From f63eedaf82fc54a0cc9a987a3149aa5b66334161 Mon Sep 17 00:00:00 2001
From: Jaroslaw Wencel <jaroslaw.wencel@gmail.com>
Date: Sun, 28 Aug 2022 09:44:45 +0200
Subject: [PATCH 1/3] NextClous&Webmail features to be disabled and shellcheck
 findings

---
 Vagrantfile        |   7 +-
 setup/functions.sh |   6 +-
 setup/nextcloud.sh |   6 +
 setup/preflight.sh |   8 +-
 setup/questions.sh |  10 +-
 setup/start.sh     |  32 ++---
 setup/system.sh    |  20 +--
 setup/webmail.sh   | 300 +++++++++++++++++++++++----------------------
 setup/zpush.sh     | 134 ++++++++++----------
 9 files changed, 281 insertions(+), 242 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index 757c2ec9..d9796ac8 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -19,7 +19,12 @@ Vagrant.configure("2") do |config|
     export PUBLIC_IP=auto
     export PUBLIC_IPV6=auto
     export PRIMARY_HOSTNAME=auto
-    #export SKIP_NETWORK_CHECKS=1
+
+    export SKIP_NETWORK_CHECKS=1
+    
+    export NEXTCLOUD_ENABLE=0
+    export WEBMAIL_ENABLE=0
+    export ZPUSH_ENABLE=0
 
     # Start the setup script.
     cd /vagrant
diff --git a/setup/functions.sh b/setup/functions.sh
index 151c5f40..15703c2f 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -1,10 +1,12 @@
+#!/bin/bash
+
 # Turn on "strict mode." See http://redsymbol.net/articles/unofficial-bash-strict-mode/.
 # -e: exit if any command unexpectedly fails.
 # -u: exit if we have a variable typo.
 # -o pipefail: don't ignore errors in the non-last command in a pipeline
 set -euo pipefail
 
-PHP_VER=8.0
+export PHP_VER=8.0
 
 function hide_output {
 	# This function hides the output of a command unless the command fails
@@ -16,7 +18,7 @@ function hide_output {
 	# Execute command, redirecting stderr/stdout to the temporary file. Since we
 	# check the return code ourselves, disable 'set -e' temporarily.
 	set +e
-	"$@" &> $OUTPUT
+	"$@" &> "$OUTPUT"
 	E=$?
 	set -e
 
diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index b9c3a6d4..164dc0cb 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -5,6 +5,10 @@
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
 
+if [ "$NEXTCLOUD_ENABLE" -ne "1" ]; then
+	echo "Skipping Nextcloud installation."
+else
+
 # ### Installing Nextcloud
 
 echo "Installing Nextcloud (contacts/calendar)..."
@@ -378,3 +382,5 @@ rm -f /etc/cron.hourly/mailinabox-owncloud
 
 # Enable PHP modules and restart PHP.
 restart_service php$PHP_VER-fpm
+
+fi
\ No newline at end of file
diff --git a/setup/preflight.sh b/setup/preflight.sh
index bd6d65b7..26483e63 100644
--- a/setup/preflight.sh
+++ b/setup/preflight.sh
@@ -1,3 +1,5 @@
+#!/bin/bash
+
 # Are we running as root?
 if [[ $EUID -ne 0 ]]; then
 	echo "This script must be run as root. Please re-run like this:"
@@ -7,7 +9,7 @@ if [[ $EUID -ne 0 ]]; then
 	exit 1
 fi
 
-# Check that we are running on Ubuntu 20.04 LTS (or 20.04.xx).
+# Check that we are running on Ubuntu 22.04 LTS (or 22.04.xx).
 if [ "$( lsb_release --id --short )" != "Ubuntu" ] || [ "$( lsb_release --release --short )" != "22.04" ]; then
 	echo "Mail-in-a-Box only supports being installed on Ubuntu 22.04, sorry. You are running:"
 	echo
@@ -26,7 +28,7 @@ fi
 #
 # Skip the check if we appear to be running inside of Vagrant, because that's really just for testing.
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}')
-if [ $TOTAL_PHYSICAL_MEM -lt 490000 ]; then
+if [ "$TOTAL_PHYSICAL_MEM" -lt 490000 ]; then
 if [ ! -d /vagrant ]; then
 	TOTAL_PHYSICAL_MEM=$(expr \( \( $TOTAL_PHYSICAL_MEM \* 1024 \) / 1000 \) / 1000)
 	echo "Your Mail-in-a-Box needs more memory (RAM) to function properly."
@@ -35,7 +37,7 @@ if [ ! -d /vagrant ]; then
 	exit
 fi
 fi
-if [ $TOTAL_PHYSICAL_MEM -lt 750000 ]; then
+if [ "$TOTAL_PHYSICAL_MEM" -lt 750000 ]; then
 	echo "WARNING: Your Mail-in-a-Box has less than 768 MB of memory."
 	echo "         It might run unreliably when under heavy load."
 fi
diff --git a/setup/questions.sh b/setup/questions.sh
index bf382f49..a457e76c 100644
--- a/setup/questions.sh
+++ b/setup/questions.sh
@@ -1,3 +1,5 @@
+#!/bin/bash
+
 if [ -z "${NONINTERACTIVE:-}" ]; then
 	# Install 'dialog' so we can ask the user questions. The original motivation for
 	# this was being able to ask the user for input even if stdin has been redirected,
@@ -141,16 +143,20 @@ if [ -z "${PUBLIC_IPV6:-}" ]; then
 			"Enter the public IPv6 address of this machine, as given to you by your ISP.
 			\n\nLeave blank if the machine does not have an IPv6 address.
 			\n\nPublic IPv6 address:" \
-			${DEFAULT_PUBLIC_IPV6:-} \
+			"${DEFAULT_PUBLIC_IPV6:-}" \
 			PUBLIC_IPV6
 
-		if [ ! $PUBLIC_IPV6_EXITCODE ]; then
+		if [ ! "$PUBLIC_IPV6_EXITCODE" ]; then
 			# user hit ESC/cancel
 			exit
 		fi
 	fi
 fi
 
