add ncp-provisioning to SD card images

bin/ncp-provisioning.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# this script runs at startup to provide an unique random passwords for each instance
+
+## redis provisioning
+
+CFG=/var/www/nextcloud/config/config.php
+REDISPASS="$( grep "^requirepass" /etc/redis/redis.conf | cut -f2 -d' ' )"
+
+### IF redis password is the default one, generate a new one
+
+[[ "$REDISPASS" == "default" ]] && {
+  REDISPASS="$( openssl rand -base64 32 )"
+  echo Provisioning Redis password
+  sed -i -E "s|^requirepass .*|requirepass $REDISPASS|" /etc/redis/redis.conf
+  [[ "$DOCKERBUILD" != 1 ]] && systemctl restart redis
+}
+
+### If there exists already a configuration adjust the password
+[[ -f "$CFG" ]] && {
+  echo "Updating NextCloud config with Redis password"
+  sed -i "s|'password'.*|'password' => '$REDISPASS',|" "$CFG"
+}
+
+## mariaDB provisioning
+
+DBADMIN=ncadmin
+DBPASSWD=$( grep password /root/.my.cnf | sed 's|password=||' )
+
+[[ "$DBPASSWD" == "default" ]] && {
+  DBPASSWD=$( openssl rand -base64 32 )
+  echo Provisioning MariaDB password
+  echo -e "[client]\npassword=$DBPASSWD" > /root/.my.cnf
+  chmod 600 /root/.my.cnf
+  mysql <<EOF
+GRANT USAGE ON *.* TO '$DBADMIN'@'localhost' IDENTIFIED BY '$DBPASSWD';
+DROP USER '$DBADMIN'@'localhost';
+CREATE USER '$DBADMIN'@'localhost' IDENTIFIED BY '$DBPASSWD';
+GRANT ALL PRIVILEGES ON nextcloud.* TO $DBADMIN@localhost;
+EXIT
+EOF
+}
+
+[[ -f "$CFG" ]] && {
+  echo "Updating NextCloud config with MariaDB password"
+  sed -i "s|'dbpassword' =>.*|'dbpassword' => '$DBPASSWD',|" "$CFG"
+}
+
+## CPU core adjustment
+
+CURRENT_THREADS=$( grep "^pm.max_children" /etc/php/7.0/fpm/pool.d/www.conf | awk '{ print $3 }' )
+
+CFG=/usr/local/etc/nextcloudpi-config.d/nc-limits.sh
+PHPTHREADS=0
+[[ -f "$CFG" ]] && PHPTHREADS=$( grep "^PHPTHREADS_" "$CFG"  | cut -d= -f2 )
+
+[[ $PHPTHREADS -eq 0 ]] && PHPTHREADS=$( nproc )
+
+[[ $PHPTHREADS -ne $CURRENT_THREADS ]] && {
+
+  echo "PHP threads set to $PHPTHREADS"
+
+  sed -i "s|pm.max_children =.*|pm.max_children = $PHPTHREADS|"           /etc/php/7.0/fpm/pool.d/www.conf
+  sed -i "s|pm.max_spare_servers =.*|pm.max_spare_servers = $PHPTHREADS|" /etc/php/7.0/fpm/pool.d/www.conf
+  sed -i "s|pm.start_servers =.*|pm.start_servers = $PHPTHREADS|"         /etc/php/7.0/fpm/pool.d/www.conf
+
+  # need to restart php
+  bash -c " sleep 3
+            systemctl stop php7.0-fpm
+            systemctl stop mysqld
+            sleep 0.5
+            systemctl start php7.0-fpm
+            systemctl start mysqld
+            " &>/dev/null &
+}
+
+exit 0

changelog.md

@@ -1,5 +1,7 @@
 
-[v0.46.29](https://github.com/nextcloud/nextcloudpi/commit/1804c51) (2018-02-22) ncp-web: fix overlay z-index
+[v0.46.30](https://github.com/nextcloud/nextcloudpi/commit/b6ba190) (2018-02-22) add ncp-provisioning to SD card images
+
+[v0.46.29](https://github.com/nextcloud/nextcloudpi/commit/970a256) (2018-02-22) ncp-web: fix overlay z-index
 
