diff --git a/.github/workflows/commit-tests.yml b/.github/workflows/commit-tests.yml index 3078fd43..c76fe20e 100644 --- a/.github/workflows/commit-tests.yml +++ b/.github/workflows/commit-tests.yml @@ -8,13 +8,13 @@ jobs: PRIMARY_HOSTNAME: box1.abc.com EHDD_KEYFILE: /tmp/keyfile steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: create ehdd keyfile run: sudo -E echo -n "secret" >/tmp/keyfile - name: setup run: sudo -E tests/system-setup/remote-nextcloud-docker.sh - name: test-runner - run: sudo -E tests/runner.sh -dumpoutput -no-smtp-remote remote-nextcloud ehdd default remote-nextcloud + run: sudo -E tests/runner.sh -dumpoutput -no-smtp-remote remote-nextcloud ehdd default - uses: actions/upload-artifact@v3 if: failure() with: @@ -31,7 +31,7 @@ jobs: # TODO: change UPSTREAM_TAG to 'main' once upstream is installable UPSTREAM_TAG: v67 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: setup run: sudo -E tests/system-setup/upgrade-from-upstream.sh --populate=basic --populate=totpuser - name: test-runner diff --git a/management/daily_tasks.sh b/management/daily_tasks.sh index 0a568cd9..e220be27 100755 --- a/management/daily_tasks.sh +++ b/management/daily_tasks.sh @@ -20,7 +20,7 @@ export LC_TYPE=en_US.UTF-8 # On Mondays, i.e. once a week, send the administrator a report of total emails # sent and received so the admin might notice server abuse. -if [ `date "+%u"` -eq 1 ]; then +if [ "$(date "+%u")" -eq 1 ]; then management/mail_log.py -t week | management/email_administrator.py "Mail-in-a-Box Usage Report" fi diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index 71d64739..3e4683a0 100644 --- a/setup/bootstrap.sh +++ b/setup/bootstrap.sh @@ -79,9 +79,9 @@ if [[ $EUID -ne 0 ]]; then fi # Clone the Mail-in-a-Box repository if it doesn't exist. -if [ ! -d $HOME/mailinabox ]; then +if [ ! -d "$HOME/mailinabox" ]; then if [ ! -f /usr/bin/git ]; then - echo Installing git . . . + echo "Installing git . . ." apt-get -q -q update DEBIAN_FRONTEND=noninteractive apt-get -q -q install -y git < /dev/null echo @@ -91,25 +91,25 @@ if [ ! -d $HOME/mailinabox ]; then SOURCE=https://github.com/downtownallday/mailinabox-ldap.git fi - echo Downloading Mail-in-a-Box $TAG. . . + echo "Downloading Mail-in-a-Box $TAG. . ." git clone \ - -b $TAG --depth 1 \ - $SOURCE \ - $HOME/mailinabox \ + -b "$TAG" --depth 1 \ + "$SOURCE" \ + "$HOME/mailinabox" \ < /dev/null 2> /dev/null echo fi # Change directory to it. -cd $HOME/mailinabox +cd "$HOME/mailinabox" || exit # Update it. -if [ "$TAG" != $(git describe --always) ]; then - echo Updating Mail-in-a-Box to $TAG . . . - git fetch --depth 1 --force --prune origin tag $TAG - if ! git checkout -q $TAG; then - echo "Update failed. Did you modify something in $(pwd)?" +if [ "$TAG" != "$(git describe --always)" ]; then + echo "Updating Mail-in-a-Box to $TAG . . ." + git fetch --depth 1 --force --prune origin tag "$TAG" + if ! git checkout -q "$TAG"; then + echo "Update failed. Did you modify something in $PWD?" exit 1 fi echo diff --git a/setup/dkim.sh b/setup/dkim.sh index d50d29ab..a2c8e3d0 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -19,12 +19,12 @@ source setup/functions.sh # load our functions source /etc/mailinabox.conf # load global vars # Install DKIM... -echo Installing OpenDKIM/OpenDMARC... +echo "Installing OpenDKIM/OpenDMARC..." apt_install opendkim opendkim-tools opendmarc # Make sure configuration directories exist. mkdir -p /etc/opendkim; -mkdir -p $STORAGE_ROOT/mail/dkim +mkdir -p "$STORAGE_ROOT/mail/dkim" # Used in InternalHosts and ExternalIgnoreList configuration directives. # Not quite sure why. @@ -62,12 +62,12 @@ fi # such as Google. But they and others use a 2048 bit key, so we'll # do the same. Keys beyond 2048 bits may exceed DNS record limits. if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then - opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim + opendkim-genkey -b 2048 -r -s mail -D "$STORAGE_ROOT/mail/dkim" fi # Ensure files are owned by the opendkim user and are private otherwise. -chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim -chmod go-rwx $STORAGE_ROOT/mail/dkim +chown -R opendkim:opendkim "$STORAGE_ROOT/mail/dkim" +chmod go-rwx "$STORAGE_ROOT/mail/dkim" tools/editconf.py /etc/opendmarc.conf -s \ "Syslog=true" \ diff --git a/setup/dns.sh b/setup/dns.sh index e82ba8b1..1f7a710d 100755 --- a/setup/dns.sh +++ b/setup/dns.sh @@ -142,7 +142,7 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then # (This previously used -b 2048 but it's unclear if this setting makes sense # for non-RSA keys, so it's removed. The RSA-based keys are not recommended # anymore anyway.) - KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -r /dev/urandom -a $algo -k _domain_); + KSK=$(umask 077; cd "$STORAGE_ROOT/dns/dnssec"; ldns-keygen -r /dev/urandom -a $algo -k _domain_); # Now create a Zone-Signing Key (ZSK) which is expected to be # rotated more often than a KSK, although we have no plans to @@ -150,7 +150,7 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then # disturbing DNS availability.) Omit `-k`. # (This previously used -b 1024 but it's unclear if this setting makes sense # for non-RSA keys, so it's removed.) - ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -r /dev/urandom -a $algo _domain_); + ZSK=$(umask 077; cd "$STORAGE_ROOT/dns/dnssec"; ldns-keygen -r /dev/urandom -a $algo _domain_); # These generate two sets of files like: # @@ -162,7 +162,7 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then # options. So we'll store the names of the files we just generated. # We might have multiple keys down the road. This will identify # what keys are the current keys. - cat > $STORAGE_ROOT/dns/dnssec/$algo.conf << EOF; + cat > "$STORAGE_ROOT/dns/dnssec/$algo.conf" << EOF; KSK=$KSK ZSK=$ZSK EOF @@ -178,7 +178,7 @@ cat > /etc/cron.daily/mailinabox-dnssec << EOF; #!/bin/bash # Mail-in-a-Box # Re-sign any DNS zones with DNSSEC because the signatures expire periodically. -$(pwd)/tools/dns_update +$PWD/tools/dns_update EOF chmod +x /etc/cron.daily/mailinabox-dnssec diff --git a/setup/firstuser.sh b/setup/firstuser.sh index 87379874..c292c6fb 100644 --- a/setup/firstuser.sh +++ b/setup/firstuser.sh @@ -1,3 +1,4 @@ +#!/bin/bash ##### ##### This file is part of Mail-in-a-Box-LDAP which is released under the ##### terms of the GNU Affero General Public License as published by the @@ -19,7 +20,7 @@ if [ -z "$(management/cli.py user)" ]; then input_box "Mail Account" \ "Let's create your first mail account. \n\nWhat email address do you want?" \ - me@$(get_default_hostname) \ + "me@$(get_default_hostname)" \ EMAIL_ADDR if [ -z "$EMAIL_ADDR" ]; then @@ -31,7 +32,7 @@ if [ -z "$(management/cli.py user)" ]; then input_box "Mail Account" \ "That's not a valid email address. \n\nWhat email address do you want?" \ - $EMAIL_ADDR \ + "$EMAIL_ADDR" \ EMAIL_ADDR if [ -z "$EMAIL_ADDR" ]; then # user hit ESC/cancel @@ -56,11 +57,11 @@ if [ -z "$(management/cli.py user)" ]; then fi # Create the user's mail account. This will ask for a password if none was given above. - management/cli.py user add $EMAIL_ADDR ${EMAIL_PW:-} + management/cli.py user add "$EMAIL_ADDR" "${EMAIL_PW:-}" # Make it an admin. - hide_output management/cli.py user make-admin $EMAIL_ADDR + hide_output management/cli.py user make-admin "$EMAIL_ADDR" # Create an alias to which we'll direct all automatically-created administrative aliases. - management/cli.py alias add administrator@$PRIMARY_HOSTNAME $EMAIL_ADDR > /dev/null + management/cli.py alias add "administrator@$PRIMARY_HOSTNAME" "$EMAIL_ADDR" > /dev/null fi diff --git a/setup/functions.sh b/setup/functions.sh index 94958774..45c08309 100644 --- a/setup/functions.sh +++ b/setup/functions.sh @@ -1,3 +1,4 @@ +#!