From 73f8a452c8e335131c76d59bbed35d94b232bb5b Mon Sep 17 00:00:00 2001
From: Ark74
Date: Mon, 22 Jan 2024 19:39:52 -0600
Subject: [PATCH 01/11] files: set configuration file for NCv28

---
 files/nextcloud.conf | 178 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 178 insertions(+)
 create mode 100644 files/nextcloud.conf

diff --git a/files/nextcloud.conf b/files/nextcloud.conf
new file mode 100644
index 0000000..1e31fb6
--- /dev/null
+++ b/files/nextcloud.conf
@@ -0,0 +1,178 @@
+# Nextcloud 28 nginx - configuration
+upstream php-handler {
+ #server 127.0.0.1:9000;
+ server unix:/run/php/php_PHPVER-fpm.sock;
+}
+
+
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+ "" "";
+ default "immutable";
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _NC_DOMAIN;
+ # enforce https
+ return 301 https://\$server_name\$request_uri;
+}
+
+server {
+ listen _NC_NGINX_SSL_PORT ssl http2;
+ listen [::]:_NC_NGINX_SSL_PORT ssl http2;
+ server_name _NC_DOMAIN;
+
+ # Path to the root of your installation
+ root _NC_PATH/;
+
+ ssl_certificate /etc/letsencrypt/live/_NC_DOMAIN/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/_NC_DOMAIN/privkey.pem;
+
+ # Prevent nginx HTTP Server Detection
+ server_tokens off;
+
+ # HSTS settings
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+
+ # set max upload size and increase upload timeout:
+ client_max_body_size 512M;
+ client_body_timeout 300s;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Pagespeed is not supported by Nextcloud, so if your server is built
+ # with the `ngx_pagespeed` module, uncomment this line to disable it.
+ #pagespeed off;
+
+ # The settings allows you to optimize the HTTP2 bandwidth.
+ # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+ # for tuning hints
+ client_body_buffer_size 512k;
+
+ # HTTP response headers borrowed from Nextcloud `.htaccess`
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "noindex, nofollow" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Specify how to handle directories -- specifying `/index.php$request_uri`
+ # here as the fallback means that Nginx always exhibits the desired behaviour
+ # when a client requests a path that corresponds to a directory that exists
+ # on the server. In particular, if that directory contains an index.php file,
+ # that file is correctly served; if it doesn't, then the request is passed to
+ # the front-end controller. This consistent behaviour means that we don't need
+ # to specify custom rules for certain paths (e.g. images and other assets,
+ # `/updater`, `/ocs-provider`), and thus
+ # `try_files $uri $uri/ /index.php$request_uri`
+ # always provides the desired behaviour.
+ index index.php index.html /index.php$request_uri;
+
+ # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+ location = / {
+ if ( $http_user_agent ~ ^DavClnt ) {
+ return 302 /remote.php/webdav/$is_args$args;
+ }
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Make a regex exception for `/.well-known` so that clients can still
+ # access it despite the existence of the regex rule
+ # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+ # for `/.well-known`.
+ location ^~ /.well-known {
+ # The rules in this block are an adaptation of the rules
+ # in `.htaccess` that concern `/.well-known`.
+
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+
+ location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+ location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+
+ # Let Nextcloud's API for `/.well-known` URIs handle all other
+ # requests by passing them to the front-end controller.
+ return 301 /index.php$request_uri;
+ }
+
+ # Rules borrowed from `.htaccess` to hide certain paths from clients
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+ # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+ # which handle static assets (as seen below). If this block is not declared first,
+ # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+ # to the URI, resulting in a HTTP 500 error response.
+ location ~ \.php(?:$|/) {
+ # Required for legacy support
+ rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_param HTTPS on;
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass php-handler;
+
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+
+ fastcgi_max_temp_file_size 0;
+ }
+
+ # Serve static files
+ location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+ access_log off; # Optional: Don't log access to assets
+
+ location ~ \.wasm$ {
+ default_type application/wasm;
+ }
+ }
+
+ location ~ \.woff2?$ {
+ try_files $uri /index.php$request_uri;
+ expires 7d; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ # Rule borrowed from `.htaccess`
+ location /remote {
+ return 301 /remote.php$request_uri;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$request_uri;
+ }
+}
-- 
2.34.1

From 44981e6c3e072122a87f94b15afabbd9f8bb1cde Mon Sep 17 00:00:00 2001
From: Ark74
Date: Mon, 22 Jan 2024 19:47:43 -0600
Subject: [PATCH 02/11] tools: add standalone prepare_php.sh script.

---
 tools/prepare_php.sh | 126 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 tools/prepare_php.sh

diff --git a/tools/prepare_php.sh b/tools/prepare_php.sh
new file mode 100644
index 0000000..bc91d18
--- /dev/null
+++ b/tools/prepare_php.sh
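Review bot: The HTTP-to-HTTPS redirect `return 301 https://\$server_name\$request_uri;` in the port-80 server block still carries the backslash escapes that were only needed inside the heredoc this file replaces; every other directive here uses bare `$request_uri`/`$uri`, and the file is now installed with `cp` plus `sed` placeholder substitution, so nothing strips those backslashes before nginx parses the directive. It should read `return 301 https://$server_name$request_uri;`. Separately, `client_max_body_size 512M;` is half of the `upload_max_filesize = 1024M` that tools/prepare_php.sh writes into php.ini (and of the 1024M the old inline config used), so nginx will reject uploads PHP was tuned to accept; pick one limit and note it in both files.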
@@ -0,0 +1,126 @@
+#!/bin/bash
+# Automated PHP environment build for Nextcloud.
+# SwITNet Ltd © - 2024, https://switnet.net/
+# GPLv3 or later.
+
+PHPVER=$1
+STABLE_PHP="$(apt-cache madison php|grep -v ppa|awk -F'[:+]' 'NR==1{print $2}')"
+PHP_REPO="$(apt-cache policy | awk '/http/&&/php/{print$2}' | awk -F "/" 'NR==1{print$5}')"
+PHP_FPM_DIR="/etc/php/$PHPVER/fpm"
+PHP_INI="$PHP_FPM_DIR/php.ini"
+PHP_CONF="/etc/php/$PHPVER/fpm/pool.d/www.conf"
+TMP_GPG_REPO="$(mktemp -d)"
+
+if [ $# -ne 1 ]; then
+ echo "Usage: $0 8.2"
+ exit 1
+fi
+
+install_aval_package() {
+for i in $1
+ do
+ if [ -z "$(apt-cache madison "$i" 2>/dev/null)" ]; then
+ echo " > Package $i not available on repo."
+ else
+ echo " > Add package $i to the install list"
+ packages="$packages $i"
+ fi
+ done
+ echo "$packages"
+ apt-get -y install "$packages"
+ packages=""
+}
+
+add_gpg_keyring() {
+apt-key adv --recv-keys --keyserver keyserver.ubuntu.com "$1"
+apt-key export "$1" | gpg --dearmour | tee "$TMP_GPG_REPO"/"$1".gpg >/dev/null
+apt-key del "$1"
+mv "$TMP_GPG_REPO"/"$1".gpg /etc/apt/trusted.gpg.d/
+}
+
+add_php_repo() {
+if [ "$PHP_REPO" = "php" ]; then
+ echo "PHP $PHPVER already installed"
+ apt-get -q2 update
+ apt-get -yq2 dist-upgrade
+else
+ echo "# Adding Ondrej PHP $PHPVER PPA Repository"
+ add_gpg_keyring E5267A6C
+ echo "deb [arch=amd64] http://ppa.launchpad.net/ondrej/php/ubuntu $DISTRO_RELEASE main" > /etc/apt/sources.list.d/php"$PHPVER".list
+ apt-get update -q2
+fi
+}
+
+add_php_repo
+
+install_aval_package " \
+ imagemagick \
+ php$PHPVER-fpm \
+ php$PHPVER-bcmath \
+ php$PHPVER-bz2 \
+ php$PHPVER-cli \
+ php$PHPVER-cgi \
+ php$PHPVER-curl \
+ php$PHPVER-gd \
+ php$PHPVER-gmp \
+ php$PHPVER-imagick \
+ php$PHPVER-intl \
+ php$PHPVER-json \
+ php$PHPVER-ldap \
+ php$PHPVER-mbstring \
+ php$PHPVER-pgsql \
+ php$PHPVER-redis \
+ php$PHPVER-soap \
+ php$PHPVER-xml \
+ php$PHPVER-xmlrpc \
+ php$PHPVER-zip \
+ redis-server \
+ unzip \
+ "
+
+#System related
+install_ifnot smbclient
+sed -i "s|.*env\[HOSTNAME\].*|env\[HOSTNAME\] = \$HOSTNAME|" "$PHP_CONF"
+sed -i "s|.*env\[PATH\].*|env\[PATH\] = /usr/local/bin:/usr/bin:/bin|" "$PHP_CONF"
+sed -i "s|.*env\[TMP\].*|env\[TMP\] = /tmp|" "$PHP_CONF"
+sed -i "s|.*env\[TMPDIR\].*|env\[TMPDIR\] = /tmp|" "$PHP_CONF"
+sed -i "s|.*env\[TEMP\].*|env\[TEMP\] = /tmp|" "$PHP_CONF"
+sed -i "s|;clear_env = no|clear_env = no|" "$PHP_CONF"
+
+echo "
+Tunning PHP.ini...
+"
+# Change values in php.ini (increase max file size)
+# max_execution_time
+sed -i "s|max_execution_time =.*|max_execution_time = 3500|g" "$PHP_INI"
+# max_input_time
+sed -i "s|max_input_time =.*|max_input_time = 3600|g" "$PHP_INI"
+# memory_limit
+sed -i "s|memory_limit =.*|memory_limit = 512M|g" "$PHP_INI"
+# post_max
+sed -i "s|post_max_size =.*|post_max_size = 1025M|g" "$PHP_INI"
+# upload_max
+sed -i "s|upload_max_filesize =.*|upload_max_filesize = 1024M|g" "$PHP_INI"
+
+phpenmod opcache
+{
+
+echo "# OPcache settings for Nextcloud"
+echo "opcache.enable=1"
+echo "opcache.enable_cli=1"
+echo "opcache.interned_strings_buffer=8"
+echo "opcache.max_accelerated_files=10000"
+echo "opcache.memory_consumption=256"
+echo "opcache.save_comments=1"
+echo "opcache.revalidate_freq=1"
+echo "opcache.validate_timestamps=1"
+} >> "$PHP_INI"
+
+update-alternatives --set php /usr/bin/php"$STABLE_PHP"
+update-alternatives --set php-fpm.sock /run/php/php"$STABLE_PHP"-fpm.sock
+update-alternatives --set php-cgi /usr/bin/php-cgi"$STABLE_PHP"
+update-alternatives --set php-cgi-bin /usr/lib/cgi-bin/php"$STABLE_PHP"
+update-alternatives --set phar /usr/bin/phar"$STABLE_PHP"
+update-alternatives --set phar.phar /usr/bin/phar.phar"$STABLE_PHP"
+
+systemctl restart php"$PHPVER"-fpm.service
-- 
2.34.1

From 4626affed75a8316a9fa236bf9c944f51e80667d Mon Sep 17 00:00:00 2001
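Review bot: `install_ifnot smbclient` after the package list calls a function this standalone script never defines — it appears to live in jra_nextcloud.sh (its tail is visible as context in the next patch) and is not inherited by the separate `bash tools/prepare_php.sh` process that patch spawns — so the line fails with "command not found" and smbclient is never installed; `install_aval_package smbclient` or a plain `apt-get -yq2 install smbclient` would do. `add_gpg_keyring E5267A6C` fetches the PPA signing key by an 8-hex-digit short ID, which a keyserver may resolve to more than one key, and then drops it into /etc/apt/trusted.gpg.d/ where apt honours it for every configured repository; requesting the full 40-hex-digit fingerprint (`<FULL_FINGERPRINT_PLACEHOLDER>`) and referencing a dedicated keyring from the sources line with `[signed-by=...]`, as quick_jibri_installer.sh already does for nodesource, keeps the trust scoped. `PHPVER=$1` is spliced unvalidated into the /etc/php paths, several `sed -i` expressions and `systemctl restart php"$PHPVER"-fpm.service`; a guard beside the existing `$#` check such as `[[ "$PHPVER" =~ ^[0-9]+\.[0-9]+$ ]] || { echo "Usage: $0 8.2"; exit 1; }` rejects anything that is not a version string.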
From: Ark74 Date: Mon, 22 Jan 2024 19:52:38 -0600 Subject: [PATCH 03/11] jra_nextcloud.sh: split prepare php environment. --- jra_nextcloud.sh | 294 +++++------------------------------------------ 1 file changed, 26 insertions(+), 268 deletions(-) diff --git a/jra_nextcloud.sh b/jra_nextcloud.sh index 7008aed..728b87b 100644 --- a/jra_nextcloud.sh +++ b/jra_nextcloud.sh @@ -14,7 +14,7 @@ done #DEBUG if [ "$MODE" = "debug" ]; then -set -x + set -x fi if ! [ "$(id -u)" = 0 ]; then @@ -42,14 +42,10 @@ apt-get update -q2 # Manually add prerequisites. apt-get install -y curl letsencrypt nginx +MIN_PHP="8.2" DISTRO_RELEASE="$(lsb_release -sc)" DOMAIN="$(find /etc/prosody/conf.d/ -name \*.lua|awk -F'.cfg' '!/localhost/{print $1}'|xargs basename)" -PHP_REPO="$(apt-cache policy | awk '/http/&&/php/{print$2}' | awk -F "/" 'NR==1{print$5}')" -PHPVER="$(apt-cache madison php|grep -v ppa|awk -F'[:+]' 'NR==1{print $2}')" PSGVER="$(apt-cache madison postgresql|tr -d '[:blank:]'|awk -F'[|+]' 'NR==1{print $2}')" -PHP_FPM_DIR="/etc/php/$PHPVER/fpm" -PHP_INI="$PHP_FPM_DIR/php.ini" -PHP_CONF="/etc/php/$PHPVER/fpm/pool.d/www.conf" NC_NGINX_SSL_PORT="$(grep "listen 44" /etc/nginx/sites-available/"$DOMAIN".conf | awk '{print$2}')" [ -z "$NC_NGINX_SSL_PORT" ] && NC_NGINX_SSL_PORT="443" NC_REPO="https://download.nextcloud.com/server/releases" 
@@ -67,28 +63,8 @@ JITSI_MEET_PROXY="/etc/nginx/modules-enabled/60-jitsi-meet.conf" PUBLIC_IP="$(dig +short myip.opendns.com @resolver1.opendns.com)" ISO3166_CODE=TBD NL="$(printf '\n ')" -TMP_GPG_REPO="$(mktemp -d)" -add_gpg_keyring() { -apt-key adv --recv-keys --keyserver keyserver.ubuntu.com "$1" -apt-key export "$1" | gpg --dearmour | tee "$TMP_GPG_REPO"/"$1".gpg >/dev/null -apt-key del "$1" -mv "$TMP_GPG_REPO"/"$1".gpg /etc/apt/trusted.gpg.d/ -} -install_aval_package() { -for i in $1 - do - if [ -z "$(apt-cache madison "$i" 2>/dev/null)" ]; then - echo " > Package $i not available on repo." - else - echo " > Add package $i to the install list" - packages="$packages $i" - fi - done - echo "$packages" - apt-get -y install $packages - packages="" -} + exit_ifinstalled() { if [ "$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -c "ok installed")" == "1" ]; then echo " This instance already has $1 installed, exiting..." @@ -105,18 +81,6 @@ else apt-get -yq2 install "$1" fi } -add_php() { -if [ "$PHP_REPO" = "php" ]; then - echo "PHP $PHPVER already installed" - apt-get -q2 update - apt-get -yq2 dist-upgrade -else - echo "# Adding Ondrej PHP $PHPVER PPA Repository" - add_gpg_keyring E5267A6C - echo "deb [arch=amd64] http://ppa.launchpad.net/ondrej/php/ubuntu $DISTRO_RELEASE main" > /etc/apt/sources.list.d/php"$PHPVER".list - apt-get update -q2 -fi -} while [[ "$ANS_NCD" != "yes" ]] do read -p "> Please set your domain (or subdomain) here for Nextcloud: (e.g.: cloud.domain.com)$NL" -r NC_DOMAIN 
@@ -209,70 +173,11 @@ exit_ifinstalled postgresql-"$PSGVER" # PostgresSQL install_ifnot postgresql-"$PSGVER" -# PHP 7.4 / 8.1 -add_php -install_aval_package " \ - imagemagick \ - php$PHPVER-fpm \ - php$PHPVER-bcmath \ - php$PHPVER-bz2 \ - php$PHPVER-curl \ - php$PHPVER-gd \ - php$PHPVER-gmp \ - php$PHPVER-imagick \ - php$PHPVER-intl \ - php$PHPVER-json \ - php$PHPVER-ldap \ - php$PHPVER-mbstring \ - php$PHPVER-pgsql \ - php$PHPVER-redis \ - php$PHPVER-soap \ - php$PHPVER-xml \ - php$PHPVER-xmlrpc \ - php$PHPVER-zip \ - redis-server \ - unzip \ - " -#System related -install_ifnot smbclient -sed -i "s|.*env\[HOSTNAME\].*|env\[HOSTNAME\] = \$HOSTNAME|" "$PHP_CONF" -sed -i "s|.*env\[PATH\].*|env\[PATH\] = /usr/local/bin:/usr/bin:/bin|" "$PHP_CONF" -sed -i "s|.*env\[TMP\].*|env\[TMP\] = /tmp|" "$PHP_CONF" -sed -i "s|.*env\[TMPDIR\].*|env\[TMPDIR\] = /tmp|" "$PHP_CONF" -sed -i "s|.*env\[TEMP\].*|env\[TEMP\] = /tmp|" "$PHP_CONF" -sed -i "s|;clear_env = no|clear_env = no|" "$PHP_CONF" - -echo " -Tunning PHP.ini... 
-" -# Change values in php.ini (increase max file size) -# max_execution_time -sed -i "s|max_execution_time =.*|max_execution_time = 3500|g" "$PHP_INI" -# max_input_time -sed -i "s|max_input_time =.*|max_input_time = 3600|g" "$PHP_INI" -# memory_limit -sed -i "s|memory_limit =.*|memory_limit = 512M|g" "$PHP_INI" -# post_max -sed -i "s|post_max_size =.*|post_max_size = 1025M|g" "$PHP_INI" -# upload_max -sed -i "s|upload_max_filesize =.*|upload_max_filesize = 1024M|g" "$PHP_INI" - -phpenmod opcache -{ - -echo "# OPcache settings for Nextcloud" -echo "opcache.enable=1" -echo "opcache.enable_cli=1" -echo "opcache.interned_strings_buffer=8" -echo "opcache.max_accelerated_files=10000" -echo "opcache.memory_consumption=256" -echo "opcache.save_comments=1" -echo "opcache.revalidate_freq=1" -echo "opcache.validate_timestamps=1" -} >> "$PHP_INI" - -systemctl restart php"$PHPVER"-fpm.service +#-------------------------------------------------- +# Prepare PHP +#-------------------------------------------------- +bash files/prepare_php.sh "$MIN_PHP" #-------------------------------------------------- # Create DB user 
@@ -285,165 +190,18 @@ CREATE DATABASE nextcloud_db; CREATE USER ${NC_DB_USER} WITH ENCRYPTED PASSWORD '${NC_DB_PASSWD}'; GRANT ALL PRIVILEGES ON DATABASE ${NC_DB} TO ${NC_DB_USER}; DB -echo "Done! -" +echo -e "\nDone!\n" -#nginx - configuration -cat << NC_NGINX > "$NC_NGINX_CONF" -#nextcloud config -upstream php-handler { - #server 127.0.0.1:9000; - server unix:/run/php/php${PHPVER}-fpm.sock; -} +# Add .mjs as a file extension for javascript +sed -i "/application\/javascript/s|js.*;|js mjs;|" /etc/nginx/mime.types -server { - listen 80; - listen [::]:80; - server_name $NC_DOMAIN; - # enforce https - return 301 https://\$server_name\$request_uri; -} +# nginx conf setup. +cp files/nextcloud.conf "$NC_NGINX_CONF" +sed -i "s|_PHPVER|$MIN_PHP|g" "$NC_NGINX_CONF" +sed -i "s|_NC_DOMAIN|$NC_DOMAIN|g" "$NC_NGINX_CONF" +sed -i "s|_NC_NGINX_SSL_PORT|$NC_NGINX_SSL_PORT|g" "$NC_NGINX_CONF" +sed -i "s|_NC_PATH|$NC_PATH|g" "$NC_NGINX_CONF" -server { - listen $NC_NGINX_SSL_PORT ssl http2; - listen [::]:$NC_NGINX_SSL_PORT ssl http2; - server_name $NC_DOMAIN; - - ssl_certificate /etc/letsencrypt/live/$NC_DOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$NC_DOMAIN/privkey.pem; - - # HSTS settings - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. 
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - # Pagespeed is not supported by Nextcloud, so if your server is built - # with the \`ngx_pagespeed\` module, uncomment this line to disable it. - #pagespeed off; - - # HTTP response headers borrowed from Nextcloud \`.htaccess\` - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # set max upload size - client_max_body_size 1024M; - fastcgi_buffers 64 4K; - - # Path to the root of your installation - root $NC_PATH/; - - # Specify how to handle directories -- specifying \`/index.php\$request_uri\` - # here as the fallback means that Nginx always exhibits the desired behaviour - # when a client requests a path that corresponds to a directory that exists - # on the server. 
In particular, if that directory contains an index.php file, - # that file is correctly served; if it doesn't, then the request is passed to - # the front-end controller. This consistent behaviour means that we don't need - # to specify custom rules for certain paths (e.g. images and other assets, - # \`/updater\`, \`/ocm-provider\`, \`/ocs-provider\`), and thus - # \`try_files \$uri \$uri/ /index.php\$request_uri\` - # always provides the desired behaviour. - index index.php index.html /index.php\$request_uri; - - # Rule borrowed from \`.htaccess\` to handle Microsoft DAV clients - location = / { - if ( \$http_user_agent ~ ^DavClnt ) { - return 302 /remote.php/webdav/\$is_args\$args; - } - } - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # Make a regex exception for \`/.well-known\` so that clients can still - # access it despite the existence of the regex rule - # \`location ~ /(\.|autotest|...)\` which would otherwise handle requests - # for \`/.well-known\`. - location ^~ /.well-known { - # The rules in this block are an adaptation of the rules - # in \`.htaccess\` that concern \`/.well-known\`. - - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } - - location /.well-known/acme-challenge { try_files \$uri \$uri/ =404; } - location /.well-known/pki-validation { try_files \$uri \$uri/ =404; } - - # Let Nextcloud's API for \`/.well-known\` URIs handle all other - # requests by passing them to the front-end controller. - return 301 /index.php\$request_uri; - } - - # Rules borrowed from \`.htaccess\` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/) { return 404; } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } - - # Ensure this block, which passes PHP files to the PHP process, is above the blocks - # which handle static assets (as seen below). 
If this block is not declared first, - # then Nginx will encounter an infinite rewriting loop when it prepends \`/index.php\` - # to the URI, resulting in a HTTP 500 error response. - location ~ \.php(?:\$|/) { - fastcgi_split_path_info ^(.+?\.php)(/.*)\$; - set \$path_info \$fastcgi_path_info; - - try_files \$fastcgi_script_name =404; - - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; - fastcgi_param PATH_INFO \$path_info; - fastcgi_param HTTPS on; - - fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - fastcgi_param front_controller_active true; # Enable pretty urls - fastcgi_pass php-handler; - - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - location ~ \.(?:css|js|svg|gif)\$ { - try_files \$uri /index.php\$request_uri; - expires 6M; # Cache-Control policy borrowed from \`.htaccess\` - access_log off; # Optional: Don't log access to assets - } - - location ~ \.woff2?\$ { - try_files \$uri /index.php\$request_uri; - expires 7d; # Cache-Control policy borrowed from \`.htaccess\` - access_log off; # Optional: Don't log access to assets - } - - # Rule borrowed from \`.htaccess\` - location /remote { - return 301 /remote.php\$request_uri; - } - - location / { - try_files \$uri \$uri/ /index.php\$request_uri; - } -} -NC_NGINX systemctl stop nginx letsencrypt certonly --standalone --renew-by-default --agree-tos -d "$NC_DOMAIN" if [ -f /etc/letsencrypt/live/"$NC_DOMAIN"/fullchain.pem ];then @@ -479,7 +237,7 @@ chown -R www-data:www-data "$NC_PATH" chmod -R 755 "$NC_PATH" echo -e "\nDatabase installation...\n" -sudo -u www-data php "$NC_PATH"/occ maintenance:install \ +sudo -u www-data php$MIN_PHP "$NC_PATH"/occ maintenance:install \ --database=pgsql \ --database-name="$NC_DB" \ --database-user="$NC_DB_USER" \ 
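Review bot: `sed -i "s|_NC_DOMAIN|$NC_DOMAIN|g" "$NC_NGINX_CONF"` (and the `_NC_PATH` line after it) splices an interactively read value straight into a sed replacement, where `|` terminates the expression and `&` or `\` are interpreted, so a mistyped domain now yields a malformed nginx config or a silently wrong `server_name`; the heredoc this replaces interpolated the value literally, and as far as the visible context shows the prompt loop only confirms the value rather than restricting its characters. The cheapest fix is to reject anything outside a hostname alphabet before the `cp`, e.g. `[[ "$NC_DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "Invalid domain: $NC_DOMAIN"; exit 1; }`, and to escape `$NC_PATH` (or choose a delimiter a path cannot contain). The four substitutions also deserve a one-line comment on their order, since the placeholders are plain substrings and a later pattern could match text introduced by an earlier replacement.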
@@ -494,7 +252,7 @@ sed -i "/simpleSignUpLink.shown/a \ \ \'knowledgebaseenabled\' => false," "$NC_C sed -i "s|http://localhost|https://$NC_DOMAIN|" "$NC_CONFIG" echo -e "\nAdd crontab...\n" -crontab -u www-data -l | { cat; echo "*/5 * * * * php -f $NC_PATH/cron.php"; } | crontab -u www-data - +crontab -u www-data -l | { cat; echo "*/5 * * * * php$MIN_PHP -f $NC_PATH/cron.php"; } | crontab -u www-data - echo -e "\nAdd memcache support...\n" sed -i "s|# unixsocket .*|unixsocket /var/run/redis/redis.sock|g" "$REDIS_CONF" 
@@ -520,22 +278,22 @@ sed -i "/);/i \ \ )," "$NC_CONFIG" echo -e "Done\n" echo -e "\nAddding & Setting up Files External App for Local storage...\n" -sudo -u www-data php "$NC_PATH"/occ app:install files_external -sudo -u www-data php "$NC_PATH"/occ app:enable files_external -sudo -u www-data php "$NC_PATH"/occ app:disable support -sudo -u www-data php "$NC_PATH"/occ files_external:import /tmp/jra-nc-app-ef.json +sudo -u www-data php$MIN_PHP "$NC_PATH"/occ app:install files_external +sudo -u www-data php$MIN_PHP "$NC_PATH"/occ app:enable files_external +sudo -u www-data php$MIN_PHP "$NC_PATH"/occ app:disable support +sudo -u www-data php$MIN_PHP "$NC_PATH"/occ files_external:import /tmp/jra-nc-app-ef.json usermod -a -G jibri www-data chmod -R 770 "$DIR_RECORD" chmod -R g+s "$DIR_RECORD" echo -e "\nFixing possible missing tables...\n\n" -echo "y"|sudo -u www-data php "$NC_PATH"/occ db:convert-filecache-bigint -sudo -u www-data php "$NC_PATH"/occ db:add-missing-indices -sudo -u www-data php "$NC_PATH"/occ db:add-missing-columns +echo "y"|sudo -u www-data php$MIN_PHP "$NC_PATH"/occ db:convert-filecache-bigint +sudo -u www-data php$MIN_PHP "$NC_PATH"/occ db:add-missing-indices +sudo -u www-data php$MIN_PHP "$NC_PATH"/occ db:add-missing-columns echo -e "\nAdding trusted domain...\n" -sudo -u www-data php "$NC_PATH"/occ config:system:set trusted_domains 0 --value="$NC_DOMAIN" +sudo -u www-data php$MIN_PHP "$NC_PATH"/occ config:system:set trusted_domains 0 --value="$NC_DOMAIN" echo -e "\nSetting JRA domain on jitsi-updater.sh\n" cd ~/quick-jibri-installer || return -- 2.34.1 From 096c8b6e85ea294a9d656722e505e24cbcdbaf70 Mon Sep 17 00:00:00 2001 From: Ark74 Date: Mon, 22 Jan 2024 20:02:03 -0600 Subject: [PATCH 04/11] remove new line. --- files/nextcloud.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/files/nextcloud.conf b/files/nextcloud.conf index 1e31fb6..28cf26c 100644 --- a/files/nextcloud.conf +++ b/files/nextcloud.conf 
@@ -4,7 +4,6 @@ upstream php-handler { server unix:/run/php/php_PHPVER-fpm.sock; } - # Set the `immutable` cache control options only for assets with a cache busting `v` argument map $arg_v $asset_immutable { "" ""; -- 2.34.1 From 8bcacb670ad7e42675eaca27ad1aef0b2508938b Mon Sep 17 00:00:00 2001 From: Ark74 Date: Tue, 23 Jan 2024 00:11:27 -0600 Subject: [PATCH 05/11] don't move to tmp --- jra_nextcloud.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jra_nextcloud.sh b/jra_nextcloud.sh index 728b87b..ce6c518 100644 --- a/jra_nextcloud.sh +++ b/jra_nextcloud.sh @@ -184,7 +184,7 @@ bash files/prepare_php.sh "$MIN_PHP" #-------------------------------------------------- echo -e "\n---- Creating the PgSQL DB & User ----" -cd /tmp || return +#cd /tmp || return sudo -u postgres psql < Date: Tue, 23 Jan 2024 00:35:51 -0600 Subject: [PATCH 06/11] fix path for prepase_php.sh and add small breaks --- jra_nextcloud.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/jra_nextcloud.sh b/jra_nextcloud.sh index ce6c518..c44bcb0 100644 --- a/jra_nextcloud.sh +++ b/jra_nextcloud.sh @@ -96,9 +96,11 @@ do echo " - Please try again." fi done +sleep .1 #Simple DNS test if [ "$PUBLIC_IP" = "$(dig -4 +short "$NC_DOMAIN"|awk -v RS='([0-9]+\\.){3}[0-9]+' 'RT{print RT}')" ]; then echo -e "Server public IP & DNS record for $NC_DOMAIN seems to match, continuing...\n\n" + sleep .1 else echo "Server public IP ($PUBLIC_IP) & DNS record for $NC_DOMAIN don't seem to match." echo " > Please check your dns records are applied and updated, otherwise Nextcloud may fail." @@ -110,7 +112,7 @@ else exit fi fi - +sleep .1 NC_NGINX_CONF="/etc/nginx/sites-available/$NC_DOMAIN.conf" while [ -z "$NC_USER" ] do @@ -119,6 +121,7 @@ do echo " - This field is mandatory." fi done +sleep .1 while [ -z "$NC_PASS" ] || [ ${#NC_PASS} -lt 8 ] do read -p "Nextcloud user password: " -r NC_PASS 
@@ -126,6 +129,7 @@ do echo -e " - This field is mandatory. \nPlease make sure it's at least 8 characters.\n" fi done +sleep .1 #Enable HSTS while [ "$ENABLE_HSTS" != "yes" ] && [ "$ENABLE_HSTS" != "no" ] do @@ -138,7 +142,7 @@ do echo " - HSTS will be enabled." fi done - +sleep .1 echo -e "#Default country phone code\n > Starting at Nextcloud 21.x it's required to set a default country phone ISO 3166-1 alpha-2 code.\n >>> https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements <<<\n" @@ -177,7 +181,7 @@ install_ifnot postgresql-"$PSGVER" #-------------------------------------------------- # Prepare PHP #-------------------------------------------------- -bash files/prepare_php.sh "$MIN_PHP" +bash tools/prepare_php.sh "$MIN_PHP" #-------------------------------------------------- # Create DB user -- 2.34.1 From 17966b81f8caa7e87a3477b6ec6c8a6f62b061f4 Mon Sep 17 00:00:00 2001 From: Ark74 Date: Tue, 23 Jan 2024 00:54:47 -0600 Subject: [PATCH 07/11] make sure to update repo before install. --- quick_jibri_installer.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/quick_jibri_installer.sh b/quick_jibri_installer.sh index 5940dfe..af19f15 100644 --- a/quick_jibri_installer.sh +++ b/quick_jibri_installer.sh @@ -432,6 +432,7 @@ if [ "$LE_SSL" = "yes" ]; then fi echo "jitsi-meet-web-config jitsi-meet/jaas-choice boolean false" \ | debconf-set-selections +apt-get update -qy2 apt-get -y install \ jitsi-meet \ jibri \ -- 2.34.1 From b5c4e5f0cb1c66e9a3362bbf08851b63a96c6b41 Mon Sep 17 00:00:00 2001 From: Ark74 Date: Tue, 23 Jan 2024 01:30:30 -0600 Subject: [PATCH 08/11] use quiet update --- quick_jibri_installer.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/quick_jibri_installer.sh b/quick_jibri_installer.sh index af19f15..0b1b6c7 100644 --- a/quick_jibri_installer.sh +++ b/quick_jibri_installer.sh 
@@ -131,6 +131,7 @@ add_prosody_repo() { > /etc/apt/sources.list.d/prosody.list curl -s https://prosody.im/files/prosody-debian-packages.key \ > "$PROSODY_GPG_KEY" + apt-get update -q2 fi } dpkg-compare() { @@ -317,6 +318,7 @@ else > /etc/apt/sources.list.d/jitsi-stable.list curl -s https://download.jitsi.org/jitsi-key.gpg.key \ > "$JITSI_GPG_KEY" + apt-get update -q2 JITSI_REPO="stable" fi sleep .1 @@ -432,7 +434,6 @@ if [ "$LE_SSL" = "yes" ]; then fi echo "jitsi-meet-web-config jitsi-meet/jaas-choice boolean false" \ | debconf-set-selections -apt-get update -qy2 apt-get -y install \ jitsi-meet \ jibri \ @@ -453,7 +454,7 @@ else | gpg --dearmor -o "$NODEJS_GPG_KEY" echo "deb [signed-by=$NODEJS_GPG_KEY] https://deb.nodesource.com/node_$NODEJS_VER.x nodistro main" | \ tee /etc/apt/sources.list.d/nodesource.list - apt-get update -yq2 + apt-get update -q2 apt-get install -yq2 nodejs echo "Installing nodejs esprima package..." -- 2.34.1 From cf9486720f96e3a1eaece8ffbb284e1ff88f19fa Mon Sep 17 00:00:00 2001 From: Ark74 Date: Tue, 23 Jan 2024 01:51:58 -0600 Subject: [PATCH 09/11] fix missing variable and short url --- jra_nextcloud.sh | 1 - tools/prepare_php.sh | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/jra_nextcloud.sh b/jra_nextcloud.sh index c44bcb0..d0d9ab2 100644 --- a/jra_nextcloud.sh +++ b/jra_nextcloud.sh @@ -43,7 +43,6 @@ apt-get update -q2 apt-get install -y curl letsencrypt nginx MIN_PHP="8.2" -DISTRO_RELEASE="$(lsb_release -sc)" DOMAIN="$(find /etc/prosody/conf.d/ -name \*.lua|awk -F'.cfg' '!/localhost/{print $1}'|xargs basename)" PSGVER="$(apt-cache madison postgresql|tr -d '[:blank:]'|awk -F'[|+]' 'NR==1{print $2}')" NC_NGINX_SSL_PORT="$(grep "listen 44" /etc/nginx/sites-available/"$DOMAIN".conf | awk '{print$2}')" diff --git a/tools/prepare_php.sh b/tools/prepare_php.sh index bc91d18..1e28fb3 100644 --- a/tools/prepare_php.sh +++ b/tools/prepare_php.sh 
@@ -5,7 +5,9 @@ PHPVER=$1 STABLE_PHP="$(apt-cache madison php|grep -v ppa|awk -F'[:+]' 'NR==1{print $2}')" +DISTRO_RELEASE="$(lsb_release -sc)" PHP_REPO="$(apt-cache policy | awk '/http/&&/php/{print$2}' | awk -F "/" 'NR==1{print$5}')" +PHP_REPO_URL="http://ppa.launchpad.net/ondrej/php/ubuntu" PHP_FPM_DIR="/etc/php/$PHPVER/fpm" PHP_INI="$PHP_FPM_DIR/php.ini" PHP_CONF="/etc/php/$PHPVER/fpm/pool.d/www.conf" @@ -46,7 +48,8 @@ if [ "$PHP_REPO" = "php" ]; then else echo "# Adding Ondrej PHP $PHPVER PPA Repository" add_gpg_keyring E5267A6C - echo "deb [arch=amd64] http://ppa.launchpad.net/ondrej/php/ubuntu $DISTRO_RELEASE main" > /etc/apt/sources.list.d/php"$PHPVER".list + echo "deb [arch=amd64] $PHP_REPO_URL $DISTRO_RELEASE main" | \ + tee /etc/apt/sources.list.d/php"$PHPVER".list apt-get update -q2 fi } -- 2.34.1 From 45dfb122c36503b67a17f045ce8d5260aa2b42d9 Mon Sep 17 00:00:00 2001 From: Ark74 Date: Tue, 23 Jan 2024 02:10:38 -0600 Subject: [PATCH 10/11] remove quote to allow break by package --- jra_nextcloud.sh | 1 - tools/prepare_php.sh | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/jra_nextcloud.sh b/jra_nextcloud.sh index d0d9ab2..b3e73e9 100644 --- a/jra_nextcloud.sh +++ b/jra_nextcloud.sh @@ -187,7 +187,6 @@ bash tools/prepare_php.sh "$MIN_PHP" #-------------------------------------------------- echo -e "\n---- Creating the PgSQL DB & User ----" -#cd /tmp || return sudo -u postgres psql < Date: Tue, 23 Jan 2024 02:42:56 -0600 Subject: [PATCH 11/11] set debug mode for script and remove deprecated cd --- jra_nextcloud.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/jra_nextcloud.sh b/jra_nextcloud.sh index b3e73e9..e789344 100644 --- a/jra_nextcloud.sh +++ b/jra_nextcloud.sh 
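Review bot: The rewritten sources line `echo "deb [arch=amd64] $PHP_REPO_URL $DISTRO_RELEASE main" | tee ...` still carries no `[signed-by=]` option, so the PPA remains trusted through whatever add_gpg_keyring placed in /etc/apt/trusted.gpg.d/, a location apt honours for every repository; writing the key to a dedicated keyring file and adding `[signed-by=/path/to/that/keyring.gpg]` here matches the `[signed-by=$NODEJS_GPG_KEY]` form quick_jibri_installer.sh already uses. `PHP_REPO_URL` is plain `http://`; apt's signature check protects package integrity, but the index fetch itself is unauthenticated and Launchpad also serves PPAs over https, so an `https://` URL costs nothing. `| tee` with tee's stdout left unredirected additionally prints the line to the terminal — if that is not intended, the previous `>` (or `tee ... >/dev/null`) is cleaner.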
@@ -180,7 +180,12 @@ install_ifnot postgresql-"$PSGVER" #-------------------------------------------------- # Prepare PHP #-------------------------------------------------- -bash tools/prepare_php.sh "$MIN_PHP" + +if [ "$MODE" = "debug" ]; then + bash -x "$PWD"/tools/prepare_php.sh "$MIN_PHP" +else + bash "$PWD"/tools/prepare_php.sh "$MIN_PHP" +fi #-------------------------------------------------- # Create DB user @@ -298,7 +303,6 @@ echo -e "\nAdding trusted domain...\n" sudo -u www-data php$MIN_PHP "$NC_PATH"/occ config:system:set trusted_domains 0 --value="$NC_DOMAIN" echo -e "\nSetting JRA domain on jitsi-updater.sh\n" -cd ~/quick-jibri-installer || return sed -i "s|NC_DOMAIN=.*|NC_DOMAIN=\"$NC_DOMAIN\"|" jitsi-updater.sh echo -e "\nQuick Nextcloud installation complete!\n" -- 2.34.1
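Review bot: `bash "$PWD"/tools/prepare_php.sh "$MIN_PHP"` pins the helper to the caller's working directory rather than to the location of jra_nextcloud.sh, so invoking the script from any other directory still fails, and with the `cd ~/quick-jibri-installer` line removed the same assumption now silently underpins `sed -i ... jitsi-updater.sh` and the earlier `cp files/nextcloud.conf`. Deriving the repo root from the script itself, `SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`, and using `"$SCRIPT_DIR"/tools/prepare_php.sh` (and the same prefix for the other relative paths) removes the dependency on where the operator happens to stand. The if/else branches differ only in the `-x` flag; setting a `DEBUG_FLAG` variable once and issuing a single invocation would avoid duplicating the path.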