diff options
Diffstat (limited to '.homeinstall')
| -rw-r--r-- | .homeinstall/README.md | 56 | ||||
| -rwxr-xr-x | .homeinstall/hubzilla-setup.sh | 656 | ||||
| -rw-r--r-- | .homeinstall/nginx-zotserver.conf.template | 144 | ||||
| -rw-r--r-- | .homeinstall/zotserver-config.txt.template (renamed from .homeinstall/hubzilla-config.txt.template) | 29 | ||||
| -rwxr-xr-x | .homeinstall/zotserver-setup.sh | 793 |
5 files changed, 985 insertions, 693 deletions
diff --git a/.homeinstall/README.md b/.homeinstall/README.md index 1ed2e07d2..e2c345969 100644 --- a/.homeinstall/README.md +++ b/.homeinstall/README.md @@ -1,9 +1,10 @@ + # How to use ## Disclaimers - This script does work with Debian 10 only. -- This script has to be used on a fresh debian install only (it does not take account for a possibly already installed and configured webserver or sql implementation). +- This script has to be used on a fresh debian install only (it does not take account for a possibly already installed and configured webserver or sql implementation). You may use it to install several hub/instances on the same server, though. ## Preconditions @@ -15,9 +16,12 @@ Hardware Software -+ Fresh installation of Debian 10 (Stretch) ++ Fresh installation of Debian 10 (Buster) + Router with open ports 80 and 443 for your web server +You can of course run the script on a VPS or any distant server as long as the above sotfware requirements are satisfied. + + ## How to run the script + Register your own domain (for example at selfHOST) or a free subdomain (for example at freeDNS) @@ -25,29 +29,29 @@ Software - apt-get install git - mkdir -p /var/www - cd /var/www - - git clone https://framagit.org/hubzilla/core.git html + - git clone https://framagit.org/hubzilla/core.git html (you can replace "html" with any folder name you like, which you'll have to do if you plan to have more than one hub/instance running on your server) - cd html/.homeinstall - - cp hubzilla-config.txt.template hubzilla-config.txt - - nano hubzilla-config.txt + - cp zotserver-config.txt.template zotserver-config.txt + - nano zotserver-config.txt - Read the comments carefully - Enter your values: db pass, domain, values for dyn DNS - Prepare your external disk for backups - - hubzilla-setup.sh as root - - ... wait, wait, wait until the script is finised -+ Open your domain with a browser and step throught the initial configuration of hubzilla. + - ./zotserver-setup.sh as root + - ... wait, wait, wait until the script is finished ++ Open your domain with a browser and step throught the initial configuration of your hub/instance. ## Optional - Set path to imagemagick -In Admin settings of hubzilla or via terminal +In Admin settings of your hub/instance or via terminal - cd /var/www/html + cd /var/www/html (or the custom path you chose) util/config system.imagick_convert_path /usr/bin/convert ## Optional - Switch verification of email on/off -Do this just befor you register the user. +Do this just before you register the first user. -In Admin settings of hubzilla or via terminal +In Admin settings of your hub/instance or via terminal cd /var/www/html @@ -61,18 +65,18 @@ Switch the verification on/off (1/0) ## What the script will do for you... -+ install everything required by Hubzilla, basically a web server (Apache), PHP, a database (MySQL), certbot,... ++ install everything required by your hub/instance, basically a web server (Apache or Nginx), PHP, a database (MySQL), certbot,... + create a database + run certbot to have everything for a secure connection (httpS) + create a script for daily maintenance - backup to external disk (certificates, database, /var/www/) - renew certfificate (letsencrypt) - - update of Hubzilla + - update of your hub/instance (git) - update of Debian - restart + create cron jobs for - DynDNS (selfHOST.de or freedns.afraid.org) every 5 minutes - - Master.php for Zap/Hubzilla every 10 minutes + - Run.php for your hub/instance every 10 minutes - daily maintenance script every day at 05:30 The script is known to work without adjustments with @@ -80,19 +84,12 @@ The script is known to work without adjustments with + Hardware - Mini-PC with Debian 10 (stretch), or - Rapberry 3 with Raspbian, Debian 10 + - Rapberry 4 with Raspbian, Debian 10 + DynDNS - selfHOST.de - freedns.afraid.org -The script can install both [Hubzilla](https://zotlabs.org/page/hubzilla/hubzilla-project) and [Zap](https://zotlabs.com/zap/). Make sure to use the correct GIT repositories. - -+ Hubzilla - - core: git clone https://framagit.org/hubzilla/core.git html (in this readme) - - addons: util/add_addon_repo https://framagit.org/hubzilla/addons.git hzaddons (in hubzilla-setup.sh) -+ Zap - - core: git clone https://framagit.org/zot/zap.git html (in this readme) - - addons: util/add_addon_repo https://framagit.org/zot/zap-addons.git zaddons (in hubzilla-setup.sh) - +The script can install [Hubzilla](https://zotlabs.org/page/hubzilla/hubzilla-project), [Zap](https://zotlabs.com/zap/) and [Mistpark 2020, aka "Misty"](https://zotlabs.com/misty/). Make sure to use the correct GIT repositories. # Step-by-Step - some Details @@ -101,17 +98,17 @@ The script can install both [Hubzilla](https://zotlabs.org/page/hubzilla/hubzill ## Configure your Router -Your web has to be visible in the internet. +Your webserver has to be visible in the internet. Open the ports 80 and 443 on your router for your Debian. Make sure your web server is marked as "exposed host". ## Preparations Dynamic IP Address -Follow the instructions in .homeinstall/hubzilla-config.txt. +Follow the instructions in .homeinstall/zotserver-config.txt. In short... -Your Hubzilla must be reachable by a domain that you can type in your browser +Your Hubzilla server must be reachable by a domain that you can type in your browser cooldomain.org @@ -133,8 +130,6 @@ The cost is 1,50 € per month (2019). ## Note on Rasperry -The script was tested with an Raspberry 3 under Raspian, Debian 10. - It is recommended to run the Raspi without graphical frontend (X-Server). Use... sudo raspi-config @@ -143,5 +138,6 @@ to boot the Rapsi to the client console. DO NOT FORGET TO CHANGE THE DEFAULT PASSWORD FOR USER PI! +## Reminder for Different Web Wervers - +For those of you who feel adventurous enough to use a different web server (i.e. Lighttpd...), don't forget that this script will install Apache or Nginx and that you can only have one web server listening to ports 80 & 443. Also, don't forget to tweak your daily shell script in /var/www/ accordingly. diff --git a/.homeinstall/hubzilla-setup.sh b/.homeinstall/hubzilla-setup.sh deleted file mode 100755 index f1395e8ce..000000000 --- a/.homeinstall/hubzilla-setup.sh +++ /dev/null @@ -1,656 +0,0 @@ -#!