monoadmin/remotelink-docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add open enrollment + update Windows installer

Browse Source 
Open enrollment (OPEN_ENROLLMENT=true in .env):
- Agents can register with just --server <url>, no token needed
- Machines assigned to OPEN_ENROLLMENT_USER_EMAIL, first admin, or first user
- Falls back gracefully if env var not set
- agent.py register() now takes optional token; --server alone triggers registration

Agent CLI changes:
- --server without --enroll triggers open enrollment registration on first run
- --enroll still works for token-based or re-enrollment
- Error message updated to reflect new syntax

NSIS installer changes:
- Interactive mode: custom page prompts for server URL + optional token
- Silent mode: /SERVER= alone works with open enrollment, /ENROLL= still supported
- Cleans up config on uninstall

agent.spec: add pyperclip, base64, struct, uuid to hidden imports

docker-compose + .env: OPEN_ENROLLMENT and OPEN_ENROLLMENT_USER_EMAIL vars

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
monoadmin
2026-04-11 00:02:05 -07:00
parent 61edbf59bf
commit dcf88c7863
6 changed files with 168 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
agent/agent.py
View File

@@ -112,24 +112,26 @@ def save_config(data: dict):
# ── Registration ──────────────────────────────────────────────────────────────
async def register(server_url: str, enrollment_token: str) -> dict:
"""Self-register with the server using an enrollment token."""
async def register(server_url: str, enrollment_token: Optional[str] = None) -> dict:
"""Self-register with the server. Token is optional when open enrollment is enabled."""
hostname = platform.node()
os_name = platform.system()
os_version = platform.version()
payload: dict = {
"name": hostname,
"hostname": hostname,
"os": os_name,
"osVersion": os_version,
"agentVersion": AGENT_VERSION,
"macAddress": get_mac_address(),
}
if enrollment_token:
payload["enrollmentToken"] = enrollment_token
url = f"{server_url.rstrip('/')}/api/agent/register"
async with httpx.AsyncClient(timeout=30) as client:
resp = await client.post(url, json={
"enrollmentToken": enrollment_token,
"name": hostname,
"hostname": hostname,
"os": os_name,
"osVersion": os_version,
"agentVersion": AGENT_VERSION,
"ipAddress": None,
"macAddress": get_mac_address(),
})
resp = await client.post(url, json=payload)
if resp.status_code != 200:
raise RuntimeError(f"Registration failed: {resp.status_code} {resp.text}")
data = resp.json()
@@ -815,11 +817,25 @@ async def main():
config = load_config()
# ── First-time registration ──────────────────────────────────────────────
if args.enroll:
if args.server and not config:
# Register with enrollment token (if provided) or open enrollment
log.info(f"Registering with server {args.server}")
reg = await register(args.server, args.enroll or None)
relay_url = args.relay or _default_relay_url(args.server)
config = {
"server_url": args.server,
"relay_url": relay_url,
"machine_id": reg["machineId"],
"access_key": reg["accessKey"],
}
if not args.run_once:
save_config(config)
elif args.enroll:
# Re-enroll existing machine with a new token (replaces config)
if not args.server:
log.error("--server is required with --enroll")
sys.exit(1)
log.info(f"Enrolling with server {args.server}")
log.info(f"Re-enrolling with server {args.server}")
reg = await register(args.server, args.enroll)
relay_url = args.relay or _default_relay_url(args.server)
config = {
@@ -830,11 +846,10 @@ async def main():
}
if not args.run_once:
save_config(config)
elif not config:
log.error(
f"No config found at {CONFIG_FILE}.\n"
"Run with --server <url> --enroll <token> to register this machine."
"Run with --server <url> to register (or --server <url> --enroll <token> if enrollment tokens are required)."
)
sys.exit(1)

4
agent/agent.spec
View File

@@ -34,12 +34,16 @@ a = Analysis(
'websockets.legacy.client',
'httpx',
'httpcore',
'pyperclip',
'asyncio',
'json',
'logging',
'platform',
'subprocess',
'signal',
'base64',
'struct',
'uuid',
],
hookspath=[],
runtime_hooks=[],