+export NEXTCLOUD_ENABLE=$NEXTCLOUD_ENABLE
+export WEBMAIL_ENABLE=$WEBMAIL_ENABLE
+export ZPUSH_ENABLE=$ZPUSH_ENABLE
+
 # Get the IP addresses of the local network interface(s) that are connected
 # to the Internet. We need these when we want to have services bind only to
 # the public network interfaces (not loopback, not tunnel interfaces).
diff --git a/setup/start.sh b/setup/start.sh
index 0626ab01..9c920efb 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -4,7 +4,7 @@
 
 source setup/functions.sh # load our functions
 
-# Check system setup: Are we running as root on Ubuntu 18.04 on a
+# Check system setup: Are we running as root on Ubuntu 22.04 on a
 # machine with enough memory? Is /tmp mounted with exec.
 # If not, this shows an error and exits.
 source setup/preflight.sh
@@ -35,11 +35,12 @@ if [ -f /etc/mailinabox.conf ]; then
 
 	# Load the old .conf file to get existing configuration options loaded
 	# into variables with a DEFAULT_ prefix.
-	cat /etc/mailinabox.conf | sed s/^/DEFAULT_/ > /tmp/mailinabox.prev.conf
+	sed s/^/DEFAULT_/ /etc/mailinabox.conf > /tmp/mailinabox.prev.conf
+	# shellcheck source=/dev/null
 	source /tmp/mailinabox.prev.conf
 	rm -f /tmp/mailinabox.prev.conf
 else
-	FIRST_TIME_SETUP=1
+	export FIRST_TIME_SETUP=1
 fi
 
 # Put a start script in a global location. We tell the user to run 'mailinabox'
@@ -75,17 +76,17 @@ fi
 # migration (schema) number for the files stored there, assume this is a fresh
 # installation to that directory and write the file to contain the current
 # migration number for this version of Mail-in-a-Box.
-if ! id -u $STORAGE_USER >/dev/null 2>&1; then
-	useradd -m $STORAGE_USER
+if ! id -u "$STORAGE_USER" >/dev/null 2>&1; then
+	useradd -m "$STORAGE_USER"
 fi
-if [ ! -d $STORAGE_ROOT ]; then
-	mkdir -p $STORAGE_ROOT
+if [ ! -d "$STORAGE_ROOT" ]; then
+	mkdir -p "$STORAGE_ROOT"
 fi
 f=$STORAGE_ROOT
 while [[ $f != / ]]; do chmod a+rx "$f"; f=$(dirname "$f"); done;
-if [ ! -f $STORAGE_ROOT/mailinabox.version ]; then
-	setup/migrate.py --current > $STORAGE_ROOT/mailinabox.version
-	chown $STORAGE_USER.$STORAGE_USER $STORAGE_ROOT/mailinabox.version
+if [ ! -f "$STORAGE_ROOT/mailinabox.version" ]; then
+	setup/migrate.py --current > "$STORAGE_ROOT/mailinabox.version"
+	chown "$STORAGE_USER"."$STORAGE_USER" "$STORAGE_ROOT/mailinabox.version"
 fi
 
 # Save the global options in /etc/mailinabox.conf so that standalone
@@ -101,6 +102,9 @@ PUBLIC_IPV6=$PUBLIC_IPV6
 PRIVATE_IP=$PRIVATE_IP
 PRIVATE_IPV6=$PRIVATE_IPV6
 MTA_STS_MODE=${DEFAULT_MTA_STS_MODE:-enforce}
+NEXTCLOUD_ENABLE=$NEXTCLOUD_ENABLE
+WEBMAIL_ENABLE=$WEBMAIL_ENABLE
+ZPUSH_ENABLE=$ZPUSH_ENABLE
 EOF
 
 # Start service configuration.
@@ -142,14 +146,14 @@ source setup/firstuser.sh
 # We'd let certbot ask the user interactively, but when this script is
 # run in the recommended curl-pipe-to-bash method there is no TTY and
 # certbot will fail if it tries to ask.
-if [ ! -d $STORAGE_ROOT/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/ ]; then
+if [ ! -d "$STORAGE_ROOT/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/" ]; then
 echo
 echo "-----------------------------------------------"
 echo "Mail-in-a-Box uses Let's Encrypt to provision free SSL/TLS certificates"
 echo "to enable HTTPS connections to your box. We're automatically"
 echo "agreeing you to their subscriber agreement. See https://letsencrypt.org."
 echo
-certbot register --register-unsafely-without-email --agree-tos --config-dir $STORAGE_ROOT/ssl/lets_encrypt
+certbot register --register-unsafely-without-email --agree-tos --config-dir "$STORAGE_ROOT/ssl/lets_encrypt"
 fi
 
 # Done.
@@ -166,7 +170,7 @@ if management/status_checks.py --check-primary-hostname; then
 	echo
 	echo "If you have a DNS problem put the box's IP address in the URL"
 	echo "(https://$PUBLIC_IP/admin) but then check the TLS fingerprint:"
-	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\
+	openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256\
         	| sed "s/SHA256 Fingerprint=//"
 else
 	echo https://$PUBLIC_IP/admin
@@ -174,7 +178,7 @@ else
 	echo You will be alerted that the website has an invalid certificate. Check that
 	echo the certificate fingerprint matches:
 	echo
-	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\
+	openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256\
         	| sed "s/SHA256 Fingerprint=//"
 	echo
 	echo Then you can confirm the security exception and continue.
diff --git a/setup/system.sh b/setup/system.sh
index d9ee1f3f..f3514976 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -1,3 +1,5 @@
+#!/bin/bash
+
 source /etc/mailinabox.conf
 source setup/functions.sh # load our functions
 
@@ -11,8 +13,8 @@ source setup/functions.sh # load our functions
 #
 # First set the hostname in the configuration file, then activate the setting
 
-echo $PRIMARY_HOSTNAME > /etc/hostname
-hostname $PRIMARY_HOSTNAME
+echo "$PRIMARY_HOSTNAME" > /etc/hostname
+hostname "$PRIMARY_HOSTNAME"
 
 # ### Fix permissions
 
@@ -43,7 +45,7 @@ chmod g-w /etc /etc/default /usr
 # See https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04
 # for reference
 
-SWAP_MOUNTED=$(cat /proc/swaps | tail -n+2)
+SWAP_MOUNTED=$(tail -n+2 /proc/swaps)
 SWAP_IN_FSTAB=$(grep "swap" /etc/fstab || /bin/true)
 ROOT_IS_BTRFS=$(grep "\/ .*btrfs" /proc/mounts || /bin/true)
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
@@ -53,14 +55,14 @@ if
 	[ -z "$SWAP_IN_FSTAB" ] &&
 	[ ! -e /swapfile ] &&
 	[ -z "$ROOT_IS_BTRFS" ] &&
-	[ $TOTAL_PHYSICAL_MEM -lt 1900000 ] &&
-	[ $AVAILABLE_DISK_SPACE -gt 5242880 ]
+	[ "$TOTAL_PHYSICAL_MEM" -lt 1900000 ] &&
+	[ "$AVAILABLE_DISK_SPACE" -gt 5242880 ]
 then
 	echo "Adding a swap file to the system..."
 