/bin/bash -# -# How to use -# ---------- -# -# This file automates the installation of -# - hubzilla: https://zotlabs.org/page/hubzilla/hubzilla-project and -# - zap: https://zotlabs.com/zap/ -# under Debian Linux -# -# 1) Copy the file "hubzilla-config.txt.template" to "hubzilla-config.txt" -# Follow the instuctions there -# -# 2) Switch to user "root" by typing "su -" -# -# 3) Run with "./hubzilla-setup.sh" -# If this fails check if you can execute the script. -# - To make it executable type "chmod +x hubzilla-setup.sh" -# - or run "bash hubzilla-setup.sh" -# -# -# What does this script do basically? -# ----------------------------------- -# -# This file automates the installation of hubzilla under Debian Linux -# - install -# * apache webserer, -# * php, -# * mariadb - the database for hubzilla, -# * adminer, -# * git to download and update addons -# - configure cron -# * "Master.php" for regular background prozesses of hubzilla -# * "apt-get update" and "apt-get dist-upgrade" and "apt-get autoremove" to keep linux up-to-date -# * run command to keep the IP up-to-date > DynDNS provided by selfHOST.de or freedns.afraid.org -# * backup hubzillas database and files (rsync) -# - run letsencrypt to create, register and use a certifacte for https -# -# -# Discussion -# ---------- -# -# Security - password is the same for mysql-server, phpmyadmin and hubzilla db -# - The script runs into installation errors for phpmyadmin if it uses -# different passwords. For the sake of simplicity one singel password. -# -# How to restore from backup -# -------------------------- -# -# Daily backup -# - - - - - - -# -# The installation -# - writes a script /var/www/hubzilla-daily.sh -# - creates a daily cron that runs the hubzilla-daily.sh -# -# hubzilla-daily.sh makes a (daily) backup of all relevant files -# - /var/lib/mysql/ > database -# - /var/www/ > hubzilla/zap from github -# - /etc/letsencrypt/ > certificates -# -# hubzilla-daily.sh writes the backup to an external disk compatible to LUKS+ext4 (see hubzilla-config.txt) -# -# Credits -# ------- -# -# The script is based on Thomas Willinghams script "debian-setup.sh" -# which he used to install the red#matrix. -# -# The documentation for bash is here -# https://www.gnu.org/software/bash/manual/bash.html -# -function check_sanity { - # Do some sanity checking. - print_info "Sanity check..." - if [ $(/usr/bin/id -u) != "0" ] - then - die 'Must be run by root user' - fi - - if [ -f /etc/lsb-release ] - then - die "Distribution is not supported" - fi - if [ ! -f /etc/debian_version ] - then - die "Debian is supported only" - fi - if ! grep -q 'Linux 10' /etc/issue - then - die "Linux 10 (buster) is supported only"x - fi -} - -function check_config { - print_info "config check..." - # Check for required parameters - if [ -z "$db_pass" ] - then - die "db_pass not set in $configfile" - fi - if [ -z "$le_domain" ] - then - die "le_domain not set in $configfile" - fi - # backup is important and should be checked - if [ -n "$backup_device_name" ] - then - if [ ! -d "$backup_mount_point" ] - then - mkdir "$backup_mount_point" - fi - device_mounted=0 - if fdisk -l | grep -i "$backup_device_name.*linux" - then - print_info "ok - filesystem of external device is linux" - if [ -n "$backup_device_pass" ] - then - echo "$backup_device_pass" | cryptsetup luksOpen $backup_device_name cryptobackup - if mount /dev/mapper/cryptobackup /media/hubzilla_backup - then - device_mounted=1 - print_info "ok - could encrypt and mount external backup device" - umount /media/hubzilla_backup - else - print_warn "backup to external device will fail because encryption failed" - fi - cryptsetup luksClose cryptobackup - else - if mount $backup_device_name /media/hubzilla_backup - then - device_mounted=1 - print_info "ok - could mount external backup device" - umount /media/hubzilla_backup - else - print_warn "backup to external device will fail because mount failed" - fi - fi - else - print_warn "backup to external device will fail because filesystem is either not linux or 'backup_device_name' is not correct in $configfile" - fi - if [ $device_mounted == 0 ] - then - die "backup device not ready" - fi - fi -} - -function die { - echo "ERROR: $1" > /dev/null 1>&2 - exit 1 -} - - -function update_upgrade { - print_info "updated and upgrade..." - # Run through the apt-get update/upgrade first. This should be done before - # we try to install any package - apt-get -q -y update && apt-get -q -y dist-upgrade - print_info "updated and upgraded linux" -} - -function check_install { - if [ -z "`which "$1" 2>/dev/null`" ] - then - # export DEBIAN_FRONTEND=noninteractive ... answers from the package - # configuration database - # - q ... without progress information - # - y ... answer interactive questions with "yes" - # DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -q -y install $2 - DEBIAN_FRONTEND=noninteractive apt-get -q -y install $2 - print_info "installed $2 installed for $1" - else - print_warn "$2 already installed" - fi -} - -function nocheck_install { - # export DEBIAN_FRONTEND=noninteractive ... answers from the package configuration database - # - q ... without progress information - # - y ... answer interactive questions with "yes" - # DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -q -y install $2 - # DEBIAN_FRONTEND=noninteractive apt-get --install-suggests -q -y install $1 - DEBIAN_FRONTEND=noninteractive apt-get -q -y install $1 - print_info "installed $1" -} - - -function print_info { - echo -n -e '\e[1;34m' - echo -n $1 - echo -e '\e[0m' -} - -function print_warn { - echo -n -e '\e[1;31m' - echo -n $1 - echo -e '\e[0m' -} - -function stop_hubzilla { - print_info "stopping apache webserver..." - systemctl stop apache2 - print_info "stopping mysql db..." - systemctl stop mariadb -} - -function install_apache { - print_info "installing apache..." - nocheck_install "apache2 apache2-utils" - a2enmod rewrite - systemctl restart apache2 -} - -function install_imagemagick { - print_info "installing imagemagick..." - nocheck_install "imagemagick" -} - -function install_curl { - print_info "installing curl..." - nocheck_install "curl" -} - -function install_wget { - print_info "installing wget..." - nocheck_install "wget" -} - -function install_sendmail { - print_info "installing sendmail..." - nocheck_install "sendmail sendmail-bin" -} - -function install_php { - # openssl and mbstring are included in libapache2-mod-php - print_info "installing php..." - nocheck_install "libapache2-mod-php php php-pear php-curl php-gd php-mysqli php-mbstring php-xml php-zip" - sed -i "s/^upload_max_filesize =.*/upload_max_filesize = 100M/g" /etc/php/7.3/apache2/php.ini - sed -i "s/^post_max_size =.*/post_max_size = 100M/g" /etc/php/7.3/apache2/php.ini -} - -function install_mysql { - print_info "installing mysql..." - if [ -z "$mysqlpass" ] - then - die "mysqlpass not set in $configfile" - fi - if type mysql ; then - echo "Yes, mysql is installed" - else - echo "mariadb-server" - nocheck_install "mariadb-server" - systemctl status mariadb - systemctl start mariadb - mysql --user=root <<_EOF_ -UPDATE mysql.user SET Password=PASSWORD('${db_root_password}') WHERE User='root'; -DELETE FROM mysql.user WHERE User=''; -DROP DATABASE IF EXISTS test; -DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'; -FLUSH PRIVILEGES; -_EOF_ - fi -} - -function install_adminer { - print_info "installing adminer..." - nocheck_install "adminer" - if [ ! -f /etc/adminer/adminer.conf ] - then - echo "Alias /adminer /usr/share/adminer/adminer" > /etc/adminer/adminer.conf - ln -s /etc/adminer/adminer.conf /etc/apache2/conf-available/adminer.conf - else - print_info "file /etc/adminer/adminer.conf exists already" - fi - - a2enmod rewrite - - if [ ! -f /etc/apache2/apache2.conf ] - then - die "could not find file /etc/apache2/apache2.conf" - fi - sed -i \ - "s/AllowOverride None/AllowOverride all/" \ - /etc/apache2/apache2.conf - - a2enconf adminer - systemctl restart mariadb - systemctl reload apache2 -} - -function create_hubzilla_db { - print_info "creating hubzilla database..." - if [ -z "$hubzilla_db_name" ] - then - die "hubzilla_db_name not set in $configfile" - fi - if [ -z "$hubzilla_db_user" ] - then - die "hubzilla_db_user not set in $configfile" - fi - if [ -z "$hubzilla_db_pass" ] - then - die "hubzilla_db_pass not set in $configfile" - fi - systemctl restart mariadb - Q1="CREATE DATABASE IF NOT EXISTS $hubzilla_db_name;" - Q2="GRANT USAGE ON *.