ms"
   - "verwaltung-git.warpzone.ms"
+  - "verwaltung-jameica.warpzone.ms"
   - "verwaltung-ldap.warpzone.ms"
 
 

host_vars/webserver-test

@@ -21,8 +21,10 @@ debian_keys:
 # Art des Hosts: physical, vm, docker 
 host_type: "vm"
 
+# SSL aktivieren 
+webserver_ssl: true
 
-
+# Liste der gehosteten Domänen
 webserver_domains: 
   - "infra-test.warpzone.ms"
   - "jabber-test.warpzone.ms"

site.yml

@@ -80,6 +80,7 @@
     - { role: common/openvpn, tags: openvpn }
     - { role: common/docker_ldap, tags: ldap }
     - { role: verwaltung/docker_gitea, tags: gitea }
+    - { role: verwaltung/docker_jameica, tags: jameicavnc }
     - { role: verwaltung/docker_nextcloud, tags: nextcloud }
     - { role: verwaltung/docker_mysql, tags: mysql }
     - { role: verwaltung/user, tags: user }

verwaltung/docker_jameica/tasks/main.yml

+---
+- include_tasks: ../functions/get_secret.yml
+  with_items:
+   - { path: /srv/ldap/secret/ldap_readonly_pass,  length: -1 }
+  
+- name: create folder struct for jameica
+  file: 
+    path: "{{item}}" 
+    state: "directory"
+  with_items:
+    - "/srv/jameica-vnc/"
+    - "/srv/jameica-vnc/work"
+
+- name: Konfig-Dateien erstellen
+  template: 
+    src: "{{item}}" 
+    dest: "/srv/jameica-vnc/{{item}}"
+  with_items:
+    - "docker-compose.yml"
+    - "Dockerfile"
+    - "jameica.conf"
+    - "jameica.sh"
+
+- name: start jameica docker
+  docker_compose:
+    project_src: /srv/jameica-vnc/
+    state: present
+    

verwaltung/docker_jameica/templates/Dockerfile

+FROM theasp/novnc:latest
+
+# Install java
+RUN set -ex; \
+    apt-get update; \
+    apt-get install -y \
+      openjdk-11-jre
+
+COPY jameica.conf /app/conf.d/
+COPY jameica.sh  /app/
+
+RUN set -ex; \
+  mkdir /jameica/; \
+  mkdir /jameica-data/; \
+  mkdir /jameica-work/; \
+  usermod -U -s /bin/bash -d /jameica-work/ -G root www-data; \
+  chown www-data:www-data /app/jameica.sh; \
+  chown www-data:www-data /jameica-work/; \
+  chmod +x /app/jameica.sh; 

verwaltung/docker_jameica/templates/docker-compose.yml

+version: '3'
+
+services:
+    
+  vnc:
+    build: .
+    environment:
+      DISPLAY_WIDTH: 1440
+      DISPLAY_HEIGHT: 900
+      RUN_XTERM: "no"
+    ports:
+      - 127.0.0.1:42005:8080
+    volumes:
+      - /srv/jameica:/jameica/
+      - /srv/data-jameica:/jameica-data/
+      - /srv/jameica-vnc/work:/jameica-work/
+    
+  ldap_auth:
+    image: pinepain/ldap-auth-proxy:0.2.0
+    ports:
+      - 127.0.0.1:52005:8888
+    environment:
+      LOG_LEVEL: "info"
+      LISTEN: ":8888"
+      LDAP_SERVER: "ldap://{{ int_ip4 }}"
+      LDAP_BASE: "{{ ldap_base_dn }}"
+      LDAP_BIND_DN: "{{ ldap_readonly_bind_dn }}"
+      LDAP_BIND_PASSWORD: "{{ ldap_readonly_pass }}"
+      #(&(uid=%s)(memberof=CN=verwaltung,OU=groups,DC=warpzone,DC=ms))
+      LDAP_USER_FILTER: "(&(uid=%s)(memberof=CN=vorstand,OU=groups,DC=warpzone,DC=ms))"
+      #LDAP_GROUP_FILTER: "(&(objectClass=groupOfUniqueNames)(member=uid=%s,ou=Users,o=${OID},dc=jumpcloud,dc=com))"
+      HEADERS_MAP: "X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn"
+

verwaltung/docker_jameica/templates/jameica.conf

+[program:jameica]
+command=/app/jameica.sh
+autorestart=true
+user=www-data

verwaltung/docker_jameica/templates/jameica.sh

+#!/bin/sh
+
+# Linux Start-Script fuer regulaeren Standalone-Betrieb.
+# Jameica wird hierbei mit GUI gestartet.
+
+# Das Datenverzeichnis wird hierbei ohne Passwort geladen
+
+cd "/jameica/"
+archsuffix="64"
+
+LIBOVERLAY_SCROLLBAR=0 GDK_NATIVE_WINDOWS=1 SWT_GTK3=0 exec java -Djava.net.preferIPv4Stack=true -Xmx512m $_JCONSOLE -jar jameica-linux${archsuffix}.jar -f /jameica-data/ -p nopassword $@

verwaltung/docker_mysql/templates/docker-compose.yml

@@ -9,6 +9,7 @@ services:
     restart: always
     ports:
       - 127.0.0.1:3306:3306                                                                                      
+      - 10.42.2.1:3306:3306                                                                                      
     volumes:
       - /srv/mysql/tuning.cnf:/etc/mysql/conf.d/tuning.cnf                                                                                             
       - /srv/mysql/db/:/var/lib/mysql                                                                    

verwaltung/docker_nextcloud/templates/docker-compose.yml

@@ -29,6 +29,7 @@ services:
       - /srv/nextcloud/data/:/var/www/html/
       - /srv/nextcloud/tmp/:/tmp/nextcloudtemp/
       - /srv/nextcloud/memory-limit.ini:/usr/local/etc/php/conf.d/memory-limit.ini:ro
+      - /srv/jameica-vnc/work/:/jameica-work/
     environment:
       REDIS_HOST: redis
       MYSQL_DATABASE: nextcloud

verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties

 database.driver=de.jost_net.JVerein.server.DBSupportMySqlImpl
-database.driver.mysql.jdbcurl=jdbc\:mysql\://localhost\:3306/jverein?useUnicode\=Yes&characterEncoding\=ISO8859_1
+database.driver.mysql.jdbcurl=jdbc\:mysql\://{{ int_ip4 }}\:3306/jverein?useUnicode\=Yes&characterEncoding\=ISO8859_1
 database.driver.mysql.username=vorstand
 database.driver.mysql.password={{mysql_user_pw}}

verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties

 database.driver=de.willuhn.jameica.hbci.server.DBSupportMySqlImpl
-database.driver.mysql.jdbcurl=jdbc\:mysql\://localhost\:3306/hibiscus?useUnicode\=Yes&characterEncoding\=ISO8859_1
+database.driver.mysql.jdbcurl=jdbc\:mysql\://{{ int_ip4 }}\:3306/hibiscus?useUnicode\=Yes&characterEncoding\=ISO8859_1
 database.driver.mysql.username=vorstand
 database.driver.mysql.password={{mysql_user_pw}}
\ No newline at end of file