sambadomain = setup.get('setup', 'sambadomain')
serverip = setup.get('setup', 'serverip')
servername = setup.get('setup', 'servername')
firewallip = setup.get('setup', 'firewallip')
domainname = setup.get('setup', 'domainname')
basedn = setup.get('setup', 'basedn')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# generate ad admin password
msg = 'Generating AD admin password '
printScript(msg, '', False, False, True)
try:
adadminpw = randomPassword(16)
with open(constants.ADADMINSECRET, 'w') as secret:
secret.write(adadminpw)
subProc('chmod 600 ' + constants.ADADMINSECRET, logfile)
# symlink for sophomorix
subProc(
'ln -sf ' + constants.ADADMINSECRET + ' ' + constants.SOPHOSYSDIR +
'/sophomorix-samba.secret', logfile)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# alte smb.conf löschen
smbconf = '/etc/samba/smb.conf'
if os.path.isfile(smbconf):
subProc(
'sophomorix-admin --create-school-admin pgmadmin --school ' +
schoolname + ' --password "' + adminpw + '"', logfile)
subProc(
'sophomorix-user --user pgmadmin --comment "' + sophomorix_comment +
'"', logfile)
printScript(' Success!', '', True, True, False, len(msg))
except Exception as error:
printScript(error, '', True, True, False, len(msg))
sys.exit(1)
# create dns-admin account
msg = 'Creating samba account for dns-admin '
printScript(msg, '', False, False, True)
try:
dnspw = randomPassword(16)
desc = 'Unprivileged user for DNS updates via DHCP server'
sambaTool(
'user create dns-admin ' + dnspw + ' --description="' + desc + '"',
logfile)
sambaTool('user setexpiry dns-admin --noexpiry', logfile)
sambaTool('group addmembers DnsAdmins dns-admin', logfile)
rc, writeTextfile(constants.DNSADMINSECRET, dnspw, 'w')
os.system('chgrp dhcpd ' + constants.DNSADMINSECRET)
os.system('chmod 440 ' + constants.DNSADMINSECRET)
printScript(' Success!', '', True, True, False, len(msg))
except Exception as error:
printScript(error, '', True, True, False, len(msg))
sys.exit(1)
# add firewall as dns forwarder
def main():
# get setup various values
serverip = setup.get('setup', 'serverip')
bitmask = setup.get('setup', 'bitmask')
firewallip = setup.get('setup', 'firewallip')
servername = setup.get('setup', 'servername')
domainname = setup.get('setup', 'domainname')
basedn = setup.get('setup', 'basedn')
opsiip = setup.get('setup', 'opsiip')
dockerip = setup.get('setup', 'dockerip')
network = setup.get('setup', 'network')
adminpw = setup.get('setup', 'adminpw')
# get timezone
rc, timezone = readTextfile('/etc/timezone')
timezone = timezone.replace('\n', '')
# get binduser password
rc, binduserpw = readTextfile(constants.BINDUSERSECRET)
# firewall config files
now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
fwconftmp = constants.FWCONFLOCAL
fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
fwconftpl = constants.FWOSCONFTPL
# dummy ip addresses
if not isValidHostIpv4(opsiip):
opsiip = serverip.split('.')[0] + '.' + serverip.split(
'.')[1] + '.' + serverip.split('.')[2] + '.2'
if not isValidHostIpv4(dockerip):
dockerip = serverip.split('.')[0] + '.' + serverip.split(
'.')[1] + '.' + serverip.split('.')[2] + '.3'
# get current config
rc = getFwConfig(firewallip, constants.ROOTPW)
if not rc:
sys.exit(1)
# backup config
msg = '* Backing up '
printScript(msg, '', False, False, True)
try:
shutil.copy(fwconftmp, fwconfbak)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get root password hash
msg = '* Reading current config '
printScript(msg, '', False, False, True)
try:
rc, content = readTextfile(fwconftmp)
soup = BeautifulSoup(content, 'lxml')
# save interface configuration
wanconfig = str(soup.findAll('wan')[0])
lanconfig = str(soup.findAll('lan')[0])
# save gateway configuration
try:
gwconfig = str(soup.findAll('gateways')[0])