* TO $hubzilla_db_user@localhost IDENTIFIED BY '$hubzilla_db_pass';" - Q3="GRANT ALL PRIVILEGES ON $hubzilla_db_name.* to $hubzilla_db_user@localhost identified by '$hubzilla_db_pass';" - Q4="FLUSH PRIVILEGES;" - SQL="${Q1}${Q2}${Q3}${Q4}" - mysql -uroot -p$phpmyadminpass -e "$SQL" -} - -function run_freedns { - print_info "run freedns (dynamic IP)..." - if [ -z "$freedns_key" ] - then - print_info "freedns was not started because 'freedns_key' is empty in $configfile" - else - if [ -n "$selfhost_user" ] - then - die "You can not use freeDNS AND selfHOST for dynamic IP updates ('freedns_key' AND 'selfhost_user' set in $configfile)" - fi - wget --no-check-certificate -O - https://freedns.afraid.org/dynamic/update.php?$freedns_key - fi -} - -function install_run_selfhost { - print_info "install and start selfhost (dynamic IP)..." - if [ -z "$selfhost_user" ] - then - print_info "selfHOST was not started because 'selfhost_user' is empty in $configfile" - else - if [ -n "$freedns_key" ] - then - die "You can not use freeDNS AND selfHOST for dynamic IP updates ('freedns_key' AND 'selfhost_user' set in $configfile)" - fi - if [ -z "$selfhost_pass" ] - then - die "selfHOST was not started because 'selfhost_pass' is empty in $configfile" - fi - if [ ! -d $selfhostdir ] - then - mkdir $selfhostdir - fi - # the old way - # https://carol.selfhost.de/update?username=123456&password=supersafe - # - # the prefered way - wget --output-document=$selfhostdir/$selfhostscript http://jonaspasche.de/selfhost-updater - echo "router" > $selfhostdir/device - echo "$selfhost_user" > $selfhostdir/user - echo "$selfhost_pass" > $selfhostdir/pass - bash $selfhostdir/$selfhostscript update - fi -} - -function ping_domain { - print_info "ping domain $domain..." - # Is the domain resolved? Try to ping 6 times à 10 seconds - COUNTER=0 - for i in {1..6} - do - print_info "loop $i for ping -c 1 $domain ..." - if ping -c 4 -W 1 $le_domain - then - print_info "$le_domain resolved" - break - else - if [ $i -gt 5 ] - then - die "Failed to: ping -c 1 $domain not resolved" - fi - fi - sleep 10 - done - sleep 5 -} - -function configure_cron_freedns { - print_info "configure cron for freedns..." - if [ -z "$freedns_key" ] - then - print_info "freedns is not configured because freedns_key is empty in $configfile" - else - # Use cron for dynamich ip update - # - at reboot - # - every 30 minutes - if [ -z "`grep 'freedns.afraid.org' /etc/crontab`" ] - then - echo "@reboot root https://freedns.afraid.org/dynamic/update.php?$freedns_key > /dev/null 2>&1" >> /etc/crontab - echo "*/30 * * * * root wget --no-check-certificate -O - https://freedns.afraid.org/dynamic/update.php?$freedns_key > /dev/null 2>&1" >> /etc/crontab - else - print_info "cron for freedns was configured already" - fi - fi -} - -function configure_cron_selfhost { - print_info "configure cron for selfhost..." - if [ -z "$selfhost_user" ] - then - print_info "selfhost is not configured because selfhost_key is empty in $configfile" - else - # Use cron for dynamich ip update - # - at reboot - # - every 5 minutes - if [ -z "`grep 'selfhost-updater.sh' /etc/crontab`" ] - then - echo "@reboot root bash /etc/selfhost/selfhost-updater.sh update > /dev/null 2>&1" >> /etc/crontab - echo "*/5 * * * * root /bin/bash /etc/selfhost/selfhost-updater.sh update > /dev/null 2>&1" >> /etc/crontab - else - print_info "cron for selfhost was configured already" - fi - fi -} - -function install_letsencrypt { - print_info "installing let's encrypt ..." - # check if user gave domain - if [ -z "$le_domain" ] - then - die "Failed to install let's encrypt: 'le_domain' is empty in $configfile" - fi - if [ -z "$le_email" ] - then - die "Failed to install let's encrypt: 'le_email' is empty in $configfile" - fi - nocheck_install "certbot python-certbot-apache" - print_info "run certbot ..." - certbot --apache -w /var/www/html -d $le_domain -m $le_email --agree-tos --non-interactive --redirect --hsts --uir - service apache2 restart -} - -function check_https { - print_info "checking httpS > testing ..." - url_https=https://$le_domain - wget_output=$(wget -nv --spider --max-redirect 0 $url_https) - if [ $? -ne 0 ] - then - print_warn "check not ok" - else - print_info "check ok" - fi -} - -function install_hubzilla { - print_info "installing addons..." - cd /var/www/html/ - if git remote -v | grep -i "origin.*hubzilla.*core" - then - print_info "hubzilla" - util/add_addon_repo https://framagit.org/hubzilla/addons hzaddons - elif git remote -v | grep -i "origin.*zap.*core" - then - print_info "zap" - util/add_addon_repo https://framagit.org/zot/zap-addons.git zaddons - else - die "neither zap nor hubzilla repository > did not install addons or zap/hubzilla" - fi - mkdir -p "store/[data]/smarty3" - chmod -R 777 store - touch .htconfig.php - chmod ou+w .htconfig.php - cd /var/www/ - chown -R www-data:www-data html - chown root:www-data /var/www/html/ - chown root:www-data /var/www/html/.htaccess - chmod 0644 /var/www/html/.htaccess - print_info "installed addons" -} - -function install_rsync { - print_info "installing rsync..." - nocheck_install "rsync" -} - -function install_cryptosetup { - print_info "installing cryptsetup..." - nocheck_install "cryptsetup" -} - -function configure_cron_daily { - print_info "configuring cron..." - # every 10 min for poller.php - if [ -z "`grep 'Master.php' /etc/crontab`" ] - then - echo "*/10 * * * * www-data cd /var/www/html; php Zotlabs/Daemon/Master.php Cron >> /dev/null 2>&1" >> /etc/crontab - fi - # Run external script daily at 05:30 - # - stop apache and mysql-server - # - renew the certificate of letsencrypt - # - backup db, files (/var/www/html), certificates if letsencrypt - # - update hubzilla core and addon - # - update and upgrade linux - # - reboot is done by "shutdown -h now" because "reboot" hangs sometimes depending on the system -echo "#!/bin/sh" > /var/www/$hubzilladaily -echo "#" >> /var/www/$hubzilladaily -echo "echo \" \"" >> /var/www/$hubzilladaily -echo "echo \"+++ \$(date) +++\"" >> /var/www/$hubzilladaily -echo "echo \" \"" >> /var/www/$hubzilladaily -echo "echo \"\$(date) - renew certificate...\"" >> /var/www/$hubzilladaily -echo "certbot renew --noninteractive" >> /var/www/$hubzilladaily -echo "#" >> /var/www/$hubzilladaily -echo "echo \"\$(date) - stopping apache and mysql...\"" >> /var/www/$hubzilladaily -echo "service apache2 stop" >> /var/www/$hubzilladaily -echo "/etc/init.d/mysql stop # to avoid inconsistencies" >> /var/www/$hubzilladaily -echo "#" >> /var/www/$hubzilladaily -echo "# backup" >> /var/www/$hubzilladaily -echo "echo \"\$(date) - try to mount external device for backup...