Changes:

- use sudo for software installation in logon script
- logon script desktop-entry
- new log functions in include
- renamed include file
- mozilla starter with profilename option
- added kdevelop profilename

system_setup/logon_script.sh

@@ -2,17 +2,35 @@
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
+# User logon script for KDE Environement
+#
 source ./setup_system.conf
-source ./setup_system.inc
+source ./setup_system.inc.sh
 
-echo "User Logon Script"
-echo "=================="
-echo ""
+elog_init "User Logon Script"
+elog_add "=================="
+elog_add ""
+elog_add `date`
+elog_add "Logging to File ${LOGFILE}"
 
-#Check and copy Autostart-Entry
-#TODO: Check if Desktop is KDE/Plasma and support other Displays
-if [ ! -f "${HOME}/.config/autostart/Logon_Script.desktop" ]; then
-    cp "${SCRIPTPATH}/Logon_Script.desktop" "${HOME}/.config/autostart"
+if [ "$EUID" -eq 0 ]; then
+    elog_add "Error: Cannot run this script as root."
+    exit 1
+fi
+
+#TODO C: Check if Desktop is KDE/Plasma and support other Displays
+# Make kdesu use sudo
+kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo
+if [ $? -ne 0 ]; then
+    elog_add "This script should be run in KDE- Desktop. The setup of kwriteconfig5 has failed. Please check, if you are using KDE."
+    exit 1
+fi
+
+#Copy current Version of Autostart-Entry
+cp "${SCRIPTPATH}/logon_script.sh.desktop" "${HOME}/.config/autostart"
+if [ $? -ne 0 ]; then
+    elog_add "Failed to setup autostart- entry. Check your installation of these scripts."
+    exit 1
 fi
 
 # Mount the private Directory
@@ -22,31 +40,39 @@ else
     ./mount_nocrypt_home.sh
 fi
 if [ $? -ne 0 ]; then
-    echo "Some Error when mounting private Directory, cannot continue. Your Data will not be available."
-    echo "If you want to redo this script here, execute ${SCRIPTPATH}/${SCRIPTNAME}"
+    elog_add "Some Error when mounting private Directory, cannot continue. Your Data will not be available."
+    elog_add "If you want to redo this script here, execute ${SCRIPTPATH}/${SCRIPTNAME}"
     read -n 1 -s -r -p "Press any key to continue"
     exit 1
 fi
 
 #Get WEBDAV TOKEN from Nextcloud
 get_nc_token
-echo "Successfully obtained Token for User "${DAVTOKEN_USER}
+elog_add "Successfully obtained Token for User ${DAVTOKEN_USER}"
 
 #SYNC Firefox + Thunderbird Profile
 ./mozilla_starter.sh firefox sync && ./mozilla_starter.sh thunderbird sync
 
 #Install additional Software
-./sync_client_software.sh
-if [ -f "${CLIENT_SOFTWARE_DST}/install.sh" ]; then
-    /bin/sh "${CLIENT_SOFTWARE_DST}/install.sh"
+elog_add ""
+elog_add "Update and install client Software"
+# Without sudoers-rule for run without asking for password, it won't run and quit complaining about not askpass utilities found
+# Hint: To get this working, create a new ipa rule with options "!authenticate" and "setenv"
+# And also add the following sudo-rule: "^\/sys_config\/system_setup\/sync_client_software\.sh.*$"
+/usr/bin/sudo -A --preserve-env /sys_config/system_setup/sync_client_software.sh install 2>&1 | tee ${LOGFILE} -a | grep -v askpass
+INST_RET=$?
+INST_OUT=$( cat ${LOGFILE} )
+if [[ $INST_RET -ne 0 ]]; then
+    if [[ $INST_OUT == *"askpass"* ]]; then
+        elog_add "Not doing Software Updates, as your user is not allowed to execute the script without a password."
+        elog_add "If you want to change this, make a FreeIPA sudoers rule for the script sync_client_software.sh with !authenticate for you and become a member."
+    else
+        elog_add "*** Error executing software sync and install, please check your output! ***"
+    fi
 fi
 
-#Last, remove unused Flatpak- Runtimes and unused Data
-echo "Removing unused Flatpak- Data."
-flatpak uninstall --unused -y
-flatpak uninstall --delete-data -y
-echo "Sucessfully run logon script (Wait 5 seconds)"
-sleep 5
+elog_add "Sucessfully run logon script (Wait 3 seconds)"
+sleep 3
 
