def doLinboStartconf(group):
startconf = constants.LINBODIR + '/start.conf.' + group
# provide simple start.conf if there is none for this group
if not os.path.isfile(startconf):
msg = ' > Creating minimal start.conf. Further configuration is necessary!'
printScript(msg, '', True)
os.system('cp ' + constants.LINBODIR + '/start.conf ' + startconf)
# read values from start.conf
group_s = getStartconfOption(startconf, 'LINBO', 'Group')
serverip_s = getStartconfOption(startconf, 'LINBO', 'Server')
kopts_s = getStartconfOption(startconf, 'LINBO', 'KernelOptions')
try:
serverip_k = re.findall(r'server=[^ ]*', kopts_s, re.IGNORECASE)[0].split('=')[1]
except:
serverip_k = None
# determine whether global values from start conf have to changed
if serverip_k != None and isValidHostIpv4(serverip_k) == True:
serverip_r = serverip_k
else:
serverip_r = serverip
if kopts_s == None:
kopts_r = 'splash quiet'
else:
kopts_r = kopts_s
if group_s != group:
group_r = group
else:
group_r = group
# change global startconf options if necessary
if serverip_s != serverip_r:
rc = setGlobalStartconfOption(startconf, 'Server', serverip_r)
if rc == False:
return rc
if kopts_s != kopts_r:
rc = setGlobalStartconfOption(startconf, 'KernelOptions', kopts_r)
if rc == False:
return rc
if group_s != group_r:
rc = setGlobalStartconfOption(startconf, 'Group', group_r)
if rc == False:
return rc
# process grub cfgs
doGrubCfg(startconf, group, kopts_r)
'.')[1] + '.' + serverip.split('.')[2] + '.' + '100'
dhcprange2 = serverip.split('.')[0] + '.' + serverip.split(
'.')[1] + '.' + serverip.split('.')[2] + '.' + '200'
dhcprange = dhcprange1 + ' ' + dhcprange2
while True:
rc, dhcprange = dialog.inputbox(
'Enter the two ip addresses for the free dhcp range (space separated):',
title=ititle,
height=16,
width=64,
init=dhcprange)
if rc == 'cancel':
sys.exit(1)
dhcprange1 = dhcprange.split(' ')[0]
dhcprange2 = dhcprange.split(' ')[1]
if isValidHostIpv4(dhcprange1) and isValidHostIpv4(dhcprange2):
break
print('DHCP range: ' + dhcprange)
setup.set('setup', 'dhcprange', dhcprange)
# opsi
ititle = title + ': Opsi-IP'
try:
opsiip = setup.get('setup', 'opsiip')
except:
opsiip = ''
while True:
rc, opsiip = dialog.inputbox(
'Enter the ip address of the opsi server (optional):',
title=ititle,
height=16,
ssh.close()
# local mailserver setup
else:
msg = '* Starting mailserver setup '
printScript(msg, '', False, False, True)
try:
subProc('apt update && apt -y install linuxmuster-mail', logfile)
subProc('linuxmuster-mail.py -s -c ' + setuptmp, logfile)
subProc('systemctl start linuxmuster-mail.service', logfile)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
os.unlink(setuptmp)
# add mail dns entry
msg = '* Creating dns entry '
printScript(msg, '', False, False, True)
try:
sambaTool('dns add localhost ' + domainname + ' mail A ' + mailip)
sambaTool('dns add localhost ' + domainname + ' mail MX "' + mailip +
' 10"')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# mailserver setup only if ip is set
if isValidHostIpv4(mailip):
main()
# uploading data & certs
msg = '* Uploading files to opsiserver '
printScript(msg, '', False, False, True)
for item in [setuptmp, setuphelper, opsicert, opsikey]:
if not ftp.put(item, '/tmp/' + os.path.basename(item)):
printScript(' ' + os.path.basename(item) + ' failed!', '', True,
True, False, len(msg))
sys.exit(1)
ftp.chmod(setuphelper, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP)
ftp.close()
ssh.close()
printScript(' Success!', '', True, True, False, len(msg))
# start opsiserver setup per ssh
msg = '* Starting opsiserver setup '
printScript(msg, '', False, False, True)
try:
sshcmd = 'ssh -oNumberOfPasswordPrompts=0 -oStrictHostKeyChecking=no -p 22 ' + opsiip
setupcmd = sshcmd + ' ' + setuphelper
subProc(setupcmd, logfile)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# close ssh connection
os.unlink(setuptmp)
# mailserver setup only if ip is set
if isValidHostIpv4(opsiip):
main()
def main():
# get setup various values
serverip = setup.get('setup', 'serverip')
bitmask = setup.get('setup', 'bitmask')
firewallip = setup.get('setup', 'firewallip')
servername = setup.get('setup', 'servername')
domainname = setup.get('setup', 'domainname')
basedn = setup.get('setup', 'basedn')
opsiip = setup.get('setup', 'opsiip')
dockerip = setup.get('setup', 'dockerip')
network = setup.get('setup', 'network')
adminpw = setup.get('setup', 'adminpw')
# get timezone
rc, timezone = readTextfile('/etc/timezone')
timezone = timezone.replace('\n', '')
# get binduser password
rc, binduserpw = readTextfile(constants.BINDUSERSECRET)
# firewall config files
now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
fwconftmp = constants.FWCONFLOCAL
fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
fwconftpl = constants.FWOSCONFTPL
# dummy ip addresses
if not isValidHostIpv4(opsiip):
opsiip = serverip.split('.')[0] + '.' + serverip.split(
'.')[1] + '.' + serverip.split('.')[2] + '.2'
if not isValidHostIpv4(dockerip):
dockerip = serverip.split('.')[0] + '.' + serverip.split(
'.')[1] + '.' + serverip.split('.')[2] + '.3'
# get current config
rc = getFwConfig(firewallip, constants.ROOTPW)
if not rc:
sys.exit(1)
# backup config
msg = '* Backing up '
printScript(msg, '', False, False, True)
try:
shutil.copy(fwconftmp, fwconfbak)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get root password hash
msg = '* Reading current config '
printScript(msg, '', False, False, True)
try:
rc, content = readTextfile(fwconftmp)
soup = BeautifulSoup(content, 'lxml')
# save interface configuration
wanconfig = str(soup.findAll('wan')[0])
lanconfig = str(soup.findAll('lan')[0])
# save gateway configuration
try:
gwconfig = str(soup.findAll('gateways')[0])
except:
gwconfig = ''
# save dnsserver configuration
try:
dnsconfig = str(soup.findAll('dnsserver')[0])
except:
dnsconfig = ''
# save opt1 configuration if present
try:
opt1config = str(soup.findAll('opt1')[0])
except:
opt1config = ''
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get base64 encoded certs
msg = '* Reading certificates & ssh key '
printScript(msg, '', False, False, True)
try:
rc, cacertb64 = readTextfile(constants.CACERTB64)
rc, fwcertb64 = readTextfile(constants.SSLDIR +
'/firewall.cert.pem.b64')
rc, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
rc, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create new firewall configuration
msg = '* Creating xml configuration file '
printScript(msg, '', False, False, True)
try:
# create password hash for new firewall password
hashedpw = bcrypt.hashpw(str.encode(adminpw), bcrypt.gensalt(10))
fwrootpw_hashed = hashedpw.decode()
apikey = randomPassword(80)
apisecret = randomPassword(80)
hashedpw = bcrypt.hashpw(str.encode(apisecret), bcrypt.gensalt(10))
apisecret_hashed = hashedpw.decode()
# read template
rc, content = readTextfile(fwconftpl)
# replace placeholders with values
content = content.replace('@@servername@@', servername)
content = content.replace('@@domainname@@', domainname)
content = content.replace('@@basedn@@', basedn)
content = content.replace('@@wanconfig@@', wanconfig)
content = content.replace('@@dnsconfig@@', dnsconfig)
content = content.replace('@@gwconfig@@', gwconfig)
content = content.replace('@@lanconfig@@', lanconfig)
content = content.replace('@@opt1config@@', opt1config)
content = content.replace('@@serverip@@', serverip)
