Merge 5e13c55f89 into cd62fd9826

2025-04-29 04:17:07 +00:00 · 2019-11-24 20:08:07 +00:00 · 2019-11-24 20:08:07 +00:00 · 891e8c8c99
commit 891e8c8c99
parent cd62fd9826 5e13c55f89
15 changed files with 222 additions and 102 deletions
--- a/conf/fail2ban/jails.conf
+++ b/conf/fail2ban/jails.conf
@ -30,14 +30,6 @@ logpath  = /var/log/nginx/access.log
 maxretry = 20
 findtime = 30
 [miab-owncloud]
 enabled  = true
 port     = http,https
 filter   = miab-owncloud
 logpath  = STORAGE_ROOT/owncloud/nextcloud.log
 maxretry = 20
 findtime = 120
 [miab-postfix587]
 enabled  = true
 port     = 587
--- a/conf/fail2ban/nextcloud-jail.conf
+++ b/conf/fail2ban/nextcloud-jail.conf
@ -0,0 +1,8 @@
 [miab-owncloud]
 enabled  = true
 port     = http,https
 filter   = miab-owncloud
 logpath  = STORAGE_ROOT/owncloud/nextcloud.log
 maxretry = 20
 findtime = 120
--- a/conf/nginx-nextcloud.conf
+++ b/conf/nginx-nextcloud.conf
@ -0,0 +1,60 @@
 	# Nextcloud configuration.
 	rewrite ^/cloud$ /cloud/ redirect;
 	rewrite ^/cloud/$ /cloud/index.php;
 	rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect;
 	rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
 	rewrite ^(/cloud/oc[sm]-provider)/$ $1/index.php redirect;
 	location /cloud/ {
 		alias /usr/local/lib/owncloud/;
 	 	location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
 	 		deny all;
 	 	}
 	 	location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
 	 		deny all;
 	 	}
 		# Enable paths for service and cloud federation discovery
 		# Resolves warning in Nextcloud Settings panel
                location ~ ^/cloud/(oc[sm]-provider)?/([^/]+\.php)$ {
                        index index.php;
                        include fastcgi_params;
                        fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$1/$2;
                        fastcgi_pass php-fpm;
                }
 	}
 	location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ {
 		# note: ~ has precendence over a regular location block
 		# Accept URLs like:
 		# /cloud/index.php/apps/files/
 		# /cloud/index.php/apps/files/ajax/scan.php (it's really index.php; see 6fdef379adfdeac86cc2220209bdf4eb9562268d)
 		# /cloud/ocs/v1.php/apps/files_sharing/api/v1 (see #240)
 		# /cloud/remote.php/webdav/yourfilehere...
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2;
 		fastcgi_param SCRIPT_NAME $1$2;
 		fastcgi_param PATH_INFO $3;
 		fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
 		fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel;
 		fastcgi_read_timeout 630;
 		fastcgi_pass php-fpm;
 		client_max_body_size 1G;
 		fastcgi_buffers 64 4K;
 	}
 	location ^~ /owncloud-xaccel/ {
 		# This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. Nextcloud sends the full file
 		# path on disk as a subdirectory under this virtual path.
 		# We must only allow 'internal' redirects within nginx so that the filesystem
 		# is not exposed to the world.
 		internal;
 		alias /;
 	}
 	location ~ ^/((caldav|carddav|webdav).*)$ {
 		# Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either.