 [v0.46.28](https://github.com/nextcloud/nextcloudpi/commit/c78cf60) (2018-02-22) wizard: fix logbox overflow
 

docker-armhf/nextcloud/Dockerfile

@@ -37,5 +37,4 @@ echo -e "[client]\npassword=default" > /root/.my.cnf; \
 chmod 600 /root/.my.cnf
 
 COPY docker-common/nextcloud/020nextcloud /etc/services-enabled.d/
-COPY docker-common/nextcloud/ncp-provisioning.sh /usr/local/bin/
-RUN chmod +x /usr/local/bin/ncp-provisioning.sh
+COPY bin/ncp-provisioning.sh /usr/local/bin/

docker-common/nextcloud/020nextcloud

@@ -18,7 +18,7 @@ OCC="$NCDIR/occ"
 }
 
 echo "Provisioning"
-/usr/local/bin/ncp-provisioning.sh
+bash /usr/local/bin/ncp-provisioning.sh
 
 echo "Starting Redis"
 mkdir -p /var/run/redis

docker/nextcloud/Dockerfile

@@ -37,5 +37,4 @@ echo -e "[client]\npassword=default" > /root/.my.cnf; \
 chmod 600 /root/.my.cnf
 
 COPY docker-common/nextcloud/020nextcloud /etc/services-enabled.d/
-COPY docker-common/nextcloud/ncp-provisioning.sh /usr/local/bin/
-RUN chmod +x /usr/local/bin/ncp-provisioning.sh
+COPY bin/ncp-provisioning.sh /usr/local/bin/

etc/nextcloudpi-config.d/nc-init.sh

@@ -56,7 +56,7 @@ configure()
   }
 
   # workaround to emulate DROP USER IF EXISTS ..;)
-  local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
+  local DBPASSWD=$( grep password /root/.my.cnf | sed 's|password=||' )
   mysql <<EOF
 DROP DATABASE IF EXISTS nextcloud;
 CREATE DATABASE nextcloud

etc/nextcloudpi-config.d/nc-nextcloud.sh

@@ -62,7 +62,7 @@ install()
   $APTINSTALL redis-server php7.0-redis
 
   local REDIS_CONF=/etc/redis/redis.conf
-  local REDISPASS=$( openssl rand -base64 32 )
+  local REDISPASS="default"
   sed -i "s|# unixsocket .*|unixsocket /var/run/redis/redis.sock|" $REDIS_CONF
   sed -i "s|# unixsocketperm .*|unixsocketperm 770|"               $REDIS_CONF
   sed -i "s|# requirepass .*|requirepass $REDISPASS|"              $REDIS_CONF
@@ -85,6 +85,21 @@ install()
     systemctl start mysqld
   }
 
+  # service to randomize passwords on first boot
+  cat > /usr/lib/systemd/system/nc-provisioning.service <<'EOF'
+[Unit]
+Description=Randomize passwords on first boot
+Requires=network.target
+After=mysql.service
+
+[Service]
+ExecStart=/bin/bash /usr/local/bin/ncp-provisioning.sh
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+  [[ "$DOCKERBUILD" != 1 ]] && systemctl enable nc-provisioning
   return 0
 }
 
@@ -168,7 +183,7 @@ configure()
   echo "Setting up database..."
 
   # workaround to emulate DROP USER IF EXISTS ..;)
-  local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
+  local DBPASSWD=$( grep password /root/.my.cnf | sed 's|password=||' )
   mysql <<EOF
 DROP DATABASE IF EXISTS nextcloud;
 CREATE DATABASE nextcloud

etc/nextcloudpi-config.d/nc-restore.sh

@@ -30,7 +30,7 @@ You can use nc-backup"
 
 configure()
 { 
-  local DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
+  local DBPASSWD=$( grep password /root/.my.cnf | sed 's|password=||' )
 
