make apps availble on deSEC

addons/deSEC/collabora_docker_desec.sh

@@ -0,0 +1,237 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2022, https://www.hanssonit.se/
+
+true
+SCRIPT_NAME="Collabora (Docker)"
+SCRIPT_EXPLAINER="This script will install the Collabora Office Server bundled with Docker"
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+# To work with https://github.com/nextcloud/richdocuments/pull/2235
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Check if Collabora is already installed
+print_text_in_color "$ICyan" "Checking if Collabora is already installed..."
+if ! does_this_docker_exist 'collabora/code'
+then
+ # Ask for installing
+ install_popup "$SCRIPT_NAME"
+else
+ # Ask for removal or reinstallation
+ reinstall_remove_menu "$SCRIPT_NAME"
+ # Removal
+ remove_collabora_docker
+ # Remove config.php value set when install was successful
+ nextcloud_occ config:system:delete allow_local_remote_servers
+ # Show successful uninstall if applicable
+ removal_popup "$SCRIPT_NAME"
+fi
+
+# Check if OnlyOffice is previously installed
+# If yes, then stop and prune the docker container
+if does_this_docker_exist 'onlyoffice/documentserver'
+then
+ # Removal
+ remove_onlyoffice_docker
+fi
+
+# Remove all office apps
+remove_all_office_apps
+
+# Install certbot (Let's Encrypt)
+install_certbot
+
+# Generate certs and auto-configure if successful
+export SUBDOMAIN=collabora
+if run_script DESEC desec_subdomain
+then
+ SUBDOMAIN="$(grep dedyn.io $SCRIPTS/deSEC/.subdomain | tail -1 | cut -d '=' -f2)"
+ # Generate DHparams cipher
+ if [ ! -f "$DHPARAMS_SUB" ]
+ then
+ openssl dhparam -out "$DHPARAMS_SUB" 2048
+ fi
+ print_text_in_color "$IGreen" "Certs are generated!"
+ a2ensite "$SUBDOMAIN.conf"
+ restart_webserver
+ # Install Collabora App
+ install_and_enable_app richdocuments
+else
+ last_fail_tls "$SCRIPTS"/apps/collabora.sh
+ exit 1
+fi
+
+# Nextcloud Main Domain
+NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||')
+
+# Curl the library another time to get the correct https_conf
+# shellcheck source=lib.sh
+source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Get all needed variables from the library
+nc_update
+
+# Get the latest packages
+apt-get update -q4 & spinner_loading
+
+# Check if Nextcloud is installed
+print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
+if ! curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true'
+then
+ msg_box "It seems like Nextcloud is not installed or that you don't use https on:
+$NCDOMAIN.
+Please install Nextcloud and make sure your domain is reachable, or activate TLS
+on your domain to be able to run this script.
+
+If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain.
+When TLS is activated, run these commands from your CLI:
+sudo curl -sLO $APP/collabora.sh
+sudo bash collabora.sh"
+ exit 1
+fi
+
+# Test RAM size (2GB min) + CPUs (min 2)
+ram_check 2 Collabora
+cpu_check 2 Collabora
+
+# Check if Nextcloud is installed with TLS
+check_nextcloud_https "Collabora (Docker)"
+
+# Install Docker
+install_docker
+
+# Install Collabora docker
+docker pull collabora/code:latest
+docker run -t -d -p 127.0.0.1:9980:9980 -e "aliasgroup1=https://$NCDOMAIN:443" --restart always --name code --cap-add MKNOD collabora/code
+
+# Install Apache2
+install_if_not apache2
+
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+a2enmod headers
+
+# Only add TLS 1.3 on Ubuntu later than 20.04
+if version 20.04 "$DISTRO" 22.04.10
+then
+ TLS13="+TLSv1.3"
+fi
+
+if [ -f "$HTTPS_CONF" ]
+then
+ a2dissite "$SUBDOMAIN.conf"
+ rm -f "$HTTPS_CONF"
+fi
+
+# Create Vhost for Collabora online in Apache2
+if [ ! -f "$HTTPS_CONF" ];
+then
+ cat << HTTPS_CREATE > "$HTTPS_CONF"
+<VirtualHost *:443>
+ ServerName $SUBDOMAIN:443
+
+ <Directory /var/www>
+ Options -Indexes
+ </Directory>
+
+ # TLS configuration, you may want to take the easy route instead and use Lets Encrypt!
+ SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+ SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+ SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+ SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
+
+ # Intermediate configuration
+ SSLEngine on
+ SSLCompression off
+ SSLProtocol -all +TLSv1.2 $TLS13
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+ ServerSignature off
+
+ # Logs
+ LogLevel warn
+ CustomLog \${APACHE_LOG_DIR}/access.log combined
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+
+ # Encoded slashes need to be allowed
+ AllowEncodedSlashes NoDecode
+
+ # Container uses a unique non-signed certificate
+ SSLProxyEngine On
+ SSLProxyVerify None
+ SSLProxyCheckPeerCN Off
+ SSLProxyCheckPeerName Off
+
+ # Improve security settings
+ Header set X-XSS-Protection "1; mode=block"
+ Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ Header set X-Content-Type-Options nosniff
+ Header set Content-Security-Policy "frame-ancestors 'self' $NCDOMAIN"
+
+ # keep the host
+ ProxyPreserveHost On
+
+ # static html, js, images, etc. served from coolwsd
+ # browser is the client part of LibreOffice Online
+ ProxyPass /browser https://127.0.0.1:9980/browser retry=0
+ ProxyPassReverse /browser https://127.0.0.1:9980/browser
+
+ # WOPI discovery URL
+ ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
+ ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
+
+ # Endpoint with information about availability of various features
+ ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
+ ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
+
+ # Main websocket
+ ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/\$1/ws nocanon
+
+ # Admin Console websocket
+ ProxyPass /cool/adminws wss://127.0.0.1:9980/cool/adminws
+
+ # Download as, Fullscreen presentation and Image upload operations
+ ProxyPass /cool https://127.0.0.1:9980/cool
+ ProxyPassReverse /cool https://127.0.0.1:9980/cool
+</VirtualHost>
+HTTPS_CREATE
+
+ if [ -f "$HTTPS_CONF" ];
+ then
+ print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+ sleep 1
+ else
+ print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+ fi
+fi
+
+# Set config for RichDocuments (Collabora App)
+if is_app_installed richdocuments
+then
+ nextcloud_occ config:app:set richdocuments wopi_url --value=https://"$SUBDOMAIN"
+ chown -R www-data:www-data "$NC_APPS_PATH"
+ # Appending the new domain to trusted domains
+ add_to_trusted_domains "$SUBDOMAIN"
+ # Allow remote servers with local addresses e.g. in federated shares, webcal services and more
+ nextcloud_occ config:system:set allow_local_remote_servers --value="true"
+ # Add prune command
+ add_dockerprune
+ print_text_in_color "$ICyan" "Restarting Docker..."
+ docker restart code
+ msg_box "Collabora Docker is now successfully installed. 
+Please be aware that the container is currently starting which can take a few minutes."
+fi