 		# Properly proxying like this seems to work fine.
 		proxy_pass https://127.0.0.1/cloud/remote.php/$1;
 	}
 	rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
 	rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
 	rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
 	rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@ -14,63 +14,3 @@
 		add_header Content-Security-Policy "frame-ancestors 'none';";
 	}
 	# Nextcloud configuration.
 	rewrite ^/cloud$ /cloud/ redirect;
 	rewrite ^/cloud/$ /cloud/index.php;
 	rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect;
 	rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
 	rewrite ^(/cloud/oc[sm]-provider)/$ $1/index.php redirect;
 	location /cloud/ {
 		alias /usr/local/lib/owncloud/;
 	 	location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
 	 		deny all;
 	 	}
 	 	location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
 	 		deny all;
 	 	}
 		# Enable paths for service and cloud federation discovery
 		# Resolves warning in Nextcloud Settings panel
                location ~ ^/cloud/(oc[sm]-provider)?/([^/]+\.php)$ {
                        index index.php;
                        include fastcgi_params;
                        fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$1/$2;
                        fastcgi_pass php-fpm;
                }
 	}
 	location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ {
 		# note: ~ has precendence over a regular location block
 		# Accept URLs like:
 		# /cloud/index.php/apps/files/
 		# /cloud/index.php/apps/files/ajax/scan.php (it's really index.php; see 6fdef379adfdeac86cc2220209bdf4eb9562268d)
 		# /cloud/ocs/v1.php/apps/files_sharing/api/v1 (see #240)
 		# /cloud/remote.php/webdav/yourfilehere...
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2;
 		fastcgi_param SCRIPT_NAME $1$2;
 		fastcgi_param PATH_INFO $3;
 		fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
 		fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel;
 		fastcgi_read_timeout 630;
 		fastcgi_pass php-fpm;
 		client_max_body_size 1G;
 		fastcgi_buffers 64 4K;
 	}
 	location ^~ /owncloud-xaccel/ {
 		# This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. Nextcloud sends the full file
 		# path on disk as a subdirectory under this virtual path.
 		# We must only allow 'internal' redirects within nginx so that the filesystem
 		# is not exposed to the world.
 		internal;
 		alias /;
 	}
 	location ~ ^/((caldav|carddav|webdav).*)$ {
 		# Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either.
 		# Properly proxying like this seems to work fine.
 		proxy_pass https://127.0.0.1/cloud/remote.php/$1;
 	}
 	rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
 	rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
 	rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
 	rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;
 	# ADDITIONAL DIRECTIVES HERE
--- a/management/dns_update.py
+++ b/management/dns_update.py
@ -11,6 +11,7 @@ import dns.resolver
 from mailconfig import get_mail_domains
 from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains
 from os import environ
 # From https://stackoverflow.com/questions/3026957/how-to-validate-a-domain-name-using-regex-php/16491074#16491074
 # This regular expression matches domain names according to RFCs, it also accepts fqdn with an leading dot,
@ -280,9 +281,9 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 		if not has_rec(dmarc_qname, "TXT", prefix="v=DMARC1; "):
 			records.append((dmarc_qname, "TXT", 'v=DMARC1; p=reject', "Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @%s." % (qname + "." + domain)))
        if environ.get('DISABLE_NEXTCLOUD') != '0' and domain != env["PRIMARY_HOSTNAME"]:
        	# Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname.
        	# The SRV record format is priority (0, whatever), weight (0, whatever), port, service provider hostname (w/ trailing dot).
 	if domain != env["PRIMARY_HOSTNAME"]:
        		for dav in ("card", "cal"):
        			qname = "_" + dav + "davs._tcp"
        			if not has_rec(qname, "SRV"):
--- a/management/templates/index.html
+++ b/management/templates/index.html
@ -147,9 +147,7 @@
      {% include "aliases.html" %}
      </div>
-      <div id="panel_sync_guide" class="admin_panel">
+      <div id="panel_sync_guide" class="admin_panel">{% include "sync-guide.html" %}</div>
      {% include "sync-guide.html" %}
      </div>
      <div id="panel_web" class="admin_panel">
      {% include "web.html" %}
--- a/management/web_update.py
+++ b/management/web_update.py
@ -8,6 +8,7 @@ from mailconfig import get_mail_domains
 from dns_update import get_custom_dns_config, get_dns_zones
 from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate
 from utils import shell, safe_domain_name, sort_domains
 from os import environ
 def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True):