 #read -n 1 -s -r -p "Press any key to continue"
 #echo ""

system_setup/logon_script.sh.desktop

@@ -0,0 +1,19 @@
+#!/usr/bin/env xdg-open
+[Desktop Entry]
+Comment[de_DE]=
+Comment=
+Exec=/usr/bin/konsole --fullscreen --hide-tabbar --hide-menubar -e /sys_config/system_setup/logon_script.sh
+GenericName[de_DE]=
+GenericName=
+Icon=application-x-shellscript
+MimeType=
+Name[de_DE]=logon_script.sh
+Name=logon_script.sh
+Path=/sys_config/system_setup
+StartupNotify=true
+Terminal=false
+TerminalOptions=
+Type=Application
+X-KDE-AutostartScript=true
+X-KDE-SubstituteUID=false
+X-KDE-Username=

system_setup/mozilla_starter.sh

@@ -2,8 +2,9 @@
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
+# Usage
 source ./setup_system.conf
-source ./setup_system.inc
+source ./setup_system.inc.sh
 
 #Lokal Vars
 LOGFILE="${TEMPDIR}/${SCRIPTNAME}.log"
@@ -13,6 +14,9 @@ if [ "${DAVTOKEN_USER}." == "." ]; then
     get_nc_token
 fi
 
+# Use optional Profilename
+profilename=${3:-"default"}
+
 #Parametercheck:
 if [ "${1}." == "." ]; then
     echo "ERROR: Parameter 1 missing."
@@ -21,7 +25,7 @@ elif [ ${1} == 'firefox' ]; then
     REMOTE_PATH=${PROFILE_FIREFOX_SRC}
     PROFILE_PATH=${PROFILE_FIREFOX_DST}
     if [ "${2}." == 'run.' ]; then
-        RUNCMD="/usr/bin/firefox --profile ${PROFILE_FIREFOX_DST}"
+        RUNCMD="/usr/bin/firefox --profile ${PROFILE_FIREFOX_DST}/${profilename}"
     elif [ "${2}." == 'sync.' ]; then
         RUNCMD=""
     else
@@ -33,7 +37,7 @@ elif [ ${1} == 'thunderbird' ]; then
     REMOTE_PATH=${PROFILE_TB_SRC}
     PROFILE_PATH=${PROFILE_TB_DST}
     if [ "${2}." == 'run.' ]; then
-        RUNCMD="/usr/bin/thunderbird -profile ${PROFILE_TB_DST}"
+        RUNCMD="/usr/bin/thunderbird -profile ${PROFILE_TB_DST}/${profilename}"
     elif [ "${2}." == 'sync.' ]; then
         RUNCMD=""
     else
@@ -46,7 +50,7 @@ else
     BREAK_ERROR=1
 fi
 if [[ ${BREAK_ERROR} == 1 ]]; then
-    echo "Call: ${SCRIPTNAME} [firefox | thunderbird] [run | sync]"
+    echo "Call: ${SCRIPTNAME} [firefox | thunderbird] [run | sync] [ profilename ]"
     exit 1
 fi
 
@@ -79,6 +83,7 @@ fi
 #Execute
 if [ "${RUNCMD}." != "." ]; then
     echo "OK. Starting ${1}..."
+    echo ${RUNCMD}
     ${RUNCMD} && echo "${1} ended successfully. Please wait for the Profile to sync."
     if [[ $? -ne 0 ]]; then
         echo "****"

system_setup/setup_system.conf

@@ -2,60 +2,71 @@
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
-TLDOMAIN=obel1x.de
-DOMAIN=clients.${TLDOMAIN}
-SERVERFQDN_IPA=ipa.${TLDOMAIN} # Needs to be the IPA- Server
-SERVERFQDN_NC=nextcloud.${TLDOMAIN}
-SYSCONFIGPATH="/sys_config"
-INSTALLDOCS="https://dokuwiki.obel1x.de/content:serverbasics"
+export TLDOMAIN=obel1x.de
+export DOMAIN=clients.${TLDOMAIN}
+export SERVERFQDN_IPA=ipa.${TLDOMAIN} # Needs to be the IPA- Server
+export SERVERFQDN_NC=nextcloud.${TLDOMAIN}
+export SYSCONFIGPATH="/sys_config"
+export INSTALLDOCS="https://dokuwiki.obel1x.de/content:serverbasics"
 
 # Method to determine Unique Hostname / FQDN of the Client. May be replaced by your needs
 if [ "$EUID" -eq 0 ]; then
-    HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)"
+    export HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)"
 else
-    HOSTNM=$( hostname -s )
+    export HOSTNM=$( hostname -s )
 fi
-FQDN=${HOSTNM}.${DOMAIN}
+export FQDN=${HOSTNM}.${DOMAIN}
+
+#Additional Client-Software- Repository-Folder (Shared Folder / Systemwide)
+export CLIENT_SOFTWARE_DST="/opt/client_software" # Optional. If you don't have a Folder that should always be synced, leave this empty
+export CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software"
+
+#First run Service Name
+export FIRSTRUN_SERVICENAME="setup-system.service"
+export FIRSTRUN_SCRIPTPATH="/usr/lib/systemd/system"
 
 #Secure File Encryption
 #Needs a running KRA- Service on FreeIPA
 # Set to "true" to use Encryption via IPAVAULT - OTHERWISE YOUR FILES WILL NOT BE ENCRYPTED
-IPAVAULTUSE="false"
+export IPAVAULTUSE="false"
 # Vaultname - can be any Name
-IPAVAULTNAME="CLIENT_FILEENCRYPTION_"${HOSTNM}
+export IPAVAULTNAME="CLIENT_FILEENCRYPTION_"${HOSTNM}
 
-#This if the Path, that will be encryptet at system logon
-DECRYPTEDDATADIR="${HOME}/data" # Decrypted Dir to work for the User
-ENCRYPTEDDATADIR="${HOME}/.data" # Contains the encrypted Data
+#Following settings are only available when run in Userspace
+if [ "$EUID" -ne 0 ]; then
+  #This is the Path, that will be mapped from encryptet filesystem at logon - only available for users, not for root
+  export DECRYPTEDDATADIR="${HOME}/data" # Decrypted Dir to work for the User
+  export ENCRYPTEDDATADIR="${HOME}/.data" # Contains the encrypted Data
 
-#Important Files
-DAVTOKENFILENAME="${DECRYPTEDDATADIR}/WEBDAVTOKEN"
+  #Important Files
+  export DAVTOKENFILENAME="${DECRYPTEDDATADIR}/WEBDAVTOKEN"
 
-#Additional Client-Software- Repository-Folder (Shared Folder / Systemwide)
-CLIENT_SOFTWARE_DST="/opt/client_software" # Optional. If you don't have a Folder that should always be synced, leave this empty
-CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software"
+  #Path for Documents
+  export CLIENT_DATA_DST="${DECRYPTEDDATADIR}/Dokumente" #Optional
+  export CLIENT_DATA_SRC="/Documents"
 
-#Firefox Profiles
-PROFILE_FIREFOX_SRC="mozilla_profiles/firefox"
-PROFILE_FIREFOX_DST="${DECRYPTEDDATADIR}/firefox"
+  #Firefox Profiles of the User
+  export PROFILE_FIREFOX_SRC="mozilla_profiles/firefox"
+  export PROFILE_FIREFOX_DST="${DECRYPTEDDATADIR}/firefox"
 
-#Thunderbird Profiles
-PROFILE_TB_SRC="mozilla_profiles/thunderbird"
-PROFILE_TB_DST="${DECRYPTEDDATADIR}/thunderbird"
-
-#First run Service Name
-FIRSTRUN_SERVICENAME="setup-system.service"
-FIRSTRUN_SCRIPTPATH="/usr/lib/systemd/system"
+  #Thunderbird Profiles
+  export PROFILE_TB_SRC="mozilla_profiles/thunderbird"
+  export PROFILE_TB_DST="${DECRYPTEDDATADIR}/thunderbird"
+fi
 
 #Basic commons not needing change
-CDATEC8=$(date '+%Y%m%d') # Date 8 Characters long: YYYYMMDD
-CTIMEC6=$(date '+%H%M%S') # Time 6 Chars: HHMMSS
+export CDATEC8=$(date '+%Y%m%d') # Date 8 Characters long: YYYYMMDD
+export CTIMEC6=$(date '+%H%M%S') # Time 6 Chars: HHMMSS
 
 #Basic runtime-Vars
-EXECDIR=$(pwd)
-SCRIPTPATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
+export EXECDIR=$(pwd)
+export SCRIPTPATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
 if [ ${SCRIPTPATH::2} == "//" ]; then
-    SCRIPTPATH=${SCRIPTPATH:1}
+    export SCRIPTPATH=${SCRIPTPATH:1}
 fi
-SCRIPTNAME=$(basename "$0")
+export SCRIPTNAME=$(basename "$0")
+
+# temp and log files
 TEMPDIR="${HOME}/temp/system_setup"
+LOGFILE="${TEMPDIR}/${SCRIPTNAME}.log"
+mkdir -p ${TEMPDIR}

system_setup/setup_system.inc.sh

@@ -0,0 +1,127 @@
+# Includes for System Setup
+#
+# SPDX-FileCopyrightText: Daniel Pätzold
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# This is not a runnig script-file. No Logik to execute. Its used for includes in other scripts.
+
+#Check if we are root
+# Deprectaed - use if Statement itself
+#check_root()
+#{
+#    if [ "$EUID" -ne 0 ]; then
+#        return 1
+#    fi
+#    return 0
+#}
+
+#Check if the Data- Directory is encrypted
+check_data_isecrypted() {
+    CHECKRES=$( cat /etc/mtab | grep "${DECRYPTEDDATADIR}" | grep "fuse.gocryptfs" )
+    if [ "${CHECKRES}." == "." ]; then
+        return 1 # Error: Directory is not mounted
+    else
+        return 0 # Directory is mounted
+    fi
+}
+
+# Functions for logging
+elog_init() {
+    echo $@ | tee ${LOGFILE}
+}
+elog_add() {
+    echo $@ | tee ${LOGFILE} -a
+}
+
+# Will set variable DAVTOKEN_USER and DAVTOKEN_PASS to the stored value or get a new one
+get_nc_token() {
+    export DAVTOKEN_USER=""
+    export DAVTOKEN_PASS=""
+
+    if [ "$EUID" -eq 0 ]; then
+      echo "get_nc_token(): Called as superuser, which is denied."
+      return 1 # Token for Superuser makes no sense and cannot work
+    fi
+
+    if [ ${IPAVAULTUSE} == "true" ]; then
+        check_data_isecrypted
+        if [ $? -ne 0 ]; then
+            echo "Data Directory is not encrypted. Please mount it first."
+            return 1
+        fi
+    fi
+
+    if [ ! -f ${DAVTOKENFILENAME} ]; then
+        # Directory is ok, but no Tokenfile was found, need to generate a new one
+        REQJSON=$( curl -s -A "WEBDAV:${HOSTNM}" -X POST "https://${SERVERFQDN_NC}/index.php/login/v2" )
+        #    echo "JSON is:"
+        #    echo "${REQJSON}"
+
+        REQTOKEN=$( echo "${REQJSON}" | grep -oP '(?<="token":")[^"]+(?=")' )
+        REQURL=$( echo "${REQJSON}" | grep -oP '(?<="login":")[^"]+(?=")' )
+        /usr/bin/firefox "${REQURL}" &
+
+        for i in {1..200}
+        do
+            echo "Waiting 6 seconds"
+            sleep 6
+            echo -n "Poll Number ${i}..."
+            POLLJSON=$( curl -s -X POST "https://${SERVERFQDN_NC}/login/v2/poll" -d "token=${REQTOKEN}" )
+            if [[ "${POLLJSON}" == *"appPassword"* ]]; then
+                echo "${POLLJSON}" > ${DAVTOKENFILENAME}
+                echo "found token. Token has been written to ${DAVTOKENFILENAME}"
+                break
+            else
+                echo "failed"
+            fi
+        done
+    else
+        # Tokenfile found, reading it
+        POLLJSON=$( cat ${DAVTOKENFILENAME} )
+    fi
+    export DAVTOKEN_USER=$( echo "${POLLJSON}" | grep -oP '(?<="loginName":")[^"]+(?=")' )
+    export DAVTOKEN_PASS=$( echo "${POLLJSON}" | grep -oP '(?<="appPassword":")[^"]+(?=")' )
+}
+
+# Custom `select` implementation that allows *empty* input.
+# Pass the choices as individual arguments.
+# Output is the chosen item, or "", if the user just pressed ENTER.
+# Example:
+#    choice=$(selectWithDefault 'one' 'two' 'three')
+selectWithDefault() {
+
+    local item i=0 numItems=$#
+
+    # Print numbered menu items, based on the arguments passed.
+    for item; do         # Short for: for item in "$@"; do
+        printf '%s\n' "$((++i))) $item"
+        done >&2 # Print to stderr, as `select` does.
+
+        # Prompt the user for the index of the desired item.
+        while :; do
+            printf %s "${PS3-#? }" >&2 # Print the prompt string to stderr, as `select` does.
+            read -r index
+            # Make sure that the input is either empty or that a valid index was entered.
+            [[ -z $index ]] && break  # empty input
+            (( index >= 1 && index <= numItems )) 2>/dev/null || { echo "Invalid selection. Please try again." >&2; continue; }
+            break
+            done
+
+            # Output the selected item, if any.
+            [[ -n $index ]] && printf %s "${@: index:1}"
+
+}
+selectExample() {
+# Print the prompt message and call the custom select function.
+echo "Include audits (default is 'Nope')?"
+optionsAudits=('Yep' 'Nope')
+opt=$(selectWithDefault "${optionsAudits[@]}")
+
+# Process the selected item.
+case $opt in
+'Yep') includeAudits=true; ;;
+''|'Nope') includeAudits=false; ;; # $opt is '' if the user just pressed ENTER
+esac
+}
+
+# This is not a runnig script-file. No Logik to execute. Its used for includes in other scripts.

