Hello again,

Regarding the SSH keys mentioned in point 2 (Pre-configured Admin Account), I came across some information in the documentation: Building Users and Groups. However, I must admit that I'm having difficulty understanding the implementation process. Additionally, I'm unsure how to integrate YubiKey support.

My idea is to help the non-profit organization I work for to transition away from Microsoft Intune. I believe I can effectively manage all the older workstations (those not ready for Windows 11) using Universal Blue Aurora. At this stage, it's still just an idea, but I'm eager to explore its potential. :)
-
Hi! Thanks for your interest. In the end, as I like to say, 95% of Linux system configuration can be done by writing a file, or running a command that writes a file. As you might notice, bootc is a relatively low-level tool, and does not try to implement higher-level Linux systems management itself. The general approach is: write a configuration (usually files) to achieve these config items, and then embed the result into your container.
Digging into just this one, it of course highly depends on which specific VPN software you're talking about, and also how it's run. But take e.g. NetworkManager-openvpn - all you'd need to do is drop the relevant config files in
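The "write files, then embed them in the container" approach from the reply above, applied to the pre-configured admin SSH key from the original question. This is an added example, not code from the thread or from the bootc project. The base image reference, the `/usr/ssh` directory, the drop-in file name and the key are placeholders, and the base image is assumed to ship openssh-server with a main `sshd_config` that includes `/etc/ssh/sshd_config.d/*.conf`.

```dockerfile
# Added example: bake an admin SSH public key into a derived bootc image
# purely by writing files at build time.
# Assumption: BASE_IMAGE is a placeholder for your organization's bootc base.
ARG BASE_IMAGE=registry.example.org/org/bootc-base:latest
FROM ${BASE_IMAGE}

# 1. sshd drop-in: check an image-owned key directory first, then fall back
#    to the per-user file in the home directory. sshd uses the first value
#    it reads for each option, so this drop-in must be read before any
#    other AuthorizedKeysFile line. Root may log in with a key only.
RUN mkdir -p /usr/ssh /etc/ssh/sshd_config.d && \
    printf '%s\n' \
      'AuthorizedKeysFile /usr/ssh/%u.keys .ssh/authorized_keys' \
      'PermitRootLogin prohibit-password' \
      > /etc/ssh/sshd_config.d/30-image-keys.conf

# 2. Public key for the admin account (root in this example).
#    Constructed placeholder: replace with the real PUBLIC key. Never put
#    a private key in the image; anyone who can pull it can read this file.
RUN printf '%s\n' \
      'ssh-ed25519 AAAA_PLACEHOLDER_PUBLIC_KEY admin@example.org' \
      > /usr/ssh/root.keys && \
    chown root:root /usr/ssh/root.keys && \
    chmod 0644 /usr/ssh/root.keys

# 3. Start sshd on boot. Enabling a unit at build time only creates
#    symlinks, which is again "a command that writes a file".
RUN systemctl enable sshd.service
```

Because the key lives under `/usr`, which is read-only on a booted bootc system, rotating or revoking it means shipping a new image rather than editing the host.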
-
Hi people.
The idea is for each organization to create its own image, allowing them to distribute their required software and customize the following settings:
YubiKey Configuration for LUKS Encryption:
Is it possible to preconfigure YubiKeys for unlocking LUKS encryption for all employees or just for admins?
Pre-configured Admin Account:
The image should also include a pre-configured admin account with a public key for SSH or YubiKey login.
Domain Login Configuration:
Can we configure the image to allow domain login (LDAP or Microsoft Entra) with the necessary trust relationship settings?
Automatic SSH Tunnel Configuration:
Is it feasible to set up an automatically opening SSH tunnel (upon network change) to an organizational server, enabling admins to manage devices via Cockpit through this tunnel? The public key of the organizational server would be embedded in the image.
Additional: VPN Pre-Configuration:
Could we pre-configure a VPN connection that users can start with their username and password?
Additionally, I would like to note that Cockpit already supports remote management (see Issue).
Does this functionality already exist, and do you think these configurations are possible and practical? What do you think? I am a newbie and your insights would be greatly appreciated.
Thank you!