Enhance setup script: implement TLS authentication for WayVNC, generate self-signed certificates, and improve user feedback for password security

setup-signage.sh

@@ -13,22 +13,25 @@ DEF='\e[0m'
 # --- End Color Definitions ---
 
 # --- Configuration ---
-# Set the URL you want the signage to display
 KIOSK_URL="https://example.com"
-
-# Set the user account to run the signage under
 SIGNAGE_USER="signage"
 
-# WayVNC Configuration
+# --- WayVNC Configuration ---
-# SET THIS PASSWORD! If left blank, a default 'changeme' will be used, which is INSECURE.
+# Set to true to enable TLS-based username/password authentication for WayVNC.
+# Set to false for passwordless VNC access (less secure, ensure network is trusted).
+WAYVNC_ENABLE_TLS_AUTH=true # Options: true or false
+
+# Password for WayVNC if WAYVNC_ENABLE_TLS_AUTH is true.
+# If blank and TLS auth is enabled, a default INSECURE password 'changeme' will be used.
 WAYVNC_PASSWORD_TO_SET="burek123" # Example: "your_secure_password"
-WAYVNC_USERNAME="signage_vnc"     # Username for VNC authentication
+WAYVNC_USERNAME="signage"     # Username for VNC authentication (if TLS auth is enabled)
+
 WAYVNC_LISTEN_ADDRESS="0.0.0.0"   # Listen on all interfaces
 WAYVNC_PORT="5900"                # Default VNC port
 # --- End Configuration ---
 
 # --- Step Counter ---
-TOTAL_STEPS=14 # Adjusted for new WayVNC config step
+TOTAL_STEPS=14
 CURRENT_STEP=0
 
 log_step_message() {
@@ -40,11 +43,18 @@ log_step_message() {
 echo -e "${BLU}Starting Alpine Linux Signage Setup (Using Sway, greetd, WayVNC)...${DEF}"
 echo -e "${BLU}Target URL: ${GRN}$KIOSK_URL${DEF}"
 echo -e "${BLU}Signage User: ${GRN}$SIGNAGE_USER${DEF}"
-echo -e "${BLU}WayVNC will listen on: ${GRN}$WAYVNC_LISTEN_ADDRESS:$WAYVNC_PORT${DEF}"
+
+if [ "$WAYVNC_ENABLE_TLS_AUTH" = true ]; then
+    echo -e "${BLU}WayVNC Authentication: ${GRN}Enabled (TLS with Username/Password)${DEF}"
     if [ -z "$WAYVNC_PASSWORD_TO_SET" ]; then
-    echo -e "${RED}WARNING: WAYVNC_PASSWORD_TO_SET is empty. A default insecure password 'changeme' will be used.${DEF}"
+        echo -e "${RED}WARNING: WAYVNC_PASSWORD_TO_SET is empty, but TLS Auth is enabled. Defaulting to INSECURE password 'changeme'.${DEF}"
         WAYVNC_PASSWORD_TO_SET="changeme"
     fi
+    echo -e "${BLU}WayVNC User: ${GRN}$WAYVNC_USERNAME${DEF}, Password: ${GRN}(set)${DEF}"
+else
+    echo -e "${YLW}WayVNC Authentication: ${RED}Disabled (Passwordless Access - Ensure network is trusted!)${DEF}"
+fi
+echo -e "${BLU}WayVNC will listen on: ${GRN}$WAYVNC_LISTEN_ADDRESS:$WAYVNC_PORT${DEF}"
 echo "-------------------------------------"
 
 # 1. Check if running as root
@@ -81,27 +91,14 @@ setup-wayland-base
 echo -e "${GRN}Base Wayland environment setup complete.${DEF}"
 echo "-------------------------------------"
 
-# 5. Install necessary packages (openssl added)
+# 5. Install necessary packages
 log_step_message "Installing core packages (Sway, Chromium, Greetd, WayVNC, openssl etc.)"
-apk add \
+PACKAGES_TO_INSTALL="sway swayidle swaybg wl-clipboard xwayland chromium mesa-dri-gallium mesa-va-gallium mesa-egl dbus font-dejavu ttf-freefont util-linux linux-firmware greetd greetd-agreety wayvnc open-vm-tools"
-    sway \
+if [ "$WAYVNC_ENABLE_TLS_AUTH" = true ]; then
-    swayidle \
+    PACKAGES_TO_INSTALL="$PACKAGES_TO_INSTALL openssl"
-    swaybg \
+fi
-    wl-clipboard \
+# shellcheck disable=SC2086
-    xwayland \
+apk add $PACKAGES_TO_INSTALL
-    chromium \
-    mesa-dri-gallium \
-    mesa-va-gallium \
-    mesa-egl \
-    dbus \
-    font-dejavu \
-    ttf-freefont \
-    util-linux \
-    linux-firmware \
-    greetd \
-    greetd-agreety \
-    wayvnc \
-    openssl # Added for key generation
 echo -e "${GRN}Required packages installed.${DEF}"
 echo "-------------------------------------"
 
@@ -150,48 +147,42 @@ SIGNAGE_HOME="/home/$SIGNAGE_USER"
 mkdir -p "$SIGNAGE_HOME/.local/share/sway"
 chown -R "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_HOME"
 chmod 750 "$SIGNAGE_HOME"
-chmod -R 700 "$SIGNAGE_HOME/.local"
+chmod -R 700 "$SIGNAGE_HOME/.local" # Restrict access to .local and its subdirectories
 echo -e "${GRN}User home directory configured.${DEF}"
 echo "-------------------------------------"
 
-# 9. Configure user's .profile (WayVNC password not needed here anymore)
+# 9. Configure user's .profile
 log_step_message "Configuring $SIGNAGE_HOME/.profile for $SIGNAGE_USER"
 SIGNAGE_PROFILE="$SIGNAGE_HOME/.profile"
 cat > "$SIGNAGE_PROFILE" << EOF
 # Profile for $SIGNAGE_USER executed by /bin/sh on login
-
+# Environment variables for Wayland applications can be set here.
-# --- Other Environment Variables (optional) ---
-# export XDG_CURRENT_DESKTOP=sway
-# export MOZ_ENABLE_WAYLAND=1
-# export QT_QPA_PLATFORM=wayland
 EOF
 chown "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_PROFILE"
 chmod 600 "$SIGNAGE_PROFILE"
 echo -e "${GRN}$SIGNAGE_PROFILE configured.${DEF}"
 echo "-------------------------------------"
 
-# 10. Configure WayVNC with authentication
+# 10. Configure WayVNC
-log_step_message "Configuring WayVNC with authentication"
+log_step_message "Configuring WayVNC"
 SIGNAGE_CONFIG_DIR="$SIGNAGE_HOME/.config"
 WAYVNC_CONFIG_DIR="$SIGNAGE_CONFIG_DIR/wayvnc"
 WAYVNC_KEYS_DIR="$WAYVNC_CONFIG_DIR/keys"
 WAYVNC_CONFIG_FILE="$WAYVNC_CONFIG_DIR/config"
 
-mkdir -p "$WAYVNC_KEYS_DIR"
+mkdir -p "$WAYVNC_KEYS_DIR" # Ensures keys directory exists, even if not used
-chown -R "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_CONFIG_DIR" || true # In case .config already existed
+chown -R "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_CONFIG_DIR" || true
 chmod 700 "$SIGNAGE_CONFIG_DIR"
-chmod 700 "$WAYVNC_CONFIG_DIR"
+chmod 700 "$WAYVNC_CONFIG_DIR" # Will be created if it doesn't exist
 chmod 700 "$WAYVNC_KEYS_DIR"
 
-# Generate self-signed cert and keys if they don't exist
+if [ "$WAYVNC_ENABLE_TLS_AUTH" = true ]; then
+    echo -e "${BLU}Setting up WayVNC with TLS authentication...${DEF}"
     TLS_KEY_FILE="$WAYVNC_KEYS_DIR/tls_key.pem"
     TLS_CERT_FILE="$WAYVNC_KEYS_DIR/tls_cert.pem"
-# WayVNC also supports rsa_private_key_file for RSA-AES, we'll use TLS for simplicity here.
-# If you need RSA-AES, you'd generate an RSA key: openssl genrsa -out "$WAYVNC_KEYS_DIR/rsa_key.pem" 2048
 
     if [ ! -f "$TLS_KEY_FILE" ] || [ ! -f "$TLS_CERT_FILE" ]; then
         echo -e "${BLU}Generating self-signed TLS certificate and key for WayVNC...${DEF}"
-    # Run as signage user to ensure correct ownership from the start
         su - "$SIGNAGE_USER" -c "openssl genpkey -algorithm RSA -out \"$TLS_KEY_FILE\" -pkeyopt rsa_keygen_bits:2048"
         su - "$SIGNAGE_USER" -c "openssl req -new -key \"$TLS_KEY_FILE\" -out \"$WAYVNC_KEYS_DIR/tls_csr.pem\" -subj \"/CN=localhost/O=Kiosk/OU=Signage\""
         su - "$SIGNAGE_USER" -c "openssl x509 -req -days 3650 -in \"$WAYVNC_KEYS_DIR/tls_csr.pem\" -signkey \"$TLS_KEY_FILE\" -out \"$TLS_CERT_FILE\""
@@ -201,7 +192,6 @@ else
         echo -e "${GRN}WayVNC TLS certificate and key already exist.${DEF}"
     fi
 
