Mr.Green

สร้าง บันทึกและแบ่งปัน

พิมพ์ค้นหาบทความได้ในช่องค้นหา

Install Nextcloud 18 using one script only

เป็นบทความที่เก่ามากแล้ว แหล่งฉบับที่ได้มาตอนนี้ link หายไปแล้ว แต่ ยังเก็บไว็ เพื่อไว้ศึกษาเป็นแนวทางในการใช้คำสั่ง แต่ละคำสั่ง ไม่แน่ใจว่าระบบปฎิบัติการใช้ตัวไหน ระหว่าง Debian กับ Ubuntu 18.04 แต่ คำสั่งต่างๆๆ ส่วนมากคล้ายกันและมาใช้งานแทนกันในบางตัว แต่ถ้าดูในสคริปต์ น่าจะเป็น Ubuntu 18.04

#!/bin/bash
# (c) Carsten Rieger IT-Services (Ubuntu 18.04) 14.03.2020
# Nextcloud 18
# PHP 7.4
#########################################################
# Donatations are really appreciated
# => https://paypal.me/carstenrieger
#########################################################
###global function to update and cleanup the environment
function update_and_clean() {
apt update
apt upgrade -y
apt autoclean -y
apt autoremove -y
}
###global function to restart all cloud services
function restart_all_services() {
/usr/sbin/service nginx restart
/usr/sbin/service mysql restart
/usr/sbin/service redis-server restart
/usr/sbin/service php7.4-fpm restart
}
###global function to scan Nextcloud data and generate an overview for fail2ban & ufw
function nextcloud_scan_data() {
sudo -u www-data php /var/www/nextcloud/occ files:scan –all
sudo -u www-data php /var/www/nextcloud/occ files:scan-app-data
fail2ban-client status nextcloud
ufw status verbose
}
### START ###
apt install gnupg gnupg2 lsb-release wget curl -y
###prepare the server environment
cd /etc/apt/sources.list.d
echo “deb [arch=amd64,arm64] http://ppa.launchpad.net/ondrej/php/ubuntu $(lsb_release -cs) main” | tee php.list
echo “deb [arch=amd64,arm64] http://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx” | tee nginx.list
echo “deb [arch=amd64,arm64] http://ftp.hosteurope.de/mirror/mariadb.org/repo/10.4/ubuntu $(lsb_release -cs) main” | tee mariadb.list
###
curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add –
apt-key adv –recv-keys –keyserver hkps://keyserver.ubuntu.com:443 4F4EA0AAE5267A6C
apt-key adv –recv-keys –keyserver hkps://keyserver.ubuntu.com:443 0xF1656F24C74CD1D8
update_and_clean
apt install software-properties-common zip unzip screen git wget ffmpeg libfile-fcntllock-perl locate ghostscript tree htop -y
apt remove nginx nginx-common nginx-full -y –allow-change-held-packages
###instal NGINX using TLSv1.3, OpenSSL 1.1.1
update_and_clean
apt install nginx -y
###enable NGINX autostart
systemctl enable nginx.service
### prepare the NGINX
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak && touch /etc/nginx/nginx.conf
cat </etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
use epoll;
}
http {
server_names_hash_bucket_size 64;
upstream php-handler {
server unix:/run/php/php7.4-fpm.sock;
}
set_real_ip_from 127.0.0.1;
# set_real_ip_from 192.168.2.0/24;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
#include /etc/nginx/proxy.conf;
#include /etc/nginx/ssl.conf;
#include /etc/nginx/header.conf;
#include /etc/nginx/optimization.conf;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver 127.0.0.53 valid=30s;
resolver_timeout 5s;
include /etc/nginx/conf.d/*.conf;
}
EOF
###restart NGINX
/usr/sbin/service nginx restart
###create folders