 	# What domains should we serve HTTP(S) for?
@ -75,13 +76,17 @@ def do_web_update(env):
 	nginx_conf = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-top.conf")).read()
 	# Load the templates.
        template2_nextcloud = ""
 	template0 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read()
 	template1 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-alldomains.conf")).read()
 	template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read()
        # Check if the user doesn't want Nextcloud.
        if environ.get('DISABLE_NEXTCLOUD') != '0':
 	    template2_nextcloud = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-nextcloud.conf")).read()
 	template3 = "\trewrite ^(.*) https://$REDIRECT_DOMAIN$1 permanent;\n"
 	# Add the PRIMARY_HOST configuration first so it becomes nginx's default server.
-	nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'], [template0, template1, template2], ssl_certificates, env)
+	nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'], [template0, template1, template2, template2_nextcloud], ssl_certificates, env)
 	# Add configuration all other web domains.
 	has_root_proxy_or_redirect = get_web_domains_with_root_overrides(env)
--- a/setup/functions.sh
+++ b/setup/functions.sh
@ -47,6 +47,12 @@ function apt_get_quiet {
 	DEBIAN_FRONTEND=noninteractive hide_output apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" "$@"
 }
 function apt_purge {
 	# Remove a bunch of packages.
 	PACKAGES=$@
 	apt_get_quiet --purge remove $PACKAGES
 }
 function apt_install {
 	# Install a bunch of packages. We used to report which packages were already
 	# installed and which needed installing, before just running an 'apt-get
@ -158,6 +164,17 @@ function message_box {
 	dialog --title "$1" --msgbox "$2" 0 0
 }
 function yesno_box {
 	# yesno_box "title" "prompt" VARIABLE
 	# The exit code resembles the user's input and will be stored in the variable VARIABLE
 	# Temporarily turn off 'set -e' because we need the dialog return code
 	declare -n result=$3
 	set +e
 	dialog --stdout --title "$1" --yesno "$2" 0 0
 	result=$?
 	set -e
 }
 function input_box {
 	# input_box "title" "prompt" "defaultvalue" VARIABLE
 	# The user's input will be stored in the variable VARIABLE.
--- a/setup/management.sh
+++ b/setup/management.sh
@ -85,6 +85,12 @@ unzip -q /tmp/bootstrap.zip -d $assets_dir
 mv $assets_dir/bootstrap-$bootstrap_version-dist $assets_dir/bootstrap
 rm -f /tmp/bootstrap.zip
 # Remove the Contacts/Calendar section from the admin page if the user didn't enable Nextcloud
 if [ "${DISABLE_NEXTCLOUD}" == 0 ]; then
 	sed -i '/sync_guide/d' ../management/templates/index.html
 	rm ../management/templates/sync-guide.html
 fi
 # Create an init script to start the management daemon and keep it
 # running after a reboot.
 cat > $inst_dir/start <<EOF;
--- a/setup/nextcloud-remove.sh
+++ b/setup/nextcloud-remove.sh
@ -0,0 +1,35 @@
 #!/bin/bash
 #
 # This script will remove Nextcloud from your MiaB server
 ##################################################################
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
 if [[ $EUID -ne 0 ]]; then
 	echo "This script must be run as root."
 	exit
 fi
 # Backup the existing ownCloud/Nextcloud.
 # Create a backup directory to store the current installation and database to
 BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"`
 mkdir -p "$BACKUP_DIRECTORY"
 if [ -d /usr/local/lib/owncloud/ ]; then
 	echo "Backing up existing Nextcloud installation, configuration, and database to directory to $BACKUP_DIRECTORY..."
 	cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install"
 	rm -r /usr/local/lib/owncloud
 fi
 if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then
 	cp $STORAGE_ROOT/owncloud/owncloud.db $BACKUP_DIRECTORY
 fi
 if [ -e $STORAGE_ROOT/owncloud/config.php ]; then
 	cp $STORAGE_ROOT/owncloud/config.php $BACKUP_DIRECTORY
 fi
 if [ -d $STORAGE/owncloud/ ]; then
 	echo "Removing Nextcloud..."
