318 lines
13 KiB
Python
Executable File
318 lines
13 KiB
Python
Executable File
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
import argparse
|
|
import json
|
|
import os
|
|
import subprocess
|
|
|
|
CONF_FILE = '/srv/config.json'
|
|
ISSUE_FILE = '/etc/issue'
|
|
NGINX_DIR = '/etc/nginx/conf.d'
|
|
|
|
NGINX_TEMPLATE = '''server {{
|
|
listen [::]:{port} ssl http2;
|
|
server_name {host}.{domain};
|
|
|
|
access_log /var/log/nginx/{app}.access.log;
|
|
error_log /var/log/nginx/{app}.error.log;
|
|
|
|
location / {{
|
|
proxy_pass http://{ip}:8080;
|
|
}}
|
|
|
|
error_page 502 /errror.html;
|
|
location /error.html {{
|
|
root /srv/portal;
|
|
}}
|
|
}}
|
|
'''
|
|
|
|
NGINX_DEFAULT_TEMPLATE = '''server {{
|
|
listen [::]:80 default_server ipv6only=off;
|
|
|
|
location / {{
|
|
return 301 https://$host:{port}$request_uri;
|
|
}}
|
|
location /.well-known/acme-challenge/ {{
|
|
root /etc/acme.sh.d;
|
|
}}
|
|
}}
|
|
|
|
server {{
|
|
listen [::]:{port} ssl http2 default_server ipv6only=off;
|
|
root /srv/portal;
|
|
index index.html;
|
|
|
|
location / {{
|
|
try_files $uri $uri/ =404;
|
|
}}
|
|
location /config.json {{
|
|
alias /srv/config.json;
|
|
}}
|
|
|
|
error_page 404 /error.html;
|
|
}}
|
|
'''
|
|
|
|
ISSUE_TEMPLATE = '''
|
|
\x1b[1;32m _____ _ _ __ ____ __
|
|
/ ____| | | | | \\\\ \\\\ / / \\\\/ |
|
|
| (___ _ __ ___ | |_| |_ ___ _ _\\\\ \\\\ / /| \\\\ / |
|
|
\\\\___ \\\\| '_ \\\\ / _ \\\\| __| __/ _ \\\\ '__\\\\ \\\\/ / | |\\\\/| |
|
|
____) | |_) | (_) | |_| || __/ | \\\\ / | | | |
|
|
|_____/| .__/ \\\\___/ \\\\__|\\\\__\\\\___|_| \\\\/ |_| |_|
|
|
| |
|
|
|_|\x1b[0m
|
|
|
|
|
|
|
|
|
|
\x1b[1;33mUPOZORNĚNÍ:\x1b[0m Neoprávněný přístup k tomuto zařízení je zakázán.
|
|
Musíte mít výslovné oprávnění k přístupu nebo konfiguraci tohoto zařízení.
|
|
Neoprávněné pokusy a kroky k přístupu nebo používání tohoto systému mohou mít
|
|
za následek občanské nebo trestní sankce.
|
|
|
|
|
|
\x1b[1;33mCAUTION:\x1b[0m Unauthozired access to this device is prohibited.
|
|
You must have explicit, authorized permission to access or configure this
|
|
device. Unauthorized attempts and actions to access or use this system may
|
|
result in civil or criminal penalties.
