diff --git a/dietpi/dietpi-software b/dietpi/dietpi-software index 88c7f60133..936c41a8ea 100644 --- a/dietpi/dietpi-software +++ b/dietpi/dietpi-software @@ -17,10 +17,10 @@ # Usage: # - dietpi-software # - /DietPi/dietpi/dietpi-software install iUNIQUEID (OR) sINDEX_{SSHSERVER,FILESERVER,LOGGING,WEBSERVER}_TARGET=-int - # - /DietPi/dietpi/dietpi-software reinstall Same as installed, however, only reinstalls if state =2. Does not uninstall due to package removal danger (eg: xserver removes kodi), simply flags to be installed (=1). - # - /DietPi/dietpi/dietpi-software uninstall iUNIQUEID - # - /DietPi/dietpi/dietpi-software list #Lists UNIQUEIDs for software - # - /DietPi/dietpi/dietpi-software setpermissions #Sets shared permissions for /var/www and userdata folders + # - /DietPi/dietpi/dietpi-software reinstall #Same as installed, however, only reinstalls if state =2. Does not uninstall due to package removal danger (eg: xserver removes kodi), simply flags to be installed (=1). + # - /DietPi/dietpi/dietpi-software uninstall iUNIQUEID + # - /DietPi/dietpi/dietpi-software list #Lists UNIQUEIDs for software. + # - /DietPi/dietpi/dietpi-software setpermissions #Sets shared permissions for /var/www and userdata folders. #//////////////////////////////////// #Force en_GB Locale for whole script. Prevents incorrect parsing with non-english locales. @@ -264,7 +264,7 @@ _EOF_ #PHP5/7 specific directories, apt package-, module- and command names FP_PHP_BASE_DIR='/etc/php/7.0' PHP_APT_PACKAGE_NAME='php' - if (( $DISTRO == 3 )); then + if (( $DISTRO < 4 )); then FP_PHP_BASE_DIR='/etc/php5' PHP_APT_PACKAGE_NAME='php5' 
@@ -310,15 +310,15 @@ _EOF_ TOTAL_SOFTWARE_INDEXS=0 TOTAL_SOFTWARE_INDEXS_HARDLIMIT=169 #Increase as needed. Must be higher than TOTAL_SOFTWARE_INDEXS once calculated in Software_Arrays_Init - INSTALLING_INDEX=0 #Which software index is currently being installed? + INSTALLING_INDEX=0 #Which software index is currently being installed? - aSOFTWARE_CATEGORY_INDEX=0 #Category index - aSOFTWARE_TYPE=0 #0=DietPi 1=Linux | -1=Hidden from install menu, visible in uninstall menu | -2 Hidden from all menus + aSOFTWARE_CATEGORY_INDEX=0 #Category index + aSOFTWARE_TYPE=0 #0=DietPi 1=Linux | -1=Hidden from install menu, visible in uninstall menu | -2 Hidden from all menus - aSOFTWARE_INSTALL_STATE=0 #0=not / 1=tobe, or not tobe that is the... / 2=installed + aSOFTWARE_INSTALL_STATE=0 #0=not / 1=tobe, or not tobe that is the... / 2=installed - aSOFTWARE_WHIP_NAME=0 #Item name eg: Kodi - aSOFTWARE_WHIP_DESC=0 #Blah blah + aSOFTWARE_WHIP_NAME=0 #Item name eg: Kodi + aSOFTWARE_WHIP_DESC=0 #Blah blah FP_ONLINEDOC_URL='http://dietpi.com/phpbb/viewtopic.php?' aSOFTWARE_ONLINEDOC_URL=0 @@ -357,11 +357,11 @@ _EOF_ # Adding Software to the Install List: # ------------------------------------ # - index_current: - # This is the next number in the sequence, each software install has a unique number + # This is the next number in the sequence. Each software install has a unique number, # so it can be referenced in all arrays. This has to be the same for install, uninstall # and setting up the service. Run "dietpi-software list | grep 'index Current'" to - # get the next number in the sequence. Ensure you are running a testing build as - # release may be behind the testing branch and avaliable software packages + # get the next number in the sequence. Ensure that you are running a testing build, as + # release may be behind the testing branch and avaliable software packages. # # - aSOFTWARE_WHIP_NAME: # This is the name to display in the UI. 
@@ -370,27 +370,27 @@ _EOF_ # This is the description to place next to the name in the UI. # # - aSOFTWARE_CATEGORY_INDEX: - # If you are adding a new peice of software first choose the category it goes under - # (aSOFTWARE_CATEGORIES_DIETPI or aSOFTWARE_CATEGORIES_LINUX) this will give you - # the aSOFTWARE_CATEGORY_INDEX to set, in the example belo this is 0. + # If you are adding a new peice of software, first choose the category it belongs to + # (see aSOFTWARE_CATEGORIES_DIETPI and aSOFTWARE_CATEGORIES_LINUX below), which will + # give you the aSOFTWARE_CATEGORY_INDEX to set. In the example below this is 0. # # - aSOFTWARE_TYPE: - # If this is aSOFTWARE_CATEGORIES_DIETPI then aSOFTWARE_TYPE = 0 if it is + # If this is aSOFTWARE_CATEGORIES_DIETPI then aSOFTWARE_TYPE=0, if it is # aSOFTWARE_CATEGORIES_LINUX then it is 1. In the example it is 0. # # - aSOFTWARE_ONLINEDOC_URL: # This is appeneded to FP_ONLINEDOC_URL to make a URL for help on this software. # # Specifying other software as dependencies: - # If you need other software to be avaliable for you look under the 'Requires software + # If your software needs other software to be available, look under the 'Requires software # to be installed' heading and then add that to the section you create. In the example - # below ALSA and XSERVERXORG are needed. The system will check to see if they are - # installed and if not will install them for you. + # below ALSA and XSERVERXORG are needed. The system will check their presence + # and install as needed. # # Dealing with Hardware types: - # If you have hardware requirements like must not/only be installed on a pi then you need - # to add something like the following, look for other examples in the existing software - # installations. Full list of models can be found in 'dietpi-obtain_hw_model' + # If you have hardware requirements, like must not/only be installed on a Pi, then you need + # to add something like below. 
Look for other examples in the existing software + # installations. Full list of models can be found in 'dietpi-obtain_hw_model'. # # # - Disabled for All non-rpi # for ((i=10; i<=$MAX_HW_MODEL; i++)) @@ -3786,7 +3786,7 @@ _EOF_ # + stretch extras if (( $DISTRO >= 4 )); then - AGI "$PHP_APT_PACKAGE_NAME"-opcache "$PHP_APT_PACKAGE_NAME"-mbstring "$PHP_APT_PACKAGE_NAME"-zip "$PHP_APT_PACKAGE_NAME"-xml + AGI "$PHP_APT_PACKAGE_NAME"-mbstring "$PHP_APT_PACKAGE_NAME"-zip "$PHP_APT_PACKAGE_NAME"-xml fi @@ -9019,7 +9019,7 @@ _EOF_ fi - # APCu configuration: To prevent cli (cron.php) producing Nextcloud log [info] entry. + # APCu configuration: To prevent cli (cron.php) producing Nextcloud log [info] entries. grep -q 'apc.enable_cli=' $FP_PHP_BASE_DIR/mods-available/apcu.ini && sed -i '/apc.enable_cli=/c\apc.enable_cli=1' $FP_PHP_BASE_DIR/mods-available/apcu.ini || echo 'apc.enable_cli=1' >> $FP_PHP_BASE_DIR/mods-available/apcu.ini # OPCache configuration: https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html?highlight=opcache#enable-php-opcache @@ -9065,6 +9065,14 @@ _EOF_ cat << _EOF_ > /etc/nginx/sites-dietpi/nextcloud.config location ^~ /nextcloud { + # Security headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + # set max upload size client_max_body_size $(( $(php -r 'print(PHP_INT_MAX);') / 1024 / 1024))M; fastcgi_buffers 64 4K; 
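Review bot: In the `@@ -9065,6 +9065,14 @@` hunk the new `Strict-Transport-Security` header is sent unconditionally with `includeSubDomains; preload`, while the same commit makes `fastcgi_param HTTPS on` conditional because not every install has TLS. Browsers ignore the header over plain HTTP, but on a host with a valid certificate it commits every subdomain of that name to HTTPS for about six months and signals preload consent, which is more than a sub-directory application should decide. I would send `add_header Strict-Transport-Security "max-age=15768000";` here and leave `includeSubDomains`/`preload` to the site operator. nginx also drops inherited `add_header` lines in any nested location that declares its own, so each such block must repeat the full set, as the static-assets block does. The `location ^~ /nextcloud` block continues past this hunk.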
@@ -9088,27 +9096,31 @@ location ^~ /nextcloud { location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; } + location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { - include fastcgi_params; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_param SCRIPT_FILENAME \$request_filename; - fastcgi_param PATH_INFO \$fastcgi_path_info; - fastcgi_param HTTPS on; - # Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - fastcgi_param REMOTE_USER \$remote_user; - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_intercept_errors on; - # Disable because Jessie Nginx does not support that parameter - #fastcgi_request_buffering off; + include fastcgi_params; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_param SCRIPT_FILENAME \$request_filename; + fastcgi_param PATH_INFO \$fastcgi_path_info; + # HTTPS forces redirection from http://, thus has to be enabled only on active HTTPS environment. + #fastcgi_param HTTPS on; + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param REMOTE_USER \$remote_user; + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_intercept_errors on; + # Disable because Jessie Nginx does not support that parameter + #fastcgi_request_buffering off; + # Hard coding 128M OPCache size, only for /nextcloud, to suppress warning on nextcloud admin panel. + fastcgi_param PHP_ADMIN_VALUE "opcache.memory_consumption=128"; } location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) { - try_files \$uri/ =404; + try_files \$uri/ =404; index index.php; } 
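Review bot: Commenting out `fastcgi_param HTTPS on;` in the PHP location of the `@@ -9088,27 +9096,31 @@` hunk ties Nextcloud's view of the scheme to a one-time probe at install time, so a system that gains TLS later keeps telling PHP that requests are plain HTTP. nginx exposes the per-request state in `$https`, so the heredoc line could be `fastcgi_param HTTPS \$https if_not_empty;`, and the later `sed` un-commenting step would not be needed. Separately, `fastcgi_param PHP_ADMIN_VALUE "opcache.memory_consumption=128";` probably only changes the value the admin panel reads, since OPcache sizes its shared memory when PHP-FPM starts. If so, a comment saying the real size is still set in the ini file would avoid confusion.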
@@ -9116,9 +9128,9 @@ location ^~ /nextcloud { # Make sure it is BELOW the PHP block location ~ \.(?:css|js|woff|svg|gif)$ { try_files \$uri /nextcloud/index.php\$uri\$is_args\$args; - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header Cache-Control "public, max-age=15778463"; - add_header X-Content-Type-Options nosniff; + add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; @@ -9133,16 +9145,22 @@ location ^~ /nextcloud { access_log off; } - # Hard coding 128M OPCache size, only for /nextcloud, to suppress warning on nextcloud admin panel. - fastcgi_param PHP_ADMIN_VALUE "opcache.memory_consumption=128"; - } _EOF_ - # - Stretch, set php7.0 + # - Stretch, set php7.0 and fastcgi_request_buffering off; if (( $DISTRO >= 4 )); then sed -i "s#/run/php5-fpm.sock#/run/php/php7.0-fpm.sock#g" /etc/nginx/sites-dietpi/nextcloud.config + sed -i "s#\#fastcgi_request_buffering off;#fastcgi_request_buffering off;#g" /etc/nginx/sites-dietpi/nextcloud.config + + fi + + # Set HTTPS on, if SSL connection is available, even with self-signed/untrusted certificate. + DietPi/dietpi/func/check_connection https://localhost &> /dev/null + if (( $? == 0 || $? == 5)); then + + sed -i "s#\#fastcgi_param HTTPS on;#fastcgi_param HTTPS on;#g" /etc/nginx/sites-dietpi/nextcloud.config fi 
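Review bot: The probe added in the `@@ -9133,16 +9145,22 @@` hunk is called as `DietPi/dietpi/func/check_connection`, without the leading slash that the other `/DietPi/dietpi/...` calls in this diff use. It therefore resolves against the current directory and will normally fail with status 127, so the `HTTPS on` line is never enabled. It should read `/DietPi/dietpi/func/check_connection https://localhost &> /dev/null`. The meaning of exit code 5 is not visible here (the comment suggests an untrusted certificate), so a short comment naming it would help. Capturing the status once with `rc=$?` would also keep the test correct if a statement is later inserted between the call and the `if`.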
@@ -9161,19 +9179,22 @@ _EOF_ fi - # - Create DB v11: https://github.com/Fourdee/DietPi/issues/647#issuecomment-267019815 - /DietPi/dietpi/func/create_mysql_db nextcloud "$GLOBAL_PW" root "$GLOBAL_PW" - sudo -u www-data php /var/www/nextcloud/occ maintenance:install --no-interaction --database "mysql" --database-name "nextcloud" --database-user "root" --database-pass "$GLOBAL_PW" --admin-user "$username" --admin-pass "$GLOBAL_PW" --data-dir "$FP_DIETPI_USERDATA_DIRECTORY/nextcloud_data" - #Disable trusted_domains. + # Remove obsolete 'oc_admin'@'%' MySQL user: + mysql -uroot -p"$GLOBAL_PW" -e "drop user $(grep -m1 "'dbuser'" /var/www/nextcloud/config/config.php | awk '{print $3}' | sed "s/,//")" + + # Disable trusted_domains. if (( ! $(cat /var/www/nextcloud/config/config.php | grep -ci -m1 "1 => '*'") )); then sed -i "/0 => 'localhost'/a 1 => '*'," /var/www/nextcloud/config/config.php fi + + # Set CLI URL to Nextcloud sub directory: + sed -i "s#'http://localhost'#'http://localhost/nextcloud'#g" - #Owncloud/Nextcloud ignores system wide php.ini settings. Use their own config. + # Owncloud/Nextcloud ignores system wide php.ini settings. Use their own config. # - max upload size local php_max_upload_size="$(( $(php -r 'print(PHP_INT_MAX);') / 1024 / 1024))M" @@ -12967,6 +12988,7 @@ _EOF_ systemctl start mysql mysqladmin -u root -p"$GLOBAL_PW" drop nextcloud -f + mysql -uroot -p"$GLOBAL_PW" -e "drop user $(grep -m1 "'dbuser'" /var/www/nextcloud/config/config.php | awk '{print $3}' | sed "s/,//")@$(grep -m1 "'dbhost'" /var/www/nextcloud/config/config.php | awk '{print $3}' | sed "s/,//")" rm -R /var/www/nextcloud a2dissite nextcloud &>/dev/null rm /etc/apache2/sites-available/nextcloud.conf &>/dev/null diff --git a/dietpi/patch_file b/dietpi/patch_file index 300253ea4b..eceb77534d 100644 --- a/dietpi/patch_file +++ b/dietpi/patch_file 
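Review bot: The new `sed -i "s#'http://localhost'#'http://localhost/nextcloud'#g"` at the end of the `@@ -9161,19 +9179,22 @@` hunk has no file operand, so sed exits with an error and the CLI URL is never rewritten; it presumably wants `/var/www/nextcloud/config/config.php` appended. The added `drop user $(grep … 'dbuser' …)` runs with whatever text the pipeline returns: if the key is missing the statement is just `drop user`, and the result is not checked, so the wildcard-host account can stay in place without any message. Reading the name into a variable first and skipping the call when it is empty would make that visible. The same pipeline is repeated in the uninstall hunk (`@@ -12967,6 +12988,7 @@`) and in `dietpi/patch_file`; all three also put the password on the mysql command line via `-p"$GLOBAL_PW"`, where a root-only `--defaults-extra-file` would keep it out of the process list.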
@@ -32,6 +32,14 @@ HW_MODEL_DESCRIPTION=$(sed -n 2p /DietPi/dietpi/.hw_model) DISTRO=$(sed -n 3p /DietPi/dietpi/.hw_model) HW_ARCH=$(sed -n 6p /DietPi/dietpi/.hw_model) + + #Global Password: Exception to AUTO first run init. + GLOBAL_PW=$(cat /DietPi/dietpi.txt | grep -m1 '^AUTO_Global_Password=' | sed 's/.*=//') + if [ ! -n "$GLOBAL_PW" ]; then + + GLOBAL_PW='dietpi' + + fi ALLO_GUI_IMAGE=0 if [ -f /DietPi/dietpi/.installed ] && (( $(cat /DietPi/dietpi/.installed | grep -ci -m1 '^aSOFTWARE_INSTALL_STATE\[159\]=2') )); then @@ -2780,6 +2788,11 @@ _EOF_ # Squeezelite / Shairport-sync / Allo GUI (full) /DietPi/dietpi/dietpi-software reinstall 36 37 159 #------------------------------------------------------------------------------- + #Nextcloud: Remove obsolete MySQL user + if ! [ "$(grep -m1 "'dbhost'" /var/www/nextcloud/config/config.php 2> /dev/null | awk '{print $3}' | sed "s/,//")" == "''" ]; then + mysql -uroot -p"$GLOBAL_PW" -e "drop user $(grep -m1 "'dbuser'" /var/www/nextcloud/config/config.php | awk '{print $3}' | sed "s/,//")" &> /dev/null + fi + #------------------------------------------------------------------------------- #WiFi module disable powersave addition: echo -e "options wlan_8192eu rtw_power_mgnt=0" > /etc/modprobe.d/wlan_8192eu.conf #------------------------------------------------------------------------------- @@ -2812,7 +2825,6 @@ _EOF_ echo -e "\n" >> /DietPi/config.txt #------------------------------------------------------------------------------- - fi #-------------------------------------------------------------------------------
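Review bot: In the `@@ -32,6 +32,14 @@` hunk of `dietpi/patch_file`, `sed 's/.*=//'` is greedy, so a password that itself contains `=` is cut down to the part after the last `=`, and the later `mysql -uroot -p"$GLOBAL_PW"` calls then fail to authenticate. Anchoring on the first `=` fixes that, and the whole pipeline can become `GLOBAL_PW=$(sed -n '/^AUTO_Global_Password=/{s/^[^=]*=//p;q;}' /DietPi/dietpi.txt)`. The silent fallback to the well-known default `dietpi` deserves a comment stating that it only matches systems that never set a password. `[ -z "$GLOBAL_PW" ]` would also read better than `[ ! -n "$GLOBAL_PW" ]`.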
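Review bot: The guard in the `@@ -2780,6 +2788,11 @@` hunk is true whenever the `dbhost` value is anything other than `''`, which includes the case where `/var/www/nextcloud/config/config.php` does not exist, so systems without Nextcloud still run mysql with an empty `drop user` statement. Because the call ends in `&> /dev/null`, a wrong `GLOBAL_PW` (for example the `dietpi` fallback on a system with a different root password) fails just as quietly and the obsolete account is left in place. I would gate the block on `[ -f /var/www/nextcloud/config/config.php ]` and print a warning when mysql returns non-zero instead of discarding it. The inner `grep` for `'dbuser'` also lacks the `2> /dev/null` that the outer one has.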