content = content.replace('@@firewallip@@', firewallip)
content = content.replace('@@network@@', network)
content = content.replace('@@bitmask@@', bitmask)
content = content.replace('@@opsiip@@', opsiip)
content = content.replace('@@dockerip@@', dockerip)
content = content.replace('@@fwrootpw_hashed@@', fwrootpw_hashed)
content = content.replace('@@authorizedkey@@', authorizedkey)
content = content.replace('@@apikey@@', apikey)
content = content.replace('@@apisecret_hashed@@', apisecret_hashed)
content = content.replace('@@binduserpw@@', binduserpw)
content = content.replace('@@timezone@@', timezone)
content = content.replace('@@cacertb64@@', cacertb64)
content = content.replace('@@fwcertb64@@', fwcertb64)
content = content.replace('@@fwkeyb64@@', fwkeyb64)
# write new configfile
rc = writeTextfile(fwconftmp, content, 'w')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create api credentials ini file
msg = '* Saving api credentials '
printScript(msg, '', False, False, True)
try:
rc = modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
rc = modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
os.system('chmod 400 ' + constants.FWAPIKEYS)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# upload new configfile
rc = putFwConfig(firewallip, constants.ROOTPW)
if not rc:
sys.exit(1)
# remove temporary files
#os.unlink(fwconftmp)
# reboot firewall
rc = sshExec(firewallip, 'configctl firmware reboot', adminpw)
if not rc:
sys.exit(1)
from functions import isDynamicIpDevice
from functions import isValidHostname
from functions import isValidHostIpv4
from functions import sambaTool
cmd = ''
ip = ''
hostname = ''
# get arguments
cmd, ip, hostname = sys.argv[1:]
# check arguments
if cmd not in ['add', 'delete']:
sys.exit(1)
if not isValidHostIpv4(ip):
sys.exit(1)
if not isValidHostname(hostname):
sys.exit(1)
# no action for pxclient
if hostname.lower() == 'pxeclient':
sys.exit(0)
# check if it is a dynamic ip device
if not isDynamicIpDevice(hostname):
sys.exit(0)
# test if there are already valid dns records for this host
try:
ip_resolved = socket.gethostbyname(hostname)
printScript(' ' + servername, '', True, True, False, len(msg))
except:
printScript(' not set!', '', True, True, False, len(msg))
sys.exit(1)
setup.set('setup', 'servername', servername)
# derive values from servername
# netbiosname
setup.set('setup', 'netbiosname', servername.upper())
# serverip
msg = '* Server-IP '
printScript(msg, '', False, False, True)
try:
serverip = setup.get('setup', 'serverip')
if not isValidHostIpv4(serverip):
printScript(' ' + serverip + ' is not valid!', '', True, True, False, len(msg))
sys.exit(1)
printScript(' ' + serverip, '', True, True, False, len(msg))
except:
printScript(' not set!', '', True, True, False, len(msg))
sys.exit(1)
# netmask
msg = '* Bitmask '
printScript(msg, '', False, False, True)
try:
bitmask = setup.get('setup', 'bitmask')
ip = IP(serverip + '/' + bitmask, make_net=True)
except:
printScript(' ' + bitmask + ' is not valid!', '', True, True, False, len(msg))
def main():
# get setup various values
serverip = setup.get('setup', 'serverip')
bitmask = setup.get('setup', 'bitmask')
firewallip = setup.get('setup', 'firewallip')
servername = setup.get('setup', 'servername')
domainname = setup.get('setup', 'domainname')
basedn = setup.get('setup', 'basedn')
opsiip = setup.get('setup', 'opsiip')
dockerip = setup.get('setup', 'dockerip')
network = setup.get('setup', 'network')
adminpw = setup.get('setup', 'adminpw')
# get timezone
rc, timezone = readTextfile('/etc/timezone')
timezone = timezone.replace('\n', '')
# get binduser password
rc, binduserpw = readTextfile(constants.BINDUSERSECRET)
# firewall config files
now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
