NextClous&Webmail features to be disabled and shellcheck findings

2025-04-03 00:07:05 +00:00 · 2022-08-28 09:44:45 +02:00 · 2022-08-28 09:44:45 +02:00 · f3bd2d9d42
commit f3bd2d9d42
parent b8feb77ef4
9 changed files with 271 additions and 232 deletions
--- a/7
+++ b/7
@ -19,7 +19,12 @@ Vagrant.configure("2") do |config|
    export PUBLIC_IP=auto
    export PUBLIC_IPV6=auto
    export PRIMARY_HOSTNAME=auto
-    #export SKIP_NETWORK_CHECKS=1
+
+    export SKIP_NETWORK_CHECKS=1
+    
+    export NEXTCLOUD_ENABLE=0
+    export WEBMAIL_ENABLE=0
+    export ZPUSH_ENABLE=0

    # Start the setup script.
    cd /vagrant
--- a/setup/functions.sh
+++ b/setup/functions.sh
@ -1,10 +1,12 @@
+#!/bin/bash
+
 # Turn on "strict mode." See http://redsymbol.net/articles/unofficial-bash-strict-mode/.
 # -e: exit if any command unexpectedly fails.
 # -u: exit if we have a variable typo.
 # -o pipefail: don't ignore errors in the non-last command in a pipeline
 set -euo pipefail

-PHP_VER=8.0
+export PHP_VER=8.0

 function hide_output {
 	# This function hides the output of a command unless the command fails
@ -16,7 +18,7 @@ function hide_output {
 	# Execute command, redirecting stderr/stdout to the temporary file. Since we
 	# check the return code ourselves, disable 'set -e' temporarily.
 	set +e
-	"$@" &> $OUTPUT
+	"$@" &> "$OUTPUT"
 	E=$?
 	set -e

--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@ -5,6 +5,10 @@
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars

+if [ "$NEXTCLOUD_ENABLE" -ne "1" ]; then
+	echo "Skipping Nextcloud installation."
+else
+
 # ### Installing Nextcloud

 echo "Installing Nextcloud (contacts/calendar)..."
@ -378,3 +382,5 @@ chmod +x /etc/cron.d/mailinabox-nextcloud

 # Enable PHP modules and restart PHP.
 restart_service php$PHP_VER-fpm
+
+fi
--- a/setup/preflight.sh
+++ b/setup/preflight.sh
@ -1,3 +1,5 @@
+#!/bin/bash
+
 # Are we running as root?
 if [[ $EUID -ne 0 ]]; then
 	echo "This script must be run as root. Please re-run like this:"
@ -7,7 +9,7 @@ if [[ $EUID -ne 0 ]]; then
 	exit 1
 fi

-# Check that we are running on Ubuntu 20.04 LTS (or 20.04.xx).
+# Check that we are running on Ubuntu 22.04 LTS (or 22.04.xx).
 if [ "$( lsb_release --id --short )" != "Ubuntu" ] || [ "$( lsb_release --release --short )" != "22.04" ]; then
 	echo "Mail-in-a-Box only supports being installed on Ubuntu 22.04, sorry. You are running:"
 	echo
@ -26,7 +28,7 @@ fi
 #
 # Skip the check if we appear to be running inside of Vagrant, because that's really just for testing.
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}')
-if [ $TOTAL_PHYSICAL_MEM -lt 490000 ]; then
+if [ "$TOTAL_PHYSICAL_MEM" -lt 490000 ]; then
 if [ ! -d /vagrant ]; then
 	TOTAL_PHYSICAL_MEM=$(expr \( \( $TOTAL_PHYSICAL_MEM \* 1024 \) / 1000 \) / 1000)
 	echo "Your Mail-in-a-Box needs more memory (RAM) to function properly."
@ -35,7 +37,7 @@ if [ ! -d /vagrant ]; then
 	exit
 fi
 fi
-if [ $TOTAL_PHYSICAL_MEM -lt 750000 ]; then
+if [ "$TOTAL_PHYSICAL_MEM" -lt 750000 ]; then
 	echo "WARNING: Your Mail-in-a-Box has less than 768 MB of memory."
 	echo "         It might run unreliably when under heavy load."
 fi
--- a/setup/questions.sh
+++ b/setup/questions.sh
@ -1,3 +1,5 @@
+#!/bin/bash
+
 if [ -z "${NONINTERACTIVE:-}" ]; then
 	# Install 'dialog' so we can ask the user questions. The original motivation for
 	# this was being able to ask the user for input even if stdin has been redirected,
@ -141,16 +143,20 @@ if [ -z "${PUBLIC_IPV6:-}" ]; then
 			"Enter the public IPv6 address of this machine, as given to you by your ISP.
 			\n\nLeave blank if the machine does not have an IPv6 address.
 			\n\nPublic IPv6 address:" \
-			${DEFAULT_PUBLIC_IPV6:-} \
+			"${DEFAULT_PUBLIC_IPV6:-}" \
 			PUBLIC_IPV6

