From 3439d1e36184e83e01829db5c0ee97984b350a5a Mon Sep 17 00:00:00 2001 From: Jon Date: Mon, 28 Aug 2023 18:15:20 +0930 Subject: [PATCH 1/7] feat(inventory): block access to inventory endpoints These paths are the default paths for inventory uploading. access is being prevented so that a different path can be used and so to enforce authentication issue #4 --- includes/etc/apache2/sites-available/000-default.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/includes/etc/apache2/sites-available/000-default.conf b/includes/etc/apache2/sites-available/000-default.conf index 7d65c16..1d2386f 100644 --- a/includes/etc/apache2/sites-available/000-default.conf +++ b/includes/etc/apache2/sites-available/000-default.conf @@ -4,6 +4,16 @@ Require all granted RewriteEngine On + # Don't provide access to inventory on these paths + # ToDo: add inventory path for /plugins/fusioninventory/ + RewriteCond %{REQUEST_URI} ^/front/inventory.php$ [OR] + RewriteCond %{REQUEST_URI} /plugins/glpiinventory + RewriteCond %{REQUEST_URI} !/plugins/glpiinventory/front/ [OR] + RewriteCond %{REQUEST_URI} /marketplace/glpiinventory + RewriteCond %{REQUEST_URI} !/marketplace/glpiinventory/front/ + RewriteRule ^(.*)$ - [R=404,NC] + + RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ index.php [QSA,L] From 83b4e98a189d50f5b69d25e8a02f0dee70f012e9 Mon Sep 17 00:00:00 2001 From: Jon Date: Tue, 29 Aug 2023 03:02:12 +0930 Subject: [PATCH 2/7] feat(inventory): Enable inventory endpoint with env variable by using an env variable the inventory endpoint can be enabled. !3 #4 --- .../apache2/sites-available/000-default.conf | 31 +++++++++++++++---- 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/includes/etc/apache2/sites-available/000-default.conf b/includes/etc/apache2/sites-available/000-default.conf index 1d2386f..c4388f3 100644 --- a/includes/etc/apache2/sites-available/000-default.conf +++ b/includes/etc/apache2/sites-available/000-default.conf 
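Review bot: The five `RewriteCond` lines mix `[OR]` with the implicit AND, and mod_rewrite groups them as (C1 OR C2) AND (C3 OR C4) AND C5, so a request under `/marketplace/glpiinventory/` fails the first group and is never blocked even though the comment says it should be. Each blocked path needs its own condition set ending in its own `RewriteRule ^(.*)$ - [R=404,NC]`; PATCH 2 of this series restructures the block that way, so the point is resolved later in the series but the intermediate commit ships with the gap. Both `RewriteCond %{REQUEST_URI} /plugins/glpiinventory` and the marketplace variant are unanchored substring matches with unescaped `.`, so `^/plugins/glpiinventory` would be more precise. The enclosing directive of this rule set is not visible in the hunk.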
@@ -2,24 +2,43 @@ DocumentRoot /var/www/html/public + Require all granted RewriteEngine On + + # Paths: + # Reference: https://glpi-agent.readthedocs.io/en/latest/configuration.html + # - fusioninventory: /plugins/fusioninventory/ + # - Native (non-GlpiInventory plugin): /front/inventory.php + # - GlpiInventory plugin (Marketplace installed): /marketplace/glpiinventory/ + # - GlpiInventory plugin (plugin folder installed): /plugins/glpiinventory/ + # NOTE: for glpi inventory index.php must be prepended to path so that GUI can still be accessed. + # Don't provide access to inventory on these paths # ToDo: add inventory path for /plugins/fusioninventory/ - RewriteCond %{REQUEST_URI} ^/front/inventory.php$ [OR] - RewriteCond %{REQUEST_URI} /plugins/glpiinventory - RewriteCond %{REQUEST_URI} !/plugins/glpiinventory/front/ [OR] - RewriteCond %{REQUEST_URI} /marketplace/glpiinventory - RewriteCond %{REQUEST_URI} !/marketplace/glpiinventory/front/ + + RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/front/inventory.php + RewriteCond %{REQUEST_URI} ^/front/inventory.php$ + RewriteRule ^(.*)$ - [R=404,NC] + + RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/plugins/glpiinventory/ + RewriteCond %{REQUEST_URI} /plugins/glpiinventory + RewriteCond %{REQUEST_URI} !/plugins/glpiinventory/front/ + RewriteRule ^(.*)$ - [R=404,NC] + + RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/marketplace/glpiinventory/ + RewriteCond %{REQUEST_URI} /marketplace/glpiinventory + RewriteCond %{REQUEST_URI} !/marketplace/glpiinventory/front/ RewriteRule ^(.*)$ - [R=404,NC] RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ index.php [QSA,L] + ErrorLog /var/log/apache2/error-glpi.log LogLevel warn CustomLog /var/log/apache2/access-glpi.log combined + \ No newline at end of file From 23886773af9976a06be6296cc4a89986df0cd787 Mon Sep 17 00:00:00 2001 
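Review bot: The feature-flag conditions `RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/front/inventory.php` (and the `!/plugins/glpiinventory/` and `!/marketplace/glpiinventory/` variants) are unanchored regexes with an unescaped `.`, so the gate opens whenever the variable merely contains something resembling the path; anchoring them, e.g. `RewriteCond %{ENV:GLPI_INVENTORY_PATH} !^/front/inventory\.php$`, makes the flag an exact choice. The leading slash also matters for the documentation: the page added in PATCH 3 tells users to set `GLPI_INVENTORY_PATH=front/inventory.php`, which does not contain `/front/inventory.php`, so following the docs as written leaves the endpoint at 404 — the docs and the condition need to agree on one form (the compose example in PATCH 7 uses the slash-prefixed form). The hunk additionally removes `RewriteRule ^(.*)$ index.php [QSA,L]` with nothing visible replacing it; if the front-controller rule has not simply moved (this page drops tag-like lines, so it may be inside a directive), the remaining `RewriteCond %{REQUEST_FILENAME} !-f` has no rule to attach to and non-file URLs stop reaching index.php. A one-line comment above the ENV conditions stating the accepted values, e.g. `# GLPI_INVENTORY_PATH must be exactly one of the paths listed above, including the leading slash`, would prevent the mismatch recurring.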
From: Jon Date: Tue, 29 Aug 2023 17:13:03 +0930 Subject: [PATCH 3/7] docs: added initial docs !3 #2 --- .gitlab-ci.yml | 2 +- .gitmodules | 4 ++ docs/articles/index.md | 0 docs/contact.md | 0 docs/index.md | 0 docs/operations/index.md | 0 docs/projects/glpi/index.md | 79 +++++++++++++++++++++++++++++++++ docs/projects/index.md | 0 docs/tags.md | 0 docs/task-doc-template.md | 87 +++++++++++++++++++++++++++++++++++++ mkdocs.yml | 30 +++++++++++++ website-template | 1 + 12 files changed, 202 insertions(+), 1 deletion(-) create mode 100644 docs/articles/index.md create mode 100644 docs/contact.md create mode 100644 docs/index.md create mode 100644 docs/operations/index.md create mode 100644 docs/projects/glpi/index.md create mode 100644 docs/projects/index.md create mode 100644 docs/tags.md create mode 100644 docs/task-doc-template.md create mode 100644 mkdocs.yml create mode 160000 website-template diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7b7d5d7..4c0ba74 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -7,7 +7,7 @@ variables: DOCKER_IMAGE_PUBLISH_NAME: 'docker-glpi' DOCKER_IMAGE_PUBLISH_REGISTRY: docker.io/nofusscomputing DOCKER_IMAGE_PUBLISH_URL: https://hub.docker.com/r/nofusscomputing/$DOCKER_IMAGE_PUBLISH_NAME - PAGES_ENVIRONMENT_PATH: projects/docker_glpi/ + PAGES_ENVIRONMENT_PATH: projects/glpi/ include: - project: nofusscomputing/projects/gitlab-ci diff --git a/.gitmodules b/.gitmodules index cc4d8a5..de6bfdd 100644 --- a/.gitmodules +++ b/.gitmodules @@ -2,3 +2,7 @@ path = gitlab-ci url = https://gitlab.com/nofusscomputing/projects/gitlab-ci.git branch = development +[submodule "website-template"] + path = website-template + url = https://gitlab.com/nofusscomputing/infrastructure/website-template.git + branch = development diff --git a/docs/articles/index.md b/docs/articles/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/contact.md b/docs/contact.md new file mode 100644 index 0000000..e69de29 
diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/operations/index.md b/docs/operations/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/projects/glpi/index.md b/docs/projects/glpi/index.md new file mode 100644 index 0000000..9de21c0 --- /dev/null +++ b/docs/projects/glpi/index.md 
@@ -0,0 +1,79 @@ +--- +title: Dockerized GLPI +description: How to use No Fuss Computings docker container GLPI. +date: 2023-08-29 +template: project.html +about: https://gitlab.com/nofusscomputing/projects/ansible/docker-glpi +--- + +This docker container contains GLPI and is intended to be production ready and requires minimal configuration to use. + +!!! info + **TLDR** The docker container is available on dockerhub. `docker pull nofusscomputing/docker-glpi:dev` + +This container is designed to be ephemeral with all data residing within docker volumes. Outside of this container, the only reqirements is hard disk space and a MySQL/MariaDB database. + + +## Features + +To see a full list of changes/features see the [changelog](https://gitlab.com/nofusscomputing/projects/docker-glpi/-/blob/development/CHANGELOG.md). + +- Data Volumes for _(relative paths are for glpi www root, `/var/www/html`)_ + + - `config/` + + - `data/` + + - `files/` + + - `plugins/` + + - `marketplace/` + + - `/var/log/` + +- Inventory endpoints only available with use of feature flag + +- Container health check reports for all services (apache, cron, supervisord) + +- GLPI cron script scheduled within container cron. _See notes below._ + +- GLPI WWW root setup under `public/` + + +## Inventory + +It is posssible to use the inventory features available within GLPI, however by default access to the endpoints is disabled and behind a feature flag.The image by default will return HTTP/404 for the following paths: + +- `plugins/fusioninventory/` fusioninventory + +- `front/inventory.php` Native (non-GlpiInventory plugin) + +- `marketplace/glpiinventory/` GlpiInventory plugin (Marketplace installed) + +- `plugins/glpiinventory/` GlpiInventory plugin (plugin folder installed) + +To enable an inventory endpoint, using the values above, set environmental variable `GLPI_INVENTORY_PATH` when launching the container. i.e. to use GLPI native inventory `GLPI_INVENTORY_PATH=front/inventory.php`. 
on launching the container with this variable set, that endpoint is available for use for the inventory feature of GLPI. + +!!! tip + when using either `marketplace/glpiinventory/` or `plugins/glpiinventory/` as the inventory path you are required to prepend `index.php` to the end of the `server` directive in `agent.cfg`. i.e. `server = https://my-glpi-server/plugins/glpiinventory/index.php` + +!!! warning + It is strongly advised that when using the inventory features of GLPI, that the endpoints be configured for client authentication. + + +### Clinet Authentication + +Due to the limitations of the inventory agents, mTLS is not available so HTTP Basic Authentication is configurable. by default, when you set the environmental variable `GLPI_INVENTORY_PATH` HTTP basic auth is enabled by default. To configure the users follow these steps: + +1. run command from within the container `htpasswd -c /apache-passwd-glpi-inventory {Username to create}` + +1. enter the password and confirm when prompted + +1. configure the `user` and `password` entries in the `agent.cfg` file. + +!!! tip + Ensure you limit the permissions on the `agent.cfg` file as it contains a password in clear text. Only the user the agent is run as requires access and you are encouraged to limit to that user only. + +!!! warning + HTTP Basic authentication is inherently insecure. to overcome this shortfall, ONLY use HTTP Basic Auth over a secure connection _(https)_. diff --git a/docs/projects/index.md b/docs/projects/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/tags.md b/docs/tags.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/task-doc-template.md b/docs/task-doc-template.md new file mode 100644 index 0000000..ade9fcd --- /dev/null +++ b/docs/task-doc-template.md 
@@ -0,0 +1,87 @@ + + +short summary of the task file + +## {Task Name} + +- **Name**: + +- **Description**: + +- **Module**: + +- **Arguments**: + + - + +- **Conditional**: + +- **Tags**: + + - + +## {Task Name} + +- **Name**: + +- **Description**: + +- **Module**: + +- **Arguments**: + + - + +- **Registers**: + +- **Conditional**: + +- **Tags**: + + - + + +## Variables + +The following variables can be customized in this task file: + +```yaml +variable_name: "default_value" +``` + +- `variable_name`: Description of the variable. + +## Tags + +The tasks in this task file are tagged with the following tags: + +- + +## Usage + +To use this Ansible task file, you can include it in your playbook or role and provide values for the required variables. Here's an example of how you can use this task file: + +1. Create a playbook (e.g., `your_playbook.yaml`) and define the necessary variables: + +```yaml +--- + +- hosts: your_hosts + vars: + variable_name: "value" + + tasks: + - include_tasks: path/to/task_file.yaml +``` + +2. Create a separate file for the task file (e.g., `task_file.yaml`) and copy the content of the task file into it. + +3. Run the playbook: + +```shell +ansible-playbook your_playbook.yaml +``` + +Make sure to replace the placeholder values (`variable_name`, `value`) with the appropriate values for your setup. + +Note: You may need to adjust the playbook structure and additional tasks based on your specific requirements and the tasks you want to execute. \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml new file mode 100644 index 0000000..318e4c2 --- /dev/null +++ b/mkdocs.yml 
@@ -0,0 +1,30 @@ +INHERIT: website-template/mkdocs.yml + +docs_dir: 'docs' + +repo_name: Docker GLPI +repo_url: https://gitlab.com/nofusscomputing/projects/docker-glpi +edit_uri: '/-/ide/project/nofusscomputing/projects/docker-glpi/edit/development/-/docs/' + +nav: +- Home: index.md + +- Articles: + + - articles/index.md + +- Projects: + + - projects/index.md + + - GLPI Docker: + + - projects/glpi/index.md + + +- Operations: + + - operations/index.md + +- Contact Us: contact.md + diff --git a/website-template b/website-template new file mode 160000 index 0000000..992b548 --- /dev/null +++ b/website-template @@ -0,0 +1 @@ +Subproject commit 992b54805b8b6c78a3d2a5ea7de71c7be2b070c8 From 04999a8b57837d3f30a7df40323b82b4ebb0387b Mon Sep 17 00:00:00 2001 From: Jon Date: Tue, 29 Aug 2023 17:14:23 +0930 Subject: [PATCH 4/7] feat(inventory): Authenticated access !3 #4 --- dockerfile | 5 ++++- .../apache2/sites-available/000-default.conf | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/dockerfile b/dockerfile index d6cbf9d..f562635 100644 --- a/dockerfile +++ b/dockerfile @@ -88,7 +88,10 @@ COPY --from=prepare /tmp/glpi /var/www/html RUN chown www-data:www-data -R /var/www; \ - ln -s /var/www/html/bin/console /bin/console; + ln -s /var/www/html/bin/console /bin/console; \ + touch /apache-passwd-glpi-inventory; \ + chown www-data:www-data /apache-passwd-glpi-inventory; \ + chmod 740 /apache-passwd-glpi-inventory; VOLUME /var/www/html/config diff --git a/includes/etc/apache2/sites-available/000-default.conf b/includes/etc/apache2/sites-available/000-default.conf index c4388f3..1257317 100644 --- a/includes/etc/apache2/sites-available/000-default.conf +++ b/includes/etc/apache2/sites-available/000-default.conf @@ -1,6 +1,24 @@ DocumentRoot /var/www/html/public + + + + + + + AuthType Basic + AuthName "Restricted Access" + AuthUserFile /apache-passwd-glpi-inventory + Require valid-user + + + + + + + + Require all granted 
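Review bot: `chown www-data:www-data /apache-passwd-glpi-inventory` followed by `chmod 740` makes the Basic-auth credential file writable by the account the web server and PHP run as, so a compromise of the application could add or replace inventory users; httpd only needs to read it. `chown root:www-data /apache-passwd-glpi-inventory; \` and `chmod 640 /apache-passwd-glpi-inventory;` keep it readable by the workers while the `htpasswd -c` step described in the docs is run as root inside the container (which `docker exec` does unless a `USER` is set elsewhere in the file). The file also lives in the image layer rather than under any of the `VOLUME` paths declared below, so accounts created with `htpasswd` are lost whenever the container is recreated, contradicting the "ephemeral with all data in volumes" design stated in the docs; either declare it as a volume or document that it must be bind-mounted. Note too that `htpasswd -c` truncates the file each time, so the documented command overwrites existing users when run for a second account.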
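Review bot: The enclosing `<Location>`/`<Directory>` directives of this `AuthType Basic` block are not visible on this page (the rendering drops tag-like lines), so the scope of `Require valid-user` cannot be confirmed from the hunk; it should cover exactly the inventory paths that the `GLPI_INVENTORY_PATH` conditions can open and nothing else, otherwise the GUI is gated by the htpasswd file too. Because the `AuthUserFile` is created empty in the dockerfile, `Require valid-user` rejects every request until an account exists, which is the right fail-closed behaviour and deserves a comment, e.g. `# AuthUserFile starts empty: all inventory requests are rejected until htpasswd has been run`. The docs in this series warn that Basic auth is only acceptable over HTTPS, yet the compose example added in PATCH 7 publishes the glpi service's port 80 directly (`"80:80"`) alongside an ingress that already binds 80 and 443, which both collides on the host port and lets agents send credentials in the clear; the example should drop the glpi port mapping and route only through the ingress. The rest of this file section is outside the visible part of the hunk.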
From 83fbaae1d61bcd9ac73f46373694204c5e7751c8 Mon Sep 17 00:00:00 2001 From: Jon Date: Tue, 29 Aug 2023 17:14:55 +0930 Subject: [PATCH 5/7] fix(docker): added files as volume !3 --- dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/dockerfile b/dockerfile index f562635..3fd6fcb 100644 --- a/dockerfile +++ b/dockerfile @@ -96,6 +96,7 @@ RUN chown www-data:www-data -R /var/www; \ VOLUME /var/www/html/config VOLUME /var/www/html/data +VOLUME /var/www/html/files VOLUME /var/www/html/plugins VOLUME /var/www/html/marketplacey VOLUME /var/log From 39e476386a4a88fa6fa175f14085eb0cc3e8e4e4 Mon Sep 17 00:00:00 2001 From: Jon Date: Tue, 29 Aug 2023 17:28:57 +0930 Subject: [PATCH 6/7] docs: add cron !3 #2 --- docs/projects/glpi/index.md | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/docs/projects/glpi/index.md b/docs/projects/glpi/index.md index 9de21c0..6025188 100644 --- a/docs/projects/glpi/index.md +++ b/docs/projects/glpi/index.md @@ -41,6 +41,29 @@ To see a full list of changes/features see the [changelog](https://gitlab.com/no - GLPI WWW root setup under `public/` +## Cron + +Cron is installed as part of the image and runs automagically on container start. GLPI cron script is also scheduled to run every minute. However for GLPI to use the CLI cron, you must configure it. + +Once GLPI has been setup and configured: + +1. navigate to `Setup -> Automatic Actions` + +1. select all items in the list + +1. click the `Actions` button + +1. select `Update` + +1. select `Run Mode` + +1. select `CLI` + +1. click `Submit` + +Now GLPI will use the CLI cron script to run automagic actions. + + ## Inventory It is posssible to use the inventory features available within GLPI, however by default access to the endpoints is disabled and behind a feature flag.The image by default will return HTTP/404 for the following paths: 
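Review bot: The context line `VOLUME /var/www/html/marketplacey` two lines below the added `VOLUME /var/www/html/files` has a typo, so the marketplace directory that the docs list as a data volume (and that the compose example mounts at `/var/www/html/marketplace`) is not actually declared as one; it should read `VOLUME /var/www/html/marketplace`. It is a pre-existing line rather than one this commit adds, but the commit is editing the same list and the docs in PATCH 3 promise `config/`, `data/`, `files/`, `plugins/`, `marketplace/` and `/var/log/`, so the declarations should match that list exactly.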
@@ -62,7 +85,7 @@ To enable an inventory endpoint, using the values above, set environmental varia It is strongly advised that when using the inventory features of GLPI, that the endpoints be configured for client authentication. -### Clinet Authentication +### Client Authentication Due to the limitations of the inventory agents, mTLS is not available so HTTP Basic Authentication is configurable. by default, when you set the environmental variable `GLPI_INVENTORY_PATH` HTTP basic auth is enabled by default. To configure the users follow these steps: From 711549ba4c9709c39022d8e87e401f5184637091 Mon Sep 17 00:00:00 2001 From: Jon Date: Tue, 29 Aug 2023 17:42:01 +0930 Subject: [PATCH 7/7] docs: add docker-compose example !3 #2 --- docs/projects/glpi/index.md | 79 +++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/docs/projects/glpi/index.md b/docs/projects/glpi/index.md index 6025188..2508a24 100644 --- a/docs/projects/glpi/index.md +++ b/docs/projects/glpi/index.md 
@@ -100,3 +100,82 @@ Due to the limitations of the inventory agents, mTLS is not available so HTTP Ba !!! warning HTTP Basic authentication is inherently insecure. to overcome this shortfall, ONLY use HTTP Basic Auth over a secure connection _(https)_. + + +## Running the container + +To quickly setup a container the following `docker-compose.yaml` file could be used. + +``` yaml title="docker-compose.yaml" linenums="1" +version: "3.2" + +services: + + + mariadb: + image: mariadb:latest + container_name: mariadb + hostname: mariadb + volumes: + - /opt/mysql/mysql:/var/lib/mysql + environment: + - MARIADB_ROOT_PASSWORD=******** + - MARIADB_DATABASE=glpi + - MARIADB_USER=******** + - MARIADB_PASSWORD=******** + restart: always + + + ingress: + image: nginx:latest-alpine + container_name : ingress + hostname: ingress + ports: + - "80:80" + - "443:443" + volumes: + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + - /opt/ingress/conf.d:/etc/nginx/conf.d:ro + - /opt/ingress/http:/http:ro + - /opt/ingress/ssl:/ssl:ro + environment: + - TIMEZONE=UTC + restart: always + networks: + - ingress + - default + + + glpi: + image: nofusscomputing/docker-glpi:dev + container_name : glpi + hostname: glpi + ports: + - "80:80" + volumes: + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + - /opt/glpi/plugins:/var/www/html/plugins + - /opt/glpi/files:/var/www/html/files + - /opt/glpi/config:/var/www/html/config + - /opt/glpi/marketplace:/var/www/html/marketplace + environment: + - TIMEZONE=UTC + - GLPI_INVENTORY_PATH=/plugins/glpiinventory/ + restart: always + networks: + - default + + +volumes: + data_mysql: + + +networks: + default: + external: no + ingress: + external: yes + +```