20.04 (#1176)

3 files changed, 249 insertions, 0 deletions

diff --git a/old/modsecurity.sh b/old/modsecurity.sh
new file mode 100644
index 00000000..31ec00a0
--- /dev/null
+++ b/old/modsecurity.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Installing ModSecurity..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Add modsecurity
+apt update -q4 & spinner_loading
+install_if_not libapache2-mod-security2 
+install_if_not modsecurity-crs
+mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
+
+msg_box "WARNING WARNING WARNING WARNING WARNING WARNING:
+
+Do not enable active defence if you don't know what you're doing!
+It will break OnlyOffice, and it may break other stuff as well in Nextcloud as it's
+blocking access to files automatically.
+
+You can monitor the audit log by typing this command in your shell:
+tail -f /var/log/apache2/modsec_audit.log
+
+You can disable it by typing this command in your shell:
+sed -i 's/SecRuleEngine .*/SecRuleEngine DetectionOnly/g' /etc/modsecurity/modsecurity.conf
+
+YOU HAVE BEEN WARNED."
+if [[ "yes" == $(ask_yes_or_no "Do you want to enable active defence?") ]]
+then
+    sed -i 's|SecRuleEngine .*|SecRuleEngine on|g' /etc/modsecurity/modsecurity.conf
+fi
+
+cat << MODSECWHITE > "/etc/modsecurity/whitelist.conf"
+<Directory $NCPATH>
+# VIDEOS
+  SecRuleRemoveById 958291             # Range Header Checks
+  SecRuleRemoveById 981203             # Correlated Attack Attempt
+
+  # PDF
+  SecRuleRemoveById 950109             # Check URL encodings
+
+  # ADMIN (webdav)
+  SecRuleRemoveById 960024             # Repeatative Non-Word Chars (heuristic)
+  SecRuleRemoveById 981173             # SQL Injection Character Anomaly Usage
+  SecRuleRemoveById 981204             # Correlated Attack Attempt
+  SecRuleRemoveById 981243             # PHPIDS - Converted SQLI Filters
+  SecRuleRemoveById 981245             # PHPIDS - Converted SQLI Filters
+  SecRuleRemoveById 981246             # PHPIDS - Converted SQLI Filters
+  SecRuleRemoveById 981318             # String Termination/Statement Ending Injection Testing
+  SecRuleRemoveById 973332             # XSS Filters from IE
+  SecRuleRemoveById 973338             # XSS Filters - Category 3
+  SecRuleRemoveById 981143             # CSRF Protections ( TODO edit LocationMatch filter )
+
+  # COMING BACK FROM OLD SESSION
+  SecRuleRemoveById 970903             # Microsoft Office document properties leakage
+
+  # NOTES APP
+  SecRuleRemoveById 981401             # Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff'
+  SecRuleRemoveById 200002             # Failed to parse request body
+
+  # UPLOADS ( 20 MB max excluding file size )
+  SecRequestBodyNoFilesLimit 20971520
+
+  # GENERAL
+  SecRuleRemoveById 960017             # Host header is a numeric IP address
+
+  # SAMEORIGN
+  SecRuleRemoveById 911100             # fpm socket
+
+  # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
+  #SecRuleRemoveById 981220 900046 981407
+  #SecRuleRemoveById 981222 981405 981185 981184
+</Directory>
+MODSECWHITE
+
+# Don't log in Apache2 error.log, only in a seperate log (/var/log/apache2/modsec_audit.log)
+check_command sed -i 's|SecDefaultAction "phase:1,log,auditlog,pass"|# SecDefaultAction "phase:1,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|SecDefaultAction "phase:2,log,auditlog,pass"|# SecDefaultAction "phase:2,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:1,nolog,auditlog,pass"|SecDefaultAction "phase:1,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:2,nolog,auditlog,pass"|SecDefaultAction "phase:2,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+
+if [ -f /etc/modsecurity/whitelist.conf ]
+then
+    print_text_in_color "$IGreen" "ModSecurity activated!"
