Merge pull request #737 from silversword411/develop

wip and docs updates
This commit is contained in:
Dan 2021-09-30 12:17:46 -07:00 committed by GitHub
commit e0972b7c24
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 109 additions and 16 deletions

@ -136,6 +136,16 @@ Files create `c:\Windows\temp\Tacticalxxxx\` folder for install (and log files)
***
### Agent Recovery
#### Mesh Agent Recovery
Tactical Agent just runs `mesh_agent.exe -something` to get the mesh agent id and saves it to the django database.
#### Tactical RPC Recovery
#### Tactical Agent Recovery
### Windows Update Management
Tactical RMM Agent sets:
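Review bot: the new "Tactical RPC Recovery" and "Tactical Agent Recovery" subsections and the "Windows Update Management" heading ("Tactical RMM Agent sets:") are left empty in this hunk, and the Mesh Agent Recovery line still carries the placeholder `mesh_agent.exe -something`. Either fill in the real flag and the recovery steps before merge, or mark these sections as TODO so a reader does not take the placeholder for the actual command.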

Binary file not shown. Before: Size 18 KiB; After: Size 19 KiB.

@ -1,27 +1,62 @@
# Docker Setup
- Install docker and docker-compose
- Obtain valid wildcard certificate for your domain. If certificates are not provided, a self-signed certificate will be generated and most agent functions won't work. See below on how to generate a free Let's Encrypt!
## 1. Install Docker
## Generate certificates with certbot
Install docker
Install Certbot
### 2. Create the A records
We'll be using `example.com` as our domain for this example.
!!!info
The RMM uses 3 different sites. The Vue frontend e.g. `rmm.example.com` which is where you'll be accesing your RMM from the browser, the REST backend e.g. `api.example.com` and Meshcentral e.g. `mesh.example.com`
1. Get the public IP of your server with `curl https://icanhazip.tacticalrmm.io`
2. Open the DNS manager of wherever the domain you purchased is hosted.
3. Create 3 A records: `rmm`, `api` and `mesh` and point them to the public IP of your server:
![arecords](images/arecords.png)
## 3. Acquire Let's Encrypt Wildcard certs with certbot
!!!warning
If the Let's Encrypt wildcard certificates are not provided, a self-signed certificate will be generated and most agent functions won't work.
### A. Install Certbot
```bash
sudo apt-get install certbot
```
Generate the wildcard certificate. Add the DNS entry for domain validation. Replace `example.com` with your root doamin
### B. Generate the wildcard Let's Encrypt certificates
We're using the [DNS-01 challenge method](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge)
#### a. Deploy the TXT record in your DNS manager
!!!warning
TXT records can take anywhere from 1 minute to a few hours to propogate depending on your DNS provider.<br/>
You should verify the TXT record has been deployed first before pressing Enter.<br/>
A quick way to check is with the following command:<br/> `dig -t txt _acme-challenge.example.com`<br/>
or test using: <https://viewdns.info/dnsrecord/> Enter: `_acme-challenge.example.com`
![txtrecord](images/txtrecord.png)
![dnstxt](images/dnstxt.png)
#### b. Request Let's Encrypt Wildcard cert
```bash
sudo certbot certonly --manual -d *.example.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns
```
## Configure DNS and firewall
!!!note
Replace `example.com` with your root domain
## 4. Configure DNS and firewall
You will need to add DNS entries so that the three subdomains resolve to the IP of the docker host. There is a reverse proxy running that will route the hostnames to the correct container. On the host, you will need to ensure the firewall is open on tcp ports 80, 443 and 4222.
## Setting up the environment
## 5. Setting up the environment
Get the docker-compose and .env.example file on the host you which to install on
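Review bot: the certbot command passes the wildcard unquoted (`-d *.example.com`); the shell can glob-expand `*` against files in the current directory, so it should read `-d '*.example.com'`. Typos in the same hunk: "accesing" (accessing), "doamin" (domain), "propogate" (propagate), and "you which to install on" (wish). The "## 1. Install Docker" section body is only the line "Install docker", with the old "Install Certbot" line still under it, so that section needs its actual steps or a link before this is more than a stub. The warning that a self-signed fallback certificate breaks most agent functions is worth keeping at the top as it is.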
@ -33,9 +68,9 @@ mv .env.example .env
Change the values in .env to match your environment.
If you are supplying certificates through Let's Encrypt or another source, see the section below about base64 encoding the certificate files.
When supplying certificates through Let's Encrypt, see the section below about base64 encoding the certificate files.
## Base64 encoding certificates to pass as env variables
### A. Base64 encoding certificates to pass as env variables
Use the below command to add the the correct values to the .env.
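Review bot: "add the the correct values" has a doubled "the". The removed sentence covered certificates from Let's Encrypt "or another source" while the replacement mentions only Let's Encrypt; since this PR also adds a "Using your own certs with Docker" section elsewhere, consider linking to it here so readers with their own certificates still find the base64 step.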
@ -54,7 +89,7 @@ echo "CERT_PUB_KEY=$(sudo base64 -w 0 /path/to/pub/key)" >> .env
echo "CERT_PRIV_KEY=$(sudo base64 -w 0 /path/to/priv/key)" >> .env
```
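Review bot: the context line appends the base64-encoded TLS private key to `.env` with `>>`; the guide should tell readers to restrict that file (e.g. `chmod 600 .env`) and keep it out of version control, because anyone who can read `.env` now holds the private key. Note also that `sudo` applies only to reading the key path, so the resulting `.env` is owned by the invoking user, not root.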
## Starting the environment
## 6. Starting the environment
Run the below command to start the environment.
@ -64,7 +99,7 @@ sudo docker-compose up -d
Removing the -d will start the containers in the foreground and is useful for debugging.
## Get MeshCentral EXE download link
## 7. Get MeshCentral EXE download link
Run the below command to get the download link for the mesh central exe. This needs to be uploaded on first successful signin.
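Review bot: "mesh central exe" should be "MeshCentral exe" to match the heading, and "signin" reads better as "sign-in".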
@ -72,6 +107,16 @@ Run the below command to get the download link for the mesh central exe. This ne
sudo docker-compose exec tactical-backend python manage.py get_mesh_exe_url
```
## Backups
Download the mesh agent:
![meshagentdl](images/meshagentdl.png)
Navigate to `https://rmm.example.com` and login with the username/password you created during install.
Once logged in, you will be redirected to the initial setup page.
Create your first client/site, choose the default timezone and then upload the mesh agent you just downloaded.
## Note about Backups
The backup script **does not** work with docker. To backup your install use [standard docker backup/restore](https://docs.docker.com/desktop/backup-and-restore/) processes.
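Review bot: the backup link points at the Docker Desktop documentation (`docs.docker.com/desktop/backup-and-restore/`), but this guide deploys with docker-compose on a server; readers need guidance on backing up the compose volumes instead, so either change the link or state which volumes hold the data. Also "login with the username/password you created during install" should link to the step where those credentials are set, since none is shown in the Docker guide as diffed here.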

@ -131,7 +131,7 @@ Answer the initial questions when prompted. Replace `example.com` with your doma
![questions](images/install_questions.png)
### Deploy the TXT record in your DNS manager
### Deploy the TXT record in your DNS manager for Lets Encrypt wildcard certs
!!!warning
TXT records can take anywhere from 1 minute to a few hours to propogate depending on your DNS provider.<br/>
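Review bot: the new heading writes "Lets Encrypt"; the rest of the docs use "Let's Encrypt". The context line also carries "propogate" (propagate).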
@ -149,6 +149,8 @@ Create a login for the RMM web UI:
A bunch of URLS / usernames / passwords will be printed out at the end of the install script. **Save these somewhere safe.** [Recover them if you didn't](faq.md#how-do-i-recover-my-meshcentral-login-credentials)
### Upload mesh agents
Copy the url for the meshagent exe (`https://mesh.example.com/agentinvite?c=......`), paste it in your browser and download the mesh agent:
![meshagentdl](images/meshagentdl.png)
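Review bot: the `agentinvite?c=......` URL carries a code in its query string; since the line above already says to save the printed credentials somewhere safe, it would help to say whether this URL should be treated the same way.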
@ -181,6 +183,9 @@ Login to your router/NAT device.
1. Set your TRMM server as a static IP (Use a DHCP reservation is usually safer)
2. Create 2 port forwarding rules. `TCP Port 443` and `TCP Port 4222` to your TRMM servers private IP address.
!!!note
<https://portforward.com/> can help with Port Forwarding setup
### You're Done
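Review bot: step 1 reads "(Use a DHCP reservation is usually safer)"; suggest "(using a DHCP reservation is usually safer)". Step 2 needs "TRMM server's private IP address".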

@ -26,7 +26,7 @@ ping mesh.example.com
The IP address for all 3 should reflect your Tactical RMM server
## Problems after new install
## Problems after new server install
In the very unlikely event you have issues after install please wipe the box and install again (following all the steps including downloading the install script but not running it) use the following command which will log the install progress and if you continue to have issues will assist with support of the installation.
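Review bot: the sentence under "Problems after new server install" is a run-on that mixes the wipe-and-reinstall advice with the logging command; suggest splitting it: "...wipe the box and install again, following all the steps including downloading the install script but not running it. Then use the following command, which logs the install progress; if you continue to have issues, the log will assist with support."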
@ -47,9 +47,9 @@ If you see an error about SSL or certificate expired, then your Let's Encrypt ce
Refer to the Let's Encrypt cert renewal instructions [here](update_server.md#keeping-your-lets-encrypt-certificate-up-to-date)
## Agents not updating
## Agents not installing or updating
The most common problem we've seen of agents not updating is due to Antivirus blocking the updater executable.
The most common problem we've seen of agents not installing or updating is due to Antivirus blocking the updater executable.
Windows Defender will 100% of the time block the updater from running unless an exclusion is set.
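Review bot: "problem we've seen of agents not installing or updating" reads better as "problem we've seen with agents not installing or updating". The Defender line should also say which executable or path to exclude so the advice is actionable.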

@ -539,3 +539,9 @@ done
###Renew certs can be done by sudo letsencrypt renew (this should automatically be in /etc/cron.d/certbot)
```
### Using your own certs with Docker
Let's Encrypt is the only officially supported method of obtaining wildcard certificates. Publicly signed certificates should work but have not been fully tested.
If you are providing your own publicly signed certificates, ensure you download the **full chain** (combined CA/Root + Intermediary) certificate in pem format. If certificates are not provided, a self-signed certificate will be generated and most agent functions won't work.
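Review bot: "Intermediary" should be "Intermediate" (the usual term for the chain certificate). It would also help to state that this full-chain PEM is the file supplied as `CERT_PUB_KEY` in the Docker `.env` step, so the two sections connect.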

@ -0,0 +1,27 @@
<#
.SYNOPSIS
Enables Bitlocker
.DESCRIPTION
Enables bitlocker, and shows recovery keys
.OUTPUTS
Results are printed to the console.
.NOTES
Change Log
V1.0 Initial release from dinger1986 https://discord.com/channels/736478043522072608/744281869499105290/836871708790882384
#>
If(!(test-path C:\TEMP\))
{
New-Item -ItemType Directory -Force -Path C:\TEMP\
}
Enable-Bitlocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
manage-bde -protectors C: -get
$bitlockerkey = manage-bde -protectors C: -get
(
echo $bitlockerkey
)>"C:\Temp\bitlockerkey.txt"
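Review bot: the script writes the BitLocker recovery password in plaintext to `C:\Temp\bitlockerkey.txt` on the very volume it just encrypted, where any local user who can read that folder can obtain it, and nothing removes the file afterwards. The header says results are printed to the console, which the first `manage-bde -protectors C: -get` already does, so the second call and the `(echo $bitlockerkey) > file` redirection are redundant. Suggest dropping the file write and, if the key must be retained, escrowing the protector (e.g. `Backup-BitLockerKeyProtector` to AD) or returning it only through the RMM output, then deleting any local copy.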