bero/test
1
0
Fork 0
Code Issues 52 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Added ansible support for nextcloud, panel images. This enables mail client being auto configured for when new users are added

Browse Source
This commit is contained in:
root 2022-10-21 17:48:17 +00:00
parent dbd83503fc
commit c6430c8a80
5 changed files with 515 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

422
fstack/files/new_user.php Normal file
View File

@ -0,0 +1,422 @@
<?php
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
$attribute_map = $LDAP['default_attribute_map'];
if (isset($LDAP['account_additional_attributes'])) { $attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['account_additional_attributes']); }
unset($attribute_map['uidnumber']);
unset($attribute_map['gidnumber']);
if (! array_key_exists($LDAP['account_attribute'], $attribute_map)) {
$attribute_r = array_merge($attribute_map, array($LDAP['account_attribute'] => array("label" => "Account UID")));
}
if ( isset($_POST['setup_admin_account']) ) {
$admin_setup = TRUE;
validate_setup_cookie();
set_page_access("setup");
$completed_action="${SERVER_PATH}log_in";
$page_title="New administrator account";
render_header("$ORGANISATION_NAME account manager - setup administrator account", FALSE);
}
else {
set_page_access("admin");
$completed_action="${THIS_MODULE_PATH}/";
$page_title="New account";
$admin_setup = FALSE;
render_header("$ORGANISATION_NAME account manager");
render_submenu();
}
$invalid_password = FALSE;
$mismatched_passwords = FALSE;
$invalid_username = FALSE;
$weak_password = FALSE;
$invalid_email = FALSE;
$disabled_email_tickbox = TRUE;
$invalid_cn = FALSE;
$invalid_account_identifier = FALSE;
$account_attribute = $LDAP['account_attribute'];
$new_account_r = array();
foreach ($attribute_map as $attribute => $attr_r) {
if (isset($_FILES[$attribute]['size']) and $_FILES[$attribute]['size'] > 0) {
$this_attribute = array();
$this_attribute['count'] = 1;
$this_attribute[0] = file_get_contents($_FILES[$attribute]['tmp_name']);
$$attribute = $this_attribute;
$new_account_r[$attribute] = $this_attribute;
unset($new_account_r[$attribute]['count']);
}
if (isset($_POST[$attribute])) {
$this_attribute = array();
if (is_array($_POST[$attribute]) and count($_POST[$attribute]) > 0) {
foreach($_POST[$attribute] as $key => $value) {
if ($value != "") { $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); }
}
if (count($this_attribute) > 0) {
$this_attribute['count'] = count($this_attribute);
$$attribute = $this_attribute;
}
}
elseif ($_POST[$attribute] != "") {
$this_attribute['count'] = 1;
$this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$$attribute = $this_attribute;
}
}
if (!isset($$attribute) and isset($attr_r['default'])) {
$$attribute['count'] = 1;
$$attribute[0] = $attr_r['default'];
}
if (isset($$attribute)) {
$new_account_r[$attribute] = $$attribute;
unset($new_account_r[$attribute]['count']);
}
}
##
if (isset($_GET['account_request'])) {
$givenname[0]=filter_var($_GET['first_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$new_account_r['givenname'] = $givenname[0];
unset($new_account_r['givenname']['count']);
$sn[0]=filter_var($_GET['last_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$new_account_r['sn'] = $sn[0];
unset($new_account_r['sn']['count']);
$mail[0]=filter_var($_GET['email'], FILTER_SANITIZE_EMAIL);
if ($mail[0] == "") {
if (isset($EMAIL_DOMAIN)) {
$mail[0] = $uid . "@" . $EMAIL_DOMAIN;
$disabled_email_tickbox = FALSE;
}
}
else {
$disabled_email_tickbox = FALSE;
}
$new_account_r['mail'] = $mail;
unset($new_account_r['mail']['count']);
}
if (isset($_GET['account_request']) or isset($_POST['create_account'])) {
if (!isset($uid[0])) {
$uid[0] = generate_username($givenname[0],$sn[0]);
$new_account_r['uid'] = $uid;
unset($new_account_r['uid']['count']);
}
if (!isset($cn[0])) {
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
$cn[0] = $givenname[0] . $sn[0];
}
else {
$cn[0] = $givenname[0] . " " . $sn[0];
}
$new_account_r['cn'] = $cn;
unset($new_account_r['cn']['count']);
}
}
if (isset($_POST['create_account'])) {
$password = $_POST['password'];
$new_account_r['password'][0] = $password;
$account_identifier = $new_account_r[$account_attribute][0];
$this_cn=$cn[0];
$this_mail=$mail[0];
$this_givenname=$givenname[0];
$this_sn=$sn[0];
$this_password=$password[0];
if (!isset($this_cn) or $this_cn == "") { $invalid_cn = TRUE; }
