rename files & update site-dirs

2022-04-08 17:18:27 +01:00 · 2022-04-08 17:18:27 +01:00 · 8bcf9c1a45
parent 9e551777b1
commit 8bcf9c1a45
4 changed files with 229 additions and 135 deletions
--- a/debian/bullseye/scripts/nextcloud-sync.sh
+++ b/debian/bullseye/scripts/nextcloud-sync.sh
@ -1,6 +1,9 @@
 #!/bin/bash

 # Run this script with "(sudo) bash <filename> <args>".
+#
+# 0 2 * * * bash /root/nc-sync.sh | tee -a /var/log/nc_$(date +"\%Y-\%m-\%d").log
+

 # Exit on error.
 #set -eux # debug on
@ -25,9 +28,9 @@ PHP_REMOTE_BIN='php'
 NEXTCLOUD_REMOTE_FILE_DATA='/nextcloud/data'
 NEXTCLOUD_REMOTE_FILE_ROOT='/var/www/nextcloud/htdocs'

-REMOTE_NC_MAINTAINANCE_ON="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST sudo -u $NEXTCLOUD_REMOTE_USER $PHP_REMOTE_BIN $NEXTCLOUD_REMOTE_FILE_ROOT/occ maintenance:mode --on"
+REMOTE_NC_MAINTENANCE_ON="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST sudo -u $NEXTCLOUD_REMOTE_USER $PHP_REMOTE_BIN $NEXTCLOUD_REMOTE_FILE_ROOT/occ maintenance:mode --on"

-REMOTE_NC_MAINTAINANCE_OFF="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST sudo -u $NEXTCLOUD_REMOTE_USER $PHP_REMOTE_BIN $NEXTCLOUD_REMOTE_FILE_ROOT/occ maintenance:mode --off"
+REMOTE_NC_MAINTENANCE_OFF="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST sudo -u $NEXTCLOUD_REMOTE_USER $PHP_REMOTE_BIN $NEXTCLOUD_REMOTE_FILE_ROOT/occ maintenance:mode --off"

 REMOTE_DB_CREATE_DUMP="ssh $SSH_REMOTE_USER@$SSH_REMOTE_HOST mysqldump --single-transaction $NEXTCLOUD_REMOTE_DATABASE_NAME > /tmp/nextcloud-$DATE_STAMP.sql"

@ -40,9 +43,9 @@ PHP_BIN='php'
 NEXTCLOUD_FILE_DATA='/nextcloud/data'
 NEXTCLOUD_FILE_ROOT='/var/www/nextcloud/htdocs'

-NC_MAINTAINANCE_ON="sudo -u $NEXTCLOUD_USER $PHP_BIN $NEXTCLOUD_FILE_ROOT/occ maintenance:mode --on"
+NC_MAINTENANCE_ON="sudo -u $NEXTCLOUD_USER $PHP_BIN $NEXTCLOUD_FILE_ROOT/occ maintenance:mode --on"

-NC_MAINTAINANCE_OFF="sudo -u $NEXTCLOUD_USER $PHP_BIN $NEXTCLOUD_FILE_ROOT/occ maintenance:mode --off"
+NC_MAINTENANCE_OFF="sudo -u $NEXTCLOUD_USER $PHP_BIN $NEXTCLOUD_FILE_ROOT/occ maintenance:mode --off"

 GET_DB_DUMP_FROM_REMOTE="rsync --progress -Aavx $SSH_REMOTE_USER@$SSH_REMOTE_HOST:/tmp/nextcloud-$DATE_STAMP.sql /tmp/nextcloud-$DATE_STAMP.sql"

@ -52,14 +55,14 @@ GET_NC_FILES_FROM_REMOTE="rsync --progress -Aavx $SSH_REMOTE_USER@$SSH_REMOTE_HO

 #########

-# Enable remote maintainance mode.
-${REMOTE_NC_MAINTAINANCE_ON}
+# Enable remote MAINTENANCE mode.
+${REMOTE_NC_MAINTENANCE_ON}

