126 lines
4.2 KiB
Bash
Executable File
126 lines
4.2 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
set -eu
|
|
|
|
# Remove leftover files
|
|
find /tmp/ /run/ -mindepth 1 -delete ||:
|
|
|
|
# Add GPU devices groups to additional groups
|
|
for dev in /dev/dri/*; do
|
|
[ -c "${dev:?}" ] || continue
|
|
gid=$(stat -c '%g' "${dev:?}")
|
|
uug=${UNPRIVILEGED_USER_GROUPS?}
|
|
UNPRIVILEGED_USER_GROUPS="${uug:+${uug:?},}${gid:?}"
|
|
done
|
|
|
|
# Create additional groups
|
|
_IFS=${IFS}; IFS=,
|
|
for gid in ${UNPRIVILEGED_USER_GROUPS?}; do
|
|
if ! getent group "${gid:?}" >/dev/null 2>&1; then
|
|
groupadd --gid "${gid:?}" "g_${gid:?}"
|
|
fi
|
|
done
|
|
IFS=$_IFS
|
|
|
|
# Create unprivileged user and group
|
|
if ! getent group "${UNPRIVILEGED_USER_GID:?}" >/dev/null 2>&1; then
|
|
groupadd --gid "${UNPRIVILEGED_USER_GID:?}" "${UNPRIVILEGED_USER_NAME:?}"
|
|
fi
|
|
if ! getent passwd "${UNPRIVILEGED_USER_UID:?}" >/dev/null 2>&1; then
|
|
useradd \
|
|
--uid "${UNPRIVILEGED_USER_UID:?}" \
|
|
--gid "${UNPRIVILEGED_USER_GID:?}" \
|
|
--groups "${UNPRIVILEGED_USER_GROUPS?}" \
|
|
--shell "${UNPRIVILEGED_USER_SHELL:?}" \
|
|
--home-dir "${UNPRIVILEGED_USER_HOME:?}" \
|
|
--create-home \
|
|
"${UNPRIVILEGED_USER_NAME:?}"
|
|
fi
|
|
|
|
# Set unprivileged user password
|
|
if [ -n "${UNPRIVILEGED_USER_PASSWORD?}" ]; then
|
|
printf '%s' "${UNPRIVILEGED_USER_NAME:?}:${UNPRIVILEGED_USER_PASSWORD:?}" | chpasswd
|
|
else
|
|
passwd -d "${UNPRIVILEGED_USER_NAME:?}"
|
|
fi
|
|
|
|
if [ -w "${UNPRIVILEGED_USER_HOME:?}" ]; then
|
|
# Copy /etc/skel/ to unprivileged user home if certain files do not exist
|
|
if [ ! -e "${UNPRIVILEGED_USER_HOME:?}"/.profile ]; then
|
|
cp -aT /etc/skel/ "${UNPRIVILEGED_USER_HOME:?}" ||:
|
|
find /etc/skel/ -mindepth 1 -exec sh -c 'chown "$1:" "$2/${3#/etc/skel/}"' _ "${UNPRIVILEGED_USER_NAME:?}" "${UNPRIVILEGED_USER_HOME:?}" '{}' ';'
|
|
fi
|
|
|
|
# Set unprivileged user home permissions
|
|
if [ "$(stat -c '%u' "${UNPRIVILEGED_USER_HOME:?}")" != "${UNPRIVILEGED_USER_UID:?}" ]; then
|
|
chown "${UNPRIVILEGED_USER_NAME:?}:" "${UNPRIVILEGED_USER_HOME:?}"
|
|
fi
|
|
if [ "$(stat -c '%a' "${UNPRIVILEGED_USER_HOME:?}")" != '750' ]; then
|
|
chmod 750 "${UNPRIVILEGED_USER_HOME:?}"
|
|
fi
|
|
fi
|
|
|
|
# Create /run/user/${UNPRIVILEGED_USER_UID}/ directory if it does not exist
|
|
if [ ! -d /run/user/"${UNPRIVILEGED_USER_UID:?}"/ ]; then
