Diffstat (limited to 'static')
-rw-r--r--static/adduser.sh39
-rw-r--r--static/apps.sh28
-rw-r--r--static/automatic_updates.sh43
-rw-r--r--static/change-root-profile.sh9
-rw-r--r--static/configuration.sh28
-rw-r--r--static/cookielifetime.sh70
-rw-r--r--static/docker_overlay2.sh167
-rw-r--r--static/format-sda-nuc-server.sh159
-rw-r--r--static/instruction.sh41
-rw-r--r--static/main_menu.sh60
-rw-r--r--static/menu.sh28
-rw-r--r--static/nextcloud.sh19
-rw-r--r--static/nextcloud_configuration.sh74
-rw-r--r--static/nhss_index.php148
-rw-r--r--static/prune_zfs_snaphots.sh58
-rw-r--r--static/recover_apps.py16
-rw-r--r--static/security.sh121
-rw-r--r--static/server_configuration.sh91
-rw-r--r--static/setup_secure_permissions_nextcloud.sh80
-rw-r--r--static/temporary-fix.sh19
-rw-r--r--static/update.sh35
-rw-r--r--static/updatenotification.sh76
-rw-r--r--static/zfs-prune-snapshots.sh186
23 files changed, 1593 insertions, 2 deletions
diff --git a/static/adduser.sh b/static/adduser.sh
new file mode 100644
index 00000000..2e58ca8a
--- /dev/null
+++ b/static/adduser.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+if [[ $UNIXUSER != "ncadmin" ]]
+then
+msg_box "Current user with sudo permissions is: $UNIXUSER.
+This script will set up everything with that user.
+If the field after ':' is blank you are probably running as a pure root user.
+It's possible to install with root, but there will be minor errors.
+
+Please create a user with sudo permissions if you want an optimal installation.
+The preferred user is 'ncadmin'."
+ if [[ "no" == $(ask_yes_or_no "Do you want to create a new user?") ]]
+ then
+ print_text_in_color "$ICyan" "Not adding another user..."
+ sleep 1
+ else
+ read -r -p "Enter name of the new user: " NEWUSER
+ adduser --disabled-password --gecos "" "$NEWUSER"
+ sudo usermod -aG sudo "$NEWUSER"
+ usermod -s /bin/bash "$NEWUSER"
+ while true
+ do
+ sudo passwd "$NEWUSER" && break
+ done
+ sudo -u "$NEWUSER" sudo bash "$1"
+ fi
+fi
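Review bot: The `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` line sources whatever the `master` branch serves at run time into a shell that goes on to call `adduser` and `sudo`, with no pinned revision and no integrity check, and `-s` without `-f` means an HTTP error page or an empty response is sourced silently. I would fetch to a file with `curl -fsSL`, abort if the download fails, and source a copy pinned to a tag or commit (or checked against a known checksum) rather than a moving branch. The same line appears in apps.sh, automatic_updates.sh, configuration.sh, cookielifetime.sh, docker_overlay2.sh, format-sda-nuc-server.sh, main_menu.sh, menu.sh, nextcloud_configuration.sh and prune_zfs_snaphots.sh. Separately in this file, `$NEWUSER` and `$1` are used without checking that they are non-empty.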
diff --git a/static/apps.sh b/static/apps.sh
new file mode 100644
index 00000000..ff1835cc
--- /dev/null
+++ b/static/apps.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+mkdir -p "$SCRIPTS"
+print_text_in_color "$ICyan" "Running the additional apps script..."
+
+if network_ok
+then
+ # Delete, download, run
+ run_script APP additional_apps
+fi
+
+exit
diff --git a/static/automatic_updates.sh b/static/automatic_updates.sh
new file mode 100644
index 00000000..26968209
--- /dev/null
+++ b/static/automatic_updates.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Configuring automatic updates..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+msg_box "This option will update your server every week on Saturdays at $AUT_UPDATES_TIME:00.
+The update will run the built in script '$SCRIPTS/update.sh' which will update both the server packages and Nextcloud itself.
+
+You can read more about it here: https://www.techandme.se/nextcloud-update-is-now-fully-automated/
+Please keep in mind that automatic updates might fail hence it's important to have a proper backup in place if you plan to run this option.
+
+You can disable the automatic updates by entering the crontab file like this:
+'sudo crontab -e -u root'
+Then just put a hash (#) in front of the row that you want to disable.
+
+In the next step you will be able to choose to proceed or exit."
+
+if [[ "yes" == $(ask_yes_or_no "Do you want to enable automatic updates?") ]]
+then
+ occ_command config:app:set updatenotification notify_groups --value="[]"
+ touch $VMLOGS/update.log
+ crontab -u root -l | { cat; echo "0 $AUT_UPDATES_TIME * * 6 $SCRIPTS/update.sh minor >> $VMLOGS/update.log"; } | crontab -u root -
+ if [[ "yes" == $(ask_yes_or_no "Do you want to reboot your server after every update? *recommended*") ]]
+ then
+ sed -i "s|exit|shutdown -r +1|g" "$SCRIPTS"/update.sh
+ echo "exit" >> "$SCRIPTS"/update.sh
+ fi
+fi
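Review bot: `sed -i "s|exit|shutdown -r +1|g" "$SCRIPTS"/update.sh` rewrites every occurrence of the substring `exit` in a script that root's cron runs, not only a final `exit` line, so an `exit 1` in an error path or the word inside a message would also become a reboot command (update.sh's content is not visible here, so confirm against it). Anchoring the pattern, e.g. `sed -i 's|^exit$|shutdown -r +1|' "$SCRIPTS/update.sh"`, limits the edit to a bare `exit` line. The crontab append above it is also not idempotent: answering yes a second time adds a duplicate entry, and `$VMLOGS` is unquoted in `touch $VMLOGS/update.log`.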
diff --git a/static/change-root-profile.sh b/static/change-root-profile.sh
index 5cc68e2f..d495deba 100644
--- a/static/change-root-profile.sh
+++ b/static/change-root-profile.sh
@@ -27,9 +27,14 @@ then
fi
fi
-if [ -x /var/scripts/nextcloud_install_production.sh ]
+if [ -x /var/scripts/nextcloud-startup-script.sh ]
then
- /var/scripts/nextcloud_install_production.sh
+ /var/scripts/nextcloud-startup-script.sh
+fi
+
+if [ -x /var/scripts/history.sh ]
+then
+ /var/scripts/history.sh
fi
mesg n
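Review bot: The new block runs `/var/scripts/history.sh` from root's profile on the strength of `-x` alone, so anything able to write that path gets code executed as root at the next root login; the ownership and mode of /var/scripts are not visible in this hunk. A guard such as `if [ -x /var/scripts/history.sh ] && [ -O /var/scripts/history.sh ]` (file owned by the invoking user, here root) would be a cheap check, and the same applies to the renamed nextcloud-startup-script.sh test above it. The surrounding profile logic starts before this hunk.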
diff --git a/static/configuration.sh b/static/configuration.sh
new file mode 100644
index 00000000..bc99697d
--- /dev/null
+++ b/static/configuration.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+mkdir -p "$SCRIPTS"
+print_text_in_color "$ICyan" "Running the nextcloud configuration script..."
+
+if network_ok
+then
+ # Delete, download, run
+ run_script STATIC nextcloud_configuration
+fi
+
+exit
diff --git a/static/cookielifetime.sh b/static/cookielifetime.sh
new file mode 100644
index 00000000..a1a51f3e
--- /dev/null
+++ b/static/cookielifetime.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Configuring Cookie Lifetime timeout..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+choice=$(whiptail --radiolist "Configure the logout time (in seconds) which will forcefully logout the Nextcloud user from the web browser when the timeout is reached.\n\nSelect one with the [ARROW] keys and select with the [SPACE] key. Confirm by pressing [ENTER]" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"1800s" "30 minutes" ON \
+"7200s" "2 hours" OFF \
+"43200s" "12 hours" OFF \
+"172800s" "2 days" OFF \
+"604800s" "1 week" OFF \
+"2419200s" "4 weeks" OFF \
+"Custom" "setup a custom time" OFF 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ "1800s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="1800"
+ ;;
+ "7200s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="7200"
+ ;;
+ "43200s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="43200"
+ ;;
+ "172800s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="172800"
+ ;;
+ "604800s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="604800"
+ ;;
+ "2419200s")
+ occ_command config:system:set remember_login_cookie_lifetime --value="2419200"
+ ;;
+ "Custom")
+ while true
+ do
+ COOKIE_LIFETIME=$(whiptail --inputbox "Configure the logout time (in seconds) which will forcefully logout the Nextcloud user from the web browser when the timeout is reached.\n\nPlease enter the Cookie Lifetime in seconds, so e.g. 1800 for 30 minutes or 3600 for 1 hour\n\n You can not set a value below 30 minutes (1800 seconds)." "$WT_HEIGHT" "$WT_WIDTH" 1800 3>&1 1>&2 2>&3)
+ if ! check_if_number "$COOKIE_LIFETIME"
+ then
+ msg_box "The value you entered doesn't seem to be a number between 0-9, please enter a valid number."
+ elif [ "$COOKIE_LIFETIME" -lt "1800" ]
+ then
+ msg_box "Please choose a value more than 1800 seconds."
+ elif [[ "no" == $(ask_yes_or_no "Is this correct? $COOKIE_LIFETIME seconds") ]]
+ then
+ msg_box "It seems like you weren't satisfied with your setting of ($COOKIE_LIFETIME) seconds. Please try again."
+ else
+ occ_command config:system:set remember_login_cookie_lifetime --value="$COOKIE_LIFETIME"
+ break
+ fi
+ done
+ ;;
+ *)
+ ;;
+esac
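Review bot: In the `Custom` branch the inputbox has no cancel path: pressing Cancel or Esc leaves `COOKIE_LIFETIME` empty, `check_if_number` fails, and the `while true` loop shows the error box and prompts again indefinitely. Checking whiptail's exit status, e.g. ending the assignment with `3>&1 1>&2 2>&3) || break`, lets the user back out. The message "more than 1800 seconds" also disagrees with the `-lt "1800"` test, which accepts exactly 1800.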
diff --git a/static/docker_overlay2.sh b/static/docker_overlay2.sh
new file mode 100644
index 00000000..0abcd6dd
--- /dev/null
+++ b/static/docker_overlay2.sh
@@ -0,0 +1,167 @@
+#!/bin/bash
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+### Migrating Docker images to overlay2 ###
+# https://www.techandme.se/changes-to-docker-ce-in-the-nextcloud-vm/
+# Credits to: https://gist.github.com/hydra1983/22b2bed38b4f5f56caa87c830c96378d
+
+# Make sure DOCKERBACKUP is created
+if [ -f "$NCPATH"/config/config.php ]
+then
+ NCDATA="$(grep 'datadir' "$NCPATH"/config/config.php | awk '{print $3}' | cut -d "'" -f2)"
+fi
+DOCKERBACKUP="$NCDATA/DOCKERBACKUP"
+mkdir -p "$DOCKERBACKUP"
+
+# Check if aufs and don't run
+if grep -q "aufs" /etc/default/docker
+then
+msg_box "This script doesn't support images that uses the AUFS driver, sorry
+
+You are welcome to send a PR, or report an issue here: $ISSUES"
+ exit 1
+fi
+
+readonly DB_FILE="$DOCKERBACKUP/images.db"
+readonly IMG_DIR="$DOCKERBACKUP/images"
+
+save_images() {
+ print_text_in_color "$ICyan" "Create ${IMG_DIR}"
+ if [[ ! -d "${IMG_DIR}" ]]; then
+ mkdir "${IMG_DIR}"
+ fi
+
+ print_text_in_color "$ICyan" "Create ${DB_FILE}"
+ docker images|grep -v 'IMAGE ID'|awk '{printf("%s %s %s\n", $1, $2, $3)}'|column -t > "${DB_FILE}"
+
+ print_text_in_color "$ICyan" "Read ${DB_FILE}"
+ local images
+ while read -r image; do
+ images+=("$image");
+ done <<< "$(cat "${DB_FILE}")"
+
+ local name tag id
+ for image in "${images[@]}"; do
+ name=$(echo "$image"|awk '{print $1}')
+ tag=$(echo "$image"|awk '{print $2}')
+ id=$(echo "$image"|awk '{print $3}')
+
+ if [[ "${id}" != "" ]]; then
+ local imgPath="${IMG_DIR}/${id}.dim"
+
+ if [[ ! -f "${imgPath}" ]] ; then
+ print_text_in_color "$ICyan" "[DEBUG] save ${id} ${name}:${tag} to ${imgPath}"
+ (time docker save -o "${imgPath}" "${name}":"${tag}") 2>&1 | grep real
+ else
+ print_text_in_color "$ICyan" "[DEBUG] ${id} ${name}:${tag} already saved"
+ fi
+ fi
+ done
+}
+
+load_images() {
+ if [[ ! -f "${DB_FILE}" ]]; then
+ print_text_in_color "$ICyan" "No ${DB_FILE} to read"
+ exit 0
+ fi
+
+ if [[ ! -d "${IMG_DIR}" ]]; then
+ print_text_in_color "$ICyan" "No ${IMG_DIR} to load images"
+ exit 0
+ fi
+
+ print_text_in_color "$ICyan" "Read ${DB_FILE}"
+ local images
+ while read -r image; do
+ images+=("$image");
+ done <<< "$(cat "${DB_FILE}")"
+
+ local name tag id
+ for image in "${images[@]}"; do
+ name=$(echo "$image"|awk '{print $1}')
+ tag=$(echo "$image"|awk '{print $2}')
+ id=$(echo "$image"|awk '{print $3}')
+
+ if [[ "${id}" != "" ]]; then
+ local imgPath="${IMG_DIR}/${id}.dim"
+
+ if [[ "$(docker images|grep "${id}" | grep "${name}" | grep "${tag}")" == "" ]]; then
+ if [[ "$(docker images|grep "${id}")" == "" ]]; then
+ print_text_in_color "$ICyan" "[DEBUG] load ${id} ${name}:${tag} from ${imgPath}"
+ docker load -i "${imgPath}"
+ else
+ print_text_in_color "$ICyan" "[DEBUG] tag ${id} as ${name}:${tag}"
+ docker tag "${id}" "${name}":"${tag}"
+ fi
+ else
+ print_text_in_color "$ICyan" "[DEBUG] ${id} ${name}:${tag} already loaded"
+ fi
+ fi
+ done
+}
+
+# Save all docker images in one file
+check_command docker ps -a > "$DOCKERBACKUP"/dockerps.txt
+check_command docker images | sed '1d' | awk '{print $1 " " $2 " " $3}' > "$DOCKERBACKUP"/mydockersimages.list
+msg_box "The following images will be saved to $DOCKERBACKUP/images
+
+$(cat "$DOCKERBACKUP"/mydockersimages.list)
+
+It may take a while so please be patient."
+
+check_command save_images
+
+# Set overlay2
+print_text_in_color "$ICyan" "Setting overlay2 in /etc/docker/daemon.json"
+
+cat << OVERLAY2 > /etc/docker/daemon.json
+{
+ "storage-driver": "overlay2"
+}
+OVERLAY2
+rm -f /etc/systemd/system/docker.service
+systemctl restart docker.service
+print_text_in_color "$ICyan" "Reloading daemon"
+systemctl daemon-reload
+print_text_in_color "$ICyan" "Restarting the docker service"
+check_command systemctl restart docker.service
+apt-mark unhold docker-ce
+
+# Remove old cached versions to avoid failures on update to new version
+rm -Rf /var/cache/apt/archives/docker*
+rm -Rf /var/cache/apt/archives/container*
+rm -Rf /var/cache/apt/archives/aufs*
+
+# Upgrade docker to latest version
+rm -Rf /var/lib/docker
+apt update -q4 & spinner_loading
+apt upgrade docker-ce -y
+
+# Load docker images back
+print_text_in_color "$ICyan" "Importing saved docker images to overlay2..."
+check_command load_images
+msg_box "Your Docker images are now imported to overlay2, but not yet running.
+
+To start the images again, please run the appropriate 'docker run' command for each docker.
+These are all the imported docker images:
+$(cat "${DB_FILE}")
+
+You can also find the file with the imported docker images here:
+$DB_FILE
+
+If you experiance any issues, please report them to $ISSUES."
+rm -f "$DOCKERBACKUP"/mydockersimages.list
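Review bot: `rm -Rf /var/lib/docker` runs once `check_command save_images` returns, but `save_images` cannot report a failed export: `(time docker save ...) 2>&1 | grep real` yields grep's status, and the function's return value is whatever the last loop iteration produced. A save that fails (full disk, an image whose tag column is `<none>`) therefore still leads to the old storage directory being deleted, along with any containers and volumes in it, which this script does not back up. I would run `docker save -o "${imgPath}" "${name}:${tag}" || return 1` without the pipe and confirm each `.dim` file is non-empty before the removal. When config.php is missing, `NCDATA` may also be unset (unless lib.sh provides it), which would make `DOCKERBACKUP` resolve to `/DOCKERBACKUP`.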
diff --git a/static/format-sda-nuc-server.sh b/static/format-sda-nuc-server.sh
new file mode 100644
index 00000000..da054586
--- /dev/null
+++ b/static/format-sda-nuc-server.sh
@@ -0,0 +1,159 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check if root
+root_check
+
+# Needs to be Ubuntu 18.04 and Multiverse
+check_distro_version
+check_multiverse
+
+MOUNT_=/mnt/$POOLNAME
+
+format() {
+# umount if mounted
+umount /mnt/* &> /dev/null
+
+# mkdir if not existing
+mkdir -p "$MOUNT_"
+
+DEVTYPE=sda
+
+# Get the name of the drive
+DISKTYPE=$(fdisk -l | grep $DEVTYPE | awk '{print $2}' | cut -d ":" -f1 | head -1)
+if [ "$DISKTYPE" != "/dev/$DEVTYPE" ]
+then
+msg_box "It seems like your $SYSNAME secondary volume (/dev/$DEVTYPE) does not exist.
+This script requires that you mount a second drive to hold the data.
+
+Please shutdown the server and mount a second drive, then start this script again.
+
+If you want help you can buy support in our shop:
+https://shop.hanssonit.se/product/premium-support-per-30-minutes/"
+exit 1
+fi
+
+# Check if ZFS utils are installed
+install_if_not zfsutils-linux
+
+# Check still not mounted
+#These functions return exit codes: 0 = found, 1 = not found
+isMounted() { findmnt -rno SOURCE,TARGET "$1" >/dev/null;} #path or device
+isDevMounted() { findmnt -rno SOURCE "$1" >/dev/null;} #device only
+isPathMounted() { findmnt -rno TARGET "$1" >/dev/null;} #path only
+isDevPartOfZFS() { zpool status | grep "$1" >/dev/null;} #device memeber of a zpool
+
+if isPathMounted "/mnt/ncdata"; #Spaces in path names are ok.
+then
+msg_box "/mnt/ncdata is mounted and need to be unmounted before you can run this script."
+ exit 1
+fi
+
+if isDevMounted "/dev/$DEVTYPE";
+then
+msg_box "/dev/$DEVTYPE is mounted and need to be unmounted before you can run this script."
+ exit 1
+fi
+
+# Universal:
+if isMounted "/mnt/ncdata";
+then
+msg_box "/mnt/ncdata is mounted and need to be unmounted before you can run this script."
+ exit 1
+fi
+
+if isMounted "/dev/${DEVTYPE}1";
+then
+msg_box "/dev/${DEVTYPE}1 is mounted and need to be unmounted before you can run this script."
+ exit 1
+fi
+
+if isDevPartOfZFS "$DEVTYPE";
+then
+msg_box "/dev/$DEVTYPE is a member of a ZFS pool and needs to be removed from any zpool before you can run this script."
+ exit 1
+fi
+
+if lsblk -l -n | grep -v mmcblk | grep disk | awk '{ print $1 }' | tail -1 > /dev/null
+then
+msg_box "Formatting your $SYSNAME secondary volume ($DISKTYPE) when you hit OK.
+
+*** WARNING: ALL YOUR DATA WILL BE ERASED! ***"
+ if zpool list | grep "$POOLNAME" > /dev/null
+ then
+ check_command zpool destroy "$POOLNAME"
+ fi
+ check_command wipefs -a -f "$DISKTYPE"
+ sleep 0.5
+ check_command zpool create -f -o ashift=12 "$POOLNAME" "$DISKTYPE"
+ check_command zpool set failmode=continue "$POOLNAME"
+ check_command zfs set mountpoint="$MOUNT_" "$POOLNAME"
+ check_command zfs set compression=lz4 "$POOLNAME"
+ check_command zfs set sync=standard "$POOLNAME"
+ check_command zfs set xattr=sa "$POOLNAME"
+ check_command zfs set primarycache=all "$POOLNAME"
+ check_command zfs set atime=off "$POOLNAME"
+ check_command zfs set recordsize=128k "$POOLNAME"
+ check_command zfs set logbias=latency "$POOLNAME"
+
+else
+msg_box "It seems like /dev/$DEVTYPE does not exist.
+This script requires that you mount a second drive to hold the data.
+
+Please shutdown the server and mount a second drive, then start this script again.
+
+If you want help you can buy support in our shop:
+https://shop.hanssonit.se/product/premium-support-per-30-minutes/"
+exit 1
+fi
+}
+format
+
+# Do a backup of the ZFS mount
+if is_this_installed libzfs2linux
+then
+ if grep -r $POOLNAME /etc/mtab
+ then
+ install_if_not zfs-auto-snapshot
+ sed -i "s|date --utc|date|g" /usr/sbin/zfs-auto-snapshot
+ fi
+fi
+
+# Check if UUID is used
+if zpool list -v | grep "$DEVTYPE"
+then
+ # Get UUID
+ check_command partprobe -s
+ if fdisk -l /dev/"$DEVTYPE"1 >/dev/null 2>&1
+ then
+ UUID_SDB1=$(blkid -o value -s UUID /dev/"DEVTYPE"1)
+ fi
+ # Export / import the correct way (based on UUID)
+ check_command zpool export "$POOLNAME"
+ check_command zpool import -d /dev/disk/by-uuid/"$UUID_SDB1" "$POOLNAME"
+fi
+
+# Success!
+if grep "$POOLNAME" /etc/mtab
+then
+msg_box "$MOUNT_ mounted successfully as a ZFS volume.
+
+Automatic scrubbing is done monthly via a cronjob that you can find here:
+/etc/cron.d/zfsutils-linux
+
+Automatic snapshots are taken with 'zfs-auto-snapshot'. You can list current snapshots with:
+'sudo zfs list -t snapshot'.
+Manpage is here:
+http://manpages.ubuntu.com/manpages/focal/man8/zfs-auto-snapshot.8.html
+
+CURRENT STATUS:
+$(zpool status $POOLNAME)
+
+$(zpool list)"
+fi
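Review bot: `UUID_SDB1=$(blkid -o value -s UUID /dev/"DEVTYPE"1)` is missing the `$`, so blkid is asked about the literal path /dev/DEVTYPE1 and `UUID_SDB1` comes back empty; it should read `/dev/"$DEVTYPE"1`. The script then exports the pool and imports with `-d /dev/disk/by-uuid/"$UUID_SDB1"`, so with an empty value (or when the `fdisk -l` test fails and the variable is never set) the pool has already been exported before the import can fail. I would refuse to export without a UUID, e.g. `[ -n "$UUID_SDB1" ] || exit 1` ahead of `zpool export`. `DEVTYPE` is also assigned inside `format()` without `local` and is only usable at top level because it leaks as a global.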
diff --git a/static/instruction.sh b/static/instruction.sh
new file mode 100644
index 00000000..384268c2
--- /dev/null
+++ b/static/instruction.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+VMLOGS=/var/log/nextcloud
+BIGreen='\e[1;92m' # Green
+IGreen='\e[0;92m' # Green
+Color_Off='\e[0m' # Text Reset
+
+clear
+cat << INST1
++-----------------------------------------------------------------------+
+| Welcome to the first setup of your own Nextcloud Server! :) |
+| |
+INST1
+echo -e "|" "${IGreen}To run the startup script type the sudoer password, then hit [ENTER].${Color_Off} |"
+echo -e "|" "${IGreen}The default sudoer password is: ${BIGreen}nextcloud${IGreen}${Color_Off} |"
+cat << INST2
+| |
+| You can find the complete install instructions here: |
+| Nextcloud VM = https://bit.ly/2S8eGfS |
+| Nextcloud Home/SME Server = https://bit.ly/2k2TNaM |
+| |
+| To be 100% sure that all the keystrokes work correctly (like @), |
+| please use an SSH terminal like Putty. You can download it here: |
+| https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html |
+| If you are running Windows 10 1809 or later, you can simply use SSH |
+| from the command prompt. |
+| Connect like this: ssh ncadmin@local.IP.of.this.server |
+| |
+| You can schedule the Nextcloud update process using a cron job. |
+| This is done using a script built into this server that automatically |
+| updates Nextcloud, sets secure permissions, and logs the successful |
+| update to $VMLOGS/update.log |
+| Just choose to configure it when asked to do so later in this script. |
+| |
+| ###################### T&M Hansson IT - $(date +"%Y") ###################### |
++-----------------------------------------------------------------------+
+INST2
+
+exit 0
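Review bot: The banner prints the default sudoer password `nextcloud` every time it runs, and nothing in this file ties it to the first-setup state. Whether the startup script forces a password change is not visible here; if it does, a comment such as `# Default password is only valid until the startup script has run` would document that, and if it does not, the banner should stop being shown once setup is complete. `VMLOGS` is also hard-coded here while the other scripts in this commit appear to take it from lib.sh, so the path in the text can drift from the one actually used.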
diff --git a/static/main_menu.sh b/static/main_menu.sh
new file mode 100644
index 00000000..0edc7a07
--- /dev/null
+++ b/static/main_menu.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Main menu
+choice=$(whiptail --title "Main Menu" --radiolist "Choose what you want to do.\nSelect by pressing the spacebar and ENTER\nYou can view this menu later by running 'sudo bash $SCRIPTS/menu.sh" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"Additional Apps" "(Choose which apps to install)" OFF \
+"Nextcloud Configuration" "(Choose between available Nextcloud configurations)" OFF \
+"Server Configuration" "(Choose between available server configurations)" OFF \
+"Update Nextcloud" "(Update Nextcloud to the latest release)" OFF 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ "Additional Apps")
+ if network_ok
+ then
+ run_script APP additional_apps
+ fi
+ ;;
+ "Nextcloud Configuration")
+ if network_ok
+ then
+ run_script STATIC nextcloud_configuration
+ fi
+ ;;
+ "Server Configuration")
+ if network_ok
+ then
+ run_script STATIC server_configuration
+ fi
+ ;;
+ "Update Nextcloud")
+ if [ -f $SCRIPTS/update.sh ]
+ then
+ bash $SCRIPTS/update.sh
+ else
+ if network_ok
+ then
+ download_script STATIC update
+ bash $SCRIPTS/update.sh
+ fi
+ fi
+ ;;
+ *)
+ ;;
+esac
+exit
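Review bot: `$SCRIPTS` is unquoted in `[ -f $SCRIPTS/update.sh ]` and in both `bash $SCRIPTS/update.sh` calls, unlike the quoted uses elsewhere in this commit; if the variable is empty the test becomes `[ -f /update.sh ]` and root runs a script looked up at the filesystem root. I would write `[ -f "$SCRIPTS/update.sh" ]` and `bash "$SCRIPTS/update.sh"`. The menu text also opens a single quote before `sudo bash $SCRIPTS/menu.sh` and never closes it.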
diff --git a/static/menu.sh b/static/menu.sh
new file mode 100644
index 00000000..7aedc84c
--- /dev/null
+++ b/static/menu.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+mkdir -p "$SCRIPTS"
+print_text_in_color "$ICyan" "Running the main menu script..."
+
+if network_ok
+then
+ # Delete, download, run
+ run_script STATIC main_menu
+fi
+
+exit
diff --git a/static/nextcloud.sh b/static/nextcloud.sh
new file mode 100644
index 00000000..26f4c09e
--- /dev/null
+++ b/static/nextcloud.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+WANIP6=$(curl -s -k -m 5 https://ipv6bot.whatismyipaddress.com)
+WANIP4=$(curl -s -k -m 5 https://ipv4bot.whatismyipaddress.com)
+ADDRESS=$(hostname -I | cut -d ' ' -f 1)
+
+clear
+figlet -f small Nextcloud
+echo "https://www.hanssonit.se/nextcloud-vm"
+echo
+echo
+echo "Hostname: $(hostname -s)"
+echo "WAN IPv4: $WANIP4"
+echo "WAN IPv6: $WANIP6"
+echo "LAN IPv4: $ADDRESS"
+echo
+exit 0
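Review bot: Both `curl -s -k -m 5` calls pass `-k`, which turns off TLS certificate verification, and the response body is then echoed to the login terminal as-is. The endpoints are public HTTPS services, so `-k` is not needed; I would drop it (`curl -s -m 5 https://ipv4bot.whatismyipaddress.com`) and print the value only when it looks like an address, e.g. after a `[[ $WANIP4 =~ ^[0-9.]+$ ]]` test. That keeps an intercepted or unexpected response, including terminal control sequences, from being printed at login.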
diff --git a/static/nextcloud_configuration.sh b/static/nextcloud_configuration.sh
new file mode 100644
index 00000000..a255606f
--- /dev/null
+++ b/static/nextcloud_configuration.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Configure Nextcloud
+choice=$(whiptail --title "Nextcloud Configuration" --checklist "Which settings do you want to configure?\nSelect by pressing the spacebar\nYou can view this menu later by running 'sudo bash $SCRIPTS/menu.sh'" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"CookieLifetime" "(Configure forced logout timeout for users using the web GUI)" OFF \
+"Share-folder" "(Shares from other users will appear in a folder named 'Shared')" OFF \
+"Disable workspaces" "(disable top notes in GUI)" OFF \
+"Disable user flows" "(Disable user settings for Nextcloud Flow)" OFF 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ *"CookieLifetime"*)
+ run_script STATIC cookielifetime
+ ;;&
+ *"Share-folder"*)
+ clear
+ msg_box "This option will make all Nextcloud shares from other users appear in a folder named 'Shared' in the Nextcloud GUI.\n\nIf you don't enable this option, all shares will appear directly in the Nextcloud GUI root folder, which is the default behaviour."
+ if [[ "yes" == $(ask_yes_or_no "Do you want to enable this option?") ]]
+ then
+ occ_command config:system:set share_folder --value="/Shared"
+ msg_box "All new Nextcloud shares from other users will appear in the 'Shared' folder from now on."
+ fi
+ ;;&
+ *"Disable workspaces"*)
+ msg_box "This option will will disable a feature named 'rich workspaces'. It will disable the top notes in GUI."
+ if [[ "yes" == $(ask_yes_or_no "Do you want to disable rich workspaces?") ]]
+ then
+ # Check if text is enabled
+ if ! is_app_enabled text
+ then
+ msg_box "The text app isn't enabled - unable to disable rich workspaces."
+ sleep 1
+ else
+ # Disable workspaces
+ occ_command config:app:set text workspace_available --value=0
+ msg_box "Rich workspaces are now disabled."
+ fi
+ fi
+ ;;&
+ *"Disable user flows"*)
+ # Greater than 18.0.3 is 18.0.4 which is required
+ if version_gt "$CURRENTVERSION" "18.0.3"
+ then
+ msg_box "This option will disable the with Nextcloud 18 introduced user flows. It will disable the user flow settings. Admin flows will continue to work."
+ if [[ "yes" == $(ask_yes_or_no "Do you want to disable user flows?") ]]
+ then
+ occ_command config:app:set workflowengine user_scope_disabled --value yes
+ msg_box "User flow settings are now disabled."
+ fi
+ else
+ msg_box "'Disable user flows' is only available on Nextcloud 18.0.4 and above.\nPlease upgrade by running 'sudo bash /var/scripts/update.sh'"
+ sleep 1
+ fi
+ ;;&
+ *)
+ ;;
+esac
+exit
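Review bot: The `;;&` terminators are what make this checklist work, and they deserve a comment: unlike `;;`, they keep testing the remaining patterns, so every ticked entry in `$choice` runs rather than only the first match. I would add `# ;;& continues to the next pattern so each selected option is processed` above the `case`. The user-facing string in the "Disable workspaces" arm also has a doubled word (`will will`).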
diff --git a/static/nhss_index.php b/static/nhss_index.php
new file mode 100644
index 00000000..26e8367a
--- /dev/null
+++ b/static/nhss_index.php
@@ -0,0 +1,148 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+ <head>
+ <title>Nextcloud Home/SME Server</title>
+ <META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
+ <style type="text/css">
+ body {
+ background-color: #0082c9;
+ font-weight: 300;
+ font-size: 1em;
+ line-height: 1.6em;
+ font-family: 'Open Sans', Frutiger, Calibri, 'Myriad Pro', Myriad, sans-serif;
+ color: white;
+ height: auto;
+ margin-left: auto;
+ margin-right: auto;
+ align: center;
+ text-align: center;
+ background: #0082c9; /* Old browsers */
+ background-image: url('/nextcloud/core/img/background.png'), linear-gradient(10deg, #0082c9 0%, rgb(28, 175, 255) 50%);
+ background-size: cover;
+ }
+ div.logotext {
+ width: 50%;
+ margin: 0 auto;
+ }
+ div.logo {
+ background-image: url('/nextcloud/core/img/logo/logo.svg');
+ background-repeat: no-repeat; top center;
+ width: 50%;
+ height: 25%;
+ margin: 0 auto;
+ background-size: 40%;
+ margin-left: 40%;
+ margin-right: 20%;
+ }
+ pre {
+ padding:10pt;
+ width: 50%
+ text-align: center;
+ margin-left: 20%;
+ margin-right: 20%;
+ }
+ div.information {
+ align: center;
+ width: 50%;
+ margin: 10px auto;
+ display: block;
+ padding: 10px;
+ background-color: rgba(0,0,0,.3);
+ color: #fff;
+ text-align: left;
+ border-radius: 3px;
+ cursor: default;
+ }
+ /* unvisited link */
+ a:link {
+ color: #FFFFFF;
+ }
+ /* visited link */
+ a:visited {
+ color: #FFFFFF;
+ }
+ /* mouse over link */
+ a:hover {
+ color: #E0E0E0;
+ }
+ /* selected link */
+ a:active {
+ color: #E0E0E0;
+ }
+ </style>
+ </head>
+ <body>
+ <br>
+ <div class="logo"></div>
+ <div class="logotext">
+ <h2><a href="https://shop.hanssonit.se/product-category/nextcloud/home-sme-server/" target="_blank">Nextcloud Home/SME Server</a> - by <a href="https://www.hanssonit.se" target="_blank">T&M Hansson IT AB</a></h2>
+ </div>
+ <br>
+ <div class="information">
+ <p>Thank you for purchasing the Nextcloud Home/SME Server, you made a good choice! If you see this page, you have run the first setup, and you are now ready to start using Nextcloud on your new server. Congratulations! :)</p>
+ <p>We have set everything up for you and the only thing you have to do now is to login. You can find login details in the middle of this page.</p>
+ <p>Don't hesitate to ask if you have any questions. You can ask for help in our community <a href="https://help.nextcloud.com/c/support/appliances-docker-snappy-vm" target="_blank">support</a> channels, or <a href="https://shop.hanssonit.se/product/premium-support-per-30-minutes/" target="_blank">buy hands on support</a> from T&M Hansson IT AB. You can also check the <a href="https://docs.hanssonit.se/s/blkkp2qhv0jgrltpicl0/nextcloud-homesme-server" target="_blank">documentation</a>.</p>
+ </div>
+
+ <h2>Access Nextcloud</h2>
+
+ <div class="information">
+ <p>Use the following address:
+ <h3>
+ <ul>
+ <li><a href="https://<?=$_SERVER['SERVER_NAME'];?>/nextcloud">https://<?=$_SERVER['SERVER_NAME'];?></a> (HTTPS)
+ </ul>
+ </h3>
+ <p>Note: Please accept the warning in the browser if you have a self-signed certificate.<br>
+
+ <p>It's recomended to <a href="https://docs.hanssonit.se/s/blkkp2qhv0jgrltpicl0/nextcloud-homesme-server/d/blkkp2qhv0jgrltpidm0/publish-your-server-online" target="_blank">get your own certificate and replace the self-signed certificate to your own.</a>
+ The easiest way to get a real TLS certificate is to run the Lets' Encrypt script included on this server.<br>
+ Just run 'sudo bash /var/scripts/activate-tls.sh' from your terminal and follow the instructions.
+ <h3>
+ <a href="https://docs.hanssonit.se/s/blkkp2qhv0jgrltpicl0/nextcloud-homesme-server/d/blkkp2qhv0jgrltpid50/server-installation-instructions?currentPageId=blkkp2qhv0jgrltpidb0" target="_blank">Login details</a>
+ </h3>
+ </div>
+
+ <h2>Access Webmin</h2>
+
+ <div class="information">
+ <p>Use the following address:
+ <h3>
+ <ul>
+ <li><a href="https://<?=$_SERVER['SERVER_NAME'];?>:10000">https://<?=$_SERVER['SERVER_NAME'];?></a> (HTTPS)</li>
+ </ul>
+ </h3>
+ <p>Note: Please accept the warning in the browser if you have a self-signed certificate.<br>
+ <h3>
+ <a href="https://docs.hanssonit.se/s/blkkp2qhv0jgrltpicl0/nextcloud-homesme-server/d/blkkp2qhv0jgrltpid50/server-installation-instructions?currentPageId=blkkp2qhv0jgrltpidc0" target="_blank">Login details</a>
+ </h3>
+ <p>Note: To access Webmin externally you have to open port 10000 in your router, it's not recomended though due to security concerns.</p>
+ </div>
+
+ <h2>Access Adminer</h2>
+
+ <div class="information">
+ <p>Use one of the following addresses, HTTPS is preffered:
+ <h3>
+ <ul>
+ <li><a href="http://<?=$_SERVER['SERVER_NAME'];?>/adminer.php">http://<?=$_SERVER['SERVER_NAME'];?></a> (HTTP)</li>
+ <li><a href="https://<?=$_SERVER['SERVER_NAME'];?>/adminer.php">https://<?=$_SERVER['SERVER_NAME'];?></a> (HTTPS)</li>
+ </ul>
+ </h3>
+ <p>Note: Please accept the warning in the browser if you connect via HTTPS.</p>
+ <h3>
+ <a href="https://docs.hanssonit.se/s/blkkp2qhv0jgrltpicl0/nextcloud-homesme-server/d/blkkp2qhv0jgrltpid50/server-installation-instructions?currentPageId=blkkp2qhv0jgrltpidcg" target="_blank">Login details</a>
+ </h3>
+ <p>Note: Your LAN IP is set as approved in /etc/apache2/conf-available/adminer.conf, all other access is forbidden.</p>
+ </div>
+
+ <h2>Follow us on Social Media</h2>
+
+ <div class="information">
+ <p>If you want to get the latest news and updates, please consider following us! We are very active on Twitter, and post some videos from time to time on Youtube. It might be worth checking out. ;)</p>
+ </div>
+ <p><b><a href="https://twitter.com/tmhanssonit" class="twitter-follow-button" data-show-count="false" target="_blank">Follow @tmhanssonit</a><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></b></p>
+ <script src="https://apis.google.com/js/platform.js"></script>
+ <div class="g-ytsubscribe" data-channelid="UCLXe8RpVdOsoapYM9_GcrfA" data-layout="full" data-count="default"></div>
+ </body>
+</html>
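Review bot: `<?=$_SERVER['SERVER_NAME'];?>` is written into `href` attributes and link text without escaping in the Nextcloud, Webmin and Adminer address lists. Depending on the Apache `UseCanonicalName` and vhost setup (not visible here), that value can be taken from the request's Host header, so it should be treated as request data: `<?= htmlspecialchars($_SERVER['SERVER_NAME'], ENT_QUOTES, 'UTF-8') ?>`. The `target="_blank"` links also carry no `rel="noopener"`, and the `pre` rule is missing a semicolon after `width: 50%`.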
diff --git a/static/prune_zfs_snaphots.sh b/static/prune_zfs_snaphots.sh
new file mode 100644
index 00000000..69978c9b
--- /dev/null
+++ b/static/prune_zfs_snaphots.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+if [ -d $NCDATA ]
+then
+ if is_this_installed zfs-auto-snapshot
+ then
+ if [ "$(df -h $NCDATA | awk '{print $5}' | tail -1 | cut -d "%" -f1)" -gt 70 ]
+ then
+ # Notify user
+ notify_admin_gui \
+ "Disk space almost full!" \
+ "The disk space for ncdata is almost full. We have automatically deleted ZFS snapshots older than 4 weeks and cleaned up your trashbin to free up some space and avoid a fatal crash. Please check $VMLOGS/zfs_prune.log for the results."
+ # On screen information
+msg_box "Your disk space is almost full (more than 70%).
+
+To solve that, we will now delete ZFS snapshots older than 4 weeks
+
+The script will also delete everything in trashbin for all users to free up some space."
+ countdown "To abort, please press CTRL+C within 10 seconds." 10
+ print_text_in_color "$IGreen" "Freeing some space... This might take a while, please don't abort."
+ # Get the latest prune script
+ if [ -f $SCRIPTS/zfs-prune-snapshots ]
+ then
+ rm -f "$SCRIPTS"/zfs-prune-snapshots
+ download_script STATIC zfs-prune-snapshots
+ elif [ ! -f $SCRIPTS/zfs-prune-snapshots.sh ]
+ then
+ download_script STATIC zfs-prune-snapshots
+ fi
+ check_command chmod +x "$SCRIPTS"/zfs-prune-snapshots.sh
+ # Prune!
+ cd "$SCRIPTS"
+ if [ ! -d "$VMLOGS" ]
+ then
+ mkdir -p "$VMLOGS"
+ fi
+ touch $VMLOGS/zfs_prune.log
+ ./zfs-prune-snapshots.sh 4w ncdata >> $VMLOGS/zfs_prune.log
+ occ_command trashbin:cleanup --all-users >> $VMLOGS/zfs_prune.log
+ fi
+ fi
+fi
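Review bot: The `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` line sources whatever the `master` branch serves at run time, with no pinned revision, no integrity check and no test that the fetch succeeded. The script then runs as root and deletes snapshots and trashbin contents using `$NCDATA`, `$SCRIPTS` and `$VMLOGS`, which presumably come from that file; with `-s` a failed download leaves them empty and nothing stops the run. The same line is added in security.sh, setup_secure_permissions_nextcloud.sh, temporary-fix.sh, update.sh and updatenotification.sh, and as the fallback branch in server_configuration.sh. I would try the local copy first, as server_configuration.sh already does with `source /var/scripts/lib.sh`, fetch from a fixed ref (`.../nextcloud/vm/<PINNED_COMMIT>/lib.sh`) otherwise, and stop when a required variable is unset, e.g. `: "${SCRIPTS:?lib.sh not loaded}"`.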
diff --git a/static/recover_apps.py b/static/recover_apps.py
new file mode 100644
index 00000000..8ff4f0f4
--- /dev/null
+++ b/static/recover_apps.py
@@ -0,0 +1,16 @@
+import glob, json, os, subprocess, requests
+
+nc_path = '/var/www/nextcloud/apps/'
+backup_path = '/var/NCBACKUP/apps/'
+shipped_url = 'http://raw.githubusercontent.com/nextcloud/server/master/core/shipped.json'
+
+json_data = requests.get(shipped_url, timeout=60).json()
+shipped_apps = json_data['shippedApps'] + json_data['alwaysEnabled']
+
+installed_dirs = set(os.path.basename(path) for path in glob.glob(backup_path + '*'))
+missing_dirs = installed_dirs.difference(shipped_apps)
+
+for d in missing_dirs:
+# subprocess.call(['rsync', '-Aax', os.path.join(backup_path, d), nc_path])
+# subprocess.call(['sudo', '-u', 'www-data', '/var/www/nextcloud/occ', 'app:enable', d])
+ subprocess.call(['sudo', '-u', 'www-data', '/var/www/nextcloud/occ', 'app:install', d])
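Review bot: `shipped_url` is fetched over plain `http://`, and the returned list decides which backed-up app directories are handed to `occ app:install`, so the first request can be altered on the network path. It should read `shipped_url = 'https://raw.githubusercontent.com/nextcloud/server/master/core/shipped.json'`. The response is also parsed without a status check, so an error page shows up as a JSON or `KeyError` traceback; keeping the response in a variable and calling `raise_for_status()` before `.json()` makes that failure explicit. Entries under `backup_path` that are plain files are treated as app names too, which an `os.path.isdir` filter in the set comprehension would avoid.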
diff --git a/static/security.sh b/static/security.sh
new file mode 100644
index 00000000..701eaa1b
--- /dev/null
+++ b/static/security.sh
@@ -0,0 +1,121 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# REMOVE disable of SC2154 WHEN PUTTING SPAMHAUS IN PRODUCTION (it's just to fixing travis for now)
+# shellcheck disable=2034,2059,SC2154
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+print_text_in_color "$ICyan" "Installing Extra Security..."
+
+# Based on: http://www.techrepublic.com/blog/smb-technologist/secure-your-apache-server-from-ddos-slowloris-and-dns-injection-attacks/
+
+# Protect against DDOS
+apt update -q4 & spinner_loading
+apt -y install libapache2-mod-evasive
+mkdir -p /var/log/apache2/evasive
+chown -R www-data:root /var/log/apache2/evasive
+if [ ! -f "$ENVASIVE" ]
+then
+ touch "$ENVASIVE"
+ cat << ENVASIVE > "$ENVASIVE"
+DOSHashTableSize 2048
+DOSPageCount 20 # maximum number of requests for the same page
+DOSSiteCount 300 # total number of requests for any object by the same client IP on the same listener
+DOSPageInterval 1.0 # interval for the page count threshold
+DOSSiteInterval 1.0 # interval for the site count threshold
+DOSBlockingPeriod 10.0 # time that a client IP will be blocked for
+DOSLogDir
+ENVASIVE
+fi
+
+# Protect against Slowloris
+#apt -y install libapache2-mod-qos
+a2enmod reqtimeout # http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
+
+# Don't enable SpamHaus now as it's now working anyway
+# REMOVE disable of SC2154 WHEN PUTTING SPAMHAUS IN PRODUCTION (it's just to fixing travis for now)
+exit
+
+# Protect against DNS Injection
+# Insipired by: https://www.c-rieger.de/nextcloud-13-nginx-installation-guide-for-ubuntu-18-04-lts/#spamhausproject
+
+# shellcheck disable=SC2016
+DATE='$(date +%Y-%m-%d)'
+cat << SPAMHAUS_ENABLE > "$SCRIPTS/spamhaus_cronjob.sh"
+#!/bin/bash
+# Thanks to @ank0m
+EXEC_DATE='date +%Y-%m-%d'
+SPAMHAUS_DROP="/usr/local/src/drop.txt"
+SPAMHAUS_eDROP="/usr/local/src/edrop.txt"
+URL="https://www.spamhaus.org/drop/drop.txt"
+eURL="https://www.spamhaus.org/drop/edrop.txt"
+DROP_ADD_TO_UFW="/usr/local/src/DROP2.txt"
+eDROP_ADD_TO_UFW="/usr/local/src/eDROP2.txt"
+DROP_ARCHIVE_FILE="/usr/local/src/DROP_{$EXEC_DATE}"
+eDROP_ARCHIVE_FILE="/usr/local/src/eDROP_{$EXEC_DATE}"
+# All credits for the following BLACKLISTS goes to "The Spamhaus Project" - https://www.spamhaus.org
+echo "Start time: $(date)"
+echo " "
+echo "Download daily DROP file:"
+curl -fsSL "$URL" > $SPAMHAUS_DROP
+grep -v '^;' $SPAMHAUS_DROP | cut -d ' ' -f 1 > $DROP_ADD_TO_UFW
+echo " "
+echo "Extract DROP IP addresses and add to UFW:"
+cat $DROP_ADD_TO_UFW | while read line
+do
+/usr/sbin/ufw insert 1 deny from "$line" comment 'DROP_Blacklisted_IPs'
+done
+echo " "
+echo "Downloading eDROP list and import to UFW"
+echo " "
+echo "Download daily eDROP file:"
+curl -fsSL "$eURL" > $SPAMHAUS_eDROP
+grep -v '^;' $SPAMHAUS_eDROP | cut -d ' ' -f 1 > $eDROP_ADD_TO_UFW
+echo " "
+echo "Extract eDROP IP addresses and add to UFW:"
+cat $eDROP_ADD_TO_UFW | while read line
+do
+/usr/sbin/ufw insert 1 deny from "$line" comment 'eDROP_Blacklisted_IPs'
+done
+echo " "
+#####
+## To remove or revert these rules, keep the list of IPs!
+## Run a command like so to remove the rules:
+# while read line; do ufw delete deny from $line; done < $ARCHIVE_FILE
+#####
+echo "Backup DROP IP address list:"
+mv $DROP_ADD_TO_UFW $DROP_ARCHIVE_FILE
+echo " "
+echo "Backup eDROP IP address list:"
+mv $eDROP_ADD_TO_UFW $eDROP_ARCHIVE_FILE
+echo " "
+echo End time: $(date)
+SPAMHAUS_ENABLE
+
+# Make the file executable
+chmod +x "$SCRIPTS"/spamhaus_cronjob.sh
+
+# Add it to crontab
+(crontab -l ; echo "10 2 * * * $SCRIPTS/spamhaus_crontab.sh 2>&1") | crontab -u root -
+
+# Run it for the first time
+check_command bash "$SCRIPTS"/spamhaus_cronjob.sh
+
+# Enable $SPAMHAUS
+if sed -i "s|#MS_WhiteList /etc/spamhaus.wl|MS_WhiteList $SPAMHAUS|g" /etc/apache2/mods-enabled/spamhaus.conf
+then
+ print_text_in_color "$IGreen" "Security added!"
+ restart_webserver
+fi
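Review bot: The mod_evasive configuration written by the first heredoc ends with a bare `DOSLogDir` and puts `#` comments after the directive values. Apache does not allow a comment on the same line as a directive, so this file is likely to be rejected or misread once it is loaded. The directory created just above, `/var/log/apache2/evasive`, looks like the intended log path, and the explanations belong on their own lines, as in the block below. Separately, the Spamhaus section after `exit` is dead code today, but its heredoc delimiter is unquoted, so `$URL`, `$line` and `$(date)` expand while the cron script is being written. Its crontab entry also points at `spamhaus_crontab.sh`, while the file created is `spamhaus_cronjob.sh`.

```shell
# … unchanged: package install, log directory creation, [ ! -f "$ENVASIVE" ] guard …
    cat << ENVASIVE > "$ENVASIVE"
DOSHashTableSize 2048
# maximum number of requests for the same page
DOSPageCount 20
# total number of requests for any object by the same client IP on the same listener
DOSSiteCount 300
# interval for the page count threshold
DOSPageInterval 1.0
# interval for the site count threshold
DOSSiteInterval 1.0
# time that a client IP will be blocked for
DOSBlockingPeriod 10.0
DOSLogDir /var/log/apache2/evasive
ENVASIVE
# … unchanged: reqtimeout, exit, disabled Spamhaus section …
```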
diff --git a/static/server_configuration.sh b/static/server_configuration.sh
new file mode 100644
index 00000000..b2d797d9
--- /dev/null
+++ b/static/server_configuration.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# Use local lib file in case there is no internet connection
+if [ -f /var/scripts/lib.sh ]
+then
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+source /var/scripts/lib.sh
+ # If we have internet, then use the latest variables from the lib remote file
+elif printf "Testing internet connection..." && ping github.com -c 2
+then
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+else
+ printf "You don't seem to have a working internet connection, and /var/scripts/lib.sh is missing so you can't run this script."
+ printf "Please report this to https://github.com/nextcloud/vm/issues/"
+ exit 1
+fi
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+# Server configurations
+choice=$(whiptail --title "Server configurations" --checklist "Choose what you want to configure\nSelect by pressing the spacebar\nYou can view this menu later by running 'sudo bash $SCRIPTS/menu.sh'" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"Activate TLS" "(Enable HTTPS with Let's Encrypt)" ON \
+"Security" "(Add extra security based on this http://goo.gl/gEJHi7)" OFF \
+"Static IP" "(Set static IP in Ubuntu with netplan.io)" OFF \
+"Disk Check" "(Check for S.M.A.R.T errors on your disks every week on Mondays)" OFF \
+"Automatic updates" "(Automatically update your server every week on Sundays)" OFF 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ *"Disk Check"*)
+ clear
+ run_script ADDONS smartctl
+ ;;&
+ *"Security"*)
+ clear
+ run_script STATIC security
+ ;;&
+ *"Static IP"*)
+ clear
+ run_script STATIC static_ip
+ ;;&
+ *"Automatic updates"*)
+ clear
+ run_script STATIC automatic_updates
+ ;;&
+ *"Activate TLS"*)
+ clear
+msg_box "The following script will install a trusted
+TLS certificate through Let's Encrypt.
+It's recommended to use TLS (https) together with Nextcloud.
+Please open port 80 and 443 to this servers IP before you continue.
+More information can be found here:
+https://www.techandme.se/open-port-80-443/"
+
+ if [[ "yes" == $(ask_yes_or_no "Do you want to install TLS?") ]]
+ then
+ if [ -f $SCRIPTS/activate-tls.sh ]
+ then
+ bash $SCRIPTS/activate-tls.sh
+ else
+ download_script LETS_ENC activate-tls
+ bash $SCRIPTS/activate-tls.sh
+ fi
+ else
+ echo
+ print_text_in_color "$ICyan" "OK, but if you want to run it later, just type: sudo bash $SCRIPTS/activate-tls.sh"
+ any_key "Press any key to continue..."
+ fi
+
+ # Just make sure they are gone
+ rm -f "$SCRIPTS/test-new-config.sh"
+ rm -f "$SCRIPTS/activate-tls.sh"
+ clear
+ ;;&
+ *)
+ ;;
+esac
+exit
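Review bot: In the "Activate TLS" arm, `$SCRIPTS` is unquoted in `[ -f $SCRIPTS/activate-tls.sh ]` and in both `bash $SCRIPTS/activate-tls.sh` calls, and the outcome of `download_script LETS_ENC activate-tls` is not checked before the file is run as root. The two branches differ only in the download, so they can collapse to `[ -f "$SCRIPTS/activate-tls.sh" ] || download_script LETS_ENC activate-tls` followed by `[ -f "$SCRIPTS/activate-tls.sh" ] && bash "$SCRIPTS/activate-tls.sh"`. How `download_script` behaves on failure is defined in lib.sh, outside this diff, so the second test is a guard rather than a confirmed fix. The checklist is also given a list height of `4` while it offers five entries.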
diff --git a/static/setup_secure_permissions_nextcloud.sh b/static/setup_secure_permissions_nextcloud.sh
new file mode 100644
index 00000000..1e81a53a
--- /dev/null
+++ b/static/setup_secure_permissions_nextcloud.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059,2012
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+htuser='www-data'
+htgroup='www-data'
+rootuser='root'
+
+# Only check for existing datadir if Nextcloud is installed
+if [ -f "$NCPATH"/config/config.php ]
+then
+ NCDATA="$(grep 'datadir' "$NCPATH"/config/config.php | awk '{print $3}' | cut -d "'" -f2)"
+fi
+
+print_text_in_color "$IGreen" "Setting secure permissions..."
+print_text_in_color "$ICyan" "Creating possible missing Directories"
+mkdir -p "$NCPATH"/data
+mkdir -p "$NCPATH"/updater
+mkdir -p "$VMLOGS"
+mkdir -p "$NCDATA"
+
+if ! [ -f "$VMLOGS/nextcloud.log" ]
+then
+ touch "$VMLOGS/nextcloud.log"
+fi
+
+if ! [ -f "$VMLOGS/audit.log" ]
+then
+ touch "$VMLOGS/audit.log"
+fi
+
+print_text_in_color "$ICyan" "chmod Files and Directories"
+find "${NCPATH}"/ -type f -print0 | xargs -0 chmod 0640
+find "${VMLOGS}"/audit.log -type f -print0 | xargs -0 chmod 0640
+find "${NCPATH}"/ -type d -print0 | xargs -0 chmod 0750
+find "${VMLOGS}"/ -type d -print0 | xargs -0 chmod 0750
+find "${VMLOGS}"/nextcloud.log -type f -print0 | xargs -0 chmod 0640
+
+print_text_in_color "$ICyan" "chown Directories"
+chown "${htuser}":"${htgroup}" "${VMLOGS}"/
+chown "${htuser}":"${htgroup}" "${VMLOGS}"/nextcloud.log
+chown "${htuser}":"${htgroup}" "${VMLOGS}"/audit.log
+chown -R "${rootuser}":"${htgroup}" "${NCPATH}"/
+chown -R "${htuser}":"${htgroup}" "${NCPATH}"/apps/
+chown -R "${htuser}":"${htgroup}" "${NCPATH}"/config/
+chown -R "${htuser}":"${htgroup}" "${NCPATH}"/themes/
+chown -R "${htuser}":"${htgroup}" "${NCPATH}"/updater/
+if ! [ "$(ls -ld "${NCDATA}" | awk '{print$3$4}')" == "${htuser}""${htgroup}" ]
+then
+ chown -R "${htuser}":"${htgroup}" "${NCDATA}"/
+fi
+
+chmod +x "${NCPATH}"/occ
+
+print_text_in_color "$ICyan" "chmod/chown .htaccess"
+if [ -f "${NCPATH}"/.htaccess ]
+then
+ chmod 0644 "${NCPATH}"/.htaccess
+ chown "${rootuser}":"${htgroup}" "${NCPATH}"/.htaccess
+fi
+if [ -f "${NCDATA}"/.htaccess ]
+then
+ chmod 0644 "${NCDATA}"/.htaccess
+ chown "${rootuser}":"${htgroup}" "${NCDATA}"/.htaccess
+fi
+
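Review bot: Nothing checks that `NCPATH`, `NCDATA` and `VMLOGS` are non-empty before the recursive `find … | xargs -0 chmod` and `chown -R` calls, and with an empty value `"${NCPATH}"/` and `"${NCDATA}"/` both expand to `/`. `NCDATA` is reassigned from a `grep 'datadir'` over config.php that can return nothing or several lines. The other two presumably come from the sourced lib.sh, whose download is not verified. A guard right after the `NCDATA` assignment, such as `: "${NCPATH:?}" "${NCDATA:?}" "${VMLOGS:?}"`, stops the script before any permission is changed. The `ls -ld … | awk` ownership test could also be `stat -c '%U%G' "$NCDATA"`, which would make the SC2012 suppression unnecessary.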
diff --git a/static/temporary-fix.sh b/static/temporary-fix.sh
new file mode 100644
index 00000000..a84589b7
--- /dev/null
+++ b/static/temporary-fix.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+exit
diff --git a/static/update.sh b/static/update.sh
new file mode 100644
index 00000000..d14aa8bd
--- /dev/null
+++ b/static/update.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Must be root
+root_check
+
+mkdir -p "$SCRIPTS"
+
+if [ "${1}" = "minor" ]
+then
+ echo "$((NCMAJOR-1))" > /tmp/minor.version
+elif [ "${1}" = "beta" ]
+then
+ echo "beta" > /tmp/prerelease.version
+elif [[ "${1}" == *"RC"* ]]
+then
+ echo "${1}" > /tmp/prerelease.version
+fi
+
+# Delete, download, run
+run_script GITHUB_REPO nextcloud_update
+
+exit
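Review bot: The version markers are written as root to fixed names in `/tmp` (`/tmp/minor.version`, `/tmp/prerelease.version`), which any local account can write to. Those names can therefore be created in advance by someone else, and the update step then reads content this script did not choose. Kernel link protections reduce the risk on many systems, but a directory only root can write to is simpler, e.g. `echo "$((NCMAJOR-1))" > "$SCRIPTS/minor.version"` if `$SCRIPTS` is root-owned. The reader of these files is nextcloud_update, which is not part of this hunk and would need the same path change. `$((NCMAJOR-1))` also evaluates to `-1` when `NCMAJOR` is empty, so `: "${NCMAJOR:?}"` before the first branch would be useful.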
diff --git a/static/updatenotification.sh b/static/updatenotification.sh
new file mode 100644
index 00000000..f8b4c0b5
--- /dev/null
+++ b/static/updatenotification.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+print_text_in_color "$ICyan" "Checking for new Nextcloud version..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+NCMIN=$(curl -s -m 900 $NCREPO/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | sort --version-sort | grep "${CURRENTVERSION%%.*}" | tail -1)
+REPORTEDMAJ="$CURRENTVERSION"
+REPORTEDMIN="$CURRENTVERSION"
+
+if [ "$CURRENTVERSION" == "$NCVERSION" ] && [ "$CURRENTVERSION" == "$NCMIN" ]
+then
+ print_text_in_color "$IGreen" "You already run the latest version! ($NCVERSION)"
+ exit
+fi
+
+if [ "$REPORTEDMAJ" == "$NCVERSION" ] && [ "$REPORTEDMIN" == "$NCMIN" ]
+then
+ print_text_in_color "$ICyan" "The notification regarding the new Nextcloud update has been already reported!"
+ exit
+fi
+
+if [ "$NCVERSION" == "$NCMIN" ] && version_gt "$NCMIN" "$REPORTEDMIN" && version_gt "$NCMIN" "$CURRENTVERSION"
+then
+ sed -i "s|^REPORTEDMAJ.*|REPORTEDMAJ=$NCVERSION|" $SCRIPTS/updatenotification.sh
+ sed -i "s|^REPORTEDMIN.*|REPORTEDMIN=$NCMIN|" $SCRIPTS/updatenotification.sh
+ if crontab -l -u root | grep -q $SCRIPTS/update.sh
+ then
+ notify_admin_gui \
+ "New minor Nextcloud Update!" \
+ "Nextcloud $NCMIN just became available. Since you are running Automatic Updates on Saturdays at $AUT_UPDATES_TIME:00, you don't need to bother about updating the server to minor Nextcloud versions manually, as that's already taken care of."
+ else
+ notify_admin_gui \
+ "New minor Nextcloud Update!" \
+ "Nextcloud $NCMIN just became available. Please run 'sudo bash /var/scripts/update.sh minor' from your CLI to update your server to Nextcloud $NCMIN."
+ fi
+ exit
+fi
+
+if version_gt "$NCMIN" "$REPORTEDMIN" && version_gt "$NCMIN" "$CURRENTVERSION"
+then
+ sed -i "s|^REPORTEDMIN.*|REPORTEDMIN=$NCMIN|" $SCRIPTS/updatenotification.sh
+ if crontab -l -u root | grep -q $SCRIPTS/update.sh
+ then
+ notify_admin_gui \
+ "New minor Nextcloud Update!" \
+ "Nextcloud $NCMIN just became available. Since you are running Automatic Updates on Saturdays at $AUT_UPDATES_TIME:00, you don't need to bother about updating the server to minor Nextcloud versions manually, as that's already taken care of."
+ else
+ notify_admin_gui \
+ "New minor Nextcloud Update!" \
+ "Nextcloud $NCMIN just became available. Please run 'sudo bash /var/scripts/update.sh minor' from your CLI to update your server to Nextcloud $NCMIN."
+ fi
+fi
+
+if version_gt "$NCVERSION" "$REPORTEDMAJ" && version_gt "$NCVERSION" "$CURRENTVERSION"
+then
+ sed -i "s|^REPORTEDMAJ.*|REPORTEDMAJ=$NCVERSION|" $SCRIPTS/updatenotification.sh
+ notify_admin_gui \
+ "New major Nextcloud Update!" \
+ "Nextcloud $NCVERSION just became available. Please run 'sudo bash /var/scripts/update.sh' from your CLI to update your server to Nextcloud $NCVERSION."
+fi
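Review bot: `NCMIN` is scraped from the HTML at `$NCREPO` with a pattern that accepts any characters except `"`, and is then interpolated into `sed -i "s|^REPORTEDMIN.*|REPORTEDMIN=$NCMIN|"` against this script itself, which is run as root. The value should be confirmed to be a plain version string before any use, e.g. `[[ $NCMIN =~ ^[0-9]+(\.[0-9]+)+$ ]] || exit 1` right after the assignment. The same applies to `NCVERSION` if it is also derived from remote data; it is set in lib.sh, which is not shown here. The `grep "${CURRENTVERSION%%.*}"` filter is unanchored, so a major of `18` also matches `19.0.18`; `grep "^${CURRENTVERSION%%.*}\."` keeps it to the current major. `$SCRIPTS` is unquoted in the `sed -i` and `grep -q` calls.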
diff --git a/static/zfs-prune-snapshots.sh b/static/zfs-prune-snapshots.sh
new file mode 100644
index 00000000..beaf2ec5
--- /dev/null
+++ b/static/zfs-prune-snapshots.sh
@@ -0,0 +1,186 @@
+#!/usr/bin/env bash
+#
+# script to prune zfs snapshots over a given age
+#
+# Author: Dave Eddy <dave@daveeddy.com>
+# Date: November 20, 2015
+# License: MIT
+# https://raw.githubusercontent.com/bahamas10/zfs-prune-snapshots/master/zfs-prune-snapshots
+
+VERSION='v1.1.0'
+
+usage() {
+ local prog=${0##*/}
+ cat <<-EOF
+ usage: $prog [-hnv] [-p <prefix>] [-s <suffix>] <time> [[dataset1] ...]
+
+ remove snapshots from one or more zpools that match given criteria
+
+ examples
+ # $prog 1w
+ remove snapshots older than a week across all zpools
+
+ # $prog -vn 1w
+ same as above, but with increased verbosity and without
+ actually deleting any snapshots (dry-run)
+
+ # $prog 3w tank1 tank2/backup
+ remove snapshots older than 3 weeks on tank1 and tank2/backup.
+ note that this script will recurse through *all* of tank1 and
+ *all* datasets below tank2/backup
+
+ # $prog -p 'autosnap_' 1M zones
+ remove snapshots older than a month on the zones pool that start
+ with the string "autosnap_"
+
+ # $prog -s '_frequent' 2M tank
+ remove snapshots older than two months on the tank pool that end
+ with the string "_frequent"
+
+ timespec
+ the first argument denotes how old a snapshot must be for it to
+ be considered for deletion - possible specifiers are
+
+ s seconds
+ m minutes
+ h hours
+ d days
+ w weeks
+ M months
+ y years
+
+ options
+ -h print this message and exit
+ -n dry-run, don't actually delete snapshots
+ -p <prefix> snapshot prefix string to match
+ -s <suffix> snapshot suffix string to match
+ -q quiet, do not printout removed snapshots
+ -v increase verbosity
+ -V print the version number and exit
+ EOF
+}
+
+debug() {
+ ((verbosity >= 1)) && echo "$@"
+ return 0
+}
+
+# given a time in seconds, return the "human readable" string
+human() {
+ local seconds=$1
+ if ((seconds < 0)); then
+ ((seconds *= -1))
+ fi
+
+ local times=(
+ $((seconds / 60 / 60 / 24 / 365)) # years
+ $((seconds / 60 / 60 / 24 / 30)) # months
+ $((seconds / 60 / 60 / 24 / 7)) # weeks
+ $((seconds / 60 / 60 / 24)) # days
+ $((seconds / 60 / 60)) # hours
+ $((seconds / 60)) # minutes
+ $((seconds)) # seconds
+ )
+ local names=(year month week day hour minute second)
+
+ local i
+ for ((i = 0; i < ${#names[@]}; i++)); do
+ if ((${times[$i]} > 1)); then
+ echo "${times[$i]} ${names[$i]}s"
+ return
+ elif ((${times[$i]} == 1)); then
+ echo "${times[$i]} ${names[$i]}"
+ return
+ fi
+ done
+ echo '0 seconds'
+}
+
+dryrun=false
+verbosity=0
+prefix=
+suffix=
+quiet=false
+while getopts 'hnqp:s:vV' option; do
+ case "$option" in
+ h) usage; exit 0;;
+ n) dryrun=true;;
+ p) prefix=$OPTARG;;
+ s) suffix=$OPTARG;;
+ q) quiet=true;;
+ v) ((verbosity++));;
+ V) echo "$VERSION"; exit 0;;
+ *) usage; exit 1;;
+ esac
+done
+shift "$((OPTIND - 1))"
+
+# extract the first argument - the timespec - and
+# convert it to seconds
+t=$1
+time_re='^([0-9]+)([smhdwMy])$'
+seconds=
+if [[ $t =~ $time_re ]]; then
+ # ex: "21d" becomes num=21 spec=d
+ num=${BASH_REMATCH[1]}
+ spec=${BASH_REMATCH[2]}
+
+ case "$spec" in
+ s) seconds=$((num));;
+ m) seconds=$((num * 60));;
+ h) seconds=$((num * 60 * 60));;
+ d) seconds=$((num * 60 * 60 * 24));;
+ w) seconds=$((num * 60 * 60 * 24 * 7));;
+ M) seconds=$((num * 60 * 60 * 24 * 30));;
+ y) seconds=$((num * 60 * 60 * 24 * 365));;
+ *) echo "error: unknown spec '$spec'" >&2; exit 1;;
+ esac
+elif [[ -z $t ]]; then
+ echo 'error: timespec must be specified as the first argument' >&2
+ exit 1
+else
+ echo "error: failed to parse timespec '$t'" >&2
+ exit 1
+fi
+
+shift
+pools=("$@")
+
+now=$(date +%s)
+code=0
+while read -r creation snapshot; do
+ # ensure optional prefix matches
+ snapname=${snapshot#*@}
+ if [[ -n $prefix && $prefix != "${snapname:0:${#prefix}}" ]]; then
+ debug "skipping $snapshot: doesn't match prefix $prefix"
+ continue
+ fi
+
+ # ensure optional suffix matches
+ if [[ -n $suffix && $suffix != "${snapname: -${#suffix}}" ]]; then
+ debug "skipping $snapshot: doesn't match suffix $suffix"
+ continue
+ fi
+
+ # ensure snapshot is older than the cutoff time
+ delta=$((now - creation))
+ human=$(human "$delta")
+ if ((delta <= seconds)); then
+ debug "skipping $snapshot: $human old"
+ continue
+ fi
+
+ # remove the snapshot
+ if ! $quiet || $dryrun; then
+ echo -n "removing $snapshot: $human old"
+ fi
+ if $dryrun; then
+ echo ' <dry-run: no action taken>'
+ else
+ if ! $quiet; then
+ echo
+ fi
+ zfs destroy "$snapshot" || code=1
+ fi
+done < <(zfs list -Hpo creation,name -t snapshot -r "${pools[@]}")
+exit "$code"