 	# Allocate and activate the swap file. Allocate in 1KB chuncks
 	# doing it in one go, could fail on low memory systems
-	dd if=/dev/zero of=/swapfile bs=1024 count=$[1024*1024] status=none
+	dd if=/dev/zero of=/swapfile bs=1024 count=$((1024*1024)) status=none
 	if [ -e /swapfile ]; then
 		chmod 600 /swapfile
 		hide_output mkswap /swapfile
@@ -164,7 +166,7 @@ fi
 # not likely the user will want to change this, so we only ask on first
 # setup.
 if [ -z "${NONINTERACTIVE:-}" ]; then
-	if [ ! -f /etc/timezone ] || [ ! -z ${FIRST_TIME_SETUP:-} ]; then
+	if [ ! -f /etc/timezone ] || [ -n "${FIRST_TIME_SETUP:-}" ]; then
 		# If the file is missing or this is the user's first time running
 		# Mail-in-a-Box setup, run the interactive timezone configuration
 		# tool.
@@ -273,8 +275,8 @@ if [ -z "${DISABLE_FIREWALL:-}" ]; then
 	if [ ! -z "$SSH_PORT" ]; then
 	if [ "$SSH_PORT" != "22" ]; then
 
-	echo Opening alternate SSH port $SSH_PORT. #NODOC
-	ufw_limit $SSH_PORT #NODOC
+	echo Opening alternate SSH port "$SSH_PORT". #NODOC
+	ufw_limit "$SSH_PORT" #NODOC
 
 	fi
 	fi
diff --git a/setup/webmail.sh b/setup/webmail.sh
index e064a201..75da09de 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -5,112 +5,116 @@
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
 
-# ### Installing Roundcube
+if [ "$WEBMAIL_ENABLE" -ne "1" ]; then
+	echo "Skipping Roundcube (webmail) installation."
+else
 
-# We install Roundcube from sources, rather than from Ubuntu, because:
-#
-# 1. Ubuntu's `roundcube-core` package has dependencies on Apache & MySQL, which we don't want.
-#
-# 2. The Roundcube shipped with Ubuntu is consistently out of date.
-#
-# 3. It's packaged incorrectly --- it seems to be missing a directory of files.
-#
-# So we'll use apt-get to manually install the dependencies of roundcube that we know we need,
-# and then we'll manually install roundcube from source.
+	# ### Installing Roundcube
 
-# These dependencies are from `apt-cache showpkg roundcube-core`.
-echo "Installing Roundcube (webmail)..."
-apt_install \
-	dbconfig-common \
-	php${PHP_VER}-cli php${PHP_VER}-sqlite3 php${PHP_VER}-intl php${PHP_VER}-common php${PHP_VER}-curl php${PHP_VER}-imap \
-	php${PHP_VER}-gd php${PHP_VER}-pspell php${PHP_VER}-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1
+	# We install Roundcube from sources, rather than from Ubuntu, because:
+	#
+	# 1. Ubuntu's `roundcube-core` package has dependencies on Apache & MySQL, which we don't want.
+	#
+	# 2. The Roundcube shipped with Ubuntu is consistently out of date.
+	#
+	# 3. It's packaged incorrectly --- it seems to be missing a directory of files.
+	#
+	# So we'll use apt-get to manually install the dependencies of roundcube that we know we need,
+	# and then we'll manually install roundcube from source.
 
-# Install Roundcube from source if it is not already present or if it is out of date.
-# Combine the Roundcube version number with the commit hash of plugins to track
-# whether we have the latest version of everything.
-# For the latest versions, see:
-#   https://github.com/roundcube/roundcubemail/releases
-#   https://github.com/mfreiholz/persistent_login/commits/master
-#   https://github.com/stremlau/html5_notifier/commits/master
-#   https://github.com/mstilkerich/rcmcarddav/releases
-# The easiest way to get the package hashes is to run this script and get the hash from
-# the error message.
-VERSION=1.5.2
-HASH=208ce4ca0be423cc0f7070ff59bd03588b4439bf
-PERSISTENT_LOGIN_VERSION=59ca1b0d3a02cff5fa621c1ad581d15f9d642fe8
-HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+
-CARDDAV_VERSION=4.3.0
-CARDDAV_HASH=4ad7df8843951062878b1375f77c614f68bc5c61
+	# These dependencies are from `apt-cache showpkg roundcube-core`.
+	echo "Installing Roundcube (webmail)..."
+	apt_install \
+		dbconfig-common \
+		php${PHP_VER}-cli php${PHP_VER}-sqlite3 php${PHP_VER}-intl php${PHP_VER}-common php${PHP_VER}-curl php${PHP_VER}-imap \
+		php${PHP_VER}-gd php${PHP_VER}-pspell php${PHP_VER}-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1
 
-UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION
+	# Install Roundcube from source if it is not already present or if it is out of date.
+	# Combine the Roundcube version number with the commit hash of plugins to track
+	# whether we have the latest version of everything.
+	# For the latest versions, see:
+	#   https://github.com/roundcube/roundcubemail/releases
+	#   https://github.com/mfreiholz/persistent_login/commits/master
+	#   https://github.com/stremlau/html5_notifier/commits/master
+	#   https://github.com/mstilkerich/rcmcarddav/releases
+	# The easiest way to get the package hashes is to run this script and get the hash from
+	# the error message.
+	VERSION=1.5.2
+	HASH=208ce4ca0be423cc0f7070ff59bd03588b4439bf
+	PERSISTENT_LOGIN_VERSION=59ca1b0d3a02cff5fa621c1ad581d15f9d642fe8
+	HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+
+	CARDDAV_VERSION=4.3.0
+	CARDDAV_HASH=4ad7df8843951062878b1375f77c614f68bc5c61
 
-# paths that are often reused.
-RCM_DIR=/usr/local/lib/roundcubemail
-RCM_PLUGIN_DIR=${RCM_DIR}/plugins
-RCM_CONFIG=${RCM_DIR}/config/config.inc.php
+	UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION
 