mkdir -p /var/www/letsencrypt /etc/letsencrypt/rsa-certs /etc/letsencrypt/ecc-certs
###apply permissions
chown -R www-data:www-data /var/www
###install PHP – Backup default files
apt install php7.4-fpm php7.4-gd php7.4-mysql php7.4-curl php7.4-xml php7.4-zip php7.4-intl php7.4-mbstring php7.4-json php7.4-bz2 php7.4-ldap php-apcu imagemagick php-imagick -y
cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.conf.bak
cp /etc/php/7.4/cli/php.ini /etc/php/7.4/cli/php.ini.bak
cp /etc/php/7.4/fpm/php.ini /etc/php/7.4/fpm/php.ini.bak
cp /etc/php/7.4/fpm/php-fpm.conf /etc/php/7.4/fpm/php-fpm.conf.bak
cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
###PHP Mods: www.conf
sed -i “s/;env\[HOSTNAME\] = /env[HOSTNAME] = /” /etc/php/7.4/fpm/pool.d/www.conf
sed -i “s/;env\[TMP\] = /env[TMP] = /” /etc/php/7.4/fpm/pool.d/www.conf
sed -i “s/;env\[TMPDIR\] = /env[TMPDIR] = /” /etc/php/7.4/fpm/pool.d/www.conf
sed -i “s/;env\[TEMP\] = /env[TEMP] = /” /etc/php/7.4/fpm/pool.d/www.conf
sed -i “s/;env\[PATH\] = /env[PATH] = /” /etc/php/7.4/fpm/pool.d/www.conf
sed -i “s/pm.max_children =.*/pm.max_children = 120/” /etc/php/7.4/fpm/pool.d/www.conf
sed -i “s/pm.start_servers =.*/pm.start_servers = 12/” /etc/php/7.4/fpm/pool.d/www.conf
sed -i “s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/” /etc/php/7.4/fpm/pool.d/www.conf
sed -i “s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/” /etc/php/7.4/fpm/pool.d/www.conf
sed -i “s/;pm.max_requests =.*/pm.max_requests = 1000/” /etc/php/7.4/fpm/pool.d/www.conf
###PHP Mods: cli/php.ini
sed -i “s/output_buffering =.*/output_buffering = ‘Off’/” /etc/php/7.4/cli/php.ini
sed -i “s/max_execution_time =.*/max_execution_time = 3600/” /etc/php/7.4/cli/php.ini
sed -i “s/max_input_time =.*/max_input_time = 3600/” /etc/php/7.4/cli/php.ini
sed -i “s/post_max_size =.*/post_max_size = 102400M/” /etc/php/7.4/cli/php.ini
sed -i “s/upload_max_filesize =.*/upload_max_filesize = 102400M/” /etc/php/7.4/cli/php.ini
sed -i “s/;date.timezone.*/date.timezone = Asia\/\Bangkok/” /etc/php/7.4/cli/php.ini
###PHP Mods: fpm/php.ini
sed -i “s/memory_limit = 128M/memory_limit = 512M/” /etc/php/7.4/fpm/php.ini
sed -i “s/output_buffering =.*/output_buffering = ‘Off’/” /etc/php/7.4/fpm/php.ini
sed -i “s/max_execution_time =.*/max_execution_time = 3600/” /etc/php/7.4/fpm/php.ini
sed -i “s/max_input_time =.*/max_input_time = 3600/” /etc/php/7.4/fpm/php.ini
sed -i “s/post_max_size =.*/post_max_size = 102400M/” /etc/php/7.4/fpm/php.ini
sed -i “s/upload_max_filesize =.*/upload_max_filesize = 102400M/” /etc/php/7.4/fpm/php.ini
sed -i “s/;date.timezone.*/date.timezone = Asia\/\Bangkok/” /etc/php/7.4/fpm/php.ini
sed -i “s/;session.cookie_secure.*/session.cookie_secure = True/” /etc/php/7.4/fpm/php.ini
sed -i “s/;opcache.enable=.*/opcache.enable=1/” /etc/php/7.4/fpm/php.ini
sed -i “s/;opcache.enable_cli=.*/opcache.enable_cli=1/” /etc/php/7.4/fpm/php.ini
sed -i “s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/” /etc/php/7.4/fpm/php.ini
sed -i “s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/” /etc/php/7.4/fpm/php.ini
sed -i “s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/” /etc/php/7.4/fpm/php.ini
sed -i “s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/” /etc/php/7.4/fpm/php.ini