if ((!isset($account_identifier) or $account_identifier == "") and $invalid_cn != TRUE) { $invalid_account_identifier = TRUE; }
if ((!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) and $ACCEPT_WEAK_PASSWORDS != TRUE) { $weak_password = TRUE; }
if (isset($this_mail) and !is_valid_email($this_mail)) { $invalid_email = TRUE; }
if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
if ($password != $_POST['password_match']) { $mismatched_passwords = TRUE; }
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$account_identifier)) { $invalid_account_identifier = TRUE; }
if (isset($_POST['send_email']) and isset($mail) and $EMAIL_SENDING_ENABLED == TRUE) { $send_user_email = TRUE; }
if ( isset($this_givenname)
and isset($this_sn)
and isset($this_password)
and !$mismatched_passwords
and !$weak_password
and !$invalid_password
and !$invalid_account_identifier
and !$invalid_cn
and !$invalid_email) {
$ldap_connection = open_ldap_connection();
$new_account = ldap_new_account($ldap_connection, $new_account_r);
if ($new_account) {
$testout = shell_exec ("sudo -u ansible ansible nextcloud -a \"sudo -u www-data php -d memory_limit=-1 -f /var/www/html/occ user:list | grep $this_cn\" -u ansible -m shell");
$string1 = explode(':', $testout);
$string2 = explode(' ', $string1[0]);
$newmail = explode('@', $this_mail);
$command1 = shell_exec("sudo -u ansible ansible nextcloud -a \"sudo -u www-data php -d memory_limit=-1 -f /var/www/html/occ mail:account:create $string2[8] $newmail[0] $newmail[0]@$newmail[1] mail.$newmail[1] 993 ssl $newmail[0]@$newmail[1] $password mail.$newmail[1] 465 ssl $newmail[0]@$newmail[1] $password password\" -u ansible -m shell");
$creation_message = "The account was created.";
if (isset($send_user_email) and $send_user_email == TRUE) {
include_once "mail_functions.inc.php";
$mail_body = parse_mail_text($new_account_mail_body, $password, $account_identifier, $this_givenname, $this_sn);
$mail_subject = parse_mail_text($new_account_mail_subject, $password, $account_identifier, $this_givenname, $this_sn);
$sent_email = send_email($this_mail,"$this_givenname $this_sn",$mail_subject,$mail_body);
$creation_message = "The account was created";
if ($sent_email) {
$creation_message .= " and an email sent to $this_mail.";
}
else {
$creation_message .= " but unfortunately the email wasn't sent.<br>More information will be available in the logs.";
}
}
if ($admin_setup == TRUE) {
$member_add = ldap_add_member_to_group($ldap_connection, $LDAP['admins_group'], $account_identifier);
if (!$member_add) { ?>
<div class="alert alert-warning">
<p class="text-center"><?php print $creation_message; ?> Unfortunately adding it to the admin group failed.</p>
</div>
<?php
}
#Tidy up empty uniquemember entries left over from the setup wizard
$USER_ID="tmp_admin";
ldap_delete_member_from_group($ldap_connection, $LDAP['admins_group'], "");
if (isset($DEFAULT_USER_GROUP)) { ldap_delete_member_from_group($ldap_connection, $DEFAULT_USER_GROUP, ""); }
}
?>
<div class="alert alert-success">
<p class="text-center"><?php print $creation_message; ?></p>
</div>
<form action='<?php print $completed_action; ?>'>
<p align="center">
<input type='submit' class="btn btn-success" value='Finished'>
</p>
</form>
<?php
render_footer();
exit(0);
}
else {
?>
<div class="alert alert-warning">
<p class="text-center">Failed to create the account:</p>
<pre>
<?php
print ldap_error($ldap_connection) . "\n";
ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detailed_err);
print $detailed_err;
?>
</pre>
</div>
<?php
render_footer();
exit(0);
}
}
}
$errors="";
if ($invalid_cn) { $errors.="<li>The Common Name is required</li>\n"; }
if ($invalid_account_identifier) { $errors.="<li>The account identifier (" . $attribute_map[$account_attribute]['label'] . ") is invalid.</li>\n"; }
if ($weak_password) { $errors.="<li>The password is too weak</li>\n"; }
if ($invalid_password) { $errors.="<li>The password contained invalid characters</li>\n"; }
if ($invalid_email) { $errors.="<li>The email address is invalid</li>\n"; }
if ($mismatched_passwords) { $errors.="<li>The passwords are mismatched</li>\n"; }
if ($invalid_username) { $errors.="<li>The username is invalid</li>\n"; }
if ($errors != "") { ?>
<div class="alert alert-warning">
<p class="text-align: center">
There were issues creating the account:
<ul>
<?php print $errors; ?>
</ul>
</p>
</div>
<?php
}
render_js_username_check();
render_js_username_generator('givenname','sn','uid','uid_div');
render_js_cn_generator('givenname','sn','cn','cn_div');
render_js_email_generator('uid','mail');
render_js_homedir_generator('uid','homedirectory');
$tabindex=1;
?>
<script src="<?php print $SERVER_PATH; ?>js/zxcvbn.min.js"></script>
<script type="text/javascript" src="<?php print $SERVER_PATH; ?>js/zxcvbn-bootstrap-strength-meter.js"></script>
<script type="text/javascript">
$(document).ready(function(){
$("#StrengthProgressBar").zxcvbnProgressBar({ passwordInput: "#password" });
});
</script>
<script type="text/javascript" src="<?php print $SERVER_PATH; ?>js/generate_passphrase.js"></script>
<script type="text/javascript" src="<?php print $SERVER_PATH; ?>js/wordlist.js"></script>
<script>
function check_passwords_match() {
if (document.getElementById('password').value != document.getElementById('confirm').value ) {
document.getElementById('password_div').classList.add("has-error");
document.getElementById('confirm_div').classList.add("has-error");
}
else {
document.getElementById('password_div').classList.remove("has-error");
document.getElementById('confirm_div').classList.remove("has-error");
}
}
function random_password() {
generatePassword(4,'-','password','confirm');
$("#StrengthProgressBar").zxcvbnProgressBar({ passwordInput: "#password" });
}
function back_to_hidden(passwordField,confirmField) {
var passwordField = document.getElementById(passwordField).type = 'password';
var confirmField = document.getElementById(confirmField).type = 'password';
}
</script>
<script>
function check_email_validity(mail) {
var check_regex = <?php print $JS_EMAIL_REGEX; ?>
if (! check_regex.test(mail) ) {
document.getElementById("mail_div").classList.add("has-error");
<?php if ($EMAIL_SENDING_ENABLED == TRUE) { ?>document.getElementById("send_email_checkbox").disabled = true;<?php } ?>
}
else {
document.getElementById("mail_div").classList.remove("has-error");
<?php if ($EMAIL_SENDING_ENABLED == TRUE) { ?>document.getElementById("send_email_checkbox").disabled = false;<?php } ?>
}
}
</script>
<?php render_dynamic_field_js(); ?>
<div class="container">
<div class="col-sm-8 col-md-offset-2">
<div class="panel panel-default">
<div class="panel-heading text-center"><?php print $page_title; ?></div>
<div class="panel-body text-center">
<form class="form-horizontal" action="" enctype="multipart/form-data" method="post">
<?php if ($admin_setup == TRUE) { ?><input type="hidden" name="setup_admin_account" value="true"><?php } ?>
<input type="hidden" name="create_account">
<input type="hidden" id="pass_score" value="0" name="pass_score">
<?php
foreach ($attribute_map as $attribute => $attr_r) {
$label = $attr_r['label'];
if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $onkeyup = ""; }
if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); }
if (isset($attr_r['inputtype'])) { $inputtype = $attr_r['inputtype']; } else { $inputtype = ""; }
render_attribute_fields($attribute,$label,$these_values,"",$onkeyup,$inputtype,$tabindex);
$tabindex++;
}
?>
<div class="form-group" id="password_div">
<label for="password" class="col-sm-3 control-label">Password</label>
<div class="col-sm-6">
<input tabindex="<?php print $tabindex+1; ?>" type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');">
</div>
<div class="col-sm-1">
<input tabindex="<?php print $tabindex+2; ?>" type="button" class="btn btn-sm" id="password_generator" onclick="random_password();" value="Generate password">
</div>
</div>
<div class="form-group" id="confirm_div">
<label for="confirm" class="col-sm-3 control-label">Confirm</label>
<div class="col-sm-6">
<input tabindex="<?php print $tabindex+3; ?>" type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
</div>
</div>
<?php if ($EMAIL_SENDING_ENABLED == TRUE and $admin_setup != TRUE) { ?>
<div class="form-group" id="send_email_div">
<label for="send_email" class="col-sm-3 control-label"> </label>
<div class="col-sm-6">
<input tabindex="<?php print $tabindex+4; ?>" type="checkbox" class="form-check-input" id="send_email_checkbox" name="send_email" <?php if ($disabled_email_tickbox == TRUE) { print "disabled"; } ?>> Email these credentials to the user?
</div>
</div>
<?php } ?>
<div class="form-group">
<button tabindex="<?php print $tabindex+5; ?>" type="submit" class="btn btn-warning">Create account</button>
</div>
</form>
<div class="progress">
<div id="StrengthProgressBar" class="progress-bar"></div>
</div>
<div><sup>&ast;</sup>The account identifier</div>
</div>
</div>
</div>
</div>
<?php
render_footer();
?>

