forked from nextcloud/nextcloudpi
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ncp.sh
320 lines (270 loc) · 8.78 KB
/
ncp.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
#!/bin/bash
# NextCloudPi additions to Raspbian
#
# Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
# GPL licensed (see end of file) * Use at your own risk!
#
# More at https://nextcloudpi.com
#
WEBADMIN=ncp
WEBPASSWD=ownyourbits
BRANCH=master
BINDIR=/usr/local/bin/ncp
CONFDIR=/usr/local/etc/ncp-config.d/
APTINSTALL="apt-get install -y --no-install-recommends"
export DEBIAN_FRONTEND=noninteractive
install()
{
# NCP-CONFIG
apt-get update
$APTINSTALL git dialog whiptail jq file lsb-release
mkdir -p "$CONFDIR" "$BINDIR"
# include option in raspi-config (only Raspbian)
test -f /usr/bin/raspi-config && {
sed -i '/Change User Password/i"0 NextCloudPi Configuration" "Configuration of NextCloudPi" \\' /usr/bin/raspi-config
sed -i '/1\\ \*) do_change_pass ;;/i0\\ *) ncp-config ;;' /usr/bin/raspi-config
}
# add the ncc shortcut
cat > /usr/local/bin/ncc <<'EOF'
#!/bin/bash
sudo -u www-data php /var/www/nextcloud/occ "$@"
EOF
chmod +x /usr/local/bin/ncc
# NCP-WEB
## VIRTUAL HOST
cat > /etc/apache2/sites-available/ncp-activation.conf <<EOF
<VirtualHost _default_:443>
DocumentRoot /var/www/ncp-web/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
<Directory /var/www/ncp-web/>
<RequireAll>
<RequireAny>
Require host localhost
Require local
Require ip 192.168
Require ip 172
Require ip 10
Require ip fe80::/10
Require ip fd00::/8
</RequireAny>
</RequireAll>
</Directory>
EOF
cat > /etc/apache2/sites-available/ncp.conf <<EOF
Listen 4443
<VirtualHost _default_:4443>
DocumentRoot /var/www/ncp-web
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# 2 days to avoid very big backups requests to timeout
TimeOut 172800
<IfModule mod_authnz_external.c>
DefineExternalAuth pwauth pipe /usr/sbin/pwauth
</IfModule>
</VirtualHost>
<Directory /var/www/ncp-web/>
AuthType Basic
AuthName "ncp-web login"
AuthBasicProvider external
AuthExternal pwauth
SetEnvIf Request_URI "^" noauth
SetEnvIf Request_URI "^index\.php$" !noauth
SetEnvIf Request_URI "^/$" !noauth
SetEnvIf Request_URI "^/wizard/index.php$" !noauth
SetEnvIf Request_URI "^/wizard/$" !noauth
<RequireAll>
<RequireAny>
Require host localhost
Require local
Require ip 192.168
Require ip 172
Require ip 10
Require ip fe80::/10
Require ip fd00::/8
</RequireAny>
<RequireAny>
Require env noauth
Require user $WEBADMIN
</RequireAny>
</RequireAll>
</Directory>
EOF
$APTINSTALL libapache2-mod-authnz-external pwauth
a2enmod authnz_external authn_core auth_basic
a2dissite nextcloud
a2ensite ncp-activation
## NCP USER FOR AUTHENTICATION
useradd --home-dir /nonexistent "$WEBADMIN"
echo -e "$WEBPASSWD\n$WEBPASSWD" | passwd "$WEBADMIN"
chsh -s /usr/sbin/nologin "$WEBADMIN"
## NCP LAUNCHER
mkdir -p /home/www
chown www-data:www-data /home/www
chmod 700 /home/www
cat > /home/www/ncp-launcher.sh <<'EOF'
#!/bin/bash
grep -q '[\\&#;`|*?~<>^()[{}$&[:space:]]' <<< "$*" && exit 1
source /usr/local/etc/library.sh
run_app $1
EOF
chmod 700 /home/www/ncp-launcher.sh
cat > /home/www/ncp-backup-launcher.sh <<'EOF'
#!/bin/bash
action="${1}"
file="${2}"
compressed="${3}"
grep -q '[\\&#;`|*?~<>^()[{}$&]' <<< "$*" && exit 1
[[ "$file" =~ ".." ]] && exit 1
[[ "${action}" == "chksnp" ]] && {
btrfs subvolume show "$file" &>/dev/null || exit 1
exit
}
[[ "${action}" == "delsnp" ]] && {
btrfs subvolume delete "$file" || exit 1
exit
}
[[ -f "$file" ]] || exit 1
[[ "$file" =~ ".tar" ]] || exit 1
[[ "${action}" == "del" ]] && {
[[ "$(file "$file")" =~ "tar archive" ]] || [[ "$(file "$file")" =~ "gzip compressed data" ]] || exit 1
rm "$file" || exit 1
exit
}
[[ "$compressed" != "" ]] && pigz="-I pigz"
tar $pigz -tf "$file" data &>/dev/null
EOF
chmod 700 /home/www/ncp-backup-launcher.sh
echo "www-data ALL = NOPASSWD: /home/www/ncp-launcher.sh , /home/www/ncp-backup-launcher.sh, /sbin/halt, /sbin/reboot" >> /etc/sudoers
# NCP AUTO TRUSTED DOMAIN
mkdir -p /usr/lib/systemd/system
cat > /usr/lib/systemd/system/nextcloud-domain.service <<'EOF'
[Unit]
Description=Register Current IP as Nextcloud trusted domain
Requires=network.target
After=mysql.service
[Service]
ExecStart=/bin/bash /usr/local/bin/nextcloud-domain.sh
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
EOF
cat > /usr/local/bin/nextcloud-domain.sh <<'EOF'
#!/bin/bash
# wicd service finishes before completing DHCP
while :; do
iface="$( ip r | grep "default via" | awk '{ print $5 }' | head -1 )"
ip="$( ip a show dev "$iface" | grep global | grep -oP '\d{1,3}(.\d{1,3}){3}' | head -1 )"
public_ip="$(curl icanhazip.com 2>/dev/null)"
[[ "$public_ip" != "" ]] && ncc config:system:set trusted_domains 11 --value="$public_ip"
[[ "$ip" != "" ]] && break
sleep 3
done
ncc config:system:set trusted_domains 1 --value=$ip
EOF
[[ "$DOCKERBUILD" != 1 ]] && systemctl enable nextcloud-domain
# NEXTCLOUDPI UPDATES
cat > /etc/cron.daily/ncp-check-version <<EOF
#!/bin/sh
/usr/local/bin/ncp-check-version
EOF
chmod a+x /etc/cron.daily/ncp-check-version
touch /var/run/.ncp-latest-version
chown root:www-data /var/run/.ncp-latest-version
chmod g+w /var/run/.ncp-latest-version
# Install all ncp-apps
bin/ncp-update $BRANCH || exit 1
# LIMIT LOG SIZE
grep -q maxsize /etc/logrotate.d/apache2 || sed -i /weekly/amaxsize2M /etc/logrotate.d/apache2
cat >> /etc/logrotate.d/ncp <<'EOF'
/var/log/ncp.log
{
rotate 4
size 500K
missingok
notifempty
compress
}
EOF
chmod 0444 /etc/logrotate.d/ncp
# ONLY FOR IMAGE BUILDS
if [[ -f /.ncp-image ]]; then
rm -rf /var/log/ncp.log
## NEXTCLOUDPI MOTD
rm -rf /etc/update-motd.d
mkdir /etc/update-motd.d
rm /etc/motd
ln -s /var/run/motd /etc/motd
cat > /etc/update-motd.d/10logo <<EOF
#!/bin/sh
echo
cat /usr/local/etc/ncp-ascii.txt
EOF
cat > /etc/update-motd.d/20updates <<'EOF'
#!/bin/bash
/usr/local/bin/ncp-check-updates
EOF
chmod a+x /etc/update-motd.d/*
## HOSTNAME AND mDNS
[[ -f /.docker-image ]] || $APTINSTALL avahi-daemon
echo nextcloudpi > /etc/hostname
sed -i '$c127.0.1.1 nextcloudpi' /etc/hosts
## tag image
[[ -f /.docker-image ]] && local DOCKER_TAG="_docker"
echo "NextCloudPi${DOCKER_TAG}_$( date "+%m-%d-%y" )" > /usr/local/etc/ncp-baseimage
## SSH hardening
if [[ -f /etc/ssh/sshd_config ]]; then
sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config
sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config
sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|' /etc/ssh/sshd_config
sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config
sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config
sed -i 's|^X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
sed -i 's|^#LogLevel .*|LogLevel VERBOSE|' /etc/ssh/sshd_config
sed -i 's|^#Compression .*|Compression no|' /etc/ssh/sshd_config
sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config
fi
## kernel hardening
cat >> /etc/sysctl.conf <<EOF
fs.protected_hardlinks=1
fs.protected_symlinks=1
kernel.core_uses_pid=1
kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.sysrq=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
EOF
## other tweaks
sed -i "s|^UMASK.*|UMASK 027|" /etc/login.defs
fi
}
configure() { :; }
# License
#
# This script is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this script; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
# Boston, MA 02111-1307 USA