-		if [ ! $PUBLIC_IPV6_EXITCODE ]; then
+		if [ ! "$PUBLIC_IPV6_EXITCODE" ]; then
 			# user hit ESC/cancel
 			exit
 		fi
 	fi
 fi

+export NEXTCLOUD_ENABLE=$NEXTCLOUD_ENABLE
+export WEBMAIL_ENABLE=$WEBMAIL_ENABLE
+export ZPUSH_ENABLE=$ZPUSH_ENABLE
+
 # Get the IP addresses of the local network interface(s) that are connected
 # to the Internet. We need these when we want to have services bind only to
 # the public network interfaces (not loopback, not tunnel interfaces).
--- a/setup/start.sh
+++ b/setup/start.sh
@ -4,7 +4,7 @@

 source setup/functions.sh # load our functions

-# Check system setup: Are we running as root on Ubuntu 18.04 on a
+# Check system setup: Are we running as root on Ubuntu 22.04 on a
 # machine with enough memory? Is /tmp mounted with exec.
 # If not, this shows an error and exits.
 source setup/preflight.sh
@ -35,11 +35,12 @@ if [ -f /etc/mailinabox.conf ]; then

 	# Load the old .conf file to get existing configuration options loaded
 	# into variables with a DEFAULT_ prefix.
-	cat /etc/mailinabox.conf | sed s/^/DEFAULT_/ > /tmp/mailinabox.prev.conf
+	sed s/^/DEFAULT_/ /etc/mailinabox.conf > /tmp/mailinabox.prev.conf
+	# shellcheck source=/dev/null
 	source /tmp/mailinabox.prev.conf
 	rm -f /tmp/mailinabox.prev.conf
 else
-	FIRST_TIME_SETUP=1
+	export FIRST_TIME_SETUP=1
 fi

 # Put a start script in a global location. We tell the user to run 'mailinabox'
@ -75,17 +76,17 @@ fi
 # migration (schema) number for the files stored there, assume this is a fresh
 # installation to that directory and write the file to contain the current
 # migration number for this version of Mail-in-a-Box.
-if ! id -u $STORAGE_USER >/dev/null 2>&1; then
-	useradd -m $STORAGE_USER
+if ! id -u "$STORAGE_USER" >/dev/null 2>&1; then
+	useradd -m "$STORAGE_USER"
 fi
-if [ ! -d $STORAGE_ROOT ]; then
-	mkdir -p $STORAGE_ROOT
+if [ ! -d "$STORAGE_ROOT" ]; then
+	mkdir -p "$STORAGE_ROOT"
 fi
 f=$STORAGE_ROOT
 while [[ $f != / ]]; do chmod a+rx "$f"; f=$(dirname "$f"); done;
-if [ ! -f $STORAGE_ROOT/mailinabox.version ]; then
-	setup/migrate.py --current > $STORAGE_ROOT/mailinabox.version
-	chown $STORAGE_USER.$STORAGE_USER $STORAGE_ROOT/mailinabox.version
+if [ ! -f "$STORAGE_ROOT/mailinabox.version" ]; then
+	setup/migrate.py --current > "$STORAGE_ROOT/mailinabox.version"
+	chown "$STORAGE_USER"."$STORAGE_USER" "$STORAGE_ROOT/mailinabox.version"
 fi

 # Save the global options in /etc/mailinabox.conf so that standalone
@ -101,6 +102,9 @@ PUBLIC_IPV6=$PUBLIC_IPV6
 PRIVATE_IP=$PRIVATE_IP
 PRIVATE_IPV6=$PRIVATE_IPV6
 MTA_STS_MODE=${DEFAULT_MTA_STS_MODE:-enforce}
+NEXTCLOUD_ENABLE=$NEXTCLOUD_ENABLE
+WEBMAIL_ENABLE=$WEBMAIL_ENABLE
+ZPUSH_ENABLE=$ZPUSH_ENABLE
 EOF

 # Start service configuration.
@ -142,14 +146,14 @@ source setup/firstuser.sh
 # We'd let certbot ask the user interactively, but when this script is
 # run in the recommended curl-pipe-to-bash method there is no TTY and
 # certbot will fail if it tries to ask.
-if [ ! -d $STORAGE_ROOT/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/ ]; then
+if [ ! -d "$STORAGE_ROOT/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/" ]; then
 echo
 echo "-----------------------------------------------"
 echo "Mail-in-a-Box uses Let's Encrypt to provision free SSL/TLS certificates"
 echo "to enable HTTPS connections to your box. We're automatically"
 echo "agreeing you to their subscriber agreement. See https://letsencrypt.org."
 echo
-certbot register --register-unsafely-without-email --agree-tos --config-dir $STORAGE_ROOT/ssl/lets_encrypt
+certbot register --register-unsafely-without-email --agree-tos --config-dir "$STORAGE_ROOT/ssl/lets_encrypt"
 fi

