XRDP Application Host #51

Merged
moepman merged 19 commits from noby/ansible:xrdp into master 2022-06-20 08:41:14 +02:00
20 changed files with 951 additions and 0 deletions


@ -0,0 +1,4 @@
---
root_keys_host:
- "ssh-rsa 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 noby"


@ -0,0 +1,19 @@
xrdp_apphost
============
Manual installation steps
-------------------------
After the role has applied several manual installation steps have to be applied
by a admin user.
* Estlcam
* Login as tsadmin user and execute the following commands
$ sudo -u estlcam --preserve-env=DISPLAY /bin/bash
$ cd ~
$ export WINEPREFIX=~/.wine32
$ export WINEARCH=win32
$ wineboot
$ winetricks dotnet40 gdiplus d3dx9_36
$ wget http://www.estlcam.de/downloads/Estlcam_32_11244.exe
$ wine Estlcam_32_11243.exe


@ -0,0 +1,64 @@
---
xrdp_maxsessions: 10
xrdp_killdisconnected: true
xrdp_policy: UBDC
xrdp_ls_title: Binary Kitchen Application Server
xrdp_ls_top_window_bg_color: 003377
xrdp_ls_bg_color: dedede
xrdp_ls_width: 350
xrdp_ls_height: 430
xrdp_ls_logo_filename: KitchenLogo.bmp
xrdp_ls_logo_x_pos: 55
xrdp_ls_logo_y_pos: 50
xrdp_ls_label_x_pos: 30
xrdp_ls_label_width: 65
xrdp_ls_input_x_pos: 110
xrdp_ls_input_width: 210
xrdp_ls_input_y_pos: 220
xrdp_ls_btn_ok_x_pos: 142
xrdp_ls_btn_ok_y_pos: 370
xrdp_ls_btn_cancel_x_pos: 237
xrdp_ls_btn_cancel_y_pos: 370
info_folder_name: "___Files\ older\ than\ 30\ days\ will\ be\ automatically\ deleted"
xrdp_applications:
LightBurn:
user: lightburn
group: lightburn
pass: "{{ vault_xrdp_apphost_lightburn_pass }}"
salt: "{{ vault_xrdp_apphost_lightburn_salt }}"
git_config_folder: /home/lightburn/.config/LightBurn/
checksum: sha256:f96af6b316f495091c94d40cb1d808f0fb8643fa41a1b04da5ad57499b4a8cdc
version: 1.1.04
Estlcam:
user: estlcam
group: estlcam
pass: "{{ vault_xrdp_apphost_estlcam_pass }}"
salt: "{{ vault_xrdp_apphost_estlcam_salt }}"
git_config_folder: /home/estlcam/.wine32/drive_c/ProgramData/Estlcam/
Slicer:
user: slicer
group: slicer
pass: "{{ vault_xrdp_apphost_slicer_pass }}"
salt: "{{ vault_xrdp_apphost_slicer_salt }}"
git_config_folder: /home/slicer/.config/PrusaSlicer/
checksum: sha256:b36f49a577ab88d568d8165a94ac62e9eb6d9b4dcc46516a82e1a6131fdcea6e
version_base: 2.4.2
version: 2.4.2+linux-x64-GTK3-202204251120
lightburn_url: https://github.com/LightBurnSoftware/deployment/releases/download/{{ xrdp_applications.LightBurn.version }}/LightBurn-Linux64-v{{ xrdp_applications.LightBurn.version }}.run
lightburn_target: /home/{{ xrdp_applications.LightBurn.user }}/LightBurn-Linux64-v{{ xrdp_applications.LightBurn.version }}.run
slicer_url: https://github.com/prusa3d/PrusaSlicer/releases/download/version_{{ xrdp_applications.Slicer.version_base }}/PrusaSlicer-{{ xrdp_applications.Slicer.version }}.AppImage
slicer_target: /home/{{ xrdp_applications.Slicer.user }}/PrusaSlicer-{{ xrdp_applications.Slicer.version }}.AppImage
tsadmin_user: tsadmin
tsadmin_group: tsadmin
tsadmin_pass: "{{ vault_xrdp_apphost_tsadmin_pass }}"
tsadmin_salt: "{{ vault_xrdp_apphost_tsadmin_salt }}"
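Review bot: `xrdp_ls_top_window_bg_color: 003377` is an unquoted scalar with a leading zero and only octal digits, so a YAML 1.1 loader such as the one Ansible uses reads it as the integer 1791, and `ls_top_window_bg_color={{ xrdp_ls_top_window_bg_color }}` in xrdp.ini.j2 then renders `1791` instead of the hex colour. Quote it, `xrdp_ls_top_window_bg_color: "003377"`, and for symmetry `xrdp_ls_bg_color: "dedede"` (which only stays a string because it happens to contain letters). The `\ ` sequences in `info_folder_name` are just escaped spaces inside a double-quoted scalar, so the value can be written without the backslashes. The Estlcam entry has no `checksum`/`version` keys while the other two do; a one-line comment saying that Estlcam is installed by hand (as the README describes) would mark the asymmetry as intentional.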



@ -0,0 +1,12 @@
---
- name: Restart xrdp
service: name=xrdp state=restarted
- name: Install LightBurn
shell: "{{ lightburn_target }}"
become: yes
become_user: "{{ xrdp_applications.LightBurn.user }}"
- name: Reload smbd
service: name=smbd state=reloaded
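Review bot: `become: yes` in the `Install LightBurn` handler is the YAML 1.1 boolean spelling; the canonical form is `become: true` (yamllint `truthy`), and the same spelling recurs in the app_common.yml and main.yml task files. The `service: name=xrdp state=restarted` and `service: name=smbd state=reloaded` handlers use key=value module arguments, as do the `group`, `user`, `template`, `file`, `get_url` and `copy` tasks in app_common.yml, lightburn.yml, slicer.yml, main.yml and xrdp.yml; block YAML (`service:` / `name: xrdp` / `state: restarted`) is the form ansible-lint asks for and avoids quoting problems when a templated value contains spaces. Style only, behaviour is unchanged.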


@ -0,0 +1,104 @@
---
- name: Install global dependencies
apt:
name:
- git
- name: Create Application groups
group: name={{ item.value.group }}
with_dict:
- "{{ xrdp_applications }}"
- name: Create Application users
user: name={{ item.value.user }} password={{ item.value.pass | password_hash('sha512', item.value.salt) }} home=/home/{{ item.value.user }} group={{ item.value.group }}
with_dict:
- "{{ xrdp_applications }}"
- name: Create Application .xsession
template: src={{ item.value.user }}_xsession.j2 dest=/home/{{ item.value.user }}/.xsession
with_dict:
- "{{ xrdp_applications }}"
- name: Create Application data directories
file: path=/home/{{ item.value.user }}/data state=directory mode=0755 owner={{ item.value.user }} group={{ item.value.group }}
with_dict:
- "{{ xrdp_applications }}"
- name: Create info directory
file:
path: "/home/{{ item.value.user }}/data/{{ info_folder_name }}"
state: directory
mode: 0444
owner: root
group: root
with_dict:
- "{{ xrdp_applications }}"
- name: Create file cleanup cron
cron:
name: "Delete files older than 30 days"
minute: "0"
hour: "5"
job: "find /home/{{ item.value.user }}/data -type f -mtime +30 ! -name \"{{ info_folder_name }}\" -delete"
user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
- name: Create directory cleanup cron
cron:
name: "Delete empty directories"
minute: "1"
hour: "5"
job: "find /home/{{ item.value.user }}/data -type d -empty ! -name \"{{ info_folder_name }}\" -delete"
user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
- name: Create config directory
file:
path: "{{ item.value.git_config_folder }}"
state: directory
become: yes
become_user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
- name: Create git repo for configs
command: git init {{ item.value.git_config_folder }}
become: yes
become_user: "{{ item.value.user }}"
args:
creates: "{{ item.value.git_config_folder }}/.git"
with_dict:
- "{{ xrdp_applications }}"
- name: Setup git user names
git_config:
name: user.name
scope: global
value: "{{ item.value.user }}"
become: yes
become_user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
- name: Setup git E-Mail
git_config:
name: user.email
scope: global
value: "{{ item.value.user }}@{{ inventory_hostname }}"
become: yes
become_user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
- name: Create config git commit cron
cron:
name: "Add and commit all changes"
minute: "5"
hour: "5"
job: "cd {{ item.value.git_config_folder }} && git add -A && git commit -m 'Commit via cronjob'"
user: "{{ item.value.user }}"
with_dict:
- "{{ xrdp_applications }}"
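Review bot: The `Create Application users` task passes `password={{ item.value.pass | password_hash('sha512', item.value.salt) }}` as a plain module argument without `no_log`, so the resulting hash, derived from the vaulted password and salt, is printed in verbose runs and kept in the task result; add `no_log: true` to that task. The `Create tsadmin_user` task in main.yml has the same shape and needs the same line. Separately, `mode: 0444` in `Create info directory` is an unquoted octal literal; Ansible accepts it because of the leading zero, but `mode: "0444"` is the form the file module documents and the one that survives a YAML 1.2 loader.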


@ -0,0 +1,24 @@
---
- name: Enable contrib repositories
apt_repository:
repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }} contrib
- name: Add i386 Architecture
command: dpkg --add-architecture i386
args:
creates: /var/lib/dpkg/arch
when: ansible_architecture != 'i386'
register: archrc
- name: Update APT Cache for i386
apt:
update_cache: true
when: archrc is defined and archrc.changed
- name: Install Estlcam dependencies
apt:
name:
- winetricks
- wine32
- xfwm4
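Review bot: `creates: /var/lib/dpkg/arch` in `Add i386 Architecture` only tells whether any foreign architecture has ever been added, not whether i386 is among them, so on a host that already carries another foreign architecture the command is skipped and i386 is never enabled; in that case `archrc.changed` is also false and the cache update never runs. Query the foreign-architecture list instead and condition on its output, keeping the existing `ansible_architecture` guard. `changed_when: false` on the query keeps the play idempotent and `check_mode: false` lets the registered variable exist in check mode.
```yaml
- name: Query foreign dpkg architectures
  command: dpkg --print-foreign-architectures
  register: foreign_archs
  changed_when: false
  check_mode: false
- name: Add i386 Architecture
  command: dpkg --add-architecture i386
  when: ansible_architecture != 'i386' and 'i386' not in foreign_archs.stdout_lines
  register: archrc
# … unchanged: Update APT Cache for i386, Install Estlcam dependencies …
```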


@ -0,0 +1,12 @@
---
- name: Install LightBurn dependencies
apt:
name:
- libpulse-mainloop-glib0
- libnss3
- libxkbcommon-x11-0
- name: Download LightBurn binary
get_url: url={{ lightburn_url }} dest={{ lightburn_target }} checksum={{ xrdp_applications.LightBurn.checksum }} mode=0755
notify: Install LightBurn
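Review bot: The installer is only run through the `Install LightBurn` handler, which fires when `get_url` reports a change; if the play is interrupted between the download and the handler run, the next run sees the file unchanged, the installer never executes, and lightburn_xsession.j2 then `exec`s a binary that does not exist. A task with `creates:` pointing at the installed binary (the path the xsession template runs, `/home/<user>/.local/share/LightBurn/LightBurn` — confirm the installer writes it there) converges regardless of when the download happened. `command` is enough here since `{{ lightburn_target }}` contains no shell syntax.
```yaml
- name: Install LightBurn
  command: "{{ lightburn_target }}"
  args:
    creates: /home/{{ xrdp_applications.LightBurn.user }}/.local/share/LightBurn/LightBurn
  become: true
  become_user: "{{ xrdp_applications.LightBurn.user }}"
```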


@ -0,0 +1,35 @@
---
- name: Set Default umask for Users
lineinfile:
dest: '/etc/login.defs'
regexp: "UMASK"
line: "UMASK 027"
state: present
- include: xrdp.yml
- include: app_common.yml
- include: samba.yml
- include: lightburn.yml
- include: estlcam.yml
- include: slicer.yml
- name: Create tsadmin group
group: name={{ tsadmin_group }}
- name: Create tsadmin_user
user: name={{ tsadmin_user }} password={{ tsadmin_pass | password_hash('sha512', tsadmin_salt) }} home=/home/{{ tsadmin_user }} group={{ tsadmin_group }}
- name: Allow 'tsadmin_user' group to have passwordless sudo to other users
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^{{ tsadmin_user }} ALL=({{ item.value.user }}) NOPASSWD: ALL'
line: '{{ tsadmin_user }} ALL=({{ item.value.user }}) NOPASSWD: ALL'
validate: visudo -cf %s
with_dict:
- "{{ xrdp_applications }}"
- name: Create tsadmin_user .xsession
template: src=tsadmin_xsession.j2 dest=/home/{{ tsadmin_user }}/.xsession
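Review bot: The `regexp` in `Allow 'tsadmin_user' group to have passwordless sudo to other users` leaves the parentheses unescaped, so `({{ item.value.user }})` is a regex group that matches `tsadmin ALL=lightburn NOPASSWD: ALL` rather than the line the task writes; lineinfile still converges via its exact-line check, but a previously edited rule would never be replaced. Escape them: `regexp: '^{{ tsadmin_user }} ALL=\({{ item.value.user }}\) NOPASSWD: ALL'`. The `Set Default umask for Users` task has a similar problem: `regexp: "UMASK"` matches any line mentioning UMASK, including the comments in /etc/login.defs (recent Debian releases have a comment mentioning UMASK after the setting), and because lineinfile replaces the last match the real `UMASK 022` line can be left untouched; anchor it with `regexp: '^UMASK\s'`. Consider writing the sudo rules to a file under `/etc/sudoers.d/` instead of editing `/etc/sudoers`, keeping the `validate` call.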


@ -0,0 +1,12 @@
---
- name: Install samba
apt:
name:
- samba
- name: Configure samba
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
notify: Reload smbd


@ -0,0 +1,9 @@
---
- name: Install Slic3r dependencies
apt:
name:
- libgtk2.0-0
- name: Download Slic3r binary
get_url: url={{ slicer_url }} dest={{ slicer_target }} checksum={{ xrdp_applications.Slicer.checksum }} mode=0755


@ -0,0 +1,23 @@
---
- name: Install main dependencies
apt:
name:
- xrdp
- libasound2
- matchbox-window-manager
- name: Configure xrdp.ini
template: src=xrdp.ini.j2 dest=/etc/xrdp/xrdp.ini
notify: Restart xrdp
- name: Configure sesman.ini
template: src=sesman.ini.j2 dest=/etc/xrdp/sesman.ini
notify: Restart xrdp
- name: Create xrdp directory
file: path=/usr/local/share/xrdp/ state=directory mode=0755 owner=root group=root
- name: Copy Binary Kitchen Logo
copy: src={{ xrdp_ls_logo_filename }} dest=/usr/local/share/xrdp/{{ xrdp_ls_logo_filename }}
notify: Restart xrdp
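Review bot: `Configure xrdp.ini` writes the template with default permissions, and the rendered file contains the application users' clear-text passwords (`password={{ config.pass }}` in the per-application sessions of xrdp.ini.j2); the packaged /etc/xrdp/xrdp.ini on Debian is world-readable, so every local account, including tsadmin and the three application users, can read each other's credentials. Set explicit ownership and a restrictive mode on the template task. xrdp on Debian runs as the `xrdp` user (the template's own comment refers to adding it to ssl-cert), so `root:xrdp` with `0640` should keep the file readable for the daemon — confirm the service user on the target.
```yaml
- name: Configure xrdp.ini
  template:
    src: xrdp.ini.j2
    dest: /etc/xrdp/xrdp.ini
    owner: root
    group: xrdp
    mode: "0640"
  notify: Restart xrdp
# … unchanged: Configure sesman.ini, Create xrdp directory, Copy Binary Kitchen Logo …
```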


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
export WINEPREFIX=~/.wine32
xfwm4 &
exec wine "/home/{{ xrdp_applications.Estlcam.user }}/.wine32/drive_c/Program Files/Estlcam11/Estlcam.exe"


@ -0,0 +1,4 @@
{{ ansible_managed | comment }}
matchbox-window-manager &
exec /home/{{ xrdp_applications.LightBurn.user }}/.local/share/LightBurn/LightBurn


@ -0,0 +1,115 @@
{{ ansible_managed | comment(decoration = '; ') }}
;; See `man 5 sesman.ini` for details
[Globals]
ListenAddress=127.0.0.1
ListenPort=3350
EnableUserWindowManager=true
; Give in relative path to user's home directory
UserWindowManager=startwm.sh
; Give in full path or relative path to /etc/xrdp
DefaultWindowManager=startwm.sh
; Give in full path or relative path to /etc/xrdp
ReconnectScript=reconnectwm.sh
[Security]
AllowRootLogin=true
MaxLoginRetry=4
TerminalServerUsers=tsusers
TerminalServerAdmins=tsadmins
; When AlwaysGroupCheck=false access will be permitted
; if the group TerminalServerUsers is not defined.
AlwaysGroupCheck=false
; When RestrictOutboundClipboard=true clipboard from the
; server is not pushed to the client.
RestrictOutboundClipboard=false
[Sessions]
;; X11DisplayOffset - x11 display number offset
; Type: integer
; Default: 10
X11DisplayOffset=10
;; MaxSessions - maximum number of connections to an xrdp server
; Type: integer
; Default: 0
MaxSessions={{ xrdp_maxsessions }}
;; KillDisconnected - kill disconnected sessions
; Type: boolean
; Default: false
; if 1, true, or yes, kill session after 60 seconds
KillDisconnected={{ xrdp_killdisconnected }}
;; DisconnectedTimeLimit - when to kill idle sessions
; Type: integer
; Default: 0
; if not zero, the seconds before a disconnected session is killed
; min 60 seconds
DisconnectedTimeLimit=0
;; IdleTimeLimit (specify in second) - wait before disconnect idle sessions
; Type: integer
; Default: 0
; Set to 0 to disable idle disconnection.
IdleTimeLimit=0
;; Policy - session allocation policy
; Type: enum [ "Default" | "UBD" | "UBI" | "UBC" | "UBDI" | "UBDC" ]
; Default: Xrdp:<User,BitPerPixel> and Xvnc:<User,BitPerPixel,DisplaySize>
; "UBD" session per <User,BitPerPixel,DisplaySize>
; "UBI" session per <User,BitPerPixel,IPAddr>
; "UBC" session per <User,BitPerPixel,Connection>
; "UBDI" session per <User,BitPerPixel,DisplaySize,IPAddr>
; "UBDC" session per <User,BitPerPixel,DisplaySize,Connection>
Policy={{ xrdp_policy }}
[Logging]
LogFile=xrdp-sesman.log
LogLevel=DEBUG
EnableSyslog=1
SyslogLevel=DEBUG
;
; Session definitions - startup command-line parameters for each session type
;
[Xorg]
; Specify the path of non-suid Xorg executable. It might differ depending
; on your distribution and version. The typical path is shown as follows:
;
; Fedora 26 or later : param=/usr/libexec/Xorg
; Debian 9 or later : param=/usr/lib/xorg/Xorg
; Ubuntu 16.04 or later : param=/usr/lib/xorg/Xorg
; Arch Linux : param=/usr/lib/xorg-server/Xorg
; CentOS 7 : param=/usr/bin/Xorg or param=Xorg
;
param=/usr/lib/xorg/Xorg
; Leave the rest paramaters as-is unless you understand what will happen.
param=-config
param=xrdp/xorg.conf
param=-noreset
param=-nolisten
param=tcp
param=-logfile
param=.xorgxrdp.%s.log
[Xvnc]
param=Xvnc
param=-bs
param=-nolisten
param=tcp
param=-localhost
param=-dpi
param=96
[Chansrv]
; drive redirection, defaults to xrdp_client if not set
FuseMountName=thinclient_drives
; this value allows only the user to acess their own mapped drives.
; Make this more permissive (e.g. 022) if required.
FileUmask=077
[SessionVariables]
PULSE_SCRIPT=/etc/xrdp/pulse/default.pa
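Review bot: `AllowRootLogin=true` in [Security] lets root open a graphical session over the RDP listener, which nothing in this role needs (tsadmin gets its privileges via sudo), so set `AllowRootLogin=false`. In the same section `AlwaysGroupCheck=false` together with `TerminalServerUsers=tsusers` means that, as long as no `tsusers` group exists on the host (the role as shown creates only the application groups and `tsadmin`), any local account may start a session; creating `tsusers`, adding the application users and tsadmin to it, and setting `AlwaysGroupCheck=true` makes the allow-list explicit. `LogLevel=DEBUG` and `SyslogLevel=DEBUG` in [Logging] are very chatty for a permanent deployment; `INFO` is the usual production setting.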


@ -0,0 +1,4 @@
{{ ansible_managed | comment }}
matchbox-window-manager &
exec /home/{{ xrdp_applications.Slicer.user }}/PrusaSlicer-{{ xrdp_applications.Slicer.version }}.AppImage


@ -0,0 +1,252 @@
{{ ansible_managed | comment }}
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
;[homes]
; comment = Home Directories
; browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
; read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
; create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
; directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
; valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
;[printers]
; comment = All Printers
; browseable = no
; path = /var/spool/samba
; printable = yes
; guest ok = no
; read only = yes
; create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
;[print$]
; comment = Printer Drivers
; path = /var/lib/samba/printers
; browseable = yes
; read only = yes
; guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
{% for app, config in xrdp_applications.items() %}
# {{ app}} share
[{{ app | lower }}]
comment = {{ app }} data folder
path = /home/{{ config.user }}/data
browseable = yes
read only = no
guest ok = yes
create mask = 0600
directory mask = 0700
force user = {{ config.user }}
hide dot files = yes
{% endfor %}
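Review bot: Each generated share sets `guest ok = yes` and `read only = no` with `force user = {{ config.user }}`, while [global] leaves `interfaces`/`bind interfaces only` commented out and sets no `hosts allow`, so anyone who can reach port 445 on any interface of the host can write anonymously into `/home/<app>/data` as that application user. If anonymous drop-off is intended for the workshop network, limit it to that network: `hosts allow = 127.0.0.1 <LAN-CIDR placeholder>` and `hosts deny = ALL` in [global], or `interfaces = <lan-interface placeholder>` with `bind interfaces only = yes`. `map to guest = bad user` also turns a mistyped username into a guest session, which suits the guest shares but means a typo never yields an authentication error; worth a comment next to it. The `{{ app}}` in the per-share comment is missing a space before the closing braces; it renders, but `{{ app }}` matches the rest of the template.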


@ -0,0 +1,7 @@
{{ ansible_managed | comment }}
{% for app, config in xrdp_applications.items() %}
xhost si:localuser:{{ config.user }}
{% endfor %}
xfwm4 &
exec xterm


@ -0,0 +1,241 @@
{{ ansible_managed | comment(decoration = '; ') }}
[Globals]
; xrdp.ini file version number
ini_version=1
; fork a new process for each incoming connection
fork=true
; ports to listen on, number alone means listen on all interfaces
; 0.0.0.0 or :: if ipv6 is configured
; space between multiple occurrences
;
; Examples:
; port=3389
; port=unix://./tmp/xrdp.socket
; port=tcp://.:3389 127.0.0.1:3389
; port=tcp://:3389 *:3389
; port=tcp://<any ipv4 format addr>:3389 192.168.1.1:3389
; port=tcp6://.:3389 ::1:3389
; port=tcp6://:3389 *:3389
; port=tcp6://{<any ipv6 format addr>}:3389 {FC00:0:0:0:0:0:0:1}:3389
; port=vsock://<cid>:<port>
port=3389
; 'port' above should be connected to with vsock instead of tcp
; use this only with number alone in port above
; prefer use vsock://<cid>:<port> above
use_vsock=false
; regulate if the listening socket use socket option tcp_nodelay
; no buffering will be performed in the TCP stack
tcp_nodelay=true
; regulate if the listening socket use socket option keepalive
; if the network connection disappear without close messages the connection will be closed
tcp_keepalive=true
; set tcp send/recv buffer (for experts)
#tcp_send_buffer_bytes=32768
#tcp_recv_buffer_bytes=32768
; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
security_layer=negotiate
; minimum security level allowed for client for classic RDP encryption
; use tls_ciphers to configure TLS encryption
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high
; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
; note this needs the user xrdp to be a member of the ssl-cert group, do with e.g.
;$ sudo adduser xrdp ssl-cert
certificate=
key_file=
; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
ssl_protocols=TLSv1.2, TLSv1.3
; set TLS cipher suites
#tls_ciphers=HIGH
; Section name to use for automatic login if the client sends username
; and password. If empty, the domain name sent by the client is used.
; If empty and no domain name is given, the first suitable section in
; this file will be used.
autorun=
allow_channels=true
allow_multimon=true
bitmap_cache=true
bitmap_compression=true
bulk_compression=true
#hidelogwindow=true
max_bpp=32
new_cursors=true
; fastpath - can be 'input', 'output', 'both', 'none'
use_fastpath=both
; when true, userid/password *must* be passed on cmd line
#require_credentials=true
; You can set the PAM error text in a gateway setup (MAX 256 chars)
#pamerrortxt=change your password according to policy at http://url
;
; colors used by windows in RGB format
;
blue=009cb5
grey=dedede
#black=000000
#dark_grey=808080
#blue=08246b
#dark_blue=08246b
#white=ffffff
#red=ff0000
#green=00ff00
#background=626c72
;
; configure login screen
;
; Login Screen Window Title
ls_title={{ xrdp_ls_title }}
; top level window background color in RGB format
ls_top_window_bg_color={{ xrdp_ls_top_window_bg_color }}
; width and height of login screen
ls_width={{ xrdp_ls_width }}
ls_height={{ xrdp_ls_height }}
; login screen background color in RGB format
ls_bg_color={{ xrdp_ls_bg_color }}
; optional background image filename (bmp format).
#ls_background_image=
; logo
; full path to bmp-file or file in shared folder
ls_logo_filename=/usr/local/share/xrdp/{{ xrdp_ls_logo_filename }}
ls_logo_x_pos={{ xrdp_ls_logo_x_pos }}
ls_logo_y_pos={{ xrdp_ls_logo_y_pos }}
; for positioning labels such as username, password etc
ls_label_x_pos={{ xrdp_ls_label_x_pos }}
ls_label_width={{ xrdp_ls_label_width }}
; for positioning text and combo boxes next to above labels
ls_input_x_pos={{ xrdp_ls_input_x_pos }}
ls_input_width={{ xrdp_ls_input_width }}
; y pos for first label and combo box
ls_input_y_pos={{ xrdp_ls_input_y_pos }}
; OK button
ls_btn_ok_x_pos={{ xrdp_ls_btn_ok_x_pos }}
ls_btn_ok_y_pos={{ xrdp_ls_btn_ok_y_pos }}
ls_btn_ok_width=85
ls_btn_ok_height=30
; Cancel button
ls_btn_cancel_x_pos={{ xrdp_ls_btn_cancel_x_pos }}
ls_btn_cancel_y_pos={{ xrdp_ls_btn_cancel_y_pos }}
ls_btn_cancel_width=85
ls_btn_cancel_height=30
[Logging]
LogFile=xrdp.log
LogLevel=DEBUG
EnableSyslog=true
SyslogLevel=DEBUG
; LogLevel and SysLogLevel could by any of: core, error, warning, info or debug
[Channels]
; Channel names not listed here will be blocked by XRDP.
; You can block any channel by setting its value to false.
; IMPORTANT! All channels are not supported in all use
; cases even if you set all values to true.
; You can override these settings on each session type
; These settings are only used if allow_channels=true
rdpdr=true
rdpsnd=true
drdynvc=true
cliprdr=true
rail=true
xrdpvr=true
tcutils=true
; for debugging xrdp, in section xrdp1, change port=-1 to this:
#port=/tmp/.xrdp/xrdp_display_10
; for debugging xrdp, add following line to section xrdp1
#chansrvport=/tmp/.xrdp/xrdp_chansrv_socket_7210
;
; Session types
;
; Some session types such as Xorg, X11rdp and Xvnc start a display server.
; Startup command-line parameters for the display server are configured
; in sesman.ini. See and configure also sesman.ini.
{% for app, config in xrdp_applications.items() %}
[{{ app }}]
name={{ app }}
lib=libxup.so
username={{ config.user }}
password={{ config.pass }}
ip=127.0.0.1
port=-1
code=20
{% endfor %}
[Xorg]
name=Xorg
lib=libxup.so
username=ask
password=ask
ip=127.0.0.1
port=-1
code=20
#[Xvnc]
#name=Xvnc
#lib=libvnc.so
#username=ask
#password=ask
#ip=127.0.0.1
#port=-1
##xserverbpp=24
##delay_ms=2000
#[vnc-any]
#name=vnc-any
#lib=libvnc.so
#ip=ask
#port=ask5900
#username=na
#password=ask
##pamusername=asksame
##pampassword=asksame
##pamsessionmng=127.0.0.1
##delay_ms=2000
#[neutrinordp-any]
#name=neutrinordp-any
#lib=libxrdpneutrinordp.so
#ip=ask
#port=ask3389
#username=ask
#password=ask
; You can override the common channel settings for each session type
#channel.rdpdr=true
#channel.rdpsnd=true
#channel.drdynvc=true
#channel.cliprdr=true
#channel.rail=true
#channel.xrdpvr=true
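Review bot: `security_layer=negotiate` lets a client choose classic RDP encryption instead of TLS, and the per-application sessions rendered by the `{% for app, config in xrdp_applications.items() %}` loop carry fixed `username=`/`password=` values, so a client that selects one of those sessions is authenticated with the stored credentials rather than its own (presumably the intent for a shared workshop host); `security_layer=tls` removes the downgrade path, and `crypt_level=high` on the following line then only matters for clients that cannot do TLS. `certificate=` and `key_file=` are empty, which relies on whatever pair the package installs — confirm on the target that a valid key and certificate are in place before forcing TLS. `LogLevel=DEBUG` and `SyslogLevel=DEBUG` in [Logging] mirror the sesman.ini setting and are similarly verbose for a permanent host.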


@ -42,6 +42,11 @@
roles:
- netbox
- name: Setup XRDP host
hosts: pancake.binary.kitchen
roles:
- xrdp_apphost
- name: Setup drone runner
hosts: bob.binary.kitchen
roles: