#!/bin/bash # NextCloudPi additions to Raspbian # # Copyleft 2017 by Ignacio Nunez Hernanz # GPL licensed (see end of file) * Use at your own risk! # # More at https://nextcloudpi.com # WEBADMIN=ncp WEBPASSWD=ownyourbits BRANCH=master BINDIR=/usr/local/bin/ncp CONFDIR=/usr/local/etc/ncp-config.d/ APTINSTALL="apt-get install -y --no-install-recommends" export DEBIAN_FRONTEND=noninteractive install() { # NCP-CONFIG apt-get update $APTINSTALL git dialog whiptail jq file mkdir -p "$CONFDIR" "$BINDIR" # include option in raspi-config (only Raspbian) test -f /usr/bin/raspi-config && { sed -i '/Change User Password/i"0 NextCloudPi Configuration" "Configuration of NextCloudPi" \\' /usr/bin/raspi-config sed -i '/1\\ \*) do_change_pass ;;/i0\\ *) ncp-config ;;' /usr/bin/raspi-config } # add the ncc shortcut cat > /usr/local/bin/ncc <<'EOF' #!/bin/bash sudo -u www-data php /var/www/nextcloud/occ "$@" EOF chmod +x /usr/local/bin/ncc # NCP-WEB ## VIRTUAL HOST cat > /etc/apache2/sites-available/ncp-activation.conf < DocumentRoot /var/www/ncp-web/ SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key Require host localhost Require local Require ip 192.168 Require ip 172 Require ip 10 Require ip fd00::/8 EOF cat > /etc/apache2/sites-available/ncp.conf < DocumentRoot /var/www/ncp-web SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key # 2 days to avoid very big backups requests to timeout TimeOut 172800 DefineExternalAuth pwauth pipe /usr/sbin/pwauth AuthType Basic AuthName "ncp-web login" AuthBasicProvider external AuthExternal pwauth SetEnvIf Request_URI "^" noauth SetEnvIf Request_URI "^index\.php$" !noauth SetEnvIf Request_URI "^/$" !noauth SetEnvIf Request_URI "^/wizard/index.php$" !noauth SetEnvIf Request_URI "^/wizard/$" !noauth Require host localhost Require local Require ip 192.168 Require ip 172 Require ip 10 Require env noauth Require user $WEBADMIN EOF $APTINSTALL libapache2-mod-authnz-external pwauth a2enmod authnz_external authn_core auth_basic a2dissite nextcloud a2ensite ncp-activation ## NCP USER FOR AUTHENTICATION useradd --home-dir /nonexistent "$WEBADMIN" echo -e "$WEBPASSWD\n$WEBPASSWD" | passwd "$WEBADMIN" chsh -s /usr/sbin/nologin "$WEBADMIN" ## NCP LAUNCHER mkdir -p /home/www chown www-data:www-data /home/www chmod 700 /home/www cat > /home/www/ncp-launcher.sh <<'EOF' #!/bin/bash grep -q '[\\&#;`|*?~<>^()[{}$&[:space:]]' <<< "$*" && exit 1 source /usr/local/etc/library.sh run_app $1 EOF chmod 700 /home/www/ncp-launcher.sh cat > /home/www/ncp-backup-launcher.sh <<'EOF' #!/bin/bash action="${1}" file="${2}" compressed="${3}" grep -q '[\\&#;`|*?~<>^()[{}$&]' <<< "$*" && exit 1 [[ "$file" =~ ".." ]] && exit 1 [[ "${action}" == "chksnp" ]] && { btrfs subvolume show "$file" &>/dev/null || exit 1 exit } [[ "${action}" == "delsnp" ]] && { btrfs subvolume delete "$file" || exit 1 exit } [[ -f "$file" ]] || exit 1 [[ "$file" =~ ".tar" ]] || exit 1 [[ "${action}" == "del" ]] && { [[ "$(file "$file")" =~ "tar archive" ]] || [[ "$(file "$file")" =~ "gzip compressed data" ]] || exit 1 rm "$file" || exit 1 exit } [[ "$compressed" != "" ]] && pigz="-I pigz" tar $pigz -tf "$file" data &>/dev/null EOF chmod 700 /home/www/ncp-backup-launcher.sh echo "www-data ALL = NOPASSWD: /home/www/ncp-launcher.sh , /home/www/ncp-backup-launcher.sh, /sbin/halt, /sbin/reboot" >> /etc/sudoers # NCP AUTO TRUSTED DOMAIN mkdir -p /usr/lib/systemd/system cat > /usr/lib/systemd/system/nextcloud-domain.service <<'EOF' [Unit] Description=Register Current IP as Nextcloud trusted domain Requires=network.target After=mysql.service [Service] ExecStart=/bin/bash /usr/local/bin/nextcloud-domain.sh Restart=on-failure RestartSec=5s [Install] WantedBy=multi-user.target EOF cat > /usr/local/bin/nextcloud-domain.sh <<'EOF' #!/bin/bash # wicd service finishes before completing DHCP while :; do iface="$( ip r | grep "default via" | awk '{ print $5 }' | head -1 )" ip="$( ip a show dev "$iface" | grep global | grep -oP '\d{1,3}(.\d{1,3}){3}' | head -1 )" public_ip="$(curl icanhazip.com 2>/dev/null)" [[ "$public_ip" != "" ]] && ncc config:system:set trusted_domains 11 --value="$public_ip" [[ "$ip" != "" ]] && break sleep 3 done ncc config:system:set trusted_domains 1 --value=$ip EOF [[ "$DOCKERBUILD" != 1 ]] && systemctl enable nextcloud-domain # NEXTCLOUDPI UPDATES cat > /etc/cron.daily/ncp-check-version <> /etc/logrotate.d/ncp <<'EOF' /var/log/ncp.log { rotate 4 size 500K missingok notifempty compress } EOF chmod 0444 /etc/logrotate.d/ncp # ONLY FOR IMAGE BUILDS if [[ -f /.ncp-image ]]; then rm -rf /var/log/ncp.log ## NEXTCLOUDPI MOTD rm -rf /etc/update-motd.d mkdir /etc/update-motd.d rm /etc/motd ln -s /var/run/motd /etc/motd cat > /etc/update-motd.d/10logo < /etc/update-motd.d/20updates <<'EOF' #!/bin/bash /usr/local/bin/ncp-check-updates EOF chmod a+x /etc/update-motd.d/* ## HOSTNAME AND mDNS [[ -f /.docker-image ]] || $APTINSTALL avahi-daemon echo nextcloudpi > /etc/hostname sed -i '$c127.0.1.1 nextcloudpi' /etc/hosts ## tag image [[ -f /.docker-image ]] && local DOCKER_TAG="_docker" echo "NextCloudPi${DOCKER_TAG}_$( date "+%m-%d-%y" )" > /usr/local/etc/ncp-baseimage ## SSH hardening if [[ -f /etc/ssh/sshd_config ]]; then sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config sed -i 's|^X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config sed -i 's|^#LogLevel .*|LogLevel VERBOSE|' /etc/ssh/sshd_config sed -i 's|^#Compression .*|Compression no|' /etc/ssh/sshd_config sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config fi ## kernel hardening cat >> /etc/sysctl.conf <