apps/onlyoffice_docker.sh → addons/deSEC/onlyoffice_docker_desec.sh

@@ -17,7 +17,7 @@ debug_mode
 # Check if root
 root_check
 
-# Check if collabora is already installed
+# Check if onlyoffice is already installed
 if ! does_this_docker_exist 'onlyoffice/documentserver'
 then
  # Ask for installing
@@ -44,6 +44,29 @@ fi
 # Remove all office apps
 remove_all_office_apps
 
+# Install certbot (Let's Encrypt)
+install_certbot
+
+# Generate certs and auto-configure if successful
+export SUBDOMAIN=onlyoffice
+if run_script DESEC desec_subdomain
+then
+ SUBDOMAIN="$(grep onlyoffice -m 1 $SCRIPTS/deSEC/.subdomain | tail -1 | cut -d '=' -f2)"
+ # Generate DHparams cipher
+ if [ ! -f "$DHPARAMS_SUB" ]
+ then
+ openssl dhparam -out "$DHPARAMS_SUB" 2048
+ fi
+ print_text_in_color "$IGreen" "Certs are generated!"
+ a2ensite "$SUBDOMAIN.conf"
+ restart_webserver
+ # Install OnlyOffice
+ install_and_enable_app onlyoffice
+else
+ last_fail_tls "$SCRIPTS"/apps/onlyoffice.sh
+ exit 1
+fi
+
 # Check if apache2 evasive-mod is enabled and disable it because of compatibility issues
 if [ "$(apache2ctl -M | grep evasive)" != "" ]
 then
@@ -60,11 +83,6 @@ It has compatibility issues with OnlyOffice and you can now choose to disable it
  fi
 fi
 