 # Make remote dump.
 ${REMOTE_DB_CREATE_DUMP}

-# Enable local maintainance mode.
-${NC_MAINTAINANCE_ON}
+# Enable local MAINTENANCE mode.
+${NC_MAINTENANCE_ON}

 # Sync nc files.
 ${GET_NC_FILES_FROM_REMOTE}
@ -70,14 +73,14 @@ ${GET_DATA_FILES_FROM_REMOTE}
 # Get database dump.
 ${GET_DB_DUMP_FROM_REMOTE}

-# Disable remote maintainance mode.
-${REMOTE_NC_MAINTAINANCE_OFF}
+# Disable remote MAINTENANCE mode.
+${REMOTE_NC_MAINTENANCE_OFF}

 # Restore database dump.
 # You can't script this due to the redirection.
 mysql $NEXTCLOUD_DATABASE_NAME < /tmp/nextcloud-$DATE_STAMP.sql && rm /tmp/nextcloud-$DATE_STAMP.sql

-# Disable local maintainance mode.
-${NC_MAINTAINANCE_OFF}
+# Disable local MAINTENANCE mode.
+${NC_MAINTENANCE_OFF}

 echo "$DATE_STAMP OK" >> /tmp/nc-sync.log
--- a/debian/bullseye/scripts/nginx-install.sh
+++ b/debian/bullseye/scripts/nginx-install.sh
@ -1,120 +0,0 @@
-#!/bin/bash
-
-# Run this script with "(sudo) bash <filename> <args>".
-
-# Exit on error.
-set -e
-
-# Taken from http://nginx.org/en/linux_packages.html
-
-apt install -y curl gnupg2 ca-certificates lsb-release debian-archive-keyring openssl
-
-curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
-    | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
-
-echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
-http://nginx.org/packages/debian `lsb_release -cs` nginx" \
-    | tee /etc/apt/sources.list.d/nginx.list
-
-echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
-    | tee /etc/apt/preferences.d/99nginx
-
-apt update
-apt install nginx
-
-mkdir /var/www/ || true
-
-mkdir /var/www/default
-
-mkdir /etc/nginx/pem/
-
-chown :nginx /etc/nginx/pem/ -Rv
-
-chmod 640 /etc/nginx/pem/
-
-chmod g+s /etc/nginx/pem/
-
-touch /etc/nginx/pem/default-{private,cert}.pem
-
-openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout /etc/nginx/pem/default-private.pem -out /etc/nginx/pem/default-cert.pem
-
-openssl dhparam -out /etc/nginx/pem/default-dhparam.pem 4096
-
-mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.disabled
-
-cat <<NGX > /etc/nginx/conf.d/default.conf
-# Warn on any null variables
-uninitialized_variable_warn on;
-
-# Don't print software version
-server_tokens off;
-
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-
-    # Proxy Let's Encrypt to acme upstream.
-    location ^~ /.well-known/acme-challenge/ {
-        proxy_pass http://acme;
-    }
-
-    location / {
-        return 301 https://\$host\$request_uri;
-    }
-}
-
-# Upstream for acme requests.
-upstream acme {
-    server 127.0.0.1:18080;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    ssl_prefer_server_ciphers off;
-
-    ssl_certificate pem/default-cert.pem;
-    ssl_certificate_key pem/default-private.pem;
-    ssl_dhparam pem/default-dhparam.pem;
-
-    add_header Strict-Transport-Security "max-age=63072000" always;
-
-    resolver 1.1.1.1 1.0.0.1;
-
-    root /var/www/default;
-    error_log /var/log/nginx/default-error.log;
-    access_log /var/log/nginx/default-access.log;
-
-    # Proxy Let's Encrypt to acme upstream
-    location ^~ /.well-known/acme-challenge/ {
-        proxy_pass http://acme;
-    }
-
-    # Don't serve dot files.
-    location ~ /\. {
-        access_log off;
-        log_not_found off;