sed -i “s/;opcache.save_comments=.*/opcache.save_comments=1/” /etc/php/7.4/fpm/php.ini
sed -i “$aapc.enable_cli=1” /etc/php/7.4/mods-available/apcu.ini
### Solution for ImageMagick errors
sed -i “s/rights=\”none\” pattern=\”PS\”/rights=\”read|write\” pattern=\”PS\”/” /etc/ImageMagick-6/policy.xml
sed -i “s/rights=\”none\” pattern=\”EPI\”/rights=\”read|write\” pattern=\”EPI\”/” /etc/ImageMagick-6/policy.xml
sed -i “s/rights=\”none\” pattern=\”PDF\”/rights=\”read|write\” pattern=\”PDF\”/” /etc/ImageMagick-6/policy.xml
sed -i “s/rights=\”none\” pattern=\”XPS\”/rights=\”read|write\” pattern=\”XPS\”/” /etc/ImageMagick-6/policy.xml
ln -s /usr/local/bin/gs /usr/bin/gs
###restart PHP and NGINX
/usr/sbin/service php7.4-fpm restart
/usr/sbin/service nginx restart
###install MariaDB
apt update && apt install mariadb-server -y
/usr/sbin/service mysql stop
###configure MariaDB
mv /etc/mysql/my.cnf /etc/mysql/my.cnf.bak
cat </etc/mysql/my.cnf
[client]
default-character-set = utf8mb4
port = 3306
[mysqld_safe]
log_error=/var/log/mysql/mysql_error.log
nice = 0
socket = /var/run/mysqld/mysqld.sock
[mysqld]
basedir = /usr
bind-address = 127.0.0.1
binlog_format = ROW
bulk_insert_buffer_size = 16M
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
concurrent_insert = 2
connect_timeout = 5
datadir = /var/lib/mysql
default_storage_engine = InnoDB
expire_logs_days = 10
general_log_file = /var/log/mysql/mysql.log
general_log = 0
innodb_buffer_pool_size = 1024M
innodb_buffer_pool_instances = 1
innodb_flush_log_at_trx_commit = 2
innodb_log_buffer_size = 32M
innodb_max_dirty_pages_pct = 90
innodb_file_per_table = 1
innodb_open_files = 400
innodb_io_capacity = 4000
innodb_flush_method = O_DIRECT
key_buffer_size = 128M
lc_messages_dir = /usr/share/mysql
lc_messages = en_US
log_bin = /var/log/mysql/mariadb-bin
log_bin_index = /var/log/mysql/mariadb-bin.index
log_error = /var/log/mysql/mysql_error.log
log_slow_verbosity = query_plan
log_warnings = 2
long_query_time = 1
max_allowed_packet = 16M
max_binlog_size = 100M
max_connections = 200
max_heap_table_size = 64M
myisam_recover_options = BACKUP
myisam_sort_buffer_size = 512M
port = 3306
pid-file = /var/run/mysqld/mysqld.pid
query_cache_limit = 2M
query_cache_size = 64M
query_cache_type = 1
query_cache_min_res_unit = 2k
read_buffer_size = 2M
read_rnd_buffer_size = 1M
skip-external-locking
skip-name-resolve
slow_query_log_file = /var/log/mysql/mariadb-slow.log
slow-query-log = 1
socket = /var/run/mysqld/mysqld.sock
sort_buffer_size = 4M
table_open_cache = 400
thread_cache_size = 128
tmp_table_size = 64M
tmpdir = /tmp
transaction_isolation = READ-COMMITTED
user = mysql
wait_timeout = 600
[mysqldump]
max_allowed_packet = 16M
quick
quote-names
[isamchk]
key_buffer = 16M
EOF
/usr/sbin/service mysql restart
###restart MariaDB server and connect to MariaDB to create the database
/usr/sbin/service mysql restart && mysql -uroot <<EOF
CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER plangxxxx@localhost identified by ‘Ployxx40’;
GRANT ALL PRIVILEGES on nextcloud.* to plang2xx@localhost;
FLUSH privileges;
EOF
clear
echo “”
echo ” Your database server will now be hardened – just follow the instructions.”