 # Done.
@ -166,7 +170,7 @@ if management/status_checks.py --check-primary-hostname; then
 	echo
 	echo "If you have a DNS problem put the box's IP address in the URL"
 	echo "(https://$PUBLIC_IP/admin) but then check the TLS fingerprint:"
-	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\
+	openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256\
        	| sed "s/SHA256 Fingerprint=//"
 else
 	echo https://$PUBLIC_IP/admin
@ -174,7 +178,7 @@ else
 	echo You will be alerted that the website has an invalid certificate. Check that
 	echo the certificate fingerprint matches:
 	echo
-	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\
+	openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256\
        	| sed "s/SHA256 Fingerprint=//"
 	echo
 	echo Then you can confirm the security exception and continue.
--- a/setup/system.sh
+++ b/setup/system.sh
@ -1,3 +1,5 @@
+#!/bin/bash
+
 source /etc/mailinabox.conf
 source setup/functions.sh # load our functions

@ -11,8 +13,8 @@ source setup/functions.sh # load our functions
 #
 # First set the hostname in the configuration file, then activate the setting

-echo $PRIMARY_HOSTNAME > /etc/hostname
-hostname $PRIMARY_HOSTNAME
+echo "$PRIMARY_HOSTNAME" > /etc/hostname
+hostname "$PRIMARY_HOSTNAME"

 # ### Fix permissions

@ -43,7 +45,7 @@ chmod g-w /etc /etc/default /usr
 # See https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04
 # for reference

-SWAP_MOUNTED=$(cat /proc/swaps | tail -n+2)
+SWAP_MOUNTED=$(tail -n+2 /proc/swaps)
 SWAP_IN_FSTAB=$(grep "swap" /etc/fstab || /bin/true)
 ROOT_IS_BTRFS=$(grep "\/ .*btrfs" /proc/mounts || /bin/true)
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
@ -53,14 +55,14 @@ if
 	[ -z "$SWAP_IN_FSTAB" ] &&
 	[ ! -e /swapfile ] &&
 	[ -z "$ROOT_IS_BTRFS" ] &&
-	[ $TOTAL_PHYSICAL_MEM -lt 1900000 ] &&
-	[ $AVAILABLE_DISK_SPACE -gt 5242880 ]
+	[ "$TOTAL_PHYSICAL_MEM" -lt 1900000 ] &&
+	[ "$AVAILABLE_DISK_SPACE" -gt 5242880 ]
 then
 	echo "Adding a swap file to the system..."

 	# Allocate and activate the swap file. Allocate in 1KB chuncks
 	# doing it in one go, could fail on low memory systems
-	dd if=/dev/zero of=/swapfile bs=1024 count=$[1024*1024] status=none
+	dd if=/dev/zero of=/swapfile bs=1024 count=$((1024*1024)) status=none
 	if [ -e /swapfile ]; then
 		chmod 600 /swapfile
 		hide_output mkswap /swapfile
@ -164,7 +166,7 @@ fi
 # not likely the user will want to change this, so we only ask on first
 # setup.
 if [ -z "${NONINTERACTIVE:-}" ]; then
-	if [ ! -f /etc/timezone ] || [ ! -z ${FIRST_TIME_SETUP:-} ]; then
+	if [ ! -f /etc/timezone ] || [ -n "${FIRST_TIME_SETUP:-}" ]; then
 		# If the file is missing or this is the user's first time running
 		# Mail-in-a-Box setup, run the interactive timezone configuration
 		# tool.
@ -273,8 +275,8 @@ if [ -z "${DISABLE_FIREWALL:-}" ]; then
 	if [ ! -z "$SSH_PORT" ]; then
 	if [ "$SSH_PORT" != "22" ]; then

-	echo Opening alternate SSH port $SSH_PORT. #NODOC
-	ufw_limit $SSH_PORT #NODOC
+	echo Opening alternate SSH port "$SSH_PORT". #NODOC
+	ufw_limit "$SSH_PORT" #NODOC

 	fi
 	fi
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@ -5,131 +5,135 @@
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars

-# ### Installing Roundcube
+if [ "$WEBMAIL_ENABLE" -ne "1" ]; then
+	echo "Skipping Roundcube (webmail) installation."
+else