   [ -f $BACKUPFILE_       ] || { echo "$BACKUPFILE_ not found"; return 1; }
   [ -d /var/www/nextcloud ] && { echo "INFO: overwriting old instance"  ; }

lamp.sh

@@ -29,15 +29,14 @@ install()
     # INSTALL 
     ##########################################
 
-    $APTINSTALL apt-utils openssl
-    $APTINSTALL cron
+    $APTINSTALL apt-utils cron
     $APTINSTALL apache2
     $APTINSTALL php7.0 php7.0-curl php7.0-gd php7.0-fpm php7.0-cli php7.0-opcache php7.0-mbstring php7.0-xml php7.0-zip php7.0-fileinfo php7.0-mcrypt php7.0-ldap
     mkdir -p /run/php
 
     # Randomize mariaDB password
     # Suggested by @enoch85 and taken from the nextcloud vm ( https://github.com/nextcloud/vm/blob/master/lib.sh#L46 )
-    DBPASSWD=$( openssl rand -base64 32 )
+    local DBPASSWD="default"
     echo -e "[client]\npassword=$DBPASSWD" > /root/.my.cnf
     chmod 600 /root/.my.cnf
 

update.sh

@@ -120,86 +120,6 @@ done
 # not for image builds, only live updates
 [[ ! -f /.ncp-image ]] && {
 
-  # fix automount in latest images
-   test -f /etc/udev/rules.d/90-qemu.rules && {
-     rm -f /etc/udev/rules.d/90-qemu.rules
-     udevadm control --reload-rules && udevadm trigger
-     pgrep -c udiskie &>/dev/null && systemctl restart nc-automount
-   }
-
-   # btrfs tools
-   type btrfs &>/dev/null || {
-    apt-get update 
-    apt-get install -y --no-install-recommends btrfs-tools
-  }
-
-  # harden security
-
-  ## harden redis
-  REDIS_CONF=/etc/redis/redis.conf
-  REDISPASS=$( grep "^requirepass" /etc/redis/redis.conf  | cut -d' ' -f2 )
-  [[ "$REDISPASS" == "" ]] && REDISPASS=$( openssl rand -base64 32 )
-  sed -i 's|# rename-command CONFIG ""|rename-command CONFIG ""|'  $REDIS_CONF
-  sed -i "s|# requirepass .*|requirepass $REDISPASS|"              $REDIS_CONF
-
-  grep -q "'password'" /var/www/nextcloud/config/config.php || \
-    sed -i "/timeout/a'password' => '$REDISPASS'," /var/www/nextcloud/config/config.php
-
-  ## harden postfix
-  sed -i 's|^smtpd_banner .*|smtpd_banner = $myhostname ESMTP|'    /etc/postfix/main.cf
-  sed -i 's|^disable_vrfy_command .*|disable_vrfy_command = yes|'  /etc/postfix/main.cf
-
-  ## harden SSH
-  sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|'     /etc/ssh/sshd_config
-  sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|'    /etc/ssh/sshd_config
-  sed -i 's|^MaxAuthTries .*|MaxAuthTries 1|'                   /etc/ssh/sshd_config
-  sed -i 's|^#MaxSessions .*|MaxSessions 2|'                    /etc/ssh/sshd_config
-  sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|'           /etc/ssh/sshd_config
-  sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|'                 /etc/ssh/sshd_config
-  sed -i 's|^X11Forwarding .*|X11Forwarding no|'                /etc/ssh/sshd_config
-  sed -i 's|^#LogLevel .*|LogLevel VERBOSE|'                    /etc/ssh/sshd_config
-  sed -i 's|^#Compression .*|Compression no|'                   /etc/ssh/sshd_config
-  sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config
-
-  ## harden kernel
-  grep -q protected_hardlinks=1 /etc/sysctl.conf || cat >> /etc/sysctl.conf <<EOF
-fs.protected_hardlinks=1
-fs.protected_symlinks=1
-kernel.core_uses_pid=1
-kernel.dmesg_restrict=1
-kernel.kptr_restrict=2
-kernel.sysrq=0
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.all.log_martians=1
-net.ipv4.conf.all.rp_filter=1
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.default.accept_source_route=0
-net.ipv4.conf.default.log_martians=1
-net.ipv4.tcp_timestamps=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
-EOF
-  sysctl -p /etc/sysctl.conf &>/dev/null
-
-  # small tweaks
-  cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
-  chmod go-x /usr/bin/arm-linux-gnueabihf-* &>/dev/null
-  sed -i "s|^UMASK.*|UMASK           027|" /etc/login.defs
-
-  # secure mysql
-  DBPASSWD=$( grep password /root/.my.cnf | cut -d= -f2 )
-    mysql_secure_installation &>/dev/null <<EOF
-$DBPASSWD
-y
-$DBPASSWD
-$DBPASSWD
-y
-y
-y
-y
-EOF
-
   # update ncp-backup
   cd /usr/local/etc/nextcloudpi-config.d &>/dev/null
   install_script nc-backup.sh
@@ -215,21 +135,6 @@ EOF
   grep -q '^ACTIVE_=yes$' nc-backup-auto.sh && activate_script nc-backup-auto.sh 
   cd - &>/dev/null
 