\"" >> /var/www/$hubzilladaily -echo "backup_device_name=$backup_device_name" >> /var/www/$hubzilladaily -echo "backup_device_pass=$backup_device_pass" >> /var/www/$hubzilladaily -echo "backup_mount_point=$backup_mount_point" >> /var/www/$hubzilladaily -echo "device_mounted=0" >> /var/www/$hubzilladaily -echo "if [ -n \"$backup_device_name\" ]" >> /var/www/$hubzilladaily -echo "then" >> /var/www/$hubzilladaily -echo " if blkid | grep $backup_device_name" >> /var/www/$hubzilladaily -echo " then" >> /var/www/$hubzilladaily - if [ -n "$backup_device_pass" ] - then -echo " echo \"decrypting backup device...\"" >> /var/www/$hubzilladaily -echo " echo "\"$backup_device_pass\"" | cryptsetup luksOpen $backup_device_name cryptobackup" >> /var/www/$hubzilladaily - fi -echo " if [ ! -d $backup_mount_point ]" >> /var/www/$hubzilladaily -echo " then" >> /var/www/$hubzilladaily -echo " mkdir $backup_mount_point" >> /var/www/$hubzilladaily -echo " fi" >> /var/www/$hubzilladaily -echo " echo \"mounting backup device...\"" >> /var/www/$hubzilladaily - if [ -n "$backup_device_pass" ] - then -echo " if mount /dev/mapper/cryptobackup $backup_mount_point" >> /var/www/$hubzilladaily - else -echo " if mount $backup_device_name $backup_mount_point" >> /var/www/$hubzilladaily - fi -echo " then" >> /var/www/$hubzilladaily -echo " device_mounted=1" >> /var/www/$hubzilladaily -echo " echo \"device $backup_device_name is now mounted. Starting backup...\"" >> /var/www/$hubzilladaily -echo " rsync -a --delete /var/lib/mysql/ /media/hubzilla_backup/mysql" >> /var/www/$hubzilladaily -echo " rsync -a --delete /var/www/ /media/hubzilla_backup/www" >> /var/www/$hubzilladaily -echo " rsync -a --delete /etc/letsencrypt/ /media/hubzilla_backup/letsencrypt" >> /var/www/$hubzilladaily -echo " echo \"\$(date) - disk sizes...\"" >> /var/www/$hubzilladaily -echo " df -h" >> /var/www/$hubzilladaily -echo " echo \"\$(date) - db size...\"" >> /var/www/$hubzilladaily -echo " du -h $backup_mount_point | grep mysql/hubzilla" >> /var/www/$hubzilladaily -echo " echo \"unmounting backup device...\"" >> /var/www/$hubzilladaily -echo " umount $backup_mount_point" >> /var/www/$hubzilladaily -echo " else" >> /var/www/$hubzilladaily -echo " echo \"failed to mount device $backup_device_name\"" >> /var/www/$hubzilladaily -echo " fi" >> /var/www/$hubzilladaily - if [ -n "$backup_device_pass" ] - then -echo " echo \"closing decrypted backup device...\"" >> /var/www/$hubzilladaily -echo " cryptsetup luksClose cryptobackup" >> /var/www/$hubzilladaily - fi -echo " fi" >> /var/www/$hubzilladaily -echo "fi" >> /var/www/$hubzilladaily -echo "if [ \$device_mounted == 0 ]" >> /var/www/$hubzilladaily -echo "then" >> /var/www/$hubzilladaily -echo " echo \"device could not be mounted $backup_device_name. No backup written.\"" >> /var/www/$hubzilladaily -echo "fi" >> /var/www/$hubzilladaily -echo "#" >> /var/www/$hubzilladaily -echo "echo \"\$(date) - db size...\"" >> /var/www/$hubzilladaily -echo "du -h /var/lib/mysql/ | grep mysql/hubzilla" >> /var/www/$hubzilladaily -echo "#" >> /var/www/$hubzilladaily -echo "# update" >> /var/www/$hubzilladaily -echo "echo \"\$(date) - updating core and addons...\"" >> /var/www/$hubzilladaily -echo "(cd /var/www/html/ ; util/udall)" >> /var/www/$hubzilladaily -echo "chown -R www-data:www-data /var/www/html/ # make all accessable for the webserver" >> /var/www/$hubzilladaily -echo "chown root:www-data /var/www/html/.htaccess" >> /var/www/$hubzilladaily -echo "chmod 0644 /var/www/html/.htaccess # www-data can read but not write it" >> /var/www/$hubzilladaily -echo "echo \"\$(date) - updating linux...\"" >> /var/www/$hubzilladaily -echo "apt-get -q -y update && apt-get -q -y dist-upgrade && apt-get -q -y autoremove # update linux and upgrade" >> /var/www/$hubzilladaily -echo "echo \"\$(date) - Backup and update finished. Rebooting...\"" >> /var/www/$hubzilladaily -echo "#" >> /var/www/$hubzilladaily -echo "shutdown -r now" >> /var/www/$hubzilladaily - - if [ -z "`grep 'hubzilla-daily.sh' /etc/crontab`" ] - then - echo "30 05 * * * root /bin/bash /var/www/$hubzilladaily >> /var/www/html/hubzilla-daily.log 2>&1" >> /etc/crontab - echo "0 0 1 * * root rm /var/www/html/hubzilla-daily.log" >> /etc/crontab - fi - - # This is active after either "reboot" or "/etc/init.d/cron reload" - print_info "configured cron for updates/upgrades" -} - -######################################################################## -# START OF PROGRAM -######################################################################## -export PATH=/bin:/usr/bin:/sbin:/usr/sbin - -check_sanity - -# Read config file edited by user -configfile=hubzilla-config.txt -source $configfile - -selfhostdir=/etc/selfhost -selfhostscript=selfhost-updater.sh -hubzilladaily=hubzilla-daily.sh -backup_mount_point=/media/hubzilla_backup - -#set -x # activate debugging from here - -check_config -stop_hubzilla -update_upgrade -install_curl -install_wget -install_sendmail -install_apache -install_imagemagick -install_php -install_mysql -install_adminer -create_hubzilla_db -run_freedns -install_run_selfhost -ping_domain -configure_cron_freedns -configure_cron_selfhost - -if [ "$le_domain" != "localhost" ] -then - install_letsencrypt - configure_apache_for_https - check_https -else - print_info "is localhost - skipped installation of letsencrypt and configuration of apache for https" -fi - -install_hubzilla - -if [ "$le_domain" != "localhost" ] -then - rewrite_to_https - install_rsnapshot -else - print_info "is localhost - skipped rewrite to https and installation of rsnapshot" -fi - -configure_cron_daily - -if [ "$le_domain" != "localhost" ] -then - install_cryptosetup - write_uninstall_script -else - print_info "is localhost - skipped installation of cryptosetup" -fi - - -#set +x # stop debugging from here - - diff --git a/.homeinstall/nginx-zotserver.conf.template b/.homeinstall/nginx-zotserver.conf.template new file mode 100644 index 000000000..c77788a1b --- /dev/null +++ b/.homeinstall/nginx-zotserver.conf.template @@ -0,0 +1,144 @@ +## +# Hubzilla/Zap/Mistpark/Osada Nginx block configuration template +# based on the example created by Olaf Conradi +# +# The files generated with this template will be added to +# /etc/nginx/sites-available & /etc/nginx/sites-enabled (symlink) +## + +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# +# http://wiki.nginx.org/Pitfalls +# http://wiki.nginx.org/QuickStart +# http://wiki.nginx.org/Configuration +## + +## +# This configuration assumes +# You filled the zotserver-config.txt file +# Your domain/subdomain is functionnal +# You want all traffic to be https +# You have PHP FastCGI Process Manager (php-fpm) running on localhost +## + +server { + listen 80; + server_name SERVER_NAME; + +# HTTP > HTTPS # + return 301 https://$server_name$request_uri; +} + +## +# Configure Red with SSL +# +# All requests are routed to the front controller +# except for certain known file types like images, css, etc. +# Those are served statically whenever possible with a +# fall back to the front controller (needed for avatars, for example) +## + +server { + listen 443 ssl; + server_name SERVER_NAME; + + ssl on; + ssl_certificate /etc/letsencrypt/live/SERVER_NAME/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/SERVER_NAME/privkey.pem; + ssl_session_timeout 5m; +# DO WE NEED TO REVIEW THE FOLLOWING SETTINGS? + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; + ssl_prefer_server_ciphers on; + + fastcgi_param HTTPS on; + + charset utf-8; + root INSTALL_PATH; + index index.php; + access_log /var/log/nginx/ZOTSERVER_LOG; + + #Uncomment the following line to include a standard configuration file + #Note that the most specific rule wins and your standard configuration + #will therefore *add* to this file, but not override it. + #include standard.conf + + # allow uploads up to 20MB in size + client_max_body_size 20m; + client_body_buffer_size 128k; + + include mime.types; + + # rewrite to front controller as default rule + location / { + if (!