Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

make apps availble on deSEC #2422

Open
wants to merge 26 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
694e063
make apps availble on deSEC
enoch85 Dec 28, 2022
3461bb4
Rename apps/collabora_docker_desec.sh to addons/deSEC/collabora_docke…
enoch85 Dec 28, 2022
1ef7641
add new function
enoch85 Dec 28, 2022
aa3111a
update menu
enoch85 Dec 28, 2022
0305773
talk
enoch85 Dec 28, 2022
af3c677
add onlyoffice
enoch85 Dec 28, 2022
febe625
Rename onlyoffice_docker._desec.sh to onlyoffice_docker_desec.sh
enoch85 Dec 28, 2022
298dbeb
Create onlyoffice_docker.sh
enoch85 Dec 28, 2022
6955314
Update collabora_docker_desec.sh
enoch85 Dec 28, 2022
9098598
Create talk_desec.sh
enoch85 Dec 28, 2022
fb5331f
Update onlyoffice_docker_desec.sh
enoch85 Dec 28, 2022
c7c73ca
typo
enoch85 Dec 28, 2022
d243cdf
typo
enoch85 Dec 28, 2022
282b6b6
Merge branch 'master' into desec-apps
enoch85 Dec 28, 2022
27c6035
fix comment
enoch85 Dec 28, 2022
0293172
change order
enoch85 Dec 29, 2022
617cb8e
collabora now generates as it should
enoch85 Dec 29, 2022
b72446d
onlyffice same as collabora
enoch85 Dec 29, 2022
1ce5053
stop at first occurance
enoch85 Dec 29, 2022
589f0e3
same changes as collabora and onlyoffice
enoch85 Dec 29, 2022
2669632
Merge branch 'master' into desec-apps
enoch85 Jan 5, 2023
cc92db9
Merge branch 'master' into desec-apps
enoch85 Jan 20, 2023
839d9e0
Merge branch 'master' into desec-apps
enoch85 Feb 6, 2023
22551e6
Merge branch 'master' into desec-apps
enoch85 Mar 17, 2023
1d61047
Merge branch 'master' into desec-apps
enoch85 Apr 2, 2023
3792d1d
Merge branch 'master' into desec-apps
enoch85 Apr 8, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
237 changes: 237 additions & 0 deletions addons/deSEC/collabora_docker_desec.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,237 @@
#!/bin/bash

# T&M Hansson IT AB © - 2022, https://www.hanssonit.se/

true
SCRIPT_NAME="Collabora (Docker)"
SCRIPT_EXPLAINER="This script will install the Collabora Office Server bundled with Docker"
# shellcheck source=lib.sh
source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
# To work with https://github.com/nextcloud/richdocuments/pull/2235

# Check for errors + debug code and abort if something isn't right
# 1 = ON
# 0 = OFF
DEBUG=0
debug_mode

# Check if root
root_check

# Check if Collabora is already installed
print_text_in_color "$ICyan" "Checking if Collabora is already installed..."
if ! does_this_docker_exist 'collabora/code'
then
# Ask for installing
install_popup "$SCRIPT_NAME"
else
# Ask for removal or reinstallation
reinstall_remove_menu "$SCRIPT_NAME"
# Removal
remove_collabora_docker
# Remove config.php value set when install was successful
nextcloud_occ config:system:delete allow_local_remote_servers
# Show successful uninstall if applicable
removal_popup "$SCRIPT_NAME"
fi

# Check if OnlyOffice is previously installed
# If yes, then stop and prune the docker container
if does_this_docker_exist 'onlyoffice/documentserver'
then
# Removal
remove_onlyoffice_docker
fi

# Remove all office apps
remove_all_office_apps

# Install certbot (Let's Encrypt)
install_certbot

# Generate certs and auto-configure if successful
export SUBDOMAIN=collabora
if run_script DESEC desec_subdomain
then
SUBDOMAIN="$(grep dedyn.io $SCRIPTS/deSEC/.subdomain | tail -1 | cut -d '=' -f2)"
# Generate DHparams cipher
if [ ! -f "$DHPARAMS_SUB" ]
then
openssl dhparam -out "$DHPARAMS_SUB" 2048
fi
print_text_in_color "$IGreen" "Certs are generated!"
a2ensite "$SUBDOMAIN.conf"
restart_webserver
# Install Collabora App
install_and_enable_app richdocuments
else
last_fail_tls "$SCRIPTS"/apps/collabora.sh
exit 1
fi

# Nextcloud Main Domain
NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||')

# Curl the library another time to get the correct https_conf
# shellcheck source=lib.sh
source /var/scripts/fetch_lib.sh || source <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)

# Get all needed variables from the library
nc_update

# Get the latest packages
apt-get update -q4 & spinner_loading

# Check if Nextcloud is installed
print_text_in_color "$ICyan" "Checking if Nextcloud is installed..."
if ! curl -s https://"$NCDOMAIN"/status.php | grep -q 'installed":true'
then
msg_box "It seems like Nextcloud is not installed or that you don't use https on:
$NCDOMAIN.
Please install Nextcloud and make sure your domain is reachable, or activate TLS
on your domain to be able to run this script.

