Easy-Guacamole-Installer/1-setup.sh

#!/bin/bash
######################################################################################################################
# Guacamole appliance setup script
# For Ubuntu / Debian / Raspian
# David Harrop
# April 2023
#######################################################################################################################

# To install latest snapshot:
# wget https://raw.githubusercontent.com/itiligent/Guacamole-Setup/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh

# If something isn't working? 
# tail -f /var/log/syslog /var/log/tomcat*/*.out /var/log/mysql/*.log guac-setup/guacamole_${GUAC_VERSION}_setup.log

# This whole install routine could be collated into one huge script, but it is far easier to manage and maintain by
# breaking up the different stages of the install into at least 4 separate scripts as follows...
# 1-setup.sh is a central script that manages all inputs, options and sequences other included 'install' scripts.
# 2-install-guacamole is the main guts of the whole build. This script downloads and builds Guacamole from source.
# 3-install-nginx.sh automatically installs and configures Nginx to work as an http port 80 front end to Guacamole
# 4a-install-self-signed-nginx.sh sets up the new Nginx/Guacamole front end with self signed SSL certificates.
# 4b-install-ssl-letsencrypt-nginx.sh sets up Nginx with public SSL certificates from LetsEncrypt.

clear

# Prepare text output colours
GREY='\033[0;37m'
DGREY='\033[0;90m'
GREYB='\033[1;37m'
LRED='\033[0;91m'
LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour

# Check to see if previous build/install files exist, stop and check to be safe.
if [ "$( find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-java-*' \) )" != "" ]; then
# Script branding header
echo
	echo -e "${GREYB}Itiligent Virtual Desktop Appliance Setup."
	echo -e "                    ${LGREEN}Powered by Guacamole"
	echo
	echo
	echo -e "${LRED}Possible previous temp files detected in current build path. Please review and remove old 'guacamole-*' & 'mysql-connector-java-*' files before proceeding.${GREY}" 1>&2
	echo
exit 1
fi

#######################################################################################################################
# Core setup ##########################################################################################################
#######################################################################################################################

#Setup download and temp directory paths
USER_HOME_DIR=$(eval echo ~${SUDO_USER})
DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
DB_BACKUP_DIR=$USER_HOME_DIR/mysqlbackups/
TMP_DIR=$DOWNLOAD_DIR/tmp

# Github download branch
GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Setup/main/"

#Version of Guacamole to install
GUAC_VERSION="1.5.1"

# Set preferred Apache CDN download link
GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/${GUAC_VERSION}"

# MySQL Connector/J version
MYSQLJCON="8.0.30"

# Check for the latest version of Tomcat currently supported by the Linux distro
if [[ $( apt-cache show tomcat10 2> /dev/null | egrep "Version: 10" | wc -l ) -gt 0 ]]; then
	TOMCAT_VERSION="tomcat10"
elif [[ $( apt-cache show tomcat9 2> /dev/null | egrep "Version: 9" | wc -l ) -gt 0 ]]; then
	TOMCAT_VERSION="tomcat9"
elif [[ $( apt-cache show tomcat8 2> /dev/null | egrep "Version: 8.[5-9]" | wc -l ) -gt 0 ]]; then
	TOMCAT_VERSION="tomcat8"
elif [[ $( apt-cache show tomcat7 2> /dev/null | egrep "Version: 8" | wc -l ) -gt 0 ]]; then
	TOMCAT_VERSION="tomcat7"
else
	# Default to current version
	TOMCAT_VERSION="tomcat9"
fi
# Override Apache Tomcat version here.
# TOMCAT_VERSION="tomcat9"

# Install log Location
LOG_LOCATION="${DOWNLOAD_DIR}/guacamole_${GUAC_VERSION}_setup.log"

# Guacamole default install URL
GUAC_URL=http://localhost:8080/guacamole/

# Depending on the Linux distro, required libraries have varied names. Standardising with names makes adapting 
# to other distros easier.
source /etc/os-release
OS_FLAVOUR=$ID
OS_VERSION=$VERSION
JPEGTURBO=""
LIBPNG=""