echo ” Keep in mind: your MariaDB root password is still NOT set!”
echo “”
###harden your MariDB server
mysql_secure_installation
update_and_clean
###install Redis-Server
apt install redis-server php-redis -y
cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
sed -i “s/port 6379/port 0/” /etc/redis/redis.conf
sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
sed -i “s/unixsocketperm 700/unixsocketperm 770/” /etc/redis/redis.conf
sed -i “s/# maxclients 10000/maxclients 512/” /etc/redis/redis.conf
usermod -a -G redis www-data
cp /etc/sysctl.conf /etc/sysctl.conf.bak && sed -i ‘$avm.overcommit_memory = 1’ /etc/sysctl.conf
###install self signed certificates
apt install ssl-cert -y
###prepare NGINX for Nextcloud and SSL
[ -f /etc/nginx/conf.d/default.conf ] && mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
touch /etc/nginx/conf.d/default.conf
cat </etc/nginx/conf.d/nextcloud.conf
server {
server_name 61.19.202.190;
listen 80 default_server;
listen [::]:80 default_server;
location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_set_header Host \$host;
}
location / {
return 301 https://\$host\$request_uri;
}
}
server {
server_name 61.19.202.190;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
root /var/www/nextcloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 \$scheme://\$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 \$scheme://\$host/remote.php/dav;
}
#SOCIAL app enabled? Please uncomment the following row
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
#WEBFINGER app enabled? Please uncomment the following two rows.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
client_max_body_size 10240M;
location / {
rewrite ^ /index.php;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ^~ /apps/rainloop/app/data {
deny all;
}
location ~ \.(?:flv|mp4|mov|m4a)\$ {
mp4;
mp4_buffer_size 100M;
mp4_max_buffer_size 1024M;
fastcgi_split_path_info ^(.+?.php)(\/.*|)\$;
set \$path_info \$fastcgi_path_info;
try_files \$fastcgi_script_name =404;
include fastcgi_params;
include php_optimization.conf;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+).php(?:$|\/) {
fastcgi_split_path_info ^(.+?.php)(\/.*|)\$;
set \$path_info \$fastcgi_path_info;
try_files \$fastcgi_script_name =404;
include fastcgi_params;
include php_optimization.conf;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:\$|\/) {
try_files \$uri/ =404;
index index.php;
}
location ~ .(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)\$ {
try_files \$uri /index.php\$request_uri;
access_log off;
expires 360d;
}
}
EOF
###create a Let’s Encrypt vhost file
touch /etc/nginx/conf.d/letsencrypt.conf
cat </etc/nginx/conf.d/letsencrypt.conf
server
{
server_name 127.0.0.1;
listen 127.0.0.1:81 default_server;
charset utf-8;
location ^~ /.well-known/acme-challenge
{
default_type text/plain;
root /var/www/letsencrypt;
}
}
EOF
###create a ssl configuration file
touch /etc/nginx/ssl.conf
cat </etc/nginx/ssl.conf
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_trusted_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m;
ssl_session_tickets off; ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ‘TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384’;
ssl_ecdh_curve X448:secp521r1:secp384r1:prime256v1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
EOF
###add a default dhparam.pem file // https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
touch /etc/ssl/certs/dhparam.pem