-        deny all;
-    }
-
-    # Don't log robots.
-    location = /robots.txt {
-        log_not_found off;
-    }
-
-    # Don't log common file requests.
-    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
-        expires max;
-        log_not_found off;
-    }
-
-    # Include extra files if needed.
-    include conf.d/default-*.inc;
-
-}
-NGX
-
-systemctl restart nginx
--- a/debian/bullseye/scripts/nginx.sh
+++ b/debian/bullseye/scripts/nginx.sh
@ -0,0 +1,209 @@
+#!/bin/bash
+
+# Run this script with "(sudo) bash <filename> <args>".
+
+# Exit on error.
+#set -e
+# Debug
+set -eux
+
+# Don't use ending slashes in paths!
+
+# The user nginx runs as.
+NGINX_USER='nginx'
+
+# The group nginx runs with.
+NGINX_GROUP='nginx'
+
+# Nginx configuration directory.
+NGINX_CONF='/etc/nginx'
+
+# Nginx configuration drop-in path.
+NGINX_CONFD='/etc/nginx/conf.d'
+
+# Where dummy SSL pems are stored.
+NGINX_NGINX_PEM_DIR='/etc/nginx/pem'
+
+# The default site filename, don't use a full path or filename here.
+# Just a name please.
+NGINX_DEFAULT_SITE_CONF_NAME="default"
+
+# Default site directory.
+NGINX_DEFAULT_SITE_PATH='/var/www/default'
+
+# Default site publicly served path.
+NGINX_DEFAULT_SITE_PUB='/var/www/default/public'
+
+main() {
+cat <<INFO
+Run with one of the following options:-
+"sudo bash $0 <function> <args>" for example ...
+"sudo bash $0 nginx"
+
+nginx        - Add nginx stable repo & install nginx.
+nginx-config - Add a basic nginx config with dumb SSL.
+-----
+
+You'll be asked to continue if a file exists, if you're happy to
+continue hit enter or ctrl+c to cancel.
+INFO
+}
+
+
+nginx() {
+# Mostly taken from http://nginx.org/en/linux_packages.html
+
+# Continue if already installed?
+dpkg -l nginx && (
+    echo "Already installed? Continue (hit enter)?"
+    read
+)
+
+apt install -y curl gnupg2 ca-certificates lsb-release \
+    debian-archive-keyring openssl
+
+curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
+    | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+
+echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+http://nginx.org/packages/debian `lsb_release -cs` nginx" \
+    | tee /etc/apt/sources.list.d/nginx.list
+
+echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
+    | tee /etc/apt/preferences.d/99nginx
+
+apt update
+apt install nginx
+}
+
+nginx-config() {
+
+cd ${NGINX_CONF:-/no_path/9} || (
+    echo "\"${NGINX_CONF}\" doesn't exist?"
+    return 1;
+)
+
+systemctl stop nginx
+
+# Make default site directories.
+cd ${NGINX_DEFAULT_SITE_PATH:-/no_path/1} && (
+    echo "\"${NGINX_DEFAULT_SITE_PATH}\" exists? Continue (hit enter)?"
+    read
+) || (
+    mkdir ${NGINX_DEFAULT_SITE_PATH:-/no_path/1} -p
+    cd ${NGINX_DEFAULT_SITE_PATH:-/no_path/1}
+)
+
+mkdir ${NGINX_DEFAULT_SITE_PUB:-/no_path/2} -p
+
+# Make pems.
+cd ${NGINX_PEM_DIR:-/no_path/3} && (
+    echo "\"${NGINX_PEM_DIR}\" exists? Continue (hit enter)?"
+    read
+) || (
+    mkdir ${NGINX_PEM_DIR:-/no_path/3}
+    cd ${NGINX_PEM_DIR:-/no_path/3}
+)
+
+chown :${NGINX_GROUP:-nginx} ${NGINX_PEM_DIR:-/no_path/3}
+
+chmod 640 ${NGINX_PEM_DIR:-/no_path/3}
+
+chmod g+s ${NGINX_PEM_DIR:-/no_path/3}
+
+touch ${NGINX_PEM_DIR:-/no_path/3}/default-{private,cert,dhparam}.pem
+