-e $request_filename) { + rewrite ^(.*)$ /index.php?req=$1; + } + } + + # make sure webfinger and other well known services aren't blocked + # by denying dot files and rewrite request to the front controller + location ^~ /.well-known/ { + allow all; + if (!-e $request_filename) { + rewrite ^(.*)$ /index.php?req=$1; + } + } + + # statically serve these file types when possible + # otherwise fall back to front controller + # allow browser to cache them + # added .htm for advanced source code editor library + # location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|map|ttf|woff|woff2|svg)$ { + # expires 30d; + # try_files $uri /index.php?req=$uri&$args; + # } + # SHOULD WE UNCOMMENT THE ABOVE LINES ? + + # block these file types + location ~* \.(tpl|md|tgz|log|out)$ { + deny all; + } + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # or a unix socket + location ~* \.php$ { + # IS THE FOLLOWING STILL RELEVANT AS OF AUGUST 2020? + # Zero-day exploit defense. + # http://forum.nginx.org/read.php?2,88845,page=3 + # Won't work properly (404 error) if the file is not stored on this + # server, which is entirely possible with php-fpm/php-fcgi. + # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on + # another machine. And then cross your fingers that you won't get hacked. + try_files $uri =404; + + # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + fastcgi_split_path_info ^(.+\.php)(/.+)$; + + # With php5-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + + # With php-fpm: + fastcgi_pass unix:PHP_FPM_SOCK; + + include fastcgi_params; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + + # deny access to all dot files + location ~ /\. { + deny all; + } + +#deny access to store + + location ~ /store { + deny all; + } + + +} + diff --git a/.homeinstall/hubzilla-config.txt.template b/.homeinstall/zotserver-config.txt.template index f0bf6121c..39a6e77ff 100644 --- a/.homeinstall/hubzilla-config.txt.template +++ b/.homeinstall/zotserver-config.txt.template @@ -9,11 +9,11 @@ db_pass= ############################################### ### MANDATORY - let's encrypt ################# # -# Hubilla requires encrypted communication via secure HTTP (HTTPS). +# Zot requires encrypted communication via secure HTTP (HTTPS). # This script automates installation of an SSL certificate from # Let's Encrypt (https://letsencrypt.org) # -# Please give the domain name of your hub +# Please give the domain name of your hub/instance # # Example: my.cooldomain.org # Example: cooldomain.org @@ -30,6 +30,18 @@ le_domain= le_email= ############################################### +### OPTIONAL - Webserver choice ############### +# +# Please indicate if you want to choose Nginx +# or Apache as your web server +# +# Valid strings are nginx or apache (lower case), +# any other will stop the setup script. +# +webserver=apache + + +############################################### ### OPTIONAL - selfHOST - dynamic IP address ## # # 1. Register a domain at selfhost.de @@ -87,7 +99,7 @@ freedns_key= # - encrypted LUKS + ext4, or # - ext4 # -# You should test to mount the device befor you run the script +# You should test to mount the device before you run the script # (hubzilla-setup.sh). # How to find your (pluged-in) devices? # @@ -144,10 +156,13 @@ backup_device_pass= # ############################################### # -# Database for hubzilla -hubzilla_db_name=hubzilla -hubzilla_db_user=hubzilla -hubzilla_db_pass=$db_pass +# Database for your hub/instance +# If left empty, both your database and user will be named after your zot instance (hubzilla, zap or misty) +# Use custom name, at least fo the database, if you plan to run more than one hub/instance on the same server +# +zotserver_db_name= +zotserver_db_user= +zotserver_db_pass=$db_pass # # # Password for package mysql-server diff --git a/.homeinstall/zotserver-setup.sh b/.homeinstall/zotserver-setup.sh new file mode 100755 index 000000000..42ff6685d --- /dev/null +++ b/.homeinstall/zotserver-setup.sh @@ -0,0 +1,793 @@ +#!/bin/bash +# +# How to use +# ---------- +# +# This file automates the installation of +# - hubzilla: https://zotlabs.org/page/hubzilla/hubzilla-project and +# - zap: https://zotlabs.com/zap/ +# - misty : https://zotlabs.com/misty/ +# - osada : https://codeberg.org/zot/osada +# - redmatrix : https://codeberg.org/zot/redmatrix +# under Debian Linux "Buster" +# +# 1) Copy the file "zotserver-config.txt.template" to "zotserver-config.txt" +# Follow the instuctions there +# +# 2) Switch to user "root" by typing "su -" +# +# 3) Run with "./zotserver-setup.sh" +# If this fails check if you can execute the script. +# - To make it executable type "chmod +x zotserver-setup.sh" +# - or run "bash zotserver-setup.sh" +# +# +# What does this script do basically? +# ----------------------------------- +# +# This file automates the installation of a Zot hub/instance under Debian Linux +# - install +# * apache webserver, +# * php, +# * mariadb - the database for zotserver, +# * adminer, +# * git to download and update addons +# - configure cron +# * "Run.php" for regular background processes of your Zot hub/instance +# * "apt-get update" and "apt-get dist-upgrade" and "apt-get autoremove" to keep linux up-to-date +# * run command to keep the IP up-to-date > DynDNS provided by selfHOST.de or freedns.afraid.org +# * backup your server's database and files (rsync) +# - run letsencrypt to create, register and use a certifacte for https +# +# +# Discussion +# ---------- +# +# Security - password is the same for mysql-server, phpmyadmin and your hub/instance db +# - The script runs into installation errors for phpmyadmin if it uses +# different passwords. For the sake of simplicity one single password. +# +# How to restore from backup +# -------------------------- +# +# (Some explanations here would certainly be useful) +# +# Daily backup +# ------------ +# +# The installation +# - writes a shell script in /var/www/ +# - creates a daily cron that runs this script +# +# The script makes a (daily) backup of all relevant files +# - /var/lib/mysql/ > database +# - /var/www/ > hubzilla/zap/misty from git repository +# - /etc/letsencrypt/ > certificates +# +# The backup will be written on an external disk compatible to LUKS+ext4 (see zotserver-config.txt) +# +# How to restore from backup +# -------------------------- +# +# (Some explanations here would certainly be useful) +# +# +# Credits +# ------- +# +# The script is based on Thomas Willinghams script "debian-setup.sh" +# which he used to install the red#matrix. +# +# The documentation for bash is here +# https://www.gnu.org/software/bash/manual/bash.html +# +function check_sanity { + # Do some sanity checking. + print_info "Sanity check..." + if [ $(/usr/bin/id -u) != "0" ] + then + die 'Must be run by root user' + fi + + if [ -f /etc/lsb-release ] + then + die "Distribution is not supported" + fi + if [ ! -f /etc/debian_version ] + then + die "Debian is supported only" + fi + if ! grep -q 'Linux 10' /etc/issue + then + die "Linux 10 (buster) is supported only"x + fi +} + +function check_config { + print_info "config check..." + # Check for required parameters + if [ -z "$db_pass" ] + then + die "db_pass not set in $configfile" + fi + if [ -z "$le_domain" ] + then + die "le_domain not set in $configfile" + fi + # backup is important and should be checked + if [ -n "$backup_device_name" ] + then + if [ ! -d "$backup_mount_point" ] + then + mkdir "$backup_mount_point" + fi + device_mounted=0 + if fdisk -l | grep -i "$backup_device_name.