Initial commit

.env.sample

+# Available files
+#   docker-compose.yml      Should always be the first, defines the mandatory services
+#   dev.yml                 Makes the front port 80 accessible throught localhost:${PORT}
+#   prod.yml                Adds traefik labels and networks (external), port 80 accessible via traefik only
+# Example for production
+# The order matters, always start with docker-compose and add services with :myfile.yml
+# COMPOSE_FILE=docker-compose.yml:prod.yml:monetdb.yml
+# Default dev config :
+COMPOSE_FILE=docker-compose.yml:dev.yml
+DOMAIN=localdomain
+VNCUSER=vnc
+PASSWORD=test
+HTTP_PORT=6082
+FILES_PORT=6083
+CPU_SET=0-4
+REPO=https://gitlab.com/adrgt/TSM_VNC

.gitignore

+.env
+run
+.*.sw?

README.MD

+This is a solution allowing collaborators to run resource intensive processes  on a remote server rather than their own personal computers.
+The server runs VNC environments packaged as Docker containers. Collaborators can connect to their own VNC container through their favorite Web browser and interact with the server through a friendly desktop, “as if” they were on their local computer.
+The VNC containers embed all useful peaces of software, like extraction scripts, MySQL Workbench, etc.
+
+## For more information on the development and maintenance, please refer to the [Wiki](https://gitlab.tetras-libre.fr/nocloud/docker/vnc/-/wikis/home).
+## For end user documentation, please refer to this other repo :
+[https://gitlab.tetras-libre.fr/nocloud/docker/vnc](https://gitlab.tetras-libre.fr/nocloud/docker/vnc)

dev.yml

+version: '3'
+
+services:
+  vnc:
+    ports:
+      - "${HTTP_PORT}:80"
+  files:
+    ports:
+      - "${FILES_PORT}:80"

docker-compose.yml

+version: '3'
+
+services:
+    vnc:
+        hostname: vnc
+        build: docker/vnc
+        image: tlvnc
+        restart: unless-stopped
+        environment:
+            USER: ${VNCUSER}
+            SSL_PORT: 443
+            PASSWORD: ${PASSWORD}
+        expose:
+            - 443
+            - 80
+        volumes:
+            - vnc_shared:/home/shared
+            - etc:/etc
+            - home:/home
+        shm_size: '2gb'
+        cap_add:
+            - SYS_ADMIN
+    files:
+        hostname: files
+        build: docker/files
+        image: filebrowser
+        restart: unless-stopped
+        volumes:
+            - home:/srv/
+            - vnc_shared:/srv/shared/
+
+volumes:
+    etc:
+    home:
+    vnc_shared:
+        external: true

docker/files/Dockerfile

+FROM filebrowser/filebrowser:v2.17.2 as filebrowser
+
+
+COPY docker.json /.filebrowser.json
+
+COPY chown.sh /
+RUN chmod +x /chown.sh
+RUN /filebrowser config init
+RUN /filebrowser config set --auth.method=noauth
+RUN /filebrowser cmds add "after_upload" /chown.sh
+RUN /filebrowser cmds add "after_copy" /chown.sh
+RUN /filebrowser cmds add "after_create" /chown.sh
+RUN /filebrowser users add admin admin
+
+ENTRYPOINT ["/filebrowser", "--config=/.filebrowser.json"]

docker/files/chown.sh

+#!/bin/sh
+
+chown -R 1000:1000 $FILE

docker/files/docker.json

+{
+  "port": 80,
+  "baseURL": "/files",
+  "address": "",
+  "log": "stdout",
+  "database": "/database.db",
+  "root": "/srv"
+}