If you use the Nextcloud VM you can use the Let's Encrypt script to get TLS and activate your Nextcloud domain.
When TLS is activated, run these commands from your CLI:
sudo curl -sLO $APP/collabora.sh
sudo bash collabora.sh"
exit 1
fi

# Test RAM size (2GB min) + CPUs (min 2)
ram_check 2 Collabora
cpu_check 2 Collabora

# Check if Nextcloud is installed with TLS
check_nextcloud_https "Collabora (Docker)"

# Install Docker
install_docker

# Install Collabora docker
docker pull collabora/code:latest
docker run -t -d -p 127.0.0.1:9980:9980 -e "aliasgroup1=https://$NCDOMAIN:443" --restart always --name code --cap-add MKNOD collabora/code

# Install Apache2
install_if_not apache2

# Enable Apache2 module's
a2enmod proxy
a2enmod proxy_wstunnel
a2enmod proxy_http
a2enmod ssl
a2enmod headers

# Only add TLS 1.3 on Ubuntu later than 20.04
if version 20.04 "$DISTRO" 22.04.10
then
TLS13="+TLSv1.3"
fi

if [ -f "$HTTPS_CONF" ]
then
a2dissite "$SUBDOMAIN.conf"
rm -f "$HTTPS_CONF"
fi

# Create Vhost for Collabora online in Apache2
if [ ! -f "$HTTPS_CONF" ];
then
cat << HTTPS_CREATE > "$HTTPS_CONF"
<VirtualHost *:443>
ServerName $SUBDOMAIN:443

<Directory /var/www>
Options -Indexes
</Directory>

# TLS configuration, you may want to take the easy route instead and use Lets Encrypt!
SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB

# Intermediate configuration
SSLEngine on
SSLCompression off
SSLProtocol -all +TLSv1.2 $TLS13
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
ServerSignature off

# Logs
LogLevel warn
CustomLog \${APACHE_LOG_DIR}/access.log combined
ErrorLog \${APACHE_LOG_DIR}/error.log

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# Improve security settings
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "frame-ancestors 'self' $NCDOMAIN"

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from coolwsd
# browser is the client part of LibreOffice Online
ProxyPass /browser https://127.0.0.1:9980/browser retry=0
ProxyPassReverse /browser https://127.0.0.1:9980/browser

# WOPI discovery URL
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Endpoint with information about availability of various features
ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities

# Main websocket
ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/\$1/ws nocanon

# Admin Console websocket
ProxyPass /cool/adminws wss://127.0.0.1:9980/cool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass /cool https://127.0.0.1:9980/cool
ProxyPassReverse /cool https://127.0.0.1:9980/cool
</VirtualHost>
HTTPS_CREATE

if [ -f "$HTTPS_CONF" ];
then
print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
sleep 1
else
print_text_in_color "$IRed" "Unable to create vhost, exiting..."
print_text_in_color "$IRed" "Please report this issue here $ISSUES"
exit 1
fi
fi

# Set config for RichDocuments (Collabora App)
if is_app_installed richdocuments
then
nextcloud_occ config:app:set richdocuments wopi_url --value=https://"$SUBDOMAIN"
chown -R www-data:www-data "$NC_APPS_PATH"
# Appending the new domain to trusted domains
add_to_trusted_domains "$SUBDOMAIN"
# Allow remote servers with local addresses e.g. in federated shares, webcal services and more
nextcloud_occ config:system:set allow_local_remote_servers --value="true"
# Add prune command
add_dockerprune
print_text_in_color "$ICyan" "Restarting Docker..."
docker restart code
msg_box "Collabora Docker is now successfully installed.
Please be aware that the container is currently starting which can take a few minutes."
fi
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ debug_mode
# Check if root
enoch85 marked this conversation as resolved.
Show resolved Hide resolved
root_check

# Check if collabora is already installed
# Check if onlyoffice is already installed
if ! does_this_docker_exist 'onlyoffice/documentserver'
then
# Ask for installing
Expand All @@ -44,6 +44,29 @@ fi
# Remove all office apps
remove_all_office_apps

# Install certbot (Let's Encrypt)
install_certbot

# Generate certs and auto-configure if successful
export SUBDOMAIN=onlyoffice
if run_script DESEC desec_subdomain
then
SUBDOMAIN="$(grep onlyoffice -m 1 $SCRIPTS/deSEC/.subdomain | tail -1 | cut -d '=' -f2)"
# Generate DHparams cipher
if [ ! -f "$DHPARAMS_SUB" ]
then
openssl dhparam -out "$DHPARAMS_SUB" 2048
fi
print_text_in_color "$IGreen" "Certs are generated!"
a2ensite "$SUBDOMAIN.conf"
restart_webserver
# Install OnlyOffice
install_and_enable_app onlyoffice
else
last_fail_tls "$SCRIPTS"/apps/onlyoffice.sh
exit 1
fi

# Check if apache2 evasive-mod is enabled and disable it because of compatibility issues
if [ "$(apache2ctl -M | grep evasive)" != "" ]
then
Expand All @@ -60,11 +83,6 @@ It has compatibility issues with OnlyOffice and you can now choose to disable it
fi
fi

# Ask for the domain for OnlyOffice
SUBDOMAIN=$(input_box_flow "OnlyOffice subdomain e.g: office.yourdomain.com
NOTE: This domain must be different than your Nextcloud domain. \
They can however be hosted on the same server, but would require separate DNS entries.")