-# We install Roundcube from sources, rather than from Ubuntu, because:
-#
-# 1. Ubuntu's `roundcube-core` package has dependencies on Apache & MySQL, which we don't want.
-#
-# 2. The Roundcube shipped with Ubuntu is consistently out of date.
-#
-# 3. It's packaged incorrectly --- it seems to be missing a directory of files.
-#
-# So we'll use apt-get to manually install the dependencies of roundcube that we know we need,
-# and then we'll manually install roundcube from source.
+	# ### Installing Roundcube

-# These dependencies are from `apt-cache showpkg roundcube-core`.
-echo "Installing Roundcube (webmail)..."
-apt_install \
-	dbconfig-common \
-	php${PHP_VER}-cli php${PHP_VER}-sqlite3 php${PHP_VER}-intl php${PHP_VER}-common php${PHP_VER}-curl php${PHP_VER}-imap \
-	php${PHP_VER}-gd php${PHP_VER}-pspell php${PHP_VER}-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1
+	# We install Roundcube from sources, rather than from Ubuntu, because:
+	#
+	# 1. Ubuntu's `roundcube-core` package has dependencies on Apache & MySQL, which we don't want.
+	#
+	# 2. The Roundcube shipped with Ubuntu is consistently out of date.
+	#
+	# 3. It's packaged incorrectly --- it seems to be missing a directory of files.
+	#
+	# So we'll use apt-get to manually install the dependencies of roundcube that we know we need,
+	# and then we'll manually install roundcube from source.

-# Install Roundcube from source if it is not already present or if it is out of date.
-# Combine the Roundcube version number with the commit hash of plugins to track
-# whether we have the latest version of everything.
-# For the latest versions, see:
-#   https://github.com/roundcube/roundcubemail/releases
-#   https://github.com/mfreiholz/persistent_login/commits/master
-#   https://github.com/stremlau/html5_notifier/commits/master
-#   https://github.com/mstilkerich/rcmcarddav/releases
-# The easiest way to get the package hashes is to run this script and get the hash from
-# the error message.
-VERSION=1.6.0
-HASH=fd84b4fac74419bb73e7a3bcae1978d5589c52de
-PERSISTENT_LOGIN_VERSION=bde7b6840c7d91de627ea14e81cf4133cbb3c07a # version 5.2
-HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+
-CARDDAV_VERSION=4.4.3
-CARDDAV_HASH=74f8ba7aee33e78beb9de07f7f44b81f6071b644
+	# These dependencies are from `apt-cache showpkg roundcube-core`.
+	echo "Installing Roundcube (webmail)..."
+	apt_install \
+		dbconfig-common \
+		php${PHP_VER}-cli php${PHP_VER}-sqlite3 php${PHP_VER}-intl php${PHP_VER}-common php${PHP_VER}-curl php${PHP_VER}-imap \
+		php${PHP_VER}-gd php${PHP_VER}-pspell php${PHP_VER}-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1

-UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION
+	# Install Roundcube from source if it is not already present or if it is out of date.
+	# Combine the Roundcube version number with the commit hash of plugins to track
+	# whether we have the latest version of everything.
+	# For the latest versions, see:
+	#   https://github.com/roundcube/roundcubemail/releases
+	#   https://github.com/mfreiholz/persistent_login/commits/master
+	#   https://github.com/stremlau/html5_notifier/commits/master
+	#   https://github.com/mstilkerich/rcmcarddav/releases
+	# The easiest way to get the package hashes is to run this script and get the hash from
+	# the error message.
+	VERSION=1.6.0
+	HASH=fd84b4fac74419bb73e7a3bcae1978d5589c52de
+	PERSISTENT_LOGIN_VERSION=bde7b6840c7d91de627ea14e81cf4133cbb3c07a # version 5.2
+	HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+
+	CARDDAV_VERSION=4.4.3
+	CARDDAV_HASH=74f8ba7aee33e78beb9de07f7f44b81f6071b644

-# paths that are often reused.
-RCM_DIR=/usr/local/lib/roundcubemail
-RCM_PLUGIN_DIR=${RCM_DIR}/plugins
-RCM_CONFIG=${RCM_DIR}/config/config.inc.php
+	UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION

-needs_update=0 #NODOC
-if [ ! -f /usr/local/lib/roundcubemail/version ]; then
-	# not installed yet #NODOC
-	needs_update=1 #NODOC
-elif [[ "$UPDATE_KEY" != $(cat /usr/local/lib/roundcubemail/version) ]]; then
-	# checks if the version is what we want
-	needs_update=1 #NODOC
-fi
-if [ $needs_update == 1 ]; then
-  # if upgrading from 1.3.x, clear the temp_dir
-  if [ -f /usr/local/lib/roundcubemail/version ]; then
-    if [ "$(cat /usr/local/lib/roundcubemail/version | cut -c1-3)" == '1.3' ]; then
-      find /var/tmp/roundcubemail/ -type f ! -name 'RCMTEMP*' -delete
-    fi
-  fi
+	# paths that are often reused.
+	RCM_DIR=/usr/local/lib/roundcubemail
+	RCM_PLUGIN_DIR=${RCM_DIR}/plugins
+	RCM_CONFIG=${RCM_DIR}/config/config.inc.php

