Handle password securely, needs htpasswd to create user:password:

- Update tpotinit and entrypoint.sh to reflect this
- Update install.sh to reflect this
- Update .env / env.example to reflect this

Reorder recommended packages in T-Pot Playbook
Add packages to T-Pot Playbook to ensure manual deployment via Ansible will offer the same environment as manual local installation via install.sh and local Ansible deployment.

.env

@@ -1,11 +1,10 @@
 # T-Pot config file. Do not remove.
 
-# Set Web username and password here, only required for first run
-#  Removing the password after first run is recommended
-#  You can always add or remove users as you see fit using htpasswd:
-#  htpasswd -b -c /<data_folder>/nginx/conf/nginxpasswd <username> <password>
-WEB_USER='changeme'
-WEB_PW='changeme'
+# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
+#  Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
+#  Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
+#  Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
+WEB_USER='change:me'
 
 # T-Pot Blackhole
 #  ENABLED: T-Pot will download a db of known mass scanners and nullroute them

docker/tpotinit/dist/entrypoint.sh

@@ -34,9 +34,9 @@ if [ -f "/data/uuid" ];
     figlet "${VERSION}"
     echo
     echo "# Checking for default user."
-    if [ "${WEB_USER}" == "changeme" ] || [ "${WEB_PW}" == "changeme" ];
+    if [ "${WEB_USER}" == "change:me" ];
       then
-        echo "# Please change WEB_USER and WEB_PW in the hidden \".env\" file."
+        echo "# Please change WEB_USER in the hidden \".env\" file."
 	      echo "# Aborting."
       	echo
         exit 1
@@ -66,7 +66,7 @@ if [ -f "/data/uuid" ];
     echo
     echo "# Creating web user from tpot.env, make sure to erase the password from the .env ..."
     echo
-    htpasswd -b -c /data/nginx/conf/nginxpasswd "${WEB_USER}" "${WEB_PW}"
+    echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
     echo
     echo "# Extracting objects, final touches and permissions ..."
     echo

env.example

@@ -1,11 +1,10 @@
 # T-Pot config file. Do not remove.
 
-# Set Web username and password here, only required for first run
-#  Removing the password after first run is recommended
-#  You can always add or remove users as you see fit using htpasswd:
-#  htpasswd -b -c /<data_folder>/nginx/conf/nginxpasswd <username> <password>
-WEB_USER='changeme'
-WEB_PW='changeme'
+# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
+#  Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
+#  Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
+#  Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
+WEB_USER='change:me'
 
 # T-Pot Blackhole
 #  ENABLED: T-Pot will download a db of known mass scanners and nullroute them
@@ -32,9 +31,9 @@ TPOT_DOCKER_ENV=./.env
 TPOT_DOCKER_COMPOSE=./docker-compose.yml
 
 # T-Pot Repo
-#  Depending on where you are located you may choose between DockerHub and GHCR
-#  dtagdevsec: This will use the DockerHub image registry
-#  ghcr.io/telekom-security: This will use the GitHub container registry
+# Depending on where you are located you may choose between DockerHub and GHCR
+# dtagdevsec: This will use the DockerHub image registry
+# ghcr.io/telekom-security: This will use the GitHub container registry
 TPOT_REPO=dtagdevsec
 
 # T-Pot Version Tag

install.sh

@@ -3,10 +3,10 @@
 myINSTALL_NOTIFICATION="### Now installing required packages ..."
 myUSER=$(whoami)
 myTPOT_CONF_FILE="/home/${myUSER}/tpotce/.env"
-myPACKAGES_DEBIAN="ansible cracklib-runtime wget"
-myPACKAGES_FEDORA="ansible cracklib wget"
-myPACKAGES_ROCKY="ansible-core ansible-collection-redhat-rhel_mgmt cracklib wget"
-myPACKAGES_OPENSUSE="ansible cracklib wget"
+myPACKAGES_DEBIAN="ansible apache2-utils cracklib-runtime wget"
+myPACKAGES_FEDORA="ansible cracklib httpd-tools wget"
+myPACKAGES_ROCKY="ansible-core ansible-collection-redhat-rhel_mgmt cracklib httpd-tools wget"
+myPACKAGES_OPENSUSE="ansible apache2-utils cracklib wget"
 
