Initial Clone

2019-11-14 19:36:04 -06:00
parent 1051826ba8
commit ac7cd93dfe
48 changed files with 7742 additions and 19 deletions
--- a/lets-encrypt/activate-ssl.sh
+++ b/lets-encrypt/activate-ssl.sh
@@ -0,0 +1,300 @@
+#!/bin/bash
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Information
+msg_box "Important! Please read this:
+
+This script will install SSL from Let's Encrypt.
+It's free of charge, and very easy to maintain.
+
+Before we begin the installation you need to have
+a domain that the SSL certs will be valid for.
+If you don't have a domain yet, get one before
+you run this script!
+
+You also have to open port 80+443 against this VMs
+IP address: $ADDRESS - do this in your router/FW.
+Here is a guide: https://goo.gl/Uyuf65
+
+You can find the script here: $SCRIPTS/activate-ssl.sh 
+and you can run it after you got a domain.
+
+Please don't run this script if you don't have
+a domain yet. You can get one for a fair price here:
+https://store.binero.se/?lang=en-US"
+
+if [[ "no" == $(ask_yes_or_no "Are you sure you want to continue?") ]]
+then
+msg_box "OK, but if you want to run this script later,
+just type: sudo bash $SCRIPTS/activate-ssl.sh"
+    exit
+fi
+
+if [[ "no" == $(ask_yes_or_no "Have you forwarded port 80+443 in your router?") ]]
+then
+msg_box "OK, but if you want to run this script later,
+just type: sudo bash /var/scripts/activate-ssl.sh"
+    exit
+fi
+
+if [[ "yes" == $(ask_yes_or_no "Do you have a domain that you will use?") ]]
+then
+    sleep 1
+else
+msg_box "OK, but if you want to run this script later, 
+just type: sudo bash /var/scripts/activate-ssl.sh"
+    exit
+fi
+
+echo
+while true
+do
+# Ask for domain name
+cat << ENTERDOMAIN
+---------------------------------------------------------------+
+|    Please enter the domain name you will use for Nextcloud:   |
+|    Like this: example.com, or nextcloud.example.com           |
+---------------------------------------------------------------+
+ENTERDOMAIN
+echo
+read -r domain
+echo
+if [[ "yes" == $(ask_yes_or_no "Is this correct? $domain") ]]
+then
+    break
+fi
+done
+
+# Check if $domain exists and is reachable
+echo
+print_text_in_color "$ICyan" "Checking if $domain exists and is reachable..."
+domain_check_200 "$domain"
+
+# Check if port is open with NMAP
+sed -i "s|127.0.1.1.*|127.0.1.1       $domain nextcloud|g" /etc/hosts
+network_ok
+check_open_port 80 "$domain"
+check_open_port 443 "$domain"
+
+# Fetch latest version of test-new-config.sh
+check_command download_le_script test-new-config
+
+# Install certbot (Let's Encrypt)
+install_certbot
+
+#Fix issue #28
+ssl_conf="/etc/apache2/sites-available/"$domain.conf""
+
+# DHPARAM
+DHPARAMS="$CERTFILES/$domain/dhparam.pem"
+
+# Check if "$ssl.conf" exists, and if, then delete
+if [ -f "$ssl_conf" ]
+then
+    rm -f "$ssl_conf"
+fi
+
+# Generate nextcloud_ssl_domain.conf
+if [ ! -f "$ssl_conf" ]
+then
+    touch "$ssl_conf"
+    print_text_in_color "$IGreen" "$ssl_conf was successfully created."
+    sleep 2
+    cat << SSL_CREATE > "$ssl_conf"
+<VirtualHost *:80>
+    RewriteEngine On
+    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+
+    Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+    SSLEngine on
+    SSLCompression off
+    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+    SSLHonorCipherOrder on
+    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    SSLSessionTickets off
+    
+### YOUR SERVER ADDRESS ###
+
+    ServerAdmin admin@$domain
+    ServerName $domain
+
+### SETTINGS ###
+    <FilesMatch "\.php$">
+        SetHandler "proxy:unix:/run/php/php$PHPVER-fpm.nextcloud.sock|fcgi://localhost"
+    </FilesMatch>
+
+    DocumentRoot $NCPATH
+
+    <Directory $NCPATH>
+    Options Indexes FollowSymLinks
+    AllowOverride All
+    Require all granted
+    Satisfy Any
+    </Directory>
+
+    <IfModule mod_dav.c>
+    Dav off
+    </IfModule>
+
+    SetEnv HOME $NCPATH
+    SetEnv HTTP_HOME $NCPATH
+    
+    # The following lines prevent .htaccess and .htpasswd files from being
+    # viewed by Web clients.