docker/vnc/Dockerfile

+From dorowu/ubuntu-desktop-lxde-vnc:bionic
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && apt-get install -y \
+    autoconf \
+    aspell-es \
+    aspell-it \
+    chromium-browser \
+    cron \
+    emacs \
+    evince \
+    git \
+    git-cola \
+    gnome-system-tools \
+    imagemagick \
+    libaspell-dev \
+    libreoffice \
+    mysql-workbench \
+    nginx-full \
+    pandoc \
+    poppler-utils \
+    python-pip \
+    python-virtualenv \
+    python3-pip \
+    python3-virtualenv \
+    rename \
+    vim-nox
+
+RUN apt-get purge -y x11vnc
+
+RUN update-alternatives --auto convert
+RUN update-alternatives --auto identify
+
+RUN ln -s /usr/bin/lxterminal /usr/bin/xterm
+
+# Remove lxde-logout
+COPY panel /etc/xdg/lxpanel/LXDE/panels/panel
+RUN rm /usr/share/applications/lxde-logout.desktop
+
+# Add nginx pam auth
+COPY pam_nginx /etc/pam.d/nginx
+
+# Logo
+COPY logo.png /usr/local/share
+
+## Install latest x11vnc
+RUN mkdir -p /opt
+WORKDIR /opt
+RUN git clone git://github.com/LibVNC/x11vnc
+### Download source deps
+RUN sed -i.bak -e 's/^# \(deb-src .*\)$/\1/' /etc/apt/sources.list
+RUN apt-get update
+RUN apt-get build-dep -y x11vnc
+WORKDIR /opt/x11vnc
+RUN git checkout 0.9.15
+RUN autoreconf -fiv
+RUN ./autogen.sh && ./configure && make && make install
+RUN ln -s /usr/local/bin/x11vnc /usr/bin/x11vnc
+
+# Add xlaunch script
+COPY xlaunch.sh /opt/
+RUN chmod +x /opt/xlaunch.sh
+
+WORKDIR /
+
+RUN mkdir -p /root/.config/openbox
+COPY rc.xml /root/.config/openbox/
+
+RUN date > /build_date
+
+COPY start.sh /tlstart.sh
+RUN chmod +x /tlstart.sh
+
+ENTRYPOINT ["/tlstart.sh"]

docker/vnc/pam_nginx

+@include common-auth

docker/vnc/panel

+# lxpanel <profile> config file. Manually editing is not recommended.
+# Use preference dialog in lxpanel to adjust config when you can.
+
+Global {
+    edge=bottom
+    align=left
+    margin=0
+    widthtype=percent
+    width=100
+    height=26
+    transparent=0
+    tintcolor=#000000
+    alpha=0
+    setdocktype=1
+    setpartialstrut=1
+    autohide=0
+    heightwhenhidden=0
+    usefontcolor=1
+    fontcolor=#ffffff
+    background=1
+    backgroundfile=/usr/share/lxpanel/images/background.png
+}
+
+Plugin {
+    type = space
+    Config {
+        Size=2
+    }
+}
+
+Plugin {
+    type = menu
+    Config {
+        image=/usr/share/lxde/images/lxde-icon.png
+        name=Applications
+        system {
+        }
+        separator {
+        }
+    }
+}
+
+Plugin {
+    type = launchbar
+    Config {
+        Button {
+            id=pcmanfm.desktop
+        }
+        Button {
+            id=lxde-x-www-browser.desktop
+        }
+    }
+}
+
+Plugin {
+    type = space
+    Config {
+        Size=4
+    }
+}
+
+Plugin {
+    type = taskbar
+    expand=1
+    Config {
+        tooltips=1
+        IconsOnly=0
+        AcceptSkipPager=1
+        ShowIconified=1
+        ShowMapped=1
+        ShowAllDesks=0
+        UseMouseWheel=1
+        UseUrgencyHint=1
+        FlatButton=0
+        MaxTaskWidth=150
+        spacing=1
+    }
+}
+
+
+
+Plugin {
+    type = volume
+    Config {
+        VolumeMuteKey = XF86AudioMute
+        VolumeDownKey = XF86AudioLowerVolume
+        VolumeUpKey = XF86AudioRaiseVolume
+    }
+}
+
+Plugin {
+    type = tray
+}
+
+Plugin {
+    type = dclock
+    Config {
+        ClockFmt=%R
+        TooltipFmt=%A %x
+        BoldFont=0
+    }
+}