# Get the default route interface IP
DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)

# Get an initial dns search suffix for use as a starting default for a local dns domain prompt value, we can update this later
DOMAIN_SEARCH_SUFFIX=$(grep search /etc/resolv.conf | grep -v "#" | sed  's/'search[[:space:]]'//')

#######################################################################################################################
# Silent setup options - adding true/false or specific values below prevents prompt at install ########################
#######################################################################################################################
SERVER_NAME=""						# Preferred server hostname
LOCAL_DOMAIN=""						# Local DNS space in use
INSTALL_MYSQL=""					# Install locally (true/false)
SECURE_MYSQL=""						# Apply mysql secure configuration tool (true/false)
MYSQL_HOST=""						# leave blank for localhost default, only specify for remote servers
MYSQL_PORT=""						# If blank default is 3306
GUAC_DB=""							# If blank default is guacamole_db
GUAC_USER=""						# if blank default is guacamole_user
GUAC_PWD=""							# Should not be blank as this may break some aspects of install
MYSQL_ROOT_PWD=""					# Should not be blank as this may break some aspects of install
INSTALL_TOTP=""						# TOTP MFA extension (true/false)
INSTALL_DUO=""						# DUO MFA extension (cant be installed simultaneously with TOTP, true/false)
INSTALL_LDAP=""						# Active Directory extension (true/false)
INSTALL_NGINX=""					# Install and configure Guacamole behind Nginx reverse proxy (http port 80 only, true/false)
PROXY_SITE=""						# Local DNS name for reverse proxy and self signed ssl certificates
SELF_SIGN=""						# Add self signed SSL support to Nginx (Let's Encrypt not available with this, true/false)
CERT_COUNTRY="AU"					# 2 country character code only, must not be blank
CERT_STATE="Victoria"				# Optional to change, must not be blank
CERT_LOCATION="Melbourne"			# Optional to change, must not be blank
CERT_ORG="Itiligent"				# Optional to change, must not be blank
CERT_OU="I.T."						# Optional to change, must not be blank
CERT_DAYS="3650"					# Number of days until self signed certificate expiry
LETS_ENCRYPT=""						# Add Lets Encrypt public SSL support for Nginx (self signed SSL certs not available with this, true/false)
LE_DNS_NAME=""						# Public DNS name to bind with Lets Encrypt certificates
LE_EMAIL=""							# Webmaster/admin email for Lets Encrypt
BACKUP_EMAIL=""						# Email address for backup notifications
BACKUP_RETENTION="30"				# How many days to keep backups for

# Script branding header
echo
echo -e "${GREYB}Itiligent Virtual Desktop Appliance Setup."
echo -e "                    ${LGREEN}Powered by Guacamole"
echo

# Setup directory locations
mkdir -p $DOWNLOAD_DIR
mkdir -p $DB_BACKUP_DIR
mkdir -p $TMP_DIR

#######################################################################################################################
# Download GitHub setup scripts. To prevent overwrite, comment out lines of any scripts you have edited. ##############
#######################################################################################################################

# Download config scripts and setup items from GitHub
cd $DOWNLOAD_DIR
echo
echo -e "${GREY}Downloading setup files...${DGREY}"
wget -q --show-progress ${GITHUB}2-install-guacamole.sh -O 2-install-guacamole.sh
wget -q --show-progress ${GITHUB}3-install-nginx.sh -O 3-install-nginx.sh
wget -q --show-progress ${GITHUB}4a-install-ssl-self-signed-nginx.sh -O 4a-install-ssl-self-signed-nginx.sh
wget -q --show-progress ${GITHUB}4b-install-ssl-letsencrypt-nginx.sh -O 4b-install-ssl-letsencrypt-nginx.sh
# Grab Guacamole manual add on/upgrade scripts
wget -q --show-progress ${GITHUB}add-auth-duo.sh -O add-auth-duo.sh
wget -q --show-progress ${GITHUB}add-auth-ldap.sh -O add-auth-ldap.sh
wget -q --show-progress ${GITHUB}add-auth-totp.sh -O add-auth-totp.sh
wget -q --show-progress ${GITHUB}add-smtp-relay-o365.sh -O add-smtp-relay-o365.sh
wget -q --show-progress ${GITHUB}upgrade-guac.sh -O upgrade-guac.sh
# Grab backup and security hardening scripts
wget -q --show-progress ${GITHUB}backup-guac.sh -O backup-guac.sh
wget -q --show-progress ${GITHUB}add-ssl-guac-gaucd.sh -O add-ssl-guac-gaucd.sh
wget -q --show-progress ${GITHUB}add-fail2ban.sh -O add-fail2ban.sh
# Grab a (customisable) branding extension
wget -q --show-progress ${GITHUB}branding.jar -O branding.jar
chmod +x *.sh
sleep 2
clear