+    <Files ".ht*">
+    Require all denied
+    </Files>
+    
+    # Disable HTTP TRACE method.
+    TraceEnable off
+    # Disable HTTP TRACK method.
+    RewriteEngine On
+    RewriteCond %{REQUEST_METHOD} ^TRACK
+    RewriteRule .* - [R=405,L]
+    
+    # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
+    <IfModule mod_reqtimeout.c>
+    RequestReadTimeout body=0
+    </IfModule>
+
+### LOCATION OF CERT FILES ###
+
+    SSLCertificateChainFile $CERTFILES/$domain/chain.pem
+    SSLCertificateFile $CERTFILES/$domain/cert.pem
+    SSLCertificateKeyFile $CERTFILES/$domain/privkey.pem
+    SSLOpenSSLConfCmd DHParameters $DHPARAMS
+
+</VirtualHost>
+
+### EXTRAS ###
+    SSLUseStapling On
+    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
+SSL_CREATE
+fi
+
+# Check if PHP-FPM is installed and if not, then remove PHP-FPM related lines from config
+if [ ! -f "$PHP_POOL_DIR"/nextcloud.conf ]
+then
+    sed -i "s|<FilesMatch.*|# Removed due to that PHP-FPM is missing|g" "$ssl_conf"
+    sed -i "s|SetHandler.*|#|g" "$ssl_conf"
+    sed -i "s|</FilesMatch.*|#|g" "$ssl_conf"
+elif ! is_this_installed php"$PHPVER"-fpm
+then
+    sed -i "s|<FilesMatch.*|# Removed due to that PHP-FPM is missing|g" "$1"
+    sed -i "s|SetHandler.*|#|g" "$ssl_conf"
+    sed -i "s|</FilesMatch.*|#|g" "$ssl_conf"
+fi
+
+# Methods
+# https://certbot.eff.org/docs/using.html#certbot-command-line-options
+default_le="--rsa-key-size 4096 --renew-by-default --no-eff-email --agree-tos --uir --hsts --server https://acme-v02.api.letsencrypt.org/directory -d $domain"
+
+standalone() {
+# Generate certs
+if eval "certbot certonly --standalone --pre-hook 'service apache2 stop' --post-hook 'service apache2 start' $default_le"
+then
+    echo "success" > /tmp/le_test
+else
+    echo "fail" > /tmp/le_test
+fi
+}
+tls-alpn-01() {
+if eval "certbot certonly --preferred-challenges tls-alpn-01 $default_le"
+then
+    echo "success" > /tmp/le_test
+else
+    echo "fail" > /tmp/le_test
+fi
+}
+dns() {
+if eval "certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns $default_le"
+then
+    echo "success" > /tmp/le_test
+else
+    echo "fail" > /tmp/le_test
+fi
+}
+
+methods=(standalone dns)
+
+create_config() {
+# $1 = method
+local method="$1"
+# Check if $CERTFILES exists
+if [ -d "$CERTFILES" ]
+ then
+    # Generate DHparams chifer
+    if [ ! -f "$DHPARAMS" ]
+    then
+        openssl dhparam -dsaparam -out "$DHPARAMS" 4096
+    fi
+    # Activate new config
+    check_command bash "$SCRIPTS/test-new-config.sh" "$domain.conf"
+    exit
+fi
+}
+
+attempts_left() {
+local method="$1"
+if [ "$method" == "standalone" ]
+then
+    printf "%b" "${ICyan}It seems like no certs were generated, we will do 1 more try.\n${Color_Off}"
+    any_key "Press any key to continue..."
+#elif [ "$method" == "tls-alpn-01" ]
+#then
+#    printf "%b" "${ICyan}It seems like no certs were generated, we will do 1 more try.\n${Color_Off}"
+#    any_key "Press any key to continue..."
+elif [ "$method" == "dns" ]
+then
+    printf "%b" "${IRed}It seems like no certs were generated, please check your DNS and try again.\n${Color_Off}"
+    any_key "Press any key to continue..."