*linux" + then + print_info "ok - filesystem of external device is linux" + if [ -n "$backup_device_pass" ] + then + echo "$backup_device_pass" | cryptsetup luksOpen $backup_device_name cryptobackup + if mount /dev/mapper/cryptobackup /media/zotserver_backup + then + device_mounted=1 + print_info "ok - could encrypt and mount external backup device" + umount /media/zotserver_backup + else + print_warn "backup to external device will fail because encryption failed" + fi + cryptsetup luksClose cryptobackup + else + if mount $backup_device_name /media/zotserver_backup + then + device_mounted=1 + print_info "ok - could mount external backup device" + umount /media/zotserver_backup + else + print_warn "backup to external device will fail because mount failed" + fi + fi + else + print_warn "backup to external device will fail because filesystem is either not linux or 'backup_device_name' is not correct in $configfile" + fi + if [ $device_mounted == 0 ] + then + die "backup device not ready" + fi + fi +} + +function die { + echo "ERROR: $1" > /dev/null 1>&2 + exit 1 +} + + +function update_upgrade { + print_info "updated and upgrade..." + # Run through the apt-get update/upgrade first. This should be done before + # we try to install any package + apt-get -q -y update && apt-get -q -y dist-upgrade + print_info "updated and upgraded linux" +} + +function check_install { + if [ -z "`which "$1" 2>/dev/null`" ] + then + # export DEBIAN_FRONTEND=noninteractive ... answers from the package + # configuration database + # - q ... without progress information + # - y ... answer interactive questions with "yes" + # DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -q -y install $2 + DEBIAN_FRONTEND=noninteractive apt-get -q -y install $2 + print_info "installed $2 installed for $1" + else + print_warn "$2 already installed" + fi +} + +function nocheck_install { + # export DEBIAN_FRONTEND=noninteractive ... answers from the package configuration database + # - q ... without progress information + # - y ... answer interactive questions with "yes" + # DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends -q -y install $2 + # DEBIAN_FRONTEND=noninteractive apt-get --install-suggests -q -y install $1 + DEBIAN_FRONTEND=noninteractive apt-get -q -y install $1 + print_info "installed $1" +} + + +function print_info { + echo -n -e '\e[1;34m' + echo -n $1 + echo -e '\e[0m' +} + +function print_warn { + echo -n -e '\e[1;31m' + echo -n $1 + echo -e '\e[0m' +} + +function stop_zotserver { + if [ $webserver = "nginx" ] + then + print_info "stopping nginx webserver..." + systemctl stop nginx + elif [ $webserver = "apache" ] + then + print_info "stopping apache webserver..." + systemctl stop apache2 + fi + print_info "stopping mysql db..." + systemctl stop mariadb +} + +function install_apache { + print_info "installing apache..." + nocheck_install "apache2 apache2-utils" + a2enmod rewrite + systemctl restart apache2 +} + +function install_nginx { + print_info "installing nginx..." + nocheck_install "nginx" + systemctl restart nginx +} + +function add_vhost { + print_info "adding apache vhost" + echo "<VirtualHost *:80>" >> "/etc/apache2/sites-available/${le_domain}.conf" + echo "ServerName ${le_domain}" >> "/etc/apache2/sites-available/${le_domain}.conf" + echo "DocumentRoot $install_path" >> "/etc/apache2/sites-available/${le_domain}.conf" + echo "</VirtualHost>" >> "/etc/apache2/sites-available/${le_domain}.conf" + a2ensite $le_domain +} + +function add_nginx_block { + print_info "adding nginx block" + sed "s|SERVER_NAME|${le_domain}|g;s|INSTALL_PATH|${install_path}|g;s|ZOTSERVER_LOG|${install_folder}-${zotserver}.log|;s|PHP_FPM_SOCK|$(ls /var/run/php/*sock)|;" nginx-zotserver.conf.template >> /etc/nginx/sites-enabled/${le_domain}.conf + ln -s /etc/nginx/sites-enabled/${le_domain}.conf /etc/nginx/sites-available/ +} + +function install_imagemagick { + print_info "installing imagemagick..." + nocheck_install "imagemagick" +} + +function install_curl { + print_info "installing curl..." + nocheck_install "curl" +} + +function install_wget { + print_info "installing wget..." + nocheck_install "wget" +} + +function install_sendmail { + print_info "installing sendmail..." + nocheck_install "sendmail sendmail-bin" +} + +function install_php { + # openssl and mbstring are included in libapache2-mod-php + print_info "installing php..." + if [ $webserver = "nginx" ] + then + nocheck_install "php php-pear php-curl php-gd php-mbstring php-xml php-zip php-fpm" + sed -i "s/^upload_max_filesize =.*/upload_max_filesize = 100M/g" /etc/php/7.3/fpm/php.ini + sed -i "s/^post_max_size =.*/post_max_size = 100M/g" /etc/php/7.3/fpm/php.ini + systemctl reload php7.3-fpm + elif [ $webserver = "apache" ] + then + nocheck_install "libapache2-mod-php php php-pear php-curl php-gd php-mbstring php-xml php-zip" + sed -i "s/^upload_max_filesize =.*/upload_max_filesize = 100M/g" /etc/php/7.3/apache2/php.ini + sed -i "s/^post_max_size =.*/post_max_size = 100M/g" /etc/php/7.3/apache2/php.ini + fi +} + +function install_mysql { + print_info "installing mysql..." + if [ -z "$mysqlpass" ] + then + die "mysqlpass not set in $configfile" + fi + if type mysql ; then + echo "Yes, mysql is installed" + else + echo "mariadb-server" + nocheck_install "mariadb-server" + systemctl status mariadb + systemctl start mariadb + mysql --user=root <<_EOF_ +UPDATE mysql.user SET Password=PASSWORD('${mysqlpass}') WHERE User='root'; +DELETE FROM mysql.user WHERE User=''; +DROP DATABASE IF EXISTS test; +DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'; +FLUSH PRIVILEGES; +_EOF_ + fi +} + +function install_adminer { + print_info "installing adminer..." + nocheck_install "adminer" + if [ ! -f /etc/adminer/adminer.conf ] + then + echo "Alias /adminer /usr/share/adminer/adminer" > /etc/adminer/adminer.conf + ln -s /etc/adminer/adminer.conf /etc/apache2/conf-available/adminer.conf + else + print_info "file /etc/adminer/adminer.conf exists already" + fi + + a2enmod rewrite + + if [ ! -f /etc/apache2/apache2.conf ] + then + die "could not find file /etc/apache2/apache2.conf" + fi + sed -i \ + "s/AllowOverride None/AllowOverride all/" \ + /etc/apache2/apache2.conf + + a2enconf adminer + systemctl restart mariadb + systemctl reload apache2 +} + +function create_zotserver_db { + print_info "creating zotserver database..." + if [ -z "$zotserver_db_name" ] + then + zotserver_db_name=$zotserver + fi + if [ -z "$zotserver_db_user" ] + then + zotserver_db_user=$zotserver + fi + if [ -z "$zotserver_db_pass" ] + then + die "zotserver_db_pass not set in $configfile" + fi + systemctl restart mariadb + # Make sure we don't write over an already existing database if we install more than one Zot hub/instance + if [ -z $(mysql -h localhost -u root -p$mysqlpass -e "SHOW DATABASES;" | grep $zotserver_db_name) ] + then + Q1="CREATE DATABASE IF NOT EXISTS $zotserver_db_name;" + Q2="GRANT USAGE ON *.* TO $zotserver_db_user@localhost IDENTIFIED BY '$zotserver_db_pass';" + Q3="GRANT ALL PRIVILEGES ON $zotserver_db_name.* to $zotserver_db_user@localhost identified by '$zotserver_db_pass';" + Q4="FLUSH PRIVILEGES;" + SQL="${Q1}${Q2}${Q3}${Q4}" + mysql -uroot -p$mysqlpass -e "$SQL" + else + die "Can't write over an already existing database!" + fi +} + +function run_freedns { + print_info "run freedns (dynamic IP)..." + if [ -z "$freedns_key" ] + then + print_info "freedns was not started because 'freedns_key' is empty in $configfile" + else + if [ -n "$selfhost_user" ] + then + die "You can not use freeDNS AND selfHOST for dynamic IP updates ('freedns_key' AND 'selfhost_user' set in $configfile)" + fi + wget --no-check-certificate -O - http://freedns.afraid.org/dynamic/update.php?$freedns_key + fi +} + +function install_run_selfhost { + print_info "install and start selfhost (dynamic IP)..." + if [ -z "$selfhost_user" ] + then + print_info "selfHOST was not started because 'selfhost_user' is empty in $configfile" + else + if [ -n "$freedns_key" ] + then + die "You can not use freeDNS AND selfHOST for dynamic IP updates ('freedns_key' AND 'selfhost_user' set in $configfile)" + fi + if [ -z "$selfhost_pass" ] + then + die "selfHOST was not started because 'selfhost_pass' is empty in $configfile" + fi + if [ ! -d $selfhostdir ] + then + mkdir $selfhostdir + fi + # the old way + # https://carol.selfhost.de/update?username=123456&password=supersafe + # + # the prefered way + wget --output-document=$selfhostdir/$selfhostscript http://jonaspasche.de/selfhost-updater + echo "router" > $selfhostdir/device + echo "$selfhost_user" > $selfhostdir/user + echo "$selfhost_pass" > $selfhostdir/pass + bash $selfhostdir/$selfhostscript update + fi +} + +function ping_domain { + print_info "ping domain $domain..." + # Is the domain resolved? Try to ping 6 times à 10 seconds + COUNTER=0 + for i in {1..6} + do + print_info "loop $i for ping -c 1 $domain ..." + if ping -c 4 -W 1 $le_domain + then + print_info "$le_domain resolved" + break + else + if [ $i -gt 5 ] + then + die "Failed to: ping -c 1 $domain not resolved" + fi + fi + sleep 10 + done + sleep 5 +} + +function configure_cron_freedns { + print_info "configure cron for freedns..." + if [ -z "$freedns_key" ] + then + print_info "freedns is not configured because freedns_key is empty in $configfile" + else + # Use cron for dynamich ip update + # - at reboot + # - every 30 minutes + if [ -z "`grep 'freedns.afraid.org' /etc/crontab`" ] + then + echo "@reboot root http://freedns.afraid.org/dynamic/update.php?$freedns_key > /dev/null 2>&1" >> /etc/crontab + echo "*/30 * * * * root wget --no-check-certificate -O - http://freedns.afraid.org/dynamic/update.php?$freedns_key > /dev/null 2>&1" >> /etc/crontab + else + print_info "cron for freedns was configured already" + fi + fi +} + +function configure_cron_selfhost { + print_info "configure cron for selfhost..." + if [ -z "$selfhost_user" ] + then + print_info "selfhost is not configured because selfhost_key is empty in $configfile" + else + # Use cron for dynamich ip update + # - at reboot + # - every 5 minutes + if [ -z "`grep 'selfhost-updater.sh' /etc/crontab`" ] + then + echo "@reboot root bash /etc/selfhost/selfhost-updater.sh update > /dev/null 2>&1" >> /etc/crontab + echo "*/5 * * * * root /bin/bash /etc/selfhost/selfhost-updater.sh update > /dev/null 2>&1" >> /etc/crontab + else + print_info "cron for selfhost was configured already" + fi + fi +} + +function install_letsencrypt { + print_info "installing let's encrypt ..." + # check if user gave domain + if [ -z "$le_domain" ] + then + die "Failed to install let's encrypt: 'le_domain' is empty in $configfile" + fi + if [ -z "$le_email" ] + then + die "Failed to install let's encrypt: 'le_email' is empty in $configfile" + fi + if [ $webserver = "nginx" ] + then + nocheck_install "certbot" + print_info "run certbot..." + systemctl stop nginx + certbot certonly --standalone -d $le_domain -m $le_email --agree-tos --non-interactive + systemctl start nginx + elif [ $webserver = "apache" ] + then + nocheck_install "certbot python-certbot-apache" + print_info "run certbot ..." + certbot --apache -w $install_path -d $le_domain -m $le_email --agree-tos --non-interactive --redirect --hsts --uir + service apache2 restart + fi +} + +function check_https { + print_info "checking httpS > testing ..." + url_https=https://$le_domain + wget_output=$(wget -nv --spider --max-redirect 0 $url_https) + if [ $? -ne 0 ] + then + print_warn "check not ok" + else + print_info "check ok" + fi +} + +function zotserver_name { + if git remote -v | grep -i "origin.*hubzilla.*" + then + zotserver=hubzilla + elif git remote -v | grep -i "origin.*zap.*" + then + zotserver=zap + elif git remote -v | grep -i "origin.*misty.*" + then + zotserver=misty + elif git remote -v | grep -i "origin.*osada.*" + then + zotserver=osada + elif git remote -v | grep -i "origin.*redmatrix.*" + then + zotserver=redmatrix + else + die "neither redmatrix, osada, misty, zap nor hubzilla repository > did not install redmatrix/osada/misty/zap/hubzilla" + fi +} + +function install_zotserver { + print_info "installing addons..." + cd $install_path/ + if [ $zotserver = "hubzilla" ] + then + print_info "hubzilla" + util/add_addon_repo https://framagit.org/hubzilla/addons hzaddons + elif [ $zotserver = "zap" ] + then + print_info "zap" + util/add_addon_repo https://codeberg.org/zot/zap-addons.git zaddons + elif [ $zotserver = "misty" ] + then + print_info "misty" + util/add_addon_repo https://codeberg.org/zot/misty-addons.git maddons + elif [ $zotserver = "osada" ] + then + print_info "osada" + util/add_addon_repo https://codeberg.org/zot/osada-addons.git oaddons + elif [ $zotserver = "redmatrix" ] + then + print_info "redmatrix" + util/add_addon_repo https://codeberg.org/zot/redmatrix-addons.git raddons + else + die "neither redmatrix, osada, misty, zap nor hubzilla repository > did not install addons or redmatrix/osada/misty/zap/hubzilla" + fi + mkdir -p "cache/smarty3" + mkdir -p "store" + chmod -R 777 store + touch .htconfig.php + chmod ou+w .htconfig.php + cd /var/www/ + chown -R www-data:www-data $install_path + chown root:www-data $install_path/ + chown root:www-data $install_path/.htaccess + chmod 0644 $install_path/.htaccess + print_info "installed addons" +} + +function install_rsync { + print_info "installing rsync..." + nocheck_install "rsync" +} + +function install_cryptosetup { + print_info "installing cryptsetup..." + nocheck_install "cryptsetup" +} + +function configure_zotserverdaily { + echo "#!/bin/sh" >> /var/www/$zotserverdaily + echo "#" >> /var/www/$zotserverdaily + echo "# update of $le_domain Zot hub/instance" >> /var/www/$zotserverdaily + echo "echo \"\$(date) - updating core and addons...\"" >> /var/www/$zotserverdaily + echo "echo \"reaching git repository for $le_domain $zotserver hub/instance...