-needs_update=0 #NODOC
-if [ ! -f /usr/local/lib/roundcubemail/version ]; then
-	# not installed yet #NODOC
-	needs_update=1 #NODOC
-elif [[ "$UPDATE_KEY" != $(cat /usr/local/lib/roundcubemail/version) ]]; then
-	# checks if the version is what we want
-	needs_update=1 #NODOC
-fi
-if [ $needs_update == 1 ]; then
-  # if upgrading from 1.3.x, clear the temp_dir
-  if [ -f /usr/local/lib/roundcubemail/version ]; then
-    if [ "$(cat /usr/local/lib/roundcubemail/version | cut -c1-3)" == '1.3' ]; then
-      find /var/tmp/roundcubemail/ -type f ! -name 'RCMTEMP*' -delete
-    fi
-  fi
+	# paths that are often reused.
+	RCM_DIR=/usr/local/lib/roundcubemail
+	RCM_PLUGIN_DIR=${RCM_DIR}/plugins
+	RCM_CONFIG=${RCM_DIR}/config/config.inc.php
 
-	# install roundcube
-	wget_verify \
-		https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz \
-		$HASH \
-		/tmp/roundcube.tgz
-	tar -C /usr/local/lib --no-same-owner -zxf /tmp/roundcube.tgz
-	rm -rf /usr/local/lib/roundcubemail
-	mv /usr/local/lib/roundcubemail-$VERSION/ $RCM_DIR
-	rm -f /tmp/roundcube.tgz
+	needs_update=0 #NODOC
+	if [ ! -f /usr/local/lib/roundcubemail/version ]; then
+		# not installed yet #NODOC
+		needs_update=1 #NODOC
+	elif [[ "$UPDATE_KEY" != $(cat /usr/local/lib/roundcubemail/version) ]]; then
+		# checks if the version is what we want
+		needs_update=1 #NODOC
+	fi
+	if [ $needs_update == 1 ]; then
+	# if upgrading from 1.3.x, clear the temp_dir
+	if [ -f /usr/local/lib/roundcubemail/version ]; then
+		if [ "$(cat /usr/local/lib/roundcubemail/version | cut -c1-3)" == '1.3' ]; then
+		find /var/tmp/roundcubemail/ -type f ! -name 'RCMTEMP*' -delete
+		fi
+	fi
 
-	# install roundcube persistent_login plugin
-	git_clone https://github.com/mfreiholz/Roundcube-Persistent-Login-Plugin.git $PERSISTENT_LOGIN_VERSION '' ${RCM_PLUGIN_DIR}/persistent_login
+		# install roundcube
+		wget_verify \
+			https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz \
+			$HASH \
+			/tmp/roundcube.tgz
+		tar -C /usr/local/lib --no-same-owner -zxf /tmp/roundcube.tgz
+		rm -rf /usr/local/lib/roundcubemail
+		mv /usr/local/lib/roundcubemail-$VERSION/ $RCM_DIR
+		rm -f /tmp/roundcube.tgz
 
-	# install roundcube html5_notifier plugin
-	git_clone https://github.com/kitist/html5_notifier.git $HTML5_NOTIFIER_VERSION '' ${RCM_PLUGIN_DIR}/html5_notifier
+		# install roundcube persistent_login plugin
+		git_clone https://github.com/mfreiholz/Roundcube-Persistent-Login-Plugin.git $PERSISTENT_LOGIN_VERSION '' ${RCM_PLUGIN_DIR}/persistent_login
 
-	# download and verify the full release of the carddav plugin
-	wget_verify \
-		https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-v${CARDDAV_VERSION}.tar.gz \
-		$CARDDAV_HASH \
-		/tmp/carddav.tar.gz
+		# install roundcube html5_notifier plugin
+		git_clone https://github.com/kitist/html5_notifier.git $HTML5_NOTIFIER_VERSION '' ${RCM_PLUGIN_DIR}/html5_notifier
 
-	# unzip and cleanup
-	tar -C ${RCM_PLUGIN_DIR} -zxf /tmp/carddav.tar.gz
-	rm -f /tmp/carddav.tar.gz
+		# download and verify the full release of the carddav plugin
+		wget_verify \
+			https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-v${CARDDAV_VERSION}.tar.gz \
+			$CARDDAV_HASH \
+			/tmp/carddav.tar.gz
 
-	# record the version we've installed
-	echo $UPDATE_KEY > ${RCM_DIR}/version
-fi
+		# unzip and cleanup
+		tar -C ${RCM_PLUGIN_DIR} -zxf /tmp/carddav.tar.gz
+		rm -f /tmp/carddav.tar.gz
 
-# ### Configuring Roundcube
+		# record the version we've installed
+		echo $UPDATE_KEY > ${RCM_DIR}/version
+	fi
 
-# Generate a secret key of PHP-string-safe characters appropriate
-# for the cipher algorithm selected below.
-SECRET_KEY=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 | sed s/=//g)
+	# ### Configuring Roundcube
 
-# Create a configuration file.
-#
-# For security, temp and log files are not stored in the default locations
-# which are inside the roundcube sources directory. We put them instead
-# in normal places.
-cat > $RCM_CONFIG <<EOF;
+	# Generate a secret key of PHP-string-safe characters appropriate
+	# for the cipher algorithm selected below.
+	SECRET_KEY=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 | sed s/=//g)
+
+	# Create a configuration file.
+	#
+	# For security, temp and log files are not stored in the default locations
+	# which are inside the roundcube sources directory. We put them instead
+	# in normal places.
+	cat > $RCM_CONFIG <<EOF;
 <?php
 /*
- * Do not edit. Written by Mail-in-a-Box. Regenerated on updates.
- */
+* Do not edit. Written by Mail-in-a-Box. Regenerated on updates.
+*/
 \$config = array();
 \$config['log_dir'] = '/var/log/roundcubemail/';
 \$config['temp_dir'] = '/var/tmp/roundcubemail/';
@@ -118,19 +122,19 @@ cat > $RCM_CONFIG <<EOF;
 \$config['default_host'] = 'ssl://localhost';
 \$config['default_port'] = 993;
 \$config['imap_conn_options'] = array(
-  'ssl'         => array(
-     'verify_peer'  => false,
-     'verify_peer_name'  => false,
-   ),
- );
+'ssl'         => array(
+	'verify_peer'  => false,
+	'verify_peer_name'  => false,
+),
+);
 \$config['imap_timeout'] = 15;
 \$config['smtp_server'] = 'tls://127.0.0.1';
 \$config['smtp_conn_options'] = array(
-  'ssl'         => array(
-     'verify_peer'  => false,
-     'verify_peer_name'  => false,
-   ),
- );
+'ssl'         => array(
+	'verify_peer'  => false,
+	'verify_peer_name'  => false,
+),
+);
 \$config['support_url'] = 'https://mailinabox.email/';
 \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
 \$config['cipher_method'] = 'AES-256-CBC'; # persistent login cookie and potentially other things
@@ -144,68 +148,70 @@ cat > $RCM_CONFIG <<EOF;
 ?>
 EOF
 