+fi
+}
+
+# Generate the cert
+for f in "${methods[@]}"; do "$f"
+if [ "$(grep 'success' /tmp/le_test)" == 'success' ]; then
+    rm -f /tmp/le_test
+    create_config "$f"
+else
+    rm -f /tmp/le_test
+    attempts_left "$f"
+fi
+done
+
+# Failed
+msg_box "Sorry, last try failed as well. :/
+
+The script is located in $SCRIPTS/activate-ssl.sh
+Please try to run it again some other time with other settings.
+
+There are different configs you can try in Let's Encrypt's user guide:
+https://letsencrypt.readthedocs.org/en/latest/index.html
+Please check the guide for further information on how to enable SSL.
+
+This script is developed on GitHub, feel free to contribute:
+https://github.com/nextcloud/vm
+
+The script will now do some cleanup and revert the settings."
+
+# Cleanup
+apt remove certbot -y
+apt autoremove -y
+clear
--- a/lets-encrypt/test-new-config.sh
+++ b/lets-encrypt/test-new-config.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Activate the new config
+printf "${Color_Off}We will now test that everything is OK\n"
+any_key "Press any key to continue... "
+a2ensite "$1"
+a2dissite nextcloud_ssl_domain_self_signed.conf
+a2dissite nextcloud_http_domain_self_signed.conf
+a2dissite 000-default.conf
+if restart_webserver
+then
+msg_box "New settings works! SSL is now activated and OK!
+
+This cert will expire in 90 days if you don't renew it.
+There are several ways of renewing this cert and here are some tips and tricks:
+https://goo.gl/c1JHR0
+
+To do your job a little bit easier we have added a autorenew script as a cronjob.
+If you need to edit the crontab please type: crontab -u root -e
+If you need to edit the script itself, please check: $SCRIPTS/letsencryptrenew.sh
+
+Feel free to contribute to this project: https://goo.gl/3fQD65"
+    crontab -u root -l | { cat; echo "3 */12 * * * $SCRIPTS/letsencryptrenew.sh"; } | crontab -u root -
+
+FQDOMAIN=$(grep -m 1 "ServerName" "/etc/apache2/sites-enabled/$1" | awk '{print $2}')
+if [ "$(hostname)" != "$FQDOMAIN" ]
+then
+    print_text_in_color "$ICyan" "Setting hostname to $FQDOMAIN..."
+    sudo sh -c "echo 'ServerName $FQDOMAIN' >> /etc/apache2/apache2.conf"
+    sudo hostnamectl set-hostname "$FQDOMAIN"
+    # Change /etc/hosts as well
+    sed -i "s|127.0.1.1.*|127.0.1.1       $FQDOMAIN $(hostname -s)|g" /etc/hosts
+    # And in the php-fpm pool conf
+    sed -i "s|env\[HOSTNAME\] = .*|env[HOSTNAME] = $(hostname -f)|g" "$PHP_POOL_DIR"/nextcloud.conf
+fi
+
+# Set trusted domains
+run_static_script trusted
+
+add_crontab_le() {
+# shellcheck disable=SC2016
+DATE='$(date +%Y-%m-%d_%H:%M)'
+cat << CRONTAB > "$SCRIPTS/letsencryptrenew.sh"
+#!/bin/sh
+if ! certbot renew --quiet --no-self-upgrade > /var/log/letsencrypt/renew.log 2>&1 ; then
+        echo "Let's Encrypt FAILED!"--$DATE >> /var/log/letsencrypt/cronjob.log
+else
+        echo "Let's Encrypt SUCCESS!"--$DATE >> /var/log/letsencrypt/cronjob.log
+fi
+
+# Check if service is running
+if ! pgrep apache2 > /dev/null
+then
+    service apache2 start
+fi
+CRONTAB
+}
+add_crontab_le
+
+# Makeletsencryptrenew.sh executable
+chmod +x $SCRIPTS/letsencryptrenew.sh
+
+# Cleanup
+rm -f $SCRIPTS/test-new-config.sh
+rm -f $SCRIPTS/activate-ssl.sh
+rm -f /var/www/index.php
+
+else
+# If it fails, revert changes back to normal
+    a2dissite "$1"
+    a2ensite nextcloud_ssl_domain_self_signed.conf
+    a2ensite nextcloud_http_domain_self_signed.conf
+    a2ensite 000-default.conf
+    restart_webserver
+    printf "${ICyan}Couldn't load new config, reverted to old settings. Self-signed SSL is OK!${Color_Off}\n"
+    any_key "Press any key to continue... "
+    exit 1
+fi