From da9b432864d300cd76741884e575b7c6b0ec4b71 Mon Sep 17 00:00:00 2001
From: Thomas Basler
Date: Wed, 3 Nov 2021 13:37:46 +0100
Subject: [PATCH] xrdp_apphost: new role
---
 host_vars/pancake.binary.kitchen | 4 +
 roles/xrdp_apphost/defaults/main.yml | 15 ++
 roles/xrdp_apphost/handlers/main.yml | 9 +
 roles/xrdp_apphost/tasks/main.yml | 35 +++
 .../templates/lightburn_xsession.j2 | 2 +
 roles/xrdp_apphost/templates/sesman.ini.j2 | 113 +++++++++
 roles/xrdp_apphost/templates/xrdp.ini.j2 | 237 ++++++++++++++++++
 site.yml | 5 +
 8 files changed, 420 insertions(+)
 create mode 100644 host_vars/pancake.binary.kitchen
 create mode 100644 roles/xrdp_apphost/defaults/main.yml
 create mode 100644 roles/xrdp_apphost/handlers/main.yml
 create mode 100644 roles/xrdp_apphost/tasks/main.yml
 create mode 100644 roles/xrdp_apphost/templates/lightburn_xsession.j2
 create mode 100644 roles/xrdp_apphost/templates/sesman.ini.j2
 create mode 100644 roles/xrdp_apphost/templates/xrdp.ini.j2
diff --git a/host_vars/pancake.binary.kitchen b/host_vars/pancake.binary.kitchen
new file mode 100644
index 0000000..d76d276
--- /dev/null
+++ b/host_vars/pancake.binary.kitchen
@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-rsa 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 noby"
\ No newline at end of file
diff --git a/roles/xrdp_apphost/defaults/main.yml b/roles/xrdp_apphost/defaults/main.yml
new file mode 100644
index 0000000..c29eabe
--- /dev/null
+++ b/roles/xrdp_apphost/defaults/main.yml
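Review bot: The new host_vars file ends without a final newline (`\ No newline at end of file`), and the same applies to handlers/main.yml, tasks/main.yml and lightburn_xsession.j2 in this patch; yamllint's `new-line-at-end-of-file` rule flags each, and the fix is a trailing newline in all four. The list under `root_keys_host:` is written flush with its key, which is a valid style as long as every sequence in the file follows it.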
@@ -0,0 +1,15 @@
+---
+
+xrdp_maxsessions: 10
+xrdp_killdisconnected: true
+xrdp_policy: UBDC
+
+lightburn_user: lightburn
+lightburn_group: lightburn
+lightburn_pass: fckgw01lightburn
+lightburn_salt: $1$SomeSalt$
+
+lightburn_checksum: sha256:30d3cd573f5036edf74922ce56515304e668c345b5921fa0786248a8cc4be048
+lightburn_version: 1.0.04
+lightburn_url: https://github.com/LightBurnSoftware/deployment/releases/download/{{ lightburn_version }}/LightBurn-Linux64-v{{ lightburn_version }}.run
+lightburn_target: /home/{{ lightburn_user }}/LightBurn-Linux64-v{{ lightburn_version }}.run
diff --git a/roles/xrdp_apphost/handlers/main.yml b/roles/xrdp_apphost/handlers/main.yml
new file mode 100644
index 0000000..687a07f
--- /dev/null
+++ b/roles/xrdp_apphost/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Restart xrdp
+ service: name=xrdp state=restarted
+
+- name: Install LightBurn
+ shell: "{{ lightburn_target }}"
+ become: yes
+ become_user: "{{ lightburn_user }}"
\ No newline at end of file
diff --git a/roles/xrdp_apphost/tasks/main.yml b/roles/xrdp_apphost/tasks/main.yml
new file mode 100644
index 0000000..b642662
--- /dev/null
+++ b/roles/xrdp_apphost/tasks/main.yml
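Review bot: `lightburn_pass: fckgw01lightburn` commits a working login password in cleartext in the role defaults, and the same variable is rendered verbatim into `/etc/xrdp/xrdp.ini` by the template in this patch; keep the value out of the repository by supplying it from an Ansible Vault-encrypted variable or `lookup('env', ...)` in host or group vars, and leave only a placeholder (or no default at all) in `defaults/`. `lightburn_salt: $1$SomeSalt$` looks like a complete MD5-crypt prefix rather than the bare salt string `password_hash('sha512', ...)` expects; I would expect the filter to reject the `$` characters or produce a hash with an unintended salt, so verify the rendered hash and use a plain alphanumeric salt (keeping it fixed so the `user` task stays idempotent). `lightburn_version: 1.0.04` stays a string only because it has two dots; version-looking values are safer quoted, `lightburn_version: "1.0.04"`.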
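Review bot: `become: yes` in the Install LightBurn handler should be `become: true`; the YAML 1.1 spelling is flagged by yamllint's `truthy` rule and by ansible-lint. The handler runs the downloaded installer through `shell:` although no shell feature is used, so `command: "{{ lightburn_target }}"` is the tighter choice; gating the execution on `get_url` reporting a change, with the sha256 pin from defaults, is the right shape for running a fetched binary. `service: name=xrdp state=restarted` uses the legacy key=value form; the native form is `service:` / `name: xrdp` / `state: restarted`.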
@@ -0,0 +1,35 @@
+---
+
+- name: Install main dependencies
+ apt:
+ name:
+ - xrdp
+ - libasound2
+ - matchbox-window-manager
+
+- name: Configure xrdp.ini
+ template: src=xrdp.ini.j2 dest=/etc/xrdp/xrdp.ini
+ notify: Restart xrdp
+
+- name: Configure sesman.ini
+ template: src=sesman.ini.j2 dest=/etc/xrdp/sesman.ini
+ notify: Restart xrdp
+
+- name: Install LightBurn dependencies
+ apt:
+ name:
+ - libpulse-mainloop-glib0
+ - libnss3
+
+- name: Create LightBurn group
+ group: name={{ lightburn_group }}
+
+- name: Create LightBurn user
+ user: name={{ lightburn_user }} password={{ lightburn_pass | password_hash('sha512', lightburn_salt) }} home=/home/{{ lightburn_user }} group={{ lightburn_group }}
+
+- name: Create LightBurn .xsession
+ template: src=lightburn_xsession.j2 dest=/home/{{ lightburn_user }}/.xsession
+
+- name: Download LightBurn binary
+ get_url: url={{ lightburn_url }} dest={{ lightburn_target }} checksum={{ lightburn_checksum }} mode=0755
+ notify: Install LightBurn
\ No newline at end of file
diff --git a/roles/xrdp_apphost/templates/lightburn_xsession.j2 b/roles/xrdp_apphost/templates/lightburn_xsession.j2
new file mode 100644
index 0000000..3470fcc
--- /dev/null
+++ b/roles/xrdp_apphost/templates/lightburn_xsession.j2
@@ -0,0 +1,2 @@
+matchbox-window-manager &
+exec /home/{{ lightburn_user }}/.local/share/LightBurn/LightBurn
\ No newline at end of file
diff --git a/roles/xrdp_apphost/templates/sesman.ini.j2 b/roles/xrdp_apphost/templates/sesman.ini.j2
new file mode 100644
index 0000000..6fb8cd1
--- /dev/null
+++ b/roles/xrdp_apphost/templates/sesman.ini.j2
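Review bot: The two files placed in the LightBurn user's home, the `.xsession` template and the `get_url` download, set no `owner`/`group`, so they are created by whatever account the play runs as (presumably root) inside `/home/{{ lightburn_user }}`; add `owner: "{{ lightburn_user }}"` and `group: "{{ lightburn_group }}"` to both tasks so the user owns its own session script and installer. The `user` task passes the hash built from `lightburn_pass` as a module argument; add `no_log: true` to that task so the rendered value does not appear in verbose output or callback logs. The `template`, `group`, `user` and `get_url` tasks use key=value argument strings while the two `apt` tasks use block YAML; converting to the native form throughout (`template:` / `src: xrdp.ini.j2` / `dest: /etc/xrdp/xrdp.ini`) is what ansible-lint expects, and once `mode` moves to native YAML it must be quoted, `mode: "0755"`, to avoid the octal-literal trap.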
@@ -0,0 +1,113 @@
+;; See `man 5 sesman.ini` for details
+
+[Globals]
+ListenAddress=127.0.0.1
+ListenPort=3350
+EnableUserWindowManager=true
+; Give in relative path to user's home directory
+UserWindowManager=startwm.sh
+; Give in full path or relative path to /etc/xrdp
+DefaultWindowManager=startwm.sh
+; Give in full path or relative path to /etc/xrdp
+ReconnectScript=reconnectwm.sh
+
+[Security]
+AllowRootLogin=true
+MaxLoginRetry=4
+TerminalServerUsers=tsusers
+TerminalServerAdmins=tsadmins
+; When AlwaysGroupCheck=false access will be permitted
+; if the group TerminalServerUsers is not defined.
+AlwaysGroupCheck=false
+; When RestrictOutboundClipboard=true clipboard from the
+; server is not pushed to the client.
+RestrictOutboundClipboard=false
+
+[Sessions]
+;; X11DisplayOffset - x11 display number offset
+; Type: integer
+; Default: 10
+X11DisplayOffset=10
+
+;; MaxSessions - maximum number of connections to an xrdp server
+; Type: integer
+; Default: 0
+MaxSessions={{ xrdp_maxsessions }}
+
+;; KillDisconnected - kill disconnected sessions
+; Type: boolean
+; Default: false
+; if 1, true, or yes, kill session after 60 seconds
+KillDisconnected={{ xrdp_killdisconnected }}
+
+;; DisconnectedTimeLimit - when to kill idle sessions
+; Type: integer
+; Default: 0
+; if not zero, the seconds before a disconnected session is killed
+; min 60 seconds
+DisconnectedTimeLimit=0
+
+;; IdleTimeLimit (specify in second) - wait before disconnect idle sessions
+; Type: integer
+; Default: 0
+; Set to 0 to disable idle disconnection.
+IdleTimeLimit=0
+
+;; Policy - session allocation policy
+; Type: enum [ "Default" | "UBD" | "UBI" | "UBC" | "UBDI" | "UBDC" ]
+; Default: Xrdp: and Xvnc:
+; "UBD" session per
+; "UBI" session per
+; "UBC" session per
+; "UBDI" session per
+; "UBDC" session per
+Policy={{ xrdp_policy }}
+
+[Logging]
+LogFile=xrdp-sesman.log
+LogLevel=DEBUG
+EnableSyslog=1
+SyslogLevel=DEBUG
+
+;
+; Session definitions - startup command-line parameters for each session type
+;
+
+[Xorg]
+; Specify the path of non-suid Xorg executable. It might differ depending
+; on your distribution and version. The typical path is shown as follows:
+;
+; Fedora 26 or later : param=/usr/libexec/Xorg
+; Debian 9 or later : param=/usr/lib/xorg/Xorg
+; Ubuntu 16.04 or later : param=/usr/lib/xorg/Xorg
+; Arch Linux : param=/usr/lib/xorg-server/Xorg
+; CentOS 7 : param=/usr/bin/Xorg or param=Xorg
+;
+param=/usr/lib/xorg/Xorg
+; Leave the rest paramaters as-is unless you understand what will happen.
+param=-config
+param=xrdp/xorg.conf
+param=-noreset
+param=-nolisten
+param=tcp
+param=-logfile
+param=.xorgxrdp.%s.log
+
+[Xvnc]
+param=Xvnc
+param=-bs
+param=-nolisten
+param=tcp
+param=-localhost
+param=-dpi
+param=96
+
+[Chansrv]
+; drive redirection, defaults to xrdp_client if not set
+FuseMountName=thinclient_drives
+; this value allows only the user to acess their own mapped drives.
+; Make this more permissive (e.g. 022) if required.
+FileUmask=077
+
+[SessionVariables]
+PULSE_SCRIPT=/etc/xrdp/pulse/default.pa
diff --git a/roles/xrdp_apphost/templates/xrdp.ini.j2 b/roles/xrdp_apphost/templates/xrdp.ini.j2
new file mode 100644
index 0000000..3c5a8e6
--- /dev/null
+++ b/roles/xrdp_apphost/templates/xrdp.ini.j2
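Review bot: `AllowRootLogin=true` under `[Security]` lets root authenticate over RDP on a host whose only intended session is the LightBurn account; set `AllowRootLogin=false`. `LogLevel=DEBUG` and `SyslogLevel=DEBUG` under `[Logging]` are troubleshooting levels that will fill the journal with per-session detail on every connection; `INFO` is the usual setting for a deployed host. `KillDisconnected={{ xrdp_killdisconnected }}` renders the Ansible boolean as `True`; xrdp's parser appears to compare case-insensitively, but `{{ xrdp_killdisconnected | lower }}` removes the doubt. With `AlwaysGroupCheck=false` and no `tsusers` group created anywhere in the role, every local account may open a session, which deserves a one-line comment in the template so the next reader knows it is deliberate.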
@@ -0,0 +1,237 @@
+[Globals]
+; xrdp.ini file version number
+ini_version=1
+
+; fork a new process for each incoming connection
+fork=true
+
+; ports to listen on, number alone means listen on all interfaces
+; 0.0.0.0 or :: if ipv6 is configured
+; space between multiple occurrences
+;
+; Examples:
+; port=3389
+; port=unix://./tmp/xrdp.socket
+; port=tcp://.:3389 127.0.0.1:3389
+; port=tcp://:3389 *:3389
+; port=tcp://:3389 192.168.1.1:3389
+; port=tcp6://.:3389 ::1:3389
+; port=tcp6://:3389 *:3389
+; port=tcp6://{}:3389 {FC00:0:0:0:0:0:0:1}:3389
+; port=vsock://:
+port=3389
+
+; 'port' above should be connected to with vsock instead of tcp
+; use this only with number alone in port above
+; prefer use vsock://: above
+use_vsock=false
+
+; regulate if the listening socket use socket option tcp_nodelay
+; no buffering will be performed in the TCP stack
+tcp_nodelay=true
+
+; regulate if the listening socket use socket option keepalive
+; if the network connection disappear without close messages the connection will be closed
+tcp_keepalive=true
+
+; set tcp send/recv buffer (for experts)
+#tcp_send_buffer_bytes=32768
+#tcp_recv_buffer_bytes=32768
+
+; security layer can be 'tls', 'rdp' or 'negotiate'
+; for client compatible layer
+security_layer=negotiate
+
+; minimum security level allowed for client for classic RDP encryption
+; use tls_ciphers to configure TLS encryption
+; can be 'none', 'low', 'medium', 'high', 'fips'
+crypt_level=high
+
+; X.509 certificate and private key
+; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
+; note this needs the user xrdp to be a member of the ssl-cert group, do with e.g.
+;$ sudo adduser xrdp ssl-cert
+certificate=
+key_file=
+
+; set SSL protocols
+; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
+ssl_protocols=TLSv1.2, TLSv1.3
+; set TLS cipher suites
+#tls_ciphers=HIGH
+
+; Section name to use for automatic login if the client sends username
+; and password. If empty, the domain name sent by the client is used.
+; If empty and no domain name is given, the first suitable section in
+; this file will be used.
+autorun=
+
+allow_channels=true
+allow_multimon=true
+bitmap_cache=true
+bitmap_compression=true
+bulk_compression=true
+#hidelogwindow=true
+max_bpp=32
+new_cursors=true
+; fastpath - can be 'input', 'output', 'both', 'none'
+use_fastpath=both
+; when true, userid/password *must* be passed on cmd line
+#require_credentials=true
+; You can set the PAM error text in a gateway setup (MAX 256 chars)
+#pamerrortxt=change your password according to policy at http://url
+
+;
+; colors used by windows in RGB format
+;
+blue=009cb5
+grey=dedede
+#black=000000
+#dark_grey=808080
+#blue=08246b
+#dark_blue=08246b
+#white=ffffff
+#red=ff0000
+#green=00ff00
+#background=626c72
+
+;
+; configure login screen
+;
+
+; Login Screen Window Title
+#ls_title=My Login Title
+
+; top level window background color in RGB format
+ls_top_window_bg_color=009cb5
+
+; width and height of login screen
+ls_width=350
+ls_height=430
+
+; login screen background color in RGB format
+ls_bg_color=dedede
+
+; optional background image filename (bmp format).
+#ls_background_image=
+
+; logo
+; full path to bmp-file or file in shared folder
+ls_logo_filename=
+ls_logo_x_pos=55
+ls_logo_y_pos=50
+
+; for positioning labels such as username, password etc
+ls_label_x_pos=30
+ls_label_width=65
+
+; for positioning text and combo boxes next to above labels
+ls_input_x_pos=110
+ls_input_width=210
+
+; y pos for first label and combo box
+ls_input_y_pos=220
+
+; OK button
+ls_btn_ok_x_pos=142
+ls_btn_ok_y_pos=370
+ls_btn_ok_width=85
+ls_btn_ok_height=30
+
+; Cancel button
+ls_btn_cancel_x_pos=237
+ls_btn_cancel_y_pos=370
+ls_btn_cancel_width=85
+ls_btn_cancel_height=30
+
+[Logging]
+LogFile=xrdp.log
+LogLevel=DEBUG
+EnableSyslog=true
+SyslogLevel=DEBUG
+; LogLevel and SysLogLevel could by any of: core, error, warning, info or debug
+
+[Channels]
+; Channel names not listed here will be blocked by XRDP.
+; You can block any channel by setting its value to false.
+; IMPORTANT! All channels are not supported in all use
+; cases even if you set all values to true.
+; You can override these settings on each session type
+; These settings are only used if allow_channels=true
+rdpdr=true
+rdpsnd=true
+drdynvc=true
+cliprdr=true
+rail=true
+xrdpvr=true
+tcutils=true
+
+; for debugging xrdp, in section xrdp1, change port=-1 to this:
+#port=/tmp/.xrdp/xrdp_display_10
+
+; for debugging xrdp, add following line to section xrdp1
+#chansrvport=/tmp/.xrdp/xrdp_chansrv_socket_7210
+
+
+;
+; Session types
+;
+
+; Some session types such as Xorg, X11rdp and Xvnc start a display server.
+; Startup command-line parameters for the display server are configured
+; in sesman.ini. See and configure also sesman.ini.
+[LightBurn]
+name=LightBurn
+lib=libxup.so
+username={{ lightburn_user }}
+password={{ lightburn_pass }}
+ip=127.0.0.1
+port=-1
+code=20
+
+[Xorg]
+name=Xorg
+lib=libxup.so
+username=ask
+password=ask
+ip=127.0.0.1
+port=-1
+code=20
+
+#[Xvnc]
+#name=Xvnc
+#lib=libvnc.so
+#username=ask
+#password=ask
+#ip=127.0.0.1
+#port=-1
+##xserverbpp=24
+##delay_ms=2000
+
+#[vnc-any]
+#name=vnc-any
+#lib=libvnc.so
+#ip=ask
+#port=ask5900
+#username=na
+#password=ask
+##pamusername=asksame
+##pampassword=asksame
+##pamsessionmng=127.0.0.1
+##delay_ms=2000
+
+#[neutrinordp-any]
+#name=neutrinordp-any
+#lib=libxrdpneutrinordp.so
+#ip=ask
+#port=ask3389
+#username=ask
+#password=ask
+
+; You can override the common channel settings for each session type
+#channel.rdpdr=true
+#channel.rdpsnd=true
+#channel.drdynvc=true
+#channel.cliprdr=true
+#channel.rail=true
+#channel.xrdpvr=true
diff --git a/site.yml b/site.yml
index 842b5e8..be95377 100644
--- a/site.yml
+++ b/site.yml
@@ -42,6 +42,11 @@
 roles:
 - netbox
+- name: Setup XRDP host
+ hosts: pancake.binary.kitchen
+ roles:
+ - xrdp_apphost
+
 - name: Setup drone runner
 hosts: bob.binary.kitchen
 roles:
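Review bot: The `[LightBurn]` section writes `password={{ lightburn_pass }}` in cleartext into `/etc/xrdp/xrdp.ini`, and the template task in this patch sets no `mode`, so the rendered file is most likely world-readable under the default umask; give that task `mode: "0640"` and an `owner`/`group` that limits the file to root and the account the xrdp daemon runs as (check the unit file on the target). Because `port=3389` listens on every interface, anyone who can reach the host gets an automatically authenticated LightBurn session, and the `[Xorg]` entry with `username=ask` / `password=ask` additionally offers a full desktop to any local account (sesman.ini in this patch also allows root), so either bind the listener to the intended interface (`port=tcp://<ip>:3389`, with the real address substituted) or confirm a host firewall covers it, and decide whether the `[Xorg]` entry is needed on this host at all. `LogLevel=DEBUG` / `SyslogLevel=DEBUG` under `[Logging]` should be `INFO` as for sesman.ini. `certificate=` and `key_file=` are left empty, which defers to the package's default self-signed pair; if that is intended, a comment such as `; empty: use the distribution-provided /etc/xrdp cert.pem/key.pem` would save the next reader the lookup.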
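Review bot: The new `Setup XRDP host` play sets no `become:`, yet the `xrdp_apphost` role it pulls in installs packages with `apt`, creates a user and writes under `/etc/xrdp`, all of which need root; if the neighbouring plays rely on a `become` default in ansible.cfg this is consistent, otherwise add `become: true` to the play. Targeting the single FQDN `pancake.binary.kitchen` matches the `Setup drone runner` play right below, so that part follows the file's convention.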