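#!/usr/local/bin/bash
#
# This script installs the current release of Nextcloud into a create jail
#
# Based on the example by danb35: https://github.com/danb35/freenas-iocage-nextcloud
#
# This file is written to be sourced by a wrapper that has already provided:
#   SCRIPT_DIR, global_dataset_config, the createmount helper, the nextcloud_*
#   and mariadb_ip4_addr configuration variables and -- for the DNS_CERT path --
#   DNS_PLUGIN and DNS_ENV. DB_ROOT_PASSWORD is only read here, never set; it is
#   presumably supplied by the caller and may legitimately be empty when the
#   database lives in another jail or on an external host.
#
# Security notes for operators / reviewers:
#   * The Caddy installer is downloaded and executed as root inside the jail with
#     no integrity check beyond TLS (see "Basic dependency install").
#   * The Nextcloud signing key is fetched from the same origin as the tarball,
#     so the GPG check only proves "signed by whoever nextcloud.com serves" unless
#     the key fingerprint is pinned out of band.
#   * Database and admin passwords are passed on command lines (iocage exec,
#     occ --database-pass / --admin-pass) and are briefly visible in `ps`.
#   * DNS provider credentials (DNS_ENV) are stored in the jail's /etc/rc.conf via
#     sysrc; that file is normally world-readable inside the jail.
#   * The package/tarball versions below (php73, mariadb103, postgresql10,
#     Nextcloud 18) are pinned to what the bundled php.ini/www.conf were written
#     for. PHP 7.3 and Nextcloud 18 are no longer maintained upstream; review
#     before deploying.

# Initialise defaults
JAIL_NAME="nextcloud"
# Strip the CIDR suffix ("192.0.2.10/24" -> "192.0.2.10").
JAIL_IP="$(sed 's|\(.*\)/.*|\1|' <<<"${nextcloud_ip4_addr}" )"
DATABASE="$nextcloud_database"
INCLUDES_PATH="${SCRIPT_DIR}/jails/nextcloud/includes"
# Certificate mode flags default to 0 so the numeric tests below never see an
# empty operand ("[ -eq 0 ]" is a syntax error, not a false result).
STANDALONE_CERT=${nextcloud_standalone_cert:-0}
SELFSIGNED_CERT=${nextcloud_selfsigned_cert:-0}
DNS_CERT=${nextcloud_dns_cert:-0}
NO_CERT=${nextcloud_no_cert:-0}
DL_FLAGS=${nextcloud_dl_flags}
DNS_SETTING=${nextcloud_dns_settings}
CERT_EMAIL=${nextcloud_cert_email}
HOST_NAME=${nextcloud_host_name}
REINSTALL="false"

# Only generate new DB passwords when using buildin database
# Set DB username and database to fixed "nextcloud"

case "${DATABASE}" in
  pgsql-external)
    DB_NAME="PostgreSQL"
    DB_HOST="${nextcloud_db_host}"
    DB_DATABASE="${nextcloud_db_database}"
    DB_USER="${nextcloud_db_user}"
    DB_PASSWORD="${nextcloud_db_password}"
    ;;
  mariadb-external)
    DB_NAME="MariaDB"
    DB_HOST="${nextcloud_db_host}"
    DB_DATABASE="${nextcloud_db_database}"
    DB_USER="${nextcloud_db_user}"
    DB_PASSWORD="${nextcloud_db_password}"
    ;;
  mariadb-jail)
    # Database runs in the sibling "mariadb" jail; name and user are fixed.
    DB_NAME="MariaDB"
    DB_DATABASE="nextcloud"
    DB_USER="nextcloud"
    DB_HOST="$(sed 's|\(.*\)/.*|\1|' <<<"${mariadb_ip4_addr}"):3306"
    DB_PASSWORD="${nextcloud_db_password}"
    ;;
  *)
    echo "Invalid ${JAIL_NAME}_database selected please select one from the following options:"
    echo "mariadb-jail, mariadb-external, pgsql-external"
    exit 1
    ;;
esac

# 12 random bytes, base64 -> 16 chars, URL-safe enough for the shell quoting below.
ADMIN_PASSWORD=$(openssl rand -base64 12)

#####
#
# Input Sanity Check
#
#####

# Check that necessary variables were set by nextcloud-config
if [ -z "${nextcloud_ip4_addr}" ]; then
  echo 'Configuration error: The Nextcloud jail does NOT accept DHCP'
  echo 'Please reinstall using a fixed IP adress'
  exit 1
fi

if [ -z "${DB_PASSWORD}" ]; then
  echo 'Configuration error: The Nextcloud Jail needs a database password'
  echo 'Please reinstall with a defifined: db_password'
  exit 1
fi

# The password is later embedded verbatim in a single-quoted SQL literal
# (GRANT ... IDENTIFIED BY '...') and in a double-quoted `sh -c` string passed
# to occ. Any of these characters would break quoting or be interpreted by the
# shell/SQL parser, so fail early with a clear message instead of half-installing.
bad_chars="'\"\`\$\\"
case "${DB_PASSWORD}" in
  *["${bad_chars}"]*|*[[:space:]]*)
    echo 'Configuration error: db_password must not contain quotes, backticks, $, backslashes or whitespace'
    echo 'This installer embeds it in a SQL statement and a shell command line'
    exit 1
    ;;
esac

if [ -z "${DB_USER}" ]; then
  echo 'Configuration error: The Nextcloud Jail needs a database user'
  echo 'Please reinstall with a defifined: db_user'
  exit 1
fi

if [ -z "${DB_HOST}" ]; then
  echo 'Configuration error: The Nextcloud Jail needs a database host'
  echo 'Please reinstall with a defifined: db_host'
  exit 1
fi

if [ -z "${DB_DATABASE}" ]; then
  echo 'Configuration error: The Nextcloud Jail needs a database name'
  echo 'Please reinstall with a defifined: db_database'
  exit 1
fi

if [ -z "${nextcloud_time_zone}" ]; then
  echo 'Configuration error: TIME_ZONE must be set'
  exit 1
fi
# The zone is spliced into a sed replacement (delimiter '|') and an occ argument;
# restrict it to the characters real tz database names use.
if ! [[ "${nextcloud_time_zone}" =~ ^[A-Za-z0-9/_+-]+$ ]]; then
  echo 'Configuration error: TIME_ZONE contains unexpected characters'
  exit 1
fi

if [ -z "${HOST_NAME}" ]; then
  echo 'Configuration error: HOST_NAME must be set'
  exit 1
fi
# HOST_NAME is substituted into the Caddyfile with sed (delimiter '/'), into an
# openssl -subj and into SQL/occ arguments; a '/', '&' or shell metacharacter
# would silently corrupt those. Only hostname characters are allowed.
if ! [[ "${HOST_NAME}" =~ ^[A-Za-z0-9.-]+$ ]]; then
  echo 'Configuration error: HOST_NAME must be a plain DNS hostname (letters, digits, "." and "-")'
  exit 1
fi

if [ "${STANDALONE_CERT}" -eq 0 ] && [ "${DNS_CERT}" -eq 0 ] && [ "${NO_CERT}" -eq 0 ] && [ "${SELFSIGNED_CERT}" -eq 0 ]; then
  echo 'Configuration error: Either STANDALONE_CERT, DNS_CERT, NO_CERT,'
  echo 'or SELFSIGNED_CERT must be set to 1.'
  exit 1
fi

if [ "${STANDALONE_CERT}" -eq 1 ] && [ "${DNS_CERT}" -eq 1 ] ; then
  echo 'Configuration error: Only one of STANDALONE_CERT and DNS_CERT'
  echo 'may be set to 1.'
  exit 1
fi

# DNS_PLUGIN / DNS_ENV are not derived from nextcloud_* here; they are expected
# to be present in the calling environment when DNS_CERT is selected.
if [ "${DNS_CERT}" -eq 1 ] && [ -z "${DNS_PLUGIN}" ] ; then
  echo "DNS_PLUGIN must be set to a supported DNS provider."
  echo "See https://caddyserver.com/docs under the heading of \"DNS Providers\" for list."
  echo "Be sure to omit the prefix of \"tls.dns.\"."
  exit 1
fi

if [ "${DNS_CERT}" -eq 1 ] && [ -z "${DNS_ENV}" ] ; then
  echo "DNS_ENV must be set to a your DNS provider\'s authentication credentials."
  echo "See https://caddyserver.com/docs under the heading of \"DNS Providers\" for more."
  exit 1
fi

if [ "${DNS_CERT}" -eq 1 ] ; then
  DL_FLAGS="tls.dns.${DNS_PLUGIN}"
  DNS_SETTING="dns ${DNS_PLUGIN}"
fi

# A non-empty persisted config directory is taken as the signal that this is a
# reinstall; in that case the database/admin bootstrap below is skipped so the
# existing installation is not clobbered. (The directory may not exist yet on a
# first run, hence the stderr redirect.) The message below is printed for every
# database backend, not only external ones.
if [ -n "$(ls -A "/mnt/${global_dataset_config}/${JAIL_NAME}/config" 2>/dev/null)" ]; then
  echo "Reinstall of Nextcloud detected... "
  echo "External database selected, unable to verify compatibility. REINSTALL MIGHT NOT WORK... Continuing"
  REINSTALL="true"
fi


#####
#
# Fstab And Mounts
#
#####

# Create and Mount Nextcloud, Config and Files
createmount "${JAIL_NAME}" "${global_dataset_config}/${JAIL_NAME}/config" /usr/local/www/nextcloud/config
createmount "${JAIL_NAME}" "${global_dataset_config}/${JAIL_NAME}/themes" /usr/local/www/nextcloud/themes
createmount "${JAIL_NAME}" "${global_dataset_config}/${JAIL_NAME}/files" /config/files

# Install includes fstab. The jail only ever reads from /mnt/includes (cp,
# crontab), so the nullfs mount is read-only; the same string is used for the
# removal at the end of the script.
iocage exec "${JAIL_NAME}" mkdir -p /mnt/includes
iocage fstab -a "${JAIL_NAME}" "${INCLUDES_PATH}" /mnt/includes nullfs ro 0 0

iocage exec "${JAIL_NAME}" chown -R www:www /config/files
iocage exec "${JAIL_NAME}" chmod -R 770 /config/files


#####
#
# Basic dependency install
#
#####

if [ "${DATABASE}" = "mariadb-external" ] || [ "${DATABASE}" = "mariadb-jail" ]; then
  iocage exec "${JAIL_NAME}" pkg install -qy mariadb103-client php73-pdo_mysql php73-mysqli
elif [ "${DATABASE}" = "pgsql-external" ]; then
  iocage exec "${JAIL_NAME}" pkg install -qy postgresql10-client php73-pgsql php73-pdo_pgsql
fi

# Caddy is installed by piping a remotely fetched installer into bash as root.
# There is no signature or checksum on that script: anyone able to serve or
# tamper with getcaddy.com content controls the jail. Operators who need a
# stronger guarantee should vendor the installer (or the Caddy binary) into
# INCLUDES_PATH with a known checksum. The download goes to an unpredictable
# temp file instead of a fixed /tmp name so another host user cannot pre-create
# or swap it between fetch and execution.
CADDY_INSTALLER="$(mktemp /tmp/getcaddy.XXXXXX)" || exit 1
if ! fetch -o "${CADDY_INSTALLER}" https://getcaddy.com
then
  echo "Failed to download/install Caddy"
  rm -f -- "${CADDY_INSTALLER}"
  exit 1
fi
if ! iocage exec "${JAIL_NAME}" bash -s personal "${DL_FLAGS}" < "${CADDY_INSTALLER}"
then
  echo "Failed to download/install Caddy"
  rm -f -- "${CADDY_INSTALLER}"
  exit 1
fi
rm -f -- "${CADDY_INSTALLER}"

iocage exec "${JAIL_NAME}" sysrc redis_enable="YES"
iocage exec "${JAIL_NAME}" sysrc php_fpm_enable="YES"
# These two modules are built from ports rather than pkg (presumably no binary
# package matched the pinned PHP flavour at the time of writing).
iocage exec "${JAIL_NAME}" sh -c "make -C /usr/ports/www/php73-opcache clean install BATCH=yes"
iocage exec "${JAIL_NAME}" sh -c "make -C /usr/ports/devel/php73-pcntl clean install BATCH=yes"


#####
#
# Install Nextcloud
#
#####

FILE="latest-18.tar.bz2"
if ! iocage exec "${JAIL_NAME}" fetch -o /tmp https://download.nextcloud.com/server/releases/"${FILE}" https://download.nextcloud.com/server/releases/"${FILE}".asc https://nextcloud.com/nextcloud.asc
then
  echo "Failed to download Nextcloud"
  exit 1
fi
# The public key is fetched from nextcloud.com over the same TLS channel as the
# artifact, so this verification detects a corrupted or mis-served tarball but
# not a compromised origin. To close that gap, compare the imported key's
# fingerprint against one obtained out of band before trusting the result.
iocage exec "${JAIL_NAME}" gpg --import /tmp/nextcloud.asc
# Name the signed file explicitly rather than relying on gpg to infer it by
# stripping ".asc" from the signature path.
if ! iocage exec "${JAIL_NAME}" gpg --verify /tmp/"${FILE}".asc /tmp/"${FILE}"
then
  echo "GPG Signature Verification Failed!"
  echo "The Nextcloud download is corrupt."
  exit 1
fi
if ! iocage exec "${JAIL_NAME}" tar xjf /tmp/"${FILE}" -C /usr/local/www/
then
  echo "Failed to extract Nextcloud"
  exit 1
fi
iocage exec "${JAIL_NAME}" chown -R www:www /usr/local/www/nextcloud/


# Generate and install self-signed cert, if necessary
if [ "${SELFSIGNED_CERT}" -eq 1 ] && [ ! -f "/mnt/${global_dataset_config}/${JAIL_NAME}/ssl/privkey.pem" ]; then
  echo "No ssl certificate present, generating self signed certificate"
  # NOTE(review): the existence test is on the host dataset path while the mkdir
  # runs on /config/ssl inside the jail; they are only the same directory if
  # createmount (or the jail layout) maps /config to that dataset -- confirm.
  if [ ! -d "/mnt/${global_dataset_config}/${JAIL_NAME}/ssl" ]; then
    echo "cert folder not existing... creating..."
    iocage exec "${JAIL_NAME}" mkdir -p /config/ssl
  fi
  # The key is generated on the host inside INCLUDES_PATH (shared with the jail
  # via nullfs) and copied in; the host-side copy is removed afterwards so a
  # private key is not left lying in the includes tree. The permissions of the
  # in-jail copy are not tightened here because the user the bundled caddy rc.d
  # script runs as is not visible from this file -- verify and chmod accordingly.
  openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=${HOST_NAME}" -keyout "${INCLUDES_PATH}"/privkey.pem -out "${INCLUDES_PATH}"/fullchain.pem
  iocage exec "${JAIL_NAME}" cp /mnt/includes/privkey.pem /config/ssl/privkey.pem
  iocage exec "${JAIL_NAME}" cp /mnt/includes/fullchain.pem /config/ssl/fullchain.pem
  rm -f -- "${INCLUDES_PATH}"/privkey.pem "${INCLUDES_PATH}"/fullchain.pem
fi

# Copy and edit pre-written config files
iocage exec "${JAIL_NAME}" cp -f /mnt/includes/php.ini /usr/local/etc/php.ini
iocage exec "${JAIL_NAME}" cp -f /mnt/includes/redis.conf /usr/local/etc/redis.conf
iocage exec "${JAIL_NAME}" cp -f /mnt/includes/www.conf /usr/local/etc/php-fpm.d/
if [ "${STANDALONE_CERT}" -eq 1 ] || [ "${DNS_CERT}" -eq 1 ]; then
  iocage exec "${JAIL_NAME}" cp -f /mnt/includes/remove-staging.sh /root/
fi
if [ "${NO_CERT}" -eq 1 ]; then
  echo "Copying Caddyfile for no SSL"
  iocage exec "${JAIL_NAME}" cp -f /mnt/includes/Caddyfile-nossl /usr/local/www/Caddyfile
elif [ "${SELFSIGNED_CERT}" -eq 1 ]; then
  echo "Copying Caddyfile for self-signed cert"
  iocage exec "${JAIL_NAME}" cp -f /mnt/includes/Caddyfile-selfsigned /usr/local/www/Caddyfile
else
  echo "Copying Caddyfile for Let's Encrypt cert"
  iocage exec "${JAIL_NAME}" cp -f /mnt/includes/Caddyfile /usr/local/www/
fi
iocage exec "${JAIL_NAME}" cp -f /mnt/includes/caddy /usr/local/etc/rc.d/

# Placeholder substitution. HOST_NAME and the time zone were validated above so
# they cannot contain the sed delimiters or '&'.
iocage exec "${JAIL_NAME}" sed -i '' "s/yourhostnamehere/${HOST_NAME}/" /usr/local/www/Caddyfile
iocage exec "${JAIL_NAME}" sed -i '' "s/DNS-PLACEHOLDER/${DNS_SETTING}/" /usr/local/www/Caddyfile
iocage exec "${JAIL_NAME}" sed -i '' "s/JAIL-IP/${JAIL_IP}/" /usr/local/www/Caddyfile
iocage exec "${JAIL_NAME}" sed -i '' "s|mytimezone|${nextcloud_time_zone}|" /usr/local/etc/php.ini

iocage exec "${JAIL_NAME}" sysrc caddy_enable="YES"
iocage exec "${JAIL_NAME}" sysrc caddy_cert_email="${CERT_EMAIL}"
iocage exec "${JAIL_NAME}" sysrc caddy_SNI_default="${HOST_NAME}"
# DNS_ENV carries the DNS provider API credentials; sysrc persists them in the
# jail's /etc/rc.conf, which is readable by every user inside the jail.
iocage exec "${JAIL_NAME}" sysrc caddy_env="${DNS_ENV}"

# Everything below needs the services enabled above to be running.
if ! iocage restart "${JAIL_NAME}"
then
  echo "Failed to restart ${JAIL_NAME}"
  exit 1
fi

if [ "${REINSTALL}" = "true" ]; then
  echo "Reinstall detected, skipping generaion of new config and database"
else

  # Secure database, set root password, create Nextcloud DB, user, and password
  # (DB_PASSWORD was checked above to be free of quotes/metacharacters, so the
  # interpolation into the SQL literal is safe.)
  if [ "${DATABASE}" = "mariadb-jail" ]; then
    iocage exec "mariadb" mysql -u root -e "CREATE DATABASE ${DB_DATABASE};"
    iocage exec "mariadb" mysql -u root -e "GRANT ALL ON ${DB_DATABASE}.* TO ${DB_USER}@${JAIL_IP} IDENTIFIED BY '${DB_PASSWORD}';"
    iocage exec "mariadb" mysqladmin reload
  fi


  # Save passwords for later reference. The redirection is evaluated on the host,
  # so the file lands in the HOST's /root (not the jail's); it is written
  # directly from this shell with a restrictive umask so it is not created
  # world-readable, and no secrets travel through an extra process argv.
  (
    umask 077
    {
      printf '%s\n' "${DB_NAME} root password is ${DB_ROOT_PASSWORD}"
      printf '%s\n' "Nextcloud database password is ${DB_PASSWORD}"
      printf '%s\n' "Nextcloud Administrator password is ${ADMIN_PASSWORD}"
    } > "/root/${JAIL_NAME}_db_password.txt"
  )

  # CLI installation and configuration of Nextcloud
  # (occ has no non-interactive way to take these passwords other than argv here,
  # so they are visible in the process table for the duration of the call.)
  if [ "${DATABASE}" = "mariadb-external" ] || [ "${DATABASE}" = "mariadb-jail" ]; then
    iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ maintenance:install --database=\"mysql\" --database-name=\"${DB_DATABASE}\" --database-user=\"${DB_USER}\" --database-pass=\"${DB_PASSWORD}\" --database-host=\"${DB_HOST}\" --admin-user=\"admin\" --admin-pass=\"${ADMIN_PASSWORD}\" --data-dir=\"/config/files\""
    iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set mysql.utf8mb4 --type boolean --value=\"true\""
  elif [ "${DATABASE}" = "pgsql-external" ]; then
    iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ maintenance:install --database=\"pgsql\" --database-name=\"${DB_DATABASE}\" --database-user=\"${DB_USER}\" --database-pass=\"${DB_PASSWORD}\" --database-host=\"${DB_HOST}\" --admin-user=\"admin\" --admin-pass=\"${ADMIN_PASSWORD}\" --data-dir=\"/config/files\""
  fi
  iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ db:add-missing-indices"
  iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ db:convert-filecache-bigint --no-interaction"
  iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set logtimezone --value=\"${nextcloud_time_zone}\""
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set log_type --value="file"'
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set logfile --value="/var/log/nextcloud.log"'
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set loglevel --value="2"'
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set logrotate_size --value="104847600"'
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\APCu"'
  # Redis is reached over a unix socket (port 0); the socket path must match the
  # bundled redis.conf.
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/tmp/redis.sock"'
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis port --value=0 --type=integer'
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'
  if [ "${NO_CERT}" -eq 1 ]; then
    iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set overwrite.cli.url --value=\"http://${HOST_NAME}/\""
  else
    iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set overwrite.cli.url --value=\"https://${HOST_NAME}/\""
  fi
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set htaccess.RewriteBase --value="/"'
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:update:htaccess'
  iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value=\"${HOST_NAME}\""
  iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set trusted_domains 2 --value=\"${JAIL_IP}\""
  # Encryption is enabled and immediately disabled again; the net effect is that
  # the encryption app is installed/initialised but not active (kept as upstream).
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ app:enable encryption'
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ encryption:enable'
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ encryption:disable'
  iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ background:cron'

fi

iocage exec "${JAIL_NAME}" touch /var/log/nextcloud.log
iocage exec "${JAIL_NAME}" chown www /var/log/nextcloud.log
iocage exec "${JAIL_NAME}" su -m www -c 'php -f /usr/local/www/nextcloud/cron.php'
iocage exec "${JAIL_NAME}" crontab -u www /mnt/includes/www-crontab

# Don't need /mnt/includes any more, so unmount it (string must match the -a above)
iocage fstab -r "${JAIL_NAME}" "${INCLUDES_PATH}" /mnt/includes nullfs ro 0 0

# Done!
echo "Installation complete!"
if [ "${NO_CERT}" -eq 1 ]; then
  echo "Using your web browser, go to http://${HOST_NAME} to log in"
else
  echo "Using your web browser, go to https://${HOST_NAME} to log in"
fi

if [ "${REINSTALL}" = "true" ]; then
  echo "You did a reinstall, please use your old database and account credentials"
else

  # These credentials also go to stdout (and therefore to any install log).
  echo "Default user is admin, password is ${ADMIN_PASSWORD}"
  echo ""

  echo "Database Information"
  echo "--------------------"
  echo "Database user = ${DB_USER}"
  echo "Database password = ${DB_PASSWORD}"
  echo ""
  echo "All passwords are saved in /root/${JAIL_NAME}_db_password.txt"
fi

echo ""
if [ "${STANDALONE_CERT}" -eq 1 ] || [ "${DNS_CERT}" -eq 1 ]; then
  echo "You have obtained your Let's Encrypt certificate using the staging server."
  echo "This certificate will not be trusted by your browser and will cause SSL errors"
  echo "when you connect. Once you've verified that everything else is working"
  echo "correctly, you should issue a trusted certificate. To do this, run:"
  echo " iocage exec ${JAIL_NAME} /root/remove-staging.sh"
  echo ""
elif [ "${SELFSIGNED_CERT}" -eq 1 ]; then
  echo "You have chosen to create a self-signed TLS certificate for your Nextcloud"
  echo "installation. This certificate will not be trusted by your browser and"
  echo "will cause SSL errors when you connect. If you wish to replace this certificate"
  echo "with one obtained elsewhere, the private key is located at:"
  echo "/config/ssl/privkey.pem"
  echo "The full chain (server + intermediate certificates together) is at:"
  echo "/config/ssl/fullchain.pem"
  echo ""
fi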