# Script branding header
echo
echo -e "${GREYB}Itiligent Virtual Desktop Appliance Setup."
echo -e "                    ${LGREEN}Powered by Guacamole"
echo
echo

# For convenience & sanity check, display status of preset script options at start of install
echo -e "${GREY}Enabled non-interactive presets are listed below, blank entries will prompt."
echo -e "${DGREY}Server host name\t= ${GREY}${SERVER_NAME}"
echo -e "${DGREY}Local DNS Domain\t= ${GREY}${LOCAL_DOMAIN}"
echo -e "${DGREY}Install MYSQL locally\t= ${GREY}${INSTALL_MYSQL}"
echo -e "${DGREY}MySQL secure install\t= ${GREY}${SECURE_MYSQL}"
echo -e "${DGREY}MySQL remote IP\t\t= ${GREY}${MYSQL_HOST}"
echo -e "${DGREY}MySQL port\t\t= ${GREY}${MYSQL_PORT}"
echo -e "${DGREY}Guacamole db name\t= ${GREY}${GUAC_DB}"
echo -e "${DGREY}Guacamole db user name\t= ${GREY}${GUAC_USER}"
echo -e "${DGREY}Guacamole user pwd\t= ${GREY}${GUAC_PWD}"
echo -e "${DGREY}MySQL root pwd\t\t= ${GREY}${MYSQL_ROOT_PWD}"
echo -e "${DGREY}Add TOTP\t\t= ${GREY}${INSTALL_TOTP}"
echo -e "${DGREY}Add DUO\t\t\t= ${GREY}${INSTALL_DUO}"
echo -e "${DGREY}Add LDAP\t\t= ${GREY}${INSTALL_LDAP}${GREY}"
echo -e "${DGREY}Install Nginx rev proxy\t= ${GREY}${INSTALL_NGINX}${GREY}"
echo -e "${DGREY}Proxy local DNS name\t= ${GREY}${PROXY_SITE}"
echo -e "${DGREY}Add self signed SSL\t= ${GREY}${SELF_SIGN}${GREY}"
echo -e "${DGREY}Self sign cert days\t= ${GREY}${CERT_DAYS}${GREY}"
echo -e "${DGREY}Self sign country\t= ${GREY}${CERT_COUNTRY}${GREY}"
echo -e "${DGREY}Self sign state\t\t= ${GREY}${CERT_STATE}${GREY}"
echo -e "${DGREY}Self sign location\t= ${GREY}${CERT_LOCATION}${GREY}"
echo -e "${DGREY}Self sign ORG\t\t= ${GREY}${CERT_ORG}${GREY}"
echo -e "${DGREY}Self sign OU\t\t= ${GREY}${CERT_OU}${GREY}"
echo -e "${DGREY}Add Let's Encrypt SSL\t= ${GREY}${LETS_ENCRYPT}${GREY}"
echo -e	"${DGREY}Let's Encrypt FQDN\t= ${GREY}${LE_DNS_NAME}${GREY}"
echo -e "${DGREY}Let's Encrypt email\t= ${GREY}${LE_EMAIL}${GREY}"
echo -e "${DGREY}Backup notify email\t= ${GREY}${BACKUP_EMAIL}${GREY}"
echo -e "${DGREY}Days to keep backups\t= ${GREY}${BACKUP_RETENTION}${GREY}"

# Pause to optionally customise downloaded scripts before any actual install actions
echo
echo -e "${LYELLOW}Ctrl+Z now to exit if you wish to edit any 1-setup.sh options for an unattended install."
echo -e "${LYELLOW}After editing, you must always run it locally (and not as sudo) i.e ./1-setup.sh (not from the link)."
echo -e "${LYELLOW}Comment out download links if you wish to prevent re-downloading scripts at each run. "