system_setup/setup_system_full.sh

@@ -34,7 +34,7 @@
 
 #Load Sytem Settings
 source $(dirname "$0")/setup_system.conf
-source $(dirname "$0")/setup_system.inc
+source $(dirname "$0")/setup_system.inc.sh
 # TODO
 # Install System settings to installed system
 # read system settings from that file

system_setup/sync_client_software.sh

@@ -2,11 +2,26 @@
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
+# Central sofwareinstallation script. Should be called from logon-script via sudo and prereserved env
+#
 source ./setup_system.conf
-source ./setup_system.inc
+source ./setup_system.inc.sh
 
 #Lokal Vars
-LOGFILE="${TEMPDIR}/${SCRIPTNAME}.log"
+
+#Check for root
+if [ "$EUID" -ne 0 ]; then
+    echo "Error: Script requires root privileges. It should be executed via logon-script and not standalone."
+    exit 1
+fi
+
+#Check Token
+if [ "${DAVTOKEN_USER}." == "." ]; then
+    echo "Error: Script cannot be executed standalone and needs a prereserved environement from logon-script."
+    echo "To get executed without password prompt, use the NOPASSWD rule in sudo."
+    echo "In FreeIPA you can use the sudo-option !authenticate in the sudo rule."
+    exit 1
+fi
 
 #Check if Repository is defined
 if [ "${CLIENT_SOFTWARE_DST}." == "." ]; then
@@ -14,23 +29,21 @@ if [ "${CLIENT_SOFTWARE_DST}." == "." ]; then
     exit 0
 fi
 
-echo "Syncing central softwarerepository."
-
-#Check or get Token
-if [ "${DAVTOKEN_USER}." == "." ]; then
-    get_nc_token
-fi
-
+echo "Syncing central softwarerepository ${CLIENT_SOFTWARE_DST}"
 # Create Directory if not existent
 if [ ! -d ${CLIENT_SOFTWARE_DST} ]; then
-    sudo mkdir ${CLIENT_SOFTWARE_DST}
-    sudo chmod o=rwx ${CLIENT_SOFTWARE_DST}
+    mkdir ${CLIENT_SOFTWARE_DST}
 fi
+
+#Logs for systems software-repository go to roots log files
+LOGFILE="${TEMPDIR}/${SCRIPTNAME}.log"
+echo "Logging to File ${LOGFILE}"
+mkdir -p ${TEMPDIR}
+
 #Sync Files
-SYNCCMD="/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=nextcloudcmd com.nextcloud.desktopclient.nextcloud -h -u ${DAVTOKEN_USER} -p ${DAVTOKEN_PASS} --path ${CLIENT_SOFTWARE_SRC} ${CLIENT_SOFTWARE_DST} https://${SERVERFQDN_NC}"
+SYNCCMD="sudo -i /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=nextcloudcmd com.nextcloud.desktopclient.nextcloud -h -u ${DAVTOKEN_USER} -p ${DAVTOKEN_PASS} --path ${CLIENT_SOFTWARE_SRC} ${CLIENT_SOFTWARE_DST} https://${SERVERFQDN_NC}"
 SYNCCMD_HIDDENPW=$( echo "${SYNCCMD/${DAVTOKEN_PASS}/***HIDDEN***}" )
 echo "Exec: ${SYNCCMD_HIDDENPW}"
-mkdir -p ${TEMPDIR}
 echo "Sync Client Software" > ${LOGFILE}
 echo "====================" >> ${LOGFILE}
 date >> ${LOGFILE}
@@ -48,7 +61,12 @@ if [[ $? -ne 0 ]]; then
     echo ""
     exit 1
 fi
+chown root:root -R ${CLIENT_SOFTWARE_DST}
+chmod u+rw,go-rwx -R ${CLIENT_SOFTWARE_DST}
 if [ -f "${CLIENT_SOFTWARE_DST}/install.sh" ]; then
-    chmod ugo+x "${CLIENT_SOFTWARE_DST}/install.sh"
+    chmod u+x "${CLIENT_SOFTWARE_DST}/install.sh"
+fi
+echo "Sucessfully synced."
+if [ $1 == "install" ]; then
+    ${CLIENT_SOFTWARE_DST}/install.sh
 fi
-echo "Sucessfully synced. Quit."