' +
'
Cliente
' +
row('Nome', d.cliente_name) + row('Nome completo', d.cliente_full) +
row('Dominio email', d.cliente_domain) + row('Tipo', d.cliente_type) +
+ (d.ai_context ? row('Contesto AI', d.ai_context.substring(0, 80) + (d.ai_context.length > 80 ? 'β¦' : '')) : '') +
'
Rete & SSL
' +
row('Hostname', d.domain) + row('Alias', d.aliases) +
- row('SSL', sslMode === 'letsencrypt' ? "Let's Encrypt" : 'Certificato manuale') +
+ row('SSL', sslLabel) +
'
SIEM
' +
row('OpenSearch URL', d.os_url) + row('Username', d.os_user) +
'
Utente admin
' +
diff --git a/setup_server.py b/setup_server.py
index 5859753..57dac97 100644
--- a/setup_server.py
+++ b/setup_server.py
@@ -177,9 +177,8 @@ def generate_argos_json(data):
"full_name": data.get("cliente_full", ""),
"domain": data.get("cliente_domain", ""),
"type": data.get("cliente_type", "enterprise"),
- "ai_context": "",
- "sharepoint_tenant": "",
- "console_url": ""
+ "ai_context": data.get("ai_context", ""),
+ "console_url": ""
},
"network": {
"hostname": hostname,
@@ -364,6 +363,19 @@ def install(data):
chown(CONFIG_DIR / "modules.json")
log("modules.json copiato")
+ # 5b. File .example aggiuntivi (config sezioni recenti)
+ # - automations.json: config feed TI sources + cron daemon TI
+ # - siem_integrations.json: catalogo SIEM Integration Builder
+ # - subnet_registry.json: mapping sede/reparto da subnet
+ for stem in ("automations", "siem_integrations", "subnet_registry"):
+ src = APP_DIR / f"config/{stem}.json.example"
+ dst = CONFIG_DIR / f"{stem}.json"
+ if src.exists() and not dst.exists():
+ shutil.copy(src, dst)
+ os.chmod(dst, 0o640)
+ chown(dst)
+ log(f"{stem}.json copiato da template")
+
# 6. Logo cliente
logo_src = SETUP_DIR / "logo_cliente.png"
if logo_src.exists():
@@ -413,6 +425,74 @@ def install(data):
ssl_crt = str(CERTS_DIR / "fullchain.pem")
ssl_key = str(CERTS_DIR / "privkey.pem")
log("Certificato SSL manuale copiato")
+ elif ssl_mode == "selfsigned":
+ # Cert autofirmato β utile per installazioni LAN/dev senza DNS
+ # pubblico. Validita' 10 anni, RSA 4096, SAN da hostname+alias.
+ log("Generazione certificato autofirmato (RSA 4096, validita' 10 anni)")
+ CERTS_DIR.mkdir(parents=True, exist_ok=True)
+ crt_path = CERTS_DIR / "fullchain.pem"
+ key_path = CERTS_DIR / "privkey.pem"
+ cnf_path = CERTS_DIR / "openssl-selfsigned.cnf"
+
+ # Build subjectAltName list: tutti i nomi DNS + IP server
+ san_dns = [n for n in all_names.split() if n]
+ try:
+ server_ip = subprocess.check_output(
+ ["hostname", "-I"], text=True
+ ).strip().split()[0]
+ except Exception:
+ server_ip = ""
+
+ san_lines = "\n".join(f"DNS.{i+1} = {n}" for i, n in enumerate(san_dns))
+ if server_ip:
+ san_lines += f"\nIP.1 = {server_ip}"
+
+ # Subject info: cliente_full come O, domain come CN
+ client_full = data.get("cliente_full") or data.get("cliente_name") or "ARGOS"
+ cn = domain or "argos.local"
+
+ cnf = f"""[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+distinguished_name = dn
+req_extensions = req_ext
+x509_extensions = v3_ext
+
+[dn]
+C = IT
+O = {client_full}
+OU = ARGOS SOC
+CN = {cn}
+
+[req_ext]
+subjectAltName = @alt_names
+
+[v3_ext]
+subjectAltName = @alt_names
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[alt_names]
+{san_lines}
+"""
+ cnf_path.write_text(cnf)
+ # Genero la chiave e il cert in un solo passo
+ run(
+ f"openssl req -x509 -nodes -days 3650 -newkey rsa:4096 "
+ f"-keyout {key_path} -out {crt_path} -config {cnf_path}"
+ )
+ os.chmod(key_path, 0o600)
+ os.chmod(crt_path, 0o644)
+ chown(key_path)
+ chown(crt_path)
+ ssl_crt = str(crt_path)
+ ssl_key = str(key_path)
+ log(f"Cert autofirmato generato (CN={cn}, SAN: {len(san_dns)} DNS"
+ f"{' + 1 IP' if server_ip else ''})")
+ log("β οΈ ATTENZIONE: i browser segnaleranno il cert come non attendibile.")
+ log(" Usare solo per LAN/test. Per produzione: Let's Encrypt o cert CA.")
else:
_write_nginx_http(all_names)
run("nginx -t && systemctl restart nginx")