93
agent/installer.nsi
View File

@@ -1,21 +1,26 @@
; RemoteLink Agent NSIS Installer
; Requires: NSIS 3.x, the dist/ folder from PyInstaller build
;
; Build: makensis installer.nsi
; Silent install: RemoteLink-Setup.exe /S
; Silent install + enroll: RemoteLink-Setup.exe /S /SERVER=https://myserver.com /ENROLL=mytoken
; Build: makensis installer.nsi
;
; Silent install (open enrollment — no token):
; RemoteLink-Setup.exe /S /SERVER=https://myserver.com
;
; Silent install with enrollment token:
; RemoteLink-Setup.exe /S /SERVER=https://myserver.com /ENROLL=mytoken
;
; Interactive install:
; RemoteLink-Setup.exe
!define APP_NAME "RemoteLink Agent"
!define APP_VERSION "1.0.0"
!define APP_PUBLISHER "RemoteLink"
!define APP_URL "https://remotelink.example.com"
!define INSTALL_DIR "$PROGRAMFILES64\RemoteLink"
!define SERVICE_EXE "remotelink-agent-service.exe"
!define AGENT_EXE "remotelink-agent.exe"
!define REG_KEY "Software\RemoteLink\Agent"
!define UNINSTALL_KEY "Software\Microsoft\Windows\CurrentVersion\Uninstall\RemoteLinkAgent"
; Installer settings
Name "${APP_NAME} ${APP_VERSION}"
OutFile "RemoteLink-Setup.exe"
InstallDir "${INSTALL_DIR}"
@@ -23,20 +28,22 @@ InstallDirRegKey HKLM "${REG_KEY}" "InstallDir"
RequestExecutionLevel admin
SetCompressor /SOLID lzma
; Command-line parameters
Var ServerURL
Var EnrollToken
; Modern UI
!include "MUI2.nsh"
!include "LogicLib.nsh"
!include "nsProcess.nsh"
!define MUI_ABORTWARNING
!define MUI_ICON "assets\icon.ico"
!define MUI_UNICON "assets\icon.ico"
; Pages shown in interactive mode
!insertmacro MUI_PAGE_WELCOME
; Custom server URL page (interactive only)
Page custom ServerURLPage ServerURLPageLeave
!insertmacro MUI_PAGE_DIRECTORY
!insertmacro MUI_PAGE_INSTFILES
!insertmacro MUI_PAGE_FINISH
@@ -46,15 +53,48 @@ Var EnrollToken
!insertmacro MUI_LANGUAGE "English"
; ── Functions ─────────────────────────────────────────────────────────────────
; ── Custom server URL page ────────────────────────────────────────────────────
Var hServerEdit
Var hTokenEdit
Function ServerURLPage
IfSilent skip_page ; skip in silent/mass-deploy mode
nsDialogs::Create 1018
Pop $0
${NSD_CreateLabel} 0 0 100% 20u "Server URL (e.g. https://remotelink.example.com):"
${NSD_CreateText} 0 22u 100% 14u "$ServerURL"
Pop $hServerEdit
${NSD_CreateLabel} 0 44u 100% 20u "Enrollment Token (leave blank if open enrollment is enabled):"
${NSD_CreateText} 0 66u 100% 14u "$EnrollToken"
Pop $hTokenEdit
nsDialogs::Show
skip_page:
FunctionEnd
Function ServerURLPageLeave
IfSilent skip
${NSD_GetText} $hServerEdit $ServerURL