# Nextcloud Main Domain
NCDOMAIN=$(nextcloud_occ_no_check config:system:get overwrite.cli.url | sed 's|https://||;s|/||')

Expand All @@ -75,28 +93,6 @@ source /var/scripts/fetch_lib.sh
# Get all needed variables from the library
nc_update

# Notification
msg_box "Before continuing, please make sure that you have you have \
edited the DNS settings for $SUBDOMAIN, and opened port 80 and 443 \
directly to this servers IP. A full extensive guide can be found here:
https://www.techandme.se/open-port-80-443

This can be done automatically if you have UPNP enabled in your firewall/router. \
You will be offered to use UPNP in the next step.

PLEASE NOTE:
Using other ports than the default 80 and 443 is not supported, \
though it may be possible with some custom modification:
https://help.nextcloud.com/t/domain-refused-to-connect-collabora/91303/17"

if yesno_box_no "Do you want to use UPNP to open port 80 and 443?"
then
unset FAIL
open_port 80 TCP
open_port 443 TCP
cleanup_open_port
fi

# Get the latest packages
apt-get update -q4 & spinner_loading

Expand All @@ -115,14 +111,6 @@ sudo bash onlyoffice_docker.sh"
exit 1
fi

# Check if $SUBDOMAIN exists and is reachable
print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
domain_check_200 "$SUBDOMAIN"

# Check open ports with NMAP
check_open_port 80 "$SUBDOMAIN"
check_open_port 443 "$SUBDOMAIN"

# Test RAM size (2GB min) + CPUs (min 2)
ram_check 2 OnlyOffice
cpu_check 2 OnlyOffice
Expand Down Expand Up @@ -226,27 +214,6 @@ HTTPS_CREATE
fi
fi

# Install certbot (Let's Encrypt)
install_certbot

# Generate certs
if generate_cert "$SUBDOMAIN"
then
# Generate DHparams cipher
if [ ! -f "$DHPARAMS_SUB" ]
then
openssl dhparam -out "$DHPARAMS_SUB" 2048
fi
print_text_in_color "$IGreen" "Certs are generated!"
a2ensite "$SUBDOMAIN.conf"
restart_webserver
# Install OnlyOffice
install_and_enable_app onlyoffice
else
last_fail_tls "$SCRIPTS"/apps/onlyoffice.sh
exit 1
fi

# Set config for OnlyOffice
if [ -d "$NC_APPS_PATH"/onlyoffice ]
then
Expand Down
21 changes: 21 additions & 0 deletions lib.sh
Original file line number Diff line number Diff line change
Expand Up @@ -850,6 +850,27 @@ to validate them with the $f method. We have exhausted all the methods. Please c
done
}

# Let the user choose to setup a specific app with either deSEC, or regular TLS.
# desec_app_tls_menu "DESEC collabora_docker_desec.sh" "APP collabora_docker.sh"
desec_app_tls_menu() {
choice=$(whiptail --title "$TITLE" --menu \
"Choose TLS setup. Please note, to run the deSEC option, deSEC needs to be configured and setup already.\n
$MENU_GUIDE\n\n$RUN_LATER_GUIDE" "$WT_HEIGHT" "$WT_WIDTH" 4 \
"deSEC TLS setup" "(If you configured deSEC already. Works with custom port.)" \
"Regular TLS setup" "(If deSEC isn't installed, setup normal TLS)" 3>&1 1>&2 2>&3)
enoch85 marked this conversation as resolved.
Show resolved Hide resolved

case "$choice" in
"deSEC TLS setup")
run_script "${1}"
;;
"Regular TLS setup")
run_script "${2}"
;;
*)
;;
esac
}

is_desec_installed() {
# Check if deSEC is installed and add the needed variables if yes
if [ -f "$SCRIPTS"/deSEC/.dedynauth ]
Expand Down
2 changes: 1 addition & 1 deletion menu/additional_apps.sh
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ to finish the setup once this script is done." "$SUBTITLE"
;;&
*"Talk"*)
print_text_in_color "$ICyan" "Downloading the Talk script..."
run_script APP talk
desec_app_tls_menu "DESEC talk_desec" "APP talk"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

honestly, I find it a bit strange that this will now always go through this menu. It will be yet another step

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have a better proposal?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ping @szaimen

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we maybe check for the dessec folder and only show that menu if dessec is already configured?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, should work.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thought about this, what about users that doesn't have deSEC installed and wants to use it?

;;&
*"Webmin"*)
print_text_in_color "$ICyan" "Downloading the Webmin script..."
Expand Down
Loading