|
|
|
|
|
|
|
|
|
|
Pro přístup k aplikacím otevřete URL \x1b[1mhttps://{host}\x1b[0m ve Vašem
|
|
internetovém prohlížeči.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\x1b[0;30m
|
|
'''
|
|
|
|
class SpotterManager:
|
|
def __init__(self):
|
|
# Load JSON configuration
|
|
with open(CONF_FILE, 'r') as f:
|
|
self.conf = json.load(f)
|
|
self.domain = self.conf['host']['domain']
|
|
self.port = self.conf['host']['port']
|
|
|
|
def save_conf(self):
|
|
# Save a sorted JSON configuration object with indentation
|
|
with open(CONF_FILE, 'w') as f:
|
|
json.dump(self.conf, f, sort_keys=True, indent=4)
|
|
|
|
def update_login(self, app, login, password):
|
|
# Update login and password for an app in the configuration
|
|
if login is not None:
|
|
self.conf['apps'][app]['login'] = login
|
|
if password is not None:
|
|
self.conf['apps'][app]['password'] = password
|
|
self.save_conf()
|
|
|
|
def show_tiles(self, app):
|
|
# Update tiles-shown for the app in the configuration
|
|
self.conf['apps'][app]['tiles-shown'] = True
|
|
self.save_conf()
|
|
|
|
def hide_tiles(self, app):
|
|
# Update tiles-shown for the app in the configuration
|
|
self.conf['apps'][app]['tiles-shown'] = False
|
|
self.save_conf()
|
|
|
|
def start_app(self, app):
|
|
# Start the actual app service
|
|
subprocess.call(['/sbin/service', app, 'start'])
|
|
|
|
def stop_app(self, app):
|
|
# Stop the actual app service
|
|
subprocess.call(['/sbin/service', app, 'stop'])
|
|
# Stop the app service's dependencies if they are not used by any other running app
|
|
deps = self.build_deps_tree()
|
|
for dep in self.get_app_deps(app):
|
|
if False not in [self.is_app_started(d) for d in deps[dep]]:
|
|
subprocess.call(['/sbin/service', dep, 'stop'])
|
|
|
|
def build_deps_tree(self):
|
|
# Fisrt, build a dictionary of {app: [needs]}
|
|
needs = {}
|
|
for app in self.conf['apps']:
|
|
needs[app] = self.get_app_deps(app)
|
|
# Then reverse it to {need: [apps]}
|
|
deps = {}
|
|
for app, need in needs.iteritems():
|
|
for n in need:
|
|
deps.setdefault(n, []).append(app)
|
|
return deps
|
|
|
|
def get_app_deps(self, app):
|
|
# Get "needs" line from init script and split it to list, skipping first two elements (docker, net)
|
|
try:
|
|
with open(os.path.join('/etc/init.d', app), 'r') as f:
|
|
return [l.split()[2:] for l in f.readlines() if l.startswith('\tneed')][0]
|
|
except:
|
|
return []
|
|
|
|
def is_app_started(self, app):
|
|
# Check OpenRC service status without calling any binary
|
|
return os.path.exists(os.path.join('/run/openrc/started', app))
|
|
|
|
def enable_autostart(self, app):
|
|
# Add the app to OpenRC default runlevel
|
|
subprocess.call(['/sbin/rc-update', 'add', app])
|
|
|
|
def disable_autostart(self, app):
|
|
# Remove the app from OpenRC default runlevel
|
|
subprocess.call(['/sbin/rc-update', 'del', app])
|
|
|
|
def register_proxy(self, app):
|
|
# Rebuild nginx configuration using an actual IP of referenced app container
|
|
with open(os.path.join(NGINX_DIR, '{}.conf'.format(app)), 'w') as f:
|
|
f.write(NGINX_TEMPLATE.format(app=app, host=self.conf['apps'][app]['host'], ip=self.get_container_ip(app), domain=self.domain, port=self.port))
|
|
subprocess.call(['/sbin/service', 'nginx', 'reload'])
|
|
|
|
def unregister_proxy(self, app):
|
|
# Remove nginx configuration to prevent proxy mismatch when the container IP is reassigned to another container
|
|
nginx_conf = os.path.join(NGINX_DIR, '{}.conf'.format(app))
|
|
if os.path.exists(nginx_conf):
|
|
os.unlink(nginx_conf)
|
|
subprocess.call(['/sbin/service', 'nginx', 'reload'])
|
|
|
|
def get_container_ip(self, app):
|
|
# Return an IP address of a container. If the container is not running, return localhost address instead
|
|
try:
|
|
return subprocess.check_output(['/usr/bin/docker', 'inspect', '-f', '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}', app]).strip()
|
|
except:
|
|
return '127.0.0.1'
|
|
|
|
def update_domain(self, domain, port):
|
|
self.domain = self.conf['host']['domain'] = domain
|
|
self.port = self.conf['host']['port'] = port
|
|
self.save_conf()
|
|
self.rebuild_nginx()
|
|
self.rebuild_issue()
|
|
self.restart_apps()
|
|
|
|
def rebuild_nginx(self):
|
|
# Remove all nginx config files to prevent errors during reloads invoked by app restarts
|
|
for f in os.listdir(NGINX_DIR):
|
|
os.unlink(os.path.join(NGINX_DIR, f))
|
|
# Rebuild nginx config for the portal app and restart nginx to properly bind the new listen port
|
|
with open(os.path.join(NGINX_DIR, 'default.conf'), 'w') as f:
|
|
f.write(NGINX_DEFAULT_TEMPLATE.format(port=self.port))
|
|
subprocess.call(['/sbin/service', 'nginx', 'restart'])
|
|
|
|
def rebuild_issue(self):
|
|
# Compile the HTTPS host displayed in terminal banner
|
|
host = self.domain
|
|
# If the dummy host is used, take an IP address of a primary interface instead
|
|
if self.domain == 'spotter.vm':
|
|
host = subprocess.check_output(['ip', 'route', 'get', '1']).split()[-1]
|
|
# Show port number only when using the non-default HTTPS port
|
|
if self.port != '443':
|
|
host = ':{}'.format(self.port)
|
|
# Rebuild the terminal banner
|
|
with open(ISSUE_FILE, 'w') as f:
|
|
f.write(ISSUE_TEMPLATE.format(host=host))
|
|
|
|
def restart_apps(self):
|
|
for app in self.conf['apps']:
|
|
# Check if a script for internal update of URL in the app exists and is executable and run it
|
|
script_path = os.path.join('/srv', app, 'update-url.sh')
|
|
if os.path.exists(script_path) and os.access(script_path, os.X_OK):
|
|
subprocess.call([script_path, '{}.{}'.format(self.conf['apps'][app]['host'], self.domain), self.port])
|
|
# If the app is currently running, restart the app service
|
|
if self.is_app_started(app):
|
|
subprocess.call(['/sbin/service', app, 'restart'])
|
|
|
|
def request_cert(self, email):
|
|
# Compile an acme.sh command for certificate requisition
|
|
cmd = ['/usr/bin/acme.sh', '--issue', '-d', self.domain]
|
|
for app in self.conf['apps']:
|
|
cmd += ['-d', '{}.{}'.format(self.conf['apps'][app]['host'], self.domain)]
|
|
cmd += ['-w', '/etc/acme.sh.d', '--accountemail', email]
|
|
# Request the certificate. If the requisition command fails, CalledProcessError will be raised
|
|
subprocess.check_output(cmd, stderr=subprocess.STDOUT)
|
|
# Install the issued certificate
|
|
subprocess.call(['/usr/bin/acme.sh', '--installcert', '-d', self.domain, '--keypath', '/etc/ssl/private/services.key', '--fullchainpath', '/etc/ssl/certs/services.pem', '--reloadcmd', 'service nginx reload'])
|
|
|
|
if __name__ == '__main__':
|
|
parser = argparse.ArgumentParser(description='Spotter VM application manager')
|
|
subparsers = parser.add_subparsers()
|
|
|
|
parser_update_login = subparsers.add_parser('update-login', help='Updates application login')
|
|
parser_update_login.set_defaults(action='update-login')
|
|
parser_update_login.add_argument('app', help='Application name')
|
|
parser_update_login.add_argument('login', help='Administrative login')
|
|
parser_update_login.add_argument('password', help='Administrative password')
|
|
|
|
