Update KasmVNC user group and config settings

- Use `usermod` to add user to ssl-cert group for compatibility.
- Simplify KasmVNC config with protocol and SSL parameters.
- Ensure UDP communication is confined to localhost for security.

kasmvnc/README.md

@@ -14,10 +14,29 @@ Automatically install [KasmVNC](https://kasmweb.com/kasmvnc) in a workspace, and
 ```tf
 module "kasmvnc" {
   source              = "registry.coder.com/modules/kasmvnc/coder"
-  version             = "1.0.22"
+  version             = "1.0.23"
   agent_id            = coder_agent.example.id
   desktop_environment = "xfce"
 }
 ```
 
 > **Note:** This module only works on workspaces with a pre-installed desktop environment. As an example base image you can use `codercom/enterprise-desktop` image.
+
+> **Note:** You can also use the kasmtech [custom images](https://kasmweb.com/docs/latest/guide/custom_images.html) by extending them as following:
+
+```Dockerfile
+FROM kasmweb/postman:1.16.0
+ARG USER=kasm-user
+USER root
+# Overwrite the existing config file to disable ssl
+RUN cat <<EOF > /etc/kasmvnc/kasmvnc.yaml
+network:
+  protocol: http
+  ssl:
+    require_ssl: false
+  udp:
+    public_ip: 127.0.0.1
+EOF
+RUN addgroup $USER ssl-cert
+USER $USER
+```

kasmvnc/run.sh

@@ -5,7 +5,7 @@
 # Function to check if vncserver is already installed
 check_installed() {
   if command -v vncserver &> /dev/null; then
-    echo "vncserver is already installed."
+    echo "A binary with name vncserver already installed."
     return 0 # Don't exit, just indicate it's installed
   else
     return 1 # Indicates not installed
@@ -34,7 +34,7 @@ install_deb() {
   download_file $url /tmp/kasmvncserver.deb
   sudo apt-get update
   DEBIAN_FRONTEND=noninteractive sudo apt-get install --yes -qq --no-install-recommends --no-install-suggests /tmp/kasmvncserver.deb
-  sudo adduser $USER ssl-cert
+  sudo usermod -aG ssl-cert $USER
   rm /tmp/kasmvncserver.deb
 }
 
@@ -75,35 +75,35 @@ install_alpine() {
   rm /tmp/kasmvncserver.tgz
 }
 
-# Detect system information
-distro=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}')
-version=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
-arch=$(uname -m)
+# Check if vncserver is installed, and install if not
+if ! check_installed; then
+  # Detect system information
+  distro=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}')
+  version=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+  arch=$(uname -m)
 
-echo "Detected Distribution: $distro"
-echo "Detected Version: $version"
-echo "Detected Architecture: $arch"
+  echo "Detected Distribution: $distro"
+  echo "Detected Version: $version"
+  echo "Detected Architecture: $arch"
 
-# Map arch to package arch
-if [[ "$arch" == "x86_64" ]]; then
-  if [[ "$distro" == "ubuntu" || "$distro" == "debian" || "$distro" == "kali" ]]; then
-    arch="amd64"
+  # Map arch to package arch
+  if [[ "$arch" == "x86_64" ]]; then
+    if [[ "$distro" == "ubuntu" || "$distro" == "debian" || "$distro" == "kali" ]]; then
+      arch="amd64"
+    else
+      arch="x86_64"
+    fi
+  elif [[ "$arch" == "aarch64" || "$arch" == "arm64" ]]; then
+    if [[ "$distro" == "ubuntu" || "$distro" == "debian" || "$distro" == "kali" ]]; then
+      arch="arm64"
+    else
+      arch="aarch64"
+    fi
   else
-    arch="x86_64"
-  fi
-elif [[ "$arch" == "aarch64" || "$arch" == "arm64" ]]; then
-  if [[ "$distro" == "ubuntu" || "$distro" == "debian" || "$distro" == "kali" ]]; then
-    arch="arm64"
-  else
-    arch="aarch64"
+    echo "Unsupported architecture: $arch"
+    exit 1
   fi
-else
-  echo "Unsupported architecture: $arch"
-  exit 1
-fi
 
-# Check if vncserver is installed, and install if not
-if ! check_installed; then
   echo "Installing KASM version: ${VERSION}"
   case $distro in
     ubuntu | debian | kali)
@@ -155,10 +155,12 @@ if ! check_installed; then
       ;;
   esac
 else
-  echo "vncserver already installed. Skipping installation."
+  echo "Skipping installation."
 fi
 
-# Coder port-forwarding from dashboard only supports HTTP
+# Try to create /etc/kasmvnc/kasmvnc.yaml system-wide
+# we don't fail as some images might be missing sudo permissions
+sudo mkdir -p /etc/kasmvnc || true
 sudo bash -c "cat > /etc/kasmvnc/kasmvnc.yaml <<EOF
 network:
   protocol: http
@@ -167,7 +169,22 @@ network:
     require_ssl: false
   udp:
     public_ip: 127.0.0.1
-EOF"
+EOF" || true
+
+
+# There could already be a config file in the image at /etc/kasmvnc/kasmvnc.yaml, but we need to set the websocket port
+mkdir -p "$HOME/.vnc"
+cat > "$HOME/.vnc/kasmvnc.yaml" <<EOF
+network:
+  protocol: http
+  websocket_port: ${PORT}
+  ssl:
+    require_ssl: false
+    pem_certificate:
+    pem_key:
+  udp:
+    public_ip: 127.0.0.1
+EOF
 
 # This password is not used since we start the server without auth.
 # The server is protected via the Coder session token / tunnel
@@ -176,4 +193,4 @@ echo -e "password\npassword\n" | vncpasswd -wo -u $USER
 
 # Start the server
 printf "🚀 Starting KasmVNC server...\n"
-sudo -u $USER bash -c "vncserver -select-de ${DESKTOP_ENVIRONMENT} -disableBasicAuth" > /tmp/kasmvncserver.log 2>&1 &
+vncserver -select-de ${DESKTOP_ENVIRONMENT} -disableBasicAuth > /tmp/kasmvncserver.log 2>&1 &