docker/vnc/sendpass.sh

+#!/bin/bash
+
+if [ -z "$2" ]
+then
+    echo "Usage $0 fqdn userlistfile"
+    exit 1
+fi
+
+OFS=$IFS
+export IFS=","
+tail -n +2 $2 | while read name mail username password port
+do
+    cat << EOF | neomutt -s  "Welcome to the new remote desktop platform"  $mail
+Hello $name,
+
+You have been granted access to the new remote desktop platform.
+You can acces your personal desktop by openning this url in your browser :
+https://$username.$1.fr
+
+Your username is: $username
+Your initial password is: $password
+
+For security concerns please change your password as soon as you connect by
+clicking on the "change password" icon on your desktop.
+
+Best regards,
+EOF
+done
+export IFS=$OFS

docker/vnc/start.sh

+#!/bin/bash
+
+# Copyright (C) 2018  Tetras Libre <Contact@Tetras-Libre.fr>
+# Author: Beniamine, David <David.Beniamine@Tetras-Libre.fr>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+exec &> >(tee -a "/var/log/startup.log")
+
+if [ ! -f /start.sh ]
+then
+    #Do all startup but final exec
+    execcmd=$(grep exec /startup.sh)
+    sed -i -e '/^exec/d' /startup.sh
+    if [ ! -z "`grep \"$USER\" /etc/shadow`" ]
+    then
+        echo "$USER found in shadow not changing pasword"
+        # Do not reset the password
+         sed -i -e '/chpasswd/d' /startup.sh
+    fi
+    echo -e "#!/bin/bash\n$execcmd" > /start.sh
+    chmod +x /start.sh
+    . /startup.sh
+fi
+
+# remove sudo from user
+if [ ! -z "`groups $USER | grep sudo`" ]
+then
+    gpasswd -d $USER sudo
+fi
+
+# nginx pam auth
+ln -sf /usr/share/nginx/modules-available/mod-http-auth-pam.conf \
+    /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf
+sed -i -e 's|#_HTTP_PASSWORD_#||' \
+    -e 's|auth_basic |auth_pam |' \
+    -e 's|auth_basic_user.*|auth_pam_service_name "nginx";|' \
+    -e 's|#_SSL_PORT_#||' \
+    /etc/nginx/sites-enabled/default
+
+# Add /files/ proxy
+if [ -z "`grep 'location /files' /etc/nginx/sites-enabled/default`" ]
+then
+    sed -i \
+        -e 's@^}$@\tlocation /files/ {\n\t\tproxy_pass http://files/files/;\n\t}\n}@' \
+        /etc/nginx/sites-enabled/default
+fi
+
+sed -i -e 's@location ~ /api/@location ~ ^/api/@g' /etc/nginx/sites-enabled/default
+
+if [ -z "`grep client_max_body_size /etc/nginx/nginx.conf`" ]
+then
+    sed -i \
+        -e 's@^\(\s*\)\(sendfile.*\)$@\1client_max_body_size 512m;\n\1\2@' \
+        /etc/nginx/nginx.conf
+fi
+
+usermod -a -G shadow www-data
+
+# starting  dbus
+service dbus start
+
+# Openssl
+if [ ! -e /etc/nginx/ssl/nginx.key ]
+then
+    mkdir -p /etc/nginx/ssl
+    echo -e "FR\n\n\n\n\n\n\n" | openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+        -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
+fi
+
+# Add changepassword icon
+mkdir -p /home/$USER/Desktop
+cat <<EOF > /home/$USER/Desktop/users.desktop
+[Desktop Entry]
+Type=Link
+Name=Change password
+Icon=config-users
+URL=/usr/share/applications/users.desktop
+terminal=true
+EOF
+
+cat <<EOF > /home/$USER/Desktop/help.desktop
+[Desktop Entry]
+Type=Application
+Name=Repport issue
+Icon=help-browser-symbolic
+Exec=/usr/bin/firefox $REPO/issues/new?issue[description]='Hello,%%0A%%0A**EXPLAIN YOUR ISSUE HERE**%%0A%%0A%%23 Technical informations %%0A%%0A %%60%%60%%60user:$USER%%60%%60%%60'
+EOF
+
+cat <<EOF > /home/$USER/.config/mimeapps.list
+[Added Associations]
+application/pdf=evince.desktop;
+
+[Default Applications]
+application/pdf=evince.desktop
+EOF
+
+# Add Trash bookmark
+mkdir -p /home/$USER/.local/share/Trash/files
+mkdir -p /home/$USER/.local/share/Trash/info
+if [ -z "$(grep Trash /home/$USER/.gtk-bookmarks)" ]
+then
+    echo "file:///home/$USER/.local/share/Trash/files Trash" >> /home/$USER/.gtk-bookmarks
