Initial Clone

2019-11-14 19:36:04 -06:00
parent 1051826ba8
commit ac7cd93dfe
48 changed files with 7742 additions and 19 deletions

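--- a/apps/adminer.sh
+++ b/apps/adminer.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+print_text_in_color "$ICyan" "Installing and securing Adminer..."
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+# Check if root
+root_check
+# Warn user about HTTP/2
+http2_warn Adminer
+# Check that the script can see the external IP (apache fails otherwise)
+if [ -z "$WANIP4" ]
+then
+print_text_in_color "$IRed" "WANIP4 is an emtpy value, Apache will fail on reboot due to this. Please check your network and try again."
+sleep 3
+exit 1
+fi
+# Check distrobution and version
+check_distro_version
+# Install Adminer
+apt update -q4 & spinner_loading
+install_if_not adminer
+curl_to_dir "http://www.adminer.org" "latest.php" "$ADMINERDIR"
+ln -s "$ADMINERDIR"/latest.php "$ADMINERDIR"/adminer.php
+cat << ADMINER_CREATE > "$ADMINER_CONF"
+Alias /adminer.php $ADMINERDIR/adminer.php
+<Directory $ADMINERDIR>
+<IfModule mod_dir.c>
+DirectoryIndex adminer.php
+</IfModule>
+AllowOverride None
+# Only allow connections from localhost:
+Require ip $GATEWAY/24
+</Directory>
+ADMINER_CREATE
+# Enable config
+check_command a2enconf adminer.conf
+if ! restart_webserver
+then
+msg_box "Apache2 could not restart...
+The script will exit."
+exit 1
+else
+msg_box "Adminer was sucessfully installed and can be reached here:
+http://$ADDRESS/adminer.php
+You can download more plugins and get more information here:
+https://www.adminer.org
+Your PostgreSQL connection information can be found in $NCPATH/config/config.php
+In case you try to access Adminer and get 'Forbidden' you need to change the IP in:
+$ADMINER_CONF"
+fi
+exit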
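Review bot: Adminer's PHP source is fetched over cleartext HTTP, `curl_to_dir "http://www.adminer.org" "latest.php" "$ADMINERDIR"`, and then served by Apache with database credentials, so anything on the network path can substitute the file; change it to `curl_to_dir "https://www.adminer.org" "latest.php" "$ADMINERDIR"` and, if curl_to_dir can take one, verify a published checksum. The comment `# Only allow connections from localhost:` above `Require ip $GATEWAY/24` does not describe the directive, which admits the whole /24 around the gateway; either reword it to `# Only allow connections from the local /24:` or use `Require local` if localhost is really what is meant. The sourcing line `. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` is shared by collabora.sh, fail2ban.sh, fulltextsearch.sh, netdata.sh, onlyoffice.sh, previewgenerator.sh, spreedme.sh and talk.sh in this commit: `-s` without `-f` means a failed download sources nothing and the script continues with undefined helpers, and pulling unpinned master with no integrity check means every script trusts whatever that URL serves at run time, so at minimum add `-f` and pin a tag or commit.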

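--- a/apps/collabora.sh
+++ b/apps/collabora.sh
@@ -0,0 +1,208 @@
+#!/bin/bash
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 && COLLABORA_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+unset COLLABORA_INSTALL
+print_text_in_color "$ICyan" "Installing Collabora..."
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+# Check if root
+root_check
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 Collabora
+cpu_check 2 Collabora
+# Notification
+msg_box "Before you start, please make sure that port 80+443 is directly forwarded to this machine!"
+# Get the latest packages
+apt update -q4 & spinner_loading
+# Check if Nextcloud is installed
+print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
+if ! curl -s https://"${NCDOMAIN//\\/}"/status.php | grep -q 'installed":true'
+then
+msg_box "It seems like Nextcloud is not installed or that you don't use https on:
+${NCDOMAIN//\\/}.
+Please install Nextcloud and make sure your domain is reachable, or activate SSL
+on your domain to be able to run this script.
+If you use the Nextcloud VM you can use the Let's Encrypt script to get SSL and activate your Nextcloud domain.
+When SSL is activated, run these commands from your terminal:
+sudo curl -sLO $APP/collabora.sh
+sudo bash collabora.sh"
+exit 1
+fi
+# Check if $SUBDOMAIN exists and is reachable
+print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
+domain_check_200 "$SUBDOMAIN"
+# Check open ports with NMAP
+check_open_port 80 "$SUBDOMAIN"
+check_open_port 443 "$SUBDOMAIN"
+# Install Docker
+install_docker
+# Check if OnlyOffice or Collabora is previously installed
+# If yes, then stop and prune the docker container
+docker_prune_this 'collabora/code'
+docker_prune_this 'onlyoffice/documentserver'
+# Disable RichDocuments (Collabora App) if activated
+if [ -d "$NC_APPS_PATH"/richdocuments ]
+then
+occ_command app:remove richdocuments
+fi
+# Disable OnlyOffice (Collabora App) if activated
+if [ -d "$NC_APPS_PATH"/onlyoffice ]
+then
+occ_command app:remove onlyoffice
+fi
+# Install Collabora docker
+docker pull collabora/code:latest
+docker run -t -d -p 127.0.0.1:9980:9980 -e "domain=$NCDOMAIN" --restart always --name code --cap-add MKNOD collabora/code
+# Install Apache2
+install_if_not apache2
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+if [ -f "$HTTPS_CONF" ]
+then
+a2dissite "$SUBDOMAIN.conf"
+rm -f "$HTTPS_CONF"
+fi
+# Create Vhost for Collabora online in Apache2
+if [ ! -f "$HTTPS_CONF" ];
+then
+cat << HTTPS_CREATE > "$HTTPS_CONF"
+<VirtualHost *:443>
+ServerName $SUBDOMAIN:443
+<Directory /var/www>
+Options -Indexes
+</Directory>
+# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
+SSLEngine on
+SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+SSLOpenSSLConfCmd DHParameters $DHPARAMS
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLHonorCipherOrder on
+SSLCompression off
+# Encoded slashes need to be allowed
+AllowEncodedSlashes NoDecode
+# Container uses a unique non-signed certificate
+SSLProxyEngine On
+SSLProxyVerify None
+SSLProxyCheckPeerCN Off
+SSLProxyCheckPeerName Off
+# keep the host
+ProxyPreserveHost On
+# static html, js, images, etc. served from loolwsd
+# loleaflet is the client part of LibreOffice Online
+ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
+ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
+# WOPI discovery URL
+ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
+ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
+# Main websocket
+ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/\$1/ws nocanon
+# Admin Console websocket
+ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
+# Download as, Fullscreen presentation and Image upload operations
+ProxyPass /lool https://127.0.0.1:9980/lool
+ProxyPassReverse /lool https://127.0.0.1:9980/lool
+</VirtualHost>
+HTTPS_CREATE
+if [ -f "$HTTPS_CONF" ];
+then
+print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+sleep 1
+else
+print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+exit 1
+fi
+fi
+# Install certbot (Let's Encrypt)
+install_certbot
+# Generate certs
+if le_subdomain
+then
+# Generate DHparams chifer
+if [ ! -f "$DHPARAMS" ]
+then
+openssl dhparam -dsaparam -out "$DHPARAMS" 4096
+fi
+printf "%b" "${IGreen}Certs are generated!\n${Color_Off}"
+a2ensite "$SUBDOMAIN.conf"
+restart_webserver
+# Install Collabora App
+occ_command app:install richdocuments
+else
+print_text_in_color "$IRed" "It seems like no certs were generated, please report this issue here: $ISSUES"
+any_key "Press any key to continue... "
+restart_webserver
+fi
+# Set config for RichDocuments (Collabora App)
+if [ -d "$NC_APPS_PATH"/richdocuments ]
+then
+occ_command config:app:set richdocuments wopi_url --value=https://"$SUBDOMAIN"
+chown -R www-data:www-data "$NC_APPS_PATH"
+occ_command config:system:set trusted_domains 3 --value="$SUBDOMAIN"
+# Add prune command
+{
+echo "#!/bin/bash"
+echo "docker system prune -a --force"
+echo "exit"
+} > "$SCRIPTS/dockerprune.sh"
+chmod a+x "$SCRIPTS/dockerprune.sh"
+crontab -u root -l | { cat; echo "@weekly $SCRIPTS/dockerprune.sh"; } | crontab -u root -
+print_text_in_color "$ICyan" "Docker automatic prune job added."
+service docker restart
+docker restart code
+print_text_in_color "$IGreen" "Collabora is now successfully installed."
+any_key "Press any key to continue... "
+fi
+exit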
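Review bot: The vhost's `SSLProtocol all -SSLv2 -SSLv3` still enables TLS 1.0 and 1.1, and the `SSLCipherSuite` list carries 3DES entries (`ECDHE-ECDSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) plus plain-RSA key exchange suites with no forward secrecy; the identical block is written by apps/onlyoffice.sh. Change the protocol line to `SSLProtocol -all +TLSv1.2` (adding `+TLSv1.3` where the Apache build supports it) and cut the suite list down to the ECDHE/DHE AEAD entries at its head. `docker run ... -e "domain=$NCDOMAIN"` passes the raw variable while the status check above uses `${NCDOMAIN//\\/}`, which suggests NCDOMAIN may carry escaped dots; worth confirming which form the container expects. `occ_command config:system:set trusted_domains 3 --value="$SUBDOMAIN"` overwrites whatever already sits at index 3 rather than appending, so an existing trusted domain can be silently dropped.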

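--- a/apps/fail2ban.sh
+++ b/apps/fail2ban.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+# Inspired by https://github.com/nextcloud/nextcloudpi/blob/master/etc/nextcloudpi-config.d/fail2ban.sh
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+print_text_in_color "$ICyan" "Installing Fail2ban..."
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+# Check if root
+root_check
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+### Local variables ###
+# location of Nextcloud logs
+NCLOG="$(find / -name nextcloud.log)"
+# time to ban an IP that exceeded attempts
+BANTIME_=600000
+# cooldown time for incorrect passwords
+FINDTIME_=1800
+# failed attempts before banning an IP
+MAXRETRY_=20
+apt update -q4 & spinner_loading
+check_command apt install fail2ban -y
+check_command update-rc.d fail2ban disable
+if [ -z "$NCLOG" ]
+then
+print_text_in_color "$IRed" "nextcloud.log not found"
+print_text_in_color "$IRed" "Please add your logpath to $NCPATH/config/config.php and restart this script."
+exit 1
+else
+chown www-data:www-data "$NCLOG"
+fi
+# Set values in config.php
+occ_command config:system:set loglevel --value=2
+occ_command config:system:set log_type --value=file
+occ_command config:system:set logfile --value="$NCLOG"
+occ_command config:system:set logtimezone --value="$(cat /etc/timezone)"
+# Create nextcloud.conf file
+cat << NCONF > /etc/fail2ban/filter.d/nextcloud.conf
+[Definition]
+failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
+^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
+^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*\$
+NCONF
+# Disable default Debian sshd chain
+check_command sed -i "s|true|false|g" /etc/fail2ban/jail.d/defaults-debian.conf
+# Create jail.local file
+cat << FCONF > /etc/fail2ban/jail.local
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+[DEFAULT]
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
+# "bantime" is the number of seconds that a host is banned.
+bantime = $BANTIME_
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = $FINDTIME_
+maxretry = $MAXRETRY_
+#
+# ACTIONS
+#
+banaction = iptables-multiport
+protocol = tcp
+chain = INPUT
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action = %(action_)s
+#
+# SSH
+#
+[ssh]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = $MAXRETRY_
+#
+# HTTP servers
+#
+[nextcloud]
+enabled = true
+port = http,https
+filter = nextcloud
+logpath = $NCLOG
+maxretry = $MAXRETRY_
+FCONF
+# Update settings
+check_command update-rc.d fail2ban defaults
+check_command update-rc.d fail2ban enable
+check_command service fail2ban restart
+# The End
+msg_box "Fail2ban is now sucessfully installed.
+Please use 'fail2ban-client set nextcloud unbanip <Banned IP>' to unban certain IPs
+You can also use 'iptables -L -n' to check which IPs that are banned"
+exit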
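Review bot: `NCLOG="$(find / -name nextcloud.log)"` walks the whole filesystem as root, so any local user who can create a file named nextcloud.log (in /tmp, a home directory, a mounted share) has it `chown`ed to www-data and installed as both Nextcloud's `logfile` and fail2ban's `logpath`, and when find matches more than one path the multi-line value breaks the `chown` and the `config:system:set` calls. Read the configured path instead, `NCLOG=$(occ_command config:system:get logfile)`, falling back to the data-directory default the error text on the `nextcloud.log not found` branch already points users to, and at least add `-type f` and take a single result. The `sed -i "s|true|false|g"` over defaults-debian.conf is a blunt edit; a comment such as `# disable every jail Debian enables by default; we define our own below` would make the intent clear to the next reader.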

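--- a/apps/fulltextsearch.sh
+++ b/apps/fulltextsearch.sh
@@ -0,0 +1,133 @@
+#!/bin/bash
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+# SwITNet Ltd © - 2019, https://switnet.net/
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 && ES_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+unset ES_INSTALL
+print_text_in_color "$ICyan" "Installing Elastic Search & Full Text Search on Nextcloud..."
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+# Must be root
+root_check
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+# Make sure there is an Nextcloud installation
+if ! [ "$(occ_command -V)" ]
+then
+msg_box "It seems there is no Nextcloud server installed, please check your installation."
+exit 1
+fi
+# Disable and remove Nextant + Solr
+if [ -d "$NC_APPS_PATH"/nextant ]
+then
+# Remove Nextant
+msg_box "We will now remove Nextant + Solr and replace it with Full Text Search"
+occ_command app:disable nextant
+rm -rf $NC_APPS_PATH/nextant
+# Remove Solr
+service solr stop
+rm -rf /var/solr
+rm -rf /opt/solr*
+rm /etc/init.d/solr
+deluser --remove-home solr
+deluser --group solr
+fi
+# Reset Full Text Search to be able to index again, and also remove the app to be able to install it again
+if [ -d $NC_APPS_PATH/fulltextsearch ]
+then
+print_text_in_color "$ICyan" "Removing old version of Full Text Search and resetting the app..."
+sudo -u www-data php $NCPATH/occ fulltextsearch:reset
+occ_command app:disable fulltextsearch
+rm -rf $NC_APPS_PATH/fulltextsearch
+fi
+if [ -d $NC_APPS_PATH/fulltextsearch_elasticsearch ]
+then
+occ_command app:disable fulltextsearch_elasticsearch
+rm -rf $NC_APPS_PATH/fulltextsearch_elasticsearch
+fi
+if [ -d $NC_APPS_PATH/files_fulltextsearch ]
+then
+occ_command app:disable files_fulltextsearch
+rm -rf $NC_APPS_PATH/files_fulltextsearch
+fi
+# Check & install docker
+install_docker
+set_max_count
+mkdir -p "$RORDIR"
+if does_this_docker_exist "$nc_fts"
+then
+docker_prune_this "$nc_fts"
+else
+docker pull "$nc_fts"
+fi
+# Create configuration YML
+cat << YML_CREATE > /opt/es/readonlyrest.yml
+readonlyrest:
+access_control_rules:
+- name: Accept requests from cloud1 on $INDEX_USER-index
+groups: ["cloud1"]
+indices: ["$INDEX_USER-index"]
+users:
+- username: $INDEX_USER
+auth_key: $INDEX_USER:$ROREST
+groups: ["cloud1"]
+YML_CREATE
+# Set persmissions
+chown 1000:1000 -R $RORDIR
+chmod ug+rwx -R $RORDIR
+# Run Elastic Search Docker
+docker run -d --restart always \
+--name $fts_es_name \
+--ulimit memlock=-1:-1 \
+--ulimit nofile=65536:65536 \
+-p 9200:9200 \
+-p 9300:9300 \
+-v esdata:/usr/share/elasticsearch/data \
+-v /opt/es/readonlyrest.yml:/usr/share/elasticsearch/config/readonlyrest.yml \
+-e "discovery.type=single-node" \
+-e "bootstrap.memory_lock=true" \
+-e ES_JAVA_OPTS="-Xms512M -Xmx512M" \
+-i -t $nc_fts
+# Wait for bootstraping
+docker restart $fts_es_name
+countdown "Waiting for docker bootstraping..." "20"
+docker logs $fts_es_name
+# Get Full Text Search app for nextcloud
+install_and_enable_app fulltextsearch
+install_and_enable_app fulltextsearch_elasticsearch
+install_and_enable_app files_fulltextsearch
+chown -R www-data:www-data $NC_APPS_PATH
+# Final setup
+occ_command fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_ElasticSearch\\Platform\\ElasticSearchPlatform"}'
+occ_command fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://${INDEX_USER}:${ROREST}@localhost:9200\",\"elastic_index\":\"${INDEX_USER}-index\"}"
+occ_command files_fulltextsearch:configure "{\"files_pdf\":\"1\",\"files_office\":\"1\"}"
+if occ_command fulltextsearch:index < /dev/null
+then
+msg_box "Full Text Search was successfully installed!"
+fi
+exit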
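Review bot: The `docker run` publishes Elasticsearch with `-p 9200:9200` and `-p 9300:9300`, binding both on every interface, whereas the collabora.sh and onlyoffice.sh containers in this commit bind to loopback; the ReadonlyREST rule only guards the HTTP API on 9200, and 9300 is the node transport port, which a `discovery.type=single-node` setup never needs exposed. Use `-p 127.0.0.1:9200:9200` and drop the 9300 mapping, since the only consumer is the `elastic_host ... @localhost:9200` URL on the same host. The `rm -rf $NC_APPS_PATH/nextant` family and `chown 1000:1000 -R $RORDIR` use unquoted variables, so with NC_APPS_PATH or RORDIR empty the former becomes `rm -rf /nextant` and the latter recurses from the current directory; write them as `rm -rf "${NC_APPS_PATH:?}/nextant"` and `chown 1000:1000 -R "${RORDIR:?}"`. readonlyrest.yml stores the `$INDEX_USER:$ROREST` credential in cleartext, which is worth a comment at the heredoc so nobody later widens its permissions.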

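--- a/apps/netdata.sh
+++ b/apps/netdata.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+print_text_in_color "$ICyan" "Installing Netdata..."
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+# Download and install Netdata
+if [ -d /etc/netdata ]
+then
+msg_box "Netdata seems to be installed.
+We will now remove Netdata and reinstall the latest stable version"
+# Uninstall
+if [ -f /usr/src/netdata.git/netdata-uninstaller.sh ]
+then
+if ! yes | bash /usr/src/netdata.git/netdata-uninstaller.sh --force
+then
+rm -Rf /usr/src/netdata.git
+fi
+elif [ -f /usr/libexec/netdata-uninstaller.sh ]
+then
+yes | bash /usr/libexec/netdata-uninstaller.sh --yes
+fi
+userdel netdata
+groupdel netdata
+gpasswd -d netdata adm
+gpasswd -d netdata proxy
+# Install
+is_process_running dpkg
+is_process_running apt
+apt update -q4 & spinner_loading
+curl_to_dir https://my-netdata.io kickstart.sh $SCRIPTS
+sudo -u "$UNIXUSER" bash $SCRIPTS/kickstart.sh all --dont-wait --no-updates --stable-channel
+rm -f $SCRIPTS/kickstart.sh
+else
+# Install
+is_process_running dpkg
+is_process_running apt
+apt update -q4 & spinner_loading
+curl_to_dir https://my-netdata.io kickstart.sh $SCRIPTS
+sudo -u "$UNIXUSER" bash $SCRIPTS/kickstart.sh all --dont-wait --no-updates --stable-channel
+rm -f $SCRIPTS/kickstart.sh
+fi
+# Check Netdata instructions after script is done
+any_key "Please check information above and press any key to continue..."
+# Installation done?
+if [ -d /etc/netdata ]
+then
+msg_box "Netdata is now installed and can be accessed from this address:
+http://$ADDRESS:19999
+If you want to reach it from the internet you need to open port 19999 in your firewall.
+If you don't know how to open ports, please follow this guide:
+https://www.techandme.se/open-port-80-443/
+After you have opened the correct port, then you can visit Netdata from your domain:
+http://$(hostname -f):19999 and or http://yourdomanin.com:19999
+You can find more configuration options in their WIKI:
+https://docs.netdata.cloud/daemon/config#configuration-guide"
+# Cleanup
+rm -rf /tmp/netdata*
+fi
+exit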
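Review bot: This script never calls `root_check`, unlike every sibling in this commit, yet it runs `userdel`, `groupdel`, `apt update` and `rm -rf /tmp/netdata*`, which all require root; add `root_check` right after `debug_mode` so a non-root run fails early instead of half-way through the uninstall. The downloaded `kickstart.sh` is executed with `--dont-wait` and no integrity check, and the two install branches are verbatim copies; folding them into one `install_netdata()` function leaves a single place to add a checksum later. The closing message invites users to open port 19999 to the internet, but as far as I know the Netdata dashboard does not authenticate users on its own, so the text should recommend an authenticating reverse proxy or a firewall allow-list rather than a plain port forward.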

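--- a/apps/onlyoffice.sh
+++ b/apps/onlyoffice.sh
@@ -0,0 +1,197 @@
+#!/bin/bash
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 && OO_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+unset OO_INSTALL
+print_text_in_color "$ICyan" "Installing OnlyOffice..."
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+# Check if root
+root_check
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 OnlyOffice
+cpu_check 2 OnlyOffice
+# Notification
+msg_box "Before you start, please make sure that port 80+443 is directly forwarded to this machine!"
+# Get the latest packages
+apt update -q4 & spinner_loading
+# Check if Nextcloud is installed
+print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
+if ! curl -s https://"${NCDOMAIN//\\/}"/status.php | grep -q 'installed":true'
+then
+msg_box "It seems like Nextcloud is not installed or that you don't use https on:
+${NCDOMAIN//\\/}.
+Please install Nextcloud and make sure your domain is reachable, or activate SSL
+on your domain to be able to run this script.
+If you use the Nextcloud VM you can use the Let's Encrypt script to get SSL and activate your Nextcloud domain.
+When SSL is activated, run these commands from your terminal:
+sudo curl -sLO $APP/onlyoffice.sh
+sudo bash onlyoffice.sh"
+exit 1
+fi
+# Check if $SUBDOMAIN exists and is reachable
+print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
+domain_check_200 "$SUBDOMAIN"
+# Check open ports with NMAP
+check_open_port 80 "$SUBDOMAIN"
+check_open_port 443 "$SUBDOMAIN"
+# Install Docker
+install_docker
+# Check if OnlyOffice or Collabora is previously installed
+# If yes, then stop and prune the docker container
+docker_prune_this 'onlyoffice/documentserver'
+docker_prune_this 'collabora/code'
+# Disable RichDocuments (Collabora App) if activated
+if [ -d "$NC_APPS_PATH"/richdocuments ]
+then
+occ_command app:remove richdocuments
+fi
+# Disable OnlyOffice (Collabora App) if activated
+if [ -d "$NC_APPS_PATH"/onlyoffice ]
+then
+occ_command app:remove onlyoffice
+fi
+# Install Onlyoffice docker
+docker pull onlyoffice/documentserver:latest
+docker run -i -t -d -p 127.0.0.3:9090:80 --restart always --name onlyoffice onlyoffice/documentserver
+# Install apache2
+install_if_not apache2
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+if [ -f "$HTTPS_CONF" ]
+then
+a2dissite "$SUBDOMAIN.conf"
+rm -f "$HTTPS_CONF"
+fi
+# Create Vhost for OnlyOffice online in Apache2
+if [ ! -f "$HTTPS_CONF" ];
+then
+cat << HTTPS_CREATE > "$HTTPS_CONF"
+<VirtualHost *:443>
+ServerName $SUBDOMAIN:443
+SSLEngine on
+ServerSignature On
+SSLHonorCipherOrder on
+SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+SSLOpenSSLConfCmd DHParameters $DHPARAMS
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+LogLevel warn
+CustomLog ${APACHE_LOG_DIR}/access.log combined
+ErrorLog ${APACHE_LOG_DIR}/error.log
+# Just in case - see below
+SSLProxyEngine On
+SSLProxyVerify None
+SSLProxyCheckPeerCN Off
+SSLProxyCheckPeerName Off
+# contra mixed content warnings
+RequestHeader set X-Forwarded-Proto "https"
+# basic proxy settings
+ProxyRequests off
+ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.3:9090/$1$2"
+ProxyPass / "http://127.0.0.3:9090/"
+ProxyPassReverse / "http://127.0.0.3:9090/"
+<Location />
+ProxyPassReverse /
+</Location>
+</VirtualHost>
+HTTPS_CREATE
+if [ -f "$HTTPS_CONF" ];
+then
+print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+sleep 1
+else
+print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+exit 1
+fi
+fi
+# Install certbot (Let's Encrypt)
+install_certbot
+# Generate certs
+if le_subdomain
+then
+# Generate DHparams chifer
+if [ ! -f "$DHPARAMS" ]
+then
+openssl dhparam -dsaparam -out "$DHPARAMS" 4096
+fi
+printf "%b" "${IGreen}Certs are generated!\n${Color_Off}"
+a2ensite "$SUBDOMAIN.conf"
+restart_webserver
+# Install OnlyOffice
+occ_command app:install onlyoffice
+else
+print_text_in_color "$IRed" "It seems like no certs were generated, please report this issue here: $ISSUES"
+any_key "Press any key to continue... "
+restart_webserver
+fi
+# Set config for OnlyOffice
+if [ -d "$NC_APPS_PATH"/onlyoffice ]
+then
+occ_command config:app:set onlyoffice DocumentServerUrl --value=https://"$SUBDOMAIN/"
+chown -R www-data:www-data "$NC_APPS_PATH"
+occ_command config:system:set trusted_domains 3 --value="$SUBDOMAIN"
+# Add prune command
+{
+echo "#!/bin/bash"
+echo "docker system prune -a --force"
+echo "exit"
+} > "$SCRIPTS/dockerprune.sh"
+chmod a+x "$SCRIPTS/dockerprune.sh"
+crontab -u root -l | { cat; echo "@weekly $SCRIPTS/dockerprune.sh"; } | crontab -u root -
+print_text_in_color "$ICyan" "Docker automatic prune job added."
+service docker restart
+docker restart onlyoffice
+print_text_in_color "$IGreen" "OnlyOffice is now successfully installed."
+any_key "Press any key to continue... "
+fi
+exit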
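Review bot: The `HTTPS_CREATE` heredoc is unquoted, so in `ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.3:9090/$1$2"` bash expands `$1$2` to the script's positional parameters, which are empty when it is run as `sudo bash onlyoffice.sh` as the usage text above says, and `${APACHE_LOG_DIR}` on the CustomLog/ErrorLog lines expands to whatever is in the script's environment rather than the value Apache gets from its envvars file; the written vhost therefore proxies websockets to `ws://127.0.0.3:9090/` and logs to `/access.log`. The collabora.sh hunk already escapes its back-reference as `\$1`; do the same here with `ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.3:9090/\$1\$2"`, `CustomLog \${APACHE_LOG_DIR}/access.log combined` and `ErrorLog \${APACHE_LOG_DIR}/error.log`. `ServerSignature On` adds server version details to generated error pages and can simply be dropped. The `SSLProtocol` and `SSLCipherSuite` lines carry the same weakness noted on apps/collabora.sh.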

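--- a/apps/previewgenerator.sh
+++ b/apps/previewgenerator.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+# Check if root
+root_check
+msg_box "Please note that this will put your server at risk as it will install a package called 'imagick' which is known to have several flaws.
+You can check this issue to understand why: https://github.com/nextcloud/vm/issues/743
+You can choose to cancel installing this in the next step."
+if [[ "no" == $(ask_yes_or_no "Do you still want to continue?") ]]
+then
+exit
+else
+sleep 1
+fi
+# Install preview generator
+install_and_enable_app previewgenerator
+# Run the first preview generation and add crontab
+if [ -d "$NC_APPS_PATH/previewgenerator" ]
+then
+# Enable previews (remove the # to enable the specific preview)
+occ_command config:system:set enable_previews --value=true --type=boolean
+occ_command config:system:set preview_libreoffice_path --value="/usr/bin/libreoffice"
+# occ_command config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\PNG"
+# occ_command config:system:set enabledPreviewProviders 1 --value="OC\\Preview\\JPEG"
+# occ_command config:system:set enabledPreviewProviders 2 --value="OC\\Preview\\GIF"
+# occ_command config:system:set enabledPreviewProviders 3 --value="OC\\Preview\\BMP"
+# occ_command config:system:set enabledPreviewProviders 4 --value="OC\\Preview\\XBitmap"
+# occ_command config:system:set enabledPreviewProviders 5 --value="OC\\Preview\\MarkDown"
+# occ_command config:system:set enabledPreviewProviders 6 --value="OC\\Preview\\MP3"
+# occ_command config:system:set enabledPreviewProviders 7 --value="OC\\Preview\\TXT"
+# occ_command config:system:set enabledPreviewProviders 8 --value="OC\\Preview\\Illustrator"
+# occ_command config:system:set enabledPreviewProviders 9 --value="OC\\Preview\\Movie"
+# occ_command config:system:set enabledPreviewProviders 10 --value="OC\\Preview\\MSOffice2003"
+# occ_command config:system:set enabledPreviewProviders 11 --value="OC\\Preview\\MSOffice2007"
+# occ_command config:system:set enabledPreviewProviders 12 --value="OC\\Preview\\MSOfficeDoc"
+# occ_command config:system:set enabledPreviewProviders 13 --value="OC\\Preview\\OpenDocument"
+# occ_command config:system:set enabledPreviewProviders 14 --value="OC\\Preview\\PDF"
+# occ_command config:system:set enabledPreviewProviders 15 --value="OC\\Preview\\Photoshop"
+# occ_command config:system:set enabledPreviewProviders 16 --value="OC\\Preview\\Postscript"
+# occ_command config:system:set enabledPreviewProviders 17 --value="OC\\Preview\\StarOffice"
+# occ_command config:system:set enabledPreviewProviders 18 --value="OC\\Preview\\SVG"
+# occ_command config:system:set enabledPreviewProviders 19 --value="OC\\Preview\\TIFF"
+# occ_command config:system:set enabledPreviewProviders 20 --value="OC\\Preview\\Font"
+# Set aspect ratio
+occ_command config:app:set --value="32 64 1024" previewgenerator squareSizes
+occ_command config:app:set --value="64 128 1024" previewgenerator widthSizes
+occ_command config:app:set --value="64 256 1024" previewgenerator heightSizes
+# Add crotab
+crontab -u www-data -l | { cat; echo "@daily php -f $NCPATH/occ preview:pre-generate >> /var/log/previewgenerator.log"; } | crontab -u www-data -
+touch /var/log/previewgenerator.log
+chown www-data:www-data /var/log/previewgenerator.log
+# Install needed dependencies
+install_if_not ffmpeg
+install_if_not libreoffice
+install_if_not php-imagick
+install_if_not libmagickcore-6.q16-3-extra
+# Pre generate everything
+occ_command preview:generate-all
+fi
+exit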
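Review bot: The `crontab -u www-data -l | { cat; echo "@daily php -f $NCPATH/occ preview:pre-generate ..."; } | crontab -u www-data -` line appends a fresh entry on every run, so re-running the script, which the `if [ -d "$NC_APPS_PATH/previewgenerator" ]` path explicitly supports, stacks duplicate daily jobs; guard it the way spreedme.sh guards its Include, e.g. `if ! crontab -u www-data -l 2>/dev/null | grep -Fq 'preview:pre-generate'; then ...; fi`. The same unguarded append exists for the root `dockerprune.sh` job in apps/collabora.sh and apps/onlyoffice.sh. `preview_libreoffice_path` is set before `install_if_not libreoffice` runs, which works but reads backwards; moving the dependency installs above the config block keeps cause before effect and lets a failed install abort before config is touched.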

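--- a/apps/spreedme.sh
+++ b/apps/spreedme.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+print_text_in_color "$ICyan" "Installing Spreed.ME..."
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+# Check if root
+if ! is_root
+then
+printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${ICyan}sudo ${Color_Off}bash %s/nextcloud_install_production.sh\n" "$SCRIPTS"
+exit 1
+fi
+# Check if Nextcloud exists
+root_check
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+# Install if missing
+install_if_not apache2
+install_if_not snapd
+# Install Nextcloud Spreed.ME Snap
+if [ -d "$SNAPDIR" ]
+then
+print_text_in_color "$ICyan" "Spreed.ME Snap already seems to be installed and will now be re-installed..."
+snap remove spreedme
+rm -rf "$SNAPDIR"
+snap install --edge spreedme
+else
+snap install --edge spreedme
+fi
+# Install and activate the Spreed.ME app
+if [ -d "$NC_APPS_PATH/spreedme" ]
+then
+# Remove
+occ_command app:disable spreedme
+print_text_in_color "$ICyan" "Spreed.ME app already seems to be installed and will now be re-installed..."
+rm -R "$NC_APPS_PATH/spreedme"
+# Reinstall
+occ_command app:install spreedme
+else
+occ_command app:install spreedme
+fi
+occ_command app:enable spreedme
+chown -R www-data:www-data "$NC_APPS_PATH"
+# Generate secret keys
+SHAREDSECRET=$(openssl rand -hex 32)
+TEMPLINK=$(openssl rand -hex 32)
+sed -i "s|sharedsecret_secret = .*|sharedsecret_secret = $SHAREDSECRET|g" "$SNAPDIR/current/server.conf"
+# Populate the else empty config file (uses database for content by default)
+cp "$NCPATH/apps/spreedme/config/config.php.in" "$NCPATH/apps/spreedme/config/config.php"
+# Place the key in the NC app config
+sed -i "s|.*SPREED_WEBRTC_SHAREDSECRET.*| const SPREED_WEBRTC_SHAREDSECRET = '$SHAREDSECRET';|g" "$NCPATH/apps/spreedme/config/config.php"
+# Allow to create temporary links
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED.*|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED = true;|g" "$NCPATH/apps/spreedme/config/config.php"
+# Set temporary links hash
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY.*|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY = '$TEMPLINK';|g" "$NCPATH/apps/spreedme/config/config.php"
+# Enable Apache mods
+a2enmod proxy \
+proxy_wstunnel \
+proxy_http \
+headers
+# Add config to vhost
+VHOST=/etc/apache2/spreedme.conf
+if [ ! -f $VHOST ]
+then
+cat << VHOST > "$VHOST"
+<Location /webrtc>
+ProxyPass http://127.0.0.1:8080/webrtc
+ProxyPassReverse /webrtc
+</Location>
+<Location /webrtc/ws>
+ProxyPass ws://127.0.0.1:8080/webrtc/ws
+</Location>
+ProxyVia On
+ProxyPreserveHost On
+RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+# RequestHeader set X-Forwarded-Proto 'https' # Use this if you are behind a (Nginx) reverse proxy with http backends
+VHOST
+fi
+if ! grep -Fxq "Include $VHOST" /etc/apache2/apache2.conf
+then
+sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"
+fi
+# Restart services
+restart_webserver
+if ! systemctl restart snap.spreedme.spreed-webrtc.service
+then
+msg_box "Something is wrong, the installation did not finish correctly.
+Please report this to $ISSUES"
+exit 1
+else
+msg_box "Success! Spreed.ME is now installed and configured.
+You may have to change SPREED_WEBRTC_ORIGIN in:
+(sudo nano) $NCPATH/apps/spreedme/config/config.php"
+exit 0
+fi
+exit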
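Review bot: `sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"` inserts the Include at a hard-coded line number, so on any apache2.conf that differs from the author's it can land inside a `<Directory>` block or ahead of a directive it depends on, and the `grep -Fxq` guard only prevents a second insert, not a misplaced first one; write the snippet to `/etc/apache2/conf-available/spreedme.conf` and enable it with `check_command a2enconf spreedme.conf`, as adminer.sh in this commit already does. `SHAREDSECRET` and `TEMPLINK` are spliced into the `sed` command lines, where they are visible to every local user through the process list for the duration of the call; feeding them through a sed script file created with `mktemp` keeps them off argv. The `is_root` block followed immediately by `root_check` is redundant, and its message names `nextcloud_install_production.sh` rather than this script.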

151
apps/talk.sh Executable file

@@ -0,0 +1,151 @@
#!/bin/bash
# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
# shellcheck disable=2034,2059
true
# shellcheck source=lib.sh
NC_UPDATE=1 && TURN_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
unset NC_UPDATE
unset TURN_INSTALL
print_text_in_color "$ICyan" "Installing Nextcloud Talk..."
# Check for errors + debug code and abort if something isn't right
# 1 = ON
# 0 = OFF
DEBUG=0
debug_mode
# Must be root
root_check
# Nextcloud 13 is required.
lowest_compatible_nc 13
# Check if Nextcloud is installed
print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
if ! curl -s https://"${TURN_DOMAIN//\\/}"/status.php | grep -q 'installed":true'
then
msg_box "It seems like Nextcloud is not installed or that you don't use https on:
${TURN_DOMAIN//\\/}
Please install Nextcloud and make sure your domain is reachable, or activate SSL
on your domain to be able to run this script.
If you use the Nextcloud VM you can use the Let's Encrypt script to get SSL and activate your Nextcloud domain.
When SSL is activated, run these commands from your terminal:
sudo curl -sLO $APP/talk.sh
sudo bash talk.sh"
exit 1
fi
# Let the user choose port. TURN_PORT in msg_box is taken from lib.sh and later changed if user decides to.
NONO_PORTS=(22 25 53 80 443 3306 5432 7983 8983 10000)
msg_box "The default port for Talk used in this script is port $TURN_PORT.
You can read more about that port here: https://www.speedguide.net/port.php?port=$TURN_PORT
You will now be given the option to change this port to something of your own.
Please keep in mind NOT to use the following ports as they are likley to be in use already:
${NONO_PORTS[*]}"
if [[ "yes" == $(ask_yes_or_no "Do you want to change port?") ]]
then
while true
do
# Ask for port
cat << ENTERDOMAIN
+---------------------------------------------------------------+
| Please enter the port you will use for Nextcloud Talk: |
+---------------------------------------------------------------+
ENTERDOMAIN
echo
read -r TURN_PORT
echo
if [[ "yes" == $(ask_yes_or_no "Is this correct? $TURN_PORT") ]]
then
break
fi
done
fi
containsElement () {
local e match="$1"
shift
for e; do [[ "$e" == "$match" ]] && return 0; done
return 1
}
if containsElement "$TURN_PORT" "${NONO_PORTS[@]}"
then
msg_box "You have to choose another port. Please start over."
exit 1
fi
# Install TURN
check_command install_if_not coturn
check_command sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
# Generate $TURN_CONF
cat << TURN_CREATE > "$TURN_CONF"
tls-listening-port=$TURN_PORT
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=$TURN_SECRET
realm=$TURN_DOMAIN
total-quota=100
bps-capacity=0
stale-nonce
cert=$CERTFILES/$TURN_DOMAIN/cert.pem
pkey=$CERTFILES/$TURN_DOMAIN/privkey.pem
dh-file=$CERTFILES/$TURN_DOMAIN/dhparam.pem
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
no-loopback-peers
no-multicast-peers
no-tlsv1
no-tlsv1_1
no-stdout-log
simple-log
log-file=/var/log/turnserver.log
TURN_CREATE
if [ -f "$TURN_CONF" ];
then
print_text_in_color "$IGreen" "$TURN_CONF was successfully created."
else
print_text_in_color "$IRed" "Unable to create $TURN_CONF, exiting..."
print_text_in_color "$IRed" "Please report this issue here $ISSUES"
exit 1
fi
# Restart the TURN server
check_command systemctl restart coturn
# Warn user to open port
msg_box "You have to open $TURN_PORT TCP/UDP in your firewall or your TURN/STUN server won't work!
After you hit OK the script will check for the firewall and eventually exit on failure.
To run again the setup, after fixing your firewall:
sudo -sLO $APP/talk.sh
sudo bash talk.sh"
# Check if the port is open
check_open_port "$TURN_PORT" "$TURN_DOMAIN"
# Enable Spreed (Talk)
STUN_SERVERS_STRING="[\"$TURN_DOMAIN:$TURN_PORT\"]"
TURN_SERVERS_STRING="[{\"server\":\"$TURN_DOMAIN:$TURN_PORT\",\"secret\":\"$TURN_SECRET\",\"protocols\":\"udp,tcp\"}]"
if [ ! -d "$NC_APPS_PATH"/spreed ]
then
install_and_enable_app spreed
occ_command config:app:set spreed stun_servers --value="$STUN_SERVERS_STRING" --output json
occ_command config:app:set spreed turn_servers --value="$TURN_SERVERS_STRING" --output json
chown -R www-data:www-data "$NC_APPS_PATH"
fi
if [ -d "$NC_APPS_PATH"/spreed ]
then
msg_box "Nextcloud Talk is now installed. For more information about Nextcloud Talk and its mobile apps visit:
https://nextcloud.com/talk/"
fi
exit
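Review bot: The port read with `read -r TURN_PORT` is only checked against the NONO_PORTS blocklist, never validated as a number, so an empty or non-numeric answer is written straight into `tls-listening-port=` in $TURN_CONF and into the stun/turn JSON strings, and coturn will fail to start or listen somewhere unintended. Validate inside the loop before asking for confirmation, e.g. `if ! [[ "$TURN_PORT" =~ ^[0-9]+$ ]] || (( TURN_PORT < 1 || TURN_PORT > 65535 )); then print_text_in_color "$IRed" "Please enter a port between 1 and 65535"; continue; fi`. The firewall message also has a typo in the re-run instructions, `sudo -sLO $APP/talk.sh` should read `sudo curl -sLO $APP/talk.sh`, as the earlier message already does. Since the TURN shared secret is placed in $TURN_CONF in clear text, it would be worth stating in a comment on the `cat << TURN_CREATE` line that the file is expected to be readable only by root/turnserver, assuming lib.sh does not already set its mode.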

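--- a/apps/tmbitwarden.sh
+++ b/apps/tmbitwarden.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+print_text_in_color "$ICyan" "Installing Bitwarden password manager..."
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+# Check if root
+root_check
+msg_box "Bitwarden is a password manager that is seperate from Nextcloud, though we provide this service because it's self hosted and secure.
+If you just want to run Bitwarden locally (not connecting your smartphone) then you can use 'localhost' as domain.
+If you on the other hand want to run this on a domain, then please create a DNS record and point it to this server.
+In the process of setting up Bitwarden you will be asked to generate an SSL cert with Let's Enrypt so no need to get your own prior to this setup.
+The script is based on this documentation: https://help.bitwarden.com/article/install-on-premise/
+It's a good idea to read that before you start this script.
+Please also report any issues regarding this script setup to $ISSUES"
+msg_box "The necessary preparations to run expose Bitwarden to the internet are:
+1. The HTTP proxy and HTTPS ports for Bitwarden are 8080 and 8443, please open those ports before running this script.
+2. Please create a DNS record and point that to this server.
+3. Raise the amount of RAM to this server to at least 3 GB."
+if [[ "no" == $(ask_yes_or_no "Have you made the necessary preparations?") ]]
+then
+msg_box "OK, please do the necessary preparations before you run this script and then simply run it again once you're done.
+The script is located at: $SCRIPTS/apps/tmbitwarden.sh"
+exit
+else
+sleep 0.1
+fi
+# Test RAM size (3 GB min) + CPUs (min 2)
+ram_check 3 Bitwarden
+cpu_check 2 Bitwarden
+# Install Docker
+install_docker
+install_if_not docker-compose
+# Stop Apache to not conflict when LE is run
+check_command systemctl stop apache2.service
+# Install Bitwarden
+install_if_not curl
+cd /root
+curl_to_dir "https://raw.githubusercontent.com/bitwarden/core/master/scripts" "bitwarden.sh" "/root"
+chmod +x /root/bitwarden.sh
+check_command ./bitwarden.sh install
+sed -i "s|http_port.*|http_port: 8080|g" /root/bwdata/config.yml
+sed -i "s|https_port.*|https_port: 8443|g" /root/bwdata/config.yml
+check_command ./bitwarden.sh rebuild
+check_command ./bitwarden.sh start
+if check_command ./bitwarden.sh updatedb
+then
+msg_box "Bitwarden was sucessfully installed! Please visit $(grep 'url:' /root/bwdata/config.yml | awk '{print$2}'):8443 to setup your account."
+else
+msg_box "Bitwarden installation failed! We will now remove necessary configs to be able to run this script again"
+rm -rf /root/bwdata/
+fi
+# Start Apache2
+check_command systemctl start apache2.service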
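Review bot: The `cd /root` before the Bitwarden install is unchecked, and every `./bitwarden.sh` call that follows is relative to the working directory, so if the cd fails the script runs whatever `bitwarden.sh` sits in the caller's cwd as root (or nothing at all); change it to `cd /root || exit 1`, or drop the cd and call `/root/bitwarden.sh` by absolute path as the chmod line already does. The `if check_command ./bitwarden.sh updatedb` / `else` branch is also questionable: if check_command aborts the script on failure, as its use as a bare guard elsewhere in this file suggests, the cleanup branch with `rm -rf /root/bwdata/` is unreachable and Apache is never restarted on failure, which would be worth confirming against lib.sh. The installer is fetched from the `master` branch and executed as root without any pinning or checksum; a comment stating that this is deliberate, or a note of the upstream version the script was tested against, would help the next maintainer.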

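--- a/apps/webmin.sh
+++ b/apps/webmin.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+print_text_in_color "$ICyan" "Installing Webmin..."
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+# Check if root
+root_check
+# Install packages for Webmin
+install_if_not apt-transport-https
+install_if_not perl
+install_if_not libnet-ssleay-perl
+install_if_not openssl
+install_if_not libauthen-pam-perl
+install_if_not libpam-runtime
+install_if_not libio-pty-perl
+install_if_not apt-show-versions
+install_if_not python
+# Install Webmin
+if curl -fsSL http://www.webmin.com/jcameron-key.asc | sudo apt-key add -
+then
+echo "deb https://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list
+apt update -q4 & spinner_loading
+install_if_not webmin
+fi
+exit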
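Review bot: The repository signing key is fetched over plain HTTP (`curl -fsSL http://www.webmin.com/jcameron-key.asc | sudo apt-key add -`) while the repository itself is added over https, so the key that APT will trust for every later webmin package is the one link in the chain an on-path party could substitute; fetch it over TLS as well, `curl -fsSL https://www.webmin.com/jcameron-key.asc | apt-key add -`, which also drops the `sudo` that is redundant after `root_check`. Because the key goes into the global apt-key keyring, it becomes trusted for all configured repositories, not just the webmin one; a short comment noting this, or scoping the key via a `signed-by=` keyring if the target Ubuntu release supports it, would make the trust decision explicit. The success of `apt update -q4 & spinner_loading` is never checked before `install_if_not webmin`, so a failed index refresh is only noticed when the install fails.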