-# Configure CardDav
-cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
+	# Configure CardDav
+	cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
 <?php
 /* Do not edit. Written by Mail-in-a-Box. Regenerated on updates. */
 \$prefs['_GLOBAL']['hide_preferences'] = true;
 \$prefs['_GLOBAL']['suppress_version_warning'] = true;
 \$prefs['ownCloud'] = array(
-	 'name'         =>  'ownCloud',
-	 'username'     =>  '%u', // login username
-	 'password'     =>  '%p', // login password
-	 'url'          =>  'https://${PRIMARY_HOSTNAME}/cloud/remote.php/carddav/addressbooks/%u/contacts',
-	 'active'       =>  true,
-	 'readonly'     =>  false,
-	 'refresh_time' => '02:00:00',
-	 'fixed'        =>  array('username','password'),
-	 'preemptive_auth' => '1',
-	 'hide'        =>  false,
+	'name'         =>  'ownCloud',
+	'username'     =>  '%u', // login username
+	'password'     =>  '%p', // login password
+	'url'          =>  'https://${PRIMARY_HOSTNAME}/cloud/remote.php/carddav/addressbooks/%u/contacts',
+	'active'       =>  true,
+	'readonly'     =>  false,
+	'refresh_time' => '02:00:00',
+	'fixed'        =>  array('username','password'),
+	'preemptive_auth' => '1',
+	'hide'        =>  false,
 );
 ?>
 EOF
 
-# Create writable directories.
-mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
-chown -R www-data.www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+	# Create writable directories.
+	mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+	chown -R www-data.www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
 
-# Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
-sudo -u www-data touch /var/log/roundcubemail/errors.log
+	# Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
+	sudo -u www-data touch /var/log/roundcubemail/errors.log
 
-# Password changing plugin settings
-# The config comes empty by default, so we need the settings
-# we're not planning to change in config.inc.dist...
-cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \
-	${RCM_PLUGIN_DIR}/password/config.inc.php
+	# Password changing plugin settings
+	# The config comes empty by default, so we need the settings
+	# we're not planning to change in config.inc.dist...
+	cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \
+		${RCM_PLUGIN_DIR}/password/config.inc.php
 
-tools/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php \
-	"\$config['password_minimum_length']=8;" \
-	"\$config['password_db_dsn']='sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
-	"\$config['password_query']='UPDATE users SET password=%D WHERE email=%u';" \
-	"\$config['password_dovecotpw']='/usr/bin/doveadm pw';" \
-	"\$config['password_dovecotpw_method']='SHA512-CRYPT';" \
-	"\$config['password_dovecotpw_with_method']=true;"
+	tools/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php \
+		"\$config['password_minimum_length']=8;" \
+		"\$config['password_db_dsn']='sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
+		"\$config['password_query']='UPDATE users SET password=%D WHERE email=%u';" \
+		"\$config['password_dovecotpw']='/usr/bin/doveadm pw';" \
+		"\$config['password_dovecotpw_method']='SHA512-CRYPT';" \
+		"\$config['password_dovecotpw_with_method']=true;"
 
-# so PHP can use doveadm, for the password changing plugin
-usermod -a -G dovecot www-data
+	# so PHP can use doveadm, for the password changing plugin
+	usermod -a -G dovecot www-data
 
-# set permissions so that PHP can use users.sqlite
-# could use dovecot instead of www-data, but not sure it matters
-chown root.www-data $STORAGE_ROOT/mail
-chmod 775 $STORAGE_ROOT/mail
-chown root.www-data $STORAGE_ROOT/mail/users.sqlite
-chmod 664 $STORAGE_ROOT/mail/users.sqlite
+	# set permissions so that PHP can use users.sqlite
+	# could use dovecot instead of www-data, but not sure it matters
+	chown root.www-data $STORAGE_ROOT/mail
+	chmod 775 $STORAGE_ROOT/mail
+	chown root.www-data $STORAGE_ROOT/mail/users.sqlite
+	chmod 664 $STORAGE_ROOT/mail/users.sqlite
 
-# Fix Carddav permissions:
-chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav
-# root.www-data need all permissions, others only read
-chmod -R 774 ${RCM_PLUGIN_DIR}/carddav
+	# Fix Carddav permissions:
+	chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav
+	# root.www-data need all permissions, others only read
+	chmod -R 774 ${RCM_PLUGIN_DIR}/carddav
 
-# Run Roundcube database migration script (database is created if it does not exist)
-php$PHP_VER ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube
-chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
-chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
+	# Run Roundcube database migration script (database is created if it does not exist)
+	php$PHP_VER ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube
+	chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
+	chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 
-# Enable PHP modules.
-phpenmod -v $PHP_VER imap
-restart_service php$PHP_VER-fpm
+	# Enable PHP modules.
+	phpenmod -v $PHP_VER imap
+	restart_service php$PHP_VER-fpm
+
+fi
\ No newline at end of file
diff --git a/setup/zpush.sh b/setup/zpush.sh
index 4fdfadc4..baf98ee4 100755
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -13,81 +13,85 @@
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
 
-# Prereqs.
+if [ "$ZPUSH_ENABLE" -ne "1" ]; then
+	echo "Skipping Roundcube (webmail) installation."
+else
 
-echo "Installing Z-Push (Exchange/ActiveSync server)..."
-apt_install \
-       php${PHP_VER}-soap php${PHP_VER}-imap libawl-php php$PHP_VER-xml
+	# Prereqs.
 