-  # restore pip.conf after workaround
-  cat > /etc/pip.conf <<EOF
-[global]
-extra-index-url=https://www.piwheels.hostedpi.com/simple
-EOF
-
-  # update cron letsencrypt
-  [[ -f /etc/cron.d/letsencrypt-ncp ]] && rm -f /etc/cron.d/letsencrypt-ncp && {
-    cat > /etc/cron.weekly/letsencrypt-ncp <<EOF
-#!/bin/bash
-/etc/letsencrypt/certbot-auto renew --quiet
-EOF
-    chmod +x /etc/cron.weekly/letsencrypt-ncp
-  }
-
   # add ncp-config link
   [[ -e /usr/local/bin/ncp-config ]] || ln -s /usr/local/bin/nextcloudpi-config /usr/local/bin/ncp-config
 
@@ -268,6 +173,47 @@ EOF
   grep -q reboot /etc/sudoers || \
     sed -i 's|www-data.*|www-data ALL = NOPASSWD: /home/www/ncp-launcher.sh , /sbin/halt, /sbin/reboot|' /etc/sudoers
 
+  # randomize passwords for old images ( older than v0.46.30 )
+  cat > /usr/lib/systemd/system/nc-provisioning.service <<'EOF'
+[Unit]
+Description=Randomize passwords on first boot
+Requires=network.target
+After=mysql.service
+
+[Service]
+ExecStart=/bin/bash /usr/local/bin/ncp-provisioning.sh
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+  systemctl enable nc-provisioning
+
+  NEED_UPDATE=false
+
+  MAJOR=0 MINOR=46 PATCH=30
+
+  MAJ=$( grep -oP "\d+\.\d+\.\d+" /usr/local/etc/ncp-version | cut -d. -f1 )
+  MIN=$( grep -oP "\d+\.\d+\.\d+" /usr/local/etc/ncp-version | cut -d. -f2 )
+  PAT=$( grep -oP "\d+\.\d+\.\d+" /usr/local/etc/ncp-version | cut -d. -f3 )
+
+  if [ "$MAJOR" -gt "$MAJ" ]; then
+    NEED_UPDATE=true
+  elif [ "$MAJOR" -eq "$MAJ" ] && [ "$MINOR" -gt "$MIN" ]; then
+    NEED_UPDATE=true
+  elif [ "$MAJOR" -eq "$MAJ" ] && [ "$MINOR" -eq "$MIN" ] && [ "$PATCH" -gt "$PAT" ]; then
+    NEED_UPDATE=true
+  fi
+
+  [[ "$NEED_UPDATE" == "true" ]] && {
+    REDISPASS="default"
+    DBPASSWD="default"
+    sed -i -E "s|^requirepass .*|requirepass $REDISPASS|" /etc/redis/redis.conf
+    echo -e "[client]\npassword=$DBPASSWD" > /root/.my.cnf
+    chmod 600 /root/.my.cnf
+    systemctl start nc-provisioning
+  }
+
 } # end - only live updates
 
 exit 0