 	rm -r $STORAGE_ROOT/owncloud
 fi
 # Remove Nextcloud's dependencies
 apt_purge php-imap php-pear php-dev php-xml php-zip php-apcu php-imagick
--- a/setup/questions.sh
+++ b/setup/questions.sh
@ -193,6 +193,27 @@ if [ -z "${STORAGE_ROOT:-}" ]; then
 	STORAGE_ROOT=$([[ -z "${DEFAULT_STORAGE_ROOT:-}" ]] && echo "/home/$STORAGE_USER" || echo "$DEFAULT_STORAGE_ROOT")
 fi
 # Check if Nextcloud is already installed
 # If it isn't, ask the user if Nextcloud should be disabled 
 if [ ! -d $STORAGE_ROOT/owncloud ]; then
 	# Ask the user if he/she wants to disable Nextcloud
 	yesno_box "Disable Nextcloud?"\
 		"Nextcloud offers the Contacts and Calendar features in Mail-in-a-box\
 		\nIt also offers other features like file sharing, gallery, todos, and more.\ 
 		\n\nWould you like to disable it?"\
 		DISABLE_NEXTCLOUD
 else
 	# Ask the user if he wants to remove Nextcloud
 	yesno_box "Remove Nextcloud?"\
 		"It seems that you already have Nextcloud installed\
 		\n\nNextcloud offers the Contacts and Calendar features in Mail-in-a-box\
 		\nIt also offers other features like file sharing, gallery, todos, and more.\ 
 		\n\nWould you like to remove it?"\
 		REMOVE_NEXTCLOUD	
 	if [ "${REMOVE_NEXTCLOUD}" == "0" ]; then
 		DISABLE_NEXTCLOUD="0"	
 	fi
 fi
 # Show the configuration, since the user may have not entered it manually.
 echo
 echo "Primary Hostname: $PRIMARY_HOSTNAME"
--- a/setup/start.sh
+++ b/setup/start.sh
@ -104,9 +104,18 @@ source setup/mail-dovecot.sh
 source setup/mail-users.sh
 source setup/dkim.sh
 source setup/spamassassin.sh
 if [ "${REMOVE_NEXTCLOUD}" == "0" ] {
 	source setup/nextcloud-remove.sh
 }
 source setup/web.sh
 source setup/webmail.sh
-source setup/nextcloud.sh
+
 if [ "${DISABLE_NEXTCLOUD}" == "0" ]; then
 	echo "Nextcloud installation was skipped due to a configuration choice"
 else 
 	source setup/nextcloud.sh
 fi
 source setup/zpush.sh
 source setup/management.sh
 source setup/munin.sh
--- a/setup/system.sh
+++ b/setup/system.sh
@ -344,10 +344,19 @@ systemctl restart systemd-resolved
 # Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix, ssh, etc.
 rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore
 rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config
 # Check if the user wants to enable Nextcloud and its rules aren't configured yet
 # if both conditions are true, the relevant fail2ban configuration will be added
 if [ "${DISABLE_NEXTCLOUD}" != "0"] && ! grep -q owncloud conf/fail2ban/jails.conf; then
