From 694e0634f95bad5c1cfcf327f0f841c6f30d6a29 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 14:41:45 +0100 Subject: [PATCH 01/19] make apps availble on deSEC Signed-off-by: Daniel Hansson --- apps/collabora_docker_desec.sh | 237 +++++++++++++++++++++++++++++++++ 1 file changed, 237 insertions(+) create mode 100644 apps/collabora_docker_desec.sh diff --git a/apps/collabora_docker_desec.sh b/apps/collabora_docker_desec.sh new file mode 100644 index 0000000000..738128b461 --- /dev/null +++ b/apps/collabora_docker_desec.sh 
@@ -0,0 +1,237 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2022, https://www.hanssonit.se/ + +true +SCRIPT_NAME="Collabora (Docker)" +SCRIPT_EXPLAINER="This script will install the Collabora Office Server bundled with Docker" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) +# To work with https://github.com/nextcloud/richdocuments/pull/2235 + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Check if root +root_check + +# Check if Collabora is already installed +print_text_in_color "$ICyan" "Checking if Collabora is already installed..." +if ! does_this_docker_exist 'collabora/code' +then + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + remove_collabora_docker + # Remove config.php value set when install was successful + nextcloud_occ config:system:delete allow_local_remote_servers + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" +fi + +# Check if OnlyOffice is previously installed +# If yes, then stop and prune the docker container +if does_this_docker_exist 'onlyoffice/documentserver' +then + # Removal + remove_onlyoffice_docker +fi + +# Remove all office apps +remove_all_office_apps + +# Install certbot (Let's Encrypt) +install_certbot + +# Generate certs and auto-configure if successful +export SUBDOMAIN=collabora +if run_script DESEC desec_subdomain +then + SUBDOMAIN="$(grep dedyn.io $SCRIPTS/deSEC/.subdomain | tail -1 | cut -d '=' -f2)" + # Generate DHparams cipher + if [ ! -f "$DHPARAMS_SUB" ] + then + openssl dhparam -out "$DHPARAMS_SUB" 2048 + fi + print_text_in_color "$IGreen" "Certs are generated!" 
+ a2ensite "$SUBDOMAIN.conf" + restart_webserver + # Install Collabora App + install_and_enable_app richdocuments +else + last_fail_tls "$SCRIPTS"/apps/collabora.sh + exit 1 +fi + +# Nextcloud Main Domain +NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||') + +# Curl the library another time to get the correct https_conf +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Get all needed variables from the library +nc_update + +# Get the latest packages +apt-get update -q4 & spinner_loading + +# Check if Nextcloud is installed +print_text_in_color "$ICyan" "Checking if Nextcloud is installed..." +if ! curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true' +then + msg_box "It seems like Nextcloud is not installed or that you don't use https on: +$NCDOMAIN. +Please install Nextcloud and make sure your domain is reachable, or activate TLS +on your domain to be able to run this script. + +If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain. 
+When TLS is activated, run these commands from your CLI: +sudo curl -sLO $APP/collabora.sh +sudo bash collabora.sh" + exit 1 +fi + +# Test RAM size (2GB min) + CPUs (min 2) +ram_check 2 Collabora +cpu_check 2 Collabora + +# Check if Nextcloud is installed with TLS +check_nextcloud_https "Collabora (Docker)" + +# Install Docker +install_docker + +# Install Collabora docker +docker pull collabora/code:latest +docker run -t -d -p 127.0.0.1:9980:9980 -e "aliasgroup1=https://$NCDOMAIN:443" --restart always --name code --cap-add MKNOD collabora/code + +# Install Apache2 +install_if_not apache2 + +# Enable Apache2 module's +a2enmod proxy +a2enmod proxy_wstunnel +a2enmod proxy_http +a2enmod ssl +a2enmod headers + +# Only add TLS 1.3 on Ubuntu later than 20.04 +if version 20.04 "$DISTRO" 22.04.10 +then + TLS13="+TLSv1.3" +fi + +if [ -f "$HTTPS_CONF" ] +then + a2dissite "$SUBDOMAIN.conf" + rm -f "$HTTPS_CONF" +fi + +# Create Vhost for Collabora online in Apache2 +if [ ! -f "$HTTPS_CONF" ]; +then + cat << HTTPS_CREATE > "$HTTPS_CONF" + + ServerName $SUBDOMAIN:443 + + + Options -Indexes + + + # TLS configuration, you may want to take the easy route instead and use Lets Encrypt! 
+ SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem + SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem + SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem + SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB + + # Intermediate configuration + SSLEngine on + SSLCompression off + SSLProtocol -all +TLSv1.2 $TLS13 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off + ServerSignature off + + # Logs + LogLevel warn + CustomLog \${APACHE_LOG_DIR}/access.log combined + ErrorLog \${APACHE_LOG_DIR}/error.log + + # Encoded slashes need to be allowed + AllowEncodedSlashes NoDecode + + # Container uses a unique non-signed certificate + SSLProxyEngine On + SSLProxyVerify None + SSLProxyCheckPeerCN Off + SSLProxyCheckPeerName Off + + # Improve security settings + Header set X-XSS-Protection "1; mode=block" + Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + Header set X-Content-Type-Options nosniff + Header set Content-Security-Policy "frame-ancestors 'self' $NCDOMAIN" + + # keep the host + ProxyPreserveHost On + + # static html, js, images, etc. 
served from coolwsd + # browser is the client part of LibreOffice Online + ProxyPass /browser https://127.0.0.1:9980/browser retry=0 + ProxyPassReverse /browser https://127.0.0.1:9980/browser + + # WOPI discovery URL + ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0 + ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery + + # Endpoint with information about availability of various features + ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0 + ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities + + # Main websocket + ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/\$1/ws nocanon + + # Admin Console websocket + ProxyPass /cool/adminws wss://127.0.0.1:9980/cool/adminws + + # Download as, Fullscreen presentation and Image upload operations + ProxyPass /cool https://127.0.0.1:9980/cool + ProxyPassReverse /cool https://127.0.0.1:9980/cool + +HTTPS_CREATE + + if [ -f "$HTTPS_CONF" ]; + then + print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created." + sleep 1 + else + print_text_in_color "$IRed" "Unable to create vhost, exiting..." + print_text_in_color "$IRed" "Please report this issue here $ISSUES" + exit 1 + fi +fi + +# Set config for RichDocuments (Collabora App) +if is_app_installed richdocuments +then + nextcloud_occ config:app:set richdocuments wopi_url --value=https://"$SUBDOMAIN" + chown -R www-data:www-data "$NC_APPS_PATH" + # Appending the new domain to trusted domains + add_to_trusted_domains "$SUBDOMAIN" + # Allow remote servers with local addresses e.g. in federated shares, webcal services and more + nextcloud_occ config:system:set allow_local_remote_servers --value="true" + # Add prune command + add_dockerprune + print_text_in_color "$ICyan" "Restarting Docker..." + docker restart code + msg_box "Collabora Docker is now successfully installed. 
+Please be aware that the container is currently starting which can take a few minutes." +fi From 3461bb4701ea5c40986368ee453a3da759a75ea1 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 14:42:34 +0100 Subject: [PATCH 02/19] Rename apps/collabora_docker_desec.sh to addons/deSEC/collabora_docker_desec.sh Signed-off-by: Daniel Hansson --- {apps => addons/deSEC}/collabora_docker_desec.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {apps => addons/deSEC}/collabora_docker_desec.sh (100%) diff --git a/apps/collabora_docker_desec.sh b/addons/deSEC/collabora_docker_desec.sh similarity index 100% rename from apps/collabora_docker_desec.sh rename to addons/deSEC/collabora_docker_desec.sh From 1ef7641e8686a7195ac5670d4b22d70731d7c4c7 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 16:02:43 +0100 Subject: [PATCH 03/19] add new function Signed-off-by: Daniel Hansson --- lib.sh | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/lib.sh b/lib.sh index 3005779d6d..191a187d50 100644 --- a/lib.sh +++ b/lib.sh 
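Review bot: `a2ensite "$SUBDOMAIN.conf"` and `restart_webserver` run inside the `if run_script DESEC desec_subdomain` branch near the top of the file, but the vhost `$HTTPS_CONF` is only written by the `cat << HTTPS_CREATE` block much later, and after that block nothing enables the site or reloads Apache again; unless `desec_subdomain` itself drops a vhost for the subdomain, the early `a2ensite` targets a file that does not exist yet and the generated config is never enabled. Moving the `a2ensite "$SUBDOMAIN.conf"` / `restart_webserver` pair to just after the `"$HTTPS_CONF was successfully created."` branch would match the order the non-deSEC flow uses (vhost first, then certs, then enable). `SUBDOMAIN="$(grep dedyn.io $SCRIPTS/deSEC/.subdomain | tail -1 | cut -d '=' -f2)"` leaves `$SCRIPTS` unquoted and never checks that a line matched, so an empty result silently becomes `a2ensite ".conf"` and cert paths under `$CERTFILES//`; a `[ -n "$SUBDOMAIN" ] || exit 1` right after the assignment would fail early instead. The failure branch and the "not installed" message still point at `$SCRIPTS/apps/collabora.sh` and `$APP/collabora.sh` rather than this script's own path.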
@@ -850,6 +850,27 @@ to validate them with the $f method. We have exhausted all the methods. Please c done } +# Let the user choose to setup a specific app with either deSEC, or regular TLS. +# desec_app_tls_menu "DESEC collabora_docker_desec.sh" "APP collabora_docker.sh" +desec_app_tls_menu() { +choice=$(whiptail --title "$TITLE" --menu \ +"Choose TLS setup. Please note, to run the deSEC option, deSEC needs to be configured and setup already.\n +$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ +"deSEC TLS setup" "(If you configured deSEC already. Works with custom port.)" \ +"Regular TLS setup" "(If deSEC isn't installed, setup normal TLS)" 3>&1 1>&2 2>&3) + +case "$choice" in + "deSEC TLS setup") + run_script "${1}" + ;; + "Regular TLS setup") + run_script "${2}" + ;; + *) + ;; +esac +} + is_desec_installed() { # Check if deSEC is installed and add the needed variables if yes if [ -f "$SCRIPTS"/deSEC/.dedynauth ] From aa3111aca782f0ac6467a38c6859030a2ff246c6 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 16:04:13 +0100 Subject: [PATCH 04/19] update menu Signed-off-by: Daniel Hansson --- menu/documentserver.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/menu/documentserver.sh b/menu/documentserver.sh index 0c848d570c..7e1c0ef21d 100644 --- a/menu/documentserver.sh +++ b/menu/documentserver.sh @@ -27,7 +27,7 @@ $MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ case "$choice" in "Collabora (Docker)") print_text_in_color "$ICyan" "Downloading the Collabora (Docker) script..." - run_script APP collabora_docker + desec_app_tls_menu "DESEC collabora_docker_desec" "APP collabora_docker" ;; "Collabora (Integrated)") print_text_in_color "$ICyan" "Downloading the Collabora (Integrated) script..." 
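Review bot: `run_script "${1}"` (and `run_script "${2}"`) passes the whole first argument as a single word, yet every caller added in this series hands over a two-word string such as `"DESEC collabora_docker_desec"` where the replaced call was `run_script APP collabora_docker` with two separate arguments (the `menu/documentserver.sh` hunks here and in the following patch, and the `menu/additional_apps.sh` hunk for Talk); unless run_script splits its first argument itself, the repository name and script name arrive glued together and the lookup cannot resolve. Either call the menu with four positional arguments and use `run_script "$1" "$2"` / `run_script "$3" "$4"`, or keep the paired form and split inside the function with `run_script "${1%% *}" "${1#* }"` and `run_script "${2%% *}" "${2#* }"`. `choice` is assigned without `local`, so it leaks into the calling script's scope. The empty `*)` arm means a cancelled whiptail dialog returns 0 and the caller carries on silently; a `return 1` there would let callers notice.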
@@ -35,7 +35,7 @@ case "$choice" in ;; "OnlyOffice (Docker)") print_text_in_color "$ICyan" "Downloading the OnlyOffice (Docker) script..." - run_script APP onlyoffice_docker + desec_app_tls_menu "DESEC onlyoffice_docker_desec" "APP onlyoffice_docker" ;; "OnlyOffice (Integrated)") print_text_in_color "$ICyan" "Downloading the OnlyOffice (Integrated) script..." From 0305773ae54d41d0cba7d81b3f5ace985872c79a Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 16:06:22 +0100 Subject: [PATCH 05/19] talk Signed-off-by: Daniel Hansson --- menu/additional_apps.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/menu/additional_apps.sh b/menu/additional_apps.sh index 60fa87e47a..eb8930dcbf 100644 --- a/menu/additional_apps.sh +++ b/menu/additional_apps.sh @@ -125,7 +125,7 @@ to finish the setup once this script is done." "$SUBTITLE" ;;& *"Talk"*) print_text_in_color "$ICyan" "Downloading the Talk script..." - run_script APP talk + desec_app_tls_menu "DESEC talk_desec" "APP talk" ;;& *"Webmin"*) print_text_in_color "$ICyan" "Downloading the Webmin script..." From af3c677da0f1d9804f2b38de81b225e1df77c56d Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 16:18:28 +0100 Subject: [PATCH 06/19] add onlyoffice Signed-off-by: Daniel Hansson --- .../deSEC/onlyoffice_docker._desec.sh | 81 ++++++------------- 1 file changed, 24 insertions(+), 57 deletions(-) rename apps/onlyoffice_docker.sh => addons/deSEC/onlyoffice_docker._desec.sh (83%) diff --git a/apps/onlyoffice_docker.sh b/addons/deSEC/onlyoffice_docker._desec.sh similarity index 83% rename from apps/onlyoffice_docker.sh rename to addons/deSEC/onlyoffice_docker._desec.sh index db153f28fb..4f039adc66 100644 --- a/apps/onlyoffice_docker.sh +++ b/addons/deSEC/onlyoffice_docker._desec.sh 
@@ -17,7 +17,7 @@ debug_mode # Check if root root_check -# Check if collabora is already installed +# Check if onlyoffice is already installed if ! does_this_docker_exist 'onlyoffice/documentserver' then # Ask for installing @@ -44,6 +44,29 @@ fi # Remove all office apps remove_all_office_apps +# Install certbot (Let's Encrypt) +install_certbot + +# Generate certs and auto-configure if successful +export SUBDOMAIN=onlyoffice +if run_script DESEC desec_subdomain +then + SUBDOMAIN="$(grep onlyoffice -m 1 $SCRIPTS/deSEC/.subdomain | tail -1 | cut -d '=' -f2)" + # Generate DHparams cipher + if [ ! -f "$DHPARAMS_SUB" ] + then + openssl dhparam -out "$DHPARAMS_SUB" 2048 + fi + print_text_in_color "$IGreen" "Certs are generated!" + a2ensite "$SUBDOMAIN.conf" + restart_webserver + # Install OnlyOffice + install_and_enable_app onlyoffice +else + last_fail_tls "$SCRIPTS"/apps/onlyoffice.sh + exit 1 +fi + # Check if apache2 evasive-mod is enabled and disable it because of compatibility issues if [ "$(apache2ctl -M | grep evasive)" != "" ] then @@ -60,11 +83,6 @@ It has compatibility issues with OnlyOffice and you can now choose to disable it fi fi -# Ask for the domain for OnlyOffice -SUBDOMAIN=$(input_box_flow "OnlyOffice subdomain e.g: office.yourdomain.com -NOTE: This domain must be different than your Nextcloud domain. \ -They can however be hosted on the same server, but would require separate DNS entries.") - # Nextcloud Main Domain NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||') 
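Review bot: The block added at `@@ -44,6 +44,29 @@` calls `a2ensite "$SUBDOMAIN.conf"` and `restart_webserver` before the vhost exists — the `HTTPS_CREATE` heredoc stays near the end of the file and the later hunk `@@ -226,27 +214,6 @@` removes the only `a2ensite` that followed it — so unless `desec_subdomain` writes a vhost of its own the enable runs against a missing file and the generated config is never enabled; `addons/deSEC/collabora_docker_desec.sh` in the first patch has the same ordering. In `SUBDOMAIN="$(grep onlyoffice -m 1 $SCRIPTS/deSEC/.subdomain | tail -1 | cut -d '=' -f2)"` `$SCRIPTS` is unquoted, `tail -1` is redundant after `-m 1`, and an empty result is not rejected; `SUBDOMAIN="$(grep -m 1 onlyoffice "$SCRIPTS/deSEC/.subdomain" | cut -d '=' -f2-)"` followed by `[ -n "$SUBDOMAIN" ] || exit 1` would fail early instead of reaching `a2ensite ".conf"`. The `else` branch still names `$SCRIPTS/apps/onlyoffice.sh` rather than this script's path.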
@@ -75,28 +93,6 @@ source /var/scripts/fetch_lib.sh # Get all needed variables from the library nc_update -# Notification -msg_box "Before continuing, please make sure that you have you have \ -edited the DNS settings for $SUBDOMAIN, and opened port 80 and 443 \ -directly to this servers IP. A full extensive guide can be found here: -https://www.techandme.se/open-port-80-443 - -This can be done automatically if you have UPNP enabled in your firewall/router. \ -You will be offered to use UPNP in the next step. - -PLEASE NOTE: -Using other ports than the default 80 and 443 is not supported, \ -though it may be possible with some custom modification: -https://help.nextcloud.com/t/domain-refused-to-connect-collabora/91303/17" - -if yesno_box_no "Do you want to use UPNP to open port 80 and 443?" -then - unset FAIL - open_port 80 TCP - open_port 443 TCP - cleanup_open_port -fi - # Get the latest packages apt-get update -q4 & spinner_loading @@ -115,14 +111,6 @@ sudo bash onlyoffice_docker.sh" exit 1 fi -# Check if $SUBDOMAIN exists and is reachable -print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..." -domain_check_200 "$SUBDOMAIN" - -# Check open ports with NMAP -check_open_port 80 "$SUBDOMAIN" -check_open_port 443 "$SUBDOMAIN" - # Test RAM size (2GB min) + CPUs (min 2) ram_check 2 OnlyOffice cpu_check 2 OnlyOffice @@ -226,27 +214,6 @@ HTTPS_CREATE fi fi -# Install certbot (Let's Encrypt) -install_certbot - -# Generate certs -if generate_cert "$SUBDOMAIN" -then - # Generate DHparams cipher - if [ ! -f "$DHPARAMS_SUB" ] - then - openssl dhparam -out "$DHPARAMS_SUB" 2048 - fi - print_text_in_color "$IGreen" "Certs are generated!" - a2ensite "$SUBDOMAIN.conf" - restart_webserver - # Install OnlyOffice - install_and_enable_app onlyoffice -else - last_fail_tls "$SCRIPTS"/apps/onlyoffice.sh - exit 1 -fi - # Set config for OnlyOffice if [ -d "$NC_APPS_PATH"/onlyoffice ] then From febe6257857ed7ffbf2078032daf3cbef0013df7 Mon Sep 17 00:00:00 2001 
From: Daniel Hansson Date: Wed, 28 Dec 2022 16:21:20 +0100 Subject: [PATCH 07/19] Rename onlyoffice_docker._desec.sh to onlyoffice_docker_desec.sh Signed-off-by: Daniel Hansson --- .../{onlyoffice_docker._desec.sh => onlyoffice_docker_desec.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename addons/deSEC/{onlyoffice_docker._desec.sh => onlyoffice_docker_desec.sh} (100%) diff --git a/addons/deSEC/onlyoffice_docker._desec.sh b/addons/deSEC/onlyoffice_docker_desec.sh similarity index 100% rename from addons/deSEC/onlyoffice_docker._desec.sh rename to addons/deSEC/onlyoffice_docker_desec.sh From 298dbeb16b8b43498bae1b3a07be96ffeab240ee Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 17:18:47 +0100 Subject: [PATCH 08/19] Create onlyoffice_docker.sh Signed-off-by: Daniel Hansson --- apps/onlyoffice_docker.sh | 270 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 270 insertions(+) create mode 100644 apps/onlyoffice_docker.sh diff --git a/apps/onlyoffice_docker.sh b/apps/onlyoffice_docker.sh new file mode 100644 index 0000000000..db153f28fb --- /dev/null +++ b/apps/onlyoffice_docker.sh 
@@ -0,0 +1,270 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2019, https://www.hanssonit.se/ + +true +SCRIPT_NAME="OnlyOffice (Docker)" +SCRIPT_EXPLAINER="This script will install the OnlyOffice Document Server bundled with Docker" +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Check if root +root_check + +# Check if collabora is already installed +if ! does_this_docker_exist 'onlyoffice/documentserver' +then + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + remove_onlyoffice_docker + # Remove config.php value set when install was successful + nextcloud_occ config:system:delete allow_local_remote_servers + nextcloud_occ config:system:delete onlyoffice + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" +fi + +# Check if collabora is installed and remove every trace of it +if does_this_docker_exist 'collabora/code' +then + # Removal + remove_collabora_docker +fi + +# Remove all office apps +remove_all_office_apps + +# Check if apache2 evasive-mod is enabled and disable it because of compatibility issues +if [ "$(apache2ctl -M | grep evasive)" != "" ] +then + msg_box "We noticed that 'mod_evasive' is installed which is the DDOS protection for webservices. \ +It has compatibility issues with OnlyOffice and you can now choose to disable it." + if ! yesno_box_yes "Do you want to disable DDOS protection?" + then + print_text_in_color "$ICyan" "Keeping mod_evasive active." + else + a2dismod evasive + # a2dismod mod-evasive # not needed, but existing in the Extra Security script. 
+ apt-get purge libapache2-mod-evasive -y + systemctl restart apache2 + fi +fi + +# Ask for the domain for OnlyOffice +SUBDOMAIN=$(input_box_flow "OnlyOffice subdomain e.g: office.yourdomain.com +NOTE: This domain must be different than your Nextcloud domain. \ +They can however be hosted on the same server, but would require separate DNS entries.") + +# Nextcloud Main Domain +NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||') + +true +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh + +# Get all needed variables from the library +nc_update + +# Notification +msg_box "Before continuing, please make sure that you have you have \ +edited the DNS settings for $SUBDOMAIN, and opened port 80 and 443 \ +directly to this servers IP. A full extensive guide can be found here: +https://www.techandme.se/open-port-80-443 + +This can be done automatically if you have UPNP enabled in your firewall/router. \ +You will be offered to use UPNP in the next step. + +PLEASE NOTE: +Using other ports than the default 80 and 443 is not supported, \ +though it may be possible with some custom modification: +https://help.nextcloud.com/t/domain-refused-to-connect-collabora/91303/17" + +if yesno_box_no "Do you want to use UPNP to open port 80 and 443?" +then + unset FAIL + open_port 80 TCP + open_port 443 TCP + cleanup_open_port +fi + +# Get the latest packages +apt-get update -q4 & spinner_loading + +# Check if Nextcloud is installed +print_text_in_color "$ICyan" "Checking if Nextcloud is installed..." +if ! curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true' +then + msg_box "It seems like Nextcloud is not installed or that you don't use https on: +$NCDOMAIN. +Please install Nextcloud and make sure your domain is reachable, or activate TLS +on your domain to be able to run this script. +If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain. 
+When TLS is activated, run these commands from your CLI: +sudo curl -sLO $APP/onlyoffice_docker.sh +sudo bash onlyoffice_docker.sh" + exit 1 +fi + +# Check if $SUBDOMAIN exists and is reachable +print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..." +domain_check_200 "$SUBDOMAIN" + +# Check open ports with NMAP +check_open_port 80 "$SUBDOMAIN" +check_open_port 443 "$SUBDOMAIN" + +# Test RAM size (2GB min) + CPUs (min 2) +ram_check 2 OnlyOffice +cpu_check 2 OnlyOffice + +# Check if Nextcloud is installed with TLS +check_nextcloud_https "OnlyOffice (Docker)" + +# Install Docker +install_docker + +ONLYOFFICE_SECRET="$(gen_passwd "$SHUF" "a-zA-Z0-9")" + +# Install Onlyoffice docker +docker pull onlyoffice/documentserver:latest +docker run -i -t -d -p 127.0.0.3:9090:80 -e JWT_ENABLED=true -e JWT_HEADER=AuthorizationJwt -e JWT_SECRET="$ONLYOFFICE_SECRET" --restart always --name onlyoffice onlyoffice/documentserver + +# Install apache2 +install_if_not apache2 + +# Enable Apache2 module's +a2enmod proxy +a2enmod proxy_wstunnel +a2enmod proxy_http +a2enmod ssl +a2enmod headers + +# Only add TLS 1.3 on Ubuntu later than 20.04 +if version 20.04 "$DISTRO" 22.04.10 +then + TLS13="+TLSv1.3" +fi + +if [ -f "$HTTPS_CONF" ] +then + a2dissite "$SUBDOMAIN.conf" + rm -f "$HTTPS_CONF" +fi + +# Create Vhost for OnlyOffice Docker online in Apache2 +if [ ! 
-f "$HTTPS_CONF" ]; +then + cat << HTTPS_CREATE > "$HTTPS_CONF" + + ServerName $SUBDOMAIN:443 + + SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem + SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem + SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem + SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB + + # Intermediate configuration + SSLEngine on + SSLCompression off + SSLProtocol -all +TLSv1.2 $TLS13 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off + ServerSignature off + + # Logs + LogLevel warn + CustomLog \${APACHE_LOG_DIR}/access.log combined + ErrorLog \${APACHE_LOG_DIR}/error.log + + # Just in case - see below + SSLProxyEngine On + SSLProxyVerify None + SSLProxyCheckPeerCN Off + SSLProxyCheckPeerName Off + + # Improve security settings + Header set X-XSS-Protection "1; mode=block" + Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + Header set X-Content-Type-Options nosniff + Header set Content-Security-Policy "frame-ancestors 'self' $NCDOMAIN" + + # contra mixed content warnings + RequestHeader set X-Forwarded-Proto "https" + + # basic proxy settings + ProxyRequests off + + ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.3:9090/\$1\$2" + ProxyPass / "http://127.0.0.3:9090/" + ProxyPassReverse / "http://127.0.0.3:9090/" + + + ProxyPassReverse / + + +HTTPS_CREATE + + if [ -f "$HTTPS_CONF" ]; + then + print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created." + sleep 1 + else + print_text_in_color "$IRed" "Unable to create vhost, exiting..." 
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES" + exit 1 + fi +fi + +# Install certbot (Let's Encrypt) +install_certbot + +# Generate certs +if generate_cert "$SUBDOMAIN" +then + # Generate DHparams cipher + if [ ! -f "$DHPARAMS_SUB" ] + then + openssl dhparam -out "$DHPARAMS_SUB" 2048 + fi + print_text_in_color "$IGreen" "Certs are generated!" + a2ensite "$SUBDOMAIN.conf" + restart_webserver + # Install OnlyOffice + install_and_enable_app onlyoffice +else + last_fail_tls "$SCRIPTS"/apps/onlyoffice.sh + exit 1 +fi + +# Set config for OnlyOffice +if [ -d "$NC_APPS_PATH"/onlyoffice ] +then + nextcloud_occ config:app:set onlyoffice DocumentServerUrl --value=https://"$SUBDOMAIN/" + chown -R www-data:www-data "$NC_APPS_PATH" + # Appending the new domain to trusted domains + add_to_trusted_domains "$SUBDOMAIN" + # Allow remote servers with local addresses e.g. in federated shares, webcal services and more + nextcloud_occ config:system:set allow_local_remote_servers --value="true" + nextcloud_occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET" + nextcloud_occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt" + # Add prune command + add_dockerprune + # Restart Docker + print_text_in_color "$ICyan" "Restarting Docker..." + docker restart onlyoffice + msg_box "OnlyOffice Docker is now successfully installed. +Please be aware that the container is currently starting which can take a few minutes." +fi + +exit From 6955314c781b8577bbf75292dc0ffbfad3e666a7 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 21:35:00 +0100 Subject: [PATCH 09/19] Update collabora_docker_desec.sh Signed-off-by: Daniel Hansson --- addons/deSEC/collabora_docker_desec.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/deSEC/collabora_docker_desec.sh b/addons/deSEC/collabora_docker_desec.sh index 738128b461..bb60e5f7e2 100644 --- a/addons/deSEC/collabora_docker_desec.sh 
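Review bot: `docker run ... -e JWT_SECRET="$ONLYOFFICE_SECRET" ...` places the freshly generated JWT secret on the docker client's command line, where it is visible in the process list while the command runs and in any shell trace (`DEBUG=1` presumably enables one); exporting it and passing the name alone lets docker read it from the environment instead, e.g. `export JWT_SECRET="$ONLYOFFICE_SECRET"` before the run line, `-e JWT_SECRET` in it, and `unset JWT_SECRET` afterwards. `docker inspect` will still show the value, as with any `-e` setting, so this only narrows the exposure. `if [ "$(apache2ctl -M | grep evasive)" != "" ]` is the long form of `if apache2ctl -M | grep -q evasive`. The comment `# Check if collabora is already installed` above the `onlyoffice/documentserver` check is stale; the deSEC copy in patch 06 corrects it but this restored file keeps the old text.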
+++ b/addons/deSEC/collabora_docker_desec.sh @@ -53,7 +53,7 @@ install_certbot export SUBDOMAIN=collabora if run_script DESEC desec_subdomain then - SUBDOMAIN="$(grep dedyn.io $SCRIPTS/deSEC/.subdomain | tail -1 | cut -d '=' -f2)" + SUBDOMAIN="$(grep collabora $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)" # Generate DHparams cipher if [ ! -f "$DHPARAMS_SUB" ] then From 90985983bbf3990119f13fd43723989012ec0d65 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 21:35:31 +0100 Subject: [PATCH 10/19] Create talk_desec.sh Signed-off-by: Daniel Hansson --- addons/deSEC/talk_desec.sh | 454 +++++++++++++++++++++++++++++++++++++ 1 file changed, 454 insertions(+) create mode 100644 addons/deSEC/talk_desec.sh diff --git a/addons/deSEC/talk_desec.sh b/addons/deSEC/talk_desec.sh new file mode 100644 index 0000000000..af56af7ccf --- /dev/null +++ b/addons/deSEC/talk_desec.sh 
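Review bot: `grep collabora $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2` drops the `-m 1` the onlyoffice variant uses, so if `.subdomain` ever holds more than one line containing "collabora" (a reinstall appending a second entry, for instance) `SUBDOMAIN` becomes a multi-line string and everything built from it (`a2ensite`, the vhost `ServerName`, `wopi_url`) breaks; `$SCRIPTS` is still unquoted and an empty result is still not rejected. `SUBDOMAIN="$(grep -m 1 collabora "$SCRIPTS/deSEC/.subdomain" | cut -d '=' -f2-)"` followed by `[ -n "$SUBDOMAIN" ] || exit 1` pins a single match and fails early. The enclosing `if run_script DESEC desec_subdomain` block continues outside the hunk.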
@@ -0,0 +1,454 @@ +#!/bin/bash + +# T&M Hansson IT AB © - 2022, https://www.hanssonit.se/ + +true +SCRIPT_NAME="Nextcloud Talk" +SCRIPT_EXPLAINER="This script installs Nextcloud Talk and also offers the possibility \ +to install the so-called High-Performance-Backend, which makes it possible to host more video calls than it would be with the standard Talk app. \ +It's called 'Talk Signaling' and you will be offered to install it as part two of this script." +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh + +# Get all needed variables from the library +nc_update +turn_install + +# Check for errors + debug code and abort if something isn't right +# 1 = ON +# 0 = OFF +DEBUG=0 +debug_mode + +# Must be root +root_check + +# Check if talk_signaling is already installed +if [ -z "$(nextcloud_occ_no_check config:app:get spreed turn_servers | sed 's/\[\]//')" ] \ +&& ! is_this_installed coturn +then + # Ask for installing + install_popup "$SCRIPT_NAME" +else + # Ask for removal or reinstallation + reinstall_remove_menu "$SCRIPT_NAME" + # Removal + sed "/# Talk Signaling Server/d" /etc/hosts >/dev/null 2>&1 + sed "/127.0.1.1 $SUBDOMAIN/d" /etc/hosts >/dev/null 2>&1 + nextcloud_occ_no_check config:app:delete spreed stun_servers + nextcloud_occ_no_check config:app:delete spreed turn_servers + nextcloud_occ_no_check config:app:delete spreed signaling_servers + nextcloud_occ_no_check app:remove spreed + rm -rf \ + "$TURN_CONF" \ + "$SIGNALING_SERVER_CONF" \ + /etc/nats \ + /etc/janus \ + /etc/apt/trusted.gpg.d/morph027-janus.asc \ + /etc/apt/trusted.gpg.d/morph027-nats-server.asc \ + /etc/apt/trusted.gpg.d/morph027-nextcloud-spreed-signaling.asc \ + /etc/apt/trusted.gpg.d/morph027-coturn.asc \ + /etc/apt/keyrings/morph027-coturn.asc + /etc/apt/sources.list.d/morph027-nextcloud-spreed-signaling.list\ + /etc/apt/sources.list.d/morph027-janus.list \ + /etc/apt/sources.list.d/morph027-nats-server.list \ + /etc/apt/sources.list.d/morph027-coturn.list \ + 
$VMLOGS/talk_apache_error.log \ + $VMLOGS/talk_apache_access.log \ + $VMLOGS/turnserver.log \ + /var/www/html/error + APPS=(coturn nats-server janus nextcloud-spreed-signaling) + for app in "${APPS[@]}" + do + if is_this_installed "$app" + then + apt-get purge "$app" -y + fi + done + apt-get autoremove -y + # Show successful uninstall if applicable + removal_popup "$SCRIPT_NAME" +fi + +# Must be 22.04 +if ! version 20.04 "$DISTRO" 22.04.10 +then + msg_box "Your current Ubuntu version is $DISTRO but must be between 20.04 - 22.04.10 to install Talk" + msg_box "Please contact us to get support for upgrading your server: +https://www.hanssonit.se/#contact +https://shop.hanssonit.se/" +exit +fi + +# Nextcloud 19 is required. +lowest_compatible_nc 20 + +####################### TALK (COTURN) + +# Check if Nextcloud is installed with TLS +check_nextcloud_https "Nextclod Talk" + +# Let the user choose port. TURN_PORT in msg_box is taken from lib.sh and later changed if user decides to. +msg_box "The default port for Talk used in this script is port $TURN_PORT. +You can read more about that port here: https://www.speedguide.net/port.php?port=$TURN_PORT +You will now be given the option to change this port to something of your own. +Please keep in mind NOT to use the following ports as they are likely in use already: +${NONO_PORTS[*]}" + +while : +do + if yesno_box_no "Do you want to change port?" 
+ then + # Ask for port + TURN_PORT=$(input_box_flow "Please enter the port you will use for Nextcloud Talk") + fi + + # Check if port is taken and exit if that's the case + if check_nono_ports "$TURN_PORT" + then + break + fi +done + +# Install TURN +if [ "${CODENAME}" == "jammy" ] +then + add_trusted_key_and_repo "gpg.key" \ + "https://packaging.gitlab.io/coturn" \ + "https://packaging.gitlab.io/coturn/$CODENAME" \ + "$CODENAME main" \ + "morph027-coturn.list" +fi +check_command install_if_not coturn +check_command sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn + +# Create log for coturn +install -d -m 777 "$VMLOGS" +install -o turnserver -g turnserver -m 660 /dev/null /var/log + +# Generate $TURN_CONF +cat << TURN_CREATE > "$TURN_CONF" +listening-port=$TURN_PORT +fingerprint +use-auth-secret +static-auth-secret=$TURN_SECRET +realm=$TURN_DOMAIN +total-quota=0 +bps-capacity=0 +stale-nonce +no-loopback-peers +no-multicast-peers +no-stdout-log +simple-log +log-file=$VMLOGS/turnserver.log +allowed-peer-ip=127.0.0.1 +# Enable for better security, might disconect calls though (remove the # and restart coturn) +# denied-peer-ip=0.0.0.0-0.255.255.255 +# denied-peer-ip=10.0.0.0-10.255.255.255 +# denied-peer-ip=100.64.0.0-100.127.255.255 +# denied-peer-ip=127.0.0.0-127.255.255.255 +# denied-peer-ip=169.254.0.0-169.254.255.255 +# denied-peer-ip=172.16.0.0-172.31.255.255 +# denied-peer-ip=192.0.0.0-192.0.0.255 +# denied-peer-ip=192.0.2.0-192.0.2.255 +# denied-peer-ip=192.88.99.0-192.88.99.255 +# denied-peer-ip=192.168.0.0-192.168.255.255 +# denied-peer-ip=198.18.0.0-198.19.255.255 +# denied-peer-ip=198.51.100.0-198.51.100.255 +# denied-peer-ip=203.0.113.0-203.0.113.255 +# denied-peer-ip=240.0.0.0-255.255.255.255 +TURN_CREATE +if [ -f "$TURN_CONF" ]; +then + print_text_in_color "$IGreen" "$TURN_CONF was successfully created." +else + print_text_in_color "$IRed" "Unable to create $TURN_CONF, exiting..." 
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES" + exit 1 +fi + +# Restart the TURN server +check_command systemctl restart coturn.service + +# Warn user to open port +msg_box "You have to open $TURN_PORT TCP/UDP in your firewall or your TURN/STUN server won't work! + +This can be done automatically if you have UPNP enabled in your firewall/router. \ +You will be offered to use UPNP in the next step. + +After you hit OK, the script will check if the port is open or not. If it fails \ +and you want to run this script again, just execute this in your CLI: +sudo bash /var/scripts/menu.sh, and choose 'Talk'." + +if yesno_box_no "Do you want to use UPNP to open port $TURN_PORT?" +then + unset FAIL + open_port "$TURN_PORT" TCP + open_port "$TURN_PORT" UDP + cleanup_open_port +fi + +# Check if the port is open +check_open_port "$TURN_PORT" "$TURN_DOMAIN" + +# Enable Spreed (Talk) +STUN_SERVERS_STRING="[\"$TURN_DOMAIN:$TURN_PORT\"]" +TURN_SERVERS_STRING="[{\"server\":\"$TURN_DOMAIN:$TURN_PORT\",\"secret\":\"$TURN_SECRET\",\"protocols\":\"udp,tcp\"}]" + +if ! is_app_enabled spreed +then + install_and_enable_app spreed +fi + +nextcloud_occ config:app:set spreed stun_servers --value="$STUN_SERVERS_STRING" --output json +nextcloud_occ config:app:set spreed turn_servers --value="$TURN_SERVERS_STRING" --output json +chown -R www-data:www-data "$NC_APPS_PATH" + +msg_box "Nextcloud Talk is now installed. For more information about \ +Nextcloud Talk and its mobile apps visit:\nhttps://nextcloud.com/talk/" + +####################### SIGNALING + +SCRIPT_NAME="Talk Signaling Server" + +msg_box "You will now be presented with the option to install the Talk Signaling (STUN) server. +This aims to give you greater performance and ability to have more users in a call at the same time. 
+ +You can read more here: +https://github.com/strukturag/nextcloud-spreed-signaling/blob/master/README.md + +We will use apt packages from https://gitlab.com/morph027 which is a trusted contributor to this repository. + +The exact sources can be found here: +https://gitlab.com/packaging/nextcloud-spreed-signaling +https://gitlab.com/packaging/janus/" + +# Ask the user if he/she wants the HPB server as well +if ! yesno_box_no "Do you want to install the $SCRIPT_NAME? Please note that using basic Talk is usally enough." +then + exit 1 +fi + +# curl the lib another time to get the correct https_conf +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh + +# Install certbot (Let's Encrypt) +install_certbot + +# Generate certs and auto-configure if successful +export SUBDOMAIN=talk +if run_script DESEC desec_subdomain +then + SUBDOMAIN="$(grep talk -m1 $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)" + # Generate DHparams cipher + if [ ! -f "$DHPARAMS_SUB" ] + then + openssl dhparam -out "$DHPARAMS_SUB" 2048 + fi + print_text_in_color "$IGreen" "Certs are generated!" 
+ a2ensite "$SUBDOMAIN.conf" + restart_webserver + # Install Collabora App + install_and_enable_app richdocuments +else + last_fail_tls "$SCRIPTS"/apps/collabora.sh + exit 1 +fi + +# NATS +## Pre-Configuration +mkdir -p /etc/nats +echo "listen: 127.0.0.1:4222" > /etc/nats/nats.conf +## Installation +curl -sL -o "/etc/apt/trusted.gpg.d/morph027-nats-server.asc" "https://packaging.gitlab.io/nats-server/gpg.key" +echo "deb https://packaging.gitlab.io/nats-server nats main" > /etc/apt/sources.list.d/morph027-nats-server.list +apt-get update -q4 & spinner_loading +install_if_not nats-server +chown nats:nats /etc/nats/nats.conf +start_if_stopped nats-server +check_command systemctl enable nats-server + +# Janus WebRTC Server +## Installation +case "${CODENAME}" in + "bionic"|"focal") + add_trusted_key_and_repo "gpg.key" \ + "https://packaging.gitlab.io/janus" \ + "https://packaging.gitlab.io/janus/$CODENAME" \ + "$CODENAME main" \ + "morph027-janus.list" + ;; + *) + : + ;; +esac +install_if_not janus +## Configuration +sed -i "s|#turn_rest_api_key.*|turn_rest_api_key = $JANUS_API_KEY|" /etc/janus/janus.jcfg +sed -i "s|#full_trickle|full_trickle|g" /etc/janus/janus.jcfg +sed -i 's|#interface.*|interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg +sed -i 's|#ws_interface.*|ws_interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg +start_if_stopped janus +check_command systemctl enable janus + +# HPB +## Installation +add_trusted_key_and_repo "gpg.key" \ +"https://packaging.gitlab.io/nextcloud-spreed-signaling" \ +"https://packaging.gitlab.io/nextcloud-spreed-signaling" \ +"signaling main" \ +"morph027-nextcloud-spreed-signaling.list" +install_if_not nextcloud-spreed-signaling +## Configuration +if [ ! 
-f "$SIGNALING_SERVER_CONF" ]; +then + cat << SIGNALING_CONF_CREATE > "$SIGNALING_SERVER_CONF" +[http] +listen = 127.0.0.1:8081 +[app] +debug = false +[sessions] +hashkey = $(openssl rand -hex 16) +blockkey = $(openssl rand -hex 16) +[clients] +internalsecret = $(openssl rand -hex 16) +[backend] +allowed = ${TURN_DOMAIN} +allowall = false +secret = ${NC_SECRET} +timeout = 10 +connectionsperhost = 8 +[nats] +url = nats://localhost:4222 +[mcu] +type = janus +url = ws://127.0.0.1:8188 +[turn] +apikey = ${JANUS_API_KEY} +secret = ${TURN_SECRET} +servers = turn:$TURN_DOMAIN:$TURN_PORT?transport=tcp,turn:$TURN_DOMAIN:$TURN_PORT?transport=udp +SIGNALING_CONF_CREATE +fi +start_if_stopped signaling +check_command systemctl enable signaling + +# Apache Proxy +# https://github.com/strukturag/nextcloud-spreed-signaling#apache + +# Install Apache2 +install_if_not apache2 + +# Enable Apache2 module's +a2enmod proxy +a2enmod proxy_wstunnel +a2enmod proxy_http +a2enmod ssl +a2enmod headers +a2enmod remoteip + +# Allow CustomLog +touch $VMLOGS/talk_apache_access.log +touch $VMLOGS/talk_apache_error.log +chown www-data:www-data $VMLOGS/talk_apache_error.log $VMLOGS/talk_apache_access.log + +# Prep the error page +mkdir -p /var/www/html/error +echo "Hi there! :) If you see this page, the Apache2 proxy for $SCRIPT_NAME is up and running." > /var/www/html/error/404_proxy.html +chown -R www-data:www-data /var/www/html/error + +# Only add TLS 1.3 on Ubuntu later than 20.04 +if version 20.04 "$DISTRO" 22.04.10 +then + TLS13="+TLSv1.3" +fi + +if [ -f "$HTTPS_CONF" ] +then + a2dissite "$SUBDOMAIN.conf" + rm -f "$HTTPS_CONF" +fi + +if [ ! 
-f "$HTTPS_CONF" ]; +then + cat << HTTPS_CREATE > "$HTTPS_CONF" + + ServerName $SUBDOMAIN:443 + SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem + SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem + SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem + SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB + + # Intermediate configuration + SSLEngine on + SSLCompression off + SSLProtocol -all +TLSv1.2 $TLS13 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off + ServerSignature off + + # Logs + LogLevel warn + CustomLog \${APACHE_LOG_DIR}/access.log combined + ErrorLog \${APACHE_LOG_DIR}/error.log + + # Just in case - see below + SSLProxyEngine On + SSLProxyVerify None + SSLProxyCheckPeerCN Off + SSLProxyCheckPeerName Off + # contra mixed content warnings + RequestHeader set X-Forwarded-Proto "https" + # Custom error page + ProxyErrorOverride On + DocumentRoot "/var/www/html" + ProxyPass /error/ ! + ErrorDocument 404 /error/404_proxy.html + # Enable proxying Websocket requests to the standalone signaling server. + # https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html + ProxyPass / "http://127.0.0.1:8081/" + RewriteEngine on + RewriteCond %{HTTP:Upgrade} websocket [NC] + RewriteCond %{HTTP:Connection} upgrade [NC] + RewriteRule ^/?(.*) "ws://127.0.0.1:8081/\$1" [P,L] + # Extra (remote) headers + RequestHeader set X-Real-IP %{REMOTE_ADDR}s + Header set X-XSS-Protection "1; mode=block" + Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + Header set X-Content-Type-Options nosniff + Header set Content-Security-Policy "frame-ancestors 'self'" + +HTTPS_CREATE + + if [ -f "$HTTPS_CONF" ]; + then + print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created." 
+ sleep 1 + else + print_text_in_color "$IRed" "Unable to create vhost, exiting..." + print_text_in_color "$IRed" "Please report this issue here $ISSUES" + exit 1 + fi +fi + +# Set signaling server strings +SIGNALING_SERVERS_STRING="{\"servers\":[{\"server\":\"https://$SUBDOMAIN/\",\"verify\":true}],\"secret\":\"$NC_SECRET\"}" +nextcloud_occ config:app:set spreed signaling_servers --value="$SIGNALING_SERVERS_STRING" --output json + +# Add to /etc/hosts +if ! grep "$SUBDOMAIN" /etc/hosts +then + echo "# Talk Signaling Server" >> /etc/hosts + echo "127.0.1.1 $SUBDOMAIN" >> /etc/hosts +fi + +# Check that everything is working +if ! curl -L https://"$SUBDOMAIN"/api/v1/welcome +then + msg_box "Installation failed. :/\n\nPlease run this script again to uninstall if you want to clean the system, or choose to reinstall if you want to try again.\n\nLogging can be found by typing: journalctl -lfu signaling" + exit 1 +else + msg_box "Congratulations, everything is working as intended! The installation succeeded.\n\nLogging can be found by typing: journalctl -lfu signaling" + exit 0 +fi From fb5331f763051f45b456eb7882d0904cfb99cdd8 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 21:36:19 +0100 Subject: [PATCH 11/19] Update onlyoffice_docker_desec.sh Signed-off-by: Daniel Hansson --- addons/deSEC/onlyoffice_docker_desec.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/deSEC/onlyoffice_docker_desec.sh b/addons/deSEC/onlyoffice_docker_desec.sh index 4f039adc66..40a3270bed 100644 --- a/addons/deSEC/onlyoffice_docker_desec.sh +++ b/addons/deSEC/onlyoffice_docker_desec.sh @@ -51,7 +51,7 @@ install_certbot export SUBDOMAIN=onlyoffice if run_script DESEC desec_subdomain then - SUBDOMAIN="$(grep onlyoffice -m 1 $SCRIPTS/deSEC/.subdomain | tail -1 | cut -d '=' -f2)" + SUBDOMAIN="$(grep onlyoffice -m 1 $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)" # Generate DHparams cipher if [ ! -f "$DHPARAMS_SUB" ] then 
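Review bot: The uninstall branch near the top of the new file does not remove what it lists: both `sed "/…/d" /etc/hosts >/dev/null 2>&1` calls lack `-i`, so they only write to /dev/null and /etc/hosts is left untouched, and the `rm -rf` argument list ends at `/etc/apt/keyrings/morph027-coturn.asc` because that line has no continuation backslash, so the following line `/etc/apt/sources.list.d/morph027-nextcloud-spreed-signaling.list\` is executed as a command and the morph027 `.list` files, the Talk log files and `/var/www/html/error` survive. Because the signing keys in `/etc/apt/trusted.gpg.d` are removed while their sources stay, the next `apt-get update` will fail on those third-party repositories instead of the repositories being gone. The fix is `sed -i "/# Talk Signaling Server/d" /etc/hosts`, `sed -i "/127.0.1.1 $SUBDOMAIN/d" /etc/hosts` and a trailing ` \` on the keyrings line. Note too that `$SUBDOMAIN` is only assigned much later (`export SUBDOMAIN=talk`), so unless lib.sh sets it beforehand the second pattern degrades to `/127.0.1.1 /d`, which with `-i` would also drop Ubuntu's default `127.0.1.1 <hostname>` entry; guard it with `[ -n "$SUBDOMAIN" ]` or delete the marker line and the line after it instead.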
From c7c73cac39ffe6e1b1f242d5ee2971b264cac2e8 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 21:39:28 +0100 Subject: [PATCH 12/19] typo Signed-off-by: Daniel Hansson --- apps/talk.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/talk.sh b/apps/talk.sh index 5c508f6bd0..6c17408039 100644 --- a/apps/talk.sh +++ b/apps/talk.sh @@ -224,7 +224,7 @@ https://gitlab.com/packaging/nextcloud-spreed-signaling https://gitlab.com/packaging/janus/" # Ask the user if he/she wants the HPB server as well -if ! yesno_box_no "Do you want to install the $SCRIPT_NAME? Please note that using basic Talk is usally enough." +if ! yesno_box_no "Do you want to install the $SCRIPT_NAME? Please note that using basic Talk is usually enough." then exit 1 fi From d243cdfaf1e77d4ecf36eede82565eaafca222f3 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 21:43:22 +0100 Subject: [PATCH 13/19] typo Signed-off-by: Daniel Hansson --- addons/deSEC/talk_desec.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/deSEC/talk_desec.sh b/addons/deSEC/talk_desec.sh index af56af7ccf..a9c92f4267 100644 --- a/addons/deSEC/talk_desec.sh +++ b/addons/deSEC/talk_desec.sh @@ -224,7 +224,7 @@ https://gitlab.com/packaging/nextcloud-spreed-signaling https://gitlab.com/packaging/janus/" # Ask the user if he/she wants the HPB server as well -if ! yesno_box_no "Do you want to install the $SCRIPT_NAME? Please note that using basic Talk is usally enough." +if ! yesno_box_no "Do you want to install the $SCRIPT_NAME? Please note that using basic Talk is usually enough." then exit 1 fi From 27c6035111c3eb33283d226379ed26a3fe27d06a Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Wed, 28 Dec 2022 21:45:29 +0100 Subject: [PATCH 14/19] fix comment Signed-off-by: Daniel Hansson --- lib.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib.sh b/lib.sh index 191a187d50..3a442f97ff 100644 --- a/lib.sh +++ b/lib.sh 
@@ -851,7 +851,7 @@ done } # Let the user choose to setup a specific app with either deSEC, or regular TLS. -# desec_app_tls_menu "DESEC collabora_docker_desec.sh" "APP collabora_docker.sh" +# desec_app_tls_menu "DESEC collabora_docker_desec" "APP collabora_docker" desec_app_tls_menu() { choice=$(whiptail --title "$TITLE" --menu \ "Choose TLS setup. Please note, to run the deSEC option, deSEC needs to be configured and setup already.\n From 02931729117cff900b554e6f62cbb11956bc2290 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 29 Dec 2022 08:43:10 +0100 Subject: [PATCH 15/19] change order Signed-off-by: Daniel Hansson --- lib.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib.sh b/lib.sh index 3a442f97ff..e20c525d14 100644 --- a/lib.sh +++ b/lib.sh @@ -856,8 +856,8 @@ desec_app_tls_menu() { choice=$(whiptail --title "$TITLE" --menu \ "Choose TLS setup. Please note, to run the deSEC option, deSEC needs to be configured and setup already.\n $MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \ -"deSEC TLS setup" "(If you configured deSEC already. Works with custom port.)" \ -"Regular TLS setup" "(If deSEC isn't installed, setup normal TLS)" 3>&1 1>&2 2>&3) +"Regular TLS setup" "(If deSEC isn't installed, setup normal TLS)" \ +"deSEC TLS setup" "(If you configured deSEC already. Works with custom port.)" 3>&1 1>&2 2>&3) case "$choice" in "deSEC TLS setup") From 617cb8e97b1de99b96e25c5445fbf68fc1035831 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 29 Dec 2022 17:57:33 +0100 Subject: [PATCH 16/19] collabora now generates as it should Signed-off-by: Daniel Hansson --- addons/deSEC/collabora_docker_desec.sh | 94 ++++++++++++++------------ 1 file changed, 49 insertions(+), 45 deletions(-) diff --git a/addons/deSEC/collabora_docker_desec.sh b/addons/deSEC/collabora_docker_desec.sh index bb60e5f7e2..b7d5669dc9 100644 --- a/addons/deSEC/collabora_docker_desec.sh +++ b/addons/deSEC/collabora_docker_desec.sh 
@@ -18,6 +18,10 @@ debug_mode
 # Check if root
 root_check
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 Collabora
+cpu_check 2 Collabora
+
 
 # Check if Collabora is already installed
 print_text_in_color "$ICyan" "Checking if Collabora is already installed..."
 if ! does_this_docker_exist 'collabora/code'
@@ -54,14 +58,15 @@ export SUBDOMAIN=collabora
 if run_script DESEC desec_subdomain
 then
 SUBDOMAIN="$(grep collabora $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)"
+ # Curl the library another time to get the correct DHPARAMS
+ # shellcheck source=lib.sh
+ source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
 # Generate DHparams cipher
 if [ ! -f "$DHPARAMS_SUB" ]
 then
 openssl dhparam -out "$DHPARAMS_SUB" 2048
 fi
 print_text_in_color "$IGreen" "Certs are generated!"
- a2ensite "$SUBDOMAIN.conf"
- restart_webserver
 # Install Collabora App
 install_and_enable_app richdocuments
 else
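Review bot: The fallback `source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)` added after the subdomain lookup executes whatever the server returns as root, and without `-f` an HTTP error page is sourced as shell (quietly, since `-s` suppresses the message) instead of making the `||` chain fail; `curl -fsSL` turns a 404/5xx into a failed source. Re-sourcing lib.sh mid-script also re-evaluates every library-defined variable, not only `DHPARAMS_SUB`, so the reader has to know that nothing this script set above is expected to survive except the exported `SUBDOMAIN` (the plain reassignment keeps the export attribute from `export SUBDOMAIN=collabora`). A comment next to the `source` line such as `# Re-source lib.sh so DHPARAMS_SUB (and presumably HTTPS_CONF) are derived from the exported SUBDOMAIN; all other lib variables are reset here` would make that intent explicit.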
@@ -69,49 +74,6 @@ else exit 1 fi -# Nextcloud Main Domain -NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||') - -# Curl the library another time to get the correct https_conf -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) - -# Get all needed variables from the library -nc_update - -# Get the latest packages -apt-get update -q4 & spinner_loading - -# Check if Nextcloud is installed -print_text_in_color "$ICyan" "Checking if Nextcloud is installed..." -if ! curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true' -then - msg_box "It seems like Nextcloud is not installed or that you don't use https on: -$NCDOMAIN. -Please install Nextcloud and make sure your domain is reachable, or activate TLS -on your domain to be able to run this script. - -If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain. -When TLS is activated, run these commands from your CLI: -sudo curl -sLO $APP/collabora.sh -sudo bash collabora.sh" - exit 1 -fi - -# Test RAM size (2GB min) + CPUs (min 2) -ram_check 2 Collabora -cpu_check 2 Collabora - -# Check if Nextcloud is installed with TLS -check_nextcloud_https "Collabora (Docker)" - -# Install Docker -install_docker - -# Install Collabora docker -docker pull collabora/code:latest -docker run -t -d -p 127.0.0.1:9980:9980 -e "aliasgroup1=https://$NCDOMAIN:443" --restart always --name code --cap-add MKNOD collabora/code - # Install Apache2 install_if_not apache2 @@ -212,6 +174,8 @@ HTTPS_CREATE then print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created." sleep 1 + a2ensite "$SUBDOMAIN.conf" + restart_webserver else print_text_in_color "$IRed" "Unable to create vhost, exiting..." print_text_in_color "$IRed" "Please report this issue here $ISSUES" 
@@ -219,6 +183,46 @@ HTTPS_CREATE fi fi +# Nextcloud Main Domain +NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||') + +# Curl the library another time to get the correct https_conf +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Get all needed variables from the library +nc_update + +# Get the latest packages +apt-get update -q4 & spinner_loading + +# Check if Nextcloud is installed +print_text_in_color "$ICyan" "Checking if Nextcloud is installed..." +if ! curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true' +then + msg_box "It seems like Nextcloud is not installed or that you don't use https on: +$NCDOMAIN. +Please install Nextcloud and make sure your domain is reachable, or activate TLS +on your domain to be able to run this script. + +If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain. +When TLS is activated, run these commands from your CLI: +sudo curl -sLO $APP/collabora.sh +sudo bash collabora.sh" + exit 1 +fi + +# Check if Nextcloud is installed with TLS +check_nextcloud_https "Collabora (Docker)" + +# Install Docker +install_docker + +# Install Collabora docker +docker pull collabora/code:latest +docker run -t -d -p 127.0.0.1:9980:9980 -e "aliasgroup1=https://$NCDOMAIN:443" --restart always --name code --cap-add MKNOD collabora/code + + # Set config for RichDocuments (Collabora App) if is_app_installed richdocuments then From b72446d533c535af79702f6eac5f3a5ce5bd46ab Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 29 Dec 2022 18:05:07 +0100 Subject: [PATCH 17/19] onlyffice same as collabora Signed-off-by: Daniel Hansson --- addons/deSEC/onlyoffice_docker_desec.sh | 131 ++++++++++++------------ 1 file changed, 67 insertions(+), 64 deletions(-) 
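Review bot: After this move the Nextcloud reachability check (`curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true'`) and `check_nextcloud_https` run only after the certificate has been issued, `$SUBDOMAIN.conf` has been enabled and Apache restarted, so each `exit 1` here leaves a live TLS vhost for a Collabora backend that was never started. Either run these checks before `run_script DESEC desec_subdomain`, or tear the vhost down on failure as talk_desec.sh does before recreating its own (`a2dissite "$SUBDOMAIN.conf"`, `rm -f "$HTTPS_CONF"`, `restart_webserver`). The `curl -s` also has no `-f` or `--max-time`, so an unreachable host can hang for a long time before the msg_box appears; `curl -fsS --max-time 30` fails fast with a visible reason. `docker pull collabora/code:latest` followed by `docker run … collabora/code` runs an unpinned tag, which the project may accept deliberately, but pinning a version or digest is what makes the install reproducible.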
diff --git a/addons/deSEC/onlyoffice_docker_desec.sh b/addons/deSEC/onlyoffice_docker_desec.sh
index 40a3270bed..fcb1e5e0ca 100644
--- a/addons/deSEC/onlyoffice_docker_desec.sh
+++ b/addons/deSEC/onlyoffice_docker_desec.sh
@@ -17,6 +17,10 @@ debug_mode
 # Check if root
 root_check
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 OnlyOffice
+cpu_check 2 OnlyOffice
+
 
 # Check if onlyoffice is already installed
 if ! does_this_docker_exist 'onlyoffice/documentserver'
 then
@@ -52,81 +56,22 @@ export SUBDOMAIN=onlyoffice if run_script DESEC desec_subdomain then SUBDOMAIN="$(grep onlyoffice -m 1 $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)" + # Curl the library another time to get the correct DHPARAMS + # shellcheck source=lib.sh + source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) # Generate DHparams cipher if [ ! -f "$DHPARAMS_SUB" ] then openssl dhparam -out "$DHPARAMS_SUB" 2048 fi print_text_in_color "$IGreen" "Certs are generated!" - a2ensite "$SUBDOMAIN.conf" - restart_webserver - # Install OnlyOffice + # Install OnlyOffice App install_and_enable_app onlyoffice else - last_fail_tls "$SCRIPTS"/apps/onlyoffice.sh - exit 1 -fi - -# Check if apache2 evasive-mod is enabled and disable it because of compatibility issues -if [ "$(apache2ctl -M | grep evasive)" != "" ] -then - msg_box "We noticed that 'mod_evasive' is installed which is the DDOS protection for webservices. \ -It has compatibility issues with OnlyOffice and you can now choose to disable it." - if ! yesno_box_yes "Do you want to disable DDOS protection?" - then - print_text_in_color "$ICyan" "Keeping mod_evasive active." - else - a2dismod evasive - # a2dismod mod-evasive # not needed, but existing in the Extra Security script. - apt-get purge libapache2-mod-evasive -y - systemctl restart apache2 - fi -fi - -# Nextcloud Main Domain -NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||') - -true -# shellcheck source=lib.sh -source /var/scripts/fetch_lib.sh - -# Get all needed variables from the library -nc_update - -# Get the latest packages -apt-get update -q4 & spinner_loading - -# Check if Nextcloud is installed -print_text_in_color "$ICyan" "Checking if Nextcloud is installed..." -if ! curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true' -then - msg_box "It seems like Nextcloud is not installed or that you don't use https on: -$NCDOMAIN. 
-Please install Nextcloud and make sure your domain is reachable, or activate TLS -on your domain to be able to run this script. -If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain. -When TLS is activated, run these commands from your CLI: -sudo curl -sLO $APP/onlyoffice_docker.sh -sudo bash onlyoffice_docker.sh" + last_fail_tls "$SCRIPTS"/apps/onlyoffice_docker.sh exit 1 fi -# Test RAM size (2GB min) + CPUs (min 2) -ram_check 2 OnlyOffice -cpu_check 2 OnlyOffice - -# Check if Nextcloud is installed with TLS -check_nextcloud_https "OnlyOffice (Docker)" - -# Install Docker -install_docker - -ONLYOFFICE_SECRET="$(gen_passwd "$SHUF" "a-zA-Z0-9")" - -# Install Onlyoffice docker -docker pull onlyoffice/documentserver:latest -docker run -i -t -d -p 127.0.0.3:9090:80 -e JWT_ENABLED=true -e JWT_HEADER=AuthorizationJwt -e JWT_SECRET="$ONLYOFFICE_SECRET" --restart always --name onlyoffice onlyoffice/documentserver - # Install apache2 install_if_not apache2 @@ -206,6 +151,8 @@ HTTPS_CREATE if [ -f "$HTTPS_CONF" ]; then print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created." + a2ensite "$SUBDOMAIN.conf" + restart_webserver sleep 1 else print_text_in_color "$IRed" "Unable to create vhost, exiting..." 
@@ -214,6 +161,62 @@ HTTPS_CREATE fi fi +# Check if apache2 evasive-mod is enabled and disable it because of compatibility issues +if [ "$(apache2ctl -M | grep evasive)" != "" ] +then + msg_box "We noticed that 'mod_evasive' is installed which is the DDOS protection for webservices. \ +It has compatibility issues with OnlyOffice and you can now choose to disable it." + if ! yesno_box_yes "Do you want to disable DDOS protection?" + then + print_text_in_color "$ICyan" "Keeping mod_evasive active." + else + a2dismod evasive + # a2dismod mod-evasive # not needed, but existing in the Extra Security script. + apt-get purge libapache2-mod-evasive -y + systemctl restart apache2 + fi +fi + +# Nextcloud Main Domain +NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||') + +true +# shellcheck source=lib.sh +source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Get all needed variables from the library +nc_update + +# Get the latest packages +apt-get update -q4 & spinner_loading + +# Check if Nextcloud is installed +print_text_in_color "$ICyan" "Checking if Nextcloud is installed..." +if ! curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true' +then + msg_box "It seems like Nextcloud is not installed or that you don't use https on: +$NCDOMAIN. +Please install Nextcloud and make sure your domain is reachable, or activate TLS +on your domain to be able to run this script. +If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain. 
+When TLS is activated, run these commands from your CLI: +sudo curl -sLO $APP/onlyoffice_docker.sh +sudo bash onlyoffice_docker.sh" + exit 1 +fi + +# Check if Nextcloud is installed with TLS +check_nextcloud_https "OnlyOffice (Docker)" + +# Install Docker +install_docker + +ONLYOFFICE_SECRET="$(gen_passwd "$SHUF" "a-zA-Z0-9")" + +# Install Onlyoffice docker +docker pull onlyoffice/documentserver:latest +docker run -i -t -d -p 127.0.0.3:9090:80 -e JWT_ENABLED=true -e JWT_HEADER=AuthorizationJwt -e JWT_SECRET="$ONLYOFFICE_SECRET" --restart always --name onlyoffice onlyoffice/documentserver + # Set config for OnlyOffice if [ -d "$NC_APPS_PATH"/onlyoffice ] then From 1ce5053940ac9bad70a33d42632509eb5b9ef159 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 29 Dec 2022 18:05:37 +0100 Subject: [PATCH 18/19] stop at first occurance Signed-off-by: Daniel Hansson --- addons/deSEC/collabora_docker_desec.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/deSEC/collabora_docker_desec.sh b/addons/deSEC/collabora_docker_desec.sh index b7d5669dc9..5ba79d3ae4 100644 --- a/addons/deSEC/collabora_docker_desec.sh +++ b/addons/deSEC/collabora_docker_desec.sh @@ -57,7 +57,7 @@ install_certbot export SUBDOMAIN=collabora if run_script DESEC desec_subdomain then - SUBDOMAIN="$(grep collabora $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)" + SUBDOMAIN="$(grep collabora -m 1 $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)" # Curl the library another time to get the correct DHPARAMS # shellcheck source=lib.sh source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) From 589f0e3bdb77ac664117919158dccb3bf99e7484 Mon Sep 17 00:00:00 2001 From: Daniel Hansson Date: Thu, 29 Dec 2022 18:24:21 +0100 Subject: [PATCH 19/19] same changes as collabora and onlyoffice Signed-off-by: Daniel Hansson --- addons/deSEC/talk_desec.sh | 169 +++++++++++++++++++------------------ 1 file changed, 86 insertions(+), 83 deletions(-) 
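Review bot: The moved `mod_evasive` prompt defaults to removal (`yesno_box_yes "Do you want to disable DDOS protection?"`) and then `a2dismod evasive` plus `apt-get purge libapache2-mod-evasive` apply to the whole Apache instance, including the Nextcloud vhost, although the stated compatibility problem is with OnlyOffice only; dropping a security control on the default answer is the wrong shape — `yesno_box_no` and a msg_box sentence saying the change is server-wide would be safer. As in the Collabora script, this block and the Nextcloud checks now execute after `$SUBDOMAIN.conf` has been enabled and Apache restarted, so the `exit 1` paths leave a working TLS vhost pointing at a container that was never created; run the checks before the certificate step or disable and delete the vhost on failure. Minor: `JWT_SECRET="$ONLYOFFICE_SECRET"` on the `docker run` line ends up in the container's recorded environment (`docker inspect onlyoffice`), which is expected on a single-admin VM but deserves a one-line comment so nobody later copies it into a log or a shared compose file.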
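Review bot: `grep collabora -m 1 $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2` now takes only the first match, but the pattern is unanchored, so an earlier line that merely contains `collabora` in its value or in a commented-out entry is picked instead, and an empty result would be used as the vhost name and certificate subject without any check. Assuming `.subdomain` holds `key=host` lines (the `cut -d '='` suggests so; the file format is not visible here), `SUBDOMAIN="$(grep -m 1 -- '^collabora=' "$SCRIPTS/deSEC/.subdomain" | cut -d '=' -f2)"` followed by `[ -n "$SUBDOMAIN" ] || { msg_box "No collabora entry found in $SCRIPTS/deSEC/.subdomain"; exit 1; }` makes the lookup exact and fails loudly. The onlyoffice and talk lookups earlier in this series have the same shape.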
diff --git a/addons/deSEC/talk_desec.sh b/addons/deSEC/talk_desec.sh
index a9c92f4267..6e42aea2e8 100644
--- a/addons/deSEC/talk_desec.sh
+++ b/addons/deSEC/talk_desec.sh
@@ -240,99 +240,23 @@ install_certbot export SUBDOMAIN=talk if run_script DESEC desec_subdomain then - SUBDOMAIN="$(grep talk -m1 $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)" + SUBDOMAIN="$(grep talk -m 1 $SCRIPTS/deSEC/.subdomain | cut -d '=' -f2)" + # Curl the library another time to get the correct DHPARAMS + # shellcheck source=lib.sh + source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) # Generate DHparams cipher if [ ! -f "$DHPARAMS_SUB" ] then openssl dhparam -out "$DHPARAMS_SUB" 2048 fi print_text_in_color "$IGreen" "Certs are generated!" - a2ensite "$SUBDOMAIN.conf" - restart_webserver - # Install Collabora App - install_and_enable_app richdocuments else - last_fail_tls "$SCRIPTS"/apps/collabora.sh + # remove settings to be able to start over again + rm -f "$HTTPS_CONF" + last_fail_tls "$SCRIPTS"/apps/talk_signaling.sh exit 1 fi -# NATS -## Pre-Configuration -mkdir -p /etc/nats -echo "listen: 127.0.0.1:4222" > /etc/nats/nats.conf -## Installation -curl -sL -o "/etc/apt/trusted.gpg.d/morph027-nats-server.asc" "https://packaging.gitlab.io/nats-server/gpg.key" -echo "deb https://packaging.gitlab.io/nats-server nats main" > /etc/apt/sources.list.d/morph027-nats-server.list -apt-get update -q4 & spinner_loading -install_if_not nats-server -chown nats:nats /etc/nats/nats.conf -start_if_stopped nats-server -check_command systemctl enable nats-server - -# Janus WebRTC Server -## Installation -case "${CODENAME}" in - "bionic"|"focal") - add_trusted_key_and_repo "gpg.key" \ - "https://packaging.gitlab.io/janus" \ - "https://packaging.gitlab.io/janus/$CODENAME" \ - "$CODENAME main" \ - "morph027-janus.list" - ;; - *) - : - ;; -esac -install_if_not janus -## Configuration -sed -i "s|#turn_rest_api_key.*|turn_rest_api_key = $JANUS_API_KEY|" /etc/janus/janus.jcfg -sed -i "s|#full_trickle|full_trickle|g" /etc/janus/janus.jcfg -sed -i 's|#interface.*|interface = "lo"|g' 
/etc/janus/janus.transport.websockets.jcfg -sed -i 's|#ws_interface.*|ws_interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg -start_if_stopped janus -check_command systemctl enable janus - -# HPB -## Installation -add_trusted_key_and_repo "gpg.key" \ -"https://packaging.gitlab.io/nextcloud-spreed-signaling" \ -"https://packaging.gitlab.io/nextcloud-spreed-signaling" \ -"signaling main" \ -"morph027-nextcloud-spreed-signaling.list" -install_if_not nextcloud-spreed-signaling -## Configuration -if [ ! -f "$SIGNALING_SERVER_CONF" ]; -then - cat << SIGNALING_CONF_CREATE > "$SIGNALING_SERVER_CONF" -[http] -listen = 127.0.0.1:8081 -[app] -debug = false -[sessions] -hashkey = $(openssl rand -hex 16) -blockkey = $(openssl rand -hex 16) -[clients] -internalsecret = $(openssl rand -hex 16) -[backend] -allowed = ${TURN_DOMAIN} -allowall = false -secret = ${NC_SECRET} -timeout = 10 -connectionsperhost = 8 -[nats] -url = nats://localhost:4222 -[mcu] -type = janus -url = ws://127.0.0.1:8188 -[turn] -apikey = ${JANUS_API_KEY} -secret = ${TURN_SECRET} -servers = turn:$TURN_DOMAIN:$TURN_PORT?transport=tcp,turn:$TURN_DOMAIN:$TURN_PORT?transport=udp -SIGNALING_CONF_CREATE -fi -start_if_stopped signaling -check_command systemctl enable signaling - # Apache Proxy # https://github.com/strukturag/nextcloud-spreed-signaling#apache @@ -424,6 +348,8 @@ HTTPS_CREATE if [ -f "$HTTPS_CONF" ]; then print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created." + a2ensite "$SUBDOMAIN.conf" + restart_webserver sleep 1 else print_text_in_color "$IRed" "Unable to create vhost, exiting..." 
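Review bot: After the re-sourcing line added in the `then` branch nothing verifies that `DHPARAMS_SUB` actually received a value; if both `source` attempts fail (the second one needs network access to raw.githubusercontent.com), `[ ! -f "$DHPARAMS_SUB" ]` is true for an empty string and `openssl dhparam -out "" 2048` fails with an unhelpful error. A guard right after the source line, `[ -n "$DHPARAMS_SUB" ] || { print_text_in_color "$IRed" "DHPARAMS_SUB is not set, exiting..."; exit 1; }`, would make that failure explicit. The comment `# Curl the library another time to get the correct DHPARAMS` should also name the variable it is after and why it is not available from the first `source` at the top of the script, since that is the only reason to execute the whole library a second time. In the `else` branch, `rm -f "$HTTPS_CONF"` removes a vhost that, in the new ordering, is only written further down this script, so it appears to matter only for re-runs; a comment saying so would help.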
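Review bot: `a2ensite "$SUBDOMAIN.conf"` is added without a status check, while the same file wraps `systemctl enable` in `check_command`; if the site name does not match the file just written to `$HTTPS_CONF`, the script prints the success message and goes on to point Nextcloud at a vhost Apache never enabled. `check_command a2ensite "$SUBDOMAIN.conf"` keeps the error handling consistent with the rest of the file. Whether `$HTTPS_CONF` is indeed `sites-available/$SUBDOMAIN.conf` is not visible in this hunk, and the surrounding if/else continues outside it.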
@@ -432,6 +358,83 @@ HTTPS_CREATE fi fi +# NATS +## Pre-Configuration +mkdir -p /etc/nats +echo "listen: 127.0.0.1:4222" > /etc/nats/nats.conf +## Installation +curl -sL -o "/etc/apt/trusted.gpg.d/morph027-nats-server.asc" "https://packaging.gitlab.io/nats-server/gpg.key" +echo "deb https://packaging.gitlab.io/nats-server nats main" > /etc/apt/sources.list.d/morph027-nats-server.list +apt-get update -q4 & spinner_loading +install_if_not nats-server +chown nats:nats /etc/nats/nats.conf +start_if_stopped nats-server +check_command systemctl enable nats-server + +# Janus WebRTC Server +## Installation +case "${CODENAME}" in + "bionic"|"focal") + add_trusted_key_and_repo "gpg.key" \ + "https://packaging.gitlab.io/janus" \ + "https://packaging.gitlab.io/janus/$CODENAME" \ + "$CODENAME main" \ + "morph027-janus.list" + ;; + *) + : + ;; +esac +install_if_not janus +## Configuration +sed -i "s|#turn_rest_api_key.*|turn_rest_api_key = $JANUS_API_KEY|" /etc/janus/janus.jcfg +sed -i "s|#full_trickle|full_trickle|g" /etc/janus/janus.jcfg +sed -i 's|#interface.*|interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg +sed -i 's|#ws_interface.*|ws_interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg +start_if_stopped janus +check_command systemctl enable janus + +# HPB +## Installation +add_trusted_key_and_repo "gpg.key" \ +"https://packaging.gitlab.io/nextcloud-spreed-signaling" \ +"https://packaging.gitlab.io/nextcloud-spreed-signaling" \ +"signaling main" \ +"morph027-nextcloud-spreed-signaling.list" +install_if_not nextcloud-spreed-signaling +## Configuration +if [ ! 
-f "$SIGNALING_SERVER_CONF" ]; +then + cat << SIGNALING_CONF_CREATE > "$SIGNALING_SERVER_CONF" +[http] +listen = 127.0.0.1:8081 +[app] +debug = false +[sessions] +hashkey = $(openssl rand -hex 16) +blockkey = $(openssl rand -hex 16) +[clients] +internalsecret = $(openssl rand -hex 16) +[backend] +allowed = ${TURN_DOMAIN} +allowall = false +secret = ${NC_SECRET} +timeout = 10 +connectionsperhost = 8 +[nats] +url = nats://localhost:4222 +[mcu] +type = janus +url = ws://127.0.0.1:8188 +[turn] +apikey = ${JANUS_API_KEY} +secret = ${TURN_SECRET} +servers = turn:$TURN_DOMAIN:$TURN_PORT?transport=tcp,turn:$TURN_DOMAIN:$TURN_PORT?transport=udp +SIGNALING_CONF_CREATE +fi +start_if_stopped signaling +check_command systemctl enable signaling + # Set signaling server strings SIGNALING_SERVERS_STRING="{\"servers\":[{\"server\":\"https://$SUBDOMAIN/\",\"verify\":true}],\"secret\":\"$NC_SECRET\"}" nextcloud_occ config:app:set spreed signaling_servers --value="$SIGNALING_SERVERS_STRING" --output json
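Review bot: The NATS repository is set up by hand — `curl -sL -o "/etc/apt/trusted.gpg.d/morph027-nats-server.asc" ...` followed by an `echo` into sources.list.d — while the Janus and HPB blocks in the same hunk go through `add_trusted_key_and_repo`; `curl -sL` without `-f` stores whatever the server returned (an HTML error page included) as an apt key, and neither the curl nor the echo is checked. Using the helper, `add_trusted_key_and_repo "gpg.key" "https://packaging.gitlab.io/nats-server" "https://packaging.gitlab.io/nats-server" "nats main" "morph027-nats-server.list"`, would make the three blocks consistent, assuming its arguments are key file, key base URL, repo URL, suite and list name as the Janus call suggests and that it checks the download. Separately, the `SIGNALING_CONF_CREATE` heredoc writes `hashkey`, `blockkey`, `internalsecret`, `$NC_SECRET` and `$TURN_SECRET` into `$SIGNALING_SERVER_CONF` under the default umask with no `chmod`/`chown` in sight, so the file may end up world-readable; restricting it to the signaling service's user (not identifiable from the hunk) after creation is worth a line. Since this block is a verbatim move, both points applied to the removed copy as well.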