+    restart_webserver
+fi
diff --git a/old/ntpdate.sh b/old/ntpdate.sh
new file mode 100644
index 00000000..43645ef3
--- /dev/null
+++ b/old/ntpdate.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+if network_ok
+then
+    if is_this_installed ntpdate
+    then
+        ntpdate -s 1.se.pool.ntp.org
+    fi
+fi
+exit
diff --git a/old/spreedme.sh b/old/spreedme.sh
new file mode 100644
index 00000000..2d4ffde2
--- /dev/null
+++ b/old/spreedme.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+print_text_in_color "$ICyan" "Installing Spreed.ME..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+if ! is_root
+then
+    printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${ICyan}sudo ${Color_Off}bash %s/nextcloud_install_production.sh\n" "$SCRIPTS"
+    exit 1
+fi
+
+# Check if Nextcloud exists
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Install if missing
+install_if_not apache2
+install_if_not snapd
+
+# Install Nextcloud Spreed.ME Snap
+if [ -d "$SNAPDIR" ]
+then
+    print_text_in_color "$ICyan" "Spreed.ME Snap already seems to be installed and will now be re-installed..."
+    snap remove spreedme
+    rm -rf "$SNAPDIR"
+    snap install --edge spreedme
+else
+    snap install --edge spreedme
+fi
+
+# Install and activate the Spreed.ME app
+if [ -d "$NC_APPS_PATH/spreedme" ]
+then
+    # Remove
+    occ_command app:disable spreedme
+    print_text_in_color "$ICyan" "Spreed.ME app already seems to be installed and will now be re-installed..."
+    rm -R "$NC_APPS_PATH/spreedme"
+    # Reinstall
+    occ_command app:install spreedme
+else
+    occ_command app:install spreedme
+fi
+occ_command app:enable spreedme
+chown -R www-data:www-data "$NC_APPS_PATH"
+
+# Generate secret keys
+SHAREDSECRET=$(openssl rand -hex 32)
+TEMPLINK=$(openssl rand -hex 32)
+sed -i "s|sharedsecret_secret = .*|sharedsecret_secret = $SHAREDSECRET|g" "$SNAPDIR/current/server.conf"
+
+# Populate the else empty config file (uses database for content by default)
+cp "$NCPATH/apps/spreedme/config/config.php.in" "$NCPATH/apps/spreedme/config/config.php"
+
+# Place the key in the NC app config
+sed -i "s|.*SPREED_WEBRTC_SHAREDSECRET.*|       const SPREED_WEBRTC_SHAREDSECRET = '$SHAREDSECRET';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Allow to create temporary links
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED.*|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED = true;|g" "$NCPATH/apps/spreedme/config/config.php"
+
+#  Set temporary links hash
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY.*|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY = '$TEMPLINK';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+
+# Enable Apache mods
+a2enmod proxy \
+        proxy_wstunnel \
+        proxy_http \
+        headers
+
+# Add config to vhost
+VHOST=/etc/apache2/spreedme.conf
+if [ ! -f $VHOST ]
+then
+cat << VHOST > "$VHOST"
+<Location /webrtc>
+    ProxyPass http://127.0.0.1:8080/webrtc
+    ProxyPassReverse /webrtc
+</Location>
+
+<Location /webrtc/ws>
+    ProxyPass ws://127.0.0.1:8080/webrtc/ws
+</Location>
+
+    ProxyVia On
+    ProxyPreserveHost On
+    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+    # RequestHeader set X-Forwarded-Proto 'https' # Use this if you are behind a (Nginx) reverse proxy with http backends
+VHOST
+fi
+
+if ! grep -Fxq "Include $VHOST" /etc/apache2/apache2.conf
+then
+    sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"
+fi
+
+# Restart services
+restart_webserver
+if ! systemctl restart snap.spreedme.spreed-webrtc.service
+then
+msg_box "Something is wrong, the installation did not finish correctly.
+
+Please report this to $ISSUES"
+    exit 1
+else
+msg_box "Success! Spreed.ME is now installed and configured.
+
+You may have to change SPREED_WEBRTC_ORIGIN in:
+(sudo nano) $NCPATH/apps/spreedme/config/config.php"
+    exit 0
+fi
+
+exit