-# Create WayVNC config file
     cat > "$WAYVNC_CONFIG_FILE" << EOF
 # WayVNC configuration for signage kiosk
 address=$WAYVNC_LISTEN_ADDRESS
@@ -211,39 +201,45 @@ enable_auth=true
 username=$WAYVNC_USERNAME
 password=$WAYVNC_PASSWORD_TO_SET
 
-# For TLS encryption (recommended)
 private_key_file=$TLS_KEY_FILE
 certificate_file=$TLS_CERT_FILE
-
-# Optional: If you generated an RSA key for RSA-AES (some clients might prefer)
-# rsa_private_key_file=$WAYVNC_KEYS_DIR/rsa_key.pem
-
-# Optional: Relax encryption requirements (can be less secure, for compatibility)
-# relax_encryption=true
-
-# Optional: Keyboard layout settings
-# xkb_layout=us
 EOF
     chown "$SIGNAGE_USER:$SIGNAGE_USER" "$WAYVNC_CONFIG_FILE"
     chmod 600 "$WAYVNC_CONFIG_FILE"
-chmod 400 "$TLS_KEY_FILE" # Restrict private key readability
+    chmod 400 "$TLS_KEY_FILE"
     chmod 644 "$TLS_CERT_FILE"
-
     echo -e "${GRN}WayVNC configuration file created at $WAYVNC_CONFIG_FILE with authentication enabled.${DEF}"
     if [ "$WAYVNC_PASSWORD_TO_SET" = "changeme" ]; then
         echo -e "${RED}CRITICAL: WayVNC password is set to 'changeme'. This is INSECURE. Change WAYVNC_PASSWORD_TO_SET in the script and re-run, or manually edit $WAYVNC_CONFIG_FILE.${DEF}"
     fi
+else
+    echo -e "${YLW}WayVNC authentication is disabled. No WayVNC config file will be created.${DEF}"
+    echo -e "${YLW}WayVNC will start with default settings (no password).${DEF}"
+    # If a config file exists from a previous run with auth, remove it to ensure passwordless
+    if [ -f "$WAYVNC_CONFIG_FILE" ]; then
+        echo -e "${YLW}Removing existing WayVNC config file to ensure passwordless operation.${DEF}"
+        rm -f "$WAYVNC_CONFIG_FILE"
+    fi
+fi
 echo "-------------------------------------"
 
 # 11. Configure Sway
 log_step_message "Configuring Sway"
-SIGNAGE_SWAY_CONFIG_DIR="$SIGNAGE_CONFIG_DIR/sway" # .config already handled
+SIGNAGE_SWAY_CONFIG_DIR="$SIGNAGE_CONFIG_DIR/sway"
 SIGNAGE_SWAY_CONFIG_FILE="$SIGNAGE_SWAY_CONFIG_DIR/config"
-
+mkdir -p "$SIGNAGE_SWAY_CONFIG_DIR"
-mkdir -p "$SIGNAGE_SWAY_CONFIG_DIR" # Ensure sway dir exists under .config
 chown -R "$SIGNAGE_USER:$SIGNAGE_USER" "$SIGNAGE_SWAY_CONFIG_DIR"
 chmod 700 "$SIGNAGE_SWAY_CONFIG_DIR"
 
+WAYVNC_EXEC_LINE="exec wayvnc --render-cursor"
+if [ "$WAYVNC_ENABLE_TLS_AUTH" = false ]; then
+    # If auth is disabled, we need to pass listen address and port if not default
+    # or if user explicitly set them and expects WayVNC to use them without a config file.
+    # However, WayVNC defaults to 0.0.0.0:5900 if no config and no args.
+    # For clarity, if no auth, we'll pass them to ensure it listens as configured in the script.
+    WAYVNC_EXEC_LINE="exec wayvnc --render-cursor $WAYVNC_LISTEN_ADDRESS $WAYVNC_PORT"
+fi
+
 cat > "$SIGNAGE_SWAY_CONFIG_FILE" << EOF
 # Sway configuration for Alpine Signage Kiosk
 set \$mod Mod4
@@ -270,8 +266,10 @@ exec /usr/bin/chromium \\
     --ignore-gpu-blocklist \\
     --disable-gpu
 
-# WayVNC will now use its own config file for auth
+# WayVNC launch
-exec wayvnc --render-cursor # Address/port are now in its config file
+# If TLS auth is enabled, WayVNC uses its config file.
+# If TLS auth is disabled, we pass listen address/port explicitly.
+$WAYVNC_EXEC_LINE
 
 bindsym \$mod+Shift+q kill
 bindsym \$mod+Shift+c reload
@@ -338,23 +336,31 @@ echo "-------------------------------------"
 