cat </etc/ssl/certs/dhparam.pem
—–BEGIN DH PARAMETERS—–
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
—–END DH PARAMETERS—–
EOF
###create a proxy configuration file
touch /etc/nginx/proxy.conf
cat </etc/nginx/proxy.conf
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-Host \$host;
proxy_set_header X-Forwarded-Protocol \$scheme;
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_set_header X-Forwarded-Port \$server_port;
proxy_set_header X-Forwarded-Server \$host;
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
proxy_redirect off;
EOF
###create a header configuration file
touch /etc/nginx/header.conf
cat </etc/nginx/header.conf
add_header Strict-Transport-Security “max-age=15768000; includeSubDomains; preload;”;
add_header X-Robots-Tag none always;
add_header X-Download-Options noopen always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header X-Content-Type-Options “nosniff” always;
add_header X-XSS-Protection “1; mode=block” always;
add_header Referrer-Policy “no-referrer” always;
add_header X-Frame-Options “SAMEORIGIN” always;
EOF
###create a nginx optimization file
touch /etc/nginx/optimization.conf
cat </etc/nginx/optimization.conf
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
fastcgi_buffers 64 64K;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 3840K;
fastcgi_cache_key \$http_cookie\$request_method\$host\$request_uri;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
gzip_disable “MSIE [1-6]\.”;
EOF
###create a nginx php optimization file
touch /etc/nginx/php_optimization.conf
cat </etc/nginx/php_optimization.conf
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_param PATH_INFO \$path_info;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_param HTTPS on;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_cache_valid 404 1m;
fastcgi_cache_valid any 1h;
fastcgi_cache_methods GET HEAD;
EOF
###enable all nginx configuration files
sed -i s/\#\include/\include/g /etc/nginx/nginx.conf
sed -i “s/server_name 61.19.202.190;/server_name $(hostname);/” /etc/nginx/conf.d/nextcloud.conf
###create Nextclouds cronjob
(crontab -u www-data -l ; echo “*/5 * * * * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1”) | crontab -u www-data –
###restart NGINX
/usr/sbin/service nginx restart
###Download Nextclouds latest release and extract it
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
tar -xjf latest.tar.bz2 -C /var/www
###apply permissions
chown -R www-data:www-data /var/www/
###remove the Nextcloud sources
rm -f latest.tar.bz2
###update and restart all sources and services
update_and_clean
restart_all_services
clear
echo “++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++”
echo “Nextcloud-Administrator and password – Attention: password is case-sensitive:”
echo “++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++”
echo “”
echo “Your Nextcloud-DB user: plang2544”
echo “”
echo “Your Nextcloud-DB password: Ploy2540”
echo “”
read -p “Enter your Nextcloud Administrator: ” NEXTCLOUDADMINUSER
echo “Your Nextcloud Administrator: “$NEXTCLOUDADMINUSER
echo “”
read -p “Enter your Nextcloud Administrator password: ” NEXTCLOUDADMINUSERPASSWORD
echo “Your Nextcloud Administrator password: “$NEXTCLOUDADMINUSERPASSWORD
echo “”
while [[ $NEXTCLOUDDATAPATH == ” ]]
do
read -p “Enter your absolute Nextcloud datapath (/your/path): ” NEXTCLOUDDATAPATH
if [[ -z “$NEXTCLOUDDATAPATH” ]]; then
echo “datapath must not be empty!”