-	# install roundcube
-	wget_verify \
-		https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz \
-		$HASH \
-		/tmp/roundcube.tgz
-	tar -C /usr/local/lib --no-same-owner -zxf /tmp/roundcube.tgz
-	rm -rf /usr/local/lib/roundcubemail
-	mv /usr/local/lib/roundcubemail-$VERSION/ $RCM_DIR
-	rm -f /tmp/roundcube.tgz
+	needs_update=0 #NODOC
+	if [ ! -f /usr/local/lib/roundcubemail/version ]; then
+		# not installed yet #NODOC
+		needs_update=1 #NODOC
+	elif [[ "$UPDATE_KEY" != $(cat /usr/local/lib/roundcubemail/version) ]]; then
+		# checks if the version is what we want
+		needs_update=1 #NODOC
+	fi
+	if [ $needs_update == 1 ]; then
+	# if upgrading from 1.3.x, clear the temp_dir
+	if [ -f /usr/local/lib/roundcubemail/version ]; then
+		if [ "$(cat /usr/local/lib/roundcubemail/version | cut -c1-3)" == '1.3' ]; then
+		find /var/tmp/roundcubemail/ -type f ! -name 'RCMTEMP*' -delete
+		fi
+	fi

-	# install roundcube persistent_login plugin
-	git_clone https://github.com/mfreiholz/Roundcube-Persistent-Login-Plugin.git $PERSISTENT_LOGIN_VERSION '' ${RCM_PLUGIN_DIR}/persistent_login
+		# install roundcube
+		wget_verify \
+			https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz \
+			$HASH \
+			/tmp/roundcube.tgz
+		tar -C /usr/local/lib --no-same-owner -zxf /tmp/roundcube.tgz
+		rm -rf /usr/local/lib/roundcubemail
+		mv /usr/local/lib/roundcubemail-$VERSION/ $RCM_DIR
+		rm -f /tmp/roundcube.tgz

-	# install roundcube html5_notifier plugin
-	git_clone https://github.com/kitist/html5_notifier.git $HTML5_NOTIFIER_VERSION '' ${RCM_PLUGIN_DIR}/html5_notifier
+		# install roundcube persistent_login plugin
+		git_clone https://github.com/mfreiholz/Roundcube-Persistent-Login-Plugin.git $PERSISTENT_LOGIN_VERSION '' ${RCM_PLUGIN_DIR}/persistent_login

-	# download and verify the full release of the carddav plugin
-	wget_verify \
-		https://github.com/mstilkerich/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-v${CARDDAV_VERSION}.tar.gz \
-		$CARDDAV_HASH \
-		/tmp/carddav.tar.gz
+		# install roundcube html5_notifier plugin
+		git_clone https://github.com/kitist/html5_notifier.git $HTML5_NOTIFIER_VERSION '' ${RCM_PLUGIN_DIR}/html5_notifier

-	# unzip and cleanup
-	tar -C ${RCM_PLUGIN_DIR} -zxf /tmp/carddav.tar.gz
-	rm -f /tmp/carddav.tar.gz
+		# download and verify the full release of the carddav plugin
+		wget_verify \
+			https://github.com/mstilkerich/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-v${CARDDAV_VERSION}.tar.gz \
+			$CARDDAV_HASH \
+			/tmp/carddav.tar.gz

-	# record the version we've installed
-	echo $UPDATE_KEY > ${RCM_DIR}/version
-fi
+		# unzip and cleanup
+		tar -C ${RCM_PLUGIN_DIR} -zxf /tmp/carddav.tar.gz
+		rm -f /tmp/carddav.tar.gz

-# ### Configuring Roundcube
+		# record the version we've installed
+		echo $UPDATE_KEY > ${RCM_DIR}/version
+	fi

-# Generate a secret key of PHP-string-safe characters appropriate
-# for the cipher algorithm selected below.
-SECRET_KEY=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 | sed s/=//g)
+	# ### Configuring Roundcube

