Created
July 8, 2020 20:53
-
-
Save jaka/c441a3f2ba8d8381a8c7ad237cbc5a2e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| mkcopy() { | |
| [ -f "$1.bak" ] || cp -v "$1" "$1.bak" | |
| } | |
| ########## | |
| dev=/dev/vdb | |
| mkfs.ext4 -b 4096 "$dev" | |
| UUID="$(blkid $dev | sed -n -r "s/.*\sUUID=\"([^\"]*)\".*/\1/p")" | |
| echo -e "UUID=$UUID /srv\text4 defaults 0 0" >>/etc/fstab | |
| mount -a | |
| ########## | |
| TZ=Europe/Ljubljana | |
| which timedatectl &>/dev/null && timedatectl set-timezone "$TZ" || ln -sf "/usr/share/zoneinfo/$TZ" /etc/localtime | |
| ########## | |
| DATA=/srv/data | |
| UPLOAD=/srv/upload | |
| [ -d "$DATA" ] || mkdir -p "$DATA" | |
| [ -d "$UPLOAD" ] || mkdir -p "$UPLOAD" | |
| apt-get update -y | |
| apt-get upgrade -y | |
| ########## | |
| ### APACHE | |
| ########## | |
| apt-get install -y apache2 && apt-get clean | |
| chown -R www-data:www-data $DATA $UPLOAD | |
| ########## | |
| ### PHP | |
| ########## | |
| VER=7.3 | |
| # PHP installation | |
| pkgs= | |
| for php_package in bcmath bz2 curl gd gmp intl json ldap mbstring mysql xml zip; do | |
| pkgs="${pkgs:+$pkgs }php$VER-$php_package" | |
| done | |
| apt-get install -y $pkgs | |
| apt-get install -y libapache2-mod-php php-apcu && apt-get clean | |
| # PHP configuration | |
| for ini in "/etc/php/$VER/cli/php.ini" "/etc/php/$VER/apache2/php.ini"; do | |
| mkcopy "$ini" | |
| done | |
| for ini in "/etc/php/$VER/cli/php.ini" "/etc/php/$VER/apache2/php.ini"; do | |
| sed -i -r "s/^(output_buffering =).*/\1 'Off'/" "$ini" | |
| sed -i -r "s/^(max_execution_time =).*/\1 1200/" "$ini" | |
| sed -i -r "s/^(max_input_time =).*/\1 3600/" "$ini" | |
| sed -i -r "s/^(post_max_size =).*/\1 1024M/" "$ini" | |
| sed -i -r "s/^(upload_max_filesize =).*/\1 1024M/" "$ini" | |
| sed -i -r "s|^;(upload_tmp_dir =).*|\1 $UPLOAD|" "$ini" | |
| sed -i -r "s/^(max_file_uploads =).*/\1 100/" "$ini" | |
| sed -i -r "s/;?(date.timezone =).*/\1 Europe\/\Berlin/" "$ini" | |
| #sed -i -r "s/;?(session.cookie_secure =).*/\1 True/" "$ini" | |
| done | |
| ini="/etc/php/$VER/apache2/php.ini" | |
| sed -i "s/\(memory_limit =\).*/\1 512M/" "$ini" | |
| ini="/etc/php/$VER/mods-available/apcu.ini" | |
| sed -i "\$aapc.enable_cli=1" "$ini" | |
| ########## | |
| ### SQL | |
| ########## | |
| # SQL installation | |
| apt-get install -y mariadb-server && apt-get clean | |
| mysql_secure_installation | |
| /usr/sbin/service mysql stop | |
| # SQL configuration | |
| # my.cnf | |
| cnf=/etc/mysql/my.cnf | |
| mkcopy "$cnf" | |
| dir=/etc/mysql/mariadb.conf.d | |
| # 50-client.cnf | |
| # [client] | |
| cnf="$dir/50-client.cnf" | |
| mkcopy "$cnf" | |
| sed -i "/^#/d" "$cnf" | |
| sed -i "/\[client\]/aport = 3306" "$cnf" | |
| # 50-mysqld_safe.cnf | |
| # [mysqld_safe] | |
| cnf="$dir/50-mysqld_safe.cnf" | |