+openssl req -x509 -nodes -days 3650 -subj "/C=US/ST=Self Signed/L=Self Signed/O=Self Signed/OU=Self Signed/CN=Self Signed/emailAddress=self@signed" -newkey rsa:2048 -keyout ${NGINX_PEM_DIR:-/no_path/3}/default-private.pem -out ${NGINX_PEM_DIR:-/no_path/3}/default-cert.pem
+
+openssl dhparam -out ${NGINX_PEM_DIR:-/no_path/3}/default-dhparam.pem 4096
+
+cd ${NGINX_CONFD:-/no_path/4}
+
+# This doesn't always exist.
+[[ -f "default.conf" ]] && mv default.conf default.conf.backup
+
+NGINX_DEFAULT_SITE_CONF_NAME=${NGINX_DEFAULT_SITE_CONF_NAME:-fail}
+
+NGINX_DEFAULT_SITE_CONF_NAME_FULL="${NGINX_CONFD:-/no_path/4}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}.conf"
+
+[[ -f "${NGINX_DEFAULT_SITE_CONF_NAME_FULL}" ]] && (
+    echo "\"${NGINX_DEFAULT_SITE_CONF_NAME_FULL}\" exists? Continue (hit enter)?"
+    read
+)
+
+cat <<NGX > ${NGINX_DEFAULT_SITE_CONF_NAME_FULL}
+# Warn on any null variables
+uninitialized_variable_warn on;
+
+# Don't print software version
+server_tokens off;
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://\$host\$request_uri;
+    }
+
+    # Don't serve dot files.
+    location ~ /\. {
+        return 404;
+    }
+
+    # Include extra files.
+    include ${NGINX_CONFD:-/no_path/5}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}-*.inc;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    ssl_certificate ${NGINX_PEM_DIR:-/no_path/6}/default-cert.pem;
+    ssl_certificate_key ${NGINX_PEM_DIR:-/no_path/6}/default-private.pem;
+    ssl_dhparam ${NGINX_PEM_DIR:-/no_path/6}/default-dhparam.pem;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;
+
+    root ${NGINX_DEFAULT_SITE_PUB:-/no_path/7}/;
+    error_log ${NGINX_DEFAULT_SITE_PUB:-/no_path/7}/.error.log;
+    access_log ${NGINX_DEFAULT_SITE_PUB:-/no_path/7}/.access.log;
+
+    # Don't serve dot files.
+    location ~ /\. {
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    # Don't log robots.
+    location = /robots.txt {
+        log_not_found off;
+        access_log off;
+    }
+
+    # Don't log common file requests.
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+        expires max;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Include extra files.
+    include ${NGINX_CONFD:-/no_path/8}/${NGINX_DEFAULT_SITE_CONF_NAME:-fail}-*.inc;
+}
+NGX
+
+nginx -t
+
+systemctl restart nginx
+
+}
+
+${1:-main} "$@"
--- a/debian/bullseye/scripts/site-dirs.sh
+++ b/debian/bullseye/scripts/site-dirs.sh
@ -10,7 +10,7 @@ OWNER=${2:-www-data}
 OWNER_GROUP=${3:-`id -gn $OWNER`}

 PRIVATE_DIRS="data tmp sessions"
-PUBLIC_DIRS="htdocs"
+PUBLIC_DIRS="public"

 printf 'Create site directories in "%s" owned by "%s" with group "%s"...

@ -65,13 +65,15 @@ chown "$OWNER":"$OWNER_GROUP" .test || (
 # Create the private & public folders then set permissions...
 for private_folder in $PRIVATE_DIRS; do
    mkdir -v "$private_folder"
-    chmod -cR 750 "$private_folder"
    chown -v "$OWNER":"$OWNER_GROUP" "$private_folder"
+    chmod -cR 750 "$private_folder"
+    chmod -cR u+s,g+s,o+s "$private_folder"
 done

 for public_folder in $PUBLIC_DIRS; do
    mkdir -v "$public_folder"
-    chmod -cR 755 "$public_folder"
    chown -v "$OWNER":"$OWNER_GROUP" "$public_folder"
+    chmod -cR 755 "$public_folder"
+    chmod -cR u+s,g+s,o+s "$public_folder"
 done