-# Create a configuration file.
-#
-# For security, temp and log files are not stored in the default locations
-# which are inside the roundcube sources directory. We put them instead
-# in normal places.
-cat > $RCM_CONFIG <<EOF;
+	# Generate a secret key of PHP-string-safe characters appropriate
+	# for the cipher algorithm selected below.
+	SECRET_KEY=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 | sed s/=//g)
+
+	# Create a configuration file.
+	#
+	# For security, temp and log files are not stored in the default locations
+	# which are inside the roundcube sources directory. We put them instead
+	# in normal places.
+	cat > $RCM_CONFIG <<EOF;
 <?php
 /*
- * Do not edit. Written by Mail-in-a-Box. Regenerated on updates.
- */
+* Do not edit. Written by Mail-in-a-Box. Regenerated on updates.
+*/
 \$config = array();
 \$config['log_dir'] = '/var/log/roundcubemail/';
 \$config['temp_dir'] = '/var/tmp/roundcubemail/';
 \$config['db_dsnw'] = 'sqlite:///$STORAGE_ROOT/mail/roundcube/roundcube.sqlite?mode=0640';
 \$config['imap_host'] = 'ssl://localhost:993';
 \$config['imap_conn_options'] = array(
-  'ssl'         => array(
-     'verify_peer'  => false,
-     'verify_peer_name'  => false,
-   ),
- );
+'ssl'         => array(
+	'verify_peer'  => false,
+	'verify_peer_name'  => false,
+),
+);
 \$config['imap_timeout'] = 15;
 \$config['smtp_host'] = 'tls://127.0.0.1';
 \$config['smtp_conn_options'] = array(
-  'ssl'         => array(
-     'verify_peer'  => false,
-     'verify_peer_name'  => false,
-   ),
- );
+'ssl'         => array(
+	'verify_peer'  => false,
+	'verify_peer_name'  => false,
+),
+);
 \$config['support_url'] = 'https://mailinabox.email/';
 \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
 \$config['cipher_method'] = 'AES-256-CBC'; # persistent login cookie and potentially other things
@ -147,8 +151,8 @@ cat > $RCM_CONFIG <<EOF;
 ?>
 EOF

-# Configure CardDav
-cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
+	# Configure CardDav
+	cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
 <?php
 /* Do not edit. Written by Mail-in-a-Box. Regenerated on updates. */
 \$prefs['_GLOBAL']['hide_preferences'] = true;
@ -168,47 +172,49 @@ cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
 ?>
 EOF

-# Create writable directories.
-mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
-chown -R www-data.www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+	# Create writable directories.
+	mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+	chown -R www-data.www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube

-# Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
-sudo -u www-data touch /var/log/roundcubemail/errors.log
+	# Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
+	sudo -u www-data touch /var/log/roundcubemail/errors.log

-# Password changing plugin settings
-# The config comes empty by default, so we need the settings
-# we're not planning to change in config.inc.dist...
-cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \
-	${RCM_PLUGIN_DIR}/password/config.inc.php
+	# Password changing plugin settings
+	# The config comes empty by default, so we need the settings
+	# we're not planning to change in config.inc.dist...
+	cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \
+		${RCM_PLUGIN_DIR}/password/config.inc.php

-tools/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php \
-	"\$config['password_minimum_length']=8;" \
-	"\$config['password_db_dsn']='sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
-	"\$config['password_query']='UPDATE users SET password=%D WHERE email=%u';" \
-	"\$config['password_dovecotpw']='/usr/bin/doveadm pw';" \
-	"\$config['password_dovecotpw_method']='SHA512-CRYPT';" \
-	"\$config['password_dovecotpw_with_method']=true;"
+	tools/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php \
+		"\$config['password_minimum_length']=8;" \
+		"\$config['password_db_dsn']='sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
+		"\$config['password_query']='UPDATE users SET password=%D WHERE email=%u';" \
+		"\$config['password_dovecotpw']='/usr/bin/doveadm pw';" \
+		"\$config['password_dovecotpw_method']='SHA512-CRYPT';" \
+		"\$config['password_dovecotpw_with_method']=true;"

-# so PHP can use doveadm, for the password changing plugin
-usermod -a -G dovecot www-data
+	# so PHP can use doveadm, for the password changing plugin
+	usermod -a -G dovecot www-data

-# set permissions so that PHP can use users.sqlite
-# could use dovecot instead of www-data, but not sure it matters
-chown root.www-data $STORAGE_ROOT/mail
-chmod 775 $STORAGE_ROOT/mail
-chown root.www-data $STORAGE_ROOT/mail/users.sqlite
-chmod 664 $STORAGE_ROOT/mail/users.sqlite
+	# set permissions so that PHP can use users.sqlite
+	# could use dovecot instead of www-data, but not sure it matters
+	chown root.www-data $STORAGE_ROOT/mail
+	chmod 775 $STORAGE_ROOT/mail
+	chown root.www-data $STORAGE_ROOT/mail/users.sqlite
+	chmod 664 $STORAGE_ROOT/mail/users.sqlite