-phpenmod -v $PHP_VER imap
+	echo "Installing Z-Push (Exchange/ActiveSync server)..."
+	apt_install \
+		php${PHP_VER}-soap php${PHP_VER}-imap libawl-php php$PHP_VER-xml
 
-# Copy Z-Push into place.
-VERSION=2.6.2
-TARGETHASH=f0e8091a8030e5b851f5ba1f9f0e1a05b8762d80
-needs_update=0 #NODOC
-if [ ! -f /usr/local/lib/z-push/version ]; then
-	needs_update=1 #NODOC
-elif [[ $VERSION != $(cat /usr/local/lib/z-push/version) ]]; then
-	# checks if the version
-	needs_update=1 #NODOC
-fi
-if [ $needs_update == 1 ]; then
-	# Download
-	wget_verify "https://github.com/Z-Hub/Z-Push/archive/refs/tags/$VERSION.zip" $TARGETHASH /tmp/z-push.zip
+	phpenmod -v $PHP_VER imap
 
-	# Extract into place.
-	rm -rf /usr/local/lib/z-push /tmp/z-push
-	unzip -q /tmp/z-push.zip -d /tmp/z-push
-	mv /tmp/z-push/*/src /usr/local/lib/z-push
-	rm -rf /tmp/z-push.zip /tmp/z-push
+	# Copy Z-Push into place.
+	VERSION=2.6.2
+	TARGETHASH=f0e8091a8030e5b851f5ba1f9f0e1a05b8762d80
+	needs_update=0 #NODOC
+	if [ ! -f /usr/local/lib/z-push/version ]; then
+		needs_update=1 #NODOC
+	elif [[ $VERSION != $(cat /usr/local/lib/z-push/version) ]]; then
+		# checks if the version
+		needs_update=1 #NODOC
+	fi
+	if [ $needs_update == 1 ]; then
+		# Download
+		wget_verify "https://github.com/Z-Hub/Z-Push/archive/refs/tags/$VERSION.zip" $TARGETHASH /tmp/z-push.zip
 
-	rm -f /usr/sbin/z-push-{admin,top}
-	echo $VERSION > /usr/local/lib/z-push/version
-fi
+		# Extract into place.
+		rm -rf /usr/local/lib/z-push /tmp/z-push
+		unzip -q /tmp/z-push.zip -d /tmp/z-push
+		mv /tmp/z-push/*/src /usr/local/lib/z-push
+		rm -rf /tmp/z-push.zip /tmp/z-push
 
-# Configure default config.
-sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/config.php
-sed -i "s/define('BACKEND_PROVIDER', .*/define('BACKEND_PROVIDER', 'BackendCombined');/" /usr/local/lib/z-push/config.php
-sed -i "s/define('USE_FULLEMAIL_FOR_LOGIN', .*/define('USE_FULLEMAIL_FOR_LOGIN', true);/" /usr/local/lib/z-push/config.php
-sed -i "s/define('LOG_MEMORY_PROFILER', .*/define('LOG_MEMORY_PROFILER', false);/" /usr/local/lib/z-push/config.php
-sed -i "s/define('BUG68532FIXED', .*/define('BUG68532FIXED', false);/" /usr/local/lib/z-push/config.php
-sed -i "s/define('LOGLEVEL', .*/define('LOGLEVEL', LOGLEVEL_ERROR);/" /usr/local/lib/z-push/config.php
+		rm -f /usr/sbin/z-push-{admin,top}
+		echo $VERSION > /usr/local/lib/z-push/version
+	fi
 
-# Configure BACKEND
-rm -f /usr/local/lib/z-push/backend/combined/config.php
-cp conf/zpush/backend_combined.php /usr/local/lib/z-push/backend/combined/config.php
+	# Configure default config.
+	sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/config.php
+	sed -i "s/define('BACKEND_PROVIDER', .*/define('BACKEND_PROVIDER', 'BackendCombined');/" /usr/local/lib/z-push/config.php
+	sed -i "s/define('USE_FULLEMAIL_FOR_LOGIN', .*/define('USE_FULLEMAIL_FOR_LOGIN', true);/" /usr/local/lib/z-push/config.php
+	sed -i "s/define('LOG_MEMORY_PROFILER', .*/define('LOG_MEMORY_PROFILER', false);/" /usr/local/lib/z-push/config.php
+	sed -i "s/define('BUG68532FIXED', .*/define('BUG68532FIXED', false);/" /usr/local/lib/z-push/config.php
+	sed -i "s/define('LOGLEVEL', .*/define('LOGLEVEL', LOGLEVEL_ERROR);/" /usr/local/lib/z-push/config.php
 
-# Configure IMAP
-rm -f /usr/local/lib/z-push/backend/imap/config.php
-cp conf/zpush/backend_imap.php /usr/local/lib/z-push/backend/imap/config.php
-sed -i "s%STORAGE_ROOT%$STORAGE_ROOT%" /usr/local/lib/z-push/backend/imap/config.php
+	# Configure BACKEND
+	rm -f /usr/local/lib/z-push/backend/combined/config.php
+	cp conf/zpush/backend_combined.php /usr/local/lib/z-push/backend/combined/config.php
 
-# Configure CardDav
-rm -f /usr/local/lib/z-push/backend/carddav/config.php
-cp conf/zpush/backend_carddav.php /usr/local/lib/z-push/backend/carddav/config.php
+	# Configure IMAP
+	rm -f /usr/local/lib/z-push/backend/imap/config.php
+	cp conf/zpush/backend_imap.php /usr/local/lib/z-push/backend/imap/config.php
+	sed -i "s%STORAGE_ROOT%$STORAGE_ROOT%" /usr/local/lib/z-push/backend/imap/config.php
 
-# Configure CalDav
-rm -f /usr/local/lib/z-push/backend/caldav/config.php
-cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php
+	# Configure CardDav
+	rm -f /usr/local/lib/z-push/backend/carddav/config.php
+	cp conf/zpush/backend_carddav.php /usr/local/lib/z-push/backend/carddav/config.php
 
-# Configure Autodiscover
-rm -f /usr/local/lib/z-push/autodiscover/config.php
-cp conf/zpush/autodiscover_config.php /usr/local/lib/z-push/autodiscover/config.php
-sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /usr/local/lib/z-push/autodiscover/config.php
-sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/autodiscover/config.php
+	# Configure CalDav
+	rm -f /usr/local/lib/z-push/backend/caldav/config.php
+	cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php
 
-# Some directories it will use.
+	# Configure Autodiscover
+	rm -f /usr/local/lib/z-push/autodiscover/config.php
+	cp conf/zpush/autodiscover_config.php /usr/local/lib/z-push/autodiscover/config.php
+	sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /usr/local/lib/z-push/autodiscover/config.php
+	sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/autodiscover/config.php
 
-mkdir -p /var/log/z-push
-mkdir -p /var/lib/z-push
-chmod 750 /var/log/z-push
-chmod 750 /var/lib/z-push
-chown www-data:www-data /var/log/z-push
-chown www-data:www-data /var/lib/z-push
+	# Some directories it will use.
 
