diff --git a/1-setup.sh b/1-setup.sh index 6781200..192561a 100644 --- a/1-setup.sh +++ b/1-setup.sh @@ -17,7 +17,7 @@ # Scripts with "add" in their name can be run post install to add optional features not included in the main install # If something isn't working: -# tail -f /var/log/syslog /var/log/tomcat*/*.out guac-setup/guacamole_${GUAC_VERSION}_setup.log +# tail -f /var/log/syslog /var/log/tomcat*/*.out guac-setup/guacamole_setup.log # Or for Guacamole debug mode & verbose logs in the console: # sudo systemctl stop guacd && sudo /usr/local/sbin/guacd -L debug -f @@ -70,7 +70,8 @@ fi USER_HOME_DIR=$(eval echo ~${SUDO_USER}) DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup DB_BACKUP_DIR=$USER_HOME_DIR/mysqlbackups -TMP_DIR=$DOWNLOAD_DIR/tmp +mkdir -p $DOWNLOAD_DIR +mkdir -p $DB_BACKUP_DIR # GitHub download branch GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Install/main" 
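Review bot: The two relocated `mkdir -p` calls create `guac-setup` and `mysqlbackups` with whatever the invoking user's umask allows, yet later hunks in this same diff `sed` the install-time `MYSQL_ROOT_PWD` and `GUAC_PWD` as plaintext assignments into `upgrade-guac.sh` and `backup-guac.sh` inside those directories, so with the usual 022 umask any local account can read the database root password. Creating them private from the start, `mkdir -p -m 700 "$DOWNLOAD_DIR"` and `mkdir -p -m 700 "$DB_BACKUP_DIR"`, closes that without affecting the installer, which works in those paths as the same user. Quoting the paths also stops a home directory containing spaces from splitting the argument. Note `-m` only applies when the leaf directory is newly created, so a pre-existing directory would still need an explicit `chmod 700`.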
@@ -87,75 +88,15 @@ GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guac # See https://mariadb.org/mariadb/all-releases/ for available versions. # Provide a specific MySQL version e.g. 11.1.2 or leave blank to use distro default MySQL packages. MYSQL_VERSION="" -if [[ -z "${MYSQL_VERSION}" ]]; then - # Use Linux distro default version. - MYSQLSRV="default-mysql-server default-mysql-client mysql-common" # Server - MYSQLCLIENT="default-mysql-client" # Client - DB_CMD="mysql" # mysql command is depricated -else - # Use official mariadb.org repo - MYSQLSRV="mariadb-server mariadb-client mariadb-common" # Server - MYSQLCLIENT="mariadb-client" # Client - DB_CMD="mariadb" # mysql command is depricated on newer versions -fi - -# Install log Location -INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_${GUAC_VERSION}_setup.log" # Guacamole default install URL GUAC_URL=http://localhost:8080/guacamole/ -# Standardised language used for distro versions and dependencies allows a more maintainable approach should distros diverge. -# Here the variables for OS variant and library dependency names are initialised. -source /etc/os-release -OS_FLAVOUR=$ID -OS_VERSION=$VERSION_ID -OS_CODENAME=$VERSION_CODENAME -JPEGTURBO="" -LIBPNG="" - -# A default route IP and dns search suffix is needed for initial prompts & default starting values. -# Get the default route interface IP +# Get the default route interface IP. Manually update for multi homed systems. 
DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1) -get_domain_suffix() { - echo "$1" | awk '{print $2}' -} -# Search for "search" and "domain" entries in /etc/resolv.conf -search_line=$(grep -E '^search[[:space:]]+' /etc/resolv.conf) -domain_line=$(grep -E '^domain[[:space:]]+' /etc/resolv.conf) -# Check if both "search" and "domain" lines exist -if [[ -n "$search_line" ]] && [[ -n "$domain_line" ]]; then - # Both "search" and "domain" lines exist, extract the domain suffix from both - search_suffix=$(get_domain_suffix "$search_line") - domain_suffix=$(get_domain_suffix "$domain_line") - # Print the domain suffix that appears first - if [[ ${#search_suffix} -lt ${#domain_suffix} ]]; then - DOMAIN_SUFFIX=$search_suffix - else - DOMAIN_SUFFIX=$domain_suffix - fi -elif [[ -n "$search_line" ]]; then - # If only "search" line exists - DOMAIN_SUFFIX=$(get_domain_suffix "$search_line") -elif [[ -n "$domain_line" ]]; then - # If only "domain" line exists - DOMAIN_SUFFIX=$(get_domain_suffix "$domain_line") -else - # If no "search" or "domain" lines found - DOMAIN_SUFFIX="local" -fi -# Setup directory locations -mkdir -p $DOWNLOAD_DIR -mkdir -p $DB_BACKUP_DIR -mkdir -p $TMP_DIR - -# Script branding header -echo -echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup." -echo -e " ${LGREEN}Powered by Itiligent" -echo -echo +# Install log Location +INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_setup.log" ####################################################################################################################### # Silent setup options - true/false or specific values below prevents prompt at install. EDIT TO SUIT ################# 
@@ -200,9 +141,16 @@ RDP_PRINTER_LABEL="RDP Printer" # Custom Windows RDP printer label # Download GitHub setup scripts. To prevent overwrite, COMMENT OUT LINES OF ANY SCRIPTS YOU HAVE EDITED. ############## ####################################################################################################################### +# Script branding header +echo +echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup." +echo -e " ${LGREEN}Powered by Itiligent" +echo +echo + # Download the set of config scripts from GitHub cd $DOWNLOAD_DIR -echo -e "${GREY}Downloading setup files...${DGREY}" +echo -e "${GREY}Downloading the Guacamole build suite...${DGREY}" wget -q --show-progress ${GITHUB}/2-install-guacamole.sh -O 2-install-guacamole.sh wget -q --show-progress ${GITHUB}/3-install-nginx.sh -O 3-install-nginx.sh wget -q --show-progress ${GITHUB}/4a-install-tls-self-signed-nginx.sh -O 4a-install-tls-self-signed-nginx.sh 
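Review bot: The download step this hunk rearranges still fetches every script from the `main` branch with no integrity check and no failure handling, and the results are later `chmod +x`'d and run with `sudo -E` (see the 2-install and 4a invocations further down), so a failed or truncated `wget -O` leaves an empty or partial file that the installer would execute as root; the wget lines themselves are unchanged by the commit, but the gap is worth closing while this section is being reworked. At minimum each fetch should abort on failure, e.g. `wget -q --show-progress "${GITHUB}/2-install-guacamole.sh" -O 2-install-guacamole.sh || { echo -e "${LRED}Download failed${GREY}" 1>&2; exit 1; }`. Pinning `GITHUB` to a release tag or commit SHA instead of `main`, and verifying a published checksum, would keep a mid-update or compromised branch from becoming the installed code.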
@@ -218,34 +166,28 @@ wget -q --show-progress ${GITHUB}/guac-optional-features/add-tls-guac-daemon.sh wget -q --show-progress ${GITHUB}/guac-optional-features/add-fail2ban.sh -O add-fail2ban.sh wget -q --show-progress ${GITHUB}/guac-management/backup-guac.sh -O backup-guac.sh wget -q --show-progress ${GITHUB}/guac-management/upgrade-guac.sh -O upgrade-guac.sh -wget -q --show-progress ${GITHUB}/guac-management/refresh-tls-self-signed.sh -O refresh-tls-self-signed.sh +wget -q --show-progress ${GITHUB}/guac-management/refresh-tls-self-signed.sh -O refresh-tls-self-signed.sh # Download the (customisable) dark theme & branding template wget -q --show-progress ${GITHUB}/branding.jar -O branding.jar chmod +x *.sh -sleep 3 -clear - -# Script branding header -echo -echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup." -echo -e " ${LGREEN}Powered by Itiligent" -echo -echo # Pause here to optionally customise downloaded scripts before any actual install actions have began echo -e "${LYELLOW}Ctrl+Z now to exit now if you wish to customise 1-setup.sh options or to setup an unattended install." echo -echo - -# Lets trigger a sudo prompt here for root credentials needed for the install - this keeps the install menu flow neat -# Set permissions for sudo and non sudo access to tmp setup files -sudo chmod -R 770 $TMP_DIR -sudo chown -R $SUDO_USER:root $TMP_DIR ####################################################################################################################### -# Determine the correct version of Tomcat use ######################################################################### +# Logic for determining desired packages between distros & database options. 
Modify as Linux distros diverge ########## ####################################################################################################################### +# First lets trigger a sudo prompt to cache the admin credentials needed for the next installer steps +sudo apt-get update -qq &>>${INSTALL_LOG} + +# Standardise the language used for distro versions +source /etc/os-release +OS_NAME=$ID +OS_VERSION=$VERSION_ID +OS_CODENAME=$VERSION_CODENAME + # Check for the latest version of Tomcat currently supported by the distro if [[ $(apt-cache show tomcat10 2>/dev/null | egrep "Version: 10" | wc -l) -gt 0 ]]; then TOMCAT_VERSION="tomcat10" 
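Review bot: The new `sudo apt-get update -qq &>>${INSTALL_LOG}` sends its output to the log and ignores its exit status, so a failing refresh (unreachable mirror, broken repo line, no network) goes unnoticed and the `apt-cache show tomcat10` probe that immediately follows runs against a stale or empty cache. Because the commit also removes the `apt-get update` from 2-install-guacamole.sh, this call is now the only package-list refresh before the installs and should fail loudly: `sudo apt-get update -qq &>>${INSTALL_LOG} || { echo -e "${LRED}apt-get update failed. See ${INSTALL_LOG}${GREY}" 1>&2; exit 1; }`. The comment's framing of the call as a way to cache sudo credentials is fine, but the update result still matters and the comment should say both.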
@@ -259,24 +201,79 @@ else fi # Workaround for current Debian 12 & Tomcat 10 incompatibilities -if [[ ${OS_FLAVOUR,,} = "debian" ]] && [[ ${OS_CODENAME,,} = *"bookworm"* ]]; then #(checks for upper and lower case) +if [[ ${OS_NAME,,} = "debian" ]] && [[ ${OS_CODENAME,,} = *"bookworm"* ]]; then #(checks for upper and lower case) # Add the oldstable repo and downgrade tomcat version install echo "deb http://deb.debian.org/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/bullseye.list >/dev/null TOMCAT_VERSION="tomcat9" fi # Workaround for Ubuntu 23.x & Tomcat 10 incompatibilities -if [[ ${OS_FLAVOUR,,} = "ubuntu" ]] && [[ ${OS_CODENAME,,} = *"lunar"* ]]; then #(checks for upper and lower case) +if [[ ${OS_NAME,,} = "ubuntu" ]] && [[ ${OS_CODENAME,,} = *"lunar"* ]]; then #(checks for upper and lower case) TOMCAT_VERSION="tomcat9" fi -# Uncomment to force a specific Tomcat version here. +# Uncomment here to force a specific Tomcat version. # TOMCAT_VERSION="tomcat9" +# Standardise language for the the install of MySQL packages +if [[ -z "${MYSQL_VERSION}" ]]; then + # Use Linux distro default version. 
+ MYSQLSRV="default-mysql-server default-mysql-client mysql-common" # Server + MYSQLCLIENT="default-mysql-client" # Client + DB_CMD="mysql" # mysql command is depricated +else + # Use official mariadb.org repo + MYSQLSRV="mariadb-server mariadb-client mariadb-common" # Server + MYSQLCLIENT="mariadb-client" # Client + DB_CMD="mariadb" # mysql command is depricated on newer versions +fi +# Standardise differing dependency package names and add any extra distro repositories for these if needed +# Current package names for various distros are referenced at https://guacamole.apache.org/doc/gug/installing-guacamole.html +JPEGTURBO="" +LIBPNG="" +if [[ $OS_NAME == "ubuntu" ]] || [[ $OS_NAME == *"ubuntu"* ]]; then # potentially expand out distro choices here + JPEGTURBO="libjpeg-turbo8-dev" + LIBPNG="libpng-dev" + # Just in case this repo is not added by default in the distro + sudo add-apt-repository -y universe &>>${INSTALL_LOG} +elif [[ $OS_NAME == "debian" ]] || [[ $OS_NAME == "raspbian" ]]; then # expand distro choices here if required + JPEGTURBO="libjpeg62-turbo-dev" + LIBPNG="libpng-dev" +fi + ####################################################################################################################### -# DO NOT EDIT PAST THIS POINT ######################################################################################### +# DO NOT EDIT PAST THIS POINT! ######################################################################################## ####################################################################################################################### +# A default dns suffix is needed for initial prompts & default starting values. 
+get_domain_suffix() { + echo "$1" | awk '{print $2}' +} +# Search for "search" and "domain" entries in /etc/resolv.conf +search_line=$(grep -E '^search[[:space:]]+' /etc/resolv.conf) +domain_line=$(grep -E '^domain[[:space:]]+' /etc/resolv.conf) +# Check if both "search" and "domain" lines exist +if [[ -n "$search_line" ]] && [[ -n "$domain_line" ]]; then + # Both "search" and "domain" lines exist, extract the domain suffix from both + search_suffix=$(get_domain_suffix "$search_line") + domain_suffix=$(get_domain_suffix "$domain_line") + # Print the domain suffix that appears first + if [[ ${#search_suffix} -lt ${#domain_suffix} ]]; then + DOMAIN_SUFFIX=$search_suffix + else + DOMAIN_SUFFIX=$domain_suffix + fi +elif [[ -n "$search_line" ]]; then + # If only "search" line exists + DOMAIN_SUFFIX=$(get_domain_suffix "$search_line") +elif [[ -n "$domain_line" ]]; then + # If only "domain" line exists + DOMAIN_SUFFIX=$(get_domain_suffix "$domain_line") +else + # If no "search" or "domain" lines found + DOMAIN_SUFFIX="local" +fi + ####################################################################################################################### # Begin install menu prompts ########################################################################################## ####################################################################################################################### 
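Review bot: The relocated dependency block runs `sudo add-apt-repository -y universe &>>${INSTALL_LOG}` with no status check; in its old position (the lines removed further down in this diff) it was at least followed by an `if [[ $? -ne 0 ]]` test, and the move dropped that, so a failed repository add now only surfaces later as a confusing package-not-found error during the install. Restore it inline: `sudo add-apt-repository -y universe &>>${INSTALL_LOG} || { echo -e "${LRED}Failed to add the universe repo. See ${INSTALL_LOG}${GREY}" 1>&2; exit 1; }`. Separately, the moved `get_domain_suffix` selection comment says it prints the suffix that "appears first" while the code compares `${#search_suffix} -lt ${#domain_suffix}` and keeps the shorter value; the comment should read `# Prefer the shorter of the two suffixes` so the next maintainer does not "fix" the code to match the comment.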
@@ -353,19 +350,10 @@ if [[ -z ${RDP_SHARE_HOST} ]]; then RDP_SHARE_HOST=$SERVER_NAME fi -clear - -# Script branding header -echo -echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup." -echo -e " ${LGREEN}Powered by Itiligent" -echo -echo - # Prompt the user to install MySQL echo -e "${LGREEN}MySQL setup options:${GREY}" if [[ -z ${INSTALL_MYSQL} ]]; then - echo -e -n "SQL: Install MySQL locally? (to use a remote MySQL Server select 'n') [Y/n] [default y]: ${GREY}" + echo -e -n "SQL: Install MySQL locally? (For a REMOTE MySQL server select 'n') [Y/n] [default y]: ${GREY}" read PROMPT if [[ ${PROMPT} =~ ^[Nn]$ ]]; then INSTALL_MYSQL=false @@ -385,18 +373,6 @@ if [[ -z ${SECURE_MYSQL} ]] && [[ "${INSTALL_MYSQL}" = true ]]; then fi fi -# Prompt the user to apply the Mysql secure installation to remote db -# This may be problematic on remote databases (for one-script upgrades) as this addition removes remote root login access - a good thing. -#if [[ -z ${SECURE_MYSQL} ]] && [[ "${INSTALL_MYSQL}" = false ]]; then -# echo -e -n "${GREY}SQL: Apply MySQL secure installation settings to REMOTE db? [y/N] [default n]: ${GREY}" -# read PROMPT -# if [[ ${PROMPT} =~ ^[Yy]$ ]]; then -# SECURE_MYSQL=true -# else -# SECURE_MYSQL=false -# fi -#fi - # Get additional MYSQL values if [[ "${INSTALL_MYSQL}" = false ]]; then [[ -z "${MYSQL_HOST}" ]] && @@ -425,7 +401,6 @@ if [[ -z "${GUAC_USER}" ]]; then GUAC_USER="guacamole_user" fi -echo -e ${LMAGENTA} # Get MySQL root password, confirm correct password entry and prevent blank passwords. No root pw needed for remote instances. if [[ -z "${MYSQL_ROOT_PWD}" ]] && [[ "${INSTALL_MYSQL}" = true ]]; then while true; do @@ -438,7 +413,6 @@ if [[ -z "${MYSQL_ROOT_PWD}" ]] && [[ "${INSTALL_MYSQL}" = true ]]; then done fi -echo -e ${LCYAN} # Get Guacamole User password, confirm correct password entry and prevent blank passwords if [[ -z "${GUAC_PWD}" ]]; then while true; do 
@@ -451,7 +425,6 @@ if [[ -z "${GUAC_PWD}" ]]; then done fi -echo -e ${GREY} # Prompt for preferred backup notification email address if [[ -z ${BACKUP_EMAIL} ]]; then while true; do @@ -533,6 +506,7 @@ if [[ -z "${INSTALL_HISTREC}" ]]; then INSTALL_HISTREC=false fi fi + HISTREC_PATH_DEFAULT=/var/lib/guacamole/recordings # Apache default if [[ -z ${HISTREC_PATH} ]] && [[ "${INSTALL_HISTREC}" = true ]]; then while true; do @@ -540,6 +514,7 @@ if [[ -z ${HISTREC_PATH} ]] && [[ "${INSTALL_HISTREC}" = true ]]; then [[ "${HISTREC_PATH}" = "" ]] || [[ "${HISTREC_PATH}" != "" ]] && break done fi + # If no custom path is given, lets assume the default path on hitting enter if [[ -z "${HISTREC_PATH}" ]]; then HISTREC_PATH="${HISTREC_PATH_DEFAULT}" @@ -561,7 +536,7 @@ fi # Prompt to remove the trailing /guacamole dir from the default front end url if [[ "${INSTALL_NGINX}" = false ]]; then - echo -e -n "FRONT END: Shorten Guacamole root url to *:8080 (& redirect to /guacamole ) [Y/n]? [default y]: " + echo -e -n "FRONT END: Redirect the Tomcat http root url to /guacamole [Y/n]? [default y]: " read PROMPT if [[ ${PROMPT} =~ ^[Nn]$ ]]; then GUAC_URL_REDIR=false @@ -573,7 +548,7 @@ fi # We must assign a DNS name for the new proxy site if [[ -z ${PROXY_SITE} ]] && [[ "${INSTALL_NGINX}" = true ]]; then while true; do - read -p "FRONT END: Enter proxy local DNS name? [Enter to use ${DEFAULT_FQDN}]: " PROXY_SITE + read -p "FRONT END: Enter proxy LOCAL DNS name? [Enter to use ${DEFAULT_FQDN}]: " PROXY_SITE [[ "${PROXY_SITE}" = "" ]] || [[ "${PROXY_SITE}" != "" ]] && break # Rather than allow the default value below, un-comment to alternately force user to enter an explicit name instead # [[ "${PROXY_SITE}" != "" ]] && break 
@@ -598,7 +573,7 @@ if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then fi fi -# Optional prompt to assign the self sign TLS certificate a custom expiry date, un-comment to force a manual entry +# Optional prompt to manually enter a self sign TLS certificate expiry date, un-comment to force manual entry #if [[ "${SELF_SIGN}" = true ]]; then # read - p "PROXY: Enter number of days till TLS certificate expires [default 3650]: " CERT_DAYS #fi @@ -622,7 +597,7 @@ fi # Prompt for Let's Encrypt public dns name if [[ -z ${LE_DNS_NAME} ]] && [[ "${LETS_ENCRYPT}" = true ]]; then while true; do - read -p "FRONT END: Enter the FQDN for your public proxy site : " LE_DNS_NAME + read -p "FRONT END: Enter the PUBLIC FQDN for your proxy site : " LE_DNS_NAME [[ "${LE_DNS_NAME}" != "" ]] && break echo -e "${LRED}You must enter a public DNS name. Please try again.${GREY}" 1>&2 done @@ -641,9 +616,6 @@ fi # Start global setup actions ######################################################################################### ####################################################################################################################### -# Ubuntu and Debian each require different dependency packages. -# To adapt this script to other distros, research the correct library package names and reference these with their variable -# names shown here: https://guacamole.apache.org/doc/gug/installing-guacamole.html clear echo echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup." 
@@ -653,25 +625,10 @@ echo echo -e "${LGREEN}Beginning Guacamole setup...${GREY}" echo -echo -e "${GREY}Checking Linux distro specific dependencies..." -if [[ $OS_FLAVOUR == "ubuntu" ]] || [[ $OS_FLAVOUR == *"ubuntu"* ]]; then # potentially expand out distro choices here - JPEGTURBO="libjpeg-turbo8-dev" - LIBPNG="libpng-dev" - # Just in case this repo is not added by default in the distro - sudo add-apt-repository -y universe &>>${INSTALL_LOG} -elif [[ $OS_FLAVOUR == "debian" ]] || [[ $OS_FLAVOUR == "raspbian" ]]; then # expand distro choices here if required - JPEGTURBO="libjpeg62-turbo-dev" - LIBPNG="libpng-dev" -fi -if [[ $? -ne 0 ]]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 -else - echo -e "${LGREEN}OK${GREY}" - echo -fi +echo -e "${GREY}Synchronising the install script suite with selected settings for later standalone use..." # Sync the various manual config scripts with the relevant variables selected at install +# This way scripts can be run at a later time without modification to match the original install sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/backup-guac.sh 
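Review bot: The new comment explaining the sync step should state what it actually leaves on disk: the `sed -i` substitutions it introduces copy the install-time values, including `MYSQL_ROOT_PWD` and `GUAC_PWD`, into `upgrade-guac.sh` (and, judging by the matching `GUAC_USER` line, likely `backup-guac.sh`) under `$DOWNLOAD_DIR` as plaintext shell assignments. A reader of "scripts can be run at a later time without modification" will not expect a database root password to be sitting in a home subdirectory created with the default umask. I would extend the comment with `# NOTE: this writes MYSQL_ROOT_PWD and GUAC_PWD in plaintext into upgrade-guac.sh / backup-guac.sh - keep $DOWNLOAD_DIR and $DB_BACKUP_DIR readable by this user only`.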
@@ -696,6 +653,22 @@ sed -i "s|MYSQL_ROOT_PWD=|MYSQL_ROOT_PWD='${MYSQL_ROOT_PWD}'|g" $DOWNLOAD_DIR/up sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guac.sh sed -i "s|GUAC_PWD=|GUAC_PWD='${GUAC_PWD}'|g" $DOWNLOAD_DIR/upgrade-guac.sh +sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/3-install-nginx.sh +sed -i "s|INSTALL_LOG=|INSTALL_LOG='${INSTALL_LOG}'|g" $DOWNLOAD_DIR/3-install-nginx.sh +sed -i "s|GUAC_URL=|GUAC_URL='${GUAC_URL}'|g" $DOWNLOAD_DIR/3-install-nginx.sh + +sed -i "s|DOWNLOAD_DIR=|DOWNLOAD_DIR='${DOWNLOAD_DIR}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh +sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh +sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh +sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh +sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh +sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh +sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh +sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh +sed -i "s|GUAC_URL=|GUAC_URL='${GUAC_URL}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh +sed -i "s|INSTALL_LOG=|INSTALL_LOG='${INSTALL_LOG}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh +sed -i "s|DEFAULT_IP=|DEFAULT_IP='${DEFAULT_IP}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh + sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh 
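Review bot: The new `CERT_LOCATION` line for 4a-install-tls-self-signed-nginx.sh expands `${CERT_LOCATION=}` rather than `${CERT_LOCATION}`; the `=` form is bash's assign-default operator, which silently sets the variable to empty when it is unset, and it differs from the `refresh-tls-self-signed.sh` line a few rows below. Change it to `sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh`. More generally these substitutions interpolate user-entered values straight into a sed expression and a single-quoted shell literal, so a `PROXY_SITE`, `CERT_ORG` or password containing `|`, `&`, `\` or `'` either fails the sed or produces a syntactically broken child script; rejecting those characters at the prompts, or escaping them before the sed, would make the sync robust. The `g` flag with an unanchored `PROXY_SITE=` pattern will also rewrite any other occurrence of that text in the target, such as an `export PROXY_SITE=` line, so anchoring the pattern with `^` is safer if each target is meant to have exactly one such assignment.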
@@ -705,9 +678,24 @@ sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/refresh-tls-se sed -i "s|DEFAULT_IP=|DEFAULT_IP='${DEFAULT_IP}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh -# Export the relevant variable selections to child install scripts +sed -i "s|DOWNLOAD_DIR=|DOWNLOAD_DIR='${DOWNLOAD_DIR}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh +sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh +sed -i "s|GUAC_URL=|GUAC_URL='${GUAC_URL}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh +sed -i "s|LE_DNS_NAME=|LE_DNS_NAME='${LE_DNS_NAME}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh +sed -i "s|LE_EMAIL=|LE_EMAIL='${LE_EMAIL}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh +sed -i "s|INSTALL_LOG=|INSTALL_LOG='${INSTALL_LOG}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh + +sed -i "s|LOCAL_DOMAIN=|LOCAL_DOMAIN='${LOCAL_DOMAIN}'|g" $DOWNLOAD_DIR/add-smtp-relay-o365.sh +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 +else + echo -e "${LGREEN}OK${GREY}" + echo +fi + +# For flexibility, export the relevant variable selections to child install scripts export DOWNLOAD_DIR="${DOWNLOAD_DIR}" -export TMP_DIR=$TMP_DIR export GUAC_VERSION=$GUAC_VERSION export GUAC_SOURCE_LINK=$GUAC_SOURCE_LINK export MYSQLJCON=$MYSQLJCON @@ -716,8 +704,8 @@ export MYSQLSRV=$MYSQLSRV export MYSQLCLIENT=$MYSQLCLIENT export DB_CMD=$DB_CMD export TOMCAT_VERSION=$TOMCAT_VERSION -export INSTALL_LOG=$INSTALL_LOG export GUAC_URL=$GUAC_URL +export INSTALL_LOG=$INSTALL_LOG export JPEGTURBO=$JPEGTURBO export LIBPNG=$LIBPNG export INSTALL_MYSQL=$INSTALL_MYSQL 
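Review bot: The `if [[ $? -ne 0 ]]` added after the sync block only inspects the last command, `sed -i ... add-smtp-relay-o365.sh`, so a failure in any of the roughly twenty preceding substitutions (most plausibly a target script that did not download, which makes GNU `sed -i` error with "can't read") is never reported and the installer proceeds with an unsynced script. Either check each sed or route them through a small helper that aborts on the first failure, as sketched below; the sketch keeps the existing pattern and `g` flag so behaviour is otherwise unchanged, and the success branch stays as it is.
```shell
# Inject an install-time value into a downloaded script, aborting on the first failure
# instead of relying on a single $? check after the last sed.
sync_var() {
  sed -i "s|$1=|$1='$2'|g" "$3" || { echo -e "${LRED}Failed to set $1 in $3. See ${INSTALL_LOG}${GREY}" 1>&2; exit 1; }
}
sync_var DOWNLOAD_DIR "${DOWNLOAD_DIR}" "$DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh"
sync_var PROXY_SITE "${PROXY_SITE}" "$DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh"
# … unchanged: remaining substitutions, each expressed as a sync_var call …
sync_var LOCAL_DOMAIN "${LOCAL_DOMAIN}" "$DOWNLOAD_DIR/add-smtp-relay-o365.sh"
echo -e "${LGREEN}OK${GREY}"
echo
```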
@@ -738,17 +726,20 @@ export HISTREC_PATH="${HISTREC_PATH}" export GUAC_URL_REDIR=$GUAC_URL_REDIR export INSTALL_NGINX=$INSTALL_NGINX export PROXY_SITE=$PROXY_SITE +export DEFAULT_IP=$DEFAULT_IP export CERT_COUNTRY=$CERT_COUNTRY export CERT_STATE="${CERT_STATE}" export CERT_LOCATION="${CERT_LOCATION}" export CERT_ORG="${CERT_ORG}" export CERT_OU="${CERT_OU}" +export CERT_DAYS=$CERT_DAYS export LE_DNS_NAME=$LE_DNS_NAME export LE_EMAIL=$LE_EMAIL export BACKUP_EMAIL=$BACKUP_EMAIL export RDP_SHARE_HOST="${RDP_SHARE_HOST}" export RDP_SHARE_LABEL="${RDP_SHARE_LABEL}" export RDP_PRINTER_LABEL="${RDP_PRINTER_LABEL}" +export LOCAL_DOMAIN=$LOCAL_DOMAIN # Run the Guacamole install script sudo -E ./2-install-guacamole.sh @@ -761,14 +752,14 @@ else echo -e "${LGREEN}Guacamole install complete\nhttp://${PROXY_SITE}:8080/guacamole - login user/pass: guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" fi -# Add a Guacamole database backup (mon-fri 12:00am) into cron +# Add a Guacamole database backup (mon-fri 12:00am) into the current user's cron mv $DOWNLOAD_DIR/backup-guac.sh $DB_BACKUP_DIR crontab -l >cron_1 -# Remove any existing entry +# Remove any existing entry just in case sed -i '/# backup guacamole/d' cron_1 -# Create the job +# Create the backup job echo "0 0 * * 1-5 ${DB_BACKUP_DIR}/backup-guac.sh # backup guacamole" >>cron_1 -# Overwrite the cron settings and cleanup +# Overwrite the old cron settings and cleanup crontab cron_1 rm cron_1 
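Review bot: The three exports added here, `export DEFAULT_IP=$DEFAULT_IP`, `export CERT_DAYS=$CERT_DAYS` and `export LOCAL_DOMAIN=$LOCAL_DOMAIN`, leave the value unquoted while the adjacent `CERT_STATE`, `CERT_LOCATION` and `RDP_*` exports quote theirs, which makes the list read as if quoting were significant on some lines and not others. Bash treats `export NAME=value` as an assignment and does not word-split the value, so this is style rather than a bug, but following the surrounding convention (`export DEFAULT_IP="${DEFAULT_IP}"`) keeps the block uniform and would survive a move to plain `sh`. `LOCAL_DOMAIN` is not assigned anywhere in the hunks shown; if it is set in the prompt section that is fine, otherwise this exports an empty value and the matching sed in the previous hunk writes `LOCAL_DOMAIN=''` into add-smtp-relay-o365.sh.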
@@ -784,7 +775,7 @@ fi # Apply self signed TLS certificates to Nginx reverse proxy if option is selected if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then - sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} | tee -a ${INSTALL_LOG} + sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} ${DEFAULT_IP} | tee -a ${INSTALL_LOG} echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" fi @@ -809,12 +800,7 @@ if [[ $INSTALL_LDAP == "true" ]]; then fi # Tidy up. (Installer and Nginx scripts can't be run again or standalone without modification, so removing.) -rm -rf $USER_HOME_DIR/1-setup.sh -rm -f 2-install-guacamole.sh -rm -f 3-install-nginx.sh -rm -f 4a-install-tls-self-signed-nginx.sh -rm -f 4b-install-tls-letsencrypt-nginx.sh -sudo rm -rf $TMP_DIR +mv $USER_HOME_DIR/1-setup.sh $DOWNLOAD_DIR apt-get -y autoremove &>>${INSTALL_LOG} # Done diff --git a/2-install-guacamole.sh b/2-install-guacamole.sh index 6ab576e..1eb1e91 100644 --- a/2-install-guacamole.sh +++ b/2-install-guacamole.sh @@ -33,7 +33,6 @@ fi # Update everything but don't do the annoying prompts during apt installs echo -e "${GREY}Updating base Linux OS..." export DEBIAN_FRONTEND=noninteractive -apt-get update -qq &>>${INSTALL_LOG} apt-get upgrade -qq -y &>>${INSTALL_LOG} if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 @@ -43,7 +42,7 @@ else echo fi -# Install Guacamole build dependencies. +# Install official MariaDB repo and MariaDB version if a specific version number was provided. if [[ -n "${MYSQL_VERSION}" ]]; then echo -e "${GREY}Adding the official MariaDB repository and installing version ${MYSQL_VERSION}..." # Add the Official MariaDB repo. 
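Review bot: The tidy-up comment above the new `mv $USER_HOME_DIR/1-setup.sh $DOWNLOAD_DIR` still reads `# Tidy up. (Installer and Nginx scripts can't be run again or standalone without modification, so removing.)`, but the commit now does the opposite: nothing is removed, 1-setup.sh is kept alongside the downloaded scripts, and 3-install-nginx.sh gains explicit standalone support elsewhere in this diff. Update it to match, e.g. `# Tidy up. Keep the whole suite in $DOWNLOAD_DIR; the scripts were synced with the install-time values above (including DB credentials) so they can be re-run standalone.` The `apt-get -y autoremove &>>${INSTALL_LOG}` that follows runs without `sudo`, unlike the other package operations in this script, so unless 1-setup.sh itself is run as root it fails silently into the log; that line is unchanged by the commit but worth a look while here.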
@@ -59,6 +58,7 @@ if [[ -n "${MYSQL_VERSION}" ]]; then fi fi +# Install Guacamole build dependencies. echo -e "${GREY}Installing dependencies required for building Guacamole, this might take a few minutes..." apt-get -qq -y install ${MYSQLPKG} ${TOMCAT_VERSION} ${JPEGTURBO} ${LIBPNG} ufw pwgen wget expect \ build-essential libcairo2-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev \ @@ -137,7 +137,6 @@ if [[ "${INSTALL_TOTP}" = true ]]; then exit 1 else tar -xzf guacamole-auth-totp-${GUAC_VERSION}.tar.gz - rm -f add-auth-totp.sh echo -e "${LGREEN}Downloaded guacamole-auth-totp-${GUAC_VERSION}.tar.gz${GREY}" fi fi @@ -151,7 +150,6 @@ if [[ "${INSTALL_DUO}" = true ]]; then exit 1 else tar -xzf guacamole-auth-duo-${GUAC_VERSION}.tar.gz - rm -f add-auth-duo.sh echo -e "${LGREEN}Downloaded guacamole-auth-duo-${GUAC_VERSION}.tar.gz${GREY}" fi fi @@ -165,7 +163,6 @@ if [[ "${INSTALL_LDAP}" = true ]]; then exit 1 else tar -xzf guacamole-auth-ldap-${GUAC_VERSION}.tar.gz - rm -f add-auth-ldap.sh echo -e "${LGREEN}Downloaded guacamole-auth-ldap-${GUAC_VERSION}.tar.gz${GREY}" fi fi @@ -179,7 +176,6 @@ if [[ "${INSTALL_QCONNECT}" = true ]]; then exit 1 else tar -xzf guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz - rm -f add-xtra-quickconnect.sh echo -e "${LGREEN}Downloaded guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz${GREY}" fi fi @@ -194,7 +190,6 @@ if [[ "${INSTALL_HISTREC}" = true ]]; then exit 1 else tar -xzf guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz - rm -f add-xtra-histrecstor.sh echo -e "${LGREEN}Downloaded guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz${GREY}" fi fi @@ -433,6 +428,7 @@ fi # Set Tomcat to start at boot systemctl enable ${TOMCAT_VERSION} +# Begin the MySQL database config if this is a local MYSQL install only. if [[ "${INSTALL_MYSQL}" = true ]]; then # Set MySQL password export MYSQL_PWD=${MYSQL_ROOT_PWD} 
@@ -493,10 +489,9 @@ ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PWD';" echo fi - # This should stay as localhost in most local MySQL install situations. This setting determine from WHERE the new ${GUAC_USER} - # will be able to login to the database (either specific remote IPs or localhost only.) - # However this setting can be quick and hacky way to build a backend guacamole database server for use behind another guac application server - # (albeit with the full application suite installed). To do this, set GUAC_USERHost="%" for login access from all IPs, or e.g. 192.168.1.% for an IP range. + # This should stay as localhost in most local MySQL install situations. This setting determines from WHERE the new ${GUAC_USER} + # will be able to login to the database (either from specific remote IPs or from localhost only.) + # However this setting can be a quick and hacky way to build a backend guacamole database server for use behind another guac application server, albeit with the full application suite installed). To do this, set GUAC_USERHost="%" for login access from all IPs, (or e.g. 192.168.1.% for an IP range.) # You will also need to set the MySQL binding away from the default 127.0.0.1 to 0.0.0.0 or a specific external facing network interface to allow remote login. if [[ "${MYSQL_HOST}" != "localhost" ]]; then GUAC_USERHost="%" @@ -581,7 +576,7 @@ if [[ "${INSTALL_MYSQL}" = true ]]; then fi fi -# Create guacd.conf and locahost IP binding. +# Create guacd.conf and localhost IP binding. echo -e "${GREY}Binding guacd to 127.0.0.1 port 4822..." cat >/etc/guacamole/guacd.conf <<-"EOF" [server] 
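Review bot: The reworded comment still presents `GUAC_USERHost="%"` as something an operator opts into for a deliberate backend-database build ("To do this, set GUAC_USERHost=..."), but the code directly below applies `%` automatically whenever `MYSQL_HOST` is anything other than the literal `localhost`, so a local install that simply entered the host's own name or IP ends up with a Guacamole DB account accepting logins from any address. The comment should describe what the code does, and the default should be narrower: bind the grant to the specific address or subnet of the application server that will connect, or prompt for it, and keep `%` as an explicit, documented override. The new text also has an unbalanced parenthesis in "application server, albeit with the full application suite installed)" that should be closed or dropped.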
@@ -609,8 +604,9 @@ else echo fi -if [[ "${GUAC_URL_REDIR}" = true ]]; then - echo -e "${GREY}Shortening the Guacamole root url and setting up redirect...${DGREY}" +# Redirect the Tomcat URL to its root to avoid typing the extra /guacamole path (if not using a reverse proxy) +if [[ "${GUAC_URL_REDIR}" = true ]] && [[ "${INSTALL_NGINX}" = false ]]; then + echo -e "${GREY}Redirecting the Tomcat http root url to /guacamole...${DGREY}" systemctl stop ${TOMCAT_VERSION} mv /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html.old touch /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp @@ -625,14 +621,14 @@ if [[ "${GUAC_URL_REDIR}" = true ]]; then fi fi +# Update Linux firewall echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 8080..." -sudo ufw default allow outgoing >/dev/null 2>&1 -sudo ufw default deny incoming >/dev/null 2>&1 -sudo ufw allow OpenSSH >/dev/null 2>&1 -sudo ufw allow 8080/tcp >/dev/null 2>&1 +ufw default allow outgoing >/dev/null 2>&1 +ufw default deny incoming >/dev/null 2>&1 +ufw allow OpenSSH >/dev/null 2>&1 +ufw allow 8080/tcp >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1 -# Reduce firewall logging noise -sudo ufw logging off >/dev/null 2>&1 +ufw logging off >/dev/null 2>&1 # Reduce firewall logging noise if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 exit 1 @@ -642,16 +638,10 @@ else fi # Cleanup -echo -e "${GREY}Cleanup install files...${GREY}" +echo -e "${GREY}Cleaning up Guacamole source files...${GREY}" rm -rf guacamole-* rm -rf mysql-connector-j-* rm -rf mariadb_repo_setup -if [[ "${INSTALL_NGINX}" = false ]]; then - rm -f 3-install-nginx.sh - rm -f 4a-install-tls-self-signed-nginx.sh - rm -f 4b-install-tls-letsencrypt-nginx.sh - rm -f refresh-tls-self-signed.sh -fi unset MYSQL_PWD apt-get -y remove expect &>>${INSTALL_LOG} if [[ $? -ne 0 ]]; then diff --git a/3-install-nginx.sh b/3-install-nginx.sh index fcfd1dc..97f6e32 100644 
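Review bot: `ufw logging off` disables firewall logging entirely on a host that is being built as an Internet-facing jump server; with it off there is no record of blocked connection attempts for the fail2ban add-on this suite ships, for incident response or for forensics, and the "reduce noise" goal in the comment is already met by `ufw logging low`, which logs blocked packets rate-limited rather than every allowed one. I would change the line to `ufw logging low >/dev/null 2>&1 # Log blocked packets only (rate-limited) to keep noise down`. Note also that the `if [[ $? -ne 0 ]]` after it only reflects this logging command, not the `ufw allow`/`ufw enable` calls above, and `echo "y" | sudo ufw enable` keeps a `sudo` the rest of the hunk removes; `ufw --force enable` does the same without the pipe.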
--- a/3-install-nginx.sh +++ b/3-install-nginx.sh @@ -7,6 +7,9 @@ # August 2023 ####################################################################################################################### +# If run as standalone and not from the main installer script, check the below variables are correct. +# To run standalone: sudo -E ./3-install-nginx.sh + # Prepare text output colours GREY='\033[0;37m' DGREY='\033[0;90m' @@ -16,13 +19,26 @@ LGREEN='\033[0;92m' LYELLOW='\033[0;93m' NC='\033[0m' #No Colour +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 + exit 1 +fi + echo echo echo -e "${LGREEN}Installing Nginx...${DGREY}" echo +TOMCAT_VERSION=$(ls /etc/ | grep tomcat) +# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank) +PROXY_SITE= +INSTALL_LOG= +GUAC_URL= + # Install Nginx -sudo apt-get install nginx -qq -y &>>${INSTALL_LOG} +apt-get update -qq &>>${INSTALL_LOG} +apt-get install nginx -qq -y &>>${INSTALL_LOG} echo -e "${GREY}Configuring Nginx as a reverse proxy for Guacamole's Apache Tomcat front end...${DGREY}" # Configure /etc/nginx/sites-available/(local dns site name) @@ -52,8 +68,8 @@ else fi # Force nginx to require tls1.2 and above -sudo sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf -sudo sed -i "/SSL Settings/a \ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE" /etc/nginx/nginx.conf +sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf +sed -i "/SSL Settings/a \ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE" /etc/nginx/nginx.conf # Symlink from sites-available to sites-enabled ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/ 
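Review bot: The new `TOMCAT_VERSION=$(ls /etc/ | grep tomcat)` unconditionally overwrites the `TOMCAT_VERSION` that 1-setup.sh exports (it is in the export list earlier in this diff, and the new header recommends `sudo -E`, which preserves it where the sudoers policy allows), and it yields a multi-word value if more than one `tomcat*` entry exists under /etc, which then breaks the `sed -i ... /etc/$TOMCAT_VERSION/server.xml` and `systemctl restart $TOMCAT_VERSION` lines later in this file. The placeholder assignments `PROXY_SITE=`, `INSTALL_LOG=`, `GUAC_URL=` are fine as sed targets, but nothing rejects an empty `PROXY_SITE`, and with it empty the `ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/` at the end of this hunk symlinks the whole sites-available directory. The sketch below prefers the inherited value, takes a single match otherwise, and fails fast on an empty site name; the placeholder lines themselves are left untouched so the 1-setup.sh sed patterns still match.
```shell
# Prefer the TOMCAT_VERSION exported by 1-setup.sh; only probe /etc when run standalone,
# and take a single match so a leftover tomcat9 + tomcat10 pair cannot yield two words.
if [[ -z "${TOMCAT_VERSION}" ]]; then
  TOMCAT_VERSION=$(ls /etc/ | grep -m1 '^tomcat[0-9]*$')
fi
# … unchanged: PROXY_SITE= / INSTALL_LOG= / GUAC_URL= placeholders filled by 1-setup.sh …
# Refuse to configure Nginx without a site name rather than symlinking all of sites-available.
: "${PROXY_SITE:?PROXY_SITE is empty - set it above or run via 1-setup.sh}"
```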
@@ -63,7 +79,7 @@ unlink /etc/nginx/sites-enabled/default # Do mandatory Nginx tweaks for logging actual client IPs through a proxy IP of 127.0.0.1 - DO NOT CHANGE COMMAND FORMATING! echo -e "${GREY}Configuring Apache Tomcat valve for pass through of client IPs to Guacamole logs...${GREY}" -sudo sed -i '/pattern="%h %l %u %t "%r" %s %b"/a \ \n ' /etc/$TOMCAT_VERSION/server.xml +sed -i '/pattern="%h %l %u %t "%r" %s %b"/a \ \n ' /etc/$TOMCAT_VERSION/server.xml if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 exit 1 @@ -73,8 +89,8 @@ else fi # Allow large file transfers through Nginx -sudo sed -i '/client_max_body_size/d' /etc/nginx/nginx.conf # remove this line if it already exists to prevent duplicates -sudo sed -i "/Basic Settings/a \ client_max_body_size 100000000M;" /etc/nginx/nginx.conf # Add the larger file transfer size +sed -i '/client_max_body_size/d' /etc/nginx/nginx.conf # remove this line if it already exists to prevent duplicates +sed -i "/Basic Settings/a \ client_max_body_size 100000000M;" /etc/nginx/nginx.conf # Add the larger file transfer size echo -e "${GREY}Boosting Nginx's 'maximum body size' parameter to allow large file transfers...${GREY}" if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 
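Review bot: In the second hunk the `if [[ $? -ne 0 ]]` tests the exit status of the `echo -e "${GREY}Boosting Nginx's 'maximum body size' ..."` line rather than the two `sed -i` edits above it, so a failed nginx.conf edit is reported as OK. Move the echo above the two sed commands so the check sees the last sed, matching the shape of the first hunk where the check directly follows the `sed -i` on server.xml.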
@@ -86,11 +102,11 @@ fi # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network. echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..." -sudo ufw default allow outgoing >/dev/null 2>&1 -sudo ufw default deny incoming >/dev/null 2>&1 -sudo ufw allow OpenSSH >/dev/null 2>&1 -sudo ufw allow 80/tcp >/dev/null 2>&1 -sudo ufw delete allow 8080/tcp >/dev/null 2>&1 +ufw default allow outgoing >/dev/null 2>&1 +ufw default deny incoming >/dev/null 2>&1 +ufw allow OpenSSH >/dev/null 2>&1 +ufw allow 80/tcp >/dev/null 2>&1 +ufw delete allow 8080/tcp >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1 if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 @@ -102,9 +118,9 @@ fi # Reload everything echo -e "${GREY}Restaring Guacamole & Ngnix..." -sudo systemctl restart $TOMCAT_VERSION -sudo systemctl restart guacd -sudo systemctl restart nginx +systemctl restart $TOMCAT_VERSION +systemctl restart guacd +systemctl restart nginx if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 exit 1 diff --git a/4a-install-tls-self-signed-nginx.sh b/4a-install-tls-self-signed-nginx.sh index cc1efdf..9d9766c 100644 --- a/4a-install-tls-self-signed-nginx.sh +++ b/4a-install-tls-self-signed-nginx.sh 
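Review bot: In the restart hunk `if [[ $? -ne 0 ]]` only sees the result of `systemctl restart nginx`; failures of the preceding `systemctl restart $TOMCAT_VERSION` and `systemctl restart guacd` are lost, and `$TOMCAT_VERSION` is unquoted. Chain them so any failure reaches the check: `systemctl restart "$TOMCAT_VERSION" && systemctl restart guacd && systemctl restart nginx`. The same three-line restart sequence is in 4a-install-tls-self-signed-nginx.sh and 4b-install-tls-letsencrypt-nginx.sh.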
@@ -7,6 +7,14 @@ # April 2023 ####################################################################################################################### +# This script can be run multiple times to either install or update TLS settings and certificates. + +# Change the name of the site or add/renew TLS certs by specifying command line arguments [dns.name] [cert-lifetime] [IP] +# e.g. sudo -E ./4a-install-tls-self-signed-nginx.sh proxy.domain.local 365 192.168.1.50 + +# Alternatively, run the script without any command arguments and the default variables below will apply +# e.g. sudo - E ./4a-install-tls-self-signed-nginx.sh + # Prepare text output colours GREY='\033[0;37m' DGREY='\033[0;90m' 
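Review bot: The new usage comment gives `# e.g. sudo - E ./4a-install-tls-self-signed-nginx.sh` with a space inside the flag, which would pass `-` and `E` as separate arguments to sudo; it should read `# e.g. sudo -E ./4a-install-tls-self-signed-nginx.sh`. The sibling comment added to 4b-install-tls-letsencrypt-nginx.sh in this same commit says plain `sudo ./4b-...`, so it is worth stating in one place whether `-E` is actually required by these scripts.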
@@ -16,34 +24,62 @@ LGREEN='\033[0;92m' LYELLOW='\033[0;93m' NC='\033[0m' #No Colour -echo -echo -echo -e "${LGREEN}Setting up self signed TLS certificates for Nginx...${GREY}" -echo - -# Setup script cmd line arguments for proxy site and certificate days -TLSNAME=$1 -TLSDAYS=$2 +# Check if user is root or sudo +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 + exit 1 +fi # Set default certificate file destinations. DIR_SSL_CERT="/etc/nginx/ssl/cert" DIR_SSL_KEY="/etc/nginx/ssl/private" +TOMCAT_VERSION=$(ls /etc/ | grep tomcat) + +# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank) +DOWNLOAD_DIR= +CERT_COUNTRY= +CERT_STATE= +CERT_LOCATION= +CERT_ORG= +CERT_OU= +GUAC_URL= +INSTALL_LOG= +PROXY_SITE= +CERT_DAYS= +DEFAULT_IP= + +# Setup script cmd line arguments for proxy site and certificate days +TLSNAME=$1 +TLSDAYS=$2 +TLSIP=$3 + +# Assume the values set the guacamole installer if the script is run without any command line options +# Assume the values set the guacamole installer if the script is run without any command line options +if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then + TLSNAME=$PROXY_SITE + TLSDAYS=$CERT_DAYS + TLSIP=$DEFAULT_IP +fi + +echo +echo +echo -e "${LGREEN}Setting up self signed TLS certificates for Nginx...${GREY}" +echo + # Make directories to place TLS Certificate if they don't exist if [[ ! -d $DIR_SSL_KEY ]]; then - sudo mkdir -p $DIR_SSL_KEY + mkdir -p $DIR_SSL_KEY fi if [[ ! -d $DIR_SSL_CERT ]]; then - sudo mkdir -p $DIR_SSL_CERT + mkdir -p $DIR_SSL_CERT fi -# Discover IPv4 interface -DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1) - echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}" # Display the new TLS cert parameters. -cat <&2 exit 1 
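Review bot: `if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then` uses the pipe operator rather than `||`, so the three tests run as a pipeline and only the status of the last one, `[[ -z "$3" ]]`, decides the branch; passing a site name and lifetime without an IP falls back to all the installer defaults, while passing only an IP leaves `TLSNAME` and `TLSDAYS` empty. It should be `if [[ -z "$1" || -z "$2" || -z "$3" ]]; then`. The comment above it is pasted twice and reads better as `# Assume the values set by the guacamole installer if the script is run without any command line options`. The same pipeline test exists unchanged in guac-management/refresh-tls-self-signed.sh.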
@@ -80,12 +116,12 @@ else fi # Place TLS Certificate into the defined application path -sudo cp $TLSNAME.key $DIR_SSL_KEY/$TLSNAME.key -sudo cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt +cp $TLSNAME.key $DIR_SSL_KEY/$TLSNAME.key +cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt -# Create a PFX formatted key for easier import to Windows hosts and change permissions to enable copying elsewhere +# Create a PFX formatted key for easier import to Windows hosts echo -e "${GREY}Converting client certificates for Windows & Linux...${GREY}" -sudo openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234 +openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234 if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 exit 1 
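Review bot: `openssl pkcs12 -export ... -password pass:1234` still passes a fixed export password on the command line, where it is visible in the process list while the command runs, and the same value is printed verbatim in the Windows import instructions at the end of the script; since the PFX bundles the server's private key, a per-run value would be a cheap improvement, e.g. `PFX_PWD=$(openssl rand -hex 8)` exported and supplied with `-passout env:PFX_PWD`, then echoed in the same on-screen instructions in place of the literal. Changing one without the other breaks the import steps, so both places must move together. `$TLSNAME.key` and `$DIR_SSL_KEY/$TLSNAME.key` are also unquoted throughout the hunk.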
@@ -95,20 +131,21 @@ else fi # Change of permissions so certs can be copied via WinSCP. -sudo chown $SUDO_USER:root $TLSNAME.pfx -sudo chown $SUDO_USER:root $TLSNAME.crt -sudo chown $SUDO_USER:root $TLSNAME.key +chown $SUDO_USER:root $TLSNAME.pfx +chown $SUDO_USER:root $TLSNAME.crt +chown $SUDO_USER:root $TLSNAME.key -# Backup the current Nginx config before update -echo -e "${GREY}Backing up previous Nginx proxy to $DOWNLOAD_DIR/$TLSNAME-nginx.bak" -cp /etc/nginx/sites-enabled/${TLSNAME} $DOWNLOAD_DIR/${TLSNAME}-nginx.bak +# Backup the previous configuration +if [ -f "/etc/nginx/sites-enabled/${TLSNAME}" ]; then + echo -e "${GREY}Backing up previous Nginx proxy config to $DOWNLOAD_DIR/${PROXY_SITE}-nginx.bak" + cp -f /etc/nginx/sites-enabled/${TLSNAME} $DOWNLOAD_DIR/${TLSNAME}-nginx.bak if [[ $? -ne 0 ]]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 + echo -e "${LRED}Warning: Failed to copy the Nginx site config.${GREY}" 1>&2 else echo -e "${LGREEN}OK${GREY}" echo fi +fi # Update Nginx config to accept the new certificates echo -e "${GREY}Configuring Nginx proxy to use the self signed TLS certificate and setting up HTTP redirect...${DGREY}" 
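Review bot: The backup message names `$DOWNLOAD_DIR/${PROXY_SITE}-nginx.bak` but the `cp -f` writes `$DOWNLOAD_DIR/${TLSNAME}-nginx.bak`; with the new command-line arguments these differ whenever a new site name is passed, so the echo should use `${TLSNAME}` as well. If `DOWNLOAD_DIR` is left blank (the standalone case the placeholder block allows) the backup lands at `/${TLSNAME}-nginx.bak` in the filesystem root. The `chown $SUDO_USER:root` lines above also collapse to `chown :root` when the script is run directly as root without sudo, silently changing only the group; `chown "${SUDO_USER:-root}:root" "$TLSNAME.pfx"` makes the fallback explicit, and the same applies to the chown hunks in guac-enterprise-build/install-mysql-backend-only.sh, guac-enterprise-build/upgrade-mysql-backend-only.sh and guac-management/upgrade-guac.sh.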
@@ -158,13 +195,33 @@ else echo fi +# Find all enabled sites containing the $GUAC_URL and remove them to avoid conflicts +for x in /etc/nginx/sites-enabled/*; do + # Check inside each site candidate to see if the $GUAC_URL exists. + if [[ -f "${x}" ]]; then + if grep -qE "${GUAC_URL}" "${x}"; then + found_sites+=("${x}") + fi + fi +done + +# Unlink all previous sites pointed to $GUAC_URL +if [ "${#found_sites[@]}" -gt 0 ]; then + for guacUrl in "${found_sites[@]}"; do + unlink "${guacUrl}" + done +fi + +# Link to enable the new site configuration +ln -s /etc/nginx/sites-available/$TLSNAME /etc/nginx/sites-enabled/ >/dev/null 2>&1 + # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network. echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..." -sudo ufw default allow outgoing >/dev/null 2>&1 -sudo ufw default deny incoming >/dev/null 2>&1 -sudo ufw allow OpenSSH >/dev/null 2>&1 -sudo ufw allow 80/tcp >/dev/null 2>&1 -sudo ufw allow 443/tcp >/dev/null 2>&1 +ufw default allow outgoing >/dev/null 2>&1 +ufw default deny incoming >/dev/null 2>&1 +ufw allow OpenSSH >/dev/null 2>&1 +ufw allow 80/tcp >/dev/null 2>&1 +ufw allow 443/tcp >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1 if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 @@ -174,11 +231,12 @@ else echo fi -# Reload everything +# Reload everything and tidy up echo -e "${GREY}Restaring Guacamole & Ngnix..." -sudo systemctl restart $TOMCAT_VERSION -sudo systemctl restart guacd -sudo systemctl restart nginx +systemctl restart $TOMCAT_VERSION +systemctl restart guacd +systemctl restart nginx +rm -f cert_attributes.txt if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 exit 1 
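Review bot: `grep -qE "${GUAC_URL}" "${x}"` treats `GUAC_URL` as a regular expression and, when the variable is left blank (the standalone case the placeholder block earlier in this file allows), matches every file, so the loop below unlinks every enabled Nginx site on the host rather than only the Guacamole ones. Guard the value and match it literally: `[[ -n "${GUAC_URL}" ]] || { echo -e "${LRED}GUAC_URL is blank${GREY}" 1>&2; exit 1; }` before the loop and `grep -qF -- "${GUAC_URL}" "${x}"` inside it. `found_sites` should also be initialised with `found_sites=()` ahead of the loop, and `ln -s ... >/dev/null 2>&1` hides the only error that would tell the operator the new site was not enabled.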
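Review bot: `rm -f cert_attributes.txt` is inserted between `systemctl restart nginx` and `if [[ $? -ne 0 ]]`, so the check now reports the result of `rm -f`, which succeeds even when the file is absent, and a failed nginx restart goes unnoticed. Move the cleanup below the `if ... fi` block, or chain the restarts so the check sees all of them: `systemctl restart "$TOMCAT_VERSION" && systemctl restart guacd && systemctl restart nginx`.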
@@ -195,7 +253,7 @@ printf "${GREY}+---------------------------------------------------------------- ${LGREEN}+ WINDOWS CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY} + + 1. In ${DOWNLOAD_DIR} is a Windows version of the new certificate ${LYELLOW}$TLSNAME.pfx${GREY} -+ 2. Import this PFX file into your Windows client with the below Powershell commands (as Administrator): ++ 2. Import this PFX file into your Windows client with the below PowerShell commands (as Administrator): \n" echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText" echo -e "Import-pfxCertificate -FilePath $TLSNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}"" diff --git a/4b-install-tls-letsencrypt-nginx.sh b/4b-install-tls-letsencrypt-nginx.sh index ac79ef5..a4adabf 100644 --- a/4b-install-tls-letsencrypt-nginx.sh +++ b/4b-install-tls-letsencrypt-nginx.sh @@ -7,6 +7,9 @@ # April 2023 ####################################################################################################################### +# If run as standalone and not from the main installer script, check the below variables are correct. +# To run standalone: sudo ./4b-install-tls-letsencrypt-nginx.sh + # Prepare text output colours GREY='\033[0;37m' DGREY='\033[0;90m' @@ -16,6 +19,15 @@ LGREEN='\033[0;92m' LYELLOW='\033[0;93m' NC='\033[0m' #No Colour +TOMCAT_VERSION=$(ls /etc/ | grep tomcat) +# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank) +DOWNLOAD_DIR= +PROXY_SITE= +GUAC_URL= +LE_DNS_NAME= +LE_EMAIL= +INSTALL_LOG= + echo echo echo -e "${LGREEN}Installing Let's Encrypt TLS configuration for Nginx...${GREY}" 
@@ -67,11 +79,11 @@ fi # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network. echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..." -sudo ufw default allow outgoing >/dev/null 2>&1 -sudo ufw default deny incoming >/dev/null 2>&1 -sudo ufw allow OpenSSH >/dev/null 2>&1 -sudo ufw allow 80/tcp >/dev/null 2>&1 -sudo ufw allow 443/tcp >/dev/null 2>&1 +ufw default allow outgoing >/dev/null 2>&1 +ufw default deny incoming >/dev/null 2>&1 +ufw allow OpenSSH >/dev/null 2>&1 +ufw allow 80/tcp >/dev/null 2>&1 +ufw allow 443/tcp >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1 if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 @@ -81,10 +93,10 @@ else echo fi -# Bounce Nginx to reload the new Nginx config so certbot config can continue +# Reload the new Nginx config so as certbot can further ajust systemctl restart nginx -# Run certbot to create and associate certificates with currenly public IP (must have tcp 80 and 443 open to work) +# Run certbot to create and associate certificates with current public IP (must have tcp 80 and 443 open to work!) certbot --nginx -n -d $LE_DNS_NAME --email $LE_EMAIL --agree-tos --redirect --hsts echo -e echo -e "${GREY}Let's Encrypt successfully installed, but check for any errors above (DNS & firewall are the usual culprits).${GREY}" @@ -120,9 +132,9 @@ fi # Reload everything once again echo -e "${GREY}Restaring Guacamole & Ngnix..." -sudo systemctl restart $TOMCAT_VERSION -sudo systemctl restart guacd -sudo systemctl restart nginx +systemctl restart $TOMCAT_VERSION +systemctl restart guacd +systemctl restart nginx if [[ $? -ne 0 ]]; then echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 exit 1 diff --git a/ACTIVE-DIRECTORY-HOW-TO.md b/ACTIVE-DIRECTORY-HOW-TO.md index 10f539c..bb5cb2b 100644 --- a/ACTIVE-DIRECTORY-HOW-TO.md +++ b/ACTIVE-DIRECTORY-HOW-TO.md 
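Review bot: The rewritten comment in the certbot hunk has a typo and a grammar slip, `# Reload the new Nginx config so as certbot can further ajust`; suggest `# Reload the new Nginx config so certbot can adjust it further`. The `certbot --nginx -n -d $LE_DNS_NAME ...` call below it is still unchecked and the "successfully installed" message prints regardless of its exit status, so a failed issuance is only visible in scrollback; `certbot --nginx -n -d "$LE_DNS_NAME" --email "$LE_EMAIL" --agree-tos --redirect --hsts || { echo -e "${LRED}certbot failed. See ${INSTALL_LOG}${GREY}" 1>&2; exit 1; }` would stop the script before the later restart steps report OK.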
@@ -1,5 +1,5 @@ -# Integrating Guacamole with Active Directory +# Integrating Guacamole With Active Directory ## :arrows_clockwise: **Step 1: Ensure two-way LDAP traffic is available to the Guacamole application server** diff --git a/README.md b/README.md index 33ff6b2..e112c77 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,10 @@ # Guacamole 1.5.3 VDI/Jump Server Appliance Build Script - This repo makes setting up a Guacamole a breeze. Its got installer support for TLS reverse proxy, Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, dark mode and custom UI templates, auto database backup, O365 email alerts and even fail2ban and internal daemon security hardening options. There's also code in here to get you up and running with an enterprise high availability deployment too! + This repo makes setting up a Guacamole a breeze. Its got installer support for TLS reverse proxy, Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, dark mode and custom UI templates, auto database backup, O365 email alerts and even fail2ban and internal daemon security hardening options. There's also code in here to get you up and running with an enterprise high availability deployment if that's your thing! ## Automatic Installation - To start building your Guacamole appliance, paste the below link into a terminal and follow the prompts **(no need for sudo, but the user must be a member of the sudo group)**: + To start building your Guacamole appliance, paste the below link into a terminal and just follow the prompts **(no need for sudo, but the user must be a member of the sudo group)**: ```shell wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh 
@@ -23,8 +23,6 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup. - DNS entries matching your default appliance network interface IP (essential for TLS). - Open TCP ports: 22, 80, and 443. -23.04, 22.04, 20.04 & 18.04 - ## Installation Menu **The main script guides you through the installation process in the following steps:** @@ -35,12 +33,17 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup. 4. Select optional console features: Quick Connect & History Recorded Storage UI integrations. 5. Decide on the Guacamole front end: Nginx reverse proxy (http or https) or keep the native Guacamole interface -**For the more security minded, there's several post-install hardening script options available:** -- `add-fail2ban.sh`: Adds a lockdown policy for Guacamole to guard against brute force attacks. -- `add-tls-guac-daemon.sh`: Wraps internal server daemon <--> guac application traffic in TLS. -- `add-auth-ldap.sh`: A template script for Active Directory integration. -- `add-smtp-relay-o365.sh`: A template script for email alerts integrated with MSO65 (BYO app password). +## Managing self signed TLS certs with Nginx (the easy way!) + + - **To change the reverse proxy dns name or IP:** + - Just re-run ` 4a-install-tls-self-signed-nginx.sh`as many times as you like (accompanying server and browser client certs will also be updated) + - **To renew certificates only, or change IP only:** + - Simply run `refresh-tls-self-signed-nginx.sh` as needed. + - **Above scripts will also:** + - Create and save new client browser certificates to `$HOME/guac-setup` + - Provide on-screen instructions for client certificate import (no more pesky browser warnings and that pro look). + ## Active Directory Integration 
@@ -50,32 +53,42 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup. **Want to give Guacamole your personal touch? Follow the theme and branding instructions** [here](https://github.com/itiligent/Guacamole-Install/tree/main/custom-theme-builder). -## Custom Installation Notes +## Installation Instructions -1. Paste and run the wget autorun link in your home directory. -2. Exit `1-setup.sh` at the first prompt. (At this point the scripts are downloaded only.) -3. Customise the huge number of installation variables available in `1-setup.sh` as required. All options for customisation are found in the top sections of this script only. (Certain combinations of edits will even produce a fully unattended install!) -4. **Caution: If editing `1-setup.sh`, be aware that running the autorun link again re-downloads and overwrites all changes. You must run setup locally after editing.** (Also be sure to comment out the download links in the setup script for any other edited scripts. There should be little need to edit outside of the setup script's options.) -5. The **upgrade-guac.sh, add-tls-guac-daemon.sh, refresh-tls-self-signed.sh & backup-guac.sh** scripts are automatically adjusted at installation to match your chosen installation settings. These can be run after install without any modification. -6. If the self-signed TLS proxy option is selected, browser client TLS certificates will be automatically created and saved to `$HOME/guac-setup`. -7. Note that Nginx is automatically configured to use TLS 1.2 or above (so really old browser versions may not work.) -8. A daily MySQL backup job will be automatically configured under the script owner's crontab. -9. **Security info:** The Quick Connect and History Recorded Storage options bring a few security implications; so be aware of potential risks in your particular environment. - +### **Paste and the wget autorun link, thats it! 
*But if* you want to make Guacamole your own and customise...** +**Exit `1-setup.sh` at the first prompt**. All the configurable options can be found at the start of `1-setup.sh`. Certain combinations of edits will even produce an unattended install! + +**Other useful install notes:** +- **Caution: Be aware that running the auto-run link again re-downloads the suite of scripts and will overwrite your changes. You must run setup locally after editing the setup script.** (Also be sure to comment out the download links in the setup script for any other scripts you want to edit, but there should be little need to touch these.) +- Many of the scripts in the suite are **automatically adjusted with your chosen installation settings** to form a matched & transportable set. This allows you to add extra features after installation whilst avoiding mismatches with the original install. +- Nginx is automatically configured to use TLS 1.2 or above (so really old browser versions may not work.) +- A daily MySQL backup job will be automatically configured under the script owner's crontab. +- **Security info:** The Quick Connect and History Recorded Storage options bring a few security implications; so be aware of potential risks in your particular environment. + +**For the more security minded, there's several post-install hardening script options available:** + +- `add-fail2ban.sh`: Adds a lockdown policy for Guacamole to guard against brute force attacks. +- `add-tls-guac-daemon.sh`: Wraps internal server daemon <--> guac application traffic in TLS. +- `add-auth-ldap.sh`: A template script for Active Directory integration. +- `add-smtp-relay-o365.sh`: A template script for email alerts integrated with MSO65 (BYO app password). + + ## Upgrading Guacamole - To upgrade Guacamole, edit `upgrade-guac.sh` to relfect the latest versions of Guacamole and MySQL connector/J before running it. 
This script will also automatically update the DUO, LDAP, TOTP, Quick Connect & History Recorded Storage extension if they are found to be present. + To upgrade Guacamole, edit `upgrade-guac.sh` to relfect the latest versions of Guacamole and MySQL connector/J before running it. This script will also automatically update the installed extensions. ## Enterprise Scale Out & High Availability For Enterprise deployments, did you know that Guacamole can be run in a load balanced farm? To achieve this, the database, application and front end components are usually **split into 2 or 3 layers.** (VLANs & firewalls between the layers helps with security too.) See [here](https://github.com/itiligent/Guacamole-Install/tree/main/guac-enterprise-build) for how to get started. - **For the DATABASE layer:** Find the included `install-mysql-backend-only.sh` to install a standalone instance of the Guacamole MySQL database for your backend. -- **For the APPLICATION layer:** Simply use the main setup script to build as many application servers as you like. For a true 3 layer load balanced system, make sure to **say no to both the "Install MySQL locally" option and all Nginx front end options** so as only the Guacamole server and Apache Tomcat services are installed. -- **For the Front end**: There are may choices here. You can slightly modify the Nginx scripts for a separate front end TLS layer, however **HA Proxy** provides far superior session affinity under load balanced conditions when compared to Open Source Nginx, but an Nginx Plus subscription gets you all the good stuff! There's so many possible ways to achieve this in hardware and software. There's plenty of config details in here to help you begin to roll your own HA solution. 
+- **For the APPLICATION layer:** Simply use the main setup script to build as many application servers as you like, just use the installer to point these to the backend database, making sure to **say no to both the "Install MySQL locally" option and any Nginx install options**. +- **For the Front end**: There are so many choices available that are already very well documented. You could even take the (portable) Nginx scripts to build a separate TLS front end layer. Be aware that [HA Proxy](https://www.haproxy.org/) generally provides far superior session affinity and persistence under load balanced conditions [when compared to Open Source Nginx](https://www.nginx.com/products/nginx/compare-models/) as only Nginx Plus subscribers get all the proper load balancing stuff!) + +### Installer script download manifest + -## Auto Download Manifest The autorun link downloads these repo files into `$HOME/guac-setup`: diff --git a/guac-custom-theme-builder/README.MD b/guac-custom-theme-builder/README.MD index b7f2efd..081ad80 100644 --- a/guac-custom-theme-builder/README.MD +++ b/guac-custom-theme-builder/README.MD @@ -2,7 +2,7 @@ ## Custom branding & theme instructions ## 1. Install the Java JDK: `sudo apt update && sudo apt -y install default-jdk` -3. Modify `custom-theme.css` ,`guac-manifest.json`, `en.json` & `META-INF` as desired & add your logo .png files to the images directory. +3. Modify `custom-theme.css` ,`guac-manifest.json`, `en.json` & `META-INF` as desired & add your logos to the images directory. (Logos must be .png files.) 4. To commit your changes, run the below commands from within the custom-theme-builder directory, then refresh your browser to re-login to Guacamole: ``` # Run within the custom-theme-builder directory diff --git a/guac-enterprise-build/install-mysql-backend-only.sh b/guac-enterprise-build/install-mysql-backend-only.sh index dc2e9d1..66ab2ea 100644 --- a/guac-enterprise-build/install-mysql-backend-only.sh 
+++ b/guac-enterprise-build/install-mysql-backend-only.sh @@ -51,7 +51,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup # Setup directory locations mkdir -p $DOWNLOAD_DIR -sudo chown -R $SUDO_USER:root $DOWNLOAD_DIR +chown -R $SUDO_USER:root $DOWNLOAD_DIR # Version of Guacamole auth jdbc database schema to use GUAC_VERSION="1.5.3" diff --git a/guac-enterprise-build/upgrade-mysql-backend-only.sh b/guac-enterprise-build/upgrade-mysql-backend-only.sh index 94ec914..dbd6bac 100644 --- a/guac-enterprise-build/upgrade-mysql-backend-only.sh +++ b/guac-enterprise-build/upgrade-mysql-backend-only.sh @@ -49,7 +49,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup # Setup directory locations mkdir -p $DOWNLOAD_DIR -sudo chown -R $SUDO_USER:root $DOWNLOAD_DIR +chown -R $SUDO_USER:root $DOWNLOAD_DIR # Version of Guacamole to upgrade to. See https://guacamole.apache.org/releases/ for latest version info. NEW_GUAC_VERSION="1.5.3" diff --git a/guac-management/backup-guac.sh b/guac-management/backup-guac.sh index 9bd6b73..90b9d54 100644 --- a/guac-management/backup-guac.sh +++ b/guac-management/backup-guac.sh @@ -19,7 +19,7 @@ clear export PATH=/bin:/usr/bin:/usr/local/bin TODAY=$(date +%Y-%m-%d) -# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install +# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank) MYSQL_HOST= MYSQL_PORT= GUAC_USER= diff --git a/guac-management/refresh-tls-self-signed.sh b/guac-management/refresh-tls-self-signed.sh index f83bd4e..3032dc6 100644 --- a/guac-management/refresh-tls-self-signed.sh +++ b/guac-management/refresh-tls-self-signed.sh 
@@ -6,10 +6,10 @@ # September 2023 ####################################################################################################################### -# If run with with no command arguments, the ${PROXY_SITE} ${CERT_DAYS} & ${Default_IP) values from original install are applied. -# e.g. sudo ./refresh-tls-self-signed-nginx.sh +# If run with with no command arguments, the ${PROXY_SITE}, ${CERT_DAYS} & ${Default_IP) values used during the +# the original install are applied. To keep these run: sudo ./refresh-tls-self-signed-nginx.sh # -# SCript can also be run with custom command line arguments for use with any TLS application: +# This script can also be run with custom command line arguments for use with any TLS application: # Command arguments are formatted as: [command] [FQDN] [cert-lifetime] [IP] # e.g. sudo ./refresh-tls-self-signed-nginx.sh webserver.domain.local 365 192.168.1.1 @@ -50,7 +50,7 @@ TLSNAME=$1 TLSDAYS=$2 TLSIP=$3 -# Auto updated values from main installer (manually update if blank) +# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank) CERT_COUNTRY= CERT_STATE= CERT_LOCATION= @@ -60,7 +60,7 @@ PROXY_SITE= CERT_DAYS= DEFAULT_IP= -# Assume the values used by the guacamole installer if the script is run without any command line options +# Assume the values set the guacamole installer if the script is run without any command line options if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then TLSNAME=$PROXY_SITE TLSDAYS=$CERT_DAYS @@ -69,11 +69,11 @@ fi # Make directories to place TLS Certificate if they don't exist if [[ ! -d $DIR_SSL_KEY ]]; then - sudo mkdir -p $DIR_SSL_KEY + mkdir -p $DIR_SSL_KEY fi if [[ ! -d $DIR_SSL_CERT ]]; then - sudo mkdir -p $DIR_SSL_CERT + mkdir -p $DIR_SSL_CERT fi echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}" 
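Review bot: The rewritten header comment keeps `${Default_IP)` — a mismatched closing bracket and a different case from the `DEFAULT_IP=` variable it refers to — and still doubles "with with", while the continuation line doubles "the the". Suggest `# If run with no command arguments, the ${PROXY_SITE}, ${CERT_DAYS} & ${DEFAULT_IP} values used during` for the first line and `# the original install are applied. To keep these run: sudo ./refresh-tls-self-signed-nginx.sh` for the second.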
diff --git a/guac-management/upgrade-guac.sh b/guac-management/upgrade-guac.sh index 830b08f..a38a62d 100644 --- a/guac-management/upgrade-guac.sh +++ b/guac-management/upgrade-guac.sh @@ -46,7 +46,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup # Setup directory locations mkdir -p $DOWNLOAD_DIR -sudo chown -R $SUDO_USER:root $DOWNLOAD_DIR +chown -R $SUDO_USER:root $DOWNLOAD_DIR # Version of Guacamole to upgrade to. See https://guacamole.apache.org/releases/ for latest version info. NEW_GUAC_VERSION="1.5.3" @@ -66,7 +66,7 @@ GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guac # Install log Location INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_${NEW_GUAC_VERSION}_upgrade.log" -# Auto updated values from main installer (manually update if blank) +# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank) INSTALL_MYSQL= MYSQL_HOST= MYSQL_PORT= @@ -85,7 +85,7 @@ echo # Start upgrade actions ############################################################################################## ####################################################################################################################### -sudo apt-get upgrade -qq -y +apt-get upgrade -qq -y # Stop tomcat and guacd systemctl stop ${TOMCAT_VERSION} diff --git a/guac-optional-features/add-auth-duo.sh b/guac-optional-features/add-auth-duo.sh index 228b052..217b905 100644 --- a/guac-optional-features/add-auth-duo.sh +++ b/guac-optional-features/add-auth-duo.sh @@ -6,6 +6,8 @@ # April 2023 ####################################################################################################################### +# If run as standalone and not from the main installer script, check the below variables are correct. + # Prepare text output colours GREY='\033[0;37m' DGREY='\033[0;90m' 
@@ -38,7 +40,7 @@ echo "duo-api-hostname: " >>/etc/guacamole/guacamole.properties echo "duo-application-key: " >>/etc/guacamole/guacamole.properties echo systemctl restart ${TOMCAT_VERSION} -sudo systemctl restart guacd +systemctl restart guacd echo -e "${LYELLOW}You must now set up your online Duo account with a new 'Web SDK' application." echo diff --git a/guac-optional-features/add-auth-ldap.sh b/guac-optional-features/add-auth-ldap.sh index 33cf993..e8a9a80 100644 --- a/guac-optional-features/add-auth-ldap.sh +++ b/guac-optional-features/add-auth-ldap.sh @@ -6,6 +6,8 @@ # April 2023 ####################################################################################################################### +# If run as standalone and not from the main installer script, check the below variables are correct. + # Prepare text output colours GREY='\033[0;37m' DGREY='\033[0;90m' @@ -17,10 +19,9 @@ NC='\033[0m' #No Colour clear -# Check if user is root or sudo if ! [[ $(id -u) = 0 ]]; then echo - echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 exit 1 fi @@ -49,7 +50,7 @@ echo wget -q --show-progress -O guacamole-auth-ldap-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz tar -xzf guacamole-auth-ldap-${GUAC_VERSION}.tar.gz mv -f guacamole-auth-ldap-${GUAC_VERSION}/guacamole-auth-ldap-${GUAC_VERSION}.jar /etc/guacamole/extensions/ -sudo chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${GUAC_VERSION}.jar +chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${GUAC_VERSION}.jar echo -e "${LGREEN}Installed guacamole-auth-ldap-${GUAC_VERSION}${GREY}" echo echo Adding the below config to /etc/guacamole/guacamole.properties 
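Review bot: The add-auth-ldap.sh hunk's context shows the extension archive fetched with `wget ... ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz`, unpacked and moved straight into /etc/guacamole/extensions/ with no integrity check, and the only change here is the dropped `sudo` on `chmod 664`. Since the jar is loaded by the Guacamole web application, verifying the archive against the release's published checksum or signature before `tar -xzf` would close the gap; the `GUAC_SOURCE_LINK` value visible in the upgrade-guac.sh hunk header is a plain `http://` closer.cgi URL, which makes that check more important. The enclosing script section starts and ends outside the hunk.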
@@ -66,8 +67,8 @@ ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer)) ldap-max-search-results:200 EOF -sudo systemctl restart ${TOMCAT_VERSION} -sudo systemctl restart guacd +systemctl restart ${TOMCAT_VERSION} +systemctl restart guacd rm -rf guacamole-* diff --git a/guac-optional-features/add-auth-totp.sh b/guac-optional-features/add-auth-totp.sh index a26a545..8f2e9b6 100644 --- a/guac-optional-features/add-auth-totp.sh +++ b/guac-optional-features/add-auth-totp.sh @@ -6,6 +6,8 @@ # April 2023 ####################################################################################################################### +# If run as standalone and not from the main installer script, check the below variables are correct. + # Prepare text output colours GREY='\033[0;37m' DGREY='\033[0;90m' @@ -17,10 +19,9 @@ NC='\033[0m' #No Colour clear -# Check if user is root or sudo if ! [[ $(id -u) = 0 ]]; then echo - echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 exit 1 fi diff --git a/guac-optional-features/add-fail2ban.sh b/guac-optional-features/add-fail2ban.sh index d54edee..3c7e69f 100644 --- a/guac-optional-features/add-fail2ban.sh +++ b/guac-optional-features/add-fail2ban.sh @@ -44,7 +44,7 @@ rm -f /tmp/fail2ban.update # Prompt to install fail2ban base package with no policy as yet, default of yes if [[ -z ${FAIL2BAN_BASE} ]]; then echo - echo -e -n "${LGREEN}Install Fail2ban? (base package with no policy as yet) [default y]: ${GREY}" + echo -e -n "${LGREEN}Install Fail2ban base package? [default y]: ${GREY}" read PROMPT if [[ ${PROMPT} =~ ^[Nn]$ ]]; then FAIL2BAN_BASE=false 
@@ -94,8 +94,8 @@ fi
 if [[ "${FAIL2BAN_BASE}" = true ]]; then
 #Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings)
-sudo apt-get update -qq >/dev/null 2>&1
-sudo apt-get install fail2ban john -qq -y >/dev/null 2>&1
+apt-get update -qq >/dev/null 2>&1
+apt-get install fail2ban john -qq -y >/dev/null 2>&1
 # Create the basic jail.local template and local subnet whitelist
 cat >/tmp/fail2ban.conf <&2
+ exit 1
+fi
+
 clear
 SENDER=$SUDO_USER
 SERVER=$(uname -n)
-DOMAIN_SEARCH_SUFFIX=$(grep search /etc/resolv.conf | grep -v "#" | sed 's/'search[[:space:]]'//')
-
-# Check if user is root or sudo
-if ! [[ $(id -u) = 0 ]]; then
- echo
- echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
- exit 1
-fi
+# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
+LOCAL_DOMAIN=
 echo
 echo -e "${LYELLOW}SMTP relay for Office365 setup...${LGREEN}"
@@ -39,7 +42,7 @@ echo -e "${LYELLOW}SMTP relay for Office365 setup...${LGREEN}"
 # Install Posfix
 echo
 echo -e "${GREY}Installing Postfix with non-interactive defaults..."
-sudo apt update -qq >/dev/null 2>&1
+apt-get update -qq >/dev/null 2>&1
 DEBIAN_FRONTEND="noninteractive" apt-get install postfix mailutils -qq -y >/dev/null 2>&1
 if [[ $? -ne 0 ]]; then
 echo -e "${LRED}Postfix install failed. ${GREY}" 1>&2
@@ -58,8 +61,8 @@ echo
 echo
 # Remove some default Postifx config items that conflict with new entries
-sudo sed -i '/relayhost/d' /etc/postfix/main.cf
-sudo sed -i '/smtp_tls_security_level=may/d' /etc/postfix/main.cf
+sed -i '/relayhost/d' /etc/postfix/main.cf
+sed -i '/smtp_tls_security_level=may/d' /etc/postfix/main.cf
 # For simple relay outbound only, limit Postfix to just loopback and IPv4
 sed -i 's/inet_interfaces = all/inet_interfaces = loopback-only/g' /etc/postfix/main.cf
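Review bot: In the add-fail2ban.sh hunk at -94, the rewritten `apt-get install fail2ban john -qq -y >/dev/null 2>&1` discards both its output and its exit status, so when the package install fails the script silently goes on to write jail configuration for a service that was never installed and the user is told nothing. The Postfix install hunk later on this page tests `$?` right after its `apt-get install`, and this one should match it, e.g. `apt-get install fail2ban john -qq -y >/dev/null 2>&1 || { echo -e "${LRED}Fail2ban install failed. ${GREY}" 1>&2; exit 1; }`. The `if [[ "${FAIL2BAN_BASE}" = true ]]` block continues past the end of the hunk, and the text after `cat >/tmp/fail2ban.conf` on this page is garbled by extraction (the heredoc and the following file header are missing), so the rest of that block could not be reviewed.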
@@ -88,28 +91,28 @@ else
 fi
 # Setup the password file and postmap
-sudo touch /etc/postfix/sasl_passwd
+touch /etc/postfix/sasl_passwd
 cat </dev/null 2>&1
 [smtp.office365.com]:587 ${SMTP_EMAIL}:${APP_PWD}
 EOF
-sudo chown root:root /etc/postfix/sasl_passwd
-sudo chmod 0600 /etc/postfix/sasl_passwd
-sudo postmap /etc/postfix/sasl_passwd
+chown root:root /etc/postfix/sasl_passwd
+chmod 0600 /etc/postfix/sasl_passwd
+postmap /etc/postfix/sasl_passwd
 # Setup the generic map file
-sudo touch /etc/postfix/generic
+touch /etc/postfix/generic
 cat </dev/null 2>&1
 root@${SERVER} ${SMTP_EMAIL}
 ${SENDER}@${SERVER} ${SMTP_EMAIL}
-@${DOMAIN_SEARCH_SUFFIX} ${SMTP_EMAIL}
+@${LOCAL_DOMAIN} ${SMTP_EMAIL}
 EOF
-sudo chown root:root /etc/postfix/generic
-sudo chmod 0600 /etc/postfix/generic
-sudo postmap /etc/postfix/generic
+chown root:root /etc/postfix/generic
+chmod 0600 /etc/postfix/generic
+postmap /etc/postfix/generic
 # Restart and test
 echo -e "${GREY}Restarting Postfix..."
-sudo systemctl restart postfix
+systemctl restart postfix
 if [[ $? -ne 0 ]]; then
 echo -e "${LRED}Postfix restart failed. ${GREY}" 1>&2
 exit 1
diff --git a/guac-optional-features/add-tls-guac-daemon.sh b/guac-optional-features/add-tls-guac-daemon.sh
index affa92c..ec250b7 100644
--- a/guac-optional-features/add-tls-guac-daemon.sh
+++ b/guac-optional-features/add-tls-guac-daemon.sh
@@ -21,14 +21,13 @@ NC='\033[0m' #No Colour
 # Check if user is root or sudo
 if ! [[ $(id -u) = 0 ]]; then
 echo
- echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
+ echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
 exit 1
 fi
 TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
 RSA_KEY_LENGTH=2048
-
-# Auto updated values from main installer (manually update if blank)
+# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
 CERT_COUNTRY=
 CERT_STATE=
 CERT_LOCATION=
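Review bot: In the add-smtp-relay-o365.sh hunk at -88, the rewritten `touch /etc/postfix/sasl_passwd` creates the file under the caller's umask (world-readable under a typical 022), the heredoc then writes `${SMTP_EMAIL}:${APP_PWD}` into it, and only afterwards does `chmod 0600` run, so the relay credential is exposed to local users for that window and stays exposed if the script stops between those lines; create the file with its final mode first, e.g. `install -m 0600 -o root -g root /dev/null /etc/postfix/sasl_passwd`, or move the `chown`/`chmod` pair ahead of the `cat` (the same ordering applies to /etc/postfix/generic, which also receives the mailbox address). The new generic-map entry `@${LOCAL_DOMAIN} ${SMTP_EMAIL}` depends on a `LOCAL_DOMAIN=` placeholder that the earlier hunk initialises empty, so a standalone run without the installer's substitution writes a bare `@` key; a guard such as `: "${LOCAL_DOMAIN:?set LOCAL_DOMAIN before running}"` next to the assignment would fail loudly instead. The `cat` lines on this page appear garbled by extraction (the heredoc redirection is missing), so the exact write command could not be verified.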
diff --git a/guac-optional-features/add-xtra-histrecstor.sh b/guac-optional-features/add-xtra-histrecstor.sh
index 4715647..33edead 100644
--- a/guac-optional-features/add-xtra-histrecstor.sh
+++ b/guac-optional-features/add-xtra-histrecstor.sh
@@ -6,6 +6,8 @@
 # September 2023
 #######################################################################################################################
+# If run as standalone and not from the main installer script, check the below variables are correct.
+
 # Prepare text output colours
 GREY='\033[0;37m'
 DGREY='\033[0;90m'
@@ -20,7 +22,7 @@ clear
 # Check if user is root or sudo
 if ! [[ $(id -u) = 0 ]]; then
 echo
- echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
+ echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
 exit 1
 fi
diff --git a/guac-optional-features/add-xtra-quickconnect.sh b/guac-optional-features/add-xtra-quickconnect.sh
index a59cf30..cc4a148 100644
--- a/guac-optional-features/add-xtra-quickconnect.sh
+++ b/guac-optional-features/add-xtra-quickconnect.sh
@@ -6,6 +6,8 @@
 # September 2023
 #######################################################################################################################
+# If run as standalone and not from the main installer script, check the below variables are correct.
+
 # Prepare text output colours
 GREY='\033[0;37m'
 DGREY='\033[0;90m'
@@ -20,7 +22,7 @@ clear
 # Check if user is root or sudo
 if ! [[ $(id -u) = 0 ]]; then
 echo
- echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
+ echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
 exit 1
 fi