echo””
else
echo “Your Nextcloud datapath: “$NEXTCLOUDDATAPATH
fi
done
if [[ ! -e $NEXTCLOUDDATAPATH ]];
then
mkdir -p $NEXTCLOUDDATAPATH
fi
chown -R www-data:www-data $NEXTCLOUDDATAPATH
echo “++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++”
echo “”
echo “Your NEXTCLOUD will now be installed silently – please be patient …”
echo “”
###NEXTCLOUD INSTALLATION
sudo -u www-data php /var/www/nextcloud/occ maintenance:install –database “mysql” –database-name nextcloud –database-user plang2544 –database-pass Ploy2540 –admin-user “$NEXTCLOUDADMINUSER” –admin-pass “$NEXTCLOUDADMINUSERPASSWORD” –data-dir “$NEXTCLOUDDATAPATH”
###read and store the current hostname in lowercases
declare -l YOURSERVERNAME
YOURSERVERNAME=$(hostname)
###Modifications to Nextclouds config.php
sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 0 –value=$YOURSERVERNAME
sudo -u www-data php /var/www/nextcloud/occ config:system:set overwrite.cli.url –value=https://$YOURSERVERNAME
echo “”
echo “++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++”
###backup of the effected file .user.ini
cp /var/www/nextcloud/.user.ini /usr/local/src/.user.ini.bak
###apply Nextcloud optimizations
sudo -u www-data sed -i “s/output_buffering=.*/output_buffering=’Off’/” /var/www/nextcloud/.user.ini
sudo -u www-data php /var/www/nextcloud/occ background:cron
###apply optimizations to Nextclouds global config.php
sed -i ‘/);/d’ /var/www/nextcloud/config/config.php
cat <>/var/www/nextcloud/config/config.php
‘activity_expire_days’ => 14,
‘auth.bruteforce.protection.enabled’ => true,
‘blacklisted_files’ =>
array (
0 => ‘.htaccess’,
1 => ‘Thumbs.db’,
2 => ‘thumbs.db’,
),
‘cron_log’ => true,
‘enable_previews’ => true,
‘enabledPreviewProviders’ =>
array (
0 => ‘OC\\Preview\\PNG’,
1 => ‘OC\\Preview\\JPEG’,
2 => ‘OC\\Preview\\GIF’,
3 => ‘OC\\Preview\\BMP’,
4 => ‘OC\\Preview\\XBitmap’,
5 => ‘OC\\Preview\\Movie’,
6 => ‘OC\\Preview\\PDF’,
7 => ‘OC\\Preview\\MP3’,
8 => ‘OC\\Preview\\TXT’,
9 => ‘OC\\Preview\\MarkDown’,
),
‘filesystem_check_changes’ => 0,
‘filelocking.enabled’ => ‘true’,
‘htaccess.RewriteBase’ => ‘/’,
‘integrity.check.disabled’ => false,
‘knowledgebaseenabled’ => false,
‘log_rotate_size’ => 104857600,
‘logfile’ => ‘$NEXTCLOUDDATAPATH/nextcloud.log’,
‘logtimezone’ => ‘Europe/Berlin’,
‘memcache.local’ => ‘\\OC\\Memcache\\APCu’,
‘memcache.locking’ => ‘\\OC\\Memcache\\Redis’,
‘preview_max_x’ => 1024,
‘preview_max_y’ => 768,
‘preview_max_scale_factor’ => 1,
‘redis’ =>
array (
‘host’ => ‘/var/run/redis/redis-server.sock’,
‘port’ => 0,
‘timeout’ => 0.0,
),
‘quota_include_external_storage’ => false,
‘share_folder’ => ‘/Shares’,
‘skeletondirectory’ => ”,
‘trashbin_retention_obligation’ => ‘auto, 7’,
);
EOF
sed -i “s/.*dbhost.*/\ \ ‘dbhost\’ \=\>\ \’localhost\:\/var\/run\/mysqld\/mysqld\.sock\’\,/g” /var/www/nextcloud/config/config.php
###remove leading whitespaces
sed -i ‘s/^[ ]*//’ /var/www/nextcloud/config/config.php
chown -R www-data:www-data /var/www
restart_all_services
update_and_clean
###install fail2ban
apt install fail2ban -y
###create a fail2ban Nextcloud filter
touch /etc/fail2ban/filter.d/nextcloud.conf
cat </etc/fail2ban/filter.d/nextcloud.conf
[Definition]
failregex=^{“reqId”:”.*”,”remoteAddr”:”.*”,”app”:”core”,”message”:”Login failed: ‘.*’ \(Remote IP: ”\)”,”level”:2,”time”:”.*”}$
^{“reqId”:”.*”,”level”:2,”time”:”.*”,”remoteAddr”:”.*”,”user,:”.*”,”app”:”no app in context”.*”,”method”:”.*”,”message”:”Login failed: ‘.*’ \(Remote IP: ”\)”.*}$
^{“reqId”:”.*”,”level”:2,”time”:”.*”,”remoteAddr”:”.*”,”user”:”.*”,”app”:”.*”,”method”:”.*”,”url”:”.*”,”message”:”Login failed: .* \(Remote IP: \).*}$