-# Add log rotation
+	mkdir -p /var/log/z-push
+	mkdir -p /var/lib/z-push
+	chmod 750 /var/log/z-push
+	chmod 750 /var/lib/z-push
+	chown www-data:www-data /var/log/z-push
+	chown www-data:www-data /var/lib/z-push
 
-cat > /etc/logrotate.d/z-push <<EOF;
+	# Add log rotation
+
+	cat > /etc/logrotate.d/z-push <<EOF;
 /var/log/z-push/*.log {
 	weekly
 	missingok
@@ -98,10 +102,12 @@ cat > /etc/logrotate.d/z-push <<EOF;
 }
 EOF
 
-# Restart service.
+	# Restart service.
 
-restart_service php$PHP_VER-fpm
+	restart_service php$PHP_VER-fpm
 
-# Fix states after upgrade
+	# Fix states after upgrade
 
-hide_output php$PHP_VER /usr/local/lib/z-push/z-push-admin.php -a fixstates
+	hide_output php$PHP_VER /usr/local/lib/z-push/z-push-admin.php -a fixstates
+
+fi
\ No newline at end of file

From 55da363b251cf1a0948b5829e0bb76c46170778e Mon Sep 17 00:00:00 2001
From: Jaroslaw Wencel <jaroslaw@wencel.org>
Date: Sun, 28 Aug 2022 22:34:07 +0200
Subject: [PATCH 2/3] shellcheck improvements

---
 setup/bootstrap.sh | 20 ++++++++++----------
 setup/dkim.sh      | 11 ++++++-----
 setup/functions.sh | 36 ++++++++++++++++++------------------
 3 files changed, 34 insertions(+), 33 deletions(-)

diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index cc4c060e..014538c8 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -19,12 +19,12 @@ if [ -z "$TAG" ]; then
 	# want to display in status checks.
 	#
 	# Allow point-release versions of the major releases, e.g. 22.04.1 is OK.
-	UBUNTU_VERSION=$( lsb_release -d | sed 's/.*:\s*//' | sed 's/\([0-9]*\.[0-9]*\)\.[0-9]/\1/' )"
-	if [ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]; then
+	UBUNTU_VERSION=$( lsb_release -d | sed 's/.*:\s*//' | sed 's/\([0-9]*\.[0-9]*\)\.[0-9]/\1/' )
+	if [[ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]]; then
 		# This machine is running Ubuntu 22.04, which is supported by
 		# Mail-in-a-Box versions 60 and later.
 		TAG=v60
-	elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then
+	elif [[ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]]; then
 		# This machine is running Ubuntu 18.04, which is supported by
 		# Mail-in-a-Box versions 0.40 through 5x.
 		echo "Support is ending for Ubuntu 18.04."
@@ -32,7 +32,7 @@ if [ -z "$TAG" ]; then
 		echo "a new machine running Ubuntu 22.04. See:"
 		echo "https://mailinabox.email/maintenance.html#upgrade"
 		TAG=v57a
-	elif [ "$UBUNTU_VERSION" == "Ubuntu 14.04 LTS" ]; then
+	elif [[ "$UBUNTU_VERSION" == "Ubuntu 14.04 LTS" ]]; then
 		# This machine is running Ubuntu 14.04, which is supported by
 		# Mail-in-a-Box versions 1 through v0.30.
 		echo "Ubuntu 14.04 is no longer supported."
@@ -51,7 +51,7 @@ if [[ $EUID -ne 0 ]]; then
 fi
 
 # Clone the Mail-in-a-Box repository if it doesn't exist.
-if [ ! -d $HOME/mailinabox ]; then
+if [[ ! -d "$HOME/mailinabox" ]]; then
 	if [ ! -f /usr/bin/git ]; then
 		echo Installing git . . .
 		apt-get -q -q update
@@ -59,22 +59,22 @@ if [ ! -d $HOME/mailinabox ]; then
 		echo
 	fi
 
-	echo Downloading Mail-in-a-Box $TAG. . .
+	echo "Downloading Mail-in-a-Box $TAG . . ."
 	git clone \
 		-b $TAG --depth 1 \
 		https://github.com/mail-in-a-box/mailinabox \
-		$HOME/mailinabox \
+		"$HOME/mailinabox" \
 		< /dev/null 2> /dev/null
 
 	echo
 fi
 
 # Change directory to it.
-cd $HOME/mailinabox
+cd "$HOME/mailinabox" || exit
 
 # Update it.
-if [ "$TAG" != $(git describe) ]; then
-	echo Updating Mail-in-a-Box to $TAG . . .
+if [[ "$TAG" != $(git describe) ]]; then
+	echo "Updating Mail-in-a-Box to $TAG . . ."
 	git fetch --depth 1 --force --prune origin tag $TAG
 	if ! git checkout -q $TAG; then
 		echo "Update failed. Did you modify something in $(pwd)?"
diff --git a/setup/dkim.sh b/setup/dkim.sh
index b2541a12..d14b3293 100755
--- a/setup/dkim.sh
+++ b/setup/dkim.sh
@@ -6,6 +6,7 @@
 #
 # The DNS configuration for DKIM is done in the management daemon.
 
+# shellcheck source=./functions.sh
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
 
@@ -15,7 +16,7 @@ apt_install opendkim opendkim-tools opendmarc
 
 # Make sure configuration directories exist.
 mkdir -p /etc/opendkim;
-mkdir -p $STORAGE_ROOT/mail/dkim
+mkdir -p "$STORAGE_ROOT/mail/dkim"
 
 # Used in InternalHosts and ExternalIgnoreList configuration directives.
 # Not quite sure why.
@@ -52,13 +53,13 @@ fi
 # A 1024-bit key is seen as a minimum standard by several providers
 # such as Google. But they and others use a 2048 bit key, so we'll
 # do the same. Keys beyond 2048 bits may exceed DNS record limits.
-if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
-	opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
+if [[ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]]; then
+	opendkim-genkey -b 2048 -r -s mail -D "$STORAGE_ROOT/mail/dkim"
 fi
 
 # Ensure files are owned by the opendkim user and are private otherwise.
-chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim
-chmod go-rwx $STORAGE_ROOT/mail/dkim
+chown -R opendkim:opendkim "$STORAGE_ROOT/mail/dkim"
+chmod go-rwx "$STORAGE_ROOT/mail/dkim"
 
 tools/editconf.py /etc/opendmarc.conf -s \
 	"Syslog=true" \
diff --git a/setup/functions.sh b/setup/functions.sh
index 15703c2f..139440ef 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -28,13 +28,13 @@ function hide_output {
 		echo
 		echo FAILED: "$@"
 		echo -----------------------------------------
-		cat $OUTPUT
+		cat "$OUTPUT"
 		echo -----------------------------------------
 		exit $E
 	fi
 