| mkcopy "$cnf" | |
| sed -i "/^#/d" "$cnf" | |
| sed -i "/^\[mysqld_safe\]/,/^\[.*\]/{/skip_log_error/d}" "$cnf" | |
| sed -i "/^\[mysqld_safe\]/alog_error\t= /var/log/mysql/mysql_error.log" "$cnf" | |
| # 50-server.cnf | |
| # [mysqld] | |
| cnf="$dir/50-server.cnf" | |
| mkcopy "$cnf" | |
| sed -i "/^#/d" "$cnf" | |
| mysqld=( | |
| "transaction_isolation = READ-COMMITTED" | |
| "binlog_format = ROW" | |
| ) | |
| for option in "${mysqld[@]}"; do | |
| sed -i "/^\[mysqld\]/a$option" "$cnf" | |
| done | |
| #sed -i -r "/^\[mysqld\]/,/^\[.*\]/s/(thread_cache_size\s*=).*/\1 128/" $_cnf | |
| #sed -i -r "/^\[mysqld\]/,/^\[.*\]/s/(key_buffer_size\s*=).*/\1 128M/" $_cnf | |
| #sed -i -r "/^\[mysqld\]/,/^\[.*\]/s/(query_cache_limit\s*=).*/\1 2M/" $_cnf | |
| sed -i -r "/^\[mysqld\]/,/^\[.*\]/s/(query_cache_size\s*=).*/\1 64M/" "$cnf" | |
| # 50-mysql-clients.cnf | |
| # [mysqldump] | |
| cnf="$dir/50-mysql-clients.cnf" | |
| mkcopy "$cnf" | |
| sed -i "/^#/d" "$cnf" | |
| mysqld=( | |
| "quote-names" | |
| "quick" | |
| "max_allowed_packet = 16M" | |
| ) | |
| for option in "${mysqld[@]}"; do | |
| sed -i "/^\[mysqldump\]/a$option" "$cnf" | |
| done | |
| /usr/sbin/service mysql start | |
| ########## | |
| ### REDIS | |
| ########## | |
| # REDIS installation | |
| apt-get install -y php-redis redis-server && apt-get clean | |
| # REDIS configuration | |
| /usr/sbin/service redis stop | |
| conf=/etc/redis/redis.conf | |
| mkcopy "$conf" | |
| #sed -i /^#/d $_conf | |
| #sed -i /^\$/d $_conf | |
| sed -i "/^port/s/ .*/ 0/" "$conf" | |
| sed -i -r "s/^(#\s*)?(unixsocket)/\2/g" "$conf" | |
| sed -i -r "s/^(#\s*)?(maxclients) 10000/\2 512/" "$conf" | |
| sed -i "/^unixsocketperm /s/ [0-9]*/ 770/" "$conf" | |
| usermod -a -G redis www-data | |
| conf=/etc/sysctl.conf | |
| mkcopy "$conf" | |
| grep -q "vm.overcommit_memory" "$conf" || sed -i "\$avm.overcommit_memory = 1" "$conf" | |
| /usr/sbin/service redis start | |
| ########## | |
| ### NEXTCLOUD | |
| ######### | |
| service apache2 restart | |
| url=https://download.nextcloud.com/server/releases/latest.zip | |
| app1url=https://github.com/nextcloud/files_retention/releases/download/v1.7.0/files_retention-1.7.0.tar.gz | |
| app2url=https://github.com/nextcloud/files_automatedtagging/releases/download/v1.8.3/files_automatedtagging-1.8.3.tar.gz | |
| # Logging | |
| logdir=/var/log/nextcloud | |
| logfile="$logdir/nextcloud.log" | |
| [ -d "$logdir" ] || mkdir "$logdir" | |
| chmod 750 "$logdir" | |
| chown www-data:adm "$logdir" | |
| apt-get install -y unzip && apt-get clean | |
| dst=/www | |
| file="$dst/nextcloud.zip" | |
| [ -d "$dst" ] || mkdir -p "$dst" | |
| [ -f "$file" ] || wget -O "$file" "$url" | |
| unzip -d "$dst" "$file" | |
| dir="$dst/nextcloud" | |
| # Odstrani privzetost nekaterih dodatkov | |