/bin/bash # -*- indent-tabs-mode: t; tab-width: 4; -*- ##### ##### This file is part of Mail-in-a-Box-LDAP which is released under the @@ -32,7 +33,7 @@ function hide_output { # Execute command, redirecting stderr/stdout to the temporary file. Since we # check the return code ourselves, disable 'set -e' temporarily. set +e - "$@" &> $OUTPUT + "$@" &> "$OUTPUT" E=$? set -e @@ -40,15 +41,15 @@ function hide_output { if [ $E != 0 ]; then # Something failed. echo - echo FAILED: "$@" + echo "FAILED: $*" echo ----------------------------------------- - cat $OUTPUT + cat "$OUTPUT" echo ----------------------------------------- exit $E fi # Remove temporary file. - rm -f $OUTPUT + rm -f "$OUTPUT" } function wait_for_apt_lock { @@ -97,9 +98,9 @@ function get_default_hostname { # Guess the machine's hostname. It should be a fully qualified # domain name suitable for DNS. None of these calls may provide # the right value, but it's the best guess we can make. - set -- $(hostname --fqdn 2>/dev/null || + set -- "$(hostname --fqdn 2>/dev/null || hostname --all-fqdns 2>/dev/null || - hostname 2>/dev/null) + hostname 2>/dev/null)" printf '%s\n' "$1" # return this value } @@ -111,7 +112,7 @@ function get_publicip_from_web_service { # # Pass '4' or '6' as an argument to this function to specify # what type of address to get (IPv4, IPv6). - curl -$1 --fail --silent --max-time 15 icanhazip.com 2>/dev/null || /bin/true + curl -"$1" --fail --silent --max-time 15 icanhazip.com 2>/dev/null || /bin/true } function get_default_privateip { @@ -154,19 +155,19 @@ function get_default_privateip { if [ "$1" == "6" ]; then target=2001:4860:4860::8888; fi # Get the route information. - route=$(ip -$1 -o route get $target 2>/dev/null | grep -v unreachable) + route=$(ip -"$1" -o route get $target 2>/dev/null | grep -v unreachable) # Parse the address out of the route information. - address=$(echo $route | sed "s/.* src \([^ ]*\).*/\1/") + address=$(echo "$route" | sed "s/.* src \([^ ]*\).*/\1/") if [[ "$1" == "6" && $address == fe80:* ]]; then # For IPv6 link-local addresses, parse the interface out # of the route information and append it with a '%'. - interface=$(echo $route | sed "s/.* dev \([^ ]*\).*/\1/") + interface=$(echo "$route" | sed "s/.* dev \([^ ]*\).*/\1/") address=$address%$interface fi - echo $address + echo "$address" } function ufw_allow { @@ -184,7 +185,7 @@ function ufw_limit { } function restart_service { - hide_output service $1 restart + hide_output service "$1" restart } ## Dialog Functions ## @@ -213,7 +214,7 @@ function input_menu { declare -n result_code=$4_EXITCODE local IFS=^$'\n' set +e - result=$(dialog --stdout --title "$1" --menu "$2" 0 0 0 $3) + result=$(dialog --stdout --title "$1" --menu "$2" 0 0 0 "$3") result_code=$? set -e } @@ -225,17 +226,17 @@ function wget_verify { HASH=$2 DEST=$3 CHECKSUM="$HASH $DEST" - rm -f $DEST - hide_output wget --compression=auto -O $DEST $URL + rm -f "$DEST" + hide_output wget --compression=auto -O "$DEST" "$URL" if ! echo "$CHECKSUM" | sha1sum --check --strict > /dev/null; then echo "------------------------------------------------------------" echo "Download of $URL did not match expected checksum." echo "Found:" - sha1sum $DEST + sha1sum "$DEST" echo echo "Expected:" echo "$CHECKSUM" - rm -f $DEST + rm -f "$DEST" exit 1 fi } @@ -251,10 +252,10 @@ function git_clone { SUBDIR=$3 TARGETPATH=$4 TMPPATH=/tmp/git-clone-$$ - rm -rf $TMPPATH $TARGETPATH - git clone -q $REPO $TMPPATH || exit 1 - (cd $TMPPATH; git checkout -q $TREEISH;) || exit 1 - mv $TMPPATH/$SUBDIR $TARGETPATH + rm -rf $TMPPATH "$TARGETPATH" + git clone -q "$REPO" $TMPPATH || exit 1 + (cd $TMPPATH; git checkout -q "$TREEISH";) || exit 1 + mv $TMPPATH/"$SUBDIR" "$TARGETPATH" rm -rf $TMPPATH } @@ -326,14 +327,14 @@ say() { wait_for_management_daemon() { local progress="${1:-progress}" # show progress? "progress"/"no-progress" local max_wait="${2:-60}" # seconds, 0=forever - local start=$(date +%s) + local start="$(date +%s)" local elapsed=0 now [ "$max_wait" = "forever" ] && max_wait=0 - + # Wait for the management daemon to start... until nc -z -w 4 127.0.0.1 10222 do - now=$(date +%s) + now="$(date +%s)" # let returns 1 if the equasion evaluates to zero, which will # cause the script to exit because of set -e. add one. [ $now -eq $start ] && let now+=1 @@ -343,7 +344,7 @@ wait_for_management_daemon() { return 1 fi if [ "$progress" = "progress" ]; then - echo Waiting for the Mail-in-a-Box management daemon to start... + echo "Waiting for the Mail-in-a-Box management daemon to start..." fi sleep 2 done @@ -383,4 +384,3 @@ remove_hook_handler() { fi fi } - diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index 68331a51..0af6a1de 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -54,8 +54,8 @@ apt_install \ # - https://www.dovecot.org/list/dovecot/2012-August/137569.html # - https://www.dovecot.org/list/dovecot/2011-December/132455.html tools/editconf.py /etc/dovecot/conf.d/10-master.conf \ - default_process_limit=$(echo "$(nproc) * 250" | bc) \ - default_vsz_limit=$(echo "$(free -tm | tail -1 | awk '{print $2}') / 3" | bc)M \ + default_process_limit="$(($(nproc) * 250))" \ + default_vsz_limit="$(($(free -tm | tail -1 | awk '{print $2}') / 3))M" \ log_path=/var/log/mail.log # The inotify `max_user_instances` default is 128, which constrains @@ -70,7 +70,7 @@ tools/editconf.py /etc/sysctl.conf \ # username part of the user's email address. We'll ensure that no bad domains or email addresses # are created within the management daemon. tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \ - mail_location=maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n \ + mail_location="maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n" \ mail_privileged_group=mail \ first_valid_uid=0 @@ -161,7 +161,7 @@ EOF # Setting a `postmaster_address` is required or LMTP won't start. An alias # will be created automatically by our management daemon. tools/editconf.py /etc/dovecot/conf.d/15-lda.conf \ - postmaster_address=postmaster@$PRIMARY_HOSTNAME + "postmaster_address=postmaster@$PRIMARY_HOSTNAME" # ### Sieve @@ -210,14 +210,14 @@ chown -R mail:dovecot /etc/dovecot chmod -R o-rwx /etc/dovecot # Ensure mailbox files have a directory that exists and are owned by the mail user. -mkdir -p $STORAGE_ROOT/mail/mailboxes -chown -R mail:mail $STORAGE_ROOT/mail/mailboxes +mkdir -p "$STORAGE_ROOT/mail/mailboxes" +chown -R mail:mail "$STORAGE_ROOT/mail/mailboxes" # Same for the sieve scripts. -mkdir -p $STORAGE_ROOT/mail/sieve -mkdir -p $STORAGE_ROOT/mail/sieve/global_before -mkdir -p $STORAGE_ROOT/mail/sieve/global_after -chown -R mail:mail $STORAGE_ROOT/mail/sieve +mkdir -p "$STORAGE_ROOT/mail/sieve" +mkdir -p "$STORAGE_ROOT/mail/sieve/global_before" +mkdir -p "$STORAGE_ROOT/mail/sieve/global_after" +chown -R mail:mail "$STORAGE_ROOT/mail/sieve" # Allow the IMAP/POP ports in the firewall. ufw_allow imaps diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index c115fc86..23fce799 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -65,9 +65,9 @@ apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates postfix # * Extend the SPF time limit to avoid timeouts chasing SPF records tools/editconf.py /etc/postfix/main.cf \ inet_interfaces=all \ - smtp_bind_address=$PRIVATE_IP \ - smtp_bind_address6=$PRIVATE_IPV6 \ - myhostname=$PRIMARY_HOSTNAME\ + smtp_bind_address="$PRIVATE_IP" \ + smtp_bind_address6="$PRIVATE_IPV6" \ + myhostname="$PRIMARY_HOSTNAME"\ smtpd_banner="\$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)" \ mydestination=localhost @@ -159,9 +159,9 @@ sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters tools/editconf.py /etc/postfix/main.cf \ smtpd_tls_security_level=may\ smtpd_tls_auth_only=yes \ - smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \ - smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \ - smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \ + smtpd_tls_cert_file="$STORAGE_ROOT/ssl/ssl_certificate.pem" \ + smtpd_tls_key_file="$STORAGE_ROOT/ssl/ssl_private_key.pem" \ + smtpd_tls_dh1024_param_file="$STORAGE_ROOT/ssl/dh2048.pem" \ smtpd_tls_protocols="!SSLv2,!SSLv3" \ smtpd_tls_ciphers=medium \ tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \ @@ -281,13 +281,13 @@ tools/editconf.py /etc/default/postgrey \ # If the $STORAGE_ROOT/mail/postgrey is empty, copy the postgrey database over from the old location -if [ ! -d $STORAGE_ROOT/mail/postgrey/db ]; then +if [ ! -d "$STORAGE_ROOT/mail/postgrey/db" ]; then # Stop the service service postgrey stop # Ensure the new paths for postgrey db exists - mkdir -p $STORAGE_ROOT/mail/postgrey/db + mkdir -p "$STORAGE_ROOT/mail/postgrey/db" # Move over database files - mv /var/lib/postgrey/* $STORAGE_ROOT/mail/postgrey/db/ || true + mv /var/lib/postgrey/* "$STORAGE_ROOT/mail/postgrey/db/" || true fi # keep the postgrey local client whitelist file in STORAGE_ROOT so it # gets backed up @@ -299,8 +299,8 @@ fi ln -sf "$STORAGE_ROOT/mail/postgrey/whitelist_clients.local" \ "/etc/postgrey/whitelist_clients.local" # Ensure permissions are set -chown -R postgrey:postgrey $STORAGE_ROOT/mail/postgrey/ -chmod 700 $STORAGE_ROOT/mail/postgrey/{,db} +chown -R postgrey:postgrey "$STORAGE_ROOT/mail/postgrey/" +chmod 700 "$STORAGE_ROOT/mail/postgrey/"{,db} # We are going to setup a newer whitelist for postgrey, the version included in the distribution is old cat > /etc/cron.daily/mailinabox-postgrey-whitelist << EOF; diff --git a/setup/mail-users.sh b/setup/mail-users.sh index 1522d77f..b9a76635 100755 --- a/setup/mail-users.sh +++ b/setup/mail-users.sh @@ -27,10 +27,10 @@ source /etc/mailinabox.conf # load global vars source ${STORAGE_ROOT}/ldap/miab_ldap.conf # user-data specific vars dovecot_setting() { - /usr/bin/doveconf $1 2>/dev/null | awk -F= '{gsub(/^ +/, "", $2); print $2}' + /usr/bin/doveconf "$1" 2>/dev/null | awk -F= '{gsub(/^ +/, "", $2); print $2}' } postfix_setting() { - /usr/sbin/postconf $1 2>/dev/null | awk -F= '{gsub(/^ +/, "", $2); print $2}' + /usr/sbin/postconf "$1" 2>/dev/null | awk -F= '{gsub(/^ +/, "", $2); print $2}' } # ### User Authentication @@ -249,7 +249,7 @@ chmod 0640 /etc/postfix/virtual-mailbox-maps.cf # This is the ldap version of aliases(5) but for virtual # addresses. Postfix queries this recursively to determine delivery # addresses. Aliases may be addresses, domains, and catch-alls. -# +# cat > /etc/postfix/virtual-alias-maps.cf < $STORAGE_ROOT/backup/secret_key.txt) +mkdir -p "$STORAGE_ROOT/backup" +if [ ! -f "$STORAGE_ROOT/backup/secret_key.txt" ]; then + umask 077; openssl rand -base64 2048 > "$STORAGE_ROOT/backup/secret_key.txt" fi @@ -109,8 +109,8 @@ tr -cd '[:xdigit:]' < /dev/urandom | head -c 32 > /var/lib/mailinabox/api.key chmod 640 /var/lib/mailinabox/api.key source $venv/bin/activate -export PYTHONPATH=$(pwd)/management -exec gunicorn --log-level ${MGMT_LOG_LEVEL:-info} -b localhost:10222 -w 1 --timeout 630 wsgi:app +export PYTHONPATH=$PWD/management +exec gunicorn --log-level "${MGMT_LOG_LEVEL:-info}" -b localhost:10222 -w 1 --timeout 630 wsgi:app EOF chmod +x $inst_dir/start cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first @@ -126,7 +126,7 @@ minute=$((RANDOM % 60)) # avoid overloading mailinabox.email cat > /etc/cron.d/mailinabox-nightly << EOF; # Mail-in-a-Box --- Do not edit / will be overwritten on update. # Run nightly tasks: backup, status checks. -$minute 3 * * * root (cd $(pwd) && management/daily_tasks.sh) +$minute 3 * * * root (cd $PWD && management/daily_tasks.sh) EOF # Start the management server. diff --git a/setup/munin.sh b/setup/munin.sh index 90b72047..79e7afc9 100755 --- a/setup/munin.sh +++ b/setup/munin.sh @@ -50,7 +50,7 @@ chown munin /var/log/munin/munin-cgi-graph.log # ensure munin-node knows the name of this machine # and reduce logging level to warning tools/editconf.py /etc/munin/munin-node.conf -s \ - host_name=$PRIMARY_HOSTNAME \ + host_name="$PRIMARY_HOSTNAME" \ log_level=1 # Update the activated plugins through munin's autoconfiguration. @@ -62,9 +62,9 @@ find /etc/munin/plugins/ -lname /usr/share/munin/plugins/ntp_ -print0 | xargs -0 # Deactivate monitoring of network interfaces that are not up. Otherwise we can get a lot of empty charts. for f in $(find /etc/munin/plugins/ \( -lname /usr/share/munin/plugins/if_ -o -lname /usr/share/munin/plugins/if_err_ -o -lname /usr/share/munin/plugins/bonding_err_ \)); do - IF=$(echo $f | sed s/.*_//); - if ! grep -qFx up /sys/class/net/$IF/operstate 2>/dev/null; then - rm $f; + IF=$(echo "$f" | sed s/.*_//); + if ! grep -qFx up "/sys/class/net/$IF/operstate" 2>/dev/null; then + rm "$f"; fi; done @@ -72,7 +72,7 @@ done mkdir -p /var/lib/munin-node/plugin-state/ # Create a systemd service for munin. -ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh +ln -sf "$PWD/management/munin_start.sh" /usr/local/lib/mailinabox/munin_start.sh chmod 0744 /usr/local/lib/mailinabox/munin_start.sh cp --remove-destination conf/munin.service /lib/systemd/system/munin.service # target was previously a symlink so remove first hide_output systemctl link -f /lib/systemd/system/munin.service diff --git a/setup/network-checks.sh b/setup/network-checks.sh index 5e1f173b..1571cd37 100644 --- a/setup/network-checks.sh +++ b/setup/network-checks.sh @@ -1,3 +1,4 @@ +#!/bin/bash ##### ##### This file is part of Mail-in-a-Box-LDAP which is released under the ##### terms of the GNU Affero General Public License as published by the @@ -15,7 +16,7 @@ apt_get_quiet install bind9-host sed netcat-openbsd # The user might have chosen a name that was previously in use by a spammer # and will not be able to reliably send mail. Do this after any automatic # choices made above. -if host $PRIMARY_HOSTNAME.dbl.spamhaus.org > /dev/null; then +if host "$PRIMARY_HOSTNAME.dbl.spamhaus.org" > /dev/null; then echo echo "The hostname you chose '$PRIMARY_HOSTNAME' is listed in the" echo "Spamhaus Domain Block List. See http://www.spamhaus.org/dbl/" @@ -31,8 +32,8 @@ fi # The user might have ended up on an IP address that was previously in use # by a spammer, or the user may be deploying on a residential network. We # will not be able to reliably send mail in these cases. -REVERSED_IPV4=$(echo $PUBLIC_IP | sed "s/\([0-9]*\).\([0-9]*\).\([0-9]*\).\([0-9]*\)/\4.\3.\2.\1/") -if host $REVERSED_IPV4.zen.spamhaus.org > /dev/null; then +REVERSED_IPV4=$(echo "$PUBLIC_IP" | sed "s/\([0-9]*\).\([0-9]*\).\([0-9]*\).\([0-9]*\)/\4.\3.\2.\1/") +if host "$REVERSED_IPV4.zen.spamhaus.org" > /dev/null; then echo echo "The IP address $PUBLIC_IP is listed in the Spamhaus Block List." echo "See http://www.spamhaus.org/query/ip/$PUBLIC_IP." diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index ad867e29..b512ea26 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -82,13 +82,13 @@ user_external_hash=a494073dcdecbbbc79a9c77f72524ac9994d2eec # Clear prior packages and install dependencies from apt. apt-get purge -qq -y owncloud* # we used to use the package manager -apt_install curl php${PHP_VER} php${PHP_VER}-fpm \ - php${PHP_VER}-cli php${PHP_VER}-sqlite3 php${PHP_VER}-gd php${PHP_VER}-imap php${PHP_VER}-curl \ - php${PHP_VER}-dev php${PHP_VER}-gd php${PHP_VER}-xml php${PHP_VER}-mbstring php${PHP_VER}-zip php${PHP_VER}-apcu \ - php${PHP_VER}-intl php${PHP_VER}-imagick php${PHP_VER}-gmp php${PHP_VER}-bcmath +apt_install curl php"${PHP_VER}" php"${PHP_VER}"-fpm \ + php"${PHP_VER}"-cli php"${PHP_VER}"-sqlite3 php"${PHP_VER}"-gd php"${PHP_VER}"-imap php"${PHP_VER}"-curl \ + php"${PHP_VER}"-dev php"${PHP_VER}"-gd php"${PHP_VER}"-xml php"${PHP_VER}"-mbstring php"${PHP_VER}"-zip php"${PHP_VER}"-apcu \ + php"${PHP_VER}"-intl php"${PHP_VER}"-imagick php"${PHP_VER}"-gmp php"${PHP_VER}"-bcmath # Enable APC before Nextcloud tools are run. -tools/editconf.py /etc/php/$PHP_VER/mods-available/apcu.ini -c ';' \ +tools/editconf.py /etc/php/"$PHP_VER"/mods-available/apcu.ini -c ';' \ apc.enabled=1 \ apc.enable_cli=1 @@ -108,7 +108,7 @@ InstallNextcloud() { echo # Download and verify - get_nc_download_url $version .zip + get_nc_download_url "$version" .zip download_link "$DOWNLOAD_URL" to-file use-cache "$DOWNLOAD_URL_CACHE_ID" "" "$hash" rm -f /tmp/nextcloud.zip $DOWNLOAD_FILE_REMOVE && mv "$DOWNLOAD_FILE" /tmp/nextcloud.zip || ln -s "$DOWNLOAD_FILE" /tmp/nextcloud.zip @@ -125,11 +125,11 @@ InstallNextcloud() { # their github repositories. mkdir -p /usr/local/lib/owncloud/apps - wget_verify https://github.com/nextcloud-releases/contacts/archive/refs/tags/v$version_contacts.tar.gz $hash_contacts /tmp/contacts.tgz + wget_verify "https://github.com/nextcloud-releases/contacts/archive/refs/tags/v$version_contacts.tar.gz" "$hash_contacts" /tmp/contacts.tgz tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/contacts.tgz - wget_verify https://github.com/nextcloud-releases/calendar/archive/refs/tags/v$version_calendar.tar.gz $hash_calendar /tmp/calendar.tgz + wget_verify "https://github.com/nextcloud-releases/calendar/archive/refs/tags/v$version_calendar.tar.gz" "$hash_calendar" /tmp/calendar.tgz tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/calendar.tgz @@ -141,7 +141,7 @@ InstallNextcloud() { git_clone https://github.com/nextcloud/user_external.git "$version_user_external" '' /usr/local/lib/owncloud/apps/user_external else # otherwise, download a release - wget_verify https://github.com/nextcloud-releases/user_external/releases/download/v$version_user_external/user_external-v$version_user_external.tar.gz $hash_user_external /tmp/user_external.tgz + wget_verify "https://github.com/nextcloud-releases/user_external/releases/download/v$version_user_external/user_external-v$version_user_external.tar.gz" "$hash_user_external" /tmp/user_external.tgz tar -xf /tmp/user_external.