parser_show_tiles = subparsers.add_parser('show-tiles', help='Shows application tiles in Portal')
|
|
parser_show_tiles.set_defaults(action='show-tiles')
|
|
parser_show_tiles.add_argument('app', help='Application name')
|
|
|
|
parser_hide_tiles = subparsers.add_parser('hide-tiles', help='Hides application tiles in Portal')
|
|
parser_hide_tiles.set_defaults(action='hide-tiles')
|
|
parser_hide_tiles.add_argument('app', help='Application name')
|
|
|
|
parser_start_app = subparsers.add_parser('start-app', help='Start application including it\'s dependencies')
|
|
parser_start_app.set_defaults(action='start-app')
|
|
parser_start_app.add_argument('app', help='Application name')
|
|
|
|
parser_stop_app = subparsers.add_parser('stop-app', help='Stops application including it\'s dependencies if they are not used by another running application')
|
|
parser_stop_app.set_defaults(action='stop-app')
|
|
parser_stop_app.add_argument('app', help='Application name')
|
|
|
|
parser_enable_autostart = subparsers.add_parser('enable-autostart', help='Enables application autostart')
|
|
parser_enable_autostart.set_defaults(action='enable-autostart')
|
|
parser_enable_autostart.add_argument('app', help='Application name')
|
|
|
|
parser_disable_autostart = subparsers.add_parser('disable-autostart', help='Disables application autostart')
|
|
parser_disable_autostart.set_defaults(action='disable-autostart')
|
|
parser_disable_autostart.add_argument('app', help='Application name')
|
|
|
|
parser_register_proxy = subparsers.add_parser('register-proxy', help='Rebuilds nginx proxy target for an application container')
|
|
parser_register_proxy.set_defaults(action='register-proxy')
|
|
parser_register_proxy.add_argument('app', help='Application name')
|
|
|
|
parser_unregister_proxy = subparsers.add_parser('unregister-proxy', help='Removes nginx proxy target for an application container')
|
|
parser_unregister_proxy.set_defaults(action='unregister-proxy')
|
|
parser_unregister_proxy.add_argument('app', help='Application name')
|
|
|
|
parser_update_domain = subparsers.add_parser('update-domain', help='Rebuilds domain structure of VM with new domain name and new HTTPS port')
|
|
parser_update_domain.set_defaults(action='update-domain')
|
|
parser_update_domain.add_argument('domain', help='Domain name')
|
|
parser_update_domain.add_argument('port', help='HTTPS port')
|
|
|
|
parser_request_cert = subparsers.add_parser('request-cert', help='Requests and installs Let\'s Encrypt certificate for currently set domain')
|
|
parser_request_cert.set_defaults(action='request-cert')
|
|
parser_request_cert.add_argument('email', help='Email address to receive certificate notifications')
|
|
|
|
args = parser.parse_args()
|
|
sm = SpotterManager()
|
|
if args.action == 'update-login':
|
|
sm.update_login(args.app, args.login, args.password)
|
|
elif args.action == 'show-tiles':
|
|
sm.show_tiles(args.app)
|
|
elif args.action == 'hide-tiles':
|
|
sm.hide_tiles(args.app)
|
|
elif args.action == 'start-app':
|
|
sm.start_app(args.app)
|
|
elif args.action == 'stop-app':
|
|
sm.stop_app(args.app)
|
|
elif args.action == 'enable-autostart':
|
|
sm.enable_autostart(args.app)
|
|
elif args.action == 'disable-autostart':
|
|
sm.disable_autostart(args.app)
|
|
elif args.action == 'register-proxy':
|
|
sm.register_proxy(args.app)
|
|
elif args.action == 'unregister-proxy':
|
|
sm.unregister_proxy(args.app)
|
|
elif args.action == 'update-domain':
|
|
sm.update_domain(args.domain, args.port)
|
|
elif args.action == 'request-cert':
|
|
sm.request_cert(args.email)
|