BIN
fstack/lib/checks.sh
View File

Binary file not shown.

65
fstack/lib/nextcloud.sh
View File

@ -48,6 +48,9 @@ services:
hostname: nextcloud.$DOMAIN
domainname: $DOMAIN
restart: always
build:
context: .
dockerfile: Dockerfile
networks:
fstack:
ipv4_address: 172.99.0.15
@ -77,9 +80,57 @@ networks:
external: true
EOF
cat > fstack/nextcloud/supervisord.conf <<EOF
[supervisord]
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB ; maximum size of logfile before rotation
logfile_backups=10 ; number of backed up logfiles
loglevel=error
[program:apache2]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=apache2-foreground
[program:sshd]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=service ssh start
EOF
cat > fstack/nextcloud/Dockerfile <<EOF
FROM nextcloud:latest
RUN apt update -y && apt-get install ssh -y \
&& apt-get install python3 -y && apt-get install sudo -y
RUN echo 'ansible ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers \
&& useradd -m ansible -s /bin/bash \
&& sudo -u ansible mkdir /home/ansible/.ssh \
&& mkdir -p /var/run/sshd
RUN apt-get install -y supervisor \
&& rm -rf /var/lib/apt/lists/* \
&& mkdir /var/log/supervisord /var/run/supervisord
COPY supervisord.conf /
ENV NEXTCLOUD_UPDATE=1
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
EOF
cat > fstack/nextcloud/data/root/nextcloud.sh <<EOF
#!/bin/sh
PATH=/var/www/html:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/sbin:/bin
./occ app:enable user_ldap
./occ ldap:create-empty-config
./occ ldap:set-config s01 ldapHost 'ldaps://ldap.$DOMAIN'
@ -129,13 +180,11 @@ ADMINUUID=\`./occ user:list | grep admin | awk '{ print \$2 }' | awk -F: '{ prin
./occ app:enable tasks
./occ app:enable bookmarks
./occ app:enable forms
./occ app:enable appointments
./occ app:enable news
./occ app:enable spreed
./occ mail:account:create \$ADMINUUID admin admin@$DOMAIN mail.$DOMAIN 993 ssl admin@$DOMAIN $ADMINPASS mail.$DOMAIN 465 ssl admin@$DOMAIN $ADMINPASS password
EOF
chmod +x fstack/nextcloud/data/root/nextcloud.sh
chmod +x fstack/nextcloud/data/root/*.sh
cat > fstack/nextcloud/data/etc/apache2/sites-enabled/000-default.conf <<'EOF'
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
@ -170,14 +219,14 @@ start_nextcloud() {
if [ $DEBUG ]; then
# Start fstack/nextcloud with output to console for debug
docker-compose -f fstack/nextcloud/docker-compose.yml -p nextcloud up
docker-compose -f fstack/nextcloud/docker-compose.yml -p nextcloud up --build
[ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service fstack/nextcloud"
else
docker-compose -f fstack/nextcloud/docker-compose.yml -p nextcloud up -d &> /dev/null
docker-compose -f fstack/nextcloud/docker-compose.yml -p nextcloud up --build -d &> /dev/null
# Keep trying nextcloud port 8000 to make sure it's up
# Keep trying nextcloud port 80 to make sure it's up
# before we proceed
RETRY="23"
RETRY="35"
while [ $RETRY -gt 0 ]; do
nc -z 172.99.0.15 80 &> /dev/null
if [ $? -eq 0 ]; then
@ -201,7 +250,7 @@ start_nextcloud() {
[ $? -ne 0 ] && fail "Couldn't chown nextcloud.sh in fstack/nextcloud container"
# Run nextcloud.sh - Setup LDAP, configuration for nextcloud
docker exec -it -u 33 nextcloud /var/www/html/nextcloud.sh &> /dev/null
docker exec -it -u 33 nextcloud /var/www/html/nextcloud.sh
[ $? -ne 0 ] && fail "Couldn't run nextcloud.sh inside fstack/nextcloud container"
# Enable SSL module in fstack/nextcloud