except:
gwconfig = ''
# save dnsserver configuration
try:
dnsconfig = str(soup.findAll('dnsserver')[0])
except:
dnsconfig = ''
# save opt1 configuration if present
try:
opt1config = str(soup.findAll('opt1')[0])
except:
opt1config = ''
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get base64 encoded certs
msg = '* Reading certificates & ssh key '
printScript(msg, '', False, False, True)
try:
rc, cacertb64 = readTextfile(constants.CACERTB64)
rc, fwcertb64 = readTextfile(constants.SSLDIR +
'/firewall.cert.pem.b64')
rc, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
rc, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create new firewall configuration
msg = '* Creating xml configuration file '
printScript(msg, '', False, False, True)
try:
# create password hash for new firewall password
hashedpw = bcrypt.hashpw(str.encode(adminpw), bcrypt.gensalt(10))
fwrootpw_hashed = hashedpw.decode()
apikey = randomPassword(80)
apisecret = randomPassword(80)
hashedpw = bcrypt.hashpw(str.encode(apisecret), bcrypt.gensalt(10))
apisecret_hashed = hashedpw.decode()
# read template
rc, content = readTextfile(fwconftpl)
# replace placeholders with values
content = content.replace('@@servername@@', servername)
content = content.replace('@@domainname@@', domainname)
content = content.replace('@@basedn@@', basedn)
content = content.replace('@@wanconfig@@', wanconfig)
content = content.replace('@@dnsconfig@@', dnsconfig)
content = content.replace('@@gwconfig@@', gwconfig)
content = content.replace('@@lanconfig@@', lanconfig)
content = content.replace('@@opt1config@@', opt1config)
content = content.replace('@@serverip@@', serverip)
content = content.replace('@@firewallip@@', firewallip)
content = content.replace('@@network@@', network)
content = content.replace('@@bitmask@@', bitmask)
content = content.replace('@@opsiip@@', opsiip)
content = content.replace('@@dockerip@@', dockerip)
content = content.replace('@@fwrootpw_hashed@@', fwrootpw_hashed)
content = content.replace('@@authorizedkey@@', authorizedkey)
content = content.replace('@@apikey@@', apikey)
content = content.replace('@@apisecret_hashed@@', apisecret_hashed)
content = content.replace('@@binduserpw@@', binduserpw)
content = content.replace('@@timezone@@', timezone)
content = content.replace('@@cacertb64@@', cacertb64)
content = content.replace('@@fwcertb64@@', fwcertb64)
content = content.replace('@@fwkeyb64@@', fwkeyb64)
# write new configfile
rc = writeTextfile(fwconftmp, content, 'w')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create api credentials ini file
msg = '* Saving api credentials '
printScript(msg, '', False, False, True)
try:
rc = modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
rc = modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
os.system('chmod 400 ' + constants.FWAPIKEYS)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# upload new configfile
rc = putFwConfig(firewallip, constants.ROOTPW)
if not rc:
sys.exit(1)
# remove temporary files
#os.unlink(fwconftmp)
# reboot firewall
rc = sshExec(firewallip, 'configctl firmware reboot', adminpw)
if not rc:
sys.exit(1)
def main():
# get setup various values
serverip = setup.get('setup', 'serverip')
bitmask = setup.get('setup', 'bitmask')
firewallip = setup.get('setup', 'firewallip')
servername = setup.get('setup', 'servername')
domainname = setup.get('setup', 'domainname')
basedn = setup.get('setup', 'basedn')
opsiip = setup.get('setup', 'opsiip')
dockerip = setup.get('setup', 'dockerip')
network = setup.get('setup', 'network')
adminpw = setup.get('setup', 'adminpw')
# get timezone
rc, timezone = readTextfile('/etc/timezone')
timezone = timezone.replace('\n', '')
# get binduser password
rc, binduserpw = readTextfile(constants.BINDUSERSECRET)
