
github.com/nextcloud/vm.git - Unnamed repository; edit this file 'description' to name the repository.
-rw-r--r--addons/smartctl.sh48
-rw-r--r--apps/additional_apps.sh98
-rw-r--r--apps/adminer.sh108
-rw-r--r--apps/collabora.sh312
-rw-r--r--apps/fail2ban.sh177
-rw-r--r--apps/fulltextsearch.sh178
-rw-r--r--apps/netdata.sh112
-rw-r--r--apps/onlyoffice.sh205
-rw-r--r--apps/previewgenerator.sh244
-rw-r--r--apps/smbmount.sh597
-rw-r--r--apps/talk.sh189
-rw-r--r--apps/tmbitwarden.sh96
-rw-r--r--apps/webmin.sh64
-rw-r--r--nextcloud-startup-script.sh565
-rw-r--r--nextcloud_install_production.sh431
-rw-r--r--nextcloud_update.sh617
-rw-r--r--old/modsecurity.sh98
-rw-r--r--old/ntpdate.sh23
-rw-r--r--old/onlyoffice.sh221
-rw-r--r--old/spreedme.sh128
-rw-r--r--prep_vm.sh45
-rw-r--r--static/adduser.sh39
-rw-r--r--static/apps.sh28
-rw-r--r--static/automatic_updates.sh43
-rw-r--r--static/change-root-profile.sh9
-rw-r--r--static/configuration.sh28
-rw-r--r--static/cookielifetime.sh70
-rw-r--r--static/docker_overlay2.sh167
-rw-r--r--static/format-sda-nuc-server.sh159
-rw-r--r--static/instruction.sh41
-rw-r--r--static/main_menu.sh60
-rw-r--r--static/menu.sh28
-rw-r--r--static/nextcloud.sh19
-rw-r--r--static/nextcloud_configuration.sh74
-rw-r--r--static/nhss_index.php148
-rw-r--r--static/prune_zfs_snaphots.sh58
-rw-r--r--static/recover_apps.py16
-rw-r--r--static/security.sh121
-rw-r--r--static/server_configuration.sh91
-rw-r--r--static/setup_secure_permissions_nextcloud.sh80
-rw-r--r--static/temporary-fix.sh19
-rw-r--r--static/update.sh35
-rw-r--r--static/updatenotification.sh76
-rw-r--r--static/zfs-prune-snapshots.sh186
44 files changed, 5867 insertions, 284 deletions
diff --git a/addons/smartctl.sh b/addons/smartctl.sh
new file mode 100644
index 00000000..b4c7481e
--- /dev/null
+++ b/addons/smartctl.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059,2086
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+print_text_in_color "$ICyan" "Installing and configuring S.M.A.R.T..."
+
+# Install smartmontools
+install_if_not smartmontools
+
+# Add a crontab to check the disk, and post the output with notify_admin_gui ever week (maybe with updatenotification?)
+if home_sme_server
+then
+ notify_admin_gui "S.M.A.R.T results weekly scan (nvme0n1)" "$(smartctl --all /dev/nvme0n1)"
+ notify_admin_gui "S.M.A.R.T results weekly scan (sda)" "$(smartctl --all /dev/sda)"
+else
+ # get all disks into an array
+ disks="$(fdisk -l | grep Disk | grep /dev/sd | awk '{print$2}' | cut -d ":" -f1)"
+ # loop over disks in array
+ for disk in $(printf "${disks[@]}")
+ do
+ if [ -n "$disks" ]
+ then
+ notify_admin_gui "S.M.A.R.T results weekly scan ($disk)" "$(smartctl --all $disk)"
+ fi
+ done
+fi
+
+# Add crontab “At 06:12 on Monday.”
+if ! crontab -u root -l | grep -w 'smartctl.sh'
+then
+ print_text_in_color "$ICyan" "Adding weekly crontab..."
+ crontab -u root -l | { cat; echo "12 06 * * 1 $SCRIPTS/smartctl.sh"; } | crontab -u root -
+ msg_box "S.M.A.R.T is now configured scheluded to run every Monday at 06:12.\n\nYou will be notified with the results each time."
+fi
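Review bot: The `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` line sources whatever the `master` branch serves at run time, as root, with no pinning or integrity check; the same pattern opens apps/additional_apps.sh, apps/adminer.sh, apps/collabora.sh (twice), apps/fail2ban.sh, apps/fulltextsearch.sh and apps/netdata.sh. Because `-s` is used without `-f` and the script has no `set -e`, a failed or truncated download leaves `debug_mode` and `root_check` undefined, yet execution still reaches the `crontab -u root -` edit, presumably with `$SCRIPTS` empty. I would fetch to a file from a pinned ref and stop on failure, e.g. `curl -fsSL "https://raw.githubusercontent.com/nextcloud/vm/<pinned-commit>/lib.sh" -o "$lib" || exit 1` followed by `. "$lib"`, ideally after comparing against a known checksum. Separately, `$(printf "${disks[@]}")` uses the disk list as a printf format string although `disks` is a plain string; `for disk in $disks` with a quoted `"$disk"` in the `smartctl` call would be clearer.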
diff --git a/apps/additional_apps.sh b/apps/additional_apps.sh
new file mode 100644
index 00000000..9b1c568b
--- /dev/null
+++ b/apps/additional_apps.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Install Apps
+choice=$(whiptail --title "Which apps do you want to install?" --checklist "Automatically configure and install selected apps\nSelect by pressing the spacebar\nYou can view this menu later by running 'sudo bash $SCRIPTS/menu.sh'" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"Fail2ban" "(Extra Bruteforce protection)" OFF \
+"Adminer" "(PostgreSQL GUI)" OFF \
+"Netdata" "(Real-time server monitoring)" OFF \
+"Collabora" "(Online editing [2GB RAM])" OFF \
+"OnlyOffice" "(Online editing [2GB RAM])" OFF \
+"Bitwarden" "(External password manager)" OFF \
+"FullTextSearch" "(Elasticsearch for Nextcloud [2GB RAM])" OFF \
+"PreviewGenerator" "(Pre-generate previews)" OFF \
+"LDAP" "(Windows Active directory)" OFF \
+"Talk" "(Nextcloud Video calls and chat)" OFF \
+"SMB-mount" "(Connect to SMB-shares from your local network)" OFF 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ *"Fail2ban"*)
+ clear
+ print_text_in_color "$ICyan" "Downloading Fail2ban.sh..."
+ run_script APP fail2ban
+ ;;&
+ *"Adminer"*)
+ clear
+ print_text_in_color "$ICyan" "Downloading Adminer.sh..."
+ run_script APP adminer
+ ;;&
+ *"Netdata"*)
+ clear
+ print_text_in_color "$ICyan" "Downloading Netdata.sh..."
+ run_script APP netdata
+ ;;&
+ *"OnlyOffice"*)
+ clear
+ print_text_in_color "$ICyan" "Downloading OnlyOffice.sh..."
+ run_script APP onlyoffice
+ ;;&
+ *"Collabora"*)
+ clear
+ print_text_in_color "$ICyan" "Downloading Collabora.sh..."
+ run_script APP collabora
+ ;;&
+ *"Bitwarden"*)
+ clear
+ print_text_in_color "$ICyan" "Downloading Bitwarden.sh..."
+ run_script APP tmbitwarden
+ ;;&
+ *"FullTextSearch"*)
+ clear
+ print_text_in_color "$ICyan" "Downloading FullTextSearch.sh..."
+ run_script APP fulltextsearch
+ ;;&
+ *"PreviewGenerator"*)
+ clear
+ print_text_in_color "$ICyan" "Downloading PreviewGenerator.sh..."
+ run_script APP previewgenerator
+ ;;&
+ *"LDAP"*)
+ clear
+ print_text_in_color "$ICyan" "Installing LDAP..."
+ if install_and_enable_app user_ldap
+ then
+ msg_box "LDAP installed! Please visit https://subdomain.yourdomain.com/settings/admin/ldap to finish the setup once this script is done."
+ else
+ msg_box "LDAP installation failed."
+ fi
+ ;;&
+ *"Talk"*)
+ clear
+ print_text_in_color "$ICyan" "Downloading Talk.sh..."
+ run_script APP talk
+ ;;&
+ *"SMB-mount"*)
+ clear
+ print_text_in_color "$ICyan" "Downloading SMB-mount.sh..."
+ run_script APP smbmount
+ ;;&
+ *)
+ ;;
+esac
+clear
+exit
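Review bot: Every `run_script APP …` call in the `case` ignores its exit status, and the closing `clear` / `exit` pair returns the status of `clear`, so a failed installer (for example Fail2ban) looks the same as a successful one to both the user and any caller. Recording failures, e.g. `run_script APP fail2ban || failed+=("Fail2ban")`, and ending with a summary and `exit 1` when the list is non-empty would make that visible. `run_script` is presumably defined in lib.sh, which is not part of this hunk, so confirm it does not already abort on error. A short comment above the `case` explaining that `;;&` keeps testing the remaining patterns (which is why several selections all run) would also help readers unfamiliar with that bash terminator.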
diff --git a/apps/adminer.sh b/apps/adminer.sh
new file mode 100644
index 00000000..a7f8f2f2
--- /dev/null
+++ b/apps/adminer.sh
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Check if adminer is already installed
+print_text_in_color "$ICyan" "Checking if Adminer is already installed..."
+if is_this_installed adminer
+then
+ choice=$(whiptail --radiolist "It seems like 'Adminer' is already installed.\nChoose what you want to do.\nSelect by pressing the spacebar and ENTER" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "Uninstall Adminer" "" OFF \
+ "Reinstall Adminer" "" ON 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ "Uninstall Adminer")
+ # Check that the script can see the external IP (apache fails otherwise)
+ check_external_ip
+ print_text_in_color "$ICyan" "Uninstalling Adminer and resetting all settings..."
+ a2disconf adminer.conf
+ rm $ADMINER_CONF
+ rm $ADMINERDIR/adminer.php
+ check_command apt-get purge adminer -y
+ restart_webserver
+ msg_box "Adminer was successfully uninstalled and all settings were resetted."
+ exit
+ ;;
+ "Reinstall Adminer")
+ # Check that the script can see the external IP (apache fails otherwise)
+ check_external_ip
+ print_text_in_color "$ICyan" "Reinstalling and securing Adminer..."
+ a2disconf adminer.conf
+ rm $ADMINER_CONF
+ rm $ADMINERDIR/adminer.php
+ check_command apt-get purge adminer -y
+ ;;
+ *)
+ ;;
+ esac
+else
+ print_text_in_color "$ICyan" "Installing and securing Adminer..."
+fi
+
+# Warn user about HTTP/2
+http2_warn Adminer
+
+# Check that the script can see the external IP (apache fails otherwise)
+check_external_ip
+
+# Check distrobution and version
+check_distro_version
+
+# Install Adminer
+apt update -q4 & spinner_loading
+install_if_not adminer
+curl_to_dir "http://www.adminer.org" "latest.php" "$ADMINERDIR"
+ln -s "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php
+
+cat << ADMINER_CREATE > "$ADMINER_CONF"
+Alias /adminer.php $ADMINERDIR/adminer.php
+
+<Directory $ADMINERDIR>
+
+<IfModule mod_dir.c>
+DirectoryIndex adminer.php
+</IfModule>
+AllowOverride None
+
+# Only allow connections from localhost:
+Require ip $GATEWAY/24
+
+</Directory>
+ADMINER_CREATE
+
+# Enable config
+check_command a2enconf adminer.conf
+
+if ! restart_webserver
+then
+msg_box "Apache2 could not restart...
+The script will exit."
+ exit 1
+else
+msg_box "Adminer was sucessfully installed and can be reached here:
+http://$ADDRESS/adminer.php
+
+You can download more plugins and get more information here:
+https://www.adminer.org
+
+Your PostgreSQL connection information can be found in $NCPATH/config/config.php
+
+In case you try to access Adminer and get 'Forbidden' you need to change the IP in:
+$ADMINER_CONF"
+fi
+
+exit
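Review bot: `curl_to_dir "http://www.adminer.org" "latest.php" "$ADMINERDIR"` downloads PHP that Apache will then execute over plain HTTP with no checksum, so anything on the network path can alter the code that ends up serving the database UI; use `curl_to_dir "https://www.adminer.org" "latest.php" "$ADMINERDIR"` at minimum, and preferably a fixed release verified against a known hash. The generated config's comment says `# Only allow connections from localhost:` but `Require ip $GATEWAY/24` admits the whole gateway subnet; either correct the comment or use `Require local`. The success message also points users to `http://$ADDRESS/adminer.php`, which sends database credentials unencrypted. The unquoted `rm $ADMINER_CONF` and `rm $ADMINERDIR/adminer.php` should be quoted.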
diff --git a/apps/collabora.sh b/apps/collabora.sh
new file mode 100644
index 00000000..085d0c0c
--- /dev/null
+++ b/apps/collabora.sh
@@ -0,0 +1,312 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 Collabora
+cpu_check 2 Collabora
+
+# Check if collabora is already installed
+print_text_in_color "$ICyan" "Checking if Collabora is already installed..."
+if does_this_docker_exist 'collabora/code'
+then
+ choice=$(whiptail --radiolist "It seems like 'Collabora' is already installed.\nChoose what you want to do.\nSelect by pressing the spacebar and ENTER" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "Uninstall Collabora" "" OFF \
+ "Reinstall Collabora" "" ON 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ "Uninstall Collabora")
+ print_text_in_color "$ICyan" "Uninstalling Collabora..."
+ # Check if Collabora is previously installed
+ # If yes, then stop and prune the docker container
+ docker_prune_this 'collabora/code'
+ # Revoke LE
+ SUBDOMAIN=$(whiptail --title "T&M Hansson IT - Collabora" --inputbox "Please enter the subdomain you are using for Collabora, eg: office.yourdomain.com" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [ -f "$CERTFILES/$SUBDOMAIN/cert.pem" ]
+ then
+ yes no | certbot revoke --cert-path "$CERTFILES/$SUBDOMAIN/cert.pem"
+ REMOVE_OLD="$(find "$LETSENCRYPTPATH/" -name "$SUBDOMAIN*")"
+ for remove in $REMOVE_OLD
+ do rm -rf "$remove"
+ done
+ fi
+ # Remove Apache2 config
+ if [ -f "$SITES_AVAILABLE/$SUBDOMAIN.conf" ]
+ then
+ a2dissite "$SUBDOMAIN".conf
+ restart_webserver
+ rm -f "$SITES_AVAILABLE/$SUBDOMAIN.conf"
+ fi
+ # Disable RichDocuments (Collabora App) if activated
+ if is_app_installed richdocuments
+ then
+ occ_command app:remove richdocuments
+ fi
+ # Remove trusted domain
+ count=0
+ while [ "$count" -lt 10 ]
+ do
+ if [ "$(occ_command_no_check config:system:get trusted_domains "$count")" == "$SUBDOMAIN" ]
+ then
+ occ_command_no_check config:system:delete trusted_domains "$count"
+ break
+ else
+ count=$((count+1))
+ fi
+ done
+
+ msg_box "Collabora was successfully uninstalled."
+ exit
+ ;;
+ "Reinstall Collabora")
+ print_text_in_color "$ICyan" "Reinstalling Collabora..."
+
+ # Check if Collabora is previously installed
+ # If yes, then stop and prune the docker container
+ docker_prune_this 'collabora/code'
+ ;;
+ *)
+ ;;
+ esac
+else
+ print_text_in_color "$ICyan" "Installing Collabora..."
+fi
+
+# Check if OnlyOffice is previously installed
+# If yes, then stop and prune the docker container
+if does_this_docker_exist 'onlyoffice/documentserver'
+then
+ docker_prune_this 'onlyoffice/documentserver'
+ # Revoke LE
+ SUBDOMAIN=$(whiptail --title "T&M Hansson IT - Collabora" --inputbox "Please enter the subdomain you are using for OnlyOffice, eg: office.yourdomain.com" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [ -f "$CERTFILES/$SUBDOMAIN/cert.pem" ]
+ then
+ yes no | certbot revoke --cert-path "$CERTFILES/$SUBDOMAIN/cert.pem"
+ REMOVE_OLD="$(find "$LETSENCRYPTPATH/" -name "$SUBDOMAIN*")"
+ for remove in $REMOVE_OLD
+ do rm -rf "$remove"
+ done
+ fi
+ # Remove Apache2 config
+ if [ -f "$SITES_AVAILABLE/$SUBDOMAIN.conf" ]
+ then
+ a2dissite "$SUBDOMAIN".conf
+ restart_webserver
+ rm -f "$SITES_AVAILABLE/$SUBDOMAIN.conf"
+ fi
+ # Remove trusted domain
+ count=0
+ while [ "$count" -lt 10 ]
+ do
+ if [ "$(occ_command_no_check config:system:get trusted_domains "$count")" == "$SUBDOMAIN" ]
+ then
+ occ_command_no_check config:system:delete trusted_domains "$count"
+ break
+ else
+ count=$((count+1))
+ fi
+ done
+fi
+
+# remove OnlyOffice-documentserver if activated
+if is_app_enabled documentserver_community
+then
+ any_key "OnlyOffice will get uninstalled. Press any key to continue. Press CTRL+C to abort"
+ occ_command app:remove documentserver_community
+fi
+
+# Disable OnlyOffice App if activated
+if is_app_installed onlyoffice
+then
+ occ_command app:remove onlyoffice
+fi
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 && COLLABORA_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+unset COLLABORA_INSTALL
+
+# Notification
+msg_box "Before you start, please make sure that port 80+443 is directly forwarded to this machine!"
+
+# Get the latest packages
+apt update -q4 & spinner_loading
+
+# Check if Nextcloud is installed
+print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
+if ! curl -s https://"${NCDOMAIN//\\/}"/status.php | grep -q 'installed":true'
+then
+msg_box "It seems like Nextcloud is not installed or that you don't use https on:
+${NCDOMAIN//\\/}.
+Please install Nextcloud and make sure your domain is reachable, or activate TLS
+on your domain to be able to run this script.
+
+If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain.
+When TLS is activated, run these commands from your terminal:
+sudo curl -sLO $APP/collabora.sh
+sudo bash collabora.sh"
+ exit 1
+fi
+
+# Check if $SUBDOMAIN exists and is reachable
+print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
+domain_check_200 "$SUBDOMAIN"
+
+# Check open ports with NMAP
+check_open_port 80 "$SUBDOMAIN"
+check_open_port 443 "$SUBDOMAIN"
+
+# Install Docker
+install_docker
+
+# Install Collabora docker
+docker pull collabora/code:latest
+docker run -t -d -p 127.0.0.1:9980:9980 -e "domain=$NCDOMAIN" --restart always --name code --cap-add MKNOD collabora/code
+
+# Install Apache2
+install_if_not apache2
+
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+
+if [ -f "$HTTPS_CONF" ]
+then
+ a2dissite "$SUBDOMAIN.conf"
+ rm -f "$HTTPS_CONF"
+fi
+
+# Create Vhost for Collabora online in Apache2
+if [ ! -f "$HTTPS_CONF" ];
+then
+ cat << HTTPS_CREATE > "$HTTPS_CONF"
+<VirtualHost *:443>
+ ServerName $SUBDOMAIN:443
+
+ <Directory /var/www>
+ Options -Indexes
+ </Directory>
+
+ # TLS configuration, you may want to take the easy route instead and use Lets Encrypt!
+ SSLEngine on
+ SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+ SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+ SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+ SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ SSLHonorCipherOrder on
+ SSLCompression off
+
+ # Encoded slashes need to be allowed
+ AllowEncodedSlashes NoDecode
+
+ # Container uses a unique non-signed certificate
+ SSLProxyEngine On
+ SSLProxyVerify None
+ SSLProxyCheckPeerCN Off
+ SSLProxyCheckPeerName Off
+
+ # keep the host
+ ProxyPreserveHost On
+
+ # static html, js, images, etc. served from loolwsd
+ # loleaflet is the client part of LibreOffice Online
+ ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
+ ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
+
+ # WOPI discovery URL
+ ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
+ ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
+
+ # Endpoint with information about availability of various features
+ ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
+ ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
+
+ # Main websocket
+ ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/\$1/ws nocanon
+
+ # Admin Console websocket
+ ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
+
+ # Download as, Fullscreen presentation and Image upload operations
+ ProxyPass /lool https://127.0.0.1:9980/lool
+ ProxyPassReverse /lool https://127.0.0.1:9980/lool
+</VirtualHost>
+HTTPS_CREATE
+
+ if [ -f "$HTTPS_CONF" ];
+ then
+ print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+ sleep 1
+ else
+ print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+ fi
+fi
+
+# Install certbot (Let's Encrypt)
+install_certbot
+
+# Generate certs and auto-configure if successful
+if generate_cert "$SUBDOMAIN"
+then
+ # Generate DHparams chifer
+ if [ ! -f "$DHPARAMS_SUB" ]
+ then
+ openssl dhparam -dsaparam -out "$DHPARAMS_SUB" 4096
+ fi
+ printf "%b" "${IGreen}Certs are generated!\n${Color_Off}"
+ a2ensite "$SUBDOMAIN.conf"
+ restart_webserver
+ # Install Collabora App
+ install_and_enable_app richdocuments
+else
+ last_fail_tls "$SCRIPTS"/apps/collabora.sh
+fi
+
+# Set config for RichDocuments (Collabora App)
+if is_app_installed richdocuments
+then
+ occ_command config:app:set richdocuments wopi_url --value=https://"$SUBDOMAIN"
+ chown -R www-data:www-data "$NC_APPS_PATH"
+ occ_command config:system:set trusted_domains 3 --value="$SUBDOMAIN"
+ # Add prune command
+ {
+ echo "#!/bin/bash"
+ echo "docker system prune -a --force"
+ echo "exit"
+ } > "$SCRIPTS/dockerprune.sh"
+ chmod a+x "$SCRIPTS/dockerprune.sh"
+ crontab -u root -l | { cat; echo "@weekly $SCRIPTS/dockerprune.sh"; } | crontab -u root -
+ print_text_in_color "$ICyan" "Docker automatic prune job added."
+ systemctl restart docker.service
+ docker restart code
+ print_text_in_color "$IGreen" "Collabora is now successfully installed."
+ any_key "Press any key to continue... "
+fi
+
+# Make sure the script exits
+exit
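Review bot: The generated vhost sets `SSLProtocol all -SSLv2 -SSLv3`, which leaves TLS 1.0 and 1.1 enabled, and the `SSLCipherSuite` list still offers 3DES (`DES-CBC3-SHA`) and non-forward-secret suites such as `AES128-SHA`. I would restrict it to `SSLProtocol -all +TLSv1.2 +TLSv1.3` (drop `+TLSv1.3` if the installed Apache/OpenSSL predates it) and trim the cipher list to the ECDHE/DHE AEAD entries. Also, `occ_command config:system:set trusted_domains 3 --value="$SUBDOMAIN"` writes to a fixed index and would overwrite whatever domain is already stored there, while the uninstall path searches indexes 0–9; picking the first free index would be consistent with that. The `@weekly $SCRIPTS/dockerprune.sh` crontab line is appended without the `grep` guard used in addons/smartctl.sh, so each reinstall adds a duplicate entry.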
diff --git a/apps/fail2ban.sh b/apps/fail2ban.sh
new file mode 100644
index 00000000..1ee47762
--- /dev/null
+++ b/apps/fail2ban.sh
@@ -0,0 +1,177 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+# Inspired by https://github.com/nextcloud/nextcloudpi/blob/master/etc/nextcloudpi-config.d/fail2ban.sh
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Check if fail2ban is already installed
+print_text_in_color "$ICyan" "Checking if Fail2Ban is already installed..."
+if is_this_installed fail2ban
+then
+ choice=$(whiptail --radiolist "It seems like 'Fail2Ban' is already installed.\nChoose what you want to do.\nSelect by pressing the spacebar and ENTER" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "Uninstall Fail2Ban" "" OFF \
+ "Reinstall Fail2Ban" "" ON 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ "Uninstall Fail2Ban")
+ print_text_in_color "$ICyan" "Uninstalling Fail2Ban..."
+ fail2ban-client unban --all
+ rm /etc/fail2ban/filter.d/nextcloud.conf
+ rm /etc/fail2ban/jail.local
+ check_command apt-get purge fail2ban -y
+ msg_box "Fail2Ban was successfully uninstalled."
+ exit
+ ;;
+ "Reinstall Fail2Ban")
+ print_text_in_color "$ICyan" "Reinstalling Fail2Ban..."
+ fail2ban-client unban --all
+ rm /etc/fail2ban/filter.d/nextcloud.conf
+ rm /etc/fail2ban/jail.local
+ check_command apt-get purge fail2ban -y
+ ;;
+ *)
+ ;;
+ esac
+else
+ print_text_in_color "$ICyan" "Installing Fail2ban..."
+fi
+
+# Create $VMLOGS dir
+mkdir -p "$VMLOGS"
+
+### Local variables ###
+# location of Nextcloud logs
+print_text_in_color "$ICyan" "Finding nextcloud.log..."
+while :
+do
+ NCLOG=$(find / -type f -name "nextcloud.log" 2> /dev/null)
+ if [ "$NCLOG" != "$VMLOGS/nextcloud.log" ]
+ then
+ # Might enter here if no OR multiple logs already exist, tidy up any existing logs and set the correct path
+ print_text_in_color "$ICyan" "Unexpected or non-existent logging configuration - deleting any discovered nextcloud.log files and creating a new one at $VMLOGS/nextcloud.log..."
+ xargs rm -f <<< "$NCLOG"
+ # Set logging
+ occ_command config:system:set log_type --value=file
+ occ_command config:system:set logfile --value="$VMLOGS/nextcloud.log"
+ occ_command config:system:set loglevel --value=2
+ touch "$VMLOGS/nextcloud.log"
+ chown www-data:www-data "$VMLOGS/nextcloud.log"
+ else
+ if [ "$(occ_command config:system:get logfile)" = "$VMLOGS/nextcloud.log" ]
+ then
+ break
+ else
+ # Set logging
+ occ_command config:system:set log_type --value=file
+ occ_command config:system:set logfile --value="$VMLOGS/nextcloud.log"
+ occ_command config:system:set loglevel --value=2
+ touch "$VMLOGS/nextcloud.log"
+ chown www-data:www-data "$VMLOGS/nextcloud.log"
+ break
+ fi
+ fi
+done
+# time to ban an IP that exceeded attempts
+BANTIME_=1209600
+# cooldown time for incorrect passwords
+FINDTIME_=1800
+# failed attempts before banning an IP
+MAXRETRY_=20
+
+apt update -q4 & spinner_loading
+check_command apt install fail2ban -y
+check_command update-rc.d fail2ban disable
+
+# Set timezone
+occ_command config:system:set logtimezone --value="$(cat /etc/timezone)"
+
+# Create nextcloud.conf file
+# Test: failregex = Login failed.*Remote IP.*<HOST>
+cat << NCONF > /etc/fail2ban/filter.d/nextcloud.conf
+[Definition]
+failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
+ ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
+ ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*\$
+NCONF
+
+# Create jail.local file
+cat << FCONF > /etc/fail2ban/jail.local
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = $BANTIME_
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = $FINDTIME_
+maxretry = $MAXRETRY_
+
+#
+# ACTIONS
+#
+banaction = iptables-multiport
+protocol = tcp
+chain = INPUT
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action = %(action_)s
+
+#
+# SSH
+#
+
+[sshd]
+
+enabled = true
+maxretry = $MAXRETRY_
+
+#
+# HTTP servers
+#
+
+[nextcloud]
+
+enabled = true
+port = http,https
+filter = nextcloud
+logpath = $VMLOGS/nextcloud.log
+maxretry = $MAXRETRY_
+FCONF
+
+# Update settings
+check_command update-rc.d fail2ban defaults
+check_command update-rc.d fail2ban enable
+check_command systemctl restart fail2ban.service
+
+# The End
+msg_box "Fail2ban is now sucessfully installed.
+
+Please use 'fail2ban-client set nextcloud unbanip <Banned IP>' to unban certain IPs
+You can also use 'iptables -L -n' to check which IPs that are banned"
+
+exit
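Review bot: The log-discovery loop runs `find / -type f -name "nextcloud.log"` and feeds the result to `xargs rm -f`, which as root deletes every file of that name on every mounted filesystem (backups, other instances, user data) and, because `xargs` splits on whitespace, can remove unintended paths when a match contains spaces. If any match cannot be removed, `NCLOG` never equals `$VMLOGS/nextcloud.log` and the `while :` loop does not terminate. I would drop the filesystem-wide search and deletion and just apply the three `occ_command config:system:set` log settings plus the `touch`/`chown` unconditionally, leaving old log files in place. If cleanup is still wanted, limit it to the single path returned by `occ_command config:system:get logfile`.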
diff --git a/apps/fulltextsearch.sh b/apps/fulltextsearch.sh
new file mode 100644
index 00000000..30d66e9c
--- /dev/null
+++ b/apps/fulltextsearch.sh
@@ -0,0 +1,178 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+# SwITNet Ltd © - 2020, https://switnet.net/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NCDB=1 && NC_UPDATE=1 && ES_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+unset ES_INSTALL
+unset NCDB
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 FullTextSearch
+cpu_check 2 FullTextSearch
+
+# Check if fulltextsearch is already installed
+print_text_in_color "$ICyan" "Checking if Fulltextsearch is already installed..."
+if does_this_docker_exist "$nc_fts"
+then
+ choice=$(whiptail --radiolist "It seems like 'Fulltextsearch' is already installed.\nChoose what you want to do.\nSelect by pressing the spacebar and ENTER" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "Uninstall Fulltextsearch" "" OFF \
+ "Reinstall Fulltextsearch" "" ON 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ "Uninstall Fulltextsearch")
+ print_text_in_color "$ICyan" "Uninstalling Fulltextsearch..."
+ # Reset database table
+ check_command sudo -Hiu postgres psql "$NCCONFIGDB" -c "TRUNCATE TABLE oc_fulltextsearch_ticks;"
+ # Reset Full Text Search to be able to index again, and also remove the app to be able to install it again
+ if is_app_installed fulltextsearch
+ then
+ print_text_in_color "$ICyan" "Removing old version of Full Text Search and resetting the app..."
+ occ_command_no_check fulltextsearch:reset
+ occ_command app:remove fulltextsearch
+ fi
+ if is_app_installed fulltextsearch_elasticsearch
+ then
+ occ_command app:remove fulltextsearch_elasticsearch
+ fi
+ if is_app_installed files_fulltextsearch
+ then
+ occ_command app:remove files_fulltextsearch
+ fi
+ # Remove nc_fts docker if installed
+ docker_prune_this "$nc_fts"
+
+ msg_box "Fulltextsearch was successfully uninstalled."
+ exit
+ ;;
+ "Reinstall Fulltextsearch")
+ print_text_in_color "$ICyan" "Reinstalling FullTextSearch..."
+
+ # Reset Full Text Search to be able to index again, and also remove the app to be able to install it again
+ if is_app_installed fulltextsearch
+ then
+ print_text_in_color "$ICyan" "Removing old version of Full Text Search and resetting the app..."
+ # Reset database table
+ check_command sudo -Hiu postgres psql "$NCCONFIGDB" -c "TRUNCATE TABLE oc_fulltextsearch_ticks;"
+ # Reset Full Text Search to be able to index again, and also remove the app to be able to install it again
+ occ_command_no_check fulltextsearch:reset
+ occ_command app:remove fulltextsearch
+ fi
+ if is_app_installed fulltextsearch_elasticsearch
+ then
+ occ_command app:remove fulltextsearch_elasticsearch
+ fi
+ if is_app_installed files_fulltextsearch
+ then
+ occ_command app:remove files_fulltextsearch
+ fi
+
+ # Remove nc_fts docker if installed
+ docker_prune_this "$nc_fts"
+ ;;
+ *)
+ ;;
+ esac
+else
+ print_text_in_color "$ICyan" "Installing Fulltextsearch..."
+fi
+
+# Make sure there is an Nextcloud installation
+if ! [ "$(occ_command -V)" ]
+then
+ msg_box "It seems there is no Nextcloud server installed, please check your installation."
+ exit 1
+fi
+
+# Disable and remove Nextant + Solr
+if is_app_installed nextant
+then
+ # Remove Nextant
+ msg_box "We will now remove Nextant + Solr and replace it with Full Text Search"
+ occ_command app:remove nextant
+
+ # Remove Solr
+ systemctl stop solr.service
+ rm -rf /var/solr
+ rm -rf /opt/solr*
+ rm /etc/init.d/solr
+ deluser --remove-home solr
+ deluser --group solr
+fi
+
+# Check & install docker
+install_docker
+set_max_count
+mkdir -p "$RORDIR"
+docker pull "$nc_fts"
+
+# Create configuration YML
+cat << YML_CREATE > /opt/es/readonlyrest.yml
+readonlyrest:
+ access_control_rules:
+ - name: Accept requests from cloud1 on $INDEX_USER-index
+ groups: ["cloud1"]
+ indices: ["$INDEX_USER-index"]
+
+ users:
+ - username: $INDEX_USER
+ auth_key: $INDEX_USER:$ROREST
+ groups: ["cloud1"]
+YML_CREATE
+
+# Set persmissions
+chown 1000:1000 -R $RORDIR
+chmod ug+rwx -R $RORDIR
+
+# Run Elastic Search Docker
+docker run -d --restart always \
+--name $fts_es_name \
+--ulimit memlock=-1:-1 \
+--ulimit nofile=65536:65536 \
+-p 127.0.0.1:9200:9200 \
+-p 127.0.0.1:9300:9300 \
+-v esdata:/usr/share/elasticsearch/data \
+-v /opt/es/readonlyrest.yml:/usr/share/elasticsearch/config/readonlyrest.yml \
+-e "discovery.type=single-node" \
+-e "bootstrap.memory_lock=true" \
+-e ES_JAVA_OPTS="-Xms512M -Xmx512M" \
+-i -t $nc_fts
+
+# Wait for bootstraping
+docker restart $fts_es_name
+countdown "Waiting for docker bootstraping..." "20"
+docker logs $fts_es_name
+
+# Get Full Text Search app for nextcloud
+install_and_enable_app fulltextsearch
+install_and_enable_app fulltextsearch_elasticsearch
+install_and_enable_app files_fulltextsearch
+chown -R www-data:www-data $NC_APPS_PATH
+
+# Final setup
+occ_command fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_ElasticSearch\\Platform\\ElasticSearchPlatform"}'
+occ_command fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://${INDEX_USER}:${ROREST}@localhost:9200\",\"elastic_index\":\"${INDEX_USER}-index\"}"
+occ_command files_fulltextsearch:configure "{\"files_pdf\":\"1\",\"files_office\":\"1\"}"
+if occ_command fulltextsearch:index < /dev/null
+then
+msg_box "Full Text Search was successfully installed!"
+fi
+
+# Make sure the script exists
+exit
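Review bot: `/opt/es/readonlyrest.yml` is written with the `$INDEX_USER:$ROREST` credential in clear text under the default umask, and the following `chmod ug+rwx -R $RORDIR` never removes access for other users, so the file is likely world-readable. Tightening it after the `chown`, e.g. `chmod -R o-rwx "$RORDIR"`, limits it to uid/gid 1000 (presumably the container user) and root. The heredoc and the `-v` mount hard-code `/opt/es` while `mkdir`, `chown` and `chmod` use `$RORDIR`; these should use the same variable, quoted, as should `$fts_es_name`, `$nc_fts` and `$NC_APPS_PATH`. The same secret is also passed on the `occ_command fulltextsearch_elasticsearch:configure` command line, where it is visible in the process list while the command runs.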
diff --git a/apps/netdata.sh b/apps/netdata.sh
new file mode 100644
index 00000000..e212f00c
--- /dev/null
+++ b/apps/netdata.sh
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Check if Netdata is already installed
+print_text_in_color "$ICyan" "Checking if Netdata is already installed..."
+if [ -d /etc/netdata ]
+then
+ choice=$(whiptail --radiolist "It seems like 'Netdata' is already installed.\nChoose what you want to do.\nSelect by pressing the spacebar and ENTER" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "Uninstall Netdata" "" OFF \
+ "Reinstall Netdata" "" ON 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ "Uninstall Netdata")
+ print_text_in_color "$ICyan" "Uninstalling Netdata..."
+ if [ -f /usr/src/netdata.git/netdata-uninstaller.sh ]
+ then
+ if ! yes no | bash /usr/src/netdata.git/netdata-uninstaller.sh --force
+ then
+ rm -Rf /usr/src/netdata.git
+ fi
+ elif [ -f /usr/libexec/netdata-uninstaller.sh ]
+ then
+ yes no | bash /usr/libexec/netdata-uninstaller.sh --yes
+ elif [ -f /usr/libexec/netdata/netdata-uninstaller.sh ]
+ then
+ bash /usr/libexec/netdata/netdata-uninstaller.sh --force --yes
+ else
+ check_command curl_to_dir https://raw.githubusercontent.com/netdata/netdata/master/packaging/installer netdata-uninstaller.sh $SCRIPTS
+ check_command bash $SCRIPTS/netdata-uninstaller.sh --force --yes
+ rm $SCRIPTS/netdata-uninstaller.sh
+ rm -rf /var/lib/netdata
+ msg_box "Netdata was successfully uninstalled."
+ fi
+ exit
+ ;;
+ "Reinstall Netdata")
+ print_text_in_color "$ICyan" "Reinstalling Netdata..."
+ if [ -f /usr/src/netdata.git/netdata-uninstaller.sh ]
+ then
+ if ! yes no | bash /usr/src/netdata.git/netdata-uninstaller.sh --force
+ then
+ rm -Rf /usr/src/netdata.git
+ fi
+ elif [ -f /usr/libexec/netdata-uninstaller.sh ]
+ then
+ yes | bash /usr/libexec/netdata-uninstaller.sh --yes
+ elif [ -f /usr/libexec/netdata/netdata-uninstaller.sh ]
+ then
+ bash /usr/libexec/netdata/netdata-uninstaller.sh --force --yes
+ else
+ check_command curl_to_dir https://raw.githubusercontent.com/netdata/netdata/master/packaging/installer netdata-uninstaller.sh $SCRIPTS
+ check_command bash $SCRIPTS/netdata-uninstaller.sh --force --yes
+ rm $SCRIPTS/netdata-uninstaller.sh
+ rm -rf /var/lib/netdata
+ fi
+ ;;
+ *)
+ ;;
+ esac
+else
+ print_text_in_color "$ICyan" "Installing Netdata..."
+fi
+
+# Install
+is_process_running dpkg
+is_process_running apt
+apt update -q4 & spinner_loading
+curl_to_dir https://my-netdata.io kickstart.sh $SCRIPTS
+sudo -u "$UNIXUSER" bash $SCRIPTS/kickstart.sh all --dont-wait --no-updates --stable-channel
+rm -f $SCRIPTS/kickstart.sh
+
+# Check Netdata instructions after script is done
+any_key "Please check information above and press any key to continue..."
+
+# Installation done?
+if [ -d /etc/netdata ]
+then
+msg_box "Netdata is now installed and can be accessed from this address:
+
+http://$ADDRESS:19999
+
+If you want to reach it from the internet you need to open port 19999 in your firewall.
+If you don't know how to open ports, please follow this guide:
+https://www.techandme.se/open-port-80-443/
+
+After you have opened the correct port, then you can visit Netdata from your domain:
+
+http://$(hostname -f):19999 and or http://yourdomanin.com:19999
+
+You can find more configuration options in their WIKI:
+https://docs.netdata.cloud/daemon/config#configuration-guide"
+
+# Cleanup
+rm -rf /tmp/netdata*
+fi
+
+exit
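Review bot: `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` at the top of this new file sources whatever the master branch serves at run time into a root shell, with no pinned revision or integrity check. The same line opens apps/onlyoffice.sh, apps/previewgenerator.sh and apps/smbmount.sh. `kickstart.sh` from my-netdata.io and the fallback `netdata-uninstaller.sh` from the netdata master branch are likewise fetched and executed without verification, the uninstaller directly in the root shell. I would pin each URL to a tag or commit and check a recorded digest before running, e.g. `echo "<EXPECTED_SHA256>  $SCRIPTS/kickstart.sh" | sha256sum -c - || exit 1`, and quote `"$SCRIPTS"` in those commands. Separately, the closing msg_box tells users to open port 19999 to the internet over plain HTTP; it should recommend a TLS reverse proxy with authentication instead.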
diff --git a/apps/onlyoffice.sh b/apps/onlyoffice.sh
new file mode 100644
index 00000000..f3eaf0e7
--- /dev/null
+++ b/apps/onlyoffice.sh
@@ -0,0 +1,205 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+print_text_in_color "$ICyan" "Running the OnlyOffice install script..."
+
+# Nextcloud 18 is required.
+lowest_compatible_nc 18
+
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 OnlyOffice
+cpu_check 2 OnlyOffice
+
+# Check if Nextcloud is installed with TLS
+if ! occ_command_no_check config:system:get overwrite.cli.url | grep -q "https"
+then
+msg_box "Sorry, but Nextcloud needs to be run on HTTPS which doesn't seem to be the case here.
+
+You easily activate TLS (HTTPS) by running the Let's Encrypt script found in $SCRIPTS.
+More info here: https://bit.ly/37wRCin
+
+To run this script again, just exectue 'sudo bash $SCRIPTS/apps.sh' and choose OnlyOffice."
+ exit
+fi
+
+# Check if OnlyOffice is installed using the old method
+if does_this_docker_exist 'onlyoffice/documentserver'
+then
+ # Greater than 18.0.1 is 18.0.2 which is required
+ if version_gt "$CURRENTVERSION" "18.0.1"
+ then
+ msg_box "Your server is compatible with the new way of installing OnlyOffice. We will now remove the old docker and install the app from Nextcloud instead."
+ # Remove docker image
+ docker_prune_this 'onlyoffice/documentserver'
+ # Revoke LE
+ SUBDOMAIN=$(whiptail --title "T&M Hansson IT - OnlyOffice" --inputbox "Please enter the subdomain you are using for OnlyOffice, eg: office.yourdomain.com" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [ -f "$CERTFILES/$SUBDOMAIN/cert.pem" ]
+ then
+ yes no | certbot revoke --cert-path "$CERTFILES/$SUBDOMAIN/cert.pem"
+ REMOVE_OLD="$(find "$LETSENCRYPTPATH/" -name "$SUBDOMAIN*")"
+ for remove in $REMOVE_OLD
+ do rm -rf "$remove"
+ done
+ fi
+ # Remove Apache2 config
+ if [ -f "$SITES_AVAILABLE/$SUBDOMAIN.conf" ]
+ then
+ a2dissite "$SUBDOMAIN".conf
+ restart_webserver
+ rm -f "$SITES_AVAILABLE/$SUBDOMAIN.conf"
+ fi
+ # Remove trusted domain
+ count=0
+ while [ "$count" -lt 10 ]
+ do
+ if [ "$(occ_command_no_check config:system:get trusted_domains "$count")" == "$SUBDOMAIN" ]
+ then
+ occ_command_no_check config:system:delete trusted_domains "$count"
+ break
+ else
+ count=$((count+1))
+ fi
+ done
+ else
+msg_box "You need to run at least Nextcloud 18.0.1 to be able to run OnlyOffice. Please upgrade using the built in script:
+
+'sudo bash $SCRIPTS/update.sh'
+
+You can also buy support directly in our shop: https://shop.hanssonit.se/product/upgrade-between-major-owncloud-nextcloud-versions/"
+ exit
+ fi
+# Check if OnlyOffice is installed using the new method
+elif version_gt "$CURRENTVERSION" "18.0.1" && ! does_this_docker_exist 'onlyoffice/documentserver'
+then
+ if is_app_enabled documentserver_community
+ then
+ choice=$(whiptail --radiolist "It seems like 'OnlyOffice' is already installed.\nChoose what you want to do.\nSelect by pressing the spacebar and ENTER" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "Uninstall OnlyOffice" "" OFF \
+ "Reinstall OnlyOffice" "" ON 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ "Uninstall OnlyOffice")
+ print_text_in_color "$ICyan" "Uninstalling OnlyOffice..."
+ occ_command app:remove documentserver_community
+ # Disable Onlyoffice App if activated
+ if is_app_installed onlyoffice
+ then
+ occ_command app:remove onlyoffice
+ fi
+ msg_box "OnlyOffice was successfully uninstalled."
+ exit
+ ;;
+ "Reinstall OnlyOffice")
+ print_text_in_color "$ICyan" "Reinstalling OnlyOffice..."
+ occ_command app:remove documentserver_community
+ ;;
+ *)
+ ;;
+ esac
+ fi
+else
+msg_box "You need to run at least Nextcloud 18.0.1 to be able to run OnlyOffice. Please upgrade using the built in script:
+
+'sudo bash $SCRIPTS/update.sh'
+
+You can also buy support directly in our shop: https://shop.hanssonit.se/product/upgrade-between-major-owncloud-nextcloud-versions/"
+ exit
+fi
+
+# Check if apache2 evasive-mod is enabled and disable it because of compatibility issues
+if [ "$(apache2ctl -M | grep evasive)" != "" ]
+then
+ msg_box "We noticed that 'mod_evasive' is installed which is the DDOS protection for webservices. It has comptibility issues with OnlyOffice and you can now choose to disable it."
+ if [[ "no" == $(ask_yes_or_no "Do you want to disable DDOS protection?") ]]
+ then
+ print_text_in_color "$ICyan" "Keeping mod_evasive active."
+ else
+ a2dismod evasive
+ # a2dismod mod-evasive # not needed, but existing in the Extra Security script.
+ apt-get purge libapache2-mod-evasive -y
+ systemctl restart apache2.service
+ fi
+fi
+
+# Check if collabora is installed and remove every trace of it
+if does_this_docker_exist 'collabora/code'
+then
+ msg_box "You can't run both Collabora and OnlyOffice on the same VM. We will now remove Collabora from the server."
+ # Remove docker image
+ docker_prune_this 'collabora/code'
+ # Revoke LE
+ SUBDOMAIN=$(whiptail --title "T&M Hansson IT - OnlyOffice" --inputbox "Please enter the subdomain you are using for Collabora, eg: office.yourdomain.com" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [ -f "$CERTFILES/$SUBDOMAIN/cert.pem" ]
+ then
+ yes no | certbot revoke --cert-path "$CERTFILES/$SUBDOMAIN/cert.pem"
+ REMOVE_OLD="$(find "$LETSENCRYPTPATH/" -name "$SUBDOMAIN*")"
+ for remove in $REMOVE_OLD
+ do rm -rf "$remove"
+ done
+ fi
+ # Remove Apache2 config
+ if [ -f "$SITES_AVAILABLE/$SUBDOMAIN.conf" ]
+ then
+ a2dissite "$SUBDOMAIN".conf
+ restart_webserver
+ rm -f "$SITES_AVAILABLE/$SUBDOMAIN.conf"
+ fi
+ # Disable Collabora App if activated
+ if is_app_installed richdocuments
+ then
+ occ_command app:remove richdocuments
+ fi
+ # Remove trusted domain
+ count=0
+ while [ "$count" -lt 10 ]
+ do
+ if [ "$(occ_command_no_check config:system:get trusted_domains "$count")" == "$SUBDOMAIN" ]
+ then
+ occ_command_no_check config:system:delete trusted_domains "$count"
+ break
+ else
+ count=$((count+1))
+ fi
+ done
+fi
+
+# Install OnlyOffice
+msg_box "We will now install OnlyOffice.
+
+Please note that it might take very long time to install the app, and you will not see any progress bar.
+
+Please be paitent, don't abort."
+install_and_enable_app onlyoffice
+sleep 2
+if install_and_enable_app documentserver_community
+then
+ chown -R www-data:www-data "$NC_APPS_PATH"
+ occ_command config:app:set onlyoffice DocumentServerUrl --value="$(occ_command_no_check config:system:get overwrite.cli.url)apps/documentserver_community/"
+ msg_box "OnlyOffice was successfully installed."
+else
+ msg_box "The documentserver_community app failed to install. Please try again later.\n\nIf the error presist, please report the issue to https://github.com/nextcloud/documentserver_community\n\n'sudo -u www-data php ./occ app:install documentserver_community failed!'"
+fi
+
+if ! is_app_installed onlyoffice
+then
+ msg_box "The onlyoffice app failed to install. Please try again later."
+fi
+
+# Just make sure the script exits
+exit
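Review bot: `SUBDOMAIN` from the whiptail input box is used unvalidated in `find "$LETSENCRYPTPATH/" -name "$SUBDOMAIN*"` followed by `rm -rf`, in both the old-OnlyOffice cleanup and the Collabora cleanup. The trailing `*` makes this a prefix match, so cleaning up `office.yourdomain.com` also removes files of any other certificate whose name merely starts with that string, and the unquoted `for remove in $REMOVE_OLD` splits paths on whitespace. I would validate the value first, e.g. `[[ "$SUBDOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1`, and let certbot remove its own lineage with `certbot delete --cert-name "$SUBDOMAIN"` rather than the find/rm loop. A cancelled dialog leaves `SUBDOMAIN` empty, and the trusted_domains loop then compares against an empty string and presumably matches the first unset index; the same validation covers that case.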
diff --git a/apps/previewgenerator.sh b/apps/previewgenerator.sh
new file mode 100644
index 00000000..382c96f2
--- /dev/null
+++ b/apps/previewgenerator.sh
@@ -0,0 +1,244 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# PHP 7.x is needed
+if is_this_installed php5.6-common
+then
+ msg_box "At least PHP 7.X is supported, please upgrade your PHP version: https://shop.hanssonit.se/product/upgrade-php-version-including-dependencies/"
+ exit
+elif is_this_installed php5.5-common
+then
+ msg_box "At least PHP 7.X is supported, please upgrade your PHP version: https://shop.hanssonit.se/product/upgrade-php-version-including-dependencies/"
+ exit
+fi
+
+# Encryption may not be enabled
+if is_app_enabled encryption
+then
+ msg_box "It seems like you have encryption enabled which is unsupported when using the Preview Generator"
+ exit
+fi
+
+msg_box "This script will install the Preview Generator.
+
+It can speedup the loading of previews in Nextcloud a lot.
+
+Please note: If you continue, all your current Preview Generator settings will be lost, if any."
+if [[ "yes" == $(ask_yes_or_no "Do you want to install the Preview Generator?") ]]
+then
+ # Install preview generator
+ print_text_in_color "$ICyan" "Installing the Preview Generator..."
+ install_and_enable_app previewgenerator
+
+ # check if the previewgenerator is installed and enabled
+ if is_app_installed previewgenerator
+ then
+ # enable previews
+ occ_command config:system:set enable_previews --value=true --type=boolean
+
+ # install needed dependency for movies
+ install_if_not ffmpeg
+
+ # reset the preview formats
+ occ_command config:system:delete "enabledPreviewProviders"
+
+ # reset the cronjob
+ print_text_in_color "$ICyan" "Resetting the cronjob for the preview-generation"
+ crontab -u www-data -l | grep -v 'preview:pre-generate' | crontab -u www-data -
+ else
+ exit
+ fi
+else
+ exit
+fi
+
+msg_box "In the next step you can choose to install a package called imagick to speed up the generation of previews and add support for more filetypes.
+
+The currently supported filetypes are:
+* PNG
+* JPEG
+* GIF
+* BMP
+* MarkDown
+* MP3
+* TXT
+* Movie
+* Photoshop (needs imagick)
+* SVG (needs imagick)
+* TIFF (needs imagick)"
+
+msg_box "IMPORTANT NOTE!!
+
+Imagick will put your server at risk as it's is known to have several flaws.
+You can check this issue to understand why: https://github.com/nextcloud/vm/issues/743
+
+Please note: If you choose not to install imagick, it will get removed now."
+if [[ "yes" == $(ask_yes_or_no "Do you want to install imagick?") ]]
+then
+ # Install imagick
+ install_if_not php-imagick
+ install_if_not libmagickcore-6.q16-3-extra
+
+ # Choose file formats fo the case when imagick is installed.
+ # for additional previews please look at the nextcloud documentation. But these probably won't work.
+ choice=$(whiptail --title "Choose file formats" --checklist "Now you can choose for which file formats you would like to generate previews for\nSelect or unselect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "PNG" "" ON \
+ "JPEG" "" ON \
+ "GIF" "" ON \
+ "BMP" "" ON \
+ "MarkDown" "" ON \
+ "MP3" "" ON \
+ "TXT" "" ON \
+ "Movie" "" ON \
+ "Photoshop" "" ON \
+ "SVG" "" ON \
+ "TIFF" "" ON 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ *"PNG"*)
+ occ_command config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\PNG"
+ ;;&
+ *"JPEG"*)
+ occ_command config:system:set enabledPreviewProviders 1 --value="OC\\Preview\\JPEG"
+ ;;&
+ *"GIF"*)
+ occ_command config:system:set enabledPreviewProviders 2 --value="OC\\Preview\\GIF"
+ ;;&
+ *"BMP"*)
+ occ_command config:system:set enabledPreviewProviders 3 --value="OC\\Preview\\BMP"
+ ;;&
+ *"MarkDown"*)
+ occ_command config:system:set enabledPreviewProviders 4 --value="OC\\Preview\\MarkDown"
+ ;;&
+ *"MP3"*)
+ occ_command config:system:set enabledPreviewProviders 5 --value="OC\\Preview\\MP3"
+ ;;&
+ *"TXT"*)
+ occ_command config:system:set enabledPreviewProviders 6 --value="OC\\Preview\\TXT"
+ ;;&
+ *"Movie"*)
+ occ_command config:system:set enabledPreviewProviders 7 --value="OC\\Preview\\Movie"
+ ;;&
+ *"Photoshop"*)
+ occ_command config:system:set enabledPreviewProviders 8 --value="OC\\Preview\\Photoshop"
+ ;;&
+ *"SVG"*)
+ occ_command config:system:set enabledPreviewProviders 9 --value="OC\\Preview\\SVG"
+ ;;&
+ *"TIFF"*)
+ occ_command config:system:set enabledPreviewProviders 10 --value="OC\\Preview\\TIFF"
+ ;;&
+ *)
+ ;;
+ esac
+else
+ # check if imagick ist installed and remove it
+ if is_this_installed php-imagick
+ then
+ apt-get purge php-imagick -y
+ fi
+ # check if libmagickcore is installed and remove it
+ if is_this_installed libmagickcore-6.q16-3-extra
+ then
+ apt-get purge libmagickcore-6.q16-3-extra -y
+ fi
+ # Choose file formats fo the case when imagick is not installed.
+ # for additional previews please look at the nextcloud documentation. But these probably won't work.
+ choice=$(whiptail --title "Choose file formats" --checklist "Now you can choose for which file formats you would like to generate previews for\nSelect or unselect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "PNG" "" ON \
+ "JPEG" "" ON \
+ "GIF" "" ON \
+ "BMP" "" ON \
+ "MarkDown" "" ON \
+ "MP3" "" ON \
+ "TXT" "" ON \
+ "Movie" "" ON 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ *"PNG"*)
+ occ_command config:system:set enabledPreviewProviders 11 --value="OC\\Preview\\PNG"
+ ;;&
+ *"JPEG"*)
+ occ_command config:system:set enabledPreviewProviders 12 --value="OC\\Preview\\JPEG"
+ ;;&
+ *"GIF"*)
+ occ_command config:system:set enabledPreviewProviders 13 --value="OC\\Preview\\GIF"
+ ;;&
+ *"BMP"*)
+ occ_command config:system:set enabledPreviewProviders 14 --value="OC\\Preview\\BMP"
+ ;;&
+ *"MarkDown"*)
+ occ_command config:system:set enabledPreviewProviders 15 --value="OC\\Preview\\MarkDown"
+ ;;&
+ *"MP3"*)
+ occ_command config:system:set enabledPreviewProviders 16 --value="OC\\Preview\\MP3"
+ ;;&
+ *"TXT"*)
+ occ_command config:system:set enabledPreviewProviders 17 --value="OC\\Preview\\TXT"
+ ;;&
+ *"Movie"*)
+ occ_command config:system:set enabledPreviewProviders 18 --value="OC\\Preview\\Movie"
+ ;;&
+ *)
+ ;;
+ esac
+fi
+
+# Set aspect ratio
+occ_command config:app:set previewgenerator squareSizes --value="32 256"
+occ_command config:app:set previewgenerator widthSizes --value="256 384"
+occ_command config:app:set previewgenerator heightSizes --value="256"
+occ_command config:system:set preview_max_x --value="2048"
+occ_command config:system:set preview_max_y --value="2048"
+occ_command config:system:set jpeg_quality --value="60"
+occ_command config:app:set preview jpeg_quality --value="60"
+
+msg_box "In the last step you can define a specific Nextcloud user for which will be the user that runs the preview-generation.
+
+The default behaviour (just hit [ENTER]) is to run with the system user 'www-data' which will generate previews for all users.
+
+If you on the other hand choose to use a specific user, previews will ONLY be generated for that specific user."
+if [[ "no" == $(ask_yes_or_no "Do you want to choose a specific Nextcloud user to generate previews?") ]]
+then
+ print_text_in_color "$ICyan" "Using www-data (all Nextcloud users) for generating previews..."
+ # Add crontab for www-data
+ crontab -u www-data -l | { cat; echo "0 4 * * * php -f $NCPATH/occ preview:pre-generate >> $VMLOGS/previewgenerator.log"; } | crontab -u www-data -
+ touch "$VMLOGS"/previewgenerator.log
+ chown www-data:www-data "$VMLOGS"/previewgenerator.log
+
+ # Pre generate everything
+ occ_command preview:generate-all
+else
+ while true
+ do
+ PREVIEW_USER=$(whiptail --inputbox "Enter the Nextcloud user for which you want to run the preview-generation" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [ -z "$(occ_command user:list | grep "$PREVIEW_USER" | awk '{print $3}')" ]
+ then
+ msg_box "It seems like the user you entered ($PREVIEW_USER) doesn't exist, please try again."
+ else
+ break
+ fi
+ done
+ # Add crontab for $PREVIEW_USER
+ crontab -u www-data -l | { cat; echo "0 4 * * * php -f $NCPATH/occ preview:pre-generate $PREVIEW_USER >> $VMLOGS/previewgenerator.log"; } | crontab -u www-data -
+ touch "$VMLOGS"/previewgenerator.log
+ chown www-data:www-data "$VMLOGS"/previewgenerator.log
+
+ # Pre generate everything
+ occ_command preview:generate-all "$PREVIEW_USER"
+fi
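Review bot: The existence check `occ_command user:list | grep "$PREVIEW_USER"` in the final `while true` loop is an unanchored regex match over the whole listing, so an empty entry, a partial name or a string matching a display name all pass as a valid user. The accepted value is then written unquoted into the www-data crontab line (`preview:pre-generate $PREVIEW_USER >> ...`), where cron's shell will re-parse it. I would reject empty input and anything outside a conservative allow-list, e.g. `[[ "$PREVIEW_USER" =~ ^[A-Za-z0-9_.@-]+$ ]]`, and confirm the account with an exact lookup such as `occ_command_no_check user:info "$PREVIEW_USER"` instead of grep. A short comment above the loop stating that the value ends up in a cron command line would help the next maintainer keep that check in place.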
diff --git a/apps/smbmount.sh b/apps/smbmount.sh
new file mode 100644
index 00000000..17666760
--- /dev/null
+++ b/apps/smbmount.sh
@@ -0,0 +1,597 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Variables
+MAX_COUNT=16
+SMBSHARES="/mnt/smbshares"
+SMBSHARES_SED=${SMBSHARES//\//\\/}
+SMB_CREDENTIALS="/root/.smbcredentials"
+
+# Install whiptail if not existing
+install_if_not whiptail
+
+# Check MAX_COUNT
+if ! [ $MAX_COUNT -gt 0 ]
+then
+ msg_box "The MAX_COUNT variable has to be a positive integer, greater than 0. Please change it accordingly. Recommended is MAX_COUNT=16, because not all menus work reliably with a higher count."
+ exit
+fi
+
+# Install cifs-utils
+install_if_not cifs-utils
+
+# Make sure, that name resolution works
+install_if_not winbind
+if [ "$(grep "^hosts:" /etc/nsswitch.conf | grep wins)" == "" ]
+then
+ sed -i '/^hosts/ s/$/ wins/' /etc/nsswitch.conf
+fi
+
+# Functions
+add_mount() {
+
+# Check if mounting slots are available
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ if grep -q "$SMBSHARES/$count " /etc/fstab
+ then
+ count=$((count+1))
+ else
+ break
+ fi
+done
+if [ $count -gt $MAX_COUNT ]
+then
+ msg_box "All $MAX_COUNT slots are occupied. No mounting slots available. Please delete one of the SMB-mounts.\nIf you really want to mount more, you can simply download the smb-mount script directly and edit the variable 'MAX_COUNT' to a higher value than $MAX_COUNT by running:\n'curl -sLO https://raw.githubusercontent.com/nextcloud/vm/master/apps/smbmount.sh /var/scripts'\n'sudo nano /var/scripts/smbmount.sh' # Edit MAX_COUNT=$MAX_COUNT to your likings and save the file\n'sudo bash /var/scripts/smbmount.sh' # Execute the script."
+ return
+fi
+
+# Enter SMB-server and Share-name
+while true
+do
+ SERVER_SHARE_NAME=$(whiptail --inputbox "Please enter the server and Share-name like this:\n//Server/Share\nor\n//IP-address/Share" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [[ "no" == $(ask_yes_or_no "Is this correct? $SERVER_SHARE_NAME") ]]
+ then
+ msg_box "It seems like your weren't satisfied by the PATH you entered. Please try again."
+ else
+ SERVER_SHARE_NAME=${SERVER_SHARE_NAME// /\\040}
+ break
+ fi
+done
+
+# Enter the SMB-user
+while true
+do
+ SMB_USER=$(whiptail --inputbox "Please enter the username of the SMB-user" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [[ "no" == $(ask_yes_or_no "Is this correct? $SMB_USER") ]]
+ then
+ msg_box "It seems like your weren't satisfied by the SMB-user you entered. Please try again."
+ else
+ break
+ fi
+done
+
+# Enter the password of the SMB-user
+while true
+do
+ SMB_PASSWORD=$(whiptail --inputbox "Please enter the password of the SMB-user $SMB_USER.\nPlease note, that comma as a character in the password is not supported." "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [[ "no" == $(ask_yes_or_no "Is this correct? $SMB_PASSWORD") ]]
+ then
+ msg_box "It seems like your weren't satisfied by the password for the SMB-user you entered. Please try again."
+ else
+ break
+ fi
+done
+
+# Write everything to /etc/fstab, mount and connect external storage
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ # Check which mounting slot is available
+ if ! grep -q "$SMBSHARES/$count " /etc/fstab
+ then
+ # Write to /etc/fstab and mount
+ echo "$SERVER_SHARE_NAME $SMBSHARES/$count cifs credentials=$SMB_CREDENTIALS/SMB$count,vers=3.0,uid=www-data,gid=www-data,file_mode=0770,dir_mode=0770,nounix,noserverino 0 0" >> /etc/fstab
+ mkdir -p $SMB_CREDENTIALS
+ touch $SMB_CREDENTIALS/SMB$count
+ chown -R root:root $SMB_CREDENTIALS
+ chmod -R 600 $SMB_CREDENTIALS
+ echo "username=$SMB_USER" > $SMB_CREDENTIALS/SMB$count
+ echo "password=$SMB_PASSWORD" >> $SMB_CREDENTIALS/SMB$count
+ unset SMB_USER && unset SMB_PASSWORD
+ mkdir -p "$SMBSHARES/$count"
+ mount "$SMBSHARES/$count"
+
+ # Check if mounting was successful
+ if ! mountpoint -q $SMBSHARES/$count
+ then
+ # If not remove this line from fstab
+ msg_box "It seems like the mount wasn't successful. It will get deleted now. Please try again.\nAs a hint:\n- you might fix the connection problem by enabling SMB3 on your SMB-server.\n- You could also try to use the IP-address of the SMB-server instead of the Server-name, if not already done.\n- Please also make sure, that 'ping IP-address' of your SMB-Server from your Nextcloud-instance works."
+ sed -i "/$SMBSHARES_SED\/$count /d" /etc/fstab
+ if [ -f $SMB_CREDENTIALS/SMB$count ]
+ then
+ check_command rm $SMB_CREDENTIALS/SMB$count
+ fi
+ break
+ else
+ # Check if Nextcloud is existing
+ if [ -f $NCPATH/occ ]
+ then
+ # Install and enable files_external
+ if ! is_app_enabled files_external
+ then
+ install_and_enable_app files_external
+ fi
+
+ # Create and mount external storage to the admin group
+ MOUNT_ID=$(occ_command files_external:create "SMB$count" local null::null -c datadir="$SMBSHARES/$count" )
+ MOUNT_ID=${MOUNT_ID//[!0-9]/}
+ occ_command files_external:applicable --add-group=admin "$MOUNT_ID" -q
+ occ_command files_external:option "$MOUNT_ID" filesystem_check_changes 1
+
+ # Inform the user that mounting was successful
+ msg_box "Your mount was successful, congratulations!\nIt's now accessible in your root directory under $SMBSHARES/$count.\nYou are now using the Nextcloud external storage app to access files there. The Share has been mounted to the Nextcloud admin-group.\nYou can now access 'https://yourdomain-or-ipaddress/settings/admin/externalstorages' to rename 'SMB$count' to whatever you like or e.g. enable sharing."
+ break
+ else
+ # Inform the user that mounting was successful
+ msg_box "Your mount was successful, congratulations!\nIt's now accessible in your root directory under $SMBSHARES/$count."
+ break
+ fi
+ fi
+ fi
+ count=$((count+1))
+done
+return
+}
+
+mount_shares() {
+
+# Check if any SMB-share is created
+if ! grep -q "$SMBSHARES" /etc/fstab
+then
+ msg_box "It seems like you have not created any SMB-share."
+ return
+fi
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ if grep -q "$SMBSHARES/$count " /etc/fstab
+ then
+ if mountpoint -q $SMBSHARES/$count
+ then
+ count=$((count+1))
+ else
+ break
+ fi
+ else
+ count=$((count+1))
+ fi
+done
+if [ $count -gt $MAX_COUNT ]
+then
+ msg_box "No existing SMB-mount-entry is unmounted. So nothing to mount."
+ return
+fi
+
+args=(whiptail --title "Mount SMB-shares" --checklist "This option let you mount SMB-shares to connect to network-shares from the host-computer or other machines in the local network.\nChoose which one you want to mount.\nSelect or unselect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4)
+count=1
+
+# Find out which SMB-shares are available
+while [ $count -le $MAX_COUNT ]
+do
+ if ! mountpoint -q $SMBSHARES/$count && grep -q "$SMBSHARES/$count " /etc/fstab
+ then
+ args+=("$SMBSHARES/$count " "$(grep "$SMBSHARES/$count " /etc/fstab | awk '{print $1}')" OFF)
+ fi
+ count=$((count+1))
+done
+
+# Let the user choose which SMB-shares he wants to mount
+selected_options=$("${args[@]}" 3>&1 1>&2 2>&3)
+count=1
+
+# Mount selected SMB-shares
+while [ $count -le $MAX_COUNT ]
+do
+ if [[ $selected_options == *"$SMBSHARES/$count "* ]]
+ then
+ mount "$SMBSHARES/$count"
+ if ! mountpoint -q $SMBSHARES/$count
+ then
+ msg_box "It seems like the mount of $SMBSHARES/$count wasn't successful. Please try again."
+ else
+ msg_box "Your mount was successful, congratulations!\n It is accessible in your root directory in $SMBSHARES/$count\nYou can use the Nextcloud external storage app to access files there."
+ fi
+ fi
+ count=$((count+1))
+done
+return
+}
+
+show_all_mounts() {
+
+# If no entry created, nothing to show
+if ! grep -q "$SMBSHARES" /etc/fstab
+then
+ msg_box "You haven't created any SMB-mount. So nothing to show."
+ return
+fi
+
+# Find out which SMB-shares are available
+args=(whiptail --title "List SMB-shares" --checklist "This option let you show detailed information about your SMB-shares.\nChoose which one you want to change.\nSelect or unselect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4)
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ if grep -q "$SMBSHARES/$count " /etc/fstab
+ then
+ args+=("$SMBSHARES/$count " "$(grep "$SMBSHARES/$count " /etc/fstab | awk '{print $1}')" OFF)
+ fi
+ count=$((count+1))
+done
+
+# Let the user choose which details he wants to see
+selected_options=$("${args[@]}" 3>&1 1>&2 2>&3)
+
+# Show selected Shares
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ if [[ $selected_options == *"$SMBSHARES/$count "* ]]
+ then
+ if [ -f $SMB_CREDENTIALS/SMB$count ]
+ then
+ msg_box "$(grep "$SMBSHARES/$count " /etc/fstab)\n$(cat $SMB_CREDENTIALS/SMB$count)"
+ else
+ msg_box "$(grep "$SMBSHARES/$count " /etc/fstab)"
+ fi
+ fi
+ count=$((count+1))
+done
+return
+}
+
+change_mount() {
+
+# If no entry created, nothing to show
+if ! grep -q "$SMBSHARES" /etc/fstab
+then
+ msg_box "You haven't created any SMB-mount. So nothing to change."
+ return
+fi
+
+# Find out which SMB-shares are available
+args=(whiptail --title "Change a SMB-mount" --radiolist "This option let you change the password, the username and/or the network-share of one of your SMB-mounts.\nChoose which one you want to show.\nSelect one with the [ARROW] keys and select with the [SPACE] key. Confirm by pressing [ENTER]" "$WT_HEIGHT" "$WT_WIDTH" 4)
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ if grep -q "$SMBSHARES/$count " /etc/fstab
+ then
+ args+=("$SMBSHARES/$count " "$(grep "$SMBSHARES/$count " /etc/fstab | awk '{print $1}')" OFF)
+ fi
+ count=$((count+1))
+done
+
+# Let the user choose which mount he wants to change
+selected_option=$("${args[@]}" 3>&1 1>&2 2>&3)
+
+if [[ "$selected_option" == "" ]]
+then
+ return
+fi
+
+# Get count back from selected_option
+count=${selected_option//[!0-9]/}
+
+# Test if SMB-share is still mounted and unmount if yes
+if mountpoint -q "$SMBSHARES/$count"
+then
+ umount "$SMBSHARES/$count"
+ was_mounted=yes
+ if mountpoint -q "$SMBSHARES/$count"
+ then
+ msg_box "It seems like the unmount of $SMBSHARES/$count wasn't successful while trying to change the mount. Please try again."
+ return
+ fi
+fi
+
+# Store fstab entry for later in a variable
+fstab_entry=$(grep "$SMBSHARES/$count " /etc/fstab)
+
+# Get old password and username
+if ! [ -f "$SMB_CREDENTIALS/SMB$count" ]
+then
+ SERVER_SHARE_NAME=$(echo "$fstab_entry" | awk '{print $1}')
+ SMB_USER=${fstab_entry##*username=}
+ SMB_USER=${SMB_USER%%,*}
+ SMB_PASSWORD=${fstab_entry##*password=}
+ SMB_PASSWORD=${SMB_PASSWORD%%,*}
+else
+ old_credentials=$(cat "$SMB_CREDENTIALS/SMB$count")
+ SMB_USER=$(echo "$old_credentials" | grep username=)
+ SMB_USER=${SMB_USER##*username=}
+ SMB_PASSWORD=$(echo "$old_credentials" | grep password=)
+ SMB_PASSWORD=${SMB_PASSWORD##*password=}
+fi
+
+# Let the user choose which entries he wants to change
+choice=$(whiptail --title "Change a SMB-mount" --checklist "$fstab_entry\n$old_credentials\nChoose which option you want to change.\nSelect or unselect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"Password" "(change the password of the SMB-user)" OFF \
+"Username" "(change the username of the SMB-user)" OFF \
+"Share" "(change the SMB-share to use the same mount directory)" OFF 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ *"Share"*)
+ clear
+ # Enter SMB-server and Share-name
+ while true
+ do
+ SERVER_SHARE_NAME=$(whiptail --inputbox "Please enter the server and Share-name like this:\n//Server/Share\nor\n//IP-address/Share" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [[ "no" == $(ask_yes_or_no "Is this correct? $SERVER_SHARE_NAME") ]]
+ then
+ msg_box "It seems like your weren't satisfied by the PATH you entered. Please try again."
+ else
+ SERVER_SHARE_NAME=${SERVER_SHARE_NAME// /\\040}
+ break
+ fi
+ done
+ ;;&
+ *"Username"*)
+ clear
+ # Enter the SMB-user
+ while true
+ do
+ SMB_USER=$(whiptail --inputbox "Please enter the username of the SMB-user" "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [[ "no" == $(ask_yes_or_no "Is this correct? $SMB_USER") ]]
+ then
+ msg_box "It seems like your weren't satisfied by the SMB-user you entered. Please try again."
+ else
+ break
+ fi
+ done
+ ;;&
+ *"Password"*)
+ clear
+ # Enter the password of the SMB-user
+ while true
+ do
+ SMB_PASSWORD=$(whiptail --inputbox "Please enter the password of the SMB-user $SMB_USER.\nPlease note, that comma as a character in the password is not supported." "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+ if [[ "no" == $(ask_yes_or_no "Is this correct? $SMB_PASSWORD") ]]
+ then
+ msg_box "It seems like your weren't satisfied by the password for the SMB-user you entered. Please try again."
+ else
+ break
+ fi
+ done
+ ;;&
+ "")
+ return
+ ;;&
+ *)
+ ;;
+esac
+
+# Remove that line from fstab
+selected_option_sed=${selected_option//\//\\/}
+sed -i "/$selected_option_sed/d" /etc/fstab
+unset old_credentials
+
+# Backup old credentials file
+if [ -f "$SMB_CREDENTIALS/SMB$count" ]
+then
+ mv "$SMB_CREDENTIALS/SMB$count" "$SMB_CREDENTIALS/SMB$count.old"
+fi
+
+# Write changed line to /etc/fstab and mount
+echo "$SERVER_SHARE_NAME $SMBSHARES/$count cifs credentials=$SMB_CREDENTIALS/SMB$count,vers=3.0,uid=www-data,gid=www-data,file_mode=0770,dir_mode=0770,nounix,noserverino 0 0" >> /etc/fstab
+mkdir -p $SMB_CREDENTIALS
+touch "$SMB_CREDENTIALS/SMB$count"
+chown -R root:root $SMB_CREDENTIALS
+chmod -R 600 $SMB_CREDENTIALS
+echo "username=$SMB_USER" > "$SMB_CREDENTIALS/SMB$count"
+echo "password=$SMB_PASSWORD" >> "$SMB_CREDENTIALS/SMB$count"
+unset SMB_USER && unset SMB_PASSWORD
+mount "$SMBSHARES/$count"
+
+# Check if mounting was successful
+if ! mountpoint -q "$SMBSHARES/$count"
+then
+ # If not remove this line from fstab
+ msg_box "It seems like the mount of the changed configuration wasn't successful. It will get deleted now. The old config will get restored now. Please try again to change the mount."
+ sed -i "/$selected_option_sed/d" /etc/fstab
+ echo "$fstab_entry" >> /etc/fstab
+ unset fstab_entry
+ if [ -f "$SMB_CREDENTIALS/SMB$count.old" ]
+ then
+ rm "$SMB_CREDENTIALS/SMB$count"
+ mv "$SMB_CREDENTIALS/SMB$count.old" "$SMB_CREDENTIALS/SMB$count"
+ fi
+ if [[ $was_mounted == yes ]]
+ then
+ unset was_mounted
+ mount "$SMBSHARES/$count"
+ if ! mountpoint -q "$SMBSHARES/$count"
+ then
+ msg_box "Your old configuration couldn't get mounted but is restored to /etc/fstab."
+ fi
+ fi
+else
+ # Remove the backup file
+ if [ -f "$SMB_CREDENTIALS/SMB$count.old" ]
+ then
+ check_command rm "$SMB_CREDENTIALS/SMB$count.old"
+ fi
+
+ # Inform the user that mounting was successful
+ msg_box "Your change of the mount was successful, congratulations!"
+fi
+
+}
+
+unmount_shares() {
+
+# Check if any SMB-shares are available for unmounting
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ if ! mountpoint -q $SMBSHARES/$count
+ then
+ count=$((count+1))
+ else
+ break
+ fi
+done
+if [ $count -gt $MAX_COUNT ]
+then
+ msg_box "You haven't mounted any SMB-mount. So nothing to unmount"
+ return
+fi
+
+# Find out which SMB-shares are available
+args=(whiptail --title "Unmount SMB-shares" --checklist "This option let you unmount SMB-shares to disconnect network-shares from the host-computer or other machines in the local network.\nChoose what you want to do.\nSelect or unselect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4)
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ if mountpoint -q $SMBSHARES/$count
+ then
+ args+=("$SMBSHARES/$count " "$(grep "$SMBSHARES/$count " /etc/fstab | awk '{print $1}')" OFF)
+ fi
+ count=$((count+1))
+done
+
+# Let the user select which SMB-shares he wants to unmount
+selected_options=$("${args[@]}" 3>&1 1>&2 2>&3)
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ if [[ $selected_options == *"$SMBSHARES/$count "* ]]
+ then
+ umount "$SMBSHARES/$count"
+ if mountpoint -q $SMBSHARES/$count
+ then
+ msg_box "It seems like the unmount of $SMBSHARES/$count wasn't successful. Please try again."
+ else
+ msg_box "Your unmount of $SMBSHARES/$count was successful!"
+ fi
+ fi
+ count=$((count+1))
+done
+return
+}
+
+delete_mounts() {
+
+# Check if any SMB-share is available
+if ! grep -q "$SMBSHARES" /etc/fstab
+then
+ msg_box "You haven't created any SMB-mount, nothing to delete."
+ return
+fi
+
+# Check which SMB-shares are available
+args=(whiptail --title "Delete SMB-mounts" --checklist "This option let you delete SMB-shares to disconnect and remove network-shares from the Nextcloud VM.\nChoose what you want to do.\nSelect or unselect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4)
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ if grep -q "$SMBSHARES/$count " /etc/fstab
+ then
+ args+=("$SMBSHARES/$count " "$(grep "$SMBSHARES/$count " /etc/fstab | awk '{print $1}')" OFF)
+ fi
+ count=$((count+1))
+done
+
+# Let the user choose which SMB-shares he wants to delete
+selected_options=$("${args[@]}" 3>&1 1>&2 2>&3)
+
+# Delete the selected SMB-shares
+count=1
+while [ $count -le $MAX_COUNT ]
+do
+ if [[ $selected_options == *"$SMBSHARES/$count "* ]]
+ then
+ if mountpoint -q $SMBSHARES/$count
+ then
+ umount "$SMBSHARES/$count"
+ if mountpoint -q $SMBSHARES/$count
+ then
+ msg_box "It seems like the unmount of $SMBSHARES/$count wasn't successful during the deletion. Please try again."
+ else
+ sed -i "/$SMBSHARES_SED\/$count /d" /etc/fstab
+ if [ -f $SMB_CREDENTIALS/SMB$count ]
+ then
+ check_command rm $SMB_CREDENTIALS/SMB$count
+ fi
+ msg_box "Your deletion of $SMBSHARES/$count was successful!"
+ fi
+ else
+ sed -i "/$SMBSHARES_SED\/$count /d" /etc/fstab
+ if [ -f $SMB_CREDENTIALS/SMB$count ]
+ then
+ check_command rm $SMB_CREDENTIALS/SMB$count
+ fi
+ msg_box "Your deletion of $SMBSHARES/$count was successful!"
+ fi
+ fi
+ count=$((count+1))
+done
+return
+}
+
+# Loop main menu until exited
+while true
+do
+ # Main menu
+ choice=$(whiptail --title "SMB-share" --radiolist "This script let you manage SMB-shares to access files from the host-computer or other machines in the local network.\nChoose what you want to do.\nSelect one with the [ARROW] keys and select with the [SPACE] key. Confirm by pressing [ENTER]" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "Add a SMB-mount" "(and mount/connect it)" ON \
+ "Mount SMB-shares" "(connect SMB-shares)" OFF \
+ "Show all SMB-mounts" "(show detailed information about the SMB-mounts)" OFF \
+ "Change a SMB-mount" "(change password, username &/or share of a mount)" OFF \
+ "Unmount SMB-shares" "(disconnect SMB-shares)" OFF \
+ "Delete SMB-mounts" "(and unmount/disconnect them)" OFF \
+ "Exit SMB-share" "(exit this script)" OFF 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ "Add a SMB-mount")
+ add_mount
+ ;;
+ "Mount SMB-shares")
+ mount_shares
+ ;;
+ "Show all SMB-mounts")
+ show_all_mounts
+ ;;
+ "Change a SMB-mount")
+ change_mount
+ ;;
+ "Unmount SMB-shares")
+ unmount_shares
+ ;;
+ "Delete SMB-mounts")
+ delete_mounts
+ ;;
+ "Exit SMB-share")
+ break
+ ;;
+ "")
+ break
+ ;;
+ *)
+ ;;
+ esac
+done
+exit
diff --git a/apps/talk.sh b/apps/talk.sh
new file mode 100644
index 00000000..ab75825b
--- /dev/null
+++ b/apps/talk.sh
@@ -0,0 +1,189 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 && TURN_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+unset TURN_INSTALL
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Must be 20.04
+if ! version 20.04 "$DISTRO" 20.04.6
+then
+msg_box "Your current Ubuntu version is $DISTRO but must be between 20.04 - 20.04.6 to install Talk"
+msg_box "Please contact us to get support for upgrading your server:
+https://www.hanssonit.se/#contact
+https://shop.hanssonit.se/"
+exit
+fi
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Check if adminer is already installed
+print_text_in_color "$ICyan" "Checking if Talk is already installed..."
+if [ -n "$(occ_command_no_check config:app:get spreed turn_servers | sed 's/\[\]//')" ] || is_this_installed coturn
+then
+ choice=$(whiptail --radiolist "It seems like 'Nextcloud Talk' is already installed.\nChoose what you want to do.\nSelect by pressing the spacebar and ENTER" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "Uninstall Nextcloud Talk" "" OFF \
+ "Reinstall Nextcloud Talk" "" ON 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ "Uninstall Nextcloud Talk")
+ print_text_in_color "$ICyan" "Uninstalling Nextcloud Talk and resetting all settings..."
+ occ_command_no_check config:app:delete spreed stun_servers
+ occ_command_no_check config:app:delete spreed turn_servers
+ occ_command_no_check app:remove spreed
+ rm $TURN_CONF
+ apt-get purge coturn -y
+ msg_box "Nextcloud Talk was successfully uninstalled and all settings were resetted."
+ exit
+ ;;
+ "Reinstall Nextcloud Talk")
+ print_text_in_color "$ICyan" "Reinstalling Nextcloud Talk..."
+ occ_command_no_check config:app:delete spreed stun_servers
+ occ_command_no_check config:app:delete spreed turn_servers
+ occ_command_no_check app:remove spreed
+ rm $TURN_CONF
+ apt-get purge coturn -y
+ ;;
+ *)
+ ;;
+ esac
+else
+ print_text_in_color "$ICyan" "Installing Nextcloud Talk..."
+fi
+
+# Check if Nextcloud is installed
+print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
+if ! curl -s https://"${TURN_DOMAIN//\\/}"/status.php | grep -q 'installed":true'
+then
+msg_box "It seems like Nextcloud is not installed or that you don't use https on:
+${TURN_DOMAIN//\\/}
+Please install Nextcloud and make sure your domain is reachable, or activate TLS
+on your domain to be able to run this script.
+If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain.
+
+When TLS is activated, run these commands from your terminal:
+sudo curl -sLO $APP/talk.sh
+sudo bash talk.sh"
+ exit 1
+fi
+
+# Let the user choose port. TURN_PORT in msg_box is taken from lib.sh and later changed if user decides to.
+NONO_PORTS=(22 25 53 80 443 3306 5432 7983 8983 10000)
+msg_box "The default port for Talk used in this script is port $TURN_PORT.
+You can read more about that port here: https://www.speedguide.net/port.php?port=$TURN_PORT
+
+You will now be given the option to change this port to something of your own.
+Please keep in mind NOT to use the following ports as they are likley to be in use already:
+${NONO_PORTS[*]}"
+
+if [[ "yes" == $(ask_yes_or_no "Do you want to change port?") ]]
+then
+ while true
+ do
+ # Ask for port
+cat << ENTERDOMAIN
++---------------------------------------------------------------+
+| Please enter the port you will use for Nextcloud Talk: |
++---------------------------------------------------------------+
+ENTERDOMAIN
+ echo
+ read -r TURN_PORT
+ echo
+ if [[ "yes" == $(ask_yes_or_no "Is this correct? $TURN_PORT") ]]
+ then
+ break
+ fi
+ done
+fi
+
+containsElement () {
+ local e match="$1"
+ shift
+ for e; do [[ "$e" == "$match" ]] && return 0; done
+ return 1
+}
+
+if containsElement "$TURN_PORT" "${NONO_PORTS[@]}"
+then
+ msg_box "You have to choose another port. Please start over."
+ exit 1
+fi
+
+# Install TURN
+check_command install_if_not coturn
+check_command sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
+
+# Create log for coturn
+mkdir -p "$VMLOGS"
+touch "$VMLOGS"/turnserver.log
+
+# Generate $TURN_CONF
+cat << TURN_CREATE > "$TURN_CONF"
+listening-port=$TURN_PORT
+fingerprint
+use-auth-secret
+static-auth-secret=$TURN_SECRET
+realm=$TURN_DOMAIN
+total-quota=100
+bps-capacity=0
+stale-nonce
+no-multicast-peers
+no-stdout-log
+simple-log
+log-file=$VMLOGS/turnserver.log
+TURN_CREATE
+if [ -f "$TURN_CONF" ];
+then
+ print_text_in_color "$IGreen" "$TURN_CONF was successfully created."
+else
+ print_text_in_color "$IRed" "Unable to create $TURN_CONF, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+fi
+
+# Restart the TURN server
+check_command systemctl restart coturn.service
+
+# Warn user to open port
+msg_box "You have to open $TURN_PORT TCP/UDP in your firewall or your TURN/STUN server won't work!
+After you hit OK the script will check for the firewall and eventually exit on failure.
+
+To run again the setup, after fixing your firewall:
+sudo -sLO $APP/talk.sh
+sudo bash talk.sh"
+
+# Check if the port is open
+check_open_port "$TURN_PORT" "$TURN_DOMAIN"
+
+# Enable Spreed (Talk)
+STUN_SERVERS_STRING="[\"$TURN_DOMAIN:$TURN_PORT\"]"
+TURN_SERVERS_STRING="[{\"server\":\"$TURN_DOMAIN:$TURN_PORT\",\"secret\":\"$TURN_SECRET\",\"protocols\":\"udp,tcp\"}]"
+if ! is_app_installed spreed
+then
+ install_and_enable_app spreed
+ occ_command config:app:set spreed stun_servers --value="$STUN_SERVERS_STRING" --output json
+ occ_command config:app:set spreed turn_servers --value="$TURN_SERVERS_STRING" --output json
+ chown -R www-data:www-data "$NC_APPS_PATH"
+fi
+
+if is_app_installed spreed
+then
+msg_box "Nextcloud Talk is now installed. For more information about Nextcloud Talk and its mobile apps visit:
+https://nextcloud.com/talk/"
+fi
+
+exit
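Review bot: The `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` line near the top of apps/talk.sh sources whatever the `master` branch serves at run time, in a script that then requires root. Without `-f`, an HTTP error body is sourced as shell, and a failed fetch leaves `root_check`, `debug_mode` and the other helpers undefined, with no `set -e` visible before that point to stop the script. I would download to a temporary file and abort on failure, `lib=$(mktemp) && curl -fsSL "$LIB_URL" -o "$lib" || exit 1` followed by `NC_UPDATE=1 && TURN_INSTALL=1 . "$lib"`. `LIB_URL` should point at a release tag or commit (`https://raw.githubusercontent.com/nextcloud/vm/<PINNED_REF>/lib.sh`) instead of `master`. The same sourcing line appears in apps/tmbitwarden.sh, apps/webmin.sh and twice in nextcloud-startup-script.sh.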
diff --git a/apps/tmbitwarden.sh b/apps/tmbitwarden.sh
new file mode 100644
index 00000000..d3f68c4a
--- /dev/null
+++ b/apps/tmbitwarden.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Test RAM size (3 GB min) + CPUs (min 2)
+ram_check 3 Bitwarden
+cpu_check 2 Bitwarden
+
+# Check if Bitwarden is already installed
+print_text_in_color "$ICyan" "Checking if Bitwarden is already installed..."
+if [ "$(docker ps -a >/dev/null 2>&1 && echo yes || echo no)" == "yes" ]
+then
+ if docker ps -a --format '{{.Names}}' | grep -Eq "bitwarden";
+ then
+ if is_this_installed apache2
+ then
+ if [ -d /root/bwdata ]
+ then
+ msg_box "It seems like 'Bitwarden' is already installed.\n\nYou cannot run this script twice, because you would loose all your passwords."
+ exit 1
+ fi
+ fi
+ fi
+fi
+
+print_text_in_color "$ICyan" "Installing Bitwarden password manager..."
+
+msg_box "Bitwarden is a password manager that is seperate from Nextcloud, though we provide this service because it's self hosted and secure.
+
+If you just want to run Bitwarden locally (not connecting your smartphone) then you can use 'localhost' as domain.
+If you on the other hand want to run this on a domain, then please create a DNS record and point it to this server.
+In the process of setting up Bitwarden you will be asked to generate an TLS cert with Let's Enrypt so no need to get your own prior to this setup.
+
+The script is based on this documentation: https://help.bitwarden.com/article/install-on-premise/
+It's a good idea to read that before you start this script.
+
+Please also report any issues regarding this script setup to $ISSUES"
+
+msg_box "The necessary preparations to run expose Bitwarden to the internet are:
+1. The HTTP proxy and HTTPS ports for Bitwarden are 8080 and 8443, please open those ports before running this script.
+2. Please create a DNS record and point that to this server.
+3. Raise the amount of RAM to this server to at least 3 GB."
+
+if [[ "no" == $(ask_yes_or_no "Have you made the necessary preparations?") ]]
+then
+msg_box "OK, please do the necessary preparations before you run this script and then simply run it again once you're done.
+
+To run this script again, execute $SCRIPTS/apps.sh and choose Bitwarden"
+ exit
+else
+ sleep 0.1
+fi
+
+# Install Docker
+install_docker
+install_if_not docker-compose
+
+# Stop Apache to not conflict when LE is run
+check_command systemctl stop apache2.service
+
+# Install Bitwarden
+install_if_not curl
+cd /root
+curl_to_dir "https://raw.githubusercontent.com/bitwarden/core/master/scripts" "bitwarden.sh" "/root"
+chmod +x /root/bitwarden.sh
+check_command ./bitwarden.sh install
+sed -i "s|http_port.*|http_port: 8080|g" /root/bwdata/config.yml
+sed -i "s|https_port.*|https_port: 8443|g" /root/bwdata/config.yml
+check_command ./bitwarden.sh rebuild
+check_command ./bitwarden.sh start
+if check_command ./bitwarden.sh updatedb
+then
+msg_box "Bitwarden was sucessfully installed! Please visit $(grep 'url:' /root/bwdata/config.yml | awk '{print$2}'):8443 to setup your account."
+else
+msg_box "Bitwarden installation failed! We will now remove necessary configs to be able to run this script again"
+ rm -rf /root/bwdata/
+fi
+
+# Start Apache2
+check_command systemctl start apache2.service
+
+exit
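Review bot: The already-installed guard only aborts when a container named bitwarden is listed, apache2 is installed and `/root/bwdata` exists all at once. A host where `/root/bwdata` survives without a matching container therefore falls through to `./bitwarden.sh install`, and the failure branch at the end runs `rm -rf /root/bwdata/`. That directory is presumably what holds the data the "loose all your passwords" message refers to, so its presence alone should stop the script: `if [ -d /root/bwdata ]; then msg_box "..."; exit 1; fi` placed ahead of the Docker checks. Whether `check_command` returns or exits on failure is defined in lib.sh, outside this hunk, so how often that `else` branch is reached cannot be confirmed from here.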
diff --git a/apps/webmin.sh b/apps/webmin.sh
new file mode 100644
index 00000000..0ccd6f19
--- /dev/null
+++ b/apps/webmin.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Check if webmin is already installed
+print_text_in_color "$ICyan" "Checking if Webmin is already installed..."
+if is_this_installed webmin
+then
+ choice=$(whiptail --radiolist "It seems like 'Webmin' is already installed.\nChoose what you want to do.\nSelect by pressing the spacebar and ENTER" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+ "Uninstall Webmin" "" OFF \
+ "Reinstall Webmin" "" ON 3>&1 1>&2 2>&3)
+
+ case "$choice" in
+ "Uninstall Webmin")
+ print_text_in_color "$ICyan" "Uninstalling Webmin..."
+ check_command apt --purge autoremove -y webmin
+ msg_box "Webmin was successfully uninstalled."
+ exit
+ ;;
+ "Reinstall Webmin")
+ print_text_in_color "$ICyan" "Reinstalling Webmin..."
+ check_command apt-get purge webmin -y
+ ;;
+ *)
+ ;;
+ esac
+else
+ print_text_in_color "$ICyan" "Installing Webmin..."
+fi
+
+# Install packages for Webmin
+install_if_not apt-transport-https
+install_if_not perl
+install_if_not libnet-ssleay-perl
+install_if_not openssl
+install_if_not libauthen-pam-perl
+install_if_not libpam-runtime
+install_if_not libio-pty-perl
+install_if_not apt-show-versions
+install_if_not python2
+
+# Install Webmin
+if curl -fsSL http://www.webmin.com/jcameron-key.asc | sudo apt-key add -
+then
+ echo "deb https://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list
+ apt update -q4 & spinner_loading
+ install_if_not webmin
+fi
+
+exit
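Review bot: The repository signing key is fetched over plain HTTP in `curl -fsSL http://www.webmin.com/jcameron-key.asc | sudo apt-key add -`, so nothing authenticates the key before it is trusted. `apt-key add` also trusts it for every APT source on the system, not only Webmin's. I would fetch it over HTTPS, compare its fingerprint with a value recorded in the script (`<EXPECTED_FINGERPRINT>`), and store it dearmored at `/usr/share/keyrings/webmin.gpg`. The source line then becomes `deb [signed-by=/usr/share/keyrings/webmin.gpg] https://download.webmin.com/download/repository sarge contrib`, which scopes the key to this repository.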
diff --git a/nextcloud-startup-script.sh b/nextcloud-startup-script.sh
new file mode 100644
index 00000000..0c779f4f
--- /dev/null
+++ b/nextcloud-startup-script.sh
@@ -0,0 +1,565 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+#########
+
+IRed='\e[0;91m' # Red
+IGreen='\e[0;92m' # Green
+ICyan='\e[0;96m' # Cyan
+Color_Off='\e[0m' # Text Reset
+print_text_in_color() {
+ printf "%b%s%b\n" "$1" "$2" "$Color_Off"
+}
+
+print_text_in_color "$ICyan" "Fetching all the variables from lib.sh..."
+
+is_process_running() {
+PROCESS="$1"
+
+while :
+do
+ RESULT=$(pgrep "${PROCESS}")
+
+ if [ "${RESULT:-null}" = null ]; then
+ break
+ else
+ print_text_in_color "$ICyan" "${PROCESS} is running, waiting for it to stop..."
+ sleep 10
+ fi
+done
+}
+
+#########
+
+# Check if dpkg or apt is running
+is_process_running apt
+is_process_running dpkg
+
+# Use local lib file in case there is no internet connection
+if [ -f /var/scripts/lib.sh ]
+then
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NCDB=1 && FIRST_IFACE=1 source /var/scripts/lib.sh
+unset NCDB
+unset FIRST_IFACE
+ # If we have internet, then use the latest variables from the lib remote file
+elif printf "Testing internet connection..." && ping github.com -c 2
+then
+true
+# shellcheck source=lib.sh
+NCDB=1 && FIRST_IFACE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset FIRST_IFACE
+unset NCDB
+else
+ printf "You don't seem to have a working internet connection, and /var/scripts/lib.sh is missing so you can't run this script."
+ printf "Please report this to https://github.com/nextcloud/vm/issues/"
+ exit 1
+fi
+
+# Check if root
+root_check
+
+# Check network
+if network_ok
+then
+ print_text_in_color "$IGreen" "Online!"
+else
+ print_text_in_color "$ICyan" "Setting correct interface..."
+ [ -z "$IFACE" ] && IFACE=$(lshw -c network | grep "logical name" | awk '{print $3; exit}')
+ # Set correct interface
+ cat <<-SETDHCP > "/etc/netplan/01-netcfg.yaml"
+network:
+ version: 2
+ renderer: networkd
+ ethernets:
+ $IFACE:
+ dhcp4: true
+ dhcp6: true
+SETDHCP
+ check_command netplan apply
+ print_text_in_color "$ICyan" "Checking connection..."
+ sleep 1
+ if ! nslookup github.com
+ then
+msg_box "The script failed to get an address from DHCP.
+You must have a working network connection to run this script.
+
+You will now be provided with the option to set a static IP manually instead."
+
+ # Run static_ip script
+ bash /var/scripts/static_ip.sh
+ fi
+fi
+
+# Check network again
+if network_ok
+then
+ print_text_in_color "$IGreen" "Online!"
+elif home_sme_server
+then
+msg_box "It seems like the last try failed as well using LAN ethernet.
+
+Since the Home/SME server is equipped with a WIFI module, you will now be asked to enable it to get connectivity.
+
+Please note: It's not recomended to run a server on WIFI. Using an ethernet cable is always the best."
+ if [[ "yes" == $(ask_yes_or_no "Do you want to enable WIFI on this server?") ]]
+ then
+ nmtui
+ fi
+ if network_ok
+ then
+ print_text_in_color "$IGreen" "Online!"
+ else
+msg_box "Network NOT OK. You must have a working network connection to run this script.
+
+Please contact us for support:
+https://shop.hanssonit.se/product/premium-support-per-30-minutes/
+
+Please also post this issue on: https://github.com/nextcloud/vm/issues"
+ exit 1
+ fi
+else
+msg_box "Network NOT OK. You must have a working network connection to run this script.
+
+Please contact us for support:
+https://shop.hanssonit.se/product/premium-support-per-30-minutes/
+
+Please also post this issue on: https://github.com/nextcloud/vm/issues"
+ exit 1
+fi
+
+# shellcheck source=lib.sh
+NCDB=1 && NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+unset NCDB
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check that this run on the PostgreSQL VM
+if ! is_this_installed postgresql-common
+then
+ print_text_in_color "$IRed" "This script is intended to be run using a PostgreSQL database, but PostgreSQL is not installed."
+ print_text_in_color "$IRed" "Aborting..."
+ exit 1
+fi
+
+# Import if missing and export again to import it with UUID
+zpool_import_if_missing
+
+# Set keyboard layout, important when changing passwords and such
+if [ "$KEYBOARD_LAYOUT" = "us" ]
+then
+ clear
+ print_text_in_color "$ICyan" "Current keyboard layout is English (United States)."
+ if [[ "no" == $(ask_yes_or_no "Do you want to change keyboard layout?") ]]
+ then
+ print_text_in_color "$ICyan" "Not changing keyboard layout..."
+ sleep 1
+ clear
+ else
+ dpkg-reconfigure keyboard-configuration
+ msg_box "We will now set the new keyboard layout directly in this session and reboot the server to apply the new keyboard settings.\n\nWhen the server are rebooted, please login as usual and run this script again."
+ setupcon --force && reboot
+ fi
+fi
+
+# Set locales
+run_script STATIC locales
+
+# Nextcloud 18 is required
+lowest_compatible_nc 18
+
+# Is this run as a pure root user?
+if is_root
+then
+ if [[ "$UNIXUSER" == "ncadmin" ]]
+ then
+ sleep 1
+ else
+ if [ -z "$UNIXUSER" ]
+ then
+msg_box "You seem to be running this as the pure root user.
+You must run this as a regular user with sudo permissions.
+
+Please create a user with sudo permissions and the run this command:
+sudo -u [user-with-sudo-permissions] sudo bash /var/scripts/nextcloud-startup-script.sh
+
+We will do this for you when you hit OK."
+ download_script STATIC adduser
+ bash $SCRIPTS/adduser.sh "$SCRIPTS/nextcloud-startup-script.sh"
+ rm $SCRIPTS/adduser.sh
+ else
+msg_box "You probably see this message if the user 'ncadmin' does not exist on the system,
+which could be the case if you are running directly from the scripts on Gihub and not the VM.
+
+As long as the user you created have sudo permissions it's safe to continue.
+This would be the case if you created a new user with the script in the previous step.
+
+If the user you are running this script with is a user that doesn't have sudo permissions,
+please abort this script (CTRL+C) and report this issue to $ISSUES."
+ fi
+ fi
+fi
+
+# Upgrade mirrors
+run_script STATIC locate_mirror
+
+######## The first setup is OK to run to this point several times, but not any further ########
+if [ -f "$SCRIPTS/you-can-not-run-the-startup-script-several-times" ]
+then
+msg_box "The Nextcloud startup script that handles the first setup (this one) is desinged to be run once, not several times in a row.
+
+If you feel uncertain about adding some extra features during this setup, then it's best to wait until after the first setup is done. You can always add all the extra features later.
+
+[For the Nextcloud VM:]
+Please delete this VM from your host and reimport it once again, then run this setup like you did the first time.
+
+[For the Nextcloud Home/SME Server:]
+It's a bit more tricky since you can't revert in the same way as with a VM. The best thing you can do now is to save all the output from the session you ran before this one + write down all the steps you took and send and email to:
+github@hanssonit.se with the subject 'Issues with first setup', and we'll take it from there.
+
+Full documentation can be found here: https://docs.hanssonit.se
+Please report any bugs you find here: $ISSUES"
+ exit 1
+fi
+
+touch "$SCRIPTS/you-can-not-run-the-startup-script-several-times"
+
+echo
+print_text_in_color "$ICyan" "Getting scripts from GitHub to be able to run the first setup..."
+# Scripts in static (.sh, .php, .py)
+download_script LETS_ENC activate-tls
+download_script STATIC temporary-fix
+download_script STATIC update
+download_script STATIC trusted
+download_script STATIC test_connection
+download_script STATIC setup_secure_permissions_nextcloud
+download_script STATIC change_db_pass
+download_script STATIC nextcloud
+download_script STATIC update-config
+download_script STATIC menu
+download_script STATIC server_configuration
+download_script STATIC nextcloud_configuration
+download_script APP additional_apps
+
+if home_sme_server
+then
+ download_script STATIC nhss_index
+ mv $SCRIPTS/nhss_index.php $HTML/index.php && rm -f $HTML/html/index.html
+ chmod 750 $HTML/index.php && chown www-data:www-data $HTML/index.php
+else
+ download_script STATIC index
+ mv $SCRIPTS/index.php $HTML/index.php && rm -f $HTML/html/index.html
+ chmod 750 $HTML/index.php && chown www-data:www-data $HTML/index.php
+fi
+
+# Change 000-default to $WEB_ROOT
+sed -i "s|DocumentRoot /var/www/html|DocumentRoot $HTML|g" /etc/apache2/sites-available/000-default.conf
+
+# Make possible to see the welcome screen (without this php-fpm won't reach it)
+ sed -i '14i\ # http://lost.l-w.ca/0x05/apache-mod_proxy_fcgi-and-php-fpm/' /etc/apache2/sites-available/000-default.conf
+ sed -i '15i\ <FilesMatch "\.php$">' /etc/apache2/sites-available/000-default.conf
+ sed -i '16i\ <If "-f %{SCRIPT_FILENAME}">' /etc/apache2/sites-available/000-default.conf
+ sed -i '17i\ SetHandler "proxy:unix:/run/php/php'$PHPVER'-fpm.nextcloud.sock|fcgi://localhost"' /etc/apache2/sites-available/000-default.conf
+ sed -i '18i\ </If>' /etc/apache2/sites-available/000-default.conf
+ sed -i '19i\ </FilesMatch>' /etc/apache2/sites-available/000-default.conf
+ sed -i '20i\ ' /etc/apache2/sites-available/000-default.conf
+
+# Make $SCRIPTS excutable
+chmod +x -R $SCRIPTS
+chown root:root -R $SCRIPTS
+
+# Allow $UNIXUSER to run figlet script
+chown "$UNIXUSER":"$UNIXUSER" "$SCRIPTS/nextcloud.sh"
+
+msg_box "This script will configure your Nextcloud and activate TLS.
+It will also do the following:
+
+- Generate new SSH keys for the server
+- Generate new PostgreSQL password
+- Install selected apps and automatically configure them
+- Detect and set hostname
+- Detect and set trusted domains
+- Detect the best Ubuntu mirrors depending on your location
+- Upgrade your system and Nextcloud to latest version
+- Set secure permissions to Nextcloud
+- Set new passwords to Linux and Nextcloud
+- Change timezone
+- Set correct Rewriterules for Nextcloud
+- Copy content from .htaccess to .user.ini (because we use php-fpm)
+- Add additional options if you choose them
+- And more..."
+
+msg_box "PLEASE NOTE:
+[#] Please finish the whole setup. The server will reboot once done.
+
+[#] Please read the on-screen instructions carefully, they will guide you through the setup.
+
+[#] When complete it will delete all the *.sh, *.html, *.tar, *.zip inside:
+ /root
+ /home/$UNIXUSER
+
+[#] Please consider donating if you like the product:
+ https://shop.hanssonit.se/product-category/donate/
+
+[#] You can also ask for help here:
+ https://help.nextcloud.com/c/support/appliances-docker-snappy-vm
+ https://shop.hanssonit.se/product/premium-support-per-30-minutes/"
+clear
+
+msg_box "PLEASE NOTE:
+
+The first setup is meant to be run once, and not aborted.
+If you feel uncertain about the options during the setup, just choose the defaults by hitting [ENTER] at each question.
+
+When the setup is done, the server will automatically reboot.
+
+Please report any issues to: $ISSUES"
+clear
+
+# Change Timezone
+print_text_in_color "$ICyan" "Current timezone is $(cat /etc/timezone)"
+if [[ "no" == $(ask_yes_or_no "Do you want to change the timezone?") ]]
+then
+ print_text_in_color "$ICyan" "Not changing timezone..."
+ sleep 1
+ clear
+else
+ dpkg-reconfigure tzdata
+fi
+
+# Change timezone in PHP
+sed -i "s|;date.timezone.*|date.timezone = $(cat /etc/timezone)|g" "$PHP_INI"
+
+# Change timezone for logging
+occ_command config:system:set logtimezone --value="$(cat /etc/timezone)"
+clear
+
+# Pretty URLs
+print_text_in_color "$ICyan" "Setting RewriteBase to \"/\" in config.php..."
+chown -R www-data:www-data $NCPATH
+occ_command config:system:set overwrite.cli.url --value="http://localhost/"
+occ_command config:system:set htaccess.RewriteBase --value="/"
+occ_command maintenance:update:htaccess
+bash $SECURE & spinner_loading
+
+# Generate new SSH Keys
+printf "\nGenerating new SSH keys for the server...\n"
+rm -v /etc/ssh/ssh_host_*
+dpkg-reconfigure openssh-server
+
+# Generate new PostgreSQL password
+print_text_in_color "$ICyan" "Generating new PostgreSQL password..."
+check_command bash "$SCRIPTS/change_db_pass.sh"
+sleep 3
+clear
+
+# Server configurations
+bash $SCRIPTS/server_configuration.sh
+
+# Nextcloud configuration
+bash $SCRIPTS/nextcloud_configuration.sh
+
+# Install apps
+bash $SCRIPTS/additional_apps.sh
+
+# Change passwords
+# CLI USER
+print_text_in_color "$ICyan" "For better security, change the system user password for [$(getent group sudo | cut -d: -f4 | cut -d, -f1)]"
+any_key "Press any key to change password for system user..."
+while true
+do
+ sudo passwd "$(getent group sudo | cut -d: -f4 | cut -d, -f1)" && break
+done
+echo
+clear
+# NEXTCLOUD USER
+NCADMIN=$(occ_command user:list | awk '{print $3}')
+print_text_in_color "$ICyan" "The current admin user in Nextcloud GUI is [$NCADMIN]"
+print_text_in_color "$ICyan" "We will now replace this user with your own."
+any_key "Press any key to replace the current (local) admin user for Nextcloud..."
+# Create new user
+while true
+do
+ print_text_in_color "$ICyan" "Please enter the username for your new user:"
+ read -r NEWUSER
+ sudo -u www-data $NCPATH/occ user:add "$NEWUSER" -g admin && break
+done
+# Delete old user
+if [[ "$NCADMIN" ]]
+then
+ print_text_in_color "$ICyan" "Deleting $NCADMIN..."
+ occ_command user:delete "$NCADMIN"
+ sleep 2
+fi
+clear
+
+msg_box "Well done, you have now finished most of the setup.
+
+There are still some stuff left to do, but they are automated so sit back and relax! :)"
+
+# Add default notifications
+notify_admin_gui \
+"Please setup SMTP" \
+"Please remember to setup SMTP to be able to send shared links, user notifications and more via email. Please go here and start setting it up: https://your-nextcloud/settings/admin."
+
+notify_admin_gui \
+"Do you need support?" \
+"If you need support, please visit the shop: https://shop.hanssonit.se, or the forum: https://help.nextcloud.com."
+
+if ! is_this_installed php"$PHPVER"-imagick
+then
+ notify_admin_gui \
+ "Regarding Imagick not being installed" \
+ "As you may have noticed, Imagick is not installed. We care about your security, and here's the reason: https://github.com/nextcloud/server/issues/13099."
+fi
+
+# Fixes https://github.com/nextcloud/vm/issues/58
+a2dismod status
+restart_webserver
+
+if home_sme_server
+then
+ install_if_not bc
+ mem_available="$(awk '/MemTotal/{print $2}' /proc/meminfo)"
+ mem_available_gb="$(echo "scale=0; $mem_available/(1024*1024)" | bc)"
+ # 32 GB RAM
+ if [[ 30 -lt "${mem_available_gb}" ]]
+ then
+ # Add specific values to PHP-FPM based on 32 GB RAM
+ check_command sed -i "s|pm.max_children.*|pm.max_children = 600|g" "$PHP_POOL_DIR"/nextcloud.conf
+ check_command sed -i "s|pm.start_servers.*|pm.start_servers = 100|g" "$PHP_POOL_DIR"/nextcloud.conf
+ check_command sed -i "s|pm.min_spare_servers.*|pm.min_spare_servers = 100|g" "$PHP_POOL_DIR"/nextcloud.conf
+ check_command sed -i "s|pm.max_spare_servers.*|pm.max_spare_servers = 400|g" "$PHP_POOL_DIR"/nextcloud.conf
+ restart_webserver
+ # 16 GB RAM
+ elif [[ 14 -lt "${mem_available_gb}" ]]
+ then
+ # Add specific values to PHP-FPM based on 16 GB RAM
+ check_command sed -i "s|pm.max_children.*|pm.max_children = 300|g" "$PHP_POOL_DIR"/nextcloud.conf
+ check_command sed -i "s|pm.start_servers.*|pm.start_servers = 50|g" "$PHP_POOL_DIR"/nextcloud.conf
+ check_command sed -i "s|pm.min_spare_servers.*|pm.min_spare_servers = 50|g" "$PHP_POOL_DIR"/nextcloud.conf
+ check_command sed -i "s|pm.max_spare_servers.*|pm.max_spare_servers = 200|g" "$PHP_POOL_DIR"/nextcloud.conf
+ restart_webserver
+ fi
+else
+ # Calculate the values of PHP-FPM based on the amount of RAM available (minimum 2 GB or 8 children)
+ calculate_php_fpm
+
+ # Run again if values are reset on last run
+ calculate_php_fpm
+fi
+
+# Add temporary fix if needed
+bash "$SCRIPTS"/temporary-fix.sh
+rm "$SCRIPTS"/temporary-fix.sh
+
+# Cleanup 1
+occ_command maintenance:repair
+rm -f "$SCRIPTS/ip.sh"
+rm -f "$SCRIPTS/change_db_pass.sh"
+rm -f "$SCRIPTS/test_connection.sh"
+rm -f "$SCRIPTS/instruction.sh"
+rm -f "$NCDATA/nextcloud.log"
+rm -f "$SCRIPTS/static_ip.sh"
+rm -f "$SCRIPTS/lib.sh"
+rm -f "$SCRIPTS/server_configuration.sh"
+rm -f "$SCRIPTS/nextcloud_configuration.sh"
+rm -f "$SCRIPTS/additional_apps.sh"
+
+find /root "/home/$UNIXUSER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name 'results' -o -name '*.zip*' \) -delete
+find "$NCPATH" -type f \( -name 'results' -o -name '*.sh*' \) -delete
+sed -i "s|instruction.sh|nextcloud.sh|g" "/home/$UNIXUSER/.bash_profile"
+
+truncate -s 0 \
+ /root/.bash_history \
+ "/home/$UNIXUSER/.bash_history" \
+ /var/spool/mail/root \
+ "/var/spool/mail/$UNIXUSER" \
+ /var/log/apache2/access.log \
+ /var/log/apache2/error.log \
+ /var/log/cronjobs_success.log \
+ "$VMLOGS/nextcloud.log"
+
+sed -i "s|sudo -i||g" "/home/$UNIXUSER/.bash_profile"
+
+cat << ROOTNEWPROFILE > "/root/.bash_profile"
+# ~/.profile: executed by Bourne-compatible login shells.
+
+if [ "/bin/bash" ]
+then
+ if [ -f ~/.bashrc ]
+ then
+ . ~/.bashrc
+ fi
+fi
+
+if [ -x /var/scripts/nextcloud-startup-script.sh ]
+then
+ /var/scripts/nextcloud-startup-script.sh
+fi
+
+if [ -x /var/scripts/history.sh ]
+then
+ /var/scripts/history.sh
+fi
+
+mesg n
+
+ROOTNEWPROFILE
+
+# Upgrade system
+print_text_in_color "$ICyan" "System will now upgrade..."
+bash $SCRIPTS/update.sh
+
+# Cleanup 2
+apt autoremove -y
+apt autoclean
+
+# Set trusted domain in config.php
+bash $SCRIPTS/trusted.sh
+rm -f $SCRIPTS/trusted.sh
+
+# Success!
+msg_box "The installation process is *almost* done.
+
+Please hit OK in all the following prompts and let the server reboot to complete the installation process."
+
+msg_box "TIPS & TRICKS:
+1. Publish your server online: https://goo.gl/iUGE2U
+2. To login to PostgreSQL just type: sudo -u postgres psql nextcloud_db
+3. To update this server just type: sudo bash /var/scripts/update.sh
+4. Install apps, configure Nextcloud, and server: sudo bash $SCRIPTS/menu.sh"
+
+msg_box "SUPPORT:
+Please ask for help in the forums, visit our shop to buy support,
+or buy a yearly subscription from Nextcloud:
+- SUPPORT: https://shop.hanssonit.se/product/premium-support-per-30-minutes/
+- FORUM: https://help.nextcloud.com/
+- SUBSCRIPTION: https://nextcloud.com/pricing/ (Please refer to @enoch85)
+
+BUGS:
+Please report any bugs here: https://github.com/nextcloud/vm/issues"
+
+msg_box "Congratulations! You have successfully installed Nextcloud!
+
+LOGIN:
+Login to Nextcloud in your browser:
+- IP: $ADDRESS
+- Hostname: $(hostname -f)"
+
+# Prefer IPv6
+sed -i "s|precedence ::ffff:0:0/96 100|#precedence ::ffff:0:0/96 100|g" /etc/gai.conf
+
+# Reboot
+print_text_in_color "$IGreen" "Installation done, system will now reboot..."
+check_command rm -f "$SCRIPTS/you-can-not-run-the-startup-script-several-times"
+check_command rm -f "$SCRIPTS/nextcloud-startup-script.sh"
+reboot
diff --git a/nextcloud_install_production.sh b/nextcloud_install_production.sh
index 16eec896..bf7b2393 100644
--- a/nextcloud_install_production.sh
+++ b/nextcloud_install_production.sh
@@ -5,115 +5,6 @@
# Prefer IPv4
sed -i "s|#precedence ::ffff:0:0/96 100|precedence ::ffff:0:0/96 100|g" /etc/gai.conf
-#########
-
-IRed='\e[0;91m' # Red
-IGreen='\e[0;92m' # Green
-ICyan='\e[0;96m' # Cyan
-Color_Off='\e[0m' # Text Reset
-print_text_in_color() {
- printf "%b%s%b\n" "$1" "$2" "$Color_Off"
-}
-
-print_text_in_color "$ICyan" "Fetching all the variables from lib.sh..."
-
-is_process_running() {
-PROCESS="$1"
-
-while :
-do
- RESULT=$(pgrep "${PROCESS}")
-
- if [ "${RESULT:-null}" = null ]; then
- break
- else
- print_text_in_color "$ICyan" "${PROCESS} is running, waiting for it to stop..."
- sleep 10
- fi
-done
-}
-
-is_root() {
- if [[ "$EUID" -ne 0 ]]
- then
- return 1
- else
- return 0
- fi
-}
-
-# Check if root
-root_check() {
-if ! is_root
-then
-msg_box "Sorry, you are not root. You now have two options:
-1. With SUDO directly:
- a) :~$ sudo bash $SCRIPTS/name-of-script.sh
-2. Become ROOT and then type your command:
- a) :~$ sudo -i
- b) :~# bash $SCRIPTS/name-of-script.sh
-In both cases above you can leave out $SCRIPTS/ if the script
-is directly in your PATH.
-More information can be found here: https://unix.stackexchange.com/a/3064"
- exit 1
-fi
-}
-
-network_ok() {
- print_text_in_color "$ICyan" "Testing if network is OK..."
- if ! netplan apply
- then
- systemctl restart systemd-networkd > /dev/null
- fi
- sleep 3 && site_200 github.com
-}
-
-#########
-
-# Check if root
-root_check
-
-# Check network
-if network_ok
-then
- print_text_in_color "$IGreen" "Online!"
-else
- print_text_in_color "$ICyan" "Setting correct interface..."
- [ -z "$IFACE" ] && IFACE=$(lshw -c network | grep "logical name" | awk '{print $3; exit}')
- # Set correct interface
- cat <<-SETDHCP > "/etc/netplan/01-netcfg.yaml"
-network:
- version: 2
- renderer: networkd
- ethernets:
- $IFACE:
- dhcp4: true
- dhcp6: true
-SETDHCP
- check_command netplan apply
- print_text_in_color "$ICyan" "Checking connection..."
- sleep 1
- if ! nslookup github.com
- then
-msg_box "The script failed to get an address from DHCP.
-You must have a working network connection to run this script.
-You will now be provided with the option to set a static IP manually instead."
-
- # Run static_ip script
- bash /var/scripts/static_ip.sh
- fi
-fi
-
-# Check network again
-if network_ok
-then
- print_text_in_color "$IGreen" "Online!"
-else
-msg_box "Network NOT OK. You must have a working network connection to run this script.
-Please post this issue on: https://github.com/nextcloud/vm/issues"
- exit 1
-fi
-
# Install curl if not existing
if [ "$(dpkg-query -W -f='${Status}' "curl" 2>/dev/null | grep -c "ok installed")" == "1" ]
then
@@ -123,25 +14,15 @@ else
apt install curl -y
fi
-# When we have internet, fetch the latest lib.sh variables and functions
+# shellcheck disable=2034,2059
true
# shellcheck source=lib.sh
-NCDB=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
-unset NCDB
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
# Check if dpkg or apt is running
is_process_running apt
is_process_running dpkg
-# Install curl if not existing
-if [ "$(dpkg-query -W -f='${Status}' "curl" 2>/dev/null | grep -c "ok installed")" == "1" ]
-then
- echo "curl OK"
-else
- apt update -q4
- apt install curl -y
-fi
-
# Install lshw if not existing
if [ "$(dpkg-query -W -f='${Status}' "lshw" 2>/dev/null | grep -c "ok installed")" == "1" ]
then
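Review bot: The rewritten `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` line sources whatever the `master` branch serves at run time, with no pinned revision or checksum, and `-s` without `-f` lets an HTTP error body or an empty response be sourced without any message. The functions it defines drive the rest of this installer, so a failed or altered download goes unnoticed until a later command misbehaves. I would fetch to a temporary file with `curl -fsSL`, stop if that fails, and source the file afterwards; pinning the URL to a tag or commit would also make the install reproducible. The second sourcing added in the next hunk (`FIRST_IFACE=1 . <(curl …)`) has the same shape.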
@@ -169,6 +50,21 @@ else
apt install whiptail -y
fi
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+FIRST_IFACE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset FIRST_IFACE
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
# Set locales
run_script STATIC locales
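Review bot: `root_check` now runs only after the `apt install` steps for curl, lshw and whiptail earlier in the file, because this commit removes the early check together with the inline helper functions. A non-root run therefore fails inside apt with a less helpful message, and lib.sh has already been fetched and sourced by then. A one-line guard before the first install, e.g. `[[ "$EUID" -eq 0 ]] || { echo "Run this script as root" >&2; exit 1; }`, would keep the old ordering without depending on lib.sh.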
@@ -176,6 +72,11 @@ run_script STATIC locales
ram_check 2 Nextcloud
cpu_check 1 Nextcloud
+# Create new current user
+download_script STATIC adduser
+bash $SCRIPTS/adduser.sh "nextcloud_install_production.sh"
+rm -f $SCRIPTS/adduser.sh
+
# Check distribution and version
if ! version 20.04 "$DISTRO" 20.04.6
then
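Review bot: `download_script STATIC adduser` and `bash $SCRIPTS/adduser.sh …` run before the `mkdir -p "$SCRIPTS"` block that this commit adds further down, so on a fresh machine they depend on `download_script` creating the directory itself, which cannot be confirmed from this file. The download result is not checked either, so a failed fetch ends with bash reporting a missing file and the installer carrying on. I would move the directory creation above this block, wrap the download in `check_command` as is done for `run_script` elsewhere in this diff, and quote the path: `bash "$SCRIPTS/adduser.sh" "nextcloud_install_production.sh"`.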
@@ -194,6 +95,39 @@ msg_box "Nextcloud repo is not available, exiting..."
exit 1
fi
+# Fix LVM on BASE image
+if grep -q "LVM" /etc/fstab
+then
+ # Resize LVM (live installer is &%¤%/!
+ # VM
+ print_text_in_color "$ICyan" "Extending LVM, this may take a long time..."
+ lvextend -l 100%FREE --resizefs /dev/ubuntu-vg/ubuntu-lv
+
+ # HomeSME Server
+ if home_sme_server
+ then
+ print_text_in_color "$ICyan" "Extending LVM, this may take a long time..."
+ while :
+ do
+ lvdisplay | grep "Size" | awk '{print $3}'
+ if ! lvextend -L +10G /dev/ubuntu-vg/ubuntu-lv >/dev/null 2>&1
+ then
+ if ! lvextend -L +1G /dev/ubuntu-vg/ubuntu-lv >/dev/null 2>&1
+ then
+ if ! lvextend -L +100M /dev/ubuntu-vg/ubuntu-lv >/dev/null 2>&1
+ then
+ if ! lvextend -L +1M /dev/ubuntu-vg/ubuntu-lv >/dev/null 2>&1
+ then
+ resize2fs /dev/ubuntu-vg/ubuntu-lv
+ break
+ fi
+ fi
+ fi
+ fi
+ done
+ fi
+fi
+
# Check if it's a clean server
stop_if_installed postgresql
stop_if_installed apache2
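Review bot: `lvextend -l 100%FREE --resizefs /dev/ubuntu-vg/ubuntu-lv` sets the volume's size to the amount of free space instead of growing it by that amount, as I read lvextend's size syntax; without the `+` prefix it refuses when the free space is smaller than the current size and otherwise leaves part of the volume group unused. If the intent is to take all remaining space, `lvextend -l +100%FREE --resizefs /dev/ubuntu-vg/ubuntu-lv` does that in one step, and its exit status should be checked (the script uses `check_command` for this elsewhere). The `home_sme_server` loop then hides every lvextend error behind `>/dev/null 2>&1` and ends with `resize2fs`, which assumes an ext filesystem. A short comment stating that the loop is a fallback, and why it is needed, would help the next reader.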
@@ -208,6 +142,12 @@ stop_if_installed php7.3-fpm
stop_if_installed mysql-common
stop_if_installed mariadb-server
+# Create $SCRIPTS dir
+if [ ! -d "$SCRIPTS" ]
+then
+ mkdir -p "$SCRIPTS"
+fi
+
# Create $VMLOGS dir
if [ ! -d "$VMLOGS" ]
then
@@ -220,6 +160,11 @@ install_if_not netplan.io
# Install build-essentials to get make
install_if_not build-essential
+# Just check if the function works and run disk setup
+if home_sme_server
+then
+ run_script STATIC format-sda-nuc-server
+else
# Set dual or single drive setup
msg_box "This VM is designed to run with two disks, one for OS and one for DATA. This will get you the best performance since the second disk is using ZFS which is a superior filesystem.
You could still choose to only run on one disk though, which is not recommended, but maybe your only option depending on which hypervisor you are running.
@@ -250,6 +195,7 @@ case "$choice" in
*)
;;
esac
+fi
# Set DNS resolver
# https://medium.com/@ahmadb/fixing-dns-issues-in-ubuntu-18-04-lts-bd4f9ca56620
@@ -342,9 +288,9 @@ check_command apt install -y \
php"$PHPVER"-gmp \
php"$PHPVER"-bz2 \
php"$PHPVER"-bcmath \
- php-pear \
- php"$PHPVER"-imagick \
- libmagickcore-6.q16-3-extra
+ php-pear
+ # php"$PHPVER"-imagick \
+ # libmagickcore-6.q16-3-extra
# Enable php-fpm
a2enconf php"$PHPVER"-fpm
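Review bot: The two Imagick package lines are left behind as comments directly after the `php-pear` line, with no explanation in this file of why they were dropped. The startup script text in this same commit points users to https://github.com/nextcloud/server/issues/13099 for the reason, so I would replace the dead lines with one comment above the `apt install` call, e.g. `# php-imagick is intentionally not installed, see https://github.com/nextcloud/server/issues/13099`. Commented-out arguments sitting right after the end of a continued command are also easy to break the next time a package is appended.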
@@ -414,7 +360,7 @@ rm "$HTML/$STABLEVERSION.tar.bz2"
# Secure permissions
download_script STATIC setup_secure_permissions_nextcloud
-chown -R www-data:www-data "$HTML"
+bash $SECURE & spinner_loading
# Install Nextcloud
print_text_in_color "$ICyan" "Installing Nextcloud..."
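Review bot: `bash $SECURE & spinner_loading` replaces a plain `chown` with a backgrounded script whose exit status is never read, so a failure while setting ownership and modes on the web root passes silently and the Nextcloud install continues. Whether `spinner_loading` waits for the job and returns its status cannot be seen from this file. Running the step in the foreground with `check_command bash "$SECURE"` would make a permissions failure stop the installer, at the cost of the spinner. `$SECURE` should be quoted in either form.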
@@ -436,6 +382,13 @@ echo
# Prepare cron.php to be run every 15 minutes
crontab -u www-data -l | { cat; echo "*/5 * * * * php -f $NCPATH/cron.php > /dev/null 2>&1"; } | crontab -u www-data -
+# Run the updatenotification on a schelude
+occ_command config:system:set upgrade.disable-web --value="true"
+print_text_in_color "$ICyan" "Configuring update notifications specific for this server..."
+download_script STATIC updatenotification
+check_command chmod +x "$SCRIPTS"/updatenotification.sh
+crontab -u root -l | { cat; echo "59 $AUT_UPDATES_TIME * * * $SCRIPTS/updatenotification.sh > /dev/null 2>&1"; } | crontab -u root -
+
# Change values in php.ini (increase max file size)
# max_execution_time
sed -i "s|max_execution_time =.*|max_execution_time = 3500|g" "$PHP_INI"
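Review bot: The cron entry added for root interpolates `$AUT_UPDATES_TIME` into the hour field without checking it; the variable is not set in this file, and an empty or non-numeric value yields a line that crontab rejects or that never fires, with the error hidden by the pipeline. A guard before the `crontab` line such as `[[ "$AUT_UPDATES_TIME" =~ ^([0-9]|1[0-9]|2[0-3])$ ]] || exit 1` would catch that. The `crontab -u root -l | { cat; echo …; } | crontab -u root -` form also appends a duplicate entry each time this section runs. The `upgrade.disable-web` setting sits under a comment about update notifications; it deserves its own comment, e.g. `# Disable the web-based updater`.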
@@ -460,6 +413,21 @@ occ_command config:system:set log.condition apps 0 --value admin_audit
# Set SMTP mail
occ_command config:system:set mail_smtpmode --value="smtp"
+# Forget login/session after 30 minutes
+occ_command config:system:set remember_login_cookie_lifetime --value="1800"
+
+# Set logrotate (max 10 MB)
+occ_command config:system:set log_rotate_size --value="10485760"
+
+# Set trashbin retention obligation (save it in trahbin for 6 months or delete when space is needed)
+occ_command config:system:set trashbin_retention_obligation --value="auto, 180"
+
+# Set versions retention obligation (save versions for 12 months or delete when space is needed)
+occ_command config:system:set versions_retention_obligation --value="auto, 365"
+
+# Remove simple signup
+occ_command config:system:set simpleSignUpLink.shown --value="false"
+
# Enable OPCache for PHP
# https://docs.nextcloud.com/server/14/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
phpenmod opcache
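Review bot: The comment `# Forget login/session after 30 minutes` overstates what the next line does. `remember_login_cookie_lifetime` sets how long the "remember me" login cookie stays valid, while the idle session timeout is a separate Nextcloud setting (`session_lifetime`) that this hunk does not touch. I would reword it to `# Limit the remember-me login cookie to 30 minutes (session_lifetime is not changed here)` so nobody assumes sessions expire after 30 minutes. The trashbin comment two settings below has a typo ("trahbin").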
@@ -711,11 +679,104 @@ a2ensite "$HTTP_CONF"
a2dissite default-ssl
restart_webserver
+choice=$(whiptail --title "Install apps or software" --checklist "Automatically configure and install selected apps or software\nDeselect by pressing the spacebar" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"Calendar" "" ON \
+"Contacts" "" ON \
+"IssueTemplate" "" ON \
+"PDFViewer" "" ON \
+"Extract" "" ON \
+"Text" "" ON \
+"Mail" "" ON \
+"Deck" "" ON \
+"Group-Folders" "" ON \
+"Webmin" "" ON 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ *"Calendar"*)
+ install_and_enable_app calendar
+ ;;&
+ *"Contacts"*)
+ install_and_enable_app contacts
+ ;;&
+ *"IssueTemplate"*)
+ install_and_enable_app issuetemplate
+ ;;&
+ *"PDFViewer"*)
+ install_and_enable_app files_pdfviewer
+ ;;&
+ *"Extract"*)
+ if install_and_enable_app extract
+ then
+ install_if_not unrar
+ install_if_not p7zip
+ install_if_not p7zip-full
+ fi
+ ;;&
+ *"Text"*)
+ install_and_enable_app text
+ ;;&
+ *"Mail"*)
+ install_and_enable_app mail
+ ;;&
+ *"Deck"*)
+ install_and_enable_app deck
+ ;;&
+ *"Group-Folders"*)
+ install_and_enable_app groupfolders
+ ;;&
+ *"Webmin"*)
+ run_script APP webmin
+ ;;&
+ *)
+ ;;
+esac
+
+# Get needed scripts for first bootup
+check_command curl_to_dir "$GITHUB_REPO" nextcloud-startup-script.sh "$SCRIPTS"
+check_command curl_to_dir "$GITHUB_REPO" lib.sh "$SCRIPTS"
+download_script STATIC instruction
+download_script STATIC history
+download_script STATIC static_ip
+
+if home_sme_server
+then
+ # Change nextcloud-startup-script.sh
+ check_command sed -i "s|VM|Home/SME Server|g" $SCRIPTS/nextcloud-startup-script.sh
+fi
+
+# Make $SCRIPTS excutable
+chmod +x -R "$SCRIPTS"
+chown root:root -R "$SCRIPTS"
+
+# Prepare first bootup
+check_command run_script STATIC change-ncadmin-profile
+check_command run_script STATIC change-root-profile
+
+# Upgrade
+apt update -q4 & spinner_loading
+apt dist-upgrade -y
+
+# Remove LXD (always shows up as failed during boot)
+apt-get purge lxd -y
+
# Cleanup
apt autoremove -y
apt autoclean
find /root "/home/$UNIXUSER" -type f \( -name '*.sh*' -o -name '*.html*' -o -name '*.tar*' -o -name '*.zip*' \) -delete
+# Install virtual kernels for Hyper-V, (and extra for UTF8 kernel module + Collabora and OnlyOffice)
+# Kernel 5.4
+if ! home_sme_server
+then
+ # Hyper-V
+ apt install -y --install-recommends \
+ linux-virtual \
+ linux-image-virtual \
+ linux-tools-virtual \
+ linux-cloud-tools-virtual
+ # linux-image-extra-virtual only needed for AUFS driver with Docker
+fi
+
# Add aliases
if [ -f /root/.bash_aliases ]
then
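Review bot: `sed -i "s|VM|Home/SME Server|g" $SCRIPTS/nextcloud-startup-script.sh` replaces every occurrence of the two letters, not only the product name in user-facing text. The new script earlier in this diff, which appears to be that startup script, uses `"$VMLOGS/nextcloud.log"`, and this substitution would rewrite the variable name there on a Home/SME server. Restricting the match to whole words and quoting the path avoids that: `check_command sed -i 's|\bVM\b|Home/SME Server|g' "$SCRIPTS/nextcloud-startup-script.sh"` (GNU sed).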
@@ -723,135 +784,31 @@ then
then
{
echo "alias nextcloud_occ='sudo -u www-data php /var/www/nextcloud/occ'"
+echo "alias run_update_nextcloud='bash /var/scripts/update.sh'"
} >> /root/.bash_aliases
fi
elif [ ! -f /root/.bash_aliases ]
then
{
echo "alias nextcloud_occ='sudo -u www-data php /var/www/nextcloud/occ'"
+echo "alias run_update_nextcloud='bash /var/scripts/update.sh'"
} > /root/.bash_aliases
fi
# Set secure permissions final (./data/.htaccess has wrong permissions otherwise)
bash $SECURE & spinner_loading
-# Force MOTD to show correct number of updates
-if is_this_installed update-notifier-common
-then
- sudo /usr/lib/update-notifier/update-motd-updates-available --force
-fi
-
-
-# Fixes https://github.com/nextcloud/vm/issues/58
-a2dismod status
-restart_webserver
-
-# Change passwords
-# CLI USER
-print_text_in_color "$ICyan" "For better security, change the system user password for [$(getent group sudo | cut -d: -f4 | cut -d, -f1)]"
-any_key "Press any key to change password for system user..."
-while true
-do
- sudo passwd "$(getent group sudo | cut -d: -f4 | cut -d, -f1)" && break
-done
-echo
-clear
-# NEXTCLOUD USER
-NCADMIN=$(occ_command user:list | awk '{print $3}')
-print_text_in_color "$ICyan" "The current admin user in Nextcloud GUI is [$NCADMIN]"
-print_text_in_color "$ICyan" "We will now replace this user with your own."
-any_key "Press any key to replace the current (local) admin user for Nextcloud..."
-# Create new user
-while true
-do
- print_text_in_color "$ICyan" "Please enter the username for your new user:"
- read -r NEWUSER
- sudo -u www-data $NCPATH/occ user:add "$NEWUSER" -g admin && break
-done
-# Delete old user
-if [[ "$NCADMIN" ]]
+# Put IP adress in /etc/issue (shown before the login)
+if [ -f /etc/issue ]
then
- print_text_in_color "$ICyan" "Deleting $NCADMIN..."
- occ_command user:delete "$NCADMIN"
- sleep 2
+ echo "\4" >> /etc/issue
fi
-clear
-# Change Timezone
-print_text_in_color "$ICyan" "Current timezone is $(cat /etc/timezone)"
-if [[ "no" == $(ask_yes_or_no "Do you want to change the timezone?") ]]
-then
- print_text_in_color "$ICyan" "Not changing timezone..."
- sleep 1
- clear
-else
- dpkg-reconfigure tzdata
-fi
-
-# Change timezone in PHP
-sed -i "s|;date.timezone.*|date.timezone = $(cat /etc/timezone)|g" "$PHP_INI"
-
-# Change timezone for logging
-occ_command config:system:set logtimezone --value="$(cat /etc/timezone)"
-clear
-
-# Pretty URLs
-print_text_in_color "$ICyan" "Setting RewriteBase to \"/\" in config.php..."
-chown -R www-data:www-data $NCPATH
-occ_command config:system:set overwrite.cli.url --value="http://localhost/"
-occ_command config:system:set htaccess.RewriteBase --value="/"
-occ_command maintenance:update:htaccess
-bash $SECURE & spinner_loading
-
-# Generate new SSH Keys
-printf "\nGenerating new SSH keys for the server...\n"
-rm -v /etc/ssh/ssh_host_*
-dpkg-reconfigure openssh-server
-
-# Generate new PostgreSQL password
-print_text_in_color "$ICyan" "Generating new PostgreSQL password..."
-check_command bash "$SCRIPTS/change_db_pass.sh"
-sleep 3
-clear
-
-# Prep for first use
-cat << ROOTNEWPROFILE > "/root/.bash_profile"
-# ~/.profile: executed by Bourne-compatible login shells.
-if [ "/bin/bash" ]
+# Force MOTD to show correct number of updates
+if is_this_installed update-notifier-common
then
- if [ -f ~/.bashrc ]
- then
- . ~/.bashrc
- fi
+ sudo /usr/lib/update-notifier/update-motd-updates-available --force
fi
-mesg n
-ROOTNEWPROFILE
-
-truncate -s 0 \
- /root/.bash_history \
- "/home/$UNIXUSER/.bash_history" \
- /var/spool/mail/root \
- "/var/spool/mail/$UNIXUSER" \
- /var/log/apache2/access.log \
- /var/log/apache2/error.log \
- /var/log/cronjobs_success.log \
- "$VMLOGS/nextcloud.log"
-
-sed -i "s|sudo -i||g" "/home/$UNIXUSER/.bash_profile"
-
-# Cleanup 1
-occ_command maintenance:repair
-rm -f "$SCRIPTS/ip.sh"
-rm -f "$SCRIPTS/change_db_pass.sh"
-rm -f "$SCRIPTS/test_connection.sh"
-rm -f "$SCRIPTS/instruction.sh"
-rm -f "$NCDATA/nextcloud.log"
-rm -f "$SCRIPTS/static_ip.sh"
-rm -f "$SCRIPTS/lib.sh"
-rm -f "$SCRIPTS/server_configuration.sh"
-rm -f "$SCRIPTS/nextcloud_configuration.sh"
-rm -f "$SCRIPTS/additional_apps.sh"
-
# Reboot
print_text_in_color "$IGreen" "Installation done, system will now reboot..."
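Review bot: `echo "\4" >> /etc/issue` appends unconditionally, so every re-run of the installer adds another address line to the pre-login banner; a guard keeps the file stable: `grep -qF '\4' /etc/issue || echo '\4' >> /etc/issue`. A comment noting that `\4` is the getty escape for the IPv4 address, and that the address is then shown to anyone at the console before login, would make the intent clear. The alias block at the top of this hunk starts above the hunk, so its guarding conditions are not visible here.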
diff --git a/nextcloud_update.sh b/nextcloud_update.sh
new file mode 100644
index 00000000..882e66c8
--- /dev/null
+++ b/nextcloud_update.sh
@@ -0,0 +1,617 @@
+#!/bin/bash
+
+#################################################################################################################
+# DO NOT USE THIS SCRIPT WHEN UPDATING NEXTCLOUD / YOUR SERVER! RUN `sudo bash /var/scripts/update.sh` INSTEAD. #
+#################################################################################################################
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NCDB=1 && NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+unset NCDB
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
+
+# Must be root
+root_check
+
+# Check if dpkg or apt is running
+is_process_running apt
+is_process_running dpkg
+
+# Check if /boot is filled more than 90% and exit the script if that's the case since we don't want to end up with a broken system
+if [ -d /boot ]
+then
+ if [[ "$(df -h | grep -m 1 /boot | awk '{print $5}' | cut -d "%" -f1)" -gt 90 ]]
+ then
+msg_box "It seems like your boot drive is filled more than 90%. You can't proceed to upgrade since it probably will break your system
+
+To be able to proceed with the update you need to delete some old Linux kernels. If you need support, please visit:
+https://shop.hanssonit.se/product/premium-support-per-30-minutes/"
+ exit
+ fi
+fi
+
+# Ubuntu 16.04 is deprecated
+check_distro_version
+
+# Hold PHP if Ondrejs PPA is used
+print_text_in_color "$ICyan" "Fetching latest apt packages..."
+apt update -q4 & spinner_loading
+if apt-cache policy | grep "ondrej" >/dev/null 2>&1
+then
+ print_text_in_color "$ICyan" "Ondrejs PPA is installed. Holding PHP to avoid upgrading to a newer version without migration..."
+ apt-mark hold php*
+fi
+
+# Don't allow MySQL/MariaDB
+if ! grep -q pgsql /var/www/nextcloud/config/config.php
+then
+ msg_box "MySQL/MariaDB is not supported in this script anymore. Please contact us to get support for upgrading your server: https://shop.hanssonit.se/product/premium-support-per-30-minutes/"
+ exit 0
+fi
+
+# Move all logs to new dir (2019-09-04)
+if [ -d /var/log/ncvm/ ]
+then
+ rsync -Aaxz /var/log/ncvm/ $VMLOGS
+ rm -Rf /var/log/ncvm/
+fi
+
+# Remove the local lib.sh since it's causing issues with new functions (2020-06-01)
+if [ -f $SCRIPTS/lib.sh ]
+then
+ rm -f $SCRIPTS/lib.sh
+fi
+
+# Update updatenotification.sh
+if [ -f $SCRIPTS/updatenotification.sh ]
+then
+ download_script STATIC updatenotification
+ chmod +x $SCRIPTS/updatenotification.sh
+fi
+
+# Make sure everyone gets access to menu.sh
+download_script STATIC menu
+
+# Update docker-ce to overlay2 since devicemapper is deprecated
+if [ -f /etc/systemd/system/docker.service ]
+then
+ if grep -q "devicemapper" /etc/systemd/system/docker.service
+ then
+ print_text_in_color "$ICyan" "Changing to Overlay2 for Docker CE..."
+ print_text_in_color "$ICyan" "Please report any issues to $ISSUES."
+ run_script STATIC docker_overlay2
+ elif grep -q "aufs" /etc/default/docker
+ then
+ apt-mark hold docker-ce
+ run_script STATIC docker_overlay2
+ fi
+fi
+
+export DEBIAN_FRONTEND=noninteractive ; apt dist-upgrade -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold"
+
+# Update Netdata
+if [ -d /etc/netdata ]
+then
+ print_text_in_color "$ICyan" "Updating Netdata..."
+ NETDATA_UPDATER_PATH="$(find /usr -name 'netdata-updater.sh')"
+ if [ -n "$NETDATA_UPDATER_PATH" ]
+ then
+ install_if_not cmake # Needed for Netdata in newer versions
+ bash "$NETDATA_UPDATER_PATH"
+ fi
+fi
+
+# Update Redis PHP extension (18.04 --> 20.04 since 16.04 already is deprecated in the top of this script)
+print_text_in_color "$ICyan" "Trying to upgrade the Redis PECL extension..."
+
+# Check current PHP version
+check_php
+
+# Do the upgrade
+if pecl list | grep redis >/dev/null 2>&1
+then
+ if is_this_installed php"$PHPVER"-common
+ then
+ install_if_not php"$PHPVER"-dev
+ fi
+ pecl channel-update pecl.php.net
+ yes no | pecl upgrade redis
+ systemctl restart redis-server.service
+fi
+
+# Double check if redis.so is enabled
+if ! grep -qFx extension=redis.so "$PHP_INI"
+then
+ echo "extension=redis.so" >> "$PHP_INI"
+fi
+restart_webserver
+
+# Upgrade APCu and igbinary
+if [ "${CURRENTVERSION%%.*}" -ge "17" ]
+then
+ if [ -f "$PHP_INI" ]
+ then
+ print_text_in_color "$ICyan" "Trying to upgrade igbinary, smbclient, and APCu..."
+ if pecl list | grep igbinary >/dev/null 2>&1
+ then
+ yes no | pecl upgrade igbinary
+ # Check if igbinary.so is enabled
+ if ! grep -qFx extension=igbinary.so "$PHP_INI"
+ then
+ echo "extension=igbinary.so" >> "$PHP_INI"
+ fi
+ fi
+ if pecl list | grep smbclient >/dev/null 2>&1
+ then
+ yes no | pecl upgrade smbclient
+ # Check if igbinary.so is enabled
+ if ! grep -qFx extension=smbclient.so "$PHP_INI"
+ then
+ echo "extension=smbclient.so" >> "$PHP_INI"
+ fi
+ fi
+ if pecl list | grep apcu >/dev/null 2>&1
+ then
+ yes no | pecl upgrade apcu
+ # Check if apcu.so is enabled
+ if ! grep -qFx extension=apcu.so "$PHP_INI"
+ then
+ echo "extension=apcu.so" >> "$PHP_INI"
+ fi
+ fi
+ fi
+fi
+
+# Update adminer
+if [ -d $ADMINERDIR ]
+then
+ print_text_in_color "$ICyan" "Updating Adminer..."
+ rm -f "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php
+ curl_to_dir "http://www.adminer.org" "latest.php" "$ADMINERDIR"
+ ln -s "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php
+fi
+
+# Run watchtower to update all Docker images
+if is_docker_running
+then
+ # Remove old watchtower if existing
+ if does_this_docker_exist v2tec/watchtower
+ then
+ # Get Env values (https://github.com/koalaman/shellcheck/issues/1601)
+ get_env_values() {
+ # shellcheck disable=SC2016
+ docker inspect -f '{{range $index, $value := .Config.Env}}{{$value}}{{println}}{{end}}' watchtower > env.list
+ }
+ get_env_values
+
+ # Remove empty lines
+ sed -i '/^[[:space:]]*$/d' env.list
+
+ # Get Cmd values
+ CmdDocker=$(docker inspect --format='{{.Config.Cmd}}' watchtower | cut -d "]" -f 1 | cut -d "[" -f 2;)
+
+ # Check if env.list is empty and run the docker accordingly
+ if [ -s env.list ]
+ then
+ docker_prune_this v2tec/watchtower
+ docker run -d --restart=unless-stopped --name watchtower -v /var/run/docker.sock:/var/run/docker.sock --env-file ./env.list containrrr/watchtower "$CmdDocker"
+ rm -f env.list
+ else
+ docker_prune_this v2tec/watchtower
+ docker run -d --restart=unless-stopped --name watchtower -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower "$CmdDocker"
+ fi
+ fi
+
+ # Get the new watchtower docker
+ if ! does_this_docker_exist containrrr/watchtower
+ then
+ docker run -d --restart=unless-stopped --name watchtower -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --cleanup --interval 3600
+ fi
+fi
+
+# Cleanup un-used packages
+apt autoremove -y
+apt autoclean
+
+# Update GRUB, just in case
+update-grub
+
+# Remove update lists
+rm /var/lib/apt/lists/* -r
+
+# Free some space (ZFS snapshots)
+if is_this_installed libzfs2linux
+then
+ if grep -rq ncdata /etc/mtab
+ then
+ run_script STATIC prune_zfs_snaphots
+ fi
+fi
+
+# Fix bug in nextcloud.sh
+CURRUSR="$(getent group sudo | cut -d: -f4 | cut -d, -f1)"
+if grep -q "6.ifcfg.me" $SCRIPTS/nextcloud.sh &>/dev/null
+then
+ rm -f "$SCRIPTS/nextcloud.sh"
+ download_script STATIC nextcloud
+ chown "$CURRUSR":"$CURRUSR" "$SCRIPTS/nextcloud.sh"
+ chmod +x "$SCRIPTS/nextcloud.sh"
+elif [ -f $SCRIPTS/techandme.sh ]
+then
+ rm -f "$SCRIPTS/techandme.sh"
+ download_script STATIC nextcloud
+ chown "$CURRUSR":"$CURRUSR" "$SCRIPTS/nextcloud.sh"
+ chmod +x "$SCRIPTS/nextcloud.sh"
+ if [ -f /home/"$CURRUSR"/.bash_profile ]
+ then
+ sed -i "s|techandme|nextcloud|g" /home/"$CURRUSR"/.bash_profile
+ elif [ -f /home/"$CURRUSR"/.profile ]
+ then
+ sed -i "s|techandme|nextcloud|g" /home/"$CURRUSR"/.profile
+ fi
+fi
+
+# Set secure permissions
+if [ ! -f "$SECURE" ]
+then
+ mkdir -p "$SCRIPTS"
+ download_script STATIC setup_secure_permissions_nextcloud
+ chmod +x "$SECURE"
+fi
+
+# Update all Nextcloud apps
+if [ "${CURRENTVERSION%%.*}" -ge "15" ]
+then
+ occ_command maintenance:mode --off
+ # Check for upgrades
+ print_text_in_color "$ICyan" "Trying to automatically update all Nextcloud apps..."
+ UPDATED_APPS="$(occ_command_no_check app:update --all)"
+fi
+
+# Check which apps got updated
+if [ -n "$UPDATED_APPS" ]
+then
+ print_text_in_color "$IGreen" "$UPDATED_APPS"
+ notify_admin_gui \
+ "You've got app updates!" \
+ "$UPDATED_APPS"
+else
+ print_text_in_color "$IGreen" "Your apps are already up to date!"
+fi
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+if [ -f /tmp/minor.version ]
+then
+ NCBAD=$(cat /tmp/minor.version)
+ NCVERSION=$(curl -s -m 900 $NCREPO/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | sort --version-sort | grep "${CURRENTVERSION%%.*}" | tail -1)
+ export NCVERSION
+ export STABLEVERSION="nextcloud-$NCVERSION"
+ rm -f /tmp/minor.version
+elif [ -f /tmp/prerelease.version ]
+then
+ PRERELEASE_VERSION=yes
+ msg_box "WARNING! You are about to update to a Beta/RC version of Nextcloud.\nThere's no turning back, because it's not possible to downgrade.\n\nPlease only continue if you have made a backup, or took a snapshot."
+ if [[ "no" == $(ask_yes_or_no "Do you really want to do this?") ]]
+ then
+ rm -f /tmp/prerelease.version
+ unset PRERELEASE_VERSION
+ else
+ if grep -q beta /tmp/prerelease.version
+ then
+ NCREPO="https://download.nextcloud.com/server/prereleases"
+ NCVERSION=$(curl -s -m 900 $NCREPO/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | sort --version-sort | tail -1)
+ STABLEVERSION="nextcloud-$NCVERSION"
+ rm -f /tmp/prerelease.version
+ elif grep -q RC /tmp/prerelease.version
+ then
+ NCREPO="https://download.nextcloud.com/server/prereleases"
+ NCVERSION=$(cat /tmp/prerelease.version)
+ STABLEVERSION="nextcloud-$NCVERSION"
+ rm -f /tmp/prerelease.version
+ fi
+ fi
+fi
+
+# Major versions unsupported
+if [[ "${CURRENTVERSION%%.*}" -le "$NCBAD" ]]
+then
+msg_box "Please note that updates between multiple major versions are unsupported! Your situation is:
+Current version: $CURRENTVERSION
+Latest release: $NCVERSION
+
+It is best to keep your Nextcloud server upgraded regularly, and to install all point releases
+and major releases without skipping any of them, as skipping releases increases the risk of
+errors. Major releases are 16, 17, 18 and 19. Point releases are intermediate releases for each
+major release. For example, 18.0.5 and 19.0.2 are point releases.
+
+You can read more about Nextcloud releases here: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule
+
+Please contact T&M Hansson IT AB to help you with upgrading between major versions.
+https://shop.hanssonit.se/product/upgrade-between-major-owncloud-nextcloud-versions/"
+ exit 1
+fi
+
+# Check if new version is larger than current version installed. Skip version check if you want to upgrade to a prerelease.
+if [ -z "$PRERELEASE_VERSION" ]
+then
+ print_text_in_color "$ICyan" "Checking for new Nextcloud version..."
+ if version_gt "$NCVERSION" "$CURRENTVERSION"
+ then
+ print_text_in_color "$ICyan" "Latest release is: $NCVERSION. Current version is: $CURRENTVERSION."
+ print_text_in_color "$IGreen" "New version available, upgrade continues!"
+ else
+ print_text_in_color "$IGreen" "You already run the latest version! ($CURRENTVERSION)"
+ exit 0
+ fi
+fi
+
+# Check if PHP version is compatible with $NCVERSION
+PHP_VER=71
+NC_VER=16
+if [ "${NCVERSION%%.*}" -ge "$NC_VER" ]
+then
+ if [ "$(php -v | head -n 1 | cut -d " " -f 2 | cut -c 1,3)" -lt "$PHP_VER" ]
+ then
+msg_box "Your PHP version isn't compatible with the new version of Nextcloud. Please upgrade your PHP stack and try again.
+
+If you need support, please visit https://shop.hanssonit.se/product/upgrade-php-version-including-dependencies/"
+ exit
+ fi
+fi
+
+# Check if PHP version is compatible with $NCVERSION
+PHP_VER=73
+NC_VER=20
+if [ "${NCVERSION%%.*}" -ge "$NC_VER" ]
+then
+ if [ "$(php -v | head -n 1 | cut -d " " -f 2 | cut -c 1,3)" -lt "$PHP_VER" ]
+ then
+msg_box "Your PHP version isn't compatible with the new version of Nextcloud. Please upgrade your PHP stack and try again.
+
+If you need support, please visit https://shop.hanssonit.se/product/upgrade-php-version-including-dependencies/"
+ exit
+ fi
+fi
+
+# Upgrade Nextcloud
+if ! site_200 $NCREPO
+then
+msg_box "$NCREPO seems to be down, or temporarily not reachable. Please try again in a few minutes."
+ exit 1
+fi
+
+countdown "Backing up files and upgrading to Nextcloud $NCVERSION in 10 seconds... Press CTRL+C to abort." "10"
+
+# Stop Apache2
+check_command systemctl stop apache2.service
+
+# Create backup dir (/mnt/NCBACKUP/)
+if [ ! -d "$BACKUP" ]
+then
+ BACKUP=/var/NCBACKUP
+ mkdir -p $BACKUP
+fi
+
+# Backup PostgreSQL
+if is_this_installed postgresql-common
+then
+ cd /tmp
+ if sudo -u postgres psql -c "SELECT 1 AS result FROM pg_database WHERE datname='$NCCONFIGDB'" | grep "1 row" > /dev/null
+ then
+ print_text_in_color "$ICyan" "Doing pgdump of $NCCONFIGDB..."
+ check_command sudo -u postgres pg_dump "$NCCONFIGDB" > "$BACKUP"/nextclouddb.sql
+ else
+ print_text_in_color "$ICyan" "Doing pgdump of all databases..."
+ check_command sudo -u postgres pg_dumpall > "$BACKUP"/alldatabases.sql
+ fi
+fi
+
+# Check if backup exists and move to old
+print_text_in_color "$ICyan" "Backing up data..."
+DATE=$(date +%Y-%m-%d-%H%M%S)
+if [ -d "$BACKUP" ]
+then
+ mkdir -p "$BACKUP"-OLD/"$DATE"
+ install_if_not rsync
+ rsync -Aaxz "$BACKUP"/ "$BACKUP"-OLD/"$DATE"
+ rm -R "$BACKUP"
+ mkdir -p "$BACKUP"
+fi
+
+# Do a backup of the ZFS mount
+if is_this_installed zfs-auto-snapshot
+then
+ if grep -rq ncdata /etc/mtab
+ then
+ check_multiverse
+ sed -i "s|date --utc|date|g" /usr/sbin/zfs-auto-snapshot
+ check_command zfs-auto-snapshot -r ncdata
+ fi
+fi
+
+# Backup data
+for folders in config apps
+do
+ if [[ "$(rsync -Aaxz $NCPATH/$folders $BACKUP)" -eq 0 ]]
+ then
+ BACKUP_OK=1
+ else
+ unset BACKUP_OK
+ fi
+done
+
+if [ -z $BACKUP_OK ]
+then
+ msg_box "Backup was not OK. Please check $BACKUP and see if the folders are backed up properly"
+ exit 1
+else
+ printf "${IGreen}\nBackup OK!${Color_Off}\n"
+fi
+
+# Download and validate Nextcloud package
+check_command download_verify_nextcloud_stable
+
+if [ -f "$HTML/$STABLEVERSION.tar.bz2" ]
+then
+ print_text_in_color "$ICyan" "$HTML/$STABLEVERSION.tar.bz2 exists"
+else
+ msg_box "Aborting, something went wrong with the download"
+ exit 1
+fi
+
+if [ -d $BACKUP/config/ ]
+then
+ print_text_in_color "$ICyan" "$BACKUP/config/ exists"
+else
+msg_box "Something went wrong with backing up your old nextcloud instance
+Please check in $BACKUP if config/ folder exist."
+ exit 1
+fi
+
+if [ -d $BACKUP/apps/ ]
+then
+ print_text_in_color "$ICyan" "$BACKUP/apps/ exists"
+ echo
+ print_text_in_color "$IGreen" "All files are backed up."
+ occ_command maintenance:mode --on
+ countdown "Removing old Nextcloud instance in 5 seconds..." "5"
+ rm -rf $NCPATH
+ print_text_in_color "$IGreen" "Extracting new package...."
+ check_command tar -xjf "$HTML/$STABLEVERSION.tar.bz2" -C "$HTML"
+ rm "$HTML/$STABLEVERSION.tar.bz2"
+ print_text_in_color "$IGreen" "Restoring config to Nextcloud..."
+ rsync -Aaxz $BACKUP/config "$NCPATH"/
+ bash $SECURE & spinner_loading
+ occ_command maintenance:mode --off
+ occ_command upgrade
+ # Optimize
+ print_text_in_color "$ICyan" "Optimizing Nextcloud..."
+ yes | occ_command db:convert-filecache-bigint
+ occ_command db:add-missing-indices
+ CURRENTVERSION=$(sudo -u www-data php $NCPATH/occ status | grep "versionstring" | awk '{print $3}')
+ if [ "${CURRENTVERSION%%.*}" -ge "19" ]
+ then
+ check_php
+ occ_command db:add-missing-columns
+ install_if_not php"$PHPVER"-bcmath
+ fi
+else
+msg_box "Something went wrong with backing up your old nextcloud instance
+Please check in $BACKUP if the folders exist."
+ exit 1
+fi
+
+# Update Bitwarden
+if [ "$(docker ps -a >/dev/null 2>&1 && echo yes || echo no)" == "yes" ]
+then
+ if docker ps -a --format '{{.Names}}' | grep -Eq "bitwarden";
+ then
+ if is_this_installed apache2
+ then
+ if [ -d /root/bwdata ]
+ then
+ curl_to_dir "https://raw.githubusercontent.com/bitwarden/server/master/scripts" "bitwarden.sh" "/root"
+ if [ -f /root/bitwarden.sh ]
+ then
+ print_text_in_color "$IGreen" "Upgrading Bitwarden..."
+ sleep 2
+ bash /root/bitwarden.sh updateself
+ bash /root/bitwarden.sh update
+ fi
+ fi
+ fi
+ fi
+fi
+
+# Start Apache2
+start_if_stopped apache2
+
+# Just double check if the DB is started as well
+if is_this_installed postgresql-common
+then
+ if ! pgrep postgres >/dev/null 2>&1
+ then
+ print_text_in_color "$ICyan" "Starting PostgreSQL..."
+ check_command systemctl start postgresql.service
+ fi
+fi
+
+# Recover apps that exists in the backed up apps folder
+run_script STATIC recover_apps
+
+# Remove header for Nextcloud 14 (already in .htaccess)
+if [ -f /etc/apache2/sites-available/"$(hostname -f)".conf ]
+then
+ if grep -q 'Header always set Referrer-Policy' /etc/apache2/sites-available/"$(hostname -f)".conf
+ then
+ sed -i '/Header always set Referrer-Policy/d' /etc/apache2/sites-available/"$(hostname -f)".conf
+ restart_webserver
+ fi
+fi
+
+# Change owner of $BACKUP folder to root
+chown -R root:root "$BACKUP"
+
+# Pretty URLs
+print_text_in_color "$ICyan" "Setting RewriteBase to \"/\" in config.php..."
+chown -R www-data:www-data "$NCPATH"
+occ_command config:system:set htaccess.RewriteBase --value="/"
+occ_command maintenance:update:htaccess
+bash "$SECURE"
+
+# Repair
+occ_command maintenance:repair
+
+# Create $VMLOGS dir
+if [ ! -d "$VMLOGS" ]
+then
+ mkdir -p "$VMLOGS"
+fi
+
+CURRENTVERSION_after=$(occ_command status | grep "versionstring" | awk '{print $3}')
+if [[ "$NCVERSION" == "$CURRENTVERSION_after" ]] || [ -n "$PRERELEASE_VERSION" ]
+then
+msg_box "Latest version is: $NCVERSION. Current version is: $CURRENTVERSION_after.
+
+||| UPGRADE SUCCESS! |||
+
+If you notice that some apps are disabled it's due to that they are not compatible with the new Nextcloud version.
+To recover your old apps, please check $BACKUP/apps and copy them to $NCPATH/apps manually.
+
+Thank you for using T&M Hansson IT's updater!"
+ occ_command status
+ occ_command maintenance:mode --off
+ print_text_in_color "$ICyan" "Sending notification about the successful update to all admins..."
+ notify_admin_gui \
+ "Nextcloud is now updated!" \
+ "Your Nextcloud is updated to $CURRENTVERSION_after with the update script in the Nextcloud VM."
+ echo "NEXTCLOUD UPDATE success-$(date +"%Y%m%d")" >> "$VMLOGS"/update.log
+ exit 0
+else
+msg_box "Latest version is: $NCVERSION. Current version is: $CURRENTVERSION_after.
+
+||| UPGRADE FAILED! |||
+
+Your files are still backed up at $BACKUP. No worries!
+Please report this issue to $ISSUES
+
+Maintenance mode is kept on."
+ notify_admin_gui \
+ "Nextcloud update failed!" \
+ "Your Nextcloud update failed, please check the logs at $VMLOGS/update.log"
+ occ_command status
+ exit 1
+fi
diff --git a/old/modsecurity.sh b/old/modsecurity.sh
new file mode 100644
index 00000000..31ec00a0
--- /dev/null
+++ b/old/modsecurity.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Installing ModSecurity..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Add modsecurity
+apt update -q4 & spinner_loading
+install_if_not libapache2-mod-security2
+install_if_not modsecurity-crs
+mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
+
+msg_box "WARNING WARNING WARNING WARNING WARNING WARNING:
+
+Do not enable active defence if you don't know what you're doing!
+It will break OnlyOffice, and it may break other stuff as well in Nextcloud as it's
+blocking access to files automatically.
+
+You can monitor the audit log by typing this command in your shell:
+tail -f /var/log/apache2/modsec_audit.log
+
+You can disable it by typing this command in your shell:
+sed -i 's/SecRuleEngine .*/SecRuleEngine DetectionOnly/g' /etc/modsecurity/modsecurity.conf
+
+YOU HAVE BEEN WARNED."
+if [[ "yes" == $(ask_yes_or_no "Do you want to enable active defence?") ]]
+then
+ sed -i 's|SecRuleEngine .*|SecRuleEngine on|g' /etc/modsecurity/modsecurity.conf
+fi
+
+cat << MODSECWHITE > "/etc/modsecurity/whitelist.conf"
+<Directory $NCPATH>
+# VIDEOS
+ SecRuleRemoveById 958291 # Range Header Checks
+ SecRuleRemoveById 981203 # Correlated Attack Attempt
+
+ # PDF
+ SecRuleRemoveById 950109 # Check URL encodings
+
+ # ADMIN (webdav)
+ SecRuleRemoveById 960024 # Repeatative Non-Word Chars (heuristic)
+ SecRuleRemoveById 981173 # SQL Injection Character Anomaly Usage
+ SecRuleRemoveById 981204 # Correlated Attack Attempt
+ SecRuleRemoveById 981243 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981245 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981246 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981318 # String Termination/Statement Ending Injection Testing
+ SecRuleRemoveById 973332 # XSS Filters from IE
+ SecRuleRemoveById 973338 # XSS Filters - Category 3
+ SecRuleRemoveById 981143 # CSRF Protections ( TODO edit LocationMatch filter )
+
+ # COMING BACK FROM OLD SESSION
+ SecRuleRemoveById 970903 # Microsoft Office document properties leakage
+
+ # NOTES APP
+ SecRuleRemoveById 981401 # Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff'
+ SecRuleRemoveById 200002 # Failed to parse request body
+
+ # UPLOADS ( 20 MB max excluding file size )
+ SecRequestBodyNoFilesLimit 20971520
+
+ # GENERAL
+ SecRuleRemoveById 960017 # Host header is a numeric IP address
+
+ # SAMEORIGN
+ SecRuleRemoveById 911100 # fpm socket
+
+ # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
+ #SecRuleRemoveById 981220 900046 981407
+ #SecRuleRemoveById 981222 981405 981185 981184
+</Directory>
+MODSECWHITE
+
+# Don't log in Apache2 error.log, only in a seperate log (/var/log/apache2/modsec_audit.log)
+check_command sed -i 's|SecDefaultAction "phase:1,log,auditlog,pass"|# SecDefaultAction "phase:1,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|SecDefaultAction "phase:2,log,auditlog,pass"|# SecDefaultAction "phase:2,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:1,nolog,auditlog,pass"|SecDefaultAction "phase:1,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:2,nolog,auditlog,pass"|SecDefaultAction "phase:2,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+
+if [ -f /etc/modsecurity/whitelist.conf ]
+then
+ print_text_in_color "$IGreen" "ModSecurity activated!"
+ restart_webserver
+fi
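Review bot: The `SecRuleRemoveById` lines written to /etc/modsecurity/whitelist.conf carry trailing `# …` text, and Apache only treats `#` as a comment at the start of a line, so those words are handed to the directive as extra arguments instead of being ignored. Move each description onto its own comment line above the directive, e.g. `# Range Header Checks` followed by `SecRuleRemoveById 958291`. The block also switches off SQL-injection, XSS and CSRF rule IDs for everything under `$NCPATH`; a comment recording which request triggered each exclusion would let a later maintainer narrow them to the affected paths. The final `[ -f /etc/modsecurity/whitelist.conf ]` test only proves the heredoc wrote a file, so running `apache2ctl configtest` before `restart_webserver` would catch a rejected directive.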
diff --git a/old/ntpdate.sh b/old/ntpdate.sh
new file mode 100644
index 00000000..43645ef3
--- /dev/null
+++ b/old/ntpdate.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+if network_ok
+then
+ if is_this_installed ntpdate
+ then
+ ntpdate -s 1.se.pool.ntp.org
+ fi
+fi
+exit
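Review bot: The line `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` executes whatever the `master` branch serves at run time, with no pinned revision or checksum, and because `curl -s` without `-f` reports nothing on a failed fetch, the helpers (`debug_mode`, `network_ok`, …) are left undefined while the script carries on. The same line opens old/modsecurity.sh, old/onlyoffice.sh, old/spreedme.sh, static/adduser.sh, static/apps.sh, static/automatic_updates.sh, static/configuration.sh, static/cookielifetime.sh and static/docker_overlay2.sh in this commit, most of which then call `root_check`. Fetching to a file with `curl -fsSL` from a URL pinned to a commit (`<COMMIT_SHA>` in place of `master`), verifying it with `sha256sum -c` against a checksum shipped with the scripts, and only then sourcing it would make them fail closed. Where a local copy of lib.sh is already installed, sourcing that copy is an alternative.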
diff --git a/old/onlyoffice.sh b/old/onlyoffice.sh
new file mode 100644
index 00000000..fcdddd11
--- /dev/null
+++ b/old/onlyoffice.sh
@@ -0,0 +1,221 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+# OnlyOffice URL (onlyoffice.sh)
+SUBDOMAIN=$(whiptail --title "T&M Hansson IT - OnlyOffice" --inputbox "OnlyOffice subdomain eg: office.yourdomain.com\n\nNOTE: This domain must be different than your Nextcloud domain. They can however be hosted on the same server, but would require seperate DNS entries." "$WT_HEIGHT" "$WT_WIDTH" 3>&1 1>&2 2>&3)
+# Nextcloud Main Domain (onlyoffice.sh)
+NCDOMAIN=$(whiptail --title "T&M Hansson IT - OnlyOffice" --inputbox "Nextcloud domain, make sure it looks like this: cloud\\.yourdomain\\.com" "$WT_HEIGHT" "$WT_WIDTH" cloud\\.yourdomain\\.com 3>&1 1>&2 2>&3)
+
+print_text_in_color "$ICyan" "Installing OnlyOffice..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 OnlyOffice
+cpu_check 2 OnlyOffice
+
+# Notification
+msg_box "Before you start, please make sure that port 80+443 is directly forwarded to this machine!"
+
+# Get the latest packages
+apt update -q4 & spinner_loading
+
+# Check if Nextcloud is installed
+print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
+if ! curl -s https://"${NCDOMAIN//\\/}"/status.php | grep -q 'installed":true'
+then
+msg_box "It seems like Nextcloud is not installed or that you don't use https on:
+${NCDOMAIN//\\/}.
+Please install Nextcloud and make sure your domain is reachable, or activate SSL
+on your domain to be able to run this script.
+If you use the Nextcloud VM you can use the Let's Encrypt script to get SSL and activate your Nextcloud domain.
+When SSL is activated, run these commands from your terminal:
+sudo curl -sLO $APP/onlyoffice.sh
+sudo bash onlyoffice.sh"
+ exit 1
+fi
+
+# Check if apache2 evasive-mod is enabled and disable it because of compatibility issues
+if [ "$(apache2ctl -M | grep evasive)" != "" ]
+then
+ msg_box "We noticed that 'mod_evasive' is installed which is the DDOS protection for webservices. It has comptibility issues with OnlyOffice and you can now choose to disable it."
+ if [[ "no" == $(ask_yes_or_no "Do you want to disable DDOS protection?") ]]
+ then
+ print_text_in_color "$ICyan" "Keeping mod_evasive active."
+ else
+ a2dismod evasive
+ # a2dismod mod-evasive # not needed, but existing in the Extra Security script.
+ apt-get purge libapache2-mod-evasive -y
+ systemctl restart apache2
+ fi
+fi
+
+# Check if $SUBDOMAIN exists and is reachable
+print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
+domain_check_200 "$SUBDOMAIN"
+
+# Check open ports with NMAP
+check_open_port 80 "$SUBDOMAIN"
+check_open_port 443 "$SUBDOMAIN"
+
+# Install Docker
+install_docker
+
+# Check if OnlyOffice or Collabora is previously installed
+# If yes, then stop and prune the docker container
+docker_prune_this 'onlyoffice/documentserver'
+docker_prune_this 'collabora/code'
+
+# Disable RichDocuments (Collabora App) if activated
+if [ -d "$NC_APPS_PATH"/richdocuments ]
+then
+ occ_command app:remove richdocuments
+fi
+
+# Disable OnlyOffice (Collabora App) if activated
+if [ -d "$NC_APPS_PATH"/onlyoffice ]
+then
+ occ_command app:remove onlyoffice
+fi
+
+# Install Onlyoffice docker
+docker pull onlyoffice/documentserver:latest
+docker run -i -t -d -p 127.0.0.3:9090:80 --restart always --name onlyoffice onlyoffice/documentserver
+
+# Licensed version
+# https://helpcenter.onlyoffice.com/server/integration-edition/docker/docker-installation.aspx
+# docker run -i -t -d -p 127.0.0.3:9090:80 --restart=always --name onlyoffice \
+# -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data onlyoffice/documentserver-ie
+
+# Install apache2
+install_if_not apache2
+
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+
+if [ -f "$HTTPS_CONF" ]
+then
+ a2dissite "$SUBDOMAIN.conf"
+ rm -f "$HTTPS_CONF"
+fi
+
+# Create Vhost for OnlyOffice online in Apache2
+if [ ! -f "$HTTPS_CONF" ];
+then
+ cat << HTTPS_CREATE > "$HTTPS_CONF"
+<VirtualHost *:443>
+ ServerName $SUBDOMAIN:443
+
+ SSLEngine on
+ ServerSignature On
+ SSLHonorCipherOrder on
+
+ SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+ SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+ SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+ SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
+
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ # Just in case - see below
+ SSLProxyEngine On
+ SSLProxyVerify None
+ SSLProxyCheckPeerCN Off
+ SSLProxyCheckPeerName Off
+
+ # contra mixed content warnings
+ RequestHeader set X-Forwarded-Proto "https"
+
+ # basic proxy settings
+ ProxyRequests off
+
+ ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.3:9090/$1$2"
+ ProxyPass / "http://127.0.0.3:9090/"
+ ProxyPassReverse / "http://127.0.0.3:9090/"
+
+ <Location />
+ ProxyPassReverse /
+ </Location>
+</VirtualHost>
+HTTPS_CREATE
+
+ if [ -f "$HTTPS_CONF" ];
+ then
+ print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+ sleep 1
+ else
+ print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+ fi
+fi
+
+# Install certbot (Let's Encrypt)
+install_certbot
+
+# Generate certs
+if generate_cert "$SUBDOMAIN"
+then
+ # Generate DHparams chifer
+ if [ ! -f "$DHPARAMS_SUB" ]
+ then
+ openssl dhparam -dsaparam -out "$DHPARAMS_SUB" 4096
+ fi
+ printf "%b" "${IGreen}Certs are generated!\n${Color_Off}"
+ a2ensite "$SUBDOMAIN.conf"
+ restart_webserver
+ # Install OnlyOffice
+ occ_command app:install onlyoffice
+else
+ print_text_in_color "$IRed" "It seems like no certs were generated, please report this issue here: $ISSUES"
+ any_key "Press any key to continue... "
+ restart_webserver
+fi
+
+# Set config for OnlyOffice
+if [ -d "$NC_APPS_PATH"/onlyoffice ]
+then
+ occ_command config:app:set onlyoffice DocumentServerUrl --value=https://"$SUBDOMAIN/"
+ chown -R www-data:www-data "$NC_APPS_PATH"
+ occ_command config:system:set trusted_domains 3 --value="$SUBDOMAIN"
+# Add prune command
+ {
+ echo "#!/bin/bash"
+ echo "docker system prune -a --force"
+ echo "exit"
+ } > "$SCRIPTS/dockerprune.sh"
+ chmod a+x "$SCRIPTS/dockerprune.sh"
+ crontab -u root -l | { cat; echo "@weekly $SCRIPTS/dockerprune.sh"; } | crontab -u root -
+ print_text_in_color "$ICyan" "Docker automatic prune job added."
+ service docker restart
+ docker restart onlyoffice
+ print_text_in_color "$IGreen" "OnlyOffice is now successfully installed."
+ any_key "Press any key to continue... "
+fi
+
+exit
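Review bot: The vhost is written with an unquoted heredoc (`cat << HTTPS_CREATE`), so the shell expands `${APACHE_LOG_DIR}` and `$1$2` while writing the file. Unless `APACHE_LOG_DIR` happens to be set in the script's environment, the log directives become `/access.log` and `/error.log`, and the websocket `ProxyPassMatch` target receives the script's positional parameters instead of the regex back-references. Escape them so Apache sees the literals: `CustomLog \${APACHE_LOG_DIR}/access.log combined`, `ErrorLog \${APACHE_LOG_DIR}/error.log` and `"ws://127.0.0.3:9090/\$1\$2"`. In the same block, `SSLProtocol all -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled and the cipher list includes 3DES and non-forward-secret suites, which is worth tightening in the same change.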
diff --git a/old/spreedme.sh b/old/spreedme.sh
new file mode 100644
index 00000000..2d4ffde2
--- /dev/null
+++ b/old/spreedme.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+print_text_in_color "$ICyan" "Installing Spreed.ME..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+if ! is_root
+then
+ printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${ICyan}sudo ${Color_Off}bash %s/nextcloud_install_production.sh\n" "$SCRIPTS"
+ exit 1
+fi
+
+# Check if Nextcloud exists
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Install if missing
+install_if_not apache2
+install_if_not snapd
+
+# Install Nextcloud Spreed.ME Snap
+if [ -d "$SNAPDIR" ]
+then
+ print_text_in_color "$ICyan" "Spreed.ME Snap already seems to be installed and will now be re-installed..."
+ snap remove spreedme
+ rm -rf "$SNAPDIR"
+ snap install --edge spreedme
+else
+ snap install --edge spreedme
+fi
+
+# Install and activate the Spreed.ME app
+if [ -d "$NC_APPS_PATH/spreedme" ]
+then
+ # Remove
+ occ_command app:disable spreedme
+ print_text_in_color "$ICyan" "Spreed.ME app already seems to be installed and will now be re-installed..."
+ rm -R "$NC_APPS_PATH/spreedme"
+ # Reinstall
+ occ_command app:install spreedme
+else
+ occ_command app:install spreedme
+fi
+occ_command app:enable spreedme
+chown -R www-data:www-data "$NC_APPS_PATH"
+
+# Generate secret keys
+SHAREDSECRET=$(openssl rand -hex 32)
+TEMPLINK=$(openssl rand -hex 32)
+sed -i "s|sharedsecret_secret = .*|sharedsecret_secret = $SHAREDSECRET|g" "$SNAPDIR/current/server.conf"
+
+# Populate the else empty config file (uses database for content by default)
+cp "$NCPATH/apps/spreedme/config/config.php.in" "$NCPATH/apps/spreedme/config/config.php"
+
+# Place the key in the NC app config
+sed -i "s|.*SPREED_WEBRTC_SHAREDSECRET.*| const SPREED_WEBRTC_SHAREDSECRET = '$SHAREDSECRET';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Allow to create temporary links
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED.*|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED = true;|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Set temporary links hash
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY.*|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY = '$TEMPLINK';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+
+# Enable Apache mods
+a2enmod proxy \
+ proxy_wstunnel \
+ proxy_http \
+ headers
+
+# Add config to vhost
+VHOST=/etc/apache2/spreedme.conf
+if [ ! -f $VHOST ]
+then
+cat << VHOST > "$VHOST"
+<Location /webrtc>
+ ProxyPass http://127.0.0.1:8080/webrtc
+ ProxyPassReverse /webrtc
+</Location>
+
+<Location /webrtc/ws>
+ ProxyPass ws://127.0.0.1:8080/webrtc/ws
+</Location>
+
+ ProxyVia On
+ ProxyPreserveHost On
+ RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+ # RequestHeader set X-Forwarded-Proto 'https' # Use this if you are behind a (Nginx) reverse proxy with http backends
+VHOST
+fi
+
+if ! grep -Fxq "Include $VHOST" /etc/apache2/apache2.conf
+then
+ sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"
+fi
+
+# Restart services
+restart_webserver
+if ! systemctl restart snap.spreedme.spreed-webrtc.service
+then
+msg_box "Something is wrong, the installation did not finish correctly.
+
+Please report this to $ISSUES"
+ exit 1
+else
+msg_box "Success! Spreed.ME is now installed and configured.
+
+You may have to change SPREED_WEBRTC_ORIGIN in:
+(sudo nano) $NCPATH/apps/spreedme/config/config.php"
+ exit 0
+fi
+
+exit
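Review bot: `chown -R www-data:www-data "$NC_APPS_PATH"` runs before `config.php` is created with `cp` and filled with `SPREED_WEBRTC_SHAREDSECRET` and the temporary-password signing key. The file holding both secrets therefore keeps whatever owner and mode `cp` gives it under the invoking user's umask, rather than a deliberately restricted one. Setting them explicitly after the last `sed`, with `chown www-data:www-data "$NCPATH/apps/spreedme/config/config.php"` and `chmod 640 "$NCPATH/apps/spreedme/config/config.php"`, would keep the keys readable only by the web server user. The permissions of `$SNAPDIR/current/server.conf`, which receives the same shared secret, are not visible here and deserve the same check.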
diff --git a/prep_vm.sh b/prep_vm.sh
deleted file mode 100644
index 547b613e..00000000
--- a/prep_vm.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-# shellcheck disable=2034,2059
-true
-# shellcheck source=lib.sh
-. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
-
-# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
-
-# Check for errors + debug code and abort if something isn't right
-# 1 = ON
-# 0 = OFF
-DEBUG=0
-debug_mode
-
-# Create scripts folder
-mkdir -p "$SCRIPTS"
-
-# Get needed scripts for first bootup
-check_command curl_to_dir "$GITHUB_REPO" lib.sh "$SCRIPTS"
-download_script STATIC instruction
-download_script STATIC history
-download_script STATIC static_ip
-
-# Make $SCRIPTS excutable
-chmod +x -R "$SCRIPTS"
-chown root:root -R "$SCRIPTS"
-
-# Prepare first bootup
-check_command run_script STATIC change-ncadmin-profile
-check_command run_script STATIC change-root-profile
-
-# Upgrade
-apt update -q4 & spinner_loading
-apt dist-upgrade -y
-
-# Remove LXD (always shows up as failed during boot)
-apt-get purge lxd -y
-
-# Put IP adress in /etc/issue (shown before the login)
-if [ -f /etc/issue ]
-then
- echo "\4" >> /etc/issue
- echo "USER: ncadmin"
- echo "PASS: nextcloud"
-fi
diff --git a/static/adduser.sh b/static/adduser.sh
new file mode 100644
index 00000000..2e58ca8a
--- /dev/null
+++ b/static/adduser.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+if [[ $UNIXUSER != "ncadmin" ]]
+then
+msg_box "Current user with sudo permissions is: $UNIXUSER.
+This script will set up everything with that user.
+If the field after ':' is blank you are probably running as a pure root user.
+It's possible to install with root, but there will be minor errors.
+
+Please create a user with sudo permissions if you want an optimal installation.
+The preferred user is 'ncadmin'."
+ if [[ "no" == $(ask_yes_or_no "Do you want to create a new user?") ]]
+ then
+ print_text_in_color "$ICyan" "Not adding another user..."
+ sleep 1
+ else
+ read -r -p "Enter name of the new user: " NEWUSER
+ adduser --disabled-password --gecos "" "$NEWUSER"
+ sudo usermod -aG sudo "$NEWUSER"
+ usermod -s /bin/bash "$NEWUSER"
+ while true
+ do
+ sudo passwd "$NEWUSER" && break
+ done
+ sudo -u "$NEWUSER" sudo bash "$1"
+ fi
+fi
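Review bot: The exit status of `adduser` is ignored, so when it fails (for instance because the name typed at the prompt already exists or is invalid) the script still runs `usermod -aG sudo "$NEWUSER"` and the `passwd` loop against that name. That would add an existing account to the sudo group and reset its password. Stop on failure, e.g. `adduser --disabled-password --gecos "" "$NEWUSER" || exit 1`, and reject an empty `$NEWUSER` before calling it. The last line also runs `bash "$1"` without checking that an argument was passed, and the `while true` loop around `passwd` has no exit if it keeps failing.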
diff --git a/static/apps.sh b/static/apps.sh
new file mode 100644
index 00000000..ff1835cc
--- /dev/null
+++ b/static/apps.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+mkdir -p "$SCRIPTS"
+print_text_in_color "$ICyan" "Running the additional apps script..."
+
+if network_ok
+then
+ # Delete, download, run
+ run_script APP additional_apps
+fi
+
+exit
diff --git a/static/automatic_updates.sh b/static/automatic_updates.sh
new file mode 100644
index 00000000..26968209
--- /dev/null
+++ b/static/automatic_updates.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Configuring automatic updates..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+msg_box "This option will update your server every week on Saturdays at $AUT_UPDATES_TIME:00.
+The update will run the built in script '$SCRIPTS/update.sh' which will update both the server packages and Nextcloud itself.
+
+You can read more about it here: https://www.techandme.se/nextcloud-update-is-now-fully-automated/
+Please keep in mind that automatic updates might fail hence it's important to have a proper backup in place if you plan to run this option.
+
+You can disable the automatic updates by entering the crontab file like this:
+'sudo crontab -e -u root'
+Then just put a hash (#) in front of the row that you want to disable.
+
+In the next step you will be able to choose to proceed or exit."
+
+if [[ "yes" == $(ask_yes_or_no "Do you want to enable automatic updates?") ]]
+then
+ occ_command config:app:set updatenotification notify_groups --value="[]"
+ touch $VMLOGS/update.log
+ crontab -u root -l | { cat; echo "0 $AUT_UPDATES_TIME * * 6 $SCRIPTS/update.sh minor >> $VMLOGS/update.log"; } | crontab -u root -
+ if [[ "yes" == $(ask_yes_or_no "Do you want to reboot your server after every update? *recommended*") ]]
+ then
+ sed -i "s|exit|shutdown -r +1|g" "$SCRIPTS"/update.sh
+ echo "exit" >> "$SCRIPTS"/update.sh
+ fi
+fi
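Review bot: `sed -i "s|exit|shutdown -r +1|g" "$SCRIPTS"/update.sh` rewrites every occurrence of the string `exit` in update.sh, so an `exit 1` on an error path would become `shutdown -r +1 1`, and comments or messages containing the word are changed too. update.sh is not part of this hunk, so how many lines are hit cannot be confirmed here. Anchoring the match to the bare final statement, `sed -i 's|^exit$|shutdown -r +1|' "$SCRIPTS"/update.sh`, limits the edit to that line. Running the script a second time also appends another cron entry. The entry redirects only stdout, so adding `2>&1` after `>> $VMLOGS/update.log` would keep errors from the unattended root job in the log.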
diff --git a/static/change-root-profile.sh b/static/change-root-profile.sh
index 5cc68e2f..d495deba 100644
--- a/static/change-root-profile.sh
+++ b/static/change-root-profile.sh
@@ -27,9 +27,14 @@ then
fi
fi
-if [ -x /var/scripts/nextcloud_install_production.sh ]
+if [ -x /var/scripts/nextcloud-startup-script.sh ]
then
- /var/scripts/nextcloud_install_production.sh
+ /var/scripts/nextcloud-startup-script.sh
+fi
+
+if [ -x /var/scripts/history.sh ]
+then
+ /var/scripts/history.sh
fi
mesg n
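Review bot: The two new blocks execute `/var/scripts/nextcloud-startup-script.sh` and `/var/scripts/history.sh` on every root login, gated only by `-x`, so anyone able to write to /var/scripts gets code run as root at the next login. Nothing in this hunk shows the directory's ownership or mode, so this may already be handled elsewhere. If it is not, a comment stating that /var/scripts must be root-owned and not group- or world-writable, or an added test such as `[ -O /var/scripts/history.sh ]` next to `-x`, would document the assumption. The surrounding conditional starts above the hunk.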
diff --git a/static/configuration.sh b/static/configuration.sh
new file mode 100644
index 00000000..bc99697d
--- /dev/null
+++ b/static/configuration.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+mkdir -p "$SCRIPTS"
+print_text_in_color "$ICyan" "Running the nextcloud configuration script..."
+
+if network_ok
+then
+ # Delete, download, run
+ run_script STATIC nextcloud_configuration
+fi
+
+exit
diff --git a/static/cookielifetime.sh b/static/cookielifetime.sh
new file mode 100644
index 00000000..a1a51f3e
--- /dev/null
+++ b/static/cookielifetime.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Configuring Cookie Lifetime timeout..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+choice=$(whiptail --radiolist "Configure the logout time (in seconds) which will forcefully logout the Nextcloud user from the web browser when the timeout is reached.\n\nSelect one with the [ARROW] keys and select with the [SPACE] key. Confirm by pressing [ENTER]" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"1800s" "30 minutes" ON \
+"7200s" "2 hours" OFF \
+"43200s" "12 hours" OFF \
+"172800s" "2 days" OFF \
+"604800s" "1 week" OFF \
+"2419200s" "4 weeks" OFF \
+"Custom" "setup a custom time" OFF 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ "1800s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="1800"
+ ;;
+ "7200s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="7200"
+ ;;
+ "43200s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="43200"
+ ;;
+ "172800s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="172800"
+ ;;
+ "604800s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="604800"
+ ;;
+ "2419200s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="2419200"
+ ;;
+ "Custom")
+ while true
+ do
+ COOKIE_LIFETIME=$(whiptail --inputbox "Configure the logout time (in seconds) which will forcefully logout the Nextcloud user from the web browser when the timeout is reached.\n\nPlease enter the Cookie Lifetime in seconds, so e.g. 1800 for 30 minutes or 3600 for 1 hour\n\n You can not set a value below 30 minutes (1800 seconds)." "$WT_HEIGHT" "$WT_WIDTH" 1800 3>&1 1>&2 2>&3)
+ if ! check_if_number "$COOKIE_LIFETIME"
+ then
+ msg_box "The value you entered doesn't seem to be a number between 0-9, please enter a valid number."
+ elif [ "$COOKIE_LIFETIME" -lt "1800" ]
+ then
+ msg_box "Please choose a value more than 1800 seconds."
+ elif [[ "no" == $(ask_yes_or_no "Is this correct? $COOKIE_LIFETIME seconds") ]]
+ then
+ msg_box "It seems like you weren't satisfied with your setting of ($COOKIE_LIFETIME) seconds. Please try again."
+ else
+ occ_command config:system:set remember_login_cookie_lifetime --value="$COOKIE_LIFETIME"
+ break
+ fi
+ done
+ ;;
+ *)
+ ;;
+esac
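Review bot: In the `Custom` branch the exit status of `whiptail --inputbox` is not checked, so pressing Cancel leaves `COOKIE_LIFETIME` empty; `check_if_number` (defined in lib.sh, not shown) presumably rejects that, and the `while true` loop then shows the dialog again with no way out short of killing the script. Ending the assignment with `|| break` lets Cancel leave the loop. The six fixed branches differ only in the number, so a single arm such as `*s) occ_command config:system:set remember_login_cookie_lifetime --value="${choice%s}" ;;` could replace them. The 1800-second message also says "more than 1800" although the `-lt` test accepts 1800 itself.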
diff --git a/static/docker_overlay2.sh b/static/docker_overlay2.sh
new file mode 100644
index 00000000..0abcd6dd
--- /dev/null
+++ b/static/docker_overlay2.sh
@@ -0,0 +1,167 @@
+#!/bin/bash
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+### Migrating Docker images to overlay2 ###
+# https://www.techandme.se/changes-to-docker-ce-in-the-nextcloud-vm/
+# Credits to: https://gist.github.com/hydra1983/22b2bed38b4f5f56caa87c830c96378d
+
+# Make sure DOCKERBACKUP is created
+if [ -f "$NCPATH"/config/config.php ]
+then
+ NCDATA="$(grep 'datadir' "$NCPATH"/config/config.php | awk '{print $3}' | cut -d "'" -f2)"
+fi
+DOCKERBACKUP="$NCDATA/DOCKERBACKUP"
+mkdir -p "$DOCKERBACKUP"
+
+# Check if aufs and don't run
+if grep -q "aufs" /etc/default/docker
+then
+msg_box "This script doesn't support images that uses the AUFS driver, sorry
+
+You are welcome to send a PR, or report an issue here: $ISSUES"
+ exit 1
+fi
+
+readonly DB_FILE="$DOCKERBACKUP/images.db"
+readonly IMG_DIR="$DOCKERBACKUP/images"
+
+save_images() {
+ print_text_in_color "$ICyan" "Create ${IMG_DIR}"
+ if [[ ! -d "${IMG_DIR}" ]]; then
+ mkdir "${IMG_DIR}"
+ fi
+
+ print_text_in_color "$ICyan" "Create ${DB_FILE}"
+ docker images|grep -v 'IMAGE ID'|awk '{printf("%s %s %s\n", $1, $2, $3)}'|column -t > "${DB_FILE}"
+
+ print_text_in_color "$ICyan" "Read ${DB_FILE}"
+ local images
+ while read -r image; do
+ images+=("$image");
+ done <<< "$(cat "${DB_FILE}")"
+
+ local name tag id
+ for image in "${images[@]}"; do
+ name=$(echo "$image"|awk '{print $1}')
+ tag=$(echo "$image"|awk '{print $2}')
+ id=$(echo "$image"|awk '{print $3}')
+
+ if [[ "${id}" != "" ]]; then
+ local imgPath="${IMG_DIR}/${id}.dim"
+
+ if [[ ! -f "${imgPath}" ]] ; then
+ print_text_in_color "$ICyan" "[DEBUG] save ${id} ${name}:${tag} to ${imgPath}"
+ (time docker save -o "${imgPath}" "${name}":"${tag}") 2>&1 | grep real
+ else
+ print_text_in_color "$ICyan" "[DEBUG] ${id} ${name}:${tag} already saved"
+ fi
+ fi
+ done
+}
+
+load_images() {
+ if [[ ! -f "${DB_FILE}" ]]; then
+ print_text_in_color "$ICyan" "No ${DB_FILE} to read"
+ exit 0
+ fi
+
+ if [[ ! -d "${IMG_DIR}" ]]; then
+ print_text_in_color "$ICyan" "No ${IMG_DIR} to load images"
+ exit 0
+ fi
+
+ print_text_in_color "$ICyan" "Read ${DB_FILE}"
+ local images
+ while read -r image; do
+ images+=("$image");
+ done <<< "$(cat "${DB_FILE}")"
+
+ local name tag id
+ for image in "${images[@]}"; do
+ name=$(echo "$image"|awk '{print $1}')
+ tag=$(echo "$image"|awk '{print $2}')
+ id=$(echo "$image"|awk '{print $3}')
+
+ if [[ "${id}" != "" ]]; then
+ local imgPath="${IMG_DIR}/${id}.dim"
+
+ if [[ "$(docker images|grep "${id}" | grep "${name}" | grep "${tag}")" == "" ]]; then
+ if [[ "$(docker images|grep "${id}")" == "" ]]; then
+ print_text_in_color "$ICyan" "[DEBUG] load ${id} ${name}:${tag} from ${imgPath}"
+ docker load -i "${imgPath}"
+ else
+ print_text_in_color "$ICyan" "[DEBUG] tag ${id} as ${name}:${tag}"
+ docker tag "${id}" "${name}":"${tag}"
+ fi
+ else
+ print_text_in_color "$ICyan" "[DEBUG] ${id} ${name}:${tag} already loaded"
+ fi
+ fi
+ done
+}
+
+# Save all docker images in one file
+check_command docker ps -a > "$DOCKERBACKUP"/dockerps.txt
+check_command docker images | sed '1d' | awk '{print $1 " " $2 " " $3}' > "$DOCKERBACKUP"/mydockersimages.list
+msg_box "The following images will be saved to $DOCKERBACKUP/images
+
+$(cat "$DOCKERBACKUP"/mydockersimages.list)
+
+It may take a while so please be patient."
+
+check_command save_images
+
+# Set overlay2
+print_text_in_color "$ICyan" "Setting overlay2 in /etc/docker/daemon.json"
+
+cat << OVERLAY2 > /etc/docker/daemon.json
+{
+ "storage-driver": "overlay2"
+}
+OVERLAY2
+rm -f /etc/systemd/system/docker.service
+systemctl restart docker.service
+print_text_in_color "$ICyan" "Reloading daemon"
+systemctl daemon-reload
+print_text_in_color "$ICyan" "Restarting the docker service"
+check_command systemctl restart docker.service
+apt-mark unhold docker-ce
+
+# Remove old cached versions to avoid failures on update to new version
+rm -Rf /var/cache/apt/archives/docker*
+rm -Rf /var/cache/apt/archives/container*
+rm -Rf /var/cache/apt/archives/aufs*
+
+# Upgrade docker to latest version
+rm -Rf /var/lib/docker
+apt update -q4 & spinner_loading
+apt upgrade docker-ce -y
+
+# Load docker images back
+print_text_in_color "$ICyan" "Importing saved docker images to overlay2..."
+check_command load_images
+msg_box "Your Docker images are now imported to overlay2, but not yet running.
+
+To start the images again, please run the appropriate 'docker run' command for each docker.
+These are all the imported docker images:
+$(cat "${DB_FILE}")
+
+You can also find the file with the imported docker images here:
+$DB_FILE
+
+If you experiance any issues, please report them to $ISSUES."
+rm -f "$DOCKERBACKUP"/mydockersimages.list
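Review bot: A failed `docker save` in `save_images` goes unnoticed, because `(time docker save ...) 2>&1 | grep real` returns grep's status, so `check_command save_images` passes and the script goes on to `rm -Rf /var/lib/docker` with an incomplete backup. Run the save outside the pipeline and stop on failure, e.g. `docker save -o "${imgPath}" "${name}:${tag}" || return 1`, and confirm that every `.dim` file listed in `${DB_FILE}` exists before the delete. Only images are exported; containers and named volumes under /var/lib/docker are removed without a copy, and the closing message should say so. `DOCKERBACKUP` is built from `$NCDATA` even when config.php is absent; whether lib.sh sets it is not visible here, so `: "${NCDATA:?}"` before `mkdir -p` would be a cheap guard.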
diff --git a/static/format-sda-nuc-server.sh b/static/format-sda-nuc-server.sh
new file mode 100644
index 00000000..da054586
--- /dev/null
+++ b/static/format-sda-nuc-server.sh
@@ -0,0 +1,159 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check if root
+root_check
+
+# Needs to be Ubuntu 18.04 and Multiverse
+check_distro_version
+check_multiverse
+
+MOUNT_=/mnt/$POOLNAME
+
+format() {
+# umount if mounted
+umount /mnt/* &> /dev/null
+
+# mkdir if not existing
+mkdir -p "$MOUNT_"
+
+DEVTYPE=sda
+
+# Get the name of the drive
+DISKTYPE=$(fdisk -l | grep $DEVTYPE | awk '{print $2}' | cut -d ":" -f1 | head -1)
+if [ "$DISKTYPE" != "/dev/$DEVTYPE" ]
+then
+msg_box "It seems like your $SYSNAME secondary volume (/dev/$DEVTYPE) does not exist.
+This script requires that you mount a second drive to hold the data.
+
+Please shutdown the server and mount a second drive, then start this script again.
+
+If you want help you can buy support in our shop:
+https://shop.hanssonit.se/product/premium-support-per-30-minutes/"
+exit 1
+fi
+
+# Check if ZFS utils are installed
+install_if_not zfsutils-linux
+
+# Check still not mounted
+#These functions return exit codes: 0 = found, 1 = not found
+isMounted() { findmnt -rno SOURCE,TARGET "$1" >/dev/null;} #path or device
+isDevMounted() { findmnt -rno SOURCE "$1" >/dev/null;} #device only
+isPathMounted() { findmnt -rno TARGET "$1" >/dev/null;} #path only
+isDevPartOfZFS() { zpool status | grep "$1" >/dev/null;} #device memeber of a zpool
+
+if isPathMounted "/mnt/ncdata"; #Spaces in path names are ok.
+then
+msg_box "/mnt/ncdata is mounted and need to be unmounted before you can run this script."
+ exit 1
+fi
+
+if isDevMounted "/dev/$DEVTYPE";
+then
+msg_box "/dev/$DEVTYPE is mounted and need to be unmounted before you can run this script."
+ exit 1
+fi
+
+# Universal:
+if isMounted "/mnt/ncdata";
+then
+msg_box "/mnt/ncdata is mounted and need to be unmounted before you can run this script."
+ exit 1
+fi
+
+if isMounted "/dev/${DEVTYPE}1";
+then
+msg_box "/dev/${DEVTYPE}1 is mounted and need to be unmounted before you can run this script."
+ exit 1
+fi
+
+if isDevPartOfZFS "$DEVTYPE";
+then
+msg_box "/dev/$DEVTYPE is a member of a ZFS pool and needs to be removed from any zpool before you can run this script."
+ exit 1
+fi
+
+if lsblk -l -n | grep -v mmcblk | grep disk | awk '{ print $1 }' | tail -1 > /dev/null
+then
+msg_box "Formatting your $SYSNAME secondary volume ($DISKTYPE) when you hit OK.
+
+*** WARNING: ALL YOUR DATA WILL BE ERASED! ***"
+ if zpool list | grep "$POOLNAME" > /dev/null
+ then
+ check_command zpool destroy "$POOLNAME"
+ fi
+ check_command wipefs -a -f "$DISKTYPE"
+ sleep 0.5
+ check_command zpool create -f -o ashift=12 "$POOLNAME" "$DISKTYPE"
+ check_command zpool set failmode=continue "$POOLNAME"
+ check_command zfs set mountpoint="$MOUNT_" "$POOLNAME"
+ check_command zfs set compression=lz4 "$POOLNAME"
+ check_command zfs set sync=standard "$POOLNAME"
+ check_command zfs set xattr=sa "$POOLNAME"
+ check_command zfs set primarycache=all "$POOLNAME"
+ check_command zfs set atime=off "$POOLNAME"
+ check_command zfs set recordsize=128k "$POOLNAME"
+ check_command zfs set logbias=latency "$POOLNAME"
+
+else
+msg_box "It seems like /dev/$DEVTYPE does not exist.
+This script requires that you mount a second drive to hold the data.
+
+Please shutdown the server and mount a second drive, then start this script again.
+
+If you want help you can buy support in our shop:
+https://shop.hanssonit.se/product/premium-support-per-30-minutes/"
+exit 1
+fi
+}
+format
+
+# Do a backup of the ZFS mount
+if is_this_installed libzfs2linux
+then
+ if grep -r $POOLNAME /etc/mtab
+ then
+ install_if_not zfs-auto-snapshot
+ sed -i "s|date --utc|date|g" /usr/sbin/zfs-auto-snapshot
+ fi
+fi
+
+# Check if UUID is used
+if zpool list -v | grep "$DEVTYPE"
+then
+ # Get UUID
+ check_command partprobe -s
+ if fdisk -l /dev/"$DEVTYPE"1 >/dev/null 2>&1
+ then
+ UUID_SDB1=$(blkid -o value -s UUID /dev/"DEVTYPE"1)
+ fi
+ # Export / import the correct way (based on UUID)
+ check_command zpool export "$POOLNAME"
+ check_command zpool import -d /dev/disk/by-uuid/"$UUID_SDB1" "$POOLNAME"
+fi
+
+# Success!
+if grep "$POOLNAME" /etc/mtab
+then
+msg_box "$MOUNT_ mounted successfully as a ZFS volume.
+
+Automatic scrubbing is done monthly via a cronjob that you can find here:
+/etc/cron.d/zfsutils-linux
+
+Automatic snapshots are taken with 'zfs-auto-snapshot'. You can list current snapshots with:
+'sudo zfs list -t snapshot'.
+Manpage is here:
+http://manpages.ubuntu.com/manpages/focal/man8/zfs-auto-snapshot.8.html
+
+CURRENT STATUS:
+$(zpool status $POOLNAME)
+
+$(zpool list)"
+fi
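Review bot: `UUID_SDB1=$(blkid -o value -s UUID /dev/"DEVTYPE"1)` is missing the `$`, so blkid is asked about the literal path /dev/DEVTYPE1 and `UUID_SDB1` stays empty; the pool is then exported and `zpool import -d /dev/disk/by-uuid/"$UUID_SDB1"` runs against the bare directory. It should read `UUID_SDB1=$(blkid -o value -s UUID "/dev/${DEVTYPE}1")`, with `[ -n "$UUID_SDB1" ] || exit 1` before `zpool export` so the pool is not exported without a usable identifier. Inside `format`, the condition `lsblk ... | tail -1 > /dev/null` takes tail's exit status and is effectively always true, so its else branch never protects the `wipefs -a -f "$DISKTYPE"` that follows.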
diff --git a/static/instruction.sh b/static/instruction.sh
new file mode 100644
index 00000000..384268c2
--- /dev/null
+++ b/static/instruction.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+VMLOGS=/var/log/nextcloud
+BIGreen='\e[1;92m' # Green
+IGreen='\e[0;92m' # Green
+Color_Off='\e[0m' # Text Reset
+
+clear
+cat << INST1
++-----------------------------------------------------------------------+
+| Welcome to the first setup of your own Nextcloud Server! :) |
+| |
+INST1
+echo -e "|" "${IGreen}To run the startup script type the sudoer password, then hit [ENTER].${Color_Off} |"
+echo -e "|" "${IGreen}The default sudoer password is: ${BIGreen}nextcloud${IGreen}${Color_Off} |"
+cat << INST2
+| |
+| You can find the complete install instructions here: |
+| Nextcloud VM = https://bit.ly/2S8eGfS |
+| Nextcloud Home/SME Server = https://bit.ly/2k2TNaM |
+| |
+| To be 100% sure that all the keystrokes work correctly (like @), |
+| please use an SSH terminal like Putty. You can download it here: |
+| https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html |
+| If you are running Windows 10 1809 or later, you can simply use SSH |
+| from the command prompt. |
+| Connect like this: ssh ncadmin@local.IP.of.this.server |
+| |
+| You can schedule the Nextcloud update process using a cron job. |
+| This is done using a script built into this server that automatically |
+| updates Nextcloud, sets secure permissions, and logs the successful |
+| update to $VMLOGS/update.log |
+| Just choose to configure it when asked to do so later in this script. |
+| |
+| ###################### T&M Hansson IT - $(date +"%Y") ###################### |
++-----------------------------------------------------------------------+
+INST2
+
+exit 0
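Review bot: The banner sends a first-time admin to the install instructions through `bit.ly` short links, which hide the destination and can be retargeted by whoever controls the short link; print the full documentation URLs instead. The banner also shows the default sudoer password `nextcloud`. Whether the startup script forces a change is not visible in this hunk, so a banner line stating that the password must be changed during setup would help.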
diff --git a/static/main_menu.sh b/static/main_menu.sh
new file mode 100644
index 00000000..0edc7a07
--- /dev/null
+++ b/static/main_menu.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Main menu
+choice=$(whiptail --title "Main Menu" --radiolist "Choose what you want to do.\nSelect by pressing the spacebar and ENTER\nYou can view this menu later by running 'sudo bash $SCRIPTS/menu.sh" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"Additional Apps" "(Choose which apps to install)" OFF \
+"Nextcloud Configuration" "(Choose between available Nextcloud configurations)" OFF \
+"Server Configuration" "(Choose between available server configurations)" OFF \
+"Update Nextcloud" "(Update Nextcloud to the latest release)" OFF 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ "Additional Apps")
+ if network_ok
+ then
+ run_script APP additional_apps
+ fi
+ ;;
+ "Nextcloud Configuration")
+ if network_ok
+ then
+ run_script STATIC nextcloud_configuration
+ fi
+ ;;
+ "Server Configuration")
+ if network_ok
+ then
+ run_script STATIC server_configuration
+ fi
+ ;;
+ "Update Nextcloud")
+ if [ -f $SCRIPTS/update.sh ]
+ then
+ bash $SCRIPTS/update.sh
+ else
+ if network_ok
+ then
+ download_script STATIC update
+ bash $SCRIPTS/update.sh
+ fi
+ fi
+ ;;
+ *)
+ ;;
+esac
+exit
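Review bot: `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` sources whatever the `master` branch serves at run time into a script that then requires root, with no pinned revision or integrity check, and without `-f` an HTTP error body is sourced as shell. The same line appears in docker_overlay2.sh, format-sda-nuc-server.sh, menu.sh, nextcloud_configuration.sh, prune_zfs_snaphots.sh and security.sh in this commit. Prefer the local copy first, as server_configuration.sh does with `/var/scripts/lib.sh`, and when fetching use a fixed revision and `-f`, e.g. `curl -fsSL https://raw.githubusercontent.com/nextcloud/vm/<PINNED_COMMIT>/lib.sh`, saved to a file whose download status is checked before it is sourced. `run_script` and `download_script` come from that library and are not visible here; the same concern presumably applies to the scripts they fetch.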
diff --git a/static/menu.sh b/static/menu.sh
new file mode 100644
index 00000000..7aedc84c
--- /dev/null
+++ b/static/menu.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+mkdir -p "$SCRIPTS"
+print_text_in_color "$ICyan" "Running the main menu script..."
+
+if network_ok
+then
+ # Delete, download, run
+ run_script STATIC main_menu
+fi
+
+exit
diff --git a/static/nextcloud.sh b/static/nextcloud.sh
new file mode 100644
index 00000000..26f4c09e
--- /dev/null
+++ b/static/nextcloud.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+WANIP6=$(curl -s -k -m 5 https://ipv6bot.whatismyipaddress.com)
+WANIP4=$(curl -s -k -m 5 https://ipv4bot.whatismyipaddress.com)
+ADDRESS=$(hostname -I | cut -d ' ' -f 1)
+
+clear
+figlet -f small Nextcloud
+echo "https://www.hanssonit.se/nextcloud-vm"
+echo
+echo
+echo "Hostname: $(hostname -s)"
+echo "WAN IPv4: $WANIP4"
+echo "WAN IPv6: $WANIP6"
+echo "LAN IPv4: $ADDRESS"
+echo
+exit 0
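Review bot: Both WAN lookups use `curl -s -k`, which turns off certificate verification, so anything on the network path can answer for whatismyipaddress.com and the reply is echoed to the console unchanged. Drop `-k` and accept only an address-shaped answer, e.g. `WANIP4=$(curl -s -m 5 https://ipv4bot.whatismyipaddress.com | grep -Eo '^[0-9.]+$')`, with `'^[0-9A-Fa-f:]+$'` for the IPv6 line.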
diff --git a/static/nextcloud_configuration.sh b/static/nextcloud_configuration.sh
new file mode 100644
index 00000000..a255606f
--- /dev/null
+++ b/static/nextcloud_configuration.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Configure Nextcloud
+choice=$(whiptail --title "Nextcloud Configuration" --checklist "Which settings do you want to configure?\nSelect by pressing the spacebar\nYou can view this menu later by running 'sudo bash $SCRIPTS/menu.sh'" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"CookieLifetime" "(Configure forced logout timeout for users using the web GUI)" OFF \
+"Share-folder" "(Shares from other users will appear in a folder named 'Shared')" OFF \
+"Disable workspaces" "(disable top notes in GUI)" OFF \
+"Disable user flows" "(Disable user settings for Nextcloud Flow)" OFF 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ *"CookieLifetime"*)
+ run_script STATIC cookielifetime
+ ;;&
+ *"Share-folder"*)
+ clear
+ msg_box "This option will make all Nextcloud shares from other users appear in a folder named 'Shared' in the Nextcloud GUI.\n\nIf you don't enable this option, all shares will appear directly in the Nextcloud GUI root folder, which is the default behaviour."
+ if [[ "yes" == $(ask_yes_or_no "Do you want to enable this option?") ]]
+ then
+ occ_command config:system:set share_folder --value="/Shared"
+ msg_box "All new Nextcloud shares from other users will appear in the 'Shared' folder from now on."
+ fi
+ ;;&
+ *"Disable workspaces"*)
+ msg_box "This option will will disable a feature named 'rich workspaces'. It will disable the top notes in GUI."
+ if [[ "yes" == $(ask_yes_or_no "Do you want to disable rich workspaces?") ]]
+ then
+ # Check if text is enabled
+ if ! is_app_enabled text
+ then
+ msg_box "The text app isn't enabled - unable to disable rich workspaces."
+ sleep 1
+ else
+ # Disable workspaces
+ occ_command config:app:set text workspace_available --value=0
+ msg_box "Rich workspaces are now disabled."
+ fi
+ fi
+ ;;&
+ *"Disable user flows"*)
+ # Greater than 18.0.3 is 18.0.4 which is required
+ if version_gt "$CURRENTVERSION" "18.0.3"
+ then
+ msg_box "This option will disable the with Nextcloud 18 introduced user flows. It will disable the user flow settings. Admin flows will continue to work."
+ if [[ "yes" == $(ask_yes_or_no "Do you want to disable user flows?") ]]
+ then
+ occ_command config:app:set workflowengine user_scope_disabled --value yes
+ msg_box "User flow settings are now disabled."
+ fi
+ else
+ msg_box "'Disable user flows' is only available on Nextcloud 18.0.4 and above.\nPlease upgrade by running 'sudo bash /var/scripts/update.sh'"
+ sleep 1
+ fi
+ ;;&
+ *)
+ ;;
+esac
+exit
diff --git a/static/nhss_index.php b/static/nhss_index.php
new file mode 100644
index 00000000..26e8367a
--- /dev/null
+++ b/static/nhss_index.php
@@ -0,0 +1,148 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+ <head>
+ <title>Nextcloud Home/SME Server</title>
+ <META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
+ <style type="text/css">
+ body {
+ background-color: #0082c9;
+ font-weight: 300;
+ font-size: 1em;
+ line-height: 1.6em;
+ font-family: 'Open Sans', Frutiger, Calibri, 'Myriad Pro', Myriad, sans-serif;
+ color: white;
+ height: auto;
+ margin-left: auto;
+ margin-right: auto;
+ align: center;
+ text-align: center;
+ background: #0082c9; /* Old browsers */
+ background-image: url('/nextcloud/core/img/background.png'), linear-gradient(10deg, #0082c9 0%, rgb(28, 175, 255) 50%);
+ background-size: cover;
+ }
+ div.logotext {
+ width: 50%;
+ margin: 0 auto;
+ }
+ div.logo {
+ background-image: url('/nextcloud/core/img/logo/logo.svg');
+ background-repeat: no-repeat; top center;
+ width: 50%;
+ height: 25%;
+ margin: 0 auto;
+ background-size: 40%;
+ margin-left: 40%;
+ margin-right: 20%;
+ }
+ pre {
+ padding:10pt;
+ width: 50%
+ text-align: center;
+ margin-left: 20%;
+ margin-right: 20%;
+ }
+ div.information {
+ align: center;
+ width: 50%;
+ margin: 10px auto;
+ display: block;
+ padding: 10px;
+ background-color: rgba(0,0,0,.3);
+ color: #fff;
+ text-align: left;
+ border-radius: 3px;
+ cursor: default;
+ }
+ /* unvisited link */
+ a:link {
+ color: #FFFFFF;
+ }
+ /* visited link */
+ a:visited {
+ color: #FFFFFF;
+ }
+ /* mouse over link */
+ a:hover {
+ color: #E0E0E0;
+ }
+ /* selected link */
+ a:active {
+ color: #E0E0E0;
+ }
+ </style>
+ </head>
+ <body>
+ <br>
+ <div class="logo"></div>
+ <div class="logotext">
+ <h2><a href="https://shop.hanssonit.se/product-category/nextcloud/home-sme-server/" target="_blank">Nextcloud Home/SME Server</a> - by <a href="https://www.hanssonit.se" target="_blank">T&M Hansson IT AB</a></h2>
+ </div>
+ <br>
+ <div class="information">
+ <p>Thank you for purchasing the Nextcloud Home/SME Server, you made a good choice! If you see this page, you have run the first setup, and you are now ready to start using Nextcloud on your new server. Congratulations! :)</p>
+ <p>We have set everything up for you and the only thing you have to do now is to login. You can find login details in the middle of this page.</p>
+ <p>Don't hesitate to ask if you have any questions. You can ask for help in our community <a href="https://help.nextcloud.com/c/support/appliances-docker-snappy-vm" target="_blank">support</a> channels, or <a href="https://shop.hanssonit.se/product/premium-support-per-30-minutes/" target="_blank">buy hands on support</a> from T&M Hansson IT AB. You can also check the <a href="https://docs.hanssonit.se/s/blkkp2qhv0jgrltpicl0/nextcloud-homesme-server" target="_blank">documentation</a>.</p>
+ </div>
+
+ <h2>Access Nextcloud</h2>
+
+ <div class="information">
+ <p>Use the following address:
+ <h3>
+ <ul>
+ <li><a href="https://<?=$_SERVER['SERVER_NAME'];?>/nextcloud">https://<?=$_SERVER['SERVER_NAME'];?></a> (HTTPS)
+ </ul>
+ </h3>
+ <p>Note: Please accept the warning in the browser if you have a self-signed certificate.<br>
+
+ <p>It's recomended to <a href="https://docs.hanssonit.se/s/blkkp2qhv0jgrltpicl0/nextcloud-homesme-server/d/blkkp2qhv0jgrltpidm0/publish-your-server-online" target="_blank">get your own certificate and replace the self-signed certificate to your own.</a>
+ The easiest way to get a real TLS certificate is to run the Lets' Encrypt script included on this server.<br>
+ Just run 'sudo bash /var/scripts/activate-tls.sh' from your terminal and follow the instructions.
+ <h3>
+ <a href="https://docs.hanssonit.se/s/blkkp2qhv0jgrltpicl0/nextcloud-homesme-server/d/blkkp2qhv0jgrltpid50/server-installation-instructions?currentPageId=blkkp2qhv0jgrltpidb0" target="_blank">Login details</a>
+ </h3>
+ </div>
+
+ <h2>Access Webmin</h2>
+
+ <div class="information">
+ <p>Use the following address:
+ <h3>
+ <ul>
+ <li><a href="https://<?=$_SERVER['SERVER_NAME'];?>:10000">https://<?=$_SERVER['SERVER_NAME'];?></a> (HTTPS)</li>
+ </ul>
+ </h3>
+ <p>Note: Please accept the warning in the browser if you have a self-signed certificate.<br>
+ <h3>
+ <a href="https://docs.hanssonit.se/s/blkkp2qhv0jgrltpicl0/nextcloud-homesme-server/d/blkkp2qhv0jgrltpid50/server-installation-instructions?currentPageId=blkkp2qhv0jgrltpidc0" target="_blank">Login details</a>
+ </h3>
+ <p>Note: To access Webmin externally you have to open port 10000 in your router, it's not recomended though due to security concerns.</p>
+ </div>
+
+ <h2>Access Adminer</h2>
+
+ <div class="information">
+ <p>Use one of the following addresses, HTTPS is preffered:
+ <h3>
+ <ul>
+ <li><a href="http://<?=$_SERVER['SERVER_NAME'];?>/adminer.php">http://<?=$_SERVER['SERVER_NAME'];?></a> (HTTP)</li>
+ <li><a href="https://<?=$_SERVER['SERVER_NAME'];?>/adminer.php">https://<?=$_SERVER['SERVER_NAME'];?></a> (HTTPS)</li>
+ </ul>
+ </h3>
+ <p>Note: Please accept the warning in the browser if you connect via HTTPS.</p>
+ <h3>
+ <a href="https://docs.hanssonit.se/s/blkkp2qhv0jgrltpicl0/nextcloud-homesme-server/d/blkkp2qhv0jgrltpid50/server-installation-instructions?currentPageId=blkkp2qhv0jgrltpidcg" target="_blank">Login details</a>
+ </h3>
+ <p>Note: Your LAN IP is set as approved in /etc/apache2/conf-available/adminer.conf, all other access is forbidden.</p>
+ </div>
+
+ <h2>Follow us on Social Media</h2>
+
+ <div class="information">
+ <p>If you want to get the latest news and updates, please consider following us! We are very active on Twitter, and post some videos from time to time on Youtube. It might be worth checking out. ;)</p>
+ </div>
+ <p><b><a href="https://twitter.com/tmhanssonit" class="twitter-follow-button" data-show-count="false" target="_blank">Follow @tmhanssonit</a><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></b></p>
+ <script src="https://apis.google.com/js/platform.js"></script>
+ <div class="g-ytsubscribe" data-channelid="UCLXe8RpVdOsoapYM9_GcrfA" data-layout="full" data-count="default"></div>
+ </body>
+</html>
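Review bot: `<?=$_SERVER['SERVER_NAME'];?>` is printed unescaped into `href` attributes and link text in the Nextcloud, Webmin and Adminer blocks. Depending on the web server's canonical-name settings that value can follow the client's Host header, so it should be treated as untrusted input: `<?= htmlspecialchars($_SERVER['SERVER_NAME'], ENT_QUOTES, 'UTF-8') ?>`. Assigning the escaped value to one variable at the top of the file would avoid repeating the call in all eight places.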
diff --git a/static/prune_zfs_snaphots.sh b/static/prune_zfs_snaphots.sh
new file mode 100644
index 00000000..69978c9b
--- /dev/null
+++ b/static/prune_zfs_snaphots.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+if [ -d $NCDATA ]
+then
+ if is_this_installed zfs-auto-snapshot
+ then
+ if [ "$(df -h $NCDATA | awk '{print $5}' | tail -1 | cut -d "%" -f1)" -gt 70 ]
+ then
+ # Notify user
+ notify_admin_gui \
+ "Disk space almost full!" \
+ "The disk space for ncdata is almost full. We have automatically deleted ZFS snapshots older than 4 weeks and cleaned up your trashbin to free up some space and avoid a fatal crash. Please check $VMLOGS/zfs_prune.log for the results."
+ # On screen information
+msg_box "Your disk space is almost full (more than 70%).
+
+To solve that, we will now delete ZFS snapshots older than 4 weeks
+
+The script will also delete everything in trashbin for all users to free up some space."
+ countdown "To abort, please press CTRL+C within 10 seconds." 10
+ print_text_in_color "$IGreen" "Freeing some space... This might take a while, please don't abort."
+ # Get the latest prune script
+ if [ -f $SCRIPTS/zfs-prune-snapshots ]
+ then
+ rm -f "$SCRIPTS"/zfs-prune-snapshots
+ download_script STATIC zfs-prune-snapshots
+ elif [ ! -f $SCRIPTS/zfs-prune-snapshots.sh ]
+ then
+ download_script STATIC zfs-prune-snapshots
+ fi
+ check_command chmod +x "$SCRIPTS"/zfs-prune-snapshots.sh
+ # Prune!
+ cd "$SCRIPTS"
+ if [ ! -d "$VMLOGS" ]
+ then
+ mkdir -p "$VMLOGS"
+ fi
+ touch $VMLOGS/zfs_prune.log
+ ./zfs-prune-snapshots.sh 4w ncdata >> $VMLOGS/zfs_prune.log
+ occ_command trashbin:cleanup --all-users >> $VMLOGS/zfs_prune.log
+ fi
+ fi
+fi
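Review bot: `[ -d $NCDATA ]` and `df -h $NCDATA` are unquoted, and with an empty `$NCDATA` the test collapses to `[ -d ]`, which is true, while `df -h` then reports every filesystem and `tail -1` picks whichever comes last. That figure decides whether snapshots are pruned and every user's trashbin is emptied, so quote both: `if [ -d "$NCDATA" ]` and `df -h "$NCDATA"`. `cd "$SCRIPTS"` should also be `cd "$SCRIPTS" || exit 1`, since the next command executes `./zfs-prune-snapshots.sh` relative to the current directory as root.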
diff --git a/static/recover_apps.py b/static/recover_apps.py
new file mode 100644
index 00000000..8ff4f0f4
--- /dev/null
+++ b/static/recover_apps.py
@@ -0,0 +1,16 @@
+import glob, json, os, subprocess, requests
+
+nc_path = '/var/www/nextcloud/apps/'
+backup_path = '/var/NCBACKUP/apps/'
+shipped_url = 'http://raw.githubusercontent.com/nextcloud/server/master/core/shipped.json'
+
+json_data = requests.get(shipped_url, timeout=60).json()
+shipped_apps = json_data['shippedApps'] + json_data['alwaysEnabled']
+
+installed_dirs = set(os.path.basename(path) for path in glob.glob(backup_path + '*'))
+missing_dirs = installed_dirs.difference(shipped_apps)
+
+for d in missing_dirs:
+# subprocess.call(['rsync', '-Aax', os.path.join(backup_path, d), nc_path])
+# subprocess.call(['sudo', '-u', 'www-data', '/var/www/nextcloud/occ', 'app:enable', d])
+ subprocess.call(['sudo', '-u', 'www-data', '/var/www/nextcloud/occ', 'app:install', d])
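Review bot: `shipped_url` uses `http://`, so the list that decides which backed-up app directories are passed to `occ app:install` is fetched in cleartext and can be altered in transit, and the response status is never checked before `.json()`. Use `shipped_url = 'https://raw.githubusercontent.com/nextcloud/server/master/core/shipped.json'` and call `raise_for_status()` on the response before parsing it.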
diff --git a/static/security.sh b/static/security.sh
new file mode 100644
index 00000000..701eaa1b
--- /dev/null
+++ b/static/security.sh
@@ -0,0 +1,121 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# REMOVE disable of SC2154 WHEN PUTTING SPAMHAUS IN PRODUCTION (it's just to fixing travis for now)
+# shellcheck disable=2034,2059,SC2154
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+print_text_in_color "$ICyan" "Installing Extra Security..."
+
+# Based on: http://www.techrepublic.com/blog/smb-technologist/secure-your-apache-server-from-ddos-slowloris-and-dns-injection-attacks/
+
+# Protect against DDOS
+apt update -q4 & spinner_loading
+apt -y install libapache2-mod-evasive
+mkdir -p /var/log/apache2/evasive
+chown -R www-data:root /var/log/apache2/evasive
+if [ ! -f "$ENVASIVE" ]
+then
+ touch "$ENVASIVE"
+ cat << ENVASIVE > "$ENVASIVE"
+DOSHashTableSize 2048
+DOSPageCount 20 # maximum number of requests for the same page
+DOSSiteCount 300 # total number of requests for any object by the same client IP on the same listener
+DOSPageInterval 1.0 # interval for the page count threshold
+DOSSiteInterval 1.0 # interval for the site count threshold
+DOSBlockingPeriod 10.0 # time that a client IP will be blocked for
+DOSLogDir
+ENVASIVE
+fi
+
+# Protect against Slowloris
+#apt -y install libapache2-mod-qos
+a2enmod reqtimeout # http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
+
+# Don't enable SpamHaus now as it's now working anyway
+# REMOVE disable of SC2154 WHEN PUTTING SPAMHAUS IN PRODUCTION (it's just to fixing travis for now)
+exit
+
+# Protect against DNS Injection
+# Insipired by: https://www.c-rieger.de/nextcloud-13-nginx-installation-guide-for-ubuntu-18-04-lts/#spamhausproject
+
+# shellcheck disable=SC2016
+DATE='$(date +%Y-%m-%d)'
+cat << SPAMHAUS_ENABLE > "$SCRIPTS/spamhaus_cronjob.sh"
+#!/bin/bash
+# Thanks to @ank0m
+EXEC_DATE='date +%Y-%m-%d'
+SPAMHAUS_DROP="/usr/local/src/drop.txt"
+SPAMHAUS_eDROP="/usr/local/src/edrop.txt"
+URL="https://www.spamhaus.org/drop/drop.txt"
+eURL="https://www.spamhaus.org/drop/edrop.txt"
+DROP_ADD_TO_UFW="/usr/local/src/DROP2.txt"
+eDROP_ADD_TO_UFW="/usr/local/src/eDROP2.txt"
+DROP_ARCHIVE_FILE="/usr/local/src/DROP_{$EXEC_DATE}"
+eDROP_ARCHIVE_FILE="/usr/local/src/eDROP_{$EXEC_DATE}"
+# All credits for the following BLACKLISTS goes to "The Spamhaus Project" - https://www.spamhaus.org
+echo "Start time: $(date)"
+echo " "
+echo "Download daily DROP file:"
+curl -fsSL "$URL" > $SPAMHAUS_DROP
+grep -v '^;' $SPAMHAUS_DROP | cut -d ' ' -f 1 > $DROP_ADD_TO_UFW
+echo " "
+echo "Extract DROP IP addresses and add to UFW:"
+cat $DROP_ADD_TO_UFW | while read line
+do
+/usr/sbin/ufw insert 1 deny from "$line" comment 'DROP_Blacklisted_IPs'
+done
+echo " "
+echo "Downloading eDROP list and import to UFW"
+echo " "
+echo "Download daily eDROP file:"
+curl -fsSL "$eURL" > $SPAMHAUS_eDROP
+grep -v '^;' $SPAMHAUS_eDROP | cut -d ' ' -f 1 > $eDROP_ADD_TO_UFW
+echo " "
+echo "Extract eDROP IP addresses and add to UFW:"
+cat $eDROP_ADD_TO_UFW | while read line
+do
+/usr/sbin/ufw insert 1 deny from "$line" comment 'eDROP_Blacklisted_IPs'
+done
+echo " "
+#####
+## To remove or revert these rules, keep the list of IPs!
+## Run a command like so to remove the rules:
+# while read line; do ufw delete deny from $line; done < $ARCHIVE_FILE
+#####
+echo "Backup DROP IP address list:"
+mv $DROP_ADD_TO_UFW $DROP_ARCHIVE_FILE
+echo " "
+echo "Backup eDROP IP address list:"
+mv $eDROP_ADD_TO_UFW $eDROP_ARCHIVE_FILE
+echo " "
+echo End time: $(date)
+SPAMHAUS_ENABLE
+
+# Make the file executable
+chmod +x "$SCRIPTS"/spamhaus_cronjob.sh
+
+# Add it to crontab
+(crontab -l ; echo "10 2 * * * $SCRIPTS/spamhaus_crontab.sh 2>&1") | crontab -u root -
+
+# Run it for the first time
+check_command bash "$SCRIPTS"/spamhaus_cronjob.sh
+
+# Enable $SPAMHAUS
+if sed -i "s|#MS_WhiteList /etc/spamhaus.wl|MS_WhiteList $SPAMHAUS|g" /etc/apache2/mods-enabled/spamhaus.conf
+then
+ print_text_in_color "$IGreen" "Security added!"
+ restart_webserver
+fi
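Review bot: The config written to `$ENVASIVE` ends with a bare `DOSLogDir`, although `/var/log/apache2/evasive` is created a few lines earlier, and every directive carries a trailing `# ...` comment, which Apache does not accept on the same line as a directive (assuming `$ENVASIVE` is loaded as Apache configuration; its path is not visible here). Give the directive its path and move the comments onto their own lines, as below. In the section after `exit`, which is currently unreachable, the cron entry runs `spamhaus_crontab.sh` while the file written is `spamhaus_cronjob.sh`. The unquoted `<< SPAMHAUS_ENABLE` also expands `$URL`, `$line` and `$(date)` when the file is generated instead of when it runs; quoting the delimiter would fix that.

```shell
    cat << ENVASIVE > "$ENVASIVE"
DOSHashTableSize 2048
# maximum number of requests for the same page
DOSPageCount 20
# total number of requests for any object by the same client IP on the same listener
DOSSiteCount 300
# interval for the page count threshold
DOSPageInterval 1.0
# interval for the site count threshold
DOSSiteInterval 1.0
# time that a client IP will be blocked for
DOSBlockingPeriod 10.0
DOSLogDir /var/log/apache2/evasive
ENVASIVE
# … unchanged: reqtimeout and the disabled SpamHaus section …
```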
diff --git a/static/server_configuration.sh b/static/server_configuration.sh
new file mode 100644
index 00000000..b2d797d9
--- /dev/null
+++ b/static/server_configuration.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# Use local lib file in case there is no internet connection
+if [ -f /var/scripts/lib.sh ]
+then
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+source /var/scripts/lib.sh
+ # If we have internet, then use the latest variables from the lib remote file
+elif printf "Testing internet connection..." && ping github.com -c 2
+then
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+else
+ printf "You don't seem to have a working internet connection, and /var/scripts/lib.sh is missing so you can't run this script."
+ printf "Please report this to https://github.com/nextcloud/vm/issues/"
+ exit 1
+fi
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Server configurations
+choice=$(whiptail --title "Server configurations" --checklist "Choose what you want to configure\nSelect by pressing the spacebar\nYou can view this menu later by running 'sudo bash $SCRIPTS/menu.sh'" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"Activate TLS" "(Enable HTTPS with Let's Encrypt)" ON \
+"Security" "(Add extra security based on this http://goo.gl/gEJHi7)" OFF \
+"Static IP" "(Set static IP in Ubuntu with netplan.io)" OFF \
+"Disk Check" "(Check for S.M.A.R.T errors on your disks every week on Mondays)" OFF \
+"Automatic updates" "(Automatically update your server every week on Sundays)" OFF 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ *"Disk Check"*)
+ clear
+ run_script ADDONS smartctl
+ ;;&
+ *"Security"*)
+ clear
+ run_script STATIC security
+ ;;&
+ *"Static IP"*)
+ clear
+ run_script STATIC static_ip
+ ;;&
+ *"Automatic updates"*)
+ clear
+ run_script STATIC automatic_updates
+ ;;&
+ *"Activate TLS"*)
+ clear
+msg_box "The following script will install a trusted
+TLS certificate through Let's Encrypt.
+It's recommended to use TLS (https) together with Nextcloud.
+Please open port 80 and 443 to this servers IP before you continue.
+More information can be found here:
+https://www.techandme.se/open-port-80-443/"
+
+ if [[ "yes" == $(ask_yes_or_no "Do you want to install TLS?") ]]
+ then
+ if [ -f $SCRIPTS/activate-tls.sh ]
+ then
+ bash $SCRIPTS/activate-tls.sh
+ else
+ download_script LETS_ENC activate-tls
+ bash $SCRIPTS/activate-tls.sh
+ fi
+ else
+ echo
+ print_text_in_color "$ICyan" "OK, but if you want to run it later, just type: sudo bash $SCRIPTS/activate-tls.sh"
+ any_key "Press any key to continue..."
+ fi
+
+ # Just make sure they are gone
+ rm -f "$SCRIPTS/test-new-config.sh"
+ rm -f "$SCRIPTS/activate-tls.sh"
+ clear
+ ;;&
+ *)
+ ;;
+esac
+exit
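Review bot: The fallback `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` sources whatever the `master` branch serves at run time, with no pinned revision or checksum, in a script that then requires root. Because `-s` is used without `-f` and process substitution hides curl's exit status, a failed or error-page response is sourced silently, and the script carries on with `debug_mode`, `root_check` and `$SCRIPTS` undefined. Consider downloading to a `mktemp` file with `curl -fsSL`, checking the exit status before sourcing, and pinning the URL to a reviewed commit, e.g. `.../nextcloud/vm/<PINNED_COMMIT>/lib.sh` (placeholder). The same line runs unconditionally in setup_secure_permissions_nextcloud.sh, temporary-fix.sh, update.sh and updatenotification.sh in this commit.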
diff --git a/static/setup_secure_permissions_nextcloud.sh b/static/setup_secure_permissions_nextcloud.sh
new file mode 100644
index 00000000..1e81a53a
--- /dev/null
+++ b/static/setup_secure_permissions_nextcloud.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059,2012
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+htuser='www-data'
+htgroup='www-data'
+rootuser='root'
+
+# Only check for existing datadir if Nextcloud is installed
+if [ -f "$NCPATH"/config/config.php ]
+then
+ NCDATA="$(grep 'datadir' "$NCPATH"/config/config.php | awk '{print $3}' | cut -d "'" -f2)"
+fi
+
+print_text_in_color "$IGreen" "Setting secure permissions..."
+print_text_in_color "$ICyan" "Creating possible missing Directories"
+mkdir -p "$NCPATH"/data
+mkdir -p "$NCPATH"/updater
+mkdir -p "$VMLOGS"
+mkdir -p "$NCDATA"
+
+if ! [ -f "$VMLOGS/nextcloud.log" ]
+then
+ touch "$VMLOGS/nextcloud.log"
+fi
+
+if ! [ -f "$VMLOGS/audit.log" ]
+then
+ touch "$VMLOGS/audit.log"
+fi
+
+print_text_in_color "$ICyan" "chmod Files and Directories"
+find "${NCPATH}"/ -type f -print0 | xargs -0 chmod 0640
+find "${VMLOGS}"/audit.log -type f -print0 | xargs -0 chmod 0640
+find "${NCPATH}"/ -type d -print0 | xargs -0 chmod 0750
+find "${VMLOGS}"/ -type d -print0 | xargs -0 chmod 0750
+find "${VMLOGS}"/nextcloud.log -type f -print0 | xargs -0 chmod 0640
+
+print_text_in_color "$ICyan" "chown Directories"
+chown "${htuser}":"${htgroup}" "${VMLOGS}"/
+chown "${htuser}":"${htgroup}" "${VMLOGS}"/nextcloud.log
+chown "${htuser}":"${htgroup}" "${VMLOGS}"/audit.log
+chown -R "${rootuser}":"${htgroup}" "${NCPATH}"/
+chown -R "${htuser}":"${htgroup}" "${NCPATH}"/apps/
+chown -R "${htuser}":"${htgroup}" "${NCPATH}"/config/
+chown -R "${htuser}":"${htgroup}" "${NCPATH}"/themes/
+chown -R "${htuser}":"${htgroup}" "${NCPATH}"/updater/
+if ! [ "$(ls -ld "${NCDATA}" | awk '{print$3$4}')" == "${htuser}""${htgroup}" ]
+then
+ chown -R "${htuser}":"${htgroup}" "${NCDATA}"/
+fi
+
+chmod +x "${NCPATH}"/occ
+
+print_text_in_color "$ICyan" "chmod/chown .htaccess"
+if [ -f "${NCPATH}"/.htaccess ]
+then
+ chmod 0644 "${NCPATH}"/.htaccess
+ chown "${rootuser}":"${htgroup}" "${NCPATH}"/.htaccess
+fi
+if [ -f "${NCDATA}"/.htaccess ]
+then
+ chmod 0644 "${NCDATA}"/.htaccess
+ chown "${rootuser}":"${htgroup}" "${NCDATA}"/.htaccess
+fi
+
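Review bot: Nothing checks that `$NCPATH`, `$VMLOGS` and `$NCDATA` are non-empty before the recursive `find … | xargs -0 chmod` and `chown -R` calls. If lib.sh fails to load (it is fetched with `curl -sL` and the result is never checked) or the `datadir` lookup returns an empty string, `"${NCPATH}"/` and `"${NCDATA}"/` expand to `/`. The `ls -ld` comparison in front of `chown -R … "${NCDATA}"/` does not prevent this, because `ls -ld ""` prints nothing and the inequality then holds. Add a guard before the first `mkdir`, e.g. `: "${NCPATH:?}" "${VMLOGS:?}" "${NCDATA:?}"`, so the script aborts instead of changing modes and ownership from the filesystem root.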
diff --git a/static/temporary-fix.sh b/static/temporary-fix.sh
new file mode 100644
index 00000000..a84589b7
--- /dev/null
+++ b/static/temporary-fix.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+exit
diff --git a/static/update.sh b/static/update.sh
new file mode 100644
index 00000000..d14aa8bd
--- /dev/null
+++ b/static/update.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+mkdir -p "$SCRIPTS"
+
+if [ "${1}" = "minor" ]
+then
+ echo "$((NCMAJOR-1))" > /tmp/minor.version
+elif [ "${1}" = "beta" ]
+then
+ echo "beta" > /tmp/prerelease.version
+elif [[ "${1}" == *"RC"* ]]
+then
+ echo "${1}" > /tmp/prerelease.version
+fi
+
+# Delete, download, run
+run_script GITHUB_REPO nextcloud_update
+
+exit
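Review bot: The update mode is handed over through fixed names in the world-writable `/tmp` (`/tmp/minor.version`, `/tmp/prerelease.version`), written as root. Any local account can create those paths beforehand, so the file the updater later reads may be stale or planted, and how the redirect treats a pre-existing link depends on the kernel's hardening settings. The `*"RC"*` branch also writes `"${1}"` verbatim, so anything containing "RC" is passed along unvalidated. Keeping the markers in a directory only root can write, e.g. `echo "$((NCMAJOR-1))" > "$SCRIPTS/minor.version"` (assuming `$SCRIPTS` is root-owned), would avoid this; the reader in nextcloud_update is outside this hunk and would need the same path change.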
diff --git a/static/updatenotification.sh b/static/updatenotification.sh
new file mode 100644
index 00000000..f8b4c0b5
--- /dev/null
+++ b/static/updatenotification.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+print_text_in_color "$ICyan" "Checking for new Nextcloud version..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+NCMIN=$(curl -s -m 900 $NCREPO/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | sort --version-sort | grep "${CURRENTVERSION%%.*}" | tail -1)
+REPORTEDMAJ="$CURRENTVERSION"
+REPORTEDMIN="$CURRENTVERSION"
+
+if [ "$CURRENTVERSION" == "$NCVERSION" ] && [ "$CURRENTVERSION" == "$NCMIN" ]
+then
+ print_text_in_color "$IGreen" "You already run the latest version! ($NCVERSION)"
+ exit
+fi
+
+if [ "$REPORTEDMAJ" == "$NCVERSION" ] && [ "$REPORTEDMIN" == "$NCMIN" ]
+then
+ print_text_in_color "$ICyan" "The notification regarding the new Nextcloud update has been already reported!"
+ exit
+fi
+
+if [ "$NCVERSION" == "$NCMIN" ] && version_gt "$NCMIN" "$REPORTEDMIN" && version_gt "$NCMIN" "$CURRENTVERSION"
+then
+ sed -i "s|^REPORTEDMAJ.*|REPORTEDMAJ=$NCVERSION|" $SCRIPTS/updatenotification.sh
+ sed -i "s|^REPORTEDMIN.*|REPORTEDMIN=$NCMIN|" $SCRIPTS/updatenotification.sh
+ if crontab -l -u root | grep -q $SCRIPTS/update.sh
+ then
+ notify_admin_gui \
+ "New minor Nextcloud Update!" \
+ "Nextcloud $NCMIN just became available. Since you are running Automatic Updates on Saturdays at $AUT_UPDATES_TIME:00, you don't need to bother about updating the server to minor Nextcloud versions manually, as that's already taken care of."
+ else
+ notify_admin_gui \
+ "New minor Nextcloud Update!" \
+ "Nextcloud $NCMIN just became available. Please run 'sudo bash /var/scripts/update.sh minor' from your CLI to update your server to Nextcloud $NCMIN."
+ fi
+ exit
+fi
+
+if version_gt "$NCMIN" "$REPORTEDMIN" && version_gt "$NCMIN" "$CURRENTVERSION"
+then
+ sed -i "s|^REPORTEDMIN.*|REPORTEDMIN=$NCMIN|" $SCRIPTS/updatenotification.sh
+ if crontab -l -u root | grep -q $SCRIPTS/update.sh
+ then
+ notify_admin_gui \
+ "New minor Nextcloud Update!" \
+ "Nextcloud $NCMIN just became available. Since you are running Automatic Updates on Saturdays at $AUT_UPDATES_TIME:00, you don't need to bother about updating the server to minor Nextcloud versions manually, as that's already taken care of."
+ else
+ notify_admin_gui \
+ "New minor Nextcloud Update!" \
+ "Nextcloud $NCMIN just became available. Please run 'sudo bash /var/scripts/update.sh minor' from your CLI to update your server to Nextcloud $NCMIN."
+ fi
+fi
+
+if version_gt "$NCVERSION" "$REPORTEDMAJ" && version_gt "$NCVERSION" "$CURRENTVERSION"
+then
+ sed -i "s|^REPORTEDMAJ.*|REPORTEDMAJ=$NCVERSION|" $SCRIPTS/updatenotification.sh
+ notify_admin_gui \
+ "New major Nextcloud Update!" \
+ "Nextcloud $NCVERSION just became available. Please run 'sudo bash /var/scripts/update.sh' from your CLI to update your server to Nextcloud $NCVERSION."
+fi
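Review bot: `NCMIN` is scraped from a remote HTML listing with the loose capture `[^"]\+` and then interpolated into `sed -i "s|^REPORTEDMIN.*|REPORTEDMIN=$NCMIN|" $SCRIPTS/updatenotification.sh`, which rewrites this very script, and the script is run as root. Whether `version_gt` rejects odd values cannot be seen from this hunk, so validate the value right after the `curl` line, e.g. `[[ "$NCMIN" =~ ^[0-9]+(\.[0-9]+)*$ ]] || exit 1`, loosening the pattern only if pre-release names must pass. The filter `grep "${CURRENTVERSION%%.*}"` is unanchored, so a major such as `1` also matches `21.0.1`; anchoring it as `grep "^${CURRENTVERSION%%.*}\."` keeps the lookup within the current major. `$NCREPO` and `$SCRIPTS` should also be quoted in the `curl`, `sed` and `grep -q` calls.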
diff --git a/static/zfs-prune-snapshots.sh b/static/zfs-prune-snapshots.sh
new file mode 100644
index 00000000..beaf2ec5
--- /dev/null
+++ b/static/zfs-prune-snapshots.sh
@@ -0,0 +1,186 @@
+#!/usr/bin/env bash
+#
+# script to prune zfs snapshots over a given age
+#
+# Author: Dave Eddy <dave@daveeddy.com>
+# Date: November 20, 2015
+# License: MIT
+# https://raw.githubusercontent.com/bahamas10/zfs-prune-snapshots/master/zfs-prune-snapshots
+
+VERSION='v1.1.0'
+
+usage() {
+ local prog=${0##*/}
+ cat <<-EOF
+ usage: $prog [-hnv] [-p <prefix>] [-s <suffix>] <time> [[dataset1] ...]
+
+ remove snapshots from one or more zpools that match given criteria
+
+ examples
+ # $prog 1w
+ remove snapshots older than a week across all zpools
+
+ # $prog -vn 1w
+ same as above, but with increased verbosity and without
+ actually deleting any snapshots (dry-run)
+
+ # $prog 3w tank1 tank2/backup
+ remove snapshots older than 3 weeks on tank1 and tank2/backup.
+ note that this script will recurse through *all* of tank1 and
+ *all* datasets below tank2/backup
+
+ # $prog -p 'autosnap_' 1M zones
+ remove snapshots older than a month on the zones pool that start
+ with the string "autosnap_"
+
+ # $prog -s '_frequent' 2M tank
+ remove snapshots older than two months on the tank pool that end
+ with the string "_frequent"
+
+ timespec
+ the first argument denotes how old a snapshot must be for it to
+ be considered for deletion - possible specifiers are
+
+ s seconds
+ m minutes
+ h hours
+ d days
+ w weeks
+ M months
+ y years
+
+ options
+ -h print this message and exit
+ -n dry-run, don't actually delete snapshots
+ -p <prefix> snapshot prefix string to match
+ -s <suffix> snapshot suffix string to match
+ -q quiet, do not printout removed snapshots
+ -v increase verbosity
+ -V print the version number and exit
+ EOF
+}
+
+debug() {
+ ((verbosity >= 1)) && echo "$@"
+ return 0
+}
+
+# given a time in seconds, return the "human readable" string
+human() {
+ local seconds=$1
+ if ((seconds < 0)); then
+ ((seconds *= -1))
+ fi
+
+ local times=(
+ $((seconds / 60 / 60 / 24 / 365)) # years
+ $((seconds / 60 / 60 / 24 / 30)) # months
+ $((seconds / 60 / 60 / 24 / 7)) # weeks
+ $((seconds / 60 / 60 / 24)) # days
+ $((seconds / 60 / 60)) # hours
+ $((seconds / 60)) # minutes
+ $((seconds)) # seconds
+ )
+ local names=(year month week day hour minute second)
+
+ local i
+ for ((i = 0; i < ${#names[@]}; i++)); do
+ if ((${times[$i]} > 1)); then
+ echo "${times[$i]} ${names[$i]}s"
+ return
+ elif ((${times[$i]} == 1)); then
+ echo "${times[$i]} ${names[$i]}"
+ return
+ fi
+ done
+ echo '0 seconds'
+}
+
+dryrun=false
+verbosity=0
+prefix=
+suffix=
+quiet=false
+while getopts 'hnqp:s:vV' option; do
+ case "$option" in
+ h) usage; exit 0;;
+ n) dryrun=true;;
+ p) prefix=$OPTARG;;
+ s) suffix=$OPTARG;;
+ q) quiet=true;;
+ v) ((verbosity++));;
+ V) echo "$VERSION"; exit 0;;
+ *) usage; exit 1;;
+ esac
+done
+shift "$((OPTIND - 1))"
+
+# extract the first argument - the timespec - and
+# convert it to seconds
+t=$1
+time_re='^([0-9]+)([smhdwMy])$'
+seconds=
+if [[ $t =~ $time_re ]]; then
+ # ex: "21d" becomes num=21 spec=d
+ num=${BASH_REMATCH[1]}
+ spec=${BASH_REMATCH[2]}
+
+ case "$spec" in
+ s) seconds=$((num));;
+ m) seconds=$((num * 60));;
+ h) seconds=$((num * 60 * 60));;
+ d) seconds=$((num * 60 * 60 * 24));;
+ w) seconds=$((num * 60 * 60 * 24 * 7));;
+ M) seconds=$((num * 60 * 60 * 24 * 30));;
+ y) seconds=$((num * 60 * 60 * 24 * 365));;
+ *) echo "error: unknown spec '$spec'" >&2; exit 1;;
+ esac
+elif [[ -z $t ]]; then
+ echo 'error: timespec must be specified as the first argument' >&2
+ exit 1
+else
+ echo "error: failed to parse timespec '$t'" >&2
+ exit 1
+fi
+
+shift
+pools=("$@")
+
+now=$(date +%s)
+code=0
+while read -r creation snapshot; do
+ # ensure optional prefix matches
+ snapname=${snapshot#*@}
+ if [[ -n $prefix && $prefix != "${snapname:0:${#prefix}}" ]]; then
+ debug "skipping $snapshot: doesn't match prefix $prefix"
+ continue
+ fi
+
+ # ensure optional suffix matches
+ if [[ -n $suffix && $suffix != "${snapname: -${#suffix}}" ]]; then
+ debug "skipping $snapshot: doesn't match suffix $suffix"
+ continue
+ fi
+
+ # ensure snapshot is older than the cutoff time
+ delta=$((now - creation))
+ human=$(human "$delta")
+ if ((delta <= seconds)); then
+ debug "skipping $snapshot: $human old"
+ continue
+ fi
+
+ # remove the snapshot
+ if ! $quiet || $dryrun; then
+ echo -n "removing $snapshot: $human old"
+ fi
+ if $dryrun; then
+ echo ' <dry-run: no action taken>'
+ else
+ if ! $quiet; then
+ echo
+ fi
+ zfs destroy "$snapshot" || code=1
+ fi
+done < <(zfs list -Hpo creation,name -t snapshot -r "${pools[@]}")
+exit "$code"