 # --- Final Summary ---
 echo -e "${BLU}[Step $((CURRENT_STEP +1))/$TOTAL_STEPS] Final checks and information (this is not an actual step increment).${DEF}"
-CURRENT_STEP=$TOTAL_STEPS # Ensure counter matches total for summary
+CURRENT_STEP=$TOTAL_STEPS
 echo -e "${GRN}-----------------------------------------------------${DEF}"
 echo -e "${GRN} Alpine Linux Signage Setup Script Finished!        ${DEF}"
 echo -e "${GRN}-----------------------------------------------------${DEF}"
 echo -e "${BLU} SUMMARY:${DEF}"
 echo -e " ${GRN}* User '$SIGNAGE_USER' created, added to 'video'/'input' groups.${DEF}"
-echo -e " ${GRN}* WayVNC configured with authentication (user: ${YLW}$WAYVNC_USERNAME${GRN}, pass: ${YLW}${WAYVNC_PASSWORD_TO_SET}${GRN}). Config: ${YLW}$WAYVNC_CONFIG_FILE${DEF}"
+if [ "$WAYVNC_ENABLE_TLS_AUTH" = true ]; then
+    echo -e " ${GRN}* WayVNC configured with TLS authentication (user: ${YLW}$WAYVNC_USERNAME${GRN}, pass: ${YLW}${WAYVNC_PASSWORD_TO_SET}${GRN}). Config: ${YLW}$WAYVNC_CONFIG_FILE${DEF}"
     echo -e " ${YLW}  Self-signed TLS certs generated in ${WAYVNC_KEYS_DIR}. You may need to accept these in your VNC client.${DEF}"
     if [ "$WAYVNC_PASSWORD_TO_SET" = "changeme" ]; then
-    echo -e "   ${RED}CRITICAL: WayVNC password is 'changeme'. THIS IS INSECURE!${DEF}"
+        echo -e "   ${RED}CRITICAL: WayVNC password is 'changeme'. THIS IS INSECURE! Change it in the script or $WAYVNC_CONFIG_FILE.${DEF}"
+    fi
+else
+    echo -e " ${YLW}* WayVNC configured for ${RED}PASSWORDLESS ACCESS${YLW}. Ensure your network is trusted!${DEF}"
 fi
 echo -e " ${GRN}* Sway configured to launch Chromium Kiosk and WayVNC.${DEF}"
 echo -e " ${GRN}* Autologin via greetd and inittab configured.${DEF}"
 echo ""
 echo -e "${RED} !!! IMPORTANT !!!${DEF}"
 echo -e " ${RED}* If 'nomodeset' warning appeared, graphical kiosk WILL NOT WORK until fixed.${DEF}"
+if [ "$WAYVNC_ENABLE_TLS_AUTH" = true ]; then
     echo -e " ${YLW}* Connect to VNC using user: ${GRN}$WAYVNC_USERNAME${YLW} and password: ${GRN}YOUR_SET_PASSWORD${DEF}"
+else
+    echo -e " ${YLW}* Connect to VNC directly (no password).${DEF}"
+fi
 echo -e "   ${YLW}The VNC server is listening on ${GRN}$WAYVNC_LISTEN_ADDRESS:$WAYVNC_PORT${DEF}"
 echo -e "${RED}!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!${DEF}"
 echo ""
@@ -364,10 +370,12 @@ echo ""
 echo -e "${BLU} TROUBLESHOOTING AFTER REBOOT:${DEF}"
 echo -e " ${BLU}1. Check user groups: ${GRN}groups $SIGNAGE_USER${YLW} (should include 'video', 'input')${DEF}"
 echo -e " ${BLU}2. Check Sway log: ${GRN}cat $SWAY_LOG_PATH_IN_GREETD${DEF}"
+if [ "$WAYVNC_ENABLE_TLS_AUTH" = true ]; then
     echo -e " ${BLU}3. Check WayVNC config: ${GRN}cat $WAYVNC_CONFIG_FILE${DEF}"
+fi
 echo -e " ${BLU}4. Check WayVNC running: ${GRN}ps aux | grep wayvnc ; netstat -tulnp | grep :$WAYVNC_PORT${DEF}"
 echo -e " ${BLU}5. Manually test WayVNC (as $SIGNAGE_USER on TTY2, after stopping greetd & starting sway):${DEF}"
-echo -e "    ${GRN}wayvnc${DEF}"
+echo -e "    ${GRN}wayvnc${DEF} (if TLS auth enabled, it uses its config) or ${GRN}wayvnc $WAYVNC_LISTEN_ADDRESS $WAYVNC_PORT${DEF} (if no auth)"
 echo -e "${GRN}-----------------------------------------------------${DEF}"
 
 exit 0