|
|
mkdir -p /run/user/"${UNPRIVILEGED_USER_UID:?}"/
|
|
chmod 700 /run/user/"${UNPRIVILEGED_USER_UID:?}"/
|
|
chown "${UNPRIVILEGED_USER_NAME:?}:" /run/user/"${UNPRIVILEGED_USER_UID:?}"/
|
|
fi
|
|
|
|
# Disable glx module if /dev/dri/ does not exist
|
|
if [ ! -d /dev/dri/ ]; then
|
|
printf '%s\n' '"/dev/dri/" does not exist, glx module will be disabled' 1>&2
|
|
sed -i 's|Load \("glx"\)|Disable \1|g' /opt/xrdp/etc/X11/xrdp/xorg.conf
|
|
fi
|
|
|
|
# Enable xrdp bootstrap service
|
|
if [ "${SERVICE_XRDP_BOOTSTRAP_ENABLED:?}" = 'true' ] && [ ! -L "${SVDIR:?}"/xrdp-bootstrap ]; then
|
|
ln -s /etc/sv/xrdp-bootstrap "${SVDIR:?}"
|
|
fi
|
|
|
|
# Enable headless X server service
|
|
if [ "${SERVICE_XORG_HEADLESS_ENABLED:?}" = 'true' ] && [ ! -L "${SVDIR:?}"/xorg-headless ]; then
|
|
ln -s /etc/sv/xorg-headless "${SVDIR:?}"
|
|
fi
|
|
|
|
# Generate SSH keys if they do not exist
|
|
if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
|
|
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' >/dev/null
|
|
fi
|
|
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
|
|
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' >/dev/null
|
|
fi
|
|
|
|
# Generate xrdp RSA keys if they do not exist
|
|
if [ ! -f "${XRDP_RSAKEYS_PATH:?}" ]; then
|
|
mkdir -p "$(dirname "${XRDP_RSAKEYS_PATH:?}")"
|
|
(umask 077 \
|
|
&& xrdp-keygen xrdp "${XRDP_RSAKEYS_PATH:?}" \
|
|
) >/dev/null
|
|
fi
|
|
|
|
# Generate RDP certificate if it does not exist
|
|
if [ ! -f "${XRDP_TLS_KEY_PATH:?}" ] || [ ! -f "${XRDP_TLS_CRT_PATH:?}" ]; then
|
|
FQDN=$(hostname --fqdn)
|
|
|
|
mkdir -p "$(dirname "${XRDP_TLS_KEY_PATH:?}")"
|
|
(umask 077 \
|
|
&& openssl ecparam -genkey -name prime256v1 > "${XRDP_TLS_KEY_PATH:?}" \
|
|
) >/dev/null
|
|
|
|
mkdir -p "$(dirname "${XRDP_TLS_CRT_PATH:?}")"
|
|
(umask 022 \
|
|
&& openssl req -x509 -sha256 -days 3650 -subj "/CN=${FQDN:?}" -addext "subjectAltName=DNS:${FQDN:?}" -key "${XRDP_TLS_KEY_PATH:?}" > "${XRDP_TLS_CRT_PATH:?}" \
|
|
) >/dev/null
|
|
fi
|
|
|
|
# Print RDP certificate fingerprint
|
|
openssl x509 -in "${XRDP_TLS_CRT_PATH:?}" -noout -fingerprint -sha1
|
|
openssl x509 -in "${XRDP_TLS_CRT_PATH:?}" -noout -fingerprint -sha256
|
|
|
|
# Dump environment variables
|
|
env | grep -Ev '^(PWD|OLDPWD|HOME|USER|SHELL|TERM|([^=]*(PASSWORD|SECRET)[^=]*))=' | sort > /etc/environment
|
|
|
|
# Start runit
|
|
exec runsvdir -P "${SVDIR:?}"
|