author | nachoparker <nacho@ownyourbits.com> | 2018-02-22 15:26:43 +0300 |
---|---|---|
committer | nachoparker <nacho@ownyourbits.com> | 2018-02-23 02:24:38 +0300 |
commit | 36a803f021b45864c6e609fd8c4eef1df6d75aa1 (patch) | |
tree | ea086346e491b6cc868c5971c9b84bf25094a63a | |
parent | d05b06996155c96f0beb886fdea16d52bd65fa50 (diff) |
add ncp-provisioning to SD card imagesv0.46.30
-rw-r--r-- | bin/ncp-provisioning.sh | 77 | ||||
-rw-r--r-- | changelog.md | 4 | ||||
-rw-r--r-- | docker-armhf/nextcloud/Dockerfile | 3 | ||||
-rwxr-xr-x | docker-common/nextcloud/020nextcloud | 2 | ||||
-rw-r--r-- | docker-common/nextcloud/ncp-provisioning.sh | 46 | ||||
-rw-r--r-- | docker/nextcloud/Dockerfile | 3 | ||||
-rw-r--r--[-rwxr-xr-x] | etc/library.sh | 0 | ||||
-rw-r--r-- | etc/nextcloudpi-config.d/nc-init.sh | 2 | ||||
-rw-r--r-- | etc/nextcloudpi-config.d/nc-nextcloud.sh | 19 | ||||
-rw-r--r-- | etc/nextcloudpi-config.d/nc-restore.sh | 2 | ||||
-rw-r--r-- | lamp.sh | 5 | ||||
-rwxr-xr-x | update.sh | 136 |
12 files changed, 145 insertions, 154 deletions
diff --git a/bin/ncp-provisioning.sh b/bin/ncp-provisioning.sh
new file mode 100644
index 00000000..cd7fb122
--- /dev/null
+++ b/bin/ncp-provisioning.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# this script runs at startup to provide an unique random passwords for each instance
+
+## redis provisioning
+
+CFG=/var/www/nextcloud/config/config.php
+REDISPASS="$( grep "^requirepass" /etc/redis/redis.conf | cut -f2 -d' ' )"
+
+### IF redis password is the default one, generate a new one
+
+[[ "$REDISPASS" == "default" ]] && {
+ REDISPASS="$( openssl rand -base64 32 )"
+ echo Provisioning Redis password
+ sed -i -E "s|^requirepass .*|requirepass $REDISPASS|" /etc/redis/redis.conf
+ [[ "$DOCKERBUILD" != 1 ]] && systemctl restart redis
+}
+
+### If there exists already a configuration adjust the password
+[[ -f "$CFG" ]] && {
+ echo "Updating NextCloud config with Redis password"
+ sed -i "s|'password'.*|'password' => '$REDISPASS',|" "$CFG"
+}
+
+## mariaDB provisioning
+
+DBADMIN=ncadmin
+DBPASSWD=$( grep password /root/.my.cnf | sed 's|password=||' )
+
+[[ "$DBPASSWD" == "default" ]] && {
+ DBPASSWD=$( openssl rand -base64 32 )
+ echo Provisioning MariaDB password
+ echo -e "[client]\npassword=$DBPASSWD" > /root/.my.cnf
+ chmod 600 /root/.my.cnf
+ mysql <<EOF
+GRANT USAGE ON *.* TO '$DBADMIN'@'localhost' IDENTIFIED BY '$DBPASSWD';
+DROP USER '$DBADMIN'@'localhost';
+CREATE USER '$DBADMIN'@'localhost' IDENTIFIED BY '$DBPASSWD';
+GRANT ALL PRIVILEGES ON nextcloud.* TO $DBADMIN@localhost;
+EXIT
+EOF
+}
+
+[[ -f "$CFG" ]] && {
+ echo "Updating NextCloud config with MariaDB password"
+ sed -i "s|'dbpassword' =>.*|'dbpassword' => '$DBPASSWD',|" "$CFG"
+}
+
+## CPU core adjustment
+
+CURRENT_THREADS=$( grep "^pm.max_children" /etc/php/7.0/fpm/pool.d/www.conf | awk '{ print $3 }' )
+
+CFG=/usr/local/etc/nextcloudpi-config.d/nc-limits.sh
+PHPTHREADS=0
+[[ -f "$CFG" ]] && PHPTHREADS=$( grep "^PHPTHREADS_" "$CFG" | cut -d= -f2 )
+
+[[ $PHPTHREADS -eq 0 ]] && PHPTHREADS=$( nproc )
+
+[[ $PHPTHREADS -ne $CURRENT_THREADS ]] && {
+
+ echo "PHP threads set to $PHPTHREADS"
+
+ sed -i "s|pm.max_children =.*|pm.max_children = $PHPTHREADS|" 
/etc/php/7.0/fpm/pool.d/www.conf + sed -i "s|pm.max_spare_servers =.*|pm.max_spare_servers = $PHPTHREADS|" /etc/php/7.0/fpm/pool.d/www.conf + sed -i "s|pm.start_servers =.*|pm.start_servers = $PHPTHREADS|" /etc/php/7.0/fpm/pool.d/www.conf + + # need to restart php + bash -c " sleep 3 + systemctl stop php7.0-fpm + systemctl stop mysqld + sleep 0.5 + systemctl start php7.0-fpm + systemctl start mysqld + " &>/dev/null & +} + +exit 0 diff --git a/changelog.md b/changelog.md index 6d055773..e4b4995d 100644 --- a/changelog.md +++ b/changelog.md @@ -1,5 +1,7 @@ -[v0.46.29](https://github.com/nextcloud/nextcloudpi/commit/1804c51) (2018-02-22) ncp-web: fix overlay z-index +[v0.46.30](https://github.com/nextcloud/nextcloudpi/commit/b6ba190) (2018-02-22) add ncp-provisioning to SD card images + +[v0.46.29](https://github.com/nextcloud/nextcloudpi/commit/970a256) (2018-02-22) ncp-web: fix overlay z-index [v0.46.28](https://github.com/nextcloud/nextcloudpi/commit/c78cf60) (2018-02-22) wizard: fix logbox overflow diff --git a/docker-armhf/nextcloud/Dockerfile b/docker-armhf/nextcloud/Dockerfile index f2ba077e..dc25a2c4 100644 --- a/docker-armhf/nextcloud/Dockerfile +++ b/docker-armhf/nextcloud/Dockerfile @@ -37,5 +37,4 @@ echo -e "[client]\npassword=default" > /root/.my.cnf; \ chmod 600 /root/.my.cnf COPY docker-common/nextcloud/020nextcloud /etc/services-enabled.d/ -COPY docker-common/nextcloud/ncp-provisioning.sh /usr/local/bin/ -RUN chmod +x /usr/local/bin/ncp-provisioning.sh +COPY bin/ncp-provisioning.sh /usr/local/bin/ diff --git a/docker-common/nextcloud/020nextcloud b/docker-common/nextcloud/020nextcloud index 76299b7f..3f5fa761 100755 --- a/docker-common/nextcloud/020nextcloud +++ b/docker-common/nextcloud/020nextcloud @@ -18,7 +18,7 @@ OCC="$NCDIR/occ" } echo "Provisioning" -/usr/local/bin/ncp-provisioning.sh +bash /usr/local/bin/ncp-provisioning.sh echo "Starting Redis" mkdir -p /var/run/redis 
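Review bot: Neither `openssl rand -base64 32` call in bin/ncp-provisioning.sh is checked, so if the command fails or the binary is absent the script carries on with an empty string: `requirepass ` with no value goes into /etc/redis/redis.conf, `password=` goes into /root/.my.cnf, and ncadmin is recreated with `IDENTIFIED BY ''`. That is worth guarding here because the lamp.sh hunk (`@@ -29,15 +29,14 @@ install()`) drops `openssl` from `$APTINSTALL`; it is probably still installed transitively, but the script should not depend on that, so add `[[ -n "$REDISPASS" ]] || { echo "ERROR: could not generate Redis password" >&2; exit 1; }` after the generation line and the equivalent check for `DBPASSWD`. Separately, the new MariaDB password is written to /root/.my.cnf before the `mysql <<EOF` block runs, so if that block fails the file and the server disagree and the `default` sentinel is gone, meaning no later boot retries; running the heredoc first and writing the file only when it succeeds avoids that. The unconditional `exit 0` at the end hides every one of these failures from the systemd unit that invokes the script, so it should instead propagate a non-zero status when any step fails.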
diff --git a/docker-common/nextcloud/ncp-provisioning.sh b/docker-common/nextcloud/ncp-provisioning.sh
deleted file mode 100644
index 014bd814..00000000
--- a/docker-common/nextcloud/ncp-provisioning.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-# this script runs at startup to provide an unique random passwords for each instance
-
-## redis provisioning
-
-REDISPASS="$( grep "^requirepass" /etc/redis/redis.conf | cut -f2 -d' ' )"
-
-### IF redis password is the default one, generate a new one
-
-[[ "$REDISPASS" == "default" ]] && {
- REDISPASS="$( openssl rand -base64 32 )"
- echo Provisioning Redis password
- sed -i -E "s|^requirepass .*|requirepass $REDISPASS|" /etc/redis/redis.conf
-}
-
-### If there exists already a configuration adjust the password
-test -f /data/app/config/config.php && {
- echo Updating NextCloud config with Redis password $REDISPASS
- sed -i "s|'password'.*|'password' => '$REDISPASS',|" /data/app/config/config.php
-}
-
-## mariaDB provisioning
-
-DBADMIN=ncadmin
-DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
-[[ "$DBPASSWD" == "default" ]] && {
- DBPASSWD=$( openssl rand -base64 32 )
- echo Provisioning MariaDB password
- echo -e "[client]\npassword=$DBPASSWD" > /root/.my.cnf
- chmod 600 /root/.my.cnf
- mysql <<EOF
-GRANT USAGE ON *.* TO '$DBADMIN'@'localhost' IDENTIFIED BY '$DBPASSWD';
-DROP USER '$DBADMIN'@'localhost';
-CREATE USER '$DBADMIN'@'localhost' IDENTIFIED BY '$DBPASSWD';
-GRANT ALL PRIVILEGES ON nextcloud.* TO $DBADMIN@localhost;
-EXIT
-EOF
-}
-
-test -f /data/app/config/config.php && {
- echo Updating NextCloud config with MariaDB password $DBPASSWD
- sed -i "s|'dbpassword' =>.*|'dbpassword' => '$DBPASSWD',|" /data/app/config/config.php
-}
-
-exit 0
diff --git a/docker/nextcloud/Dockerfile b/docker/nextcloud/Dockerfile
index f5e4390e..f063831f 100644
--- a/docker/nextcloud/Dockerfile
+++ b/docker/nextcloud/Dockerfile
@@ -37,5 +37,4 @@ echo -e "[client]\npassword=default" > /root/.my.cnf; \ chmod 600 /root/.my.cnf COPY docker-common/nextcloud/020nextcloud /etc/services-enabled.d/ -COPY docker-common/nextcloud/ncp-provisioning.sh /usr/local/bin/ -RUN chmod +x /usr/local/bin/ncp-provisioning.sh +COPY bin/ncp-provisioning.sh /usr/local/bin/ diff --git a/etc/library.sh b/etc/library.sh index 7e313701..7e313701 100755..100644 --- a/etc/library.sh +++ b/etc/library.sh diff --git a/etc/nextcloudpi-config.d/nc-init.sh b/etc/nextcloudpi-config.d/nc-init.sh index b8474ec3..725cd87f 100644 --- a/etc/nextcloudpi-config.d/nc-init.sh +++ b/etc/nextcloudpi-config.d/nc-init.sh @@ -56,7 +56,7 @@ configure() } # workaround to emulate DROP USER IF EXISTS ..;) - local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 ) + local DBPASSWD=$( grep password /root/.my.cnf | sed 's|password=||' ) mysql <<EOF DROP DATABASE IF EXISTS nextcloud; CREATE DATABASE nextcloud diff --git a/etc/nextcloudpi-config.d/nc-nextcloud.sh b/etc/nextcloudpi-config.d/nc-nextcloud.sh index 94d1d4d6..38c5b5f1 100644 --- a/etc/nextcloudpi-config.d/nc-nextcloud.sh +++ b/etc/nextcloudpi-config.d/nc-nextcloud.sh @@ -62,7 +62,7 @@ install() $APTINSTALL redis-server php7.0-redis local REDIS_CONF=/etc/redis/redis.conf - local REDISPASS=$( openssl rand -base64 32 ) + local REDISPASS="default" sed -i "s|# unixsocket .*|unixsocket /var/run/redis/redis.sock|" $REDIS_CONF sed -i "s|# unixsocketperm .*|unixsocketperm 770|" $REDIS_CONF sed -i "s|# requirepass .*|requirepass $REDISPASS|" $REDIS_CONF 
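Review bot: The new `DBPASSWD` line in the nc-init.sh hunk still selects with `grep password /root/.my.cnf`, which matches any line containing that word, so a second `password=` entry (for example under another client section) or a comment in that file yields a multi-line value that is then interpolated into the SQL heredoc below it. Anchoring the selection as `local DBPASSWD=$( grep '^password=' /root/.my.cnf | sed 's|^password=||' )` keeps it to the one key the project writes. The same expression is repeated in the nc-nextcloud.sh `@@ -168` hunk, the nc-restore.sh hunk and bin/ncp-provisioning.sh, so change it in all of them. `local DBPASSWD=$( … )` also masks the pipeline's exit status (ShellCheck SC2155), though that is pre-existing style. The enclosing `configure()` function starts and ends outside this hunk.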
@@ -85,6 +85,21 @@ install() systemctl start mysqld } + # service to randomize passwords on first boot + cat > /usr/lib/systemd/system/nc-provisioning.service <<'EOF' +[Unit] +Description=Randomize passwords on first boot +Requires=network.target +After=mysql.service + +[Service] +ExecStart=/bin/bash /usr/local/bin/ncp-provisioning.sh + +[Install] +WantedBy=multi-user.target +EOF + + [[ "$DOCKERBUILD" != 1 ]] && systemctl enable nc-provisioning return 0 } @@ -168,7 +183,7 @@ configure() echo "Setting up database..." # workaround to emulate DROP USER IF EXISTS ..;) - local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 ) + local DBPASSWD=$( grep password /root/.my.cnf | sed 's|password=||' ) mysql <<EOF DROP DATABASE IF EXISTS nextcloud; CREATE DATABASE nextcloud diff --git a/etc/nextcloudpi-config.d/nc-restore.sh b/etc/nextcloudpi-config.d/nc-restore.sh index bb856ebb..e613cf32 100644 --- a/etc/nextcloudpi-config.d/nc-restore.sh +++ b/etc/nextcloudpi-config.d/nc-restore.sh @@ -30,7 +30,7 @@ You can use nc-backup" configure() { - local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 ) + local DBPASSWD=$( grep password /root/.my.cnf | sed 's|password=||' ) [ -f $BACKUPFILE_ ] || { echo "$BACKUPFILE_ not found"; return 1; } [ -d /var/www/nextcloud ] && { echo "INFO: overwriting old instance" ; } @@ -29,15 +29,14 @@ install() # INSTALL ########################################## - $APTINSTALL apt-utils openssl - $APTINSTALL cron + $APTINSTALL apt-utils cron $APTINSTALL apache2 $APTINSTALL php7.0 php7.0-curl php7.0-gd php7.0-fpm php7.0-cli php7.0-opcache php7.0-mbstring php7.0-xml php7.0-zip php7.0-fileinfo php7.0-mcrypt php7.0-ldap mkdir -p /run/php # Randomize mariaDB password # Suggested by @enoch85 and taken from the nextcloud vm ( https://github.com/nextcloud/vm/blob/master/lib.sh#L46 ) - DBPASSWD=$( openssl rand -base64 32 ) + local DBPASSWD="default" echo -e "[client]\npassword=$DBPASSWD" > /root/.my.cnf chmod 600 /root/.my.cnf 
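Review bot: The nc-provisioning.service unit written in the `@@ -85` hunk of nc-nextcloud.sh has no `Type=` line, so systemd treats it as `simple` and considers it started as soon as the script is forked; the script's exit status is never reported as a unit failure, and `systemctl start nc-provisioning` (as used in update.sh) returns before any password has been rotated. It also orders only `After=mysql.service` while the script needs MariaDB to accept connections for its `mysql <<EOF` block, so add `Type=oneshot` under `[Service]` and `Requires=mysql.service` under `[Unit]` to make the dependency explicit and let a failed run show up as a failed unit. `Requires=network.target` without a matching `After=` gives no ordering guarantee and looks unintended. The identical unit text is duplicated in the update.sh `@@ -268` hunk and should be changed in both places. Until this unit has run successfully, an image ships with the literal `default` credentials introduced in the `@@ -62` hunk of this file and in the lamp.sh hunk, which is why a visible failure matters here.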
@@ -120,86 +120,6 @@ done # not for image builds, only live updates [[ ! -f /.ncp-image ]] && { - # fix automount in latest images - test -f /etc/udev/rules.d/90-qemu.rules && { - rm -f /etc/udev/rules.d/90-qemu.rules - udevadm control --reload-rules && udevadm trigger - pgrep -c udiskie &>/dev/null && systemctl restart nc-automount - } - - # btrfs tools - type btrfs &>/dev/null || { - apt-get update - apt-get install -y --no-install-recommends btrfs-tools - } - - # harden security - - ## harden redis - REDIS_CONF=/etc/redis/redis.conf - REDISPASS=$( grep "^requirepass" /etc/redis/redis.conf | cut -d' ' -f2 ) - [[ "$REDISPASS" == "" ]] && REDISPASS=$( openssl rand -base64 32 ) - sed -i 's|# rename-command CONFIG ""|rename-command CONFIG ""|' $REDIS_CONF - sed -i "s|# requirepass .*|requirepass $REDISPASS|" $REDIS_CONF - - grep -q "'password'" /var/www/nextcloud/config/config.php || \ - sed -i "/timeout/a'password' => '$REDISPASS'," /var/www/nextcloud/config/config.php - - ## harden postfix - sed -i 's|^smtpd_banner .*|smtpd_banner = $myhostname ESMTP|' /etc/postfix/main.cf - sed -i 's|^disable_vrfy_command .*|disable_vrfy_command = yes|' /etc/postfix/main.cf - - ## harden SSH - sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config - sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config - sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config - sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config - sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config - sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config - sed -i 's|^X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config - sed -i 's|^#LogLevel .*|LogLevel VERBOSE|' /etc/ssh/sshd_config - sed -i 's|^#Compression .*|Compression no|' /etc/ssh/sshd_config - sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config - - ## harden kernel - grep -q protected_hardlinks=1 /etc/sysctl.conf || cat 
>> /etc/sysctl.conf <<EOF -fs.protected_hardlinks=1 -fs.protected_symlinks=1 -kernel.core_uses_pid=1 -kernel.dmesg_restrict=1 -kernel.kptr_restrict=2 -kernel.sysrq=0 -net.ipv4.conf.all.accept_redirects=0 -net.ipv4.conf.all.log_martians=1 -net.ipv4.conf.all.rp_filter=1 -net.ipv4.conf.all.send_redirects=0 -net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.default.accept_source_route=0 -net.ipv4.conf.default.log_martians=1 -net.ipv4.tcp_timestamps=0 -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.default.accept_redirects=0 -EOF - sysctl -p /etc/sysctl.conf &>/dev/null - - # small tweaks - cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local - chmod go-x /usr/bin/arm-linux-gnueabihf-* &>/dev/null - sed -i "s|^UMASK.*|UMASK 027|" /etc/login.defs - - # secure mysql - DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 ) - mysql_secure_installation &>/dev/null <<EOF -$DBPASSWD -y -$DBPASSWD -$DBPASSWD -y -y -y -y -EOF - # update ncp-backup cd /usr/local/etc/nextcloudpi-config.d &>/dev/null install_script nc-backup.sh @@ -215,21 +135,6 @@ EOF grep -q '^ACTIVE_=yes$' nc-backup-auto.sh && activate_script nc-backup-auto.sh cd - &>/dev/null - # restore pip.conf after workaround - cat > /etc/pip.conf <<EOF -[global] -extra-index-url=https://www.piwheels.hostedpi.com/simple -EOF - - # update cron letsencrypt - [[ -f /etc/cron.d/letsencrypt-ncp ]] && rm -f /etc/cron.d/letsencrypt-ncp && { - cat > /etc/cron.weekly/letsencrypt-ncp <<EOF -#!/bin/bash -/etc/letsencrypt/certbot-auto renew --quiet -EOF - chmod +x /etc/cron.weekly/letsencrypt-ncp - } - # add ncp-config link [[ -e /usr/local/bin/ncp-config ]] || ln -s /usr/local/bin/nextcloudpi-config /usr/local/bin/ncp-config 
@@ -268,6 +173,47 @@ EOF grep -q reboot /etc/sudoers || \ sed -i 's|www-data.*|www-data ALL = NOPASSWD: /home/www/ncp-launcher.sh , /sbin/halt, /sbin/reboot|' /etc/sudoers + # randomize passwords for old images ( older than v0.46.30 ) + cat > /usr/lib/systemd/system/nc-provisioning.service <<'EOF' +[Unit] +Description=Randomize passwords on first boot +Requires=network.target +After=mysql.service + +[Service] +ExecStart=/bin/bash /usr/local/bin/ncp-provisioning.sh + +[Install] +WantedBy=multi-user.target +EOF + + systemctl enable nc-provisioning + + NEED_UPDATE=false + + MAJOR=0 MINOR=46 PATCH=30 + + MAJ=$( grep -oP "\d+\.\d+\.\d+" /usr/local/etc/ncp-version | cut -d. -f1 ) + MIN=$( grep -oP "\d+\.\d+\.\d+" /usr/local/etc/ncp-version | cut -d. -f2 ) + PAT=$( grep -oP "\d+\.\d+\.\d+" /usr/local/etc/ncp-version | cut -d. -f3 ) + + if [ "$MAJOR" -gt "$MAJ" ]; then + NEED_UPDATE=true + elif [ "$MAJOR" -eq "$MAJ" ] && [ "$MINOR" -gt "$MIN" ]; then + NEED_UPDATE=true + elif [ "$MAJOR" -eq "$MAJ" ] && [ "$MINOR" -eq "$MIN" ] && [ "$PATCH" -gt "$PAT" ]; then + NEED_UPDATE=true + fi + + [[ "$NEED_UPDATE" == "true" ]] && { + REDISPASS="default" + DBPASSWD="default" + sed -i -E "s|^requirepass .*|requirepass $REDISPASS|" /etc/redis/redis.conf + echo -e "[client]\npassword=$DBPASSWD" > /root/.my.cnf + chmod 600 /root/.my.cnf + systemctl start nc-provisioning + } + } # end - only live updates exit 0 |
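Review bot: The `[[ "$NEED_UPDATE" == "true" ]]` block in update.sh rewrites /etc/redis/redis.conf and /root/.my.cnf to the literal `default` and then calls `systemctl start nc-provisioning`; with the unit as written (no `Type=`) that call returns immediately, and if the provisioning script fails nothing restores the previous random passwords, so the well-known value stays in both files. The failure is also invisible because bin/ncp-provisioning.sh ends in an unconditional `exit 0`. Once the unit is `Type=oneshot` and the script propagates errors, `systemctl start nc-provisioning || echo "ERROR: password provisioning failed, check /etc/redis/redis.conf and /root/.my.cnf" >&2` at least records the problem. The version parsing reads /usr/local/etc/ncp-version three times and leaves `MAJ`/`MIN`/`PAT` empty if the file is missing, which makes the `[ "$MAJOR" -gt "$MAJ" ]` tests error out (harmlessly, since `NEED_UPDATE` stays false); `IFS=. read -r MAJ MIN PAT < <( grep -oP "\d+\.\d+\.\d+" /usr/local/etc/ncp-version )` does it once and matches the `[[ ]]` style used elsewhere in this file. The enclosing `[[ ! -f /.ncp-image ]] && {` group starts outside this hunk.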