authorDaniel Hansson <github@hanssonit.se>2020-07-06 22:36:59 +0300
committerGitHub <noreply@github.com>2020-07-06 22:36:59 +0300
commit7a69f992d38799c906725d602207b691a2a8f4ad (patch)
treec61804a707d89271569e4f9d5a0ced5bc841c587 /old
parent4fb19efd3d62c5091d842079f0177afc44948f8e (diff)
Revert "[very much WIP] Official VM (#1302)" (#1311)
This reverts commit 4fb19efd3d62c5091d842079f0177afc44948f8e.
Diffstat (limited to 'old')
-rw-r--r--old/modsecurity.sh98
-rw-r--r--old/ntpdate.sh23
-rw-r--r--old/onlyoffice.sh221
-rw-r--r--old/spreedme.sh128
4 files changed, 470 insertions, 0 deletions
diff --git a/old/modsecurity.sh b/old/modsecurity.sh
new file mode 100644
index 00000000..31ec00a0
--- /dev/null
+++ b/old/modsecurity.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Installing ModSecurity..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Add modsecurity
+apt update -q4 & spinner_loading
+install_if_not libapache2-mod-security2
+install_if_not modsecurity-crs
+mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
+
+msg_box "WARNING WARNING WARNING WARNING WARNING WARNING:
+
+Do not enable active defence if you don't know what you're doing!
+It will break OnlyOffice, and it may break other stuff as well in Nextcloud as it's
+blocking access to files automatically.
+
+You can monitor the audit log by typing this command in your shell:
+tail -f /var/log/apache2/modsec_audit.log
+
+You can disable it by typing this command in your shell:
+sed -i 's/SecRuleEngine .*/SecRuleEngine DetectionOnly/g' /etc/modsecurity/modsecurity.conf
+
+YOU HAVE BEEN WARNED."
+if [[ "yes" == $(ask_yes_or_no "Do you want to enable active defence?") ]]
+then
+ sed -i 's|SecRuleEngine .*|SecRuleEngine on|g' /etc/modsecurity/modsecurity.conf
+fi
+
+cat << MODSECWHITE > "/etc/modsecurity/whitelist.conf"
+<Directory $NCPATH>
+# VIDEOS
+ SecRuleRemoveById 958291 # Range Header Checks
+ SecRuleRemoveById 981203 # Correlated Attack Attempt
+
+ # PDF
+ SecRuleRemoveById 950109 # Check URL encodings
+
+ # ADMIN (webdav)
+ SecRuleRemoveById 960024 # Repeatative Non-Word Chars (heuristic)
+ SecRuleRemoveById 981173 # SQL Injection Character Anomaly Usage
+ SecRuleRemoveById 981204 # Correlated Attack Attempt
+ SecRuleRemoveById 981243 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981245 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981246 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981318 # String Termination/Statement Ending Injection Testing
+ SecRuleRemoveById 973332 # XSS Filters from IE
+ SecRuleRemoveById 973338 # XSS Filters - Category 3
+ SecRuleRemoveById 981143 # CSRF Protections ( TODO edit LocationMatch filter )
+
+ # COMING BACK FROM OLD SESSION
+ SecRuleRemoveById 970903 # Microsoft Office document properties leakage
+
+ # NOTES APP
+ SecRuleRemoveById 981401 # Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff'
+ SecRuleRemoveById 200002 # Failed to parse request body
+
+ # UPLOADS ( 20 MB max excluding file size )
+ SecRequestBodyNoFilesLimit 20971520
+
+ # GENERAL
+ SecRuleRemoveById 960017 # Host header is a numeric IP address
+
+ # SAMEORIGN
+ SecRuleRemoveById 911100 # fpm socket
+
+ # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
+ #SecRuleRemoveById 981220 900046 981407
+ #SecRuleRemoveById 981222 981405 981185 981184
+</Directory>
+MODSECWHITE
+
+# Don't log in Apache2 error.log, only in a seperate log (/var/log/apache2/modsec_audit.log)
+check_command sed -i 's|SecDefaultAction "phase:1,log,auditlog,pass"|# SecDefaultAction "phase:1,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|SecDefaultAction "phase:2,log,auditlog,pass"|# SecDefaultAction "phase:2,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:1,nolog,auditlog,pass"|SecDefaultAction "phase:1,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:2,nolog,auditlog,pass"|SecDefaultAction "phase:2,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+
+if [ -f /etc/modsecurity/whitelist.conf ]
+then
+ print_text_in_color "$IGreen" "ModSecurity activated!"
+ restart_webserver
+fi
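Review bot: The `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` line near the top sources whatever is on the `master` branch at run time, with no pinning, no integrity check and no failure handling — `curl -s` without `-f` turns an HTTP error page or an empty response into something that is sourced silently, after which every helper used below (`print_text_in_color`, `install_if_not`, `check_command`, `restart_webserver`) is undefined. The same line is in ntpdate.sh, onlyoffice.sh and spreedme.sh in this commit. Note that `. <(…) || exit 1` would not catch it either, since sourcing an empty stream succeeds; download with `curl -fsSL -o` into a `mktemp` file against a fixed tag or commit (`<PINNED_REF>`) instead of `master`, check curl's exit status, and only then source the file. Separately, the `mv /etc/modsecurity/modsecurity.conf-recommended …` is unchecked: on a second run the `-recommended` file no longer exists, `mv` fails, and the script goes on to flip `SecRuleEngine` in whatever configuration happens to be present, so guard it with `[ -f /etc/modsecurity/modsecurity.conf-recommended ] && mv …` or `check_command mv …`.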
diff --git a/old/ntpdate.sh b/old/ntpdate.sh
new file mode 100644
index 00000000..43645ef3
--- /dev/null
+++ b/old/ntpdate.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+if network_ok
+then
+ if is_this_installed ntpdate
+ then
+ ntpdate -s 1.se.pool.ntp.org
+ fi
+fi
+exit
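Review bot: The exit status of `ntpdate -s 1.se.pool.ntp.org` is discarded and the script ends with a bare `exit`, so a failed time step is invisible to whatever invokes this script, even though a wrong clock breaks TLS certificate validation and log correlation elsewhere on the VM. The nested `if` likewise does nothing, silently, when `network_ok` fails or `ntpdate` is not installed. Consider `ntpdate -s 1.se.pool.ntp.org || { print_text_in_color "$IRed" "Time sync against 1.se.pool.ntp.org failed"; exit 1; }` and a short message in the not-installed branch, so that callers and the install log can tell the difference between "synced" and "skipped".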
diff --git a/old/onlyoffice.sh b/old/onlyoffice.sh
new file mode 100644
index 00000000..fcdddd11
--- /dev/null
+++ b/old/onlyoffice.sh
@@ -0,0 +1,221 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+# OnlyOffice URL (onlyoffice.sh)
+SUBDOMAIN=$(whiptail --title "T&M Hansson IT - OnlyOffice" --inputbox "OnlyOffice subdomain eg: office.yourdomain.com\n\nNOTE: This domain must be different than your Nextcloud domain. They can however be hosted on the same server, but would require seperate DNS entries." "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+# Nextcloud Main Domain (onlyoffice.sh)
+NCDOMAIN=$(whiptail --title "T&M Hansson IT - OnlyOffice" --inputbox "Nextcloud domain, make sure it looks like this: cloud\\.yourdomain\\.com" "$WT_HEIGHT" "$WT_WIDTH" cloud\\.yourdomain\\.com 3>&1 1>&2 2>&3)
+
+print_text_in_color "$ICyan" "Installing OnlyOffice..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 OnlyOffice
+cpu_check 2 OnlyOffice
+
+# Notification
+msg_box "Before you start, please make sure that port 80+443 is directly forwarded to this machine!"
+
+# Get the latest packages
+apt update -q4 & spinner_loading
+
+# Check if Nextcloud is installed
+print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
+if ! curl -s https://"${NCDOMAIN//\\/}"/status.php | grep -q 'installed":true'
+then
+msg_box "It seems like Nextcloud is not installed or that you don't use https on:
+${NCDOMAIN//\\/}.
+Please install Nextcloud and make sure your domain is reachable, or activate SSL
+on your domain to be able to run this script.
+If you use the Nextcloud VM you can use the Let's Encrypt script to get SSL and activate your Nextcloud domain.
+When SSL is activated, run these commands from your terminal:
+sudo curl -sLO $APP/onlyoffice.sh
+sudo bash onlyoffice.sh"
+ exit 1
+fi
+
+# Check if apache2 evasive-mod is enabled and disable it because of compatibility issues
+if [ "$(apache2ctl -M | grep evasive)" != "" ]
+then
+ msg_box "We noticed that 'mod_evasive' is installed which is the DDOS protection for webservices. It has comptibility issues with OnlyOffice and you can now choose to disable it."
+ if [[ "no" == $(ask_yes_or_no "Do you want to disable DDOS protection?") ]]
+ then
+ print_text_in_color "$ICyan" "Keeping mod_evasive active."
+ else
+ a2dismod evasive
+ # a2dismod mod-evasive # not needed, but existing in the Extra Security script.
+ apt-get purge libapache2-mod-evasive -y
+ systemctl restart apache2
+ fi
+fi
+
+# Check if $SUBDOMAIN exists and is reachable
+print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
+domain_check_200 "$SUBDOMAIN"
+
+# Check open ports with NMAP
+check_open_port 80 "$SUBDOMAIN"
+check_open_port 443 "$SUBDOMAIN"
+
+# Install Docker
+install_docker
+
+# Check if OnlyOffice or Collabora is previously installed
+# If yes, then stop and prune the docker container
+docker_prune_this 'onlyoffice/documentserver'
+docker_prune_this 'collabora/code'
+
+# Disable RichDocuments (Collabora App) if activated
+if [ -d "$NC_APPS_PATH"/richdocuments ]
+then
+ occ_command app:remove richdocuments
+fi
+
+# Disable OnlyOffice (Collabora App) if activated
+if [ -d "$NC_APPS_PATH"/onlyoffice ]
+then
+ occ_command app:remove onlyoffice
+fi
+
+# Install Onlyoffice docker
+docker pull onlyoffice/documentserver:latest
+docker run -i -t -d -p 127.0.0.3:9090:80 --restart always --name onlyoffice onlyoffice/documentserver
+
+# Licensed version
+# https://helpcenter.onlyoffice.com/server/integration-edition/docker/docker-installation.aspx
+# docker run -i -t -d -p 127.0.0.3:9090:80 --restart=always --name onlyoffice \
+# -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data onlyoffice/documentserver-ie
+
+# Install apache2
+install_if_not apache2
+
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+
+if [ -f "$HTTPS_CONF" ]
+then
+ a2dissite "$SUBDOMAIN.conf"
+ rm -f "$HTTPS_CONF"
+fi
+
+# Create Vhost for OnlyOffice online in Apache2
+if [ ! -f "$HTTPS_CONF" ];
+then
+ cat << HTTPS_CREATE > "$HTTPS_CONF"
+<VirtualHost *:443>
+ ServerName $SUBDOMAIN:443
+
+ SSLEngine on
+ ServerSignature On
+ SSLHonorCipherOrder on
+
+ SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+ SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+ SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+ SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
+
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ # Just in case - see below
+ SSLProxyEngine On
+ SSLProxyVerify None
+ SSLProxyCheckPeerCN Off
+ SSLProxyCheckPeerName Off
+
+ # contra mixed content warnings
+ RequestHeader set X-Forwarded-Proto "https"
+
+ # basic proxy settings
+ ProxyRequests off
+
+ ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.3:9090/$1$2"
+ ProxyPass / "http://127.0.0.3:9090/"
+ ProxyPassReverse / "http://127.0.0.3:9090/"
+
+ <Location />
+ ProxyPassReverse /
+ </Location>
+</VirtualHost>
+HTTPS_CREATE
+
+ if [ -f "$HTTPS_CONF" ];
+ then
+ print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+ sleep 1
+ else
+ print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+ fi
+fi
+
+# Install certbot (Let's Encrypt)
+install_certbot
+
+# Generate certs
+if generate_cert "$SUBDOMAIN"
+then
+ # Generate DHparams chifer
+ if [ ! -f "$DHPARAMS_SUB" ]
+ then
+ openssl dhparam -dsaparam -out "$DHPARAMS_SUB" 4096
+ fi
+ printf "%b" "${IGreen}Certs are generated!\n${Color_Off}"
+ a2ensite "$SUBDOMAIN.conf"
+ restart_webserver
+ # Install OnlyOffice
+ occ_command app:install onlyoffice
+else
+ print_text_in_color "$IRed" "It seems like no certs were generated, please report this issue here: $ISSUES"
+ any_key "Press any key to continue... "
+ restart_webserver
+fi
+
+# Set config for OnlyOffice
+if [ -d "$NC_APPS_PATH"/onlyoffice ]
+then
+ occ_command config:app:set onlyoffice DocumentServerUrl --value=https://"$SUBDOMAIN/"
+ chown -R www-data:www-data "$NC_APPS_PATH"
+ occ_command config:system:set trusted_domains 3 --value="$SUBDOMAIN"
+# Add prune command
+ {
+ echo "#!/bin/bash"
+ echo "docker system prune -a --force"
+ echo "exit"
+ } > "$SCRIPTS/dockerprune.sh"
+ chmod a+x "$SCRIPTS/dockerprune.sh"
+ crontab -u root -l | { cat; echo "@weekly $SCRIPTS/dockerprune.sh"; } | crontab -u root -
+ print_text_in_color "$ICyan" "Docker automatic prune job added."
+ service docker restart
+ docker restart onlyoffice
+ print_text_in_color "$IGreen" "OnlyOffice is now successfully installed."
+ any_key "Press any key to continue... "
+fi
+
+exit
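Review bot: The TLS settings written into the OnlyOffice vhost heredoc are weaker than they need to be: `SSLProtocol all -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1, the `SSLCipherSuite` list ends with 3DES (`…-DES-CBC3-SHA`) and non-forward-secret `AES128-…`/`AES256-…` suites without an `ECDHE-`/`DHE-` prefix, and `ServerSignature On` puts the server version into error pages. Change the protocol line to `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`, set `ServerSignature Off`, and drop the 3DES and non-PFS entries from the cipher list (or reuse whatever cipher policy the main Nextcloud vhost in this repo applies, which is not visible from here). The `SSLProxyVerify None` / `SSLProxyCheckPeerCN Off` / `SSLProxyCheckPeerName Off` trio is harmless today because the backend is `http://127.0.0.3:9090`, but it will silently disable certificate checking if that backend ever becomes https, so a comment such as `# backend is plain HTTP on loopback; remove these before pointing at an https backend` belongs next to them. Separately, `occ_command config:system:set trusted_domains 3 --value="$SUBDOMAIN"` writes to a fixed array index and overwrites whatever is already at position 3.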
diff --git a/old/spreedme.sh b/old/spreedme.sh
new file mode 100644
index 00000000..2d4ffde2
--- /dev/null
+++ b/old/spreedme.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+print_text_in_color "$ICyan" "Installing Spreed.ME..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+if ! is_root
+then
+ printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${ICyan}sudo ${Color_Off}bash %s/nextcloud_install_production.sh\n" "$SCRIPTS"
+ exit 1
+fi
+
+# Check if Nextcloud exists
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Install if missing
+install_if_not apache2
+install_if_not snapd
+
+# Install Nextcloud Spreed.ME Snap
+if [ -d "$SNAPDIR" ]
+then
+ print_text_in_color "$ICyan" "Spreed.ME Snap already seems to be installed and will now be re-installed..."
+ snap remove spreedme
+ rm -rf "$SNAPDIR"
+ snap install --edge spreedme
+else
+ snap install --edge spreedme
+fi
+
+# Install and activate the Spreed.ME app
+if [ -d "$NC_APPS_PATH/spreedme" ]
+then
+ # Remove
+ occ_command app:disable spreedme
+ print_text_in_color "$ICyan" "Spreed.ME app already seems to be installed and will now be re-installed..."
+ rm -R "$NC_APPS_PATH/spreedme"
+ # Reinstall
+ occ_command app:install spreedme
+else
+ occ_command app:install spreedme
+fi
+occ_command app:enable spreedme
+chown -R www-data:www-data "$NC_APPS_PATH"
+
+# Generate secret keys
+SHAREDSECRET=$(openssl rand -hex 32)
+TEMPLINK=$(openssl rand -hex 32)
+sed -i "s|sharedsecret_secret = .*|sharedsecret_secret = $SHAREDSECRET|g" "$SNAPDIR/current/server.conf"
+
+# Populate the else empty config file (uses database for content by default)
+cp "$NCPATH/apps/spreedme/config/config.php.in" "$NCPATH/apps/spreedme/config/config.php"
+
+# Place the key in the NC app config
+sed -i "s|.*SPREED_WEBRTC_SHAREDSECRET.*| const SPREED_WEBRTC_SHAREDSECRET = '$SHAREDSECRET';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Allow to create temporary links
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED.*|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED = true;|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Set temporary links hash
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY.*|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY = '$TEMPLINK';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+
+# Enable Apache mods
+a2enmod proxy \
+ proxy_wstunnel \
+ proxy_http \
+ headers
+
+# Add config to vhost
+VHOST=/etc/apache2/spreedme.conf
+if [ ! -f $VHOST ]
+then
+cat << VHOST > "$VHOST"
+<Location /webrtc>
+ ProxyPass http://127.0.0.1:8080/webrtc
+ ProxyPassReverse /webrtc
+</Location>
+
+<Location /webrtc/ws>
+ ProxyPass ws://127.0.0.1:8080/webrtc/ws
+</Location>
+
+ ProxyVia On
+ ProxyPreserveHost On
+ RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+ # RequestHeader set X-Forwarded-Proto 'https' # Use this if you are behind a (Nginx) reverse proxy with http backends
+VHOST
+fi
+
+if ! grep -Fxq "Include $VHOST" /etc/apache2/apache2.conf
+then
+ sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"
+fi
+
+# Restart services
+restart_webserver
+if ! systemctl restart snap.spreedme.spreed-webrtc.service
+then
+msg_box "Something is wrong, the installation did not finish correctly.
+
+Please report this to $ISSUES"
+ exit 1
+else
+msg_box "Success! Spreed.ME is now installed and configured.
+
+You may have to change SPREED_WEBRTC_ORIGIN in:
+(sudo nano) $NCPATH/apps/spreedme/config/config.php"
+ exit 0
+fi
+
+exit
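Review bot: The generated `config.php` holds `SPREED_WEBRTC_SHAREDSECRET` and the temporary-password signing key, yet `chown -R www-data:www-data "$NC_APPS_PATH"` runs before the `cp` that creates the file, so it is left root-owned with whatever mode `cp` and the umask produce (presumably world-readable — verify on a build). Move the `chown` (or a targeted `chown www-data:www-data` plus `chmod 640` on `config.php`) after the three `sed -i` edits, and check that `$SNAPDIR/current/server.conf`, which receives the same secret, is not group- or world-readable either. Passing the secret as a `sed` argument also exposes it in the process list for the duration of the call; it is short-lived, but worth a comment so nobody later moves it into a long-running command. Separately, `sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"` inserts at a hard-coded line number and breaks as soon as the distro's file layout changes; appending with `echo "Include $VHOST" >> /etc/apache2/apache2.conf` inside the same `grep -Fxq` guard is robust.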