fwconftmp = constants.FWCONFLOCAL
fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
fwconftpl = constants.FWOSCONFTPL
# dummy ip addresses
if not isValidHostIpv4(opsiip):
opsiip = serverip.split('.')[0] + '.' + serverip.split(
'.')[1] + '.' + serverip.split('.')[2] + '.2'
if not isValidHostIpv4(dockerip):
dockerip = serverip.split('.')[0] + '.' + serverip.split(
'.')[1] + '.' + serverip.split('.')[2] + '.3'
# get current config
rc = getFwConfig(firewallip, constants.ROOTPW)
if not rc:
sys.exit(1)
# backup config
msg = '* Backing up '
printScript(msg, '', False, False, True)
try:
shutil.copy(fwconftmp, fwconfbak)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get root password hash
msg = '* Reading current config '
printScript(msg, '', False, False, True)
try:
rc, content = readTextfile(fwconftmp)
soup = BeautifulSoup(content, 'lxml')
# save certain configuration values for later use
sysctl = str(soup.findAll('sysctl')[0])
# get already configured interfaces
for item in soup.findAll('interfaces'):
if '<lan>' in str(item):
interfaces = str(item)
# save language information
try:
language = str(soup.findAll('language')[0])
except:
language = ''
# second try get language from locale settings
if language == '':
try:
lang = os.environ['LANG'].split('.')[0]
except:
lang = 'en_US'
language = '<language>' + lang + '</language>'
# save gateway configuration
try:
gwconfig = str(soup.findAll('gateways')[0])
gwconfig = gwconfig.replace('<gateways>',
'').replace('</gateways>', '')
except:
gwconfig = ''
# save dnsserver configuration
try:
dnsconfig = str(soup.findAll('dnsserver')[0])
except:
dnsconfig = ''
# add server as dnsserver
dnsserver = '<dnsserver>' + serverip + '</dnsserver>'
if dnsconfig == '':
dnsconfig = dnsserver
else:
dnsconfig = dnsserver + '\n ' + dnsconfig
# save opt1 configuration if present
try:
opt1config = str(soup.findAll('opt1')[0])
except:
opt1config = ''
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get base64 encoded certs
msg = '* Reading certificates & ssh key '
printScript(msg, '', False, False, True)
try:
rc, cacertb64 = readTextfile(constants.CACERTB64)
rc, fwcertb64 = readTextfile(constants.SSLDIR +
'/firewall.cert.pem.b64')
rc, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
rc, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create list of first ten network ips for aliascontent (NoProxy group in firewall)
aliascontent = ''
netpre = network.split('.')[0] + '.' + network.split(
'.')[1] + '.' + network.split('.')[2] + '.'
c = 0
max = 10
while c < max:
c = c + 1
aliasip = netpre + str(c)
if aliascontent == '':
aliascontent = aliasip
else:
aliascontent = aliascontent + ' ' + aliasip
# add server ips if not already collected
for aliasip in [serverip, opsiip, dockerip]:
if not aliasip in aliascontent:
aliascontent = aliascontent + '\n' + aliasip
# create new firewall configuration
msg = '* Creating xml configuration file '
printScript(msg, '', False, False, True)
try:
# create password hash for new firewall password
hashedpw = bcrypt.hashpw(str.encode(adminpw), bcrypt.gensalt(10))
fwrootpw_hashed = hashedpw.decode()
apikey = randomPassword(80)
apisecret = randomPassword(80)
hashedpw = bcrypt.hashpw(str.encode(apisecret), bcrypt.gensalt(10))
apisecret_hashed = hashedpw.decode()
# read template
rc, content = readTextfile(fwconftpl)
# replace placeholders with values
content = content.replace('@@sysctl@@', sysctl)
content = content.replace('@@servername@@', servername)
content = content.replace('@@domainname@@', domainname)
content = content.replace('@@basedn@@', basedn)
content = content.replace('@@interfaces@@', interfaces)
content = content.replace('@@dnsconfig@@', dnsconfig)
content = content.replace('@@gwconfig@@', gwconfig)
content = content.replace('@@serverip@@', serverip)
content = content.replace('@@dockerip@@', dockerip)
content = content.replace('@@firewallip@@', firewallip)
content = content.replace('@@network@@', network)
content = content.replace('@@bitmask@@', bitmask)
content = content.replace('@@aliascontent@@', aliascontent)
content = content.replace('@@gw_lan@@', constants.GW_LAN)
content = content.replace('@@fwrootpw_hashed@@', fwrootpw_hashed)
content = content.replace('@@authorizedkey@@', authorizedkey)
content = content.replace('@@apikey@@', apikey)
content = content.replace('@@apisecret_hashed@@', apisecret_hashed)
content = content.replace('@@binduserpw@@', binduserpw)
content = content.replace('@@language@@', language)
content = content.replace('@@timezone@@', timezone)
content = content.replace('@@cacertb64@@', cacertb64)
content = content.replace('@@fwcertb64@@', fwcertb64)
content = content.replace('@@fwkeyb64@@', fwkeyb64)
# write new configfile
rc = writeTextfile(fwconftmp, content, 'w')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create api credentials ini file
msg = '* Saving api credentials '
printScript(msg, '', False, False, True)
try:
rc = modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
rc = modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
os.system('chmod 400 ' + constants.FWAPIKEYS)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# upload new configfile
rc = putFwConfig(firewallip, constants.ROOTPW)
if not rc:
sys.exit(1)
# remove temporary files
#os.unlink(fwconftmp)
# reboot firewall
rc = sshExec(firewallip, 'configctl firmware reboot', adminpw)
if not rc:
sys.exit(1)
printScript(msg, '', False, False, True)
try:
subProc('service ssh restart', logfile)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# remove known_hosts
if os.path.isfile(known_hosts):
subProc('rm -f ' + known_hosts, logfile)
# install ssh link to additional servers
success = []
items = []
if isValidHostIpv4(opsiip):
items.append((opsiip, 22))
if isValidHostIpv4(dockerip):
items.append((dockerip, 22))
for item in items:
ip = item[0]
port = item[1]
rc = doSshLink(ip, port, constants.ROOTPW)
if rc == True:
success.append(ip)
# test success
rc = 0
for item in items:
ip = item[0]
if not ip in success:
# iterate over devices
printScript('', 'begin')
printScript('Processing dhcp clients:')
f = open(devices, newline='')
reader = csv.reader(f, delimiter=';', quoting=csv.QUOTE_NONE)
d = open(constants.DHCPDEVCONF, 'w')
pxe_groups = []
for row in reader:
try:
room, host, group, mac, ip, field6, field7, dhcpopts, field9, field10, pxe = row
except:
continue
if room[:1] == '#' or room[:1] == ';':
continue
if (pxe == '3' or pxe == '2') and isValidHostIpv4(opsiip) == False:
pxe = '1'
if pxe == '0':
htype = 'IP-Host : '
else:
htype = 'PXE-Host: '
printScript('* ' + htype + host)
# write conf for dhcp clients
d.write('host ' + ip + ' {\n')
d.write(' hardware ethernet ' + mac + ';\n')
d.write(' fixed-address ' + ip + ';\n')
d.write(' option host-name "' + host + '";\n')
# dhcp options have to be 5 chars minimum to get processed
if len(dhcpopts) > 4:
for opt in dhcpopts.split(','):
d.write(' ' + opt + ';\n')
def main():
# get various setup values
msg = 'Reading setup data '
printScript(msg, '', False, False, True)
try:
serverip = getSetupValue('serverip')
bitmask = getSetupValue('bitmask')
firewallip = getSetupValue('firewallip')
servername = getSetupValue('servername')
domainname = getSetupValue('domainname')
basedn = getSetupValue('basedn')
opsiip = getSetupValue('opsiip')
dockerip = getSetupValue('dockerip')
network = getSetupValue('network')
adminpw = getSetupValue('adminpw')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get timezone
rc, timezone = readTextfile('/etc/timezone')
timezone = timezone.replace('\n', '')
# get binduser password
rc, binduserpw = readTextfile(constants.BINDUSERSECRET)
# get firewall root password provided by linuxmuster-opnsense-reset
pwfile = '/tmp/linuxmuster-opnsense-reset'
if os.path.isfile(pwfile):
# firewall reset after setup, given password is current password
rc, rolloutpw = readTextfile(pwfile)
productionpw = rolloutpw
os.unlink(pwfile)
else:
# initial setup, rollout root password is standardized
rolloutpw = constants.ROOTPW
# new root production password provided by setup
productionpw = adminpw
# create and save radius secret
msg = 'Calculating radius secret '
printScript(msg, '', False, False, True)
try:
radiussecret = randomPassword(16)
with open(constants.RADIUSSECRET, 'w') as secret:
secret.write(radiussecret)
subProc('chmod 400 ' + constants.RADIUSSECRET, logfile)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# firewall config files
now = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
fwconftmp = constants.FWCONFLOCAL
fwconfbak = fwconftmp.replace('.xml', '-' + now + '.xml')
fwconftpl = constants.FWOSCONFTPL
# dummy ip addresses
if not isValidHostIpv4(opsiip):
opsiip = serverip.split('.')[0] + '.' + serverip.split('.')[1] + '.' + serverip.split('.')[2] + '.2'
if not isValidHostIpv4(dockerip):
dockerip = serverip.split('.')[0] + '.' + serverip.split('.')[1] + '.' + serverip.split('.')[2] + '.3'
# get current config
rc = getFwConfig(firewallip, rolloutpw)
if not rc:
sys.exit(1)
# backup config
msg = '* Backing up '
printScript(msg, '', False, False, True)
try:
shutil.copy(fwconftmp, fwconfbak)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get root password hash
msg = '* Reading current config '
printScript(msg, '', False, False, True)
try:
rc, content = readTextfile(fwconftmp)
soup = BeautifulSoup(content, 'lxml')
# save certain configuration values for later use
sysctl = str(soup.findAll('sysctl')[0])
# get already configured interfaces
for item in soup.findAll('interfaces'):
if '<lan>' in str(item):
interfaces = str(item)
# save language information
try:
language = str(soup.findAll('language')[0])
except:
language = ''
# second try get language from locale settings
if language == '':
try:
lang = os.environ['LANG'].split('.')[0]
except:
lang = 'en_US'
language = '<language>' + lang + '</language>'
# save gateway configuration
try:
gwconfig = str(soup.findAll('gateways')[0])
gwconfig = gwconfig.replace('<gateways>', '').replace('</gateways>', '')
except:
gwconfig = ''
# save dnsserver configuration
try:
dnsconfig = str(soup.findAll('dnsserver')[0])
except:
dnsconfig = ''
# add server as dnsserver
dnsserver = '<dnsserver>' + serverip + '</dnsserver>'
if dnsconfig == '':
dnsconfig = dnsserver
else:
dnsconfig = dnsserver + '\n ' + dnsconfig
# save opt1 configuration if present
try:
opt1config = str(soup.findAll('opt1')[0])
except:
opt1config = ''
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# get base64 encoded certs
msg = '* Reading certificates & ssh key '
printScript(msg, '', False, False, True)
try:
rc, cacertb64 = readTextfile(constants.CACERTB64)
rc, fwcertb64 = readTextfile(constants.SSLDIR + '/firewall.cert.pem.b64')
rc, fwkeyb64 = readTextfile(constants.SSLDIR + '/firewall.key.pem.b64')
rc, authorizedkey = readTextfile(constants.SSHPUBKEYB64)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create list of first ten network ips for aliascontent (NoProxy group in firewall)
aliascontent = ''
netpre = network.split('.')[0] + '.' + network.split('.')[1] + '.' + network.split('.')[2] + '.'
c = 0
max = 10
while c < max:
c = c + 1
aliasip = netpre + str(c)
if aliascontent == '':
aliascontent = aliasip
else:
aliascontent = aliascontent + ' ' + aliasip
# add server ips if not already collected
for aliasip in [serverip, opsiip, dockerip]:
if not aliasip in aliascontent:
aliascontent = aliascontent + '\n' + aliasip
# create new firewall configuration
msg = '* Creating xml configuration file '
printScript(msg, '', False, False, True)
try:
# create password hash for new firewall password
hashedpw = bcrypt.hashpw(str.encode(productionpw), bcrypt.gensalt(10))
fwrootpw_hashed = hashedpw.decode()
apikey = randomPassword(80)
apisecret = randomPassword(80)
hashedpw = bcrypt.hashpw(str.encode(apisecret), bcrypt.gensalt(10))
apisecret_hashed = hashedpw.decode()
# read template
rc, content = readTextfile(fwconftpl)
# replace placeholders with values
content = content.replace('@@sysctl@@', sysctl)
content = content.replace('@@servername@@', servername)
content = content.replace('@@domainname@@', domainname)
content = content.replace('@@basedn@@', basedn)
content = content.replace('@@interfaces@@', interfaces)
content = content.replace('@@dnsconfig@@', dnsconfig)
content = content.replace('@@gwconfig@@', gwconfig)
content = content.replace('@@serverip@@', serverip)
content = content.replace('@@dockerip@@', dockerip)
content = content.replace('@@firewallip@@', firewallip)
content = content.replace('@@network@@', network)
content = content.replace('@@bitmask@@', bitmask)
content = content.replace('@@aliascontent@@', aliascontent)
content = content.replace('@@gw_lan@@', constants.GW_LAN)
content = content.replace('@@fwrootpw_hashed@@', fwrootpw_hashed)
content = content.replace('@@authorizedkey@@', authorizedkey)
content = content.replace('@@apikey@@', apikey)
content = content.replace('@@apisecret_hashed@@', apisecret_hashed)
content = content.replace('@@binduserpw@@', binduserpw)
content = content.replace('@@radiussecret@@', radiussecret)
content = content.replace('@@language@@', language)
content = content.replace('@@timezone@@', timezone)
content = content.replace('@@cacertb64@@', cacertb64)
content = content.replace('@@fwcertb64@@', fwcertb64)
content = content.replace('@@fwkeyb64@@', fwkeyb64)
# write new configfile
rc = writeTextfile(fwconftmp, content, 'w')
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# create api credentials ini file
msg = '* Saving api credentials '
printScript(msg, '', False, False, True)
try:
rc = modIni(constants.FWAPIKEYS, 'api', 'key', apikey)
rc = modIni(constants.FWAPIKEYS, 'api', 'secret', apisecret)
os.system('chmod 400 ' + constants.FWAPIKEYS)
printScript(' Success!', '', True, True, False, len(msg))
except:
printScript(' Failed!', '', True, True, False, len(msg))
sys.exit(1)
# upload config files
# upload modified main config.xml
rc = putFwConfig(firewallip, rolloutpw)
if not rc:
sys.exit(1)
# upload modified auth config file for web-proxy sso (#83)
printScript('Creating web proxy sso auth config file')
subProc(constants.FWSHAREDIR + '/create-auth-config.py', logfile)
conftmp = '/tmp/' + os.path.basename(constants.FWAUTHCFG)
if not os.path.isfile(conftmp):
sys.exit(1)
rc, content = readTextfile(conftmp)
fwpath = content.split('\n')[0].partition(' ')[2]
rc = putSftp(firewallip, conftmp, fwpath, productionpw)
if not rc:
sys.exit(1)
# remove temporary files
os.unlink(conftmp)
# reboot firewall
printScript('Installing extensions and rebooting firewall')
fwsetup_local = constants.FWSHAREDIR + '/fwsetup.sh'
fwsetup_remote = '/tmp/fwsetup.sh'
rc = putSftp(firewallip, fwsetup_local, fwsetup_remote, productionpw)
rc = sshExec(firewallip, 'chmod +x ' + fwsetup_remote, productionpw)
rc = sshExec(firewallip, fwsetup_remote, productionpw)
if not rc:
sys.exit(1)