# Now prompt for sudo to get ready for a hostname change, then while we are here also set perms for sudo and non sudo access to tmp setup files
echo -e "${LGREEN}"
sudo chmod -R 770 $TMP_DIR
sudo chown -R $SUDO_USER:root $TMP_DIR


#######################################################################################################################
# Begin install menu prompts ##########################################################################################
#######################################################################################################################

# We need a default hostname value available to apply even if we do not want to change the hostname. This approach allows the
# user to simply hit enter at the prompt without this creating a blank entry into the /etc/hosts file.
# hostnames and matching DNS entries are essential for implementing SSL successfully.
if [[ -z ${SERVER_NAME} ]]; then
	echo -e "${LYELLOW}Update Linux system HOSTNAME [Enter to keep: ${HOSTNAME}]${LGREEN}"
	read -p "                        Enter new HOSTNAME : " SERVER_NAME
	if [[ "${SERVER_NAME}" = "" ]]; then
		SERVER_NAME=$HOSTNAME
		fi
		echo
		sudo hostnamectl set-hostname $SERVER_NAME &>> ${LOG_LOCATION}
		sudo sed -i '/127.0.1.1/d' /etc/hosts &>> ${LOG_LOCATION}
		echo '127.0.1.1       '${SERVER_NAME}'' | sudo tee -a /etc/hosts &>> ${LOG_LOCATION}
		sudo systemctl restart systemd-hostnamed &>> ${LOG_LOCATION}
	else
		echo
		sudo hostnamectl set-hostname $SERVER_NAME &>> ${LOG_LOCATION}
		sudo sed -i '/127.0.1.1/d' /etc/hosts &>> ${LOG_LOCATION}
		echo '127.0.1.1       '${SERVER_NAME}'' | sudo tee -a /etc/hosts &>> ${LOG_LOCATION}
		sudo systemctl restart systemd-hostnamed &>> ${LOG_LOCATION}
	fi

if [[ -z ${LOCAL_DOMAIN} ]]; then
	echo -e "${LYELLOW}Update Linux LOCAL DNS DOMAIN [Enter to keep: ${DOMAIN_SEARCH_SUFFIX}]${LGREEN}"
	read -p "                        Enter FULL LOCAL DOMAIN NAME: " LOCAL_DOMAIN
	if [[ "${LOCAL_DOMAIN}" = "" ]]; then
		LOCAL_DOMAIN=$DOMAIN_SEARCH_SUFFIX
		fi
		echo
		sudo sed -i "/${DEFAULT_IP}/d" /etc/hosts
		sudo sed -i '/domain/d' /etc/resolv.conf
		sudo sed -i '/search/d' /etc/resolv.conf
		# Update the /etc/hosts file with the new domain values 
		echo ''${DEFAULT_IP}'	'${SERVER_NAME}.${LOCAL_DOMAIN}	${SERVER_NAME}'' | sudo tee -a /etc/hosts &>> ${LOG_LOCATION}
		#Update resolv.conf with new domain and search suffix values
		echo 'domain	'${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>> ${LOG_LOCATION}
		echo 'search	'${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>> ${LOG_LOCATION}
		sudo systemctl restart systemd-hostnamed &>> ${LOG_LOCATION}
	else
		echo
		sudo sed -i "/${DEFAULT_IP}/d" /etc/hosts
		sudo sed -i '/domain/d' /etc/resolv.conf
		sudo sed -i '/search/d' /etc/resolv.conf
		# Update the /etc/hosts file with the new domain values 
		echo ''${DEFAULT_IP}'	'${SERVER_NAME}.${LOCAL_DOMAIN}	${SERVER_NAME}'' | sudo tee -a /etc/hosts &>> ${LOG_LOCATION}
		#Update resolv.conf with new domain and search suffix values
		echo 'domain	'${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>> ${LOG_LOCATION}
		echo 'search	'${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>> ${LOG_LOCATION}
		sudo systemctl restart systemd-hostnamed &>> ${LOG_LOCATION}
	fi

# After updating the hostname and domain names, we can now use a refreshed starting value for the local FQDN.
DEFAULT_FQDN=$SERVER_NAME.$LOCAL_DOMAIN

clear

# Script branding header
echo
echo -e "${GREYB}Itiligent Virtual Desktop Appliance Setup."
echo -e "                    ${LGREEN}Powered by Guacamole"
echo
echo