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/user_external.tgz fi @@ -152,33 +152,35 @@ InstallNextcloud() { # Create a symlink to the config.php in STORAGE_ROOT (for upgrades we're restoring the symlink we previously # put in, and in new installs we're creating a symlink and will create the actual config later). - ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php + ln -sf "$STORAGE_ROOT/owncloud/config.php" /usr/local/lib/owncloud/config/config.php # Make sure permissions are correct or the upgrade step won't run. # $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress # that error. - chown -f -R www-data:www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud || /bin/true + chown -f -R www-data:www-data "$STORAGE_ROOT/owncloud" /usr/local/lib/owncloud || /bin/true # If this isn't a new installation, immediately run the upgrade script. # Then check for success (0=ok and 3=no upgrade needed, both are success). - if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then + if [ -e "$STORAGE_ROOT/owncloud/owncloud.db" ]; then # ownCloud 8.1.1 broke upgrades. It may fail on the first attempt, but # that can be OK. - hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ upgrade - if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then + hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ upgrade + E=$? + if [ $E -ne 0 ] && [ $E -ne 3 ]; then echo "Trying ownCloud upgrade again to work around ownCloud upgrade bug..." - sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ upgrade - if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi - sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ maintenance:mode --off + sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ upgrade + E=$? + if [ $E -ne 0 ] && [ $E -ne 3 ]; then exit 1; fi + sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ maintenance:mode --off echo "...which seemed to work." fi # Add missing indices. NextCloud didn't include this in the normal upgrade because it might take some time. - hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ db:add-missing-indices - hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ db:add-missing-primary-keys + hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ db:add-missing-indices + hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ db:add-missing-primary-keys # Run conversion to BigInt identifiers, this process may take some time on large tables. - hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ db:convert-filecache-bigint --no-interaction + hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ db:convert-filecache-bigint --no-interaction fi } @@ -194,7 +196,7 @@ if [ -d "/usr/local/lib/owncloud" ]; then fi # If config.php exists, get version number, otherwise CURRENT_NEXTCLOUD_VER is empty. if [ -f "$STORAGE_ROOT/owncloud/config.php" ]; then - CURRENT_NEXTCLOUD_VER=$(php$PHP_VER -r "include(\"$STORAGE_ROOT/owncloud/config.php\"); echo(\$CONFIG['version']);") + CURRENT_NEXTCLOUD_VER=$(php"$PHP_VER" -r "include(\"$STORAGE_ROOT/owncloud/config.php\"); echo(\$CONFIG['version']);") else CURRENT_NEXTCLOUD_VER="" fi @@ -204,7 +206,7 @@ fi if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextcloud_ver ]]; then # Stop php-fpm if running. If they are not running (which happens on a previously failed install), dont bail. - service php$PHP_VER-fpm stop &> /dev/null || /bin/true + service php"$PHP_VER"-fpm stop &> /dev/null || /bin/true # Backup the existing ownCloud/Nextcloud. # Create a backup directory to store the current installation and database to @@ -214,21 +216,21 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc echo "Upgrading Nextcloud --- backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY..." cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install" fi - if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then - cp $STORAGE_ROOT/owncloud/owncloud.db $BACKUP_DIRECTORY + if [ -e "$STORAGE_ROOT/owncloud/owncloud.db" ]; then + cp "$STORAGE_ROOT/owncloud/owncloud.db" "$BACKUP_DIRECTORY" fi - if [ -e $STORAGE_ROOT/owncloud/config.php ]; then - cp $STORAGE_ROOT/owncloud/config.php $BACKUP_DIRECTORY + if [ -e "$STORAGE_ROOT/owncloud/config.php" ]; then + cp "$STORAGE_ROOT/owncloud/config.php" "$BACKUP_DIRECTORY" fi # If ownCloud or Nextcloud was previously installed.... - if [ ! -z ${CURRENT_NEXTCLOUD_VER} ]; then + if [ -n "${CURRENT_NEXTCLOUD_VER}" ]; then # Database migrations from ownCloud are no longer possible because ownCloud cannot be run under # PHP 7. - if [ -e $STORAGE_ROOT/owncloud/config.php ]; then + if [ -e "$STORAGE_ROOT/owncloud/config.php" ]; then # Remove the read-onlyness of the config, which is needed for migrations, especially for v24 - sed -i -e '/config_is_read_only/d' $STORAGE_ROOT/owncloud/config.php + sed -i -e '/config_is_read_only/d' "$STORAGE_ROOT/owncloud/config.php" fi if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^[89] ]]; then @@ -276,13 +278,13 @@ fi # Setup Nextcloud if the Nextcloud database does not yet exist. Running setup when # the database does exist wipes the database and user data. -if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then +if [ ! -f "$STORAGE_ROOT/owncloud/owncloud.db" ]; then # Create user data directory - mkdir -p $STORAGE_ROOT/owncloud + mkdir -p "$STORAGE_ROOT/owncloud" # Create an initial configuration file. - instanceid=oc$(echo $PRIMARY_HOSTNAME | sha1sum | fold -w 10 | head -n 1) - cat > $STORAGE_ROOT/owncloud/config.php < "$STORAGE_ROOT/owncloud/config.php" < '$STORAGE_ROOT/owncloud', @@ -335,12 +337,12 @@ EOF EOF # Set permissions - chown -R www-data:www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud + chown -R www-data:www-data "$STORAGE_ROOT/owncloud" /usr/local/lib/owncloud # Execute Nextcloud's setup step, which creates the Nextcloud sqlite database. # It also wipes it if it exists. And it updates config.php with database # settings and deletes the autoconfig.php file. - (cd /usr/local/lib/owncloud; sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/index.php;) + (cd /usr/local/lib/owncloud || exit; sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/index.php;) fi # Update config.php. @@ -356,7 +358,7 @@ fi # Use PHP to read the settings file, modify it, and write out the new settings array. TIMEZONE=$(cat /etc/timezone) CONFIG_TEMP=$(/bin/mktemp) -php$PHP_VER < $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php; +php"$PHP_VER" < "$CONFIG_TEMP" && mv "$CONFIG_TEMP" "$STORAGE_ROOT/owncloud/config.php"; EOF -chown www-data:www-data $STORAGE_ROOT/owncloud/config.php +chown www-data:www-data "$STORAGE_ROOT/owncloud/config.php" # Enable/disable apps. Note that this must be done after the Nextcloud setup. # The firstrunwizard gave Josh all sorts of problems, so disabling that. # user_external is what allows Nextcloud to use IMAP for login. The contacts # and calendar apps are the extensions we really care about here. -hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:disable firstrunwizard -hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:enable user_external -hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:enable contacts -hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:enable calendar +hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/console.php app:disable firstrunwizard +hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/console.php app:enable user_external +hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/console.php app:enable contacts +hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/console.php app:enable calendar # When upgrading, run the upgrade script again now that apps are enabled. It seems like # the first upgrade at the top won't work because apps may be disabled during upgrade? # Check for success (0=ok, 3=no upgrade needed). -sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ upgrade -if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi +sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ upgrade +E=$? +if [ $E -ne 0 ] && [ $E -ne 3 ]; then exit 1; fi # Disable default apps that we don't support sudo -u www-data \ - php$PHP_VER /usr/local/lib/owncloud/occ app:disable photos dashboard activity \ + php"$PHP_VER" /usr/local/lib/owncloud/occ app:disable photos dashboard activity \ | (grep -v "No such app enabled" || /bin/true) # Set PHP FPM values to support large file uploads # (semicolon is the comment character in this file, hashes produce deprecation warnings) -tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \ +tools/editconf.py /etc/php/"$PHP_VER"/fpm/php.ini -c ';' \ upload_max_filesize=16G \ post_max_size=16G \ output_buffering=16384 \ @@ -420,7 +423,7 @@ tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \ short_open_tag=On # Set Nextcloud recommended opcache settings -tools/editconf.py /etc/php/$PHP_VER/cli/conf.d/10-opcache.ini -c ';' \ +tools/editconf.py /etc/php/"$PHP_VER"/cli/conf.d/10-opcache.ini -c ';' \ opcache.enable=1 \ opcache.enable_cli=1 \ opcache.interned_strings_buffer=8 \ @@ -434,7 +437,7 @@ tools/editconf.py /etc/php/$PHP_VER/cli/conf.d/10-opcache.ini -c ';' \ # This version was probably in use in Mail-in-a-Box v0.41 (February 26, 2019) and earlier. # We moved to v0.6.3 in 193763f8. Ignore errors - maybe there are duplicated users with the # correct backend already. -sqlite3 $STORAGE_ROOT/owncloud/owncloud.db "UPDATE oc_users_external SET backend='127.0.0.1';" || /bin/true +sqlite3 "$STORAGE_ROOT/owncloud/owncloud.db" "UPDATE oc_users_external SET backend='127.0.0.1';" || /bin/true # Set up a general cron job for Nextcloud. # Also add another job for Calendar updates, per advice in the Nextcloud docs @@ -449,11 +452,11 @@ chmod +x /etc/cron.d/mailinabox-nextcloud # We also need to change the sending mode from background-job to occ. # Or else the reminders will just be sent as soon as possible when the background jobs run. -hide_output sudo -u www-data php$PHP_VER -f /usr/local/lib/owncloud/occ config:app:set dav sendEventRemindersMode --value occ +hide_output sudo -u www-data php"$PHP_VER" -f /usr/local/lib/owncloud/occ config:app:set dav sendEventRemindersMode --value occ # Now set the config to read-only. # Do this only at the very bottom when no further occ commands are needed. -sed -i'' "s/'config_is_read_only'\s*=>\s*false/'config_is_read_only' => true/" $STORAGE_ROOT/owncloud/config.php +sed -i'' "s/'config_is_read_only'\s*=>\s*false/'config_is_read_only' => true/" "$STORAGE_ROOT/owncloud/config.php" # Rotate the nextcloud.log file cat > /etc/logrotate.d/nextcloud </dev/null -chmod -R 660 $STORAGE_ROOT/mail/spamassassin -chmod 770 $STORAGE_ROOT/mail/spamassassin +chmod -R 660 "$STORAGE_ROOT/mail/spamassassin" +chmod 770 "$STORAGE_ROOT/mail/spamassassin" # Initial training? # sa-learn --ham storage/mail/mailboxes/*/*/cur/ diff --git a/setup/ssl.sh b/setup/ssl.sh index 79fb7f41..a3ba8c2f 100755 --- a/setup/ssl.sh +++ b/setup/ssl.sh @@ -37,11 +37,11 @@ source /etc/mailinabox.conf # load global vars # Show a status line if we are going to take any action in this file. if [ ! -f /usr/bin/openssl ] \ - || [ ! -s $STORAGE_ROOT/ssl/ca_private_key.pem ] \ - || [ ! -f $STORAGE_ROOT/ssl/ca_certificate.pem ] \ - || [ ! -s $STORAGE_ROOT/ssl/ssl_private_key.pem ] \ - || [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ] \ - || [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then + || [ ! -s "$STORAGE_ROOT/ssl/ca_private_key.pem" ] \ + || [ ! -f "$STORAGE_ROOT/ssl/ca_certificate.pem" ] \ + || [ ! -s "$STORAGE_ROOT/ssl/ssl_private_key.pem" ] \ + || [ ! -f "$STORAGE_ROOT/ssl/ssl_certificate.pem" ] \ + || [ ! -f "$STORAGE_ROOT/ssl/dh2048.pem" ]; then echo "Creating initial SSL certificate and perfect forward secrecy Diffie-Hellman parameters..." fi @@ -51,7 +51,7 @@ apt_install openssl # Create a directory to store TLS-related things like "SSL" certificates. -mkdir -p $STORAGE_ROOT/ssl +mkdir -p "$STORAGE_ROOT/ssl" # Generate new private keys. # @@ -73,62 +73,62 @@ mkdir -p $STORAGE_ROOT/ssl # # Since we properly seed /dev/urandom in system.sh we should be fine, but I leave # in the rest of the notes in case that ever changes. -if [ ! -s $STORAGE_ROOT/ssl/ca_private_key.pem ]; then +if [ ! -s "$STORAGE_ROOT/ssl/ca_private_key.pem" ]; then # Set the umask so the key file is never world-readable. (umask 077; hide_output \ openssl genrsa -aes256 -passout 'pass:SECRET-PASSWORD' \ - -out $STORAGE_ROOT/ssl/ca_private_key.pem 4096) + -out "$STORAGE_ROOT/ssl/ca_private_key.pem" 4096) # remove the existing ca-certificate, it must be regenerated - rm -f $STORAGE_ROOT/ssl/ca_certificate.pem - + rm -f "$STORAGE_ROOT/ssl/ca_certificate.pem" + # Remove the ssl_certificate.pem symbolic link to force a # regeneration of a self-signed server certificate. Old certs need # to be signed by the new ca. - if [ -L $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then + if [ -L "$STORAGE_ROOT/ssl/ssl_certificate.pem" ]; then # Get the name of the certificate issuer - issuer="$(openssl x509 -issuer -nocert -in $STORAGE_ROOT/ssl/ssl_certificate.pem)" - + issuer="$(openssl x509 -issuer -nocert -in "$STORAGE_ROOT/ssl/ssl_certificate.pem")" + # Determine if the ssl cert if self-signed. If unique hashes is 1, # the cert is self-signed (pior versions of MiaB used self-signed # certs). - uniq_hashes="$(openssl x509 -subject_hash -issuer_hash -nocert -in $STORAGE_ROOT/ssl/ssl_certificate.pem | uniq | wc -l)" - + uniq_hashes="$(openssl x509 -subject_hash -issuer_hash -nocert -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" | uniq | wc -l)" + if [ "$uniq_hashes" == "1" ] || grep "Temporary-Mail-In-A-Box-CA" <<<"$issuer" >/dev/null then - rm -f $STORAGE_ROOT/ssl/ssl_certificate.pem + rm -f "$STORAGE_ROOT/ssl/ssl_certificate.pem" fi fi fi -if [ ! -s $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then +if [ ! -s "$STORAGE_ROOT/ssl/ssl_private_key.pem" ]; then # Set the umask so the key file is never world-readable. (umask 037; hide_output \ - openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048) - + openssl genrsa -out "$STORAGE_ROOT/ssl/ssl_private_key.pem" 2048) + # Remove the ssl_certificate.pem symbolic link to force a # regeneration of the server certificate. It needs to be # signed by the new ca. - if [ -L $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then - rm -f $STORAGE_ROOT/ssl/ssl_certificate.pem + if [ -L "$STORAGE_ROOT/ssl/ssl_certificate.pem" ]; then + rm -f "$STORAGE_ROOT/ssl/ssl_certificate.pem" fi fi # Give the group 'ssl-cert' read access so slapd can read it groupadd -fr ssl-cert -chgrp ssl-cert $STORAGE_ROOT/ssl/ssl_private_key.pem -chmod g+r $STORAGE_ROOT/ssl/ssl_private_key.pem +chgrp ssl-cert "$STORAGE_ROOT/ssl/ssl_private_key.pem" +chmod g+r "$STORAGE_ROOT/ssl/ssl_private_key.pem" # # Generate a root CA certificate # -if [ ! -f $STORAGE_ROOT/ssl/ca_certificate.pem ]; then +if [ ! -f "$STORAGE_ROOT/ssl/ca_certificate.pem" ]; then # Generate the self-signed certificate. - CERT=$STORAGE_ROOT/ssl/ca_certificate.pem + CERT="$STORAGE_ROOT/ssl/ca_certificate.pem" hide_output \ openssl req -new -x509 \ -days 3650 -sha384 \ - -key $STORAGE_ROOT/ssl/ca_private_key.pem \ + -key "$STORAGE_ROOT/ssl/ca_private_key.pem" \ -passin 'pass:SECRET-PASSWORD' \ -out $CERT \ -subj '/CN=Temporary-Mail-In-A-Box-CA' @@ -139,9 +139,9 @@ if [ ! -e /usr/local/share/ca-certificates/mailinabox.crt ]; then # this is required for openldap's TLS implementation # do this as a separate step in case a CA certificate is manually # copied onto the machine for QA/test - CERT=$STORAGE_ROOT/ssl/ca_certificate.pem + CERT="$STORAGE_ROOT/ssl/ca_certificate.pem" hide_output \ - cp $CERT /usr/local/share/ca-certificates/mailinabox.crt + cp "$CERT" /usr/local/share/ca-certificates/mailinabox.crt hide_output \ update-ca-certificates fi @@ -150,28 +150,28 @@ fi # Generate a signed SSL certificate because things like nginx, dovecot, # etc. won't even start without some certificate in place, and we need nginx # so we can offer the user a control panel to install a better certificate. -if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then - # # Generate a certificate signing request. - CSR=/tmp/ssl_cert_sign_req-$$.csr +if [ ! -f "$STORAGE_ROOT/ssl/ssl_certificate.pem" ]; then + # Generate a certificate signing request. + CSR="$(mktemp --tmpdir XXXXXXXXXX.csr)" hide_output \ - openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $CSR \ + openssl req -new -key "$STORAGE_ROOT/ssl/ssl_private_key.pem" -out "$CSR" \ -sha256 -subj "/CN=$PRIMARY_HOSTNAME" # create a ca database (directory) for openssl - CADIR=$STORAGE_ROOT/ssl/ca - mkdir -p $CADIR/newcerts - touch $CADIR/index.txt $CADIR/index.txt.attr - [ ! -e $CADIR/serial ] && date +%s > $CADIR/serial + CADIR="$STORAGE_ROOT/ssl/ca" + mkdir -p "$CADIR/newcerts" + touch "$CADIR/index.txt" "$CADIR/index.txt.attr" + [ ! -e "$CADIR/serial" ] && date +%s > "$CADIR/serial" # Generate the signed certificate. - CERT=$STORAGE_ROOT/ssl/$PRIMARY_HOSTNAME-cert-$(date --rfc-3339=date | sed s/-//g).pem + CERT="$STORAGE_ROOT/ssl/$PRIMARY_HOSTNAME-cert-$(date --rfc-3339=date | sed s/-//g).pem" hide_output \ openssl ca -batch \ - -keyfile $STORAGE_ROOT/ssl/ca_private_key.pem \ - -cert $STORAGE_ROOT/ssl/ca_certificate.pem \ + -keyfile "$STORAGE_ROOT/ssl/ca_private_key.pem" \ + -cert "$STORAGE_ROOT/ssl/ca_certificate.pem" \ -passin 'pass:SECRET-PASSWORD' \ - -in $CSR \ - -out $CERT \ + -in "$CSR" \ + -out "$CERT" \ -days 365 \ -name miab_ca \ -config - <<< " @@ -206,16 +206,16 @@ authorityKeyIdentifier = keyid,issuer " # Delete the certificate signing request because it has no other purpose. - rm -f $CSR + rm -f "$CSR" # Symlink the certificates into the system certificate path, so system services # can find it. - ln -s $CERT $STORAGE_ROOT/ssl/ssl_certificate.pem + ln -s "$CERT" "$STORAGE_ROOT/ssl/ssl_certificate.pem" fi # Generate some Diffie-Hellman cipher bits. # openssl's default bit length for this is 1024 bits, but we'll create # 2048 bits of bits per the latest recommendations. -if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then - openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048 +if [ ! -f "$STORAGE_ROOT/ssl/dh2048.pem" ]; then + openssl dhparam -out "$STORAGE_ROOT/ssl/dh2048.pem" 2048 fi diff --git a/setup/start.sh b/setup/start.sh index a93408cf..33335885 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -37,7 +37,7 @@ export LC_TYPE=en_US.UTF-8 export NCURSES_NO_UTF8_ACS=1 # if encryption-at-rest is enabled, make sure the drive is mounted -ehdd/mount.sh +ehdd/mount.sh # Recall the last settings used if we're running this a second time. if [ -f /etc/mailinabox.conf ]; then @@ -58,7 +58,7 @@ fi # in the first dialog prompt, so we should do this before that starts. cat > /usr/local/bin/mailinabox << EOF; #!/bin/bash -cd $(pwd) +cd $PWD source $(source ehdd/ehdd_funcs.sh; if hdd_exists; then echo 'ehdd/start-encrypted.sh'; else echo 'setup/start.sh'; fi) EOF chmod +x /usr/local/bin/mailinabox @@ -87,22 +87,22 @@ fi # migration (schema) number for the files stored there, assume this is a fresh # installation to that directory and write the file to contain the current # migration number for this version of Mail-in-a-Box. -if ! id -u $STORAGE_USER >/dev/null 2>&1; then - useradd -m $STORAGE_USER +if ! id -u "$STORAGE_USER" >/dev/null 2>&1; then + useradd -m "$STORAGE_USER" # default permissions for new home directories in jammy (ubuntu # 22) changed from 0755 to 0750. openldap (slapd.service) runs # under its own user account (openldap) and requires access to # STORAGE_ROOT - chmod o+x $STORAGE_ROOT + chmod o+x "$STORAGE_ROOT" fi -if [ ! -d $STORAGE_ROOT ]; then - mkdir -p $STORAGE_ROOT +if [ ! -d "$STORAGE_ROOT" ]; then + mkdir -p "$STORAGE_ROOT" fi f=$STORAGE_ROOT while [[ $f != / ]]; do chmod a+rx "$f"; f=$(dirname "$f"); done; -if [ ! -f $STORAGE_ROOT/mailinabox-ldap.version ]; then - setup/migrate.py --current > $STORAGE_ROOT/mailinabox-ldap.version - chown $STORAGE_USER:$STORAGE_USER $STORAGE_ROOT/mailinabox-ldap.version +if [ ! -f "$STORAGE_ROOT/mailinabox-ldap.version" ]; then + setup/migrate.py --current > "$STORAGE_ROOT/mailinabox-ldap.version" + chown "$STORAGE_USER:$STORAGE_USER" "$STORAGE_ROOT/mailinabox-ldap.version" fi # normalize the directory path for setup mods @@ -161,14 +161,14 @@ source setup/firstuser.sh # We'd let certbot ask the user interactively, but when this script is # run in the recommended curl-pipe-to-bash method there is no TTY and # certbot will fail if it tries to ask. -if [ -z "${SKIP_CERTBOT:-}" ] && [ ! -d $STORAGE_ROOT/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/ ]; then +if [ -z "${SKIP_CERTBOT:-}" ] && [ ! -d "$STORAGE_ROOT/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/" ]; then echo echo "-----------------------------------------------" echo "Mail-in-a-Box uses Let's Encrypt to provision free SSL/TLS certificates" echo "to enable HTTPS connections to your box. We're automatically" echo "agreeing you to their subscriber agreement. See https://letsencrypt.org." echo -certbot register --register-unsafely-without-email --agree-tos --config-dir $STORAGE_ROOT/ssl/lets_encrypt +certbot register --register-unsafely-without-email --agree-tos --config-dir "$STORAGE_ROOT/ssl/lets_encrypt" fi # @@ -179,27 +179,27 @@ source setup/setupmods.sh echo echo "-----------------------------------------------" echo -echo Your Mail-in-a-Box is running. +echo "Your Mail-in-a-Box is running." echo -echo Please log in to the control panel for further instructions at: +echo "Please log in to the control panel for further instructions at:" echo if management/status_checks.py --check-primary-hostname; then # Show the nice URL if it appears to be resolving and has a valid certificate. - echo https://$PRIMARY_HOSTNAME/admin + echo "https://$PRIMARY_HOSTNAME/admin" echo echo "If you have a DNS problem put the box's IP address in the URL" echo "(https://$PUBLIC_IP/admin) but then check the TLS fingerprint:" - openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\ + openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256\ | sed "s/SHA256 Fingerprint=//i" else - echo https://$PUBLIC_IP/admin + echo "https://$PUBLIC_IP/admin" echo - echo You will be alerted that the website has an invalid certificate. Check that - echo the certificate fingerprint matches: + echo "You will be alerted that the website has an invalid certificate. Check that" + echo "the certificate fingerprint matches:" echo - openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\ + openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256\ | sed "s/SHA256 Fingerprint=//i" echo - echo Then you can confirm the security exception and continue. + echo "Then you can confirm the security exception and continue." echo fi diff --git a/setup/system.sh b/setup/system.sh index cbaa64f3..7d51372d 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -1,3 +1,4 @@ +#!