# firewall config files
now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
fwconftmp = constants.FWCONFLOCAL
fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
fwconftpl = constants.FWOSCONFTPL
# dummy ip addresses
if not isValidHostIpv4(opsiip):
opsiip = serverip.split('.')[0] + '.' + serverip.split(
'.')[1] + '.' + serverip.split('.')[2] + '.2'
if not isValidHostIpv4(dockerip):
dockerip = serverip.split('.')[0] + '.' + serverip.split(
'.')[1] + '.' + serverip.split('.')[2] + '.3'
# get current config
rc = getFwConfig(firewallip, constants.ROOTPW)
if not rc:
sys.exit(1)
# backup config
msg = '* Backing up '
printScript(msg, '', False, False, True)
try:
shutil.copy(fwconftmp, fwconfbak)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get root password hash
msg = '* Reading current config '
printScript(msg, '', False, False, True)
try:
rc, content = readTextfile(fwconftmp)
soup = BeautifulSoup(content, 'lxml')
# save certain configuration values for later use
sysctl = str(soup.findAll('sysctl')[0])
# get already configured interfaces
for item in soup.findAll('interfaces'):
if '<lan>' in str(item):
interfaces = str(item)
# save language information
try:
language = str(soup.findAll('language')[0])
except:
language = ''
# second try get language from locale settings
if language == '':
try:
lang = os.environ['LANG'].split('.')[0]
except:
lang = 'en_US'
language = '<language>' + lang + '</language>'
# save gateway configuration
try:
gwconfig = str(soup.findAll('gateways')[0])
gwconfig = gwconfig.replace('<gateways>',
'').replace('</gateways>', '')
except:
gwconfig = ''
# save dnsserver configuration
try:
dnsconfig = str(soup.findAll('dnsserver')[0])
except:
dnsconfig = ''
# add server as dnsserver
dnsserver = '<dnsserver>' + serverip + '</dnsserver>'
if dnsconfig == '':
dnsconfig = dnsserver
else:
dnsconfig = dnsserver + '\n ' + dnsconfig
# save opt1 configuration if present
try:
opt1config = str(soup.findAll('opt1')[0])
except:
opt1config = ''
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get base64 encoded certs
msg = '* Reading certificates & ssh key '
printScript(msg, '', False, False, True)
try:
rc, cacertb64 = readTextfile(constants.CACERTB64)
rc, fwcertb64 = readTextfile(constants.SSLDIR +
'/firewall.cert.pem.b64')
rc, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
rc, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create list of first ten network ips for aliascontent (NoProxy group in firewall)
aliascontent = ''
netpre = network.split('.')[0] + '.' + network.split(
'.')[1] + '.' + network.split('.')[2] + '.'
c = 0
max = 10
while c < max:
c = c + 1
aliasip = netpre + str(c)
if aliascontent == '':
aliascontent = aliasip
else:
aliascontent = aliascontent + ' ' + aliasip
# add server ips if not already collected
for aliasip in [serverip, opsiip, dockerip]:
if not aliasip in aliascontent:
aliascontent = aliascontent + '\n' + aliasip
# create new firewall configuration
msg = '* Creating xml configuration file '
printScript(msg, '', False, False, True)
try:
# create password hash for new firewall password
hashedpw = bcrypt.hashpw(str.encode(adminpw), bcrypt.gensalt(10))
fwrootpw_hashed = hashedpw.decode()
apikey = randomPassword(80)
apisecret = randomPassword(80)
hashedpw = bcrypt.hashpw(str.encode(apisecret), bcrypt.gensalt(10))
apisecret_hashed = hashedpw.decode()
# read template
rc, content = readTextfile(fwconftpl)
# replace placeholders with values
content = content.replace('@@sysctl@@', sysctl)
content = content.replace('@@servername@@', servername)
content = content.replace('@@domainname@@', domainname)
content = content.replace('@@basedn@@', basedn)
content = content.replace('@@interfaces@@', interfaces)
