├── .gitignore
├── LICENSE
├── README.md
├── config
│   ├── guacamole
│   │   ├── 0.enable-tomcat-ssl.patch
│   │   └── 1.add-guacadmin-email.patch
│   ├── haproxy
│   │   └── haproxy.cfg
│   └── keycloak
│       ├── guacamole-client.json
│       └── init-keycloak.sh
├── docker-compose.yml
├── docs
│   ├── creating-images.txt
│   ├── images
│   │   ├── 0-guacamole-settings.png
│   │   ├── 1-add-users.png
│   │   ├── 1-new-connection.png
│   │   ├── 2-new-connection-ssh-a.png
│   │   ├── 2-userprofile-a.png
│   │   ├── 3-new-connection-ssh-b.png
│   │   ├── 3-userprofile-b.png
│   │   ├── 4-add-users-keycloak.png
│   │   ├── 5-userprofilea-keycloak.png
│   │   ├── 6-set-password-keycloak.png
│   │   └── data_image.png
│   ├── updating-patches.txt
│   └── using-github.txt
├── setup.sh
└── teardown.sh

/.gitignore:
--------------------------------------------------------------------------------
data
init
init.bak
openid
myfile.txt
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 2-Clause License

Copyright (c) 2020, cynthia-rempel
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# guacamole-compose
Docker compose project with keycloak and guacamole

## To get started with no configurations, run

```
./setup.sh

docker-compose up
```

Name resolution must work, so add the following entry to `/etc/hosts`:

```
127.0.1.1 guacamole.rfa.net keycloak.rfa.net
```

### Trust the certs

Please add init/guacamole.crt and init/keycloak.crt to your trusted certificates.

### Create the guacadmin user in keycloak

```
# Add the guacadmin user to keycloak with an email
docker exec guacamole-compose_keycloak_1 \
  /opt/jboss/keycloak/bin/kcadm.sh \
  create users \
  -s username=guacadmin@guacadmin \
  -s enabled=true \
  -s email=guacadmin@guacadmin \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin

# Set the password
docker exec guacamole-compose_keycloak_1 \
  /opt/jboss/keycloak/bin/kcadm.sh \
  set-password \
  --username guacadmin@guacadmin \
  --new-password guacadmin \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin

# Make guacadmin an admin
docker exec guacamole-compose_keycloak_1 \
  /opt/jboss/keycloak/bin/kcadm.sh \
  add-roles \
  --uusername guacadmin@guacadmin \
  --rolename admin \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin
```

### Add the guacamole-client

config/keycloak/guacamole-client.json

```
docker exec guacamole-compose_keycloak_1 \
  /opt/jboss/keycloak/bin/kcadm.sh \
  create clients \
  --file guacamole-client.json \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin
```

### TODO: add "read-only" role for keycloak

In the current configuration all query and read roles are granted.
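The client registered above from config/keycloak/guacamole-client.json accepts any redirect URI and any web origin. The following check is an added example, not part of the guacamole-compose project: it lints a copy of that client definition for settings that let tokens reach other sites and produces a pinned version for `kcadm.sh create clients --file`. `GUACAMOLE_URL` is the OPENID_REDIRECT_URI value from docker-compose.yml; the function names are this example's own.

```python
"""Lint and tighten the Keycloak client definition used for Guacamole.

Added example for this README; it is not part of the guacamole-compose project.
PROJECT_CLIENT is a copy of config/keycloak/guacamole-client.json (the saml.*
attributes, unused by an openid-connect client, are left out). GUACAMOLE_URL
is the OPENID_REDIRECT_URI value from docker-compose.yml.
"""
import copy
import json
from urllib.parse import urlsplit

GUACAMOLE_URL = "https://guacamole.rfa.net:8443/guacamole"

PROJECT_CLIENT = {
    "clientId": "guacamole",
    "name": "guacamole",
    "rootUrl": "",
    "adminUrl": "",
    "enabled": True,
    "redirectUris": ["*"],
    "webOrigins": ["*"],
    "implicitFlowEnabled": True,
    "protocol": "openid-connect",
    "attributes": {"id.token.signed.response.alg": "RS512"},
}


def lint_client(client):
    """Return findings for settings that let tokens or CORS responses reach any site."""
    findings = []
    wildcard_redirect = False
    for uri in client.get("redirectUris", []):
        if uri == "*" or uri.startswith("*"):
            wildcard_redirect = True
            findings.append(f"redirectUris entry {uri!r} matches any URL")
        elif uri.startswith("http://"):
            findings.append(f"redirectUris entry {uri!r} is plaintext HTTP")
    if "*" in client.get("webOrigins", []):
        findings.append("webOrigins contains '*': every origin may call Keycloak with this client")
    if client.get("implicitFlowEnabled") and wildcard_redirect:
        # Guacamole 1.1.0's openid extension uses the implicit flow, so the flow
        # itself must stay on; the id_token is returned in the URL fragment of
        # whatever redirect_uri is requested, which is why it must be pinned.
        findings.append("implicit flow with wildcard redirectUris: id_token can be sent to any URL")
    return findings


def harden_client(client, guacamole_url):
    """Return a copy with redirect URIs and web origins pinned to the Guacamole URL."""
    parts = urlsplit(guacamole_url)
    hardened = copy.deepcopy(client)
    base = guacamole_url.rstrip("/")
    # Exact match for OPENID_REDIRECT_URI plus a trailing-wildcard pattern for
    # anything beneath /guacamole (Keycloak only honours '*' at the end).
    hardened["redirectUris"] = [base, base + "/*"]
    hardened["webOrigins"] = [f"{parts.scheme}://{parts.netloc}"]
    return hardened


if __name__ == "__main__":
    for finding in lint_client(PROJECT_CLIENT):
        print("finding:", finding)
    # Save this output and pass it to: kcadm.sh create clients --file <file> ...
    print(json.dumps(harden_client(PROJECT_CLIENT, GUACAMOLE_URL), indent=2))
```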

### TODO: make "read-only" role a default role in keycloak

## To customize:

Find all instances of rfa.net, and replace them to your liking:

```
grep -R rfa.net | grep -v Binary
```

**Please note:** haproxy SNI routing requires a *unique* cert for *each* backend, so
you'll need separate certs for guacamole and keycloak.

## To use

Then browse to:

https://guacamole.rfa.net:8443/guacamole

https://keycloak.rfa.net:8443

### To add users

---

Guacamole uses keycloak for identity, and uses postgres for authorization.

```
Guacamole's OpenID Connect ... removing the need for users to log into Guacamole
directly. This module must be layered on top of ... that provide connection
information ... database authentication ....
```

Because of this, ***users have to be added to both keycloak and postgres.***

Reference: https://guacamole.apache.org/doc/gug/openid-auth.html

---

#### Adding a user to Postgres

To add users to postgres, add them through the guacamole application.

https://guacamole.rfa.net:8443/guacamole

username: *guacadmin@guacadmin*

password: *guacadmin*

---

**Upper right corner, username, settings**

![Upper right corner, username, settings](docs/images/0-guacamole-settings.png "Upper right corner, username, settings")

---

**Middle top, users, left middle, new user**

![Middle top, users, left middle, new user](docs/images/1-add-users.png "Middle top, users, left middle, new user")

---

**Make sure the username is in email format, make appropriate selections**

![Make sure the username is in email format, make appropriate selections](docs/images/2-userprofile-a.png "Make sure the username is in email format, make appropriate selections")

---

**Scroll down, continuing to make appropriate selections, then click save**

![Scroll down, continuing to make appropriate selections, then click save](docs/images/3-userprofile-b.png "Scroll down, continuing to make appropriate selections, then click save")

***NOTE***: if a connection is under a subgroup, both the subgroup and
connection must be checked for the user to create a connection.
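Because every user has to exist in both keycloak (identity) and postgres (authorization), with the keycloak email equal to the guacamole username and email, the two directories drift apart easily. The script below is an added example, not part of the guacamole-compose project: it applies those rules to a dump of the guacamole_entity/guacamole_user tables and to the output of `kcadm.sh get users`, and lists the accounts that break them. The docker container names, the psql query and all sample data are this example's assumptions.

```python
"""Cross-check Guacamole's postgres accounts against Keycloak users.

Added example for this README; not part of the guacamole-compose project.
On the compose host the two inputs would come from (container names assumed
to follow the README's guacamole-compose_* naming):
  docker exec guacamole-compose_postgres_1 psql -U guacamole_user -d guacamole_db \
    -t -A -F, -c "SELECT e.name, u.email_address FROM guacamole_entity e \
                  JOIN guacamole_user u USING (entity_id) WHERE e.type = 'USER'"
  docker exec guacamole-compose_keycloak_1 /opt/jboss/keycloak/bin/kcadm.sh \
    get users -r master --server https://keycloak.rfa.net:8443/auth \
    --realm master --user admin --password admin
Below, both outputs are replaced by constructed sample data so it runs offline.
"""
import json

# Constructed sample of the psql output: name,email_address per line.
SAMPLE_GUAC_CSV = """\
guacadmin@guacadmin,guacadmin@guacadmin
alice@example.test,alice@example.test
bob,bob@example.test
carol@example.test,
"""

# Constructed sample of `kcadm.sh get users` output (unrelated fields dropped).
SAMPLE_KC_JSON = json.dumps([
    {"username": "guacadmin@guacadmin", "email": "guacadmin@guacadmin", "enabled": True},
    {"username": "alice", "email": "alice@example.test", "enabled": True},
    {"username": "dave", "email": "dave@example.test", "enabled": True},
    {"username": "erin", "enabled": True},
])


def parse_guac_csv(text):
    """Map Guacamole username -> email_address ('' when NULL) from psql -A -F, output."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _, email = line.partition(",")
            users[name] = email
    return users


def parse_kc_users(text):
    """Map Keycloak email -> username; users without an email can never match."""
    return {u["email"]: u["username"] for u in json.loads(text) if u.get("email")}


def check_accounts(guac_users, kc_by_email):
    """Apply the README's rules and return the offending names per rule (sorted)."""
    findings = {
        "guac_username_not_email": [],   # username must be in email format
        "guac_email_mismatch": [],       # Guacamole email must equal its username
        "guac_missing_in_keycloak": [],  # authorization row with no identity behind it
        "keycloak_missing_in_guac": [],  # identity with no Guacamole account (no connections)
    }
    for name, email in guac_users.items():
        if "@" not in name:
            findings["guac_username_not_email"].append(name)
        if email != name:
            findings["guac_email_mismatch"].append(name)
        if name not in kc_by_email:
            findings["guac_missing_in_keycloak"].append(name)
    for email in kc_by_email:
        if email not in guac_users:
            findings["keycloak_missing_in_guac"].append(email)
    return {rule: sorted(names) for rule, names in findings.items()}


def run_sample():
    """Run the check over the constructed samples."""
    return check_accounts(parse_guac_csv(SAMPLE_GUAC_CSV), parse_kc_users(SAMPLE_KC_JSON))


if __name__ == "__main__":
    for rule, names in run_sample().items():
        print(f"{rule}: {', '.join(names) if names else 'none'}")
```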

---

#### Adding user to Keycloak

https://keycloak.rfa.net:8443

Administration Console

---

**Scroll down, click users, view all users, add user**

![Scroll down, click users, view all users, add user](docs/images/4-add-users-keycloak.png "Scroll down, click users, view all users, add user")

---

**Make the keycloak user's email match the username and email of the guacamole user**

![Make the keycloak user's email match the username and email of the guacamole user](docs/images/5-userprofilea-keycloak.png "Make the keycloak user's email match the username and email of the guacamole user")

***NOTE***: The email of the keycloak user must match the username and email of the guacamole user.

---

**Set the password**

![Set the password](docs/images/6-set-password-keycloak.png "Set the password")

*Why doesn't keycloak let you set the password when you create the user?!?*

---

## Adding Connections

---

**Upper right corner, username, settings**

![Upper right corner, username, settings](docs/images/0-guacamole-settings.png "Upper right corner, username, settings")

---

**Middle top, connections, left, new connection**

![Middle top, connections, left, new connection](docs/images/1-new-connection.png "Middle top, connections, left, new connection")

---

**Make an SSH connection**

- *Name*: some-name

- *Location*: the-group

- *Protocol*: *SSH*

- *Max number of connections*: 2

- *Max number of connections per user*: 2

Reference: https://jasoncoltrin.com/2017/10/04/setup-guacamole-remote-desktop-gateway-on-ubuntu-with-one-script/

![Protocol SSH](docs/images/2-new-connection-ssh-a.png "Protocol SSH")

---

**Set the host**

**Scroll down**, under the Network section set the host

![Set the host and port](docs/images/3-new-connection-ssh-b.png "Set the host and port")

**CLICK SAVE**

---

## Where to send users when you want to tell them RTFM

https://guacamole.apache.org/doc/gug/using-guacamole.html

## To uninstall

```
docker-compose down
./teardown.sh
```

## Reference:

- https://github.com/airaketa/guacamole-docker-compose/tree/5aac1dccbd7b89b54330155270a4684829de1442
- https://lemonldap-ng.org/documentation/latest/applications/guacamole
- https://guacamole.apache.org/doc/gug/administration.html#connection-management
- https://jasoncoltrin.com/2017/10/04/setup-guacamole-remote-desktop-gateway-on-ubuntu-with-one-script/
--------------------------------------------------------------------------------
/config/guacamole/0.enable-tomcat-ssl.patch:
--------------------------------------------------------------------------------
--- init/server.xml.orig	2020-03-26 18:22:55.548532694 -0700
+++ init/server.xml	2020-03-26 18:27:26.247285566 -0700
@@ -99,18 +99,15 @@
          Either JSSE or OpenSSL style configuration may be used. OpenSSL style
          configuration is used below.
     -->
-



--------------------------------------------------------------------------------
/config/guacamole/1.add-guacadmin-email.patch:
--------------------------------------------------------------------------------
--- init/initdb.sql.orig	2020-03-29 17:47:10.732328565 -0700
+++ init/initdb.sql	2020-03-29 19:20:02.227890869 -0700
@@ -754,26 +754,27 @@
 --
 
 -- Create default user "guacadmin" with password "guacadmin"
-INSERT INTO guacamole_entity (name, type) VALUES ('guacadmin', 'USER');
-INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date)
+INSERT INTO guacamole_entity (name, type) VALUES ('guacadmin@guacadmin', 'USER');
+INSERT INTO guacamole_user (entity_id, email_address, password_hash, password_salt, password_date)
 SELECT
     entity_id,
+    'guacadmin@guacadmin',
     decode('CA458A7D494E3BE824F5E1E175A1556C0F8EEF2C2D7DF3633BEC4A29C4411960', 'hex'),  -- 'guacadmin'
     decode('FE24ADC5E11E2B25288D1704ABE67A79E342ECC26064CE69C5B3177795A82264', 'hex'),
     CURRENT_TIMESTAMP
-FROM guacamole_entity WHERE name = 'guacadmin' AND guacamole_entity.type = 'USER';
+FROM guacamole_entity WHERE name = 'guacadmin@guacadmin' AND guacamole_entity.type = 'USER';
 
 -- Grant this user all system permissions
 INSERT INTO guacamole_system_permission (entity_id, permission)
 SELECT entity_id, permission::guacamole_system_permission_type
 FROM (
     VALUES
-        ('guacadmin', 'CREATE_CONNECTION'),
-        ('guacadmin', 'CREATE_CONNECTION_GROUP'),
-        ('guacadmin', 'CREATE_SHARING_PROFILE'),
-        ('guacadmin', 'CREATE_USER'),
-        ('guacadmin', 'CREATE_USER_GROUP'),
-        ('guacadmin', 'ADMINISTER')
+        ('guacadmin@guacadmin', 'CREATE_CONNECTION'),
+        ('guacadmin@guacadmin', 'CREATE_CONNECTION_GROUP'),
+        ('guacadmin@guacadmin', 'CREATE_SHARING_PROFILE'),
+        ('guacadmin@guacadmin', 'CREATE_USER'),
+        ('guacadmin@guacadmin', 'CREATE_USER_GROUP'),
+        ('guacadmin@guacadmin', 'ADMINISTER')
 ) permissions (username, permission)
 JOIN guacamole_entity ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER';
 
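Review bot: the context line `-- Create default user "guacadmin" with password "guacadmin"` no longer matches what the hunk creates, since the entity name becomes `guacadmin@guacadmin`; update the comment together with the INSERTs. The hunk also keeps the upstream `password_hash` and `password_salt` (marked `-- 'guacadmin'`), so the renamed account still carries the well-known default database password; as Keycloak handles login in this deployment, the README should say either that this database password is never used for login or that it must be changed after setup.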
@@ -782,9 +783,9 @@
 SELECT guacamole_entity.entity_id, guacamole_user.user_id, permission::guacamole_object_permission_type
 FROM (
     VALUES
-        ('guacadmin', 'guacadmin', 'READ'),
-        ('guacadmin', 'guacadmin', 'UPDATE'),
-        ('guacadmin', 'guacadmin', 'ADMINISTER')
+        ('guacadmin@guacadmin', 'guacadmin@guacadmin', 'READ'),
+        ('guacadmin@guacadmin', 'guacadmin@guacadmin', 'UPDATE'),
+        ('guacadmin@guacadmin', 'guacadmin@guacadmin', 'ADMINISTER')
 ) permissions (username, affected_username, permission)
 JOIN guacamole_entity ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER'
 JOIN guacamole_entity affected ON permissions.affected_username = affected.name AND guacamole_entity.type = 'USER'

--------------------------------------------------------------------------------
/config/haproxy/haproxy.cfg:
--------------------------------------------------------------------------------
frontend ingress_https
    bind *:8443
    mode tcp
    timeout client 1m
    no option checkcache
    no option httpclose
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    tcp-request content reject
    use_backend bk_guacamole if { req_ssl_sni -i guacamole.rfa.net }
    use_backend bk_keycloak if { req_ssl_sni -i keycloak.rfa.net }

backend bk_guacamole
    mode tcp
    balance roundrobin
    timeout connect 10s
    timeout server 1m
    server guacamole guacamole:8443

backend bk_keycloak
    mode tcp
    balance roundrobin
    timeout connect 10s
    timeout server 1m
    server keycloak keycloak.rfa.net:8443

--------------------------------------------------------------------------------
/config/keycloak/guacamole-client.json:
--------------------------------------------------------------------------------
{
  "clientId": "guacamole",
  "name": "guacamole",
  "rootUrl": "",
  "adminUrl": "",
  "enabled": true,
  "redirectUris": [
    "*"
  ],
  "webOrigins": [
    "*"
  ],
  "implicitFlowEnabled": true,
  "protocol": "openid-connect",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "false",
    "saml.multivalued.roles": "false",
    "saml.encrypt": "false",
    "access.token.signed.response.alg": "",
    "saml.server.signature": "false",
    "saml.server.signature.keyinfo.ext": "false",
    "exclude.session.state.from.auth.response": "true",
    "id.token.signed.response.alg": "RS512",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "tls.client.certificate.bound.access.tokens": "false",
    "saml.authnstatement": "false",
    "display.on.consent.screen": "false",
    "saml.onetimeuse.condition": "false"
  }
}
--------------------------------------------------------------------------------
/config/keycloak/init-keycloak.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## Create the guacadmin user in keycloak

#### Add the guacadmin user to keycloak with an email
/opt/jboss/keycloak/bin/kcadm.sh \
  create users \
  -s username=guacadmin@guacadmin \
  -s enabled=true \
  -s email=guacadmin@guacadmin \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin

# Set the password
/opt/jboss/keycloak/bin/kcadm.sh \
  set-password \
  --username guacadmin@guacadmin \
  --new-password guacadmin \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin

# Make guacadmin an admin
/opt/jboss/keycloak/bin/kcadm.sh \
  add-roles \
  --uusername guacadmin@guacadmin \
  --rolename admin \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin

### Add the guacamole-client
/opt/jboss/keycloak/bin/kcadm.sh \
  create clients \
  --file guacamole-client.json \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin

--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3'

services:
  postgres:
    image: docker.io/postgres:9.6
    restart: always
    volumes:
      - ./init/initdb.sql:/docker-entrypoint-initdb.d/initdb.sql
      - ./data/guacamole:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: guacamole_user
      POSTGRES_PASSWORD: some_password
      POSTGRES_DB: guacamole_db
    networks:
      - guac
  guacd:
    image: docker.io/guacamole/guacd:1.1.0
    restart: always
    networks:
      - guac
    ports:
      # guacd does no authentication of its own; the guacamole container reaches
      # it over the guac network, so publishing 4822 on the host only widens access.
      - "4822:4822"
  guacamole:
    image: docker.io/guacamole/guacamole:1.1.0
    restart: always
    ports:
      - "6443:8443"
    hostname: guacamole.rfa.net
    networks:
      guac:
        aliases:
          - guacamole.rfa.net
    volumes:
      - ./openid/guacamole-auth-openid-1.1.0.jar:/opt/guacamole/openid/guacamole-auth-openid-1.1.0.jar
      - ./init/guacamole.crt:/usr/local/tomcat/conf/guacamole.crt
      - ./init/guacamole.key:/usr/local/tomcat/conf/guacamole.key
      - ./init/server.xml:/usr/local/tomcat/conf/server.xml
      - ./init/cacerts:/docker-java-home/jre/lib/security/cacerts
    environment:
      POSTGRES_HOSTNAME: postgres
      POSTGRES_DATABASE: guacamole_db
      POSTGRES_USER: guacamole_user
      POSTGRES_PASSWORD: some_password
      GUACD_PORT_4822_TCP_ADDR: guacd
      GUACD_PORT_4822_TCP_PORT: 4822
      GUACD_HOSTNAME: guacd
      GUACAMOLE_HOSTNAME: https://guacamole:8443/guacamole/#
      # https://keycloak.rfa.net:8443/auth/realms/master/.well-known/openid-configuration
      # https://guacamole.apache.org/doc/gug/openid-auth.html
      OPENID_AUTHORIZATION_ENDPOINT: https://keycloak.rfa.net:8443/auth/realms/master/protocol/openid-connect/auth
      OPENID_JWKS_ENDPOINT: https://keycloak.rfa.net:8443/auth/realms/master/protocol/openid-connect/certs
      OPENID_ISSUER: https://keycloak.rfa.net:8443/auth/realms/master
      OPENID_CLIENT_ID: guacamole
      # A YAML mapping may hold each key once; the alternative redirect URI is
      # kept as a comment instead of a duplicate key.
      # OPENID_REDIRECT_URI: https://guacamole.rfa.net:8443/guacamole/#/settings/sessions
      OPENID_REDIRECT_URI: https://guacamole.rfa.net:8443/guacamole
      OPENID_CLAIM_TYPE: sub
      # OPENID_CLAIM_TYPE: preferred_username
      OPENID_SCOPE: openid profile
      # 99999 seconds (over 27 hours) of tolerated clock skew weakens the token
      # expiry checks; reduce it once the host clocks agree.
      OPENID_ALLOWED_CLOCK_SKEW: 99999
      OPENID_MAX_TOKEN_VALIDITY: 300
      OPENID_MAX_NONCE_VALIDITY: 10
    depends_on:
      - postgres
      - guacd
      - keycloak
  haproxy:
    image: docker.io/haproxy:2.1
    restart: always
    ports:
      - "8443:8443"
    volumes:
      - ./config/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
    networks:
      - guac
    depends_on:
      - guacamole
      - keycloak
  keycloakpostgres:
    image: docker.io/postgres:9.6
    restart: always
    volumes:
      - ./data/keycloak:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: keycloak
      POSTGRES_DB: keycloak
    networks:
      - guac
  keycloak:
    image: docker.io/jboss/keycloak:latest
    restart: always
    depends_on:
      - keycloakpostgres
    environment:
      - DB_ADDR=keycloakpostgres
      - DB_DATABASE=keycloak
      - DB_PASSWORD=keycloak
      - DB_SCHEMA=public
      - DB_USER=keycloak
      - DB_VENDOR=POSTGRES
      - KEYCLOAK_LOGLEVEL=INFO
      - KEYCLOAK_PASSWORD=admin
      # In the list form quotes become part of the value; kcadm.sh and the
      # README log in as plain admin.
      - KEYCLOAK_USER=admin
    hostname: keycloak.rfa.net
    ports:
      - "7443:8443"
    tmpfs:
      - /run
      - /tmp
      - /opt/jboss/keycloak/standalone/tmp/vfs/temp
    volumes:
      - ./init/application.keystore:/opt/jboss/keycloak/standalone/configuration/application.keystore
      - ./init/cacerts:/usr/lib/jvm/java-11-openjdk-11.0.6.10-0.el8_1.x86_64/lib/security/cacerts
      - ./config/keycloak/guacamole-client.json:/guacamole-client.json
    networks:
      guac:
        aliases:
          - keycloak.rfa.net
networks:
  guac:
    driver: bridge

--------------------------------------------------------------------------------
/docs/creating-images.txt:
--------------------------------------------------------------------------------
References:
https://alvinalexander.com/design/gimp-draw-straight-line-in-gimp/
--------------------------------------------------------------------------------
/docs/images/0-guacamole-settings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/0-guacamole-settings.png
--------------------------------------------------------------------------------
/docs/images/1-add-users.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/1-add-users.png
--------------------------------------------------------------------------------
/docs/images/1-new-connection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/1-new-connection.png
--------------------------------------------------------------------------------
/docs/images/2-new-connection-ssh-a.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/2-new-connection-ssh-a.png
--------------------------------------------------------------------------------
/docs/images/2-userprofile-a.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/2-userprofile-a.png
--------------------------------------------------------------------------------
/docs/images/3-new-connection-ssh-b.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/3-new-connection-ssh-b.png
--------------------------------------------------------------------------------
/docs/images/3-userprofile-b.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/3-userprofile-b.png
--------------------------------------------------------------------------------
/docs/images/4-add-users-keycloak.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/4-add-users-keycloak.png
--------------------------------------------------------------------------------
/docs/images/5-userprofilea-keycloak.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/5-userprofilea-keycloak.png
--------------------------------------------------------------------------------
/docs/images/6-set-password-keycloak.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/6-set-password-keycloak.png
--------------------------------------------------------------------------------
/docs/images/data_image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cynthia-rempel/guacamole-compose/a2111c2e84d1c95a10d878e3370b5a16665e0657/docs/images/data_image.png
--------------------------------------------------------------------------------
/docs/updating-patches.txt:
--------------------------------------------------------------------------------
To make a new 0.enable-tomcat-ssl.patch

diff -Naur init/server.xml.orig init/server.xml > config/guacamole/0.enable-tomcat-ssl.patch

--------------------------------------------------------------------------------
/docs/using-github.txt:
--------------------------------------------------------------------------------
# To create and check out a branch
git checkout -b cindys-branch

# To add the changes
git add *

# To commit the changes
git commit -m "commit message"

# To push the branch onto github
git push origin cindys-branch

# To merge with master (switch to master first, then merge the branch into it)
git checkout master
git merge cindys-branch
--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash -x

echo "checking for patch"
patch -v
echo "checking for wget"
wget -V
echo "checking for docker-compose"
docker-compose -v
echo "checking for docker"
docker -v
echo "checking for keytool"
keytool -v

# create directories
mkdir -p {data/guacamole,data/keycloak,init,openid}

cd openid

wget -nc \
  https://mirrors.ocf.berkeley.edu/apache/guacamole/1.1.0/binary/guacamole-auth-openid-1.1.0.tar.gz
tar -xf guacamole-auth-openid-1.1.0.tar.gz
mv guacamole-auth-openid-1.1.0/* .
cd ..

# create the database initialization script for the guacamole database
docker run --rm \
  docker.io/guacamole/guacamole:1.1.0 \
  /opt/guacamole/bin/initdb.sh --postgres > init/initdb.sql.orig

cp init/initdb.sql.orig init/initdb.sql

patch init/initdb.sql < config/guacamole/1.add-guacadmin-email.patch

# get the original server.xml
touch init/server.xml.orig
docker run --rm --name guacamole-setup \
  docker.io/guacamole/guacamole:1.1.0 \
  cat /usr/local/tomcat/conf/server.xml > init/server.xml.orig

# make a copy to patch
cp init/server.xml.orig init/server.xml

# enable ssl, and such
patch init/server.xml < config/guacamole/0.enable-tomcat-ssl.patch

# Need self-signed cert for ca

# Create private keys for:
#   Guacamole
#   Keycloak

openssl req \
  -newkey rsa:2048 \
  -nodes \
  -keyout init/guacamole.key \
  -x509 \
  -days 365 \
  -out init/guacamole.crt \
  -subj "/C=US/ST=CA/L=Anytown/O=Ridgecrest First Aid/OU=AED Instructors/CN=guacamole.rfa.net"

# values pulled from server.xml within the image, and errors from the docker log
keytool -genkey \
  -alias server \
  -keyalg RSA \
  -keystore init/application.keystore \
  -keysize 2048 \
  -storepass password \
  -dname "cn=keycloak.rfa.net, ou=AED Instructors, o=Ridgecrest, c=US" \
  -keypass password \
  -trustcacerts \
  -validity 365

# make the certificate available to guacamole
touch init/keycloak.crt
keytool -exportcert \
  -keystore init/application.keystore \
  -alias server \
  -storepass password \
  -keypass password | \
  openssl x509 -inform der -text > init/keycloak.crt

# Grabbing cacerts, don't use this for standalone.xml
# as we don't link to postgres
touch init/cacerts
# the container is started in the background and killed after 10s; the sleep
# only gives it time to exist before docker cp runs
timeout 10 docker run --rm --name keycloak-cacerts \
  docker.io/jboss/keycloak:latest &
sleep 1s
docker cp keycloak-cacerts:/etc/pki/ca-trust/extracted/java/cacerts init/cacerts

keytool -importcert \
  -alias keycloak \
  -keystore init/cacerts \
  -storepass changeit \
  -file init/keycloak.crt \
  -trustcacerts -noprompt
keytool -importcert \
  -alias guacamole \
  -keystore init/cacerts \
  -storepass changeit \
  -file init/guacamole.crt \
  -trustcacerts -noprompt

docker stop keycloak-cacerts
docker rm keycloak-cacerts

--------------------------------------------------------------------------------
/teardown.sh:
--------------------------------------------------------------------------------
#!/bin/bash
rm -rf data/*
rm -rf init/*
rm -rf openid/*
--------------------------------------------------------------------------------