/bin/bash ##### ##### This file is part of Mail-in-a-Box-LDAP which is released under the ##### terms of the GNU Affero General Public License as published by the @@ -20,8 +21,8 @@ source setup/functions.sh # load our functions # # First set the hostname in the configuration file, then activate the setting -echo $PRIMARY_HOSTNAME > /etc/hostname -hostname $PRIMARY_HOSTNAME +echo "$PRIMARY_HOSTNAME" > /etc/hostname +hostname "$PRIMARY_HOSTNAME" # ### Fix permissions @@ -62,14 +63,14 @@ if [ -z "$SWAP_IN_FSTAB" ] && [ ! -e /swapfile ] && [ -z "$ROOT_IS_BTRFS" ] && - [ $TOTAL_PHYSICAL_MEM -lt 1900000 ] && - [ $AVAILABLE_DISK_SPACE -gt 5242880 ] + [ "$TOTAL_PHYSICAL_MEM" -lt 1900000 ] && + [ "$AVAILABLE_DISK_SPACE" -gt 5242880 ] then echo "Adding a swap file to the system..." # Allocate and activate the swap file. Allocate in 1KB chuncks # doing it in one go, could fail on low memory systems - dd if=/dev/zero of=/swapfile bs=1024 count=$[1024*1024] status=none + dd if=/dev/zero of=/swapfile bs=1024 count=$((1024*1024)) status=none if [ -e /swapfile ]; then chmod 600 /swapfile hide_output mkswap /swapfile @@ -120,13 +121,13 @@ hide_output add-apt-repository --y ppa:ondrej/php # PPAs so we can install those packages later. if [ "${SKIP_SYSTEM_UPDATE:-0}" != "1" ]; then - echo Updating system packages... + echo "Updating system packages..." hide_output apt-get update apt_get_quiet upgrade -# Old kernels pile up over time and take up a lot of disk space, and because of Mail-in-a-Box -# changes there may be other packages that are no longer needed. Clear out anything apt knows -# is safe to delete. + # Old kernels pile up over time and take up a lot of disk space, and because of Mail-in-a-Box + # changes there may be other packages that are no longer needed. Clear out anything apt knows + # is safe to delete. apt_get_quiet autoremove fi @@ -146,7 +147,7 @@ fi # * bc: allows us to do math to compute sane defaults # * openssh-client: provides ssh-keygen -echo Installing system packages... +echo "Installing system packages..." apt_install python3 python3-dev python3-pip python3-setuptools \ netcat-openbsd wget curl git sudo coreutils bc file \ pollinate openssh-client unzip \ @@ -175,7 +176,7 @@ fi # not likely the user will want to change this, so we only ask on first # setup. if [ -z "${NONINTERACTIVE:-}" ]; then - if [ ! -f /etc/timezone ] || [ ! -z ${FIRST_TIME_SETUP:-} ]; then + if [ ! -f /etc/timezone ] || [ -n "${FIRST_TIME_SETUP:-}" ]; then # If the file is missing or this is the user's first time running # Mail-in-a-Box setup, run the interactive timezone configuration # tool. @@ -237,7 +238,7 @@ fi # hardware entropy to get going, by drawing from /dev/random. haveged makes this # less likely to stall for very long. -echo Initializing system random number generator... +echo "Initializing system random number generator..." dd if=/dev/random of=/dev/urandom bs=1 count=32 2> /dev/null # This is supposedly sufficient. But because we're not sure if hardware entropy @@ -281,11 +282,11 @@ if [ -z "${DISABLE_FIREWALL:-}" ]; then # settings, find the port it is supposedly running on, and open that port #NODOC # too. #NODOC SSH_PORT=$(sshd -T 2>/dev/null | grep "^port " | sed "s/port //") #NODOC - if [ ! -z "$SSH_PORT" ]; then + if [ -n "$SSH_PORT" ]; then if [ "$SSH_PORT" != "22" ]; then - echo Opening alternate SSH port $SSH_PORT. #NODOC - ufw_limit $SSH_PORT #NODOC + echo "Opening alternate SSH port $SSH_PORT." #NODOC + ufw_limit "$SSH_PORT" #NODOC fi fi diff --git a/setup/web.sh b/setup/web.sh index 7a61fa3c..57e9c006 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -17,7 +17,7 @@ source /etc/mailinabox.conf # load global vars # Some Ubuntu images start off with Apache. Remove it since we # will use nginx. Use autoremove to remove any Apache depenencies. if [ -f /usr/sbin/apache2 ]; then - echo Removing apache... + echo "Removing apache..." hide_output apt-get -y purge apache2 apache2-* hide_output apt-get -y --purge autoremove fi @@ -28,7 +28,7 @@ fi echo "Installing Nginx (web server)..." -apt_install nginx php${PHP_VER}-cli php${PHP_VER}-fpm idn2 +apt_install nginx php"${PHP_VER}"-cli php"${PHP_VER}"-fpm idn2 rm -f /etc/nginx/sites-enabled/default @@ -55,15 +55,15 @@ tools/editconf.py /etc/nginx/nginx.conf -s \ ssl_protocols="TLSv1.2 TLSv1.3;" # Tell PHP not to expose its version number in the X-Powered-By header. -tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \ +tools/editconf.py /etc/php/"$PHP_VER"/fpm/php.ini -c ';' \ expose_php=Off # Set PHPs default charset to UTF-8, since we use it. See #367. -tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \ +tools/editconf.py /etc/php/"$PHP_VER"/fpm/php.ini -c ';' \ default_charset="UTF-8" # Configure the path environment for php-fpm -tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \ +tools/editconf.py /etc/php/"$PHP_VER"/fpm/pool.d/www.conf -c ';' \ env[PATH]=/usr/local/bin:/usr/bin:/bin \ # Configure php-fpm based on the amount of memory the machine has @@ -71,32 +71,32 @@ tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \ # Some synchronisation issues can occur when many people access the site at once. # The pm=ondemand setting is used for memory constrained machines < 2GB, this is copied over from PR: 1216 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true) -if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ] +if [ "$TOTAL_PHYSICAL_MEM" -lt 1000000 ] then - tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \ + tools/editconf.py /etc/php/"$PHP_VER"/fpm/pool.d/www.conf -c ';' \ pm=ondemand \ pm.max_children=8 \ pm.start_servers=2 \ pm.min_spare_servers=1 \ pm.max_spare_servers=3 -elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ] +elif [ "$TOTAL_PHYSICAL_MEM" -lt 2000000 ] then - tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \ + tools/editconf.py /etc/php/"$PHP_VER"/fpm/pool.d/www.conf -c ';' \ pm=ondemand \ pm.max_children=16 \ pm.start_servers=4 \ pm.min_spare_servers=1 \ pm.max_spare_servers=6 -elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ] +elif [ "$TOTAL_PHYSICAL_MEM" -lt 3000000 ] then - tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \ + tools/editconf.py /etc/php/"$PHP_VER"/fpm/pool.d/www.conf -c ';' \ pm=dynamic \ pm.max_children=60 \ pm.start_servers=6 \ pm.min_spare_servers=3 \ pm.max_spare_servers=9 else - tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \ + tools/editconf.py /etc/php/"$PHP_VER"/fpm/pool.d/www.conf -c ';' \ pm=dynamic \ pm.max_children=120 \ pm.start_servers=12 \ @@ -133,7 +133,7 @@ chmod a+r /var/lib/mailinabox/mozilla-autoconfig.xml # Create a generic mta-sts.txt file which is exposed via the # nginx configuration at /.well-known/mta-sts.txt -# more documentation is available on: +# more documentation is available on: # https://www.uriports.com/blog/mta-sts-explained/ # default mode is "enforce". In /etc/mailinabox.conf change # "MTA_STS_MODE=testing" which means "Messages will be delivered @@ -147,16 +147,16 @@ cat conf/mta-sts.txt \ chmod a+r /var/lib/mailinabox/mta-sts.txt # make a default homepage -if [ -d $STORAGE_ROOT/www/static ]; then mv $STORAGE_ROOT/www/static $STORAGE_ROOT/www/default; fi # migration #NODOC -mkdir -p $STORAGE_ROOT/www/default -if [ ! -f $STORAGE_ROOT/www/default/index.html ]; then - cp conf/www_default.html $STORAGE_ROOT/www/default/index.html +if [ -d "$STORAGE_ROOT/www/static" ]; then mv "$STORAGE_ROOT/www/static" "$STORAGE_ROOT/www/default"; fi # migration #NODOC +mkdir -p "$STORAGE_ROOT/www/default" +if [ ! -f "$STORAGE_ROOT/www/default/index.html" ]; then + cp conf/www_default.html "$STORAGE_ROOT/www/default/index.html" fi -chown -R $STORAGE_USER $STORAGE_ROOT/www +chown -R "$STORAGE_USER" "$STORAGE_ROOT/www" # Start services. restart_service nginx -restart_service php$PHP_VER-fpm +restart_service php"$PHP_VER"-fpm # Open ports. ufw_allow http diff --git a/setup/webmail.sh b/setup/webmail.sh old mode 100755 new mode 100644 index 58259b0f..4c6c4316 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -14,7 +14,7 @@ source setup/functions.sh # load our functions source setup/functions-downloads.sh source /etc/mailinabox.conf # load global vars -source ${STORAGE_ROOT}/ldap/miab_ldap.conf +source "${STORAGE_ROOT}/ldap/miab_ldap.conf" # ### Installing Roundcube @@ -33,11 +33,11 @@ source ${STORAGE_ROOT}/ldap/miab_ldap.conf echo "Installing Roundcube (webmail)..." apt_install \ dbconfig-common \ - php${PHP_VER}-cli php${PHP_VER}-sqlite3 php${PHP_VER}-intl php${PHP_VER}-common php${PHP_VER}-curl php${PHP_VER}-imap \ - php${PHP_VER}-gd php${PHP_VER}-pspell php${PHP_VER}-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1 \ + php"${PHP_VER}"-cli php"${PHP_VER}"-sqlite3 php"${PHP_VER}"-intl php"${PHP_VER}"-common php"${PHP_VER}"-curl php"${PHP_VER}"-imap \ + php"${PHP_VER}"-gd php"${PHP_VER}"-pspell php"${PHP_VER}"-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1 \ sqlite3 -apt_install php${PHP_VER}-ldap +apt_install php"${PHP_VER}"-ldap # Install Roundcube from source if it is not already present or if it is out of date. # Combine the Roundcube version number with the commit hash of plugins to track @@ -248,8 +248,8 @@ cat > ${RCM_PLUGIN_DIR}/persistent_login/config.inc.php < /etc/cron.daily/mailinabox-roundcubemail << EOF #!