-# Fix Carddav permissions:
-chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav
-# root.www-data need all permissions, others only read
-chmod -R 774 ${RCM_PLUGIN_DIR}/carddav
+	# Fix Carddav permissions:
+	chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav
+	# root.www-data need all permissions, others only read
+	chmod -R 774 ${RCM_PLUGIN_DIR}/carddav

-# Run Roundcube database migration script (database is created if it does not exist)
-php$PHP_VER ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube
-chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
-chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
+	# Run Roundcube database migration script (database is created if it does not exist)
+	php$PHP_VER ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube
+	chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
+	chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite

-# Enable PHP modules.
-phpenmod -v $PHP_VER imap
-restart_service php$PHP_VER-fpm
+	# Enable PHP modules.
+	phpenmod -v $PHP_VER imap
+	restart_service php$PHP_VER-fpm
+
+fi
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@ -13,81 +13,85 @@
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars

-# Prereqs.
+if [ "$ZPUSH_ENABLE" -ne "1" ]; then
+	echo "Skipping Roundcube (webmail) installation."
+else

-echo "Installing Z-Push (Exchange/ActiveSync server)..."
-apt_install \
-       php${PHP_VER}-soap php${PHP_VER}-imap libawl-php php$PHP_VER-xml
+	# Prereqs.

-phpenmod -v $PHP_VER imap
+	echo "Installing Z-Push (Exchange/ActiveSync server)..."
+	apt_install \
+		php${PHP_VER}-soap php${PHP_VER}-imap libawl-php php$PHP_VER-xml

-# Copy Z-Push into place.
-VERSION=2.6.2
-TARGETHASH=f0e8091a8030e5b851f5ba1f9f0e1a05b8762d80
-needs_update=0 #NODOC
-if [ ! -f /usr/local/lib/z-push/version ]; then
-	needs_update=1 #NODOC
-elif [[ $VERSION != $(cat /usr/local/lib/z-push/version) ]]; then
-	# checks if the version
-	needs_update=1 #NODOC
-fi
-if [ $needs_update == 1 ]; then
-	# Download
-	wget_verify "https://github.com/Z-Hub/Z-Push/archive/refs/tags/$VERSION.zip" $TARGETHASH /tmp/z-push.zip
+	phpenmod -v $PHP_VER imap

-	# Extract into place.
-	rm -rf /usr/local/lib/z-push /tmp/z-push
-	unzip -q /tmp/z-push.zip -d /tmp/z-push
-	mv /tmp/z-push/*/src /usr/local/lib/z-push
-	rm -rf /tmp/z-push.zip /tmp/z-push
+	# Copy Z-Push into place.
+	VERSION=2.6.2
+	TARGETHASH=f0e8091a8030e5b851f5ba1f9f0e1a05b8762d80
+	needs_update=0 #NODOC
+	if [ ! -f /usr/local/lib/z-push/version ]; then
+		needs_update=1 #NODOC
+	elif [[ $VERSION != $(cat /usr/local/lib/z-push/version) ]]; then
+		# checks if the version
+		needs_update=1 #NODOC
+	fi
+	if [ $needs_update == 1 ]; then
+		# Download
+		wget_verify "https://github.com/Z-Hub/Z-Push/archive/refs/tags/$VERSION.zip" $TARGETHASH /tmp/z-push.zip

-	rm -f /usr/sbin/z-push-{admin,top}
-	echo $VERSION > /usr/local/lib/z-push/version
-fi
+		# Extract into place.
+		rm -rf /usr/local/lib/z-push /tmp/z-push
+		unzip -q /tmp/z-push.zip -d /tmp/z-push
+		mv /tmp/z-push/*/src /usr/local/lib/z-push
+		rm -rf /tmp/z-push.zip /tmp/z-push

-# Configure default config.
-sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/config.php
-sed -i "s/define('BACKEND_PROVIDER', .*/define('BACKEND_PROVIDER', 'BackendCombined');/" /usr/local/lib/z-push/config.php
-sed -i "s/define('USE_FULLEMAIL_FOR_LOGIN', .*/define('USE_FULLEMAIL_FOR_LOGIN', true);/" /usr/local/lib/z-push/config.php
-sed -i "s/define('LOG_MEMORY_PROFILER', .*/define('LOG_MEMORY_PROFILER', false);/" /usr/local/lib/z-push/config.php
-sed -i "s/define('BUG68532FIXED', .*/define('BUG68532FIXED', false);/" /usr/local/lib/z-push/config.php
-sed -i "s/define('LOGLEVEL', .*/define('LOGLEVEL', LOGLEVEL_ERROR);/" /usr/local/lib/z-push/config.php
+		rm -f /usr/sbin/z-push-{admin,top}
+		echo $VERSION > /usr/local/lib/z-push/version
+	fi