# Prompt the user to install MySQL, default of yes
echo -e "${LGREEN}MySQL setup options:${GREY}"
if [[ -z ${INSTALL_MYSQL} ]]; then
	echo -e -n "SQL: Install MySQL? (for a remote MySQL Server select 'n') [y/n] [default y]: ${GREY}"
	read PROMPT
	if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
	INSTALL_MYSQL=false
	else
	INSTALL_MYSQL=true
	fi
fi

# Prompt the user to apply the Mysql secure installation locally
if [ -z ${SECURE_MYSQL} ] && [ "${INSTALL_MYSQL}" = true ]; then
	echo -e -n "${GREY}SQL: Apply MySQL secure installation settings to LOCAL db? [y/n] [default y]: ${GREY}"
	read PROMPT
	if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
	SECURE_MYSQL=false
	else
	SECURE_MYSQL=true
	fi
fi

# Prompt the user to apply the Mysql secure installation to remote db
if [ -z ${SECURE_MYSQL} ] && [ "${INSTALL_MYSQL}" = false ]; then
	echo -e -n "${GREY}SQL: Apply MySQL secure installation settings to REMOTE db? [y/n] [default n]: ${GREY}"
	read PROMPT
	if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
	SECURE_MYSQL=true
	else
	SECURE_MYSQL=false
	fi
fi

# We need to get some additional MYSQL values
if [ "${INSTALL_MYSQL}" = false ]; then
	[ -z "${MYSQL_HOST}" ] \
	&& read -p "SQL: Enter MySQL server hostname or IP: " MYSQL_HOST
	[ -z "${MYSQL_PORT}" ] \
	&& read -p "SQL: Enter MySQL server port [3306]: " MYSQL_PORT
	[ -z "${GUAC_DB}" ] \
	&& read -p "SQL: Enter Guacamole database name [guacamole_db]: " GUAC_DB
	[ -z "${GUAC_USER}" ] \
	&& read -p "SQL: Enter Guacamole user name [guacamole_user]: " GUAC_USER
fi

# Checking if a mysql host given, if not set a default
if [ -z "${MYSQL_HOST}" ]; then
	MYSQL_HOST="localhost"
fi

# Checking if a mysql port given, if not set a default
if [ -z "${MYSQL_PORT}" ]; then
	MYSQL_PORT="3306"
fi

# Checking if a database name given, if not set a default
if [ -z "${GUAC_DB}" ]; then
	GUAC_DB="guacamole_db"
fi

# Checking if a mysql user given, if not set a default
if [ -z "${GUAC_USER}" ]; then
	GUAC_USER="guacamole_user"
fi

# Get Guacamole User password, confirm correct password entry and prevent blank passwords
if [ -z "${GUAC_PWD}" ]; then
	while true; do
	read -s -p "SQL: Enter ${MYSQL_HOST}'s MySQL ${GUAC_USER} password: " GUAC_PWD
	echo
	read -s -p "SQL: Confirm ${MYSQL_HOST}'s MySQL ${GUAC_USER} password: " PROMPT2
	echo
	[ "${GUAC_PWD}" = "${PROMPT2}" ] && [ "${GUAC_PWD}" != "" ] && [ "${PROMPT2}" != "" ] && break
	echo -e "${LRED}Passwords don't match or can't be null. Please try again.${GREY}" 1>&2
	done
fi

# Get MySQL root password, confirm correct password entry and prevent blank passwords
if [ -z "${MYSQL_ROOT_PWD}" ]; then
	while true; do
	read -s -p "SQL: Enter ${MYSQL_HOST}'s MySQL root password: " MYSQL_ROOT_PWD
	echo
	read -s -p "SQL: Confirm ${MYSQL_HOST}'s MySQL root password: " PROMPT2
	echo
	[ "${MYSQL_ROOT_PWD}" = "${PROMPT2}" ] && [ "${MYSQL_ROOT_PWD}" != "" ] && [ "${PROMPT2}" != "" ] && break
	echo -e "${LRED}Passwords don't match or can't be null. Please try again.${GREY}" 1>&2
	done
fi