38
fstack/lib/panel.sh
View File

@ -18,6 +18,31 @@ config_panel() {
DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
DOMAIN_LAST=${DOMAIN_ARRAY[1]}
cat > fstack/panel/ansible_hosts <<EOF
[servers]
nextcloud ansible_host=172.99.0.15
[all:vars]
ansible_python_interpreter=/usr/bin/python3
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
EOF
cp fstack/files/new_user.php fstack/panel
cat > fstack/panel/Dockerfile <<EOF
FROM wheelybird/ldap-user-manager:latest
RUN apt update -y && apt-get install ssh -y \
&& apt-get install ansible -y && apt-get install sudo -y
RUN echo 'www-data ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers \
&& useradd -m ansible -s /bin/bash \
&& sudo -u ansible mkdir /home/ansible/.ssh && mkdir /etc/ansible
RUN sudo -u ansible ssh-keygen -q -t rsa -N '' -f /home/ansible/.ssh/id_rsa
COPY ansible_hosts /etc/ansible/hosts
COPY new_user.php /opt/ldap_user_manager/account_manager/
EOF
cat > fstack/panel/docker-compose.yml <<EOF
version: '3.8'
services:
@ -27,6 +52,9 @@ services:
hostname: panel.$DOMAIN
domainname: $DOMAIN
restart: always
build:
context: .
dockerfile: Dockerfile
networks:
fstack:
ipv4_address: 172.99.0.12
@ -79,14 +107,14 @@ start_panel() {
if [ $DEBUG ]; then
# Start fstack/panel with output to console for debug
docker-compose -f fstack/panel/docker-compose.yml -p panel up
docker-compose -f fstack/panel/docker-compose.yml -p panel up --build
[ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service fstack/panel"
else
docker-compose -f fstack/panel/docker-compose.yml -p panel up -d &> /dev/null
docker-compose -f fstack/panel/docker-compose.yml -p panel up --build -d &> /dev/null
# Keep trying panel port 443 to make sure it's up
# before we proceed
RETRY="23"
RETRY="30"
while [ $RETRY -gt 0 ]; do
nc -z 172.99.0.12 443 &> /dev/null
if [ $? -eq 0 ]; then
@ -102,6 +130,10 @@ start_panel() {
fi
done
fi
# Insert ansible key into nextcloud
KEY=`docker exec -it panel bash -c "cat /home/ansible/.ssh/id_rsa.pub"`
docker exec -it nextcloud bash -c "echo $KEY > /home/ansible/.ssh/authorized_keys"
kill -9 $SPINPID &> /dev/null
echo -ne "done."

2
install-federated.sh
View File

@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -x
#
# Federated installation script