${NSD_GetText} $hTokenEdit $EnrollToken
${If} $ServerURL == ""
MessageBox MB_OK|MB_ICONEXCLAMATION "Server URL is required."
Abort
${EndIf}
skip:
FunctionEnd
; ── Init: parse command-line ──────────────────────────────────────────────────
Function .onInit
; Parse command-line switches /SERVER= and /ENROLL=
${GetParameters} $R0
ClearErrors
${GetOptions} $R0 "/SERVER=" $ServerURL
ClearErrors
${GetOptions} $R0 "/ENROLL=" $EnrollToken
; Silent mode: skip UI if /S passed
IfSilent 0 +2
SetSilent silent
FunctionEnd
@@ -64,32 +104,39 @@ FunctionEnd
Section "Install" SEC_MAIN
SetOutPath "${INSTALL_DIR}"
; Stop existing service if running
; Stop and remove existing service
nsExec::ExecToLog '"${INSTALL_DIR}\${SERVICE_EXE}" stop'
nsExec::ExecToLog '"${INSTALL_DIR}\${SERVICE_EXE}" remove'
Sleep 1000
; Copy files from PyInstaller dist/
; Copy binaries
File "dist\remotelink-agent.exe"
File "dist\remotelink-agent-service.exe"
; Write registry
; Registry
WriteRegStr HKLM "${REG_KEY}" "InstallDir" "${INSTALL_DIR}"
WriteRegStr HKLM "${REG_KEY}" "Version" "${APP_VERSION}"
; Run enrollment if tokens were provided (silent mass-deploy)
${If} $ServerURL != ""
${AndIf} $EnrollToken != ""
DetailPrint "Enrolling with server $ServerURL…"
nsExec::ExecToLog '"${INSTALL_DIR}\${AGENT_EXE}" --server "$ServerURL" --enroll "$EnrollToken"'
WriteRegStr HKLM "${REG_KEY}" "ServerURL" "$ServerURL"
${EndIf}
; Install + start Windows service
; Enroll with server
${If} $ServerURL != ""
${If} $EnrollToken != ""
DetailPrint "Enrolling with token…"
nsExec::ExecToLog '"${INSTALL_DIR}\${AGENT_EXE}" --server "$ServerURL" --enroll "$EnrollToken"'
${Else}
DetailPrint "Registering (open enrollment)…"
nsExec::ExecToLog '"${INSTALL_DIR}\${AGENT_EXE}" --server "$ServerURL"'
${EndIf}
${EndIf}
; Install and start service
DetailPrint "Installing Windows service…"
nsExec::ExecToLog '"${INSTALL_DIR}\${SERVICE_EXE}" install'
nsExec::ExecToLog '"${INSTALL_DIR}\${SERVICE_EXE}" start'
; Create uninstaller
; Uninstaller
WriteUninstaller "${INSTALL_DIR}\Uninstall.exe"
WriteRegStr HKLM "${UNINSTALL_KEY}" "DisplayName" "${APP_NAME}"
WriteRegStr HKLM "${UNINSTALL_KEY}" "UninstallString" "${INSTALL_DIR}\Uninstall.exe"
@@ -108,9 +155,13 @@ Section "Uninstall"
Delete "${INSTALL_DIR}\remotelink-agent.exe"
Delete "${INSTALL_DIR}\remotelink-agent-service.exe"
Delete "${INSTALL_DIR}\agent.json"
Delete "${INSTALL_DIR}\Uninstall.exe"
RMDir "${INSTALL_DIR}"
; Delete config
RMDir /r "$APPDATA\RemoteLink"
DeleteRegKey HKLM "${REG_KEY}"
DeleteRegKey HKLM "${UNINSTALL_KEY}"
SectionEnd