EOF
###create a fail2ban Nextcloud jail
touch /etc/fail2ban/jail.d/nextcloud.local
cat </etc/fail2ban/jail.d/nextcloud.local
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
bantime = 3600
findtime = 3600
logpath = $NEXTCLOUDDATAPATH/nextcloud.log
[nginx-http-auth]
enabled = true
EOF
update_and_clean
###install ufw
apt install ufw -y
###open firewall ports 80+443 for http(s)
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 3316/tcp
###open firewall port 22 for SSH
ufw allow 22/tcp
###enable UFW (autostart)
ufw logging medium && ufw default deny incoming && ufw enable
###restart fail2ban, ufw and redis-server services
/usr/sbin/service ufw restart
/usr/sbin/service fail2ban restart
/usr/sbin/service redis-server restart
sudo -u www-data php /var/www/nextcloud/occ app:disable survey_client
sudo -u www-data php /var/www/nextcloud/occ app:disable firstrunwizard
sudo -u www-data php /var/www/nextcloud/occ app:enable admin_audit
sudo -u www-data php /var/www/nextcloud/occ app:enable files_pdfviewer
###clean up redis-server
redis-cli -s /var/run/redis/redis-server.sock <<EOF
FLUSHALL
quit
EOF
###Nextcloud occ db:… (maintenance/optimization)
/usr/sbin/service nginx stop
clear
echo “———————————“
echo “Issue Nextcloud-DB optimizations!”
echo “———————————“
echo “Press ‘y’ to issue optimizations.”
echo “———————————“
echo “”
sudo -u www-data php /var/www/nextcloud/occ db:add-missing-indices
sudo -u www-data php /var/www/nextcloud/occ db:convert-filecache-bigint
echo ” “
echo ” The document server will be downloaded – please be patient (~ 300MB) …”
echo ” “
sudo -u www-data php /var/www/nextcloud/occ security:certificates:import /etc/ssl/certs/ssl-cert-snakeoil.pem
sudo -u www-data php /var/www/nextcloud/occ app:install documentserver_community
echo ” The document server will be enabled…”
sudo -u www-data php /var/www/nextcloud/occ app:enable documentserver_community
echo ” “
echo ” The Onlyoffice app will be downloaded – please be patient …”
sudo -u www-data php /var/www/nextcloud/occ app:install onlyoffice
echo ” “
echo ” The Onlyoffice app will be enabled …”
sudo -u www-data php /var/www/nextcloud/occ app:enable onlyoffice
echo ” “
###rescan Nextcloud data
nextcloud_scan_data
restart_all_services
### issue the cron.php once
sudo -u www-data php /var/www/nextcloud/cron.php
clear
echo “”
echo “+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++”
echo “”
echo ” Open your browser and call your Nextcloud at”
echo “”
echo ” https://$YOURSERVERNAME”
echo “”
echo “*******************************************************************************”
echo “Your Nextcloud DB data : nextcloud | nextcloud”
echo “”
echo “Your Nextcloud User : “$NEXTCLOUDADMINUSER
echo “Your Nextcloud Password: “$NEXTCLOUDADMINUSERPASSWORD
echo “Your Nextcloud datapath: “$NEXTCLOUDDATAPATH
echo “”
echo “+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++”
echo “”
echo ” I do strongly recommend to enhance the server security by re-creating”
echo ” the dhparam.pem file:”
echo “”
echo ” openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096″
echo “”
echo ” https://www.c-rieger.de/nextcloud-installationsanleitung/#dhparamfile”
echo “”
echo “+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++”
echo “”
### CleanUp
cat /dev/null > ~/.bash_history && history -c && history -w
exit 0
chmod +x install.sh
./install.sh
https://riegers.in/install-nextcloud-18-using-one-script-only/
Tags:  

Leave a Reply

Your email address will not be published. Required fields are marked *