\"" >> /var/www/$zotserverdaily + echo "(cd $install_path ; util/udall)" >> /var/www/$zotserverdaily + echo "chown -R www-data:www-data $install_path # make all accessible for the webserver" >> /var/www/$zotserverdaily + if [ $webserver = "apache" ] + then + echo "chown root:www-data $install_path/.htaccess" >> /var/www/$zotserverdaily + echo "chmod 0644 $install_path/.htaccess # www-data can read but not write it" >> /var/www/$zotserverdaily + fi + chmod a+x /var/www/$zotserverdaily +} + +function configure_cron_daily { + print_info "configuring cron..." + # every 10 min for poller.php + if [ -z "`grep '$install_path.*Run.php' /etc/crontab`" ] + then + echo "*/10 * * * * www-data cd $install_path; php Zotlabs/Daemon/Run.php Cron >> /dev/null 2>&1" >> /etc/crontab + fi + # Run external script daily at 05:30 + # - stop apache/nginx and mysql-server + # - renew the certificate of letsencrypt + # - backup db, files ($install_path), certificates if letsencrypt + # - update zotserver core and addon + # - update and upgrade linux + # - reboot is done by "shutdown -h now" because "reboot" hangs sometimes depending on the system + echo "#!/bin/sh" > /var/www/$zotcron + echo "#" >> /var/www/$zotcron + echo "echo \" \"" >> /var/www/$zotcron + echo "echo \"+++ \$(date) +++\"" >> /var/www/$zotcron + echo "echo \" \"" >> /var/www/$zotcron + echo "echo \"\$(date) - stopping $webserver and mysql...\"" >> /var/www/$zotcron + if [ $webserver = "nginx" ] + then + echo "systemctl stop nginx" >> /var/www/$zotcron + elif [ $webserver = "apache" ] + then + echo "service apache2 stop" >> /var/www/$zotcron + fi + echo "/etc/init.d/mysql stop # to avoid inconsistencies" >> /var/www/$zotcron + echo "#" >> /var/www/$zotcron + echo "echo \"\$(date) - renew certificate...\"" >> /var/www/$zotcron + echo "certbot renew --noninteractive" >> /var/www/$zotcron + echo "#" >> /var/www/$zotcron + echo "# backup" >> /var/www/$zotcron + echo "echo \"\$(date) - try to mount external device for backup...\"" >> /var/www/$zotcron + echo "backup_device_name=$backup_device_name" >> /var/www/$zotcron + echo "backup_device_pass=$backup_device_pass" >> /var/www/$zotcron + echo "backup_mount_point=$backup_mount_point" >> /var/www/$zotcron + echo "device_mounted=0" >> /var/www/$zotcron + echo "if [ -n \"\$backup_device_name\" ]" >> /var/www/$zotcron + echo "then" >> /var/www/$zotcron + echo " if blkid | grep $backup_device_name" >> /var/www/$zotcron + echo " then" >> /var/www/$zotcron + if [ -n "$backup_device_pass" ] + then + echo " echo \"decrypting backup device...\"" >> /var/www/$zotcron + echo " echo "\"$backup_device_pass\"" | cryptsetup luksOpen $backup_device_name cryptobackup" >> /var/www/$zotcron + fi + echo " if [ ! -d $backup_mount_point ]" >> /var/www/$zotcron + echo " then" >> /var/www/$zotcron + echo " mkdir $backup_mount_point" >> /var/www/$zotcron + echo " fi" >> /var/www/$zotcron + echo " echo \"mounting backup device...\"" >> /var/www/$zotcron + if [ -n "$backup_device_pass" ] + then + echo " if mount /dev/mapper/cryptobackup $backup_mount_point" >> /var/www/$zotcron + else + echo " if mount $backup_device_name $backup_mount_point" >> /var/www/$zotcron + fi + echo " then" >> /var/www/$zotcron + echo " device_mounted=1" >> /var/www/$zotcron + echo " echo \"device $backup_device_name is now mounted. Starting backup...\"" >> /var/www/$zotcron + echo " rsync -a --delete /var/lib/mysql/ /media/zotserver_backup/mysql" >> /var/www/$zotcron + echo " rsync -a --delete /var/www/ /media/zotserver_backup/www" >> /var/www/$zotcron + echo " rsync -a --delete /etc/letsencrypt/ /media/zotserver_backup/letsencrypt" >> /var/www/$zotcron + echo " echo \"\$(date) - disk sizes...\"" >> /var/www/$zotcron + echo " df -h" >> /var/www/$zotcron + echo " echo \"\$(date) - db size...\"" >> /var/www/$zotcron + echo " du -h $backup_mount_point | grep mysql/zotserver" >> /var/www/$zotcron + echo " echo \"unmounting backup device...\"" >> /var/www/$zotcron + echo " umount $backup_mount_point" >> /var/www/$zotcron + echo " else" >> /var/www/$zotcron + echo " echo \"failed to mount device $backup_device_name\"" >> /var/www/$zotcron + echo " fi" >> /var/www/$zotcron + if [ -n "$backup_device_pass" ] + then + echo " echo \"closing decrypted backup device...\"" >> /var/www/$zotcron + echo " cryptsetup luksClose cryptobackup" >> /var/www/$zotcron + fi + echo " fi" >> /var/www/$zotcron + echo "fi" >> /var/www/$zotcron + echo "if [ \$device_mounted == 0 ]" >> /var/www/$zotcron + echo "then" >> /var/www/$zotcron + echo " echo \"device could not be mounted $backup_device_name. No backup written.\"" >> /var/www/$zotcron + echo "fi" >> /var/www/$zotcron + echo "#" >> /var/www/$zotcron + echo "echo \"\$(date) - db size...\"" >> /var/www/$zotcron + echo "du -h /var/lib/mysql/ | grep mysql/" >> /var/www/$zotcron + echo "#" >> /var/www/$zotcron + echo "cd /var/www" >> /var/www/$zotcron + echo "for f in *-daily.sh; do \"./\${f}\"; done" >> /var/www/$zotcron + echo "echo \"\$(date) - updating linux...\"" >> /var/www/$zotcron + echo "apt-get -q -y update && apt-get -q -y dist-upgrade && apt-get -q -y autoremove # update linux and upgrade" >> /var/www/$zotcron + echo "echo \"\$(date) - Backup and update finished. Rebooting...\"" >> /var/www/$zotcron + echo "#" >> /var/www/$zotcron + echo "shutdown -r now" >> /var/www/$zotcron + + # If global cron job does not exist we add it to /etc/crontab + if grep -q $zotcron /etc/crontab + then + echo "cron job already in /etc/crontab" + else + echo "30 05 * * * root /bin/bash /var/www/$zotcron >> /var/www/zot-daily.log 2>&1" >> /etc/crontab + echo "0 0 1 * * root rm /var/www/zot-daily.log" >> /etc/crontab + fi + + # This is active after either "reboot" or cron reload" + systemctl restart cron + print_info "configured cron for updates/upgrades" +} + +######################################################################## +# START OF PROGRAM +######################################################################## +export PATH=/bin:/usr/bin:/sbin:/usr/sbin +check_sanity + +zotserver_name +print_info "We're installing a $zotserver instance" +install_path="$(dirname "$(pwd)")" +install_folder="$(basename $install_path)" + +# Read config file edited by user +configfile=zotserver-config.txt +source $configfile + +selfhostdir=/etc/selfhost +selfhostscript=selfhost-updater.sh +zotcron="zotcron.sh" +zotserverdaily="${install_folder}-${zotserver}-daily.sh" +backup_mount_point="/media/zotserver_backup" + +#set -x # activate debugging from here + +check_config +stop_zotserver +update_upgrade +install_curl +install_wget +install_sendmail +if [ $webserver = "nginx" ] +then + install_nginx +elif [ $webserver = "apache" ] +then + install_apache +else +die "Failed to install a Web server: 'webserver' not set to \"apache\" or \"nginx\" in $configfile" +fi +install_imagemagick +install_php +if [ $webserver = "nginx" ] +then + add_nginx_block +elif [ $webserver = "apache" ] +then + if [ "$install_path" != "/var/www/html" ] + then + add_vhost + fi +fi +install_mysql +if [ $webserver = "apache" ] +then +install_adminer +fi +create_zotserver_db +run_freedns +install_run_selfhost +ping_domain +configure_cron_freedns +configure_cron_selfhost + +if [ "$le_domain" != "localhost" ] +then + install_letsencrypt + check_https +else + print_info "is localhost - skipped installation of letsencrypt and configuration of apache for https" +fi + +install_zotserver + +configure_zotserverdaily + +configure_cron_daily + +if [ "$le_domain" != "localhost" ] +then + install_cryptosetup + install_rsync +else + print_info "is localhost - skipped installation of cryptosetup" +fi + + +#set +x # stop debugging from here |