Cockpit

Author: msaladna

docs/.vuepress/config.js

@@ -144,6 +144,7 @@ module.exports = {
 				"admin/Bootstrapper",
 				]
 			},
+			"admin/Cockpit",
 			{
 				title: "Migrations",
 				children: [

docs/DEBUGGING.md

@@ -71,6 +71,7 @@ All locations are within /var/log unless noted. siteXX is shorthand for /home/vi
 | Service                   | Location                   | Remarks                                                      |
 | ------------------------- | -------------------------- | ------------------------------------------------------------ |
 | Apache                    | httpd/error_log            | HTTP startup                                                 |
+| Apache per-site           | siteXX ... httpd/access_log | Per-site HTTP requests       
 | Apache per-site           | siteXX ... httpd/error_log | Per-site error logs, FPM connectivity                        |
 | PHP-FPM                   | siteXX ... php-fpm/POOL    | Per-site PHP errors, notices                                 |
 | HTTP malware | httpd/modsec_audit.log | See [malware scans](./admin/ModSecurity.md) |

docs/admin/Authentication.md

@@ -69,7 +69,7 @@ Changing a server secret will invalidate all saved passwords as well as invalida
 
 ## Multi-factor authentication
 
-See "[Restricting Authorization](../SECURITY.md#Restricting%20authorization)" in SECURITY.md.
+See "[Restricting Authorization](../SECURITY.md#totp)" in SECURITY.md.
 
 
 ## Session multipath

docs/admin/Cockpit.md

@@ -0,0 +1,30 @@
+---
+title: Cockpit
+---
+**New in 3.2.46**
+[Cockpit](https://cockpit-project.org/) is a standalone UI to facilitate system management on any Linux distro. ApisCP includes Cockpit integration on AlmaLinux/Rocky Linux 8+ installs.
+
+![Cockpit dashboard](./images/cockpit.png)
+
+## Enabling Cockpit
+
+[TOTP](../SECURITY.md#totp) is mandatory for this feature. A [Scope](Scopes.md) is provided to toggle within the `cockpit` namespace. SSO may be enabled with `cockpit.sso` Scope.
+
+Login when SSO is disabled utilizes the password for user `root`. When SSO is enabled, a limited role is created named `cockpit-user`. This user may only login from local sources and its password is the same password used to login to the panel (*NB: this may not be the same as the password for user `root`*).
+
+```bash 
+# Login/password is root/<ROOT PASSWORD>
+cpcmd scope:set cockpit.enabled true
+
+# Enable SSO
+# Password to elevate "limited access mode" is panel password
+cpcmd scope:set cockpit.sso true
+```
+
+SSO user may be override by changing `cockpit_sso_user` within `cp.bootstrapper` Scope, then running `software/cockpit` role. In multi-admin setups, this password will match the first user, which is decided at install.
+
+```bash
+cpcmd scope:set cp.bootstrapper cockpit_sso_user somenewuser
+upcp -sb software/cockpit
+```
+