115
app/api/agent/register/route.ts
View File

@@ -1,21 +1,20 @@
import { db } from '@/lib/db'
import { machines, enrollmentTokens } from '@/lib/db/schema'
import { eq, and, isNull, or, gt } from 'drizzle-orm'
import { machines, enrollmentTokens, users } from '@/lib/db/schema'
import { eq, asc } from 'drizzle-orm'
import { NextRequest, NextResponse } from 'next/server'
import { randomBytes } from 'crypto'
// POST /api/agent/register
// Two modes:
// 1. First-time: { enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress }
// → creates machine, returns { machineId, accessKey }
// 2. Re-register: { accessKey, name, hostname, os, osVersion, agentVersion, ipAddress }
// → updates existing machine, returns { machineId }
// Three modes:
// 1. Re-register (existing agent): { accessKey, ... } → updates machine
// 2. Enrollment token: { enrollmentToken, ... } → creates machine owned by token creator
// 3. Open enrollment (no token): { name, ... } → creates machine, OPEN_ENROLLMENT must be true
export async function POST(request: NextRequest) {
try {
const body = await request.json()
const { accessKey, enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress } = body
const { accessKey, enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress, macAddress } = body
// ── Mode 2: existing agent re-registering ─────────────────────────────────
// ── Mode 1: existing agent re-registering ─────────────────────────────────
if (accessKey) {
const result = await db
.select()
@@ -37,6 +36,7 @@ export async function POST(request: NextRequest) {
osVersion: osVersion || machine.osVersion,
agentVersion: agentVersion || machine.agentVersion,
ipAddress: ipAddress || machine.ipAddress,
macAddress: macAddress || machine.macAddress,
isOnline: true,
lastSeen: new Date(),
updatedAt: new Date(),
@@ -46,66 +46,67 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ machineId: machine.id })
}
// ── Mode 1: first-time registration with enrollment token ─────────────────
if (!enrollmentToken) {
if (!name) {
return NextResponse.json({ error: 'name is required' }, { status: 400 })
}
const newAccessKey = randomBytes(32).toString('hex')
// ── Mode 2: enrollment token ───────────────────────────────────────────────
if (enrollmentToken) {
const tokenResult = await db
.select()
.from(enrollmentTokens)
.where(eq(enrollmentTokens.token, enrollmentToken))
.limit(1)
const token = tokenResult[0]
if (!token) return NextResponse.json({ error: 'Invalid enrollment token' }, { status: 401 })
if (token.revokedAt) return NextResponse.json({ error: 'Enrollment token revoked' }, { status: 401 })
if (token.expiresAt && token.expiresAt < new Date()) return NextResponse.json({ error: 'Enrollment token expired' }, { status: 401 })
if (token.maxUses !== null && token.usedCount >= token.maxUses) return NextResponse.json({ error: 'Enrollment token use limit reached' }, { status: 401 })
const newMachine = await db
.insert(machines)
.values({ userId: token.createdBy!, name, hostname, os, osVersion, agentVersion, ipAddress, macAddress, accessKey: newAccessKey, isOnline: true, lastSeen: new Date() })
.returning({ id: machines.id })
await db.update(enrollmentTokens).set({ usedCount: token.usedCount + 1 }).where(eq(enrollmentTokens.id, token.id))
return NextResponse.json({ machineId: newMachine[0].id, accessKey: newAccessKey })
}
// ── Mode 3: open enrollment (no token required) ────────────────────────────
const openEnrollment = process.env.OPEN_ENROLLMENT === 'true'
if (!openEnrollment) {
return NextResponse.json({ error: 'accessKey or enrollmentToken required' }, { status: 400 })
}
const tokenResult = await db
.select()
.from(enrollmentTokens)
.where(eq(enrollmentTokens.token, enrollmentToken))
.limit(1)
const token = tokenResult[0]
if (!token) {
return NextResponse.json({ error: 'Invalid enrollment token' }, { status: 401 })
// Find the owner: OPEN_ENROLLMENT_USER_EMAIL env var, or first admin, or first user
let ownerId: string | null = null
const ownerEmail = process.env.OPEN_ENROLLMENT_USER_EMAIL
if (ownerEmail) {
const ownerResult = await db.select({ id: users.id }).from(users).where(eq(users.email, ownerEmail)).limit(1)
ownerId = ownerResult[0]?.id ?? null
}
// Check revoked
if (token.revokedAt) {
return NextResponse.json({ error: 'Enrollment token has been revoked' }, { status: 401 })
if (!ownerId) {
// Fall back to first admin, then first user
const adminResult = await db.select({ id: users.id }).from(users).where(eq(users.role, 'admin')).orderBy(asc(users.createdAt)).limit(1)
ownerId = adminResult[0]?.id ?? null
}
// Check expiry
if (token.expiresAt && token.expiresAt < new Date()) {
return NextResponse.json({ error: 'Enrollment token has expired' }, { status: 401 })
if (!ownerId) {
const anyUser = await db.select({ id: users.id }).from(users).orderBy(asc(users.createdAt)).limit(1)
ownerId = anyUser[0]?.id ?? null
}
// Check max uses
if (token.maxUses !== null && token.usedCount >= token.maxUses) {
return NextResponse.json({ error: 'Enrollment token has reached its use limit' }, { status: 401 })
if (!ownerId) {
return NextResponse.json({ error: 'No users exist on the server yet. Create an account first.' }, { status: 503 })
}
if (!name) {
return NextResponse.json({ error: 'name is required for first-time registration' }, { status: 400 })
}
// Generate a secure access key for this machine
const newAccessKey = randomBytes(32).toString('hex')
const newMachine = await db
.insert(machines)
.values({
userId: token.createdBy!,
name,
hostname,
os,
osVersion,
agentVersion,
ipAddress,
accessKey: newAccessKey,
isOnline: true,
lastSeen: new Date(),
})
.values({ userId: ownerId, name, hostname, os, osVersion, agentVersion, ipAddress, macAddress, accessKey: newAccessKey, isOnline: true, lastSeen: new Date() })
.returning({ id: machines.id })
// Increment use count
await db
.update(enrollmentTokens)
.set({ usedCount: token.usedCount + 1 })
.where(eq(enrollmentTokens.id, token.id))
return NextResponse.json({ machineId: newMachine[0].id, accessKey: newAccessKey })
} catch (error) {
console.error('[Agent Register] Error:', error)

2
docker-compose.yml
View File

@@ -37,6 +37,8 @@ services:
AUTH_SECRET: ${AUTH_SECRET}
NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL:-http://localhost:3000}
NEXT_PUBLIC_RELAY_URL: ${NEXT_PUBLIC_RELAY_URL:-localhost:8765}
OPEN_ENROLLMENT: ${OPEN_ENROLLMENT:-false}
OPEN_ENROLLMENT_USER_EMAIL: ${OPEN_ENROLLMENT_USER_EMAIL:-}
env_file:
- .env
depends_on:

2
tsconfig.tsbuildinfo
View File

File diff suppressed because one or more lines are too long