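#!/usr/bin/env bash
#
# setup.sh - one-time bootstrap for the guacamole/keycloak compose stack.
#
# Creates the data/ and init/ directories, fetches the Guacamole OpenID
# extension into openid/, generates the patched database-init script and
# Tomcat server.xml, and produces the self-signed key material
# (init/guacamole.key + .crt, the Keycloak keystore, and a Java cacerts
# truststore that trusts both certificates).
#
# Usage:   ./setup.sh           (paths below are relative to the repo root;
#                                the script cd's there itself)
#          DEBUG=1 ./setup.sh   (trace every command; NOTE this echoes the
#                                keystore passwords below to stderr)
#
# Requires: patch, wget, tar, docker, docker-compose, keytool, openssl.
set -euo pipefail

# The original used `#!/bin/bash -x`; that flag is lost when run as
# `bash setup.sh`, so tracing is opt-in via DEBUG instead.
if [[ -n "${DEBUG:-}" ]]; then
  set -x
fi

readonly GUAC_VERSION=1.1.0
readonly GUAC_IMAGE="docker.io/guacamole/guacamole:${GUAC_VERSION}"
readonly KEYCLOAK_IMAGE=docker.io/jboss/keycloak:latest
readonly OPENID_TARBALL="guacamole-auth-openid-${GUAC_VERSION}.tar.gz"
readonly OPENID_URL="https://mirrors.ocf.berkeley.edu/apache/guacamole/${GUAC_VERSION}/binary/${OPENID_TARBALL}"
# Keystore password: the original notes these values were pulled from
# server.xml inside the image, so it must stay in sync with what the
# container expects. It is passed on the command line and therefore visible
# in `ps` / DEBUG traces.
readonly KEYSTORE_PASS=password
# Default password of a Java cacerts truststore.
readonly CACERTS_PASS=changeit

# die MESSAGE... - print MESSAGE to stderr and exit 1.
die() { printf 'setup.sh: %s\n' "$*" >&2; exit 1; }

# Abort early with a clear message when a required tool is missing, instead
# of failing part-way through. (The original ran `tool -v` for each; for wget
# and keytool `-v` is not a version flag and only printed usage text.)
for tool in patch wget tar docker docker-compose keytool openssl; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# Every path below is relative to the repository root (where this file lives).
cd "$(dirname "${BASH_SOURCE[0]}")" || die "cannot cd to script directory"

# create directories
mkdir -p data/guacamole data/keycloak init openid

# Fetch and unpack the Guacamole OpenID extension into openid/.
# `wget -nc` exits non-zero when the file already exists, which would trip
# `set -e`, so the "already downloaded" check is done here instead.
# TODO: verify the tarball against the checksum/signature published for the
#       release before unpacking it (no integrity check is performed here).
(
  cd openid || die "cannot cd to openid"
  if [[ ! -e "$OPENID_TARBALL" ]]; then
    wget -- "$OPENID_URL"
  fi
  tar -xf "$OPENID_TARBALL"
  mv "guacamole-auth-openid-${GUAC_VERSION}"/* .
)

# create the database initialization script for the guacamole database
docker run --rm "$GUAC_IMAGE" \
  /opt/guacamole/bin/initdb.sh --postgres > init/initdb.sql.orig
cp -- init/initdb.sql.orig init/initdb.sql
patch init/initdb.sql < config/guacamole/1.add-guacadmin-email.patch

# get the original server.xml from the image, then patch a copy to enable
# ssl, and such
docker run --rm --name guacamole-setup "$GUAC_IMAGE" \
  cat /usr/local/tomcat/conf/server.xml > init/server.xml.orig
cp -- init/server.xml.orig init/server.xml
patch init/server.xml < config/guacamole/0.enable-tomcat-ssl.patch

# Need self-signed cert for ca
# Create private keys for:
#   Guacamole (openssl, PEM)
#   Keycloak  (keytool, JKS keystore)
# NOTE(review): the key file is written with the default umask; tighten its
# permissions if the container user that mounts it can still read it - confirm.
openssl req \
  -newkey rsa:2048 \
  -nodes \
  -keyout init/guacamole.key \
  -x509 \
  -days 365 \
  -out init/guacamole.crt \
  -subj "/C=US/ST=CA/L=Anytown/O=Ridgecrest First Aid/OU=AED Instructors/CN=guacamole.rfa.net"

# values pulled from server.xml within the image, and errors from the docker log
# A fresh key pair is generated on every run (matching the openssl step above);
# keytool refuses to overwrite an existing alias, so drop any old keystore.
rm -f -- init/application.keystore
keytool -genkey \
  -alias server \
  -keyalg RSA \
  -keystore init/application.keystore \
  -keysize 2048 \
  -storepass "$KEYSTORE_PASS" \
  -dname "cn=keycloak.rfa.net, ou=AED Instructors, o=Ridgecrest, c=US" \
  -keypass "$KEYSTORE_PASS" \
  -trustcacerts \
  -validity 365

# make the certificate available to guacamole
keytool -exportcert \
  -keystore init/application.keystore \
  -alias server \
  -storepass "$KEYSTORE_PASS" \
  -keypass "$KEYSTORE_PASS" \
  | openssl x509 -inform der -text > init/keycloak.crt

# Grabbing cacerts, don't use this for standalone.xml
# as we don't link to postgres
# `docker cp` works on a created-but-never-started container, so the image
# does not need to be run (the original started it in the background and
# raced its startup with a 1s sleep). No --name is used so a stale container
# from an earlier run cannot cause a name collision.
cacerts_cid=$(docker create "$KEYCLOAK_IMAGE") || die "docker create failed"
# Remove the helper container on every exit path, including failures below.
trap 'docker rm -f "$cacerts_cid" >/dev/null 2>&1 || true' EXIT
docker cp "${cacerts_cid}:/etc/pki/ca-trust/extracted/java/cacerts" init/cacerts

# Trust both self-signed certificates in the copied truststore.
keytool -importcert \
  -alias keycloak \
  -keystore init/cacerts \
  -storepass "$CACERTS_PASS" \
  -file init/keycloak.crt \
  -trustcacerts -noprompt
keytool -importcert \
  -alias guacamole \
  -keystore init/cacerts \
  -storepass "$CACERTS_PASS" \
  -file init/guacamole.crt \
  -trustcacerts -noprompt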