+fi
+
+# Add Empty trash action
+mkdir -p /home/$USER/.local/share/file-manager/actions
+cat << EOF > /home/$USER/.local/share/file-manager/actions/empty_trash.desktop
+[Desktop Entry]
+Type=Action
+Name=Empty Trash
+Icon=user-trash-full
+Profiles=empty_trash;
+
+[X-Action-Profile empty_trash]
+Exec=/bin/bash -c "rm -rf /home/$USER/.local/share/Trash/files/* /home/$USER/.local/share/Trash/info/*"
+MimeTypes=inode/directory;
+EOF
+cat << EOF > /home/$USER/Desktop/Trash.desktop
+[Desktop Entry]
+Type=Application
+Name=Trash
+Icon=user-trash
+Exec=/usr/bin/pcmanfm /home/$USER/.local/share/Trash/files/
+EOF
+
+
+# Give user right on shared directory
+chown -R 1000:1000 /home/shared
+# Add rights
+ln -sf /home/shared /home/$USER/Desktop/
+rm /home/$USER/Desktop/home
+ln -sf /home/$USER /home/$USER/Desktop/home
+
+# logo
+
+sed -i -e 's/^\(wallpaper_mode=\).*/\1center/' \
+    -e 's/^\(wallpaper0=\).*/\1\/usr\/local\/share\/logo.png/' \
+    -e 's/^\(desktop_bg=\).*/\1#cecece/' \
+    /home/$USER/.config/pcmanfm/LXDE/desktop-items-0.conf
+
+# Set LC + aliases to run stuff in virtualenv
+if [ -z "`grep LC_ALL /home/$USER/.bashrc`" ]
+then
+cat<<EOF >> /home/$USER/.bashrc
+export PATH=$PATH:/home/$USER/.local/bin
+export LC_ALL=C.UTF-8
+export LC_LANG=C.UTF-8
+EOF
+fi
+
+chown -R 1000:1000 /home/$USER
+
+if [ ! -e "/etc/ImageMagick-6/delegates.xml" ]
+then
+cat <<EOF > /etc/ImageMagick-6/delegates.xml
+<delegatemap>
+</delegatemap>
+EOF
+fi
+
+if [ ! -e "/etc/ImageMagick-6/colors.xml" ]
+then
+cat <<EOF > /etc/ImageMagick-6/colors.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE colormap [
+<!ELEMENT colormap (color)+>
+<!ELEMENT color (#PCDATA)>
+<!ATTLIST color name CDATA "0">
+<!ATTLIST color color CDATA "rgb(0,0,0)">
+<!ATTLIST color compliance CDATA "SVG">
+]>
+<!--
+  Associate a color name with its red, green, blue, and alpha intensities.
+
+  A number of methods and options require a color parameter. It is often
+  convenient to refer to a color by name (e.g. white) rather than by hex
+  value (e.g. #fff). This file maps a color name to its equivalent red,
+  green, blue, and alpha intensities (e.g. for white, red = 255, green =
+  255, blue = 255, and alpha = 0).
+-->
+<colormap>
+  <!-- <color name="none" color="rgba(0,0,0,0)" compliance="SVG, XPM"/> -->
+  <!-- <color name="black" color="rgb(0,0,0)" compliance="SVG, X11, XPM"/> -->
+  <!-- <color name="red" color="rgb(255,0,0)" compliance="SVG, X11, XPM"/> -->
+  <!-- <color name="magenta" color="rgb(255,0,255)" compliance="SVG, X11, XPM"/> -->
+  <!-- <color name="green" color="rgb(0,128,0)" compliance="SVG"/> -->
+  <!-- <color name="cyan" color="rgb(0,255,255)" compliance="SVG, X11, XPM"/> -->
+  <!-- <color name="blue" color="rgb(0,0,255)" compliance="SVG, X11, XPM"/> -->
+  <!-- <color name="yellow" color="rgb(255,255,0)" compliance="SVG, X11, XPM"/> -->
+  <!-- <color name="white" color="rgb(255,255,255)" compliance="SVG, X11"/> -->
+</colormap>
+EOF
+fi
+
+# Autorestart supervisor services
+if [ `grep -c autorestart /etc/supervisor/conf.d/supervisord.conf` -lt 2 ]
+then
+    sed -i -e 's/^\(command=.*\)$/\1\nautorestart=true/' /etc/supervisor/conf.d/supervisord.conf
+fi
+
+# Logs supervisor services in supervisor stdout to let docker handle them
+if [ `grep -c stdout_logfile /etc/supervisor/conf.d/supervisord.conf` -lt 2 ]
+then
+    sed -i -e 's@^\(command=.*\)$@\1\nstdout_logfile=/dev/fd/1\nstderr_logfile=/dev/fd/1@' /etc/supervisor/conf.d/supervisord.conf
+fi
+
+# Automatically reconnect on connection drop
+sed -i -e 's/\(autoconnect=1\)/\1\&reconnect=1/' /usr/local/lib/web/frontend/static/js/app.1f2067be7db4becef715.js
+
+# run final exec
+exec /start.sh

