From 8eb89c2b4ec52d392580bfe5dd542539a1817516 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 02:17:59 +0000 Subject: [PATCH 01/35] modifying start.sh to check if the environment variable DISABLE_NEXTCLOUD is set to 1 if it is set 1, it'll skip setting up Nextcloud --- setup/start.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/setup/start.sh b/setup/start.sh index 0b145022..53c1d791 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -106,7 +106,13 @@ source setup/dkim.sh source setup/spamassassin.sh source setup/web.sh source setup/webmail.sh -source setup/nextcloud.sh + +if [ "${DISABLE_NEXTCLOUD} == "1" ]; then + echo Skipping Nextcloud installation +else + source setup/nextcloud.sh +fi + source setup/zpush.sh source setup/management.sh source setup/munin.sh From bc7aa885e4d40c6fc4ec1bbf7037c0442c7d5356 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 02:32:30 +0000 Subject: [PATCH 02/35] Check if the user decided to not install Nextcloud and configure Nginx accordingly --- conf/nginx-primaryonly-no-nextcloud.conf | 17 +++++++++++++++++ management/web_update.py | 7 ++++++- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 conf/nginx-primaryonly-no-nextcloud.conf diff --git a/conf/nginx-primaryonly-no-nextcloud.conf b/conf/nginx-primaryonly-no-nextcloud.conf new file mode 100644 index 00000000..09e1f34a --- /dev/null +++ b/conf/nginx-primaryonly-no-nextcloud.conf 
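Review bot: The opt-out on the `if [ "${DISABLE_NEXTCLOUD} == "1" ]` line is read only from the environment of this setup run, and nothing records the choice anywhere; a later re-run of setup, or the management code, cannot know that Nextcloud was deliberately left out. Since the management scripts touched later in this series load their settings from an environment file via `load_env_vars_from_file` into an `env` mapping, the decision should presumably be written to that same file here, next to the other persisted setup values, so every consumer reads one source of truth. The test line as rendered is also missing the closing quote after `${DISABLE_NEXTCLOUD}`, which a later patch in the series corrects.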
@@ -0,0 +1,17 @@ + # Control Panel + # Proxy /admin to our Python based control panel daemon. It is + # listening on IPv4 only so use an IP address and not 'localhost'. + location /admin/assets { + alias /usr/local/lib/mailinabox/vendor/assets; + } + rewrite ^/admin$ /admin/; + rewrite ^/admin/munin$ /admin/munin/ redirect; + location /admin/ { + proxy_pass http://127.0.0.1:10222/; + proxy_set_header X-Forwarded-For $remote_addr; + add_header X-Frame-Options "DENY"; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "frame-ancestors 'none';"; + } + + # ADDITIONAL DIRECTIVES HERE diff --git a/management/web_update.py b/management/web_update.py index 72295c21..b4939513 100644 --- a/management/web_update.py +++ b/management/web_update.py @@ -8,6 +8,7 @@ from mailconfig import get_mail_domains from dns_update import get_custom_dns_config, get_dns_zones from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate from utils import shell, safe_domain_name, sort_domains +from os import environ def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True): # What domains should we serve HTTP(S) for? 
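Review bot: `from os import environ` introduces a second binding for the `os` module in a file whose `do_web_update` already uses `os.path.join`, and it is appended after the project-local imports instead of with the standard-library ones. Using `os.environ.get(...)` at the call site keeps one import style and needs no new line. The `from os import environ` added to management/dns_update.py in patch 07 has the same issue.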
@@ -77,7 +78,11 @@ def do_web_update(env): # Load the templates. template0 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read() template1 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-alldomains.conf")).read() - template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read() + # Check if the user doesn't want Nextcloud. + if environ.get('DISABLE_NEXTCLOUD') == '1': + template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly-no-nextcloud.conf")).read() + else: + template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read() template3 = "\trewrite ^(.*) https://$REDIRECT_DOMAIN$1 permanent;\n" # Add the PRIMARY_HOST configuration first so it becomes nginx's default server. From 27b3e8f1a1907600b2991a057bb55140188e8d26 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 02:41:33 +0000 Subject: [PATCH 03/35] Check if the user didn't want to setup Nextcloud --- setup/webmail.sh | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index 6cbe55f9..8e6e4012 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh 
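Review bot: `environ.get('DISABLE_NEXTCLOUD') == '1'` consults the process environment of whatever calls `do_web_update`, which is normally the management daemon or a management script rather than the setup shell that exported the variable, so the non-Nextcloud template is presumably selected only during the initial setup run and the Nextcloud locations reappear on the next nginx regeneration. The function already receives `env`, the persisted configuration; if the choice is stored there the check becomes `if env.get('DISABLE_NEXTCLOUD') == '1':`. The `build_zone` hunk in management/dns_update.py (patch 07) has the same dependency on the daemon's environment for the CardDAV/CalDAV SRV records. The rest of `do_web_update` lies outside this hunk.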
@@ -131,25 +131,28 @@ cat > $RCM_CONFIG < ${RCM_PLUGIN_DIR}/carddav/config.inc.php < 'ownCloud', - 'username' => '%u', // login username - 'password' => '%p', // login password - 'url' => 'https://${PRIMARY_HOSTNAME}/cloud/remote.php/carddav/addressbooks/%u/contacts', - 'active' => true, - 'readonly' => false, - 'refresh_time' => '02:00:00', - 'fixed' => array('username','password'), - 'preemptive_auth' => '1', - 'hide' => false, -); -?> -EOF +if [ "${DISABLE_NEXTCLOUD}" != "1" ]; then + + cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php < 'ownCloud', + 'username' => '%u', // login username + 'password' => '%p', // login password + 'url' => 'https://${PRIMARY_HOSTNAME}/cloud/remote.php/carddav/addressbooks/%u/contacts', + 'active' => true, + 'readonly' => false, + 'refresh_time' => '02:00:00', + 'fixed' => array('username','password'), + 'preemptive_auth' => '1', + 'hide' => false, + ); + ?> + EOF +fi # Create writable directories. mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube From 81d7fdb63f4fbdb7839b8bc115b8bb8bf4bfbe55 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 03:02:35 +0000 Subject: [PATCH 04/35] add further checks --- setup/webmail.sh | 60 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 40 insertions(+), 20 deletions(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index 8e6e4012..113721ca 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh 
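Review bot: The heredoc that writes `${RCM_PLUGIN_DIR}/carddav/config.inc.php` now appears to have both its body and its `EOF` terminator indented inside the `if` block; unless the redirection is the `<<-EOF` form (the operator is not legible in this rendering), bash only recognises the terminator at the start of a line, so the heredoc would run on and swallow the following `fi`, `mkdir` and later lines. Keeping `EOF` at column 0, as the removed lines had it, or switching to `<<-EOF` with tab indentation avoids that, and it also stops the indentation from being copied into the generated PHP file. The `cat >> $RCM_CONFIG` blocks added to this file in patch 04 indent their terminators the same way.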
@@ -68,17 +68,20 @@ if [ $needs_update == 1 ]; then git_clone https://github.com/kitist/html5_notifier.git $HTML5_NOTIFIER_VERSION '' ${RCM_PLUGIN_DIR}/html5_notifier # download and verify the full release of the carddav plugin - wget_verify \ - https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-${CARDDAV_VERSION}.zip \ - $CARDDAV_HASH \ - /tmp/carddav.zip - # unzip and cleanup - unzip -q /tmp/carddav.zip -d ${RCM_PLUGIN_DIR} - rm -f /tmp/carddav.zip - - # record the version we've installed - echo $UPDATE_KEY > ${RCM_DIR}/version + if [ "${DISABLE_NEXTCLOUD}" != "1" ]; then + wget_verify \ + https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-${CARDDAV_VERSION}.zip \ + $CARDDAV_HASH \ + /tmp/carddav.zip + + # unzip and cleanup + unzip -q /tmp/carddav.zip -d ${RCM_PLUGIN_DIR} + rm -f /tmp/carddav.zip + + # record the version we've installed + echo $UPDATE_KEY > ${RCM_DIR}/version + fi fi # ### Configuring Roundcube @@ -122,14 +125,29 @@ cat > $RCM_CONFIG < EOF +if [ "${DISABLE_NEXTCLOUD}" != "1" ]; then + cat >> $RCM_CONFIG < + EOF +else + cat >> $RCM_CONFIG < + EOF +fi + + # Configure CardDav if [ "${DISABLE_NEXTCLOUD}" != "1" ]; then @@ -185,10 +203,12 @@ chmod 775 $STORAGE_ROOT/mail chown root.www-data $STORAGE_ROOT/mail/users.sqlite chmod 664 $STORAGE_ROOT/mail/users.sqlite -# Fix Carddav permissions: -chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav -# root.www-data need all permissions, others only read -chmod -R 774 ${RCM_PLUGIN_DIR}/carddav +if [ "${DISABLE_NEXTCLOUD}" != "1" ]; then + # Fix Carddav permissions: + chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav + # root.www-data need all permissions, others only read + chmod -R 774 ${RCM_PLUGIN_DIR}/carddav +fi # Run Roundcube database migration script (database is created if it does not exist) ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube 
From ef1327d7bdee2e584c9af854aa0712fa10870bb0 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 03:06:35 +0000 Subject: [PATCH 05/35] add further Nextcloud checks --- setup/zpush.sh | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/setup/zpush.sh b/setup/zpush.sh index 0cbd30ad..8b51acd1 100755 --- a/setup/zpush.sh +++ b/setup/zpush.sh @@ -64,13 +64,16 @@ rm -f /usr/local/lib/z-push/backend/imap/config.php cp conf/zpush/backend_imap.php /usr/local/lib/z-push/backend/imap/config.php sed -i "s%STORAGE_ROOT%$STORAGE_ROOT%" /usr/local/lib/z-push/backend/imap/config.php -# Configure CardDav -rm -f /usr/local/lib/z-push/backend/carddav/config.php -cp conf/zpush/backend_carddav.php /usr/local/lib/z-push/backend/carddav/config.php - -# Configure CalDav -rm -f /usr/local/lib/z-push/backend/caldav/config.php -cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php +if [ "${DISABLE_NEXTCLOUD}" != "1" ]; then + + # Configure CardDav + rm -f /usr/local/lib/z-push/backend/carddav/config.php + cp conf/zpush/backend_carddav.php /usr/local/lib/z-push/backend/carddav/config.php + + # Configure CalDav + rm -f /usr/local/lib/z-push/backend/caldav/config.php + cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php +fi # Configure Autodiscover rm -f /usr/local/lib/z-push/autodiscover/config.php From fb8c380cd6a6b79bcf471f5b349e79176071dc22 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 03:08:26 +0000 Subject: [PATCH 06/35] improve sync-guide's clarity about the contacts and calendar features --- management/templates/sync-guide.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/management/templates/sync-guide.html b/management/templates/sync-guide.html index 70a5a44e..ac902653 100644 --- a/management/templates/sync-guide.html +++ b/management/templates/sync-guide.html @@ -1,7 +1,7 @@
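Review bot: The `rm -f` lines for the CardDAV and CalDAV `config.php` files are now inside the `if`, so a box that previously had Nextcloud and is re-run with it disabled keeps its stale backend configuration, and any backend that still references those files (the combined-backend configuration is not in this hunk) keeps using them. Moving the two `rm -f /usr/local/lib/z-push/backend/.../config.php` lines above the `if` so that only the two `cp conf/zpush/backend_*.php ...` lines are conditional lets the disabled state clean up after itself.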

Contacts & Calendar Synchronization

-

This box can hold your contacts and calendar, just like it holds your email.

+

If you chose to install Nextcloud, then this box can hold your contacts and calendar, just like it holds your email.


From 0414a375c94645298778a8f5da342e336a9e0ac9 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 03:12:18 +0000 Subject: [PATCH 07/35] check if the user didn't choose to install Nextcloud --- management/dns_update.py | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/management/dns_update.py b/management/dns_update.py index dba6dbc1..bb9fc3b0 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -11,6 +11,7 @@ import dns.resolver from mailconfig import get_mail_domains from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains +from os import environ # From https://stackoverflow.com/questions/3026957/how-to-validate-a-domain-name-using-regex-php/16491074#16491074 # This regular expression matches domain names according to RFCs, it also accepts fqdn with an leading dot, 
@@ -280,14 +281,15 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en if not has_rec(dmarc_qname, "TXT", prefix="v=DMARC1; "): records.append((dmarc_qname, "TXT", 'v=DMARC1; p=reject', "Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @%s." % (qname + "." + domain))) - # Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname. - # The SRV record format is priority (0, whatever), weight (0, whatever), port, service provider hostname (w/ trailing dot). - if domain != env["PRIMARY_HOSTNAME"]: - for dav in ("card", "cal"): - qname = "_" + dav + "davs._tcp" - if not has_rec(qname, "SRV"): - records.append((qname, "SRV", "0 0 443 " + env["PRIMARY_HOSTNAME"] + ".", "Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain.")) - + if environ.get('DISABLE_NEXTCLOUD') != '1': + # Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname. + # The SRV record format is priority (0, whatever), weight (0, whatever), port, service provider hostname (w/ trailing dot). + if domain != env["PRIMARY_HOSTNAME"]: + for dav in ("card", "cal"): + qname = "_" + dav + "davs._tcp" + if not has_rec(qname, "SRV"): + records.append((qname, "SRV", "0 0 443 " + env["PRIMARY_HOSTNAME"] + ".", "Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain.")) + # Adds autoconfiguration A records for all domains. # This allows the following clients to automatically configure email addresses in the respective applications. # autodiscover.* - Z-Push ActiveSync Autodiscover From 9e2fd98848ba094f1ab7dcbdb160fbbd5e07097a Mon Sep 17 00:00:00 2001 
From: dkoao Date: Thu, 26 Sep 2019 03:20:24 +0000 Subject: [PATCH 08/35] check if the user didn't want to install Nextcloud --- conf/fail2ban/jails_no_nextcloud.conf | 70 +++++++++++++++++++++++++++ setup/system.sh | 18 +++++-- 2 files changed, 84 insertions(+), 4 deletions(-) create mode 100644 conf/fail2ban/jails_no_nextcloud.conf diff --git a/conf/fail2ban/jails_no_nextcloud.conf b/conf/fail2ban/jails_no_nextcloud.conf new file mode 100644 index 00000000..0213ea7b --- /dev/null +++ b/conf/fail2ban/jails_no_nextcloud.conf 
@@ -0,0 +1,70 @@ +# Fail2Ban configuration file for Mail-in-a-Box. Do not edit. +# This file is re-generated on updates. + +[DEFAULT] +# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks +# ping services over the public interface so we should whitelist that address of +# ours too. The string is substituted during installation. +ignoreip = 127.0.0.1/8 PUBLIC_IP + +[dovecot] +enabled = true +filter = dovecotimap +logpath = /var/log/mail.log +findtime = 30 +maxretry = 20 + +[miab-management] +enabled = true +filter = miab-management-daemon +port = http,https +logpath = /var/log/syslog +maxretry = 20 +findtime = 30 + +[miab-munin] +enabled = true +port = http,https +filter = miab-munin +logpath = /var/log/nginx/access.log +maxretry = 20 +findtime = 30 + +[miab-postfix587] +enabled = true +port = 587 +filter = miab-postfix-submission +logpath = /var/log/mail.log +maxretry = 20 +findtime = 30 + +[miab-roundcube] +enabled = true +port = http,https +filter = miab-roundcube +logpath = /var/log/roundcubemail/errors +maxretry = 20 +findtime = 30 + +[recidive] +enabled = true +maxretry = 10 +action = iptables-allports[name=recidive] +# In the recidive section of jail.conf the action contains: +# +# action = iptables-allports[name=recidive] +# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] +# +# The last line on the action will sent an email to the configured address. This mail will +# notify the administrator that someone has been repeatedly triggering one of the other jails. +# By default we don't configure this address and no action is required from the admin anyway. +# So the notification is ommited. This will prevent message appearing in the mail.log that mail +# can't be delivered to fail2ban@$HOSTNAME. + +[postfix-sasl] +enabled = true + +[sshd] +enabled = true +maxretry = 7 +bantime = 3600 diff --git a/setup/system.sh b/setup/system.sh index ccc60231..895ce0ae 100755 --- a/setup/system.sh +++ b/setup/system.sh 
@@ -340,10 +340,20 @@ systemctl restart systemd-resolved # Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix, ssh, etc. rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config -cat conf/fail2ban/jails.conf \ - | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ - | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ - > /etc/fail2ban/jail.d/mailinabox.conf + +if [ ${DISABLE_NEXTCLOUD} != "1"]; then + + cat conf/fail2ban/jails.conf \ + | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ + | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ + > /etc/fail2ban/jail.d/mailinabox.conf +else + cat conf/fail2ban/jails_no_nextcloud.conf \ + | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ + | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ + > /etc/fail2ban/jail.d/mailinabox.conf +fi + cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/ # On first installation, the log files that the jails look at don't all exist. From a02657e99c3caf0b31d6df60cb59a48776305f82 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 03:35:25 +0000 Subject: [PATCH 09/35] fixed a logical error with the handling of DISABLE_NEXTCLOUD env variable --- setup/webmail.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index 113721ca..251b6eb5 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -127,7 +127,7 @@ cat > $RCM_CONFIG <> $RCM_CONFIG < Date: Thu, 26 Sep 2019 04:05:03 +0000 Subject: [PATCH 10/35] added an additional quotation mark --- setup/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/start.sh b/setup/start.sh index 53c1d791..125777c5 100755 --- a/setup/start.sh +++ b/setup/start.sh 
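Review bot: `if [ ${DISABLE_NEXTCLOUD} != "1"]; then` has no space before the closing `]` as rendered here, so `test` receives `1]` as its last argument and reports a missing bracket; the condition then evaluates false and this patch installs the no-Nextcloud jail file even when Nextcloud is present, silently dropping the `[miab-owncloud]` fail2ban jail that protects the Nextcloud login. The variable is also unquoted, so an unset `DISABLE_NEXTCLOUD` leaves `test` with `!= "1"]` alone. The line should read `if [ "${DISABLE_NEXTCLOUD}" != "1" ]; then`. The missing space survives the rewrites of this line in patches 11, 14 and 17 (`"0"]`), so in the final state of the series the Nextcloud jail is presumably never appended.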
@@ -107,7 +107,7 @@ source setup/spamassassin.sh source setup/web.sh source setup/webmail.sh -if [ "${DISABLE_NEXTCLOUD} == "1" ]; then +if [ "${DISABLE_NEXTCLOUD}" == "1" ]; then echo Skipping Nextcloud installation else source setup/nextcloud.sh From d78a6b26a5f19aee03fabe7395066965aed48103 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 04:08:58 +0000 Subject: [PATCH 11/35] added more clarity to the boolean logic --- setup/system.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/system.sh b/setup/system.sh index 895ce0ae..e96952a2 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -341,14 +341,14 @@ systemctl restart systemd-resolved rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config -if [ ${DISABLE_NEXTCLOUD} != "1"]; then +if [ ${DISABLE_NEXTCLOUD} == "1"]; then - cat conf/fail2ban/jails.conf \ + cat conf/fail2ban/jails_no_nextcloud.conf \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ > /etc/fail2ban/jail.d/mailinabox.conf else - cat conf/fail2ban/jails_no_nextcloud.conf \ + cat conf/fail2ban/jails.conf \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ > /etc/fail2ban/jail.d/mailinabox.conf From d30c4d615db42fbac4a99ff1d5bb59740c850857 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 08:55:19 +0000 Subject: [PATCH 12/35] get the line responsible for recording the roundcube version out of the DISABLE_NEXTCLOUD check because it's unrelated --- setup/webmail.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index 251b6eb5..749deaaf 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh 
@@ -79,9 +79,9 @@ if [ $needs_update == 1 ]; then unzip -q /tmp/carddav.zip -d ${RCM_PLUGIN_DIR} rm -f /tmp/carddav.zip - # record the version we've installed - echo $UPDATE_KEY > ${RCM_DIR}/version fi + # record the version we've installed + echo $UPDATE_KEY > ${RCM_DIR}/version fi # ### Configuring Roundcube From 857ccaa06c9e04064078c9dcfdad675c656b7d28 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 09:20:52 +0000 Subject: [PATCH 13/35] Implement a new way to handle the Nextcloud fail2ban config. If the user wants Nextcloud to be installed, the setup script will simply append the relevant rules to the config file. This is more efficient than having two separate files. --- conf/fail2ban/jails.conf | 8 --- conf/fail2ban/jails_no_nextcloud.conf | 70 --------------------------- conf/fail2ban/nextcloud-jail.conf | 8 +++ setup/system.sh | 21 ++++---- 4 files changed, 18 insertions(+), 89 deletions(-) delete mode 100644 conf/fail2ban/jails_no_nextcloud.conf create mode 100644 conf/fail2ban/nextcloud-jail.conf diff --git a/conf/fail2ban/jails.conf b/conf/fail2ban/jails.conf index 952dc35a..0213ea7b 100644 --- a/conf/fail2ban/jails.conf +++ b/conf/fail2ban/jails.conf @@ -30,14 +30,6 @@ logpath = /var/log/nginx/access.log maxretry = 20 findtime = 30 -[miab-owncloud] -enabled = true -port = http,https -filter = miab-owncloud -logpath = STORAGE_ROOT/owncloud/nextcloud.log -maxretry = 20 -findtime = 120 - [miab-postfix587] enabled = true port = 587 diff --git a/conf/fail2ban/jails_no_nextcloud.conf b/conf/fail2ban/jails_no_nextcloud.conf deleted file mode 100644 index 0213ea7b..00000000 --- a/conf/fail2ban/jails_no_nextcloud.conf +++ /dev/null 
@@ -1,70 +0,0 @@ -# Fail2Ban configuration file for Mail-in-a-Box. Do not edit. -# This file is re-generated on updates. - -[DEFAULT] -# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks -# ping services over the public interface so we should whitelist that address of -# ours too. The string is substituted during installation. -ignoreip = 127.0.0.1/8 PUBLIC_IP - -[dovecot] -enabled = true -filter = dovecotimap -logpath = /var/log/mail.log -findtime = 30 -maxretry = 20 - -[miab-management] -enabled = true -filter = miab-management-daemon -port = http,https -logpath = /var/log/syslog -maxretry = 20 -findtime = 30 - -[miab-munin] -enabled = true -port = http,https -filter = miab-munin -logpath = /var/log/nginx/access.log -maxretry = 20 -findtime = 30 - -[miab-postfix587] -enabled = true -port = 587 -filter = miab-postfix-submission -logpath = /var/log/mail.log -maxretry = 20 -findtime = 30 - -[miab-roundcube] -enabled = true -port = http,https -filter = miab-roundcube -logpath = /var/log/roundcubemail/errors -maxretry = 20 -findtime = 30 - -[recidive] -enabled = true -maxretry = 10 -action = iptables-allports[name=recidive] -# In the recidive section of jail.conf the action contains: -# -# action = iptables-allports[name=recidive] -# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] -# -# The last line on the action will sent an email to the configured address. This mail will -# notify the administrator that someone has been repeatedly triggering one of the other jails. -# By default we don't configure this address and no action is required from the admin anyway. -# So the notification is ommited. This will prevent message appearing in the mail.log that mail -# can't be delivered to fail2ban@$HOSTNAME. - -[postfix-sasl] -enabled = true - -[sshd] -enabled = true -maxretry = 7 -bantime = 3600 diff --git a/conf/fail2ban/nextcloud-jail.conf b/conf/fail2ban/nextcloud-jail.conf new file mode 100644 index 00000000..a954beea 
--- /dev/null +++ b/conf/fail2ban/nextcloud-jail.conf @@ -0,0 +1,8 @@ + +[miab-owncloud] +enabled = true +port = http,https +filter = miab-owncloud +logpath = STORAGE_ROOT/owncloud/nextcloud.log +maxretry = 20 +findtime = 120 diff --git a/setup/system.sh b/setup/system.sh index e96952a2..abd84459 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -341,18 +341,17 @@ systemctl restart systemd-resolved rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config -if [ ${DISABLE_NEXTCLOUD} == "1"]; then +# Check if the user wants to enable Nextcloud, if the user wants it +# the relevant firejail configuration will be added +if [ ${DISABLE_NEXTCLOUD} != "1"]; then + cat conf/fail2ban/nextcloud-jail.conf >> conf/fail2ban/jails.conf +fi + +cat conf/fail2ban/jails.conf \ + | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ + | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ + > /etc/fail2ban/jail.d/mailinabox.conf - cat conf/fail2ban/jails_no_nextcloud.conf \ - | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ - | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ - > /etc/fail2ban/jail.d/mailinabox.conf -else - cat conf/fail2ban/jails.conf \ - | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ - | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ - > /etc/fail2ban/jail.d/mailinabox.conf -fi cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/ From e41cfc30b897baf7f98bcd2d13502530b72cb959 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 10:00:12 +0000 Subject: [PATCH 14/35] replace '1' with '0', as 0 stands for true in sh. --- management/dns_update.py | 2 +- management/web_update.py | 2 +- setup/start.sh | 2 +- setup/system.sh | 2 +- setup/webmail.sh | 8 ++++---- setup/zpush.sh | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/management/dns_update.py b/management/dns_update.py index bb9fc3b0..3578fcc2 100755 --- a/management/dns_update.py +++ b/management/dns_update.py 
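Review bot: `cat conf/fail2ban/nextcloud-jail.conf >> conf/fail2ban/jails.conf` appends into the template inside the source checkout rather than into the generated `/etc/fail2ban/jail.d/mailinabox.conf`, so every run of setup adds another `[miab-owncloud]` section to the tracked file and dirties the working tree that later updates pull into. Feeding both inputs to the existing pipeline avoids the mutation: `cat conf/fail2ban/jails.conf conf/fail2ban/nextcloud-jail.conf | sed "s/PUBLIC_IP/$PUBLIC_IP/g" | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" > /etc/fail2ban/jail.d/mailinabox.conf` in the Nextcloud branch and the plain `cat conf/fail2ban/jails.conf | ...` otherwise. The new comment says "firejail configuration" where the appended file is a fail2ban jail; `# the relevant fail2ban jail will be added` is what is meant. The `"1"]` spacing on the `if` line is carried over unchanged from patch 08.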
@@ -281,7 +281,7 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en if not has_rec(dmarc_qname, "TXT", prefix="v=DMARC1; "): records.append((dmarc_qname, "TXT", 'v=DMARC1; p=reject', "Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @%s." % (qname + "." + domain))) - if environ.get('DISABLE_NEXTCLOUD') != '1': + if environ.get('DISABLE_NEXTCLOUD') != '0': # Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname. # The SRV record format is priority (0, whatever), weight (0, whatever), port, service provider hostname (w/ trailing dot). if domain != env["PRIMARY_HOSTNAME"]: diff --git a/management/web_update.py b/management/web_update.py index b4939513..43bedff3 100644 --- a/management/web_update.py +++ b/management/web_update.py @@ -79,7 +79,7 @@ def do_web_update(env): template0 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read() template1 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-alldomains.conf")).read() # Check if the user doesn't want Nextcloud. - if environ.get('DISABLE_NEXTCLOUD') == '1': + if environ.get('DISABLE_NEXTCLOUD') == '0': template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly-no-nextcloud.conf")).read() else: template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read() diff --git a/setup/start.sh b/setup/start.sh index 125777c5..bad3de90 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -107,7 +107,7 @@ source setup/spamassassin.sh source setup/web.sh source setup/webmail.sh -if [ "${DISABLE_NEXTCLOUD}" == "1" ]; then +if [ "${DISABLE_NEXTCLOUD}" == "0" ]; then echo Skipping Nextcloud installation else source setup/nextcloud.sh diff --git a/setup/system.sh b/setup/system.sh index abd84459..3fa0c8a9 100755 --- a/setup/system.sh +++ b/setup/system.sh 
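Review bot: Treating `DISABLE_NEXTCLOUD=0` as "disable Nextcloud" inverts the reading every other `DISABLE_*`-style switch gets, and the rationale given (0 meaning true) applies to process exit statuses, not to the string value of a variable compared with `!=` and `==`; an operator who sets `DISABLE_NEXTCLOUD=0` intending "do not disable" silently loses the Nextcloud nginx locations and the CardDAV/CalDAV SRV records. Keeping `'1'` as the value that disables, or renaming the variable to `ENABLE_NEXTCLOUD` if a 0/1 toggle is wanted, keeps the meaning guessable. The same flip is made in the web_update.py, start.sh, system.sh, webmail.sh and zpush.sh hunks of this patch.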
@@ -343,7 +343,7 @@ rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we c # Check if the user wants to enable Nextcloud, if the user wants it # the relevant firejail configuration will be added -if [ ${DISABLE_NEXTCLOUD} != "1"]; then +if [ ${DISABLE_NEXTCLOUD} != "0"]; then cat conf/fail2ban/nextcloud-jail.conf >> conf/fail2ban/jails.conf fi diff --git a/setup/webmail.sh b/setup/webmail.sh index 749deaaf..eeadf735 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -69,7 +69,7 @@ if [ $needs_update == 1 ]; then # download and verify the full release of the carddav plugin - if [ "${DISABLE_NEXTCLOUD}" != "1" ]; then + if [ "${DISABLE_NEXTCLOUD}" != "0" ]; then wget_verify \ https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-${CARDDAV_VERSION}.zip \ $CARDDAV_HASH \ @@ -127,7 +127,7 @@ cat > $RCM_CONFIG <> $RCM_CONFIG < ${RCM_PLUGIN_DIR}/carddav/config.inc.php < Date: Thu, 26 Sep 2019 10:24:40 +0000 Subject: [PATCH 15/35] replace two if statements with one --- management/dns_update.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/management/dns_update.py b/management/dns_update.py index 3578fcc2..a1fd6b33 100755 --- a/management/dns_update.py +++ b/management/dns_update.py 
@@ -281,10 +281,9 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en if not has_rec(dmarc_qname, "TXT", prefix="v=DMARC1; "): records.append((dmarc_qname, "TXT", 'v=DMARC1; p=reject', "Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @%s." % (qname + "." + domain))) - if environ.get('DISABLE_NEXTCLOUD') != '0': + if environ.get('DISABLE_NEXTCLOUD') != '0' and domain != env["PRIMARY_HOSTNAME"]: # Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname. # The SRV record format is priority (0, whatever), weight (0, whatever), port, service provider hostname (w/ trailing dot). - if domain != env["PRIMARY_HOSTNAME"]: for dav in ("card", "cal"): qname = "_" + dav + "davs._tcp" if not has_rec(qname, "SRV"): From 4f5fb7fe4b626912fc5e6f9fe7e401048327cfdf Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 10:26:44 +0000 Subject: [PATCH 16/35] explain why Nextcloud gets skipped --- setup/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/start.sh b/setup/start.sh index bad3de90..886640a1 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -108,7 +108,7 @@ source setup/web.sh source setup/webmail.sh if [ "${DISABLE_NEXTCLOUD}" == "0" ]; then - echo Skipping Nextcloud installation + echo Nextcloud installation was skipped due to a configuration choice else source setup/nextcloud.sh fi From b9d367adffb36f057dfbf55fdcca57d2005157c5 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 10:32:24 +0000 Subject: [PATCH 17/35] add quotation marks --- setup/system.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/system.sh b/setup/system.sh index 3fa0c8a9..cab05332 100755 --- a/setup/system.sh +++ b/setup/system.sh 
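Review bot: The `for dav in ("card", "cal"):` block keeps the indentation it had under the removed inner `if domain != ...`, so it now sits one level deeper than the two comment lines directly under the combined `if environ.get('DISABLE_NEXTCLOUD') != '0' and domain != env["PRIMARY_HOSTNAME"]:`; Python accepts this because the loop is the only statement in the block, but it reads as though a statement were dropped. Dedenting the loop and its body by one level (indentation is hard to verify in this rendering) makes the block match the comments above it. The remainder of `build_zone` is outside the hunk.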
@@ -343,7 +343,7 @@ rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we c # Check if the user wants to enable Nextcloud, if the user wants it # the relevant firejail configuration will be added -if [ ${DISABLE_NEXTCLOUD} != "0"]; then +if [ "${DISABLE_NEXTCLOUD}" != "0"]; then cat conf/fail2ban/nextcloud-jail.conf >> conf/fail2ban/jails.conf fi From 86fef267f6933eae247971b366e3b41af5c8e262 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 10:35:12 +0000 Subject: [PATCH 18/35] reduce duplicated lines --- setup/webmail.sh | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index eeadf735..567fd954 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -130,23 +130,20 @@ EOF if [ "${DISABLE_NEXTCLOUD}" == "0" ]; then cat >> $RCM_CONFIG < EOF else cat >> $RCM_CONFIG < EOF fi +cat >> $RCM_CONFIG < +EOF # Configure CardDav if [ "${DISABLE_NEXTCLOUD}" != "0" ]; then From c0e86045323fbf0bf8d8d53f61a20902bb20664e Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 10:51:46 +0000 Subject: [PATCH 19/35] Reduce nginx config duplication by separating the Nextcloud config into its own file --- conf/nextclound-conf.conf | 60 ++++++++++++++++++++++++ conf/nginx-primaryonly-no-nextcloud.conf | 17 ------- conf/nginx-primaryonly.conf | 60 ------------------------ management/web_update.py | 10 ++-- 4 files changed, 65 insertions(+), 82 deletions(-) create mode 100644 conf/nextclound-conf.conf delete mode 100644 conf/nginx-primaryonly-no-nextcloud.conf diff --git a/conf/nextclound-conf.conf b/conf/nextclound-conf.conf new file mode 100644 index 00000000..dd7457bf --- /dev/null +++ b/conf/nextclound-conf.conf 
@@ -0,0 +1,60 @@ + + # Nextcloud configuration. + rewrite ^/cloud$ /cloud/ redirect; + rewrite ^/cloud/$ /cloud/index.php; + rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect; + rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html; + rewrite ^(/cloud/oc[sm]-provider)/$ $1/index.php redirect; + location /cloud/ { + alias /usr/local/lib/owncloud/; + location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ { + deny all; + } + location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + # Enable paths for service and cloud federation discovery + # Resolves warning in Nextcloud Settings panel + location ~ ^/cloud/(oc[sm]-provider)?/([^/]+\.php)$ { + index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$1/$2; + fastcgi_pass php-fpm; + } + } + location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ { + # note: ~ has precendence over a regular location block + # Accept URLs like: + # /cloud/index.php/apps/files/ + # /cloud/index.php/apps/files/ajax/scan.php (it's really index.php; see 6fdef379adfdeac86cc2220209bdf4eb9562268d) + # /cloud/ocs/v1.php/apps/files_sharing/api/v1 (see #240) + # /cloud/remote.php/webdav/yourfilehere... + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2; + fastcgi_param SCRIPT_NAME $1$2; + fastcgi_param PATH_INFO $3; + fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on; + fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel; + fastcgi_read_timeout 630; + fastcgi_pass php-fpm; + client_max_body_size 1G; + fastcgi_buffers 64 4K; + } + location ^~ /owncloud-xaccel/ { + # This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. Nextcloud sends the full file + # path on disk as a subdirectory under this virtual path. + # We must only allow 'internal' redirects within nginx so that the filesystem + # is not exposed to the world. 
+ internal; + alias /; + } + location ~ ^/((caldav|carddav|webdav).*)$ { + # Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either. + # Properly proxying like this seems to work fine. + proxy_pass https://127.0.0.1/cloud/remote.php/$1; + } + rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last; + rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect; + diff --git a/conf/nginx-primaryonly-no-nextcloud.conf b/conf/nginx-primaryonly-no-nextcloud.conf deleted file mode 100644 index 09e1f34a..00000000 --- a/conf/nginx-primaryonly-no-nextcloud.conf +++ /dev/null @@ -1,17 +0,0 @@ - # Control Panel - # Proxy /admin to our Python based control panel daemon. It is - # listening on IPv4 only so use an IP address and not 'localhost'. - location /admin/assets { - alias /usr/local/lib/mailinabox/vendor/assets; - } - rewrite ^/admin$ /admin/; - rewrite ^/admin/munin$ /admin/munin/ redirect; - location /admin/ { - proxy_pass http://127.0.0.1:10222/; - proxy_set_header X-Forwarded-For $remote_addr; - add_header X-Frame-Options "DENY"; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "frame-ancestors 'none';"; - } - - # ADDITIONAL DIRECTIVES HERE diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf index 288fce40..9a7576b1 100644 --- a/conf/nginx-primaryonly.conf +++ b/conf/nginx-primaryonly.conf 
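Review bot: The new file ends with the .well-known rewrites and a blank line but does not carry the `# ADDITIONAL DIRECTIVES HERE` placeholder that is deleted from the end of nginx-primaryonly.conf in the same commit; if make_domain_config (outside this series) splices custom proxy/redirect directives at that marker, the primary host loses that insertion point unless another template still contains it — please verify before merging. Separately, this commit creates `conf/nextclound-conf.conf` while web_update.py in the same commit opens `nextcloud-conf.conf`, so every tree between here and the rename in PATCH 24 raises FileNotFoundError when Nextcloud is enabled; squashing the rename into this commit would keep the series bisectable.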
@@ -14,63 +14,3 @@ add_header Content-Security-Policy "frame-ancestors 'none';"; } - # Nextcloud configuration. - rewrite ^/cloud$ /cloud/ redirect; - rewrite ^/cloud/$ /cloud/index.php; - rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect; - rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html; - rewrite ^(/cloud/oc[sm]-provider)/$ $1/index.php redirect; - location /cloud/ { - alias /usr/local/lib/owncloud/; - location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ { - deny all; - } - location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } - # Enable paths for service and cloud federation discovery - # Resolves warning in Nextcloud Settings panel - location ~ ^/cloud/(oc[sm]-provider)?/([^/]+\.php)$ { - index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$1/$2; - fastcgi_pass php-fpm; - } - } - location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ { - # note: ~ has precendence over a regular location block - # Accept URLs like: - # /cloud/index.php/apps/files/ - # /cloud/index.php/apps/files/ajax/scan.php (it's really index.php; see 6fdef379adfdeac86cc2220209bdf4eb9562268d) - # /cloud/ocs/v1.php/apps/files_sharing/api/v1 (see #240) - # /cloud/remote.php/webdav/yourfilehere... - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2; - fastcgi_param SCRIPT_NAME $1$2; - fastcgi_param PATH_INFO $3; - fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on; - fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel; - fastcgi_read_timeout 630; - fastcgi_pass php-fpm; - client_max_body_size 1G; - fastcgi_buffers 64 4K; - } - location ^~ /owncloud-xaccel/ { - # This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. Nextcloud sends the full file - # path on disk as a subdirectory under this virtual path. - # We must only allow 'internal' redirects within nginx so that the filesystem - # is not exposed to the world. 
- internal; - alias /; - } - location ~ ^/((caldav|carddav|webdav).*)$ { - # Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either. - # Properly proxying like this seems to work fine. - proxy_pass https://127.0.0.1/cloud/remote.php/$1; - } - rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last; - rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect; - rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect; - - # ADDITIONAL DIRECTIVES HERE diff --git a/management/web_update.py b/management/web_update.py index 43bedff3..78be0dac 100644 --- a/management/web_update.py +++ b/management/web_update.py 
@@ -76,17 +76,17 @@ def do_web_update(env): nginx_conf = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-top.conf")).read() # Load the templates. + template2_nextcloud = "" template0 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read() template1 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-alldomains.conf")).read() + template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read() # Check if the user doesn't want Nextcloud. - if environ.get('DISABLE_NEXTCLOUD') == '0': - template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly-no-nextcloud.conf")).read() - else: - template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read() + if environ.get('DISABLE_NEXTCLOUD') != '0': + template2_nextcloud = open(os.path.join(os.path.dirname(__file__), "../conf/nextcloud-conf.conf")).read() template3 = "\trewrite ^(.*) https://$REDIRECT_DOMAIN$1 permanent;\n" # Add the PRIMARY_HOST configuration first so it becomes nginx's default server. - nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'], [template0, template1, template2], ssl_certificates, env) + nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'], [template0, template1, template2_nextcloud, template2], ssl_certificates, env) # Add configuration all other web domains. has_root_proxy_or_redirect = get_web_domains_with_root_overrides(env) From 898418078758eb9abefd3240a7a25821d81decf5 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 11:04:37 +0000 Subject: [PATCH 20/35] fix order of Nginx config --- management/web_update.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/management/web_update.py b/management/web_update.py index 78be0dac..07b1d4ae 100644 --- a/management/web_update.py +++ b/management/web_update.py 
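Review bot: The added `template2_nextcloud = open(os.path.join(os.path.dirname(__file__), "../conf/nextcloud-conf.conf")).read()` line is the fifth copy of the same path-join-open-read expression in this hunk, and it opens the file without closing it like the lines it copies; a small helper such as `def _read_conf(name): with open(os.path.join(os.path.dirname(__file__), "../conf", name)) as f: return f.read()` (written on three lines) would let each template line read `template2 = _read_conf("nginx-primaryonly.conf")`. The filename here does not match the `nextclound-conf.conf` created in the same commit, which PATCH 24 later corrects. The pre-assignment `template2_nextcloud = ""` is placed above `template0` although it belongs with the `if` that fills it; moving it next to the check reads more naturally.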
@@ -86,7 +86,7 @@ def do_web_update(env): template3 = "\trewrite ^(.*) https://$REDIRECT_DOMAIN$1 permanent;\n" # Add the PRIMARY_HOST configuration first so it becomes nginx's default server. - nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'], [template0, template1, template2_nextcloud, template2], ssl_certificates, env) + nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'], [template0, template1, template2, template2_nextcloud], ssl_certificates, env) # Add configuration all other web domains. has_root_proxy_or_redirect = get_web_domains_with_root_overrides(env) From 7160d3c6a5d09e08a346bff92e6f5e14370759e3 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 22:34:54 +0000 Subject: [PATCH 21/35] Add a Yes/No function --- setup/functions.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/setup/functions.sh b/setup/functions.sh index 3bb96b7a..1dfe55ae 100644 --- a/setup/functions.sh +++ b/setup/functions.sh @@ -158,6 +158,17 @@ function message_box { dialog --title "$1" --msgbox "$2" 0 0 } +function yesno_box { + # yesno_box "title" "prompt" VARIABLE + # The exit code resembles the user's input and will be stored in the variable VARIABLE + # Temporarily turn off 'set -e' because we need the dialog return code + declare -n result=$3 + set +e + dialog --stdout --title "$1" --yesno "$2" 0 0 + result=$? + set -e +} + function input_box { # input_box "title" "prompt" "defaultvalue" VARIABLE # The user's input will be stored in the variable VARIABLE. From 098f24469a36ca7c57eae526cd31e6fc2afb3d3c Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 22:46:26 +0000 Subject: [PATCH 22/35] Ask the user if he/she wants to disable Nextcloud --- setup/questions.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/setup/questions.sh b/setup/questions.sh index bf382f49..34db0583 100644 --- a/setup/questions.sh +++ b/setup/questions.sh 
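Review bot: The comment on yesno_box should spell out dialog's exit-status contract, because every later test in this series keys off it: `# dialog --yesno exits 0 for Yes, 1 for No and 255 on ESC/cancel; that status is stored in VARIABLE`. As written, answering Yes to "Disable Nextcloud?" stores 0, which the rest of the series treats as "disabled", and ESC stores 255, which is treated as "keep Nextcloud" — workable, but only a reader who knows dialog's codes will see it. "resembles the user's input" should read "reflects the user's answer". `--stdout` is irrelevant for `--yesno`, which prints nothing, and `set -e` is re-enabled unconditionally; both mirror input_box if that helper does the same, but its body is outside the hunk.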
@@ -83,6 +83,12 @@ address, so we're suggesting $DEFAULT_PRIMARY_HOSTNAME. fi fi +# Ask the user if he/she wants to disable Nextcloud +yesno_box "Disable Nextcloud?"\ + "Nextcloud offers the Contacts and Calendar features in Mail-in-a-box\ + \n\nWould you like to disable it?"\ + DISABLE_NEXTCLOUD + # If the machine is behind a NAT, inside a VM, etc., it may not know # its IP address on the public network / the Internet. Ask the Internet # and possibly confirm with user. From fdd662870970faa033e0af7c57d633ce9077079e Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 03:25:56 +0000 Subject: [PATCH 23/35] Check if Nextcloud is already installed before asking the user if it should be disabled --- setup/questions.sh | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/setup/questions.sh b/setup/questions.sh index 34db0583..c70e4c98 100644 --- a/setup/questions.sh +++ b/setup/questions.sh @@ -83,12 +83,6 @@ address, so we're suggesting $DEFAULT_PRIMARY_HOSTNAME. fi fi -# Ask the user if he/she wants to disable Nextcloud -yesno_box "Disable Nextcloud?"\ - "Nextcloud offers the Contacts and Calendar features in Mail-in-a-box\ - \n\nWould you like to disable it?"\ - DISABLE_NEXTCLOUD - # If the machine is behind a NAT, inside a VM, etc., it may not know # its IP address on the public network / the Internet. Ask the Internet # and possibly confirm with user. 
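Review bot: The new yesno_box call is not guarded the way the surrounding questions are, so an unattended run (NONINTERACTIVE set, or DISABLE_NEXTCLOUD preset in the environment) blocks on a dialog instead of honouring the preset value; the same applies to the relocated block in PATCH 23 and the else branch added in PATCH 33. Wrap it as `if [ -z "${DISABLE_NEXTCLOUD:-}" ]; then` ... `fi`, matching how PRIMARY_HOSTNAME and STORAGE_ROOT are handled above. The answer is also never written to /etc/mailinabox.conf in this series, so the management daemon's Python checks cannot see it and the user is asked again on every re-run.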
@@ -199,6 +193,16 @@ if [ -z "${STORAGE_ROOT:-}" ]; then STORAGE_ROOT=$([[ -z "${DEFAULT_STORAGE_ROOT:-}" ]] && echo "/home/$STORAGE_USER" || echo "$DEFAULT_STORAGE_ROOT") fi +# Check if Nextcloud is already installed +# If it isn't, ask the user if Nextcloud should be disabled +if [ ! -d $STORAGE_ROOT/owncloud ]; then + # Ask the user if he/she wants to disable Nextcloud + yesno_box "Disable Nextcloud?"\ + "Nextcloud offers the Contacts and Calendar features in Mail-in-a-box\ + \n\nWould you like to disable it?"\ + DISABLE_NEXTCLOUD +fi + # Show the configuration, since the user may have not entered it manually. echo echo "Primary Hostname: $PRIMARY_HOSTNAME" From 610fbc5d4908682b3a7ce2c455db04242873a54a Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 08:19:06 +0000 Subject: [PATCH 24/35] rename nextcloud-conf.conf to nginx-nextcloud.conf --- conf/{nextclound-conf.conf => nginx-nextcloud.conf} | 0 management/web_update.py | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename conf/{nextclound-conf.conf => nginx-nextcloud.conf} (100%) diff --git a/conf/nextclound-conf.conf b/conf/nginx-nextcloud.conf similarity index 100% rename from conf/nextclound-conf.conf rename to conf/nginx-nextcloud.conf diff --git a/management/web_update.py b/management/web_update.py index 07b1d4ae..9d03864b 100644 --- a/management/web_update.py +++ b/management/web_update.py @@ -82,7 +82,7 @@ def do_web_update(env): template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read() # Check if the user doesn't want Nextcloud. if environ.get('DISABLE_NEXTCLOUD') != '0': - template2_nextcloud = open(os.path.join(os.path.dirname(__file__), "../conf/nextcloud-conf.conf")).read() + template2_nextcloud = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-nextcloud.conf")).read() template3 = "\trewrite ^(.*) https://$REDIRECT_DOMAIN$1 permanent;\n" # Add the PRIMARY_HOST configuration first so it becomes nginx's default server. 
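Review bot: `if [ ! -d $STORAGE_ROOT/owncloud ]; then` leaves the path unquoted; the context line just above carefully quotes `"${DEFAULT_STORAGE_ROOT:-}"`, so this should be `if [ ! -d "$STORAGE_ROOT/owncloud" ]; then`, and the same unquoted test is repeated in PATCH 32 and PATCH 33. Using the absence of the data directory as the trigger also means a box where Nextcloud was disabled never gets that directory and is therefore prompted on every subsequent setup run; persisting the answer would let this check short-circuit.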
From 403d9fdb7d4fe564408fe59256dd1630a7184b87 Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 08:43:42 +0000 Subject: [PATCH 25/35] add further clarity to the "Disable Nextcloud?" question --- setup/questions.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/questions.sh b/setup/questions.sh index c70e4c98..a45f4943 100644 --- a/setup/questions.sh +++ b/setup/questions.sh @@ -199,6 +199,7 @@ if [ ! -d $STORAGE_ROOT/owncloud ]; then # Ask the user if he/she wants to disable Nextcloud yesno_box "Disable Nextcloud?"\ "Nextcloud offers the Contacts and Calendar features in Mail-in-a-box\ + \nIt also offers other features like file sharing, gallery, todos, and more.\ \n\nWould you like to disable it?"\ DISABLE_NEXTCLOUD fi From de6b977e213a435734f19ef0b9b732fb4a321698 Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 08:45:44 +0000 Subject: [PATCH 26/35] Add quotation marks to the echo call --- setup/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/start.sh b/setup/start.sh index 886640a1..bd534bf9 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -108,7 +108,7 @@ source setup/web.sh source setup/webmail.sh if [ "${DISABLE_NEXTCLOUD}" == "0" ]; then - echo Nextcloud installation was skipped due to a configuration choice + echo "Nextcloud installation was skipped due to a configuration choice" else source setup/nextcloud.sh fi From e2d8fd5665d5d53a9d66af59339655f1cedb14fc Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 09:40:09 +0000 Subject: [PATCH 27/35] check if the Nextcloud fail2ban configuration isn't already added --- setup/system.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/system.sh b/setup/system.sh index cab05332..e3f9784d 100755 --- a/setup/system.sh +++ b/setup/system.sh 
@@ -341,9 +341,9 @@ systemctl restart systemd-resolved rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config -# Check if the user wants to enable Nextcloud, if the user wants it -# the relevant firejail configuration will be added -if [ "${DISABLE_NEXTCLOUD}" != "0"]; then +# Check if the user wants to enable Nextcloud and its rules aren't configured yet +# if both conditions are true, the relevant firejail configuration will be added +if [ "${DISABLE_NEXTCLOUD}" != "0"] && ! grep -q owncloud conf/fail2ban/jails.conf; then cat conf/fail2ban/nextcloud-jail.conf >> conf/fail2ban/jails.conf fi From 97ac5553e4136b89e17f3caeabfa17232da23e88 Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 09:54:03 +0000 Subject: [PATCH 28/35] fix indentation --- setup/webmail.sh | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index 567fd954..cd889dbd 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh 
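Review bot: `cat conf/fail2ban/nextcloud-jail.conf >> conf/fail2ban/jails.conf` appends to a file tracked in the repository checkout, which is why the `grep -q owncloud` guard became necessary; the checkout is left dirty, a later update of the tree can conflict on that file, and a user who disables Nextcloud after having enabled it keeps the jail forever because nothing removes the appended block. Assemble the jail file for /etc instead, e.g. `cat conf/fail2ban/jails.conf conf/fail2ban/nextcloud-jail.conf > /etc/fail2ban/jail.d/mailinabox.conf` in the enabled branch and a plain copy otherwise, so the result is derived from the sources on every run. The `"0"]` without a space before `]` noted in PATCH 17 is still present here and makes the whole condition fail.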
@@ -129,12 +129,12 @@ EOF if [ "${DISABLE_NEXTCLOUD}" == "0" ]; then cat >> $RCM_CONFIG <> $RCM_CONFIG <> $RCM_CONFIG < ${RCM_PLUGIN_DIR}/carddav/config.inc.php < 'ownCloud', - 'username' => '%u', // login username - 'password' => '%p', // login password - 'url' => 'https://${PRIMARY_HOSTNAME}/cloud/remote.php/carddav/addressbooks/%u/contacts', - 'active' => true, - 'readonly' => false, - 'refresh_time' => '02:00:00', - 'fixed' => array('username','password'), - 'preemptive_auth' => '1', - 'hide' => false, - ); - ?> - EOF + 'ownCloud', + 'username' => '%u', // login username + 'password' => '%p', // login password + 'url' => 'https://${PRIMARY_HOSTNAME}/cloud/remote.php/carddav/addressbooks/%u/contacts', + 'active' => true, + 'readonly' => false, + 'refresh_time' => '02:00:00', + 'fixed' => array('username','password'), + 'preemptive_auth' => '1', + 'hide' => false, +); +?> +EOF fi # Create writable directories. From 658fe0ceebecf4ee9186bf8307fe49d7dcbdf36f Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 10:32:14 +0000 Subject: [PATCH 29/35] Reduce duplicated code in the handling of roundcube's plugins --- setup/webmail.sh | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index cd889dbd..0fe0fc6e 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh 
@@ -94,6 +94,14 @@ SECRET_KEY=$(dd if=/dev/urandom bs=1 count=18 2>/dev/null | base64 | fold -w 24 # For security, temp and log files are not stored in the default locations # which are inside the roundcube sources directory. We put them instead # in normal places. + +PLUGINS="'html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'persistent_login'" + +# Add the carddav plugin if the user wants to install Nextcloud +if [ "${DISABLE_NEXTCLOUD}" != "0" ]; then + PLUGINS="$PLUGINS, 'carddav'" +fi + cat > $RCM_CONFIG < $RCM_CONFIG <> $RCM_CONFIG <> $RCM_CONFIG <> $RCM_CONFIG < Date: Fri, 27 Sep 2019 13:49:47 +0000 Subject: [PATCH 30/35] fixed typo --- setup/system.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/system.sh b/setup/system.sh index e3f9784d..0b44582b 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -342,7 +342,7 @@ rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config # Check if the user wants to enable Nextcloud and its rules aren't configured yet -# if both conditions are true, the relevant firejail configuration will be added +# if both conditions are true, the relevant fail2ban configuration will be added if [ "${DISABLE_NEXTCLOUD}" != "0"] && ! grep -q owncloud conf/fail2ban/jails.conf; then cat conf/fail2ban/nextcloud-jail.conf >> conf/fail2ban/jails.conf fi From 5cafd91c66ebfffb3b9e46692ca90037be4b4d6c Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 16:41:01 +0000 Subject: [PATCH 31/35] Add apt_purge function to remove packages --- setup/functions.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/setup/functions.sh b/setup/functions.sh index 1dfe55ae..b7414832 100644 --- a/setup/functions.sh +++ b/setup/functions.sh 
@@ -47,6 +47,12 @@ function apt_get_quiet { DEBIAN_FRONTEND=noninteractive hide_output apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" "$@" } +function apt_purge { + # Remove a bunch of packages. + PACKAGES=$@ + apt_get_quiet --purge remove $PACKAGES +} + function apt_install { # Install a bunch of packages. We used to report which packages were already # installed and which needed installing, before just running an 'apt-get From 8b6b59be1ea4bc53e11f2e0997ec96f10084f46b Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 16:48:07 +0000 Subject: [PATCH 32/35] Ask the user if he wants to remove Nextcloud if it appears to be installed previously --- setup/nextcloud-remove.sh | 35 +++++++++++++++++++++++++++++++++++ setup/questions.sh | 9 ++++++++- setup/start.sh | 3 +++ 3 files changed, 46 insertions(+), 1 deletion(-) create mode 100755 setup/nextcloud-remove.sh diff --git a/setup/nextcloud-remove.sh b/setup/nextcloud-remove.sh new file mode 100755 index 00000000..7bef4dc7 --- /dev/null +++ b/setup/nextcloud-remove.sh 
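Review bot: `PACKAGES=$@` assigns a global, unquoted variable that leaks out of apt_purge and is then word-split again on the next line; the function can simply forward its arguments, `apt_get_quiet --purge remove "$@"`, which keeps quoting intact and avoids the stray global. If a named variable is wanted for readability, declare it `local`.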
@@ -0,0 +1,35 @@ +#!/bin/bash +# +# This script will remove Nextcloud from your MiaB server +################################################################## + +source setup/functions.sh # load our functions +source /etc/mailinabox.conf # load global vars + +if [[ $EUID -ne 0 ]]; then + echo "This script must be run as root." + exit +fi + +# Backup the existing ownCloud/Nextcloud. +# Create a backup directory to store the current installation and database to + +BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"` +mkdir -p "$BACKUP_DIRECTORY" +if [ -d /usr/local/lib/owncloud/ ]; then + echo "Backing up existing Nextcloud installation, configuration, and database to directory to $BACKUP_DIRECTORY..." + cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install" + rm -r /usr/local/lib/owncloud +fi +if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then + cp $STORAGE_ROOT/owncloud/owncloud.db $BACKUP_DIRECTORY +fi +if [ -e $STORAGE_ROOT/owncloud/config.php ]; then + cp $STORAGE_ROOT/owncloud/config.php $BACKUP_DIRECTORY +fi +if [ -d $STORAGE/owncloud/ ]; then + echo "Removing Nextcloud..." + rm -r $STORAGE_ROOT/owncloud +fi +# Remove Nextcloud's dependencies +apt_purge php-imap php-pear php-dev php-xml php-zip php-apcu php-imagick diff --git a/setup/questions.sh b/setup/questions.sh index a45f4943..69972859 100644 --- a/setup/questions.sh +++ b/setup/questions.sh 
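Review bot: `if [ -d $STORAGE/owncloud/ ]; then` tests an undefined variable (`$STORAGE` instead of `$STORAGE_ROOT`), so under `set -u` the script aborts and otherwise the condition checks `/owncloud/`, which is false, and the Nextcloud data directory is never removed; write `if [ -d "$STORAGE_ROOT/owncloud/" ]; then`. The backup copies `owncloud.db` and `config.php` — the latter holds the instance secret and salt — into `$BACKUP_DIRECTORY` with the inherited umask; create it with `mkdir -p -m 700 "$BACKUP_DIRECTORY"` and quote every `$STORAGE_ROOT/...` path in the `-e` tests and `cp` calls. Because PATCH 32 sources this file from start.sh, the bare `exit` in the root check terminates the whole setup rather than this script, and it exits with status 0; start.sh already enforces root, so the check can go or become `return 1`. The final apt_purge removes php-xml, php-pear and friends, which other components installed by setup may rely on (Roundcube and Z-Push are set up outside this series), so please confirm apt does not pull their dependants out with them.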
@@ -203,7 +203,14 @@ if [ ! -d $STORAGE_ROOT/owncloud ]; then \n\nWould you like to disable it?"\ DISABLE_NEXTCLOUD fi - +if [ -d $STORAGE_ROOT/owncloud ]; then + yesno_box "Remove Nextcloud?"\ + "It seems that you already have Nextcloud installed previous\ + \n\nNextcloud offers the Contacts and Calendar features in Mail-in-a-box\ + \nIt also offers other features like file sharing, gallery, todos, and more.\ + \n\nWould you like to remove it?"\ + REMOVE_NEXTCLOUD +fi # Show the configuration, since the user may have not entered it manually. echo echo "Primary Hostname: $PRIMARY_HOSTNAME" diff --git a/setup/start.sh b/setup/start.sh index bd534bf9..34acc9f2 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -104,6 +104,9 @@ source setup/mail-dovecot.sh source setup/mail-users.sh source setup/dkim.sh source setup/spamassassin.sh +if [ "${REMOVE_NEXTCLOUD}" == "0" ] { + source setup/nextcloud-remove.sh +} source setup/web.sh source setup/webmail.sh From 451df93cfe74d10a574bcc70dda5aa5c3756f048 Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 17:19:24 +0000 Subject: [PATCH 33/35] Make sure that DISABLE_NEXTCLOUD is set to 0 --- setup/questions.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/setup/questions.sh b/setup/questions.sh index 69972859..77354290 100644 --- a/setup/questions.sh +++ b/setup/questions.sh 
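Review bot: In the start.sh hunk, `if [ "${REMOVE_NEXTCLOUD}" == "0" ] {` ... `}` is not bash syntax — `{` is passed as an extra argument to `[` and the closing `}` is an unexpected token — so start.sh fails to parse and every setup run aborts before sourcing anything below this point. It must read `if [ "${REMOVE_NEXTCLOUD:-}" == "0" ]; then` / `source setup/nextcloud-remove.sh` / `fi`, with the `:-` because REMOVE_NEXTCLOUD is only set on the path where Nextcloud already exists. The questions.sh hunk repeats the unquoted `$STORAGE_ROOT/owncloud` test noted in PATCH 23.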
@@ -202,14 +202,17 @@ if [ ! -d $STORAGE_ROOT/owncloud ]; then \nIt also offers other features like file sharing, gallery, todos, and more.\ \n\nWould you like to disable it?"\ DISABLE_NEXTCLOUD -fi -if [ -d $STORAGE_ROOT/owncloud ]; then +else + # Ask the user if he wants to remove Nextcloud yesno_box "Remove Nextcloud?"\ "It seems that you already have Nextcloud installed previous\ \n\nNextcloud offers the Contacts and Calendar features in Mail-in-a-box\ \nIt also offers other features like file sharing, gallery, todos, and more.\ \n\nWould you like to remove it?"\ REMOVE_NEXTCLOUD + if [ "${REMOVE_NEXTCLOUD}" == "0" ]; then + DISABLE_NEXTCLOUD="0" + fi fi # Show the configuration, since the user may have not entered it manually. echo From fc9389ac515b4e5f79ea49d52dd26ea074a30f14 Mon Sep 17 00:00:00 2001 From: dkoao Date: Fri, 27 Sep 2019 17:37:30 +0000 Subject: [PATCH 34/35] fix typo --- setup/questions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/questions.sh b/setup/questions.sh index 77354290..9755f123 100644 --- a/setup/questions.sh +++ b/setup/questions.sh @@ -205,7 +205,7 @@ if [ ! -d $STORAGE_ROOT/owncloud ]; then else # Ask the user if he wants to remove Nextcloud yesno_box "Remove Nextcloud?"\ - "It seems that you already have Nextcloud installed previous\ + "It seems that you already have Nextcloud installed\ \n\nNextcloud offers the Contacts and Calendar features in Mail-in-a-box\ \nIt also offers other features like file sharing, gallery, todos, and more.\ \n\nWould you like to remove it?"\ From 5e13c55f892c9c70afce333f1f97ee1c6dd157d0 Mon Sep 17 00:00:00 2001 
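Review bot: In the new `else` branch DISABLE_NEXTCLOUD is only assigned when the user chooses to remove Nextcloud, so a user who keeps an existing installation leaves the variable unset; every later `"${DISABLE_NEXTCLOUD}"` test in system.sh, webmail.sh and management.sh then expands to an empty string, or aborts under `set -u`. Initialise it explicitly for the keep case, e.g. an `else` on the inner test with `DISABLE_NEXTCLOUD="1"`, or set `DISABLE_NEXTCLOUD="${DISABLE_NEXTCLOUD:-1}"` once after the whole block. A comment stating that `"0"` means disabled because it is dialog's Yes status would make the `REMOVE_NEXTCLOUD == "0"` → `DISABLE_NEXTCLOUD="0"` mapping self-explanatory.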
From: dkoao Date: Sat, 28 Sep 2019 09:25:13 +0000 Subject: [PATCH 35/35] Delete the Contacts/Calender section from the admin page if the user didn't enable Nextcloud Also, restored the old text in sync-guide.html since the user would only see it if he enabled Nextcloud --- management/templates/index.html | 4 +--- management/templates/sync-guide.html | 2 +- setup/management.sh | 6 ++++++ 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/management/templates/index.html b/management/templates/index.html index 2c0d5a9a..bf3ee915 100644 --- a/management/templates/index.html +++ b/management/templates/index.html @@ -147,9 +147,7 @@ {% include "aliases.html" %}
-
- {% include "sync-guide.html" %} -
+
{% include "sync-guide.html" %}
{% include "web.html" %} diff --git a/management/templates/sync-guide.html b/management/templates/sync-guide.html index ac902653..70a5a44e 100644 --- a/management/templates/sync-guide.html +++ b/management/templates/sync-guide.html @@ -1,7 +1,7 @@

Contacts & Calendar Synchronization

-

If you chose to install Nextcloud, then this box can hold your contacts and calendar, just like it holds your email.

+

This box can hold your contacts and calendar, just like it holds your email.


diff --git a/setup/management.sh b/setup/management.sh index 3a6e187b..9a035d60 100755 --- a/setup/management.sh +++ b/setup/management.sh @@ -85,6 +85,12 @@ unzip -q /tmp/bootstrap.zip -d $assets_dir mv $assets_dir/bootstrap-$bootstrap_version-dist $assets_dir/bootstrap rm -f /tmp/bootstrap.zip +# Remove the Contacts/Calendar section from the admin page if the user didn't enable Nextcloud +if [ "${DISABLE_NEXTCLOUD}" == 0 ]; then + sed -i '/sync_guide/d' ../management/templates/index.html + rm ../management/templates/sync-guide.html +fi + # Create an init script to start the management daemon and keep it # running after a reboot. cat > $inst_dir/start <
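Review bot: `sed -i '/sync_guide/d' ../management/templates/index.html` and `rm ../management/templates/sync-guide.html` edit files of the repository checkout in place, so the tree is left dirty, a later update can conflict, and a user who later enables Nextcloud does not get the section back because the template file is gone; if the other `source setup/*.sh` lines run with the repository root as the working directory, `../management/...` also resolves outside the checkout and `sed -i` simply fails. The sed pattern deletes every line containing `sync_guide`, which couples this script to the index.html hunk in the same commit collapsing the include onto one line; any later reformatting of the template silently breaks it. Gating the include in the Jinja template on a setting read from the loaded config (and persisting DISABLE_NEXTCLOUD there) would remove both the file mutation and the pattern coupling. The comparison `== 0` is also unquoted, unlike the `"0"` used elsewhere in the series.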