--- HTTPS Browser VNC on Raspberry Pi OS ---
# Usage:
# Validate syntax:
# cgr validate https_vnc.cgr
#
# Preview install without changing the system:
# cgr apply https_vnc.cgr --set action=install --dry-run
#
# Install HTTPS browser VNC:
# sudo cgr apply https_vnc.cgr --set action=install
#
# Roll back HTTPS browser VNC:
# sudo cgr apply https_vnc.cgr --set action=rollback
#
# Uninstall HTTPS browser VNC:
# sudo cgr apply https_vnc.cgr --set action=uninstall
#
# The default action is "install", so omitting --set action=install installs.
#
# This graph is stateless so a previous install run cannot cause rollback steps
# to be skipped, and a previous rollback or uninstall run cannot affect a later install.
# Stateless: nothing from a previous apply is recorded, so every step re-evaluates its own
# skip/run checks against the live system on each run.
set stateless = true
# Selected with `--set action=...`; [validate action] rejects anything but install/rollback/uninstall.
set action = "install"
# Loopback port websockify binds (127.0.0.1 only); nginx proxy_pass targets it.
set novnc_port = "6080"
# Port of the VNC backend that websockify connects to on localhost.
set vnc_port = "5900"
# Unprivileged account the novnc systemd unit runs as (User= in the generated unit).
set user_name = "pi"
# Self-signed vnc.key / vnc.crt are generated in here when missing.
set nginx_cert_dir = "/etc/nginx/certs"
# htpasswd file behind nginx auth_basic; written root:www-data mode 0640.
set nginx_auth_file = "/etc/nginx/.vncpasswd"
# Generated systemd unit for websockify.
set novnc_service = "/etc/systemd/system/novnc.service"
# Generated nginx server block and its sites-enabled symlink.
set nginx_site = "/etc/nginx/sites-available/novnc"
set nginx_site_link = "/etc/nginx/sites-enabled/novnc"
# Pre-change copies (wayvnc config, the unit, the site, the stock default site) are kept here
# as <name>.bak; the rollback phase restores from it.
set backup_dir = "/var/backups/https-vnc"
# Everything below runs on the local machine. [validate action] is the first dependency of both
# phases: an unrecognised action prints the usage hint and fails the run (exit 1) before any
# step touches the system.
target "local" local:
[validate action]:
run:
case "${action}" in
install|rollback|uninstall) exit 0 ;;
*) printf 'Invalid action: %s\nUse install, rollback, or uninstall.\n' "${action}"; exit 1 ;;
esac
# ─── Install ────────────────────────────────────────────────────────────────
# Install phase: every step in it is gated on action == install (the default action).
phase "install" when "action == 'install'":
# Refresh the apt index on every install run (always run), once the action has been validated.
[update apt cache] as root, timeout 5m:
first [validate action]
always run $ apt update
# Install noVNC, websockify, nginx, htpasswd (apache2-utils) and curl. Skipped when dpkg already
# reports all five installed, so repeat runs do not go back to apt.
[install packages] as root, timeout 10m:
first [update apt cache]
skip if $ dpkg -s novnc websockify nginx apache2-utils curl >/dev/null 2>&1
run $ apt install -y novnc websockify nginx apache2-utils curl
# Enable the VNC server through raspi-config (in its non-interactive interface 0 means "enable").
# Failure is ignored so a host without raspi-config, or one whose VNC server is managed some
# other way, does not abort the install.
[enable RealVNC] as root, if fails ignore:
first [install packages]
always run $ raspi-config nonint do_vnc 0
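# Turn off wayvnc's own authentication so websockify can attach to localhost:${vnc_port} without a
# VNC password; access control then rests entirely on nginx's HTTPS basic auth.
# SECURITY (review): this leaves the raw VNC listener passwordless. That is only acceptable when
# wayvnc binds loopback only; this graph never checks the bind address, so confirm the
# `address=` setting in /etc/wayvnc/config before relying on it — on a LAN-facing listener
# anyone who can reach port ${vnc_port} gets the desktop.
# Skip logic: the three checks are combined with && in one shell command, so the step is skipped
# only when the config exists AND both flags are already false. (A `test ! -f` here would make
# the skip impossible to satisfy, re-running the sed/restart and re-copying the already-modified
# config over the backup on every install.) A missing config ends the step successfully without
# doing anything; the first pre-change copy in ${backup_dir} is never overwritten.
[configure wayvnc] as root, if fails ignore:
first [enable RealVNC]
skip if $ test -f /etc/wayvnc/config && grep -q '^enable_auth=false' /etc/wayvnc/config && grep -q '^enable_pam=false' /etc/wayvnc/config
run:
test -f /etc/wayvnc/config || exit 0
mkdir -p ${backup_dir}
test -f ${backup_dir}/config.bak || cp /etc/wayvnc/config ${backup_dir}/config.bak
sed -i 's/^enable_auth=true/enable_auth=false/' /etc/wayvnc/config
sed -i 's/^enable_pam=true/enable_pam=false/' /etc/wayvnc/config
systemctl restart wayvnc || true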
# Wait (6 tries, 5s apart) for something to listen on the VNC port before the web stack is
# wired to it. The grep only looks for ":<port> " in `ss -ltn` output, so it accepts a listener
# on any address — it cannot distinguish a loopback-only backend from one exposed on the LAN.
[verify VNC backend]:
first [configure wayvnc]
run:
ss -ltn | grep -q ":${vnc_port} "
retry 6x wait 5s
# Copy an existing novnc unit, nginx site and the stock nginx default site into ${backup_dir}
# as <name>.bak before they are overwritten or removed. Runs on every install; a missing file is
# skipped and a failed copy does not abort. On a repeat run the unit and site copies are refreshed
# with this graph's own previous output (the default site, already removed, is not).
[backup existing config] as root:
first [verify VNC backend]
always run:
mkdir -p ${backup_dir}
for f in ${novnc_service} ${nginx_site} /etc/nginx/sites-enabled/default; do
if test -f "$f"; then cp "$f" "${backup_dir}/$(basename "$f").bak" || true; fi
done
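# systemd unit for websockify: serves the noVNC web assets from /usr/share/novnc and bridges
# WebSocket clients on 127.0.0.1:${novnc_port} to the VNC backend on localhost:${vnc_port}.
# Bound to loopback, so only nginx (after basic auth) can reach it; runs as the unprivileged
# ${user_name}. The sandboxing directives stop the process from gaining privileges, give it a
# private /tmp, and make /usr, /boot and /etc read-only and home directories read-only —
# websockify only needs to read the web assets. If it fails to start under these, relax
# ProtectSystem first. Any previous unit file was saved by [backup existing config].
[write novnc service] as root:
first [backup existing config]
content > ${novnc_service}:
[Unit]
Description=noVNC Web VNC
After=network.target
[Service]
ExecStart=/usr/bin/websockify --web /usr/share/novnc/ 127.0.0.1:${novnc_port} localhost:${vnc_port}
Restart=always
User=${user_name}
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=read-only
[Install]
WantedBy=multi-user.target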
# Pick up the (re)written unit, enable it at boot and (re)start it now; runs on every install.
[start novnc service] as root:
first [write novnc service]
always run:
systemctl daemon-reload
systemctl enable novnc
systemctl restart novnc
# Directory for the self-signed key and certificate; created only when absent.
[create certificate directory] as root:
first [install packages]
skip if $ test -d ${nginx_cert_dir}
run $ mkdir -p ${nginx_cert_dir}
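# Self-signed RSA-2048 certificate for nginx, CN and SAN = <hostname>.local, valid 365 days.
# The key is generated under umask 077 so it is never world-readable, not even between the
# openssl call and the chmod. The SAN is included because browsers ignore a CN-only certificate
# when matching a manually trusted certificate to the host. Skipped while a non-empty, unexpired
# pair already exists (a user-supplied certificate is left alone); an expired certificate is
# regenerated instead of being served until someone notices.
[create HTTPS certificate] as root:
first [create certificate directory]
skip if $ test -s ${nginx_cert_dir}/vnc.key && test -s ${nginx_cert_dir}/vnc.crt && openssl x509 -checkend 0 -noout -in ${nginx_cert_dir}/vnc.crt >/dev/null 2>&1
run:
umask 077
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout ${nginx_cert_dir}/vnc.key \
-out ${nginx_cert_dir}/vnc.crt \
-subj "/CN=$(hostname).local" \
-addext "subjectAltName=DNS:$(hostname).local"
chmod 600 ${nginx_cert_dir}/vnc.key
chmod 644 ${nginx_cert_dir}/vnc.crt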
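# Note: [create HTTPS login] owns the terminal. Keep it after the service setup
# path so live progress from parallel steps cannot repaint over its prompt.
# Prompts on /dev/tty for the nginx basic-auth username and password (echo off, entered twice),
# then writes the htpasswd file as root:www-data mode 0640. The password is handed to htpasswd on
# stdin (-i) rather than on the command line (-b), so it never appears in `ps` or process
# listings; umask 077 keeps the new file private until the final chown/chmod; the EXIT trap
# restores terminal echo if the step is interrupted mid-prompt. Empty usernames and passwords
# are refused. Skipped when a non-empty htpasswd file exists, so a re-run never replaces credentials.
# The hash is htpasswd's default (apr1/MD5). `-B` (bcrypt) is stronger; nginx resolves it through
# the system crypt(), so verify it works on the target's libcrypt before switching.
[create HTTPS login] as root, timeout 10m reset on output:
first [install packages], [start novnc service]
skip if $ test -s ${nginx_auth_file}
interactive
run:
trap 'stty echo < /dev/tty 2>/dev/null' EXIT
printf '\nCreate HTTPS login credentials\n'
while true; do printf 'Username: '; IFS= read -r VNC_USER < /dev/tty; test -n "$VNC_USER" && break; printf 'Username cannot be empty.\n'; done
while true; do
printf 'Password: '; stty -echo < /dev/tty; IFS= read -r VNC_PASS < /dev/tty; stty echo < /dev/tty; printf '\n'
printf 'Confirm: '; stty -echo < /dev/tty; IFS= read -r CONFIRM < /dev/tty; stty echo < /dev/tty; printf '\n'
if test -z "$VNC_PASS"; then printf 'Password cannot be empty.\n'; continue; fi
test "$VNC_PASS" = "$CONFIRM" && break
printf 'Passwords do not match. Try again.\n'
done
umask 077
printf '%s' "$VNC_PASS" | htpasswd -ci ${nginx_auth_file} "$VNC_USER"
chown root:www-data ${nginx_auth_file}
chmod 640 ${nginx_auth_file}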
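# nginx front door: terminates HTTPS with the self-signed pair, requires the htpasswd login on
# every path, and proxies to websockify on the loopback noVNC port with the WebSocket upgrade
# headers. Two additions over the minimal form: ssl_protocols pins TLS 1.2/1.3 (older nginx
# builds still default to TLSv1/1.1), and proxy_read_timeout is raised because nginx closes a
# proxied connection that carries no data for 60s by default — an idle VNC desktop would be
# cut off before the user returns. Basic auth has no lockout or rate limit; on an exposed
# network add limit_req to this server block.
# NOTE(review): as far as this graph shows, the site is linked into sites-enabled only later
# by [enable nginx site], so the `nginx -t` below exercises the currently enabled config; the
# generated file is first checked by the `nginx -t` in [restart nginx after install].
[write nginx site] as root:
first [create HTTPS certificate], [create HTTPS login]
content > ${nginx_site}:
server {
listen 443 ssl;
server_name _;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate ${nginx_cert_dir}/vnc.crt;
ssl_certificate_key ${nginx_cert_dir}/vnc.key;
auth_basic "Secure VNC";
auth_basic_user_file ${nginx_auth_file};
location = / {
return 301 /vnc.html;
}
location / {
proxy_pass http://127.0.0.1:${novnc_port}/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_read_timeout 3600s;
}
}
validate $ nginx -t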
# Make the generated site the only enabled one: link it into sites-enabled and drop the stock
# default site (its copy, when one existed, is ${backup_dir}/default.bak from [backup existing config],
# which runs earlier in this dependency chain). Skip checks: the link exists, it points at
# ${nginx_site}, and the default site is already gone.
[enable nginx site] as root:
first [write nginx site]
skip if:
test -L ${nginx_site_link}
test "$(readlink ${nginx_site_link})" = "${nginx_site}"
test ! -e /etc/nginx/sites-enabled/default
run:
ln -sf ${nginx_site} ${nginx_site_link}
rm -f /etc/nginx/sites-enabled/default
# Check the complete nginx configuration (now including the linked site) and restart nginx so the
# HTTPS site takes effect; a failing `nginx -t` leaves the running instance untouched.
[restart nginx after install] as root:
first [enable nginx site], [start novnc service]
always run $ nginx -t && systemctl restart nginx
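# Post-install health check, retried 3 times 2s apart: nginx and novnc are active, something
# listens on the VNC port, websockify serves noVNC's page on the loopback port, and the HTTPS
# front door answers 401 (basic auth demanded) for an anonymous request.
# `systemctl is-active --quiet` is used because its exit status is the check; piping the word
# into `grep -q active` would also match "inactive" and pass for a stopped service.
# The final curl uses -k because the certificate is self-signed and checks only the status code.
[verify HTTPS VNC services]:
first [restart nginx after install]
run:
systemctl is-active --quiet nginx
systemctl is-active --quiet novnc
ss -ltn | grep -q ":${vnc_port} "
curl -fsS http://127.0.0.1:${novnc_port}/vnc.html >/dev/null
test "$(curl -ksS -o /dev/null -w '%{http_code}' https://127.0.0.1/)" = 401
retry 3x wait 2s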
# Print the first address from `hostname -I` as an https:// URL and remind the user that the
# self-signed certificate produces a browser warning.
[show access URL]:
first [verify HTTPS VNC services]
always run $ IP=$(hostname -I | awk '{print $1}'); printf '\nAccess your Pi at:\n https://%s/\n\nLogin with the HTTPS credentials you created.\nThe VNC desktop should connect automatically.\n\nSelf-signed certificate warning is expected.\n' "$IP"
# ─── Rollback / Uninstall ──────────────────────────────────────────────────
# Rollback/uninstall phase: runs for any validated action other than install ("rollback" and
# "uninstall" perform the same steps).
phase "rollback" when "action != 'install'":
# Stop websockify; a missing or already-stopped unit is not an error.
[stop novnc] as root, if fails ignore:
first [validate action]
always run $ systemctl stop novnc
# Remove the boot-time enablement; failure (for example no such unit) is ignored.
[disable novnc] as root, if fails ignore:
first [stop novnc]
always run $ systemctl disable novnc
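# Delete only what the install phase created: the unit, the site and its link, the htpasswd file
# and the generated vnc.key/vnc.crt. The certificate directory is removed with rmdir, which
# fails harmlessly when anything else lives in it — a blanket `rm -rf` of ${nginx_cert_dir}
# would also take certificates the user placed there.
[remove HTTPS VNC files] as root:
first [disable novnc]
always run $ rm -f ${novnc_service} ${nginx_site_link} ${nginx_site} ${nginx_auth_file} ${nginx_cert_dir}/vnc.key ${nginx_cert_dir}/vnc.crt; rmdir ${nginx_cert_dir} 2>/dev/null || true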
# Put the stock nginx default site back from the copy taken during install; skipped when no copy
# exists. The copy is a regular file, so a default site that was a symlink comes back as a plain
# file with the same content.
[restore default nginx site] as root:
first [remove HTTPS VNC files]
skip if $ test ! -f ${backup_dir}/default.bak
run $ cp ${backup_dir}/default.bak /etc/nginx/sites-enabled/default
# Let systemd forget the deleted unit file.
[reload systemd] as root:
first [remove HTTPS VNC files]
always run $ systemctl daemon-reload
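# Put wayvnc's authentication back the way [configure wayvnc] found it, from the copy saved in
# ${backup_dir}. Without this the raw VNC listener would stay passwordless after the HTTPS front
# door and its login file are gone. Skipped when no copy exists (wayvnc was never modified);
# failures (no wayvnc on this host) are ignored.
[restore wayvnc config] as root, if fails ignore:
first [disable novnc]
skip if $ test ! -f ${backup_dir}/config.bak
run:
cp ${backup_dir}/config.bak /etc/wayvnc/config
systemctl restart wayvnc || true
# Bring nginx up on whatever configuration remains; failure is tolerated (nginx may be absent or disabled).
[restart nginx after rollback] as root, if fails ignore:
first [restore default nginx site], [reload systemd]
always run $ systemctl restart nginx
# Final report, printed once both the nginx and the wayvnc restore paths have finished.
[rollback complete]:
first [restart nginx after rollback], [restore wayvnc config]
always run $ printf '%s complete.\nHTTPS VNC has been removed.\n' "${action}"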