 
 myINSTALLER=$(cat << "EOF"
@@ -74,7 +74,7 @@ case ${myCURRENT_DISTRIBUTION} in
         echo "### or press CTRL-C to manually install ‘sudo‘ and add your user to the sudoers."
         echo
         su -c "apt -y update && \
-               apt -y install sudo ${myPACKAGES_DEBIAN} && \
+               NEEDRESTART_SUSPEND=1 apt -y install sudo ${myPACKAGES_DEBIAN} && \
                /usr/sbin/usermod -aG sudo ${myUSER} && \
                echo '${myUSER} ALL=(ALL:ALL) ALL' | tee /etc/sudoers.d/${myUSER} >/dev/null && \
                chmod 440 /etc/sudoers.d/${myUSER}"
@@ -83,7 +83,7 @@ case ${myCURRENT_DISTRIBUTION} in
         echo
       else
         sudo apt update
-        sudo apt install -y ${myPACKAGES_DEBIAN}
+        sudo NEEDRESTART_SUSPEND=1 apt install -y ${myPACKAGES_DEBIAN}
     fi
     ;;
   "openSUSE Tumbleweed")
@@ -204,11 +204,10 @@ while [ "${myWEB_PW}" != "${myWEB_PW2}"  ] && [ "${mySECURE}" == "0" ]
 done
 
 # Write username and password to T-Pot config file
-echo "### Writing username and password to T-Pot config file: ${myTPOT_CONF_FILE}"
-echo "### You can empty the password <WEB_PW=''> after the first start of T-Pot."
+echo "### Creating htpasswd username and password for T-Pot config file: ${myTPOT_CONF_FILE}"
+myWEB_USER_ENC=$(htpasswd -b -n "${myWEB_USER}" "${myWEB_PW}")
 echo
-sed -i "/^WEB_USER=/s/.*/WEB_USER='${myWEB_USER}'/" ${myTPOT_CONF_FILE}
-sed -i "/^WEB_PW=/s/.*/WEB_PW='${myWEB_PW}'/" ${myTPOT_CONF_FILE}
+sed -i "s|^WEB_USER=.*|WEB_USER='${myWEB_USER_ENC}'|" ${myTPOT_CONF_FILE}
 
 # Pull docker images
 echo "### Now pulling images ..."

installer/install/tpot.yml

@@ -58,11 +58,11 @@
       tags:
         - "openSUSE Tumbleweed"
 
-################################
-# T-Pot - Abort if run as root #
-################################
+#####################################################################
+# T-Pot - Abort if run as tpot, root or on unsupported distribution #
+#####################################################################
 
-- name: T-Pot - Abort if run as root
+- name: T-Pot - Abort if run as tpot, root or on unsupported distribution
   hosts: all
   gather_facts: true
   become: false
@@ -117,14 +117,17 @@
     - name: Install recommended packages (Debian, Ubuntu)
       package:
         name:
+          - apache2-utils
           - bash-completion
           - ca-certificates
+          - cracklib-runtime
           - curl 
           - git
           - gnupg
           - grc
-          - vim
           - net-tools
+          - vim
+          - wget
         state: latest
         update_cache: yes
       when: ansible_distribution in ["Debian", "Ubuntu"]
@@ -147,12 +150,15 @@
         name:
           - bash-completion
           - ca-certificates
+          - cracklib
           - curl
           - dnf-plugins-core
           - git
           - grc
-          - vim
+          - httpd-tools
           - net-tools
+          - vim
+          - wget
         state: latest
         update_cache: yes
       when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
@@ -178,13 +184,16 @@
     - name: Install recommended packages (openSUSE Tumbleweed)
       package:
         name:
+          - apache2-utils
           - bash-completion
           - busybox-net-tools
           - ca-certificates
+          - cracklib
           - curl
           - git
           - grc
           - vim
+          - wget
         state: latest
         update_cache: yes
       when: ansible_distribution in ["openSUSE Tumbleweed"]