 	cat conf/fail2ban/nextcloud-jail.conf >> conf/fail2ban/jails.conf
 fi
 cat conf/fail2ban/jails.conf \
 	| sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
 	| sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
 	> /etc/fail2ban/jail.d/mailinabox.conf
 cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/
 # On first installation, the log files that the jails look at don't all exist.
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@ -68,6 +68,8 @@ if [ $needs_update == 1 ]; then
 	git_clone https://github.com/kitist/html5_notifier.git $HTML5_NOTIFIER_VERSION '' ${RCM_PLUGIN_DIR}/html5_notifier
 	# download and verify the full release of the carddav plugin
 	if [ "${DISABLE_NEXTCLOUD}" != "0" ]; then
 		wget_verify \
 			https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-${CARDDAV_VERSION}.zip \
 			$CARDDAV_HASH \
@ -77,6 +79,7 @@ if [ $needs_update == 1 ]; then
 		unzip -q /tmp/carddav.zip -d ${RCM_PLUGIN_DIR}
 		rm -f /tmp/carddav.zip
 	fi
 	# record the version we've installed
 	echo $UPDATE_KEY > ${RCM_DIR}/version
 fi
@ -91,6 +94,14 @@ SECRET_KEY=$(dd if=/dev/urandom bs=1 count=18 2>/dev/null | base64 | fold -w 24
 # For security, temp and log files are not stored in the default locations
 # which are inside the roundcube sources directory. We put them instead
 # in normal places.
 PLUGINS="'html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'persistent_login'"
 # Add the carddav plugin if the user wants to install Nextcloud
 if [ "${DISABLE_NEXTCLOUD}" != "0" ]; then
 	PLUGINS="$PLUGINS, 'carddav'"
 fi
 cat > $RCM_CONFIG <<EOF;
 <?php
 /*
@ -122,7 +133,7 @@ cat > $RCM_CONFIG <<EOF;
 \$config['support_url'] = 'https://mailinabox.email/';
 \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
 \$config['des_key'] = '$SECRET_KEY';
-\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'persistent_login', 'carddav');
+\$config['plugins'] = array($PLUGINS);
 \$config['skin'] = 'larry';
 \$config['login_autocomplete'] = 2;
 \$config['password_charset'] = 'UTF-8';
@ -131,7 +142,9 @@ cat > $RCM_CONFIG <<EOF;
 EOF
 # Configure CardDav
-cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
+if [ "${DISABLE_NEXTCLOUD}" != "0" ]; then
 	cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
 <?php
 /* Do not edit. Written by Mail-in-a-Box. Regenerated on updates. */
 \$prefs['_GLOBAL']['hide_preferences'] = true;
@ -150,6 +163,7 @@ cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
 );
 ?>
 EOF
 fi
 # Create writable directories.
 mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
@ -182,10 +196,12 @@ chmod 775 $STORAGE_ROOT/mail
 chown root.www-data $STORAGE_ROOT/mail/users.sqlite
 chmod 664 $STORAGE_ROOT/mail/users.sqlite
-# Fix Carddav permissions:
+if [ "${DISABLE_NEXTCLOUD}" != "0" ]; then
-chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav
+	# Fix Carddav permissions:
-# root.www-data need all permissions, others only read
+	chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav
-chmod -R 774 ${RCM_PLUGIN_DIR}/carddav
+	# root.www-data need all permissions, others only read
 	chmod -R 774 ${RCM_PLUGIN_DIR}/carddav
 fi
 # Run Roundcube database migration script (database is created if it does not exist)
 ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@ -64,13 +64,16 @@ rm -f /usr/local/lib/z-push/backend/imap/config.php
 cp conf/zpush/backend_imap.php /usr/local/lib/z-push/backend/imap/config.php
 sed -i "s%STORAGE_ROOT%$STORAGE_ROOT%" /usr/local/lib/z-push/backend/imap/config.php
-# Configure CardDav
+if [ "${DISABLE_NEXTCLOUD}" != "0" ]; then
 rm -f /usr/local/lib/z-push/backend/carddav/config.php
 cp conf/zpush/backend_carddav.php /usr/local/lib/z-push/backend/carddav/config.php
-# Configure CalDav
+	# Configure CardDav
-rm -f /usr/local/lib/z-push/backend/caldav/config.php
+	rm -f /usr/local/lib/z-push/backend/carddav/config.php
-cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php
+	cp conf/zpush/backend_carddav.php /usr/local/lib/z-push/backend/carddav/config.php
 	# Configure CalDav
 	rm -f /usr/local/lib/z-push/backend/caldav/config.php
 	cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php
 fi
 # Configure Autodiscover
 rm -f /usr/local/lib/z-push/autodiscover/config.php