Encrypted VNC traffic

roles/setup_node/templates/desktop.cfg.j2

@@ -77,6 +77,30 @@ write_files:
       sudo -H -u {{ username }} bash -c 'touch ~/.Xauthority'
       /usr/bin/cp /root/vncserver-config-mandatory /etc/tigervnc/vncserver-config-mandatory
       /usr/bin/cp /root/vncserver.users /etc/tigervnc/vncserver.users
+      # generate certificate
+      cat <<EOF > /tmp/san.cnf
+      [req]
+      default_bits  = 4096
+      distinguished_name = req_distinguished_name
+      req_extensions = req_ext
+      x509_extensions = v3_req
+      prompt = no
+      [req_distinguished_name]
+      countryName = AT
+      stateOrProvinceName = Vienna
+      localityName = OSSDIP
+      organizationName = TU Wien
+      commonName = $(/usr/bin/hostname -I | /usr/bin/awk '{print $2}')
+      [req_ext]
+      subjectAltName = @alt_names
+      [v3_req]
+      subjectAltName = @alt_names
+      [alt_names]
+      IP.1 = $(/usr/bin/hostname -I | /usr/bin/awk '{print $2}')
+      EOF
+      sudo -H -u {{ username }} bash -c "/usr/bin/openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:4096 -keyout ~/.vnc/x509.key -out ~/.vnc/x509.cr -config /tmp/san.cnf"
+      sudo -H -u {{ username }} bash -c "/usr/bin/cp ~/.vnc/x509.cr /tmp"
+      rm /tmp/san.cnf
       # fix the initial prompt to refresh repositories
       #/usr/bin/cp /root/repos.pkla /etc/polkit-1/localauthority/50-local.d/repos.pkla
       #/bin/systemctl restart polkit
@@ -107,7 +131,9 @@ write_files:
   - path: /root/vncserver-config-mandatory
     permissions: '0644'
     content: |
-      securitytypes=vncauth,tlsvnc
+      securitytypes=X509Vnc
+      x509key=/home/{{ username }}/.vnc/x509.key
+      x509cert=/home/{{ username }}/.vnc/x509.cr
       desktop=sandbox
       #screen=1920x1080
       #NoClipboard=1