 	# Remove temporary file.
-	rm -f $OUTPUT
+	rm -f "$OUTPUT"
 }
 
 function apt_get_quiet {
@@ -78,7 +78,7 @@ function get_publicip_from_web_service {
 	#
 	# Pass '4' or '6' as an argument to this function to specify
 	# what type of address to get (IPv4, IPv6).
-	curl -$1 --fail --silent --max-time 15 icanhazip.com 2>/dev/null || /bin/true
+	curl -"$1" --fail --silent --max-time 15 icanhazip.com 2>/dev/null || /bin/true
 }
 
 function get_default_privateip {
@@ -121,19 +121,19 @@ function get_default_privateip {
 	if [ "$1" == "6" ]; then target=2001:4860:4860::8888; fi
 
 	# Get the route information.
-	route=$(ip -$1 -o route get $target 2>/dev/null | grep -v unreachable)
+	route=$(ip -"$1" -o route get $target 2>/dev/null | grep -v unreachable)
 
 	# Parse the address out of the route information.
-	address=$(echo $route | sed "s/.* src \([^ ]*\).*/\1/")
+	address=$(echo "$route" | sed "s/.* src \([^ ]*\).*/\1/")
 
 	if [[ "$1" == "6" && $address == fe80:* ]]; then
 		# For IPv6 link-local addresses, parse the interface out
 		# of the route information and append it with a '%'.
-		interface=$(echo $route | sed "s/.* dev \([^ ]*\).*/\1/")
+		interface=$(echo "$route" | sed "s/.* dev \([^ ]*\).*/\1/")
 		address=$address%$interface
 	fi
 
-	echo $address
+	echo "$address"
 }
 
 function ufw_allow {
@@ -151,7 +151,7 @@ function ufw_limit {
 }
 
 function restart_service {
-	hide_output service $1 restart
+	hide_output service "$1" restart
 }
 
 ## Dialog Functions ##
@@ -180,7 +180,7 @@ function input_menu {
 	declare -n result_code=$4_EXITCODE
 	local IFS=^$'\n'
 	set +e
-	result=$(dialog --stdout --title "$1" --menu "$2" 0 0 0 $3)
+	result=$(dialog --stdout --title "$1" --menu "$2" 0 0 0 "$3")
 	result_code=$?
 	set -e
 }
@@ -192,17 +192,17 @@ function wget_verify {
 	HASH=$2
 	DEST=$3
 	CHECKSUM="$HASH  $DEST"
-	rm -f $DEST
-	hide_output wget -O $DEST $URL
+	rm -f "$DEST"
+	hide_output wget -O "$DEST" "$URL"
 	if ! echo "$CHECKSUM" | sha1sum --check --strict > /dev/null; then
 		echo "------------------------------------------------------------"
 		echo "Download of $URL did not match expected checksum."
 		echo "Found:"
-		sha1sum $DEST
+		sha1sum "$DEST"
 		echo
 		echo "Expected:"
 		echo "$CHECKSUM"
-		rm -f $DEST
+		rm -f "$DEST"
 		exit 1
 	fi
 }
@@ -218,9 +218,9 @@ function git_clone {
 	SUBDIR=$3
 	TARGETPATH=$4
 	TMPPATH=/tmp/git-clone-$$
-	rm -rf $TMPPATH $TARGETPATH
-	git clone -q $REPO $TMPPATH || exit 1
-	(cd $TMPPATH; git checkout -q $TREEISH;) || exit 1
-	mv $TMPPATH/$SUBDIR $TARGETPATH
-	rm -rf $TMPPATH
+	rm -rf "$TMPPATH" "$TARGETPATH"
+	git clone -q "$REPO" "$TMPPATH" || exit 1
+	(cd "$TMPPATH" && git checkout -q "$TREEISH") || exit 1
+	mv "$TMPPATH/$SUBDIR" "$TARGETPATH"
+	rm -rf "$TMPPATH"
 }

From d6753c3830c453e126eb4547fc60786eaaa59142 Mon Sep 17 00:00:00 2001
From: Jaroslaw Wencel <jaroslaw.wencel@gmail.com>
Date: Wed, 28 Sep 2022 23:54:10 +0200
Subject: [PATCH 3/3] option to disable Nextcloud items in management console

---
 management/daemon.py            | 2 ++
 management/templates/index.html | 4 ++++
 setup/management.sh             | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/management/daemon.py b/management/daemon.py
index 98c6689c..793b31b6 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -133,6 +133,8 @@ def index():
 
 		backup_s3_hosts=backup_s3_hosts,
 		csr_country_codes=csr_country_codes,
+
+		nextcloud_enable=env['NEXTCLOUD_ENABLE']
 	)
 
 # Create a session key by checking the username/password in the Authorization header.
diff --git a/management/templates/index.html b/management/templates/index.html
index f9c87f2c..dc52210a 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -139,7 +139,9 @@
                 <li><a href="#mfa" onclick="return show_panel(this);">Two-Factor Authentication</a></li>
               </ul>
             </li>
+            {% if nextcloud_enable==1 %}
             <li><a href="#sync_guide" onclick="return show_panel(this);" class="if-logged-in">Contacts/Calendar</a></li>
+            {% endif %}
             <li><a href="#web" onclick="return show_panel(this);" class="if-logged-in-admin">Web</a></li>
           </ul>
           <ul class="nav navbar-nav navbar-right">
@@ -190,9 +192,11 @@
       {% include "aliases.html" %}
       </div>
 
+      {% if nextcloud_enable==1 %}
       <div id="panel_sync_guide" class="admin_panel">
       {% include "sync-guide.html" %}
       </div>
+      {% endif %}
 
       <div id="panel_web" class="admin_panel">
       {% include "web.html" %}
diff --git a/setup/management.sh b/setup/management.sh
index 52d38498..60f7f01f 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -98,6 +98,8 @@ export LC_ALL=en_US.UTF-8
 export LANG=en_US.UTF-8
 export LC_TYPE=en_US.UTF-8
 
+source /etc/mailinabox.conf
+
 source $venv/bin/activate
 exec python $(pwd)/management/daemon.py
 EOF