printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' not installed!', '', True, True, False, len(msg)) # import devices msg = 'Starting device import ' printScript(msg, '', False, False, True) try: subProc('linuxmuster-import-devices', logfile) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # wait for fw skipfw = getSetupValue('skipfw') if skipfw == 'False': try: waitForFw(wait=30) except: sys.exit(1) # import subnets msg = 'Starting subnets import ' printScript(msg, '', False, False, True) try: subProc('linuxmuster-import-subnets', logfile) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1)
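def _fail(msg):
    """Report a failed setup step in the script's column layout and exit with status 1."""
    printScript(' Failed!', '', True, True, False, len(msg))
    sys.exit(1)


def _succeed(msg):
    """Report a completed setup step in the script's column layout."""
    printScript(' Success!', '', True, True, False, len(msg))


def _dummy_ip(serverip, hostpart):
    """Return the address in the server's first three octets ending in *hostpart*.

    Used as a stand-in when the opsi or docker ip is not configured.
    """
    return '.'.join(serverip.split('.')[:3]) + '.' + str(hostpart)


def _build_alias_content(network, serverip, opsiip, dockerip, count=10):
    """Build the address list for the firewall's NoProxy alias.

    The first *count* host addresses of *network* go on one line separated
    by blanks; the server, opsi and docker addresses follow on lines of
    their own unless they are already part of the list.
    """
    netpre = '.'.join(network.split('.')[:3]) + '.'
    hostips = [netpre + str(i) for i in range(1, count + 1)]
    aliascontent = ' '.join(hostips)
    for aliasip in (serverip, opsiip, dockerip):
        # exact membership rather than a substring test on the joined string,
        # which would treat x.y.z.1 as present just because x.y.z.10 is listed
        if aliasip not in hostips:
            hostips.append(aliasip)
            aliascontent += '\n' + aliasip
    return aliascontent


def _parse_current_config(content, serverip):
    """Extract the fragments of the firewall's current config.xml that are carried over.

    Returns a dict with the keys ``sysctl``, ``interfaces``, ``language``,
    ``gwconfig`` and ``dnsconfig``; each value is the xml text that goes into
    the template placeholder of the same name.

    Raises:
        ValueError: if the current config has no sysctl block or no
            interfaces block containing a ``<lan>`` section.
    """
    soup = BeautifulSoup(content, 'lxml')
    sysctltag = soup.find('sysctl')
    if sysctltag is None:
        raise ValueError('no sysctl block in current firewall config')
    sysctl = str(sysctltag)
    # only the interfaces block that holds the lan definition is reused
    interfaces = None
    for item in soup.find_all('interfaces'):
        if '<lan>' in str(item):
            interfaces = str(item)
    if interfaces is None:
        raise ValueError('no interfaces block with <lan> in current firewall config')
    # language: keep the configured one, else derive it from the server's locale
    langtag = soup.find('language')
    if langtag is not None:
        language = str(langtag)
    else:
        lang = os.environ.get('LANG', 'en_US').split('.')[0]
        language = '<language>' + lang + '</language>'
    # gateways: the inner xml only, the template supplies the enclosing tags
    gwtag = soup.find('gateways')
    gwconfig = ''
    if gwtag is not None:
        gwconfig = str(gwtag).replace('<gateways>', '').replace('</gateways>', '')
    # dnsserver: the server always comes first, existing entries follow
    dnsserver = '<dnsserver>' + serverip + '</dnsserver>'
    dnstag = soup.find('dnsserver')
    if dnstag is None:
        dnsconfig = dnsserver
    else:
        dnsconfig = dnsserver + '\n ' + str(dnstag)
    return {
        'sysctl': sysctl,
        'interfaces': interfaces,
        'language': language,
        'gwconfig': gwconfig,
        'dnsconfig': dnsconfig,
    }


def main():
    """Roll out the linuxmuster configuration to the OPNsense firewall.

    Reads the setup values, determines the firewall's current and new root
    password, writes the radius secret, backs up the firewall's current
    config.xml, renders a new one from the template with the fragments carried
    over from the current config, uploads it together with the web proxy sso
    auth config and finally runs fwsetup.sh on the firewall, which installs the
    extensions and reboots it.

    Every failed step is reported via printScript and terminates the script
    with exit status 1. subProc output goes to the module level ``logfile``.
    """
    # get various setup values
    msg = 'Reading setup data '
    printScript(msg, '', False, False, True)
    try:
        serverip = getSetupValue('serverip')
        bitmask = getSetupValue('bitmask')
        firewallip = getSetupValue('firewallip')
        servername = getSetupValue('servername')
        domainname = getSetupValue('domainname')
        basedn = getSetupValue('basedn')
        opsiip = getSetupValue('opsiip')
        dockerip = getSetupValue('dockerip')
        network = getSetupValue('network')
        adminpw = getSetupValue('adminpw')
    except Exception:
        _fail(msg)
    _succeed(msg)
    # get timezone (single line file, trailing newline dropped)
    rc, timezone = readTextfile('/etc/timezone')
    timezone = timezone.replace('\n', '')
    # get binduser password
    rc, binduserpw = readTextfile(constants.BINDUSERSECRET)
    # get firewall root password provided by linuxmuster-opnsense-reset
    # NOTE(review): fixed, predictable path in /tmp; presumably only written
    # by root via linuxmuster-opnsense-reset — confirm before relying on it
    pwfile = '/tmp/linuxmuster-opnsense-reset'
    if os.path.isfile(pwfile):
        # firewall reset after setup: the given password is the current one
        # and stays the production password
        rc, rolloutpw = readTextfile(pwfile)
        productionpw = rolloutpw
        os.unlink(pwfile)
    else:
        # initial setup: the rollout root password is the standardized one,
        # the new production password is the one given to setup
        rolloutpw = constants.ROOTPW
        productionpw = adminpw
    # create and save radius secret
    msg = 'Calculating radius secret '
    printScript(msg, '', False, False, True)
    try:
        radiussecret = randomPassword(16)
        # create the file with mode 0400 right away instead of chmod'ing it
        # afterwards, so the secret is never exposed through the default umask
        fd = os.open(constants.RADIUSSECRET, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400)
        with os.fdopen(fd, 'w') as secret:
            secret.write(radiussecret)
        # the mode argument of os.open only applies on creation, pin it on re-runs too
        os.chmod(constants.RADIUSSECRET, 0o400)
    except Exception:
        _fail(msg)
    _succeed(msg)
    # firewall config files
    now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
    fwconftmp = constants.FWCONFLOCAL
    fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
    fwconftpl = constants.FWOSCONFTPL
    # dummy ip addresses for services that are not configured
    if not isValidHostIpv4(opsiip):
        opsiip = _dummy_ip(serverip, 2)
    if not isValidHostIpv4(dockerip):
        dockerip = _dummy_ip(serverip, 3)
    # get current config (still authenticated with the rollout password)
    if not getFwConfig(firewallip, rolloutpw):
        sys.exit(1)
    # backup config (shutil.copy carries the source file's permission bits over)
    msg = '* Backing up '
    printScript(msg, '', False, False, True)
    try:
        shutil.copy(fwconftmp, fwconfbak)
    except Exception:
        _fail(msg)
    _succeed(msg)
    # read the fragments of the current config that are carried over
    msg = '* Reading current config '
    printScript(msg, '', False, False, True)
    try:
        rc, content = readTextfile(fwconftmp)
        current = _parse_current_config(content, serverip)
    except Exception:
        _fail(msg)
    _succeed(msg)
    # get base64 encoded certs and ssh key
    msg = '* Reading certificates & ssh key '
    printScript(msg, '', False, False, True)
    try:
        certs = {}
        for name, path in (
            ('cacertb64', constants.CACERTB64),
            ('fwcertb64', constants.SSLDIR + '/firewall.cert.pem.b64'),
            ('fwkeyb64', constants.SSLDIR + '/firewall.key.pem.b64'),
            ('authorizedkey', constants.SSHPUBKEYB64),
        ):
            rc, value = readTextfile(path)
            # fail here with a clear message instead of later in the template step
            if not rc:
                raise OSError('unable to read ' + path)
            certs[name] = value
    except Exception:
        _fail(msg)
    _succeed(msg)
    # list of network ips for aliascontent (NoProxy group in firewall)
    aliascontent = _build_alias_content(network, serverip, opsiip, dockerip)
    # create new firewall configuration
    msg = '* Creating xml configuration file '
    printScript(msg, '', False, False, True)
    try:
        # bcrypt hashes for the new root password and the api secret; only the
        # hashes go into config.xml, the plain api secret is kept in the ini file
        fwrootpw_hashed = bcrypt.hashpw(productionpw.encode('utf-8'), bcrypt.gensalt(10)).decode()
        apikey = randomPassword(80)
        apisecret = randomPassword(80)
        apisecret_hashed = bcrypt.hashpw(apisecret.encode('utf-8'), bcrypt.gensalt(10)).decode()
        # read template
        rc, content = readTextfile(fwconftpl)
        if not rc:
            raise OSError('unable to read ' + fwconftpl)
        # replace placeholders with values (same order as before, so a value
        # containing a placeholder of its own would be treated identically)
        placeholders = {
            '@@sysctl@@': current['sysctl'],
            '@@servername@@': servername,
            '@@domainname@@': domainname,
            '@@basedn@@': basedn,
            '@@interfaces@@': current['interfaces'],
            '@@dnsconfig@@': current['dnsconfig'],
            '@@gwconfig@@': current['gwconfig'],
            '@@serverip@@': serverip,
            '@@dockerip@@': dockerip,
            '@@firewallip@@': firewallip,
            '@@network@@': network,
            '@@bitmask@@': bitmask,
            '@@aliascontent@@': aliascontent,
            '@@gw_lan@@': constants.GW_LAN,
            '@@fwrootpw_hashed@@': fwrootpw_hashed,
            '@@authorizedkey@@': certs['authorizedkey'],
            '@@apikey@@': apikey,
            '@@apisecret_hashed@@': apisecret_hashed,
            '@@binduserpw@@': binduserpw,
            '@@radiussecret@@': radiussecret,
            '@@language@@': current['language'],
            '@@timezone@@': timezone,
            '@@cacertb64@@': certs['cacertb64'],
            '@@fwcertb64@@': certs['fwcertb64'],
            '@@fwkeyb64@@': certs['fwkeyb64'],
        }
        for placeholder, value in placeholders.items():
            content = content.replace(placeholder, value)
        # write new configfile
        rc = writeTextfile(fwconftmp, content, 'w')
    except Exception:
        _fail(msg)
    _succeed(msg)
    # create api credentials ini file
    msg = '* Saving api credentials '
    printScript(msg, '', False, False, True)
    try:
        # tighten the umask while modIni creates the file so the secret is never
        # world readable, then pin the mode without going through a shell
        oldmask = os.umask(0o077)
        try:
            rc = modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
            rc = modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
        finally:
            os.umask(oldmask)
        os.chmod(constants.FWAPIKEYS, 0o400)
    except Exception:
        _fail(msg)
    _succeed(msg)
    # upload modified main config.xml
    if not putFwConfig(firewallip, rolloutpw):
        sys.exit(1)
    # upload modified auth config file for web-proxy sso (#83)
    printScript('Creating web proxy sso auth config file')
    subProc(constants.FWSHAREDIR + '/create-auth-config.py', logfile)
    conftmp = '/tmp/' + os.path.basename(constants.FWAUTHCFG)
    if not os.path.isfile(conftmp):
        sys.exit(1)
    rc, content = readTextfile(conftmp)
    # the first line of the generated file names its destination on the
    # firewall after the first blank — presumably written by
    # create-auth-config.py for this purpose, confirm there
    fwpath = content.split('\n')[0].partition(' ')[2]
    # from here on the firewall already has the new root password
    if not putSftp(firewallip, conftmp, fwpath, productionpw):
        sys.exit(1)
    # remove temporary files
    os.unlink(conftmp)
    # install extensions and reboot firewall
    printScript('Installing extensions and rebooting firewall')
    fwsetup_local = constants.FWSHAREDIR + '/fwsetup.sh'
    fwsetup_remote = '/tmp/fwsetup.sh'
    if not putSftp(firewallip, fwsetup_local, fwsetup_remote, productionpw):
        sys.exit(1)
    if not sshExec(firewallip, 'chmod +x ' + fwsetup_remote, productionpw):
        sys.exit(1)
    if not sshExec(firewallip, fwsetup_remote, productionpw):
        sys.exit(1)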
import sys
from functions import datetime
from functions import getSetupValue
from functions import printScript
from functions import readTextfile
from functions import writeTextfile

# create-auth-config.py: renders the web proxy sso auth config for the
# firewall from the template constants.FWAUTHCFG using setup values and the
# bind user password. The rest of the script lies outside this excerpt.
# NOTE(review): `constants` is referenced below but not imported in the
# visible import block — confirm it comes into scope elsewhere.
now = str(datetime.datetime.now()).split('.')[0]  # timestamp without microseconds
printScript('create-auth-config.py ' + now)
# get setup values
printScript('Reading setup values.')
servername = getSetupValue('servername')
domainname = getSetupValue('domainname')
realm = getSetupValue('realm')
# bind user password; a secret, presumably substituted further down
rc, bindpw = readTextfile(constants.BINDUSERSECRET)
if not rc:
    sys.exit(1)
# read config template
printScript('Reading config template.')
rc, content = readTextfile(constants.FWAUTHCFG)
if not rc:
    sys.exit(1)
# replace placeholders
content = content.replace('@@servername@@', servername)
content = content.replace('@@domainname@@', domainname)
# restart apparmor service
msg = 'Restarting apparmor service '
printScript(msg, '', False, False, True)
try:
    subProc('systemctl restart apparmor.service', logfile)
    printScript(' Success!', '', True, True, False, len(msg))
except Exception as error:
    # the exception text is printed in place of the usual ' Failed!' marker
    printScript(error, '', True, True, False, len(msg))
    sys.exit(1)
# write schoolname to sophomorix school.conf
msg = 'Writing school name to school.conf '
printScript(msg, '', False, False, True)
try:
    schoolname = getSetupValue('schoolname')
    rc, content = readTextfile(constants.SCHOOLCONF)
    # need to use regex because sophomorix config files do not comply with the ini file standard
    # NOTE(review): schoolname is passed as the re.sub replacement string, so a
    # backslash in it is interpreted as an escape (re.error or a mangled value);
    # a callable replacement (lambda m: ...) would insert it literally. Also,
    # a SCHOOL_LONGNAME line without a trailing newline is left untouched.
    content = re.sub(r'SCHOOL_LONGNAME=.*\n', 'SCHOOL_LONGNAME=' + schoolname + '\n', content)
    rc = writeTextfile(constants.SCHOOLCONF, content, 'w')
    printScript(' Success!', '', True, True, False, len(msg))
except Exception as error:
    printScript(error, '', True, True, False, len(msg))
    sys.exit(1)
# import devices
msg = 'Starting device import '
printScript(msg, '', False, False, True)
try:
    subProc('linuxmuster-import-devices', logfile)
    printScript(' Success!', '', True, True, False, len(msg))
    # (the except clause of this try lies outside this excerpt)
# import constants
import getopt
import os
import sys
from functions import datetime
from functions import firewallApi
from functions import getSetupValue
from functions import printScript
from functions import readTextfile

# Nothing to do when setup was run with the firewall skipped. This check runs
# before the options are parsed, so even --help ends here in that case.
skipfw = getSetupValue('skipfw')
if skipfw == 'True':
    printScript('Firewall is skipped by setup!')
    sys.exit(0)


def usage():
    """Print the command line help of create-keytab.py to stdout."""
    helptext = (
        'Usage: create-keytab.py [options]',
        'Creates opnsense web proxy sso keytable.',
        'If adminpw is omitted saved administrator credentials are used.',
        ' [options] may be:',
        ' -a <adminpw>, --adminpw=<adminpw>: global-admin password (optional)',
        ' -c, --check : check only the presence of keytable file',
        ' -v, --verbose : be more verbose',
        ' -h, --help : print this help',
    )
    print('\n'.join(helptext))