content = content.replace('@@dnsconfig@@', dnsconfig)
content = content.replace('@@gwconfig@@', gwconfig)
content = content.replace('@@serverip@@', serverip)
content = content.replace('@@dockerip@@', dockerip)
content = content.replace('@@firewallip@@', firewallip)
content = content.replace('@@network@@', network)
content = content.replace('@@bitmask@@', bitmask)
content = content.replace('@@aliascontent@@', aliascontent)
content = content.replace('@@gw_lan@@', constants.GW_LAN)
content = content.replace('@@fwrootpw_hashed@@', fwrootpw_hashed)
content = content.replace('@@authorizedkey@@', authorizedkey)
content = content.replace('@@apikey@@', apikey)
content = content.replace('@@apisecret_hashed@@', apisecret_hashed)
content = content.replace('@@binduserpw@@', binduserpw)
content = content.replace('@@language@@', language)
content = content.replace('@@timezone@@', timezone)
content = content.replace('@@cacertb64@@', cacertb64)
content = content.replace('@@fwcertb64@@', fwcertb64)
content = content.replace('@@fwkeyb64@@', fwkeyb64)
# write new configfile
rc = writeTextfile(fwconftmp, content, 'w')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create api credentials ini file
msg = '* Saving api credentials '
printScript(msg, '', False, False, True)
try:
rc = modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
rc = modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
os.system('chmod 400 ' + constants.FWAPIKEYS)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# upload new configfile
rc = putFwConfig(firewallip, constants.ROOTPW)
if not rc:
sys.exit(1)
# remove temporary files
#os.unlink(fwconftmp)
# reboot firewall
rc = sshExec(firewallip, 'configctl firmware reboot', adminpw)
if not rc:
sys.exit(1)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# key & cert files to create
certlist = [servername, 'firewall', 'mail', 'docker', 'opsi']
# basic subject string
subjbase = '-subj /O="' + schoolname + '"/OU=' + sambadomain + '/CN='
# substring with sha and validation duration
shadays = ' -sha256 -days 3650'
# ca key password & string
cakeypw = randomPassword(16)
passin = ' -passin pass:'******'Creating private CA key & certificate '
subj = subjbase + realm + '/subjectAltName=' + realm + '/'
printScript(msg, '', False, False, True)
try:
with open(constants.CAKEYSECRET, 'w') as secret:
secret.write(cakeypw)
subProc('chmod 400 ' + constants.CAKEYSECRET, logfile)
subProc(
'openssl genrsa -out ' + constants.CAKEY + ' -aes128 -passout pass:'******' 2048', logfile)
subProc(
'openssl req -batch -x509 ' + subj + ' -new -nodes ' + passin +
setupini = constants.SETUPINI
try:
setup = configparser.ConfigParser(inline_comment_prefixes=('#', ';'))
setup.read(setupini)
adminpw = setup.get('setup', 'adminpw')
domainname = setup.get('setup', 'domainname')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create sophomorix admin user
msg = 'Calculating random passwords '
printScript(msg, '', False, False, True)
try:
binduserpw = randomPassword(16)
with open(constants.BINDUSERSECRET, 'w') as secret:
secret.write(binduserpw)
subProc('chmod 400 ' + constants.SECRETDIR + '/*', logfile)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# samba backup
msg = 'Backing up samba '
printScript(msg, '', False, False, True)
try:
subProc('sophomorix-samba --backup-samba without-users', logfile)
printScript(' Success!', '', True, True, False, len(msg))
except:
def main():
# get various setup values
msg = 'Reading setup data '
printScript(msg, '', False, False, True)
try:
serverip = getSetupValue('serverip')
bitmask = getSetupValue('bitmask')
firewallip = getSetupValue('firewallip')
servername = getSetupValue('servername')
domainname = getSetupValue('domainname')
basedn = getSetupValue('basedn')
