From de104a5da83b4c3a1c6567c57cf87809f93c27a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Wed, 6 Oct 2021 20:44:37 +0200 Subject: Make templating safer and more verbose (#1343) * letsencrypt: fix active status check Signed-off-by: nachoparker * letsencrypt: take into account duplicate domains ending in -0001 Signed-off-by: nachoparker * letsencrypt: fix renewal with httpsonly enabled Signed-off-by: nachoparker * fix inverted template logic for docker Signed-off-by: nachoparker * library.sh: Move templating to separate function - Backup old file before templating (and restore on failure) - Use stderr in the template for debug/info output Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * library.sh: Fix syntax error Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * library.sh: Only fallback to default config if explicitly allowed Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * letsencrypt.sh: Set cert-name Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * nextcloud.conf.sh: Use certificate named ncp-nextcloud if available Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * letsencrypt.sh: Support multiple, comma separated domains in field "OTHER_DOMAIN" Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * nextcloud.conf.sh: Fix path resolution for certificates Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * letsencrypt.sh: Improve warning about max trusted domains reached Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * letsencrypt.sh: Fix max trusted domains check Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * letsencrypt.sh: Fix splitting of domain string by comma 
Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * letsencrypt.sh: Fix splitting of domain string to array Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com> * adjustments for docker/lxc Signed-off-by: nachoparker Co-authored-by: nachoparker
---
 bin/ncp/CONFIG/nc-nextcloud.sh | 7 ++-----
 bin/ncp/NETWORKING/letsencrypt.sh | 23 +++++++++++++++++------
 bin/ncp/SYSTEM/metrics.sh | 7 +++----
 changelog.md | 8 ++++++--
 etc/library.sh | 23 +++++++++++++++++++++++
 etc/ncp-templates/nextcloud.conf.sh | 10 +++++++++-
 6 files changed, 60 insertions(+), 18 deletions(-)
diff --git a/bin/ncp/CONFIG/nc-nextcloud.sh b/bin/ncp/CONFIG/nc-nextcloud.sh
index 004fc73e..7b60219a 100644
--- a/bin/ncp/CONFIG/nc-nextcloud.sh
+++ b/bin/ncp/CONFIG/nc-nextcloud.sh
@@ -181,12 +181,9 @@ EOF
 ## SET APACHE VHOST
 echo "Setting up Apache..."
- bash /usr/local/etc/ncp-templates/nextcloud.conf.sh > /etc/apache2/sites-available/nextcloud.conf || {
- echo "ERROR: An error occured while generating the nextcloud apache2 config. Attempting safe mode..."
- bash /usr/local/etc/ncp-templates/nextcloud.conf.sh --defaults > /etc/apache2/sites-available/nextcloud.conf || {
- echo "ERROR: Safe mode templating failed as well. Nextcloud will not work."
+ install_template nextcloud.conf.sh /etc/apache2/sites-available/nextcloud.conf --allow-fallback || {
+ echo "ERROR: Parsing template failed. Nextcloud will not work."
 exit 1
- }
 }
 a2ensite nextcloud
diff --git a/bin/ncp/NETWORKING/letsencrypt.sh b/bin/ncp/NETWORKING/letsencrypt.sh
index 70e10285..84c9e0c0 100644
--- a/bin/ncp/NETWORKING/letsencrypt.sh
+++ b/bin/ncp/NETWORKING/letsencrypt.sh
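Review bot: The new error branch prints its diagnostic to stdout, so a caller that captures or pipes this script's output (as the ncp panel does with most of these configure scripts, if I read the surrounding code right) will not see it separated from normal progress text; the metrics.sh counterpart that this commit rewrites used `>&2` for the same kind of message, so `echo "ERROR: Parsing template failed. Nextcloud will not work." >&2` would keep the two consistent. Note also that `--allow-fallback` means a failing live render is silently replaced by the `--defaults` rendering, and nothing in this script tells the operator that happened; the only trace is the template's own INFO line, which `install_template` merges into stdout. A short comment above the call stating that the defaults rendering is acceptable during initial setup would document that choice. The enclosing function starts and ends outside the hunk.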
@@ -57,24 +57,30 @@ configure() rm -f /etc/cron.weekly/letsencrypt-ncp rm -f /etc/letsencrypt/renewal-hooks/deploy/ncp [[ "$DOCKERBUILD" == 1 ]] && update-rc.d letsencrypt disable - bash /usr/local/etc/ncp-templates/nextcloud.conf.sh > ${nc_vhostcfg} + install_template nextcloud.conf.sh "${nc_vhostcfg}" echo "letsencrypt certificates disabled. Using self-signed certificates instead." exit 0 } local DOMAIN_LOWERCASE="${DOMAIN,,}" + local OTHER_DOMAINS_ARRAY [[ "$DOMAIN" == "" ]] && { echo "empty domain"; return 1; } + local IFS_BK="$IFS" + IFS=",$IFS" OTHER_DOMAINS_ARRAY=(${OTHER_DOMAIN}) + IFS="$IFS_BK" + # Do it local domain_string="" - for domain in $DOMAIN $OTHER_DOMAIN; do + for domain in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"; do [[ "$domain" != "" ]] && { [[ $domain_string == "" ]] && \ domain_string+="${domain}" || \ domain_string+=",${domain}" } done - "${letsencrypt}" certonly -n --force-renew --no-self-upgrade --webroot -w "${ncdir}" --hsts --agree-tos -m "${EMAIL}" -d "${domain_string}" && { + "${letsencrypt}" certonly -n --force-renew --cert-name ncp-nextcloud --no-self-upgrade --webroot -w "${ncdir}" \ + --hsts --agree-tos -m "${EMAIL}" -d "${domain_string}" && { # Set up auto-renewal cat > /etc/cron.weekly/letsencrypt-ncp < ${nc_vhostcfg} + install_template nextcloud.conf.sh "${nc_vhostcfg}" sed -i "s|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/fullchain.pem|" $vhostcfg2 sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/privkey.pem|" $vhostcfg2 # Configure Nextcloud local domain_index="${TRUSTED_DOMAINS[letsencrypt_1]}" - for dom in $DOMAIN $OTHER_DOMAIN; do + for dom in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"; do [[ "$dom" != "" ]] && { - ncc config:system:set trusted_domains $domain_index --value=$dom + [[ $domain_index -lt 20 ]] || { + echo "WARN: $dom will not be included in trusted domains for Nextcloud (maximum reached)." 
\ + "It will still be included in the SSL certificate" + continue + } + ncc config:system:set trusted_domains "$domain_index" --value="$dom" ((domain_index++)) } done diff --git a/bin/ncp/SYSTEM/metrics.sh b/bin/ncp/SYSTEM/metrics.sh index 24963a85..0790f76f 100644 --- a/bin/ncp/SYSTEM/metrics.sh +++ b/bin/ncp/SYSTEM/metrics.sh @@ -35,7 +35,7 @@ configure() { if [[ "$ACTIVE" != yes ]] then - bash /usr/local/etc/ncp-templates/nextcloud.conf.sh --defaults > /etc/apache2/sites-available/nextcloud.conf + install_template nextcloud.conf.sh /etc/apache2/sites-available/nextcloud.conf systemctl disable prometheus-node-exporter service prometheus-node-exporter stop @@ -59,9 +59,8 @@ configure() { rm -f "${htpasswd_file}" echo "$PASSWORD" | htpasswd -ciB "${htpasswd_file}" "$USER" - bash /usr/local/etc/ncp-templates/nextcloud.conf.sh > /etc/apache2/sites-available/nextcloud.conf || { - echo "An unexpected error occurred while configuring apache. Rolling back..." >&2 - bash /usr/local/etc/ncp-templates/nextcloud.conf.sh --defaults > /etc/apache2/sites-available/nextcloud.conf + install_template nextcloud.conf.sh /etc/apache2/sites-available/nextcloud.conf || { + echo "ERROR while generating nextcloud.conf! Exiting..." return 1 } diff --git a/changelog.md b/changelog.md index 8a8b8836..db684f01 100644 --- a/changelog.md +++ b/changelog.md 
@@ -1,7 +1,11 @@
-[v1.40.2](https://github.com/nextcloud/nextcloudpi/commit/fc3f978) (2021-10-05) nc-update-nc: BTRFS support
+[v1.40.4](https://github.com/nextcloud/nextcloudpi/commit/9fa18af) (2021-10-06) Make templating safer and more verbose (#1343)
-[v1.40.1](https://github.com/nextcloud/nextcloudpi/commit/7c361c5) (2021-10-05) update: improve check for apt (#1356)
+[v1.40.3 ](https://github.com/nextcloud/nextcloudpi/commit/8a6c1c0) (2021-10-06) ncp-check-nc-version: dont notify the same version more than once
+
+[v1.40.2 ](https://github.com/nextcloud/nextcloudpi/commit/ea1e00c) (2021-10-05) nc-update-nc: BTRFS support
+
+[v1.40.1 ](https://github.com/nextcloud/nextcloudpi/commit/7c361c5) (2021-10-05) update: improve check for apt (#1356)
 [v1.40.0 ](https://github.com/nextcloud/nextcloudpi/commit/a0728d7) (2021-10-04) nc-notify-updates: notify of new supported NC versions
diff --git a/etc/library.sh b/etc/library.sh
index 2e58d477..4cfccbe4 100644
--- a/etc/library.sh
+++ b/etc/library.sh
@@ -183,6 +183,29 @@ function find_app_param_num()
 }
+install_template() {
+ local template="${1?}"
+ local target="${2?}"
+ local bkp="$(mktemp)"
+ [[ -f "$target" ]] && cp -a "$target" "$bkp"
+ {
+ if [[ "$3" == "--defaults" ]]; then
+ { bash "/usr/local/etc/ncp-templates/$template" --defaults > "$target"; } 2>&1
+ else
+ { bash "/usr/local/etc/ncp-templates/$template" > "$target"; } 2>&1 || \
+ {
+ [[ "$3" == "--allow-fallback" ]] && \
+ { bash "/usr/local/etc/ncp-templates/$template" --defaults > "$target"; } 2>&1
+ }
+ fi
+ } || {
+ echo "ERROR: Could not generate $target from template $template. Rolling back..."
+ mv "$bkp" "$target"
+ return 1
+ }
+ rm "$bkp"
+}
+
 find_app_param() {
 local script="${1?}"
diff --git a/etc/ncp-templates/nextcloud.conf.sh b/etc/ncp-templates/nextcloud.conf.sh
index caf987f3..ea49032c 100644
--- a/etc/ncp-templates/nextcloud.conf.sh
+++ b/etc/ncp-templates/nextcloud.conf.sh
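Review bot: When `$target` does not exist yet, the backup step is skipped but `$bkp` is still the empty file `mktemp` created, so the rollback path `mv "$bkp" "$target"` installs an empty file (with mktemp's private mode) where there was none before; on a first install a failed render therefore leaves an empty Apache vhost rather than the absent state the caller started from. Two smaller points in the same function: `local bkp="$(mktemp)"` masks mktemp's exit status, and the ERROR line goes to stdout while the template's own INFO lines are deliberately routed through `2>&1`, so they cannot be told apart by the caller. The rewrite below records whether a backup was taken and removes the half-written target otherwise; a short header comment documenting the optional third argument (`--defaults` or `--allow-fallback`) and the return value would also help, since this is a library function.
```shell
install_template() {
  local template="${1?}"
  local target="${2?}"
  local bkp had_target=no
  bkp="$(mktemp)" || return 1
  if [[ -f "$target" ]]; then
    cp -a "$target" "$bkp" || { rm -f "$bkp"; return 1; }
    had_target=yes
  fi
  {
  # … unchanged: --defaults / --allow-fallback rendering block …
  } || {
    echo "ERROR: Could not generate $target from template $template. Rolling back..." >&2
    if [[ "$had_target" == yes ]]; then
      mv "$bkp" "$target"
    else
      rm -f "$target" "$bkp"
    fi
    return 1
  }
  rm "$bkp"
}
```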
@@ -3,6 +3,9 @@ set -e
 source /usr/local/etc/library.sh
+[[ "$1" != "--defaults" ]] || echo "INFO: Restoring template to default settings" >&2
+[[ ! -f /.docker-image ]] || echo "INFO: Docker installation detected" >&2
+
 if [[ "$1" != "--defaults" ]]; then
 LETSENCRYPT_DOMAIN="$(
 # force defaults during initial build
@@ -13,7 +16,10 @@ if [[ "$1" != "--defaults" ]]; then
 )"
 fi
-if ! [[ -f /.ncp-image ]] && [[ "$1" != "--defaults" ]]; then
+[[ -z "$LETSENCRYPT_DOMAIN" ]] || echo "INFO: Letsencrypt domain is ${LETSENCRYPT_DOMAIN}" >&2
+
+# skip during build
+if ! [[ -f /.ncp-image ]] && [[ "$1" != "--defaults" ]] && [[ -f "${BINDIR}/SYSTEM/metrics.sh" ]]; then
 METRICS_IS_ENABLED="$(
 source "${BINDIR}/SYSTEM/metrics.sh"
 tmpl_metrics_enabled && echo yes || echo no
@@ -22,6 +28,8 @@ else
 METRICS_IS_ENABLED=no
 fi
+echo "INFO: Metrics enabled: ${METRICS_IS_ENABLED}" >&2
+
 echo "### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###"
 echo ""
-- cgit v1.2.3
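Review bot: The added `[[ -f "${BINDIR}/SYSTEM/metrics.sh" ]]` guard folds a missing file — and an unset `BINDIR`, where the test runs against `/SYSTEM/metrics.sh` — into the same `else` branch as the build-time and `--defaults` cases, so a broken `BINDIR` produces only `INFO: Metrics enabled: no`, which reads as a normal state rather than a skipped check, and presumably changes what the generated vhost contains. If `library.sh` is expected to provide `BINDIR`, an explicit `: "${BINDIR:?BINDIR must be set}"` after the `source` line turns that into a visible failure under the file's `set -e`; otherwise a separate WARN on stderr for the missing-file case would keep it from being mistaken for "metrics disabled". The `if`/`else` being extended spans the second and third hunks.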