| for app in accessibility comments contactsinteraction federation files_pdfviewer files_videoplayer firstrunwizard nextcloud_announcements notifications photos privacy sharebymail support survey_client systemtags comments text twofactor_backupcodes updatenotification; do | |
| mkcopy "$dir/apps/$app/appinfo/info.xml" | |
| sed -i "/<default_enable\>/d" "$dir/apps/$app/appinfo/info.xml" | |
| done | |
| # Dodatek za rok trajanja datoteke | |
| #wget -O - "$app1url" | tar -C "$dir/apps/" -xzf - | |
| # Dodatek za samodejno označevanje | |
| #wget -O - "$app2url" | tar -C "$dir/apps/" -xzf - | |
| # Odstrani privzete datoteke | |
| find "$dir/core/skeleton" -mindepth 1 -print -delete | |
| # Odstrani nogo | |
| file="$dir/lib/public/AppFramework/Http/Template/PublicTemplateResponse.php" | |
| mkcopy "$file" | |
| sed -i -r "s/(\\\$footerVisible = ).*/\1false;/" "$file" | |
| # Odstrani nogo na prijavni strani | |
| file="$dir/themes/example/defaults.php" | |
| mkcopy "$file" | |
| sed -i "/public function getLongFooter()/s/{/& return '';/" "$file" | |
| file="$dir/core/templates/layout.guest.php" | |
| mkcopy "$file" | |
| sed -i "/<footer role=\"contentinfo\">/,/<\/footer>/d" "$file" | |
| # Odstrani razmik nad logotipom | |
| #file="$dir/core/css/guest.css" | |
| #mkcopy "$file" | |
| #sed -i "/^.wrapper {/,/^}/s/^\s*margin-top.*/\/*&*\//" "$file" | |
| # Odstrani dopis | |
| file="$dir/apps/settings/templates/settings/personal/development.notice.php" | |
| mkcopy "$file" | |
| >"$file" | |
| file="$dir/config/config.php" | |
| cat <<EOF > "$file" | |
| <?php | |
| \$CONFIG = array( | |
| 'activity_expire_days' => 60, | |
| 'appstoreenabled' => false, | |
| 'blacklisted_files' => array (0 => '.htaccess', 1 => 'Thumbs.db', 2 => 'thumbs.db'), | |
| 'default_language' => 'sl', | |
| 'default_locale' => 'sl_SI', | |
| 'enable_previews' => false, | |
| 'filelocking.enabled' => true, | |
| 'gs.enabled' => false, | |
| 'has_internet_connection' => false, | |
| 'htaccess.RewriteBase' => '/', | |
| 'integrity.check.disabled' => true, | |
| 'knowledgebaseenabled' => false, | |
| 'logfile' => '$logfile', | |
| 'lost_password_link' => 'disabled', | |
| 'memcache.local' => '\OC\Memcache\APCu', | |
| 'memcache.locking' => '\OC\Memcache\Redis', | |
| 'redis' => array ('host' => '/var/run/redis/redis-server.sock', 'port' => 0, 'timeout' => 0.0), | |
| 'skeletondirectory' => '', | |
| 'trusted_domains' => array('*'), | |
| 'updatechecker' => false, | |
| 'upgrade.disable-web' => true | |
| ); | |
| ?> | |
| EOF | |
| chown www-data "$file" | |
| find "$dir/apps" -mindepth 1 -maxdepth 1 -type d -exec chown www-data "{}" \; | |
| for subdir in config; do | |
| chmod 2770 "$dir/$subdir" | |
| chgrp www-data "$dir/$subdir" | |
| done | |