-# Configure BACKEND
-rm -f /usr/local/lib/z-push/backend/combined/config.php
-cp conf/zpush/backend_combined.php /usr/local/lib/z-push/backend/combined/config.php
+	# Configure default config.
+	sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/config.php
+	sed -i "s/define('BACKEND_PROVIDER', .*/define('BACKEND_PROVIDER', 'BackendCombined');/" /usr/local/lib/z-push/config.php
+	sed -i "s/define('USE_FULLEMAIL_FOR_LOGIN', .*/define('USE_FULLEMAIL_FOR_LOGIN', true);/" /usr/local/lib/z-push/config.php
+	sed -i "s/define('LOG_MEMORY_PROFILER', .*/define('LOG_MEMORY_PROFILER', false);/" /usr/local/lib/z-push/config.php
+	sed -i "s/define('BUG68532FIXED', .*/define('BUG68532FIXED', false);/" /usr/local/lib/z-push/config.php
+	sed -i "s/define('LOGLEVEL', .*/define('LOGLEVEL', LOGLEVEL_ERROR);/" /usr/local/lib/z-push/config.php

-# Configure IMAP
-rm -f /usr/local/lib/z-push/backend/imap/config.php
-cp conf/zpush/backend_imap.php /usr/local/lib/z-push/backend/imap/config.php
-sed -i "s%STORAGE_ROOT%$STORAGE_ROOT%" /usr/local/lib/z-push/backend/imap/config.php
+	# Configure BACKEND
+	rm -f /usr/local/lib/z-push/backend/combined/config.php
+	cp conf/zpush/backend_combined.php /usr/local/lib/z-push/backend/combined/config.php

-# Configure CardDav
-rm -f /usr/local/lib/z-push/backend/carddav/config.php
-cp conf/zpush/backend_carddav.php /usr/local/lib/z-push/backend/carddav/config.php
+	# Configure IMAP
+	rm -f /usr/local/lib/z-push/backend/imap/config.php
+	cp conf/zpush/backend_imap.php /usr/local/lib/z-push/backend/imap/config.php
+	sed -i "s%STORAGE_ROOT%$STORAGE_ROOT%" /usr/local/lib/z-push/backend/imap/config.php

-# Configure CalDav
-rm -f /usr/local/lib/z-push/backend/caldav/config.php
-cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php
+	# Configure CardDav
+	rm -f /usr/local/lib/z-push/backend/carddav/config.php
+	cp conf/zpush/backend_carddav.php /usr/local/lib/z-push/backend/carddav/config.php

-# Configure Autodiscover
-rm -f /usr/local/lib/z-push/autodiscover/config.php
-cp conf/zpush/autodiscover_config.php /usr/local/lib/z-push/autodiscover/config.php
-sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /usr/local/lib/z-push/autodiscover/config.php
-sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/autodiscover/config.php
+	# Configure CalDav
+	rm -f /usr/local/lib/z-push/backend/caldav/config.php
+	cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php

-# Some directories it will use.
+	# Configure Autodiscover
+	rm -f /usr/local/lib/z-push/autodiscover/config.php
+	cp conf/zpush/autodiscover_config.php /usr/local/lib/z-push/autodiscover/config.php
+	sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /usr/local/lib/z-push/autodiscover/config.php
+	sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/autodiscover/config.php

-mkdir -p /var/log/z-push
-mkdir -p /var/lib/z-push
-chmod 750 /var/log/z-push
-chmod 750 /var/lib/z-push
-chown www-data:www-data /var/log/z-push
-chown www-data:www-data /var/lib/z-push
+	# Some directories it will use.

-# Add log rotation
+	mkdir -p /var/log/z-push
+	mkdir -p /var/lib/z-push
+	chmod 750 /var/log/z-push
+	chmod 750 /var/lib/z-push
+	chown www-data:www-data /var/log/z-push
+	chown www-data:www-data /var/lib/z-push

-cat > /etc/logrotate.d/z-push <<EOF;
+	# Add log rotation
+
+	cat > /etc/logrotate.d/z-push <<EOF;
 /var/log/z-push/*.log {
 	weekly
 	missingok
@ -98,10 +102,12 @@ cat > /etc/logrotate.d/z-push <<EOF;
 }
 EOF

-# Restart service.
+	# Restart service.

-restart_service php$PHP_VER-fpm
+	restart_service php$PHP_VER-fpm

-# Fix states after upgrade
+	# Fix states after upgrade

-hide_output php$PHP_VER /usr/local/lib/z-push/z-push-admin.php -a fixstates
+	hide_output php$PHP_VER /usr/local/lib/z-push/z-push-admin.php -a fixstates
+
+fi