# Prompt for preferred backup notification email address
if [[ -z ${BACKUP_EMAIL} ]]; then
	while true; do
	read -p "SQL: Enter email address for SQL backup messages [Enter to skip]: " BACKUP_EMAIL
	[ "${BACKUP_EMAIL}" = "" ] || [ "${BACKUP_EMAIL}" != "" ] && break
	# Rather than allow a blank value, un-comment to alternately force user to enter an explicit value instead
	# [ "${BACKUP_EMAIL}" != "" ] && break
	# echo -e "${LRED}You must enter an email address. Please try again.${GREY}" 1>&2
	done
fi

# If no backup notification email address is given, enter a default value
if [ -z ${BACKUP_EMAIL} ]; then
BACKUP_EMAIL="backup-email@yourdomain.com"
fi

echo
# Prompt the user if they would like to install TOTP MFA, default of no
echo -e "${LGREEN}Guacamole authentication extension options:${GREY}"
if [[ -z "${INSTALL_TOTP}" ]] && [[ "${INSTALL_DUO}" != true ]]; then
	echo -e -n "AUTH: Install TOTP? (choose 'n' if you want Duo) [y/n]? [default n]: "
	read PROMPT
	if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
	INSTALL_TOTP=true
	INSTALL_DUO=false
	else
	INSTALL_TOTP=false
	fi
fi

# Prompt the user if they would like to install Duo MFA, default of no
if [[ -z "${INSTALL_DUO}" ]] && [[ "${INSTALL_TOTP}" != true ]]; then
	echo -e -n "${GREY}AUTH: Install Duo? [y/n] [default n]: "
	read PROMPT
	if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
	INSTALL_DUO=true
	INSTALL_TOTP=false
	else
	INSTALL_DUO=false
	fi
fi

# We can't install TOTP and Duo at the same time (option not supported by Guacamole)
if [[ "${INSTALL_TOTP}" = true ]] && [[ "${INSTALL_DUO}" = true ]]; then
	echo -e "${LRED}GUAC MFA: TOTP and Duo cannot be installed at the same time.${GREY}" 1>&2
	exit 1
fi

# Prompt the user if they would like to install Duo MFA, default of no
if [[ -z "${INSTALL_LDAP}" ]]; then
	echo -e -n "${GREY}AUTH: Install LDAP? [y/n] [default n]: "
	read PROMPT
	if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
	INSTALL_LDAP=true
	else
	INSTALL_LDAP=false
	fi
fi

echo
# Prompt for Guacamole front end reverse proxy option
echo -e "${LGREEN}Nginx reverse proxy options:${GREY}"
if [[ -z ${INSTALL_NGINX} ]]; then
	echo -e -n "REV PROXY: Protect Guacamole behind Nginx reverse proxy [y/n]? [default y]: "
	read PROMPT
	if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
	INSTALL_NGINX=false
	else
	INSTALL_NGINX=true
	fi
fi

# We must assign a DNS name for the new proxy site
if [[ -z ${PROXY_SITE} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
	while true; do
	read -p "REV PROXY: Enter proxy local DNS name? [Enter to use ${DEFAULT_FQDN}]: " PROXY_SITE
	[ "${PROXY_SITE}" = "" ] || [ "${PROXY_SITE}" != "" ] && break
	# Rather than allow the default value below, un-comment to alternately force user to enter an explicit name instead
	# [ "${PROXY_SITE}" != "" ] && break
	# echo -e "${LRED}You must enter a proxy site DNS name. Please try again.${GREY}" 1>&2
	done
fi

# If no proxy site dns name is given, lets assume a default FQDN
if [ -z "${PROXY_SITE}" ]; then
PROXY_SITE="${DEFAULT_FQDN}"
fi

# Prompt for self signed SSL reverse proxy option
if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
	# Prompt the user to see if they would like to install self signed SSL support for Nginx, default of no
	echo -e -n "REV PROXY: Add self signed SSL support to Nginx? [y/n]? (choose 'n' for Let's Encrypt)[default n]: "
	read PROMPT
	if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
	SELF_SIGN=true
	else
	SELF_SIGN=false
	fi
fi