opsiip = getSetupValue('opsiip')
dockerip = getSetupValue('dockerip')
network = getSetupValue('network')
adminpw = getSetupValue('adminpw')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get timezone
rc, timezone = readTextfile('/etc/timezone')
timezone = timezone.replace('\n', '')
# get binduser password
rc, binduserpw = readTextfile(constants.BINDUSERSECRET)
# get firewall root password provided by linuxmuster-opnsense-reset
pwfile = '/tmp/linuxmuster-opnsense-reset'
if os.path.isfile(pwfile):
# firewall reset after setup, given password is current password
rc, rolloutpw = readTextfile(pwfile)
productionpw = rolloutpw
os.unlink(pwfile)
else:
# initial setup, rollout root password is standardized
rolloutpw = constants.ROOTPW
# new root production password provided by setup
productionpw = adminpw
# create and save radius secret
msg = 'Calculating radius secret '
printScript(msg, '', False, False, True)
try:
radiussecret = randomPassword(16)
with open(constants.RADIUSSECRET, 'w') as secret:
secret.write(radiussecret)
subProc('chmod 400 ' + constants.RADIUSSECRET, logfile)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# firewall config files
now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
fwconftmp = constants.FWCONFLOCAL
fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
fwconftpl = constants.FWOSCONFTPL
# dummy ip addresses
if not isValidHostIpv4(opsiip):
opsiip = serverip.split('.')[0] + '.' + serverip.split('.')[1] + '.' + serverip.split('.')[2] + '.2'
if not isValidHostIpv4(dockerip):
dockerip = serverip.split('.')[0] + '.' + serverip.split('.')[1] + '.' + serverip.split('.')[2] + '.3'
# get current config
rc = getFwConfig(firewallip, rolloutpw)
if not rc:
sys.exit(1)
# backup config
msg = '* Backing up '
printScript(msg, '', False, False, True)
try:
shutil.copy(fwconftmp, fwconfbak)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get root password hash
msg = '* Reading current config '
printScript(msg, '', False, False, True)
try:
rc, content = readTextfile(fwconftmp)
soup = BeautifulSoup(content, 'lxml')
# save certain configuration values for later use
sysctl = str(soup.findAll('sysctl')[0])
# get already configured interfaces
for item in soup.findAll('interfaces'):
if '<lan>' in str(item):
interfaces = str(item)
# save language information
try:
language = str(soup.findAll('language')[0])
except:
language = ''
# second try get language from locale settings
if language == '':
try:
lang = os.environ['LANG'].split('.')[0]
except:
lang = 'en_US'
language = '<language>' + lang + '</language>'
# save gateway configuration
try:
gwconfig = str(soup.findAll('gateways')[0])
gwconfig = gwconfig.replace('<gateways>', '').replace('</gateways>', '')
except:
gwconfig = ''
# save dnsserver configuration
try:
dnsconfig = str(soup.findAll('dnsserver')[0])
except:
dnsconfig = ''
# add server as dnsserver
dnsserver = '<dnsserver>' + serverip + '</dnsserver>'
if dnsconfig == '':
dnsconfig = dnsserver
else:
dnsconfig = dnsserver + '\n ' + dnsconfig
# save opt1 configuration if present
try:
opt1config = str(soup.findAll('opt1')[0])
except:
opt1config = ''
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get base64 encoded certs
msg = '* Reading certificates & ssh key '
printScript(msg, '', False, False, True)
try:
rc, cacertb64 = readTextfile(constants.CACERTB64)
rc, fwcertb64 = readTextfile(constants.SSLDIR + '/firewall.cert.pem.b64')
rc, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
rc, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create list of first ten network ips for aliascontent (NoProxy group in firewall)
aliascontent = ''
netpre = network.split('.')[0] + '.' + network.split('.')[1] + '.' + network.split('.')[2] + '.'
c = 0
max = 10
while c < max:
c = c + 1
aliasip = netpre + str(c)
if aliascontent == '':
aliascontent = aliasip
else:
aliascontent = aliascontent + ' ' + aliasip
# add server ips if not already collected
for aliasip in [serverip, opsiip, dockerip]:
if not aliasip in aliascontent:
aliascontent = aliascontent + '\n' + aliasip
# create new firewall configuration
msg = '* Creating xml configuration file '
printScript(msg, '', False, False, True)
try:
# create password hash for new firewall password
hashedpw = bcrypt.hashpw(str.encode(productionpw), bcrypt.gensalt(10))
fwrootpw_hashed = hashedpw.decode()
apikey = randomPassword(80)
apisecret = randomPassword(80)
hashedpw = bcrypt.hashpw(str.encode(apisecret), bcrypt.gensalt(10))
apisecret_hashed = hashedpw.decode()
# read template
rc, content = readTextfile(fwconftpl)
# replace placeholders with values
content = content.replace('@@sysctl@@', sysctl)
content = content.replace('@@servername@@', servername)
content = content.replace('@@domainname@@', domainname)
content = content.replace('@@basedn@@', basedn)
content = content.replace('@@interfaces@@', interfaces)
content = content.replace('@@dnsconfig@@', dnsconfig)
content = content.replace('@@gwconfig@@', gwconfig)
content = content.replace('@@serverip@@', serverip)
content = content.replace('@@dockerip@@', dockerip)
content = content.replace('@@firewallip@@', firewallip)
content = content.replace('@@network@@', network)
content = content.replace('@@bitmask@@', bitmask)
content = content.replace('@@aliascontent@@', aliascontent)
content = content.replace('@@gw_lan@@', constants.GW_LAN)
content = content.replace('@@fwrootpw_hashed@@', fwrootpw_hashed)
content = content.replace('@@authorizedkey@@', authorizedkey)
content = content.replace('@@apikey@@', apikey)
content = content.replace('@@apisecret_hashed@@', apisecret_hashed)
content = content.replace('@@binduserpw@@', binduserpw)
content = content.replace('@@radiussecret@@', radiussecret)
content = content.replace('@@language@@', language)
content = content.replace('@@timezone@@', timezone)
content = content.replace('@@cacertb64@@', cacertb64)
content = content.replace('@@fwcertb64@@', fwcertb64)
content = content.replace('@@fwkeyb64@@', fwkeyb64)
# write new configfile
rc = writeTextfile(fwconftmp, content, 'w')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create api credentials ini file
msg = '* Saving api credentials '
printScript(msg, '', False, False, True)
try:
rc = modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
rc = modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
os.system('chmod 400 ' + constants.FWAPIKEYS)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# upload config files
# upload modified main config.xml
rc = putFwConfig(firewallip, rolloutpw)
if not rc:
sys.exit(1)
# upload modified auth config file for web-proxy sso (#83)
printScript('Creating web proxy sso auth config file')
subProc(constants.FWSHAREDIR + '/create-auth-config.py', logfile)
conftmp = '/tmp/' + os.path.basename(constants.FWAUTHCFG)
if not os.path.isfile(conftmp):
sys.exit(1)
rc, content = readTextfile(conftmp)
fwpath = content.split('\n')[0].partition(' ')[2]
rc = putSftp(firewallip, conftmp, fwpath, productionpw)
if not rc:
sys.exit(1)
# remove temporary files
os.unlink(conftmp)
# reboot firewall
printScript('Installing extensions and rebooting firewall')
fwsetup_local = constants.FWSHAREDIR + '/fwsetup.sh'
fwsetup_remote = '/tmp/fwsetup.sh'
rc = putSftp(firewallip, fwsetup_local, fwsetup_remote, productionpw)
rc = sshExec(firewallip, 'chmod +x ' + fwsetup_remote, productionpw)
rc = sshExec(firewallip, fwsetup_remote, productionpw)
if not rc:
sys.exit(1)
setupini = constants.SETUPINI
try:
setup = configparser.ConfigParser(inline_comment_prefixes=('#', ';'))
setup.read(setupini)
adminpw = setup.get('setup', 'adminpw')
domainname = setup.get('setup', 'domainname')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create sophomorix admin user
msg = 'Calculating random passwords '
printScript(msg, '', False, False, True)
try:
sophadminpw = randomPassword(16)
with open(constants.SOPHADMINSECRET, 'w') as secret:
secret.write(sophadminpw)
binduserpw = randomPassword(16)
with open(constants.BINDUSERSECRET, 'w') as secret:
secret.write(binduserpw)
subProc('chmod 400 ' + constants.SECRETDIR + '/*', logfile)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# samba backup
msg = 'Backing up samba '
printScript(msg, '', False, False, True)
try:
