#!/bin/bash # NextCloudPi additions to Raspbian # # Copyleft 2017 by Ignacio Nunez Hernanz # GPL licensed (see end of file) * Use at your own risk! # # More at https://nextcloudpi.com # WEBADMIN=ncp WEBPASSWD=ownyourbits BRANCH="${BRANCH:-master}" BINDIR=/usr/local/bin/ncp CONFDIR=/usr/local/etc/ncp-config.d/ APTINSTALL="apt-get install -y --no-install-recommends" export DEBIAN_FRONTEND=noninteractive install() { # NCP-CONFIG apt-get update $APTINSTALL git dialog whiptail jq file lsb-release mkdir -p "$CONFDIR" "$BINDIR" # include option in raspi-config (only Raspbian) test -f /usr/bin/raspi-config && { sed -i '/Change User Password/i"0 NextCloudPi Configuration" "Configuration of NextCloudPi" \\' /usr/bin/raspi-config sed -i '/1\\ \*) do_change_pass ;;/i0\\ *) ncp-config ;;' /usr/bin/raspi-config # Disable raspberry pi default user usermod pi -s /sbin/nologin } # add the ncc shortcut cat > /usr/local/bin/ncc <<'EOF' #!/bin/bash [[ ${EUID} -eq 0 ]] && SUDO="sudo -E -u www-data" ${SUDO} php /var/www/nextcloud/occ "$@" EOF chmod +x /usr/local/bin/ncc # NCP-WEB ## VIRTUAL HOST cat > /etc/apache2/sites-available/ncp-activation.conf < DocumentRoot /var/www/ncp-web/ SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key Require host localhost Require local Require ip 192.168 Require ip 172 Require ip 10 Require ip fe80::/10 Require ip fd00::/8 EOF cat > /etc/apache2/sites-available/ncp.conf < DocumentRoot /var/www/ncp-web SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains" # 2 days to avoid very big backups requests to timeout TimeOut 172800 DefineExternalAuth pwauth pipe /usr/sbin/pwauth AuthType Basic AuthName "ncp-web login" AuthBasicProvider external AuthExternal pwauth SetEnvIf Request_URI "^" noauth SetEnvIf Request_URI "^index\.php$" !noauth SetEnvIf Request_URI "^/$" !noauth SetEnvIf Request_URI "^/wizard/index.php$" !noauth SetEnvIf Request_URI "^/wizard/$" !noauth Require host localhost Require local Require ip 192.168 Require ip 172 Require ip 10 Require ip fe80::/10 Require ip fd00::/8 Require env noauth Require user $WEBADMIN EOF $APTINSTALL libapache2-mod-authnz-external pwauth a2enmod authnz_external authn_core auth_basic a2dissite nextcloud a2ensite ncp-activation ## NCP USER FOR AUTHENTICATION id -u "$WEBADMIN" &>/dev/null || useradd --home-dir /nonexistent "$WEBADMIN" echo -e "$WEBPASSWD\n$WEBPASSWD" | passwd "$WEBADMIN" chsh -s /usr/sbin/nologin "$WEBADMIN" ## NCP LAUNCHER mkdir -p /home/www chown www-data:www-data /home/www chmod 700 /home/www cat > /home/www/ncp-launcher.sh <<'EOF' #!/bin/bash grep -q '[\\&#;`|*?~<>^()[{}$&[:space:]]' <<< "$*" && exit 1 source /usr/local/etc/library.sh run_app $1 EOF chmod 700 /home/www/ncp-launcher.sh cat > /home/www/ncp-backup-launcher.sh <<'EOF' #!/bin/bash action="${1}" file="${2}" compressed="${3}" grep -q '[\\&#;`|*?~<>^()[{}$&]' <<< "$*" && exit 1 [[ "$file" =~ ".." ]] && exit 1 [[ "${action}" == "chksnp" ]] && { btrfs subvolume show "$file" &>/dev/null || exit 1 exit } [[ "${action}" == "delsnp" ]] && { btrfs subvolume delete "$file" || exit 1 exit } [[ -f "$file" ]] || exit 1 [[ "$file" =~ ".tar" ]] || exit 1 [[ "${action}" == "del" ]] && { [[ "$(file "$file")" =~ "tar archive" ]] || [[ "$(file "$file")" =~ "gzip compressed data" ]] || exit 1 rm "$file" || exit 1 exit } [[ "$compressed" != "" ]] && pigz="-I pigz" tar $pigz -tf "$file" data &>/dev/null EOF chmod 700 /home/www/ncp-backup-launcher.sh echo "www-data ALL = NOPASSWD: /home/www/ncp-launcher.sh , /home/www/ncp-backup-launcher.sh, /sbin/halt, /sbin/reboot" >> /etc/sudoers # NCP AUTO TRUSTED DOMAIN mkdir -p /usr/lib/systemd/system cat > /usr/lib/systemd/system/nextcloud-domain.service <<'EOF' [Unit] Description=Register Current IP as Nextcloud trusted domain Requires=network.target After=mysql.service redis.service [Service] ExecStart=/bin/bash /usr/local/bin/nextcloud-domain.sh Restart=on-failure RestartSec=5s [Install] WantedBy=multi-user.target EOF [[ "$DOCKERBUILD" != 1 ]] && systemctl enable nextcloud-domain # NEXTCLOUDPI UPDATES cat > /etc/cron.daily/ncp-check-version < /etc/logrotate.d/ncp <<'EOF' /var/log/ncp.log { rotate 4 size 500K missingok notifempty compress } EOF chmod 0444 /etc/logrotate.d/ncp # ONLY FOR IMAGE BUILDS if [[ -f /.ncp-image ]]; then rm -rf /var/log/ncp.log ## NEXTCLOUDPI MOTD rm -rf /etc/update-motd.d mkdir /etc/update-motd.d rm /etc/motd ln -s /var/run/motd /etc/motd cat > /etc/update-motd.d/10logo < /etc/update-motd.d/20updates <<'EOF' #!/bin/bash /usr/local/bin/ncp-check-updates EOF chmod a+x /etc/update-motd.d/* ## HOSTNAME AND mDNS [[ -f /.docker-image ]] || { $APTINSTALL avahi-daemon sed -i '/^127.0.1.1/d' /etc/hosts sed -i "\$a127.0.1.1 nextcloudpi $(hostname)" /etc/hosts } echo nextcloudpi > /etc/hostname ## tag image is_docker && local DOCKER_TAG="_docker" is_lxc && local DOCKER_TAG="_lxc" echo "NextCloudPi${DOCKER_TAG}_$( date "+%m-%d-%y" )" > /usr/local/etc/ncp-baseimage ## SSH hardening if [[ -f /etc/ssh/sshd_config ]]; then sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config sed -i 's|^X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config sed -i 's|^#LogLevel .*|LogLevel VERBOSE|' /etc/ssh/sshd_config sed -i 's|^#Compression .*|Compression no|' /etc/ssh/sshd_config sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config fi ## kernel hardening cat >> /etc/sysctl.conf <