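def doLinboStartconf(group):
    """Ensure the LINBO start.conf of *group* exists and carries the setup's global values.

    Creates ``<LINBODIR>/start.conf.<group>`` from the generic
    ``<LINBODIR>/start.conf`` when it does not exist yet, then aligns the
    global ``Server``, ``KernelOptions`` and ``Group`` options with the
    setup and finally regenerates the grub configuration for the group.
    The server ip is taken from a ``server=<ip>`` kernel option if that
    holds a valid IPv4 host address, otherwise from the module-level
    ``serverip``; missing kernel options default to ``splash quiet``.

    Args:
        group: name of the host group; it is used verbatim as the file name
            suffix and is therefore expected to be a plain name without
            path separators.

    Returns:
        The (false) return value of ``setGlobalStartconfOption`` as soon as
        updating one option fails, ``None`` otherwise.
    """
    import shutil  # local import: the file's import block is outside this block

    startconf = constants.LINBODIR + '/start.conf.' + group
    # provide a minimal start.conf if there is none for this group; copy
    # with shutil instead of a shell 'cp' so the group name never reaches
    # a shell
    if not os.path.isfile(startconf):
        msg = ' > Creating minimal start.conf. Further configuration is necessary!'
        printScript(msg, '', True)
        shutil.copy(constants.LINBODIR + '/start.conf', startconf)
    # current global values of the start.conf
    group_s = getStartconfOption(startconf, 'LINBO', 'Group')
    serverip_s = getStartconfOption(startconf, 'LINBO', 'Server')
    kopts_s = getStartconfOption(startconf, 'LINBO', 'KernelOptions')
    # a 'server=<ip>' kernel option wins over the setup's server ip, but only
    # when it is a valid host address
    serverip_r = serverip
    if kopts_s:
        match = re.search(r'server=([^ ]*)', kopts_s, re.IGNORECASE)
        if match is not None and isValidHostIpv4(match.group(1)):
            serverip_r = match.group(1)
    kopts_r = 'splash quiet' if kopts_s is None else kopts_s
    group_r = group
    # rewrite only the options that differ, in the original order, and stop
    # at the first failure (setGlobalStartconfOption is taken to return a
    # bool — TODO confirm)
    wanted = (
        ('Server', serverip_s, serverip_r),
        ('KernelOptions', kopts_s, kopts_r),
        ('Group', group_s, group_r),
    )
    for option, current, value in wanted:
        if current != value:
            rc = setGlobalStartconfOption(startconf, option, value)
            if rc is False:
                return rc
    # process grub cfgs
    doGrubCfg(startconf, group, kopts_r)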
'.')[1] + '.' + serverip.split('.')[2] + '.' + '100' dhcprange2 = serverip.split('.')[0] + '.' + serverip.split( '.')[1] + '.' + serverip.split('.')[2] + '.' + '200' dhcprange = dhcprange1 + ' ' + dhcprange2 while True: rc, dhcprange = dialog.inputbox( 'Enter the two ip addresses for the free dhcp range (space separated):', title=ititle, height=16, width=64, init=dhcprange) if rc == 'cancel': sys.exit(1) dhcprange1 = dhcprange.split(' ')[0] dhcprange2 = dhcprange.split(' ')[1] if isValidHostIpv4(dhcprange1) and isValidHostIpv4(dhcprange2): break print('DHCP range: ' + dhcprange) setup.set('setup', 'dhcprange', dhcprange) # opsi ititle = title + ': Opsi-IP' try: opsiip = setup.get('setup', 'opsiip') except: opsiip = '' while True: rc, opsiip = dialog.inputbox( 'Enter the ip address of the opsi server (optional):', title=ititle, height=16,
ssh.close() # local mailserver setup else: msg = '* Starting mailserver setup ' printScript(msg, '', False, False, True) try: subProc('apt update && apt -y install linuxmuster-mail', logfile) subProc('linuxmuster-mail.py -s -c ' + setuptmp, logfile) subProc('systemctl start linuxmuster-mail.service', logfile) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) os.unlink(setuptmp) # add mail dns entry msg = '* Creating dns entry ' printScript(msg, '', False, False, True) try: sambaTool('dns add localhost ' + domainname + ' mail A ' + mailip) sambaTool('dns add localhost ' + domainname + ' mail MX "' + mailip + ' 10"') printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # mailserver setup only if ip is set if isValidHostIpv4(mailip): main()
# uploading data & certs msg = '* Uploading files to opsiserver ' printScript(msg, '', False, False, True) for item in [setuptmp, setuphelper, opsicert, opsikey]: if not ftp.put(item, '/tmp/' + os.path.basename(item)): printScript(' ' + os.path.basename(item) + ' failed!', '', True, True, False, len(msg)) sys.exit(1) ftp.chmod(setuphelper, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP) ftp.close() ssh.close() printScript(' Success!', '', True, True, False, len(msg)) # start opsiserver setup per ssh msg = '* Starting opsiserver setup ' printScript(msg, '', False, False, True) try: sshcmd = 'ssh -oNumberOfPasswordPrompts=0 -oStrictHostKeyChecking=no -p 22 ' + opsiip setupcmd = sshcmd + ' ' + setuphelper subProc(setupcmd, logfile) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # close ssh connection os.unlink(setuptmp) # mailserver setup only if ip is set if isValidHostIpv4(opsiip): main()
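def _begin(msg):
    """Print the progress line *msg* of a setup step, leaving the line open."""
    printScript(msg, '', False, False, True)


def _report(msg, ok):
    """Close the progress line started with *msg* with ' Success!' or ' Failed!'."""
    printScript(' Success!' if ok else ' Failed!', '', True, True, False, len(msg))


def _fail(msg):
    """Close the progress line of *msg* as failed and abort with exit code 1."""
    _report(msg, False)
    sys.exit(1)


def _host_in_server_net(serverip, last_octet):
    """Return the address made of serverip's first three octets and *last_octet*.

    Used for the placeholder addresses (x.y.z.2 / x.y.z.3) that stand in for
    the optional opsi and docker hosts when they are not configured.
    """
    return '.'.join(serverip.split('.')[:3] + [str(last_octet)])


def _extract_current_config(content):
    """Pick the fragments of the firewall's current config.xml that are kept.

    Returns a dict with the XML fragments (as str) for the keys 'wanconfig',
    'lanconfig', 'gwconfig', 'dnsconfig' and 'opt1config'; the last three
    are '' when the block is absent.  Raises ValueError when <wan> or <lan>
    is missing.
    """
    soup = BeautifulSoup(content, 'lxml')
    fragments = {}
    for key, tag in (('wanconfig', 'wan'), ('lanconfig', 'lan')):
        found = soup.find(tag)
        if found is None:
            raise ValueError('current config has no <' + tag + '> block')
        fragments[key] = str(found)
    for key, tag in (('gwconfig', 'gateways'), ('dnsconfig', 'dnsserver'), ('opt1config', 'opt1')):
        found = soup.find(tag)
        fragments[key] = '' if found is None else str(found)
    return fragments


def _fill_template(template, values):
    """Replace every ``@@name@@`` placeholder in *template* with values[name].

    Replacements are applied one after another in dict order, exactly like
    the chain of str.replace calls they stand for.  Values are inserted
    verbatim — there is no XML escaping — so they must not contain
    XML-special characters.
    """
    for name, value in values.items():
        template = template.replace('@@' + name + '@@', value)
    return template


def main():
    """Roll out the linuxmuster configuration to the OPNsense firewall.

    Reads the setup values from the module-level ``setup`` parser, downloads
    and backs up the firewall's current config.xml, keeps its interface,
    gateway, dns and opt1 fragments, renders the config template with them
    and freshly generated secrets (root password hash, api key/secret),
    stores the api credentials locally, uploads the result and reboots the
    firewall.  Every failing step aborts the script with exit code 1.
    """
    serverip = setup.get('setup', 'serverip')
    bitmask = setup.get('setup', 'bitmask')
    firewallip = setup.get('setup', 'firewallip')
    servername = setup.get('setup', 'servername')
    domainname = setup.get('setup', 'domainname')
    basedn = setup.get('setup', 'basedn')
    opsiip = setup.get('setup', 'opsiip')
    dockerip = setup.get('setup', 'dockerip')
    network = setup.get('setup', 'network')
    adminpw = setup.get('setup', 'adminpw')
    # timezone of this host and the bind user password, both inserted into
    # the template verbatim (readTextfile's status flag is not checked here,
    # as in the original — TODO confirm its semantics)
    _, timezone = readTextfile('/etc/timezone')
    timezone = timezone.replace('\n', '')
    _, binduserpw = readTextfile(constants.BINDUSERSECRET)
    # the downloaded config is backed up with a timestamp before being
    # replaced by the rendered template
    now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
    fwconftmp = constants.FWCONFLOCAL
    fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
    fwconftpl = constants.FWOSCONFTPL
    # placeholder addresses for the optional hosts when they are not set
    if not isValidHostIpv4(opsiip):
        opsiip = _host_in_server_net(serverip, 2)
    if not isValidHostIpv4(dockerip):
        dockerip = _host_in_server_net(serverip, 3)
    # fetch the current config with the rollout root password
    if not getFwConfig(firewallip, constants.ROOTPW):
        sys.exit(1)
    msg = '* Backing up '
    _begin(msg)
    try:
        shutil.copy(fwconftmp, fwconfbak)
        _report(msg, True)
    except OSError:
        _fail(msg)
    msg = '* Reading current config '
    _begin(msg)
    try:
        _, content = readTextfile(fwconftmp)
        current = _extract_current_config(content)
        _report(msg, True)
    except Exception:
        _fail(msg)
    msg = '* Reading certificates & ssh key '
    _begin(msg)
    try:
        _, cacertb64 = readTextfile(constants.CACERTB64)
        _, fwcertb64 = readTextfile(constants.SSLDIR + '/firewall.cert.pem.b64')
        _, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
        _, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
        _report(msg, True)
    except Exception:
        _fail(msg)
    msg = '* Creating xml configuration file '
    _begin(msg)
    try:
        # only bcrypt hashes of the root password and the api secret go into
        # the config; the api key/secret themselves are stored locally below
        # (randomPassword is the project's generator — assumed to use a
        # CSPRNG, TODO confirm)
        fwrootpw_hashed = bcrypt.hashpw(adminpw.encode(), bcrypt.gensalt(10)).decode()
        apikey = randomPassword(80)
        apisecret = randomPassword(80)
        apisecret_hashed = bcrypt.hashpw(apisecret.encode(), bcrypt.gensalt(10)).decode()
        _, template = readTextfile(fwconftpl)
        content = _fill_template(template, {
            'servername': servername,
            'domainname': domainname,
            'basedn': basedn,
            'wanconfig': current['wanconfig'],
            'dnsconfig': current['dnsconfig'],
            'gwconfig': current['gwconfig'],
            'lanconfig': current['lanconfig'],
            'opt1config': current['opt1config'],
            'serverip': serverip,
            'firewallip': firewallip,
            'network': network,
            'bitmask': bitmask,
            'opsiip': opsiip,
            'dockerip': dockerip,
            'fwrootpw_hashed': fwrootpw_hashed,
            'authorizedkey': authorizedkey,
            'apikey': apikey,
            'apisecret_hashed': apisecret_hashed,
            'binduserpw': binduserpw,
            'timezone': timezone,
            'cacertb64': cacertb64,
            'fwcertb64': fwcertb64,
            'fwkeyb64': fwkeyb64,
        })
        writeTextfile(fwconftmp, content, 'w')
        _report(msg, True)
    except Exception:
        _fail(msg)
    msg = '* Saving api credentials '
    _begin(msg)
    try:
        modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
        modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
        # restrict the mode without going through a shell; modIni creates
        # the file with the process umask, so the secret is only protected
        # from here on
        os.chmod(constants.FWAPIKEYS, 0o400)
        _report(msg, True)
    except Exception:
        _fail(msg)
    if not putFwConfig(firewallip, constants.ROOTPW):
        sys.exit(1)
    # NOTE(review): the rendered config in fwconftmp holds binduserpw and
    # the firewall key in base64; its removal was commented out in the
    # original and is kept that way — make sure constants.FWCONFLOCAL has
    # a restrictive mode
    # reboot the firewall with the new root password
    if not sshExec(firewallip, 'configctl firmware reboot', adminpw):
        sys.exit(1)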
from functions import isDynamicIpDevice from functions import isValidHostname from functions import isValidHostIpv4 from functions import sambaTool cmd = '' ip = '' hostname = '' # get arguments cmd, ip, hostname = sys.argv[1:] # check arguments if cmd not in ['add', 'delete']: sys.exit(1) if not isValidHostIpv4(ip): sys.exit(1) if not isValidHostname(hostname): sys.exit(1) # no action for pxclient if hostname.lower() == 'pxeclient': sys.exit(0) # check if it is a dynamic ip device if not isDynamicIpDevice(hostname): sys.exit(0) # test if there are already valid dns records for this host try: ip_resolved = socket.gethostbyname(hostname)
printScript(' ' + servername, '', True, True, False, len(msg)) except: printScript(' not set!', '', True, True, False, len(msg)) sys.exit(1) setup.set('setup', 'servername', servername) # derive values from servername # netbiosname setup.set('setup', 'netbiosname', servername.upper()) # serverip msg = '* Server-IP ' printScript(msg, '', False, False, True) try: serverip = setup.get('setup', 'serverip') if not isValidHostIpv4(serverip): printScript(' ' + serverip + ' is not valid!', '', True, True, False, len(msg)) sys.exit(1) printScript(' ' + serverip, '', True, True, False, len(msg)) except: printScript(' not set!', '', True, True, False, len(msg)) sys.exit(1) # netmask msg = '* Bitmask ' printScript(msg, '', False, False, True) try: bitmask = setup.get('setup', 'bitmask') ip = IP(serverip + '/' + bitmask, make_net=True) except: printScript(' ' + bitmask + ' is not valid!', '', True, True, False, len(msg))
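def _begin(msg):
    """Print the progress line *msg* of a setup step, leaving the line open."""
    printScript(msg, '', False, False, True)


def _report(msg, ok):
    """Close the progress line started with *msg* with ' Success!' or ' Failed!'."""
    printScript(' Success!' if ok else ' Failed!', '', True, True, False, len(msg))


def _fail(msg):
    """Close the progress line of *msg* as failed and abort with exit code 1."""
    _report(msg, False)
    sys.exit(1)


def _host_in_server_net(serverip, last_octet):
    """Return the address made of serverip's first three octets and *last_octet*.

    Used for the placeholder addresses (x.y.z.2 / x.y.z.3) that stand in for
    the optional opsi and docker hosts when they are not configured.
    """
    return '.'.join(serverip.split('.')[:3] + [str(last_octet)])


def _noproxy_alias(network, serverip, opsiip, dockerip):
    """Build the address list for the firewall's NoProxy alias.

    The list holds the first ten host addresses of *network* (space
    separated) followed, one per line, by each of serverip/opsiip/dockerip
    that is not already among them.  Membership is an exact comparison,
    not the substring test of the original, so e.g. 'x.y.z.1' no longer
    hides an address that merely contains it.
    """
    netpre = '.'.join(network.split('.')[:3]) + '.'
    hosts = [netpre + str(i) for i in range(1, 11)]
    aliascontent = ' '.join(hosts)
    for ip in (serverip, opsiip, dockerip):
        if ip not in hosts:
            hosts.append(ip)
            aliascontent += '\n' + ip
    return aliascontent


def _extract_current_config(content, serverip):
    """Pick the fragments of the firewall's current config.xml that are kept.

    Returns a dict with the XML fragments (as str) for the keys 'sysctl',
    'interfaces', 'language', 'gwconfig' and 'dnsconfig'.  The dns list is
    prefixed with *serverip*; a missing <language> falls back to the setup
    host's LANG.  Raises ValueError when the <sysctl> block or an
    <interfaces> block containing <lan> is missing.
    """
    soup = BeautifulSoup(content, 'lxml')
    sysctl = soup.find('sysctl')
    if sysctl is None:
        raise ValueError('current config has no <sysctl> block')
    # the last <interfaces> block that defines <lan> is kept
    interfaces = None
    for item in soup.findAll('interfaces'):
        if '<lan>' in str(item):
            interfaces = str(item)
    if interfaces is None:
        raise ValueError('current config has no <interfaces> block with <lan>')
    language_tag = soup.find('language')
    if language_tag is not None:
        language = str(language_tag)
    else:
        # second try: derive the language from the locale of this host
        try:
            lang = os.environ['LANG'].split('.')[0]
        except KeyError:
            lang = 'en_US'
        language = '<language>' + lang + '</language>'
    gateways = soup.find('gateways')
    if gateways is None:
        gwconfig = ''
    else:
        # only the inner gateway entries are inserted into the template
        gwconfig = str(gateways).replace('<gateways>', '').replace('</gateways>', '')
    # the server is always the first dns server, an existing entry follows
    dnsconfig = '<dnsserver>' + serverip + '</dnsserver>'
    existing_dns = soup.find('dnsserver')
    if existing_dns is not None:
        dnsconfig += '\n ' + str(existing_dns)
    return {
        'sysctl': str(sysctl),
        'interfaces': interfaces,
        'language': language,
        'gwconfig': gwconfig,
        'dnsconfig': dnsconfig,
    }


def _fill_template(template, values):
    """Replace every ``@@name@@`` placeholder in *template* with values[name].

    Replacements are applied one after another in dict order, exactly like
    the chain of str.replace calls they stand for.  Values are inserted
    verbatim — there is no XML escaping — so they must not contain
    XML-special characters.
    """
    for name, value in values.items():
        template = template.replace('@@' + name + '@@', value)
    return template


def main():
    """Roll out the linuxmuster configuration to the OPNsense firewall.

    Reads the setup values from the module-level ``setup`` parser, downloads
    and backs up the firewall's current config.xml, keeps its sysctl,
    interfaces, language, gateway and dns fragments, renders the config
    template with them and freshly generated secrets (root password hash,
    api key/secret), stores the api credentials locally, uploads the result
    and reboots the firewall.  Every failing step aborts the script with
    exit code 1.
    """
    serverip = setup.get('setup', 'serverip')
    bitmask = setup.get('setup', 'bitmask')
    firewallip = setup.get('setup', 'firewallip')
    servername = setup.get('setup', 'servername')
    domainname = setup.get('setup', 'domainname')
    basedn = setup.get('setup', 'basedn')
    opsiip = setup.get('setup', 'opsiip')
    dockerip = setup.get('setup', 'dockerip')
    network = setup.get('setup', 'network')
    adminpw = setup.get('setup', 'adminpw')
    # timezone of this host and the bind user password, both inserted into
    # the template verbatim (readTextfile's status flag is not checked here,
    # as in the original — TODO confirm its semantics)
    _, timezone = readTextfile('/etc/timezone')
    timezone = timezone.replace('\n', '')
    _, binduserpw = readTextfile(constants.BINDUSERSECRET)
    # the downloaded config is backed up with a timestamp before being
    # replaced by the rendered template
    now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
    fwconftmp = constants.FWCONFLOCAL
    fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
    fwconftpl = constants.FWOSCONFTPL
    # placeholder addresses for the optional hosts when they are not set
    if not isValidHostIpv4(opsiip):
        opsiip = _host_in_server_net(serverip, 2)
    if not isValidHostIpv4(dockerip):
        dockerip = _host_in_server_net(serverip, 3)
    # fetch the current config with the rollout root password
    if not getFwConfig(firewallip, constants.ROOTPW):
        sys.exit(1)
    msg = '* Backing up '
    _begin(msg)
    try:
        shutil.copy(fwconftmp, fwconfbak)
        _report(msg, True)
    except OSError:
        _fail(msg)
    msg = '* Reading current config '
    _begin(msg)
    try:
        _, content = readTextfile(fwconftmp)
        current = _extract_current_config(content, serverip)
        _report(msg, True)
    except Exception:
        _fail(msg)
    msg = '* Reading certificates & ssh key '
    _begin(msg)
    try:
        _, cacertb64 = readTextfile(constants.CACERTB64)
        _, fwcertb64 = readTextfile(constants.SSLDIR + '/firewall.cert.pem.b64')
        _, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
        _, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
        _report(msg, True)
    except Exception:
        _fail(msg)
    # first ten network ips plus the server ips for the NoProxy alias
    aliascontent = _noproxy_alias(network, serverip, opsiip, dockerip)
    msg = '* Creating xml configuration file '
    _begin(msg)
    try:
        # only bcrypt hashes of the root password and the api secret go into
        # the config; the api key/secret themselves are stored locally below
        # (randomPassword is the project's generator — assumed to use a
        # CSPRNG, TODO confirm)
        fwrootpw_hashed = bcrypt.hashpw(adminpw.encode(), bcrypt.gensalt(10)).decode()
        apikey = randomPassword(80)
        apisecret = randomPassword(80)
        apisecret_hashed = bcrypt.hashpw(apisecret.encode(), bcrypt.gensalt(10)).decode()
        _, template = readTextfile(fwconftpl)
        content = _fill_template(template, {
            'sysctl': current['sysctl'],
            'servername': servername,
            'domainname': domainname,
            'basedn': basedn,
            'interfaces': current['interfaces'],
            'dnsconfig': current['dnsconfig'],
            'gwconfig': current['gwconfig'],
            'serverip': serverip,
            'dockerip': dockerip,
            'firewallip': firewallip,
            'network': network,
            'bitmask': bitmask,
            'aliascontent': aliascontent,
            'gw_lan': constants.GW_LAN,
            'fwrootpw_hashed': fwrootpw_hashed,
            'authorizedkey': authorizedkey,
            'apikey': apikey,
            'apisecret_hashed': apisecret_hashed,
            'binduserpw': binduserpw,
            'language': current['language'],
            'timezone': timezone,
            'cacertb64': cacertb64,
            'fwcertb64': fwcertb64,
            'fwkeyb64': fwkeyb64,
        })
        writeTextfile(fwconftmp, content, 'w')
        _report(msg, True)
    except Exception:
        _fail(msg)
    msg = '* Saving api credentials '
    _begin(msg)
    try:
        modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
        modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
        # restrict the mode without going through a shell; modIni creates
        # the file with the process umask, so the secret is only protected
        # from here on
        os.chmod(constants.FWAPIKEYS, 0o400)
        _report(msg, True)
    except Exception:
        _fail(msg)
    if not putFwConfig(firewallip, constants.ROOTPW):
        sys.exit(1)
    # NOTE(review): the rendered config in fwconftmp holds binduserpw and
    # the firewall key in base64; its removal was commented out in the
    # original and is kept that way — make sure constants.FWCONFLOCAL has
    # a restrictive mode
    # reboot the firewall with the new root password
    if not sshExec(firewallip, 'configctl firmware reboot', adminpw):
        sys.exit(1)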
printScript(msg, '', False, False, True) try: subProc('service ssh restart', logfile) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # remove known_hosts if os.path.isfile(known_hosts): subProc('rm -f ' + known_hosts, logfile) # install ssh link to additional servers success = [] items = [] if isValidHostIpv4(opsiip): items.append((opsiip, 22)) if isValidHostIpv4(dockerip): items.append((dockerip, 22)) for item in items: ip = item[0] port = item[1] rc = doSshLink(ip, port, constants.ROOTPW) if rc == True: success.append(ip) # test success rc = 0 for item in items: ip = item[0] if not ip in success:
# iterate over devices printScript('', 'begin') printScript('Processing dhcp clients:') f = open(devices, newline='') reader = csv.reader(f, delimiter=';', quoting=csv.QUOTE_NONE) d = open(constants.DHCPDEVCONF, 'w') pxe_groups = [] for row in reader: try: room, host, group, mac, ip, field6, field7, dhcpopts, field9, field10, pxe = row except: continue if room[:1] == '#' or room[:1] == ';': continue if (pxe == '3' or pxe == '2') and isValidHostIpv4(opsiip) == False: pxe = '1' if pxe == '0': htype = 'IP-Host : ' else: htype = 'PXE-Host: ' printScript('* ' + htype + host) # write conf for dhcp clients d.write('host ' + ip + ' {\n') d.write(' hardware ethernet ' + mac + ';\n') d.write(' fixed-address ' + ip + ';\n') d.write(' option host-name "' + host + '";\n') # dhcp options have to be 5 chars minimum to get processed if len(dhcpopts) > 4: for opt in dhcpopts.split(','): d.write(' ' + opt + ';\n')
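def _begin(msg):
    """Print the progress line *msg* of a setup step, leaving the line open."""
    printScript(msg, '', False, False, True)


def _report(msg, ok):
    """Close the progress line started with *msg* with ' Success!' or ' Failed!'."""
    printScript(' Success!' if ok else ' Failed!', '', True, True, False, len(msg))


def _fail(msg):
    """Close the progress line of *msg* as failed and abort with exit code 1."""
    _report(msg, False)
    sys.exit(1)


def _host_in_server_net(serverip, last_octet):
    """Return the address made of serverip's first three octets and *last_octet*.

    Used for the placeholder addresses (x.y.z.2 / x.y.z.3) that stand in for
    the optional opsi and docker hosts when they are not configured.
    """
    return '.'.join(serverip.split('.')[:3] + [str(last_octet)])


def _noproxy_alias(network, serverip, opsiip, dockerip):
    """Build the address list for the firewall's NoProxy alias.

    The list holds the first ten host addresses of *network* (space
    separated) followed, one per line, by each of serverip/opsiip/dockerip
    that is not already among them.  Membership is an exact comparison,
    not the substring test of the original, so e.g. 'x.y.z.1' no longer
    hides an address that merely contains it.
    """
    netpre = '.'.join(network.split('.')[:3]) + '.'
    hosts = [netpre + str(i) for i in range(1, 11)]
    aliascontent = ' '.join(hosts)
    for ip in (serverip, opsiip, dockerip):
        if ip not in hosts:
            hosts.append(ip)
            aliascontent += '\n' + ip
    return aliascontent


def _extract_current_config(content, serverip):
    """Pick the fragments of the firewall's current config.xml that are kept.

    Returns a dict with the XML fragments (as str) for the keys 'sysctl',
    'interfaces', 'language', 'gwconfig' and 'dnsconfig'.  The dns list is
    prefixed with *serverip*; a missing <language> falls back to the setup
    host's LANG.  Raises ValueError when the <sysctl> block or an
    <interfaces> block containing <lan> is missing.
    """
    soup = BeautifulSoup(content, 'lxml')
    sysctl = soup.find('sysctl')
    if sysctl is None:
        raise ValueError('current config has no <sysctl> block')
    # the last <interfaces> block that defines <lan> is kept
    interfaces = None
    for item in soup.findAll('interfaces'):
        if '<lan>' in str(item):
            interfaces = str(item)
    if interfaces is None:
        raise ValueError('current config has no <interfaces> block with <lan>')
    language_tag = soup.find('language')
    if language_tag is not None:
        language = str(language_tag)
    else:
        # second try: derive the language from the locale of this host
        try:
            lang = os.environ['LANG'].split('.')[0]
        except KeyError:
            lang = 'en_US'
        language = '<language>' + lang + '</language>'
    gateways = soup.find('gateways')
    if gateways is None:
        gwconfig = ''
    else:
        # only the inner gateway entries are inserted into the template
        gwconfig = str(gateways).replace('<gateways>', '').replace('</gateways>', '')
    # the server is always the first dns server, an existing entry follows
    dnsconfig = '<dnsserver>' + serverip + '</dnsserver>'
    existing_dns = soup.find('dnsserver')
    if existing_dns is not None:
        dnsconfig += '\n ' + str(existing_dns)
    return {
        'sysctl': str(sysctl),
        'interfaces': interfaces,
        'language': language,
        'gwconfig': gwconfig,
        'dnsconfig': dnsconfig,
    }


def _fill_template(template, values):
    """Replace every ``@@name@@`` placeholder in *template* with values[name].

    Replacements are applied one after another in dict order, exactly like
    the chain of str.replace calls they stand for.  Values are inserted
    verbatim — there is no XML escaping — so they must not contain
    XML-special characters.
    """
    for name, value in values.items():
        template = template.replace('@@' + name + '@@', value)
    return template


def main():
    """Roll out the linuxmuster configuration to the OPNsense firewall.

    Reads the setup values, downloads and backs up the firewall's current
    config.xml, keeps its sysctl, interfaces, language, gateway and dns
    fragments, renders the config template with them and freshly generated
    secrets (root password hash, api key/secret, radius secret), stores the
    api credentials and the radius secret locally, uploads the rendered
    config and the web-proxy sso auth config, and finally runs fwsetup.sh on
    the firewall (which, per its log line, installs extensions and reboots).
    Every failing step aborts the script with exit code 1.  Uses the
    module-level ``logfile`` and ``constants``.
    """
    msg = 'Reading setup data '
    _begin(msg)
    try:
        serverip = getSetupValue('serverip')
        bitmask = getSetupValue('bitmask')
        firewallip = getSetupValue('firewallip')
        servername = getSetupValue('servername')
        domainname = getSetupValue('domainname')
        basedn = getSetupValue('basedn')
        opsiip = getSetupValue('opsiip')
        dockerip = getSetupValue('dockerip')
        network = getSetupValue('network')
        adminpw = getSetupValue('adminpw')
        _report(msg, True)
    except Exception:
        _fail(msg)
    # timezone of this host and the bind user password, both inserted into
    # the template verbatim (readTextfile's status flag is not checked here,
    # as in the original — TODO confirm its semantics)
    _, timezone = readTextfile('/etc/timezone')
    timezone = timezone.replace('\n', '')
    _, binduserpw = readTextfile(constants.BINDUSERSECRET)
    # firewall root passwords: after a reset (linuxmuster-opnsense-reset) the
    # current root password is handed over in this file and stays in force;
    # on an initial setup the standardised rollout password is replaced by
    # the admin password from setup
    # NOTE(review): the hand-over file lives in /tmp; its path is dictated by
    # the reset tool, this script only consumes and removes it
    pwfile = '/tmp/linuxmuster-opnsense-reset'
    if os.path.isfile(pwfile):
        _, rolloutpw = readTextfile(pwfile)
        productionpw = rolloutpw
        os.unlink(pwfile)
    else:
        rolloutpw = constants.ROOTPW
        productionpw = adminpw
    msg = 'Calculating radius secret '
    _begin(msg)
    try:
        # randomPassword is the project's generator — assumed to use a
        # CSPRNG, TODO confirm
        radiussecret = randomPassword(16)
        # create the file owner-read-only right away instead of relying on
        # the umask and a chmod afterwards; the chmod still covers an
        # already existing file
        fd = os.open(constants.RADIUSSECRET, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400)
        with os.fdopen(fd, 'w') as secret:
            secret.write(radiussecret)
        os.chmod(constants.RADIUSSECRET, 0o400)
        _report(msg, True)
    except Exception:
        _fail(msg)
    # the downloaded config is backed up with a timestamp before being
    # replaced by the rendered template
    now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
    fwconftmp = constants.FWCONFLOCAL
    fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
    fwconftpl = constants.FWOSCONFTPL
    # placeholder addresses for the optional hosts when they are not set
    if not isValidHostIpv4(opsiip):
        opsiip = _host_in_server_net(serverip, 2)
    if not isValidHostIpv4(dockerip):
        dockerip = _host_in_server_net(serverip, 3)
    # fetch the current config with the rollout root password
    if not getFwConfig(firewallip, rolloutpw):
        sys.exit(1)
    msg = '* Backing up '
    _begin(msg)
    try:
        shutil.copy(fwconftmp, fwconfbak)
        _report(msg, True)
    except OSError:
        _fail(msg)
    msg = '* Reading current config '
    _begin(msg)
    try:
        _, content = readTextfile(fwconftmp)
        current = _extract_current_config(content, serverip)
        _report(msg, True)
    except Exception:
        _fail(msg)
    msg = '* Reading certificates & ssh key '
    _begin(msg)
    try:
        _, cacertb64 = readTextfile(constants.CACERTB64)
        _, fwcertb64 = readTextfile(constants.SSLDIR + '/firewall.cert.pem.b64')
        _, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
        _, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
        _report(msg, True)
    except Exception:
        _fail(msg)
    # first ten network ips plus the server ips for the NoProxy alias
    aliascontent = _noproxy_alias(network, serverip, opsiip, dockerip)
    msg = '* Creating xml configuration file '
    _begin(msg)
    try:
        # only bcrypt hashes of the root password and the api secret go into
        # the config; the api key/secret themselves are stored locally below
        fwrootpw_hashed = bcrypt.hashpw(productionpw.encode(), bcrypt.gensalt(10)).decode()
        apikey = randomPassword(80)
        apisecret = randomPassword(80)
        apisecret_hashed = bcrypt.hashpw(apisecret.encode(), bcrypt.gensalt(10)).decode()
        _, template = readTextfile(fwconftpl)
        content = _fill_template(template, {
            'sysctl': current['sysctl'],
            'servername': servername,
            'domainname': domainname,
            'basedn': basedn,
            'interfaces': current['interfaces'],
            'dnsconfig': current['dnsconfig'],
            'gwconfig': current['gwconfig'],
            'serverip': serverip,
            'dockerip': dockerip,
            'firewallip': firewallip,
            'network': network,
            'bitmask': bitmask,
            'aliascontent': aliascontent,
            'gw_lan': constants.GW_LAN,
            'fwrootpw_hashed': fwrootpw_hashed,
            'authorizedkey': authorizedkey,
            'apikey': apikey,
            'apisecret_hashed': apisecret_hashed,
            'binduserpw': binduserpw,
            'radiussecret': radiussecret,
            'language': current['language'],
            'timezone': timezone,
            'cacertb64': cacertb64,
            'fwcertb64': fwcertb64,
            'fwkeyb64': fwkeyb64,
        })
        writeTextfile(fwconftmp, content, 'w')
        _report(msg, True)
    except Exception:
        _fail(msg)
    msg = '* Saving api credentials '
    _begin(msg)
    try:
        modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
        modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
        # restrict the mode without going through a shell; modIni creates
        # the file with the process umask, so the secret is only protected
        # from here on
        os.chmod(constants.FWAPIKEYS, 0o400)
        _report(msg, True)
    except Exception:
        _fail(msg)
    # the rendered config.xml is uploaded with the rollout password; the
    # later sftp/ssh steps already use productionpw (presumably the upload
    # activates the new root password — TODO confirm)
    if not putFwConfig(firewallip, rolloutpw):
        sys.exit(1)
    # auth config file for web-proxy sso (#83): generated by the helper into
    # /tmp; the text after the first space of its first line is the
    # destination path on the firewall
    printScript('Creating web proxy sso auth config file')
    subProc(constants.FWSHAREDIR + '/create-auth-config.py', logfile)
    conftmp = '/tmp/' + os.path.basename(constants.FWAUTHCFG)
    if not os.path.isfile(conftmp):
        sys.exit(1)
    _, content = readTextfile(conftmp)
    fwpath = content.split('\n')[0].partition(' ')[2]
    if not fwpath:
        # without a destination the upload would address an empty path
        sys.exit(1)
    if not putSftp(firewallip, conftmp, fwpath, productionpw):
        sys.exit(1)
    os.unlink(conftmp)
    # NOTE(review): the rendered config in fwconftmp holds binduserpw and
    # the firewall key in base64 and is not removed here — make sure
    # constants.FWCONFLOCAL has a restrictive mode
    # install the extensions and reboot via the setup script on the firewall;
    # every remote step is checked, not only the final one
    printScript('Installing extensions and rebooting firewall')
    fwsetup_local = constants.FWSHAREDIR + '/fwsetup.sh'
    fwsetup_remote = '/tmp/fwsetup.sh'
    if not putSftp(firewallip, fwsetup_local, fwsetup_remote, productionpw):
        sys.exit(1)
    if not sshExec(firewallip, 'chmod +x ' + fwsetup_remote, productionpw):
        sys.exit(1)
    if not sshExec(firewallip, fwsetup_remote, productionpw):
        sys.exit(1)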