/bin/bash # Mail-in-a-Box # Clean up the roundcube database -cd $RCM_DIR && bin/cleandb.sh >/dev/null +cd "$RCM_DIR" && bin/cleandb.sh >/dev/null EOF chmod +x /etc/cron.daily/mailinabox-roundcubemail diff --git a/setup/zpush.sh b/setup/zpush.sh index b9fce937..3c66a5e6 100755 --- a/setup/zpush.sh +++ b/setup/zpush.sh @@ -26,9 +26,9 @@ source /etc/mailinabox.conf # load global vars echo "Installing Z-Push (Exchange/ActiveSync server)..." apt_install \ - php${PHP_VER}-soap php${PHP_VER}-imap libawl-php php$PHP_VER-xml + php"${PHP_VER}"-soap php"${PHP_VER}"-imap libawl-php php"$PHP_VER"-xml -phpenmod -v $PHP_VER imap +phpenmod -v "$PHP_VER" imap # Copy Z-Push into place. VERSION=2.7.1 @@ -53,10 +53,10 @@ if [ $needs_update == 1 ]; then # Create admin and top scripts with PHP_VER rm -f /usr/sbin/z-push-{admin,top} echo '#!/bin/bash' > /usr/sbin/z-push-admin - echo php$PHP_VER /usr/local/lib/z-push/z-push-admin.php '"$@"' >> /usr/sbin/z-push-admin + echo php"$PHP_VER" /usr/local/lib/z-push/z-push-admin.php '"$@"' >> /usr/sbin/z-push-admin chmod 755 /usr/sbin/z-push-admin echo '#!/bin/bash' > /usr/sbin/z-push-top - echo php$PHP_VER /usr/local/lib/z-push/z-push-top.php '"$@"' >> /usr/sbin/z-push-top + echo php"$PHP_VER" /usr/local/lib/z-push/z-push-top.php '"$@"' >> /usr/sbin/z-push-top chmod 755 /usr/sbin/z-push-top echo $VERSION > /usr/local/lib/z-push/version @@ -118,8 +118,8 @@ EOF # Restart service. -restart_service php$PHP_VER-fpm +restart_service php"$PHP_VER"-fpm # Fix states after upgrade -hide_output php$PHP_VER /usr/local/lib/z-push/z-push-admin.php -a fixstates +hide_output php"$PHP_VER" /usr/local/lib/z-push/z-push-admin.php -a fixstates diff --git a/tests/lib/python/browser/NextcloudAutomation.py b/tests/lib/python/browser/NextcloudAutomation.py index 4772fd03..abc631b7 100644 --- a/tests/lib/python/browser/NextcloudAutomation.py +++ b/tests/lib/python/browser/NextcloudAutomation.py @@ -98,6 +98,9 @@ class NextcloudAutomation(object): def close_first_run_wizard(self): d = self.d firstrunwiz = d.find_el('#firstrunwizard', throws=False, quiet=True) + if firstrunwiz and not firstrunwiz.is_displayed(): + d.say_verbose("wait for first run wizard to display") + d.sleep(1) if firstrunwiz and firstrunwiz.is_displayed(): d.say_verbose("closing first run wizard") # ElementNotInteractableException diff --git a/tests/suites/remote-nextcloud.sh b/tests/suites/remote-nextcloud.sh index 69995aa7..795fe67a 100644 --- a/tests/suites/remote-nextcloud.sh +++ b/tests/suites/remote-nextcloud.sh @@ -8,7 +8,7 @@ ##### details. ##### -# +# # Test the setup modification script setup/mods.available/remote-nextcloud.sh # Prerequisites: # @@ -28,7 +28,7 @@ # is_configured() { - . /etc/mailinabox_mods.conf + . /etc/mailinabox_mods.conf 2>>$TEST_OF if [ $? -ne 0 -o -z "$NC_HOST" ]; then return 1 fi @@ -52,7 +52,7 @@ assert_roundcube_carddav_contact_exists() { record "[checking that roundcube contact with vcard UID=$c_uid exists]" roundcube_carddav_contact_exists "$user" "$pass" "$c_uid" 2>>$TEST_OF local rc=$? - + if [ $rc -eq 0 ]; then return elif [ $rc -eq 1 ]; then @@ -69,7 +69,7 @@ assert_roundcube_carddav_contact_exists() { test_mail_from_nextcloud() { test_start "mail_from_nextcloud" - test_end + test_end } test_nextcloud_contacts() { @@ -98,10 +98,10 @@ test_nextcloud_contacts() { "$alice" \ "$alice_pw" \ "" "" "" - + # # 1. create contact in Nextcloud - ensure it is available in Roundcube - # + # # this will validate Nextcloud's ability to authenticate users via # LDAP and that Roundcube is able to reach Nextcloud for contacts # @@ -125,7 +125,7 @@ test_nextcloud_contacts() { test_end return fi - + # force a refresh/sync of the contacts in Roundcube record "[forcing refresh of roundcube contact for $alice]" roundcube_force_carddav_refresh "$alice" "$alice_pw" >>$TEST_OF 2>&1 || \ @@ -133,16 +133,16 @@ test_nextcloud_contacts() { # query the roundcube sqlite database for the new contact assert_roundcube_carddav_contact_exists "$alice" "$alice_pw" "$c_uid" - + # delete the contact record "[delete contact with vcard uid '$c_uid' from $alice]" carddav_delete_contact "$alice" "$alice_pw" "$c_uid" 2>>$TEST_OF || \ test_failure "Unable to delete contact for $alice in Nextcloud" - - + + # clean up mgmt_assert_delete_user "$alice" - + test_end } @@ -155,7 +155,7 @@ test_web_config() { fi local code - + # nginx should be configured to redirect .well-known/caldav and # .well-known/carddav to the remote nextcloud if grep '\.well-known/carddav[\t ]*/cloud/' /etc/nginx/conf.d/local.conf >/dev/null; then @@ -176,7 +176,7 @@ test_web_config() { test_failure "carddav url doesn't work: $REST_ERROR" fi fi - + if grep '\.well-known/caldav[\t ]*/cloud/' /etc/nginx/conf.d/local.conf >/dev/null; then test_failure "/.well-known/caldav redirects to the local nextcloud, but should redirect to $NC_HOST:$NC_PORT" else @@ -199,8 +199,8 @@ test_web_config() { if grep -A 1 CardDAVPrincipalURL /var/lib/mailinabox/mobileconfig.xml | tail -1 | grep -F "/cloud/remote.php" >/dev/null; then test_failure "ios mobileconfig redirects to the local nextcloud, but should redirect to $NC_HOST:$NC_PORT" fi - - test_end + + test_end } @@ -211,7 +211,3 @@ test_web_config test_nextcloud_contacts suite_end mgmt_end - - - - diff --git a/tests/vagrant/preloaded/prepvm.sh b/tests/vagrant/preloaded/prepvm.sh index 52e706a3..e43e2e0b 100755 --- a/tests/vagrant/preloaded/prepvm.sh +++ b/tests/vagrant/preloaded/prepvm.sh @@ -56,10 +56,10 @@ OS_MAJOR=$(. /etc/os-release; echo $VERSION_ID | awk -F. '{print $1}') remove_line_continuation() { local file="$1" awk ' -BEGIN { C=0 } -C==1 && /[^\\]$/ { C=0; print $0; next } -C==1 { printf("%s",substr($0,0,length($0)-1)); next } -/\\$/ { C=1; printf("%s",substr($0,0,length($0)-1)); next } +BEGIN { C=0 } +C==1 && /[^\\]$/ { C=0; print $0; next } +C==1 { printf("%s",substr($0,0,length($0)-1)); next } +/\\$/ { C=1; printf("%s",substr($0,0,length($0)-1)); next } { print $0 }' \ "$file" } @@ -79,15 +79,15 @@ install_packages() { pkgs="$(cut -c12- <<<"$line")" ;; esac - + # don't install slapd pkgs="$(sed 's/slapd//g' <<< "$pkgs")" # manually set PHP_VER if necessary if grep "PHP_VER" <<<"$pkgs" >/dev/null; then - pkgs="$(sed "s/\${*PHP_VER}*/$PHP_VER/g" <<< "$pkgs")" + pkgs="$(sed "s/\"\?\${*PHP_VER}*\"\?/$PHP_VER/g" <<< "$pkgs")" fi - + if [ ! -z "$pkgs" ]; then H2 "install: $pkgs" if ! $dry_run; then @@ -108,7 +108,7 @@ install_ppas() { if ! $dry_run; then exec_no_output $line fi - done + done } add_swap() { @@ -181,7 +181,7 @@ for file in "${desired_order[@]}" "${setup_files[@]}"; do done failed=0 - + for file in ${ordered_files[@]}; do H1 "$file" remove_line_continuation "$file" | install_packages @@ -228,4 +228,3 @@ else echo "" exit 0 fi - diff --git a/tools/archive_conf_files.sh b/tools/archive_conf_files.sh index 67aa91d2..7994b802 100644 --- a/tools/archive_conf_files.sh +++ b/tools/archive_conf_files.sh @@ -1,3 +1,4 @@ +#!/bin/bash ##### ##### This file is part of Mail-in-a-Box-LDAP which is released under the ##### terms of the GNU Affero General Public License as published by the @@ -9,10 +10,9 @@ # Use this script to make an archive of the contents of all # of the configuration files we edit with editconf.py. -for fn in `grep -hr editconf.py setup | sed "s/tools\/editconf.py //" | sed "s/ .*//" | sort | uniq`; do +for fn in $(grep -hr editconf.py setup | sed "s/tools\/editconf.py //" | sed "s/ .*//" | sort | uniq); do echo ====================================================================== - echo $fn + echo "$fn" echo ====================================================================== - cat $fn + cat "$fn" done - diff --git a/tools/dns_update b/tools/dns_update index 3dda3f6b..0ee51ea1 100755 --- a/tools/dns_update +++ b/tools/dns_update @@ -12,4 +12,4 @@ POSTDATA=dummy if [ "$1" == "--force" ]; then POSTDATA=force=1 fi -curl -s -d $POSTDATA --user $(