-# Ask for the domain for OnlyOffice
-SUBDOMAIN=$(input_box_flow "OnlyOffice subdomain e.g: office.yourdomain.com
-NOTE: This domain must be different than your Nextcloud domain. \
-They can however be hosted on the same server, but would require separate DNS entries.")
-
 # Nextcloud Main Domain
 NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||')
 
@@ -75,28 +93,6 @@ source /var/scripts/fetch_lib.sh
 # Get all needed variables from the library
 nc_update
 
-# Notification
-msg_box "Before continuing, please make sure that you have you have \
-edited the DNS settings for $SUBDOMAIN, and opened port 80 and 443 \
-directly to this servers IP. A full extensive guide can be found here:
-https://www.techandme.se/open-port-80-443
-
-This can be done automatically if you have UPNP enabled in your firewall/router. \
-You will be offered to use UPNP in the next step.
-
-PLEASE NOTE:
-Using other ports than the default 80 and 443 is not supported, \
-though it may be possible with some custom modification:
-https://help.nextcloud.com/t/domain-refused-to-connect-collabora/91303/17"
-
-if yesno_box_no "Do you want to use UPNP to open port 80 and 443?"
-then
- unset FAIL
- open_port 80 TCP
- open_port 443 TCP
- cleanup_open_port
-fi
-
 # Get the latest packages
 apt-get update -q4 & spinner_loading
 
@@ -115,14 +111,6 @@ sudo bash onlyoffice_docker.sh"
  exit 1
 fi
 
-# Check if $SUBDOMAIN exists and is reachable
-print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
-domain_check_200 "$SUBDOMAIN"
-
-# Check open ports with NMAP
-check_open_port 80 "$SUBDOMAIN"
-check_open_port 443 "$SUBDOMAIN"
-
 # Test RAM size (2GB min) + CPUs (min 2)
 ram_check 2 OnlyOffice
 cpu_check 2 OnlyOffice
@@ -226,27 +214,6 @@ HTTPS_CREATE
  fi
 fi
 
-# Install certbot (Let's Encrypt)
-install_certbot
-
-# Generate certs
-if generate_cert "$SUBDOMAIN"
-then
- # Generate DHparams cipher
- if [ ! -f "$DHPARAMS_SUB" ]
- then
- openssl dhparam -out "$DHPARAMS_SUB" 2048
- fi
- print_text_in_color "$IGreen" "Certs are generated!"
- a2ensite "$SUBDOMAIN.conf"
- restart_webserver
- # Install OnlyOffice
- install_and_enable_app onlyoffice
-else
- last_fail_tls "$SCRIPTS"/apps/onlyoffice.sh
- exit 1
-fi
-
 # Set config for OnlyOffice
 if [ -d "$NC_APPS_PATH"/onlyoffice ]
 then

lib.sh

@@ -850,6 +850,27 @@ to validate them with the $f method. We have exhausted all the methods. Please c
 done
 }
 
+# Let the user choose to setup a specific app with either deSEC, or regular TLS.
+# desec_app_tls_menu "DESEC collabora_docker_desec.sh" "APP collabora_docker.sh"
+desec_app_tls_menu() {
+choice=$(whiptail --title "$TITLE" --menu \
+"Choose TLS setup. Please note, to run the deSEC option, deSEC needs to be configured and setup already.\n
+$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \
+"deSEC TLS setup" "(If you configured deSEC already. Works with custom port.)" \
+"Regular TLS setup" "(If deSEC isn't installed, setup normal TLS)" 3>&1 1>&2 2>&3)
+
+case "$choice" in
+ "deSEC TLS setup")
+ run_script "${1}"
+ ;;
+ "Regular TLS setup")
+ run_script "${2}"
+ ;;
+ *)
+ ;;
+esac
+}
+
 is_desec_installed() {
 # Check if deSEC is installed and add the needed variables if yes
 if [ -f "$SCRIPTS"/deSEC/.dedynauth ]

menu/additional_apps.sh

@@ -125,7 +125,7 @@ to finish the setup once this script is done." "$SUBTITLE"
  ;;&
  *"Talk"*)
  print_text_in_color "$ICyan" "Downloading the Talk script..."
- run_script APP talk
+ desec_app_tls_menu "DESEC talk_desec" "APP talk"
  ;;&
  *"Webmin"*)
  print_text_in_color "$ICyan" "Downloading the Webmin script..."