# Optional prompt to assign the self sign SSL certificate a custom expiry date, un-comment to force a manual entry
#if [ "${SELF_SIGN}" = true ]; then
#	read - p "PROXY: Enter number of days till SSL certificate expires [default 3650]: " CERT_DAYS
#fi

# If no self sign SSL certificate expiry given, lets assume a generous 10 year default certificate expiry
if [ -z "${CERT_DAYS}" ]; then
	CERT_DAYS="3650"
fi

# Prompt for Let's Encrypt SSL reverse proxy configuration option
if [[ -z ${LETS_ENCRYPT} ]] && [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = "false" ]]; then
	echo -e -n "REV PROXY: Add Let's Encrypt SSL support to Nginx reverse proxy [y/n] [default n]: ${GREY}"
	read PROMPT
	if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
	LETS_ENCRYPT=true
	else
	LETS_ENCRYPT=false
	fi
fi

# Prompt for Let's Encrypt public dns name
if [[ -z ${LE_DNS_NAME} ]] && [[ "${LETS_ENCRYPT}" = true ]]; then
	while true; do
	read -p "REV PROXY: Enter the FQDN for your public proxy site : " LE_DNS_NAME
	[ "${LE_DNS_NAME}" != "" ] && break
	echo -e "${LRED}You must enter a public DNS name. Please try again.${GREY}" 1>&2
	done
fi

# Prompt for Let's Encrypt admin email
if [[ -z ${LE_EMAIL} ]] && [[ "${LETS_ENCRYPT}" = true ]]; then
	while true; do
	read -p "REV PROXY: Enter the email address for Let's Encrypt notifications : " LE_EMAIL
	[ "${LE_EMAIL}" != "" ] && break
	echo -e "${LRED}You must enter an email address. Please try again.${GREY}" 1>&2
	done
fi


#######################################################################################################################
# Start global setup actions  #########################################################################################
#######################################################################################################################

# Ubuntu and Debian each require different dependency packages. Below works ok from Ubuntu 18.04 / Debian 10 and above.
# To adapt this script to other distros, research the correct library package names and reference these with the variable
# names assigned here. See https://guacamole.apache.org/doc/gug/installing-guacamole.html for dependency info.
echo -e "${GREY}Checking linux distro specific dependencies..."
if [[ $OS_FLAVOUR == "ubuntu" ]] || [[ $OS_FLAVOUR == "ubuntu"* ]]; then # potentially expand out distro choices here
	JPEGTURBO="libjpeg-turbo8-dev"
	LIBPNG="libpng-dev"
	# Just in case this repo is not added by default in the distro
	sudo add-apt-repository -y universe &>> ${LOG_LOCATION}
	elif [[ $OS_FLAVOUR == "debian" ]] || [[ $OS_FLAVOUR == "raspbian" ]] ; then # expand distro choices here if required
	JPEGTURBO="libjpeg62-turbo-dev"
	LIBPNG="libpng-dev"
fi
if [ $? -ne 0 ]; then
	echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
	exit 1
else
	echo -e "${LGREEN}OK${GREY}"
fi

# Because the below scripts may be run manually after install, we need to sync them
# with our global variables or any setup prompt choices we made. This way we can run them
# later and they will all work as a set without any manual changes.
sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|GUAC_PWD=|GUAC_PWD='${GUAC_PWD}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|GUAC_DB=|GUAC_DB='${GUAC_DB}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|DB_BACKUP_DIR=|DB_BACKUP_DIR='${DB_BACKUP_DIR}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|BACKUP_EMAIL=|BACKUP_EMAIL='${BACKUP_EMAIL}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|BACKUP_RETENTION=|BACKUP_RETENTION='${BACKUP_RETENTION}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh

# Export the relevant variable selections to child install scripts below
export BACKUP_EMAIL=$BACKUP_EMAIL
export CERT_COUNTRY=$CERT_COUNTRY
export CERT_LOCATION="${CERT_LOCATION}"
export CERT_ORG="${CERT_ORG}"
export CERT_OU="${CERT_OU}"
export CERT_STATE="${CERT_STATE}"
export DOWNLOAD_DIR="${DOWNLOAD_DIR}"
export GUAC_DB=$GUAC_DB
export GUAC_PWD="${GUAC_PWD}"
export GUAC_SOURCE_LINK=$GUAC_SOURCE_LINK
export GUAC_URL=$GUAC_URL
export GUAC_USER=$GUAC_USER
export GUAC_VERSION=$GUAC_VERSION
export INSTALL_DUO=$INSTALL_DUO
export INSTALL_LDAP=$INSTALL_LDAP
export INSTALL_MYSQL=$INSTALL_MYSQL
export INSTALL_TOTP=$INSTALL_TOTP
export JPEGTURBO=$JPEGTURBO
export LE_DNS_NAME=$LE_DNS_NAME
export LE_EMAIL=$LE_EMAIL
export LIBPNG=$LIBPNG
export LOG_LOCATION=$LOG_LOCATION
export MYSQL_HOST=$MYSQL_HOST
export MYSQL_PORT=$MYSQL_PORT
export MYSQL_ROOT_PWD="${MYSQL_ROOT_PWD}"
export MYSQLJCON=$MYSQLJCON
export PROXY_SITE=$PROXY_SITE
export SECURE_MYSQL=$SECURE_MYSQL
export TMP_DIR=$TMP_DIR
export TOMCAT_VERSION=$TOMCAT_VERSION

# Run the Guacamole install script
sudo -E ./2-install-guacamole.sh
if [ $? -ne 0 ]; then
	echo -e "${LRED}2-install-guacamole.sh FAILED. See ${LOG_LOCATION}${GREY}" 1>&2
	exit 1
	else
	echo -e "${LGREEN}Guacamole installation complete\n- Visit: http://${PROXY_SITE}:8080/guacamole\n- Default login (user/pass): guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi

# Add a Guacamole database backup (mon-fri 12:00am) into cron
crontab -l > cron_1
	# Remove existing entry to allow multiple runs
	sed -i '/# backup guacamole/d' cron_1
	# Create the job
	echo "0 0 * * 1-5 ${DOWNLOAD_DIR}/backup-guac.sh # backup guacamole" >> cron_1
# Overwrite the cron settings and cleanup
crontab cron_1
rm cron_1


#######################################################################################################################
# Start optional setup actions   ######################################################################################
#######################################################################################################################

### Install Nginx reverse proxy front end to Guacamole if option is selected
if [ "${INSTALL_NGINX}" = true ]; then
	sudo -E ./3-install-nginx.sh
	echo -e "${LGREEN}Nginx installation complete\n- Site changed to : http://${PROXY_SITE}\n- Default login (user/pass): guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
	fi

### Apply self signed SSL certificates to Nginx reverse proxy if option is selected
if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then
sudo -E ./4a-install-ssl-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS}
echo -e "${LGREEN}Self signed certificates successfully created and configured for Nginx \n- Site changed to : ${LYELLOW}https:${LGREEN}//${PROXY_SITE}\n- Default login (user/pass): guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi

### Apply Let's Encrypt SSL certificates to Nginx reverse proxy if option is selected
if [[ "${INSTALL_NGINX}" = true ]] && [[ "${LETS_ENCRYPT}" = true ]]; then
	sudo -E ./4b-install-ssl-letsencrypt-nginx.sh
echo -e "${LGREEN}Let's Encrypt SSL successfully configured for Nginx \n- Site changed to : ${LYELLOW}https:${LGREEN}//${LE_DNS_NAME}\n- Default login (user/pass): guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi

# Duo Settings reminder - If Duo is selected you can't login to Guacamole at all until this extension is fully configured
if [ $INSTALL_DUO == "true" ]; then
	echo
	echo -e "${LYELLOW}Reminder: Duo requires extra account specific config before you can log in to Guacamole."
	echo -e "See https://guacamole.apache.org/doc/${GUAC_VERSION}/gug/duo-auth.html"
fi

# Final tidy up
echo
echo -e "${LGREEN}FYI, 1-setup.sh was moved to ${USER_HOME_DIR}/guacamole."
mv $USER_HOME_DIR/1-setup.sh $DOWNLOAD_DIR
sudo rm -R $TMP_DIR

# Done
echo
printf "${LGREEN}Guacamole ${GUAC_VERSION} install complete! \n${NC}"
echo -e ${NC}