| logrotatefile=/etc/logrotate.d/nextcloud | |
| cat <<EOF >"$logrotatefile" | |
| $logfile { | |
| rotate 6 | |
| monthly | |
| compress | |
| delaycompress | |
| missingok | |
| notifempty | |
| create 640 www-data adm | |
| } | |
| EOF | |
| ######### | |
| ### NEXTCLOUD & SQL | |
| SQL_HOST=localhost | |
| SQL_NAME=nextcloud | |
| SQL_USER=nextcloud | |
| SQL_PASS=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 12) | |
| mysql -u root <<EOF | |
| CREATE DATABASE \`$SQL_NAME\` CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; | |
| CREATE USER \`$SQL_USER\`@\`$SQL_HOST\` IDENTIFIED BY '$SQL_PASS'; | |
| GRANT ALL PRIVILEGES ON \`$SQL_NAME\`.* TO \`$SQL_USER\`@\`$SQL_HOST\`; | |
| FLUSH PRIVILEGES; | |
| EOF | |
| echo -e "\nSQL_NAME: $SQL_NAME\nSQL_USER: $SQL_NAME\nSQL_PASS: $SQL_PASS\n" | |
| # mysql -u $SQL_USER -p | |
| ######### | |
| ### NEXTCLOUD & APACHE | |
| cat >/etc/apache2/sites-available/nextcloud.conf <<EOF | |
| Alias /nextcloud "/www/nextcloud/" | |
| <Directory /www/nextcloud/> | |
| Require all granted | |
| AllowOverride All | |
| Options FollowSymLinks MultiViews | |
| <IfModule mod_dav.c> | |
| Dav off | |
| </IfModule> | |
| </Directory> | |
| EOF | |
| a2ensite nextcloud.conf | |
| a2enmod rewrite | |
| a2enmod headers | |
| systemctl reload apache2 | |
| ######### | |
| ### NEXTCLOUD INSTALLATION | |
| # useradd -g www-data -s /bin/bash nextcloud | |
| block_host() { | |
| FILE=/etc/hosts | |
| IP="127.0.0.1" | |
| [ -n "$1" ] || return 1; | |
| grep -q "$1" "$FILE" || echo -e "$IP\t$1" >> "$FILE" | |
| } | |
| BLOCK_DOMAINS="apps.nextcloud.com pushfeed.nextcloud.com usercontent.apps.nextcloud.com surveyserver.nextcloud.com" | |
| for dns in $BLOCK_DOMAINS; do | |
| block_host "$dns" | |
| done | |
| su - www-data -s /bin/bash -c "php \"$dir/occ\" maintenance:install \ | |
| --data-dir=\"$DATA\" \ | |
| --database mysql \ | |
| --database-name \"$SQL_NAME\" --database-user \"$SQL_USER\" --database-pass \"$SQL_PASS\" \ | |
| --admin-user \"admin\" --admin-pass \"admin\"" | |
| su - www-data -s /bin/bash -c "php /www/nextcloud/occ config:system:set trusted_domains 0 --value=\*" | |
| su - www-data -s /bin/bash -c "php /www/nextcloud/occ db:add-missing-indice" | |
| su - www-data -s /bin/bash -c "php /www/nextcloud/occ db:convert-filecache-bigint" | |
| file="$dir/.htaccess" | |
| mkcopy "$file" | |
| chown www-data "$file" | |
| su - www-data -s /bin/bash -c "php /www/nextcloud/occ maintenance:update:htaccess" | |
| # CRON | |
| crontab -u www-data -l | { cat; echo "*/10 * * * * php -f $dir/cron.php >/dev/null 2>&1"; } | crontab -u www-data - | |
| # su - www-data -s /bin/bash -c "php /www/nextcloud/occ user:resetpassword admin" | |
| # SECURITY SCAN | |
| # https://scan.nextcloud.com/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment