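def doGrubCfg(startconf, group, kopts):
    """Write the LINBO grub configuration file for a host group.

    Renders ``grub.cfg.global`` once and ``grub.cfg.os`` once per OS entry
    of the group's start.conf into ``<LINBOGRUBDIR>/<group>.cfg``.  An
    existing cfg that does not carry ``constants.MANAGEDSTR`` is treated as
    hand-maintained and left untouched.  When start.conf defines no usable
    cache partition the forced-netboot template is copied instead.

    Args:
        startconf: path of the group's start.conf, handed to the
            getStartconf* helpers.
        group: group name; used for the cfg filename and ``@@group@@``.
        kopts: kernel options substituted for ``@@kopts@@``.

    Returns:
        True on success (including the "keep" and forced-netboot cases),
        False when a template cannot be read, the cfg cannot be written or
        start.conf yields no OS values.
    """
    import shutil

    grubcfg = constants.LINBOGRUBDIR + '/' + group + '.cfg'
    rc, content = readTextfile(grubcfg)
    # a cfg without the managed marker was edited by hand: never overwrite it
    if rc and constants.MANAGEDSTR not in content:
        printScript(' > Keeping pxe configuration.')
        return True

    # grub device name and partition label of the cache partition
    cache = getStartconfOption(startconf, 'LINBO', 'Cache')
    systemtype = getStartconfOption(startconf, 'LINBO', 'SystemType')
    cacheroot = getGrubPart(cache, systemtype)
    cachelabel = getStartconfPartlabel(startconf, getStartconfPartnr(startconf, cache))

    # no cache partition: provide a minimal cfg that always boots from the net
    if cacheroot is None:
        netboottpl = constants.LINBOTPLDIR + '/grub.cfg.forced_netboot'
        printScript(' > Creating minimal pxe configuration. start.conf is incomplete!')
        # plain file copy instead of `os.system('cp ...')`: the group name
        # becomes part of the destination path and must never reach a shell
        try:
            shutil.copyfile(netboottpl, grubcfg)
        except OSError:
            return False
        return True
    printScript(' > Creating pxe configuration.')

    def render(template, replacements):
        # Read a template and substitute placeholders in list order.
        # Returns None when the template cannot be read.
        rc, text = readTextfile(template)
        if not rc:
            return None
        for placeholder, value in replacements:
            text = text.replace(placeholder, value)
        return text

    # global part of the group cfg (truncates any previous content)
    content = render(constants.LINBOTPLDIR + '/grub.cfg.global', [
        ('@@group@@', group),
        ('@@cachelabel@@', cachelabel),
        ('@@cacheroot@@', cacheroot),
        ('@@kopts@@', kopts),
    ])
    if content is None:
        return False
    if not writeTextfile(grubcfg, content, 'w'):
        return False

    # one menu entry per operating system defined in start.conf
    oslists = getStartconfOsValues(startconf)
    if oslists is None:
        return False
    ostpl = constants.LINBOTPLDIR + '/grub.cfg.os'
    for osname, partition, kernel, initrd, kappend, osnr in oslists:
        partnr = getStartconfPartnr(startconf, partition)
        content = render(ostpl, [
            ('@@group@@', group),
            ('@@cachelabel@@', cachelabel),
            ('@@cacheroot@@', cacheroot),
            ('@@osname@@', osname),
            ('@@osnr@@', osnr),
            ('@@ostype@@', getGrubOstype(osname)),
            ('@@oslabel@@', getStartconfPartlabel(startconf, partnr)),
            ('@@osroot@@', getGrubPart(partition, systemtype)),
            ('@@partnr@@', partnr),
            ('@@kernel@@', kernel),
            ('@@initrd@@', initrd),
            ('@@kopts@@', kopts),
            ('@@append@@', kappend),
        ])
        if content is None:
            return False
        if not writeTextfile(grubcfg, content, 'a'):
            return False
    return True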
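def main():
    """Install and configure the mail server, locally or on a remote host.

    Relies on the script's module-level values ``setupini``, ``setuptmp``,
    ``setuphelper``, ``mailcert``, ``mailkey``, ``mailip``, ``serverip``,
    ``domainname``, ``adminpw``, ``binduserpw`` and ``logfile``.  When
    ``mailip`` differs from ``serverip`` the helper script, the extended
    setup.ini and the mail certificate/key are uploaded over SFTP and the
    helper is run over SSH; otherwise the packages are installed locally.
    Finally the ``mail`` A and MX records are created in Samba DNS.  Every
    step prints a status line via printScript and exits with status 1 on
    failure.
    """

    def begin(text):
        printScript(text, '', False, False, True)
        return text

    def succeed(text):
        printScript(' Success!', '', True, True, False, len(text))

    def fail(text):
        printScript(' Failed!', '', True, True, False, len(text))
        sys.exit(1)

    # the files are uploaded to /tmp on the remote side under their basename
    remote_setuptmp = '/tmp/' + os.path.basename(setuptmp)
    remote_helper = '/tmp/' + os.path.basename(setuphelper)

    # helper files for mailserver setup
    msg = begin('* Creating helper files ')
    try:
        # add binduser password to a copy of setup.ini.  NOTE(review): the
        # copy then holds adminpw and binduserpw; its mode is whatever
        # writeTextfile uses -- confirm it is not world-readable.
        rc, content = readTextfile(setupini)
        if content and not content.endswith('\n'):
            content = content + '\n'
        content = content + 'binduserpw = ' + binduserpw
        rc = writeTextfile(setuptmp, content, 'w')
        # setup helper script, executed on the mail host
        helper_lines = [
            '#!/bin/bash',
            'mkdir -p ' + constants.SSLDIR,
            'mv /tmp/*.pem ' + constants.SSLDIR,
            'chmod 640 ' + constants.SSLDIR + '/*.key.pem',
            'ln -sf ' + constants.SSLDIR + '/cacert.pem /etc/ssl/certs/cacert.pem',
            'apt-get update',
            'apt-get -y install linuxmuster-mail',
            'linuxmuster-mail.py -c ' + remote_setuptmp,
            'systemctl start linuxmuster-mail.service',
        ]
        rc = writeTextfile(setuphelper, '\n'.join(helper_lines), 'w')
    except Exception:
        fail(msg)
    succeed(msg)

    if mailip != serverip:
        # remote mailserver: open ssh connection
        msg = begin('* Establishing ssh connection to mailserver ')
        ssh = paramiko.SSHClient()
        ssh.load_system_host_keys()
        # NOTE(review): AutoAddPolicy accepts any unknown host key, so the
        # root password is sent to whichever host answers at mailip.  Seeding
        # the system known_hosts beforehand would let RejectPolicy be used.
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        try:
            ssh.connect(mailip, 22, 'root', adminpw)
            ftp = ssh.open_sftp()
        except Exception:
            fail(msg)
        succeed(msg)

        # uploading data & certs
        msg = begin('* Uploading files to mailserver ')
        for item in [setuptmp, setuphelper, mailcert, mailkey]:
            # SFTPClient.put raises on error; its return value is an
            # attributes object and is never falsy, so test by exception
            try:
                ftp.put(item, '/tmp/' + os.path.basename(item))
            except Exception:
                printScript(' ' + os.path.basename(item) + ' failed!', '', True, True, False, len(msg))
                sys.exit(1)
        ftp.chmod(remote_helper, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP)
        succeed(msg)

        # start mailserver setup per ssh
        msg = begin('* Starting mailserver setup ')
        try:
            stdin, stdout, stderr = ssh.exec_command(remote_helper)
            # exec_command returns immediately; drain both streams so the
            # remote side cannot block on a full channel window, then wait
            # for the helper to finish before the connection is closed
            stdout.read()
            stderr.read()
            if stdout.channel.recv_exit_status() != 0:
                raise RuntimeError('remote setup helper failed')
        except Exception:
            fail(msg)
        succeed(msg)

        # close ssh connection
        ftp.close()
        ssh.close()
    else:
        # local mailserver setup
        msg = begin('* Starting mailserver setup ')
        try:
            subProc('apt update && apt -y install linuxmuster-mail', logfile)
            subProc('linuxmuster-mail.py -s -c ' + setuptmp, logfile)
            subProc('systemctl start linuxmuster-mail.service', logfile)
        except Exception:
            fail(msg)
        succeed(msg)

    # the local copy of setup.ini (with passwords) is no longer needed
    os.unlink(setuptmp)

    # add mail dns entry
    msg = begin('* Creating dns entry ')
    try:
        sambaTool('dns add localhost ' + domainname + ' mail A ' + mailip)
        sambaTool('dns add localhost ' + domainname + ' mail MX "' + mailip + ' 10"')
    except Exception:
        fail(msg)
    succeed(msg)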
setuphelper = '/tmp/setup.sh' # read setup ini msg = 'Reading setup data ' printScript(msg, '', False, False, True) setupini = constants.SETUPINI try: setup = configparser.ConfigParser(inline_comment_prefixes=('#', ';')) setup.read(setupini) # get setup various values mailip = setup.get('setup', 'mailip') serverip = setup.get('setup', 'serverip') domainname = setup.get('setup', 'domainname') adminpw = setup.get('setup', 'adminpw') # get binduser password rc, binduserpw = readTextfile(constants.BINDUSERSECRET) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # main functions def main(): # helper files for mailserver setup msg = '* Creating helper files ' printScript(msg, '', False, False, True) try: # add binduser password to setup.ini rc, content = readTextfile(setupini) content = content + 'binduserpw = ' + binduserpw
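def main():
    """Install and configure the opsi server on the remote host ``opsiip``.

    Relies on the script's module-level values ``setupini``, ``setuptmp``,
    ``setuphelper``, ``opsicert``, ``opsikey``, ``opsiip``, ``adminpw`` and
    ``logfile``.  Converts setup.ini into a shell-style settings file,
    writes a helper script, uploads both plus the opsi certificate/key over
    SFTP and runs the helper over SSH.  Every step prints a status line via
    printScript and exits with status 1 on failure.
    """

    def begin(text):
        printScript(text, '', False, False, True)
        return text

    def succeed(text):
        printScript(' Success!', '', True, True, False, len(text))

    def fail(text):
        printScript(' Failed!', '', True, True, False, len(text))
        sys.exit(1)

    # uploads land in /tmp on the opsi host under their basename
    remote_helper = '/tmp/' + os.path.basename(setuphelper)

    # helper files for opsiserver setup
    msg = begin('* Creating helper files ')
    try:
        # settings file for opsi setup: strip the ini header and turn
        # `key = value` lines into `key="value"`.  NOTE(review): values are
        # not escaped, so a password containing `"` or `$` breaks (or is
        # expanded by) whatever sources this file -- confirm on the opsi side.
        rc, content = readTextfile(setupini)
        content = content.replace('[setup]\n', '')
        content = content.replace('\n\n', '\n')
        content = content.replace(' = ', '="')
        content = content.replace('\n', '"\n')
        content = content + '\nadmin="Administrator"'
        rc = writeTextfile(setuptmp, content, 'w')
        # setup helper script, executed on the opsi host.  The `| tee`
        # hides the exit status of the opsi setup (no pipefail), so a
        # failed setup still reports success below -- presumably accepted.
        helper_lines = [
            '#!/bin/bash',
            'mkdir -p ' + constants.SSLDIR,
            'mv /tmp/*.pem ' + constants.SSLDIR,
            'chmod 640 ' + constants.SSLDIR + '/*.key.pem',
            'ln -sf ' + constants.SSLDIR + '/cacert.pem /etc/ssl/certs/cacert.pem',
            'mv /tmp/settings ' + constants.OPSILMNDIR,
            constants.OPSISETUP + ' --first | tee /tmp/linuxmuster-opsi.log\n',
        ]
        rc = writeTextfile(setuphelper, '\n'.join(helper_lines), 'w')
    except Exception:
        fail(msg)
    succeed(msg)

    # open ssh connection
    msg = begin('* Establishing ssh connection to opsiserver ')
    ssh = paramiko.SSHClient()
    ssh.load_system_host_keys()
    # NOTE(review): AutoAddPolicy accepts any unknown host key, so the root
    # password is sent to whichever host answers at opsiip.  Seeding the
    # system known_hosts beforehand would let RejectPolicy be used.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(opsiip, 22, 'root', adminpw)
        ftp = ssh.open_sftp()
    except Exception:
        fail(msg)
    succeed(msg)

    # uploading data & certs
    msg = begin('* Uploading files to opsiserver ')
    for item in [setuptmp, setuphelper, opsicert, opsikey]:
        # SFTPClient.put raises on error; its return value is an attributes
        # object and is never falsy, so test by exception
        try:
            ftp.put(item, '/tmp/' + os.path.basename(item))
        except Exception:
            printScript(' ' + os.path.basename(item) + ' failed!', '', True, True, False, len(msg))
            sys.exit(1)
    ftp.chmod(remote_helper, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP)
    ftp.close()
    ssh.close()
    succeed(msg)

    # start opsiserver setup per ssh (command-line ssh, key based).
    # NOTE(review): StrictHostKeyChecking=no disables host verification for
    # this second connection as well; the key auto-added above lives only in
    # paramiko's memory, which is presumably why the option is needed.
    msg = begin('* Starting opsiserver setup ')
    try:
        sshcmd = 'ssh -oNumberOfPasswordPrompts=0 -oStrictHostKeyChecking=no -p 22 ' + opsiip
        setupcmd = sshcmd + ' ' + remote_helper
        subProc(setupcmd, logfile)
    except Exception:
        fail(msg)
    succeed(msg)

    # the local settings copy (with passwords) is no longer needed
    os.unlink(setuptmp)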
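def main():
    """Roll out the initial OPNsense configuration to the firewall.

    Reads the setup values from the module-level ``setup`` parser, fetches
    the firewall's current config.xml with the rollout root password
    (``constants.ROOTPW``), keeps its WAN/LAN/gateway/DNS/opt1 sections,
    renders ``constants.FWOSCONFTPL`` with them plus a freshly hashed admin
    password and new API credentials, uploads the result and reboots the
    firewall.  Each step prints a status line via printScript and exits
    with status 1 on failure.
    """

    def begin(text):
        printScript(text, '', False, False, True)
        return text

    def succeed(text):
        printScript(' Success!', '', True, True, False, len(text))

    def fail(text):
        printScript(' Failed!', '', True, True, False, len(text))
        sys.exit(1)

    def same_subnet_ip(last_octet):
        # first three octets of serverip plus the given last octet
        return '.'.join(serverip.split('.')[:3]) + '.' + last_octet

    def tag_text(soup, name, default=None):
        # serialized first <name> element, or default when absent
        found = soup.findAll(name)
        return str(found[0]) if found else default

    # setup values
    serverip = setup.get('setup', 'serverip')
    bitmask = setup.get('setup', 'bitmask')
    firewallip = setup.get('setup', 'firewallip')
    servername = setup.get('setup', 'servername')
    domainname = setup.get('setup', 'domainname')
    basedn = setup.get('setup', 'basedn')
    opsiip = setup.get('setup', 'opsiip')
    dockerip = setup.get('setup', 'dockerip')
    network = setup.get('setup', 'network')
    adminpw = setup.get('setup', 'adminpw')
    # timezone
    rc, timezone = readTextfile('/etc/timezone')
    timezone = timezone.replace('\n', '')
    # binduser password
    rc, binduserpw = readTextfile(constants.BINDUSERSECRET)
    # firewall config files; the backup carries a timestamp
    now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
    fwconftmp = constants.FWCONFLOCAL
    fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
    fwconftpl = constants.FWOSCONFTPL
    # dummy addresses when opsi/docker hosts are not configured
    if not isValidHostIpv4(opsiip):
        opsiip = same_subnet_ip('2')
    if not isValidHostIpv4(dockerip):
        dockerip = same_subnet_ip('3')

    # fetch current config
    if not getFwConfig(firewallip, constants.ROOTPW):
        sys.exit(1)

    # backup config
    msg = begin('* Backing up ')
    try:
        shutil.copy(fwconftmp, fwconfbak)
    except Exception:
        fail(msg)
    succeed(msg)

    # keep the sections of the running config that must survive the rollout
    msg = begin('* Reading current config ')
    try:
        rc, content = readTextfile(fwconftmp)
        soup = BeautifulSoup(content, 'lxml')
        wanconfig = tag_text(soup, 'wan')
        lanconfig = tag_text(soup, 'lan')
        if wanconfig is None or lanconfig is None:
            raise ValueError('config.xml has no <wan>/<lan> section')
        gwconfig = tag_text(soup, 'gateways', '')
        dnsconfig = tag_text(soup, 'dnsserver', '')
        opt1config = tag_text(soup, 'opt1', '')
    except Exception:
        fail(msg)
    succeed(msg)

    # base64 encoded certs and ssh key
    msg = begin('* Reading certificates & ssh key ')
    try:
        rc, cacertb64 = readTextfile(constants.CACERTB64)
        rc, fwcertb64 = readTextfile(constants.SSLDIR + '/firewall.cert.pem.b64')
        rc, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
        rc, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
    except Exception:
        fail(msg)
    succeed(msg)

    # render the new firewall configuration
    msg = begin('* Creating xml configuration file ')
    try:
        bcrypt_rounds = 10
        fwrootpw_hashed = bcrypt.hashpw(adminpw.encode(), bcrypt.gensalt(bcrypt_rounds)).decode()
        apikey = randomPassword(80)
        apisecret = randomPassword(80)
        apisecret_hashed = bcrypt.hashpw(apisecret.encode(), bcrypt.gensalt(bcrypt_rounds)).decode()
        rc, content = readTextfile(fwconftpl)
        # placeholders are substituted in this order
        replacements = [
            ('@@servername@@', servername),
            ('@@domainname@@', domainname),
            ('@@basedn@@', basedn),
            ('@@wanconfig@@', wanconfig),
            ('@@dnsconfig@@', dnsconfig),
            ('@@gwconfig@@', gwconfig),
            ('@@lanconfig@@', lanconfig),
            ('@@opt1config@@', opt1config),
            ('@@serverip@@', serverip),
            ('@@firewallip@@', firewallip),
            ('@@network@@', network),
            ('@@bitmask@@', bitmask),
            ('@@opsiip@@', opsiip),
            ('@@dockerip@@', dockerip),
            ('@@fwrootpw_hashed@@', fwrootpw_hashed),
            ('@@authorizedkey@@', authorizedkey),
            ('@@apikey@@', apikey),
            ('@@apisecret_hashed@@', apisecret_hashed),
            ('@@binduserpw@@', binduserpw),
            ('@@timezone@@', timezone),
            ('@@cacertb64@@', cacertb64),
            ('@@fwcertb64@@', fwcertb64),
            ('@@fwkeyb64@@', fwkeyb64),
        ]
        for placeholder, value in replacements:
            content = content.replace(placeholder, value)
        # NOTE(review): fwconftmp now contains the bind password and the
        # firewall's private key; its unlink below is disabled, so the mode
        # writeTextfile gives it decides who can read them -- confirm.
        rc = writeTextfile(fwconftmp, content, 'w')
    except Exception:
        fail(msg)
    succeed(msg)

    # api credentials ini file
    msg = begin('* Saving api credentials ')
    try:
        rc = modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
        rc = modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
        # restrict after writing (no shell); the file's initial mode is
        # whatever modIni creates it with
        os.chmod(constants.FWAPIKEYS, 0o400)
    except Exception:
        fail(msg)
    succeed(msg)

    # upload new configfile
    if not putFwConfig(firewallip, constants.ROOTPW):
        sys.exit(1)
    # remove temporary files
    #os.unlink(fwconftmp)
    # reboot firewall
    if not sshExec(firewallip, 'configctl firmware reboot', adminpw):
        sys.exit(1)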
# templates, whose corresponding configfiles must not be overwritten do_not_overwrite = 'dhcpd.custom.conf' # templates, whose corresponding configfiles must not be backed up do_not_backup = [ 'interfaces.linuxmuster', 'dovecot.linuxmuster.conf', 'smb.conf' ] printScript('Processing config templates:') for f in os.listdir(constants.TPLDIR): source = constants.TPLDIR + '/' + f msg = '* ' + f + ' ' printScript(msg, '', False, False, True) try: # read template file rc, filedata = readTextfile(source) # replace placeholders with values filedata = filedata.replace('@@bitmask@@', bitmask) filedata = filedata.replace('@@broadcast@@', broadcast) filedata = filedata.replace('@@dhcprange@@', dhcprange) filedata = filedata.replace('@@dhcprange1@@', dhcprange1) filedata = filedata.replace('@@dhcprange2@@', dhcprange2) filedata = filedata.replace('@@domainname@@', domainname) filedata = filedata.replace('@@firewallip@@', firewallip) filedata = filedata.replace('@@linbodir@@', linbodir) filedata = filedata.replace('@@netbiosname@@', netbiosname) filedata = filedata.replace('@@netmask@@', netmask) filedata = filedata.replace('@@network@@', network) filedata = filedata.replace('@@realm@@', realm) filedata = filedata.replace('@@sambadomain@@', sambadomain) filedata = filedata.replace('@@servername@@', servername)
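def main():
    """Roll out the OPNsense configuration to the firewall.

    Reads the setup values from the module-level ``setup`` parser, fetches
    the firewall's current config.xml with the rollout root password
    (``constants.ROOTPW``), keeps its sysctl, interfaces, language, gateway
    and DNS sections, renders ``constants.FWOSCONFTPL`` with them, a
    NoProxy alias list, a freshly hashed admin password and new API
    credentials, uploads the result and reboots the firewall.  Each step
    prints a status line via printScript and exits with status 1 on
    failure.
    """

    def begin(text):
        printScript(text, '', False, False, True)
        return text

    def succeed(text):
        printScript(' Success!', '', True, True, False, len(text))

    def fail(text):
        printScript(' Failed!', '', True, True, False, len(text))
        sys.exit(1)

    def first_three_octets(address):
        return '.'.join(address.split('.')[:3]) + '.'

    def tag_text(soup, name, default=None):
        # serialized first <name> element, or default when absent
        found = soup.findAll(name)
        return str(found[0]) if found else default

    # setup values
    serverip = setup.get('setup', 'serverip')
    bitmask = setup.get('setup', 'bitmask')
    firewallip = setup.get('setup', 'firewallip')
    servername = setup.get('setup', 'servername')
    domainname = setup.get('setup', 'domainname')
    basedn = setup.get('setup', 'basedn')
    opsiip = setup.get('setup', 'opsiip')
    dockerip = setup.get('setup', 'dockerip')
    network = setup.get('setup', 'network')
    adminpw = setup.get('setup', 'adminpw')
    # timezone
    rc, timezone = readTextfile('/etc/timezone')
    timezone = timezone.replace('\n', '')
    # binduser password
    rc, binduserpw = readTextfile(constants.BINDUSERSECRET)
    # firewall config files; the backup carries a timestamp
    now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
    fwconftmp = constants.FWCONFLOCAL
    fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
    fwconftpl = constants.FWOSCONFTPL
    # dummy addresses when opsi/docker hosts are not configured
    if not isValidHostIpv4(opsiip):
        opsiip = first_three_octets(serverip) + '2'
    if not isValidHostIpv4(dockerip):
        dockerip = first_three_octets(serverip) + '3'

    # fetch current config
    if not getFwConfig(firewallip, constants.ROOTPW):
        sys.exit(1)

    # backup config
    msg = begin('* Backing up ')
    try:
        shutil.copy(fwconftmp, fwconfbak)
    except Exception:
        fail(msg)
    succeed(msg)

    # keep the sections of the running config that must survive the rollout
    msg = begin('* Reading current config ')
    try:
        rc, content = readTextfile(fwconftmp)
        soup = BeautifulSoup(content, 'lxml')
        sysctl = str(soup.findAll('sysctl')[0])
        # the <interfaces> block that holds the <lan> entry (last match wins)
        lan_blocks = [str(item) for item in soup.findAll('interfaces') if '<lan>' in str(item)]
        if not lan_blocks:
            raise ValueError('config.xml has no <interfaces> block with <lan>')
        interfaces = lan_blocks[-1]
        # language from the config, else from the local LANG setting
        language = tag_text(soup, 'language', '')
        if language == '':
            lang = os.environ.get('LANG', 'en_US.UTF-8').split('.')[0]
            language = '<language>' + lang + '</language>'
        # gateway entries without their enclosing element
        gwconfig = tag_text(soup, 'gateways', '')
        gwconfig = gwconfig.replace('<gateways>', '').replace('</gateways>', '')
        # dns servers, with the server itself prepended
        dnsconfig = tag_text(soup, 'dnsserver', '')
        dnsserver = '<dnsserver>' + serverip + '</dnsserver>'
        if dnsconfig == '':
            dnsconfig = dnsserver
        else:
            dnsconfig = dnsserver + '\n ' + dnsconfig
    except Exception:
        fail(msg)
    succeed(msg)

    # base64 encoded certs and ssh key
    msg = begin('* Reading certificates & ssh key ')
    try:
        rc, cacertb64 = readTextfile(constants.CACERTB64)
        rc, fwcertb64 = readTextfile(constants.SSLDIR + '/firewall.cert.pem.b64')
        rc, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
        rc, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
    except Exception:
        fail(msg)
    succeed(msg)

    # first ten network ips for the NoProxy alias, space separated, followed
    # by the server ips (one per line) unless already listed.  Membership is
    # tested per address, not as a substring, so x.y.z.1 never masks x.y.z.10.
    netpre = first_three_octets(network)
    aliascontent = ' '.join(netpre + str(host) for host in range(1, 11))
    for aliasip in [serverip, opsiip, dockerip]:
        if aliasip not in aliascontent.split():
            aliascontent = aliascontent + '\n' + aliasip

    # render the new firewall configuration
    msg = begin('* Creating xml configuration file ')
    try:
        bcrypt_rounds = 10
        fwrootpw_hashed = bcrypt.hashpw(adminpw.encode(), bcrypt.gensalt(bcrypt_rounds)).decode()
        apikey = randomPassword(80)
        apisecret = randomPassword(80)
        apisecret_hashed = bcrypt.hashpw(apisecret.encode(), bcrypt.gensalt(bcrypt_rounds)).decode()
        rc, content = readTextfile(fwconftpl)
        # placeholders are substituted in this order
        replacements = [
            ('@@sysctl@@', sysctl),
            ('@@servername@@', servername),
            ('@@domainname@@', domainname),
            ('@@basedn@@', basedn),
            ('@@interfaces@@', interfaces),
            ('@@dnsconfig@@', dnsconfig),
            ('@@gwconfig@@', gwconfig),
            ('@@serverip@@', serverip),
            ('@@dockerip@@', dockerip),
            ('@@firewallip@@', firewallip),
            ('@@network@@', network),
            ('@@bitmask@@', bitmask),
            ('@@aliascontent@@', aliascontent),
            ('@@gw_lan@@', constants.GW_LAN),
            ('@@fwrootpw_hashed@@', fwrootpw_hashed),
            ('@@authorizedkey@@', authorizedkey),
            ('@@apikey@@', apikey),
            ('@@apisecret_hashed@@', apisecret_hashed),
            ('@@binduserpw@@', binduserpw),
            ('@@language@@', language),
            ('@@timezone@@', timezone),
            ('@@cacertb64@@', cacertb64),
            ('@@fwcertb64@@', fwcertb64),
            ('@@fwkeyb64@@', fwkeyb64),
        ]
        for placeholder, value in replacements:
            content = content.replace(placeholder, value)
        # NOTE(review): fwconftmp now contains the bind password and the
        # firewall's private key; its unlink below is disabled, so the mode
        # writeTextfile gives it decides who can read them -- confirm.
        rc = writeTextfile(fwconftmp, content, 'w')
    except Exception:
        fail(msg)
    succeed(msg)

    # api credentials ini file
    msg = begin('* Saving api credentials ')
    try:
        rc = modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
        rc = modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
        # restrict after writing (no shell); the file's initial mode is
        # whatever modIni creates it with
        os.chmod(constants.FWAPIKEYS, 0o400)
    except Exception:
        fail(msg)
    succeed(msg)

    # upload new configfile
    if not putFwConfig(firewallip, constants.ROOTPW):
        sys.exit(1)
    # remove temporary files
    #os.unlink(fwconftmp)
    # reboot firewall
    if not sshExec(firewallip, 'configctl firmware reboot', adminpw):
        sys.exit(1)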
printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # set serverip in default start.conf msg = 'Providing server ip to linbo start.conf files ' # default start.conf conffiles = [constants.LINBODIR + '/start.conf'] # collect example start.conf files for item in os.listdir(constants.LINBODIR + '/examples'): if not item.startswith('start.conf.'): continue conffiles.append(constants.LINBODIR + '/examples/' + item) printScript(msg, '', False, False, True) try: for startconf in conffiles: rc, content = readTextfile(startconf) rc = writeTextfile(startconf, content.replace('10.16.1.1', serverip), 'w') printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # bittorrent service msg = 'Activating bittorrent tracker ' printScript(msg, '', False, False, True) try: defaultconf = '/etc/default/bittorrent' rc, content = readTextfile(defaultconf) content = re.sub(r'\nSTART_BTTRACK=.*\n', '\nSTART_BTTRACK=1\n', content, re.IGNORECASE)
printScript(title) # read setup.ini msg = 'Reading setup data ' printScript(msg, '', False, False, True) setupini = constants.SETUPINI try: setup = configparser.RawConfigParser(delimiters=('='), inline_comment_prefixes=('#', ';')) setup.read(setupini) firewallip = setup.get('setup', 'firewallip') opsiip = setup.get('setup', 'opsiip') mailip = setup.get('setup', 'mailip') dockerip = setup.get('setup', 'dockerip') servername = setup.get('setup', 'servername') serverip = setup.get('setup', 'serverip') rc, devices = readTextfile(constants.WIMPORTDATA) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # get random mac address def getRandomMac(devices): while True: mac = "00:00:00:%02x:%02x:%02x" % ( random.randint(0, 255), random.randint(0, 255), random.randint(0, 255) ) if not ';' + mac.upper() + ';' in devices: break
# restart apparmor service msg = 'Restarting apparmor service ' printScript(msg, '', False, False, True) try: subProc('systemctl restart apparmor.service', logfile) printScript(' Success!', '', True, True, False, len(msg)) except Exception as error: printScript(error, '', True, True, False, len(msg)) sys.exit(1) # write schoolname to sophomorix school.conf msg = 'Writing school name to school.conf ' printScript(msg, '', False, False, True) try: schoolname = getSetupValue('schoolname') rc, content = readTextfile(constants.SCHOOLCONF) # need to use regex because sophomorix config files do not do not comply with the ini file standard content = re.sub(r'SCHOOL_LONGNAME=.*\n', 'SCHOOL_LONGNAME=' + schoolname + '\n', content) rc = writeTextfile(constants.SCHOOLCONF, content, 'w') printScript(' Success!', '', True, True, False, len(msg)) except Exception as error: printScript(error, '', True, True, False, len(msg)) sys.exit(1) # import devices msg = 'Starting device import ' printScript(msg, '', False, False, True) try: subProc('linuxmuster-import-devices', logfile) printScript(' Success!', '', True, True, False, len(msg)) except Exception as error:
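def main():
    """Roll out the OPNsense configuration and extensions to the firewall.

    Reads the setup values via getSetupValue, decides which firewall root
    password is current (rollout default, or the one left by
    linuxmuster-opnsense-reset) and which one the firewall gets afterwards,
    creates the radius secret, fetches the running config.xml, keeps its
    sysctl, interfaces, language, gateway and DNS sections, renders
    ``constants.FWOSCONFTPL`` with them plus fresh credentials, uploads the
    result, the web-proxy SSO auth config and ``fwsetup.sh``, and runs the
    latter on the firewall.  Relies on the module-level ``logfile``.  Each
    step prints a status line via printScript and exits with status 1 on
    failure.
    """

    def begin(text):
        printScript(text, '', False, False, True)
        return text

    def succeed(text):
        printScript(' Success!', '', True, True, False, len(text))

    def fail(text):
        printScript(' Failed!', '', True, True, False, len(text))
        sys.exit(1)

    def first_three_octets(address):
        return '.'.join(address.split('.')[:3]) + '.'

    def tag_text(soup, name, default=None):
        # serialized first <name> element, or default when absent
        found = soup.findAll(name)
        return str(found[0]) if found else default

    # setup values
    msg = begin('Reading setup data ')
    try:
        serverip = getSetupValue('serverip')
        bitmask = getSetupValue('bitmask')
        firewallip = getSetupValue('firewallip')
        servername = getSetupValue('servername')
        domainname = getSetupValue('domainname')
        basedn = getSetupValue('basedn')
        opsiip = getSetupValue('opsiip')
        dockerip = getSetupValue('dockerip')
        network = getSetupValue('network')
        adminpw = getSetupValue('adminpw')
    except Exception:
        fail(msg)
    succeed(msg)

    # timezone
    rc, timezone = readTextfile('/etc/timezone')
    timezone = timezone.replace('\n', '')
    # binduser password
    rc, binduserpw = readTextfile(constants.BINDUSERSECRET)

    # firewall root passwords: rolloutpw opens the firewall now, productionpw
    # is what the rendered config installs
    pwfile = '/tmp/linuxmuster-opnsense-reset'
    if os.path.isfile(pwfile):
        # firewall reset after setup: linuxmuster-opnsense-reset left the
        # current password here.  NOTE(review): /tmp is world-writable, so
        # confirm that tool creates the file with restrictive ownership/mode.
        rc, rolloutpw = readTextfile(pwfile)
        productionpw = rolloutpw
        os.unlink(pwfile)
    else:
        # initial setup: rollout password is the standardized one, the new
        # production password comes from setup
        rolloutpw = constants.ROOTPW
        productionpw = adminpw

    # create and save radius secret with a restrictive mode from the start
    msg = begin('Calculating radius secret ')
    try:
        radiussecret = randomPassword(16)
        fd = os.open(constants.RADIUSSECRET, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as secret:
            secret.write(radiussecret)
        os.chmod(constants.RADIUSSECRET, 0o400)
    except Exception:
        fail(msg)
    succeed(msg)

    # firewall config files; the backup carries a timestamp
    now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
    fwconftmp = constants.FWCONFLOCAL
    fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
    fwconftpl = constants.FWOSCONFTPL
    # dummy addresses when opsi/docker hosts are not configured
    if not isValidHostIpv4(opsiip):
        opsiip = first_three_octets(serverip) + '2'
    if not isValidHostIpv4(dockerip):
        dockerip = first_three_octets(serverip) + '3'

    # fetch current config
    if not getFwConfig(firewallip, rolloutpw):
        sys.exit(1)

    # backup config
    msg = begin('* Backing up ')
    try:
        shutil.copy(fwconftmp, fwconfbak)
    except Exception:
        fail(msg)
    succeed(msg)

    # keep the sections of the running config that must survive the rollout
    msg = begin('* Reading current config ')
    try:
        rc, content = readTextfile(fwconftmp)
        soup = BeautifulSoup(content, 'lxml')
        sysctl = str(soup.findAll('sysctl')[0])
        # the <interfaces> block that holds the <lan> entry (last match wins)
        lan_blocks = [str(item) for item in soup.findAll('interfaces') if '<lan>' in str(item)]
        if not lan_blocks:
            raise ValueError('config.xml has no <interfaces> block with <lan>')
        interfaces = lan_blocks[-1]
        # language from the config, else from the local LANG setting
        language = tag_text(soup, 'language', '')
        if language == '':
            lang = os.environ.get('LANG', 'en_US.UTF-8').split('.')[0]
            language = '<language>' + lang + '</language>'
        # gateway entries without their enclosing element
        gwconfig = tag_text(soup, 'gateways', '')
        gwconfig = gwconfig.replace('<gateways>', '').replace('</gateways>', '')
        # dns servers, with the server itself prepended
        dnsconfig = tag_text(soup, 'dnsserver', '')
        dnsserver = '<dnsserver>' + serverip + '</dnsserver>'
        if dnsconfig == '':
            dnsconfig = dnsserver
        else:
            dnsconfig = dnsserver + '\n ' + dnsconfig
    except Exception:
        fail(msg)
    succeed(msg)

    # base64 encoded certs and ssh key
    msg = begin('* Reading certificates & ssh key ')
    try:
        rc, cacertb64 = readTextfile(constants.CACERTB64)
        rc, fwcertb64 = readTextfile(constants.SSLDIR + '/firewall.cert.pem.b64')
        rc, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
        rc, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
    except Exception:
        fail(msg)
    succeed(msg)

    # first ten network ips for the NoProxy alias, space separated, followed
    # by the server ips (one per line) unless already listed.  Membership is
    # tested per address, not as a substring, so x.y.z.1 never masks x.y.z.10.
    netpre = first_three_octets(network)
    aliascontent = ' '.join(netpre + str(host) for host in range(1, 11))
    for aliasip in [serverip, opsiip, dockerip]:
        if aliasip not in aliascontent.split():
            aliascontent = aliascontent + '\n' + aliasip

    # render the new firewall configuration
    msg = begin('* Creating xml configuration file ')
    try:
        bcrypt_rounds = 10
        fwrootpw_hashed = bcrypt.hashpw(productionpw.encode(), bcrypt.gensalt(bcrypt_rounds)).decode()
        apikey = randomPassword(80)
        apisecret = randomPassword(80)
        apisecret_hashed = bcrypt.hashpw(apisecret.encode(), bcrypt.gensalt(bcrypt_rounds)).decode()
        rc, content = readTextfile(fwconftpl)
        # placeholders are substituted in this order
        replacements = [
            ('@@sysctl@@', sysctl),
            ('@@servername@@', servername),
            ('@@domainname@@', domainname),
            ('@@basedn@@', basedn),
            ('@@interfaces@@', interfaces),
            ('@@dnsconfig@@', dnsconfig),
            ('@@gwconfig@@', gwconfig),
            ('@@serverip@@', serverip),
            ('@@dockerip@@', dockerip),
            ('@@firewallip@@', firewallip),
            ('@@network@@', network),
            ('@@bitmask@@', bitmask),
            ('@@aliascontent@@', aliascontent),
            ('@@gw_lan@@', constants.GW_LAN),
            ('@@fwrootpw_hashed@@', fwrootpw_hashed),
            ('@@authorizedkey@@', authorizedkey),
            ('@@apikey@@', apikey),
            ('@@apisecret_hashed@@', apisecret_hashed),
            ('@@binduserpw@@', binduserpw),
            ('@@radiussecret@@', radiussecret),
            ('@@language@@', language),
            ('@@timezone@@', timezone),
            ('@@cacertb64@@', cacertb64),
            ('@@fwcertb64@@', fwcertb64),
            ('@@fwkeyb64@@', fwkeyb64),
        ]
        for placeholder, value in replacements:
            content = content.replace(placeholder, value)
        # NOTE(review): fwconftmp now contains the bind password, the radius
        # secret and the firewall's private key and is not removed afterwards,
        # so the mode writeTextfile gives it decides who can read them.
        rc = writeTextfile(fwconftmp, content, 'w')
    except Exception:
        fail(msg)
    succeed(msg)

    # api credentials ini file
    msg = begin('* Saving api credentials ')
    try:
        rc = modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
        rc = modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
        # restrict after writing (no shell); the file's initial mode is
        # whatever modIni creates it with
        os.chmod(constants.FWAPIKEYS, 0o400)
    except Exception:
        fail(msg)
    succeed(msg)

    # upload modified main config.xml (still with the current root password)
    if not putFwConfig(firewallip, rolloutpw):
        sys.exit(1)

    # upload modified auth config file for web-proxy sso (#83); the file is
    # generated into /tmp by create-auth-config.py and, going by its use
    # below, carries the firewall-side destination path after the first
    # space of its first line
    printScript('Creating web proxy sso auth config file')
    subProc(constants.FWSHAREDIR + '/create-auth-config.py', logfile)
    conftmp = '/tmp/' + os.path.basename(constants.FWAUTHCFG)
    if not os.path.isfile(conftmp):
        sys.exit(1)
    rc, content = readTextfile(conftmp)
    fwpath = content.split('\n')[0].partition(' ')[2]
    if not putSftp(firewallip, conftmp, fwpath, productionpw):
        sys.exit(1)
    # remove temporary files
    os.unlink(conftmp)

    # install extensions and reboot firewall; every remote step is checked
    # so a failed upload or chmod is not hidden by the next call
    printScript('Installing extensions and rebooting firewall')
    fwsetup_local = constants.FWSHAREDIR + '/fwsetup.sh'
    fwsetup_remote = '/tmp/fwsetup.sh'
    if not putSftp(firewallip, fwsetup_local, fwsetup_remote, productionpw):
        sys.exit(1)
    if not sshExec(firewallip, 'chmod +x ' + fwsetup_remote, productionpw):
        sys.exit(1)
    if not sshExec(firewallip, fwsetup_remote, productionpw):
        sys.exit(1)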
from functions import (
    getSetupValue,
    printScript,
    readTextfile,
    writeTextfile,
)

# Banner line with a seconds-precision timestamp (the fractional part is cut off).
now = str(datetime.datetime.now()).split('.')[0]
printScript('create-auth-config.py ' + now)

# get setup values
printScript('Reading setup values.')
servername = getSetupValue('servername')
domainname = getSetupValue('domainname')
realm = getSetupValue('realm')
# The bind user's password is a secret: it is substituted verbatim into the
# rendered config below, so whatever file eventually receives `content`
# has to be protected accordingly.
rc, bindpw = readTextfile(constants.BINDUSERSECRET)
if not rc:
    sys.exit(1)

# read config template
printScript('Reading config template.')
rc, content = readTextfile(constants.FWAUTHCFG)
if not rc:
    sys.exit(1)

# replace placeholders
for marker, value in (
    ('@@servername@@', servername),
    ('@@domainname@@', domainname),
    ('@@realm@@', realm),
    ('@@bindpw@@', bindpw),
):
    content = content.replace(marker, value)
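setup.read(constants.SETUPINI)
domainname = setup.get('setup', 'domainname')
# get serverip from start.conf
# NOTE(review): getStartconfOption() presumably returns None for a missing
# key; str.replace() would then raise a bare TypeError further down, so fail
# with a clear message instead.
serverip = getStartconfOption(startconf, 'LINBO', 'SERVER')
if serverip is None:
    raise ValueError('LINBO/SERVER is not set in start.conf')
# create grub config for host
# necessary variables
cfgtemplate = constants.LINBOTPLDIR + '/host.cfg.pxe'
# hostname becomes part of a path inside the world-writable /var/tmp: accept
# only a single plain name component so a value such as "../../etc/x" cannot
# steer the write elsewhere, and never write through a pre-existing symlink
# that another local user may have planted under the predictable name.
# (Errors are raised rather than returned because the enclosing scope is
# not visible in this excerpt.)
if not hostname or hostname in ('.', '..') or os.path.basename(hostname) != hostname:
    raise ValueError('invalid hostname: ' + repr(hostname))
cfgout = '/var/tmp/' + hostname + '.cfg'
if os.path.islink(cfgout):
    raise OSError('refusing to write through symlink ' + cfgout)
if os.path.isfile(hostcfg):
    appendcfg = hostcfg
else:
    appendcfg = groupcfg
# read template (rc was silently ignored before)
rc, content = readTextfile(cfgtemplate)
if not rc:
    raise OSError('cannot read ' + cfgtemplate)
# replace placeholders
for placeholder, value in (
    ('@@normal@@', normal),
    ('@@serverip@@', serverip),
    ('@@iface@@', iface),
    ('@@hostip@@', ip),
    ('@@mac@@', mac),
    ('@@domainname@@', domainname),
    ('@@group@@', group),
    ('@@hostname@@', hostname),
):
    content = content.replace(placeholder, value)
# write file
rc = writeTextfile(cfgout, content, 'w')
if not rc:
    raise OSError('cannot write ' + cfgout)
# append host/group specific cfg
rc, content = readTextfile(appendcfg)
if not rc:
    raise OSError('cannot read ' + appendcfg)
rc = writeTextfile(cfgout, content, 'a')
if not rc:
    raise OSError('cannot write ' + cfgout)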
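try:
    setup = configparser.ConfigParser(inline_comment_prefixes=('#', ';'))
    setup.read(setupini)
    # get setup various values
    serverip = setup.get('setup', 'serverip')
    bitmask = setup.get('setup', 'bitmask')
    firewallip = setup.get('setup', 'firewallip')
    servername = setup.get('setup', 'servername')
    domainname = setup.get('setup', 'domainname')
    basedn = setup.get('setup', 'basedn')
    opsiip = setup.get('setup', 'opsiip')
    dockerip = setup.get('setup', 'dockerip')
    network = setup.get('setup', 'network')
    # NOTE(review): setup.ini carries the global admin password in plaintext;
    # nothing here enforces that the file is root-only -- verify its mode.
    adminpw = setup.get('setup', 'adminpw')
    # get timezone (rc was ignored before; a failed read surfaced only as an
    # AttributeError on None inside the bare except)
    rc, timezone = readTextfile('/etc/timezone')
    if not rc:
        raise OSError('cannot read /etc/timezone')
    timezone = timezone.replace('\n', '')
    # get binduser password
    rc, binduserpw = readTextfile(constants.BINDUSERSECRET)
    if not rc:
        raise OSError('cannot read ' + constants.BINDUSERSECRET)
    # NOTE(review): unlike timezone, no trailing newline is stripped here; if
    # BINDUSERSECRET ends with one it is embedded verbatim into the rendered
    # firewall config -- confirm how that file is written.
    printScript(' Success!', '', True, True, False, len(msg))
except Exception:
    # Narrowed from a bare except: so Ctrl-C / SystemExit are not reported
    # as a setup-values failure.
    printScript(' Failed!', '', True, True, False, len(msg))
    sys.exit(1)
# firewall config files
fwconf = '/conf/config.xml'
fwconftmp = constants.CACHEDIR + '/opnsense.xml'
fwconftpl = constants.FWOSCONFTPL
# dummy ip addresses
# ... continues below this excerpt:  if not isValidHostIpv4(opsiip):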
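# ... tail of the option-parsing if/elif chain whose head is above this excerpt:
#             sys.exit()
#         else:
#             assert False, "unhandled option"
# NOTE(review): `assert` is stripped under `python -O`; an unknown option
# should end with sys.exit(2) (or raise) so the check cannot disappear.
now = str(datetime.datetime.now()).split('.')[0]
printScript('create-keytab.py ' + now)
if not check:
    # get firewall ip from setupini
    firewallip = getSetupValue('firewallip')
    # get administrator credentials if global-admin password was not provided
    if adminpw is None:
        rc, adminpw = readTextfile(constants.ADADMINSECRET)
        if not rc:  # previously ignored: a failed read left adminpw unusable
            sys.exit(1)
    adminlogin = '******'
    # reload relevant services
    # Run ssh directly instead of through a shell: firewallip is read from
    # the config file and was spliced into a shell command line before.
    # `-oStrictHostKeyChecking=accept-new` is trust-on-first-use -- the
    # firewall's host key is accepted unverified on the first run; pin it in
    # known_hosts beforehand if the network path is not trusted.
    import subprocess  # script scope; the file's import block is outside this excerpt
    sshconnect = ['ssh', '-q', '-oBatchmode=yes', '-oStrictHostKeyChecking=accept-new', firewallip]
    for item in ['unbound', 'squid']:
        printScript('Restarting ' + item)
        rc = subprocess.run(sshconnect + ['pluginctl', '-s', item, 'restart']).returncode
        if rc != 0:
            sys.exit(1)
    # create keytab
    # NOTE(review): in this copy the credentials appear as "******" (looks
    # redacted); adminlogin/adminpw are assigned above and otherwise unused,
    # so they are presumably what belongs here. Serialize with json.dumps
    # rather than splicing into a string literal so a password containing
    # '"' or '\' cannot break or alter the JSON document.
    import json  # script scope; see note on the subprocess import above
    payload = json.dumps({'admin_login': adminlogin, 'admin_password': adminpw})
    apipath = '/proxysso/service/createkeytab'
    res = firewallApi('post', apipath, payload)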
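setup.read(constants.SETUPINI)
domainname = setup.get('setup', 'domainname')
# get serverip from start.conf
# NOTE(review): getStartconfOption() presumably returns None for a missing
# key; str.replace() would then raise a bare TypeError further down, so fail
# with a clear message instead.
serverip = getStartconfOption(startconf, 'LINBO', 'SERVER')
if serverip is None:
    raise ValueError('LINBO/SERVER is not set in start.conf')
# create grub config for host
# necessary variables
cfgtemplate = constants.LINBOTPLDIR + '/host.cfg.pxe'
# hostname becomes part of a path inside the world-writable /var/tmp: accept
# only a single plain name component so a value such as "../../etc/x" cannot
# steer the write elsewhere, and never write through a pre-existing symlink
# that another local user may have planted under the predictable name.
# (Errors are raised rather than returned because the enclosing scope is
# not visible in this excerpt.)
if not hostname or hostname in ('.', '..') or os.path.basename(hostname) != hostname:
    raise ValueError('invalid hostname: ' + repr(hostname))
cfgout = '/var/tmp/' + hostname + '.cfg'
if os.path.islink(cfgout):
    raise OSError('refusing to write through symlink ' + cfgout)
if os.path.isfile(hostcfg):
    appendcfg = hostcfg
else:
    appendcfg = groupcfg
# read template (rc was silently ignored before)
rc, content = readTextfile(cfgtemplate)
if not rc:
    raise OSError('cannot read ' + cfgtemplate)
# replace placeholders
for placeholder, value in (
    ('@@normal@@', normal),
    ('@@serverip@@', serverip),
    ('@@iface@@', iface),
    ('@@hostip@@', ip),
    ('@@mac@@', mac),
    ('@@domainname@@', domainname),
    ('@@group@@', group),
    ('@@hostname@@', hostname),
):
    content = content.replace(placeholder, value)
# write file
rc = writeTextfile(cfgout, content, 'w')
if not rc:
    raise OSError('cannot write ' + cfgout)
# append host/group specific cfg
rc, content = readTextfile(appendcfg)
if not rc:
    raise OSError('cannot read ' + appendcfg)
rc = writeTextfile(cfgout, content, 'a')
if not rc:
    raise OSError('cannot write ' + cfgout)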