docker/vnc/xlaunch.sh

+#!/bin/bash
+export DISPLAY=:1.0
+$@

generate_instances.sh

+#!/bin/bash
+
+# Copyright (C) 2018  Tetras Libre <Contact@Tetras-Libre.fr>
+# Author: Beniamine, David <David.Beniamine@Tetras-Libre.fr>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+if [ -z "$1" ]
+then
+    echo "Usage $0 domain"
+    exit 1
+fi
+
+PRODDIR="../prod"
+DOMAIN=$1
+rm cnames
+cd `dirname $0`
+OFS=$IFS
+IFS=,
+echo "name,email,username,password" > new_users.csv
+while read name mail
+do
+    # Username = 1st letter of each name + lastname
+    username=`echo $name | sed -e 's/\([a-zA-Z]\)[^ ]* /\1/g' \
+        -e 's/^\(.*\)$/\L\1/'`
+
+    # Generate random password
+    IFS=$OFS
+    password=`head /dev/urandom | tr -cd '[:alnum:]' | fold -w32 | head -n 1`
+    IFS=,
+    DST=$PRODDIR/$username
+
+    # Prepare prod dir
+    mkdir -p $DST
+    cp docker-compose.yml $DST/
+    sed -e "s/^\(DOMAIN=\).*$/\1$DOMAIN/" \
+        -e "s/^\(VNCUSER=\).*$/\1$username/" \
+        -e "s/^\(PASSWORD=\).*$/\1$password/" \
+        .env.sample > $DST/.env
+    echo "$name,$mail,$username,$password" >> new_users.csv
+    echo "$username.$DOMAIN CNAME $DOMAIN" >> cnames
+
+    # Launch instance
+    cd $DST
+    docker-compose up -d
+    cd -
+
+done < users.csv
+IFS=$OFS
+

prod.yml

+version: '3'
+
+services:
+  vnc:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.http.routers.${VNCUSER}.rule=Host(`${VNCUSER}.${DOMAIN}.`)"
+      - "traefik.http.routers.${VNCUSER}.tls.certresolver=myresolver"
+      - "traefik.http.routers.${VNCUSER}.entrypoints=web,websecure"
+      - "traefik.http.routers.${VNCUSER}.middlewares=hardening@docker"
+      - "traefik.http.services.${VNCUSER}.loadbalancer.server.port=80"
+  files:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+
+networks:
+    default:
+    traefik:
+        external: true